From sle-container-updates at lists.suse.com Mon Sep 1 09:43:57 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Mon, 1 Sep 2025 11:43:57 +0200 (CEST) Subject: SUSE-CU-2025:6670-1: Security update of private-registry/harbor-core Message-ID: <20250901094357.CA297FBA1@maintenance.suse.de> SUSE Container Update Advisory: private-registry/harbor-core ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:6670-1 Container Tags : private-registry/harbor-core:2.13 , private-registry/harbor-core:2.13.2 , private-registry/harbor-core:2.13.2-3.2 , private-registry/harbor-core:latest Container Release : 3.2 Severity : moderate Type : security References : 1232234 1240058 1246221 1246965 1247144 1247148 CVE-2024-10041 CVE-2025-8058 ----------------------------------------------------------------- The container private-registry/harbor-core was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:2956-1 Released: Fri Aug 22 08:57:48 2025 Summary: Recommended update for openssl-3 Type: recommended Severity: moderate References: 1247144,1247148 This update for openssl-3 fixes the following issues: - Increased limit for CRL download (bsc#1247148, bsc#1247144) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2964-1 Released: Fri Aug 22 14:52:39 2025 Summary: Security update for glibc Type: security Severity: moderate References: 1240058,1246965,CVE-2025-8058 This update for glibc fixes the following issues: - CVE-2025-8058: Fixed double-free after allocation failure in regcomp. 
(bsc#1246965) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2970-1 Released: Mon Aug 25 10:27:57 2025 Summary: Security update for pam Type: security Severity: moderate References: 1232234,1246221,CVE-2024-10041 This update for pam fixes the following issues: - Improve previous CVE-2024-10041 fix which led to CPU performance issues (bsc#1232234) The following package changes have been done: - glibc-2.38-150600.14.37.1 updated - libopenssl3-3.1.4-150600.5.36.4 updated - openssl-3-3.1.4-150600.5.36.4 updated - pam-1.3.0-150000.6.86.1 updated - system-user-harbor-2.13.2-150600.2.1 updated - harbor213-core-2.13.2-150600.2.1 added - container:suse-sle15-15.6-0934acc60b392531bf6a68a99f0793b3e01c1027d0968caade3ec95a5cd1b2e6-0 updated - container:registry.suse.com-bci-bci-micro-15.6-1998c870659774535cf3fcd5f21bf2171bcd511edd7b5515cb3aa1c420e8a441-0 updated - harbor212-core-2.12.2-150600.2.2 removed From sle-container-updates at lists.suse.com Mon Sep 1 09:44:02 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Mon, 1 Sep 2025 11:44:02 +0200 (CEST) Subject: SUSE-CU-2025:6671-1: Security update of private-registry/harbor-db Message-ID: <20250901094402.B2331FBA1@maintenance.suse.de> SUSE Container Update Advisory: private-registry/harbor-db ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:6671-1 Container Tags : private-registry/harbor-db:2.13 , private-registry/harbor-db:2.13.2 , private-registry/harbor-db:2.13.2-3.3 , private-registry/harbor-db:latest Container Release : 3.3 Severity : important Type : security References : 1232234 1240058 1246221 1246965 1247144 1247148 1248119 1248119 1248120 1248120 1248122 1248122 CVE-2024-10041 CVE-2025-8058 CVE-2025-8713 CVE-2025-8713 CVE-2025-8714 CVE-2025-8714 CVE-2025-8715 CVE-2025-8715 ----------------------------------------------------------------- The container 
private-registry/harbor-db was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:2956-1 Released: Fri Aug 22 08:57:48 2025 Summary: Recommended update for openssl-3 Type: recommended Severity: moderate References: 1247144,1247148 This update for openssl-3 fixes the following issues: - Increased limit for CRL download (bsc#1247148, bsc#1247144) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2964-1 Released: Fri Aug 22 14:52:39 2025 Summary: Security update for glibc Type: security Severity: moderate References: 1240058,1246965,CVE-2025-8058 This update for glibc fixes the following issues: - CVE-2025-8058: Fixed double-free after allocation failure in regcomp. (bsc#1246965) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2970-1 Released: Mon Aug 25 10:27:57 2025 Summary: Security update for pam Type: security Severity: moderate References: 1232234,1246221,CVE-2024-10041 This update for pam fixes the following issues: - Improve previous CVE-2024-10041 fix which led to CPU performance issues (bsc#1232234) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2986-1 Released: Tue Aug 26 12:41:07 2025 Summary: Security update for postgresql17 Type: security Severity: important References: 1248119,1248120,1248122,CVE-2025-8713,CVE-2025-8714,CVE-2025-8715 This update for postgresql17 fixes the following issues: Updated to 17.6: * CVE-2025-8713: Fixed optimizer statistics exposing sampled data within a view, partition, or child table (bsc#1248120) * CVE-2025-8714: Fixed untrusted data inclusion in pg_dump allows superuser of origin server to execute arbitrary code in psql client (bsc#1248122) * CVE-2025-8715: Fixed improper neutralization of newlines in pg_dump leading to arbitrary code execution in the psql client and in the restore target 
server (bsc#1248119) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:3018-1 Released: Fri Aug 29 10:31:13 2025 Summary: Security update for postgresql15 Type: security Severity: important References: 1248119,1248120,1248122,CVE-2025-8713,CVE-2025-8714,CVE-2025-8715 This update for postgresql15 fixes the following issues: Upgrade to 15.14: - CVE-2025-8713: optimizer statistics can expose sampled data within a view, partition, or child table (bsc#1248120). - CVE-2025-8714: untrusted data inclusion in `pg_dump` lets superuser of origin server execute arbitrary code in psql client (bsc#1248122). - CVE-2025-8715: improper neutralization of newlines in `pg_dump` allows execution of arbitrary code in psql client and in restore target server (bsc#1248119). The following package changes have been done: - glibc-2.38-150600.14.37.1 updated - glibc-locale-base-2.38-150600.14.37.1 updated - glibc-locale-2.38-150600.14.37.1 updated - libopenssl3-3.1.4-150600.5.36.4 updated - libpq5-17.6-150600.13.16.1 updated - postgresql15-15.14-150600.16.20.1 updated - pam-1.3.0-150000.6.86.1 updated - postgresql17-17.6-150600.13.16.1 updated - postgresql15-server-15.14-150600.16.20.1 updated - postgresql17-server-17.6-150600.13.16.1 updated - harbor213-db-2.13.2-150600.2.1 added - container:suse-sle15-15.6-0934acc60b392531bf6a68a99f0793b3e01c1027d0968caade3ec95a5cd1b2e6-0 updated - container:registry.suse.com-bci-bci-micro-15.6-1998c870659774535cf3fcd5f21bf2171bcd511edd7b5515cb3aa1c420e8a441-0 updated - harbor212-db-2.12.2-150600.2.2 removed From sle-container-updates at lists.suse.com Mon Sep 1 09:44:06 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Mon, 1 Sep 2025 11:44:06 +0200 (CEST) Subject: SUSE-CU-2025:6672-1: Security update of private-registry/harbor-exporter Message-ID: <20250901094406.753CDFBA1@maintenance.suse.de> SUSE Container Update Advisory: private-registry/harbor-exporter 
----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:6672-1 Container Tags : private-registry/harbor-exporter:2.13 , private-registry/harbor-exporter:2.13 , private-registry/harbor-exporter:2.13.2 , private-registry/harbor-exporter:2.13.2 , private-registry/harbor-exporter:2.13.2-3.2 , private-registry/harbor-exporter:latest Container Release : 3.2 Severity : moderate Type : security References : 1232234 1240058 1246221 1246965 1247144 1247148 CVE-2024-10041 CVE-2025-8058 ----------------------------------------------------------------- The container private-registry/harbor-exporter was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:2956-1 Released: Fri Aug 22 08:57:48 2025 Summary: Recommended update for openssl-3 Type: recommended Severity: moderate References: 1247144,1247148 This update for openssl-3 fixes the following issues: - Increased limit for CRL download (bsc#1247148, bsc#1247144) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2964-1 Released: Fri Aug 22 14:52:39 2025 Summary: Security update for glibc Type: security Severity: moderate References: 1240058,1246965,CVE-2025-8058 This update for glibc fixes the following issues: - CVE-2025-8058: Fixed double-free after allocation failure in regcomp. 
(bsc#1246965) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2970-1 Released: Mon Aug 25 10:27:57 2025 Summary: Security update for pam Type: security Severity: moderate References: 1232234,1246221,CVE-2024-10041 This update for pam fixes the following issues: - Improve previous CVE-2024-10041 fix which led to CPU performance issues (bsc#1232234) The following package changes have been done: - glibc-2.38-150600.14.37.1 updated - harbor213-exporter-2.13.2-150600.2.1 added - libopenssl3-3.1.4-150600.5.36.4 updated - openssl-3-3.1.4-150600.5.36.4 updated - pam-1.3.0-150000.6.86.1 updated - system-user-harbor-2.13.2-150600.2.1 updated - container:suse-sle15-15.6-0934acc60b392531bf6a68a99f0793b3e01c1027d0968caade3ec95a5cd1b2e6-0 updated - container:registry.suse.com-bci-bci-micro-15.6-1998c870659774535cf3fcd5f21bf2171bcd511edd7b5515cb3aa1c420e8a441-0 updated - harbor212-exporter-2.12.2-150600.2.2 removed From sle-container-updates at lists.suse.com Mon Sep 1 09:44:09 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Mon, 1 Sep 2025 11:44:09 +0200 (CEST) Subject: SUSE-CU-2025:6673-1: Security update of private-registry/harbor-jobservice Message-ID: <20250901094409.F19ACFBA1@maintenance.suse.de> SUSE Container Update Advisory: private-registry/harbor-jobservice ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:6673-1 Container Tags : private-registry/harbor-jobservice:2.13 , private-registry/harbor-jobservice:2.13.2 , private-registry/harbor-jobservice:2.13.2-3.2 , private-registry/harbor-jobservice:latest Container Release : 3.2 Severity : moderate Type : security References : 1232234 1240058 1246221 1246965 1247144 1247148 CVE-2024-10041 CVE-2025-8058 ----------------------------------------------------------------- The container private-registry/harbor-jobservice was updated. 
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:2956-1 Released: Fri Aug 22 08:57:48 2025 Summary: Recommended update for openssl-3 Type: recommended Severity: moderate References: 1247144,1247148 This update for openssl-3 fixes the following issues: - Increased limit for CRL download (bsc#1247148, bsc#1247144) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2964-1 Released: Fri Aug 22 14:52:39 2025 Summary: Security update for glibc Type: security Severity: moderate References: 1240058,1246965,CVE-2025-8058 This update for glibc fixes the following issues: - CVE-2025-8058: Fixed double-free after allocation failure in regcomp. (bsc#1246965) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2970-1 Released: Mon Aug 25 10:27:57 2025 Summary: Security update for pam Type: security Severity: moderate References: 1232234,1246221,CVE-2024-10041 This update for pam fixes the following issues: - Improve previous CVE-2024-10041 fix which led to CPU performance issues (bsc#1232234) The following package changes have been done: - glibc-2.38-150600.14.37.1 updated - libopenssl3-3.1.4-150600.5.36.4 updated - openssl-3-3.1.4-150600.5.36.4 updated - pam-1.3.0-150000.6.86.1 updated - system-user-harbor-2.13.2-150600.2.1 updated - harbor213-jobservice-2.13.2-150600.2.1 added - container:suse-sle15-15.6-0934acc60b392531bf6a68a99f0793b3e01c1027d0968caade3ec95a5cd1b2e6-0 updated - container:registry.suse.com-bci-bci-micro-15.6-1998c870659774535cf3fcd5f21bf2171bcd511edd7b5515cb3aa1c420e8a441-0 updated - harbor212-jobservice-2.12.2-150600.2.2 removed From sle-container-updates at lists.suse.com Mon Sep 1 09:44:14 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Mon, 1 Sep 2025 11:44:14 +0200 (CEST) Subject: SUSE-CU-2025:6674-1: Security update of 
private-registry/harbor-nginx Message-ID: <20250901094414.447F9FBA1@maintenance.suse.de> SUSE Container Update Advisory: private-registry/harbor-nginx ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:6674-1 Container Tags : private-registry/harbor-nginx:1.21 , private-registry/harbor-nginx:1.21.5 , private-registry/harbor-nginx:1.21.5-2.36 , private-registry/harbor-nginx:latest Container Release : 2.36 Severity : important Type : security References : 1232234 1240058 1246221 1246965 1247106 1247108 1247144 1247148 CVE-2024-10041 CVE-2025-8058 CVE-2025-8176 CVE-2025-8177 ----------------------------------------------------------------- The container private-registry/harbor-nginx was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2815-1 Released: Fri Aug 15 14:54:44 2025 Summary: Security update for tiff Type: security Severity: important References: 1247106,1247108,CVE-2025-8176,CVE-2025-8177 This update for tiff fixes the following issues: - CVE-2025-8176: Fixed heap use-after-free in tools/tiffmedian.c (bsc#1247108) - CVE-2025-8177: Fixed possible buffer overflow in tools/thumbnail.c:setrow() when processing malformed TIFF files (bsc#1247106) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:2956-1 Released: Fri Aug 22 08:57:48 2025 Summary: Recommended update for openssl-3 Type: recommended Severity: moderate References: 1247144,1247148 This update for openssl-3 fixes the following issues: - Increased limit for CRL download (bsc#1247148, bsc#1247144) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2964-1 Released: Fri Aug 22 14:52:39 2025 Summary: Security update for glibc Type: security Severity: moderate References: 1240058,1246965,CVE-2025-8058 This update for glibc fixes the following issues: - CVE-2025-8058: 
Fixed double-free after allocation failure in regcomp. (bsc#1246965) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2970-1 Released: Mon Aug 25 10:27:57 2025 Summary: Security update for pam Type: security Severity: moderate References: 1232234,1246221,CVE-2024-10041 This update for pam fixes the following issues: - Improve previous CVE-2024-10041 fix which led to CPU performance issues (bsc#1232234) The following package changes have been done: - glibc-2.38-150600.14.37.1 updated - libtiff5-4.0.9-150000.45.50.1 updated - libopenssl3-3.1.4-150600.5.36.4 updated - openssl-3-3.1.4-150600.5.36.4 updated - pam-1.3.0-150000.6.86.1 updated - system-user-harbor-2.13.2-150600.2.1 updated - container:suse-sle15-15.6-0934acc60b392531bf6a68a99f0793b3e01c1027d0968caade3ec95a5cd1b2e6-0 updated - container:registry.suse.com-bci-bci-micro-15.6-1998c870659774535cf3fcd5f21bf2171bcd511edd7b5515cb3aa1c420e8a441-0 updated From sle-container-updates at lists.suse.com Mon Sep 1 09:44:18 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Mon, 1 Sep 2025 11:44:18 +0200 (CEST) Subject: SUSE-CU-2025:6675-1: Security update of private-registry/harbor-portal Message-ID: <20250901094418.56E79FBA1@maintenance.suse.de> SUSE Container Update Advisory: private-registry/harbor-portal ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:6675-1 Container Tags : private-registry/harbor-portal:2.13 , private-registry/harbor-portal:2.13.2 , private-registry/harbor-portal:2.13.2-3.2 , private-registry/harbor-portal:latest Container Release : 3.2 Severity : important Type : security References : 1232234 1240058 1246221 1246965 1247106 1247108 1247144 1247148 CVE-2024-10041 CVE-2025-8058 CVE-2025-8176 CVE-2025-8177 ----------------------------------------------------------------- The container private-registry/harbor-portal was updated. 
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2815-1 Released: Fri Aug 15 14:54:44 2025 Summary: Security update for tiff Type: security Severity: important References: 1247106,1247108,CVE-2025-8176,CVE-2025-8177 This update for tiff fixes the following issues: - CVE-2025-8176: Fixed heap use-after-free in tools/tiffmedian.c (bsc#1247108) - CVE-2025-8177: Fixed possible buffer overflow in tools/thumbnail.c:setrow() when processing malformed TIFF files (bsc#1247106) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:2956-1 Released: Fri Aug 22 08:57:48 2025 Summary: Recommended update for openssl-3 Type: recommended Severity: moderate References: 1247144,1247148 This update for openssl-3 fixes the following issues: - Increased limit for CRL download (bsc#1247148, bsc#1247144) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2964-1 Released: Fri Aug 22 14:52:39 2025 Summary: Security update for glibc Type: security Severity: moderate References: 1240058,1246965,CVE-2025-8058 This update for glibc fixes the following issues: - CVE-2025-8058: Fixed double-free after allocation failure in regcomp. 
(bsc#1246965) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2970-1 Released: Mon Aug 25 10:27:57 2025 Summary: Security update for pam Type: security Severity: moderate References: 1232234,1246221,CVE-2024-10041 This update for pam fixes the following issues: - Improve previous CVE-2024-10041 fix which led to CPU performance issues (bsc#1232234) The following package changes have been done: - glibc-2.38-150600.14.37.1 updated - libtiff5-4.0.9-150000.45.50.1 updated - libopenssl3-3.1.4-150600.5.36.4 updated - pam-1.3.0-150000.6.86.1 updated - system-user-harbor-2.13.2-150600.2.1 updated - harbor213-portal-2.13.2-150600.2.1 added - container:suse-sle15-15.6-0934acc60b392531bf6a68a99f0793b3e01c1027d0968caade3ec95a5cd1b2e6-0 updated - container:registry.suse.com-bci-bci-micro-15.6-1998c870659774535cf3fcd5f21bf2171bcd511edd7b5515cb3aa1c420e8a441-0 updated - harbor212-portal-2.12.2-150600.2.2 removed From sle-container-updates at lists.suse.com Mon Sep 1 09:44:21 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Mon, 1 Sep 2025 11:44:21 +0200 (CEST) Subject: SUSE-CU-2025:6676-1: Security update of private-registry/harbor-registry Message-ID: <20250901094422.0066AFBA1@maintenance.suse.de> SUSE Container Update Advisory: private-registry/harbor-registry ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:6676-1 Container Tags : private-registry/harbor-registry:2.8.3 , private-registry/harbor-registry:2.8.3-2.43 , private-registry/harbor-registry:latest Container Release : 2.43 Severity : moderate Type : security References : 1232234 1240058 1246221 1246965 1247144 1247148 CVE-2024-10041 CVE-2025-8058 ----------------------------------------------------------------- The container private-registry/harbor-registry was updated. 
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:2956-1 Released: Fri Aug 22 08:57:48 2025 Summary: Recommended update for openssl-3 Type: recommended Severity: moderate References: 1247144,1247148 This update for openssl-3 fixes the following issues: - Increased limit for CRL download (bsc#1247148, bsc#1247144) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2964-1 Released: Fri Aug 22 14:52:39 2025 Summary: Security update for glibc Type: security Severity: moderate References: 1240058,1246965,CVE-2025-8058 This update for glibc fixes the following issues: - CVE-2025-8058: Fixed double-free after allocation failure in regcomp. (bsc#1246965) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2970-1 Released: Mon Aug 25 10:27:57 2025 Summary: Security update for pam Type: security Severity: moderate References: 1232234,1246221,CVE-2024-10041 This update for pam fixes the following issues: - Improve previous CVE-2024-10041 fix which led to CPU performance issues (bsc#1232234) The following package changes have been done: - glibc-2.38-150600.14.37.1 updated - libopenssl3-3.1.4-150600.5.36.4 updated - openssl-3-3.1.4-150600.5.36.4 updated - pam-1.3.0-150000.6.86.1 updated - system-user-harbor-2.13.2-150600.2.1 updated - harbor-distribution-registry-2.8.3-150600.2.1 updated - container:suse-sle15-15.6-0934acc60b392531bf6a68a99f0793b3e01c1027d0968caade3ec95a5cd1b2e6-0 updated - container:registry.suse.com-bci-bci-micro-15.6-1998c870659774535cf3fcd5f21bf2171bcd511edd7b5515cb3aa1c420e8a441-0 updated From sle-container-updates at lists.suse.com Mon Sep 1 09:44:29 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Mon, 1 Sep 2025 11:44:29 +0200 (CEST) Subject: SUSE-CU-2025:6678-1: Security update of private-registry/harbor-trivy-adapter 
Message-ID: <20250901094429.876EEFBA1@maintenance.suse.de> SUSE Container Update Advisory: private-registry/harbor-trivy-adapter ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:6678-1 Container Tags : private-registry/harbor-trivy-adapter:0.33.2 , private-registry/harbor-trivy-adapter:0.33.2-2.36 , private-registry/harbor-trivy-adapter:latest Container Release : 2.36 Severity : important Type : security References : 1212476 1216545 1218588 1218664 1232234 1240058 1243197 1245938 1245939 1245942 1245943 1245946 1246221 1246965 1247144 1247148 CVE-2024-10041 CVE-2025-27613 CVE-2025-27614 CVE-2025-46835 CVE-2025-48384 CVE-2025-48385 CVE-2025-8058 ----------------------------------------------------------------- The container private-registry/harbor-trivy-adapter was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:2956-1 Released: Fri Aug 22 08:57:48 2025 Summary: Recommended update for openssl-3 Type: recommended Severity: moderate References: 1247144,1247148 This update for openssl-3 fixes the following issues: - Increased limit for CRL download (bsc#1247148, bsc#1247144) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2964-1 Released: Fri Aug 22 14:52:39 2025 Summary: Security update for glibc Type: security Severity: moderate References: 1240058,1246965,CVE-2025-8058 This update for glibc fixes the following issues: - CVE-2025-8058: Fixed double-free after allocation failure in regcomp. 
(bsc#1246965) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2970-1 Released: Mon Aug 25 10:27:57 2025 Summary: Security update for pam Type: security Severity: moderate References: 1232234,1246221,CVE-2024-10041 This update for pam fixes the following issues: - Improve previous CVE-2024-10041 fix which led to CPU performance issues (bsc#1232234) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:3012-1 Released: Fri Aug 29 02:07:38 2025 Summary: security update for git, git-lfs, obs-scm-bridge, python-PyYAML Type: security Severity: important References: 1212476,1216545,1218588,1218664,1243197,1245938,1245939,1245942,1245943,1245946,CVE-2025-27613,CVE-2025-27614,CVE-2025-46835,CVE-2025-48384,CVE-2025-48385 This update for git, git-lfs, obs-scm-bridge, python-PyYAML fixes the following issues: git was updated from version 2.43.0 to 2.51.0 (bsc#1243197): - Security issues fixed: * CVE-2025-27613 Fixed arbitrary writable file creation and truncation in Gitk (bsc#1245938) * CVE-2025-27614 Fixed arbitrary script execution via repository cloning in gitk (bsc#1245939) * CVE-2025-46835 Fixed arbitrary writable file creation in Git GUI when untrusted repository is cloned (bsc#1245942) * CVE-2025-48384 Fixed the unintentional execution of a script after checkout due to CRLF transforming (bsc#1245943) * CVE-2025-48385 Fixed arbitrary code execution due to protocol injection via fetching advertised bundle (bsc#1245946) - Other changes and bugs fixed: * Added SHA256 support (bsc#1243197) * Git moved to /usr/libexec/git/git and updated AppArmor profile accordingly (bsc#1218588) * gitweb AppArmor profile: allow reading etc/gitweb-common.conf (bsc#1218664) * Do not replace apparmor configuration (bsc#1216545) * Fixed the Python version required (bsc#1212476) - Version Updates Release Notes: *
https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.51.0.adoc * https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.50.1.adoc * https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.50.0.adoc * https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.49.0.adoc * https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.48.1.adoc * https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.48.0.adoc * https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.47.1.adoc * https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.47.0.adoc * https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.46.2.adoc * https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.46.1.adoc * https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.46.0.adoc * https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.45.3.adoc * https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.45.2.adoc * https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.45.1.adoc * https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.45.0.adoc * https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.44.0.adoc * https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.43.3.adoc * https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.43.2.adoc * https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.43.1.adoc git-lfs is included in version 3.7.0. python-PyYAML was updated from version 6.0.1 to 6.0.2: - Added support for Cython 3.x and Python 3.13 obs-scm-bridge was updated from version 0.5.4 to 0.7.4: - New Features and Improvements: * Manifest File Support: Support has been added for a `_manifest` file, which serves as a successor to the `_subdirs` file.
* Control Over Git Information: A new noobsinfo query parameter was added to hide git information in source and binary files. * Enhanced Submodule Handling: The system now records the configured branch of submodules and stays on that branch during checkout. * Git SHA Tracking: In project mode, the tool now uses git SHA sums instead of md5sum to track package sources. * SSH URL Support: ssh:// SCM URLs can now be used. * Improved Error Messages: Error reporting for invalid files within package subdirectories has been improved. * Standardized Config Location: In project mode, the _config file is now always located in the top-level directory, even when using subdirs. * Reduced Unnecessary Changes: In project mode, unnecessary modifications to the package meta URL are now avoided. * Limit Asset Handling: A new mechanism has been introduced to limit how assets are handled. * Branch Information Export: The trackingbranch is now exported to scmsync.obsinfo. - Bugs fixed: * Syntax Fix: A syntax issue was corrected. * Git Submodule Parsing: The .gitsubmodule parser was fixed to correctly handle files that contain a mix of spaces and tabs. 
The following package changes have been done: - glibc-2.38-150600.14.37.1 updated - libopenssl3-3.1.4-150600.5.36.4 updated - openssl-3-3.1.4-150600.5.36.4 updated - pam-1.3.0-150000.6.86.1 updated - git-core-2.51.0-150600.3.12.1 updated - harbor-scanner-trivy-0.33.2-150600.1.1 updated - system-user-harbor-2.13.2-150600.2.1 updated - container:suse-sle15-15.6-0934acc60b392531bf6a68a99f0793b3e01c1027d0968caade3ec95a5cd1b2e6-0 updated - container:registry.suse.com-bci-bci-micro-15.6-1998c870659774535cf3fcd5f21bf2171bcd511edd7b5515cb3aa1c420e8a441-0 updated From sle-container-updates at lists.suse.com Mon Sep 1 09:44:25 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Mon, 1 Sep 2025 11:44:25 +0200 (CEST) Subject: SUSE-CU-2025:6677-1: Security update of private-registry/harbor-registryctl Message-ID: <20250901094425.B9A20FBA1@maintenance.suse.de> SUSE Container Update Advisory: private-registry/harbor-registryctl ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:6677-1 Container Tags : private-registry/harbor-registryctl:2.13 , private-registry/harbor-registryctl:2.13.2 , private-registry/harbor-registryctl:2.13.2-3.2 , private-registry/harbor-registryctl:latest Container Release : 3.2 Severity : moderate Type : security References : 1232234 1240058 1246221 1246965 1247144 1247148 CVE-2024-10041 CVE-2025-8058 ----------------------------------------------------------------- The container private-registry/harbor-registryctl was updated. 
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:2956-1 Released: Fri Aug 22 08:57:48 2025 Summary: Recommended update for openssl-3 Type: recommended Severity: moderate References: 1247144,1247148 This update for openssl-3 fixes the following issues: - Increased limit for CRL download (bsc#1247148, bsc#1247144) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2964-1 Released: Fri Aug 22 14:52:39 2025 Summary: Security update for glibc Type: security Severity: moderate References: 1240058,1246965,CVE-2025-8058 This update for glibc fixes the following issues: - CVE-2025-8058: Fixed double-free after allocation failure in regcomp. (bsc#1246965) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2970-1 Released: Mon Aug 25 10:27:57 2025 Summary: Security update for pam Type: security Severity: moderate References: 1232234,1246221,CVE-2024-10041 This update for pam fixes the following issues: - Improve previous CVE-2024-10041 fix which led to CPU performance issues (bsc#1232234) The following package changes have been done: - glibc-2.38-150600.14.37.1 updated - libopenssl3-3.1.4-150600.5.36.4 updated - openssl-3-3.1.4-150600.5.36.4 updated - pam-1.3.0-150000.6.86.1 updated - system-user-harbor-2.13.2-150600.2.1 updated - harbor-distribution-registry-2.8.3-150600.2.1 updated - harbor213-registryctl-2.13.2-150600.2.1 added - container:suse-sle15-15.6-0934acc60b392531bf6a68a99f0793b3e01c1027d0968caade3ec95a5cd1b2e6-0 updated - container:registry.suse.com-bci-bci-micro-15.6-1998c870659774535cf3fcd5f21bf2171bcd511edd7b5515cb3aa1c420e8a441-0 updated - harbor212-registryctl-2.12.2-150600.2.2 removed From sle-container-updates at lists.suse.com Mon Sep 1 14:02:50 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Mon, 1 Sep 2025 16:02:50 +0200 
(CEST) Subject: SUSE-CU-2025:6679-1: Security update of private-registry/harbor-valkey Message-ID: <20250901140250.22B13FF9E@maintenance.suse.de> SUSE Container Update Advisory: private-registry/harbor-valkey ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:6679-1 Container Tags : private-registry/harbor-valkey:8.0.2 , private-registry/harbor-valkey:8.0.2-2.33 , private-registry/harbor-valkey:latest Container Release : 2.33 Severity : moderate Type : security References : 1232234 1240058 1246221 1246965 1247144 1247148 CVE-2024-10041 CVE-2025-8058 ----------------------------------------------------------------- The container private-registry/harbor-valkey was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:2956-1 Released: Fri Aug 22 08:57:48 2025 Summary: Recommended update for openssl-3 Type: recommended Severity: moderate References: 1247144,1247148 This update for openssl-3 fixes the following issues: - Increased limit for CRL download (bsc#1247148, bsc#1247144) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2964-1 Released: Fri Aug 22 14:52:39 2025 Summary: Security update for glibc Type: security Severity: moderate References: 1240058,1246965,CVE-2025-8058 This update for glibc fixes the following issues: - CVE-2025-8058: Fixed double-free after allocation failure in regcomp. 
(bsc#1246965) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2970-1 Released: Mon Aug 25 10:27:57 2025 Summary: Security update for pam Type: security Severity: moderate References: 1232234,1246221,CVE-2024-10041 This update for pam fixes the following issues: - Improve previous CVE-2024-10041 fix which led to CPU performance issues (bsc#1232234) The following package changes have been done: - glibc-2.38-150600.14.37.1 updated - libopenssl3-3.1.4-150600.5.36.4 updated - pam-1.3.0-150000.6.86.1 updated - container:suse-sle15-15.6-0934acc60b392531bf6a68a99f0793b3e01c1027d0968caade3ec95a5cd1b2e6-0 updated - container:registry.suse.com-bci-bci-micro-15.6-1998c870659774535cf3fcd5f21bf2171bcd511edd7b5515cb3aa1c420e8a441-0 updated From sle-container-updates at lists.suse.com Mon Sep 1 14:09:13 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Mon, 1 Sep 2025 16:09:13 +0200 (CEST) Subject: SUSE-CU-2025:6681-1: Security update of bci/spack Message-ID: <20250901140913.EBBC2FF9E@maintenance.suse.de> SUSE Container Update Advisory: bci/spack ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:6681-1 Container Tags : bci/spack:0.23 , bci/spack:0.23.1 , bci/spack:0.23.1-11.54 Container Release : 11.54 Severity : important Type : security References : 1212476 1216545 1218588 1218664 1243197 1245938 1245939 1245942 1245943 1245946 CVE-2025-27613 CVE-2025-27614 CVE-2025-46835 CVE-2025-48384 CVE-2025-48385 ----------------------------------------------------------------- The container bci/spack was updated. 
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:3012-1 Released: Fri Aug 29 02:07:38 2025 Summary: security update for git, git-lfs, obs-scm-bridge, python-PyYAML Type: security Severity: important References: 1212476,1216545,1218588,1218664,1243197,1245938,1245939,1245942,1245943,1245946,CVE-2025-27613,CVE-2025-27614,CVE-2025-46835,CVE-2025-48384,CVE-2025-48385 This update for git, git-lfs, obs-scm-bridge, python-PyYAML fixes the following issues: git was updated from version 2.43.0 to 2.51.0 (bsc#1243197): - Security issues fixed: * CVE-2025-27613 Fixed arbitrary writable file creation and truncation in Gitk (bsc#1245938) * CVE-2025-27614 Fixed arbitrary script execution via repository cloning in gitk (bsc#1245939) * CVE-2025-46835 Fixed arbitrary writable file creation in Git GUI when untrusted repository is cloned (bsc#1245942) * CVE-2025-48384 Fixed the unintentional execution of a script after checkout due to CRLF transforming (bsc#1245943) * CVE-2025-48385 Fixed arbitrary code execution due to protocol injection via fetching advertised bundle (bsc#1245946) - Other changes and bugs fixed: * Added SHA256 support (bsc#1243197) * Git moved to /usr/libexec/git/git and updated AppArmor profile accordingly (bsc#1218588) * gitweb AppArmor profile: allow reading etc/gitweb-common.conf (bsc#1218664) * Do not replace apparmor configuration (bsc#1216545) * Fixed the Python version required (bsc#1212476) - Version Updates Release Notes: * https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.51.0.adoc * https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.50.1.adoc * https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.50.0.adoc * https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.49.0.adoc *
https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.48.1.adoc * https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.48.0.adoc * https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.47.1.adoc * https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.47.0.adoc * https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.46.2.adoc * https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.46.1.adoc * https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.46.0.adoc * https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.45.3.adoc * https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.45.2.adoc * https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.45.1.adoc * https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.45.0.adoc * https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.44.0.adoc * https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.43.3.adoc * https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.43.2.adoc * https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.43.1.adoc git-lfs is included in version 3.7.0. python-PyYAML was updated from version 6.0.1 to 6.0.2: - Added support for Cython 3.x and Python 3.13 obs-scm-bridge was updated from version 0.5.4 to 0.7.4: - New Features and Improvements: * Manifest File Support: Support has been added for a `_manifest` file, which serves as a successor to the `_subdirs` file. * Control Over Git Information: A new noobsinfo query parameter was added to hide git information in source and binary files. * Enhanced Submodule Handling: The system now records the configured branch of submodules and stays on that branch during checkout.
* Git SHA Tracking: In project mode, the tool now uses git SHA sums instead of md5sum to track package sources. * SSH URL Support: ssh:// SCM URLs can now be used. * Improved Error Messages: Error reporting for invalid files within package subdirectories has been improved. * Standardized Config Location: In project mode, the _config file is now always located in the top-level directory, even when using subdirs. * Reduced Unnecessary Changes: In project mode, unnecessary modifications to the package meta URL are now avoided. * Limit Asset Handling: A new mechanism has been introduced to limit how assets are handled. * Branch Information Export: The trackingbranch is now exported to scmsync.obsinfo. - Bugs fixed: * Syntax Fix: A syntax issue was corrected. * Git Submodule Parsing: The .gitsubmodule parser was fixed to correctly handle files that contain a mix of spaces and tabs. The following package changes have been done: - git-core-2.51.0-150600.3.12.1 updated - perl-Git-2.51.0-150600.3.12.1 updated - git-2.51.0-150600.3.12.1 updated From sle-container-updates at lists.suse.com Mon Sep 1 14:09:26 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Mon, 1 Sep 2025 16:09:26 +0200 (CEST) Subject: SUSE-CU-2025:6682-1: Security update of bci/golang Message-ID: <20250901140926.DD9AAFF9E@maintenance.suse.de> SUSE Container Update Advisory: bci/golang ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:6682-1 Container Tags : bci/golang:1.23-openssl , bci/golang:1.23.2-openssl , bci/golang:1.23.2-openssl-73.14 , bci/golang:oldstable-openssl , bci/golang:oldstable-openssl-73.14 Container Release : 73.14 Severity : important Type : security References : 1212476 1216545 1218588 1218664 1243197 1245938 1245939 1245942 1245943 1245946 CVE-2025-27613 CVE-2025-27614 CVE-2025-46835 CVE-2025-48384 CVE-2025-48385 ----------------------------------------------------------------- The 
container bci/golang was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:3012-1 Released: Fri Aug 29 02:07:38 2025 Summary: security update for git, git-lfs, obs-scm-bridge, python-PyYAML Type: security Severity: important References: 1212476,1216545,1218588,1218664,1243197,1245938,1245939,1245942,1245943,1245946,CVE-2025-27613,CVE-2025-27614,CVE-2025-46835,CVE-2025-48384,CVE-2025-48385 This update for git, git-lfs, obs-scm-bridge, python-PyYAML fixes the following issues: git was updated from version 2.43.0 to 2.51.0 (bsc#1243197): - Security issues fixed: * CVE-2025-27613 Fixed arbitrary writable file creation and truncation in Gitk (bsc#1245938) * CVE-2025-27614 Fixed arbitrary script execution via repository cloning in gitk (bsc#1245939) * CVE-2025-46835 Fixed arbitrary writable file creation in Git GUI when untrusted repository is cloned (bsc#1245942) * CVE-2025-48384 Fixed the unintentional execution of a script after checkout due to CRLF transforming (bsc#1245943) * CVE-2025-48385 Fixed arbitrary code execution due to protocol injection via fetching advertised bundle (bsc#1245946) - Other changes and bugs fixed: * Added SHA256 support (bsc#1243197) * Git moved to /usr/libexec/git/git and updated AppArmor profile accordingly (bsc#1218588) * gitweb AppArmor profile: allow reading etc/gitweb-common.conf (bsc#1218664) * Do not replace apparmor configuration (bsc#1216545) * Fixed the Python version required (bsc#1212476) - Version Updates Release Notes: * https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.51.0.adoc * https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.50.1.adoc * https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.50.0.adoc * https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.49.0.adoc *
https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.48.1.adoc * https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.48.0.adoc * https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.47.1.adoc * https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.47.0.adoc * https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.46.2.adoc * https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.46.1.adoc * https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.46.0.adoc * https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.45.3.adoc * https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.45.2.adoc * https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.45.1.adoc * https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.45.0.adoc * https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.44.0.adoc * https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.43.3.adoc * https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.43.2.adoc * https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.43.1.adoc git-lfs is included in version 3.7.0. python-PyYAML was updated from version 6.0.1 to 6.0.2: - Added support for Cython 3.x and Python 3.13 obs-scm-bridge was updated from version 0.5.4 to 0.7.4: - New Features and Improvements: * Manifest File Support: Support has been added for a `_manifest` file, which serves as a successor to the `_subdirs` file. * Control Over Git Information: A new noobsinfo query parameter was added to hide git information in source and binary files. * Enhanced Submodule Handling: The system now records the configured branch of submodules and stays on that branch during checkout.
* Git SHA Tracking: In project mode, the tool now uses git SHA sums instead of md5sum to track package sources. * SSH URL Support: ssh:// SCM URLs can now be used. * Improved Error Messages: Error reporting for invalid files within package subdirectories has been improved. * Standardized Config Location: In project mode, the _config file is now always located in the top-level directory, even when using subdirs. * Reduced Unnecessary Changes: In project mode, unnecessary modifications to the package meta URL are now avoided. * Limit Asset Handling: A new mechanism has been introduced to limit how assets are handled. * Branch Information Export: The trackingbranch is now exported to scmsync.obsinfo. - Bugs fixed: * Syntax Fix: A syntax issue was corrected. * Git Submodule Parsing: The .gitsubmodule parser was fixed to correctly handle files that contain a mix of spaces and tabs. The following package changes have been done: - git-core-2.51.0-150600.3.12.1 updated From sle-container-updates at lists.suse.com Mon Sep 1 14:09:46 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Mon, 1 Sep 2025 16:09:46 +0200 (CEST) Subject: SUSE-CU-2025:6683-1: Security update of bci/kiwi Message-ID: <20250901140946.60919FF9E@maintenance.suse.de> SUSE Container Update Advisory: bci/kiwi ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:6683-1 Container Tags : bci/kiwi:9 , bci/kiwi:9.24 , bci/kiwi:9.24.43 , bci/kiwi:9.24.43-18.29 , bci/kiwi:latest Container Release : 18.29 Severity : important Type : security References : 1212476 1216545 1218588 1218664 1243197 1245938 1245939 1245942 1245943 1245946 CVE-2025-27613 CVE-2025-27614 CVE-2025-46835 CVE-2025-48384 CVE-2025-48385 ----------------------------------------------------------------- The container bci/kiwi was updated. 
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:3012-1 Released: Fri Aug 29 02:07:38 2025 Summary: security update for git, git-lfs, obs-scm-bridge, python-PyYAML Type: security Severity: important References: 1212476,1216545,1218588,1218664,1243197,1245938,1245939,1245942,1245943,1245946,CVE-2025-27613,CVE-2025-27614,CVE-2025-46835,CVE-2025-48384,CVE-2025-48385 This update for git, git-lfs, obs-scm-bridge, python-PyYAML fixes the following issues: git was updated from version 2.43.0 to 2.51.0 (bsc#1243197): - Security issues fixed: * CVE-2025-27613 Fixed arbitrary writable file creation and truncation in Gitk (bsc#1245938) * CVE-2025-27614 Fixed arbitrary script execution via repository cloning in gitk (bsc#1245939) * CVE-2025-46835 Fixed arbitrary writable file creation in Git GUI when untrusted repository is cloned (bsc#1245942) * CVE-2025-48384 Fixed the unintentional execution of a script after checkout due to CRLF transforming (bsc#1245943) * CVE-2025-48385 Fixed arbitrary code execution due to protocol injection via fetching advertised bundle (bsc#1245946) - Other changes and bugs fixed: * Added SHA256 support (bsc#1243197) * Git moved to /usr/libexec/git/git and updated AppArmor profile accordingly (bsc#1218588) * gitweb AppArmor profile: allow reading etc/gitweb-common.conf (bsc#1218664) * Do not replace apparmor configuration (bsc#1216545) * Fixed the Python version required (bsc#1212476) - Version Updates Release Notes: * https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.51.0.adoc * https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.50.1.adoc * https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.50.0.adoc * https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.49.0.adoc *
https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.48.1.adoc * https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.48.0.adoc * https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.47.1.adoc * https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.47.0.adoc * https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.46.2.adoc * https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.46.1.adoc * https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.46.0.adoc * https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.45.3.adoc * https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.45.2.adoc * https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.45.1.adoc * https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.45.0.adoc * https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.44.0.adoc * https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.43.3.adoc * https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.43.2.adoc * https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.43.1.adoc git-lfs is included in version 3.7.0. python-PyYAML was updated from version 6.0.1 to 6.0.2: - Added support for Cython 3.x and Python 3.13 obs-scm-bridge was updated from version 0.5.4 to 0.7.4: - New Features and Improvements: * Manifest File Support: Support has been added for a `_manifest` file, which serves as a successor to the `_subdirs` file. * Control Over Git Information: A new noobsinfo query parameter was added to hide git information in source and binary files. * Enhanced Submodule Handling: The system now records the configured branch of submodules and stays on that branch during checkout.
* Git SHA Tracking: In project mode, the tool now uses git SHA sums instead of md5sum to track package sources. * SSH URL Support: ssh:// SCM URLs can now be used. * Improved Error Messages: Error reporting for invalid files within package subdirectories has been improved. * Standardized Config Location: In project mode, the _config file is now always located in the top-level directory, even when using subdirs. * Reduced Unnecessary Changes: In project mode, unnecessary modifications to the package meta URL are now avoided. * Limit Asset Handling: A new mechanism has been introduced to limit how assets are handled. * Branch Information Export: The trackingbranch is now exported to scmsync.obsinfo. - Bugs fixed: * Syntax Fix: A syntax issue was corrected. * Git Submodule Parsing: The .gitsubmodule parser was fixed to correctly handle files that contain a mix of spaces and tabs. The following package changes have been done: - git-core-2.51.0-150600.3.12.1 updated From sle-container-updates at lists.suse.com Mon Sep 1 14:09:59 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Mon, 1 Sep 2025 16:09:59 +0200 (CEST) Subject: SUSE-CU-2025:6684-1: Security update of bci/openjdk Message-ID: <20250901140959.DF1AFFF9E@maintenance.suse.de> SUSE Container Update Advisory: bci/openjdk ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:6684-1 Container Tags : bci/openjdk:17 , bci/openjdk:17.0.16.0 , bci/openjdk:17.0.16.0-8.21 Container Release : 8.21 Severity : important Type : security References : 1212476 1216545 1218588 1218664 1243197 1245938 1245939 1245942 1245943 1245946 CVE-2025-27613 CVE-2025-27614 CVE-2025-46835 CVE-2025-48384 CVE-2025-48385 ----------------------------------------------------------------- The container bci/openjdk was updated. 
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:3012-1 Released: Fri Aug 29 02:07:38 2025 Summary: security update for git, git-lfs, obs-scm-bridge, python-PyYAML Type: security Severity: important References: 1212476,1216545,1218588,1218664,1243197,1245938,1245939,1245942,1245943,1245946,CVE-2025-27613,CVE-2025-27614,CVE-2025-46835,CVE-2025-48384,CVE-2025-48385 This update for git, git-lfs, obs-scm-bridge, python-PyYAML fixes the following issues: git was updated from version 2.43.0 to 2.51.0 (bsc#1243197): - Security issues fixed: * CVE-2025-27613 Fixed arbitrary writable file creation and truncation in Gitk (bsc#1245938) * CVE-2025-27614 Fixed arbitrary script execution via repository cloning in gitk (bsc#1245939) * CVE-2025-46835 Fixed arbitrary writable file creation in Git GUI when untrusted repository is cloned (bsc#1245942) * CVE-2025-48384 Fixed the unintentional execution of a script after checkout due to CRLF transforming (bsc#1245943) * CVE-2025-48385 Fixed arbitrary code execution due to protocol injection via fetching advertised bundle (bsc#1245946) - Other changes and bugs fixed: * Added SHA256 support (bsc#1243197) * Git moved to /usr/libexec/git/git and updated AppArmor profile accordingly (bsc#1218588) * gitweb AppArmor profile: allow reading etc/gitweb-common.conf (bsc#1218664) * Do not replace apparmor configuration (bsc#1216545) * Fixed the Python version required (bsc#1212476) - Version Updates Release Notes: * https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.51.0.adoc * https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.50.1.adoc * https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.50.0.adoc * https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.49.0.adoc *
https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.48.1.adoc * https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.48.0.adoc * https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.47.1.adoc * https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.47.0.adoc * https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.46.2.adoc * https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.46.1.adoc * https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.46.0.adoc * https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.45.3.adoc * https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.45.2.adoc * https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.45.1.adoc * https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.45.0.adoc * https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.44.0.adoc * https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.43.3.adoc * https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.43.2.adoc * https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.43.1.adoc git-lfs is included in version 3.7.0. python-PyYAML was updated from version 6.0.1 to 6.0.2: - Added support for Cython 3.x and Python 3.13 obs-scm-bridge was updated from version 0.5.4 to 0.7.4: - New Features and Improvements: * Manifest File Support: Support has been added for a `_manifest` file, which serves as a successor to the `_subdirs` file. * Control Over Git Information: A new noobsinfo query parameter was added to hide git information in source and binary files. * Enhanced Submodule Handling: The system now records the configured branch of submodules and stays on that branch during checkout.
* Git SHA Tracking: In project mode, the tool now uses git SHA sums instead of md5sum to track package sources. * SSH URL Support: ssh:// SCM URLs can now be used. * Improved Error Messages: Error reporting for invalid files within package subdirectories has been improved. * Standardized Config Location: In project mode, the _config file is now always located in the top-level directory, even when using subdirs. * Reduced Unnecessary Changes: In project mode, unnecessary modifications to the package meta URL are now avoided. * Limit Asset Handling: A new mechanism has been introduced to limit how assets are handled. * Branch Information Export: The trackingbranch is now exported to scmsync.obsinfo. - Bugs fixed: * Syntax Fix: A syntax issue was corrected. * Git Submodule Parsing: The .gitsubmodule parser was fixed to correctly handle files that contain a mix of spaces and tabs. The following package changes have been done: - git-core-2.51.0-150600.3.12.1 updated From sle-container-updates at lists.suse.com Mon Sep 1 14:10:29 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Mon, 1 Sep 2025 16:10:29 +0200 (CEST) Subject: SUSE-CU-2025:6686-1: Security update of bci/python Message-ID: <20250901141029.0261AFF9E@maintenance.suse.de> SUSE Container Update Advisory: bci/python ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:6686-1 Container Tags : bci/python:3 , bci/python:3.13 , bci/python:3.13.5 , bci/python:3.13.5-76.21 , bci/python:latest Container Release : 76.21 Severity : important Type : security References : 1212476 1216545 1218588 1218664 1243197 1245938 1245939 1245942 1245943 1245946 CVE-2025-27613 CVE-2025-27614 CVE-2025-46835 CVE-2025-48384 CVE-2025-48385 ----------------------------------------------------------------- The container bci/python was updated. 
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:3012-1 Released: Fri Aug 29 02:07:38 2025 Summary: security update for git, git-lfs, obs-scm-bridge, python-PyYAML Type: security Severity: important References: 1212476,1216545,1218588,1218664,1243197,1245938,1245939,1245942,1245943,1245946,CVE-2025-27613,CVE-2025-27614,CVE-2025-46835,CVE-2025-48384,CVE-2025-48385 This update for git, git-lfs, obs-scm-bridge, python-PyYAML fixes the following issues: git was updated from version 2.43.0 to 2.51.0 (bsc#1243197): - Security issues fixed: * CVE-2025-27613 Fixed arbitrary writable file creation and truncation in Gitk (bsc#1245938) * CVE-2025-27614 Fixed arbitrary script execution via repository cloning in gitk (bsc#1245939) * CVE-2025-46835 Fixed arbitrary writable file creation in Git GUI when untrusted repository is cloned (bsc#1245942) * CVE-2025-48384 Fixed the unintentional execution of a script after checkout due to CRLF transforming (bsc#1245943) * CVE-2025-48385 Fixed arbitrary code execution due to protocol injection via fetching advertised bundle (bsc#1245946) - Other changes and bugs fixed: * Added SHA256 support (bsc#1243197) * Git moved to /usr/libexec/git/git and updated AppArmor profile accordingly (bsc#1218588) * gitweb AppArmor profile: allow reading etc/gitweb-common.conf (bsc#1218664) * Do not replace apparmor configuration (bsc#1216545) * Fixed the Python version required (bsc#1212476) - Version Updates Release Notes: * https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.51.0.adoc * https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.50.1.adoc * https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.50.0.adoc * https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.49.0.adoc *
https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.48.1.adoc * https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.48.0.adoc * https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.47.1.adoc * https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.47.0.adoc * https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.46.2.adoc * https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.46.1.adoc * https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.46.0.adoc * https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.45.3.adoc * https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.45.2.adoc * https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.45.1.adoc * https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.45.0.adoc * https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.44.0.adoc * https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.43.3.adoc * https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.43.2.adoc * https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.43.1.adoc git-lfs is included in version 3.7.0. python-PyYAML was updated from version 6.0.1 to 6.0.2: - Added support for Cython 3.x and Python 3.13 obs-scm-bridge was updated from version 0.5.4 to 0.7.4: - New Features and Improvements: * Manifest File Support: Support has been added for a `_manifest` file, which serves as a successor to the `_subdirs` file. * Control Over Git Information: A new noobsinfo query parameter was added to hide git information in source and binary files. * Enhanced Submodule Handling: The system now records the configured branch of submodules and stays on that branch during checkout.
* Git SHA Tracking: In project mode, the tool now uses git SHA sums instead of md5sum to track package sources. * SSH URL Support: ssh:// SCM URLs can now be used. * Improved Error Messages: Error reporting for invalid files within package subdirectories has been improved. * Standardized Config Location: In project mode, the _config file is now always located in the top-level directory, even when using subdirs. * Reduced Unnecessary Changes: In project mode, unnecessary modifications to the package meta URL are now avoided. * Limit Asset Handling: A new mechanism has been introduced to limit how assets are handled. * Branch Information Export: The trackingbranch is now exported to scmsync.obsinfo. - Bugs fixed: * Syntax Fix: A syntax issue was corrected. * Git Submodule Parsing: The .gitsubmodule parser was fixed to correctly handle files that contain a mix of spaces and tabs. The following package changes have been done: - git-core-2.51.0-150600.3.12.1 updated From sle-container-updates at lists.suse.com Mon Sep 1 14:10:43 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Mon, 1 Sep 2025 16:10:43 +0200 (CEST) Subject: SUSE-CU-2025:6687-1: Security update of bci/ruby Message-ID: <20250901141043.F120FFF9E@maintenance.suse.de> SUSE Container Update Advisory: bci/ruby ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:6687-1 Container Tags : bci/ruby:2 , bci/ruby:2.5 , bci/ruby:2.5-14.2 Container Release : 14.2 Severity : important Type : security References : 1212476 1216545 1218588 1218664 1243197 1245938 1245939 1245942 1245943 1245946 CVE-2025-27613 CVE-2025-27614 CVE-2025-46835 CVE-2025-48384 CVE-2025-48385 ----------------------------------------------------------------- The container bci/ruby was updated. 
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:3012-1 Released: Fri Aug 29 02:07:38 2025 Summary: security update for git, git-lfs, obs-scm-bridge, python-PyYAML Type: security Severity: important References: 1212476,1216545,1218588,1218664,1243197,1245938,1245939,1245942,1245943,1245946,CVE-2025-27613,CVE-2025-27614,CVE-2025-46835,CVE-2025-48384,CVE-2025-48385 This update for git, git-lfs, obs-scm-bridge, python-PyYAML fixes the following issues: git was updated from version 2.43.0 to 2.51.0 (bsc#1243197): - Security issues fixed: * CVE-2025-27613 Fixed arbitrary writable file creation and truncation in Gitk (bsc#1245938) * CVE-2025-27614 Fixed arbitrary script execution via repository cloning in gitk (bsc#1245939) * CVE-2025-46835 Fixed arbitrary writable file creation in Git GUI when untrusted repository is cloned (bsc#1245942) * CVE-2025-48384 Fixed the unintentional execution of a script after checkout due to CRLF transforming (bsc#1245943) * CVE-2025-48385 Fixed arbitrary code execution due to protocol injection via fetching advertised bundle (bsc#1245946) - Other changes and bugs fixed: * Added SHA256 support (bsc#1243197) * Git moved to /usr/libexec/git/git and updated AppArmor profile accordingly (bsc#1218588) * gitweb AppArmor profile: allow reading etc/gitweb-common.conf (bsc#1218664) * Do not replace apparmor configuration (bsc#1216545) * Fixed the Python version required (bsc#1212476) - Version Updates Release Notes: * https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.51.0.adoc * https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.50.1.adoc * https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.50.0.adoc * https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.49.0.adoc *
https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.48.1.adoc * https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.48.0.adoc * https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.47.1.adoc * https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.47.0.adoc * https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.46.2.adoc * https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.46.1.adoc * https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.46.0.adoc * https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.45.3.adoc * https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.45.2.adoc * https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.45.1.adoc * https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.45.0.adoc * https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.44.0.adoc * https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.43.3.adoc * https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.43.2.adoc * https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.43.1.adoc git-lfs is included in version 3.7.0. python-PyYAML was updated from version 6.0.1 to 6.0.2: - Added support for Cython 3.x and Python 3.13 obs-scm-bridge was updated from version 0.5.4 to 0.7.4: - New Features and Improvements: * Manifest File Support: Support has been added for a `_manifest` file, which serves as a successor to the `_subdirs` file. * Control Over Git Information: A new noobsinfo query parameter was added to hide git information in source and binary files. * Enhanced Submodule Handling: The system now records the configured branch of submodules and stays on that branch during checkout.
* Git SHA Tracking: In project mode, the tool now uses git SHA sums instead of md5sum to track package sources. * SSH URL Support: ssh:// SCM URLs can now be used. * Improved Error Messages: Error reporting for invalid files within package subdirectories has been improved. * Standardized Config Location: In project mode, the _config file is now always located in the top-level directory, even when using subdirs. * Reduced Unnecessary Changes: In project mode, unnecessary modifications to the package meta URL are now avoided. * Limit Asset Handling: A new mechanism has been introduced to limit how assets are handled. * Branch Information Export: The trackingbranch is now exported to scmsync.obsinfo. - Bugs fixed: * Syntax Fix: A syntax issue was corrected. * Git Submodule Parsing: The .gitsubmodule parser was fixed to correctly handle files that contain a mix of spaces and tabs. The following package changes have been done: - git-core-2.51.0-150600.3.12.1 updated From sle-container-updates at lists.suse.com Mon Sep 1 14:11:05 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Mon, 1 Sep 2025 16:11:05 +0200 (CEST) Subject: SUSE-CU-2025:6688-1: Security update of bci/spack Message-ID: <20250901141105.4BD94FF9E@maintenance.suse.de> SUSE Container Update Advisory: bci/spack ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:6688-1 Container Tags : bci/spack:0.23 , bci/spack:0.23.1 , bci/spack:0.23.1-15.20 , bci/spack:latest Container Release : 15.20 Severity : important Type : security References : 1212476 1216545 1218588 1218664 1243197 1245938 1245939 1245942 1245943 1245946 CVE-2025-27613 CVE-2025-27614 CVE-2025-46835 CVE-2025-48384 CVE-2025-48385 ----------------------------------------------------------------- The container bci/spack was updated. 
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:3012-1 Released: Fri Aug 29 02:07:38 2025 Summary: security update for git, git-lfs, obs-scm-bridge, python-PyYAML Type: security Severity: important References: 1212476,1216545,1218588,1218664,1243197,1245938,1245939,1245942,1245943,1245946,CVE-2025-27613,CVE-2025-27614,CVE-2025-46835,CVE-2025-48384,CVE-2025-48385 This update for git, git-lfs, obs-scm-bridge, python-PyYAML fixes the following issues: git was updated from version 2.43.0 to 2.51.0 (bsc#1243197): - Security issues fixed: * CVE-2025-27613 Fixed arbitrary writable file creation and truncation in Gitk (bsc#1245938) * CVE-2025-27614 Fixed arbitrary script execution via repository cloning in gitk (bsc#1245939) * CVE-2025-46835 Fixed arbitrary writable file creation in Git GUI when untrusted repository is cloned (bsc#1245942) * CVE-2025-48384 Fixed the unintentional execution of a script after checkout due to CRLF transforming (bsc#1245943) * CVE-2025-48385 Fixed arbitrary code execution due to protocol injection via fetching advertised bundle (bsc#1245946) - Other changes and bugs fixed: * Added SHA256 support (bsc#1243197) * Git moved to /usr/libexec/git/git and updated AppArmor profile accordingly (bsc#1218588) * gitweb AppArmor profile: allow reading etc/gitweb-common.conf (bsc#1218664) * Do not replace apparmor configuration (bsc#1216545) * Fixed the Python version required (bsc#1212476) - Version Updates Release Notes: * https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.51.0.adoc * https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.50.1.adoc * https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.50.0.adoc * https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.49.0.adoc *
https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.48.1.adoc * https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.48.0.adoc * https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.47.1.adoc * https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.47.0.adoc * https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.46.2.adoc * https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.46.1.adoc * https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.46.0.adoc * https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.45.3.adoc * https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.45.2.adoc * https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.45.1.adoc * https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.45.0.adoc * https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.44.0.adoc * https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.43.3.adoc * https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.43.2.adoc * https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.43.1.adoc git-lfs is included in version 3.7.0. python-PyYAML was updated from version 6.0.1 to 6.0.2: - Added support for Cython 3.x and Python 3.13 obs-scm-bridge was updated from version 0.5.4 to 0.7.4: - New Features and Improvements: * Manifest File Support: Support has been added for a `_manifest` file, which serves as a successor to the `_subdirs` file. * Control Over Git Information: A new noobsinfo query parameter was added to hide git information in source and binary files. * Enhanced Submodule Handling: The system now records the configured branch of submodules and stays on that branch during checkout.
* Git SHA Tracking: In project mode, the tool now uses git SHA sums instead of md5sum to track package sources. * SSH URL Support: ssh:// SCM URLs can now be used. * Improved Error Messages: Error reporting for invalid files within package subdirectories has been improved. * Standardized Config Location: In project mode, the _config file is now always located in the top-level directory, even when using subdirs. * Reduced Unnecessary Changes: In project mode, unnecessary modifications to the package meta URL are now avoided. * Limit Asset Handling: A new mechanism has been introduced to limit how assets are handled. * Branch Information Export: The trackingbranch is now exported to scmsync.obsinfo. - Bugs fixed: * Syntax Fix: A syntax issue was corrected. * Git Submodule Parsing: The .gitsubmodule parser was fixed to correctly handle files that contain a mix of spaces and tabs. The following package changes have been done: - git-core-2.51.0-150600.3.12.1 updated - perl-Git-2.51.0-150600.3.12.1 updated - git-2.51.0-150600.3.12.1 updated From sle-container-updates at lists.suse.com Tue Sep 2 07:03:46 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Tue, 2 Sep 2025 09:03:46 +0200 (CEST) Subject: SUSE-CU-2025:6689-1: Security update of private-registry/harbor-nginx Message-ID: <20250902070346.8D985FF9D@maintenance.suse.de> SUSE Container Update Advisory: private-registry/harbor-nginx ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:6689-1 Container Tags : private-registry/harbor-nginx:1.21 , private-registry/harbor-nginx:1.21.5 , private-registry/harbor-nginx:1.21.5-2.37 , private-registry/harbor-nginx:latest Container Release : 2.37 Severity : moderate Type : security References : 1246090 ----------------------------------------------------------------- The container private-registry/harbor-nginx was updated. 
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:3039-1 Released: Mon Sep 1 15:56:28 2025 Summary: Recommended update for nginx Type: security Severity: moderate References: 1246090 This update for nginx fixes the following issues: - Drop root privileges while running logrotate (bsc#1246090) The following package changes have been done: - nginx-1.21.5-150600.10.9.1 updated From sle-container-updates at lists.suse.com Tue Sep 2 07:03:49 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Tue, 2 Sep 2025 09:03:49 +0200 (CEST) Subject: SUSE-CU-2025:6690-1: Security update of private-registry/harbor-portal Message-ID: <20250902070349.3EA4FFF9D@maintenance.suse.de> SUSE Container Update Advisory: private-registry/harbor-portal ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:6690-1 Container Tags : private-registry/harbor-portal:2.13 , private-registry/harbor-portal:2.13.2 , private-registry/harbor-portal:2.13.2-3.3 , private-registry/harbor-portal:latest Container Release : 3.3 Severity : moderate Type : security References : 1246090 ----------------------------------------------------------------- The container private-registry/harbor-portal was updated.
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:3039-1 Released: Mon Sep 1 15:56:28 2025 Summary: Recommended update for nginx Type: security Severity: moderate References: 1246090 This update for nginx fixes the following issues: - Drop root privileges while running logrotate (bsc#1246090) The following package changes have been done: - nginx-1.21.5-150600.10.9.1 updated From sle-container-updates at lists.suse.com Tue Sep 2 07:07:51 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Tue, 2 Sep 2025 09:07:51 +0200 (CEST) Subject: SUSE-CU-2025:6691-1: Security update of bci/python Message-ID: <20250902070751.5EC67FF9D@maintenance.suse.de> SUSE Container Update Advisory: bci/python ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:6691-1 Container Tags : bci/python:3 , bci/python:3.12 , bci/python:3.12.11 , bci/python:3.12.11-72.25 Container Release : 72.25 Severity : important Type : security References : 1212476 1216545 1218588 1218664 1243197 1245938 1245939 1245942 1245943 1245946 CVE-2025-27613 CVE-2025-27614 CVE-2025-46835 CVE-2025-48384 CVE-2025-48385 ----------------------------------------------------------------- The container bci/python was updated.
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:3012-1 Released: Fri Aug 29 02:07:38 2025 Summary: security update for git, git-lfs, obs-scm-bridge, python-PyYAML Type: security Severity: important References: 1212476,1216545,1218588,1218664,1243197,1245938,1245939,1245942,1245943,1245946,CVE-2025-27613,CVE-2025-27614,CVE-2025-46835,CVE-2025-48384,CVE-2025-48385 This update for git, git-lfs, obs-scm-bridge, python-PyYAML fixes the following issues: git was updated from version 2.43.0 to 2.51.0 (bsc#1243197): - Security issues fixed: * CVE-2025-27613 Fixed arbitrary writable file creation and truncation in Gitk (bsc#1245938) * CVE-2025-27614 Fixed arbitrary script execution via repository cloning in gitk (bsc#1245939) * CVE-2025-46835 Fixed arbitrary writable file creation in Git GUI when untrusted repository is cloned (bsc#1245942) * CVE-2025-48384 Fixed the unintentional execution of a script after checkout due to CRLF transforming (bsc#1245943) * CVE-2025-48385 Fixed arbitrary code execution due to protocol injection via fetching advertised bundle (bsc#1245946) - Other changes and bugs fixed: * Added SHA256 support (bsc#1243197) * Git moved to /usr/libexec/git/git and updated AppArmor profile accordingly (bsc#1218588) * gitweb AppArmor profile: allow reading etc/gitweb-common.conf (bsc#1218664) * Do not replace apparmor configuration (bsc#1216545) * Fixed the Python version required (bsc#1212476) - Version Updates Release Notes: * https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.51.0.adoc * https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.50.1.adoc * https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.50.0.adoc * https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.49.0.adoc *
https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.48.1.adoc * https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.48.0.adoc * https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.47.1.adoc * https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.47.0.adoc * https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.46.2.adoc * https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.46.1.adoc * https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.46.0.adoc * https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.45.3.adoc * https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.45.2.adoc * https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.45.1.adoc * https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.45.0.adoc * https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.44.0.adoc * https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.43.3.adoc * https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.43.2.adoc * https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.43.1.adoc git-lfs is included in version 3.7.0. python-PyYAML was updated from version 6.0.1 to 6.0.2: - Added support for Cython 3.x and Python 3.13 obs-scm-bridge was updated from version 0.5.4 to 0.7.4: - New Features and Improvements: * Manifest File Support: Support has been added for a `_manifest` file, which serves as a successor to the `_subdirs` file. * Control Over Git Information: A new noobsinfo query parameter was added to hide git information in source and binary files. * Enhanced Submodule Handling: The system now records the configured branch of submodules and stays on that branch during checkout.
* Git SHA Tracking: In project mode, the tool now uses git SHA sums instead of md5sum to track package sources. * SSH URL Support: ssh:// SCM URLs can now be used. * Improved Error Messages: Error reporting for invalid files within package subdirectories has been improved. * Standardized Config Location: In project mode, the _config file is now always located in the top-level directory, even when using subdirs. * Reduced Unnecessary Changes: In project mode, unnecessary modifications to the package meta URL are now avoided. * Limit Asset Handling: A new mechanism has been introduced to limit how assets are handled. * Branch Information Export: The trackingbranch is now exported to scmsync.obsinfo. - Bugs fixed: * Syntax Fix: A syntax issue was corrected. * Git Submodule Parsing: The .gitsubmodule parser was fixed to correctly handle files that contain a mix of spaces and tabs. The following package changes have been done: - git-core-2.51.0-150600.3.12.1 updated From sle-container-updates at lists.suse.com Tue Sep 2 07:09:25 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Tue, 2 Sep 2025 09:09:25 +0200 (CEST) Subject: SUSE-CU-2025:6692-1: Security update of suse/nginx Message-ID: <20250902070925.E5E39FF9D@maintenance.suse.de> SUSE Container Update Advisory: suse/nginx ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:6692-1 Container Tags : suse/nginx:1.21 , suse/nginx:1.21-62.22 , suse/nginx:latest Container Release : 62.22 Severity : moderate Type : security References : 1246090 ----------------------------------------------------------------- The container suse/nginx was updated. 
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:3039-1 Released: Mon Sep 1 15:56:28 2025 Summary: Recommended update for nginx Type: security Severity: moderate References: 1246090 This update for nginx fixes the following issues: - Drop root privileges while running logrotate (bsc#1246090) The following package changes have been done: - nginx-1.21.5-150600.10.9.1 updated From sle-container-updates at lists.suse.com Tue Sep 2 07:09:39 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Tue, 2 Sep 2025 09:09:39 +0200 (CEST) Subject: SUSE-CU-2025:6693-1: Security update of bci/python Message-ID: <20250902070939.20520FF9D@maintenance.suse.de> SUSE Container Update Advisory: bci/python ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:6693-1 Container Tags : bci/python:3 , bci/python:3.11 , bci/python:3.11.13 , bci/python:3.11.13-74.22 Container Release : 74.22 Severity : important Type : security References : 1212476 1216545 1218588 1218664 1243197 1245938 1245939 1245942 1245943 1245946 CVE-2025-27613 CVE-2025-27614 CVE-2025-46835 CVE-2025-48384 CVE-2025-48385 ----------------------------------------------------------------- The container bci/python was updated.
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:3012-1 Released: Fri Aug 29 02:07:38 2025 Summary: security update for git, git-lfs, obs-scm-bridge, python-PyYAML Type: security Severity: important References: 1212476,1216545,1218588,1218664,1243197,1245938,1245939,1245942,1245943,1245946,CVE-2025-27613,CVE-2025-27614,CVE-2025-46835,CVE-2025-48384,CVE-2025-48385 This update for git, git-lfs, obs-scm-bridge, python-PyYAML fixes the following issues: git was updated from version 2.43.0 to 2.51.0 (bsc#1243197): - Security issues fixed: * CVE-2025-27613 Fixed arbitrary writable file creation and truncation in Gitk (bsc#1245938) * CVE-2025-27614 Fixed arbitrary script execution via repository cloning in gitk (bsc#1245939) * CVE-2025-46835 Fixed arbitrary writable file creation in Git GUI when untrusted repository is cloned (bsc#1245942) * CVE-2025-48384 Fixed the unintentional execution of a script after checkout due to CRLF transforming (bsc#1245943) * CVE-2025-48385 Fixed arbitrary code execution due to protocol injection via fetching advertised bundle (bsc#1245946) - Other changes and bugs fixed: * Added SHA256 support (bsc#1243197) * Git moved to /usr/libexec/git/git and updated AppArmor profile accordingly (bsc#1218588) * gitweb AppArmor profile: allow reading etc/gitweb-common.conf (bsc#1218664) * Do not replace apparmor configuration (bsc#1216545) * Fixed the Python version required (bsc#1212476) - Version Updates Release Notes: * https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.51.0.adoc * https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.50.1.adoc * https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.50.0.adoc * https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.49.0.adoc *
https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.48.1.adoc * https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.48.0.adoc * https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.47.1.adoc * https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.47.0.adoc * https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.46.2.adoc * https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.46.1.adoc * https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.46.0.adoc * https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.45.3.adoc * https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.45.2.adoc * https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.45.1.adoc * https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.45.0.adoc * https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.44.0.adoc * https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.43.3.adoc * https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.43.2.adoc * https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.43.1.adoc git-lfs is included in version 3.7.0. python-PyYAML was updated from version 6.0.1 to 6.0.2: - Added support for Cython 3.x and Python 3.13 obs-scm-bridge was updated from version 0.5.4 to 0.7.4: - New Features and Improvements: * Manifest File Support: Support has been added for a `_manifest` file, which serves as a successor to the `_subdirs` file. * Control Over Git Information: A new noobsinfo query parameter was added to hide git information in source and binary files. * Enhanced Submodule Handling: The system now records the configured branch of submodules and stays on that branch during checkout.
* Git SHA Tracking: In project mode, the tool now uses git SHA sums instead of md5sum to track package sources. * SSH URL Support: ssh:// SCM URLs can now be used. * Improved Error Messages: Error reporting for invalid files within package subdirectories has been improved. * Standardized Config Location: In project mode, the _config file is now always located in the top-level directory, even when using subdirs. * Reduced Unnecessary Changes: In project mode, unnecessary modifications to the package meta URL are now avoided. * Limit Asset Handling: A new mechanism has been introduced to limit how assets are handled. * Branch Information Export: The trackingbranch is now exported to scmsync.obsinfo. - Bugs fixed: * Syntax Fix: A syntax issue was corrected. * Git Submodule Parsing: The .gitsubmodule parser was fixed to correctly handle files that contain a mix of spaces and tabs. The following package changes have been done: - git-core-2.51.0-150600.3.12.1 updated From sle-container-updates at lists.suse.com Tue Sep 2 07:09:55 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Tue, 2 Sep 2025 09:09:55 +0200 (CEST) Subject: SUSE-CU-2025:6694-1: Security update of bci/python Message-ID: <20250902070955.B3B9DFF9D@maintenance.suse.de> SUSE Container Update Advisory: bci/python ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:6694-1 Container Tags : bci/python:3 , bci/python:3.6 , bci/python:3.6.15 , bci/python:3.6.15-73.23 Container Release : 73.23 Severity : important Type : security References : 1212476 1216545 1218588 1218664 1243197 1245938 1245939 1245942 1245943 1245946 CVE-2025-27613 CVE-2025-27614 CVE-2025-46835 CVE-2025-48384 CVE-2025-48385 ----------------------------------------------------------------- The container bci/python was updated. 
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:3012-1 Released: Fri Aug 29 02:07:38 2025 Summary: security update for git, git-lfs, obs-scm-bridge, python-PyYAML Type: security Severity: important References: 1212476,1216545,1218588,1218664,1243197,1245938,1245939,1245942,1245943,1245946,CVE-2025-27613,CVE-2025-27614,CVE-2025-46835,CVE-2025-48384,CVE-2025-48385 This update for git, git-lfs, obs-scm-bridge, python-PyYAML fixes the following issues: git was updated from version 2.43.0 to 2.51.0 (bsc#1243197): - Security issues fixed: * CVE-2025-27613 Fixed arbitrary writable file creation and truncation in Gitk (bsc#1245938) * CVE-2025-27614 Fixed arbitrary script execution via repository cloning in gitk (bsc#1245939) * CVE-2025-46835 Fixed arbitrary writable file creation in Git GUI when untrusted repository is cloned (bsc#1245942) * CVE-2025-48384 Fixed the unintentional execution of a script after checkout due to CRLF transforming (bsc#1245943) * CVE-2025-48385 Fixed arbitrary code execution due to protocol injection via fetching advertised bundle (bsc#1245946) - Other changes and bugs fixed: * Added SHA256 support (bsc#1243197) * Git moved to /usr/libexec/git/git and updated AppArmor profile accordingly (bsc#1218588) * gitweb AppArmor profile: allow reading etc/gitweb-common.conf (bsc#1218664) * Do not replace apparmor configuration (bsc#1216545) * Fixed the Python version required (bsc#1212476) - Version Updates Release Notes: * https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.51.0.adoc * https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.50.1.adoc * https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.50.0.adoc * https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.49.0.adoc *
https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.48.1.adoc * https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.48.0.adoc * https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.47.1.adoc * https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.47.0.adoc * https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.46.2.adoc * https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.46.1.adoc * https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.46.0.adoc * https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.45.3.adoc * https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.45.2.adoc * https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.45.1.adoc * https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.45.0.adoc * https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.44.0.adoc * https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.43.3.adoc * https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.43.2.adoc * https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.43.1.adoc git-lfs is included in version 3.7.0. python-PyYAML was updated from version 6.0.1 to 6.0.2: - Added support for Cython 3.x and Python 3.13 obs-scm-bridge was updated from version 0.5.4 to 0.7.4: - New Features and Improvements: * Manifest File Support: Support has been added for a `_manifest` file, which serves as a successor to the `_subdirs` file. * Control Over Git Information: A new noobsinfo query parameter was added to hide git information in source and binary files. * Enhanced Submodule Handling: The system now records the configured branch of submodules and stays on that branch during checkout.
* Git SHA Tracking: In project mode, the tool now uses git SHA sums instead of md5sum to track package sources. * SSH URL Support: ssh:// SCM URLs can now be used. * Improved Error Messages: Error reporting for invalid files within package subdirectories has been improved. * Standardized Config Location: In project mode, the _config file is now always located in the top-level directory, even when using subdirs. * Reduced Unnecessary Changes: In project mode, unnecessary modifications to the package meta URL are now avoided. * Limit Asset Handling: A new mechanism has been introduced to limit how assets are handled. * Branch Information Export: The trackingbranch is now exported to scmsync.obsinfo. - Bugs fixed: * Syntax Fix: A syntax issue was corrected. * Git Submodule Parsing: The .gitsubmodule parser was fixed to correctly handle files that contain a mix of spaces and tabs. The following package changes have been done: - git-core-2.51.0-150600.3.12.1 updated From sle-container-updates at lists.suse.com Wed Sep 3 07:07:35 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Wed, 3 Sep 2025 09:07:35 +0200 (CEST) Subject: SUSE-IU-2025:2406-1: Recommended update of suse/sle-micro/5.5 Message-ID: <20250903070735.5DAA9FF9D@maintenance.suse.de> SUSE Image Update Advisory: suse/sle-micro/5.5 ----------------------------------------------------------------- Image Advisory ID : SUSE-IU-2025:2406-1 Image Tags : suse/sle-micro/5.5:2.0.4 , suse/sle-micro/5.5:2.0.4-5.5.364 , suse/sle-micro/5.5:latest Image Release : 5.5.364 Severity : moderate Type : recommended References : 1207054 1207077 1221720 1227442 1248171 1248201 ----------------------------------------------------------------- The container suse/sle-micro/5.5 was updated. 
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:3042-1 Released: Tue Sep 2 11:19:19 2025 Summary: Recommended update for container-selinux Type: recommended Severity: moderate References: 1207054,1207077,1221720,1227442,1248171,1248201 This update for container-selinux fixes the following issues: Update to version 2.236.0: * Allow super privileged containers to use RealtimeKit for scheduling * Add container_ro_file_t to the podman artifact store Update to version 2.235.0: * container_log{reader,writer}_t: allow watch file * Enable aarch64 testing * TMT: simplify podman tests * feat: support /var/lib/crio Update to version 2.234.2: * TMT: enable epel idiomatically * Packit: switch back to fedora-all * RPM: Bump Epoch to 4 * rpm: ship manpage * Add proper labeling for RamaLama * Packit: remove rhel / epel jobs * packit: remove unused file Update to version 2.233.0: * container_engine_t: small change to allow non root exec in a container * RPM: explicitly list ghosted paths and skip mode verification * container-selinux install on non selinux-policy-targeted systems (#332) * set container_log_t type for /var/log/kube-apiserver * Allow kubelet_t to create a sock file kubelet_var_lib_t * dontaudit spc_t to mmap_zero * Packit: update targets (#330) * container_engine_t: another round of small improvements (#327) * Allow container_device_plugin_t to use the network (#325) * RPM: cleanup changelog (#324) * TMT: Simplify tests Update to version 2.232.1: * TMT: fix srpm download syntax on rawhide * Packit: remove `update_release` key from downstream jobs (#313) * Update container-selinux.8 man page * Add ownership of /usr/share/udica (#312) * Packit/TMT: upstream maintenance of downstream gating tests * extend container_engine_t again * Allow spc_t to use localectl * Allow spc_t to use timedatectl * introduce container_use_xserver_devices boolean to allow GPU access Update to
version 2.231.0: * Allow container domains to communicate with spc_t unix_stream_sockets * Move to %posttrans to ensure selinux-policy got updated before the commands run (bsc#1221720) * Rename all /var/run file context entries to /run Update to version 2.230.0 (bsc#1248201): * Move to tar_scm based packaging: added _service and _servicedata * Allow containers to unmount file systems * Add buildah as a container_runtime_exec_t label * Additional rules for container_user_t * improve container_engine_t Update to version 2.228: * Allow container domains to watch fifo_files * container_engine_t: improve for podman in kubernetes case * Allow spc_t to transition to install_t domain * Default to allowing containers to use dri devices * Allow access to BPF Filesystems * Fix kubernetes transition rule * Label kubensenter as well as kubenswrapper * Allow container domains to execute container_runtime_tmpfs_t files * Allow container domains to ptrace themselves * Allow container domains to use container_runtime_tmpfs_t as an entrypoint * Add boolean to allow containers to use dri devices * Give containers access to pod resources endpoint * Label kubenswrapper kubelet_exec_t Update to version 2.222: * Allow containers to read/write inherited dri devices Update to version 2.221 (bsc#1248171): * Allow containers to shutdown sockets inherited from container runtimes * Allow spc_t to use execmod libraries on container file systems * Add boolean to allow containers to read all cert files * More MLS Policy allow rules * Allow container runtimes using pasta bind icmp_socket to port_t * Fix spc_t transitions from container_runtime_domain Update to version 2.215.0: * Add some MLS rules to policy * Allow container runtime to dyntransition to spc_t * Tighten controls on confined users * Add labels for /var/lib/shared * Cleanup entrypoint definitions * Allow container_device_plugin_t access to debugfs * Allow containers which use devices to map them Update to version 2.211.0: * Don't 
transition to initrc_t domains from spc_t * Add tunable to allow sshd_t to launch container engines * Allow syslogd_t getattr on inherited runtime tmpfs files * Add container_file_t and container_ro_file_t as user_home_type * Set default context for local-path-provisioner * Allow daemon to send dbus messages to spc_t by Update to version 2.206.0: * Allow unconfined domains to transition to container_runtime_t * Allow container domains to transition to install_t * Allow avirt_sandbox_domain to manage container_file_t types * Allow containers to watch sysfs_t directories * Allow spc_t to transition to rpm_script_t * Add support to new user_namespace access check * Smaller permission changes for container_init_t Update to version 2.198.0: * Fix spc_t transition rules on tmpfs_t Changes from 2.197.0: * Add boolean containers_use_ecryptfs policy Changes from 2.195.1: * Readd missing allow rules for container_t Changes from 2.194.0: * Allow syslogd_t to use tmpfs files created by container runtime Changes from 2.193.0: * Allow containers to mount tmpfs_t file systems * Label spc_t as a init initrc daemon * Allow userdomains to run containers Changes from 2.191.0: * Create container_logwriter_t type Changes from 2.190.1: * Support BuildKit * container.fc: Set label for kata-agent * support nerdctl Changes from 2.190.0: * Packit: initial enablement * Allow iptables to list directories labeled as container_file_t (bsc#1227442) Changes from 2.189.0: * Don't audit searching other processes in /proc.
- Allow privileged containers to use localectl (bsc#1207077) - Allow privileged containers to use timedatectl (bsc#1207054) The following package changes have been done: - container-selinux-2.236.0-150500.3.6.1 updated From sle-container-updates at lists.suse.com Wed Sep 3 07:13:51 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Wed, 3 Sep 2025 09:13:51 +0200 (CEST) Subject: SUSE-CU-2025:6701-1: Security update of bci/nodejs Message-ID: <20250903071352.07CB7FBA1@maintenance.suse.de> SUSE Container Update Advisory: bci/nodejs ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:6701-1 Container Tags : bci/node:20 , bci/node:20.19.2 , bci/node:20.19.2-55.26 , bci/nodejs:20 , bci/nodejs:20.19.2 , bci/nodejs:20.19.2-55.26 Container Release : 55.26 Severity : important Type : security References : 1212476 1216545 1218588 1218664 1243197 1245938 1245939 1245942 1245943 1245946 CVE-2025-27613 CVE-2025-27614 CVE-2025-46835 CVE-2025-48384 CVE-2025-48385 ----------------------------------------------------------------- The container bci/nodejs was updated. 
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:3012-1 Released: Fri Aug 29 02:07:38 2025 Summary: security update for git, git-lfs, obs-scm-bridge, python-PyYAML Type: security Severity: important References: 1212476,1216545,1218588,1218664,1243197,1245938,1245939,1245942,1245943,1245946,CVE-2025-27613,CVE-2025-27614,CVE-2025-46835,CVE-2025-48384,CVE-2025-48385 This update for git, git-lfs, obs-scm-bridge, python-PyYAML fixes the following issues: git was updated from version 2.43.0 to 2.51.0 (bsc#1243197): - Security issues fixed: * CVE-2025-27613 Fixed arbitrary writable file creation and truncation in Gitk (bsc#1245938) * CVE-2025-27614 Fixed arbitrary script execution via repository cloning in gitk (bsc#1245939) * CVE-2025-46835 Fixed arbitrary writable file creation in Git GUI when untrusted repository is cloned (bsc#1245942) * CVE-2025-48384 Fixed the unintentional execution of a script after checkout due to CRLF transforming (bsc#1245943) * CVE-2025-48385 Fixed arbitrary code execution due to protocol injection via fetching advertised bundle (bsc#1245946) - Other changes and bugs fixed: * Added SHA256 support (bsc#1243197) * Git moved to /usr/libexec/git/git and updated AppArmor profile accordingly (bsc#1218588) * gitweb AppArmor profile: allow reading etc/gitweb-common.conf (bsc#1218664) * Do not replace apparmor configuration (bsc#1216545) * Fixed the Python version required (bsc#1212476) - Version Updates Release Notes: * https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.51.0.adoc * https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.50.1.adoc * https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.50.0.adoc * https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.49.0.adoc *
https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.48.1.adoc * https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.48.0.adoc * https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.47.1.adoc * https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.47.0.adoc * https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.46.2.adoc * https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.46.1.adoc * https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.46.0.adoc * https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.45.3.adoc * https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.45.2.adoc * https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.45.1.adoc * https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.45.0.adoc * https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.44.0.adoc * https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.43.3.adoc * https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.43.2.adoc * https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.43.1.adoc git-lfs is included in version 3.7.0. python-PyYAML was updated from version 6.0.1 to 6.0.2: - Added support for Cython 3.x and Python 3.13 obs-scm-bridge was updated from version 0.5.4 to 0.7.4: - New Features and Improvements: * Manifest File Support: Support has been added for a `_manifest` file, which serves as a successor to the `_subdirs` file. * Control Over Git Information: A new noobsinfo query parameter was added to hide git information in source and binary files. * Enhanced Submodule Handling: The system now records the configured branch of submodules and stays on that branch during checkout.
* Git SHA Tracking: In project mode, the tool now uses git SHA sums instead of md5sum to track package sources. * SSH URL Support: ssh:// SCM URLs can now be used. * Improved Error Messages: Error reporting for invalid files within package subdirectories has been improved. * Standardized Config Location: In project mode, the _config file is now always located in the top-level directory, even when using subdirs. * Reduced Unnecessary Changes: In project mode, unnecessary modifications to the package meta URL are now avoided. * Limit Asset Handling: A new mechanism has been introduced to limit how assets are handled. * Branch Information Export: The trackingbranch is now exported to scmsync.obsinfo. - Bugs fixed: * Syntax Fix: A syntax issue was corrected. * Git Submodule Parsing: The .gitsubmodule parser was fixed to correctly handle files that contain a mix of spaces and tabs. The following package changes have been done: - git-core-2.51.0-150600.3.12.1 updated From sle-container-updates at lists.suse.com Wed Sep 3 07:16:24 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Wed, 3 Sep 2025 09:16:24 +0200 (CEST) Subject: SUSE-CU-2025:6704-1: Security update of bci/golang Message-ID: <20250903071624.74DDFFF9E@maintenance.suse.de> SUSE Container Update Advisory: bci/golang ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:6704-1 Container Tags : bci/golang:1.24 , bci/golang:1.24.6 , bci/golang:1.24.6-2.71.4 , bci/golang:oldstable , bci/golang:oldstable-2.71.4 Container Release : 71.4 Severity : important Type : security References : 1212476 1216545 1218588 1218664 1243197 1245938 1245939 1245942 1245943 1245946 CVE-2025-27613 CVE-2025-27614 CVE-2025-46835 CVE-2025-48384 CVE-2025-48385 ----------------------------------------------------------------- The container bci/golang was updated. 
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:3012-1 Released: Fri Aug 29 02:07:38 2025 Summary: security update for git, git-lfs, obs-scm-bridge, python-PyYAML Type: security Severity: important References: 1212476,1216545,1218588,1218664,1243197,1245938,1245939,1245942,1245943,1245946,CVE-2025-27613,CVE-2025-27614,CVE-2025-46835,CVE-2025-48384,CVE-2025-48385 This update for git, git-lfs, obs-scm-bridge, python-PyYAML fixes the following issues: git was updated from version 2.43.0 to 2.51.0 (bsc#1243197): - Security issues fixed: * CVE-2025-27613 Fixed arbitrary writable file creation and truncation in Gitk (bsc#1245938) * CVE-2025-27614 Fixed arbitrary script execution via repository cloning in gitk (bsc#1245939) * CVE-2025-46835 Fixed arbitrary writable file creation in Git GUI when untrusted repository is cloned (bsc#1245942) * CVE-2025-48384 Fixed the unintentional execution of a script after checkout due to CRLF transforming (bsc#1245943) * CVE-2025-48385 Fixed arbitrary code execution due to protocol injection via fetching advertised bundle (bsc#1245946) - Other changes and bugs fixed: * Added SHA256 support (bsc#1243197) * Git moved to /usr/libexec/git/git and updated AppArmor profile accordingly (bsc#1218588) * gitweb AppArmor profile: allow reading etc/gitweb-common.conf (bsc#1218664) * Do not replace apparmor configuration (bsc#1216545) * Fixed the Python version required (bsc#1212476) - Version Updates Release Notes: * https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.51.0.adoc * https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.50.1.adoc * https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.50.0.adoc * https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.49.0.adoc *
https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.48.1.adoc * https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.48.0.adoc * https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.47.1.adoc * https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.47.0.adoc * https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.46.2.adoc * https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.46.1.adoc * https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.46.0.adoc * https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.45.3.adoc * https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.45.2.adoc * https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.45.1.adoc * https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.45.0.adoc * https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.44.0.adoc * https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.43.3.adoc * https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.43.2.adoc * https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.43.1.adoc git-lfs is included in version 3.7.0. python-PyYAML was updated from version 6.0.1 to 6.0.2: - Added support for Cython 3.x and Python 3.13 obs-scm-bridge was updated from version 0.5.4 to 0.7.4: - New Features and Improvements: * Manifest File Support: Support has been added for a `_manifest` file, which serves as a successor to the `_subdirs` file. * Control Over Git Information: A new noobsinfo query parameter was added to hide git information in source and binary files. * Enhanced Submodule Handling: The system now records the configured branch of submodules and stays on that branch during checkout.
* Git SHA Tracking: In project mode, the tool now uses git SHA sums instead of md5sum to track package sources. * SSH URL Support: ssh:// SCM URLs can now be used. * Improved Error Messages: Error reporting for invalid files within package subdirectories has been improved. * Standardized Config Location: In project mode, the _config file is now always located in the top-level directory, even when using subdirs. * Reduced Unnecessary Changes: In project mode, unnecessary modifications to the package meta URL are now avoided. * Limit Asset Handling: A new mechanism has been introduced to limit how assets are handled. * Branch Information Export: The trackingbranch is now exported to scmsync.obsinfo. - Bugs fixed: * Syntax Fix: A syntax issue was corrected. * Git Submodule Parsing: The .gitsubmodule parser was fixed to correctly handle files that contain a mix of spaces and tabs. The following package changes have been done: - git-core-2.51.0-150600.3.12.1 updated From sle-container-updates at lists.suse.com Wed Sep 3 07:16:37 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Wed, 3 Sep 2025 09:16:37 +0200 (CEST) Subject: SUSE-CU-2025:6705-1: Security update of bci/golang Message-ID: <20250903071637.0FED1FF9E@maintenance.suse.de> SUSE Container Update Advisory: bci/golang ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:6705-1 Container Tags : bci/golang:1.25 , bci/golang:1.25.0 , bci/golang:1.25.0-1.71.4 , bci/golang:latest , bci/golang:stable , bci/golang:stable-1.71.4 Container Release : 71.4 Severity : important Type : security References : 1212476 1216545 1218588 1218664 1243197 1245938 1245939 1245942 1245943 1245946 CVE-2025-27613 CVE-2025-27614 CVE-2025-46835 CVE-2025-48384 CVE-2025-48385 ----------------------------------------------------------------- The container bci/golang was updated. 
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:3012-1 Released: Fri Aug 29 02:07:38 2025 Summary: security update for git, git-lfs, obs-scm-bridge, python-PyYAML Type: security Severity: important References: 1212476,1216545,1218588,1218664,1243197,1245938,1245939,1245942,1245943,1245946,CVE-2025-27613,CVE-2025-27614,CVE-2025-46835,CVE-2025-48384,CVE-2025-48385 This update for git, git-lfs, obs-scm-bridge, python-PyYAML fixes the following issues: git was updated from version 2.43.0 to 2.51.0 (bsc#1243197): - Security issues fixed: * CVE-2025-27613 Fixed arbitrary writable file creation and truncation in Gitk (bsc#1245938) * CVE-2025-27614 Fixed arbitrary script execution via repository cloning in gitk (bsc#1245939) * CVE-2025-46835 Fixed arbitrary writable file creation in Git GUI when untrusted repository is cloned (bsc#1245942) * CVE-2025-48384 Fixed the unintentional execution of a script after checkout due to CRLF transforming (bsc#1245943) * CVE-2025-48385 Fixed arbitrary code execution due to protocol injection via fetching advertised bundle (bsc#1245946) - Other changes and bugs fixed: * Added SHA256 support (bsc#1243197) * Git moved to /usr/libexec/git/git and updated AppArmor profile accordingly (bsc#1218588) * gitweb AppArmor profile: allow reading etc/gitweb-common.conf (bsc#1218664) * Do not replace apparmor configuration (bsc#1216545) * Fixed the Python version required (bsc#1212476) - Version Updates Release Notes: * https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.51.0.adoc * https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.50.1.adoc * https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.50.0.adoc * https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.49.0.adoc *
https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.48.1.adoc * https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.48.0.adoc * https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.47.1.adoc * https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.47.0.adoc * https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.46.2.adoc * https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.46.1.adoc * https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.46.0.adoc * https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.45.3.adoc * https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.45.2.adoc * https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.45.1.adoc * https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.45.0.adoc * https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.44.0.adoc * https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.43.3.adoc * https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.43.2.adoc * https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.43.1.adoc git-lfs is included in version 3.7.0. python-PyYAML was updated from version 6.0.1 to 6.0.2: - Added support for Cython 3.x and Python 3.13 obs-scm-bridge was updated from version 0.5.4 to 0.7.4: - New Features and Improvements: * Manifest File Support: Support has been added for a `_manifest` file, which serves as a successor to the `_subdirs` file. * Control Over Git Information: A new noobsinfo query parameter was added to hide git information in source and binary files. * Enhanced Submodule Handling: The system now records the configured branch of submodules and stays on that branch during checkout.
* Git SHA Tracking: In project mode, the tool now uses git SHA sums instead of md5sum to track package sources. * SSH URL Support: ssh:// SCM URLs can now be used. * Improved Error Messages: Error reporting for invalid files within package subdirectories has been improved. * Standardized Config Location: In project mode, the _config file is now always located in the top-level directory, even when using subdirs. * Reduced Unnecessary Changes: In project mode, unnecessary modifications to the package meta URL are now avoided. * Limit Asset Handling: A new mechanism has been introduced to limit how assets are handled. * Branch Information Export: The trackingbranch is now exported to scmsync.obsinfo. - Bugs fixed: * Syntax Fix: A syntax issue was corrected. * Git Submodule Parsing: The .gitsubmodule parser was fixed to correctly handle files that contain a mix of spaces and tabs. The following package changes have been done: - git-core-2.51.0-150600.3.12.1 updated From sle-container-updates at lists.suse.com Wed Sep 3 07:16:51 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Wed, 3 Sep 2025 09:16:51 +0200 (CEST) Subject: SUSE-CU-2025:6706-1: Security update of bci/golang Message-ID: <20250903071651.31DF6FF9E@maintenance.suse.de> SUSE Container Update Advisory: bci/golang ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:6706-1 Container Tags : bci/golang:1.24-openssl , bci/golang:1.24.3-openssl , bci/golang:1.24.3-openssl-73.15 , bci/golang:latest , bci/golang:stable-openssl , bci/golang:stable-openssl-73.15 Container Release : 73.15 Severity : important Type : security References : 1212476 1216545 1218588 1218664 1243197 1245938 1245939 1245942 1245943 1245946 CVE-2025-27613 CVE-2025-27614 CVE-2025-46835 CVE-2025-48384 CVE-2025-48385 ----------------------------------------------------------------- The container bci/golang was updated. 
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:3012-1 Released: Fri Aug 29 02:07:38 2025 Summary: security update for git, git-lfs, obs-scm-bridge, python-PyYAML Type: security Severity: important References: 1212476,1216545,1218588,1218664,1243197,1245938,1245939,1245942,1245943,1245946,CVE-2025-27613,CVE-2025-27614,CVE-2025-46835,CVE-2025-48384,CVE-2025-48385 This update for git, git-lfs, obs-scm-bridge, python-PyYAML fixes the following issues: git was updated from version 2.43.0 to 2.51.0 (bsc#1243197): - Security issues fixed: * CVE-2025-27613 Fixed arbitrary writable file creation and truncation in Gitk (bsc#1245938) * CVE-2025-27614 Fixed arbitrary script execution via repository cloning in gitk (bsc#1245939) * CVE-2025-46835 Fixed arbitrary writable file creation in Git GUI when untrusted repository is cloned (bsc#1245942) * CVE-2025-48384 Fixed the unintentional execution of a script after checkout due to CRLF transforming (bsc#1245943) * CVE-2025-48385 Fixed arbitrary code execution due to protocol injection via fetching advertised bundle (bsc#1245946) - Other changes and bugs fixed: * Added SHA256 support (bsc#1243197) * Git moved to /usr/libexec/git/git and updated AppArmor profile accordingly (bsc#1218588) * gitweb AppArmor profile: allow reading etc/gitweb-common.conf (bsc#1218664) * Do not replace apparmor configuration (bsc#1216545) * Fixed the Python version required (bsc#1212476) - Version Updates Release Notes: * https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.51.0.adoc * https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.50.1.adoc * https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.50.0.adoc * https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.49.0.adoc *
https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.48.1.adoc * https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.48.0.adoc * https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.47.1.adoc * https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.47.0.adoc * https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.46.2.adoc * https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.46.1.adoc * https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.46.0.adoc * https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.45.3.adoc * https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.45.2.adoc * https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.45.1.adoc * https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.45.0.adoc * https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.44.0.adoc * https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.43.3.adoc * https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.43.2.adoc * https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.43.1.adoc git-lfs is included in version 3.7.0. python-PyYAML was updated from version 6.0.1 to 6.0.2: - Added support for Cython 3.x and Python 3.13 obs-scm-bridge was updated from version 0.5.4 to 0.7.4: - New Features and Improvements: * Manifest File Support: Support has been added for a `_manifest` file, which serves as a successor to the `_subdirs` file. * Control Over Git Information: A new noobsinfo query parameter was added to hide git information in source and binary files. * Enhanced Submodule Handling: The system now records the configured branch of submodules and stays on that branch during checkout.
* Git SHA Tracking: In project mode, the tool now uses git SHA sums instead of md5sum to track package sources. * SSH URL Support: ssh:// SCM URLs can now be used. * Improved Error Messages: Error reporting for invalid files within package subdirectories has been improved. * Standardized Config Location: In project mode, the _config file is now always located in the top-level directory, even when using subdirs. * Reduced Unnecessary Changes: In project mode, unnecessary modifications to the package meta URL are now avoided. * Limit Asset Handling: A new mechanism has been introduced to limit how assets are handled. * Branch Information Export: The trackingbranch is now exported to scmsync.obsinfo. - Bugs fixed: * Syntax Fix: A syntax issue was corrected. * Git Submodule Parsing: The .gitsubmodule parser was fixed to correctly handle files that contain a mix of spaces and tabs. The following package changes have been done: - git-core-2.51.0-150600.3.12.1 updated From sle-container-updates at lists.suse.com Wed Sep 3 07:17:14 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Wed, 3 Sep 2025 09:17:14 +0200 (CEST) Subject: SUSE-CU-2025:6708-1: Security update of bci/openjdk Message-ID: <20250903071714.A8D6DFF9E@maintenance.suse.de> SUSE Container Update Advisory: bci/openjdk ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:6708-1 Container Tags : bci/openjdk:21 , bci/openjdk:21.0.8.0 , bci/openjdk:21.0.8.0-11.21 , bci/openjdk:latest Container Release : 11.21 Severity : important Type : security References : 1212476 1216545 1218588 1218664 1243197 1245938 1245939 1245942 1245943 1245946 CVE-2025-27613 CVE-2025-27614 CVE-2025-46835 CVE-2025-48384 CVE-2025-48385 ----------------------------------------------------------------- The container bci/openjdk was updated. 
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:3012-1 Released: Fri Aug 29 02:07:38 2025 Summary: security update for git, git-lfs, obs-scm-bridge, python-PyYAML Type: security Severity: important References: 1212476,1216545,1218588,1218664,1243197,1245938,1245939,1245942,1245943,1245946,CVE-2025-27613,CVE-2025-27614,CVE-2025-46835,CVE-2025-48384,CVE-2025-48385 This update for git, git-lfs, obs-scm-bridge, python-PyYAML fixes the following issues: git was updated from version 2.43.0 to 2.51.0 (bsc#1243197): - Security issues fixed: * CVE-2025-27613 Fixed arbitrary writable file creation and truncation in Gitk (bsc#1245938) * CVE-2025-27614 Fixed arbitrary script execution via repository cloning in gitk (bsc#1245939) * CVE-2025-46835 Fixed arbitrary writable file creation in Git GUI when untrusted repository is cloned (bsc#1245942) * CVE-2025-48384 Fixed the unintentional execution of a script after checkout due to CRLF transforming (bsc#1245943) * CVE-2025-48385 Fixed arbitrary code execution due to protocol injection via fetching advertised bundle (bsc#1245946) - Other changes and bugs fixed: * Added SHA256 support (bsc#1243197) * Git moved to /usr/libexec/git/git and updated AppArmor profile accordingly (bsc#1218588) * gitweb AppArmor profile: allow reading etc/gitweb-common.conf (bsc#1218664) * Do not replace apparmor configuration (bsc#1216545) * Fixed the Python version required (bsc#1212476) - Version Updates Release Notes: * https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.51.0.adoc * https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.50.1.adoc * https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.50.0.adoc * https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.49.0.adoc *
https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.48.1.adoc * https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.48.0.adoc * https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.47.1.adoc * https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.47.0.adoc * https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.46.2.adoc * https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.46.1.adoc * https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.46.0.adoc * https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.45.3.adoc * https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.45.2.adoc * https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.45.1.adoc * https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.45.0.adoc * https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.44.0.adoc * https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.43.3.adoc * https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.43.2.adoc * https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.43.1.adoc git-lfs is included in version 3.7.0. python-PyYAML was updated from version 6.0.1 to 6.0.2: - Added support for Cython 3.x and Python 3.13 obs-scm-bridge was updated from version 0.5.4 to 0.7.4: - New Features and Improvements: * Manifest File Support: Support has been added for a `_manifest` file, which serves as a successor to the `_subdirs` file. * Control Over Git Information: A new noobsinfo query parameter was added to hide git information in source and binary files. * Enhanced Submodule Handling: The system now records the configured branch of submodules and stays on that branch during checkout.
* Git SHA Tracking: In project mode, the tool now uses git SHA sums instead of md5sum to track package sources. * SSH URL Support: ssh:// SCM URLs can now be used. * Improved Error Messages: Error reporting for invalid files within package subdirectories has been improved. * Standardized Config Location: In project mode, the _config file is now always located in the top-level directory, even when using subdirs. * Reduced Unnecessary Changes: In project mode, unnecessary modifications to the package meta URL are now avoided. * Limit Asset Handling: A new mechanism has been introduced to limit how assets are handled. * Branch Information Export: The trackingbranch is now exported to scmsync.obsinfo. - Bugs fixed: * Syntax Fix: A syntax issue was corrected. * Git Submodule Parsing: The .gitsubmodule parser was fixed to correctly handle files that contain a mix of spaces and tabs. The following package changes have been done: - git-core-2.51.0-150600.3.12.1 updated From sle-container-updates at lists.suse.com Wed Sep 3 07:19:33 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Wed, 3 Sep 2025 09:19:33 +0200 (CEST) Subject: SUSE-CU-2025:6713-1: Recommended update of suse/manager/4.3/proxy-httpd Message-ID: <20250903071933.690E9FF9E@maintenance.suse.de> SUSE Container Update Advisory: suse/manager/4.3/proxy-httpd ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:6713-1 Container Tags : suse/manager/4.3/proxy-httpd:4.3.16 , suse/manager/4.3/proxy-httpd:4.3.16.9.67.20 , suse/manager/4.3/proxy-httpd:latest Container Release : 9.67.20 Severity : important Type : recommended References : 1218459 1245220 1245985 1246038 1246149 1246466 1247054 1247690 ----------------------------------------------------------------- The container suse/manager/4.3/proxy-httpd was updated. 
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:2952-1 Released: Thu Aug 21 14:56:24 2025 Summary: Recommended update for libzypp, zypper Type: recommended Severity: important References: 1218459,1245220,1245985,1246038,1246149,1246466,1247054,1247690 This update for libzypp, zypper fixes the following issues: - Fix evaluation of libproxy results (bsc#1247690) - Replace URL variables inside mirrorlist/metalink files - Append RepoInfo::path() to the mirror URLs in Preloader (bsc#1247054) - During installation indicate the backend being used (bsc#1246038) If some package actually needs to know, it should test for ZYPP_CLASSIC_RPMTRANS being set in the environment. Otherwise the transaction is driven by librpm. - Workaround 'rpm -vv' leaving scriptlets /var/tmp (bsc#1218459) - Verbose log libproxy results if PX_DEBUG=1 is set. - BuildRequires: cmake >= 3.17. - Allow explicit request to probe an added repo's URL (bsc#1246466) - Fix tests with -DISABLE_MEDIABACKEND_TESTS=1 - Add runtime check for a broken rpm-4.18.0 --runpostrans (bsc#1246149) - Add regression test for (bsc#1245220) and some other filesize related tests. 
- Fix addrepo to handle explicit --check and --no-check requests (bsc#1246466) - Accept 'show' as alias for 'info' (bsc#1245985) The following package changes have been done: - libzypp-17.37.16-150400.3.142.1 updated - zypper-1.14.93-150400.3.98.2 updated - container:sles15-ltss-image-15.4.0-2.69 updated From sle-container-updates at lists.suse.com Wed Sep 3 07:16:12 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Wed, 3 Sep 2025 09:16:12 +0200 (CEST) Subject: SUSE-CU-2025:6703-1: Security update of bci/gcc Message-ID: <20250903071612.873C9FBA1@maintenance.suse.de> SUSE Container Update Advisory: bci/gcc ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:6703-1 Container Tags : bci/gcc:14 , bci/gcc:14.3 , bci/gcc:14.3-11.20 , bci/gcc:latest Container Release : 11.20 Severity : important Type : security References : 1212476 1216545 1218588 1218664 1243197 1245938 1245939 1245942 1245943 1245946 CVE-2025-27613 CVE-2025-27614 CVE-2025-46835 CVE-2025-48384 CVE-2025-48385 ----------------------------------------------------------------- The container bci/gcc was updated. 
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:3012-1 Released: Fri Aug 29 02:07:38 2025 Summary: security update for git, git-lfs, obs-scm-bridge, python-PyYAML Type: security Severity: important References: 1212476,1216545,1218588,1218664,1243197,1245938,1245939,1245942,1245943,1245946,CVE-2025-27613,CVE-2025-27614,CVE-2025-46835,CVE-2025-48384,CVE-2025-48385 This update for git, git-lfs, obs-scm-bridge, python-PyYAML fixes the following issues: git was updated from version 2.43.0 to 2.51.0 (bsc#1243197): - Security issues fixed: * CVE-2025-27613 Fixed arbitrary writable file creation and truncation in Gitk (bsc#1245938) * CVE-2025-27614 Fixed arbitrary script execution via repository cloning in gitk (bsc#1245939) * CVE-2025-46835 Fixed arbitrary writable file creation in Git GUI when untrusted repository is cloned (bsc#1245942) * CVE-2025-48384 Fixed the unintentional execution of a script after checkout due to CRLF transforming (bsc#1245943) * CVE-2025-48385 Fixed arbitrary code execution due to protocol injection via fetching advertised bundle (bsc#1245946) - Other changes and bugs fixed: * Added SHA256 support (bsc#1243197) * Git moved to /usr/libexec/git/git and updated AppArmor profile accordingly (bsc#1218588) * gitweb AppArmor profile: allow reading etc/gitweb-common.conf (bsc#1218664) * Do not replace apparmor configuration (bsc#1216545) * Fixed the Python version required (bsc#1212476) - Version Updates Release Notes: * https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.51.0.adoc * https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.50.1.adoc * https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.50.0.adoc * https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.49.0.adoc *
https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.48.1.adoc * https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.48.0.adoc * https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.47.1.adoc * https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.47.0.adoc * https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.46.2.adoc * https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.46.1.adoc * https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.46.0.adoc * https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.45.3.adoc * https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.45.2.adoc * https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.45.1.adoc * https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.45.0.adoc * https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.44.0.adoc * https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.43.3.adoc * https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.43.2.adoc * https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.43.1.adoc git-lfs is included in version 3.7.0. python-PyYAML was updated from version 6.0.1 to 6.0.2: - Added support for Cython 3.x and Python 3.13 obs-scm-bridge was updated from version 0.5.4 to 0.7.4: - New Features and Improvements: * Manifest File Support: Support has been added for a `_manifest` file, which serves as a successor to the `_subdirs` file. * Control Over Git Information: A new noobsinfo query parameter was added to hide git information in source and binary files. * Enhanced Submodule Handling: The system now records the configured branch of submodules and stays on that branch during checkout.
* Git SHA Tracking: In project mode, the tool now uses git SHA sums instead of md5sum to track package sources. * SSH URL Support: ssh:// SCM URLs can now be used. * Improved Error Messages: Error reporting for invalid files within package subdirectories has been improved. * Standardized Config Location: In project mode, the _config file is now always located in the top-level directory, even when using subdirs. * Reduced Unnecessary Changes: In project mode, unnecessary modifications to the package meta URL are now avoided. * Limit Asset Handling: A new mechanism has been introduced to limit how assets are handled. * Branch Information Export: The trackingbranch is now exported to scmsync.obsinfo. - Bugs fixed: * Syntax Fix: A syntax issue was corrected. * Git Submodule Parsing: The .gitsubmodule parser was fixed to correctly handle files that contain a mix of spaces and tabs. The following package changes have been done: - git-core-2.51.0-150600.3.12.1 updated From sle-container-updates at lists.suse.com Wed Sep 3 13:43:26 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Wed, 3 Sep 2025 15:43:26 +0200 (CEST) Subject: SUSE-CU-2025:6714-1: Security update of suse/git Message-ID: <20250903134326.5A4F3FBA1@maintenance.suse.de> SUSE Container Update Advisory: suse/git ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:6714-1 Container Tags : suse/git:2 , suse/git:2.51 , suse/git:2.51.0 , suse/git:2.51.0-61.1 , suse/git:latest Container Release : 61.1 Severity : important Type : security References : 1212476 1216545 1218588 1218664 1243197 1245938 1245939 1245942 1245943 1245946 CVE-2025-27613 CVE-2025-27614 CVE-2025-46835 CVE-2025-48384 CVE-2025-48385 ----------------------------------------------------------------- The container suse/git was updated. 
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:3012-1 Released: Fri Aug 29 02:07:38 2025 Summary: security update for git, git-lfs, obs-scm-bridge, python-PyYAML Type: security Severity: important References: 1212476,1216545,1218588,1218664,1243197,1245938,1245939,1245942,1245943,1245946,CVE-2025-27613,CVE-2025-27614,CVE-2025-46835,CVE-2025-48384,CVE-2025-48385 This update for git, git-lfs, obs-scm-bridge, python-PyYAML fixes the following issues: git was updated from version 2.43.0 to 2.51.0 (bsc#1243197): - Security issues fixed: * CVE-2025-27613 Fixed arbitrary writable file creation and truncation in Gitk (bsc#1245938) * CVE-2025-27614 Fixed arbitrary script execution via repository cloning in gitk (bsc#1245939) * CVE-2025-46835 Fixed arbitrary writable file creation in Git GUI when untrusted repository is cloned (bsc#1245942) * CVE-2025-48384 Fixed the unintentional execution of a script after checkout due to CRLF transforming (bsc#1245943) * CVE-2025-48385 Fixed arbitrary code execution due to protocol injection via fetching advertised bundle (bsc#1245946) - Other changes and bugs fixed: * Added SHA256 support (bsc#1243197) * Git moved to /usr/libexec/git/git and updated AppArmor profile accordingly (bsc#1218588) * gitweb AppArmor profile: allow reading etc/gitweb-common.conf (bsc#1218664) * Do not replace apparmor configuration (bsc#1216545) * Fixed the Python version required (bsc#1212476) - Version Updates Release Notes: * https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.51.0.adoc * https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.50.1.adoc * https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.50.0.adoc * https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.49.0.adoc *
https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.48.1.adoc * https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.48.0.adoc * https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.47.1.adoc * https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.47.0.adoc * https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.46.2.adoc * https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.46.1.adoc * https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.46.0.adoc * https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.45.3.adoc * https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.45.2.adoc * https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.45.1.adoc * https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.45.0.adoc * https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.44.0.adoc * https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.43.3.adoc * https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.43.2.adoc * https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.43.1.adoc git-lfs is included in version 3.7.0. python-PyYAML was updated from version 6.0.1 to 6.0.2: - Added support for Cython 3.x and Python 3.13 obs-scm-bridge was updated from version 0.5.4 to 0.7.4: - New Features and Improvements: * Manifest File Support: Support has been added for a `_manifest` file, which serves as a successor to the `_subdirs` file. * Control Over Git Information: A new noobsinfo query parameter was added to hide git information in source and binary files. * Enhanced Submodule Handling: The system now records the configured branch of submodules and stays on that branch during checkout.
* Git SHA Tracking: In project mode, the tool now uses git SHA sums instead of md5sum to track package sources. * SSH URL Support: ssh:// SCM URLs can now be used. * Improved Error Messages: Error reporting for invalid files within package subdirectories has been improved. * Standardized Config Location: In project mode, the _config file is now always located in the top-level directory, even when using subdirs. * Reduced Unnecessary Changes: In project mode, unnecessary modifications to the package meta URL are now avoided. * Limit Asset Handling: A new mechanism has been introduced to limit how assets are handled. * Branch Information Export: The trackingbranch is now exported to scmsync.obsinfo. - Bugs fixed: * Syntax Fix: A syntax issue was corrected. * Git Submodule Parsing: The .gitsubmodule parser was fixed to correctly handle files that contain a mix of spaces and tabs. The following package changes have been done: - git-core-2.51.0-150600.3.12.1 updated From sle-container-updates at lists.suse.com Wed Sep 3 13:43:43 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Wed, 3 Sep 2025 15:43:43 +0200 (CEST) Subject: SUSE-CU-2025:6715-1: Security update of bci/ruby Message-ID: <20250903134343.19B5DFBA1@maintenance.suse.de> SUSE Container Update Advisory: bci/ruby ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:6715-1 Container Tags : bci/ruby:3 , bci/ruby:3.4 , bci/ruby:3.4-13.2 , bci/ruby:latest Container Release : 13.2 Severity : important Type : security References : 1212476 1216545 1218588 1218664 1243197 1245938 1245939 1245942 1245943 1245946 CVE-2025-27613 CVE-2025-27614 CVE-2025-46835 CVE-2025-48384 CVE-2025-48385 ----------------------------------------------------------------- The container bci/ruby was updated. 
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:3012-1 Released: Fri Aug 29 02:07:38 2025 Summary: security update for git, git-lfs, obs-scm-bridge, python-PyYAML Type: security Severity: important References: 1212476,1216545,1218588,1218664,1243197,1245938,1245939,1245942,1245943,1245946,CVE-2025-27613,CVE-2025-27614,CVE-2025-46835,CVE-2025-48384,CVE-2025-48385 This update for git, git-lfs, obs-scm-bridge, python-PyYAML fixes the following issues: git was updated from version 2.43.0 to 2.51.0 (bsc#1243197): - Security issues fixed: * CVE-2025-27613 Fixed arbitrary writable file creation and truncation in Gitk (bsc#1245938) * CVE-2025-27614 Fixed arbitrary script execution via repository cloning in gitk (bsc#1245939) * CVE-2025-46835 Fixed arbitrary writable file creation in Git GUI when untrusted repository is cloned (bsc#1245942) * CVE-2025-48384 Fixed the unintentional execution of a script after checkout due to CRLF transforming (bsc#1245943) * CVE-2025-48385 Fixed arbitrary code execution due to protocol injection via fetching advertised bundle (bsc#1245946) - Other changes and bugs fixed: * Added SHA256 support (bsc#1243197) * Git moved to /usr/libexec/git/git and updated AppArmor profile accordingly (bsc#1218588) * gitweb AppArmor profile: allow reading etc/gitweb-common.conf (bsc#1218664) * Do not replace apparmor configuration (bsc#1216545) * Fixed the Python version required (bsc#1212476) - Version Updates Release Notes: * https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.51.0.adoc * https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.50.1.adoc * https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.50.0.adoc * https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.49.0.adoc *
https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.48.1.adoc * https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.48.0.adoc * https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.47.1.adoc * https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.47.0.adoc * https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.46.2.adoc * https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.46.1.adoc * https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.46.0.adoc * https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.45.3.adoc * https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.45.2.adoc * https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.45.1.adoc * https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.45.0.adoc * https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.44.0.adoc * https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.43.3.adoc * https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.43.2.adoc * https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.43.1.adoc git-lfs is included in version 3.7.0. python-PyYAML was updated from version 6.0.1 to 6.0.2: - Added support for Cython 3.x and Python 3.13 obs-scm-bridge was updated from version 0.5.4 to 0.7.4: - New Features and Improvements: * Manifest File Support: Support has been added for a `_manifest` file, which serves as a successor to the `_subdirs` file. * Control Over Git Information: A new noobsinfo query parameter was added to hide git information in source and binary files. * Enhanced Submodule Handling: The system now records the configured branch of submodules and stays on that branch during checkout.
* Git SHA Tracking: In project mode, the tool now uses git SHA sums instead of md5sum to track package sources. * SSH URL Support: ssh:// SCM URLs can now be used. * Improved Error Messages: Error reporting for invalid files within package subdirectories has been improved. * Standardized Config Location: In project mode, the _config file is now always located in the top-level directory, even when using subdirs. * Reduced Unnecessary Changes: In project mode, unnecessary modifications to the package meta URL are now avoided. * Limit Asset Handling: A new mechanism has been introduced to limit how assets are handled. * Branch Information Export: The trackingbranch is now exported to scmsync.obsinfo. - Bugs fixed: * Syntax Fix: A syntax issue was corrected. * Git Submodule Parsing: The .gitsubmodule parser was fixed to correctly handle files that contain a mix of spaces and tabs. The following package changes have been done: - ruby3.4-rubygem-gem2rpm-0.10.1-150700.22.7.1 added - git-core-2.51.0-150600.3.12.1 updated - libgdbm4-1.12-1.418 removed - libruby2_5-2_5-2.5.9-150700.22.16 removed - ruby2.5-2.5.9-150700.22.16 removed - ruby2.5-rubygem-gem2rpm-0.10.1-150700.22.7.1 removed - ruby2.5-stdlib-2.5.9-150700.22.16 removed From sle-container-updates at lists.suse.com Thu Sep 4 12:55:57 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Thu, 4 Sep 2025 14:55:57 +0200 (CEST) Subject: SUSE-IU-2025:2416-1: Recommended update of suse/sle-micro/5.5 Message-ID: <20250904125557.42DA0F783@maintenance.suse.de> SUSE Image Update Advisory: suse/sle-micro/5.5 ----------------------------------------------------------------- Image Advisory ID : SUSE-IU-2025:2416-1 Image Tags : suse/sle-micro/5.5:2.0.4 , suse/sle-micro/5.5:2.0.4-5.5.365 , suse/sle-micro/5.5:latest Image Release : 5.5.365 Severity : moderate Type : recommended References : 1244553 1246835 1246852 ----------------------------------------------------------------- The 
container suse/sle-micro/5.5 was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:3072-1 Released: Thu Sep 4 09:20:43 2025 Summary: Recommended update for sysstat Type: recommended Severity: moderate References: 1244553,1246835,1246852 This update for sysstat fixes the following issues: - Renaming services to allow preset in systemd-presets-branding-SLE to work (bsc#1244553, bsc#1246835). - Fix argument order of find (bsc#1246852). - Fix systemd timers that are not enabled after upgrade (bsc#1244553). - deleted 90-sysstat.preset file, not needed anymore. The following package changes have been done: - sysstat-12.0.2-150000.3.48.3 updated From sle-container-updates at lists.suse.com Thu Sep 4 13:04:29 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Thu, 4 Sep 2025 15:04:29 +0200 (CEST) Subject: SUSE-CU-2025:6729-1: Recommended update of suse/sle-micro-rancher/5.4 Message-ID: <20250904130429.B23E4F783@maintenance.suse.de> SUSE Container Update Advisory: suse/sle-micro-rancher/5.4 ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:6729-1 Container Tags : suse/sle-micro-rancher/5.4:5.4.4.5.47 , suse/sle-micro-rancher/5.4:latest Container Release : 4.5.47 Severity : moderate Type : recommended References : 1244553 1246835 1246852 ----------------------------------------------------------------- The container suse/sle-micro-rancher/5.4 was updated. 
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:3072-1 Released: Thu Sep 4 09:20:43 2025 Summary: Recommended update for sysstat Type: recommended Severity: moderate References: 1244553,1246835,1246852 This update for sysstat fixes the following issues: - Renaming services to allow preset in systemd-presets-branding-SLE to work (bsc#1244553, bsc#1246835). - Fix argument order of find (bsc#1246852). - Fix systemd timers that are not enabled after upgrade (bsc#1244553). - deleted 90-sysstat.preset file, not needed anymore. The following package changes have been done: - sysstat-12.0.2-150000.3.48.3 updated From sle-container-updates at lists.suse.com Thu Sep 4 13:08:58 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Thu, 4 Sep 2025 15:08:58 +0200 (CEST) Subject: SUSE-CU-2025:6730-1: Recommended update of bci/kiwi Message-ID: <20250904130858.F031AF783@maintenance.suse.de> SUSE Container Update Advisory: bci/kiwi ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:6730-1 Container Tags : bci/kiwi:9 , bci/kiwi:9.24 , bci/kiwi:9.24.43 , bci/kiwi:9.24.43-18.30 , bci/kiwi:latest Container Release : 18.30 Severity : moderate Type : recommended References : 1244553 1246835 ----------------------------------------------------------------- The container bci/kiwi was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:3066-1 Released: Thu Sep 4 08:37:17 2025 Summary: Recommended update for systemd-presets-branding-SLE Type: recommended Severity: moderate References: 1244553,1246835 This update for systemd-presets-branding-SLE fixes the following issues: - Enable sysstat_collect.timer and sysstat_summary.timer (bsc#1244553, bsc#1246835). - Modified default SLE presets. 
The following package changes have been done: - systemd-presets-branding-SLE-15.1-150600.35.3.1 updated From sle-container-updates at lists.suse.com Thu Sep 4 13:11:08 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Thu, 4 Sep 2025 15:11:08 +0200 (CEST) Subject: SUSE-CU-2025:6733-1: Recommended update of suse/manager/4.3/proxy-httpd Message-ID: <20250904131108.16BEEFB9C@maintenance.suse.de> SUSE Container Update Advisory: suse/manager/4.3/proxy-httpd ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:6733-1 Container Tags : suse/manager/4.3/proxy-httpd:4.3.16 , suse/manager/4.3/proxy-httpd:4.3.16.9.67.21 , suse/manager/4.3/proxy-httpd:latest Container Release : 9.67.21 Severity : moderate Type : recommended References : 1244553 1246835 ----------------------------------------------------------------- The container suse/manager/4.3/proxy-httpd was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:3065-1 Released: Thu Sep 4 08:36:30 2025 Summary: Recommended update for systemd-presets-branding-SLE Type: recommended Severity: moderate References: 1244553,1246835 This update for systemd-presets-branding-SLE fixes the following issues: - enable sysstat_collect.timer and sysstat_summary.timer (bsc#1244553, bsc#1246835). 
- modified default SLE presets The following package changes have been done: - systemd-presets-branding-SLE-15.1-150100.20.17.2 updated From sle-container-updates at lists.suse.com Thu Sep 4 13:09:09 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Thu, 4 Sep 2025 15:09:09 +0200 (CEST) Subject: SUSE-CU-2025:6731-1: Security update of bci/nodejs Message-ID: <20250904130909.ED20EF783@maintenance.suse.de> SUSE Container Update Advisory: bci/nodejs ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:6731-1 Container Tags : bci/node:22 , bci/node:22.15.1 , bci/node:22.15.1-10.21 , bci/node:latest , bci/nodejs:22 , bci/nodejs:22.15.1 , bci/nodejs:22.15.1-10.21 , bci/nodejs:latest Container Release : 10.21 Severity : important Type : security References : 1212476 1216545 1218588 1218664 1243197 1245938 1245939 1245942 1245943 1245946 CVE-2025-27613 CVE-2025-27614 CVE-2025-46835 CVE-2025-48384 CVE-2025-48385 ----------------------------------------------------------------- The container bci/nodejs was updated. 
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:3012-1 Released: Fri Aug 29 02:07:38 2025 Summary: security update for git, git-lfs, obs-scm-bridge, python-PyYAML Type: security Severity: important References: 1212476,1216545,1218588,1218664,1243197,1245938,1245939,1245942,1245943,1245946,CVE-2025-27613,CVE-2025-27614,CVE-2025-46835,CVE-2025-48384,CVE-2025-48385 This update for git, git-lfs, obs-scm-bridge, python-PyYAML fixes the following issues: git was updated from version 2.43.0 to 2.51.0 (bsc#1243197): - Security issues fixed: * CVE-2025-27613 Fixed arbitrary writable file creation and truncation in Gitk (bsc#1245938) * CVE-2025-27614 Fixed arbitrary script execution via repository cloning in gitk (bsc#1245939) * CVE-2025-46835 Fixed arbitrary writable file creation in Git GUI when untrusted repository is cloned (bsc#1245942) * CVE-2025-48384 Fixed the unintentional execution of a script after checkout due to CRLF transforming (bsc#1245943) * CVE-2025-48385 Fixed arbitrary code execution due to protocol injection via fetching advertised bundle (bsc#1245946) - Other changes and bugs fixed: * Added SHA256 support (bsc#1243197) * Git moved to /usr/libexec/git/git and updated AppArmor profile accordingly (bsc#1218588) * gitweb AppArmor profile: allow reading etc/gitweb-common.conf (bsc#1218664) * Do not replace apparmor configuration (bsc#1216545) * Fixed the Python version required (bsc#1212476) - Version Updates Release Notes: * https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.51.0.adoc * https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.50.1.adoc * https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.50.0.adoc * https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.49.0.adoc *
https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.48.1.adoc * https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.48.0.adoc * https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.47.1.adoc * https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.47.0.adoc * https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.46.2.adoc * https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.46.1.adoc * https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.46.0.adoc * https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.45.3.adoc * https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.45.2.adoc * https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.45.1.adoc * https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.45.0.adoc * https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.44.0.adoc * https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.43.3.adoc * https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.43.2.adoc * https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.43.1.adoc git-lfs is included in version 3.7.0. python-PyYAML was updated from version 6.0.1 to 6.0.2: - Added support for Cython 3.x and Python 3.13 obs-scm-bridge was updated from version 0.5.4 to 0.7.4: - New Features and Improvements: * Manifest File Support: Support has been added for a `_manifest` file, which serves as a successor to the `_subdirs` file. * Control Over Git Information: A new noobsinfo query parameter was added to hide git information in source and binary files. * Enhanced Submodule Handling: The system now records the configured branch of submodules and stays on that branch during checkout.
* Git SHA Tracking: In project mode, the tool now uses git SHA sums instead of md5sum to track package sources. * SSH URL Support: ssh:// SCM URLs can now be used. * Improved Error Messages: Error reporting for invalid files within package subdirectories has been improved. * Standardized Config Location: In project mode, the _config file is now always located in the top-level directory, even when using subdirs. * Reduced Unnecessary Changes: In project mode, unnecessary modifications to the package meta URL are now avoided. * Limit Asset Handling: A new mechanism has been introduced to limit how assets are handled. * Branch Information Export: The trackingbranch is now exported to scmsync.obsinfo. - Bugs fixed: * Syntax Fix: A syntax issue was corrected. * Git Submodule Parsing: The .gitsubmodule parser was fixed to correctly handle files that contain a mix of spaces and tabs. The following package changes have been done: - git-core-2.51.0-150600.3.12.1 updated From sle-container-updates at lists.suse.com Thu Sep 4 13:12:24 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Thu, 4 Sep 2025 15:12:24 +0200 (CEST) Subject: SUSE-CU-2025:6734-1: Recommended update of suse/manager/4.3/proxy-salt-broker Message-ID: <20250904131224.81C0BFB9C@maintenance.suse.de> SUSE Container Update Advisory: suse/manager/4.3/proxy-salt-broker ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:6734-1 Container Tags : suse/manager/4.3/proxy-salt-broker:4.3.16 , suse/manager/4.3/proxy-salt-broker:4.3.16.9.57.21 , suse/manager/4.3/proxy-salt-broker:latest Container Release : 9.57.21 Severity : important Type : recommended References : 1218459 1245220 1245985 1246038 1246149 1246466 1247054 1247690 ----------------------------------------------------------------- The container suse/manager/4.3/proxy-salt-broker was updated. 
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:2952-1 Released: Thu Aug 21 14:56:24 2025 Summary: Recommended update for libzypp, zypper Type: recommended Severity: important References: 1218459,1245220,1245985,1246038,1246149,1246466,1247054,1247690 This update for libzypp, zypper fixes the following issues: - Fix evaluation of libproxy results (bsc#1247690) - Replace URL variables inside mirrorlist/metalink files - Append RepoInfo::path() to the mirror URLs in Preloader (bsc#1247054) - During installation indicate the backend being used (bsc#1246038) If some package actually needs to know, it should test for ZYPP_CLASSIC_RPMTRANS being set in the environment. Otherwise the transaction is driven by librpm. - Workaround 'rpm -vv' leaving scriptlets /var/tmp (bsc#1218459) - Verbose log libproxy results if PX_DEBUG=1 is set. - BuildRequires: cmake >= 3.17. - Allow explicit request to probe an added repo's URL (bsc#1246466) - Fix tests with -DISABLE_MEDIABACKEND_TESTS=1 - Add runtime check for a broken rpm-4.18.0 --runpostrans (bsc#1246149) - Add regression test for (bsc#1245220) and some other filesize related tests. 
- Fix addrepo to handle explicit --check and --no-check requests (bsc#1246466)
- Accept 'show' as alias for 'info' (bsc#1245985)


The following package changes have been done:

- libzypp-17.37.16-150400.3.142.1 updated
- zypper-1.14.93-150400.3.98.2 updated
- container:sles15-ltss-image-15.4.0-2.69 updated


From sle-container-updates at lists.suse.com Mon Sep 1 14:08:03 2025
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Mon, 1 Sep 2025 16:08:03 +0200 (CEST)
Subject: SUSE-CU-2025:6680-1: Security update of bci/bci-sle15-kernel-module-devel
Message-ID: <20250901140803.8252AFF9E@maintenance.suse.de>

SUSE Container Update Advisory: bci/bci-sle15-kernel-module-devel
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2025:6680-1
Container Tags : bci/bci-sle15-kernel-module-devel:15.6 , bci/bci-sle15-kernel-module-devel:15.6.47.15
Container Release : 47.15
Severity : important
Type : security
References : 1204142 1212476 1216545 1218588 1218664 1219338 1225707 1230216 1233300 1235613 1235837 1236333 1236897 1238896 1239061 1239470 1240323 1240885 1240966 1241166 1241345 1241537 1242086 1242414 1242837 1242960 1242965 1242993 1243068 1243100 1243197 1243479 1243669 1243806 1244309 1244337 1244457 1244735 1244749 1244750 1244792 1244801 1245151 1245201 1245202 1245216 1245260 1245431 1245440 1245457 1245498 1245499 1245504 1245506 1245508 1245510 1245540 1245598 1245599 1245646 1245647 1245649 1245650 1245654 1245658 1245660 1245665 1245666 1245668 1245669 1245670 1245671 1245675 1245676 1245677 1245679 1245682 1245683 1245684 1245688 1245689 1245690 1245691 1245695 1245705 1245708 1245711 1245713 1245714 1245719 1245723 1245729 1245730 1245731 1245735 1245737 1245744 1245745 1245746 1245747 1245748 1245749 1245750 1245751 1245752 1245757 1245758 1245765 1245768 1245769 1245777 1245781 1245789 1245937 1245938 1245939 1245942 1245943 1245945 1245946 1245951 1245952 1245954 1245957
1245966 1245970 1245976 1245980 1245983 1245986 1246000 1246002 1246006 1246008 1246020 1246023 1246029 1246031 1246037 1246041 1246042 1246044 1246045 1246047 1246049 1246050 1246055 1246073 1246093 1246098 1246109 1246122 1246125 1246171 1246173 1246178 1246182 1246183 1246186 1246195 1246203 1246212 1246220 1246236 1246240 1246243 1246246 1246249 1246250 1246253 1246258 1246262 1246264 1246266 1246268 1246273 1246283 1246287 1246292 1246293 1246295 1246334 1246337 1246342 1246349 1246354 1246358 1246361 1246364 1246370 1246375 1246384 1246386 1246387 1246438 1246453 1246473 1246490 1246506 1246547 1246777 1246781 1246870 1246879 1246911 1247018 1247023 1247028 1247031 1247033 1247035 1247061 1247089 1247091 1247097 1247098 1247101 1247103 1247104 1247113 1247118 1247123 1247125 1247128 1247132 1247138 1247141 1247143 1247145 1247146 1247147 1247149 1247150 1247151 1247153 1247154 1247156 1247160 1247164 1247169 1247170 1247171 1247172 1247174 1247176 1247177 1247178 1247181 1247209 1247210 1247227 1247233 1247236 1247238 1247241 1247251 1247252 1247253 1247255 1247271 1247273 1247274 1247276 1247277 1247278 1247279 1247284 1247285 1247288 1247289 1247293 1247311 1247314 1247317 1247347 1247348 1247349 1247374 1247437 1247450 CVE-2019-11135 CVE-2024-36028 CVE-2024-36348 CVE-2024-36349 CVE-2024-36350 CVE-2024-36357 CVE-2024-44963 CVE-2024-49861 CVE-2024-56742 CVE-2024-57947 CVE-2025-21839 CVE-2025-21854 CVE-2025-21872 CVE-2025-22090 CVE-2025-23163 CVE-2025-27613 CVE-2025-27614 CVE-2025-37798 CVE-2025-37856 CVE-2025-37864 CVE-2025-37885 CVE-2025-37920 CVE-2025-37984 CVE-2025-38034 CVE-2025-38035 CVE-2025-38051 CVE-2025-38052 CVE-2025-38058 CVE-2025-38061 CVE-2025-38062 CVE-2025-38063 CVE-2025-38064 CVE-2025-38074 CVE-2025-38084 CVE-2025-38085 CVE-2025-38087 CVE-2025-38088 CVE-2025-38089 CVE-2025-38090 CVE-2025-38094 CVE-2025-38095 CVE-2025-38097 CVE-2025-38098 CVE-2025-38099 CVE-2025-38100 CVE-2025-38102 CVE-2025-38105 CVE-2025-38107 CVE-2025-38108 CVE-2025-38109 
CVE-2025-38110 CVE-2025-38111 CVE-2025-38112 CVE-2025-38113 CVE-2025-38115 CVE-2025-38117 CVE-2025-38118 CVE-2025-38120 CVE-2025-38122 CVE-2025-38123 CVE-2025-38124 CVE-2025-38126 CVE-2025-38127 CVE-2025-38129 CVE-2025-38131 CVE-2025-38132 CVE-2025-38135 CVE-2025-38136 CVE-2025-38138 CVE-2025-38142 CVE-2025-38143 CVE-2025-38145 CVE-2025-38147 CVE-2025-38148 CVE-2025-38149 CVE-2025-38151 CVE-2025-38153 CVE-2025-38154 CVE-2025-38155 CVE-2025-38157 CVE-2025-38158 CVE-2025-38159 CVE-2025-38161 CVE-2025-38162 CVE-2025-38165 CVE-2025-38166 CVE-2025-38173 CVE-2025-38174 CVE-2025-38177 CVE-2025-38180 CVE-2025-38181 CVE-2025-38182 CVE-2025-38183 CVE-2025-38187 CVE-2025-38188 CVE-2025-38192 CVE-2025-38193 CVE-2025-38194 CVE-2025-38197 CVE-2025-38198 CVE-2025-38200 CVE-2025-38202 CVE-2025-38203 CVE-2025-38204 CVE-2025-38206 CVE-2025-38210 CVE-2025-38211 CVE-2025-38212 CVE-2025-38213 CVE-2025-38214 CVE-2025-38215 CVE-2025-38217 CVE-2025-38220 CVE-2025-38222 CVE-2025-38225 CVE-2025-38226 CVE-2025-38227 CVE-2025-38229 CVE-2025-38231 CVE-2025-38236 CVE-2025-38239 CVE-2025-38244 CVE-2025-38246 CVE-2025-38248 CVE-2025-38249 CVE-2025-38250 CVE-2025-38257 CVE-2025-38259 CVE-2025-38264 CVE-2025-38272 CVE-2025-38273 CVE-2025-38275 CVE-2025-38277 CVE-2025-38279 CVE-2025-38283 CVE-2025-38286 CVE-2025-38289 CVE-2025-38290 CVE-2025-38292 CVE-2025-38293 CVE-2025-38300 CVE-2025-38303 CVE-2025-38304 CVE-2025-38305 CVE-2025-38307 CVE-2025-38310 CVE-2025-38312 CVE-2025-38313 CVE-2025-38319 CVE-2025-38323 CVE-2025-38326 CVE-2025-38328 CVE-2025-38332 CVE-2025-38334 CVE-2025-38335 CVE-2025-38336 CVE-2025-38337 CVE-2025-38338 CVE-2025-38342 CVE-2025-38343 CVE-2025-38344 CVE-2025-38345 CVE-2025-38348 CVE-2025-38349 CVE-2025-38350 CVE-2025-38352 CVE-2025-38354 CVE-2025-38362 CVE-2025-38363 CVE-2025-38364 CVE-2025-38365 CVE-2025-38369 CVE-2025-38371 CVE-2025-38373 CVE-2025-38375 CVE-2025-38376 CVE-2025-38377 CVE-2025-38380 CVE-2025-38382 CVE-2025-38384 CVE-2025-38385 CVE-2025-38386 CVE-2025-38387 
CVE-2025-38389 CVE-2025-38391 CVE-2025-38392 CVE-2025-38393 CVE-2025-38395 CVE-2025-38396 CVE-2025-38399 CVE-2025-38400 CVE-2025-38401 CVE-2025-38403 CVE-2025-38404 CVE-2025-38406 CVE-2025-38409 CVE-2025-38410 CVE-2025-38412 CVE-2025-38414 CVE-2025-38415 CVE-2025-38416 CVE-2025-38420 CVE-2025-38424 CVE-2025-38425 CVE-2025-38426 CVE-2025-38428 CVE-2025-38429 CVE-2025-38430 CVE-2025-38436 CVE-2025-38443 CVE-2025-38448 CVE-2025-38449 CVE-2025-38455 CVE-2025-38457 CVE-2025-38460 CVE-2025-38461 CVE-2025-38462 CVE-2025-38463 CVE-2025-38465 CVE-2025-38467 CVE-2025-38468 CVE-2025-38470 CVE-2025-38471 CVE-2025-38473 CVE-2025-38474 CVE-2025-38476 CVE-2025-38477 CVE-2025-38478 CVE-2025-38480 CVE-2025-38481 CVE-2025-38482 CVE-2025-38483 CVE-2025-38485 CVE-2025-38487 CVE-2025-38489 CVE-2025-38494 CVE-2025-38495 CVE-2025-38496 CVE-2025-38497 CVE-2025-38498 CVE-2025-46835 CVE-2025-48384 CVE-2025-48385
-----------------------------------------------------------------

The container bci/bci-sle15-kernel-module-devel was updated.
The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:2996-1
Released: Wed Aug 27 14:02:41 2025
Summary: Security update for the Linux Kernel
Type: security
Severity: important

The SUSE Linux Enterprise 15 SP6 kernel was updated to receive various security bugfixes.

The following security bugs were fixed:

- CVE-2024-36028: mm/hugetlb: fix DEBUG_LOCKS_WARN_ON(1) when dissolve_free_hugetlb_folio() (bsc#1225707).
- CVE-2024-36348, CVE-2024-36349, CVE-2024-36350, CVE-2024-36357: x86/process: Move the buffer clearing before MONITOR (bsc#1238896).
- CVE-2024-44963: btrfs: do not BUG_ON() when freeing tree block after error (1230216).
- CVE-2024-49861: net: clear the dst when changing skb protocol (bsc#1245954).
- CVE-2024-56742: vfio/mlx5: Fix an unwind issue in mlx5vf_add_migration_pages() (bsc#1235613).
- CVE-2025-21839: KVM: x86: Load DR6 with guest value only before entering .vcpu_run() loop (bsc#1239061).
- CVE-2025-21854: selftest/bpf: Add vsock test for sockmap rejecting unconnected (bsc#1239470).
- CVE-2025-21872: efi/mokvar-table: Avoid repeated map/unmap of the same page (bsc#1240323).
- CVE-2025-22090: mm: (un)track_pfn_copy() fix + doc improvements (bsc#1241537).
- CVE-2025-23163: net: vlan: do not propagate flags on open (bsc#1242837).
- CVE-2025-37856: btrfs: harden block_group::bg_list against list_del() races (bsc#1243068).
- CVE-2025-37864: net: dsa: clean up FDB, MDB, VLAN entries on unbind (bsc#1242965).
- CVE-2025-37885: KVM: x86: Reset IRTE to host control if *new* route isn't postable (bsc#1242960).
- CVE-2025-37920: kABI workaround for xsk: Fix race condition in AF_XDP generic RX path (bsc#1243479).
- CVE-2025-37984: crypto: ecdsa - Harden against integer overflows in DIV_ROUND_UP() (bsc#1243669).
- CVE-2025-38034: btrfs: correct the order of prelim_ref arguments in btrfs__prelim_ref (bsc#1244792).
- CVE-2025-38035: nvmet-tcp: do not restore null sk_state_change (bsc#1244801).
- CVE-2025-38051: smb: client: Fix use-after-free in cifs_fill_dirent (bsc#1244750).
- CVE-2025-38058: __legitimize_mnt(): check for MNT_SYNC_UMOUNT should be under mount_lock (bsc#1245151).
- CVE-2025-38061: net: pktgen: fix access outside of user given buffer in pktgen_thread_write() (bsc#1245440).
- CVE-2025-38062: kABI: restore layout of struct msi_desc (bsc#1245216).
- CVE-2025-38063: dm: fix unconditional IO throttle caused by REQ_PREFLUSH (bsc#1245202).
- CVE-2025-38064: virtio: break and reset virtio devices on device_shutdown() (bsc#1245201).
- CVE-2025-38074: vhost-scsi: protect vq->log_used with vq->mutex (bsc#1244735).
- CVE-2025-38094: net: cadence: macb: Fix a possible deadlock in macb_halt_tx (bsc#1245649).
- CVE-2025-38097: kabi: restore encap_sk in struct xfrm_state (bsc#1245660).
- CVE-2025-38098: drm/amd/display: Do not treat wb connector as physical in (bsc#1245654).
- CVE-2025-38099: Bluetooth: btusb: Fix regression in the initialization of fake Bluetooth controllers (bsc#1245671).
- CVE-2025-38100: x86/iopl: Cure TIF_IO_BITMAP inconsistencies (bsc#1245650).
- CVE-2025-38105: ALSA: usb-audio: Kill timer properly at removal (bsc#1245682).
- CVE-2025-38115: net_sched: sch_sfq: fix a potential crash on gso_skb handling (bsc#1245689).
- CVE-2025-38117: hci_dev centralize extra lock (bsc#1245695).
- CVE-2025-38126: net: stmmac: make sure that ptp_rate is not 0 before configuring timestamping (bsc#1245708).
- CVE-2025-38131: coresight: prevent deactivate active config while enabling the config (bsc#1245677).
- CVE-2025-38132: coresight: holding cscfg_csdev_lock while removing cscfg from csdev (bsc#1245679).
- CVE-2025-38147: calipso: unlock rcu before returning -EAFNOSUPPORT (bsc#1245768).
- CVE-2025-38158: hisi_acc_vfio_pci: fix XQE dma address error (bsc#1245750).
- CVE-2025-38162: netfilter: nft_set_pipapo: prevent overflow in lookup table allocation (bsc#1245752).
- CVE-2025-38166: bpf: fix ktls panic with sockmap (bsc#1245758).
- CVE-2025-38180: net: atm: fix /proc/net/atm/lec handling (bsc#1245970).
- CVE-2025-38182: ublk: santizize the arguments from userspace when adding a device (bsc#1245937).
- CVE-2025-38183: net: lan743x: fix potential out-of-bounds write in lan743x_ptp_io_event_clock_get() (bsc#1246006).
- CVE-2025-38187: drm/nouveau: fix a use-after-free in r535_gsp_rpc_push() (bsc#1245951).
- CVE-2025-38188: drm/msm/a7xx: Call CP_RESET_CONTEXT_STATE (bsc#1246098).
- CVE-2025-38200: i40e: fix MMIO write access to an invalid page in i40e_clear_hw (bsc#1246045).
- CVE-2025-38202: bpf: Check rcu_read_lock_trace_held() in bpf_map_lookup_percpu_elem() (bsc#1245980).
- CVE-2025-38203: jfs: Fix null-ptr-deref in jfs_ioc_trim (bsc#1246044).
- CVE-2025-38204: jfs: fix array-index-out-of-bounds read in add_missing_indices (bsc#1245983).
- CVE-2025-38206: exfat: fix double free in delayed_free (bsc#1246073).
- CVE-2025-38210: configfs-tsm-report: Fix NULL dereference of tsm_ops (bsc#1246020).
- CVE-2025-38212: ipc: fix to protect IPCS lookups using RCU (bsc#1246029).
- CVE-2025-38220: ext4: only dirty folios when data journaling regular files (bsc#1245966).
- CVE-2025-38222: ext4: inline: fix len overflow in ext4_prepare_inline_data (bsc#1245976).
- CVE-2025-38236: af_unix: Disable MSG_OOB for unprivileged users (bsc#1246093).
- CVE-2025-38239: scsi: megaraid_sas: Fix invalid node index (bsc#1246178).
- CVE-2025-38244: smb: client: fix potential deadlock when reconnecting channels (bsc#1246183).
- CVE-2025-38248: bridge: mcast: Fix use-after-free during router port configuration (bsc#1246173).
- CVE-2025-38250: kABI workaround for bluetooth hci_dev changes (bsc#1246182).
- CVE-2025-38264: llist: add interface to check if a node is on a list (bsc#1246387).
- CVE-2025-38272: net: dsa: b53: do not enable EEE on bcm63xx (bsc#1246268).
- CVE-2025-38279: selftests/bpf: Add tests with stack ptr register in conditional jmp (bsc#1246264).
- CVE-2025-38283: hisi_acc_vfio_pci: bugfix live migration function without VF device driver (bsc#1246273).
- CVE-2025-38303: Bluetooth: eir: Fix possible crashes on eir_create_adv_data (bsc#1246354).
- CVE-2025-38310: seg6: Fix validation of nexthop addresses (bsc#1246361).
- CVE-2025-38323: net: atm: add lec_mutex (bsc#1246473).
- CVE-2025-38334: x86/sgx: Prevent attempts to reclaim poisoned pages (bsc#1246384).
- CVE-2025-38335: Input: gpio-keys - fix a sleep while atomic with PREEMPT_RT (bsc#1246250).
- CVE-2025-38337: jbd2: fix data-race and null-ptr-deref in jbd2_journal_dirty_metadata() (bsc#1246253).
- CVE-2025-38349: eventpoll: do not decrement ep refcount while still holding the ep mutex (bsc#1246777).
- CVE-2025-38350: net/sched: Always pass notifications when child class becomes empty (bsc#1246781).
- CVE-2025-38352: posix-cpu-timers: fix race between handle_posix_cpu_timers() and posix_cpu_timer_del() (bsc#1246911).
- CVE-2025-38364: maple_tree: fix MA_STATE_PREALLOC flag in mas_preallocate() (bsc#1247091).
- CVE-2025-38365: btrfs: fix a race between renames and directory logging (bsc#1247023).
- CVE-2025-38371: drm/v3d: Disable interrupts before resetting the GPU (bsc#1247178).
- CVE-2025-38375: virtio-net: ensure the received length does not exceed allocated size (bsc#1247177).
- CVE-2025-38382: btrfs: fix iteration of extrefs during log replay (bsc#1247031).
- CVE-2025-38392: idpf: convert control queue mutex to a spinlock (bsc#1247169).
- CVE-2025-38396: fs: export anon_inode_make_secure_inode() and fix secretmem LSM bypass (bsc#1247156).
- CVE-2025-38399: scsi: target: Fix NULL pointer dereference in core_scsi3_decode_spec_i_port() (bsc#1247097).
- CVE-2025-38403: vsock/vmci: Clear the vmci transport packet properly when initializing it (bsc#1247141).
- CVE-2025-38414: wifi: ath12k: fix GCC_GCC_PCIE_HOT_RST definition for WCN7850 (bsc#1247145).
- CVE-2025-38426: drm/amdgpu: Add basic validation for RAS header (bsc#1247252).
- CVE-2025-38429: bus: mhi: ep: Update read pointer only after buffer is written (bsc#1247253).
- CVE-2025-38455: KVM: SVM: Reject SEV{-ES} intra host migration if vCPU creation is in-flight (bsc#1247101).
- CVE-2025-38457: net/sched: Abort __tc_modify_qdisc if parent class does not exist (bsc#1247098).
- CVE-2025-38460: atm: clip: Fix potential null-ptr-deref in to_atmarpd() (bsc#1247143).
- CVE-2025-38461: vsock: Fix transport_* TOCTOU (bsc#1247103).
- CVE-2025-38462: vsock: Fix transport_{g2h,h2g} TOCTOU (bsc#1247104).
- CVE-2025-38463: tcp: Correct signedness in skb remaining space calculation (bsc#1247113).
- CVE-2025-38465: netlink: make sure we allow at least one dump skb (bsc#1247118).
- CVE-2025-38470: kABI fix for net: vlan: fix VLAN 0 refcount imbalance of toggling (bsc#1247288).
- CVE-2025-38471: tls: always refresh the queue when reading sock (bsc#1247450).
- CVE-2025-38497: usb: gadget: configfs: Fix OOB read on empty string write (bsc#1247347).
- CVE-2025-38498: do_change_type(): refuse to operate on unmounted/not ours mounts (bsc#1247374).

The following non-security bugs were fixed:

- Fix dma_unmap_sg() nents value (git-fixes)
- Logitech C-270 even more broken (stable-fixes).
- Reapply 'wifi: mac80211: Update skb's control block key in ieee80211_tx_dequeue()' (git-fixes).
- Revert 'ACPI: battery: negate current when discharging' (stable-fixes).
- Revert 'cgroup_freezer: cgroup_freezing: Check if not frozen' (bsc#1219338).
- Revert 'drm/i915/gem: Allow EXEC_CAPTURE on recoverable contexts on DG1' (stable-fixes).
- Revert 'mmc: sdhci: Disable SD card clock before changing parameters' (git-fixes).
- Revert 'usb: xhci: Implement xhci_handshake_check_state() helper' (git-fixes).
- Revert 'vgacon: Add check for vc_origin address range in vgacon_scroll()' (stable-fixes).
- acpi: LPSS: Remove AudioDSP related ID (git-fixes).
- acpi: PRM: Reduce unnecessary printing to avoid user confusion (bsc#1246122).
- acpi: processor: perflib: Fix initial _PPC limit application (git-fixes).
- acpica: Refuse to evaluate a method if arguments are missing (stable-fixes).
- af_packet: fix the SO_SNDTIMEO constraint not effective on tpacked_snd() (git-fixes).
- af_unix: Add a prompt to CONFIG_AF_UNIX_OOB (bsc#1246093).
- alsa: hda/ca0132: Fix missing error handling in ca0132_alt_select_out() (git-fixes).
- alsa: hda/realtek - Add mute LED support for HP Pavilion 15-eg0xxx (stable-fixes).
- alsa: hda/realtek - Enable mute LED on HP Pavilion Laptop 15-eg100 (stable-fixes).
- alsa: hda/realtek: Add quirk for ASUS ROG Strix G712LWS (stable-fixes).
- alsa: hda/tegra: Add Tegra264 support (stable-fixes).
- alsa: hda: Add missing NVIDIA HDA codec IDs (stable-fixes).
- alsa: hda: Add new pci id for AMD GPU display HD audio controller (stable-fixes).
- alsa: hda: Ignore unsol events for cards being shut down (stable-fixes).
- alsa: intel_hdmi: Fix off-by-one error in __hdmi_lpe_audio_probe() (git-fixes).
- alsa: sb: Do not allow changing the DMA mode during operations (stable-fixes).
- alsa: sb: Force to disable DMAs once when DMA mode is changed (stable-fixes).
- amd/amdkfd: fix a kfd_process ref leak (stable-fixes).
- aoe: clean device rq_list in aoedev_downdev() (git-fixes).
- apple-mfi-fastcharge: protect first device name (git-fixes).
- asoc: amd: yc: Add DMI quirk for Lenovo IdeaPad Slim 5 15 (stable-fixes).
- asoc: amd: yc: Add quirk for MSI Bravo 17 D7VF internal mic (stable-fixes).
- asoc: amd: yc: add quirk for Acer Nitro ANV15-41 internal mic (stable-fixes).
- asoc: amd: yc: update quirk data for HP Victus (stable-fixes).
- asoc: codec: wcd9335: Convert to GPIO descriptors (stable-fixes).
- asoc: codecs: wcd9335: Fix missing free of regulator supplies (git-fixes).
- asoc: codecs: wcd9335: Handle nicer probe deferral and simplify with dev_err_probe() (stable-fixes).
- asoc: cs35l56: probe() should fail if the device ID is not recognized (git-fixes).
- asoc: fsl_asrc: use internal measured ratio for non-ideal ratio mode (git-fixes).
- asoc: fsl_xcvr: get channel status data when PHY is not exists (git-fixes).
- asoc: ops: dynamically allocate struct snd_ctl_elem_value (git-fixes).
- asoc: soc-dai: tidyup return value of snd_soc_xlate_tdm_slot_mask() (git-fixes).
- ata: pata_cs5536: fix build on 32-bit UML (stable-fixes).
- audit,module: restore audit logging in load failure case (git-fixes).
- bluetooth: Fix null-ptr-deref in l2cap_sock_resume_cb() (git-fixes).
- bluetooth: L2CAP: Fix L2CAP MTU negotiation (stable-fixes).
- bluetooth: L2CAP: Fix attempting to adjust outgoing MTU (git-fixes).
- bluetooth: MGMT: Fix not generating command complete for MGMT_OP_DISCONNECT (git-fixes).
- bluetooth: MGMT: mesh_send: check instances prior disabling advertising (git-fixes).
- bluetooth: MGMT: set_mesh: update LE scan interval and window (git-fixes).
- bluetooth: Prevent unintended pause by checking if advertising is active (git-fixes).
- bluetooth: SMP: Fix using HCI_ERROR_REMOTE_USER_TERM on timeout (git-fixes).
- bluetooth: SMP: If an unallowed command is received consider it a failure (git-fixes).
- bluetooth: btusb: QCA: Fix downloading wrong NVM for WCN6855 GF variant without board ID (git-fixes).
- bluetooth: hci_conn: Fix sending BT_HCI_CMD_LE_CREATE_CONN_CANCEL (git-fixes).
- bluetooth: hci_event: Fix not marking Broadcast Sink BIS as connected (git-fixes).
- bluetooth: hci_event: Mask data status from LE ext adv reports (git-fixes).
- bluetooth: hci_sync: Attempt to dequeue connection attempt (git-fixes).
- bluetooth: hci_sync: Fix UAF on create_le_conn_complete (git-fixes).
- bluetooth: hci_sync: Fix handling of HCI_OP_CREATE_CONN_CANCEL (git-fixes).
- bluetooth: hci_sync: Fix not disabling advertising instance (git-fixes).
- bluetooth: hci_sync: fix connectable extended advertising when using static random address (git-fixes).
- bluetooth: hci_sync: revert some mesh modifications (git-fixes).
- bpf, sockmap: Fix sk_msg_reset_curr (git-fixes).
- bpf/lpm_trie: Inline longest_prefix_match for fastpath (git-fixes).
- bpf/selftests: Check errno when percpu map value size exceeds (git-fixes).
- bpf: Add a possibly-zero-sized read test (git-fixes).
- bpf: Avoid __hidden__ attribute in static object (git-fixes).
- bpf: Check percpu map value size first (git-fixes).
- bpf: Disable some `attribute ignored' warnings in GCC (git-fixes).
- bpf: Fix memory leak in bpf_core_apply (git-fixes).
- bpf: Fix potential integer overflow in resolve_btfids (git-fixes).
- bpf: Harden __bpf_kfunc tag against linker kfunc removal (git-fixes).
- bpf: Make the pointer returned by iter next method valid (git-fixes).
- bpf: Simplify checking size of helper accesses (git-fixes).
- bpf: fix order of args in call to bpf_map_kvcalloc (git-fixes).
- bpf: sockmap, updating the sg structure should also update curr (git-fixes).
- bpftool: Fix missing pids during link show (git-fixes).
- bpftool: Fix undefined behavior caused by shifting into the sign bit (git-fixes).
- bpftool: Mount bpffs on provided dir instead of parent dir (git-fixes).
- bpftool: Remove unnecessary source files from bootstrap version (git-fixes).
- bpftool: Un-const bpf_func_info to fix it for llvm 17 and newer (git-fixes).
- btrfs: do not ignore inode missing when replaying log tree (git-fixes).
- btrfs: do not silently ignore unexpected extent type when replaying log (git-fixes).
- btrfs: do not skip remaining extrefs if dir not found during log replay (git-fixes).
- btrfs: explicitly ref count block_group on new_bgs list (bsc#1243068)
- btrfs: fix assertion when building free space tree (git-fixes).
- btrfs: fix inode lookup error handling during log replay (git-fixes).
- btrfs: fix invalid inode pointer dereferences during log replay (git-fixes).
- btrfs: fix log tree replay failure due to file with 0 links and extents (git-fixes).
- btrfs: fix missing error handling when searching for inode refs during log replay (git-fixes).
- btrfs: fix non-empty delayed iputs list on unmount due to async workers (git-fixes).
- btrfs: fix ssd_spread overallocation (git-fixes).
- btrfs: make btrfs_discard_workfn() block_group ref explicit (bsc#1243068)
- btrfs: propagate last_unlink_trans earlier when doing a rmdir (git-fixes).
- btrfs: rename err to ret in btrfs_rmdir() (git-fixes).
- btrfs: return a btrfs_inode from btrfs_iget_logging() (git-fixes).
- btrfs: return a btrfs_inode from read_one_inode() (git-fixes).
- btrfs: tests: fix chunk map leak after failure to add it to the tree (git-fixes).
- btrfs: update superblock's device bytes_used when dropping chunk (git-fixes).
- btrfs: use NOFS context when getting inodes during logging and log replay (git-fixes).
- btrfs: use btrfs_record_snapshot_destroy() during rmdir (git-fixes).
- bus: fsl-mc: Fix potential double device reference in fsl_mc_get_endpoint() (git-fixes).
- bus: mhi: host: Detect events pointing to unexpected TREs (git-fixes).
- can: dev: can_restart(): move debug message and stats after successful restart (stable-fixes).
- can: dev: can_restart(): reverse logic to remove need for goto (stable-fixes).
- can: kvaser_pciefd: Store device channel index (git-fixes).
- can: kvaser_usb: Assign netdev.dev_port based on device channel index (git-fixes).
- can: m_can: m_can_handle_lost_msg(): downgrade msg lost in rx message to debug level (git-fixes).
- can: netlink: can_changelink(): fix NULL pointer deref of struct can_priv::do_set_mode (git-fixes).
- can: peak_usb: fix USB FD devices potential malfunction (git-fixes).
- cdc-acm: fix race between initial clearing halt and open (git-fixes).
- cgroup,freezer: fix incomplete freezing when attaching tasks (bsc#1245789).
- cgroup/cpuset: Extend kthread_is_per_cpu() check to all PF_NO_SETAFFINITY tasks (bsc#1241166).
- cifs: reconnect helper should set reconnect for the right channel (git-fixes).
- clk: clk-axi-clkgen: fix fpfd_max frequency for zynq (git-fixes).
- clk: davinci: Add NULL check in davinci_lpsc_clk_register() (git-fixes).
- clk: sunxi-ng: v3s: Fix de clock definition (git-fixes).
- clk: xilinx: vcu: unregister pll_post only if registered correctly (git-fixes).
- clocksource: Scale the watchdog read retries automatically (bsc#1241345 bsc#1244457).
- clocksource: Set cs_watchdog_read() checks based on .uncertainty_margin (bsc#1241345 bsc#1244457).
- comedi: Fail COMEDI_INSNLIST ioctl if n_insns is too large (git-fixes).
- comedi: Fix initialization of data for instructions that write to subdevice (git-fixes).
- comedi: Fix some signed shift left operations (git-fixes).
- comedi: Fix use of uninitialized data in insn_rw_emulate_bits() (git-fixes).
- comedi: aio_iiro_16: Fix bit shift out of bounds (git-fixes).
- comedi: das16m1: Fix bit shift out of bounds (git-fixes).
- comedi: das6402: Fix bit shift out of bounds (git-fixes).
- comedi: pcl812: Fix bit shift out of bounds (git-fixes).
- compiler_types.h: Define __retain for __attribute__((__retain__)) (git-fixes).
- crypto: arm/aes-neonbs - work around gcc-15 warning (git-fixes).
- crypto: ccp - Fix crash when rebind ccp device for ccp.ko (git-fixes).
- crypto: ccp - Fix locking on alloc failure handling (git-fixes).
- crypto: img-hash - Fix dma_unmap_sg() nents value (git-fixes).
- crypto: inside-secure - Fix `dma_unmap_sg()` nents value (git-fixes).
- crypto: keembay - Fix dma_unmap_sg() nents value (git-fixes).
- crypto: marvell/cesa - Fix engine load inaccuracy (git-fixes).
- crypto: qat - allow enabling VFs in the absence of IOMMU (git-fixes).
- crypto: qat - disable ZUC-256 capability for QAT GEN5 (git-fixes).
- crypto: qat - fix DMA direction for compression on GEN2 devices (git-fixes).
- crypto: qat - fix seq_file position update in adf_ring_next() (git-fixes).
- crypto: qat - fix state restore for banks with exceptions (git-fixes).
- crypto: qat - flush misc workqueue during device shutdown (git-fixes).
- crypto: qat - use unmanaged allocation for dc_data (git-fixes).
- crypto: sun8i-ce - fix nents passed to dma_unmap_sg() (git-fixes).
- dm-bufio: fix sched in atomic context (git-fixes).
- dm-flakey: error all IOs when num_features is absent (git-fixes).
- dm-flakey: make corrupting read bios work (git-fixes).
- dm-mirror: fix a tiny race condition (git-fixes).
- dm-raid: fix variable in journal device check (git-fixes).
- dm-verity: fix a memory leak if some arguments are specified multiple times (git-fixes).
- dm: do not change md if dm_table_set_restrictions() fails (git-fixes).
- dm: free table mempools if not used in __bind (git-fixes).
- dm: restrict dm device size to 2^63-512 bytes (git-fixes).
- dma-buf: fix timeout handling in dma_resv_wait_timeout v2 (stable-fixes).
- dmaengine: dw-edma: Drop unused dchan2dev() and chan2dev() (git-fixes).
- dmaengine: idxd: Check availability of workqueue allocated by idxd wq driver before using (stable-fixes).
- dmaengine: mv_xor: Fix missing check after DMA map and missing unmap (git-fixes).
- dmaengine: nbpfaxi: Add missing check after DMA map (git-fixes).
- dmaengine: nbpfaxi: Fix memory corruption in probe() (git-fixes).
- dmaengine: qcom: gpi: Drop unused gpi_write_reg_field() (git-fixes).
- dmaengine: xilinx_dma: Set dma_device directions (stable-fixes).
- docs/ABI: Fix sysfs-kernel-address_bits path (git-fixes). - documentation: ACPI: Fix parent device references (git-fixes). - documentation: usb: gadget: Wrap remaining usage snippets in literal code block (git-fixes). - drm/amd/display: Do not overwrite dce60_clk_mgr (git-fixes). - drm/amd/pm/powerplay/hwmgr/smu_helper: fix order of mask and value (git-fixes). - drm/amdgpu/gfx8: reset compute ring wptr on the GPU on resume (git-fixes). - drm/amdgpu: amdgpu_vram_mgr_new(): Clamp lpfn to total vram (stable-fixes). - drm/amdkfd: Fix race in GWS queue scheduling (stable-fixes). - drm/bridge: panel: move prepare_prev_first handling to drm_panel_bridge_add_typed (git-fixes). - drm/bridge: ti-sn65dsi86: Add HPD for DisplayPort connector type (git-fixes). - drm/bridge: ti-sn65dsi86: Remove extra semicolon in ti_sn_bridge_probe() (git-fixes). - drm/bridge: ti-sn65dsi86: make use of debugfs_init callback (stable-fixes). - drm/exynos: exynos7_drm_decon: add vblank check in IRQ handling (git-fixes). - drm/exynos: fimd: Guard display clock control with runtime PM calls (git-fixes). - drm/framebuffer: Acquire internal references on GEM handles (git-fixes). - drm/gem: Acquire references on GEM handles for framebuffers (stable-fixes). - drm/gem: Fix race in drm_gem_handle_create_tail() (stable-fixes). - drm/i915/gsc: mei interrupt top half should be in irq disabled context (git-fixes). - drm/i915/gt: Fix timeline left held on VMA alloc error (git-fixes). - drm/i915/selftests: Change mock_request() to return error pointers (git-fixes). - drm/msm/dpu: Fill in min_prefill_lines for SC8180X (git-fixes). - drm/msm: Fix a fence leak in submit error path (stable-fixes). - drm/msm: Fix another leak in the submit error path (stable-fixes). - drm/panfrost: Fix panfrost device variable name in devfreq (git-fixes). - drm/rockchip: cleanup fb when drm_gem_fb_afbc_init failed (git-fixes). - drm/sched: Increment job count before swapping tail spsc queue (git-fixes). 
- drm/sched: Remove optimization that causes hang when killing dependent jobs (git-fixes). - drm/scheduler: signal scheduled fence when kill job (stable-fixes). - drm/tegra: nvdec: Fix dma_alloc_coherent error check (git-fixes). - drm/ttm: fix error handling in ttm_buffer_object_transfer (git-fixes). - drm/vmwgfx: Fix Host-Backed userspace on Guest-Backed kernel (git-fixes). - exfat: fdatasync flag should be same like generic_write_sync() (git-fixes). - fbcon: Fix outdated registered_fb reference in comment (git-fixes). - fbdev: imxfb: Check fb_add_videomode to prevent null-ptr-deref (git-fixes). - firewire: ohci: correct code comments about bus_reset tasklet (git-fixes). - fs/jfs: consolidate sanity checking in dbMount (git-fixes). - fs/orangefs: Allow 2 more characters in do_c_string() (git-fixes). - gpio: mlxbf2: use platform_get_irq_optional() (git-fixes). - gpio: pca953x: log an error when failing to get the reset GPIO (git-fixes). - gpio: sim: include a missing header (git-fixes). - gpio: vf610: add locking to gpio direction functions (git-fixes). - gpio: virtio: Fix config space reading (git-fixes). - gpiolib: Fix debug messaging in gpiod_find_and_request() (git-fixes). - gpiolib: Handle no pin_ranges in gpiochip_generic_config() (git-fixes). - gpiolib: acpi: Do not use GPIO chip fwnode in acpi_gpiochip_find() (bsc#1233300). - gpiolib: acpi: Fix failed in acpi_gpiochip_find() by adding parent node match (bsc#1233300). - gpiolib: cdev: Ignore reconfiguration without direction (git-fixes). - gpiolib: of: Add polarity quirk for s5m8767 (stable-fixes). - hfs: make splice write available again (git-fixes). - hfsplus: make splice write available again (git-fixes). - hfsplus: remove mutex_lock check in hfsplus_free_extents (git-fixes). - hid: Add IGNORE quirk for SMARTLINKTECHNOLOGY (stable-fixes). - hid: core: do not bypass hid_hw_raw_request (stable-fixes). - hid: core: ensure __hid_request reserves the report ID as the first byte (git-fixes). 
- hid: core: ensure the allocated report buffer can contain the reserved report ID (stable-fixes). - hid: lenovo: Add support for ThinkPad X1 Tablet Thin Keyboard Gen2 (stable-fixes). - hid: quirks: Add quirk for 2 Chicony Electronics HP 5MP Cameras (stable-fixes). - hv_netvsc: Use VF's tso_max_size value when data path is VF (bsc#1246203). - hwmon: (corsair-cpro) Validate the size of the received input buffer (git-fixes). - hwmon: (gsc-hwmon) fix fan pwm setpoint show functions (git-fixes). - hwmon: (pmbus/max34440) Fix support for max34451 (stable-fixes). - hwrng: mtk - handle devm_pm_runtime_enable errors (git-fixes). - i2c/designware: Fix an initialization issue (git-fixes). - i2c: qup: jump out of the loop in case of timeout (git-fixes). - i2c: stm32: fix the device used for the DMA map (git-fixes). - i2c: tegra: Fix reset error handling with ACPI (git-fixes). - i2c: virtio: Avoid hang by using interruptible completion wait (git-fixes). - i3c: fix module_i3c_i2c_driver() with I3C=n (git-fixes). - ib/mlx5: Fix potential deadlock in MR deregistration (git-fixes) - iio: accel: fxls8962af: Fix use after free in fxls8962af_fifo_flush (git-fixes). - iio: adc: ad7949: use spi_is_bpw_supported() (git-fixes). - iio: adc: ad_sigma_delta: Fix use of uninitialized status_pos (stable-fixes). - iio: adc: ad_sigma_delta: change to buffer predisable (git-fixes). - iio: adc: max1363: Fix MAX1363_4X_CHANS/MAX1363_8X_CHANS[] (stable-fixes). - iio: adc: max1363: Reorder mode_list[] entries (stable-fixes). - iio: adc: stm32-adc: Fix race in installing chained IRQ handler (git-fixes). - iio: imu: bno055: fix OOB access of hw_xlate array (git-fixes). - iio: pressure: zpa2326: Use aligned_s64 for the timestamp (stable-fixes). - input: iqs7222 - explicitly define number of external channels (git-fixes). - input: xpad - adjust error handling for disconnect (git-fixes). - input: xpad - set correct controller type for Acer NGR200 (git-fixes). 
- input: xpad - support Acer NGR 200 Controller (stable-fixes). - iommu/amd: Fix geometry.aperture_end for V2 tables (git-fixes). - iommu/amd: Set the pgsize_bitmap correctly (git-fixes). - iommu/arm-smmu-qcom: Add SM6115 MDSS compatible (git-fixes). - iommu/vt-d: Fix possible circular locking dependency (git-fixes). - iommu/vt-d: Fix system hang on reboot -f (git-fixes). - ipv6: fix possible infinite loop in fib6_info_uses_dev() (git-fixes). - ipv6: mcast: Delay put pmc->idev in mld_del_delrec() (git-fixes). - ipv6: prevent infinite loop in rt6_nlmsg_size() (git-fixes). - ipv6: reject malicious packets in ipv6_gso_segment() (git-fixes). - iwlwifi: Add missing check for alloc_ordered_workqueue (git-fixes). - jfs: fix metapage reference count leak in dbAllocCtl (git-fixes). - kABI workaround for struct drm_framebuffer changes (git-fixes). - kABI: Fix the module::name type in audit_context (git-fixes). - kasan: remove kasan_find_vm_area() to prevent possible deadlock (git-fixes). - leds: multicolor: Fix intensity setting while SW blinking (stable-fixes). - lib/group_cpus.c: avoid acquiring cpu hotplug lock in group_cpus_evenly (bsc#1236897). - lib/group_cpus: fix NULL pointer dereference from group_cpus_evenly() (bsc#1236897). - maple_tree: fix mt_destroy_walk() on root leaf node (git-fixes). - md/md-bitmap: fix dm-raid max_write_behind setting (git-fixes). - media: gspca: Add bounds checking to firmware parser (git-fixes). - media: hi556: correct the test pattern configuration (git-fixes). - media: imx: fix a potential memory leak in imx_media_csc_scaler_device_init() (git-fixes). - media: ov2659: Fix memory leaks in ov2659_probe() (git-fixes). - media: rainshadow-cec: fix TOCTOU race condition in rain_interrupt() (git-fixes). - media: usbtv: Lock resolution while streaming (git-fixes). - media: uvcvideo: Do not mark valid metadata as invalid (git-fixes). - media: uvcvideo: Fix 1-byte out-of-bounds read in uvc_parse_format() (git-fixes). 
- media: v4l2-ctrls: Do not reset handler's error in v4l2_ctrl_handler_free() (git-fixes). - media: v4l2-ctrls: Fix H264 SEPARATE_COLOUR_PLANE check (git-fixes). - media: venus: Add a check for packet size after reading from shared memory (git-fixes). - media: venus: hfi: explicitly release IRQ during teardown (git-fixes). - media: venus: protect against spurious interrupts during probe (git-fixes). - media: venus: vdec: Clamp param smaller than 1fps and bigger than 240 (git-fixes). - media: venus: venc: Clamp param smaller than 1fps and bigger than 240 (git-fixes). - media: vivid: fix wrong pixel_array control size (git-fixes). - memstick: core: Zero initialize id_reg in h_memstick_read_dev_id() (git-fixes). - mfd: max14577: Fix wakeup source leaks on device unbind (stable-fixes). - misc: rtsx: usb: Ensure mmc child device is active when card is present (git-fixes). - mmc: bcm2835: Fix dma_unmap_sg() nents value (git-fixes). - mmc: core: sd: Apply BROKEN_SD_DISCARD quirk earlier (git-fixes). - mmc: sdhci-pci: Quirk for broken command queuing on Intel GLK-based Positivo models (git-fixes). - mmc: sdhci: Add a helper function for dump register in dynamic debug mode (stable-fixes). - mmc: sdhci_am654: Workaround for Errata i2312 (git-fixes). - module: Fix memory deallocation on error path in move_module() (git-fixes). - module: Remove unnecessary +1 from last_unloaded_module::name size (git-fixes). - module: Restore the moduleparam prefix length check (git-fixes). - mtd: fix possible integer overflow in erase_xfer() (git-fixes). - mtd: rawnand: atmel: Fix dma_mapping_error() address (git-fixes). - mtd: rawnand: atmel: set pmecc data setup time (git-fixes). - mtd: rawnand: fsmc: Add missing check after DMA map (git-fixes). - mtd: rawnand: renesas: Add missing check after DMA map (git-fixes). - mtd: rawnand: rockchip: Add missing check after DMA map (git-fixes). - mtd: spi-nor: Fix spi_nor_try_unlock_all() (git-fixes). 
- mtd: spinand: fix memory leak of ECC engine conf (stable-fixes). - mtd: spinand: propagate spinand_wait() errors from spinand_write_page() (git-fixes). - mtk-sd: Fix a pagefault in dma_unmap_sg() for not prepared data (git-fixes). - mtk-sd: Prevent memory corruption from DMA map failure (git-fixes). - mtk-sd: reset host->mrq on prepare_data() error (git-fixes). - mwl8k: Add missing check after DMA map (git-fixes). - nbd: fix uaf in nbd_genl_connect() error path (git-fixes). - net/packet: fix a race in packet_set_ring() and packet_notifier() (git-fixes). - net/sched: Restrict conditions for adding duplicating netems to qdisc tree (git-fixes). - net/sched: Return NULL when htb_lookup_leaf encounters an empty rbtree (git-fixes). - net/sched: mqprio: fix stack out-of-bounds write in tc entry parsing (git-fixes). - net/sched: sch_qfq: Avoid triggering might_sleep in atomic context in qfq_delete_class (git-fixes). - net/sched: sch_qfq: Fix race condition on qfq_aggregate (git-fixes). - net/sched: taprio: enforce minimum value for picos_per_byte (git-fixes). - net: mana: Add debug logs in MANA network driver (bsc#1246212). - net: mana: Add handler for hardware servicing events (bsc#1245730). - net: mana: Allocate MSI-X vectors dynamically (bsc#1245457). - net: mana: Allow irq_setup() to skip cpus for affinity (bsc#1245457). - net: mana: Allow tso_max_size to go up-to GSO_MAX_SIZE (bsc#1246203). - net: mana: Expose additional hardware counters for drop and TC via ethtool (bsc#1245729). - net: mana: Set tx_packets to post gso processing packet count (bsc#1245731). - net: mana: explain irq_setup() algorithm (bsc#1245457). - net: phy: Do not register LEDs for genphy (git-fixes). - net: phy: micrel: fix KSZ8081/KSZ8091 cable test (git-fixes). - net: phy: microchip: limit 100M workaround to link-down events on LAN88xx (git-fixes). - net: phy: smsc: Fix Auto-MDIX configuration when disabled by strap (git-fixes). 
- net: phy: smsc: Fix link failure in forced mode with Auto-MDIX (git-fixes). - net: usb: lan78xx: fix WARN in __netif_napi_del_locked on disconnect (git-fixes). - net: usb: qmi_wwan: add SIMCom 8230C composition (stable-fixes). - net: usbnet: Avoid potential RCU stall on LINK_CHANGE event (git-fixes). - net: usbnet: Fix the wrong netif_carrier_on() call (git-fixes). - netpoll: prevent hanging NAPI when netcons gets enabled (git-fixes). - nfs: Clean up /proc/net/rpc/nfs when nfs_fs_proc_net_init() fails (git-fixes). - nfs: Fix filehandle bounds checking in nfs_fh_to_dentry() (git-fixes). - nfs: Fix the setting of capabilities when automounting a new filesystem (git-fixes). - nfs: Fix wakeup of __nfs_lookup_revalidate() in unblock_revalidate() (git-fixes). - nfs: Fixup allocation flags for nfsiod's __GFP_NORETRY (git-fixes). - nfsd: detect mismatch of file handle and delegation stateid in OPEN op (git-fixes). - nfsd: handle get_client_locked() failure in nfsd4_setclientid_confirm() (git-fixes). - nfsv4.2: another fix for listxattr (git-fixes). - nfsv4.2: fix listxattr to return selinux security label (git-fixes). - nfsv4/pnfs: Fix a race to wake on NFS_LAYOUT_DRAIN (git-fixes). - nfsv4: Always set NLINK even if the server does not support it (git-fixes). - nfsv4: xattr handlers should check for absent nfs filehandles (git-fixes). - nilfs2: reject invalid file types when reading inodes (git-fixes). - nvme-pci: refresh visible attrs after being checked (git-fixes). - nvme: Fix incorrect cdw15 value in passthru error logging (git-fixes). - nvme: fix endianness of command word prints in nvme_log_err_passthru() (git-fixes). - nvme: fix inconsistent RCU list manipulation in nvme_ns_add_to_ctrl_list() (git-fixes). - nvme: fix misaccounting of nvme-mpath inflight I/O (git-fixes). - nvmet-tcp: fix callback lock for TLS handshake (git-fixes). - objtool: Fix INSN_CONTEXT_SWITCH handling in validate_unret() (git-fixes). 
- objtool: Fix UNWIND_HINT_{SAVE,RESTORE} across basic blocks (git-fixes). - objtool: Fix _THIS_IP_ detection for cold functions (git-fixes). - objtool: Fix error handling inconsistencies in check() (git-fixes). - objtool: Ignore dangling jump table entries (git-fixes). - objtool: Ignore end-of-section jumps for KCOV/GCOV (git-fixes). - objtool: Properly disable uaccess validation (git-fixes). - objtool: Silence more KCOV warnings (git-fixes). - objtool: Silence more KCOV warnings, part 2 (git-fixes). - objtool: Stop UNRET validation on UD2 (git-fixes). - pch_uart: Fix dma_sync_sg_for_device() nents value (git-fixes). - pci/msi: Export pci_msix_prepare_desc() for dynamic MSI-X allocations (bsc#1245457). - pci: dwc: Make link training more robust by setting PORT_LOGIC_LINK_WIDTH to one lane (stable-fixes). - pci: endpoint: Fix configfs group list head handling (git-fixes). - pci: endpoint: Fix configfs group removal on driver teardown (git-fixes). - pci: endpoint: pci-epf-vntb: Fix the incorrect usage of __iomem attribute (git-fixes). - pci: endpoint: pci-epf-vntb: Return -ENOENT if pci_epc_get_next_free_bar() fails (git-fixes). - pci: hv: Allow dynamic MSI-X vector allocation (bsc#1245457). - pci: rockchip-host: Fix 'Unexpected Completion' log message (git-fixes). - perf: Fix sample vs do_exit() (bsc#1246547). - phy: tegra: xusb: Fix unbalanced regulator disable in UTMI PHY mode (git-fixes). - pinctrl: amd: Clear GPIO debounce for suspend (git-fixes). - pinctrl: qcom: msm: mark certain pins as invalid for interrupts (git-fixes). - pinctrl: sunxi: Fix memory leak on krealloc failure (git-fixes). - pinmux: fix race causing mux_owner NULL with active mux_usecount (git-fixes). - platform/chrome: cros_ec: Unregister notifier in cros_ec_unregister() (git-fixes). - platform/mellanox: mlxbf-pmc: Fix duplicate event ID for CACHE_DATA1 (git-fixes). - platform/mellanox: mlxbf-tmfifo: fix vring_desc.len assignment (git-fixes). 
- platform/mellanox: mlxreg-lc: Fix logic error in power state check (git-fixes). - platform/mellanox: nvsw-sn2201: Fix bus number in adapter error message (git-fixes). - platform/x86/amd/pmc: Add PCSpecialist Lafite Pro V 14M to 8042 quirks list (stable-fixes). - platform/x86: dell-wmi-sysman: Fix WMI data block retrieval in sysfs callbacks (git-fixes). - platform/x86: ideapad-laptop: Fix kbd backlight not remembered among boots (git-fixes). - platform/x86: think-lmi: Create ksets consecutively (stable-fixes). - platform/x86: think-lmi: Fix kobject cleanup (git-fixes). - platform/x86: think-lmi: Fix sysfs group cleanup (git-fixes). - pm / devfreq: Check governor before using governor->name (git-fixes). - pnfs/flexfiles: do not attempt pnfs on fatal DS errors (git-fixes). - power: supply: cpcap-charger: Fix null check for power_supply_get_by_name (git-fixes). - power: supply: max14577: Handle NULL pdata when CONFIG_OF is not set (git-fixes). - powercap: call put_device() on an error path in powercap_register_control_type() (stable-fixes). - powercap: dtpm_cpu: Fix NULL pointer dereference in get_pd_power_uw() (git-fixes). - powercap: intel_rapl: Do not change CLAMPING bit if ENABLE bit cannot be changed (git-fixes). - powerpc/bpf: enforce full ordering for ATOMIC operations with BPF_FETCH (git-fixes). - ptp: fix breakage after ptp_vclock_in_use() rework (bsc#1246506). - pwm: imx-tpm: Reset counter if CMOD is 0 (git-fixes). - pwm: mediatek: Ensure to disable clocks in error path (git-fixes). 
- rdma/core: Rate limit GID cache warning messages (git-fixes) - rdma/counter: Check CAP_NET_RAW check in user namespace for RDMA counters (git-fixes) - rdma/hns: Drop GFP_NOWARN (git-fixes) - rdma/hns: Fix -Wframe-larger-than issue (git-fixes) - rdma/hns: Fix HW configurations not cleared in error flow (git-fixes) - rdma/hns: Fix accessing uninitialized resources (git-fixes) - rdma/hns: Fix double destruction of rsv_qp (git-fixes) - rdma/hns: Get message length of ack_req from FW (git-fixes) - rdma/mlx5: Check CAP_NET_RAW in user namespace for anchor create (git-fixes) - rdma/mlx5: Check CAP_NET_RAW in user namespace for devx create (git-fixes) - rdma/mlx5: Check CAP_NET_RAW in user namespace for flow create (git-fixes) - rdma/mlx5: Fix CC counters query for MPV (git-fixes) - rdma/mlx5: Fix HW counters query for non-representor devices (git-fixes) - rdma/mlx5: Fix compilation warning when USER_ACCESS isn't set (git-fixes) - rdma/mlx5: Fix vport loopback for MPV device (git-fixes) - rdma/mlx5: Initialize obj_event->obj_sub_list before xa_insert (git-fixes) - rdma/nldev: Check CAP_NET_RAW in user namespace for QP modify (git-fixes) - rdma/siw: Fix the sendmsg byte count in siw_tcp_sendpages (git-fixes) - rdma/uverbs: Add empty rdma_uattrs_has_raw_cap() declaration (git-fixes) - rdma/uverbs: Check CAP_NET_RAW in user namespace for QP create (git-fixes) - rdma/uverbs: Check CAP_NET_RAW in user namespace for RAW QP create (git-fixes) - rdma/uverbs: Check CAP_NET_RAW in user namespace for flow create (git-fixes) - regmap: fix potential memory leak of regmap_bus (git-fixes). - regulator: fan53555: add enable_time support and soft-start times (stable-fixes). - regulator: gpio: Fix the out-of-bounds access to drvdata::gpiods (git-fixes). - regulator: pwm-regulator: Calculate the output voltage for disabled PWMs (stable-fixes). - resource: fix false warning in __request_region() (git-fixes). - restore UCSI_CONNECTOR_RESET_HARD definition (git-fixes). 
- ring-buffer: Do not allow events in NMI with generic atomic64 cmpxchg() (git-fixes). - rose: fix dangling neighbour pointers in rose_rt_device_down() (git-fixes). - rpl: Fix use-after-free in rpl_do_srh_inline() (git-fixes). - rpm/mkspec: Fix missing kernel-syms-rt creation (bsc#1244337) - rtc: ds1307: fix incorrect maximum clock rate handling (git-fixes). - rtc: hym8563: fix incorrect maximum clock rate handling (git-fixes). - rtc: nct3018y: fix incorrect maximum clock rate handling (git-fixes). - rtc: pcf85063: fix incorrect maximum clock rate handling (git-fixes). - rtc: pcf8563: fix incorrect maximum clock rate handling (git-fixes). - rtc: rv3028: fix incorrect maximum clock rate handling (git-fixes). - s390/bpf: Fix bpf_arch_text_poke() with new_addr == NULL again (git-fixes bsc#1246870). - s390/entry: Fix last breaking event handling in case of stack corruption (git-fixes bsc#1243806). - s390/pci: Do not try re-enabling load/store if device is disabled (git-fixes bsc#1245646). - s390/pci: Fix stale function handles in error handling (git-fixes bsc#1245647). - s390/pkey: Prevent overflow in size calculation for memdup_user() (git-fixes bsc#1245598). - s390: Add z17 elf platform (LTC#214086 bsc#1245540). - samples: mei: Fix building on musl libc (git-fixes). - sched,freezer: Remove unnecessary warning in __thaw_task (bsc#1219338). - sched: Add test_and_clear_wake_up_bit() and atomic_dec_and_wake_up() (git-fixes). - scsi: core: Enforce unlimited max_segment_size when virt_boundary_mask is set (git-fixes). - scsi: lpfc: Check for hdwq null ptr when cleaning up lpfc_vport structure (bsc#1245260 bsc#1243100 bsc#1246125). - scsi: lpfc: Copyright updates for 14.4.0.10 (bsc#1245260 bsc#1243100 bsc#1246125). - scsi: lpfc: Early return out of FDMI cmpl for locally rejected statuses (bsc#1245260 bsc#1243100 bsc#1246125). - scsi: lpfc: Ensure HBA_SETUP flag is used only for SLI4 in dev_loss_tmo_callbk (bsc#1245260 bsc#1243100 bsc#1246125). 
- scsi: lpfc: Modify end-of-life adapters' model descriptions (bsc#1245260 bsc#1243100 bsc#1246125 bsc#1204142). - scsi: lpfc: Move clearing of HBA_SETUP flag to before lpfc_sli4_queue_unset (bsc#1245260 bsc#1243100 bsc#1246125). - scsi: lpfc: Relocate clearing initial phba flags from link up to link down hdlr (bsc#1245260 bsc#1243100 bsc#1246125). - scsi: lpfc: Revise CQ_CREATE_SET mailbox bitfield definitions (bsc#1245260 bsc#1243100 bsc#1246125). - scsi: lpfc: Revise logging format for failed CT MIB requests (bsc#1245260 bsc#1243100 bsc#1246125). - scsi: lpfc: Simplify error handling for failed lpfc_get_sli4_parameters cmd (bsc#1245260 bsc#1243100 bsc#1246125). - scsi: lpfc: Skip RSCN processing when FC_UNLOADING flag is set (bsc#1245260 bsc#1243100 bsc#1246125). - scsi: lpfc: Update debugfs trace ring initialization messages (bsc#1245260 bsc#1243100 bsc#1246125). - scsi: lpfc: Update lpfc version to 14.4.0.10 (bsc#1245260 bsc#1243100 bsc#1246125). - scsi: megaraid_sas: Fix invalid node index (git-fixes). - scsi: qla2xxx: Fix DMA mapping test in qla24xx_get_port_database() (git-fixes). - scsi: qla4xxx: Fix missing DMA mapping error in qla4xxx_alloc_pdu() (git-fixes). - scsi: s390: zfcp: Ensure synchronous unit_add (git-fixes bsc#1245599). - selftests/bpf: Add CFLAGS per source file and runner (git-fixes). - selftests/bpf: Add tests for iter next method returning valid pointer (git-fixes). - selftests/bpf: Change functions definitions to support GCC (git-fixes). - selftests/bpf: Fix a few tests for GCC related warnings (git-fixes). - selftests/bpf: Fix pointer arithmetic in test_xdp_do_redirect (git-fixes). - selftests/bpf: Fix prog numbers in test_sockmap (git-fixes). - smb3: move server check earlier when setting channel sequence number (git-fixes). - smb3: rename macro CIFS_SERVER_IS_CHAN to avoid confusion (git-fixes). - smb3: send channel sequence number in SMB3 requests after reconnects (git-fixes). 
- soc/tegra: cbb: Clear ERR_FORCE register with ERR_STATUS (git-fixes). - soc: aspeed: lpc-snoop: Cleanup resources in stack-order (git-fixes). - soc: aspeed: lpc-snoop: Do not disable channels that are not enabled (git-fixes). - soc: qcom: QMI encoding/decoding for big endian (git-fixes). - soc: qcom: fix endianness for QMI header (git-fixes). - soc: qcom: pmic_glink: fix OF node leak (git-fixes). - soundwire: amd: fix for clearing command status register (git-fixes). - soundwire: stream: restore params when prepare ports fail (git-fixes). - spi: spi-fsl-dspi: Clear completion counter before initiating transfer (git-fixes). - staging: axis-fifo: remove sysfs interface (git-fixes). - staging: fbtft: fix potential memory leak in fbtft_framebuffer_alloc() (git-fixes). - staging: nvec: Fix incorrect null termination of battery manufacturer (git-fixes). - struct cdns: move new member to the end (git-fixes). - struct ucsi_operations: use padding for new operation (git-fixes). - sunrpc: do not immediately retransmit on seqno miss (git-fixes). - sunrpc: fix client side handling of tls alerts (git-fixes). - supported.conf: add missing entries for armv7hl - supported.conf: move nvme-apple to optional again - supported.conf: sort entries again - tcp: call tcp_measure_rcv_mss() for ooo packets (git-fixes). - thunderbolt: Fix bit masking in tb_dp_port_set_hops() (git-fixes). - thunderbolt: Fix copy+paste error in match_service_id() (git-fixes). - thunderbolt: Fix wake on connect at runtime (git-fixes). - tracing/kprobe: Make trace_kprobe's module callback called after jump_label update (git-fixes). - tracing/kprobes: Fix to free objects when failed to copy a symbol (git-fixes). - types: Complement the aligned types with signed 64-bit one (stable-fixes). - ucount: fix atomic_long_inc_below() argument type (git-fixes). - ucsi-glink: adapt to kABI consistency (git-fixes). - ucsi_ccg: Refine the UCSI Interrupt handling (git-fixes). 
- ucsi_operations: add stubs for all operations (git-fixes). - ucsi_ops: adapt update_connector to kABI consistency (git-fixes). - usb: Add checks for snprintf() calls in usb_alloc_dev() (stable-fixes). - usb: atm: cxacru: Merge cxacru_upload_firmware() into cxacru_heavy_init() (git-fixes). - usb: cdc-wdm: avoid setting WDM_READ for ZLP-s (stable-fixes). - usb: cdnsp: Fix issue with CV Bad Descriptor test (git-fixes). - usb: cdnsp: Fix issue with resuming from L1 (git-fixes). - usb: cdnsp: Replace snprintf() with the safer scnprintf() variant (stable-fixes). - usb: cdnsp: do not disable slot for disabled slot (git-fixes). - usb: chipidea: udc: disconnect/reconnect from host when do suspend/resume (git-fixes). - usb: common: usb-conn-gpio: use a unique name for usb connector device (stable-fixes). - usb: dwc2: also exit clock_gating when stopping udc while suspended (stable-fixes). - usb: dwc3: meson-g12a: fix device leaks at unbind (git-fixes). - usb: early: xhci-dbc: Fix early_ioremap leak (git-fixes). - usb: gadget : fix use-after-free in composite_dev_cleanup() (git-fixes). - usb: gadget: u_serial: Fix race condition in TTY wakeup (git-fixes). - usb: gadget: udc: renesas_usb3: fix device leak at unbind (git-fixes). - usb: host: xhci-plat: fix incorrect type for of_match variable in xhci_plat_probe() (git-fixes). - usb: hub: Do not try to recover devices lost during warm reset (git-fixes). - usb: misc: apple-mfi-fastcharge: Make power supply names unique (git-fixes). - usb: musb: fix gadget state on disconnect (git-fixes). - usb: musb: omap2430: fix device leak at unbind (git-fixes). - usb: net: sierra: check for no status endpoint (git-fixes). - usb: potential integer overflow in usbg_make_tpg() (stable-fixes). - usb: serial: ftdi_sio: add support for NDI EMGUIDE GEMINI (stable-fixes). - usb: serial: option: add Foxconn T99W640 (stable-fixes). - usb: serial: option: add Telit Cinterion FE910C04 (ECM) composition (stable-fixes). 
- usb: typec: Update sysfs when setting ops (git-fixes). - usb: typec: altmodes/displayport: do not index invalid pin_assignments (git-fixes). - usb: typec: displayport: Fix potential deadlock (git-fixes). - usb: typec: displayport: Receive DP Status Update NAK request exit dp altmode (stable-fixes). - usb: typec: mux: do not return on EOPNOTSUPP in {mux, switch}_set (stable-fixes). - usb: typec: tcpm: allow switching to mode accessory to mux properly (stable-fixes). - usb: typec: tcpm: allow to use sink in accessory mode (stable-fixes). - usb: typec: tcpm: apply vbus before data bringup in tcpm_src_attach (git-fixes). - usb: typec: ucsi: Add DATA_RESET option of Connector Reset command (git-fixes). - usb: typec: ucsi: Add qcm6490-pmic-glink as needing PDOS quirk (git-fixes). - usb: typec: ucsi: Delay alternate mode discovery (git-fixes). - usb: typec: ucsi: Fix busy loop on ASUS VivoBooks (git-fixes). - usb: typec: ucsi: Fix the partner PD revision (git-fixes). - usb: typec: ucsi: Get PD revision for partner (git-fixes). - usb: typec: ucsi: Set orientation as none when connector is unplugged (git-fixes). - usb: typec: ucsi: Update power_supply on power role change (git-fixes). - usb: typec: ucsi: add callback for connector status updates (git-fixes). - usb: typec: ucsi: add update_connector callback (git-fixes). - usb: typec: ucsi: do not retrieve PDOs if not supported (git-fixes). - usb: typec: ucsi: extract code to read PD caps (git-fixes). - usb: typec: ucsi: fix UCSI on SM8550 & SM8650 Qualcomm devices (git-fixes). - usb: typec: ucsi: glink: fix off-by-one in connector_status (git-fixes). - usb: typec: ucsi: glink: increase max ports for x1e80100 (git-fixes). - usb: typec: ucsi: glink: move GPIO reading into connector_status callback (git-fixes). - usb: typec: ucsi: glink: use typec_set_orientation (git-fixes). - usb: typec: ucsi: move ucsi_acknowledge() from ucsi_read_error() (git-fixes). - usb: typec: ucsi: properly register partner's PD device (git-fixes). 
- usb: typec: ucsi: support delaying GET_PDOS for device (git-fixes). - usb: typec: ucsi_acpi: Add LG Gram quirk (git-fixes). - usb: typec: ucsi_glink: drop NO_PARTNER_PDOS quirk for sm8550 / sm8650 (git-fixes). - usb: typec: ucsi_glink: enable the UCSI_DELAY_DEVICE_PDOS quirk (git-fixes). - usb: typec: ucsi_glink: enable the UCSI_DELAY_DEVICE_PDOS quirk on qcm6490 (git-fixes). - usb: typec: ucsi_glink: rework quirks implementation (git-fixes). - usb: xhci: Skip xhci_reset in xhci_resume if xhci is being removed (git-fixes). - usb: xhci: quirk for data loss in ISOC transfers (stable-fixes). - usb:cdnsp: remove TRB_FLUSH_ENDPOINT command (stable-fixes). - virtgpu: do not reset on shutdown (git-fixes). - vmci: Prevent the dispatching of uninitialized payloads (git-fixes). - vt: add missing notification when switching back to text mode (stable-fixes). - vt: defkeymap: Map keycodes above 127 to K_HOLE (git-fixes). - vt: keyboard: Do not process Unicode characters in K_OFF mode (git-fixes). - watchdog: ziirave_wdt: check record length in ziirave_firm_verify() (git-fixes). - wifi: ath11k: clear initialized flag for deinit-ed srng lists (git-fixes). - wifi: ath11k: fix dest ring-buffer corruption (git-fixes). - wifi: ath11k: fix dest ring-buffer corruption when ring is full (git-fixes). - wifi: ath11k: fix sleeping-in-atomic in ath11k_mac_op_set_bitrate_mask() (git-fixes). - wifi: ath11k: fix source ring-buffer corruption (git-fixes). - wifi: ath11k: fix suspend use-after-free after probe failure (git-fixes). - wifi: ath12k: fix dest ring-buffer corruption (git-fixes). - wifi: ath12k: fix dest ring-buffer corruption when ring is full (git-fixes). - wifi: ath12k: fix endianness handling while accessing wmi service bit (git-fixes). - wifi: ath12k: fix source ring-buffer corruption (git-fixes). - wifi: ath6kl: remove WARN on bad firmware input (stable-fixes). - wifi: brcmfmac: fix P2P discovery failure in P2P peer due to missing P2P IE (git-fixes). 
- wifi: brcmsmac: Remove const from tbl_ptr parameter in wlc_lcnphy_common_read_table() (git-fixes). - wifi: iwlwifi: Fix error code in iwl_op_mode_dvm_start() (git-fixes). - wifi: iwlwifi: Fix memory leak in iwl_mvm_init() (git-fixes). - wifi: iwlwifi: return ERR_PTR from opmode start() (stable-fixes). - wifi: mac80211: Add link iteration macro for link data (stable-fixes). - wifi: mac80211: Check 802.11 encaps offloading in ieee80211_tx_h_select_key() (git-fixes). - wifi: mac80211: Do not call fq_flow_idx() for management frames (git-fixes). - wifi: mac80211: Do not schedule stopped TXQs (git-fixes). - wifi: mac80211: chan: chandef is non-NULL for reserved (stable-fixes). - wifi: mac80211: drop invalid source address OCB frames (stable-fixes). - wifi: mac80211: reject TDLS operations when station is not associated (git-fixes). - wifi: mt76: mt7925: Fix null-ptr-deref in mt7925_thermal_init() (git-fixes). - wifi: mt76: mt7925: fix invalid array index in ssid assignment during hw scan (git-fixes). - wifi: mt76: mt7925: fix the wrong config for tx interrupt (git-fixes). - wifi: plfxlc: Fix error handling in usb driver probe (git-fixes). - wifi: prevent A-MSDU attacks in mesh networks (stable-fixes). - wifi: rtl818x: Kill URBs before clearing tx status queue (git-fixes). - wifi: rtw89: avoid NULL dereference when RX problematic packet on unsupported 6 GHz band (git-fixes). - wifi: zd1211rw: Fix potential NULL pointer dereference in zd_mac_tx_to_dev() (git-fixes). - x86/cpu/amd: Fix workaround for erratum 1054 (git-fixes). - x86/mce/amd: Add default names for MCA banks and blocks (git-fixes). - x86/mce/amd: Fix threshold limit reset (git-fixes). - x86/mce: Do not remove sysfs if thresholding sysfs init fails (git-fixes). - x86/mce: Make sure CMCI banks are cleared during shutdown on Intel (git-fixes). - x86/tdx: Fix __noreturn build warning around __tdx_hypercall_failed() (git-fixes). - x86/traps: Initialize DR6 by writing its architectural reset value (git-fixes). 
- x86/virt/tdx: Avoid indirect calls to TDX assembly functions (git-fixes). - x86: UV RTC: Add parameter to disable RTC clocksource (bsc#1241345). - xfs: fix off-by-one error in fsmap's end_daddr usage (bsc#1235837). - xfs: only create event xfs_file_compat_ioctl when CONFIG_COMPAT is configure (git-fixes). - xfs: remove unused event xfs_alloc_near_error (git-fixes). - xfs: remove unused event xfs_alloc_near_nominleft (git-fixes). - xfs: remove unused event xfs_attr_node_removename (git-fixes). - xfs: remove unused event xfs_ioctl_clone (git-fixes). - xfs: remove unused event xfs_pagecache_inval (git-fixes). - xfs: remove unused event xlog_iclog_want_sync (git-fixes). - xfs: remove unused trace event xfs_attr_remove_iter_return (git-fixes). - xfs: remove unused trace event xfs_attr_rmtval_set (git-fixes). - xfs: remove unused trace event xfs_reflink_cow_enospc (git-fixes). - xfs: remove unused xfs_attr events (git-fixes). - xfs: remove unused xfs_reflink_compare_extents events (git-fixes). - xfs: remove usused xfs_end_io_direct events (git-fixes). - xhci: Disable stream for xHC controller with XHCI_BROKEN_STREAMS (git-fixes). - xhci: dbc: Flush queued requests before stopping dbc (git-fixes). - xhci: dbctty: disable ECHO flag by default (git-fixes). 
----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:3012-1 Released: Fri Aug 29 02:07:38 2025 Summary: security update for git, git-lfs, obs-scm-bridge, python-PyYAML Type: security Severity: important References: 1212476,1216545,1218588,1218664,1243197,1245938,1245939,1245942,1245943,1245946,CVE-2025-27613,CVE-2025-27614,CVE-2025-46835,CVE-2025-48384,CVE-2025-48385 This update for git, git-lfs, obs-scm-bridge, python-PyYAML fixes the following issues: git was updated from version 2.43.0 to 2.51.0 (bsc#1243197): - Security issues fixed: * CVE-2025-27613 Fixed arbitrary writable file creation and truncation in Gitk (bsc#1245938) * CVE-2025-27614 Fixed arbitrary script execution via repository cloning in gitk (bsc#1245939) * CVE-2025-46835 Fixed arbitrary writable file creation in Git GUI when an untrusted repository is cloned (bsc#1245942) * CVE-2025-48384 Fixed the unintentional execution of a script after checkout due to CRLF transforming (bsc#1245943) * CVE-2025-48385 Fixed arbitrary code execution due to protocol injection via fetching advertised bundle (bsc#1245946) - Other changes and bugs fixed: * Added SHA256 support (bsc#1243197) * Git moved to /usr/libexec/git/git and updated AppArmor profile accordingly (bsc#1218588) * gitweb AppArmor profile: allow reading etc/gitweb-common.conf (bsc#1218664) * Do not replace apparmor configuration (bsc#1216545) * Fixed the Python version required (bsc#1212476) - Version Updates Release Notes: * https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.51.0.adoc * https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.50.1.adoc * https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.50.0.adoc * https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.49.0.adoc * https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.48.1.adoc * 
https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.48.0.adoc * https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.47.1.adoc * https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.47.0.adoc * https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.46.2.adoc * https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.46.1.adoc * https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.46.0.adoc * https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.45.3.adoc * https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.45.2.adoc * https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.45.1.adoc * https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.45.0.adoc * https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.44.0.adoc * https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.43.3.adoc * https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.43.2.adoc * https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.43.1.adoc git-lfs is included in version 3.7.0. python-PyYAML was updated from version 6.0.1 to 6.0.2: - Added support for Cython 3.x and Python 3.13 obs-scm-bridge was updated from version 0.5.4 to 0.7.4: - New Features and Improvements: * Manifest File Support: Support has been added for a `_manifest` file, which serves as a successor to the `_subdirs` file. * Control Over Git Information: A new noobsinfo query parameter was added to hide git information in source and binary files. * Enhanced Submodule Handling: The system now records the configured branch of submodules and stays on that branch during checkout. * Git SHA Tracking: In project mode, the tool now uses git SHA sums instead of md5sum to track package sources. * SSH URL Support: ssh:// SCM URLs can now be used. 
* Improved Error Messages: Error reporting for invalid files within package subdirectories has been improved. * Standardized Config Location: In project mode, the _config file is now always located in the top-level directory, even when using subdirs. * Reduced Unnecessary Changes: In project mode, unnecessary modifications to the package meta URL are now avoided. * Limit Asset Handling: A new mechanism has been introduced to limit how assets are handled. * Branch Information Export: The trackingbranch is now exported to scmsync.obsinfo. - Bugs fixed: * Syntax Fix: A syntax issue was corrected. * Git Submodule Parsing: The .gitsubmodule parser was fixed to correctly handle files that contain a mix of spaces and tabs. The following package changes have been done: - kernel-macros-6.4.0-150600.23.65.1 updated - kernel-devel-6.4.0-150600.23.65.1 updated - git-core-2.51.0-150600.3.12.1 updated - kernel-default-devel-6.4.0-150600.23.65.1 updated - kernel-syms-6.4.0-150600.23.65.1 updated From sle-container-updates at lists.suse.com Wed Sep 3 07:17:26 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Wed, 3 Sep 2025 09:17:26 +0200 (CEST) Subject: SUSE-CU-2025:6709-1: Security update of bci/bci-sle15-kernel-module-devel Message-ID: <20250903071726.AC228FF9E@maintenance.suse.de> SUSE Container Update Advisory: bci/bci-sle15-kernel-module-devel ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:6709-1 Container Tags : bci/bci-sle15-kernel-module-devel:15.7 , bci/bci-sle15-kernel-module-devel:15.7-44.12 , bci/bci-sle15-kernel-module-devel:latest Container Release : 44.12 Severity : important Type : security References : 
----------------------------------------------------------------- The container bci/bci-sle15-kernel-module-devel was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2964-1 Released: Fri Aug 22 14:52:39 2025 Summary: Security update for glibc Type: security Severity: moderate References: 1240058,1246965,CVE-2025-8058 This update for glibc fixes the following issues: - CVE-2025-8058: Fixed double-free after allocation failure in regcomp. (bsc#1246965) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2970-1 Released: Mon Aug 25 10:27:57 2025 Summary: Security update for pam Type: security Severity: moderate References: 1232234,1246221,CVE-2024-10041 This update for pam fixes the following issues: - Improve previous CVE-2024-10041 fix which led to CPU performance issues (bsc#1232234) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2997-1 Released: Wed Aug 27 14:04:03 2025 Summary: Security update for the Linux Kernel Type: security Severity: important References: 
The SUSE Linux Enterprise 15 SP7 kernel was updated to receive various security bugfixes. The following security bugs were fixed: - CVE-2019-11135: enabled CONFIG_X86_INTEL_TSX_MODE_AUTO (bsc#1139073, bsc#1246695) - CVE-2024-36028: mm/hugetlb: fix DEBUG_LOCKS_WARN_ON(1) when dissolve_free_hugetlb_folio() (bsc#1225707). - CVE-2024-36348, CVE-2024-36349, CVE-2024-36350, CVE-2024-36357: x86/process: Move the buffer clearing before MONITOR (bsc#1238896). - CVE-2024-39298: mm/memory-failure: fix handling of dissolved but not taken off from buddy pages (bsc#1227082). - CVE-2024-42134: virtio-pci: Check if is_avq is NULL (bsc#1228664). - CVE-2024-44963: btrfs: do not BUG_ON() when freeing tree block after error (bsc#1230216). - CVE-2024-49861: net: clear the dst when changing skb protocol (bsc#1245954). - CVE-2024-56742: vfio/mlx5: Fix an unwind issue in mlx5vf_add_migration_pages() (bsc#1235613). - CVE-2025-21839: KVM: x86: Load DR6 with guest value only before entering .vcpu_run() loop (bsc#1239061). - CVE-2025-21854: selftest/bpf: Add vsock test for sockmap rejecting unconnected (bsc#1239470). - CVE-2025-21872: efi/mokvar-table: Avoid repeated map/unmap of the same page (bsc#1240323). - CVE-2025-22090: mm: (un)track_pfn_copy() fix + doc improvements (bsc#1241537). - CVE-2025-23163: net: vlan: do not propagate flags on open (bsc#1242837). - CVE-2025-37856: btrfs: harden block_group::bg_list against list_del() races (bsc#1243068). 
- CVE-2025-37864: net: dsa: clean up FDB, MDB, VLAN entries on unbind (bsc#1242965). - CVE-2025-37885: KVM: x86: Reset IRTE to host control if *new* route isn't postable (bsc#1242960). - CVE-2025-37920: kABI workaround for xsk: Fix race condition in AF_XDP generic RX path (bsc#1243479). - CVE-2025-37984: crypto: ecdsa - Harden against integer overflows in DIV_ROUND_UP() (bsc#1243669). - CVE-2025-38034: btrfs: correct the order of prelim_ref arguments in btrfs__prelim_ref (bsc#1244792). - CVE-2025-38035: nvmet-tcp: do not restore null sk_state_change (bsc#1244801). - CVE-2025-38047: x86/fred: Fix system hang during S4 resume with FRED enabled (bsc#1245084). - CVE-2025-38051: smb: client: Fix use-after-free in cifs_fill_dirent (bsc#1244750). - CVE-2025-38058: __legitimize_mnt(): check for MNT_SYNC_UMOUNT should be under mount_lock (bsc#1245151). - CVE-2025-38061: net: pktgen: fix access outside of user given buffer in pktgen_thread_write() (bsc#1245440). - CVE-2025-38062: kABI: restore layout of struct msi_desc (bsc#1245216). - CVE-2025-38063: dm: fix unconditional IO throttle caused by REQ_PREFLUSH (bsc#1245202). - CVE-2025-38064: virtio: break and reset virtio devices on device_shutdown() (bsc#1245201). - CVE-2025-38074: vhost-scsi: protect vq->log_used with vq->mutex (bsc#1244735). - CVE-2025-38094: net: cadence: macb: Fix a possible deadlock in macb_halt_tx (bsc#1245649). - CVE-2025-38097: kabi: restore encap_sk in struct xfrm_state (bsc#1245660). - CVE-2025-38098: drm/amd/display: Do not treat wb connector as physical in (bsc#1245654). - CVE-2025-38099: Bluetooth: btusb: Fix regression in the initialization of fake Bluetooth controllers (bsc#1245671). - CVE-2025-38100: x86/iopl: Cure TIF_IO_BITMAP inconsistencies (bsc#1245650). - CVE-2025-38105: ALSA: usb-audio: Kill timer properly at removal (bsc#1245682). - CVE-2025-38106: io_uring/sqpoll: do not put task_struct on tctx setup failure (bsc#1245664). 
- CVE-2025-38115: net_sched: sch_sfq: fix a potential crash on gso_skb handling (bsc#1245689). - CVE-2025-38117: hci_dev centralize extra lock (bsc#1245695). - CVE-2025-38126: net: stmmac: make sure that ptp_rate is not 0 before configuring timestamping (bsc#1245708). - CVE-2025-38131: coresight: prevent deactivate active config while enabling the config (bsc#1245677). - CVE-2025-38132: coresight: holding cscfg_csdev_lock while removing cscfg from csdev (bsc#1245679). - CVE-2025-38147: calipso: unlock rcu before returning -EAFNOSUPPORT (bsc#1245768). - CVE-2025-38158: hisi_acc_vfio_pci: fix XQE dma address error (bsc#1245750). - CVE-2025-38162: netfilter: nft_set_pipapo: prevent overflow in lookup table allocation (bsc#1245752). - CVE-2025-38166: bpf: fix ktls panic with sockmap (bsc#1245758). - CVE-2025-38180: net: atm: fix /proc/net/atm/lec handling (bsc#1245970). - CVE-2025-38182: ublk: santizize the arguments from userspace when adding a device (bsc#1245937). - CVE-2025-38183: net: lan743x: fix potential out-of-bounds write in lan743x_ptp_io_event_clock_get() (bsc#1246006). - CVE-2025-38187: drm/nouveau: fix a use-after-free in r535_gsp_rpc_push() (bsc#1245951). - CVE-2025-38188: drm/msm/a7xx: Call CP_RESET_CONTEXT_STATE (bsc#1246098). - CVE-2025-38200: i40e: fix MMIO write access to an invalid page in i40e_clear_hw (bsc#1246045). - CVE-2025-38202: bpf: Check rcu_read_lock_trace_held() in bpf_map_lookup_percpu_elem() (bsc#1245980). - CVE-2025-38203: jfs: Fix null-ptr-deref in jfs_ioc_trim (bsc#1246044). - CVE-2025-38204: jfs: fix array-index-out-of-bounds read in add_missing_indices (bsc#1245983). - CVE-2025-38206: exfat: fix double free in delayed_free (bsc#1246073). - CVE-2025-38210: configfs-tsm-report: Fix NULL dereference of tsm_ops (bsc#1246020). - CVE-2025-38212: ipc: fix to protect IPCS lookups using RCU (bsc#1246029). - CVE-2025-38220: ext4: only dirty folios when data journaling regular files (bsc#1245966). 
- CVE-2025-38222: ext4: inline: fix len overflow in ext4_prepare_inline_data (bsc#1245976). - CVE-2025-38236: af_unix: Disable MSG_OOB for unprivileged users (bsc#1246093). - CVE-2025-38239: scsi: megaraid_sas: Fix invalid node index (bsc#1246178). - CVE-2025-38244: smb: client: fix potential deadlock when reconnecting channels (bsc#1246183). - CVE-2025-38248: bridge: mcast: Fix use-after-free during router port configuration (bsc#1246173). - CVE-2025-38250: kABI workaround for bluetooth hci_dev changes (bsc#1246182). - CVE-2025-38256: io_uring/rsrc: fix folio unpinning (bsc#1246188). - CVE-2025-38264: llist: add interface to check if a node is on a list (bsc#1246387). - CVE-2025-38272: net: dsa: b53: do not enable EEE on bcm63xx (bsc#1246268). - CVE-2025-38279: kABI workaround for bpf: Do not include stack ptr register in precision backtracking bookkeeping (bsc#1246264). - CVE-2025-38283: hisi_acc_vfio_pci: bugfix live migration function without VF device driver (bsc#1246273). - CVE-2025-38303: Bluetooth: eir: Fix possible crashes on eir_create_adv_data (bsc#1246354). - CVE-2025-38310: seg6: Fix validation of nexthop addresses (bsc#1246361). - CVE-2025-38323: net: atm: add lec_mutex (bsc#1246473). - CVE-2025-38334: x86/sgx: Prevent attempts to reclaim poisoned pages (bsc#1246384). - CVE-2025-38335: Input: gpio-keys - fix a sleep while atomic with PREEMPT_RT (bsc#1246250). - CVE-2025-38337: jbd2: fix data-race and null-ptr-deref in jbd2_journal_dirty_metadata() (bsc#1246253). - CVE-2025-38349: eventpoll: do not decrement ep refcount while still holding the ep mutex (bsc#1246777). - CVE-2025-38350: net/sched: Always pass notifications when child class becomes empty (bsc#1246781). - CVE-2025-38352: posix-cpu-timers: fix race between handle_posix_cpu_timers() and posix_cpu_timer_del() (bsc#1246911). - CVE-2025-38364: maple_tree: fix MA_STATE_PREALLOC flag in mas_preallocate() (bsc#1247091). 
- CVE-2025-38365: btrfs: fix a race between renames and directory logging (bsc#1247023). - CVE-2025-38375: virtio-net: ensure the received length does not exceed allocated size (bsc#1247177). - CVE-2025-38382: btrfs: fix iteration of extrefs during log replay (bsc#1247031). - CVE-2025-38392: idpf: convert control queue mutex to a spinlock (bsc#1247169). - CVE-2025-38396: fs: export anon_inode_make_secure_inode() and fix secretmem LSM bypass (bsc#1247156). - CVE-2025-38399: scsi: target: Fix NULL pointer dereference in core_scsi3_decode_spec_i_port() (bsc#1247097). - CVE-2025-38403: vsock/vmci: Clear the vmci transport packet properly when initializing it (bsc#1247141). - CVE-2025-38414: wifi: ath12k: fix GCC_GCC_PCIE_HOT_RST definition for WCN7850 (bsc#1247145). - CVE-2025-38426: drm/amdgpu: Add basic validation for RAS header (bsc#1247252). - CVE-2025-38429: bus: mhi: ep: Update read pointer only after buffer is written (bsc#1247253). - CVE-2025-38453: kABI: io_uring: msg_ring ensure io_kiocb freeing is deferred (bsc#1247234). - CVE-2025-38455: KVM: SVM: Reject SEV{-ES} intra host migration if vCPU creation is in-flight (bsc#1247101). - CVE-2025-38457: net/sched: Abort __tc_modify_qdisc if parent class does not exist (bsc#1247098). - CVE-2025-38460: atm: clip: Fix potential null-ptr-deref in to_atmarpd() (bsc#1247143). - CVE-2025-38461: vsock: Fix transport_* TOCTOU (bsc#1247103). - CVE-2025-38462: vsock: Fix transport_{g2h,h2g} TOCTOU (bsc#1247104). - CVE-2025-38463: tcp: Correct signedness in skb remaining space calculation (bsc#1247113). - CVE-2025-38465: netlink: make sure we allow at least one dump skb (bsc#1247118). - CVE-2025-38470: kABI fix for net: vlan: fix VLAN 0 refcount imbalance of toggling (bsc#1247288). - CVE-2025-38471: tls: always refresh the queue when reading sock (bsc#1247450). - CVE-2025-38475: smc: Fix various oops due to inet_sock type confusion (bsc#1247308). 
- CVE-2025-38497: usb: gadget: configfs: Fix OOB read on empty string write (bsc#1247347). - CVE-2025-38498: do_change_type(): refuse to operate on unmounted/not ours mounts (bsc#1247374). The following non-security bugs were fixed: - accel/ivpu: Remove copy engine support (stable-fixes). - acpi: LPSS: Remove AudioDSP related ID (git-fixes). - acpi: PRM: Reduce unnecessary printing to avoid user confusion (bsc#1246122). - acpi: processor: perflib: Fix initial _PPC limit application (git-fixes). - acpica: Refuse to evaluate a method if arguments are missing (stable-fixes). - af_packet: fix the SO_SNDTIMEO constraint not effective on tpacked_snd() (git-fixes). - af_unix: Add a prompt to CONFIG_AF_UNIX_OOB (bsc#1246093). - alsa: hda/ca0132: Fix missing error handling in ca0132_alt_select_out() (git-fixes). - alsa: hda/realtek - Add mute LED support for HP Pavilion 15-eg0xxx (stable-fixes). - alsa: hda/realtek - Enable mute LED on HP Pavilion Laptop 15-eg100 (stable-fixes). - alsa: hda/realtek: Add quirk for ASUS ROG Strix G712LWS (stable-fixes). - alsa: hda/realtek: Fix mute LED mask on HP OMEN 16 laptop (git-fixes). - alsa: hda/tegra: Add Tegra264 support (stable-fixes). - alsa: hda: Add missing NVIDIA HDA codec IDs (stable-fixes). - alsa: hda: Add new pci id for AMD GPU display HD audio controller (stable-fixes). - alsa: hda: Ignore unsol events for cards being shut down (stable-fixes). - alsa: intel_hdmi: Fix off-by-one error in __hdmi_lpe_audio_probe() (git-fixes). - alsa: sb: Do not allow changing the DMA mode during operations (stable-fixes). - alsa: sb: Force to disable DMAs once when DMA mode is changed (stable-fixes). - alsa: scarlett2: Add retry on -EPROTO from scarlett2_usb_tx() (git-fixes). - amd/amdkfd: fix a kfd_process ref leak (stable-fixes). - aoe: clean device rq_list in aoedev_downdev() (git-fixes). - apple-mfi-fastcharge: protect first device name (git-fixes). - asoc: amd: yc: Add DMI quirk for Lenovo IdeaPad Slim 5 15 (stable-fixes). 
- asoc: amd: yc: Add quirk for MSI Bravo 17 D7VF internal mic (stable-fixes). - asoc: amd: yc: add quirk for Acer Nitro ANV15-41 internal mic (stable-fixes). - asoc: amd: yc: update quirk data for HP Victus (stable-fixes). - asoc: codec: wcd9335: Convert to GPIO descriptors (stable-fixes). - asoc: codecs: wcd9335: Fix missing free of regulator supplies (git-fixes). - asoc: codecs: wcd9335: Handle nicer probe deferral and simplify with dev_err_probe() (stable-fixes). - asoc: cs35l56: probe() should fail if the device ID is not recognized (git-fixes). - asoc: fsl_asrc: use internal measured ratio for non-ideal ratio mode (git-fixes). - asoc: fsl_sai: Force a software reset when starting in consumer mode (git-fixes). - asoc: fsl_xcvr: get channel status data when PHY is not exists (git-fixes). - asoc: mediatek: use reserved memory or enable buffer pre-allocation (git-fixes). - asoc: ops: dynamically allocate struct snd_ctl_elem_value (git-fixes). - asoc: soc-dai: tidyup return value of snd_soc_xlate_tdm_slot_mask() (git-fixes). - ata: pata_cs5536: fix build on 32-bit UML (stable-fixes). - audit,module: restore audit logging in load failure case (git-fixes). - bluetooth: Fix null-ptr-deref in l2cap_sock_resume_cb() (git-fixes). - bluetooth: HCI: Set extended advertising data synchronously (git-fixes). - bluetooth: L2CAP: Fix L2CAP MTU negotiation (stable-fixes). - bluetooth: L2CAP: Fix attempting to adjust outgoing MTU (git-fixes). - bluetooth: MGMT: Fix not generating command complete for MGMT_OP_DISCONNECT (git-fixes). - bluetooth: MGMT: mesh_send: check instances prior disabling advertising (git-fixes). - bluetooth: MGMT: set_mesh: update LE scan interval and window (git-fixes). - bluetooth: Prevent unintended pause by checking if advertising is active (git-fixes). - bluetooth: SMP: Fix using HCI_ERROR_REMOTE_USER_TERM on timeout (git-fixes). - bluetooth: SMP: If an unallowed command is received consider it a failure (git-fixes). 
- bluetooth: btintel: Check if controller is ISO capable on btintel_classify_pkt_type (git-fixes). - bluetooth: btusb: QCA: Fix downloading wrong NVM for WCN6855 GF variant without board ID (git-fixes). - bluetooth: hci_conn: Fix sending BT_HCI_CMD_LE_CREATE_CONN_CANCEL (git-fixes). - bluetooth: hci_core: add missing braces when using macro parameters (git-fixes). - bluetooth: hci_event: Fix not marking Broadcast Sink BIS as connected (git-fixes). - bluetooth: hci_event: Mask data status from LE ext adv reports (git-fixes). - bluetooth: hci_sync: Attempt to dequeue connection attempt (git-fixes). - bluetooth: hci_sync: Fix UAF on create_le_conn_complete (git-fixes). - bluetooth: hci_sync: Fix handling of HCI_OP_CREATE_CONN_CANCEL (git-fixes). - bluetooth: hci_sync: Fix not disabling advertising instance (git-fixes). - bluetooth: hci_sync: fix connectable extended advertising when using static random address (git-fixes). - bluetooth: hci_sync: revert some mesh modifications (git-fixes). - bnxt_en: Fix double invocation of bnxt_ulp_stop()/bnxt_ulp_start() (git-fixes). - bonding: Correctly support GSO ESP offload (git-fixes). - bpf, sockmap: Fix sk_msg_reset_curr (git-fixes). - bpf/lpm_trie: Inline longest_prefix_match for fastpath (git-fixes). - bpf/selftests: Check errno when percpu map value size exceeds (git-fixes). - bpf: Add a possibly-zero-sized read test (git-fixes). - bpf: Avoid __hidden__ attribute in static object (git-fixes). - bpf: Check percpu map value size first (git-fixes). - bpf: Disable some `attribute ignored' warnings in GCC (git-fixes). - bpf: Fix memory leak in bpf_core_apply (git-fixes). - bpf: Fix potential integer overflow in resolve_btfids (git-fixes). - bpf: Harden __bpf_kfunc tag against linker kfunc removal (git-fixes). - bpf: Make the pointer returned by iter next method valid (git-fixes). - bpf: Simplify checking size of helper accesses (git-fixes). - bpf: fix order of args in call to bpf_map_kvcalloc (git-fixes). 
- bpf: sockmap, updating the sg structure should also update curr (git-fixes). - bpftool: Fix missing pids during link show (git-fixes). - bpftool: Fix undefined behavior caused by shifting into the sign bit (git-fixes). - bpftool: Mount bpffs on provided dir instead of parent dir (git-fixes). - bpftool: Remove unnecessary source files from bootstrap version (git-fixes). - bpftool: Un-const bpf_func_info to fix it for llvm 17 and newer (git-fixes). - btrfs: do not ignore inode missing when replaying log tree (git-fixes). - btrfs: do not silently ignore unexpected extent type when replaying log (git-fixes). - btrfs: do not skip remaining extrefs if dir not found during log replay (git-fixes). - btrfs: explicitly ref count block_group on new_bgs list (bsc#1243068) - btrfs: fix assertion when building free space tree (git-fixes). - btrfs: fix inode lookup error handling during log replay (git-fixes). - btrfs: fix invalid inode pointer dereferences during log replay (git-fixes). - btrfs: fix log tree replay failure due to file with 0 links and extents (git-fixes). - btrfs: fix missing error handling when searching for inode refs during log replay (git-fixes). - btrfs: fix non-empty delayed iputs list on unmount due to async workers (git-fixes). - btrfs: fix ssd_spread overallocation (git-fixes). - btrfs: make btrfs_discard_workfn() block_group ref explicit (bsc#1243068) - btrfs: propagate last_unlink_trans earlier when doing a rmdir (git-fixes). - btrfs: rename err to ret in btrfs_rmdir() (git-fixes). - btrfs: return a btrfs_inode from btrfs_iget_logging() (git-fixes). - btrfs: return a btrfs_inode from read_one_inode() (git-fixes). - btrfs: tests: fix chunk map leak after failure to add it to the tree (git-fixes). - btrfs: update superblock's device bytes_used when dropping chunk (git-fixes). - btrfs: use NOFS context when getting inodes during logging and log replay (git-fixes). - btrfs: use btrfs_record_snapshot_destroy() during rmdir (git-fixes). 
- bus: fsl-mc: Fix potential double device reference in fsl_mc_get_endpoint() (git-fixes). - bus: mhi: host: Detect events pointing to unexpected TREs (git-fixes). - can: dev: can_restart(): move debug message and stats after successful restart (stable-fixes). - can: dev: can_restart(): reverse logic to remove need for goto (stable-fixes). - can: kvaser_pciefd: Store device channel index (git-fixes). - can: kvaser_usb: Assign netdev.dev_port based on device channel index (git-fixes). - can: m_can: m_can_handle_lost_msg(): downgrade msg lost in rx message to debug level (git-fixes). - can: netlink: can_changelink(): fix NULL pointer deref of struct can_priv::do_set_mode (git-fixes). - can: peak_usb: fix USB FD devices potential malfunction (git-fixes). - cdc-acm: fix race between initial clearing halt and open (git-fixes). - cgroup,freezer: fix incomplete freezing when attaching tasks (bsc#1245789). - cgroup/cpuset: Extend kthread_is_per_cpu() check to all PF_NO_SETAFFINITY tasks (bsc#1241166). - cifs: reconnect helper should set reconnect for the right channel (git-fixes). - clk: clk-axi-clkgen: fix fpfd_max frequency for zynq (git-fixes). - clk: davinci: Add NULL check in davinci_lpsc_clk_register() (git-fixes). - clk: sunxi-ng: v3s: Fix de clock definition (git-fixes). - clk: xilinx: vcu: unregister pll_post only if registered correctly (git-fixes). - clocksource: Scale the watchdog read retries automatically (bsc#1241345 bsc#1244457). - clocksource: Set cs_watchdog_read() checks based on .uncertainty_margin (bsc#1241345 bsc#1244457). - comedi: Fail COMEDI_INSNLIST ioctl if n_insns is too large (git-fixes). - comedi: Fix initialization of data for instructions that write to subdevice (git-fixes). - comedi: Fix some signed shift left operations (git-fixes). - comedi: Fix use of uninitialized data in insn_rw_emulate_bits() (git-fixes). - comedi: aio_iiro_16: Fix bit shift out of bounds (git-fixes). - comedi: das16m1: Fix bit shift out of bounds (git-fixes). 
- comedi: das6402: Fix bit shift out of bounds (git-fixes). - comedi: pcl812: Fix bit shift out of bounds (git-fixes). - compiler_types.h: Define __retain for __attribute__((__retain__)) (git-fixes). - crypto: arm/aes-neonbs - work around gcc-15 warning (git-fixes). - crypto: ccp - Fix crash when rebind ccp device for ccp.ko (git-fixes). - crypto: ccp - Fix locking on alloc failure handling (git-fixes). - crypto: hkdf - skip TVs with unapproved salt lengths in FIPS mode (bsc#1241200 bsc#1246134). - crypto: img-hash - Fix dma_unmap_sg() nents value (git-fixes). - crypto: inside-secure - Fix `dma_unmap_sg()` nents value (git-fixes). - crypto: keembay - Fix dma_unmap_sg() nents value (git-fixes). - crypto: marvell/cesa - Fix engine load inaccuracy (git-fixes). - crypto: qat - allow enabling VFs in the absence of IOMMU (git-fixes). - crypto: qat - disable ZUC-256 capability for QAT GEN5 (git-fixes). - crypto: qat - fix DMA direction for compression on GEN2 devices (git-fixes). - crypto: qat - fix seq_file position update in adf_ring_next() (git-fixes). - crypto: qat - fix state restore for banks with exceptions (git-fixes). - crypto: qat - flush misc workqueue during device shutdown (git-fixes). - crypto: qat - use unmanaged allocation for dc_data (git-fixes). - crypto: sun8i-ce - fix nents passed to dma_unmap_sg() (git-fixes). - dax: add a sysfs knob to control memmap_on_memory behavior (bsc#1235515,jsc#PED-12731). - devlink: Add support for u64 parameters (jsc#PED-12745). - devlink: avoid param type value translations (jsc#PED-12745). - devlink: define enum for attr types of dynamic attributes (jsc#PED-12745). - devlink: introduce devlink_nl_put_u64() (jsc#PED-12745).
- dm-bufio: fix sched in atomic context (git-fixes). - dm-flakey: error all IOs when num_features is absent (git-fixes). - dm-flakey: make corrupting read bios work (git-fixes). - dm-mirror: fix a tiny race condition (git-fixes). - dm-raid: fix variable in journal device check (git-fixes). - dm-verity: fix a memory leak if some arguments are specified multiple times (git-fixes). - dm: do not change md if dm_table_set_restrictions() fails (git-fixes). - dm: free table mempools if not used in __bind (git-fixes). - dm: restrict dm device size to 2^63-512 bytes (git-fixes). - dma-buf: fix timeout handling in dma_resv_wait_timeout v2 (stable-fixes). - dmaengine: dw-edma: Drop unused dchan2dev() and chan2dev() (git-fixes). - dmaengine: idxd: Check availability of workqueue allocated by idxd wq driver before using (stable-fixes). - dmaengine: mv_xor: Fix missing check after DMA map and missing unmap (git-fixes). - dmaengine: nbpfaxi: Add missing check after DMA map (git-fixes). - dmaengine: nbpfaxi: Fix memory corruption in probe() (git-fixes). - dmaengine: qcom: gpi: Drop unused gpi_write_reg_field() (git-fixes). - dmaengine: xilinx_dma: Set dma_device directions (stable-fixes). - docs/ABI: Fix sysfs-kernel-address_bits path (git-fixes). - documentation/ABI: add ABI documentation for sys-bus-dax (bsc#1235515,jsc#PED-12731). - documentation: ACPI: Fix parent device references (git-fixes). - documentation: usb: gadget: Wrap remaining usage snippets in literal code block (git-fixes). - dpll: Add basic Microchip ZL3073x support (jsc#PED-12745). - dpll: zl3073x: Add support to get/set frequency on pins (jsc#PED-12745). - dpll: zl3073x: Add support to get/set priority on input pins (jsc#PED-12745).
- dpll: zl3073x: Fetch invariants during probe (jsc#PED-12745). - dpll: zl3073x: Implement input pin selection in manual mode (jsc#PED-12745). - dpll: zl3073x: Implement input pin state setting in automatic mode (jsc#PED-12745). - dpll: zl3073x: Read DPLL types and pin properties from system firmware (jsc#PED-12745). - dpll: zl3073x: Register DPLL devices and pins (jsc#PED-12745). - drm/amd/display: Check dce_hwseq before dereferencing it (stable-fixes). - drm/amd/display: Correct non-OLED pre_T11_delay (stable-fixes). - drm/amd/display: Disable CRTC degamma LUT for DCN401 (stable-fixes). - drm/amd/display: Do not overwrite dce60_clk_mgr (git-fixes). - drm/amd/display: Fix RMCM programming seq errors (stable-fixes). - drm/amd/display: Fix mpv playback corruption on weston (stable-fixes). - drm/amd/display: Free memory allocation (stable-fixes). - drm/amd/display: fix initial backlight brightness calculation (git-fixes). - drm/amd/pm/powerplay/hwmgr/smu_helper: fix order of mask and value (git-fixes). - drm/amdgpu/discovery: use specific ip_discovery.bin for legacy asics (stable-fixes). - drm/amdgpu/gfx10: fix kiq locking in KCQ reset (git-fixes). - drm/amdgpu/gfx8: reset compute ring wptr on the GPU on resume (git-fixes). - drm/amdgpu/gfx9.4.3: fix kiq locking in KCQ reset (git-fixes). - drm/amdgpu/gfx9: fix kiq locking in KCQ reset (git-fixes). - drm/amdgpu/ip_discovery: add missing ip_discovery fw (stable-fixes). - drm/amdgpu: Add kicker device detection (stable-fixes).
- drm/amdgpu: Fix SDMA UTC_L1 handling during start/stop sequences (stable-fixes). - drm/amdgpu: Increase reset counter only on success (stable-fixes). - drm/amdgpu: Initialize data to NULL in imu_v12_0_program_rlc_ram() (git-fixes). - drm/amdgpu: Remove nbiov7.9 replay count reporting (git-fixes). - drm/amdgpu: Reset the clear flag in buddy during resume (git-fixes). - drm/amdgpu: amdgpu_vram_mgr_new(): Clamp lpfn to total vram (stable-fixes). - drm/amdgpu: seq64 memory unmap uses uninterruptible lock (stable-fixes). - drm/amdkfd: Do not call mmput from MMU notifier callback (git-fixes). - drm/amdkfd: Fix instruction hazard in gfx12 trap handler (stable-fixes). - drm/amdkfd: Fix race in GWS queue scheduling (stable-fixes). - drm/amdkfd: remove gfx 12 trap handler page size cap (stable-fixes). - drm/bridge: aux-hpd-bridge: fix assignment of the of_node (git-fixes). - drm/bridge: panel: move prepare_prev_first handling to drm_panel_bridge_add_typed (git-fixes). - drm/bridge: ti-sn65dsi86: Add HPD for DisplayPort connector type (git-fixes). - drm/bridge: ti-sn65dsi86: Remove extra semicolon in ti_sn_bridge_probe() (git-fixes). - drm/bridge: ti-sn65dsi86: make use of debugfs_init callback (stable-fixes). - drm/connector: hdmi: Evaluate limited range after computing format (git-fixes). - drm/exynos: exynos7_drm_decon: add vblank check in IRQ handling (git-fixes). - drm/exynos: fimd: Guard display clock control with runtime PM calls (git-fixes). - drm/framebuffer: Acquire internal references on GEM handles (git-fixes). - drm/gem: Acquire references on GEM handles for framebuffers (stable-fixes). - drm/gem: Fix race in drm_gem_handle_create_tail() (stable-fixes). - drm/i915/display: Fix dma_fence_wait_timeout() return value handling (git-fixes). - drm/i915/dsi: Fix off by one in BXT_MIPI_TRANS_VTOTAL (stable-fixes). - drm/i915/gsc: mei interrupt top half should be in irq disabled context (git-fixes). - drm/i915/gt: Fix timeline left held on VMA alloc error (git-fixes). 
- drm/i915/selftests: Change mock_request() to return error pointers (git-fixes). - drm/imagination: Fix kernel crash when hard resetting the GPU (git-fixes). - drm/mediatek: Add wait_event_timeout when disabling plane (git-fixes). - drm/mediatek: only announce AFBC if really supported (git-fixes). - drm/msm/dpu: Fill in min_prefill_lines for SC8180X (git-fixes). - drm/msm: Fix a fence leak in submit error path (stable-fixes). - drm/msm: Fix another leak in the submit error path (stable-fixes). - drm/nouveau: check ioctl command codes better (git-fixes). - drm/panfrost: Fix panfrost device variable name in devfreq (git-fixes). - drm/panthor: Add missing explicit padding in drm_panthor_gpu_info (git-fixes). - drm/rockchip: cleanup fb when drm_gem_fb_afbc_init failed (git-fixes). - drm/sched: Increment job count before swapping tail spsc queue (git-fixes). - drm/sched: Remove optimization that causes hang when killing dependent jobs (git-fixes). - drm/scheduler: signal scheduled fence when kill job (stable-fixes). - drm/tegra: nvdec: Fix dma_alloc_coherent error check (git-fixes). - drm/ttm: fix error handling in ttm_buffer_object_transfer (git-fixes). - drm/v3d: Disable interrupts before resetting the GPU (git-fixes). - drm/vmwgfx: Fix Host-Backed userspace on Guest-Backed kernel (git-fixes). - drm/xe/bmg: fix compressed VRAM handling (git-fixes). - drm/xe/guc: Dead CT helper (stable-fixes). - drm/xe/guc: Explicitly exit CT safe mode on unwind (git-fixes). - drm/xe/guc_submit: add back fix (git-fixes). - drm/xe/mocs: Initialize MOCS index early (stable-fixes). - drm/xe/pf: Clear all LMTT pages on alloc (git-fixes). - drm/xe/pf: Move VFs reprovisioning to worker (stable-fixes). - drm/xe/pf: Prepare to stop SR-IOV support prior GT reset (git-fixes). - drm/xe/pf: Sanitize VF scratch registers on FLR (stable-fixes). - drm/xe/pm: Correct comment of xe_pm_set_vram_threshold() (git-fixes). - drm/xe/uapi: Correct sync type definition in comments (git-fixes). 
- drm/xe/vf: Disable CSC support on VF (git-fixes). - drm/xe: Allocate PF queue size on pow2 boundary (git-fixes). - drm/xe: Allow bo mapping on multiple ggtts (stable-fixes). - drm/xe: Fix DSB buffer coherency (stable-fixes). - drm/xe: Fix build without debugfs (git-fixes). - drm/xe: Fix early wedge on GuC load failure (git-fixes). - drm/xe: Fix taking invalid lock on wedge (stable-fixes). - drm/xe: Move DSB l2 flush to a more sensible place (git-fixes). - drm/xe: Replace double space with single space after comma (stable-fixes). - drm/xe: add interface to request physical alignment for buffer objects (stable-fixes). - drm/xe: move DPT l2 flush to a more sensible place (git-fixes). - dt-bindings: dpll: Add DPLL device and pin (jsc#PED-12745). - dt-bindings: dpll: Add support for Microchip Azurite chip family (jsc#PED-12745). - e1000: Move cancel_work_sync to avoid deadlock (git-fixes). - enable SMC_LO (a.k.a SMC-D) (jsc#PED-13248). - exfat: fdatasync flag should be same like generic_write_sync() (git-fixes). - fbcon: Fix outdated registered_fb reference in comment (git-fixes). - fbdev: imxfb: Check fb_add_videomode to prevent null-ptr-deref (git-fixes). - firewire: ohci: correct code comments about bus_reset tasklet (git-fixes). - fix dma_unmap_sg() nents value (git-fixes) - fs/jfs: consolidate sanity checking in dbMount (git-fixes). - fs/orangefs: Allow 2 more characters in do_c_string() (git-fixes). - gpio: mlxbf2: use platform_get_irq_optional() (git-fixes). - gpio: pca953x: log an error when failing to get the reset GPIO (git-fixes). - gpio: sim: include a missing header (git-fixes). - gpio: vf610: add locking to gpio direction functions (git-fixes). - gpio: virtio: Fix config space reading (git-fixes). - gpiolib: Fix debug messaging in gpiod_find_and_request() (git-fixes).
- gpiolib: Handle no pin_ranges in gpiochip_generic_config() (git-fixes). - gpiolib: acpi: Do not use GPIO chip fwnode in acpi_gpiochip_find() (bsc#1233300). - gpiolib: acpi: Fix failed in acpi_gpiochip_find() by adding parent node match (bsc#1233300). - gpiolib: cdev: Ignore reconfiguration without direction (git-fixes). - gpiolib: of: Add polarity quirk for s5m8767 (stable-fixes). - hfs: make splice write available again (git-fixes). - hfsplus: make splice write available again (git-fixes). - hfsplus: remove mutex_lock check in hfsplus_free_extents (git-fixes). - hid: Add IGNORE quirk for SMARTLINKTECHNOLOGY (stable-fixes). - hid: core: do not bypass hid_hw_raw_request (stable-fixes). - hid: core: ensure __hid_request reserves the report ID as the first byte (git-fixes). - hid: core: ensure the allocated report buffer can contain the reserved report ID (stable-fixes). - hid: lenovo: Add support for ThinkPad X1 Tablet Thin Keyboard Gen2 (stable-fixes). - hid: quirks: Add quirk for 2 Chicony Electronics HP 5MP Cameras (stable-fixes). - hv_netvsc: Use VF's tso_max_size value when data path is VF (bsc#1246203). - hwmon: (corsair-cpro) Validate the size of the received input buffer (git-fixes). - hwmon: (gsc-hwmon) fix fan pwm setpoint show functions (git-fixes). - hwmon: (pmbus/max34440) Fix support for max34451 (stable-fixes). - hwrng: mtk - handle devm_pm_runtime_enable errors (git-fixes). - i2c/designware: Fix an initialization issue (git-fixes). - i2c: qup: jump out of the loop in case of timeout (git-fixes). - i2c: stm32: fix the device used for the DMA map (git-fixes). - i2c: tegra: Fix reset error handling with ACPI (git-fixes). - i2c: virtio: Avoid hang by using interruptible completion wait (git-fixes). - i3c: fix module_i3c_i2c_driver() with I3C=n (git-fixes). - ib/mlx5: Fix potential deadlock in MR deregistration (git-fixes) - ice, irdma: fix an off by one in error handling code (bsc#1247712). - ice, irdma: move interrupts code to irdma (bsc#1247712). 
- ice: Fix signedness bug in ice_init_interrupt_scheme() (bsc#1247712). - ice: count combined queues using Rx/Tx count (bsc#1247712). - ice: devlink PF MSI-X max and min parameter (bsc#1247712). - ice: enable_rdma devlink param (bsc#1247712). - ice: fix eswitch code memory leak in reset scenario (git-fixes). - ice: get rid of num_lan_msix field (bsc#1247712). - ice: init flow director before RDMA (bsc#1247712). - ice: remove splitting MSI-X between features (bsc#1247712). - ice: simplify VF MSI-X managing (bsc#1247712). - ice: treat dyn_allowed only as suggestion (bsc#1247712). - iio: accel: fxls8962af: Fix use after free in fxls8962af_fifo_flush (git-fixes). - iio: adc: ad7949: use spi_is_bpw_supported() (git-fixes). - iio: adc: ad_sigma_delta: Fix use of uninitialized status_pos (stable-fixes). - iio: adc: ad_sigma_delta: change to buffer predisable (git-fixes). - iio: adc: max1363: Fix MAX1363_4X_CHANS/MAX1363_8X_CHANS[] (stable-fixes). - iio: adc: max1363: Reorder mode_list[] entries (stable-fixes). - iio: adc: stm32-adc: Fix race in installing chained IRQ handler (git-fixes). - iio: imu: bno055: fix OOB access of hw_xlate array (git-fixes). - iio: pressure: zpa2326: Use aligned_s64 for the timestamp (stable-fixes). - input: iqs7222 - explicitly define number of external channels (git-fixes). - input: xpad - adjust error handling for disconnect (git-fixes). - input: xpad - set correct controller type for Acer NGR200 (git-fixes). - input: xpad - support Acer NGR 200 Controller (stable-fixes). - io_uring/timeout: fix multishot updates (bsc#1247021). - io_uring: fix potential page leak in io_sqe_buffer_register() (git-fixes). - iommu/amd: Fix geometry.aperture_end for V2 tables (git-fixes). - iommu/amd: Set the pgsize_bitmap correctly (git-fixes). - iommu/arm-smmu-qcom: Add SM6115 MDSS compatible (git-fixes). - iommu/tegra241-cmdqv: Read SMMU IDR1.CMDQS instead of hardcoding (git-fixes). - iommu/vt-d: Fix possible circular locking dependency (git-fixes). 
- iommu/vt-d: Fix system hang on reboot -f (git-fixes). - ipv6: fix possible infinite loop in fib6_info_uses_dev() (git-fixes). - ipv6: mcast: Delay put pmc->idev in mld_del_delrec() (git-fixes). - ipv6: prevent infinite loop in rt6_nlmsg_size() (git-fixes). - ipv6: reject malicious packets in ipv6_gso_segment() (git-fixes). - irdma: free iwdev->rf after removing MSI-X (bsc#1247712). - iwlwifi: Add missing check for alloc_ordered_workqueue (git-fixes). - jfs: fix metapage reference count leak in dbAllocCtl (git-fixes). - kABI fix after KVM: SVM: Fix SNP AP destroy race with VMRUN (git-fixes). - kABI fixes for struct memory_block changes (bsc#1235515,jsc#PED-12731). - kABI workaround for fw_attributes_class_get() (stable-fixes). - kABI workaround for struct drm_framebuffer changes (git-fixes). - kABI: Fix the module::name type in audit_context (git-fixes). - kabi/severities: ignore two unused/dropped symbols from MEI - kabi: Hide adding of u64 to devlink_param_type (jsc#PED-12745). - kasan: remove kasan_find_vm_area() to prevent possible deadlock (git-fixes). - kernel-obs-qa: Do not depend on srchash when qemu emulation is used In this case the dependency is never fulfilled Fixes: 485ae1da2b88 ('kernel-obs-qa: Use srchash for dependency as well') - kernel-syms.spec: Drop old rpm release number hack (bsc#1247172). - kvm: SVM: Fix SNP AP destroy race with VMRUN (git-fixes). - leds: multicolor: Fix intensity setting while SW blinking (stable-fixes). - lib/group_cpus.c: avoid acquiring cpu hotplug lock in group_cpus_evenly (bsc#1236897). - lib/group_cpus: fix NULL pointer dereference from group_cpus_evenly() (bsc#1236897). - logitech C-270 even more broken (stable-fixes). - maple_tree: fix mt_destroy_walk() on root leaf node (git-fixes). - md/md-bitmap: fix dm-raid max_write_behind setting (git-fixes).
- media: gspca: Add bounds checking to firmware parser (git-fixes). - media: hi556: correct the test pattern configuration (git-fixes). - media: imx: fix a potential memory leak in imx_media_csc_scaler_device_init() (git-fixes). - media: ipu6: isys: Use correct pads for xlate_streams() (git-fixes). - media: ivsc: Fix crash at shutdown due to missing mei_cldev_disable() calls (git-fixes). - media: ov2659: Fix memory leaks in ov2659_probe() (git-fixes). - media: rainshadow-cec: fix TOCTOU race condition in rain_interrupt() (git-fixes). - media: usbtv: Lock resolution while streaming (git-fixes). - media: uvcvideo: Do not mark valid metadata as invalid (git-fixes). - media: uvcvideo: Fix 1-byte out-of-bounds read in uvc_parse_format() (git-fixes). - media: v4l2-ctrls: Do not reset handler's error in v4l2_ctrl_handler_free() (git-fixes). - media: v4l2-ctrls: Fix H264 SEPARATE_COLOUR_PLANE check (git-fixes). - media: venus: Add a check for packet size after reading from shared memory (git-fixes). - media: venus: hfi: explicitly release IRQ during teardown (git-fixes). - media: venus: protect against spurious interrupts during probe (git-fixes). - media: venus: vdec: Clamp param smaller than 1fps and bigger than 240 (git-fixes). - media: venus: venc: Clamp param smaller than 1fps and bigger than 240 (git-fixes). - media: verisilicon: Fix AV1 decoder clock frequency (git-fixes). - media: vivid: fix wrong pixel_array control size (git-fixes). - mei: vsc: Destroy mutex after freeing the IRQ (git-fixes). - mei: vsc: Do not re-init VSC from mei_vsc_hw_reset() on stop (git-fixes). - mei: vsc: Drop unused vsc_tp_request_irq() and vsc_tp_free_irq() (stable-fixes). - mei: vsc: Event notifier fixes (git-fixes). - mei: vsc: Fix 'BUG: Invalid wait context' lockdep error (git-fixes). - mei: vsc: Run event callback from a workqueue (git-fixes). - mei: vsc: Unset the event callback on remove and probe errors (git-fixes). 
- memstick: core: Zero initialize id_reg in h_memstick_read_dev_id() (git-fixes). - mfd: max14577: Fix wakeup source leaks on device unbind (stable-fixes). - misc: rtsx: usb: Ensure mmc child device is active when card is present (git-fixes). - mm/memory_hotplug: allow architecture to override memmap on memory support check (bsc#1235515,jsc#PED-12731). - mm/memory_hotplug: allow memmap on memory hotplug request to fallback (bsc#1235515,jsc#PED-12731). - mm/memory_hotplug: embed vmem_altmap details in memory block (bsc#1235515,jsc#PED-12731). - mm/memory_hotplug: export mhp_supports_memmap_on_memory() (bsc#1235515,jsc#PED-12731). - mm/memory_hotplug: fix memmap_on_memory sysfs value retrieval (git-fixes). - mm/memory_hotplug: replace an open-coded kmemdup() in (bsc#1235515,jsc#PED-12731). - mm/memory_hotplug: simplify ARCH_MHP_MEMMAP_ON_MEMORY_ENABLE kconfig (bsc#1235515,jsc#PED-12731). - mm/memory_hotplug: split memmap_on_memory requests across memblocks (bsc#1235515,jsc#PED-12731). - mm/memory_hotplug: support memmap_on_memory when memmap is not aligned to pageblocks (bsc#1235515,jsc#PED-12731). - mmc: bcm2835: Fix dma_unmap_sg() nents value (git-fixes).
- mmc: core: sd: Apply BROKEN_SD_DISCARD quirk earlier (git-fixes). - mmc: sdhci-pci: Quirk for broken command queuing on Intel GLK-based Positivo models (git-fixes). - mmc: sdhci: Add a helper function for dump register in dynamic debug mode (stable-fixes). - mmc: sdhci_am654: Workaround for Errata i2312 (git-fixes). - module: Fix memory deallocation on error path in move_module() (git-fixes). - module: Remove unnecessary +1 from last_unloaded_module::name size (git-fixes). - module: Restore the moduleparam prefix length check (git-fixes). - mtd: fix possible integer overflow in erase_xfer() (git-fixes). - mtd: rawnand: atmel: Fix dma_mapping_error() address (git-fixes). - mtd: rawnand: atmel: set pmecc data setup time (git-fixes). - mtd: rawnand: fsmc: Add missing check after DMA map (git-fixes). - mtd: rawnand: renesas: Add missing check after DMA map (git-fixes). - mtd: rawnand: rockchip: Add missing check after DMA map (git-fixes). - mtd: spi-nor: Fix spi_nor_try_unlock_all() (git-fixes). - mtd: spinand: fix memory leak of ECC engine conf (stable-fixes). - mtd: spinand: propagate spinand_wait() errors from spinand_write_page() (git-fixes). - mtk-sd: Fix a pagefault in dma_unmap_sg() for not prepared data (git-fixes). - mtk-sd: Prevent memory corruption from DMA map failure (git-fixes). - mtk-sd: reset host->mrq on prepare_data() error (git-fixes). - mwl8k: Add missing check after DMA map (git-fixes). - nbd: fix uaf in nbd_genl_connect() error path (git-fixes). - net/mlx5: HWS, fix missing ip_version handling in definer (git-fixes). - net/packet: fix a race in packet_set_ring() and packet_notifier() (git-fixes). - net/sched: Restrict conditions for adding duplicating netems to qdisc tree (git-fixes). - net/sched: Return NULL when htb_lookup_leaf encounters an empty rbtree (git-fixes). - net/sched: mqprio: fix stack out-of-bounds write in tc entry parsing (git-fixes). 
- net/sched: sch_qfq: Avoid triggering might_sleep in atomic context in qfq_delete_class (git-fixes). - net/sched: sch_qfq: Fix race condition on qfq_aggregate (git-fixes). - net/sched: taprio: enforce minimum value for picos_per_byte (git-fixes). - net/smc: Fix lookup of netdev by using ib_device_get_netdev() (git-fixes bsc#1246217). - net: mana: Add debug logs in MANA network driver (bsc#1246212). - net: mana: Add handler for hardware servicing events (bsc#1245730). - net: mana: Allocate MSI-X vectors dynamically (bsc#1245457). - net: mana: Allow irq_setup() to skip cpus for affinity (bsc#1245457). - net: mana: Allow tso_max_size to go up-to GSO_MAX_SIZE (bsc#1246203). - net: mana: Expose additional hardware counters for drop and TC via ethtool (bsc#1245729). - net: mana: Set tx_packets to post gso processing packet count (bsc#1245731). - net: mana: explain irq_setup() algorithm (bsc#1245457). - net: phy: Do not register LEDs for genphy (git-fixes). - net: phy: micrel: fix KSZ8081/KSZ8091 cable test (git-fixes). - net: phy: microchip: limit 100M workaround to link-down events on LAN88xx (git-fixes). - net: phy: smsc: Fix Auto-MDIX configuration when disabled by strap (git-fixes). - net: phy: smsc: Fix link failure in forced mode with Auto-MDIX (git-fixes). - net: usb: lan78xx: fix WARN in __netif_napi_del_locked on disconnect (git-fixes). - net: usb: qmi_wwan: add SIMCom 8230C composition (stable-fixes). - net: usbnet: Avoid potential RCU stall on LINK_CHANGE event (git-fixes). - net: usbnet: Fix the wrong netif_carrier_on() call (git-fixes). - netlink: fix policy dump for int with validation callback (jsc#PED-12745). - netlink: specs: devlink: replace underscores with dashes in names (jsc#PED-12745). - netlink: specs: nfsd: replace underscores with dashes in names (git-fixes).
- netlink: specs: tc: replace underscores with dashes in names (git-fixes). - netpoll: prevent hanging NAPI when netcons gets enabled (git-fixes). - nfs: Clean up /proc/net/rpc/nfs when nfs_fs_proc_net_init() fails (git-fixes). - nfs: Fix filehandle bounds checking in nfs_fh_to_dentry() (git-fixes). - nfs: Fix the setting of capabilities when automounting a new filesystem (git-fixes). - nfs: Fix wakeup of __nfs_lookup_revalidate() in unblock_revalidate() (git-fixes). - nfs: Fixup allocation flags for nfsiod's __GFP_NORETRY (git-fixes). - nfsd: detect mismatch of file handle and delegation stateid in OPEN op (git-fixes). - nfsd: handle get_client_locked() failure in nfsd4_setclientid_confirm() (git-fixes). - nfsv4.2: another fix for listxattr (git-fixes). - nfsv4.2: fix listxattr to return selinux security label (git-fixes). - nfsv4/pNFS: Fix a race to wake on NFS_LAYOUT_DRAIN (git-fixes). - nfsv4: Always set NLINK even if the server does not support it (git-fixes). - nfsv4: xattr handlers should check for absent nfs filehandles (git-fixes). - nilfs2: reject invalid file types when reading inodes (git-fixes). - nvme-pci: refresh visible attrs after being checked (git-fixes). - nvme: Fix incorrect cdw15 value in passthru error logging (git-fixes). - nvme: fix endianness of command word prints in nvme_log_err_passthru() (git-fixes). - nvme: fix inconsistent RCU list manipulation in nvme_ns_add_to_ctrl_list() (git-fixes). - nvme: fix misaccounting of nvme-mpath inflight I/O (git-fixes). - nvmet-tcp: fix callback lock for TLS handshake (git-fixes). - objtool: Fix INSN_CONTEXT_SWITCH handling in validate_unret() (git-fixes). - objtool: Fix UNWIND_HINT_{SAVE,RESTORE} across basic blocks (git-fixes). - objtool: Fix _THIS_IP_ detection for cold functions (git-fixes). - objtool: Fix error handling inconsistencies in check() (git-fixes). - objtool: Ignore dangling jump table entries (git-fixes). - objtool: Ignore end-of-section jumps for KCOV/GCOV (git-fixes). 
- objtool: Properly disable uaccess validation (git-fixes). - objtool: Silence more KCOV warnings (git-fixes). - objtool: Silence more KCOV warnings, part 2 (git-fixes). - objtool: Stop UNRET validation on UD2 (git-fixes). - pNFS/flexfiles: do not attempt pnfs on fatal DS errors (git-fixes). - pch_uart: Fix dma_sync_sg_for_device() nents value (git-fixes). - pci/msi: Export pci_msix_prepare_desc() for dynamic MSI-X allocations (bsc#1245457). - pci: dwc: Make link training more robust by setting PORT_LOGIC_LINK_WIDTH to one lane (stable-fixes). - pci: endpoint: Fix configfs group list head handling (git-fixes). - pci: endpoint: Fix configfs group removal on driver teardown (git-fixes). - pci: endpoint: pci-epf-vntb: Fix the incorrect usage of __iomem attribute (git-fixes). - pci: endpoint: pci-epf-vntb: Return -ENOENT if pci_epc_get_next_free_bar() fails (git-fixes). - pci: hv: Allow dynamic MSI-X vector allocation (bsc#1245457). - pci: rockchip-host: Fix 'Unexpected Completion' log message (git-fixes). - perf: Fix sample vs do_exit() (bsc#1246547). - phy: tegra: xusb: Fix unbalanced regulator disable in UTMI PHY mode (git-fixes). - pinctrl: amd: Clear GPIO debounce for suspend (git-fixes). - pinctrl: qcom: msm: mark certain pins as invalid for interrupts (git-fixes). - pinctrl: sunxi: Fix memory leak on krealloc failure (git-fixes). - pinmux: fix race causing mux_owner NULL with active mux_usecount (git-fixes). - platform/chrome: cros_ec: Unregister notifier in cros_ec_unregister() (git-fixes). - platform/mellanox: mlxbf-pmc: Fix duplicate event ID for CACHE_DATA1 (git-fixes). - platform/mellanox: mlxbf-tmfifo: fix vring_desc.len assignment (git-fixes). - platform/mellanox: mlxreg-lc: Fix logic error in power state check (git-fixes). - platform/mellanox: nvsw-sn2201: Fix bus number in adapter error message (git-fixes). - platform/x86/amd/pmc: Add PCSpecialist Lafite Pro V 14M to 8042 quirks list (stable-fixes). 
- platform/x86: Fix initialization order for firmware_attributes_class (git-fixes). - platform/x86: dell-sysman: Directly use firmware_attributes_class (stable-fixes). - platform/x86: dell-wmi-sysman: Fix WMI data block retrieval in sysfs callbacks (git-fixes). - platform/x86: dell-wmi-sysman: Fix class device unregistration (git-fixes). - platform/x86: firmware_attributes_class: Move include linux/device/class.h (stable-fixes). - platform/x86: firmware_attributes_class: Simplify API (stable-fixes). - platform/x86: hp-bioscfg: Directly use firmware_attributes_class (stable-fixes). - platform/x86: hp-bioscfg: Fix class device unregistration (git-fixes). - platform/x86: ideapad-laptop: Fix kbd backlight not remembered among boots (git-fixes). - platform/x86: make fw_attr_class constant (stable-fixes). - platform/x86: think-lmi: Create ksets consecutively (stable-fixes). - platform/x86: think-lmi: Directly use firmware_attributes_class (stable-fixes). - platform/x86: think-lmi: Fix class device unregistration (git-fixes). - platform/x86: think-lmi: Fix kobject cleanup (git-fixes). - platform/x86: think-lmi: Fix sysfs group cleanup (git-fixes). - pm / devfreq: Check governor before using governor->name (git-fixes). - power: supply: cpcap-charger: Fix null check for power_supply_get_by_name (git-fixes). - power: supply: max14577: Handle NULL pdata when CONFIG_OF is not set (git-fixes). - powercap: call put_device() on an error path in powercap_register_control_type() (stable-fixes). - powercap: dtpm_cpu: Fix NULL pointer dereference in get_pd_power_uw() (git-fixes). - powercap: intel_rapl: Do not change CLAMPING bit if ENABLE bit cannot be changed (git-fixes). - powerpc/bpf: enforce full ordering for ATOMIC operations with BPF_FETCH (git-fixes). - powerpc/pseries/dlpar: Search DRC index from ibm,drc-indexes for IO add (bsc#1243042 ltc#212167). - ptp: fix breakage after ptp_vclock_in_use() rework (bsc#1246506). - pwm: imx-tpm: Reset counter if CMOD is 0 (git-fixes). 
- pwm: mediatek: Ensure to disable clocks in error path (git-fixes). - pwm: rockchip: Round period/duty down on apply, up on get (git-fixes). - rdma/core: Rate limit GID cache warning messages (git-fixes) - rdma/counter: Check CAP_NET_RAW check in user namespace for RDMA counters (git-fixes) - rdma/hns: Drop GFP_NOWARN (git-fixes) - rdma/hns: Fix -Wframe-larger-than issue (git-fixes) - rdma/hns: Fix HW configurations not cleared in error flow (git-fixes) - rdma/hns: Fix accessing uninitialized resources (git-fixes) - rdma/hns: Fix double destruction of rsv_qp (git-fixes) - rdma/hns: Get message length of ack_req from FW (git-fixes) - rdma/mlx5: Check CAP_NET_RAW in user namespace for anchor create (git-fixes) - rdma/mlx5: Check CAP_NET_RAW in user namespace for devx create (git-fixes) - rdma/mlx5: Check CAP_NET_RAW in user namespace for flow create (git-fixes) - rdma/mlx5: Fix CC counters query for MPV (git-fixes) - rdma/mlx5: Fix HW counters query for non-representor devices (git-fixes) - rdma/mlx5: Fix UMR modifying of mkey page size (git-fixes) - rdma/mlx5: Fix compilation warning when USER_ACCESS isn't set (git-fixes) - rdma/mlx5: Fix vport loopback for MPV device (git-fixes) - rdma/mlx5: Initialize obj_event->obj_sub_list before xa_insert (git-fixes) - rdma/mlx5: reduce stack usage in mlx5_ib_ufile_hw_cleanup (git-fixes) - rdma/nldev: Check CAP_NET_RAW in user namespace for QP modify (git-fixes) - rdma/siw: Fix the sendmsg byte count in siw_tcp_sendpages (git-fixes) - rdma/uverbs: Add empty rdma_uattrs_has_raw_cap() declaration (git-fixes) - rdma/uverbs: Check CAP_NET_RAW in user namespace for QP create (git-fixes) - rdma/uverbs: Check CAP_NET_RAW in user namespace for RAW QP create (git-fixes) - rdma/uverbs: Check CAP_NET_RAW in user namespace for flow create (git-fixes) - re-enable qmi_wwan for arm64 (bsc#1246113) - reapply 'wifi: mac80211: Update skb's control block key in ieee80211_tx_dequeue()' (git-fixes). 
- regmap: fix potential memory leak of regmap_bus (git-fixes). - regulator: core: fix NULL dereference on unbind due to stale coupling data (stable-fixes). - regulator: fan53555: add enable_time support and soft-start times (stable-fixes). - regulator: gpio: Fix the out-of-bounds access to drvdata::gpiods (git-fixes). - regulator: pwm-regulator: Calculate the output voltage for disabled PWMs (stable-fixes). - resource: fix false warning in __request_region() (git-fixes). - restore UCSI_CONNECTOR_RESET_HARD definition (git-fixes). - revert 'ACPI: battery: negate current when discharging' (stable-fixes). - revert 'cgroup_freezer: cgroup_freezing: Check if not frozen' (bsc#1219338). - revert 'drm/i915/gem: Allow EXEC_CAPTURE on recoverable contexts on DG1' (stable-fixes). - revert 'drm/nouveau: check ioctl command codes better' (git-fixes). - revert 'drm/xe/xe2: Enable Indirect Ring State support for Xe2' (git-fixes). - revert 'mmc: sdhci: Disable SD card clock before changing parameters' (git-fixes). - revert 'usb: xhci: Implement xhci_handshake_check_state() helper' (git-fixes). - revert 'vgacon: Add check for vc_origin address range in vgacon_scroll()' (stable-fixes). - ring-buffer: Do not allow events in NMI with generic atomic64 cmpxchg() (git-fixes). - rose: fix dangling neighbour pointers in rose_rt_device_down() (git-fixes). - rpl: Fix use-after-free in rpl_do_srh_inline() (git-fixes). - rpm/kernel-subpackage-spec: Skip brp-strip-debug to avoid file truncation (bsc#1246879) Put the same workaround to avoid file truncation of vmlinux and co in kernel-default-base package, too. - rpm/mkspec: Fix missing kernel-syms-rt creation (bsc#1244337) - rtc: ds1307: fix incorrect maximum clock rate handling (git-fixes). - rtc: hym8563: fix incorrect maximum clock rate handling (git-fixes). - rtc: nct3018y: fix incorrect maximum clock rate handling (git-fixes). - rtc: pcf85063: fix incorrect maximum clock rate handling (git-fixes). 
- rtc: pcf8563: fix incorrect maximum clock rate handling (git-fixes). - rtc: rv3028: fix incorrect maximum clock rate handling (git-fixes). - s390/bpf: Fix bpf_arch_text_poke() with new_addr == NULL again (git-fixes bsc#1246870). - s390/entry: Fix last breaking event handling in case of stack corruption (git-fixes bsc#1243806). - s390/pci: Do not try re-enabling load/store if device is disabled (git-fixes bsc#1245646). - s390/pci: Fix stale function handles in error handling (git-fixes bsc#1245647). - s390/pkey: Prevent overflow in size calculation for memdup_user() (git-fixes bsc#1245598). - s390: Add z17 elf platform (LTC#214086 bsc#1245540). - samples: mei: Fix building on musl libc (git-fixes). - sched,freezer: Remove unnecessary warning in __thaw_task (bsc#1219338). - sched: Add test_and_clear_wake_up_bit() and atomic_dec_and_wake_up() (git-fixes). - scsi: core: Enforce unlimited max_segment_size when virt_boundary_mask is set (git-fixes). - scsi: fnic: Add and improve logs in FDMI and FDMI ABTS paths (bsc#1246644). - scsi: fnic: Fix crash in fnic_wq_cmpl_handler when FDMI times out (git-fixes). - scsi: fnic: Fix missing DMA mapping error in fnic_send_frame() (git-fixes). - scsi: fnic: Set appropriate logging level for log message (bsc#1246644). - scsi: fnic: Turn off FDMI ACTIVE flags on link down (git-fixes). - scsi: lpfc: Check for hdwq null ptr when cleaning up lpfc_vport structure (bsc#1245260 bsc#1243100 bsc#1246125). - scsi: lpfc: Early return out of FDMI cmpl for locally rejected statuses (bsc#1245260 bsc#1243100 bsc#1246125). - scsi: lpfc: Ensure HBA_SETUP flag is used only for SLI4 in dev_loss_tmo_callbk (bsc#1245260 bsc#1243100 bsc#1246125). - scsi: lpfc: Modify end-of-life adapters' model descriptions (bsc#1245260 bsc#1243100 bsc#1246125 bsc#1204142). - scsi: lpfc: Move clearing of HBA_SETUP flag to before lpfc_sli4_queue_unset (bsc#1245260 bsc#1243100 bsc#1246125). 
- scsi: lpfc: Relocate clearing initial phba flags from link up to link down hdlr (bsc#1245260 bsc#1243100 bsc#1246125). - scsi: lpfc: Revise CQ_CREATE_SET mailbox bitfield definitions (bsc#1245260 bsc#1243100 bsc#1246125). - scsi: lpfc: Revise logging format for failed CT MIB requests (bsc#1245260 bsc#1243100 bsc#1246125). - scsi: lpfc: Simplify error handling for failed lpfc_get_sli4_parameters cmd (bsc#1245260 bsc#1243100 bsc#1246125). - scsi: lpfc: Skip RSCN processing when FC_UNLOADING flag is set (bsc#1245260 bsc#1243100 bsc#1246125). - scsi: lpfc: Update debugfs trace ring initialization messages (bsc#1245260 bsc#1243100 bsc#1246125). - scsi: lpfc: Update lpfc version to 14.4.0.10 (bsc#1245260 bsc#1243100 bsc#1246125). - scsi: megaraid_sas: Fix invalid node index (git-fixes). - scsi: qla2xxx: Fix DMA mapping test in qla24xx_get_port_database() (git-fixes). - scsi: qla4xxx: Fix missing DMA mapping error in qla4xxx_alloc_pdu() (git-fixes). - scsi: s390: zfcp: Ensure synchronous unit_add (git-fixes bsc#1245599). - selftests/bpf: Add CFLAGS per source file and runner (git-fixes). - selftests/bpf: Add tests for iter next method returning valid pointer (git-fixes). - selftests/bpf: Change functions definitions to support GCC (git-fixes). - selftests/bpf: Fix a few tests for GCC related warnings (git-fixes). - selftests/bpf: Fix pointer arithmetic in test_xdp_do_redirect (git-fixes). - selftests/bpf: Fix prog numbers in test_sockmap (git-fixes). - smb3: move server check earlier when setting channel sequence number (git-fixes). - smb3: rename macro CIFS_SERVER_IS_CHAN to avoid confusion (git-fixes). - smb3: send channel sequence number in SMB3 requests after reconnects (git-fixes). - soc/tegra: cbb: Clear ERR_FORCE register with ERR_STATUS (git-fixes). - soc: aspeed: lpc-snoop: Cleanup resources in stack-order (git-fixes). - soc: aspeed: lpc-snoop: Do not disable channels that are not enabled (git-fixes). 
- soc: qcom: QMI encoding/decoding for big endian (git-fixes). - soc: qcom: fix endianness for QMI header (git-fixes). - soc: qcom: pmic_glink: fix OF node leak (git-fixes). - soundwire: amd: fix for clearing command status register (git-fixes). - soundwire: stream: restore params when prepare ports fail (git-fixes). - spi: spi-fsl-dspi: Clear completion counter before initiating transfer (git-fixes). - sprintf.h requires stdarg.h (git-fixes). - sprintf.h: mask additional include (git-fixes). - staging: axis-fifo: remove sysfs interface (git-fixes). - staging: fbtft: fix potential memory leak in fbtft_framebuffer_alloc() (git-fixes). - staging: nvec: Fix incorrect null termination of battery manufacturer (git-fixes). - staging: vchiq_arm: Make vchiq_shutdown never fail (git-fixes). - struct cdns: move new member to the end (git-fixes). - struct ucsi_operations: use padding for new operation (git-fixes). - sunrpc: do not immediately retransmit on seqno miss (git-fixes). - sunrpc: fix client side handling of tls alerts (git-fixes). - supported.conf: Mark ZL3073X modules supported - supported.conf: add missing entries for armv7hl - supported.conf: move nvme-apple to optional again - supported.conf: sort entries again - tcp: call tcp_measure_rcv_mss() for ooo packets (git-fixes). - thermal: trip: Use READ_ONCE() for lockless access to trip properties (git-fixes). - thermal: trip: Use common set of trip type names (git-fixes). - thunderbolt: Fix bit masking in tb_dp_port_set_hops() (git-fixes). - thunderbolt: Fix copy+paste error in match_service_id() (git-fixes). - thunderbolt: Fix wake on connect at runtime (git-fixes). - tracing/kprobe: Make trace_kprobe's module callback called after jump_label update (git-fixes). - tracing/kprobes: Fix to free objects when failed to copy a symbol (git-fixes). - types: Complement the aligned types with signed 64-bit one (stable-fixes). - ucount: fix atomic_long_inc_below() argument type (git-fixes). 
- ucsi-glink: adapt to kABI consistency (git-fixes). - ucsi_ccg: Refine the UCSI Interrupt handling (git-fixes). - ucsi_operations: add stubs for all operations (git-fixes). - ucsi_ops: adapt update_connector to kABI consistency (git-fixes). - update config files (bsc#1243678) - usb: Add checks for snprintf() calls in usb_alloc_dev() (stable-fixes). - usb: atm: cxacru: Merge cxacru_upload_firmware() into cxacru_heavy_init() (git-fixes). - usb: cdc-wdm: avoid setting WDM_READ for ZLP-s (stable-fixes). - usb: cdnsp: Fix issue with CV Bad Descriptor test (git-fixes). - usb: cdnsp: Fix issue with resuming from L1 (git-fixes). - usb: cdnsp: Replace snprintf() with the safer scnprintf() variant (stable-fixes). - usb: cdnsp: do not disable slot for disabled slot (git-fixes). - usb: chipidea: udc: disconnect/reconnect from host when do suspend/resume (git-fixes). - usb: common: usb-conn-gpio: use a unique name for usb connector device (stable-fixes). - usb: dwc2: also exit clock_gating when stopping udc while suspended (stable-fixes). - usb: dwc3: Abort suspend on soft disconnect failure (git-fixes). - usb: dwc3: meson-g12a: fix device leaks at unbind (git-fixes). - usb: early: xhci-dbc: Fix early_ioremap leak (git-fixes). - usb: gadget : fix use-after-free in composite_dev_cleanup() (git-fixes). - usb: gadget: u_serial: Fix race condition in TTY wakeup (git-fixes). - usb: gadget: udc: renesas_usb3: fix device leak at unbind (git-fixes). - usb: host: xhci-plat: fix incorrect type for of_match variable in xhci_plat_probe() (git-fixes). - usb: hub: Do not try to recover devices lost during warm reset (git-fixes). - usb: misc: apple-mfi-fastcharge: Make power supply names unique (git-fixes). - usb: musb: fix gadget state on disconnect (git-fixes). - usb: musb: omap2430: fix device leak at unbind (git-fixes). - usb: net: sierra: check for no status endpoint (git-fixes). - usb: potential integer overflow in usbg_make_tpg() (stable-fixes). 
- usb: serial: ftdi_sio: add support for NDI EMGUIDE GEMINI (stable-fixes). - usb: serial: option: add Foxconn T99W640 (stable-fixes). - usb: serial: option: add Telit Cinterion FE910C04 (ECM) composition (stable-fixes). - usb: typec: Update sysfs when setting ops (git-fixes). - usb: typec: altmodes/displayport: do not index invalid pin_assignments (git-fixes). - usb: typec: displayport: Fix potential deadlock (git-fixes). - usb: typec: displayport: Receive DP Status Update NAK request exit dp altmode (stable-fixes). - usb: typec: mux: do not return on EOPNOTSUPP in {mux, switch}_set (stable-fixes). - usb: typec: tcpm: allow switching to mode accessory to mux properly (stable-fixes). - usb: typec: tcpm: allow to use sink in accessory mode (stable-fixes). - usb: typec: tcpm: apply vbus before data bringup in tcpm_src_attach (git-fixes). - usb: typec: ucsi: Add DATA_RESET option of Connector Reset command (git-fixes). - usb: typec: ucsi: Add qcm6490-pmic-glink as needing PDOS quirk (git-fixes). - usb: typec: ucsi: Delay alternate mode discovery (git-fixes). - usb: typec: ucsi: Fix busy loop on ASUS VivoBooks (git-fixes). - usb: typec: ucsi: Fix the partner PD revision (git-fixes). - usb: typec: ucsi: Get PD revision for partner (git-fixes). - usb: typec: ucsi: Set orientation as none when connector is unplugged (git-fixes). - usb: typec: ucsi: Update power_supply on power role change (git-fixes). - usb: typec: ucsi: add callback for connector status updates (git-fixes). - usb: typec: ucsi: add update_connector callback (git-fixes). - usb: typec: ucsi: do not retrieve PDOs if not supported (git-fixes). - usb: typec: ucsi: extract code to read PD caps (git-fixes). - usb: typec: ucsi: fix UCSI on SM8550 & SM8650 Qualcomm devices (git-fixes). - usb: typec: ucsi: glink: fix off-by-one in connector_status (git-fixes). - usb: typec: ucsi: glink: increase max ports for x1e80100 (git-fixes). 
- usb: typec: ucsi: glink: move GPIO reading into connector_status callback (git-fixes). - usb: typec: ucsi: glink: use typec_set_orientation (git-fixes). - usb: typec: ucsi: move ucsi_acknowledge() from ucsi_read_error() (git-fixes). - usb: typec: ucsi: properly register partner's PD device (git-fixes). - usb: typec: ucsi: support delaying GET_PDOS for device (git-fixes). - usb: typec: ucsi_acpi: Add LG Gram quirk (git-fixes). - usb: typec: ucsi_glink: drop NO_PARTNER_PDOS quirk for sm8550 / sm8650 (git-fixes). - usb: typec: ucsi_glink: enable the UCSI_DELAY_DEVICE_PDOS quirk (git-fixes). - usb: typec: ucsi_glink: enable the UCSI_DELAY_DEVICE_PDOS quirk on qcm6490 (git-fixes). - usb: typec: ucsi_glink: rework quirks implementation (git-fixes). - usb: xhci: Skip xhci_reset in xhci_resume if xhci is being removed (git-fixes). - usb: xhci: quirk for data loss in ISOC transfers (stable-fixes). - usb:cdnsp: remove TRB_FLUSH_ENDPOINT command (stable-fixes). - virtgpu: do not reset on shutdown (git-fixes). - vmci: Prevent the dispatching of uninitialized payloads (git-fixes). - vt: add missing notification when switching back to text mode (stable-fixes). - vt: defkeymap: Map keycodes above 127 to K_HOLE (git-fixes). - vt: keyboard: Do not process Unicode characters in K_OFF mode (git-fixes). - watchdog: ziirave_wdt: check record length in ziirave_firm_verify() (git-fixes). - wifi: ath11k: clear initialized flag for deinit-ed srng lists (git-fixes). - wifi: ath11k: fix dest ring-buffer corruption (git-fixes). - wifi: ath11k: fix dest ring-buffer corruption when ring is full (git-fixes). - wifi: ath11k: fix sleeping-in-atomic in ath11k_mac_op_set_bitrate_mask() (git-fixes). - wifi: ath11k: fix source ring-buffer corruption (git-fixes). - wifi: ath11k: fix suspend use-after-free after probe failure (git-fixes). - wifi: ath12k: Pass ab pointer directly to ath12k_dp_tx_get_encap_type() (git-fixes). - wifi: ath12k: fix dest ring-buffer corruption (git-fixes). 
- wifi: ath12k: fix dest ring-buffer corruption when ring is full (git-fixes). - wifi: ath12k: fix endianness handling while accessing wmi service bit (git-fixes). - wifi: ath12k: fix source ring-buffer corruption (git-fixes). - wifi: ath6kl: remove WARN on bad firmware input (stable-fixes). - wifi: brcmfmac: fix P2P discovery failure in P2P peer due to missing P2P IE (git-fixes). - wifi: brcmsmac: Remove const from tbl_ptr parameter in wlc_lcnphy_common_read_table() (git-fixes). - wifi: cfg80211/mac80211: correctly parse S1G beacon optional elements (git-fixes). - wifi: cfg80211: fix S1G beacon head validation in nl80211 (git-fixes). - wifi: cfg80211: remove scan request n_channels counted_by (git-fixes). - wifi: iwlwifi: Fix error code in iwl_op_mode_dvm_start() (git-fixes). - wifi: iwlwifi: Fix memory leak in iwl_mvm_init() (git-fixes). - wifi: iwlwifi: return ERR_PTR from opmode start() (stable-fixes). - wifi: mac80211: Add link iteration macro for link data (stable-fixes). - wifi: mac80211: Check 802.11 encaps offloading in ieee80211_tx_h_select_key() (git-fixes). - wifi: mac80211: Create separate links for VLAN interfaces (stable-fixes). - wifi: mac80211: Do not call fq_flow_idx() for management frames (git-fixes). - wifi: mac80211: Do not schedule stopped TXQs (git-fixes). - wifi: mac80211: Write cnt before copying in ieee80211_copy_rnr_beacon() (git-fixes). - wifi: mac80211: chan: chandef is non-NULL for reserved (stable-fixes). - wifi: mac80211: drop invalid source address OCB frames (stable-fixes). - wifi: mac80211: finish link init before RCU publish (git-fixes). - wifi: mac80211: fix non-transmitted BSSID profile search (git-fixes). - wifi: mac80211: reject TDLS operations when station is not associated (git-fixes). - wifi: mt76: mt7925: Fix null-ptr-deref in mt7925_thermal_init() (git-fixes). - wifi: mt76: mt7925: fix invalid array index in ssid assignment during hw scan (git-fixes). 
- wifi: mt76: mt7925: fix the wrong config for tx interrupt (git-fixes). - wifi: nl80211: Set num_sub_specs before looping through sub_specs (git-fixes). - wifi: plfxlc: Fix error handling in usb driver probe (git-fixes). - wifi: prevent A-MSDU attacks in mesh networks (stable-fixes). - wifi: rt2x00: fix remove callback type mismatch (git-fixes). - wifi: rtl818x: Kill URBs before clearing tx status queue (git-fixes). - wifi: rtw89: avoid NULL dereference when RX problematic packet on unsupported 6 GHz band (git-fixes). - wifi: zd1211rw: Fix potential NULL pointer dereference in zd_mac_tx_to_dev() (git-fixes). - x86/CPU/AMD: Add more models to X86_FEATURE_ZEN5 (bsc#1246449). - x86/CPU/AMD: Improve the erratum 1386 workaround (git-fixes). - x86/CPU/AMD: Terminate the erratum_1386_microcode array (git-fixes). - x86/cpu/amd: Fix workaround for erratum 1054 (git-fixes). - x86/cpu: Avoid running off the end of an AMD erratum table (git-fixes). - x86/cpu: Expose only stepping min/max interface (git-fixes). - x86/cpu: Introduce new microcode matching helper (git-fixes). - x86/cpu: Move AMD erratum 1386 table over to 'x86_cpu_id' (git-fixes). - x86/cpu: Replace PEBS use of 'x86_cpu_desc' use with 'x86_cpu_id' (git-fixes). - x86/mce/amd: Add default names for MCA banks and blocks (git-fixes). - x86/mce/amd: Fix threshold limit reset (git-fixes). - x86/mce: Do not remove sysfs if thresholding sysfs init fails (git-fixes). - x86/mce: Make sure CMCI banks are cleared during shutdown on Intel (git-fixes). - x86/mtrr: Rename mtrr_overwrite_state() to guest_force_mtrr_state() (git-fixes). - x86/tdx: Fix __noreturn build warning around __tdx_hypercall_failed() (git-fixes). - x86/traps: Initialize DR6 by writing its architectural reset value (git-fixes). - x86/virt/tdx: Avoid indirect calls to TDX assembly functions (git-fixes). - x86: UV RTC: Add parameter to disable RTC clocksource (bsc#1241345). - xfs: fix off-by-one error in fsmap's end_daddr usage (bsc#1235837). 
- xfs: only create event xfs_file_compat_ioctl when CONFIG_COMPAT is configure (git-fixes). - xfs: remove unused event xfs_alloc_near_error (git-fixes). - xfs: remove unused event xfs_alloc_near_nominleft (git-fixes). - xfs: remove unused event xfs_attr_node_removename (git-fixes). - xfs: remove unused event xfs_ioctl_clone (git-fixes). - xfs: remove unused event xfs_pagecache_inval (git-fixes). - xfs: remove unused event xlog_iclog_want_sync (git-fixes). - xfs: remove unused trace event xfs_attr_remove_iter_return (git-fixes). - xfs: remove unused trace event xfs_attr_rmtval_set (git-fixes). - xfs: remove unused trace event xfs_reflink_cow_enospc (git-fixes). - xfs: remove unused xfs_attr events (git-fixes). - xfs: remove unused xfs_reflink_compare_extents events (git-fixes). - xfs: remove usused xfs_end_io_direct events (git-fixes). - xhci: Disable stream for xHC controller with XHCI_BROKEN_STREAMS (git-fixes). - xhci: dbc: Flush queued requests before stopping dbc (git-fixes). - xhci: dbctty: disable ECHO flag by default (git-fixes). 
----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:3012-1 Released: Fri Aug 29 02:07:38 2025 Summary: security update for git, git-lfs, obs-scm-bridge, python-PyYAML Type: security Severity: important References: 1212476,1216545,1218588,1218664,1243197,1245938,1245939,1245942,1245943,1245946,CVE-2025-27613,CVE-2025-27614,CVE-2025-46835,CVE-2025-48384,CVE-2025-48385 This update for git, git-lfs, obs-scm-bridge, python-PyYAML fixes the following issues: git was updated from version 2.43.0 to 2.51.0 (bsc#1243197): - Security issues fixed: * CVE-2025-27613 Fixed arbitrary writable file creation and truncation in Gitk (bsc#1245938) * CVE-2025-27614 Fixed arbitrary script execution via repository cloning in gitk (bsc#1245939) * CVE-2025-46835 Fixed arbitrary writable file creation in Git GUI when untrusted repository is cloned (bsc#1245942) * CVE-2025-48384 Fixed the unintentional execution of a script after checkout due to CRLF transforming (bsc#1245943) * CVE-2025-48385 Fixed arbitrary code execution due to protocol injection via fetching advertised bundle (bsc#1245946) - Other changes and bugs fixed: * Added SHA256 support (bsc#1243197) * Git moved to /usr/libexec/git/git and updated AppArmor profile accordingly (bsc#1218588) * gitweb AppArmor profile: allow reading etc/gitweb-common.conf (bsc#1218664) * Do not replace apparmor configuration (bsc#1216545) * Fixed the Python version required (bsc#1212476) - Version Updates Release Notes: * https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.51.0.adoc * https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.50.1.adoc * https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.50.0.adoc * https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.49.0.adoc * https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.48.1.adoc * 
https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.48.0.adoc * https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.47.1.adoc * https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.47.0.adoc * https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.46.2.adoc * https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.46.1.adoc * https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.46.0.adoc * https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.45.3.adoc * https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.45.2.adoc * https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.45.1.adoc * https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.45.0.adoc * https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.44.0.adoc * https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.43.3.adoc * https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.43.2.adoc * https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.43.1.adoc git-lfs is included in version 3.7.0. python-PyYAML was updated from version 6.0.1 to 6.0.2: - Added support for Cython 3.x and Python 3.13 obs-scm-bridge was updated from version 0.5.4 to 0.7.4: - New Features and Improvements: * Manifest File Support: Support has been added for a `_manifest` file, which serves as a successor to the `_subdirs` file. * Control Over Git Information: A new noobsinfo query parameter was added to hide git information in source and binary files. * Enhanced Submodule Handling: The system now records the configured branch of submodules and stays on that branch during checkout. * Git SHA Tracking: In project mode, the tool now uses git SHA sums instead of md5sum to track package sources. * SSH URL Support: ssh:// SCM URLs can now be used. 
* Improved Error Messages: Error reporting for invalid files within package subdirectories has been improved. * Standardized Config Location: In project mode, the _config file is now always located in the top-level directory, even when using subdirs. * Reduced Unnecessary Changes: In project mode, unnecessary modifications to the package meta URL are now avoided. * Limit Asset Handling: A new mechanism has been introduced to limit how assets are handled. * Branch Information Export: The trackingbranch is now exported to scmsync.obsinfo. - Bugs fixed: * Syntax Fix: A syntax issue was corrected. * Git Submodule Parsing: The .gitsubmodule parser was fixed to correctly handle files that contain a mix of spaces and tabs. The following package changes have been done: - glibc-2.38-150600.14.37.1 updated - pam-1.3.0-150000.6.86.1 updated - glibc-locale-base-2.38-150600.14.37.1 updated - kernel-macros-6.4.0-150700.53.11.1 updated - glibc-locale-2.38-150600.14.37.1 updated - kernel-devel-6.4.0-150700.53.11.1 updated - glibc-devel-2.38-150600.14.37.1 updated - git-core-2.51.0-150600.3.12.1 updated - kernel-default-devel-6.4.0-150700.53.11.1 updated - kernel-syms-6.4.0-150700.53.11.1 updated - container:registry.suse.com-bci-bci-base-15.7-6d58784f25ab2a6683cd03e5c220cdb204e4d82db4b49ea1b4635dbd52b60a5b-0 updated From sle-container-updates at lists.suse.com Wed Sep 3 15:51:30 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Wed, 3 Sep 2025 17:51:30 +0200 (CEST) Subject: SUSE-IU-2025:2412-1: Security update of suse/sl-micro/6.1/baremetal-os-container Message-ID: <20250903155130.9EB60FBA1@maintenance.suse.de> SUSE Image Update Advisory: suse/sl-micro/6.1/baremetal-os-container ----------------------------------------------------------------- Image Advisory ID : SUSE-IU-2025:2412-1 Image Tags : suse/sl-micro/6.1/baremetal-os-container:2.2.1 , suse/sl-micro/6.1/baremetal-os-container:2.2.1-7.2 , 
suse/sl-micro/6.1/baremetal-os-container:latest Image Release : 7.2 Severity : critical Type : security References : 1047218 1199630 1210638 1216091 1218459 1219559 1219666 1220262 1221107 1221854 1222849 1224285 1225660 1226447 1226448 1227378 1227999 1228165 1228780 1229596 1229704 1230227 1230262 1230906 1231463 1231795 1232241 1232425 1232526 1234128 1234665 1234812 1236177 1236705 1236931 1236931 1236931 1237147 1237442 1237496 1238078 1238450 1238491 1238700 1239119 1239119 1239119 1239119 1239210 1239335 1239566 1239623 1239883 1239938 1240366 1240414 1240788 1240897 1241020 1241052 1241067 1241078 1241083 1241114 1241190 1241453 1241549 1241551 1241680 1241938 1242827 1242844 1242938 1242987 1243069 1243106 1243155 1243226 1243242 1243273 1243273 1243313 1243317 1243450 1243767 1243935 1243991 1244032 1244050 1244056 1244059 1244060 1244061 1244079 1244116 1244509 1244554 1244555 1244557 1244580 1244700 1244705 1245169 1245274 1245275 1245309 1245310 1245311 1245312 1245314 1245317 1246296 1246360 1246472 1247074 1247819 391434 915387 CVE-2022-25236 CVE-2023-27043 CVE-2023-50782 CVE-2023-52425 CVE-2023-6597 CVE-2024-0397 CVE-2024-0450 CVE-2024-12718 CVE-2024-2236 CVE-2024-23337 CVE-2024-32487 CVE-2024-4030 CVE-2024-4032 CVE-2024-40896 CVE-2024-53427 CVE-2024-56406 CVE-2024-6232 CVE-2024-6923 CVE-2024-7592 CVE-2024-8088 CVE-2024-9287 CVE-2025-0938 CVE-2025-1795 CVE-2025-22247 CVE-2025-22869 CVE-2025-22870 CVE-2025-27587 CVE-2025-29087 CVE-2025-29088 CVE-2025-30258 CVE-2025-30258 CVE-2025-30258 CVE-2025-30258 CVE-2025-31115 CVE-2025-32414 CVE-2025-32415 CVE-2025-32462 CVE-2025-32463 CVE-2025-3360 CVE-2025-40909 CVE-2025-4138 CVE-2025-4330 CVE-2025-4373 CVE-2025-4435 CVE-2025-4516 CVE-2025-4516 CVE-2025-4517 CVE-2025-4598 CVE-2025-4598 CVE-2025-47273 CVE-2025-4802 CVE-2025-48060 CVE-2025-4877 CVE-2025-4878 CVE-2025-49794 CVE-2025-49795 CVE-2025-49796 CVE-2025-5278 CVE-2025-5318 CVE-2025-5351 CVE-2025-5372 CVE-2025-5987 CVE-2025-6018 CVE-2025-6020 CVE-2025-6021 
CVE-2025-6069 CVE-2025-6170 CVE-2025-7424 CVE-2025-7425 CVE-2025-7519 ----------------------------------------------------------------- The container suse/sl-micro/6.1/baremetal-os-container was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: 120 Released: Tue May 27 09:48:45 2025 Summary: Recommended update for lsof Type: recommended Severity: moderate References: 1224285,1232425 This update for lsof fixes the following issues: - Update to version 4.99.4: * In lsof manpage: mention /etc/services for -P option * Fix typos in docs * Linux 6.9 changed the pidfs appearance in procfs. Try to maintain original output in lsof (bsc#1224285) * closefrom_shim: Add optimized fallback for platforms without closefrom or close_range * fix build against -std=c23 (`void (*)()`) changed the meaning) - Fix embedding build host kernel version (bsc#1232425) - lsof 4.99.3: * Fix compilation error when HASIPv6 is not defined * Add configure option --disable-liblsof to disable installation of liblsof - Skip tests that are difficult to emulate by qemu - lsof 4.99.0: * Do not hard-code fd numbers in epoll test * --with-selinux configure option. 
* Improve performance by using closefrom() * Introduce liblsof for programmatic access over spawning lsof in a subprocess - build with libtirpc - switch to upstream tarball again as it dropped proprietary code ----------------------------------------------------------------- Advisory ID: 122 Released: Tue May 27 11:28:57 2025 Summary: Security update for glibc Type: security Severity: critical References: 1234128,1234665,1239883,1243317,CVE-2025-4802 This update for glibc fixes the following issues: - CVE-2025-4802: elf: Ignore LD_LIBRARY_PATH and debug env var for setuid for static (bsc#1243317) - pthreads NPTL: lost wakeup fix 2 (bsc#1234128, BZ #25847) - Mark functions in libc_nonshared.a as hidden (bsc#1239883) - Linux: Switch back to assembly syscall wrapper for prctl (bsc#1234665, BZ #29770) ----------------------------------------------------------------- Advisory ID: 126 Released: Wed May 28 11:00:31 2025 Summary: Security update for libxml2 Type: security Severity: moderate References: 1241453,1241551,CVE-2025-32414,CVE-2025-32415 This update for libxml2 fixes the following issues: - CVE-2025-32414: Fixed out-of-bounds read when parsing text via the Python API (bsc#1241551). - CVE-2025-32415: Fixed heap-based buffer under-read via crafted XML documents (bsc#1241453). 
----------------------------------------------------------------- Advisory ID: 127 Released: Mon Jun 2 11:11:24 2025 Summary: Recommended update for elemental Type: recommended Severity: moderate References: 1239623 This update for elemental fixes the following issues: Update to v2.2.1: * Include an empty /etc/machine-id file (bsc#1239623) * Remove /etc/machine-id from base container ----------------------------------------------------------------- Advisory ID: 130 Released: Tue Jun 3 11:03:45 2025 Summary: Security update for elemental-toolkit Type: security Severity: important References: 1238700,1239335,CVE-2025-22869,CVE-2025-22870 This update for elemental-toolkit fixes the following issues: - Updated to v2.2.3: * Adapted .golangci.yml format to a new version * Simplified podman calls in CI setup * Switched GHA runners to Ubuntu 24.04 * Updated year in headers * Vendored go.mod libraries * CVE-2025-22870: golang.org/x/net/proxy: Fixed proxy bypass using IPv6 zone IDs (bsc#1238700) * CVE-2025-22869: golang.org/x/crypto/ssh: Fixed Denial of Service in the Key Exchange of golang.org/x/crypto/ssh (bsc#1239335) ----------------------------------------------------------------- Advisory ID: 128 Released: Tue Jun 3 11:05:30 2025 Summary: Security update for python311 Type: security Severity: important References: 1210638,1219559,1219666,1221854,1225660,1226447,1226448,1227378,1227999,1228165,1228780,1229596,1229704,1230227,1230906,1231795,1232241,1236705,1238450,1239210,1241067,1243273,CVE-2022-25236,CVE-2023-27043,CVE-2023-52425,CVE-2023-6597,CVE-2024-0397,CVE-2024-0450,CVE-2024-4030,CVE-2024-4032,CVE-2024-6232,CVE-2024-6923,CVE-2024-7592,CVE-2024-8088,CVE-2024-9287,CVE-2025-0938,CVE-2025-1795,CVE-2025-4516 This update for python311 fixes the following issues: - CVE-2025-4516: Fixed blocking DecodeError handling vulnerability, which could lead to DoS. 
(bsc#1243273) Update to 3.11.12: - gh-105704: When using urllib.parse.urlsplit() and urllib.parse.urlparse() host parsing would not reject domain names containing square brackets ([ and ]). Square brackets are only valid for IPv6 and IPvFuture hosts according to RFC 3986 Section 3.2.2 (bsc#1236705, CVE-2025-0938, gh#python/cpython#105704). - gh-121284: Fix bug in the folding of rfc2047 encoded-words when flattening an email message using a modern email policy. Previously when an encoded-word was too long for a line, it would be decoded, split across lines, and re-encoded. But commas and other special characters in the original text could be left unencoded and unquoted. This could theoretically be used to spoof header lines using a carefully constructed encoded-word if the resulting rendered email was transmitted or re-parsed. - gh-80222: Fix bug in the folding of quoted strings when flattening an email message using a modern email policy. Previously when a quoted string was folded so that it spanned more than one line, the surrounding quotes and internal escapes would be omitted. This could theoretically be used to spoof header lines using a carefully constructed quoted string if the resulting rendered email was transmitted or re-parsed. - gh-119511: Fix a potential denial of service in the imaplib module. When connecting to a malicious server, it could cause an arbitrary amount of memory to be allocated. On many systems this is harmless as unused virtual memory is only a mapping, but if this hit a virtual address size limit it could lead to a MemoryError or other process crash. On unusual systems or builds where all allocated memory is touched and backed by actual ram or storage it could've consumed resources doing so until similarly crashing. - gh-127257: In ssl, system call failures that OpenSSL reports using ERR_LIB_SYS are now raised as OSError. 
- gh-121277: Writers of CPython's documentation can now use next as the version for the versionchanged, versionadded, deprecated directives. - gh-106883: Disable GC during the _PyThread_CurrentFrames() and _PyThread_CurrentExceptions() calls to avoid the interpreter to deadlock. - CVE-2025-0938: disallow square brackets ([ and ]) in domain names for parsed URLs (bsc#1236705, gh#python/cpython#105704) Update to 3.11.11: - Tools/Demos - gh-123418: Update GitHub CI workflows to use OpenSSL 3.0.15 and multissltests to use 3.0.15, 3.1.7, and 3.2.3. - Security - gh-122792: Changed IPv4-mapped ipaddress.IPv6Address to consistently use the mapped IPv4 address value for deciding properties. Properties which have their behavior fixed are is_multicast, is_reserved, is_link_local, is_global, and is_unspecified. - Library - gh-124651: Properly quote template strings in venv activation scripts (bsc#1232241, CVE-2024-9287). - Remove -IVendor/ from python-config bsc#1231795 - CVE-2024-9287: Properly quote path names provided when creating a virtual environment (bsc#1232241, - Drop .pyc files from docdir for reproducible builds (bsc#1230906). Update to 3.11.10: - Security - gh-121957: Fixed missing audit events around interactive use of Python, now also properly firing for ``python -i``, as well as for ``python -m asyncio``. The event in question is ``cpython.run_stdin``. - gh-122133: Authenticate the socket connection for the ``socket.socketpair()`` fallback on platforms where ``AF_UNIX`` is not available like Windows. Patch by Gregory P. Smith and Seth Larson . Reported by Ellie - gh-121285: Remove backtracking from tarfile header parsing for ``hdrcharset``, PAX, and GNU sparse headers (bsc#1230227, CVE-2024-6232). - gh-118486: :func:`os.mkdir` on Windows now accepts *mode* of ``0o700`` to restrict the new directory to the current user. 
This fixes CVE-2024-4030 affecting :func:`tempfile.mkdtemp` in scenarios where the base temporary directory is more permissive than the default. - Library - gh-123270: Applied a more surgical fix for malformed payloads in :class:`zipfile.Path` causing infinite loops (gh-122905) without breaking contents using legitimate characters (bsc#1229704, CVE-2024-8088). - gh-123067: Fix quadratic complexity in parsing ``'``-quoted cookie values with backslashes by :mod:`http.cookies` (bsc#1229596, CVE-2024-7592). - gh-122905: :class:`zipfile.Path` objects now sanitize names from the zipfile. - gh-121650: :mod:`email` headers with embedded newlines are now quoted on output. The :mod:`~email.generator` will now refuse to serialize (write) headers that are unsafely folded or delimited; see :attr:`~email.policy.Policy.verify_generated_headers`. (Contributed by Bas Bloemsaat and Petr Viktorin in :gh:`121650`; CVE-2024-6923, bsc#1228780). - gh-119506: Fix :meth:`!io.TextIOWrapper.write` method breaks internal buffer when the method is called again during flushing internal buffer. - gh-118643: Fix an AttributeError in the :mod:`email` module when re-fold a long address list. Also fix more cases of incorrect encoding of the address separator in the address list. - gh-113171: Fixed various false positives and false negatives in * :attr:`ipaddress.IPv4Address.is_private` (see these docs for details) * :attr:`ipaddress.IPv4Address.is_global` * :attr:`ipaddress.IPv6Address.is_private` * :attr:`ipaddress.IPv6Address.is_global` Also in the corresponding :class:`ipaddress.IPv4Network` and :class:`ipaddress.IPv6Network` attributes. Fixes bsc#1226448 (CVE-2024-4032). - gh-102988: :func:`email.utils.getaddresses` and :func:`email.utils.parseaddr` now return ``('', '')`` 2-tuples in more situations where invalid email addresses are encountered instead of potentially inaccurate values. 
Add optional *strict* parameter to these two functions: use ``strict=False`` to get the old behavior, accept malformed inputs. ``getattr(email.utils, 'supports_strict_parsing', False)`` can be used to check if the *strict* parameter is available. Patch by Thomas Dwyer and Victor Stinner to improve the CVE-2023-27043 fix (bsc#1210638). - gh-67693: Fix :func:`urllib.parse.urlunparse` and :func:`urllib.parse.urlunsplit` for URIs with path starting with multiple slashes and no authority. Based on patch by Ashwin Ramaswami. - Core and Builtins - gh-112275: A deadlock involving ``pystate.c``'s ``HEAD_LOCK`` in ``posixmodule.c`` at fork is now fixed. Patch by ChuBoning based on previous Python 3.12 fix by Victor Stinner. - gh-109120: Added handle of incorrect star expressions, e.g ``f(3, *)``. Patch by Grigoryev Semyon - CVE-2024-8088: Prevent malformed payload to cause infinite loops in zipfile.Path (bsc#1229704) - Make pip and modern tools install directly in /usr/local when used by the user. (bsc#1225660) - CVE-2024-4032: Fix rearranging definition of private v global IP addresses. (bsc#1226448) Update to 3.11.9: * Security - gh-115398: Allow controlling Expat >=2.6.0 reparse deferral (CVE-2023-52425, bsc#1219559) by adding five new methods: xml.etree.ElementTree.XMLParser.flush() xml.etree.ElementTree.XMLPullParser.flush() xml.parsers.expat.xmlparser.GetReparseDeferralEnabled() xml.parsers.expat.xmlparser.SetReparseDeferralEnabled() xml.sax.expatreader.ExpatParser.flush() - gh-115399: Update bundled libexpat to 2.6.0 - gh-115243: Fix possible crashes in collections.deque.index() when the deque is concurrently modified. - gh-114572: ssl.SSLContext.cert_store_stats() and ssl.SSLContext.get_ca_certs() now correctly lock access to the certificate store, when the ssl.SSLContext is shared across multiple threads (bsc#1226447, CVE-2024-0397). * Core and Builtins - gh-116296: Fix possible refleak in object.__reduce__() internal error handling. 
- gh-116034: Fix location of the error on a failed assertion. - gh-115823: Properly calculate error ranges in the parser when raising SyntaxError exceptions caused by invalid byte sequences. Patch by Pablo Galindo - gh-112087: For an empty reverse iterator for list will be reduced to reversed(). Patch by Donghee Na. - gh-115011: Setters for members with an unsigned integer type now support the same range of valid values for objects that has a __index__() method as for int. - gh-96497: Fix incorrect resolution of mangled class variables used in assignment expressions in comprehensions. * Library - gh-117310: Fixed an unlikely early & extra Py_DECREF triggered crash in ssl when creating a new _ssl._SSLContext if CPython was built implausibly such that the default cipher list is empty or the SSL library it was linked against reports a failure from its C SSL_CTX_set_cipher_list() API. - gh-117178: Fix regression in lazy loading of self-referential modules, introduced in gh-114781. - gh-117084: Fix zipfile extraction for directory entries with the name containing backslashes on Windows. - gh-117110: Fix a bug that prevents subclasses of typing.Any to be instantiated with arguments. Patch by Chris Fu. - gh-90872: On Windows, subprocess.Popen.wait() no longer calls WaitForSingleObject() with a negative timeout: pass 0 ms if the timeout is negative. Patch by Victor Stinner. - gh-116957: configparser: Don't leave ConfigParser values in an invalid state (stored as a list instead of a str) after an earlier read raised DuplicateSectionError or DuplicateOptionError. - gh-90095: Ignore empty lines and comments in .pdbrc - gh-116764: Restore support of None and other false values in urllib.parse functions parse_qs() and parse_qsl(). Also, they now raise a TypeError for non-zero integers and non-empty sequences. - gh-116811: In PathFinder.invalidate_caches, delegate to MetadataPathFinder.invalidate_caches. - gh-116600: Fix repr() for global Flag members. 
- gh-116484: Change automatically generated tkinter.Checkbutton widget names to avoid collisions with automatically generated tkinter.ttk.Checkbutton widget names within the same parent widget. - gh-116401: Fix blocking os.fwalk() and shutil.rmtree() on opening named pipe. - gh-116143: Fix a race in pydoc _start_server, eliminating a window in which _start_server can return a thread that is "serving" but without a docserver set. - gh-116325: typing: raise SyntaxError instead of AttributeError on forward references as empty strings. - gh-90535: Fix support of interval values > 1 in logging.TimedRotatingFileHandler for when='MIDNIGHT' and when='Wx'. - gh-115978: Disable preadv(), readv(), pwritev(), and writev() on WASI. - Under wasmtime for WASI 0.2, these functions don't pass test_posix (https://github.com/bytecodealliance/wasmtime/issues/7830). - gh-88352: Fix the computation of the next rollover time in the logging.TimedRotatingFileHandler handler. computeRollover() now always returns a timestamp larger than the specified time and works correctly during the DST change. doRollover() no longer overwrite the already rolled over file, saving from data loss when run at midnight or during repeated time at the DST change. - gh-87115: Set __main__.__spec__ to None when running a script with pdb - gh-76511: Fix UnicodeEncodeError in email.Message.as_string() that results when a message that claims to be in the ascii character set actually has non-ascii characters. Non-ascii characters are now replaced with the U+FFFD replacement character, like in the replace error handler. - gh-75988: Fixed unittest.mock.create_autospec() to pass the call through to the wrapped object to return the real result. - gh-115881: Fix issue where ast.parse() would incorrectly flag conditional context managers (such as with (x() if y else z()): ...) as invalid syntax if feature_version=(3, 8) was passed. This reverts changes to the grammar made as part of gh-94949. 
- gh-115886: Fix silent truncation of the name with an embedded null character in multiprocessing.shared_memory.SharedMemory. - gh-115809: Improve algorithm for computing which rolled-over log files to delete in logging.TimedRotatingFileHandler. It is now reliable for handlers without namer and with arbitrary deterministic namer that leaves the datetime part in the file name unmodified. - gh-74668: urllib.parse functions parse_qs() and parse_qsl() now support bytes arguments containing raw and percent-encoded non-ASCII data. - gh-67044: csv.writer() now always quotes or escapes '\r' and '\n', regardless of lineterminator value. - gh-115712: csv.writer() now quotes empty fields if delimiter is a space and skipinitialspace is true and raises exception if quoting is not possible. - gh-115618: Fix improper decreasing the reference count for None argument in property methods getter(), setter() and deleter(). - gh-115570: A DeprecationWarning is no longer omitted on access to the __doc__ attributes of the deprecated typing.io and typing.re pseudo-modules. - gh-112006: Fix inspect.unwrap() for types with the __wrapper__ data descriptor. - gh-101293: Support callables with the __call__() method and types with __new__() and __init__() methods set to class methods, static methods, bound methods, partial functions, and other types of methods and descriptors in inspect.Signature.from_callable(). - gh-115392: Fix a bug in doctest where incorrect line numbers would be reported for decorated functions. - gh-114563: Fix several format() bugs when using the C implementation of Decimal: * memory leak in some rare cases when using the z format option (coerce negative 0) * incorrect output when applying the z format option to type F (fixed-point with capital NAN / INF) * incorrect output when applying the # format option (alternate form) - gh-115197: urllib.request no longer resolves the hostname before checking it against the system's proxy bypass list on macOS and Windows. 
- gh-115198: Fix support of Docutils >= 0.19 in distutils. - gh-115165: Most exceptions are now ignored when attempting to set the __orig_class__ attribute on objects returned when calling typing generic aliases (including generic aliases created using typing.Annotated). Previously only AttributeError was ignored. Patch by Dave Shawley. - gh-115133: Fix tests for XMLPullParser with Expat 2.6.0. - gh-115059: io.BufferedRandom.read1() now flushes the underlying write buffer. - gh-79382: Trailing ** no longer allows to match files and non-existing paths in recursive glob(). - gh-114763: Protect modules loaded with importlib.util.LazyLoader from race conditions when multiple threads try to access attributes before the loading is complete. - gh-97959: Fix rendering class methods, bound methods, method and function aliases in pydoc. Class methods no longer have "method of builtins.type instance" note. Corresponding notes are now added for class and unbound methods. Method and function aliases now have references to the module or the class where the origin was defined if it differs from the current. Bound methods are now listed in the static methods section. Methods of builtin classes are now supported as well as methods of Python classes. - gh-112281: Allow creating union of types for typing.Annotated with unhashable metadata. - gh-111775: Fix importlib.resources.simple.ResourceHandle.open() for text mode, added missed stream argument. - gh-90095: Make .pdbrc and -c work with any valid pdb commands. - gh-107155: Fix incorrect output of help(x) where x is a lambda function, which has an __annotations__ dictionary attribute with a 'return' key. - gh-105866: Fixed _get_slots bug which caused error when defining dataclasses with slots and a weakref_slot. - gh-60346: Fix ArgumentParser inconsistent with parse_known_args. - gh-100985: Update HTTPSConnection to consistently wrap IPv6 Addresses when using a proxy. 
- gh-100884: email: fix misfolding of comma in address-lists over multiple lines in combination with unicode encoding (bsc#1238450 CVE-2025-1795) - gh-95782: Fix io.BufferedReader.tell(), io.BufferedReader.seek(), _pyio.BufferedReader.tell(), io.BufferedRandom.tell(), io.BufferedRandom.seek() and _pyio.BufferedRandom.tell() being able to return negative offsets. - gh-96310: Fix a traceback in argparse when all options in a mutually exclusive group are suppressed. - gh-93205: Fixed a bug in logging.handlers.TimedRotatingFileHandler where multiple rotating handler instances pointing to files with the same name but different extensions would conflict and not delete the correct files. - bpo-44865: Add missing call to localization function in argparse. - bpo-43952: Fix multiprocessing.connection.Listener.accept() to accept empty bytes as authkey. Not accepting empty bytes as key causes it to hang indefinitely. - bpo-42125: linecache: get module name from __spec__ if available. This allows getting source code for the __main__ module when a custom loader is used. - gh-66543: Make mimetypes.guess_type() properly parsing of URLs with only a host name, URLs containing fragment or query, and filenames with only a UNC sharepoint on Windows. Based on patch by Dong-hee Na. - bpo-33775: Add "default" and "version" help text for localization in argparse. * Documentation - gh-115399: Document CVE-2023-52425 of Expat <2.6.0 under "XML vulnerabilities". - gh-115233: Fix an example for LoggerAdapter in the Logging Cookbook. * IDLE - gh-88516: On macOS show a proxy icon in the title bar of editor windows to match platform behaviour. * Tools/Demos - gh-113516: Don't set LDSHARED when building for WASI. * C API - gh-117021: Fix integer overflow in PyLong_AsPid() on non-Windows 64-bit platforms. - Add reference to CVE-2024-0450 (bsc#1221854) to changelog. 
----------------------------------------------------------------- Advisory ID: 139 Released: Sun Jun 8 15:39:11 2025 Summary: Security update for less Type: security Severity: important References: 1047218,1222849,915387,CVE-2024-32487 This update for less fixes the following issues: - Updated to version 668 * Fixed crash when using --header on command line * Fixed possible crash when scrolling left/right or toggling -S * Fixed bug when using #stop in a lesskey file * Fixed bug when using --shift or --match-shift on command line with a parameter starting with '.' * Fixed bug in R command when file size changes * Fixed bug using --header when file does not fill screen * Fixed ^X bug when output is not a terminal * Fixed bug where ^Z is not handled immediately * Fixed bug where first byte from a LESSOPEN filter is deleted if it is greater than 0x7F * Fixed uninitialized variable in edit_ifile * Fixed incorrect handling of UTF-8 chars in prompts - Change preprocessor dependencies from Requires to Recommends. It's disabled by default and they are not necessary for less. - Updated to version 661: * fixed crash - buffer overflow by one in fexpand * fixed free(): double free detected in tcache 2 * fixed segmentation fault on line-num-width & -N - Updated to version 656: * Add ^O^N, ^O^P, ^O^L and ^O^O commands and mouse clicks (with --mouse) to find and open OSC8 hyperlinks (github #251). * Add --match-shift option. * Add --lesskey-content option (github #447). * Add LESSKEY_CONTENT environment variable (github #447). * Add --no-search-header-lines and --no-search-header-columns options (github #397). * Add ctrl-L search modifier (github #367). * A ctrl-P at the start of a shell command suppresses the 'done' message (github #462). * Add attribute characters ('*', '~', '_', '&') to --color parameter (github #471). * Allow expansion of environment variables in lesskey files. * Add LESSSECURE_ALLOW environment variable (github #449). 
* Add LESS_UNSUPPORT environment variable. * Add line number parameter to --header option (github #436). * Mouse right-click jumps to position marked by left-click (github #390). * Ensure that the target line is not obscured by a header line set by --header (github #444). * Change default character set to 'utf-8', except remains 'dos' on MS-DOS. * Add message when search with ^W wraps (github #459). * UCRT builds on Windows 10 and later now support Unicode file names (github #438). * Improve behavior of interrupt while reading non-terminated pipe (github #414). * Improve parsing of -j, -x and -# options (github #393). * Support files larger than 4GB on Windows (github #417). * Support entry of Unicode chars larger than U+FFFF on Windows (github #391). * Improve colors of bold, underline and standout text on Windows. * Allow --rscroll to accept non-ASCII characters (github #483). * Allow the parameter to certain options to be terminated with a space (--color, --quotes, --rscroll, --search-options and --intr) (github #495). * Fix bug where # substitution failed after viewing help (github #420). * Fix crash if files are deleted while less is viewing them (github #404). * Workaround unreliable ReadConsoleInputW behavior on Windows with non-ASCII input. * Fix -J display when searching for non-ASCII characters (github #422). * Don't filter header lines via the & command (github #423). * Fix bug when horizontally shifting long lines (github #425). * Add -x and -D options to lesstest, to make it easier to diagnose a failed lesstest run. * Fix bug searching long lines with --incsearch and -S (github #428). * Fix bug that made ESC-} fail if top line on screen was empty (github #429). * Fix bug with --mouse on Windows when used with pipes (github #440). * Fix bug in --+OPTION command line syntax. * Fix display bug when using -w with an empty line with a CR/LF line ending (github #474). 
* When substituting '#' or '%' with a filename, quote the filename if it contains a space (github #480). * Fix wrong sleep time when system has usleep but not nanosleep (github #489). * Fix bug when file name contains a newline (CVE-2024-32487, bsc#1222849). * Fix bug when file name contains nonprintable characters (github #503). * Fix DJGPP build (github #497). * Update Unicode tables. - add zstd support to lessopen - Updated to 643: * Fixed problem when a program piping into less reads from the tty, like sudo asking for password (github #368). * Fixed search modifier ^E after ^W. * Fixed bug using negated (^N) search (github #374). * Fixed bug setting colors with -D on Windows build (github #386). * Fixed reading special chars like PageDown on Windows (github #378). * Fixed mouse wheel scrolling on Windows (github #379). * Fixed erroneous EOF when terminal window size changes (github #372). * Fixed compile error with some definitions of ECHONL (github #395). * Fixed crash on Windows when writing logfile (github #405). * Fixed regression in exit code when stdin is /dev/null and output is a file (github #373). * Add lesstest test suite to production release (github #344). * Change lesstest output to conform with automake Simple Test Format (github #399). ----------------------------------------------------------------- Advisory ID: 141 Released: Tue Jun 10 13:50:09 2025 Summary: Security update for sqlite3 Type: security Severity: moderate References: 1241020,1241078,CVE-2025-29087,CVE-2025-29088 This update for sqlite3 fixes the following issues: - Update to release 3.49.1: * Improve portability of makefiles and configure scripts. * CVE-2025-29087: Fixed Integer Overflow in SQLite concat Function (bsc#1241020) * CVE-2025-29088: Fixed integer overflow through the SQLITE_DBCONFIG_LOOKASIDE component (bsc#1241078) - Update to release 3.49.0: * Enhancements to the query planner: - Improve the query-time index optimization so that it works on WITHOUT ROWID tables. 
- Better query plans for large star-query joins. This fixes three different performance regressions that were reported on the SQLite Forum. - When two or more queries have the same estimated cost, use the one with the fewer bytes per row. * Enhance the iif() SQL function so that it can accept any number of arguments greater than or equal to two. * Enhance the session extension so that it works on databases that make use of generated columns. * Omit the SQLITE_USE_STDIO_FOR_CONSOLE compile-time option which was not implemented correctly and never worked right. In its place add the SQLITE_USE_W32_FOR_CONSOLE_IO compile-time option. This option applies to command-line tools like the CLI only, not to the SQLite core. It causes Win32 APIs to be used for console I/O instead of stdio. This option affects Windows builds only. * Three new options to sqlite3_db_config(). All default 'on'. SQLITE_DBCONFIG_ENABLE_ATTACH_CREATE SQLITE_DBCONFIG_ENABLE_ATTACH_WRITE SQLITE_DBCONFIG_ENABLE_COMMENTS - Re-enable SONAME which got disabled by default in 3.48.0. - Update to release 3.48.0: * Improved EXPLAIN QUERY PLAN output for covering indexes. * Allow a two-argument version of the iif() SQL function. * Also allow if() as an alternative spelling for iif(). * Add the '.dbtotxt' command to the CLI. * Add the SQLITE_IOCAP_SUBPAGE_READ property to the xDeviceCharacteristics method of the sqlite3_io_methods object. * Add the SQLITE_PREPARE_DONT_LOG option to sqlite3_prepare_v3() that prevents warning messages being sent to the error log if the SQL is ill-formed. This allows sqlite3_prepare_v3() to be used to do test compiles of SQL to check for validity without polluting the error log with false messages. * Increase the minimum allowed value of SQLITE_LIMIT_LENGTH from 1 to 30. * Added the SQLITE_FCNTL_NULL_IO file control. * Extend the FTS5 auxiliary API xInstToken() to work with prefix queries via the insttoken configuration option and the fts5_insttoken() SQL function. 
* Increase the maximum number of arguments to an SQL function from 127 to 1000. - Update to release 3.47.2: * Fix a problem in text-to-floating-point conversion that affects text values where the first 16 significant digits are '1844674407370955'. This issue was introduced in 3.47.0 and only arises on x64 and i386 hardware. * Other minor bug fixes. - Enable the session extension, because NodeJS 22 needs it. - Update to release 3.47.1: * Fix the makefiles so that they once again honored DESTDIR for the 'install' target. * Add the SQLITE_IOCAP_SUBPAGE_READ capability to the VFS, to work around issues on some non-standard VFSes caused by making SQLITE_DIRECT_OVERFLOW_READ the default in version 3.45.0. * Fix incorrect answers to certain obscure IN queries caused by new query optimizations added in the 3.47.0 release. * Other minor bug fixes. - Update to release 3.47.0: * Allow arbitrary expressions in the second argument to the RAISE function. * If the RHS of the ->> operator is negative, then access array elements counting from the right. * Fix a problem with rolling back hot journal files in the seldom-used unix-dotfile VFS. * FTS5 tables can now be dropped even if they use a non-standard tokenizer that has not been registered. * Fix the group_concat() aggregate function so that it returns an empty string, not a NULL, if it receives a single input value which is an empty string. * Enhance the generate_series() table-valued function so that it is able to recognize and use constraints on its output value. Preupdate hooks now recognize when a column added by ALTER TABLE ADD COLUMN has a non-null default value. * Improved reuse of subqueries associated with the IN operator, especially when the IN operator has been duplicated due to predicate push-down. * Use a Bloom filter on subqueries on the right-hand side of the IN operator, in cases where that seems likely to improve performance. 
* Ensure that queries like 'SELECT func(a) FROM tab GROUP BY 1' only invoke the func() function once per row. * No attempt is made to create automatic indexes on a column that is known to be non-selective because of its use in other indexes that have been analyzed. * Adjustments to the query planner so that it produces better plans for star queries with a large number of dimension tables. * Add the 'order-by-subquery' optimization, that seeks to disable sort operations in outer queries if the desired order is obtained naturally due to ORDER BY clauses in subqueries. * The 'indexed-subtype-expr' optimization strives to use expressions that are part of an index rather than recomputing the expression based on table values, as long as the query planner can prove that the subtype of the expression will never be used. * Miscellaneous coding tweaks for faster runtimes. * Add the experimental sqlite3_rsync program. * Add extension functions median(), percentile(), percentile_cont(), and percentile_disc() to the CLI. * Add the .www dot-command to the CLI. * The sqlite3_analyzer utility now provides a break-out of statistics for WITHOUT ROWID tables. * The sqldiff utility avoids creating an empty database if its second argument does not exist. * Enhance the sqlite_dbpage table-valued function such that INSERT can be used to increase or decrease the size of the database file. * SQLite no longer makes any use of the 'long double' data type, as hardware support for long double is becoming less common and long double creates challenges for some compiler tool chains. Instead, SQLite uses Dekker's algorithm when extended precision is needed. * The TCL Interface for SQLite supports TCL9. Everything probably still works for TCL 8.5 and later, though this is not guaranteed. Users are encouraged to upgrade to TCL9. * Fix a corruption-causing bug in the JavaScript 'opfs' VFS. Correct 'mode=ro' handling for the 'opfs' VFS. Work around a couple of browser-specific OPFS quirks. 
* Add the fts5_tokenizer_v2 API and the locale=1 option, for creating custom locale-aware tokenizers and fts5 tables that may take advantage of them. * Add the contentless_unindexed=1 option, for creating contentless fts5 tables that store the values of any UNINDEXED columns persistently in the database. * Allow an FTS5 table to be dropped even if it uses a custom tokenizer whose implementation is not available. - Update to release 3.46.1: * Improved robustness while parsing the tokenize= arguments in FTS5. * Enhancements to covering index prediction in the query planner. * Do not let the number of terms on a VALUES clause be limited by SQLITE_LIMIT_COMPOUND_SELECT, even if the VALUES clause contains elements that appear to be variables due to double-quoted string literals. * Fix the window function version of group_concat() so that it returns an empty string if it has one or more empty string inputs. * In FTS5 secure-delete mode, fix false-positive integrity-check reports about corrupt indexes. * Syntax errors in ALTER TABLE should always return SQLITE_ERROR. In some cases, they were formerly returning SQLITE_INTERNAL. * Other minor fixes. - Update to release 3.46.0: * Enhance PRAGMA optimize in multiple ways. * Enhancements to the date and time functions. * Add support for underscore ('_') characters between digits in numeric literals. * Add the json_pretty() SQL function. * Query planner improvements. * Allocate additional memory from the heap for the SQL parser stack if that stack overflows, rather than reporting a 'parser stack overflow' error. * Allow ASCII control characters within JSON5 string literals. * Fix the -> and ->> JSON operators so that when the right-hand side operand is a string that looks like an integer it is still treated as a string, because that is what PostgreSQL does. 
- Update to release 3.45.3: * Fix a long-standing bug (going back to version 3.24.0) that might (rarely) cause the 'old.*' values of an UPDATE trigger to be incorrect if that trigger fires in response to an UPSERT. * Reduce the scope of the NOT NULL strength reduction optimization that was added as item 8e in version 3.35.0. The optimization was being attempted in some contexts where it did not work, resulting in incorrect query results. - Add SQLITE_STRICT_SUBTYPE=1 as recommended by upstream. - Update to release 3.45.2: * Added the SQLITE_RESULT_SUBTYPE property for application-defined SQL functions. * Enhancements to the JSON SQL functions * Add the FTS5 tokendata option to the FTS5 virtual table. * The SQLITE_DIRECT_OVERFLOW_READ optimization is now enabled by default. * Query planner improvements * Increase the default value for SQLITE_MAX_PAGE_COUNT from 1073741824 to 4294967294. * Enhancements to the CLI * Restore the JSON BLOB input bug, and promise to support the anomaly in subsequent releases, for backward compatibility. * Fix the PRAGMA integrity_check command so that it works on read-only databases that contain FTS3 and FTS5 tables. * Fix issues associated with processing corrupt JSONB inputs. * Fix a long-standing bug in which a read of a few bytes past the end of a memory-mapped segment might occur when accessing a craftily corrupted database using memory-mapped database. * Fix a long-standing bug in which a NULL pointer dereference might occur in the bytecode engine due to incorrect bytecode being generated for a class of SQL statements that are deliberately designed to stress the query planner but which are otherwise pointless. * Fix an error in UPSERT, introduced in version 3.35.0. * Reduce the scope of the NOT NULL strength reduction optimization that was added in version 3.35.0.
----------------------------------------------------------------- Advisory ID: 145 Released: Thu Jun 12 09:37:25 2025 Summary: Security update for systemd Type: security Severity: moderate References: 1236177,1237496,1241190,1242938,CVE-2025-4598 This update for systemd fixes the following issues: - coredump: use %d in kernel core pattern (CVE-2025-4598) - Revert 'macro: terminate the temporary VA_ARGS_FOREACH() array with a sentinel' (SUSE specific) - umount: do not move busy network mounts (bsc#1236177) - man/pstore.conf: pstore.conf template is not always installed in /etc - man: coredump.conf template is not always installed in /etc (bsc#1237496) - Don't write messages sent from users with UID falling into the container UID range to the system journal. Daemons in the container don't talk to the outside journald as they talk to the inner one directly, which does its journal splitting based on shifted uids. (bsc#1242938) - This re-adds back the support for the persistent net name rules as well as their generator since predictable naming scheme is still disabled by default on Micro (via the `net.ifnames=0` boot option). 
(bsc#1241190) ----------------------------------------------------------------- Advisory ID: 146 Released: Fri Jun 13 12:48:33 2025 Summary: Security update for openssl-3 Type: security Severity: moderate References: 1240366,CVE-2025-27587 This update for openssl-3 fixes the following issues: - CVE-2025-27587: Fixed Minerva side channel vulnerability in P-384 (bsc#1240366) ----------------------------------------------------------------- Advisory ID: 147 Released: Fri Jun 13 12:50:10 2025 Summary: Security update for libxml2 Type: security Severity: important References: 1234812,CVE-2024-40896 This update for libxml2 fixes the following issues: - CVE-2024-40896: Fixed XXE vulnerability (bsc#1234812) ----------------------------------------------------------------- Advisory ID: 151 Released: Thu Jun 19 10:45:49 2025 Summary: Security update for pam Type: security Severity: important References: 1244509,CVE-2025-6020 This update for pam fixes the following issues: - CVE-2025-6020: pam_namespace: convert functions that may operate on a user-controlled path to operate on file descriptors instead of absolute path. And keep the bind-mount protection from protect_mount() as a defense in depth measure. (bsc#1244509) ----------------------------------------------------------------- Advisory ID: 156 Released: Mon Jun 23 15:34:00 2025 Summary: Security update for gpg2 Type: security Severity: moderate References: 1239119,CVE-2025-30258 This update for gpg2 fixes the following issues: - CVE-2025-30258: Fixed a verification DoS due to a malicious subkey in the keyring. 
(bsc#1239119) ----------------------------------------------------------------- Advisory ID: 159 Released: Wed Jun 25 10:23:42 2025 Summary: Security update for open-vm-tools Type: security Severity: moderate References: 1237147,1241938,1243106,CVE-2025-22247 This update for open-vm-tools fixes the following issues: - Updated to 12.5.2: * CVE-2025-22247: Fixed Insecure file handling (bsc#1243106) ----------------------------------------------------------------- Advisory ID: 163 Released: Mon Jun 30 10:31:31 2025 Summary: Security update for gpg2 Type: security Severity: moderate References: 1236931,1239119,CVE-2025-30258 This update for gpg2 fixes the following issues: * Fixed regressions for the recent malicious subkey DoS fix for CVE-2025-30258 (bsc#1239119). ----------------------------------------------------------------- Advisory ID: 165 Released: Tue Jul 1 13:27:41 2025 Summary: Recommended update for gpg2 Type: recommended Severity: moderate References: 1236931,1239119,CVE-2025-30258 This update for gpg2 fixes the following issues: This reverts the CVE-2025-30258 fix, as it changed behaviour when using expired keys. 
----------------------------------------------------------------- Advisory ID: 166 Released: Wed Jul 2 10:15:40 2025 Summary: Security update for python-setuptools Type: security Severity: important References: 1243313,CVE-2025-47273 This update for python-setuptools fixes the following issues: - CVE-2025-47273: Fixed path traversal vulnerability in `PackageIndex` (bsc#1243313) ----------------------------------------------------------------- Advisory ID: 168 Released: Fri Jul 4 10:41:41 2025 Summary: Recommended update for elemental-operator Type: recommended Severity: moderate References: This update for elemental-operator fixes the following issues: - [v1.7.x] Label Templates: improve Random family processing - Dockerfile: bump golang container to 1.24 - operator: update RBAC for upgrade plans ----------------------------------------------------------------- Advisory ID: 170 Released: Fri Jul 4 16:31:25 2025 Summary: Recommended update for gptfdisk Type: recommended Severity: important References: 1242987 This update for gptfdisk fixes the following issues: - Fix boot failure with qcow and vmdk images (bsc#1242987) ----------------------------------------------------------------- Advisory ID: 172 Released: Mon Jul 7 13:11:11 2025 Summary: Security update for glib2 Type: security Severity: moderate References: 1231463,1240897,1242844,CVE-2025-3360,CVE-2025-4373 This update for glib2 fixes the following issues: Security issues: - CVE-2025-4373: Fixed handling gssize parameters (bsc#1242844). - CVE-2025-3360: Fixed integer overflow and buffer underread when parsing a very long and invalid ISO 8601 timestamp with g_date_time_new_from_iso8601 (bsc#1240897) Non security issues: - Trigger glib2-tools postun trigger exit normally if glib2-compile-schemas can't be run. Fixes error when uninstalling if libgio is uninstalled first (bsc#1231463). 
----------------------------------------------------------------- Advisory ID: 173 Released: Tue Jul 8 18:15:02 2025 Summary: Security update for gpg2 Type: security Severity: moderate References: 1236931,1239119,1243069,CVE-2025-30258 This update for gpg2 fixes the following issues: - CVE-2025-30258: Fix a verification DoS due to a malicious subkey in the keyring: [bsc#1239119, bsc#1236931] * gpg: Fix regression for the recent malicious subkey DoS fix. * gpg: Fix another regression due to the T7547 fix. * gpg: Allow the use of an ADSK subkey as ADSK subkey. - Don't install expired sks certificate [bsc#1243069] ----------------------------------------------------------------- Advisory ID: 182 Released: Tue Jul 15 16:48:17 2025 Summary: Security update for sudo Type: security Severity: important References: 1245274,1245275,CVE-2025-32462,CVE-2025-32463 This update for sudo fixes the following issues: - CVE-2025-32462: Fix a possible local privilege escalation via the --host option (bsc#1245274) - CVE-2025-32463: Fix a possible local privilege escalation via chroot option (bsc#1245275) ----------------------------------------------------------------- Advisory ID: 187 Released: Fri Jul 18 11:07:15 2025 Summary: Recommended update for rpm Type: recommended Severity: important References: 1216091,1218459,1241052 This update for rpm fixes the following issues: - fix --runposttrans not working correctly with the --root option [bsc#1216091] * added 'rpm_fixed_runposttrans' provides for libzypp - print scriptlet messages in --runposttrans * needed to fix leaking tmp files [bsc#1218459] - fix memory leak in str2locale [bsc#1241052] ----------------------------------------------------------------- Advisory ID: 191 Released: Mon Jul 28 16:35:09 2025 Summary: Security update for perl Type: security Severity: important References: 1241083,1244079,CVE-2024-56406,CVE-2025-40909 This update for perl fixes the following issues: - CVE-2024-56406: Fixed heap buffer overflow when 
transliterating non-ASCII bytes (bsc#1241083) - CVE-2025-40909: Fixed a working directory race condition causing file operations to target unintended paths (bsc#1244079) ----------------------------------------------------------------- Advisory ID: 192 Released: Mon Jul 28 16:36:18 2025 Summary: Security update for pam-config Type: security Severity: important References: 1243226,CVE-2025-6018 This update for pam-config fixes the following issues: - CVE-2025-6018: Stop adding pam_env in AUTH stack, and be sure to put this module at the very end of the SESSION stack. (bsc#1243226) ----------------------------------------------------------------- Advisory ID: 197 Released: Thu Jul 31 13:53:17 2025 Summary: Recommended update for gcc14 Type: recommended Severity: moderate References: 1230262,1232526,1237442,1238491,1239566,1239938,1240788,1241549,1243991,1244050 This update for gcc14 fixes the following issues: - Exclude shared objects present for link editing in the GCC specific subdirectory from provides processing via __provides_exclude_from. [bsc#1244050][bsc#1243991] - Update to GCC 14.3 release, bb24b4c804f3d95b0ba95b7496, git11799 - Update to gcc-14 branch head, 3418d740b344e0ba38022f3be, git11702 - Fix build on s390x [bsc#1241549] - Make sure link editing is done against our own shared library copy rather than the installed system runtime. [bsc#1240788] - cross-compiler builds with --enable-host-pie. - Allow GCC executables to be built PIE. [bsc#1239938] - Backport -msplit-patch-nops required for user-space livepatching on powerpc. - Also record -D_FORTIFY_SOURCE=2 in the DWARF debug info DW_AT_producer string. 
[bsc#1239566] - Disable profiling during build when %want_reproducible_builds is set [bsc#1238491] - Update to gcc-14 branch head, 9ffecde121af883b60bbe60d0, git11321 * fixes reported ICE in [bsc#1237442] - Adjust cross compiler requirements to use %requires_ge - Fix condition on whether to enable plugins or JIT support to not check sle_version which is not defined in SLFO but to check is_opensuse and suse_version instead. - For cross compilers require the same or newer binutils, newlib or cross-glibc that was used at build time. [bsc#1232526] - Update to gcc-14 branch head, 4af44f2cf7d281f3e4f3957ef, git10750 * includes libstdc++6 fix for parsing tzdata 2024b [gcc#116657] - Fix ICE with LTO building openvino on aarch64 [bsc#1230262] ----------------------------------------------------------------- Advisory ID: 196 Released: Thu Jul 31 14:00:30 2025 Summary: Security update for libgcrypt Type: security Severity: moderate References: 1221107,CVE-2024-2236 This update for libgcrypt fixes the following issues: - CVE-2024-2236: Fixed timing based side-channel in RSA implementation (bsc#1221107) ----------------------------------------------------------------- Advisory ID: 198 Released: Fri Aug 1 12:15:51 2025 Summary: Security update for python311 Type: security Severity: important References: 1243155,1243273,1244032,1244056,1244059,1244060,1244061,1244705,CVE-2024-12718,CVE-2025-4138,CVE-2025-4330,CVE-2025-4435,CVE-2025-4516,CVE-2025-4517,CVE-2025-6069 This update for python311 fixes the following issues: - CVE-2025-6069: Avoid worst case quadratic complexity when processing certain crafted malformed inputs with HTMLParser (bsc#1244705). Update to 3.11.13: - Security - gh-135034: Fixes multiple issues that allowed tarfile extraction filters (filter='data' and filter='tar') to be bypassed using crafted symlinks and hard links. Addresses CVE-2024-12718 (bsc#1244056), CVE-2025-4138 (bsc#1244059), CVE-2025-4330 (bsc#1244060), and CVE-2025-4517 (bsc#1244032). 
Also addresses CVE-2025-4435 (gh#135034, bsc#1244061). - gh-133767: Fix use-after-free in the 'unicode-escape' decoder with a non-'strict' error handler (CVE-2025-4516, bsc#1243273). - gh-128840: Short-circuit the processing of long IPv6 addresses early in ipaddress to prevent excessive memory consumption and a minor denial-of-service. - Library - gh-128840: Fix parsing long IPv6 addresses with embedded IPv4 address. - gh-134062: ipaddress: fix collisions in __hash__() for IPv4Network and IPv6Network objects. - gh-123409: Fix ipaddress.IPv6Address.reverse_pointer output according to RFC 3596, §2.5. Patch by Bénédikt Tran. - bpo-43633: Improve the textual representation of IPv4-mapped IPv6 addresses (RFC 4291 Sections 2.2, 2.5.5.2) in ipaddress. Patch by Oleksandr Pavliuk. ----------------------------------------------------------------- Advisory ID: 204 Released: Thu Aug 7 10:06:05 2025 Summary: Recommended update for selinux-policy Type: recommended Severity: moderate References: 1199630,1243242 This update for selinux-policy fixes the following issues: Update to version 20241031+git8.1f94e96d: * Revert downstream fix for bsc#1199630 due to regression (bsc#1243242) ----------------------------------------------------------------- Advisory ID: 205 Released: Thu Aug 7 14:07:54 2025 Summary: Recommended update for open-vm-tools Type: recommended Severity: moderate References: 1245169,391434 This update for open-vm-tools fixes the following issues: - Update to open-vm-tools 13.0.0 based on build 24696409. (bsc#1245169): There are no new features in the open-vm-tools 13.0.0 release. This is primarily a maintenance release that addresses a few issues, including: + The vm-support script has been updated to collect the open-vm-tools log files from the Linux guest and information from the systemd journal. + GitHub pull requests have been integrated and issues fixed. Please see the Resolved Issues section of the Release Notes. 
For a more complete list of issues resolved in this release, see the Resolved Issues section of the Release Notes. - Add patch: Currently the 'telinit 6' command is used to reboot a Linux VM following Guest OS Customization. As the classic Linux init system, SysVinit, is deprecated in favor of a newer init system, systemd, the telinit command may not be available on the base Linux OS. This change adds support to Guest OS Customization for the systemd init system. If the modern init system, systemd, is available, then a 'systemctl reboot' command will be used to trigger reboot. Otherwise, the 'telinit 6' command will be used assuming the traditional init system, SysVinit, is still available. - Ran /usr/lib/obs/service/source_validators/helpers/fix_changelog to fix changes file where source validator was failing. ----------------------------------------------------------------- Advisory ID: 206 Released: Fri Aug 8 12:26:24 2025 Summary: Security update for xz Type: security Severity: important References: 1240414,CVE-2025-31115 This update for xz fixes the following issues: - CVE-2025-31115: Fixed heap use after free and writing to an address based on the null pointer plus an offset (bsc#1240414) ----------------------------------------------------------------- Advisory ID: 207 Released: Fri Aug 8 12:28:13 2025 Summary: Security update for jq Type: security Severity: important References: 1238078,1243450,1244116,CVE-2024-23337,CVE-2024-53427,CVE-2025-48060 This update for jq fixes the following issues: - CVE-2025-48060: Fixed stack-buffer-overflow in jq_fuzz_execute (jv_string_vfmt) (bsc#1244116) - CVE-2024-23337: Fixed signed integer overflow in jv.c:jvp_array_write (bsc#1243450) - CVE-2024-53427: Fixed stack-buffer-overflow in the decNumberCopy function in decNumber.c (bsc#1238078) ----------------------------------------------------------------- Advisory ID: 215 Released: Thu Aug 14 12:12:18 2025 Summary: Security update for openssl-3 Type: security Severity: 
moderate References: 1220262,CVE-2023-50782 This update for openssl-3 fixes the following issues: - CVE-2023-50782: Implicit rejection in PKCS#1 v1.5 (bsc#1220262) ----------------------------------------------------------------- Advisory ID: 213 Released: Thu Aug 14 12:19:26 2025 Summary: Security update for libssh Type: security Severity: important References: 1245309,1245310,1245311,1245312,1245314,1245317,CVE-2025-4877,CVE-2025-4878,CVE-2025-5318,CVE-2025-5351,CVE-2025-5372,CVE-2025-5987 This update for libssh fixes the following issues: - CVE-2025-5372: ssh_kdf() returns a success code on certain failures (bsc#1245314) - CVE-2025-5987: Invalid return code for chacha20 poly1305 with OpenSSL backend (bsc#1245317) - CVE-2025-4877: Write beyond bounds in binary to base64 conversion functions (bsc#1245309) - CVE-2025-4878: Use of uninitialized variable in privatekey_from_file() (bsc#1245310) - CVE-2025-5318: Likely read beyond bounds in sftp server handle management (bsc#1245311) - CVE-2025-5351: Double free in functions exporting keys (bsc#1245312) ----------------------------------------------------------------- Advisory ID: 218 Released: Sat Aug 16 13:46:56 2025 Summary: Security update for systemd Type: security Severity: moderate References: 1242827,1243935,1247074,CVE-2025-4598 This update for systemd fixes the following issues: - Remove the script used to help migrating the language and locale settings located in /etc/sysconfig/language on old systems to the systemd default locations (bsc#1247074) The script was introduced more than 7 years ago and all systems running TW should have been migrated since then. Moreover the installer supports the systemd default locations since approximately SLE15. - triggers.systemd: skip update of hwdb, journal-catalog if executed during an offline update. 
- logs-show: get timestamp and boot ID only when necessary (bsc#1242827) - sd-journal: drop to use Hashmap to manage journal files per boot ID - tree-wide: set SD_JOURNAL_ASSUME_IMMUTABLE where appropriate - sd-journal: introduce SD_JOURNAL_ASSUME_IMMUTABLE flag - sd-journal: make journal_file_read_tail_timestamp() notify to the caller that some new journal entries added - sd-journal: cache last entry offset and journal file state - sd-journal: fix typo in function name - coredump: use %d in kernel core pattern (bsc#1243935 CVE-2025-4598) ----------------------------------------------------------------- Advisory ID: 227 Released: Fri Aug 22 14:33:27 2025 Summary: Recommended update for elemental-toolkit Type: recommended Severity: moderate References: This update for elemental-toolkit fixes the following issues: - Update to v2.2.4: * Avoid panic when MaxSnaps is set to 0 ----------------------------------------------------------------- Advisory ID: 229 Released: Tue Aug 26 10:49:45 2025 Summary: Recommended update for dracut Type: recommended Severity: moderate References: 1241114,1241680,1247819 This update for dracut fixes the following issues: - fix (dracut-util): crash if CMDLINE ends with quotation mark (bsc#1247819) - fix (rngd): adjust license to match the license of the whole project - fix (dracut): kernel module name normalization in drivers lists (bsc#1241680) - fix (dracut-init): assign real path to srcmods (bsc#1241114) ----------------------------------------------------------------- Advisory ID: 236 Released: Wed Aug 27 11:46:23 2025 Summary: Security update for libxml2 Type: security Severity: important References: 1244554,1244555,1244557,1244580,1244700,1246296,CVE-2025-49794,CVE-2025-49795,CVE-2025-49796,CVE-2025-6021,CVE-2025-6170,CVE-2025-7425 This update for libxml2 fixes the following issues: - CVE-2025-6021: Integer Overflow in xmlBuildQName() Leads to Stack Buffer Overflow in libxml2 [bsc#1244580] - CVE-2025-6170: stack buffer overflow may 
lead to a crash [bsc#1244700] - CVE-2025-7425: Heap Use-After-Free in libxslt caused by atype corruption in xmlAttrPtr [bsc#1246296] - CVE-2025-49794: heap use after free (UAF) can lead to Denial of service (DoS) [bsc#1244554] - CVE-2025-49795: null pointer dereference may lead to Denial of service (DoS) [bsc#1244555] - CVE-2025-49796: type confusion may lead to Denial of service (DoS) [bsc#1244557] ----------------------------------------------------------------- Advisory ID: 238 Released: Thu Aug 28 17:15:06 2025 Summary: Security update for coreutils Type: security Severity: moderate References: 1243767,CVE-2025-5278 This update for coreutils fixes the following issues: - CVE-2025-5278: Sort with key character offsets of SIZE_MAX, could induce a read of 1 byte before an allocated heap buffer (bsc#1243767). ----------------------------------------------------------------- Advisory ID: 239 Released: Fri Aug 29 09:49:21 2025 Summary: Security update for libxslt Type: security Severity: important References: 1246360,CVE-2025-7424 This update for libxslt fixes the following issues: - CVE-2025-7424: Type confusion in xmlNode.psvi between stylesheet and source nodes [bsc#1246360] ----------------------------------------------------------------- Advisory ID: 240 Released: Fri Aug 29 09:50:36 2025 Summary: Security update for polkit Type: security Severity: important References: 1246472,CVE-2025-7519 This update for polkit fixes the following issues: - CVE-2025-7519: Fixed that an XML policy file with a large number of nested elements may lead to out-of-bounds write (bsc#1246472). 
The following package changes have been done: - glibc-2.38-slfo.1.1_4.1 updated - liblzma5-5.4.3-slfo.1.1_2.1 updated - libgcc_s1-14.3.0+git11799-slfo.1.1_1.1 updated - libxml2-2-2.11.6-slfo.1.1_6.1 updated - libopenssl3-3.1.4-slfo.1.1_6.1 updated - libgcrypt20-1.10.3-slfo.1.1_2.1 updated - libstdc++6-14.3.0+git11799-slfo.1.1_1.1 updated - perl-base-5.38.2-slfo.1.1_2.1 updated - libudev1-254.27-slfo.1.1_1.1 updated - libsystemd0-254.27-slfo.1.1_1.1 updated - xz-5.4.3-slfo.1.1_2.1 updated - coreutils-9.4-slfo.1.1_2.1 updated - rpm-4.18.0-slfo.1.1_2.1 updated - pam-1.6.1-slfo.1.1_3.1 updated - pam-config-2.11+git.20240906-slfo.1.1_2.1 updated - SL-Micro-release-6.1-slfo.1.11.53 updated - systemd-254.27-slfo.1.1_1.1 updated - udev-254.27-slfo.1.1_1.1 updated - dracut-059+suse.639.g19f24feb-slfo.1.1_1.1 updated - libglib-2_0-0-2.78.6-slfo.1.1_3.1 updated - libsqlite3-0-3.49.1-slfo.1.1_1.1 updated - libssh-config-0.10.6-slfo.1.1_2.1 updated - libgobject-2_0-0-2.78.6-slfo.1.1_3.1 updated - libgmodule-2_0-0-2.78.6-slfo.1.1_3.1 updated - libgio-2_0-0-2.78.6-slfo.1.1_3.1 updated - glib2-tools-2.78.6-slfo.1.1_3.1 updated - libssh4-0.10.6-slfo.1.1_2.1 updated - elemental-register-1.7.3-slfo.1.1_1.1 updated - elemental-support-1.7.3-slfo.1.1_1.1 updated - elemental-updater-2.2.1-slfo.1.1_1.1 updated - glibc-locale-base-2.38-slfo.1.1_4.1 updated - gptfdisk-1.0.9-slfo.1.1_2.1 updated - elemental-toolkit-2.2.4-slfo.1.1_1.1 updated - elemental-2.2.1-slfo.1.1_1.1 updated - gpg2-2.4.4-slfo.1.1_5.1 updated - libxslt1-1.1.38-slfo.1.1_4.1 updated - sudo-1.9.15p5-slfo.1.1_2.1 updated - libpolkit-gobject-1-0-121-slfo.1.1_2.1 updated - libpolkit-agent-1-0-121-slfo.1.1_2.1 updated - polkit-121-slfo.1.1_2.1 updated - python311-base-3.11.13-slfo.1.1_1.1 updated - libpython3_11-1_0-3.11.13-slfo.1.1_1.1 updated - libjq1-1.7.1-slfo.1.1_2.1 updated - less-668-slfo.1.1_1.1 updated - perl-5.38.2-slfo.1.1_2.1 updated - python311-3.11.13-slfo.1.1_1.1 updated - jq-1.7.1-slfo.1.1_2.1 updated - 
lsof-4.99.4-slfo.1.1_1.1 updated - libvmtools0-13.0.0-slfo.1.1_1.1 updated - python311-setuptools-70.0.0-slfo.1.1_2.1 updated - open-vm-tools-13.0.0-slfo.1.1_1.1 updated - selinux-policy-20241031+git8.1f94e96d-slfo.1.1_1.1 updated - selinux-policy-targeted-20241031+git8.1f94e96d-slfo.1.1_1.1 updated - container:SL-Micro-base-container-2.2.1-5.27 updated From sle-container-updates at lists.suse.com Wed Sep 3 15:52:34 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Wed, 3 Sep 2025 17:52:34 +0200 (CEST) Subject: SUSE-IU-2025:2413-1: Security update of suse/sl-micro/6.1/base-os-container Message-ID: <20250903155234.463B0FBA1@maintenance.suse.de> SUSE Image Update Advisory: suse/sl-micro/6.1/base-os-container ----------------------------------------------------------------- Image Advisory ID : SUSE-IU-2025:2413-1 Image Tags : suse/sl-micro/6.1/base-os-container:2.2.1 , suse/sl-micro/6.1/base-os-container:2.2.1-5.27 , suse/sl-micro/6.1/base-os-container:latest Image Release : 5.27 Severity : important Type : security References : 1204142 1218459 1219338 1220262 1221107 1225707 1230216 1230262 1232526 1233300 1235613 1235837 1236333 1236897 1237442 1238491 1238896 1239061 1239566 1239938 1240323 1240414 1240788 1240885 1240966 1241114 1241166 1241345 1241549 1241680 1242086 1242414 1242827 1242837 1242960 1242965 1242993 1243068 1243100 1243479 1243669 1243767 1243806 1243935 1243991 1244050 1244309 1244337 1244457 1244554 1244555 1244557 1244580 1244700 1244735 1244749 1244750 1244792 1244801 1245151 1245201 1245202 1245216 1245260 1245309 1245310 1245311 1245312 1245314 1245317 1245431 1245440 1245457 1245498 1245499 1245504 1245506 1245508 1245510 1245540 1245598 1245599 1245646 1245647 1245649 1245650 1245654 1245658 1245660 1245665 1245666 1245668 1245669 1245670 1245671 1245675 1245676 1245677 1245679 1245682 1245683 1245684 1245688 1245689 1245690 1245691 1245695 1245705 1245708 1245711 1245713 1245714 1245719 
1245723 1245729 1245730 1245731 1245735 1245737 1245744 1245745 1245746 1245747 1245748 1245749 1245750 1245751 1245752 1245757 1245758 1245765 1245768 1245769 1245777 1245781 1245789 1245937 1245945 1245951 1245952 1245954 1245957 1245966 1245970 1245976 1245980 1245983 1245985 1245986 1246000 1246002 1246006 1246008 1246020 1246023 1246029 1246031 1246037 1246038 1246041 1246042 1246044 1246045 1246047 1246049 1246050 1246055 1246073 1246093 1246098 1246109 1246122 1246125 1246171 1246173 1246178 1246182 1246183 1246186 1246195 1246203 1246212 1246220 1246236 1246240 1246243 1246246 1246249 1246250 1246253 1246258 1246262 1246264 1246266 1246268 1246273 1246283 1246287 1246292 1246293 1246295 1246296 1246334 1246337 1246342 1246349 1246354 1246358 1246361 1246364 1246370 1246375 1246384 1246386 1246387 1246438 1246453 1246466 1246473 1246490 1246506 1246547 1246777 1246781 1246870 1246879 1246911 1246912 1247018 1247023 1247028 1247031 1247033 1247035 1247054 1247061 1247074 1247089 1247091 1247097 1247098 1247101 1247103 1247104 1247113 1247118 1247123 1247125 1247128 1247132 1247138 1247141 1247143 1247145 1247146 1247147 1247149 1247150 1247151 1247153 1247154 1247156 1247160 1247164 1247169 1247170 1247171 1247172 1247174 1247176 1247177 1247178 1247181 1247209 1247210 1247227 1247233 1247236 1247238 1247241 1247251 1247252 1247253 1247255 1247271 1247273 1247274 1247276 1247277 1247278 1247279 1247284 1247285 1247288 1247289 1247293 1247311 1247314 1247317 1247347 1247348 1247349 1247374 1247437 1247450 1247690 1247819 CVE-2019-11135 CVE-2023-50782 CVE-2024-2236 CVE-2024-36028 CVE-2024-36348 CVE-2024-36349 CVE-2024-36350 CVE-2024-36357 CVE-2024-44963 CVE-2024-56742 CVE-2024-57947 CVE-2025-21839 CVE-2025-21872 CVE-2025-23163 CVE-2025-31115 CVE-2025-37798 CVE-2025-37856 CVE-2025-37864 CVE-2025-37885 CVE-2025-37920 CVE-2025-37984 CVE-2025-38034 CVE-2025-38035 CVE-2025-38051 CVE-2025-38052 CVE-2025-38058 CVE-2025-38061 CVE-2025-38062 CVE-2025-38063 
CVE-2025-38064 CVE-2025-38074 CVE-2025-38084 CVE-2025-38085 CVE-2025-38087 CVE-2025-38088 CVE-2025-38089 CVE-2025-38090 CVE-2025-38094 CVE-2025-38095 CVE-2025-38097 CVE-2025-38098 CVE-2025-38099 CVE-2025-38100 CVE-2025-38102 CVE-2025-38105 CVE-2025-38107 CVE-2025-38108 CVE-2025-38109 CVE-2025-38110 CVE-2025-38111 CVE-2025-38112 CVE-2025-38113 CVE-2025-38115 CVE-2025-38117 CVE-2025-38118 CVE-2025-38120 CVE-2025-38122 CVE-2025-38123 CVE-2025-38124 CVE-2025-38126 CVE-2025-38127 CVE-2025-38129 CVE-2025-38131 CVE-2025-38132 CVE-2025-38135 CVE-2025-38136 CVE-2025-38138 CVE-2025-38142 CVE-2025-38143 CVE-2025-38145 CVE-2025-38147 CVE-2025-38148 CVE-2025-38149 CVE-2025-38151 CVE-2025-38153 CVE-2025-38154 CVE-2025-38155 CVE-2025-38157 CVE-2025-38158 CVE-2025-38159 CVE-2025-38161 CVE-2025-38162 CVE-2025-38165 CVE-2025-38166 CVE-2025-38173 CVE-2025-38174 CVE-2025-38177 CVE-2025-38180 CVE-2025-38181 CVE-2025-38182 CVE-2025-38183 CVE-2025-38187 CVE-2025-38188 CVE-2025-38192 CVE-2025-38193 CVE-2025-38194 CVE-2025-38197 CVE-2025-38198 CVE-2025-38200 CVE-2025-38202 CVE-2025-38203 CVE-2025-38204 CVE-2025-38206 CVE-2025-38210 CVE-2025-38211 CVE-2025-38212 CVE-2025-38213 CVE-2025-38214 CVE-2025-38215 CVE-2025-38217 CVE-2025-38220 CVE-2025-38222 CVE-2025-38225 CVE-2025-38226 CVE-2025-38227 CVE-2025-38229 CVE-2025-38231 CVE-2025-38236 CVE-2025-38239 CVE-2025-38244 CVE-2025-38246 CVE-2025-38248 CVE-2025-38249 CVE-2025-38250 CVE-2025-38257 CVE-2025-38259 CVE-2025-38264 CVE-2025-38272 CVE-2025-38273 CVE-2025-38275 CVE-2025-38277 CVE-2025-38279 CVE-2025-38283 CVE-2025-38286 CVE-2025-38289 CVE-2025-38290 CVE-2025-38292 CVE-2025-38293 CVE-2025-38300 CVE-2025-38303 CVE-2025-38304 CVE-2025-38305 CVE-2025-38307 CVE-2025-38310 CVE-2025-38312 CVE-2025-38313 CVE-2025-38319 CVE-2025-38323 CVE-2025-38326 CVE-2025-38328 CVE-2025-38332 CVE-2025-38334 CVE-2025-38335 CVE-2025-38336 CVE-2025-38337 CVE-2025-38338 CVE-2025-38342 CVE-2025-38343 CVE-2025-38344 CVE-2025-38345 CVE-2025-38348 CVE-2025-38349 
CVE-2025-38350 CVE-2025-38352 CVE-2025-38354 CVE-2025-38362 CVE-2025-38363 CVE-2025-38364 CVE-2025-38365 CVE-2025-38369 CVE-2025-38371 CVE-2025-38373 CVE-2025-38375 CVE-2025-38376 CVE-2025-38377 CVE-2025-38380 CVE-2025-38382 CVE-2025-38384 CVE-2025-38385 CVE-2025-38386 CVE-2025-38387 CVE-2025-38389 CVE-2025-38391 CVE-2025-38392 CVE-2025-38393 CVE-2025-38395 CVE-2025-38396 CVE-2025-38399 CVE-2025-38400 CVE-2025-38401 CVE-2025-38403 CVE-2025-38404 CVE-2025-38406 CVE-2025-38409 CVE-2025-38410 CVE-2025-38412 CVE-2025-38414 CVE-2025-38415 CVE-2025-38416 CVE-2025-38420 CVE-2025-38424 CVE-2025-38425 CVE-2025-38426 CVE-2025-38428 CVE-2025-38429 CVE-2025-38430 CVE-2025-38436 CVE-2025-38443 CVE-2025-38448 CVE-2025-38449 CVE-2025-38455 CVE-2025-38457 CVE-2025-38460 CVE-2025-38461 CVE-2025-38462 CVE-2025-38463 CVE-2025-38465 CVE-2025-38467 CVE-2025-38468 CVE-2025-38470 CVE-2025-38471 CVE-2025-38473 CVE-2025-38474 CVE-2025-38476 CVE-2025-38477 CVE-2025-38478 CVE-2025-38480 CVE-2025-38481 CVE-2025-38482 CVE-2025-38483 CVE-2025-38485 CVE-2025-38487 CVE-2025-38489 CVE-2025-38494 CVE-2025-38495 CVE-2025-38496 CVE-2025-38497 CVE-2025-38498 CVE-2025-4598 CVE-2025-4877 CVE-2025-4878 CVE-2025-49794 CVE-2025-49795 CVE-2025-49796 CVE-2025-5278 CVE-2025-5318 CVE-2025-5351 CVE-2025-5372 CVE-2025-5987 CVE-2025-6021 CVE-2025-6170 CVE-2025-7425 ----------------------------------------------------------------- The container suse/sl-micro/6.1/base-os-container was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: 197 Released: Thu Jul 31 13:53:17 2025 Summary: Recommended update for gcc14 Type: recommended Severity: moderate References: 1230262,1232526,1237442,1238491,1239566,1239938,1240788,1241549,1243991,1244050 This update for gcc14 fixes the following issues: - Exclude shared objects present for link editing in the GCC specific subdirectory from provides processing via __provides_exclude_from. 
[bsc#1244050][bsc#1243991] - Update to GCC 14.3 release, bb24b4c804f3d95b0ba95b7496, git11799 - Update to gcc-14 branch head, 3418d740b344e0ba38022f3be, git11702 - Fix build on s390x [bsc#1241549] - Make sure link editing is done against our own shared library copy rather than the installed system runtime. [bsc#1240788] - cross-compiler builds with --enable-host-pie. - Allow GCC executables to be built PIE. [bsc#1239938] - Backport -msplit-patch-nops required for user-space livepatching on powerpc. - Also record -D_FORTIFY_SOURCE=2 in the DWARF debug info DW_AT_producer string. [bsc#1239566] - Disable profiling during build when %want_reproducible_builds is set [bsc#1238491] - Update to gcc-14 branch head, 9ffecde121af883b60bbe60d0, git11321 * fixes reported ICE in [bsc#1237442] - Adjust cross compiler requirements to use %requires_ge - Fix condition on whether to enable plugins or JIT support to not check sle_version which is not defined in SLFO but to check is_opensuse and suse_version instead. - For cross compilers require the same or newer binutils, newlib or cross-glibc that was used at build time. 
[bsc#1232526] - Update to gcc-14 branch head, 4af44f2cf7d281f3e4f3957ef, git10750 * includes libstdc++6 fix for parsing tzdata 2024b [gcc#116657] - Fix ICE with LTO building openvino on aarch64 [bsc#1230262] ----------------------------------------------------------------- Advisory ID: 196 Released: Thu Jul 31 14:00:30 2025 Summary: Security update for libgcrypt Type: security Severity: moderate References: 1221107,CVE-2024-2236 This update for libgcrypt fixes the following issues: - CVE-2024-2236: Fixed timing based side-channel in RSA implementation (bsc#1221107) ----------------------------------------------------------------- Advisory ID: 206 Released: Fri Aug 8 12:26:24 2025 Summary: Security update for xz Type: security Severity: important References: 1240414,CVE-2025-31115 This update for xz fixes the following issues: - CVE-2025-31115: Fixed heap use after free and writing to an address based on the null pointer plus an offset (bsc#1240414) ----------------------------------------------------------------- Advisory ID: 208 Released: Fri Aug 8 13:09:13 2025 Summary: Recommended update for zypper, libzypp Type: recommended Severity: important References: 1218459,1245985,1246038,1246466,1247054,1247690 This update for zypper, libzypp fixes the following issues: libzypp was updated to 17.37.16: - Fix evaluation of libproxy results (bsc#1247690) - Replace URL variables inside mirrorlist/metalink files (fixes #667) - Append RepoInfo::path() to the mirror URLs in Preloader (bsc#1247054) - During installation indicate the backend being used (bsc#1246038) If some package actually needs to know, it should test for ZYPP_CLASSIC_RPMTRANS being set in the environment. Otherwise the transaction is driven by librpm. - Workaround 'rpm -vv' leaving scriptlets /var/tmp (bsc#1218459) - Verbose log libproxy results if PX_DEBUG=1 is set. - BuildRequires: cmake >= 3.17. 
- Allow explicit request to probe an added repo's URL (bsc#1246466) - Fix tests with -DISABLE_MEDIABACKEND_TESTS=1 (fixes #661) zypper was updated to 1.14.93: - Fix addrepo to handle explicit --check and --no-check requests (bsc#1246466) - Accept 'show' as alias for 'info' (bsc#1245985) ----------------------------------------------------------------- Advisory ID: 215 Released: Thu Aug 14 12:12:18 2025 Summary: Security update for openssl-3 Type: security Severity: moderate References: 1220262,CVE-2023-50782 This update for openssl-3 fixes the following issues: - CVE-2023-50782: Implicit rejection in PKCS#1 v1.5 (bsc#1220262) ----------------------------------------------------------------- Advisory ID: 213 Released: Thu Aug 14 12:19:26 2025 Summary: Security update for libssh Type: security Severity: important References: 1245309,1245310,1245311,1245312,1245314,1245317,CVE-2025-4877,CVE-2025-4878,CVE-2025-5318,CVE-2025-5351,CVE-2025-5372,CVE-2025-5987 This update for libssh fixes the following issues: - CVE-2025-5372: ssh_kdf() returns a success code on certain failures (bsc#1245314) - CVE-2025-5987: Invalid return code for chacha20 poly1305 with OpenSSL backend (bsc#1245317) - CVE-2025-4877: Write beyond bounds in binary to base64 conversion functions (bsc#1245309) - CVE-2025-4878: Use of uninitialized variable in privatekey_from_file() (bsc#1245310) - CVE-2025-5318: Likely read beyond bounds in sftp server handle management (bsc#1245311) - CVE-2025-5351: Double free in functions exporting keys (bsc#1245312) ----------------------------------------------------------------- Advisory ID: 218 Released: Sat Aug 16 13:46:56 2025 Summary: Security update for systemd Type: security Severity: moderate References: 1242827,1243935,1247074,CVE-2025-4598 This update for systemd fixes the following issues: - Remove the script used to help migrating the language and locale settings located in /etc/sysconfig/language on old systems to the systemd default locations (bsc#1247074) 
The script was introduced more than 7 years ago and all systems running TW should have been migrated since then. Moreover the installer supports the systemd default locations since approximately SLE15. - triggers.systemd: skip update of hwdb, journal-catalog if executed during an offline update. - logs-show: get timestamp and boot ID only when necessary (bsc#1242827) - sd-journal: drop to use Hashmap to manage journal files per boot ID - tree-wide: set SD_JOURNAL_ASSUME_IMMUTABLE where appropriate - sd-journal: introduce SD_JOURNAL_ASSUME_IMMUTABLE flag - sd-journal: make journal_file_read_tail_timestamp() notify to the caller that some new journal entries added - sd-journal: cache last entry offset and journal file state - sd-journal: fix typo in function name - coredump: use %d in kernel core pattern (bsc#1243935 CVE-2025-4598) ----------------------------------------------------------------- Advisory ID: 227 Released: Fri Aug 22 14:33:27 2025 Summary: Recommended update for elemental-toolkit Type: recommended Severity: moderate References: This update for elemental-toolkit fixes the following issues: - Update to v2.2.4: * Avoid panic when MaxSnaps is set to 0 ----------------------------------------------------------------- Advisory ID: kernel-82 Released: Mon Aug 25 15:33:57 2025 Summary: Security update for the Linux Kernel Type: security Severity: important References: 
1204142,1219338,1225707,1230216,1233300,1235613,1235837,1236333,1236897,1238896,1239061,1240323,1240885,1240966,1241166,1241345,1242086,1242414,1242837,1242960,1242965,1242993,1243068,1243100,1243479,1243669,1243806,1244309,1244337,1244457,1244735,1244749,1244750,1244792,1244801,1245151,1245201,1245202,1245216,1245260,1245431,1245440,1245457,1245498,1245499,1245504,1245506,1245508,1245510,1245540,1245598,1245599,1245646,1245647,1245649,1245650,1245654,1245658,1245660,1245665,1245666,1245668,1245669,1245670,1245671,1245675,1245676,1245677,1245679,1245682,1245683,1245684,1245688,1245689,1245690,1245691,1245695,1245705,1245708,1245711,1245713,1245714,1245719,1245723,1245729,1245730,1245731,1245735,1245737,1245744,1245745,1245746,1245747,1245748,1245749,1245750,1245751,1245752,1245757,1245758,1245765,1245768,1245769,1245777,1245781,1245789,1245937,1245945,1245951,1245952,1245954,1245957,1245966,1245970,1245976,1245980,1245983,1245986,1246000,1246002,1246006,1246008,1246020,1246023,1246029,1246031,1246037,1246041,1246042,1246044,1246045,1246047,1246049,1246050,1246055,1246073,1246093,1246098,1246109,1246122,1246125,1246171,1246173,1246178,1246182,1246183,1246186,1246195,1246203,1246212,1246220,1246236,1246240,1246243,1246246,1246249,1246250,1246253,1246258,1246262,1246264,1246266,1246268,1246273,1246283,1246287,1246292,1246293,1246295,1246334,1246337,1246342,1246349,1246354,1246358,1246361,1246364,1246370,1246375,1246384,1246386,1246387,1246438,1246453,1246473,1246490,1246506,1246547,1246777,1246781,1246870,1246879,1246911,1247018,1247023,1247028,1247031,1247033,1247035,1247061,1247089,1247091,1247097,1247098,1247101,1247103,1247104,1247113,1247118,1247123,1247125,1247128,1247132,1247138,1247141,1247143,1247145,1247146,1247147,1247149,1247150,1247151,1247153,1247154,1247156,1247160,1247164,1247169,1247170,1247171,1247172,1247174,1247176,1247177,1247178,1247181,1247209,1247210,1247227,1247233,1247236,1247238,1247241,1247251,1247252,1247253,1247255,1247271,1247273,1247274,1247276,1247277,1247278,1247279,1247284,1247285,1247288,1247289,1247293,1247311,1247314,1247317,1247347,1247348,1247349,1247374,1247437,1247450,CVE-2019-11135,CVE-2024-36028,CVE-2024-36348,CVE-2024-36349,CVE-2024-36350,CVE-2024-36357,CVE-2024-44963,CVE-2024-56742,CVE-2024-57947,CVE-2025-21839,CVE-2025-21872,CVE-2025-23163,CVE-2025-37798,CVE-2025-37856,CVE-2025-37864,CVE-2025-37885,CVE-2025-37920,CVE-2025-37984,CVE-2025-38034,CVE-2025-38035,CVE-2025-38051,CVE-2025-38052,CVE-2025-38058,CVE-2025-38061,CVE-2025-38062,CVE-2025-38063,CVE-2025-38064,CVE-2025-38074,CVE-2025-38084,CVE-2025-38085,CVE-2025-38087,CVE-2025-38088,CVE-2025-38089,CVE-2025-38090,CVE-2025-38094,CVE-2025-38095,CVE-2025-38097,CVE-2025-38098,CVE-2025-38099,CVE-2025-38100,CVE-2025-38102,CVE-2025-38105,CVE-2025-38107,CVE-2025-38108,CVE-2025-38109,CVE-2025-38110,CVE-2025-38111,CVE-2025-38112,CVE-2025-38113,CVE-2025-38115,CVE-2025-38117,CVE-2025-38118,CVE-2025-38120,CVE-2025-38122,CVE-2025-38123,CVE-2025-38124,CVE-2025-38126,CVE-2025-38127,CVE-2025-38129,CVE-2025-38131,CVE-2025-38132,CVE-2025-38135,CVE-2025-38136,CVE-2025-38138,CVE-2025-38142,CVE-2025-38143,CVE-2025-38145,CVE-2025-38147,CVE-2025-38148,CVE-2025-38149,CVE-2025-38151,CVE-2025-38153,CVE-2025-38154,CVE-2025-38155,CVE-2025-38157,CVE-2025-38158,CVE-2025-38159,CVE-2025-38161,CVE-2025-38162,CVE-2025-38165,CVE-2025-38166,CVE-2025-38173,CVE-2025-38174,CVE-2025-38177,CVE-2025-38180,CVE-2025-38181,CVE-2025-38182,CVE-2025-38183,CVE-2025-38187,CVE-2025-38188,CVE-2025-38192,CVE-2025-38193,CVE-2025-38194,CVE-2025-38197,CVE-2025-38198,CVE-2025-38200,CVE-2025-38202,CVE-2025-38203,CVE-2025-38204,CVE-2025-38206,CVE-2025-38210,CVE-2025-38211,CVE-2025-38212,CVE-2025-38213,CVE-2025-38214,CVE-2025-38215,CVE-2025-38217,CVE-2025-38220,CVE-2025-38222,CVE-2025-38225,CVE-2025-38226,CVE-2025-38227,CVE-2025-38229,CVE-2025-38231,CVE-2025-38236,CVE-2025-38239,CVE-2025-38244,CVE-2025-38246,CVE-2025-38248,CVE-2025-38249,CVE-2025-38250,CVE-2025-38257,CVE-2025-38259,CVE-2025-38264,CVE-2025-38272,CVE-2025-38273,CVE-2025-38275,CVE-2025-38277,CVE-2025-38279,CVE-2025-38283,CVE-2025-38286,CVE-2025-38289,CVE-2025-38290,CVE-2025-38292,CVE-2025-38293,CVE-2025-38300,CVE-2025-38303,CVE-2025-38304,CVE-2025-38305,CVE-2025-38307,CVE-2025-38310,CVE-2025-38312,CVE-2025-38313,CVE-2025-38319,CVE-2025-38323,CVE-2025-38326,CVE-2025-38328,CVE-2025-38332,CVE-2025-38334,CVE-2025-38335,CVE-2025-38336,CVE-2025-38337,CVE-2025-38338,CVE-2025-38342,CVE-2025-38343,CVE-2025-38344,CVE-2025-38345,CVE-2025-38348,CVE-2025-38349,CVE-2025-38350,CVE-2025-38352,CVE-2025-38354,CVE-2025-38362,CVE-2025-38363,CVE-2025-38364,CVE-2025-38365,CVE-2025-38369,CVE-2025-38371,CVE-2025-38373,CVE-2025-38375,CVE-2025-38376,CVE-2025-38377,CVE-2025-38380,CVE-2025-38382,CVE-2025-38384,CVE-2025-38385,CVE-2025-38386,CVE-2025-38387,CVE-2025-38389,CVE-2025-38391,CVE-2025-38392,CVE-2025-38393,CVE-2025-38395,CVE-2025-38396,CVE-2025-38399,CVE-2025-38400,CVE-2025-38401,CVE-2025-38403,CVE-2025-38404,CVE-2025-38406,CVE-2025-38409,CVE-2025-38410,CVE-2025-38412,CVE-2025-38414,CVE-2025-38415,CVE-2025-38416,CVE-2025-38420,CVE-2025-38424,CVE-2025-38425,CVE-2025-38426,CVE-2025-38428,CVE-2025-38429,CVE-2025-38430,CVE-2025-38436,CVE-2025-38443,CVE-2025-38448,CVE-2025-38449,CVE-2025-38455,CVE-2025-38457,CVE-2025-38460,CVE-2025-38461,CVE-2025-38462,CVE-2025-38463,CVE-2025-38465,CVE-2025-38467,CVE-2025-38468,CVE-2025-38470,CVE-2025-38471,CVE-2025-38473,CVE-2025-38474,CVE-2025-38476,CVE-2025-38477,CVE-2025-38478,CVE-2025-38480,CVE-2025-38481,CVE-2025-38482,CVE-2025-38483,CVE-2025-38485,CVE-2025-38487,CVE-2025-38489,CVE-2025-38494,CVE-2025-38495,CVE-2025-38496,CVE-2025-38497,CVE-2025-38498 The SUSE Linux Enterprise Micro 6.0 and 6.1 kernel was updated to receive various security bugfixes.
The following security bugs were fixed: - CVE-2019-11135: TSX Asynchronous Abort condition on some CPUs utilizing speculative execution may - CVE-2024-36028: mm/hugetlb: fix DEBUG_LOCKS_WARN_ON(1) when dissolve_free_hugetlb_folio() (bsc#1225707). - CVE-2024-36348, CVE-2024-36349, CVE-2024-36350, CVE-2024-36357: x86/process: Move the buffer clearing before MONITOR (bsc#1238896). - CVE-2024-44963: btrfs: do not BUG_ON() when freeing tree block after error (bsc#1230216). - CVE-2024-56742: vfio/mlx5: Fix an unwind issue in mlx5vf_add_migration_pages() (bsc#1235613). - CVE-2025-21839: KVM: x86: Load DR6 with guest value only before entering .vcpu_run() loop (bsc#1239061). - CVE-2025-21872: efi/mokvar-table: Avoid repeated map/unmap of the same page (bsc#1240323). - CVE-2025-23163: net: vlan: do not propagate flags on open (bsc#1242837). - CVE-2025-37856: btrfs: harden block_group::bg_list against list_del() races (bsc#1243068). - CVE-2025-37864: net: dsa: clean up FDB, MDB, VLAN entries on unbind (bsc#1242965). - CVE-2025-37885: KVM: x86: Reset IRTE to host control if *new* route isn't postable (bsc#1242960). - CVE-2025-37920: kABI workaround for xsk: Fix race condition in AF_XDP generic RX path (bsc#1243479). - CVE-2025-37984: crypto: ecdsa - Harden against integer overflows in DIV_ROUND_UP() (bsc#1243669). - CVE-2025-38034: btrfs: correct the order of prelim_ref arguments in btrfs__prelim_ref (bsc#1244792). - CVE-2025-38035: nvmet-tcp: do not restore null sk_state_change (bsc#1244801). - CVE-2025-38051: smb: client: Fix use-after-free in cifs_fill_dirent (bsc#1244750). - CVE-2025-38058: __legitimize_mnt(): check for MNT_SYNC_UMOUNT should be under mount_lock (bsc#1245151). - CVE-2025-38061: net: pktgen: fix access outside of user given buffer in pktgen_thread_write() (bsc#1245440). - CVE-2025-38062: kABI: restore layout of struct msi_desc (bsc#1245216). - CVE-2025-38063: dm: fix unconditional IO throttle caused by REQ_PREFLUSH (bsc#1245202). 
- CVE-2025-38064: virtio: break and reset virtio devices on device_shutdown() (bsc#1245201). - CVE-2025-38074: vhost-scsi: protect vq->log_used with vq->mutex (bsc#1244735). - CVE-2025-38094: net: cadence: macb: Fix a possible deadlock in macb_halt_tx (bsc#1245649). - CVE-2025-38097: kabi: restore encap_sk in struct xfrm_state (bsc#1245660). - CVE-2025-38098: drm/amd/display: Do not treat wb connector as physical in (bsc#1245654). - CVE-2025-38099: Bluetooth: btusb: Fix regression in the initialization of fake Bluetooth controllers (bsc#1245671). - CVE-2025-38100: x86/iopl: Cure TIF_IO_BITMAP inconsistencies (bsc#1245650). - CVE-2025-38105: ALSA: usb-audio: Kill timer properly at removal (bsc#1245682). - CVE-2025-38115: net_sched: sch_sfq: fix a potential crash on gso_skb handling (bsc#1245689). - CVE-2025-38117: hci_dev centralize extra lock (bsc#1245695). - CVE-2025-38126: net: stmmac: make sure that ptp_rate is not 0 before configuring timestamping (bsc#1245708). - CVE-2025-38131: coresight: prevent deactivate active config while enabling the config (bsc#1245677). - CVE-2025-38132: coresight: holding cscfg_csdev_lock while removing cscfg from csdev (bsc#1245679). - CVE-2025-38147: calipso: unlock rcu before returning -EAFNOSUPPORT (bsc#1245768). - CVE-2025-38158: hisi_acc_vfio_pci: fix XQE dma address error (bsc#1245750). - CVE-2025-38162: netfilter: nft_set_pipapo: prevent overflow in lookup table allocation (bsc#1245752). - CVE-2025-38166: bpf: fix ktls panic with sockmap (bsc#1245758). - CVE-2025-38180: net: atm: fix /proc/net/atm/lec handling (bsc#1245970). - CVE-2025-38182: ublk: santizize the arguments from userspace when adding a device (bsc#1245937). - CVE-2025-38183: net: lan743x: fix potential out-of-bounds write in lan743x_ptp_io_event_clock_get() (bsc#1246006). - CVE-2025-38187: drm/nouveau: fix a use-after-free in r535_gsp_rpc_push() (bsc#1245951). - CVE-2025-38188: drm/msm/a7xx: Call CP_RESET_CONTEXT_STATE (bsc#1246098). 
- CVE-2025-38200: i40e: fix MMIO write access to an invalid page in i40e_clear_hw (bsc#1246045). - CVE-2025-38202: bpf: Check rcu_read_lock_trace_held() in bpf_map_lookup_percpu_elem() (bsc#1245980). - CVE-2025-38203: jfs: Fix null-ptr-deref in jfs_ioc_trim (bsc#1246044). - CVE-2025-38204: jfs: fix array-index-out-of-bounds read in add_missing_indices (bsc#1245983). - CVE-2025-38206: exfat: fix double free in delayed_free (bsc#1246073). - CVE-2025-38210: configfs-tsm-report: Fix NULL dereference of tsm_ops (bsc#1246020). - CVE-2025-38212: ipc: fix to protect IPCS lookups using RCU (bsc#1246029). - CVE-2025-38220: ext4: only dirty folios when data journaling regular files (bsc#1245966). - CVE-2025-38222: ext4: inline: fix len overflow in ext4_prepare_inline_data (bsc#1245976). - CVE-2025-38236: af_unix: Disable MSG_OOB for unprivileged users (bsc#1246093). - CVE-2025-38239: scsi: megaraid_sas: Fix invalid node index (bsc#1246178). - CVE-2025-38244: smb: client: fix potential deadlock when reconnecting channels (bsc#1246183). - CVE-2025-38248: bridge: mcast: Fix use-after-free during router port configuration (bsc#1246173). - CVE-2025-38250: kABI workaround for bluetooth hci_dev changes (bsc#1246182). - CVE-2025-38264: llist: add interface to check if a node is on a list (bsc#1246387). - CVE-2025-38272: net: dsa: b53: do not enable EEE on bcm63xx (bsc#1246268). - CVE-2025-38279: selftests/bpf: Add tests with stack ptr register in conditional jmp (bsc#1246264). - CVE-2025-38283: hisi_acc_vfio_pci: bugfix live migration function without VF device driver (bsc#1246273). - CVE-2025-38303: Bluetooth: eir: Fix possible crashes on eir_create_adv_data (bsc#1246354). - CVE-2025-38310: seg6: Fix validation of nexthop addresses (bsc#1246361). - CVE-2025-38323: net: atm: add lec_mutex (bsc#1246473). - CVE-2025-38334: x86/sgx: Prevent attempts to reclaim poisoned pages (bsc#1246384). - CVE-2025-38335: Input: gpio-keys - fix a sleep while atomic with PREEMPT_RT (bsc#1246250). 
- CVE-2025-38337: jbd2: fix data-race and null-ptr-deref in jbd2_journal_dirty_metadata() (bsc#1246253). - CVE-2025-38349: eventpoll: do not decrement ep refcount while still holding the ep mutex (bsc#1246777). - CVE-2025-38350: net/sched: Always pass notifications when child class becomes empty (bsc#1246781). - CVE-2025-38352: posix-cpu-timers: fix race between handle_posix_cpu_timers() and posix_cpu_timer_del() (bsc#1246911). - CVE-2025-38364: maple_tree: fix MA_STATE_PREALLOC flag in mas_preallocate() (bsc#1247091). - CVE-2025-38365: btrfs: fix a race between renames and directory logging (bsc#1247023). - CVE-2025-38371: drm/v3d: Disable interrupts before resetting the GPU (bsc#1247178). - CVE-2025-38375: virtio-net: ensure the received length does not exceed allocated size (bsc#1247177). - CVE-2025-38382: btrfs: fix iteration of extrefs during log replay (bsc#1247031). - CVE-2025-38392: idpf: convert control queue mutex to a spinlock (bsc#1247169). - CVE-2025-38396: fs: export anon_inode_make_secure_inode() and fix secretmem LSM bypass (bsc#1247156). - CVE-2025-38399: scsi: target: Fix NULL pointer dereference in core_scsi3_decode_spec_i_port() (bsc#1247097). - CVE-2025-38403: vsock/vmci: Clear the vmci transport packet properly when initializing it (bsc#1247141). - CVE-2025-38414: wifi: ath12k: fix GCC_GCC_PCIE_HOT_RST definition for WCN7850 (bsc#1247145). - CVE-2025-38426: drm/amdgpu: Add basic validation for RAS header (bsc#1247252). - CVE-2025-38429: bus: mhi: ep: Update read pointer only after buffer is written (bsc#1247253). - CVE-2025-38455: KVM: SVM: Reject SEV{-ES} intra host migration if vCPU creation is in-flight (bsc#1247101). - CVE-2025-38457: net/sched: Abort __tc_modify_qdisc if parent class does not exist (bsc#1247098). - CVE-2025-38460: atm: clip: Fix potential null-ptr-deref in to_atmarpd() (bsc#1247143). - CVE-2025-38461: vsock: Fix transport_* TOCTOU (bsc#1247103). - CVE-2025-38462: vsock: Fix transport_{g2h,h2g} TOCTOU (bsc#1247104). 
- CVE-2025-38463: tcp: Correct signedness in skb remaining space calculation (bsc#1247113). - CVE-2025-38465: netlink: make sure we allow at least one dump skb (bsc#1247118). - CVE-2025-38470: kABI fix for net: vlan: fix VLAN 0 refcount imbalance of toggling (bsc#1247288). - CVE-2025-38471: tls: always refresh the queue when reading sock (bsc#1247450). - CVE-2025-38497: usb: gadget: configfs: Fix OOB read on empty string write (bsc#1247347). - CVE-2025-38498: do_change_type(): refuse to operate on unmounted/not ours mounts (bsc#1247374). The following non-security bugs were fixed: - ACPI: LPSS: Remove AudioDSP related ID (git-fixes). - ACPI: PRM: Reduce unnecessary printing to avoid user confusion (bsc#1246122). - ACPI: processor: perflib: Fix initial _PPC limit application (git-fixes). - ACPICA: Refuse to evaluate a method if arguments are missing (stable-fixes). - ALSA: hda/ca0132: Fix missing error handling in ca0132_alt_select_out() (git-fixes). - ALSA: hda/realtek - Add mute LED support for HP Pavilion 15-eg0xxx (stable-fixes). - ALSA: hda/realtek - Enable mute LED on HP Pavilion Laptop 15-eg100 (stable-fixes). - ALSA: hda/realtek: Add quirk for ASUS ROG Strix G712LWS (stable-fixes). - ALSA: hda/tegra: Add Tegra264 support (stable-fixes). - ALSA: hda: Add missing NVIDIA HDA codec IDs (stable-fixes). - ALSA: hda: Add new pci id for AMD GPU display HD audio controller (stable-fixes). - ALSA: hda: Ignore unsol events for cards being shut down (stable-fixes). - ALSA: intel_hdmi: Fix off-by-one error in __hdmi_lpe_audio_probe() (git-fixes). - ALSA: sb: Do not allow changing the DMA mode during operations (stable-fixes). - ALSA: sb: Force to disable DMAs once when DMA mode is changed (stable-fixes). - ASoC: amd: yc: Add DMI quirk for Lenovo IdeaPad Slim 5 15 (stable-fixes). - ASoC: amd: yc: Add quirk for MSI Bravo 17 D7VF internal mic (stable-fixes). - ASoC: amd: yc: add quirk for Acer Nitro ANV15-41 internal mic (stable-fixes). 
- ASoC: amd: yc: update quirk data for HP Victus (stable-fixes). - ASoC: codec: wcd9335: Convert to GPIO descriptors (stable-fixes). - ASoC: codecs: wcd9335: Fix missing free of regulator supplies (git-fixes). - ASoC: codecs: wcd9335: Handle nicer probe deferral and simplify with dev_err_probe() (stable-fixes). - ASoC: cs35l56: probe() should fail if the device ID is not recognized (git-fixes). - ASoC: fsl_asrc: use internal measured ratio for non-ideal ratio mode (git-fixes). - ASoC: fsl_xcvr: get channel status data when PHY is not exists (git-fixes). - ASoC: ops: dynamically allocate struct snd_ctl_elem_value (git-fixes). - ASoC: soc-dai: tidyup return value of snd_soc_xlate_tdm_slot_mask() (git-fixes). - Bluetooth: Fix null-ptr-deref in l2cap_sock_resume_cb() (git-fixes). - Bluetooth: L2CAP: Fix L2CAP MTU negotiation (stable-fixes). - Bluetooth: L2CAP: Fix attempting to adjust outgoing MTU (git-fixes). - Bluetooth: MGMT: Fix not generating command complete for MGMT_OP_DISCONNECT (git-fixes). - Bluetooth: MGMT: mesh_send: check instances prior disabling advertising (git-fixes). - Bluetooth: MGMT: set_mesh: update LE scan interval and window (git-fixes). - Bluetooth: Prevent unintended pause by checking if advertising is active (git-fixes). - Bluetooth: SMP: Fix using HCI_ERROR_REMOTE_USER_TERM on timeout (git-fixes). - Bluetooth: SMP: If an unallowed command is received consider it a failure (git-fixes). - Bluetooth: btusb: QCA: Fix downloading wrong NVM for WCN6855 GF variant without board ID (git-fixes). - Bluetooth: hci_conn: Fix sending BT_HCI_CMD_LE_CREATE_CONN_CANCEL (git-fixes). - Bluetooth: hci_event: Fix not marking Broadcast Sink BIS as connected (git-fixes). - Bluetooth: hci_event: Mask data status from LE ext adv reports (git-fixes). - Bluetooth: hci_sync: Attempt to dequeue connection attempt (git-fixes). - Bluetooth: hci_sync: Fix UAF on create_le_conn_complete (git-fixes). 
- Bluetooth: hci_sync: Fix handling of HCI_OP_CREATE_CONN_CANCEL (git-fixes). - Bluetooth: hci_sync: Fix not disabling advertising instance (git-fixes). - Bluetooth: hci_sync: fix connectable extended advertising when using static random address (git-fixes). - Bluetooth: hci_sync: revert some mesh modifications (git-fixes). - Docs/ABI: Fix sysfs-kernel-address_bits path (git-fixes). - Documentation: ACPI: Fix parent device references (git-fixes). - Documentation: usb: gadget: Wrap remaining usage snippets in literal code block (git-fixes). - Fix dma_unmap_sg() nents value (git-fixes) - HID: Add IGNORE quirk for SMARTLINKTECHNOLOGY (stable-fixes). - HID: core: do not bypass hid_hw_raw_request (stable-fixes). - HID: core: ensure __hid_request reserves the report ID as the first byte (git-fixes). - HID: core: ensure the allocated report buffer can contain the reserved report ID (stable-fixes). - HID: lenovo: Add support for ThinkPad X1 Tablet Thin Keyboard Gen2 (stable-fixes). - HID: quirks: Add quirk for 2 Chicony Electronics HP 5MP Cameras (stable-fixes). - IB/mlx5: Fix potential deadlock in MR deregistration (git-fixes) - Input: iqs7222 - explicitly define number of external channels (git-fixes). - Input: xpad - adjust error handling for disconnect (git-fixes). - Input: xpad - set correct controller type for Acer NGR200 (git-fixes). - Input: xpad - support Acer NGR 200 Controller (stable-fixes). - Logitech C-270 even more broken (stable-fixes). - Move upstreamed SCSI and ACPI patches into sorted section - NFS: Fix filehandle bounds checking in nfs_fh_to_dentry() (git-fixes). - NFS: Fix the setting of capabilities when automounting a new filesystem (git-fixes). - NFS: Fix wakeup of __nfs_lookup_revalidate() in unblock_revalidate() (git-fixes). - NFS: Fixup allocation flags for nfsiod's __GFP_NORETRY (git-fixes). - NFSD: detect mismatch of file handle and delegation stateid in OPEN op (git-fixes). - NFSv4.2: another fix for listxattr (git-fixes). 
- NFSv4.2: fix listxattr to return selinux security label (git-fixes). - NFSv4/pNFS: Fix a race to wake on NFS_LAYOUT_DRAIN (git-fixes). - NFSv4: Always set NLINK even if the server does not support it (git-fixes). - NFSv4: xattr handlers should check for absent nfs filehandles (git-fixes). - PCI/MSI: Export pci_msix_prepare_desc() for dynamic MSI-X allocations (bsc#1245457). - PCI: dwc: Make link training more robust by setting PORT_LOGIC_LINK_WIDTH to one lane (stable-fixes). - PCI: endpoint: Fix configfs group list head handling (git-fixes). - PCI: endpoint: Fix configfs group removal on driver teardown (git-fixes). - PCI: endpoint: pci-epf-vntb: Fix the incorrect usage of __iomem attribute (git-fixes). - PCI: endpoint: pci-epf-vntb: Return -ENOENT if pci_epc_get_next_free_bar() fails (git-fixes). - PCI: hv: Allow dynamic MSI-X vector allocation (bsc#1245457). - PCI: rockchip-host: Fix 'Unexpected Completion' log message (git-fixes). - PM / devfreq: Check governor before using governor->name (git-fixes). 
- RDMA/core: Rate limit GID cache warning messages (git-fixes) - RDMA/counter: Check CAP_NET_RAW check in user namespace for RDMA counters (git-fixes) - RDMA/hns: Drop GFP_NOWARN (git-fixes) - RDMA/hns: Fix -Wframe-larger-than issue (git-fixes) - RDMA/hns: Fix HW configurations not cleared in error flow (git-fixes) - RDMA/hns: Fix accessing uninitialized resources (git-fixes) - RDMA/hns: Fix double destruction of rsv_qp (git-fixes) - RDMA/hns: Get message length of ack_req from FW (git-fixes) - RDMA/mlx5: Check CAP_NET_RAW in user namespace for anchor create (git-fixes) - RDMA/mlx5: Check CAP_NET_RAW in user namespace for devx create (git-fixes) - RDMA/mlx5: Check CAP_NET_RAW in user namespace for flow create (git-fixes) - RDMA/mlx5: Fix CC counters query for MPV (git-fixes) - RDMA/mlx5: Fix HW counters query for non-representor devices (git-fixes) - RDMA/mlx5: Fix compilation warning when USER_ACCESS isn't set (git-fixes) - RDMA/mlx5: Fix vport loopback for MPV device (git-fixes) - RDMA/mlx5: Initialize obj_event->obj_sub_list before xa_insert (git-fixes) - RDMA/nldev: Check CAP_NET_RAW in user namespace for QP modify (git-fixes) - RDMA/siw: Fix the sendmsg byte count in siw_tcp_sendpages (git-fixes) - RDMA/uverbs: Add empty rdma_uattrs_has_raw_cap() declaration (git-fixes) - RDMA/uverbs: Check CAP_NET_RAW in user namespace for QP create (git-fixes) - RDMA/uverbs: Check CAP_NET_RAW in user namespace for RAW QP create (git-fixes) - RDMA/uverbs: Check CAP_NET_RAW in user namespace for flow create (git-fixes) - Reapply 'wifi: mac80211: Update skb's control block key in ieee80211_tx_dequeue()' (git-fixes). - Revert 'ACPI: battery: negate current when discharging' (stable-fixes). - Revert 'cgroup_freezer: cgroup_freezing: Check if not frozen' (bsc#1219338). - Revert 'drm/i915/gem: Allow EXEC_CAPTURE on recoverable contexts on DG1' (stable-fixes). - Revert 'mmc: sdhci: Disable SD card clock before changing parameters' (git-fixes). 
- Revert 'usb: xhci: Implement xhci_handshake_check_state() helper' (git-fixes).
- Revert 'vgacon: Add check for vc_origin address range in vgacon_scroll()' (stable-fixes).
- SMB3: rename macro CIFS_SERVER_IS_CHAN to avoid confusion (git-fixes).
- USB: serial: ftdi_sio: add support for NDI EMGUIDE GEMINI (stable-fixes).
- USB: serial: option: add Foxconn T99W640 (stable-fixes).
- USB: serial: option: add Telit Cinterion FE910C04 (ECM) composition (stable-fixes).
- [SMB3] send channel sequence number in SMB3 requests after reconnects (git-fixes).
- af_packet: fix the SO_SNDTIMEO constraint not effective on tpacked_snd() (git-fixes).
- af_unix: Add a prompt to CONFIG_AF_UNIX_OOB (bsc#1246093).
- amd/amdkfd: fix a kfd_process ref leak (stable-fixes).
- aoe: clean device rq_list in aoedev_downdev() (git-fixes).
- apple-mfi-fastcharge: protect first device name (git-fixes).
- ata: pata_cs5536: fix build on 32-bit UML (stable-fixes).
- audit,module: restore audit logging in load failure case (git-fixes).
- bpf, sockmap: Fix sk_msg_reset_curr (git-fixes).
- bpf/lpm_trie: Inline longest_prefix_match for fastpath (git-fixes).
- bpf/selftests: Check errno when percpu map value size exceeds (git-fixes).
- bpf: Add a possibly-zero-sized read test (git-fixes).
- bpf: Avoid __hidden__ attribute in static object (git-fixes).
- bpf: Check percpu map value size first (git-fixes).
- bpf: Disable some `attribute ignored' warnings in GCC (git-fixes).
- bpf: Fix memory leak in bpf_core_apply (git-fixes).
- bpf: Fix potential integer overflow in resolve_btfids (git-fixes).
- bpf: Harden __bpf_kfunc tag against linker kfunc removal (git-fixes).
- bpf: Make the pointer returned by iter next method valid (git-fixes).
- bpf: Simplify checking size of helper accesses (git-fixes).
- bpf: fix order of args in call to bpf_map_kvcalloc (git-fixes).
- bpf: sockmap, updating the sg structure should also update curr (git-fixes).
- bpftool: Fix missing pids during link show (git-fixes).
- bpftool: Fix undefined behavior caused by shifting into the sign bit (git-fixes).
- bpftool: Mount bpffs on provided dir instead of parent dir (git-fixes).
- bpftool: Remove unnecessary source files from bootstrap version (git-fixes).
- bpftool: Un-const bpf_func_info to fix it for llvm 17 and newer (git-fixes).
- btrfs: do not ignore inode missing when replaying log tree (git-fixes).
- btrfs: do not silently ignore unexpected extent type when replaying log (git-fixes).
- btrfs: do not skip remaining extrefs if dir not found during log replay (git-fixes).
- btrfs: explicitly ref count block_group on new_bgs list (bsc#1243068)
- btrfs: fix assertion when building free space tree (git-fixes).
- btrfs: fix inode lookup error handling during log replay (git-fixes).
- btrfs: fix invalid inode pointer dereferences during log replay (git-fixes).
- btrfs: fix log tree replay failure due to file with 0 links and extents (git-fixes).
- btrfs: fix missing error handling when searching for inode refs during log replay (git-fixes).
- btrfs: fix non-empty delayed iputs list on unmount due to async workers (git-fixes).
- btrfs: fix ssd_spread overallocation (git-fixes).
- btrfs: make btrfs_discard_workfn() block_group ref explicit (bsc#1243068)
- btrfs: propagate last_unlink_trans earlier when doing a rmdir (git-fixes).
- btrfs: rename err to ret in btrfs_rmdir() (git-fixes).
- btrfs: return a btrfs_inode from btrfs_iget_logging() (git-fixes).
- btrfs: return a btrfs_inode from read_one_inode() (git-fixes).
- btrfs: tests: fix chunk map leak after failure to add it to the tree (git-fixes).
- btrfs: update superblock's device bytes_used when dropping chunk (git-fixes).
- btrfs: use NOFS context when getting inodes during logging and log replay (git-fixes).
- btrfs: use btrfs_record_snapshot_destroy() during rmdir (git-fixes).
- bus: fsl-mc: Fix potential double device reference in fsl_mc_get_endpoint() (git-fixes).
- bus: mhi: host: Detect events pointing to unexpected TREs (git-fixes).
- can: dev: can_restart(): move debug message and stats after successful restart (stable-fixes).
- can: dev: can_restart(): reverse logic to remove need for goto (stable-fixes).
- can: kvaser_pciefd: Store device channel index (git-fixes).
- can: kvaser_usb: Assign netdev.dev_port based on device channel index (git-fixes).
- can: m_can: m_can_handle_lost_msg(): downgrade msg lost in rx message to debug level (git-fixes).
- can: netlink: can_changelink(): fix NULL pointer deref of struct can_priv::do_set_mode (git-fixes).
- can: peak_usb: fix USB FD devices potential malfunction (git-fixes).
- cdc-acm: fix race between initial clearing halt and open (git-fixes).
- cgroup,freezer: fix incomplete freezing when attaching tasks (bsc#1245789).
- cgroup/cpuset: Extend kthread_is_per_cpu() check to all PF_NO_SETAFFINITY tasks (bsc#1241166).
- cifs: reconnect helper should set reconnect for the right channel (git-fixes).
- clk: clk-axi-clkgen: fix fpfd_max frequency for zynq (git-fixes).
- clk: davinci: Add NULL check in davinci_lpsc_clk_register() (git-fixes).
- clk: sunxi-ng: v3s: Fix de clock definition (git-fixes).
- clk: xilinx: vcu: unregister pll_post only if registered correctly (git-fixes).
- clocksource: Scale the watchdog read retries automatically (bsc#1241345 bsc#1244457).
- clocksource: Set cs_watchdog_read() checks based on .uncertainty_margin (bsc#1241345 bsc#1244457).
- comedi: Fail COMEDI_INSNLIST ioctl if n_insns is too large (git-fixes).
- comedi: Fix initialization of data for instructions that write to subdevice (git-fixes).
- comedi: Fix some signed shift left operations (git-fixes).
- comedi: Fix use of uninitialized data in insn_rw_emulate_bits() (git-fixes).
- comedi: aio_iiro_16: Fix bit shift out of bounds (git-fixes).
- comedi: das16m1: Fix bit shift out of bounds (git-fixes).
- comedi: das6402: Fix bit shift out of bounds (git-fixes).
- comedi: pcl812: Fix bit shift out of bounds (git-fixes).
- compiler_types.h: Define __retain for __attribute__((__retain__)) (git-fixes).
- config: enable RBD (jsc#PED-13238)
- crypto: arm/aes-neonbs - work around gcc-15 warning (git-fixes).
- crypto: ccp - Fix crash when rebind ccp device for ccp.ko (git-fixes).
- crypto: ccp - Fix locking on alloc failure handling (git-fixes).
- crypto: img-hash - Fix dma_unmap_sg() nents value (git-fixes).
- crypto: inside-secure - Fix `dma_unmap_sg()` nents value (git-fixes).
- crypto: keembay - Fix dma_unmap_sg() nents value (git-fixes).
- crypto: marvell/cesa - Fix engine load inaccuracy (git-fixes).
- crypto: qat - allow enabling VFs in the absence of IOMMU (git-fixes).
- crypto: qat - disable ZUC-256 capability for QAT GEN5 (git-fixes).
- crypto: qat - fix DMA direction for compression on GEN2 devices (git-fixes).
- crypto: qat - fix seq_file position update in adf_ring_next() (git-fixes).
- crypto: qat - fix state restore for banks with exceptions (git-fixes).
- crypto: qat - flush misc workqueue during device shutdown (git-fixes).
- crypto: qat - use unmanaged allocation for dc_data (git-fixes).
- crypto: sun8i-ce - fix nents passed to dma_unmap_sg() (git-fixes).
- dm-bufio: fix sched in atomic context (git-fixes).
- dm-flakey: error all IOs when num_features is absent (git-fixes).
- dm-flakey: make corrupting read bios work (git-fixes).
- dm-mirror: fix a tiny race condition (git-fixes).
- dm-raid: fix variable in journal device check (git-fixes).
- dm-verity: fix a memory leak if some arguments are specified multiple times (git-fixes).
- dm: do not change md if dm_table_set_restrictions() fails (git-fixes).
- dm: free table mempools if not used in __bind (git-fixes).
- dm: restrict dm device size to 2^63-512 bytes (git-fixes).
- dma-buf: fix timeout handling in dma_resv_wait_timeout v2 (stable-fixes).
- dmaengine: dw-edma: Drop unused dchan2dev() and chan2dev() (git-fixes).
- dmaengine: idxd: Check availability of workqueue allocated by idxd wq driver before using (stable-fixes).
- dmaengine: mv_xor: Fix missing check after DMA map and missing unmap (git-fixes).
- dmaengine: nbpfaxi: Add missing check after DMA map (git-fixes).
- dmaengine: nbpfaxi: Fix memory corruption in probe() (git-fixes).
- dmaengine: qcom: gpi: Drop unused gpi_write_reg_field() (git-fixes).
- dmaengine: xilinx_dma: Set dma_device directions (stable-fixes).
- drm/amd/display: Do not overwrite dce60_clk_mgr (git-fixes).
- drm/amd/pm/powerplay/hwmgr/smu_helper: fix order of mask and value (git-fixes).
- drm/amdgpu/gfx8: reset compute ring wptr on the GPU on resume (git-fixes).
- drm/amdgpu: amdgpu_vram_mgr_new(): Clamp lpfn to total vram (stable-fixes).
- drm/amdkfd: Fix race in GWS queue scheduling (stable-fixes).
- drm/bridge: panel: move prepare_prev_first handling to drm_panel_bridge_add_typed (git-fixes).
- drm/bridge: ti-sn65dsi86: Add HPD for DisplayPort connector type (git-fixes).
- drm/bridge: ti-sn65dsi86: Remove extra semicolon in ti_sn_bridge_probe() (git-fixes).
- drm/bridge: ti-sn65dsi86: make use of debugfs_init callback (stable-fixes).
- drm/exynos: exynos7_drm_decon: add vblank check in IRQ handling (git-fixes).
- drm/exynos: fimd: Guard display clock control with runtime PM calls (git-fixes).
- drm/framebuffer: Acquire internal references on GEM handles (git-fixes).
- drm/gem: Acquire references on GEM handles for framebuffers (stable-fixes).
- drm/gem: Fix race in drm_gem_handle_create_tail() (stable-fixes).
- drm/i915/gsc: mei interrupt top half should be in irq disabled context (git-fixes).
- drm/i915/gt: Fix timeline left held on VMA alloc error (git-fixes).
- drm/i915/selftests: Change mock_request() to return error pointers (git-fixes).
- drm/msm/dpu: Fill in min_prefill_lines for SC8180X (git-fixes).
- drm/msm: Fix a fence leak in submit error path (stable-fixes).
- drm/msm: Fix another leak in the submit error path (stable-fixes).
- drm/panfrost: Fix panfrost device variable name in devfreq (git-fixes).
- drm/rockchip: cleanup fb when drm_gem_fb_afbc_init failed (git-fixes).
- drm/sched: Increment job count before swapping tail spsc queue (git-fixes).
- drm/sched: Remove optimization that causes hang when killing dependent jobs (git-fixes).
- drm/scheduler: signal scheduled fence when kill job (stable-fixes).
- drm/tegra: nvdec: Fix dma_alloc_coherent error check (git-fixes).
- drm/ttm: fix error handling in ttm_buffer_object_transfer (git-fixes).
- drm/vmwgfx: Fix Host-Backed userspace on Guest-Backed kernel (git-fixes).
- exfat: fdatasync flag should be same like generic_write_sync() (git-fixes).
- fbcon: Fix outdated registered_fb reference in comment (git-fixes).
- fbdev: imxfb: Check fb_add_videomode to prevent null-ptr-deref (git-fixes).
- firewire: ohci: correct code comments about bus_reset tasklet (git-fixes).
- fs/jfs: consolidate sanity checking in dbMount (git-fixes).
- fs/orangefs: Allow 2 more characters in do_c_string() (git-fixes).
- gpio: mlxbf2: use platform_get_irq_optional() (git-fixes).
- gpio: pca953x: log an error when failing to get the reset GPIO (git-fixes).
- gpio: sim: include a missing header (git-fixes).
- gpio: vf610: add locking to gpio direction functions (git-fixes).
- gpio: virtio: Fix config space reading (git-fixes).
- gpiolib: Fix debug messaging in gpiod_find_and_request() (git-fixes).
- gpiolib: Handle no pin_ranges in gpiochip_generic_config() (git-fixes).
- gpiolib: acpi: Do not use GPIO chip fwnode in acpi_gpiochip_find() (bsc#1233300).
- gpiolib: acpi: Fix failed in acpi_gpiochip_find() by adding parent node match (bsc#1233300).
- gpiolib: cdev: Ignore reconfiguration without direction (git-fixes).
- gpiolib: of: Add polarity quirk for s5m8767 (stable-fixes).
- hfs: make splice write available again (git-fixes).
- hfsplus: make splice write available again (git-fixes).
- hfsplus: remove mutex_lock check in hfsplus_free_extents (git-fixes).
- hv_netvsc: Use VF's tso_max_size value when data path is VF (bsc#1246203).
- hwmon: (corsair-cpro) Validate the size of the received input buffer (git-fixes).
- hwmon: (gsc-hwmon) fix fan pwm setpoint show functions (git-fixes).
- hwmon: (pmbus/max34440) Fix support for max34451 (stable-fixes).
- hwrng: mtk - handle devm_pm_runtime_enable errors (git-fixes).
- i2c/designware: Fix an initialization issue (git-fixes).
- i2c: qup: jump out of the loop in case of timeout (git-fixes).
- i2c: stm32: fix the device used for the DMA map (git-fixes).
- i2c: tegra: Fix reset error handling with ACPI (git-fixes).
- i2c: virtio: Avoid hang by using interruptible completion wait (git-fixes).
- i3c: fix module_i3c_i2c_driver() with I3C=n (git-fixes).
- iio: accel: fxls8962af: Fix use after free in fxls8962af_fifo_flush (git-fixes).
- iio: adc: ad7949: use spi_is_bpw_supported() (git-fixes).
- iio: adc: ad_sigma_delta: Fix use of uninitialized status_pos (stable-fixes).
- iio: adc: ad_sigma_delta: change to buffer predisable (git-fixes).
- iio: adc: max1363: Fix MAX1363_4X_CHANS/MAX1363_8X_CHANS[] (stable-fixes).
- iio: adc: max1363: Reorder mode_list[] entries (stable-fixes).
- iio: adc: stm32-adc: Fix race in installing chained IRQ handler (git-fixes).
- iio: imu: bno055: fix OOB access of hw_xlate array (git-fixes).
- iio: pressure: zpa2326: Use aligned_s64 for the timestamp (stable-fixes).
- iommu/amd: Fix geometry.aperture_end for V2 tables (git-fixes).
- iommu/amd: Set the pgsize_bitmap correctly (git-fixes).
- iommu/arm-smmu-qcom: Add SM6115 MDSS compatible (git-fixes).
- iommu/vt-d: Fix possible circular locking dependency (git-fixes).
- iommu/vt-d: Fix system hang on reboot -f (git-fixes).
- ipv6: fix possible infinite loop in fib6_info_uses_dev() (git-fixes).
- ipv6: mcast: Delay put pmc->idev in mld_del_delrec() (git-fixes).
- ipv6: prevent infinite loop in rt6_nlmsg_size() (git-fixes).
- ipv6: reject malicious packets in ipv6_gso_segment() (git-fixes).
- iwlwifi: Add missing check for alloc_ordered_workqueue (git-fixes).
- jfs: fix metapage reference count leak in dbAllocCtl (git-fixes).
- kABI workaround for struct drm_framebuffer changes (git-fixes).
- kABI: Fix the module::name type in audit_context (git-fixes).
- kasan: remove kasan_find_vm_area() to prevent possible deadlock (git-fixes).
- kernel-syms.spec: Drop old rpm release number hack (bsc#1247172).
- leds: multicolor: Fix intensity setting while SW blinking (stable-fixes).
- lib/group_cpus.c: avoid acquiring cpu hotplug lock in group_cpus_evenly (bsc#1236897).
- lib/group_cpus: fix NULL pointer dereference from group_cpus_evenly() (bsc#1236897).
- maple_tree: fix mt_destroy_walk() on root leaf node (git-fixes).
- md/md-bitmap: fix dm-raid max_write_behind setting (git-fixes).
- media: gspca: Add bounds checking to firmware parser (git-fixes).
- media: hi556: correct the test pattern configuration (git-fixes).
- media: imx: fix a potential memory leak in imx_media_csc_scaler_device_init() (git-fixes).
- media: ov2659: Fix memory leaks in ov2659_probe() (git-fixes).
- media: rainshadow-cec: fix TOCTOU race condition in rain_interrupt() (git-fixes).
- media: usbtv: Lock resolution while streaming (git-fixes).
- media: uvcvideo: Do not mark valid metadata as invalid (git-fixes).
- media: uvcvideo: Fix 1-byte out-of-bounds read in uvc_parse_format() (git-fixes).
- media: v4l2-ctrls: Do not reset handler's error in v4l2_ctrl_handler_free() (git-fixes).
- media: v4l2-ctrls: Fix H264 SEPARATE_COLOUR_PLANE check (git-fixes).
- media: venus: Add a check for packet size after reading from shared memory (git-fixes).
- media: venus: hfi: explicitly release IRQ during teardown (git-fixes).
- media: venus: protect against spurious interrupts during probe (git-fixes).
- media: venus: vdec: Clamp param smaller than 1fps and bigger than 240 (git-fixes).
- media: venus: venc: Clamp param smaller than 1fps and bigger than 240 (git-fixes).
- media: vivid: fix wrong pixel_array control size (git-fixes).
- memstick: core: Zero initialize id_reg in h_memstick_read_dev_id() (git-fixes).
- mfd: max14577: Fix wakeup source leaks on device unbind (stable-fixes).
- misc: rtsx: usb: Ensure mmc child device is active when card is present (git-fixes).
- mmc: bcm2835: Fix dma_unmap_sg() nents value (git-fixes).
- mmc: core: sd: Apply BROKEN_SD_DISCARD quirk earlier (git-fixes).
- mmc: sdhci-pci: Quirk for broken command queuing on Intel GLK-based Positivo models (git-fixes).
- mmc: sdhci: Add a helper function for dump register in dynamic debug mode (stable-fixes).
- mmc: sdhci_am654: Workaround for Errata i2312 (git-fixes).
- module: Fix memory deallocation on error path in move_module() (git-fixes).
- module: Remove unnecessary +1 from last_unloaded_module::name size (git-fixes).
- module: Restore the moduleparam prefix length check (git-fixes).
- mtd: fix possible integer overflow in erase_xfer() (git-fixes).
- mtd: rawnand: atmel: Fix dma_mapping_error() address (git-fixes).
- mtd: rawnand: atmel: set pmecc data setup time (git-fixes).
- mtd: rawnand: fsmc: Add missing check after DMA map (git-fixes).
- mtd: rawnand: renesas: Add missing check after DMA map (git-fixes).
- mtd: rawnand: rockchip: Add missing check after DMA map (git-fixes).
- mtd: spi-nor: Fix spi_nor_try_unlock_all() (git-fixes).
- mtd: spinand: fix memory leak of ECC engine conf (stable-fixes).
- mtd: spinand: propagate spinand_wait() errors from spinand_write_page() (git-fixes).
- mtk-sd: Fix a pagefault in dma_unmap_sg() for not prepared data (git-fixes).
- mtk-sd: Prevent memory corruption from DMA map failure (git-fixes).
- mtk-sd: reset host->mrq on prepare_data() error (git-fixes).
- mwl8k: Add missing check after DMA map (git-fixes).
- nbd: fix uaf in nbd_genl_connect() error path (git-fixes).
- net/packet: fix a race in packet_set_ring() and packet_notifier() (git-fixes).
- net/sched: Restrict conditions for adding duplicating netems to qdisc tree (git-fixes).
- net/sched: Return NULL when htb_lookup_leaf encounters an empty rbtree (git-fixes).
- net/sched: mqprio: fix stack out-of-bounds write in tc entry parsing (git-fixes).
- net/sched: sch_qfq: Avoid triggering might_sleep in atomic context in qfq_delete_class (git-fixes).
- net/sched: sch_qfq: Fix race condition on qfq_aggregate (git-fixes).
- net/sched: taprio: enforce minimum value for picos_per_byte (git-fixes).
- net: mana: Add debug logs in MANA network driver (bsc#1246212).
- net: mana: Add handler for hardware servicing events (bsc#1245730).
- net: mana: Allocate MSI-X vectors dynamically (bsc#1245457).
- net: mana: Allow irq_setup() to skip cpus for affinity (bsc#1245457).
- net: mana: Allow tso_max_size to go up-to GSO_MAX_SIZE (bsc#1246203).
- net: mana: Expose additional hardware counters for drop and TC via ethtool (bsc#1245729).
- net: mana: Set tx_packets to post gso processing packet count (bsc#1245731).
- net: mana: explain irq_setup() algorithm (bsc#1245457).
- net: phy: Do not register LEDs for genphy (git-fixes).
- net: phy: micrel: fix KSZ8081/KSZ8091 cable test (git-fixes).
- net: phy: microchip: limit 100M workaround to link-down events on LAN88xx (git-fixes).
- net: phy: smsc: Fix Auto-MDIX configuration when disabled by strap (git-fixes).
- net: phy: smsc: Fix link failure in forced mode with Auto-MDIX (git-fixes).
- net: usb: lan78xx: fix WARN in __netif_napi_del_locked on disconnect (git-fixes).
- net: usb: qmi_wwan: add SIMCom 8230C composition (stable-fixes).
- net: usbnet: Avoid potential RCU stall on LINK_CHANGE event (git-fixes).
- net: usbnet: Fix the wrong netif_carrier_on() call (git-fixes).
- netpoll: prevent hanging NAPI when netcons gets enabled (git-fixes).
- nfs: Clean up /proc/net/rpc/nfs when nfs_fs_proc_net_init() fails (git-fixes).
- nfsd: handle get_client_locked() failure in nfsd4_setclientid_confirm() (git-fixes).
- nilfs2: reject invalid file types when reading inodes (git-fixes).
- nvme-pci: refresh visible attrs after being checked (git-fixes).
- nvme: Fix incorrect cdw15 value in passthru error logging (git-fixes).
- nvme: fix endianness of command word prints in nvme_log_err_passthru() (git-fixes).
- nvme: fix inconsistent RCU list manipulation in nvme_ns_add_to_ctrl_list() (git-fixes).
- nvme: fix misaccounting of nvme-mpath inflight I/O (git-fixes).
- nvmet-tcp: fix callback lock for TLS handshake (git-fixes).
- objtool: Fix INSN_CONTEXT_SWITCH handling in validate_unret() (git-fixes).
- objtool: Fix UNWIND_HINT_{SAVE,RESTORE} across basic blocks (git-fixes).
- objtool: Fix _THIS_IP_ detection for cold functions (git-fixes).
- objtool: Fix error handling inconsistencies in check() (git-fixes).
- objtool: Ignore dangling jump table entries (git-fixes).
- objtool: Ignore end-of-section jumps for KCOV/GCOV (git-fixes).
- objtool: Properly disable uaccess validation (git-fixes).
- objtool: Silence more KCOV warnings (git-fixes).
- objtool: Silence more KCOV warnings, part 2 (git-fixes).
- objtool: Stop UNRET validation on UD2 (git-fixes).
- pNFS/flexfiles: do not attempt pnfs on fatal DS errors (git-fixes).
- pch_uart: Fix dma_sync_sg_for_device() nents value (git-fixes).
- perf: Fix sample vs do_exit() (bsc#1246547).
- phy: tegra: xusb: Fix unbalanced regulator disable in UTMI PHY mode (git-fixes).
- pinctrl: amd: Clear GPIO debounce for suspend (git-fixes).
- pinctrl: qcom: msm: mark certain pins as invalid for interrupts (git-fixes).
- pinctrl: sunxi: Fix memory leak on krealloc failure (git-fixes).
- pinmux: fix race causing mux_owner NULL with active mux_usecount (git-fixes).
- platform/chrome: cros_ec: Unregister notifier in cros_ec_unregister() (git-fixes).
- platform/mellanox: mlxbf-pmc: Fix duplicate event ID for CACHE_DATA1 (git-fixes).
- platform/mellanox: mlxbf-tmfifo: fix vring_desc.len assignment (git-fixes).
- platform/mellanox: mlxreg-lc: Fix logic error in power state check (git-fixes).
- platform/mellanox: nvsw-sn2201: Fix bus number in adapter error message (git-fixes).
- platform/x86/amd/pmc: Add PCSpecialist Lafite Pro V 14M to 8042 quirks list (stable-fixes).
- platform/x86: dell-wmi-sysman: Fix WMI data block retrieval in sysfs callbacks (git-fixes).
- platform/x86: ideapad-laptop: Fix kbd backlight not remembered among boots (git-fixes).
- platform/x86: think-lmi: Create ksets consecutively (stable-fixes).
- platform/x86: think-lmi: Fix kobject cleanup (git-fixes).
- platform/x86: think-lmi: Fix sysfs group cleanup (git-fixes).
- power: supply: cpcap-charger: Fix null check for power_supply_get_by_name (git-fixes).
- power: supply: max14577: Handle NULL pdata when CONFIG_OF is not set (git-fixes).
- powercap: call put_device() on an error path in powercap_register_control_type() (stable-fixes).
- powercap: dtpm_cpu: Fix NULL pointer dereference in get_pd_power_uw() (git-fixes).
- powercap: intel_rapl: Do not change CLAMPING bit if ENABLE bit cannot be changed (git-fixes).
- powerpc/bpf: enforce full ordering for ATOMIC operations with BPF_FETCH (git-fixes).
- ptp: fix breakage after ptp_vclock_in_use() rework (bsc#1246506).
- pwm: imx-tpm: Reset counter if CMOD is 0 (git-fixes).
- pwm: mediatek: Ensure to disable clocks in error path (git-fixes).
- regmap: fix potential memory leak of regmap_bus (git-fixes).
- regulator: fan53555: add enable_time support and soft-start times (stable-fixes).
- regulator: gpio: Fix the out-of-bounds access to drvdata::gpiods (git-fixes).
- regulator: pwm-regulator: Calculate the output voltage for disabled PWMs (stable-fixes).
- resource: fix false warning in __request_region() (git-fixes).
- restore UCSI_CONNECTOR_RESET_HARD definition (git-fixes).
- ring-buffer: Do not allow events in NMI with generic atomic64 cmpxchg() (git-fixes).
- rose: fix dangling neighbour pointers in rose_rt_device_down() (git-fixes).
- rpl: Fix use-after-free in rpl_do_srh_inline() (git-fixes).
- rpm/mkspec: Fix missing kernel-syms-rt creation (bsc#1244337)
- rtc: ds1307: fix incorrect maximum clock rate handling (git-fixes).
- rtc: hym8563: fix incorrect maximum clock rate handling (git-fixes).
- rtc: nct3018y: fix incorrect maximum clock rate handling (git-fixes).
- rtc: pcf85063: fix incorrect maximum clock rate handling (git-fixes).
- rtc: pcf8563: fix incorrect maximum clock rate handling (git-fixes).
- rtc: rv3028: fix incorrect maximum clock rate handling (git-fixes).
- s390/bpf: Fix bpf_arch_text_poke() with new_addr == NULL again (git-fixes bsc#1246870).
- s390/entry: Fix last breaking event handling in case of stack corruption (git-fixes bsc#1243806).
- s390/pci: Do not try re-enabling load/store if device is disabled (git-fixes bsc#1245646).
- s390/pci: Fix stale function handles in error handling (git-fixes bsc#1245647).
- s390/pkey: Prevent overflow in size calculation for memdup_user() (git-fixes bsc#1245598).
- s390: Add z17 elf platform (LTC#214086 bsc#1245540).
- samples: mei: Fix building on musl libc (git-fixes).
- sched,freezer: Remove unnecessary warning in __thaw_task (bsc#1219338).
- sched: Add test_and_clear_wake_up_bit() and atomic_dec_and_wake_up() (git-fixes).
- scsi: core: Enforce unlimited max_segment_size when virt_boundary_mask is set (git-fixes).
- scsi: lpfc: Check for hdwq null ptr when cleaning up lpfc_vport structure (bsc#1245260 bsc#1243100 bsc#1246125).
- scsi: lpfc: Copyright updates for 14.4.0.10 patches (bsc#1245260 bsc#1243100 bsc#1246125).
- scsi: lpfc: Early return out of FDMI cmpl for locally rejected statuses (bsc#1245260 bsc#1243100 bsc#1246125).
- scsi: lpfc: Ensure HBA_SETUP flag is used only for SLI4 in dev_loss_tmo_callbk (bsc#1245260 bsc#1243100 bsc#1246125).
- scsi: lpfc: Modify end-of-life adapters' model descriptions (bsc#1245260 bsc#1243100 bsc#1246125 bsc#1204142).
- scsi: lpfc: Move clearing of HBA_SETUP flag to before lpfc_sli4_queue_unset (bsc#1245260 bsc#1243100 bsc#1246125).
- scsi: lpfc: Relocate clearing initial phba flags from link up to link down hdlr (bsc#1245260 bsc#1243100 bsc#1246125).
- scsi: lpfc: Revise CQ_CREATE_SET mailbox bitfield definitions (bsc#1245260 bsc#1243100 bsc#1246125).
- scsi: lpfc: Revise logging format for failed CT MIB requests (bsc#1245260 bsc#1243100 bsc#1246125).
- scsi: lpfc: Simplify error handling for failed lpfc_get_sli4_parameters cmd (bsc#1245260 bsc#1243100 bsc#1246125).
- scsi: lpfc: Skip RSCN processing when FC_UNLOADING flag is set (bsc#1245260 bsc#1243100 bsc#1246125).
- scsi: lpfc: Update debugfs trace ring initialization messages (bsc#1245260 bsc#1243100 bsc#1246125).
- scsi: lpfc: Update lpfc version to 14.4.0.10 (bsc#1245260 bsc#1243100 bsc#1246125).
- scsi: megaraid_sas: Fix invalid node index (git-fixes).
- scsi: qla2xxx: Fix DMA mapping test in qla24xx_get_port_database() (git-fixes).
- scsi: qla4xxx: Fix missing DMA mapping error in qla4xxx_alloc_pdu() (git-fixes).
- scsi: s390: zfcp: Ensure synchronous unit_add (git-fixes bsc#1245599).
- selftests/bpf: Add CFLAGS per source file and runner (git-fixes).
- selftests/bpf: Add tests for iter next method returning valid pointer (git-fixes).
- selftests/bpf: Change functions definitions to support GCC (git-fixes).
- selftests/bpf: Fix a few tests for GCC related warnings (git-fixes).
- selftests/bpf: Fix pointer arithmetic in test_xdp_do_redirect (git-fixes).
- selftests/bpf: Fix prog numbers in test_sockmap (git-fixes).
- smb3: move server check earlier when setting channel sequence number (git-fixes).
- soc/tegra: cbb: Clear ERR_FORCE register with ERR_STATUS (git-fixes).
- soc: aspeed: lpc-snoop: Cleanup resources in stack-order (git-fixes).
- soc: aspeed: lpc-snoop: Do not disable channels that are not enabled (git-fixes).
- soc: qcom: QMI encoding/decoding for big endian (git-fixes).
- soc: qcom: fix endianness for QMI header (git-fixes).
- soc: qcom: pmic_glink: fix OF node leak (git-fixes).
- soundwire: amd: fix for clearing command status register (git-fixes).
- soundwire: stream: restore params when prepare ports fail (git-fixes).
- spi: spi-fsl-dspi: Clear completion counter before initiating transfer (git-fixes).
- staging: axis-fifo: remove sysfs interface (git-fixes).
- staging: fbtft: fix potential memory leak in fbtft_framebuffer_alloc() (git-fixes).
- staging: nvec: Fix incorrect null termination of battery manufacturer (git-fixes).
- struct cdns: move new member to the end (git-fixes).
- struct ucsi_operations: use padding for new operation (git-fixes).
- sunrpc: do not immediately retransmit on seqno miss (git-fixes).
- sunrpc: fix client side handling of tls alerts (git-fixes).
- tcp: call tcp_measure_rcv_mss() for ooo packets (git-fixes).
- thunderbolt: Fix bit masking in tb_dp_port_set_hops() (git-fixes).
- thunderbolt: Fix copy+paste error in match_service_id() (git-fixes).
- thunderbolt: Fix wake on connect at runtime (git-fixes).
- tracing/kprobe: Make trace_kprobe's module callback called after jump_label update (git-fixes).
- tracing/kprobes: Fix to free objects when failed to copy a symbol (git-fixes).
- types: Complement the aligned types with signed 64-bit one (stable-fixes).
- ucount: fix atomic_long_inc_below() argument type (git-fixes).
- ucsi-glink: adapt to kABI consistency (git-fixes).
- ucsi_ccg: Refine the UCSI Interrupt handling (git-fixes).
- ucsi_operations: add stubs for all operations (git-fixes).
- ucsi_ops: adapt update_connector to kABI consistency (git-fixes).
- usb: Add checks for snprintf() calls in usb_alloc_dev() (stable-fixes).
- usb: atm: cxacru: Merge cxacru_upload_firmware() into cxacru_heavy_init() (git-fixes).
- usb: cdc-wdm: avoid setting WDM_READ for ZLP-s (stable-fixes).
- usb: cdnsp: Fix issue with CV Bad Descriptor test (git-fixes).
- usb: cdnsp: Fix issue with resuming from L1 (git-fixes).
- usb: cdnsp: Replace snprintf() with the safer scnprintf() variant (stable-fixes).
- usb: cdnsp: do not disable slot for disabled slot (git-fixes).
- usb: chipidea: udc: disconnect/reconnect from host when do suspend/resume (git-fixes).
- usb: common: usb-conn-gpio: use a unique name for usb connector device (stable-fixes).
- usb: dwc2: also exit clock_gating when stopping udc while suspended (stable-fixes).
- usb: dwc3: meson-g12a: fix device leaks at unbind (git-fixes).
- usb: early: xhci-dbc: Fix early_ioremap leak (git-fixes).
- usb: gadget : fix use-after-free in composite_dev_cleanup() (git-fixes).
- usb: gadget: u_serial: Fix race condition in TTY wakeup (git-fixes).
- usb: gadget: udc: renesas_usb3: fix device leak at unbind (git-fixes).
- usb: host: xhci-plat: fix incorrect type for of_match variable in xhci_plat_probe() (git-fixes).
- usb: hub: Do not try to recover devices lost during warm reset (git-fixes).
- usb: misc: apple-mfi-fastcharge: Make power supply names unique (git-fixes).
- usb: musb: fix gadget state on disconnect (git-fixes).
- usb: musb: omap2430: fix device leak at unbind (git-fixes).
- usb: net: sierra: check for no status endpoint (git-fixes).
- usb: potential integer overflow in usbg_make_tpg() (stable-fixes).
- usb: typec: Update sysfs when setting ops (git-fixes).
- usb: typec: altmodes/displayport: do not index invalid pin_assignments (git-fixes).
- usb: typec: displayport: Fix potential deadlock (git-fixes).
- usb: typec: displayport: Receive DP Status Update NAK request exit dp altmode (stable-fixes).
- usb: typec: mux: do not return on EOPNOTSUPP in {mux, switch}_set (stable-fixes).
- usb: typec: tcpm: allow switching to mode accessory to mux properly (stable-fixes).
- usb: typec: tcpm: allow to use sink in accessory mode (stable-fixes).
- usb: typec: tcpm: apply vbus before data bringup in tcpm_src_attach (git-fixes).
- usb: typec: ucsi: Add DATA_RESET option of Connector Reset command (git-fixes).
- usb: typec: ucsi: Add qcm6490-pmic-glink as needing PDOS quirk (git-fixes).
- usb: typec: ucsi: Delay alternate mode discovery (git-fixes).
- usb: typec: ucsi: Fix busy loop on ASUS VivoBooks (git-fixes).
- usb: typec: ucsi: Fix the partner PD revision (git-fixes).
- usb: typec: ucsi: Get PD revision for partner (git-fixes).
- usb: typec: ucsi: Set orientation as none when connector is unplugged (git-fixes).
- usb: typec: ucsi: Update power_supply on power role change (git-fixes).
- usb: typec: ucsi: add callback for connector status updates (git-fixes).
- usb: typec: ucsi: add update_connector callback (git-fixes).
- usb: typec: ucsi: do not retrieve PDOs if not supported (git-fixes).
- usb: typec: ucsi: extract code to read PD caps (git-fixes).
- usb: typec: ucsi: fix UCSI on SM8550 & SM8650 Qualcomm devices (git-fixes).
- usb: typec: ucsi: glink: fix off-by-one in connector_status (git-fixes).
- usb: typec: ucsi: glink: increase max ports for x1e80100 (git-fixes).
- usb: typec: ucsi: glink: move GPIO reading into connector_status callback (git-fixes).
- usb: typec: ucsi: glink: use typec_set_orientation (git-fixes).
- usb: typec: ucsi: move ucsi_acknowledge() from ucsi_read_error() (git-fixes).
- usb: typec: ucsi: properly register partner's PD device (git-fixes).
- usb: typec: ucsi: support delaying GET_PDOS for device (git-fixes).
- usb: typec: ucsi_acpi: Add LG Gram quirk (git-fixes).
- usb: typec: ucsi_glink: drop NO_PARTNER_PDOS quirk for sm8550 / sm8650 (git-fixes).
- usb: typec: ucsi_glink: enable the UCSI_DELAY_DEVICE_PDOS quirk (git-fixes).
- usb: typec: ucsi_glink: enable the UCSI_DELAY_DEVICE_PDOS quirk on qcm6490 (git-fixes).
- usb: typec: ucsi_glink: rework quirks implementation (git-fixes).
- usb: xhci: Skip xhci_reset in xhci_resume if xhci is being removed (git-fixes).
- usb: xhci: quirk for data loss in ISOC transfers (stable-fixes).
- usb:cdnsp: remove TRB_FLUSH_ENDPOINT command (stable-fixes). - virtgpu: do not reset on shutdown (git-fixes). - vmci: Prevent the dispatching of uninitialized payloads (git-fixes). - vt: add missing notification when switching back to text mode (stable-fixes). - vt: defkeymap: Map keycodes above 127 to K_HOLE (git-fixes). - vt: keyboard: Do not process Unicode characters in K_OFF mode (git-fixes). - watchdog: ziirave_wdt: check record length in ziirave_firm_verify() (git-fixes). - wifi: ath11k: clear initialized flag for deinit-ed srng lists (git-fixes). - wifi: ath11k: fix dest ring-buffer corruption (git-fixes). - wifi: ath11k: fix dest ring-buffer corruption when ring is full (git-fixes). - wifi: ath11k: fix sleeping-in-atomic in ath11k_mac_op_set_bitrate_mask() (git-fixes). - wifi: ath11k: fix source ring-buffer corruption (git-fixes). - wifi: ath11k: fix suspend use-after-free after probe failure (git-fixes). - wifi: ath12k: fix dest ring-buffer corruption (git-fixes). - wifi: ath12k: fix dest ring-buffer corruption when ring is full (git-fixes). - wifi: ath12k: fix endianness handling while accessing wmi service bit (git-fixes). - wifi: ath12k: fix source ring-buffer corruption (git-fixes). - wifi: ath6kl: remove WARN on bad firmware input (stable-fixes). - wifi: brcmfmac: fix P2P discovery failure in P2P peer due to missing P2P IE (git-fixes). - wifi: brcmsmac: Remove const from tbl_ptr parameter in wlc_lcnphy_common_read_table() (git-fixes). - wifi: iwlwifi: Fix error code in iwl_op_mode_dvm_start() (git-fixes). - wifi: iwlwifi: Fix memory leak in iwl_mvm_init() (git-fixes). - wifi: iwlwifi: return ERR_PTR from opmode start() (stable-fixes). - wifi: mac80211: Add link iteration macro for link data (stable-fixes). - wifi: mac80211: Check 802.11 encaps offloading in ieee80211_tx_h_select_key() (git-fixes). - wifi: mac80211: Do not call fq_flow_idx() for management frames (git-fixes). - wifi: mac80211: Do not schedule stopped TXQs (git-fixes). 
- wifi: mac80211: chan: chandef is non-NULL for reserved (stable-fixes). - wifi: mac80211: drop invalid source address OCB frames (stable-fixes). - wifi: mac80211: reject TDLS operations when station is not associated (git-fixes). - wifi: mt76: mt7925: Fix null-ptr-deref in mt7925_thermal_init() (git-fixes). - wifi: mt76: mt7925: fix invalid array index in ssid assignment during hw scan (git-fixes). - wifi: mt76: mt7925: fix the wrong config for tx interrupt (git-fixes). - wifi: plfxlc: Fix error handling in usb driver probe (git-fixes). - wifi: prevent A-MSDU attacks in mesh networks (stable-fixes). - wifi: rtl818x: Kill URBs before clearing tx status queue (git-fixes). - wifi: rtw89: avoid NULL dereference when RX problematic packet on unsupported 6 GHz band (git-fixes). - wifi: zd1211rw: Fix potential NULL pointer dereference in zd_mac_tx_to_dev() (git-fixes). - x86/cpu/amd: Fix workaround for erratum 1054 (git-fixes). - x86/mce/amd: Add default names for MCA banks and blocks (git-fixes). - x86/mce/amd: Fix threshold limit reset (git-fixes). - x86/mce: Do not remove sysfs if thresholding sysfs init fails (git-fixes). - x86/mce: Make sure CMCI banks are cleared during shutdown on Intel (git-fixes). - x86/tdx: Fix __noreturn build warning around __tdx_hypercall_failed() (git-fixes). - x86/traps: Initialize DR6 by writing its architectural reset value (git-fixes). - x86/virt/tdx: Avoid indirect calls to TDX assembly functions (git-fixes). - x86: UV RTC: Add parameter to disable RTC clocksource (bsc#1241345). - xfs: fix off-by-one error in fsmap's end_daddr usage (bsc#1235837). - xfs: only create event xfs_file_compat_ioctl when CONFIG_COMPAT is configure (git-fixes). - xfs: remove unused event xfs_alloc_near_error (git-fixes). - xfs: remove unused event xfs_alloc_near_nominleft (git-fixes). - xfs: remove unused event xfs_attr_node_removename (git-fixes). - xfs: remove unused event xfs_ioctl_clone (git-fixes). 
- xfs: remove unused event xfs_pagecache_inval (git-fixes). - xfs: remove unused event xlog_iclog_want_sync (git-fixes). - xfs: remove unused trace event xfs_attr_remove_iter_return (git-fixes). - xfs: remove unused trace event xfs_attr_rmtval_set (git-fixes). - xfs: remove unused trace event xfs_reflink_cow_enospc (git-fixes). - xfs: remove unused xfs_attr events (git-fixes). - xfs: remove unused xfs_reflink_compare_extents events (git-fixes). - xfs: remove usused xfs_end_io_direct events (git-fixes). - xhci: Disable stream for xHC controller with XHCI_BROKEN_STREAMS (git-fixes). - xhci: dbc: Flush queued requests before stopping dbc (git-fixes). - xhci: dbctty: disable ECHO flag by default (git-fixes). ----------------------------------------------------------------- Advisory ID: 229 Released: Tue Aug 26 10:49:45 2025 Summary: Recommended update for dracut Type: recommended Severity: moderate References: 1241114,1241680,1247819 This update for dracut fixes the following issues: - fix (dracut-util): crash if CMDLINE ends with quotation mark (bsc#1247819) - fix (rngd): adjust license to match the license of the whole project - fix (dracut): kernel module name normalization in drivers lists (bsc#1241680) - fix (dracut-init): assign real path to srcmods (bsc#1241114) ----------------------------------------------------------------- Advisory ID: 234 Released: Wed Aug 27 09:48:38 2025 Summary: Recommended update for libzypp Type: recommended Severity: moderate References: 1246912 This update for libzypp fixes the following issues: - Make ld.so ignore the subarch packages during install (bsc#1246912) ----------------------------------------------------------------- Advisory ID: 236 Released: Wed Aug 27 11:46:23 2025 Summary: Security update for libxml2 Type: security Severity: important References: 1244554,1244555,1244557,1244580,1244700,1246296,CVE-2025-49794,CVE-2025-49795,CVE-2025-49796,CVE-2025-6021,CVE-2025-6170,CVE-2025-7425 This update for libxml2 fixes the 
following issues: - CVE-2025-6021: Integer Overflow in xmlBuildQName() Leads to Stack Buffer Overflow in libxml2 [bsc#1244580] - CVE-2025-6170: stack buffer overflow may lead to a crash [bsc#1244700] - CVE-2025-7425: Heap Use-After-Free in libxslt caused by atype corruption in xmlAttrPtr [bsc#1246296] - CVE-2025-49794: heap use after free (UAF) can lead to Denial of service (DoS) [bsc#1244554] - CVE-2025-49795: null pointer dereference may lead to Denial of service (DoS) [bsc#1244555] - CVE-2025-49796: type confusion may lead to Denial of service (DoS) [bsc#1244557] ----------------------------------------------------------------- Advisory ID: 238 Released: Thu Aug 28 17:15:06 2025 Summary: Security update for coreutils Type: security Severity: moderate References: 1243767,CVE-2025-5278 This update for coreutils fixes the following issues: - CVE-2025-5278: Sort with key character offsets of SIZE_MAX, could induce a read of 1 byte before an allocated heap buffer (bsc#1243767). The following package changes have been done: - liblzma5-5.4.3-slfo.1.1_2.1 updated - libgcc_s1-14.3.0+git11799-slfo.1.1_1.1 updated - libxml2-2-2.11.6-slfo.1.1_6.1 updated - libopenssl3-3.1.4-slfo.1.1_6.1 updated - libgcrypt20-1.10.3-slfo.1.1_2.1 updated - libstdc++6-14.3.0+git11799-slfo.1.1_1.1 updated - libudev1-254.27-slfo.1.1_1.1 updated - libsystemd0-254.27-slfo.1.1_1.1 updated - xz-5.4.3-slfo.1.1_2.1 updated - coreutils-9.4-slfo.1.1_2.1 updated - SL-Micro-release-6.1-slfo.1.11.53 updated - systemd-254.27-slfo.1.1_1.1 updated - udev-254.27-slfo.1.1_1.1 updated - dracut-059+suse.639.g19f24feb-slfo.1.1_1.1 updated - kernel-default-6.4.0-33.1 updated - libssh-config-0.10.6-slfo.1.1_2.1 updated - libssh4-0.10.6-slfo.1.1_2.1 updated - openssl-3-3.1.4-slfo.1.1_6.1 updated - elemental-toolkit-2.2.4-slfo.1.1_1.1 updated - libzypp-17.37.17-slfo.1.1_1.1 updated - zypper-1.14.93-slfo.1.1_1.1 updated - container:suse-toolbox-image-1.0.0-4.66 updated From sle-container-updates at lists.suse.com Wed 
Sep 3 15:53:48 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Wed, 3 Sep 2025 17:53:48 +0200 (CEST) Subject: SUSE-IU-2025:2414-1: Security update of suse/sl-micro/6.1/kvm-os-container Message-ID: <20250903155348.587B8FBA1@maintenance.suse.de> SUSE Image Update Advisory: suse/sl-micro/6.1/kvm-os-container ----------------------------------------------------------------- Image Advisory ID : SUSE-IU-2025:2414-1 Image Tags : suse/sl-micro/6.1/kvm-os-container:2.2.1 , suse/sl-micro/6.1/kvm-os-container:2.2.1-5.29 , suse/sl-micro/6.1/kvm-os-container:latest Image Release : 5.29 Severity : important Type : security References : 1204142 1219338 1220262 1221107 1225707 1230216 1230262 1232526 1233300 1235613 1235837 1236333 1236897 1237442 1238491 1238896 1239061 1239566 1239938 1240323 1240414 1240788 1240885 1240966 1241114 1241166 1241345 1241549 1241680 1242086 1242414 1242827 1242837 1242960 1242965 1242993 1243068 1243100 1243479 1243669 1243767 1243806 1243935 1243991 1244050 1244309 1244337 1244457 1244554 1244555 1244557 1244580 1244700 1244735 1244749 1244750 1244792 1244801 1245151 1245201 1245202 1245216 1245260 1245309 1245310 1245311 1245312 1245314 1245317 1245431 1245440 1245457 1245498 1245499 1245504 1245506 1245508 1245510 1245540 1245598 1245599 1245646 1245647 1245649 1245650 1245654 1245658 1245660 1245665 1245666 1245668 1245669 1245670 1245671 1245675 1245676 1245677 1245679 1245682 1245683 1245684 1245688 1245689 1245690 1245691 1245695 1245705 1245708 1245711 1245713 1245714 1245719 1245723 1245729 1245730 1245731 1245735 1245737 1245744 1245745 1245746 1245747 1245748 1245749 1245750 1245751 1245752 1245757 1245758 1245765 1245768 1245769 1245777 1245781 1245789 1245937 1245945 1245951 1245952 1245954 1245957 1245966 1245970 1245976 1245980 1245983 1245986 1246000 1246002 1246006 1246008 1246020 1246023 1246029 1246031 1246037 1246041 1246042 1246044 1246045 1246047 1246049 1246050 1246055 
1246073 1246093 1246098 1246109 1246122 1246125 1246171 1246173 1246178 1246182 1246183 1246186 1246195 1246203 1246212 1246220 1246236 1246240 1246243 1246246 1246249 1246250 1246253 1246258 1246262 1246264 1246266 1246268 1246273 1246283 1246287 1246292 1246293 1246295 1246296 1246334 1246337 1246342 1246349 1246354 1246358 1246361 1246364 1246370 1246375 1246384 1246386 1246387 1246438 1246453 1246473 1246490 1246506 1246547 1246777 1246781 1246870 1246879 1246911 1247018 1247023 1247028 1247031 1247033 1247035 1247061 1247074 1247089 1247091 1247097 1247098 1247101 1247103 1247104 1247113 1247118 1247123 1247125 1247128 1247132 1247138 1247141 1247143 1247145 1247146 1247147 1247149 1247150 1247151 1247153 1247154 1247156 1247160 1247164 1247169 1247170 1247171 1247172 1247174 1247176 1247177 1247178 1247181 1247209 1247210 1247227 1247233 1247236 1247238 1247241 1247251 1247252 1247253 1247255 1247271 1247273 1247274 1247276 1247277 1247278 1247279 1247284 1247285 1247288 1247289 1247293 1247311 1247314 1247317 1247347 1247348 1247349 1247374 1247437 1247450 1247819 CVE-2019-11135 CVE-2023-50782 CVE-2024-2236 CVE-2024-36028 CVE-2024-36348 CVE-2024-36349 CVE-2024-36350 CVE-2024-36357 CVE-2024-44963 CVE-2024-56742 CVE-2024-57947 CVE-2025-21839 CVE-2025-21872 CVE-2025-23163 CVE-2025-31115 CVE-2025-37798 CVE-2025-37856 CVE-2025-37864 CVE-2025-37885 CVE-2025-37920 CVE-2025-37984 CVE-2025-38034 CVE-2025-38035 CVE-2025-38051 CVE-2025-38052 CVE-2025-38058 CVE-2025-38061 CVE-2025-38062 CVE-2025-38063 CVE-2025-38064 CVE-2025-38074 CVE-2025-38084 CVE-2025-38085 CVE-2025-38087 CVE-2025-38088 CVE-2025-38089 CVE-2025-38090 CVE-2025-38094 CVE-2025-38095 CVE-2025-38097 CVE-2025-38098 CVE-2025-38099 CVE-2025-38100 CVE-2025-38102 CVE-2025-38105 CVE-2025-38107 CVE-2025-38108 CVE-2025-38109 CVE-2025-38110 CVE-2025-38111 CVE-2025-38112 CVE-2025-38113 CVE-2025-38115 CVE-2025-38117 CVE-2025-38118 CVE-2025-38120 CVE-2025-38122 CVE-2025-38123 CVE-2025-38124 CVE-2025-38126 
CVE-2025-38127 CVE-2025-38129 CVE-2025-38131 CVE-2025-38132 CVE-2025-38135 CVE-2025-38136 CVE-2025-38138 CVE-2025-38142 CVE-2025-38143 CVE-2025-38145 CVE-2025-38147 CVE-2025-38148 CVE-2025-38149 CVE-2025-38151 CVE-2025-38153 CVE-2025-38154 CVE-2025-38155 CVE-2025-38157 CVE-2025-38158 CVE-2025-38159 CVE-2025-38161 CVE-2025-38162 CVE-2025-38165 CVE-2025-38166 CVE-2025-38173 CVE-2025-38174 CVE-2025-38177 CVE-2025-38180 CVE-2025-38181 CVE-2025-38182 CVE-2025-38183 CVE-2025-38187 CVE-2025-38188 CVE-2025-38192 CVE-2025-38193 CVE-2025-38194 CVE-2025-38197 CVE-2025-38198 CVE-2025-38200 CVE-2025-38202 CVE-2025-38203 CVE-2025-38204 CVE-2025-38206 CVE-2025-38210 CVE-2025-38211 CVE-2025-38212 CVE-2025-38213 CVE-2025-38214 CVE-2025-38215 CVE-2025-38217 CVE-2025-38220 CVE-2025-38222 CVE-2025-38225 CVE-2025-38226 CVE-2025-38227 CVE-2025-38229 CVE-2025-38231 CVE-2025-38236 CVE-2025-38239 CVE-2025-38244 CVE-2025-38246 CVE-2025-38248 CVE-2025-38249 CVE-2025-38250 CVE-2025-38257 CVE-2025-38259 CVE-2025-38264 CVE-2025-38272 CVE-2025-38273 CVE-2025-38275 CVE-2025-38277 CVE-2025-38279 CVE-2025-38283 CVE-2025-38286 CVE-2025-38289 CVE-2025-38290 CVE-2025-38292 CVE-2025-38293 CVE-2025-38300 CVE-2025-38303 CVE-2025-38304 CVE-2025-38305 CVE-2025-38307 CVE-2025-38310 CVE-2025-38312 CVE-2025-38313 CVE-2025-38319 CVE-2025-38323 CVE-2025-38326 CVE-2025-38328 CVE-2025-38332 CVE-2025-38334 CVE-2025-38335 CVE-2025-38336 CVE-2025-38337 CVE-2025-38338 CVE-2025-38342 CVE-2025-38343 CVE-2025-38344 CVE-2025-38345 CVE-2025-38348 CVE-2025-38349 CVE-2025-38350 CVE-2025-38352 CVE-2025-38354 CVE-2025-38362 CVE-2025-38363 CVE-2025-38364 CVE-2025-38365 CVE-2025-38369 CVE-2025-38371 CVE-2025-38373 CVE-2025-38375 CVE-2025-38376 CVE-2025-38377 CVE-2025-38380 CVE-2025-38382 CVE-2025-38384 CVE-2025-38385 CVE-2025-38386 CVE-2025-38387 CVE-2025-38389 CVE-2025-38391 CVE-2025-38392 CVE-2025-38393 CVE-2025-38395 CVE-2025-38396 CVE-2025-38399 CVE-2025-38400 CVE-2025-38401 CVE-2025-38403 CVE-2025-38404 CVE-2025-38406 
CVE-2025-38409 CVE-2025-38410 CVE-2025-38412 CVE-2025-38414 CVE-2025-38415 CVE-2025-38416 CVE-2025-38420 CVE-2025-38424 CVE-2025-38425 CVE-2025-38426 CVE-2025-38428 CVE-2025-38429 CVE-2025-38430 CVE-2025-38436 CVE-2025-38443 CVE-2025-38448 CVE-2025-38449 CVE-2025-38455 CVE-2025-38457 CVE-2025-38460 CVE-2025-38461 CVE-2025-38462 CVE-2025-38463 CVE-2025-38465 CVE-2025-38467 CVE-2025-38468 CVE-2025-38470 CVE-2025-38471 CVE-2025-38473 CVE-2025-38474 CVE-2025-38476 CVE-2025-38477 CVE-2025-38478 CVE-2025-38480 CVE-2025-38481 CVE-2025-38482 CVE-2025-38483 CVE-2025-38485 CVE-2025-38487 CVE-2025-38489 CVE-2025-38494 CVE-2025-38495 CVE-2025-38496 CVE-2025-38497 CVE-2025-38498 CVE-2025-4598 CVE-2025-4877 CVE-2025-4878 CVE-2025-49794 CVE-2025-49795 CVE-2025-49796 CVE-2025-5278 CVE-2025-5318 CVE-2025-5351 CVE-2025-5372 CVE-2025-5987 CVE-2025-6021 CVE-2025-6170 CVE-2025-7425 ----------------------------------------------------------------- The container suse/sl-micro/6.1/kvm-os-container was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: 197 Released: Thu Jul 31 13:53:17 2025 Summary: Recommended update for gcc14 Type: recommended Severity: moderate References: 1230262,1232526,1237442,1238491,1239566,1239938,1240788,1241549,1243991,1244050 This update for gcc14 fixes the following issues: - Exclude shared objects present for link editing in the GCC specific subdirectory from provides processing via __provides_exclude_from. [bsc#1244050][bsc#1243991] - Update to GCC 14.3 release, bb24b4c804f3d95b0ba95b7496, git11799 - Update to gcc-14 branch head, 3418d740b344e0ba38022f3be, git11702 - Fix build on s390x [bsc#1241549] - Make sure link editing is done against our own shared library copy rather than the installed system runtime. [bsc#1240788] - cross-compiler builds with --enable-host-pie. - Allow GCC executables to be built PIE. 
[bsc#1239938] - Backport -msplit-patch-nops required for user-space livepatching on powerpc. - Also record -D_FORTIFY_SOURCE=2 in the DWARF debug info DW_AT_producer string. [bsc#1239566] - Disable profiling during build when %want_reproducible_builds is set [bsc#1238491] - Update to gcc-14 branch head, 9ffecde121af883b60bbe60d0, git11321 * fixes reported ICE in [bsc#1237442] - Adjust cross compiler requirements to use %requires_ge - Fix condition on whether to enable plugins or JIT support to not check sle_version which is not defined in SLFO but to check is_opensuse and suse_version instead. - For cross compilers require the same or newer binutils, newlib or cross-glibc that was used at build time. [bsc#1232526] - Update to gcc-14 branch head, 4af44f2cf7d281f3e4f3957ef, git10750 * includes libstdc++6 fix for parsing tzdata 2024b [gcc#116657] - Fix ICE with LTO building openvino on aarch64 [bsc#1230262] ----------------------------------------------------------------- Advisory ID: 196 Released: Thu Jul 31 14:00:30 2025 Summary: Security update for libgcrypt Type: security Severity: moderate References: 1221107,CVE-2024-2236 This update for libgcrypt fixes the following issues: - CVE-2024-2236: Fixed timing based side-channel in RSA implementation (bsc#1221107) ----------------------------------------------------------------- Advisory ID: 206 Released: Fri Aug 8 12:26:24 2025 Summary: Security update for xz Type: security Severity: important References: 1240414,CVE-2025-31115 This update for xz fixes the following issues: - CVE-2025-31115: Fixed heap use after free and writing to an address based on the null pointer plus an offset (bsc#1240414) ----------------------------------------------------------------- Advisory ID: 215 Released: Thu Aug 14 12:12:18 2025 Summary: Security update for openssl-3 Type: security Severity: moderate References: 1220262,CVE-2023-50782 This update for openssl-3 fixes the following issues: - CVE-2023-50782: Implicit rejection in PKCS#1 
v1.5 (bsc#1220262) ----------------------------------------------------------------- Advisory ID: 213 Released: Thu Aug 14 12:19:26 2025 Summary: Security update for libssh Type: security Severity: important References: 1245309,1245310,1245311,1245312,1245314,1245317,CVE-2025-4877,CVE-2025-4878,CVE-2025-5318,CVE-2025-5351,CVE-2025-5372,CVE-2025-5987 This update for libssh fixes the following issues: - CVE-2025-5372: ssh_kdf() returns a success code on certain failures (bsc#1245314) - CVE-2025-5987: Invalid return code for chacha20 poly1305 with OpenSSL backend (bsc#1245317) - CVE-2025-4877: Write beyond bounds in binary to base64 conversion functions (bsc#1245309) - CVE-2025-4878: Use of uninitialized variable in privatekey_from_file() (bsc#1245310) - CVE-2025-5318: Likely read beyond bounds in sftp server handle management (bsc#1245311) - CVE-2025-5351: Double free in functions exporting keys (bsc#1245312) ----------------------------------------------------------------- Advisory ID: 218 Released: Sat Aug 16 13:46:56 2025 Summary: Security update for systemd Type: security Severity: moderate References: 1242827,1243935,1247074,CVE-2025-4598 This update for systemd fixes the following issues: - Remove the script used to help migrating the language and locale settings located in /etc/sysconfig/language on old systems to the systemd default locations (bsc#1247074) The script was introduced more than 7 years ago and all systems running TW should have been migrated since then. Moreover the installer supports the systemd default locations since approximately SLE15. - triggers.systemd: skip update of hwdb, journal-catalog if executed during an offline update. 
- logs-show: get timestamp and boot ID only when necessary (bsc#1242827) - sd-journal: drop to use Hashmap to manage journal files per boot ID - tree-wide: set SD_JOURNAL_ASSUME_IMMUTABLE where appropriate - sd-journal: introduce SD_JOURNAL_ASSUME_IMMUTABLE flag - sd-journal: make journal_file_read_tail_timestamp() notify to the caller that some new journal entries added - sd-journal: cache last entry offset and journal file state - sd-journal: fix typo in function name - coredump: use %d in kernel core pattern (bsc#1243935 CVE-2025-4598) ----------------------------------------------------------------- Advisory ID: 227 Released: Fri Aug 22 14:33:27 2025 Summary: Recommended update for elemental-toolkit Type: recommended Severity: moderate References: This update for elemental-toolkit fixes the following issues: - Update to v2.2.4: * Avoid panic when MaxSnaps is set to 0 ----------------------------------------------------------------- Advisory ID: kernel-82 Released: Mon Aug 25 15:33:57 2025 Summary: Security update for the Linux Kernel Type: security Severity: important References: 
1204142,1219338,1225707,1230216,1233300,1235613,1235837,1236333,1236897,1238896,1239061,1240323,1240885,1240966,1241166,1241345,1242086,1242414,1242837,1242960,1242965,1242993,1243068,1243100,1243479,1243669,1243806,1244309,1244337,1244457,1244735,1244749,1244750,1244792,1244801,1245151,1245201,1245202,1245216,1245260,1245431,1245440,1245457,1245498,1245499,1245504,1245506,1245508,1245510,1245540,1245598,1245599,1245646,1245647,1245649,1245650,1245654,1245658,1245660,1245665,1245666,1245668,1245669,1245670,1245671,1245675,1245676,1245677,1245679,1245682,1245683,1245684,1245688,1245689,1245690,1245691,1245695,1245705,1245708,1245711,1245713,1245714,1245719,1245723,1245729,1245730,1245731,1245735,1245737,1245744,1245745,1245746,1245747,1245748,1245749,1245750,1245751,1245752,1245757,1245758,1245765,1245768,1245769,1245777,1245781,1245789,1245937,1245945,1245951,1245952,1245954,1245957,1245966,1245970,1245976,1245980,1245983,1245986,1246000,1246002,1246006,1246008,1246020,1246023,1246029,1246031,1246037,1246041,1246042,1246044,1246045,1246047,1246049,1246050,1246055,1246073,1246093,1246098,1246109,1246122,1246125,1246171,1246173,1246178,1246182,1246183,1246186,1246195,1246203,1246212,1246220,1246236,1246240,1246243,1246246,1246249,1246250,1246253,1246258,1246262,1246264,1246266,1246268,1246273,1246283,1246287,1246292,1246293,1246295,1246334,1246337,1246342,1246349,1246354,1246358,1246361,1246364,1246370,1246375,1246384,1246386,1246387,1246438,1246453,1246473,1246490,1246506,1246547,1246777,1246781,1246870,1246879,1246911,1247018,1247023,1247028,1247031,1247033,1247035,1247061,1247089,1247091,1247097,1247098,1247101,1247103,1247104,1247113,1247118,1247123,1247125,1247128,1247132,1247138,1247141,1247143,1247145,1247146,1247147,1247149,1247150,1247151,1247153,1247154,1247156,1247160,1247164,1247169,1247170,1247171,1247172,1247174,1247176,1247177,1247178,1247181,1247209,1247210,1247227,1247233,1247236,1247238,1247241,1247251,1247252,1247253,1247255,1247271,
1247273,1247274,1247276,1247277,1247278,1247279,1247284,1247285,1247288,1247289,1247293,1247311,1247314,1247317,1247347,1247348,1247349,1247374,1247437,1247450,CVE-2019-11135,CVE-2024-36028,CVE-2024-36348,CVE-2024-36349,CVE-2024-36350,CVE-2024-36357,CVE-2024-44963,CVE-2024-56742,CVE-2024-57947,CVE-2025-21839,CVE-2025-21872,CVE-2025-23163,CVE-2025-37798,CVE-2025-37856,CVE-2025-37864,CVE-2025-37885,CVE-2025-37920,CVE-2025-37984,CVE-2025-38034,CVE-2025-38035,CVE-2025-38051,CVE-2025-38052,CVE-2025-38058,CVE-2025-38061,CVE-2025-38062,CVE-2025-38063,CVE-2025-38064,CVE-2025-38074,CVE-2025-38084,CVE-2025-38085,CVE-2025-38087,CVE-2025-38088,CVE-2025-38089,CVE-2025-38090,CVE-2025-38094,CVE-2025-38095,CVE-2025-38097,CVE-2025-38098,CVE-2025-38099,CVE-2025-38100,CVE-2025-38102,CVE-2025-38105,CVE-2025-38107,CVE-2025-38108,CVE-2025-38109,CVE-2025-38110,CVE-2025-38111,CVE-2025-38112,CVE-2025-38113,CVE-2025-38115,CVE-2025-38117,CVE-2025-38118,CVE-2025-38120,CVE-2025-38122,CVE-2025-38123,CVE-2025-38124,CVE-2025-38126,CVE-2025-38127,CVE-2025-38129,CVE-2025-38131,CVE-2025-38132,CVE-2025-38135,CVE-2025-38136,CVE-2025-38138,CVE-2025-38142,CVE-2025-38143,CVE-2025-38145,CVE-2025-38147,CVE-2025-38148,CVE-2025-38149,CVE-2025-38151,CVE-2025-38153,CVE-2025-38154,CVE-2025-38155,CVE-2025-38157,CVE-2025-38158,CVE-2025-38159,CVE-2025-38161,CVE-2025-38162,CVE-2025-38165,CVE-2025-38166,CVE-2025-38173,CVE-2025-38174,CVE-2025-38177,CVE-2025-38180,CVE-2025-38181,CVE-2025-38182,CVE-2025-38183,CVE-2025-38187,CVE-2025-38188,CVE-2025-38192,CVE-2025-38193,CVE-2025-38194,CVE-2025-38197,CVE-2025-38198,CVE-2025-38200,CVE-2025-38202,CVE-2025-38203,CVE-2025-38204,CVE-2025-38206,CVE-2025-38210,CVE-2025-38211,CVE-2025-38212,CVE-2025-38213,CVE-2025-38214,CVE-2025-38215,CVE-2025-38217,CVE-2025-38220,CVE-2025-38222,CVE-2025-38225,CVE-2025-38226,CVE-2025-38227,CVE-2025-38229,CVE-2025-38231,CVE-2025-38236,CVE-2025-38239,CVE-2025-38244,CVE-2025-38246,CVE-2025-38248,CVE-2025-38249,CVE-2025-38250,CVE-2025-38257,
CVE-2025-38259,CVE-2025-38264,CVE-2025-38272,CVE-2025-38273,CVE-2025-38275,CVE-2025-38277,CVE-2025-38279,CVE-2025-38283,CVE-2025-38286,CVE-2025-38289,CVE-2025-38290,CVE-2025-38292,CVE-2025-38293,CVE-2025-38300,CVE-2025-38303,CVE-2025-38304,CVE-2025-38305,CVE-2025-38307,CVE-2025-38310,CVE-2025-38312,CVE-2025-38313,CVE-2025-38319,CVE-2025-38323,CVE-2025-38326,CVE-2025-38328,CVE-2025-38332,CVE-2025-38334,CVE-2025-38335,CVE-2025-38336,CVE-2025-38337,CVE-2025-38338,CVE-2025-38342,CVE-2025-38343,CVE-2025-38344,CVE-2025-38345,CVE-2025-38348,CVE-2025-38349,CVE-2025-38350,CVE-2025-38352,CVE-2025-38354,CVE-2025-38362,CVE-2025-38363,CVE-2025-38364,CVE-2025-38365,CVE-2025-38369,CVE-2025-38371,CVE-2025-38373,CVE-2025-38375,CVE-2025-38376,CVE-2025-38377,CVE-2025-38380,CVE-2025-38382,CVE-2025-38384,CVE-2025-38385,CVE-2025-38386,CVE-2025-38387,CVE-2025-38389,CVE-2025-38391,CVE-2025-38392,CVE-2025-38393,CVE-2025-38395,CVE-2025-38396,CVE-2025-38399,CVE-2025-38400,CVE-2025-38401,CVE-2025-38403,CVE-2025-38404,CVE-2025-38406,CVE-2025-38409,CVE-2025-38410,CVE-2025-38412,CVE-2025-38414,CVE-2025-38415,CVE-2025-38416,CVE-2025-38420,CVE-2025-38424,CVE-2025-38425,CVE-2025-38426,CVE-2025-38428,CVE-2025-38429,CVE-2025-38430,CVE-2025-38436,CVE-2025-38443,CVE-2025-38448,CVE-2025-38449,CVE-2025-38455,CVE-2025-38457,CVE-2025-38460,CVE-2025-38461,CVE-2025-38462,CVE-2025-38463,CVE-2025-38465,CVE-2025-38467,CVE-2025-38468,CVE-2025-38470,CVE-2025-38471,CVE-2025-38473,CVE-2025-38474,CVE-2025-38476,CVE-2025-38477,CVE-2025-38478,CVE-2025-38480,CVE-2025-38481,CVE-2025-38482,CVE-2025-38483,CVE-2025-38485,CVE-2025-38487,CVE-2025-38489,CVE-2025-38494,CVE-2025-38495,CVE-2025-38496,CVE-2025-38497,CVE-2025-38498 The SUSE Linux Enterprise Micro 6.0 and 6.1 kernel was updated to receive various security bugfixes.
The following security bugs were fixed: - CVE-2019-11135: TSX Asynchronous Abort condition on some CPUs utilizing speculative execution may - CVE-2024-36028: mm/hugetlb: fix DEBUG_LOCKS_WARN_ON(1) when dissolve_free_hugetlb_folio() (bsc#1225707). - CVE-2024-36348, CVE-2024-36349, CVE-2024-36350, CVE-2024-36357: x86/process: Move the buffer clearing before MONITOR (bsc#1238896). - CVE-2024-44963: btrfs: do not BUG_ON() when freeing tree block after error (bsc#1230216). - CVE-2024-56742: vfio/mlx5: Fix an unwind issue in mlx5vf_add_migration_pages() (bsc#1235613). - CVE-2025-21839: KVM: x86: Load DR6 with guest value only before entering .vcpu_run() loop (bsc#1239061). - CVE-2025-21872: efi/mokvar-table: Avoid repeated map/unmap of the same page (bsc#1240323). - CVE-2025-23163: net: vlan: do not propagate flags on open (bsc#1242837). - CVE-2025-37856: btrfs: harden block_group::bg_list against list_del() races (bsc#1243068). - CVE-2025-37864: net: dsa: clean up FDB, MDB, VLAN entries on unbind (bsc#1242965). - CVE-2025-37885: KVM: x86: Reset IRTE to host control if *new* route isn't postable (bsc#1242960). - CVE-2025-37920: kABI workaround for xsk: Fix race condition in AF_XDP generic RX path (bsc#1243479). - CVE-2025-37984: crypto: ecdsa - Harden against integer overflows in DIV_ROUND_UP() (bsc#1243669). - CVE-2025-38034: btrfs: correct the order of prelim_ref arguments in btrfs__prelim_ref (bsc#1244792). - CVE-2025-38035: nvmet-tcp: do not restore null sk_state_change (bsc#1244801). - CVE-2025-38051: smb: client: Fix use-after-free in cifs_fill_dirent (bsc#1244750). - CVE-2025-38058: __legitimize_mnt(): check for MNT_SYNC_UMOUNT should be under mount_lock (bsc#1245151). - CVE-2025-38061: net: pktgen: fix access outside of user given buffer in pktgen_thread_write() (bsc#1245440). - CVE-2025-38062: kABI: restore layout of struct msi_desc (bsc#1245216). - CVE-2025-38063: dm: fix unconditional IO throttle caused by REQ_PREFLUSH (bsc#1245202). 
- CVE-2025-38064: virtio: break and reset virtio devices on device_shutdown() (bsc#1245201). - CVE-2025-38074: vhost-scsi: protect vq->log_used with vq->mutex (bsc#1244735). - CVE-2025-38094: net: cadence: macb: Fix a possible deadlock in macb_halt_tx (bsc#1245649). - CVE-2025-38097: kabi: restore encap_sk in struct xfrm_state (bsc#1245660). - CVE-2025-38098: drm/amd/display: Do not treat wb connector as physical in (bsc#1245654). - CVE-2025-38099: Bluetooth: btusb: Fix regression in the initialization of fake Bluetooth controllers (bsc#1245671). - CVE-2025-38100: x86/iopl: Cure TIF_IO_BITMAP inconsistencies (bsc#1245650). - CVE-2025-38105: ALSA: usb-audio: Kill timer properly at removal (bsc#1245682). - CVE-2025-38115: net_sched: sch_sfq: fix a potential crash on gso_skb handling (bsc#1245689). - CVE-2025-38117: hci_dev centralize extra lock (bsc#1245695). - CVE-2025-38126: net: stmmac: make sure that ptp_rate is not 0 before configuring timestamping (bsc#1245708). - CVE-2025-38131: coresight: prevent deactivate active config while enabling the config (bsc#1245677). - CVE-2025-38132: coresight: holding cscfg_csdev_lock while removing cscfg from csdev (bsc#1245679). - CVE-2025-38147: calipso: unlock rcu before returning -EAFNOSUPPORT (bsc#1245768). - CVE-2025-38158: hisi_acc_vfio_pci: fix XQE dma address error (bsc#1245750). - CVE-2025-38162: netfilter: nft_set_pipapo: prevent overflow in lookup table allocation (bsc#1245752). - CVE-2025-38166: bpf: fix ktls panic with sockmap (bsc#1245758). - CVE-2025-38180: net: atm: fix /proc/net/atm/lec handling (bsc#1245970). - CVE-2025-38182: ublk: santizize the arguments from userspace when adding a device (bsc#1245937). - CVE-2025-38183: net: lan743x: fix potential out-of-bounds write in lan743x_ptp_io_event_clock_get() (bsc#1246006). - CVE-2025-38187: drm/nouveau: fix a use-after-free in r535_gsp_rpc_push() (bsc#1245951). - CVE-2025-38188: drm/msm/a7xx: Call CP_RESET_CONTEXT_STATE (bsc#1246098). 
- CVE-2025-38200: i40e: fix MMIO write access to an invalid page in i40e_clear_hw (bsc#1246045). - CVE-2025-38202: bpf: Check rcu_read_lock_trace_held() in bpf_map_lookup_percpu_elem() (bsc#1245980). - CVE-2025-38203: jfs: Fix null-ptr-deref in jfs_ioc_trim (bsc#1246044). - CVE-2025-38204: jfs: fix array-index-out-of-bounds read in add_missing_indices (bsc#1245983). - CVE-2025-38206: exfat: fix double free in delayed_free (bsc#1246073). - CVE-2025-38210: configfs-tsm-report: Fix NULL dereference of tsm_ops (bsc#1246020). - CVE-2025-38212: ipc: fix to protect IPCS lookups using RCU (bsc#1246029). - CVE-2025-38220: ext4: only dirty folios when data journaling regular files (bsc#1245966). - CVE-2025-38222: ext4: inline: fix len overflow in ext4_prepare_inline_data (bsc#1245976). - CVE-2025-38236: af_unix: Disable MSG_OOB for unprivileged users (bsc#1246093). - CVE-2025-38239: scsi: megaraid_sas: Fix invalid node index (bsc#1246178). - CVE-2025-38244: smb: client: fix potential deadlock when reconnecting channels (bsc#1246183). - CVE-2025-38248: bridge: mcast: Fix use-after-free during router port configuration (bsc#1246173). - CVE-2025-38250: kABI workaround for bluetooth hci_dev changes (bsc#1246182). - CVE-2025-38264: llist: add interface to check if a node is on a list (bsc#1246387). - CVE-2025-38272: net: dsa: b53: do not enable EEE on bcm63xx (bsc#1246268). - CVE-2025-38279: selftests/bpf: Add tests with stack ptr register in conditional jmp (bsc#1246264). - CVE-2025-38283: hisi_acc_vfio_pci: bugfix live migration function without VF device driver (bsc#1246273). - CVE-2025-38303: Bluetooth: eir: Fix possible crashes on eir_create_adv_data (bsc#1246354). - CVE-2025-38310: seg6: Fix validation of nexthop addresses (bsc#1246361). - CVE-2025-38323: net: atm: add lec_mutex (bsc#1246473). - CVE-2025-38334: x86/sgx: Prevent attempts to reclaim poisoned pages (bsc#1246384). - CVE-2025-38335: Input: gpio-keys - fix a sleep while atomic with PREEMPT_RT (bsc#1246250). 
- CVE-2025-38337: jbd2: fix data-race and null-ptr-deref in jbd2_journal_dirty_metadata() (bsc#1246253). - CVE-2025-38349: eventpoll: do not decrement ep refcount while still holding the ep mutex (bsc#1246777). - CVE-2025-38350: net/sched: Always pass notifications when child class becomes empty (bsc#1246781). - CVE-2025-38352: posix-cpu-timers: fix race between handle_posix_cpu_timers() and posix_cpu_timer_del() (bsc#1246911). - CVE-2025-38364: maple_tree: fix MA_STATE_PREALLOC flag in mas_preallocate() (bsc#1247091). - CVE-2025-38365: btrfs: fix a race between renames and directory logging (bsc#1247023). - CVE-2025-38371: drm/v3d: Disable interrupts before resetting the GPU (bsc#1247178). - CVE-2025-38375: virtio-net: ensure the received length does not exceed allocated size (bsc#1247177). - CVE-2025-38382: btrfs: fix iteration of extrefs during log replay (bsc#1247031). - CVE-2025-38392: idpf: convert control queue mutex to a spinlock (bsc#1247169). - CVE-2025-38396: fs: export anon_inode_make_secure_inode() and fix secretmem LSM bypass (bsc#1247156). - CVE-2025-38399: scsi: target: Fix NULL pointer dereference in core_scsi3_decode_spec_i_port() (bsc#1247097). - CVE-2025-38403: vsock/vmci: Clear the vmci transport packet properly when initializing it (bsc#1247141). - CVE-2025-38414: wifi: ath12k: fix GCC_GCC_PCIE_HOT_RST definition for WCN7850 (bsc#1247145). - CVE-2025-38426: drm/amdgpu: Add basic validation for RAS header (bsc#1247252). - CVE-2025-38429: bus: mhi: ep: Update read pointer only after buffer is written (bsc#1247253). - CVE-2025-38455: KVM: SVM: Reject SEV{-ES} intra host migration if vCPU creation is in-flight (bsc#1247101). - CVE-2025-38457: net/sched: Abort __tc_modify_qdisc if parent class does not exist (bsc#1247098). - CVE-2025-38460: atm: clip: Fix potential null-ptr-deref in to_atmarpd() (bsc#1247143). - CVE-2025-38461: vsock: Fix transport_* TOCTOU (bsc#1247103). - CVE-2025-38462: vsock: Fix transport_{g2h,h2g} TOCTOU (bsc#1247104). 
- CVE-2025-38463: tcp: Correct signedness in skb remaining space calculation (bsc#1247113). - CVE-2025-38465: netlink: make sure we allow at least one dump skb (bsc#1247118). - CVE-2025-38470: kABI fix for net: vlan: fix VLAN 0 refcount imbalance of toggling (bsc#1247288). - CVE-2025-38471: tls: always refresh the queue when reading sock (bsc#1247450). - CVE-2025-38497: usb: gadget: configfs: Fix OOB read on empty string write (bsc#1247347). - CVE-2025-38498: do_change_type(): refuse to operate on unmounted/not ours mounts (bsc#1247374).

