SUSE-CU-2025:7011-1: Security update of bci/golang

sle-container-updates at lists.suse.com
Mon Sep 22 15:41:27 UTC 2025


SUSE Container Update Advisory: bci/golang
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2025:7011-1
Container Tags        : bci/golang:1.25, bci/golang:1.25.1, bci/golang:1.25.1-1.71.10, bci/golang:latest, bci/golang:stable, bci/golang:stable-1.71.10
Container Release     : 71.10
Severity              : important
Type                  : security
References            : 1239618 1246197 1249191 1249348 1249367 CVE-2024-8176 CVE-2025-10148 CVE-2025-9086
-----------------------------------------------------------------

The container bci/golang was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:3239-1
Released:    Tue Sep 16 19:04:00 2025
Summary:     Security update for expat
Type:        security
Severity:    important
References:  1239618,CVE-2024-8176
This update for expat fixes the following issues:

expat was updated to version 2.7.1:

- Bug fixes:
  - Restore event pointer behavior from Expat 2.6.4
    (that the fix to CVE-2024-8176 changed in 2.7.0);
    affected API functions are:
    - XML_GetCurrentByteCount
    - XML_GetCurrentByteIndex
    - XML_GetCurrentColumnNumber
    - XML_GetCurrentLineNumber
    - XML_GetInputContext
- Other changes:
  - Fix printf format specifiers for 32bit Emscripten
  - docs: Promote OpenSSF Best Practices self-certification
  - tests/benchmark: Resolve mistaken double close
  - Address compiler warnings
  - Version info bumped from 11:1:10 (libexpat*.so.1.10.1)
    to 11:2:10 (libexpat*.so.1.10.2); see https://verbump.de/
    for what these numbers do

Version update to 2.7.0 (CVE-2024-8176, bsc#1239618, jsc#PED-12507)

* Security fixes:

- CVE-2024-8176 -- Fix crash from chaining a large number of
  entities caused by stack overflow by resolving use of recursion,
  for all three uses of entities:
  - general entities in character data ('<e>&g1;</e>')
  - general entities in attribute values ('<e k1='&g1;'/>')
  - parameter entities ('%p1;')

  Known impact is (reliable and easy) denial of service:
  CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:H/RL:O/RC:C
  (Base Score: 7.5, Temporal Score: 7.2)
  Please note that a layer of compression around XML can
  significantly reduce the minimum attack payload size.

* Other changes:
  - docs: Add missing documentation of error code XML_ERROR_NOT_STARTED
    that was introduced with 2.6.4
  - docs: Document need for C++11 compiler for use from C++
  - Address Cppcheck warnings
  - Mass-migrate links from http:// to https://
  - Document changes since the previous release
  - Version info bumped from 11:0:10 (libexpat*.so.1.10.0)
    to 11:1:10 (libexpat*.so.1.10.1); see https://verbump.de/
    for what these numbers do

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:3268-1
Released:    Thu Sep 18 13:08:10 2025
Summary:     Security update for curl
Type:        security
Severity:    important
References:  1246197,1249191,1249348,1249367,CVE-2025-10148,CVE-2025-9086
This update for curl fixes the following issues:

Security issues fixed:

- CVE-2025-9086: bug in path comparison logic when processing cookies can lead to out-of-bounds read in heap buffer
  (bsc#1249191).
- CVE-2025-10148: predictable websocket mask can lead to proxy cache poisoning by malicious server (bsc#1249348).

Other issues fixed:

- Fix the --ftp-pasv option in curl v8.14.1 (bsc#1246197).
  * tool_getparam: fix --ftp-pasv [5f805ee]

- Update to version 8.14.1 (jsc#PED-13055, jsc#PED-13056).
  * TLS: add CURLOPT_SSL_SIGNATURE_ALGORITHMS and --sigalgs.
  * websocket: add option to disable auto-pong reply.
  * huge number of bugfixes.

  Please see https://curl.se/ch/ for full changelogs.
The following package changes have been done:

- libbrotlicommon1-1.0.7-150200.3.5.1 updated
- libbrotlidec1-1.0.7-150200.3.5.1 updated
- libexpat1-2.7.1-150700.3.3.1 updated
- container:registry.suse.com-bci-bci-base-15.7-58f9c044bea87805cae0e4122c7157699ff07944d120923c8f92ba4d9a128a2a-0 updated
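A practitioner receiving this advisory usually wants one concrete check: does a running container built from bci/golang actually carry the fixed package builds listed above? The following script is an added example, not SUSE tooling and not part of the advisory. It parses the "package changes" list in the format used above, parses a package inventory in the form `rpm -qa --qf '%{NAME}-%{VERSION}-%{RELEASE}\n'` would print, and compares version-release pairs with a simplified reimplementation of rpm's segment-wise version comparison (epochs and the `~`/`^` ordering rules are not handled). The installed libexpat1 version in the sample inventory is constructed for the example; the `container:` entry is skipped because it names the base-image layer, not an rpm.

```python
import re

# Constructed sample input: the "package changes" list from this advisory.
ADVISORY_CHANGES = """\
- libbrotlicommon1-1.0.7-150200.3.5.1 updated
- libbrotlidec1-1.0.7-150200.3.5.1 updated
- libexpat1-2.7.1-150700.3.3.1 updated
- container:registry.suse.com-bci-bci-base-15.7-58f9c044bea87805cae0e4122c7157699ff07944d120923c8f92ba4d9a128a2a-0 updated
"""

# Constructed sample input: a package inventory in NAME-VERSION-RELEASE form,
# as `rpm -qa --qf '%{NAME}-%{VERSION}-%{RELEASE}\n'` prints it. The libexpat1
# build here is invented to represent a container that has not been rebuilt.
INSTALLED_PACKAGES = """\
libbrotlicommon1-1.0.7-150200.3.5.1
libbrotlidec1-1.0.7-150200.3.5.1
libexpat1-2.6.4-150700.3.1.1
"""

# NAME may itself contain hyphens; VERSION and RELEASE never do, so the last
# two hyphen-separated fields are taken as version and release.
NVR_RE = re.compile(r"^(?P<name>.+)-(?P<ver>[^-]+)-(?P<rel>[^-]+)$")
SEGMENT_RE = re.compile(r"\d+|[A-Za-z]+")


def split_nvr(entry):
    """Split 'name-version-release' into its three parts."""
    m = NVR_RE.match(entry)
    if not m:
        raise ValueError(f"not a name-version-release string: {entry!r}")
    return m.group("name"), m.group("ver"), m.group("rel")


def rpmvercmp(a, b):
    """Simplified rpmvercmp: returns -1, 0 or 1.

    Strings are split into numeric and alphabetic segments; numeric segments
    compare as integers, alphabetic ones lexically, a numeric segment beats an
    alphabetic one, and when one side runs out the longer side wins.
    Not handled: epoch prefixes and the '~' / '^' pre-release markers.
    """
    seg_a, seg_b = SEGMENT_RE.findall(a), SEGMENT_RE.findall(b)
    for x, y in zip(seg_a, seg_b):
        if x.isdigit() and y.isdigit():
            if int(x) != int(y):
                return 1 if int(x) > int(y) else -1
        elif x.isdigit():
            return 1
        elif y.isdigit():
            return -1
        elif x != y:
            return 1 if x > y else -1
    return (len(seg_a) > len(seg_b)) - (len(seg_a) < len(seg_b))


def compare_vr(installed, fixed):
    """Compare (version, release) pairs: version first, release as tie-break."""
    c = rpmvercmp(installed[0], fixed[0])
    return c if c else rpmvercmp(installed[1], fixed[1])


def parse_advisory_changes(text):
    """Map package name -> (version, release) from '- NVR updated' lines."""
    fixed = {}
    for line in text.splitlines():
        line = line.strip()
        if not (line.startswith("- ") and line.endswith(" updated")):
            continue
        entry = line[2:-len(" updated")]
        if entry.startswith("container:"):
            continue  # base-image layer reference, not an rpm package
        name, ver, rel = split_nvr(entry)
        fixed[name] = (ver, rel)
    return fixed


def parse_installed(text):
    """Map package name -> (version, release) from NAME-VERSION-RELEASE lines."""
    installed = {}
    for line in text.splitlines():
        if line.strip():
            name, ver, rel = split_nvr(line.strip())
            installed[name] = (ver, rel)
    return installed


def audit(advisory_text, installed_text):
    """Return name -> 'ok' | 'vulnerable' | 'absent' for each advisory package."""
    fixed = parse_advisory_changes(advisory_text)
    installed = parse_installed(installed_text)
    report = {}
    for name, fixed_vr in fixed.items():
        if name not in installed:
            report[name] = "absent"
        else:
            report[name] = "ok" if compare_vr(installed[name], fixed_vr) >= 0 else "vulnerable"
    return report


if __name__ == "__main__":
    for name, status in sorted(audit(ADVISORY_CHANGES, INSTALLED_PACKAGES).items()):
        print(f"{name}: {status}")
```

For a real check, replace the two constructed strings with the advisory text and the output of `rpm -qa --qf '%{NAME}-%{VERSION}-%{RELEASE}\n'` run inside the image; a package reported as "absent" is simply not installed in that image, which is the expected result for an rpm whose advisory is bundled into the container update but whose binary does not ship in the golang image.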