SUSE-CU-2025:6755-1: Security update of rancher/seedimage-builder
sle-container-updates at lists.suse.com
Tue Sep 9 07:04:19 UTC 2025
SUSE Container Update Advisory: rancher/seedimage-builder
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2025:6755-1
Container Tags : rancher/seedimage-builder:1.6.9 , rancher/seedimage-builder:1.6.9-8.43 , rancher/seedimage-builder:latest
Container Release : 8.43
Severity : important
Type : security
References : 1216091 1218459 1221107 1229163 1229164 1233606 1233608 1233609
1233610 1233612 1233613 1233614 1233615 1233616 1233617 1234958
1234959 1236136 1236136 1236177 1236316 1236317 1237002 1237006
1237008 1237009 1237010 1237011 1237012 1237013 1237014 1237496
1239674 1240366 1240414 1241052 1241190 1242827 1242938 1242971
1242987 1243226 1243767 1243935 1244079 1244509 1244554 1244555
1244557 1244580 1244700 1245309 1245310 1245311 1245312 1245314
1245317 1246296 1247074 CVE-2024-13176 CVE-2024-13176 CVE-2024-2236
CVE-2024-45774 CVE-2024-45775 CVE-2024-45776 CVE-2024-45777 CVE-2024-45778
CVE-2024-45779 CVE-2024-45780 CVE-2024-45781 CVE-2024-45782 CVE-2024-45783
CVE-2024-49504 CVE-2024-56737 CVE-2024-56738 CVE-2025-0622 CVE-2025-0624
CVE-2025-0677 CVE-2025-0678 CVE-2025-0684 CVE-2025-0685 CVE-2025-0686
CVE-2025-0689 CVE-2025-0690 CVE-2025-1118 CVE-2025-1125 CVE-2025-27587
CVE-2025-31115 CVE-2025-40909 CVE-2025-4382 CVE-2025-4598 CVE-2025-4598
CVE-2025-4877 CVE-2025-4878 CVE-2025-49794 CVE-2025-49795 CVE-2025-49796
CVE-2025-5278 CVE-2025-5318 CVE-2025-5351 CVE-2025-5372 CVE-2025-5987
CVE-2025-6018 CVE-2025-6020 CVE-2025-6021 CVE-2025-6170 CVE-2025-7425
-----------------------------------------------------------------
The container rancher/seedimage-builder was updated. The following patches have been included in this update:
-----------------------------------------------------------------
Advisory ID: 352
Released: Thu Jun 12 09:16:56 2025
Summary: Security update for systemd
Type: security
Severity: moderate
References: 1236177,1237496,1241190,1242938,CVE-2025-4598
This update for systemd fixes the following issues:
- coredump: use %d in kernel core pattern (CVE-2025-4598)
- Revert 'macro: terminate the temporary VA_ARGS_FOREACH() array with a sentinel' (SUSE specific)
- umount: do not move busy network mounts (bsc#1236177)
- man/pstore.conf: pstore.conf template is not always installed in /etc
- man: coredump.conf template is not always installed in /etc (bsc#1237496)
- Don't write messages sent from users with UID falling into the container UID
range to the system journal. Daemons in the container don't talk to the
outside journald as they talk to the inner one directly, which does its
journal splitting based on shifted uids. (bsc#1242938)
- This re-adds back the support for the persistent net name rules as well as
their generator since predictable naming scheme is still disabled by default
on Micro (via the `net.ifnames=0` boot option). (bsc#1241190)
-----------------------------------------------------------------
Advisory ID: 353
Released: Fri Jun 13 13:05:04 2025
Summary: Security update for openssl-3
Type: security
Severity: moderate
References: 1236136,1240366,CVE-2024-13176,CVE-2025-27587
This update for openssl-3 fixes the following issues:
- CVE-2025-27587: Fixed Minerva side channel vulnerability in P-384 on PPC arch (bsc#1240366)
- CVE-2024-13176: Fixed timing side-channel in the ECDSA signature computation (bsc#1236136)
-----------------------------------------------------------------
Advisory ID: 361
Released: Thu Jun 19 10:49:31 2025
Summary: Security update for pam
Type: security
Severity: important
References: 1244509,CVE-2025-6020
This update for pam fixes the following issues:
- CVE-2025-6020: pam_namespace: convert functions that may operate
