SUSE-IU-2026:1705-1: Security update of suse/sle-micro/kvm-5.5

sle-container-updates at lists.suse.com
Fri Apr 3 07:07:41 UTC 2026


SUSE Image Update Advisory: suse/sle-micro/kvm-5.5
-----------------------------------------------------------------
Image Advisory ID : SUSE-IU-2026:1705-1
Image Tags        : suse/sle-micro/kvm-5.5:2.0.4, suse/sle-micro/kvm-5.5:2.0.4-3.5.495, suse/sle-micro/kvm-5.5:latest
Image Release     : 3.5.495
Severity          : important
Type              : security
References        : 1222465 1234736 1254670 1259418 1259619 1259650 1259697 1259711
                        1259726 1259729 CVE-2025-70873 CVE-2025-7709 CVE-2026-29111 CVE-2026-32776
                        CVE-2026-32777 CVE-2026-32778 CVE-2026-4105 
-----------------------------------------------------------------

The container suse/sle-micro/kvm-5.5 was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:1061-1
Released:    Thu Mar 26 11:35:08 2026
Summary:     Security update for systemd
Type:        security
Severity:    important
References:  1259418,1259650,1259697,CVE-2026-29111,CVE-2026-4105
This update for systemd fixes the following issues:

- CVE-2026-4105: privilege escalation due to improper access control in RegisterMachine D-Bus method (bsc#1259650).
- CVE-2026-29111: local unprivileged user can trigger an assert in systemd (bsc#1259418).
- udev: check for invalid chars in various fields received from the kernel (bsc#1259697).  

Changelog:

- 6a38d88a42 machined: reject invalid class types when registering machines
- 8c9a592e5a udev: fix review mixup
- b57007a917 udev-builtin-net-id: print cescaped bad attributes
- ee23c7604b udev-builtin-net_id: do not assume the current interface name is ethX
- 0f63e799e6 udev: ensure tag parsing stays within bounds
- 046f52ec12 udev: ensure there is space for trailing NUL before calling sprintf
- 5be21460ce udev: check for invalid chars in various fields received from the kernel
- 9559607b16 core/cgroup: avoid one unnecessary strjoina()
- fcae348ca4 core: validate input cgroup path more prudently
- a3ca6b3031 alloc-util: add strdupa_safe() + strndupa_safe() and use it everywhere
- 08125d6b06 units: add dep on systemd-logind.service by user@.service

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:1065-1
Released:    Thu Mar 26 11:38:12 2026
Summary:     Security update for sqlite3
Type:        security
Severity:    moderate
References:  1254670,1259619,CVE-2025-70873,CVE-2025-7709
This update for sqlite3 fixes the following issues:

Update sqlite3 to 3.51.3:

- CVE-2025-7709: Integer Overflow in FTS5 Extension (bsc#1254670).
- CVE-2025-70873: SQLite zipfile extension may disclose uninitialized heap memory during inflation (bsc#1259619).

Changelog:

 * Fix the WAL-reset database corruption bug:
   https://sqlite.org/wal.html#walresetbug

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2026:1087-1
Released:    Thu Mar 26 16:20:57 2026
Summary:     Recommended update for util-linux
Type:        recommended
Severity:    moderate
References:  1222465,1234736
This update for util-linux fixes the following issues:

- recognize fuse 'portal' as a virtual file system (bsc#1234736).
- fdisk: Fix possible partition overlay and data corruption if EBR gap is missing (bsc#1222465).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:1166-1
Released:    Thu Apr  2 03:08:04 2026
Summary:     Security update for expat
Type:        security
Severity:    important
References:  1259711,1259726,1259729,CVE-2026-32776,CVE-2026-32777,CVE-2026-32778
This update for expat fixes the following issues:

- CVE-2026-32776: NULL pointer dereference when processing empty external parameter entities inside an entity
  declaration value (bsc#1259726).
- CVE-2026-32777: denial of service due to infinite loop in DTD content parsing (bsc#1259711).
- CVE-2026-32778: NULL pointer dereference in `setContext` on retry after an out-of-memory condition (bsc#1259729).


The following package changes have been done:

- libuuid1-2.37.4-150500.9.26.1 updated
- libudev1-249.17-150400.8.55.1 updated
- libsmartcols1-2.37.4-150500.9.26.1 updated
- libexpat1-2.7.1-150400.3.37.1 updated
- libblkid1-2.37.4-150500.9.26.1 updated
- libfdisk1-2.37.4-150500.9.26.1 updated
- libmount1-2.37.4-150500.9.26.1 updated
- libsystemd0-249.17-150400.8.55.1 updated
- util-linux-2.37.4-150500.9.26.1 updated
- systemd-249.17-150400.8.55.1 updated
- util-linux-systemd-2.37.4-150500.9.26.1 updated
- udev-249.17-150400.8.55.1 updated
- libsqlite3-0-3.51.3-150000.3.39.1 updated
- container:suse-sle-micro-base-5.5-latest-2.0.4-5.8.257 updated

