SUSE-IU-2026:2386-1: Security update of suse/sl-micro/6.2/rt-os-container
sle-container-updates at lists.suse.com
Tue Apr 21 07:48:55 UTC 2026
SUSE Image Update Advisory: suse/sl-micro/6.2/rt-os-container
-----------------------------------------------------------------
Image Advisory ID : SUSE-IU-2026:2386-1
Image Tags : suse/sl-micro/6.2/rt-os-container:2.3.0 , suse/sl-micro/6.2/rt-os-container:2.3.0-6.135 , suse/sl-micro/6.2/rt-os-container:latest
Image Release : 6.135
Severity : important
Type : security
References : 1191256 1191270 1194778 1207184 1217845 1222768 1243208 1252073
1253129 1254214 1254306 1254307 1255084 1255687 1256647 1257183
1257511 1257708 1257773 1257777 1257908 1258175 1258280 1258293
1258301 1258305 1258330 1258337 1258340 1258414 1258447 1258476
1258849 1259188 1259461 1259484 1259485 1259580 1259707 1259759
1259795 1259797 1259870 1259886 1259891 1259955 1259997 1259998
1260005 1260009 1260347 1260459 1260464 1260471 1260481 1260486
1260490 1260497 1260500 1260522 1260527 1260544 1260550 1260606
1260730 1260732 1260735 1260799 1261496 1261498 1261506 1261507
1261669 CVE-2025-39998 CVE-2025-40253 CVE-2025-68794 CVE-2025-71239
CVE-2026-23072 CVE-2026-23103 CVE-2026-23120 CVE-2026-23125 CVE-2026-23138
CVE-2026-23140 CVE-2026-23187 CVE-2026-23193 CVE-2026-23201 CVE-2026-23204
CVE-2026-23215 CVE-2026-23216 CVE-2026-23231 CVE-2026-23239 CVE-2026-23240
CVE-2026-23242 CVE-2026-23243 CVE-2026-23255 CVE-2026-23262 CVE-2026-23270
CVE-2026-23272 CVE-2026-23274 CVE-2026-23277 CVE-2026-23278 CVE-2026-23281
CVE-2026-23292 CVE-2026-23293 CVE-2026-23297 CVE-2026-23304 CVE-2026-23319
CVE-2026-23326 CVE-2026-23335 CVE-2026-23343 CVE-2026-23361 CVE-2026-23379
CVE-2026-23381 CVE-2026-23383 CVE-2026-23386 CVE-2026-23393 CVE-2026-23398
CVE-2026-23413 CVE-2026-23414 CVE-2026-23419 CVE-2026-23425 CVE-2026-25727
CVE-2026-31788
-----------------------------------------------------------------
The container suse/sl-micro/6.2/rt-os-container was updated. The following patches have been included in this update:
-----------------------------------------------------------------
Advisory ID: 596
Released: Thu Feb 26 12:08:16 2026
Summary: Security update for rust-keylime
Type: security
Severity: important
References: 1191256,1191270,1194778,1207184,1217845,1222768,1243208,1252073,1253129,1254214,1254306,1254307,1255084,1255687,1256647,1257183,1257511,1257708,1257773,1257777,1257908,1258175,1258280,1258293,1258301,1258305,1258330,1258337,1258340,1258414,1258447,1258476,1258849,1259188,1259461,1259484,1259485,1259580,1259707,1259759,1259795,1259797,1259870,1259886,1259891,1259955,1259997,1259998,1260005,1260009,1260347,1260459,1260464,1260471,1260481,1260486,1260490,1260497,1260500,1260522,1260527,1260544,1260550,1260606,1260730,1260732,1260735,1260799,1261496,1261498,1261506,1261507,1261669,CVE-2025-39998,CVE-2025-40253,CVE-2025-68794,CVE-2025-71239,CVE-2026-23072,CVE-2026-23103,CVE-2026-23120,CVE-2026-23125,CVE-2026-23138,CVE-2026-23140,CVE-2026-23187,CVE-2026-23193,CVE-2026-23201,CVE-2026-23204,CVE-2026-23215,CVE-2026-23216,CVE-2026-23231,CVE-2026-23239,CVE-2026-23240,CVE-2026-23242,CVE-2026-23243,CVE-2026-23255,CVE-2026-23262,CVE-2026-23270,CVE-2026-23272,CVE-2026-23274,CVE-2026-23277,CVE-2026-23278,CVE-2026-23281,CVE-2026-23292,CVE-2026-23293,CVE-2026-23297,CVE-2026-23304,CVE-2026-23319,CVE-2026-23326,CVE-2026-23335,CVE-2026-23343,CVE-2026-23361,CVE-2026-23379,CVE-2026-23381,CVE-2026-23383,CVE-2026-23386,CVE-2026-23393,CVE-2026-23398,CVE-2026-23413,CVE-2026-23414,CVE-2026-23419,CVE-2026-23425,CVE-2026-25727,CVE-2026-31788
This update for rust-keylime fixes the following issues:
Update to version 0.2.8+116.
Security issues fixed:
- CVE-2026-25727: time: parsing of user-provided input by the RFC 2822 date parser can lead to stack exhaustion (bsc#1257908).