on a user-controlled path to operate on file descriptors instead of
absolute paths, and keep the bind-mount protection from protect_mount()
as a defense-in-depth measure. (bsc#1244509)
-----------------------------------------------------------------
Advisory ID: 372
Released: Tue Jul 1 13:42:56 2025
Summary: Security update for perl
Type: security
Severity: moderate
References: 1244079,CVE-2025-40909
This update for perl fixes the following issues:
- CVE-2025-40909: Fixed a working directory race condition causing
file operations to target unintended paths (bsc#1244079)
-----------------------------------------------------------------
Advisory ID: 373
Released: Thu Jul 3 12:28:04 2025
Summary: Security update for openssl-3
Type: security
Severity: moderate
References: 1236136,CVE-2024-13176
This update for openssl-3 fixes the following issues:
- CVE-2024-13176: Fixed timing side-channel in the ECDSA signature computation (bsc#1236136)
-----------------------------------------------------------------
Advisory ID: 375
Released: Fri Jul 4 16:18:40 2025
Summary: Recommended update for gptfdisk
Type: recommended
Severity: moderate
References: 1242987
This update for gptfdisk fixes the following issues:
- Fixed boot failure with qcow and vmdk images (bsc#1242987)
-----------------------------------------------------------------
Advisory ID: 381
Released: Fri Jul 11 11:20:30 2025
Summary: Security update for libgcrypt
Type: security
Severity: moderate
References: 1221107,CVE-2024-2236
This update for libgcrypt fixes the following issues:
- CVE-2024-2236: Fixed timing based side-channel in RSA implementation (bsc#1221107)
-----------------------------------------------------------------
Advisory ID: 388
Released: Mon Jul 21 11:01:26 2025
Summary: Recommended update for rpm
Type: recommended
Severity: important
References: 1216091,1218459,1241052
This update for rpm fixes the following issues:
- fix --runposttrans not working correctly with the --root
option [bsc#1216091]
* added 'rpm_fixed_runposttrans' provides for libzypp
- print scriptlet messages in --runposttrans
* needed to fix leaking tmp files [bsc#1218459]
- fix memory leak in str2locale [bsc#1241052]
-----------------------------------------------------------------
Advisory ID: 399
Released: Tue Jul 29 10:20:21 2025
Summary: Security update for grub2
Type: security
Severity: important
References: 1229163,1229164,1233606,1233608,1233609,1233610,1233612,1233613,1233614,1233615,1233616,1233617,1234958,1236316,1236317,1237002,1237006,1237008,1237009,1237010,1237011,1237012,1237013,1237014,1239674,1242971,CVE-2024-45774,CVE-2024-45775,CVE-2024-45776,CVE-2024-45777,CVE-2024-45778,CVE-2024-45779,CVE-2024-45780,CVE-2024-45781,CVE-2024-45782,CVE-2024-45783,CVE-2024-49504,CVE-2024-56737,CVE-2025-0622,CVE-2025-0624,CVE-2025-0677,CVE-2025-0678,CVE-2025-0684,CVE-2025-0685,CVE-2025-0686,CVE-2025-0689,CVE-2025-0690,CVE-2025-1118,CVE-2025-1125,CVE-2025-4382
This update for grub2 fixes the following issues:
- CVE-2025-4382: Fixed TPM auto-decryption data exposure (bsc#1242971)
- Filter out the non-subvolume btrfs mount points when creating the
relative path (bsc#1239674)
- CVE-2024-45781: Fixed ufs strcpy overflow (bsc#1233617)
- CVE-2024-56737: Fixed heap-based buffer overflow in fs/hfs.c via
crafted sblock data in an HFS filesystem (bsc#1234958)
- CVE-2024-45782: Fixed hfs strcpy overflow (bsc#1233615)
- CVE-2024-45780: Fixed overflow in tar/cpio (bsc#1233614)
- CVE-2024-45783: Fixed hfsplus refcount overflow (bsc#1233616)
- CVE-2025-0624: Fixed out-of-bounds write in grub_net_search_config_file() (bsc#1236316)
- CVE-2024-45774: Fixed heap overflows in JPEG parser (bsc#1233609)
- CVE-2024-45775: Fixed missing NULL check in extcmd parser (bsc#1233610)