The following non-security bugs were fixed:

- ACPI: LPSS: Remove AudioDSP related ID (git-fixes). - ACPI: PRM: Reduce unnecessary printing to avoid user confusion (bsc#1246122). - ACPI: processor: perflib: Fix initial _PPC limit application (git-fixes). - ACPICA: Refuse to evaluate a method if arguments are missing (stable-fixes). - ALSA: hda/ca0132: Fix missing error handling in ca0132_alt_select_out() (git-fixes). - ALSA: hda/realtek - Add mute LED support for HP Pavilion 15-eg0xxx (stable-fixes). - ALSA: hda/realtek - Enable mute LED on HP Pavilion Laptop 15-eg100 (stable-fixes). - ALSA: hda/realtek: Add quirk for ASUS ROG Strix G712LWS (stable-fixes). - ALSA: hda/tegra: Add Tegra264 support (stable-fixes). - ALSA: hda: Add missing NVIDIA HDA codec IDs (stable-fixes). - ALSA: hda: Add new pci id for AMD GPU display HD audio controller (stable-fixes). - ALSA: hda: Ignore unsol events for cards being shut down (stable-fixes). - ALSA: intel_hdmi: Fix off-by-one error in __hdmi_lpe_audio_probe() (git-fixes). - ALSA: sb: Do not allow changing the DMA mode during operations (stable-fixes). - ALSA: sb: Force to disable DMAs once when DMA mode is changed (stable-fixes). - ASoC: amd: yc: Add DMI quirk for Lenovo IdeaPad Slim 5 15 (stable-fixes). - ASoC: amd: yc: Add quirk for MSI Bravo 17 D7VF internal mic (stable-fixes). - ASoC: amd: yc: add quirk for Acer Nitro ANV15-41 internal mic (stable-fixes).
- ASoC: amd: yc: update quirk data for HP Victus (stable-fixes). - ASoC: codec: wcd9335: Convert to GPIO descriptors (stable-fixes). - ASoC: codecs: wcd9335: Fix missing free of regulator supplies (git-fixes). - ASoC: codecs: wcd9335: Handle nicer probe deferral and simplify with dev_err_probe() (stable-fixes). - ASoC: cs35l56: probe() should fail if the device ID is not recognized (git-fixes). - ASoC: fsl_asrc: use internal measured ratio for non-ideal ratio mode (git-fixes). - ASoC: fsl_xcvr: get channel status data when PHY is not exists (git-fixes). - ASoC: ops: dynamically allocate struct snd_ctl_elem_value (git-fixes). - ASoC: soc-dai: tidyup return value of snd_soc_xlate_tdm_slot_mask() (git-fixes). - Bluetooth: Fix null-ptr-deref in l2cap_sock_resume_cb() (git-fixes). - Bluetooth: L2CAP: Fix L2CAP MTU negotiation (stable-fixes). - Bluetooth: L2CAP: Fix attempting to adjust outgoing MTU (git-fixes). - Bluetooth: MGMT: Fix not generating command complete for MGMT_OP_DISCONNECT (git-fixes). - Bluetooth: MGMT: mesh_send: check instances prior disabling advertising (git-fixes). - Bluetooth: MGMT: set_mesh: update LE scan interval and window (git-fixes). - Bluetooth: Prevent unintended pause by checking if advertising is active (git-fixes). - Bluetooth: SMP: Fix using HCI_ERROR_REMOTE_USER_TERM on timeout (git-fixes). - Bluetooth: SMP: If an unallowed command is received consider it a failure (git-fixes). - Bluetooth: btusb: QCA: Fix downloading wrong NVM for WCN6855 GF variant without board ID (git-fixes). - Bluetooth: hci_conn: Fix sending BT_HCI_CMD_LE_CREATE_CONN_CANCEL (git-fixes). - Bluetooth: hci_event: Fix not marking Broadcast Sink BIS as connected (git-fixes). - Bluetooth: hci_event: Mask data status from LE ext adv reports (git-fixes). - Bluetooth: hci_sync: Attempt to dequeue connection attempt (git-fixes). - Bluetooth: hci_sync: Fix UAF on create_le_conn_complete (git-fixes). 
- Bluetooth: hci_sync: Fix handling of HCI_OP_CREATE_CONN_CANCEL (git-fixes). - Bluetooth: hci_sync: Fix not disabling advertising instance (git-fixes). - Bluetooth: hci_sync: fix connectable extended advertising when using static random address (git-fixes). - Bluetooth: hci_sync: revert some mesh modifications (git-fixes). - Docs/ABI: Fix sysfs-kernel-address_bits path (git-fixes). - Documentation: ACPI: Fix parent device references (git-fixes). - Documentation: usb: gadget: Wrap remaining usage snippets in literal code block (git-fixes). - Fix dma_unmap_sg() nents value (git-fixes) - HID: Add IGNORE quirk for SMARTLINKTECHNOLOGY (stable-fixes). - HID: core: do not bypass hid_hw_raw_request (stable-fixes). - HID: core: ensure __hid_request reserves the report ID as the first byte (git-fixes). - HID: core: ensure the allocated report buffer can contain the reserved report ID (stable-fixes). - HID: lenovo: Add support for ThinkPad X1 Tablet Thin Keyboard Gen2 (stable-fixes). - HID: quirks: Add quirk for 2 Chicony Electronics HP 5MP Cameras (stable-fixes). - IB/mlx5: Fix potential deadlock in MR deregistration (git-fixes) - Input: iqs7222 - explicitly define number of external channels (git-fixes). - Input: xpad - adjust error handling for disconnect (git-fixes). - Input: xpad - set correct controller type for Acer NGR200 (git-fixes). - Input: xpad - support Acer NGR 200 Controller (stable-fixes). - Logitech C-270 even more broken (stable-fixes). - Move upstreamed SCSI and ACPI patches into sorted section - NFS: Fix filehandle bounds checking in nfs_fh_to_dentry() (git-fixes). - NFS: Fix the setting of capabilities when automounting a new filesystem (git-fixes). - NFS: Fix wakeup of __nfs_lookup_revalidate() in unblock_revalidate() (git-fixes). - NFS: Fixup allocation flags for nfsiod's __GFP_NORETRY (git-fixes). - NFSD: detect mismatch of file handle and delegation stateid in OPEN op (git-fixes). - NFSv4.2: another fix for listxattr (git-fixes). 
- NFSv4.2: fix listxattr to return selinux security label (git-fixes). - NFSv4/pNFS: Fix a race to wake on NFS_LAYOUT_DRAIN (git-fixes). - NFSv4: Always set NLINK even if the server does not support it (git-fixes). - NFSv4: xattr handlers should check for absent nfs filehandles (git-fixes). - PCI/MSI: Export pci_msix_prepare_desc() for dynamic MSI-X allocations (bsc#1245457). - PCI: dwc: Make link training more robust by setting PORT_LOGIC_LINK_WIDTH to one lane (stable-fixes). - PCI: endpoint: Fix configfs group list head handling (git-fixes). - PCI: endpoint: Fix configfs group removal on driver teardown (git-fixes). - PCI: endpoint: pci-epf-vntb: Fix the incorrect usage of __iomem attribute (git-fixes). - PCI: endpoint: pci-epf-vntb: Return -ENOENT if pci_epc_get_next_free_bar() fails (git-fixes). - PCI: hv: Allow dynamic MSI-X vector allocation (bsc#1245457). - PCI: rockchip-host: Fix 'Unexpected Completion' log message (git-fixes). - PM / devfreq: Check governor before using governor->name (git-fixes). 
- RDMA/core: Rate limit GID cache warning messages (git-fixes) - RDMA/counter: Check CAP_NET_RAW check in user namespace for RDMA counters (git-fixes) - RDMA/hns: Drop GFP_NOWARN (git-fixes) - RDMA/hns: Fix -Wframe-larger-than issue (git-fixes) - RDMA/hns: Fix HW configurations not cleared in error flow (git-fixes) - RDMA/hns: Fix accessing uninitialized resources (git-fixes) - RDMA/hns: Fix double destruction of rsv_qp (git-fixes) - RDMA/hns: Get message length of ack_req from FW (git-fixes) - RDMA/mlx5: Check CAP_NET_RAW in user namespace for anchor create (git-fixes) - RDMA/mlx5: Check CAP_NET_RAW in user namespace for devx create (git-fixes) - RDMA/mlx5: Check CAP_NET_RAW in user namespace for flow create (git-fixes) - RDMA/mlx5: Fix CC counters query for MPV (git-fixes) - RDMA/mlx5: Fix HW counters query for non-representor devices (git-fixes) - RDMA/mlx5: Fix compilation warning when USER_ACCESS isn't set (git-fixes) - RDMA/mlx5: Fix vport loopback for MPV device (git-fixes) - RDMA/mlx5: Initialize obj_event->obj_sub_list before xa_insert (git-fixes) - RDMA/nldev: Check CAP_NET_RAW in user namespace for QP modify (git-fixes) - RDMA/siw: Fix the sendmsg byte count in siw_tcp_sendpages (git-fixes) - RDMA/uverbs: Add empty rdma_uattrs_has_raw_cap() declaration (git-fixes) - RDMA/uverbs: Check CAP_NET_RAW in user namespace for QP create (git-fixes) - RDMA/uverbs: Check CAP_NET_RAW in user namespace for RAW QP create (git-fixes) - RDMA/uverbs: Check CAP_NET_RAW in user namespace for flow create (git-fixes) - Reapply 'wifi: mac80211: Update skb's control block key in ieee80211_tx_dequeue()' (git-fixes). - Revert 'ACPI: battery: negate current when discharging' (stable-fixes). - Revert 'cgroup_freezer: cgroup_freezing: Check if not frozen' (bsc#1219338). - Revert 'drm/i915/gem: Allow EXEC_CAPTURE on recoverable contexts on DG1' (stable-fixes). - Revert 'mmc: sdhci: Disable SD card clock before changing parameters' (git-fixes). 
- Revert 'usb: xhci: Implement xhci_handshake_check_state() helper' (git-fixes). - Revert 'vgacon: Add check for vc_origin address range in vgacon_scroll()' (stable-fixes). - SMB3: rename macro CIFS_SERVER_IS_CHAN to avoid confusion (git-fixes). - USB: serial: ftdi_sio: add support for NDI EMGUIDE GEMINI (stable-fixes). - USB: serial: option: add Foxconn T99W640 (stable-fixes). - USB: serial: option: add Telit Cinterion FE910C04 (ECM) composition (stable-fixes). - [SMB3] send channel sequence number in SMB3 requests after reconnects (git-fixes). - af_packet: fix the SO_SNDTIMEO constraint not effective on tpacked_snd() (git-fixes). - af_unix: Add a prompt to CONFIG_AF_UNIX_OOB (bsc#1246093). - amd/amdkfd: fix a kfd_process ref leak (stable-fixes). - aoe: clean device rq_list in aoedev_downdev() (git-fixes). - apple-mfi-fastcharge: protect first device name (git-fixes). - ata: pata_cs5536: fix build on 32-bit UML (stable-fixes). - audit,module: restore audit logging in load failure case (git-fixes). - bpf, sockmap: Fix sk_msg_reset_curr (git-fixes). - bpf/lpm_trie: Inline longest_prefix_match for fastpath (git-fixes). - bpf/selftests: Check errno when percpu map value size exceeds (git-fixes). - bpf: Add a possibly-zero-sized read test (git-fixes). - bpf: Avoid __hidden__ attribute in static object (git-fixes). - bpf: Check percpu map value size first (git-fixes). - bpf: Disable some `attribute ignored' warnings in GCC (git-fixes). - bpf: Fix memory leak in bpf_core_apply (git-fixes). - bpf: Fix potential integer overflow in resolve_btfids (git-fixes). - bpf: Harden __bpf_kfunc tag against linker kfunc removal (git-fixes). - bpf: Make the pointer returned by iter next method valid (git-fixes). - bpf: Simplify checking size of helper accesses (git-fixes). - bpf: fix order of args in call to bpf_map_kvcalloc (git-fixes). - bpf: sockmap, updating the sg structure should also update curr (git-fixes). - bpftool: Fix missing pids during link show (git-fixes). 
- bpftool: Fix undefined behavior caused by shifting into the sign bit (git-fixes). - bpftool: Mount bpffs on provided dir instead of parent dir (git-fixes). - bpftool: Remove unnecessary source files from bootstrap version (git-fixes). - bpftool: Un-const bpf_func_info to fix it for llvm 17 and newer (git-fixes). - btrfs: do not ignore inode missing when replaying log tree (git-fixes). - btrfs: do not silently ignore unexpected extent type when replaying log (git-fixes). - btrfs: do not skip remaining extrefs if dir not found during log replay (git-fixes). - btrfs: explicitly ref count block_group on new_bgs list (bsc#1243068) - btrfs: fix assertion when building free space tree (git-fixes). - btrfs: fix inode lookup error handling during log replay (git-fixes). - btrfs: fix invalid inode pointer dereferences during log replay (git-fixes). - btrfs: fix log tree replay failure due to file with 0 links and extents (git-fixes). - btrfs: fix missing error handling when searching for inode refs during log replay (git-fixes). - btrfs: fix non-empty delayed iputs list on unmount due to async workers (git-fixes). - btrfs: fix ssd_spread overallocation (git-fixes). - btrfs: make btrfs_discard_workfn() block_group ref explicit (bsc#1243068) - btrfs: propagate last_unlink_trans earlier when doing a rmdir (git-fixes). - btrfs: rename err to ret in btrfs_rmdir() (git-fixes). - btrfs: return a btrfs_inode from btrfs_iget_logging() (git-fixes). - btrfs: return a btrfs_inode from read_one_inode() (git-fixes). - btrfs: tests: fix chunk map leak after failure to add it to the tree (git-fixes). - btrfs: update superblock's device bytes_used when dropping chunk (git-fixes). - btrfs: use NOFS context when getting inodes during logging and log replay (git-fixes). - btrfs: use btrfs_record_snapshot_destroy() during rmdir (git-fixes). - bus: fsl-mc: Fix potential double device reference in fsl_mc_get_endpoint() (git-fixes). 
- bus: mhi: host: Detect events pointing to unexpected TREs (git-fixes). - can: dev: can_restart(): move debug message and stats after successful restart (stable-fixes). - can: dev: can_restart(): reverse logic to remove need for goto (stable-fixes). - can: kvaser_pciefd: Store device channel index (git-fixes). - can: kvaser_usb: Assign netdev.dev_port based on device channel index (git-fixes). - can: m_can: m_can_handle_lost_msg(): downgrade msg lost in rx message to debug level (git-fixes). - can: netlink: can_changelink(): fix NULL pointer deref of struct can_priv::do_set_mode (git-fixes). - can: peak_usb: fix USB FD devices potential malfunction (git-fixes). - cdc-acm: fix race between initial clearing halt and open (git-fixes). - cgroup,freezer: fix incomplete freezing when attaching tasks (bsc#1245789). - cgroup/cpuset: Extend kthread_is_per_cpu() check to all PF_NO_SETAFFINITY tasks (bsc#1241166). - cifs: reconnect helper should set reconnect for the right channel (git-fixes). - clk: clk-axi-clkgen: fix fpfd_max frequency for zynq (git-fixes). - clk: davinci: Add NULL check in davinci_lpsc_clk_register() (git-fixes). - clk: sunxi-ng: v3s: Fix de clock definition (git-fixes). - clk: xilinx: vcu: unregister pll_post only if registered correctly (git-fixes). - clocksource: Scale the watchdog read retries automatically (bsc#1241345 bsc#1244457). - clocksource: Set cs_watchdog_read() checks based on .uncertainty_margin (bsc#1241345 bsc#1244457). - comedi: Fail COMEDI_INSNLIST ioctl if n_insns is too large (git-fixes). - comedi: Fix initialization of data for instructions that write to subdevice (git-fixes). - comedi: Fix some signed shift left operations (git-fixes). - comedi: Fix use of uninitialized data in insn_rw_emulate_bits() (git-fixes). - comedi: aio_iiro_16: Fix bit shift out of bounds (git-fixes). - comedi: das16m1: Fix bit shift out of bounds (git-fixes). - comedi: das6402: Fix bit shift out of bounds (git-fixes). 
- comedi: pcl812: Fix bit shift out of bounds (git-fixes). - compiler_types.h: Define __retain for __attribute__((__retain__)) (git-fixes). - config: enable RBD (jsc#PED-13238) - crypto: arm/aes-neonbs - work around gcc-15 warning (git-fixes). - crypto: ccp - Fix crash when rebind ccp device for ccp.ko (git-fixes). - crypto: ccp - Fix locking on alloc failure handling (git-fixes). - crypto: img-hash - Fix dma_unmap_sg() nents value (git-fixes). - crypto: inside-secure - Fix `dma_unmap_sg()` nents value (git-fixes). - crypto: keembay - Fix dma_unmap_sg() nents value (git-fixes). - crypto: marvell/cesa - Fix engine load inaccuracy (git-fixes). - crypto: qat - allow enabling VFs in the absence of IOMMU (git-fixes). - crypto: qat - disable ZUC-256 capability for QAT GEN5 (git-fixes). - crypto: qat - fix DMA direction for compression on GEN2 devices (git-fixes). - crypto: qat - fix seq_file position update in adf_ring_next() (git-fixes). - crypto: qat - fix state restore for banks with exceptions (git-fixes). - crypto: qat - flush misc workqueue during device shutdown (git-fixes). - crypto: qat - use unmanaged allocation for dc_data (git-fixes). - crypto: sun8i-ce - fix nents passed to dma_unmap_sg() (git-fixes). - dm-bufio: fix sched in atomic context (git-fixes). - dm-flakey: error all IOs when num_features is absent (git-fixes). - dm-flakey: make corrupting read bios work (git-fixes). - dm-mirror: fix a tiny race condition (git-fixes). - dm-raid: fix variable in journal device check (git-fixes). - dm-verity: fix a memory leak if some arguments are specified multiple times (git-fixes). - dm: do not change md if dm_table_set_restrictions() fails (git-fixes). - dm: free table mempools if not used in __bind (git-fixes). - dm: restrict dm device size to 2^63-512 bytes (git-fixes). - dma-buf: fix timeout handling in dma_resv_wait_timeout v2 (stable-fixes). - dmaengine: dw-edma: Drop unused dchan2dev() and chan2dev() (git-fixes). 
- dmaengine: idxd: Check availability of workqueue allocated by idxd wq driver before using (stable-fixes). - dmaengine: mv_xor: Fix missing check after DMA map and missing unmap (git-fixes). - dmaengine: nbpfaxi: Add missing check after DMA map (git-fixes). - dmaengine: nbpfaxi: Fix memory corruption in probe() (git-fixes). - dmaengine: qcom: gpi: Drop unused gpi_write_reg_field() (git-fixes). - dmaengine: xilinx_dma: Set dma_device directions (stable-fixes). - drm/amd/display: Do not overwrite dce60_clk_mgr (git-fixes). - drm/amd/pm/powerplay/hwmgr/smu_helper: fix order of mask and value (git-fixes). - drm/amdgpu/gfx8: reset compute ring wptr on the GPU on resume (git-fixes). - drm/amdgpu: amdgpu_vram_mgr_new(): Clamp lpfn to total vram (stable-fixes). - drm/amdkfd: Fix race in GWS queue scheduling (stable-fixes). - drm/bridge: panel: move prepare_prev_first handling to drm_panel_bridge_add_typed (git-fixes). - drm/bridge: ti-sn65dsi86: Add HPD for DisplayPort connector type (git-fixes). - drm/bridge: ti-sn65dsi86: Remove extra semicolon in ti_sn_bridge_probe() (git-fixes). - drm/bridge: ti-sn65dsi86: make use of debugfs_init callback (stable-fixes). - drm/exynos: exynos7_drm_decon: add vblank check in IRQ handling (git-fixes). - drm/exynos: fimd: Guard display clock control with runtime PM calls (git-fixes). - drm/framebuffer: Acquire internal references on GEM handles (git-fixes). - drm/gem: Acquire references on GEM handles for framebuffers (stable-fixes). - drm/gem: Fix race in drm_gem_handle_create_tail() (stable-fixes). - drm/i915/gsc: mei interrupt top half should be in irq disabled context (git-fixes). - drm/i915/gt: Fix timeline left held on VMA alloc error (git-fixes). - drm/i915/selftests: Change mock_request() to return error pointers (git-fixes). - drm/msm/dpu: Fill in min_prefill_lines for SC8180X (git-fixes). - drm/msm: Fix a fence leak in submit error path (stable-fixes). - drm/msm: Fix another leak in the submit error path (stable-fixes). 
- drm/panfrost: Fix panfrost device variable name in devfreq (git-fixes). - drm/rockchip: cleanup fb when drm_gem_fb_afbc_init failed (git-fixes). - drm/sched: Increment job count before swapping tail spsc queue (git-fixes). - drm/sched: Remove optimization that causes hang when killing dependent jobs (git-fixes). - drm/scheduler: signal scheduled fence when kill job (stable-fixes). - drm/tegra: nvdec: Fix dma_alloc_coherent error check (git-fixes). - drm/ttm: fix error handling in ttm_buffer_object_transfer (git-fixes). - drm/vmwgfx: Fix Host-Backed userspace on Guest-Backed kernel (git-fixes). - exfat: fdatasync flag should be same like generic_write_sync() (git-fixes). - fbcon: Fix outdated registered_fb reference in comment (git-fixes). - fbdev: imxfb: Check fb_add_videomode to prevent null-ptr-deref (git-fixes). - firewire: ohci: correct code comments about bus_reset tasklet (git-fixes). - fs/jfs: consolidate sanity checking in dbMount (git-fixes). - fs/orangefs: Allow 2 more characters in do_c_string() (git-fixes). - gpio: mlxbf2: use platform_get_irq_optional() (git-fixes). - gpio: pca953x: log an error when failing to get the reset GPIO (git-fixes). - gpio: sim: include a missing header (git-fixes). - gpio: vf610: add locking to gpio direction functions (git-fixes). - gpio: virtio: Fix config space reading (git-fixes). - gpiolib: Fix debug messaging in gpiod_find_and_request() (git-fixes). - gpiolib: Handle no pin_ranges in gpiochip_generic_config() (git-fixes). - gpiolib: acpi: Do not use GPIO chip fwnode in acpi_gpiochip_find() (bsc#1233300). - gpiolib: acpi: Fix failed in acpi_gpiochip_find() by adding parent node match (bsc#1233300). - gpiolib: cdev: Ignore reconfiguration without direction (git-fixes). - gpiolib: of: Add polarity quirk for s5m8767 (stable-fixes). - hfs: make splice write available again (git-fixes). - hfsplus: make splice write available again (git-fixes). - hfsplus: remove mutex_lock check in hfsplus_free_extents (git-fixes). 
- hv_netvsc: Use VF's tso_max_size value when data path is VF (bsc#1246203). - hwmon: (corsair-cpro) Validate the size of the received input buffer (git-fixes). - hwmon: (gsc-hwmon) fix fan pwm setpoint show functions (git-fixes). - hwmon: (pmbus/max34440) Fix support for max34451 (stable-fixes). - hwrng: mtk - handle devm_pm_runtime_enable errors (git-fixes). - i2c/designware: Fix an initialization issue (git-fixes). - i2c: qup: jump out of the loop in case of timeout (git-fixes). - i2c: stm32: fix the device used for the DMA map (git-fixes). - i2c: tegra: Fix reset error handling with ACPI (git-fixes). - i2c: virtio: Avoid hang by using interruptible completion wait (git-fixes). - i3c: fix module_i3c_i2c_driver() with I3C=n (git-fixes). - iio: accel: fxls8962af: Fix use after free in fxls8962af_fifo_flush (git-fixes). - iio: adc: ad7949: use spi_is_bpw_supported() (git-fixes). - iio: adc: ad_sigma_delta: Fix use of uninitialized status_pos (stable-fixes). - iio: adc: ad_sigma_delta: change to buffer predisable (git-fixes). - iio: adc: max1363: Fix MAX1363_4X_CHANS/MAX1363_8X_CHANS[] (stable-fixes). - iio: adc: max1363: Reorder mode_list[] entries (stable-fixes). - iio: adc: stm32-adc: Fix race in installing chained IRQ handler (git-fixes). - iio: imu: bno055: fix OOB access of hw_xlate array (git-fixes). - iio: pressure: zpa2326: Use aligned_s64 for the timestamp (stable-fixes). - iommu/amd: Fix geometry.aperture_end for V2 tables (git-fixes). - iommu/amd: Set the pgsize_bitmap correctly (git-fixes). - iommu/arm-smmu-qcom: Add SM6115 MDSS compatible (git-fixes). - iommu/vt-d: Fix possible circular locking dependency (git-fixes). - iommu/vt-d: Fix system hang on reboot -f (git-fixes). - ipv6: fix possible infinite loop in fib6_info_uses_dev() (git-fixes). - ipv6: mcast: Delay put pmc->idev in mld_del_delrec() (git-fixes). - ipv6: prevent infinite loop in rt6_nlmsg_size() (git-fixes). - ipv6: reject malicious packets in ipv6_gso_segment() (git-fixes). 
- iwlwifi: Add missing check for alloc_ordered_workqueue (git-fixes). - jfs: fix metapage reference count leak in dbAllocCtl (git-fixes). - kABI workaround for struct drm_framebuffer changes (git-fixes). - kABI: Fix the module::name type in audit_context (git-fixes). - kasan: remove kasan_find_vm_area() to prevent possible deadlock (git-fixes). - kernel-syms.spec: Drop old rpm release number hack (bsc#1247172). - leds: multicolor: Fix intensity setting while SW blinking (stable-fixes). - lib/group_cpus.c: avoid acquiring cpu hotplug lock in group_cpus_evenly (bsc#1236897). - lib/group_cpus: fix NULL pointer dereference from group_cpus_evenly() (bsc#1236897). - maple_tree: fix mt_destroy_walk() on root leaf node (git-fixes). - md/md-bitmap: fix dm-raid max_write_behind setting (git-fixes). - media: gspca: Add bounds checking to firmware parser (git-fixes). - media: hi556: correct the test pattern configuration (git-fixes). - media: imx: fix a potential memory leak in imx_media_csc_scaler_device_init() (git-fixes). - media: ov2659: Fix memory leaks in ov2659_probe() (git-fixes). - media: rainshadow-cec: fix TOCTOU race condition in rain_interrupt() (git-fixes). - media: usbtv: Lock resolution while streaming (git-fixes). - media: uvcvideo: Do not mark valid metadata as invalid (git-fixes). - media: uvcvideo: Fix 1-byte out-of-bounds read in uvc_parse_format() (git-fixes). - media: v4l2-ctrls: Do not reset handler's error in v4l2_ctrl_handler_free() (git-fixes). - media: v4l2-ctrls: Fix H264 SEPARATE_COLOUR_PLANE check (git-fixes). - media: venus: Add a check for packet size after reading from shared memory (git-fixes). - media: venus: hfi: explicitly release IRQ during teardown (git-fixes). - media: venus: protect against spurious interrupts during probe (git-fixes). - media: venus: vdec: Clamp param smaller than 1fps and bigger than 240 (git-fixes). - media: venus: venc: Clamp param smaller than 1fps and bigger than 240 (git-fixes). 
- media: vivid: fix wrong pixel_array control size (git-fixes). - memstick: core: Zero initialize id_reg in h_memstick_read_dev_id() (git-fixes). - mfd: max14577: Fix wakeup source leaks on device unbind (stable-fixes). - misc: rtsx: usb: Ensure mmc child device is active when card is present (git-fixes). - mmc: bcm2835: Fix dma_unmap_sg() nents value (git-fixes). - mmc: core: sd: Apply BROKEN_SD_DISCARD quirk earlier (git-fixes). - mmc: sdhci-pci: Quirk for broken command queuing on Intel GLK-based Positivo models (git-fixes). - mmc: sdhci: Add a helper function for dump register in dynamic debug mode (stable-fixes). - mmc: sdhci_am654: Workaround for Errata i2312 (git-fixes). - module: Fix memory deallocation on error path in move_module() (git-fixes). - module: Remove unnecessary +1 from last_unloaded_module::name size (git-fixes). - module: Restore the moduleparam prefix length check (git-fixes). - mtd: fix possible integer overflow in erase_xfer() (git-fixes). - mtd: rawnand: atmel: Fix dma_mapping_error() address (git-fixes). - mtd: rawnand: atmel: set pmecc data setup time (git-fixes). - mtd: rawnand: fsmc: Add missing check after DMA map (git-fixes). - mtd: rawnand: renesas: Add missing check after DMA map (git-fixes). - mtd: rawnand: rockchip: Add missing check after DMA map (git-fixes). - mtd: spi-nor: Fix spi_nor_try_unlock_all() (git-fixes). - mtd: spinand: fix memory leak of ECC engine conf (stable-fixes). - mtd: spinand: propagate spinand_wait() errors from spinand_write_page() (git-fixes). - mtk-sd: Fix a pagefault in dma_unmap_sg() for not prepared data (git-fixes). - mtk-sd: Prevent memory corruption from DMA map failure (git-fixes). - mtk-sd: reset host->mrq on prepare_data() error (git-fixes). - mwl8k: Add missing check after DMA map (git-fixes). - nbd: fix uaf in nbd_genl_connect() error path (git-fixes). - net/packet: fix a race in packet_set_ring() and packet_notifier() (git-fixes). 
- net/sched: Restrict conditions for adding duplicating netems to qdisc tree (git-fixes). - net/sched: Return NULL when htb_lookup_leaf encounters an empty rbtree (git-fixes). - net/sched: mqprio: fix stack out-of-bounds write in tc entry parsing (git-fixes). - net/sched: sch_qfq: Avoid triggering might_sleep in atomic context in qfq_delete_class (git-fixes). - net/sched: sch_qfq: Fix race condition on qfq_aggregate (git-fixes). - net/sched: taprio: enforce minimum value for picos_per_byte (git-fixes). - net: mana: Add debug logs in MANA network driver (bsc#1246212). - net: mana: Add handler for hardware servicing events (bsc#1245730). - net: mana: Allocate MSI-X vectors dynamically (bsc#1245457). - net: mana: Allow irq_setup() to skip cpus for affinity (bsc#1245457). - net: mana: Allow tso_max_size to go up-to GSO_MAX_SIZE (bsc#1246203). - net: mana: Expose additional hardware counters for drop and TC via ethtool (bsc#1245729). - net: mana: Set tx_packets to post gso processing packet count (bsc#1245731). - net: mana: explain irq_setup() algorithm (bsc#1245457). - net: phy: Do not register LEDs for genphy (git-fixes). - net: phy: micrel: fix KSZ8081/KSZ8091 cable test (git-fixes). - net: phy: microchip: limit 100M workaround to link-down events on LAN88xx (git-fixes). - net: phy: smsc: Fix Auto-MDIX configuration when disabled by strap (git-fixes). - net: phy: smsc: Fix link failure in forced mode with Auto-MDIX (git-fixes). - net: usb: lan78xx: fix WARN in __netif_napi_del_locked on disconnect (git-fixes). - net: usb: qmi_wwan: add SIMCom 8230C composition (stable-fixes). - net: usbnet: Avoid potential RCU stall on LINK_CHANGE event (git-fixes). - net: usbnet: Fix the wrong netif_carrier_on() call (git-fixes). - netpoll: prevent hanging NAPI when netcons gets enabled (git-fixes). - nfs: Clean up /proc/net/rpc/nfs when nfs_fs_proc_net_init() fails (git-fixes). - nfsd: handle get_client_locked() failure in nfsd4_setclientid_confirm() (git-fixes). 
- nilfs2: reject invalid file types when reading inodes (git-fixes). - nvme-pci: refresh visible attrs after being checked (git-fixes). - nvme: Fix incorrect cdw15 value in passthru error logging (git-fixes). - nvme: fix endianness of command word prints in nvme_log_err_passthru() (git-fixes). - nvme: fix inconsistent RCU list manipulation in nvme_ns_add_to_ctrl_list() (git-fixes). - nvme: fix misaccounting of nvme-mpath inflight I/O (git-fixes). - nvmet-tcp: fix callback lock for TLS handshake (git-fixes). - objtool: Fix INSN_CONTEXT_SWITCH handling in validate_unret() (git-fixes). - objtool: Fix UNWIND_HINT_{SAVE,RESTORE} across basic blocks (git-fixes). - objtool: Fix _THIS_IP_ detection for cold functions (git-fixes). - objtool: Fix error handling inconsistencies in check() (git-fixes). - objtool: Ignore dangling jump table entries (git-fixes). - objtool: Ignore end-of-section jumps for KCOV/GCOV (git-fixes). - objtool: Properly disable uaccess validation (git-fixes). - objtool: Silence more KCOV warnings (git-fixes). - objtool: Silence more KCOV warnings, part 2 (git-fixes). - objtool: Stop UNRET validation on UD2 (git-fixes). - pNFS/flexfiles: do not attempt pnfs on fatal DS errors (git-fixes). - pch_uart: Fix dma_sync_sg_for_device() nents value (git-fixes). - perf: Fix sample vs do_exit() (bsc#1246547). - phy: tegra: xusb: Fix unbalanced regulator disable in UTMI PHY mode (git-fixes). - pinctrl: amd: Clear GPIO debounce for suspend (git-fixes). - pinctrl: qcom: msm: mark certain pins as invalid for interrupts (git-fixes). - pinctrl: sunxi: Fix memory leak on krealloc failure (git-fixes). - pinmux: fix race causing mux_owner NULL with active mux_usecount (git-fixes). - platform/chrome: cros_ec: Unregister notifier in cros_ec_unregister() (git-fixes). - platform/mellanox: mlxbf-pmc: Fix duplicate event ID for CACHE_DATA1 (git-fixes). - platform/mellanox: mlxbf-tmfifo: fix vring_desc.len assignment (git-fixes). 
- platform/mellanox: mlxreg-lc: Fix logic error in power state check (git-fixes). - platform/mellanox: nvsw-sn2201: Fix bus number in adapter error message (git-fixes). - platform/x86/amd/pmc: Add PCSpecialist Lafite Pro V 14M to 8042 quirks list (stable-fixes). - platform/x86: dell-wmi-sysman: Fix WMI data block retrieval in sysfs callbacks (git-fixes). - platform/x86: ideapad-laptop: Fix kbd backlight not remembered among boots (git-fixes). - platform/x86: think-lmi: Create ksets consecutively (stable-fixes). - platform/x86: think-lmi: Fix kobject cleanup (git-fixes). - platform/x86: think-lmi: Fix sysfs group cleanup (git-fixes). - power: supply: cpcap-charger: Fix null check for power_supply_get_by_name (git-fixes). - power: supply: max14577: Handle NULL pdata when CONFIG_OF is not set (git-fixes). - powercap: call put_device() on an error path in powercap_register_control_type() (stable-fixes). - powercap: dtpm_cpu: Fix NULL pointer dereference in get_pd_power_uw() (git-fixes). - powercap: intel_rapl: Do not change CLAMPING bit if ENABLE bit cannot be changed (git-fixes). - powerpc/bpf: enforce full ordering for ATOMIC operations with BPF_FETCH (git-fixes). - ptp: fix breakage after ptp_vclock_in_use() rework (bsc#1246506). - pwm: imx-tpm: Reset counter if CMOD is 0 (git-fixes). - pwm: mediatek: Ensure to disable clocks in error path (git-fixes). - regmap: fix potential memory leak of regmap_bus (git-fixes). - regulator: fan53555: add enable_time support and soft-start times (stable-fixes). - regulator: gpio: Fix the out-of-bounds access to drvdata::gpiods (git-fixes). - regulator: pwm-regulator: Calculate the output voltage for disabled PWMs (stable-fixes). - resource: fix false warning in __request_region() (git-fixes). - restore UCSI_CONNECTOR_RESET_HARD definition (git-fixes). - ring-buffer: Do not allow events in NMI with generic atomic64 cmpxchg() (git-fixes). - rose: fix dangling neighbour pointers in rose_rt_device_down() (git-fixes). 
- rpl: Fix use-after-free in rpl_do_srh_inline() (git-fixes). - rpm/mkspec: Fix missing kernel-syms-rt creation (bsc#1244337) - rtc: ds1307: fix incorrect maximum clock rate handling (git-fixes). - rtc: hym8563: fix incorrect maximum clock rate handling (git-fixes). - rtc: nct3018y: fix incorrect maximum clock rate handling (git-fixes). - rtc: pcf85063: fix incorrect maximum clock rate handling (git-fixes). - rtc: pcf8563: fix incorrect maximum clock rate handling (git-fixes). - rtc: rv3028: fix incorrect maximum clock rate handling (git-fixes). - s390/bpf: Fix bpf_arch_text_poke() with new_addr == NULL again (git-fixes bsc#1246870). - s390/entry: Fix last breaking event handling in case of stack corruption (git-fixes bsc#1243806). - s390/pci: Do not try re-enabling load/store if device is disabled (git-fixes bsc#1245646). - s390/pci: Fix stale function handles in error handling (git-fixes bsc#1245647). - s390/pkey: Prevent overflow in size calculation for memdup_user() (git-fixes bsc#1245598). - s390: Add z17 elf platform (LTC#214086 bsc#1245540). - samples: mei: Fix building on musl libc (git-fixes). - sched,freezer: Remove unnecessary warning in __thaw_task (bsc#1219338). - sched: Add test_and_clear_wake_up_bit() and atomic_dec_and_wake_up() (git-fixes). - scsi: core: Enforce unlimited max_segment_size when virt_boundary_mask is set (git-fixes). - scsi: lpfc: Check for hdwq null ptr when cleaning up lpfc_vport structure (bsc#1245260 bsc#1243100 bsc#1246125). - scsi: lpfc: Copyright updates for 14.4.0.10 patches (bsc#1245260 bsc#1243100 bsc#1246125). - scsi: lpfc: Early return out of FDMI cmpl for locally rejected statuses (bsc#1245260 bsc#1243100 bsc#1246125). - scsi: lpfc: Ensure HBA_SETUP flag is used only for SLI4 in dev_loss_tmo_callbk (bsc#1245260 bsc#1243100 bsc#1246125). - scsi: lpfc: Modify end-of-life adapters' model descriptions (bsc#1245260 bsc#1243100 bsc#1246125 bsc#1204142). 
- scsi: lpfc: Move clearing of HBA_SETUP flag to before lpfc_sli4_queue_unset (bsc#1245260 bsc#1243100 bsc#1246125). - scsi: lpfc: Relocate clearing initial phba flags from link up to link down hdlr (bsc#1245260 bsc#1243100 bsc#1246125). - scsi: lpfc: Revise CQ_CREATE_SET mailbox bitfield definitions (bsc#1245260 bsc#1243100 bsc#1246125). - scsi: lpfc: Revise logging format for failed CT MIB requests (bsc#1245260 bsc#1243100 bsc#1246125). - scsi: lpfc: Simplify error handling for failed lpfc_get_sli4_parameters cmd (bsc#1245260 bsc#1243100 bsc#1246125). - scsi: lpfc: Skip RSCN processing when FC_UNLOADING flag is set (bsc#1245260 bsc#1243100 bsc#1246125). - scsi: lpfc: Update debugfs trace ring initialization messages (bsc#1245260 bsc#1243100 bsc#1246125). - scsi: lpfc: Update lpfc version to 14.4.0.10 (bsc#1245260 bsc#1243100 bsc#1246125). - scsi: megaraid_sas: Fix invalid node index (git-fixes). - scsi: qla2xxx: Fix DMA mapping test in qla24xx_get_port_database() (git-fixes). - scsi: qla4xxx: Fix missing DMA mapping error in qla4xxx_alloc_pdu() (git-fixes). - scsi: s390: zfcp: Ensure synchronous unit_add (git-fixes bsc#1245599). - selftests/bpf: Add CFLAGS per source file and runner (git-fixes). - selftests/bpf: Add tests for iter next method returning valid pointer (git-fixes). - selftests/bpf: Change functions definitions to support GCC (git-fixes). - selftests/bpf: Fix a few tests for GCC related warnings (git-fixes). - selftests/bpf: Fix pointer arithmetic in test_xdp_do_redirect (git-fixes). - selftests/bpf: Fix prog numbers in test_sockmap (git-fixes). - smb3: move server check earlier when setting channel sequence number (git-fixes). - soc/tegra: cbb: Clear ERR_FORCE register with ERR_STATUS (git-fixes). - soc: aspeed: lpc-snoop: Cleanup resources in stack-order (git-fixes). - soc: aspeed: lpc-snoop: Do not disable channels that are not enabled (git-fixes). - soc: qcom: QMI encoding/decoding for big endian (git-fixes). 
- soc: qcom: fix endianness for QMI header (git-fixes). - soc: qcom: pmic_glink: fix OF node leak (git-fixes). - soundwire: amd: fix for clearing command status register (git-fixes). - soundwire: stream: restore params when prepare ports fail (git-fixes). - spi: spi-fsl-dspi: Clear completion counter before initiating transfer (git-fixes). - staging: axis-fifo: remove sysfs interface (git-fixes). - staging: fbtft: fix potential memory leak in fbtft_framebuffer_alloc() (git-fixes). - staging: nvec: Fix incorrect null termination of battery manufacturer (git-fixes). - struct cdns: move new member to the end (git-fixes). - struct ucsi_operations: use padding for new operation (git-fixes). - sunrpc: do not immediately retransmit on seqno miss (git-fixes). - sunrpc: fix client side handling of tls alerts (git-fixes). - tcp: call tcp_measure_rcv_mss() for ooo packets (git-fixes). - thunderbolt: Fix bit masking in tb_dp_port_set_hops() (git-fixes). - thunderbolt: Fix copy+paste error in match_service_id() (git-fixes). - thunderbolt: Fix wake on connect at runtime (git-fixes). - tracing/kprobe: Make trace_kprobe's module callback called after jump_label update (git-fixes). - tracing/kprobes: Fix to free objects when failed to copy a symbol (git-fixes). - types: Complement the aligned types with signed 64-bit one (stable-fixes). - ucount: fix atomic_long_inc_below() argument type (git-fixes). - ucsi-glink: adapt to kABI consistency (git-fixes). - ucsi_ccg: Refine the UCSI Interrupt handling (git-fixes). - ucsi_operations: add stubs for all operations (git-fixes). - ucsi_ops: adapt update_connector to kABI consistency (git-fixes). - usb: Add checks for snprintf() calls in usb_alloc_dev() (stable-fixes). - usb: atm: cxacru: Merge cxacru_upload_firmware() into cxacru_heavy_init() (git-fixes). - usb: cdc-wdm: avoid setting WDM_READ for ZLP-s (stable-fixes). - usb: cdnsp: Fix issue with CV Bad Descriptor test (git-fixes). 
- usb: cdnsp: Fix issue with resuming from L1 (git-fixes). - usb: cdnsp: Replace snprintf() with the safer scnprintf() variant (stable-fixes). - usb: cdnsp: do not disable slot for disabled slot (git-fixes). - usb: chipidea: udc: disconnect/reconnect from host when do suspend/resume (git-fixes). - usb: common: usb-conn-gpio: use a unique name for usb connector device (stable-fixes). - usb: dwc2: also exit clock_gating when stopping udc while suspended (stable-fixes). - usb: dwc3: meson-g12a: fix device leaks at unbind (git-fixes). - usb: early: xhci-dbc: Fix early_ioremap leak (git-fixes). - usb: gadget : fix use-after-free in composite_dev_cleanup() (git-fixes). - usb: gadget: u_serial: Fix race condition in TTY wakeup (git-fixes). - usb: gadget: udc: renesas_usb3: fix device leak at unbind (git-fixes). - usb: host: xhci-plat: fix incorrect type for of_match variable in xhci_plat_probe() (git-fixes). - usb: hub: Do not try to recover devices lost during warm reset (git-fixes). - usb: misc: apple-mfi-fastcharge: Make power supply names unique (git-fixes). - usb: musb: fix gadget state on disconnect (git-fixes). - usb: musb: omap2430: fix device leak at unbind (git-fixes). - usb: net: sierra: check for no status endpoint (git-fixes). - usb: potential integer overflow in usbg_make_tpg() (stable-fixes). - usb: typec: Update sysfs when setting ops (git-fixes). - usb: typec: altmodes/displayport: do not index invalid pin_assignments (git-fixes). - usb: typec: displayport: Fix potential deadlock (git-fixes). - usb: typec: displayport: Receive DP Status Update NAK request exit dp altmode (stable-fixes). - usb: typec: mux: do not return on EOPNOTSUPP in {mux, switch}_set (stable-fixes). - usb: typec: tcpm: allow switching to mode accessory to mux properly (stable-fixes). - usb: typec: tcpm: allow to use sink in accessory mode (stable-fixes). - usb: typec: tcpm: apply vbus before data bringup in tcpm_src_attach (git-fixes). 
- usb: typec: ucsi: Add DATA_RESET option of Connector Reset command (git-fixes). - usb: typec: ucsi: Add qcm6490-pmic-glink as needing PDOS quirk (git-fixes). - usb: typec: ucsi: Delay alternate mode discovery (git-fixes). - usb: typec: ucsi: Fix busy loop on ASUS VivoBooks (git-fixes). - usb: typec: ucsi: Fix the partner PD revision (git-fixes). - usb: typec: ucsi: Get PD revision for partner (git-fixes). - usb: typec: ucsi: Set orientation as none when connector is unplugged (git-fixes). - usb: typec: ucsi: Update power_supply on power role change (git-fixes). - usb: typec: ucsi: add callback for connector status updates (git-fixes). - usb: typec: ucsi: add update_connector callback (git-fixes). - usb: typec: ucsi: do not retrieve PDOs if not supported (git-fixes). - usb: typec: ucsi: extract code to read PD caps (git-fixes). - usb: typec: ucsi: fix UCSI on SM8550 & SM8650 Qualcomm devices (git-fixes). - usb: typec: ucsi: glink: fix off-by-one in connector_status (git-fixes). - usb: typec: ucsi: glink: increase max ports for x1e80100 (git-fixes). - usb: typec: ucsi: glink: move GPIO reading into connector_status callback (git-fixes). - usb: typec: ucsi: glink: use typec_set_orientation (git-fixes). - usb: typec: ucsi: move ucsi_acknowledge() from ucsi_read_error() (git-fixes). - usb: typec: ucsi: properly register partner's PD device (git-fixes). - usb: typec: ucsi: support delaying GET_PDOS for device (git-fixes). - usb: typec: ucsi_acpi: Add LG Gram quirk (git-fixes). - usb: typec: ucsi_glink: drop NO_PARTNER_PDOS quirk for sm8550 / sm8650 (git-fixes). - usb: typec: ucsi_glink: enable the UCSI_DELAY_DEVICE_PDOS quirk (git-fixes). - usb: typec: ucsi_glink: enable the UCSI_DELAY_DEVICE_PDOS quirk on qcm6490 (git-fixes). - usb: typec: ucsi_glink: rework quirks implementation (git-fixes). - usb: xhci: Skip xhci_reset in xhci_resume if xhci is being removed (git-fixes). - usb: xhci: quirk for data loss in ISOC transfers (stable-fixes). 
- usb:cdnsp: remove TRB_FLUSH_ENDPOINT command (stable-fixes). - virtgpu: do not reset on shutdown (git-fixes). - vmci: Prevent the dispatching of uninitialized payloads (git-fixes). - vt: add missing notification when switching back to text mode (stable-fixes). - vt: defkeymap: Map keycodes above 127 to K_HOLE (git-fixes). - vt: keyboard: Do not process Unicode characters in K_OFF mode (git-fixes). - watchdog: ziirave_wdt: check record length in ziirave_firm_verify() (git-fixes). - wifi: ath11k: clear initialized flag for deinit-ed srng lists (git-fixes). - wifi: ath11k: fix dest ring-buffer corruption (git-fixes). - wifi: ath11k: fix dest ring-buffer corruption when ring is full (git-fixes). - wifi: ath11k: fix sleeping-in-atomic in ath11k_mac_op_set_bitrate_mask() (git-fixes). - wifi: ath11k: fix source ring-buffer corruption (git-fixes). - wifi: ath11k: fix suspend use-after-free after probe failure (git-fixes). - wifi: ath12k: fix dest ring-buffer corruption (git-fixes). - wifi: ath12k: fix dest ring-buffer corruption when ring is full (git-fixes). - wifi: ath12k: fix endianness handling while accessing wmi service bit (git-fixes). - wifi: ath12k: fix source ring-buffer corruption (git-fixes). - wifi: ath6kl: remove WARN on bad firmware input (stable-fixes). - wifi: brcmfmac: fix P2P discovery failure in P2P peer due to missing P2P IE (git-fixes). - wifi: brcmsmac: Remove const from tbl_ptr parameter in wlc_lcnphy_common_read_table() (git-fixes). - wifi: iwlwifi: Fix error code in iwl_op_mode_dvm_start() (git-fixes). - wifi: iwlwifi: Fix memory leak in iwl_mvm_init() (git-fixes). - wifi: iwlwifi: return ERR_PTR from opmode start() (stable-fixes). - wifi: mac80211: Add link iteration macro for link data (stable-fixes). - wifi: mac80211: Check 802.11 encaps offloading in ieee80211_tx_h_select_key() (git-fixes). - wifi: mac80211: Do not call fq_flow_idx() for management frames (git-fixes). - wifi: mac80211: Do not schedule stopped TXQs (git-fixes). 
- wifi: mac80211: chan: chandef is non-NULL for reserved (stable-fixes). - wifi: mac80211: drop invalid source address OCB frames (stable-fixes). - wifi: mac80211: reject TDLS operations when station is not associated (git-fixes). - wifi: mt76: mt7925: Fix null-ptr-deref in mt7925_thermal_init() (git-fixes). - wifi: mt76: mt7925: fix invalid array index in ssid assignment during hw scan (git-fixes). - wifi: mt76: mt7925: fix the wrong config for tx interrupt (git-fixes). - wifi: plfxlc: Fix error handling in usb driver probe (git-fixes). - wifi: prevent A-MSDU attacks in mesh networks (stable-fixes). - wifi: rtl818x: Kill URBs before clearing tx status queue (git-fixes). - wifi: rtw89: avoid NULL dereference when RX problematic packet on unsupported 6 GHz band (git-fixes). - wifi: zd1211rw: Fix potential NULL pointer dereference in zd_mac_tx_to_dev() (git-fixes). - x86/cpu/amd: Fix workaround for erratum 1054 (git-fixes). - x86/mce/amd: Add default names for MCA banks and blocks (git-fixes). - x86/mce/amd: Fix threshold limit reset (git-fixes). - x86/mce: Do not remove sysfs if thresholding sysfs init fails (git-fixes). - x86/mce: Make sure CMCI banks are cleared during shutdown on Intel (git-fixes). - x86/tdx: Fix __noreturn build warning around __tdx_hypercall_failed() (git-fixes). - x86/traps: Initialize DR6 by writing its architectural reset value (git-fixes). - x86/virt/tdx: Avoid indirect calls to TDX assembly functions (git-fixes). - x86: UV RTC: Add parameter to disable RTC clocksource (bsc#1241345). - xfs: fix off-by-one error in fsmap's end_daddr usage (bsc#1235837). - xfs: only create event xfs_file_compat_ioctl when CONFIG_COMPAT is configure (git-fixes). - xfs: remove unused event xfs_alloc_near_error (git-fixes). - xfs: remove unused event xfs_alloc_near_nominleft (git-fixes). - xfs: remove unused event xfs_attr_node_removename (git-fixes). - xfs: remove unused event xfs_ioctl_clone (git-fixes). 
- xfs: remove unused event xfs_pagecache_inval (git-fixes). - xfs: remove unused event xlog_iclog_want_sync (git-fixes). - xfs: remove unused trace event xfs_attr_remove_iter_return (git-fixes). - xfs: remove unused trace event xfs_attr_rmtval_set (git-fixes). - xfs: remove unused trace event xfs_reflink_cow_enospc (git-fixes). - xfs: remove unused xfs_attr events (git-fixes). - xfs: remove unused xfs_reflink_compare_extents events (git-fixes). - xfs: remove usused xfs_end_io_direct events (git-fixes). - xhci: Disable stream for xHC controller with XHCI_BROKEN_STREAMS (git-fixes). - xhci: dbc: Flush queued requests before stopping dbc (git-fixes). - xhci: dbctty: disable ECHO flag by default (git-fixes). ----------------------------------------------------------------- Advisory ID: 229 Released: Tue Aug 26 10:49:45 2025 Summary: Recommended update for dracut Type: recommended Severity: moderate References: 1241114,1241680,1247819 This update for dracut fixes the following issues: - fix (dracut-util): crash if CMDLINE ends with quotation mark (bsc#1247819) - fix (rngd): adjust license to match the license of the whole project - fix (dracut): kernel module name normalization in drivers lists (bsc#1241680) - fix (dracut-init): assign real path to srcmods (bsc#1241114) ----------------------------------------------------------------- Advisory ID: 236 Released: Wed Aug 27 11:46:23 2025 Summary: Security update for libxml2 Type: security Severity: important References: 1244554,1244555,1244557,1244580,1244700,1246296,CVE-2025-49794,CVE-2025-49795,CVE-2025-49796,CVE-2025-6021,CVE-2025-6170,CVE-2025-7425 This update for libxml2 fixes the following issues: - CVE-2025-6021: Integer Overflow in xmlBuildQName() Leads to Stack Buffer Overflow in libxml2 [bsc#1244580] - CVE-2025-6170: stack buffer overflow may lead to a crash [bsc#1244700] - CVE-2025-7425: Heap Use-After-Free in libxslt caused by atype corruption in xmlAttrPtr [bsc#1246296] - CVE-2025-49794: heap use after free 
(UAF) can lead to Denial of service (DoS) [bsc#1244554] - CVE-2025-49795: null pointer dereference may lead to Denial of service (DoS) [bsc#1244555] - CVE-2025-49796: type confusion may lead to Denial of service (DoS) [bsc#1244557] ----------------------------------------------------------------- Advisory ID: 238 Released: Thu Aug 28 17:15:06 2025 Summary: Security update for coreutils Type: security Severity: moderate References: 1243767,CVE-2025-5278 This update for coreutils fixes the following issues: - CVE-2025-5278: Sort with key character offsets of SIZE_MAX, could induce a read of 1 byte before an allocated heap buffer (bsc#1243767). The following package changes have been done: - liblzma5-5.4.3-slfo.1.1_2.1 updated - libgcc_s1-14.3.0+git11799-slfo.1.1_1.1 updated - libxml2-2-2.11.6-slfo.1.1_6.1 updated - libopenssl3-3.1.4-slfo.1.1_6.1 updated - libgcrypt20-1.10.3-slfo.1.1_2.1 updated - libstdc++6-14.3.0+git11799-slfo.1.1_1.1 updated - libudev1-254.27-slfo.1.1_1.1 updated - libsystemd0-254.27-slfo.1.1_1.1 updated - xz-5.4.3-slfo.1.1_2.1 updated - coreutils-9.4-slfo.1.1_2.1 updated - SL-Micro-release-6.1-slfo.1.11.53 updated - systemd-254.27-slfo.1.1_1.1 updated - udev-254.27-slfo.1.1_1.1 updated - dracut-059+suse.639.g19f24feb-slfo.1.1_1.1 updated - kernel-default-base-6.4.0-32.1.21.10 updated - qemu-guest-agent-8.2.10-slfo.1.1_1.1 updated - libssh-config-0.10.6-slfo.1.1_2.1 updated - libssh4-0.10.6-slfo.1.1_2.1 updated - elemental-toolkit-2.2.4-slfo.1.1_1.1 updated - container:SL-Micro-base-container-2.2.1-5.27 updated From sle-container-updates at lists.suse.com Thu Sep 4 17:01:03 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Thu, 4 Sep 2025 19:01:03 +0200 (CEST) Subject: SUSE-CU-2025:6736-1: Recommended update of bci/bci-init Message-ID: <20250904170103.4609FF783@maintenance.suse.de> SUSE Container Update Advisory: bci/bci-init ----------------------------------------------------------------- Container 
Advisory ID : SUSE-CU-2025:6736-1 Container Tags : bci/bci-init:15.6 , bci/bci-init:15.6.45.27 Container Release : 45.27 Severity : moderate Type : recommended References : 1244553 1246835 ----------------------------------------------------------------- The container bci/bci-init was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:3066-1 Released: Thu Sep 4 08:37:17 2025 Summary: Recommended update for systemd-presets-branding-SLE Type: recommended Severity: moderate References: 1244553,1246835 This update for systemd-presets-branding-SLE fixes the following issues: - Enable sysstat_collect.timer and sysstat_summary.timer (bsc#1244553, bsc#1246835). - Modified default SLE presets. The following package changes have been done: - systemd-presets-branding-SLE-15.1-150600.35.3.1 updated From sle-container-updates at lists.suse.com Thu Sep 4 17:02:39 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Thu, 4 Sep 2025 19:02:39 +0200 (CEST) Subject: SUSE-CU-2025:6737-1: Recommended update of bci/bci-init Message-ID: <20250904170239.A0D2EF783@maintenance.suse.de> SUSE Container Update Advisory: bci/bci-init ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:6737-1 Container Tags : bci/bci-init:15.7 , bci/bci-init:15.7-42.22 , bci/bci-init:latest Container Release : 42.22 Severity : moderate Type : recommended References : 1244553 1246835 ----------------------------------------------------------------- The container bci/bci-init was updated. 
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:3066-1 Released: Thu Sep 4 08:37:17 2025 Summary: Recommended update for systemd-presets-branding-SLE Type: recommended Severity: moderate References: 1244553,1246835 This update for systemd-presets-branding-SLE fixes the following issues: - Enable sysstat_collect.timer and sysstat_summary.timer (bsc#1244553, bsc#1246835). - Modified default SLE presets. The following package changes have been done: - systemd-presets-branding-SLE-15.1-150600.35.3.1 updated From sle-container-updates at lists.suse.com Fri Sep 5 07:08:08 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Fri, 5 Sep 2025 09:08:08 +0200 (CEST) Subject: SUSE-CU-2025:6738-1: Recommended update of suse/pcp Message-ID: <20250905070808.0555FF783@maintenance.suse.de> SUSE Container Update Advisory: suse/pcp ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:6738-1 Container Tags : suse/pcp:6 , suse/pcp:6.2 , suse/pcp:6.2.0 , suse/pcp:6.2.0-62.30 , suse/pcp:latest Container Release : 62.30 Severity : moderate Type : recommended References : 1244553 1246835 ----------------------------------------------------------------- The container suse/pcp was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:3066-1 Released: Thu Sep 4 08:37:17 2025 Summary: Recommended update for systemd-presets-branding-SLE Type: recommended Severity: moderate References: 1244553,1246835 This update for systemd-presets-branding-SLE fixes the following issues: - Enable sysstat_collect.timer and sysstat_summary.timer (bsc#1244553, bsc#1246835). - Modified default SLE presets. 
The following package changes have been done: - systemd-presets-branding-SLE-15.1-150600.35.3.1 updated - container:bci-bci-init-15.7-10ecd945e69288310d50b78bbe7216098be972854afaf68fd5897616bbe0bd3a-0 updated From sle-container-updates at lists.suse.com Sat Sep 6 07:04:42 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Sat, 6 Sep 2025 09:04:42 +0200 (CEST) Subject: SUSE-IU-2025:2418-1: Recommended update of suse/sle-micro/base-5.5 Message-ID: <20250906070442.20120F783@maintenance.suse.de> SUSE Image Update Advisory: suse/sle-micro/base-5.5 ----------------------------------------------------------------- Image Advisory ID : SUSE-IU-2025:2418-1 Image Tags : suse/sle-micro/base-5.5:2.0.4 , suse/sle-micro/base-5.5:2.0.4-5.8.204 , suse/sle-micro/base-5.5:latest Image Release : 5.8.204 Severity : important Type : recommended References : 1224400 1240950 ----------------------------------------------------------------- The container suse/sle-micro/base-5.5 was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:3083-1 Released: Fri Sep 5 11:02:28 2025 Summary: Recommended update for suse-module-tools Type: recommended Severity: important References: 1224400,1240950 This update for suse-module-tools fixes the following issues: - Version update 15.5.7: - Add blacklist entry for reiserfs (jsc#PED-6167). - Add more modules to file system blacklist (jsc#PED-6167). - Add hfsplus to file system blacklist (bsc#1240950, jsc#PED-12632). - udevrules: activate CPUs on hotplug for s390 (bsc#1224400). 
The following package changes have been done: - suse-module-tools-15.5.7-150500.3.15.3 updated From sle-container-updates at lists.suse.com Sat Sep 6 07:05:42 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Sat, 6 Sep 2025 09:05:42 +0200 (CEST) Subject: SUSE-IU-2025:2419-1: Recommended update of suse/sle-micro/kvm-5.5 Message-ID: <20250906070542.81FDFF783@maintenance.suse.de> SUSE Image Update Advisory: suse/sle-micro/kvm-5.5 ----------------------------------------------------------------- Image Advisory ID : SUSE-IU-2025:2419-1 Image Tags : suse/sle-micro/kvm-5.5:2.0.4 , suse/sle-micro/kvm-5.5:2.0.4-3.5.388 , suse/sle-micro/kvm-5.5:latest Image Release : 3.5.388 Severity : important Type : recommended References : 1224400 1240950 ----------------------------------------------------------------- The container suse/sle-micro/kvm-5.5 was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:3083-1 Released: Fri Sep 5 11:02:28 2025 Summary: Recommended update for suse-module-tools Type: recommended Severity: important References: 1224400,1240950 This update for suse-module-tools fixes the following issues: - Version update 15.5.7: - Add blacklist entry for reiserfs (jsc#PED-6167). - Add more modules to file system blacklist (jsc#PED-6167). - Add hfsplus to file system blacklist (bsc#1240950, jsc#PED-12632). - udevrules: activate CPUs on hotplug for s390 (bsc#1224400). 
The following package changes have been done: - suse-module-tools-15.5.7-150500.3.15.3 updated - container:suse-sle-micro-base-5.5-latest-2.0.4-5.8.204 updated From sle-container-updates at lists.suse.com Sat Sep 6 07:07:21 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Sat, 6 Sep 2025 09:07:21 +0200 (CEST) Subject: SUSE-IU-2025:2420-1: Recommended update of suse/sle-micro/rt-5.5 Message-ID: <20250906070721.78CECF783@maintenance.suse.de> SUSE Image Update Advisory: suse/sle-micro/rt-5.5 ----------------------------------------------------------------- Image Advisory ID : SUSE-IU-2025:2420-1 Image Tags : suse/sle-micro/rt-5.5:2.0.4 , suse/sle-micro/rt-5.5:2.0.4-4.5.483 , suse/sle-micro/rt-5.5:latest Image Release : 4.5.483 Severity : important Type : recommended References : 1224400 1240950 ----------------------------------------------------------------- The container suse/sle-micro/rt-5.5 was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:3083-1 Released: Fri Sep 5 11:02:28 2025 Summary: Recommended update for suse-module-tools Type: recommended Severity: important References: 1224400,1240950 This update for suse-module-tools fixes the following issues: - Version update 15.5.7: - Add blacklist entry for reiserfs (jsc#PED-6167). - Add more modules to file system blacklist (jsc#PED-6167). - Add hfsplus to file system blacklist (bsc#1240950, jsc#PED-12632). - udevrules: activate CPUs on hotplug for s390 (bsc#1224400). 
The following package changes have been done: - suse-module-tools-15.5.7-150500.3.15.3 updated - container:suse-sle-micro-5.5-latest-2.0.4-5.5.367 updated From sle-container-updates at lists.suse.com Sat Sep 6 07:17:54 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Sat, 6 Sep 2025 09:17:54 +0200 (CEST) Subject: SUSE-CU-2025:6742-1: Recommended update of suse/sle-micro-rancher/5.4 Message-ID: <20250906071754.5884EF782@maintenance.suse.de> SUSE Container Update Advisory: suse/sle-micro-rancher/5.4 ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:6742-1 Container Tags : suse/sle-micro-rancher/5.4:5.4.4.5.49 , suse/sle-micro-rancher/5.4:latest Container Release : 4.5.49 Severity : important Type : recommended References : 1240950 ----------------------------------------------------------------- The container suse/sle-micro-rancher/5.4 was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:3085-1 Released: Fri Sep 5 11:03:27 2025 Summary: Recommended update for suse-module-tools Type: recommended Severity: important References: 1240950 This update for suse-module-tools fixes the following issues: - Version update 15.4.20 - Add blacklist entry for reiserfs (jsc#PED-6167). - Add more modules to file system blacklist (jsc#PED-6167). - Add hfsplus to file system blacklist (bsc#1240950, jsc#PED-12632). 
The following package changes have been done: - suse-module-tools-15.4.20-150400.3.20.3 updated From sle-container-updates at lists.suse.com Sat Sep 6 07:19:36 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Sat, 6 Sep 2025 09:19:36 +0200 (CEST) Subject: SUSE-IU-2025:2423-1: Security update of suse/sl-micro/6.0/base-os-container Message-ID: <20250906071936.1B786F782@maintenance.suse.de> SUSE Image Update Advisory: suse/sl-micro/6.0/base-os-container ----------------------------------------------------------------- Image Advisory ID : SUSE-IU-2025:2423-1 Image Tags : suse/sl-micro/6.0/base-os-container:2.1.3 , suse/sl-micro/6.0/base-os-container:2.1.3-7.50 , suse/sl-micro/6.0/base-os-container:latest Image Release : 7.50 Severity : important Type : security References : 1012628 1213545 1215199 1221858 1222323 1230557 1230708 1233120 1234959 1240708 1240890 1242034 1242754 1244734 1244930 1245663 1245710 1245767 1245780 1245815 1245956 1245973 1245977 1246005 1246012 1246181 1246193 1247057 1247078 1247112 1247116 1247119 1247155 1247162 1247167 1247229 1247243 1247280 1247313 1247712 1247976 1248088 1248108 1248164 1248166 1248178 1248179 1248180 1248183 1248186 1248194 1248196 1248198 1248205 1248206 1248208 1248209 1248212 1248213 1248214 1248216 1248217 1248223 1248227 1248228 1248229 1248240 1248255 1248297 1248306 1248312 1248333 1248337 1248338 1248340 1248341 1248345 1248349 1248350 1248354 1248355 1248361 1248363 1248368 1248374 1248377 1248386 1248390 1248395 1248399 1248401 1248511 1248573 1248575 1248577 1248609 1248614 1248617 1248621 1248636 1248643 1248648 1248652 1248655 1248666 1248669 1248746 1248748 1249022 CVE-2023-3867 CVE-2023-4130 CVE-2023-4515 CVE-2024-26661 CVE-2024-46733 CVE-2024-56738 CVE-2024-58238 CVE-2024-58239 CVE-2025-38006 CVE-2025-38075 CVE-2025-38103 CVE-2025-38125 CVE-2025-38146 CVE-2025-38160 CVE-2025-38184 CVE-2025-38185 CVE-2025-38190 CVE-2025-38201 CVE-2025-38205 CVE-2025-38208 
CVE-2025-38245 CVE-2025-38251 CVE-2025-38360 CVE-2025-38439 CVE-2025-38441 CVE-2025-38444 CVE-2025-38445 CVE-2025-38458 CVE-2025-38459 CVE-2025-38464 CVE-2025-38472 CVE-2025-38490 CVE-2025-38491 CVE-2025-38499 CVE-2025-38500 CVE-2025-38503 CVE-2025-38506 CVE-2025-38510 CVE-2025-38512 CVE-2025-38513 CVE-2025-38515 CVE-2025-38516 CVE-2025-38520 CVE-2025-38524 CVE-2025-38528 CVE-2025-38529 CVE-2025-38530 CVE-2025-38531 CVE-2025-38535 CVE-2025-38537 CVE-2025-38538 CVE-2025-38540 CVE-2025-38541 CVE-2025-38543 CVE-2025-38546 CVE-2025-38548 CVE-2025-38550 CVE-2025-38553 CVE-2025-38555 CVE-2025-38560 CVE-2025-38563 CVE-2025-38565 CVE-2025-38566 CVE-2025-38568 CVE-2025-38571 CVE-2025-38572 CVE-2025-38576 CVE-2025-38581 CVE-2025-38582 CVE-2025-38583 CVE-2025-38585 CVE-2025-38587 CVE-2025-38588 CVE-2025-38591 CVE-2025-38601 CVE-2025-38602 CVE-2025-38604 CVE-2025-38608 CVE-2025-38609 CVE-2025-38610 CVE-2025-38612 CVE-2025-38617 CVE-2025-38618 CVE-2025-38621 CVE-2025-38624 CVE-2025-38630 CVE-2025-38632 CVE-2025-38634 CVE-2025-38635 CVE-2025-38644 CVE-2025-38646 CVE-2025-38650 CVE-2025-38656 CVE-2025-38663 CVE-2025-38665 CVE-2025-38670 CVE-2025-38671 ----------------------------------------------------------------- The container suse/sl-micro/6.0/base-os-container was updated. 
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: kernel-101 Released: Fri Sep 5 14:02:35 2025 Summary: Security update for the Linux Kernel Type: security Severity: important References: 1012628,1213545,1215199,1221858,1222323,1230557,1230708,1233120,1240708,1240890,1242034,1242754,1244734,1244930,1245663,1245710,1245767,1245780,1245815,1245956,1245973,1245977,1246005,1246012,1246181,1246193,1247057,1247078,1247112,1247116,1247119,1247155,1247162,1247167,1247229,1247243,1247280,1247313,1247712,1247976,1248088,1248108,1248164,1248166,1248178,1248179,1248180,1248183,1248186,1248194,1248196,1248198,1248205,1248206,1248208,1248209,1248212,1248213,1248214,1248216,1248217,1248223,1248227,1248228,1248229,1248240,1248255,1248297,1248306,1248312,1248333,1248337,1248338,1248340,1248341,1248345,1248349,1248350,1248354,1248355,1248361,1248363,1248368,1248374,1248377,1248386,1248390,1248395,1248399,1248401,1248511,1248573,1248575,1248577,1248609,1248614,1248617,1248621,1248636,1248643,1248648,1248652,1248655,1248666,1248669,1248746,1248748,1249022,CVE-2023-3867,CVE-2023-4130,CVE-2023-4515,CVE-2024-26661,CVE-2024-46733,CVE-2024-58238,CVE-2024-58239,CVE-2025-38006,CVE-2025-38075,CVE-2025-38103,CVE-2025-38125,CVE-2025-38146,CVE-2025-38160,CVE-2025-38184,CVE-2025-38185,CVE-2025-38190,CVE-2025-38201,CVE-2025-38205,CVE-2025-38208,CVE-2025-38245,CVE-2025-38251,CVE-2025-38360,CVE-2025-38439,CVE-2025-38441,CVE-2025-38444,CVE-2025-38445,CVE-2025-38458,CVE-2025-38459,CVE-2025-38464,CVE-2025-38472,CVE-2025-38490,CVE-2025-38491,CVE-2025-38499,CVE-2025-38500,CVE-2025-38503,CVE-2025-38506,CVE-2025-38510,CVE-2025-38512,CVE-2025-38513,CVE-2025-38515,CVE-2025-38516,CVE-2025-38520,CVE-2025-38524,CVE-2025-38528,CVE-2025-38529,CVE-2025-38530,CVE-2025-38531,CVE-2025-38535,CVE-2025-38537,CVE-2025-38538,CVE-2025-38540,CVE-2025-38541,CVE-2025-38543,CVE-2025-38546,CVE-2025-38548,CVE-2025-38550,CVE-2025-38553,CVE-2025-38555,CVE-2025-38560,CVE-2025-38563,CVE-2025-38565,CVE-2025-38566,CVE-2025-38568,CVE-2025-38571,CVE-2025-38572,CVE-2025-38576,CVE-2025-38581,CVE-2025-38582,CVE-2025-38583,CVE-2025-38585,CVE-2025-38587,CVE-2025-38588,CVE-2025-38591,CVE-2025-38601,CVE-2025-38602,CVE-2025-38604,CVE-2025-38608,CVE-2025-38609,CVE-2025-38610,CVE-2025-38612,CVE-2025-38617,CVE-2025-38618,CVE-2025-38621,CVE-2025-38624,CVE-2025-38630,CVE-2025-38632,CVE-2025-38634,CVE-2025-38635,CVE-2025-38644,CVE-2025-38646,CVE-2025-38650,CVE-2025-38656,CVE-2025-38663,CVE-2025-38665,CVE-2025-38670,CVE-2025-38671 
The SUSE Linux Enterprise Micro 6.0 and 6.1 kernel was updated to receive various security bugfixes. The following security bugs were fixed: - CVE-2024-46733: btrfs: fix qgroup reserve leaks in cow_file_range (bsc#1230708). - CVE-2025-38006: net: mctp: Do not access ifa_index when missing (bsc#1244930). - CVE-2025-38075: scsi: target: iscsi: Fix timeout on deleted connection (bsc#1244734). - CVE-2025-38103: HID: usbhid: Eliminate recurrent out-of-bounds bug in usbhid_parse() (bsc#1245663). - CVE-2025-38125: net: stmmac: make sure that ptp_rate is not 0 before configuring EST (bsc#1245710). - CVE-2025-38146: net: openvswitch: Fix the dead loop of MPLS parse (bsc#1245767). 
- CVE-2025-38160: clk: bcm: rpi: Add NULL check in raspberrypi_clk_register() (bsc#1245780). - CVE-2025-38184: tipc: fix null-ptr-deref when acquiring remote ip of ethernet bearer (bsc#1245956). - CVE-2025-38185: atm: atmtcp: Free invalid length skb in atmtcp_c_send() (bsc#1246012). - CVE-2025-38190: atm: Revert atm_account_tx() if copy_from_iter_full() fails (bsc#1245973). - CVE-2025-38201: netfilter: nft_set_pipapo: clamp maximum map bucket size to INT_MAX (bsc#1245977). - CVE-2025-38205: drm/amd/display: Avoid divide by zero by initializing dummy pitch to 1 (bsc#1246005). - CVE-2025-38208: smb: client: add NULL check in automount_fullpath (bsc#1245815). - CVE-2025-38245: atm: Release atm_dev_mutex after removing procfs in atm_dev_deregister() (bsc#1246193). - CVE-2025-38251: atm: clip: prevent NULL deref in clip_push() (bsc#1246181). - CVE-2025-38360: drm/amd/display: Add more checks for DSC / HUBP ONO guarantees (bsc#1247078). - CVE-2025-38439: bnxt_en: Set DMA unmap len correctly for XDP_REDIRECT (bsc#1247155). - CVE-2025-38441: netfilter: flowtable: account for Ethernet header in nf_flow_pppoe_proto() (bsc#1247167). - CVE-2025-38444: raid10: cleanup memleak at raid10_make_request (bsc#1247162). - CVE-2025-38445: md/raid1: Fix stack memory use after return in raid1_reshape (bsc#1247229). - CVE-2025-38458: atm: clip: Fix NULL pointer dereference in vcc_sendmsg() (bsc#1247116). - CVE-2025-38459: atm: clip: Fix infinite recursive call of clip_push() (bsc#1247119). - CVE-2025-38464: tipc: Fix use-after-free in tipc_conn_close() (bsc#1247112). - CVE-2025-38472: netfilter: nf_conntrack: fix crash due to removal of uninitialised entry (bsc#1247313). - CVE-2025-38490: net: libwx: remove duplicate page_pool_put_full_page() (bsc#1247243). - CVE-2025-38491: mptcp: make fallback action and fallback decision atomic (bsc#1247280). - CVE-2025-38499: clone_private_mnt(): make sure that caller has CAP_SYS_ADMIN in the right userns (bsc#1247976). 
- CVE-2025-38500: xfrm: interface: fix use-after-free after changing collect_md xfrm interface (bsc#1248088). - CVE-2025-38506: KVM: Allow CPU to reschedule while setting per-page memory attributes (bsc#1248186). - CVE-2025-38520: drm/amdkfd: Do not call mmput from MMU notifier callback (bsc#1248217). - CVE-2025-38524: rxrpc: Fix recv-recv race of completed call (bsc#1248194). - CVE-2025-38528: bpf: Reject %p% format string in bprintf-like helpers (bsc#1248198). - CVE-2025-38531: iio: common: st_sensors: Fix use of uninitialize device structs (bsc#1248205). - CVE-2025-38546: atm: clip: Fix memory leak of struct clip_vcc (bsc#1248223). - CVE-2025-38560: x86/sev: Evict cache lines during SNP memory validation (bsc#1248312). - CVE-2025-38585: staging: media: atomisp: Fix stack buffer overflow in gmin_get_var_int() (bsc#1248355). - CVE-2025-38591: bpf: Reject narrower access to pointer ctx fields (bsc#1248363). - CVE-2025-38608: bpf, ktls: Fix data corruption when using bpf_msg_pop_data() in ktls (bsc#1248338). - CVE-2025-38618: vsock: Do not allow binding to VMADDR_PORT_ANY (bsc#1248511). The following non-security bugs were fixed: - ACPI: APEI: send SIGBUS to current task if synchronous memory error not recovered (stable-fixes). - ACPI: pfr_update: Fix the driver update version check (git-fixes). - ACPI: processor: fix acpi_object initialization (stable-fixes). - ACPI: processor: perflib: Move problematic pr->performance check (git-fixes). - ALSA: hda/ca0132: Fix buffer overflow in add_tuning_control (stable-fixes). - ALSA: hda/realtek: Add Framework Laptop 13 (AMD Ryzen AI 300) to quirks (stable-fixes). - ALSA: hda/realtek: Add support for HP EliteBook x360 830 G6 and EliteBook 830 G6 (stable-fixes). - ALSA: hda/realtek: Audio disappears on HP 15-fc000 after warm boot again (git-fixes). - ALSA: hda/realtek: Fix headset mic on ASUS Zenbook 14 (git-fixes). - ALSA: hda/realtek: Fix headset mic on HONOR BRB-X (stable-fixes). 
- ALSA: hda: Disable jack polling at shutdown (stable-fixes). - ALSA: hda: Handle the jack polling always via a work (stable-fixes). - ALSA: intel8x0: Fix incorrect codec index usage in mixer for ICH4 (stable-fixes). - ALSA: pcm: Rewrite recalculate_boundary() to avoid costly loop (stable-fixes). - ALSA: scarlett2: Add retry on -EPROTO from scarlett2_usb_tx() (git-fixes). - ALSA: usb-audio: Avoid precedence issues in mixer_quirks macros (stable-fixes). - ALSA: usb-audio: Fix size validation in convert_chmap_v3() (git-fixes). - ALSA: usb-audio: Use correct sub-type for UAC3 feature unit validation (git-fixes). - ALSA: usb-audio: Validate UAC3 cluster segment descriptors (git-fixes). - ALSA: usb-audio: Validate UAC3 power domain descriptors, too (git-fixes). - ASoC: Intel: avs: Fix uninitialized pointer error in probe() (stable-fixes). - ASoC: Intel: fix SND_SOC_SOF dependencies (stable-fixes). - ASoC: amd: yc: Add DMI entries to support HP 15-fb1xxx (stable-fixes). - ASoC: amd: yc: Add DMI quirk for HP Laptop 17 cp-2033dx (stable-fixes). - ASoC: amd: yc: add DMI quirk for ASUS M6501RM (stable-fixes). - ASoC: codecs: rt5640: Retry DEVICE_ID verification (stable-fixes). - ASoC: core: Check for rtd == NULL in snd_soc_remove_pcm_runtime() (stable-fixes). - ASoC: hdac_hdmi: Rate limit logging on connection and disconnection (stable-fixes). - ASoC: soc-dapm: set bias_level if snd_soc_dapm_set_bias_level() was successed (stable-fixes). - Bluetooth: btusb: Add USB ID 3625:010b for TP-LINK Archer TX10UB Nano (stable-fixes). - Bluetooth: hci_conn: do return error from hci_enhanced_setup_sync() (git-fixes). - Bluetooth: hci_event: Detect if HCI_EV_NUM_COMP_PKTS is unbalanced (git-fixes). - Bluetooth: hci_event: Mark connection as closed during suspend disconnect (git-fixes). - Bluetooth: hci_event: Treat UNKNOWN_CONN_ID on disconnect as success (git-fixes). - Bluetooth: hci_event: fix MTU for BN == 0 in CIS Established (git-fixes). 
- Bluetooth: hci_sock: Reset cookie to zero in hci_sock_free_cookie() (stable-fixes). - Bluetooth: hci_sync: fix set_local_name race condition (git-fixes). - HID: asus: fix UAF via HID_CLAIMED_INPUT validation (git-fixes). - HID: multitouch: fix slab out-of-bounds access in mt_report_fixup() (git-fixes). - Move pesign-obs-integration requirement from kernel-syms to kernel devel subpackage (bsc#1248108). - PCI/ACPI: Fix runtime PM ref imbalance on Hot-Plug Capable ports (git-fixes). - PCI/portdrv: Use is_pciehp instead of is_hotplug_bridge (git-fixes). - PCI: Add ACS quirk for Loongson PCIe (git-fixes). - PCI: Support Immediate Readiness on devices without PM capabilities (git-fixes). - PCI: apple: Fix missing OF node reference in apple_pcie_setup_port (git-fixes). - PCI: imx6: Add IMX8MM_EP and IMX8MP_EP fixed 256-byte BAR 4 in epc_features (git-fixes). - PCI: imx6: Delay link start until configfs 'start' written (git-fixes). - PCI: imx6: Remove apps_reset toggling from imx_pcie_{assert/deassert}_core_reset (git-fixes). - PCI: pnv_php: Clean up allocated IRQs on unplug (bsc#1215199). - PCI: pnv_php: Work around switches with broken presence detection (bsc#1215199). - PCI: rockchip: Set Target Link Speed to 5.0 GT/s before retraining (git-fixes). - PCI: rockchip: Use standard PCIe definitions (git-fixes). - PM / devfreq: governor: Replace sscanf() with kstrtoul() in set_freq_store() (stable-fixes). - PM: runtime: Clear power.needs_force_resume in pm_runtime_reinit() (stable-fixes). - PM: sleep: console: Fix the black screen issue (stable-fixes). - RAS/AMD/ATL: Include row bit in row retirement (bsc#1242034). - RAS/AMD/FMPM: Get masked address (bsc#1242034). - RAS/AMD/FMPM: Use atl internal.h for INVALID_SPA (bsc#1242034). 
- RDMA/bnxt_re: Fix a possible memory leak in the driver (git-fixes) - RDMA/bnxt_re: Fix to do SRQ armena by default (git-fixes) - RDMA/bnxt_re: Fix to initialize the PBL array (git-fixes) - RDMA/bnxt_re: Fix to remove workload check in SRQ limit path (git-fixes) - RDMA/core: reduce stack using in nldev_stat_get_doit() (git-fixes) - RDMA/erdma: Fix ignored return value of init_kernel_qp (git-fixes) - RDMA/hns: Fix dip entries leak on devices newer than hip09 (git-fixes) - RDMA: hfi1: fix possible divide-by-zero in find_hw_thread_mask() (git-fixes) - Revert 'gpio: mlxbf3: only get IRQ for device instance 0' (git-fixes). - USB: serial: option: add Foxconn T99W709 (stable-fixes). - USB: storage: Add unusual-devs entry for Novatek NTK96550-based camera (stable-fixes). - USB: storage: Ignore driver CD mode for Realtek multi-mode Wi-Fi dongles (stable-fixes). - aoe: defer rexmit timer downdev work to workqueue (git-fixes). - arch/powerpc: Remove .interp section in vmlinux (bsc#1215199). - arm64/cpufeatures/kvm: Add ARMv8.9 FEAT_ECBHB bits in ID_AA64MMFR1 (git-fixes) - arm64/entry: Mask DAIF in cpu_switch_to(), call_on_irq_stack() (git-fixes) - arm64/mm: Check PUD_TYPE_TABLE in pud_bad() (git-fixes) - arm64: Add support for HIP09 Spectre-BHB mitigation (git-fixes) - arm64: Filter out SME hwcaps when FEAT_SME isn't implemented (git-fixes) - arm64: Restrict pagetable teardown to avoid false warning (git-fixes) - arm64: dts: apple: t8103: Fix PCIe BCM4377 nodename (git-fixes) - arm64: dts: freescale: imx8mm-verdin: Keep LDO5 always on (git-fixes) - arm64: dts: imx8mm-beacon: Fix HS400 USDHC clock speed (git-fixes) - arm64: dts: imx8mm-beacon: Fix RTC capacitive load (git-fixes) - arm64: dts: imx8mm-venice-gw700x: Increase HS400 USDHC clock speed (git-fixes) - arm64: dts: imx8mm-venice-gw7901: Increase HS400 USDHC clock speed (git-fixes) - arm64: dts: imx8mm-venice-gw7902: Increase HS400 USDHC clock speed (git-fixes) - arm64: dts: imx8mm-venice-gw7903: Increase HS400 USDHC 
clock speed (git-fixes) - arm64: dts: imx8mm-venice-gw7904: Increase HS400 USDHC clock speed (git-fixes) - arm64: dts: imx8mn-beacon: Fix HS400 USDHC clock speed (git-fixes) - arm64: dts: imx8mn-beacon: Fix RTC capacitive load (git-fixes) - arm64: dts: imx8mn-venice-gw7902: Increase HS400 USDHC clock speed (git-fixes) - arm64: dts: imx8mp-beacon: Fix RTC capacitive load (git-fixes) - arm64: dts: rockchip: Update eMMC for NanoPi R5 series (git-fixes) - arm64: dts: rockchip: fix endpoint dtc warning for PX30 ISP (git-fixes) - arm64: tegra: Drop remaining serial clock-names and reset-names (git-fixes) - arm64: tegra: p2597: Fix gpio for vdd-1v8-dis regulator (git-fixes) - arm64: zynqmp: add clock-output-names property in clock nodes (git-fixes) - ata: libata-scsi: Fix CDL control (git-fixes). - block: fix kobject leak in blk_unregister_queue (git-fixes). - block: mtip32xx: Fix usage of dma_map_sg() (git-fixes). - bpf: fix kfunc btf caching for modules (git-fixes). - bpf: use kvzmalloc to allocate BPF verifier environment (git-fixes). - btrfs: convert BUG_ON in btrfs_reloc_cow_block() to proper error handling (git-fixes). - btrfs: correctly escape subvol in btrfs_show_options() (git-fixes). - btrfs: fix adding block group to a reclaim list and the unused list during reclaim (git-fixes). - btrfs: fix bitmap leak when loading free space cache on duplicate entry (git-fixes). - btrfs: fix data race when accessing the inode's disk_i_size at btrfs_drop_extents() (git-fixes). - btrfs: fix the length of reserved qgroup to free (bsc#1240708) - btrfs: retry block group reclaim without infinite loop (git-fixes). - btrfs: return accurate error code on open failure in open_fs_devices() (bsc#1233120) - btrfs: run delayed iputs when flushing delalloc (git-fixes). - btrfs: update target inode's ctime on unlink (git-fixes). - cdx: Fix off-by-one error in cdx_rpmsg_probe() (git-fixes). - char: misc: Fix improper and inaccurate error code returned by misc_init() (stable-fixes). 
- comedi: Fix use of uninitialized memory in do_insn_ioctl() and do_insnlist_ioctl() (git-fixes). - comedi: Make insn_rw_emulate_bits() do insn->n samples (git-fixes). - comedi: fix race between polling and detaching (git-fixes). - comedi: pcl726: Prevent invalid irq number (git-fixes). - crypto: hisilicon/hpre - fix dma unmap sequence (stable-fixes). - crypto: jitter - fix intermediary handling (stable-fixes). - crypto: octeontx2 - add timeout for load_fvc completion poll (stable-fixes). - crypto: qat - lower priority for skcipher and aead algorithms (stable-fixes). - drm/amd/display: Add null pointer check in mod_hdcp_hdcp1_create_session() (git-fixes). - drm/amd/display: Add primary plane to commits for correct VRR handling (stable-fixes). - drm/amd/display: Adjust DCE 8-10 clock, do not overclock by 15% (git-fixes). - drm/amd/display: Avoid a NULL pointer dereference (stable-fixes). - drm/amd/display: Avoid configuring PSR granularity if PSR-SU not supported (stable-fixes). - drm/amd/display: Avoid trying AUX transactions on disconnected ports (stable-fixes). - drm/amd/display: Do not overclock DCE 6 by 15% (git-fixes). - drm/amd/display: Fill display clock and vblank time in dce110_fill_display_configs (stable-fixes). - drm/amd/display: Find first CRTC and its line time in dce110_fill_display_configs (stable-fixes). - drm/amd/display: Fix 'failed to blank crtc!' (stable-fixes). - drm/amd/display: Fix DP audio DTO1 clock source on DCE 6 (stable-fixes). - drm/amd/display: Fix fractional fb divider in set_pixel_clock_v3 (git-fixes). - drm/amd/display: Only finalize atomic_obj if it was initialized (stable-fixes). - drm/amd/display: Separate set_gsl from set_gsl_source_select (stable-fixes). - drm/amd: Allow printing VanGogh OD SCLK levels without setting dpm to manual (stable-fixes). - drm/amd: Restore cached power limit during resume (stable-fixes). - drm/amdgpu: Avoid extra evict-restore process (stable-fixes). 
- drm/amdgpu: fix incorrect vm flags to map bo (git-fixes). - drm/amdgpu: fix task hang from failed job submission during process kill (git-fixes). - drm/amdgpu: update mmhub 3.0.1 client id mappings (stable-fixes). - drm/amdkfd: Destroy KFD debugfs after destroy KFD wq (stable-fixes). - drm/dp: Change AUX DPCD probe address from DPCD_REV to LANE0_1_STATUS (stable-fixes). - drm/hisilicon/hibmc: fix the hibmc loaded failed bug (git-fixes). - drm/mediatek: Fix device/node reference count leaks in mtk_drm_get_all_drm_priv (git-fixes). - drm/msm/kms: move snapshot init earlier in KMS init (git-fixes). - drm/msm: Defer fd_install in SUBMIT ioctl (git-fixes). - drm/msm: use trylock for debugfs (stable-fixes). - drm/nouveau/disp: Always accept linear modifier (git-fixes). - drm/nouveau/nvif: Fix potential memory leak in nvif_vmm_ctor() (git-fixes). - drm/nouveau: fix error path in nvkm_gsp_fwsec_v2 (git-fixes). - drm/nouveau: fix typos in comments (git-fixes). - drm/nouveau: remove unused increment in gm200_flcn_pio_imem_wr (git-fixes). - drm/nouveau: remove unused memory target test (git-fixes). - drm/ttm: Respect the shrinker core free target (stable-fixes). - drm/ttm: Should to return the evict error (stable-fixes). - et131x: Add missing check after DMA map (stable-fixes). - exfat: add cluster chain loop check for dir (git-fixes). - fbdev: Fix vmalloc out-of-bounds write in fast_imageblit (stable-fixes). - fbdev: fix potential buffer overflow in do_register_framebuffer() (stable-fixes). - fs/mnt_idmapping.c: Return -EINVAL when no map is written (bsc#1233120) - fs/orangefs: use snprintf() instead of sprintf() (git-fixes). - gpio: mlxbf3: use platform_get_irq_optional() (git-fixes). - gpio: tps65912: check the return value of regmap_update_bits() (stable-fixes). - gpio: wcd934x: check the return value of regmap_update_bits() (stable-fixes). - hfs: fix not erasing deleted b-tree node issue (git-fixes). - hfs: fix slab-out-of-bounds in hfs_bnode_read() (git-fixes). 
- hfsplus: do not use BUG_ON() in hfsplus_create_attributes_file() (git-fixes). - hfsplus: fix slab-out-of-bounds in hfsplus_bnode_read() (git-fixes). - hfsplus: fix slab-out-of-bounds read in hfsplus_uni2asc() (git-fixes). - hwmon: (emc2305) Set initial PWM minimum value during probe based on thermal state (stable-fixes). - i2c: Force DLL0945 touchpad i2c freq to 100khz (stable-fixes). - i3c: do not fail if GETHDRCAP is unsupported (stable-fixes). - i3c: master: Initialize ret in i3c_i2c_notifier_call() (stable-fixes). - ice, irdma: fix an off by one in error handling code (bsc#1247712). - ice, irdma: move interrupts code to irdma (bsc#1247712). - ice: Fix signedness bug in ice_init_interrupt_scheme() (bsc#1247712). - ice: count combined queues using Rx/Tx count (bsc#1247712). - ice: devlink PF MSI-X max and min parameter (bsc#1247712). - ice: enable_rdma devlink param (bsc#1247712). - ice: get rid of num_lan_msix field (bsc#1247712). - ice: init flow director before RDMA (bsc#1247712). - ice: remove splitting MSI-X between features (bsc#1247712). - ice: simplify VF MSI-X managing (bsc#1247712). - ice: treat dyn_allowed only as suggestion (bsc#1247712). - iio: adc: ad7768-1: Ensure SYNC_IN pulse minimum timing requirement (stable-fixes). - iio: adc: ad_sigma_delta: do not overallocate scan buffer (stable-fixes). - iio: imu: inv_icm42600: switch timestamp type from int64_t __aligned(8) to aligned_s64 (stable-fixes). - iio: imu: inv_icm42600: use = { } instead of memset() (stable-fixes). - iio: pressure: bmp280: Use IS_ERR() in bmp280_common_probe() (git-fixes). - iio: proximity: isl29501: fix buffered read on big-endian systems (git-fixes). - integrity/platform_certs: Allow loading of keys in the static key management mode (jsc#PED-13345 jsc#PED-13343). - iosys-map: Fix undefined behavior in iosys_map_clear() (git-fixes). - ipmi: Fix strcpy source and destination the same (stable-fixes). 
- ipmi: Use dev_warn_ratelimited() for incorrect message warnings (stable-fixes). - irdma: free iwdev->rf after removing MSI-X (bsc#1247712). - jfs: Regular file corruption check (git-fixes). - jfs: truncate good inode pages when hard link is 0 (git-fixes). - jfs: upper bound check of tree index in dbAllocAG (git-fixes). - kABI: PCI/ACPI: Fix runtime PM ref imbalance on Hot-Plug Capable ports (git-fixes). - kselftest/arm64: Fix check for setting new VLs in sve-ptrace (git-fixes). - leds: leds-lp50xx: Handle reg to get correct multi_index (stable-fixes). - loop: use kiocb helpers to fix lockdep warning (git-fixes). - mISDN: hfcpci: Fix warning when deleting uninitialized timer (git-fixes). - md/md-cluster: handle REMOVE message earlier (bsc#1247057). - md/raid1,raid10: strip REQ_NOWAIT from member bios (git-fixes). - md: allow removing faulty rdev during resync (git-fixes). - md: make rdev_addable usable for rcu mode (git-fixes). - media: dvb-frontends: dib7090p: fix null-ptr-deref in dib7090p_rw_on_apb() (stable-fixes). - media: dvb-frontends: w7090p: fix null-ptr-deref in w7090p_tuner_write_serpar and w7090p_tuner_read_serpar (stable-fixes). - media: tc358743: Check I2C succeeded during probe (stable-fixes). - media: tc358743: Increase FIFO trigger level to 374 (stable-fixes). - media: tc358743: Return an appropriate colorspace from tc358743_set_fmt (stable-fixes). - media: usb: hdpvr: disable zero-length read messages (stable-fixes). - media: uvcvideo: Fix bandwidth issue for Alcor camera (stable-fixes). - media: v4l2-common: Reduce warnings about missing V4L2_CID_LINK_FREQ control (stable-fixes). - mei: bus: Check for still connected devices in mei_cl_bus_dev_release() (stable-fixes). - memstick: Fix deadlock by moving removing flag earlier (git-fixes). - mm/ptdump: take the memory hotplug lock inside ptdump_walk_pgd() (git-fixes) - mmc: rtsx_usb_sdmmc: Fix error-path in sd_set_power_mode() (stable-fixes). 
- mmc: sdhci-msm: Ensure SD card power isn't ON when card removed (stable-fixes). - mmc: sdhci-pci-gli: GL9763e: Rename the gli_set_gl9763e() for consistency (git-fixes). - most: core: Drop device reference after usage in get_channel() (git-fixes). - mptcp: fallback when MPTCP opts are dropped after 1st data (git-fixes). - mptcp: reset when MPTCP opts are dropped after join (git-fixes). - net: phy: micrel: Add ksz9131_resume() (stable-fixes). - net: phy: smsc: add proper reset flags for LAN8710A (stable-fixes). - net: thunderbolt: Enable end-to-end flow control also in transmit (stable-fixes). - net: thunderbolt: Fix the parameter passing of tb_xdomain_enable_paths()/tb_xdomain_disable_paths() (stable-fixes). - net: usb: asix_devices: Fix PHY address mask in MDIO bus initialization (git-fixes). - net: usb: asix_devices: add phy_mask for ax88772 mdio bus (git-fixes). - pNFS: Fix disk addr range check in block/scsi layout (git-fixes). - pNFS: Fix stripe mapping in block/scsi layout (git-fixes). - pNFS: Fix uninited ptr deref in block/scsi layout (git-fixes). - pNFS: Handle RPC size limit for layoutcommits (git-fixes). - phy: mscc: Fix parsing of unicast frames (git-fixes). - phy: rockchip-pcie: Properly disable TEST_WRITE strobe signal (stable-fixes). - pinctrl: STMFX: add missing HAS_IOMEM dependency (git-fixes). - pinctrl: stm32: Manage irq affinity settings (stable-fixes). - platform/chrome: cros_ec_typec: Defer probe on missing EC parent (stable-fixes). - platform/x86/amd: pmc: Add Lenovo Yoga 6 13ALC6 to pmc quirk list (stable-fixes). - pm: cpupower: Fix the snapshot-order of tsc,mperf, clock in mperf_stop() (stable-fixes). - power: supply: qcom_battmgr: Add lithium-polymer entry (stable-fixes). - powerpc/eeh: Export eeh_unfreeze_pe() (bsc#1215199). - powerpc/eeh: Make EEH driver device hotplug safe (bsc#1215199). - powerpc/eeh: Rely on dev->link_active_reporting (bsc#1215199). - powerpc/kernel: Fix ppc_save_regs inclusion in build (bsc#1215199). 
- powerpc/pseries: Correct secvar format representation for static key management (jsc#PED-13345 jsc#PED-13343). - powerpc/secvar: Expose secvars relevant to the key management mode (jsc#PED-13345 jsc#PED-13343). - powerpc: do not build ppc_save_regs.o always (bsc#1215199). - pwm: mediatek: Fix duty and period setting (git-fixes). - pwm: mediatek: Handle hardware enable and clock enable separately (stable-fixes). - reset: brcmstb: Enable reset drivers for ARCH_BCM2835 (stable-fixes). - rpm/config.sh: Update Leap project - rtc: ds1307: handle oscillator stop flag (OSF) for ds1341 (stable-fixes). - rtc: ds1307: remove clear of oscillator stop flag (OSF) in probe (stable-fixes). - samples/bpf: Fix compilation errors with cf-protection option (git-fixes). - scsi: Revert 'scsi: iscsi: Fix HW conn removal use after free' (git-fixes). - scsi: core: Fix kernel doc for scsi_track_queue_full() (git-fixes). - scsi: elx: efct: Fix dma_unmap_sg() nents value (git-fixes). - scsi: ibmvscsi_tgt: Fix dma_unmap_sg() nents value (git-fixes). - scsi: isci: Fix dma_unmap_sg() nents value (git-fixes). - scsi: mpi3mr: Fix kernel-doc issues in mpi3mr_app.c (git-fixes). - scsi: mpi3mr: Fix race between config read submit and interrupt completion (git-fixes). - scsi: mpi3mr: Serialize admin queue BAR writes on 32-bit systems (git-fixes). - scsi: mpt3sas: Fix a fw_event memory leak (git-fixes). - scsi: mvsas: Fix dma_unmap_sg() nents value (git-fixes). - scsi: sd: Make sd shutdown issue START STOP UNIT appropriately (git-fixes). - selftests/bpf: fexit_sleep: Fix stack allocation for arm64 (git-fixes). - selftests/tracing: Fix false failure of subsystem event test (git-fixes). - selftests: Fix errno checking in syscall_user_dispatch test (git-fixes). - selftests: rtnetlink.sh: remove esp4_offload after test (git-fixes). - serial: 8250: fix panic due to PSLVERR (git-fixes). - slab: Decouple slab_debug and no_hash_pointers (bsc#1249022). - smb: client: fix parsing of device numbers (git-fixes). 
- soc/tegra: pmc: Ensure power-domains are in a known state (git-fixes). - soundwire: amd: serialize amd manager resume sequence during pm_prepare (stable-fixes). - squashfs: fix memory leak in squashfs_fill_super (git-fixes). - sunrpc: fix handling of server side tls alerts (git-fixes). - sunvdc: Balance device refcount in vdc_port_mpgroup_check (git-fixes). - thermal/drivers/qcom-spmi-temp-alarm: Enable stage 2 shutdown when required (stable-fixes). - thermal: sysfs: Return ENODATA instead of EAGAIN for reads (stable-fixes). - ublk: sanity check add_dev input for underflow (git-fixes). - ublk: use vmalloc for ublk_device's __queues (git-fixes). - usb: core: config: Prevent OOB read in SS endpoint companion parsing (stable-fixes). - usb: core: hcd: fix accessing unmapped memory in SINGLE_STEP_SET_FEATURE test (git-fixes). - usb: core: usb_submit_urb: downgrade type check (stable-fixes). - usb: dwc3: Ignore late xferNotReady event to prevent halt timeout (git-fixes). - usb: dwc3: Remove WARN_ON for device endpoint command timeouts (stable-fixes). - usb: dwc3: core: Fix system suspend on TI AM62 platforms (git-fixes). - usb: dwc3: fix fault at system suspend if device was already runtime suspended (git-fixes). - usb: dwc3: pci: add support for the Intel Wildcat Lake (stable-fixes). - usb: quirks: Add DELAY_INIT quick for another SanDisk 3.2Gen1 Flash Drive (stable-fixes). - usb: renesas-xhci: Fix External ROM access timeouts (git-fixes). - usb: storage: realtek_cr: Use correct byte order for bcs->Residue (git-fixes). - usb: typec: intel_pmc_mux: Defer probe if SCU IPC isn't present (stable-fixes). - usb: typec: ucsi: psy: Set current max to 100mA for BC 1.2 and Default (stable-fixes). - usb: xhci: Avoid showing errors during surprise removal (stable-fixes). - usb: xhci: Avoid showing warnings for dying controller (stable-fixes). - usb: xhci: Fix slot_id resource race conflict (git-fixes). 
- usb: xhci: Set avg_trb_len = 8 for EP0 during Address Device Command (stable-fixes). - usb: xhci: print xhci->xhc_state when queue_command failed (stable-fixes). - vfs: Add a sysctl for automated deletion of dentry (bsc#1240890). - watchdog: dw_wdt: Fix default timeout (stable-fixes). - watchdog: iTCO_wdt: Report error if timeout configuration fails (stable-fixes). - watchdog: sbsa: Adjust keepalive timeout to avoid MediaTek WS0 race condition (stable-fixes). - wifi: ath12k: Add memset and update default rate value in wmi tx completion (stable-fixes). - wifi: ath12k: Correct tid cleanup when tid setup fails (stable-fixes). - wifi: ath12k: Decrement TID on RX peer frag setup error handling (stable-fixes). - wifi: ath12k: Enable REO queue lookup table feature on QCN9274 hw2.0 (stable-fixes). - wifi: cfg80211: Fix interface type validation (stable-fixes). - wifi: cfg80211: reject HTC bit for management frames (stable-fixes). - wifi: iwlegacy: Check rate_idx range after addition (stable-fixes). - wifi: iwlwifi: dvm: fix potential overflow in rs_fill_link_cmd() (stable-fixes). - wifi: iwlwifi: fw: Fix possible memory leak in iwl_fw_dbg_collect (stable-fixes). - wifi: iwlwifi: mvm: fix scan request validation (stable-fixes). - wifi: iwlwifi: mvm: set gtk id also in older FWs (stable-fixes). - wifi: mac80211: do not complete management TX on SAE commit (stable-fixes). - wifi: mac80211: fix rx link assignment for non-MLO stations (stable-fixes). - wifi: mac80211: update radar_required in channel context after channel switch (stable-fixes). - wifi: mt76: mt7915: mcu: re-init MCU before loading FW patch (stable-fixes). - wifi: rtlwifi: fix possible skb memory leak in _rtl_pci_init_one_rxdesc() (stable-fixes). - wifi: rtlwifi: fix possible skb memory leak in `_rtl_pci_rx_interrupt()` (stable-fixes). - wifi: rtw89: Disable deep power saving for USB/SDIO (stable-fixes). - wifi: rtw89: Fix rtw89_mac_power_switch() for USB (stable-fixes). 
- wifi: rtw89: Lower the timeout in rtw89_fw_read_c2h_reg() for USB (stable-fixes). ----------------------------------------------------------------- Advisory ID: 445 Released: Fri Sep 5 14:57:04 2025 Summary: Security update for grub2 Type: security Severity: moderate References: 1234959,CVE-2024-56738 This update for grub2 fixes the following issues: - CVE-2024-56738: Side-channel attack due to not constant-time algorithm in grub_crypto_memcmp (bsc#1234959). The following package changes have been done: - grub2-2.12~rc1-7.1 updated - grub2-i386-pc-2.12~rc1-7.1 updated - kernel-default-6.4.0-34.1 updated - grub2-x86_64-efi-2.12~rc1-7.1 updated From sle-container-updates at lists.suse.com Sat Sep 6 07:20:28 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Sat, 6 Sep 2025 09:20:28 +0200 (CEST) Subject: SUSE-IU-2025:2424-1: Security update of suse/sl-micro/6.0/kvm-os-container Message-ID: <20250906072028.8BB3DF782@maintenance.suse.de> SUSE Image Update Advisory: suse/sl-micro/6.0/kvm-os-container ----------------------------------------------------------------- Image Advisory ID : SUSE-IU-2025:2424-1 Image Tags : suse/sl-micro/6.0/kvm-os-container:2.1.3 , suse/sl-micro/6.0/kvm-os-container:2.1.3-6.73 , suse/sl-micro/6.0/kvm-os-container:latest Image Release : 6.73 Severity : important Type : security References : 1012628 1213545 1215199 1221858 1222323 1230557 1230708 1233120 1240708 1240890 1242034 1242754 1244734 1244930 1245663 1245710 1245767 1245780 1245815 1245956 1245973 1245977 1246005 1246012 1246181 1246193 1247057 1247078 1247112 1247116 1247119 1247155 1247162 1247167 1247229 1247243 1247280 1247313 1247712 1247976 1248088 1248108 1248164 1248166 1248178 1248179 1248180 1248183 1248186 1248194 1248196 1248198 1248205 1248206 1248208 1248209 1248212 1248213 1248214 1248216 1248217 1248223 1248227 1248228 1248229 1248240 1248255 1248297 1248306 1248312 1248333 1248337 1248338 1248340 1248341 1248345 1248349 
1248350 1248354 1248355 1248361 1248363 1248368 1248374 1248377 1248386 1248390 1248395 1248399 1248401 1248511 1248573 1248575 1248577 1248609 1248614 1248617 1248621 1248636 1248643 1248648 1248652 1248655 1248666 1248669 1248746 1248748 1249022 CVE-2023-3867 CVE-2023-4130 CVE-2023-4515 CVE-2024-26661 CVE-2024-46733 CVE-2024-58238 CVE-2024-58239 CVE-2025-38006 CVE-2025-38075 CVE-2025-38103 CVE-2025-38125 CVE-2025-38146 CVE-2025-38160 CVE-2025-38184 CVE-2025-38185 CVE-2025-38190 CVE-2025-38201 CVE-2025-38205 CVE-2025-38208 CVE-2025-38245 CVE-2025-38251 CVE-2025-38360 CVE-2025-38439 CVE-2025-38441 CVE-2025-38444 CVE-2025-38445 CVE-2025-38458 CVE-2025-38459 CVE-2025-38464 CVE-2025-38472 CVE-2025-38490 CVE-2025-38491 CVE-2025-38499 CVE-2025-38500 CVE-2025-38503 CVE-2025-38506 CVE-2025-38510 CVE-2025-38512 CVE-2025-38513 CVE-2025-38515 CVE-2025-38516 CVE-2025-38520 CVE-2025-38524 CVE-2025-38528 CVE-2025-38529 CVE-2025-38530 CVE-2025-38531 CVE-2025-38535 CVE-2025-38537 CVE-2025-38538 CVE-2025-38540 CVE-2025-38541 CVE-2025-38543 CVE-2025-38546 CVE-2025-38548 CVE-2025-38550 CVE-2025-38553 CVE-2025-38555 CVE-2025-38560 CVE-2025-38563 CVE-2025-38565 CVE-2025-38566 CVE-2025-38568 CVE-2025-38571 CVE-2025-38572 CVE-2025-38576 CVE-2025-38581 CVE-2025-38582 CVE-2025-38583 CVE-2025-38585 CVE-2025-38587 CVE-2025-38588 CVE-2025-38591 CVE-2025-38601 CVE-2025-38602 CVE-2025-38604 CVE-2025-38608 CVE-2025-38609 CVE-2025-38610 CVE-2025-38612 CVE-2025-38617 CVE-2025-38618 CVE-2025-38621 CVE-2025-38624 CVE-2025-38630 CVE-2025-38632 CVE-2025-38634 CVE-2025-38635 CVE-2025-38644 CVE-2025-38646 CVE-2025-38650 CVE-2025-38656 CVE-2025-38663 CVE-2025-38665 CVE-2025-38670 CVE-2025-38671 ----------------------------------------------------------------- The container suse/sl-micro/6.0/kvm-os-container was updated. 
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: kernel-101 Released: Fri Sep 5 14:02:35 2025 Summary: Security update for the Linux Kernel Type: security Severity: important References: 1012628,1213545,1215199,1221858,1222323,1230557,1230708,1233120,1240708,1240890,1242034,1242754,1244734,1244930,1245663,1245710,1245767,1245780,1245815,1245956,1245973,1245977,1246005,1246012,1246181,1246193,1247057,1247078,1247112,1247116,1247119,1247155,1247162,1247167,1247229,1247243,1247280,1247313,1247712,1247976,1248088,1248108,1248164,1248166,1248178,1248179,1248180,1248183,1248186,1248194,1248196,1248198,1248205,1248206,1248208,1248209,1248212,1248213,1248214,1248216,1248217,1248223,1248227,1248228,1248229,1248240,1248255,1248297,1248306,1248312,1248333,1248337,1248338,1248340,1248341,1248345,1248349,1248350,1248354,1248355,1248361,1248363,1248368,1248374,1248377,1248386,1248390,1248395,1248399,1248401,1248511,1248573,1248575,1248577,1248609,1248614,1248617,1248621,1248636,1248643,1248648,1248652,1248655,1248666,1248669,1248746,1248748,1249022,CVE-2023-3867,CVE-2023-4130,CVE-2023-4515,CVE-2024-26661,CVE-2024-46733,CVE-2024-58238,CVE-2024-58239,CVE-2025-38006,
CVE-2025-38075,CVE-2025-38103,CVE-2025-38125,CVE-2025-38146,CVE-2025-38160,CVE-2025-38184,CVE-2025-38185,CVE-2025-38190,CVE-2025-38201,CVE-2025-38205,CVE-2025-38208,CVE-2025-38245,CVE-2025-38251,CVE-2025-38360,CVE-2025-38439,CVE-2025-38441,CVE-2025-38444,CVE-2025-38445,CVE-2025-38458,CVE-2025-38459,CVE-2025-38464,CVE-2025-38472,CVE-2025-38490,CVE-2025-38491,CVE-2025-38499,CVE-2025-38500,CVE-2025-38503,CVE-2025-38506,CVE-2025-38510,CVE-2025-38512,CVE-2025-38513,CVE-2025-38515,CVE-2025-38516,CVE-2025-38520,CVE-2025-38524,CVE-2025-38528,CVE-2025-38529,CVE-2025-38530,CVE-2025-38531,CVE-2025-38535,CVE-2025-38537,CVE-2025-38538,CVE-2025-38540,CVE-2025-38541,CVE-2025-38543,CVE-2025-38546,CVE-2025-38548,CVE-2025-38550,CVE-2025-38553,CVE-2025-38555,CVE-2025-38560,CVE-2025-38563,CVE-2025-38565,CVE-2025-38566,CVE-2025-38568,CVE-2025-38571,CVE-2025-38572,CVE-2025-38576,CVE-2025-38581,CVE-2025-38582,CVE-2025-38583,CVE-2025-38585,CVE-2025-38587,CVE-2025-38588,CVE-2025-38591,CVE-2025-38601,CVE-2025-38602,CVE-2025-38604,CVE-2025-38608,CVE-2025-38609,CVE-2025-38610,CVE-2025-38612,CVE-2025-38617,CVE-2025-38618,CVE-2025-38621,CVE-2025-38624,CVE-2025-38630,CVE-2025-38632,CVE-2025-38634,CVE-2025-38635,CVE-2025-38644,CVE-2025-38646,CVE-2025-38650,CVE-2025-38656,CVE-2025-38663,CVE-2025-38665,CVE-2025-38670,CVE-2025-38671 The SUSE Linux Enterprise Micro 6.0 and 6.1 kernel was updated to receive various security bugfixes. The following security bugs were fixed: - CVE-2024-46733: btrfs: fix qgroup reserve leaks in cow_file_range (bsc#1230708). - CVE-2025-38006: net: mctp: Do not access ifa_index when missing (bsc#1244930). - CVE-2025-38075: scsi: target: iscsi: Fix timeout on deleted connection (bsc#1244734). - CVE-2025-38103: HID: usbhid: Eliminate recurrent out-of-bounds bug in usbhid_parse() (bsc#1245663). - CVE-2025-38125: net: stmmac: make sure that ptp_rate is not 0 before configuring EST (bsc#1245710). - CVE-2025-38146: net: openvswitch: Fix the dead loop of MPLS parse (bsc#1245767).
- CVE-2025-38160: clk: bcm: rpi: Add NULL check in raspberrypi_clk_register() (bsc#1245780). - CVE-2025-38184: tipc: fix null-ptr-deref when acquiring remote ip of ethernet bearer (bsc#1245956). - CVE-2025-38185: atm: atmtcp: Free invalid length skb in atmtcp_c_send() (bsc#1246012). - CVE-2025-38190: atm: Revert atm_account_tx() if copy_from_iter_full() fails (bsc#1245973). - CVE-2025-38201: netfilter: nft_set_pipapo: clamp maximum map bucket size to INT_MAX (bsc#1245977). - CVE-2025-38205: drm/amd/display: Avoid divide by zero by initializing dummy pitch to 1 (bsc#1246005). - CVE-2025-38208: smb: client: add NULL check in automount_fullpath (bsc#1245815). - CVE-2025-38245: atm: Release atm_dev_mutex after removing procfs in atm_dev_deregister() (bsc#1246193). - CVE-2025-38251: atm: clip: prevent NULL deref in clip_push() (bsc#1246181). - CVE-2025-38360: drm/amd/display: Add more checks for DSC / HUBP ONO guarantees (bsc#1247078). - CVE-2025-38439: bnxt_en: Set DMA unmap len correctly for XDP_REDIRECT (bsc#1247155). - CVE-2025-38441: netfilter: flowtable: account for Ethernet header in nf_flow_pppoe_proto() (bsc#1247167). - CVE-2025-38444: raid10: cleanup memleak at raid10_make_request (bsc#1247162). - CVE-2025-38445: md/raid1: Fix stack memory use after return in raid1_reshape (bsc#1247229). - CVE-2025-38458: atm: clip: Fix NULL pointer dereference in vcc_sendmsg() (bsc#1247116). - CVE-2025-38459: atm: clip: Fix infinite recursive call of clip_push() (bsc#1247119). - CVE-2025-38464: tipc: Fix use-after-free in tipc_conn_close() (bsc#1247112). - CVE-2025-38472: netfilter: nf_conntrack: fix crash due to removal of uninitialised entry (bsc#1247313). - CVE-2025-38490: net: libwx: remove duplicate page_pool_put_full_page() (bsc#1247243). - CVE-2025-38491: mptcp: make fallback action and fallback decision atomic (bsc#1247280). - CVE-2025-38499: clone_private_mnt(): make sure that caller has CAP_SYS_ADMIN in the right userns (bsc#1247976). 
- CVE-2025-38500: xfrm: interface: fix use-after-free after changing collect_md xfrm interface (bsc#1248088). - CVE-2025-38506: KVM: Allow CPU to reschedule while setting per-page memory attributes (bsc#1248186). - CVE-2025-38520: drm/amdkfd: Do not call mmput from MMU notifier callback (bsc#1248217). - CVE-2025-38524: rxrpc: Fix recv-recv race of completed call (bsc#1248194). - CVE-2025-38528: bpf: Reject %p% format string in bprintf-like helpers (bsc#1248198). - CVE-2025-38531: iio: common: st_sensors: Fix use of uninitialize device structs (bsc#1248205). - CVE-2025-38546: atm: clip: Fix memory leak of struct clip_vcc (bsc#1248223). - CVE-2025-38560: x86/sev: Evict cache lines during SNP memory validation (bsc#1248312). - CVE-2025-38585: staging: media: atomisp: Fix stack buffer overflow in gmin_get_var_int() (bsc#1248355). - CVE-2025-38591: bpf: Reject narrower access to pointer ctx fields (bsc#1248363). - CVE-2025-38608: bpf, ktls: Fix data corruption when using bpf_msg_pop_data() in ktls (bsc#1248338). - CVE-2025-38618: vsock: Do not allow binding to VMADDR_PORT_ANY (bsc#1248511). The following non-security bugs were fixed: - ACPI: APEI: send SIGBUS to current task if synchronous memory error not recovered (stable-fixes). - ACPI: pfr_update: Fix the driver update version check (git-fixes). - ACPI: processor: fix acpi_object initialization (stable-fixes). - ACPI: processor: perflib: Move problematic pr->performance check (git-fixes). - ALSA: hda/ca0132: Fix buffer overflow in add_tuning_control (stable-fixes). - ALSA: hda/realtek: Add Framework Laptop 13 (AMD Ryzen AI 300) to quirks (stable-fixes). - ALSA: hda/realtek: Add support for HP EliteBook x360 830 G6 and EliteBook 830 G6 (stable-fixes). - ALSA: hda/realtek: Audio disappears on HP 15-fc000 after warm boot again (git-fixes). - ALSA: hda/realtek: Fix headset mic on ASUS Zenbook 14 (git-fixes). - ALSA: hda/realtek: Fix headset mic on HONOR BRB-X (stable-fixes). 
- ALSA: hda: Disable jack polling at shutdown (stable-fixes). - ALSA: hda: Handle the jack polling always via a work (stable-fixes). - ALSA: intel8x0: Fix incorrect codec index usage in mixer for ICH4 (stable-fixes). - ALSA: pcm: Rewrite recalculate_boundary() to avoid costly loop (stable-fixes). - ALSA: scarlett2: Add retry on -EPROTO from scarlett2_usb_tx() (git-fixes). - ALSA: usb-audio: Avoid precedence issues in mixer_quirks macros (stable-fixes). - ALSA: usb-audio: Fix size validation in convert_chmap_v3() (git-fixes). - ALSA: usb-audio: Use correct sub-type for UAC3 feature unit validation (git-fixes). - ALSA: usb-audio: Validate UAC3 cluster segment descriptors (git-fixes). - ALSA: usb-audio: Validate UAC3 power domain descriptors, too (git-fixes). - ASoC: Intel: avs: Fix uninitialized pointer error in probe() (stable-fixes). - ASoC: Intel: fix SND_SOC_SOF dependencies (stable-fixes). - ASoC: amd: yc: Add DMI entries to support HP 15-fb1xxx (stable-fixes). - ASoC: amd: yc: Add DMI quirk for HP Laptop 17 cp-2033dx (stable-fixes). - ASoC: amd: yc: add DMI quirk for ASUS M6501RM (stable-fixes). - ASoC: codecs: rt5640: Retry DEVICE_ID verification (stable-fixes). - ASoC: core: Check for rtd == NULL in snd_soc_remove_pcm_runtime() (stable-fixes). - ASoC: hdac_hdmi: Rate limit logging on connection and disconnection (stable-fixes). - ASoC: soc-dapm: set bias_level if snd_soc_dapm_set_bias_level() was successed (stable-fixes). - Bluetooth: btusb: Add USB ID 3625:010b for TP-LINK Archer TX10UB Nano (stable-fixes). - Bluetooth: hci_conn: do return error from hci_enhanced_setup_sync() (git-fixes). - Bluetooth: hci_event: Detect if HCI_EV_NUM_COMP_PKTS is unbalanced (git-fixes). - Bluetooth: hci_event: Mark connection as closed during suspend disconnect (git-fixes). - Bluetooth: hci_event: Treat UNKNOWN_CONN_ID on disconnect as success (git-fixes). - Bluetooth: hci_event: fix MTU for BN == 0 in CIS Established (git-fixes). 
- Bluetooth: hci_sock: Reset cookie to zero in hci_sock_free_cookie() (stable-fixes). - Bluetooth: hci_sync: fix set_local_name race condition (git-fixes). - HID: asus: fix UAF via HID_CLAIMED_INPUT validation (git-fixes). - HID: multitouch: fix slab out-of-bounds access in mt_report_fixup() (git-fixes). - Move pesign-obs-integration requirement from kernel-syms to kernel devel subpackage (bsc#1248108). - PCI/ACPI: Fix runtime PM ref imbalance on Hot-Plug Capable ports (git-fixes). - PCI/portdrv: Use is_pciehp instead of is_hotplug_bridge (git-fixes). - PCI: Add ACS quirk for Loongson PCIe (git-fixes). - PCI: Support Immediate Readiness on devices without PM capabilities (git-fixes). - PCI: apple: Fix missing OF node reference in apple_pcie_setup_port (git-fixes). - PCI: imx6: Add IMX8MM_EP and IMX8MP_EP fixed 256-byte BAR 4 in epc_features (git-fixes). - PCI: imx6: Delay link start until configfs 'start' written (git-fixes). - PCI: imx6: Remove apps_reset toggling from imx_pcie_{assert/deassert}_core_reset (git-fixes). - PCI: pnv_php: Clean up allocated IRQs on unplug (bsc#1215199). - PCI: pnv_php: Work around switches with broken presence detection (bsc#1215199). - PCI: rockchip: Set Target Link Speed to 5.0 GT/s before retraining (git-fixes). - PCI: rockchip: Use standard PCIe definitions (git-fixes). - PM / devfreq: governor: Replace sscanf() with kstrtoul() in set_freq_store() (stable-fixes). - PM: runtime: Clear power.needs_force_resume in pm_runtime_reinit() (stable-fixes). - PM: sleep: console: Fix the black screen issue (stable-fixes). - RAS/AMD/ATL: Include row bit in row retirement (bsc#1242034). - RAS/AMD/FMPM: Get masked address (bsc#1242034). - RAS/AMD/FMPM: Use atl internal.h for INVALID_SPA (bsc#1242034). 
- RDMA/bnxt_re: Fix a possible memory leak in the driver (git-fixes) - RDMA/bnxt_re: Fix to do SRQ armena by default (git-fixes) - RDMA/bnxt_re: Fix to initialize the PBL array (git-fixes) - RDMA/bnxt_re: Fix to remove workload check in SRQ limit path (git-fixes) - RDMA/core: reduce stack using in nldev_stat_get_doit() (git-fixes) - RDMA/erdma: Fix ignored return value of init_kernel_qp (git-fixes) - RDMA/hns: Fix dip entries leak on devices newer than hip09 (git-fixes) - RDMA: hfi1: fix possible divide-by-zero in find_hw_thread_mask() (git-fixes) - Revert 'gpio: mlxbf3: only get IRQ for device instance 0' (git-fixes). - USB: serial: option: add Foxconn T99W709 (stable-fixes). - USB: storage: Add unusual-devs entry for Novatek NTK96550-based camera (stable-fixes). - USB: storage: Ignore driver CD mode for Realtek multi-mode Wi-Fi dongles (stable-fixes). - aoe: defer rexmit timer downdev work to workqueue (git-fixes). - arch/powerpc: Remove .interp section in vmlinux (bsc#1215199). - arm64/cpufeatures/kvm: Add ARMv8.9 FEAT_ECBHB bits in ID_AA64MMFR1 (git-fixes) - arm64/entry: Mask DAIF in cpu_switch_to(), call_on_irq_stack() (git-fixes) - arm64/mm: Check PUD_TYPE_TABLE in pud_bad() (git-fixes) - arm64: Add support for HIP09 Spectre-BHB mitigation (git-fixes) - arm64: Filter out SME hwcaps when FEAT_SME isn't implemented (git-fixes) - arm64: Restrict pagetable teardown to avoid false warning (git-fixes) - arm64: dts: apple: t8103: Fix PCIe BCM4377 nodename (git-fixes) - arm64: dts: freescale: imx8mm-verdin: Keep LDO5 always on (git-fixes) - arm64: dts: imx8mm-beacon: Fix HS400 USDHC clock speed (git-fixes) - arm64: dts: imx8mm-beacon: Fix RTC capacitive load (git-fixes) - arm64: dts: imx8mm-venice-gw700x: Increase HS400 USDHC clock speed (git-fixes) - arm64: dts: imx8mm-venice-gw7901: Increase HS400 USDHC clock speed (git-fixes) - arm64: dts: imx8mm-venice-gw7902: Increase HS400 USDHC clock speed (git-fixes) - arm64: dts: imx8mm-venice-gw7903: Increase HS400 USDHC 
clock speed (git-fixes) - arm64: dts: imx8mm-venice-gw7904: Increase HS400 USDHC clock speed (git-fixes) - arm64: dts: imx8mn-beacon: Fix HS400 USDHC clock speed (git-fixes) - arm64: dts: imx8mn-beacon: Fix RTC capacitive load (git-fixes) - arm64: dts: imx8mn-venice-gw7902: Increase HS400 USDHC clock speed (git-fixes) - arm64: dts: imx8mp-beacon: Fix RTC capacitive load (git-fixes) - arm64: dts: rockchip: Update eMMC for NanoPi R5 series (git-fixes) - arm64: dts: rockchip: fix endpoint dtc warning for PX30 ISP (git-fixes) - arm64: tegra: Drop remaining serial clock-names and reset-names (git-fixes) - arm64: tegra: p2597: Fix gpio for vdd-1v8-dis regulator (git-fixes) - arm64: zynqmp: add clock-output-names property in clock nodes (git-fixes) - ata: libata-scsi: Fix CDL control (git-fixes). - block: fix kobject leak in blk_unregister_queue (git-fixes). - block: mtip32xx: Fix usage of dma_map_sg() (git-fixes). - bpf: fix kfunc btf caching for modules (git-fixes). - bpf: use kvzmalloc to allocate BPF verifier environment (git-fixes). - btrfs: convert BUG_ON in btrfs_reloc_cow_block() to proper error handling (git-fixes). - btrfs: correctly escape subvol in btrfs_show_options() (git-fixes). - btrfs: fix adding block group to a reclaim list and the unused list during reclaim (git-fixes). - btrfs: fix bitmap leak when loading free space cache on duplicate entry (git-fixes). - btrfs: fix data race when accessing the inode's disk_i_size at btrfs_drop_extents() (git-fixes). - btrfs: fix the length of reserved qgroup to free (bsc#1240708) - btrfs: retry block group reclaim without infinite loop (git-fixes). - btrfs: return accurate error code on open failure in open_fs_devices() (bsc#1233120) - btrfs: run delayed iputs when flushing delalloc (git-fixes). - btrfs: update target inode's ctime on unlink (git-fixes). - cdx: Fix off-by-one error in cdx_rpmsg_probe() (git-fixes). - char: misc: Fix improper and inaccurate error code returned by misc_init() (stable-fixes). 
- comedi: Fix use of uninitialized memory in do_insn_ioctl() and do_insnlist_ioctl() (git-fixes). - comedi: Make insn_rw_emulate_bits() do insn->n samples (git-fixes). - comedi: fix race between polling and detaching (git-fixes). - comedi: pcl726: Prevent invalid irq number (git-fixes). - crypto: hisilicon/hpre - fix dma unmap sequence (stable-fixes). - crypto: jitter - fix intermediary handling (stable-fixes). - crypto: octeontx2 - add timeout for load_fvc completion poll (stable-fixes). - crypto: qat - lower priority for skcipher and aead algorithms (stable-fixes). - drm/amd/display: Add null pointer check in mod_hdcp_hdcp1_create_session() (git-fixes). - drm/amd/display: Add primary plane to commits for correct VRR handling (stable-fixes). - drm/amd/display: Adjust DCE 8-10 clock, do not overclock by 15% (git-fixes). - drm/amd/display: Avoid a NULL pointer dereference (stable-fixes). - drm/amd/display: Avoid configuring PSR granularity if PSR-SU not supported (stable-fixes). - drm/amd/display: Avoid trying AUX transactions on disconnected ports (stable-fixes). - drm/amd/display: Do not overclock DCE 6 by 15% (git-fixes). - drm/amd/display: Fill display clock and vblank time in dce110_fill_display_configs (stable-fixes). - drm/amd/display: Find first CRTC and its line time in dce110_fill_display_configs (stable-fixes). - drm/amd/display: Fix 'failed to blank crtc!' (stable-fixes). - drm/amd/display: Fix DP audio DTO1 clock source on DCE 6 (stable-fixes). - drm/amd/display: Fix fractional fb divider in set_pixel_clock_v3 (git-fixes). - drm/amd/display: Only finalize atomic_obj if it was initialized (stable-fixes). - drm/amd/display: Separate set_gsl from set_gsl_source_select (stable-fixes). - drm/amd: Allow printing VanGogh OD SCLK levels without setting dpm to manual (stable-fixes). - drm/amd: Restore cached power limit during resume (stable-fixes). - drm/amdgpu: Avoid extra evict-restore process (stable-fixes). 
- drm/amdgpu: fix incorrect vm flags to map bo (git-fixes). - drm/amdgpu: fix task hang from failed job submission during process kill (git-fixes). - drm/amdgpu: update mmhub 3.0.1 client id mappings (stable-fixes). - drm/amdkfd: Destroy KFD debugfs after destroy KFD wq (stable-fixes). - drm/dp: Change AUX DPCD probe address from DPCD_REV to LANE0_1_STATUS (stable-fixes). - drm/hisilicon/hibmc: fix the hibmc loaded failed bug (git-fixes). - drm/mediatek: Fix device/node reference count leaks in mtk_drm_get_all_drm_priv (git-fixes). - drm/msm/kms: move snapshot init earlier in KMS init (git-fixes). - drm/msm: Defer fd_install in SUBMIT ioctl (git-fixes). - drm/msm: use trylock for debugfs (stable-fixes). - drm/nouveau/disp: Always accept linear modifier (git-fixes). - drm/nouveau/nvif: Fix potential memory leak in nvif_vmm_ctor() (git-fixes). - drm/nouveau: fix error path in nvkm_gsp_fwsec_v2 (git-fixes). - drm/nouveau: fix typos in comments (git-fixes). - drm/nouveau: remove unused increment in gm200_flcn_pio_imem_wr (git-fixes). - drm/nouveau: remove unused memory target test (git-fixes). - drm/ttm: Respect the shrinker core free target (stable-fixes). - drm/ttm: Should to return the evict error (stable-fixes). - et131x: Add missing check after DMA map (stable-fixes). - exfat: add cluster chain loop check for dir (git-fixes). - fbdev: Fix vmalloc out-of-bounds write in fast_imageblit (stable-fixes). - fbdev: fix potential buffer overflow in do_register_framebuffer() (stable-fixes). - fs/mnt_idmapping.c: Return -EINVAL when no map is written (bsc#1233120) - fs/orangefs: use snprintf() instead of sprintf() (git-fixes). - gpio: mlxbf3: use platform_get_irq_optional() (git-fixes). - gpio: tps65912: check the return value of regmap_update_bits() (stable-fixes). - gpio: wcd934x: check the return value of regmap_update_bits() (stable-fixes). - hfs: fix not erasing deleted b-tree node issue (git-fixes). - hfs: fix slab-out-of-bounds in hfs_bnode_read() (git-fixes). 
- hfsplus: do not use BUG_ON() in hfsplus_create_attributes_file() (git-fixes). - hfsplus: fix slab-out-of-bounds in hfsplus_bnode_read() (git-fixes). - hfsplus: fix slab-out-of-bounds read in hfsplus_uni2asc() (git-fixes). - hwmon: (emc2305) Set initial PWM minimum value during probe based on thermal state (stable-fixes). - i2c: Force DLL0945 touchpad i2c freq to 100khz (stable-fixes). - i3c: do not fail if GETHDRCAP is unsupported (stable-fixes). - i3c: master: Initialize ret in i3c_i2c_notifier_call() (stable-fixes). - ice, irdma: fix an off by one in error handling code (bsc#1247712). - ice, irdma: move interrupts code to irdma (bsc#1247712). - ice: Fix signedness bug in ice_init_interrupt_scheme() (bsc#1247712). - ice: count combined queues using Rx/Tx count (bsc#1247712). - ice: devlink PF MSI-X max and min parameter (bsc#1247712). - ice: enable_rdma devlink param (bsc#1247712). - ice: get rid of num_lan_msix field (bsc#1247712). - ice: init flow director before RDMA (bsc#1247712). - ice: remove splitting MSI-X between features (bsc#1247712). - ice: simplify VF MSI-X managing (bsc#1247712). - ice: treat dyn_allowed only as suggestion (bsc#1247712). - iio: adc: ad7768-1: Ensure SYNC_IN pulse minimum timing requirement (stable-fixes). - iio: adc: ad_sigma_delta: do not overallocate scan buffer (stable-fixes). - iio: imu: inv_icm42600: switch timestamp type from int64_t __aligned(8) to aligned_s64 (stable-fixes). - iio: imu: inv_icm42600: use = { } instead of memset() (stable-fixes). - iio: pressure: bmp280: Use IS_ERR() in bmp280_common_probe() (git-fixes). - iio: proximity: isl29501: fix buffered read on big-endian systems (git-fixes). - integrity/platform_certs: Allow loading of keys in the static key management mode (jsc#PED-13345 jsc#PED-13343). - iosys-map: Fix undefined behavior in iosys_map_clear() (git-fixes). - ipmi: Fix strcpy source and destination the same (stable-fixes). 
- ipmi: Use dev_warn_ratelimited() for incorrect message warnings (stable-fixes). - irdma: free iwdev->rf after removing MSI-X (bsc#1247712). - jfs: Regular file corruption check (git-fixes). - jfs: truncate good inode pages when hard link is 0 (git-fixes). - jfs: upper bound check of tree index in dbAllocAG (git-fixes). - kABI: PCI/ACPI: Fix runtime PM ref imbalance on Hot-Plug Capable ports (git-fixes). - kselftest/arm64: Fix check for setting new VLs in sve-ptrace (git-fixes). - leds: leds-lp50xx: Handle reg to get correct multi_index (stable-fixes). - loop: use kiocb helpers to fix lockdep warning (git-fixes). - mISDN: hfcpci: Fix warning when deleting uninitialized timer (git-fixes). - md/md-cluster: handle REMOVE message earlier (bsc#1247057). - md/raid1,raid10: strip REQ_NOWAIT from member bios (git-fixes). - md: allow removing faulty rdev during resync (git-fixes). - md: make rdev_addable usable for rcu mode (git-fixes). - media: dvb-frontends: dib7090p: fix null-ptr-deref in dib7090p_rw_on_apb() (stable-fixes). - media: dvb-frontends: w7090p: fix null-ptr-deref in w7090p_tuner_write_serpar and w7090p_tuner_read_serpar (stable-fixes). - media: tc358743: Check I2C succeeded during probe (stable-fixes). - media: tc358743: Increase FIFO trigger level to 374 (stable-fixes). - media: tc358743: Return an appropriate colorspace from tc358743_set_fmt (stable-fixes). - media: usb: hdpvr: disable zero-length read messages (stable-fixes). - media: uvcvideo: Fix bandwidth issue for Alcor camera (stable-fixes). - media: v4l2-common: Reduce warnings about missing V4L2_CID_LINK_FREQ control (stable-fixes). - mei: bus: Check for still connected devices in mei_cl_bus_dev_release() (stable-fixes). - memstick: Fix deadlock by moving removing flag earlier (git-fixes). - mm/ptdump: take the memory hotplug lock inside ptdump_walk_pgd() (git-fixes) - mmc: rtsx_usb_sdmmc: Fix error-path in sd_set_power_mode() (stable-fixes). 
- mmc: sdhci-msm: Ensure SD card power isn't ON when card removed (stable-fixes). - mmc: sdhci-pci-gli: GL9763e: Rename the gli_set_gl9763e() for consistency (git-fixes). - most: core: Drop device reference after usage in get_channel() (git-fixes). - mptcp: fallback when MPTCP opts are dropped after 1st data (git-fixes). - mptcp: reset when MPTCP opts are dropped after join (git-fixes). - net: phy: micrel: Add ksz9131_resume() (stable-fixes). - net: phy: smsc: add proper reset flags for LAN8710A (stable-fixes). - net: thunderbolt: Enable end-to-end flow control also in transmit (stable-fixes). - net: thunderbolt: Fix the parameter passing of tb_xdomain_enable_paths()/tb_xdomain_disable_paths() (stable-fixes). - net: usb: asix_devices: Fix PHY address mask in MDIO bus initialization (git-fixes). - net: usb: asix_devices: add phy_mask for ax88772 mdio bus (git-fixes). - pNFS: Fix disk addr range check in block/scsi layout (git-fixes). - pNFS: Fix stripe mapping in block/scsi layout (git-fixes). - pNFS: Fix uninited ptr deref in block/scsi layout (git-fixes). - pNFS: Handle RPC size limit for layoutcommits (git-fixes). - phy: mscc: Fix parsing of unicast frames (git-fixes). - phy: rockchip-pcie: Properly disable TEST_WRITE strobe signal (stable-fixes). - pinctrl: STMFX: add missing HAS_IOMEM dependency (git-fixes). - pinctrl: stm32: Manage irq affinity settings (stable-fixes). - platform/chrome: cros_ec_typec: Defer probe on missing EC parent (stable-fixes). - platform/x86/amd: pmc: Add Lenovo Yoga 6 13ALC6 to pmc quirk list (stable-fixes). - pm: cpupower: Fix the snapshot-order of tsc,mperf, clock in mperf_stop() (stable-fixes). - power: supply: qcom_battmgr: Add lithium-polymer entry (stable-fixes). - powerpc/eeh: Export eeh_unfreeze_pe() (bsc#1215199). - powerpc/eeh: Make EEH driver device hotplug safe (bsc#1215199). - powerpc/eeh: Rely on dev->link_active_reporting (bsc#1215199). - powerpc/kernel: Fix ppc_save_regs inclusion in build (bsc#1215199). 
- powerpc/pseries: Correct secvar format representation for static key management (jsc#PED-13345 jsc#PED-13343). - powerpc/secvar: Expose secvars relevant to the key management mode (jsc#PED-13345 jsc#PED-13343). - powerpc: do not build ppc_save_regs.o always (bsc#1215199). - pwm: mediatek: Fix duty and period setting (git-fixes). - pwm: mediatek: Handle hardware enable and clock enable separately (stable-fixes). - reset: brcmstb: Enable reset drivers for ARCH_BCM2835 (stable-fixes). - rpm/config.sh: Update Leap project - rtc: ds1307: handle oscillator stop flag (OSF) for ds1341 (stable-fixes). - rtc: ds1307: remove clear of oscillator stop flag (OSF) in probe (stable-fixes). - samples/bpf: Fix compilation errors with cf-protection option (git-fixes). - scsi: Revert 'scsi: iscsi: Fix HW conn removal use after free' (git-fixes). - scsi: core: Fix kernel doc for scsi_track_queue_full() (git-fixes). - scsi: elx: efct: Fix dma_unmap_sg() nents value (git-fixes). - scsi: ibmvscsi_tgt: Fix dma_unmap_sg() nents value (git-fixes). - scsi: isci: Fix dma_unmap_sg() nents value (git-fixes). - scsi: mpi3mr: Fix kernel-doc issues in mpi3mr_app.c (git-fixes). - scsi: mpi3mr: Fix race between config read submit and interrupt completion (git-fixes). - scsi: mpi3mr: Serialize admin queue BAR writes on 32-bit systems (git-fixes). - scsi: mpt3sas: Fix a fw_event memory leak (git-fixes). - scsi: mvsas: Fix dma_unmap_sg() nents value (git-fixes). - scsi: sd: Make sd shutdown issue START STOP UNIT appropriately (git-fixes). - selftests/bpf: fexit_sleep: Fix stack allocation for arm64 (git-fixes). - selftests/tracing: Fix false failure of subsystem event test (git-fixes). - selftests: Fix errno checking in syscall_user_dispatch test (git-fixes). - selftests: rtnetlink.sh: remove esp4_offload after test (git-fixes). - serial: 8250: fix panic due to PSLVERR (git-fixes). - slab: Decouple slab_debug and no_hash_pointers (bsc#1249022). - smb: client: fix parsing of device numbers (git-fixes). 
- soc/tegra: pmc: Ensure power-domains are in a known state (git-fixes). - soundwire: amd: serialize amd manager resume sequence during pm_prepare (stable-fixes). - squashfs: fix memory leak in squashfs_fill_super (git-fixes). - sunrpc: fix handling of server side tls alerts (git-fixes). - sunvdc: Balance device refcount in vdc_port_mpgroup_check (git-fixes). - thermal/drivers/qcom-spmi-temp-alarm: Enable stage 2 shutdown when required (stable-fixes). - thermal: sysfs: Return ENODATA instead of EAGAIN for reads (stable-fixes). - ublk: sanity check add_dev input for underflow (git-fixes). - ublk: use vmalloc for ublk_device's __queues (git-fixes). - usb: core: config: Prevent OOB read in SS endpoint companion parsing (stable-fixes). - usb: core: hcd: fix accessing unmapped memory in SINGLE_STEP_SET_FEATURE test (git-fixes). - usb: core: usb_submit_urb: downgrade type check (stable-fixes). - usb: dwc3: Ignore late xferNotReady event to prevent halt timeout (git-fixes). - usb: dwc3: Remove WARN_ON for device endpoint command timeouts (stable-fixes). - usb: dwc3: core: Fix system suspend on TI AM62 platforms (git-fixes). - usb: dwc3: fix fault at system suspend if device was already runtime suspended (git-fixes). - usb: dwc3: pci: add support for the Intel Wildcat Lake (stable-fixes). - usb: quirks: Add DELAY_INIT quick for another SanDisk 3.2Gen1 Flash Drive (stable-fixes). - usb: renesas-xhci: Fix External ROM access timeouts (git-fixes). - usb: storage: realtek_cr: Use correct byte order for bcs->Residue (git-fixes). - usb: typec: intel_pmc_mux: Defer probe if SCU IPC isn't present (stable-fixes). - usb: typec: ucsi: psy: Set current max to 100mA for BC 1.2 and Default (stable-fixes). - usb: xhci: Avoid showing errors during surprise removal (stable-fixes). - usb: xhci: Avoid showing warnings for dying controller (stable-fixes). - usb: xhci: Fix slot_id resource race conflict (git-fixes). 
- usb: xhci: Set avg_trb_len = 8 for EP0 during Address Device Command (stable-fixes). - usb: xhci: print xhci->xhc_state when queue_command failed (stable-fixes). - vfs: Add a sysctl for automated deletion of dentry (bsc#1240890). - watchdog: dw_wdt: Fix default timeout (stable-fixes). - watchdog: iTCO_wdt: Report error if timeout configuration fails (stable-fixes). - watchdog: sbsa: Adjust keepalive timeout to avoid MediaTek WS0 race condition (stable-fixes). - wifi: ath12k: Add memset and update default rate value in wmi tx completion (stable-fixes). - wifi: ath12k: Correct tid cleanup when tid setup fails (stable-fixes). - wifi: ath12k: Decrement TID on RX peer frag setup error handling (stable-fixes). - wifi: ath12k: Enable REO queue lookup table feature on QCN9274 hw2.0 (stable-fixes). - wifi: cfg80211: Fix interface type validation (stable-fixes). - wifi: cfg80211: reject HTC bit for management frames (stable-fixes). - wifi: iwlegacy: Check rate_idx range after addition (stable-fixes). - wifi: iwlwifi: dvm: fix potential overflow in rs_fill_link_cmd() (stable-fixes). - wifi: iwlwifi: fw: Fix possible memory leak in iwl_fw_dbg_collect (stable-fixes). - wifi: iwlwifi: mvm: fix scan request validation (stable-fixes). - wifi: iwlwifi: mvm: set gtk id also in older FWs (stable-fixes). - wifi: mac80211: do not complete management TX on SAE commit (stable-fixes). - wifi: mac80211: fix rx link assignment for non-MLO stations (stable-fixes). - wifi: mac80211: update radar_required in channel context after channel switch (stable-fixes). - wifi: mt76: mt7915: mcu: re-init MCU before loading FW patch (stable-fixes). - wifi: rtlwifi: fix possible skb memory leak in _rtl_pci_init_one_rxdesc() (stable-fixes). - wifi: rtlwifi: fix possible skb memory leak in `_rtl_pci_rx_interrupt()` (stable-fixes). - wifi: rtw89: Disable deep power saving for USB/SDIO (stable-fixes). - wifi: rtw89: Fix rtw89_mac_power_switch() for USB (stable-fixes). 
- wifi: rtw89: Lower the timeout in rtw89_fw_read_c2h_reg() for USB (stable-fixes). The following package changes have been done: - kernel-default-base-6.4.0-34.1.21.11 updated - container:SL-Micro-base-container-2.1.3-7.50 updated From sle-container-updates at lists.suse.com Sat Sep 6 07:23:57 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Sat, 6 Sep 2025 09:23:57 +0200 (CEST) Subject: SUSE-IU-2025:2427-1: Security update of suse/sl-micro/6.1/base-os-container Message-ID: <20250906072357.3B4EBF782@maintenance.suse.de> SUSE Image Update Advisory: suse/sl-micro/6.1/base-os-container ----------------------------------------------------------------- Image Advisory ID : SUSE-IU-2025:2427-1 Image Tags : suse/sl-micro/6.1/base-os-container:2.2.1 , suse/sl-micro/6.1/base-os-container:2.2.1-5.29 , suse/sl-micro/6.1/base-os-container:latest Image Release : 5.29 Severity : important Type : security References : 1012628 1213545 1215199 1221858 1222323 1223880 1230557 1230708 1233120 1240708 1240890 1242034 1242754 1244596 1244734 1244930 1245663 1245710 1245767 1245780 1245815 1245956 1245973 1245977 1246005 1246012 1246181 1246193 1247057 1247078 1247112 1247116 1247119 1247155 1247162 1247167 1247229 1247243 1247280 1247313 1247712 1247976 1248088 1248108 1248164 1248166 1248178 1248179 1248180 1248183 1248186 1248194 1248196 1248198 1248205 1248206 1248208 1248209 1248212 1248213 1248214 1248216 1248217 1248223 1248227 1248228 1248229 1248240 1248255 1248297 1248306 1248312 1248333 1248337 1248338 1248340 1248341 1248345 1248349 1248350 1248354 1248355 1248361 1248363 1248368 1248374 1248377 1248386 1248390 1248395 1248399 1248401 1248511 1248573 1248575 1248577 1248609 1248614 1248617 1248621 1248636 1248643 1248648 1248652 1248655 1248666 1248669 1248746 1248748 1249022 6680 CVE-2023-3867 CVE-2023-4130 CVE-2023-4515 CVE-2024-26661 CVE-2024-34062 CVE-2024-46733 CVE-2024-58238 CVE-2024-58239 CVE-2025-38006 CVE-2025-38075 
CVE-2025-38103 CVE-2025-38125 CVE-2025-38146 CVE-2025-38160 CVE-2025-38184 CVE-2025-38185 CVE-2025-38190 CVE-2025-38201 CVE-2025-38205 CVE-2025-38208 CVE-2025-38245 CVE-2025-38251 CVE-2025-38360 CVE-2025-38439 CVE-2025-38441 CVE-2025-38444 CVE-2025-38445 CVE-2025-38458 CVE-2025-38459 CVE-2025-38464 CVE-2025-38472 CVE-2025-38490 CVE-2025-38491 CVE-2025-38499 CVE-2025-38500 CVE-2025-38503 CVE-2025-38506 CVE-2025-38510 CVE-2025-38512 CVE-2025-38513 CVE-2025-38515 CVE-2025-38516 CVE-2025-38520 CVE-2025-38524 CVE-2025-38528 CVE-2025-38529 CVE-2025-38530 CVE-2025-38531 CVE-2025-38535 CVE-2025-38537 CVE-2025-38538 CVE-2025-38540 CVE-2025-38541 CVE-2025-38543 CVE-2025-38546 CVE-2025-38548 CVE-2025-38550 CVE-2025-38553 CVE-2025-38555 CVE-2025-38560 CVE-2025-38563 CVE-2025-38565 CVE-2025-38566 CVE-2025-38568 CVE-2025-38571 CVE-2025-38572 CVE-2025-38576 CVE-2025-38581 CVE-2025-38582 CVE-2025-38583 CVE-2025-38585 CVE-2025-38587 CVE-2025-38588 CVE-2025-38591 CVE-2025-38601 CVE-2025-38602 CVE-2025-38604 CVE-2025-38608 CVE-2025-38609 CVE-2025-38610 CVE-2025-38612 CVE-2025-38617 CVE-2025-38618 CVE-2025-38621 CVE-2025-38624 CVE-2025-38630 CVE-2025-38632 CVE-2025-38634 CVE-2025-38635 CVE-2025-38644 CVE-2025-38646 CVE-2025-38650 CVE-2025-38656 CVE-2025-38663 CVE-2025-38665 CVE-2025-38670 CVE-2025-38671 CVE-2025-6052 ----------------------------------------------------------------- The container suse/sl-micro/6.1/base-os-container was updated. 
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: kernel-101 Released: Fri Sep 5 14:02:35 2025 Summary: Security update for the Linux Kernel Type: security Severity: important References: 1012628,1213545,1215199,1221858,1222323,1230557,1230708,1233120,1240708,1240890,1242034,1242754,1244734,1244930,1245663,1245710,1245767,1245780,1245815,1245956,1245973,1245977,1246005,1246012,1246181,1246193,1247057,1247078,1247112,1247116,1247119,1247155,1247162,1247167,1247229,1247243,1247280,1247313,1247712,1247976,1248088,1248108,1248164,1248166,1248178,1248179,1248180,1248183,1248186,1248194,1248196,1248198,1248205,1248206,1248208,1248209,1248212,1248213,1248214,1248216,1248217,1248223,1248227,1248228,1248229,1248240,1248255,1248297,1248306,1248312,1248333,1248337,1248338,1248340,1248341,1248345,1248349,1248350,1248354,1248355,1248361,1248363,1248368,1248374,1248377,1248386,1248390,1248395,1248399,1248401,1248511,1248573,1248575,1248577,1248609,1248614,1248617,1248621,1248636,1248643,1248648,1248652,1248655,1248666,1248669,1248746,1248748,1249022,CVE-2023-3867,CVE-2023-4130,CVE-2023-4515,CVE-2024-26661,CVE-2024-46733,CVE-2024-58238,CVE-2024-58239,CVE-2025-38006,CVE-2025-38075,CVE-2025-38103,CVE-2025-38125,CVE-2025-38146,CVE-2025-38160,CVE-2025-38184,CVE-2025-38185,CVE-2025-38190,CVE-2025-38201,CVE-2025-38205,CVE-2025-38208,CVE-2025-38245,CVE-2025-38251,CVE-2025-38360,CVE-2025-38439,CVE-2025-38441,CVE-2025-38444,CVE-2025-38445,CVE-2025-38458,CVE-2025-38459,CVE-2025-38464,CVE-2025-38472,CVE-2025-38490,CVE-2025-38491,CVE-2025-38499,CVE-2025-38500,CVE-2025-38503,CVE-2025-38506,CVE-2025-38510,CVE-2025-38512,CVE-2025-38513,CVE-2025-38515,CVE-2025-38516,CVE-2025-38520,CVE-2025-38524,CVE-2025-38528,CVE-2025-38529,CVE-2025-38530,CVE-2025-38531,CVE-2025-38535,CVE-2025-38537,CVE-2025-38538,CVE-2025-38540,CVE-2025-38541,CVE-2025-38543,CVE-2025-38546,CVE-2025-38548,CVE-2025-38550,CVE-2025-38553,CVE-2025-38555,CVE-2025-38560,CVE-2025-38563,CVE-2025-38565,CVE-2025-38566,CVE-2025-38568,CVE-2025-38571,CVE-2025-38572,CVE-2025-38576,CVE-2025-38581,CVE-2025-38582,CVE-2025-38583,CVE-2025-38585,CVE-2025-38587,CVE-2025-38588,CVE-2025-38591,CVE-2025-38601,CVE-2025-38602,CVE-2025-38604,CVE-2025-38608,CVE-2025-38609,CVE-2025-38610,CVE-2025-38612,CVE-2025-38617,CVE-2025-38618,CVE-2025-38621,CVE-2025-38624,CVE-2025-38630,CVE-2025-38632,CVE-2025-38634,CVE-2025-38635,CVE-2025-38644,CVE-2025-38646,CVE-2025-38650,CVE-2025-38656,CVE-2025-38663,CVE-2025-38665,CVE-2025-38670,CVE-2025-38671
The SUSE Linux Enterprise Micro 6.0 and 6.1 kernel was updated to receive various security bugfixes. The following security bugs were fixed: - CVE-2024-46733: btrfs: fix qgroup reserve leaks in cow_file_range (bsc#1230708). - CVE-2025-38006: net: mctp: Do not access ifa_index when missing (bsc#1244930). - CVE-2025-38075: scsi: target: iscsi: Fix timeout on deleted connection (bsc#1244734). - CVE-2025-38103: HID: usbhid: Eliminate recurrent out-of-bounds bug in usbhid_parse() (bsc#1245663). - CVE-2025-38125: net: stmmac: make sure that ptp_rate is not 0 before configuring EST (bsc#1245710). - CVE-2025-38146: net: openvswitch: Fix the dead loop of MPLS parse (bsc#1245767).
- CVE-2025-38160: clk: bcm: rpi: Add NULL check in raspberrypi_clk_register() (bsc#1245780). - CVE-2025-38184: tipc: fix null-ptr-deref when acquiring remote ip of ethernet bearer (bsc#1245956). - CVE-2025-38185: atm: atmtcp: Free invalid length skb in atmtcp_c_send() (bsc#1246012). - CVE-2025-38190: atm: Revert atm_account_tx() if copy_from_iter_full() fails (bsc#1245973). - CVE-2025-38201: netfilter: nft_set_pipapo: clamp maximum map bucket size to INT_MAX (bsc#1245977). - CVE-2025-38205: drm/amd/display: Avoid divide by zero by initializing dummy pitch to 1 (bsc#1246005). - CVE-2025-38208: smb: client: add NULL check in automount_fullpath (bsc#1245815). - CVE-2025-38245: atm: Release atm_dev_mutex after removing procfs in atm_dev_deregister() (bsc#1246193). - CVE-2025-38251: atm: clip: prevent NULL deref in clip_push() (bsc#1246181). - CVE-2025-38360: drm/amd/display: Add more checks for DSC / HUBP ONO guarantees (bsc#1247078). - CVE-2025-38439: bnxt_en: Set DMA unmap len correctly for XDP_REDIRECT (bsc#1247155). - CVE-2025-38441: netfilter: flowtable: account for Ethernet header in nf_flow_pppoe_proto() (bsc#1247167). - CVE-2025-38444: raid10: cleanup memleak at raid10_make_request (bsc#1247162). - CVE-2025-38445: md/raid1: Fix stack memory use after return in raid1_reshape (bsc#1247229). - CVE-2025-38458: atm: clip: Fix NULL pointer dereference in vcc_sendmsg() (bsc#1247116). - CVE-2025-38459: atm: clip: Fix infinite recursive call of clip_push() (bsc#1247119). - CVE-2025-38464: tipc: Fix use-after-free in tipc_conn_close() (bsc#1247112). - CVE-2025-38472: netfilter: nf_conntrack: fix crash due to removal of uninitialised entry (bsc#1247313). - CVE-2025-38490: net: libwx: remove duplicate page_pool_put_full_page() (bsc#1247243). - CVE-2025-38491: mptcp: make fallback action and fallback decision atomic (bsc#1247280). - CVE-2025-38499: clone_private_mnt(): make sure that caller has CAP_SYS_ADMIN in the right userns (bsc#1247976). 
- CVE-2025-38500: xfrm: interface: fix use-after-free after changing collect_md xfrm interface (bsc#1248088). - CVE-2025-38506: KVM: Allow CPU to reschedule while setting per-page memory attributes (bsc#1248186). - CVE-2025-38520: drm/amdkfd: Do not call mmput from MMU notifier callback (bsc#1248217). - CVE-2025-38524: rxrpc: Fix recv-recv race of completed call (bsc#1248194). - CVE-2025-38528: bpf: Reject %p% format string in bprintf-like helpers (bsc#1248198). - CVE-2025-38531: iio: common: st_sensors: Fix use of uninitialize device structs (bsc#1248205). - CVE-2025-38546: atm: clip: Fix memory leak of struct clip_vcc (bsc#1248223). - CVE-2025-38560: x86/sev: Evict cache lines during SNP memory validation (bsc#1248312). - CVE-2025-38585: staging: media: atomisp: Fix stack buffer overflow in gmin_get_var_int() (bsc#1248355). - CVE-2025-38591: bpf: Reject narrower access to pointer ctx fields (bsc#1248363). - CVE-2025-38608: bpf, ktls: Fix data corruption when using bpf_msg_pop_data() in ktls (bsc#1248338). - CVE-2025-38618: vsock: Do not allow binding to VMADDR_PORT_ANY (bsc#1248511). The following non-security bugs were fixed: - ACPI: APEI: send SIGBUS to current task if synchronous memory error not recovered (stable-fixes). - ACPI: pfr_update: Fix the driver update version check (git-fixes). - ACPI: processor: fix acpi_object initialization (stable-fixes). - ACPI: processor: perflib: Move problematic pr->performance check (git-fixes). - ALSA: hda/ca0132: Fix buffer overflow in add_tuning_control (stable-fixes). - ALSA: hda/realtek: Add Framework Laptop 13 (AMD Ryzen AI 300) to quirks (stable-fixes). - ALSA: hda/realtek: Add support for HP EliteBook x360 830 G6 and EliteBook 830 G6 (stable-fixes). - ALSA: hda/realtek: Audio disappears on HP 15-fc000 after warm boot again (git-fixes). - ALSA: hda/realtek: Fix headset mic on ASUS Zenbook 14 (git-fixes). - ALSA: hda/realtek: Fix headset mic on HONOR BRB-X (stable-fixes). 
- ALSA: hda: Disable jack polling at shutdown (stable-fixes). - ALSA: hda: Handle the jack polling always via a work (stable-fixes). - ALSA: intel8x0: Fix incorrect codec index usage in mixer for ICH4 (stable-fixes). - ALSA: pcm: Rewrite recalculate_boundary() to avoid costly loop (stable-fixes). - ALSA: scarlett2: Add retry on -EPROTO from scarlett2_usb_tx() (git-fixes). - ALSA: usb-audio: Avoid precedence issues in mixer_quirks macros (stable-fixes). - ALSA: usb-audio: Fix size validation in convert_chmap_v3() (git-fixes). - ALSA: usb-audio: Use correct sub-type for UAC3 feature unit validation (git-fixes). - ALSA: usb-audio: Validate UAC3 cluster segment descriptors (git-fixes). - ALSA: usb-audio: Validate UAC3 power domain descriptors, too (git-fixes). - ASoC: Intel: avs: Fix uninitialized pointer error in probe() (stable-fixes). - ASoC: Intel: fix SND_SOC_SOF dependencies (stable-fixes). - ASoC: amd: yc: Add DMI entries to support HP 15-fb1xxx (stable-fixes). - ASoC: amd: yc: Add DMI quirk for HP Laptop 17 cp-2033dx (stable-fixes). - ASoC: amd: yc: add DMI quirk for ASUS M6501RM (stable-fixes). - ASoC: codecs: rt5640: Retry DEVICE_ID verification (stable-fixes). - ASoC: core: Check for rtd == NULL in snd_soc_remove_pcm_runtime() (stable-fixes). - ASoC: hdac_hdmi: Rate limit logging on connection and disconnection (stable-fixes). - ASoC: soc-dapm: set bias_level if snd_soc_dapm_set_bias_level() was successed (stable-fixes). - Bluetooth: btusb: Add USB ID 3625:010b for TP-LINK Archer TX10UB Nano (stable-fixes). - Bluetooth: hci_conn: do return error from hci_enhanced_setup_sync() (git-fixes). - Bluetooth: hci_event: Detect if HCI_EV_NUM_COMP_PKTS is unbalanced (git-fixes). - Bluetooth: hci_event: Mark connection as closed during suspend disconnect (git-fixes). - Bluetooth: hci_event: Treat UNKNOWN_CONN_ID on disconnect as success (git-fixes). - Bluetooth: hci_event: fix MTU for BN == 0 in CIS Established (git-fixes). 
- Bluetooth: hci_sock: Reset cookie to zero in hci_sock_free_cookie() (stable-fixes). - Bluetooth: hci_sync: fix set_local_name race condition (git-fixes). - HID: asus: fix UAF via HID_CLAIMED_INPUT validation (git-fixes). - HID: multitouch: fix slab out-of-bounds access in mt_report_fixup() (git-fixes). - Move pesign-obs-integration requirement from kernel-syms to kernel devel subpackage (bsc#1248108). - PCI/ACPI: Fix runtime PM ref imbalance on Hot-Plug Capable ports (git-fixes). - PCI/portdrv: Use is_pciehp instead of is_hotplug_bridge (git-fixes). - PCI: Add ACS quirk for Loongson PCIe (git-fixes). - PCI: Support Immediate Readiness on devices without PM capabilities (git-fixes). - PCI: apple: Fix missing OF node reference in apple_pcie_setup_port (git-fixes). - PCI: imx6: Add IMX8MM_EP and IMX8MP_EP fixed 256-byte BAR 4 in epc_features (git-fixes). - PCI: imx6: Delay link start until configfs 'start' written (git-fixes). - PCI: imx6: Remove apps_reset toggling from imx_pcie_{assert/deassert}_core_reset (git-fixes). - PCI: pnv_php: Clean up allocated IRQs on unplug (bsc#1215199). - PCI: pnv_php: Work around switches with broken presence detection (bsc#1215199). - PCI: rockchip: Set Target Link Speed to 5.0 GT/s before retraining (git-fixes). - PCI: rockchip: Use standard PCIe definitions (git-fixes). - PM / devfreq: governor: Replace sscanf() with kstrtoul() in set_freq_store() (stable-fixes). - PM: runtime: Clear power.needs_force_resume in pm_runtime_reinit() (stable-fixes). - PM: sleep: console: Fix the black screen issue (stable-fixes). - RAS/AMD/ATL: Include row bit in row retirement (bsc#1242034). - RAS/AMD/FMPM: Get masked address (bsc#1242034). - RAS/AMD/FMPM: Use atl internal.h for INVALID_SPA (bsc#1242034). 
- RDMA/bnxt_re: Fix a possible memory leak in the driver (git-fixes) - RDMA/bnxt_re: Fix to do SRQ armena by default (git-fixes) - RDMA/bnxt_re: Fix to initialize the PBL array (git-fixes) - RDMA/bnxt_re: Fix to remove workload check in SRQ limit path (git-fixes) - RDMA/core: reduce stack using in nldev_stat_get_doit() (git-fixes) - RDMA/erdma: Fix ignored return value of init_kernel_qp (git-fixes) - RDMA/hns: Fix dip entries leak on devices newer than hip09 (git-fixes) - RDMA: hfi1: fix possible divide-by-zero in find_hw_thread_mask() (git-fixes) - Revert 'gpio: mlxbf3: only get IRQ for device instance 0' (git-fixes). - USB: serial: option: add Foxconn T99W709 (stable-fixes). - USB: storage: Add unusual-devs entry for Novatek NTK96550-based camera (stable-fixes). - USB: storage: Ignore driver CD mode for Realtek multi-mode Wi-Fi dongles (stable-fixes). - aoe: defer rexmit timer downdev work to workqueue (git-fixes). - arch/powerpc: Remove .interp section in vmlinux (bsc#1215199). - arm64/cpufeatures/kvm: Add ARMv8.9 FEAT_ECBHB bits in ID_AA64MMFR1 (git-fixes) - arm64/entry: Mask DAIF in cpu_switch_to(), call_on_irq_stack() (git-fixes) - arm64/mm: Check PUD_TYPE_TABLE in pud_bad() (git-fixes) - arm64: Add support for HIP09 Spectre-BHB mitigation (git-fixes) - arm64: Filter out SME hwcaps when FEAT_SME isn't implemented (git-fixes) - arm64: Restrict pagetable teardown to avoid false warning (git-fixes) - arm64: dts: apple: t8103: Fix PCIe BCM4377 nodename (git-fixes) - arm64: dts: freescale: imx8mm-verdin: Keep LDO5 always on (git-fixes) - arm64: dts: imx8mm-beacon: Fix HS400 USDHC clock speed (git-fixes) - arm64: dts: imx8mm-beacon: Fix RTC capacitive load (git-fixes) - arm64: dts: imx8mm-venice-gw700x: Increase HS400 USDHC clock speed (git-fixes) - arm64: dts: imx8mm-venice-gw7901: Increase HS400 USDHC clock speed (git-fixes) - arm64: dts: imx8mm-venice-gw7902: Increase HS400 USDHC clock speed (git-fixes) - arm64: dts: imx8mm-venice-gw7903: Increase HS400 USDHC 
clock speed (git-fixes) - arm64: dts: imx8mm-venice-gw7904: Increase HS400 USDHC clock speed (git-fixes) - arm64: dts: imx8mn-beacon: Fix HS400 USDHC clock speed (git-fixes) - arm64: dts: imx8mn-beacon: Fix RTC capacitive load (git-fixes) - arm64: dts: imx8mn-venice-gw7902: Increase HS400 USDHC clock speed (git-fixes) - arm64: dts: imx8mp-beacon: Fix RTC capacitive load (git-fixes) - arm64: dts: rockchip: Update eMMC for NanoPi R5 series (git-fixes) - arm64: dts: rockchip: fix endpoint dtc warning for PX30 ISP (git-fixes) - arm64: tegra: Drop remaining serial clock-names and reset-names (git-fixes) - arm64: tegra: p2597: Fix gpio for vdd-1v8-dis regulator (git-fixes) - arm64: zynqmp: add clock-output-names property in clock nodes (git-fixes) - ata: libata-scsi: Fix CDL control (git-fixes). - block: fix kobject leak in blk_unregister_queue (git-fixes). - block: mtip32xx: Fix usage of dma_map_sg() (git-fixes). - bpf: fix kfunc btf caching for modules (git-fixes). - bpf: use kvzmalloc to allocate BPF verifier environment (git-fixes). - btrfs: convert BUG_ON in btrfs_reloc_cow_block() to proper error handling (git-fixes). - btrfs: correctly escape subvol in btrfs_show_options() (git-fixes). - btrfs: fix adding block group to a reclaim list and the unused list during reclaim (git-fixes). - btrfs: fix bitmap leak when loading free space cache on duplicate entry (git-fixes). - btrfs: fix data race when accessing the inode's disk_i_size at btrfs_drop_extents() (git-fixes). - btrfs: fix the length of reserved qgroup to free (bsc#1240708) - btrfs: retry block group reclaim without infinite loop (git-fixes). - btrfs: return accurate error code on open failure in open_fs_devices() (bsc#1233120) - btrfs: run delayed iputs when flushing delalloc (git-fixes). - btrfs: update target inode's ctime on unlink (git-fixes). - cdx: Fix off-by-one error in cdx_rpmsg_probe() (git-fixes). - char: misc: Fix improper and inaccurate error code returned by misc_init() (stable-fixes). 
- comedi: Fix use of uninitialized memory in do_insn_ioctl() and do_insnlist_ioctl() (git-fixes). - comedi: Make insn_rw_emulate_bits() do insn->n samples (git-fixes). - comedi: fix race between polling and detaching (git-fixes). - comedi: pcl726: Prevent invalid irq number (git-fixes). - crypto: hisilicon/hpre - fix dma unmap sequence (stable-fixes). - crypto: jitter - fix intermediary handling (stable-fixes). - crypto: octeontx2 - add timeout for load_fvc completion poll (stable-fixes). - crypto: qat - lower priority for skcipher and aead algorithms (stable-fixes). - drm/amd/display: Add null pointer check in mod_hdcp_hdcp1_create_session() (git-fixes). - drm/amd/display: Add primary plane to commits for correct VRR handling (stable-fixes). - drm/amd/display: Adjust DCE 8-10 clock, do not overclock by 15% (git-fixes). - drm/amd/display: Avoid a NULL pointer dereference (stable-fixes). - drm/amd/display: Avoid configuring PSR granularity if PSR-SU not supported (stable-fixes). - drm/amd/display: Avoid trying AUX transactions on disconnected ports (stable-fixes). - drm/amd/display: Do not overclock DCE 6 by 15% (git-fixes). - drm/amd/display: Fill display clock and vblank time in dce110_fill_display_configs (stable-fixes). - drm/amd/display: Find first CRTC and its line time in dce110_fill_display_configs (stable-fixes). - drm/amd/display: Fix 'failed to blank crtc!' (stable-fixes). - drm/amd/display: Fix DP audio DTO1 clock source on DCE 6 (stable-fixes). - drm/amd/display: Fix fractional fb divider in set_pixel_clock_v3 (git-fixes). - drm/amd/display: Only finalize atomic_obj if it was initialized (stable-fixes). - drm/amd/display: Separate set_gsl from set_gsl_source_select (stable-fixes). - drm/amd: Allow printing VanGogh OD SCLK levels without setting dpm to manual (stable-fixes). - drm/amd: Restore cached power limit during resume (stable-fixes). - drm/amdgpu: Avoid extra evict-restore process (stable-fixes). 
