SUSE-CU-2025:6946-1: Security update of suse/sle-micro/5.5/toolbox

sle-container-updates at lists.suse.com sle-container-updates at lists.suse.com
Fri Sep 19 12:27:27 UTC 2025 

SUSE Container Update Advisory: suse/sle-micro/5.5/toolbox
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2025:6946-1
Container Tags        : suse/sle-micro/5.5/toolbox:14.2 , suse/sle-micro/5.5/toolbox:14.2-3.12.89 , suse/sle-micro/5.5/toolbox:latest
Container Release     : 3.12.89
Severity              : important
Type                  : security
References            : 1241219 1246197 1246197 1249191 1249191 1249348 1249348 1249367
                        1249367 CVE-2025-10148 CVE-2025-10148 CVE-2025-3576 CVE-2025-9086
                        CVE-2025-9086 
-----------------------------------------------------------------

The container suse/sle-micro/5.5/toolbox was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2025:3265-1
Released:    Thu Sep 18 12:34:39 2025
Summary:     Recommended update for container-suseconnect
Type:        recommended
Severity:    moderate
References:  

This update of container-suseconnect rebuilds it against current go1.25.

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:3267-1
Released:    Thu Sep 18 13:05:51 2025
Summary:     Security update for curl
Type:        security
Severity:    important
References:  1246197,1249191,1249348,1249367,CVE-2025-10148,CVE-2025-9086
This update for curl fixes the following issues:

Security issues fixed:

- CVE-2025-9086: bug in patch comparison logic when processing cookies can lead to out-of-bounds read in heap buffer
  (bsc#1249191).
- CVE-2025-10148: predictable websocket mask can lead to proxy cache poisoning by malicious server (bsc#1249348).
    
Other issues fixed:
    
- Fix the --ftp-pasv option in curl v8.14.1 (bsc#1246197).
  * tool_getparam: fix --ftp-pasv [5f805ee]

- Update to version 8.14.1 (jsc#PED-13055, jsc#PED-13056).
  * TLS: add CURLOPT_SSL_SIGNATURE_ALGORITHMS and --sigalgs.
  * websocket: add option to disable auto-pong reply.
  * huge number of bugfixes.

  Please see https://curl.se/ch/ for full changelogs.

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:3268-1
Released:    Thu Sep 18 13:08:10 2025
Summary:     Security update for curl
Type:        security
Severity:    important
References:  1246197,1249191,1249348,1249367,CVE-2025-10148,CVE-2025-9086
This update for curl fixes the following issues:

Security issues fixed:

- CVE-2025-9086: bug in patch comparison logic when processing cookies can lead to out-of-bounds read in heap buffer
  (bsc#1249191).
- CVE-2025-10148: predictable websocket mask can lead to proxy cache poisoning by malicious server (bsc#1249348).
    
Other issues fixed:
    
- Fix the --ftp-pasv option in curl v8.14.1 (bsc#1246197).
  * tool_getparam: fix --ftp-pasv [5f805ee]

- Update to version 8.14.1 (jsc#PED-13055, jsc#PED-13056).
  * TLS: add CURLOPT_SSL_SIGNATURE_ALGORITHMS and --sigalgs.
  * websocket: add option to disable auto-pong reply.
  * huge number of bugfixes.

  Please see https://curl.se/ch/ for full changelogs.


-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:3270-1
Released:    Thu Sep 18 13:18:05 2025
Summary:     Security update for krb5
Type:        security
Severity:    moderate
References:  1241219,CVE-2025-3576
This update for krb5 fixes the following issues:

- CVE-2025-3576: weakness in the MD5 checksum design allows for spoofing of GSSAPI-protected messages that are using
  RC4-HMAC-MD5 (bsc#1241219).

Krb5 as very old protocol supported quite a number of ciphers
that are not longer up to current cryptographic standards.

To avoid problems with those, SUSE has by default now disabled
those alorithms.

The following algorithms have been removed from valid krb5 enctypes:

- des3-cbc-sha1
- arcfour-hmac-md5

To reenable those algorithms, you can use allow options in krb5.conf:

[libdefaults]
allow_des3 = true
allow_rc4 = true

to reenable them.



The following package changes have been done:

- container-suseconnect-2.5.5-150000.4.71.1 updated
- curl-8.14.1-150400.5.69.1 updated
- krb5-1.20.1-150500.3.17.1 updated
- libbrotlicommon1-1.0.7-150200.3.5.1 updated
- libbrotlidec1-1.0.7-150200.3.5.1 updated
- libcurl4-8.14.1-150400.5.69.1 updated

More information about the sle-container-updates mailing list