- CVE-2025-0622: Fixed command/gpg: Use-after-free due to hooks not being removed on module unload (bsc#1236317)
- CVE-2024-45776: Fixed overflow in .MO file (gettext) handling (bsc#1233612)
- CVE-2024-45777: Fixed integer overflow in gettext (bsc#1233613)
- CVE-2025-0690: Fixed integer overflow in read that may lead to out-of-bounds write (bsc#1237012)
- CVE-2025-1118: Fixed commands/dump: The dump command is not in lockdown when secure boot is enabled (bsc#1237013)
- CVE-2024-45778: Fixed bfs filesystem not fuzzing stable (bsc#1233606)
- CVE-2024-45779: Fixed bfs heap overflow (bsc#1233608)
- CVE-2025-0677: Fixed integer overflow that may lead to heap based
out-of-bounds write when handling symlinks in ufs (bsc#1237002)
- CVE-2025-0684: Fixed reiserfs: Integer overflow when handling symlinks
may lead to heap based out-of-bounds write when reading data (bsc#1237008)
- CVE-2025-0685: Fixed jfs: Integer overflow when handling symlinks may
lead to heap based out-of-bounds write when reading data (bsc#1237009)
- CVE-2025-0686: Fixed romfs: Integer overflow when handling symlinks
may lead to heap based out-of-bounds write when reading data (bsc#1237010)
- CVE-2025-0689: Fixed udf: Heap based buffer overflow in
grub_udf_read_block() may lead to arbitrary code execution (bsc#1237011)
- CVE-2025-1125: Fixed fs/hfs: Integer overflow may lead to heap based out-of-bounds write (bsc#1237014)
- CVE-2025-0678: Fixed squash4: Integer overflow may lead to heap based out-of-bounds write when reading data (bsc#1237006)
- Bump upstream SBAT generation to 5 to block older grub2 versions.
- CVE-2024-49504: Fixed Bypassing TPM-bound disk encryption on SL(E)M encrypted Images (bsc#1229163) (bsc#1229164)
- Restrict CLI access if the encrypted root device is automatically unlocked by
the TPM. LUKS password authentication is required for access to be granted
- Obsolete, as CLI access is now locked and granted access no longer requires
the previous restrictions
-----------------------------------------------------------------
Advisory ID: 401
Released: Tue Jul 29 16:09:33 2025
Summary: Security update for pam-config
Type: security
Severity: important
References: 1243226,CVE-2025-6018
This update for pam-config fixes the following issues:
- CVE-2025-6018: Stop adding pam_env to the AUTH stack, and make sure this module is placed at the
very end of the SESSION stack. (bsc#1243226)
-----------------------------------------------------------------
Advisory ID: 405
Released: Thu Jul 31 11:41:53 2025
Summary: Security update for coreutils
Type: security
Severity: moderate
References: 1243767,CVE-2025-5278
This update for coreutils fixes the following issues:
- CVE-2025-5278: Fixed heap buffer under-read leading to a
crash or leak of sensitive data (bsc#1243767)
-----------------------------------------------------------------
Advisory ID: 412
Released: Fri Aug 8 12:14:29 2025
Summary: Security update for xz
Type: security
Severity: important
References: 1240414,CVE-2025-31115
This update for xz fixes the following issues:
- CVE-2025-31115: Fixed heap use after free and writing to an address based on the null pointer plus an offset (bsc#1240414)
-----------------------------------------------------------------
Advisory ID: 416
Released: Tue Aug 12 16:05:24 2025
Summary: Security update for systemd
Type: security
Severity: moderate
References: 1242827,1243935,1247074,CVE-2025-4598
This update for systemd fixes the following issues:
- Remove the script used to help migrating the language and locale settings
located in /etc/sysconfig/language on old systems to the systemd default
locations (bsc#1247074)
The script was introduced more than 7 years ago and all systems running TW
should have been migrated since then. Moreover the installer supports the
systemd default locations since approximately SLE15.
