SUSE-IU-2025:2412-1: Security update of suse/sl-micro/6.1/baremetal-os-container

sle-container-updates at lists.suse.com
Wed Sep 3 15:51:30 UTC 2025


SUSE Image Update Advisory: suse/sl-micro/6.1/baremetal-os-container
-----------------------------------------------------------------
Image Advisory ID : SUSE-IU-2025:2412-1
Image Tags        : suse/sl-micro/6.1/baremetal-os-container:2.2.1 , suse/sl-micro/6.1/baremetal-os-container:2.2.1-7.2 , suse/sl-micro/6.1/baremetal-os-container:latest
Image Release     : 7.2
Severity          : critical
Type              : security
References        : 1047218 1199630 1210638 1216091 1218459 1219559 1219666 1220262
                        1221107 1221854 1222849 1224285 1225660 1226447 1226448 1227378
                        1227999 1228165 1228780 1229596 1229704 1230227 1230262 1230906
                        1231463 1231795 1232241 1232425 1232526 1234128 1234665 1234812
                        1236177 1236705 1236931 1236931 1236931 1237147 1237442 1237496
                        1238078 1238450 1238491 1238700 1239119 1239119 1239119 1239119
                        1239210 1239335 1239566 1239623 1239883 1239938 1240366 1240414
                        1240788 1240897 1241020 1241052 1241067 1241078 1241083 1241114
                        1241190 1241453 1241549 1241551 1241680 1241938 1242827 1242844
                        1242938 1242987 1243069 1243106 1243155 1243226 1243242 1243273
                        1243273 1243313 1243317 1243450 1243767 1243935 1243991 1244032
                        1244050 1244056 1244059 1244060 1244061 1244079 1244116 1244509
                        1244554 1244555 1244557 1244580 1244700 1244705 1245169 1245274
                        1245275 1245309 1245310 1245311 1245312 1245314 1245317 1246296
                        1246360 1246472 1247074 1247819 391434 915387 CVE-2022-25236
                        CVE-2023-27043 CVE-2023-50782 CVE-2023-52425 CVE-2023-6597 CVE-2024-0397
                        CVE-2024-0450 CVE-2024-12718 CVE-2024-2236 CVE-2024-23337 CVE-2024-32487
                        CVE-2024-4030 CVE-2024-4032 CVE-2024-40896 CVE-2024-53427 CVE-2024-56406
                        CVE-2024-6232 CVE-2024-6923 CVE-2024-7592 CVE-2024-8088 CVE-2024-9287
                        CVE-2025-0938 CVE-2025-1795 CVE-2025-22247 CVE-2025-22869 CVE-2025-22870
                        CVE-2025-27587 CVE-2025-29087 CVE-2025-29088 CVE-2025-30258 CVE-2025-30258
                        CVE-2025-30258 CVE-2025-30258 CVE-2025-31115 CVE-2025-32414 CVE-2025-32415
                        CVE-2025-32462 CVE-2025-32463 CVE-2025-3360 CVE-2025-40909 CVE-2025-4138
                        CVE-2025-4330 CVE-2025-4373 CVE-2025-4435 CVE-2025-4516 CVE-2025-4516
                        CVE-2025-4517 CVE-2025-4598 CVE-2025-4598 CVE-2025-47273 CVE-2025-4802
                        CVE-2025-48060 CVE-2025-4877 CVE-2025-4878 CVE-2025-49794 CVE-2025-49795
                        CVE-2025-49796 CVE-2025-5278 CVE-2025-5318 CVE-2025-5351 CVE-2025-5372
                        CVE-2025-5987 CVE-2025-6018 CVE-2025-6020 CVE-2025-6021 CVE-2025-6069
                        CVE-2025-6170 CVE-2025-7424 CVE-2025-7425 CVE-2025-7519 
-----------------------------------------------------------------

The container suse/sl-micro/6.1/baremetal-os-container was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: 120
Released:    Tue May 27 09:48:45 2025
Summary:     Recommended update for lsof
Type:        recommended
Severity:    moderate
References:  1224285,1232425
This update for lsof fixes the following issues:

- Update to version 4.99.4:
  * In lsof manpage: mention /etc/services for -P option
  * Fix typos in docs
  * Linux 6.9 changed the pidfs appearance in procfs. Try to
    maintain original output in lsof (bsc#1224285)
  * closefrom_shim: Add optimized fallback for platforms without
    closefrom or close_range
  * fix build against -std=c23 (`void (*)()` changed the meaning)
- Fix embedding build host kernel version (bsc#1232425)
- lsof 4.99.3:
  * Fix compilation error when HASIPv6 is not defined
  * Add configure option --disable-liblsof to disable installation
    of liblsof
- Skip tests that are difficult to emulate by qemu
- lsof 4.99.0:
  * Do not hard-code fd numbers in epoll test
  * --with-selinux configure option.
  * Improve performance by using closefrom()
  * Introduce liblsof for programmatic access over spawning lsof
    in a subprocess
- build with libtirpc
- switch to upstream tarball again as it dropped proprietary code

-----------------------------------------------------------------
Advisory ID: 122
Released:    Tue May 27 11:28:57 2025
Summary:     Security update for glibc
Type:        security
Severity:    critical
References:  1234128,1234665,1239883,1243317,CVE-2025-4802
This update for glibc fixes the following issues:

- CVE-2025-4802: elf: Ignore LD_LIBRARY_PATH and debug env var for setuid for static (bsc#1243317)
- pthreads NPTL: lost wakeup fix 2 (bsc#1234128, BZ #25847)
- Mark functions in libc_nonshared.a as hidden (bsc#1239883)
- Linux: Switch back to assembly syscall wrapper for prctl (bsc#1234665, BZ #29770)

-----------------------------------------------------------------
Advisory ID: 126
Released:    Wed May 28 11:00:31 2025
Summary:     Security update for libxml2
Type:        security
Severity:    moderate
References:  1241453,1241551,CVE-2025-32414,CVE-2025-32415
This update for libxml2 fixes the following issues:

- CVE-2025-32414: Fixed out-of-bounds read when parsing text via the Python API (bsc#1241551).
- CVE-2025-32415: Fixed heap-based buffer under-read via crafted XML documents (bsc#1241453).

-----------------------------------------------------------------
Advisory ID: 127
Released:    Mon Jun  2 11:11:24 2025
Summary:     Recommended update for elemental
Type:        recommended
Severity:    moderate
References:  1239623
This update for elemental fixes the following issues:

Update to v2.2.1:

* Include an empty /etc/machine-id file (bsc#1239623)
* Remove /etc/machine-id from base container

-----------------------------------------------------------------
Advisory ID: 130
Released:    Tue Jun  3 11:03:45 2025
Summary:     Security update for elemental-toolkit
Type:        security
Severity:    important
References:  1238700,1239335,CVE-2025-22869,CVE-2025-22870
This update for elemental-toolkit fixes the following issues:

- Updated to v2.2.3:
  * Adapted .golangci.yml format to a new version
  * Simplified podman calls in CI setup
  * Switched GHA runners to Ubuntu 24.04
  * Updated year in headers
  * Vendored go.mod libraries
  * CVE-2025-22870: golang.org/x/net/proxy: Fixed proxy bypass using IPv6 zone IDs (bsc#1238700)
  * CVE-2025-22869: golang.org/x/crypto/ssh: Fixed Denial of Service in the Key Exchange of golang.org/x/crypto/ssh (bsc#1239335)

-----------------------------------------------------------------
Advisory ID: 128
Released:    Tue Jun  3 11:05:30 2025
Summary:     Security update for python311
Type:        security
Severity:    important
References:  1210638,1219559,1219666,1221854,1225660,1226447,1226448,1227378,1227999,1228165,1228780,1229596,1229704,1230227,1230906,1231795,1232241,1236705,1238450,1239210,1241067,1243273,CVE-2022-25236,CVE-2023-27043,CVE-2023-52425,CVE-2023-6597,CVE-2024-0397,CVE-2024-0450,CVE-2024-4030,CVE-2024-4032,CVE-2024-6232,CVE-2024-6923,CVE-2024-7592,CVE-2024-8088,CVE-2024-9287,CVE-2025-0938,CVE-2025-1795,CVE-2025-4516
This update for python311 fixes the following issues:

- CVE-2025-4516: Fixed blocking DecodeError handling
  vulnerability, which could lead to DoS. (bsc#1243273) 

Update to 3.11.12:

  - gh-105704: When using urllib.parse.urlsplit() and
    urllib.parse.urlparse() host parsing would not reject domain
    names containing square brackets ([ and ]). Square brackets
    are only valid for IPv6 and IPvFuture hosts according to RFC
    3986 Section 3.2.2 (bsc#1236705, CVE-2025-0938,
    gh#python/cpython#105704).
  - gh-121284: Fix bug in the folding of rfc2047 encoded-words
    when flattening an email message using a modern email
    policy. Previously when an encoded-word was too long for
    a line, it would be decoded, split across lines, and
    re-encoded. But commas and other special characters in the
    original text could be left unencoded and unquoted. This
    could theoretically be used to spoof header lines using a
    carefully constructed encoded-word if the resulting rendered
    email was transmitted or re-parsed.
  - gh-80222: Fix bug in the folding of quoted strings
    when flattening an email message using a modern email
    policy. Previously when a quoted string was folded so that
    it spanned more than one line, the surrounding quotes and
    internal escapes would be omitted. This could theoretically
    be used to spoof header lines using a carefully constructed
    quoted string if the resulting rendered email was transmitted
    or re-parsed.
  - gh-119511: Fix a potential denial of service in the imaplib
    module. When connecting to a malicious server, it could
    cause an arbitrary amount of memory to be allocated. On many
    systems this is harmless as unused virtual memory is only
    a mapping, but if this hit a virtual address size limit
    it could lead to a MemoryError or other process crash. On
    unusual systems or builds where all allocated memory is
    touched and backed by actual ram or storage it could’ve
    consumed resources doing so until similarly crashing.
  - gh-127257: In ssl, system call failures that OpenSSL reports
    using ERR_LIB_SYS are now raised as OSError.
  - gh-121277: Writers of CPython’s documentation can now use
    next as the version for the versionchanged, versionadded,
    deprecated directives.
  - gh-106883: Disable GC during the _PyThread_CurrentFrames()
    and _PyThread_CurrentExceptions() calls to prevent the
    interpreter from deadlocking.

- CVE-2025-0938: disallow square brackets ([ and ]) in domain names for parsed
  URLs (bsc#1236705, gh#python/cpython#105704)

Update to 3.11.11:

  - Tools/Demos

    - gh-123418: Update GitHub CI workflows to use OpenSSL 3.0.15
      and multissltests to use 3.0.15, 3.1.7, and 3.2.3.

  - Security

    - gh-122792: Changed IPv4-mapped ipaddress.IPv6Address to
      consistently use the mapped IPv4 address value for deciding
      properties. Properties which have their behavior fixed are
      is_multicast, is_reserved, is_link_local, is_global, and
      is_unspecified.

  - Library

    - gh-124651: Properly quote template strings in venv
      activation scripts (bsc#1232241, CVE-2024-9287).

- Remove -IVendor/ from python-config bsc#1231795

- CVE-2024-9287: Properly quote path names provided when creating a
  virtual environment (bsc#1232241,

- Drop .pyc files from docdir for reproducible builds (bsc#1230906).

Update to 3.11.10:

  - Security

    - gh-121957: Fixed missing audit events around interactive
      use of Python, now also properly firing for ``python -i``,
      as well as for ``python -m asyncio``. The event in question
      is ``cpython.run_stdin``.
    - gh-122133: Authenticate the socket connection for the
      ``socket.socketpair()`` fallback on platforms where
      ``AF_UNIX`` is not available like Windows. Patch by
      Gregory P. Smith <greg at krypto.org> and Seth Larson
      <seth at python.org>. Reported by Ellie <el at horse64.org>
    - gh-121285: Remove backtracking from tarfile header parsing
      for ``hdrcharset``, PAX, and GNU sparse headers
      (bsc#1230227, CVE-2024-6232).
    - gh-118486: :func:`os.mkdir` on Windows now accepts
      *mode* of ``0o700`` to restrict the new directory to
      the current user. This fixes CVE-2024-4030 affecting
      :func:`tempfile.mkdtemp` in scenarios where the base
      temporary directory is more permissive than the default.

  - Library

    - gh-123270: Applied a more surgical fix for malformed
      payloads in :class:`zipfile.Path` causing infinite loops
      (gh-122905) without breaking contents using legitimate
      characters (bsc#1229704, CVE-2024-8088).
    - gh-123067: Fix quadratic complexity in parsing ``'``-quoted
      cookie values with backslashes by :mod:`http.cookies`
      (bsc#1229596, CVE-2024-7592).
    - gh-122905: :class:`zipfile.Path` objects now sanitize names
      from the zipfile.
    - gh-121650: :mod:`email` headers with embedded newlines are
      now quoted on output. The :mod:`~email.generator` will now
      refuse to serialize (write) headers that are unsafely folded
      or delimited; see :attr:`~email.policy.Policy.verify_generated_headers`.
      (Contributed by Bas Bloemsaat and Petr Viktorin in
      :gh:`121650`; CVE-2024-6923, bsc#1228780).
    - gh-119506: Fix :meth:`!io.TextIOWrapper.write` method
      breaks internal buffer when the method is called again
      during flushing internal buffer.
    - gh-118643: Fix an AttributeError in the :mod:`email` module
      when re-folding a long address list. Also fix more cases of
      incorrect encoding of the address separator in the address
      list.
    - gh-113171: Fixed various false positives and false
      negatives in

      * :attr:`ipaddress.IPv4Address.is_private`
        (see these docs for details)
      * :attr:`ipaddress.IPv4Address.is_global`
      * :attr:`ipaddress.IPv6Address.is_private`
      * :attr:`ipaddress.IPv6Address.is_global`

      Also in the corresponding :class:`ipaddress.IPv4Network` and
      :class:`ipaddress.IPv6Network` attributes.
      Fixes bsc#1226448 (CVE-2024-4032).
    - gh-102988: :func:`email.utils.getaddresses` and
      :func:`email.utils.parseaddr` now return ``('', '')``
      2-tuples in more situations where invalid email addresses
      are encountered instead of potentially inaccurate
      values. Add optional *strict* parameter to these two
      functions: use ``strict=False`` to get the old behavior,
      accept malformed inputs. ``getattr(email.utils,
      'supports_strict_parsing', False)`` can be used to check if
      the *strict* parameter is available. Patch by Thomas Dwyer
      and Victor Stinner to improve the CVE-2023-27043 fix
      (bsc#1210638).
    - gh-67693: Fix :func:`urllib.parse.urlunparse` and
      :func:`urllib.parse.urlunsplit` for URIs with path starting
      with multiple slashes and no authority. Based on patch by
      Ashwin Ramaswami.

  - Core and Builtins

    - gh-112275: A deadlock involving ``pystate.c``'s
      ``HEAD_LOCK`` in ``posixmodule.c`` at fork is now
      fixed. Patch by ChuBoning based on previous Python 3.12 fix
      by Victor Stinner.
    - gh-109120: Added handling of incorrect star expressions, e.g.
      ``f(3, *)``. Patch by Grigoryev Semyon

- CVE-2024-8088: Prevent malformed payloads from causing infinite loops in
  zipfile.Path (bsc#1229704)

- Make pip and modern tools install directly in /usr/local when used by
  the user. (bsc#1225660)

- CVE-2024-4032: Fix rearranging definition of private v global IP
  addresses. (bsc#1226448)

Update to 3.11.9:

  * Security

    - gh-115398: Allow controlling Expat >=2.6.0 reparse deferral
      (CVE-2023-52425,  bsc#1219559) by adding five new methods:
        xml.etree.ElementTree.XMLParser.flush()
        xml.etree.ElementTree.XMLPullParser.flush()
        xml.parsers.expat.xmlparser.GetReparseDeferralEnabled()
        xml.parsers.expat.xmlparser.SetReparseDeferralEnabled()
        xml.sax.expatreader.ExpatParser.flush()
    - gh-115399: Update bundled libexpat to 2.6.0
    - gh-115243: Fix possible crashes in collections.deque.index()
      when the deque is concurrently modified.
    - gh-114572: ssl.SSLContext.cert_store_stats() and
      ssl.SSLContext.get_ca_certs() now correctly lock access to the
      certificate store, when the ssl.SSLContext is shared across
      multiple threads (bsc#1226447, CVE-2024-0397).