- drm/amdgpu: fix incorrect vm flags to map bo (git-fixes). - drm/amdgpu: fix task hang from failed job submission during process kill (git-fixes). - drm/amdgpu: update mmhub 3.0.1 client id mappings (stable-fixes). - drm/amdkfd: Destroy KFD debugfs after destroy KFD wq (stable-fixes). - drm/dp: Change AUX DPCD probe address from DPCD_REV to LANE0_1_STATUS (stable-fixes). - drm/hisilicon/hibmc: fix the hibmc loaded failed bug (git-fixes). - drm/mediatek: Fix device/node reference count leaks in mtk_drm_get_all_drm_priv (git-fixes). - drm/msm/kms: move snapshot init earlier in KMS init (git-fixes). - drm/msm: Defer fd_install in SUBMIT ioctl (git-fixes). - drm/msm: use trylock for debugfs (stable-fixes). - drm/nouveau/disp: Always accept linear modifier (git-fixes). - drm/nouveau/nvif: Fix potential memory leak in nvif_vmm_ctor() (git-fixes). - drm/nouveau: fix error path in nvkm_gsp_fwsec_v2 (git-fixes). - drm/nouveau: fix typos in comments (git-fixes). - drm/nouveau: remove unused increment in gm200_flcn_pio_imem_wr (git-fixes). - drm/nouveau: remove unused memory target test (git-fixes). - drm/ttm: Respect the shrinker core free target (stable-fixes). - drm/ttm: Should to return the evict error (stable-fixes). - et131x: Add missing check after DMA map (stable-fixes). - exfat: add cluster chain loop check for dir (git-fixes). - fbdev: Fix vmalloc out-of-bounds write in fast_imageblit (stable-fixes). - fbdev: fix potential buffer overflow in do_register_framebuffer() (stable-fixes). - fs/mnt_idmapping.c: Return -EINVAL when no map is written (bsc#1233120) - fs/orangefs: use snprintf() instead of sprintf() (git-fixes). - gpio: mlxbf3: use platform_get_irq_optional() (git-fixes). - gpio: tps65912: check the return value of regmap_update_bits() (stable-fixes). - gpio: wcd934x: check the return value of regmap_update_bits() (stable-fixes). - hfs: fix not erasing deleted b-tree node issue (git-fixes). - hfs: fix slab-out-of-bounds in hfs_bnode_read() (git-fixes). 
- hfsplus: do not use BUG_ON() in hfsplus_create_attributes_file() (git-fixes). - hfsplus: fix slab-out-of-bounds in hfsplus_bnode_read() (git-fixes). - hfsplus: fix slab-out-of-bounds read in hfsplus_uni2asc() (git-fixes). - hwmon: (emc2305) Set initial PWM minimum value during probe based on thermal state (stable-fixes). - i2c: Force DLL0945 touchpad i2c freq to 100khz (stable-fixes). - i3c: do not fail if GETHDRCAP is unsupported (stable-fixes). - i3c: master: Initialize ret in i3c_i2c_notifier_call() (stable-fixes). - ice, irdma: fix an off by one in error handling code (bsc#1247712). - ice, irdma: move interrupts code to irdma (bsc#1247712). - ice: Fix signedness bug in ice_init_interrupt_scheme() (bsc#1247712). - ice: count combined queues using Rx/Tx count (bsc#1247712). - ice: devlink PF MSI-X max and min parameter (bsc#1247712). - ice: enable_rdma devlink param (bsc#1247712). - ice: get rid of num_lan_msix field (bsc#1247712). - ice: init flow director before RDMA (bsc#1247712). - ice: remove splitting MSI-X between features (bsc#1247712). - ice: simplify VF MSI-X managing (bsc#1247712). - ice: treat dyn_allowed only as suggestion (bsc#1247712). - iio: adc: ad7768-1: Ensure SYNC_IN pulse minimum timing requirement (stable-fixes). - iio: adc: ad_sigma_delta: do not overallocate scan buffer (stable-fixes). - iio: imu: inv_icm42600: switch timestamp type from int64_t __aligned(8) to aligned_s64 (stable-fixes). - iio: imu: inv_icm42600: use = { } instead of memset() (stable-fixes). - iio: pressure: bmp280: Use IS_ERR() in bmp280_common_probe() (git-fixes). - iio: proximity: isl29501: fix buffered read on big-endian systems (git-fixes). - integrity/platform_certs: Allow loading of keys in the static key management mode (jsc#PED-13345 jsc#PED-13343). - iosys-map: Fix undefined behavior in iosys_map_clear() (git-fixes). - ipmi: Fix strcpy source and destination the same (stable-fixes). 
- ipmi: Use dev_warn_ratelimited() for incorrect message warnings (stable-fixes). - irdma: free iwdev->rf after removing MSI-X (bsc#1247712). - jfs: Regular file corruption check (git-fixes). - jfs: truncate good inode pages when hard link is 0 (git-fixes). - jfs: upper bound check of tree index in dbAllocAG (git-fixes). - kABI: PCI/ACPI: Fix runtime PM ref imbalance on Hot-Plug Capable ports (git-fixes). - kselftest/arm64: Fix check for setting new VLs in sve-ptrace (git-fixes). - leds: leds-lp50xx: Handle reg to get correct multi_index (stable-fixes). - loop: use kiocb helpers to fix lockdep warning (git-fixes). - mISDN: hfcpci: Fix warning when deleting uninitialized timer (git-fixes). - md/md-cluster: handle REMOVE message earlier (bsc#1247057). - md/raid1,raid10: strip REQ_NOWAIT from member bios (git-fixes). - md: allow removing faulty rdev during resync (git-fixes). - md: make rdev_addable usable for rcu mode (git-fixes). - media: dvb-frontends: dib7090p: fix null-ptr-deref in dib7090p_rw_on_apb() (stable-fixes). - media: dvb-frontends: w7090p: fix null-ptr-deref in w7090p_tuner_write_serpar and w7090p_tuner_read_serpar (stable-fixes). - media: tc358743: Check I2C succeeded during probe (stable-fixes). - media: tc358743: Increase FIFO trigger level to 374 (stable-fixes). - media: tc358743: Return an appropriate colorspace from tc358743_set_fmt (stable-fixes). - media: usb: hdpvr: disable zero-length read messages (stable-fixes). - media: uvcvideo: Fix bandwidth issue for Alcor camera (stable-fixes). - media: v4l2-common: Reduce warnings about missing V4L2_CID_LINK_FREQ control (stable-fixes). - mei: bus: Check for still connected devices in mei_cl_bus_dev_release() (stable-fixes). - memstick: Fix deadlock by moving removing flag earlier (git-fixes). - mm/ptdump: take the memory hotplug lock inside ptdump_walk_pgd() (git-fixes) - mmc: rtsx_usb_sdmmc: Fix error-path in sd_set_power_mode() (stable-fixes). 
- mmc: sdhci-msm: Ensure SD card power isn't ON when card removed (stable-fixes). - mmc: sdhci-pci-gli: GL9763e: Rename the gli_set_gl9763e() for consistency (git-fixes). - most: core: Drop device reference after usage in get_channel() (git-fixes). - mptcp: fallback when MPTCP opts are dropped after 1st data (git-fixes). - mptcp: reset when MPTCP opts are dropped after join (git-fixes). - net: phy: micrel: Add ksz9131_resume() (stable-fixes). - net: phy: smsc: add proper reset flags for LAN8710A (stable-fixes). - net: thunderbolt: Enable end-to-end flow control also in transmit (stable-fixes). - net: thunderbolt: Fix the parameter passing of tb_xdomain_enable_paths()/tb_xdomain_disable_paths() (stable-fixes). - net: usb: asix_devices: Fix PHY address mask in MDIO bus initialization (git-fixes). - net: usb: asix_devices: add phy_mask for ax88772 mdio bus (git-fixes). - pNFS: Fix disk addr range check in block/scsi layout (git-fixes). - pNFS: Fix stripe mapping in block/scsi layout (git-fixes). - pNFS: Fix uninited ptr deref in block/scsi layout (git-fixes). - pNFS: Handle RPC size limit for layoutcommits (git-fixes). - phy: mscc: Fix parsing of unicast frames (git-fixes). - phy: rockchip-pcie: Properly disable TEST_WRITE strobe signal (stable-fixes). - pinctrl: STMFX: add missing HAS_IOMEM dependency (git-fixes). - pinctrl: stm32: Manage irq affinity settings (stable-fixes). - platform/chrome: cros_ec_typec: Defer probe on missing EC parent (stable-fixes). - platform/x86/amd: pmc: Add Lenovo Yoga 6 13ALC6 to pmc quirk list (stable-fixes). - pm: cpupower: Fix the snapshot-order of tsc,mperf, clock in mperf_stop() (stable-fixes). - power: supply: qcom_battmgr: Add lithium-polymer entry (stable-fixes). - powerpc/eeh: Export eeh_unfreeze_pe() (bsc#1215199). - powerpc/eeh: Make EEH driver device hotplug safe (bsc#1215199). - powerpc/eeh: Rely on dev->link_active_reporting (bsc#1215199). - powerpc/kernel: Fix ppc_save_regs inclusion in build (bsc#1215199). 
- powerpc/pseries: Correct secvar format representation for static key management (jsc#PED-13345 jsc#PED-13343). - powerpc/secvar: Expose secvars relevant to the key management mode (jsc#PED-13345 jsc#PED-13343). - powerpc: do not build ppc_save_regs.o always (bsc#1215199). - pwm: mediatek: Fix duty and period setting (git-fixes). - pwm: mediatek: Handle hardware enable and clock enable separately (stable-fixes). - reset: brcmstb: Enable reset drivers for ARCH_BCM2835 (stable-fixes). - rpm/config.sh: Update Leap project - rtc: ds1307: handle oscillator stop flag (OSF) for ds1341 (stable-fixes). - rtc: ds1307: remove clear of oscillator stop flag (OSF) in probe (stable-fixes). - samples/bpf: Fix compilation errors with cf-protection option (git-fixes). - scsi: Revert 'scsi: iscsi: Fix HW conn removal use after free' (git-fixes). - scsi: core: Fix kernel doc for scsi_track_queue_full() (git-fixes). - scsi: elx: efct: Fix dma_unmap_sg() nents value (git-fixes). - scsi: ibmvscsi_tgt: Fix dma_unmap_sg() nents value (git-fixes). - scsi: isci: Fix dma_unmap_sg() nents value (git-fixes). - scsi: mpi3mr: Fix kernel-doc issues in mpi3mr_app.c (git-fixes). - scsi: mpi3mr: Fix race between config read submit and interrupt completion (git-fixes). - scsi: mpi3mr: Serialize admin queue BAR writes on 32-bit systems (git-fixes). - scsi: mpt3sas: Fix a fw_event memory leak (git-fixes). - scsi: mvsas: Fix dma_unmap_sg() nents value (git-fixes). - scsi: sd: Make sd shutdown issue START STOP UNIT appropriately (git-fixes). - selftests/bpf: fexit_sleep: Fix stack allocation for arm64 (git-fixes). - selftests/tracing: Fix false failure of subsystem event test (git-fixes). - selftests: Fix errno checking in syscall_user_dispatch test (git-fixes). - selftests: rtnetlink.sh: remove esp4_offload after test (git-fixes). - serial: 8250: fix panic due to PSLVERR (git-fixes). - slab: Decouple slab_debug and no_hash_pointers (bsc#1249022). - smb: client: fix parsing of device numbers (git-fixes). 
- soc/tegra: pmc: Ensure power-domains are in a known state (git-fixes). - soundwire: amd: serialize amd manager resume sequence during pm_prepare (stable-fixes). - squashfs: fix memory leak in squashfs_fill_super (git-fixes). - sunrpc: fix handling of server side tls alerts (git-fixes). - sunvdc: Balance device refcount in vdc_port_mpgroup_check (git-fixes). - thermal/drivers/qcom-spmi-temp-alarm: Enable stage 2 shutdown when required (stable-fixes). - thermal: sysfs: Return ENODATA instead of EAGAIN for reads (stable-fixes). - ublk: sanity check add_dev input for underflow (git-fixes). - ublk: use vmalloc for ublk_device's __queues (git-fixes). - usb: core: config: Prevent OOB read in SS endpoint companion parsing (stable-fixes). - usb: core: hcd: fix accessing unmapped memory in SINGLE_STEP_SET_FEATURE test (git-fixes). - usb: core: usb_submit_urb: downgrade type check (stable-fixes). - usb: dwc3: Ignore late xferNotReady event to prevent halt timeout (git-fixes). - usb: dwc3: Remove WARN_ON for device endpoint command timeouts (stable-fixes). - usb: dwc3: core: Fix system suspend on TI AM62 platforms (git-fixes). - usb: dwc3: fix fault at system suspend if device was already runtime suspended (git-fixes). - usb: dwc3: pci: add support for the Intel Wildcat Lake (stable-fixes). - usb: quirks: Add DELAY_INIT quick for another SanDisk 3.2Gen1 Flash Drive (stable-fixes). - usb: renesas-xhci: Fix External ROM access timeouts (git-fixes). - usb: storage: realtek_cr: Use correct byte order for bcs->Residue (git-fixes). - usb: typec: intel_pmc_mux: Defer probe if SCU IPC isn't present (stable-fixes). - usb: typec: ucsi: psy: Set current max to 100mA for BC 1.2 and Default (stable-fixes). - usb: xhci: Avoid showing errors during surprise removal (stable-fixes). - usb: xhci: Avoid showing warnings for dying controller (stable-fixes). - usb: xhci: Fix slot_id resource race conflict (git-fixes). 
- usb: xhci: Set avg_trb_len = 8 for EP0 during Address Device Command (stable-fixes). - usb: xhci: print xhci->xhc_state when queue_command failed (stable-fixes). - vfs: Add a sysctl for automated deletion of dentry (bsc#1240890). - watchdog: dw_wdt: Fix default timeout (stable-fixes). - watchdog: iTCO_wdt: Report error if timeout configuration fails (stable-fixes). - watchdog: sbsa: Adjust keepalive timeout to avoid MediaTek WS0 race condition (stable-fixes). - wifi: ath12k: Add memset and update default rate value in wmi tx completion (stable-fixes). - wifi: ath12k: Correct tid cleanup when tid setup fails (stable-fixes). - wifi: ath12k: Decrement TID on RX peer frag setup error handling (stable-fixes). - wifi: ath12k: Enable REO queue lookup table feature on QCN9274 hw2.0 (stable-fixes). - wifi: cfg80211: Fix interface type validation (stable-fixes). - wifi: cfg80211: reject HTC bit for management frames (stable-fixes). - wifi: iwlegacy: Check rate_idx range after addition (stable-fixes). - wifi: iwlwifi: dvm: fix potential overflow in rs_fill_link_cmd() (stable-fixes). - wifi: iwlwifi: fw: Fix possible memory leak in iwl_fw_dbg_collect (stable-fixes). - wifi: iwlwifi: mvm: fix scan request validation (stable-fixes). - wifi: iwlwifi: mvm: set gtk id also in older FWs (stable-fixes). - wifi: mac80211: do not complete management TX on SAE commit (stable-fixes). - wifi: mac80211: fix rx link assignment for non-MLO stations (stable-fixes). - wifi: mac80211: update radar_required in channel context after channel switch (stable-fixes). - wifi: mt76: mt7915: mcu: re-init MCU before loading FW patch (stable-fixes). - wifi: rtlwifi: fix possible skb memory leak in _rtl_pci_init_one_rxdesc() (stable-fixes). - wifi: rtlwifi: fix possible skb memory leak in `_rtl_pci_rx_interrupt()` (stable-fixes). - wifi: rtw89: Disable deep power saving for USB/SDIO (stable-fixes). - wifi: rtw89: Fix rtw89_mac_power_switch() for USB (stable-fixes). 
- wifi: rtw89: Lower the timeout in rtw89_fw_read_c2h_reg() for USB (stable-fixes). ----------------------------------------------------------------- Advisory ID: 247 Released: Fri Sep 5 14:22:34 2025 Summary: Security update for glib2 Type: security Severity: important References: 1223880,1244596,6680,CVE-2024-34062,CVE-2025-6052 This update for glib2 fixes the following issues: - CVE-2025-6052: Fix overflow check when expanding a GString (bsc#1244596). The following package changes have been done: - SL-Micro-release-6.1-slfo.1.11.54 updated - kernel-default-6.4.0-34.1 updated - libglib-2_0-0-2.78.6-slfo.1.1_4.1 updated - libgobject-2_0-0-2.78.6-slfo.1.1_4.1 updated - libgmodule-2_0-0-2.78.6-slfo.1.1_4.1 updated - libgio-2_0-0-2.78.6-slfo.1.1_4.1 updated - glib2-tools-2.78.6-slfo.1.1_4.1 updated - container:suse-toolbox-image-1.0.0-4.67 updated From sle-container-updates at lists.suse.com Sat Sep 6 07:24:41 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Sat, 6 Sep 2025 09:24:41 +0200 (CEST) Subject: SUSE-IU-2025:2428-1: Security update of suse/sl-micro/6.1/kvm-os-container Message-ID: <20250906072441.70493F782@maintenance.suse.de> SUSE Image Update Advisory: suse/sl-micro/6.1/kvm-os-container ----------------------------------------------------------------- Image Advisory ID : SUSE-IU-2025:2428-1 Image Tags : suse/sl-micro/6.1/kvm-os-container:2.2.1 , suse/sl-micro/6.1/kvm-os-container:2.2.1-5.32 , suse/sl-micro/6.1/kvm-os-container:latest Image Release : 5.32 Severity : important Type : security References : 1012628 1213545 1215199 1221858 1222323 1223880 1230557 1230708 1233120 1240708 1240890 1242034 1242754 1244596 1244734 1244930 1245663 1245710 1245767 1245780 1245815 1245956 1245973 1245977 1246005 1246012 1246181 1246193 1247057 1247078 1247112 1247116 1247119 1247155 1247162 1247167 1247229 1247243 1247280 1247313 1247712 1247976 1248088 1248108 1248164 1248166 1248178 1248179 1248180 1248183 1248186 
1248194 1248196 1248198 1248205 1248206 1248208 1248209 1248212 1248213 1248214 1248216 1248217 1248223 1248227 1248228 1248229 1248240 1248255 1248297 1248306 1248312 1248333 1248337 1248338 1248340 1248341 1248345 1248349 1248350 1248354 1248355 1248361 1248363 1248368 1248374 1248377 1248386 1248390 1248395 1248399 1248401 1248511 1248573 1248575 1248577 1248609 1248614 1248617 1248621 1248636 1248643 1248648 1248652 1248655 1248666 1248669 1248746 1248748 1249022 6680 CVE-2023-3867 CVE-2023-4130 CVE-2023-4515 CVE-2024-26661 CVE-2024-34062 CVE-2024-46733 CVE-2024-58238 CVE-2024-58239 CVE-2025-38006 CVE-2025-38075 CVE-2025-38103 CVE-2025-38125 CVE-2025-38146 CVE-2025-38160 CVE-2025-38184 CVE-2025-38185 CVE-2025-38190 CVE-2025-38201 CVE-2025-38205 CVE-2025-38208 CVE-2025-38245 CVE-2025-38251 CVE-2025-38360 CVE-2025-38439 CVE-2025-38441 CVE-2025-38444 CVE-2025-38445 CVE-2025-38458 CVE-2025-38459 CVE-2025-38464 CVE-2025-38472 CVE-2025-38490 CVE-2025-38491 CVE-2025-38499 CVE-2025-38500 CVE-2025-38503 CVE-2025-38506 CVE-2025-38510 CVE-2025-38512 CVE-2025-38513 CVE-2025-38515 CVE-2025-38516 CVE-2025-38520 CVE-2025-38524 CVE-2025-38528 CVE-2025-38529 CVE-2025-38530 CVE-2025-38531 CVE-2025-38535 CVE-2025-38537 CVE-2025-38538 CVE-2025-38540 CVE-2025-38541 CVE-2025-38543 CVE-2025-38546 CVE-2025-38548 CVE-2025-38550 CVE-2025-38553 CVE-2025-38555 CVE-2025-38560 CVE-2025-38563 CVE-2025-38565 CVE-2025-38566 CVE-2025-38568 CVE-2025-38571 CVE-2025-38572 CVE-2025-38576 CVE-2025-38581 CVE-2025-38582 CVE-2025-38583 CVE-2025-38585 CVE-2025-38587 CVE-2025-38588 CVE-2025-38591 CVE-2025-38601 CVE-2025-38602 CVE-2025-38604 CVE-2025-38608 CVE-2025-38609 CVE-2025-38610 CVE-2025-38612 CVE-2025-38617 CVE-2025-38618 CVE-2025-38621 CVE-2025-38624 CVE-2025-38630 CVE-2025-38632 CVE-2025-38634 CVE-2025-38635 CVE-2025-38644 CVE-2025-38646 CVE-2025-38650 CVE-2025-38656 CVE-2025-38663 CVE-2025-38665 CVE-2025-38670 CVE-2025-38671 CVE-2025-6052 
----------------------------------------------------------------- The container suse/sl-micro/6.1/kvm-os-container was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: kernel-101 Released: Fri Sep 5 14:02:35 2025 Summary: Security update for the Linux Kernel Type: security Severity: important References: 1012628,1213545,1215199,1221858,1222323,1230557,1230708,1233120,1240708,1240890,1242034,1242754,1244734,1244930,1245663,1245710,1245767,1245780,1245815,1245956,1245973,1245977,1246005,1246012,1246181,1246193,1247057,1247078,1247112,1247116,1247119,1247155,1247162,1247167,1247229,1247243,1247280,1247313,1247712,1247976,1248088,1248108,1248164,1248166,1248178,1248179,1248180,1248183,1248186,1248194,1248196,1248198,1248205,1248206,1248208,1248209,1248212,1248213,1248214,1248216,1248217,1248223,1248227,1248228,1248229,1248240,1248255,1248297,1248306,1248312,1248333,1248337,1248338,1248340,1248341,1248345,1248349,1248350,1248354,1248355,1248361,1248363,1248368,1248374,1248377,1248386,1248390,1248395,1248399,1248401,1248511,1248573,1248575,1248577,1248609,1248614,1248617,1248621,1248636,1248643,1248648,1248652,1248655,1248666,1248669,1248746,1248748,1249022,CVE-2023-3867,CVE-2023-4130,CVE-2023-4515,CVE-2024-26661,CVE-2024-46733,CVE-2024-58238,CVE-2024-58239,CVE-2025-38006,
CVE-2025-38075,CVE-2025-38103,CVE-2025-38125,CVE-2025-38146,CVE-2025-38160,CVE-2025-38184,CVE-2025-38185,CVE-2025-38190,CVE-2025-38201,CVE-2025-38205,CVE-2025-38208,CVE-2025-38245,CVE-2025-38251,CVE-2025-38360,CVE-2025-38439,CVE-2025-38441,CVE-2025-38444,CVE-2025-38445,CVE-2025-38458,CVE-2025-38459,CVE-2025-38464,CVE-2025-38472,CVE-2025-38490,CVE-2025-38491,CVE-2025-38499,CVE-2025-38500,CVE-2025-38503,CVE-2025-38506,CVE-2025-38510,CVE-2025-38512,CVE-2025-38513,CVE-2025-38515,CVE-2025-38516,CVE-2025-38520,CVE-2025-38524,CVE-2025-38528,CVE-2025-38529,CVE-2025-38530,CVE-2025-38531,CVE-2025-38535,CVE-2025-38537,CVE-2025-38538,CVE-2025-38540,CVE-2025-38541,CVE-2025-38543,CVE-2025-38546,CVE-2025-38548,CVE-2025-38550,CVE-2025-38553,CVE-2025-38555,CVE-2025-38560,CVE-2025-38563,CVE-2025-38565,CVE-2025-38566,CVE-2025-38568,CVE-2025-38571,CVE-2025-38572,CVE-2025-38576,CVE-2025-38581,CVE-2025-38582,CVE-2025-38583,CVE-2025-38585,CVE-2025-38587,CVE-2025-38588,CVE-2025-38591,CVE-2025-38601,CVE-2025-38602,CVE-2025-38604,CVE-2025-38608,CVE-2025-38609,CVE-2025-38610,CVE-2025-38612,CVE-2025-38617,CVE-2025-38618,CVE-2025-38621,CVE-2025-38624,CVE-2025-38630,CVE-2025-38632,CVE-2025-38634,CVE-2025-38635,CVE-2025-38644,CVE-2025-38646,CVE-2025-38650,CVE-2025-38656,CVE-2025-38663,CVE-2025-38665,CVE-2025-38670,CVE-2025-38671 The SUSE Linux Enterprise Micro 6.0 and 6.1 kernel was updated to receive various security bugfixes. The following security bugs were fixed: - CVE-2024-46733: btrfs: fix qgroup reserve leaks in cow_file_range (bsc#1230708). - CVE-2025-38006: net: mctp: Do not access ifa_index when missing (bsc#1244930). - CVE-2025-38075: scsi: target: iscsi: Fix timeout on deleted connection (bsc#1244734). - CVE-2025-38103: HID: usbhid: Eliminate recurrent out-of-bounds bug in usbhid_parse() (bsc#1245663). - CVE-2025-38125: net: stmmac: make sure that ptp_rate is not 0 before configuring EST (bsc#1245710). - CVE-2025-38146: net: openvswitch: Fix the dead loop of MPLS parse (bsc#1245767).
- CVE-2025-38160: clk: bcm: rpi: Add NULL check in raspberrypi_clk_register() (bsc#1245780). - CVE-2025-38184: tipc: fix null-ptr-deref when acquiring remote ip of ethernet bearer (bsc#1245956). - CVE-2025-38185: atm: atmtcp: Free invalid length skb in atmtcp_c_send() (bsc#1246012). - CVE-2025-38190: atm: Revert atm_account_tx() if copy_from_iter_full() fails (bsc#1245973). - CVE-2025-38201: netfilter: nft_set_pipapo: clamp maximum map bucket size to INT_MAX (bsc#1245977). - CVE-2025-38205: drm/amd/display: Avoid divide by zero by initializing dummy pitch to 1 (bsc#1246005). - CVE-2025-38208: smb: client: add NULL check in automount_fullpath (bsc#1245815). - CVE-2025-38245: atm: Release atm_dev_mutex after removing procfs in atm_dev_deregister() (bsc#1246193). - CVE-2025-38251: atm: clip: prevent NULL deref in clip_push() (bsc#1246181). - CVE-2025-38360: drm/amd/display: Add more checks for DSC / HUBP ONO guarantees (bsc#1247078). - CVE-2025-38439: bnxt_en: Set DMA unmap len correctly for XDP_REDIRECT (bsc#1247155). - CVE-2025-38441: netfilter: flowtable: account for Ethernet header in nf_flow_pppoe_proto() (bsc#1247167). - CVE-2025-38444: raid10: cleanup memleak at raid10_make_request (bsc#1247162). - CVE-2025-38445: md/raid1: Fix stack memory use after return in raid1_reshape (bsc#1247229). - CVE-2025-38458: atm: clip: Fix NULL pointer dereference in vcc_sendmsg() (bsc#1247116). - CVE-2025-38459: atm: clip: Fix infinite recursive call of clip_push() (bsc#1247119). - CVE-2025-38464: tipc: Fix use-after-free in tipc_conn_close() (bsc#1247112). - CVE-2025-38472: netfilter: nf_conntrack: fix crash due to removal of uninitialised entry (bsc#1247313). - CVE-2025-38490: net: libwx: remove duplicate page_pool_put_full_page() (bsc#1247243). - CVE-2025-38491: mptcp: make fallback action and fallback decision atomic (bsc#1247280). - CVE-2025-38499: clone_private_mnt(): make sure that caller has CAP_SYS_ADMIN in the right userns (bsc#1247976). 
- CVE-2025-38500: xfrm: interface: fix use-after-free after changing collect_md xfrm interface (bsc#1248088). - CVE-2025-38506: KVM: Allow CPU to reschedule while setting per-page memory attributes (bsc#1248186). - CVE-2025-38520: drm/amdkfd: Do not call mmput from MMU notifier callback (bsc#1248217). - CVE-2025-38524: rxrpc: Fix recv-recv race of completed call (bsc#1248194). - CVE-2025-38528: bpf: Reject %p% format string in bprintf-like helpers (bsc#1248198). - CVE-2025-38531: iio: common: st_sensors: Fix use of uninitialize device structs (bsc#1248205). - CVE-2025-38546: atm: clip: Fix memory leak of struct clip_vcc (bsc#1248223). - CVE-2025-38560: x86/sev: Evict cache lines during SNP memory validation (bsc#1248312). - CVE-2025-38585: staging: media: atomisp: Fix stack buffer overflow in gmin_get_var_int() (bsc#1248355). - CVE-2025-38591: bpf: Reject narrower access to pointer ctx fields (bsc#1248363). - CVE-2025-38608: bpf, ktls: Fix data corruption when using bpf_msg_pop_data() in ktls (bsc#1248338). - CVE-2025-38618: vsock: Do not allow binding to VMADDR_PORT_ANY (bsc#1248511). The following non-security bugs were fixed: - ACPI: APEI: send SIGBUS to current task if synchronous memory error not recovered (stable-fixes). - ACPI: pfr_update: Fix the driver update version check (git-fixes). - ACPI: processor: fix acpi_object initialization (stable-fixes). - ACPI: processor: perflib: Move problematic pr->performance check (git-fixes). - ALSA: hda/ca0132: Fix buffer overflow in add_tuning_control (stable-fixes). - ALSA: hda/realtek: Add Framework Laptop 13 (AMD Ryzen AI 300) to quirks (stable-fixes). - ALSA: hda/realtek: Add support for HP EliteBook x360 830 G6 and EliteBook 830 G6 (stable-fixes). - ALSA: hda/realtek: Audio disappears on HP 15-fc000 after warm boot again (git-fixes). - ALSA: hda/realtek: Fix headset mic on ASUS Zenbook 14 (git-fixes). - ALSA: hda/realtek: Fix headset mic on HONOR BRB-X (stable-fixes). 
- ALSA: hda: Disable jack polling at shutdown (stable-fixes). - ALSA: hda: Handle the jack polling always via a work (stable-fixes). - ALSA: intel8x0: Fix incorrect codec index usage in mixer for ICH4 (stable-fixes). - ALSA: pcm: Rewrite recalculate_boundary() to avoid costly loop (stable-fixes). - ALSA: scarlett2: Add retry on -EPROTO from scarlett2_usb_tx() (git-fixes). - ALSA: usb-audio: Avoid precedence issues in mixer_quirks macros (stable-fixes). - ALSA: usb-audio: Fix size validation in convert_chmap_v3() (git-fixes). - ALSA: usb-audio: Use correct sub-type for UAC3 feature unit validation (git-fixes). - ALSA: usb-audio: Validate UAC3 cluster segment descriptors (git-fixes). - ALSA: usb-audio: Validate UAC3 power domain descriptors, too (git-fixes). - ASoC: Intel: avs: Fix uninitialized pointer error in probe() (stable-fixes). - ASoC: Intel: fix SND_SOC_SOF dependencies (stable-fixes). - ASoC: amd: yc: Add DMI entries to support HP 15-fb1xxx (stable-fixes). - ASoC: amd: yc: Add DMI quirk for HP Laptop 17 cp-2033dx (stable-fixes). - ASoC: amd: yc: add DMI quirk for ASUS M6501RM (stable-fixes). - ASoC: codecs: rt5640: Retry DEVICE_ID verification (stable-fixes). - ASoC: core: Check for rtd == NULL in snd_soc_remove_pcm_runtime() (stable-fixes). - ASoC: hdac_hdmi: Rate limit logging on connection and disconnection (stable-fixes). - ASoC: soc-dapm: set bias_level if snd_soc_dapm_set_bias_level() was successed (stable-fixes). - Bluetooth: btusb: Add USB ID 3625:010b for TP-LINK Archer TX10UB Nano (stable-fixes). - Bluetooth: hci_conn: do return error from hci_enhanced_setup_sync() (git-fixes). - Bluetooth: hci_event: Detect if HCI_EV_NUM_COMP_PKTS is unbalanced (git-fixes). - Bluetooth: hci_event: Mark connection as closed during suspend disconnect (git-fixes). - Bluetooth: hci_event: Treat UNKNOWN_CONN_ID on disconnect as success (git-fixes). - Bluetooth: hci_event: fix MTU for BN == 0 in CIS Established (git-fixes). 
- Bluetooth: hci_sock: Reset cookie to zero in hci_sock_free_cookie() (stable-fixes). - Bluetooth: hci_sync: fix set_local_name race condition (git-fixes). - HID: asus: fix UAF via HID_CLAIMED_INPUT validation (git-fixes). - HID: multitouch: fix slab out-of-bounds access in mt_report_fixup() (git-fixes). - Move pesign-obs-integration requirement from kernel-syms to kernel devel subpackage (bsc#1248108). - PCI/ACPI: Fix runtime PM ref imbalance on Hot-Plug Capable ports (git-fixes). - PCI/portdrv: Use is_pciehp instead of is_hotplug_bridge (git-fixes). - PCI: Add ACS quirk for Loongson PCIe (git-fixes). - PCI: Support Immediate Readiness on devices without PM capabilities (git-fixes). - PCI: apple: Fix missing OF node reference in apple_pcie_setup_port (git-fixes). - PCI: imx6: Add IMX8MM_EP and IMX8MP_EP fixed 256-byte BAR 4 in epc_features (git-fixes). - PCI: imx6: Delay link start until configfs 'start' written (git-fixes). - PCI: imx6: Remove apps_reset toggling from imx_pcie_{assert/deassert}_core_reset (git-fixes). - PCI: pnv_php: Clean up allocated IRQs on unplug (bsc#1215199). - PCI: pnv_php: Work around switches with broken presence detection (bsc#1215199). - PCI: rockchip: Set Target Link Speed to 5.0 GT/s before retraining (git-fixes). - PCI: rockchip: Use standard PCIe definitions (git-fixes). - PM / devfreq: governor: Replace sscanf() with kstrtoul() in set_freq_store() (stable-fixes). - PM: runtime: Clear power.needs_force_resume in pm_runtime_reinit() (stable-fixes). - PM: sleep: console: Fix the black screen issue (stable-fixes). - RAS/AMD/ATL: Include row bit in row retirement (bsc#1242034). - RAS/AMD/FMPM: Get masked address (bsc#1242034). - RAS/AMD/FMPM: Use atl internal.h for INVALID_SPA (bsc#1242034). 
- RDMA/bnxt_re: Fix a possible memory leak in the driver (git-fixes) - RDMA/bnxt_re: Fix to do SRQ armena by default (git-fixes) - RDMA/bnxt_re: Fix to initialize the PBL array (git-fixes) - RDMA/bnxt_re: Fix to remove workload check in SRQ limit path (git-fixes) - RDMA/core: reduce stack using in nldev_stat_get_doit() (git-fixes) - RDMA/erdma: Fix ignored return value of init_kernel_qp (git-fixes) - RDMA/hns: Fix dip entries leak on devices newer than hip09 (git-fixes) - RDMA: hfi1: fix possible divide-by-zero in find_hw_thread_mask() (git-fixes) - Revert 'gpio: mlxbf3: only get IRQ for device instance 0' (git-fixes). - USB: serial: option: add Foxconn T99W709 (stable-fixes). - USB: storage: Add unusual-devs entry for Novatek NTK96550-based camera (stable-fixes). - USB: storage: Ignore driver CD mode for Realtek multi-mode Wi-Fi dongles (stable-fixes). - aoe: defer rexmit timer downdev work to workqueue (git-fixes). - arch/powerpc: Remove .interp section in vmlinux (bsc#1215199). - arm64/cpufeatures/kvm: Add ARMv8.9 FEAT_ECBHB bits in ID_AA64MMFR1 (git-fixes) - arm64/entry: Mask DAIF in cpu_switch_to(), call_on_irq_stack() (git-fixes) - arm64/mm: Check PUD_TYPE_TABLE in pud_bad() (git-fixes) - arm64: Add support for HIP09 Spectre-BHB mitigation (git-fixes) - arm64: Filter out SME hwcaps when FEAT_SME isn't implemented (git-fixes) - arm64: Restrict pagetable teardown to avoid false warning (git-fixes) - arm64: dts: apple: t8103: Fix PCIe BCM4377 nodename (git-fixes) - arm64: dts: freescale: imx8mm-verdin: Keep LDO5 always on (git-fixes) - arm64: dts: imx8mm-beacon: Fix HS400 USDHC clock speed (git-fixes) - arm64: dts: imx8mm-beacon: Fix RTC capacitive load (git-fixes) - arm64: dts: imx8mm-venice-gw700x: Increase HS400 USDHC clock speed (git-fixes) - arm64: dts: imx8mm-venice-gw7901: Increase HS400 USDHC clock speed (git-fixes) - arm64: dts: imx8mm-venice-gw7902: Increase HS400 USDHC clock speed (git-fixes) - arm64: dts: imx8mm-venice-gw7903: Increase HS400 USDHC 
clock speed (git-fixes) - arm64: dts: imx8mm-venice-gw7904: Increase HS400 USDHC clock speed (git-fixes) - arm64: dts: imx8mn-beacon: Fix HS400 USDHC clock speed (git-fixes) - arm64: dts: imx8mn-beacon: Fix RTC capacitive load (git-fixes) - arm64: dts: imx8mn-venice-gw7902: Increase HS400 USDHC clock speed (git-fixes) - arm64: dts: imx8mp-beacon: Fix RTC capacitive load (git-fixes) - arm64: dts: rockchip: Update eMMC for NanoPi R5 series (git-fixes) - arm64: dts: rockchip: fix endpoint dtc warning for PX30 ISP (git-fixes) - arm64: tegra: Drop remaining serial clock-names and reset-names (git-fixes) - arm64: tegra: p2597: Fix gpio for vdd-1v8-dis regulator (git-fixes) - arm64: zynqmp: add clock-output-names property in clock nodes (git-fixes) - ata: libata-scsi: Fix CDL control (git-fixes). - block: fix kobject leak in blk_unregister_queue (git-fixes). - block: mtip32xx: Fix usage of dma_map_sg() (git-fixes). - bpf: fix kfunc btf caching for modules (git-fixes). - bpf: use kvzmalloc to allocate BPF verifier environment (git-fixes). - btrfs: convert BUG_ON in btrfs_reloc_cow_block() to proper error handling (git-fixes). - btrfs: correctly escape subvol in btrfs_show_options() (git-fixes). - btrfs: fix adding block group to a reclaim list and the unused list during reclaim (git-fixes). - btrfs: fix bitmap leak when loading free space cache on duplicate entry (git-fixes). - btrfs: fix data race when accessing the inode's disk_i_size at btrfs_drop_extents() (git-fixes). - btrfs: fix the length of reserved qgroup to free (bsc#1240708) - btrfs: retry block group reclaim without infinite loop (git-fixes). - btrfs: return accurate error code on open failure in open_fs_devices() (bsc#1233120) - btrfs: run delayed iputs when flushing delalloc (git-fixes). - btrfs: update target inode's ctime on unlink (git-fixes). - cdx: Fix off-by-one error in cdx_rpmsg_probe() (git-fixes). - char: misc: Fix improper and inaccurate error code returned by misc_init() (stable-fixes). 
- comedi: Fix use of uninitialized memory in do_insn_ioctl() and do_insnlist_ioctl() (git-fixes). - comedi: Make insn_rw_emulate_bits() do insn->n samples (git-fixes). - comedi: fix race between polling and detaching (git-fixes). - comedi: pcl726: Prevent invalid irq number (git-fixes). - crypto: hisilicon/hpre - fix dma unmap sequence (stable-fixes). - crypto: jitter - fix intermediary handling (stable-fixes). - crypto: octeontx2 - add timeout for load_fvc completion poll (stable-fixes). - crypto: qat - lower priority for skcipher and aead algorithms (stable-fixes). - drm/amd/display: Add null pointer check in mod_hdcp_hdcp1_create_session() (git-fixes). - drm/amd/display: Add primary plane to commits for correct VRR handling (stable-fixes). - drm/amd/display: Adjust DCE 8-10 clock, do not overclock by 15% (git-fixes). - drm/amd/display: Avoid a NULL pointer dereference (stable-fixes). - drm/amd/display: Avoid configuring PSR granularity if PSR-SU not supported (stable-fixes). - drm/amd/display: Avoid trying AUX transactions on disconnected ports (stable-fixes). - drm/amd/display: Do not overclock DCE 6 by 15% (git-fixes). - drm/amd/display: Fill display clock and vblank time in dce110_fill_display_configs (stable-fixes). - drm/amd/display: Find first CRTC and its line time in dce110_fill_display_configs (stable-fixes). - drm/amd/display: Fix 'failed to blank crtc!' (stable-fixes). - drm/amd/display: Fix DP audio DTO1 clock source on DCE 6 (stable-fixes). - drm/amd/display: Fix fractional fb divider in set_pixel_clock_v3 (git-fixes). - drm/amd/display: Only finalize atomic_obj if it was initialized (stable-fixes). - drm/amd/display: Separate set_gsl from set_gsl_source_select (stable-fixes). - drm/amd: Allow printing VanGogh OD SCLK levels without setting dpm to manual (stable-fixes). - drm/amd: Restore cached power limit during resume (stable-fixes). - drm/amdgpu: Avoid extra evict-restore process (stable-fixes). 
- drm/amdgpu: fix incorrect vm flags to map bo (git-fixes). - drm/amdgpu: fix task hang from failed job submission during process kill (git-fixes). - drm/amdgpu: update mmhub 3.0.1 client id mappings (stable-fixes). - drm/amdkfd: Destroy KFD debugfs after destroy KFD wq (stable-fixes). - drm/dp: Change AUX DPCD probe address from DPCD_REV to LANE0_1_STATUS (stable-fixes). - drm/hisilicon/hibmc: fix the hibmc loaded failed bug (git-fixes). - drm/mediatek: Fix device/node reference count leaks in mtk_drm_get_all_drm_priv (git-fixes). - drm/msm/kms: move snapshot init earlier in KMS init (git-fixes). - drm/msm: Defer fd_install in SUBMIT ioctl (git-fixes). - drm/msm: use trylock for debugfs (stable-fixes). - drm/nouveau/disp: Always accept linear modifier (git-fixes). - drm/nouveau/nvif: Fix potential memory leak in nvif_vmm_ctor() (git-fixes). - drm/nouveau: fix error path in nvkm_gsp_fwsec_v2 (git-fixes). - drm/nouveau: fix typos in comments (git-fixes). - drm/nouveau: remove unused increment in gm200_flcn_pio_imem_wr (git-fixes). - drm/nouveau: remove unused memory target test (git-fixes). - drm/ttm: Respect the shrinker core free target (stable-fixes). - drm/ttm: Should to return the evict error (stable-fixes). - et131x: Add missing check after DMA map (stable-fixes). - exfat: add cluster chain loop check for dir (git-fixes). - fbdev: Fix vmalloc out-of-bounds write in fast_imageblit (stable-fixes). - fbdev: fix potential buffer overflow in do_register_framebuffer() (stable-fixes). - fs/mnt_idmapping.c: Return -EINVAL when no map is written (bsc#1233120) - fs/orangefs: use snprintf() instead of sprintf() (git-fixes). - gpio: mlxbf3: use platform_get_irq_optional() (git-fixes). - gpio: tps65912: check the return value of regmap_update_bits() (stable-fixes). - gpio: wcd934x: check the return value of regmap_update_bits() (stable-fixes). - hfs: fix not erasing deleted b-tree node issue (git-fixes). - hfs: fix slab-out-of-bounds in hfs_bnode_read() (git-fixes). 
- hfsplus: do not use BUG_ON() in hfsplus_create_attributes_file() (git-fixes). - hfsplus: fix slab-out-of-bounds in hfsplus_bnode_read() (git-fixes). - hfsplus: fix slab-out-of-bounds read in hfsplus_uni2asc() (git-fixes). - hwmon: (emc2305) Set initial PWM minimum value during probe based on thermal state (stable-fixes). - i2c: Force DLL0945 touchpad i2c freq to 100khz (stable-fixes). - i3c: do not fail if GETHDRCAP is unsupported (stable-fixes). - i3c: master: Initialize ret in i3c_i2c_notifier_call() (stable-fixes). - ice, irdma: fix an off by one in error handling code (bsc#1247712). - ice, irdma: move interrupts code to irdma (bsc#1247712). - ice: Fix signedness bug in ice_init_interrupt_scheme() (bsc#1247712). - ice: count combined queues using Rx/Tx count (bsc#1247712). - ice: devlink PF MSI-X max and min parameter (bsc#1247712). - ice: enable_rdma devlink param (bsc#1247712). - ice: get rid of num_lan_msix field (bsc#1247712). - ice: init flow director before RDMA (bsc#1247712). - ice: remove splitting MSI-X between features (bsc#1247712). - ice: simplify VF MSI-X managing (bsc#1247712). - ice: treat dyn_allowed only as suggestion (bsc#1247712). - iio: adc: ad7768-1: Ensure SYNC_IN pulse minimum timing requirement (stable-fixes). - iio: adc: ad_sigma_delta: do not overallocate scan buffer (stable-fixes). - iio: imu: inv_icm42600: switch timestamp type from int64_t __aligned(8) to aligned_s64 (stable-fixes). - iio: imu: inv_icm42600: use = { } instead of memset() (stable-fixes). - iio: pressure: bmp280: Use IS_ERR() in bmp280_common_probe() (git-fixes). - iio: proximity: isl29501: fix buffered read on big-endian systems (git-fixes). - integrity/platform_certs: Allow loading of keys in the static key management mode (jsc#PED-13345 jsc#PED-13343). - iosys-map: Fix undefined behavior in iosys_map_clear() (git-fixes). - ipmi: Fix strcpy source and destination the same (stable-fixes). 
- ipmi: Use dev_warn_ratelimited() for incorrect message warnings (stable-fixes). - irdma: free iwdev->rf after removing MSI-X (bsc#1247712). - jfs: Regular file corruption check (git-fixes). - jfs: truncate good inode pages when hard link is 0 (git-fixes). - jfs: upper bound check of tree index in dbAllocAG (git-fixes). - kABI: PCI/ACPI: Fix runtime PM ref imbalance on Hot-Plug Capable ports (git-fixes). - kselftest/arm64: Fix check for setting new VLs in sve-ptrace (git-fixes). - leds: leds-lp50xx: Handle reg to get correct multi_index (stable-fixes). - loop: use kiocb helpers to fix lockdep warning (git-fixes). - mISDN: hfcpci: Fix warning when deleting uninitialized timer (git-fixes). - md/md-cluster: handle REMOVE message earlier (bsc#1247057). - md/raid1,raid10: strip REQ_NOWAIT from member bios (git-fixes). - md: allow removing faulty rdev during resync (git-fixes). - md: make rdev_addable usable for rcu mode (git-fixes). - media: dvb-frontends: dib7090p: fix null-ptr-deref in dib7090p_rw_on_apb() (stable-fixes). - media: dvb-frontends: w7090p: fix null-ptr-deref in w7090p_tuner_write_serpar and w7090p_tuner_read_serpar (stable-fixes). - media: tc358743: Check I2C succeeded during probe (stable-fixes). - media: tc358743: Increase FIFO trigger level to 374 (stable-fixes). - media: tc358743: Return an appropriate colorspace from tc358743_set_fmt (stable-fixes). - media: usb: hdpvr: disable zero-length read messages (stable-fixes). - media: uvcvideo: Fix bandwidth issue for Alcor camera (stable-fixes). - media: v4l2-common: Reduce warnings about missing V4L2_CID_LINK_FREQ control (stable-fixes). - mei: bus: Check for still connected devices in mei_cl_bus_dev_release() (stable-fixes). - memstick: Fix deadlock by moving removing flag earlier (git-fixes). - mm/ptdump: take the memory hotplug lock inside ptdump_walk_pgd() (git-fixes) - mmc: rtsx_usb_sdmmc: Fix error-path in sd_set_power_mode() (stable-fixes). 
- mmc: sdhci-msm: Ensure SD card power isn't ON when card removed (stable-fixes). - mmc: sdhci-pci-gli: GL9763e: Rename the gli_set_gl9763e() for consistency (git-fixes). - most: core: Drop device reference after usage in get_channel() (git-fixes). - mptcp: fallback when MPTCP opts are dropped after 1st data (git-fixes). - mptcp: reset when MPTCP opts are dropped after join (git-fixes). - net: phy: micrel: Add ksz9131_resume() (stable-fixes). - net: phy: smsc: add proper reset flags for LAN8710A (stable-fixes). - net: thunderbolt: Enable end-to-end flow control also in transmit (stable-fixes). - net: thunderbolt: Fix the parameter passing of tb_xdomain_enable_paths()/tb_xdomain_disable_paths() (stable-fixes). - net: usb: asix_devices: Fix PHY address mask in MDIO bus initialization (git-fixes). - net: usb: asix_devices: add phy_mask for ax88772 mdio bus (git-fixes). - pNFS: Fix disk addr range check in block/scsi layout (git-fixes). - pNFS: Fix stripe mapping in block/scsi layout (git-fixes). - pNFS: Fix uninited ptr deref in block/scsi layout (git-fixes). - pNFS: Handle RPC size limit for layoutcommits (git-fixes). - phy: mscc: Fix parsing of unicast frames (git-fixes). - phy: rockchip-pcie: Properly disable TEST_WRITE strobe signal (stable-fixes). - pinctrl: STMFX: add missing HAS_IOMEM dependency (git-fixes). - pinctrl: stm32: Manage irq affinity settings (stable-fixes). - platform/chrome: cros_ec_typec: Defer probe on missing EC parent (stable-fixes). - platform/x86/amd: pmc: Add Lenovo Yoga 6 13ALC6 to pmc quirk list (stable-fixes). - pm: cpupower: Fix the snapshot-order of tsc,mperf, clock in mperf_stop() (stable-fixes). - power: supply: qcom_battmgr: Add lithium-polymer entry (stable-fixes). - powerpc/eeh: Export eeh_unfreeze_pe() (bsc#1215199). - powerpc/eeh: Make EEH driver device hotplug safe (bsc#1215199). - powerpc/eeh: Rely on dev->link_active_reporting (bsc#1215199). - powerpc/kernel: Fix ppc_save_regs inclusion in build (bsc#1215199). 
- powerpc/pseries: Correct secvar format representation for static key management (jsc#PED-13345 jsc#PED-13343). - powerpc/secvar: Expose secvars relevant to the key management mode (jsc#PED-13345 jsc#PED-13343). - powerpc: do not build ppc_save_regs.o always (bsc#1215199). - pwm: mediatek: Fix duty and period setting (git-fixes). - pwm: mediatek: Handle hardware enable and clock enable separately (stable-fixes). - reset: brcmstb: Enable reset drivers for ARCH_BCM2835 (stable-fixes). - rpm/config.sh: Update Leap project - rtc: ds1307: handle oscillator stop flag (OSF) for ds1341 (stable-fixes). - rtc: ds1307: remove clear of oscillator stop flag (OSF) in probe (stable-fixes). - samples/bpf: Fix compilation errors with cf-protection option (git-fixes). - scsi: Revert 'scsi: iscsi: Fix HW conn removal use after free' (git-fixes). - scsi: core: Fix kernel doc for scsi_track_queue_full() (git-fixes). - scsi: elx: efct: Fix dma_unmap_sg() nents value (git-fixes). - scsi: ibmvscsi_tgt: Fix dma_unmap_sg() nents value (git-fixes). - scsi: isci: Fix dma_unmap_sg() nents value (git-fixes). - scsi: mpi3mr: Fix kernel-doc issues in mpi3mr_app.c (git-fixes). - scsi: mpi3mr: Fix race between config read submit and interrupt completion (git-fixes). - scsi: mpi3mr: Serialize admin queue BAR writes on 32-bit systems (git-fixes). - scsi: mpt3sas: Fix a fw_event memory leak (git-fixes). - scsi: mvsas: Fix dma_unmap_sg() nents value (git-fixes). - scsi: sd: Make sd shutdown issue START STOP UNIT appropriately (git-fixes). - selftests/bpf: fexit_sleep: Fix stack allocation for arm64 (git-fixes). - selftests/tracing: Fix false failure of subsystem event test (git-fixes). - selftests: Fix errno checking in syscall_user_dispatch test (git-fixes). - selftests: rtnetlink.sh: remove esp4_offload after test (git-fixes). - serial: 8250: fix panic due to PSLVERR (git-fixes). - slab: Decouple slab_debug and no_hash_pointers (bsc#1249022). - smb: client: fix parsing of device numbers (git-fixes). 
- soc/tegra: pmc: Ensure power-domains are in a known state (git-fixes). - soundwire: amd: serialize amd manager resume sequence during pm_prepare (stable-fixes). - squashfs: fix memory leak in squashfs_fill_super (git-fixes). - sunrpc: fix handling of server side tls alerts (git-fixes). - sunvdc: Balance device refcount in vdc_port_mpgroup_check (git-fixes). - thermal/drivers/qcom-spmi-temp-alarm: Enable stage 2 shutdown when required (stable-fixes). - thermal: sysfs: Return ENODATA instead of EAGAIN for reads (stable-fixes). - ublk: sanity check add_dev input for underflow (git-fixes). - ublk: use vmalloc for ublk_device's __queues (git-fixes). - usb: core: config: Prevent OOB read in SS endpoint companion parsing (stable-fixes). - usb: core: hcd: fix accessing unmapped memory in SINGLE_STEP_SET_FEATURE test (git-fixes). - usb: core: usb_submit_urb: downgrade type check (stable-fixes). - usb: dwc3: Ignore late xferNotReady event to prevent halt timeout (git-fixes). - usb: dwc3: Remove WARN_ON for device endpoint command timeouts (stable-fixes). - usb: dwc3: core: Fix system suspend on TI AM62 platforms (git-fixes). - usb: dwc3: fix fault at system suspend if device was already runtime suspended (git-fixes). - usb: dwc3: pci: add support for the Intel Wildcat Lake (stable-fixes). - usb: quirks: Add DELAY_INIT quick for another SanDisk 3.2Gen1 Flash Drive (stable-fixes). - usb: renesas-xhci: Fix External ROM access timeouts (git-fixes). - usb: storage: realtek_cr: Use correct byte order for bcs->Residue (git-fixes). - usb: typec: intel_pmc_mux: Defer probe if SCU IPC isn't present (stable-fixes). - usb: typec: ucsi: psy: Set current max to 100mA for BC 1.2 and Default (stable-fixes). - usb: xhci: Avoid showing errors during surprise removal (stable-fixes). - usb: xhci: Avoid showing warnings for dying controller (stable-fixes). - usb: xhci: Fix slot_id resource race conflict (git-fixes). 
- usb: xhci: Set avg_trb_len = 8 for EP0 during Address Device Command (stable-fixes). - usb: xhci: print xhci->xhc_state when queue_command failed (stable-fixes). - vfs: Add a sysctl for automated deletion of dentry (bsc#1240890). - watchdog: dw_wdt: Fix default timeout (stable-fixes). - watchdog: iTCO_wdt: Report error if timeout configuration fails (stable-fixes). - watchdog: sbsa: Adjust keepalive timeout to avoid MediaTek WS0 race condition (stable-fixes). - wifi: ath12k: Add memset and update default rate value in wmi tx completion (stable-fixes). - wifi: ath12k: Correct tid cleanup when tid setup fails (stable-fixes). - wifi: ath12k: Decrement TID on RX peer frag setup error handling (stable-fixes). - wifi: ath12k: Enable REO queue lookup table feature on QCN9274 hw2.0 (stable-fixes). - wifi: cfg80211: Fix interface type validation (stable-fixes). - wifi: cfg80211: reject HTC bit for management frames (stable-fixes). - wifi: iwlegacy: Check rate_idx range after addition (stable-fixes). - wifi: iwlwifi: dvm: fix potential overflow in rs_fill_link_cmd() (stable-fixes). - wifi: iwlwifi: fw: Fix possible memory leak in iwl_fw_dbg_collect (stable-fixes). - wifi: iwlwifi: mvm: fix scan request validation (stable-fixes). - wifi: iwlwifi: mvm: set gtk id also in older FWs (stable-fixes). - wifi: mac80211: do not complete management TX on SAE commit (stable-fixes). - wifi: mac80211: fix rx link assignment for non-MLO stations (stable-fixes). - wifi: mac80211: update radar_required in channel context after channel switch (stable-fixes). - wifi: mt76: mt7915: mcu: re-init MCU before loading FW patch (stable-fixes). - wifi: rtlwifi: fix possible skb memory leak in _rtl_pci_init_one_rxdesc() (stable-fixes). - wifi: rtlwifi: fix possible skb memory leak in `_rtl_pci_rx_interrupt()` (stable-fixes). - wifi: rtw89: Disable deep power saving for USB/SDIO (stable-fixes). - wifi: rtw89: Fix rtw89_mac_power_switch() for USB (stable-fixes). 
- wifi: rtw89: Lower the timeout in rtw89_fw_read_c2h_reg() for USB (stable-fixes). ----------------------------------------------------------------- Advisory ID: 247 Released: Fri Sep 5 14:22:34 2025 Summary: Security update for glib2 Type: security Severity: important References: 1223880,1244596,6680,CVE-2024-34062,CVE-2025-6052 This update for glib2 fixes the following issues: - CVE-2025-6052: Fix overflow check when expanding a GString (bsc#1244596). The following package changes have been done: - SL-Micro-release-6.1-slfo.1.11.54 updated - kernel-default-base-6.4.0-34.1.21.11 updated - libglib-2_0-0-2.78.6-slfo.1.1_4.1 updated - libgobject-2_0-0-2.78.6-slfo.1.1_4.1 updated - libgmodule-2_0-0-2.78.6-slfo.1.1_4.1 updated - libgio-2_0-0-2.78.6-slfo.1.1_4.1 updated - glib2-tools-2.78.6-slfo.1.1_4.1 updated - container:SL-Micro-base-container-2.2.1-5.29 updated From sle-container-updates at lists.suse.com Sat Sep 6 07:08:52 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Sat, 6 Sep 2025 09:08:52 +0200 (CEST) Subject: SUSE-IU-2025:2421-1: Recommended update of suse/sle-micro/5.5 Message-ID: <20250906070852.666EBF783@maintenance.suse.de> SUSE Image Update Advisory: suse/sle-micro/5.5 ----------------------------------------------------------------- Image Advisory ID : SUSE-IU-2025:2421-1 Image Tags : suse/sle-micro/5.5:2.0.4 , suse/sle-micro/5.5:2.0.4-5.5.367 , suse/sle-micro/5.5:latest Image Release : 5.5.367 Severity : important Type : recommended References : 1224400 1240950 ----------------------------------------------------------------- The container suse/sle-micro/5.5 was updated. 
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:3083-1 Released: Fri Sep 5 11:02:28 2025 Summary: Recommended update for suse-module-tools Type: recommended Severity: important References: 1224400,1240950 This update for suse-module-tools fixes the following issues: - Version update 15.5.7: - Add blacklist entry for reiserfs (jsc#PED-6167). - Add more modules to file system blacklist (jsc#PED-6167). - Add hfsplus to file system blacklist (bsc#1240950, jsc#PED-12632). - udevrules: activate CPUs on hotplug for s390 (bsc#1224400). The following package changes have been done: - suse-module-tools-15.5.7-150500.3.15.3 updated - container:suse-sle-micro-base-5.5-latest-2.0.4-5.8.204 updated From sle-container-updates at lists.suse.com Sat Sep 6 07:18:48 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Sat, 6 Sep 2025 09:18:48 +0200 (CEST) Subject: SUSE-IU-2025:2422-1: Security update of suse/sl-micro/6.0/baremetal-os-container Message-ID: <20250906071848.C4512F782@maintenance.suse.de> SUSE Image Update Advisory: suse/sl-micro/6.0/baremetal-os-container ----------------------------------------------------------------- Image Advisory ID : SUSE-IU-2025:2422-1 Image Tags : suse/sl-micro/6.0/baremetal-os-container:2.1.3 , suse/sl-micro/6.0/baremetal-os-container:2.1.3-6.81 , suse/sl-micro/6.0/baremetal-os-container:latest Image Release : 6.81 Severity : moderate Type : security References : 1244116 CVE-2025-48060 ----------------------------------------------------------------- The container suse/sl-micro/6.0/baremetal-os-container was updated. 
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: 446 Released: Fri Sep 5 14:57:05 2025 Summary: Security update for jq Type: security Severity: moderate References: 1244116,CVE-2025-48060 This update for jq fixes the following issues: - CVE-2025-48060: Fixed stack-buffer-overflow in jq_fuzz_execute (jv_string_vfmt) (bsc#1244116). The following package changes have been done: - libjq1-1.6-5.1 updated - jq-1.6-5.1 updated - container:SL-Micro-base-container-2.1.3-7.50 updated From sle-container-updates at lists.suse.com Sat Sep 6 07:25:21 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Sat, 6 Sep 2025 09:25:21 +0200 (CEST) Subject: SUSE-IU-2025:2429-1: Security update of suse/sl-micro/6.1/rt-os-container Message-ID: <20250906072521.DA485F782@maintenance.suse.de> SUSE Image Update Advisory: suse/sl-micro/6.1/rt-os-container ----------------------------------------------------------------- Image Advisory ID : SUSE-IU-2025:2429-1 Image Tags : suse/sl-micro/6.1/rt-os-container:2.2.1 , suse/sl-micro/6.1/rt-os-container:2.2.1-5.17 , suse/sl-micro/6.1/rt-os-container:latest Image Release : 5.17 Severity : important Type : security References : 1223880 1244596 6680 CVE-2024-34062 CVE-2025-6052 ----------------------------------------------------------------- The container suse/sl-micro/6.1/rt-os-container was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: 247 Released: Fri Sep 5 14:22:34 2025 Summary: Security update for glib2 Type: security Severity: important References: 1223880,1244596,6680,CVE-2024-34062,CVE-2025-6052 This update for glib2 fixes the following issues: - CVE-2025-6052: Fix overflow check when expanding a GString (bsc#1244596). 
The following package changes have been done: - SL-Micro-release-6.1-slfo.1.11.54 updated - libglib-2_0-0-2.78.6-slfo.1.1_4.1 updated - libgobject-2_0-0-2.78.6-slfo.1.1_4.1 updated - libgmodule-2_0-0-2.78.6-slfo.1.1_4.1 updated - libgio-2_0-0-2.78.6-slfo.1.1_4.1 updated - glib2-tools-2.78.6-slfo.1.1_4.1 updated - container:SL-Micro-container-2.2.1-7.5 updated From sle-container-updates at lists.suse.com Sat Sep 6 07:23:17 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Sat, 6 Sep 2025 09:23:17 +0200 (CEST) Subject: SUSE-IU-2025:2426-1: Security update of suse/sl-micro/6.1/baremetal-os-container Message-ID: <20250906072317.EA354F782@maintenance.suse.de> SUSE Image Update Advisory: suse/sl-micro/6.1/baremetal-os-container ----------------------------------------------------------------- Image Advisory ID : SUSE-IU-2025:2426-1 Image Tags : suse/sl-micro/6.1/baremetal-os-container:2.2.1 , suse/sl-micro/6.1/baremetal-os-container:2.2.1-7.5 , suse/sl-micro/6.1/baremetal-os-container:latest Image Release : 7.5 Severity : important Type : security References : 1223880 1244596 1245573 6680 CVE-2024-13484 CVE-2024-1725 CVE-2024-34062 CVE-2024-52812 CVE-2024-57603 CVE-2024-57604 CVE-2025-0426 CVE-2025-1243 CVE-2025-1293 CVE-2025-1296 CVE-2025-1412 CVE-2025-20051 CVE-2025-22870 CVE-2025-22952 CVE-2025-23387 CVE-2025-23388 CVE-2025-23389 CVE-2025-24016 CVE-2025-24371 CVE-2025-24526 CVE-2025-24806 CVE-2025-24976 CVE-2025-25196 CVE-2025-25199 CVE-2025-25204 CVE-2025-25279 CVE-2025-25294 CVE-2025-26260 CVE-2025-27088 CVE-2025-27090 CVE-2025-27100 CVE-2025-27112 CVE-2025-27144 CVE-2025-27155 CVE-2025-27403 CVE-2025-27414 CVE-2025-27421 CVE-2025-27507 CVE-2025-27509 CVE-2025-27616 CVE-2025-6052 CVE-2025-6297 ----------------------------------------------------------------- The container suse/sl-micro/6.1/baremetal-os-container was updated. 
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: 249 Released: Fri Sep 5 14:14:12 2025 Summary: Security update for dpkg Type: security Severity: moderate References: 1245573,CVE-2024-13484,CVE-2024-1725,CVE-2024-52812,CVE-2024-57603,CVE-2024-57604,CVE-2025-0426,CVE-2025-1243,CVE-2025-1293,CVE-2025-1296,CVE-2025-1412,CVE-2025-20051,CVE-2025-22870,CVE-2025-22952,CVE-2025-23387,CVE-2025-23388,CVE-2025-23389,CVE-2025-24016,CVE-2025-24371,CVE-2025-24526,CVE-2025-24806,CVE-2025-24976,CVE-2025-25196,CVE-2025-25199,CVE-2025-25204,CVE-2025-25279,CVE-2025-25294,CVE-2025-26260,CVE-2025-27088,CVE-2025-27090,CVE-2025-27100,CVE-2025-27112,CVE-2025-27144,CVE-2025-27155,CVE-2025-27403,CVE-2025-27414,CVE-2025-27421,CVE-2025-27507,CVE-2025-27509,CVE-2025-27616,CVE-2025-6297 This update for dpkg fixes the following issues: - CVE-2025-6297: Fixed cleanup for control member with restricted directories (bsc#1245573). ----------------------------------------------------------------- Advisory ID: 247 Released: Fri Sep 5 14:22:34 2025 Summary: Security update for glib2 Type: security Severity: important References: 1223880,1244596,6680,CVE-2024-34062,CVE-2025-6052 This update for glib2 fixes the following issues: - CVE-2025-6052: Fix overflow check when expanding a GString (bsc#1244596). 
The following package changes have been done: - SL-Micro-release-6.1-slfo.1.11.54 updated - libglib-2_0-0-2.78.6-slfo.1.1_4.1 updated - libgobject-2_0-0-2.78.6-slfo.1.1_4.1 updated - libgmodule-2_0-0-2.78.6-slfo.1.1_4.1 updated - libgio-2_0-0-2.78.6-slfo.1.1_4.1 updated - glib2-tools-2.78.6-slfo.1.1_4.1 updated - update-alternatives-1.22.0-slfo.1.1_2.1 updated - container:SL-Micro-base-container-2.2.1-5.29 updated From sle-container-updates at lists.suse.com Tue Sep 9 07:04:09 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Tue, 9 Sep 2025 09:04:09 +0200 (CEST) Subject: SUSE-CU-2025:6754-1: Security update of rancher/elemental-operator Message-ID: <20250909070409.3A4CFF783@maintenance.suse.de> SUSE Container Update Advisory: rancher/elemental-operator ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:6754-1 Container Tags : rancher/elemental-operator:1.6.9 , rancher/elemental-operator:1.6.9-8.36 , rancher/elemental-operator:latest Container Release : 8.36 Severity : moderate Type : security References : 1243767 CVE-2025-5278 ----------------------------------------------------------------- The container rancher/elemental-operator was updated. 
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: 405 Released: Thu Jul 31 11:41:53 2025 Summary: Security update for coreutils Type: security Severity: moderate References: 1243767,CVE-2025-5278 This update for coreutils fixes the following issues: - CVE-2025-5278: Fixed heap buffer under-read leading to a crash or leak sensitive data (bsc#1243767) The following package changes have been done: - compat-usrmerge-tools-84.87-3.1 updated - elemental-operator-1.6.9-1.1 updated - system-user-root-20190513-2.208 updated - filesystem-84.87-5.2 updated - glibc-2.38-9.1 updated - libtasn1-6-4.19.0-4.1 updated - libpcre2-8-0-10.42-2.179 updated - libgmp10-6.3.0-1.119 updated - libgcc_s1-13.3.0+git8781-2.1 updated - libffi8-3.4.4-3.1 updated - libcap2-2.69-2.83 updated - libattr1-2.5.1-3.1 updated - libacl1-2.3.1-3.1 updated - libselinux1-3.5-3.1 updated - libstdc++6-13.3.0+git8781-2.1 updated - libp11-kit0-0.25.3-1.6 updated - libncurses6-6.4.20240224-10.2 updated - terminfo-base-6.4.20240224-10.2 updated - p11-kit-0.25.3-1.6 updated - p11-kit-tools-0.25.3-1.6 updated - libreadline8-8.2-2.180 updated - bash-5.2.15-3.1 updated - bash-sh-5.2.15-3.1 updated - coreutils-9.4-5.1 updated - ca-certificates-2+git20230406.2dae8b7-3.1 updated - ca-certificates-mozilla-2.74-1.1 updated - container:suse-toolbox-image-1.0.0-9.31 updated From sle-container-updates at lists.suse.com Tue Sep 9 07:04:19 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Tue, 9 Sep 2025 09:04:19 +0200 (CEST) Subject: SUSE-CU-2025:6755-1: Security update of rancher/seedimage-builder Message-ID: <20250909070419.53F6BF783@maintenance.suse.de> SUSE Container Update Advisory: rancher/seedimage-builder ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:6755-1 Container Tags : rancher/seedimage-builder:1.6.9 , 
rancher/seedimage-builder:1.6.9-8.43 , rancher/seedimage-builder:latest Container Release : 8.43 Severity : important Type : security References : 1216091 1218459 1221107 1229163 1229164 1233606 1233608 1233609 1233610 1233612 1233613 1233614 1233615 1233616 1233617 1234958 1234959 1236136 1236136 1236177 1236316 1236317 1237002 1237006 1237008 1237009 1237010 1237011 1237012 1237013 1237014 1237496 1239674 1240366 1240414 1241052 1241190 1242827 1242938 1242971 1242987 1243226 1243767 1243935 1244079 1244509 1244554 1244555 1244557 1244580 1244700 1245309 1245310 1245311 1245312 1245314 1245317 1246296 1247074 CVE-2024-13176 CVE-2024-13176 CVE-2024-2236 CVE-2024-45774 CVE-2024-45775 CVE-2024-45776 CVE-2024-45777 CVE-2024-45778 CVE-2024-45779 CVE-2024-45780 CVE-2024-45781 CVE-2024-45782 CVE-2024-45783 CVE-2024-49504 CVE-2024-56737 CVE-2024-56738 CVE-2025-0622 CVE-2025-0624 CVE-2025-0677 CVE-2025-0678 CVE-2025-0684 CVE-2025-0685 CVE-2025-0686 CVE-2025-0689 CVE-2025-0690 CVE-2025-1118 CVE-2025-1125 CVE-2025-27587 CVE-2025-31115 CVE-2025-40909 CVE-2025-4382 CVE-2025-4598 CVE-2025-4598 CVE-2025-4877 CVE-2025-4878 CVE-2025-49794 CVE-2025-49795 CVE-2025-49796 CVE-2025-5278 CVE-2025-5318 CVE-2025-5351 CVE-2025-5372 CVE-2025-5987 CVE-2025-6018 CVE-2025-6020 CVE-2025-6021 CVE-2025-6170 CVE-2025-7425 ----------------------------------------------------------------- The container rancher/seedimage-builder was updated. 
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: 352 Released: Thu Jun 12 09:16:56 2025 Summary: Security update for systemd Type: security Severity: moderate References: 1236177,1237496,1241190,1242938,CVE-2025-4598 This update for systemd fixes the following issues: - coredump: use %d in kernel core pattern (CVE-2025-4598) - Revert 'macro: terminate the temporary VA_ARGS_FOREACH() array with a sentinel' (SUSE specific) - umount: do not move busy network mounts (bsc#1236177) - man/pstore.conf: pstore.conf template is not always installed in /etc - man: coredump.conf template is not always installed in /etc (bsc#1237496) - Don't write messages sent from users with UID falling into the container UID range to the system journal. Daemons in the container don't talk to the outside journald as they talk to the inner one directly, which does its journal splitting based on shifted uids. (bsc#1242938) - This re-adds back the support for the persistent net name rules as well as their generator since predictable naming scheme is still disabled by default on Micro (via the `net.ifnames=0` boot option). 
(bsc#1241190) ----------------------------------------------------------------- Advisory ID: 353 Released: Fri Jun 13 13:05:04 2025 Summary: Security update for openssl-3 Type: security Severity: moderate References: 1236136,1240366,CVE-2024-13176,CVE-2025-27587 This update for openssl-3 fixes the following issues: - CVE-2025-27587: Fixed Minerva side channel vulnerability in P-384 on PPC arch (bsc#1240366) - CVE-2024-13176: Fixed timing side-channel in the ECDSA signature computation (bsc#1236136) ----------------------------------------------------------------- Advisory ID: 361 Released: Thu Jun 19 10:49:31 2025 Summary: Security update for pam Type: security Severity: important References: 1244509,CVE-2025-6020 This update for pam fixes the following issues: - CVE-2025-6020: pam_namespace: convert functions that may operate on a user-controlled path to operate on file descriptors instead of absolute path. And keep the bind-mount protection from protect_mount() as a defense in depth measure. 
(bsc#1244509) ----------------------------------------------------------------- Advisory ID: 372 Released: Tue Jul 1 13:42:56 2025 Summary: Security update for perl Type: security Severity: moderate References: 1244079,CVE-2025-40909 This update for perl fixes the following issues: - CVE-2025-40909: Fixed a working directory race condition causing file operations to target unintended paths (bsc#1244079) ----------------------------------------------------------------- Advisory ID: 373 Released: Thu Jul 3 12:28:04 2025 Summary: Security update for openssl-3 Type: security Severity: moderate References: 1236136,CVE-2024-13176 This update for openssl-3 fixes the following issues: - CVE-2024-13176: Fixed timing side-channel in the ECDSA signature computation (bsc#1236136) ----------------------------------------------------------------- Advisory ID: 375 Released: Fri Jul 4 16:18:40 2025 Summary: Recommended update for gptfdisk Type: recommended Severity: moderate References: 1242987 This update for gptfdisk fixes the following issues: - Fixed boot failure with qcow and vmdk images (bsc#1242987) ----------------------------------------------------------------- Advisory ID: 381 Released: Fri Jul 11 11:20:30 2025 Summary: Security update for libgcrypt Type: security Severity: moderate References: 1221107,CVE-2024-2236 This update for libgcrypt fixes the following issues: - CVE-2024-2236: Fixed timing based side-channel in RSA implementation (bsc#1221107) ----------------------------------------------------------------- Advisory ID: 388 Released: Mon Jul 21 11:01:26 2025 Summary: Recommended update for rpm Type: recommended Severity: important References: 1216091,1218459,1241052 This update for rpm fixes the following issues: - fix --runposttrans not working correctly with the --root option [bsc#1216091] * added 'rpm_fixed_runposttrans' provides for libzypp - print scriptlet messages in --runposttrans * needed to fix leaking tmp files [bsc#1218459] - fix memory leak in 
str2locale [bsc#1241052] ----------------------------------------------------------------- Advisory ID: 399 Released: Tue Jul 29 10:20:21 2025 Summary: Security update for grub2 Type: security Severity: important References: 1229163,1229164,1233606,1233608,1233609,1233610,1233612,1233613,1233614,1233615,1233616,1233617,1234958,1236316,1236317,1237002,1237006,1237008,1237009,1237010,1237011,1237012,1237013,1237014,1239674,1242971,CVE-2024-45774,CVE-2024-45775,CVE-2024-45776,CVE-2024-45777,CVE-2024-45778,CVE-2024-45779,CVE-2024-45780,CVE-2024-45781,CVE-2024-45782,CVE-2024-45783,CVE-2024-49504,CVE-2024-56737,CVE-2025-0622,CVE-2025-0624,CVE-2025-0677,CVE-2025-0678,CVE-2025-0684,CVE-2025-0685,CVE-2025-0686,CVE-2025-0689,CVE-2025-0690,CVE-2025-1118,CVE-2025-1125,CVE-2025-4382 This update for grub2 fixes the following issues: - CVE-2025-4382: Fixed TPM auto-decryption data exposure (bsc#1242971) - Filter out the non-subvolume btrfs mount points when creating the relative path (bsc#1239674) - CVE-2024-45781: Fixed ufs strcpy overflow (bsc#1233617) - CVE-2024-56737: Fixed heap-based buffer overflow in fs/hfs.c via crafted sblock data in an HFS filesystem (bsc#1234958) - CVE-2024-45782: Fixed hfs strcpy overflow (bsc#1233615) - CVE-2024-45780: Fixed overflow in tar/cpio(bsc#1233614) - CVE-2024-45783: Fixed hfsplus refcount overflow (bsc#1233616) - CVE-2025-0624: Fixed out-of-bounds write in grub_net_search_config_file() (bsc#1236316) - CVE-2024-45774: Fixed heap overflows in JPEG parser (bsc#1233609) - CVE-2024-45775: Fixed missing NULL check in extcmd parser (bsc#1233610) - CVE-2025-0622: Fixed command/gpg: Use-after-free due to hooks not being removed on module unload (bsc#1236317) - CVE-2024-45776: Fixed overflow in .MO file (gettext) handling (bsc#1233612) - CVE-2024-45777: Fixed integer overflow in gettext (bsc#1233613) - CVE-2025-0690: Fixed integer overflow in read that may lead to out-of-bounds write (bsc#1237012) - CVE-2025-1118: Fixed commands/dump: The dump 
command is not in lockdown when secure boot is enabled (bsc#1237013) - CVE-2024-45778: Fixed bfs filesystem not fuzzing stable (bsc#1233606) - CVE-2024-45779: Fixed bfs heap overflow (bsc#1233608) - CVE-2025-0677: Fixed integer overflow that may lead to heap based out-of-bounds write when handling symlinks in ufs (bsc#1237002) - CVE-2025-0684: Fixed reiserfs: Integer overflow when handling symlinks may lead to heap based out-of-bounds write when reading data (bsc#1237008) - CVE-2025-0685: Fixed jfs: Integer overflow when handling symlinks may lead to heap based out-of-bounds write when reading data (bsc#1237009) - CVE-2025-0686: Fixed romfs: Integer overflow when handling symlinks may lead to heap based out-of-bounds write when reading data (bsc#1237010) - CVE-2025-0689: Fixed udf: Heap based buffer overflow in grub_udf_read_block() may lead to arbitrary code execution (bsc#1237011) - CVE-2025-1125: Fixed fs/hfs: Integer overflow may lead to heap based out-of-bounds write (bsc#1237014) - CVE-2025-0678: Fixed squash4: Integer overflow may lead to heap based out-of-bounds write when reading data (bsc#1237006) - Bump upstream SBAT generation to 5 to block older grub2 versions. - CVE-2024-49504: Fixed Bypassing TPM-bound disk encryption on SL(E)M encrypted Images (bsc#1229163) (bsc#1229164) - Restrict CLI access if the encrypted root device is automatically unlocked by the TPM. LUKS password authentication is required for access to be granted - Obsolete, as CLI access is now locked and granted access no longer requires the previous restrictions ----------------------------------------------------------------- Advisory ID: 401 Released: Tue Jul 29 16:09:33 2025 Summary: Security update for pam-config Type: security Severity: important References: 1243226,CVE-2025-6018 This update for pam-config fixes the following issues: - CVE-2025-6018: Stop adding pam_env in AUTH stack, and be sure to put this module at the very end of the SESSION stack. 
(bsc#1243226) ----------------------------------------------------------------- Advisory ID: 405 Released: Thu Jul 31 11:41:53 2025 Summary: Security update for coreutils Type: security Severity: moderate References: 1243767,CVE-2025-5278 This update for coreutils fixes the following issues: - CVE-2025-5278: Fixed heap buffer under-read leading to a crash or leak sensitive data (bsc#1243767) ----------------------------------------------------------------- Advisory ID: 412 Released: Fri Aug 8 12:14:29 2025 Summary: Security update for xz Type: security Severity: important References: 1240414,CVE-2025-31115 This update for xz fixes the following issues: - CVE-2025-31115: Fixed heap use after free and writing to an address based on the null pointer plus an offset (bsc#1240414) ----------------------------------------------------------------- Advisory ID: 416 Released: Tue Aug 12 16:05:24 2025 Summary: Security update for systemd Type: security Severity: moderate References: 1242827,1243935,1247074,CVE-2025-4598 This update for systemd fixes the following issues: - Remove the script used to help migrating the language and locale settings located in /etc/sysconfig/language on old systems to the systemd default locations (bsc#1247074) The script was introduced more than 7 years ago and all systems running TW should have been migrated since then. Moreover the installer supports the systemd default locations since approximately SLE15. - triggers.systemd: skip update of hwdb, journal-catalog if executed during an offline update. 
- logs-show: get timestamp and boot ID only when necessary (bsc#1242827) - sd-journal: drop to use Hashmap to manage journal files per boot ID - tree-wide: set SD_JOURNAL_ASSUME_IMMUTABLE where appropriate - sd-journal: introduce SD_JOURNAL_ASSUME_IMMUTABLE flag - sd-journal: make journal_file_read_tail_timestamp() notify to the caller that some new journal entries added - sd-journal: cache last entry offset and journal file state - sd-journal: fix typo in function name - coredump: use %d in kernel core pattern (bsc#1243935 CVE-2025-4598) ----------------------------------------------------------------- Advisory ID: 419 Released: Thu Aug 14 11:26:49 2025 Summary: Security update for libssh Type: security Severity: important References: 1245309,1245310,1245311,1245312,1245314,1245317,CVE-2025-4877,CVE-2025-4878,CVE-2025-5318,CVE-2025-5351,CVE-2025-5372,CVE-2025-5987 This update for libssh fixes the following issues: - CVE-2025-5372: ssh_kdf() returns a success code on certain failures (bsc#1245314) - CVE-2025-5987: Invalid return code for chacha20 poly1305 with OpenSSL backend (bsc#1245317) - CVE-2025-4877: Write beyond bounds in binary to base64 conversion functions (bsc#1245309) - CVE-2025-4878: Use of uninitialized variable in privatekey_from_file() (bsc#1245310) - CVE-2025-5318: Likely read beyond bounds in sftp server handle management (bsc#1245311) - CVE-2025-5351: Double free in functions exporting keys (bsc#1245312) ----------------------------------------------------------------- Advisory ID: 429 Released: Thu Aug 21 10:01:26 2025 Summary: Security update for libxml2 Type: security Severity: important References: 1244554,1244555,1244557,1244580,1244700,1246296,CVE-2025-49794,CVE-2025-49795,CVE-2025-49796,CVE-2025-6021,CVE-2025-6170,CVE-2025-7425 This update for libxml2 fixes the following issues: - CVE-2025-6021: Integer Overflow in xmlBuildQName() Leads to Stack Buffer Overflow in libxml2 [bsc#1244580] - CVE-2025-6170: stack buffer overflow may lead to a 
crash [bsc#1244700] - CVE-2025-7425: Heap Use-After-Free in libxslt caused by atype corruption in xmlAttrPtr [bsc#1246296] - CVE-2025-49794: heap use after free (UAF) can lead to Denial of service (DoS) [bsc#1244554] - CVE-2025-49795: null pointer dereference may lead to Denial of service (DoS) [bsc#1244555] - CVE-2025-49796: type confusion may lead to Denial of service (DoS) [bsc#1244557] ----------------------------------------------------------------- Advisory ID: 445 Released: Fri Sep 5 14:57:04 2025 Summary: Security update for grub2 Type: security Severity: moderate References: 1234959,CVE-2024-56738 This update for grub2 fixes the following issues: - CVE-2024-56738: Side-channel attack due to not constant-time algorithm in grub_crypto_memcmp (bsc#1234959). The following package changes have been done: - boost-license1_84_0-1.84.0-1.4 updated - btrfsprogs-udev-rules-6.1.3-6.19 updated - compat-usrmerge-tools-84.87-3.1 updated - crypto-policies-20230920.570ea89-1.50 updated - elemental-httpfy-1.6.9-1.1 updated - elemental-seedimage-hooks-1.6.9-1.1 updated - file-magic-5.44-4.151 added - kbd-legacy-2.6.4-1.3 added - libsemanage-conf-3.5-3.1 updated - libssh-config-0.10.6-2.1 updated - pkgconf-m4-1.8.0-2.205 updated - system-user-root-20190513-2.208 updated - filesystem-84.87-5.2 updated - glibc-2.38-9.1 updated - libzstd1-1.5.5-8.142 updated - libz1-1.2.13-6.138 updated - libxxhash0-0.8.1-2.194 updated - libverto1-0.3.2-12.5 updated - libuuid1-2.39.3-3.1 updated - liburcu8-0.14.0-2.8 updated - libunistring5-1.1-3.1 updated - libtextstyle0-0.21.1-6.1 updated - libtasn1-6-4.19.0-4.1 updated - libsmartcols1-2.39.3-3.1 updated - libsepol2-3.5-3.1 updated - libseccomp2-2.5.4-3.1 updated - libsasl2-3-2.1.28-5.7 updated - libpopt0-1.19-2.184 updated - libpkgconf3-1.8.0-2.205 updated - libpcre2-8-0-10.42-2.179 updated - libparted-fs-resize0-3.5-2.11 updated - libnss_usrfiles2-2.27-3.1 updated - libnghttp2-14-1.52.0-5.1 updated - liblzo2-2-2.10-3.1 updated - 
liblzma5-5.4.3-5.1 updated - liblz4-1-1.9.4-4.1 updated - liblua5_4-5-5.4.6-1.68 updated - libkeyutils1-1.6.3-3.1 updated - libjson-c5-0.16-3.1 updated - libjitterentropy3-3.4.1-3.1 updated - libip4tc2-1.8.9-4.1 updated - libgpg-error0-1.47-4.136 updated - libgmp10-6.3.0-1.119 updated - libgcc_s1-13.3.0+git8781-2.1 updated - libfuse2-2.9.9-3.1 updated - libffi8-3.4.4-3.1 updated - libexpat1-2.7.1-1.1 updated - libeconf0-0.6.1-1.13 updated - libcrypt1-4.4.36-1.134 updated - libcom_err2-1.47.0-3.1 updated - libcap2-2.69-2.83 updated - libcap-ng0-0.8.3-4.1 updated - libbz2-1-1.0.8-3.1 updated - libburn4-1.5.4-1.9 updated - libbtrfsutil1-6.1.3-6.19 updated - libbtrfs0-6.1.3-6.19 updated - libbrotlicommon1-1.1.0-1.6 updated - libblkid1-2.39.3-3.1 updated - libaudit1-3.0.9-4.1 updated - libattr1-2.5.1-3.1 updated - libargon2-1-20190702-3.1 updated - libalternatives1-1.2+30.a5431e9-3.1 updated - libaio1-0.3.113-3.1 updated - libacl1-2.3.1-3.1 updated - fillup-1.42-3.1 updated - dosfstools-4.2-2.9 updated - diffutils-3.10-2.101 updated - libpng16-16-1.6.43-1.1 updated - libidn2-0-2.3.4-3.1 updated - pkgconf-1.8.0-2.205 updated - libselinux1-3.5-3.1 updated - netcfg-11.6-4.42 updated - libxml2-2-2.11.6-10.1 updated - squashfs-4.6.1-3.7 updated - libgcrypt20-1.10.3-2.1 updated - libstdc++6-13.3.0+git8781-2.1 updated - libp11-kit0-0.25.3-1.6 updated - perl-base-5.38.2-4.1 updated - libext2fs2-1.47.0-3.1 updated - libudev1-254.27-1.1 updated - chkstat-1600_20240206-1.8 updated - libzio1-1.08-3.1 updated - libmagic1-5.44-4.151 added - libjte2-1.22-1.8 updated - libbrotlidec1-1.1.0-1.6 updated - libfdisk1-2.39.3-3.1 updated - alts-1.2+30.a5431e9-3.1 updated - libpsl5-0.21.2-3.1 updated - sed-4.9-2.9 updated - libsubid4-4.15.1-1.1 updated - libsemanage2-3.5-3.1 updated - libmount1-2.39.3-3.1 updated - findutils-4.9.0-4.1 updated - libsystemd0-254.27-1.1 updated - libncurses6-6.4.20240224-10.2 updated - terminfo-base-6.4.20240224-10.2 updated - libinih0-56-3.1 updated - 
libboost_thread1_84_0-1.84.0-1.4 updated - p11-kit-0.25.3-1.6 updated - p11-kit-tools-0.25.3-1.6 updated - libisofs6-1.5.4-1.9 updated - libfreetype6-2.13.3-1.1 updated - ncurses-utils-6.4.20240224-10.2 updated - libreadline8-8.2-2.180 updated - libedit0-20210910.3.1-9.169 updated - gptfdisk-1.0.9-4.1 updated - libisoburn1-1.5.4-1.9 updated - bash-5.2.15-3.1 updated - bash-sh-5.2.15-3.1 updated - xz-5.4.3-5.1 updated - systemd-default-settings-branding-openSUSE-0.7-2.4 updated - systemd-default-settings-0.7-2.4 updated - pkgconf-pkg-config-1.8.0-2.205 updated - login_defs-4.15.1-1.1 updated - libdevmapper1_03-2.03.22_1.02.196-1.8 updated - gzip-1.13-1.50 updated - grep-3.11-4.8 updated - gettext-runtime-0.21.1-6.1 updated - coreutils-9.4-5.1 updated - ALP-dummy-release-0.1-8.67 updated - libparted2-3.5-2.11 updated - libdevmapper-event1_03-2.03.22_1.02.196-1.8 updated - info-7.0.3-4.1 updated - xfsprogs-6.5.0-1.9 updated - thin-provisioning-tools-0.9.0-2.10 updated - systemd-rpm-macros-24-1.205 updated - systemd-presets-common-SUSE-15-5.1 updated - rpm-config-SUSE-20240214-1.1 updated - rpm-4.18.0-7.1 updated - permissions-config-1600_20240206-1.8 updated - glibc-locale-base-2.38-9.1 updated - e2fsprogs-1.47.0-3.1 updated - ca-certificates-2+git20230406.2dae8b7-3.1 updated - ca-certificates-mozilla-2.74-1.1 updated - btrfsprogs-6.1.3-6.19 updated - parted-3.5-2.11 updated - liblvm2cmd2_03-2.03.22-1.8 updated - xorriso-1.5.4-1.9 updated - device-mapper-2.03.22_1.02.196-1.8 updated - systemd-presets-branding-ALP-transactional-20230214-3.1 updated - permissions-1600_20240206-1.8 updated - mtools-4.0.43-4.9 updated - libopenssl3-3.1.4-9.1 updated - pam-1.6.0-5.1 updated - grub2-2.12~rc1-7.1 updated - grub2-i386-pc-2.12~rc1-7.1 updated - suse-module-tools-16.0.43-1.1 updated - kmod-30-10.56 updated - rsync-3.2.7-4.1 updated - libldap2-2.6.4-4.12 updated - libkmod2-30-10.56 updated - libcryptsetup12-2.6.1-4.13 updated - krb5-1.20.1-6.1 updated - util-linux-2.39.3-3.1 
updated - shadow-4.15.1-1.1 updated - pam-config-2.11-2.1 updated - kbd-2.6.4-1.3 updated - libssh4-0.10.6-2.1 updated - libsnapper7-0.10.5-2.10 updated - aaa_base-84.87+git20230815.cab7b44-1.8 updated - libcurl4-8.6.0-6.1 updated - dbus-1-daemon-1.14.10-1.11 updated - curl-8.6.0-6.1 updated - dbus-1-tools-1.14.10-1.11 updated - systemd-254.27-1.1 updated - sysuser-shadow-3.1-2.197 updated - dbus-1-common-1.14.10-1.11 updated - libdbus-1-3-1.14.10-1.11 updated - dbus-1-1.14.10-1.11 updated - system-group-kvm-20170617-2.197 updated - system-group-hardware-20170617-2.197 updated - udev-254.27-1.1 updated - snapper-0.10.5-2.10 updated - lvm2-2.03.22-1.8 updated - elemental-toolkit-2.1.3-1.1 updated - container:suse-toolbox-image-1.0.0-9.31 updated From sle-container-updates at lists.suse.com Tue Sep 9 07:05:19 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Tue, 9 Sep 2025 09:05:19 +0200 (CEST) Subject: SUSE-IU-2025:2434-1: Security update of suse/sl-micro/6.0/baremetal-os-container Message-ID: <20250909070519.1EAC6F783@maintenance.suse.de> SUSE Image Update Advisory: suse/sl-micro/6.0/baremetal-os-container ----------------------------------------------------------------- Image Advisory ID : SUSE-IU-2025:2434-1 Image Tags : suse/sl-micro/6.0/baremetal-os-container:2.1.3 , suse/sl-micro/6.0/baremetal-os-container:2.1.3-6.82 , suse/sl-micro/6.0/baremetal-os-container:latest Image Release : 6.82 Severity : critical Type : security References : 1245320 CVE-2025-6032 ----------------------------------------------------------------- The container suse/sl-micro/6.0/baremetal-os-container was updated. 
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: 451 Released: Mon Sep 8 15:37:03 2025 Summary: Security update for podman Type: security Severity: critical References: 1245320,CVE-2025-6032 This update for podman fixes the following issues: - CVE-2025-6032: Machine init command fails to verify TLS certificate when downloading VM images from an OCI registry (bsc#1245320). The following package changes have been done: - SL-Micro-release-6.0-25.46 updated - podman-4.9.5-7.1 updated - container:SL-Micro-base-container-2.1.3-7.51 updated From sle-container-updates at lists.suse.com Tue Sep 9 07:14:13 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Tue, 9 Sep 2025 09:14:13 +0200 (CEST) Subject: SUSE-CU-2025:6759-1: Recommended update of suse/hpc/warewulf4-x86_64/sle-hpc-node Message-ID: <20250909071413.40DECF782@maintenance.suse.de> SUSE Container Update Advisory: suse/hpc/warewulf4-x86_64/sle-hpc-node ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:6759-1 Container Tags : suse/hpc/warewulf4-x86_64/sle-hpc-node:15.6 , suse/hpc/warewulf4-x86_64/sle-hpc-node:15.6.17.8.105 , suse/hpc/warewulf4-x86_64/sle-hpc-node:latest Container Release : 17.8.105 Severity : moderate Type : recommended References : 1244553 1244553 1246835 1246835 1246852 ----------------------------------------------------------------- The container suse/hpc/warewulf4-x86_64/sle-hpc-node was updated. 
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:3066-1 Released: Thu Sep 4 08:37:17 2025 Summary: Recommended update for systemd-presets-branding-SLE Type: recommended Severity: moderate References: 1244553,1246835 This update for systemd-presets-branding-SLE fixes the following issues: - Enable sysstat_collect.timer and sysstat_summary.timer (bsc#1244553, bsc#1246835). - Modified default SLE presets. ----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:3072-1 Released: Thu Sep 4 09:20:43 2025 Summary: Recommended update for sysstat Type: recommended Severity: moderate References: 1244553,1246835,1246852 This update for sysstat fixes the following issues: - Renaming services to allow preset in systemd-presets-branding-SLE to work (bsc#1244553, bsc#1246835). - Fix argument order of find (bsc#1246852). - Fix systemd timers that are not enabled after upgrade (bsc#1244553). - deleted 90-sysstat.preset file, not needed anymore. 
The following package changes have been done: - sysstat-12.0.2-150000.3.48.3 updated - systemd-presets-branding-SLE-15.1-150600.35.3.1 updated From sle-container-updates at lists.suse.com Tue Sep 9 07:14:14 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Tue, 9 Sep 2025 09:14:14 +0200 (CEST) Subject: SUSE-CU-2025:6760-1: Recommended update of suse/hpc/warewulf4-x86_64/sle-hpc-node Message-ID: <20250909071414.60E89F783@maintenance.suse.de> SUSE Container Update Advisory: suse/hpc/warewulf4-x86_64/sle-hpc-node ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:6760-1 Container Tags : suse/hpc/warewulf4-x86_64/sle-hpc-node:15.6 , suse/hpc/warewulf4-x86_64/sle-hpc-node:15.6.17.8.106 , suse/hpc/warewulf4-x86_64/sle-hpc-node:latest Container Release : 17.8.106 Severity : low Type : recommended References : 1246113 ----------------------------------------------------------------- The container suse/hpc/warewulf4-x86_64/sle-hpc-node was updated. 
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-OU-2025:3094-1 Released: Mon Sep 8 11:46:41 2025 Summary: Optional update for NetworkManager Type: optional Severity: low References: 1246113 This update for NetworkManager fixes the following issue: - Add NetworkManager-wwan to SLE-Module-Desktop-Applications_15-SP7 (bsc#1246113) The following package changes have been done: - NetworkManager-1.44.2-150600.3.4.1 updated - libnm0-1.44.2-150600.3.4.1 updated From sle-container-updates at lists.suse.com Wed Sep 10 07:04:10 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Wed, 10 Sep 2025 09:04:10 +0200 (CEST) Subject: SUSE-IU-2025:2438-1: Security update of suse/sl-micro/6.1/baremetal-os-container Message-ID: <20250910070410.9C839F783@maintenance.suse.de> SUSE Image Update Advisory: suse/sl-micro/6.1/baremetal-os-container ----------------------------------------------------------------- Image Advisory ID : SUSE-IU-2025:2438-1 Image Tags : suse/sl-micro/6.1/baremetal-os-container:2.2.1 , suse/sl-micro/6.1/baremetal-os-container:2.2.1-7.6 , suse/sl-micro/6.1/baremetal-os-container:latest Image Release : 7.6 Severity : important Type : security References : 1243397 1243706 1243933 1246197 1246597 CVE-2025-4947 CVE-2025-5025 CVE-2025-5399 CVE-2025-6965 ----------------------------------------------------------------- The container suse/sl-micro/6.1/baremetal-os-container was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: 253 Released: Tue Sep 9 12:20:07 2025 Summary: Security update for sqlite3 Type: security Severity: important References: 1246597,CVE-2025-6965 This update for sqlite3 fixes the following issues: - CVE-2025-6965: Fixed integer truncation (bsc#1246597). 
----------------------------------------------------------------- Advisory ID: 254 Released: Tue Sep 9 12:22:04 2025 Summary: Security update for curl Type: security Severity: important References: 1243397,1243706,1243933,1246197,CVE-2025-4947,CVE-2025-5025,CVE-2025-5399 This update for curl fixes the following issues: - CVE-2025-5399: libcurl can possibly get trapped in an endless busy-loop when processing specially crafted packets (bsc#1243933). - CVE-2025-5025: No QUIC certificate pinning with wolfSSL (bsc#1243706). - CVE-2025-4947: QUIC certificate check skip with wolfSSL (bsc#1243397). Other bugfixes: - Fix the --ftp-pasv option in curl v8.14.1 (bsc#1246197). The following package changes have been done: - SL-Micro-release-6.1-slfo.1.11.55 updated - libsqlite3-0-3.50.2-slfo.1.1_1.1 updated - libcurl4-8.14.1-slfo.1.1_1.1 updated - container:SL-Micro-base-container-2.2.1-5.30 updated From sle-container-updates at lists.suse.com Wed Sep 10 07:04:45 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Wed, 10 Sep 2025 09:04:45 +0200 (CEST) Subject: SUSE-IU-2025:2439-1: Security update of suse/sl-micro/6.1/base-os-container Message-ID: <20250910070445.A11FEF783@maintenance.suse.de> SUSE Image Update Advisory: suse/sl-micro/6.1/base-os-container ----------------------------------------------------------------- Image Advisory ID : SUSE-IU-2025:2439-1 Image Tags : suse/sl-micro/6.1/base-os-container:2.2.1 , suse/sl-micro/6.1/base-os-container:2.2.1-5.30 , suse/sl-micro/6.1/base-os-container:latest Image Release : 5.30 Severity : important Type : security References : 1243397 1243706 1243933 1246197 1246597 CVE-2025-4947 CVE-2025-5025 CVE-2025-5399 CVE-2025-6965 ----------------------------------------------------------------- The container suse/sl-micro/6.1/base-os-container was updated. 
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: 253 Released: Tue Sep 9 12:20:07 2025 Summary: Security update for sqlite3 Type: security Severity: important References: 1246597,CVE-2025-6965 This update for sqlite3 fixes the following issues: - CVE-2025-6965: Fixed integer truncation (bsc#1246597). ----------------------------------------------------------------- Advisory ID: 254 Released: Tue Sep 9 12:22:04 2025 Summary: Security update for curl Type: security Severity: important References: 1243397,1243706,1243933,1246197,CVE-2025-4947,CVE-2025-5025,CVE-2025-5399 This update for curl fixes the following issues: - CVE-2025-5399: libcurl can possibly get trapped in an endless busy-loop when processing specially crafted packets (bsc#1243933). - CVE-2025-5025: No QUIC certificate pinning with wolfSSL (bsc#1243706). - CVE-2025-4947: QUIC certificate check skip with wolfSSL (bsc#1243397). Other bugfixes: - Fix the --ftp-pasv option in curl v8.14.1 (bsc#1246197). 
The following package changes have been done: - SL-Micro-release-6.1-slfo.1.11.55 updated - libsqlite3-0-3.50.2-slfo.1.1_1.1 updated - libcurl4-8.14.1-slfo.1.1_1.1 updated - curl-8.14.1-slfo.1.1_1.1 updated - container:suse-toolbox-image-1.0.0-4.68 updated From sle-container-updates at lists.suse.com Wed Sep 10 07:05:22 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Wed, 10 Sep 2025 09:05:22 +0200 (CEST) Subject: SUSE-IU-2025:2440-1: Security update of suse/sl-micro/6.1/kvm-os-container Message-ID: <20250910070522.5C313F783@maintenance.suse.de> SUSE Image Update Advisory: suse/sl-micro/6.1/kvm-os-container ----------------------------------------------------------------- Image Advisory ID : SUSE-IU-2025:2440-1 Image Tags : suse/sl-micro/6.1/kvm-os-container:2.2.1 , suse/sl-micro/6.1/kvm-os-container:2.2.1-5.33 , suse/sl-micro/6.1/kvm-os-container:latest Image Release : 5.33 Severity : important Type : security References : 1243397 1243706 1243933 1246197 1246597 CVE-2025-4947 CVE-2025-5025 CVE-2025-5399 CVE-2025-6965 ----------------------------------------------------------------- The container suse/sl-micro/6.1/kvm-os-container was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: 253 Released: Tue Sep 9 12:20:07 2025 Summary: Security update for sqlite3 Type: security Severity: important References: 1246597,CVE-2025-6965 This update for sqlite3 fixes the following issues: - CVE-2025-6965: Fixed integer truncation (bsc#1246597). 
----------------------------------------------------------------- Advisory ID: 254 Released: Tue Sep 9 12:22:04 2025 Summary: Security update for curl Type: security Severity: important References: 1243397,1243706,1243933,1246197,CVE-2025-4947,CVE-2025-5025,CVE-2025-5399 This update for curl fixes the following issues: - CVE-2025-5399: libcurl can possibly get trapped in an endless busy-loop when processing specially crafted packets (bsc#1243933). - CVE-2025-5025: No QUIC certificate pinning with wolfSSL (bsc#1243706). - CVE-2025-4947: QUIC certificate check skip with wolfSSL (bsc#1243397). Other bugfixes: - Fix the --ftp-pasv option in curl v8.14.1 (bsc#1246197). The following package changes have been done: - SL-Micro-release-6.1-slfo.1.11.55 updated - libsqlite3-0-3.50.2-slfo.1.1_1.1 updated - libcurl4-8.14.1-slfo.1.1_1.1 updated - container:SL-Micro-base-container-2.2.1-5.30 updated From sle-container-updates at lists.suse.com Wed Sep 10 07:05:58 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Wed, 10 Sep 2025 09:05:58 +0200 (CEST) Subject: SUSE-IU-2025:2441-1: Security update of suse/sl-micro/6.1/rt-os-container Message-ID: <20250910070558.D4200F783@maintenance.suse.de> SUSE Image Update Advisory: suse/sl-micro/6.1/rt-os-container ----------------------------------------------------------------- Image Advisory ID : SUSE-IU-2025:2441-1 Image Tags : suse/sl-micro/6.1/rt-os-container:2.2.1 , suse/sl-micro/6.1/rt-os-container:2.2.1-5.18 , suse/sl-micro/6.1/rt-os-container:latest Image Release : 5.18 Severity : important Type : security References : 1243397 1243706 1243933 1246197 1246597 CVE-2025-4947 CVE-2025-5025 CVE-2025-5399 CVE-2025-6965 ----------------------------------------------------------------- The container suse/sl-micro/6.1/rt-os-container was updated. 
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: 253 Released: Tue Sep 9 12:20:07 2025 Summary: Security update for sqlite3 Type: security Severity: important References: 1246597,CVE-2025-6965 This update for sqlite3 fixes the following issues: - CVE-2025-6965: Fixed integer truncation (bsc#1246597). ----------------------------------------------------------------- Advisory ID: 254 Released: Tue Sep 9 12:22:04 2025 Summary: Security update for curl Type: security Severity: important References: 1243397,1243706,1243933,1246197,CVE-2025-4947,CVE-2025-5025,CVE-2025-5399 This update for curl fixes the following issues: - CVE-2025-5399: libcurl can possibly get trapped in an endless busy-loop when processing specially crafted packets (bsc#1243933). - CVE-2025-5025: No QUIC certificate pinning with wolfSSL (bsc#1243706). - CVE-2025-4947: QUIC certificate check skip with wolfSSL (bsc#1243397). Other bugfixes: - Fix the --ftp-pasv option in curl v8.14.1 (bsc#1246197). 
The following package changes have been done: - SL-Micro-release-6.1-slfo.1.11.55 updated - libsqlite3-0-3.50.2-slfo.1.1_1.1 updated - libcurl4-8.14.1-slfo.1.1_1.1 updated - container:SL-Micro-container-2.2.1-7.6 updated From sle-container-updates at lists.suse.com Thu Sep 11 07:08:16 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Thu, 11 Sep 2025 09:08:16 +0200 (CEST) Subject: SUSE-CU-2025:6765-1: Security update of bci/golang Message-ID: <20250911070816.D4931F783@maintenance.suse.de> SUSE Container Update Advisory: bci/golang ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:6765-1 Container Tags : bci/golang:1.23-openssl , bci/golang:1.23.12-openssl , bci/golang:1.23.12-openssl-73.15 , bci/golang:oldstable-openssl , bci/golang:oldstable-openssl-73.15 Container Release : 73.15 Severity : important Type : security References : 1229122 1236045 1236046 1236801 1238572 1240550 1244156 1244157 1246118 1247719 1247720 1247816 CVE-2024-45336 CVE-2024-45341 CVE-2025-0913 CVE-2025-22866 CVE-2025-22870 CVE-2025-22871 CVE-2025-4673 CVE-2025-4674 CVE-2025-47906 CVE-2025-47907 ----------------------------------------------------------------- The container bci/golang was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:3159-1 Released: Thu Sep 11 05:05:01 2025 Summary: Security update for go1.23-openssl Type: security Severity: important References: 1229122,1236045,1236046,1236801,1238572,1240550,1244156,1244157,1246118,1247719,1247720,1247816,CVE-2024-45336,CVE-2024-45341,CVE-2025-0913,CVE-2025-22866,CVE-2025-22870,CVE-2025-22871,CVE-2025-4673,CVE-2025-4674,CVE-2025-47906,CVE-2025-47907 This update for go1.23-openssl fixes the following issues: Update to version 1.23.12 cut from the go1.23-fips-release branch at the revision tagged go1.23.12-1-openssl-fips. 
(jsc#SLE-18320) * Rebase to 1.23.12 * Fix HKDF-Extract The latest OpenSSL in c9s/c10s requires nil salt to be passed as a hash length buffer of zeros. Packaging improvements: * Update go_bootstrap_version to go1.21 from go1.20 to shorten the bootstrap chain. go1.21 can optionally be bootstrapped with gccgo and serve as the initial version of go1.x. * Refs boo#1247816 bootstrap go1.21 with gccgo go1.23.12 (released 2025-08-06) includes security fixes to the database/sql and os/exec packages, as well as bug fixes to the runtime. CVE-2025-47906 CVE-2025-47907: * go#74803 go#74466 boo#1247719 security: fix CVE-2025-47906 os/exec: LookPath bug: incorrect expansion of '', '.' and '..' in some PATH configurations * go#74832 go#74831 boo#1247720 security: fix CVE-2025-47907 database/sql: incorrect results returned from Rows.Scan * go#74415 runtime: use-after-free of allpSnapshot in findRunnable * go#74693 runtime: segfaults in runtime.(*unwinder).next * go#74721 cmd/go: TestScript/build_trimpath_cgo fails to decode dwarf on release-branch.go1.23 * go#74726 cmd/cgo/internal/testsanitizers: failures with signal: segmentation fault or exit status 66 go1.23.11 (released 2025-07-08) includes security fixes to the go command, as well as bug fixes to the compiler, the linker, and the runtime. 
CVE-2025-4674: * go#74382 go#74380 boo#1246118 security: fix CVE-2025-4674 cmd/go: disable support for multiple vcs in one module * go#73907 runtime: bad frame pointer during panic during duffcopy * go#74289 runtime: heap mspan limit is set too late, causing data race between span allocation and conservative scanning * go#74293 internal/trace: stress tests triggering suspected deadlock in tracer * go#74362 runtime/pprof: crash 'cannot read stack of running goroutine' in goroutine profile * go#74402 cmd/link: duplicated definition of symbol github.com/ebitengine/purego.syscall15XABI0 when running with ASAN go1.23.10 (released 2025-06-05) includes security fixes to the net/http and os packages, as well as bug fixes to the linker. (boo#1229122 go1.23 release tracking) CVE-2025-0913 CVE-2025-4673: * go#73719 go#73612 boo#1244157 security: fix CVE-2025-0913 os: inconsistent handling of O_CREATE|O_EXCL on Unix and Windows * go#73905 go#73816 boo#1244156 security: fix CVE-2025-4673 net/http: sensitive headers not cleared on cross-origin redirect * go#73677 runtime/debug: BuildSetting does not document DefaultGODEBUG * go#73831 cmd/link: Go 1.24.3 and 1.23.9 regression - duplicated definition of symbol dlopen go1.23.9 (released 2025-05-06) includes fixes to the runtime and the linker. (boo#1229122 go1.23 release tracking) * go#73091 cmd/link: linkname directive on userspace variable can override runtime variable * go#73380 runtime, x/sys/unix: Connectx is broken on darwin/amd64 go1.23.8 (released 2025-04-01) includes security fixes to the net/http package, as well as bug fixes to the runtime and the go command. 
CVE-2025-22871: * go#72010 go#71988 boo#1240550 security: fix CVE-2025-22871 net/http: reject bare LF in chunked encoding * go#72114 runtime: process hangs for mips hardware * go#72871 runtime: cgo callback on extra M treated as external code after nested cgo callback returns * go#72937 internal/godebugs: winsymlink and winreadlinkvolume have incorrect defaults for Go 1.22 go1.23.7 (released 2025-03-04) includes security fixes to the net/http package, as well as bug fixes to cgo, the compiler, and the reflect, runtime, and syscall packages. CVE-2025-22870: * go#71985 go#71984 boo#1238572 security: fix CVE-2025-22870 net/http, x/net/proxy, x/net/http/httpproxy: proxy bypass using IPv6 zone IDs * go#71727 runtime: usleep computes wrong tv_nsec on s390x * go#71839 runtime: recover added in range-over-func loop body doesn't stop panic propagation / segfaults printing error * go#71848 os: spurious SIGCHILD on running child process * go#71875 reflect: Value.Seq panicking on functional iterator methods * go#71915 reflect: Value.Seq iteration value types not matching the type of given int types * go#71962 runtime/cgo: does not build with -Wdeclaration-after-statement go1.23.6 (released 2025-02-04) includes security fixes to the crypto/elliptic package, as well as bug fixes to the compiler and the go command. CVE-2025-22866 * go#71423 go#71383 boo#1236801 security: fix CVE-2025-22866 crypto/internal/fips140/nistec: p256NegCond is variable time on ppc64le * go#71263 cmd/go/internal/modfetch/codehost: test fails with git 2.47.1 * go#71230 cmd/compile: broken write barrier go1.23.5 (released 2025-01-16) includes security fixes to the crypto/x509 and net/http packages, as well as bug fixes to the compiler, the runtime, and the net package. 
CVE-2024-45341 CVE-2024-45336: * go#71208 go#71156 boo#1236045 security: fix CVE-2024-45341 crypto/x509: usage of IPv6 zone IDs can bypass URI name constraints * go#71211 go#70530 boo#1236046 security: fix CVE-2024-45336 net/http: sensitive headers incorrectly sent after cross-domain redirect * go#69988 runtime: severe performance drop for cgo calls in go1.22.5 * go#70517 cmd/compile/internal/importer: flip enable alias to true * go#70789 os: io.Copy(net.Conn, os.Stdin) on MacOS terminate immediately without waiting for input * go#71104 crypto/tls: TestVerifyConnection/TLSv12 failures * go#71147 internal/trace: TestTraceCPUProfile/Stress failures go1.23.4 (released 2024-12-03) includes fixes to the compiler, the runtime, the trace command, and the syscall package. * go#70644 crypto/rsa: new key generation prohibitively slow under race detector * go#70645 proposal: go/types: add Scope.Node convenience getter * go#70646 x/tools/gopls: unimported completion corrupts import decl (client=BBEdit) * go#70648 crypto/tls: TestHandshakeClientECDHEECDSAAESGCM/TLSv12 failures * go#70649 x/benchmarks/sweet/cmd/sweet: TestSweetEndToEnd failures * go#70650 crypto/tls: TestGetClientCertificate/TLSv13 failures * go#70651 x/tools/go/gcexportdata: simplify implementation assuming go >= 1.21 * go#70654 cmd/go: Incorrect output from go list * go#70655 x/build/cmd/relui: add workflows for some remaining manual recurring Go major release cycle tasks * go#70657 proposal: bufio: Scanner.IterText/Scanner.IterBytes * go#70658 x/net/http2: stuck extended CONNECT requests * go#70659 os: TestRootDirFS failures on linux-mips64 and linux-mips64le arch-mips * go#70660 crypto/ecdsa: TestRFC6979 failures on s390x * go#70664 x/mobile: target maccatalyst cannot find OpenGLES header * go#70665 x/tools/gopls: refactor.extract.variable fails at package level * go#70666 x/tools/gopls: panic in GetIfaceStubInfo * go#70667 proposal: crypto/x509: support extracting X25519 public keys from certificates * 
go#70668 proposal: x/mobile: better support for unrecovered panics * go#70669 cmd/go: local failure in TestScript/build_trimpath_cgo * go#70670 cmd/link: unused functions aren't getting deadcoded from the binary * go#70674 x/pkgsite: package removal request for https://pkg.go.dev/github.com/uisdevsquad/go-test/debugmate * go#70675 cmd/go/internal/lockedfile: mountrpc flake in TestTransform on plan9 * go#70677 all: remote file server I/O flakiness with 'Bad fid' errors on plan9 * go#70678 internal/poll: deadlock on 'Intel(R) Xeon(R) Platinum' when an FD is closed * go#70679 mime/multipart: With go 1.23.3, mime/multipart does not link Update to version 1.23.2.3 cut from the go1.23-fips-release branch at the revision tagged go1.23.2-3-openssl-fips. ( jsc#SLE-18320) * Add negative tests for openssl (#243) go1.23.3 (released 2024-11-06) includes fixes to the linker, the runtime, and the net/http, os, and syscall packages. * go#69258 runtime: corrupted GoroutineProfile stack traces * go#69259 runtime: multi-arch build via qemu fails to exec go binary * go#69640 os: os.checkPidfd() crashes with SIGSYS * go#69746 runtime: TestGdbAutotmpTypes failures * go#69848 cmd/compile: syscall.Syscall15: nosplit stack over 792 byte limit * go#69865 runtime: MutexProfile missing root frames in go1.23 * go#69882 time,runtime: too many concurrent timer firings for short time.Ticker * go#69978 time,runtime: too many concurrent timer firings for short, fast-resetting time.Timer * go#69992 cmd/link: LC_UUID not generated by go linker, resulting in failure to access local network on macOS 15 * go#70001 net/http/pprof: coroutines + pprof makes the program panic * go#70020 net/http: short writes with FileServer on macos The following package changes have been done: - go1.23-openssl-doc-1.23.12-150600.13.9.1 updated - go1.23-openssl-1.23.12-150600.13.9.1 updated - go1.23-openssl-race-1.23.12-150600.13.9.1 updated From sle-container-updates at lists.suse.com Thu Sep 11 07:08:34 2025 From: 
sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Thu, 11 Sep 2025 09:08:34 +0200 (CEST) Subject: SUSE-CU-2025:6766-1: Security update of bci/golang Message-ID: <20250911070834.0560EF783@maintenance.suse.de> SUSE Container Update Advisory: bci/golang ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:6766-1 Container Tags : bci/golang:1.24-openssl , bci/golang:1.24.6-openssl , bci/golang:1.24.6-openssl-73.16 , bci/golang:latest , bci/golang:stable-openssl , bci/golang:stable-openssl-73.16 Container Release : 73.16 Severity : important Type : security References : 1236217 1244156 1244157 1244158 1246118 1247719 1247720 CVE-2025-0913 CVE-2025-22874 CVE-2025-4673 CVE-2025-4674 CVE-2025-47906 CVE-2025-47907 ----------------------------------------------------------------- The container bci/golang was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:3158-1 Released: Thu Sep 11 05:04:45 2025 Summary: Security update for go1.24-openssl Type: security Severity: important References: 1236217,1244156,1244157,1244158,1246118,1247719,1247720,CVE-2025-0913,CVE-2025-22874,CVE-2025-4673,CVE-2025-4674,CVE-2025-47906,CVE-2025-47907 This security update of go1.24-openssl fixes the following issues: Update to version 1.24.6 cut from the go1.24-fips-release branch at the revision tagged go1.24.6-1-openssl-fips. Refs jsc#SLE-18320 * Fix HKDF-Extract The latest OpenSSL in c9s/c10s requires nil salt to be passed as a hash length buffer of zeros. go1.24.6 (released 2025-08-06) includes security fixes to the database/sql and os/exec packages, as well as bug fixes to the runtime. ( boo#1236217 go1.24 release tracking) CVE-2025-47906 CVE-2025-47907: * go#74804 go#74466 boo#1247719 security: fix CVE-2025-47906 os/exec: LookPath bug: incorrect expansion of '', '.' and '..' 
in some PATH configurations * go#74833 go#74831 boo#1247720 security: fix CVE-2025-47907 database/sql: incorrect results returned from Rows.Scan * go#73800 runtime: RSS seems to have increased in Go 1.24 while the runtime accounting has not * go#74416 runtime: use-after-free of allpSnapshot in findRunnable * go#74694 runtime: segfaults in runtime.(*unwinder).next * go#74760 os/user:nolibgcc: TestGroupIdsTestUser failures go1.24.5 (released 2025-07-08) includes security fixes to the go command, as well as bug fixes to the compiler, the linker, the , and the go command. (boo#1236217 go1.24 release tracking) CVE-2025-4674: * go#74381 go#74380 boo#1246118 security: fix CVE-2025-4674 cmd/go: disable support for multiple vcs in one module * go#73908 runtime: bad frame pointer during panic during duffcopy * go#74098 cmd/compile: regression on ppc64le bit operations * go#74113 cmd/go: crash on unknown GOEXPERIMENT during toolchain selection * go#74290 runtime: heap mspan limit is set too late, causing data race between span allocation and conservative scanning * go#74294 internal/trace: stress tests triggering suspected deadlock in tracer * go#74346 runtime: memlock not unlocked in all control flow paths in sysReserveAlignedSbrk * go#74363 runtime/pprof: crash 'cannot read stack of running goroutine' in goroutine profile * go#74403 cmd/link: duplicated definition of symbol github.com/ebitengine/purego.syscall15XABI0 when running with ASAN go1.24.4 (released 2025-06-05) includes security fixes to the crypto/x509, net/http, and os packages, as well as bug fixes to the linker, the go command, and the hash/maphash and os packages. 
( boo#1236217 go1.24 release tracking) CVE-2025-22874 CVE-2025-0913 CVE-2025-4673 * go#73700 go#73702 boo#1244158 security: fix CVE-2025-22874 crypto/x509: ExtKeyUsageAny bypasses policy validation * go#73720 go#73612 boo#1244157 security: fix CVE-2025-0913 os: inconsistent handling of O_CREATE|O_EXCL on Unix and Windows * go#73906 go#73816 boo#1244156 security: fix CVE-2025-4673 net/http: sensitive headers not cleared on cross-origin redirect * go#73570 os: Root.Mkdir creates directories with zero permissions on OpenBSD * go#73669 hash/maphash: hashing channels with purego impl. of maphash.Comparable panics * go#73678 runtime/debug: BuildSetting does not document DefaultGODEBUG * go#73809 cmd/go: add fips140 module selection mechanism * go#73832 cmd/link: Go 1.24.3 and 1.23.9 regression - duplicated definition of symbol dlopen The following package changes have been done: - go1.24-openssl-doc-1.24.6-150600.13.9.1 updated - go1.24-openssl-1.24.6-150600.13.9.1 updated - go1.24-openssl-race-1.24.6-150600.13.9.1 updated From sle-container-updates at lists.suse.com Thu Sep 11 07:08:45 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Thu, 11 Sep 2025 09:08:45 +0200 (CEST) Subject: SUSE-CU-2025:6767-1: Security update of suse/kiosk/firefox-esr Message-ID: <20250911070845.11BD0F783@maintenance.suse.de> SUSE Container Update Advisory: suse/kiosk/firefox-esr ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:6767-1 Container Tags : suse/kiosk/firefox-esr:140.2 , suse/kiosk/firefox-esr:140.2-64.22 , suse/kiosk/firefox-esr:esr , suse/kiosk/firefox-esr:latest Container Release : 64.22 Severity : important Type : security References : 1226112 1232234 1240058 1245227 1246114 1246221 1246965 1247774 1248162 CVE-2024-10041 CVE-2025-6199 CVE-2025-7345 CVE-2025-8058 CVE-2025-9179 CVE-2025-9180 CVE-2025-9181 CVE-2025-9182 CVE-2025-9183 CVE-2025-9184 CVE-2025-9185 CVE-2025-9187 
----------------------------------------------------------------- The container suse/kiosk/firefox-esr was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2954-1 Released: Thu Aug 21 15:42:53 2025 Summary: Security update for gdk-pixbuf Type: security Severity: important References: 1245227,1246114,CVE-2025-6199,CVE-2025-7345 This update for gdk-pixbuf fixes the following issues: - CVE-2025-6199: Fixed uninitialized memory leading to arbitrary memory contents leak (bsc#1245227) - CVE-2025-7345: Fixed heap buffer overflow within the gdk_pixbuf__jpeg_image_load_increment function (bsc#1246114) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2964-1 Released: Fri Aug 22 14:52:39 2025 Summary: Security update for glibc Type: security Severity: moderate References: 1240058,1246965,CVE-2025-8058 This update for glibc fixes the following issues: - CVE-2025-8058: Fixed double-free after allocation failure in regcomp. 
(bsc#1246965) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2970-1 Released: Mon Aug 25 10:27:57 2025 Summary: Security update for pam Type: security Severity: moderate References: 1232234,1246221,CVE-2024-10041 This update for pam fixes the following issues: - Improve previous CVE-2024-10041 fix which led to CPU performance issues (bsc#1232234) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:3008-1 Released: Thu Aug 28 11:18:10 2025 Summary: Security update for MozillaFirefox Type: security Severity: important References: 1226112,1247774,1248162,CVE-2025-9179,CVE-2025-9180,CVE-2025-9181,CVE-2025-9182,CVE-2025-9183,CVE-2025-9184,CVE-2025-9185,CVE-2025-9187 This update for MozillaFirefox fixes the following issues: - Firefox Extended Support Release 140.2.0 ESR MFSA 2025-67 (bsc#1248162) * CVE-2025-9179 (bmo#1979527): Sandbox escape due to invalid pointer in the Audio/Video: GMP component * CVE-2025-9180 (bmo#1979782): Same-origin policy bypass in the Graphics: Canvas2D component * CVE-2025-9181 (bmo#1977130): Uninitialized memory in the JavaScript Engine component * CVE-2025-9182 (bmo#1975837): Denial-of-service due to out-of-memory in the Graphics: WebRender component * CVE-2025-9183 (bmo#1976102): Spoofing issue in the Address Bar component * CVE-2025-9184 (bmo#1929482, bmo#1976376, bmo#1979163, bmo#1979955): Memory safety bugs fixed in Firefox ESR 140.2, Thunderbird ESR 140.2, Firefox 142 and Thunderbird 142 * CVE-2025-9185 (bmo#1970154, bmo#1976782, bmo#1977166): Memory safety bugs fixed in Firefox ESR 115.27, Firefox ESR 128.14, Thunderbird ESR 128.14, Firefox ESR 140.2, Thunderbird ESR 140.2, Firefox 142 and Thunderbird 142 * CVE-2025-9187 (bmo#1825621, bmo#1970079, bmo#1976736, bmo#1979072): Memory safety bugs fixed in Firefox 142 and Thunderbird 142 - Other fixes: * Ensure the use of the correct file-picker on KDE (bsc#1226112) The following package changes have been 
done: - glibc-2.38-150600.14.37.1 updated - gdk-pixbuf-query-loaders-2.42.12-150600.3.8.1 updated - libgdk_pixbuf-2_0-0-2.42.12-150600.3.8.1 updated - pam-1.3.0-150000.6.86.1 updated - MozillaFirefox-140.2.0-150200.152.198.1 updated - container:suse-sle15-15.7-6d58784f25ab2a6683cd03e5c220cdb204e4d82db4b49ea1b4635dbd52b60a5b-0 updated - container:registry.suse.com-bci-bci-micro-15.7-e631ddc87a64067f3454b729f811eed0236dbf4ae669a438bf1b78e771b90a13-0 updated From sle-container-updates at lists.suse.com Thu Sep 11 07:08:57 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Thu, 11 Sep 2025 09:08:57 +0200 (CEST) Subject: SUSE-CU-2025:6768-1: Security update of suse/kiosk/pulseaudio Message-ID: <20250911070857.1F7C3F783@maintenance.suse.de> SUSE Container Update Advisory: suse/kiosk/pulseaudio ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:6768-1 Container Tags : suse/kiosk/pulseaudio:17 , suse/kiosk/pulseaudio:17.0 , suse/kiosk/pulseaudio:17.0-63.18 , suse/kiosk/pulseaudio:latest Container Release : 63.18 Severity : moderate Type : security References : 1232234 1240058 1244553 1246221 1246835 1246965 CVE-2024-10041 CVE-2025-8058 ----------------------------------------------------------------- The container suse/kiosk/pulseaudio was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2964-1 Released: Fri Aug 22 14:52:39 2025 Summary: Security update for glibc Type: security Severity: moderate References: 1240058,1246965,CVE-2025-8058 This update for glibc fixes the following issues: - CVE-2025-8058: Fixed double-free after allocation failure in regcomp. 
(bsc#1246965) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2970-1 Released: Mon Aug 25 10:27:57 2025 Summary: Security update for pam Type: security Severity: moderate References: 1232234,1246221,CVE-2024-10041 This update for pam fixes the following issues: - Improve previous CVE-2024-10041 fix which led to CPU performance issues (bsc#1232234) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:3066-1 Released: Thu Sep 4 08:37:17 2025 Summary: Recommended update for systemd-presets-branding-SLE Type: recommended Severity: moderate References: 1244553,1246835 This update for systemd-presets-branding-SLE fixes the following issues: - Enable sysstat_collect.timer and sysstat_summary.timer (bsc#1244553, bsc#1246835). - Modified default SLE presets. The following package changes have been done: - glibc-2.38-150600.14.37.1 updated - systemd-presets-branding-SLE-15.1-150600.35.3.1 updated - pam-1.3.0-150000.6.86.1 updated - container:suse-sle15-15.7-6d58784f25ab2a6683cd03e5c220cdb204e4d82db4b49ea1b4635dbd52b60a5b-0 updated - container:registry.suse.com-bci-bci-micro-15.7-e631ddc87a64067f3454b729f811eed0236dbf4ae669a438bf1b78e771b90a13-0 updated From sle-container-updates at lists.suse.com Thu Sep 11 07:09:07 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Thu, 11 Sep 2025 09:09:07 +0200 (CEST) Subject: SUSE-CU-2025:6769-1: Security update of suse/kiosk/xorg Message-ID: <20250911070907.A40E7F783@maintenance.suse.de> SUSE Container Update Advisory: suse/kiosk/xorg ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:6769-1 Container Tags : suse/kiosk/xorg:21 , suse/kiosk/xorg:21.1 , suse/kiosk/xorg:21.1-65.25 , suse/kiosk/xorg:latest , suse/kiosk/xorg:notaskbar Container Release : 65.25 Severity : important Type : security References : 1232234 1240058 1244553 1245227 1246114 1246221 
1246835 1246965 CVE-2024-10041 CVE-2025-6199 CVE-2025-7345 CVE-2025-8058 ----------------------------------------------------------------- The container suse/kiosk/xorg was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2954-1 Released: Thu Aug 21 15:42:53 2025 Summary: Security update for gdk-pixbuf Type: security Severity: important References: 1245227,1246114,CVE-2025-6199,CVE-2025-7345 This update for gdk-pixbuf fixes the following issues: - CVE-2025-6199: Fixed uninitialized memory leading to arbitrary memory contents leak (bsc#1245227) - CVE-2025-7345: Fixed heap buffer overflow within the gdk_pixbuf__jpeg_image_load_increment function (bsc#1246114) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2964-1 Released: Fri Aug 22 14:52:39 2025 Summary: Security update for glibc Type: security Severity: moderate References: 1240058,1246965,CVE-2025-8058 This update for glibc fixes the following issues: - CVE-2025-8058: Fixed double-free after allocation failure in regcomp. (bsc#1246965) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2970-1 Released: Mon Aug 25 10:27:57 2025 Summary: Security update for pam Type: security Severity: moderate References: 1232234,1246221,CVE-2024-10041 This update for pam fixes the following issues: - Improve previous CVE-2024-10041 fix which led to CPU performance issues (bsc#1232234) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:3066-1 Released: Thu Sep 4 08:37:17 2025 Summary: Recommended update for systemd-presets-branding-SLE Type: recommended Severity: moderate References: 1244553,1246835 This update for systemd-presets-branding-SLE fixes the following issues: - Enable sysstat_collect.timer and sysstat_summary.timer (bsc#1244553, bsc#1246835). - Modified default SLE presets. 
The following package changes have been done: - glibc-2.38-150600.14.37.1 updated - systemd-presets-branding-SLE-15.1-150600.35.3.1 updated - pam-1.3.0-150000.6.86.1 updated - gdk-pixbuf-query-loaders-2.42.12-150600.3.8.1 updated - libgdk_pixbuf-2_0-0-2.42.12-150600.3.8.1 updated - container:suse-sle15-15.7-6d58784f25ab2a6683cd03e5c220cdb204e4d82db4b49ea1b4635dbd52b60a5b-0 updated - container:registry.suse.com-bci-bci-micro-15.7-e631ddc87a64067f3454b729f811eed0236dbf4ae669a438bf1b78e771b90a13-0 updated From sle-container-updates at lists.suse.com Fri Sep 12 07:08:34 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Fri, 12 Sep 2025 09:08:34 +0200 (CEST) Subject: SUSE-IU-2025:2444-1: Security update of suse/sl-micro/6.0/baremetal-os-container Message-ID: <20250912070834.C943EF783@maintenance.suse.de> SUSE Image Update Advisory: suse/sl-micro/6.0/baremetal-os-container ----------------------------------------------------------------- Image Advisory ID : SUSE-IU-2025:2444-1 Image Tags : suse/sl-micro/6.0/baremetal-os-container:2.1.3 , suse/sl-micro/6.0/baremetal-os-container:2.1.3-6.84 , suse/sl-micro/6.0/baremetal-os-container:latest Image Release : 6.84 Severity : moderate Type : security References : 1246602 1246604 1247938 1247939 CVE-2025-53905 CVE-2025-53906 CVE-2025-55157 CVE-2025-55158 ----------------------------------------------------------------- The container suse/sl-micro/6.0/baremetal-os-container was updated. 
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: 457 Released: Thu Sep 11 12:30:52 2025 Summary: Security update for vim Type: security Severity: moderate References: 1246602,1246604,1247938,1247939,CVE-2025-53905,CVE-2025-53906,CVE-2025-55157,CVE-2025-55158 This update for vim fixes the following issues: - CVE-2025-53906: Fixed malicious zip archive causing path traversal (bsc#1246602) - CVE-2025-53905: Fixed malicious tar archive causing path traversal (bsc#1246604) - CVE-2025-55157: Fixed use-after-free in internal tuple reference management (bsc#1247938) - CVE-2025-55158: Fixed double-free in internal typed value (typval_T) management (bsc#1247939) - Update to 9.1.1629: 9.1.1629: Vim9: Not able to use more than 10 type arguments in a generic function 9.1.1628: fuzzy.c has a few issues 9.1.1627: fuzzy matching can be improved 9.1.1626: cindent: does not handle compound literals 9.1.1625: Autocompletion slow with include- and tag-completion 9.1.1624: Cscope not enabled on MacOS 9.1.1623: Buffer menu does not handle unicode names correctly 9.1.1622: Patch v9.1.1432 causes performance regressions 9.1.1621: flicker in popup menu during cmdline autocompletion 9.1.1620: filetype: composer.lock and symfony.lock files not recognized 9.1.1619: Incorrect E535 error message 9.1.1618: completion: incorrect selected index returned from complete_info() 9.1.1617: Vim9: some error messages can be improved 9.1.1616: xxd: possible buffer overflow with bitwise output 9.1.1615: diff format erroneously detected 9.1.1614: Vim9: possible variable type change 9.1.1613: tests: test_search leaves a few swapfiles behind 9.1.1612: Ctrl-G/Ctrl-T do not ignore the end search delimiter 9.1.1611: possible undefined behaviour in mb_decompose() 9.1.1610: completion: hang or E684 when 'tagfunc' calls complete() 9.1.1609: complete: Heap-buffer overflow with complete function 9.1.1608: No command-line completion 
for :unsilent {command} 9.1.1607: :apple command detected as :append 9.1.1606: filetype: a few more files are not recognized 9.1.1605: cannot specify scope for chdir() 9.1.1604: completion: incsearch highlight might be lost 9.1.1603: completion: cannot use autoloaded funcs in 'complete' F{func} 9.1.1602: filetype: requirements-*.txt files are not recognized 9.1.1601: Patch v8.1.0425 was wrong 9.1.1600: using diff anchors with hidden buffers fails silently 9.1.1599: :bnext doesn't go to unlisted help buffers 9.1.1598: filetype: waybar config file is not recognized 9.1.1597: CI reports leaks in libgtk3 library 9.1.1596: tests: Test_search_wildmenu_iminsert() depends on help file 9.1.1595: Wayland: non-portable use of select() 9.1.1594: completion: search completion throws errors 9.1.1593: Confusing error when compiling incomplete try block 9.1.1592: Vim9: crash with classes and garbage collection 9.1.1591: VMS support can be improved 9.1.1590: cannot perform autocompletion 9.1.1589: Cannot disable cscope interface using configure 9.1.1588: Vim9: cannot split dict inside command block 9.1.1587: Wayland: timeout not updated before select() 9.1.1586: Vim9: can define an enum/interface in a function 9.1.1585: Wayland: gvim still needs GVIM_ENABLE_WAYLAND 9.1.1584: using ints as boolean type 9.1.1583: gvim window lost its icons 9.1.1582: style issue in vim9type.c and vim9generics.c 9.1.1581: possible memory leak in vim9generics.c 9.1.1580: possible memory leak in vim9type.c 9.1.1579: Coverity complains about unchecked return value 9.1.1578: configure: comment still mentions autoconf 2.71 9.1.1577: Vim9: no generic support yet 9.1.1576: cannot easily trigger wildcard expansion 9.1.1575: tabpanel not drawn correctly with wrapped lines 9.1.1574: Dead code in mbyte.c 9.1.1573: Memory leak when pressing Ctrl-D in cmdline mode 9.1.1572: expanding $var does not escape whitespace for 'path' 9.1.1571: CmdlineChanged triggered to often 9.1.1570: Copilot suggested some improvements 
in cmdexpand.c 9.1.1569: tests: Vim9 tests can be improved 9.1.1568: need a few more default highlight groups 9.1.1567: crash when using inline diff mode 9.1.1566: self-referenced enum may not get freed 9.1.1565: configure: does not consider tiny version for wayland 9.1.1564: crash when opening popup to closing buffer 9.1.1563: completion: ruler may disappear 9.1.1562: close button always visible in the 'tabline' 9.1.1561: configure: wayland test can be improved 9.1.1560: configure: uses $PKG_CONFIG before it is defined 9.1.1559: tests: Test_popup_complete_info_01() fails when run alone 9.1.1558: str2blob() treats NULL string and empty string differently 9.1.1557: not possible to anchor specific lines in difff mode 9.1.1556: string handling in cmdexpand.c can be improved 9.1.1555: completion: repeated insertion of leader 9.1.1554: crash when omni-completion opens command-line window 9.1.1553: Vim9: crash when accessing a variable in if condition 9.1.1552: [security]: path traversal issue in tar.vim 9.1.1551: [security]: path traversal issue in zip.vim 9.1.1550: defaults: 'showcmd' is not enabled in non-compatible mode on Unix 9.1.1549: filetype: pkl files are not recognized 9.1.1548: filetype: OpenFGA files are not recognized 9.1.1547: Wayland: missing ifdef 9.1.1546: Vim9: error with has() and short circuit evaluation 9.1.1545: typo in os_unix.c 9.1.1544: :retab cannot be limited to indentation only 9.1.1543: Wayland: clipboard appears to not be working 9.1.1542: Coverity complains about uninitialized variable 9.1.1541: Vim9: error when last enum value ends with a comma 9.1.1540: completion: menu state wrong on interruption 9.1.1539: completion: messages don't respect 'shm' setting 9.1.1537: helptoc: still some issues when markdown code blocks 9.1.1536: tests: test_plugin_comment uses wrong :Check command 9.1.1535: the maximum search count uses hard-coded value 99 9.1.1534: unnecessary code in tabpanel.c 9.1.1533: helptoc: does not handle code sections in markdown 
well 9.1.1532: termdebug: not enough ways to configure breakpoints 9.1.1531: confusing error with nested legacy function 9.1.1530: Missing version change in v9.1.1529 9.1.1529: Win32: the toolbar in the GUI is old and dated 9.1.1528: completion: crash with getcompletion() 9.1.1527: Vim9: Crash with string compound assignment 9.1.1526: completion: search completion match may differ in case 9.1.1525: tests: testdir/ is a bit messy 9.1.1524: tests: too many imports in the test suite 9.1.1523: tests: test_clipmethod fails in non X11 environment 9.1.1522: tests: still some ANSI escape sequences in test output 9.1.1521: completion: pum does not reset scroll pos on reopen with 'noselect' 9.1.1520: completion: search completion doesn't handle 'smartcase' well 9.1.1519: tests: Test_termdebug_decimal_breakpoints() may fail 9.1.1518: getcompletiontype() may crash 9.1.1517: filetype: autopkgtest files are not recognized 9.1.1516: tests: no test that 'incsearch' is updated after search completion 9.1.1515: Coverity complains about potential unterminated strings 9.1.1514: Coverity complains about the use of tmpfile() 9.1.1513: resizing Vim window causes unexpected internal window width 9.1.1512: completion: can only complete from keyword characters 9.1.1511: tests: two edit tests change v:testing from 1 to 0 9.1.1510: Search completion may use invalid memory 9.1.1509: patch 9.1.1505 was not good 9.1.1508: string manipulation can be improved in cmdexpand.c 9.1.1507: symlinks are resolved on :cd commands 9.1.1506: tests: missing cleanup in Test_search_cmdline_incsearch_highlight() 9.1.1505: not possible to return completion type for :ex command 9.1.1504: filetype: numbat files are not recognized 9.1.1503: filetype: haxe files are not recognized 9.1.1502: filetype: quickbms files are not recognized 9.1.1501: filetype: flix files are not recognized 9.1.1500: if_python: typo in python error variable 9.1.1499: MS-Windows: no indication of ARM64 architecture 9.1.1498: completion: 
'complete' funcs behave different to 'omnifunc' 9.1.1497: Link error with shm_open() 9.1.1496: terminal: still not highlighting empty cells correctly 9.1.1495: Wayland: uses $XDG_SEAT to determine seat 9.1.1494: runtime(tutor): no French translation for Chapter 2 9.1.1493: manually comparing positions on buffer 9.1.1492: tests: failure when Wayland compositor fails to start 9.1.1491: missing out-of-memory checks in cmdexpand.c 9.1.1490: 'wildchar' does not work in search contexts 9.1.1489: terminal: no visual highlight of empty cols with empty 'listchars' 9.1.1488: configure: using obsolete macro AC_PROG_GCC_TRADITIONAL 9.1.1487: :cl doesn't invoke :clist 9.1.1486: documentation issues with Wayland 9.1.1485: missing Wayland clipboard support 9.1.1484: tests: Turkish locale tests fails on Mac 9.1.1483: not possible to translation position in buffer 9.1.1482: scrolling with 'splitkeep' and line() 9.1.1481: gcc complains about uninitialized variable 9.1.1480: Turkish translation outdated 9.1.1479: regression when displaying localized percentage position 9.1.1478: Unused assignment in ex_uniq() 9.1.1476: no easy way to deduplicate text 9.1.1476: missing out-of-memory checks in cmdexpand.c 9.1.1475: completion: regression when 'nearest' in 'completeopt' 9.1.1474: missing out-of-memory check in mark.c 9.1.1473: inconsistent range arg for :diffget/diffput 9.1.1472: if_python: PySequence_Fast_{GET_SIZE,GET_ITEM} removed 9.1.1471: completion: inconsistent ordering with CTRL-P 9.1.1470: use-after-free with popup callback on error 9.1.1469: potential buffer-underflow with invalid hl_id 9.1.1468: filetype: bright(er)script files are not recognized 9.1.1467: too many strlen() calls 9.1.1466: filetype: not all lex files are recognized 9.1.1465: tabpanel: not correctly drawn with 'equalalways' 9.1.1464: gv does not work in operator-pending mode 9.1.1463: Integer overflow in getmarklist() after linewise operation 9.1.1462: missing change from patch v9.1.1461 9.1.1461: tabpanel: 
tabpanel vanishes with popup menu 9.1.1460: MS-Windows: too many strlen() calls in os_win32.c 9.1.1459: xxd: coloring output is inefficient 9.1.1458: tabpanel: tabs not properly updated with 'stpl' 9.1.1457: compile warning with tabpanelopt 9.1.1456: comment plugin fails toggling if 'cms' contains \ 9.1.1455: Haiku: dailog objects created with no reference 9.1.1454: tests: no test for pum at line break position 9.1.1453: tests: Test_geometry() may fail 9.1.1452: completion: redundant check for completion flags 9.1.1451: tabpanel rendering artifacts when scrolling 9.1.1450: Session has wrong arglist with :tcd and :arglocal 9.1.1449: typo in pum_display() 9.1.1448: tabpanel is not displayed correctly when msg_scrolled 9.1.1447: completion: crash when backspacing with fuzzy completion 9.1.1446: filetype: cuda-gdb config files are not recognized 9.1.1445: negative matchfuzzy scores although there is a match 9.1.1444: Unused assignment in set_fuzzy_score() 9.1.1443: potential buffer underflow in insertchar() 9.1.1442: tests: Test_diff_fold_redraw() is insufficient 9.1.1441: completion: code can be improved 9.1.1440: too many strlen() calls in os_win32.c 9.1.1439: Last diff folds not merged 9.1.1438: tests: Test_breakindent_list_split() fails 9.1.1437: MS-Windows: internal compile error in uc_list() 9.1.1436: GUI control code is displayed on the console on startup 9.1.1435: completion: various flaws in fuzzy completion 9.1.1434: MS-Windows: missing out-of-memory checks in os_win32.c 9.1.1433: Unnecessary :if when writing session 9.1.1432: GTK GUI: Buffer menu does not handle unicode correctly 9.1.1431: Hit-Enter Prompt when loading session files 9.1.1430: tabpanel may flicker in the GUI 9.1.1429: dragging outside the tabpanel changes tabpagenr 9.1.1428: completion: register completion needs cleanup 9.1.1427: rendering artifacts with the tabpanel 9.1.1426: completion: register contents not completed 9.1.1425: tabpanel: there are still some problems with the tabpanel 
9.1.1424: PMenu selection broken with multi-line selection and limits 9.1.1423: :tag command not working correctly using Vim9 Script 9.1.1422: scheduling of complete function can be improved 9.1.1421: tests: need a test for the new-style tutor.tutor 9.1.1420: tests: could need some more tests for shebang lines 9.1.1419: It is difficult to ignore all but some events 9.1.1418: configures GUI auto detection favors GTK2 9.1.1417: missing info about register completion in complete_info() 9.1.1416: completion limits not respected for fuzzy completions 9.1.1415: potential use-after free when there is an error in 'tabpanel' 9.1.1414: MS-Windows: compile warnings in os_win32.c 9.1.1413: spurious CursorHold triggered in GUI on startup 9.1.1412: tests: Test_tabpanel_tabonly() fails on larger screens 9.1.1411: crash when calling non-existing function for tabpanel 9.1.1410: out-of-bounds access with 'completefunc' 9.1.1409: using f-flag in 'complete' conflicts with Neovim 9.1.1408: not easily possible to complete from register content 9.1.1407: Can't use getpos('v') in OptionSet when using setbufvar() 9.1.1406: crash when importing invalid tuple 9.1.1405: tests: no test for mapping with special keys in session file 9.1.1404: wrong link to Chapter 2 in new-tutor 9.1.1403: expansion of 'tabpanelopt' value adds wrong values 9.1.1402: multi-byte mappings not properly stored in session file 9.1.1401: list not materialized in prop_list() 9.1.1400: [security]: use-after-free when evaluating tuple fails 9.1.1399: tests: test_codestyle fails for auto-generated files 9.1.1398: completion: trunc does not follow Pmenu highlighting attributes 9.1.1397: tabpanel not correctly updated on :tabonly 9.1.1396: 'errorformat' is a global option 9.1.1395: search_stat not reset when pattern differs in case 9.1.1394: tabpanel not correctly redrawn on tabonly 9.1.1393: missing test for switching buffers and reusing curbuf 9.1.1392: missing patch number 9.1.1391: Vim does not have a vertical tabpanel 
9.1.1390: style: more wrong indentation 9.1.1389: completion: still some issue when 'isexpand' contains a space 9.1.1388: Scrolling one line too far with 'nosmoothscroll' page scrolling 9.1.1387: memory leak when buflist_new() fails to reuse curbuf 9.1.1386: MS-Windows: some minor problems building on AARCH64 9.1.1385: inefficient loop for 'nosmoothscroll' scrolling 9.1.1384: still some problem with the new tutors filetype plugin 9.1.1383: completion: 'isexpand' option does not handle space char correct 9.1.1382: if_ruby: unused compiler warnings from ruby internals 9.1.1381: completion: cannot return to original text 9.1.1380: 'eventignorewin' only checked for current buffer 9.1.1379: MS-Windows: error when running evim when space in path 9.1.1378: sign without text overwrites number option 9.1.1377: patch v9.1.1370 causes some GTK warning messages 9.1.1376: quickfix dummy buffer may remain as dummy buffer 9.1.1375: [security]: possible heap UAF with quickfix dummy buffer 9.1.1374: completion: 'smartcase' not respected when filtering matches 9.1.1373: 'completeopt' checking logic can be simplified 9.1.1372: style: braces issues in various files 9.1.1371: style: indentation and brace issues in insexpand.c 9.1.1370: CI Tests favor GTK2 over GTK3 9.1.1369: configure still using autoconf 2.71 9.1.1368: GTK3 and GTK4 will drop numeric cursor support. 
9.1.1367: too many strlen() calls in gui.c 9.1.1366: v9.1.1364 unintentionally changed sign.c and sound.c 9.1.1365: MS-Windows: compile warnings and too many strlen() calls 9.1.1364: style: more indentation issues 9.1.1363: style: inconsistent indentation in various files 9.1.1362: Vim9: type ignored when adding tuple to instance list var 9.1.1361: [security]: possible use-after-free when closing a buffer 9.1.1360: filetype: GNU Radio companion files are not recognized 9.1.1359: filetype: GNU Radio config files are not recognized 9.1.1358: if_lua: compile warnings with gcc15 9.1.1357: Vim incorrectly escapes tags with '[' in a help buffer 9.1.1356: Vim9: crash when unletting variable 9.1.1355: The pum_redraw() function is too complex 9.1.1354: tests: Test_terminalwinscroll_topline() fails on Windows 9.1.1353: missing change from v9.1.1350 9.1.1352: style: inconsistent indent in insexpand.c 9.1.1351: Return value of getcmdline() inconsistent in CmdlineLeavePre 9.1.1350: tests: typo in Test_CmdlineLeavePre_cabbr() 9.1.1349: CmdlineLeavePre may trigger twice 9.1.1348: still E315 with the terminal feature 9.1.1347: small problems with gui_w32.c 9.1.1346: missing out-of-memory check in textformat.c 9.1.1345: tests: Test_xxd_color2() test failure dump diff is misleading 9.1.1344: double free in f_complete_match() (after v9.1.1341) 9.1.1343: filetype: IPython files are not recognized 9.1.1342: Shebang filetype detection can be improved 9.1.1341: cannot define completion triggers 9.1.1340: cannot complete :filetype arguments 9.1.1339: missing out-of-memory checks for enc_to_utf16()/utf16_to_enc() 9.1.1338: Calling expand() interferes with cmdcomplete_info() 9.1.1337: Undo corrupted with 'completeopt' 'preinsert' when switching buffer 9.1.1336: comment plugin does not support case-insensitive 'commentstring' 9.1.1335: Coverity complains about Null pointer dereferences 9.1.1334: Coverity complains about unchecked return value 9.1.1333: Coverity: complains about unutilized 
variable 9.1.1332: Vim9: segfault when using super within a lambda 9.1.1331: Leaking memory with cmdcomplete() 9.1.1330: may receive E315 in terminal 9.1.1329: cannot get information about command line completion 9.1.1328: too many strlen() calls in indent.c 9.1.1327: filetype: nroff detection can be improved 9.1.1326: invalid cursor position after 'tagfunc' 9.1.1325: tests: not checking error numbers properly 9.1.1324: undefined behaviour if X11 connection dies 9.1.1323: b:undo_ftplugin not executed when re-using buffer 9.1.1322: small delete register cannot paste multi-line correctly 9.1.1321: filetype: MS ixx and mpp files are not recognized 9.1.1320: filetype: alsoft config files are not recognized 9.1.1319: Various typos in the code, issue with test_inst_complete.vim 9.1.1318: tests: test_format fails 9.1.1317: noisy error when restoring folds from session fails 9.1.1316: missing memory allocation failure in os_mswin.c 9.1.1315: completion: issue with fuzzy completion and 'completefuzzycollect' 9.1.1314: max allowed string width too small 9.1.1313: compile warning about uninitialized value 9.1.1312: tests: Test_backupskip() fails when HOME is defined 9.1.1311: completion: not possible to limit number of matches 9.1.1310: completion: redundant check for preinsert effect 9.1.1309: tests: no test for 'pummaxwidth' with non-truncated 'kind' 9.1.1308: completion: cannot order matches by distance to cursor 9.1.1307: make syntax does not reliably detect different flavors 9.1.1306: completion menu rendering can be improved 9.1.1305: completion menu active after switching windows/tabs 9.1.1304: filetype: some man files are not recognized 9.1.1303: missing out-of-memory check in linematch.c 9.1.1302: Coverity warns about using uninitialized value 9.1.1301: completion: cannot configure completion functions with 'complete' 9.1.1300: wrong detection of -inf 9.1.1299: filetype: mbsyncrc files are not recognized 9.1.1298: define_function() is too long 9.1.1297: Ctrl-D 
scrolling can get stuck 9.1.1296: completion: incorrect truncation logic 9.1.1295: clientserver: does not handle :stopinsert correctly 9.1.1294: gui tabline menu does not use confirm when closing tabs 9.1.1293: comment plugin does not handle 'exclusive' selection for comment object 9.1.1292: statusline not correctly evaluated 9.1.1291: too many strlen() calls in buffer.c 9.1.1290: tests: missing cleanup in test_filetype.vim 9.1.1289: tests: no test for matchparen plugin with WinScrolled event 9.1.1288: Using wrong window in ll_resize_stack() 9.1.1287: quickfix code can be further improved 9.1.1286: filetype: help files not detected when 'iskeyword' includes ':' 9.1.1285: Vim9: no error message for missing method after 'super.' 9.1.1284: not possible to configure pum truncation char 9.1.1283: quickfix stack is limited to 10 items 9.1.1282: Build and test failure without job feature 9.1.1281: extra newline output when editing stdin 9.1.1280: trailing additional semicolon in get_matches_in_str() 9.1.1279: Vim9: null_object and null_class are no reserved names 9.1.1278: Vim9: too long functions in vim9type.c 9.1.1277: tests: trailing comment char in test_popupwin 9.1.1276: inline word diff treats multibyte chars as word char 9.1.1275: MS-Windows: Not possible to pass additional flags to Make_mvc 9.1.1274: Vim9: no support for object as variable type 9.1.1273: Coverity warns about using uninitialized value 9.1.1272: completion: in keyword completion Ctrl_P cannot go back after Ctrl_N 9.1.1271: filetype: Power Query files are not recognized 9.1.1270: missing out-of-memory checks in buffer.c 9.1.1269: completion: compl_shown_match is updated when starting keyword completion 9.1.1268: filetype: dax files are not recognized 9.1.1267: Vim9: no support for type list/dict> 9.1.1266: MS-Windows: type conversion warnings 9.1.1265: tests: no tests for typing normal char during completion 9.1.1264: Vim9: error when comparing objects 9.1.1263: string length wrong in 
get_last_inserted_save() 9.1.1262: heap-buffer-overflow with narrow 'pummaxwidth' value 9.1.1261: No test for 'pummaxwidth' non-truncated items 9.1.1260: Hang when filtering buffer with NUL bytes 9.1.1259: some issues with comment package and tailing spaces 9.1.1258: regexp: max \U and \%U value is limited by INT_MAX 9.1.1257: Mixing vim_strsize() with mb_ptr2cells() in pum_redraw() 9.1.1256: if_python: duplicate tuple data entries 9.1.1255: missing test condition for 'pummaxwidth' setting 9.1.1254: need more tests for the comment plugin 9.1.1253: abort when closing window with attached quickfix data 9.1.1252: typos in code and docs related to 'diffopt' 'inline:' 9.1.1251: if_python: build error with tuples and dynamic python 9.1.1250: cannot set the maximum popup menu width 9.1.1249: tests: no test that 'listchars' 'eol' doesn't affect 'gM' 9.1.1248: compile error when building without FEAT_QUICKFIX 9.1.1247: fragile setup to get (preferred) keys from key_name_entry 9.1.1246: coverity complains about some changes in v9.1.1243 9.1.1245: need some more tests for curly braces evaluation 9.1.1244: part of patch v9.1.1242 was wrong 9.1.1243: diff mode is lacking for changes within lines 9.1.1242: Crash when evaluating variable name 9.1.1241: wrong preprocessort indentation in term.c 9.1.1240: Regression with ic/ac text objects and comment plugin 9.1.1239: if_python: no tuple data type support 9.1.1238: wrong cursor column with 'set splitkeep=screen' 9.1.1237: Compile error with C89 compiler in term.c 9.1.1236: tests: test_comments leaves swapfiles around 9.1.1235: cproto files are outdated 9.1.1234: Compile error when SIZE_MAX is not defined 9.1.1233: Coverity warns about NULL pointer when triggering WinResized 9.1.1232: Vim script is missing the tuple data type 9.1.1231: filetype: SPA JSON files are not recognized 9.1.1230: inconsistent CTRL-C behaviour for popup windows 9.1.1229: the comment plugin can be improved 9.1.1228: completion: current position column wrong 
after got a match 9.1.1227: no tests for the comment package 9.1.1226: 'shellcmdline' completion doesn't work with input() 9.1.1225: extra NULL check in VIM_CLEAR() 9.1.1224: cannot :put while keeping indent 9.1.1223: wrong translation used for encoding failures 9.1.1222: using wrong length for last inserted string 9.1.1221: Wrong cursor pos when leaving Insert mode just after 'autoindent' 9.1.1220: filetype: uv.lock file not recognized 9.1.1219: Strange error with wrong type for matchfuzzy() 'camelcase' 9.1.1218: missing out-of-memory check in filepath.c 9.1.1217: tests: typos in test_matchfuzzy.vim 9.1.1216: Pasting the '.' register multiple times may not work 9.1.1215: Patch 9.1.1213 has some issues 9.1.1214: matchfuzzy() can be improved for camel case matches 9.1.1213: cannot :put while keeping indent 9.1.1212: too many strlen() calls in edit.c 9.1.1212: filetype: logrotate'd pacmanlogs are not recognized 9.1.1211: TabClosedPre is triggered just before the tab is being freed 9.1.1210: translation(ru): missing Russian translation for the new tutor 9.1.1209: colorcolumn not drawn after virtual text lines 9.1.1208: MS-Windows: not correctly restoring alternate screen on Win 10 9.1.1207: MS-Windows: build warning in filepath.c 9.1.1206: tests: test_filetype fails when a file is a directory 9.1.1205: completion: preinserted text not removed when closing pum 9.1.1204: MS-Windows: crash when passing long string to expand() 9.1.1203: matchparen keeps cursor on case label in sh filetype 9.1.1202: Missing TabClosedPre autocommand 9.1.1201: 'completefuzzycollect' does not handle dictionary correctly 9.1.1200: cmdline pum not cleared for input() completion 9.1.1199: gvim uses hardcoded xpm icon file 9.1.1198: [security]: potential data loss with zip.vim 9.1.1197: process_next_cpt_value() uses wrong condition 9.1.1196: filetype: config files for container tools are not recognized 9.1.1195: inside try-block: fn body executed with default arg undefined 9.1.1194: filetype: 
false positive help filetype detection
  9.1.1193: Unnecessary use of STRCAT() in au_event_disable()
  9.1.1192: Vim crashes with term response debug logging enabled
  9.1.1191: tests: test for patch 9.1.1186 doesn't fail without the patch
  9.1.1190: C indentation does not detect multibyte labels
  9.1.1189: if_python: build error due to incompatible pointer types
  9.1.1188: runtime(tera): tera support can be improved
  9.1.1187: matchparen plugin wrong highlights shell case statement
  9.1.1186: filetype: help files in git repos are not detected
  9.1.1185: endless loop with completefuzzycollect and no match found
  9.1.1184: Unnecessary use of vim_tolower() in vim_strnicmp_asc()
  9.1.1083: 'above' virtual text breaks cursorlineopt=number
  9.1.1182: No cmdline completion for 'completefuzzycollect'
  9.1.1181: Unnecessary STRLEN() calls in insexpand.c
  9.1.1180: short-description
  9.1.1179: too many strlen() calls in misc2.c
  9.1.1178: not possible to generate completion candidates using fuzzy matching
  9.1.1177: filetype: tera files not detected

The following package changes have been done:

- vim-data-common-9.1.1629-1.1 updated
- vim-small-9.1.1629-1.1 updated
- container:SL-Micro-base-container-2.1.3-7.52 updated

From sle-container-updates at lists.suse.com Fri Sep 12 07:13:34 2025
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Fri, 12 Sep 2025 09:13:34 +0200 (CEST)
Subject: SUSE-CU-2025:6773-1: Security update of suse/sl-micro/6.0/toolbox
Message-ID: <20250912071334.0620BF782@maintenance.suse.de>

SUSE Container Update Advisory: suse/sl-micro/6.0/toolbox
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2025:6773-1
Container Tags        : suse/sl-micro/6.0/toolbox:13.2 , suse/sl-micro/6.0/toolbox:13.2-9.33 , suse/sl-micro/6.0/toolbox:latest
Container Release     : 9.33
Severity              : moderate
Type                  : security
References            : 1246602 1246604 1247938 1247939 CVE-2025-53905 CVE-2025-53906 CVE-2025-55157 CVE-2025-55158
-----------------------------------------------------------------

The container suse/sl-micro/6.0/toolbox was updated.