- triggers.systemd: skip update of hwdb, journal-catalog if executed during an
offline update.
- logs-show: get timestamp and boot ID only when necessary (bsc#1242827)
- sd-journal: drop to use Hashmap to manage journal files per boot ID
- tree-wide: set SD_JOURNAL_ASSUME_IMMUTABLE where appropriate
- sd-journal: introduce SD_JOURNAL_ASSUME_IMMUTABLE flag
- sd-journal: make journal_file_read_tail_timestamp() notify to the caller that some new journal entries added
- sd-journal: cache last entry offset and journal file state
- sd-journal: fix typo in function name
- coredump: use %d in kernel core pattern (bsc#1243935 CVE-2025-4598)
-----------------------------------------------------------------
Advisory ID: 419
Released: Thu Aug 14 11:26:49 2025
Summary: Security update for libssh
Type: security
Severity: important
References: 1245309,1245310,1245311,1245312,1245314,1245317,CVE-2025-4877,CVE-2025-4878,CVE-2025-5318,CVE-2025-5351,CVE-2025-5372,CVE-2025-5987
This update for libssh fixes the following issues:
- CVE-2025-5372: ssh_kdf() returns a success code on certain failures (bsc#1245314)
- CVE-2025-5987: Invalid return code for chacha20 poly1305 with OpenSSL backend (bsc#1245317)
- CVE-2025-4877: Write beyond bounds in binary to base64 conversion functions (bsc#1245309)
- CVE-2025-4878: Use of uninitialized variable in privatekey_from_file() (bsc#1245310)
- CVE-2025-5318: Likely read beyond bounds in sftp server handle management (bsc#1245311)
- CVE-2025-5351: Double free in functions exporting keys (bsc#1245312)
-----------------------------------------------------------------
Advisory ID: 429
Released: Thu Aug 21 10:01:26 2025
Summary: Security update for libxml2
Type: security
Severity: important
References: 1244554,1244555,1244557,1244580,1244700,1246296,CVE-2025-49794,CVE-2025-49795,CVE-2025-49796,CVE-2025-6021,CVE-2025-6170,CVE-2025-7425
This update for libxml2 fixes the following issues:
- CVE-2025-6021: Integer Overflow in xmlBuildQName() Leads to Stack Buffer Overflow in libxml2 [bsc#1244580]
- CVE-2025-6170: stack buffer overflow may lead to a crash [bsc#1244700]
- CVE-2025-7425: Heap Use-After-Free in libxslt caused by atype corruption in xmlAttrPtr [bsc#1246296]
- CVE-2025-49794: heap use after free (UAF) can lead to Denial of service (DoS) [bsc#1244554]
- CVE-2025-49795: null pointer dereference may lead to Denial of service (DoS) [bsc#1244555]
- CVE-2025-49796: type confusion may lead to Denial of service (DoS) [bsc#1244557]
-----------------------------------------------------------------
Advisory ID: 445
Released: Fri Sep 5 14:57:04 2025
Summary: Security update for grub2
Type: security
Severity: moderate
References: 1234959,CVE-2024-56738
This update for grub2 fixes the following issues:
- CVE-2024-56738: Side-channel attack due to non-constant-time algorithm in grub_crypto_memcmp (bsc#1234959).