  * Core and Builtins

    - gh-116296: Fix possible refleak in object.__reduce__() internal
      error handling.
    - gh-116034: Fix location of the error on a failed assertion.
    - gh-115823: Properly calculate error ranges in the parser when
      raising SyntaxError exceptions caused by invalid byte sequences.
      Patch by Pablo Galindo
    - gh-112087: An empty reverse iterator for list will now be
      reduced to reversed(). Patch by Donghee Na.
    - gh-115011: Setters for members with an unsigned integer type now
      support the same range of valid values for objects that have an
      __index__() method as for int.
    - gh-96497: Fix incorrect resolution of mangled class variables
      used in assignment expressions in comprehensions.

  * Library

    - gh-117310: Fixed an unlikely early & extra Py_DECREF triggered
      crash in ssl when creating a new _ssl._SSLContext if CPython was
      built implausibly such that the default cipher list is empty or
      the SSL library it was linked against reports a failure from its
      C SSL_CTX_set_cipher_list() API.
    - gh-117178: Fix regression in lazy loading of self-referential
      modules, introduced in gh-114781.
    - gh-117084: Fix zipfile extraction for directory entries with the
      name containing backslashes on Windows.
    - gh-117110: Fix a bug that prevents subclasses of typing.Any to
      be instantiated with arguments. Patch by Chris Fu.
    - gh-90872: On Windows, subprocess.Popen.wait() no longer calls
      WaitForSingleObject() with a negative timeout: pass 0 ms if the
      timeout is negative. Patch by Victor Stinner.
    - gh-116957: configparser: Don’t leave ConfigParser values in an
      invalid state (stored as a list instead of a str) after an
      earlier read raised DuplicateSectionError or
      DuplicateOptionError.
    - gh-90095: Ignore empty lines and comments in .pdbrc
    - gh-116764: Restore support of None and other false values in
      urllib.parse functions parse_qs() and parse_qsl(). Also, they
      now raise a TypeError for non-zero integers and non-empty
      sequences.
    - gh-116811: In PathFinder.invalidate_caches, delegate to
      MetadataPathFinder.invalidate_caches.
    - gh-116600: Fix repr() for global Flag members.
    - gh-116484: Change automatically generated tkinter.Checkbutton
      widget names to avoid collisions with automatically generated
      tkinter.ttk.Checkbutton widget names within the same parent
      widget.
    - gh-116401: Fix blocking os.fwalk() and shutil.rmtree() on
      opening named pipe.
    - gh-116143: Fix a race in pydoc _start_server, eliminating a
      window in which _start_server can return a thread that is
      “serving” but without a docserver set.
    - gh-116325: typing: raise SyntaxError instead of AttributeError
      on forward references as empty strings.
    - gh-90535: Fix support of interval values > 1 in
      logging.TimedRotatingFileHandler for when='MIDNIGHT' and
      when='Wx'.
    - gh-115978: Disable preadv(), readv(), pwritev(), and writev() on
      WASI. Under wasmtime for WASI 0.2, these functions don’t pass
      test_posix
      (https://github.com/bytecodealliance/wasmtime/issues/7830).
    - gh-88352: Fix the computation of the next rollover time in the
      logging.TimedRotatingFileHandler handler. computeRollover() now
      always returns a timestamp larger than the specified time and
      works correctly during the DST change. doRollover() no longer
      overwrites the already rolled over file, saving from data loss
      when run at midnight or during repeated time at the DST change.
    - gh-87115: Set __main__.__spec__ to None when running a script
      with pdb
    - gh-76511: Fix UnicodeEncodeError in email.Message.as_string()
      that results when a message that claims to be in the ascii
      character set actually has non-ascii characters. Non-ascii
      characters are now replaced with the U+FFFD replacement
      character, like in the replace error handler.
    - gh-75988: Fixed unittest.mock.create_autospec() to pass the call
      through to the wrapped object to return the real result.
    - gh-115881: Fix issue where ast.parse() would incorrectly flag
      conditional context managers (such as with (x() if y else z()):
      ...) as invalid syntax if feature_version=(3, 8) was passed.
      This reverts changes to the grammar made as part of gh-94949.
    - gh-115886: Fix silent truncation of the name with an embedded
      null character in multiprocessing.shared_memory.SharedMemory.
    - gh-115809: Improve algorithm for computing which rolled-over log
      files to delete in logging.TimedRotatingFileHandler. It is now
      reliable for handlers without namer and with arbitrary
      deterministic namer that leaves the datetime part in the file
      name unmodified.
    - gh-74668: urllib.parse functions parse_qs() and parse_qsl() now
      support bytes arguments containing raw and percent-encoded
      non-ASCII data.
    - gh-67044: csv.writer() now always quotes or escapes '\r' and
      '\n', regardless of lineterminator value.
    - gh-115712: csv.writer() now quotes empty fields if delimiter is
      a space and skipinitialspace is true and raises exception if
      quoting is not possible.
    - gh-115618: Fix improper decreasing the reference count for None
      argument in property methods getter(), setter() and deleter().
    - gh-115570: A DeprecationWarning is no longer omitted on access
      to the __doc__ attributes of the deprecated typing.io and
      typing.re pseudo-modules.
    - gh-112006: Fix inspect.unwrap() for types with the __wrapper__
      data descriptor.
    - gh-101293: Support callables with the __call__() method and
      types with __new__() and __init__() methods set to class
      methods, static methods, bound methods, partial functions, and
      other types of methods and descriptors in
      inspect.Signature.from_callable().
    - gh-115392: Fix a bug in doctest where incorrect line numbers
      would be reported for decorated functions.
    - gh-114563: Fix several format() bugs when using the C
      implementation of Decimal:

      * memory leak in some rare cases when using the z format
        option (coerce negative 0)
      * incorrect output when applying the z format option to type F
        (fixed-point with capital NAN / INF)
      * incorrect output when applying the # format option
        (alternate form)
    - gh-115197: urllib.request no longer resolves the hostname before
      checking it against the system’s proxy bypass list on macOS and
      Windows.
    - gh-115198: Fix support of Docutils >= 0.19 in distutils.
    - gh-115165: Most exceptions are now ignored when attempting to
      set the __orig_class__ attribute on objects returned when
      calling typing generic aliases (including generic aliases
      created using typing.Annotated). Previously only AttributeError
      was ignored. Patch by Dave Shawley.
    - gh-115133: Fix tests for XMLPullParser with Expat 2.6.0.
    - gh-115059: io.BufferedRandom.read1() now flushes the underlying
      write buffer.
    - gh-79382: Trailing ** no longer allows to match files and
      non-existing paths in recursive glob().
    - gh-114763: Protect modules loaded with importlib.util.LazyLoader
      from race conditions when multiple threads try to access
      attributes before the loading is complete.
    - gh-97959: Fix rendering class methods, bound methods, method and
      function aliases in pydoc. Class methods no longer have “method
      of builtins.type instance” note. Corresponding notes are now
      added for class and unbound methods. Method and function aliases
      now have references to the module or the class where the origin
      was defined if it differs from the current. Bound methods are
      now listed in the static methods section. Methods of builtin
      classes are now supported as well as methods of Python classes.
    - gh-112281: Allow creating union of types for typing.Annotated
      with unhashable metadata.
    - gh-111775: Fix importlib.resources.simple.ResourceHandle.open()
      for text mode, added missed stream argument.
    - gh-90095: Make .pdbrc and -c work with any valid pdb commands.
    - gh-107155: Fix incorrect output of help(x) where x is a lambda
      function, which has an __annotations__ dictionary attribute with
      a 'return' key.
    - gh-105866: Fixed _get_slots bug which caused error when defining
      dataclasses with slots and a weakref_slot.
    - gh-60346: Fix ArgumentParser inconsistent with parse_known_args.
    - gh-100985: Update HTTPSConnection to consistently wrap IPv6
      Addresses when using a proxy.
    - gh-100884: email: fix misfolding of comma in address-lists
      over multiple lines in combination with unicode encoding
      (bsc#1238450 CVE-2025-1795)
    - gh-95782: Fix io.BufferedReader.tell(),
      io.BufferedReader.seek(), _pyio.BufferedReader.tell(),
      io.BufferedRandom.tell(), io.BufferedRandom.seek() and
      _pyio.BufferedRandom.tell() being able to return negative
      offsets.
    - gh-96310: Fix a traceback in argparse when all options in a
      mutually exclusive group are suppressed.
    - gh-93205: Fixed a bug in
      logging.handlers.TimedRotatingFileHandler where multiple
      rotating handler instances pointing to files with the same name
      but different extensions would conflict and not delete the
      correct files.
    - bpo-44865: Add missing call to localization function in
      argparse.
    - bpo-43952: Fix multiprocessing.connection.Listener.accept() to
      accept empty bytes as authkey. Not accepting empty bytes as key
      causes it to hang indefinitely.
    - bpo-42125: linecache: get module name from __spec__ if
      available. This allows getting source code for the __main__
      module when a custom loader is used.
    - gh-66543: Make mimetypes.guess_type() properly parse URLs
      with only a host name, URLs containing fragment or query, and
      filenames with only a UNC sharepoint on Windows. Based on patch
      by Dong-hee Na.
    - bpo-33775: Add ‘default’ and ‘version’ help text for
      localization in argparse.