The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: 457
Released:    Thu Sep 11 12:30:52 2025
Summary:     Security update for vim
Type:        security
Severity:    moderate
References:  1246602,1246604,1247938,1247939,CVE-2025-53905,CVE-2025-53906,CVE-2025-55157,CVE-2025-55158

This update for vim fixes the following issues:

- CVE-2025-53906: Fixed malicious zip archive causing path traversal (bsc#1246602)
- CVE-2025-53905: Fixed malicious tar archive causing path traversal (bsc#1246604)
- CVE-2025-55157: Fixed use-after-free in internal tuple reference management (bsc#1247938)
- CVE-2025-55158: Fixed double-free in internal typed value (typval_T) management (bsc#1247939)

- Update to 9.1.1629:
  9.1.1629: Vim9: Not able to use more than 10 type arguments in a generic function
  9.1.1628: fuzzy.c has a few issues
  9.1.1627: fuzzy matching can be improved
  9.1.1626: cindent: does not handle compound literals
  9.1.1625: Autocompletion slow with include- and tag-completion
  9.1.1624: Cscope not enabled on MacOS
  9.1.1623: Buffer menu does not handle unicode names correctly
  9.1.1622: Patch v9.1.1432 causes performance regressions
  9.1.1621: flicker in popup menu during cmdline autocompletion
  9.1.1620: filetype: composer.lock and symfony.lock files not recognized
  9.1.1619: Incorrect E535 error message
  9.1.1618: completion: incorrect selected index returned from complete_info()
  9.1.1617: Vim9: some error messages can be improved
  9.1.1616: xxd: possible buffer overflow with bitwise output
  9.1.1615: diff format erroneously detected
  9.1.1614: Vim9: possible variable type change
  9.1.1613: tests: test_search leaves a few swapfiles behind
  9.1.1612: Ctrl-G/Ctrl-T do not ignore the end search delimiter
  9.1.1611: possible undefined behaviour in mb_decompose()
  9.1.1610: completion: hang or E684
when 'tagfunc' calls complete() 9.1.1609: complete: Heap-buffer overflow with complete function 9.1.1608: No command-line completion for :unsilent {command} 9.1.1607: :apple command detected as :append 9.1.1606: filetype: a few more files are not recognized 9.1.1605: cannot specify scope for chdir() 9.1.1604: completion: incsearch highlight might be lost 9.1.1603: completion: cannot use autoloaded funcs in 'complete' F{func} 9.1.1602: filetype: requirements-*.txt files are not recognized 9.1.1601: Patch v8.1.0425 was wrong 9.1.1600: using diff anchors with hidden buffers fails silently 9.1.1599: :bnext doesn't go to unlisted help buffers 9.1.1598: filetype: waybar config file is not recognized 9.1.1597: CI reports leaks in libgtk3 library 9.1.1596: tests: Test_search_wildmenu_iminsert() depends on help file 9.1.1595: Wayland: non-portable use of select() 9.1.1594: completion: search completion throws errors 9.1.1593: Confusing error when compiling incomplete try block 9.1.1592: Vim9: crash with classes and garbage collection 9.1.1591: VMS support can be improved 9.1.1590: cannot perform autocompletion 9.1.1589: Cannot disable cscope interface using configure 9.1.1588: Vim9: cannot split dict inside command block 9.1.1587: Wayland: timeout not updated before select() 9.1.1586: Vim9: can define an enum/interface in a function 9.1.1585: Wayland: gvim still needs GVIM_ENABLE_WAYLAND 9.1.1584: using ints as boolean type 9.1.1583: gvim window lost its icons 9.1.1582: style issue in vim9type.c and vim9generics.c 9.1.1581: possible memory leak in vim9generics.c 9.1.1580: possible memory leak in vim9type.c 9.1.1579: Coverity complains about unchecked return value 9.1.1578: configure: comment still mentions autoconf 2.71 9.1.1577: Vim9: no generic support yet 9.1.1576: cannot easily trigger wildcard expansion 9.1.1575: tabpanel not drawn correctly with wrapped lines 9.1.1574: Dead code in mbyte.c 9.1.1573: Memory leak when pressing Ctrl-D in cmdline mode 9.1.1572: expanding 
$var does not escape whitespace for 'path' 9.1.1571: CmdlineChanged triggered to often 9.1.1570: Copilot suggested some improvements in cmdexpand.c 9.1.1569: tests: Vim9 tests can be improved 9.1.1568: need a few more default highlight groups 9.1.1567: crash when using inline diff mode 9.1.1566: self-referenced enum may not get freed 9.1.1565: configure: does not consider tiny version for wayland 9.1.1564: crash when opening popup to closing buffer 9.1.1563: completion: ruler may disappear 9.1.1562: close button always visible in the 'tabline' 9.1.1561: configure: wayland test can be improved 9.1.1560: configure: uses $PKG_CONFIG before it is defined 9.1.1559: tests: Test_popup_complete_info_01() fails when run alone 9.1.1558: str2blob() treats NULL string and empty string differently 9.1.1557: not possible to anchor specific lines in difff mode 9.1.1556: string handling in cmdexpand.c can be improved 9.1.1555: completion: repeated insertion of leader 9.1.1554: crash when omni-completion opens command-line window 9.1.1553: Vim9: crash when accessing a variable in if condition 9.1.1552: [security]: path traversal issue in tar.vim 9.1.1551: [security]: path traversal issue in zip.vim 9.1.1550: defaults: 'showcmd' is not enabled in non-compatible mode on Unix 9.1.1549: filetype: pkl files are not recognized 9.1.1548: filetype: OpenFGA files are not recognized 9.1.1547: Wayland: missing ifdef 9.1.1546: Vim9: error with has() and short circuit evaluation 9.1.1545: typo in os_unix.c 9.1.1544: :retab cannot be limited to indentation only 9.1.1543: Wayland: clipboard appears to not be working 9.1.1542: Coverity complains about uninitialized variable 9.1.1541: Vim9: error when last enum value ends with a comma 9.1.1540: completion: menu state wrong on interruption 9.1.1539: completion: messages don't respect 'shm' setting 9.1.1537: helptoc: still some issues when markdown code blocks 9.1.1536: tests: test_plugin_comment uses wrong :Check command 9.1.1535: the maximum search 
count uses hard-coded value 99 9.1.1534: unnecessary code in tabpanel.c 9.1.1533: helptoc: does not handle code sections in markdown well 9.1.1532: termdebug: not enough ways to configure breakpoints 9.1.1531: confusing error with nested legacy function 9.1.1530: Missing version change in v9.1.1529 9.1.1529: Win32: the toolbar in the GUI is old and dated 9.1.1528: completion: crash with getcompletion() 9.1.1527: Vim9: Crash with string compound assignment 9.1.1526: completion: search completion match may differ in case 9.1.1525: tests: testdir/ is a bit messy 9.1.1524: tests: too many imports in the test suite 9.1.1523: tests: test_clipmethod fails in non X11 environment 9.1.1522: tests: still some ANSI escape sequences in test output 9.1.1521: completion: pum does not reset scroll pos on reopen with 'noselect' 9.1.1520: completion: search completion doesn't handle 'smartcase' well 9.1.1519: tests: Test_termdebug_decimal_breakpoints() may fail 9.1.1518: getcompletiontype() may crash 9.1.1517: filetype: autopkgtest files are not recognized 9.1.1516: tests: no test that 'incsearch' is updated after search completion 9.1.1515: Coverity complains about potential unterminated strings 9.1.1514: Coverity complains about the use of tmpfile() 9.1.1513: resizing Vim window causes unexpected internal window width 9.1.1512: completion: can only complete from keyword characters 9.1.1511: tests: two edit tests change v:testing from 1 to 0 9.1.1510: Search completion may use invalid memory 9.1.1509: patch 9.1.1505 was not good 9.1.1508: string manipulation can be improved in cmdexpand.c 9.1.1507: symlinks are resolved on :cd commands 9.1.1506: tests: missing cleanup in Test_search_cmdline_incsearch_highlight() 9.1.1505: not possible to return completion type for :ex command 9.1.1504: filetype: numbat files are not recognized 9.1.1503: filetype: haxe files are not recognized 9.1.1502: filetype: quickbms files are not recognized 9.1.1501: filetype: flix files are not recognized 
9.1.1500: if_python: typo in python error variable 9.1.1499: MS-Windows: no indication of ARM64 architecture 9.1.1498: completion: 'complete' funcs behave different to 'omnifunc' 9.1.1497: Link error with shm_open() 9.1.1496: terminal: still not highlighting empty cells correctly 9.1.1495: Wayland: uses $XDG_SEAT to determine seat 9.1.1494: runtime(tutor): no French translation for Chapter 2 9.1.1493: manually comparing positions on buffer 9.1.1492: tests: failure when Wayland compositor fails to start 9.1.1491: missing out-of-memory checks in cmdexpand.c 9.1.1490: 'wildchar' does not work in search contexts 9.1.1489: terminal: no visual highlight of empty cols with empty 'listchars' 9.1.1488: configure: using obsolete macro AC_PROG_GCC_TRADITIONAL 9.1.1487: :cl doesn't invoke :clist 9.1.1486: documentation issues with Wayland 9.1.1485: missing Wayland clipboard support 9.1.1484: tests: Turkish locale tests fails on Mac 9.1.1483: not possible to translation position in buffer 9.1.1482: scrolling with 'splitkeep' and line() 9.1.1481: gcc complains about uninitialized variable 9.1.1480: Turkish translation outdated 9.1.1479: regression when displaying localized percentage position 9.1.1478: Unused assignment in ex_uniq() 9.1.1476: no easy way to deduplicate text 9.1.1476: missing out-of-memory checks in cmdexpand.c 9.1.1475: completion: regression when 'nearest' in 'completeopt' 9.1.1474: missing out-of-memory check in mark.c 9.1.1473: inconsistent range arg for :diffget/diffput 9.1.1472: if_python: PySequence_Fast_{GET_SIZE,GET_ITEM} removed 9.1.1471: completion: inconsistent ordering with CTRL-P 9.1.1470: use-after-free with popup callback on error 9.1.1469: potential buffer-underflow with invalid hl_id 9.1.1468: filetype: bright(er)script files are not recognized 9.1.1467: too many strlen() calls 9.1.1466: filetype: not all lex files are recognized 9.1.1465: tabpanel: not correctly drawn with 'equalalways' 9.1.1464: gv does not work in operator-pending mode 
9.1.1463: Integer overflow in getmarklist() after linewise operation 9.1.1462: missing change from patch v9.1.1461 9.1.1461: tabpanel: tabpanel vanishes with popup menu 9.1.1460: MS-Windows: too many strlen() calls in os_win32.c 9.1.1459: xxd: coloring output is inefficient 9.1.1458: tabpanel: tabs not properly updated with 'stpl' 9.1.1457: compile warning with tabpanelopt 9.1.1456: comment plugin fails toggling if 'cms' contains \ 9.1.1455: Haiku: dailog objects created with no reference 9.1.1454: tests: no test for pum at line break position 9.1.1453: tests: Test_geometry() may fail 9.1.1452: completion: redundant check for completion flags 9.1.1451: tabpanel rendering artifacts when scrolling 9.1.1450: Session has wrong arglist with :tcd and :arglocal 9.1.1449: typo in pum_display() 9.1.1448: tabpanel is not displayed correctly when msg_scrolled 9.1.1447: completion: crash when backspacing with fuzzy completion 9.1.1446: filetype: cuda-gdb config files are not recognized 9.1.1445: negative matchfuzzy scores although there is a match 9.1.1444: Unused assignment in set_fuzzy_score() 9.1.1443: potential buffer underflow in insertchar() 9.1.1442: tests: Test_diff_fold_redraw() is insufficient 9.1.1441: completion: code can be improved 9.1.1440: too many strlen() calls in os_win32.c 9.1.1439: Last diff folds not merged 9.1.1438: tests: Test_breakindent_list_split() fails 9.1.1437: MS-Windows: internal compile error in uc_list() 9.1.1436: GUI control code is displayed on the console on startup 9.1.1435: completion: various flaws in fuzzy completion 9.1.1434: MS-Windows: missing out-of-memory checks in os_win32.c 9.1.1433: Unnecessary :if when writing session 9.1.1432: GTK GUI: Buffer menu does not handle unicode correctly 9.1.1431: Hit-Enter Prompt when loading session files 9.1.1430: tabpanel may flicker in the GUI 9.1.1429: dragging outside the tabpanel changes tabpagenr 9.1.1428: completion: register completion needs cleanup 9.1.1427: rendering artifacts with the 
tabpanel 9.1.1426: completion: register contents not completed 9.1.1425: tabpanel: there are still some problems with the tabpanel 9.1.1424: PMenu selection broken with multi-line selection and limits 9.1.1423: :tag command not working correctly using Vim9 Script 9.1.1422: scheduling of complete function can be improved 9.1.1421: tests: need a test for the new-style tutor.tutor 9.1.1420: tests: could need some more tests for shebang lines 9.1.1419: It is difficult to ignore all but some events 9.1.1418: configures GUI auto detection favors GTK2 9.1.1417: missing info about register completion in complete_info() 9.1.1416: completion limits not respected for fuzzy completions 9.1.1415: potential use-after free when there is an error in 'tabpanel' 9.1.1414: MS-Windows: compile warnings in os_win32.c 9.1.1413: spurious CursorHold triggered in GUI on startup 9.1.1412: tests: Test_tabpanel_tabonly() fails on larger screens 9.1.1411: crash when calling non-existing function for tabpanel 9.1.1410: out-of-bounds access with 'completefunc' 9.1.1409: using f-flag in 'complete' conflicts with Neovim 9.1.1408: not easily possible to complete from register content 9.1.1407: Can't use getpos('v') in OptionSet when using setbufvar() 9.1.1406: crash when importing invalid tuple 9.1.1405: tests: no test for mapping with special keys in session file 9.1.1404: wrong link to Chapter 2 in new-tutor 9.1.1403: expansion of 'tabpanelopt' value adds wrong values 9.1.1402: multi-byte mappings not properly stored in session file 9.1.1401: list not materialized in prop_list() 9.1.1400: [security]: use-after-free when evaluating tuple fails 9.1.1399: tests: test_codestyle fails for auto-generated files 9.1.1398: completion: trunc does not follow Pmenu highlighting attributes 9.1.1397: tabpanel not correctly updated on :tabonly 9.1.1396: 'errorformat' is a global option 9.1.1395: search_stat not reset when pattern differs in case 9.1.1394: tabpanel not correctly redrawn on tabonly 9.1.1393: 
missing test for switching buffers and reusing curbuf 9.1.1392: missing patch number 9.1.1391: Vim does not have a vertical tabpanel 9.1.1390: style: more wrong indentation 9.1.1389: completion: still some issue when 'isexpand' contains a space 9.1.1388: Scrolling one line too far with 'nosmoothscroll' page scrolling 9.1.1387: memory leak when buflist_new() fails to reuse curbuf 9.1.1386: MS-Windows: some minor problems building on AARCH64 9.1.1385: inefficient loop for 'nosmoothscroll' scrolling 9.1.1384: still some problem with the new tutors filetype plugin 9.1.1383: completion: 'isexpand' option does not handle space char correct 9.1.1382: if_ruby: unused compiler warnings from ruby internals 9.1.1381: completion: cannot return to original text 9.1.1380: 'eventignorewin' only checked for current buffer 9.1.1379: MS-Windows: error when running evim when space in path 9.1.1378: sign without text overwrites number option 9.1.1377: patch v9.1.1370 causes some GTK warning messages 9.1.1376: quickfix dummy buffer may remain as dummy buffer 9.1.1375: [security]: possible heap UAF with quickfix dummy buffer 9.1.1374: completion: 'smartcase' not respected when filtering matches 9.1.1373: 'completeopt' checking logic can be simplified 9.1.1372: style: braces issues in various files 9.1.1371: style: indentation and brace issues in insexpand.c 9.1.1370: CI Tests favor GTK2 over GTK3 9.1.1369: configure still using autoconf 2.71 9.1.1368: GTK3 and GTK4 will drop numeric cursor support. 
9.1.1367: too many strlen() calls in gui.c 9.1.1366: v9.1.1364 unintentionally changed sign.c and sound.c 9.1.1365: MS-Windows: compile warnings and too many strlen() calls 9.1.1364: style: more indentation issues 9.1.1363: style: inconsistent indentation in various files 9.1.1362: Vim9: type ignored when adding tuple to instance list var 9.1.1361: [security]: possible use-after-free when closing a buffer 9.1.1360: filetype: GNU Radio companion files are not recognized 9.1.1359: filetype: GNU Radio config files are not recognized 9.1.1358: if_lua: compile warnings with gcc15 9.1.1357: Vim incorrectly escapes tags with '[' in a help buffer 9.1.1356: Vim9: crash when unletting variable 9.1.1355: The pum_redraw() function is too complex 9.1.1354: tests: Test_terminalwinscroll_topline() fails on Windows 9.1.1353: missing change from v9.1.1350 9.1.1352: style: inconsistent indent in insexpand.c 9.1.1351: Return value of getcmdline() inconsistent in CmdlineLeavePre 9.1.1350: tests: typo in Test_CmdlineLeavePre_cabbr() 9.1.1349: CmdlineLeavePre may trigger twice 9.1.1348: still E315 with the terminal feature 9.1.1347: small problems with gui_w32.c 9.1.1346: missing out-of-memory check in textformat.c 9.1.1345: tests: Test_xxd_color2() test failure dump diff is misleading 9.1.1344: double free in f_complete_match() (after v9.1.1341) 9.1.1343: filetype: IPython files are not recognized 9.1.1342: Shebang filetype detection can be improved 9.1.1341: cannot define completion triggers 9.1.1340: cannot complete :filetype arguments 9.1.1339: missing out-of-memory checks for enc_to_utf16()/utf16_to_enc() 9.1.1338: Calling expand() interferes with cmdcomplete_info() 9.1.1337: Undo corrupted with 'completeopt' 'preinsert' when switching buffer 9.1.1336: comment plugin does not support case-insensitive 'commentstring' 9.1.1335: Coverity complains about Null pointer dereferences 9.1.1334: Coverity complains about unchecked return value 9.1.1333: Coverity: complains about unutilized 
variable 9.1.1332: Vim9: segfault when using super within a lambda 9.1.1331: Leaking memory with cmdcomplete() 9.1.1330: may receive E315 in terminal 9.1.1329: cannot get information about command line completion 9.1.1328: too many strlen() calls in indent.c 9.1.1327: filetype: nroff detection can be improved 9.1.1326: invalid cursor position after 'tagfunc' 9.1.1325: tests: not checking error numbers properly 9.1.1324: undefined behaviour if X11 connection dies 9.1.1323: b:undo_ftplugin not executed when re-using buffer 9.1.1322: small delete register cannot paste multi-line correctly 9.1.1321: filetype: MS ixx and mpp files are not recognized 9.1.1320: filetype: alsoft config files are not recognized 9.1.1319: Various typos in the code, issue with test_inst_complete.vim 9.1.1318: tests: test_format fails 9.1.1317: noisy error when restoring folds from session fails 9.1.1316: missing memory allocation failure in os_mswin.c 9.1.1315: completion: issue with fuzzy completion and 'completefuzzycollect' 9.1.1314: max allowed string width too small 9.1.1313: compile warning about uninitialized value 9.1.1312: tests: Test_backupskip() fails when HOME is defined 9.1.1311: completion: not possible to limit number of matches 9.1.1310: completion: redundant check for preinsert effect 9.1.1309: tests: no test for 'pummaxwidth' with non-truncated 'kind' 9.1.1308: completion: cannot order matches by distance to cursor 9.1.1307: make syntax does not reliably detect different flavors 9.1.1306: completion menu rendering can be improved 9.1.1305: completion menu active after switching windows/tabs 9.1.1304: filetype: some man files are not recognized 9.1.1303: missing out-of-memory check in linematch.c 9.1.1302: Coverity warns about using uninitialized value 9.1.1301: completion: cannot configure completion functions with 'complete' 9.1.1300: wrong detection of -inf 9.1.1299: filetype: mbsyncrc files are not recognized 9.1.1298: define_function() is too long 9.1.1297: Ctrl-D 
scrolling can get stuck 9.1.1296: completion: incorrect truncation logic 9.1.1295: clientserver: does not handle :stopinsert correctly 9.1.1294: gui tabline menu does not use confirm when closing tabs 9.1.1293: comment plugin does not handle 'exclusive' selection for comment object 9.1.1292: statusline not correctly evaluated 9.1.1291: too many strlen() calls in buffer.c 9.1.1290: tests: missing cleanup in test_filetype.vim 9.1.1289: tests: no test for matchparen plugin with WinScrolled event 9.1.1288: Using wrong window in ll_resize_stack() 9.1.1287: quickfix code can be further improved 9.1.1286: filetype: help files not detected when 'iskeyword' includes ':' 9.1.1285: Vim9: no error message for missing method after 'super.' 9.1.1284: not possible to configure pum truncation char 9.1.1283: quickfix stack is limited to 10 items 9.1.1282: Build and test failure without job feature 9.1.1281: extra newline output when editing stdin 9.1.1280: trailing additional semicolon in get_matches_in_str() 9.1.1279: Vim9: null_object and null_class are no reserved names 9.1.1278: Vim9: too long functions in vim9type.c 9.1.1277: tests: trailing comment char in test_popupwin 9.1.1276: inline word diff treats multibyte chars as word char 9.1.1275: MS-Windows: Not possible to pass additional flags to Make_mvc 9.1.1274: Vim9: no support for object as variable type 9.1.1273: Coverity warns about using uninitialized value 9.1.1272: completion: in keyword completion Ctrl_P cannot go back after Ctrl_N 9.1.1271: filetype: Power Query files are not recognized 9.1.1270: missing out-of-memory checks in buffer.c 9.1.1269: completion: compl_shown_match is updated when starting keyword completion 9.1.1268: filetype: dax files are not recognized 9.1.1267: Vim9: no support for type list/dict> 9.1.1266: MS-Windows: type conversion warnings 9.1.1265: tests: no tests for typing normal char during completion 9.1.1264: Vim9: error when comparing objects 9.1.1263: string length wrong in 
get_last_inserted_save() 9.1.1262: heap-buffer-overflow with narrow 'pummaxwidth' value 9.1.1261: No test for 'pummaxwidth' non-truncated items 9.1.1260: Hang when filtering buffer with NUL bytes 9.1.1259: some issues with comment package and tailing spaces 9.1.1258: regexp: max \U and \%U value is limited by INT_MAX 9.1.1257: Mixing vim_strsize() with mb_ptr2cells() in pum_redraw() 9.1.1256: if_python: duplicate tuple data entries 9.1.1255: missing test condition for 'pummaxwidth' setting 9.1.1254: need more tests for the comment plugin 9.1.1253: abort when closing window with attached quickfix data 9.1.1252: typos in code and docs related to 'diffopt' 'inline:' 9.1.1251: if_python: build error with tuples and dynamic python 9.1.1250: cannot set the maximum popup menu width 9.1.1249: tests: no test that 'listchars' 'eol' doesn't affect 'gM' 9.1.1248: compile error when building without FEAT_QUICKFIX 9.1.1247: fragile setup to get (preferred) keys from key_name_entry 9.1.1246: coverity complains about some changes in v9.1.1243 9.1.1245: need some more tests for curly braces evaluation 9.1.1244: part of patch v9.1.1242 was wrong 9.1.1243: diff mode is lacking for changes within lines 9.1.1242: Crash when evaluating variable name 9.1.1241: wrong preprocessort indentation in term.c 9.1.1240: Regression with ic/ac text objects and comment plugin 9.1.1239: if_python: no tuple data type support 9.1.1238: wrong cursor column with 'set splitkeep=screen' 9.1.1237: Compile error with C89 compiler in term.c 9.1.1236: tests: test_comments leaves swapfiles around 9.1.1235: cproto files are outdated 9.1.1234: Compile error when SIZE_MAX is not defined 9.1.1233: Coverity warns about NULL pointer when triggering WinResized 9.1.1232: Vim script is missing the tuple data type 9.1.1231: filetype: SPA JSON files are not recognized 9.1.1230: inconsistent CTRL-C behaviour for popup windows 9.1.1229: the comment plugin can be improved 9.1.1228: completion: current position column wrong 
after got a match 9.1.1227: no tests for the comment package 9.1.1226: 'shellcmdline' completion doesn't work with input() 9.1.1225: extra NULL check in VIM_CLEAR() 9.1.1224: cannot :put while keeping indent 9.1.1223: wrong translation used for encoding failures 9.1.1222: using wrong length for last inserted string 9.1.1221: Wrong cursor pos when leaving Insert mode just after 'autoindent' 9.1.1220: filetype: uv.lock file not recognized 9.1.1219: Strange error with wrong type for matchfuzzy() 'camelcase' 9.1.1218: missing out-of-memory check in filepath.c 9.1.1217: tests: typos in test_matchfuzzy.vim 9.1.1216: Pasting the '.' register multiple times may not work 9.1.1215: Patch 9.1.1213 has some issues 9.1.1214: matchfuzzy() can be improved for camel case matches 9.1.1213: cannot :put while keeping indent 9.1.1212: too many strlen() calls in edit.c 9.1.1212: filetype: logrotate'd pacmanlogs are not recognized 9.1.1211: TabClosedPre is triggered just before the tab is being freed 9.1.1210: translation(ru): missing Russian translation for the new tutor 9.1.1209: colorcolumn not drawn after virtual text lines 9.1.1208: MS-Windows: not correctly restoring alternate screen on Win 10 9.1.1207: MS-Windows: build warning in filepath.c 9.1.1206: tests: test_filetype fails when a file is a directory 9.1.1205: completion: preinserted text not removed when closing pum 9.1.1204: MS-Windows: crash when passing long string to expand() 9.1.1203: matchparen keeps cursor on case label in sh filetype 9.1.1202: Missing TabClosedPre autocommand 9.1.1201: 'completefuzzycollect' does not handle dictionary correctly 9.1.1200: cmdline pum not cleared for input() completion 9.1.1199: gvim uses hardcoded xpm icon file 9.1.1198: [security]: potential data loss with zip.vim 9.1.1197: process_next_cpt_value() uses wrong condition 9.1.1196: filetype: config files for container tools are not recognized 9.1.1195: inside try-block: fn body executed with default arg undefined 9.1.1194: filetype: 
false positive help filetype detection
  9.1.1193: Unnecessary use of STRCAT() in au_event_disable()
  9.1.1192: Vim crashes with term response debug logging enabled
  9.1.1191: tests: test for patch 9.1.1186 doesn't fail without the patch
  9.1.1190: C indentation does not detect multibyte labels
  9.1.1189: if_python: build error due to incompatible pointer types
  9.1.1188: runtime(tera): tera support can be improved
  9.1.1187: matchparen plugin wrong highlights shell case statement
  9.1.1186: filetype: help files in git repos are not detected
  9.1.1185: endless loop with completefuzzycollect and no match found
  9.1.1184: Unnecessary use of vim_tolower() in vim_strnicmp_asc()
  9.1.1083: 'above' virtual text breaks cursorlineopt=number
  9.1.1182: No cmdline completion for 'completefuzzycollect'
  9.1.1181: Unnecessary STRLEN() calls in insexpand.c
  9.1.1180: short-description
  9.1.1179: too many strlen() calls in misc2.c
  9.1.1178: not possible to generate completion candidates using fuzzy matching
  9.1.1177: filetype: tera files not detected

The following package changes have been done:

- vim-data-common-9.1.1629-1.1 updated
- vim-9.1.1629-1.1 updated
- xxd-9.1.1176-1.1 removed

From sle-container-updates at lists.suse.com Fri Sep 12 07:18:58 2025
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Fri, 12 Sep 2025 09:18:58 +0200 (CEST)
Subject: SUSE-CU-2025:6778-1: Security update of suse/ltss/sle12.5/sles12sp5
Message-ID: <20250912071858.9885FF782@maintenance.suse.de>

SUSE Container Update Advisory: suse/ltss/sle12.5/sles12sp5
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2025:6778-1
Container Tags        : suse/ltss/sle12.5/sles12sp5:8.5.129 , suse/ltss/sle12.5/sles12sp5:latest
Container Release     : 8.5.129
Severity              : important
Type                  : security
References            : 1249191 1249348 CVE-2025-10148 CVE-2025-9086
-----------------------------------------------------------------

The container suse/ltss/sle12.5/sles12sp5 was updated.

The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:3173-1
Released:    Thu Sep 11 14:54:59 2025
Summary:     Security update for curl
Type:        security
Severity:    important
References:  1249191,1249348,CVE-2025-10148,CVE-2025-9086

This update for curl fixes the following issues:

- CVE-2025-9086: bug in path comparison logic when processing cookies can lead to out-of-bounds read in heap buffer (bsc#1249191).
- CVE-2025-10148: predictable websocket mask can lead to proxy cache poisoning by malicious server (bsc#1249348).

The following package changes have been done:

- libcurl4-8.0.1-11.108.1 updated

From sle-container-updates at lists.suse.com Fri Sep 12 07:25:08 2025
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Fri, 12 Sep 2025 09:25:08 +0200 (CEST)
Subject: SUSE-CU-2025:6784-1: Security update of suse/kiosk/firefox-esr
Message-ID: <20250912072508.D0CBFF782@maintenance.suse.de>

SUSE Container Update Advisory: suse/kiosk/firefox-esr
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2025:6784-1
Container Tags        : suse/kiosk/firefox-esr:140.2 , suse/kiosk/firefox-esr:140.2-64.23 , suse/kiosk/firefox-esr:esr , suse/kiosk/firefox-esr:latest
Container Release     : 64.23
Severity              : moderate
Type                  : security
References            : 1246790 CVE-2025-7700
-----------------------------------------------------------------

The container suse/kiosk/firefox-esr was updated.
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:3162-1 Released: Thu Sep 11 11:16:13 2025 Summary: Security update for ffmpeg-4 Type: security Severity: moderate References: 1246790,CVE-2025-7700 This update for ffmpeg-4 fixes the following issues: - CVE-2025-7700: Fixed NULL Pointer Dereference in FFmpeg ALS Decoder (bsc#1246790). The following package changes have been done: - libavutil56_70-4.4.6-150600.13.30.1 updated - libswresample3_9-4.4.6-150600.13.30.1 updated - libavcodec58_134-4.4.6-150600.13.30.1 updated From sle-container-updates at lists.suse.com Fri Sep 12 07:25:21 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Fri, 12 Sep 2025 09:25:21 +0200 (CEST) Subject: SUSE-CU-2025:6785-1: Recommended update of bci/rust Message-ID: <20250912072521.BBBD4F782@maintenance.suse.de> SUSE Container Update Advisory: bci/rust ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:6785-1 Container Tags : bci/rust:1.88 , bci/rust:1.88.0 , bci/rust:1.88.0-2.2.1 , bci/rust:oldstable , bci/rust:oldstable-2.2.1 Container Release : 2.1 Severity : moderate Type : recommended References : ----------------------------------------------------------------- The container bci/rust was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: 39484 Released: Wed Jul 2 17:33:15 2025 Summary: Recommended update for rust, rust1.88 Type: recommended Severity: moderate References: This update for rust fixes the following issues: - Update to version 1.88.0 - for details see the rust1.88 package Version 1.88.0 (2025-06-26) ========================== Language: - Stabilize `#![feature(let_chains)]` in the 2024 edition. 
This feature allows `&&`-chaining `let` statements inside `if` and `while`, allowing intermixture with boolean expressions. The patterns inside the `let` sub-expressions can be irrefutable or refutable. - Stabilize `#![feature(naked_functions)]`. Naked functions allow writing functions with no compiler-generated epilogue and prologue, allowing full control over the generated assembly for a particular function. - Stabilize `#![feature(cfg_boolean_literals)]`. This allows using boolean literals as `cfg` predicates, e.g. `#[cfg(true)]` and `#[cfg(false)]`. - Fully de-stabilize the `#[bench]` attribute. Usage of `#[bench]` without `#![feature(custom_test_frameworks)]` already triggered a deny-by-default future-incompatibility lint since Rust 1.77, but will now become a hard error. - Add warn-by-default `dangerous_implicit_autorefs` lint against implicit autoref of raw pointer dereference. The lint will be bumped to deny-by-default in the next version of Rust. - Add `invalid_null_arguments` lint to prevent invalid usage of null pointers. This lint is uplifted from `clippy::invalid_null_ptr_usage`. - Change trait impl candidate preference for builtin impls and trivial where-clauses. - Check types of generic const parameter defaults Compiler: - Stabilize `-Cdwarf-version` for selecting the version of DWARF debug information to generate. Platform Support: - Demote `i686-pc-windows-gnu` to Tier 2. Refer to Rust's [platform support page][platform-support-doc] for more information on Rust's tiered platform support. [platform-support-doc]: https://doc.rust-lang.org/rustc/platform-support.html Libraries: - Remove backticks from `#[should_panic]` test failure message. - Guarantee that `[T; N]::from_fn` is generated in order of increasing indices, for those passing it a stateful closure. - The libtest flag `--nocapture` is deprecated in favor of the more consistent `--no-capture` flag. - Guarantee that `{float}::NAN` is a quiet NaN. 
Stabilized APIs: - `Cell::update` https://doc.rust-lang.org/stable/std/cell/struct.Cell.html#method.update - `impl Default for *const T` https://doc.rust-lang.org/nightly/std/primitive.pointer.html#impl-Default-for-*const+T - `impl Default for *mut T` https://doc.rust-lang.org/nightly/std/primitive.pointer.html#impl-Default-for-*mut+T - `HashMap::extract_if` https://doc.rust-lang.org/stable/std/collections/struct.HashMap.html#method.extract_if - `HashSet::extract_if` https://doc.rust-lang.org/stable/std/collections/struct.HashSet.html#method.extract_if - `proc_macro::Span::line` https://doc.rust-lang.org/stable/proc_macro/struct.Span.html#method.line - `proc_macro::Span::column` https://doc.rust-lang.org/stable/proc_macro/struct.Span.html#method.column - `proc_macro::Span::start` https://doc.rust-lang.org/stable/proc_macro/struct.Span.html#method.start - `proc_macro::Span::end` https://doc.rust-lang.org/stable/proc_macro/struct.Span.html#method.end - `proc_macro::Span::file` https://doc.rust-lang.org/stable/proc_macro/struct.Span.html#method.file - `proc_macro::Span::local_file` https://doc.rust-lang.org/stable/proc_macro/struct.Span.html#method.local_file These previously stable APIs are now stable in const contexts: - `NonNull::replace` https://doc.rust-lang.org/stable/std/ptr/struct.NonNull.html#method.replace - `<*mut T>::replace` https://doc.rust-lang.org/stable/std/primitive.pointer.html#method.replace - `std::ptr::swap_nonoverlapping` - `Cell::{replace, get, get_mut, from_mut, as_slice_of_cells}` Cargo: - Stabilize automatic garbage collection. - use `zlib-rs` for gzip compression in rust code Rustdoc: - Doctests can be ignored based on target names using `ignore-*` attributes. - Stabilize the `--test-runtool` and `--test-runtool-arg` CLI options to specify a program (like qemu) and its arguments to run a doctest. Compatibility Notes: - Finish changing the internal representation of pasted tokens. 
Certain invalid declarative macros that were previously accepted in obscure circumstances are now correctly rejected by the compiler. Use of a `tt` fragment specifier can often fix these macros. - Fully de-stabilize the `#[bench]` attribute. Usage of `#[bench]` without `#![feature(custom_test_frameworks)]` already triggered a deny-by-default future-incompatibility lint since Rust 1.77, but will now become a hard error. - Fix borrow checking some always-true patterns. The borrow checker was overly permissive in some cases, allowing programs that shouldn't have compiled. - Update the minimum external LLVM to 19. - Make it a hard error to use a vector type with a non-Rust ABI without enabling the required target feature. The following package changes have been done: - rust1.88-1.88.0-150300.7.3.2 added - cargo1.88-1.88.0-150300.7.3.2 added - cargo1.87-1.87.0-150300.7.3.1 removed - rust1.87-1.87.0-150300.7.3.1 removed From sle-container-updates at lists.suse.com Fri Sep 12 07:25:37 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Fri, 12 Sep 2025 09:25:37 +0200 (CEST) Subject: SUSE-CU-2025:6786-1: Recommended update of bci/rust Message-ID: <20250912072537.64910F782@maintenance.suse.de> SUSE Container Update Advisory: bci/rust ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:6786-1 Container Tags : bci/rust:1.89 , bci/rust:1.89.0 , bci/rust:1.89.0-1.2.1 , bci/rust:latest , bci/rust:stable , bci/rust:stable-1.2.1 Container Release : 2.1 Severity : moderate Type : recommended References : ----------------------------------------------------------------- The container bci/rust was updated. 
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:3047-1 Released: Tue Sep 2 15:50:24 2025 Summary: Recommended update for rust, rust1.89 Type: recommended Severity: moderate References: This update for rust, rust1.89 fixes the following issues: This update ships rust1.89: Version 1.89.0 (2025-08-07) ========================== ## Language - Stabilize explicitly inferred const arguments (`feature(generic_arg_infer)`) - Add a warn-by-default `mismatched_lifetime_syntaxes` lint. This lint detects when the same lifetime is referred to by different syntax categories between function arguments and return values, which can be confusing to read, especially in unsafe code. This lint supersedes the warn-by-default `elided_named_lifetimes` lint. - Expand `unpredictable_function_pointer_comparisons` to also lint on function pointer comparisons in external macros - Make the `dangerous_implicit_autorefs` lint deny-by-default - Stabilize the avx512 target features - Stabilize `kl` and `widekl` target features for x86 - Stabilize `sha512`, `sm3` and `sm4` target features for x86 - Stabilize LoongArch target features `f`, `d`, `frecipe`, `lasx`, `lbt`, `lsx`, and `lvz` - Remove `i128` and `u128` from `improper_ctypes_definitions` - Stabilize `repr128` (`#[repr(u128)]`, `#[repr(i128)]`) - Allow `#![doc(test(attr(..)))]` everywhere - Extend temporary lifetime extension to also go through tuple struct and tuple variant constructors - `extern 'C'` functions on the `wasm32-unknown-unknown` target now have a standards compliant ABI https://blog.rust-lang.org/2025/04/04/c-abi-changes-for-wasm32-unknown-unknown/ ## Compiler - Default to non-leaf frame pointers on aarch64-linux - Enable non-leaf frame pointers for Arm64EC Windows - Set Apple frame pointers by architecture ## Platform Support - Add new Tier-3 targets `loongarch32-unknown-none` and `loongarch32-unknown-none-softfloat` - 
`x86_64-apple-darwin` is in the process of being demoted to Tier 2 with host tools Refer to Rust's platform support page for more information on Rust's tiered platform support. [platform-support-doc]: https://doc.rust-lang.org/rustc/platform-support.html ## Libraries - Specify the base path for `file!` - Allow storing `format_args!()` in a variable - Add `#[must_use]` to `[T; N]::map` - Implement `DerefMut` for `Lazy{Cell,Lock}` - Implement `Default` for `array::IntoIter` - Implement `Clone` for `slice::ChunkBy` - Implement `io::Seek` for `io::Take` ## Stabilized APIs - `NonZero` https://doc.rust-lang.org/stable/std/num/struct.NonZero.html - Many intrinsics for x86, not enumerated here - AVX512 intrinsics - `SHA512`, `SM3` and `SM4` intrinsics - `File::lock` https://doc.rust-lang.org/stable/std/fs/struct.File.html#method.lock - `File::lock_shared` https://doc.rust-lang.org/stable/std/fs/struct.File.html#method.lock_shared - `File::try_lock` https://doc.rust-lang.org/stable/std/fs/struct.File.html#method.try_lock - `File::try_lock_shared` https://doc.rust-lang.org/stable/std/fs/struct.File.html#method.try_lock_shared - `File::unlock` https://doc.rust-lang.org/stable/std/fs/struct.File.html#method.unlock - `NonNull::from_ref` https://doc.rust-lang.org/stable/std/ptr/struct.NonNull.html#method.from_ref - `NonNull::from_mut` https://doc.rust-lang.org/stable/std/ptr/struct.NonNull.html#method.from_mut - `NonNull::without_provenance` https://doc.rust-lang.org/stable/std/ptr/struct.NonNull.html#method.without_provenance - `NonNull::with_exposed_provenance` https://doc.rust-lang.org/stable/std/ptr/struct.NonNull.html#method.with_exposed_provenance - `NonNull::expose_provenance` https://doc.rust-lang.org/stable/std/ptr/struct.NonNull.html#method.expose_provenance - `OsString::leak` https://doc.rust-lang.org/stable/std/ffi/struct.OsString.html#method.leak - `PathBuf::leak` https://doc.rust-lang.org/stable/std/path/struct.PathBuf.html#method.leak - `Result::flatten` 
https://doc.rust-lang.org/stable/std/result/enum.Result.html#method.flatten - `std::os::linux::net::TcpStreamExt::quickack` https://doc.rust-lang.org/stable/std/os/linux/net/trait.TcpStreamExt.html#tymethod.quickack - `std::os::linux::net::TcpStreamExt::set_quickack` https://doc.rust-lang.org/stable/std/os/linux/net/trait.TcpStreamExt.html#tymethod.set_quickack These previously stable APIs are now stable in const contexts: - `<[T; N]>::as_mut_slice` https://doc.rust-lang.org/stable/std/primitive.array.html#method.as_mut_slice - `<[u8]>::eq_ignore_ascii_case` https://doc.rust-lang.org/stable/std/primitive.slice.html#impl-%5Bu8%5D/method.eq_ignore_ascii_case - `str::eq_ignore_ascii_case` https://doc.rust-lang.org/stable/std/primitive.str.html#impl-str/method.eq_ignore_ascii_case ## Cargo - `cargo fix` and `cargo clippy --fix` now default to the same Cargo target selection as other build commands. Previously it would apply to all targets (like binaries, examples, tests, etc.). The `--edition` flag still applies to all targets. - Stabilize doctest-xcompile. Doctests are now tested when cross-compiling. Just like other tests, it will use the `runner` setting https://doc.rust-lang.org/cargo/reference/config.html#targettriplerunner to run the tests. If you need to disable tests for a target, you can use the ignore doctest attribute https://doc.rust-lang.org/rustdoc/write-documentation/documentation-tests.html#ignoring-targets to specify the targets to ignore. ## Rustdoc - On mobile, make the sidebar full width and linewrap. This makes long section and item names much easier to deal with on mobile. 
## Compatibility Notes - Make `missing_fragment_specifier` an unconditional error - Enabling the `neon` target feature on `aarch64-unknown-none-softfloat` causes a warning because mixing code with and without that target feature is not properly supported by LLVM - Sized Hierarchy: Part I - Introduces a small breaking change affecting `?Sized` bounds on impls on recursive types which contain associated type projections. It is not expected to affect any existing published crates. Can be fixed by refactoring the involved types or opting into the `sized_hierarchy` unstable feature. See the FCP report for a code example. - The warn-by-default `elided_named_lifetimes` lint is superseded by the warn-by-default `mismatched_lifetime_syntaxes` lint. - Error on recursive opaque types earlier in the type checker - Type inference side effects from requiring element types of array repeat expressions are `Copy` are now only available at the end of type checking - The deprecated accidentally-stable `std::intrinsics::{copy,copy_nonoverlapping,write_bytes}` are now proper intrinsics. There are no debug assertions guarding against UB, and they cannot be coerced to function pointers. 
- Remove long-deprecated `std::intrinsics::drop_in_place` - Make well-formedness predicates no longer coinductive - Remove hack when checking impl method compatibility - Remove unnecessary type inference due to built-in trait object impls - Lint against 'stdcall', 'fastcall', and 'cdecl' on non-x86-32 targets - Future incompatibility warnings relating to the never type (`!`) are now reported in dependencies - Ensure `std::ptr::copy_*` intrinsics also perform the static self-init checks - `extern 'C'` functions on the `wasm32-unknown-unknown` target now have a standards compliant ABI https://blog.rust-lang.org/2025/04/04/c-abi-changes-for-wasm32-unknown-unknown/ ## Internal Changes These changes do not affect any public interfaces of Rust, but they represent significant improvements to the performance or internals of rustc and related tools. - Correctly un-remap compiler sources paths with the `rustc-dev` component The following package changes have been done: - rust1.89-1.89.0-150300.7.3.1 added - cargo1.89-1.89.0-150300.7.3.1 added - cargo1.88-1.88.0-150300.7.3.2 removed - rust1.88-1.88.0-150300.7.3.2 removed From sle-container-updates at lists.suse.com Fri Sep 12 07:25:45 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Fri, 12 Sep 2025 09:25:45 +0200 (CEST) Subject: SUSE-CU-2025:6787-1: Security update of suse/kiosk/xorg-client Message-ID: <20250912072545.3A5DAF782@maintenance.suse.de> SUSE Container Update Advisory: suse/kiosk/xorg-client ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:6787-1 Container Tags : suse/kiosk/xorg-client:21 , suse/kiosk/xorg-client:21-64.19 , suse/kiosk/xorg-client:latest Container Release : 64.19 Severity : moderate Type : security References : 1246790 CVE-2025-7700 ----------------------------------------------------------------- The container suse/kiosk/xorg-client was updated. 
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:3162-1 Released: Thu Sep 11 11:16:13 2025 Summary: Security update for ffmpeg-4 Type: security Severity: moderate References: 1246790,CVE-2025-7700 This update for ffmpeg-4 fixes the following issues: - CVE-2025-7700: Fixed NULL Pointer Dereference in FFmpeg ALS Decoder (bsc#1246790). The following package changes have been done: - libavutil56_70-4.4.6-150600.13.30.1 updated - libswresample3_9-4.4.6-150600.13.30.1 updated - libavcodec58_134-4.4.6-150600.13.30.1 updated From sle-container-updates at lists.suse.com Fri Sep 12 19:15:13 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Fri, 12 Sep 2025 21:15:13 +0200 (CEST) Subject: SUSE-CU-2025:6788-1: Security update of private-registry/harbor-trivy-adapter Message-ID: <20250912191513.D7582F783@maintenance.suse.de> SUSE Container Update Advisory: private-registry/harbor-trivy-adapter ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:6788-1 Container Tags : private-registry/harbor-trivy-adapter:0.33.2 , private-registry/harbor-trivy-adapter:0.33.2-2.37 , private-registry/harbor-trivy-adapter:latest Container Release : 2.37 Severity : important Type : security References : 1228260 1236589 1243397 1243706 1243933 1246197 1249191 1249348 1249367 CVE-2024-6874 CVE-2025-0665 CVE-2025-10148 CVE-2025-4947 CVE-2025-5025 CVE-2025-5399 CVE-2025-9086 ----------------------------------------------------------------- The container private-registry/harbor-trivy-adapter was updated. 
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:3198-1 Released: Fri Sep 12 14:15:08 2025 Summary: Security update for curl Type: security Severity: important References: 1228260,1236589,1243397,1243706,1243933,1246197,1249191,1249348,1249367,CVE-2024-6874,CVE-2025-0665,CVE-2025-10148,CVE-2025-4947,CVE-2025-5025,CVE-2025-5399,CVE-2025-9086 This update for curl fixes the following issues: Update to version 8.14.1 (jsc#PED-13055, jsc#PED-13056). Security issues fixed: - CVE-2025-0665: eventfd double close can cause libcurl to act unreliably (bsc#1236589). - CVE-2025-4947: QUIC certificate check is skipped with wolfSSL allows for MITM attacks (bsc#1243397). - CVE-2025-5025: no QUIC certificate pinning with wolfSSL can lead to connections to impostor servers that are not easily noticed (bsc#1243706). - CVE-2025-5399: bug in websocket code can cause libcurl to get trapped in an endless busy-loop when processing specially crafted packets (bsc#1243933). - CVE-2024-6874: punycode conversions to/from IDN can leak stack content when libcurl is built to use the macidn IDN backend (bsc#1228260). - CVE-2025-9086: bug in path comparison logic when processing cookies can lead to out-of-bounds read in heap buffer (bsc#1249191). - CVE-2025-10148: predictable websocket mask can lead to proxy cache poisoning by malicious server (bsc#1249348). Other issues fixed: - Fix wrong return code when --retry is used (bsc#1249367). * tool_operate: fix return code when --retry is used but not triggered [b42776b] - Fix the --ftp-pasv option in curl v8.14.1 (bsc#1246197). * tool_getparam: fix --ftp-pasv [5f805ee] - Fixed with version 8.14.1: * TLS: add CURLOPT_SSL_SIGNATURE_ALGORITHMS and --sigalgs. * websocket: add option to disable auto-pong reply. * huge number of bugfixes. Please see https://curl.se/ch/ for full changelogs. 
The following package changes have been done: - libcurl4-8.14.1-150600.4.28.1 updated From sle-container-updates at lists.suse.com Fri Sep 12 19:19:43 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Fri, 12 Sep 2025 21:19:43 +0200 (CEST) Subject: SUSE-CU-2025:6789-1: Security update of suse/hpc/warewulf4-x86_64/sle-hpc-node Message-ID: <20250912191943.1DBE1F783@maintenance.suse.de> SUSE Container Update Advisory: suse/hpc/warewulf4-x86_64/sle-hpc-node ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:6789-1 Container Tags : suse/hpc/warewulf4-x86_64/sle-hpc-node:15.6 , suse/hpc/warewulf4-x86_64/sle-hpc-node:15.6.17.8.107 , suse/hpc/warewulf4-x86_64/sle-hpc-node:latest Container Release : 17.8.107 Severity : important Type : security References : 1228260 1236589 1243397 1243706 1243933 1246197 1249191 1249348 1249367 CVE-2024-6874 CVE-2025-0665 CVE-2025-10148 CVE-2025-4947 CVE-2025-5025 CVE-2025-5399 CVE-2025-9086 ----------------------------------------------------------------- The container suse/hpc/warewulf4-x86_64/sle-hpc-node was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:3198-1 Released: Fri Sep 12 14:15:08 2025 Summary: Security update for curl Type: security Severity: important References: 1228260,1236589,1243397,1243706,1243933,1246197,1249191,1249348,1249367,CVE-2024-6874,CVE-2025-0665,CVE-2025-10148,CVE-2025-4947,CVE-2025-5025,CVE-2025-5399,CVE-2025-9086 This update for curl fixes the following issues: Update to version 8.14.1 (jsc#PED-13055, jsc#PED-13056). Security issues fixed: - CVE-2025-0665: eventfd double close can cause libcurl to act unreliably (bsc#1236589). - CVE-2025-4947: QUIC certificate check is skipped with wolfSSL allows for MITM attacks (bsc#1243397). 
- CVE-2025-5025: no QUIC certificate pinning with wolfSSL can lead to connections to impostor servers that are not easily noticed (bsc#1243706). - CVE-2025-5399: bug in websocket code can cause libcurl to get trapped in an endless busy-loop when processing specially crafted packets (bsc#1243933). - CVE-2024-6874: punycode conversions to/from IDN can leak stack content when libcurl is built to use the macidn IDN backend (bsc#1228260). - CVE-2025-9086: bug in path comparison logic when processing cookies can lead to out-of-bounds read in heap buffer (bsc#1249191). - CVE-2025-10148: predictable websocket mask can lead to proxy cache poisoning by malicious server (bsc#1249348). Other issues fixed: - Fix wrong return code when --retry is used (bsc#1249367). * tool_operate: fix return code when --retry is used but not triggered [b42776b] - Fix the --ftp-pasv option in curl v8.14.1 (bsc#1246197). * tool_getparam: fix --ftp-pasv [5f805ee] - Fixed with version 8.14.1: * TLS: add CURLOPT_SSL_SIGNATURE_ALGORITHMS and --sigalgs. * websocket: add option to disable auto-pong reply. * huge number of bugfixes. Please see https://curl.se/ch/ for full changelogs. 
The following package changes have been done: - curl-8.14.1-150600.4.28.1 updated - libcurl4-8.14.1-150600.4.28.1 updated From sle-container-updates at lists.suse.com Fri Sep 12 19:22:30 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Fri, 12 Sep 2025 21:22:30 +0200 (CEST) Subject: SUSE-CU-2025:6790-1: Security update of bci/spack Message-ID: <20250912192230.12126F783@maintenance.suse.de> SUSE Container Update Advisory: bci/spack ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:6790-1 Container Tags : bci/spack:0.23 , bci/spack:0.23.1 , bci/spack:0.23.1-11.55 Container Release : 11.55 Severity : important Type : security References : 1228260 1236589 1243397 1243706 1243933 1246197 1249191 1249348 1249367 CVE-2024-6874 CVE-2025-0665 CVE-2025-10148 CVE-2025-4947 CVE-2025-5025 CVE-2025-5399 CVE-2025-9086 ----------------------------------------------------------------- The container bci/spack was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:3198-1 Released: Fri Sep 12 14:15:08 2025 Summary: Security update for curl Type: security Severity: important References: 1228260,1236589,1243397,1243706,1243933,1246197,1249191,1249348,1249367,CVE-2024-6874,CVE-2025-0665,CVE-2025-10148,CVE-2025-4947,CVE-2025-5025,CVE-2025-5399,CVE-2025-9086 This update for curl fixes the following issues: Update to version 8.14.1 (jsc#PED-13055, jsc#PED-13056). Security issues fixed: - CVE-2025-0665: eventfd double close can cause libcurl to act unreliably (bsc#1236589). - CVE-2025-4947: QUIC certificate check is skipped with wolfSSL allows for MITM attacks (bsc#1243397). - CVE-2025-5025: no QUIC certificate pinning with wolfSSL can lead to connections to impostor servers that are not easily noticed (bsc#1243706). 
- CVE-2025-5399: bug in websocket code can cause libcurl to get trapped in an endless busy-loop when processing specially crafted packets (bsc#1243933). - CVE-2024-6874: punycode conversions to/from IDN can leak stack content when libcurl is built to use the macidn IDN backend (bsc#1228260). - CVE-2025-9086: bug in path comparison logic when processing cookies can lead to out-of-bounds read in heap buffer (bsc#1249191). - CVE-2025-10148: predictable websocket mask can lead to proxy cache poisoning by malicious server (bsc#1249348). Other issues fixed: - Fix wrong return code when --retry is used (bsc#1249367). * tool_operate: fix return code when --retry is used but not triggered [b42776b] - Fix the --ftp-pasv option in curl v8.14.1 (bsc#1246197). * tool_getparam: fix --ftp-pasv [5f805ee] - Fixed with version 8.14.1: * TLS: add CURLOPT_SSL_SIGNATURE_ALGORITHMS and --sigalgs. * websocket: add option to disable auto-pong reply. * huge number of bugfixes. Please see https://curl.se/ch/ for full changelogs. 
The following package changes have been done: - libpsl-devel-0.20.1-150000.3.3.1 added - libidn2-devel-2.2.0-3.6.1 added - libbrotli-devel-1.0.7-3.3.1 added - libbrotlienc1-1.0.7-3.3.1 added - libverto-devel-0.2.6-3.20 added - libcurl4-8.14.1-150600.4.28.1 updated - curl-8.14.1-150600.4.28.1 updated - libnghttp2-devel-1.40.0-150600.23.2 added - cmake-3.28.3-150600.1.1 added - libzstd-devel-1.5.5-150600.1.3 added - libcom_err-devel-1.47.0-150600.4.6.2 added - keyutils-devel-1.6.3-5.6.1 added - libssh-devel-0.9.8-150600.11.3.1 added - krb5-devel-1.20.1-150600.11.11.2 added - libcurl-devel-8.14.1-150600.4.28.1 updated From sle-container-updates at lists.suse.com Fri Sep 12 19:22:56 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Fri, 12 Sep 2025 21:22:56 +0200 (CEST) Subject: SUSE-CU-2025:6792-1: Security update of suse/git Message-ID: <20250912192256.22CB7F783@maintenance.suse.de> SUSE Container Update Advisory: suse/git ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:6792-1 Container Tags : suse/git:2 , suse/git:2.51 , suse/git:2.51.0 , suse/git:2.51.0-61.2 , suse/git:latest Container Release : 61.2 Severity : important Type : security References : 1228260 1236589 1243397 1243706 1243933 1246197 1249191 1249348 1249367 CVE-2024-6874 CVE-2025-0665 CVE-2025-10148 CVE-2025-4947 CVE-2025-5025 CVE-2025-5399 CVE-2025-9086 ----------------------------------------------------------------- The container suse/git was updated. 
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:3198-1 Released: Fri Sep 12 14:15:08 2025 Summary: Security update for curl Type: security Severity: important References: 1228260,1236589,1243397,1243706,1243933,1246197,1249191,1249348,1249367,CVE-2024-6874,CVE-2025-0665,CVE-2025-10148,CVE-2025-4947,CVE-2025-5025,CVE-2025-5399,CVE-2025-9086 This update for curl fixes the following issues: Update to version 8.14.1 (jsc#PED-13055, jsc#PED-13056). Security issues fixed: - CVE-2025-0665: eventfd double close can cause libcurl to act unreliably (bsc#1236589). - CVE-2025-4947: QUIC certificate check is skipped with wolfSSL allows for MITM attacks (bsc#1243397). - CVE-2025-5025: no QUIC certificate pinning with wolfSSL can lead to connections to impostor servers that are not easily noticed (bsc#1243706). - CVE-2025-5399: bug in websocket code can cause libcurl to get trapped in an endless busy-loop when processing specially crafted packets (bsc#1243933). - CVE-2024-6874: punycode conversions to/from IDN can leak stack content when libcurl is built to use the macidn IDN backend (bsc#1228260). - CVE-2025-9086: bug in path comparison logic when processing cookies can lead to out-of-bounds read in heap buffer (bsc#1249191). - CVE-2025-10148: predictable websocket mask can lead to proxy cache poisoning by malicious server (bsc#1249348). Other issues fixed: - Fix wrong return code when --retry is used (bsc#1249367). * tool_operate: fix return code when --retry is used but not triggered [b42776b] - Fix the --ftp-pasv option in curl v8.14.1 (bsc#1246197). * tool_getparam: fix --ftp-pasv [5f805ee] - Fixed with version 8.14.1: * TLS: add CURLOPT_SSL_SIGNATURE_ALGORITHMS and --sigalgs. * websocket: add option to disable auto-pong reply. * huge number of bugfixes. Please see https://curl.se/ch/ for full changelogs. 
The following package changes have been done: - libcurl4-8.14.1-150600.4.28.1 updated From sle-container-updates at lists.suse.com Fri Sep 12 19:23:11 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Fri, 12 Sep 2025 21:23:11 +0200 (CEST) Subject: SUSE-CU-2025:6793-1: Security update of bci/golang Message-ID: <20250912192311.7A0F7F783@maintenance.suse.de> SUSE Container Update Advisory: bci/golang ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:6793-1 Container Tags : bci/golang:1.25 , bci/golang:1.25.1 , bci/golang:1.25.1-1.71.5 , bci/golang:latest , bci/golang:stable , bci/golang:stable-1.71.5 Container Release : 71.5 Severity : important Type : security References : 1228260 1236589 1243397 1243706 1243933 1244485 1246197 1247816 1248082 1249141 1249191 1249348 1249367 CVE-2024-6874 CVE-2025-0665 CVE-2025-10148 CVE-2025-47910 CVE-2025-4947 CVE-2025-5025 CVE-2025-5399 CVE-2025-9086 ----------------------------------------------------------------- The container bci/golang was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:3198-1 Released: Fri Sep 12 14:15:08 2025 Summary: Security update for curl Type: security Severity: important References: 1228260,1236589,1243397,1243706,1243933,1246197,1249191,1249348,1249367,CVE-2024-6874,CVE-2025-0665,CVE-2025-10148,CVE-2025-4947,CVE-2025-5025,CVE-2025-5399,CVE-2025-9086 This update for curl fixes the following issues: Update to version 8.14.1 (jsc#PED-13055, jsc#PED-13056). Security issues fixed: - CVE-2025-0665: eventfd double close can cause libcurl to act unreliably (bsc#1236589). - CVE-2025-4947: QUIC certificate check is skipped with wolfSSL allows for MITM attacks (bsc#1243397). 
- CVE-2025-5025: no QUIC certificate pinning with wolfSSL can lead to connections to impostor servers that are not easily noticed (bsc#1243706). - CVE-2025-5399: bug in websocket code can cause libcurl to get trapped in an endless busy-loop when processing specially crafted packets (bsc#1243933). - CVE-2024-6874: punycode conversions to/from IDN can leak stack content when libcurl is built to use the macidn IDN backend (bsc#1228260). - CVE-2025-9086: bug in path comparison logic when processing cookies can lead to out-of-bounds read in heap buffer (bsc#1249191). - CVE-2025-10148: predictable websocket mask can lead to proxy cache poisoning by malicious server (bsc#1249348). Other issues fixed: - Fix wrong return code when --retry is used (bsc#1249367). * tool_operate: fix return code when --retry is used but not triggered [b42776b] - Fix the --ftp-pasv option in curl v8.14.1 (bsc#1246197). * tool_getparam: fix --ftp-pasv [5f805ee] - Fixed with version 8.14.1: * TLS: add CURLOPT_SSL_SIGNATURE_ALGORITHMS and --sigalgs. * websocket: add option to disable auto-pong reply. * huge number of bugfixes. Please see https://curl.se/ch/ for full changelogs. ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:3200-1 Released: Fri Sep 12 14:22:05 2025 Summary: Security update for go1.25 Type: security Severity: moderate References: 1244485,1247816,1248082,1249141,CVE-2025-47910 This update for go1.25 fixes the following issues: Update to go1.25.1, released 2025-09-03 (bsc#1244485). Security issues fixed: - CVE-2025-47910: net/http: `CrossOriginProtection` insecure bypass patterns not limited to exact matches (bsc#1249141). Other issues fixed: - go#74822 cmd/go: 'get toolchain at latest' should ignore release candidates. - go#74999 net: WriteMsgUDPAddrPort should accept IPv4-mapped IPv6 destination addresses on IPv4 UDP sockets. - go#75008 os/exec: TestLookPath fails on plan9 after CL 685755. 
- go#75021 testing/synctest: bubble not terminating. - go#75083 os: File.Seek doesn't set the correct offset with Windows overlapped handles. The following package changes have been done: - go1.25-doc-1.25.1-150000.1.8.1 updated - libcurl4-8.14.1-150600.4.28.1 updated - curl-8.14.1-150600.4.28.1 updated - go1.25-1.25.1-150000.1.8.1 updated - go1.25-race-1.25.1-150000.1.8.1 updated From sle-container-updates at lists.suse.com Fri Sep 12 19:23:34 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Fri, 12 Sep 2025 21:23:34 +0200 (CEST) Subject: SUSE-CU-2025:6794-1: Security update of bci/kiwi Message-ID: <20250912192334.5D3C7F783@maintenance.suse.de> SUSE Container Update Advisory: bci/kiwi ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:6794-1 Container Tags : bci/kiwi:9 , bci/kiwi:9.24 , bci/kiwi:9.24.43 , bci/kiwi:9.24.43-18.31 , bci/kiwi:latest Container Release : 18.31 Severity : important Type : security References : 1228260 1236589 1243397 1243706 1243933 1246197 1249191 1249348 1249367 CVE-2024-6874 CVE-2025-0665 CVE-2025-10148 CVE-2025-4947 CVE-2025-5025 CVE-2025-5399 CVE-2025-9086 ----------------------------------------------------------------- The container bci/kiwi was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:3198-1 Released: Fri Sep 12 14:15:08 2025 Summary: Security update for curl Type: security Severity: important References: 1228260,1236589,1243397,1243706,1243933,1246197,1249191,1249348,1249367,CVE-2024-6874,CVE-2025-0665,CVE-2025-10148,CVE-2025-4947,CVE-2025-5025,CVE-2025-5399,CVE-2025-9086 This update for curl fixes the following issues: Update to version 8.14.1 (jsc#PED-13055, jsc#PED-13056). Security issues fixed: - CVE-2025-0665: eventfd double close can cause libcurl to act unreliably (bsc#1236589). 
- CVE-2025-4947: QUIC certificate check is skipped with wolfSSL allows for MITM attacks (bsc#1243397). - CVE-2025-5025: no QUIC certificate pinning with wolfSSL can lead to connections to impostor servers that are not easily noticed (bsc#1243706). - CVE-2025-5399: bug in websocket code can cause libcurl to get trapped in an endless busy-loop when processing specially crafted packets (bsc#1243933). - CVE-2024-6874: punycode conversions to/from IDN can leak stack content when libcurl is built to use the macidn IDN backend (bsc#1228260). - CVE-2025-9086: bug in patch comparison logic when processing cookies can lead to out-of-bounds read in heap buffer (bsc#1249191). - CVE-2025-10148: predictable websocket mask can lead to proxy cache poisoning by malicious server (bsc#1249348). Other issues fixed: - Fix wrong return code when --retry is used (bsc#1249367). * tool_operate: fix return code when --retry is used but not triggered [b42776b] - Fix the --ftp-pasv option in curl v8.14.1 (bsc#1246197). * tool_getparam: fix --ftp-pasv [5f805ee] - Fixed with version 8.14.1: * TLS: add CURLOPT_SSL_SIGNATURE_ALGORITHMS and --sigalgs. * websocket: add option to disable auto-pong reply. * huge number of bugfixes. Please see https://curl.se/ch/ for full changelogs. 
The following package changes have been done: - libcurl4-8.14.1-150600.4.28.1 updated - curl-8.14.1-150600.4.28.1 updated From sle-container-updates at lists.suse.com Fri Sep 12 19:23:56 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Fri, 12 Sep 2025 21:23:56 +0200 (CEST) Subject: SUSE-CU-2025:6795-1: Security update of bci/spack Message-ID: <20250912192356.C496FF783@maintenance.suse.de> SUSE Container Update Advisory: bci/spack ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:6795-1 Container Tags : bci/spack:0.23 , bci/spack:0.23.1 , bci/spack:0.23.1-15.21 , bci/spack:latest Container Release : 15.21 Severity : important Type : security References : 1228260 1236589 1243397 1243706 1243933 1246197 1249191 1249348 1249367 CVE-2024-6874 CVE-2025-0665 CVE-2025-10148 CVE-2025-4947 CVE-2025-5025 CVE-2025-5399 CVE-2025-9086 ----------------------------------------------------------------- The container bci/spack was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:3198-1 Released: Fri Sep 12 14:15:08 2025 Summary: Security update for curl Type: security Severity: important References: 1228260,1236589,1243397,1243706,1243933,1246197,1249191,1249348,1249367,CVE-2024-6874,CVE-2025-0665,CVE-2025-10148,CVE-2025-4947,CVE-2025-5025,CVE-2025-5399,CVE-2025-9086 This update for curl fixes the following issues: Update to version 8.14.1 (jsc#PED-13055, jsc#PED-13056). Security issues fixed: - CVE-2025-0665: eventfd double close can cause libcurl to act unreliably (bsc#1236589). - CVE-2025-4947: QUIC certificate check is skipped with wolfSSL allows for MITM attacks (bsc#1243397). - CVE-2025-5025: no QUIC certificate pinning with wolfSSL can lead to connections to impostor servers that are not easily noticed (bsc#1243706). 
- CVE-2025-5399: bug in websocket code can cause libcurl to get trapped in an endless busy-loop when processing specially crafted packets (bsc#1243933). - CVE-2024-6874: punycode conversions to/from IDN can leak stack content when libcurl is built to use the macidn IDN backend (bsc#1228260). - CVE-2025-9086: bug in patch comparison logic when processing cookies can lead to out-of-bounds read in heap buffer (bsc#1249191). - CVE-2025-10148: predictable websocket mask can lead to proxy cache poisoning by malicious server (bsc#1249348). Other issues fixed: - Fix wrong return code when --retry is used (bsc#1249367). * tool_operate: fix return code when --retry is used but not triggered [b42776b] - Fix the --ftp-pasv option in curl v8.14.1 (bsc#1246197). * tool_getparam: fix --ftp-pasv [5f805ee] - Fixed with version 8.14.1: * TLS: add CURLOPT_SSL_SIGNATURE_ALGORITHMS and --sigalgs. * websocket: add option to disable auto-pong reply. * huge number of bugfixes. Please see https://curl.se/ch/ for full changelogs. 
The following package changes have been done: - libverto-devel-0.2.6-3.20 added - libpsl-devel-0.20.1-150000.3.3.1 added - libidn2-devel-2.2.0-3.6.1 added - libbrotli-devel-1.0.7-3.3.1 added - libbrotlienc1-1.0.7-3.3.1 added - libcurl4-8.14.1-150600.4.28.1 updated - curl-8.14.1-150600.4.28.1 updated - libnghttp2-devel-1.64.0-150700.1.5 added - cmake-3.28.3-150600.1.1 added - libzstd-devel-1.5.7-150700.1.2 added - libcom_err-devel-1.47.0-150600.4.6.2 added - keyutils-devel-1.6.3-5.6.1 added - libssh-devel-0.9.8-150600.11.3.1 added - krb5-devel-1.20.1-150600.11.11.2 added - libcurl-devel-8.14.1-150600.4.28.1 updated From sle-container-updates at lists.suse.com Sat Sep 13 07:07:22 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Sat, 13 Sep 2025 09:07:22 +0200 (CEST) Subject: SUSE-CU-2025:6798-1: Security update of suse/sle15 Message-ID: <20250913070722.E9A2FF783@maintenance.suse.de> SUSE Container Update Advisory: suse/sle15 ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:6798-1 Container Tags : bci/bci-base:15.7 , bci/bci-base:15.7-5.8.30 , bci/bci-base:latest , suse/sle15:15.7 , suse/sle15:15.7-5.8.30 , suse/sle15:latest Container Release : 5.8.30 Severity : important Type : security References : 1228260 1236589 1243397 1243706 1243933 1246197 1249191 1249348 1249367 CVE-2024-6874 CVE-2025-0665 CVE-2025-10148 CVE-2025-4947 CVE-2025-5025 CVE-2025-5399 CVE-2025-9086 ----------------------------------------------------------------- The container suse/sle15 was updated. 
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:3198-1 Released: Fri Sep 12 14:15:08 2025 Summary: Security update for curl Type: security Severity: important References: 1228260,1236589,1243397,1243706,1243933,1246197,1249191,1249348,1249367,CVE-2024-6874,CVE-2025-0665,CVE-2025-10148,CVE-2025-4947,CVE-2025-5025,CVE-2025-5399,CVE-2025-9086 This update for curl fixes the following issues: Update to version 8.14.1 (jsc#PED-13055, jsc#PED-13056). Security issues fixed: - CVE-2025-0665: eventfd double close can cause libcurl to act unreliably (bsc#1236589). - CVE-2025-4947: QUIC certificate check is skipped with wolfSSL allows for MITM attacks (bsc#1243397). - CVE-2025-5025: no QUIC certificate pinning with wolfSSL can lead to connections to impostor servers that are not easily noticed (bsc#1243706). - CVE-2025-5399: bug in websocket code can cause libcurl to get trapped in an endless busy-loop when processing specially crafted packets (bsc#1243933). - CVE-2024-6874: punycode conversions to/from IDN can leak stack content when libcurl is built to use the macidn IDN backend (bsc#1228260). - CVE-2025-9086: bug in patch comparison logic when processing cookies can lead to out-of-bounds read in heap buffer (bsc#1249191). - CVE-2025-10148: predictable websocket mask can lead to proxy cache poisoning by malicious server (bsc#1249348). Other issues fixed: - Fix wrong return code when --retry is used (bsc#1249367). * tool_operate: fix return code when --retry is used but not triggered [b42776b] - Fix the --ftp-pasv option in curl v8.14.1 (bsc#1246197). * tool_getparam: fix --ftp-pasv [5f805ee] - Fixed with version 8.14.1: * TLS: add CURLOPT_SSL_SIGNATURE_ALGORITHMS and --sigalgs. * websocket: add option to disable auto-pong reply. * huge number of bugfixes. Please see https://curl.se/ch/ for full changelogs. 
The following package changes have been done: - curl-8.14.1-150600.4.28.1 updated - libcurl4-8.14.1-150600.4.28.1 updated From sle-container-updates at lists.suse.com Mon Sep 15 14:51:01 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Mon, 15 Sep 2025 16:51:01 +0200 (CEST) Subject: SUSE-CU-2025:6801-1: Security update of suse/sle15 Message-ID: <20250915145101.E5209F783@maintenance.suse.de> SUSE Container Update Advisory: suse/sle15 ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:6801-1 Container Tags : bci/bci-base:15.6 , bci/bci-base:15.6.47.23.29 , suse/sle15:15.6 , suse/sle15:15.6.47.23.29 Container Release : 47.23.29 Severity : important Type : security References : 1228260 1236589 1243397 1243706 1243933 1246197 1249191 1249348 1249367 CVE-2024-6874 CVE-2025-0665 CVE-2025-10148 CVE-2025-4947 CVE-2025-5025 CVE-2025-5399 CVE-2025-9086 ----------------------------------------------------------------- The container suse/sle15 was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:3198-1 Released: Fri Sep 12 14:15:08 2025 Summary: Security update for curl Type: security Severity: important References: 1228260,1236589,1243397,1243706,1243933,1246197,1249191,1249348,1249367,CVE-2024-6874,CVE-2025-0665,CVE-2025-10148,CVE-2025-4947,CVE-2025-5025,CVE-2025-5399,CVE-2025-9086 This update for curl fixes the following issues: Update to version 8.14.1 (jsc#PED-13055, jsc#PED-13056). Security issues fixed: - CVE-2025-0665: eventfd double close can cause libcurl to act unreliably (bsc#1236589). - CVE-2025-4947: QUIC certificate check is skipped with wolfSSL allows for MITM attacks (bsc#1243397). - CVE-2025-5025: no QUIC certificate pinning with wolfSSL can lead to connections to impostor servers that are not easily noticed (bsc#1243706). 
- CVE-2025-5399: bug in websocket code can cause libcurl to get trapped in an endless busy-loop when processing specially crafted packets (bsc#1243933). - CVE-2024-6874: punycode conversions to/from IDN can leak stack content when libcurl is built to use the macidn IDN backend (bsc#1228260). - CVE-2025-9086: bug in patch comparison logic when processing cookies can lead to out-of-bounds read in heap buffer (bsc#1249191). - CVE-2025-10148: predictable websocket mask can lead to proxy cache poisoning by malicious server (bsc#1249348). Other issues fixed: - Fix wrong return code when --retry is used (bsc#1249367). * tool_operate: fix return code when --retry is used but not triggered [b42776b] - Fix the --ftp-pasv option in curl v8.14.1 (bsc#1246197). * tool_getparam: fix --ftp-pasv [5f805ee] - Fixed with version 8.14.1: * TLS: add CURLOPT_SSL_SIGNATURE_ALGORITHMS and --sigalgs. * websocket: add option to disable auto-pong reply. * huge number of bugfixes. Please see https://curl.se/ch/ for full changelogs. The following package changes have been done: - curl-8.14.1-150600.4.28.1 updated - libcurl4-8.14.1-150600.4.28.1 updated From sle-container-updates at lists.suse.com Mon Sep 15 14:51:46 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Mon, 15 Sep 2025 16:51:46 +0200 (CEST) Subject: SUSE-CU-2025:6802-1: Recommended update of suse/389-ds Message-ID: <20250915145146.97160F783@maintenance.suse.de> SUSE Container Update Advisory: suse/389-ds ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:6802-1 Container Tags : suse/389-ds:2.5 , suse/389-ds:2.5.3 , suse/389-ds:2.5.3-62.27 , suse/389-ds:latest Container Release : 62.27 Severity : important Type : recommended References : 1246081 ----------------------------------------------------------------- The container suse/389-ds was updated. 
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:3216-1 Released: Mon Sep 15 08:37:40 2025 Summary: Recommended update for Type: recommended Severity: important References: 1246081 This update for fixes the following issues: - Add lmdb binary into Basesystem 15-SP6 and 15-SP7 (bsc#1246081) The following package changes have been done: - liblmdb-0_9_30-0.9.30-150500.3.2.1 updated - container:registry.suse.com-bci-bci-base-15.7-7509e7e16dfdc2ba3eb2a7409a432209c89350947682a3713af951a95da4b936-0 updated From sle-container-updates at lists.suse.com Mon Sep 15 14:47:58 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Mon, 15 Sep 2025 16:47:58 +0200 (CEST) Subject: SUSE-CU-2025:6800-1: Security update of bci/nodejs Message-ID: <20250915144758.257CAF782@maintenance.suse.de> SUSE Container Update Advisory: bci/nodejs ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:6800-1 Container Tags : bci/node:20 , bci/node:20.19.2 , bci/node:20.19.2-55.27 , bci/nodejs:20 , bci/nodejs:20.19.2 , bci/nodejs:20.19.2-55.27 Container Release : 55.27 Severity : important Type : security References : 1228260 1236589 1243397 1243706 1243933 1246197 1249191 1249348 1249367 CVE-2024-6874 CVE-2025-0665 CVE-2025-10148 CVE-2025-4947 CVE-2025-5025 CVE-2025-5399 CVE-2025-9086 ----------------------------------------------------------------- The container bci/nodejs was updated. 
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:3198-1 Released: Fri Sep 12 14:15:08 2025 Summary: Security update for curl Type: security Severity: important References: 1228260,1236589,1243397,1243706,1243933,1246197,1249191,1249348,1249367,CVE-2024-6874,CVE-2025-0665,CVE-2025-10148,CVE-2025-4947,CVE-2025-5025,CVE-2025-5399,CVE-2025-9086 This update for curl fixes the following issues: Update to version 8.14.1 (jsc#PED-13055, jsc#PED-13056). Security issues fixed: - CVE-2025-0665: eventfd double close can cause libcurl to act unreliably (bsc#1236589). - CVE-2025-4947: QUIC certificate check is skipped with wolfSSL allows for MITM attacks (bsc#1243397). - CVE-2025-5025: no QUIC certificate pinning with wolfSSL can lead to connections to impostor servers that are not easily noticed (bsc#1243706). - CVE-2025-5399: bug in websocket code can cause libcurl to get trapped in an endless busy-loop when processing specially crafted packets (bsc#1243933). - CVE-2024-6874: punycode conversions to/from IDN can leak stack content when libcurl is built to use the macidn IDN backend (bsc#1228260). - CVE-2025-9086: bug in patch comparison logic when processing cookies can lead to out-of-bounds read in heap buffer (bsc#1249191). - CVE-2025-10148: predictable websocket mask can lead to proxy cache poisoning by malicious server (bsc#1249348). Other issues fixed: - Fix wrong return code when --retry is used (bsc#1249367). * tool_operate: fix return code when --retry is used but not triggered [b42776b] - Fix the --ftp-pasv option in curl v8.14.1 (bsc#1246197). * tool_getparam: fix --ftp-pasv [5f805ee] - Fixed with version 8.14.1: * TLS: add CURLOPT_SSL_SIGNATURE_ALGORITHMS and --sigalgs. * websocket: add option to disable auto-pong reply. * huge number of bugfixes. Please see https://curl.se/ch/ for full changelogs. 
The following package changes have been done: - libcurl4-8.14.1-150600.4.28.1 updated - curl-8.14.1-150600.4.28.1 updated From sle-container-updates at lists.suse.com Mon Sep 15 14:54:22 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Mon, 15 Sep 2025 16:54:22 +0200 (CEST) Subject: SUSE-CU-2025:6809-1: Security update of bci/gcc Message-ID: <20250915145423.00401F782@maintenance.suse.de> SUSE Container Update Advisory: bci/gcc ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:6809-1 Container Tags : bci/gcc:14 , bci/gcc:14.3 , bci/gcc:14.3-11.23 , bci/gcc:latest Container Release : 11.23 Severity : important Type : security References : 1228260 1236589 1243397 1243706 1243933 1246197 1249191 1249348 1249367 CVE-2024-6874 CVE-2025-0665 CVE-2025-10148 CVE-2025-4947 CVE-2025-5025 CVE-2025-5399 CVE-2025-9086 ----------------------------------------------------------------- The container bci/gcc was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:3198-1 Released: Fri Sep 12 14:15:08 2025 Summary: Security update for curl Type: security Severity: important References: 1228260,1236589,1243397,1243706,1243933,1246197,1249191,1249348,1249367,CVE-2024-6874,CVE-2025-0665,CVE-2025-10148,CVE-2025-4947,CVE-2025-5025,CVE-2025-5399,CVE-2025-9086 This update for curl fixes the following issues: Update to version 8.14.1 (jsc#PED-13055, jsc#PED-13056). Security issues fixed: - CVE-2025-0665: eventfd double close can cause libcurl to act unreliably (bsc#1236589). - CVE-2025-4947: QUIC certificate check is skipped with wolfSSL allows for MITM attacks (bsc#1243397). - CVE-2025-5025: no QUIC certificate pinning with wolfSSL can lead to connections to impostor servers that are not easily noticed (bsc#1243706). 
- CVE-2025-5399: bug in websocket code can cause libcurl to get trapped in an endless busy-loop when processing specially crafted packets (bsc#1243933). - CVE-2024-6874: punycode conversions to/from IDN can leak stack content when libcurl is built to use the macidn IDN backend (bsc#1228260). - CVE-2025-9086: bug in patch comparison logic when processing cookies can lead to out-of-bounds read in heap buffer (bsc#1249191). - CVE-2025-10148: predictable websocket mask can lead to proxy cache poisoning by malicious server (bsc#1249348). Other issues fixed: - Fix wrong return code when --retry is used (bsc#1249367). * tool_operate: fix return code when --retry is used but not triggered [b42776b] - Fix the --ftp-pasv option in curl v8.14.1 (bsc#1246197). * tool_getparam: fix --ftp-pasv [5f805ee] - Fixed with version 8.14.1: * TLS: add CURLOPT_SSL_SIGNATURE_ALGORITHMS and --sigalgs. * websocket: add option to disable auto-pong reply. * huge number of bugfixes. Please see https://curl.se/ch/ for full changelogs. 
The following package changes have been done: - libcurl4-8.14.1-150600.4.28.1 updated - curl-8.14.1-150600.4.28.1 updated - container:registry.suse.com-bci-bci-base-15.7-7509e7e16dfdc2ba3eb2a7409a432209c89350947682a3713af951a95da4b936-0 updated From sle-container-updates at lists.suse.com Mon Sep 15 14:54:46 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Mon, 15 Sep 2025 16:54:46 +0200 (CEST) Subject: SUSE-CU-2025:6810-1: Security update of bci/golang Message-ID: <20250915145446.39A84F782@maintenance.suse.de> SUSE Container Update Advisory: bci/golang ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:6810-1 Container Tags : bci/golang:1.25-openssl , bci/golang:1.25.0-openssl , bci/golang:1.25.0-openssl-74.4 , bci/golang:latest , bci/golang:stable-openssl , bci/golang:stable-openssl-74.4 Container Release : 74.4 Severity : important Type : security References : 1228260 1236589 1243397 1243706 1243933 1244485 1246118 1246197 1247719 1247720 1247816 1248082 1249191 1249348 1249367 CVE-2024-6874 CVE-2025-0665 CVE-2025-10148 CVE-2025-4674 CVE-2025-47906 CVE-2025-47907 CVE-2025-4947 CVE-2025-5025 CVE-2025-5399 CVE-2025-9086 ----------------------------------------------------------------- The container bci/golang was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:3161-1 Released: Thu Sep 11 11:15:47 2025 Summary: Security update for go1.25-openssl Type: security Severity: important References: 1244485,1246118,1247719,1247720,1247816,1248082,CVE-2025-4674,CVE-2025-47906,CVE-2025-47907 This update for go1.25-openssl fixes the following issues: Update to version 1.25.0 cut from the go1.25-fips-release branch at the revision tagged go1.25.0-1-openssl-fips. 
( jsc#SLE-18320 ) * Rebase to 1.25.0 * Fix HKDF-Extract The latest OpenSSL in c9s/c10s requires nil salt to be passed as a hash length buffer of zeros. go1.25 (released 2025-08-12) is a major release of Go. go1.25.x minor releases will be provided through August 2026. https://github.com/golang/go/wiki/Go-Release-Cycle go1.25 arrives six months after Go 1.24. Most of its changes are in the implementation of the toolchain, runtime, and libraries. As always, the release maintains the Go 1 promise of compatibility. We expect almost all Go programs to continue to compile and run as before. ( bsc#1244485 go1.25 release tracking ) * Language changes: There are no language changes that affect Go programs in Go 1.25. However, in the language specification the notion of core types has been removed in favor of dedicated prose. See the respective blog post for more information. * go command: The go build -asan option now defaults to doing leak detection at program exit. This will report an error if memory allocated by C is not freed and is not referenced by any other memory allocated by either C or Go. These new error reports may be disabled by setting ASAN_OPTIONS=detect_leaks=0 in the environment when running the program. * go command: The Go distribution will include fewer prebuilt tool binaries. Core toolchain binaries such as the compiler and linker will still be included, but tools not invoked by build or test operations will be built and run by go tool as needed. * go command: The new go.mod ignore directive can be used to specify directories the go command should ignore. Files in these directories and their subdirectories will be ignored by the go command when matching package patterns, such as all or ./..., but will still be included in module zip files. * go command: The new go doc -http option will start a documentation server showing documentation for the requested object, and open the documentation in a browser window.
* go command: The new go version -m -json option will print the JSON encodings of the runtime/debug.BuildInfo structures embedded in the given Go binary files. * go command: The go command now supports using a subdirectory of a repository as the path for a module root, when resolving a module path using the syntax to indicate that the root-path corresponds to the subdir of the repo-url with version control system vcs. * go command: The new work package pattern matches all packages in the work (formerly called main) modules: either the single work module in module mode or the set of workspace modules in workspace mode. * go command: When the go command updates the go line in a go.mod or go.work file, it no longer adds a toolchain line specifying the command's current version. * go vet: The go vet command includes new analyzers: * go vet: waitgroup reports misplaced calls to sync.WaitGroup.Add; * go vet: hostport reports uses of fmt.Sprintf('%s:%d', host, port) to construct addresses for net.Dial, as these will not work with IPv6; instead it suggests using net.JoinHostPort. * Runtime: Container-aware GOMAXPROCS. The default behavior of the GOMAXPROCS has changed. In prior versions of Go, GOMAXPROCS defaults to the number of logical CPUs available at startup (runtime.NumCPU). Go 1.25 introduces two changes: On Linux, the runtime considers the CPU bandwidth limit of the cgroup containing the process, if any. If the CPU bandwidth limit is lower than the number of logical CPUs available, GOMAXPROCS will default to the lower limit. In container runtime systems like Kubernetes, cgroup CPU bandwidth limits generally correspond to the "CPU limit" option. The Go runtime does not consider the "CPU requests" option. On all OSes, the runtime periodically updates GOMAXPROCS if the number of logical CPUs available or the cgroup CPU bandwidth limit change.
Both of these behaviors are automatically disabled if GOMAXPROCS is set manually via the GOMAXPROCS environment variable or a call to runtime.GOMAXPROCS. They can also be disabled explicitly with the GODEBUG settings containermaxprocs=0 and updatemaxprocs=0, respectively. In order to support reading updated cgroup limits, the runtime will keep cached file descriptors for the cgroup files for the duration of the process lifetime. * Runtime: garbage collector: A new garbage collector is now available as an experiment. This garbage collector's design improves the performance of marking and scanning small objects through better locality and CPU scalability. Benchmark results vary, but we expect somewhere between a 10–40% reduction in garbage collection overhead in real-world programs that heavily use the garbage collector. The new garbage collector may be enabled by setting GOEXPERIMENT=greenteagc at build time. We expect the design to continue to evolve and improve. To that end, we encourage Go developers to try it out and report back their experiences. See the GitHub issue for more details on the design and instructions for sharing feedback. * Runtime: trace flight recorder: Runtime execution traces have long provided a powerful, but expensive way to understand and debug the low-level behavior of an application. Unfortunately, because of their size and the cost of continuously writing an execution trace, they were generally impractical for debugging rare events. The new runtime/trace.FlightRecorder API provides a lightweight way to capture a runtime execution trace by continuously recording the trace into an in-memory ring buffer. When a significant event occurs, a program can call FlightRecorder.WriteTo to snapshot the last few seconds of the trace to a file. This approach produces a much smaller trace by enabling applications to capture only the traces that matter.
The length of time and amount of data captured by a FlightRecorder may be configured within the FlightRecorderConfig. * Runtime: Change to unhandled panic output: The message printed when a program exits due to an unhandled panic that was recovered and repanicked no longer repeats the text of the panic value. * Runtime: VMA names on Linux: On Linux systems with kernel support for anonymous virtual memory area (VMA) names (CONFIG_ANON_VMA_NAME), the Go runtime will annotate anonymous memory mappings with context about their purpose. e.g., [anon: Go: heap] for heap memory. This can be disabled with the GODEBUG setting decoratemappings=0. * Compiler: nil pointer bug: This release fixes a compiler bug, introduced in Go 1.21, that could incorrectly delay nil pointer checks. * Compiler: DWARF5 support: The compiler and linker in Go 1.25 now generate debug information using DWARF version 5. The newer DWARF version reduces the space required for debugging information in Go binaries, and reduces the time for linking, especially for large Go binaries. DWARF 5 generation can be disabled by setting the environment variable GOEXPERIMENT=nodwarf5 at build time (this fallback may be removed in a future Go release). * Compiler: Faster slices: The compiler can now allocate the backing store for slices on the stack in more situations, which improves performance. This change has the potential to amplify the effects of incorrect unsafe.Pointer usage, see for example issue 73199. In order to track down these problems, the bisect tool can be used to find the allocation causing trouble using the -compile=variablemake flag. All such new stack allocations can also be turned off using -gcflags=all=-d=variablemakehash=n. * Linker: The linker now accepts a -funcalign=N command line option, which specifies the alignment of function entries. The default value is platform-dependent, and is unchanged in this release. 
* Standard library: testing/synctest: The new testing/synctest package provides support for testing concurrent code. This package was first available in Go 1.24 under GOEXPERIMENT=synctest, with a slightly different API. The experiment has now graduated to general availability. The old API is still present if GOEXPERIMENT=synctest is set, but will be removed in Go 1.26. * Standard library: testing/synctest: The Test function runs a test function in an isolated "bubble". Within the bubble, time is virtualized: time package functions operate on a fake clock and the clock moves forward instantaneously if all goroutines in the bubble are blocked. * Standard library: testing/synctest: The Wait function waits for all goroutines in the current bubble to block. * Standard library: encoding/json/v2: Go 1.25 includes a new, experimental JSON implementation, which can be enabled by setting the environment variable GOEXPERIMENT=jsonv2 at build time. When enabled, two new packages are available: The encoding/json/v2 package is a major revision of the encoding/json package. The encoding/json/jsontext package provides lower-level processing of JSON syntax. In addition, when the "jsonv2" GOEXPERIMENT is enabled: The encoding/json package uses the new JSON implementation. Marshaling and unmarshaling behavior is unaffected, but the text of errors returned by package functions may change. The encoding/json package contains a number of new options which may be used to configure the marshaler and unmarshaler. The new implementation performs substantially better than the existing one under many scenarios. In general, encoding performance is at parity between the implementations and decoding is substantially faster in the new one. See the github.com/go-json-experiment/jsonbench repository for more detailed analysis. We encourage users of encoding/json to test their programs with GOEXPERIMENT=jsonv2 enabled to help detect any compatibility issues with the new implementation.
We expect the design of encoding/json/v2 to continue to evolve. We encourage developers to try out the new API and provide feedback on the proposal issue. * archive/tar: The Writer.AddFS implementation now supports symbolic links for filesystems that implement io/fs.ReadLinkFS. * encoding/asn1: Unmarshal and UnmarshalWithParams now parse the ASN.1 types T61String and BMPString more consistently. This may result in some previously accepted malformed encodings now being rejected. * crypto: MessageSigner is a new signing interface that can be implemented by signers that wish to hash the message to be signed themselves. A new function is also introduced, SignMessage, which attempts to upgrade a Signer interface to MessageSigner, using the MessageSigner.SignMessage method if successful, and Signer.Sign if not. This can be used when code wishes to support both Signer and MessageSigner. * crypto: Changing the fips140 GODEBUG setting after the program has started is now a no-op. Previously, it was documented as not allowed, and could cause a panic if changed. * crypto: SHA-1, SHA-256, and SHA-512 are now slower on amd64 when AVX2 instructions are not available. All server processors (and most others) produced since 2015 support AVX2. * crypto/ecdsa: The new ParseRawPrivateKey, ParseUncompressedPublicKey, PrivateKey.Bytes, and PublicKey.Bytes functions and methods implement low-level encodings, replacing the need to use crypto/elliptic or math/big functions and methods. * crypto/ecdsa: When FIPS 140-3 mode is enabled, signing is now four times faster, matching the performance of non-FIPS mode. * crypto/ed25519: When FIPS 140-3 mode is enabled, signing is now four times faster, matching the performance of non-FIPS mode. * crypto/elliptic: The hidden and undocumented Inverse and CombinedMult methods on some Curve implementations have been removed. * crypto/rsa: PublicKey no longer claims that the modulus value is treated as secret. 
VerifyPKCS1v15 and VerifyPSS already warned that all inputs are public and could be leaked, and there are mathematical attacks that can recover the modulus from other public values. * crypto/rsa: Key generation is now three times faster. * crypto/sha1: Hashing is now two times faster on amd64 when SHA-NI instructions are available. * crypto/sha3: The new SHA3.Clone method implements hash.Cloner. * crypto/sha3: Hashing is now two times faster on Apple M processors. * crypto/tls: The new ConnectionState.CurveID field exposes the key exchange mechanism used to establish the connection. * crypto/tls: The new Config.GetEncryptedClientHelloKeys callback can be used to set the EncryptedClientHelloKeys for a server to use when a client sends an Encrypted Client Hello extension. * crypto/tls: SHA-1 signature algorithms are now disallowed in TLS 1.2 handshakes, per RFC 9155. They can be re-enabled with the GODEBUG setting tlssha1=1. * crypto/tls: When FIPS 140-3 mode is enabled, Extended Master Secret is now required in TLS 1.2, and Ed25519 and X25519MLKEM768 are now allowed. * crypto/tls: TLS servers now prefer the highest supported protocol version, even if it isn't the client's most preferred protocol version. * crypto/tls: Both TLS clients and servers are now stricter in following the specifications and in rejecting off-spec behavior. Connections with compliant peers should be unaffected. * crypto/x509: CreateCertificate, CreateCertificateRequest, and CreateRevocationList can now accept a crypto.MessageSigner signing interface as well as crypto.Signer. This allows these functions to use signers which implement "one-shot" signing interfaces, where hashing is done as part of the signing operation, instead of by the caller. * crypto/x509: CreateCertificate now uses truncated SHA-256 to populate the SubjectKeyId if it is missing. The GODEBUG setting x509sha256skid=0 reverts to SHA-1.
* crypto/x509: ParseCertificate now rejects certificates which contain a BasicConstraints extension that contains a negative pathLenConstraint. * crypto/x509: ParseCertificate now handles strings encoded with the ASN.1 T61String and BMPString types more consistently. This may result in some previously accepted malformed encodings now being rejected. * debug/elf: The debug/elf package adds two new constants: PT_RISCV_ATTRIBUTES and SHT_RISCV_ATTRIBUTES for RISC-V ELF parsing. * go/ast: The FilterPackage, PackageExports, and MergePackageFiles functions, and the MergeMode type and its constants, are all deprecated, as they are for use only with the long-deprecated Object and Package machinery. * go/ast: The new PreorderStack function, like Inspect, traverses a syntax tree and provides control over descent into subtrees, but as a convenience it also provides the stack of enclosing nodes at each point. * go/parser: The ParseDir function is deprecated. * go/token: The new FileSet.AddExistingFiles method enables existing Files to be added to a FileSet, or a FileSet to be constructed for an arbitrary set of Files, alleviating the problems associated with a single global FileSet in long-lived applications. * go/types: Var now has a Var.Kind method that classifies the variable as one of: package-level, receiver, parameter, result, local variable, or a struct field. * go/types: The new LookupSelection function looks up the field or method of a given name and receiver type, like the existing LookupFieldOrMethod function, but returns the result in the form of a Selection. * hash: The new XOF interface can be implemented by "extendable output functions", which are hash functions with arbitrary or unlimited output length such as SHAKE. * hash: Hashes implementing the new Cloner interface can return a copy of their state. All standard library Hash implementations now implement Cloner. * hash/maphash: The new Hash.Clone method implements hash.Cloner.
* io/fs: A new ReadLinkFS interface provides the ability to read symbolic links in a filesystem. * log/slog: GroupAttrs creates a group Attr from a slice of Attr values. * log/slog: Record now has a Source method, returning its source location or nil if unavailable. * mime/multipart: The new helper function FileContentDisposition builds multipart Content-Disposition header fields. * net: LookupMX and Resolver.LookupMX now return DNS names that look like valid IP addresses, as well as valid domain names. Previously if a name server returned an IP address as a DNS name, LookupMX would discard it, as required by the RFCs. However, name servers in practice do sometimes return IP addresses. * net: On Windows, ListenMulticastUDP now supports IPv6 addresses. * net: On Windows, it is now possible to convert between an os.File and a network connection. Specifically, the FileConn, FilePacketConn, and FileListener functions are now implemented, and return a network connection or listener corresponding to an open file. Similarly, the File methods of TCPConn, UDPConn, UnixConn, IPConn, TCPListener, and UnixListener are now implemented, and return the underlying os.File of a network connection. * net/http: The new CrossOriginProtection implements protections against Cross-Site Request Forgery (CSRF) by rejecting non-safe cross-origin browser requests. It uses modern browser Fetch metadata, doesn't require tokens or cookies, and supports origin-based and pattern-based bypasses. * os: On Windows, NewFile now supports handles opened for asynchronous I/O (that is, syscall.FILE_FLAG_OVERLAPPED is specified in the syscall.CreateFile call). These handles are associated with the Go runtime's I/O completion port, which provides the following benefits for the resulting File: I/O methods (File.Read, File.Write, File.ReadAt, and File.WriteAt) do not block an OS thread. Deadline methods (File.SetDeadline, File.SetReadDeadline, and File.SetWriteDeadline) are supported.
This enhancement is especially beneficial for applications that communicate via named pipes on Windows. Note that a handle can only be associated with one completion port at a time. If the handle provided to NewFile is already associated with a completion port, the returned File is downgraded to synchronous I/O mode. In this case, I/O methods will block an OS thread, and the deadline methods have no effect. * os: The filesystems returned by DirFS and Root.FS implement the new io/fs.ReadLinkFS interface. CopyFS supports symlinks when copying filesystems that implement io/fs.ReadLinkFS. The Root type supports the following additional methods: Root.Chmod, Root.Chown, Root.Chtimes, Root.Lchown, Root.Link, Root.MkdirAll, Root.ReadFile, Root.Readlink, Root.RemoveAll, Root.Rename, Root.Symlink, and Root.WriteFile. * reflect: The new TypeAssert function permits converting a Value directly to a Go value of the given type. This is like using a type assertion on the result of Value.Interface, but avoids unnecessary memory allocations. * regexp/syntax: The \p{name} and \P{name} character class syntaxes now accept the names Any, ASCII, Assigned, Cn, and LC, as well as Unicode category aliases like \p{Letter} for \pL. Following Unicode TR18, they also now use case-insensitive name lookups, ignoring spaces, underscores, and hyphens. * runtime: Cleanup functions scheduled by AddCleanup are now executed concurrently and in parallel, making cleanups more viable for heavy use like the unique package. Note that individual cleanups should still shunt their work to a new goroutine if they must execute or block for a long time to avoid blocking the cleanup queue. * runtime: A new GODEBUG=checkfinalizers=1 setting helps find common issues with finalizers and cleanups, such as those described in the GC guide. 
In this mode, the runtime runs diagnostics on each garbage collection cycle, and will also regularly report the finalizer and cleanup queue lengths to stderr to help identify issues with long-running finalizers and/or cleanups. See the GODEBUG documentation for more details. * runtime: The new SetDefaultGOMAXPROCS function sets GOMAXPROCS to the runtime default value, as if the GOMAXPROCS environment variable is not set. This is useful for enabling the new GOMAXPROCS default if it has been disabled by the GOMAXPROCS environment variable or a prior call to GOMAXPROCS. * runtime/pprof: The mutex profile for contention on runtime-internal locks now correctly points to the end of the critical section that caused the delay. This matches the profile's behavior for contention on sync.Mutex values. The runtimecontentionstacks setting for GODEBUG, which allowed opting in to the unusual behavior of Go 1.22 through 1.24 for this part of the profile, is now gone. * sync: The new WaitGroup.Go method makes the common pattern of creating and counting goroutines more convenient. * testing: The new methods T.Attr, B.Attr, and F.Attr emit an attribute to the test log. An attribute is an arbitrary key and value associated with a test. * testing: With the -json flag, attributes appear as a new "attr" action. * testing: The new Output method of T, B and F provides an io.Writer that writes to the same test output stream as TB.Log. Like TB.Log, the output is indented, but it does not include the file and line number. * testing: The AllocsPerRun function now panics if parallel tests are running. The result of AllocsPerRun is inherently flaky if other tests are running. The new panicking behavior helps catch such bugs. * testing/fstest: MapFS implements the new io/fs.ReadLinkFS interface. TestFS will verify the functionality of the io/fs.ReadLinkFS interface if implemented. TestFS will no longer follow symlinks to avoid unbounded recursion.
* unicode: The new CategoryAliases map provides access to category alias names, such as "Letter" for "L". * unicode: The new categories Cn and LC define unassigned codepoints and cased letters, respectively. These have always been defined by Unicode but were inadvertently omitted in earlier versions of Go. The C category now includes Cn, meaning it has added all unassigned code points. * unique: The unique package now reclaims interned values more eagerly, more efficiently, and in parallel. As a consequence, applications using Make are now less likely to experience memory blow-up when lots of truly unique values are interned. * unique: Values passed to Make containing Handles previously required multiple garbage collection cycles to collect, proportional to the depth of the chain of Handle values. Now, once unused, they are collected promptly in a single cycle. * Darwin port: As announced in the Go 1.24 release notes, Go 1.25 requires macOS 12 Monterey or later. Support for previous versions has been discontinued. * Windows port: Go 1.25 is the last release that contains the broken 32-bit windows/arm port (GOOS=windows GOARCH=arm). It will be removed in Go 1.26. * Loong64 port: The linux/loong64 port now supports the race detector, gathering traceback information from C code using runtime.SetCgoTraceback, and linking cgo programs with the internal link mode. * RISC-V port: The linux/riscv64 port now supports the plugin build mode. * RISC-V port: The GORISCV64 environment variable now accepts a new value rva23u64, which selects the RVA23U64 user-mode application profile. Fixed during development: * go#74466 bsc#1247719 security: fix CVE-2025-47906 os/exec: LookPath bug: incorrect expansion of '', '.' and '..'
in some PATH configurations * go#74831 bsc#1247720 security: fix CVE-2025-47907 database/sql: incorrect results returned from Rows.Scan CVE-2025-4674 * go#74380 bsc#1246118 security: fix CVE-2025-4674 cmd/go: disable support for multiple vcs in one module ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:3198-1 Released: Fri Sep 12 14:15:08 2025 Summary: Security update for curl Type: security Severity: important References: 1228260,1236589,1243397,1243706,1243933,1246197,1249191,1249348,1249367,CVE-2024-6874,CVE-2025-0665,CVE-2025-10148,CVE-2025-4947,CVE-2025-5025,CVE-2025-5399,CVE-2025-9086 This update for curl fixes the following issues: Update to version 8.14.1 (jsc#PED-13055, jsc#PED-13056). Security issues fixed: - CVE-2025-0665: eventfd double close can cause libcurl to act unreliably (bsc#1236589). - CVE-2025-4947: QUIC certificate check is skipped with wolfSSL allows for MITM attacks (bsc#1243397). - CVE-2025-5025: no QUIC certificate pinning with wolfSSL can lead to connections to impostor servers that are not easily noticed (bsc#1243706). - CVE-2025-5399: bug in websocket code can cause libcurl to get trapped in an endless busy-loop when processing specially crafted packets (bsc#1243933). - CVE-2024-6874: punycode conversions to/from IDN can leak stack content when libcurl is built to use the macidn IDN backend (bsc#1228260). - CVE-2025-9086: bug in patch comparison logic when processing cookies can lead to out-of-bounds read in heap buffer (bsc#1249191). - CVE-2025-10148: predictable websocket mask can lead to proxy cache poisoning by malicious server (bsc#1249348). Other issues fixed: - Fix wrong return code when --retry is used (bsc#1249367). * tool_operate: fix return code when --retry is used but not triggered [b42776b] - Fix the --ftp-pasv option in curl v8.14.1 (bsc#1246197). * tool_getparam: fix --ftp-pasv [5f805ee] - Fixed with version 8.14.1: * TLS: add CURLOPT_SSL_SIGNATURE_ALGORITHMS and --sigalgs. 
* websocket: add option to disable auto-pong reply. * huge number of bugfixes. Please see https://curl.se/ch/ for full changelogs. The following package changes have been done: - libcurl4-8.14.1-150600.4.28.1 updated - curl-8.14.1-150600.4.28.1 updated - go1.25-openssl-doc-1.25.0-150600.13.3.1 added - go1.25-openssl-1.25.0-150600.13.3.1 added - go1.25-openssl-race-1.25.0-150600.13.3.1 added - container:registry.suse.com-bci-bci-base-15.7-7509e7e16dfdc2ba3eb2a7409a432209c89350947682a3713af951a95da4b936-0 updated - go1.24-openssl-1.24.6-150600.13.9.1 removed - go1.24-openssl-doc-1.24.6-150600.13.9.1 removed - go1.24-openssl-race-1.24.6-150600.13.9.1 removed From sle-container-updates at lists.suse.com Mon Sep 15 14:55:41 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Mon, 15 Sep 2025 16:55:41 +0200 (CEST) Subject: SUSE-CU-2025:6813-1: Security update of suse/kiosk/firefox-esr Message-ID: <20250915145541.8F78CF782@maintenance.suse.de> SUSE Container Update Advisory: suse/kiosk/firefox-esr ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:6813-1 Container Tags : suse/kiosk/firefox-esr:140.2 , suse/kiosk/firefox-esr:140.2-64.26 , suse/kiosk/firefox-esr:esr , suse/kiosk/firefox-esr:latest Container Release : 64.26 Severity : important Type : security References : 1228260 1236589 1243397 1243706 1243933 1246197 1249191 1249348 1249367 CVE-2024-6874 CVE-2025-0665 CVE-2025-10148 CVE-2025-4947 CVE-2025-5025 CVE-2025-5399 CVE-2025-9086 ----------------------------------------------------------------- The container suse/kiosk/firefox-esr was updated. 
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:3198-1 Released: Fri Sep 12 14:15:08 2025 Summary: Security update for curl Type: security Severity: important References: 1228260,1236589,1243397,1243706,1243933,1246197,1249191,1249348,1249367,CVE-2024-6874,CVE-2025-0665,CVE-2025-10148,CVE-2025-4947,CVE-2025-5025,CVE-2025-5399,CVE-2025-9086 This update for curl fixes the following issues: Update to version 8.14.1 (jsc#PED-13055, jsc#PED-13056). Security issues fixed: - CVE-2025-0665: eventfd double close can cause libcurl to act unreliably (bsc#1236589). - CVE-2025-4947: QUIC certificate check is skipped with wolfSSL allows for MITM attacks (bsc#1243397). - CVE-2025-5025: no QUIC certificate pinning with wolfSSL can lead to connections to impostor servers that are not easily noticed (bsc#1243706). - CVE-2025-5399: bug in websocket code can cause libcurl to get trapped in an endless busy-loop when processing specially crafted packets (bsc#1243933). - CVE-2024-6874: punycode conversions to/from IDN can leak stack content when libcurl is built to use the macidn IDN backend (bsc#1228260). - CVE-2025-9086: bug in patch comparison logic when processing cookies can lead to out-of-bounds read in heap buffer (bsc#1249191). - CVE-2025-10148: predictable websocket mask can lead to proxy cache poisoning by malicious server (bsc#1249348). Other issues fixed: - Fix wrong return code when --retry is used (bsc#1249367). * tool_operate: fix return code when --retry is used but not triggered [b42776b] - Fix the --ftp-pasv option in curl v8.14.1 (bsc#1246197). * tool_getparam: fix --ftp-pasv [5f805ee] - Fixed with version 8.14.1: * TLS: add CURLOPT_SSL_SIGNATURE_ALGORITHMS and --sigalgs. * websocket: add option to disable auto-pong reply. * huge number of bugfixes. Please see https://curl.se/ch/ for full changelogs. 
The following package changes have been done: - libcurl4-8.14.1-150600.4.28.1 updated - container:suse-sle15-15.7-7509e7e16dfdc2ba3eb2a7409a432209c89350947682a3713af951a95da4b936-0 updated From sle-container-updates at lists.suse.com Mon Sep 15 14:55:55 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Mon, 15 Sep 2025 16:55:55 +0200 (CEST) Subject: SUSE-CU-2025:6814-1: Security update of bci/nodejs Message-ID: <20250915145555.7C716F782@maintenance.suse.de> SUSE Container Update Advisory: bci/nodejs ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:6814-1 Container Tags : bci/node:22 , bci/node:22.15.1 , bci/node:22.15.1-10.24 , bci/node:latest , bci/nodejs:22 , bci/nodejs:22.15.1 , bci/nodejs:22.15.1-10.24 , bci/nodejs:latest Container Release : 10.24 Severity : important Type : security References : 1228260 1236589 1243397 1243706 1243933 1246197 1249191 1249348 1249367 CVE-2024-6874 CVE-2025-0665 CVE-2025-10148 CVE-2025-4947 CVE-2025-5025 CVE-2025-5399 CVE-2025-9086 ----------------------------------------------------------------- The container bci/nodejs was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:3198-1 Released: Fri Sep 12 14:15:08 2025 Summary: Security update for curl Type: security Severity: important References: 1228260,1236589,1243397,1243706,1243933,1246197,1249191,1249348,1249367,CVE-2024-6874,CVE-2025-0665,CVE-2025-10148,CVE-2025-4947,CVE-2025-5025,CVE-2025-5399,CVE-2025-9086 This update for curl fixes the following issues: Update to version 8.14.1 (jsc#PED-13055, jsc#PED-13056). Security issues fixed: - CVE-2025-0665: eventfd double close can cause libcurl to act unreliably (bsc#1236589). - CVE-2025-4947: QUIC certificate check is skipped with wolfSSL allows for MITM attacks (bsc#1243397). 
- CVE-2025-5025: no QUIC certificate pinning with wolfSSL can lead to connections to impostor servers that are not easily noticed (bsc#1243706). - CVE-2025-5399: bug in websocket code can cause libcurl to get trapped in an endless busy-loop when processing specially crafted packets (bsc#1243933). - CVE-2024-6874: punycode conversions to/from IDN can leak stack content when libcurl is built to use the macidn IDN backend (bsc#1228260). - CVE-2025-9086: bug in patch comparison logic when processing cookies can lead to out-of-bounds read in heap buffer (bsc#1249191). - CVE-2025-10148: predictable websocket mask can lead to proxy cache poisoning by malicious server (bsc#1249348). Other issues fixed: - Fix wrong return code when --retry is used (bsc#1249367). * tool_operate: fix return code when --retry is used but not triggered [b42776b] - Fix the --ftp-pasv option in curl v8.14.1 (bsc#1246197). * tool_getparam: fix --ftp-pasv [5f805ee] - Fixed with version 8.14.1: * TLS: add CURLOPT_SSL_SIGNATURE_ALGORITHMS and --sigalgs. * websocket: add option to disable auto-pong reply. * huge number of bugfixes. Please see https://curl.se/ch/ for full changelogs. 
The following package changes have been done: - libcurl4-8.14.1-150600.4.28.1 updated - curl-8.14.1-150600.4.28.1 updated - container:registry.suse.com-bci-bci-base-15.7-7509e7e16dfdc2ba3eb2a7409a432209c89350947682a3713af951a95da4b936-0 updated From sle-container-updates at lists.suse.com Mon Sep 15 14:56:37 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Mon, 15 Sep 2025 16:56:37 +0200 (CEST) Subject: SUSE-CU-2025:6816-1: Security update of bci/openjdk Message-ID: <20250915145637.7DC0FF782@maintenance.suse.de> SUSE Container Update Advisory: bci/openjdk ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:6816-1 Container Tags : bci/openjdk:17 , bci/openjdk:17.0.16.0 , bci/openjdk:17.0.16.0-8.24 Container Release : 8.24 Severity : important Type : security References : 1228260 1236589 1243397 1243706 1243933 1246197 1249191 1249348 1249367 CVE-2024-6874 CVE-2025-0665 CVE-2025-10148 CVE-2025-4947 CVE-2025-5025 CVE-2025-5399 CVE-2025-9086 ----------------------------------------------------------------- The container bci/openjdk was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:3198-1 Released: Fri Sep 12 14:15:08 2025 Summary: Security update for curl Type: security Severity: important References: 1228260,1236589,1243397,1243706,1243933,1246197,1249191,1249348,1249367,CVE-2024-6874,CVE-2025-0665,CVE-2025-10148,CVE-2025-4947,CVE-2025-5025,CVE-2025-5399,CVE-2025-9086 This update for curl fixes the following issues: Update to version 8.14.1 (jsc#PED-13055, jsc#PED-13056). Security issues fixed: - CVE-2025-0665: eventfd double close can cause libcurl to act unreliably (bsc#1236589). - CVE-2025-4947: QUIC certificate check is skipped with wolfSSL allows for MITM attacks (bsc#1243397). 
- CVE-2025-5025: no QUIC certificate pinning with wolfSSL can lead to connections to impostor servers that are not easily noticed (bsc#1243706). - CVE-2025-5399: bug in websocket code can cause libcurl to get trapped in an endless busy-loop when processing specially crafted packets (bsc#1243933). - CVE-2024-6874: punycode conversions to/from IDN can leak stack content when libcurl is built to use the macidn IDN backend (bsc#1228260). - CVE-2025-9086: bug in patch comparison logic when processing cookies can lead to out-of-bounds read in heap buffer (bsc#1249191). - CVE-2025-10148: predictable websocket mask can lead to proxy cache poisoning by malicious server (bsc#1249348). Other issues fixed: - Fix wrong return code when --retry is used (bsc#1249367). * tool_operate: fix return code when --retry is used but not triggered [b42776b] - Fix the --ftp-pasv option in curl v8.14.1 (bsc#1246197). * tool_getparam: fix --ftp-pasv [5f805ee] - Fixed with version 8.14.1: * TLS: add CURLOPT_SSL_SIGNATURE_ALGORITHMS and --sigalgs. * websocket: add option to disable auto-pong reply. * huge number of bugfixes. Please see https://curl.se/ch/ for full changelogs. 
The following package changes have been done: - libcurl4-8.14.1-150600.4.28.1 updated - curl-8.14.1-150600.4.28.1 updated - container:registry.suse.com-bci-bci-base-15.7-7509e7e16dfdc2ba3eb2a7409a432209c89350947682a3713af951a95da4b936-0 updated From sle-container-updates at lists.suse.com Mon Sep 15 14:57:14 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Mon, 15 Sep 2025 16:57:14 +0200 (CEST) Subject: SUSE-CU-2025:6818-1: Security update of bci/openjdk Message-ID: <20250915145714.76CCEF782@maintenance.suse.de> SUSE Container Update Advisory: bci/openjdk ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:6818-1 Container Tags : bci/openjdk:21 , bci/openjdk:21.0.8.0 , bci/openjdk:21.0.8.0-11.24 , bci/openjdk:latest Container Release : 11.24 Severity : important Type : security References : 1228260 1236589 1243397 1243706 1243933 1246197 1249191 1249348 1249367 CVE-2024-6874 CVE-2025-0665 CVE-2025-10148 CVE-2025-4947 CVE-2025-5025 CVE-2025-5399 CVE-2025-9086 ----------------------------------------------------------------- The container bci/openjdk was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:3198-1 Released: Fri Sep 12 14:15:08 2025 Summary: Security update for curl Type: security Severity: important References: 1228260,1236589,1243397,1243706,1243933,1246197,1249191,1249348,1249367,CVE-2024-6874,CVE-2025-0665,CVE-2025-10148,CVE-2025-4947,CVE-2025-5025,CVE-2025-5399,CVE-2025-9086 This update for curl fixes the following issues: Update to version 8.14.1 (jsc#PED-13055, jsc#PED-13056). Security issues fixed: - CVE-2025-0665: eventfd double close can cause libcurl to act unreliably (bsc#1236589). - CVE-2025-4947: QUIC certificate check is skipped with wolfSSL allows for MITM attacks (bsc#1243397). 
- CVE-2025-5025: no QUIC certificate pinning with wolfSSL can lead to connections to impostor servers that are not easily noticed (bsc#1243706). - CVE-2025-5399: bug in websocket code can cause libcurl to get trapped in an endless busy-loop when processing specially crafted packets (bsc#1243933). - CVE-2024-6874: punycode conversions to/from IDN can leak stack content when libcurl is built to use the macidn IDN backend (bsc#1228260). - CVE-2025-9086: bug in patch comparison logic when processing cookies can lead to out-of-bounds read in heap buffer (bsc#1249191). - CVE-2025-10148: predictable websocket mask can lead to proxy cache poisoning by malicious server (bsc#1249348). Other issues fixed: - Fix wrong return code when --retry is used (bsc#1249367). * tool_operate: fix return code when --retry is used but not triggered [b42776b] - Fix the --ftp-pasv option in curl v8.14.1 (bsc#1246197). * tool_getparam: fix --ftp-pasv [5f805ee] - Fixed with version 8.14.1: * TLS: add CURLOPT_SSL_SIGNATURE_ALGORITHMS and --sigalgs. * websocket: add option to disable auto-pong reply. * huge number of bugfixes. Please see https://curl.se/ch/ for full changelogs. 
The following package changes have been done: - libcurl4-8.14.1-150600.4.28.1 updated - curl-8.14.1-150600.4.28.1 updated - container:registry.suse.com-bci-bci-base-15.7-7509e7e16dfdc2ba3eb2a7409a432209c89350947682a3713af951a95da4b936-0 updated From sle-container-updates at lists.suse.com Mon Sep 15 14:57:30 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Mon, 15 Sep 2025 16:57:30 +0200 (CEST) Subject: SUSE-CU-2025:6819-1: Security update of bci/php-apache Message-ID: <20250915145730.BACFDF782@maintenance.suse.de> SUSE Container Update Advisory: bci/php-apache ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:6819-1 Container Tags : bci/php-apache:8 , bci/php-apache:8.3.23 , bci/php-apache:8.3.23-12.25 , bci/php-apache:latest Container Release : 12.25 Severity : important Type : security References : 1228260 1236589 1243397 1243706 1243933 1246197 1249191 1249348 1249367 CVE-2024-6874 CVE-2025-0665 CVE-2025-10148 CVE-2025-4947 CVE-2025-5025 CVE-2025-5399 CVE-2025-9086 ----------------------------------------------------------------- The container bci/php-apache was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:3198-1 Released: Fri Sep 12 14:15:08 2025 Summary: Security update for curl Type: security Severity: important References: 1228260,1236589,1243397,1243706,1243933,1246197,1249191,1249348,1249367,CVE-2024-6874,CVE-2025-0665,CVE-2025-10148,CVE-2025-4947,CVE-2025-5025,CVE-2025-5399,CVE-2025-9086 This update for curl fixes the following issues: Update to version 8.14.1 (jsc#PED-13055, jsc#PED-13056). Security issues fixed: - CVE-2025-0665: eventfd double close can cause libcurl to act unreliably (bsc#1236589). - CVE-2025-4947: QUIC certificate check is skipped with wolfSSL allows for MITM attacks (bsc#1243397). 
- CVE-2025-5025: no QUIC certificate pinning with wolfSSL can lead to connections to impostor servers that are not easily noticed (bsc#1243706). - CVE-2025-5399: bug in websocket code can cause libcurl to get trapped in an endless busy-loop when processing specially crafted packets (bsc#1243933). - CVE-2024-6874: punycode conversions to/from IDN can leak stack content when libcurl is built to use the macidn IDN backend (bsc#1228260). - CVE-2025-9086: bug in patch comparison logic when processing cookies can lead to out-of-bounds read in heap buffer (bsc#1249191). - CVE-2025-10148: predictable websocket mask can lead to proxy cache poisoning by malicious server (bsc#1249348). Other issues fixed: - Fix wrong return code when --retry is used (bsc#1249367). * tool_operate: fix return code when --retry is used but not triggered [b42776b] - Fix the --ftp-pasv option in curl v8.14.1 (bsc#1246197). * tool_getparam: fix --ftp-pasv [5f805ee] - Fixed with version 8.14.1: * TLS: add CURLOPT_SSL_SIGNATURE_ALGORITHMS and --sigalgs. * websocket: add option to disable auto-pong reply. * huge number of bugfixes. Please see https://curl.se/ch/ for full changelogs. 
The following package changes have been done: - libcurl4-8.14.1-150600.4.28.1 updated - container:registry.suse.com-bci-bci-base-15.7-7509e7e16dfdc2ba3eb2a7409a432209c89350947682a3713af951a95da4b936-0 updated From sle-container-updates at lists.suse.com Mon Sep 15 14:57:48 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Mon, 15 Sep 2025 16:57:48 +0200 (CEST) Subject: SUSE-CU-2025:6820-1: Security update of bci/php-fpm Message-ID: <20250915145748.18C38F782@maintenance.suse.de> SUSE Container Update Advisory: bci/php-fpm ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:6820-1 Container Tags : bci/php-fpm:8 , bci/php-fpm:8.3.23 , bci/php-fpm:8.3.23-12.24 , bci/php-fpm:latest Container Release : 12.24 Severity : important Type : security References : 1228260 1236589 1243397 1243706 1243933 1246197 1249191 1249348 1249367 CVE-2024-6874 CVE-2025-0665 CVE-2025-10148 CVE-2025-4947 CVE-2025-5025 CVE-2025-5399 CVE-2025-9086 ----------------------------------------------------------------- The container bci/php-fpm was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:3198-1 Released: Fri Sep 12 14:15:08 2025 Summary: Security update for curl Type: security Severity: important References: 1228260,1236589,1243397,1243706,1243933,1246197,1249191,1249348,1249367,CVE-2024-6874,CVE-2025-0665,CVE-2025-10148,CVE-2025-4947,CVE-2025-5025,CVE-2025-5399,CVE-2025-9086 This update for curl fixes the following issues: Update to version 8.14.1 (jsc#PED-13055, jsc#PED-13056). Security issues fixed: - CVE-2025-0665: eventfd double close can cause libcurl to act unreliably (bsc#1236589). - CVE-2025-4947: QUIC certificate check is skipped with wolfSSL allows for MITM attacks (bsc#1243397). 
- CVE-2025-5025: no QUIC certificate pinning with wolfSSL can lead to connections to impostor servers that are not easily noticed (bsc#1243706). - CVE-2025-5399: bug in websocket code can cause libcurl to get trapped in an endless busy-loop when processing specially crafted packets (bsc#1243933). - CVE-2024-6874: punycode conversions to/from IDN can leak stack content when libcurl is built to use the macidn IDN backend (bsc#1228260). - CVE-2025-9086: bug in patch comparison logic when processing cookies can lead to out-of-bounds read in heap buffer (bsc#1249191). - CVE-2025-10148: predictable websocket mask can lead to proxy cache poisoning by malicious server (bsc#1249348). Other issues fixed: - Fix wrong return code when --retry is used (bsc#1249367). * tool_operate: fix return code when --retry is used but not triggered [b42776b] - Fix the --ftp-pasv option in curl v8.14.1 (bsc#1246197). * tool_getparam: fix --ftp-pasv [5f805ee] - Fixed with version 8.14.1: * TLS: add CURLOPT_SSL_SIGNATURE_ALGORITHMS and --sigalgs. * websocket: add option to disable auto-pong reply. * huge number of bugfixes. Please see https://curl.se/ch/ for full changelogs. 
The following package changes have been done:

- libcurl4-8.14.1-150600.4.28.1 updated
- container:registry.suse.com-bci-bci-base-15.7-7509e7e16dfdc2ba3eb2a7409a432209c89350947682a3713af951a95da4b936-0 updated

From sle-container-updates at lists.suse.com Mon Sep 15 14:58:07 2025
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Mon, 15 Sep 2025 16:58:07 +0200 (CEST)
Subject: SUSE-CU-2025:6821-1: Security update of bci/php
Message-ID: <20250915145807.2F4E3F782@maintenance.suse.de>

SUSE Container Update Advisory: bci/php
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2025:6821-1
Container Tags : bci/php:8 , bci/php:8.3.23 , bci/php:8.3.23-12.21 , bci/php:latest
Container Release : 12.21
Severity : important
Type : security
References : 1228260 1236589 1243397 1243706 1243933 1246197 1249191 1249348 1249367 CVE-2024-6874 CVE-2025-0665 CVE-2025-10148 CVE-2025-4947 CVE-2025-5025 CVE-2025-5399 CVE-2025-9086
-----------------------------------------------------------------

The container bci/php was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:3198-1
Released: Fri Sep 12 14:15:08 2025
Summary: Security update for curl
Type: security
Severity: important
References: 1228260,1236589,1243397,1243706,1243933,1246197,1249191,1249348,1249367,CVE-2024-6874,CVE-2025-0665,CVE-2025-10148,CVE-2025-4947,CVE-2025-5025,CVE-2025-5399,CVE-2025-9086

This update for curl fixes the following issues:

Update to version 8.14.1 (jsc#PED-13055, jsc#PED-13056).

Security issues fixed:

- CVE-2025-0665: eventfd double close can cause libcurl to act unreliably (bsc#1236589).
- CVE-2025-4947: QUIC certificate check is skipped with wolfSSL allows for MITM attacks (bsc#1243397).
- CVE-2025-5025: no QUIC certificate pinning with wolfSSL can lead to connections to impostor servers that are not easily noticed (bsc#1243706).
- CVE-2025-5399: bug in websocket code can cause libcurl to get trapped in an endless busy-loop when processing specially crafted packets (bsc#1243933).
- CVE-2024-6874: punycode conversions to/from IDN can leak stack content when libcurl is built to use the macidn IDN backend (bsc#1228260).
- CVE-2025-9086: bug in patch comparison logic when processing cookies can lead to out-of-bounds read in heap buffer (bsc#1249191).
- CVE-2025-10148: predictable websocket mask can lead to proxy cache poisoning by malicious server (bsc#1249348).

Other issues fixed:

- Fix wrong return code when --retry is used (bsc#1249367).
  * tool_operate: fix return code when --retry is used but not triggered [b42776b]
- Fix the --ftp-pasv option in curl v8.14.1 (bsc#1246197).
  * tool_getparam: fix --ftp-pasv [5f805ee]
- Fixed with version 8.14.1:
  * TLS: add CURLOPT_SSL_SIGNATURE_ALGORITHMS and --sigalgs.
  * websocket: add option to disable auto-pong reply.
  * huge number of bugfixes.

  Please see https://curl.se/ch/ for full changelogs.

The following package changes have been done:

- libcurl4-8.14.1-150600.4.28.1 updated
- container:registry.suse.com-bci-bci-base-15.7-7509e7e16dfdc2ba3eb2a7409a432209c89350947682a3713af951a95da4b936-0 updated

From sle-container-updates at lists.suse.com Mon Sep 15 14:58:31 2025
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Mon, 15 Sep 2025 16:58:31 +0200 (CEST)
Subject: SUSE-CU-2025:6822-1: Security update of bci/python
Message-ID: <20250915145831.F233BF782@maintenance.suse.de>

SUSE Container Update Advisory: bci/python
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2025:6822-1
Container Tags : bci/python:3 , bci/python:3.11 , bci/python:3.11.13 , bci/python:3.11.13-74.25
Container Release : 74.25
Severity : important
Type : security
References : 1228260 1236589 1243397 1243706 1243933 1246197 1249191 1249348 1249367 CVE-2024-6874 CVE-2025-0665 CVE-2025-10148 CVE-2025-4947 CVE-2025-5025 CVE-2025-5399 CVE-2025-9086
-----------------------------------------------------------------

The container bci/python was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:3198-1
Released: Fri Sep 12 14:15:08 2025
Summary: Security update for curl
Type: security
Severity: important
References: 1228260,1236589,1243397,1243706,1243933,1246197,1249191,1249348,1249367,CVE-2024-6874,CVE-2025-0665,CVE-2025-10148,CVE-2025-4947,CVE-2025-5025,CVE-2025-5399,CVE-2025-9086

This update for curl fixes the following issues:

Update to version 8.14.1 (jsc#PED-13055, jsc#PED-13056).

Security issues fixed:

- CVE-2025-0665: eventfd double close can cause libcurl to act unreliably (bsc#1236589).
- CVE-2025-4947: QUIC certificate check is skipped with wolfSSL allows for MITM attacks (bsc#1243397).
- CVE-2025-5025: no QUIC certificate pinning with wolfSSL can lead to connections to impostor servers that are not easily noticed (bsc#1243706).
- CVE-2025-5399: bug in websocket code can cause libcurl to get trapped in an endless busy-loop when processing specially crafted packets (bsc#1243933).
- CVE-2024-6874: punycode conversions to/from IDN can leak stack content when libcurl is built to use the macidn IDN backend (bsc#1228260).
- CVE-2025-9086: bug in patch comparison logic when processing cookies can lead to out-of-bounds read in heap buffer (bsc#1249191).
- CVE-2025-10148: predictable websocket mask can lead to proxy cache poisoning by malicious server (bsc#1249348).

Other issues fixed:

- Fix wrong return code when --retry is used (bsc#1249367).
  * tool_operate: fix return code when --retry is used but not triggered [b42776b]
- Fix the --ftp-pasv option in curl v8.14.1 (bsc#1246197).
  * tool_getparam: fix --ftp-pasv [5f805ee]
- Fixed with version 8.14.1:
  * TLS: add CURLOPT_SSL_SIGNATURE_ALGORITHMS and --sigalgs.
  * websocket: add option to disable auto-pong reply.
  * huge number of bugfixes.

  Please see https://curl.se/ch/ for full changelogs.

The following package changes have been done:

- libcurl4-8.14.1-150600.4.28.1 updated
- curl-8.14.1-150600.4.28.1 updated
- container:registry.suse.com-bci-bci-base-15.7-7509e7e16dfdc2ba3eb2a7409a432209c89350947682a3713af951a95da4b936-0 updated

From sle-container-updates at lists.suse.com Mon Sep 15 14:58:57 2025
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Mon, 15 Sep 2025 16:58:57 +0200 (CEST)
Subject: SUSE-CU-2025:6823-1: Security update of bci/python
Message-ID: <20250915145857.A3B46F782@maintenance.suse.de>

SUSE Container Update Advisory: bci/python
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2025:6823-1
Container Tags : bci/python:3 , bci/python:3.13 , bci/python:3.13.5 , bci/python:3.13.5-76.24 , bci/python:latest
Container Release : 76.24
Severity : important
Type : security
References : 1228260 1236589 1243397 1243706 1243933 1246197 1249191 1249348 1249367 CVE-2024-6874 CVE-2025-0665 CVE-2025-10148 CVE-2025-4947 CVE-2025-5025 CVE-2025-5399 CVE-2025-9086
-----------------------------------------------------------------

The container bci/python was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:3198-1
Released: Fri Sep 12 14:15:08 2025
Summary: Security update for curl
Type: security
Severity: important
References: 1228260,1236589,1243397,1243706,1243933,1246197,1249191,1249348,1249367,CVE-2024-6874,CVE-2025-0665,CVE-2025-10148,CVE-2025-4947,CVE-2025-5025,CVE-2025-5399,CVE-2025-9086

This update for curl fixes the following issues:

Update to version 8.14.1 (jsc#PED-13055, jsc#PED-13056).

Security issues fixed:

- CVE-2025-0665: eventfd double close can cause libcurl to act unreliably (bsc#1236589).
- CVE-2025-4947: QUIC certificate check is skipped with wolfSSL allows for MITM attacks (bsc#1243397).
- CVE-2025-5025: no QUIC certificate pinning with wolfSSL can lead to connections to impostor servers that are not easily noticed (bsc#1243706).
- CVE-2025-5399: bug in websocket code can cause libcurl to get trapped in an endless busy-loop when processing specially crafted packets (bsc#1243933).
- CVE-2024-6874: punycode conversions to/from IDN can leak stack content when libcurl is built to use the macidn IDN backend (bsc#1228260).
- CVE-2025-9086: bug in patch comparison logic when processing cookies can lead to out-of-bounds read in heap buffer (bsc#1249191).
- CVE-2025-10148: predictable websocket mask can lead to proxy cache poisoning by malicious server (bsc#1249348).

Other issues fixed:

- Fix wrong return code when --retry is used (bsc#1249367).
  * tool_operate: fix return code when --retry is used but not triggered [b42776b]
- Fix the --ftp-pasv option in curl v8.14.1 (bsc#1246197).
  * tool_getparam: fix --ftp-pasv [5f805ee]
- Fixed with version 8.14.1:
  * TLS: add CURLOPT_SSL_SIGNATURE_ALGORITHMS and --sigalgs.
  * websocket: add option to disable auto-pong reply.
  * huge number of bugfixes.

  Please see https://curl.se/ch/ for full changelogs.

The following package changes have been done:

- libcurl4-8.14.1-150600.4.28.1 updated
- curl-8.14.1-150600.4.28.1 updated
- container:registry.suse.com-bci-bci-base-15.7-7509e7e16dfdc2ba3eb2a7409a432209c89350947682a3713af951a95da4b936-0 updated

From sle-container-updates at lists.suse.com Mon Sep 15 14:59:22 2025
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Mon, 15 Sep 2025 16:59:22 +0200 (CEST)
Subject: SUSE-CU-2025:6824-1: Security update of bci/python
Message-ID: <20250915145922.E80B5F782@maintenance.suse.de>

SUSE Container Update Advisory: bci/python
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2025:6824-1
Container Tags : bci/python:3 , bci/python:3.6 , bci/python:3.6.15 , bci/python:3.6.15-73.26
Container Release : 73.26
Severity : important
Type : security
References : 1228260 1236589 1243397 1243706 1243933 1246197 1249191 1249348 1249367 CVE-2024-6874 CVE-2025-0665 CVE-2025-10148 CVE-2025-4947 CVE-2025-5025 CVE-2025-5399 CVE-2025-9086
-----------------------------------------------------------------

The container bci/python was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:3198-1
Released: Fri Sep 12 14:15:08 2025
Summary: Security update for curl
Type: security
Severity: important
References: 1228260,1236589,1243397,1243706,1243933,1246197,1249191,1249348,1249367,CVE-2024-6874,CVE-2025-0665,CVE-2025-10148,CVE-2025-4947,CVE-2025-5025,CVE-2025-5399,CVE-2025-9086

This update for curl fixes the following issues:

Update to version 8.14.1 (jsc#PED-13055, jsc#PED-13056).

Security issues fixed:

- CVE-2025-0665: eventfd double close can cause libcurl to act unreliably (bsc#1236589).
- CVE-2025-4947: QUIC certificate check is skipped with wolfSSL allows for MITM attacks (bsc#1243397).
- CVE-2025-5025: no QUIC certificate pinning with wolfSSL can lead to connections to impostor servers that are not easily noticed (bsc#1243706).
- CVE-2025-5399: bug in websocket code can cause libcurl to get trapped in an endless busy-loop when processing specially crafted packets (bsc#1243933).
- CVE-2024-6874: punycode conversions to/from IDN can leak stack content when libcurl is built to use the macidn IDN backend (bsc#1228260).
- CVE-2025-9086: bug in patch comparison logic when processing cookies can lead to out-of-bounds read in heap buffer (bsc#1249191).
- CVE-2025-10148: predictable websocket mask can lead to proxy cache poisoning by malicious server (bsc#1249348).

Other issues fixed:

- Fix wrong return code when --retry is used (bsc#1249367).
  * tool_operate: fix return code when --retry is used but not triggered [b42776b]
- Fix the --ftp-pasv option in curl v8.14.1 (bsc#1246197).
  * tool_getparam: fix --ftp-pasv [5f805ee]
- Fixed with version 8.14.1:
  * TLS: add CURLOPT_SSL_SIGNATURE_ALGORITHMS and --sigalgs.
  * websocket: add option to disable auto-pong reply.
  * huge number of bugfixes.

  Please see https://curl.se/ch/ for full changelogs.

The following package changes have been done:

- libcurl4-8.14.1-150600.4.28.1 updated
- curl-8.14.1-150600.4.28.1 updated
- container:registry.suse.com-bci-bci-base-15.7-7509e7e16dfdc2ba3eb2a7409a432209c89350947682a3713af951a95da4b936-0 updated

From sle-container-updates at lists.suse.com Mon Sep 15 14:59:44 2025
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Mon, 15 Sep 2025 16:59:44 +0200 (CEST)
Subject: SUSE-CU-2025:6825-1: Security update of bci/ruby
Message-ID: <20250915145944.17C59F782@maintenance.suse.de>

SUSE Container Update Advisory: bci/ruby
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2025:6825-1
Container Tags : bci/ruby:2 , bci/ruby:2.5 , bci/ruby:2.5-14.5
Container Release : 14.5
Severity : important
Type : security
References : 1228260 1236589 1243397 1243706 1243933 1246197 1249191 1249348 1249367 CVE-2024-6874 CVE-2025-0665 CVE-2025-10148 CVE-2025-4947 CVE-2025-5025 CVE-2025-5399 CVE-2025-9086
-----------------------------------------------------------------

The container bci/ruby was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:3198-1
Released: Fri Sep 12 14:15:08 2025
Summary: Security update for curl
Type: security
Severity: important
References: 1228260,1236589,1243397,1243706,1243933,1246197,1249191,1249348,1249367,CVE-2024-6874,CVE-2025-0665,CVE-2025-10148,CVE-2025-4947,CVE-2025-5025,CVE-2025-5399,CVE-2025-9086

This update for curl fixes the following issues:

Update to version 8.14.1 (jsc#PED-13055, jsc#PED-13056).

Security issues fixed:

- CVE-2025-0665: eventfd double close can cause libcurl to act unreliably (bsc#1236589).
- CVE-2025-4947: QUIC certificate check is skipped with wolfSSL allows for MITM attacks (bsc#1243397).
- CVE-2025-5025: no QUIC certificate pinning with wolfSSL can lead to connections to impostor servers that are not easily noticed (bsc#1243706).
- CVE-2025-5399: bug in websocket code can cause libcurl to get trapped in an endless busy-loop when processing specially crafted packets (bsc#1243933).
- CVE-2024-6874: punycode conversions to/from IDN can leak stack content when libcurl is built to use the macidn IDN backend (bsc#1228260).
- CVE-2025-9086: bug in patch comparison logic when processing cookies can lead to out-of-bounds read in heap buffer (bsc#1249191).
- CVE-2025-10148: predictable websocket mask can lead to proxy cache poisoning by malicious server (bsc#1249348).

Other issues fixed:

- Fix wrong return code when --retry is used (bsc#1249367).
  * tool_operate: fix return code when --retry is used but not triggered [b42776b]
- Fix the --ftp-pasv option in curl v8.14.1 (bsc#1246197).
  * tool_getparam: fix --ftp-pasv [5f805ee]
- Fixed with version 8.14.1:
  * TLS: add CURLOPT_SSL_SIGNATURE_ALGORITHMS and --sigalgs.
  * websocket: add option to disable auto-pong reply.
  * huge number of bugfixes.

  Please see https://curl.se/ch/ for full changelogs.

The following package changes have been done:

- libcurl4-8.14.1-150600.4.28.1 updated
- curl-8.14.1-150600.4.28.1 updated
- container:registry.suse.com-bci-bci-base-15.7-7509e7e16dfdc2ba3eb2a7409a432209c89350947682a3713af951a95da4b936-0 updated

From sle-container-updates at lists.suse.com Mon Sep 15 15:00:04 2025
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Mon, 15 Sep 2025 17:00:04 +0200 (CEST)
Subject: SUSE-CU-2025:6826-1: Security update of bci/ruby
Message-ID: <20250915150004.EADFCFB9C@maintenance.suse.de>

SUSE Container Update Advisory: bci/ruby
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2025:6826-1
Container Tags : bci/ruby:3 , bci/ruby:3.4 , bci/ruby:3.4-13.5 , bci/ruby:latest
Container Release : 13.5
Severity : important
Type : security
References : 1228260 1236589 1243397 1243706 1243933 1246197 1249191 1249348 1249367 CVE-2024-6874 CVE-2025-0665 CVE-2025-10148 CVE-2025-4947 CVE-2025-5025 CVE-2025-5399 CVE-2025-9086
-----------------------------------------------------------------

The container bci/ruby was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:3198-1
Released: Fri Sep 12 14:15:08 2025
Summary: Security update for curl
Type: security
Severity: important
References: 1228260,1236589,1243397,1243706,1243933,1246197,1249191,1249348,1249367,CVE-2024-6874,CVE-2025-0665,CVE-2025-10148,CVE-2025-4947,CVE-2025-5025,CVE-2025-5399,CVE-2025-9086

This update for curl fixes the following issues:

Update to version 8.14.1 (jsc#PED-13055, jsc#PED-13056).

Security issues fixed:

- CVE-2025-0665: eventfd double close can cause libcurl to act unreliably (bsc#1236589).
- CVE-2025-4947: QUIC certificate check is skipped with wolfSSL allows for MITM attacks (bsc#1243397).
- CVE-2025-5025: no QUIC certificate pinning with wolfSSL can lead to connections to impostor servers that are not easily noticed (bsc#1243706).
- CVE-2025-5399: bug in websocket code can cause libcurl to get trapped in an endless busy-loop when processing specially crafted packets (bsc#1243933).
- CVE-2024-6874: punycode conversions to/from IDN can leak stack content when libcurl is built to use the macidn IDN backend (bsc#1228260).
- CVE-2025-9086: bug in patch comparison logic when processing cookies can lead to out-of-bounds read in heap buffer (bsc#1249191).
- CVE-2025-10148: predictable websocket mask can lead to proxy cache poisoning by malicious server (bsc#1249348).

Other issues fixed:

- Fix wrong return code when --retry is used (bsc#1249367).
  * tool_operate: fix return code when --retry is used but not triggered [b42776b]
- Fix the --ftp-pasv option in curl v8.14.1 (bsc#1246197).
  * tool_getparam: fix --ftp-pasv [5f805ee]
- Fixed with version 8.14.1:
  * TLS: add CURLOPT_SSL_SIGNATURE_ALGORITHMS and --sigalgs.
  * websocket: add option to disable auto-pong reply.
  * huge number of bugfixes.

  Please see https://curl.se/ch/ for full changelogs.

The following package changes have been done:

- libcurl4-8.14.1-150600.4.28.1 updated
- curl-8.14.1-150600.4.28.1 updated
- container:registry.suse.com-bci-bci-base-15.7-7509e7e16dfdc2ba3eb2a7409a432209c89350947682a3713af951a95da4b936-0 updated

From sle-container-updates at lists.suse.com Mon Sep 15 15:00:22 2025
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Mon, 15 Sep 2025 17:00:22 +0200 (CEST)
Subject: SUSE-CU-2025:6827-1: Security update of bci/rust
Message-ID: <20250915150022.89CB6FB9C@maintenance.suse.de>

SUSE Container Update Advisory: bci/rust
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2025:6827-1
Container Tags : bci/rust:1.88 , bci/rust:1.88.0 , bci/rust:1.88.0-2.2.4 , bci/rust:oldstable , bci/rust:oldstable-2.2.4
Container Release : 2.4
Severity : important
Type : security
References : 1228260 1236589 1243397 1243706 1243933 1246197 1249191 1249348 1249367 CVE-2024-6874 CVE-2025-0665 CVE-2025-10148 CVE-2025-4947 CVE-2025-5025 CVE-2025-5399 CVE-2025-9086
-----------------------------------------------------------------

The container bci/rust was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:3198-1
Released: Fri Sep 12 14:15:08 2025
Summary: Security update for curl
Type: security
Severity: important
References: 1228260,1236589,1243397,1243706,1243933,1246197,1249191,1249348,1249367,CVE-2024-6874,CVE-2025-0665,CVE-2025-10148,CVE-2025-4947,CVE-2025-5025,CVE-2025-5399,CVE-2025-9086

This update for curl fixes the following issues:

Update to version 8.14.1 (jsc#PED-13055, jsc#PED-13056).

Security issues fixed:

- CVE-2025-0665: eventfd double close can cause libcurl to act unreliably (bsc#1236589).
- CVE-2025-4947: QUIC certificate check is skipped with wolfSSL allows for MITM attacks (bsc#1243397).
- CVE-2025-5025: no QUIC certificate pinning with wolfSSL can lead to connections to impostor servers that are not easily noticed (bsc#1243706).
- CVE-2025-5399: bug in websocket code can cause libcurl to get trapped in an endless busy-loop when processing specially crafted packets (bsc#1243933).
- CVE-2024-6874: punycode conversions to/from IDN can leak stack content when libcurl is built to use the macidn IDN backend (bsc#1228260).
- CVE-2025-9086: bug in patch comparison logic when processing cookies can lead to out-of-bounds read in heap buffer (bsc#1249191).
- CVE-2025-10148: predictable websocket mask can lead to proxy cache poisoning by malicious server (bsc#1249348).

Other issues fixed:

- Fix wrong return code when --retry is used (bsc#1249367).
  * tool_operate: fix return code when --retry is used but not triggered [b42776b]
- Fix the --ftp-pasv option in curl v8.14.1 (bsc#1246197).
  * tool_getparam: fix --ftp-pasv [5f805ee]
- Fixed with version 8.14.1:
  * TLS: add CURLOPT_SSL_SIGNATURE_ALGORITHMS and --sigalgs.
  * websocket: add option to disable auto-pong reply.
  * huge number of bugfixes.

  Please see https://curl.se/ch/ for full changelogs.

The following package changes have been done:

- libcurl4-8.14.1-150600.4.28.1 updated
- container:registry.suse.com-bci-bci-base-15.7-7509e7e16dfdc2ba3eb2a7409a432209c89350947682a3713af951a95da4b936-0 updated

From sle-container-updates at lists.suse.com Mon Sep 15 15:00:36 2025
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Mon, 15 Sep 2025 17:00:36 +0200 (CEST)
Subject: SUSE-CU-2025:6828-1: Security update of bci/rust
Message-ID: <20250915150036.E1AC5FB9C@maintenance.suse.de>

SUSE Container Update Advisory: bci/rust
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2025:6828-1
Container Tags : bci/rust:1.89 , bci/rust:1.89.0 , bci/rust:1.89.0-1.2.4 , bci/rust:latest , bci/rust:stable , bci/rust:stable-1.2.4
Container Release : 2.4
Severity : important
Type : security
References : 1228260 1236589 1243397 1243706 1243933 1246197 1249191 1249348 1249367 CVE-2024-6874 CVE-2025-0665 CVE-2025-10148 CVE-2025-4947 CVE-2025-5025 CVE-2025-5399 CVE-2025-9086
-----------------------------------------------------------------

The container bci/rust was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:3198-1
Released: Fri Sep 12 14:15:08 2025
Summary: Security update for curl
Type: security
Severity: important
References: 1228260,1236589,1243397,1243706,1243933,1246197,1249191,1249348,1249367,CVE-2024-6874,CVE-2025-0665,CVE-2025-10148,CVE-2025-4947,CVE-2025-5025,CVE-2025-5399,CVE-2025-9086

This update for curl fixes the following issues:

Update to version 8.14.1 (jsc#PED-13055, jsc#PED-13056).

Security issues fixed:

- CVE-2025-0665: eventfd double close can cause libcurl to act unreliably (bsc#1236589).
- CVE-2025-4947: QUIC certificate check is skipped with wolfSSL allows for MITM attacks (bsc#1243397).
- CVE-2025-5025: no QUIC certificate pinning with wolfSSL can lead to connections to impostor servers that are not easily noticed (bsc#1243706).
- CVE-2025-5399: bug in websocket code can cause libcurl to get trapped in an endless busy-loop when processing specially crafted packets (bsc#1243933).
- CVE-2024-6874: punycode conversions to/from IDN can leak stack content when libcurl is built to use the macidn IDN backend (bsc#1228260).
- CVE-2025-9086: bug in patch comparison logic when processing cookies can lead to out-of-bounds read in heap buffer (bsc#1249191).
- CVE-2025-10148: predictable websocket mask can lead to proxy cache poisoning by malicious server (bsc#1249348).

Other issues fixed:

- Fix wrong return code when --retry is used (bsc#1249367).
  * tool_operate: fix return code when --retry is used but not triggered [b42776b]
- Fix the --ftp-pasv option in curl v8.14.1 (bsc#1246197).
  * tool_getparam: fix --ftp-pasv [5f805ee]
- Fixed with version 8.14.1:
  * TLS: add CURLOPT_SSL_SIGNATURE_ALGORITHMS and --sigalgs.
  * websocket: add option to disable auto-pong reply.
  * huge number of bugfixes.

  Please see https://curl.se/ch/ for full changelogs.

The following package changes have been done:

- libcurl4-8.14.1-150600.4.28.1 updated
- container:registry.suse.com-bci-bci-base-15.7-7509e7e16dfdc2ba3eb2a7409a432209c89350947682a3713af951a95da4b936-0 updated

From sle-container-updates at lists.suse.com Mon Sep 15 15:00:51 2025
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Mon, 15 Sep 2025 17:00:51 +0200 (CEST)
Subject: SUSE-CU-2025:6829-1: Security update of bci/bci-sle15-kernel-module-devel
Message-ID: <20250915150051.AA211FB9C@maintenance.suse.de>

SUSE Container Update Advisory: bci/bci-sle15-kernel-module-devel
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2025:6829-1
Container Tags : bci/bci-sle15-kernel-module-devel:15.7 , bci/bci-sle15-kernel-module-devel:15.7-44.15 , bci/bci-sle15-kernel-module-devel:latest
Container Release : 44.15
Severity : important
Type : security
References : 1228260 1236589 1243397 1243706 1243933 1246197 1249191 1249348 1249367 CVE-2024-6874 CVE-2025-0665 CVE-2025-10148 CVE-2025-4947 CVE-2025-5025 CVE-2025-5399 CVE-2025-9086
-----------------------------------------------------------------

The container bci/bci-sle15-kernel-module-devel was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:3198-1
Released: Fri Sep 12 14:15:08 2025
Summary: Security update for curl
Type: security
Severity: important
References: 1228260,1236589,1243397,1243706,1243933,1246197,1249191,1249348,1249367,CVE-2024-6874,CVE-2025-0665,CVE-2025-10148,CVE-2025-4947,CVE-2025-5025,CVE-2025-5399,CVE-2025-9086

This update for curl fixes the following issues:

Update to version 8.14.1 (jsc#PED-13055, jsc#PED-13056).

Security issues fixed:

- CVE-2025-0665: eventfd double close can cause libcurl to act unreliably (bsc#1236589).
- CVE-2025-4947: QUIC certificate check is skipped with wolfSSL allows for MITM attacks (bsc#1243397).
- CVE-2025-5025: no QUIC certificate pinning with wolfSSL can lead to connections to impostor servers that are not easily noticed (bsc#1243706).
- CVE-2025-5399: bug in websocket code can cause libcurl to get trapped in an endless busy-loop when processing specially crafted packets (bsc#1243933).
- CVE-2024-6874: punycode conversions to/from IDN can leak stack content when libcurl is built to use the macidn IDN backend (bsc#1228260).
- CVE-2025-9086: bug in patch comparison logic when processing cookies can lead to out-of-bounds read in heap buffer (bsc#1249191).
- CVE-2025-10148: predictable websocket mask can lead to proxy cache poisoning by malicious server (bsc#1249348).

Other issues fixed:

- Fix wrong return code when --retry is used (bsc#1249367).
  * tool_operate: fix return code when --retry is used but not triggered [b42776b]
- Fix the --ftp-pasv option in curl v8.14.1 (bsc#1246197).
  * tool_getparam: fix --ftp-pasv [5f805ee]
- Fixed with version 8.14.1:
  * TLS: add CURLOPT_SSL_SIGNATURE_ALGORITHMS and --sigalgs.
  * websocket: add option to disable auto-pong reply.
  * huge number of bugfixes.

  Please see https://curl.se/ch/ for full changelogs.

The following package changes have been done:

- libcurl4-8.14.1-150600.4.28.1 updated
- container:registry.suse.com-bci-bci-base-15.7-7509e7e16dfdc2ba3eb2a7409a432209c89350947682a3713af951a95da4b936-0 updated

From sle-container-updates at lists.suse.com Tue Sep 16 07:12:20 2025
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Tue, 16 Sep 2025 09:12:20 +0200 (CEST)
Subject: SUSE-CU-2025:6832-1: Security update of bci/bci-sle15-kernel-module-devel
Message-ID: <20250916071220.6FA34F783@maintenance.suse.de>

SUSE Container Update Advisory: bci/bci-sle15-kernel-module-devel
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2025:6832-1
Container Tags : bci/bci-sle15-kernel-module-devel:15.6 , bci/bci-sle15-kernel-module-devel:15.6.47.17
Container Release : 47.17
Severity : important
Type : security
References : 1228260 1236589 1243397 1243706 1243933 1246197 1249191 1249348 1249367 CVE-2024-6874 CVE-2025-0665 CVE-2025-10148 CVE-2025-4947 CVE-2025-5025 CVE-2025-5399 CVE-2025-9086
-----------------------------------------------------------------

The container bci/bci-sle15-kernel-module-devel was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:3198-1
Released: Fri Sep 12 14:15:08 2025
Summary: Security update for curl
Type: security
Severity: important
References: 1228260,1236589,1243397,1243706,1243933,1246197,1249191,1249348,1249367,CVE-2024-6874,CVE-2025-0665,CVE-2025-10148,CVE-2025-4947,CVE-2025-5025,CVE-2025-5399,CVE-2025-9086

This update for curl fixes the following issues:

Update to version 8.14.1 (jsc#PED-13055, jsc#PED-13056).

Security issues fixed:

- CVE-2025-0665: eventfd double close can cause libcurl to act unreliably (bsc#1236589).
- CVE-2025-4947: QUIC certificate check is skipped with wolfSSL allows for MITM attacks (bsc#1243397).
- CVE-2025-5025: no QUIC certificate pinning with wolfSSL can lead to connections to impostor servers that are not easily noticed (bsc#1243706).
- CVE-2025-5399: bug in websocket code can cause libcurl to get trapped in an endless busy-loop when processing specially crafted packets (bsc#1243933).
- CVE-2024-6874: punycode conversions to/from IDN can leak stack content when libcurl is built to use the macidn IDN backend (bsc#1228260).
- CVE-2025-9086: bug in patch comparison logic when processing cookies can lead to out-of-bounds read in heap buffer (bsc#1249191).
- CVE-2025-10148: predictable websocket mask can lead to proxy cache poisoning by malicious server (bsc#1249348).

Other issues fixed:

- Fix wrong return code when --retry is used (bsc#1249367).
  * tool_operate: fix return code when --retry is used but not triggered [b42776b]
- Fix the --ftp-pasv option in curl v8.14.1 (bsc#1246197).
  * tool_getparam: fix --ftp-pasv [5f805ee]
- Fixed with version 8.14.1:
  * TLS: add CURLOPT_SSL_SIGNATURE_ALGORITHMS and --sigalgs.
  * websocket: add option to disable auto-pong reply.
  * huge number of bugfixes.

  Please see https://curl.se/ch/ for full changelogs.

The following package changes have been done:

- libcurl4-8.14.1-150600.4.28.1 updated
- container:registry.suse.com-bci-bci-base-15.6-d13d6758550c72c08b54298b7fb20e8d426127b4692f4b115373e2175184ada8-0 updated

From sle-container-updates at lists.suse.com Tue Sep 16 07:12:38 2025
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Tue, 16 Sep 2025 09:12:38 +0200 (CEST)
Subject: SUSE-CU-2025:6833-1: Recommended update of bci/bci-init
Message-ID: <20250916071238.AE428F783@maintenance.suse.de>

SUSE Container Update Advisory: bci/bci-init
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2025:6833-1
Container Tags : bci/bci-init:15.7 , bci/bci-init:15.7-42.25 , bci/bci-init:latest
Container Release : 42.25
Severity : important
Type : recommended
References : 1246522
-----------------------------------------------------------------

The container bci/bci-init was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2025:3228-1
Released: Mon Sep 15 14:51:02 2025
Summary: Recommended update for console-setup, kbd
Type: recommended
Severity: important
References: 1246522

This update for console-setup and kbd fixes the following issues:

console-setup:

- Fix unicode check (bsc#1246522)

kbd:

- Improve error message on unsupported unicode value

The following package changes have been done:

- kbd-2.4.0-150700.15.6.1 updated

From sle-container-updates at lists.suse.com Tue Sep 16 07:13:02 2025
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Tue, 16 Sep 2025 09:13:02 +0200 (CEST)
Subject: SUSE-CU-2025:6834-1: Recommended update of bci/kiwi
Message-ID: <20250916071302.BC6A9F782@maintenance.suse.de>

SUSE Container Update Advisory: bci/kiwi
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2025:6834-1
Container Tags : bci/kiwi:9 , bci/kiwi:9.24 , bci/kiwi:9.24.43 , bci/kiwi:9.24.43-18.34 , bci/kiwi:latest Container Release : 18.34 Severity : important Type : recommended References : 1243125 1246522 1248168 ----------------------------------------------------------------- The container bci/kiwi was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:3228-1 Released: Mon Sep 15 14:51:02 2025 Summary: Recommended update for console-setup, kbd Type: recommended Severity: important References: 1246522 This update for console-setup and kbd fixes the following issues: console-setup: - Fix unicode check (bsc#1246522) kbd: - Improve error message on unsupported unicode value ----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:3231-1 Released: Mon Sep 15 15:03:29 2025 Summary: Recommended update for checkmedia Type: recommended Severity: moderate References: 1243125,1248168 This update for checkmedia fixes the following issues: - set LC_MESSAGES to C when running gpg (bsc#1248168) - fix minor issue when printing app_id - added --[no-]signature-tag options for explicit handling of the 'signature' tag (bsc#1243125) The following package changes have been done: - kbd-2.4.0-150700.15.6.1 updated - libmediacheck6-6.5-150600.3.3.1 updated - checkmedia-6.5-150600.3.3.1 updated - container:registry.suse.com-bci-bci-base-15.7-7509e7e16dfdc2ba3eb2a7409a432209c89350947682a3713af951a95da4b936-0 updated From sle-container-updates at lists.suse.com Tue Sep 16 07:13:20 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Tue, 16 Sep 2025 09:13:20 +0200 (CEST) Subject: SUSE-CU-2025:6836-1: Recommended update of suse/pcp Message-ID: <20250916071320.1797BF782@maintenance.suse.de> SUSE Container Update Advisory: suse/pcp ----------------------------------------------------------------- Container 
Advisory ID : SUSE-CU-2025:6836-1 Container Tags : suse/pcp:6 , suse/pcp:6.2 , suse/pcp:6.2.0 , suse/pcp:6.2.0-62.36 , suse/pcp:latest Container Release : 62.36 Severity : important Type : recommended References : 1246522 ----------------------------------------------------------------- The container suse/pcp was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:3228-1 Released: Mon Sep 15 14:51:02 2025 Summary: Recommended update for console-setup, kbd Type: recommended Severity: important References: 1246522 This update for console-setup and kbd fixes the following issues: console-setup: - Fix unicode check (bsc#1246522) kbd: - Improve error message on unsupported unicode value The following package changes have been done: - kbd-2.4.0-150700.15.6.1 updated - container:bci-bci-init-15.7-c046803d58eb37133a05b7b5addcaaefef975a1d19938689988a36c54ca9d9ca-0 updated From sle-container-updates at lists.suse.com Tue Sep 16 07:13:33 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Tue, 16 Sep 2025 09:13:33 +0200 (CEST) Subject: SUSE-CU-2025:6837-1: Recommended update of suse/kiosk/pulseaudio Message-ID: <20250916071333.0405AF782@maintenance.suse.de> SUSE Container Update Advisory: suse/kiosk/pulseaudio ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:6837-1 Container Tags : suse/kiosk/pulseaudio:17 , suse/kiosk/pulseaudio:17.0 , suse/kiosk/pulseaudio:17.0-63.21 , suse/kiosk/pulseaudio:latest Container Release : 63.21 Severity : important Type : recommended References : 1246522 ----------------------------------------------------------------- The container suse/kiosk/pulseaudio was updated. 
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:3228-1 Released: Mon Sep 15 14:51:02 2025 Summary: Recommended update for console-setup, kbd Type: recommended Severity: important References: 1246522 This update for console-setup and kbd fixes the following issues: console-setup: - Fix unicode check (bsc#1246522) kbd: - Improve error message on unsupported unicode value The following package changes have been done: - kbd-2.4.0-150700.15.6.1 updated - container:suse-sle15-15.7-7509e7e16dfdc2ba3eb2a7409a432209c89350947682a3713af951a95da4b936-0 updated From sle-container-updates at lists.suse.com Tue Sep 16 07:13:44 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Tue, 16 Sep 2025 09:13:44 +0200 (CEST) Subject: SUSE-CU-2025:6838-1: Recommended update of suse/kiosk/xorg Message-ID: <20250916071344.37951F782@maintenance.suse.de> SUSE Container Update Advisory: suse/kiosk/xorg ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:6838-1 Container Tags : suse/kiosk/xorg:21 , suse/kiosk/xorg:21.1 , suse/kiosk/xorg:21.1-65.28 , suse/kiosk/xorg:latest , suse/kiosk/xorg:notaskbar Container Release : 65.28 Severity : important Type : recommended References : 1246522 ----------------------------------------------------------------- The container suse/kiosk/xorg was updated. 
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:3228-1 Released: Mon Sep 15 14:51:02 2025 Summary: Recommended update for console-setup, kbd Type: recommended Severity: important References: 1246522 This update for console-setup and kbd fixes the following issues: console-setup: - Fix unicode check (bsc#1246522) kbd: - Improve error message on unsupported unicode value The following package changes have been done: - kbd-2.4.0-150700.15.6.1 updated - container:suse-sle15-15.7-7509e7e16dfdc2ba3eb2a7409a432209c89350947682a3713af951a95da4b936-0 updated From sle-container-updates at lists.suse.com Tue Sep 16 07:15:42 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Tue, 16 Sep 2025 09:15:42 +0200 (CEST) Subject: SUSE-CU-2025:6839-1: Security update of suse/sle-micro/5.1/toolbox Message-ID: <20250916071542.949DCF782@maintenance.suse.de> SUSE Container Update Advisory: suse/sle-micro/5.1/toolbox ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:6839-1 Container Tags : suse/sle-micro/5.1/toolbox:14.2 , suse/sle-micro/5.1/toolbox:14.2-3.13.170 , suse/sle-micro/5.1/toolbox:latest Container Release : 3.13.170 Severity : moderate Type : security References : 1241219 CVE-2025-3576 ----------------------------------------------------------------- The container suse/sle-micro/5.1/toolbox was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:3227-1 Released: Mon Sep 15 14:33:21 2025 Summary: Security update for krb5 Type: security Severity: moderate References: 1241219,CVE-2025-3576 This update for krb5 fixes the following issues: - CVE-2025-3576: weakness in the MD5 checksum design allows for spoofing of GSSAPI-protected messages that are using RC4-HMAC-MD5 (bsc#1241219). 
Krb5, as a very old protocol, supported quite a number of ciphers that are no longer up to current cryptographic standards. To avoid problems with those, SUSE has by default now disabled those algorithms.

The following algorithms have been removed from valid krb5 enctypes:

- des3-cbc-sha1
- arcfour-hmac-md5

To reenable those algorithms, you can use allow options in `krb5.conf`:

```
[libdefaults]
allow_des3 = true
allow_rc4 = true
```

The following package changes have been done:

- krb5-1.19.2-150300.25.1 updated

From sle-container-updates at lists.suse.com Tue Sep 16 07:22:05 2025
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Tue, 16 Sep 2025 09:22:05 +0200 (CEST)
Subject: SUSE-CU-2025:6841-1: Security update of suse/sle-micro/5.2/toolbox
Message-ID: <20250916072205.A39E2F782@maintenance.suse.de>

SUSE Container Update Advisory: suse/sle-micro/5.2/toolbox
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2025:6841-1
Container Tags : suse/sle-micro/5.2/toolbox:14.2 , suse/sle-micro/5.2/toolbox:14.2-7.11.172 , suse/sle-micro/5.2/toolbox:latest
Container Release : 7.11.172
Severity : moderate
Type : security
References : 1241219 CVE-2025-3576
-----------------------------------------------------------------
The container suse/sle-micro/5.2/toolbox was updated.

The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:3227-1
Released: Mon Sep 15 14:33:21 2025
Summary: Security update for krb5
Type: security
Severity: moderate
References: 1241219,CVE-2025-3576

This update for krb5 fixes the following issues:

- CVE-2025-3576: weakness in the MD5 checksum design allows for spoofing of GSSAPI-protected messages that are using RC4-HMAC-MD5 (bsc#1241219).

Krb5, as a very old protocol, supported quite a number of ciphers that are no longer up to current cryptographic standards.
To avoid problems with those, SUSE has by default now disabled those algorithms.

The following algorithms have been removed from valid krb5 enctypes:

- des3-cbc-sha1
- arcfour-hmac-md5

To reenable those algorithms, you can use allow options in `krb5.conf`:

```
[libdefaults]
allow_des3 = true
allow_rc4 = true
```

The following package changes have been done:

- krb5-1.19.2-150300.25.1 updated

From sle-container-updates at lists.suse.com Tue Sep 16 10:17:12 2025
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Tue, 16 Sep 2025 12:17:12 +0200 (CEST)
Subject: SUSE-CU-2025:6842-1: Security update of bci/golang
Message-ID: <20250916101712.7A851F783@maintenance.suse.de>

SUSE Container Update Advisory: bci/golang
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2025:6842-1
Container Tags : bci/golang:1.24-openssl , bci/golang:1.24.6-openssl , bci/golang:1.24.6-openssl-74.4 , bci/golang:oldstable-openssl , bci/golang:oldstable-openssl-74.4
Container Release : 74.4
Severity : important
Type : security
References : 1228260 1236217 1236589 1243397 1243706 1243933 1243960 1244156 1244157 1244158 1246118 1246197 1247719 1247720 1249191 1249348 1249367 CVE-2024-6874 CVE-2025-0665 CVE-2025-0913 CVE-2025-10148 CVE-2025-22874 CVE-2025-4673 CVE-2025-4674 CVE-2025-47906 CVE-2025-47907 CVE-2025-4947 CVE-2025-5025 CVE-2025-5399 CVE-2025-9086
-----------------------------------------------------------------
The container bci/golang was updated.

The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2025:1553-1
Released: Wed May 14 19:07:53 2025
Summary: Recommended update for go1.24-openssl
Type: recommended
Severity: moderate
References:

This update for go1.24-openssl fixes the following issues:

This ships the go1.24.3 openssl flavor.
(jsc#SLE-18320) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:1847-1 Released: Mon Jun 9 20:34:37 2025 Summary: Recommended update for go1.24-openssl Type: recommended Severity: important References: 1243960 This update for go1.24-openssl fixes the following issues: Update to version 1.24.3 cut from the go1.24-fips-release branch at the revision tagged go1.24.3-3-openssl-fips. (jsc#SLE-18320) * Fix GOLANG_FIPS=0 and enable CGO for bin/go Update to version 1.24.3 cut from the go1.24-fips-release branch at the revision tagged go1.24.3-2-openssl-fips. (jsc#SLE-18320 bsc#1243960) * Force fips140tls in boring mode and run http tests * Implement HKDF for TLS (#297) bsc#1243960. This was previously left unimplemented and would panic if invoked. This was not caught because we only run a subset of the TLS tests in FIPS mode. This patch adds the test case which would have caught this into our test script and fixes the panic with an implementation of HKDF label expanding. * Improve documentation (#294) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:3158-1 Released: Thu Sep 11 05:04:45 2025 Summary: Security update for go1.24-openssl Type: security Severity: important References: 1236217,1244156,1244157,1244158,1246118,1247719,1247720,CVE-2025-0913,CVE-2025-22874,CVE-2025-4673,CVE-2025-4674,CVE-2025-47906,CVE-2025-47907 This security update of go1.24-openssl fixes the following issues: Update to version 1.24.6 cut from the go1.24-fips-release branch at the revision tagged go1.24.6-1-openssl-fips. Refs jsc#SLE-18320 * Fix HKDF-Extract The latest OpenSSL in c9s/c10s requires nil salt to be passed as a hash length buffer of zeros. go1.24.6 (released 2025-08-06) includes security fixes to the database/sql and os/exec packages, as well as bug fixes to the runtime. 
( boo#1236217 go1.24 release tracking)

CVE-2025-47906 CVE-2025-47907:

* go#74804 go#74466 boo#1247719 security: fix CVE-2025-47906 os/exec: LookPath bug: incorrect expansion of '', '.' and '..' in some PATH configurations
* go#74833 go#74831 boo#1247720 security: fix CVE-2025-47907 database/sql: incorrect results returned from Rows.Scan
* go#73800 runtime: RSS seems to have increased in Go 1.24 while the runtime accounting has not
* go#74416 runtime: use-after-free of allpSnapshot in findRunnable
* go#74694 runtime: segfaults in runtime.(*unwinder).next
* go#74760 os/user:nolibgcc: TestGroupIdsTestUser failures

go1.24.5 (released 2025-07-08) includes security fixes to the go command, as well as bug fixes to the compiler, the linker, the , and the go command. ( boo#1236217 go1.24 release tracking)

CVE-2025-4674:

* go#74381 go#74380 boo#1246118 security: fix CVE-2025-4674 cmd/go: disable support for multiple vcs in one module
* go#73908 runtime: bad frame pointer during panic during duffcopy
* go#74098 cmd/compile: regression on ppc64le bit operations
* go#74113 cmd/go: crash on unknown GOEXPERIMENT during toolchain selection
* go#74290 runtime: heap mspan limit is set too late, causing data race between span allocation and conservative scanning
* go#74294 internal/trace: stress tests triggering suspected deadlock in tracer
* go#74346 runtime: memlock not unlocked in all control flow paths in sysReserveAlignedSbrk
* go#74363 runtime/pprof: crash 'cannot read stack of running goroutine' in goroutine profile
* go#74403 cmd/link: duplicated definition of symbol github.com/ebitengine/purego.syscall15XABI0 when running with ASAN

go1.24.4 (released 2025-06-05) includes security fixes to the crypto/x509, net/http, and os packages, as well as bug fixes to the linker, the go command, and the hash/maphash and os packages.
( boo#1236217 go1.24 release tracking) CVE-2025-22874 CVE-2025-0913 CVE-2025-4673 * go#73700 go#73702 boo#1244158 security: fix CVE-2025-22874 crypto/x509: ExtKeyUsageAny bypasses policy validation * go#73720 go#73612 boo#1244157 security: fix CVE-2025-0913 os: inconsistent handling of O_CREATE|O_EXCL on Unix and Windows * go#73906 go#73816 boo#1244156 security: fix CVE-2025-4673 net/http: sensitive headers not cleared on cross-origin redirect * go#73570 os: Root.Mkdir creates directories with zero permissions on OpenBSD * go#73669 hash/maphash: hashing channels with purego impl. of maphash.Comparable panics * go#73678 runtime/debug: BuildSetting does not document DefaultGODEBUG * go#73809 cmd/go: add fips140 module selection mechanism * go#73832 cmd/link: Go 1.24.3 and 1.23.9 regression - duplicated definition of symbol dlopen ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:3198-1 Released: Fri Sep 12 14:15:08 2025 Summary: Security update for curl Type: security Severity: important References: 1228260,1236589,1243397,1243706,1243933,1246197,1249191,1249348,1249367,CVE-2024-6874,CVE-2025-0665,CVE-2025-10148,CVE-2025-4947,CVE-2025-5025,CVE-2025-5399,CVE-2025-9086 This update for curl fixes the following issues: Update to version 8.14.1 (jsc#PED-13055, jsc#PED-13056). Security issues fixed: - CVE-2025-0665: eventfd double close can cause libcurl to act unreliably (bsc#1236589). - CVE-2025-4947: QUIC certificate check is skipped with wolfSSL allows for MITM attacks (bsc#1243397). - CVE-2025-5025: no QUIC certificate pinning with wolfSSL can lead to connections to impostor servers that are not easily noticed (bsc#1243706). - CVE-2025-5399: bug in websocket code can cause libcurl to get trapped in an endless busy-loop when processing specially crafted packets (bsc#1243933). - CVE-2024-6874: punycode conversions to/from IDN can leak stack content when libcurl is built to use the macidn IDN backend (bsc#1228260). 
- CVE-2025-9086: bug in patch comparison logic when processing cookies can lead to out-of-bounds read in heap buffer (bsc#1249191). - CVE-2025-10148: predictable websocket mask can lead to proxy cache poisoning by malicious server (bsc#1249348). Other issues fixed: - Fix wrong return code when --retry is used (bsc#1249367). * tool_operate: fix return code when --retry is used but not triggered [b42776b] - Fix the --ftp-pasv option in curl v8.14.1 (bsc#1246197). * tool_getparam: fix --ftp-pasv [5f805ee] - Fixed with version 8.14.1: * TLS: add CURLOPT_SSL_SIGNATURE_ALGORITHMS and --sigalgs. * websocket: add option to disable auto-pong reply. * huge number of bugfixes. Please see https://curl.se/ch/ for full changelogs. The following package changes have been done: - libcurl4-8.14.1-150600.4.28.1 updated - curl-8.14.1-150600.4.28.1 updated - go1.24-openssl-doc-1.24.6-150600.13.9.1 added - go1.24-openssl-1.24.6-150600.13.9.1 added - go1.24-openssl-race-1.24.6-150600.13.9.1 added - container:registry.suse.com-bci-bci-base-15.7-7509e7e16dfdc2ba3eb2a7409a432209c89350947682a3713af951a95da4b936-0 updated - go1.23-openssl-1.23.12-150600.13.9.1 removed - go1.23-openssl-doc-1.23.12-150600.13.9.1 removed - go1.23-openssl-race-1.23.12-150600.13.9.1 removed From sle-container-updates at lists.suse.com Tue Sep 16 14:53:56 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Tue, 16 Sep 2025 16:53:56 +0200 (CEST) Subject: SUSE-CU-2025:6844-1: Security update of containers/open-webui Message-ID: <20250916145356.A28B7F782@maintenance.suse.de> SUSE Container Update Advisory: containers/open-webui ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:6844-1 Container Tags : containers/open-webui:0 , containers/open-webui:0.6.18 , containers/open-webui:0.6.18-12.6 Container Release : 12.6 Severity : critical Type : security References : 1228260 1232234 1236589 1240058 1243397 1243706 1243933 
1246197 1246221 1246790 1246965 1247144 1247148 1248119 1248120 1248122 1249191 1249347 1249348 1249367 CVE-2024-10041 CVE-2024-6874 CVE-2025-0665 CVE-2025-10148 CVE-2025-4947 CVE-2025-5025 CVE-2025-5399 CVE-2025-58367 CVE-2025-7700 CVE-2025-8058 CVE-2025-8713 CVE-2025-8714 CVE-2025-8715 CVE-2025-9086 ----------------------------------------------------------------- The container containers/open-webui was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:2956-1 Released: Fri Aug 22 08:57:48 2025 Summary: Recommended update for openssl-3 Type: recommended Severity: moderate References: 1247144,1247148 This update for openssl-3 fixes the following issues: - Increased limit for CRL download (bsc#1247148, bsc#1247144) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2964-1 Released: Fri Aug 22 14:52:39 2025 Summary: Security update for glibc Type: security Severity: moderate References: 1240058,1246965,CVE-2025-8058 This update for glibc fixes the following issues: - CVE-2025-8058: Fixed double-free after allocation failure in regcomp. 
(bsc#1246965) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2970-1 Released: Mon Aug 25 10:27:57 2025 Summary: Security update for pam Type: security Severity: moderate References: 1232234,1246221,CVE-2024-10041 This update for pam fixes the following issues: - Improve previous CVE-2024-10041 fix which led to CPU performance issues (bsc#1232234) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2986-1 Released: Tue Aug 26 12:41:07 2025 Summary: Security update for postgresql17 Type: security Severity: important References: 1248119,1248120,1248122,CVE-2025-8713,CVE-2025-8714,CVE-2025-8715 This update for postgresql17 fixes the following issues: Updated to 17.6: * CVE-2025-8713: Fixed optimizer statistics exposing sampled data within a view, partition, or child table (bsc#1248120) * CVE-2025-8714: Fixed untrusted data inclusion in pg_dump allows superuser of origin server to execute arbitrary code in psql client (bsc#1248122) * CVE-2025-8715: Fixed improper neutralization of newlines in pg_dump leading to arbitrary code execution in the psql client and in the restore target server (bsc#1248119) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:3127-1 Released: Wed Sep 10 10:49:30 2025 Summary: Security update for python-deepdiff Type: security Severity: critical References: 1249347,CVE-2025-58367 This update for python-deepdiff fixes the following issues: - CVE-2025-58367: class pollution via the `Delta` class constructor can lead to denial-of-service and remote code execution (bsc#1249347). 
----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:3162-1 Released: Thu Sep 11 11:16:13 2025 Summary: Security update for ffmpeg-4 Type: security Severity: moderate References: 1246790,CVE-2025-7700 This update for ffmpeg-4 fixes the following issues: - CVE-2025-7700: Fixed NULL Pointer Dereference in FFmpeg ALS Decoder (bsc#1246790). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:3198-1 Released: Fri Sep 12 14:15:08 2025 Summary: Security update for curl Type: security Severity: important References: 1228260,1236589,1243397,1243706,1243933,1246197,1249191,1249348,1249367,CVE-2024-6874,CVE-2025-0665,CVE-2025-10148,CVE-2025-4947,CVE-2025-5025,CVE-2025-5399,CVE-2025-9086 This update for curl fixes the following issues: Update to version 8.14.1 (jsc#PED-13055, jsc#PED-13056). Security issues fixed: - CVE-2025-0665: eventfd double close can cause libcurl to act unreliably (bsc#1236589). - CVE-2025-4947: QUIC certificate check is skipped with wolfSSL allows for MITM attacks (bsc#1243397). - CVE-2025-5025: no QUIC certificate pinning with wolfSSL can lead to connections to impostor servers that are not easily noticed (bsc#1243706). - CVE-2025-5399: bug in websocket code can cause libcurl to get trapped in an endless busy-loop when processing specially crafted packets (bsc#1243933). - CVE-2024-6874: punycode conversions to/from IDN can leak stack content when libcurl is built to use the macidn IDN backend (bsc#1228260). - CVE-2025-9086: bug in patch comparison logic when processing cookies can lead to out-of-bounds read in heap buffer (bsc#1249191). - CVE-2025-10148: predictable websocket mask can lead to proxy cache poisoning by malicious server (bsc#1249348). Other issues fixed: - Fix wrong return code when --retry is used (bsc#1249367). * tool_operate: fix return code when --retry is used but not triggered [b42776b] - Fix the --ftp-pasv option in curl v8.14.1 (bsc#1246197). 
* tool_getparam: fix --ftp-pasv [5f805ee] - Fixed with version 8.14.1: * TLS: add CURLOPT_SSL_SIGNATURE_ALGORITHMS and --sigalgs. * websocket: add option to disable auto-pong reply. * huge number of bugfixes. Please see https://curl.se/ch/ for full changelogs. The following package changes have been done: - glibc-2.38-150600.14.37.1 updated - opencv4-cascades-data-4.11.0-150600.1.12 updated - glibc-devel-2.38-150600.14.37.1 updated - libavutil56_70-4.4.6-150600.13.30.1 updated - libswscale5_9-4.4.6-150600.13.30.1 updated - libswresample3_9-4.4.6-150600.13.30.1 updated - libpostproc55_9-4.4.6-150600.13.30.1 updated - libavresample4_0-4.4.6-150600.13.30.1 updated - libopenssl3-3.1.4-150600.5.36.4 updated - libavcodec58_134-4.4.6-150600.13.30.1 updated - openssl-3-3.1.4-150600.5.36.4 updated - libopencv411-4.11.0-150600.1.12 updated - libpq5-17.6-150600.13.16.1 updated - libopencv_objdetect411-4.11.0-150600.1.12 updated - libopencv_imgcodecs411-4.11.0-150600.1.12 updated - libcurl4-8.14.1-150600.4.28.1 updated - libavformat58_76-4.4.6-150600.13.30.1 updated - libopencv_face411-4.11.0-150600.1.12 updated - libopencv_aruco411-4.11.0-150600.1.12 updated - libopencv_ximgproc411-4.11.0-150600.1.12 updated - pam-1.3.0-150000.6.86.1 updated - libavfilter7_110-4.4.6-150600.13.30.1 updated - libopencv_optflow411-4.11.0-150600.1.12 updated - python311-safetensors-0.4.3-150600.1.23 updated - python311-psycopg2-2.9.9-150600.1.23 updated - python311-primp-0.15.0-150600.1.4 updated - python311-orjson-3.10.7-150600.1.27 updated - python311-numpy1-1.26.4-150600.1.58 updated - python311-jiter-0.5.0-150600.1.22 updated - python311-certifi-2024.7.4-150600.1.51 updated - python311-cchardet-2.1.19-150600.1.48 updated - python311-bcrypt-4.3.0-150600.1.4 updated - libavdevice58_13-4.4.6-150600.13.30.1 updated - libopencv_gapi411-4.11.0-150600.1.12 updated - python311-pydantic-core-2.35.1-150600.1.2 updated - python311-scipy-1.14.1-150600.1.58 updated - python311-pyarrow-17.0.0-150600.2.47 
updated - python311-deepdiff-6.3.0-150600.3.3.1 updated - ffmpeg-4-4.4.6-150600.13.30.1 updated - python311-pandas-2.2.3-150600.1.65 updated - python311-cryptography-43.0.1-150600.1.26 updated - python311-pycrdt-0.12.26-150600.1.2 updated - libopencv_videoio411-4.11.0-150600.1.12 updated - python311-scikit-learn-1.5.1-150600.1.60 updated - libopencv_highgui411-4.11.0-150600.1.12 updated - python311-tiktoken-0.7.0-150600.1.23 updated - python311-opencv-4.11.0-150600.1.12 updated - python311-tokenizers-0.20.0-150600.1.23 updated - container:registry.suse.com-bci-bci-base-15.6-d13d6758550c72c08b54298b7fb20e8d426127b4692f4b115373e2175184ada8-0 updated - container:registry.suse.com-bci-bci-micro-15.6-1998c870659774535cf3fcd5f21bf2171bcd511edd7b5515cb3aa1c420e8a441-0 updated From sle-container-updates at lists.suse.com Tue Sep 16 14:55:00 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Tue, 16 Sep 2025 16:55:00 +0200 (CEST) Subject: SUSE-CU-2025:6849-1: Security update of rancher/elemental-operator Message-ID: <20250916145500.36564F782@maintenance.suse.de> SUSE Container Update Advisory: rancher/elemental-operator ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:6849-1 Container Tags : rancher/elemental-operator:1.7.3 , rancher/elemental-operator:1.7.3-3.11 , rancher/elemental-operator:latest Container Release : 3.11 Severity : moderate Type : security References : 1227052 1230262 1232526 1234820 1236270 1236507 1237442 1237641 1238491 1239566 1239938 1240788 1241549 1243767 1243991 1244050 CVE-2023-45288 CVE-2024-11218 CVE-2024-40896 CVE-2024-6104 CVE-2024-9407 CVE-2025-27144 CVE-2025-5278 ----------------------------------------------------------------- The container rancher/elemental-operator was updated. 
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: 197 Released: Thu Jul 31 13:53:17 2025 Summary: Recommended update for gcc14 Type: recommended Severity: moderate References: 1230262,1232526,1234820,1237442,1238491,1239566,1239938,1240788,1241549,1243991,1244050,CVE-2024-40896 This update for gcc14 fixes the following issues: - Exclude shared objects present for link editing in the GCC specific subdirectory from provides processing via __provides_exclude_from. [bsc#1244050][bsc#1243991] - Update to GCC 14.3 release, bb24b4c804f3d95b0ba95b7496, git11799 - Update to gcc-14 branch head, 3418d740b344e0ba38022f3be, git11702 - Fix build on s390x [bsc#1241549] - Make sure link editing is done against our own shared library copy rather than the installed system runtime. [bsc#1240788] - cross-compiler builds with --enable-host-pie. - Allow GCC executables to be built PIE. [bsc#1239938] - Backport -msplit-patch-nops required for user-space livepatching on powerpc. - Also record -D_FORTIFY_SOURCE=2 in the DWARF debug info DW_AT_producer string. [bsc#1239566] - Disable profiling during build when %want_reproducible_builds is set [bsc#1238491] - Update to gcc-14 branch head, 9ffecde121af883b60bbe60d0, git11321 * fixes reported ICE in [bsc#1237442] - Adjust cross compiler requirements to use %requires_ge - Fix condition on whether to enable plugins or JIT support to not check sle_version which is not defined in SLFO but to check is_opensuse and suse_version instead. - For cross compilers require the same or newer binutils, newlib or cross-glibc that was used at build time. 
[bsc#1232526] - Update to gcc-14 branch head, 4af44f2cf7d281f3e4f3957ef, git10750 * includes libstdc++6 fix for parsing tzdata 2024b [gcc#116657] - Fix ICE with LTO building openvino on aarch64 [bsc#1230262] ----------------------------------------------------------------- Advisory ID: 238 Released: Thu Aug 28 17:15:06 2025 Summary: Security update for coreutils Type: security Severity: moderate References: 1227052,1236270,1236507,1237641,1243767,CVE-2023-45288,CVE-2024-11218,CVE-2024-6104,CVE-2024-9407,CVE-2025-27144,CVE-2025-5278 This update for coreutils fixes the following issues: - CVE-2025-5278: Sort with key character offsets of SIZE_MAX, could induce a read of 1 byte before an allocated heap buffer (bsc#1243767). The following package changes have been done: - compat-usrmerge-tools-84.87-slfo.1.1_1.5 updated - elemental-operator-1.7.3-slfo.1.1_1.1 updated - system-user-root-20190513-slfo.1.1_1.2 updated - filesystem-84.87-slfo.1.1_1.2 updated - glibc-2.38-slfo.1.1_4.1 updated - libtasn1-6-4.19.0-slfo.1.1_2.1 updated - libpcre2-8-0-10.42-slfo.1.1_1.4 updated - libgmp10-6.3.0-slfo.1.1_1.5 updated - libgcc_s1-14.3.0+git11799-slfo.1.1_1.1 updated - libffi8-3.4.6-slfo.1.1_1.4 updated - libcap2-2.69-slfo.1.1_1.3 updated - libattr1-2.5.1-slfo.1.1_1.3 updated - libacl1-2.3.1-slfo.1.1_1.3 updated - libselinux1-3.5-slfo.1.1_1.3 updated - libstdc++6-14.3.0+git11799-slfo.1.1_1.1 updated - libp11-kit0-0.25.3-slfo.1.1_1.2 updated - libncurses6-6.4.20240224-slfo.1.1_1.5 updated - terminfo-base-6.4.20240224-slfo.1.1_1.5 updated - p11-kit-0.25.3-slfo.1.1_1.2 updated - p11-kit-tools-0.25.3-slfo.1.1_1.2 updated - libreadline8-8.2-slfo.1.1_1.4 updated - bash-5.2.15-slfo.1.1_1.6 updated - bash-sh-5.2.15-slfo.1.1_1.6 updated - coreutils-9.4-slfo.1.1_2.1 updated - ca-certificates-2+git20240805.fd24d50-slfo.1.1_1.2 updated - ca-certificates-mozilla-2.74-slfo.1.1_1.1 updated - container:suse-toolbox-image-1.0.0-4.70 updated From sle-container-updates at lists.suse.com Tue Sep 16 
14:55:16 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Tue, 16 Sep 2025 16:55:16 +0200 (CEST) Subject: SUSE-CU-2025:6850-1: Security update of rancher/seedimage-builder Message-ID: <20250916145516.526ABF782@maintenance.suse.de> SUSE Container Update Advisory: rancher/seedimage-builder ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:6850-1 Container Tags : rancher/seedimage-builder:1.7.3 , rancher/seedimage-builder:1.7.3-3.11 , rancher/seedimage-builder:latest Container Release : 3.11 Severity : important Type : security References : 1216091 1218459 1219458 1219724 1220262 1221107 1223880 1223947 1227052 1228216 1229069 1229272 1230007 1230262 1230596 1231284 1232526 1233785 1234027 1234820 1235147 1235849 1236217 1236270 1236507 1236801 1236839 1237442 1237641 1238491 1239566 1239938 1240414 1240788 1241052 1241083 1241549 1242827 1243226 1243397 1243706 1243767 1243933 1243935 1243991 1244050 1244079 1244554 1244555 1244557 1244580 1244700 1245309 1245310 1245311 1245312 1245314 1245317 1246197 1246296 1247074 CVE-2022-47930 CVE-2023-31315 CVE-2023-45288 CVE-2023-50782 CVE-2024-10846 CVE-2024-11218 CVE-2024-11218 CVE-2024-11498 CVE-2024-11741 CVE-2024-13484 CVE-2024-2236 CVE-2024-2410 CVE-2024-24806 CVE-2024-34062 CVE-2024-35177 CVE-2024-36402 CVE-2024-36403 CVE-2024-3727 CVE-2024-40896 CVE-2024-45336 CVE-2024-45337 CVE-2024-45339 CVE-2024-45340 CVE-2024-45341 CVE-2024-47770 CVE-2024-50354 CVE-2024-51491 CVE-2024-52281 CVE-2024-52594 CVE-2024-52602 CVE-2024-52791 CVE-2024-53263 CVE-2024-5594 CVE-2024-56138 CVE-2024-56323 CVE-2024-56406 CVE-2024-56515 CVE-2024-6104 CVE-2024-8508 CVE-2024-9312 CVE-2024-9313 CVE-2024-9407 CVE-2025-0377 CVE-2025-0750 CVE-2025-20033 CVE-2025-20086 CVE-2025-20088 CVE-2025-20621 CVE-2025-21088 CVE-2025-22149 CVE-2025-22445 CVE-2025-22449 CVE-2025-22865 CVE-2025-22866 CVE-2025-22866 CVE-2025-22867 CVE-2025-22867 CVE-2025-22868 
CVE-2025-22869 CVE-2025-23028 CVE-2025-23047 CVE-2025-23208 CVE-2025-23216 CVE-2025-24030 CVE-2025-24337 CVE-2025-24354 CVE-2025-24355 CVE-2025-24366 CVE-2025-24369 CVE-2025-24371 CVE-2025-24376 CVE-2025-24784 CVE-2025-24786 CVE-2025-24787 CVE-2025-24883 CVE-2025-24884 CVE-2025-27144 CVE-2025-31115 CVE-2025-40909 CVE-2025-4598 CVE-2025-4877 CVE-2025-4878 CVE-2025-4947 CVE-2025-49794 CVE-2025-49795 CVE-2025-49796 CVE-2025-5025 CVE-2025-5278 CVE-2025-5318 CVE-2025-5351 CVE-2025-5372 CVE-2025-5399 CVE-2025-5987 CVE-2025-6018 CVE-2025-6021 CVE-2025-6170 CVE-2025-7425 ----------------------------------------------------------------- The container rancher/seedimage-builder was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: 187 Released: Fri Jul 18 11:07:15 2025 Summary: Recommended update for rpm Type: recommended Severity: important References: 1216091,1218459,1235849,1241052 This update for rpm fixes the following issues: - fix --runposttrans not working correctly with the --root option [bsc#1216091] * added 'rpm_fixed_runposttrans' provides for libzypp - print scriptlet messages in --runposttrans * needed to fix leaking tmp files [bsc#1218459] - fix memory leak in str2locale [bsc#1241052] ----------------------------------------------------------------- Advisory ID: 191 Released: Mon Jul 28 16:35:09 2025 Summary: Security update for perl Type: security Severity: important References: 1233785,1241083,1244079,CVE-2024-11498,CVE-2024-56406,CVE-2025-40909 This update for perl fixes the following issues: - CVE-2024-56406: Fixed heap buffer overflow when transliterating non-ASCII bytes (bsc#1241083) - CVE-2025-40909: Fixed a working directory race condition causing file operations to target unintended paths (bsc#1244079) ----------------------------------------------------------------- Advisory ID: 192 Released: Mon Jul 28 16:36:18 2025 Summary: Security update for pam-config 
Type: security Severity: important References: 1223880,1243226,CVE-2024-34062,CVE-2025-6018 This update for pam-config fixes the following issues: - CVE-2025-6018: Stop adding pam_env in AUTH stack, and be sure to put this module at the very end of the SESSION stack. (bsc#1243226) ----------------------------------------------------------------- Advisory ID: 197 Released: Thu Jul 31 13:53:17 2025 Summary: Recommended update for gcc14 Type: recommended Severity: moderate References: 1230262,1232526,1234820,1237442,1238491,1239566,1239938,1240788,1241549,1243991,1244050,CVE-2024-40896 This update for gcc14 fixes the following issues: - Exclude shared objects present for link editing in the GCC specific subdirectory from provides processing via __provides_exclude_from. [bsc#1244050][bsc#1243991] - Update to GCC 14.3 release, bb24b4c804f3d95b0ba95b7496, git11799 - Update to gcc-14 branch head, 3418d740b344e0ba38022f3be, git11702 - Fix build on s390x [bsc#1241549] - Make sure link editing is done against our own shared library copy rather than the installed system runtime. [bsc#1240788] - cross-compiler builds with --enable-host-pie. - Allow GCC executables to be built PIE. [bsc#1239938] - Backport -msplit-patch-nops required for user-space livepatching on powerpc. - Also record -D_FORTIFY_SOURCE=2 in the DWARF debug info DW_AT_producer string. [bsc#1239566] - Disable profiling during build when %want_reproducible_builds is set [bsc#1238491] - Update to gcc-14 branch head, 9ffecde121af883b60bbe60d0, git11321 * fixes reported ICE in [bsc#1237442] - Adjust cross compiler requirements to use %requires_ge - Fix condition on whether to enable plugins or JIT support to not check sle_version which is not defined in SLFO but to check is_opensuse and suse_version instead. - For cross compilers require the same or newer binutils, newlib or cross-glibc that was used at build time.
[bsc#1232526] - Update to gcc-14 branch head, 4af44f2cf7d281f3e4f3957ef, git10750 * includes libstdc++6 fix for parsing tzdata 2024b [gcc#116657] - Fix ICE with LTO building openvino on aarch64 [bsc#1230262] ----------------------------------------------------------------- Advisory ID: 196 Released: Thu Jul 31 14:00:30 2025 Summary: Security update for libgcrypt Type: security Severity: moderate References: 1221107,1235147,CVE-2024-2236,CVE-2024-5594 This update for libgcrypt fixes the following issues: - CVE-2024-2236: Fixed timing based side-channel in RSA implementation (bsc#1221107) ----------------------------------------------------------------- Advisory ID: 206 Released: Fri Aug 8 12:26:24 2025 Summary: Security update for xz Type: security Severity: important References: 1219724,1240414,CVE-2024-24806,CVE-2025-31115 This update for xz fixes the following issues: - CVE-2025-31115: Fixed heap use after free and writing to an address based on the null pointer plus an offset (bsc#1240414) ----------------------------------------------------------------- Advisory ID: 215 Released: Thu Aug 14 12:12:18 2025 Summary: Security update for openssl-3 Type: security Severity: moderate References: 1220262,1236217,1236801,1236839,CVE-2023-50782,CVE-2025-22866,CVE-2025-22867 This update for openssl-3 fixes the following issues: - CVE-2023-50782: Implicit rejection in PKCS#1 v1.5 (bsc#1220262) ----------------------------------------------------------------- Advisory ID: 213 Released: Thu Aug 14 12:19:26 2025 Summary: Security update for libssh Type: security Severity: important References: 1231284,1245309,1245310,1245311,1245312,1245314,1245317,CVE-2024-8508,CVE-2025-4877,CVE-2025-4878,CVE-2025-5318,CVE-2025-5351,CVE-2025-5372,CVE-2025-5987 This update for libssh fixes the following issues: - CVE-2025-5372: ssh_kdf() returns a success code on certain failures (bsc#1245314) - CVE-2025-5987: Invalid return code for chacha20 poly1305 with OpenSSL backend (bsc#1245317) - 
CVE-2025-4877: Write beyond bounds in binary to base64 conversion functions (bsc#1245309) - CVE-2025-4878: Use of uninitialized variable in privatekey_from_file() (bsc#1245310) - CVE-2025-5318: Likely read beyond bounds in sftp server handle management (bsc#1245311) - CVE-2025-5351: Double free in functions exporting keys (bsc#1245312) ----------------------------------------------------------------- Advisory ID: 218 Released: Sat Aug 16 13:46:56 2025 Summary: Security update for systemd Type: security Severity: moderate References: 1219458,1229069,1229272,1230007,1230596,1234027,1242827,1243935,1247074,CVE-2023-31315,CVE-2025-4598 This update for systemd fixes the following issues: - Remove the script used to help migrating the language and locale settings located in /etc/sysconfig/language on old systems to the systemd default locations (bsc#1247074) The script was introduced more than 7 years ago and all systems running TW should have been migrated since then. Moreover the installer supports the systemd default locations since approximately SLE15. - triggers.systemd: skip update of hwdb, journal-catalog if executed during an offline update. 
- logs-show: get timestamp and boot ID only when necessary (bsc#1242827) - sd-journal: drop to use Hashmap to manage journal files per boot ID - tree-wide: set SD_JOURNAL_ASSUME_IMMUTABLE where appropriate - sd-journal: introduce SD_JOURNAL_ASSUME_IMMUTABLE flag - sd-journal: make journal_file_read_tail_timestamp() notify to the caller that some new journal entries added - sd-journal: cache last entry offset and journal file state - sd-journal: fix typo in function name - coredump: use %d in kernel core pattern (bsc#1243935 CVE-2025-4598) ----------------------------------------------------------------- Advisory ID: 227 Released: Fri Aug 22 14:33:27 2025 Summary: Recommended update for elemental-toolkit Type: recommended Severity: moderate References: 1228216 This update for elemental-toolkit fixes the following issues: - Update to v2.2.4: * Avoid panic when MaxSnaps is set to 0 ----------------------------------------------------------------- Advisory ID: 236 Released: Wed Aug 27 11:46:23 2025 Summary: Security update for libxml2 Type: security Severity: important References: 
1244554,1244555,1244557,1244580,1244700,1246296,CVE-2022-47930,CVE-2024-10846,CVE-2024-11218,CVE-2024-11741,CVE-2024-13484,CVE-2024-35177,CVE-2024-36402,CVE-2024-36403,CVE-2024-3727,CVE-2024-45336,CVE-2024-45337,CVE-2024-45339,CVE-2024-45340,CVE-2024-45341,CVE-2024-47770,CVE-2024-50354,CVE-2024-51491,CVE-2024-52281,CVE-2024-52594,CVE-2024-52602,CVE-2024-52791,CVE-2024-53263,CVE-2024-56138,CVE-2024-56323,CVE-2024-56515,CVE-2024-9312,CVE-2024-9313,CVE-2025-0377,CVE-2025-0750,CVE-2025-20033,CVE-2025-20086,CVE-2025-20088,CVE-2025-20621,CVE-2025-21088,CVE-2025-22149,CVE-2025-22445,CVE-2025-22449,CVE-2025-22865,CVE-2025-22866,CVE-2025-22867,CVE-2025-22868,CVE-2025-22869,CVE-2025-23028,CVE-2025-23047,CVE-2025-23208,CVE-2025-23216,CVE-2025-24030,CVE-2025-24337,CVE-2025-24354,CVE-2025-24355,CVE-2025-24366,CVE-2025-24369,CVE-2025-24371,CVE-2025-24376,CVE-2025-24784,CVE-2025-24786,CVE-2025-24787,CVE-2025-24883,CVE-2025-24884,CVE-2025-49794,CVE-2025-49795,CVE-2025-49796,CVE-2025-6021,CVE-2025-6170,CVE-2025-7425 This update for libxml2 fixes the following issues: - CVE-2025-6021: Integer Overflow in xmlBuildQName() Leads to Stack Buffer Overflow in libxml2 [bsc#1244580] - CVE-2025-6170: stack buffer overflow may lead to a crash [bsc#1244700] - CVE-2025-7425: Heap Use-After-Free in libxslt caused by atype corruption in xmlAttrPtr [bsc#1246296] - CVE-2025-49794: heap use after free (UAF) can lead to Denial of service (DoS) [bsc#1244554] - CVE-2025-49795: null pointer dereference may lead to Denial of service (DoS) [bsc#1244555] - CVE-2025-49796: type confusion may lead to Denial of service (DoS) [bsc#1244557] ----------------------------------------------------------------- Advisory ID: 238 Released: Thu Aug 28 17:15:06 2025 Summary: Security update for coreutils Type: security Severity: moderate References: 1227052,1236270,1236507,1237641,1243767,CVE-2023-45288,CVE-2024-11218,CVE-2024-6104,CVE-2024-9407,CVE-2025-27144,CVE-2025-5278 This update for coreutils fixes the following
issues: - CVE-2025-5278: Sort with key character offsets of SIZE_MAX, could induce a read of 1 byte before an allocated heap buffer (bsc#1243767). ----------------------------------------------------------------- Advisory ID: 254 Released: Tue Sep 9 12:22:04 2025 Summary: Security update for curl Type: security Severity: important References: 1223947,1243397,1243706,1243933,1246197,CVE-2024-2410,CVE-2025-4947,CVE-2025-5025,CVE-2025-5399 This update for curl fixes the following issues: - CVE-2025-5399: libcurl can possibly get trapped in an endless busy-loop when processing specially crafted packets (bsc#1243933). - CVE-2025-5025: No QUIC certificate pinning with wolfSSL (bsc#1243706). - CVE-2025-4947: QUIC certificate check skip with wolfSSL (bsc#1243397). Other bugfixes: - Fix the --ftp-pasv option in curl v8.14.1 (bsc#1246197). The following package changes have been done: - boost-license1_84_0-1.84.0-slfo.1.1_1.4 updated - btrfsprogs-udev-rules-6.8.1-slfo.1.1_1.2 updated - compat-usrmerge-tools-84.87-slfo.1.1_1.5 updated - crypto-policies-20230920.570ea89-slfo.1.1_1.2 updated - elemental-httpfy-1.7.3-slfo.1.1_1.1 updated - elemental-seedimage-hooks-1.7.3-slfo.1.1_1.1 updated - libsemanage-conf-3.5-slfo.1.1_1.3 updated - libssh-config-0.10.6-slfo.1.1_2.1 updated - pkgconf-m4-1.8.0-slfo.1.1_1.5 updated - system-user-root-20190513-slfo.1.1_1.2 updated - filesystem-84.87-slfo.1.1_1.2 updated - glibc-2.38-slfo.1.1_4.1 updated - libzstd1-1.5.5-slfo.1.1_1.4 updated - libz1-1.2.13-slfo.1.1_1.3 updated - libxxhash0-0.8.1-slfo.1.1_2.1 updated - libverto1-0.3.2-slfo.1.1_1.2 updated - libuuid1-2.40.4-slfo.1.1_1.1 updated - liburcu8-0.14.0-slfo.1.1_1.3 updated - libunistring5-1.1-slfo.1.1_1.2 updated - libtextstyle0-0.21.1-slfo.1.1_2.1 updated - libtasn1-6-4.19.0-slfo.1.1_2.1 updated - libsmartcols1-2.40.4-slfo.1.1_1.1 updated - libsepol2-3.5-slfo.1.1_1.3 updated - libseccomp2-2.5.4-slfo.1.1_1.4 updated - libsasl2-3-2.1.28-slfo.1.1_1.2 updated - libpopt0-1.19-slfo.1.1_1.3 
updated - libpkgconf3-1.8.0-slfo.1.1_1.5 updated - libpcre2-8-0-10.42-slfo.1.1_1.4 updated - libparted-fs-resize0-3.5-slfo.1.1_1.2 updated - libnss_usrfiles2-2.27-slfo.1.1_1.3 updated - libnghttp2-14-1.52.0-slfo.1.1_1.4 updated - liblzo2-2-2.10-slfo.1.1_1.3 updated - liblzma5-5.4.3-slfo.1.1_2.1 updated - liblz4-1-1.9.4-slfo.1.1_1.2 updated - liblua5_4-5-5.4.6-slfo.1.1_1.3 updated - libkeyutils1-1.6.3-slfo.1.1_1.3 updated - libjson-c5-0.16-slfo.1.1_1.2 updated - libjitterentropy3-3.4.1-slfo.1.1_1.3 updated - libip4tc2-1.8.9-slfo.1.1_2.1 updated - libgpg-error0-1.47-slfo.1.1_1.3 updated - libgmp10-6.3.0-slfo.1.1_1.5 updated - libgcc_s1-14.3.0+git11799-slfo.1.1_1.1 updated - libfuse2-2.9.9-slfo.1.1_1.2 updated - libffi8-3.4.6-slfo.1.1_1.4 updated - libexpat1-2.7.1-slfo.1.1_1.1 updated - libeconf0-0.7.2-slfo.1.1_1.3 updated - libcrypt1-4.4.36-slfo.1.1_1.4 updated - libcom_err2-1.47.0-slfo.1.1_1.2 updated - libcap2-2.69-slfo.1.1_1.3 updated - libcap-ng0-0.8.3-slfo.1.1_1.4 updated - libbz2-1-1.0.8-slfo.1.1_1.4 updated - libburn4-1.5.4-slfo.1.1_1.2 updated - libbtrfsutil1-6.8.1-slfo.1.1_1.2 updated - libbtrfs0-6.8.1-slfo.1.1_1.2 updated - libbrotlicommon1-1.1.0-slfo.1.1_1.3 updated - libaudit1-3.1.1-slfo.1.1_1.3 updated - libattr1-2.5.1-slfo.1.1_1.3 updated - libargon2-1-20190702-slfo.1.1_1.2 updated - libalternatives1-1.2+30.a5431e9-slfo.1.1_1.3 updated - libaio1-0.3.113-slfo.1.1_1.2 updated - libacl1-2.3.1-slfo.1.1_1.3 updated - fillup-1.42-slfo.1.1_2.2 updated - dosfstools-4.2-slfo.1.1_1.2 updated - diffutils-3.10-slfo.1.1_1.3 updated - libpng16-16-1.6.43-slfo.1.1_1.2 updated - libidn2-0-2.3.4-slfo.1.1_1.2 updated - pkgconf-1.8.0-slfo.1.1_1.5 updated - libselinux1-3.5-slfo.1.1_1.3 updated - netcfg-11.6-slfo.1.1_1.2 updated - libxml2-2-2.11.6-slfo.1.1_6.1 updated - squashfs-4.6.1-slfo.1.1_1.2 updated - libgcrypt20-1.10.3-slfo.1.1_2.1 updated - libstdc++6-14.3.0+git11799-slfo.1.1_1.1 updated - libp11-kit0-0.25.3-slfo.1.1_1.2 updated - libblkid1-2.40.4-slfo.1.1_1.1 
updated - perl-base-5.38.2-slfo.1.1_2.1 updated - libext2fs2-1.47.0-slfo.1.1_1.2 updated - libudev1-254.27-slfo.1.1_1.1 updated - chkstat-1600_20240206-slfo.1.1_1.5 updated - libzio1-1.08-slfo.1.1_1.3 updated - libjte2-1.22-slfo.1.1_1.2 updated - libbrotlidec1-1.1.0-slfo.1.1_1.3 updated - alts-1.2+30.a5431e9-slfo.1.1_1.3 updated - libpsl5-0.21.2-slfo.1.1_1.2 updated - sed-4.9-slfo.1.1_1.2 updated - libsubid4-4.15.1-slfo.1.1_1.3 updated - libsemanage2-3.5-slfo.1.1_1.3 updated - findutils-4.9.0-slfo.1.1_2.1 updated - libsystemd0-254.27-slfo.1.1_1.1 updated - libncurses6-6.4.20240224-slfo.1.1_1.5 updated - terminfo-base-6.4.20240224-slfo.1.1_1.5 updated - libinih0-56-slfo.1.1_1.3 updated - libboost_thread1_84_0-1.84.0-slfo.1.1_1.4 updated - p11-kit-0.25.3-slfo.1.1_1.2 updated - p11-kit-tools-0.25.3-slfo.1.1_1.2 updated - libmount1-2.40.4-slfo.1.1_1.1 updated - libfdisk1-2.40.4-slfo.1.1_1.1 updated - libisofs6-1.5.4-slfo.1.1_1.2 updated - libfreetype6-2.13.3-slfo.1.1_1.1 updated - ncurses-utils-6.4.20240224-slfo.1.1_1.5 updated - libreadline8-8.2-slfo.1.1_1.4 updated - libedit0-20210910.3.1-slfo.1.1_1.3 updated - gptfdisk-1.0.9-slfo.1.1_2.1 updated - libisoburn1-1.5.4-slfo.1.1_1.2 updated - bash-5.2.15-slfo.1.1_1.6 updated - bash-sh-5.2.15-slfo.1.1_1.6 updated - xz-5.4.3-slfo.1.1_2.1 updated - systemd-default-settings-branding-openSUSE-0.7-slfo.1.1_1.2 updated - systemd-default-settings-0.7-slfo.1.1_1.2 updated - pkgconf-pkg-config-1.8.0-slfo.1.1_1.5 updated - login_defs-4.15.1-slfo.1.1_1.3 updated - libdevmapper1_03-2.03.22_1.02.196-slfo.1.1_1.3 updated - gzip-1.13-slfo.1.1_2.4 updated - grep-3.11-slfo.1.1_1.2 updated - gettext-runtime-0.21.1-slfo.1.1_2.1 updated - coreutils-9.4-slfo.1.1_2.1 updated - ALP-dummy-release-0.1-slfo.1.1_1.5 updated - libparted2-3.5-slfo.1.1_1.2 updated - libdevmapper-event1_03-2.03.22_1.02.196-slfo.1.1_1.3 updated - info-7.0.3-slfo.1.1_1.3 updated - xfsprogs-6.5.0-slfo.1.1_1.2 updated - thin-provisioning-tools-0.9.0-slfo.1.1_1.4 updated - 
systemd-rpm-macros-24-slfo.1.1_1.2 updated - systemd-presets-common-SUSE-15-slfo.1.1_1.2 updated - rpm-config-SUSE-20240214-slfo.1.1_1.2 updated - rpm-4.18.0-slfo.1.1_2.1 updated - permissions-config-1600_20240206-slfo.1.1_1.5 updated - glibc-locale-base-2.38-slfo.1.1_4.1 updated - e2fsprogs-1.47.0-slfo.1.1_1.2 updated - ca-certificates-2+git20240805.fd24d50-slfo.1.1_1.2 updated - ca-certificates-mozilla-2.74-slfo.1.1_1.1 updated - btrfsprogs-6.8.1-slfo.1.1_1.2 updated - parted-3.5-slfo.1.1_1.2 updated - liblvm2cmd2_03-2.03.22-slfo.1.1_1.3 updated - xorriso-1.5.4-slfo.1.1_1.2 updated - device-mapper-2.03.22_1.02.196-slfo.1.1_1.3 updated - systemd-presets-branding-ALP-transactional-20230214-slfo.1.1_1.2 updated - permissions-1600_20240206-slfo.1.1_1.5 updated - mtools-4.0.43-slfo.1.1_1.2 updated - libopenssl3-3.1.4-slfo.1.1_6.1 updated - pam-1.6.1-slfo.1.1_3.1 updated - grub2-2.12-slfo.1.1_1.17 updated - grub2-i386-pc-2.12-slfo.1.1_1.17 updated - suse-module-tools-16.0.43-slfo.1.1_1.2 updated - kmod-32-slfo.1.1_1.2 updated - rsync-3.3.0-slfo.1.1_3.1 updated - libldap2-2.6.4-slfo.1.1_1.2 updated - libkmod2-32-slfo.1.1_1.2 updated - libcryptsetup12-2.6.1-slfo.1.1_1.2 updated - krb5-1.21.3-slfo.1.1_2.1 updated - util-linux-2.40.4-slfo.1.1_1.1 updated - shadow-4.15.1-slfo.1.1_1.3 updated - pam-config-2.11+git.20240906-slfo.1.1_2.1 updated - kbd-2.6.4-slfo.1.1_1.3 updated - libssh4-0.10.6-slfo.1.1_2.1 updated - libsnapper7-0.11.2-slfo.1.1_1.2 updated - aaa_base-84.87+git20240906.742565b-slfo.1.1_1.2 updated - libcurl4-8.14.1-slfo.1.1_1.1 updated - dbus-1-daemon-1.14.10-slfo.1.1_1.2 updated - curl-8.14.1-slfo.1.1_1.1 updated - dbus-1-tools-1.14.10-slfo.1.1_1.2 updated - systemd-254.27-slfo.1.1_1.1 updated - sysuser-shadow-3.1-slfo.1.1_1.2 updated - dbus-1-common-1.14.10-slfo.1.1_1.2 updated - libdbus-1-3-1.14.10-slfo.1.1_1.2 updated - dbus-1-1.14.10-slfo.1.1_1.2 updated - system-group-kvm-20170617-slfo.1.1_1.2 updated - system-group-hardware-20170617-slfo.1.1_1.2 updated 
- udev-254.27-slfo.1.1_1.1 updated - snapper-0.11.2-slfo.1.1_1.2 updated - lvm2-2.03.22-slfo.1.1_1.3 updated - elemental-toolkit-2.2.4-slfo.1.1_1.1 updated - container:suse-toolbox-image-1.0.0-4.70 updated - file-magic-5.44-4.151 removed - kbd-legacy-2.6.4-1.3 removed - libmagic1-5.44-4.151 removed From sle-container-updates at lists.suse.com Tue Sep 16 15:00:43 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Tue, 16 Sep 2025 17:00:43 +0200 (CEST) Subject: SUSE-CU-2025:6852-1: Security update of bci/python Message-ID: <20250916150043.EB918FB9C@maintenance.suse.de> SUSE Container Update Advisory: bci/python ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:6852-1 Container Tags : bci/python:3 , bci/python:3.12 , bci/python:3.12.11 , bci/python:3.12.11-72.27 Container Release : 72.27 Severity : important Type : security References : 1228260 1236589 1243397 1243706 1243933 1246197 1249191 1249348 1249367 CVE-2024-6874 CVE-2025-0665 CVE-2025-10148 CVE-2025-4947 CVE-2025-5025 CVE-2025-5399 CVE-2025-9086 ----------------------------------------------------------------- The container bci/python was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:3198-1 Released: Fri Sep 12 14:15:08 2025 Summary: Security update for curl Type: security Severity: important References: 1228260,1236589,1243397,1243706,1243933,1246197,1249191,1249348,1249367,CVE-2024-6874,CVE-2025-0665,CVE-2025-10148,CVE-2025-4947,CVE-2025-5025,CVE-2025-5399,CVE-2025-9086 This update for curl fixes the following issues: Update to version 8.14.1 (jsc#PED-13055, jsc#PED-13056). Security issues fixed: - CVE-2025-0665: eventfd double close can cause libcurl to act unreliably (bsc#1236589). - CVE-2025-4947: QUIC certificate check is skipped with wolfSSL allows for MITM attacks (bsc#1243397). 
- CVE-2025-5025: no QUIC certificate pinning with wolfSSL can lead to connections to impostor servers that are not easily noticed (bsc#1243706). - CVE-2025-5399: bug in websocket code can cause libcurl to get trapped in an endless busy-loop when processing specially crafted packets (bsc#1243933). - CVE-2024-6874: punycode conversions to/from IDN can leak stack content when libcurl is built to use the macidn IDN backend (bsc#1228260). - CVE-2025-9086: bug in path comparison logic when processing cookies can lead to out-of-bounds read in heap buffer (bsc#1249191). - CVE-2025-10148: predictable websocket mask can lead to proxy cache poisoning by malicious server (bsc#1249348). Other issues fixed: - Fix wrong return code when --retry is used (bsc#1249367). * tool_operate: fix return code when --retry is used but not triggered [b42776b] - Fix the --ftp-pasv option in curl v8.14.1 (bsc#1246197). * tool_getparam: fix --ftp-pasv [5f805ee] - Fixed with version 8.14.1: * TLS: add CURLOPT_SSL_SIGNATURE_ALGORITHMS and --sigalgs. * websocket: add option to disable auto-pong reply. * huge number of bugfixes. Please see https://curl.se/ch/ for full changelogs.
The following package changes have been done: - libcurl4-8.14.1-150600.4.28.1 updated - curl-8.14.1-150600.4.28.1 updated - container:registry.suse.com-bci-bci-base-15.6-d13d6758550c72c08b54298b7fb20e8d426127b4692f4b115373e2175184ada8-0 updated From sle-container-updates at lists.suse.com Wed Sep 17 07:09:45 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Wed, 17 Sep 2025 09:09:45 +0200 (CEST) Subject: SUSE-CU-2025:6862-1: Security update of suse/sle-micro/5.3/toolbox Message-ID: <20250917070945.CEFE7F783@maintenance.suse.de> SUSE Container Update Advisory: suse/sle-micro/5.3/toolbox ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:6862-1 Container Tags : suse/sle-micro/5.3/toolbox:14.2 , suse/sle-micro/5.3/toolbox:14.2-6.11.181 , suse/sle-micro/5.3/toolbox:latest Container Release : 6.11.181 Severity : moderate Type : security References : 1246602 1246604 1247938 1247939 CVE-2025-53905 CVE-2025-53906 CVE-2025-55157 CVE-2025-55158 ----------------------------------------------------------------- The container suse/sle-micro/5.3/toolbox was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:3240-1 Released: Tue Sep 16 21:56:57 2025 Summary: Security update for vim Type: security Severity: moderate References: 1246602,1246604,1247938,1247939,CVE-2025-53905,CVE-2025-53906,CVE-2025-55157,CVE-2025-55158 This update for vim fixes the following issues: Update to version 9.1.1629. - CVE-2025-53905: Fixed a path traversal issue in tar.vim plugin that may allow for file overwriting when opening specially crafted tar files (bsc#1246604). - CVE-2025-53906: Fixed a path traversal issue in zip.vim plugin that may allow for file overwriting when opening specially crafted zip files (bsc#1246602). 
- CVE-2025-55157: Fixed use-after-free in internal tuple reference management (bsc#1247938). - CVE-2025-55158: Fixed double-free in internal typed value (typval_T) management (bsc#1247939). The following package changes have been done: - vim-data-common-9.1.1629-150000.5.78.1 updated - vim-9.1.1629-150000.5.78.1 updated - xxd-9.1.1406-150000.5.75.1 removed From sle-container-updates at lists.suse.com Wed Sep 17 07:12:39 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Wed, 17 Sep 2025 09:12:39 +0200 (CEST) Subject: SUSE-CU-2025:6863-1: Security update of suse/sle-micro-rancher/5.4 Message-ID: <20250917071239.6EE1BF782@maintenance.suse.de> SUSE Container Update Advisory: suse/sle-micro-rancher/5.4 ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:6863-1 Container Tags : suse/sle-micro-rancher/5.4:5.4.4.5.52 , suse/sle-micro-rancher/5.4:latest Container Release : 4.5.52 Severity : moderate Type : security References : 1246602 1246604 1247938 1247939 CVE-2025-53905 CVE-2025-53906 CVE-2025-55157 CVE-2025-55158 ----------------------------------------------------------------- The container suse/sle-micro-rancher/5.4 was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:3240-1 Released: Tue Sep 16 21:56:57 2025 Summary: Security update for vim Type: security Severity: moderate References: 1246602,1246604,1247938,1247939,CVE-2025-53905,CVE-2025-53906,CVE-2025-55157,CVE-2025-55158 This update for vim fixes the following issues: Update to version 9.1.1629. - CVE-2025-53905: Fixed a path traversal issue in tar.vim plugin that may allow for file overwriting when opening specially crafted tar files (bsc#1246604). - CVE-2025-53906: Fixed a path traversal issue in zip.vim plugin that may allow for file overwriting when opening specially crafted zip files (bsc#1246602). 
- CVE-2025-55157: Fixed use-after-free in internal tuple reference management (bsc#1247938). - CVE-2025-55158: Fixed double-free in internal typed value (typval_T) management (bsc#1247939). The following package changes have been done: - vim-data-common-9.1.1629-150000.5.78.1 updated - vim-small-9.1.1629-150000.5.78.1 updated From sle-container-updates at lists.suse.com Wed Sep 17 07:14:27 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Wed, 17 Sep 2025 09:14:27 +0200 (CEST) Subject: SUSE-CU-2025:6864-1: Security update of suse/sle-micro/5.4/toolbox Message-ID: <20250917071427.3349AF782@maintenance.suse.de> SUSE Container Update Advisory: suse/sle-micro/5.4/toolbox ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:6864-1 Container Tags : suse/sle-micro/5.4/toolbox:14.2 , suse/sle-micro/5.4/toolbox:14.2-5.19.181 , suse/sle-micro/5.4/toolbox:latest Container Release : 5.19.181 Severity : moderate Type : security References : 1246602 1246604 1247938 1247939 CVE-2025-53905 CVE-2025-53906 CVE-2025-55157 CVE-2025-55158 ----------------------------------------------------------------- The container suse/sle-micro/5.4/toolbox was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:3240-1 Released: Tue Sep 16 21:56:57 2025 Summary: Security update for vim Type: security Severity: moderate References: 1246602,1246604,1247938,1247939,CVE-2025-53905,CVE-2025-53906,CVE-2025-55157,CVE-2025-55158 This update for vim fixes the following issues: Update to version 9.1.1629. - CVE-2025-53905: Fixed a path traversal issue in tar.vim plugin that may allow for file overwriting when opening specially crafted tar files (bsc#1246604). 
- CVE-2025-53906: Fixed a path traversal issue in zip.vim plugin that may allow for file overwriting when opening specially crafted zip files (bsc#1246602). - CVE-2025-55157: Fixed use-after-free in internal tuple reference management (bsc#1247938). - CVE-2025-55158: Fixed double-free in internal typed value (typval_T) management (bsc#1247939). The following package changes have been done: - vim-data-common-9.1.1629-150000.5.78.1 updated - vim-9.1.1629-150000.5.78.1 updated - xxd-9.1.1406-150000.5.75.1 removed From sle-container-updates at lists.suse.com Wed Sep 17 07:20:52 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Wed, 17 Sep 2025 09:20:52 +0200 (CEST) Subject: SUSE-CU-2025:6868-1: Security update of bci/bci-base-fips Message-ID: <20250917072052.F41DEF782@maintenance.suse.de> SUSE Container Update Advisory: bci/bci-base-fips ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:6868-1 Container Tags : bci/bci-base-fips:15.7 , bci/bci-base-fips:15.7-6.22 , bci/bci-base-fips:latest Container Release : 6.22 Severity : important Type : security References : 1239618 CVE-2024-8176 ----------------------------------------------------------------- The container bci/bci-base-fips was updated. 
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:3239-1 Released: Tue Sep 16 19:04:00 2025 Summary: Security update for expat Type: security Severity: important References: 1239618,CVE-2024-8176 This update for expat fixes the following issues: expat was updated to version 2.7.1: - Bug fixes: - Restore event pointer behavior from Expat 2.6.4 (that the fix to CVE-2024-8176 changed in 2.7.0); affected API functions are: - XML_GetCurrentByteCount - XML_GetCurrentByteIndex - XML_GetCurrentColumnNumber - XML_GetCurrentLineNumber - XML_GetInputContext - Other changes: - Fix printf format specifiers for 32bit Emscripten - docs: Promote OpenSSF Best Practices self-certification - tests/benchmark: Resolve mistaken double close - Address compiler warnings - Version info bumped from 11:1:10 (libexpat*.so.1.10.1) to 11:2:10 (libexpat*.so.1.10.2); see https://verbump.de/ for what these numbers do Version update to 2.7.0 (CVE-2024-8176, bsc#1239618, jsc#PED-12507) * Security fixes: - CVE-2024-8176 -- Fix crash from chaining a large number of entities caused by stack overflow by resolving use of recursion, for all three uses of entities: - general entities in character data ('&g1;') - general entities in attribute values ('') - parameter entities ('%p1;') Known impact is (reliable and easy) denial of service: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:H/RL:O/RC:C (Base Score: 7.5, Temporal Score: 7.2) Please note that a layer of compression around XML can significantly reduce the minimum attack payload size. 
* Other changes: - docs: Add missing documentation of error code XML_ERROR_NOT_STARTED that was introduced with 2.6.4 - docs: Document need for C++11 compiler for use from C++ - Address Cppcheck warnings - Mass-migrate links from http:// to https:// - Document changes since the previous release - Version info bumped from 11:0:10 (libexpat*.so.1.10.0) to 11:1:10 (libexpat*.so.1.10.1); see https://verbump.de/ for what these numbers do The following package changes have been done: - libexpat1-2.7.1-150700.3.3.1 updated From sle-container-updates at lists.suse.com Wed Sep 17 07:20:59 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Wed, 17 Sep 2025 09:20:59 +0200 (CEST) Subject: SUSE-CU-2025:6869-1: Security update of suse/registry Message-ID: <20250917072059.F3BC7F782@maintenance.suse.de> SUSE Container Update Advisory: suse/registry ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:6869-1 Container Tags : suse/registry:2.8 , suse/registry:2.8-7.12 , suse/registry:latest Container Release : 7.12 Severity : important Type : security References : 1239618 CVE-2024-8176 ----------------------------------------------------------------- The container suse/registry was updated. 
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:3239-1 Released: Tue Sep 16 19:04:00 2025 Summary: Security update for expat Type: security Severity: important References: 1239618,CVE-2024-8176 This update for expat fixes the following issues: expat was updated to version 2.7.1: - Bug fixes: - Restore event pointer behavior from Expat 2.6.4 (that the fix to CVE-2024-8176 changed in 2.7.0); affected API functions are: - XML_GetCurrentByteCount - XML_GetCurrentByteIndex - XML_GetCurrentColumnNumber - XML_GetCurrentLineNumber - XML_GetInputContext - Other changes: - Fix printf format specifiers for 32bit Emscripten - docs: Promote OpenSSF Best Practices self-certification - tests/benchmark: Resolve mistaken double close - Address compiler warnings - Version info bumped from 11:1:10 (libexpat*.so.1.10.1) to 11:2:10 (libexpat*.so.1.10.2); see https://verbump.de/ for what these numbers do Version update to 2.7.0 (CVE-2024-8176, bsc#1239618, jsc#PED-12507) * Security fixes: - CVE-2024-8176 -- Fix crash from chaining a large number of entities caused by stack overflow by resolving use of recursion, for all three uses of entities: - general entities in character data ('&g1;') - general entities in attribute values ('') - parameter entities ('%p1;') Known impact is (reliable and easy) denial of service: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:H/RL:O/RC:C (Base Score: 7.5, Temporal Score: 7.2) Please note that a layer of compression around XML can significantly reduce the minimum attack payload size. 
* Other changes:
  - docs: Add missing documentation of error code XML_ERROR_NOT_STARTED that was introduced with 2.6.4
  - docs: Document need for C++11 compiler for use from C++
  - Address Cppcheck warnings
  - Mass-migrate links from http:// to https://
  - Document changes since the previous release
  - Version info bumped from 11:0:10 (libexpat*.so.1.10.0) to 11:1:10 (libexpat*.so.1.10.1); see https://verbump.de/ for what these numbers do