The following package changes have been done:
- boost-license1_84_0-1.84.0-1.4 updated
- btrfsprogs-udev-rules-6.1.3-6.19 updated
- compat-usrmerge-tools-84.87-3.1 updated
- crypto-policies-20230920.570ea89-1.50 updated
- elemental-httpfy-1.6.9-1.1 updated
- elemental-seedimage-hooks-1.6.9-1.1 updated
- file-magic-5.44-4.151 added
- kbd-legacy-2.6.4-1.3 added
- libsemanage-conf-3.5-3.1 updated
- libssh-config-0.10.6-2.1 updated
- pkgconf-m4-1.8.0-2.205 updated
- system-user-root-20190513-2.208 updated
- filesystem-84.87-5.2 updated
- glibc-2.38-9.1 updated
- libzstd1-1.5.5-8.142 updated
- libz1-1.2.13-6.138 updated
- libxxhash0-0.8.1-2.194 updated
- libverto1-0.3.2-12.5 updated
- libuuid1-2.39.3-3.1 updated
- liburcu8-0.14.0-2.8 updated
- libunistring5-1.1-3.1 updated
- libtextstyle0-0.21.1-6.1 updated
- libtasn1-6-4.19.0-4.1 updated
- libsmartcols1-2.39.3-3.1 updated
- libsepol2-3.5-3.1 updated
- libseccomp2-2.5.4-3.1 updated
- libsasl2-3-2.1.28-5.7 updated
- libpopt0-1.19-2.184 updated
- libpkgconf3-1.8.0-2.205 updated
- libpcre2-8-0-10.42-2.179 updated
- libparted-fs-resize0-3.5-2.11 updated
- libnss_usrfiles2-2.27-3.1 updated
- libnghttp2-14-1.52.0-5.1 updated
- liblzo2-2-2.10-3.1 updated
- liblzma5-5.4.3-5.1 updated
- liblz4-1-1.9.4-4.1 updated
- liblua5_4-5-5.4.6-1.68 updated
- libkeyutils1-1.6.3-3.1 updated
- libjson-c5-0.16-3.1 updated
- libjitterentropy3-3.4.1-3.1 updated
- libip4tc2-1.8.9-4.1 updated
- libgpg-error0-1.47-4.136 updated
- libgmp10-6.3.0-1.119 updated
- libgcc_s1-13.3.0+git8781-2.1 updated
- libfuse2-2.9.9-3.1 updated
- libffi8-3.4.4-3.1 updated
- libexpat1-2.7.1-1.1 updated
- libeconf0-0.6.1-1.13 updated
- libcrypt1-4.4.36-1.134 updated
- libcom_err2-1.47.0-3.1 updated
- libcap2-2.69-2.83 updated
- libcap-ng0-0.8.3-4.1 updated
- libbz2-1-1.0.8-3.1 updated
- libburn4-1.5.4-1.9 updated
- libbtrfsutil1-6.1.3-6.19 updated
- libbtrfs0-6.1.3-6.19 updated
- libbrotlicommon1-1.1.0-1.6 updated
- libblkid1-2.39.3-3.1 updated
- libaudit1-3.0.9-4.1 updated
- libattr1-2.5.1-3.1 updated
- libargon2-1-20190702-3.1 updated
- libalternatives1-1.2+30.a5431e9-3.1 updated
- libaio1-0.3.113-3.1 updated
- libacl1-2.3.1-3.1 updated
- fillup-1.42-3.1 updated
- dosfstools-4.2-2.9 updated
- diffutils-3.10-2.101 updated
- libpng16-16-1.6.43-1.1 updated
- libidn2-0-2.3.4-3.1 updated
- pkgconf-1.8.0-2.205 updated
- libselinux1-3.5-3.1 updated
- netcfg-11.6-4.42 updated
- libxml2-2-2.11.6-10.1 updated
- squashfs-4.6.1-3.7 updated
- libgcrypt20-1.10.3-2.1 updated
- libstdc++6-13.3.0+git8781-2.1 updated
- libp11-kit0-0.25.3-1.6 updated
- perl-base-5.38.2-4.1 updated
- libext2fs2-1.47.0-3.1 updated
- libudev1-254.27-1.1 updated
- chkstat-1600_20240206-1.8 updated
- libzio1-1.08-3.1 updated
- libmagic1-5.44-4.151 added
- libjte2-1.22-1.8 updated
- libbrotlidec1-1.1.0-1.6 updated
- libfdisk1-2.39.3-3.1 updated
- alts-1.2+30.a5431e9-3.1 updated
- libpsl5-0.21.2-3.1 updated
- sed-4.9-2.9 updated
- libsubid4-4.15.1-1.1 updated