  * Documentation

    - gh-115399: Document CVE-2023-52425 of Expat <2.6.0 under “XML
      vulnerabilities”.
    - gh-115233: Fix an example for LoggerAdapter in the Logging
      Cookbook.

  * IDLE

    - gh-88516: On macOS show a proxy icon in the title bar of editor
      windows to match platform behaviour.

  * Tools/Demos

    - gh-113516: Don’t set LDSHARED when building for WASI.

  * C API

    - gh-117021: Fix integer overflow in PyLong_AsPid() on non-Windows
      64-bit platforms.

- Add reference to CVE-2024-0450 (bsc#1221854) to changelog.

-----------------------------------------------------------------
Advisory ID: 139
Released:    Sun Jun  8 15:39:11 2025
Summary:     Security update for less
Type:        security
Severity:    important
References:  1047218,1222849,915387,CVE-2024-32487
This update for less fixes the following issues:

- Updated to version 668
  * Fixed crash when using --header on command line
  * Fixed possible crash when scrolling left/right or toggling -S
  * Fixed bug when using #stop in a lesskey file
  * Fixed bug when using --shift or --match-shift on command line with a parameter starting with '.'
  * Fixed bug in R command when file size changes
  * Fixed bug using --header when file does not fill screen
  * Fixed ^X bug when output is not a terminal
  * Fixed bug where ^Z is not handled immediately
  * Fixed bug where first byte from a LESSOPEN filter is deleted if it is greater than 0x7F
  * Fixed uninitialized variable in edit_ifile
  * Fixed incorrect handling of UTF-8 chars in prompts

- Change preprocessor dependencies from Requires to Recommends. It's disabled by
  default and they are not necessary for less.

- Updated to version 661:
  * fixed crash - buffer overflow by one in fexpand
  * fixed free(): double free detected in tcache 2
  * fixed segmentation fault on line-num-width & -N

- Updated to version 656:
  * Add ^O^N, ^O^P, ^O^L and ^O^O commands and mouse clicks (with --mouse) to find and open OSC8 hyperlinks (github #251).
  * Add --match-shift option.
  * Add --lesskey-content option (github #447).
  * Add LESSKEY_CONTENT environment variable (github #447).
  * Add --no-search-header-lines and --no-search-header-columns options (github #397).
  * Add ctrl-L search modifier (github #367).
  * A ctrl-P at the start of a shell command suppresses the 'done' message (github #462).
  * Add attribute characters ('*', '~', '_', '&') to --color parameter (github #471).
  * Allow expansion of environment variables in lesskey files.
  * Add LESSSECURE_ALLOW environment variable (github #449).
  * Add LESS_UNSUPPORT environment variable.
  * Add line number parameter to --header option (github #436).
  * Mouse right-click jumps to position marked by left-click (github #390).
  * Ensure that the target line is not obscured by a header line set by --header (github #444).
  * Change default character set to 'utf-8', except remains 'dos' on MS-DOS.
  * Add message when search with ^W wraps (github #459).
  * UCRT builds on Windows 10 and later now support Unicode file names (github #438).
  * Improve behavior of interrupt while reading non-terminated pipe (github #414).
  * Improve parsing of -j, -x and -# options (github #393).
  * Support files larger than 4GB on Windows (github #417).
  * Support entry of Unicode chars larger than U+FFFF on Windows (github #391).
  * Improve colors of bold, underline and standout text on Windows.
  * Allow --rscroll to accept non-ASCII characters (github #483).
  * Allow the parameter to certain options to be terminated with a space (--color, --quotes, --rscroll, --search-options and --intr) (github #495).
  * Fix bug where # substitution failed after viewing help (github #420).
  * Fix crash if files are deleted while less is viewing them (github #404).
  * Workaround unreliable ReadConsoleInputW behavior on Windows with non-ASCII input.
  * Fix -J display when searching for non-ASCII characters (github #422).
  * Don't filter header lines via the & command (github #423).
  * Fix bug when horizontally shifting long lines (github #425).
  * Add -x and -D options to lesstest, to make it easier to diagnose a failed lesstest run.
  * Fix bug searching long lines with --incsearch and -S (github #428).
  * Fix bug that made ESC-} fail if top line on screen was empty (github #429).
  * Fix bug with --mouse on Windows when used with pipes (github #440).
  * Fix bug in --+OPTION command line syntax.
  * Fix display bug when using -w with an empty line with a CR/LF line ending (github #474).
  * When substituting '#' or '%' with a filename, quote the filename if it contains a space (github #480).
  * Fix wrong sleep time when system has usleep but not nanosleep (github #489).
  * Fix bug when file name contains a newline (CVE-2024-32487, bsc#1222849).
  * Fix bug when file name contains nonprintable characters (github #503).
  * Fix DJGPP build (github #497).
  * Update Unicode tables.

- add zstd support to lessopen

- Updated to 643:
  * Fixed problem when a program piping into less reads from the tty,
    like sudo asking for password (github #368).
  * Fixed search modifier ^E after ^W.
  * Fixed bug using negated (^N) search (github #374).
  * Fixed bug setting colors with -D on Windows build (github #386).
  * Fixed reading special chars like PageDown on Windows (github #378).
  * Fixed mouse wheel scrolling on Windows (github #379).
  * Fixed erroneous EOF when terminal window size changes (github #372).
  * Fixed compile error with some definitions of ECHONL (github #395).
  * Fixed crash on Windows when writing logfile (github #405).
  * Fixed regression in exit code when stdin is /dev/null and
    output is a file (github #373).
  * Add lesstest test suite to production release (github #344).
  * Change lesstest output to conform with
    automake Simple Test Format (github #399).

-----------------------------------------------------------------
Advisory ID: 141
Released:    Tue Jun 10 13:50:09 2025
Summary:     Security update for sqlite3
Type:        security
Severity:    moderate
References:  1241020,1241078,CVE-2025-29087,CVE-2025-29088
This update for sqlite3 fixes the following issues:

- Update to release 3.49.1:
  * Improve portability of makefiles and configure scripts.
  * CVE-2025-29087: Fixed Integer Overflow in SQLite concat
    Function (bsc#1241020)
  * CVE-2025-29088: Fixed integer overflow through the 
    SQLITE_DBCONFIG_LOOKASIDE component (bsc#1241078)

- Update to release 3.49.0:
  * Enhancements to the query planner:
    - Improve the query-time index optimization so that it works on
      WITHOUT ROWID tables.
    - Better query plans for large star-query joins. This fixes
      three different performance regressions that were reported
      on the SQLite Forum.
    - When two or more queries have the same estimated cost, use
      the one with the fewer bytes per row.
  * Enhance the iif() SQL function so that it can accept any number
    of arguments greater than or equal to two.
  * Enhance the session extension so that it works on databases
    that make use of generated columns.
  * Omit the SQLITE_USE_STDIO_FOR_CONSOLE compile-time option which
    was not implemented correctly and never worked right. In its place
    add the SQLITE_USE_W32_FOR_CONSOLE_IO compile-time option. This
    option applies to command-line tools like the CLI only, not to the
    SQLite core. It causes Win32 APIs to be used for console I/O
    instead of stdio. This option affects Windows builds only.
  * Three new options to sqlite3_db_config(). All default 'on'.
    SQLITE_DBCONFIG_ENABLE_ATTACH_CREATE
    SQLITE_DBCONFIG_ENABLE_ATTACH_WRITE
    SQLITE_DBCONFIG_ENABLE_COMMENTS 

- Re-enable SONAME which got disabled by default in 3.48.0.