The following package changes have been done:

- libexpat1-2.7.1-150700.3.3.1 updated

From sle-container-updates at lists.suse.com Wed Sep 17 07:21:10 2025
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Wed, 17 Sep 2025 09:21:10 +0200 (CEST)
Subject: SUSE-CU-2025:6870-1: Security update of bci/gcc
Message-ID: <20250917072110.05DAAF782@maintenance.suse.de>

SUSE Container Update Advisory: bci/gcc
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2025:6870-1
Container Tags : bci/gcc:14 , bci/gcc:14.3 , bci/gcc:14.3-11.24 , bci/gcc:latest
Container Release : 11.24
Severity : important
Type : security
References : 1239618 CVE-2024-8176
-----------------------------------------------------------------

The container bci/gcc was updated.
The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:3239-1
Released: Tue Sep 16 19:04:00 2025
Summary: Security update for expat
Type: security
Severity: important
References: 1239618,CVE-2024-8176

This update for expat fixes the following issues:

expat was updated to version 2.7.1:

- Bug fixes:
  - Restore event pointer behavior from Expat 2.6.4 (that the fix to CVE-2024-8176 changed in 2.7.0); affected API functions are:
    - XML_GetCurrentByteCount
    - XML_GetCurrentByteIndex
    - XML_GetCurrentColumnNumber
    - XML_GetCurrentLineNumber
    - XML_GetInputContext
- Other changes:
  - Fix printf format specifiers for 32bit Emscripten
  - docs: Promote OpenSSF Best Practices self-certification
  - tests/benchmark: Resolve mistaken double close
  - Address compiler warnings
  - Version info bumped from 11:1:10 (libexpat*.so.1.10.1) to 11:2:10 (libexpat*.so.1.10.2); see https://verbump.de/ for what these numbers do

Version update to 2.7.0 (CVE-2024-8176, bsc#1239618, jsc#PED-12507)

* Security fixes:
  - CVE-2024-8176 -- Fix crash from chaining a large number of entities caused by stack overflow by resolving use of recursion, for all three uses of entities:
    - general entities in character data ('&g1;')
    - general entities in attribute values ('')
    - parameter entities ('%p1;')
    Known impact is (reliable and easy) denial of service:
    CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:H/RL:O/RC:C (Base Score: 7.5, Temporal Score: 7.2)
    Please note that a layer of compression around XML can significantly reduce the minimum attack payload size.
* Other changes:
  - docs: Add missing documentation of error code XML_ERROR_NOT_STARTED that was introduced with 2.6.4
  - docs: Document need for C++11 compiler for use from C++
  - Address Cppcheck warnings
  - Mass-migrate links from http:// to https://
  - Document changes since the previous release
  - Version info bumped from 11:0:10 (libexpat*.so.1.10.0) to 11:1:10 (libexpat*.so.1.10.1); see https://verbump.de/ for what these numbers do

The following package changes have been done:

- libexpat1-2.7.1-150700.3.3.1 updated

From sle-container-updates at lists.suse.com Wed Sep 17 07:21:17 2025
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Wed, 17 Sep 2025 09:21:17 +0200 (CEST)
Subject: SUSE-CU-2025:6871-1: Security update of suse/git
Message-ID: <20250917072117.B93B2F782@maintenance.suse.de>

SUSE Container Update Advisory: suse/git
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2025:6871-1
Container Tags : suse/git:2 , suse/git:2.51 , suse/git:2.51.0 , suse/git:2.51.0-61.5 , suse/git:latest
Container Release : 61.5
Severity : important
Type : security
References : 1239618 CVE-2024-8176
-----------------------------------------------------------------

The container suse/git was updated.
The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:3239-1
Released: Tue Sep 16 19:04:00 2025
Summary: Security update for expat
Type: security
Severity: important
References: 1239618,CVE-2024-8176

This update for expat fixes the following issues:

expat was updated to version 2.7.1:

- Bug fixes:
  - Restore event pointer behavior from Expat 2.6.4 (that the fix to CVE-2024-8176 changed in 2.7.0); affected API functions are:
    - XML_GetCurrentByteCount
    - XML_GetCurrentByteIndex
    - XML_GetCurrentColumnNumber
    - XML_GetCurrentLineNumber
    - XML_GetInputContext
- Other changes:
  - Fix printf format specifiers for 32bit Emscripten
  - docs: Promote OpenSSF Best Practices self-certification
  - tests/benchmark: Resolve mistaken double close
  - Address compiler warnings
  - Version info bumped from 11:1:10 (libexpat*.so.1.10.1) to 11:2:10 (libexpat*.so.1.10.2); see https://verbump.de/ for what these numbers do

Version update to 2.7.0 (CVE-2024-8176, bsc#1239618, jsc#PED-12507)

* Security fixes:
  - CVE-2024-8176 -- Fix crash from chaining a large number of entities caused by stack overflow by resolving use of recursion, for all three uses of entities:
    - general entities in character data ('&g1;')
    - general entities in attribute values ('')
    - parameter entities ('%p1;')
    Known impact is (reliable and easy) denial of service:
    CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:H/RL:O/RC:C (Base Score: 7.5, Temporal Score: 7.2)
    Please note that a layer of compression around XML can significantly reduce the minimum attack payload size.
* Other changes:
  - docs: Add missing documentation of error code XML_ERROR_NOT_STARTED that was introduced with 2.6.4
  - docs: Document need for C++11 compiler for use from C++
  - Address Cppcheck warnings
  - Mass-migrate links from http:// to https://
  - Document changes since the previous release
  - Version info bumped from 11:0:10 (libexpat*.so.1.10.0) to 11:1:10 (libexpat*.so.1.10.1); see https://verbump.de/ for what these numbers do

The following package changes have been done:

- libexpat1-2.7.1-150700.3.3.1 updated
- container:suse-sle15-15.7-7509e7e16dfdc2ba3eb2a7409a432209c89350947682a3713af951a95da4b936-0 updated

From sle-container-updates at lists.suse.com Wed Sep 17 07:21:32 2025
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Wed, 17 Sep 2025 09:21:32 +0200 (CEST)
Subject: SUSE-CU-2025:6872-1: Security update of bci/golang
Message-ID: <20250917072132.7BCDBF782@maintenance.suse.de>

SUSE Container Update Advisory: bci/golang
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2025:6872-1
Container Tags : bci/golang:1.24-openssl , bci/golang:1.24.6-openssl , bci/golang:1.24.6-openssl-74.5 , bci/golang:oldstable-openssl , bci/golang:oldstable-openssl-74.5
Container Release : 74.5
Severity : important
Type : security
References : 1239618 CVE-2024-8176
-----------------------------------------------------------------

The container bci/golang was updated.
The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:3239-1
Released: Tue Sep 16 19:04:00 2025
Summary: Security update for expat
Type: security
Severity: important
References: 1239618,CVE-2024-8176

This update for expat fixes the following issues:

expat was updated to version 2.7.1:

- Bug fixes:
  - Restore event pointer behavior from Expat 2.6.4 (that the fix to CVE-2024-8176 changed in 2.7.0); affected API functions are:
    - XML_GetCurrentByteCount
    - XML_GetCurrentByteIndex
    - XML_GetCurrentColumnNumber
    - XML_GetCurrentLineNumber
    - XML_GetInputContext
- Other changes:
  - Fix printf format specifiers for 32bit Emscripten
  - docs: Promote OpenSSF Best Practices self-certification
  - tests/benchmark: Resolve mistaken double close
  - Address compiler warnings
  - Version info bumped from 11:1:10 (libexpat*.so.1.10.1) to 11:2:10 (libexpat*.so.1.10.2); see https://verbump.de/ for what these numbers do

Version update to 2.7.0 (CVE-2024-8176, bsc#1239618, jsc#PED-12507)

* Security fixes:
  - CVE-2024-8176 -- Fix crash from chaining a large number of entities caused by stack overflow by resolving use of recursion, for all three uses of entities:
    - general entities in character data ('&g1;')
    - general entities in attribute values ('')
    - parameter entities ('%p1;')
    Known impact is (reliable and easy) denial of service:
    CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:H/RL:O/RC:C (Base Score: 7.5, Temporal Score: 7.2)
    Please note that a layer of compression around XML can significantly reduce the minimum attack payload size.
* Other changes:
  - docs: Add missing documentation of error code XML_ERROR_NOT_STARTED that was introduced with 2.6.4
  - docs: Document need for C++11 compiler for use from C++
  - Address Cppcheck warnings
  - Mass-migrate links from http:// to https://
  - Document changes since the previous release
  - Version info bumped from 11:0:10 (libexpat*.so.1.10.0) to 11:1:10 (libexpat*.so.1.10.1); see https://verbump.de/ for what these numbers do

The following package changes have been done:

- libexpat1-2.7.1-150700.3.3.1 updated

From sle-container-updates at lists.suse.com Wed Sep 17 07:21:45 2025
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Wed, 17 Sep 2025 09:21:45 +0200 (CEST)
Subject: SUSE-CU-2025:6873-1: Security update of bci/golang
Message-ID: <20250917072145.73D7EF782@maintenance.suse.de>

SUSE Container Update Advisory: bci/golang
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2025:6873-1
Container Tags : bci/golang:1.25-openssl , bci/golang:1.25.0-openssl , bci/golang:1.25.0-openssl-74.5 , bci/golang:latest , bci/golang:stable-openssl , bci/golang:stable-openssl-74.5
Container Release : 74.5
Severity : important
Type : security
References : 1239618 CVE-2024-8176
-----------------------------------------------------------------

The container bci/golang was updated.
The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:3239-1
Released: Tue Sep 16 19:04:00 2025
Summary: Security update for expat
Type: security
Severity: important
References: 1239618,CVE-2024-8176

This update for expat fixes the following issues:

expat was updated to version 2.7.1:

- Bug fixes:
  - Restore event pointer behavior from Expat 2.6.4 (that the fix to CVE-2024-8176 changed in 2.7.0); affected API functions are:
    - XML_GetCurrentByteCount
    - XML_GetCurrentByteIndex
    - XML_GetCurrentColumnNumber
    - XML_GetCurrentLineNumber
    - XML_GetInputContext
- Other changes:
  - Fix printf format specifiers for 32bit Emscripten
  - docs: Promote OpenSSF Best Practices self-certification
  - tests/benchmark: Resolve mistaken double close
  - Address compiler warnings
  - Version info bumped from 11:1:10 (libexpat*.so.1.10.1) to 11:2:10 (libexpat*.so.1.10.2); see https://verbump.de/ for what these numbers do

Version update to 2.7.0 (CVE-2024-8176, bsc#1239618, jsc#PED-12507)

* Security fixes:
  - CVE-2024-8176 -- Fix crash from chaining a large number of entities caused by stack overflow by resolving use of recursion, for all three uses of entities:
    - general entities in character data ('&g1;')
    - general entities in attribute values ('')
    - parameter entities ('%p1;')
    Known impact is (reliable and easy) denial of service:
    CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:H/RL:O/RC:C (Base Score: 7.5, Temporal Score: 7.2)
    Please note that a layer of compression around XML can significantly reduce the minimum attack payload size.
* Other changes:
  - docs: Add missing documentation of error code XML_ERROR_NOT_STARTED that was introduced with 2.6.4
  - docs: Document need for C++11 compiler for use from C++
  - Address Cppcheck warnings
  - Mass-migrate links from http:// to https://
  - Document changes since the previous release
  - Version info bumped from 11:0:10 (libexpat*.so.1.10.0) to 11:1:10 (libexpat*.so.1.10.1); see https://verbump.de/ for what these numbers do

The following package changes have been done:

- libexpat1-2.7.1-150700.3.3.1 updated

From sle-container-updates at lists.suse.com Wed Sep 17 07:21:57 2025
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Wed, 17 Sep 2025 09:21:57 +0200 (CEST)
Subject: SUSE-CU-2025:6874-1: Security update of bci/bci-init
Message-ID: <20250917072157.91966F782@maintenance.suse.de>

SUSE Container Update Advisory: bci/bci-init
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2025:6874-1
Container Tags : bci/bci-init:15.7 , bci/bci-init:15.7-42.26 , bci/bci-init:latest
Container Release : 42.26
Severity : important
Type : security
References : 1239618 CVE-2024-8176
-----------------------------------------------------------------

The container bci/bci-init was updated.
The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:3239-1
Released: Tue Sep 16 19:04:00 2025
Summary: Security update for expat
Type: security
Severity: important
References: 1239618,CVE-2024-8176

This update for expat fixes the following issues:

expat was updated to version 2.7.1:

- Bug fixes:
  - Restore event pointer behavior from Expat 2.6.4 (that the fix to CVE-2024-8176 changed in 2.7.0); affected API functions are:
    - XML_GetCurrentByteCount
    - XML_GetCurrentByteIndex
    - XML_GetCurrentColumnNumber
    - XML_GetCurrentLineNumber
    - XML_GetInputContext
- Other changes:
  - Fix printf format specifiers for 32bit Emscripten
  - docs: Promote OpenSSF Best Practices self-certification
  - tests/benchmark: Resolve mistaken double close
  - Address compiler warnings
  - Version info bumped from 11:1:10 (libexpat*.so.1.10.1) to 11:2:10 (libexpat*.so.1.10.2); see https://verbump.de/ for what these numbers do

Version update to 2.7.0 (CVE-2024-8176, bsc#1239618, jsc#PED-12507)

* Security fixes:
  - CVE-2024-8176 -- Fix crash from chaining a large number of entities caused by stack overflow by resolving use of recursion, for all three uses of entities:
    - general entities in character data ('&g1;')
    - general entities in attribute values ('')
    - parameter entities ('%p1;')
    Known impact is (reliable and easy) denial of service:
    CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:H/RL:O/RC:C (Base Score: 7.5, Temporal Score: 7.2)
    Please note that a layer of compression around XML can significantly reduce the minimum attack payload size.
* Other changes:
  - docs: Add missing documentation of error code XML_ERROR_NOT_STARTED that was introduced with 2.6.4
  - docs: Document need for C++11 compiler for use from C++
  - Address Cppcheck warnings
  - Mass-migrate links from http:// to https://
  - Document changes since the previous release
  - Version info bumped from 11:0:10 (libexpat*.so.1.10.0) to 11:1:10 (libexpat*.so.1.10.1); see https://verbump.de/ for what these numbers do

The following package changes have been done:

- libexpat1-2.7.1-150700.3.3.1 updated

From sle-container-updates at lists.suse.com Wed Sep 17 07:22:05 2025
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Wed, 17 Sep 2025 09:22:05 +0200 (CEST)
Subject: SUSE-CU-2025:6875-1: Security update of suse/kea
Message-ID: <20250917072205.044B2F782@maintenance.suse.de>

SUSE Container Update Advisory: suse/kea
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2025:6875-1
Container Tags : suse/kea:2.6 , suse/kea:2.6-62.25 , suse/kea:latest
Container Release : 62.25
Severity : important
Type : security
References : 1239618 CVE-2024-8176
-----------------------------------------------------------------

The container suse/kea was updated.
The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:3239-1
Released: Tue Sep 16 19:04:00 2025
Summary: Security update for expat
Type: security
Severity: important
References: 1239618,CVE-2024-8176

This update for expat fixes the following issues:

expat was updated to version 2.7.1:

- Bug fixes:
  - Restore event pointer behavior from Expat 2.6.4 (that the fix to CVE-2024-8176 changed in 2.7.0); affected API functions are:
    - XML_GetCurrentByteCount
    - XML_GetCurrentByteIndex
    - XML_GetCurrentColumnNumber
    - XML_GetCurrentLineNumber
    - XML_GetInputContext
- Other changes:
  - Fix printf format specifiers for 32bit Emscripten
  - docs: Promote OpenSSF Best Practices self-certification
  - tests/benchmark: Resolve mistaken double close
  - Address compiler warnings
  - Version info bumped from 11:1:10 (libexpat*.so.1.10.1) to 11:2:10 (libexpat*.so.1.10.2); see https://verbump.de/ for what these numbers do

Version update to 2.7.0 (CVE-2024-8176, bsc#1239618, jsc#PED-12507)

* Security fixes:
  - CVE-2024-8176 -- Fix crash from chaining a large number of entities caused by stack overflow by resolving use of recursion, for all three uses of entities:
    - general entities in character data ('&g1;')
    - general entities in attribute values ('')
    - parameter entities ('%p1;')
    Known impact is (reliable and easy) denial of service:
    CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:H/RL:O/RC:C (Base Score: 7.5, Temporal Score: 7.2)
    Please note that a layer of compression around XML can significantly reduce the minimum attack payload size.
* Other changes:
  - docs: Add missing documentation of error code XML_ERROR_NOT_STARTED that was introduced with 2.6.4
  - docs: Document need for C++11 compiler for use from C++
  - Address Cppcheck warnings
  - Mass-migrate links from http:// to https://
  - Document changes since the previous release
  - Version info bumped from 11:0:10 (libexpat*.so.1.10.0) to 11:1:10 (libexpat*.so.1.10.1); see https://verbump.de/ for what these numbers do

The following package changes have been done:

- libexpat1-2.7.1-150700.3.3.1 updated

From sle-container-updates at lists.suse.com Wed Sep 17 07:22:16 2025
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Wed, 17 Sep 2025 09:22:16 +0200 (CEST)
Subject: SUSE-CU-2025:6876-1: Security update of suse/kiosk/firefox-esr
Message-ID: <20250917072216.044B6F782@maintenance.suse.de>

SUSE Container Update Advisory: suse/kiosk/firefox-esr
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2025:6876-1
Container Tags : suse/kiosk/firefox-esr:140.2 , suse/kiosk/firefox-esr:140.2-64.27 , suse/kiosk/firefox-esr:esr , suse/kiosk/firefox-esr:latest
Container Release : 64.27
Severity : important
Type : security
References : 1239618 CVE-2024-8176
-----------------------------------------------------------------

The container suse/kiosk/firefox-esr was updated.
The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:3239-1
Released: Tue Sep 16 19:04:00 2025
Summary: Security update for expat
Type: security
Severity: important
References: 1239618,CVE-2024-8176

This update for expat fixes the following issues:

expat was updated to version 2.7.1:

- Bug fixes:
  - Restore event pointer behavior from Expat 2.6.4 (that the fix to CVE-2024-8176 changed in 2.7.0); affected API functions are:
    - XML_GetCurrentByteCount
    - XML_GetCurrentByteIndex
    - XML_GetCurrentColumnNumber
    - XML_GetCurrentLineNumber
    - XML_GetInputContext
- Other changes:
  - Fix printf format specifiers for 32bit Emscripten
  - docs: Promote OpenSSF Best Practices self-certification
  - tests/benchmark: Resolve mistaken double close
  - Address compiler warnings
  - Version info bumped from 11:1:10 (libexpat*.so.1.10.1) to 11:2:10 (libexpat*.so.1.10.2); see https://verbump.de/ for what these numbers do

Version update to 2.7.0 (CVE-2024-8176, bsc#1239618, jsc#PED-12507)

* Security fixes:
  - CVE-2024-8176 -- Fix crash from chaining a large number of entities caused by stack overflow by resolving use of recursion, for all three uses of entities:
    - general entities in character data ('&g1;')
    - general entities in attribute values ('')
    - parameter entities ('%p1;')
    Known impact is (reliable and easy) denial of service:
    CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:H/RL:O/RC:C (Base Score: 7.5, Temporal Score: 7.2)
    Please note that a layer of compression around XML can significantly reduce the minimum attack payload size.
* Other changes:
  - docs: Add missing documentation of error code XML_ERROR_NOT_STARTED that was introduced with 2.6.4
  - docs: Document need for C++11 compiler for use from C++
  - Address Cppcheck warnings
  - Mass-migrate links from http:// to https://
  - Document changes since the previous release
  - Version info bumped from 11:0:10 (libexpat*.so.1.10.0) to 11:1:10 (libexpat*.so.1.10.1); see https://verbump.de/ for what these numbers do

The following package changes have been done:

- libexpat1-2.7.1-150700.3.3.1 updated

From sle-container-updates at lists.suse.com Wed Sep 17 07:22:37 2025
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Wed, 17 Sep 2025 09:22:37 +0200 (CEST)
Subject: SUSE-CU-2025:6877-1: Security update of bci/kiwi
Message-ID: <20250917072237.64912F782@maintenance.suse.de>

SUSE Container Update Advisory: bci/kiwi
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2025:6877-1
Container Tags : bci/kiwi:9 , bci/kiwi:9.24 , bci/kiwi:9.24.43 , bci/kiwi:9.24.43-18.35 , bci/kiwi:latest
Container Release : 18.35
Severity : important
Type : security
References : 1239618 CVE-2024-8176
-----------------------------------------------------------------

The container bci/kiwi was updated.
The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:3239-1
Released: Tue Sep 16 19:04:00 2025
Summary: Security update for expat
Type: security
Severity: important
References: 1239618,CVE-2024-8176

This update for expat fixes the following issues:

expat was updated to version 2.7.1:

- Bug fixes:
  - Restore event pointer behavior from Expat 2.6.4 (that the fix to CVE-2024-8176 changed in 2.7.0); affected API functions are:
    - XML_GetCurrentByteCount
    - XML_GetCurrentByteIndex
    - XML_GetCurrentColumnNumber
    - XML_GetCurrentLineNumber
    - XML_GetInputContext
- Other changes:
  - Fix printf format specifiers for 32bit Emscripten
  - docs: Promote OpenSSF Best Practices self-certification
  - tests/benchmark: Resolve mistaken double close
  - Address compiler warnings
  - Version info bumped from 11:1:10 (libexpat*.so.1.10.1) to 11:2:10 (libexpat*.so.1.10.2); see https://verbump.de/ for what these numbers do

Version update to 2.7.0 (CVE-2024-8176, bsc#1239618, jsc#PED-12507)

* Security fixes:
  - CVE-2024-8176 -- Fix crash from chaining a large number of entities caused by stack overflow by resolving use of recursion, for all three uses of entities:
    - general entities in character data ('&g1;')
    - general entities in attribute values ('')
    - parameter entities ('%p1;')
    Known impact is (reliable and easy) denial of service:
    CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:H/RL:O/RC:C (Base Score: 7.5, Temporal Score: 7.2)
    Please note that a layer of compression around XML can significantly reduce the minimum attack payload size.
* Other changes:
  - docs: Add missing documentation of error code XML_ERROR_NOT_STARTED that was introduced with 2.6.4
  - docs: Document need for C++11 compiler for use from C++
  - Address Cppcheck warnings
  - Mass-migrate links from http:// to https://
  - Document changes since the previous release
  - Version info bumped from 11:0:10 (libexpat*.so.1.10.0) to 11:1:10 (libexpat*.so.1.10.1); see https://verbump.de/ for what these numbers do

The following package changes have been done:

- libexpat1-2.7.1-150700.3.3.1 updated

From sle-container-updates at lists.suse.com Wed Sep 17 07:22:49 2025
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Wed, 17 Sep 2025 09:22:49 +0200 (CEST)
Subject: SUSE-CU-2025:6878-1: Security update of suse/nginx
Message-ID: <20250917072249.9F3E2F782@maintenance.suse.de>

SUSE Container Update Advisory: suse/nginx
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2025:6878-1
Container Tags : suse/nginx:1.21 , suse/nginx:1.21-62.25 , suse/nginx:latest
Container Release : 62.25
Severity : important
Type : security
References : 1239618 CVE-2024-8176
-----------------------------------------------------------------

The container suse/nginx was updated.
The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:3239-1
Released: Tue Sep 16 19:04:00 2025
Summary: Security update for expat
Type: security
Severity: important
References: 1239618,CVE-2024-8176

This update for expat fixes the following issues:

expat was updated to version 2.7.1:

- Bug fixes:
  - Restore event pointer behavior from Expat 2.6.4 (that the fix to CVE-2024-8176 changed in 2.7.0); affected API functions are:
    - XML_GetCurrentByteCount
    - XML_GetCurrentByteIndex
    - XML_GetCurrentColumnNumber
    - XML_GetCurrentLineNumber
    - XML_GetInputContext
- Other changes:
  - Fix printf format specifiers for 32bit Emscripten
  - docs: Promote OpenSSF Best Practices self-certification
  - tests/benchmark: Resolve mistaken double close
  - Address compiler warnings
  - Version info bumped from 11:1:10 (libexpat*.so.1.10.1) to 11:2:10 (libexpat*.so.1.10.2); see https://verbump.de/ for what these numbers do

Version update to 2.7.0 (CVE-2024-8176, bsc#1239618, jsc#PED-12507)

* Security fixes:
  - CVE-2024-8176 -- Fix crash from chaining a large number of entities caused by stack overflow by resolving use of recursion, for all three uses of entities:
    - general entities in character data ('&g1;')
    - general entities in attribute values ('')
    - parameter entities ('%p1;')
    Known impact is (reliable and easy) denial of service:
    CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:H/RL:O/RC:C (Base Score: 7.5, Temporal Score: 7.2)
    Please note that a layer of compression around XML can significantly reduce the minimum attack payload size.
* Other changes:
  - docs: Add missing documentation of error code XML_ERROR_NOT_STARTED that was introduced with 2.6.4
  - docs: Document need for C++11 compiler for use from C++
  - Address Cppcheck warnings
  - Mass-migrate links from http:// to https://
  - Document changes since the previous release
  - Version info bumped from 11:0:10 (libexpat*.so.1.10.0) to 11:1:10 (libexpat*.so.1.10.1); see https://verbump.de/ for what these numbers do

The following package changes have been done:

- libexpat1-2.7.1-150700.3.3.1 updated

From sle-container-updates at lists.suse.com Wed Sep 17 07:23:03 2025
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Wed, 17 Sep 2025 09:23:03 +0200 (CEST)
Subject: SUSE-CU-2025:6879-1: Security update of bci/openjdk-devel
Message-ID: <20250917072303.25E28F782@maintenance.suse.de>

SUSE Container Update Advisory: bci/openjdk-devel
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2025:6879-1
Container Tags : bci/openjdk-devel:17 , bci/openjdk-devel:17.0.16.0 , bci/openjdk-devel:17.0.16.0-8.26
Container Release : 8.26
Severity : important
Type : security
References : 1239618 CVE-2024-8176
-----------------------------------------------------------------

The container bci/openjdk-devel was updated.
The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:3239-1
Released: Tue Sep 16 19:04:00 2025
Summary: Security update for expat
Type: security
Severity: important
References: 1239618,CVE-2024-8176

This update for expat fixes the following issues:

expat was updated to version 2.7.1:

- Bug fixes:
  - Restore event pointer behavior from Expat 2.6.4 (that the fix to CVE-2024-8176 changed in 2.7.0); affected API functions are:
    - XML_GetCurrentByteCount
    - XML_GetCurrentByteIndex
    - XML_GetCurrentColumnNumber
    - XML_GetCurrentLineNumber
    - XML_GetInputContext
- Other changes:
  - Fix printf format specifiers for 32bit Emscripten
  - docs: Promote OpenSSF Best Practices self-certification
  - tests/benchmark: Resolve mistaken double close
  - Address compiler warnings
  - Version info bumped from 11:1:10 (libexpat*.so.1.10.1) to 11:2:10 (libexpat*.so.1.10.2); see https://verbump.de/ for what these numbers do

Version update to 2.7.0 (CVE-2024-8176, bsc#1239618, jsc#PED-12507)

* Security fixes:
  - CVE-2024-8176 -- Fix crash from chaining a large number of entities caused by stack overflow by resolving use of recursion, for all three uses of entities:
    - general entities in character data ('&g1;')
    - general entities in attribute values ('')
    - parameter entities ('%p1;')
    Known impact is (reliable and easy) denial of service:
    CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:H/RL:O/RC:C (Base Score: 7.5, Temporal Score: 7.2)
    Please note that a layer of compression around XML can significantly reduce the minimum attack payload size.
* Other changes:
  - docs: Add missing documentation of error code XML_ERROR_NOT_STARTED that was introduced with 2.6.4
  - docs: Document need for C++11 compiler for use from C++
  - Address Cppcheck warnings
  - Mass-migrate links from http:// to https://
  - Document changes since the previous release
  - Version info bumped from 11:0:10 (libexpat*.so.1.10.0) to 11:1:10 (libexpat*.so.1.10.1); see https://verbump.de/ for what these numbers do

The following package changes have been done:

- libexpat1-2.7.1-150700.3.3.1 updated
- container:bci-openjdk-17-15.7.17-8.25 updated

From sle-container-updates at lists.suse.com Wed Sep 17 07:23:15 2025
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Wed, 17 Sep 2025 09:23:15 +0200 (CEST)
Subject: SUSE-CU-2025:6880-1: Security update of bci/openjdk
Message-ID: <20250917072315.3282AF782@maintenance.suse.de>

SUSE Container Update Advisory: bci/openjdk
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2025:6880-1
Container Tags : bci/openjdk:17 , bci/openjdk:17.0.16.0 , bci/openjdk:17.0.16.0-8.25
Container Release : 8.25
Severity : important
Type : security
References : 1239618 CVE-2024-8176
-----------------------------------------------------------------

The container bci/openjdk was updated.
The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:3239-1
Released: Tue Sep 16 19:04:00 2025
Summary: Security update for expat
Type: security
Severity: important
References: 1239618,CVE-2024-8176

This update for expat fixes the following issues:

expat was updated to version 2.7.1:

- Bug fixes:
  - Restore event pointer behavior from Expat 2.6.4 (that the fix to CVE-2024-8176 changed in 2.7.0); affected API functions are:
    - XML_GetCurrentByteCount
    - XML_GetCurrentByteIndex
    - XML_GetCurrentColumnNumber
    - XML_GetCurrentLineNumber
    - XML_GetInputContext
- Other changes:
  - Fix printf format specifiers for 32bit Emscripten
  - docs: Promote OpenSSF Best Practices self-certification
  - tests/benchmark: Resolve mistaken double close
  - Address compiler warnings
  - Version info bumped from 11:1:10 (libexpat*.so.1.10.1) to 11:2:10 (libexpat*.so.1.10.2); see https://verbump.de/ for what these numbers do

Version update to 2.7.0 (CVE-2024-8176, bsc#1239618, jsc#PED-12507)

* Security fixes:
  - CVE-2024-8176 -- Fix crash from chaining a large number of entities caused by stack overflow by resolving use of recursion, for all three uses of entities:
    - general entities in character data ('&g1;')
    - general entities in attribute values ('')
    - parameter entities ('%p1;')
    Known impact is (reliable and easy) denial of service:
    CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:H/RL:O/RC:C (Base Score: 7.5, Temporal Score: 7.2)
    Please note that a layer of compression around XML can significantly reduce the minimum attack payload size.
* Other changes:
  - docs: Add missing documentation of error code XML_ERROR_NOT_STARTED that was introduced with 2.6.4
  - docs: Document need for C++11 compiler for use from C++
  - Address Cppcheck warnings
  - Mass-migrate links from http:// to https://
  - Document changes since the previous release
  - Version info bumped from 11:0:10 (libexpat*.so.1.10.0) to 11:1:10 (libexpat*.so.1.10.1); see https://verbump.de/ for what these numbers do

The following package changes have been done:

- libexpat1-2.7.1-150700.3.3.1 updated

From sle-container-updates at lists.suse.com Wed Sep 17 07:23:28 2025
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Wed, 17 Sep 2025 09:23:28 +0200 (CEST)
Subject: SUSE-CU-2025:6881-1: Security update of bci/openjdk-devel
Message-ID: <20250917072328.5646EF782@maintenance.suse.de>

SUSE Container Update Advisory: bci/openjdk-devel
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2025:6881-1
Container Tags        : bci/openjdk-devel:21 , bci/openjdk-devel:21.0.8.0 , bci/openjdk-devel:21.0.8.0-11.26 , bci/openjdk-devel:latest
Container Release     : 11.26
Severity              : important
Type                  : security
References            : 1239618 CVE-2024-8176
-----------------------------------------------------------------

The container bci/openjdk-devel was updated.
The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:3239-1
Released:    Tue Sep 16 19:04:00 2025
Summary:     Security update for expat
Type:        security
Severity:    important
References:  1239618,CVE-2024-8176

This update for expat fixes the following issues:

expat was updated to version 2.7.1:

- Bug fixes:
  - Restore event pointer behavior from Expat 2.6.4 (that the fix to CVE-2024-8176 changed in 2.7.0); affected API functions are:
    - XML_GetCurrentByteCount
    - XML_GetCurrentByteIndex
    - XML_GetCurrentColumnNumber
    - XML_GetCurrentLineNumber
    - XML_GetInputContext
- Other changes:
  - Fix printf format specifiers for 32bit Emscripten
  - docs: Promote OpenSSF Best Practices self-certification
  - tests/benchmark: Resolve mistaken double close
  - Address compiler warnings
  - Version info bumped from 11:1:10 (libexpat*.so.1.10.1) to 11:2:10 (libexpat*.so.1.10.2); see https://verbump.de/ for what these numbers do

Version update to 2.7.0 (CVE-2024-8176, bsc#1239618, jsc#PED-12507)

* Security fixes:
  - CVE-2024-8176 -- Fix crash from chaining a large number of entities caused by stack overflow by resolving use of recursion, for all three uses of entities:
    - general entities in character data ('&g1;')
    - general entities in attribute values ('')
    - parameter entities ('%p1;')
    Known impact is (reliable and easy) denial of service:
    CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:H/RL:O/RC:C
    (Base Score: 7.5, Temporal Score: 7.2)
    Please note that a layer of compression around XML can significantly reduce the minimum attack payload size.
* Other changes:
  - docs: Add missing documentation of error code XML_ERROR_NOT_STARTED that was introduced with 2.6.4
  - docs: Document need for C++11 compiler for use from C++
  - Address Cppcheck warnings
  - Mass-migrate links from http:// to https://
  - Document changes since the previous release
  - Version info bumped from 11:0:10 (libexpat*.so.1.10.0) to 11:1:10 (libexpat*.so.1.10.1); see https://verbump.de/ for what these numbers do

The following package changes have been done:

- libexpat1-2.7.1-150700.3.3.1 updated
- container:bci-openjdk-21-15.7.21-11.25 updated

From sle-container-updates at lists.suse.com Wed Sep 17 07:23:39 2025
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Wed, 17 Sep 2025 09:23:39 +0200 (CEST)
Subject: SUSE-CU-2025:6882-1: Security update of bci/openjdk
Message-ID: <20250917072339.7A010F782@maintenance.suse.de>

SUSE Container Update Advisory: bci/openjdk
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2025:6882-1
Container Tags        : bci/openjdk:21 , bci/openjdk:21.0.8.0 , bci/openjdk:21.0.8.0-11.25 , bci/openjdk:latest
Container Release     : 11.25
Severity              : important
Type                  : security
References            : 1239618 CVE-2024-8176
-----------------------------------------------------------------

The container bci/openjdk was updated.
The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:3239-1
Released:    Tue Sep 16 19:04:00 2025
Summary:     Security update for expat
Type:        security
Severity:    important
References:  1239618,CVE-2024-8176

This update for expat fixes the following issues:

expat was updated to version 2.7.1:

- Bug fixes:
  - Restore event pointer behavior from Expat 2.6.4 (that the fix to CVE-2024-8176 changed in 2.7.0); affected API functions are:
    - XML_GetCurrentByteCount
    - XML_GetCurrentByteIndex
    - XML_GetCurrentColumnNumber
    - XML_GetCurrentLineNumber
    - XML_GetInputContext
- Other changes:
  - Fix printf format specifiers for 32bit Emscripten
  - docs: Promote OpenSSF Best Practices self-certification
  - tests/benchmark: Resolve mistaken double close
  - Address compiler warnings
  - Version info bumped from 11:1:10 (libexpat*.so.1.10.1) to 11:2:10 (libexpat*.so.1.10.2); see https://verbump.de/ for what these numbers do

Version update to 2.7.0 (CVE-2024-8176, bsc#1239618, jsc#PED-12507)

* Security fixes:
  - CVE-2024-8176 -- Fix crash from chaining a large number of entities caused by stack overflow by resolving use of recursion, for all three uses of entities:
    - general entities in character data ('&g1;')
    - general entities in attribute values ('')
    - parameter entities ('%p1;')
    Known impact is (reliable and easy) denial of service:
    CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:H/RL:O/RC:C
    (Base Score: 7.5, Temporal Score: 7.2)
    Please note that a layer of compression around XML can significantly reduce the minimum attack payload size.
* Other changes:
  - docs: Add missing documentation of error code XML_ERROR_NOT_STARTED that was introduced with 2.6.4
  - docs: Document need for C++11 compiler for use from C++
  - Address Cppcheck warnings
  - Mass-migrate links from http:// to https://
  - Document changes since the previous release
  - Version info bumped from 11:0:10 (libexpat*.so.1.10.0) to 11:1:10 (libexpat*.so.1.10.1); see https://verbump.de/ for what these numbers do

The following package changes have been done:

- libexpat1-2.7.1-150700.3.3.1 updated

From sle-container-updates at lists.suse.com Wed Sep 17 07:23:50 2025
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Wed, 17 Sep 2025 09:23:50 +0200 (CEST)
Subject: SUSE-CU-2025:6883-1: Security update of bci/php-apache
Message-ID: <20250917072350.DB37DF782@maintenance.suse.de>

SUSE Container Update Advisory: bci/php-apache
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2025:6883-1
Container Tags        : bci/php-apache:8 , bci/php-apache:8.3.23 , bci/php-apache:8.3.23-12.26 , bci/php-apache:latest
Container Release     : 12.26
Severity              : important
Type                  : security
References            : 1239618 CVE-2024-8176
-----------------------------------------------------------------

The container bci/php-apache was updated.
The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:3239-1
Released:    Tue Sep 16 19:04:00 2025
Summary:     Security update for expat
Type:        security
Severity:    important
References:  1239618,CVE-2024-8176

This update for expat fixes the following issues:

expat was updated to version 2.7.1:

- Bug fixes:
  - Restore event pointer behavior from Expat 2.6.4 (that the fix to CVE-2024-8176 changed in 2.7.0); affected API functions are:
    - XML_GetCurrentByteCount
    - XML_GetCurrentByteIndex
    - XML_GetCurrentColumnNumber
    - XML_GetCurrentLineNumber
    - XML_GetInputContext
- Other changes:
  - Fix printf format specifiers for 32bit Emscripten
  - docs: Promote OpenSSF Best Practices self-certification
  - tests/benchmark: Resolve mistaken double close
  - Address compiler warnings
  - Version info bumped from 11:1:10 (libexpat*.so.1.10.1) to 11:2:10 (libexpat*.so.1.10.2); see https://verbump.de/ for what these numbers do

Version update to 2.7.0 (CVE-2024-8176, bsc#1239618, jsc#PED-12507)

* Security fixes:
  - CVE-2024-8176 -- Fix crash from chaining a large number of entities caused by stack overflow by resolving use of recursion, for all three uses of entities:
    - general entities in character data ('&g1;')
    - general entities in attribute values ('')
    - parameter entities ('%p1;')
    Known impact is (reliable and easy) denial of service:
    CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:H/RL:O/RC:C
    (Base Score: 7.5, Temporal Score: 7.2)
    Please note that a layer of compression around XML can significantly reduce the minimum attack payload size.
* Other changes:
  - docs: Add missing documentation of error code XML_ERROR_NOT_STARTED that was introduced with 2.6.4
  - docs: Document need for C++11 compiler for use from C++
  - Address Cppcheck warnings
  - Mass-migrate links from http:// to https://
  - Document changes since the previous release
  - Version info bumped from 11:0:10 (libexpat*.so.1.10.0) to 11:1:10 (libexpat*.so.1.10.1); see https://verbump.de/ for what these numbers do

The following package changes have been done:

- libexpat1-2.7.1-150700.3.3.1 updated

From sle-container-updates at lists.suse.com Wed Sep 17 07:24:04 2025
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Wed, 17 Sep 2025 09:24:04 +0200 (CEST)
Subject: SUSE-CU-2025:6884-1: Security update of suse/kiosk/pulseaudio
Message-ID: <20250917072404.7E7E6F782@maintenance.suse.de>

SUSE Container Update Advisory: suse/kiosk/pulseaudio
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2025:6884-1
Container Tags        : suse/kiosk/pulseaudio:17 , suse/kiosk/pulseaudio:17.0 , suse/kiosk/pulseaudio:17.0-63.22 , suse/kiosk/pulseaudio:latest
Container Release     : 63.22
Severity              : important
Type                  : security
References            : 1239618 CVE-2024-8176
-----------------------------------------------------------------

The container suse/kiosk/pulseaudio was updated.
The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:3239-1
Released:    Tue Sep 16 19:04:00 2025
Summary:     Security update for expat
Type:        security
Severity:    important
References:  1239618,CVE-2024-8176

This update for expat fixes the following issues:

expat was updated to version 2.7.1:

- Bug fixes:
  - Restore event pointer behavior from Expat 2.6.4 (that the fix to CVE-2024-8176 changed in 2.7.0); affected API functions are:
    - XML_GetCurrentByteCount
    - XML_GetCurrentByteIndex
    - XML_GetCurrentColumnNumber
    - XML_GetCurrentLineNumber
    - XML_GetInputContext
- Other changes:
  - Fix printf format specifiers for 32bit Emscripten
  - docs: Promote OpenSSF Best Practices self-certification
  - tests/benchmark: Resolve mistaken double close
  - Address compiler warnings
  - Version info bumped from 11:1:10 (libexpat*.so.1.10.1) to 11:2:10 (libexpat*.so.1.10.2); see https://verbump.de/ for what these numbers do

Version update to 2.7.0 (CVE-2024-8176, bsc#1239618, jsc#PED-12507)

* Security fixes:
  - CVE-2024-8176 -- Fix crash from chaining a large number of entities caused by stack overflow by resolving use of recursion, for all three uses of entities:
    - general entities in character data ('&g1;')
    - general entities in attribute values ('')
    - parameter entities ('%p1;')
    Known impact is (reliable and easy) denial of service:
    CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:H/RL:O/RC:C
    (Base Score: 7.5, Temporal Score: 7.2)
    Please note that a layer of compression around XML can significantly reduce the minimum attack payload size.
* Other changes:
  - docs: Add missing documentation of error code XML_ERROR_NOT_STARTED that was introduced with 2.6.4
  - docs: Document need for C++11 compiler for use from C++
  - Address Cppcheck warnings
  - Mass-migrate links from http:// to https://
  - Document changes since the previous release
  - Version info bumped from 11:0:10 (libexpat*.so.1.10.0) to 11:1:10 (libexpat*.so.1.10.1); see https://verbump.de/ for what these numbers do

The following package changes have been done:

- libexpat1-2.7.1-150700.3.3.1 updated

From sle-container-updates at lists.suse.com Wed Sep 17 07:24:13 2025
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Wed, 17 Sep 2025 09:24:13 +0200 (CEST)
Subject: SUSE-CU-2025:6885-1: Security update of suse/mariadb
Message-ID: <20250917072413.5A1D2F782@maintenance.suse.de>

SUSE Container Update Advisory: suse/mariadb
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2025:6885-1
Container Tags        : suse/mariadb:11.8 , suse/mariadb:11.8.2 , suse/mariadb:11.8.2-62.4 , suse/mariadb:latest
Container Release     : 62.4
Severity              : important
Type                  : security
References            : 1239618 CVE-2024-8176
-----------------------------------------------------------------

The container suse/mariadb was updated.
The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:3239-1
Released:    Tue Sep 16 19:04:00 2025
Summary:     Security update for expat
Type:        security
Severity:    important
References:  1239618,CVE-2024-8176

This update for expat fixes the following issues:

expat was updated to version 2.7.1:

- Bug fixes:
  - Restore event pointer behavior from Expat 2.6.4 (that the fix to CVE-2024-8176 changed in 2.7.0); affected API functions are:
    - XML_GetCurrentByteCount
    - XML_GetCurrentByteIndex
    - XML_GetCurrentColumnNumber
    - XML_GetCurrentLineNumber
    - XML_GetInputContext
- Other changes:
  - Fix printf format specifiers for 32bit Emscripten
  - docs: Promote OpenSSF Best Practices self-certification
  - tests/benchmark: Resolve mistaken double close
  - Address compiler warnings
  - Version info bumped from 11:1:10 (libexpat*.so.1.10.1) to 11:2:10 (libexpat*.so.1.10.2); see https://verbump.de/ for what these numbers do

Version update to 2.7.0 (CVE-2024-8176, bsc#1239618, jsc#PED-12507)

* Security fixes:
  - CVE-2024-8176 -- Fix crash from chaining a large number of entities caused by stack overflow by resolving use of recursion, for all three uses of entities:
    - general entities in character data ('&g1;')
    - general entities in attribute values ('')
    - parameter entities ('%p1;')
    Known impact is (reliable and easy) denial of service:
    CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:H/RL:O/RC:C
    (Base Score: 7.5, Temporal Score: 7.2)
    Please note that a layer of compression around XML can significantly reduce the minimum attack payload size.
* Other changes:
  - docs: Add missing documentation of error code XML_ERROR_NOT_STARTED that was introduced with 2.6.4
  - docs: Document need for C++11 compiler for use from C++
  - Address Cppcheck warnings
  - Mass-migrate links from http:// to https://
  - Document changes since the previous release
  - Version info bumped from 11:0:10 (libexpat*.so.1.10.0) to 11:1:10 (libexpat*.so.1.10.1); see https://verbump.de/ for what these numbers do

The following package changes have been done:

- libexpat1-2.7.1-150700.3.3.1 updated
- container:suse-sle15-15.7-7509e7e16dfdc2ba3eb2a7409a432209c89350947682a3713af951a95da4b936-0 updated

From sle-container-updates at lists.suse.com Thu Sep 18 07:06:39 2025
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Thu, 18 Sep 2025 09:06:39 +0200 (CEST)
Subject: SUSE-IU-2025:2462-1: Security update of suse/sle-micro/5.5
Message-ID: <20250918070639.BE476F783@maintenance.suse.de>

SUSE Image Update Advisory: suse/sle-micro/5.5
-----------------------------------------------------------------
Image Advisory ID : SUSE-IU-2025:2462-1
Image Tags        : suse/sle-micro/5.5:2.0.4 , suse/sle-micro/5.5:2.0.4-5.5.368 , suse/sle-micro/5.5:latest
Image Release     : 5.5.368
Severity          : moderate
Type              : security
References        : 1243581 1246608 1248410 1248687 142461 CVE-2025-46836
-----------------------------------------------------------------

The container suse/sle-micro/5.5 was updated.

The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:3260-1
Released:    Thu Sep 18 02:09:31 2025
Summary:     Security update for net-tools
Type:        security
Severity:    moderate
References:  1243581,1246608,1248410,1248687,142461,CVE-2025-46836

This update for net-tools fixes the following issues:

Security issues fixed:

- CVE-2025-46836: missing bounds check in `get_name` may lead to a stack buffer overflow (bsc#1243581).
- Avoid unsafe use of `memcpy` in `ifconfig` (bsc#1248687).
- Prevent overflow in `ax25` and `netrom` (bsc#1248687).
- Fix stack buffer overflow in `parse_hex` (bsc#1248687).
- Fix stack buffer overflow in `proc_gen_fmt` (bsc#1248687).

Other issues fixed:

- Allow use of long interface names after CVE-2025-46836 fix, even if they are not accepted by the kernel (bsc#1248410).
- Fix netrom support.

The following package changes have been done:

- net-tools-2.0+git20170221.479bb4a-150000.5.13.1 updated

From sle-container-updates at lists.suse.com Thu Sep 18 07:15:08 2025
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Thu, 18 Sep 2025 09:15:08 +0200 (CEST)
Subject: SUSE-CU-2025:6889-1: Security update of suse/sle-micro-rancher/5.4
Message-ID: <20250918071508.982ECF782@maintenance.suse.de>

SUSE Container Update Advisory: suse/sle-micro-rancher/5.4
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2025:6889-1
Container Tags        : suse/sle-micro-rancher/5.4:5.4.4.5.53 , suse/sle-micro-rancher/5.4:latest
Container Release     : 4.5.53
Severity              : moderate
Type                  : security
References            : 1243581 1246608 1248410 1248687 142461 CVE-2025-46836
-----------------------------------------------------------------

The container suse/sle-micro-rancher/5.4 was updated.

The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:3260-1
Released:    Thu Sep 18 02:09:31 2025
Summary:     Security update for net-tools
Type:        security
Severity:    moderate
References:  1243581,1246608,1248410,1248687,142461,CVE-2025-46836

This update for net-tools fixes the following issues:

Security issues fixed:

- CVE-2025-46836: missing bounds check in `get_name` may lead to a stack buffer overflow (bsc#1243581).
- Avoid unsafe use of `memcpy` in `ifconfig` (bsc#1248687).
- Prevent overflow in `ax25` and `netrom` (bsc#1248687).
- Fix stack buffer overflow in `parse_hex` (bsc#1248687).
- Fix stack buffer overflow in `proc_gen_fmt` (bsc#1248687).

Other issues fixed:

- Allow use of long interface names after CVE-2025-46836 fix, even if they are not accepted by the kernel (bsc#1248410).
- Fix netrom support.

The following package changes have been done:

- net-tools-2.0+git20170221.479bb4a-150000.5.13.1 updated

From sle-container-updates at lists.suse.com Thu Sep 18 07:15:49 2025
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Thu, 18 Sep 2025 09:15:49 +0200 (CEST)
Subject: SUSE-IU-2025:2463-1: Security update of suse/sl-micro/6.1/base-os-container
Message-ID: <20250918071550.00C73F782@maintenance.suse.de>

SUSE Image Update Advisory: suse/sl-micro/6.1/base-os-container
-----------------------------------------------------------------
Image Advisory ID : SUSE-IU-2025:2463-1
Image Tags        : suse/sl-micro/6.1/base-os-container:2.2.1 , suse/sl-micro/6.1/base-os-container:2.2.1-5.34 , suse/sl-micro/6.1/base-os-container:latest
Image Release     : 5.34
Severity          : moderate
Type              : security
References        : 1232234 CVE-2024-10041
-----------------------------------------------------------------

The container suse/sl-micro/6.1/base-os-container was updated.
The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: 266
Released:    Wed Sep 17 13:30:47 2025
Summary:     Security update for pam
Type:        security
Severity:    moderate
References:  1232234,CVE-2024-10041

This update for pam fixes the following issues:

- CVE-2024-10041: Fixed hashed password leak (bsc#1232234)

The following package changes have been done:

- pam-1.6.1-slfo.1.1_4.1 updated
- container:suse-toolbox-image-1.0.0-4.72 updated

From sle-container-updates at lists.suse.com Thu Sep 18 07:16:29 2025
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Thu, 18 Sep 2025 09:16:29 +0200 (CEST)
Subject: SUSE-IU-2025:2464-1: Security update of suse/sl-micro/6.1/kvm-os-container
Message-ID: <20250918071629.2272AF782@maintenance.suse.de>

SUSE Image Update Advisory: suse/sl-micro/6.1/kvm-os-container
-----------------------------------------------------------------
Image Advisory ID : SUSE-IU-2025:2464-1
Image Tags        : suse/sl-micro/6.1/kvm-os-container:2.2.1 , suse/sl-micro/6.1/kvm-os-container:2.2.1-5.36 , suse/sl-micro/6.1/kvm-os-container:latest
Image Release     : 5.36
Severity          : moderate
Type              : security
References        : 1232234 CVE-2024-10041
-----------------------------------------------------------------

The container suse/sl-micro/6.1/kvm-os-container was updated.
The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: 266
Released:    Wed Sep 17 13:30:47 2025
Summary:     Security update for pam
Type:        security
Severity:    moderate
References:  1232234,CVE-2024-10041

This update for pam fixes the following issues:

- CVE-2024-10041: Fixed hashed password leak (bsc#1232234)

The following package changes have been done:

- pam-1.6.1-slfo.1.1_4.1 updated
- SL-Micro-release-6.1-slfo.1.11.57 updated
- container:SL-Micro-base-container-2.2.1-5.34 updated

From sle-container-updates at lists.suse.com Thu Sep 18 07:22:34 2025
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Thu, 18 Sep 2025 09:22:34 +0200 (CEST)
Subject: SUSE-CU-2025:6894-1: Security update of suse/389-ds
Message-ID: <20250918072234.D5BC5F782@maintenance.suse.de>

SUSE Container Update Advisory: suse/389-ds
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2025:6894-1
Container Tags        : suse/389-ds:2.5 , suse/389-ds:2.5.3 , suse/389-ds:2.5.3-62.28 , suse/389-ds:latest
Container Release     : 62.28
Severity              : important
Type                  : security
References            : 1239618 CVE-2024-8176
-----------------------------------------------------------------

The container suse/389-ds was updated.
The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:3239-1
Released:    Tue Sep 16 19:04:00 2025
Summary:     Security update for expat
Type:        security
Severity:    important
References:  1239618,CVE-2024-8176

This update for expat fixes the following issues:

expat was updated to version 2.7.1:

- Bug fixes:
  - Restore event pointer behavior from Expat 2.6.4 (that the fix to CVE-2024-8176 changed in 2.7.0); affected API functions are:
    - XML_GetCurrentByteCount
    - XML_GetCurrentByteIndex
    - XML_GetCurrentColumnNumber
    - XML_GetCurrentLineNumber
    - XML_GetInputContext
- Other changes:
  - Fix printf format specifiers for 32bit Emscripten
  - docs: Promote OpenSSF Best Practices self-certification
  - tests/benchmark: Resolve mistaken double close
  - Address compiler warnings
  - Version info bumped from 11:1:10 (libexpat*.so.1.10.1) to 11:2:10 (libexpat*.so.1.10.2); see https://verbump.de/ for what these numbers do

Version update to 2.7.0 (CVE-2024-8176, bsc#1239618, jsc#PED-12507)

* Security fixes:
  - CVE-2024-8176 -- Fix crash from chaining a large number of entities caused by stack overflow by resolving use of recursion, for all three uses of entities:
    - general entities in character data ('&g1;')
    - general entities in attribute values ('')
    - parameter entities ('%p1;')
    Known impact is (reliable and easy) denial of service:
    CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:H/RL:O/RC:C
    (Base Score: 7.5, Temporal Score: 7.2)
    Please note that a layer of compression around XML can significantly reduce the minimum attack payload size.
* Other changes:
  - docs: Add missing documentation of error code XML_ERROR_NOT_STARTED that was introduced with 2.6.4
  - docs: Document need for C++11 compiler for use from C++
  - Address Cppcheck warnings
  - Mass-migrate links from http:// to https://
  - Document changes since the previous release
  - Version info bumped from 11:0:10 (libexpat*.so.1.10.0) to 11:1:10 (libexpat*.so.1.10.1); see https://verbump.de/ for what these numbers do

The following package changes have been done:

- libexpat1-2.7.1-150700.3.3.1 updated

From sle-container-updates at lists.suse.com Thu Sep 18 07:22:47 2025
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Thu, 18 Sep 2025 09:22:47 +0200 (CEST)
Subject: SUSE-CU-2025:6895-1: Security update of suse/pcp
Message-ID: <20250918072247.954AEF782@maintenance.suse.de>

SUSE Container Update Advisory: suse/pcp
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2025:6895-1
Container Tags        : suse/pcp:6 , suse/pcp:6.2 , suse/pcp:6.2.0 , suse/pcp:6.2.0-62.38 , suse/pcp:latest
Container Release     : 62.38
Severity              : important
Type                  : security
References            : 1239618 CVE-2024-8176
-----------------------------------------------------------------

The container suse/pcp was updated.
The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:3239-1
Released:    Tue Sep 16 19:04:00 2025
Summary:     Security update for expat
Type:        security
Severity:    important
References:  1239618,CVE-2024-8176

This update for expat fixes the following issues:

expat was updated to version 2.7.1:

- Bug fixes:
  - Restore event pointer behavior from Expat 2.6.4 (that the fix to CVE-2024-8176 changed in 2.7.0); affected API functions are:
    - XML_GetCurrentByteCount
    - XML_GetCurrentByteIndex
    - XML_GetCurrentColumnNumber
    - XML_GetCurrentLineNumber
    - XML_GetInputContext
- Other changes:
  - Fix printf format specifiers for 32bit Emscripten
  - docs: Promote OpenSSF Best Practices self-certification
  - tests/benchmark: Resolve mistaken double close
  - Address compiler warnings
  - Version info bumped from 11:1:10 (libexpat*.so.1.10.1) to 11:2:10 (libexpat*.so.1.10.2); see https://verbump.de/ for what these numbers do

Version update to 2.7.0 (CVE-2024-8176, bsc#1239618, jsc#PED-12507)

* Security fixes:
  - CVE-2024-8176 -- Fix crash from chaining a large number of entities caused by stack overflow by resolving use of recursion, for all three uses of entities:
    - general entities in character data ('&g1;')
    - general entities in attribute values ('')
    - parameter entities ('%p1;')
    Known impact is (reliable and easy) denial of service:
    CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:H/RL:O/RC:C
    (Base Score: 7.5, Temporal Score: 7.2)
    Please note that a layer of compression around XML can significantly reduce the minimum attack payload size.
* Other changes:
  - docs: Add missing documentation of error code XML_ERROR_NOT_STARTED that was introduced with 2.6.4
  - docs: Document need for C++11 compiler for use from C++
  - Address Cppcheck warnings
  - Mass-migrate links from http:// to https://
  - Document changes since the previous release
  - Version info bumped from 11:0:10 (libexpat*.so.1.10.0) to 11:1:10 (libexpat*.so.1.10.1); see https://verbump.de/ for what these numbers do

The following package changes have been done:

- libexpat1-2.7.1-150700.3.3.1 updated
- container:bci-bci-init-15.7-4c92fbeff708bd7a0d0ae84851bca2a17279a699f93b0ddd1ef1566de065fe9d-0 updated

From sle-container-updates at lists.suse.com Thu Sep 18 07:23:00 2025
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Thu, 18 Sep 2025 09:23:00 +0200 (CEST)
Subject: SUSE-CU-2025:6896-1: Security update of bci/python
Message-ID: <20250918072300.1D1C1F782@maintenance.suse.de>

SUSE Container Update Advisory: bci/python
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2025:6896-1
Container Tags        : bci/python:3 , bci/python:3.11 , bci/python:3.11.13 , bci/python:3.11.13-74.26
Container Release     : 74.26
Severity              : important
Type                  : security
References            : 1239618 CVE-2024-8176
-----------------------------------------------------------------

The container bci/python was updated.
The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:3239-1
Released:    Tue Sep 16 19:04:00 2025
Summary:     Security update for expat
Type:        security
Severity:    important
References:  1239618,CVE-2024-8176

This update for expat fixes the following issues:

expat was updated to version 2.7.1:

- Bug fixes:
  - Restore event pointer behavior from Expat 2.6.4 (that the fix to CVE-2024-8176 changed in 2.7.0); affected API functions are:
    - XML_GetCurrentByteCount
    - XML_GetCurrentByteIndex
    - XML_GetCurrentColumnNumber
    - XML_GetCurrentLineNumber
    - XML_GetInputContext
- Other changes:
  - Fix printf format specifiers for 32bit Emscripten
  - docs: Promote OpenSSF Best Practices self-certification
  - tests/benchmark: Resolve mistaken double close
  - Address compiler warnings
  - Version info bumped from 11:1:10 (libexpat*.so.1.10.1) to 11:2:10 (libexpat*.so.1.10.2); see https://verbump.de/ for what these numbers do

Version update to 2.7.0 (CVE-2024-8176, bsc#1239618, jsc#PED-12507)

* Security fixes:
  - CVE-2024-8176 -- Fix crash from chaining a large number of entities caused by stack overflow by resolving use of recursion, for all three uses of entities:
    - general entities in character data ('&g1;')
    - general entities in attribute values ('')
    - parameter entities ('%p1;')
    Known impact is (reliable and easy) denial of service:
    CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:H/RL:O/RC:C
    (Base Score: 7.5, Temporal Score: 7.2)
    Please note that a layer of compression around XML can significantly reduce the minimum attack payload size.
* Other changes:
  - docs: Add missing documentation of error code XML_ERROR_NOT_STARTED that was introduced with 2.6.4
  - docs: Document need for C++11 compiler for use from C++
  - Address Cppcheck warnings
  - Mass-migrate links from http:// to https://
  - Document changes since the previous release
  - Version info bumped from 11:0:10 (libexpat*.so.1.10.0) to 11:1:10 (libexpat*.so.1.10.1); see https://verbump.de/ for what these numbers do

The following package changes have been done:

- libexpat1-2.7.1-150700.3.3.1 updated

From sle-container-updates at lists.suse.com Thu Sep 18 07:23:16 2025
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Thu, 18 Sep 2025 09:23:16 +0200 (CEST)
Subject: SUSE-CU-2025:6897-1: Security update of bci/python
Message-ID: <20250918072316.657FCF782@maintenance.suse.de>

SUSE Container Update Advisory: bci/python
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2025:6897-1
Container Tags        : bci/python:3 , bci/python:3.13 , bci/python:3.13.5 , bci/python:3.13.5-76.25 , bci/python:latest
Container Release     : 76.25
Severity              : important
Type                  : security
References            : 1239618 CVE-2024-8176
-----------------------------------------------------------------

The container bci/python was updated.
The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:3239-1
Released:    Tue Sep 16 19:04:00 2025
Summary:     Security update for expat
Type:        security
Severity:    important
References:  1239618,CVE-2024-8176

This update for expat fixes the following issues:

expat was updated to version 2.7.1:

- Bug fixes:
  - Restore event pointer behavior from Expat 2.6.4 (that the fix to CVE-2024-8176 changed in 2.7.0); affected API functions are:
    - XML_GetCurrentByteCount
    - XML_GetCurrentByteIndex
    - XML_GetCurrentColumnNumber
    - XML_GetCurrentLineNumber
    - XML_GetInputContext
- Other changes:
  - Fix printf format specifiers for 32bit Emscripten
  - docs: Promote OpenSSF Best Practices self-certification
  - tests/benchmark: Resolve mistaken double close
  - Address compiler warnings
  - Version info bumped from 11:1:10 (libexpat*.so.1.10.1) to 11:2:10 (libexpat*.so.1.10.2); see https://verbump.de/ for what these numbers do

Version update to 2.7.0 (CVE-2024-8176, bsc#1239618, jsc#PED-12507)

* Security fixes:
  - CVE-2024-8176 -- Fix crash from chaining a large number of entities caused by stack overflow by resolving use of recursion, for all three uses of entities:
    - general entities in character data ('&g1;')
    - general entities in attribute values ('')
    - parameter entities ('%p1;')
    Known impact is (reliable and easy) denial of service:
    CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:H/RL:O/RC:C
    (Base Score: 7.5, Temporal Score: 7.2)
    Please note that a layer of compression around XML can significantly reduce the minimum attack payload size.
* Other changes: - docs: Add missing documentation of error code XML_ERROR_NOT_STARTED that was introduced with 2.6.4 - docs: Document need for C++11 compiler for use from C++ - Address Cppcheck warnings - Mass-migrate links from http:// to https:// - Document changes since the previous release - Version info bumped from 11:0:10 (libexpat*.so.1.10.0) to 11:1:10 (libexpat*.so.1.10.1); see https://verbump.de/ for what these numbers do The following package changes have been done: - libexpat1-2.7.1-150700.3.3.1 updated From sle-container-updates at lists.suse.com Thu Sep 18 07:23:33 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Thu, 18 Sep 2025 09:23:33 +0200 (CEST) Subject: SUSE-CU-2025:6898-1: Security update of bci/python Message-ID: <20250918072333.0C746F782@maintenance.suse.de> SUSE Container Update Advisory: bci/python ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:6898-1 Container Tags : bci/python:3 , bci/python:3.6 , bci/python:3.6.15 , bci/python:3.6.15-73.27 Container Release : 73.27 Severity : important Type : security References : 1239618 CVE-2024-8176 ----------------------------------------------------------------- The container bci/python was updated. 
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:3239-1 Released: Tue Sep 16 19:04:00 2025 Summary: Security update for expat Type: security Severity: important References: 1239618,CVE-2024-8176 This update for expat fixes the following issues: expat was updated to version 2.7.1: - Bug fixes: - Restore event pointer behavior from Expat 2.6.4 (that the fix to CVE-2024-8176 changed in 2.7.0); affected API functions are: - XML_GetCurrentByteCount - XML_GetCurrentByteIndex - XML_GetCurrentColumnNumber - XML_GetCurrentLineNumber - XML_GetInputContext - Other changes: - Fix printf format specifiers for 32bit Emscripten - docs: Promote OpenSSF Best Practices self-certification - tests/benchmark: Resolve mistaken double close - Address compiler warnings - Version info bumped from 11:1:10 (libexpat*.so.1.10.1) to 11:2:10 (libexpat*.so.1.10.2); see https://verbump.de/ for what these numbers do Version update to 2.7.0 (CVE-2024-8176, bsc#1239618, jsc#PED-12507) * Security fixes: - CVE-2024-8176 -- Fix crash from chaining a large number of entities caused by stack overflow by resolving use of recursion, for all three uses of entities: - general entities in character data ('&g1;') - general entities in attribute values ('') - parameter entities ('%p1;') Known impact is (reliable and easy) denial of service: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:H/RL:O/RC:C (Base Score: 7.5, Temporal Score: 7.2) Please note that a layer of compression around XML can significantly reduce the minimum attack payload size. 
* Other changes: - docs: Add missing documentation of error code XML_ERROR_NOT_STARTED that was introduced with 2.6.4 - docs: Document need for C++11 compiler for use from C++ - Address Cppcheck warnings - Mass-migrate links from http:// to https:// - Document changes since the previous release - Version info bumped from 11:0:10 (libexpat*.so.1.10.0) to 11:1:10 (libexpat*.so.1.10.1); see https://verbump.de/ for what these numbers do The following package changes have been done: - libexpat1-2.7.1-150700.3.3.1 updated From sle-container-updates at lists.suse.com Thu Sep 18 07:23:41 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Thu, 18 Sep 2025 09:23:41 +0200 (CEST) Subject: SUSE-CU-2025:6885-1: Security update of suse/mariadb Message-ID: <20250918072341.52FBAF782@maintenance.suse.de> SUSE Container Update Advisory: suse/mariadb ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:6885-1 Container Tags : suse/mariadb:11.8 , suse/mariadb:11.8.2 , suse/mariadb:11.8.2-62.4 , suse/mariadb:latest Container Release : 62.4 Severity : important Type : security References : 1239618 CVE-2024-8176 ----------------------------------------------------------------- The container suse/mariadb was updated. 
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:3239-1 Released: Tue Sep 16 19:04:00 2025 Summary: Security update for expat Type: security Severity: important References: 1239618,CVE-2024-8176 This update for expat fixes the following issues: expat was updated to version 2.7.1: - Bug fixes: - Restore event pointer behavior from Expat 2.6.4 (that the fix to CVE-2024-8176 changed in 2.7.0); affected API functions are: - XML_GetCurrentByteCount - XML_GetCurrentByteIndex - XML_GetCurrentColumnNumber - XML_GetCurrentLineNumber - XML_GetInputContext - Other changes: - Fix printf format specifiers for 32bit Emscripten - docs: Promote OpenSSF Best Practices self-certification - tests/benchmark: Resolve mistaken double close - Address compiler warnings - Version info bumped from 11:1:10 (libexpat*.so.1.10.1) to 11:2:10 (libexpat*.so.1.10.2); see https://verbump.de/ for what these numbers do Version update to 2.7.0 (CVE-2024-8176, bsc#1239618, jsc#PED-12507) * Security fixes: - CVE-2024-8176 -- Fix crash from chaining a large number of entities caused by stack overflow by resolving use of recursion, for all three uses of entities: - general entities in character data ('&g1;') - general entities in attribute values ('') - parameter entities ('%p1;') Known impact is (reliable and easy) denial of service: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:H/RL:O/RC:C (Base Score: 7.5, Temporal Score: 7.2) Please note that a layer of compression around XML can significantly reduce the minimum attack payload size. 
* Other changes: - docs: Add missing documentation of error code XML_ERROR_NOT_STARTED that was introduced with 2.6.4 - docs: Document need for C++11 compiler for use from C++ - Address Cppcheck warnings - Mass-migrate links from http:// to https:// - Document changes since the previous release - Version info bumped from 11:0:10 (libexpat*.so.1.10.0) to 11:1:10 (libexpat*.so.1.10.1); see https://verbump.de/ for what these numbers do The following package changes have been done: - libexpat1-2.7.1-150700.3.3.1 updated - container:suse-sle15-15.7-7509e7e16dfdc2ba3eb2a7409a432209c89350947682a3713af951a95da4b936-0 updated From sle-container-updates at lists.suse.com Thu Sep 18 07:23:56 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Thu, 18 Sep 2025 09:23:56 +0200 (CEST) Subject: SUSE-CU-2025:6899-1: Security update of bci/ruby Message-ID: <20250918072356.2DF49F782@maintenance.suse.de> SUSE Container Update Advisory: bci/ruby ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:6899-1 Container Tags : bci/ruby:2 , bci/ruby:2.5 , bci/ruby:2.5-14.6 Container Release : 14.6 Severity : important Type : security References : 1239618 CVE-2024-8176 ----------------------------------------------------------------- The container bci/ruby was updated. 
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:3239-1 Released: Tue Sep 16 19:04:00 2025 Summary: Security update for expat Type: security Severity: important References: 1239618,CVE-2024-8176 This update for expat fixes the following issues: expat was updated to version 2.7.1: - Bug fixes: - Restore event pointer behavior from Expat 2.6.4 (that the fix to CVE-2024-8176 changed in 2.7.0); affected API functions are: - XML_GetCurrentByteCount - XML_GetCurrentByteIndex - XML_GetCurrentColumnNumber - XML_GetCurrentLineNumber - XML_GetInputContext - Other changes: - Fix printf format specifiers for 32bit Emscripten - docs: Promote OpenSSF Best Practices self-certification - tests/benchmark: Resolve mistaken double close - Address compiler warnings - Version info bumped from 11:1:10 (libexpat*.so.1.10.1) to 11:2:10 (libexpat*.so.1.10.2); see https://verbump.de/ for what these numbers do Version update to 2.7.0 (CVE-2024-8176, bsc#1239618, jsc#PED-12507) * Security fixes: - CVE-2024-8176 -- Fix crash from chaining a large number of entities caused by stack overflow by resolving use of recursion, for all three uses of entities: - general entities in character data ('&g1;') - general entities in attribute values ('') - parameter entities ('%p1;') Known impact is (reliable and easy) denial of service: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:H/RL:O/RC:C (Base Score: 7.5, Temporal Score: 7.2) Please note that a layer of compression around XML can significantly reduce the minimum attack payload size. 
* Other changes: - docs: Add missing documentation of error code XML_ERROR_NOT_STARTED that was introduced with 2.6.4 - docs: Document need for C++11 compiler for use from C++ - Address Cppcheck warnings - Mass-migrate links from http:// to https:// - Document changes since the previous release - Version info bumped from 11:0:10 (libexpat*.so.1.10.0) to 11:1:10 (libexpat*.so.1.10.1); see https://verbump.de/ for what these numbers do The following package changes have been done: - libexpat1-2.7.1-150700.3.3.1 updated From sle-container-updates at lists.suse.com Thu Sep 18 07:24:10 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Thu, 18 Sep 2025 09:24:10 +0200 (CEST) Subject: SUSE-CU-2025:6900-1: Security update of bci/ruby Message-ID: <20250918072410.AE3B8F782@maintenance.suse.de> SUSE Container Update Advisory: bci/ruby ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:6900-1 Container Tags : bci/ruby:3 , bci/ruby:3.4 , bci/ruby:3.4-13.6 , bci/ruby:latest Container Release : 13.6 Severity : important Type : security References : 1239618 CVE-2024-8176 ----------------------------------------------------------------- The container bci/ruby was updated. 
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:3239-1 Released: Tue Sep 16 19:04:00 2025 Summary: Security update for expat Type: security Severity: important References: 1239618,CVE-2024-8176 This update for expat fixes the following issues: expat was updated to version 2.7.1: - Bug fixes: - Restore event pointer behavior from Expat 2.6.4 (that the fix to CVE-2024-8176 changed in 2.7.0); affected API functions are: - XML_GetCurrentByteCount - XML_GetCurrentByteIndex - XML_GetCurrentColumnNumber - XML_GetCurrentLineNumber - XML_GetInputContext - Other changes: - Fix printf format specifiers for 32bit Emscripten - docs: Promote OpenSSF Best Practices self-certification - tests/benchmark: Resolve mistaken double close - Address compiler warnings - Version info bumped from 11:1:10 (libexpat*.so.1.10.1) to 11:2:10 (libexpat*.so.1.10.2); see https://verbump.de/ for what these numbers do Version update to 2.7.0 (CVE-2024-8176, bsc#1239618, jsc#PED-12507) * Security fixes: - CVE-2024-8176 -- Fix crash from chaining a large number of entities caused by stack overflow by resolving use of recursion, for all three uses of entities: - general entities in character data ('&g1;') - general entities in attribute values ('') - parameter entities ('%p1;') Known impact is (reliable and easy) denial of service: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:H/RL:O/RC:C (Base Score: 7.5, Temporal Score: 7.2) Please note that a layer of compression around XML can significantly reduce the minimum attack payload size. 
* Other changes: - docs: Add missing documentation of error code XML_ERROR_NOT_STARTED that was introduced with 2.6.4 - docs: Document need for C++11 compiler for use from C++ - Address Cppcheck warnings - Mass-migrate links from http:// to https:// - Document changes since the previous release - Version info bumped from 11:0:10 (libexpat*.so.1.10.0) to 11:1:10 (libexpat*.so.1.10.1); see https://verbump.de/ for what these numbers do The following package changes have been done: - libexpat1-2.7.1-150700.3.3.1 updated From sle-container-updates at lists.suse.com Thu Sep 18 07:24:19 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Thu, 18 Sep 2025 09:24:19 +0200 (CEST) Subject: SUSE-CU-2025:6901-1: Security update of suse/samba-client Message-ID: <20250918072419.76600F782@maintenance.suse.de> SUSE Container Update Advisory: suse/samba-client ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:6901-1 Container Tags : suse/samba-client:4.21 , suse/samba-client:4.21 , suse/samba-client:4.21-64.26 , suse/samba-client:latest Container Release : 64.26 Severity : important Type : security References : 1239618 CVE-2024-8176 ----------------------------------------------------------------- The container suse/samba-client was updated. 
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:3239-1 Released: Tue Sep 16 19:04:00 2025 Summary: Security update for expat Type: security Severity: important References: 1239618,CVE-2024-8176 This update for expat fixes the following issues: expat was updated to version 2.7.1: - Bug fixes: - Restore event pointer behavior from Expat 2.6.4 (that the fix to CVE-2024-8176 changed in 2.7.0); affected API functions are: - XML_GetCurrentByteCount - XML_GetCurrentByteIndex - XML_GetCurrentColumnNumber - XML_GetCurrentLineNumber - XML_GetInputContext - Other changes: - Fix printf format specifiers for 32bit Emscripten - docs: Promote OpenSSF Best Practices self-certification - tests/benchmark: Resolve mistaken double close - Address compiler warnings - Version info bumped from 11:1:10 (libexpat*.so.1.10.1) to 11:2:10 (libexpat*.so.1.10.2); see https://verbump.de/ for what these numbers do Version update to 2.7.0 (CVE-2024-8176, bsc#1239618, jsc#PED-12507) * Security fixes: - CVE-2024-8176 -- Fix crash from chaining a large number of entities caused by stack overflow by resolving use of recursion, for all three uses of entities: - general entities in character data ('&g1;') - general entities in attribute values ('') - parameter entities ('%p1;') Known impact is (reliable and easy) denial of service: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:H/RL:O/RC:C (Base Score: 7.5, Temporal Score: 7.2) Please note that a layer of compression around XML can significantly reduce the minimum attack payload size. 
* Other changes: - docs: Add missing documentation of error code XML_ERROR_NOT_STARTED that was introduced with 2.6.4 - docs: Document need for C++11 compiler for use from C++ - Address Cppcheck warnings - Mass-migrate links from http:// to https:// - Document changes since the previous release - Version info bumped from 11:0:10 (libexpat*.so.1.10.0) to 11:1:10 (libexpat*.so.1.10.1); see https://verbump.de/ for what these numbers do The following package changes have been done: - libexpat1-2.7.1-150700.3.3.1 updated - container:suse-sle15-15.7-7509e7e16dfdc2ba3eb2a7409a432209c89350947682a3713af951a95da4b936-0 updated From sle-container-updates at lists.suse.com Thu Sep 18 07:24:27 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Thu, 18 Sep 2025 09:24:27 +0200 (CEST) Subject: SUSE-CU-2025:6902-1: Security update of suse/samba-server Message-ID: <20250918072427.F34BDF782@maintenance.suse.de> SUSE Container Update Advisory: suse/samba-server ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:6902-1 Container Tags : suse/samba-server:4.21 , suse/samba-server:4.21 , suse/samba-server:4.21-64.26 , suse/samba-server:latest Container Release : 64.26 Severity : important Type : security References : 1239618 CVE-2024-8176 ----------------------------------------------------------------- The container suse/samba-server was updated. 
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:3239-1 Released: Tue Sep 16 19:04:00 2025 Summary: Security update for expat Type: security Severity: important References: 1239618,CVE-2024-8176 This update for expat fixes the following issues: expat was updated to version 2.7.1: - Bug fixes: - Restore event pointer behavior from Expat 2.6.4 (that the fix to CVE-2024-8176 changed in 2.7.0); affected API functions are: - XML_GetCurrentByteCount - XML_GetCurrentByteIndex - XML_GetCurrentColumnNumber - XML_GetCurrentLineNumber - XML_GetInputContext - Other changes: - Fix printf format specifiers for 32bit Emscripten - docs: Promote OpenSSF Best Practices self-certification - tests/benchmark: Resolve mistaken double close - Address compiler warnings - Version info bumped from 11:1:10 (libexpat*.so.1.10.1) to 11:2:10 (libexpat*.so.1.10.2); see https://verbump.de/ for what these numbers do Version update to 2.7.0 (CVE-2024-8176, bsc#1239618, jsc#PED-12507) * Security fixes: - CVE-2024-8176 -- Fix crash from chaining a large number of entities caused by stack overflow by resolving use of recursion, for all three uses of entities: - general entities in character data ('&g1;') - general entities in attribute values ('') - parameter entities ('%p1;') Known impact is (reliable and easy) denial of service: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:H/RL:O/RC:C (Base Score: 7.5, Temporal Score: 7.2) Please note that a layer of compression around XML can significantly reduce the minimum attack payload size. 
* Other changes: - docs: Add missing documentation of error code XML_ERROR_NOT_STARTED that was introduced with 2.6.4 - docs: Document need for C++11 compiler for use from C++ - Address Cppcheck warnings - Mass-migrate links from http:// to https:// - Document changes since the previous release - Version info bumped from 11:0:10 (libexpat*.so.1.10.0) to 11:1:10 (libexpat*.so.1.10.1); see https://verbump.de/ for what these numbers do The following package changes have been done: - libexpat1-2.7.1-150700.3.3.1 updated - container:suse-sle15-15.7-7509e7e16dfdc2ba3eb2a7409a432209c89350947682a3713af951a95da4b936-0 updated From sle-container-updates at lists.suse.com Thu Sep 18 07:24:37 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Thu, 18 Sep 2025 09:24:37 +0200 (CEST) Subject: SUSE-CU-2025:6903-1: Security update of suse/samba-toolbox Message-ID: <20250918072437.5CDF7F782@maintenance.suse.de> SUSE Container Update Advisory: suse/samba-toolbox ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:6903-1 Container Tags : suse/samba-toolbox:4.21 , suse/samba-toolbox:4.21 , suse/samba-toolbox:4.21-64.26 , suse/samba-toolbox:latest Container Release : 64.26 Severity : important Type : security References : 1239618 CVE-2024-8176 ----------------------------------------------------------------- The container suse/samba-toolbox was updated. 
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:3239-1 Released: Tue Sep 16 19:04:00 2025 Summary: Security update for expat Type: security Severity: important References: 1239618,CVE-2024-8176 This update for expat fixes the following issues: expat was updated to version 2.7.1: - Bug fixes: - Restore event pointer behavior from Expat 2.6.4 (that the fix to CVE-2024-8176 changed in 2.7.0); affected API functions are: - XML_GetCurrentByteCount - XML_GetCurrentByteIndex - XML_GetCurrentColumnNumber - XML_GetCurrentLineNumber - XML_GetInputContext - Other changes: - Fix printf format specifiers for 32bit Emscripten - docs: Promote OpenSSF Best Practices self-certification - tests/benchmark: Resolve mistaken double close - Address compiler warnings - Version info bumped from 11:1:10 (libexpat*.so.1.10.1) to 11:2:10 (libexpat*.so.1.10.2); see https://verbump.de/ for what these numbers do Version update to 2.7.0 (CVE-2024-8176, bsc#1239618, jsc#PED-12507) * Security fixes: - CVE-2024-8176 -- Fix crash from chaining a large number of entities caused by stack overflow by resolving use of recursion, for all three uses of entities: - general entities in character data ('&g1;') - general entities in attribute values ('') - parameter entities ('%p1;') Known impact is (reliable and easy) denial of service: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:H/RL:O/RC:C (Base Score: 7.5, Temporal Score: 7.2) Please note that a layer of compression around XML can significantly reduce the minimum attack payload size. 
* Other changes: - docs: Add missing documentation of error code XML_ERROR_NOT_STARTED that was introduced with 2.6.4 - docs: Document need for C++11 compiler for use from C++ - Address Cppcheck warnings - Mass-migrate links from http:// to https:// - Document changes since the previous release - Version info bumped from 11:0:10 (libexpat*.so.1.10.0) to 11:1:10 (libexpat*.so.1.10.1); see https://verbump.de/ for what these numbers do The following package changes have been done: - libexpat1-2.7.1-150700.3.3.1 updated - container:suse-sle15-15.7-7509e7e16dfdc2ba3eb2a7409a432209c89350947682a3713af951a95da4b936-0 updated From sle-container-updates at lists.suse.com Thu Sep 18 07:24:51 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Thu, 18 Sep 2025 09:24:51 +0200 (CEST) Subject: SUSE-CU-2025:6904-1: Security update of bci/bci-sle15-kernel-module-devel Message-ID: <20250918072451.67178F782@maintenance.suse.de> SUSE Container Update Advisory: bci/bci-sle15-kernel-module-devel ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:6904-1 Container Tags : bci/bci-sle15-kernel-module-devel:15.7 , bci/bci-sle15-kernel-module-devel:15.7-44.16 , bci/bci-sle15-kernel-module-devel:latest Container Release : 44.16 Severity : important Type : security References : 1239618 CVE-2024-8176 ----------------------------------------------------------------- The container bci/bci-sle15-kernel-module-devel was updated. 
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:3239-1 Released: Tue Sep 16 19:04:00 2025 Summary: Security update for expat Type: security Severity: important References: 1239618,CVE-2024-8176 This update for expat fixes the following issues: expat was updated to version 2.7.1: - Bug fixes: - Restore event pointer behavior from Expat 2.6.4 (that the fix to CVE-2024-8176 changed in 2.7.0); affected API functions are: - XML_GetCurrentByteCount - XML_GetCurrentByteIndex - XML_GetCurrentColumnNumber - XML_GetCurrentLineNumber - XML_GetInputContext - Other changes: - Fix printf format specifiers for 32bit Emscripten - docs: Promote OpenSSF Best Practices self-certification - tests/benchmark: Resolve mistaken double close - Address compiler warnings - Version info bumped from 11:1:10 (libexpat*.so.1.10.1) to 11:2:10 (libexpat*.so.1.10.2); see https://verbump.de/ for what these numbers do Version update to 2.7.0 (CVE-2024-8176, bsc#1239618, jsc#PED-12507) * Security fixes: - CVE-2024-8176 -- Fix crash from chaining a large number of entities caused by stack overflow by resolving use of recursion, for all three uses of entities: - general entities in character data ('&g1;') - general entities in attribute values ('') - parameter entities ('%p1;') Known impact is (reliable and easy) denial of service: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:H/RL:O/RC:C (Base Score: 7.5, Temporal Score: 7.2) Please note that a layer of compression around XML can significantly reduce the minimum attack payload size. 
* Other changes: - docs: Add missing documentation of error code XML_ERROR_NOT_STARTED that was introduced with 2.6.4 - docs: Document need for C++11 compiler for use from C++ - Address Cppcheck warnings - Mass-migrate links from http:// to https:// - Document changes since the previous release - Version info bumped from 11:0:10 (libexpat*.so.1.10.0) to 11:1:10 (libexpat*.so.1.10.1); see https://verbump.de/ for what these numbers do The following package changes have been done: - libexpat1-2.7.1-150700.3.3.1 updated From sle-container-updates at lists.suse.com Thu Sep 18 07:25:10 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Thu, 18 Sep 2025 09:25:10 +0200 (CEST) Subject: SUSE-CU-2025:6905-1: Security update of bci/spack Message-ID: <20250918072510.0AE28F782@maintenance.suse.de> SUSE Container Update Advisory: bci/spack ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:6905-1 Container Tags : bci/spack:0.23 , bci/spack:0.23.1 , bci/spack:0.23.1-15.24 , bci/spack:latest Container Release : 15.24 Severity : important Type : security References : 1239618 CVE-2024-8176 ----------------------------------------------------------------- The container bci/spack was updated. 
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:3239-1 Released: Tue Sep 16 19:04:00 2025 Summary: Security update for expat Type: security Severity: important References: 1239618,CVE-2024-8176 This update for expat fixes the following issues: expat was updated to version 2.7.1: - Bug fixes: - Restore event pointer behavior from Expat 2.6.4 (that the fix to CVE-2024-8176 changed in 2.7.0); affected API functions are: - XML_GetCurrentByteCount - XML_GetCurrentByteIndex - XML_GetCurrentColumnNumber - XML_GetCurrentLineNumber - XML_GetInputContext - Other changes: - Fix printf format specifiers for 32bit Emscripten - docs: Promote OpenSSF Best Practices self-certification - tests/benchmark: Resolve mistaken double close - Address compiler warnings - Version info bumped from 11:1:10 (libexpat*.so.1.10.1) to 11:2:10 (libexpat*.so.1.10.2); see https://verbump.de/ for what these numbers do Version update to 2.7.0 (CVE-2024-8176, bsc#1239618, jsc#PED-12507) * Security fixes: - CVE-2024-8176 -- Fix crash from chaining a large number of entities caused by stack overflow by resolving use of recursion, for all three uses of entities: - general entities in character data ('&g1;') - general entities in attribute values ('') - parameter entities ('%p1;') Known impact is (reliable and easy) denial of service: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:H/RL:O/RC:C (Base Score: 7.5, Temporal Score: 7.2) Please note that a layer of compression around XML can significantly reduce the minimum attack payload size. 
* Other changes: - docs: Add missing documentation of error code XML_ERROR_NOT_STARTED that was introduced with 2.6.4 - docs: Document need for C++11 compiler for use from C++ - Address Cppcheck warnings - Mass-migrate links from http:// to https:// - Document changes since the previous release - Version info bumped from 11:0:10 (libexpat*.so.1.10.0) to 11:1:10 (libexpat*.so.1.10.1); see https://verbump.de/ for what these numbers do The following package changes have been done: - libexpat1-2.7.1-150700.3.3.1 updated - container:registry.suse.com-bci-bci-base-15.7-7509e7e16dfdc2ba3eb2a7409a432209c89350947682a3713af951a95da4b936-0 updated From sle-container-updates at lists.suse.com Thu Sep 18 07:25:16 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Thu, 18 Sep 2025 09:25:16 +0200 (CEST) Subject: SUSE-CU-2025:6906-1: Security update of suse/kiosk/xorg-client Message-ID: <20250918072516.661A3F782@maintenance.suse.de> SUSE Container Update Advisory: suse/kiosk/xorg-client ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:6906-1 Container Tags : suse/kiosk/xorg-client:21 , suse/kiosk/xorg-client:21-64.22 , suse/kiosk/xorg-client:latest Container Release : 64.22 Severity : important Type : security References : 1239618 CVE-2024-8176 ----------------------------------------------------------------- The container suse/kiosk/xorg-client was updated. 
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:3239-1 Released: Tue Sep 16 19:04:00 2025 Summary: Security update for expat Type: security Severity: important References: 1239618,CVE-2024-8176 This update for expat fixes the following issues: expat was updated to version 2.7.1: - Bug fixes: - Restore event pointer behavior from Expat 2.6.4 (that the fix to CVE-2024-8176 changed in 2.7.0); affected API functions are: - XML_GetCurrentByteCount - XML_GetCurrentByteIndex - XML_GetCurrentColumnNumber - XML_GetCurrentLineNumber - XML_GetInputContext - Other changes: - Fix printf format specifiers for 32bit Emscripten - docs: Promote OpenSSF Best Practices self-certification - tests/benchmark: Resolve mistaken double close - Address compiler warnings - Version info bumped from 11:1:10 (libexpat*.so.1.10.1) to 11:2:10 (libexpat*.so.1.10.2); see https://verbump.de/ for what these numbers do Version update to 2.7.0 (CVE-2024-8176, bsc#1239618, jsc#PED-12507) * Security fixes: - CVE-2024-8176 -- Fix crash from chaining a large number of entities caused by stack overflow by resolving use of recursion, for all three uses of entities: - general entities in character data ('&g1;') - general entities in attribute values ('') - parameter entities ('%p1;') Known impact is (reliable and easy) denial of service: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:H/RL:O/RC:C (Base Score: 7.5, Temporal Score: 7.2) Please note that a layer of compression around XML can significantly reduce the minimum attack payload size. 
* Other changes: - docs: Add missing documentation of error code XML_ERROR_NOT_STARTED that was introduced with 2.6.4 - docs: Document need for C++11 compiler for use from C++ - Address Cppcheck warnings - Mass-migrate links from http:// to https:// - Document changes since the previous release - Version info bumped from 11:0:10 (libexpat*.so.1.10.0) to 11:1:10 (libexpat*.so.1.10.1); see https://verbump.de/ for what these numbers do The following package changes have been done: - libexpat1-2.7.1-150700.3.3.1 updated - container:suse-sle15-15.7-7509e7e16dfdc2ba3eb2a7409a432209c89350947682a3713af951a95da4b936-0 updated From sle-container-updates at lists.suse.com Thu Sep 18 07:25:29 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Thu, 18 Sep 2025 09:25:29 +0200 (CEST) Subject: SUSE-CU-2025:6907-1: Security update of suse/kiosk/xorg Message-ID: <20250918072529.D9AA7F782@maintenance.suse.de> SUSE Container Update Advisory: suse/kiosk/xorg ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:6907-1 Container Tags : suse/kiosk/xorg:21 , suse/kiosk/xorg:21.1 , suse/kiosk/xorg:21.1-66.2 , suse/kiosk/xorg:latest , suse/kiosk/xorg:notaskbar Container Release : 66.2 Severity : important Type : security References : 1239618 CVE-2024-8176 ----------------------------------------------------------------- The container suse/kiosk/xorg was updated. 
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:3239-1 Released: Tue Sep 16 19:04:00 2025 Summary: Security update for expat Type: security Severity: important References: 1239618,CVE-2024-8176 This update for expat fixes the following issues: expat was updated to version 2.7.1: - Bug fixes: - Restore event pointer behavior from Expat 2.6.4 (that the fix to CVE-2024-8176 changed in 2.7.0); affected API functions are: - XML_GetCurrentByteCount - XML_GetCurrentByteIndex - XML_GetCurrentColumnNumber - XML_GetCurrentLineNumber - XML_GetInputContext - Other changes: - Fix printf format specifiers for 32bit Emscripten - docs: Promote OpenSSF Best Practices self-certification - tests/benchmark: Resolve mistaken double close - Address compiler warnings - Version info bumped from 11:1:10 (libexpat*.so.1.10.1) to 11:2:10 (libexpat*.so.1.10.2); see https://verbump.de/ for what these numbers do Version update to 2.7.0 (CVE-2024-8176, bsc#1239618, jsc#PED-12507) * Security fixes: - CVE-2024-8176 -- Fix crash from chaining a large number of entities caused by stack overflow by resolving use of recursion, for all three uses of entities: - general entities in character data ('&g1;') - general entities in attribute values ('') - parameter entities ('%p1;') Known impact is (reliable and easy) denial of service: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:H/RL:O/RC:C (Base Score: 7.5, Temporal Score: 7.2) Please note that a layer of compression around XML can significantly reduce the minimum attack payload size. 
* Other changes: - docs: Add missing documentation of error code XML_ERROR_NOT_STARTED that was introduced with 2.6.4 - docs: Document need for C++11 compiler for use from C++ - Address Cppcheck warnings - Mass-migrate links from http:// to https:// - Document changes since the previous release - Version info bumped from 11:0:10 (libexpat*.so.1.10.0) to 11:1:10 (libexpat*.so.1.10.1); see https://verbump.de/ for what these numbers do The following package changes have been done: - libexpat1-2.7.1-150700.3.3.1 updated - expat-2.7.1-150700.3.3.1 updated From sle-container-updates at lists.suse.com Thu Sep 18 07:29:03 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Thu, 18 Sep 2025 09:29:03 +0200 (CEST) Subject: SUSE-CU-2025:6914-1: Security update of suse/sle-micro/5.1/toolbox Message-ID: <20250918072903.50908F782@maintenance.suse.de> SUSE Container Update Advisory: suse/sle-micro/5.1/toolbox ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:6914-1 Container Tags : suse/sle-micro/5.1/toolbox:14.2 , suse/sle-micro/5.1/toolbox:14.2-3.13.171 , suse/sle-micro/5.1/toolbox:latest Container Release : 3.13.171 Severity : moderate Type : security References : 1246602 1246604 1247938 1247939 CVE-2025-53905 CVE-2025-53906 CVE-2025-55157 CVE-2025-55158 ----------------------------------------------------------------- The container suse/sle-micro/5.1/toolbox was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:3240-1 Released: Tue Sep 16 21:56:57 2025 Summary: Security update for vim Type: security Severity: moderate References: 1246602,1246604,1247938,1247939,CVE-2025-53905,CVE-2025-53906,CVE-2025-55157,CVE-2025-55158 This update for vim fixes the following issues: Update to version 9.1.1629. 
- CVE-2025-53905: Fixed a path traversal issue in tar.vim plugin that may allow for file overwriting when opening specially crafted tar files (bsc#1246604). - CVE-2025-53906: Fixed a path traversal issue in zip.vim plugin that may allow for file overwriting when opening specially crafted zip files (bsc#1246602). - CVE-2025-55157: Fixed use-after-free in internal tuple reference management (bsc#1247938). - CVE-2025-55158: Fixed double-free in internal typed value (typval_T) management (bsc#1247939). The following package changes have been done: - vim-data-common-9.1.1629-150000.5.78.1 updated - vim-9.1.1629-150000.5.78.1 updated - xxd-9.1.1406-150000.5.75.1 removed From sle-container-updates at lists.suse.com Thu Sep 18 07:34:26 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Thu, 18 Sep 2025 09:34:26 +0200 (CEST) Subject: SUSE-CU-2025:6917-1: Security update of suse/sle-micro/5.2/toolbox Message-ID: <20250918073426.A2B40F782@maintenance.suse.de> SUSE Container Update Advisory: suse/sle-micro/5.2/toolbox ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:6917-1 Container Tags : suse/sle-micro/5.2/toolbox:14.2 , suse/sle-micro/5.2/toolbox:14.2-7.11.173 , suse/sle-micro/5.2/toolbox:latest Container Release : 7.11.173 Severity : moderate Type : security References : 1246602 1246604 1247938 1247939 CVE-2025-53905 CVE-2025-53906 CVE-2025-55157 CVE-2025-55158 ----------------------------------------------------------------- The container suse/sle-micro/5.2/toolbox was updated. 
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:3240-1 Released: Tue Sep 16 21:56:57 2025 Summary: Security update for vim Type: security Severity: moderate References: 1246602,1246604,1247938,1247939,CVE-2025-53905,CVE-2025-53906,CVE-2025-55157,CVE-2025-55158 This update for vim fixes the following issues: Update to version 9.1.1629. - CVE-2025-53905: Fixed a path traversal issue in tar.vim plugin that may allow for file overwriting when opening specially crafted tar files (bsc#1246604). - CVE-2025-53906: Fixed a path traversal issue in zip.vim plugin that may allow for file overwriting when opening specially crafted zip files (bsc#1246602). - CVE-2025-55157: Fixed use-after-free in internal tuple reference management (bsc#1247938). - CVE-2025-55158: Fixed double-free in internal typed value (typval_T) management (bsc#1247939). The following package changes have been done: - vim-data-common-9.1.1629-150000.5.78.1 updated - vim-9.1.1629-150000.5.78.1 updated - xxd-9.1.1406-150000.5.75.1 removed From sle-container-updates at lists.suse.com Thu Sep 18 08:44:07 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Thu, 18 Sep 2025 10:44:07 +0200 (CEST) Subject: SUSE-CU-2025:6918-1: Security update of suse/kiosk/firefox-esr Message-ID: <20250918084407.B7AD3F782@maintenance.suse.de> SUSE Container Update Advisory: suse/kiosk/firefox-esr ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:6918-1 Container Tags : suse/kiosk/firefox-esr:140.2 , suse/kiosk/firefox-esr:140.2-64.28 , suse/kiosk/firefox-esr:esr , suse/kiosk/firefox-esr:latest Container Release : 64.28 Severity : important Type : security References : 1230932 1246533 1249049 1249128 CVE-2024-47175 CVE-2025-58060 CVE-2025-58364 ----------------------------------------------------------------- The container 
suse/kiosk/firefox-esr was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:3261-1 Released: Thu Sep 18 06:35:19 2025 Summary: Security update for cups Type: security Severity: important References: 1230932,1246533,1249049,1249128,CVE-2024-47175,CVE-2025-58060,CVE-2025-58364 This update for cups fixes the following issues: - CVE-2024-47175: no validation of IPP attributes in `ppdCreatePPDFromIPP2` when writing to a temporary PPD file allows for the injection of attacker-controlled data to the resulting PPD (bsc#1230932). - CVE-2025-58060: no password check when `AuthType` is set to anything but `Basic` and a request is made with an `Authorization: Basic` header (bsc#1249049). - CVE-2025-58364: unsafe deserialization and validation of printer attributes leads to NULL pointer dereference (bsc#1249128). The following package changes have been done: - cups-config-2.2.7-150000.3.72.1 updated - libcups2-2.2.7-150000.3.72.1 updated From sle-container-updates at lists.suse.com Thu Sep 18 08:45:58 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Thu, 18 Sep 2025 10:45:58 +0200 (CEST) Subject: SUSE-CU-2025:6917-1: Security update of suse/sle-micro/5.2/toolbox Message-ID: <20250918084558.05B0DF782@maintenance.suse.de> SUSE Container Update Advisory: suse/sle-micro/5.2/toolbox ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:6917-1 Container Tags : suse/sle-micro/5.2/toolbox:14.2 , suse/sle-micro/5.2/toolbox:14.2-7.11.173 , suse/sle-micro/5.2/toolbox:latest Container Release : 7.11.173 Severity : moderate Type : security References : 1246602 1246604 1247938 1247939 CVE-2025-53905 CVE-2025-53906 CVE-2025-55157 CVE-2025-55158 ----------------------------------------------------------------- The container suse/sle-micro/5.2/toolbox was updated. 
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:3240-1 Released: Tue Sep 16 21:56:57 2025 Summary: Security update for vim Type: security Severity: moderate References: 1246602,1246604,1247938,1247939,CVE-2025-53905,CVE-2025-53906,CVE-2025-55157,CVE-2025-55158 This update for vim fixes the following issues: Update to version 9.1.1629. - CVE-2025-53905: Fixed a path traversal issue in tar.vim plugin that may allow for file overwriting when opening specially crafted tar files (bsc#1246604). - CVE-2025-53906: Fixed a path traversal issue in zip.vim plugin that may allow for file overwriting when opening specially crafted zip files (bsc#1246602). - CVE-2025-55157: Fixed use-after-free in internal tuple reference management (bsc#1247938). - CVE-2025-55158: Fixed double-free in internal typed value (typval_T) management (bsc#1247939). The following package changes have been done: - vim-data-common-9.1.1629-150000.5.78.1 updated - vim-9.1.1629-150000.5.78.1 updated - xxd-9.1.1406-150000.5.75.1 removed From sle-container-updates at lists.suse.com Fri Sep 19 07:04:40 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Fri, 19 Sep 2025 09:04:40 +0200 (CEST) Subject: SUSE-IU-2025:2472-1: Security update of suse/sle-micro/base-5.5 Message-ID: <20250919070440.E03ACF783@maintenance.suse.de> SUSE Image Update Advisory: suse/sle-micro/base-5.5 ----------------------------------------------------------------- Image Advisory ID : SUSE-IU-2025:2472-1 Image Tags : suse/sle-micro/base-5.5:2.0.4 , suse/sle-micro/base-5.5:2.0.4-5.8.205 , suse/sle-micro/base-5.5:latest Image Release : 5.8.205 Severity : important Type : security References : 1241219 1246197 1246197 1249191 1249191 1249348 1249348 1249367 1249367 CVE-2025-10148 CVE-2025-10148 CVE-2025-3576 CVE-2025-9086 CVE-2025-9086 
----------------------------------------------------------------- The container suse/sle-micro/base-5.5 was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:3267-1 Released: Thu Sep 18 13:05:51 2025 Summary: Security update for curl Type: security Severity: important References: 1246197,1249191,1249348,1249367,CVE-2025-10148,CVE-2025-9086 This update for curl fixes the following issues: Security issues fixed: - CVE-2025-9086: bug in patch comparison logic when processing cookies can lead to out-of-bounds read in heap buffer (bsc#1249191). - CVE-2025-10148: predictable websocket mask can lead to proxy cache poisoning by malicious server (bsc#1249348). Other issues fixed: - Fix the --ftp-pasv option in curl v8.14.1 (bsc#1246197). * tool_getparam: fix --ftp-pasv [5f805ee] - Update to version 8.14.1 (jsc#PED-13055, jsc#PED-13056). * TLS: add CURLOPT_SSL_SIGNATURE_ALGORITHMS and --sigalgs. * websocket: add option to disable auto-pong reply. * huge number of bugfixes. Please see https://curl.se/ch/ for full changelogs. ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:3268-1 Released: Thu Sep 18 13:08:10 2025 Summary: Security update for curl Type: security Severity: important References: 1246197,1249191,1249348,1249367,CVE-2025-10148,CVE-2025-9086 This update for curl fixes the following issues: Security issues fixed: - CVE-2025-9086: bug in patch comparison logic when processing cookies can lead to out-of-bounds read in heap buffer (bsc#1249191). - CVE-2025-10148: predictable websocket mask can lead to proxy cache poisoning by malicious server (bsc#1249348). Other issues fixed: - Fix the --ftp-pasv option in curl v8.14.1 (bsc#1246197). * tool_getparam: fix --ftp-pasv [5f805ee] - Update to version 8.14.1 (jsc#PED-13055, jsc#PED-13056). * TLS: add CURLOPT_SSL_SIGNATURE_ALGORITHMS and --sigalgs. 
* websocket: add option to disable auto-pong reply. * huge number of bugfixes. Please see https://curl.se/ch/ for full changelogs. ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:3270-1 Released: Thu Sep 18 13:18:05 2025 Summary: Security update for krb5 Type: security Severity: moderate References: 1241219,CVE-2025-3576 This update for krb5 fixes the following issues: - CVE-2025-3576: weakness in the MD5 checksum design allows for spoofing of GSSAPI-protected messages that are using RC4-HMAC-MD5 (bsc#1241219). Krb5, as a very old protocol, supported quite a number of ciphers that are no longer up to current cryptographic standards. To avoid problems with those, SUSE has by default now disabled those algorithms. The following algorithms have been removed from valid krb5 enctypes: - des3-cbc-sha1 - arcfour-hmac-md5 To reenable those algorithms, you can use allow options in krb5.conf: [libdefaults] allow_des3 = true allow_rc4 = true to reenable them.
The following package changes have been done: - libbrotlicommon1-1.0.7-150200.3.5.1 updated - libbrotlidec1-1.0.7-150200.3.5.1 updated - krb5-1.20.1-150500.3.17.1 updated - libcurl4-8.14.1-150400.5.69.1 updated - curl-8.14.1-150400.5.69.1 updated From sle-container-updates at lists.suse.com Fri Sep 19 07:05:43 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Fri, 19 Sep 2025 09:05:43 +0200 (CEST) Subject: SUSE-IU-2025:2473-1: Security update of suse/sle-micro/kvm-5.5 Message-ID: <20250919070543.36951F783@maintenance.suse.de> SUSE Image Update Advisory: suse/sle-micro/kvm-5.5 ----------------------------------------------------------------- Image Advisory ID : SUSE-IU-2025:2473-1 Image Tags : suse/sle-micro/kvm-5.5:2.0.4 , suse/sle-micro/kvm-5.5:2.0.4-3.5.391 , suse/sle-micro/kvm-5.5:latest Image Release : 3.5.391 Severity : important Type : security References : 1241219 1246197 1246197 1249191 1249191 1249348 1249348 1249367 1249367 CVE-2025-10148 CVE-2025-10148 CVE-2025-3576 CVE-2025-9086 CVE-2025-9086 ----------------------------------------------------------------- The container suse/sle-micro/kvm-5.5 was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:3267-1 Released: Thu Sep 18 13:05:51 2025 Summary: Security update for curl Type: security Severity: important References: 1246197,1249191,1249348,1249367,CVE-2025-10148,CVE-2025-9086 This update for curl fixes the following issues: Security issues fixed: - CVE-2025-9086: bug in patch comparison logic when processing cookies can lead to out-of-bounds read in heap buffer (bsc#1249191). - CVE-2025-10148: predictable websocket mask can lead to proxy cache poisoning by malicious server (bsc#1249348). Other issues fixed: - Fix the --ftp-pasv option in curl v8.14.1 (bsc#1246197). 
* tool_getparam: fix --ftp-pasv [5f805ee] - Update to version 8.14.1 (jsc#PED-13055, jsc#PED-13056). * TLS: add CURLOPT_SSL_SIGNATURE_ALGORITHMS and --sigalgs. * websocket: add option to disable auto-pong reply. * huge number of bugfixes. Please see https://curl.se/ch/ for full changelogs. ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:3268-1 Released: Thu Sep 18 13:08:10 2025 Summary: Security update for curl Type: security Severity: important References: 1246197,1249191,1249348,1249367,CVE-2025-10148,CVE-2025-9086 This update for curl fixes the following issues: Security issues fixed: - CVE-2025-9086: bug in patch comparison logic when processing cookies can lead to out-of-bounds read in heap buffer (bsc#1249191). - CVE-2025-10148: predictable websocket mask can lead to proxy cache poisoning by malicious server (bsc#1249348). Other issues fixed: - Fix the --ftp-pasv option in curl v8.14.1 (bsc#1246197). * tool_getparam: fix --ftp-pasv [5f805ee] - Update to version 8.14.1 (jsc#PED-13055, jsc#PED-13056). * TLS: add CURLOPT_SSL_SIGNATURE_ALGORITHMS and --sigalgs. * websocket: add option to disable auto-pong reply. * huge number of bugfixes. Please see https://curl.se/ch/ for full changelogs. ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:3270-1 Released: Thu Sep 18 13:18:05 2025 Summary: Security update for krb5 Type: security Severity: moderate References: 1241219,CVE-2025-3576 This update for krb5 fixes the following issues: - CVE-2025-3576: weakness in the MD5 checksum design allows for spoofing of GSSAPI-protected messages that are using RC4-HMAC-MD5 (bsc#1241219). Krb5, as a very old protocol, supported quite a number of ciphers that are no longer up to current cryptographic standards. To avoid problems with those, SUSE has by default now disabled those algorithms.
The following algorithms have been removed from valid krb5 enctypes: - des3-cbc-sha1 - arcfour-hmac-md5 To reenable those algorithms, you can use allow options in krb5.conf: [libdefaults] allow_des3 = true allow_rc4 = true to reenable them. The following package changes have been done: - libbrotlicommon1-1.0.7-150200.3.5.1 updated - libbrotlidec1-1.0.7-150200.3.5.1 updated - krb5-1.20.1-150500.3.17.1 updated - libcurl4-8.14.1-150400.5.69.1 updated - container:suse-sle-micro-base-5.5-latest-2.0.4-5.8.205 updated From sle-container-updates at lists.suse.com Fri Sep 19 07:07:23 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Fri, 19 Sep 2025 09:07:23 +0200 (CEST) Subject: SUSE-IU-2025:2474-1: Security update of suse/sle-micro/rt-5.5 Message-ID: <20250919070723.9BC3AF783@maintenance.suse.de> SUSE Image Update Advisory: suse/sle-micro/rt-5.5 ----------------------------------------------------------------- Image Advisory ID : SUSE-IU-2025:2474-1 Image Tags : suse/sle-micro/rt-5.5:2.0.4 , suse/sle-micro/rt-5.5:2.0.4-4.5.487 , suse/sle-micro/rt-5.5:latest Image Release : 4.5.487 Severity : important Type : security References : 1241219 1246197 1246197 1249191 1249191 1249348 1249348 1249367 1249367 CVE-2025-10148 CVE-2025-10148 CVE-2025-3576 CVE-2025-9086 CVE-2025-9086 ----------------------------------------------------------------- The container suse/sle-micro/rt-5.5 was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:3267-1 Released: Thu Sep 18 13:05:51 2025 Summary: Security update for curl Type: security Severity: important References: 1246197,1249191,1249348,1249367,CVE-2025-10148,CVE-2025-9086 This update for curl fixes the following issues: Security issues fixed: - CVE-2025-9086: bug in patch comparison logic when processing cookies can lead to out-of-bounds read in heap buffer (bsc#1249191). 
- CVE-2025-10148: predictable websocket mask can lead to proxy cache poisoning by malicious server (bsc#1249348). Other issues fixed: - Fix the --ftp-pasv option in curl v8.14.1 (bsc#1246197). * tool_getparam: fix --ftp-pasv [5f805ee] - Update to version 8.14.1 (jsc#PED-13055, jsc#PED-13056). * TLS: add CURLOPT_SSL_SIGNATURE_ALGORITHMS and --sigalgs. * websocket: add option to disable auto-pong reply. * huge number of bugfixes. Please see https://curl.se/ch/ for full changelogs. ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:3268-1 Released: Thu Sep 18 13:08:10 2025 Summary: Security update for curl Type: security Severity: important References: 1246197,1249191,1249348,1249367,CVE-2025-10148,CVE-2025-9086 This update for curl fixes the following issues: Security issues fixed: - CVE-2025-9086: bug in patch comparison logic when processing cookies can lead to out-of-bounds read in heap buffer (bsc#1249191). - CVE-2025-10148: predictable websocket mask can lead to proxy cache poisoning by malicious server (bsc#1249348). Other issues fixed: - Fix the --ftp-pasv option in curl v8.14.1 (bsc#1246197). * tool_getparam: fix --ftp-pasv [5f805ee] - Update to version 8.14.1 (jsc#PED-13055, jsc#PED-13056). * TLS: add CURLOPT_SSL_SIGNATURE_ALGORITHMS and --sigalgs. * websocket: add option to disable auto-pong reply. * huge number of bugfixes. Please see https://curl.se/ch/ for full changelogs. ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:3270-1 Released: Thu Sep 18 13:18:05 2025 Summary: Security update for krb5 Type: security Severity: moderate References: 1241219,CVE-2025-3576 This update for krb5 fixes the following issues: - CVE-2025-3576: weakness in the MD5 checksum design allows for spoofing of GSSAPI-protected messages that are using RC4-HMAC-MD5 (bsc#1241219). Krb5, as a very old protocol, supported quite a number of ciphers that are no longer up to current cryptographic standards.
To avoid problems with those, SUSE has by default now disabled those algorithms. The following algorithms have been removed from valid krb5 enctypes: - des3-cbc-sha1 - arcfour-hmac-md5 To reenable those algorithms, you can use allow options in krb5.conf: [libdefaults] allow_des3 = true allow_rc4 = true to reenable them. The following package changes have been done: - libbrotlicommon1-1.0.7-150200.3.5.1 updated - libbrotlidec1-1.0.7-150200.3.5.1 updated - krb5-1.20.1-150500.3.17.1 updated - libcurl4-8.14.1-150400.5.69.1 updated - container:suse-sle-micro-5.5-latest-2.0.4-5.5.370 updated From sle-container-updates at lists.suse.com Fri Sep 19 07:08:57 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Fri, 19 Sep 2025 09:08:57 +0200 (CEST) Subject: SUSE-IU-2025:2475-1: Security update of suse/sle-micro/5.5 Message-ID: <20250919070857.1FF28F783@maintenance.suse.de> SUSE Image Update Advisory: suse/sle-micro/5.5 ----------------------------------------------------------------- Image Advisory ID : SUSE-IU-2025:2475-1 Image Tags : suse/sle-micro/5.5:2.0.4 , suse/sle-micro/5.5:2.0.4-5.5.370 , suse/sle-micro/5.5:latest Image Release : 5.5.370 Severity : important Type : security References : 1241219 1246197 1246197 1249191 1249191 1249348 1249348 1249367 1249367 CVE-2025-10148 CVE-2025-10148 CVE-2025-3576 CVE-2025-9086 CVE-2025-9086 ----------------------------------------------------------------- The container suse/sle-micro/5.5 was updated.
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:3267-1 Released: Thu Sep 18 13:05:51 2025 Summary: Security update for curl Type: security Severity: important References: 1246197,1249191,1249348,1249367,CVE-2025-10148,CVE-2025-9086 This update for curl fixes the following issues: Security issues fixed: - CVE-2025-9086: bug in patch comparison logic when processing cookies can lead to out-of-bounds read in heap buffer (bsc#1249191). - CVE-2025-10148: predictable websocket mask can lead to proxy cache poisoning by malicious server (bsc#1249348). Other issues fixed: - Fix the --ftp-pasv option in curl v8.14.1 (bsc#1246197). * tool_getparam: fix --ftp-pasv [5f805ee] - Update to version 8.14.1 (jsc#PED-13055, jsc#PED-13056). * TLS: add CURLOPT_SSL_SIGNATURE_ALGORITHMS and --sigalgs. * websocket: add option to disable auto-pong reply. * huge number of bugfixes. Please see https://curl.se/ch/ for full changelogs. ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:3268-1 Released: Thu Sep 18 13:08:10 2025 Summary: Security update for curl Type: security Severity: important References: 1246197,1249191,1249348,1249367,CVE-2025-10148,CVE-2025-9086 This update for curl fixes the following issues: Security issues fixed: - CVE-2025-9086: bug in patch comparison logic when processing cookies can lead to out-of-bounds read in heap buffer (bsc#1249191). - CVE-2025-10148: predictable websocket mask can lead to proxy cache poisoning by malicious server (bsc#1249348). Other issues fixed: - Fix the --ftp-pasv option in curl v8.14.1 (bsc#1246197). * tool_getparam: fix --ftp-pasv [5f805ee] - Update to version 8.14.1 (jsc#PED-13055, jsc#PED-13056). * TLS: add CURLOPT_SSL_SIGNATURE_ALGORITHMS and --sigalgs. * websocket: add option to disable auto-pong reply. * huge number of bugfixes. Please see https://curl.se/ch/ for full changelogs. 
----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:3270-1 Released: Thu Sep 18 13:18:05 2025 Summary: Security update for krb5 Type: security Severity: moderate References: 1241219,CVE-2025-3576 This update for krb5 fixes the following issues: - CVE-2025-3576: weakness in the MD5 checksum design allows for spoofing of GSSAPI-protected messages that are using RC4-HMAC-MD5 (bsc#1241219). Krb5, as a very old protocol, supported quite a number of ciphers that are no longer up to current cryptographic standards. To avoid problems with those, SUSE has by default now disabled those algorithms. The following algorithms have been removed from valid krb5 enctypes: - des3-cbc-sha1 - arcfour-hmac-md5 To reenable those algorithms, you can use allow options in krb5.conf: [libdefaults] allow_des3 = true allow_rc4 = true to reenable them. The following package changes have been done: - libbrotlicommon1-1.0.7-150200.3.5.1 updated - libbrotlidec1-1.0.7-150200.3.5.1 updated - krb5-1.20.1-150500.3.17.1 updated - libcurl4-8.14.1-150400.5.69.1 updated - container:suse-sle-micro-base-5.5-latest-2.0.4-5.8.205 updated From sle-container-updates at lists.suse.com Fri Sep 19 07:11:09 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Fri, 19 Sep 2025 09:11:09 +0200 (CEST) Subject: SUSE-CU-2025:6921-1: Security update of private-registry/harbor-nginx Message-ID: <20250919071109.A1853F783@maintenance.suse.de> SUSE Container Update Advisory: private-registry/harbor-nginx ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:6921-1 Container Tags : private-registry/harbor-nginx:1.21 , private-registry/harbor-nginx:1.21.5 , private-registry/harbor-nginx:1.21.5-2.40 , private-registry/harbor-nginx:latest Container Release : 2.40 Severity : important Type : security References : 1246197 1249191 1249348 1249367 CVE-2025-10148 CVE-2025-9086
----------------------------------------------------------------- The container private-registry/harbor-nginx was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:3268-1 Released: Thu Sep 18 13:08:10 2025 Summary: Security update for curl Type: security Severity: important References: 1246197,1249191,1249348,1249367,CVE-2025-10148,CVE-2025-9086 This update for curl fixes the following issues: Security issues fixed: - CVE-2025-9086: bug in patch comparison logic when processing cookies can lead to out-of-bounds read in heap buffer (bsc#1249191). - CVE-2025-10148: predictable websocket mask can lead to proxy cache poisoning by malicious server (bsc#1249348). Other issues fixed: - Fix the --ftp-pasv option in curl v8.14.1 (bsc#1246197). * tool_getparam: fix --ftp-pasv [5f805ee] - Update to version 8.14.1 (jsc#PED-13055, jsc#PED-13056). * TLS: add CURLOPT_SSL_SIGNATURE_ALGORITHMS and --sigalgs. * websocket: add option to disable auto-pong reply. * huge number of bugfixes. Please see https://curl.se/ch/ for full changelogs. 
The following package changes have been done: - libbrotlicommon1-1.0.7-150200.3.5.1 updated - libbrotlidec1-1.0.7-150200.3.5.1 updated - container:suse-sle15-15.6-d13d6758550c72c08b54298b7fb20e8d426127b4692f4b115373e2175184ada8-0 updated From sle-container-updates at lists.suse.com Fri Sep 19 07:11:12 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Fri, 19 Sep 2025 09:11:12 +0200 (CEST) Subject: SUSE-CU-2025:6922-1: Security update of private-registry/harbor-portal Message-ID: <20250919071112.6FBDDF783@maintenance.suse.de> SUSE Container Update Advisory: private-registry/harbor-portal ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:6922-1 Container Tags : private-registry/harbor-portal:2.13 , private-registry/harbor-portal:2.13.2 , private-registry/harbor-portal:2.13.2-3.6 , private-registry/harbor-portal:latest Container Release : 3.6 Severity : important Type : security References : 1246197 1249191 1249348 1249367 CVE-2025-10148 CVE-2025-9086 ----------------------------------------------------------------- The container private-registry/harbor-portal was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:3268-1 Released: Thu Sep 18 13:08:10 2025 Summary: Security update for curl Type: security Severity: important References: 1246197,1249191,1249348,1249367,CVE-2025-10148,CVE-2025-9086 This update for curl fixes the following issues: Security issues fixed: - CVE-2025-9086: bug in patch comparison logic when processing cookies can lead to out-of-bounds read in heap buffer (bsc#1249191). - CVE-2025-10148: predictable websocket mask can lead to proxy cache poisoning by malicious server (bsc#1249348). Other issues fixed: - Fix the --ftp-pasv option in curl v8.14.1 (bsc#1246197). 
* tool_getparam: fix --ftp-pasv [5f805ee] - Update to version 8.14.1 (jsc#PED-13055, jsc#PED-13056). * TLS: add CURLOPT_SSL_SIGNATURE_ALGORITHMS and --sigalgs. * websocket: add option to disable auto-pong reply. * huge number of bugfixes. Please see https://curl.se/ch/ for full changelogs. The following package changes have been done: - libbrotlicommon1-1.0.7-150200.3.5.1 updated - libbrotlidec1-1.0.7-150200.3.5.1 updated - container:suse-sle15-15.6-d13d6758550c72c08b54298b7fb20e8d426127b4692f4b115373e2175184ada8-0 updated From sle-container-updates at lists.suse.com Fri Sep 19 07:11:15 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Fri, 19 Sep 2025 09:11:15 +0200 (CEST) Subject: SUSE-CU-2025:6923-1: Security update of private-registry/harbor-trivy-adapter Message-ID: <20250919071115.03D72F783@maintenance.suse.de> SUSE Container Update Advisory: private-registry/harbor-trivy-adapter ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:6923-1 Container Tags : private-registry/harbor-trivy-adapter:0.33.2 , private-registry/harbor-trivy-adapter:0.33.2-2.40 , private-registry/harbor-trivy-adapter:latest Container Release : 2.40 Severity : important Type : security References : 1246197 1249191 1249348 1249367 CVE-2025-10148 CVE-2025-9086 ----------------------------------------------------------------- The container private-registry/harbor-trivy-adapter was updated. 
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:3268-1 Released: Thu Sep 18 13:08:10 2025 Summary: Security update for curl Type: security Severity: important References: 1246197,1249191,1249348,1249367,CVE-2025-10148,CVE-2025-9086 This update for curl fixes the following issues: Security issues fixed: - CVE-2025-9086: bug in patch comparison logic when processing cookies can lead to out-of-bounds read in heap buffer (bsc#1249191). - CVE-2025-10148: predictable websocket mask can lead to proxy cache poisoning by malicious server (bsc#1249348). Other issues fixed: - Fix the --ftp-pasv option in curl v8.14.1 (bsc#1246197). * tool_getparam: fix --ftp-pasv [5f805ee] - Update to version 8.14.1 (jsc#PED-13055, jsc#PED-13056). * TLS: add CURLOPT_SSL_SIGNATURE_ALGORITHMS and --sigalgs. * websocket: add option to disable auto-pong reply. * huge number of bugfixes. Please see https://curl.se/ch/ for full changelogs. 
The following package changes have been done: - libbrotlicommon1-1.0.7-150200.3.5.1 updated - libbrotlidec1-1.0.7-150200.3.5.1 updated - container:suse-sle15-15.6-d13d6758550c72c08b54298b7fb20e8d426127b4692f4b115373e2175184ada8-0 updated From sle-container-updates at lists.suse.com Fri Sep 19 07:18:05 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Fri, 19 Sep 2025 09:18:05 +0200 (CEST) Subject: SUSE-CU-2025:6925-1: Security update of suse/sle-micro-rancher/5.4 Message-ID: <20250919071805.1BA39F782@maintenance.suse.de> SUSE Container Update Advisory: suse/sle-micro-rancher/5.4 ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:6925-1 Container Tags : suse/sle-micro-rancher/5.4:5.4.4.5.54 , suse/sle-micro-rancher/5.4:latest Container Release : 4.5.54 Severity : important Type : security References : 1246197 1246197 1249191 1249191 1249348 1249348 1249367 1249367 CVE-2025-10148 CVE-2025-10148 CVE-2025-9086 CVE-2025-9086 ----------------------------------------------------------------- The container suse/sle-micro-rancher/5.4 was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:3267-1 Released: Thu Sep 18 13:05:51 2025 Summary: Security update for curl Type: security Severity: important References: 1246197,1249191,1249348,1249367,CVE-2025-10148,CVE-2025-9086 This update for curl fixes the following issues: Security issues fixed: - CVE-2025-9086: bug in patch comparison logic when processing cookies can lead to out-of-bounds read in heap buffer (bsc#1249191). - CVE-2025-10148: predictable websocket mask can lead to proxy cache poisoning by malicious server (bsc#1249348). Other issues fixed: - Fix the --ftp-pasv option in curl v8.14.1 (bsc#1246197). * tool_getparam: fix --ftp-pasv [5f805ee] - Update to version 8.14.1 (jsc#PED-13055, jsc#PED-13056). 
* TLS: add CURLOPT_SSL_SIGNATURE_ALGORITHMS and --sigalgs. * websocket: add option to disable auto-pong reply. * huge number of bugfixes. Please see https://curl.se/ch/ for full changelogs. ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:3268-1 Released: Thu Sep 18 13:08:10 2025 Summary: Security update for curl Type: security Severity: important References: 1246197,1249191,1249348,1249367,CVE-2025-10148,CVE-2025-9086 This update for curl fixes the following issues: Security issues fixed: - CVE-2025-9086: bug in patch comparison logic when processing cookies can lead to out-of-bounds read in heap buffer (bsc#1249191). - CVE-2025-10148: predictable websocket mask can lead to proxy cache poisoning by malicious server (bsc#1249348). Other issues fixed: - Fix the --ftp-pasv option in curl v8.14.1 (bsc#1246197). * tool_getparam: fix --ftp-pasv [5f805ee] - Update to version 8.14.1 (jsc#PED-13055, jsc#PED-13056). * TLS: add CURLOPT_SSL_SIGNATURE_ALGORITHMS and --sigalgs. * websocket: add option to disable auto-pong reply. * huge number of bugfixes. Please see https://curl.se/ch/ for full changelogs. 
The following package changes have been done: - curl-8.14.1-150400.5.69.1 updated - libbrotlicommon1-1.0.7-150200.3.5.1 updated - libbrotlidec1-1.0.7-150200.3.5.1 updated - libcurl4-8.14.1-150400.5.69.1 updated From sle-container-updates at lists.suse.com Fri Sep 19 07:25:24 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Fri, 19 Sep 2025 09:25:24 +0200 (CEST) Subject: SUSE-CU-2025:6931-1: Security update of suse/hpc/warewulf4-x86_64/sle-hpc-node Message-ID: <20250919072524.75CC3F782@maintenance.suse.de> SUSE Container Update Advisory: suse/hpc/warewulf4-x86_64/sle-hpc-node ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:6931-1 Container Tags : suse/hpc/warewulf4-x86_64/sle-hpc-node:15.6 , suse/hpc/warewulf4-x86_64/sle-hpc-node:15.6.17.8.109 , suse/hpc/warewulf4-x86_64/sle-hpc-node:latest Container Release : 17.8.109 Severity : important Type : security References : 1246197 1249191 1249348 1249367 CVE-2025-10148 CVE-2025-9086 ----------------------------------------------------------------- The container suse/hpc/warewulf4-x86_64/sle-hpc-node was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:3265-1 Released: Thu Sep 18 12:34:39 2025 Summary: Recommended update for container-suseconnect Type: recommended Severity: moderate References: This update of container-suseconnect rebuilds it against current go1.25. 
----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:3268-1 Released: Thu Sep 18 13:08:10 2025 Summary: Security update for curl Type: security Severity: important References: 1246197,1249191,1249348,1249367,CVE-2025-10148,CVE-2025-9086 This update for curl fixes the following issues: Security issues fixed: - CVE-2025-9086: bug in patch comparison logic when processing cookies can lead to out-of-bounds read in heap buffer (bsc#1249191). - CVE-2025-10148: predictable websocket mask can lead to proxy cache poisoning by malicious server (bsc#1249348). Other issues fixed: - Fix the --ftp-pasv option in curl v8.14.1 (bsc#1246197). * tool_getparam: fix --ftp-pasv [5f805ee] - Update to version 8.14.1 (jsc#PED-13055, jsc#PED-13056). * TLS: add CURLOPT_SSL_SIGNATURE_ALGORITHMS and --sigalgs. * websocket: add option to disable auto-pong reply. * huge number of bugfixes. Please see https://curl.se/ch/ for full changelogs. The following package changes have been done: - container-suseconnect-2.5.5-150000.4.71.1 updated - libbrotlicommon1-1.0.7-150200.3.5.1 updated - libbrotlidec1-1.0.7-150200.3.5.1 updated From sle-container-updates at lists.suse.com Fri Sep 19 07:26:58 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Fri, 19 Sep 2025 09:26:58 +0200 (CEST) Subject: SUSE-CU-2025:6932-1: Security update of suse/git Message-ID: <20250919072658.53C3FF782@maintenance.suse.de> SUSE Container Update Advisory: suse/git ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:6932-1 Container Tags : suse/git:2 , suse/git:2.51 , suse/git:2.51.0 , suse/git:2.51.0-61.6 , suse/git:latest Container Release : 61.6 Severity : important Type : security References : 1246197 1249191 1249348 1249367 CVE-2025-10148 CVE-2025-9086 ----------------------------------------------------------------- The container suse/git was updated. 
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:3268-1 Released: Thu Sep 18 13:08:10 2025 Summary: Security update for curl Type: security Severity: important References: 1246197,1249191,1249348,1249367,CVE-2025-10148,CVE-2025-9086 This update for curl fixes the following issues: Security issues fixed: - CVE-2025-9086: bug in patch comparison logic when processing cookies can lead to out-of-bounds read in heap buffer (bsc#1249191). - CVE-2025-10148: predictable websocket mask can lead to proxy cache poisoning by malicious server (bsc#1249348). Other issues fixed: - Fix the --ftp-pasv option in curl v8.14.1 (bsc#1246197). * tool_getparam: fix --ftp-pasv [5f805ee] - Update to version 8.14.1 (jsc#PED-13055, jsc#PED-13056). * TLS: add CURLOPT_SSL_SIGNATURE_ALGORITHMS and --sigalgs. * websocket: add option to disable auto-pong reply. * huge number of bugfixes. Please see https://curl.se/ch/ for full changelogs. 
The following package changes have been done: - libbrotlicommon1-1.0.7-150200.3.5.1 updated - libbrotlidec1-1.0.7-150200.3.5.1 updated From sle-container-updates at lists.suse.com Fri Sep 19 07:27:12 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Fri, 19 Sep 2025 09:27:12 +0200 (CEST) Subject: SUSE-CU-2025:6933-1: Security update of suse/kiosk/firefox-esr Message-ID: <20250919072712.B4465F782@maintenance.suse.de> SUSE Container Update Advisory: suse/kiosk/firefox-esr ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:6933-1 Container Tags : suse/kiosk/firefox-esr:140.2 , suse/kiosk/firefox-esr:140.2-64.29 , suse/kiosk/firefox-esr:esr , suse/kiosk/firefox-esr:latest Container Release : 64.29 Severity : important Type : security References : 1246197 1249191 1249348 1249367 CVE-2025-10148 CVE-2025-9086 ----------------------------------------------------------------- The container suse/kiosk/firefox-esr was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:3268-1 Released: Thu Sep 18 13:08:10 2025 Summary: Security update for curl Type: security Severity: important References: 1246197,1249191,1249348,1249367,CVE-2025-10148,CVE-2025-9086 This update for curl fixes the following issues: Security issues fixed: - CVE-2025-9086: bug in patch comparison logic when processing cookies can lead to out-of-bounds read in heap buffer (bsc#1249191). - CVE-2025-10148: predictable websocket mask can lead to proxy cache poisoning by malicious server (bsc#1249348). Other issues fixed: - Fix the --ftp-pasv option in curl v8.14.1 (bsc#1246197). * tool_getparam: fix --ftp-pasv [5f805ee] - Update to version 8.14.1 (jsc#PED-13055, jsc#PED-13056). * TLS: add CURLOPT_SSL_SIGNATURE_ALGORITHMS and --sigalgs. * websocket: add option to disable auto-pong reply. * huge number of bugfixes. 
Please see https://curl.se/ch/ for full changelogs. The following package changes have been done: - libbrotlicommon1-1.0.7-150200.3.5.1 updated - libbrotlidec1-1.0.7-150200.3.5.1 updated From sle-container-updates at lists.suse.com Fri Sep 19 07:27:25 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Fri, 19 Sep 2025 09:27:25 +0200 (CEST) Subject: SUSE-CU-2025:6934-1: Security update of bci/nodejs Message-ID: <20250919072725.F1148F782@maintenance.suse.de> SUSE Container Update Advisory: bci/nodejs ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:6934-1 Container Tags : bci/node:22 , bci/node:22.15.1 , bci/node:22.15.1-10.26 , bci/node:latest , bci/nodejs:22 , bci/nodejs:22.15.1 , bci/nodejs:22.15.1-10.26 , bci/nodejs:latest Container Release : 10.26 Severity : important Type : security References : 1239618 CVE-2024-8176 ----------------------------------------------------------------- The container bci/nodejs was updated. 
The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:3239-1
Released: Tue Sep 16 19:04:00 2025
Summary: Security update for expat
Type: security
Severity: important
References: 1239618,CVE-2024-8176

This update for expat fixes the following issues:

expat was updated to version 2.7.1:

- Bug fixes:
  - Restore event pointer behavior from Expat 2.6.4 (that the fix to CVE-2024-8176 changed in 2.7.0); affected API functions are:
    - XML_GetCurrentByteCount
    - XML_GetCurrentByteIndex
    - XML_GetCurrentColumnNumber
    - XML_GetCurrentLineNumber
    - XML_GetInputContext
- Other changes:
  - Fix printf format specifiers for 32bit Emscripten
  - docs: Promote OpenSSF Best Practices self-certification
  - tests/benchmark: Resolve mistaken double close
  - Address compiler warnings
  - Version info bumped from 11:1:10 (libexpat*.so.1.10.1) to 11:2:10 (libexpat*.so.1.10.2); see https://verbump.de/ for what these numbers do

Version update to 2.7.0 (CVE-2024-8176, bsc#1239618, jsc#PED-12507)

* Security fixes:
  - CVE-2024-8176 -- Fix crash from chaining a large number of entities caused by stack overflow by resolving use of recursion, for all three uses of entities:
    - general entities in character data ('&g1;')
    - general entities in attribute values ('')
    - parameter entities ('%p1;')
    Known impact is (reliable and easy) denial of service: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:H/RL:O/RC:C (Base Score: 7.5, Temporal Score: 7.2)
    Please note that a layer of compression around XML can significantly reduce the minimum attack payload size.
* Other changes:
  - docs: Add missing documentation of error code XML_ERROR_NOT_STARTED that was introduced with 2.6.4
  - docs: Document need for C++11 compiler for use from C++
  - Address Cppcheck warnings
  - Mass-migrate links from http:// to https://
  - Document changes since the previous release
  - Version info bumped from 11:0:10 (libexpat*.so.1.10.0) to 11:1:10 (libexpat*.so.1.10.1); see https://verbump.de/ for what these numbers do

The following package changes have been done:

- libexpat1-2.7.1-150700.3.3.1 updated

From sle-container-updates at lists.suse.com Fri Sep 19 07:27:39 2025
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Fri, 19 Sep 2025 09:27:39 +0200 (CEST)
Subject: SUSE-CU-2025:6935-1: Security update of bci/php-apache
Message-ID: <20250919072739.558D4F782@maintenance.suse.de>

SUSE Container Update Advisory: bci/php-apache
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2025:6935-1
Container Tags : bci/php-apache:8 , bci/php-apache:8.3.23 , bci/php-apache:8.3.23-12.27 , bci/php-apache:latest
Container Release : 12.27
Severity : important
Type : security
References : 1246197 1249191 1249348 1249367 CVE-2025-10148 CVE-2025-9086
-----------------------------------------------------------------

The container bci/php-apache was updated.

The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:3268-1
Released: Thu Sep 18 13:08:10 2025
Summary: Security update for curl
Type: security
Severity: important
References: 1246197,1249191,1249348,1249367,CVE-2025-10148,CVE-2025-9086

This update for curl fixes the following issues:

Security issues fixed:

- CVE-2025-9086: bug in patch comparison logic when processing cookies can lead to out-of-bounds read in heap buffer (bsc#1249191).
- CVE-2025-10148: predictable websocket mask can lead to proxy cache poisoning by malicious server (bsc#1249348). Other issues fixed: - Fix the --ftp-pasv option in curl v8.14.1 (bsc#1246197). * tool_getparam: fix --ftp-pasv [5f805ee] - Update to version 8.14.1 (jsc#PED-13055, jsc#PED-13056). * TLS: add CURLOPT_SSL_SIGNATURE_ALGORITHMS and --sigalgs. * websocket: add option to disable auto-pong reply. * huge number of bugfixes. Please see https://curl.se/ch/ for full changelogs. The following package changes have been done: - libbrotlienc1-1.0.7-150200.3.5.1 updated From sle-container-updates at lists.suse.com Fri Sep 19 07:27:53 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Fri, 19 Sep 2025 09:27:53 +0200 (CEST) Subject: SUSE-CU-2025:6936-1: Security update of suse/kiosk/pulseaudio Message-ID: <20250919072753.68762F782@maintenance.suse.de> SUSE Container Update Advisory: suse/kiosk/pulseaudio ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:6936-1 Container Tags : suse/kiosk/pulseaudio:17 , suse/kiosk/pulseaudio:17.0 , suse/kiosk/pulseaudio:17.0-63.23 , suse/kiosk/pulseaudio:latest Container Release : 63.23 Severity : important Type : security References : 1246197 1249191 1249348 1249367 CVE-2025-10148 CVE-2025-9086 ----------------------------------------------------------------- The container suse/kiosk/pulseaudio was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:3268-1 Released: Thu Sep 18 13:08:10 2025 Summary: Security update for curl Type: security Severity: important References: 1246197,1249191,1249348,1249367,CVE-2025-10148,CVE-2025-9086 This update for curl fixes the following issues: Security issues fixed: - CVE-2025-9086: bug in patch comparison logic when processing cookies can lead to out-of-bounds read in heap buffer (bsc#1249191). 
- CVE-2025-10148: predictable websocket mask can lead to proxy cache poisoning by malicious server (bsc#1249348). Other issues fixed: - Fix the --ftp-pasv option in curl v8.14.1 (bsc#1246197). * tool_getparam: fix --ftp-pasv [5f805ee] - Update to version 8.14.1 (jsc#PED-13055, jsc#PED-13056). * TLS: add CURLOPT_SSL_SIGNATURE_ALGORITHMS and --sigalgs. * websocket: add option to disable auto-pong reply. * huge number of bugfixes. Please see https://curl.se/ch/ for full changelogs. The following package changes have been done: - libbrotlicommon1-1.0.7-150200.3.5.1 updated - libbrotlidec1-1.0.7-150200.3.5.1 updated From sle-container-updates at lists.suse.com Fri Sep 19 07:28:00 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Fri, 19 Sep 2025 09:28:00 +0200 (CEST) Subject: SUSE-CU-2025:6937-1: Security update of suse/kiosk/xorg-client Message-ID: <20250919072800.B62CCF782@maintenance.suse.de> SUSE Container Update Advisory: suse/kiosk/xorg-client ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:6937-1 Container Tags : suse/kiosk/xorg-client:21 , suse/kiosk/xorg-client:21-64.23 , suse/kiosk/xorg-client:latest Container Release : 64.23 Severity : important Type : security References : 1246197 1249191 1249348 1249367 CVE-2025-10148 CVE-2025-9086 ----------------------------------------------------------------- The container suse/kiosk/xorg-client was updated. 
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:3268-1 Released: Thu Sep 18 13:08:10 2025 Summary: Security update for curl Type: security Severity: important References: 1246197,1249191,1249348,1249367,CVE-2025-10148,CVE-2025-9086 This update for curl fixes the following issues: Security issues fixed: - CVE-2025-9086: bug in patch comparison logic when processing cookies can lead to out-of-bounds read in heap buffer (bsc#1249191). - CVE-2025-10148: predictable websocket mask can lead to proxy cache poisoning by malicious server (bsc#1249348). Other issues fixed: - Fix the --ftp-pasv option in curl v8.14.1 (bsc#1246197). * tool_getparam: fix --ftp-pasv [5f805ee] - Update to version 8.14.1 (jsc#PED-13055, jsc#PED-13056). * TLS: add CURLOPT_SSL_SIGNATURE_ALGORITHMS and --sigalgs. * websocket: add option to disable auto-pong reply. * huge number of bugfixes. Please see https://curl.se/ch/ for full changelogs. 
The following package changes have been done: - libbrotlicommon1-1.0.7-150200.3.5.1 updated - libbrotlidec1-1.0.7-150200.3.5.1 updated From sle-container-updates at lists.suse.com Fri Sep 19 07:28:14 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Fri, 19 Sep 2025 09:28:14 +0200 (CEST) Subject: SUSE-CU-2025:6938-1: Security update of suse/kiosk/xorg Message-ID: <20250919072814.379F2F782@maintenance.suse.de> SUSE Container Update Advisory: suse/kiosk/xorg ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:6938-1 Container Tags : suse/kiosk/xorg:21 , suse/kiosk/xorg:21.1 , suse/kiosk/xorg:21.1-66.3 , suse/kiosk/xorg:latest , suse/kiosk/xorg:notaskbar Container Release : 66.3 Severity : important Type : security References : 1246197 1249191 1249348 1249367 CVE-2025-10148 CVE-2025-9086 ----------------------------------------------------------------- The container suse/kiosk/xorg was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:3268-1 Released: Thu Sep 18 13:08:10 2025 Summary: Security update for curl Type: security Severity: important References: 1246197,1249191,1249348,1249367,CVE-2025-10148,CVE-2025-9086 This update for curl fixes the following issues: Security issues fixed: - CVE-2025-9086: bug in patch comparison logic when processing cookies can lead to out-of-bounds read in heap buffer (bsc#1249191). - CVE-2025-10148: predictable websocket mask can lead to proxy cache poisoning by malicious server (bsc#1249348). Other issues fixed: - Fix the --ftp-pasv option in curl v8.14.1 (bsc#1246197). * tool_getparam: fix --ftp-pasv [5f805ee] - Update to version 8.14.1 (jsc#PED-13055, jsc#PED-13056). * TLS: add CURLOPT_SSL_SIGNATURE_ALGORITHMS and --sigalgs. * websocket: add option to disable auto-pong reply. * huge number of bugfixes. 
Please see https://curl.se/ch/ for full changelogs. The following package changes have been done: - libbrotlicommon1-1.0.7-150200.3.5.1 updated - libbrotlidec1-1.0.7-150200.3.5.1 updated From sle-container-updates at lists.suse.com Fri Sep 19 07:29:59 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Fri, 19 Sep 2025 09:29:59 +0200 (CEST) Subject: SUSE-CU-2025:6939-1: Security update of suse/manager/4.3/proxy-httpd Message-ID: <20250919072959.2F98DF782@maintenance.suse.de> SUSE Container Update Advisory: suse/manager/4.3/proxy-httpd ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:6939-1 Container Tags : suse/manager/4.3/proxy-httpd:4.3.16 , suse/manager/4.3/proxy-httpd:4.3.16.9.67.22 , suse/manager/4.3/proxy-httpd:latest Container Release : 9.67.22 Severity : important Type : security References : 1246197 1246197 1249191 1249191 1249348 1249348 1249367 1249367 CVE-2025-10148 CVE-2025-10148 CVE-2025-9086 CVE-2025-9086 ----------------------------------------------------------------- The container suse/manager/4.3/proxy-httpd was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:3267-1 Released: Thu Sep 18 13:05:51 2025 Summary: Security update for curl Type: security Severity: important References: 1246197,1249191,1249348,1249367,CVE-2025-10148,CVE-2025-9086 This update for curl fixes the following issues: Security issues fixed: - CVE-2025-9086: bug in patch comparison logic when processing cookies can lead to out-of-bounds read in heap buffer (bsc#1249191). - CVE-2025-10148: predictable websocket mask can lead to proxy cache poisoning by malicious server (bsc#1249348). Other issues fixed: - Fix the --ftp-pasv option in curl v8.14.1 (bsc#1246197). * tool_getparam: fix --ftp-pasv [5f805ee] - Update to version 8.14.1 (jsc#PED-13055, jsc#PED-13056). 
* TLS: add CURLOPT_SSL_SIGNATURE_ALGORITHMS and --sigalgs. * websocket: add option to disable auto-pong reply. * huge number of bugfixes. Please see https://curl.se/ch/ for full changelogs. ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:3268-1 Released: Thu Sep 18 13:08:10 2025 Summary: Security update for curl Type: security Severity: important References: 1246197,1249191,1249348,1249367,CVE-2025-10148,CVE-2025-9086 This update for curl fixes the following issues: Security issues fixed: - CVE-2025-9086: bug in patch comparison logic when processing cookies can lead to out-of-bounds read in heap buffer (bsc#1249191). - CVE-2025-10148: predictable websocket mask can lead to proxy cache poisoning by malicious server (bsc#1249348). Other issues fixed: - Fix the --ftp-pasv option in curl v8.14.1 (bsc#1246197). * tool_getparam: fix --ftp-pasv [5f805ee] - Update to version 8.14.1 (jsc#PED-13055, jsc#PED-13056). * TLS: add CURLOPT_SSL_SIGNATURE_ALGORITHMS and --sigalgs. * websocket: add option to disable auto-pong reply. * huge number of bugfixes. Please see https://curl.se/ch/ for full changelogs. 
The following package changes have been done: - libbrotlicommon1-1.0.7-150200.3.5.1 updated - libbrotlidec1-1.0.7-150200.3.5.1 updated - libcurl4-8.14.1-150400.5.69.1 updated - curl-8.14.1-150400.5.69.1 updated - libbrotlienc1-1.0.7-150200.3.5.1 updated - container:sles15-ltss-image-15.4.0-2.70 updated From sle-container-updates at lists.suse.com Fri Sep 19 07:31:12 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Fri, 19 Sep 2025 09:31:12 +0200 (CEST) Subject: SUSE-CU-2025:6940-1: Security update of suse/manager/4.3/proxy-salt-broker Message-ID: <20250919073112.B7DD4F782@maintenance.suse.de> SUSE Container Update Advisory: suse/manager/4.3/proxy-salt-broker ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:6940-1 Container Tags : suse/manager/4.3/proxy-salt-broker:4.3.16 , suse/manager/4.3/proxy-salt-broker:4.3.16.9.57.24 , suse/manager/4.3/proxy-salt-broker:latest Container Release : 9.57.24 Severity : important Type : security References : 1246197 1246197 1249191 1249191 1249348 1249348 1249367 1249367 CVE-2025-10148 CVE-2025-10148 CVE-2025-9086 CVE-2025-9086 ----------------------------------------------------------------- The container suse/manager/4.3/proxy-salt-broker was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:3267-1 Released: Thu Sep 18 13:05:51 2025 Summary: Security update for curl Type: security Severity: important References: 1246197,1249191,1249348,1249367,CVE-2025-10148,CVE-2025-9086 This update for curl fixes the following issues: Security issues fixed: - CVE-2025-9086: bug in patch comparison logic when processing cookies can lead to out-of-bounds read in heap buffer (bsc#1249191). - CVE-2025-10148: predictable websocket mask can lead to proxy cache poisoning by malicious server (bsc#1249348). 
Other issues fixed: - Fix the --ftp-pasv option in curl v8.14.1 (bsc#1246197). * tool_getparam: fix --ftp-pasv [5f805ee] - Update to version 8.14.1 (jsc#PED-13055, jsc#PED-13056). * TLS: add CURLOPT_SSL_SIGNATURE_ALGORITHMS and --sigalgs. * websocket: add option to disable auto-pong reply. * huge number of bugfixes. Please see https://curl.se/ch/ for full changelogs. ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:3268-1 Released: Thu Sep 18 13:08:10 2025 Summary: Security update for curl Type: security Severity: important References: 1246197,1249191,1249348,1249367,CVE-2025-10148,CVE-2025-9086 This update for curl fixes the following issues: Security issues fixed: - CVE-2025-9086: bug in patch comparison logic when processing cookies can lead to out-of-bounds read in heap buffer (bsc#1249191). - CVE-2025-10148: predictable websocket mask can lead to proxy cache poisoning by malicious server (bsc#1249348). Other issues fixed: - Fix the --ftp-pasv option in curl v8.14.1 (bsc#1246197). * tool_getparam: fix --ftp-pasv [5f805ee] - Update to version 8.14.1 (jsc#PED-13055, jsc#PED-13056). * TLS: add CURLOPT_SSL_SIGNATURE_ALGORITHMS and --sigalgs. * websocket: add option to disable auto-pong reply. * huge number of bugfixes. Please see https://curl.se/ch/ for full changelogs. 
The following package changes have been done: - libbrotlicommon1-1.0.7-150200.3.5.1 updated - libbrotlidec1-1.0.7-150200.3.5.1 updated - libcurl4-8.14.1-150400.5.69.1 updated - curl-8.14.1-150400.5.69.1 updated - container:sles15-ltss-image-15.4.0-2.70 updated From sle-container-updates at lists.suse.com Fri Sep 19 12:23:05 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Fri, 19 Sep 2025 14:23:05 +0200 (CEST) Subject: SUSE-CU-2025:6944-1: Security update of suse/sle-micro/5.3/toolbox Message-ID: <20250919122305.CEA61F783@maintenance.suse.de> SUSE Container Update Advisory: suse/sle-micro/5.3/toolbox ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:6944-1 Container Tags : suse/sle-micro/5.3/toolbox:14.2 , suse/sle-micro/5.3/toolbox:14.2-6.11.182 , suse/sle-micro/5.3/toolbox:latest Container Release : 6.11.182 Severity : important Type : security References : 1246197 1246197 1249191 1249191 1249348 1249348 1249367 1249367 CVE-2025-10148 CVE-2025-10148 CVE-2025-9086 CVE-2025-9086 ----------------------------------------------------------------- The container suse/sle-micro/5.3/toolbox was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:3265-1 Released: Thu Sep 18 12:34:39 2025 Summary: Recommended update for container-suseconnect Type: recommended Severity: moderate References: This update of container-suseconnect rebuilds it against current go1.25. 
----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:3267-1 Released: Thu Sep 18 13:05:51 2025 Summary: Security update for curl Type: security Severity: important References: 1246197,1249191,1249348,1249367,CVE-2025-10148,CVE-2025-9086 This update for curl fixes the following issues: Security issues fixed: - CVE-2025-9086: bug in patch comparison logic when processing cookies can lead to out-of-bounds read in heap buffer (bsc#1249191). - CVE-2025-10148: predictable websocket mask can lead to proxy cache poisoning by malicious server (bsc#1249348). Other issues fixed: - Fix the --ftp-pasv option in curl v8.14.1 (bsc#1246197). * tool_getparam: fix --ftp-pasv [5f805ee] - Update to version 8.14.1 (jsc#PED-13055, jsc#PED-13056). * TLS: add CURLOPT_SSL_SIGNATURE_ALGORITHMS and --sigalgs. * websocket: add option to disable auto-pong reply. * huge number of bugfixes. Please see https://curl.se/ch/ for full changelogs. ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:3268-1 Released: Thu Sep 18 13:08:10 2025 Summary: Security update for curl Type: security Severity: important References: 1246197,1249191,1249348,1249367,CVE-2025-10148,CVE-2025-9086 This update for curl fixes the following issues: Security issues fixed: - CVE-2025-9086: bug in patch comparison logic when processing cookies can lead to out-of-bounds read in heap buffer (bsc#1249191). - CVE-2025-10148: predictable websocket mask can lead to proxy cache poisoning by malicious server (bsc#1249348). Other issues fixed: - Fix the --ftp-pasv option in curl v8.14.1 (bsc#1246197). * tool_getparam: fix --ftp-pasv [5f805ee] - Update to version 8.14.1 (jsc#PED-13055, jsc#PED-13056). * TLS: add CURLOPT_SSL_SIGNATURE_ALGORITHMS and --sigalgs. * websocket: add option to disable auto-pong reply. * huge number of bugfixes. Please see https://curl.se/ch/ for full changelogs. 
The following package changes have been done: - container-suseconnect-2.5.5-150000.4.71.1 updated - curl-8.14.1-150400.5.69.1 updated - libbrotlicommon1-1.0.7-150200.3.5.1 updated - libbrotlidec1-1.0.7-150200.3.5.1 updated - libcurl4-8.14.1-150400.5.69.1 updated From sle-container-updates at lists.suse.com Fri Sep 19 12:25:29 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Fri, 19 Sep 2025 14:25:29 +0200 (CEST) Subject: SUSE-CU-2025:6945-1: Security update of suse/sle-micro/5.4/toolbox Message-ID: <20250919122529.D533CF783@maintenance.suse.de> SUSE Container Update Advisory: suse/sle-micro/5.4/toolbox ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:6945-1 Container Tags : suse/sle-micro/5.4/toolbox:14.2 , suse/sle-micro/5.4/toolbox:14.2-5.19.182 , suse/sle-micro/5.4/toolbox:latest Container Release : 5.19.182 Severity : important Type : security References : 1246197 1246197 1249191 1249191 1249348 1249348 1249367 1249367 CVE-2025-10148 CVE-2025-10148 CVE-2025-9086 CVE-2025-9086 ----------------------------------------------------------------- The container suse/sle-micro/5.4/toolbox was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:3265-1 Released: Thu Sep 18 12:34:39 2025 Summary: Recommended update for container-suseconnect Type: recommended Severity: moderate References: This update of container-suseconnect rebuilds it against current go1.25. 
----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:3267-1 Released: Thu Sep 18 13:05:51 2025 Summary: Security update for curl Type: security Severity: important References: 1246197,1249191,1249348,1249367,CVE-2025-10148,CVE-2025-9086 This update for curl fixes the following issues: Security issues fixed: - CVE-2025-9086: bug in patch comparison logic when processing cookies can lead to out-of-bounds read in heap buffer (bsc#1249191). - CVE-2025-10148: predictable websocket mask can lead to proxy cache poisoning by malicious server (bsc#1249348). Other issues fixed: - Fix the --ftp-pasv option in curl v8.14.1 (bsc#1246197). * tool_getparam: fix --ftp-pasv [5f805ee] - Update to version 8.14.1 (jsc#PED-13055, jsc#PED-13056). * TLS: add CURLOPT_SSL_SIGNATURE_ALGORITHMS and --sigalgs. * websocket: add option to disable auto-pong reply. * huge number of bugfixes. Please see https://curl.se/ch/ for full changelogs. ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:3268-1 Released: Thu Sep 18 13:08:10 2025 Summary: Security update for curl Type: security Severity: important References: 1246197,1249191,1249348,1249367,CVE-2025-10148,CVE-2025-9086 This update for curl fixes the following issues: Security issues fixed: - CVE-2025-9086: bug in patch comparison logic when processing cookies can lead to out-of-bounds read in heap buffer (bsc#1249191). - CVE-2025-10148: predictable websocket mask can lead to proxy cache poisoning by malicious server (bsc#1249348). Other issues fixed: - Fix the --ftp-pasv option in curl v8.14.1 (bsc#1246197). * tool_getparam: fix --ftp-pasv [5f805ee] - Update to version 8.14.1 (jsc#PED-13055, jsc#PED-13056). * TLS: add CURLOPT_SSL_SIGNATURE_ALGORITHMS and --sigalgs. * websocket: add option to disable auto-pong reply. * huge number of bugfixes. Please see https://curl.se/ch/ for full changelogs. 
The following package changes have been done: - container-suseconnect-2.5.5-150000.4.71.1 updated - curl-8.14.1-150400.5.69.1 updated - libbrotlicommon1-1.0.7-150200.3.5.1 updated - libbrotlidec1-1.0.7-150200.3.5.1 updated - libcurl4-8.14.1-150400.5.69.1 updated From sle-container-updates at lists.suse.com Fri Sep 19 12:27:27 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Fri, 19 Sep 2025 14:27:27 +0200 (CEST) Subject: SUSE-CU-2025:6946-1: Security update of suse/sle-micro/5.5/toolbox Message-ID: <20250919122727.1EFE5F783@maintenance.suse.de> SUSE Container Update Advisory: suse/sle-micro/5.5/toolbox ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:6946-1 Container Tags : suse/sle-micro/5.5/toolbox:14.2 , suse/sle-micro/5.5/toolbox:14.2-3.12.89 , suse/sle-micro/5.5/toolbox:latest Container Release : 3.12.89 Severity : important Type : security References : 1241219 1246197 1246197 1249191 1249191 1249348 1249348 1249367 1249367 CVE-2025-10148 CVE-2025-10148 CVE-2025-3576 CVE-2025-9086 CVE-2025-9086 ----------------------------------------------------------------- The container suse/sle-micro/5.5/toolbox was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:3265-1 Released: Thu Sep 18 12:34:39 2025 Summary: Recommended update for container-suseconnect Type: recommended Severity: moderate References: This update of container-suseconnect rebuilds it against current go1.25. 
----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:3267-1 Released: Thu Sep 18 13:05:51 2025 Summary: Security update for curl Type: security Severity: important References: 1246197,1249191,1249348,1249367,CVE-2025-10148,CVE-2025-9086 This update for curl fixes the following issues: Security issues fixed: - CVE-2025-9086: bug in patch comparison logic when processing cookies can lead to out-of-bounds read in heap buffer (bsc#1249191). - CVE-2025-10148: predictable websocket mask can lead to proxy cache poisoning by malicious server (bsc#1249348). Other issues fixed: - Fix the --ftp-pasv option in curl v8.14.1 (bsc#1246197). * tool_getparam: fix --ftp-pasv [5f805ee] - Update to version 8.14.1 (jsc#PED-13055, jsc#PED-13056). * TLS: add CURLOPT_SSL_SIGNATURE_ALGORITHMS and --sigalgs. * websocket: add option to disable auto-pong reply. * huge number of bugfixes. Please see https://curl.se/ch/ for full changelogs. ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:3268-1 Released: Thu Sep 18 13:08:10 2025 Summary: Security update for curl Type: security Severity: important References: 1246197,1249191,1249348,1249367,CVE-2025-10148,CVE-2025-9086 This update for curl fixes the following issues: Security issues fixed: - CVE-2025-9086: bug in patch comparison logic when processing cookies can lead to out-of-bounds read in heap buffer (bsc#1249191). - CVE-2025-10148: predictable websocket mask can lead to proxy cache poisoning by malicious server (bsc#1249348). Other issues fixed: - Fix the --ftp-pasv option in curl v8.14.1 (bsc#1246197). * tool_getparam: fix --ftp-pasv [5f805ee] - Update to version 8.14.1 (jsc#PED-13055, jsc#PED-13056). * TLS: add CURLOPT_SSL_SIGNATURE_ALGORITHMS and --sigalgs. * websocket: add option to disable auto-pong reply. * huge number of bugfixes. Please see https://curl.se/ch/ for full changelogs. 
----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:3270-1 Released: Thu Sep 18 13:18:05 2025 Summary: Security update for krb5 Type: security Severity: moderate References: 1241219,CVE-2025-3576 This update for krb5 fixes the following issues: - CVE-2025-3576: weakness in the MD5 checksum design allows for spoofing of GSSAPI-protected messages that are using RC4-HMAC-MD5 (bsc#1241219). Krb5, as a very old protocol, supported quite a number of ciphers that are no longer up to current cryptographic standards. To avoid problems with those, SUSE has by default now disabled those algorithms. The following algorithms have been removed from valid krb5 enctypes: - des3-cbc-sha1 - arcfour-hmac-md5 To reenable those algorithms, you can use allow options in krb5.conf: [libdefaults] allow_des3 = true allow_rc4 = true to reenable them. The following package changes have been done: - container-suseconnect-2.5.5-150000.4.71.1 updated - curl-8.14.1-150400.5.69.1 updated - krb5-1.20.1-150500.3.17.1 updated - libbrotlicommon1-1.0.7-150200.3.5.1 updated - libbrotlidec1-1.0.7-150200.3.5.1 updated - libcurl4-8.14.1-150400.5.69.1 updated From sle-container-updates at lists.suse.com Fri Sep 19 12:33:28 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Fri, 19 Sep 2025 14:33:28 +0200 (CEST) Subject: SUSE-CU-2025:6947-1: Security update of suse/sle15 Message-ID: <20250919123328.2BE76F783@maintenance.suse.de> SUSE Container Update Advisory: suse/sle15 ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:6947-1 Container Tags : bci/bci-base:15.6 , bci/bci-base:15.6.47.23.31 , suse/sle15:15.6 , suse/sle15:15.6.47.23.31 Container Release : 47.23.31 Severity : important Type : security References : 1246197 1249191 1249348 1249367 CVE-2025-10148 CVE-2025-9086 ----------------------------------------------------------------- The container suse/sle15 was updated.
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:3265-1 Released: Thu Sep 18 12:34:39 2025 Summary: Recommended update for container-suseconnect Type: recommended Severity: moderate References: This update of container-suseconnect rebuilds it against current go1.25. ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:3268-1 Released: Thu Sep 18 13:08:10 2025 Summary: Security update for curl Type: security Severity: important References: 1246197,1249191,1249348,1249367,CVE-2025-10148,CVE-2025-9086 This update for curl fixes the following issues: Security issues fixed: - CVE-2025-9086: bug in patch comparison logic when processing cookies can lead to out-of-bounds read in heap buffer (bsc#1249191). - CVE-2025-10148: predictable websocket mask can lead to proxy cache poisoning by malicious server (bsc#1249348). Other issues fixed: - Fix the --ftp-pasv option in curl v8.14.1 (bsc#1246197). * tool_getparam: fix --ftp-pasv [5f805ee] - Update to version 8.14.1 (jsc#PED-13055, jsc#PED-13056). * TLS: add CURLOPT_SSL_SIGNATURE_ALGORITHMS and --sigalgs. * websocket: add option to disable auto-pong reply. * huge number of bugfixes. Please see https://curl.se/ch/ for full changelogs. 
The following package changes have been done: - container-suseconnect-2.5.5-150000.4.71.1 updated - libbrotlicommon1-1.0.7-150200.3.5.1 updated - libbrotlidec1-1.0.7-150200.3.5.1 updated From sle-container-updates at lists.suse.com Fri Sep 19 12:35:06 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Fri, 19 Sep 2025 14:35:06 +0200 (CEST) Subject: SUSE-CU-2025:6948-1: Security update of bci/spack Message-ID: <20250919123506.A5741F783@maintenance.suse.de> SUSE Container Update Advisory: bci/spack ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:6948-1 Container Tags : bci/spack:0.23 , bci/spack:0.23.1 , bci/spack:0.23.1-11.57 Container Release : 11.57 Severity : important Type : security References : 1246197 1249191 1249348 1249367 CVE-2025-10148 CVE-2025-9086 ----------------------------------------------------------------- The container bci/spack was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:3268-1 Released: Thu Sep 18 13:08:10 2025 Summary: Security update for curl Type: security Severity: important References: 1246197,1249191,1249348,1249367,CVE-2025-10148,CVE-2025-9086 This update for curl fixes the following issues: Security issues fixed: - CVE-2025-9086: bug in patch comparison logic when processing cookies can lead to out-of-bounds read in heap buffer (bsc#1249191). - CVE-2025-10148: predictable websocket mask can lead to proxy cache poisoning by malicious server (bsc#1249348). Other issues fixed: - Fix the --ftp-pasv option in curl v8.14.1 (bsc#1246197). * tool_getparam: fix --ftp-pasv [5f805ee] - Update to version 8.14.1 (jsc#PED-13055, jsc#PED-13056). * TLS: add CURLOPT_SSL_SIGNATURE_ALGORITHMS and --sigalgs. * websocket: add option to disable auto-pong reply. * huge number of bugfixes. Please see https://curl.se/ch/ for full changelogs. 
The following package changes have been done: - libbrotlienc1-1.0.7-150200.3.5.1 updated - libbrotlicommon1-1.0.7-150200.3.5.1 updated - libbrotlidec1-1.0.7-150200.3.5.1 updated - libbrotli-devel-1.0.7-150200.3.5.1 updated - container:registry.suse.com-bci-bci-base-15.6-d13d6758550c72c08b54298b7fb20e8d426127b4692f4b115373e2175184ada8-0 updated From sle-container-updates at lists.suse.com Fri Sep 19 12:35:22 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Fri, 19 Sep 2025 14:35:22 +0200 (CEST) Subject: SUSE-CU-2025:6949-1: Security update of suse/samba-server Message-ID: <20250919123522.A0851F783@maintenance.suse.de> SUSE Container Update Advisory: suse/samba-server ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:6949-1 Container Tags : suse/samba-server:4.21 , suse/samba-server:4.21 , suse/samba-server:4.21-64.27 , suse/samba-server:latest Container Release : 64.27 Severity : important Type : security References : 1230932 1246533 1249049 1249128 CVE-2024-47175 CVE-2025-58060 CVE-2025-58364 ----------------------------------------------------------------- The container suse/samba-server was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:3261-1 Released: Thu Sep 18 06:35:19 2025 Summary: Security update for cups Type: security Severity: important References: 1230932,1246533,1249049,1249128,CVE-2024-47175,CVE-2025-58060,CVE-2025-58364 This update for cups fixes the following issues: - CVE-2024-47175: no validation of IPP attributes in `ppdCreatePPDFromIPP2` when writing to a temporary PPD file allows for the injection of attacker-controlled data to the resulting PPD (bsc#1230932). - CVE-2025-58060: no password check when `AuthType` is set to anything but `Basic` and a request is made with an `Authorization: Basic` header (bsc#1249049). 
- CVE-2025-58364: unsafe deserialization and validation of printer attributes leads to NULL pointer dereference (bsc#1249128). The following package changes have been done: - cups-config-2.2.7-150000.3.72.1 updated - libcups2-2.2.7-150000.3.72.1 updated From sle-container-updates at lists.suse.com Fri Sep 19 12:35:39 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Fri, 19 Sep 2025 14:35:39 +0200 (CEST) Subject: SUSE-CU-2025:6950-1: Security update of suse/sle15 Message-ID: <20250919123539.41FB4F783@maintenance.suse.de> SUSE Container Update Advisory: suse/sle15 ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:6950-1 Container Tags : bci/bci-base:15.7 , bci/bci-base:15.7-5.8.32 , bci/bci-base:latest , suse/sle15:15.7 , suse/sle15:15.7-5.8.32 , suse/sle15:latest Container Release : 5.8.32 Severity : important Type : security References : 1246197 1249191 1249348 1249367 CVE-2025-10148 CVE-2025-9086 ----------------------------------------------------------------- The container suse/sle15 was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:3265-1 Released: Thu Sep 18 12:34:39 2025 Summary: Recommended update for container-suseconnect Type: recommended Severity: moderate References: This update of container-suseconnect rebuilds it against current go1.25. ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:3268-1 Released: Thu Sep 18 13:08:10 2025 Summary: Security update for curl Type: security Severity: important References: 1246197,1249191,1249348,1249367,CVE-2025-10148,CVE-2025-9086 This update for curl fixes the following issues: Security issues fixed: - CVE-2025-9086: bug in patch comparison logic when processing cookies can lead to out-of-bounds read in heap buffer (bsc#1249191). 
- CVE-2025-10148: predictable websocket mask can lead to proxy cache poisoning by malicious server (bsc#1249348). Other issues fixed: - Fix the --ftp-pasv option in curl v8.14.1 (bsc#1246197). * tool_getparam: fix --ftp-pasv [5f805ee] - Update to version 8.14.1 (jsc#PED-13055, jsc#PED-13056). * TLS: add CURLOPT_SSL_SIGNATURE_ALGORITHMS and --sigalgs. * websocket: add option to disable auto-pong reply. * huge number of bugfixes. Please see https://curl.se/ch/ for full changelogs. The following package changes have been done: - container-suseconnect-2.5.5-150000.4.71.1 updated - libbrotlicommon1-1.0.7-150200.3.5.1 updated - libbrotlidec1-1.0.7-150200.3.5.1 updated From sle-container-updates at lists.suse.com Fri Sep 19 12:36:06 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Fri, 19 Sep 2025 14:36:06 +0200 (CEST) Subject: SUSE-CU-2025:6951-1: Security update of bci/spack Message-ID: <20250919123606.76D75F783@maintenance.suse.de> SUSE Container Update Advisory: bci/spack ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:6951-1 Container Tags : bci/spack:0.23 , bci/spack:0.23.1 , bci/spack:0.23.1-15.25 , bci/spack:latest Container Release : 15.25 Severity : important Type : security References : 1246197 1249191 1249348 1249367 CVE-2025-10148 CVE-2025-9086 ----------------------------------------------------------------- The container bci/spack was updated. 
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:3268-1 Released: Thu Sep 18 13:08:10 2025 Summary: Security update for curl Type: security Severity: important References: 1246197,1249191,1249348,1249367,CVE-2025-10148,CVE-2025-9086 This update for curl fixes the following issues: Security issues fixed: - CVE-2025-9086: bug in patch comparison logic when processing cookies can lead to out-of-bounds read in heap buffer (bsc#1249191). - CVE-2025-10148: predictable websocket mask can lead to proxy cache poisoning by malicious server (bsc#1249348). Other issues fixed: - Fix the --ftp-pasv option in curl v8.14.1 (bsc#1246197). * tool_getparam: fix --ftp-pasv [5f805ee] - Update to version 8.14.1 (jsc#PED-13055, jsc#PED-13056). * TLS: add CURLOPT_SSL_SIGNATURE_ALGORITHMS and --sigalgs. * websocket: add option to disable auto-pong reply. * huge number of bugfixes. Please see https://curl.se/ch/ for full changelogs. 
The following package changes have been done: - libbrotlienc1-1.0.7-150200.3.5.1 updated - libbrotlicommon1-1.0.7-150200.3.5.1 updated - libbrotlidec1-1.0.7-150200.3.5.1 updated - libbrotli-devel-1.0.7-150200.3.5.1 updated From sle-container-updates at lists.suse.com Fri Sep 19 12:39:06 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Fri, 19 Sep 2025 14:39:06 +0200 (CEST) Subject: SUSE-CU-2025:6953-1: Security update of suse/sle-micro/5.1/toolbox Message-ID: <20250919123906.07040F782@maintenance.suse.de> SUSE Container Update Advisory: suse/sle-micro/5.1/toolbox ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:6953-1 Container Tags : suse/sle-micro/5.1/toolbox:14.2 , suse/sle-micro/5.1/toolbox:14.2-3.13.172 , suse/sle-micro/5.1/toolbox:latest Container Release : 3.13.172 Severity : important Type : security References : 1175825 1246197 1249191 1249348 1249367 CVE-2020-8927 CVE-2025-10148 CVE-2025-9086 ----------------------------------------------------------------- The container suse/sle-micro/5.1/toolbox was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2021:3942-1 Released: Mon Dec 6 14:46:05 2021 Summary: Security update for brotli Type: security Severity: moderate References: 1175825,CVE-2020-8927 This update for brotli fixes the following issues: - CVE-2020-8927: Fixed integer overflow when input chunk is larger than 2GiB (bsc#1175825). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:3265-1 Released: Thu Sep 18 12:34:39 2025 Summary: Recommended update for container-suseconnect Type: recommended Severity: moderate References: This update of container-suseconnect rebuilds it against current go1.25. 
----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:3268-1 Released: Thu Sep 18 13:08:10 2025 Summary: Security update for curl Type: security Severity: important References: 1246197,1249191,1249348,1249367,CVE-2025-10148,CVE-2025-9086 This update for curl fixes the following issues: Security issues fixed: - CVE-2025-9086: bug in patch comparison logic when processing cookies can lead to out-of-bounds read in heap buffer (bsc#1249191). - CVE-2025-10148: predictable websocket mask can lead to proxy cache poisoning by malicious server (bsc#1249348). Other issues fixed: - Fix the --ftp-pasv option in curl v8.14.1 (bsc#1246197). * tool_getparam: fix --ftp-pasv [5f805ee] - Update to version 8.14.1 (jsc#PED-13055, jsc#PED-13056). * TLS: add CURLOPT_SSL_SIGNATURE_ALGORITHMS and --sigalgs. * websocket: add option to disable auto-pong reply. * huge number of bugfixes. Please see https://curl.se/ch/ for full changelogs. The following package changes have been done: - container-suseconnect-2.5.5-150000.4.71.1 updated - curl-8.14.1-150200.4.91.1 updated - libbrotlicommon1-1.0.7-150200.3.5.1 added - libbrotlidec1-1.0.7-150200.3.5.1 added - libcurl4-8.14.1-150200.4.91.1 updated From sle-container-updates at lists.suse.com Fri Sep 19 12:41:31 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Fri, 19 Sep 2025 14:41:31 +0200 (CEST) Subject: SUSE-CU-2025:6954-1: Security update of suse/sle-micro/5.2/toolbox Message-ID: <20250919124131.DA310F782@maintenance.suse.de> SUSE Container Update Advisory: suse/sle-micro/5.2/toolbox ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:6954-1 Container Tags : suse/sle-micro/5.2/toolbox:14.2 , suse/sle-micro/5.2/toolbox:14.2-7.11.174 , suse/sle-micro/5.2/toolbox:latest Container Release : 7.11.174 Severity : important Type : security References : 1175825 1246197 1249191 1249348 1249367 CVE-2020-8927 
CVE-2025-10148 CVE-2025-9086 ----------------------------------------------------------------- The container suse/sle-micro/5.2/toolbox was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2021:3942-1 Released: Mon Dec 6 14:46:05 2021 Summary: Security update for brotli Type: security Severity: moderate References: 1175825,CVE-2020-8927 This update for brotli fixes the following issues: - CVE-2020-8927: Fixed integer overflow when input chunk is larger than 2GiB (bsc#1175825). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:3265-1 Released: Thu Sep 18 12:34:39 2025 Summary: Recommended update for container-suseconnect Type: recommended Severity: moderate References: This update of container-suseconnect rebuilds it against current go1.25. ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:3268-1 Released: Thu Sep 18 13:08:10 2025 Summary: Security update for curl Type: security Severity: important References: 1246197,1249191,1249348,1249367,CVE-2025-10148,CVE-2025-9086 This update for curl fixes the following issues: Security issues fixed: - CVE-2025-9086: bug in patch comparison logic when processing cookies can lead to out-of-bounds read in heap buffer (bsc#1249191). - CVE-2025-10148: predictable websocket mask can lead to proxy cache poisoning by malicious server (bsc#1249348). Other issues fixed: - Fix the --ftp-pasv option in curl v8.14.1 (bsc#1246197). * tool_getparam: fix --ftp-pasv [5f805ee] - Update to version 8.14.1 (jsc#PED-13055, jsc#PED-13056). * TLS: add CURLOPT_SSL_SIGNATURE_ALGORITHMS and --sigalgs. * websocket: add option to disable auto-pong reply. * huge number of bugfixes. Please see https://curl.se/ch/ for full changelogs. 
The following package changes have been done: - container-suseconnect-2.5.5-150000.4.71.1 updated - curl-8.14.1-150200.4.91.1 updated - libbrotlicommon1-1.0.7-150200.3.5.1 added - libbrotlidec1-1.0.7-150200.3.5.1 added - libcurl4-8.14.1-150200.4.91.1 updated From sle-container-updates at lists.suse.com Sat Sep 20 07:09:39 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Sat, 20 Sep 2025 09:09:39 +0200 (CEST) Subject: SUSE-CU-2025:6957-1: Security update of bci/nodejs Message-ID: <20250920070939.BB6FAF783@maintenance.suse.de> SUSE Container Update Advisory: bci/nodejs ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:6957-1 Container Tags : bci/node:20 , bci/node:20.19.2 , bci/node:20.19.2-55.30 , bci/nodejs:20 , bci/nodejs:20.19.2 , bci/nodejs:20.19.2-55.30 Container Release : 55.30 Severity : important Type : security References : 1246197 1249191 1249348 1249367 CVE-2025-10148 CVE-2025-9086 ----------------------------------------------------------------- The container bci/nodejs was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:3268-1 Released: Thu Sep 18 13:08:10 2025 Summary: Security update for curl Type: security Severity: important References: 1246197,1249191,1249348,1249367,CVE-2025-10148,CVE-2025-9086 This update for curl fixes the following issues: Security issues fixed: - CVE-2025-9086: bug in patch comparison logic when processing cookies can lead to out-of-bounds read in heap buffer (bsc#1249191). - CVE-2025-10148: predictable websocket mask can lead to proxy cache poisoning by malicious server (bsc#1249348). Other issues fixed: - Fix the --ftp-pasv option in curl v8.14.1 (bsc#1246197). * tool_getparam: fix --ftp-pasv [5f805ee] - Update to version 8.14.1 (jsc#PED-13055, jsc#PED-13056). 
* TLS: add CURLOPT_SSL_SIGNATURE_ALGORITHMS and --sigalgs. * websocket: add option to disable auto-pong reply. * huge number of bugfixes. Please see https://curl.se/ch/ for full changelogs. The following package changes have been done: - libbrotlicommon1-1.0.7-150200.3.5.1 updated - libbrotlidec1-1.0.7-150200.3.5.1 updated - container:registry.suse.com-bci-bci-base-15.6-e3235826fda424ffcadb5c16b55bcdffc50fd00aa3bfe3d0e13a1b34be967169-0 updated From sle-container-updates at lists.suse.com Sat Sep 20 07:10:55 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Sat, 20 Sep 2025 09:10:55 +0200 (CEST) Subject: SUSE-CU-2025:6958-1: Security update of bci/python Message-ID: <20250920071055.5CD41F783@maintenance.suse.de> SUSE Container Update Advisory: bci/python ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:6958-1 Container Tags : bci/python:3 , bci/python:3.12 , bci/python:3.12.11 , bci/python:3.12.11-72.29 Container Release : 72.29 Severity : important Type : security References : 1246197 1249191 1249348 1249367 CVE-2025-10148 CVE-2025-9086 ----------------------------------------------------------------- The container bci/python was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:3268-1 Released: Thu Sep 18 13:08:10 2025 Summary: Security update for curl Type: security Severity: important References: 1246197,1249191,1249348,1249367,CVE-2025-10148,CVE-2025-9086 This update for curl fixes the following issues: Security issues fixed: - CVE-2025-9086: bug in patch comparison logic when processing cookies can lead to out-of-bounds read in heap buffer (bsc#1249191). - CVE-2025-10148: predictable websocket mask can lead to proxy cache poisoning by malicious server (bsc#1249348). Other issues fixed: - Fix the --ftp-pasv option in curl v8.14.1 (bsc#1246197). 
* tool_getparam: fix --ftp-pasv [5f805ee] - Update to version 8.14.1 (jsc#PED-13055, jsc#PED-13056). * TLS: add CURLOPT_SSL_SIGNATURE_ALGORITHMS and --sigalgs. * websocket: add option to disable auto-pong reply. * huge number of bugfixes. Please see https://curl.se/ch/ for full changelogs. The following package changes have been done: - libbrotlicommon1-1.0.7-150200.3.5.1 updated - libbrotlidec1-1.0.7-150200.3.5.1 updated - container:registry.suse.com-bci-bci-base-15.6-e3235826fda424ffcadb5c16b55bcdffc50fd00aa3bfe3d0e13a1b34be967169-0 updated From sle-container-updates at lists.suse.com Sat Sep 20 07:11:33 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Sat, 20 Sep 2025 09:11:33 +0200 (CEST) Subject: SUSE-CU-2025:6959-1: Security update of suse/mariadb-client Message-ID: <20250920071133.ED65AF783@maintenance.suse.de> SUSE Container Update Advisory: suse/mariadb-client ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:6959-1 Container Tags : suse/mariadb-client:10.11 , suse/mariadb-client:10.11.14 , suse/mariadb-client:10.11.14-63.28 Container Release : 63.28 Severity : moderate Type : security References : 1239150 1239151 1249212 1249213 1249219 CVE-2023-52969 CVE-2023-52970 CVE-2023-52971 CVE-2025-30693 CVE-2025-30722 ----------------------------------------------------------------- The container suse/mariadb-client was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:3275-1 Released: Fri Sep 19 14:16:06 2025 Summary: Security update for mariadb Type: security Severity: moderate References: 1239150,1239151,1249212,1249213,1249219,CVE-2023-52969,CVE-2023-52970,CVE-2023-52971,CVE-2025-30693,CVE-2025-30722 This update for mariadb fixes the following issues: Update to version 10.11.14. 
Security issues fixed: - CVE-2025-30693: InnoDB issue allows high privileged attacker with network access to gain unauthorized update, insert or delete access to data and cause repeatable crash in MySQL server (bsc#1249213). - CVE-2025-30722: mysqldump issue allows low privileged attacker with network access to gain unauthorized update, insert or delete access to data in MySQL Client (bsc#1249212). - CVE-2023-52969: crash with empty backtrace log in MariaDB Server (bsc#1239150). - CVE-2023-52970: crash in MariaDB Server when inserting from derived table containing insert target table (bsc#1239151). - CVE-2023-52971: crash in the optimizer of MariaDB Server when processing certain queries with subqueries (bsc#1249219). Release notes and changelog: - https://mariadb.com/docs/release-notes/community-server/mariadb-10-11-series/mariadb-10.11.14-release-notes - https://mariadb.com/docs/release-notes/community-server/changelogs/changelogs-mariadb-10-11-series/mariadb-10.11.14-changelog - https://mariadb.com/kb/en/mariadb-10-11-13-release-notes/ - https://mariadb.com/kb/en/mariadb-10-11-13-changelog/ - https://mariadb.com/kb/en/mariadb-10-11-12-release-notes/ - https://mariadb.com/kb/en/mariadb-10-11-12-changelog/ The following package changes have been done: - mariadb-errormessages-10.11.14-150600.4.14.1 updated - mariadb-client-10.11.14-150600.4.14.1 updated - container:suse-sle15-15.6-e3235826fda424ffcadb5c16b55bcdffc50fd00aa3bfe3d0e13a1b34be967169-0 updated From sle-container-updates at lists.suse.com Sat Sep 20 07:14:29 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Sat, 20 Sep 2025 09:14:29 +0200 (CEST) Subject: SUSE-CU-2025:6960-1: Security update of bci/bci-sle15-kernel-module-devel Message-ID: <20250920071430.0036BF782@maintenance.suse.de> SUSE Container Update Advisory: bci/bci-sle15-kernel-module-devel ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:6960-1 
Container Tags : bci/bci-sle15-kernel-module-devel:15.6 , bci/bci-sle15-kernel-module-devel:15.6.47.19 Container Release : 47.19 Severity : important Type : security References : 1246197 1249191 1249348 1249367 CVE-2025-10148 CVE-2025-9086 ----------------------------------------------------------------- The container bci/bci-sle15-kernel-module-devel was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:3268-1 Released: Thu Sep 18 13:08:10 2025 Summary: Security update for curl Type: security Severity: important References: 1246197,1249191,1249348,1249367,CVE-2025-10148,CVE-2025-9086 This update for curl fixes the following issues: Security issues fixed: - CVE-2025-9086: bug in patch comparison logic when processing cookies can lead to out-of-bounds read in heap buffer (bsc#1249191). - CVE-2025-10148: predictable websocket mask can lead to proxy cache poisoning by malicious server (bsc#1249348). Other issues fixed: - Fix the --ftp-pasv option in curl v8.14.1 (bsc#1246197). * tool_getparam: fix --ftp-pasv [5f805ee] - Update to version 8.14.1 (jsc#PED-13055, jsc#PED-13056). * TLS: add CURLOPT_SSL_SIGNATURE_ALGORITHMS and --sigalgs. * websocket: add option to disable auto-pong reply. * huge number of bugfixes. Please see https://curl.se/ch/ for full changelogs. 
The following package changes have been done: - libbrotlicommon1-1.0.7-150200.3.5.1 updated - libbrotlidec1-1.0.7-150200.3.5.1 updated - container:registry.suse.com-bci-bci-base-15.6-e3235826fda424ffcadb5c16b55bcdffc50fd00aa3bfe3d0e13a1b34be967169-0 updated From sle-container-updates at lists.suse.com Sat Sep 20 07:17:45 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Sat, 20 Sep 2025 09:17:45 +0200 (CEST) Subject: SUSE-CU-2025:6970-1: Security update of bci/gcc Message-ID: <20250920071745.E3FB3F782@maintenance.suse.de> SUSE Container Update Advisory: bci/gcc ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:6970-1 Container Tags : bci/gcc:14 , bci/gcc:14.3 , bci/gcc:14.3-11.26 , bci/gcc:latest Container Release : 11.26 Severity : important Type : security References : 1246197 1249191 1249348 1249367 CVE-2025-10148 CVE-2025-9086 ----------------------------------------------------------------- The container bci/gcc was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:3268-1 Released: Thu Sep 18 13:08:10 2025 Summary: Security update for curl Type: security Severity: important References: 1246197,1249191,1249348,1249367,CVE-2025-10148,CVE-2025-9086 This update for curl fixes the following issues: Security issues fixed: - CVE-2025-9086: bug in patch comparison logic when processing cookies can lead to out-of-bounds read in heap buffer (bsc#1249191). - CVE-2025-10148: predictable websocket mask can lead to proxy cache poisoning by malicious server (bsc#1249348). Other issues fixed: - Fix the --ftp-pasv option in curl v8.14.1 (bsc#1246197). * tool_getparam: fix --ftp-pasv [5f805ee] - Update to version 8.14.1 (jsc#PED-13055, jsc#PED-13056). * TLS: add CURLOPT_SSL_SIGNATURE_ALGORITHMS and --sigalgs. * websocket: add option to disable auto-pong reply. 
* huge number of bugfixes. Please see https://curl.se/ch/ for full changelogs. The following package changes have been done: - libbrotlicommon1-1.0.7-150200.3.5.1 updated - libbrotlidec1-1.0.7-150200.3.5.1 updated - container:registry.suse.com-bci-bci-base-15.7-58f9c044bea87805cae0e4122c7157699ff07944d120923c8f92ba4d9a128a2a-0 updated From sle-container-updates at lists.suse.com Sat Sep 20 07:18:00 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Sat, 20 Sep 2025 09:18:00 +0200 (CEST) Subject: SUSE-CU-2025:6971-1: Security update of bci/golang Message-ID: <20250920071800.4ECA6F782@maintenance.suse.de> SUSE Container Update Advisory: bci/golang ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:6971-1 Container Tags : bci/golang:1.24-openssl , bci/golang:1.24.6-openssl , bci/golang:1.24.6-openssl-74.7 , bci/golang:oldstable-openssl , bci/golang:oldstable-openssl-74.7 Container Release : 74.7 Severity : important Type : security References : 1246197 1249191 1249348 1249367 CVE-2025-10148 CVE-2025-9086 ----------------------------------------------------------------- The container bci/golang was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:3268-1 Released: Thu Sep 18 13:08:10 2025 Summary: Security update for curl Type: security Severity: important References: 1246197,1249191,1249348,1249367,CVE-2025-10148,CVE-2025-9086 This update for curl fixes the following issues: Security issues fixed: - CVE-2025-9086: bug in path comparison logic when processing cookies can lead to out-of-bounds read in heap buffer (bsc#1249191). - CVE-2025-10148: predictable websocket mask can lead to proxy cache poisoning by malicious server (bsc#1249348). Other issues fixed: - Fix the --ftp-pasv option in curl v8.14.1 (bsc#1246197). 
* tool_getparam: fix --ftp-pasv [5f805ee] - Update to version 8.14.1 (jsc#PED-13055, jsc#PED-13056). * TLS: add CURLOPT_SSL_SIGNATURE_ALGORITHMS and --sigalgs. * websocket: add option to disable auto-pong reply. * huge number of bugfixes. Please see https://curl.se/ch/ for full changelogs. The following package changes have been done: - libbrotlicommon1-1.0.7-150200.3.5.1 updated - libbrotlidec1-1.0.7-150200.3.5.1 updated - container:registry.suse.com-bci-bci-base-15.7-58f9c044bea87805cae0e4122c7157699ff07944d120923c8f92ba4d9a128a2a-0 updated From sle-container-updates at lists.suse.com Sat Sep 20 07:18:45 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Sat, 20 Sep 2025 09:18:45 +0200 (CEST) Subject: SUSE-CU-2025:6974-1: Security update of bci/kiwi Message-ID: <20250920071845.440DBF782@maintenance.suse.de> SUSE Container Update Advisory: bci/kiwi ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:6974-1 Container Tags : bci/kiwi:9 , bci/kiwi:9.24 , bci/kiwi:9.24.43 , bci/kiwi:9.24.43-18.37 , bci/kiwi:latest Container Release : 18.37 Severity : important Type : security References : 1246197 1249191 1249348 1249367 CVE-2025-10148 CVE-2025-9086 ----------------------------------------------------------------- The container bci/kiwi was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:3268-1 Released: Thu Sep 18 13:08:10 2025 Summary: Security update for curl Type: security Severity: important References: 1246197,1249191,1249348,1249367,CVE-2025-10148,CVE-2025-9086 This update for curl fixes the following issues: Security issues fixed: - CVE-2025-9086: bug in path comparison logic when processing cookies can lead to out-of-bounds read in heap buffer (bsc#1249191). 
- CVE-2025-10148: predictable websocket mask can lead to proxy cache poisoning by malicious server (bsc#1249348). Other issues fixed: - Fix the --ftp-pasv option in curl v8.14.1 (bsc#1246197). * tool_getparam: fix --ftp-pasv [5f805ee] - Update to version 8.14.1 (jsc#PED-13055, jsc#PED-13056). * TLS: add CURLOPT_SSL_SIGNATURE_ALGORITHMS and --sigalgs. * websocket: add option to disable auto-pong reply. * huge number of bugfixes. Please see https://curl.se/ch/ for full changelogs. The following package changes have been done: - libbrotlicommon1-1.0.7-150200.3.5.1 updated - libbrotlidec1-1.0.7-150200.3.5.1 updated - container:registry.suse.com-bci-bci-base-15.7-58f9c044bea87805cae0e4122c7157699ff07944d120923c8f92ba4d9a128a2a-0 updated From sle-container-updates at lists.suse.com Sat Sep 20 07:18:58 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Sat, 20 Sep 2025 09:18:58 +0200 (CEST) Subject: SUSE-CU-2025:6975-1: Security update of suse/nginx Message-ID: <20250920071858.596F8F782@maintenance.suse.de> SUSE Container Update Advisory: suse/nginx ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:6975-1 Container Tags : suse/nginx:1.21 , suse/nginx:1.21-62.27 , suse/nginx:latest Container Release : 62.27 Severity : important Type : security References : 1246197 1249191 1249348 1249367 CVE-2025-10148 CVE-2025-9086 ----------------------------------------------------------------- The container suse/nginx was updated. 
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:3268-1 Released: Thu Sep 18 13:08:10 2025 Summary: Security update for curl Type: security Severity: important References: 1246197,1249191,1249348,1249367,CVE-2025-10148,CVE-2025-9086 This update for curl fixes the following issues: Security issues fixed: - CVE-2025-9086: bug in path comparison logic when processing cookies can lead to out-of-bounds read in heap buffer (bsc#1249191). - CVE-2025-10148: predictable websocket mask can lead to proxy cache poisoning by malicious server (bsc#1249348). Other issues fixed: - Fix the --ftp-pasv option in curl v8.14.1 (bsc#1246197). * tool_getparam: fix --ftp-pasv [5f805ee] - Update to version 8.14.1 (jsc#PED-13055, jsc#PED-13056). * TLS: add CURLOPT_SSL_SIGNATURE_ALGORITHMS and --sigalgs. * websocket: add option to disable auto-pong reply. * huge number of bugfixes. Please see https://curl.se/ch/ for full changelogs. 
The following package changes have been done: - libbrotlicommon1-1.0.7-150200.3.5.1 updated - libbrotlidec1-1.0.7-150200.3.5.1 updated - container:registry.suse.com-bci-bci-base-15.7-58f9c044bea87805cae0e4122c7157699ff07944d120923c8f92ba4d9a128a2a-0 updated From sle-container-updates at lists.suse.com Sat Sep 20 07:19:10 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Sat, 20 Sep 2025 09:19:10 +0200 (CEST) Subject: SUSE-CU-2025:6976-1: Security update of bci/nodejs Message-ID: <20250920071910.2A153F782@maintenance.suse.de> SUSE Container Update Advisory: bci/nodejs ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:6976-1 Container Tags : bci/node:22 , bci/node:22.15.1 , bci/node:22.15.1-10.27 , bci/node:latest , bci/nodejs:22 , bci/nodejs:22.15.1 , bci/nodejs:22.15.1-10.27 , bci/nodejs:latest Container Release : 10.27 Severity : important Type : security References : 1246197 1249191 1249348 1249367 CVE-2025-10148 CVE-2025-9086 ----------------------------------------------------------------- The container bci/nodejs was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:3268-1 Released: Thu Sep 18 13:08:10 2025 Summary: Security update for curl Type: security Severity: important References: 1246197,1249191,1249348,1249367,CVE-2025-10148,CVE-2025-9086 This update for curl fixes the following issues: Security issues fixed: - CVE-2025-9086: bug in path comparison logic when processing cookies can lead to out-of-bounds read in heap buffer (bsc#1249191). - CVE-2025-10148: predictable websocket mask can lead to proxy cache poisoning by malicious server (bsc#1249348). Other issues fixed: - Fix the --ftp-pasv option in curl v8.14.1 (bsc#1246197). * tool_getparam: fix --ftp-pasv [5f805ee] - Update to version 8.14.1 (jsc#PED-13055, jsc#PED-13056). 
* TLS: add CURLOPT_SSL_SIGNATURE_ALGORITHMS and --sigalgs. * websocket: add option to disable auto-pong reply. * huge number of bugfixes. Please see https://curl.se/ch/ for full changelogs. The following package changes have been done: - libbrotlicommon1-1.0.7-150200.3.5.1 updated - libbrotlidec1-1.0.7-150200.3.5.1 updated - container:registry.suse.com-bci-bci-base-15.7-58f9c044bea87805cae0e4122c7157699ff07944d120923c8f92ba4d9a128a2a-0 updated From sle-container-updates at lists.suse.com Sat Sep 20 07:19:23 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Sat, 20 Sep 2025 09:19:23 +0200 (CEST) Subject: SUSE-CU-2025:6977-1: Security update of bci/openjdk-devel Message-ID: <20250920071923.6A3BEF782@maintenance.suse.de> SUSE Container Update Advisory: bci/openjdk-devel ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:6977-1 Container Tags : bci/openjdk-devel:17 , bci/openjdk-devel:17.0.16.0 , bci/openjdk-devel:17.0.16.0-8.28 Container Release : 8.28 Severity : important Type : security References : 1246197 1249191 1249348 1249367 CVE-2025-10148 CVE-2025-9086 ----------------------------------------------------------------- The container bci/openjdk-devel was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:3268-1 Released: Thu Sep 18 13:08:10 2025 Summary: Security update for curl Type: security Severity: important References: 1246197,1249191,1249348,1249367,CVE-2025-10148,CVE-2025-9086 This update for curl fixes the following issues: Security issues fixed: - CVE-2025-9086: bug in path comparison logic when processing cookies can lead to out-of-bounds read in heap buffer (bsc#1249191). - CVE-2025-10148: predictable websocket mask can lead to proxy cache poisoning by malicious server (bsc#1249348). 
Other issues fixed: - Fix the --ftp-pasv option in curl v8.14.1 (bsc#1246197). * tool_getparam: fix --ftp-pasv [5f805ee] - Update to version 8.14.1 (jsc#PED-13055, jsc#PED-13056). * TLS: add CURLOPT_SSL_SIGNATURE_ALGORITHMS and --sigalgs. * websocket: add option to disable auto-pong reply. * huge number of bugfixes. Please see https://curl.se/ch/ for full changelogs. The following package changes have been done: - libbrotlicommon1-1.0.7-150200.3.5.1 updated - libbrotlidec1-1.0.7-150200.3.5.1 updated - container:bci-openjdk-17-15.7.17-8.27 updated From sle-container-updates at lists.suse.com Sat Sep 20 07:19:36 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Sat, 20 Sep 2025 09:19:36 +0200 (CEST) Subject: SUSE-CU-2025:6978-1: Security update of bci/openjdk Message-ID: <20250920071936.DB1F1F782@maintenance.suse.de> SUSE Container Update Advisory: bci/openjdk ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:6978-1 Container Tags : bci/openjdk:17 , bci/openjdk:17.0.16.0 , bci/openjdk:17.0.16.0-8.27 Container Release : 8.27 Severity : important Type : security References : 1246197 1249191 1249348 1249367 CVE-2025-10148 CVE-2025-9086 ----------------------------------------------------------------- The container bci/openjdk was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:3268-1 Released: Thu Sep 18 13:08:10 2025 Summary: Security update for curl Type: security Severity: important References: 1246197,1249191,1249348,1249367,CVE-2025-10148,CVE-2025-9086 This update for curl fixes the following issues: Security issues fixed: - CVE-2025-9086: bug in path comparison logic when processing cookies can lead to out-of-bounds read in heap buffer (bsc#1249191). 
- CVE-2025-10148: predictable websocket mask can lead to proxy cache poisoning by malicious server (bsc#1249348). Other issues fixed: - Fix the --ftp-pasv option in curl v8.14.1 (bsc#1246197). * tool_getparam: fix --ftp-pasv [5f805ee] - Update to version 8.14.1 (jsc#PED-13055, jsc#PED-13056). * TLS: add CURLOPT_SSL_SIGNATURE_ALGORITHMS and --sigalgs. * websocket: add option to disable auto-pong reply. * huge number of bugfixes. Please see https://curl.se/ch/ for full changelogs. The following package changes have been done: - libbrotlicommon1-1.0.7-150200.3.5.1 updated - libbrotlidec1-1.0.7-150200.3.5.1 updated - container:registry.suse.com-bci-bci-base-15.7-58f9c044bea87805cae0e4122c7157699ff07944d120923c8f92ba4d9a128a2a-0 updated From sle-container-updates at lists.suse.com Sat Sep 20 07:19:49 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Sat, 20 Sep 2025 09:19:49 +0200 (CEST) Subject: SUSE-CU-2025:6979-1: Security update of bci/openjdk-devel Message-ID: <20250920071949.ECE1DF782@maintenance.suse.de> SUSE Container Update Advisory: bci/openjdk-devel ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:6979-1 Container Tags : bci/openjdk-devel:21 , bci/openjdk-devel:21.0.8.0 , bci/openjdk-devel:21.0.8.0-11.28 , bci/openjdk-devel:latest Container Release : 11.28 Severity : important Type : security References : 1246197 1249191 1249348 1249367 CVE-2025-10148 CVE-2025-9086 ----------------------------------------------------------------- The container bci/openjdk-devel was updated. 
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:3268-1 Released: Thu Sep 18 13:08:10 2025 Summary: Security update for curl Type: security Severity: important References: 1246197,1249191,1249348,1249367,CVE-2025-10148,CVE-2025-9086 This update for curl fixes the following issues: Security issues fixed: - CVE-2025-9086: bug in path comparison logic when processing cookies can lead to out-of-bounds read in heap buffer (bsc#1249191). - CVE-2025-10148: predictable websocket mask can lead to proxy cache poisoning by malicious server (bsc#1249348). Other issues fixed: - Fix the --ftp-pasv option in curl v8.14.1 (bsc#1246197). * tool_getparam: fix --ftp-pasv [5f805ee] - Update to version 8.14.1 (jsc#PED-13055, jsc#PED-13056). * TLS: add CURLOPT_SSL_SIGNATURE_ALGORITHMS and --sigalgs. * websocket: add option to disable auto-pong reply. * huge number of bugfixes. Please see https://curl.se/ch/ for full changelogs. 
The following package changes have been done: - libbrotlicommon1-1.0.7-150200.3.5.1 updated - libbrotlidec1-1.0.7-150200.3.5.1 updated - container:bci-openjdk-21-15.7.21-11.27 updated From sle-container-updates at lists.suse.com Sat Sep 20 07:20:01 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Sat, 20 Sep 2025 09:20:01 +0200 (CEST) Subject: SUSE-CU-2025:6980-1: Security update of bci/openjdk Message-ID: <20250920072001.D5D4DF782@maintenance.suse.de> SUSE Container Update Advisory: bci/openjdk ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:6980-1 Container Tags : bci/openjdk:21 , bci/openjdk:21.0.8.0 , bci/openjdk:21.0.8.0-11.27 , bci/openjdk:latest Container Release : 11.27 Severity : important Type : security References : 1246197 1249191 1249348 1249367 CVE-2025-10148 CVE-2025-9086 ----------------------------------------------------------------- The container bci/openjdk was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:3268-1 Released: Thu Sep 18 13:08:10 2025 Summary: Security update for curl Type: security Severity: important References: 1246197,1249191,1249348,1249367,CVE-2025-10148,CVE-2025-9086 This update for curl fixes the following issues: Security issues fixed: - CVE-2025-9086: bug in path comparison logic when processing cookies can lead to out-of-bounds read in heap buffer (bsc#1249191). - CVE-2025-10148: predictable websocket mask can lead to proxy cache poisoning by malicious server (bsc#1249348). Other issues fixed: - Fix the --ftp-pasv option in curl v8.14.1 (bsc#1246197). * tool_getparam: fix --ftp-pasv [5f805ee] - Update to version 8.14.1 (jsc#PED-13055, jsc#PED-13056). * TLS: add CURLOPT_SSL_SIGNATURE_ALGORITHMS and --sigalgs. * websocket: add option to disable auto-pong reply. * huge number of bugfixes. 
Please see https://curl.se/ch/ for full changelogs. The following package changes have been done: - libbrotlicommon1-1.0.7-150200.3.5.1 updated - libbrotlidec1-1.0.7-150200.3.5.1 updated - container:registry.suse.com-bci-bci-base-15.7-58f9c044bea87805cae0e4122c7157699ff07944d120923c8f92ba4d9a128a2a-0 updated From sle-container-updates at lists.suse.com Sat Sep 20 07:20:25 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Sat, 20 Sep 2025 09:20:25 +0200 (CEST) Subject: SUSE-CU-2025:6982-1: Security update of bci/php-fpm Message-ID: <20250920072025.04726F782@maintenance.suse.de> SUSE Container Update Advisory: bci/php-fpm ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:6982-1 Container Tags : bci/php-fpm:8 , bci/php-fpm:8.3.23 , bci/php-fpm:8.3.23-12.26 , bci/php-fpm:latest Container Release : 12.26 Severity : important Type : security References : 1246197 1249191 1249348 1249367 CVE-2025-10148 CVE-2025-9086 ----------------------------------------------------------------- The container bci/php-fpm was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:3268-1 Released: Thu Sep 18 13:08:10 2025 Summary: Security update for curl Type: security Severity: important References: 1246197,1249191,1249348,1249367,CVE-2025-10148,CVE-2025-9086 This update for curl fixes the following issues: Security issues fixed: - CVE-2025-9086: bug in path comparison logic when processing cookies can lead to out-of-bounds read in heap buffer (bsc#1249191). - CVE-2025-10148: predictable websocket mask can lead to proxy cache poisoning by malicious server (bsc#1249348). Other issues fixed: - Fix the --ftp-pasv option in curl v8.14.1 (bsc#1246197). * tool_getparam: fix --ftp-pasv [5f805ee] - Update to version 8.14.1 (jsc#PED-13055, jsc#PED-13056). 
* TLS: add CURLOPT_SSL_SIGNATURE_ALGORITHMS and --sigalgs. * websocket: add option to disable auto-pong reply. * huge number of bugfixes. Please see https://curl.se/ch/ for full changelogs. The following package changes have been done: - libbrotlicommon1-1.0.7-150200.3.5.1 updated - libbrotlidec1-1.0.7-150200.3.5.1 updated - container:registry.suse.com-bci-bci-base-15.7-58f9c044bea87805cae0e4122c7157699ff07944d120923c8f92ba4d9a128a2a-0 updated From sle-container-updates at lists.suse.com Sat Sep 20 07:20:38 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Sat, 20 Sep 2025 09:20:38 +0200 (CEST) Subject: SUSE-CU-2025:6983-1: Security update of bci/php Message-ID: <20250920072038.4AEEBF782@maintenance.suse.de> SUSE Container Update Advisory: bci/php ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:6983-1 Container Tags : bci/php:8 , bci/php:8.3.23 , bci/php:8.3.23-12.23 , bci/php:latest Container Release : 12.23 Severity : important Type : security References : 1246197 1249191 1249348 1249367 CVE-2025-10148 CVE-2025-9086 ----------------------------------------------------------------- The container bci/php was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:3268-1 Released: Thu Sep 18 13:08:10 2025 Summary: Security update for curl Type: security Severity: important References: 1246197,1249191,1249348,1249367,CVE-2025-10148,CVE-2025-9086 This update for curl fixes the following issues: Security issues fixed: - CVE-2025-9086: bug in path comparison logic when processing cookies can lead to out-of-bounds read in heap buffer (bsc#1249191). - CVE-2025-10148: predictable websocket mask can lead to proxy cache poisoning by malicious server (bsc#1249348). Other issues fixed: - Fix the --ftp-pasv option in curl v8.14.1 (bsc#1246197). 
* tool_getparam: fix --ftp-pasv [5f805ee] - Update to version 8.14.1 (jsc#PED-13055, jsc#PED-13056). * TLS: add CURLOPT_SSL_SIGNATURE_ALGORITHMS and --sigalgs. * websocket: add option to disable auto-pong reply. * huge number of bugfixes. Please see https://curl.se/ch/ for full changelogs. The following package changes have been done: - libbrotlicommon1-1.0.7-150200.3.5.1 updated - libbrotlidec1-1.0.7-150200.3.5.1 updated - container:registry.suse.com-bci-bci-base-15.7-58f9c044bea87805cae0e4122c7157699ff07944d120923c8f92ba4d9a128a2a-0 updated From sle-container-updates at lists.suse.com Sat Sep 20 07:20:52 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Sat, 20 Sep 2025 09:20:52 +0200 (CEST) Subject: SUSE-CU-2025:6984-1: Security update of bci/python Message-ID: <20250920072052.C21F9F782@maintenance.suse.de> SUSE Container Update Advisory: bci/python ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:6984-1 Container Tags : bci/python:3 , bci/python:3.11 , bci/python:3.11.13 , bci/python:3.11.13-74.28 Container Release : 74.28 Severity : important Type : security References : 1246197 1249191 1249348 1249367 CVE-2025-10148 CVE-2025-9086 ----------------------------------------------------------------- The container bci/python was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:3268-1 Released: Thu Sep 18 13:08:10 2025 Summary: Security update for curl Type: security Severity: important References: 1246197,1249191,1249348,1249367,CVE-2025-10148,CVE-2025-9086 This update for curl fixes the following issues: Security issues fixed: - CVE-2025-9086: bug in path comparison logic when processing cookies can lead to out-of-bounds read in heap buffer (bsc#1249191). 
- CVE-2025-10148: predictable websocket mask can lead to proxy cache poisoning by malicious server (bsc#1249348). Other issues fixed: - Fix the --ftp-pasv option in curl v8.14.1 (bsc#1246197). * tool_getparam: fix --ftp-pasv [5f805ee] - Update to version 8.14.1 (jsc#PED-13055, jsc#PED-13056). * TLS: add CURLOPT_SSL_SIGNATURE_ALGORITHMS and --sigalgs. * websocket: add option to disable auto-pong reply. * huge number of bugfixes. Please see https://curl.se/ch/ for full changelogs. The following package changes have been done: - libbrotlicommon1-1.0.7-150200.3.5.1 updated - libbrotlidec1-1.0.7-150200.3.5.1 updated - container:registry.suse.com-bci-bci-base-15.7-58f9c044bea87805cae0e4122c7157699ff07944d120923c8f92ba4d9a128a2a-0 updated From sle-container-updates at lists.suse.com Sat Sep 20 07:21:07 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Sat, 20 Sep 2025 09:21:07 +0200 (CEST) Subject: SUSE-CU-2025:6985-1: Security update of bci/python Message-ID: <20250920072107.B1D7EF782@maintenance.suse.de> SUSE Container Update Advisory: bci/python ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:6985-1 Container Tags : bci/python:3 , bci/python:3.13 , bci/python:3.13.5 , bci/python:3.13.5-76.27 , bci/python:latest Container Release : 76.27 Severity : important Type : security References : 1246197 1249191 1249348 1249367 CVE-2025-10148 CVE-2025-9086 ----------------------------------------------------------------- The container bci/python was updated. 
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:3268-1 Released: Thu Sep 18 13:08:10 2025 Summary: Security update for curl Type: security Severity: important References: 1246197,1249191,1249348,1249367,CVE-2025-10148,CVE-2025-9086 This update for curl fixes the following issues: Security issues fixed: - CVE-2025-9086: bug in path comparison logic when processing cookies can lead to out-of-bounds read in heap buffer (bsc#1249191). - CVE-2025-10148: predictable websocket mask can lead to proxy cache poisoning by malicious server (bsc#1249348). Other issues fixed: - Fix the --ftp-pasv option in curl v8.14.1 (bsc#1246197). * tool_getparam: fix --ftp-pasv [5f805ee] - Update to version 8.14.1 (jsc#PED-13055, jsc#PED-13056). * TLS: add CURLOPT_SSL_SIGNATURE_ALGORITHMS and --sigalgs. * websocket: add option to disable auto-pong reply. * huge number of bugfixes. Please see https://curl.se/ch/ for full changelogs. 
The following package changes have been done: - libbrotlicommon1-1.0.7-150200.3.5.1 updated - libbrotlidec1-1.0.7-150200.3.5.1 updated - container:registry.suse.com-bci-bci-base-15.7-58f9c044bea87805cae0e4122c7157699ff07944d120923c8f92ba4d9a128a2a-0 updated From sle-container-updates at lists.suse.com Sat Sep 20 07:21:23 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Sat, 20 Sep 2025 09:21:23 +0200 (CEST) Subject: SUSE-CU-2025:6986-1: Security update of bci/python Message-ID: <20250920072123.98EDEF782@maintenance.suse.de> SUSE Container Update Advisory: bci/python ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:6986-1 Container Tags : bci/python:3 , bci/python:3.6 , bci/python:3.6.15 , bci/python:3.6.15-73.29 Container Release : 73.29 Severity : important Type : security References : 1246197 1249191 1249348 1249367 CVE-2025-10148 CVE-2025-9086 ----------------------------------------------------------------- The container bci/python was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:3268-1 Released: Thu Sep 18 13:08:10 2025 Summary: Security update for curl Type: security Severity: important References: 1246197,1249191,1249348,1249367,CVE-2025-10148,CVE-2025-9086 This update for curl fixes the following issues: Security issues fixed: - CVE-2025-9086: bug in path comparison logic when processing cookies can lead to out-of-bounds read in heap buffer (bsc#1249191). - CVE-2025-10148: predictable websocket mask can lead to proxy cache poisoning by malicious server (bsc#1249348). Other issues fixed: - Fix the --ftp-pasv option in curl v8.14.1 (bsc#1246197). * tool_getparam: fix --ftp-pasv [5f805ee] - Update to version 8.14.1 (jsc#PED-13055, jsc#PED-13056). * TLS: add CURLOPT_SSL_SIGNATURE_ALGORITHMS and --sigalgs. 
* websocket: add option to disable auto-pong reply. * huge number of bugfixes. Please see https://curl.se/ch/ for full changelogs. The following package changes have been done: - libbrotlicommon1-1.0.7-150200.3.5.1 updated - libbrotlidec1-1.0.7-150200.3.5.1 updated - container:registry.suse.com-bci-bci-base-15.7-58f9c044bea87805cae0e4122c7157699ff07944d120923c8f92ba4d9a128a2a-0 updated From sle-container-updates at lists.suse.com Sat Sep 20 07:21:37 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Sat, 20 Sep 2025 09:21:37 +0200 (CEST) Subject: SUSE-CU-2025:6987-1: Security update of bci/ruby Message-ID: <20250920072137.DEB55F782@maintenance.suse.de> SUSE Container Update Advisory: bci/ruby ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:6987-1 Container Tags : bci/ruby:2 , bci/ruby:2.5 , bci/ruby:2.5-14.8 Container Release : 14.8 Severity : important Type : security References : 1246197 1249191 1249348 1249367 CVE-2025-10148 CVE-2025-9086 ----------------------------------------------------------------- The container bci/ruby was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:3268-1 Released: Thu Sep 18 13:08:10 2025 Summary: Security update for curl Type: security Severity: important References: 1246197,1249191,1249348,1249367,CVE-2025-10148,CVE-2025-9086 This update for curl fixes the following issues: Security issues fixed: - CVE-2025-9086: bug in path comparison logic when processing cookies can lead to out-of-bounds read in heap buffer (bsc#1249191). - CVE-2025-10148: predictable websocket mask can lead to proxy cache poisoning by malicious server (bsc#1249348). Other issues fixed: - Fix the --ftp-pasv option in curl v8.14.1 (bsc#1246197). * tool_getparam: fix --ftp-pasv [5f805ee] - Update to version 8.14.1 (jsc#PED-13055, jsc#PED-13056). 
* TLS: add CURLOPT_SSL_SIGNATURE_ALGORITHMS and --sigalgs. * websocket: add option to disable auto-pong reply. * huge number of bugfixes. Please see https://curl.se/ch/ for full changelogs. The following package changes have been done: - libbrotlicommon1-1.0.7-150200.3.5.1 updated - libbrotlidec1-1.0.7-150200.3.5.1 updated - container:registry.suse.com-bci-bci-base-15.7-58f9c044bea87805cae0e4122c7157699ff07944d120923c8f92ba4d9a128a2a-0 updated From sle-container-updates at lists.suse.com Sat Sep 20 07:21:53 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Sat, 20 Sep 2025 09:21:53 +0200 (CEST) Subject: SUSE-CU-2025:6988-1: Security update of bci/ruby Message-ID: <20250920072153.63F65F782@maintenance.suse.de> SUSE Container Update Advisory: bci/ruby ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:6988-1 Container Tags : bci/ruby:3 , bci/ruby:3.4 , bci/ruby:3.4-13.8 , bci/ruby:latest Container Release : 13.8 Severity : important Type : security References : 1246197 1249191 1249348 1249367 CVE-2025-10148 CVE-2025-9086 ----------------------------------------------------------------- The container bci/ruby was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:3268-1 Released: Thu Sep 18 13:08:10 2025 Summary: Security update for curl Type: security Severity: important References: 1246197,1249191,1249348,1249367,CVE-2025-10148,CVE-2025-9086 This update for curl fixes the following issues: Security issues fixed: - CVE-2025-9086: bug in path comparison logic when processing cookies can lead to out-of-bounds read in heap buffer (bsc#1249191). - CVE-2025-10148: predictable websocket mask can lead to proxy cache poisoning by malicious server (bsc#1249348). Other issues fixed: - Fix the --ftp-pasv option in curl v8.14.1 (bsc#1246197). 
* tool_getparam: fix --ftp-pasv [5f805ee] - Update to version 8.14.1 (jsc#PED-13055, jsc#PED-13056). * TLS: add CURLOPT_SSL_SIGNATURE_ALGORITHMS and --sigalgs. * websocket: add option to disable auto-pong reply. * huge number of bugfixes. Please see https://curl.se/ch/ for full changelogs. The following package changes have been done: - libbrotlicommon1-1.0.7-150200.3.5.1 updated - libbrotlidec1-1.0.7-150200.3.5.1 updated - container:registry.suse.com-bci-bci-base-15.7-58f9c044bea87805cae0e4122c7157699ff07944d120923c8f92ba4d9a128a2a-0 updated From sle-container-updates at lists.suse.com Sat Sep 20 07:22:05 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Sat, 20 Sep 2025 09:22:05 +0200 (CEST) Subject: SUSE-CU-2025:6989-1: Security update of bci/rust Message-ID: <20250920072205.C4E0CF782@maintenance.suse.de> SUSE Container Update Advisory: bci/rust ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:6989-1 Container Tags : bci/rust:1.88 , bci/rust:1.88.0 , bci/rust:1.88.0-2.2.6 , bci/rust:oldstable , bci/rust:oldstable-2.2.6 Container Release : 2.6 Severity : important Type : security References : 1246197 1249191 1249348 1249367 CVE-2025-10148 CVE-2025-9086 ----------------------------------------------------------------- The container bci/rust was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:3268-1 Released: Thu Sep 18 13:08:10 2025 Summary: Security update for curl Type: security Severity: important References: 1246197,1249191,1249348,1249367,CVE-2025-10148,CVE-2025-9086 This update for curl fixes the following issues: Security issues fixed: - CVE-2025-9086: bug in path comparison logic when processing cookies can lead to out-of-bounds read in heap buffer (bsc#1249191). 
- CVE-2025-10148: predictable websocket mask can lead to proxy cache poisoning by malicious server (bsc#1249348).

