SUSE-CU-2026:4473-1: Security update of suse/multi-linux-manager/5.1/x86_64/server-postgresql
sle-container-updates at lists.suse.com
Fri Apr 24 08:29:49 UTC 2026
SUSE Container Update Advisory: suse/multi-linux-manager/5.1/x86_64/server-postgresql
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2026:4473-1
Container Tags : suse/multi-linux-manager/5.1/x86_64/server-postgresql:5.1.3 , suse/multi-linux-manager/5.1/x86_64/server-postgresql:5.1.3.6.18.1 , suse/multi-linux-manager/5.1/x86_64/server-postgresql:latest
Container Release : 6.18.1
Severity : important
Type : security
References : 1029961 1120610 1120610 1130496 1130496 1144060 1176006 1177047
1180713 1181131 1181131 1181400 1182850 1184124 1185897 1186642
1187536 1189139 1198062 1198922 1199026 1200657 1200657 1202436
1202436 1202436 1203600 1203823 1205502 1206627 1207753 1214806
1217969 1222465 1234736 1246052 1246399 1257463 1258008 1258008
1258009 1258009 1258010 1258010 1258011 1258011 1258012 1258045
1258049 1258054 1258080 1258081 1258311 1258319 1258392 1258754
1258754 1258859 1259362 1259363 1259364 1259365 1259377 1259418
1259650 1259697 1259825 1259845 1260078 1260082 1260441 1260442
1260443 1260444 1260445 1261678 1261809 916845 CVE-2013-4235
CVE-2018-20482 CVE-2018-20482 CVE-2019-9923 CVE-2019-9923 CVE-2021-20193
CVE-2021-20193 CVE-2022-1271 CVE-2022-48303 CVE-2023-39804 CVE-2023-4641
CVE-2025-45582 CVE-2026-0964 CVE-2026-0965 CVE-2026-0966 CVE-2026-0967
CVE-2026-0968 CVE-2026-1965 CVE-2026-2003 CVE-2026-2003 CVE-2026-2004
CVE-2026-2004 CVE-2026-2005 CVE-2026-2005 CVE-2026-2006 CVE-2026-2006
CVE-2026-2007 CVE-2026-27135 CVE-2026-27171 CVE-2026-28387 CVE-2026-28388
CVE-2026-28389 CVE-2026-28390 CVE-2026-29111 CVE-2026-31789 CVE-2026-31790
CVE-2026-3184 CVE-2026-3731 CVE-2026-3783 CVE-2026-3784 CVE-2026-3805
CVE-2026-4105 CVE-2026-4437 CVE-2026-4438 CVE-2026-4878
-----------------------------------------------------------------
The container suse/multi-linux-manager/5.1/x86_64/server-postgresql was updated. The following patches have been included in this update:
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:926-1
Released: Wed Apr 10 16:33:12 2019
Summary: Security update for tar
Type: security
Severity: moderate
References: 1120610,1130496,CVE-2018-20482,CVE-2019-9923
This update for tar fixes the following issues:
Security issues fixed:
- CVE-2019-9923: Fixed a denial of service while parsing certain archives with malformed extended headers in pax_decode_header() (bsc#1130496).
- CVE-2018-20482: Fixed a denial of service when the '--sparse' option mishandles file shrinkage during read access (bsc#1120610).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:3791-1
Released: Mon Dec 14 17:39:19 2020
Summary: Recommended update for gzip
Type: recommended
Severity: moderate
References:
This update for gzip fixes the following issue:
- Enable `DFLTCC` (Deflate Conversion Call) compression for s390x for levels 1-6 to `CFLAGS`. (jsc#SLE-13775)
Enable by adding `-DDFLTCC_LEVEL_MASK=0x7e` to `CFLAGS`.