- Update to release 3.48.0:
  * Improved EXPLAIN QUERY PLAN output for covering indexes.
  * Allow a two-argument version of the iif() SQL function.
  * Also allow if() as an alternative spelling for iif().
  * Add the '.dbtotxt' command to the CLI.
  * Add the SQLITE_IOCAP_SUBPAGE_READ property to the
    xDeviceCharacteristics method of the sqlite3_io_methods object.
  * Add the SQLITE_PREPARE_DONT_LOG option to sqlite3_prepare_v3()
    that prevents warning messages being sent to the error log if
    the SQL is ill-formed. This allows sqlite3_prepare_v3() to be
    used to do test compiles of SQL to check for validity without
    polluting the error log with false messages.
  * Increase the minimum allowed value of SQLITE_LIMIT_LENGTH from
    1 to 30.
  * Added the SQLITE_FCNTL_NULL_IO file control.
  * Extend the FTS5 auxiliary API xInstToken() to work with prefix
    queries via the insttoken configuration option and the
    fts5_insttoken() SQL function.
  * Increase the maximum number of arguments to an SQL function
    from 127 to 1000.

- Update to release 3.47.2:
  * Fix a problem in text-to-floating-point conversion that affects
    text values where the first 16 significant digits are
    '1844674407370955'. This issue was introduced in 3.47.0 and
    only arises on x64 and i386 hardware.
  * Other minor bug fixes.
- Enable the session extension, because NodeJS 22 needs it.

- Update to release 3.47.1:
  * Fix the makefiles so that they once again honor DESTDIR for
    the 'install' target.
  * Add the SQLITE_IOCAP_SUBPAGE_READ capability to the VFS, to
    work around issues on some non-standard VFSes caused by making
    SQLITE_DIRECT_OVERFLOW_READ the default in version 3.45.0.
  * Fix incorrect answers to certain obscure IN queries caused by
    new query optimizations added in the 3.47.0 release.
  * Other minor bug fixes.

- Update to release 3.47.0:
  * Allow arbitrary expressions in the second argument to the RAISE
    function.
  * If the RHS of the ->> operator is negative, then access array
    elements counting from the right.
  * Fix a problem with rolling back hot journal files in the
    seldom-used unix-dotfile VFS.
  * FTS5 tables can now be dropped even if they use a non-standard
    tokenizer that has not been registered.
  * Fix the group_concat() aggregate function so that it returns an
    empty string, not a NULL, if it receives a single input value
    which is an empty string.
  * Enhance the generate_series() table-valued function so that it
    is able to recognize and use constraints on its output value.
  * Preupdate hooks now recognize when a column added by ALTER
    TABLE ADD COLUMN has a non-null default value.
  * Improved reuse of subqueries associated with the IN operator,
    especially when the IN operator has been duplicated due to
    predicate push-down.
  * Use a Bloom filter on subqueries on the right-hand side of the
    IN operator, in cases where that seems likely to improve
    performance.
  * Ensure that queries like 'SELECT func(a) FROM tab GROUP BY 1'
    only invoke the func() function once per row.
  * No attempt is made to create automatic indexes on a column
    that is known to be non-selective because of its use in other
    indexes that have been analyzed.
  * Adjustments to the query planner so that it produces better
    plans for star queries with a large number of dimension
    tables.
  * Add the 'order-by-subquery' optimization, that seeks to
    disable sort operations in outer queries if the desired order
    is obtained naturally due to ORDER BY clauses in subqueries. 
  * The 'indexed-subtype-expr' optimization strives to use
    expressions that are part of an index rather than recomputing
    the expression based on table values, as long as the query
    planner can prove that the subtype of the expression will
    never be used.
  * Miscellaneous coding tweaks for faster runtimes.
  * Add the experimental sqlite3_rsync program.
  * Add extension functions median(), percentile(),
    percentile_cont(), and percentile_disc() to the CLI.
  * Add the .www dot-command to the CLI.
  * The sqlite3_analyzer utility now provides a break-out of
    statistics for WITHOUT ROWID tables.
  * The sqldiff utility avoids creating an empty database if its
    second argument does not exist.
  * Enhance the sqlite_dbpage table-valued function such that
    INSERT can be used to increase or decrease the size of the
    database file.
  * SQLite no longer makes any use of the 'long double' data type,
    as hardware support for long double is becoming less common
    and long double creates challenges for some compiler tool
    chains. Instead, SQLite uses Dekker's algorithm when extended
    precision is needed.
  * The TCL Interface for SQLite supports TCL9. Everything
    probably still works for TCL 8.5 and later, though this is not
    guaranteed. Users are encouraged to upgrade to TCL9.
  * Fix a corruption-causing bug in the JavaScript 'opfs' VFS.
    Correct 'mode=ro' handling for the 'opfs' VFS.  Work around a
    couple of browser-specific OPFS quirks.
  * Add the fts5_tokenizer_v2 API and the locale=1 option, for
    creating custom locale-aware tokenizers and fts5 tables that
    may take advantage of them.
  * Add the contentless_unindexed=1 option, for creating
    contentless fts5 tables that store the values of any UNINDEXED
    columns persistently in the database.
  * Allow an FTS5 table to be dropped even if it uses a custom
    tokenizer whose implementation is not available.

- Update to release 3.46.1:
  * Improved robustness while parsing the tokenize= arguments in
    FTS5.
  * Enhancements to covering index prediction in the query planner.
  * Do not let the number of terms on a VALUES clause be limited by
    SQLITE_LIMIT_COMPOUND_SELECT, even if the VALUES clause
    contains elements that appear to be variables due to
    double-quoted string literals.
  * Fix the window function version of group_concat() so that it
    returns an empty string if it has one or more empty string
    inputs.
  * In FTS5 secure-delete mode, fix false-positive integrity-check
    reports about corrupt indexes.
  * Syntax errors in ALTER TABLE should always return SQLITE_ERROR.
    In some cases, they were formerly returning SQLITE_INTERNAL.
  * Other minor fixes.

- Update to release 3.46.0:
  * Enhance PRAGMA optimize in multiple ways.
  * Enhancements to the date and time functions.
  * Add support for underscore ('_') characters between digits in
    numeric literals.
  * Add the json_pretty() SQL function.
  * Query planner improvements.
  * Allocate additional memory from the heap for the SQL parser
    stack if that stack overflows, rather than reporting a 'parser
    stack overflow' error.
  * Allow ASCII control characters within JSON5 string literals.
  * Fix the -> and ->> JSON operators so that when the right-hand
    side operand is a string that looks like an integer it is still
    treated as a string, because that is what PostgreSQL does.

- Update to release 3.45.3:
  * Fix a long-standing bug (going back to version 3.24.0) that
    might (rarely) cause the 'old.*' values of an UPDATE trigger
    to be incorrect if that trigger fires in response to an UPSERT.
  * Reduce the scope of the NOT NULL strength reduction
    optimization that was added as item 8e in version 3.35.0. The
    optimization was being attempted in some contexts where it did
    not work, resulting in incorrect query results.
- Add SQLITE_STRICT_SUBTYPE=1 as recommended by upstream.

- Update to release 3.45.2:
  * Added the SQLITE_RESULT_SUBTYPE property for application-
    defined SQL functions.
  * Enhancements to the JSON SQL functions
  * Add the FTS5 tokendata option to the FTS5 virtual table.
  * The SQLITE_DIRECT_OVERFLOW_READ optimization is now enabled by
    default.
  * Query planner improvements
  * Increase the default value for SQLITE_MAX_PAGE_COUNT from
    1073741824 to 4294967294.
  * Enhancements to the CLI
  * Restore the JSON BLOB input bug, and promise to support the
    anomaly in subsequent releases, for backward compatibility.
  * Fix the PRAGMA integrity_check command so that it works on
    read-only databases that contain FTS3 and FTS5 tables.
  * Fix issues associated with processing corrupt JSONB inputs.
  * Fix a long-standing bug in which a read of a few bytes past the
    end of a memory-mapped segment might occur when accessing a
    craftily corrupted database using memory-mapped database.
  * Fix a long-standing bug in which a NULL pointer dereference
    might occur in the bytecode engine due to incorrect bytecode
    being generated for a class of SQL statements that are
    deliberately designed to stress the query planner but which
    are otherwise pointless.
  * Fix an error in UPSERT, introduced in version 3.35.0.
  * Reduce the scope of the NOT NULL strength reduction
    optimization that was added in version 3.35.0.

