SUSE-IU-2026:2315-1: Security update of suse/sl-micro/6.1/baremetal-os-container

sle-container-updates at lists.suse.com
Fri Apr 17 07:12:36 UTC 2026


SUSE Image Update Advisory: suse/sl-micro/6.1/baremetal-os-container
-----------------------------------------------------------------
Image Advisory ID : SUSE-IU-2026:2315-1
Image Tags        : suse/sl-micro/6.1/baremetal-os-container:2.2.1 , suse/sl-micro/6.1/baremetal-os-container:2.2.1-7.92 , suse/sl-micro/6.1/baremetal-os-container:latest
Image Release     : 7.92
Severity          : important
Type              : security
References        : 1259611 1259734 1259735 1259989 1260026 1261420 CVE-2025-13462
                        CVE-2026-3479 CVE-2026-35535 CVE-2026-3644 CVE-2026-4224 CVE-2026-4519
-----------------------------------------------------------------

The container suse/sl-micro/6.1/baremetal-os-container was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: 491
Released:    Thu Apr 16 14:53:36 2026
Summary:     Security update for sudo
Type:        security
Severity:    important
References:  1261420,CVE-2026-35535
This update for sudo fixes the following issues:

- CVE-2026-35535: unhandled failure of `setuid`, `setgid` or `setgroups` calls during a mailer privilege drop allows
  for local privilege escalation (bsc#1261420). 

-----------------------------------------------------------------
Advisory ID: 490
Released:    Thu Apr 16 15:24:01 2026
Summary:     Security update for python311
Type:        security
Severity:    important
References:  1259611,1259734,1259735,1259989,1260026,CVE-2025-13462,CVE-2026-3479,CVE-2026-3644,CVE-2026-4224,CVE-2026-4519
This update for python311 fixes the following issues:

- CVE-2025-13462: incorrect parsing of TarInfo when GNU long name and type AREGTYPE are combined can lead to
  misinterpretation of tar archives (bsc#1259611).
- CVE-2026-3479: improper resource argument validation in `pkgutil.get_data()` can lead to path traversal (bsc#1259989).
- CVE-2026-3644: incomplete control character validation in `http.cookies` can lead to input validation bypass
  (bsc#1259734).
- CVE-2026-4224: parsing XML with deeply nested DTD content models can lead to C stack overflow (bsc#1259735).
- CVE-2026-4519: failure to sanitize leading dashes in URLs in the `webbrowser.open()` API can lead to web browser
  command line option injection (bsc#1260026).


The following package changes have been made:

- SL-Micro-release-6.1-slfo.1.12.30 updated
- sudo-1.9.15p5-slfo.1.1_3.1 updated
- python311-base-3.11.15-slfo.1.1_3.1 updated
- libpython3_11-1_0-3.11.15-slfo.1.1_3.1 updated
- python311-3.11.15-slfo.1.1_3.1 updated
- container:SL-Micro-base-container-2.2.1-5.116 updated