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:974-1
Released: Mon Mar 29 19:31:27 2021
Summary: Security update for tar
Type: security
Severity: low
References: 1181131,CVE-2021-20193
This update for tar fixes the following issues:
- CVE-2021-20193: Memory leak in read_header() in list.c (bsc#1181131)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:1018-1
Released: Tue Apr 6 14:29:13 2021
Summary: Recommended update for gzip
Type: recommended
Severity: moderate
References: 1180713
This update for gzip fixes the following issues:
- Fixed an issue where 'gzexe' miscounted the lines to skip. (bsc#1180713)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:1289-1
Released: Wed Apr 21 14:02:46 2021
Summary: Recommended update for gzip
Type: recommended
Severity: moderate
References: 1177047
This update for gzip fixes the following issues:
- Fixed a potential segfault when zlib acceleration is enabled (bsc#1177047)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:1935-1
Released: Thu Jun 10 10:45:09 2021
Summary: Recommended update for gzip
Type: recommended
Severity: moderate
References: 1186642
This update for gzip fixes the following issue:
- gzip had a lower release number in 15 SP2 and SP3 than in 15 SP1, which could lead
to migration issues. (bsc#1186642)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:2193-1
Released: Mon Jun 28 18:38:43 2021
Summary: Recommended update for tar
Type: recommended
Severity: moderate
References: 1184124
This update for tar fixes the following issues:
- Link '/var/lib/tests/tar/bin/genfile' as Position-Independent Executable (bsc#1184124)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2022:1548-1
Released: Thu May 5 16:45:28 2022
Summary: Security update for tar
Type: security
Severity: moderate
References: 1029961,1120610,1130496,1181131,CVE-2018-20482,CVE-2019-9923,CVE-2021-20193
This update for tar fixes the following issues:
- CVE-2021-20193: Fixed a memory leak in read_header() in list.c (bsc#1181131).
- CVE-2019-9923: Fixed a null-pointer dereference in pax_decode_header in sparse.c (bsc#1130496).
- CVE-2018-20482: Fixed infinite read loop in sparse_dump_region in sparse.c (bsc#1120610).
- Update to GNU tar 1.34:
* Fix extraction over pipe
* Fix memory leak in read_header (CVE-2021-20193) (bsc#1181131)
* Fix extraction when . and .. are unreadable
* Gracefully handle duplicate symlinks when extracting
* Re-initialize supplementary groups when switching to user
privileges
- Update to GNU tar 1.33:
* POSIX extended format headers do not include PID by default
* --delay-directory-restore works for archives with reversed
member ordering
* Fix extraction of a symbolic link hardlinked to another
symbolic link
* Wildcards in exclude-vcs-ignore mode don't match slash
* Fix the --no-overwrite-dir option
* Fix handling of chained renames in incremental backups
* Link counting works for file names supplied with -T
* Accept only position-sensitive (file-selection) options in file
list files
- prepare usrmerge (bsc#1029961)
- Update to GNU tar 1.32
* Fix the use of --checkpoint without explicit --checkpoint-action
* Fix extraction with the -U option
* Fix iconv usage on BSD-based systems
* Fix possible NULL dereference (savannah bug #55369)
[bsc#1130496] [CVE-2019-9923]
* Improve the testsuite
- Update to GNU tar 1.31
* Fix heap-buffer-overrun with --one-top-level, bug introduced
with the addition of that option in 1.28
* Support for zstd compression
* New option '--zstd' instructs tar to use zstd as compression
program. When listing, extracting and comparing, zstd compressed
archives are recognized automatically. When '-a' option is in
effect, zstd compression is selected if the destination archive
name ends in '.zst' or '.tzst'.
* The -K option interacts properly with member names given in the
command line. Names of members to extract can be specified along
with the '-K NAME' option. In this case, tar will extract NAME
and those of named members that appear in the archive after it,
which is consistent with the semantics of the option. Previous
versions of tar extracted NAME, those of named members that
appeared before it, and everything after it.
* Fix CVE-2018-20482 - When creating archives with the --sparse
option, previous versions of tar would loop endlessly if a
sparse file had been truncated while being archived.
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2022:1617-1
Released: Tue May 10 14:40:12 2022
Summary: Security update for gzip
Type: security
Severity: important
References: 1198062,1198922,CVE-2022-1271
This update for gzip fixes the following issues:
- CVE-2022-1271: Fix escaping of malicious filenames. (bsc#1198062)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:2735-1
Released: Wed Aug 10 04:31:41 2022
Summary: Recommended update for tar
Type: recommended
Severity: moderate
References: 1200657
This update for tar fixes the following issues:
- Fix race condition while creating intermediate subdirectories (bsc#1200657)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:2844-1
Released: Thu Aug 18 14:41:25 2022
Summary: Recommended update for tar
Type: recommended
Severity: important
References: 1202436
This update for tar fixes the following issues:
- A regression in a previous update led to potential deadlocks when extracting an archive. (bsc#1202436)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:4312-1
Released: Fri Dec 2 11:16:47 2022
Summary: Recommended update for tar
Type: recommended
Severity: moderate
References: 1200657,1203600
This update for tar fixes the following issues:
- Fix unexpected inconsistency when making directory (bsc#1203600)
- Update race condition fix (bsc#1200657)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:179-1
Released: Thu Jan 26 21:54:30 2023
Summary: Recommended update for tar
Type: recommended
Severity: low
References: 1202436
This update for tar fixes the following issue:
- Fix hang when unpacking test tarball (bsc#1202436)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:463-1
Released: Mon Feb 20 16:33:39 2023
Summary: Security update for tar
Type: security
Severity: moderate
References: 1202436,1207753,CVE-2022-48303
This update for tar fixes the following issues:
- CVE-2022-48303: Fixed a one-byte out-of-bounds read that resulted in use of uninitialized memory for a conditional jump (bsc#1207753).