-----------------------------------------------------------------
Advisory ID: 145
Released:    Thu Jun 12 09:37:25 2025
Summary:     Security update for systemd
Type:        security
Severity:    moderate
References:  1236177,1237496,1241190,1242938,CVE-2025-4598
This update for systemd fixes the following issues:

- coredump: use %d in kernel core pattern (CVE-2025-4598)
- Revert 'macro: terminate the temporary VA_ARGS_FOREACH() array with a sentinel' (SUSE specific)
- umount: do not move busy network mounts (bsc#1236177)
- man/pstore.conf: pstore.conf template is not always installed in /etc
- man: coredump.conf template is not always installed in /etc (bsc#1237496)
- Don't write messages sent from users with UID falling into the container UID
  range to the system journal. Daemons in the container don't talk to the
  outside journald as they talk to the inner one directly, which does its
  journal splitting based on shifted uids. (bsc#1242938)
- Re-add the support for the persistent net name rules as well as
  their generator, since the predictable naming scheme is still disabled by
  default on Micro (via the `net.ifnames=0` boot option). (bsc#1241190)

-----------------------------------------------------------------
Advisory ID: 146
Released:    Fri Jun 13 12:48:33 2025
Summary:     Security update for openssl-3
Type:        security
Severity:    moderate
References:  1240366,CVE-2025-27587
This update for openssl-3 fixes the following issues:

- CVE-2025-27587: Fixed Minerva side channel vulnerability in P-384 (bsc#1240366)

-----------------------------------------------------------------
Advisory ID: 147
Released:    Fri Jun 13 12:50:10 2025
Summary:     Security update for libxml2
Type:        security
Severity:    important
References:  1234812,CVE-2024-40896
This update for libxml2 fixes the following issues:

- CVE-2024-40896: Fixed XXE vulnerability (bsc#1234812) 

-----------------------------------------------------------------
Advisory ID: 151
Released:    Thu Jun 19 10:45:49 2025
Summary:     Security update for pam
Type:        security
Severity:    important
References:  1244509,CVE-2025-6020
This update for pam fixes the following issues:

- CVE-2025-6020: pam_namespace: convert functions that may operate on a user-controlled path
  to operate on file descriptors instead of absolute path. And keep the
  bind-mount protection from protect_mount() as a defense in depth measure.
  (bsc#1244509)

-----------------------------------------------------------------
Advisory ID: 156
Released:    Mon Jun 23 15:34:00 2025
Summary:     Security update for gpg2
Type:        security
Severity:    moderate
References:  1239119,CVE-2025-30258
This update for gpg2 fixes the following issues:

- CVE-2025-30258: Fixed a verification DoS due to a malicious subkey in the keyring. (bsc#1239119)

-----------------------------------------------------------------
Advisory ID: 159
Released:    Wed Jun 25 10:23:42 2025
Summary:     Security update for open-vm-tools
Type:        security
Severity:    moderate
References:  1237147,1241938,1243106,CVE-2025-22247
This update for open-vm-tools fixes the following issues:

- Updated to 12.5.2:
  * CVE-2025-22247: Fixed Insecure file handling (bsc#1243106)

-----------------------------------------------------------------
Advisory ID: 163
Released:    Mon Jun 30 10:31:31 2025
Summary:     Security update for gpg2
Type:        security
Severity:    moderate
References:  1236931,1239119,CVE-2025-30258
This update for gpg2 fixes the following issues:

* Fixed regressions for the recent malicious subkey DoS fix for CVE-2025-30258 (bsc#1239119).

-----------------------------------------------------------------
Advisory ID: 165
Released:    Tue Jul  1 13:27:41 2025
Summary:     Recommended update for gpg2
Type:        recommended
Severity:    moderate
References:  1236931,1239119,CVE-2025-30258
This update for gpg2 fixes the following issues:

This reverts the CVE-2025-30258 fix, as it changed behaviour when using expired keys.

-----------------------------------------------------------------
Advisory ID: 166
Released:    Wed Jul  2 10:15:40 2025
Summary:     Security update for python-setuptools
Type:        security
Severity:    important
References:  1243313,CVE-2025-47273
This update for python-setuptools fixes the following issues:

- CVE-2025-47273: Fixed path traversal vulnerability in `PackageIndex` (bsc#1243313)

-----------------------------------------------------------------
Advisory ID: 168
Released:    Fri Jul  4 10:41:41 2025
Summary:     Recommended update for elemental-operator
Type:        recommended
Severity:    moderate
References:  
This update for elemental-operator fixes the following issues:

- [v1.7.x] Label Templates: improve Random family processing
- Dockerfile: bump golang container to 1.24
- operator: update RBAC for upgrade plans

-----------------------------------------------------------------
Advisory ID: 170
Released:    Fri Jul  4 16:31:25 2025
Summary:     Recommended update for gptfdisk
Type:        recommended
Severity:    important
References:  1242987
This update for gptfdisk fixes the following issues:

- Fix boot failure with qcow and vmdk images (bsc#1242987)


-----------------------------------------------------------------
Advisory ID: 172
Released:    Mon Jul  7 13:11:11 2025
Summary:     Security update for glib2
Type:        security
Severity:    moderate
References:  1231463,1240897,1242844,CVE-2025-3360,CVE-2025-4373
This update for glib2 fixes the following issues:

Security issues:

- CVE-2025-4373: Fixed handling gssize parameters (bsc#1242844).
- CVE-2025-3360: Fixed integer overflow and buffer underread
  when parsing a very long and invalid ISO 8601 timestamp with
  g_date_time_new_from_iso8601 (bsc#1240897)

Non security issues:

- Make the glib2-tools postun trigger exit normally if
  glib2-compile-schemas can't be run. Fixes error when uninstalling if
  libgio is uninstalled first (bsc#1231463).

-----------------------------------------------------------------
Advisory ID: 173
Released:    Tue Jul  8 18:15:02 2025
Summary:     Security update for gpg2
Type:        security
Severity:    moderate
References:  1236931,1239119,1243069,CVE-2025-30258
This update for gpg2 fixes the following issues:

- CVE-2025-30258: Fix a verification DoS due to a malicious subkey in the keyring: [bsc#1239119, bsc#1236931]
  * gpg: Fix regression for the recent malicious subkey DoS fix.
  * gpg: Fix another regression due to the T7547 fix.
  * gpg: Allow the use of an ADSK subkey as ADSK subkey.

- Don't install expired sks certificate [bsc#1243069]

-----------------------------------------------------------------
Advisory ID: 182
Released:    Tue Jul 15 16:48:17 2025
Summary:     Security update for sudo
Type:        security
Severity:    important
References:  1245274,1245275,CVE-2025-32462,CVE-2025-32463
This update for sudo fixes the following issues:

- CVE-2025-32462: Fix a possible local privilege escalation via the --host option (bsc#1245274)
- CVE-2025-32463: Fix a possible local privilege escalation via chroot option (bsc#1245275)

-----------------------------------------------------------------
Advisory ID: 187
Released:    Fri Jul 18 11:07:15 2025
Summary:     Recommended update for rpm
Type:        recommended
Severity:    important
References:  1216091,1218459,1241052
This update for rpm fixes the following issues:

- fix --runposttrans not working correctly with the --root
  option [bsc#1216091]
  * added 'rpm_fixed_runposttrans' provides for libzypp

- print scriptlet messages in --runposttrans
  * needed to fix leaking tmp files [bsc#1218459]

- fix memory leak in str2locale [bsc#1241052]


-----------------------------------------------------------------
Advisory ID: 191
Released:    Mon Jul 28 16:35:09 2025
Summary:     Security update for perl
Type:        security
Severity:    important
References:  1241083,1244079,CVE-2024-56406,CVE-2025-40909
This update for perl fixes the following issues:

- CVE-2024-56406: Fixed heap buffer overflow when transliterating 
  non-ASCII bytes (bsc#1241083)
- CVE-2025-40909: Fixed a working directory race condition causing
  file operations to target unintended paths (bsc#1244079)

-----------------------------------------------------------------
Advisory ID: 192
Released:    Mon Jul 28 16:36:18 2025
Summary:     Security update for pam-config
Type:        security
Severity:    important
References:  1243226,CVE-2025-6018
This update for pam-config fixes the following issues:

- CVE-2025-6018: Stop adding pam_env in AUTH stack, and be sure to put
  this module at the very end of the SESSION stack. (bsc#1243226)

-----------------------------------------------------------------
Advisory ID: 197
Released:    Thu Jul 31 13:53:17 2025
Summary:     Recommended update for gcc14
Type:        recommended
Severity:    moderate
References:  1230262,1232526,1237442,1238491,1239566,1239938,1240788,1241549,1243991,1244050
This update for gcc14 fixes the following issues:

- Exclude shared objects present for link editing in the GCC specific
  subdirectory from provides processing via __provides_exclude_from.
  [bsc#1244050][bsc#1243991]
- Update to GCC 14.3 release, bb24b4c804f3d95b0ba95b7496, git11799
- Update to gcc-14 branch head, 3418d740b344e0ba38022f3be, git11702
- Fix build on s390x [bsc#1241549]
- Make sure link editing is done against our own shared library
  copy rather than the installed system runtime.  [bsc#1240788]
- cross-compiler builds with --enable-host-pie.
- Allow GCC executables to be built PIE.  [bsc#1239938]
- Backport -msplit-patch-nops required for user-space livepatching on powerpc.
- Also record -D_FORTIFY_SOURCE=2 in the DWARF debug info DW_AT_producer string.  [bsc#1239566]
- Disable profiling during build when %want_reproducible_builds is set
  [bsc#1238491]
- Update to gcc-14 branch head, 9ffecde121af883b60bbe60d0, git11321
  * fixes reported ICE in [bsc#1237442]
- Adjust cross compiler requirements to use %requires_ge
- Fix condition on whether to enable plugins or JIT support to
  not check sle_version which is not defined in SLFO but to check
  is_opensuse and suse_version instead.
- For cross compilers require the same or newer binutils, newlib
  or cross-glibc that was used at build time.  [bsc#1232526]
- Update to gcc-14 branch head, 4af44f2cf7d281f3e4f3957ef, git10750
  * includes libstdc++6 fix for parsing tzdata 2024b [gcc#116657]
- Fix ICE with LTO building openvino on aarch64 [bsc#1230262]

-----------------------------------------------------------------
Advisory ID: 196
Released:    Thu Jul 31 14:00:30 2025
Summary:     Security update for libgcrypt
Type:        security
Severity:    moderate
References:  1221107,CVE-2024-2236
This update for libgcrypt fixes the following issues:

- CVE-2024-2236: Fixed timing based side-channel in RSA implementation (bsc#1221107)

-----------------------------------------------------------------
Advisory ID: 198
Released:    Fri Aug  1 12:15:51 2025
Summary:     Security update for python311
Type:        security
Severity:    important
References:  1243155,1243273,1244032,1244056,1244059,1244060,1244061,1244705,CVE-2024-12718,CVE-2025-4138,CVE-2025-4330,CVE-2025-4435,CVE-2025-4516,CVE-2025-4517,CVE-2025-6069
This update for python311 fixes the following issues:

- CVE-2025-6069: Avoid worst case quadratic complexity when processing
  certain crafted malformed inputs with HTMLParser (bsc#1244705).

Update to 3.11.13:

  - Security

    - gh-135034: Fixes multiple issues that allowed tarfile
      extraction filters (filter='data' and filter='tar')
      to be bypassed using crafted symlinks and hard links.
      Addresses CVE-2024-12718 (bsc#1244056), CVE-2025-4138
      (bsc#1244059), CVE-2025-4330 (bsc#1244060), and
      CVE-2025-4517 (bsc#1244032). Also addresses CVE-2025-4435
      (gh#135034, bsc#1244061).
    - gh-133767: Fix use-after-free in the “unicode-escape”
      decoder with a non-“strict” error handler (CVE-2025-4516,
      bsc#1243273).
    - gh-128840: Short-circuit the processing of long IPv6
      addresses early in ipaddress to prevent excessive memory
      consumption and a minor denial-of-service.

  - Library

    - gh-128840: Fix parsing long IPv6 addresses with embedded
      IPv4 address.
    - gh-134062: ipaddress: fix collisions in __hash__() for
      IPv4Network and IPv6Network objects.
    - gh-123409: Fix ipaddress.IPv6Address.reverse_pointer output
      according to RFC 3596, §2.5. Patch by Bénédikt Tran.
    - bpo-43633: Improve the textual representation of
      IPv4-mapped IPv6 addresses (RFC 4291 Sections 2.2, 2.5.5.2)
      in ipaddress. Patch by Oleksandr Pavliuk.

-----------------------------------------------------------------
Advisory ID: 204
Released:    Thu Aug  7 10:06:05 2025
Summary:     Recommended update for selinux-policy
Type:        recommended
Severity:    moderate
References:  1199630,1243242
This update for selinux-policy fixes the following issues:

Update to version 20241031+git8.1f94e96d:

* Revert downstream fix for bsc#1199630 due to regression (bsc#1243242)


-----------------------------------------------------------------
Advisory ID: 205
Released:    Thu Aug  7 14:07:54 2025
Summary:     Recommended update for open-vm-tools
Type:        recommended
Severity:    moderate
References:  1245169,391434
This update for open-vm-tools fixes the following issues:

- Update to open-vm-tools 13.0.0 based on build 24696409. (bsc#1245169): 
  There are no new features in the open-vm-tools 13.0.0 release.  This is
  primarily a maintenance release that addresses a few issues, including:
  + The vm-support script has been updated to collect the open-vm-tools log
    files from the Linux guest and information from the systemd journal.
  + GitHub pull requests have been integrated and issues fixed.  Please see
    the Resolved Issues section of the Release Notes.
  For a more complete list of issues resolved in this release, see the
  Resolved Issues section of the Release Notes.
- Add patch:
  Currently the 'telinit 6' command is used to reboot a Linux VM
  following Guest OS Customization.  As the classic Linux init system,
  SysVinit, is deprecated in favor of a newer init system, systemd,
  the telinit command may not be available on the base Linux OS.
  This change adds support to Guest OS Customization for the systemd init
  system.  If the modern init system, systemd, is available, then a
  'systemctl reboot' command will be used to trigger reboot.  Otherwise,
  the 'telinit 6' command will be used assuming the traditional init
  system, SysVinit, is still available.
- Ran /usr/lib/obs/service/source_validators/helpers/fix_changelog to fix changes
  file where source validator was failing.

-----------------------------------------------------------------
Advisory ID: 206
Released:    Fri Aug  8 12:26:24 2025
Summary:     Security update for xz
Type:        security
Severity:    important
References:  1240414,CVE-2025-31115
This update for xz fixes the following issues:

- CVE-2025-31115: Fixed heap use after free and writing to an address based on the null pointer plus an offset (bsc#1240414)

-----------------------------------------------------------------
Advisory ID: 207
Released:    Fri Aug  8 12:28:13 2025
Summary:     Security update for jq
Type:        security
Severity:    important
References:  1238078,1243450,1244116,CVE-2024-23337,CVE-2024-53427,CVE-2025-48060
This update for jq fixes the following issues:

- CVE-2025-48060: Fixed stack-buffer-overflow in jq_fuzz_execute (jv_string_vfmt) (bsc#1244116)
- CVE-2024-23337: Fixed signed integer overflow in jv.c:jvp_array_write (bsc#1243450)
- CVE-2024-53427: Fixed stack-buffer-overflow in the decNumberCopy function in decNumber.c (bsc#1238078)

-----------------------------------------------------------------
Advisory ID: 215
Released:    Thu Aug 14 12:12:18 2025
Summary:     Security update for openssl-3
Type:        security
Severity:    moderate
References:  1220262,CVE-2023-50782
This update for openssl-3 fixes the following issues:

- CVE-2023-50782: Implicit rejection in PKCS#1 v1.5 (bsc#1220262)

-----------------------------------------------------------------
Advisory ID: 213
Released:    Thu Aug 14 12:19:26 2025
Summary:     Security update for libssh
Type:        security
Severity:    important
References:  1245309,1245310,1245311,1245312,1245314,1245317,CVE-2025-4877,CVE-2025-4878,CVE-2025-5318,CVE-2025-5351,CVE-2025-5372,CVE-2025-5987
This update for libssh fixes the following issues:

- CVE-2025-5372: ssh_kdf() returns a success code on certain failures (bsc#1245314)
- CVE-2025-5987: Invalid return code for chacha20 poly1305 with OpenSSL backend (bsc#1245317)
- CVE-2025-4877: Write beyond bounds in binary to base64 conversion functions (bsc#1245309)
- CVE-2025-4878: Use of uninitialized variable in privatekey_from_file() (bsc#1245310)
- CVE-2025-5318: Likely read beyond bounds in sftp server handle management (bsc#1245311)
- CVE-2025-5351: Double free in functions exporting keys (bsc#1245312)


-----------------------------------------------------------------
Advisory ID: 218
Released:    Sat Aug 16 13:46:56 2025
Summary:     Security update for systemd
Type:        security
Severity:    moderate
References:  1242827,1243935,1247074,CVE-2025-4598
This update for systemd fixes the following issues:

- Remove the script used to help migrating the language and locale settings
  located in /etc/sysconfig/language on old systems to the systemd default
  locations (bsc#1247074)

  The script was introduced more than 7 years ago and all systems running TW
  should have been migrated since then. Moreover the installer supports the
  systemd default locations since approximately SLE15. 

