SUSE-CU-2026:3848-1: Security update of suse/sles/16.0/toolbox
sle-container-updates at lists.suse.com
Wed Apr 8 07:42:51 UTC 2026
SUSE Container Update Advisory: suse/sles/16.0/toolbox
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2026:3848-1
Container Tags : suse/sles/16.0/toolbox:16.3 , suse/sles/16.0/toolbox:16.3-1.42 , suse/sles/16.0/toolbox:latest
Container Release : 1.42
Severity : critical
Type : security
References : 1159103 1211721 1219038 1221763 1227117 1228879 1236217 1242170
1246399 1246607 1249832 1255326 1256341 1258344 1259418 1259650
1259697 1259711 1259726 1259729 1259963 CVE-2025-13151 CVE-2025-45582
CVE-2026-29111 CVE-2026-32776 CVE-2026-32777 CVE-2026-32778 CVE-2026-4105
-----------------------------------------------------------------
The container suse/sles/16.0/toolbox was updated. The following patches have been included in this update:
-----------------------------------------------------------------
Advisory ID: 485
Released: Thu Oct 9 16:42:20 2025
Summary: Security update for aaa_base
Type: security
Severity: moderate
References: 1159103,1211721,1219038,1221763,1227117,1255326,1258344,1259418,1259650,1259697,CVE-2026-29111,CVE-2026-4105
This update for aaa_base fixes the following issues:
Update to version 84.87+git20240906.742565b:
* yama-enable-ptrace: enforce changed behavior upon installation (bsc#1221763)
* Avoid unnecessary /bin/bash dependency
* sysctl: Fixup of not setting kernel.pid_max on 32b archs (bsc#1227117)
Update to version 84.87+git20240821.fbabe1d:
* Add helper service for soft-reboot
Update to version 84.87+git20240809.5d13eb4:
* cleanup aaa_base.post and fold back into specfile
Update to version 84.87+git20240805.7513b28:
* Remove obsolete resolv+ manual page
* Remove obsolete defaultdomain.5 manual page
* Move /etc/skel to /usr/etc/skel (hermetic-usr)
* Remove obsolete refresh_initrd
* Add deprecation notice for service [jsc#PED-266]
Update to version 84.87+git20240801.75f05dd:
* sysctl: Don't set kernel.pid_max on 32b archs (bsc#1227117)
Update to version 84.87+git20240620.57ee9e1:
* Remove legacy-actions support [jsc#PED-264]
Update to version 84.87+git20240617.f5ff27f:
* add /usr/bin/nu to etc/shells for nushell
Update to version 84.87+git20240614.332933e:
* Do not save/restore cursor for foot at status line
* Add tmux and others to DIR_COLORS (Issue #116)
* Remove kernel.pid_max limit (bsc#1219038)
* Add subpackage to enable ptrace
Update to version 84.87+git20240523.10a5692:
* Add tmpfiles.d/soft-reboot-cleanup.conf
Update to version 84.87+git20240415.e6815bf:
* drop obsolete 50-default-s390.conf (bsc#1211721)
* fix typo in alljava.csh and drop stderr redirection
Update to version 84.87+git20240402.16596d1:
* add alacritty to DIR_COLORS
* Make sure tput is present before resetting TERM
* Add mc helpers for both tcsh and bash resources
* Do not overwrite escape sequences for xterm like
* Check for valid TERM
Update to version 84.87+git20240202.9526d46:
* properly shorten the variable when setting JAVA_HOME and JRE_HOME
* silence output of alljava
* Restrict ptrace with Yama LSM by default
* patch alljava.sh and alljava.csh, use the links from update alternatives
Update to version 84.87+git20231023.f347d36:
* Remove %ghost lastlog entry, lastlog is long gone
* Remove shaky safe-rm and safe-rmdir helpers (bsc#1159103)
-----------------------------------------------------------------
Advisory ID: 486
Released: Tue Oct 14 09:08:22 2025
Summary: Recommended update for selinux-policy
Type: recommended
Severity: important
References: 1228879,1246399,1246607,1249832,CVE-2025-45582
This update for selinux-policy fixes the following issues:
- Ensure dbus communication is allowed bidirectionally
- policy module for kiwi
- Label /var/livepatches as lib_t for ULP on micro (bsc#1228879, bsc#1249832)
-----------------------------------------------------------------
Advisory ID: 484
Released: Fri Nov 14 12:27:35 2025
Summary: Recommended update for rust1.90, rust
Type: recommended
Severity: critical
References: 1242170,1256341,CVE-2025-13151
This update for rust1.90, rust fixes the following issues:
- bsc#1242170 - raise gcc requirement to version 14
- resolve linker test failures
Version 1.90.0 (2025-09-18)
===========================
# Language
- Split up the `unknown_or_malformed_diagnostic_attributes` lint. This lint has been split up into four finer-grained lints, with `unknown_or_malformed_diagnostic_attributes` now being the lint group that contains these lints:
  1. `unknown_diagnostic_attributes`: unknown to the current compiler
  2. `misplaced_diagnostic_attributes`: placed on the wrong item
  3. `malformed_diagnostic_attributes`: malformed attribute syntax or options
  4. `malformed_diagnostic_format_literals`: malformed format string literal
- Allow constants whose final value has references to mutable/external memory, but reject such constants as patterns
- Allow volatile access to non-Rust memory, including address 0
# Compiler
- Use `lld` by default on `x86_64-unknown-linux-gnu`
- Tier 3 `musl` targets now link dynamically by default. Affected targets:
  - `mips64-unknown-linux-muslabi64`
  - `powerpc64-unknown-linux-musl`
  - `powerpc-unknown-linux-musl`
  - `powerpc-unknown-linux-muslspe`
  - `riscv32gc-unknown-linux-musl`
  - `s390x-unknown-linux-musl`
  - `thumbv7neon-unknown-linux-musleabihf`
# Platform Support
- Demote `x86_64-apple-darwin` to Tier 2 with host tools
Refer to Rust's platform support page for more information on Rust's tiered platform support.