Bug fixes:
- Fix hang when unpacking test tarball (bsc#1202436).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2024:70-1
Released: Tue Jan 9 18:29:39 2024
Summary: Security update for tar
Type: security
Severity: low
References: 1217969,CVE-2023-39804
This update for tar fixes the following issues:
- CVE-2023-39804: Fixed incorrect handling of extension attributes in PAX archives (bsc#1217969).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:779-1
Released: Tue Mar 3 14:25:07 2026
Summary: Security update for libssh
Type: security
Severity: moderate
References: 1258045,1258049,1258054,1258080,1258081,CVE-2026-0964,CVE-2026-0965,CVE-2026-0966,CVE-2026-0967,CVE-2026-0968
This update for libssh fixes the following issues:
- CVE-2026-0964: improper sanitization of paths received from SCP servers can cause path traversal (bsc#1258049).
- CVE-2026-0965: possible denial of service when parsing unexpected configuration files (bsc#1258045).
- CVE-2026-0966: buffer underflow in ssh_get_hexa() on invalid input (bsc#1258054).
- CVE-2026-0967: specially crafted patterns could cause denial of service (bsc#1258081).
- CVE-2026-0968: malformed SFTP message can lead to an out-of-bounds read (bsc#1258080).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:783-1
Released: Tue Mar 3 14:36:14 2026
Summary: Security update for zlib
Type: security
Severity: moderate
References: 1258392,CVE-2026-27171
This update for zlib fixes the following issue:
- CVE-2026-27171: Fixed infinite loop via the `crc32_combine64` and `crc32_combine_gen64` functions due to missing
checks for negative lengths (bsc#1258392).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2026:791-1
Released: Tue Mar 3 16:59:33 2026
Summary: Recommended update for gcc15
Type: recommended
Severity: moderate
References: 1257463
This update for gcc15 fixes the following issues:
- Fix bogus expression simplification (bsc#1257463)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2026:844-1
Released: Fri Mar 6 16:45:31 2026
Summary: Recommended update for glibc
Type: recommended
Severity: moderate
References: 1258319
This update for glibc fixes the following issues:
- nss: Missing checks in __nss_configure_lookup, __nss_database_get (bsc#1258319, BZ #28940)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2026:863-1
Released: Wed Mar 11 13:41:48 2026
Summary: Recommended update for openldap2
Type: recommended
Severity: moderate
References:
This update for openldap2 fixes the following issues:
- expose ldap_log.h in -devel (jsc#PED-15735)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:881-1
Released: Thu Mar 12 11:18:51 2026
Summary: Security update for postgresql18
Type: security
Severity: important
References: 1258008,1258009,1258010,1258011,1258012,1258754,CVE-2026-2003,CVE-2026-2004,CVE-2026-2005,CVE-2026-2006,CVE-2026-2007
This update for postgresql18 fixes the following issues:
Update to version 18.3 (bsc#1258754).
Security issues fixed:
- CVE-2026-2003: improper validation of type 'oidvector' may allow disclosure of a few bytes of server memory (bsc#1258008).
- CVE-2026-2004: intarray missing validation of type of input to selectivity estimator could lead to arbitrary code
execution (bsc#1258009).
- CVE-2026-2005: buffer overrun in contrib/pgcrypto's PGP decryption functions could lead to arbitrary code execution
(bsc#1258010).
- CVE-2026-2006: inadequate validation of multibyte character lengths could lead to arbitrary code execution
(bsc#1258011).
- CVE-2026-2007: heap buffer overflow in pg_trgm could write pattern data into server memory (bsc#1258012).
Regression fixes:
- the substring() function raises an error 'invalid byte sequence for encoding' on non-ASCII text values if the
source of that value is a database column (caused by CVE-2026-2006 fix).
- a standby may halt and return an error 'could not access status of transaction'.
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:882-1
Released: Thu Mar 12 11:19:24 2026
Summary: Security update for postgresql16
Type: security
Severity: important
References: 1258008,1258009,1258010,1258011,1258754,CVE-2026-2003,CVE-2026-2004,CVE-2026-2005,CVE-2026-2006
This update for postgresql16 fixes the following issues:
Update to version 16.13 (bsc#1258754).