- triggers.systemd: skip update of hwdb, journal-catalog if executed during an
  offline update.

- logs-show: get timestamp and boot ID only when necessary (bsc#1242827)
- sd-journal: drop to use Hashmap to manage journal files per boot ID
- tree-wide: set SD_JOURNAL_ASSUME_IMMUTABLE where appropriate
- sd-journal: introduce SD_JOURNAL_ASSUME_IMMUTABLE flag
- sd-journal: make journal_file_read_tail_timestamp() notify to the caller that some new journal entries added
- sd-journal: cache last entry offset and journal file state
- sd-journal: fix typo in function name

- coredump: use %d in kernel core pattern (bsc#1243935 CVE-2025-4598)

-----------------------------------------------------------------
Advisory ID: 227
Released:    Fri Aug 22 14:33:27 2025
Summary:     Recommended update for elemental-toolkit
Type:        recommended
Severity:    moderate
References:  
This update for elemental-toolkit fixes the following issues:

- Update to v2.2.4:
    * Avoid panic when MaxSnaps is set to 0

-----------------------------------------------------------------
Advisory ID: 229
Released:    Tue Aug 26 10:49:45 2025
Summary:     Recommended update for dracut
Type:        recommended
Severity:    moderate
References:  1241114,1241680,1247819
This update for dracut fixes the following issues:

- fix (dracut-util): crash if CMDLINE ends with quotation mark (bsc#1247819)
- fix (rngd): adjust license to match the license of the whole project
- fix (dracut): kernel module name normalization in drivers lists (bsc#1241680)
- fix (dracut-init): assign real path to srcmods (bsc#1241114)

-----------------------------------------------------------------
Advisory ID: 236
Released:    Wed Aug 27 11:46:23 2025
Summary:     Security update for libxml2
Type:        security
Severity:    important
References:  1244554,1244555,1244557,1244580,1244700,1246296,CVE-2025-49794,CVE-2025-49795,CVE-2025-49796,CVE-2025-6021,CVE-2025-6170,CVE-2025-7425
This update for libxml2 fixes the following issues:

- CVE-2025-6021: Integer Overflow in xmlBuildQName() Leads to Stack Buffer Overflow in libxml2 [bsc#1244580]
- CVE-2025-6170: stack buffer overflow may lead to a crash [bsc#1244700]
- CVE-2025-7425: Heap Use-After-Free in libxslt caused by atype corruption in xmlAttrPtr [bsc#1246296]
- CVE-2025-49794: heap use after free (UAF) can lead to Denial of service (DoS) [bsc#1244554]
- CVE-2025-49795: null pointer dereference may lead to Denial of service (DoS) [bsc#1244555]
- CVE-2025-49796: type confusion may lead to Denial of service (DoS) [bsc#1244557]

-----------------------------------------------------------------
Advisory ID: 238
Released:    Thu Aug 28 17:15:06 2025
Summary:     Security update for coreutils
Type:        security
Severity:    moderate
References:  1243767,CVE-2025-5278
This update for coreutils fixes the following issues:

- CVE-2025-5278: sort with key character offsets of SIZE_MAX could induce a read of 1 byte before an allocated heap buffer (bsc#1243767).

-----------------------------------------------------------------
Advisory ID: 239
Released:    Fri Aug 29 09:49:21 2025
Summary:     Security update for libxslt
Type:        security
Severity:    important
References:  1246360,CVE-2025-7424
This update for libxslt fixes the following issues:

- CVE-2025-7424: Type confusion in xmlNode.psvi between stylesheet and source nodes [bsc#1246360]

-----------------------------------------------------------------
Advisory ID: 240
Released:    Fri Aug 29 09:50:36 2025
Summary:     Security update for polkit
Type:        security
Severity:    important
References:  1246472,CVE-2025-7519
This update for polkit fixes the following issues:

- CVE-2025-7519: Fixed an issue where an XML policy file with a large number of nested elements may lead to an out-of-bounds write (bsc#1246472).


The following package changes have been done:

- glibc-2.38-slfo.1.1_4.1 updated
- liblzma5-5.4.3-slfo.1.1_2.1 updated
- libgcc_s1-14.3.0+git11799-slfo.1.1_1.1 updated
- libxml2-2-2.11.6-slfo.1.1_6.1 updated
- libopenssl3-3.1.4-slfo.1.1_6.1 updated
- libgcrypt20-1.10.3-slfo.1.1_2.1 updated
- libstdc++6-14.3.0+git11799-slfo.1.1_1.1 updated
- perl-base-5.38.2-slfo.1.1_2.1 updated
- libudev1-254.27-slfo.1.1_1.1 updated
- libsystemd0-254.27-slfo.1.1_1.1 updated
- xz-5.4.3-slfo.1.1_2.1 updated
- coreutils-9.4-slfo.1.1_2.1 updated
- rpm-4.18.0-slfo.1.1_2.1 updated
- pam-1.6.1-slfo.1.1_3.1 updated
- pam-config-2.11+git.20240906-slfo.1.1_2.1 updated
- SL-Micro-release-6.1-slfo.1.11.53 updated
- systemd-254.27-slfo.1.1_1.1 updated
- udev-254.27-slfo.1.1_1.1 updated
- dracut-059+suse.639.g19f24feb-slfo.1.1_1.1 updated
- libglib-2_0-0-2.78.6-slfo.1.1_3.1 updated
- libsqlite3-0-3.49.1-slfo.1.1_1.1 updated
- libssh-config-0.10.6-slfo.1.1_2.1 updated
- libgobject-2_0-0-2.78.6-slfo.1.1_3.1 updated
- libgmodule-2_0-0-2.78.6-slfo.1.1_3.1 updated
- libgio-2_0-0-2.78.6-slfo.1.1_3.1 updated
- glib2-tools-2.78.6-slfo.1.1_3.1 updated
- libssh4-0.10.6-slfo.1.1_2.1 updated
- elemental-register-1.7.3-slfo.1.1_1.1 updated
- elemental-support-1.7.3-slfo.1.1_1.1 updated
- elemental-updater-2.2.1-slfo.1.1_1.1 updated
- glibc-locale-base-2.38-slfo.1.1_4.1 updated
- gptfdisk-1.0.9-slfo.1.1_2.1 updated
- elemental-toolkit-2.2.4-slfo.1.1_1.1 updated
- elemental-2.2.1-slfo.1.1_1.1 updated
- gpg2-2.4.4-slfo.1.1_5.1 updated
- libxslt1-1.1.38-slfo.1.1_4.1 updated
- sudo-1.9.15p5-slfo.1.1_2.1 updated
- libpolkit-gobject-1-0-121-slfo.1.1_2.1 updated
- libpolkit-agent-1-0-121-slfo.1.1_2.1 updated
- polkit-121-slfo.1.1_2.1 updated
- python311-base-3.11.13-slfo.1.1_1.1 updated
- libpython3_11-1_0-3.11.13-slfo.1.1_1.1 updated
- libjq1-1.7.1-slfo.1.1_2.1 updated
- less-668-slfo.1.1_1.1 updated
- perl-5.38.2-slfo.1.1_2.1 updated
- python311-3.11.13-slfo.1.1_1.1 updated
- jq-1.7.1-slfo.1.1_2.1 updated
- lsof-4.99.4-slfo.1.1_1.1 updated
- libvmtools0-13.0.0-slfo.1.1_1.1 updated
- python311-setuptools-70.0.0-slfo.1.1_2.1 updated
- open-vm-tools-13.0.0-slfo.1.1_1.1 updated
- selinux-policy-20241031+git8.1f94e96d-slfo.1.1_1.1 updated
- selinux-policy-targeted-20241031+git8.1f94e96d-slfo.1.1_1.1 updated
- container:SL-Micro-base-container-2.2.1-5.27 updated