Other updates and bugfixes:
- Update to version 0.2.8+116:
* build(deps): bump bytes from 1.7.2 to 1.11.1
* api: Modify /version endpoint output in version 2.5
* Add API v2.5 with backward-compatible /v2.5/quotes/integrity
* tests: add unit test for resolve_agent_id (#1182)
* (pull-model): enable retry logic for registration
* rpm: Update specfiles to apply on master
* workflows: Add test to detect unused crates
* lib: Drop unused crates
* push-model: Drop unused crates
* keylime-agent: Drop unused crates
* build(deps): bump uuid from 1.18.1 to 1.19.0
* Update reqwest-retry to 0.8, retry-policies to 0.5
* rpm: Fix cargo_build macro usage on CentOS Stream
* fix(push-model): resolve hash_ek uuid to actual EK hash
* build(deps): bump thiserror from 2.0.16 to 2.0.17
* workflows: Separate upstream test suite from e2e coverage
* Send UEFI measured boot logs as raw bytes (#1173)
* auth: Add unit tests for SecretToken implementation
* packit: Enable push-attestation tests
* resilient_client: Prevent authentication token leakage in logs
- Update to version 0.2.8+96:
* build(deps): bump wiremock from 0.6.4 to 0.6.5
* build(deps): bump actions/checkout from 5 to 6
* build(deps): bump chrono from 0.4.41 to 0.4.42
* packit: Get coverage from Fedora 43 runs
* Fix issues pointed out by clippy
* Replace mutex unwraps with proper error handling in TPM library
* Remove unused session request methods from StructureFiller
* Fix config panic on missing ek_handle in push model agent
* build(deps): bump tempfile from 3.21.0 to 3.23.0
* build(deps): bump actions/upload-artifact from 4 to 6 (#1163)
* Fix clippy warnings project-wide
* Add KEYLIME_DIR support for verifier TLS certificates in push model agent
* Thread privileged resources and use MeasurementList for IMA reading
* Add privileged resource initialization and privilege dropping to push model agent
* Fix privilege dropping order in run_as()
* add documentation on FQDN hostnames
* Remove confusing logs for push mode agent
* Set correct default Verifier port (8891->8881) (#1159)
* Add verifier_url to reference configuration file (#1158)
* Add TLS support for Registrar communication (#1139)
* Fix agent handling of 403 registration responses (#1154)
* Add minor README.md rephrasing (#1151)
* build(deps): bump actions/checkout from 5 to 6 (#1153)
* ci: update spec files for packit COPR build
* docs: improve challenge encoding and async TPM documentation
* refactor: improve middleware and error handling
* feat: add authentication client with middleware integration
* docker: Include keylime_push_model_agent binary
* Include attestation_interval configuration (#1146)
* Persist payload keys to avoid attestation failure on restart
* crypto: Implement the load or generate pattern for keys
* Use simple algorithm specifiers in certification_keys object (#1140)
* tests: Enable more tests in CI
* Fix RSA2048 algorithm reporting in keylime agent
* Remove disabled_signing_algorithms configuration
* rpm: Fix metadata patches to apply to current code
* workflows/rpm.yml: Use more strict patching
* build(deps): bump uuid from 1.17.0 to 1.18.1
* Fix ECC algorithm selection and reporting for keylime agent
* Improve logging consistency and coherency
* Implement minimal RFC compliance for Location header and URI parsing (#1125)
* Use separate keys for payload mechanism and mTLS
* docker: update rust to 1.81 for distroless Dockerfile
* Ensure UEFI log capabilities are set to false
* build(deps): bump http from 1.1.0 to 1.3.1
* build(deps): bump log from 0.4.27 to 0.4.28
* build(deps): bump cfg-if from 1.0.1 to 1.0.3
* build(deps): bump actix-rt from 2.10.0 to 2.11.0
* build(deps): bump async-trait from 0.1.88 to 0.1.89
* build(deps): bump trybuild from 1.0.105 to 1.0.110
* Accept evidence handling structures null entries
* workflows: Add test to check if RPM patches still apply
* CI: Enable test add-agent-with-malformed-ek-cert
* config: Fix singleton tests
* FSM: Remove needless lifetime annotations (#1105)
* rpm: Do not remove wiremock which is now available in Fedora
* Use latest Fedora httpdate version (1.0.3)
* Enhance coverage with parse_retry_after test
* Fix issues reported by CI regarding unwrap() calls
* Reuse max retries indicated to the ResilientClient
* Include limit of retries to 5 for Retry-After
* Add policy to handle Retry-After response headers
* build(deps): bump wiremock from 0.6.3 to 0.6.4
* build(deps): bump serde_json from 1.0.140 to 1.0.143
* build(deps): bump pest_derive from 2.8.0 to 2.8.1
* build(deps): bump syn from 2.0.90 to 2.0.106
* build(deps): bump tempfile from 3.20.0 to 3.21.0
* build(deps): bump thiserror from 2.0.12 to 2.0.16
* rpm: Fix patches to apply to current master code
* build(deps): bump anyhow from 1.0.98 to 1.0.99
* state_machine: Automatically clean config override during tests
* config: Implement singleton and factory pattern
* testing: Support overriding configuration during tests
* feat: implement standalone challenge-response authentication module
* structures: rename session structs for clarity and fix typos
* tpm: refactor certify_credential_with_iak() into a more generic function
* Add Push Model Agent Mermaid FSM chart (#1095)
* Add state to avoid exiting on wrong attestation (#1093)
* Add 6 alphanumeric lowercase X-Request-ID header
* Enhance Evidence Handling response parsing
* build(deps): bump quote from 1.0.35 to 1.0.40
* build(deps): bump libc from 0.2.172 to 0.2.175
* build(deps): bump glob from 0.3.2 to 0.3.3
* build(deps): bump actix-web from 4.10.2 to 4.11.0
The following package changes have been done:
- kernel-rt-6.12.0-160000.28.1 updated