Security issues fixed:
- CVE-2026-2003: improper validation of type 'oidvector' may allow disclosure of a few bytes of server memory (bsc#1258008).
- CVE-2026-2004: intarray missing validation of type of input to selectivity estimator could lead to arbitrary code
execution (bsc#1258009).
- CVE-2026-2005: buffer overrun in contrib/pgcrypto's PGP decryption functions could lead to arbitrary code execution
(bsc#1258010).
- CVE-2026-2006: inadequate validation of multibyte character lengths could lead to arbitrary code execution
(bsc#1258011).
Regression fixes:
- the substring() function raises an error 'invalid byte sequence for encoding' on non-ASCII text values if the
source of that value is a database column (caused by CVE-2026-2006 fix).
- a standby may halt and return an error 'could not access status of transaction'.
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:903-1
Released: Tue Mar 17 11:04:44 2026
Summary: Security update for curl
Type: security
Severity: important
References: 1259362,1259363,1259364,1259365,CVE-2026-1965,CVE-2026-3783,CVE-2026-3784,CVE-2026-3805
This update for curl fixes the following issues:
- CVE-2026-1965: bad reuse of HTTP Negotiate connection (bsc#1259362).
- CVE-2026-3783: token leak with redirect and netrc (bsc#1259363).
- CVE-2026-3784: wrong proxy connection reuse with credentials (bsc#1259364).
- CVE-2026-3805: use after free in SMB connection reuse (bsc#1259365).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:1040-1
Released: Wed Mar 25 13:43:08 2026
Summary: Security update for systemd
Type: security
Severity: important
References: 1259418,1259650,1259697,CVE-2026-29111,CVE-2026-4105
This update for systemd fixes the following issues:
- CVE-2026-4105: privilege escalation due to improper access control in RegisterMachine D-Bus method (bsc#1259650).
- CVE-2026-29111: local unprivileged user can trigger an assert in systemd (bsc#1259418).
- udev: check for invalid chars in various fields received from the kernel (bsc#1259697).
Changelog:
- a943e3ce2f machined: reject invalid class types when registering machines
- 71593f77db udev: fix review mixup
- 73a89810b4 udev-builtin-net-id: print cescaped bad attributes
- 0f360bfdc0 udev-builtin-net_id: do not assume the current interface name is ethX
- 40905232e2 udev: ensure tag parsing stays within bounds
- 7bce9026e3 udev: ensure there is space for trailing NUL before calling sprintf
- d018ac1ea3 udev: check for invalid chars in various fields received from the kernel
- aef6e11921 core/cgroup: avoid one unnecessary strjoina()
- cc7426f38a sd-json: fix off-by-one issue when updating parent for array elements
- 26a748f727 core: validate input cgroup path more prudently
- 99d8308fde core/dbus-manager: propagate meaningful dbus errors from EnqueueMarkedJobs
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:1074-1
Released: Thu Mar 26 13:39:49 2026
Summary: Security update for nghttp2
Type: security
Severity: important
References: 1259845,CVE-2026-27135
This update for nghttp2 fixes the following issues:
- CVE-2026-27135: Assertion failure due to missing state validation can lead to DoS (bsc#1259845).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2026:1113-1
Released: Fri Mar 27 10:34:35 2026
Summary: Recommended update for crypto-policies
Type: recommended
Severity: moderate
References: 1258311,1259825
This update for crypto-policies fixes the following issues:
Enables PQC key exchange support for OpenSSH (bsc#1258311, bsc#1259825)
* The sntrup761x25519-sha512 hybrid keyexchange for OpenSSH is enabled.
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:1177-1
Released: Thu Apr 2 17:00:30 2026
Summary: Security update for tar
Type: security
Severity: important
References: 1246399,CVE-2025-45582
This update for tar fixes the following issue:
- CVE-2025-45582: file overwrite via directory traversal in crafted TAR archives (bsc#1246399).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2026:1228-1
Released: Thu Apr 9 10:27:25 2026
Summary: Recommended update for shadow
Type: recommended
Severity: important
References: 1144060,1176006,1181400,1182850,1185897,1187536,1189139,1199026,1203823,1205502,1206627,1214806,1246052,916845,CVE-2013-4235,CVE-2023-4641
This update for shadow fixes the following issues:
shadow is updated to 4.17.2 to bring lots of features and bug fixes.
- util-linux-2.41 introduced new variable: LOGIN_ENV_SAFELIST. Recognize
it and update dependencies.
- Set SYS_{UID,GID}_MIN to 201:
After repeated similar requests to change the ID ranges we set the
above mentioned value to 201. The max value will stay at 499.