Other issues fixed:

- Fix the --ftp-pasv option in curl v8.14.1 (bsc#1246197).
  * tool_getparam: fix --ftp-pasv [5f805ee]
- Update to version 8.14.1 (jsc#PED-13055, jsc#PED-13056).
  * TLS: add CURLOPT_SSL_SIGNATURE_ALGORITHMS and --sigalgs.
  * websocket: add option to disable auto-pong reply.
  * huge number of bugfixes.

  Please see https://curl.se/ch/ for full changelogs.

The following package changes have been done:

- libbrotlicommon1-1.0.7-150200.3.5.1 updated
- libbrotlidec1-1.0.7-150200.3.5.1 updated
- container:registry.suse.com-bci-bci-base-15.7-58f9c044bea87805cae0e4122c7157699ff07944d120923c8f92ba4d9a128a2a-0 updated

From sle-container-updates at lists.suse.com Sun Sep 21 07:07:46 2025
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Sun, 21 Sep 2025 09:07:46 +0200 (CEST)
Subject: SUSE-CU-2025:6989-1: Security update of bci/rust
Message-ID: <20250921070746.B18A0FB9C@maintenance.suse.de>

SUSE Container Update Advisory: bci/rust
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2025:6989-1
Container Tags : bci/rust:1.88 , bci/rust:1.88.0 , bci/rust:1.88.0-2.2.6 , bci/rust:oldstable , bci/rust:oldstable-2.2.6
Container Release : 2.6
Severity : important
Type : security
References : 1246197 1249191 1249348 1249367 CVE-2025-10148 CVE-2025-9086
-----------------------------------------------------------------

The container bci/rust was updated.
The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:3268-1
Released: Thu Sep 18 13:08:10 2025
Summary: Security update for curl
Type: security
Severity: important
References: 1246197,1249191,1249348,1249367,CVE-2025-10148,CVE-2025-9086

This update for curl fixes the following issues:

Security issues fixed:

- CVE-2025-9086: bug in patch comparison logic when processing cookies can lead to out-of-bounds read in heap buffer (bsc#1249191).
- CVE-2025-10148: predictable websocket mask can lead to proxy cache poisoning by malicious server (bsc#1249348).

Other issues fixed:

- Fix the --ftp-pasv option in curl v8.14.1 (bsc#1246197).
  * tool_getparam: fix --ftp-pasv [5f805ee]
- Update to version 8.14.1 (jsc#PED-13055, jsc#PED-13056).
  * TLS: add CURLOPT_SSL_SIGNATURE_ALGORITHMS and --sigalgs.
  * websocket: add option to disable auto-pong reply.
  * huge number of bugfixes.

  Please see https://curl.se/ch/ for full changelogs.

The following package changes have been done:

- libbrotlicommon1-1.0.7-150200.3.5.1 updated
- libbrotlidec1-1.0.7-150200.3.5.1 updated
- container:registry.suse.com-bci-bci-base-15.7-58f9c044bea87805cae0e4122c7157699ff07944d120923c8f92ba4d9a128a2a-0 updated

From sle-container-updates at lists.suse.com Sun Sep 21 07:07:57 2025
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Sun, 21 Sep 2025 09:07:57 +0200 (CEST)
Subject: SUSE-CU-2025:6990-1: Security update of bci/rust
Message-ID: <20250921070757.44532FB9C@maintenance.suse.de>

SUSE Container Update Advisory: bci/rust
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2025:6990-1
Container Tags : bci/rust:1.89 , bci/rust:1.89.0 , bci/rust:1.89.0-1.2.6 , bci/rust:latest , bci/rust:stable , bci/rust:stable-1.2.6
Container Release : 2.6
Severity : important
Type : security
References : 1246197 1249191 1249348 1249367 CVE-2025-10148 CVE-2025-9086
-----------------------------------------------------------------

The container bci/rust was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:3268-1
Released: Thu Sep 18 13:08:10 2025
Summary: Security update for curl
Type: security
Severity: important
References: 1246197,1249191,1249348,1249367,CVE-2025-10148,CVE-2025-9086

This update for curl fixes the following issues:

Security issues fixed:

- CVE-2025-9086: bug in patch comparison logic when processing cookies can lead to out-of-bounds read in heap buffer (bsc#1249191).
- CVE-2025-10148: predictable websocket mask can lead to proxy cache poisoning by malicious server (bsc#1249348).

Other issues fixed:

- Fix the --ftp-pasv option in curl v8.14.1 (bsc#1246197).
  * tool_getparam: fix --ftp-pasv [5f805ee]
- Update to version 8.14.1 (jsc#PED-13055, jsc#PED-13056).
  * TLS: add CURLOPT_SSL_SIGNATURE_ALGORITHMS and --sigalgs.
  * websocket: add option to disable auto-pong reply.
  * huge number of bugfixes.

  Please see https://curl.se/ch/ for full changelogs.

The following package changes have been done:

- libbrotlicommon1-1.0.7-150200.3.5.1 updated
- libbrotlidec1-1.0.7-150200.3.5.1 updated
- container:registry.suse.com-bci-bci-base-15.7-58f9c044bea87805cae0e4122c7157699ff07944d120923c8f92ba4d9a128a2a-0 updated

From sle-container-updates at lists.suse.com Sun Sep 21 07:08:08 2025
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Sun, 21 Sep 2025 09:08:08 +0200 (CEST)
Subject: SUSE-CU-2025:6991-1: Security update of bci/bci-sle15-kernel-module-devel
Message-ID: <20250921070808.A1B74FB9C@maintenance.suse.de>

SUSE Container Update Advisory: bci/bci-sle15-kernel-module-devel
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2025:6991-1
Container Tags : bci/bci-sle15-kernel-module-devel:15.7 , bci/bci-sle15-kernel-module-devel:15.7-44.18 , bci/bci-sle15-kernel-module-devel:latest
Container Release : 44.18
Severity : important
Type : security
References : 1246197 1249191 1249348 1249367 CVE-2025-10148 CVE-2025-9086
-----------------------------------------------------------------

The container bci/bci-sle15-kernel-module-devel was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:3268-1
Released: Thu Sep 18 13:08:10 2025
Summary: Security update for curl
Type: security
Severity: important
References: 1246197,1249191,1249348,1249367,CVE-2025-10148,CVE-2025-9086

This update for curl fixes the following issues:

Security issues fixed:

- CVE-2025-9086: bug in patch comparison logic when processing cookies can lead to out-of-bounds read in heap buffer (bsc#1249191).
- CVE-2025-10148: predictable websocket mask can lead to proxy cache poisoning by malicious server (bsc#1249348).

Other issues fixed:

- Fix the --ftp-pasv option in curl v8.14.1 (bsc#1246197).
  * tool_getparam: fix --ftp-pasv [5f805ee]
- Update to version 8.14.1 (jsc#PED-13055, jsc#PED-13056).
  * TLS: add CURLOPT_SSL_SIGNATURE_ALGORITHMS and --sigalgs.
  * websocket: add option to disable auto-pong reply.
  * huge number of bugfixes.

  Please see https://curl.se/ch/ for full changelogs.

The following package changes have been done:

- libbrotlicommon1-1.0.7-150200.3.5.1 updated
- libbrotlidec1-1.0.7-150200.3.5.1 updated
- container:registry.suse.com-bci-bci-base-15.7-58f9c044bea87805cae0e4122c7157699ff07944d120923c8f92ba4d9a128a2a-0 updated

From sle-container-updates at lists.suse.com Mon Sep 22 14:55:46 2025
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Mon, 22 Sep 2025 16:55:46 +0200 (CEST)
Subject: SUSE-IU-2025:2524-1: Recommended update of suse/sle-micro/base-5.5
Message-ID: <20250922145547.017C1F782@maintenance.suse.de>

SUSE Image Update Advisory: suse/sle-micro/base-5.5
-----------------------------------------------------------------
Image Advisory ID : SUSE-IU-2025:2524-1
Image Tags : suse/sle-micro/base-5.5:2.0.4 , suse/sle-micro/base-5.5:2.0.4-5.8.206 , suse/sle-micro/base-5.5:latest
Image Release : 5.8.206
Severity : moderate
Type : recommended
References : 1235873
-----------------------------------------------------------------

The container suse/sle-micro/base-5.5 was updated.
The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2025:3288-1
Released: Mon Sep 22 12:13:27 2025
Summary: Recommended update for permissions
Type: recommended
Severity: moderate
References: 1235873

This update for permissions fixes the following issues:

- permissions: remove unnecessary static dirs and devices (bsc#1235873)

The following package changes have been done:

- permissions-20201225-150400.5.22.1 updated

From sle-container-updates at lists.suse.com Mon Sep 22 14:57:22 2025
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Mon, 22 Sep 2025 16:57:22 +0200 (CEST)
Subject: SUSE-IU-2025:2525-1: Recommended update of suse/sle-micro/kvm-5.5
Message-ID: <20250922145722.AA5E7F782@maintenance.suse.de>

SUSE Image Update Advisory: suse/sle-micro/kvm-5.5
-----------------------------------------------------------------
Image Advisory ID : SUSE-IU-2025:2525-1
Image Tags : suse/sle-micro/kvm-5.5:2.0.4 , suse/sle-micro/kvm-5.5:2.0.4-3.5.393 , suse/sle-micro/kvm-5.5:latest
Image Release : 3.5.393
Severity : moderate
Type : recommended
References : 1235873
-----------------------------------------------------------------

The container suse/sle-micro/kvm-5.5 was updated.
The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2025:3288-1
Released: Mon Sep 22 12:13:27 2025
Summary: Recommended update for permissions
Type: recommended
Severity: moderate
References: 1235873

This update for permissions fixes the following issues:

- permissions: remove unnecessary static dirs and devices (bsc#1235873)

The following package changes have been done:

- permissions-20201225-150400.5.22.1 updated
- container:suse-sle-micro-base-5.5-latest-2.0.4-5.8.206 updated

From sle-container-updates at lists.suse.com Mon Sep 22 15:01:52 2025
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Mon, 22 Sep 2025 17:01:52 +0200 (CEST)
Subject: SUSE-IU-2025:2527-1: Recommended update of suse/sle-micro/5.5
Message-ID: <20250922150152.29774FCE1@maintenance.suse.de>

SUSE Image Update Advisory: suse/sle-micro/5.5
-----------------------------------------------------------------
Image Advisory ID : SUSE-IU-2025:2527-1
Image Tags : suse/sle-micro/5.5:2.0.4 , suse/sle-micro/5.5:2.0.4-5.5.372 , suse/sle-micro/5.5:latest
Image Release : 5.5.372
Severity : moderate
Type : recommended
References : 1235873
-----------------------------------------------------------------

The container suse/sle-micro/5.5 was updated.
The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2025:3288-1
Released: Mon Sep 22 12:13:27 2025
Summary: Recommended update for permissions
Type: recommended
Severity: moderate
References: 1235873

This update for permissions fixes the following issues:

- permissions: remove unnecessary static dirs and devices (bsc#1235873)

The following package changes have been done:

- permissions-20201225-150400.5.22.1 updated
- container:suse-sle-micro-base-5.5-latest-2.0.4-5.8.206 updated

From sle-container-updates at lists.suse.com Mon Sep 22 14:59:49 2025
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Mon, 22 Sep 2025 16:59:49 +0200 (CEST)
Subject: SUSE-IU-2025:2526-1: Security update of suse/sle-micro/rt-5.5
Message-ID: <20250922145949.6BFCCF783@maintenance.suse.de>

SUSE Image Update Advisory: suse/sle-micro/rt-5.5
-----------------------------------------------------------------
Image Advisory ID : SUSE-IU-2025:2526-1
Image Tags : suse/sle-micro/rt-5.5:2.0.4 , suse/sle-micro/rt-5.5:2.0.4-4.5.491 , suse/sle-micro/rt-5.5:latest
Image Release : 4.5.491
Severity : important
Type : security
References : 1229334 1233640 1234896 1235873 1240375 1242780 1244824 1245110 1245956 1245970 1246211 1246473 1246911 1247143 1247374 1247518 1247976 1248223 1248297 1248306 1248312 1248338 1248511 1248614 1248621 1248748 CVE-2022-49980 CVE-2022-50116 CVE-2023-53117 CVE-2024-42265 CVE-2024-53093 CVE-2024-53177 CVE-2024-58239 CVE-2025-38180 CVE-2025-38184 CVE-2025-38323 CVE-2025-38352 CVE-2025-38460 CVE-2025-38498 CVE-2025-38499 CVE-2025-38546 CVE-2025-38555 CVE-2025-38560 CVE-2025-38563 CVE-2025-38608 CVE-2025-38617 CVE-2025-38618 CVE-2025-38644
-----------------------------------------------------------------

The container suse/sle-micro/rt-5.5 was updated.
The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:3283-1
Released: Fri Sep 19 19:49:41 2025
Summary: Security update for the Linux Kernel
Type: security
Severity: important
References: 1229334,1233640,1234896,1240375,1242780,1244824,1245110,1245956,1245970,1246211,1246473,1246911,1247143,1247374,1247518,1247976,1248223,1248297,1248306,1248312,1248338,1248511,1248614,1248621,1248748,CVE-2022-49980,CVE-2022-50116,CVE-2023-53117,CVE-2024-42265,CVE-2024-53093,CVE-2024-53177,CVE-2024-58239,CVE-2025-38180,CVE-2025-38184,CVE-2025-38323,CVE-2025-38352,CVE-2025-38460,CVE-2025-38498,CVE-2025-38499,CVE-2025-38546,CVE-2025-38555,CVE-2025-38560,CVE-2025-38563,CVE-2025-38608,CVE-2025-38617,CVE-2025-38618,CVE-2025-38644

The SUSE Linux Enterprise 15 SP5 RT kernel was updated to receive various security bugfixes.

The following security bugs were fixed:

- CVE-2022-49980: USB: gadget: fix use-after-free read in usb_udc_uevent() (bsc#1245110).
- CVE-2022-50116: tty: n_gsm: fix deadlock and link starvation in outgoing data path (bsc#1244824).
- CVE-2023-53117: fs: prevent out-of-bounds array speculation when closing a file descriptor (bsc#1242780).
- CVE-2024-42265: protect the fetch of ->fd[fd] in do_dup2() from mispredictions (bsc#1229334).
- CVE-2024-53093: nvme-multipath: defer partition scanning (bsc#122824 bsc#1233640).
- CVE-2024-53177: smb: prevent use-after-free due to open_cached_dir error paths (bsc#1234896).
- CVE-2024-58239: tls: stop recv() if initial process_rx_list gave us non-DATA (bsc#1248614).
- CVE-2025-38180: net: atm: fix /proc/net/atm/lec handling (bsc#1245970).
- CVE-2025-38184: tipc: fix null-ptr-deref when acquiring remote ip of ethernet bearer (bsc#1245956).
- CVE-2025-38323: net: atm: add lec_mutex (bsc#1246473).
- CVE-2025-38352: posix-cpu-timers: fix race between handle_posix_cpu_timers() and posix_cpu_timer_del() (bsc#1246911).
- CVE-2025-38460: atm: clip: Fix potential null-ptr-deref in to_atmarpd() (bsc#1247143).
- CVE-2025-38498: do_change_type(): refuse to operate on unmounted/not ours mounts (bsc#1247374).
- CVE-2025-38499: clone_private_mnt(): make sure that caller has CAP_SYS_ADMIN in the right userns (bsc#1247976).
- CVE-2025-38546: atm: clip: Fix memory leak of struct clip_vcc (bsc#1248223).
- CVE-2025-38555: usb: gadget : fix use-after-free in composite_dev_cleanup() (bsc#1248297).
- CVE-2025-38560: x86/sev: Evict cache lines during SNP memory validation (bsc#1248312).
- CVE-2025-38563: perf/core: Prevent VMA split of buffer mappings (bsc#1248306).
- CVE-2025-38608: bpf, ktls: Fix data corruption when using bpf_msg_pop_data() in ktls (bsc#1248338).
- CVE-2025-38617: net/packet: fix a race in packet_set_ring() and packet_notifier() (bsc#1248621).
- CVE-2025-38618: vsock: Do not allow binding to VMADDR_PORT_ANY (bsc#1248511).
- CVE-2025-38644: wifi: mac80211: reject TDLS operations when station is not associated (bsc#1248748).

The following non-security bugs were fixed:

- Disable N_GSM (jsc#PED-8240, bsc#1244824).
- NFSv4.1: fix backchannel max_resp_sz verification check (bsc#1247518).
- NFSv4: fairly test all delegations on a SEQ4_ revocation (bsc#1246211).
- kabi fix for NFSv4: fairly test all delegations on a SEQ4_ revocation (bsc#1246211).
- security, lsm: Introduce security_mptcp_add_subflow() (bsc#1240375).
- selinux: Implement mptcp_add_subflow hook (bsc#1240375).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2025:3288-1
Released: Mon Sep 22 12:13:27 2025
Summary: Recommended update for permissions
Type: recommended
Severity: moderate
References: 1235873

This update for permissions fixes the following issues:

- permissions: remove unnecessary static dirs and devices (bsc#1235873)

The following package changes have been done:

- permissions-20201225-150400.5.22.1 updated
- kernel-rt-5.14.21-150500.13.106.1 updated
- container:suse-sle-micro-5.5-latest-2.0.4-5.5.372 updated

From sle-container-updates at lists.suse.com Mon Sep 22 15:10:26 2025
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Mon, 22 Sep 2025 17:10:26 +0200 (CEST)
Subject: SUSE-CU-2025:6996-1: Recommended update of suse/sle-micro/5.3/toolbox
Message-ID: <20250922151026.DB605F783@maintenance.suse.de>

SUSE Container Update Advisory: suse/sle-micro/5.3/toolbox
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2025:6996-1
Container Tags : suse/sle-micro/5.3/toolbox:14.2 , suse/sle-micro/5.3/toolbox:14.2-6.11.184 , suse/sle-micro/5.3/toolbox:latest
Container Release : 6.11.184
Severity : moderate
Type : recommended
References : 1235873
-----------------------------------------------------------------

The container suse/sle-micro/5.3/toolbox was updated.
The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2025:3288-1
Released: Mon Sep 22 12:13:27 2025
Summary: Recommended update for permissions
Type: recommended
Severity: moderate
References: 1235873

This update for permissions fixes the following issues:

- permissions: remove unnecessary static dirs and devices (bsc#1235873)

The following package changes have been done:

- permissions-20201225-150400.5.22.1 updated

From sle-container-updates at lists.suse.com Mon Sep 22 15:14:56 2025
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Mon, 22 Sep 2025 17:14:56 +0200 (CEST)
Subject: SUSE-CU-2025:6997-1: Recommended update of suse/sle-micro-rancher/5.4
Message-ID: <20250922151456.B360AF783@maintenance.suse.de>

SUSE Container Update Advisory: suse/sle-micro-rancher/5.4
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2025:6997-1
Container Tags : suse/sle-micro-rancher/5.4:5.4.4.5.56 , suse/sle-micro-rancher/5.4:latest
Container Release : 4.5.56
Severity : moderate
Type : recommended
References : 1235873
-----------------------------------------------------------------

The container suse/sle-micro-rancher/5.4 was updated.
The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2025:3288-1
Released: Mon Sep 22 12:13:27 2025
Summary: Recommended update for permissions
Type: recommended
Severity: moderate
References: 1235873

This update for permissions fixes the following issues:

- permissions: remove unnecessary static dirs and devices (bsc#1235873)

The following package changes have been done:

- permissions-20201225-150400.5.22.1 updated

From sle-container-updates at lists.suse.com Mon Sep 22 15:18:09 2025
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Mon, 22 Sep 2025 17:18:09 +0200 (CEST)
Subject: SUSE-CU-2025:6998-1: Recommended update of suse/sle-micro/5.4/toolbox
Message-ID: <20250922151809.87034F783@maintenance.suse.de>

SUSE Container Update Advisory: suse/sle-micro/5.4/toolbox
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2025:6998-1
Container Tags : suse/sle-micro/5.4/toolbox:14.2 , suse/sle-micro/5.4/toolbox:14.2-5.19.184 , suse/sle-micro/5.4/toolbox:latest
Container Release : 5.19.184
Severity : moderate
Type : recommended
References : 1235873
-----------------------------------------------------------------

The container suse/sle-micro/5.4/toolbox was updated.
The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2025:3288-1
Released: Mon Sep 22 12:13:27 2025
Summary: Recommended update for permissions
Type: recommended
Severity: moderate
References: 1235873

This update for permissions fixes the following issues:

- permissions: remove unnecessary static dirs and devices (bsc#1235873)

The following package changes have been done:

- permissions-20201225-150400.5.22.1 updated

From sle-container-updates at lists.suse.com Mon Sep 22 15:20:38 2025
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Mon, 22 Sep 2025 17:20:38 +0200 (CEST)
Subject: SUSE-CU-2025:6999-1: Recommended update of suse/sle-micro/5.5/toolbox
Message-ID: <20250922152038.9AC15F783@maintenance.suse.de>

SUSE Container Update Advisory: suse/sle-micro/5.5/toolbox
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2025:6999-1
Container Tags : suse/sle-micro/5.5/toolbox:14.2 , suse/sle-micro/5.5/toolbox:14.2-3.12.91 , suse/sle-micro/5.5/toolbox:latest
Container Release : 3.12.91
Severity : moderate
Type : recommended
References : 1235873
-----------------------------------------------------------------

The container suse/sle-micro/5.5/toolbox was updated.
The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2025:3288-1
Released: Mon Sep 22 12:13:27 2025
Summary: Recommended update for permissions
Type: recommended
Severity: moderate
References: 1235873

This update for permissions fixes the following issues:

- permissions: remove unnecessary static dirs and devices (bsc#1235873)

The following package changes have been done:

- permissions-20201225-150400.5.22.1 updated

From sle-container-updates at lists.suse.com Mon Sep 22 15:21:56 2025
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Mon, 22 Sep 2025 17:21:56 +0200 (CEST)
Subject: SUSE-IU-2025:2528-1: Security update of suse/sl-micro/6.0/baremetal-os-container
Message-ID: <20250922152156.3441CF783@maintenance.suse.de>

SUSE Image Update Advisory: suse/sl-micro/6.0/baremetal-os-container
-----------------------------------------------------------------
Image Advisory ID : SUSE-IU-2025:2528-1
Image Tags : suse/sl-micro/6.0/baremetal-os-container:2.1.3 , suse/sl-micro/6.0/baremetal-os-container:2.1.3-6.85 , suse/sl-micro/6.0/baremetal-os-container:latest
Image Release : 6.85
Severity : moderate
Type : security
References : 1241219 CVE-2025-3576
-----------------------------------------------------------------

The container suse/sl-micro/6.0/baremetal-os-container was updated.
The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: 469
Released: Mon Sep 22 10:44:49 2025
Summary: Security update for krb5
Type: security
Severity: moderate
References: 1241219,CVE-2025-3576

This update for krb5 fixes the following issues:

- CVE-2025-3576: Fixed Kerberos RC4-HMAC-MD5 Checksum Vulnerability (bsc#1241219)

The following package changes have been done:

- SL-Micro-release-6.0-25.47 updated
- krb5-1.20.1-7.1 updated
- container:SL-Micro-base-container-2.1.3-7.53 updated

From sle-container-updates at lists.suse.com Mon Sep 22 15:23:26 2025
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Mon, 22 Sep 2025 17:23:26 +0200 (CEST)
Subject: SUSE-IU-2025:2529-1: Security update of suse/sl-micro/6.0/base-os-container
Message-ID: <20250922152326.94097F783@maintenance.suse.de>

SUSE Image Update Advisory: suse/sl-micro/6.0/base-os-container
-----------------------------------------------------------------
Image Advisory ID : SUSE-IU-2025:2529-1
Image Tags : suse/sl-micro/6.0/base-os-container:2.1.3 , suse/sl-micro/6.0/base-os-container:2.1.3-7.53 , suse/sl-micro/6.0/base-os-container:latest
Image Release : 7.53
Severity : moderate
Type : security
References : 1241219 CVE-2025-3576
-----------------------------------------------------------------

The container suse/sl-micro/6.0/base-os-container was updated.
The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: 469
Released: Mon Sep 22 10:44:49 2025
Summary: Security update for krb5
Type: security
Severity: moderate
References: 1241219,CVE-2025-3576

This update for krb5 fixes the following issues:

- CVE-2025-3576: Fixed Kerberos RC4-HMAC-MD5 Checksum Vulnerability (bsc#1241219)

The following package changes have been done:

- SL-Micro-release-6.0-25.47 updated
- krb5-1.20.1-7.1 updated
- container:suse-toolbox-image-1.0.0-9.34 updated

From sle-container-updates at lists.suse.com Mon Sep 22 15:24:58 2025
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Mon, 22 Sep 2025 17:24:58 +0200 (CEST)
Subject: SUSE-IU-2025:2530-1: Security update of suse/sl-micro/6.0/kvm-os-container
Message-ID: <20250922152458.929B9F783@maintenance.suse.de>

SUSE Image Update Advisory: suse/sl-micro/6.0/kvm-os-container
-----------------------------------------------------------------
Image Advisory ID : SUSE-IU-2025:2530-1
Image Tags : suse/sl-micro/6.0/kvm-os-container:2.1.3 , suse/sl-micro/6.0/kvm-os-container:2.1.3-6.76 , suse/sl-micro/6.0/kvm-os-container:latest
Image Release : 6.76
Severity : moderate
Type : security
References : 1241219 CVE-2025-3576
-----------------------------------------------------------------

The container suse/sl-micro/6.0/kvm-os-container was updated.
The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: 469
Released: Mon Sep 22 10:44:49 2025
Summary: Security update for krb5
Type: security
Severity: moderate
References: 1241219,CVE-2025-3576

This update for krb5 fixes the following issues:

- CVE-2025-3576: Fixed Kerberos RC4-HMAC-MD5 Checksum Vulnerability (bsc#1241219)

The following package changes have been done:

- SL-Micro-release-6.0-25.47 updated
- krb5-1.20.1-7.1 updated
- container:SL-Micro-base-container-2.1.3-7.53 updated

From sle-container-updates at lists.suse.com Mon Sep 22 15:28:23 2025
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Mon, 22 Sep 2025 17:28:23 +0200 (CEST)
Subject: SUSE-IU-2025:2531-1: Recommended update of suse/sl-micro/6.1/base-os-container
Message-ID: <20250922152823.CCADBF783@maintenance.suse.de>

SUSE Image Update Advisory: suse/sl-micro/6.1/base-os-container
-----------------------------------------------------------------
Image Advisory ID : SUSE-IU-2025:2531-1
Image Tags : suse/sl-micro/6.1/base-os-container:2.2.1 , suse/sl-micro/6.1/base-os-container:2.2.1-5.35 , suse/sl-micro/6.1/base-os-container:latest
Image Release : 5.35
Severity : moderate
Type : recommended
References : 1215377 1236217 1238572 1239182 1240550 CVE-2025-22870 CVE-2025-22871
-----------------------------------------------------------------

The container suse/sl-micro/6.1/base-os-container was updated.
The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: 273
Released: Mon Sep 22 10:29:39 2025
Summary: Recommended update for audit
Type: recommended
Severity: moderate
References: 1215377,1236217,1238572,1239182,1240550,CVE-2025-22870,CVE-2025-22871

This update for audit fixes the following issues:

- Fix plugin termination when using systemd service units (bsc#1215377)

The following package changes have been done:

- libaudit1-3.1.1-slfo.1.1_2.1 updated
- SL-Micro-release-6.1-slfo.1.11.59 updated
- libauparse0-3.1.1-slfo.1.1_2.1 updated
- system-group-audit-3.1.1-slfo.1.1_2.1 updated
- audit-3.1.1-slfo.1.1_2.1 updated
- container:suse-toolbox-image-1.0.0-4.74 updated

From sle-container-updates at lists.suse.com Mon Sep 22 15:29:29 2025
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Mon, 22 Sep 2025 17:29:29 +0200 (CEST)
Subject: SUSE-IU-2025:2532-1: Recommended update of suse/sl-micro/6.1/kvm-os-container
Message-ID: <20250922152929.198EDF783@maintenance.suse.de>

SUSE Image Update Advisory: suse/sl-micro/6.1/kvm-os-container
-----------------------------------------------------------------
Image Advisory ID : SUSE-IU-2025:2532-1
Image Tags : suse/sl-micro/6.1/kvm-os-container:2.2.1 , suse/sl-micro/6.1/kvm-os-container:2.2.1-5.37 , suse/sl-micro/6.1/kvm-os-container:latest
Image Release : 5.37
Severity : moderate
Type : recommended
References : 1215377 1236217 1238572 1239182 1240550 CVE-2025-22870 CVE-2025-22871
-----------------------------------------------------------------

The container suse/sl-micro/6.1/kvm-os-container was updated.
The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: 273
Released: Mon Sep 22 10:29:39 2025
Summary: Recommended update for audit
Type: recommended
Severity: moderate
References: 1215377,1236217,1238572,1239182,1240550,CVE-2025-22870,CVE-2025-22871

This update for audit fixes the following issues:

- Fix plugin termination when using systemd service units (bsc#1215377)

The following package changes have been done:

- libaudit1-3.1.1-slfo.1.1_2.1 updated
- SL-Micro-release-6.1-slfo.1.11.59 updated
- container:SL-Micro-base-container-2.2.1-5.35 updated

From sle-container-updates at lists.suse.com Mon Sep 22 15:30:32 2025
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Mon, 22 Sep 2025 17:30:32 +0200 (CEST)
Subject: SUSE-IU-2025:2533-1: Security update of suse/sl-micro/6.1/rt-os-container
Message-ID: <20250922153032.02570FB9C@maintenance.suse.de>

SUSE Image Update Advisory: suse/sl-micro/6.1/rt-os-container
-----------------------------------------------------------------
Image Advisory ID : SUSE-IU-2025:2533-1
Image Tags : suse/sl-micro/6.1/rt-os-container:2.2.1 , suse/sl-micro/6.1/rt-os-container:2.2.1-5.22 , suse/sl-micro/6.1/rt-os-container:latest
Image Release : 5.22
Severity : moderate
Type : security
References : 1215377 1232234 1236217 1236878 1238572 1239182 1240550 CVE-2024-10041 CVE-2024-12133 CVE-2025-22870 CVE-2025-22871
-----------------------------------------------------------------

The container suse/sl-micro/6.1/rt-os-container was updated.
The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: 266
Released: Wed Sep 17 13:30:47 2025
Summary: Security update for pam
Type: security
Severity: moderate
References: 1232234,1236878,CVE-2024-10041,CVE-2024-12133

This update for pam fixes the following issues:

- CVE-2024-10041: Fixed hashed password leak (bsc#1232234)

-----------------------------------------------------------------
Advisory ID: 273
Released: Mon Sep 22 10:29:39 2025
Summary: Recommended update for audit
Type: recommended
Severity: moderate
References: 1215377,1236217,1238572,1239182,1240550,CVE-2025-22870,CVE-2025-22871

This update for audit fixes the following issues:

- Fix plugin termination when using systemd service units (bsc#1215377)

The following package changes have been done:

- libaudit1-3.1.1-slfo.1.1_2.1 updated
- pam-1.6.1-slfo.1.1_4.1 updated
- SL-Micro-release-6.1-slfo.1.11.59 updated
- container:SL-Micro-container-2.2.1-7.10 updated

From sle-container-updates at lists.suse.com Mon Sep 22 15:39:22 2025
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Mon, 22 Sep 2025 17:39:22 +0200 (CEST)
Subject: SUSE-CU-2025:7009-1: Security update of suse/mariadb
Message-ID: <20250922153922.5DB8EF783@maintenance.suse.de>

SUSE Container Update Advisory: suse/mariadb
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2025:7009-1
Container Tags : suse/mariadb:10.11 , suse/mariadb:10.11.14 , suse/mariadb:10.11.14-71.4
Container Release : 71.4
Severity : moderate
Type : security
References : 1239150 1239151 1249212 1249213 1249219 CVE-2023-52969 CVE-2023-52970 CVE-2023-52971 CVE-2025-30693 CVE-2025-30722
-----------------------------------------------------------------

The container suse/mariadb was updated.
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:3275-1 Released: Fri Sep 19 14:16:06 2025 Summary: Security update for mariadb Type: security Severity: moderate References: 1239150,1239151,1249212,1249213,1249219,CVE-2023-52969,CVE-2023-52970,CVE-2023-52971,CVE-2025-30693,CVE-2025-30722 This update for mariadb fixes the following issues: Update to version 10.11.14. Security issues fixed: - CVE-2025-30693: InnoDB issue allows high privileged attacker with network access to gain unauthorized update, insert or delete access to data and cause repeatable crash in MySQL server (bsc#1249213). - CVE-2025-30722: mysqldump issue allows low privileged attacker with network access to gain unauthorized update, insert or delete access to data in MySQL Client (bsc#1249212). - CVE-2023-52969: crash with empty backtrace log in MariaDB Server (bsc#1239150). - CVE-2023-52970: crash in MariaDB Server when inserting from derived table containing insert target table (bsc#1239151). - CVE-2023-52971: crash in the optimizer of MariaDB Server when processing certain queries with subqueries (bsc#1249219). 
Release notes and changelog: - https://mariadb.com/docs/release-notes/community-server/mariadb-10-11-series/mariadb-10.11.14-release-notes - https://mariadb.com/docs/release-notes/community-server/changelogs/changelogs-mariadb-10-11-series/mariadb-10.11.14-changelog - https://mariadb.com/kb/en/mariadb-10-11-13-release-notes/ - https://mariadb.com/kb/en/mariadb-10-11-13-changelog/ - https://mariadb.com/kb/en/mariadb-10-11-12-release-notes/ - https://mariadb.com/kb/en/mariadb-10-11-12-changelog/ The following package changes have been done: - mariadb-errormessages-10.11.14-150600.4.14.1 updated - mariadb-tools-10.11.14-150600.4.14.1 updated - mariadb-client-10.11.14-150600.4.14.1 updated - mariadb-10.11.14-150600.4.14.1 updated - container:suse-sle15-15.6-e3235826fda424ffcadb5c16b55bcdffc50fd00aa3bfe3d0e13a1b34be967169-0 updated From sle-container-updates at lists.suse.com Mon Sep 22 15:41:11 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Mon, 22 Sep 2025 17:41:11 +0200 (CEST) Subject: SUSE-CU-2025:7010-1: Security update of bci/golang Message-ID: <20250922154111.264B4F783@maintenance.suse.de> SUSE Container Update Advisory: bci/golang ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:7010-1 Container Tags : bci/golang:1.24 , bci/golang:1.24.6 , bci/golang:1.24.6-2.71.10 , bci/golang:oldstable , bci/golang:oldstable-2.71.10 Container Release : 71.10 Severity : important Type : security References : 1228260 1236589 1239618 1243397 1243706 1243933 1246197 1246197 1249191 1249191 1249348 1249348 1249367 1249367 CVE-2024-6874 CVE-2024-8176 CVE-2025-0665 CVE-2025-10148 CVE-2025-10148 CVE-2025-4947 CVE-2025-5025 CVE-2025-5399 CVE-2025-9086 CVE-2025-9086 ----------------------------------------------------------------- The container bci/golang was updated. 
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:3198-1 Released: Fri Sep 12 14:15:08 2025 Summary: Security update for curl Type: security Severity: important References: 1228260,1236589,1243397,1243706,1243933,1246197,1249191,1249348,1249367,CVE-2024-6874,CVE-2025-0665,CVE-2025-10148,CVE-2025-4947,CVE-2025-5025,CVE-2025-5399,CVE-2025-9086 This update for curl fixes the following issues: Update to version 8.14.1 (jsc#PED-13055, jsc#PED-13056). Security issues fixed: - CVE-2025-0665: eventfd double close can cause libcurl to act unreliably (bsc#1236589). - CVE-2025-4947: QUIC certificate check is skipped with wolfSSL allows for MITM attacks (bsc#1243397). - CVE-2025-5025: no QUIC certificate pinning with wolfSSL can lead to connections to impostor servers that are not easily noticed (bsc#1243706). - CVE-2025-5399: bug in websocket code can cause libcurl to get trapped in an endless busy-loop when processing specially crafted packets (bsc#1243933). - CVE-2024-6874: punycode conversions to/from IDN can leak stack content when libcurl is built to use the macidn IDN backend (bsc#1228260). - CVE-2025-9086: bug in patch comparison logic when processing cookies can lead to out-of-bounds read in heap buffer (bsc#1249191). - CVE-2025-10148: predictable websocket mask can lead to proxy cache poisoning by malicious server (bsc#1249348). Other issues fixed: - Fix wrong return code when --retry is used (bsc#1249367). * tool_operate: fix return code when --retry is used but not triggered [b42776b] - Fix the --ftp-pasv option in curl v8.14.1 (bsc#1246197). * tool_getparam: fix --ftp-pasv [5f805ee] - Fixed with version 8.14.1: * TLS: add CURLOPT_SSL_SIGNATURE_ALGORITHMS and --sigalgs. * websocket: add option to disable auto-pong reply. * huge number of bugfixes. Please see https://curl.se/ch/ for full changelogs. 
----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:3239-1 Released: Tue Sep 16 19:04:00 2025 Summary: Security update for expat Type: security Severity: important References: 1239618,CVE-2024-8176 This update for expat fixes the following issues: expat was updated to version 2.7.1: - Bug fixes: - Restore event pointer behavior from Expat 2.6.4 (that the fix to CVE-2024-8176 changed in 2.7.0); affected API functions are: - XML_GetCurrentByteCount - XML_GetCurrentByteIndex - XML_GetCurrentColumnNumber - XML_GetCurrentLineNumber - XML_GetInputContext - Other changes: - Fix printf format specifiers for 32bit Emscripten - docs: Promote OpenSSF Best Practices self-certification - tests/benchmark: Resolve mistaken double close - Address compiler warnings - Version info bumped from 11:1:10 (libexpat*.so.1.10.1) to 11:2:10 (libexpat*.so.1.10.2); see https://verbump.de/ for what these numbers do Version update to 2.7.0 (CVE-2024-8176, bsc#1239618, jsc#PED-12507) * Security fixes: - CVE-2024-8176 -- Fix crash from chaining a large number of entities caused by stack overflow by resolving use of recursion, for all three uses of entities: - general entities in character data ('&g1;') - general entities in attribute values ('') - parameter entities ('%p1;') Known impact is (reliable and easy) denial of service: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:H/RL:O/RC:C (Base Score: 7.5, Temporal Score: 7.2) Please note that a layer of compression around XML can significantly reduce the minimum attack payload size. 
* Other changes: - docs: Add missing documentation of error code XML_ERROR_NOT_STARTED that was introduced with 2.6.4 - docs: Document need for C++11 compiler for use from C++ - Address Cppcheck warnings - Mass-migrate links from http:// to https:// - Document changes since the previous release - Version info bumped from 11:0:10 (libexpat*.so.1.10.0) to 11:1:10 (libexpat*.so.1.10.1); see https://verbump.de/ for what these numbers do ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:3268-1 Released: Thu Sep 18 13:08:10 2025 Summary: Security update for curl Type: security Severity: important References: 1246197,1249191,1249348,1249367,CVE-2025-10148,CVE-2025-9086 This update for curl fixes the following issues: Security issues fixed: - CVE-2025-9086: bug in patch comparison logic when processing cookies can lead to out-of-bounds read in heap buffer (bsc#1249191). - CVE-2025-10148: predictable websocket mask can lead to proxy cache poisoning by malicious server (bsc#1249348). Other issues fixed: - Fix the --ftp-pasv option in curl v8.14.1 (bsc#1246197). * tool_getparam: fix --ftp-pasv [5f805ee] - Update to version 8.14.1 (jsc#PED-13055, jsc#PED-13056). * TLS: add CURLOPT_SSL_SIGNATURE_ALGORITHMS and --sigalgs. * websocket: add option to disable auto-pong reply. * huge number of bugfixes. Please see https://curl.se/ch/ for full changelogs. 
The following package changes have been done: - libbrotlicommon1-1.0.7-150200.3.5.1 updated - libbrotlidec1-1.0.7-150200.3.5.1 updated - libcurl4-8.14.1-150600.4.28.1 updated - curl-8.14.1-150600.4.28.1 updated - libexpat1-2.7.1-150700.3.3.1 updated - container:registry.suse.com-bci-bci-base-15.7-58f9c044bea87805cae0e4122c7157699ff07944d120923c8f92ba4d9a128a2a-0 updated From sle-container-updates at lists.suse.com Mon Sep 22 15:41:27 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Mon, 22 Sep 2025 17:41:27 +0200 (CEST) Subject: SUSE-CU-2025:7011-1: Security update of bci/golang Message-ID: <20250922154127.3B672F783@maintenance.suse.de> SUSE Container Update Advisory: bci/golang ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:7011-1 Container Tags : bci/golang:1.25 , bci/golang:1.25.1 , bci/golang:1.25.1-1.71.10 , bci/golang:latest , bci/golang:stable , bci/golang:stable-1.71.10 Container Release : 71.10 Severity : important Type : security References : 1239618 1246197 1249191 1249348 1249367 CVE-2024-8176 CVE-2025-10148 CVE-2025-9086 ----------------------------------------------------------------- The container bci/golang was updated. 
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:3239-1 Released: Tue Sep 16 19:04:00 2025 Summary: Security update for expat Type: security Severity: important References: 1239618,CVE-2024-8176 This update for expat fixes the following issues: expat was updated to version 2.7.1: - Bug fixes: - Restore event pointer behavior from Expat 2.6.4 (that the fix to CVE-2024-8176 changed in 2.7.0); affected API functions are: - XML_GetCurrentByteCount - XML_GetCurrentByteIndex - XML_GetCurrentColumnNumber - XML_GetCurrentLineNumber - XML_GetInputContext - Other changes: - Fix printf format specifiers for 32bit Emscripten - docs: Promote OpenSSF Best Practices self-certification - tests/benchmark: Resolve mistaken double close - Address compiler warnings - Version info bumped from 11:1:10 (libexpat*.so.1.10.1) to 11:2:10 (libexpat*.so.1.10.2); see https://verbump.de/ for what these numbers do Version update to 2.7.0 (CVE-2024-8176, bsc#1239618, jsc#PED-12507) * Security fixes: - CVE-2024-8176 -- Fix crash from chaining a large number of entities caused by stack overflow by resolving use of recursion, for all three uses of entities: - general entities in character data ('&g1;') - general entities in attribute values ('') - parameter entities ('%p1;') Known impact is (reliable and easy) denial of service: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:H/RL:O/RC:C (Base Score: 7.5, Temporal Score: 7.2) Please note that a layer of compression around XML can significantly reduce the minimum attack payload size. 
* Other changes: - docs: Add missing documentation of error code XML_ERROR_NOT_STARTED that was introduced with 2.6.4 - docs: Document need for C++11 compiler for use from C++ - Address Cppcheck warnings - Mass-migrate links from http:// to https:// - Document changes since the previous release - Version info bumped from 11:0:10 (libexpat*.so.1.10.0) to 11:1:10 (libexpat*.so.1.10.1); see https://verbump.de/ for what these numbers do ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:3268-1 Released: Thu Sep 18 13:08:10 2025 Summary: Security update for curl Type: security Severity: important References: 1246197,1249191,1249348,1249367,CVE-2025-10148,CVE-2025-9086 This update for curl fixes the following issues: Security issues fixed: - CVE-2025-9086: bug in patch comparison logic when processing cookies can lead to out-of-bounds read in heap buffer (bsc#1249191). - CVE-2025-10148: predictable websocket mask can lead to proxy cache poisoning by malicious server (bsc#1249348). Other issues fixed: - Fix the --ftp-pasv option in curl v8.14.1 (bsc#1246197). * tool_getparam: fix --ftp-pasv [5f805ee] - Update to version 8.14.1 (jsc#PED-13055, jsc#PED-13056). * TLS: add CURLOPT_SSL_SIGNATURE_ALGORITHMS and --sigalgs. * websocket: add option to disable auto-pong reply. * huge number of bugfixes. Please see https://curl.se/ch/ for full changelogs. 
The following package changes have been done: - libbrotlicommon1-1.0.7-150200.3.5.1 updated - libbrotlidec1-1.0.7-150200.3.5.1 updated - libexpat1-2.7.1-150700.3.3.1 updated - container:registry.suse.com-bci-bci-base-15.7-58f9c044bea87805cae0e4122c7157699ff07944d120923c8f92ba4d9a128a2a-0 updated From sle-container-updates at lists.suse.com Mon Sep 22 15:41:43 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Mon, 22 Sep 2025 17:41:43 +0200 (CEST) Subject: SUSE-CU-2025:7012-1: Security update of bci/golang Message-ID: <20250922154143.3D745F783@maintenance.suse.de> SUSE Container Update Advisory: bci/golang ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:7012-1 Container Tags : bci/golang:1.25-openssl , bci/golang:1.25.0-openssl , bci/golang:1.25.0-openssl-74.7 , bci/golang:latest , bci/golang:stable-openssl , bci/golang:stable-openssl-74.7 Container Release : 74.7 Severity : important Type : security References : 1246197 1249191 1249348 1249367 CVE-2025-10148 CVE-2025-9086 ----------------------------------------------------------------- The container bci/golang was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:3268-1 Released: Thu Sep 18 13:08:10 2025 Summary: Security update for curl Type: security Severity: important References: 1246197,1249191,1249348,1249367,CVE-2025-10148,CVE-2025-9086 This update for curl fixes the following issues: Security issues fixed: - CVE-2025-9086: bug in patch comparison logic when processing cookies can lead to out-of-bounds read in heap buffer (bsc#1249191). - CVE-2025-10148: predictable websocket mask can lead to proxy cache poisoning by malicious server (bsc#1249348). Other issues fixed: - Fix the --ftp-pasv option in curl v8.14.1 (bsc#1246197). 
* tool_getparam: fix --ftp-pasv [5f805ee] - Update to version 8.14.1 (jsc#PED-13055, jsc#PED-13056). * TLS: add CURLOPT_SSL_SIGNATURE_ALGORITHMS and --sigalgs. * websocket: add option to disable auto-pong reply. * huge number of bugfixes. Please see https://curl.se/ch/ for full changelogs. The following package changes have been done: - libbrotlicommon1-1.0.7-150200.3.5.1 updated - libbrotlidec1-1.0.7-150200.3.5.1 updated - container:registry.suse.com-bci-bci-base-15.7-58f9c044bea87805cae0e4122c7157699ff07944d120923c8f92ba4d9a128a2a-0 updated From sle-container-updates at lists.suse.com Mon Sep 22 15:41:59 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Mon, 22 Sep 2025 17:41:59 +0200 (CEST) Subject: SUSE-CU-2025:7013-1: Recommended update of suse/kiosk/firefox-esr Message-ID: <20250922154159.6E1F4F783@maintenance.suse.de> SUSE Container Update Advisory: suse/kiosk/firefox-esr ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:7013-1 Container Tags : suse/kiosk/firefox-esr:140.2 , suse/kiosk/firefox-esr:140.2-64.31 , suse/kiosk/firefox-esr:esr , suse/kiosk/firefox-esr:latest Container Release : 64.31 Severity : moderate Type : recommended References : 1247503 ----------------------------------------------------------------- The container suse/kiosk/firefox-esr was updated. 
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:3286-1 Released: Mon Sep 22 08:02:27 2025 Summary: Recommended update for gtk3 Type: recommended Severity: moderate References: 1247503 This update for gtk3 fixes the following issues: - Fixed issue with window dimensions (bsc#1247503) The following package changes have been done: - gtk3-data-3.24.43-150600.3.10.1 updated - gtk3-schema-3.24.43-150600.3.10.1 updated - gtk3-tools-3.24.43-150600.3.10.1 updated - libgtk-3-0-3.24.43-150600.3.10.1 updated - container:suse-sle15-15.7-58f9c044bea87805cae0e4122c7157699ff07944d120923c8f92ba4d9a128a2a-0 updated From sle-container-updates at lists.suse.com Tue Sep 23 07:09:14 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Tue, 23 Sep 2025 09:09:14 +0200 (CEST) Subject: SUSE-CU-2025:7015-1: Security update of suse/kiosk/firefox-esr Message-ID: <20250923070914.9A97FF783@maintenance.suse.de> SUSE Container Update Advisory: suse/kiosk/firefox-esr ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:7015-1 Container Tags : suse/kiosk/firefox-esr:140.3 , suse/kiosk/firefox-esr:140.3-64.32 , suse/kiosk/firefox-esr:esr , suse/kiosk/firefox-esr:latest Container Release : 64.32 Severity : important Type : security References : 1249391 CVE-2025-10527 CVE-2025-10528 CVE-2025-10529 CVE-2025-10532 CVE-2025-10533 CVE-2025-10536 CVE-2025-10537 ----------------------------------------------------------------- The container suse/kiosk/firefox-esr was updated. 
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:3291-1 Released: Mon Sep 22 15:48:51 2025 Summary: Security update for MozillaFirefox Type: security Severity: important References: 1249391,CVE-2025-10527,CVE-2025-10528,CVE-2025-10529,CVE-2025-10532,CVE-2025-10533,CVE-2025-10536,CVE-2025-10537 This update for MozillaFirefox fixes the following issues: Firefox Extended Support Release 140.3.0 ESR (bsc#1249391). MFSA 2025-75: * CVE-2025-10527 (bmo#1984825) Sandbox escape due to use-after-free in the Graphics: Canvas2D component * CVE-2025-10528 (bmo#1986185) Sandbox escape due to undefined behavior, invalid pointer in the Graphics: Canvas2D component * CVE-2025-10529 (bmo#1970490) Same-origin policy bypass in the Layout component * CVE-2025-10532 (bmo#1979502) Incorrect boundary conditions in the JavaScript: GC component * CVE-2025-10533 (bmo#1980788) Integer overflow in the SVG component * CVE-2025-10536 (bmo#1981502) Information disclosure in the Networking: Cache component * CVE-2025-10537 (bmo#1938220, bmo#1980730, bmo#1981280, bmo#1981283, bmo#1984505, bmo#1985067) Memory safety bugs fixed in Firefox ESR 140.3, Thunderbird ESR 140.3, Firefox 143 and Thunderbird 143 The following package changes have been done: - MozillaFirefox-140.3.0-150200.152.201.1 updated From sle-container-updates at lists.suse.com Tue Sep 23 07:11:20 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Tue, 23 Sep 2025 09:11:20 +0200 (CEST) Subject: SUSE-CU-2025:7016-1: Recommended update of suse/manager/4.3/proxy-httpd Message-ID: <20250923071120.95BD4F783@maintenance.suse.de> SUSE Container Update Advisory: suse/manager/4.3/proxy-httpd ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:7016-1 Container Tags : suse/manager/4.3/proxy-httpd:4.3.16 , suse/manager/4.3/proxy-httpd:4.3.16.9.67.24 , 
suse/manager/4.3/proxy-httpd:latest Container Release : 9.67.24 Severity : moderate Type : recommended References : 1235873 ----------------------------------------------------------------- The container suse/manager/4.3/proxy-httpd was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:3288-1 Released: Mon Sep 22 12:13:27 2025 Summary: Recommended update for permissions Type: recommended Severity: moderate References: 1235873 This update for permissions fixes the following issues: - permissions: remove unnecessary static dirs and devices (bsc#1235873) The following package changes have been done: - permissions-20201225-150400.5.22.1 updated - container:sles15-ltss-image-15.4.0-2.71 updated From sle-container-updates at lists.suse.com Tue Sep 23 07:12:45 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Tue, 23 Sep 2025 09:12:45 +0200 (CEST) Subject: SUSE-CU-2025:7017-1: Recommended update of suse/manager/4.3/proxy-salt-broker Message-ID: <20250923071245.F2617F783@maintenance.suse.de> SUSE Container Update Advisory: suse/manager/4.3/proxy-salt-broker ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:7017-1 Container Tags : suse/manager/4.3/proxy-salt-broker:4.3.16 , suse/manager/4.3/proxy-salt-broker:4.3.16.9.57.26 , suse/manager/4.3/proxy-salt-broker:latest Container Release : 9.57.26 Severity : moderate Type : recommended References : 1235873 ----------------------------------------------------------------- The container suse/manager/4.3/proxy-salt-broker was updated. 
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:3288-1 Released: Mon Sep 22 12:13:27 2025 Summary: Recommended update for permissions Type: recommended Severity: moderate References: 1235873 This update for permissions fixes the following issues: - permissions: remove unnecessary static dirs and devices (bsc#1235873) The following package changes have been done: - permissions-20201225-150400.5.22.1 updated - container:sles15-ltss-image-15.4.0-2.71 updated From sle-container-updates at lists.suse.com Tue Sep 23 07:14:05 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Tue, 23 Sep 2025 09:14:05 +0200 (CEST) Subject: SUSE-CU-2025:7018-1: Recommended update of suse/manager/4.3/proxy-squid Message-ID: <20250923071405.DBD99F782@maintenance.suse.de> SUSE Container Update Advisory: suse/manager/4.3/proxy-squid ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:7018-1 Container Tags : suse/manager/4.3/proxy-squid:4.3.16 , suse/manager/4.3/proxy-squid:4.3.16.9.66.20 , suse/manager/4.3/proxy-squid:latest Container Release : 9.66.20 Severity : moderate Type : recommended References : 1235873 ----------------------------------------------------------------- The container suse/manager/4.3/proxy-squid was updated. 
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:3288-1 Released: Mon Sep 22 12:13:27 2025 Summary: Recommended update for permissions Type: recommended Severity: moderate References: 1235873 This update for permissions fixes the following issues: - permissions: remove unnecessary static dirs and devices (bsc#1235873) The following package changes have been done: - permissions-20201225-150400.5.22.1 updated - container:sles15-ltss-image-15.4.0-2.71 updated From sle-container-updates at lists.suse.com Wed Sep 24 07:04:44 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Wed, 24 Sep 2025 09:04:44 +0200 (CEST) Subject: SUSE-IU-2025:2538-1: Recommended update of suse/sle-micro/base-5.5 Message-ID: <20250924070444.96558F783@maintenance.suse.de> SUSE Image Update Advisory: suse/sle-micro/base-5.5 ----------------------------------------------------------------- Image Advisory ID : SUSE-IU-2025:2538-1 Image Tags : suse/sle-micro/base-5.5:2.0.4 , suse/sle-micro/base-5.5:2.0.4-5.8.207 , suse/sle-micro/base-5.5:latest Image Release : 5.8.207 Severity : moderate Type : recommended References : 1247819 ----------------------------------------------------------------- The container suse/sle-micro/base-5.5 was updated. 
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:3303-1 Released: Tue Sep 23 11:10:02 2025 Summary: Recommended update for dracut Type: recommended Severity: moderate References: 1247819 This update for dracut fixes the following issues: - fix (dracut-util): crash if CMDLINE ends with quotation mark (bsc#1247819) - fix( rngd): adjust license to match the license of the whole project The following package changes have been done: - dracut-055+suse.398.g8f75016e-150500.3.32.1 updated From sle-container-updates at lists.suse.com Wed Sep 24 07:04:45 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Wed, 24 Sep 2025 09:04:45 +0200 (CEST) Subject: SUSE-IU-2025:2539-1: Recommended update of suse/sle-micro/base-5.5 Message-ID: <20250924070445.A6278F783@maintenance.suse.de> SUSE Image Update Advisory: suse/sle-micro/base-5.5 ----------------------------------------------------------------- Image Advisory ID : SUSE-IU-2025:2539-1 Image Tags : suse/sle-micro/base-5.5:2.0.4 , suse/sle-micro/base-5.5:2.0.4-5.8.208 , suse/sle-micro/base-5.5:latest Image Release : 5.8.208 Severity : important Type : recommended References : 1237595 ----------------------------------------------------------------- The container suse/sle-micro/base-5.5 was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:3311-1 Released: Tue Sep 23 17:43:53 2025 Summary: Recommended update for sysconfig Type: recommended Severity: important References: 1237595 This update for sysconfig fixes the following issues: - Update to version 0.85.10 - codespell run for all repository files and changes file - spec: define permissions for ghost file attrs to avoid rpm --restore resets them to 0 (bsc#1237595). 
- spec: fix name-repeated-in-summary rpmlint warning The following package changes have been done: - sysconfig-0.85.10-150500.3.7.1 updated - sysconfig-netconfig-0.85.10-150500.3.7.1 updated From sle-container-updates at lists.suse.com Wed Sep 24 07:07:35 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Wed, 24 Sep 2025 09:07:35 +0200 (CEST) Subject: SUSE-IU-2025:2543-1: Recommended update of suse/sle-micro/rt-5.5 Message-ID: <20250924070735.53B4AFB9C@maintenance.suse.de> SUSE Image Update Advisory: suse/sle-micro/rt-5.5 ----------------------------------------------------------------- Image Advisory ID : SUSE-IU-2025:2543-1 Image Tags : suse/sle-micro/rt-5.5:2.0.4 , suse/sle-micro/rt-5.5:2.0.4-4.5.496 , suse/sle-micro/rt-5.5:latest Image Release : 4.5.496 Severity : important Type : recommended References : 1237595 ----------------------------------------------------------------- The container suse/sle-micro/rt-5.5 was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:3311-1 Released: Tue Sep 23 17:43:53 2025 Summary: Recommended update for sysconfig Type: recommended Severity: important References: 1237595 This update for sysconfig fixes the following issues: - Update to version 0.85.10 - codespell run for all repository files and changes file - spec: define permissions for ghost file attrs to avoid rpm --restore resets them to 0 (bsc#1237595). 
- spec: fix name-repeated-in-summary rpmlint warning The following package changes have been done: - sysconfig-0.85.10-150500.3.7.1 updated - sysconfig-netconfig-0.85.10-150500.3.7.1 updated - container:suse-sle-micro-5.5-latest-2.0.4-5.5.376 updated From sle-container-updates at lists.suse.com Wed Sep 24 07:09:13 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Wed, 24 Sep 2025 09:09:13 +0200 (CEST) Subject: SUSE-IU-2025:2545-1: Recommended update of suse/sle-micro/5.5 Message-ID: <20250924070913.76AD3FBA1@maintenance.suse.de> SUSE Image Update Advisory: suse/sle-micro/5.5 ----------------------------------------------------------------- Image Advisory ID : SUSE-IU-2025:2545-1 Image Tags : suse/sle-micro/5.5:2.0.4 , suse/sle-micro/5.5:2.0.4-5.5.376 , suse/sle-micro/5.5:latest Image Release : 5.5.376 Severity : important Type : recommended References : 1237595 ----------------------------------------------------------------- The container suse/sle-micro/5.5 was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:3311-1 Released: Tue Sep 23 17:43:53 2025 Summary: Recommended update for sysconfig Type: recommended Severity: important References: 1237595 This update for sysconfig fixes the following issues: - Update to version 0.85.10 - codespell run for all repository files and changes file - spec: define permissions for ghost file attrs to avoid rpm --restore resets them to 0 (bsc#1237595). 
- spec: fix name-repeated-in-summary rpmlint warning The following package changes have been done: - sysconfig-0.85.10-150500.3.7.1 updated - sysconfig-netconfig-0.85.10-150500.3.7.1 updated - container:suse-sle-micro-base-5.5-latest-2.0.4-5.8.208 updated From sle-container-updates at lists.suse.com Wed Sep 24 07:09:12 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Wed, 24 Sep 2025 09:09:12 +0200 (CEST) Subject: SUSE-IU-2025:2544-1: Security update of suse/sle-micro/5.5 Message-ID: <20250924070912.8A768FB9C@maintenance.suse.de> SUSE Image Update Advisory: suse/sle-micro/5.5 ----------------------------------------------------------------- Image Advisory ID : SUSE-IU-2025:2544-1 Image Tags : suse/sle-micro/5.5:2.0.4 , suse/sle-micro/5.5:2.0.4-5.5.374 , suse/sle-micro/5.5:latest Image Release : 5.5.374 Severity : moderate Type : security References : 1246602 1246604 1247819 1247938 1247939 CVE-2025-53905 CVE-2025-53906 CVE-2025-55157 CVE-2025-55158 ----------------------------------------------------------------- The container suse/sle-micro/5.5 was updated. 
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:3300-1 Released: Tue Sep 23 11:03:41 2025 Summary: Security update for vim Type: security Severity: moderate References: 1246602,1246604,1247938,1247939,CVE-2025-53905,CVE-2025-53906,CVE-2025-55157,CVE-2025-55158 This update for vim fixes the following issues: Updated to 9.1.1629: - CVE-2025-53905: Fixed malicious tar archive that may cause a path traversal in Vim's tar.vim plugin (bsc#1246604) - CVE-2025-53906: Fixed malicious zip archive that may cause a path traversal in Vim's zip (bsc#1246602) - CVE-2025-55157: Fixed use-after-free in internal tuple reference management (bsc#1247938) - CVE-2025-55158: Fixed double-free in internal typed value (typval_T) management (bsc#1247939) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:3303-1 Released: Tue Sep 23 11:10:02 2025 Summary: Recommended update for dracut Type: recommended Severity: moderate References: 1247819 This update for dracut fixes the following issues: - fix (dracut-util): crash if CMDLINE ends with quotation mark (bsc#1247819) - fix( rngd): adjust license to match the license of the whole project The following package changes have been done: - dracut-055+suse.398.g8f75016e-150500.3.32.1 updated - vim-data-common-9.1.1629-150500.20.33.1 updated - vim-small-9.1.1629-150500.20.33.1 updated - container:suse-sle-micro-base-5.5-latest-2.0.4-5.8.207 updated From sle-container-updates at lists.suse.com Wed Sep 24 07:05:53 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Wed, 24 Sep 2025 09:05:53 +0200 (CEST) Subject: SUSE-IU-2025:2541-1: Recommended update of suse/sle-micro/kvm-5.5 Message-ID: <20250924070553.D986EF783@maintenance.suse.de> SUSE Image Update Advisory: suse/sle-micro/kvm-5.5 ----------------------------------------------------------------- Image Advisory ID : 
SUSE-IU-2025:2541-1 Image Tags : suse/sle-micro/kvm-5.5:2.0.4 , suse/sle-micro/kvm-5.5:2.0.4-3.5.397 , suse/sle-micro/kvm-5.5:latest Image Release : 3.5.397 Severity : important Type : recommended References : 1237595 ----------------------------------------------------------------- The container suse/sle-micro/kvm-5.5 was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:3311-1 Released: Tue Sep 23 17:43:53 2025 Summary: Recommended update for sysconfig Type: recommended Severity: important References: 1237595 This update for sysconfig fixes the following issues: - Update to version 0.85.10 - codespell run for all repository files and changes file - spec: define permissions for ghost file attrs to avoid rpm --restore resets them to 0 (bsc#1237595). - spec: fix name-repeated-in-summary rpmlint warning The following package changes have been done: - sysconfig-0.85.10-150500.3.7.1 updated - sysconfig-netconfig-0.85.10-150500.3.7.1 updated - container:suse-sle-micro-base-5.5-latest-2.0.4-5.8.208 updated From sle-container-updates at lists.suse.com Wed Sep 24 07:18:40 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Wed, 24 Sep 2025 09:18:40 +0200 (CEST) Subject: SUSE-CU-2025:7026-1: Recommended update of suse/sle-micro-rancher/5.4 Message-ID: <20250924071840.3805BF782@maintenance.suse.de> SUSE Container Update Advisory: suse/sle-micro-rancher/5.4 ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:7026-1 Container Tags : suse/sle-micro-rancher/5.4:5.4.4.5.58 , suse/sle-micro-rancher/5.4:latest Container Release : 4.5.58 Severity : moderate Type : recommended References : 1247819 ----------------------------------------------------------------- The container suse/sle-micro-rancher/5.4 was updated. 
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:3302-1 Released: Tue Sep 23 11:09:49 2025 Summary: Recommended update for dracut Type: recommended Severity: moderate References: 1247819 This update for dracut fixes the following issues: - fix (dracut-util): crash if CMDLINE ends with quotation mark (bsc#1247819) - fix (rngd): adjust license to match the license of the whole project The following package changes have been done: - dracut-mkinitrd-deprecated-055+suse.361.g448229ea-150400.3.40.1 updated - dracut-055+suse.361.g448229ea-150400.3.40.1 updated From sle-container-updates at lists.suse.com Wed Sep 24 07:18:41 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Wed, 24 Sep 2025 09:18:41 +0200 (CEST) Subject: SUSE-CU-2025:7027-1: Recommended update of suse/sle-micro-rancher/5.4 Message-ID: <20250924071841.31312F782@maintenance.suse.de> SUSE Container Update Advisory: suse/sle-micro-rancher/5.4 ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:7027-1 Container Tags : suse/sle-micro-rancher/5.4:5.4.4.5.59 , suse/sle-micro-rancher/5.4:latest Container Release : 4.5.59 Severity : important Type : recommended References : 1237595 ----------------------------------------------------------------- The container suse/sle-micro-rancher/5.4 was updated. 
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:3312-1 Released: Tue Sep 23 17:44:03 2025 Summary: Recommended update for sysconfig Type: recommended Severity: important References: 1237595 This update for sysconfig fixes the following issues: - Update to version 0.85.10 - codespell run for all repository files and changes file - spec: define permissions for ghost file attrs to avoid rpm --restore resets them to 0 (bsc#1237595). - spec: fix name-repeated-in-summary rpmlint warning The following package changes have been done: - sysconfig-netconfig-0.85.10-150400.3.7.1 updated - sysconfig-0.85.10-150400.3.7.1 updated From sle-container-updates at lists.suse.com Wed Sep 24 07:18:42 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Wed, 24 Sep 2025 09:18:42 +0200 (CEST) Subject: SUSE-CU-2025:7028-1: Security update of suse/sle-micro-rancher/5.4 Message-ID: <20250924071842.33062F782@maintenance.suse.de> SUSE Container Update Advisory: suse/sle-micro-rancher/5.4 ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:7028-1 Container Tags : suse/sle-micro-rancher/5.4:5.4.4.5.60 , suse/sle-micro-rancher/5.4:latest Container Release : 4.5.60 Severity : important Type : security References : 1234896 1244824 1245970 1246473 1246911 1247143 1247374 1247518 1247976 1248223 1248297 1248306 1248312 1248338 1248511 1248614 1248621 1248748 CVE-2022-50116 CVE-2024-53177 CVE-2024-58239 CVE-2025-38180 CVE-2025-38323 CVE-2025-38352 CVE-2025-38460 CVE-2025-38498 CVE-2025-38499 CVE-2025-38546 CVE-2025-38555 CVE-2025-38560 CVE-2025-38563 CVE-2025-38608 CVE-2025-38617 CVE-2025-38618 CVE-2025-38644 ----------------------------------------------------------------- The container suse/sle-micro-rancher/5.4 was updated. 
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:3314-1 Released: Tue Sep 23 20:34:40 2025 Summary: Security update for the Linux Kernel Type: security Severity: important References: 1234896,1244824,1245970,1246473,1246911,1247143,1247374,1247518,1247976,1248223,1248297,1248306,1248312,1248338,1248511,1248614,1248621,1248748,CVE-2022-50116,CVE-2024-53177,CVE-2024-58239,CVE-2025-38180,CVE-2025-38323,CVE-2025-38352,CVE-2025-38460,CVE-2025-38498,CVE-2025-38499,CVE-2025-38546,CVE-2025-38555,CVE-2025-38560,CVE-2025-38563,CVE-2025-38608,CVE-2025-38617,CVE-2025-38618,CVE-2025-38644 The SUSE Linux Enterprise 15 SP4 kernel was updated to receive various security bugfixes. The following security bugs were fixed: - CVE-2022-50116: kernel: tty: n_gsm: fix deadlock and link starvation in outgoing data path (bsc#1244824). - CVE-2024-53177: smb: prevent use-after-free due to open_cached_dir error paths (bsc#1234896). - CVE-2024-58239: tls: stop recv() if initial process_rx_list gave us non-DATA (bsc#1248614). - CVE-2025-38180: net: atm: fix /proc/net/atm/lec handling (bsc#1245970). - CVE-2025-38323: net: atm: add lec_mutex (bsc#1246473). - CVE-2025-38352: posix-cpu-timers: fix race between handle_posix_cpu_timers() and posix_cpu_timer_del() (bsc#1246911). - CVE-2025-38460: atm: clip: Fix potential null-ptr-deref in to_atmarpd() (bsc#1247143). - CVE-2025-38498: do_change_type(): refuse to operate on unmounted/not ours mounts (bsc#1247374). - CVE-2025-38499: clone_private_mnt(): make sure that caller has CAP_SYS_ADMIN in the right userns (bsc#1247976). - CVE-2025-38546: atm: clip: Fix memory leak of struct clip_vcc (bsc#1248223). - CVE-2025-38555: usb: gadget : fix use-after-free in composite_dev_cleanup() (bsc#1248297). - CVE-2025-38560: x86/sev: Evict cache lines during SNP memory validation (bsc#1248312). 
- CVE-2025-38563: perf/core: Prevent VMA split of buffer mappings (bsc#1248306). - CVE-2025-38608: bpf, ktls: Fix data corruption when using bpf_msg_pop_data() in ktls (bsc#1248338). - CVE-2025-38617: net/packet: fix a race in packet_set_ring() and packet_notifier() (bsc#1248621). - CVE-2025-38618: vsock: Do not allow binding to VMADDR_PORT_ANY (bsc#1248511). - CVE-2025-38644: wifi: mac80211: reject TDLS operations when station is not associated (bsc#1248748). The following non-security bugs were fixed: - NFSv4.1: fix backchannel max_resp_sz verification check (bsc#1247518). - Disable N_GSM (jsc#PED-8240). The following package changes have been done: - kernel-default-5.14.21-150400.24.176.1 updated From sle-container-updates at lists.suse.com Wed Sep 24 07:20:24 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Wed, 24 Sep 2025 09:20:24 +0200 (CEST) Subject: SUSE-CU-2025:7029-1: Security update of suse/sle-micro/5.5/toolbox Message-ID: <20250924072024.7B323F782@maintenance.suse.de> SUSE Container Update Advisory: suse/sle-micro/5.5/toolbox ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:7029-1 Container Tags : suse/sle-micro/5.5/toolbox:14.2 , suse/sle-micro/5.5/toolbox:14.2-3.12.93 , suse/sle-micro/5.5/toolbox:latest Container Release : 3.12.93 Severity : moderate Type : security References : 1246602 1246604 1247938 1247939 CVE-2025-53905 CVE-2025-53906 CVE-2025-55157 CVE-2025-55158 ----------------------------------------------------------------- The container suse/sle-micro/5.5/toolbox was updated. 
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:3300-1 Released: Tue Sep 23 11:03:41 2025 Summary: Security update for vim Type: security Severity: moderate References: 1246602,1246604,1247938,1247939,CVE-2025-53905,CVE-2025-53906,CVE-2025-55157,CVE-2025-55158 This update for vim fixes the following issues: Updated to 9.1.1629: - CVE-2025-53905: Fixed malicious tar archive may causing a path traversal in Vim's tar.vim plugin (bsc#1246604) - CVE-2025-53906: Fixed malicious zip archive may causing a path traversal in Vim's zip (bsc#1246602) - CVE-2025-55157: Fixed use-after-free in internal tuple reference management (bsc#1247938) - CVE-2025-55158: Fixed double-free in internal typed value (typval_T) management (bsc#1247939) The following package changes have been done: - libwayland-client0-1.21.0-150500.1.1 added - vim-data-common-9.1.1629-150500.20.33.1 updated - vim-9.1.1629-150500.20.33.1 updated From sle-container-updates at lists.suse.com Wed Sep 24 07:21:33 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Wed, 24 Sep 2025 09:21:33 +0200 (CEST) Subject: SUSE-IU-2025:2546-1: Security update of suse/sl-micro/6.0/rt-os-container Message-ID: <20250924072133.708EFF782@maintenance.suse.de> SUSE Image Update Advisory: suse/sl-micro/6.0/rt-os-container ----------------------------------------------------------------- Image Advisory ID : SUSE-IU-2025:2546-1 Image Tags : suse/sl-micro/6.0/rt-os-container:2.1.3 , suse/sl-micro/6.0/rt-os-container:2.1.3-7.85 , suse/sl-micro/6.0/rt-os-container:latest Image Release : 7.85 Severity : important Type : security References : 1012628 1213545 1215199 1221858 1222323 1230557 1230708 1233120 1240708 1240890 1241219 1242034 1242754 1244734 1244930 1245663 1245710 1245767 1245780 1245815 1245956 1245973 1245977 1246005 1246012 1246181 1246193 1247057 1247078 1247112 1247116 1247119 
1247155 1247162 1247167 1247229 1247243 1247280 1247313 1247712 1247976 1248088 1248108 1248164 1248166 1248178 1248179 1248180 1248183 1248186 1248194 1248196 1248198 1248205 1248206 1248208 1248209 1248212 1248213 1248214 1248216 1248217 1248223 1248227 1248228 1248229 1248240 1248255 1248297 1248306 1248312 1248333 1248337 1248338 1248340 1248341 1248345 1248349 1248350 1248354 1248355 1248361 1248363 1248368 1248374 1248377 1248386 1248390 1248395 1248399 1248401 1248511 1248573 1248575 1248577 1248609 1248614 1248617 1248621 1248636 1248643 1248648 1248652 1248655 1248666 1248669 1248746 1248748 1249022 CVE-2023-3867 CVE-2023-4130 CVE-2023-4515 CVE-2024-26661 CVE-2024-46733 CVE-2024-58238 CVE-2024-58239 CVE-2025-3576 CVE-2025-38006 CVE-2025-38075 CVE-2025-38103 CVE-2025-38125 CVE-2025-38146 CVE-2025-38160 CVE-2025-38184 CVE-2025-38185 CVE-2025-38190 CVE-2025-38201 CVE-2025-38205 CVE-2025-38208 CVE-2025-38245 CVE-2025-38251 CVE-2025-38360 CVE-2025-38439 CVE-2025-38441 CVE-2025-38444 CVE-2025-38445 CVE-2025-38458 CVE-2025-38459 CVE-2025-38464 CVE-2025-38472 CVE-2025-38490 CVE-2025-38491 CVE-2025-38499 CVE-2025-38500 CVE-2025-38503 CVE-2025-38506 CVE-2025-38510 CVE-2025-38512 CVE-2025-38513 CVE-2025-38515 CVE-2025-38516 CVE-2025-38520 CVE-2025-38524 CVE-2025-38528 CVE-2025-38529 CVE-2025-38530 CVE-2025-38531 CVE-2025-38535 CVE-2025-38537 CVE-2025-38538 CVE-2025-38540 CVE-2025-38541 CVE-2025-38543 CVE-2025-38546 CVE-2025-38548 CVE-2025-38550 CVE-2025-38553 CVE-2025-38555 CVE-2025-38560 CVE-2025-38563 CVE-2025-38565 CVE-2025-38566 CVE-2025-38568 CVE-2025-38571 CVE-2025-38572 CVE-2025-38576 CVE-2025-38581 CVE-2025-38582 CVE-2025-38583 CVE-2025-38585 CVE-2025-38587 CVE-2025-38588 CVE-2025-38591 CVE-2025-38601 CVE-2025-38602 CVE-2025-38604 CVE-2025-38608 CVE-2025-38609 CVE-2025-38610 CVE-2025-38612 CVE-2025-38617 CVE-2025-38618 CVE-2025-38621 CVE-2025-38624 CVE-2025-38630 CVE-2025-38632 CVE-2025-38634 CVE-2025-38635 CVE-2025-38644 CVE-2025-38646 CVE-2025-38650 
CVE-2025-38656 CVE-2025-38663 CVE-2025-38665 CVE-2025-38670 CVE-2025-38671 ----------------------------------------------------------------- The container suse/sl-micro/6.0/rt-os-container was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: 469 Released: Mon Sep 22 10:44:49 2025 Summary: Security update for krb5 Type: security Severity: moderate References: 1241219,CVE-2025-3576 This update for krb5 fixes the following issues: - CVE-2025-3576: Fixed Kerberos RC4-HMAC-MD5 Checksum Vulnerability (bsc#1241219) ----------------------------------------------------------------- Advisory ID: kernel-138 Released: Tue Sep 23 13:26:15 2025 Summary: Security update for the Linux Kernel Type: security Severity: important References: 1012628,1213545,1215199,1221858,1222323,1230557,1230708,1233120,1240708,1240890,1242034,1242754,1244734,1244930,1245663,1245710,1245767,1245780,1245815,1245956,1245973,1245977,1246005,1246012,1246181,1246193,1247057,1247078,1247112,1247116,1247119,1247155,1247162,1247167,1247229,1247243,1247280,1247313,1247712,1247976,1248088,1248108,1248164,1248166,1248178,1248179,1248180,1248183,1248186,1248194,1248196,1248198,1248205,1248206,1248208,1248209,1248212,1248213,1248214,1248216,1248217,1248223,1248227,1248228,1248229,1248240,1248255,1248297,1248306,1248312,1248333,1248337,1248338,1248340,1248341,1248345,1248349,1248350,1248354,1248355,1248361,1248363,1248368,1248374,1248377,1248386,1248390,1248395,1248399,1248401,1248511,1248573,1248575,1248577,1248609,1248614,1248617,1248621,1248636,1248643,1248648,1248652,1248655,1248666,1248669,1248746,1248748,1249022,CVE-2023-3867,CVE-2023-4130,CVE-2023-4515,CVE-2024-26661,CVE-2024-46733,CVE-2024-58238,CVE-2024-58239,CVE-2025-38006,CVE-2025-38075,CVE-2025-38103,CVE-2025-38125,CVE-2025-38146,CVE-2025-38160,CVE-2025-38184,CVE-2025-38185,CVE-2025-38190,CVE-2025-38201,CVE-2025-38205,CVE-2025-38208,CVE-2025-38245,CVE-2025-38251,CVE-2025-38360,CVE-2025-38439,CVE-2025-38441,CVE-2025-38444,CVE-2025-38445,CVE-2025-38458,CVE-2025-38459,CVE-2025-38464,CVE-2025-38472,CVE-2025-38490,CVE-2025-38491,CVE-2025-38499,CVE-2025-38500,CVE-2025-38503,CVE-2025-38506,CVE-2025-38510,CVE-2025-38512,CVE-2025-38513,CVE-2025-38515,CVE-2025-38516,CVE-2025-38520,CVE-2025-38524,CVE-2025-38528,CVE-2025-38529,CVE-2025-38530,CVE-2025-38531,CVE-2025-38535,CVE-2025-38537,CVE-2025-38538,CVE-2025-38540,CVE-2025-38541,CVE-2025-38543,CVE-2025-38546,CVE-2025-38548,CVE-2025-38550,CVE-2025-38553,CVE-2025-38555,CVE-2025-38560,CVE-2025-38563,CVE-2025-38565,CVE-2025-38566,CVE-2025-38568,CVE-2025-38571,CVE-2025-38572,CVE-2025-38576,CVE-2025-38581,CVE-2025-38582,CVE-2025-38583,CVE-2025-38585,CVE-2025-38587,CVE-2025-38588,CVE-2025-38591,CVE-2025-38601,CVE-2025-38602,CVE-2025-38604,CVE-2025-38608,CVE-2025-38609,CVE-2025-38610,CVE-2025-38612,CVE-2025-38617,CVE-2025-38618,CVE-2025-38621,CVE-2025-38624,CVE-2025-38630,CVE-2025-38632,CVE-2025-38634,CVE-2025-38635,CVE-2025-38644,CVE-2025-38646,CVE-2025-38650,CVE-2025-38656,CVE-2025-38663,CVE-2025-38665,CVE-2025-38670,CVE-2025-38671 The SUSE Linux Enterprise Micro 6.0 and 6.1 RT kernel was updated to receive various security bugfixes. The following security bugs were fixed: - CVE-2024-46733: btrfs: fix qgroup reserve leaks in cow_file_range (bsc#1230708). - CVE-2025-38006: net: mctp: Do not access ifa_index when missing (bsc#1244930). - CVE-2025-38075: scsi: target: iscsi: Fix timeout on deleted connection (bsc#1244734). - CVE-2025-38103: HID: usbhid: Eliminate recurrent out-of-bounds bug in usbhid_parse() (bsc#1245663). - CVE-2025-38125: net: stmmac: make sure that ptp_rate is not 0 before configuring EST (bsc#1245710). - CVE-2025-38146: net: openvswitch: Fix the dead loop of MPLS parse (bsc#1245767). 
- CVE-2025-38160: clk: bcm: rpi: Add NULL check in raspberrypi_clk_register() (bsc#1245780). - CVE-2025-38184: tipc: fix null-ptr-deref when acquiring remote ip of ethernet bearer (bsc#1245956). - CVE-2025-38185: atm: atmtcp: Free invalid length skb in atmtcp_c_send() (bsc#1246012). - CVE-2025-38190: atm: Revert atm_account_tx() if copy_from_iter_full() fails (bsc#1245973). - CVE-2025-38201: netfilter: nft_set_pipapo: clamp maximum map bucket size to INT_MAX (bsc#1245977). - CVE-2025-38205: drm/amd/display: Avoid divide by zero by initializing dummy pitch to 1 (bsc#1246005). - CVE-2025-38208: smb: client: add NULL check in automount_fullpath (bsc#1245815). - CVE-2025-38245: atm: Release atm_dev_mutex after removing procfs in atm_dev_deregister() (bsc#1246193). - CVE-2025-38251: atm: clip: prevent NULL deref in clip_push() (bsc#1246181). - CVE-2025-38360: drm/amd/display: Add more checks for DSC / HUBP ONO guarantees (bsc#1247078). - CVE-2025-38439: bnxt_en: Set DMA unmap len correctly for XDP_REDIRECT (bsc#1247155). - CVE-2025-38441: netfilter: flowtable: account for Ethernet header in nf_flow_pppoe_proto() (bsc#1247167). - CVE-2025-38444: raid10: cleanup memleak at raid10_make_request (bsc#1247162). - CVE-2025-38445: md/raid1: Fix stack memory use after return in raid1_reshape (bsc#1247229). - CVE-2025-38458: atm: clip: Fix NULL pointer dereference in vcc_sendmsg() (bsc#1247116). - CVE-2025-38459: atm: clip: Fix infinite recursive call of clip_push() (bsc#1247119). - CVE-2025-38464: tipc: Fix use-after-free in tipc_conn_close() (bsc#1247112). - CVE-2025-38472: netfilter: nf_conntrack: fix crash due to removal of uninitialised entry (bsc#1247313). - CVE-2025-38490: net: libwx: remove duplicate page_pool_put_full_page() (bsc#1247243). - CVE-2025-38491: mptcp: make fallback action and fallback decision atomic (bsc#1247280). - CVE-2025-38499: clone_private_mnt(): make sure that caller has CAP_SYS_ADMIN in the right userns (bsc#1247976). 
- CVE-2025-38500: xfrm: interface: fix use-after-free after changing collect_md xfrm interface (bsc#1248088). - CVE-2025-38506: KVM: Allow CPU to reschedule while setting per-page memory attributes (bsc#1248186). - CVE-2025-38520: drm/amdkfd: Do not call mmput from MMU notifier callback (bsc#1248217). - CVE-2025-38524: rxrpc: Fix recv-recv race of completed call (bsc#1248194). - CVE-2025-38528: bpf: Reject %p% format string in bprintf-like helpers (bsc#1248198). - CVE-2025-38531: iio: common: st_sensors: Fix use of uninitialize device structs (bsc#1248205). - CVE-2025-38546: atm: clip: Fix memory leak of struct clip_vcc (bsc#1248223). - CVE-2025-38560: x86/sev: Evict cache lines during SNP memory validation (bsc#1248312). - CVE-2025-38585: staging: media: atomisp: Fix stack buffer overflow in gmin_get_var_int() (bsc#1248355). - CVE-2025-38591: bpf: Reject narrower access to pointer ctx fields (bsc#1248363). - CVE-2025-38608: bpf, ktls: Fix data corruption when using bpf_msg_pop_data() in ktls (bsc#1248338). - CVE-2025-38618: vsock: Do not allow binding to VMADDR_PORT_ANY (bsc#1248511). The following non-security bugs were fixed: - ACPI: APEI: send SIGBUS to current task if synchronous memory error not recovered (stable-fixes). - ACPI: pfr_update: Fix the driver update version check (git-fixes). - ACPI: processor: fix acpi_object initialization (stable-fixes). - ACPI: processor: perflib: Move problematic pr->performance check (git-fixes). - ALSA: hda/ca0132: Fix buffer overflow in add_tuning_control (stable-fixes). - ALSA: hda/realtek: Add Framework Laptop 13 (AMD Ryzen AI 300) to quirks (stable-fixes). - ALSA: hda/realtek: Add support for HP EliteBook x360 830 G6 and EliteBook 830 G6 (stable-fixes). - ALSA: hda/realtek: Audio disappears on HP 15-fc000 after warm boot again (git-fixes). - ALSA: hda/realtek: Fix headset mic on ASUS Zenbook 14 (git-fixes). - ALSA: hda/realtek: Fix headset mic on HONOR BRB-X (stable-fixes). 
- ALSA: hda: Disable jack polling at shutdown (stable-fixes). - ALSA: hda: Handle the jack polling always via a work (stable-fixes). - ALSA: intel8x0: Fix incorrect codec index usage in mixer for ICH4 (stable-fixes). - ALSA: pcm: Rewrite recalculate_boundary() to avoid costly loop (stable-fixes). - ALSA: scarlett2: Add retry on -EPROTO from scarlett2_usb_tx() (git-fixes). - ALSA: usb-audio: Avoid precedence issues in mixer_quirks macros (stable-fixes). - ALSA: usb-audio: Fix size validation in convert_chmap_v3() (git-fixes). - ALSA: usb-audio: Use correct sub-type for UAC3 feature unit validation (git-fixes). - ALSA: usb-audio: Validate UAC3 cluster segment descriptors (git-fixes). - ALSA: usb-audio: Validate UAC3 power domain descriptors, too (git-fixes). - ASoC: Intel: avs: Fix uninitialized pointer error in probe() (stable-fixes). - ASoC: Intel: fix SND_SOC_SOF dependencies (stable-fixes). - ASoC: amd: yc: Add DMI entries to support HP 15-fb1xxx (stable-fixes). - ASoC: amd: yc: Add DMI quirk for HP Laptop 17 cp-2033dx (stable-fixes). - ASoC: amd: yc: add DMI quirk for ASUS M6501RM (stable-fixes). - ASoC: codecs: rt5640: Retry DEVICE_ID verification (stable-fixes). - ASoC: core: Check for rtd == NULL in snd_soc_remove_pcm_runtime() (stable-fixes). - ASoC: hdac_hdmi: Rate limit logging on connection and disconnection (stable-fixes). - ASoC: soc-dapm: set bias_level if snd_soc_dapm_set_bias_level() was successed (stable-fixes). - Bluetooth: btusb: Add USB ID 3625:010b for TP-LINK Archer TX10UB Nano (stable-fixes). - Bluetooth: hci_conn: do return error from hci_enhanced_setup_sync() (git-fixes). - Bluetooth: hci_event: Detect if HCI_EV_NUM_COMP_PKTS is unbalanced (git-fixes). - Bluetooth: hci_event: Mark connection as closed during suspend disconnect (git-fixes). - Bluetooth: hci_event: Treat UNKNOWN_CONN_ID on disconnect as success (git-fixes). - Bluetooth: hci_event: fix MTU for BN == 0 in CIS Established (git-fixes). 
- Bluetooth: hci_sock: Reset cookie to zero in hci_sock_free_cookie() (stable-fixes). - Bluetooth: hci_sync: fix set_local_name race condition (git-fixes). - HID: asus: fix UAF via HID_CLAIMED_INPUT validation (git-fixes). - HID: multitouch: fix slab out-of-bounds access in mt_report_fixup() (git-fixes). - Move pesign-obs-integration requirement from kernel-syms to kernel devel subpackage (bsc#1248108). - PCI/ACPI: Fix runtime PM ref imbalance on Hot-Plug Capable ports (git-fixes). - PCI/portdrv: Use is_pciehp instead of is_hotplug_bridge (git-fixes). - PCI: Add ACS quirk for Loongson PCIe (git-fixes). - PCI: Support Immediate Readiness on devices without PM capabilities (git-fixes). - PCI: apple: Fix missing OF node reference in apple_pcie_setup_port (git-fixes). - PCI: imx6: Add IMX8MM_EP and IMX8MP_EP fixed 256-byte BAR 4 in epc_features (git-fixes). - PCI: imx6: Delay link start until configfs 'start' written (git-fixes). - PCI: imx6: Remove apps_reset toggling from imx_pcie_{assert/deassert}_core_reset (git-fixes). - PCI: pnv_php: Clean up allocated IRQs on unplug (bsc#1215199). - PCI: pnv_php: Work around switches with broken presence detection (bsc#1215199). - PCI: rockchip: Set Target Link Speed to 5.0 GT/s before retraining (git-fixes). - PCI: rockchip: Use standard PCIe definitions (git-fixes). - PM / devfreq: governor: Replace sscanf() with kstrtoul() in set_freq_store() (stable-fixes). - PM: runtime: Clear power.needs_force_resume in pm_runtime_reinit() (stable-fixes). - PM: sleep: console: Fix the black screen issue (stable-fixes). - RAS/AMD/ATL: Include row bit in row retirement (bsc#1242034). - RAS/AMD/FMPM: Get masked address (bsc#1242034). - RAS/AMD/FMPM: Use atl internal.h for INVALID_SPA (bsc#1242034). 
- RDMA/bnxt_re: Fix a possible memory leak in the driver (git-fixes) - RDMA/bnxt_re: Fix to do SRQ armena by default (git-fixes) - RDMA/bnxt_re: Fix to initialize the PBL array (git-fixes) - RDMA/bnxt_re: Fix to remove workload check in SRQ limit path (git-fixes) - RDMA/core: reduce stack using in nldev_stat_get_doit() (git-fixes) - RDMA/erdma: Fix ignored return value of init_kernel_qp (git-fixes) - RDMA/hns: Fix dip entries leak on devices newer than hip09 (git-fixes) - RDMA: hfi1: fix possible divide-by-zero in find_hw_thread_mask() (git-fixes) - Revert 'gpio: mlxbf3: only get IRQ for device instance 0' (git-fixes). - USB: serial: option: add Foxconn T99W709 (stable-fixes). - USB: storage: Add unusual-devs entry for Novatek NTK96550-based camera (stable-fixes). - USB: storage: Ignore driver CD mode for Realtek multi-mode Wi-Fi dongles (stable-fixes). - aoe: defer rexmit timer downdev work to workqueue (git-fixes). - arch/powerpc: Remove .interp section in vmlinux (bsc#1215199). - arm64/cpufeatures/kvm: Add ARMv8.9 FEAT_ECBHB bits in ID_AA64MMFR1 (git-fixes) - arm64/entry: Mask DAIF in cpu_switch_to(), call_on_irq_stack() (git-fixes) - arm64/mm: Check PUD_TYPE_TABLE in pud_bad() (git-fixes) - arm64: Add support for HIP09 Spectre-BHB mitigation (git-fixes) - arm64: Filter out SME hwcaps when FEAT_SME isn't implemented (git-fixes) - arm64: Restrict pagetable teardown to avoid false warning (git-fixes) - arm64: dts: apple: t8103: Fix PCIe BCM4377 nodename (git-fixes) - arm64: dts: freescale: imx8mm-verdin: Keep LDO5 always on (git-fixes) - arm64: dts: imx8mm-beacon: Fix HS400 USDHC clock speed (git-fixes) - arm64: dts: imx8mm-beacon: Fix RTC capacitive load (git-fixes) - arm64: dts: imx8mm-venice-gw700x: Increase HS400 USDHC clock speed (git-fixes) - arm64: dts: imx8mm-venice-gw7901: Increase HS400 USDHC clock speed (git-fixes) - arm64: dts: imx8mm-venice-gw7902: Increase HS400 USDHC clock speed (git-fixes) - arm64: dts: imx8mm-venice-gw7903: Increase HS400 USDHC 
clock speed (git-fixes) - arm64: dts: imx8mm-venice-gw7904: Increase HS400 USDHC clock speed (git-fixes) - arm64: dts: imx8mn-beacon: Fix HS400 USDHC clock speed (git-fixes) - arm64: dts: imx8mn-beacon: Fix RTC capacitive load (git-fixes) - arm64: dts: imx8mn-venice-gw7902: Increase HS400 USDHC clock speed (git-fixes) - arm64: dts: imx8mp-beacon: Fix RTC capacitive load (git-fixes) - arm64: dts: rockchip: Update eMMC for NanoPi R5 series (git-fixes) - arm64: dts: rockchip: fix endpoint dtc warning for PX30 ISP (git-fixes) - arm64: tegra: Drop remaining serial clock-names and reset-names (git-fixes) - arm64: tegra: p2597: Fix gpio for vdd-1v8-dis regulator (git-fixes) - arm64: zynqmp: add clock-output-names property in clock nodes (git-fixes) - ata: libata-scsi: Fix CDL control (git-fixes). - block: fix kobject leak in blk_unregister_queue (git-fixes). - block: mtip32xx: Fix usage of dma_map_sg() (git-fixes). - bpf: fix kfunc btf caching for modules (git-fixes). - bpf: use kvzmalloc to allocate BPF verifier environment (git-fixes). - btrfs: convert BUG_ON in btrfs_reloc_cow_block() to proper error handling (git-fixes). - btrfs: correctly escape subvol in btrfs_show_options() (git-fixes). - btrfs: fix adding block group to a reclaim list and the unused list during reclaim (git-fixes). - btrfs: fix bitmap leak when loading free space cache on duplicate entry (git-fixes). - btrfs: fix data race when accessing the inode's disk_i_size at btrfs_drop_extents() (git-fixes). - btrfs: fix the length of reserved qgroup to free (bsc#1240708) - btrfs: retry block group reclaim without infinite loop (git-fixes). - btrfs: return accurate error code on open failure in open_fs_devices() (bsc#1233120) - btrfs: run delayed iputs when flushing delalloc (git-fixes). - btrfs: update target inode's ctime on unlink (git-fixes). - cdx: Fix off-by-one error in cdx_rpmsg_probe() (git-fixes). - char: misc: Fix improper and inaccurate error code returned by misc_init() (stable-fixes). 
- comedi: Fix use of uninitialized memory in do_insn_ioctl() and do_insnlist_ioctl() (git-fixes). - comedi: Make insn_rw_emulate_bits() do insn->n samples (git-fixes). - comedi: fix race between polling and detaching (git-fixes). - comedi: pcl726: Prevent invalid irq number (git-fixes). - crypto: hisilicon/hpre - fix dma unmap sequence (stable-fixes). - crypto: jitter - fix intermediary handling (stable-fixes). - crypto: octeontx2 - add timeout for load_fvc completion poll (stable-fixes). - crypto: qat - lower priority for skcipher and aead algorithms (stable-fixes). - drm/amd/display: Add null pointer check in mod_hdcp_hdcp1_create_session() (git-fixes). - drm/amd/display: Add primary plane to commits for correct VRR handling (stable-fixes). - drm/amd/display: Adjust DCE 8-10 clock, do not overclock by 15% (git-fixes). - drm/amd/display: Avoid a NULL pointer dereference (stable-fixes). - drm/amd/display: Avoid configuring PSR granularity if PSR-SU not supported (stable-fixes). - drm/amd/display: Avoid trying AUX transactions on disconnected ports (stable-fixes). - drm/amd/display: Do not overclock DCE 6 by 15% (git-fixes). - drm/amd/display: Fill display clock and vblank time in dce110_fill_display_configs (stable-fixes). - drm/amd/display: Find first CRTC and its line time in dce110_fill_display_configs (stable-fixes). - drm/amd/display: Fix 'failed to blank crtc!' (stable-fixes). - drm/amd/display: Fix DP audio DTO1 clock source on DCE 6 (stable-fixes). - drm/amd/display: Fix fractional fb divider in set_pixel_clock_v3 (git-fixes). - drm/amd/display: Only finalize atomic_obj if it was initialized (stable-fixes). - drm/amd/display: Separate set_gsl from set_gsl_source_select (stable-fixes). - drm/amd: Allow printing VanGogh OD SCLK levels without setting dpm to manual (stable-fixes). - drm/amd: Restore cached power limit during resume (stable-fixes). - drm/amdgpu: Avoid extra evict-restore process (stable-fixes). 
- drm/amdgpu: fix incorrect vm flags to map bo (git-fixes). - drm/amdgpu: fix task hang from failed job submission during process kill (git-fixes). - drm/amdgpu: update mmhub 3.0.1 client id mappings (stable-fixes). - drm/amdkfd: Destroy KFD debugfs after destroy KFD wq (stable-fixes). - drm/dp: Change AUX DPCD probe address from DPCD_REV to LANE0_1_STATUS (stable-fixes). - drm/hisilicon/hibmc: fix the hibmc loaded failed bug (git-fixes). - drm/mediatek: Fix device/node reference count leaks in mtk_drm_get_all_drm_priv (git-fixes). - drm/msm/kms: move snapshot init earlier in KMS init (git-fixes). - drm/msm: Defer fd_install in SUBMIT ioctl (git-fixes). - drm/msm: use trylock for debugfs (stable-fixes). - drm/nouveau/disp: Always accept linear modifier (git-fixes). - drm/nouveau/nvif: Fix potential memory leak in nvif_vmm_ctor() (git-fixes). - drm/nouveau: fix error path in nvkm_gsp_fwsec_v2 (git-fixes). - drm/nouveau: fix typos in comments (git-fixes). - drm/nouveau: remove unused increment in gm200_flcn_pio_imem_wr (git-fixes). - drm/nouveau: remove unused memory target test (git-fixes). - drm/ttm: Respect the shrinker core free target (stable-fixes). - drm/ttm: Should to return the evict error (stable-fixes). - et131x: Add missing check after DMA map (stable-fixes). - exfat: add cluster chain loop check for dir (git-fixes). - fbdev: Fix vmalloc out-of-bounds write in fast_imageblit (stable-fixes). - fbdev: fix potential buffer overflow in do_register_framebuffer() (stable-fixes). - fs/mnt_idmapping.c: Return -EINVAL when no map is written (bsc#1233120) - fs/orangefs: use snprintf() instead of sprintf() (git-fixes). - gpio: mlxbf3: use platform_get_irq_optional() (git-fixes). - gpio: tps65912: check the return value of regmap_update_bits() (stable-fixes). - gpio: wcd934x: check the return value of regmap_update_bits() (stable-fixes). - hfs: fix not erasing deleted b-tree node issue (git-fixes). - hfs: fix slab-out-of-bounds in hfs_bnode_read() (git-fixes). 
- hfsplus: do not use BUG_ON() in hfsplus_create_attributes_file() (git-fixes). - hfsplus: fix slab-out-of-bounds in hfsplus_bnode_read() (git-fixes). - hfsplus: fix slab-out-of-bounds read in hfsplus_uni2asc() (git-fixes). - hwmon: (emc2305) Set initial PWM minimum value during probe based on thermal state (stable-fixes). - i2c: Force DLL0945 touchpad i2c freq to 100khz (stable-fixes). - i3c: do not fail if GETHDRCAP is unsupported (stable-fixes). - i3c: master: Initialize ret in i3c_i2c_notifier_call() (stable-fixes). - ice, irdma: fix an off by one in error handling code (bsc#1247712). - ice, irdma: move interrupts code to irdma (bsc#1247712). - ice: Fix signedness bug in ice_init_interrupt_scheme() (bsc#1247712). - ice: count combined queues using Rx/Tx count (bsc#1247712). - ice: devlink PF MSI-X max and min parameter (bsc#1247712). - ice: enable_rdma devlink param (bsc#1247712). - ice: get rid of num_lan_msix field (bsc#1247712). - ice: init flow director before RDMA (bsc#1247712). - ice: remove splitting MSI-X between features (bsc#1247712). - ice: simplify VF MSI-X managing (bsc#1247712). - ice: treat dyn_allowed only as suggestion (bsc#1247712). - iio: adc: ad7768-1: Ensure SYNC_IN pulse minimum timing requirement (stable-fixes). - iio: adc: ad_sigma_delta: do not overallocate scan buffer (stable-fixes). - iio: imu: inv_icm42600: switch timestamp type from int64_t __aligned(8) to aligned_s64 (stable-fixes). - iio: imu: inv_icm42600: use = { } instead of memset() (stable-fixes). - iio: pressure: bmp280: Use IS_ERR() in bmp280_common_probe() (git-fixes). - iio: proximity: isl29501: fix buffered read on big-endian systems (git-fixes). - integrity/platform_certs: Allow loading of keys in the static key management mode (jsc#PED-13345 jsc#PED-13343). - iosys-map: Fix undefined behavior in iosys_map_clear() (git-fixes). - ipmi: Fix strcpy source and destination the same (stable-fixes). 
- ipmi: Use dev_warn_ratelimited() for incorrect message warnings (stable-fixes). - irdma: free iwdev->rf after removing MSI-X (bsc#1247712). - jfs: Regular file corruption check (git-fixes). - jfs: truncate good inode pages when hard link is 0 (git-fixes). - jfs: upper bound check of tree index in dbAllocAG (git-fixes). - kABI: PCI/ACPI: Fix runtime PM ref imbalance on Hot-Plug Capable ports (git-fixes). - kselftest/arm64: Fix check for setting new VLs in sve-ptrace (git-fixes). - leds: leds-lp50xx: Handle reg to get correct multi_index (stable-fixes). - loop: use kiocb helpers to fix lockdep warning (git-fixes). - mISDN: hfcpci: Fix warning when deleting uninitialized timer (git-fixes). - md/md-cluster: handle REMOVE message earlier (bsc#1247057). - md/raid1,raid10: strip REQ_NOWAIT from member bios (git-fixes). - md: allow removing faulty rdev during resync (git-fixes). - md: make rdev_addable usable for rcu mode (git-fixes). - media: dvb-frontends: dib7090p: fix null-ptr-deref in dib7090p_rw_on_apb() (stable-fixes). - media: dvb-frontends: w7090p: fix null-ptr-deref in w7090p_tuner_write_serpar and w7090p_tuner_read_serpar (stable-fixes). - media: tc358743: Check I2C succeeded during probe (stable-fixes). - media: tc358743: Increase FIFO trigger level to 374 (stable-fixes). - media: tc358743: Return an appropriate colorspace from tc358743_set_fmt (stable-fixes). - media: usb: hdpvr: disable zero-length read messages (stable-fixes). - media: uvcvideo: Fix bandwidth issue for Alcor camera (stable-fixes). - media: v4l2-common: Reduce warnings about missing V4L2_CID_LINK_FREQ control (stable-fixes). - mei: bus: Check for still connected devices in mei_cl_bus_dev_release() (stable-fixes). - memstick: Fix deadlock by moving removing flag earlier (git-fixes). - mm/ptdump: take the memory hotplug lock inside ptdump_walk_pgd() (git-fixes) - mmc: rtsx_usb_sdmmc: Fix error-path in sd_set_power_mode() (stable-fixes). 
- mmc: sdhci-msm: Ensure SD card power isn't ON when card removed (stable-fixes). - mmc: sdhci-pci-gli: GL9763e: Rename the gli_set_gl9763e() for consistency (git-fixes). - most: core: Drop device reference after usage in get_channel() (git-fixes). - mptcp: fallback when MPTCP opts are dropped after 1st data (git-fixes). - mptcp: reset when MPTCP opts are dropped after join (git-fixes). - net: phy: micrel: Add ksz9131_resume() (stable-fixes). - net: phy: smsc: add proper reset flags for LAN8710A (stable-fixes). - net: thunderbolt: Enable end-to-end flow control also in transmit (stable-fixes). - net: thunderbolt: Fix the parameter passing of tb_xdomain_enable_paths()/tb_xdomain_disable_paths() (stable-fixes). - net: usb: asix_devices: Fix PHY address mask in MDIO bus initialization (git-fixes). - net: usb: asix_devices: add phy_mask for ax88772 mdio bus (git-fixes). - pNFS: Fix disk addr range check in block/scsi layout (git-fixes). - pNFS: Fix stripe mapping in block/scsi layout (git-fixes). - pNFS: Fix uninited ptr deref in block/scsi layout (git-fixes). - pNFS: Handle RPC size limit for layoutcommits (git-fixes). - phy: mscc: Fix parsing of unicast frames (git-fixes). - phy: rockchip-pcie: Properly disable TEST_WRITE strobe signal (stable-fixes). - pinctrl: STMFX: add missing HAS_IOMEM dependency (git-fixes). - pinctrl: stm32: Manage irq affinity settings (stable-fixes). - platform/chrome: cros_ec_typec: Defer probe on missing EC parent (stable-fixes). - platform/x86/amd: pmc: Add Lenovo Yoga 6 13ALC6 to pmc quirk list (stable-fixes). - pm: cpupower: Fix the snapshot-order of tsc,mperf, clock in mperf_stop() (stable-fixes). - power: supply: qcom_battmgr: Add lithium-polymer entry (stable-fixes). - powerpc/eeh: Export eeh_unfreeze_pe() (bsc#1215199). - powerpc/eeh: Make EEH driver device hotplug safe (bsc#1215199). - powerpc/eeh: Rely on dev->link_active_reporting (bsc#1215199). - powerpc/kernel: Fix ppc_save_regs inclusion in build (bsc#1215199). 
- powerpc/pseries: Correct secvar format representation for static key management (jsc#PED-13345 jsc#PED-13343). - powerpc/secvar: Expose secvars relevant to the key management mode (jsc#PED-13345 jsc#PED-13343). - powerpc: do not build ppc_save_regs.o always (bsc#1215199). - pwm: mediatek: Fix duty and period setting (git-fixes). - pwm: mediatek: Handle hardware enable and clock enable separately (stable-fixes). - reset: brcmstb: Enable reset drivers for ARCH_BCM2835 (stable-fixes). - rpm/config.sh: Update Leap project - rtc: ds1307: handle oscillator stop flag (OSF) for ds1341 (stable-fixes). - rtc: ds1307: remove clear of oscillator stop flag (OSF) in probe (stable-fixes). - samples/bpf: Fix compilation errors with cf-protection option (git-fixes). - scsi: Revert 'scsi: iscsi: Fix HW conn removal use after free' (git-fixes). - scsi: core: Fix kernel doc for scsi_track_queue_full() (git-fixes). - scsi: elx: efct: Fix dma_unmap_sg() nents value (git-fixes). - scsi: ibmvscsi_tgt: Fix dma_unmap_sg() nents value (git-fixes). - scsi: isci: Fix dma_unmap_sg() nents value (git-fixes). - scsi: mpi3mr: Fix kernel-doc issues in mpi3mr_app.c (git-fixes). - scsi: mpi3mr: Fix race between config read submit and interrupt completion (git-fixes). - scsi: mpi3mr: Serialize admin queue BAR writes on 32-bit systems (git-fixes). - scsi: mpt3sas: Fix a fw_event memory leak (git-fixes). - scsi: mvsas: Fix dma_unmap_sg() nents value (git-fixes). - scsi: sd: Make sd shutdown issue START STOP UNIT appropriately (git-fixes). - selftests/bpf: fexit_sleep: Fix stack allocation for arm64 (git-fixes). - selftests/tracing: Fix false failure of subsystem event test (git-fixes). - selftests: Fix errno checking in syscall_user_dispatch test (git-fixes). - selftests: rtnetlink.sh: remove esp4_offload after test (git-fixes). - serial: 8250: fix panic due to PSLVERR (git-fixes). - slab: Decouple slab_debug and no_hash_pointers (bsc#1249022). - smb: client: fix parsing of device numbers (git-fixes). 
- soc/tegra: pmc: Ensure power-domains are in a known state (git-fixes). - soundwire: amd: serialize amd manager resume sequence during pm_prepare (stable-fixes). - squashfs: fix memory leak in squashfs_fill_super (git-fixes). - sunrpc: fix handling of server side tls alerts (git-fixes). - sunvdc: Balance device refcount in vdc_port_mpgroup_check (git-fixes). - thermal/drivers/qcom-spmi-temp-alarm: Enable stage 2 shutdown when required (stable-fixes). - thermal: sysfs: Return ENODATA instead of EAGAIN for reads (stable-fixes). - ublk: sanity check add_dev input for underflow (git-fixes). - ublk: use vmalloc for ublk_device's __queues (git-fixes). - usb: core: config: Prevent OOB read in SS endpoint companion parsing (stable-fixes). - usb: core: hcd: fix accessing unmapped memory in SINGLE_STEP_SET_FEATURE test (git-fixes). - usb: core: usb_submit_urb: downgrade type check (stable-fixes). - usb: dwc3: Ignore late xferNotReady event to prevent halt timeout (git-fixes). - usb: dwc3: Remove WARN_ON for device endpoint command timeouts (stable-fixes). - usb: dwc3: core: Fix system suspend on TI AM62 platforms (git-fixes). - usb: dwc3: fix fault at system suspend if device was already runtime suspended (git-fixes). - usb: dwc3: pci: add support for the Intel Wildcat Lake (stable-fixes). - usb: quirks: Add DELAY_INIT quick for another SanDisk 3.2Gen1 Flash Drive (stable-fixes). - usb: renesas-xhci: Fix External ROM access timeouts (git-fixes). - usb: storage: realtek_cr: Use correct byte order for bcs->Residue (git-fixes). - usb: typec: intel_pmc_mux: Defer probe if SCU IPC isn't present (stable-fixes). - usb: typec: ucsi: psy: Set current max to 100mA for BC 1.2 and Default (stable-fixes). - usb: xhci: Avoid showing errors during surprise removal (stable-fixes). - usb: xhci: Avoid showing warnings for dying controller (stable-fixes). - usb: xhci: Fix slot_id resource race conflict (git-fixes). 
- usb: xhci: Set avg_trb_len = 8 for EP0 during Address Device Command (stable-fixes). - usb: xhci: print xhci->xhc_state when queue_command failed (stable-fixes). - vfs: Add a sysctl for automated deletion of dentry (bsc#1240890). - watchdog: dw_wdt: Fix default timeout (stable-fixes). - watchdog: iTCO_wdt: Report error if timeout configuration fails (stable-fixes). - watchdog: sbsa: Adjust keepalive timeout to avoid MediaTek WS0 race condition (stable-fixes). - wifi: ath12k: Add memset and update default rate value in wmi tx completion (stable-fixes). - wifi: ath12k: Correct tid cleanup when tid setup fails (stable-fixes). - wifi: ath12k: Decrement TID on RX peer frag setup error handling (stable-fixes). - wifi: ath12k: Enable REO queue lookup table feature on QCN9274 hw2.0 (stable-fixes). - wifi: cfg80211: Fix interface type validation (stable-fixes). - wifi: cfg80211: reject HTC bit for management frames (stable-fixes). - wifi: iwlegacy: Check rate_idx range after addition (stable-fixes). - wifi: iwlwifi: dvm: fix potential overflow in rs_fill_link_cmd() (stable-fixes). - wifi: iwlwifi: fw: Fix possible memory leak in iwl_fw_dbg_collect (stable-fixes). - wifi: iwlwifi: mvm: fix scan request validation (stable-fixes). - wifi: iwlwifi: mvm: set gtk id also in older FWs (stable-fixes). - wifi: mac80211: do not complete management TX on SAE commit (stable-fixes). - wifi: mac80211: fix rx link assignment for non-MLO stations (stable-fixes). - wifi: mac80211: update radar_required in channel context after channel switch (stable-fixes). - wifi: mt76: mt7915: mcu: re-init MCU before loading FW patch (stable-fixes). - wifi: rtlwifi: fix possible skb memory leak in _rtl_pci_init_one_rxdesc() (stable-fixes). - wifi: rtlwifi: fix possible skb memory leak in `_rtl_pci_rx_interrupt()` (stable-fixes). - wifi: rtw89: Disable deep power saving for USB/SDIO (stable-fixes). - wifi: rtw89: Fix rtw89_mac_power_switch() for USB (stable-fixes). 
- wifi: rtw89: Lower the timeout in rtw89_fw_read_c2h_reg() for USB (stable-fixes).

The following package changes have been done:

- SL-Micro-release-6.0-25.47 updated
- krb5-1.20.1-7.1 updated
- kernel-rt-6.4.0-36.1 updated
- container:SL-Micro-container-2.1.3-6.85 updated

From sle-container-updates at lists.suse.com Wed Sep 24 14:42:34 2025
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Wed, 24 Sep 2025 16:42:34 +0200 (CEST)
Subject: SUSE-IU-2025:2553-1: Security update of suse/sle-micro/5.5
Message-ID: <20250924144234.EACF6F782@maintenance.suse.de>

SUSE Image Update Advisory: suse/sle-micro/5.5
-----------------------------------------------------------------
Image Advisory ID : SUSE-IU-2025:2553-1
Image Tags : suse/sle-micro/5.5:2.0.4 , suse/sle-micro/5.5:2.0.4-5.5.377 , suse/sle-micro/5.5:latest
Image Release : 5.5.377
Severity : moderate
Type : security
References : 1233421 CVE-2024-52615
-----------------------------------------------------------------

The container suse/sle-micro/5.5 was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:3331-1
Released: Wed Sep 24 08:54:17 2025
Summary: Security update for avahi
Type: security
Severity: moderate
References: 1233421,CVE-2024-52615

This update for avahi fixes the following issues:

- CVE-2024-52615: wide-area DNS uses constant source port for queries and can expose the Avahi-daemon to DNS spoofing attacks (bsc#1233421).

The following package changes have been done:

- libavahi-common3-0.8-150400.7.23.1 updated
- libavahi-core7-0.8-150400.7.23.1 updated
- avahi-0.8-150400.7.23.1 updated

From sle-container-updates at lists.suse.com Wed Sep 24 14:52:01 2025
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Wed, 24 Sep 2025 16:52:01 +0200 (CEST)
Subject: SUSE-CU-2025:7040-1: Security update of suse/sle-micro-rancher/5.4
Message-ID: <20250924145201.92837F782@maintenance.suse.de>

SUSE Container Update Advisory: suse/sle-micro-rancher/5.4
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2025:7040-1
Container Tags : suse/sle-micro-rancher/5.4:5.4.4.5.61 , suse/sle-micro-rancher/5.4:latest
Container Release : 4.5.61
Severity : moderate
Type : security
References : 1233421 CVE-2024-52615
-----------------------------------------------------------------

The container suse/sle-micro-rancher/5.4 was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:3331-1
Released: Wed Sep 24 08:54:17 2025
Summary: Security update for avahi
Type: security
Severity: moderate
References: 1233421,CVE-2024-52615

This update for avahi fixes the following issues:

- CVE-2024-52615: wide-area DNS uses constant source port for queries and can expose the Avahi-daemon to DNS spoofing attacks (bsc#1233421).

The following package changes have been done:

- avahi-0.8-150400.7.23.1 updated
- libavahi-common3-0.8-150400.7.23.1 updated
- libavahi-core7-0.8-150400.7.23.1 updated

From sle-container-updates at lists.suse.com Wed Sep 24 14:53:02 2025
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Wed, 24 Sep 2025 16:53:02 +0200 (CEST)
Subject: SUSE-IU-2025:2554-1: Recommended update of suse/sl-micro/6.0/base-os-container
Message-ID: <20250924145302.9700EF782@maintenance.suse.de>

SUSE Image Update Advisory: suse/sl-micro/6.0/base-os-container
-----------------------------------------------------------------
Image Advisory ID : SUSE-IU-2025:2554-1
Image Tags : suse/sl-micro/6.0/base-os-container:2.1.3 , suse/sl-micro/6.0/base-os-container:2.1.3-7.54 , suse/sl-micro/6.0/base-os-container:latest
Image Release : 7.54
Severity : moderate
Type : recommended
References : 1230267 1246912 1250343
-----------------------------------------------------------------

The container suse/sl-micro/6.0/base-os-container was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: 472
Released: Wed Sep 24 11:12:01 2025
Summary: Recommended update for zypper, libzypp
Type: recommended
Severity: moderate
References: 1230267,1246912,1250343

This update for zypper, libzypp fixes the following issues:

libzypp was updated to 17.37.18:

- runposttrans: strip root prefix from tmppath (bsc#1250343)
- Make ld.so ignore the subarch packages during install (bsc#1246912)

zypper was updated to 1.14.94:

- Fixed `bash-completion`: `zypper refresh` now ignores repository priority lines.
- Changes to support building against restructured libzypp in stack build (bsc#1230267)

The following package changes have been done:

- libzypp-17.37.18-1.1 updated
- zypper-1.14.94-1.1 updated
- container:suse-toolbox-image-1.0.0-9.35 updated

From sle-container-updates at lists.suse.com Wed Sep 24 14:56:28 2025
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Wed, 24 Sep 2025 16:56:28 +0200 (CEST)
Subject: SUSE-IU-2025:2556-1: Recommended update of suse/sl-micro/6.1/base-os-container
Message-ID: <20250924145628.2968DF782@maintenance.suse.de>

SUSE Image Update Advisory: suse/sl-micro/6.1/base-os-container
-----------------------------------------------------------------
Image Advisory ID : SUSE-IU-2025:2556-1
Image Tags : suse/sl-micro/6.1/base-os-container:2.2.1 , suse/sl-micro/6.1/base-os-container:2.2.1-5.36 , suse/sl-micro/6.1/base-os-container:latest
Image Release : 5.36
Severity : moderate
Type : recommended
References : 1227056 1230267 1236483 1237613 1238685 1246912 1250343 CVE-2023-45288 CVE-2024-6104 CVE-2025-22870 CVE-2025-27144
-----------------------------------------------------------------

The container suse/sl-micro/6.1/base-os-container was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: 278
Released: Wed Sep 24 10:50:05 2025
Summary: Recommended update for zypper, libzypp
Type: recommended
Severity: moderate
References: 1227056,1230267,1236483,1237613,1238685,1246912,1250343,CVE-2023-45288,CVE-2024-6104,CVE-2025-22870,CVE-2025-27144

This update for zypper, libzypp fixes the following issues:

libzypp was updated to 17.37.18:

- runposttrans: strip root prefix from tmppath (bsc#1250343)
- Make ld.so ignore the subarch packages during install (bsc#1246912)

zypper was updated to 1.14.94:

- Fixed `bash-completion`: `zypper refresh` now ignores repository priority lines.
- Changes to support building against restructured libzypp in stack build (bsc#1230267)

The following package changes have been done:

- libzypp-17.37.18-slfo.1.1_1.1 updated
- zypper-1.14.94-slfo.1.1_1.1 updated
- container:suse-toolbox-image-1.0.0-4.75 updated

From sle-container-updates at lists.suse.com Wed Sep 24 14:58:01 2025
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Wed, 24 Sep 2025 16:58:01 +0200 (CEST)
Subject: SUSE-IU-2025:2558-1: Security update of suse/sl-micro/6.1/rt-os-container
Message-ID: <20250924145801.8CA2DF782@maintenance.suse.de>

SUSE Image Update Advisory: suse/sl-micro/6.1/rt-os-container
-----------------------------------------------------------------
Image Advisory ID : SUSE-IU-2025:2558-1
Image Tags : suse/sl-micro/6.1/rt-os-container:2.2.1 , suse/sl-micro/6.1/rt-os-container:2.2.1-5.24 , suse/sl-micro/6.1/rt-os-container:latest
Image Release : 5.24
Severity : important
Type : security
References : 1012628 1213545 1215199 1221858 1222323 1230557 1230708 1233120 1240708 1240890 1242034 1242754 1244734 1244930 1245663 1245710 1245767 1245780 1245815 1245956 1245973 1245977 1246005 1246012 1246181 1246193 1247057 1247078 1247112 1247116 1247119 1247155 1247162 1247167 1247229 1247243 1247280 1247313 1247712 1247976 1248088 1248108 1248164 1248166 1248178 1248179 1248180 1248183 1248186 1248194 1248196 1248198 1248205 1248206 1248208 1248209 1248212 1248213 1248214 1248216 1248217 1248223 1248227 1248228 1248229 1248240 1248255 1248297 1248306 1248312 1248333 1248337 1248338 1248340 1248341 1248345 1248349 1248350 1248354 1248355 1248361 1248363 1248368 1248374 1248377 1248386 1248390 1248395 1248399 1248401 1248511 1248573 1248575 1248577 1248609 1248614 1248617 1248621 1248636 1248643 1248648 1248652 1248655 1248666 1248669 1248746 1248748 1249022 CVE-2023-3867 CVE-2023-4130 CVE-2023-4515 CVE-2024-26661 CVE-2024-46733 CVE-2024-58238 CVE-2024-58239 CVE-2025-38006 CVE-2025-38075 CVE-2025-38103
CVE-2025-38125 CVE-2025-38146 CVE-2025-38160 CVE-2025-38184 CVE-2025-38185 CVE-2025-38190 CVE-2025-38201 CVE-2025-38205 CVE-2025-38208 CVE-2025-38245 CVE-2025-38251 CVE-2025-38360 CVE-2025-38439 CVE-2025-38441 CVE-2025-38444 CVE-2025-38445 CVE-2025-38458 CVE-2025-38459 CVE-2025-38464 CVE-2025-38472 CVE-2025-38490 CVE-2025-38491 CVE-2025-38499 CVE-2025-38500 CVE-2025-38503 CVE-2025-38506 CVE-2025-38510 CVE-2025-38512 CVE-2025-38513 CVE-2025-38515 CVE-2025-38516 CVE-2025-38520 CVE-2025-38524 CVE-2025-38528 CVE-2025-38529 CVE-2025-38530 CVE-2025-38531 CVE-2025-38535 CVE-2025-38537 CVE-2025-38538 CVE-2025-38540 CVE-2025-38541 CVE-2025-38543 CVE-2025-38546 CVE-2025-38548 CVE-2025-38550 CVE-2025-38553 CVE-2025-38555 CVE-2025-38560 CVE-2025-38563 CVE-2025-38565 CVE-2025-38566 CVE-2025-38568 CVE-2025-38571 CVE-2025-38572 CVE-2025-38576 CVE-2025-38581 CVE-2025-38582 CVE-2025-38583 CVE-2025-38585 CVE-2025-38587 CVE-2025-38588 CVE-2025-38591 CVE-2025-38601 CVE-2025-38602 CVE-2025-38604 CVE-2025-38608 CVE-2025-38609 CVE-2025-38610 CVE-2025-38612 CVE-2025-38617 CVE-2025-38618 CVE-2025-38621 CVE-2025-38624 CVE-2025-38630 CVE-2025-38632 CVE-2025-38634 CVE-2025-38635 CVE-2025-38644 CVE-2025-38646 CVE-2025-38650 CVE-2025-38656 CVE-2025-38663 CVE-2025-38665 CVE-2025-38670 CVE-2025-38671 ----------------------------------------------------------------- The container suse/sl-micro/6.1/rt-os-container was updated. 

The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: kernel-138
Released: Tue Sep 23 13:26:15 2025
Summary: Security update for the Linux Kernel
Type: security
Severity: important
References: 1012628,1213545,1215199,1221858,1222323,1230557,1230708,1233120,1240708,1240890,1242034,1242754,1244734,1244930,1245663,1245710,1245767,1245780,1245815,1245956,1245973,1245977,1246005,1246012,1246181,1246193,1247057,1247078,1247112,1247116,1247119,1247155,1247162,1247167,1247229,1247243,1247280,1247313,1247712,1247976,1248088,1248108,1248164,1248166,1248178,1248179,1248180,1248183,1248186,1248194,1248196,1248198,1248205,1248206,1248208,1248209,1248212,1248213,1248214,1248216,1248217,1248223,1248227,1248228,1248229,1248240,1248255,1248297,1248306,1248312,1248333,1248337,1248338,1248340,1248341,1248345,1248349,1248350,1248354,1248355,1248361,1248363,1248368,1248374,1248377,1248386,1248390,1248395,1248399,1248401,1248511,1248573,1248575,1248577,1248609,1248614,1248617,1248621,1248636,1248643,1248648,1248652,1248655,1248666,1248669,1248746,1248748,1249022,CVE-2023-3867,CVE-2023-4130,CVE-2023-4515,CVE-2024-26661,CVE-2024-46733,CVE-2024-58238,CVE-2024-58239,CVE-2025-38006,CVE-2025-38075,CVE-2025-38103,CVE-2025-38125,CVE-2025-38146,CVE-2025-38160,CVE-2025-38184,CVE-2025-38185,CVE-2025-38190,CVE-2025-38201,CVE-2025-38205,CVE-2025-38208,CVE-2025-38245,CVE-2025-38251,CVE-2025-38360,CVE-2025-38439,CVE-2025-38441,CVE-2025-38444,CVE-2025-38445,CVE-2025-38458,CVE-2025-38459,CVE-2025-38464,CVE-2025-38472,CVE-2025-38490,CVE-2025-38491,CVE-2025-38499,CVE-2025-38500,CVE-2025-38503,CVE-2025-38506,CVE-2025-38510,CVE-2025-38512,CVE-2025-38513,CVE-2025-38515,CVE-2025-38516,CVE-2025-38520,CVE-2025-38524,CVE-2025-38528,CVE-2025-38529,CVE-2025-38530,CVE-2025-38531,CVE-2025-38535,CVE-2025-38537,CVE-2025-38538,CVE-2025-38540,CVE-2025-38541,CVE-2025-38543,CVE-2025-38546,CVE-2025-38548,CVE-2025-38550,CVE-2025-38553,CVE-2025-38555,CVE-2025-38560,CVE-2025-38563,CVE-2025-38565,CVE-2025-38566,CVE-2025-38568,CVE-2025-38571,CVE-2025-38572,CVE-2025-38576,CVE-2025-38581,CVE-2025-38582,CVE-2025-38583,CVE-2025-38585,CVE-2025-38587,CVE-2025-38588,CVE-2025-38591,CVE-2025-38601,CVE-2025-38602,CVE-2025-38604,CVE-2025-38608,CVE-2025-38609,CVE-2025-38610,CVE-2025-38612,CVE-2025-38617,CVE-2025-38618,CVE-2025-38621,CVE-2025-38624,CVE-2025-38630,CVE-2025-38632,CVE-2025-38634,CVE-2025-38635,CVE-2025-38644,CVE-2025-38646,CVE-2025-38650,CVE-2025-38656,CVE-2025-38663,CVE-2025-38665,CVE-2025-38670,CVE-2025-38671

The SUSE Linux Enterprise Micro 6.0 and 6.1 RT kernel was updated to receive various security bugfixes.

The following security bugs were fixed:

- CVE-2024-46733: btrfs: fix qgroup reserve leaks in cow_file_range (bsc#1230708).
- CVE-2025-38006: net: mctp: Do not access ifa_index when missing (bsc#1244930).
- CVE-2025-38075: scsi: target: iscsi: Fix timeout on deleted connection (bsc#1244734).
- CVE-2025-38103: HID: usbhid: Eliminate recurrent out-of-bounds bug in usbhid_parse() (bsc#1245663).
- CVE-2025-38125: net: stmmac: make sure that ptp_rate is not 0 before configuring EST (bsc#1245710).
- CVE-2025-38146: net: openvswitch: Fix the dead loop of MPLS parse (bsc#1245767).
- CVE-2025-38160: clk: bcm: rpi: Add NULL check in raspberrypi_clk_register() (bsc#1245780). - CVE-2025-38184: tipc: fix null-ptr-deref when acquiring remote ip of ethernet bearer (bsc#1245956). - CVE-2025-38185: atm: atmtcp: Free invalid length skb in atmtcp_c_send() (bsc#1246012). - CVE-2025-38190: atm: Revert atm_account_tx() if copy_from_iter_full() fails (bsc#1245973). - CVE-2025-38201: netfilter: nft_set_pipapo: clamp maximum map bucket size to INT_MAX (bsc#1245977). - CVE-2025-38205: drm/amd/display: Avoid divide by zero by initializing dummy pitch to 1 (bsc#1246005). - CVE-2025-38208: smb: client: add NULL check in automount_fullpath (bsc#1245815). - CVE-2025-38245: atm: Release atm_dev_mutex after removing procfs in atm_dev_deregister() (bsc#1246193). - CVE-2025-38251: atm: clip: prevent NULL deref in clip_push() (bsc#1246181). - CVE-2025-38360: drm/amd/display: Add more checks for DSC / HUBP ONO guarantees (bsc#1247078). - CVE-2025-38439: bnxt_en: Set DMA unmap len correctly for XDP_REDIRECT (bsc#1247155). - CVE-2025-38441: netfilter: flowtable: account for Ethernet header in nf_flow_pppoe_proto() (bsc#1247167). - CVE-2025-38444: raid10: cleanup memleak at raid10_make_request (bsc#1247162). - CVE-2025-38445: md/raid1: Fix stack memory use after return in raid1_reshape (bsc#1247229). - CVE-2025-38458: atm: clip: Fix NULL pointer dereference in vcc_sendmsg() (bsc#1247116). - CVE-2025-38459: atm: clip: Fix infinite recursive call of clip_push() (bsc#1247119). - CVE-2025-38464: tipc: Fix use-after-free in tipc_conn_close() (bsc#1247112). - CVE-2025-38472: netfilter: nf_conntrack: fix crash due to removal of uninitialised entry (bsc#1247313). - CVE-2025-38490: net: libwx: remove duplicate page_pool_put_full_page() (bsc#1247243). - CVE-2025-38491: mptcp: make fallback action and fallback decision atomic (bsc#1247280). - CVE-2025-38499: clone_private_mnt(): make sure that caller has CAP_SYS_ADMIN in the right userns (bsc#1247976). 
- CVE-2025-38500: xfrm: interface: fix use-after-free after changing collect_md xfrm interface (bsc#1248088). - CVE-2025-38506: KVM: Allow CPU to reschedule while setting per-page memory attributes (bsc#1248186). - CVE-2025-38520: drm/amdkfd: Do not call mmput from MMU notifier callback (bsc#1248217). - CVE-2025-38524: rxrpc: Fix recv-recv race of completed call (bsc#1248194). - CVE-2025-38528: bpf: Reject %p% format string in bprintf-like helpers (bsc#1248198). - CVE-2025-38531: iio: common: st_sensors: Fix use of uninitialize device structs (bsc#1248205). - CVE-2025-38546: atm: clip: Fix memory leak of struct clip_vcc (bsc#1248223). - CVE-2025-38560: x86/sev: Evict cache lines during SNP memory validation (bsc#1248312). - CVE-2025-38585: staging: media: atomisp: Fix stack buffer overflow in gmin_get_var_int() (bsc#1248355). - CVE-2025-38591: bpf: Reject narrower access to pointer ctx fields (bsc#1248363). - CVE-2025-38608: bpf, ktls: Fix data corruption when using bpf_msg_pop_data() in ktls (bsc#1248338). - CVE-2025-38618: vsock: Do not allow binding to VMADDR_PORT_ANY (bsc#1248511). The following non-security bugs were fixed: - ACPI: APEI: send SIGBUS to current task if synchronous memory error not recovered (stable-fixes). - ACPI: pfr_update: Fix the driver update version check (git-fixes). - ACPI: processor: fix acpi_object initialization (stable-fixes). - ACPI: processor: perflib: Move problematic pr->performance check (git-fixes). - ALSA: hda/ca0132: Fix buffer overflow in add_tuning_control (stable-fixes). - ALSA: hda/realtek: Add Framework Laptop 13 (AMD Ryzen AI 300) to quirks (stable-fixes). - ALSA: hda/realtek: Add support for HP EliteBook x360 830 G6 and EliteBook 830 G6 (stable-fixes). - ALSA: hda/realtek: Audio disappears on HP 15-fc000 after warm boot again (git-fixes). - ALSA: hda/realtek: Fix headset mic on ASUS Zenbook 14 (git-fixes). - ALSA: hda/realtek: Fix headset mic on HONOR BRB-X (stable-fixes). 
- ALSA: hda: Disable jack polling at shutdown (stable-fixes). - ALSA: hda: Handle the jack polling always via a work (stable-fixes). - ALSA: intel8x0: Fix incorrect codec index usage in mixer for ICH4 (stable-fixes). - ALSA: pcm: Rewrite recalculate_boundary() to avoid costly loop (stable-fixes). - ALSA: scarlett2: Add retry on -EPROTO from scarlett2_usb_tx() (git-fixes). - ALSA: usb-audio: Avoid precedence issues in mixer_quirks macros (stable-fixes). - ALSA: usb-audio: Fix size validation in convert_chmap_v3() (git-fixes). - ALSA: usb-audio: Use correct sub-type for UAC3 feature unit validation (git-fixes). - ALSA: usb-audio: Validate UAC3 cluster segment descriptors (git-fixes). - ALSA: usb-audio: Validate UAC3 power domain descriptors, too (git-fixes). - ASoC: Intel: avs: Fix uninitialized pointer error in probe() (stable-fixes). - ASoC: Intel: fix SND_SOC_SOF dependencies (stable-fixes). - ASoC: amd: yc: Add DMI entries to support HP 15-fb1xxx (stable-fixes). - ASoC: amd: yc: Add DMI quirk for HP Laptop 17 cp-2033dx (stable-fixes). - ASoC: amd: yc: add DMI quirk for ASUS M6501RM (stable-fixes). - ASoC: codecs: rt5640: Retry DEVICE_ID verification (stable-fixes). - ASoC: core: Check for rtd == NULL in snd_soc_remove_pcm_runtime() (stable-fixes). - ASoC: hdac_hdmi: Rate limit logging on connection and disconnection (stable-fixes). - ASoC: soc-dapm: set bias_level if snd_soc_dapm_set_bias_level() was successed (stable-fixes). - Bluetooth: btusb: Add USB ID 3625:010b for TP-LINK Archer TX10UB Nano (stable-fixes). - Bluetooth: hci_conn: do return error from hci_enhanced_setup_sync() (git-fixes). - Bluetooth: hci_event: Detect if HCI_EV_NUM_COMP_PKTS is unbalanced (git-fixes). - Bluetooth: hci_event: Mark connection as closed during suspend disconnect (git-fixes). - Bluetooth: hci_event: Treat UNKNOWN_CONN_ID on disconnect as success (git-fixes). - Bluetooth: hci_event: fix MTU for BN == 0 in CIS Established (git-fixes). 
- Bluetooth: hci_sock: Reset cookie to zero in hci_sock_free_cookie() (stable-fixes). - Bluetooth: hci_sync: fix set_local_name race condition (git-fixes). - HID: asus: fix UAF via HID_CLAIMED_INPUT validation (git-fixes). - HID: multitouch: fix slab out-of-bounds access in mt_report_fixup() (git-fixes). - Move pesign-obs-integration requirement from kernel-syms to kernel devel subpackage (bsc#1248108). - PCI/ACPI: Fix runtime PM ref imbalance on Hot-Plug Capable ports (git-fixes). - PCI/portdrv: Use is_pciehp instead of is_hotplug_bridge (git-fixes). - PCI: Add ACS quirk for Loongson PCIe (git-fixes). - PCI: Support Immediate Readiness on devices without PM capabilities (git-fixes). - PCI: apple: Fix missing OF node reference in apple_pcie_setup_port (git-fixes). - PCI: imx6: Add IMX8MM_EP and IMX8MP_EP fixed 256-byte BAR 4 in epc_features (git-fixes). - PCI: imx6: Delay link start until configfs 'start' written (git-fixes). - PCI: imx6: Remove apps_reset toggling from imx_pcie_{assert/deassert}_core_reset (git-fixes). - PCI: pnv_php: Clean up allocated IRQs on unplug (bsc#1215199). - PCI: pnv_php: Work around switches with broken presence detection (bsc#1215199). - PCI: rockchip: Set Target Link Speed to 5.0 GT/s before retraining (git-fixes). - PCI: rockchip: Use standard PCIe definitions (git-fixes). - PM / devfreq: governor: Replace sscanf() with kstrtoul() in set_freq_store() (stable-fixes). - PM: runtime: Clear power.needs_force_resume in pm_runtime_reinit() (stable-fixes). - PM: sleep: console: Fix the black screen issue (stable-fixes). - RAS/AMD/ATL: Include row bit in row retirement (bsc#1242034). - RAS/AMD/FMPM: Get masked address (bsc#1242034). - RAS/AMD/FMPM: Use atl internal.h for INVALID_SPA (bsc#1242034). 
- RDMA/bnxt_re: Fix a possible memory leak in the driver (git-fixes)
- RDMA/bnxt_re: Fix to do SRQ armena by default (git-fixes)
- RDMA/bnxt_re: Fix to initialize the PBL array (git-fixes)
- RDMA/bnxt_re: Fix to remove workload check in SRQ limit path (git-fixes)
- RDMA/core: reduce stack using in nldev_stat_get_doit() (git-fixes)
- RDMA/erdma: Fix ignored return value of init_kernel_qp (git-fixes)
- RDMA/hns: Fix dip entries leak on devices newer than hip09 (git-fixes)
- RDMA: hfi1: fix possible divide-by-zero in find_hw_thread_mask() (git-fixes)
- Revert 'gpio: mlxbf3: only get IRQ for device instance 0' (git-fixes).
- USB: serial: option: add Foxconn T99W709 (stable-fixes).
- USB: storage: Add unusual-devs entry for Novatek NTK96550-based camera (stable-fixes).
- USB: storage: Ignore driver CD mode for Realtek multi-mode Wi-Fi dongles (stable-fixes).
- aoe: defer rexmit timer downdev work to workqueue (git-fixes).
- arch/powerpc: Remove .interp section in vmlinux (bsc#1215199).
- arm64/cpufeatures/kvm: Add ARMv8.9 FEAT_ECBHB bits in ID_AA64MMFR1 (git-fixes)
- arm64/entry: Mask DAIF in cpu_switch_to(), call_on_irq_stack() (git-fixes)
- arm64/mm: Check PUD_TYPE_TABLE in pud_bad() (git-fixes)
- arm64: Add support for HIP09 Spectre-BHB mitigation (git-fixes)
- arm64: Filter out SME hwcaps when FEAT_SME isn't implemented (git-fixes)
- arm64: Restrict pagetable teardown to avoid false warning (git-fixes)
- arm64: dts: apple: t8103: Fix PCIe BCM4377 nodename (git-fixes)
- arm64: dts: freescale: imx8mm-verdin: Keep LDO5 always on (git-fixes)
- arm64: dts: imx8mm-beacon: Fix HS400 USDHC clock speed (git-fixes)
- arm64: dts: imx8mm-beacon: Fix RTC capacitive load (git-fixes)
- arm64: dts: imx8mm-venice-gw700x: Increase HS400 USDHC clock speed (git-fixes)
- arm64: dts: imx8mm-venice-gw7901: Increase HS400 USDHC clock speed (git-fixes)
- arm64: dts: imx8mm-venice-gw7902: Increase HS400 USDHC clock speed (git-fixes)
- arm64: dts: imx8mm-venice-gw7903: Increase HS400 USDHC clock speed (git-fixes)
- arm64: dts: imx8mm-venice-gw7904: Increase HS400 USDHC clock speed (git-fixes)
- arm64: dts: imx8mn-beacon: Fix HS400 USDHC clock speed (git-fixes)
- arm64: dts: imx8mn-beacon: Fix RTC capacitive load (git-fixes)
- arm64: dts: imx8mn-venice-gw7902: Increase HS400 USDHC clock speed (git-fixes)
- arm64: dts: imx8mp-beacon: Fix RTC capacitive load (git-fixes)
- arm64: dts: rockchip: Update eMMC for NanoPi R5 series (git-fixes)
- arm64: dts: rockchip: fix endpoint dtc warning for PX30 ISP (git-fixes)
- arm64: tegra: Drop remaining serial clock-names and reset-names (git-fixes)
- arm64: tegra: p2597: Fix gpio for vdd-1v8-dis regulator (git-fixes)
- arm64: zynqmp: add clock-output-names property in clock nodes (git-fixes)
- ata: libata-scsi: Fix CDL control (git-fixes).
- block: fix kobject leak in blk_unregister_queue (git-fixes).
- block: mtip32xx: Fix usage of dma_map_sg() (git-fixes).
- bpf: fix kfunc btf caching for modules (git-fixes).
- bpf: use kvzmalloc to allocate BPF verifier environment (git-fixes).
- btrfs: convert BUG_ON in btrfs_reloc_cow_block() to proper error handling (git-fixes).
- btrfs: correctly escape subvol in btrfs_show_options() (git-fixes).
- btrfs: fix adding block group to a reclaim list and the unused list during reclaim (git-fixes).
- btrfs: fix bitmap leak when loading free space cache on duplicate entry (git-fixes).
- btrfs: fix data race when accessing the inode's disk_i_size at btrfs_drop_extents() (git-fixes).
- btrfs: fix the length of reserved qgroup to free (bsc#1240708)
- btrfs: retry block group reclaim without infinite loop (git-fixes).
- btrfs: return accurate error code on open failure in open_fs_devices() (bsc#1233120)
- btrfs: run delayed iputs when flushing delalloc (git-fixes).
- btrfs: update target inode's ctime on unlink (git-fixes).
- cdx: Fix off-by-one error in cdx_rpmsg_probe() (git-fixes).
- char: misc: Fix improper and inaccurate error code returned by misc_init() (stable-fixes).
- comedi: Fix use of uninitialized memory in do_insn_ioctl() and do_insnlist_ioctl() (git-fixes).
- comedi: Make insn_rw_emulate_bits() do insn->n samples (git-fixes).
- comedi: fix race between polling and detaching (git-fixes).
- comedi: pcl726: Prevent invalid irq number (git-fixes).
- crypto: hisilicon/hpre - fix dma unmap sequence (stable-fixes).
- crypto: jitter - fix intermediary handling (stable-fixes).
- crypto: octeontx2 - add timeout for load_fvc completion poll (stable-fixes).
- crypto: qat - lower priority for skcipher and aead algorithms (stable-fixes).
- drm/amd/display: Add null pointer check in mod_hdcp_hdcp1_create_session() (git-fixes).
- drm/amd/display: Add primary plane to commits for correct VRR handling (stable-fixes).
- drm/amd/display: Adjust DCE 8-10 clock, do not overclock by 15% (git-fixes).
- drm/amd/display: Avoid a NULL pointer dereference (stable-fixes).
- drm/amd/display: Avoid configuring PSR granularity if PSR-SU not supported (stable-fixes).
- drm/amd/display: Avoid trying AUX transactions on disconnected ports (stable-fixes).
- drm/amd/display: Do not overclock DCE 6 by 15% (git-fixes).
- drm/amd/display: Fill display clock and vblank time in dce110_fill_display_configs (stable-fixes).
- drm/amd/display: Find first CRTC and its line time in dce110_fill_display_configs (stable-fixes).
- drm/amd/display: Fix 'failed to blank crtc!' (stable-fixes).
- drm/amd/display: Fix DP audio DTO1 clock source on DCE 6 (stable-fixes).
- drm/amd/display: Fix fractional fb divider in set_pixel_clock_v3 (git-fixes).
- drm/amd/display: Only finalize atomic_obj if it was initialized (stable-fixes).
- drm/amd/display: Separate set_gsl from set_gsl_source_select (stable-fixes).
- drm/amd: Allow printing VanGogh OD SCLK levels without setting dpm to manual (stable-fixes).
- drm/amd: Restore cached power limit during resume (stable-fixes).
- drm/amdgpu: Avoid extra evict-restore process (stable-fixes).
- drm/amdgpu: fix incorrect vm flags to map bo (git-fixes).
- drm/amdgpu: fix task hang from failed job submission during process kill (git-fixes).
- drm/amdgpu: update mmhub 3.0.1 client id mappings (stable-fixes).
- drm/amdkfd: Destroy KFD debugfs after destroy KFD wq (stable-fixes).
- drm/dp: Change AUX DPCD probe address from DPCD_REV to LANE0_1_STATUS (stable-fixes).
- drm/hisilicon/hibmc: fix the hibmc loaded failed bug (git-fixes).
- drm/mediatek: Fix device/node reference count leaks in mtk_drm_get_all_drm_priv (git-fixes).
- drm/msm/kms: move snapshot init earlier in KMS init (git-fixes).
- drm/msm: Defer fd_install in SUBMIT ioctl (git-fixes).
- drm/msm: use trylock for debugfs (stable-fixes).
- drm/nouveau/disp: Always accept linear modifier (git-fixes).
- drm/nouveau/nvif: Fix potential memory leak in nvif_vmm_ctor() (git-fixes).
- drm/nouveau: fix error path in nvkm_gsp_fwsec_v2 (git-fixes).
- drm/nouveau: fix typos in comments (git-fixes).
- drm/nouveau: remove unused increment in gm200_flcn_pio_imem_wr (git-fixes).
- drm/nouveau: remove unused memory target test (git-fixes).
- drm/ttm: Respect the shrinker core free target (stable-fixes).
- drm/ttm: Should to return the evict error (stable-fixes).
- et131x: Add missing check after DMA map (stable-fixes).
- exfat: add cluster chain loop check for dir (git-fixes).
- fbdev: Fix vmalloc out-of-bounds write in fast_imageblit (stable-fixes).
- fbdev: fix potential buffer overflow in do_register_framebuffer() (stable-fixes).
- fs/mnt_idmapping.c: Return -EINVAL when no map is written (bsc#1233120)
- fs/orangefs: use snprintf() instead of sprintf() (git-fixes).
- gpio: mlxbf3: use platform_get_irq_optional() (git-fixes).
- gpio: tps65912: check the return value of regmap_update_bits() (stable-fixes).
- gpio: wcd934x: check the return value of regmap_update_bits() (stable-fixes).
- hfs: fix not erasing deleted b-tree node issue (git-fixes).
- hfs: fix slab-out-of-bounds in hfs_bnode_read() (git-fixes).
- hfsplus: do not use BUG_ON() in hfsplus_create_attributes_file() (git-fixes).
- hfsplus: fix slab-out-of-bounds in hfsplus_bnode_read() (git-fixes).
- hfsplus: fix slab-out-of-bounds read in hfsplus_uni2asc() (git-fixes).
- hwmon: (emc2305) Set initial PWM minimum value during probe based on thermal state (stable-fixes).
- i2c: Force DLL0945 touchpad i2c freq to 100khz (stable-fixes).
- i3c: do not fail if GETHDRCAP is unsupported (stable-fixes).
- i3c: master: Initialize ret in i3c_i2c_notifier_call() (stable-fixes).
- ice, irdma: fix an off by one in error handling code (bsc#1247712).
- ice, irdma: move interrupts code to irdma (bsc#1247712).
- ice: Fix signedness bug in ice_init_interrupt_scheme() (bsc#1247712).
- ice: count combined queues using Rx/Tx count (bsc#1247712).
- ice: devlink PF MSI-X max and min parameter (bsc#1247712).
- ice: enable_rdma devlink param (bsc#1247712).
- ice: get rid of num_lan_msix field (bsc#1247712).
- ice: init flow director before RDMA (bsc#1247712).
- ice: remove splitting MSI-X between features (bsc#1247712).
- ice: simplify VF MSI-X managing (bsc#1247712).
- ice: treat dyn_allowed only as suggestion (bsc#1247712).
- iio: adc: ad7768-1: Ensure SYNC_IN pulse minimum timing requirement (stable-fixes).
- iio: adc: ad_sigma_delta: do not overallocate scan buffer (stable-fixes).
- iio: imu: inv_icm42600: switch timestamp type from int64_t __aligned(8) to aligned_s64 (stable-fixes).
- iio: imu: inv_icm42600: use = { } instead of memset() (stable-fixes).
- iio: pressure: bmp280: Use IS_ERR() in bmp280_common_probe() (git-fixes).
- iio: proximity: isl29501: fix buffered read on big-endian systems (git-fixes).
- integrity/platform_certs: Allow loading of keys in the static key management mode (jsc#PED-13345 jsc#PED-13343).
- iosys-map: Fix undefined behavior in iosys_map_clear() (git-fixes).
- ipmi: Fix strcpy source and destination the same (stable-fixes).
- ipmi: Use dev_warn_ratelimited() for incorrect message warnings (stable-fixes).
- irdma: free iwdev->rf after removing MSI-X (bsc#1247712).
- jfs: Regular file corruption check (git-fixes).
- jfs: truncate good inode pages when hard link is 0 (git-fixes).
- jfs: upper bound check of tree index in dbAllocAG (git-fixes).
- kABI: PCI/ACPI: Fix runtime PM ref imbalance on Hot-Plug Capable ports (git-fixes).
- kselftest/arm64: Fix check for setting new VLs in sve-ptrace (git-fixes).
- leds: leds-lp50xx: Handle reg to get correct multi_index (stable-fixes).
- loop: use kiocb helpers to fix lockdep warning (git-fixes).
- mISDN: hfcpci: Fix warning when deleting uninitialized timer (git-fixes).
- md/md-cluster: handle REMOVE message earlier (bsc#1247057).
- md/raid1,raid10: strip REQ_NOWAIT from member bios (git-fixes).
- md: allow removing faulty rdev during resync (git-fixes).
- md: make rdev_addable usable for rcu mode (git-fixes).
- media: dvb-frontends: dib7090p: fix null-ptr-deref in dib7090p_rw_on_apb() (stable-fixes).
- media: dvb-frontends: w7090p: fix null-ptr-deref in w7090p_tuner_write_serpar and w7090p_tuner_read_serpar (stable-fixes).
- media: tc358743: Check I2C succeeded during probe (stable-fixes).
- media: tc358743: Increase FIFO trigger level to 374 (stable-fixes).
- media: tc358743: Return an appropriate colorspace from tc358743_set_fmt (stable-fixes).
- media: usb: hdpvr: disable zero-length read messages (stable-fixes).
- media: uvcvideo: Fix bandwidth issue for Alcor camera (stable-fixes).
- media: v4l2-common: Reduce warnings about missing V4L2_CID_LINK_FREQ control (stable-fixes).
- mei: bus: Check for still connected devices in mei_cl_bus_dev_release() (stable-fixes).
- memstick: Fix deadlock by moving removing flag earlier (git-fixes).
- mm/ptdump: take the memory hotplug lock inside ptdump_walk_pgd() (git-fixes)
- mmc: rtsx_usb_sdmmc: Fix error-path in sd_set_power_mode() (stable-fixes).
- mmc: sdhci-msm: Ensure SD card power isn't ON when card removed (stable-fixes).
- mmc: sdhci-pci-gli: GL9763e: Rename the gli_set_gl9763e() for consistency (git-fixes).
- most: core: Drop device reference after usage in get_channel() (git-fixes).
- mptcp: fallback when MPTCP opts are dropped after 1st data (git-fixes).
- mptcp: reset when MPTCP opts are dropped after join (git-fixes).
- net: phy: micrel: Add ksz9131_resume() (stable-fixes).
- net: phy: smsc: add proper reset flags for LAN8710A (stable-fixes).
- net: thunderbolt: Enable end-to-end flow control also in transmit (stable-fixes).
- net: thunderbolt: Fix the parameter passing of tb_xdomain_enable_paths()/tb_xdomain_disable_paths() (stable-fixes).
- net: usb: asix_devices: Fix PHY address mask in MDIO bus initialization (git-fixes).
- net: usb: asix_devices: add phy_mask for ax88772 mdio bus (git-fixes).
- pNFS: Fix disk addr range check in block/scsi layout (git-fixes).
- pNFS: Fix stripe mapping in block/scsi layout (git-fixes).
- pNFS: Fix uninited ptr deref in block/scsi layout (git-fixes).
- pNFS: Handle RPC size limit for layoutcommits (git-fixes).
- phy: mscc: Fix parsing of unicast frames (git-fixes).
- phy: rockchip-pcie: Properly disable TEST_WRITE strobe signal (stable-fixes).
- pinctrl: STMFX: add missing HAS_IOMEM dependency (git-fixes).
- pinctrl: stm32: Manage irq affinity settings (stable-fixes).
- platform/chrome: cros_ec_typec: Defer probe on missing EC parent (stable-fixes).
- platform/x86/amd: pmc: Add Lenovo Yoga 6 13ALC6 to pmc quirk list (stable-fixes).
- pm: cpupower: Fix the snapshot-order of tsc,mperf, clock in mperf_stop() (stable-fixes).
- power: supply: qcom_battmgr: Add lithium-polymer entry (stable-fixes).
- powerpc/eeh: Export eeh_unfreeze_pe() (bsc#1215199).
- powerpc/eeh: Make EEH driver device hotplug safe (bsc#1215199).
- powerpc/eeh: Rely on dev->link_active_reporting (bsc#1215199).
- powerpc/kernel: Fix ppc_save_regs inclusion in build (bsc#1215199).
- powerpc/pseries: Correct secvar format representation for static key management (jsc#PED-13345 jsc#PED-13343).
- powerpc/secvar: Expose secvars relevant to the key management mode (jsc#PED-13345 jsc#PED-13343).
- powerpc: do not build ppc_save_regs.o always (bsc#1215199).
- pwm: mediatek: Fix duty and period setting (git-fixes).
- pwm: mediatek: Handle hardware enable and clock enable separately (stable-fixes).
- reset: brcmstb: Enable reset drivers for ARCH_BCM2835 (stable-fixes).
- rpm/config.sh: Update Leap project
- rtc: ds1307: handle oscillator stop flag (OSF) for ds1341 (stable-fixes).
- rtc: ds1307: remove clear of oscillator stop flag (OSF) in probe (stable-fixes).
- samples/bpf: Fix compilation errors with cf-protection option (git-fixes).
- scsi: Revert 'scsi: iscsi: Fix HW conn removal use after free' (git-fixes).
- scsi: core: Fix kernel doc for scsi_track_queue_full() (git-fixes).
- scsi: elx: efct: Fix dma_unmap_sg() nents value (git-fixes).
- scsi: ibmvscsi_tgt: Fix dma_unmap_sg() nents value (git-fixes).
- scsi: isci: Fix dma_unmap_sg() nents value (git-fixes).
- scsi: mpi3mr: Fix kernel-doc issues in mpi3mr_app.c (git-fixes).
- scsi: mpi3mr: Fix race between config read submit and interrupt completion (git-fixes).
- scsi: mpi3mr: Serialize admin queue BAR writes on 32-bit systems (git-fixes).
- scsi: mpt3sas: Fix a fw_event memory leak (git-fixes).
- scsi: mvsas: Fix dma_unmap_sg() nents value (git-fixes).
- scsi: sd: Make sd shutdown issue START STOP UNIT appropriately (git-fixes).
- selftests/bpf: fexit_sleep: Fix stack allocation for arm64 (git-fixes).
- selftests/tracing: Fix false failure of subsystem event test (git-fixes).
- selftests: Fix errno checking in syscall_user_dispatch test (git-fixes).
- selftests: rtnetlink.sh: remove esp4_offload after test (git-fixes).
- serial: 8250: fix panic due to PSLVERR (git-fixes).
- slab: Decouple slab_debug and no_hash_pointers (bsc#1249022).
- smb: client: fix parsing of device numbers (git-fixes).
- soc/tegra: pmc: Ensure power-domains are in a known state (git-fixes).
- soundwire: amd: serialize amd manager resume sequence during pm_prepare (stable-fixes).
- squashfs: fix memory leak in squashfs_fill_super (git-fixes).
- sunrpc: fix handling of server side tls alerts (git-fixes).
- sunvdc: Balance device refcount in vdc_port_mpgroup_check (git-fixes).
- thermal/drivers/qcom-spmi-temp-alarm: Enable stage 2 shutdown when required (stable-fixes).
- thermal: sysfs: Return ENODATA instead of EAGAIN for reads (stable-fixes).
- ublk: sanity check add_dev input for underflow (git-fixes).
- ublk: use vmalloc for ublk_device's __queues (git-fixes).
- usb: core: config: Prevent OOB read in SS endpoint companion parsing (stable-fixes).
- usb: core: hcd: fix accessing unmapped memory in SINGLE_STEP_SET_FEATURE test (git-fixes).
- usb: core: usb_submit_urb: downgrade type check (stable-fixes).
- usb: dwc3: Ignore late xferNotReady event to prevent halt timeout (git-fixes).
- usb: dwc3: Remove WARN_ON for device endpoint command timeouts (stable-fixes).
- usb: dwc3: core: Fix system suspend on TI AM62 platforms (git-fixes).
- usb: dwc3: fix fault at system suspend if device was already runtime suspended (git-fixes).
- usb: dwc3: pci: add support for the Intel Wildcat Lake (stable-fixes).
- usb: quirks: Add DELAY_INIT quick for another SanDisk 3.2Gen1 Flash Drive (stable-fixes).
- usb: renesas-xhci: Fix External ROM access timeouts (git-fixes).
- usb: storage: realtek_cr: Use correct byte order for bcs->Residue (git-fixes).
- usb: typec: intel_pmc_mux: Defer probe if SCU IPC isn't present (stable-fixes).
- usb: typec: ucsi: psy: Set current max to 100mA for BC 1.2 and Default (stable-fixes).
- usb: xhci: Avoid showing errors during surprise removal (stable-fixes).
- usb: xhci: Avoid showing warnings for dying controller (stable-fixes).
- usb: xhci: Fix slot_id resource race conflict (git-fixes).
- usb: xhci: Set avg_trb_len = 8 for EP0 during Address Device Command (stable-fixes).
- usb: xhci: print xhci->xhc_state when queue_command failed (stable-fixes).
- vfs: Add a sysctl for automated deletion of dentry (bsc#1240890).
- watchdog: dw_wdt: Fix default timeout (stable-fixes).
- watchdog: iTCO_wdt: Report error if timeout configuration fails (stable-fixes).
- watchdog: sbsa: Adjust keepalive timeout to avoid MediaTek WS0 race condition (stable-fixes).
- wifi: ath12k: Add memset and update default rate value in wmi tx completion (stable-fixes).
- wifi: ath12k: Correct tid cleanup when tid setup fails (stable-fixes).
- wifi: ath12k: Decrement TID on RX peer frag setup error handling (stable-fixes).
- wifi: ath12k: Enable REO queue lookup table feature on QCN9274 hw2.0 (stable-fixes).
- wifi: cfg80211: Fix interface type validation (stable-fixes).
- wifi: cfg80211: reject HTC bit for management frames (stable-fixes).
- wifi: iwlegacy: Check rate_idx range after addition (stable-fixes).
- wifi: iwlwifi: dvm: fix potential overflow in rs_fill_link_cmd() (stable-fixes).
- wifi: iwlwifi: fw: Fix possible memory leak in iwl_fw_dbg_collect (stable-fixes).
- wifi: iwlwifi: mvm: fix scan request validation (stable-fixes).
- wifi: iwlwifi: mvm: set gtk id also in older FWs (stable-fixes).
- wifi: mac80211: do not complete management TX on SAE commit (stable-fixes).
- wifi: mac80211: fix rx link assignment for non-MLO stations (stable-fixes).
- wifi: mac80211: update radar_required in channel context after channel switch (stable-fixes).
- wifi: mt76: mt7915: mcu: re-init MCU before loading FW patch (stable-fixes).
- wifi: rtlwifi: fix possible skb memory leak in _rtl_pci_init_one_rxdesc() (stable-fixes).
- wifi: rtlwifi: fix possible skb memory leak in `_rtl_pci_rx_interrupt()` (stable-fixes).
- wifi: rtw89: Disable deep power saving for USB/SDIO (stable-fixes).
- wifi: rtw89: Fix rtw89_mac_power_switch() for USB (stable-fixes).
- wifi: rtw89: Lower the timeout in rtw89_fw_read_c2h_reg() for USB (stable-fixes).

The following package changes have been done:

- kernel-rt-6.4.0-36.1 updated
- container:SL-Micro-container-2.2.1-7.11 updated

From sle-container-updates at lists.suse.com Wed Sep 24 15:05:02 2025
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Wed, 24 Sep 2025 17:05:02 +0200 (CEST)
Subject: SUSE-CU-2025:7047-1: Security update of suse/kiosk/firefox-esr
Message-ID: <20250924150502.C7B5BFB9C@maintenance.suse.de>

SUSE Container Update Advisory: suse/kiosk/firefox-esr
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2025:7047-1
Container Tags : suse/kiosk/firefox-esr:140.3 , suse/kiosk/firefox-esr:140.3-64.34 , suse/kiosk/firefox-esr:esr , suse/kiosk/firefox-esr:latest
Container Release : 64.34
Severity : moderate
Type : security
References : 1233421 CVE-2024-52615
-----------------------------------------------------------------

The container suse/kiosk/firefox-esr was updated.

The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:3333-1
Released: Wed Sep 24 08:55:10 2025
Summary: Security update for avahi
Type: security
Severity: moderate
References: 1233421,CVE-2024-52615

This update for avahi fixes the following issues:

- CVE-2024-52615: wide-area DNS uses constant source port for queries and can expose the Avahi-daemon to DNS spoofing attacks (bsc#1233421).

The following package changes have been done:

- libavahi-common3-0.8-150600.15.9.1 updated
- libavahi-client3-0.8-150600.15.9.1 updated
- container:registry.suse.com-bci-bci-micro-15.7-f98a5deb3bf91c48bf953f57d3a0bfe7a691340a7abe2a2157c3f8ceb87f4e57-0 updated

From sle-container-updates at lists.suse.com Wed Sep 24 15:05:21 2025
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Wed, 24 Sep 2025 17:05:21 +0200 (CEST)
Subject: SUSE-CU-2025:7048-1: Security update of suse/pcp
Message-ID: <20250924150521.66ED0FB9C@maintenance.suse.de>

SUSE Container Update Advisory: suse/pcp
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2025:7048-1
Container Tags : suse/pcp:6 , suse/pcp:6.2 , suse/pcp:6.2.0 , suse/pcp:6.2.0-63.2 , suse/pcp:latest
Container Release : 63.2
Severity : moderate
Type : security
References : 1233421 CVE-2024-52615
-----------------------------------------------------------------

The container suse/pcp was updated.

The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:3333-1
Released: Wed Sep 24 08:55:10 2025
Summary: Security update for avahi
Type: security
Severity: moderate
References: 1233421,CVE-2024-52615

This update for avahi fixes the following issues:

- CVE-2024-52615: wide-area DNS uses constant source port for queries and can expose the Avahi-daemon to DNS spoofing attacks (bsc#1233421).

The following package changes have been done:

- libavahi-common3-0.8-150600.15.9.1 updated
- libavahi-client3-0.8-150600.15.9.1 updated

From sle-container-updates at lists.suse.com Wed Sep 24 15:05:32 2025
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Wed, 24 Sep 2025 17:05:32 +0200 (CEST)
Subject: SUSE-CU-2025:7049-1: Security update of suse/samba-client
Message-ID: <20250924150532.E8BAAFB9C@maintenance.suse.de>

SUSE Container Update Advisory: suse/samba-client
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2025:7049-1
Container Tags : suse/samba-client:4.21 , suse/samba-client:4.21 , suse/samba-client:4.21-64.30 , suse/samba-client:latest
Container Release : 64.30
Severity : moderate
Type : security
References : 1233421 CVE-2024-52615
-----------------------------------------------------------------

The container suse/samba-client was updated.

The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:3333-1
Released: Wed Sep 24 08:55:10 2025
Summary: Security update for avahi
Type: security
Severity: moderate
References: 1233421,CVE-2024-52615

This update for avahi fixes the following issues:

- CVE-2024-52615: wide-area DNS uses constant source port for queries and can expose the Avahi-daemon to DNS spoofing attacks (bsc#1233421).

