SUSE-CU-2025:6954-1: Security update of suse/sle-micro/5.2/toolbox

sle-container-updates at lists.suse.com sle-container-updates at lists.suse.com
Fri Sep 19 12:41:31 UTC 2025 

SUSE Container Update Advisory: suse/sle-micro/5.2/toolbox
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2025:6954-1
Container Tags        : suse/sle-micro/5.2/toolbox:14.2 , suse/sle-micro/5.2/toolbox:14.2-7.11.174 , suse/sle-micro/5.2/toolbox:latest
Container Release     : 7.11.174
Severity              : important
Type                  : security
References            : 1175825 1246197 1249191 1249348 1249367 CVE-2020-8927 CVE-2025-10148
                        CVE-2025-9086 
-----------------------------------------------------------------

The container suse/sle-micro/5.2/toolbox was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:3942-1
Released:    Mon Dec  6 14:46:05 2021
Summary:     Security update for brotli
Type:        security
Severity:    moderate
References:  1175825,CVE-2020-8927
This update for brotli fixes the following issues:

- CVE-2020-8927: Fixed integer overflow when input chunk is larger than 2GiB (bsc#1175825).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2025:3265-1
Released:    Thu Sep 18 12:34:39 2025
Summary:     Recommended update for container-suseconnect
Type:        recommended
Severity:    moderate
References:  

This update of container-suseconnect rebuilds it against current go1.25.

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:3268-1
Released:    Thu Sep 18 13:08:10 2025
Summary:     Security update for curl
Type:        security
Severity:    important
References:  1246197,1249191,1249348,1249367,CVE-2025-10148,CVE-2025-9086
This update for curl fixes the following issues:

Security issues fixed:

- CVE-2025-9086: bug in patch comparison logic when processing cookies can lead to out-of-bounds read in heap buffer
  (bsc#1249191).
- CVE-2025-10148: predictable websocket mask can lead to proxy cache poisoning by malicious server (bsc#1249348).
    
Other issues fixed:
    
- Fix the --ftp-pasv option in curl v8.14.1 (bsc#1246197).
  * tool_getparam: fix --ftp-pasv [5f805ee]

- Update to version 8.14.1 (jsc#PED-13055, jsc#PED-13056).
  * TLS: add CURLOPT_SSL_SIGNATURE_ALGORITHMS and --sigalgs.
  * websocket: add option to disable auto-pong reply.
  * huge number of bugfixes.

  Please see https://curl.se/ch/ for full changelogs.



The following package changes have been done:

- container-suseconnect-2.5.5-150000.4.71.1 updated
- curl-8.14.1-150200.4.91.1 updated
- libbrotlicommon1-1.0.7-150200.3.5.1 added
- libbrotlidec1-1.0.7-150200.3.5.1 added
- libcurl4-8.14.1-150200.4.91.1 updated

More information about the sle-container-updates mailing list