This range should be sufficient and will give us leeway for the
future.
It's not straightforward to find out which static UIDs/GIDs are
used in all packages.
Update to 4.17.2:
* src/login_nopam.c: Fix compiler warnings #1170
* lib/chkname.c: Put limits for LOGIN_NAME_MAX and sysconf(_SC_LOGIN_NAME_MAX) #1169
* Use HTTPS in link to Wikipedia article on password strength #1164
* lib/attr.h: use C23 attributes only with gcc >= 10 #1172
* login: Fix no-pam authorization regression #1174
* man: Add Portuguese translation #1178
* Update French translation #1177
* Add cheap defense mechanisms #1171
* Add Romanian translation #1176
Update to 4.17.1:
* Fix `su -` regression #1163
Update to 4.17.0:
* Fix the lower part of the domain of csrand_uniform()
* Fix use of volatile pointer
* Use str2[u]l() instead of atoi(3)
* Use a2i() in various places
* Fix const correctness
* Use uid_t for holding UIDs (and GIDs)
* Move all sprintf(3)-like APIs to a subdirectory
* Move all copying APIs to a subdirectory
* Fix forever loop on ENOMEM
* Fix REALLOC() nmemb calculation
* Remove id(1)
* Remove groups(1)
* Use local time for human-readable dates
* Use %F instead of %Y-%m-%d with strftime(3)
* is_valid{user,group}_name(): Set errno to distinguish the reasons
* Recommend --badname only if it is useful
* Add fmkomstemp() to fix mode of /etc/default/useradd
* Fix use-after-free bug in sgetgrent()
* Update Catalan translation
* Remove references to cppw, cpgr
* groupadd, groupmod: Update gshadow file with -U
* Added option -a for listing active users only, optimized using if aflg,return
* Added information in lastlog man page for new option '-a'
* Plenty of code cleanup and clarifications
- Disable flushing sssd caches. The sssd's files provider is no
longer available.
Update to 4.16.0:
* The shadow implementations of id(1) and groups(1) are deprecated
in favor of the GNU coreutils and binutils versions.
They will be removed in 4.17.0.
* The rlogind implementation has been removed.
* The libsubid major version has been bumped, since it now requires
specification of the module's free() implementation.
Update to 4.15.1:
* Fix a bug that caused spurious error messages about unknown
login.defs configuration options #967
* Adding checks for fd omission #964
* Use temporary stat buffer #974
* Fix wrong french translation #975
Update to 4.15.0
* libshadow:
+ Use utmpx instead of utmp. This fixes a regression introduced
in 4.14.0.
+ Fix build error (parameter name omitted).
* Build system:
+ Link correctly with libdl.
+ Install pam configs for chpasswd(8) and newusers(8) when using
./configure --with-libpam --disable-account-tools-setuid.
+ Merge libshadow and libmisc into a single libshadow. This fixes
problems in the linker, which were reported at least in Gentoo.
+ Fix build with musl libc.
+ Support out of tree builds
* useradd(8):
+ Set proper SELinux labels for def_usrtemplate
Update to 4.14.6:
* login(1):
+ Fix off-by-one bugs.
* passwd(1):
+ Don't silently truncate passwords of length >= 200 characters.
Instead, accept a length of PASS_MAX, and reject longer ones.
* libshadow:
+ Fix calculation in strtoday(), which caused a wrong half-day
offset in some cases (bsc#1176006)
+ Fix parsing of dates in get_date() (bsc#1176006)
+ Use utmpx instead of utmp. This fixes a regression introduced in
4.14.0.
Update to 4.14.5:
* Build system:
+ Fix regression introduced in 4.14.4, due to a typo. chgpasswd had
been deleted from a Makefile variable, but it should have been
chpasswd.
Update to 4.14.4:
* Build system:
+ Link correctly with libdl.
+ Install pam configs for chpasswd(8) and newusers(8) when using
./configure --with-libpam --disable-account-tools-setuid.
* libshadow:
+ Fix build error (parameter name omitted).
+ Fix off-by-one bug.
+ Remove warning.
Update to 4.14.3:
* libshadow: Avoid null pointer dereference (#904)
* Remove pam_keyinit from PAM configuration. (bsc#1199026 bsc#1203823)
This was introduced for bsc#1144060.
Update to 4.14.2:
* libshadow:
+ Fix build with musl libc.
+ Avoid NULL dereference.
+ Update utmp at an initial login
* useradd(8):
+ Set proper SELinux labels for def_usrtemplate
* Manual:
+ Document --prefix in chage(1), chpasswd(8), and passwd(1)
Update to 4.14.1:
Build system: Merge libshadow and libmisc into a single libshadow.