- libsemanage2-3.5-3.1 updated
- libmount1-2.39.3-3.1 updated
- findutils-4.9.0-4.1 updated
- libsystemd0-254.27-1.1 updated
- libncurses6-6.4.20240224-10.2 updated
- terminfo-base-6.4.20240224-10.2 updated
- libinih0-56-3.1 updated
- libboost_thread1_84_0-1.84.0-1.4 updated
- p11-kit-0.25.3-1.6 updated
- p11-kit-tools-0.25.3-1.6 updated
- libisofs6-1.5.4-1.9 updated
- libfreetype6-2.13.3-1.1 updated
- ncurses-utils-6.4.20240224-10.2 updated
- libreadline8-8.2-2.180 updated
- libedit0-20210910.3.1-9.169 updated
- gptfdisk-1.0.9-4.1 updated
- libisoburn1-1.5.4-1.9 updated
- bash-5.2.15-3.1 updated
- bash-sh-5.2.15-3.1 updated
- xz-5.4.3-5.1 updated
- systemd-default-settings-branding-openSUSE-0.7-2.4 updated
- systemd-default-settings-0.7-2.4 updated
- pkgconf-pkg-config-1.8.0-2.205 updated
- login_defs-4.15.1-1.1 updated
- libdevmapper1_03-2.03.22_1.02.196-1.8 updated
- gzip-1.13-1.50 updated
- grep-3.11-4.8 updated
- gettext-runtime-0.21.1-6.1 updated
- coreutils-9.4-5.1 updated
- ALP-dummy-release-0.1-8.67 updated
- libparted2-3.5-2.11 updated
- libdevmapper-event1_03-2.03.22_1.02.196-1.8 updated
- info-7.0.3-4.1 updated
- xfsprogs-6.5.0-1.9 updated
- thin-provisioning-tools-0.9.0-2.10 updated
- systemd-rpm-macros-24-1.205 updated
- systemd-presets-common-SUSE-15-5.1 updated
- rpm-config-SUSE-20240214-1.1 updated
- rpm-4.18.0-7.1 updated
- permissions-config-1600_20240206-1.8 updated
- glibc-locale-base-2.38-9.1 updated
- e2fsprogs-1.47.0-3.1 updated
- ca-certificates-2+git20230406.2dae8b7-3.1 updated
- ca-certificates-mozilla-2.74-1.1 updated
- btrfsprogs-6.1.3-6.19 updated
- parted-3.5-2.11 updated
- liblvm2cmd2_03-2.03.22-1.8 updated
- xorriso-1.5.4-1.9 updated
- device-mapper-2.03.22_1.02.196-1.8 updated
- systemd-presets-branding-ALP-transactional-20230214-3.1 updated
- permissions-1600_20240206-1.8 updated
- mtools-4.0.43-4.9 updated
- libopenssl3-3.1.4-9.1 updated
- pam-1.6.0-5.1 updated
- grub2-2.12~rc1-7.1 updated
- grub2-i386-pc-2.12~rc1-7.1 updated
- suse-module-tools-16.0.43-1.1 updated
- kmod-30-10.56 updated
- rsync-3.2.7-4.1 updated
- libldap2-2.6.4-4.12 updated
- libkmod2-30-10.56 updated
- libcryptsetup12-2.6.1-4.13 updated
- krb5-1.20.1-6.1 updated
- util-linux-2.39.3-3.1 updated
- shadow-4.15.1-1.1 updated
- pam-config-2.11-2.1 updated
- kbd-2.6.4-1.3 updated
- libssh4-0.10.6-2.1 updated
- libsnapper7-0.10.5-2.10 updated
- aaa_base-84.87+git20230815.cab7b44-1.8 updated
- libcurl4-8.6.0-6.1 updated
- dbus-1-daemon-1.14.10-1.11 updated
- curl-8.6.0-6.1 updated
- dbus-1-tools-1.14.10-1.11 updated
- systemd-254.27-1.1 updated
- sysuser-shadow-3.1-2.197 updated
- dbus-1-common-1.14.10-1.11 updated
- libdbus-1-3-1.14.10-1.11 updated
- dbus-1-1.14.10-1.11 updated
- system-group-kvm-20170617-2.197 updated
- system-group-hardware-20170617-2.197 updated
- udev-254.27-1.1 updated
- snapper-0.10.5-2.10 updated
- lvm2-2.03.22-1.8 updated
- elemental-toolkit-2.1.3-1.1 updated
- container:suse-toolbox-image-1.0.0-9.31 updated