# Libraries
- Stabilize `u*::{checked,overflowing,saturating,wrapping}_sub_signed`
- Allow comparisons between `CStr`, `CString`, and `Cow<CStr>`
- Remove some unsized tuple impls since unsized tuples can't be constructed
- Set `MSG_NOSIGNAL` for `UnixStream`
- `proc_macro::Ident::new` now supports `$crate`.
- Guarantee the pointer returned from `Thread::into_raw` has at least 8 bytes of alignment
# Stabilized APIs
- `u{n}::checked_sub_signed` https://doc.rust-lang.org/stable/std/primitive.usize.html#method.checked_sub_signed
- `u{n}::overflowing_sub_signed` https://doc.rust-lang.org/stable/std/primitive.usize.html#method.overflowing_sub_signed
- `u{n}::saturating_sub_signed` https://doc.rust-lang.org/stable/std/primitive.usize.html#method.saturating_sub_signed
- `u{n}::wrapping_sub_signed` https://doc.rust-lang.org/stable/std/primitive.usize.html#method.wrapping_sub_signed
- `impl Copy for IntErrorKind` https://doc.rust-lang.org/stable/std/num/enum.IntErrorKind.html#impl-Copy-for-IntErrorKind
- `impl Hash for IntErrorKind` https://doc.rust-lang.org/stable/std/num/enum.IntErrorKind.html#impl-Hash-for-IntErrorKind
- `impl PartialEq<&CStr> for CStr` https://doc.rust-lang.org/stable/std/ffi/struct.CStr.html#impl-PartialEq%3C%26CStr%3E-for-CStr
- `impl PartialEq<CString> for CStr` https://doc.rust-lang.org/stable/std/ffi/struct.CStr.html#impl-PartialEq%3CCString%3E-for-CStr
- `impl PartialEq<Cow<CStr>> for CStr` https://doc.rust-lang.org/stable/std/ffi/struct.CStr.html#impl-PartialEq%3CCow%3C'_,+CStr%3E%3E-for-CStr
- `impl PartialEq<&CStr> for CString` https://doc.rust-lang.org/stable/std/ffi/struct.CString.html#impl-PartialEq%3C%26CStr%3E-for-CString
- `impl PartialEq<CStr> for CString` https://doc.rust-lang.org/stable/std/ffi/struct.CString.html#impl-PartialEq%3CCStr%3E-for-CString
- `impl PartialEq<Cow<CStr>> for CString` https://doc.rust-lang.org/stable/std/ffi/struct.CString.html#impl-PartialEq%3CCow%3C'_,+CStr%3E%3E-for-CString
- `impl PartialEq<&CStr> for Cow<CStr>` https://doc.rust-lang.org/stable/std/borrow/enum.Cow.html#impl-PartialEq%3C%26CStr%3E-for-Cow%3C'_,+CStr%3E
- `impl PartialEq<CStr> for Cow<CStr>` https://doc.rust-lang.org/stable/std/borrow/enum.Cow.html#impl-PartialEq%3CCStr%3E-for-Cow%3C'_,+CStr%3E
- `impl PartialEq<CString> for Cow<CStr>` https://doc.rust-lang.org/stable/std/borrow/enum.Cow.html#impl-PartialEq%3CCString%3E-for-Cow%3C'_,+CStr%3E
These previously stable APIs are now stable in const contexts:
- `<[T]>::reverse` https://doc.rust-lang.org/stable/std/primitive.slice.html#method.reverse
- `f32::floor` https://doc.rust-lang.org/stable/std/primitive.f32.html#method.floor
- `f32::ceil` https://doc.rust-lang.org/stable/std/primitive.f32.html#method.ceil
- `f32::trunc` https://doc.rust-lang.org/stable/std/primitive.f32.html#method.trunc
- `f32::fract` https://doc.rust-lang.org/stable/std/primitive.f32.html#method.fract
- `f32::round` https://doc.rust-lang.org/stable/std/primitive.f32.html#method.round
- `f32::round_ties_even` https://doc.rust-lang.org/stable/std/primitive.f32.html#method.round_ties_even
- `f64::floor` https://doc.rust-lang.org/stable/std/primitive.f64.html#method.floor
- `f64::ceil` https://doc.rust-lang.org/stable/std/primitive.f64.html#method.ceil
- `f64::trunc` https://doc.rust-lang.org/stable/std/primitive.f64.html#method.trunc
- `f64::fract` https://doc.rust-lang.org/stable/std/primitive.f64.html#method.fract
- `f64::round` https://doc.rust-lang.org/stable/std/primitive.f64.html#method.round
- `f64::round_ties_even` https://doc.rust-lang.org/stable/std/primitive.f64.html#method.round_ties_even
# Cargo
- Add `http.proxy-cainfo` config for proxy certs