This fixes problems in the linker, which were reported at least
in Gentoo. #791
- Set proper SELinux labels for new homedirs.
Update to 4.14.0:
* configure: add with-libbsd option
* Code cleanup
* Replace utmp interface #757
* new option enable-logind #674
* shadow userdel: add the adaptation to the busybox ps in 01-kill_user_procs.sh
* chsh: warn if root sets a shell not listed in /etc/shells #535
* newgrp: fix potential string injection
* lastlog: fix alignment of Latest header
* Fix yescrypt support #748
* chgpasswd: Fix segfault in command-line options
* gpasswd: Fix password leak (bsc#1214806, CVE-2023-4641)
* Add --prefix to passwd, chpasswd and chage #714 (bsc#1206627)
* usermod: fix off-by-one issues #701
* ch(g)passwd: Check selinux permissions upon startup #675
* sub_[ug]id_{add,remove}: fix return values
* chsh: Verify that login shell path is absolute #730
* process_prefix_flag: Drop privileges
* run_parts for groupadd and groupdel #706
* newgrp/useradd: always set SIGCHLD to default
* useradd/usermod: add --selinux-range argument #698
* sssd: skip flushing if executable does not exist #699
* semanage: Do not set default SELinux range #676
* Add control character check #687
* usermod: respect --prefix for --gid option
* Fix null dereference in basename
* newuidmap and newgidmap: support passing pid as fd
* Prevent out of boundary access #633
* Explicitly override only newlines #633
* Correctly handle illegal system file in tz #633
* Supporting vendor given -shells- configuration file #599
* Warn if failed to read existing /etc/nsswitch.conf
* chfn: new_fields: fix wrong fields printed
* Allow supplementary groups to be added via config file #586
* useradd: check if subid range exists for user #592 (rh#2012929)
- Rename lastlog to lastlog.legacy to be able to switch to
Y2038 safe lastlog2 as default [jsc#PED-3144]
- bsc#1205502: Fix useradd audit event logging of ID field
Update to 4.13:
* useradd.8: fix default group ID
* Revert drop of subid_init()
* Georgian translation
* useradd: Avoid taking unneeded space: do not reset non-existent data in lastlog
* relax username restrictions
* selinux: check MLS enabled before setting serange
* copy_tree: use fchmodat instead of chmod
* copy_tree: don't block on FIFOs
* add shell linter
* copy_tree: carefully treat permissions
* lib/commonio: make lock failures more detailed
* lib: use strzero and memzero where applicable
* Update Dutch translation
* Don't test for NULL before calling free
* Use libc MAX() and MIN()
* chage: Fix regression in print_date
* usermod: report error if homedir does not exist
* libmisc: minimum id check for system accounts
* fix usermod -rG x y wrongly adding a group
* man: add missing space in useradd.8.xml
* lastlog: check for localtime() return value
* Raise limit for passwd and shadow entry length
* Remove adduser-old.c
* useradd: Fix buffer overflow when using a prefix
* Don't warn when failed to open /etc/nsswitch.conf
Update to 4.12.3:
Revert removal of subid_init, which should have bumped soname.
So note that 4.12 through 4.12.2 were broken for subid users.
Update to 4.12.2:
* Address CVE-2013-4235 (TOCTTOU when copying directories) [bsc#916845]
Update to 4.12.1:
* Fix uk manpages
Update to 4.12:
* Add absolute path hint to --root
* Various cleanups
* Fix Ubuntu release used in CI tests
* add -F options to useradd
* useradd manpage updates
* Check for ownerid (not just username) in subid ranges
* Declare file local functions static
* Use strict prototypes
* Do not drop const qualifier for Basename
* Constify various pointers
* Don't return uninitialized memory
* Don't let compiler optimize away memory cleaning
* Remove many obsolete compatibility checks and defines
* Modify ID range check in useradd
* Use 'extern 'C'' to make libsubid easier to use from C++
* French translation updates
* Fix s/with-pam/with-libpam/
* Spanish translation updates
* French translation fixes
* Default max group name length to 32
* Fix PAM service files without-selinux
* Improve manpages
- groupadd, useradd, usermod
- groups and id
- pwck
* Fix condition under which pw_dir check happens
* logoutd: switch to strncat
* AUTHORS: improve markdown output
* Handle ERANGE errors correctly
* Check for fopen NULL return
* Split get_salt() into its own fn (juyin)
* Get salt before chroot to ensure /dev/urandom.
