SUSE-IU-2026:685-1: Security update of suse/sl-micro/6.2/baremetal-os-container

sle-container-updates at lists.suse.com sle-container-updates at lists.suse.com
Thu Feb 5 08:09:05 UTC 2026 

SUSE Image Update Advisory: suse/sl-micro/6.2/baremetal-os-container
-----------------------------------------------------------------
Image Advisory ID : SUSE-IU-2026:685-1
Image Tags        : suse/sl-micro/6.2/baremetal-os-container:2.3.0 , suse/sl-micro/6.2/baremetal-os-container:2.3.0-7.37 , suse/sl-micro/6.2/baremetal-os-container:latest
Image Release     : 7.37
Severity          : critical
Type              : security
References        : 1244057 1249049 1249128 1253783 1254353 CVE-2025-58060 CVE-2025-58364
                        CVE-2025-58436 CVE-2025-61915 
-----------------------------------------------------------------

The container suse/sl-micro/6.2/baremetal-os-container was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: 242
Released:    Wed Feb  4 12:37:13 2026
Summary:     Security update for cups
Type:        security
Severity:    critical
References:  1244057,1249049,1249128,1253783,1254353,CVE-2025-58060,CVE-2025-58364,CVE-2025-58436,CVE-2025-61915
This update for cups fixes the following issues:

Update to version 2.4.16.

Security issues fixed:

- CVE-2025-61915: local denial-of-service via cupsd.conf update and related issues (bsc#1253783).
- CVE-2025-58436: slow client communication leads to a possible DoS attack (bsc#1244057).
- CVE-2025-58364: unsafe deserialization and validation of printer attributes can cause a null dereference (bsc#1249128).
- CVE-2025-58060: authentication bypass with AuthType Negotiate (bsc#1249049).

Other updates and bugfixes:

- Version upgrade to 2.4.16:

  * 'cupsUTF8ToCharset' didn't validate 2-byte UTF-8 sequences,
    potentially reading past the end of the source string
    (Issue #1438)
  * The web interface did not support domain usernames fully
    (Issue #1441)
  * Fixed an infinite loop issue in the GTK+ print dialog
    (Issue #1439 boo#1254353)
  * Fixed stopping scheduler on unknown directive in
    configuration (Issue #1443)
  * Fixed packages for Immutable Mode (jsc#PED-14775
    from epic jsc#PED-14688)

- Version upgrade to 2.4.15:

  * Fixed potential crash in 'cups-driverd' when there are
    duplicate PPDs (Issue #1355)
  * Fixed error recovery when scanning for PPDs
    in 'cups-driverd' (Issue #1416)

- Version upgrade to 2.4.14.

- Version upgrade to 2.4.13:

  * Added 'print-as-raster' printer and job attributes
    for forcing rasterization (Issue #1282)
  * Updated documentation (Issue #1086)
  * Updated IPP backend to try a sanitized user name if the
    printer/server does not like the value (Issue #1145)
  * Updated the scheduler to send the 'printer-added'
    or 'printer-modified' events  whenever an IPP Everywhere PPD
    is installed (Issue #1244)
  * Updated the scheduler to send the 'printer-modified' event
    whenever the system default printer is changed (Issue #1246)
  * Fixed a memory leak in 'httpClose' (Issue #1223)
  * Fixed missing commas in 'ippCreateRequestedArray'
    (Issue #1234)
  * Fixed subscription issues in the scheduler and D-Bus notifier
    (Issue #1235)
  * Fixed media-default reporting for custom sizes (Issue #1238)
  * Fixed support for IPP/PPD options with periods or underscores
    (Issue #1249)
  * Fixed parsing of real numbers in PPD compiler source files
    (Issue #1263)
  * Fixed scheduler freezing with zombie clients (Issue #1264)
  * Fixed support for the server name in the ErrorLog filename
    (Issue #1277)
  * Fixed job cleanup after daemon restart (Issue #1315)
  * Fixed handling of buggy DYMO USB printer serial numbers
   (Issue #1338)
  * Fixed unreachable block in IPP backend (Issue #1351)
  * Fixed memory leak in _cupsConvertOptions (Issue #1354)

- Version upgrade to 2.4.12:

  * GnuTLS follows system crypto policies now (Issue #1105)
  * Added `NoSystem` SSLOptions value (Issue #1130)
  * Now we raise alert for certificate issues (Issue #1194)
  * Added Kyocera USB quirk (Issue #1198)
  * The scheduler now logs a job's debugging history
    if the backend fails (Issue #1205)
  * Fixed a potential timing issue with `cupsEnumDests`
    (Issue #1084)
  * Fixed a potential 'lost PPD' condition in the scheduler
    (Issue #1109)
  * Fixed a compressed file error handling bug (Issue #1070)
  * Fixed a bug in the make-and-model whitespace trimming
    code (Issue #1096)
  * Fixed a removal of IPP Everywhere permanent queue
    if installation failed (Issue #1102)
  * Fixed `ServerToken None` in scheduler (Issue #1111)
  * Fixed invalid IPP keyword values created from PPD
    option names (Issue #1118)
  * Fixed handling of 'media' and 'PageSize' in the same
    print request (Issue #1125)
  * Fixed client raster printing from macOS (Issue #1143)
  * Fixed the default User-Agent string.
  * Fixed a recursion issue in `ippReadIO`.
  * Fixed handling incorrect radix in `scan_ps()` (Issue #1188)
  * Fixed validation of dateTime values with time zones
    more than UTC+11 (Issue #1201)
  * Fixed attributes returned by the Create-Xxx-Subscriptions
    requests (Issue #1204)
  * Fixed `ippDateToTime` when using a non GMT/UTC timezone
    (Issue #1208)
  * Fixed `job-completed` event notifications for jobs that are
    cancelled before started (Issue #1209)
  * Fixed DNS-SD discovery with `ippfind` (Issue #1211)


The following package changes have been done:

- cups-config-2.4.16-160000.1.1 updated
- libcups2-2.4.16-160000.1.1 updated

More information about the sle-container-updates mailing list