- Use `gix` for `cargo package`
- feat(publish): Stabilize multi-package publishing
# Rustdoc
- Add ways to collapse all impl blocks. Previously the 'Summary' button and '-' keyboard shortcut would never collapse `impl` blocks, now they do when shift is held
- Display unsafe attributes with `unsafe()` wrappers
# Compatibility Notes
- Use `lld` by default on `x86_64-unknown-linux-gnu`
  See also <https://blog.rust-lang.org/2025/09/01/rust-lld-on-1.90.0-stable/>.
- Make `core::iter::Fuse`'s `Default` impl construct `I::default()` internally as promised in the docs instead of always being empty
- Set `MSG_NOSIGNAL` for `UnixStream`
  This may change program behavior but results in the same behavior as other primitives (e.g., stdout, network sockets).
  Programs relying on signals to terminate them should update handling of sockets to handle errors on write by exiting.
- On Unix `std::env::home_dir` will use the fallback if the `HOME` environment variable is empty
- We now reject unsupported `extern '{abi}'`s consistently in all positions. This primarily affects the use of implementing traits on an `extern '{abi}'` function pointer, like `extern 'stdcall' fn()`, on a platform that doesn't support that, like aarch64-unknown-linux-gnu. Direct usage of these unsupported ABI strings by declaring or defining functions was already rejected, so this is only a change for consistency.
- const-eval: error when initializing a static writes to that static
- Check that the `proc_macro_derive` macro has correct arguments when applied to the crate root
-----------------------------------------------------------------
Advisory ID: 466
Released: Tue Mar 31 11:59:46 2026
Summary: Recommended update for rust-keylime
Type: recommended
Severity: moderate
References: 1236217,1259711,1259726,1259729,1259963,CVE-2026-32776,CVE-2026-32777,CVE-2026-32778
This update for rust-keylime fixes the following issues:
- Suggests only the IMA policy package, and keep it as example (bsc#1259963)
- Add a patch to re-generate TSS bindings
- Update to version 0.2.9+8:
* build(deps):
+ bump thiserror from 2.0.17 to 2.0.18
+ bump docker/login-action from 3 to 4
+ bump docker/metadata-action from 5 to 6
+ bump docker/build-push-action from 6 to 7
+ bump actions/upload-artifact from 6 to 7
+ bump mockoon/cli-action from 2 to 3
+ bump http from 1.3.1 to 1.4.0
+ bump serde from 1.0.219 to 1.0.228
+ bump clap from 4.5.45 to 4.5.54
+ bump actix-web from 4.11.0 to 4.12.1
* Remove generate-bindings feature from tss-esapi
* Use port constants instead of hardcoded values in tests
* push-attestation:
+ use registrar TLS port when TLS is enabled
+ drop support for mTLS to registrar
+ drop mTLS support and require PoP authentication
+ drop self-signed mTLS certificate generation
* dist: Make the services to conflict with each other
* cargo:
+ bump tracing_subscriber to version 0.3.20
+ bump time to version 0.3.47
* Update reqwest from 0.12 to 0.13
* auth:
+ load CA certificate in authentication client
+ reuse existing ContextInfo to avoid duplicate TPM objects
* packit: add missing e2e tests
* registrar: rename insecure option to disable_tls
* config:
+ add missing config options to keylime-agent.conf
+ add support for 'default' in registrar_api_versions option
+ add support for 'default' in registrar_tls_ca_cert option
+ drop unused config options and constants
* resilient_client: reauthenticate if a 403 error is received
The following package changes have been done:
- libexpat1-2.7.1-160000.5.1 updated
- libsystemd0-257.13-160000.1.1 updated
- libtasn1-6-4.21.0-160000.1.1 updated
- libudev1-257.13-160000.1.1 updated
- tar-1.35-160000.3.1 updated