* Chpasswd code cleanup
* Work around git safe.directory enforcement
* Alphabetize order in usermod help
* Erase password copy on error branches
* Suggest using --badname if needed
* Update translation files
* Correct badnames option to badname
* configure: replace obsolete autoconf macros
* tests: replace egrep with grep -E
* Update Ukrainian translations
* Cleanups
- Remove redeclared variable
- Remove commented out code and FIXMEs
- Add header guards
- Initialize local variables
* CI updates
- Create github workflow to install dependencies
- Enable CodeQL
- Update actions version
* libmisc: use /dev/urandom as fallback if other methods fail
Provide /etc/login.defs.d on SLE15 since we support and use it
Update to 4.11.1:
* build: include lib/shadowlog_internal.h in dist tarballs
Update to 4.11:
* Handle possible TOCTTOU issues in usermod/userdel
- (CVE-2013-4235)
- Use O_NOFOLLOW when copying file
- Kill all user tasks in userdel
* Fix useradd -D segfault
* Clean up obsolete libc feature-check ifdefs
* Fix -fno-common build breaks due to duplicate Prog declarations
* Have single date_to_str definition
* Fix libsubid SONAME version
* Clarify licensing info, use SPDX.
Update to 4.10:
* From this release forward, su from this package should be
considered deprecated. Please replace any users of it with su
from util-linux
* libsubid fixes
* Rename the test program list_subid_ranges to getsubids, write
a manpage, so distros can ship it.
* Add libeconf dep for new*idmap
* Allow all group types with usermod -G
* Avoid useradd generating empty subid range
* Handle NULL pw_passwd
* Fix default value SHA_get_salt_rounds
* Use https where possible in README
* Update content and format of README
* Translation updates
* Switch from xml2po to itstool in 'make dist'
* Fix double frees
* Add LOG_INIT configurable to useradd
* Add CREATE_MAIL_SPOOL documentation
* Create a security.md
* Fix su never being SIGKILLd when trapping TERM
* Fix wrong SELinux labels in several possible cases
* Fix missing chmod in chadowtb_move
* Handle malformed hushlogins entries
* Fix groupdel segv when passwd does not exist
* Fix covscan-found newgrp segfault
* Remove trailing slash on homedir
* Fix passwd -l message - it does not change expiry
* Fix SIGCHLD handling bugs in su and vipw
* Remove special case for '' in usermod
* Implement usermod -rG to remove a specific group
* call pam_end() after fork in child path for su and login
* useradd: In absence of /etc/passwd, assume 0 == root
* lib: check NULL before freeing data
* Fix pwck segfault
- Really enable USERGROUPS_ENAB [bsc#1189139].
Added hardening to systemd service(s) (bsc#1181400).
* Add LOGIN_KEEP_USERNAME to login.defs.
* Remove PREVENT_NO_AUTH from login.defs. Only used by the
unpackaged login and su.
* Remove variables BCRYPT_MIN_ROUNDS, BCRYPT_MAX_ROUNDS,
YESCRYPT_COST_FACTOR, not supported by the current
configuration.
* login.defs: Enable USERGROUPS_ENAB and CREATE_HOME to
be compatible with other Linux distros and the other tools
creating user accounts in use on openSUSE. Set HOME_MODE to 700
for security reasons and compatibility. [bsc#1189139] [bsc#1182850]
Update to 4.9:
* Updated translations
* Major salt updates
* Various coverity and cleanup fixes
* Consistently use 0 to disable PASS_MIN_DAYS in man
* Implement NSS support for subids and a libsubid
* setfcap: retain setfcap when mapping uid 0
* login.defs: include HMAC_CRYPTO_ALGO key
* selinux fixes
* Fix path prefix path handling
* Manpage updates
* Treat an empty passwd field as invalid (Haelwenn Monnier)
* newxidmap: allow running under alternative gid
* usermod: check that shell is executable
* Add yescrypt support
* useradd memleak fixes
* useradd: use built-in settings by default
* getdefs: add foreign
* buffer overflow fixes
* Adding run-parts style for pre and post useradd/del
- login.defs/MOTD_FILE: Use '' instead of blank entry [bsc#1187536]
- Add /etc/login.defs.d directory
- Enable shadowgrp so that we can set more secure group passwords
using shadow.
- Disable MOTD_FILE to allow the use of pam_motd to unify motd
message output [bsc#1185897]. Else motd entries of e.g. cockpit
will not be shown.