The following package changes have been done:

- libavahi-common3-0.8-150600.15.9.1 updated
- libavahi-client3-0.8-150600.15.9.1 updated
- container:suse-sle15-15.7-58f9c044bea87805cae0e4122c7157699ff07944d120923c8f92ba4d9a128a2a-0 updated
- container:registry.suse.com-bci-bci-micro-15.7-f98a5deb3bf91c48bf953f57d3a0bfe7a691340a7abe2a2157c3f8ceb87f4e57-0 updated

From sle-container-updates at lists.suse.com Wed Sep 24 15:05:43 2025
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Wed, 24 Sep 2025 17:05:43 +0200 (CEST)
Subject: SUSE-CU-2025:7050-1: Security update of suse/samba-server
Message-ID: <20250924150543.2D914FB9C@maintenance.suse.de>

SUSE Container Update Advisory: suse/samba-server
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2025:7050-1
Container Tags : suse/samba-server:4.21 , suse/samba-server:4.21 , suse/samba-server:4.21-64.31 , suse/samba-server:latest
Container Release : 64.31
Severity : moderate
Type : security
References : 1233421 CVE-2024-52615
-----------------------------------------------------------------

The container suse/samba-server was updated.

The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:3333-1
Released: Wed Sep 24 08:55:10 2025
Summary: Security update for avahi
Type: security
Severity: moderate
References: 1233421,CVE-2024-52615

This update for avahi fixes the following issues:

- CVE-2024-52615: wide-area DNS uses constant source port for queries and can expose the Avahi-daemon to DNS spoofing attacks (bsc#1233421).

The following package changes have been done:

- libavahi-common3-0.8-150600.15.9.1 updated
- libavahi-client3-0.8-150600.15.9.1 updated
- container:suse-sle15-15.7-58f9c044bea87805cae0e4122c7157699ff07944d120923c8f92ba4d9a128a2a-0 updated
- container:registry.suse.com-bci-bci-micro-15.7-f98a5deb3bf91c48bf953f57d3a0bfe7a691340a7abe2a2157c3f8ceb87f4e57-0 updated

From sle-container-updates at lists.suse.com Wed Sep 24 15:05:52 2025
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Wed, 24 Sep 2025 17:05:52 +0200 (CEST)
Subject: SUSE-CU-2025:7051-1: Security update of suse/samba-toolbox
Message-ID: <20250924150552.D29EEFB9C@maintenance.suse.de>

SUSE Container Update Advisory: suse/samba-toolbox
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2025:7051-1
Container Tags : suse/samba-toolbox:4.21 , suse/samba-toolbox:4.21 , suse/samba-toolbox:4.21-64.30 , suse/samba-toolbox:latest
Container Release : 64.30
Severity : moderate
Type : security
References : 1233421 CVE-2024-52615
-----------------------------------------------------------------

The container suse/samba-toolbox was updated.

The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:3333-1
Released: Wed Sep 24 08:55:10 2025
Summary: Security update for avahi
Type: security
Severity: moderate
References: 1233421,CVE-2024-52615

This update for avahi fixes the following issues:

- CVE-2024-52615: wide-area DNS uses constant source port for queries and can expose the Avahi-daemon to DNS spoofing attacks (bsc#1233421).

The following package changes have been done:

- libavahi-common3-0.8-150600.15.9.1 updated
- libavahi-client3-0.8-150600.15.9.1 updated
- container:suse-sle15-15.7-58f9c044bea87805cae0e4122c7157699ff07944d120923c8f92ba4d9a128a2a-0 updated
- container:registry.suse.com-bci-bci-micro-15.7-f98a5deb3bf91c48bf953f57d3a0bfe7a691340a7abe2a2157c3f8ceb87f4e57-0 updated

From sle-container-updates at lists.suse.com Thu Sep 25 07:04:52 2025
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Thu, 25 Sep 2025 09:04:52 +0200 (CEST)
Subject: SUSE-IU-2025:2559-1: Security update of suse/sle-micro/base-5.5
Message-ID: <20250925070452.61ECDFB9C@maintenance.suse.de>

SUSE Image Update Advisory: suse/sle-micro/base-5.5
-----------------------------------------------------------------
Image Advisory ID : SUSE-IU-2025:2559-1
Image Tags : suse/sle-micro/base-5.5:2.0.4 , suse/sle-micro/base-5.5:2.0.4-5.8.209 , suse/sle-micro/base-5.5:latest
Image Release : 5.8.209
Severity : important
Type : security
References : 1229334 1233640 1234896 1236333 1237164 1240799 1242414 1242780 1244309 1244824 1245110 1245506 1245711 1245956 1245970 1245986 1246211 1246473 1246781 1246911 1247143 1247314 1247347 1247348 1247349 1247374 1247437 1247518 1247976 1248223 1248297 1248306 1248312 1248338 1248511 1248614 1248621 1248748 1249353 CVE-2022-49980 CVE-2022-50116 CVE-2023-53117 CVE-2024-42265 CVE-2024-53093 CVE-2024-53177 CVE-2024-57947 CVE-2024-58239 CVE-2025-21701 CVE-2025-21971 CVE-2025-37798 CVE-2025-38088 CVE-2025-38120 CVE-2025-38177 CVE-2025-38180 CVE-2025-38184 CVE-2025-38323 CVE-2025-38350 CVE-2025-38352 CVE-2025-38460 CVE-2025-38468 CVE-2025-38477 CVE-2025-38494 CVE-2025-38495 CVE-2025-38497 CVE-2025-38498 CVE-2025-38499 CVE-2025-38546 CVE-2025-38555 CVE-2025-38560 CVE-2025-38563 CVE-2025-38608 CVE-2025-38617 CVE-2025-38618 CVE-2025-38644
-----------------------------------------------------------------

The container suse/sle-micro/base-5.5 was updated.

The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:3344-1
Released: Wed Sep 24 15:34:13 2025
Summary: Security update for the Linux Kernel
Type: security
Severity: important
References: 1229334,1233640,1234896,1236333,1237164,1240799,1242414,1242780,1244309,1244824,1245110,1245506,1245711,1245956,1245970,1245986,1246211,1246473,1246781,1246911,1247143,1247314,1247347,1247348,1247349,1247374,1247437,1247518,1247976,1248223,1248297,1248306,1248312,1248338,1248511,1248614,1248621,1248748,1249353,CVE-2022-49980,CVE-2022-50116,CVE-2023-53117,CVE-2024-42265,CVE-2024-53093,CVE-2024-53177,CVE-2024-57947,CVE-2024-58239,CVE-2025-21701,CVE-2025-21971,CVE-2025-37798,CVE-2025-38088,CVE-2025-38120,CVE-2025-38177,CVE-2025-38180,CVE-2025-38184,CVE-2025-38323,CVE-2025-38350,CVE-2025-38352,CVE-2025-38460,CVE-2025-38468,CVE-2025-38477,CVE-2025-38494,CVE-2025-38495,CVE-2025-38497,CVE-2025-38498,CVE-2025-38499,CVE-2025-38546,CVE-2025-38555,CVE-2025-38560,CVE-2025-38563,CVE-2025-38608,CVE-2025-38617,CVE-2025-38618,CVE-2025-38644

The SUSE Linux Enterprise 15 SP5 kernel was updated to receive various security bugfixes.

The following security bugs were fixed:

- CVE-2022-49980: USB: gadget: fix use-after-free read in usb_udc_uevent() (bsc#1245110).
- CVE-2022-50116: kernel: tty: n_gsm: fix deadlock and link starvation in outgoing data path (bsc#1244824).
- CVE-2023-53117: fs: prevent out-of-bounds array speculation when closing a file descriptor (bsc#1242780).
- CVE-2024-42265: protect the fetch of ->fd[fd] in do_dup2() from mispredictions (bsc#1229334).
- CVE-2024-53093: nvme-multipath: defer partition scanning (bsc#1233640).
- CVE-2024-53177: smb: prevent use-after-free due to open_cached_dir error paths (bsc#1234896).
- CVE-2024-58239: tls: stop recv() if initial process_rx_list gave us non-DATA (bsc#1248614).
- CVE-2025-21701: net: avoid race between device unregistration and ethnl ops (bsc#1237164).
- CVE-2025-21971: net_sched: Prevent creation of classes with TC_H_ROOT (bsc#1240799).
- CVE-2025-38180: net: atm: fix /proc/net/atm/lec handling (bsc#1245970).
- CVE-2025-38184: tipc: fix null-ptr-deref when acquiring remote ip of ethernet bearer (bsc#1245956).
- CVE-2025-38323: net: atm: add lec_mutex (bsc#1246473).
- CVE-2025-38350: net/sched: Always pass notifications when child class becomes empty (bsc#1246781).
- CVE-2025-38352: posix-cpu-timers: fix race between handle_posix_cpu_timers() and posix_cpu_timer_del() (bsc#1246911).
- CVE-2025-38460: atm: clip: Fix potential null-ptr-deref in to_atmarpd() (bsc#1247143).
- CVE-2025-38468: net/sched: Return NULL when htb_lookup_leaf encounters an empty rbtree (bsc#1247437).
- CVE-2025-38477: net/sched: sch_qfq: Fix race condition on qfq_aggregate (bsc#1247314).
- CVE-2025-38494: HID: core: do not bypass hid_hw_raw_request (bsc#1247349).
- CVE-2025-38495: HID: core: ensure the allocated report buffer can contain the reserved report ID (bsc#1247348).
- CVE-2025-38497: usb: gadget: configfs: Fix OOB read on empty string write (bsc#1247347).
- CVE-2025-38498: do_change_type(): refuse to operate on unmounted/not ours mounts (bsc#1247374).
- CVE-2025-38499: clone_private_mnt(): make sure that caller has CAP_SYS_ADMIN in the right userns (bsc#1247976).
- CVE-2025-38546: atm: clip: Fix memory leak of struct clip_vcc (bsc#1248223).
- CVE-2025-38555: usb: gadget : fix use-after-free in composite_dev_cleanup() (bsc#1248297).
- CVE-2025-38560: x86/sev: Evict cache lines during SNP memory validation (bsc#1248312).
- CVE-2025-38563: perf/core: Prevent VMA split of buffer mappings (bsc#1248306).
- CVE-2025-38608: bpf, ktls: Fix data corruption when using bpf_msg_pop_data() in ktls (bsc#1248338).
- CVE-2025-38617: net/packet: fix a race in packet_set_ring() and packet_notifier() (bsc#1248621).
- CVE-2025-38618: vsock: Do not allow binding to VMADDR_PORT_ANY (bsc#1248511). - CVE-2025-38644: wifi: mac80211: reject TDLS operations when station is not associated (bsc#1248748). The following non-security bugs were fixed: - Disable N_GSM (jsc#PED-8240). - NFSv4.1: fix backchannel max_resp_sz verification check (bsc#1247518). - NFSv4: fairly test all delegations on a SEQ4_ revocation (bsc#1246211). - kabi fix for NFSv4: fairly test all delegations on a SEQ4_ revocation (bsc#1246211). The following package changes have been done: - kernel-default-5.14.21-150500.55.121.2 updated From sle-container-updates at lists.suse.com Thu Sep 25 07:05:58 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Thu, 25 Sep 2025 09:05:58 +0200 (CEST) Subject: SUSE-IU-2025:2560-1: Security update of suse/sle-micro/kvm-5.5 Message-ID: <20250925070558.CCFBEFB9C@maintenance.suse.de> SUSE Image Update Advisory: suse/sle-micro/kvm-5.5 ----------------------------------------------------------------- Image Advisory ID : SUSE-IU-2025:2560-1 Image Tags : suse/sle-micro/kvm-5.5:2.0.4 , suse/sle-micro/kvm-5.5:2.0.4-3.5.399 , suse/sle-micro/kvm-5.5:latest Image Release : 3.5.399 Severity : important Type : security References : 1229334 1233640 1234896 1236333 1237164 1240799 1242414 1242780 1244309 1244824 1245110 1245506 1245711 1245956 1245970 1245986 1246211 1246473 1246781 1246911 1247143 1247314 1247347 1247348 1247349 1247374 1247437 1247518 1247976 1248223 1248297 1248306 1248312 1248338 1248511 1248614 1248621 1248748 1249353 CVE-2022-49980 CVE-2022-50116 CVE-2023-53117 CVE-2024-42265 CVE-2024-53093 CVE-2024-53177 CVE-2024-57947 CVE-2024-58239 CVE-2025-21701 CVE-2025-21971 CVE-2025-37798 CVE-2025-38088 CVE-2025-38120 CVE-2025-38177 CVE-2025-38180 CVE-2025-38184 CVE-2025-38323 CVE-2025-38350 CVE-2025-38352 CVE-2025-38460 CVE-2025-38468 CVE-2025-38477 CVE-2025-38494 CVE-2025-38495 CVE-2025-38497 CVE-2025-38498 CVE-2025-38499 CVE-2025-38546 
             CVE-2025-38555 CVE-2025-38560 CVE-2025-38563 CVE-2025-38608
             CVE-2025-38617 CVE-2025-38618 CVE-2025-38644
-----------------------------------------------------------------

The container suse/sle-micro/kvm-5.5 was updated.

The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:3344-1
Released: Wed Sep 24 15:34:13 2025
Summary: Security update for the Linux Kernel
Type: security
Severity: important
References: 1229334,1233640,1234896,1236333,1237164,1240799,1242414,1242780,1244309,1244824,1245110,1245506,1245711,1245956,1245970,1245986,1246211,1246473,1246781,1246911,1247143,1247314,1247347,1247348,1247349,1247374,1247437,1247518,1247976,1248223,1248297,1248306,1248312,1248338,1248511,1248614,1248621,1248748,1249353,CVE-2022-49980,CVE-2022-50116,CVE-2023-53117,CVE-2024-42265,CVE-2024-53093,CVE-2024-53177,CVE-2024-57947,CVE-2024-58239,CVE-2025-21701,CVE-2025-21971,CVE-2025-37798,CVE-2025-38088,CVE-2025-38120,CVE-2025-38177,CVE-2025-38180,CVE-2025-38184,CVE-2025-38323,CVE-2025-38350,CVE-2025-38352,CVE-2025-38460,CVE-2025-38468,CVE-2025-38477,CVE-2025-38494,CVE-2025-38495,CVE-2025-38497,CVE-2025-38498,CVE-2025-38499,CVE-2025-38546,CVE-2025-38555,CVE-2025-38560,CVE-2025-38563,CVE-2025-38608,CVE-2025-38617,CVE-2025-38618,CVE-2025-38644

The SUSE Linux Enterprise 15 SP5 kernel was updated to receive various security bugfixes.

The following security bugs were fixed:

- CVE-2022-49980: USB: gadget: fix use-after-free read in usb_udc_uevent() (bsc#1245110).
- CVE-2022-50116: kernel: tty: n_gsm: fix deadlock and link starvation in outgoing data path (bsc#1244824).
- CVE-2023-53117: fs: prevent out-of-bounds array speculation when closing a file descriptor (bsc#1242780).
- CVE-2024-42265: protect the fetch of ->fd[fd] in do_dup2() from mispredictions (bsc#1229334).
- CVE-2024-53093: nvme-multipath: defer partition scanning (bsc#1233640).
- CVE-2024-53177: smb: prevent use-after-free due to open_cached_dir error paths (bsc#1234896).
- CVE-2024-58239: tls: stop recv() if initial process_rx_list gave us non-DATA (bsc#1248614).
- CVE-2025-21701: net: avoid race between device unregistration and ethnl ops (bsc#1237164).
- CVE-2025-21971: net_sched: Prevent creation of classes with TC_H_ROOT (bsc#1240799).
- CVE-2025-38180: net: atm: fix /proc/net/atm/lec handling (bsc#1245970).
- CVE-2025-38184: tipc: fix null-ptr-deref when acquiring remote ip of ethernet bearer (bsc#1245956).
- CVE-2025-38323: net: atm: add lec_mutex (bsc#1246473).
- CVE-2025-38350: net/sched: Always pass notifications when child class becomes empty (bsc#1246781).
- CVE-2025-38352: posix-cpu-timers: fix race between handle_posix_cpu_timers() and posix_cpu_timer_del() (bsc#1246911).
- CVE-2025-38460: atm: clip: Fix potential null-ptr-deref in to_atmarpd() (bsc#1247143).
- CVE-2025-38468: net/sched: Return NULL when htb_lookup_leaf encounters an empty rbtree (bsc#1247437).
- CVE-2025-38477: net/sched: sch_qfq: Fix race condition on qfq_aggregate (bsc#1247314).
- CVE-2025-38494: HID: core: do not bypass hid_hw_raw_request (bsc#1247349).
- CVE-2025-38495: HID: core: ensure the allocated report buffer can contain the reserved report ID (bsc#1247348).
- CVE-2025-38497: usb: gadget: configfs: Fix OOB read on empty string write (bsc#1247347).
- CVE-2025-38498: do_change_type(): refuse to operate on unmounted/not ours mounts (bsc#1247374).
- CVE-2025-38499: clone_private_mnt(): make sure that caller has CAP_SYS_ADMIN in the right userns (bsc#1247976).
- CVE-2025-38546: atm: clip: Fix memory leak of struct clip_vcc (bsc#1248223).
- CVE-2025-38555: usb: gadget : fix use-after-free in composite_dev_cleanup() (bsc#1248297).
- CVE-2025-38560: x86/sev: Evict cache lines during SNP memory validation (bsc#1248312).
- CVE-2025-38563: perf/core: Prevent VMA split of buffer mappings (bsc#1248306).
- CVE-2025-38608: bpf, ktls: Fix data corruption when using bpf_msg_pop_data() in ktls (bsc#1248338).
- CVE-2025-38617: net/packet: fix a race in packet_set_ring() and packet_notifier() (bsc#1248621).
- CVE-2025-38618: vsock: Do not allow binding to VMADDR_PORT_ANY (bsc#1248511).
- CVE-2025-38644: wifi: mac80211: reject TDLS operations when station is not associated (bsc#1248748).

The following non-security bugs were fixed:

- Disable N_GSM (jsc#PED-8240).
- NFSv4.1: fix backchannel max_resp_sz verification check (bsc#1247518).
- NFSv4: fairly test all delegations on a SEQ4_ revocation (bsc#1246211).
- kabi fix for NFSv4: fairly test all delegations on a SEQ4_ revocation (bsc#1246211).

The following package changes have been done:

- kernel-default-base-5.14.21-150500.55.121.2.150500.6.57.2 updated
- container:suse-sle-micro-base-5.5-latest-2.0.4-5.8.209 updated

From sle-container-updates at lists.suse.com Thu Sep 25 07:11:49 2025
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Thu, 25 Sep 2025 09:11:49 +0200 (CEST)
Subject: SUSE-CU-2025:7054-1: Security update of private-registry/harbor-nginx
Message-ID: <20250925071149.D4AB7FB9C@maintenance.suse.de>

SUSE Container Update Advisory: private-registry/harbor-nginx
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2025:7054-1
Container Tags : private-registry/harbor-nginx:1.21 , private-registry/harbor-nginx:1.21.5 , private-registry/harbor-nginx:1.21.5-2.43 , private-registry/harbor-nginx:latest
Container Release : 2.43
Severity : low
Type : security
References : 1247582 1248117 1248330 CVE-2025-8534 CVE-2025-8961 CVE-2025-9165
-----------------------------------------------------------------

The container private-registry/harbor-nginx was updated.

The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:3345-1
Released: Wed Sep 24 15:55:40 2025
Summary: Security update for tiff
Type: security
Severity: low
References: 1247582,1248117,1248330,CVE-2025-8534,CVE-2025-8961,CVE-2025-9165

This update for tiff fixes the following issues:

- CVE-2025-9165: local execution manipulation leading to memory leak (bsc#1248330).
- CVE-2025-8534: null pointer dereference in function PS_Lvl2page (bsc#1247582).
- CVE-2025-8961: segmentation fault via main function of tiffcrop utility (bsc#1248117).

The following package changes have been done:

- libtiff5-4.0.9-150000.45.55.1 updated
- container:suse-sle15-15.6-e3235826fda424ffcadb5c16b55bcdffc50fd00aa3bfe3d0e13a1b34be967169-0 updated
- container:registry.suse.com-bci-bci-micro-15.6-a5dcf2ffb40979daa8fda00fc233a5409037207662f4aa6f86d6465c94465b44-0 updated

From sle-container-updates at lists.suse.com Thu Sep 25 07:11:53 2025
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Thu, 25 Sep 2025 09:11:53 +0200 (CEST)
Subject: SUSE-CU-2025:7055-1: Security update of private-registry/harbor-portal
Message-ID: <20250925071153.819B6FB9C@maintenance.suse.de>

SUSE Container Update Advisory: private-registry/harbor-portal
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2025:7055-1
Container Tags : private-registry/harbor-portal:2.13 , private-registry/harbor-portal:2.13.2 , private-registry/harbor-portal:2.13.2-3.9 , private-registry/harbor-portal:latest
Container Release : 3.9
Severity : low
Type : security
References : 1247582 1248117 1248330 CVE-2025-8534 CVE-2025-8961 CVE-2025-9165
-----------------------------------------------------------------

The container private-registry/harbor-portal was updated.

The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:3345-1
Released: Wed Sep 24 15:55:40 2025
Summary: Security update for tiff
Type: security
Severity: low
References: 1247582,1248117,1248330,CVE-2025-8534,CVE-2025-8961,CVE-2025-9165

This update for tiff fixes the following issues:

- CVE-2025-9165: local execution manipulation leading to memory leak (bsc#1248330).
- CVE-2025-8534: null pointer dereference in function PS_Lvl2page (bsc#1247582).
- CVE-2025-8961: segmentation fault via main function of tiffcrop utility (bsc#1248117).

The following package changes have been done:

- libtiff5-4.0.9-150000.45.55.1 updated
- container:suse-sle15-15.6-e3235826fda424ffcadb5c16b55bcdffc50fd00aa3bfe3d0e13a1b34be967169-0 updated
- container:registry.suse.com-bci-bci-micro-15.6-a5dcf2ffb40979daa8fda00fc233a5409037207662f4aa6f86d6465c94465b44-0 updated

From sle-container-updates at lists.suse.com Thu Sep 25 07:16:16 2025
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Thu, 25 Sep 2025 09:16:16 +0200 (CEST)
Subject: SUSE-CU-2025:7056-1: Security update of suse/kiosk/firefox-esr
Message-ID: <20250925071616.108C2F783@maintenance.suse.de>

SUSE Container Update Advisory: suse/kiosk/firefox-esr
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2025:7056-1
Container Tags : suse/kiosk/firefox-esr:140.3 , suse/kiosk/firefox-esr:140.3-64.35 , suse/kiosk/firefox-esr:esr , suse/kiosk/firefox-esr:latest
Container Release : 64.35
Severity : moderate
Type : security
References : 1247581 1247582 1248117 1248330 CVE-2024-13978 CVE-2025-8534 CVE-2025-8961 CVE-2025-9165
-----------------------------------------------------------------

The container suse/kiosk/firefox-esr was updated.

The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:3348-1
Released: Wed Sep 24 16:05:03 2025
Summary: Security update for tiff
Type: security
Severity: moderate
References: 1247581,1247582,1248117,1248330,CVE-2024-13978,CVE-2025-8534,CVE-2025-8961,CVE-2025-9165

This update for tiff fixes the following issues:

- CVE-2025-9165: local execution manipulation leading to memory leak (bsc#1248330).
- CVE-2024-13978: null pointer dereference in component fax2ps (bsc#1247581)
- CVE-2025-8534: null pointer dereference in function PS_Lvl2page (bsc#1247582).
- CVE-2025-8961: segmentation fault via main function of tiffcrop utility (bsc#1248117).

The following package changes have been done:

- libtiff6-4.7.0-150600.3.18.1 updated

From sle-container-updates at lists.suse.com Thu Sep 25 07:16:28 2025
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Thu, 25 Sep 2025 09:16:28 +0200 (CEST)
Subject: SUSE-CU-2025:7057-1: Security update of suse/nginx
Message-ID: <20250925071628.F0AA5F783@maintenance.suse.de>

SUSE Container Update Advisory: suse/nginx
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2025:7057-1
Container Tags : suse/nginx:1.21 , suse/nginx:1.21-62.28 , suse/nginx:latest
Container Release : 62.28
Severity : low
Type : security
References : 1247582 1248117 1248330 CVE-2025-8534 CVE-2025-8961 CVE-2025-9165
-----------------------------------------------------------------

The container suse/nginx was updated.

The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:3345-1
Released: Wed Sep 24 15:55:40 2025
Summary: Security update for tiff
Type: security
Severity: low
References: 1247582,1248117,1248330,CVE-2025-8534,CVE-2025-8961,CVE-2025-9165

This update for tiff fixes the following issues:

- CVE-2025-9165: local execution manipulation leading to memory leak (bsc#1248330).
- CVE-2025-8534: null pointer dereference in function PS_Lvl2page (bsc#1247582).
- CVE-2025-8961: segmentation fault via main function of tiffcrop utility (bsc#1248117).

The following package changes have been done:

- libtiff5-4.0.9-150000.45.55.1 updated

From sle-container-updates at lists.suse.com Thu Sep 25 07:16:41 2025
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Thu, 25 Sep 2025 09:16:41 +0200 (CEST)
Subject: SUSE-CU-2025:7058-1: Security update of suse/kiosk/xorg
Message-ID: <20250925071641.CA0C9F783@maintenance.suse.de>

SUSE Container Update Advisory: suse/kiosk/xorg
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2025:7058-1
Container Tags : suse/kiosk/xorg:21 , suse/kiosk/xorg:21.1 , suse/kiosk/xorg:21.1-66.6 , suse/kiosk/xorg:latest , suse/kiosk/xorg:notaskbar
Container Release : 66.6
Severity : moderate
Type : security
References : 1247581 1247582 1248117 1248330 CVE-2024-13978 CVE-2025-8534 CVE-2025-8961 CVE-2025-9165
-----------------------------------------------------------------

The container suse/kiosk/xorg was updated.

The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:3348-1
Released: Wed Sep 24 16:05:03 2025
Summary: Security update for tiff
Type: security
Severity: moderate
References: 1247581,1247582,1248117,1248330,CVE-2024-13978,CVE-2025-8534,CVE-2025-8961,CVE-2025-9165

This update for tiff fixes the following issues:

- CVE-2025-9165: local execution manipulation leading to memory leak (bsc#1248330).
- CVE-2024-13978: null pointer dereference in component fax2ps (bsc#1247581)
- CVE-2025-8534: null pointer dereference in function PS_Lvl2page (bsc#1247582).
- CVE-2025-8961: segmentation fault via main function of tiffcrop utility (bsc#1248117).

The following package changes have been done:

- libtiff6-4.7.0-150600.3.18.1 updated
- container:suse-sle15-15.7-58f9c044bea87805cae0e4122c7157699ff07944d120923c8f92ba4d9a128a2a-0 updated
- container:registry.suse.com-bci-bci-micro-15.7-f98a5deb3bf91c48bf953f57d3a0bfe7a691340a7abe2a2157c3f8ceb87f4e57-0 updated

From sle-container-updates at lists.suse.com Thu Sep 25 13:35:48 2025
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Thu, 25 Sep 2025 15:35:48 +0200 (CEST)
Subject: SUSE-CU-2025:7059-1: Security update of suse/sl-micro/6.0/toolbox
Message-ID: <20250925133548.B8FBBFB9C@maintenance.suse.de>

SUSE Container Update Advisory: suse/sl-micro/6.0/toolbox
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2025:7059-1
Container Tags : suse/sl-micro/6.0/toolbox:13.2 , suse/sl-micro/6.0/toolbox:13.2-9.35 , suse/sl-micro/6.0/toolbox:latest
Container Release : 9.35
Severity : moderate
Type : security
References : 1230267 1241219 1246912 1250343 CVE-2025-3576
-----------------------------------------------------------------

The container suse/sl-micro/6.0/toolbox was updated.

The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: 469
Released: Mon Sep 22 10:44:49 2025
Summary: Security update for krb5
Type: security
Severity: moderate
References: 1241219,CVE-2025-3576

This update for krb5 fixes the following issues:

- CVE-2025-3576: Fixed Kerberos RC4-HMAC-MD5 Checksum Vulnerability (bsc#1241219)

-----------------------------------------------------------------
Advisory ID: 472
Released: Wed Sep 24 11:12:01 2025
Summary: Recommended update for zypper, libzypp
Type: recommended
Severity: moderate
References: 1230267,1246912,1250343

This update for zypper, libzypp fixes the following issues:

libzypp was updated to 17.37.18:

- runposttrans: strip root prefix from tmppath (bsc#1250343)
- Make ld.so ignore the subarch packages during install (bsc#1246912)

zypper was updated to 1.14.94:

- Fixed `bash-completion`: `zypper refresh` now ignores repository priority lines.
- Changes to support building against restructured libzypp in stack build (bsc#1230267)

The following package changes have been done:

- SL-Micro-release-6.0-25.47 updated
- krb5-1.20.1-7.1 updated
- libzypp-17.37.18-1.1 updated
- skelcd-EULA-SL-Micro-2024.01.19-8.46 updated
- zypper-1.14.94-1.1 updated

From sle-container-updates at lists.suse.com Fri Sep 26 07:04:33 2025
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Fri, 26 Sep 2025 09:04:33 +0200 (CEST)
Subject: SUSE-IU-2025:2582-1: Security update of suse/sl-micro/6.0/baremetal-os-container
Message-ID: <20250926070433.8C1A5FBA1@maintenance.suse.de>

SUSE Image Update Advisory: suse/sl-micro/6.0/baremetal-os-container
-----------------------------------------------------------------
Image Advisory ID : SUSE-IU-2025:2582-1
Image Tags : suse/sl-micro/6.0/baremetal-os-container:2.1.3 , suse/sl-micro/6.0/baremetal-os-container:2.1.3-6.87 , suse/sl-micro/6.0/baremetal-os-container:latest
Image Release : 6.87
Severity : important
Type : security
References : 1214960 1246197 1249191 1249348 1249367 CVE-2025-10148 CVE-2025-9086
-----------------------------------------------------------------

The container suse/sl-micro/6.0/baremetal-os-container was updated.

The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: 476
Released: Thu Sep 25 12:41:35 2025
Summary: Recommended update for runc
Type: recommended
Severity: moderate
References: 1214960

This update for runc fixes the following issues:

Update to runc v1.3.1: Upstream changelog is available from
Update to runc v1.3.0: Upstream changelog is available from

-----------------------------------------------------------------
Advisory ID: 477
Released: Thu Sep 25 12:52:04 2025
Summary: Security update for curl
Type: security
Severity: important
References: 1246197,1249191,1249348,1249367,CVE-2025-10148,CVE-2025-9086

This update for curl fixes the following issues:

- CVE-2025-9086: Fixed Out of bounds read for cookie path (bsc#1249191)
- CVE-2025-10148: Predictable WebSocket mask (bsc#1249348)
- Fix the --ftp-pasv option in curl v8.14.1 [bsc#1246197]
- tool_operate: fix return code when --retry is used but not triggered [bsc#1249367]
- Updated to 8.14.1: [jsc#PED-13055, jsc#PED-13056]
  * Add _multibuild
  * Bugfixes:
    - asyn-thrdd: fix cleanup when RR fails due to OOM
    - ftp: fix teardown of DATA connection in done
    - http: fail early when rewind of input failed when following redirects
    - multi: fix add_handle resizing
    - tls BIOs: handle BIO_CTRL_EOF correctly
    - tool_getparam: make --no-anyauth not be accepted
    - wolfssl: fix sending of early data
    - ws: handle blocked sends better
    - ws: tests and fixes
- Sync spec file with SLE codestreams: [jsc#PED-13055, jsc#PED-13056]
  * Add curl-mini.rpmlintrc to avoid rpmlint shlib-policy-name-error when building the curl-mini package in SLE.
  * Add libssh minimum version requirements.
  * Use ldconfig_scriptlets when available.
  * Remove unused option --disable-ntlm-wb.
- Update to 8.14.0:
  * Changes:
    - mqtt: send ping at upkeep interval
    - schannel: handle pkcs12 client certificates containing CA certificates
    - TLS: add CURLOPT_SSL_SIGNATURE_ALGORITHMS and --sigalgs
    - vquic: ngtcp2 + openssl support
    - wcurl: import v2025.04.20 script + docs
    - websocket: add option to disable auto-pong reply
  * Bugfixes:
    - asny-thrdd: fix detach from running thread
    - async-threaded resolver: use ref counter
    - async: DoH improvements
    - build: enable gcc-12/13+, clang-10+ picky warnings
    - build: enable gcc-15 picky warnings
    - certs: drop unused `default_bits` from `.prm` files
    - cf-https-connect: use the passed in dns struct pointer
    - cf-socket: fix FTP accept connect
    - cfilters: remove assert
    - cmake: fix nghttp3 static linking with `USE_OPENSSL_QUIC=ON`
    - cmake: prefer `COMPILE_OPTIONS` over `CMAKE_C_FLAGS` for custom C options
    - cmake: revert `CURL_LTO` behavior for multi-config generators
    - configure: fix --disable-rt
    - CONTRIBUTE: add project guidelines for AI use
    - cpool/cshutdown: force close connections under pressure
    - curl: fix memory leak when -h is used in config file
    - curl_get_line: handle lines ending on the buffer boundary
    - headers: enforce a max number of response header to accept
    - http: fix HTTP/2 handling of TE request header using 'trailers'
    - lib: include files using known path
    - lib: unify conversions to/from hex
    - libssh: add NULL check for Curl_meta_get()
    - libssh: fix memory leak
    - mqtt: use conn/easy meta hash
    - multi: do transfer book keeping using mid
    - multi: init_do(): check result
    - netrc: avoid NULL deref on weird input
    - netrc: avoid strdup NULL
    - netrc: deal with null token better
    - openssl-quic: avoid potential `-Wnull-dereference`, add assert
    - openssl-quic: fix shutdown when stream not open
    - openssl: enable builds for *both* engines and providers
    - openssl: set the cipher string before doing private cert
    - progress: avoid integer overflow when gathering total transfer size
    - rand: update comment on Curl_rand_bytes weak random
    - rustls: make max size of cert and key reasonable
    - smb: avoid integer overflow on weird input date
    - urlapi: redirecting to '' is considered fine
- Update to 8.13.0:
  * Changes:
    - curl: add write-out variable 'tls_earlydata'
    - curl: make --url support a file with URLs
    - gnutls: set priority via --ciphers
    - IMAP: add CURLOPT_UPLOAD_FLAGS and --upload-flags
    - lib: add CURLFOLLOW_OBEYCODE and CURLFOLLOW_FIRSTONLY
    - OpenSSL/quictls: add support for TLSv1.3 early data
    - rustls: add support for CERTINFO
    - rustls: add support for SSLKEYLOGFILE
    - rustls: support ECH w/ DoH lookup for config
    - rustls: support native platform verifier
    - var: add a '64dec' function that can base64 decode a string
  * Bugfixes:
    - conn: fix connection reuse when SSL is optional
    - hash: use single linked list for entries
    - http2: detect session being closed on ingress handling
    - http2: reset stream on response header error
    - http: remove a HTTP method size restriction
    - http: version negotiation
    - httpsrr: fix port detection
    - libssh: fix freeing of resources in disconnect
    - libssh: fix scp large file upload for 32-bit size_t systems
    - openssl-quic: do not iterate over multi handles
    - openssl: check return value of X509_get0_pubkey
    - openssl: drop support for old OpenSSL/LibreSSL versions
    - openssl: fix crash on missing cert password
    - openssl: fix pkcs11 URI checking for key files.
    - openssl: remove bad `goto`s into other scope
    - setopt: illegal CURLOPT_SOCKS5_AUTH should return error
    - setopt: setting PROXYUSERPWD after PROXYUSERNAME/PASSWORD is fine
    - sshserver.pl: adjust `AuthorizedKeysFile2` cutoff version
    - sshserver: fix excluding obsolete client config lines
    - SSLCERTS: list support for SSL_CERT_FILE and SSL_CERT_DIR
    - tftpd: prefix TFTP protocol error `E*` constants with `TFTP_`
    - tool_operate: fail SSH transfers without server auth
    - url: call protocol handler's disconnect in Curl_conn_free
    - urlapi: remove percent encoded dot sequences from the URL path
    - urldata: remove 'hostname' from struct Curl_async
- Update to 8.12.1:
  * Bugfixes:
    - asyn-thread: fix build with 'CURL_DISABLE_SOCKETPAIR'
    - asyn-thread: fix HTTPS RR crash
    - asyn-thread: fix the returned bitmask from Curl_resolver_getsock
    - asyn-thread: survive a c-ares channel set to NULL
    - cmake: always reference OpenSSL and ZLIB via imported targets
    - cmake: respect 'GNUTLS_CFLAGS' when detected via 'pkg-config'
    - cmake: respect 'GNUTLS_LIBRARY_DIRS' in 'libcurl.pc' and 'curl-config'
    - content_encoding: #error on too old zlib
    - imap: TLS upgrade fix
    - ldap: drop support for legacy Novell LDAP SDK
    - libssh2: comparison is always true because rc <= -1
    - libssh2: raise lowest supported version to 1.2.8
    - libssh: drop support for libssh older than 0.9.0
    - openssl-quic: ignore ciphers for h3
    - pop3: TLS upgrade fix
    - runtests: fix the disabling of the memory tracking
    - runtests: quote commands to support paths with spaces
    - scache: add magic checks
    - smb: silence '-Warray-bounds' with gcc 13+
    - smtp: TLS upgrade fix
    - tool_cfgable: sort struct fields by size, use bitfields for booleans
    - tool_getparam: add 'TLS required' flag for each such option
    - vtls: fix multissl-init
    - wakeup_write: make sure the eventfd write sends eight bytes
- Update to 8.12.0:
  * Changes:
    - curl: add byte range support to --variable reading from file
    - curl: make --etag-save acknowledge --create-dirs
    - getinfo: fix CURLINFO_QUEUE_TIME_T and add 'time_queue' var
    - getinfo: provide info which auth was used for HTTP and proxy
    - hyper: drop support
    - openssl: add support to use keys and certificates from PKCS#11 provider
    - QUIC: 0RTT for gnutls via CURLSSLOPT_EARLYDATA
    - vtls: feature ssls-export for SSL session im-/export
  * Bugfixes:
    - altsvc: avoid integer overflow in expire calculation
    - asyn-ares: acknowledge CURLOPT_DNS_SERVERS set to NULL
    - asyn-ares: fix memory leak
    - asyn-ares: initial HTTPS resolve support
    - asyn-thread: use c-ares to resolve HTTPS RR
    - async-thread: avoid closing eventfd twice
    - cd2nroff: do not insist on quoted <> within backticks
    - cd2nroff: support 'none' as a TLS backend
    - conncache: count shutdowns against host and max limits
    - content_encoding: drop support for zlib before 1.2.0.4
    - content_encoding: namespace GZIP flag constants
    - content_encoding: put the decomp buffers into the writer structs
    - content_encoding: support use of custom libzstd memory functions
    - cookie: cap expire times to 400 days
    - cookie: parse only the exact expire date
    - curl: return error if etag options are used with multiple URLs
    - curl_multi_fdset: include the shutdown connections in the set
    - curl_sha512_256: rename symbols to the curl namespace
    - curl_url_set.md: adjust the added-in to 7.62.0
    - doh: send HTTPS RR requests for all HTTP(S) transfers
    - easy: allow connect-only handle reuse with easy_perform
    - easy: make curl_easy_perform() return error if connection still there
    - easy_lock: use Sleep(1) for thread yield on old Windows
    - ECH: update APIs to those agreed with OpenSSL maintainers
    - GnuTLS: fix 'time_appconnect' for early data
    - HTTP/2: strip TE request header
    - http2: fix data_pending check
    - http2: fix value stored to 'result' is never read
    - http: ignore invalid Retry-After times
    - http_aws_sigv4: Fix invalid compare function handling zero-length pairs
    - https-connect: start next immediately on failure
    - lib: redirect handling by protocol handler
    - multi: fix curl_multi_waitfds reporting of fd_count
    - netrc: 'default' with no credentials is not a match
    - netrc: fix password-only entries
    - netrc: restore _netrc fallback logic
    - ngtcp2: fix memory leak on connect failure
    - openssl: define `HAVE_KEYLOG_CALLBACK` before use
    - openssl: fix ECH logic
    - osslq: use SSL_poll to determine writeability of QUIC streams
    - sectransp: free certificate on error
    - select: avoid a NULL deref in cwfds_add_sock
    - src: omit hugehelp and ca-embed from libcurltool
    - ssl session cache: change cache dimensions
    - system.h: add 64-bit curl_off_t definitions for NonStop
    - telnet: handle single-byte input option
    - TLS: check connection for SSL use, not handler
    - tool_formparse.c: make curlx_uztoso a static in here
    - tool_formparse: accept digits in --form type= strings
    - tool_getparam: ECH param parsing refix
    - tool_getparam: fail --hostpubsha256 if libssh2 is not used
    - tool_getparam: fix 'Ignored Return Value'
    - tool_getparam: fix memory leak on error in parse_ech
    - tool_getparam: fix the ECH parser
    - tool_operate: make --etag-compare always accept a non-existing file
    - transfer: fix CURLOPT_CURLU override logic
    - urlapi: fix redirect to a new fragment or query (only)
    - vquic: make vquic_send_packets not return without setting psent
    - vtls: fix default SSL backend as a fallback
    - vtls: only remember the expiry timestamp in session cache
    - websocket: fix message send corruption
    - x509asn1: add parse recursion limit

The following package changes have been done:

- SL-Micro-release-6.0-25.48 updated
- libcurl-mini4-8.14.1-1.1 added
- runc-1.3.1-1.1 updated
- container:SL-Micro-base-container-2.1.3-7.55 updated
- libbrotlicommon1-1.1.0-1.6 removed
- libbrotlidec1-1.1.0-1.6 removed
- libcurl4-8.6.0-6.1 removed
- libssh-config-0.10.6-2.1 removed
- libssh4-0.10.6-2.1 removed

From sle-container-updates at lists.suse.com Fri Sep 26 07:05:19 2025
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Fri, 26 Sep 2025 09:05:19 +0200 (CEST)
Subject: SUSE-IU-2025:2583-1: Security update of suse/sl-micro/6.0/base-os-container
Message-ID: <20250926070519.A3C96FBA1@maintenance.suse.de>

SUSE Image Update Advisory: suse/sl-micro/6.0/base-os-container
-----------------------------------------------------------------
Image Advisory ID : SUSE-IU-2025:2583-1
Image Tags : suse/sl-micro/6.0/base-os-container:2.1.3 , suse/sl-micro/6.0/base-os-container:2.1.3-7.55 , suse/sl-micro/6.0/base-os-container:latest
Image Release : 7.55
Severity : important
Type : security
References : 1246197 1249191 1249348 1249367 CVE-2025-10148 CVE-2025-9086
-----------------------------------------------------------------

The container suse/sl-micro/6.0/base-os-container was updated.

The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: 477
Released: Thu Sep 25 12:52:04 2025
Summary: Security update for curl
Type: security
Severity: important
References: 1246197,1249191,1249348,1249367,CVE-2025-10148,CVE-2025-9086

This update for curl fixes the following issues:

- CVE-2025-9086: Fixed Out of bounds read for cookie path (bsc#1249191)
- CVE-2025-10148: Predictable WebSocket mask (bsc#1249348)
- Fix the --ftp-pasv option in curl v8.14.1 [bsc#1246197]
- tool_operate: fix return code when --retry is used but not triggered [bsc#1249367]
- Updated to 8.14.1: [jsc#PED-13055, jsc#PED-13056]
  * Add _multibuild
  * Bugfixes:
    - asyn-thrdd: fix cleanup when RR fails due to OOM
    - ftp: fix teardown of DATA connection in done
    - http: fail early when rewind of input failed when following redirects
    - multi: fix add_handle resizing
    - tls BIOs: handle BIO_CTRL_EOF correctly
    - tool_getparam: make --no-anyauth not be accepted
    - wolfssl: fix sending of early data
    - ws: handle blocked sends better
    - ws: tests and fixes
- Sync spec file with SLE codestreams: [jsc#PED-13055, jsc#PED-13056]
  * Add curl-mini.rpmlintrc to avoid rpmlint shlib-policy-name-error when building the curl-mini package in SLE.
  * Add libssh minimum version requirements.
  * Use ldconfig_scriptlets when available.
  * Remove unused option --disable-ntlm-wb.
- Update to 8.14.0:
  * Changes:
    - mqtt: send ping at upkeep interval
    - schannel: handle pkcs12 client certificates containing CA certificates
    - TLS: add CURLOPT_SSL_SIGNATURE_ALGORITHMS and --sigalgs
    - vquic: ngtcp2 + openssl support
    - wcurl: import v2025.04.20 script + docs
    - websocket: add option to disable auto-pong reply
  * Bugfixes:
    - asny-thrdd: fix detach from running thread
    - async-threaded resolver: use ref counter
    - async: DoH improvements
    - build: enable gcc-12/13+, clang-10+ picky warnings
    - build: enable gcc-15 picky warnings
    - certs: drop unused `default_bits` from `.prm` files
    - cf-https-connect: use the passed in dns struct pointer
    - cf-socket: fix FTP accept connect
    - cfilters: remove assert
    - cmake: fix nghttp3 static linking with `USE_OPENSSL_QUIC=ON`
    - cmake: prefer `COMPILE_OPTIONS` over `CMAKE_C_FLAGS` for custom C options
    - cmake: revert `CURL_LTO` behavior for multi-config generators
    - configure: fix --disable-rt
    - CONTRIBUTE: add project guidelines for AI use
    - cpool/cshutdown: force close connections under pressure
    - curl: fix memory leak when -h is used in config file
    - curl_get_line: handle lines ending on the buffer boundary
    - headers: enforce a max number of response header to accept
    - http: fix HTTP/2 handling of TE request header using 'trailers'
    - lib: include files using known path
    - lib: unify conversions to/from hex
    - libssh: add NULL check for Curl_meta_get()
    - libssh: fix memory leak
    - mqtt: use conn/easy meta hash
    - multi: do transfer book keeping using mid
    - multi: init_do(): check result
    - netrc: avoid NULL deref on weird input
    - netrc: avoid strdup NULL
    - netrc: deal with null token better
    - openssl-quic: avoid potential `-Wnull-dereference`, add assert
    - openssl-quic: fix shutdown when stream not open
    - openssl: enable builds for *both* engines and providers
    - openssl: set the cipher string before doing private cert
    - progress: avoid integer overflow when gathering total transfer size
    - rand: update comment on Curl_rand_bytes weak random
    - rustls: make max size of cert and key reasonable
    - smb: avoid integer overflow on weird input date
    - urlapi: redirecting to '' is considered fine
- Update to 8.13.0:
  * Changes:
    - curl: add write-out variable 'tls_earlydata'
    - curl: make --url support a file with URLs
    - gnutls: set priority via --ciphers
    - IMAP: add CURLOPT_UPLOAD_FLAGS and --upload-flags
    - lib: add CURLFOLLOW_OBEYCODE and CURLFOLLOW_FIRSTONLY
    - OpenSSL/quictls: add support for TLSv1.3 early data
    - rustls: add support for CERTINFO
    - rustls: add support for SSLKEYLOGFILE
    - rustls: support ECH w/ DoH lookup for config
    - rustls: support native platform verifier
    - var: add a '64dec' function that can base64 decode a string
  * Bugfixes:
    - conn: fix connection reuse when SSL is optional
    - hash: use single linked list for entries
    - http2: detect session being closed on ingress handling
    - http2: reset stream on response header error
    - http: remove a HTTP method size restriction
    - http: version negotiation
    - httpsrr: fix port detection
    - libssh: fix freeing of resources in disconnect
    - libssh: fix scp large file upload for 32-bit size_t systems
    - openssl-quic: do not iterate over multi handles
    - openssl: check return value of X509_get0_pubkey
    - openssl: drop support for old OpenSSL/LibreSSL versions
    - openssl: fix crash on missing cert password
    - openssl: fix pkcs11 URI checking for key files.
- openssl: remove bad `goto`s into other scope - setopt: illegal CURLOPT_SOCKS5_AUTH should return error - setopt: setting PROXYUSERPWD after PROXYUSERNAME/PASSWORD is fine - sshserver.pl: adjust `AuthorizedKeysFile2` cutoff version - sshserver: fix excluding obsolete client config lines - SSLCERTS: list support for SSL_CERT_FILE and SSL_CERT_DIR - tftpd: prefix TFTP protocol error `E*` constants with `TFTP_` - tool_operate: fail SSH transfers without server auth - url: call protocol handler's disconnect in Curl_conn_free - urlapi: remove percent encoded dot sequences from the URL path - urldata: remove 'hostname' from struct Curl_async - Update to 8.12.1: * Bugfixes: - asyn-thread: fix build with 'CURL_DISABLE_SOCKETPAIR' - asyn-thread: fix HTTPS RR crash - asyn-thread: fix the returned bitmask from Curl_resolver_getsock - asyn-thread: survive a c-ares channel set to NULL - cmake: always reference OpenSSL and ZLIB via imported targets - cmake: respect 'GNUTLS_CFLAGS' when detected via 'pkg-config' - cmake: respect 'GNUTLS_LIBRARY_DIRS' in 'libcurl.pc' and 'curl-config' - content_encoding: #error on too old zlib - imap: TLS upgrade fix - ldap: drop support for legacy Novell LDAP SDK - libssh2: comparison is always true because rc <= -1 - libssh2: raise lowest supported version to 1.2.8 - libssh: drop support for libssh older than 0.9.0 - openssl-quic: ignore ciphers for h3 - pop3: TLS upgrade fix - runtests: fix the disabling of the memory tracking - runtests: quote commands to support paths with spaces - scache: add magic checks - smb: silence '-Warray-bounds' with gcc 13+ - smtp: TLS upgrade fix - tool_cfgable: sort struct fields by size, use bitfields for booleans - tool_getparam: add 'TLS required' flag for each such option - vtls: fix multissl-init - wakeup_write: make sure the eventfd write sends eight bytes - Update to 8.12.0: * Changes: - curl: add byte range support to --variable reading from file - curl: make --etag-save acknowledge --create-dirs - 
getinfo: fix CURLINFO_QUEUE_TIME_T and add 'time_queue' var - getinfo: provide info which auth was used for HTTP and proxy - hyper: drop support - openssl: add support to use keys and certificates from PKCS#11 provider - QUIC: 0RTT for gnutls via CURLSSLOPT_EARLYDATA - vtls: feature ssls-export for SSL session im-/export * Bugfixes: - altsvc: avoid integer overflow in expire calculation - asyn-ares: acknowledge CURLOPT_DNS_SERVERS set to NULL - asyn-ares: fix memory leak - asyn-ares: initial HTTPS resolve support - asyn-thread: use c-ares to resolve HTTPS RR - async-thread: avoid closing eventfd twice - cd2nroff: do not insist on quoted <> within backticks - cd2nroff: support 'none' as a TLS backend - conncache: count shutdowns against host and max limits - content_encoding: drop support for zlib before 1.2.0.4 - content_encoding: namespace GZIP flag constants - content_encoding: put the decomp buffers into the writer structs - content_encoding: support use of custom libzstd memory functions - cookie: cap expire times to 400 days - cookie: parse only the exact expire date - curl: return error if etag options are used with multiple URLs - curl_multi_fdset: include the shutdown connections in the set - curl_sha512_256: rename symbols to the curl namespace - curl_url_set.md: adjust the added-in to 7.62.0 - doh: send HTTPS RR requests for all HTTP(S) transfers - easy: allow connect-only handle reuse with easy_perform - easy: make curl_easy_perform() return error if connection still there - easy_lock: use Sleep(1) for thread yield on old Windows - ECH: update APIs to those agreed with OpenSSL maintainers - GnuTLS: fix 'time_appconnect' for early data - HTTP/2: strip TE request header - http2: fix data_pending check - http2: fix value stored to 'result' is never read - http: ignore invalid Retry-After times - http_aws_sigv4: Fix invalid compare function handling zero-length pairs - https-connect: start next immediately on failure - lib: redirect handling by protocol 
handler - multi: fix curl_multi_waitfds reporting of fd_count - netrc: 'default' with no credentials is not a match - netrc: fix password-only entries - netrc: restore _netrc fallback logic - ngtcp2: fix memory leak on connect failure - openssl: define `HAVE_KEYLOG_CALLBACK` before use - openssl: fix ECH logic - osslq: use SSL_poll to determine writeability of QUIC streams - sectransp: free certificate on error - select: avoid a NULL deref in cwfds_add_sock - src: omit hugehelp and ca-embed from libcurltool - ssl session cache: change cache dimensions - system.h: add 64-bit curl_off_t definitions for NonStop - telnet: handle single-byte input option - TLS: check connection for SSL use, not handler - tool_formparse.c: make curlx_uztoso a static in here - tool_formparse: accept digits in --form type= strings - tool_getparam: ECH param parsing refix - tool_getparam: fail --hostpubsha256 if libssh2 is not used - tool_getparam: fix 'Ignored Return Value' - tool_getparam: fix memory leak on error in parse_ech - tool_getparam: fix the ECH parser - tool_operate: make --etag-compare always accept a non-existing file - transfer: fix CURLOPT_CURLU override logic - urlapi: fix redirect to a new fragment or query (only) - vquic: make vquic_send_packets not return without setting psent - vtls: fix default SSL backend as a fallback - vtls: only remember the expiry timestamp in session cache - websocket: fix message send corruption - x509asn1: add parse recursion limit The following package changes have been done: - SL-Micro-release-6.0-25.48 updated - libcurl-mini4-8.14.1-1.1 added - curl-8.14.1-1.1 updated - container:suse-toolbox-image-1.0.0-9.36 updated - krb5-1.20.1-7.1 removed - libcurl4-8.6.0-6.1 removed - libkeyutils1-1.6.3-3.1 removed - libldap2-2.6.4-4.12 removed - libsasl2-3-2.1.28-5.7 removed - libssh-config-0.10.6-2.1 removed - libssh4-0.10.6-2.1 removed - libverto1-0.3.2-12.5 removed From sle-container-updates at lists.suse.com Fri Sep 26 07:06:08 2025 From: 
sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Fri, 26 Sep 2025 09:06:08 +0200 (CEST) Subject: SUSE-IU-2025:2584-1: Security update of suse/sl-micro/6.0/kvm-os-container Message-ID: <20250926070608.29350FBA1@maintenance.suse.de> SUSE Image Update Advisory: suse/sl-micro/6.0/kvm-os-container ----------------------------------------------------------------- Image Advisory ID : SUSE-IU-2025:2584-1 Image Tags : suse/sl-micro/6.0/kvm-os-container:2.1.3 , suse/sl-micro/6.0/kvm-os-container:2.1.3-6.78 , suse/sl-micro/6.0/kvm-os-container:latest Image Release : 6.78 Severity : important Type : security References : 1246197 1249191 1249348 1249367 CVE-2025-10148 CVE-2025-9086 ----------------------------------------------------------------- The container suse/sl-micro/6.0/kvm-os-container was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: 477 Released: Thu Sep 25 12:52:04 2025 Summary: Security update for curl Type: security Severity: important References: 1246197,1249191,1249348,1249367,CVE-2025-10148,CVE-2025-9086 This update for curl fixes the following issues: - CVE-2025-9086: Fixed Out of bounds read for cookie path (bsc#1249191) - CVE-2025-10148: Predictable WebSocket mask (bsc#1249348) - Fix the --ftp-pasv option in curl v8.14.1 [bsc#1246197] - tool_operate: fix return code when --retry is used but not triggered [bsc#1249367] - Updated to 8.14.1: [jsc#PED-13055, jsc#PED-13056] * Add _multibuild * Bugfixes: - asyn-thrdd: fix cleanup when RR fails due to OOM - ftp: fix teardown of DATA connection in done - http: fail early when rewind of input failed when following redirects - multi: fix add_handle resizing - tls BIOs: handle BIO_CTRL_EOF correctly - tool_getparam: make --no-anyauth not be accepted - wolfssl: fix sending of early data - ws: handle blocked sends better - ws: tests and fixes - Sync spec file with SLE codestreams: 
[jsc#PED-13055, jsc#PED-13056] * Add curl-mini.rpmlintrc to avoid rpmlint shlib-policy-name-error when building the curl-mini package in SLE. * Add libssh minimum version requirements. * Use ldconfig_scriptlets when available. * Remove unused option --disable-ntlm-wb. - Update to 8.14.0: * Changes: - mqtt: send ping at upkeep interval - schannel: handle pkcs12 client certificates containing CA certificates - TLS: add CURLOPT_SSL_SIGNATURE_ALGORITHMS and --sigalgs - vquic: ngtcp2 + openssl support - wcurl: import v2025.04.20 script + docs - websocket: add option to disable auto-pong reply * Bugfixes: - asny-thrdd: fix detach from running thread - async-threaded resolver: use ref counter - async: DoH improvements - build: enable gcc-12/13+, clang-10+ picky warnings - build: enable gcc-15 picky warnings - certs: drop unused `default_bits` from `.prm` files - cf-https-connect: use the passed in dns struct pointer - cf-socket: fix FTP accept connect - cfilters: remove assert - cmake: fix nghttp3 static linking with `USE_OPENSSL_QUIC=ON` - cmake: prefer `COMPILE_OPTIONS` over `CMAKE_C_FLAGS` for custom C options - cmake: revert `CURL_LTO` behavior for multi-config generators - configure: fix --disable-rt - CONTRIBUTE: add project guidelines for AI use - cpool/cshutdown: force close connections under pressure - curl: fix memory leak when -h is used in config file - curl_get_line: handle lines ending on the buffer boundary - headers: enforce a max number of response header to accept - http: fix HTTP/2 handling of TE request header using 'trailers' - lib: include files using known path - lib: unify conversions to/from hex - libssh: add NULL check for Curl_meta_get() - libssh: fix memory leak - mqtt: use conn/easy meta hash - multi: do transfer book keeping using mid - multi: init_do(): check result - netrc: avoid NULL deref on weird input - netrc: avoid strdup NULL - netrc: deal with null token better - openssl-quic: avoid potential `-Wnull-dereference`, add assert - 
openssl-quic: fix shutdown when stream not open - openssl: enable builds for *both* engines and providers - openssl: set the cipher string before doing private cert - progress: avoid integer overflow when gathering total transfer size - rand: update comment on Curl_rand_bytes weak random - rustls: make max size of cert and key reasonable - smb: avoid integer overflow on weird input date - urlapi: redirecting to '' is considered fine - Update to 8.13.0: * Changes: - curl: add write-out variable 'tls_earlydata' - curl: make --url support a file with URLs - gnutls: set priority via --ciphers - IMAP: add CURLOPT_UPLOAD_FLAGS and --upload-flags - lib: add CURLFOLLOW_OBEYCODE and CURLFOLLOW_FIRSTONLY - OpenSSL/quictls: add support for TLSv1.3 early data - rustls: add support for CERTINFO - rustls: add support for SSLKEYLOGFILE - rustls: support ECH w/ DoH lookup for config - rustls: support native platform verifier - var: add a '64dec' function that can base64 decode a string * Bugfixes: - conn: fix connection reuse when SSL is optional - hash: use single linked list for entries - http2: detect session being closed on ingress handling - http2: reset stream on response header error - http: remove a HTTP method size restriction - http: version negotiation - httpsrr: fix port detection - libssh: fix freeing of resources in disconnect - libssh: fix scp large file upload for 32-bit size_t systems - openssl-quic: do not iterate over multi handles - openssl: check return value of X509_get0_pubkey - openssl: drop support for old OpenSSL/LibreSSL versions - openssl: fix crash on missing cert password - openssl: fix pkcs11 URI checking for key files. 
- openssl: remove bad `goto`s into other scope - setopt: illegal CURLOPT_SOCKS5_AUTH should return error - setopt: setting PROXYUSERPWD after PROXYUSERNAME/PASSWORD is fine - sshserver.pl: adjust `AuthorizedKeysFile2` cutoff version - sshserver: fix excluding obsolete client config lines - SSLCERTS: list support for SSL_CERT_FILE and SSL_CERT_DIR - tftpd: prefix TFTP protocol error `E*` constants with `TFTP_` - tool_operate: fail SSH transfers without server auth - url: call protocol handler's disconnect in Curl_conn_free - urlapi: remove percent encoded dot sequences from the URL path - urldata: remove 'hostname' from struct Curl_async - Update to 8.12.1: * Bugfixes: - asyn-thread: fix build with 'CURL_DISABLE_SOCKETPAIR' - asyn-thread: fix HTTPS RR crash - asyn-thread: fix the returned bitmask from Curl_resolver_getsock - asyn-thread: survive a c-ares channel set to NULL - cmake: always reference OpenSSL and ZLIB via imported targets - cmake: respect 'GNUTLS_CFLAGS' when detected via 'pkg-config' - cmake: respect 'GNUTLS_LIBRARY_DIRS' in 'libcurl.pc' and 'curl-config' - content_encoding: #error on too old zlib - imap: TLS upgrade fix - ldap: drop support for legacy Novell LDAP SDK - libssh2: comparison is always true because rc <= -1 - libssh2: raise lowest supported version to 1.2.8 - libssh: drop support for libssh older than 0.9.0 - openssl-quic: ignore ciphers for h3 - pop3: TLS upgrade fix - runtests: fix the disabling of the memory tracking - runtests: quote commands to support paths with spaces - scache: add magic checks - smb: silence '-Warray-bounds' with gcc 13+ - smtp: TLS upgrade fix - tool_cfgable: sort struct fields by size, use bitfields for booleans - tool_getparam: add 'TLS required' flag for each such option - vtls: fix multissl-init - wakeup_write: make sure the eventfd write sends eight bytes - Update to 8.12.0: * Changes: - curl: add byte range support to --variable reading from file - curl: make --etag-save acknowledge --create-dirs - 
getinfo: fix CURLINFO_QUEUE_TIME_T and add 'time_queue' var - getinfo: provide info which auth was used for HTTP and proxy - hyper: drop support - openssl: add support to use keys and certificates from PKCS#11 provider - QUIC: 0RTT for gnutls via CURLSSLOPT_EARLYDATA - vtls: feature ssls-export for SSL session im-/export * Bugfixes: - altsvc: avoid integer overflow in expire calculation - asyn-ares: acknowledge CURLOPT_DNS_SERVERS set to NULL - asyn-ares: fix memory leak - asyn-ares: initial HTTPS resolve support - asyn-thread: use c-ares to resolve HTTPS RR - async-thread: avoid closing eventfd twice - cd2nroff: do not insist on quoted <> within backticks - cd2nroff: support 'none' as a TLS backend - conncache: count shutdowns against host and max limits - content_encoding: drop support for zlib before 1.2.0.4 - content_encoding: namespace GZIP flag constants - content_encoding: put the decomp buffers into the writer structs - content_encoding: support use of custom libzstd memory functions - cookie: cap expire times to 400 days - cookie: parse only the exact expire date - curl: return error if etag options are used with multiple URLs - curl_multi_fdset: include the shutdown connections in the set - curl_sha512_256: rename symbols to the curl namespace - curl_url_set.md: adjust the added-in to 7.62.0 - doh: send HTTPS RR requests for all HTTP(S) transfers - easy: allow connect-only handle reuse with easy_perform - easy: make curl_easy_perform() return error if connection still there - easy_lock: use Sleep(1) for thread yield on old Windows - ECH: update APIs to those agreed with OpenSSL maintainers - GnuTLS: fix 'time_appconnect' for early data - HTTP/2: strip TE request header - http2: fix data_pending check - http2: fix value stored to 'result' is never read - http: ignore invalid Retry-After times - http_aws_sigv4: Fix invalid compare function handling zero-length pairs - https-connect: start next immediately on failure - lib: redirect handling by protocol 
handler - multi: fix curl_multi_waitfds reporting of fd_count - netrc: 'default' with no credentials is not a match - netrc: fix password-only entries - netrc: restore _netrc fallback logic - ngtcp2: fix memory leak on connect failure - openssl: define `HAVE_KEYLOG_CALLBACK` before use - openssl: fix ECH logic - osslq: use SSL_poll to determine writeability of QUIC streams - sectransp: free certificate on error - select: avoid a NULL deref in cwfds_add_sock - src: omit hugehelp and ca-embed from libcurltool - ssl session cache: change cache dimensions - system.h: add 64-bit curl_off_t definitions for NonStop - telnet: handle single-byte input option - TLS: check connection for SSL use, not handler - tool_formparse.c: make curlx_uztoso a static in here - tool_formparse: accept digits in --form type= strings - tool_getparam: ECH param parsing refix - tool_getparam: fail --hostpubsha256 if libssh2 is not used - tool_getparam: fix 'Ignored Return Value' - tool_getparam: fix memory leak on error in parse_ech - tool_getparam: fix the ECH parser - tool_operate: make --etag-compare always accept a non-existing file - transfer: fix CURLOPT_CURLU override logic - urlapi: fix redirect to a new fragment or query (only) - vquic: make vquic_send_packets not return without setting psent - vtls: fix default SSL backend as a fallback - vtls: only remember the expiry timestamp in session cache - websocket: fix message send corruption - x509asn1: add parse recursion limit The following package changes have been done: - SL-Micro-release-6.0-25.48 updated - libcurl-mini4-8.14.1-1.1 added - container:SL-Micro-base-container-2.1.3-7.55 updated - krb5-1.20.1-7.1 removed - libbrotlicommon1-1.1.0-1.6 removed - libbrotlidec1-1.1.0-1.6 removed - libcurl4-8.6.0-6.1 removed - libkeyutils1-1.6.3-3.1 removed - libldap2-2.6.4-4.12 removed - libsasl2-3-2.1.28-5.7 removed - libssh-config-0.10.6-2.1 removed - libssh4-0.10.6-2.1 removed - libverto1-0.3.2-12.5 removed From sle-container-updates at 
lists.suse.com Fri Sep 26 07:07:55 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Fri, 26 Sep 2025 09:07:55 +0200 (CEST) Subject: SUSE-CU-2025:7065-1: Security update of suse/sl-micro/6.0/toolbox Message-ID: <20250926070755.C0F93FBA1@maintenance.suse.de> SUSE Container Update Advisory: suse/sl-micro/6.0/toolbox ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:7065-1 Container Tags : suse/sl-micro/6.0/toolbox:13.2 , suse/sl-micro/6.0/toolbox:13.2-9.36 , suse/sl-micro/6.0/toolbox:latest Container Release : 9.36 Severity : important Type : security References : 1246197 1249191 1249348 1249367 CVE-2025-10148 CVE-2025-9086 ----------------------------------------------------------------- The container suse/sl-micro/6.0/toolbox was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: 477 Released: Thu Sep 25 12:52:04 2025 Summary: Security update for curl Type: security Severity: important References: 1246197,1249191,1249348,1249367,CVE-2025-10148,CVE-2025-9086 This update for curl fixes the following issues: - CVE-2025-9086: Fixed Out of bounds read for cookie path (bsc#1249191) - CVE-2025-10148: Predictable WebSocket mask (bsc#1249348) - Fix the --ftp-pasv option in curl v8.14.1 [bsc#1246197] - tool_operate: fix return code when --retry is used but not triggered [bsc#1249367] - Updated to 8.14.1: [jsc#PED-13055, jsc#PED-13056] * Add _multibuild * Bugfixes: - asyn-thrdd: fix cleanup when RR fails due to OOM - ftp: fix teardown of DATA connection in done - http: fail early when rewind of input failed when following redirects - multi: fix add_handle resizing - tls BIOs: handle BIO_CTRL_EOF correctly - tool_getparam: make --no-anyauth not be accepted - wolfssl: fix sending of early data - ws: handle blocked sends better - ws: tests and fixes - Sync spec file with SLE 
codestreams: [jsc#PED-13055, jsc#PED-13056] * Add curl-mini.rpmlintrc to avoid rpmlint shlib-policy-name-error when building the curl-mini package in SLE. * Add libssh minimum version requirements. * Use ldconfig_scriptlets when available. * Remove unused option --disable-ntlm-wb. - Update to 8.14.0: * Changes: - mqtt: send ping at upkeep interval - schannel: handle pkcs12 client certificates containing CA certificates - TLS: add CURLOPT_SSL_SIGNATURE_ALGORITHMS and --sigalgs - vquic: ngtcp2 + openssl support - wcurl: import v2025.04.20 script + docs - websocket: add option to disable auto-pong reply * Bugfixes: - asny-thrdd: fix detach from running thread - async-threaded resolver: use ref counter - async: DoH improvements - build: enable gcc-12/13+, clang-10+ picky warnings - build: enable gcc-15 picky warnings - certs: drop unused `default_bits` from `.prm` files - cf-https-connect: use the passed in dns struct pointer - cf-socket: fix FTP accept connect - cfilters: remove assert - cmake: fix nghttp3 static linking with `USE_OPENSSL_QUIC=ON` - cmake: prefer `COMPILE_OPTIONS` over `CMAKE_C_FLAGS` for custom C options - cmake: revert `CURL_LTO` behavior for multi-config generators - configure: fix --disable-rt - CONTRIBUTE: add project guidelines for AI use - cpool/cshutdown: force close connections under pressure - curl: fix memory leak when -h is used in config file - curl_get_line: handle lines ending on the buffer boundary - headers: enforce a max number of response header to accept - http: fix HTTP/2 handling of TE request header using 'trailers' - lib: include files using known path - lib: unify conversions to/from hex - libssh: add NULL check for Curl_meta_get() - libssh: fix memory leak - mqtt: use conn/easy meta hash - multi: do transfer book keeping using mid - multi: init_do(): check result - netrc: avoid NULL deref on weird input - netrc: avoid strdup NULL - netrc: deal with null token better - openssl-quic: avoid potential `-Wnull-dereference`, add 
assert - openssl-quic: fix shutdown when stream not open - openssl: enable builds for *both* engines and providers - openssl: set the cipher string before doing private cert - progress: avoid integer overflow when gathering total transfer size - rand: update comment on Curl_rand_bytes weak random - rustls: make max size of cert and key reasonable - smb: avoid integer overflow on weird input date - urlapi: redirecting to '' is considered fine - Update to 8.13.0: * Changes: - curl: add write-out variable 'tls_earlydata' - curl: make --url support a file with URLs - gnutls: set priority via --ciphers - IMAP: add CURLOPT_UPLOAD_FLAGS and --upload-flags - lib: add CURLFOLLOW_OBEYCODE and CURLFOLLOW_FIRSTONLY - OpenSSL/quictls: add support for TLSv1.3 early data - rustls: add support for CERTINFO - rustls: add support for SSLKEYLOGFILE - rustls: support ECH w/ DoH lookup for config - rustls: support native platform verifier - var: add a '64dec' function that can base64 decode a string * Bugfixes: - conn: fix connection reuse when SSL is optional - hash: use single linked list for entries - http2: detect session being closed on ingress handling - http2: reset stream on response header error - http: remove a HTTP method size restriction - http: version negotiation - httpsrr: fix port detection - libssh: fix freeing of resources in disconnect - libssh: fix scp large file upload for 32-bit size_t systems - openssl-quic: do not iterate over multi handles - openssl: check return value of X509_get0_pubkey - openssl: drop support for old OpenSSL/LibreSSL versions - openssl: fix crash on missing cert password - openssl: fix pkcs11 URI checking for key files. 
- openssl: remove bad `goto`s into other scope - setopt: illegal CURLOPT_SOCKS5_AUTH should return error - setopt: setting PROXYUSERPWD after PROXYUSERNAME/PASSWORD is fine - sshserver.pl: adjust `AuthorizedKeysFile2` cutoff version - sshserver: fix excluding obsolete client config lines - SSLCERTS: list support for SSL_CERT_FILE and SSL_CERT_DIR - tftpd: prefix TFTP protocol error `E*` constants with `TFTP_` - tool_operate: fail SSH transfers without server auth - url: call protocol handler's disconnect in Curl_conn_free - urlapi: remove percent encoded dot sequences from the URL path - urldata: remove 'hostname' from struct Curl_async - Update to 8.12.1: * Bugfixes: - asyn-thread: fix build with 'CURL_DISABLE_SOCKETPAIR' - asyn-thread: fix HTTPS RR crash - asyn-thread: fix the returned bitmask from Curl_resolver_getsock - asyn-thread: survive a c-ares channel set to NULL - cmake: always reference OpenSSL and ZLIB via imported targets - cmake: respect 'GNUTLS_CFLAGS' when detected via 'pkg-config' - cmake: respect 'GNUTLS_LIBRARY_DIRS' in 'libcurl.pc' and 'curl-config' - content_encoding: #error on too old zlib - imap: TLS upgrade fix - ldap: drop support for legacy Novell LDAP SDK - libssh2: comparison is always true because rc <= -1 - libssh2: raise lowest supported version to 1.2.8 - libssh: drop support for libssh older than 0.9.0 - openssl-quic: ignore ciphers for h3 - pop3: TLS upgrade fix - runtests: fix the disabling of the memory tracking - runtests: quote commands to support paths with spaces - scache: add magic checks - smb: silence '-Warray-bounds' with gcc 13+ - smtp: TLS upgrade fix - tool_cfgable: sort struct fields by size, use bitfields for booleans - tool_getparam: add 'TLS required' flag for each such option - vtls: fix multissl-init - wakeup_write: make sure the eventfd write sends eight bytes - Update to 8.12.0: * Changes: - curl: add byte range support to --variable reading from file - curl: make --etag-save acknowledge --create-dirs - 
getinfo: fix CURLINFO_QUEUE_TIME_T and add 'time_queue' var - getinfo: provide info which auth was used for HTTP and proxy - hyper: drop support - openssl: add support to use keys and certificates from PKCS#11 provider - QUIC: 0RTT for gnutls via CURLSSLOPT_EARLYDATA - vtls: feature ssls-export for SSL session im-/export * Bugfixes: - altsvc: avoid integer overflow in expire calculation - asyn-ares: acknowledge CURLOPT_DNS_SERVERS set to NULL - asyn-ares: fix memory leak - asyn-ares: initial HTTPS resolve support - asyn-thread: use c-ares to resolve HTTPS RR - async-thread: avoid closing eventfd twice - cd2nroff: do not insist on quoted <> within backticks - cd2nroff: support 'none' as a TLS backend - conncache: count shutdowns against host and max limits - content_encoding: drop support for zlib before 1.2.0.4 - content_encoding: namespace GZIP flag constants - content_encoding: put the decomp buffers into the writer structs - content_encoding: support use of custom libzstd memory functions - cookie: cap expire times to 400 days - cookie: parse only the exact expire date - curl: return error if etag options are used with multiple URLs - curl_multi_fdset: include the shutdown connections in the set - curl_sha512_256: rename symbols to the curl namespace - curl_url_set.md: adjust the added-in to 7.62.0 - doh: send HTTPS RR requests for all HTTP(S) transfers - easy: allow connect-only handle reuse with easy_perform - easy: make curl_easy_perform() return error if connection still there - easy_lock: use Sleep(1) for thread yield on old Windows - ECH: update APIs to those agreed with OpenSSL maintainers - GnuTLS: fix 'time_appconnect' for early data - HTTP/2: strip TE request header - http2: fix data_pending check - http2: fix value stored to 'result' is never read - http: ignore invalid Retry-After times - http_aws_sigv4: Fix invalid compare function handling zero-length pairs - https-connect: start next immediately on failure - lib: redirect handling by protocol 
handler - multi: fix curl_multi_waitfds reporting of fd_count - netrc: 'default' with no credentials is not a match - netrc: fix password-only entries - netrc: restore _netrc fallback logic - ngtcp2: fix memory leak on connect failure - openssl: define `HAVE_KEYLOG_CALLBACK` before use - openssl: fix ECH logic - osslq: use SSL_poll to determine writeability of QUIC streams - sectransp: free certificate on error - select: avoid a NULL deref in cwfds_add_sock - src: omit hugehelp and ca-embed from libcurltool - ssl session cache: change cache dimensions - system.h: add 64-bit curl_off_t definitions for NonStop - telnet: handle single-byte input option - TLS: check connection for SSL use, not handler - tool_formparse.c: make curlx_uztoso a static in here - tool_formparse: accept digits in --form type= strings - tool_getparam: ECH param parsing refix - tool_getparam: fail --hostpubsha256 if libssh2 is not used - tool_getparam: fix 'Ignored Return Value' - tool_getparam: fix memory leak on error in parse_ech - tool_getparam: fix the ECH parser - tool_operate: make --etag-compare always accept a non-existing file - transfer: fix CURLOPT_CURLU override logic - urlapi: fix redirect to a new fragment or query (only) - vquic: make vquic_send_packets not return without setting psent - vtls: fix default SSL backend as a fallback - vtls: only remember the expiry timestamp in session cache - websocket: fix message send corruption - x509asn1: add parse recursion limit The following package changes have been done: - SL-Micro-release-6.0-25.48 updated - curl-8.14.1-1.1 updated - libcurl-mini4-8.14.1-1.1 added - skelcd-EULA-SL-Micro-2024.01.19-8.47 updated - krb5-1.20.1-7.1 removed - libbrotlicommon1-1.1.0-1.6 removed - libbrotlidec1-1.1.0-1.6 removed - libcom_err2-1.47.0-3.1 removed - libcurl4-8.6.0-6.1 removed - libkeyutils1-1.6.3-3.1 removed - libssh-config-0.10.6-2.1 removed - libssh4-0.10.6-2.1 removed - libverto1-0.3.2-12.5 removed From sle-container-updates at lists.suse.com 
Fri Sep 26 07:12:21 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Fri, 26 Sep 2025 09:12:21 +0200 (CEST) Subject: SUSE-CU-2025:7067-1: Security update of suse/kiosk/xorg-client Message-ID: <20250926071221.CBEDDFB9C@maintenance.suse.de> SUSE Container Update Advisory: suse/kiosk/xorg-client ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:7067-1 Container Tags : suse/kiosk/xorg-client:21 , suse/kiosk/xorg-client:21-64.26 , suse/kiosk/xorg-client:latest Container Release : 64.26 Severity : low Type : security References : 1111638 CVE-2018-18088 ----------------------------------------------------------------- The container suse/kiosk/xorg-client was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:3352-1 Released: Thu Sep 25 13:50:15 2025 Summary: Security update for openjpeg2 Type: security Severity: low References: 1111638,CVE-2018-18088 This update for openjpeg2 fixes the following issues: - CVE-2018-18088: Fixed a null pointer dereferencei in imagetopnm function. (bsc#1111638). 
The following package changes have been done: - libopenjp2-7-2.3.0-150000.3.21.1 updated - container:suse-sle15-15.7-58f9c044bea87805cae0e4122c7157699ff07944d120923c8f92ba4d9a128a2a-0 updated - container:registry.suse.com-bci-bci-micro-15.7-f98a5deb3bf91c48bf953f57d3a0bfe7a691340a7abe2a2157c3f8ceb87f4e57-0 updated From sle-container-updates at lists.suse.com Fri Sep 26 07:12:13 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Fri, 26 Sep 2025 09:12:13 +0200 (CEST) Subject: SUSE-CU-2025:7066-1: Security update of suse/kiosk/firefox-esr Message-ID: <20250926071213.CCACCFB9C@maintenance.suse.de> SUSE Container Update Advisory: suse/kiosk/firefox-esr ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:7066-1 Container Tags : suse/kiosk/firefox-esr:140.3 , suse/kiosk/firefox-esr:140.3-64.36 , suse/kiosk/firefox-esr:esr , suse/kiosk/firefox-esr:latest Container Release : 64.36 Severity : low Type : security References : 1111638 CVE-2018-18088 ----------------------------------------------------------------- The container suse/kiosk/firefox-esr was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:3352-1 Released: Thu Sep 25 13:50:15 2025 Summary: Security update for openjpeg2 Type: security Severity: low References: 1111638,CVE-2018-18088 This update for openjpeg2 fixes the following issues: - CVE-2018-18088: Fixed a null pointer dereference in imagetopnm function. (bsc#1111638). 
The following package changes have been done: - libopenjp2-7-2.3.0-150000.3.21.1 updated From sle-container-updates at lists.suse.com Fri Sep 26 12:52:41 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Fri, 26 Sep 2025 14:52:41 +0200 (CEST) Subject: SUSE-IU-2025:2589-1: Security update of suse/sl-micro/6.0/baremetal-os-container Message-ID: <20250926125241.C4ABAF783@maintenance.suse.de> SUSE Image Update Advisory: suse/sl-micro/6.0/baremetal-os-container ----------------------------------------------------------------- Image Advisory ID : SUSE-IU-2025:2589-1 Image Tags : suse/sl-micro/6.0/baremetal-os-container:2.1.3 , suse/sl-micro/6.0/baremetal-os-container:2.1.3-6.88 , suse/sl-micro/6.0/baremetal-os-container:latest Image Release : 6.88 Severity : moderate Type : security References : 1243581 1248410 1248687 142461 544339 CVE-2025-46836 ----------------------------------------------------------------- The container suse/sl-micro/6.0/baremetal-os-container was updated. 
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: 478 Released: Fri Sep 26 11:29:17 2025 Summary: Security update for net-tools Type: security Severity: moderate References: 1243581,1248410,1248687,142461,544339,CVE-2025-46836 This update for net-tools fixes the following issues: - Fixed stack buffer overflow in parse_hex, proc_gen_fmt, ax25 and netrom (bsc#1248687) - Fixed stack overflow in ax25 and netrom (bsc#1248687) - CVE-2025-46836: Fixed stack buffer overflow caused by the absence of bound checks (bsc#1243581) The following package changes have been done: - net-tools-2.10-4.1 updated From sle-container-updates at lists.suse.com Fri Sep 26 12:54:03 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Fri, 26 Sep 2025 14:54:03 +0200 (CEST) Subject: SUSE-IU-2025:2590-1: Security update of suse/sl-micro/6.0/rt-os-container Message-ID: <20250926125403.93160F783@maintenance.suse.de> SUSE Image Update Advisory: suse/sl-micro/6.0/rt-os-container ----------------------------------------------------------------- Image Advisory ID : SUSE-IU-2025:2590-1 Image Tags : suse/sl-micro/6.0/rt-os-container:2.1.3 , suse/sl-micro/6.0/rt-os-container:2.1.3-7.88 , suse/sl-micro/6.0/rt-os-container:latest Image Release : 7.88 Severity : important Type : security References : 1246197 1249191 1249348 1249367 CVE-2025-10148 CVE-2025-9086 ----------------------------------------------------------------- The container suse/sl-micro/6.0/rt-os-container was updated. 
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: 477 Released: Thu Sep 25 12:52:04 2025 Summary: Security update for curl Type: security Severity: important References: 1246197,1249191,1249348,1249367,CVE-2025-10148,CVE-2025-9086 This update for curl fixes the following issues: - CVE-2025-9086: Fixed Out of bounds read for cookie path (bsc#1249191) - CVE-2025-10148: Predictable WebSocket mask (bsc#1249348) - Fix the --ftp-pasv option in curl v8.14.1 [bsc#1246197] - tool_operate: fix return code when --retry is used but not triggered [bsc#1249367] - Updated to 8.14.1: [jsc#PED-13055, jsc#PED-13056] * Add _multibuild * Bugfixes: - asyn-thrdd: fix cleanup when RR fails due to OOM - ftp: fix teardown of DATA connection in done - http: fail early when rewind of input failed when following redirects - multi: fix add_handle resizing - tls BIOs: handle BIO_CTRL_EOF correctly - tool_getparam: make --no-anyauth not be accepted - wolfssl: fix sending of early data - ws: handle blocked sends better - ws: tests and fixes - Sync spec file with SLE codestreams: [jsc#PED-13055, jsc#PED-13056] * Add curl-mini.rpmlintrc to avoid rpmlint shlib-policy-name-error when building the curl-mini package in SLE. * Add libssh minimum version requirements. * Use ldconfig_scriptlets when available. * Remove unused option --disable-ntlm-wb. 
- Update to 8.14.0: * Changes: - mqtt: send ping at upkeep interval - schannel: handle pkcs12 client certificates containing CA certificates - TLS: add CURLOPT_SSL_SIGNATURE_ALGORITHMS and --sigalgs - vquic: ngtcp2 + openssl support - wcurl: import v2025.04.20 script + docs - websocket: add option to disable auto-pong reply * Bugfixes: - asny-thrdd: fix detach from running thread - async-threaded resolver: use ref counter - async: DoH improvements - build: enable gcc-12/13+, clang-10+ picky warnings - build: enable gcc-15 picky warnings - certs: drop unused `default_bits` from `.prm` files - cf-https-connect: use the passed in dns struct pointer - cf-socket: fix FTP accept connect - cfilters: remove assert - cmake: fix nghttp3 static linking with `USE_OPENSSL_QUIC=ON` - cmake: prefer `COMPILE_OPTIONS` over `CMAKE_C_FLAGS` for custom C options - cmake: revert `CURL_LTO` behavior for multi-config generators - configure: fix --disable-rt - CONTRIBUTE: add project guidelines for AI use - cpool/cshutdown: force close connections under pressure - curl: fix memory leak when -h is used in config file - curl_get_line: handle lines ending on the buffer boundary - headers: enforce a max number of response header to accept - http: fix HTTP/2 handling of TE request header using 'trailers' - lib: include files using known path - lib: unify conversions to/from hex - libssh: add NULL check for Curl_meta_get() - libssh: fix memory leak - mqtt: use conn/easy meta hash - multi: do transfer book keeping using mid - multi: init_do(): check result - netrc: avoid NULL deref on weird input - netrc: avoid strdup NULL - netrc: deal with null token better - openssl-quic: avoid potential `-Wnull-dereference`, add assert - openssl-quic: fix shutdown when stream not open - openssl: enable builds for *both* engines and providers - openssl: set the cipher string before doing private cert - progress: avoid integer overflow when gathering total transfer size - rand: update comment on 
Curl_rand_bytes weak random - rustls: make max size of cert and key reasonable - smb: avoid integer overflow on weird input date - urlapi: redirecting to '' is considered fine - Update to 8.13.0: * Changes: - curl: add write-out variable 'tls_earlydata' - curl: make --url support a file with URLs - gnutls: set priority via --ciphers - IMAP: add CURLOPT_UPLOAD_FLAGS and --upload-flags - lib: add CURLFOLLOW_OBEYCODE and CURLFOLLOW_FIRSTONLY - OpenSSL/quictls: add support for TLSv1.3 early data - rustls: add support for CERTINFO - rustls: add support for SSLKEYLOGFILE - rustls: support ECH w/ DoH lookup for config - rustls: support native platform verifier - var: add a '64dec' function that can base64 decode a string * Bugfixes: - conn: fix connection reuse when SSL is optional - hash: use single linked list for entries - http2: detect session being closed on ingress handling - http2: reset stream on response header error - http: remove a HTTP method size restriction - http: version negotiation - httpsrr: fix port detection - libssh: fix freeing of resources in disconnect - libssh: fix scp large file upload for 32-bit size_t systems - openssl-quic: do not iterate over multi handles - openssl: check return value of X509_get0_pubkey - openssl: drop support for old OpenSSL/LibreSSL versions - openssl: fix crash on missing cert password - openssl: fix pkcs11 URI checking for key files. 
- openssl: remove bad `goto`s into other scope - setopt: illegal CURLOPT_SOCKS5_AUTH should return error - setopt: setting PROXYUSERPWD after PROXYUSERNAME/PASSWORD is fine - sshserver.pl: adjust `AuthorizedKeysFile2` cutoff version - sshserver: fix excluding obsolete client config lines - SSLCERTS: list support for SSL_CERT_FILE and SSL_CERT_DIR - tftpd: prefix TFTP protocol error `E*` constants with `TFTP_` - tool_operate: fail SSH transfers without server auth - url: call protocol handler's disconnect in Curl_conn_free - urlapi: remove percent encoded dot sequences from the URL path - urldata: remove 'hostname' from struct Curl_async - Update to 8.12.1: * Bugfixes: - asyn-thread: fix build with 'CURL_DISABLE_SOCKETPAIR' - asyn-thread: fix HTTPS RR crash - asyn-thread: fix the returned bitmask from Curl_resolver_getsock - asyn-thread: survive a c-ares channel set to NULL - cmake: always reference OpenSSL and ZLIB via imported targets - cmake: respect 'GNUTLS_CFLAGS' when detected via 'pkg-config' - cmake: respect 'GNUTLS_LIBRARY_DIRS' in 'libcurl.pc' and 'curl-config' - content_encoding: #error on too old zlib - imap: TLS upgrade fix - ldap: drop support for legacy Novell LDAP SDK - libssh2: comparison is always true because rc <= -1 - libssh2: raise lowest supported version to 1.2.8 - libssh: drop support for libssh older than 0.9.0 - openssl-quic: ignore ciphers for h3 - pop3: TLS upgrade fix - runtests: fix the disabling of the memory tracking - runtests: quote commands to support paths with spaces - scache: add magic checks - smb: silence '-Warray-bounds' with gcc 13+ - smtp: TLS upgrade fix - tool_cfgable: sort struct fields by size, use bitfields for booleans - tool_getparam: add 'TLS required' flag for each such option - vtls: fix multissl-init - wakeup_write: make sure the eventfd write sends eight bytes - Update to 8.12.0: * Changes: - curl: add byte range support to --variable reading from file - curl: make --etag-save acknowledge --create-dirs - 
getinfo: fix CURLINFO_QUEUE_TIME_T and add 'time_queue' var - getinfo: provide info which auth was used for HTTP and proxy - hyper: drop support - openssl: add support to use keys and certificates from PKCS#11 provider - QUIC: 0RTT for gnutls via CURLSSLOPT_EARLYDATA - vtls: feature ssls-export for SSL session im-/export * Bugfixes: - altsvc: avoid integer overflow in expire calculation - asyn-ares: acknowledge CURLOPT_DNS_SERVERS set to NULL - asyn-ares: fix memory leak - asyn-ares: initial HTTPS resolve support - asyn-thread: use c-ares to resolve HTTPS RR - async-thread: avoid closing eventfd twice - cd2nroff: do not insist on quoted <> within backticks - cd2nroff: support 'none' as a TLS backend - conncache: count shutdowns against host and max limits - content_encoding: drop support for zlib before 1.2.0.4 - content_encoding: namespace GZIP flag constants - content_encoding: put the decomp buffers into the writer structs - content_encoding: support use of custom libzstd memory functions - cookie: cap expire times to 400 days - cookie: parse only the exact expire date - curl: return error if etag options are used with multiple URLs - curl_multi_fdset: include the shutdown connections in the set - curl_sha512_256: rename symbols to the curl namespace - curl_url_set.md: adjust the added-in to 7.62.0 - doh: send HTTPS RR requests for all HTTP(S) transfers - easy: allow connect-only handle reuse with easy_perform - easy: make curl_easy_perform() return error if connection still there - easy_lock: use Sleep(1) for thread yield on old Windows - ECH: update APIs to those agreed with OpenSSL maintainers - GnuTLS: fix 'time_appconnect' for early data - HTTP/2: strip TE request header - http2: fix data_pending check - http2: fix value stored to 'result' is never read - http: ignore invalid Retry-After times - http_aws_sigv4: Fix invalid compare function handling zero-length pairs - https-connect: start next immediately on failure - lib: redirect handling by protocol 
handler - multi: fix curl_multi_waitfds reporting of fd_count - netrc: 'default' with no credentials is not a match - netrc: fix password-only entries - netrc: restore _netrc fallback logic - ngtcp2: fix memory leak on connect failure - openssl: define `HAVE_KEYLOG_CALLBACK` before use - openssl: fix ECH logic - osslq: use SSL_poll to determine writeability of QUIC streams - sectransp: free certificate on error - select: avoid a NULL deref in cwfds_add_sock - src: omit hugehelp and ca-embed from libcurltool - ssl session cache: change cache dimensions - system.h: add 64-bit curl_off_t definitions for NonStop - telnet: handle single-byte input option - TLS: check connection for SSL use, not handler - tool_formparse.c: make curlx_uztoso a static in here - tool_formparse: accept digits in --form type= strings - tool_getparam: ECH param parsing refix - tool_getparam: fail --hostpubsha256 if libssh2 is not used - tool_getparam: fix 'Ignored Return Value' - tool_getparam: fix memory leak on error in parse_ech - tool_getparam: fix the ECH parser - tool_operate: make --etag-compare always accept a non-existing file - transfer: fix CURLOPT_CURLU override logic - urlapi: fix redirect to a new fragment or query (only) - vquic: make vquic_send_packets not return without setting psent - vtls: fix default SSL backend as a fallback - vtls: only remember the expiry timestamp in session cache - websocket: fix message send corruption - x509asn1: add parse recursion limit The following package changes have been done: - SL-Micro-release-6.0-25.48 updated - libcurl-mini4-8.14.1-1.1 added - container:SL-Micro-container-2.1.3-6.88 updated - krb5-1.20.1-7.1 removed - libbrotlicommon1-1.1.0-1.6 removed - libbrotlidec1-1.1.0-1.6 removed - libcurl4-8.6.0-6.1 removed - libkeyutils1-1.6.3-3.1 removed - libldap2-2.6.4-4.12 removed - libsasl2-3-2.1.28-5.7 removed - libssh-config-0.10.6-2.1 removed - libssh4-0.10.6-2.1 removed - libverto1-0.3.2-12.5 removed From sle-container-updates at 
lists.suse.com Fri Sep 26 12:57:13 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Fri, 26 Sep 2025 14:57:13 +0200 (CEST) Subject: SUSE-IU-2025:2591-1: Security update of suse/sl-micro/6.1/base-os-container Message-ID: <20250926125713.D99A2F783@maintenance.suse.de> SUSE Image Update Advisory: suse/sl-micro/6.1/base-os-container ----------------------------------------------------------------- Image Advisory ID : SUSE-IU-2025:2591-1 Image Tags : suse/sl-micro/6.1/base-os-container:2.2.1 , suse/sl-micro/6.1/base-os-container:2.2.1-5.37 , suse/sl-micro/6.1/base-os-container:latest Image Release : 5.37 Severity : important Type : security References : 1215484 1220905 1230642 1230944 1231605 1234022 1234881 1249191 1249348 1249367 CVE-2025-10148 CVE-2025-9086 ----------------------------------------------------------------- The container suse/sl-micro/6.1/base-os-container was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: 286 Released: Fri Sep 26 11:21:50 2025 Summary: Security update for curl Type: security Severity: important References: 1215484,1220905,1230642,1230944,1231605,1234022,1234881,1249191,1249348,1249367,CVE-2025-10148,CVE-2025-9086 This update for curl fixes the following issues: - tool_operate: fix return code when --retry is used but not triggered [bsc#1249367] - Security fixes: * CVE-2025-9086: Fixed Out of bounds read for cookie path (bsc#1249191) * CVE-2025-10148: Fixed predictable WebSocket mask (bsc#1249348) The following package changes have been done: - SL-Micro-release-6.1-slfo.1.11.60 updated - libcurl4-8.14.1-slfo.1.1_2.1 updated - curl-8.14.1-slfo.1.1_2.1 updated - container:suse-toolbox-image-1.0.0-4.76 updated From sle-container-updates at lists.suse.com Fri Sep 26 12:58:11 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Fri, 26 Sep 2025 
14:58:11 +0200 (CEST) Subject: SUSE-IU-2025:2592-1: Security update of suse/sl-micro/6.1/rt-os-container Message-ID: <20250926125811.3D45CF783@maintenance.suse.de> SUSE Image Update Advisory: suse/sl-micro/6.1/rt-os-container ----------------------------------------------------------------- Image Advisory ID : SUSE-IU-2025:2592-1 Image Tags : suse/sl-micro/6.1/rt-os-container:2.2.1 , suse/sl-micro/6.1/rt-os-container:2.2.1-5.25 , suse/sl-micro/6.1/rt-os-container:latest Image Release : 5.25 Severity : important Type : security References : 1215484 1220905 1230642 1230944 1231605 1234022 1234881 1249191 1249348 1249367 CVE-2025-10148 CVE-2025-9086 ----------------------------------------------------------------- The container suse/sl-micro/6.1/rt-os-container was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: 286 Released: Fri Sep 26 11:21:50 2025 Summary: Security update for curl Type: security Severity: important References: 1215484,1220905,1230642,1230944,1231605,1234022,1234881,1249191,1249348,1249367,CVE-2025-10148,CVE-2025-9086 This update for curl fixes the following issues: - tool_operate: fix return code when --retry is used but not triggered [bsc#1249367] - Security fixes: * CVE-2025-9086: Fixed Out of bounds read for cookie path (bsc#1249191) * CVE-2025-10148: Fixed predictable WebSocket mask (bsc#1249348) The following package changes have been done: - SL-Micro-release-6.1-slfo.1.11.60 updated - libcurl4-8.14.1-slfo.1.1_2.1 updated - container:SL-Micro-container-2.2.1-7.12 updated From sle-container-updates at lists.suse.com Fri Sep 26 14:57:06 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Fri, 26 Sep 2025 16:57:06 +0200 (CEST) Subject: SUSE-CU-2025:7074-1: Security update of private-registry/harbor-trivy-adapter Message-ID: <20250926145706.1D00DF783@maintenance.suse.de> SUSE Container Update Advisory: 
private-registry/harbor-trivy-adapter ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:7074-1 Container Tags : private-registry/harbor-trivy-adapter:0.33.2 , private-registry/harbor-trivy-adapter:0.33.2-2.43 , private-registry/harbor-trivy-adapter:latest Container Release : 2.43 Severity : moderate Type : security References : 1246974 1249375 CVE-2025-8114 CVE-2025-8277 ----------------------------------------------------------------- The container private-registry/harbor-trivy-adapter was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:3369-1 Released: Fri Sep 26 12:54:43 2025 Summary: Security update for libssh Type: security Severity: moderate References: 1246974,1249375,CVE-2025-8114,CVE-2025-8277 This update for libssh fixes the following issues: - CVE-2025-8277: memory exhaustion leading to client-side DoS due to improper memory management when KEX process is repeated with incorrect guesses (bsc#1249375). - CVE-2025-8114: NULL pointer dereference when an allocation error happens during the calculation of the KEX session ID (bsc#1246974). 
The following package changes have been done: - libssh-config-0.9.8-150600.11.6.1 updated - libssh4-0.9.8-150600.11.6.1 updated - container:suse-sle15-15.6-e3235826fda424ffcadb5c16b55bcdffc50fd00aa3bfe3d0e13a1b34be967169-0 updated - container:registry.suse.com-bci-bci-micro-15.6-a5dcf2ffb40979daa8fda00fc233a5409037207662f4aa6f86d6465c94465b44-0 updated From sle-container-updates at lists.suse.com Sat Sep 27 07:04:17 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Sat, 27 Sep 2025 09:04:17 +0200 (CEST) Subject: SUSE-CU-2025:7075-1: Security update of suse/ltss/sle12.5/sles12sp5 Message-ID: <20250927070417.3E647FB9C@maintenance.suse.de> SUSE Container Update Advisory: suse/ltss/sle12.5/sles12sp5 ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:7075-1 Container Tags : suse/ltss/sle12.5/sles12sp5:8.5.137 , suse/ltss/sle12.5/sles12sp5:latest Container Release : 8.5.137 Severity : moderate Type : security References : 1246974 1249375 CVE-2025-8114 CVE-2025-8277 ----------------------------------------------------------------- The container suse/ltss/sle12.5/sles12sp5 was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:3368-1 Released: Fri Sep 26 12:53:32 2025 Summary: Security update for libssh Type: security Severity: moderate References: 1246974,1249375,CVE-2025-8114,CVE-2025-8277 This update for libssh fixes the following issues: - CVE-2025-8277: memory exhaustion leading to client-side DoS due to improper memory management when KEX process is repeated with incorrect guesses (bsc#1249375). - CVE-2025-8114: NULL pointer dereference when an allocation error happens during the calculation of the KEX session ID (bsc#1246974). 
The following package changes have been done: - libssh-config-0.9.8-3.18.1 updated - libssh4-0.9.8-3.18.1 updated From sle-container-updates at lists.suse.com Sat Sep 27 07:09:23 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Sat, 27 Sep 2025 09:09:23 +0200 (CEST) Subject: SUSE-CU-2025:7077-1: Security update of suse/hpc/warewulf4-x86_64/sle-hpc-node Message-ID: <20250927070923.8C930FB9C@maintenance.suse.de> SUSE Container Update Advisory: suse/hpc/warewulf4-x86_64/sle-hpc-node ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:7077-1 Container Tags : suse/hpc/warewulf4-x86_64/sle-hpc-node:15.6 , suse/hpc/warewulf4-x86_64/sle-hpc-node:15.6.17.8.111 , suse/hpc/warewulf4-x86_64/sle-hpc-node:latest Container Release : 17.8.111 Severity : important Type : security References : 1012628 1213545 1215199 1217885 1221858 1222323 1230557 1230708 1232089 1233120 1234156 1237595 1240708 1240890 1241353 1242034 1242754 1242960 1243005 1244734 1244930 1245663 1245710 1245767 1245780 1245815 1245956 1245973 1245977 1246005 1246012 1246181 1246193 1246602 1246604 1246974 1247057 1247078 1247112 1247116 1247119 1247155 1247162 1247167 1247229 1247243 1247280 1247313 1247712 1247819 1247938 1247939 1247976 1248088 1248108 1248164 1248166 1248178 1248179 1248180 1248183 1248186 1248194 1248196 1248198 1248205 1248206 1248208 1248209 1248212 1248213 1248214 1248216 1248217 1248223 1248227 1248228 1248229 1248240 1248255 1248297 1248306 1248312 1248333 1248337 1248338 1248340 1248341 1248345 1248349 1248350 1248354 1248355 1248361 1248363 1248368 1248374 1248377 1248386 1248390 1248395 1248399 1248401 1248511 1248573 1248575 1248577 1248609 1248614 1248617 1248621 1248636 1248643 1248648 1248652 1248655 1248660 1248666 1248669 1248746 1248748 1249022 1249346 1249375 CVE-2023-3867 CVE-2023-4130 CVE-2023-4515 CVE-2024-26661 CVE-2024-46733 CVE-2024-49996 CVE-2024-53125 CVE-2024-58238 
CVE-2024-58239 CVE-2025-37885 CVE-2025-38006 CVE-2025-38075 CVE-2025-38103 CVE-2025-38125 CVE-2025-38146 CVE-2025-38160 CVE-2025-38184 CVE-2025-38185 CVE-2025-38190 CVE-2025-38201 CVE-2025-38205 CVE-2025-38208 CVE-2025-38245 CVE-2025-38251 CVE-2025-38360 CVE-2025-38439 CVE-2025-38441 CVE-2025-38444 CVE-2025-38445 CVE-2025-38458 CVE-2025-38459 CVE-2025-38464 CVE-2025-38472 CVE-2025-38490 CVE-2025-38491 CVE-2025-38499 CVE-2025-38500 CVE-2025-38503 CVE-2025-38506 CVE-2025-38510 CVE-2025-38512 CVE-2025-38513 CVE-2025-38515 CVE-2025-38516 CVE-2025-38520 CVE-2025-38524 CVE-2025-38528 CVE-2025-38529 CVE-2025-38530 CVE-2025-38531 CVE-2025-38535 CVE-2025-38537 CVE-2025-38538 CVE-2025-38540 CVE-2025-38541 CVE-2025-38543 CVE-2025-38546 CVE-2025-38548 CVE-2025-38550 CVE-2025-38553 CVE-2025-38555 CVE-2025-38560 CVE-2025-38563 CVE-2025-38565 CVE-2025-38566 CVE-2025-38568 CVE-2025-38571 CVE-2025-38572 CVE-2025-38576 CVE-2025-38581 CVE-2025-38582 CVE-2025-38583 CVE-2025-38585 CVE-2025-38587 CVE-2025-38588 CVE-2025-38591 CVE-2025-38601 CVE-2025-38602 CVE-2025-38604 CVE-2025-38608 CVE-2025-38609 CVE-2025-38610 CVE-2025-38612 CVE-2025-38617 CVE-2025-38618 CVE-2025-38621 CVE-2025-38624 CVE-2025-38630 CVE-2025-38632 CVE-2025-38634 CVE-2025-38635 CVE-2025-38644 CVE-2025-38646 CVE-2025-38650 CVE-2025-38656 CVE-2025-38663 CVE-2025-38665 CVE-2025-38670 CVE-2025-38671 CVE-2025-53905 CVE-2025-53906 CVE-2025-55157 CVE-2025-55158 CVE-2025-8114 CVE-2025-8277 ----------------------------------------------------------------- The container suse/hpc/warewulf4-x86_64/sle-hpc-node was updated. 
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:3300-1 Released: Tue Sep 23 11:03:41 2025 Summary: Security update for vim Type: security Severity: moderate References: 1246602,1246604,1247938,1247939,CVE-2025-53905,CVE-2025-53906,CVE-2025-55157,CVE-2025-55158 This update for vim fixes the following issues: Updated to 9.1.1629: - CVE-2025-53905: Fixed malicious tar archive potentially causing a path traversal in Vim's tar.vim plugin (bsc#1246604) - CVE-2025-53906: Fixed malicious zip archive potentially causing a path traversal in Vim's zip (bsc#1246602) - CVE-2025-55157: Fixed use-after-free in internal tuple reference management (bsc#1247938) - CVE-2025-55158: Fixed double-free in internal typed value (typval_T) management (bsc#1247939) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:3301-1 Released: Tue Sep 23 11:05:09 2025 Summary: Security update for the Linux Kernel Type: security Severity: important References: 
1012628,1213545,1215199,1221858,1222323,1230557,1230708,1232089,1233120,1234156,1240708,1240890,1241353,1242034,1242754,1242960,1244734,1244930,1245663,1245710,1245767,1245780,1245815,1245956,1245973,1245977,1246005,1246012,1246181,1246193,1247057,1247078,1247112,1247116,1247119,1247155,1247162,1247167,1247229,1247243,1247280,1247313,1247712,1247976,1248088,1248108,1248164,1248166,1248178,1248179,1248180,1248183,1248186,1248194,1248196,1248198,1248205,1248206,1248208,1248209,1248212,1248213,1248214,1248216,1248217,1248223,1248227,1248228,1248229,1248240,1248255,1248297,1248306,1248312,1248333,1248337,1248338,1248340,1248341,1248345,1248349,1248350,1248354,1248355,1248361,1248363,1248368,1248374,1248377,1248386,1248390,1248395,1248399,1248401,1248511,1248573,1248575,1248577,1248609,1248614,1248617,1248621,1248636,1248643,1248648,1248652,1248655,1248666,1248669,1248746,1248748,1249022,1249346,CVE-2023-3867,CVE-2023-4130,CVE-2023-4515,CVE-2024-26661,CVE-2024-46733,CVE-2024-49996,CVE-2024-53125,CVE-2024-58238,CVE-2024-58239,CVE-2025-37885,CVE-2025-38006,CVE-2025-38075,CVE-2025-38103,CVE-2025-38125,CVE-2025-38146,CVE-2025-38160,CVE-2025-38184,CVE-2025-38185,CVE-2025-38190,CVE-2025-38201,CVE-2025-38205,CVE-2025-38208,CVE-2025-38245,CVE-2025-38251,CVE-2025-38360,CVE-2025-38439,CVE-2025-38441,CVE-2025-38444,CVE-2025-38445,CVE-2025-38458,CVE-2025-38459,CVE-2025-38464,CVE-2025-38472,CVE-2025-38490,CVE-2025-38491,CVE-2025-38499,CVE-2025-38500,CVE-2025-38503,CVE-2025-38506,CVE-2025-38510,CVE-2025-38512,CVE-2025-38513,CVE-2025-38515,CVE-2025-38516,CVE-2025-38520,CVE-2025-38524,CVE-2025-38528,CVE-2025-38529,CVE-2025-38530,CVE-2025-38531,CVE-2025-38535,CVE-2025-38537,CVE-2025-38538,CVE-2025-38540,CVE-2025-38541,CVE-2025-38543,CVE-2025-38546,CVE-2025-38548,CVE-2025-38550,CVE-2025-38553,CVE-2025-38555,CVE-2025-38560,CVE-2025-38563,CVE-2025-38565,CVE-2025-38566,CVE-2025-38568,CVE-2025-38571,CVE-2025-38572,CVE-2025-38576,CVE-2025-38581,CVE-2025-38582,CVE-2025-38583,
CVE-2025-38585,CVE-2025-38587,CVE-2025-38588,CVE-2025-38591,CVE-2025-38601,CVE-2025-38602,CVE-2025-38604,CVE-2025-38608,CVE-2025-38609,CVE-2025-38610,CVE-2025-38612,CVE-2025-38617,CVE-2025-38618,CVE-2025-38621,CVE-2025-38624,CVE-2025-38630,CVE-2025-38632,CVE-2025-38634,CVE-2025-38635,CVE-2025-38644,CVE-2025-38646,CVE-2025-38650,CVE-2025-38656,CVE-2025-38663,CVE-2025-38665,CVE-2025-38670,CVE-2025-38671 The SUSE Linux Enterprise 15 SP6 kernel was updated to receive various security bugfixes. The following security bugs were fixed: - CVE-2024-46733: btrfs: fix qgroup reserve leaks in cow_file_range (bsc#1230708). - CVE-2024-49996: cifs: Fix buffer overflow when parsing NFS reparse points (bsc#1232089). - CVE-2024-53125: bpf: sync_linked_regs() must preserve subreg_def (bsc#1234156). - CVE-2025-37885: KVM: x86: Reset IRTE to host control if *new* route isn't postable (bsc#1242960). - CVE-2025-38006: net: mctp: Do not access ifa_index when missing (bsc#1244930). - CVE-2025-38075: scsi: target: iscsi: Fix timeout on deleted connection (bsc#1244734). - CVE-2025-38103: HID: usbhid: Eliminate recurrent out-of-bounds bug in usbhid_parse() (bsc#1245663). - CVE-2025-38125: net: stmmac: make sure that ptp_rate is not 0 before configuring EST (bsc#1245710). - CVE-2025-38146: net: openvswitch: Fix the dead loop of MPLS parse (bsc#1245767). - CVE-2025-38160: clk: bcm: rpi: Add NULL check in raspberrypi_clk_register() (bsc#1245780). - CVE-2025-38184: tipc: fix null-ptr-deref when acquiring remote ip of ethernet bearer (bsc#1245956). - CVE-2025-38185: atm: atmtcp: Free invalid length skb in atmtcp_c_send() (bsc#1246012). - CVE-2025-38190: atm: Revert atm_account_tx() if copy_from_iter_full() fails (bsc#1245973). - CVE-2025-38201: netfilter: nft_set_pipapo: clamp maximum map bucket size to INT_MAX (bsc#1245977). - CVE-2025-38205: drm/amd/display: Avoid divide by zero by initializing dummy pitch to 1 (bsc#1246005). 
- CVE-2025-38208: smb: client: add NULL check in automount_fullpath (bsc#1245815). - CVE-2025-38245: atm: Release atm_dev_mutex after removing procfs in atm_dev_deregister() (bsc#1246193). - CVE-2025-38251: atm: clip: prevent NULL deref in clip_push() (bsc#1246181). - CVE-2025-38360: drm/amd/display: Add more checks for DSC / HUBP ONO guarantees (bsc#1247078). - CVE-2025-38563: perf/core: Prevent VMA split of buffer mappings (bsc#1248306). - CVE-2025-38439: bnxt_en: Set DMA unmap len correctly for XDP_REDIRECT (bsc#1247155). - CVE-2025-38441: netfilter: flowtable: account for Ethernet header in nf_flow_pppoe_proto() (bsc#1247167). - CVE-2025-38444: raid10: cleanup memleak at raid10_make_request (bsc#1247162). - CVE-2025-38445: md/raid1: Fix stack memory use after return in raid1_reshape (bsc#1247229). - CVE-2025-38458: atm: clip: Fix NULL pointer dereference in vcc_sendmsg() (bsc#1247116). - CVE-2025-38459: atm: clip: Fix infinite recursive call of clip_push() (bsc#1247119). - CVE-2025-38464: tipc: Fix use-after-free in tipc_conn_close() (bsc#1247112). - CVE-2025-38472: netfilter: nf_conntrack: fix crash due to removal of uninitialised entry (bsc#1247313). - CVE-2025-38490: net: libwx: remove duplicate page_pool_put_full_page() (bsc#1247243). - CVE-2025-38491: mptcp: make fallback action and fallback decision atomic (bsc#1247280). - CVE-2025-38499: clone_private_mnt(): make sure that caller has CAP_SYS_ADMIN in the right userns (bsc#1247976). - CVE-2025-38500: xfrm: interface: fix use-after-free after changing collect_md xfrm interface (bsc#1248088). - CVE-2025-38506: KVM: Allow CPU to reschedule while setting per-page memory attributes (bsc#1248186). - CVE-2025-38520: drm/amdkfd: Do not call mmput from MMU notifier callback (bsc#1248217). - CVE-2025-38524: rxrpc: Fix recv-recv race of completed call (bsc#1248194). - CVE-2025-38528: bpf: Reject %p% format string in bprintf-like helpers (bsc#1248198). 
- CVE-2025-38531: iio: common: st_sensors: Fix use of uninitialize device structs (bsc#1248205).
- CVE-2025-38546: atm: clip: Fix memory leak of struct clip_vcc (bsc#1248223).
- CVE-2025-38560: x86/sev: Evict cache lines during SNP memory validation (bsc#1248312).
- CVE-2025-38585: staging: media: atomisp: Fix stack buffer overflow in gmin_get_var_int() (bsc#1248355).
- CVE-2025-38591: bpf: Reject narrower access to pointer ctx fields (bsc#1248363).
- CVE-2025-38608: bpf, ktls: Fix data corruption when using bpf_msg_pop_data() in ktls (bsc#1248338).
- CVE-2025-38618: vsock: Do not allow binding to VMADDR_PORT_ANY (bsc#1248511).

The following non-security bugs were fixed:

- ACPI: APEI: send SIGBUS to current task if synchronous memory error not recovered (stable-fixes).
- ACPI: pfr_update: Fix the driver update version check (git-fixes).
- ACPI: processor: fix acpi_object initialization (stable-fixes).
- ACPI: processor: perflib: Move problematic pr->performance check (git-fixes).
- ALSA: hda/ca0132: Fix buffer overflow in add_tuning_control (stable-fixes).
- ALSA: hda/realtek: Add Framework Laptop 13 (AMD Ryzen AI 300) to quirks (stable-fixes).
- ALSA: hda/realtek: Add support for HP EliteBook x360 830 G6 and EliteBook 830 G6 (stable-fixes).
- ALSA: hda/realtek: Audio disappears on HP 15-fc000 after warm boot again (git-fixes).
- ALSA: hda/realtek: Fix headset mic on ASUS Zenbook 14 (git-fixes).
- ALSA: hda/realtek: Fix headset mic on HONOR BRB-X (stable-fixes).
- ALSA: hda: Disable jack polling at shutdown (stable-fixes).
- ALSA: hda: Handle the jack polling always via a work (stable-fixes).
- ALSA: intel8x0: Fix incorrect codec index usage in mixer for ICH4 (stable-fixes).
- ALSA: pcm: Rewrite recalculate_boundary() to avoid costly loop (stable-fixes).
- ALSA: scarlett2: Add retry on -EPROTO from scarlett2_usb_tx() (git-fixes).
- ALSA: usb-audio: Avoid precedence issues in mixer_quirks macros (stable-fixes).
- ALSA: usb-audio: Fix size validation in convert_chmap_v3() (git-fixes).
- ALSA: usb-audio: Use correct sub-type for UAC3 feature unit validation (git-fixes).
- ALSA: usb-audio: Validate UAC3 cluster segment descriptors (git-fixes).
- ALSA: usb-audio: Validate UAC3 power domain descriptors, too (git-fixes).
- ASoC: Intel: avs: Fix uninitialized pointer error in probe() (stable-fixes).
- ASoC: Intel: fix SND_SOC_SOF dependencies (stable-fixes).
- ASoC: amd: yc: Add DMI entries to support HP 15-fb1xxx (stable-fixes).
- ASoC: amd: yc: Add DMI quirk for HP Laptop 17 cp-2033dx (stable-fixes).
- ASoC: amd: yc: add DMI quirk for ASUS M6501RM (stable-fixes).
- ASoC: codecs: rt5640: Retry DEVICE_ID verification (stable-fixes).
- ASoC: core: Check for rtd == NULL in snd_soc_remove_pcm_runtime() (stable-fixes).
- ASoC: hdac_hdmi: Rate limit logging on connection and disconnection (stable-fixes).
- ASoC: soc-dapm: set bias_level if snd_soc_dapm_set_bias_level() was successed (stable-fixes).
- Bluetooth: btusb: Add USB ID 3625:010b for TP-LINK Archer TX10UB Nano (stable-fixes).
- Bluetooth: hci_conn: do return error from hci_enhanced_setup_sync() (git-fixes).
- Bluetooth: hci_event: Detect if HCI_EV_NUM_COMP_PKTS is unbalanced (git-fixes).
- Bluetooth: hci_event: Mark connection as closed during suspend disconnect (git-fixes).
- Bluetooth: hci_event: Treat UNKNOWN_CONN_ID on disconnect as success (git-fixes).
- Bluetooth: hci_event: fix MTU for BN == 0 in CIS Established (git-fixes).
- Bluetooth: hci_sock: Reset cookie to zero in hci_sock_free_cookie() (stable-fixes).
- Bluetooth: hci_sync: fix set_local_name race condition (git-fixes).
- HID: asus: fix UAF via HID_CLAIMED_INPUT validation (git-fixes).
- HID: multitouch: fix slab out-of-bounds access in mt_report_fixup() (git-fixes).
- PCI/ACPI: Fix runtime PM ref imbalance on Hot-Plug Capable ports (git-fixes).
- PCI/portdrv: Use is_pciehp instead of is_hotplug_bridge (git-fixes).
- PCI: Add ACS quirk for Loongson PCIe (git-fixes).
- PCI: Support Immediate Readiness on devices without PM capabilities (git-fixes).
- PCI: apple: Fix missing OF node reference in apple_pcie_setup_port (git-fixes).
- PCI: imx6: Add IMX8MM_EP and IMX8MP_EP fixed 256-byte BAR 4 in epc_features (git-fixes).
- PCI: imx6: Delay link start until configfs 'start' written (git-fixes).
- PCI: imx6: Remove apps_reset toggling from imx_pcie_{assert/deassert}_core_reset (git-fixes).
- PCI: pnv_php: Clean up allocated IRQs on unplug (bsc#1215199).
- PCI: pnv_php: Work around switches with broken presence detection (bsc#1215199).
- PCI: rockchip: Set Target Link Speed to 5.0 GT/s before retraining (git-fixes).
- PCI: rockchip: Use standard PCIe definitions (git-fixes).
- PM / devfreq: governor: Replace sscanf() with kstrtoul() in set_freq_store() (stable-fixes).
- PM: runtime: Clear power.needs_force_resume in pm_runtime_reinit() (stable-fixes).
- PM: sleep: console: Fix the black screen issue (stable-fixes).
- RAS/AMD/ATL: Include row bit in row retirement (bsc#1242034).
- RAS/AMD/FMPM: Get masked address (bsc#1242034).
- RAS/AMD/FMPM: Use atl internal.h for INVALID_SPA (bsc#1242034).
- RDMA/bnxt_re: Fix a possible memory leak in the driver (git-fixes)
- RDMA/bnxt_re: Fix to do SRQ armena by default (git-fixes)
- RDMA/bnxt_re: Fix to initialize the PBL array (git-fixes)
- RDMA/bnxt_re: Fix to remove workload check in SRQ limit path (git-fixes)
- RDMA/core: reduce stack using in nldev_stat_get_doit() (git-fixes)
- RDMA/erdma: Fix ignored return value of init_kernel_qp (git-fixes)
- RDMA/hns: Fix dip entries leak on devices newer than hip09 (git-fixes)
- RDMA: hfi1: fix possible divide-by-zero in find_hw_thread_mask() (git-fixes)
- Revert 'gpio: mlxbf3: only get IRQ for device instance 0' (git-fixes).
- USB: serial: option: add Foxconn T99W709 (stable-fixes).
- USB: storage: Add unusual-devs entry for Novatek NTK96550-based camera (stable-fixes).
- USB: storage: Ignore driver CD mode for Realtek multi-mode Wi-Fi dongles (stable-fixes).
- aoe: defer rexmit timer downdev work to workqueue (git-fixes).
- arch/powerpc: Remove .interp section in vmlinux (bsc#1215199).
- arm64/cpufeatures/kvm: Add ARMv8.9 FEAT_ECBHB bits in ID_AA64MMFR1 (git-fixes)
- arm64/entry: Mask DAIF in cpu_switch_to(), call_on_irq_stack() (git-fixes)
- arm64/mm: Check PUD_TYPE_TABLE in pud_bad() (git-fixes)
- arm64: Add support for HIP09 Spectre-BHB mitigation (git-fixes)
- arm64: Filter out SME hwcaps when FEAT_SME isn't implemented (git-fixes)
- arm64: Restrict pagetable teardown to avoid false warning (git-fixes)
- arm64: dts: apple: t8103: Fix PCIe BCM4377 nodename (git-fixes)
- arm64: dts: freescale: imx8mm-verdin: Keep LDO5 always on (git-fixes)
- arm64: dts: imx8mm-beacon: Fix HS400 USDHC clock speed (git-fixes)
- arm64: dts: imx8mm-beacon: Fix RTC capacitive load (git-fixes)
- arm64: dts: imx8mm-venice-gw700x: Increase HS400 USDHC clock speed (git-fixes)
- arm64: dts: imx8mm-venice-gw7901: Increase HS400 USDHC clock speed (git-fixes)
- arm64: dts: imx8mm-venice-gw7902: Increase HS400 USDHC clock speed (git-fixes)
- arm64: dts: imx8mm-venice-gw7903: Increase HS400 USDHC clock speed (git-fixes)
- arm64: dts: imx8mm-venice-gw7904: Increase HS400 USDHC clock speed (git-fixes)
- arm64: dts: imx8mn-beacon: Fix HS400 USDHC clock speed (git-fixes)
- arm64: dts: imx8mn-beacon: Fix RTC capacitive load (git-fixes)
- arm64: dts: imx8mn-venice-gw7902: Increase HS400 USDHC clock speed (git-fixes)
- arm64: dts: imx8mp-beacon: Fix RTC capacitive load (git-fixes)
- arm64: dts: rockchip: Update eMMC for NanoPi R5 series (git-fixes)
- arm64: dts: rockchip: fix endpoint dtc warning for PX30 ISP (git-fixes)
- arm64: tegra: Drop remaining serial clock-names and reset-names (git-fixes)
- arm64: tegra: p2597: Fix gpio for vdd-1v8-dis regulator (git-fixes)
- arm64: zynqmp: add clock-output-names property in clock nodes (git-fixes)
- ata: libata-scsi: Fix CDL control (git-fixes).
- block: fix kobject leak in blk_unregister_queue (git-fixes).
- block: mtip32xx: Fix usage of dma_map_sg() (git-fixes).
- bpf: fix kfunc btf caching for modules (git-fixes).
- bpf: use kvzmalloc to allocate BPF verifier environment (git-fixes).
- btrfs: convert BUG_ON in btrfs_reloc_cow_block() to proper error handling (git-fixes).
- btrfs: correctly escape subvol in btrfs_show_options() (git-fixes).
- btrfs: fix adding block group to a reclaim list and the unused list during reclaim (git-fixes).
- btrfs: fix bitmap leak when loading free space cache on duplicate entry (git-fixes).
- btrfs: fix data race when accessing the inode's disk_i_size at btrfs_drop_extents() (git-fixes).
- btrfs: fix the length of reserved qgroup to free (bsc#1240708)
- btrfs: retry block group reclaim without infinite loop (git-fixes).
- btrfs: return accurate error code on open failure in open_fs_devices() (bsc#1233120)
- btrfs: run delayed iputs when flushing delalloc (git-fixes).
- btrfs: update target inode's ctime on unlink (git-fixes).
- cdx: Fix off-by-one error in cdx_rpmsg_probe() (git-fixes).
- char: misc: Fix improper and inaccurate error code returned by misc_init() (stable-fixes).
- comedi: Fix use of uninitialized memory in do_insn_ioctl() and do_insnlist_ioctl() (git-fixes).
- comedi: Make insn_rw_emulate_bits() do insn->n samples (git-fixes).
- comedi: fix race between polling and detaching (git-fixes).
- comedi: pcl726: Prevent invalid irq number (git-fixes).
- crypto: hisilicon/hpre - fix dma unmap sequence (stable-fixes).
- crypto: jitter - fix intermediary handling (stable-fixes).
- crypto: octeontx2 - add timeout for load_fvc completion poll (stable-fixes).
- crypto: qat - lower priority for skcipher and aead algorithms (stable-fixes).
- drm/amd/display: Add null pointer check in mod_hdcp_hdcp1_create_session() (git-fixes).
- drm/amd/display: Add primary plane to commits for correct VRR handling (stable-fixes).
- drm/amd/display: Adjust DCE 8-10 clock, do not overclock by 15% (git-fixes).
- drm/amd/display: Avoid a NULL pointer dereference (stable-fixes).
- drm/amd/display: Avoid configuring PSR granularity if PSR-SU not supported (stable-fixes).
- drm/amd/display: Avoid trying AUX transactions on disconnected ports (stable-fixes).
- drm/amd/display: Do not overclock DCE 6 by 15% (git-fixes).
- drm/amd/display: Fill display clock and vblank time in dce110_fill_display_configs (stable-fixes).
- drm/amd/display: Find first CRTC and its line time in dce110_fill_display_configs (stable-fixes).
- drm/amd/display: Fix 'failed to blank crtc!' (stable-fixes).
- drm/amd/display: Fix DP audio DTO1 clock source on DCE 6 (stable-fixes).
- drm/amd/display: Fix fractional fb divider in set_pixel_clock_v3 (git-fixes).
- drm/amd/display: Only finalize atomic_obj if it was initialized (stable-fixes).
- drm/amd/display: Separate set_gsl from set_gsl_source_select (stable-fixes).
- drm/amd: Allow printing VanGogh OD SCLK levels without setting dpm to manual (stable-fixes).
- drm/amd: Restore cached power limit during resume (stable-fixes).
- drm/amdgpu: Avoid extra evict-restore process (stable-fixes).
- drm/amdgpu: fix incorrect vm flags to map bo (git-fixes).
- drm/amdgpu: fix task hang from failed job submission during process kill (git-fixes).
- drm/amdgpu: update mmhub 3.0.1 client id mappings (stable-fixes).
- drm/amdkfd: Destroy KFD debugfs after destroy KFD wq (stable-fixes).
- drm/dp: Change AUX DPCD probe address from DPCD_REV to LANE0_1_STATUS (stable-fixes).
- drm/hisilicon/hibmc: fix the hibmc loaded failed bug (git-fixes).
- drm/mediatek: Fix device/node reference count leaks in mtk_drm_get_all_drm_priv (git-fixes).
- drm/msm/kms: move snapshot init earlier in KMS init (git-fixes).
- drm/msm: Defer fd_install in SUBMIT ioctl (git-fixes).
- drm/msm: use trylock for debugfs (stable-fixes).
- drm/nouveau/disp: Always accept linear modifier (git-fixes).
- drm/nouveau/nvif: Fix potential memory leak in nvif_vmm_ctor() (git-fixes).
- drm/nouveau: fix error path in nvkm_gsp_fwsec_v2 (git-fixes).
- drm/nouveau: fix typos in comments (git-fixes).
- drm/nouveau: remove unused increment in gm200_flcn_pio_imem_wr (git-fixes).
- drm/nouveau: remove unused memory target test (git-fixes).
- drm/ttm: Respect the shrinker core free target (stable-fixes).
- drm/ttm: Should to return the evict error (stable-fixes).
- et131x: Add missing check after DMA map (stable-fixes).
- exfat: add cluster chain loop check for dir (git-fixes).
- fbdev: Fix vmalloc out-of-bounds write in fast_imageblit (stable-fixes).
- fbdev: fix potential buffer overflow in do_register_framebuffer() (stable-fixes).
- fs/mnt_idmapping.c: Return -EINVAL when no map is written (bsc#1233120)
- fs/orangefs: use snprintf() instead of sprintf() (git-fixes).
- gpio: mlxbf3: use platform_get_irq_optional() (git-fixes).
- gpio: tps65912: check the return value of regmap_update_bits() (stable-fixes).
- gpio: wcd934x: check the return value of regmap_update_bits() (stable-fixes).
- hfs: fix not erasing deleted b-tree node issue (git-fixes).
- hfs: fix slab-out-of-bounds in hfs_bnode_read() (git-fixes).
- hfsplus: do not use BUG_ON() in hfsplus_create_attributes_file() (git-fixes).
- hfsplus: fix slab-out-of-bounds in hfsplus_bnode_read() (git-fixes).
- hfsplus: fix slab-out-of-bounds read in hfsplus_uni2asc() (git-fixes).
- hwmon: (emc2305) Set initial PWM minimum value during probe based on thermal state (stable-fixes).
- i2c: Force DLL0945 touchpad i2c freq to 100khz (stable-fixes).
- i3c: do not fail if GETHDRCAP is unsupported (stable-fixes).
- i3c: master: Initialize ret in i3c_i2c_notifier_call() (stable-fixes).
- ice, irdma: fix an off by one in error handling code (bsc#1247712).
- ice, irdma: move interrupts code to irdma (bsc#1247712).
- ice: Fix signedness bug in ice_init_interrupt_scheme() (bsc#1247712).
- ice: count combined queues using Rx/Tx count (bsc#1247712).
- ice: devlink PF MSI-X max and min parameter (bsc#1247712).
- ice: enable_rdma devlink param (bsc#1247712).
- ice: get rid of num_lan_msix field (bsc#1247712).
- ice: init flow director before RDMA (bsc#1247712).
- ice: remove splitting MSI-X between features (bsc#1247712).
- ice: simplify VF MSI-X managing (bsc#1247712).
- ice: treat dyn_allowed only as suggestion (bsc#1247712).
- iio: adc: ad7768-1: Ensure SYNC_IN pulse minimum timing requirement (stable-fixes).
- iio: adc: ad_sigma_delta: do not overallocate scan buffer (stable-fixes).
- iio: imu: inv_icm42600: switch timestamp type from int64_t __aligned(8) to aligned_s64 (stable-fixes).
- iio: imu: inv_icm42600: use = { } instead of memset() (stable-fixes).
- iio: pressure: bmp280: Use IS_ERR() in bmp280_common_probe() (git-fixes).
- iio: proximity: isl29501: fix buffered read on big-endian systems (git-fixes).
- integrity/platform_certs: Allow loading of keys in the static key management mode (jsc#PED-13345 jsc#PED-13343).
- iosys-map: Fix undefined behavior in iosys_map_clear() (git-fixes).
- ipmi: Fix strcpy source and destination the same (stable-fixes).
- ipmi: Use dev_warn_ratelimited() for incorrect message warnings (stable-fixes).
- irdma: free iwdev->rf after removing MSI-X (bsc#1247712).
- jfs: Regular file corruption check (git-fixes).
- jfs: truncate good inode pages when hard link is 0 (git-fixes).
- jfs: upper bound check of tree index in dbAllocAG (git-fixes).
- kABI: PCI/ACPI: Fix runtime PM ref imbalance on Hot-Plug Capable ports (git-fixes).
- kselftest/arm64: Fix check for setting new VLs in sve-ptrace (git-fixes).
- leds: leds-lp50xx: Handle reg to get correct multi_index (stable-fixes).
- loop: use kiocb helpers to fix lockdep warning (git-fixes).
- mISDN: hfcpci: Fix warning when deleting uninitialized timer (git-fixes).
- md/md-cluster: handle REMOVE message earlier (bsc#1247057).
- md/raid1,raid10: strip REQ_NOWAIT from member bios (git-fixes).
- md: allow removing faulty rdev during resync (git-fixes).
- md: make rdev_addable usable for rcu mode (git-fixes).
- media: dvb-frontends: dib7090p: fix null-ptr-deref in dib7090p_rw_on_apb() (stable-fixes).
- media: dvb-frontends: w7090p: fix null-ptr-deref in w7090p_tuner_write_serpar and w7090p_tuner_read_serpar (stable-fixes).
- media: tc358743: Check I2C succeeded during probe (stable-fixes).
- media: tc358743: Increase FIFO trigger level to 374 (stable-fixes).
- media: tc358743: Return an appropriate colorspace from tc358743_set_fmt (stable-fixes).
- media: usb: hdpvr: disable zero-length read messages (stable-fixes).
- media: uvcvideo: Fix bandwidth issue for Alcor camera (stable-fixes).
- media: v4l2-common: Reduce warnings about missing V4L2_CID_LINK_FREQ control (stable-fixes).
- mei: bus: Check for still connected devices in mei_cl_bus_dev_release() (stable-fixes).
- memstick: Fix deadlock by moving removing flag earlier (git-fixes).
- mm/ptdump: take the memory hotplug lock inside ptdump_walk_pgd() (git-fixes)
- mmc: rtsx_usb_sdmmc: Fix error-path in sd_set_power_mode() (stable-fixes).
- mmc: sdhci-msm: Ensure SD card power isn't ON when card removed (stable-fixes).
- mmc: sdhci-pci-gli: GL9763e: Rename the gli_set_gl9763e() for consistency (git-fixes).
- most: core: Drop device reference after usage in get_channel() (git-fixes).
- mptcp: fallback when MPTCP opts are dropped after 1st data (git-fixes).
- mptcp: reset when MPTCP opts are dropped after join (git-fixes).
- net: phy: micrel: Add ksz9131_resume() (stable-fixes).
- net: phy: smsc: add proper reset flags for LAN8710A (stable-fixes).
- net: thunderbolt: Enable end-to-end flow control also in transmit (stable-fixes).
- net: thunderbolt: Fix the parameter passing of tb_xdomain_enable_paths()/tb_xdomain_disable_paths() (stable-fixes).
- net: usb: asix_devices: Fix PHY address mask in MDIO bus initialization (git-fixes).
- net: usb: asix_devices: add phy_mask for ax88772 mdio bus (git-fixes).
- pNFS: Fix disk addr range check in block/scsi layout (git-fixes).
- pNFS: Fix stripe mapping in block/scsi layout (git-fixes).
- pNFS: Fix uninited ptr deref in block/scsi layout (git-fixes).
- pNFS: Handle RPC size limit for layoutcommits (git-fixes).
- phy: mscc: Fix parsing of unicast frames (git-fixes).
- phy: rockchip-pcie: Properly disable TEST_WRITE strobe signal (stable-fixes).
- pinctrl: STMFX: add missing HAS_IOMEM dependency (git-fixes).
- pinctrl: stm32: Manage irq affinity settings (stable-fixes).
- platform/chrome: cros_ec_typec: Defer probe on missing EC parent (stable-fixes).
- platform/x86/amd: pmc: Add Lenovo Yoga 6 13ALC6 to pmc quirk list (stable-fixes).
- pm: cpupower: Fix the snapshot-order of tsc,mperf, clock in mperf_stop() (stable-fixes).
- power: supply: qcom_battmgr: Add lithium-polymer entry (stable-fixes).
- powerpc/eeh: Export eeh_unfreeze_pe() (bsc#1215199).
- powerpc/eeh: Make EEH driver device hotplug safe (bsc#1215199).
- powerpc/eeh: Rely on dev->link_active_reporting (bsc#1215199).
- powerpc/kernel: Fix ppc_save_regs inclusion in build (bsc#1215199).
- powerpc/pseries: Correct secvar format representation for static key management (jsc#PED-13345 jsc#PED-13343).
- powerpc/secvar: Expose secvars relevant to the key management mode (jsc#PED-13345 jsc#PED-13343).
- powerpc: do not build ppc_save_regs.o always (bsc#1215199).
- pwm: mediatek: Fix duty and period setting (git-fixes).
- pwm: mediatek: Handle hardware enable and clock enable separately (stable-fixes).
- reset: brcmstb: Enable reset drivers for ARCH_BCM2835 (stable-fixes).
- rtc: ds1307: handle oscillator stop flag (OSF) for ds1341 (stable-fixes).
- rtc: ds1307: remove clear of oscillator stop flag (OSF) in probe (stable-fixes).
- samples/bpf: Fix compilation errors with cf-protection option (git-fixes).
- Revert 'scsi: iscsi: Fix HW conn removal use after free' (git-fixes).
- scsi: core: Fix kernel doc for scsi_track_queue_full() (git-fixes).
- scsi: elx: efct: Fix dma_unmap_sg() nents value (git-fixes).
- scsi: ibmvscsi_tgt: Fix dma_unmap_sg() nents value (git-fixes).
- scsi: isci: Fix dma_unmap_sg() nents value (git-fixes).
- scsi: mpi3mr: Fix kernel-doc issues in mpi3mr_app.c (git-fixes).
- scsi: mpi3mr: Fix race between config read submit and interrupt completion (git-fixes).
- scsi: mpi3mr: Serialize admin queue BAR writes on 32-bit systems (git-fixes).
- scsi: mpt3sas: Fix a fw_event memory leak (git-fixes).
- scsi: mvsas: Fix dma_unmap_sg() nents value (git-fixes).
- scsi: sd: Make sd shutdown issue START STOP UNIT appropriately (git-fixes).
- selftests/bpf: fexit_sleep: Fix stack allocation for arm64 (git-fixes).
- selftests/tracing: Fix false failure of subsystem event test (git-fixes).
- selftests: Fix errno checking in syscall_user_dispatch test (git-fixes).
- selftests: rtnetlink.sh: remove esp4_offload after test (git-fixes).
- serial: 8250: fix panic due to PSLVERR (git-fixes).
- slab: Decouple slab_debug and no_hash_pointers (bsc#1249022).
- smb: client: fix parsing of device numbers (git-fixes).
- soc/tegra: pmc: Ensure power-domains are in a known state (git-fixes).
- soundwire: amd: serialize amd manager resume sequence during pm_prepare (stable-fixes).
- squashfs: fix memory leak in squashfs_fill_super (git-fixes).
- sunrpc: fix handling of server side tls alerts (git-fixes).
- sunvdc: Balance device refcount in vdc_port_mpgroup_check (git-fixes).
- thermal/drivers/qcom-spmi-temp-alarm: Enable stage 2 shutdown when required (stable-fixes).
- thermal: sysfs: Return ENODATA instead of EAGAIN for reads (stable-fixes).
- ublk: sanity check add_dev input for underflow (git-fixes).
- ublk: use vmalloc for ublk_device's __queues (git-fixes).
- usb: core: config: Prevent OOB read in SS endpoint companion parsing (stable-fixes).
- usb: core: hcd: fix accessing unmapped memory in SINGLE_STEP_SET_FEATURE test (git-fixes).
- usb: core: usb_submit_urb: downgrade type check (stable-fixes).
- usb: dwc3: Ignore late xferNotReady event to prevent halt timeout (git-fixes).
- usb: dwc3: Remove WARN_ON for device endpoint command timeouts (stable-fixes).
- usb: dwc3: core: Fix system suspend on TI AM62 platforms (git-fixes).
- usb: dwc3: fix fault at system suspend if device was already runtime suspended (git-fixes).
- usb: dwc3: pci: add support for the Intel Wildcat Lake (stable-fixes).
- usb: quirks: Add DELAY_INIT quick for another SanDisk 3.2Gen1 Flash Drive (stable-fixes).
- usb: renesas-xhci: Fix External ROM access timeouts (git-fixes).
- usb: storage: realtek_cr: Use correct byte order for bcs->Residue (git-fixes).
- usb: typec: intel_pmc_mux: Defer probe if SCU IPC isn't present (stable-fixes).
- usb: typec: ucsi: psy: Set current max to 100mA for BC 1.2 and Default (stable-fixes).
- usb: xhci: Avoid showing errors during surprise removal (stable-fixes).
- usb: xhci: Avoid showing warnings for dying controller (stable-fixes).
- usb: xhci: Fix slot_id resource race conflict (git-fixes).
- usb: xhci: Set avg_trb_len = 8 for EP0 during Address Device Command (stable-fixes).
- usb: xhci: print xhci->xhc_state when queue_command failed (stable-fixes).
- vfs: Add a sysctl for automated deletion of dentry (bsc#1240890).
- watchdog: dw_wdt: Fix default timeout (stable-fixes).
- watchdog: iTCO_wdt: Report error if timeout configuration fails (stable-fixes).
- watchdog: sbsa: Adjust keepalive timeout to avoid MediaTek WS0 race condition (stable-fixes).
- wifi: ath12k: Add memset and update default rate value in wmi tx completion (stable-fixes).
- wifi: ath12k: Correct tid cleanup when tid setup fails (stable-fixes).
- wifi: ath12k: Decrement TID on RX peer frag setup error handling (stable-fixes).
- wifi: ath12k: Enable REO queue lookup table feature on QCN9274 hw2.0 (stable-fixes).
- wifi: cfg80211: Fix interface type validation (stable-fixes).
- wifi: cfg80211: reject HTC bit for management frames (stable-fixes).
- wifi: iwlegacy: Check rate_idx range after addition (stable-fixes).
- wifi: iwlwifi: dvm: fix potential overflow in rs_fill_link_cmd() (stable-fixes).
- wifi: iwlwifi: fw: Fix possible memory leak in iwl_fw_dbg_collect (stable-fixes).
- wifi: iwlwifi: mvm: fix scan request validation (stable-fixes).
- wifi: iwlwifi: mvm: set gtk id also in older FWs (stable-fixes).
- wifi: mac80211: do not complete management TX on SAE commit (stable-fixes).
- wifi: mac80211: fix rx link assignment for non-MLO stations (stable-fixes).
- wifi: mac80211: update radar_required in channel context after channel switch (stable-fixes).
- wifi: mt76: mt7915: mcu: re-init MCU before loading FW patch (stable-fixes).
- wifi: rtlwifi: fix possible skb memory leak in _rtl_pci_init_one_rxdesc() (stable-fixes).
- wifi: rtlwifi: fix possible skb memory leak in `_rtl_pci_rx_interrupt()` (stable-fixes).
- wifi: rtw89: Disable deep power saving for USB/SDIO (stable-fixes).
- wifi: rtw89: Fix rtw89_mac_power_switch() for USB (stable-fixes).
- wifi: rtw89: Lower the timeout in rtw89_fw_read_c2h_reg() for USB (stable-fixes).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2025:3304-1
Released: Tue Sep 23 11:10:15 2025
Summary: Recommended update for dracut
Type: recommended
Severity: moderate
References: 1217885,1247819

This update for dracut fixes the following issues:

- fix (dracut-util): crash if CMDLINE ends with quotation mark (bsc#1247819)
- fix (rngd): adjust license to match the license of the whole project
- fix (nfs): set correct ownership of rpc.statd state directories (bsc#1217885)
- perf (nfs): remove references to old rpcbind state dir
- fix (nfs): libnfsidmap plugins not added in some distributions

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:3369-1
Released: Fri Sep 26 12:54:43 2025
Summary: Security update for libssh
Type: security
Severity: moderate
References: 1246974,1249375,CVE-2025-8114,CVE-2025-8277

This update for libssh fixes the following issues:

- CVE-2025-8277: memory exhaustion leading to client-side DoS due to improper memory management when KEX process is repeated with incorrect guesses (bsc#1249375).
- CVE-2025-8114: NULL pointer dereference when an allocation error happens during the calculation of the KEX session ID (bsc#1246974).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2025:3371-1
Released: Fri Sep 26 13:41:03 2025
Summary: Recommended update for sysconfig
Type: recommended
Severity: important
References: 1237595

This update for sysconfig fixes the following issues:

- Update to version 0.85.10
- codespell run for all repository files and changes file
- spec: define permissions for ghost file attrs to avoid rpm --restore resets them to 0 (bsc#1237595).
- spec: fix name-repeated-in-summary rpmlint warning

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2025:3372-1
Released: Fri Sep 26 13:42:10 2025
Summary: Recommended update for iproute2
Type: recommended
Severity: important
References: 1243005,1248660

This update for iproute2 fixes the following issues:

- add post-6.4 follow-up fixes (bsc#1243005)
- sync UAPI header copies with SLE15-SP6 kernel
- devlink: support ipsec_crypto and ipsec_packet cap (bsc#1248660)

The following package changes have been done:

- dracut-059+suse.562.geca59f6b-150600.3.23.1 updated
- iproute2-6.4-150600.7.9.1 updated
- kernel-default-6.4.0-150600.23.70.1 updated
- libssh-config-0.9.8-150600.11.6.1 updated
- libssh4-0.9.8-150600.11.6.1 updated
- sysconfig-netconfig-0.85.10-150200.15.1 updated
- sysconfig-0.85.10-150200.15.1 updated
- vim-data-common-9.1.1629-150500.20.33.1 updated
- vim-small-9.1.1629-150500.20.33.1 updated

From sle-container-updates at lists.suse.com Sat Sep 27 07:11:27 2025
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Sat, 27 Sep 2025 09:11:27 +0200 (CEST)
Subject: SUSE-CU-2025:7079-1: Security update of bci/nodejs
Message-ID: <20250927071127.B4F67FB9C@maintenance.suse.de>

SUSE Container Update Advisory: bci/nodejs
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2025:7079-1
Container Tags : bci/node:20 , bci/node:20.19.2 , bci/node:20.19.2-55.32 , bci/nodejs:20 , bci/nodejs:20.19.2 , bci/nodejs:20.19.2-55.32
Container Release : 55.32
Severity : moderate
Type : security
References : 1246974 1249375 CVE-2025-8114 CVE-2025-8277
-----------------------------------------------------------------

The container bci/nodejs was updated.
The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:3369-1
Released: Fri Sep 26 12:54:43 2025
Summary: Security update for libssh
Type: security
Severity: moderate
References: 1246974,1249375,CVE-2025-8114,CVE-2025-8277

This update for libssh fixes the following issues:

- CVE-2025-8277: memory exhaustion leading to client-side DoS due to improper memory management when KEX process is repeated with incorrect guesses (bsc#1249375).
- CVE-2025-8114: NULL pointer dereference when an allocation error happens during the calculation of the KEX session ID (bsc#1246974).

The following package changes have been done:

- libssh-config-0.9.8-150600.11.6.1 updated
- libssh4-0.9.8-150600.11.6.1 updated
- container:registry.suse.com-bci-bci-base-15.6-5e0c3d434a2b643bae49bc5c102078b9d14d2156adbcc8c0266ab3fde11f1219-0 updated

From sle-container-updates at lists.suse.com Sat Sep 27 07:14:44 2025
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Sat, 27 Sep 2025 09:14:44 +0200 (CEST)
Subject: SUSE-CU-2025:7081-1: Security update of bci/spack
Message-ID: <20250927071445.005D6F783@maintenance.suse.de>

SUSE Container Update Advisory: bci/spack
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2025:7081-1
Container Tags : bci/spack:0.23 , bci/spack:0.23.1 , bci/spack:0.23.1-11.59
Container Release : 11.59
Severity : moderate
Type : security
References : 1246974 1249375 CVE-2025-8114 CVE-2025-8277
-----------------------------------------------------------------

The container bci/spack was updated.
The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:3369-1
Released: Fri Sep 26 12:54:43 2025
Summary: Security update for libssh
Type: security
Severity: moderate
References: 1246974,1249375,CVE-2025-8114,CVE-2025-8277

This update for libssh fixes the following issues:

- CVE-2025-8277: memory exhaustion leading to client-side DoS due to improper memory management when KEX process is repeated with incorrect guesses (bsc#1249375).
- CVE-2025-8114: NULL pointer dereference when an allocation error happens during the calculation of the KEX session ID (bsc#1246974).

The following package changes have been done:

- libssh-devel-0.9.8-150600.11.6.1 updated

From sle-container-updates at lists.suse.com Sat Sep 27 07:15:03 2025
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Sat, 27 Sep 2025 09:15:03 +0200 (CEST)
Subject: SUSE-CU-2025:7083-1: Recommended update of suse/389-ds
Message-ID: <20250927071503.7F7CAF783@maintenance.suse.de>

SUSE Container Update Advisory: suse/389-ds
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2025:7083-1
Container Tags : suse/389-ds:2.5 , suse/389-ds:2.5.3 , suse/389-ds:2.5.3-62.30 , suse/389-ds:latest
Container Release : 62.30
Severity : important
Type : recommended
References : 1243005 1248660
-----------------------------------------------------------------

The container suse/389-ds was updated.
The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2025:3372-1
Released: Fri Sep 26 13:42:10 2025
Summary: Recommended update for iproute2
Type: recommended
Severity: important
References: 1243005,1248660

This update for iproute2 fixes the following issues:

- add post-6.4 follow-up fixes (bsc#1243005)
- sync UAPI header copies with SLE15-SP6 kernel
- devlink: support ipsec_crypto and ipsec_packet cap (bsc#1248660)

The following package changes have been done:

- iproute2-6.4-150600.7.9.1 updated

From sle-container-updates at lists.suse.com Sat Sep 27 07:13:33 2025
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Sat, 27 Sep 2025 09:13:33 +0200 (CEST)
Subject: SUSE-CU-2025:7080-1: Security update of suse/sle15
Message-ID: <20250927071333.75DA2F783@maintenance.suse.de>

SUSE Container Update Advisory: suse/sle15
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2025:7080-1
Container Tags : bci/bci-base:15.6 , bci/bci-base:15.6.47.23.32 , suse/sle15:15.6 , suse/sle15:15.6.47.23.32
Container Release : 47.23.32
Severity : moderate
Type : security
References : 1246974 1249375 CVE-2025-8114 CVE-2025-8277
-----------------------------------------------------------------

The container suse/sle15 was updated.

The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:3369-1
Released: Fri Sep 26 12:54:43 2025
Summary: Security update for libssh
Type: security
Severity: moderate
References: 1246974,1249375,CVE-2025-8114,CVE-2025-8277

This update for libssh fixes the following issues:

- CVE-2025-8277: memory exhaustion leading to client-side DoS due to improper memory management when KEX process is repeated with incorrect guesses (bsc#1249375).
- CVE-2025-8114: NULL pointer dereference when an allocation error happens during the calculation of the KEX session ID (bsc#1246974).

The following package changes have been done:

- libssh-config-0.9.8-150600.11.6.1 updated
- libssh4-0.9.8-150600.11.6.1 updated

From sle-container-updates at lists.suse.com Sat Sep 27 07:16:53 2025
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Sat, 27 Sep 2025 09:16:53 +0200 (CEST)
Subject: SUSE-CU-2025:7092-1: Security update of suse/git
Message-ID: <20250927071653.18DC1F783@maintenance.suse.de>

SUSE Container Update Advisory: suse/git
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2025:7092-1
Container Tags : suse/git:2 , suse/git:2.51 , suse/git:2.51.0 , suse/git:2.51.0-61.10 , suse/git:latest
Container Release : 61.10
Severity : moderate
Type : security
References : 1246974 1249375 CVE-2025-8114 CVE-2025-8277
-----------------------------------------------------------------

The container suse/git was updated.

The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:3369-1
Released: Fri Sep 26 12:54:43 2025
Summary: Security update for libssh
Type: security
Severity: moderate
References: 1246974,1249375,CVE-2025-8114,CVE-2025-8277

This update for libssh fixes the following issues:

- CVE-2025-8277: memory exhaustion leading to client-side DoS due to improper memory management when KEX process is repeated with incorrect guesses (bsc#1249375).
- CVE-2025-8114: NULL pointer dereference when an allocation error happens during the calculation of the KEX session ID (bsc#1246974).
The following package changes have been done:

- libssh-config-0.9.8-150600.11.6.1 updated
- libssh4-0.9.8-150600.11.6.1 updated
- container:suse-sle15-15.7-58f9c044bea87805cae0e4122c7157699ff07944d120923c8f92ba4d9a128a2a-0 updated
- container:registry.suse.com-bci-bci-micro-15.7-f98a5deb3bf91c48bf953f57d3a0bfe7a691340a7abe2a2157c3f8ceb87f4e57-0 updated

From sle-container-updates at lists.suse.com Sat Sep 27 07:17:09 2025
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Sat, 27 Sep 2025 09:17:09 +0200 (CEST)
Subject: SUSE-CU-2025:7093-1: Security update of bci/golang
Message-ID: <20250927071709.2AFD7F783@maintenance.suse.de>

SUSE Container Update Advisory: bci/golang
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2025:7093-1
Container Tags : bci/golang:1.24 , bci/golang:1.24.6 , bci/golang:1.24.6-2.71.12 , bci/golang:oldstable , bci/golang:oldstable-2.71.12
Container Release : 71.12
Severity : moderate
Type : security
References : 1246974 1249375 CVE-2025-8114 CVE-2025-8277
-----------------------------------------------------------------

The container bci/golang was updated.

The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:3369-1
Released: Fri Sep 26 12:54:43 2025
Summary: Security update for libssh
Type: security
Severity: moderate
References: 1246974,1249375,CVE-2025-8114,CVE-2025-8277

This update for libssh fixes the following issues:

- CVE-2025-8277: memory exhaustion leading to client-side DoS due to improper memory management when KEX process is repeated with incorrect guesses (bsc#1249375).
- CVE-2025-8114: NULL pointer dereference when an allocation error happens during the calculation of the KEX session ID (bsc#1246974).
The following package changes have been done:

- libssh-config-0.9.8-150600.11.6.1 updated
- libssh4-0.9.8-150600.11.6.1 updated
- container:registry.suse.com-bci-bci-base-15.7-c748b740034bd7faee2a71a60ccfdc9e27e13d317b6e9823dbac93189c7f6c8f-0 updated

From sle-container-updates at lists.suse.com Sat Sep 27 07:17:26 2025
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Sat, 27 Sep 2025 09:17:26 +0200 (CEST)
Subject: SUSE-CU-2025:7094-1: Security update of bci/golang
Message-ID: <20250927071726.1A599F783@maintenance.suse.de>

SUSE Container Update Advisory: bci/golang
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2025:7094-1
Container Tags : bci/golang:1.24-openssl , bci/golang:1.24.6-openssl , bci/golang:1.24.6-openssl-74.9 , bci/golang:oldstable-openssl , bci/golang:oldstable-openssl-74.9
Container Release : 74.9
Severity : moderate
Type : security
References : 1246974 1249375 CVE-2025-8114 CVE-2025-8277
-----------------------------------------------------------------

The container bci/golang was updated.

The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:3369-1
Released: Fri Sep 26 12:54:43 2025
Summary: Security update for libssh
Type: security
Severity: moderate
References: 1246974,1249375,CVE-2025-8114,CVE-2025-8277

This update for libssh fixes the following issues:

- CVE-2025-8277: memory exhaustion leading to client-side DoS due to improper memory management when KEX process is repeated with incorrect guesses (bsc#1249375).
- CVE-2025-8114: NULL pointer dereference when an allocation error happens during the calculation of the KEX session ID (bsc#1246974).
The following package changes have been done:

- libssh-config-0.9.8-150600.11.6.1 updated
- libssh4-0.9.8-150600.11.6.1 updated
- container:registry.suse.com-bci-bci-base-15.7-c748b740034bd7faee2a71a60ccfdc9e27e13d317b6e9823dbac93189c7f6c8f-0 updated

From sle-container-updates at lists.suse.com Sat Sep 27 07:17:41 2025
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Sat, 27 Sep 2025 09:17:41 +0200 (CEST)
Subject: SUSE-CU-2025:7095-1: Security update of bci/golang
Message-ID: <20250927071741.66458F783@maintenance.suse.de>

SUSE Container Update Advisory: bci/golang
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2025:7095-1
Container Tags : bci/golang:1.25 , bci/golang:1.25.1 , bci/golang:1.25.1-1.71.12 , bci/golang:latest , bci/golang:stable , bci/golang:stable-1.71.12
Container Release : 71.12
Severity : moderate
Type : security
References : 1246974 1249375 CVE-2025-8114 CVE-2025-8277
-----------------------------------------------------------------

The container bci/golang was updated.

The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:3369-1
Released: Fri Sep 26 12:54:43 2025
Summary: Security update for libssh
Type: security
Severity: moderate
References: 1246974,1249375,CVE-2025-8114,CVE-2025-8277

This update for libssh fixes the following issues:

- CVE-2025-8277: memory exhaustion leading to client-side DoS due to improper memory management when KEX process is repeated with incorrect guesses (bsc#1249375).
- CVE-2025-8114: NULL pointer dereference when an allocation error happens during the calculation of the KEX session ID (bsc#1246974).
The following package changes have been done:

- libssh-config-0.9.8-150600.11.6.1 updated
- libssh4-0.9.8-150600.11.6.1 updated
- container:registry.suse.com-bci-bci-base-15.7-c748b740034bd7faee2a71a60ccfdc9e27e13d317b6e9823dbac93189c7f6c8f-0 updated

From sle-container-updates at lists.suse.com Sat Sep 27 07:18:28 2025
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Sat, 27 Sep 2025 09:18:28 +0200 (CEST)
Subject: SUSE-CU-2025:7098-1: Security update of suse/kiosk/firefox-esr
Message-ID: <20250927071828.B4975F783@maintenance.suse.de>

SUSE Container Update Advisory: suse/kiosk/firefox-esr
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2025:7098-1
Container Tags : suse/kiosk/firefox-esr:140.3 , suse/kiosk/firefox-esr:140.3-64.37 , suse/kiosk/firefox-esr:esr , suse/kiosk/firefox-esr:latest
Container Release : 64.37
Severity : moderate
Type : security
References : 1246974 1249375 CVE-2025-8114 CVE-2025-8277
-----------------------------------------------------------------

The container suse/kiosk/firefox-esr was updated.

The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:3369-1
Released: Fri Sep 26 12:54:43 2025
Summary: Security update for libssh
Type: security
Severity: moderate
References: 1246974,1249375,CVE-2025-8114,CVE-2025-8277

This update for libssh fixes the following issues:

- CVE-2025-8277: memory exhaustion leading to client-side DoS due to improper memory management when KEX process is repeated with incorrect guesses (bsc#1249375).
- CVE-2025-8114: NULL pointer dereference when an allocation error happens during the calculation of the KEX session ID (bsc#1246974).
The following package changes have been done:

- libssh-config-0.9.8-150600.11.6.1 updated
- libssh4-0.9.8-150600.11.6.1 updated

From sle-container-updates at lists.suse.com Sat Sep 27 07:19:00 2025
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Sat, 27 Sep 2025 09:19:00 +0200 (CEST)
Subject: SUSE-CU-2025:7100-1: Security update of bci/nodejs
Message-ID: <20250927071900.16135F783@maintenance.suse.de>

SUSE Container Update Advisory: bci/nodejs
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2025:7100-1
Container Tags : bci/node:22 , bci/node:22.15.1 , bci/node:22.15.1-10.29 , bci/node:latest , bci/nodejs:22 , bci/nodejs:22.15.1 , bci/nodejs:22.15.1-10.29 , bci/nodejs:latest
Container Release : 10.29
Severity : moderate
Type : security
References : 1246974 1249375 CVE-2025-8114 CVE-2025-8277
-----------------------------------------------------------------

The container bci/nodejs was updated.

The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:3369-1
Released: Fri Sep 26 12:54:43 2025
Summary: Security update for libssh
Type: security
Severity: moderate
References: 1246974,1249375,CVE-2025-8114,CVE-2025-8277

This update for libssh fixes the following issues:

- CVE-2025-8277: memory exhaustion leading to client-side DoS due to improper memory management when KEX process is repeated with incorrect guesses (bsc#1249375).
- CVE-2025-8114: NULL pointer dereference when an allocation error happens during the calculation of the KEX session ID (bsc#1246974).
The following package changes have been done:

- libssh-config-0.9.8-150600.11.6.1 updated
- libssh4-0.9.8-150600.11.6.1 updated
- container:registry.suse.com-bci-bci-base-15.7-c748b740034bd7faee2a71a60ccfdc9e27e13d317b6e9823dbac93189c7f6c8f-0 updated

From sle-container-updates at lists.suse.com Sat Sep 27 07:19:13 2025
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Sat, 27 Sep 2025 09:19:13 +0200 (CEST)
Subject: SUSE-CU-2025:7101-1: Security update of bci/openjdk
Message-ID: <20250927071913.03E1EF783@maintenance.suse.de>

SUSE Container Update Advisory: bci/openjdk
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2025:7101-1
Container Tags : bci/openjdk:17 , bci/openjdk:17.0.16.0 , bci/openjdk:17.0.16.0-8.29
Container Release : 8.29
Severity : moderate
Type : security
References : 1246974 1249375 CVE-2025-8114 CVE-2025-8277
-----------------------------------------------------------------

The container bci/openjdk was updated.

The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:3369-1
Released: Fri Sep 26 12:54:43 2025
Summary: Security update for libssh
Type: security
Severity: moderate
References: 1246974,1249375,CVE-2025-8114,CVE-2025-8277

This update for libssh fixes the following issues:

- CVE-2025-8277: memory exhaustion leading to client-side DoS due to improper memory management when KEX process is repeated with incorrect guesses (bsc#1249375).
- CVE-2025-8114: NULL pointer dereference when an allocation error happens during the calculation of the KEX session ID (bsc#1246974).
The following package changes have been done:

- libssh-config-0.9.8-150600.11.6.1 updated
- libssh4-0.9.8-150600.11.6.1 updated
- container:registry.suse.com-bci-bci-base-15.7-c748b740034bd7faee2a71a60ccfdc9e27e13d317b6e9823dbac93189c7f6c8f-0 updated

From sle-container-updates at lists.suse.com Sat Sep 27 07:19:27 2025
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Sat, 27 Sep 2025 09:19:27 +0200 (CEST)
Subject: SUSE-CU-2025:7102-1: Security update of bci/openjdk
Message-ID: <20250927071927.D3211F783@maintenance.suse.de>

SUSE Container Update Advisory: bci/openjdk
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2025:7102-1
Container Tags : bci/openjdk:21 , bci/openjdk:21.0.8.0 , bci/openjdk:21.0.8.0-11.29 , bci/openjdk:latest
Container Release : 11.29
Severity : moderate
Type : security
References : 1246974 1249375 CVE-2025-8114 CVE-2025-8277
-----------------------------------------------------------------

The container bci/openjdk was updated.

The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:3369-1
Released: Fri Sep 26 12:54:43 2025
Summary: Security update for libssh
Type: security
Severity: moderate
References: 1246974,1249375,CVE-2025-8114,CVE-2025-8277

This update for libssh fixes the following issues:

- CVE-2025-8277: memory exhaustion leading to client-side DoS due to improper memory management when KEX process is repeated with incorrect guesses (bsc#1249375).
- CVE-2025-8114: NULL pointer dereference when an allocation error happens during the calculation of the KEX session ID (bsc#1246974).
The following package changes have been done:

- libssh-config-0.9.8-150600.11.6.1 updated
- libssh4-0.9.8-150600.11.6.1 updated
- container:registry.suse.com-bci-bci-base-15.7-c748b740034bd7faee2a71a60ccfdc9e27e13d317b6e9823dbac93189c7f6c8f-0 updated

From sle-container-updates at lists.suse.com Sat Sep 27 07:19:41 2025
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Sat, 27 Sep 2025 09:19:41 +0200 (CEST)
Subject: SUSE-CU-2025:7103-1: Security update of bci/php-apache
Message-ID: <20250927071941.D997BF783@maintenance.suse.de>

SUSE Container Update Advisory: bci/php-apache
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2025:7103-1
Container Tags : bci/php-apache:8 , bci/php-apache:8.3.23 , bci/php-apache:8.3.23-12.30 , bci/php-apache:latest
Container Release : 12.30
Severity : moderate
Type : security
References : 1246974 1249375 CVE-2025-8114 CVE-2025-8277
-----------------------------------------------------------------

The container bci/php-apache was updated.

The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:3369-1
Released: Fri Sep 26 12:54:43 2025
Summary: Security update for libssh
Type: security
Severity: moderate
References: 1246974,1249375,CVE-2025-8114,CVE-2025-8277

This update for libssh fixes the following issues:

- CVE-2025-8277: memory exhaustion leading to client-side DoS due to improper memory management when KEX process is repeated with incorrect guesses (bsc#1249375).
- CVE-2025-8114: NULL pointer dereference when an allocation error happens during the calculation of the KEX session ID (bsc#1246974).
The following package changes have been done:

- libssh-config-0.9.8-150600.11.6.1 updated
- libssh4-0.9.8-150600.11.6.1 updated
- container:registry.suse.com-bci-bci-base-15.7-c748b740034bd7faee2a71a60ccfdc9e27e13d317b6e9823dbac93189c7f6c8f-0 updated

From sle-container-updates at lists.suse.com Sat Sep 27 07:19:54 2025
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Sat, 27 Sep 2025 09:19:54 +0200 (CEST)
Subject: SUSE-CU-2025:7104-1: Security update of suse/sle15
Message-ID: <20250927071954.7A9D2F783@maintenance.suse.de>

SUSE Container Update Advisory: suse/sle15
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2025:7104-1
Container Tags : bci/bci-base:15.7 , bci/bci-base:15.7-5.8.33 , bci/bci-base:latest , suse/sle15:15.7 , suse/sle15:15.7-5.8.33 , suse/sle15:latest
Container Release : 5.8.33
Severity : moderate
Type : security
References : 1246974 1249375 CVE-2025-8114 CVE-2025-8277
-----------------------------------------------------------------

The container suse/sle15 was updated.

The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:3369-1
Released: Fri Sep 26 12:54:43 2025
Summary: Security update for libssh
Type: security
Severity: moderate
References: 1246974,1249375,CVE-2025-8114,CVE-2025-8277

This update for libssh fixes the following issues:

- CVE-2025-8277: memory exhaustion leading to client-side DoS due to improper memory management when KEX process is repeated with incorrect guesses (bsc#1249375).
- CVE-2025-8114: NULL pointer dereference when an allocation error happens during the calculation of the KEX session ID (bsc#1246974).
The following package changes have been done:

- libssh-config-0.9.8-150600.11.6.1 updated
- libssh4-0.9.8-150600.11.6.1 updated

From sle-container-updates at lists.suse.com Sat Sep 27 07:20:15 2025
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Sat, 27 Sep 2025 09:20:15 +0200 (CEST)
Subject: SUSE-CU-2025:7105-1: Security update of bci/spack
Message-ID: <20250927072015.ABBA5F783@maintenance.suse.de>

SUSE Container Update Advisory: bci/spack
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2025:7105-1
Container Tags : bci/spack:0.23 , bci/spack:0.23.1 , bci/spack:0.23.1-15.27 , bci/spack:latest
Container Release : 15.27
Severity : moderate
Type : security
References : 1246974 1249375 CVE-2025-8114 CVE-2025-8277
-----------------------------------------------------------------

The container bci/spack was updated.

The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:3369-1
Released: Fri Sep 26 12:54:43 2025
Summary: Security update for libssh
Type: security
Severity: moderate
References: 1246974,1249375,CVE-2025-8114,CVE-2025-8277

This update for libssh fixes the following issues:

- CVE-2025-8277: memory exhaustion leading to client-side DoS due to improper memory management when KEX process is repeated with incorrect guesses (bsc#1249375).
- CVE-2025-8114: NULL pointer dereference when an allocation error happens during the calculation of the KEX session ID (bsc#1246974).
The following package changes have been done:

- libssh-devel-0.9.8-150600.11.6.1 updated

From sle-container-updates at lists.suse.com Sun Sep 28 07:09:55 2025
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Sun, 28 Sep 2025 09:09:55 +0200 (CEST)
Subject: SUSE-CU-2025:7111-1: Security update of bci/php
Message-ID: <20250928070955.A04C7FBA1@maintenance.suse.de>

SUSE Container Update Advisory: bci/php
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2025:7111-1
Container Tags : bci/php:8 , bci/php:8.3.23 , bci/php:8.3.23-12.25 , bci/php:latest
Container Release : 12.25
Severity : moderate
Type : security
References : 1246974 1249375 CVE-2025-8114 CVE-2025-8277
-----------------------------------------------------------------

The container bci/php was updated.

The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:3369-1
Released: Fri Sep 26 12:54:43 2025
Summary: Security update for libssh
Type: security
Severity: moderate
References: 1246974,1249375,CVE-2025-8114,CVE-2025-8277

This update for libssh fixes the following issues:

- CVE-2025-8277: memory exhaustion leading to client-side DoS due to improper memory management when KEX process is repeated with incorrect guesses (bsc#1249375).
- CVE-2025-8114: NULL pointer dereference when an allocation error happens during the calculation of the KEX session ID (bsc#1246974).
The following package changes have been done:

- libssh-config-0.9.8-150600.11.6.1 updated
- libssh4-0.9.8-150600.11.6.1 updated
- container:registry.suse.com-bci-bci-base-15.7-c748b740034bd7faee2a71a60ccfdc9e27e13d317b6e9823dbac93189c7f6c8f-0 updated

From sle-container-updates at lists.suse.com Sun Sep 28 07:10:11 2025
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Sun, 28 Sep 2025 09:10:11 +0200 (CEST)
Subject: SUSE-CU-2025:7112-1: Security update of bci/python
Message-ID: <20250928071011.165DEFBA1@maintenance.suse.de>

SUSE Container Update Advisory: bci/python
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2025:7112-1
Container Tags : bci/python:3 , bci/python:3.11 , bci/python:3.11.13 , bci/python:3.11.13-74.30
Container Release : 74.30
Severity : moderate
Type : security
References : 1246974 1249375 CVE-2025-8114 CVE-2025-8277
-----------------------------------------------------------------

The container bci/python was updated.

The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:3369-1
Released: Fri Sep 26 12:54:43 2025
Summary: Security update for libssh
Type: security
Severity: moderate
References: 1246974,1249375,CVE-2025-8114,CVE-2025-8277

This update for libssh fixes the following issues:

- CVE-2025-8277: memory exhaustion leading to client-side DoS due to improper memory management when KEX process is repeated with incorrect guesses (bsc#1249375).
- CVE-2025-8114: NULL pointer dereference when an allocation error happens during the calculation of the KEX session ID (bsc#1246974).
The following package changes have been done:

- libssh-config-0.9.8-150600.11.6.1 updated
- libssh4-0.9.8-150600.11.6.1 updated
- container:registry.suse.com-bci-bci-base-15.7-c748b740034bd7faee2a71a60ccfdc9e27e13d317b6e9823dbac93189c7f6c8f-0 updated

From sle-container-updates at lists.suse.com Sun Sep 28 07:10:27 2025
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Sun, 28 Sep 2025 09:10:27 +0200 (CEST)
Subject: SUSE-CU-2025:7113-1: Security update of bci/python
Message-ID: <20250928071028.0036BFBA1@maintenance.suse.de>

SUSE Container Update Advisory: bci/python
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2025:7113-1
Container Tags : bci/python:3 , bci/python:3.13 , bci/python:3.13.5 , bci/python:3.13.5-76.29 , bci/python:latest
Container Release : 76.29
Severity : moderate
Type : security
References : 1246974 1249375 CVE-2025-8114 CVE-2025-8277
-----------------------------------------------------------------

The container bci/python was updated.

The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:3369-1
Released: Fri Sep 26 12:54:43 2025
Summary: Security update for libssh
Type: security
Severity: moderate
References: 1246974,1249375,CVE-2025-8114,CVE-2025-8277

This update for libssh fixes the following issues:

- CVE-2025-8277: memory exhaustion leading to client-side DoS due to improper memory management when KEX process is repeated with incorrect guesses (bsc#1249375).
- CVE-2025-8114: NULL pointer dereference when an allocation error happens during the calculation of the KEX session ID (bsc#1246974).
The following package changes have been done:

- libssh-config-0.9.8-150600.11.6.1 updated
- libssh4-0.9.8-150600.11.6.1 updated
- container:registry.suse.com-bci-bci-base-15.7-c748b740034bd7faee2a71a60ccfdc9e27e13d317b6e9823dbac93189c7f6c8f-0 updated

From sle-container-updates at lists.suse.com Sun Sep 28 07:10:44 2025
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Sun, 28 Sep 2025 09:10:44 +0200 (CEST)
Subject: SUSE-CU-2025:7114-1: Security update of bci/python
Message-ID: <20250928071044.9FB2AFBA1@maintenance.suse.de>

SUSE Container Update Advisory: bci/python
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2025:7114-1
Container Tags : bci/python:3 , bci/python:3.6 , bci/python:3.6.15 , bci/python:3.6.15-73.31
Container Release : 73.31
Severity : moderate
Type : security
References : 1246974 1249375 CVE-2025-8114 CVE-2025-8277
-----------------------------------------------------------------

The container bci/python was updated.

The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:3369-1
Released: Fri Sep 26 12:54:43 2025
Summary: Security update for libssh
Type: security
Severity: moderate
References: 1246974,1249375,CVE-2025-8114,CVE-2025-8277

This update for libssh fixes the following issues:

- CVE-2025-8277: memory exhaustion leading to client-side DoS due to improper memory management when KEX process is repeated with incorrect guesses (bsc#1249375).
- CVE-2025-8114: NULL pointer dereference when an allocation error happens during the calculation of the KEX session ID (bsc#1246974).
The following package changes have been done:

- libssh-config-0.9.8-150600.11.6.1 updated
- libssh4-0.9.8-150600.11.6.1 updated
- container:registry.suse.com-bci-bci-base-15.7-c748b740034bd7faee2a71a60ccfdc9e27e13d317b6e9823dbac93189c7f6c8f-0 updated

From sle-container-updates at lists.suse.com Sun Sep 28 07:11:15 2025
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Sun, 28 Sep 2025 09:11:15 +0200 (CEST)
Subject: SUSE-CU-2025:7116-1: Security update of bci/ruby
Message-ID: <20250928071115.EC04DFBA1@maintenance.suse.de>

SUSE Container Update Advisory: bci/ruby
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2025:7116-1
Container Tags : bci/ruby:3 , bci/ruby:3.4 , bci/ruby:3.4-13.10 , bci/ruby:latest
Container Release : 13.10
Severity : moderate
Type : security
References : 1246974 1249375 CVE-2025-8114 CVE-2025-8277
-----------------------------------------------------------------

The container bci/ruby was updated.

The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:3369-1
Released: Fri Sep 26 12:54:43 2025
Summary: Security update for libssh
Type: security
Severity: moderate
References: 1246974,1249375,CVE-2025-8114,CVE-2025-8277

This update for libssh fixes the following issues:

- CVE-2025-8277: memory exhaustion leading to client-side DoS due to improper memory management when KEX process is repeated with incorrect guesses (bsc#1249375).
- CVE-2025-8114: NULL pointer dereference when an allocation error happens during the calculation of the KEX session ID (bsc#1246974).
The following package changes have been done:

- libssh-config-0.9.8-150600.11.6.1 updated
- libssh4-0.9.8-150600.11.6.1 updated
- container:registry.suse.com-bci-bci-base-15.7-c748b740034bd7faee2a71a60ccfdc9e27e13d317b6e9823dbac93189c7f6c8f-0 updated

From sle-container-updates at lists.suse.com Sun Sep 28 07:07:34 2025
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Sun, 28 Sep 2025 09:07:34 +0200 (CEST)
Subject: SUSE-CU-2025:7107-1: Security update of bci/python
Message-ID: <20250928070734.CEF61FBA1@maintenance.suse.de>

SUSE Container Update Advisory: bci/python
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2025:7107-1
Container Tags : bci/python:3 , bci/python:3.12 , bci/python:3.12.11 , bci/python:3.12.11-72.31
Container Release : 72.31
Severity : moderate
Type : security
References : 1246974 1249375 CVE-2025-8114 CVE-2025-8277
-----------------------------------------------------------------

The container bci/python was updated.

The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:3369-1
Released: Fri Sep 26 12:54:43 2025
Summary: Security update for libssh
Type: security
Severity: moderate
References: 1246974,1249375,CVE-2025-8114,CVE-2025-8277

This update for libssh fixes the following issues:

- CVE-2025-8277: memory exhaustion leading to client-side DoS due to improper memory management when KEX process is repeated with incorrect guesses (bsc#1249375).
- CVE-2025-8114: NULL pointer dereference when an allocation error happens during the calculation of the KEX session ID (bsc#1246974).
The following package changes have been done:

- libssh-config-0.9.8-150600.11.6.1 updated
- libssh4-0.9.8-150600.11.6.1 updated
- container:registry.suse.com-bci-bci-base-15.6-5e0c3d434a2b643bae49bc5c102078b9d14d2156adbcc8c0266ab3fde11f1219-0 updated

From sle-container-updates at lists.suse.com Sun Sep 28 07:11:29 2025
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Sun, 28 Sep 2025 09:11:29 +0200 (CEST)
Subject: SUSE-CU-2025:7117-1: Security update of bci/rust
Message-ID: <20250928071129.E8428FBA1@maintenance.suse.de>

SUSE Container Update Advisory: bci/rust
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2025:7117-1
Container Tags : bci/rust:1.89 , bci/rust:1.89.0 , bci/rust:1.89.0-1.2.8 , bci/rust:latest , bci/rust:stable , bci/rust:stable-1.2.8
Container Release : 2.8
Severity : moderate
Type : security
References : 1246974 1249375 CVE-2025-8114 CVE-2025-8277
-----------------------------------------------------------------

The container bci/rust was updated.

The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:3369-1
Released: Fri Sep 26 12:54:43 2025
Summary: Security update for libssh
Type: security
Severity: moderate
References: 1246974,1249375,CVE-2025-8114,CVE-2025-8277

This update for libssh fixes the following issues:

- CVE-2025-8277: memory exhaustion leading to client-side DoS due to improper memory management when KEX process is repeated with incorrect guesses (bsc#1249375).
- CVE-2025-8114: NULL pointer dereference when an allocation error happens during the calculation of the KEX session ID (bsc#1246974).
The following package changes have been done:

- libssh-config-0.9.8-150600.11.6.1 updated
- libssh4-0.9.8-150600.11.6.1 updated
- container:registry.suse.com-bci-bci-base-15.7-c748b740034bd7faee2a71a60ccfdc9e27e13d317b6e9823dbac93189c7f6c8f-0 updated

From sle-container-updates at lists.suse.com Sun Sep 28 07:09:03 2025
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Sun, 28 Sep 2025 09:09:03 +0200 (CEST)
Subject: SUSE-CU-2025:7108-1: Security update of bci/gcc
Message-ID: <20250928070903.4F22BFBA1@maintenance.suse.de>

SUSE Container Update Advisory: bci/gcc
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2025:7108-1
Container Tags : bci/gcc:14 , bci/gcc:14.3 , bci/gcc:14.3-11.28 , bci/gcc:latest
Container Release : 11.28
Severity : moderate
Type : security
References : 1246974 1249375 CVE-2025-8114 CVE-2025-8277
-----------------------------------------------------------------

The container bci/gcc was updated.

The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:3369-1
Released: Fri Sep 26 12:54:43 2025
Summary: Security update for libssh
Type: security
Severity: moderate
References: 1246974,1249375,CVE-2025-8114,CVE-2025-8277

This update for libssh fixes the following issues:

- CVE-2025-8277: memory exhaustion leading to client-side DoS due to improper memory management when KEX process is repeated with incorrect guesses (bsc#1249375).
- CVE-2025-8114: NULL pointer dereference when an allocation error happens during the calculation of the KEX session ID (bsc#1246974).
The following package changes have been done: - libssh-config-0.9.8-150600.11.6.1 updated - libssh4-0.9.8-150600.11.6.1 updated - container:registry.suse.com-bci-bci-base-15.7-c748b740034bd7faee2a71a60ccfdc9e27e13d317b6e9823dbac93189c7f6c8f-0 updated From sle-container-updates at lists.suse.com Sun Sep 28 07:09:25 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Sun, 28 Sep 2025 09:09:25 +0200 (CEST) Subject: SUSE-CU-2025:7109-1: Security update of bci/kiwi Message-ID: <20250928070925.E04CBFBA1@maintenance.suse.de> SUSE Container Update Advisory: bci/kiwi ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:7109-1 Container Tags : bci/kiwi:9 , bci/kiwi:9.24 , bci/kiwi:9.24.43 , bci/kiwi:9.24.43-19.2 , bci/kiwi:latest Container Release : 19.2 Severity : important Type : security References : 1243005 1246974 1248660 1249375 CVE-2025-8114 CVE-2025-8277 ----------------------------------------------------------------- The container bci/kiwi was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:3369-1 Released: Fri Sep 26 12:54:43 2025 Summary: Security update for libssh Type: security Severity: moderate References: 1246974,1249375,CVE-2025-8114,CVE-2025-8277 This update for libssh fixes the following issues: - CVE-2025-8277: memory exhaustion leading to client-side DoS due to improper memory management when KEX process is repeated with incorrect guesses (bsc#1249375). - CVE-2025-8114: NULL pointer dereference when an allocation error happens during the calculation of the KEX session ID (bsc#1246974). 
----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:3372-1 Released: Fri Sep 26 13:42:10 2025 Summary: Recommended update for iproute2 Type: recommended Severity: important References: 1243005,1248660 This update for iproute2 fixes the following issues: - add post-6.4 follow-up fixes (bsc#1243005) - sync UAPI header copies with SLE15-SP6 kernel - devlink: support ipsec_crypto and ipsec_packet cap (bsc#1248660) The following package changes have been done: - libssh-config-0.9.8-150600.11.6.1 updated - libssh4-0.9.8-150600.11.6.1 updated - iproute2-6.4-150600.7.9.1 updated - container:registry.suse.com-bci-bci-base-15.7-c748b740034bd7faee2a71a60ccfdc9e27e13d317b6e9823dbac93189c7f6c8f-0 updated From sle-container-updates at lists.suse.com Sun Sep 28 07:10:59 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Sun, 28 Sep 2025 09:10:59 +0200 (CEST) Subject: SUSE-CU-2025:7115-1: Security update of bci/ruby Message-ID: <20250928071059.EF82AFBA1@maintenance.suse.de> SUSE Container Update Advisory: bci/ruby ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:7115-1 Container Tags : bci/ruby:2 , bci/ruby:2.5 , bci/ruby:2.5-14.10 Container Release : 14.10 Severity : moderate Type : security References : 1246974 1249375 CVE-2025-8114 CVE-2025-8277 ----------------------------------------------------------------- The container bci/ruby was updated. 
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:3369-1 Released: Fri Sep 26 12:54:43 2025 Summary: Security update for libssh Type: security Severity: moderate References: 1246974,1249375,CVE-2025-8114,CVE-2025-8277 This update for libssh fixes the following issues: - CVE-2025-8277: memory exhaustion leading to client-side DoS due to improper memory management when KEX process is repeated with incorrect guesses (bsc#1249375). - CVE-2025-8114: NULL pointer dereference when an allocation error happens during the calculation of the KEX session ID (bsc#1246974). The following package changes have been done: - libssh-config-0.9.8-150600.11.6.1 updated - libssh4-0.9.8-150600.11.6.1 updated - container:registry.suse.com-bci-bci-base-15.7-c748b740034bd7faee2a71a60ccfdc9e27e13d317b6e9823dbac93189c7f6c8f-0 updated From sle-container-updates at lists.suse.com Tue Sep 30 07:02:54 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Tue, 30 Sep 2025 09:02:54 +0200 (CEST) Subject: SUSE-CU-2025:7119-1: Security update of containers/lmcache-vllm-openai Message-ID: <20250930070254.1A351FB9C@maintenance.suse.de> SUSE Container Update Advisory: containers/lmcache-vllm-openai ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:7119-1 Container Tags : containers/lmcache-vllm-openai:0 , containers/lmcache-vllm-openai:0.3.2 , containers/lmcache-vllm-openai:0.3.2-2.3 Container Release : 2.3 Severity : moderate Type : security References : 1111638 1246974 1249375 CVE-2018-18088 CVE-2025-8114 CVE-2025-8277 ----------------------------------------------------------------- The container containers/lmcache-vllm-openai was updated. 
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:3352-1 Released: Thu Sep 25 13:50:15 2025 Summary: Security update for openjpeg2 Type: security Severity: low References: 1111638,CVE-2018-18088 This update for openjpeg2 fixes the following issues: - CVE-2018-18088: Fixed a null pointer dereference in imagetopnm function. (bsc#1111638). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:3369-1 Released: Fri Sep 26 12:54:43 2025 Summary: Security update for libssh Type: security Severity: moderate References: 1246974,1249375,CVE-2025-8114,CVE-2025-8277 This update for libssh fixes the following issues: - CVE-2025-8277: memory exhaustion leading to client-side DoS due to improper memory management when KEX process is repeated with incorrect guesses (bsc#1249375). - CVE-2025-8114: NULL pointer dereference when an allocation error happens during the calculation of the KEX session ID (bsc#1246974). 
The following package changes have been done: - libopenjp2-7-2.3.0-150000.3.21.1 updated - libssh-config-0.9.8-150600.11.6.1 updated - libssh4-0.9.8-150600.11.6.1 updated - python311-triton-3.3.1-150600.1.2 updated - python311-pyarrow-17.0.0-150600.2.49 updated - python311-pandas-2.2.3-150600.1.68 updated - python311-xformers-cuda-0.0.31-150600.1.4 updated - python311-torchaudio-cuda-2.7.0-150600.1.4 updated - python311-torch-cuda-2.7.0-150600.3.4 updated - python311-torch-cuda-devel-2.7.0-150600.3.4 updated - python311-lmcache-cuda-0.3.2-150600.1.4 updated - python311-vllm-cuda-0.9.1-150600.1.4 updated From sle-container-updates at lists.suse.com Tue Sep 30 07:02:52 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Tue, 30 Sep 2025 09:02:52 +0200 (CEST) Subject: SUSE-CU-2025:7118-1: Security update of containers/lmcache-lmstack-router Message-ID: <20250930070252.BA2F7FB9C@maintenance.suse.de> SUSE Container Update Advisory: containers/lmcache-lmstack-router ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:7118-1 Container Tags : containers/lmcache-lmstack-router:0 , containers/lmcache-lmstack-router:0.1.6 , containers/lmcache-lmstack-router:0.1.6-2.2 Container Release : 2.2 Severity : moderate Type : security References : 1246974 1249375 CVE-2025-8114 CVE-2025-8277 ----------------------------------------------------------------- The container containers/lmcache-lmstack-router was updated. 
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:3369-1 Released: Fri Sep 26 12:54:43 2025 Summary: Security update for libssh Type: security Severity: moderate References: 1246974,1249375,CVE-2025-8114,CVE-2025-8277 This update for libssh fixes the following issues: - CVE-2025-8277: memory exhaustion leading to client-side DoS due to improper memory management when KEX process is repeated with incorrect guesses (bsc#1249375). - CVE-2025-8114: NULL pointer dereference when an allocation error happens during the calculation of the KEX session ID (bsc#1246974). The following package changes have been done: - libssh-config-0.9.8-150600.11.6.1 updated - libssh4-0.9.8-150600.11.6.1 updated From sle-container-updates at lists.suse.com Tue Sep 30 07:02:55 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Tue, 30 Sep 2025 09:02:55 +0200 (CEST) Subject: SUSE-CU-2025:7120-1: Security update of containers/vllm-openai Message-ID: <20250930070255.7636CFB9C@maintenance.suse.de> SUSE Container Update Advisory: containers/vllm-openai ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:7120-1 Container Tags : containers/vllm-openai:0 , containers/vllm-openai:0.9.1 , containers/vllm-openai:0.9.1-3.1 Container Release : 3.1 Severity : moderate Type : security References : 1111638 1246974 1249375 CVE-2018-18088 CVE-2025-8114 CVE-2025-8277 ----------------------------------------------------------------- The container containers/vllm-openai was updated. 
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:3352-1 Released: Thu Sep 25 13:50:15 2025 Summary: Security update for openjpeg2 Type: security Severity: low References: 1111638,CVE-2018-18088 This update for openjpeg2 fixes the following issues: - CVE-2018-18088: Fixed a null pointer dereference in imagetopnm function. (bsc#1111638). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:3369-1 Released: Fri Sep 26 12:54:43 2025 Summary: Security update for libssh Type: security Severity: moderate References: 1246974,1249375,CVE-2025-8114,CVE-2025-8277 This update for libssh fixes the following issues: - CVE-2025-8277: memory exhaustion leading to client-side DoS due to improper memory management when KEX process is repeated with incorrect guesses (bsc#1249375). - CVE-2025-8114: NULL pointer dereference when an allocation error happens during the calculation of the KEX session ID (bsc#1246974). 
The following package changes have been done: - libopenjp2-7-2.3.0-150000.3.21.1 updated - libssh-config-0.9.8-150600.11.6.1 updated - libssh4-0.9.8-150600.11.6.1 updated - python311-triton-3.3.1-150600.1.2 updated - python311-pyarrow-17.0.0-150600.2.49 updated - python311-pandas-2.2.3-150600.1.68 updated - python311-xformers-cuda-0.0.31-150600.1.4 updated - python311-torchaudio-cuda-2.7.0-150600.1.4 updated - python311-torch-cuda-2.7.0-150600.3.4 updated - python311-torch-cuda-devel-2.7.0-150600.3.4 updated - python311-vllm-cuda-0.9.1-150600.1.4 updated From sle-container-updates at lists.suse.com Tue Sep 30 07:06:21 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Tue, 30 Sep 2025 09:06:21 +0200 (CEST) Subject: SUSE-IU-2025:2632-1: Recommended update of suse/sle-micro/5.5 Message-ID: <20250930070621.78606FB9C@maintenance.suse.de> SUSE Image Update Advisory: suse/sle-micro/5.5 ----------------------------------------------------------------- Image Advisory ID : SUSE-IU-2025:2632-1 Image Tags : suse/sle-micro/5.5:2.0.4 , suse/sle-micro/5.5:2.0.4-5.5.379 , suse/sle-micro/5.5:latest Image Release : 5.5.379 Severity : important Type : recommended References : 1244553 ----------------------------------------------------------------- The container suse/sle-micro/5.5 was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:3421-1 Released: Mon Sep 29 08:01:46 2025 Summary: Recommended update for sysstat Type: recommended Severity: important References: 1244553 This update for sysstat fixes the following issues: - removal of broken symlinks during the post-install phase (bsc#1244553). 
The following package changes have been done: - sysstat-12.0.2-150000.3.51.1 updated From sle-container-updates at lists.suse.com Tue Sep 30 07:14:24 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Tue, 30 Sep 2025 09:14:24 +0200 (CEST) Subject: SUSE-CU-2025:7124-1: Recommended update of suse/sle-micro-rancher/5.4 Message-ID: <20250930071424.9FF25F783@maintenance.suse.de> SUSE Container Update Advisory: suse/sle-micro-rancher/5.4 ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:7124-1 Container Tags : suse/sle-micro-rancher/5.4:5.4.4.5.63 , suse/sle-micro-rancher/5.4:latest Container Release : 4.5.63 Severity : important Type : recommended References : 1244553 ----------------------------------------------------------------- The container suse/sle-micro-rancher/5.4 was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:3421-1 Released: Mon Sep 29 08:01:46 2025 Summary: Recommended update for sysstat Type: recommended Severity: important References: 1244553 This update for sysstat fixes the following issues: - removal of broken symlinks during the post-install phase (bsc#1244553). 
The following package changes have been done: - sysstat-12.0.2-150000.3.51.1 updated From sle-container-updates at lists.suse.com Tue Sep 30 07:15:08 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Tue, 30 Sep 2025 09:15:08 +0200 (CEST) Subject: SUSE-IU-2025:2633-1: Security update of suse/sl-micro/6.1/kvm-os-container Message-ID: <20250930071508.34738F783@maintenance.suse.de> SUSE Image Update Advisory: suse/sl-micro/6.1/kvm-os-container ----------------------------------------------------------------- Image Advisory ID : SUSE-IU-2025:2633-1 Image Tags : suse/sl-micro/6.1/kvm-os-container:2.2.1 , suse/sl-micro/6.1/kvm-os-container:2.2.1-5.39 , suse/sl-micro/6.1/kvm-os-container:latest Image Release : 5.39 Severity : important Type : security References : 1249191 1249348 1249367 CVE-2025-10148 CVE-2025-9086 ----------------------------------------------------------------- The container suse/sl-micro/6.1/kvm-os-container was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: 286 Released: Fri Sep 26 11:21:50 2025 Summary: Security update for curl Type: security Severity: important References: 1249191,1249348,1249367,CVE-2025-10148,CVE-2025-9086 This update for curl fixes the following issues: - tool_operate: fix return code when --retry is used but not triggered [bsc#1249367] - Security fixes: * CVE-2025-9086: Fixed Out of bounds read for cookie path (bsc#1249191) * CVE-2025-10148: Fixed predictable WebSocket mask (bsc#1249348) The following package changes have been done: - SL-Micro-release-6.1-slfo.1.11.60 updated - libcurl4-8.14.1-slfo.1.1_2.1 updated - container:SL-Micro-base-container-2.2.1-5.37 updated From sle-container-updates at lists.suse.com Tue Sep 30 07:18:50 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Tue, 30 Sep 2025 09:18:50 +0200 (CEST) Subject: 
SUSE-CU-2025:7125-1: Security update of bci/bci-busybox Message-ID: <20250930071850.236C2F783@maintenance.suse.de> SUSE Container Update Advisory: bci/bci-busybox ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:7125-1 Container Tags : bci/bci-busybox:15.7 , bci/bci-busybox:15.7-12.3 , bci/bci-busybox:latest Container Release : 12.3 Severity : moderate Type : security References : 1203397 1203399 1206798 1215943 1217580 1217584 1217585 1217883 1240058 1243201 1246965 CVE-2023-42363 CVE-2023-42364 CVE-2023-42365 CVE-2025-8058 ----------------------------------------------------------------- The container bci/bci-busybox was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2964-1 Released: Fri Aug 22 14:52:39 2025 Summary: Security update for glibc Type: security Severity: moderate References: 1240058,1246965,CVE-2025-8058 This update for glibc fixes the following issues: - CVE-2025-8058: Fixed double-free after allocation failure in regcomp. 
(bsc#1246965) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:3205-1 Released: Fri Sep 12 17:57:24 2025 Summary: Security update for busybox, busybox-links Type: security Severity: moderate References: 1203397,1203399,1206798,1215943,1217580,1217584,1217585,1217883,1243201,CVE-2023-42363,CVE-2023-42364,CVE-2023-42365 This update for busybox, busybox-links fixes the following issues: Updated to version 1.37.0 (jsc#PED-13039): - CVE-2023-42363: Fixed use-after-free vulnerability in xasprintf function in xfuncs_printf.c (bsc#1217580) - CVE-2023-42364: Fixed use-after-free in the awk.c evaluate function (bsc#1217584) - CVE-2023-42365: Fixed use-after-free in the awk.c copyvar function (bsc#1217585) Other fixes: - fix generation of file lists via Dockerfile - add copy of busybox.links from the container to catch changes to busybox config - Blacklist creating links for halt, reboot, shutdown commands to avoid accidental use in a fully booted system (bsc#1243201) - Add getfattr applet to attr filelist - busybox-udhcpc conflicts with udhcp. 
- Add new sub-package for udhcpc - zgrep: don't set the label option as only the real grep supports it (bsc#1215943) - Add conflict for coreutils-systemd, package got split - Check in filelists instead of buildrequiring all non-busybox utils - Replace transitional %usrmerged macro with regular version check (bsc#1206798) - Create sub-package 'hexedit' [bsc#1203399] - Create sub-package 'sha3sum' [bsc#1203397] - Drop update-alternatives support - Add provides smtp_daemon to busybox-sendmail - Add conflicts: mawk to busybox-gawk - fix mkdir path to point to /usr/bin instead of /bin - add placeholder variable and ignore applet logic to busybox.install - enable halt, poweroff, reboot commands (bsc#1243201) - Fully enable udhcpc and document that this tool needs special configuration and does not work out of the box [bsc#1217883] - Replace transitional %usrmerged macro with regular version check (bsc#1206798) The following package changes have been done: - busybox-adduser-1.37.0-150700.12.3.2 updated - busybox-attr-1.37.0-150700.12.3.2 updated - busybox-bc-1.37.0-150700.12.3.2 updated - busybox-bind-utils-1.37.0-150700.12.3.2 updated - busybox-bzip2-1.37.0-150700.12.3.2 updated - busybox-coreutils-1.37.0-150700.12.3.2 updated - busybox-cpio-1.37.0-150700.12.3.2 updated - busybox-diffutils-1.37.0-150700.12.3.2 updated - busybox-dos2unix-1.37.0-150700.12.3.2 updated - busybox-ed-1.37.0-150700.12.3.2 updated - busybox-findutils-1.37.0-150700.12.3.2 updated - busybox-gawk-1.37.0-150700.12.3.2 updated - busybox-grep-1.37.0-150700.12.3.2 updated - busybox-gzip-1.37.0-150700.12.3.2 updated - busybox-hexedit-1.37.0-150700.12.3.2 added - busybox-hostname-1.37.0-150700.12.3.2 updated - busybox-iproute2-1.37.0-150700.12.3.2 updated - busybox-iputils-1.37.0-150700.12.3.2 updated - busybox-kbd-1.37.0-150700.12.3.2 updated - busybox-less-1.37.0-150700.12.3.2 updated - busybox-links-1.37.0-150700.12.3.2 updated - busybox-man-1.37.0-150700.12.3.2 updated - 
busybox-misc-1.37.0-150700.12.3.2 updated - busybox-ncurses-utils-1.37.0-150700.12.3.2 updated - busybox-net-tools-1.37.0-150700.12.3.2 updated - busybox-netcat-1.37.0-150700.12.3.2 updated - busybox-patch-1.37.0-150700.12.3.2 updated - busybox-policycoreutils-1.37.0-150700.12.3.2 updated - busybox-procps-1.37.0-150700.12.3.2 updated - busybox-psmisc-1.37.0-150700.12.3.2 updated - busybox-sed-1.37.0-150700.12.3.2 updated - busybox-selinux-tools-1.37.0-150700.12.3.2 updated - busybox-sendmail-1.37.0-150700.12.3.2 updated - busybox-sha3sum-1.37.0-150700.12.3.2 added - busybox-sharutils-1.37.0-150700.12.3.2 updated - busybox-sh-1.37.0-150700.12.3.2 updated - busybox-syslogd-1.37.0-150700.12.3.2 updated - busybox-sysvinit-tools-1.37.0-150700.12.3.2 updated - busybox-tar-1.37.0-150700.12.3.2 updated - busybox-telnet-1.37.0-150700.12.3.2 updated - busybox-tftp-1.37.0-150700.12.3.2 updated - busybox-time-1.37.0-150700.12.3.2 updated - busybox-traceroute-1.37.0-150700.12.3.2 updated - busybox-tunctl-1.37.0-150700.12.3.2 updated - busybox-udhcpc-1.37.0-150700.12.3.2 added - busybox-unzip-1.37.0-150700.12.3.2 updated - busybox-util-linux-1.37.0-150700.12.3.2 updated - busybox-vi-1.37.0-150700.12.3.2 updated - busybox-vlan-1.37.0-150700.12.3.2 updated - busybox-wget-1.37.0-150700.12.3.2 updated - busybox-which-1.37.0-150700.12.3.2 updated - busybox-whois-1.37.0-150700.12.3.2 updated - busybox-xz-1.37.0-150700.12.3.2 updated - busybox-1.37.0-150700.18.4.1 updated - glibc-2.38-150600.14.37.1 updated From sle-container-updates at lists.suse.com Tue Sep 30 07:19:03 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Tue, 30 Sep 2025 09:19:03 +0200 (CEST) Subject: SUSE-CU-2025:7126-1: Security update of bci/golang Message-ID: <20250930071903.D0DCCF783@maintenance.suse.de> SUSE Container Update Advisory: bci/golang ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:7126-1 Container 
Tags : bci/golang:1.25-openssl , bci/golang:1.25.0-openssl , bci/golang:1.25.0-openssl-74.9 , bci/golang:latest , bci/golang:stable-openssl , bci/golang:stable-openssl-74.9 Container Release : 74.9 Severity : moderate Type : security References : 1246974 1249375 CVE-2025-8114 CVE-2025-8277 ----------------------------------------------------------------- The container bci/golang was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:3369-1 Released: Fri Sep 26 12:54:43 2025 Summary: Security update for libssh Type: security Severity: moderate References: 1246974,1249375,CVE-2025-8114,CVE-2025-8277 This update for libssh fixes the following issues: - CVE-2025-8277: memory exhaustion leading to client-side DoS due to improper memory management when KEX process is repeated with incorrect guesses (bsc#1249375). - CVE-2025-8114: NULL pointer dereference when an allocation error happens during the calculation of the KEX session ID (bsc#1246974). 
The following package changes have been done: - libssh-config-0.9.8-150600.11.6.1 updated - libssh4-0.9.8-150600.11.6.1 updated - container:registry.suse.com-bci-bci-base-15.7-c748b740034bd7faee2a71a60ccfdc9e27e13d317b6e9823dbac93189c7f6c8f-0 updated From sle-container-updates at lists.suse.com Tue Sep 30 07:19:56 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Tue, 30 Sep 2025 09:19:56 +0200 (CEST) Subject: SUSE-CU-2025:7130-1: Security update of bci/rust Message-ID: <20250930071956.9FF4EF783@maintenance.suse.de> SUSE Container Update Advisory: bci/rust ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:7130-1 Container Tags : bci/rust:1.88 , bci/rust:1.88.0 , bci/rust:1.88.0-2.2.8 , bci/rust:oldstable , bci/rust:oldstable-2.2.8 Container Release : 2.8 Severity : moderate Type : security References : 1246974 1249375 CVE-2025-8114 CVE-2025-8277 ----------------------------------------------------------------- The container bci/rust was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:3369-1 Released: Fri Sep 26 12:54:43 2025 Summary: Security update for libssh Type: security Severity: moderate References: 1246974,1249375,CVE-2025-8114,CVE-2025-8277 This update for libssh fixes the following issues: - CVE-2025-8277: memory exhaustion leading to client-side DoS due to improper memory management when KEX process is repeated with incorrect guesses (bsc#1249375). - CVE-2025-8114: NULL pointer dereference when an allocation error happens during the calculation of the KEX session ID (bsc#1246974). The following package changes have been done: - libssh-config-0.9.8-150600.11.6.1 updated - libssh4-0.9.8-150600.11.6.1 updated - container:registry.suse.com-bci-bci-base-15.7-c748b740034bd7faee2a71a60ccfdc9e27e13d317b6e9823dbac93189c7f6c8f-0 updated