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:1310-1
Released: Tue Apr 14 12:42:12 2026
Summary: Security update for libssh
Type: security
Severity: moderate
References: 1259377,CVE-2026-3731
This update for libssh fixes the following issues:
- CVE-2026-3731: Denial of Service via out-of-bounds read in SFTP extension name handler (bsc#1259377).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:1369-1
Released: Wed Apr 15 16:42:55 2026
Summary: Security update for glibc
Type: security
Severity: important
References: 1260078,1260082,CVE-2026-4437,CVE-2026-4438
This update for glibc fixes the following issues:
- CVE-2026-4437: incorrect DNS response parsing via crafted DNS server response (bsc#1260078).
- CVE-2026-4438: invalid DNS hostname returned via gethostbyaddr functions (bsc#1260082).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:1375-1
Released: Wed Apr 15 19:25:40 2026
Summary: Security update for openssl-3
Type: security
Severity: important
References: 1260441,1260442,1260443,1260444,1260445,1261678,CVE-2026-28387,CVE-2026-28388,CVE-2026-28389,CVE-2026-28390,CVE-2026-31789,CVE-2026-31790
This update for openssl-3 fixes the following issues:
Security issues fixed:
- CVE-2026-28387: Potential use-after-free in DANE client code (bsc#1260441).
- CVE-2026-28388: NULL Pointer Dereference When Processing a Delta CRL (bsc#1260442).
- CVE-2026-28389: Possible NULL dereference when processing CMS KeyAgreeRecipientInfo (bsc#1260443).
- CVE-2026-31789: Heap buffer overflow in hexadecimal conversion (bsc#1260444).
- CVE-2026-31790: Incorrect failure handling in RSA KEM RSASVE encapsulation (bsc#1260445).
- CVE-2026-28390: NULL pointer dereference during processing of a crafted CMS EnvelopedData message with
KeyTransportRecipientInfo (bsc#1261678).
Other updates and bugfixes:
- Enable MD2 in legacy provider (jsc#PED-15724).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:1406-1
Released: Thu Apr 16 14:35:15 2026
Summary: Security update for util-linux
Type: security
Severity: moderate
References: 1222465,1234736,1258859,CVE-2026-3184
This update for util-linux fixes the following issues:
Security issue:
- CVE-2026-3184: access control bypass due to improper hostname canonicalization in `login` (bsc#1258859).
Non security issues:
- recognize fuse 'portal' as a virtual file system (bsc#1234736).
- fdisk: fix possible partition overlay and data corruption if EBR gap is missing (bsc#1222465).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:1432-1
Released: Fri Apr 17 12:12:08 2026
Summary: Security update for libcap
Type: security
Severity: important
References: 1261809,CVE-2026-4878
This update for libcap fixes the following issue:
- CVE-2026-4878: Address a potential TOCTOU race condition in cap_set_file() (bsc#1261809).
The following package changes have been done:
- glibc-2.38-150600.14.46.1 updated
- libgcc_s1-15.2.0+git10201-150000.1.9.1 updated
- libcap2-2.63-150400.3.6.1 updated
- libstdc++6-15.2.0+git10201-150000.1.9.1 updated
- crypto-policies-20230920.570ea89-150600.3.16.1 updated
- glibc-locale-base-2.38-150600.14.46.1 updated
- libldap-data-2.4.46-150600.25.3.1 updated
- libnghttp2-14-1.64.0-150700.3.3.1 updated
- libssh-config-0.9.8-150600.11.12.1 updated
- libuuid1-2.40.4-150700.4.10.1 updated
- libz1-1.2.13-150500.4.6.1 updated
- login_defs-4.17.2-150600.17.18.1 updated
- tar-1.34-150000.3.37.1 added
- glibc-locale-2.38-150600.14.46.1 updated
- libopenssl3-3.2.3-150700.5.31.1 updated
- libsystemd0-254.27-150600.4.62.1 updated
- libldap-2_4-2-2.4.46-150600.25.3.1 updated
- gzip-1.10-150200.10.1 added
- libssh4-0.9.8-150600.11.12.1 updated
- libcurl4-8.14.1-150700.7.14.1 updated
- libpq5-18.3-150600.13.8.1 updated
- libsubid5-4.17.2-150600.17.18.1 added
- postgresql16-16.13-150600.16.30.1 updated
- shadow-4.17.2-150600.17.18.1 updated
- postgresql16-server-16.13-150600.16.30.1 updated
- container:bci-bci-base-15.7-aea7ef73589b78abbd1fe98bc2619a772c9e7a2dc8912c4bef09fae3a48c8e24-0 updated
- container:registry.suse.com-suse-postgres-16-2dc0096c4e6737587befb9e69e58b8666d55750db5d51072f6c4f7494856773a-0 updated