From sle-container-updates at lists.suse.com Fri Jan 2 08:05:13 2026
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Fri, 2 Jan 2026 09:05:13 +0100 (CET)
Subject: SUSE-IU-2026:2-1: Recommended update of suse/sl-micro/6.1/base-os-container
Message-ID: <20260102080513.63AD4FB9C@maintenance.suse.de>

SUSE Image Update Advisory: suse/sl-micro/6.1/base-os-container
-----------------------------------------------------------------
Image Advisory ID : SUSE-IU-2026:2-1
Image Tags : suse/sl-micro/6.1/base-os-container:2.2.1 , suse/sl-micro/6.1/base-os-container:2.2.1-5.61 , suse/sl-micro/6.1/base-os-container:latest
Image Release : 5.61
Severity : important
Type : recommended
References : 1205588 1247432 1254336 1254679 CVE-2024-2312
-----------------------------------------------------------------

The container suse/sl-micro/6.1/base-os-container was updated.

The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: 363
Released: Thu Jan 1 14:54:36 2026
Summary: Recommended update for shim
Type: recommended
Severity: important
References: 1205588,1247432,1254336,1254679,CVE-2024-2312

This update for shim fixes the following issues:

shim is updated to version 16.1:

- shim_start_image(): fix guid/handle pairing when uninstalling protocols
- Fix uncompressed ipv6 netboot
- fix test segfaults caused by uninitialized memory
- SbatLevel_Variable.txt: minor typo fix.
- Realloc() needs to allocate one more byte for sprintf()
- IPv6: Add more check to avoid multiple double colon and illegal char
- Loader proto v2
- loader-protocol: add workaround for EDK2 2025.02 page fault on FreePages
- Generate Authenticode for the entire PE file
- README: mention new loader protocol and interaction with UKIs
- shim: change automatically enable MOK_POLICY_REQUIRE_NX
- Save var info
- add SbatLevel entry 2025051000 for PSA-2025-00012-1
- Coverity fixes 20250804
- fix http boot
- Fix double free and leak in the loader protocol

shim is updated to version 16.0:

- Validate that a supplied vendor cert is not in PEM format
- sbat: Add grub.peimage,2 to latest (CVE-2024-2312)
- sbat: Also bump latest for grub,4 (and to todays date)
- undo change that limits certificate files to a single file
- shim: don't set second_stage to the empty string
- Fix SBAT.md for today's consensus about numbers
- Update Code of Conduct contact address
- make-certs: Handle missing OpenSSL installation
- Update MokVars.txt
- export DEFINES for sub makefile
- Drop unused EFI_IMAGE_SECURITY_DATABASE_GUID definition
- Null-terminate 'arguments' in fallback
- Fix 'Verifiying' typo in error message
- Update Fedora CI targets
- Force gcc to produce DWARF4 so that gdb can use it
- Minor housekeeping 2024121700
- Discard load-options that start with WINDOWS
- Fix the issue that the gBS->LoadImage pointer was empty.
- shim: Allow data after the end of device path node in load options
- Handle network file not found like disks
- Update gnu-efi submodule for EFI_HTTP_ERROR
- Increase EFI file alignment
- avoid EFIv2 runtime services on Apple x86 machines
- Improve shortcut performance when comparing two boolean expressions
- Provide better error message when MokManager is not found
- tpm: Boot with a warning if the event log is full
- MokManager: remove redundant logical constraints
- Test import_mok_state() when MokListRT would be bigger than available size
- test-mok-mirror: minor bug fix
- Fix file system browser hang when enrolling MOK from disk
- Ignore a minor clang-tidy nit
- Allow fallback to default loader when encountering errors on network boot
- test.mk: don't use a temporary random.bin
- pe: Enhance debug report for update_mem_attrs
- Multiple certificate handling improvements
- Generate SbatLevel Metadata from SbatLevel_Variable.txt
- Apply EKU check with compile option
- Add configuration option to boot an alternative 2nd stage
- Loader protocol (with Device Path resolution support)
- netboot cleanup for additional files
- Document how revocations can be delivered
- post-process-pe: add tests to validate NX compliance
- regression: CopyMem() in ad8692e copies out of bounds
- Save the debug and error logs in mok-variables
- Add features for the Host Security ID program
- Mirror some more efi variables to mok-variables
- This adds DXE Services measurements to HSI and uses them for NX
- Add shim's current NX_COMPAT status to HSIStatus
- README.tpm: reflect that vendor_db is in fact logged as 'vendor_db'
- Reject HTTP message with duplicate Content-Length header fields
- Disable log saving
- fallback: don't add new boot order entries backwards
- README.tpm: Update MokList entry to MokListRT
- SBAT Level update for February 2025 GRUB CVEs

The following package changes have been done:

- shim-16.1-slfo.1.1_1.1 updated

From sle-container-updates at lists.suse.com Sat Jan 3 08:04:38 2026
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Sat, 3 Jan 2026 09:04:38 +0100 (CET)
Subject: SUSE-CU-2026:5-1: Security update of private-registry/harbor-trivy-adapter
Message-ID: <20260103080438.4A407FB9C@maintenance.suse.de>

SUSE Container Update Advisory: private-registry/harbor-trivy-adapter
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2026:5-1
Container Tags : private-registry/harbor-trivy-adapter:1.1.0 , private-registry/harbor-trivy-adapter:1.1.0-1.4 , private-registry/harbor-trivy-adapter:latest
Container Release : 1.4
Severity : important
Type : security
References : 1251363 1251547 1253512 1253786 1253977 CVE-2025-47911 CVE-2025-47913 CVE-2025-47914 CVE-2025-58181 CVE-2025-58190
-----------------------------------------------------------------

The container private-registry/harbor-trivy-adapter was updated.

The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:4-1
Released: Fri Jan 2 13:10:53 2026
Summary: Security update for trivy
Type: security
Severity: important
References: 1251363,1251547,1253512,1253786,1253977,CVE-2025-47911,CVE-2025-47913,CVE-2025-47914,CVE-2025-58181,CVE-2025-58190

This update for trivy fixes the following issues:

Update to version 0.68.2.

Security issues fixed:

- CVE-2025-47911: golang.org/x/net/html: quadratic complexity algorithms used when parsing untrusted HTML documents (bsc#1251363).
- CVE-2025-47913: golang.org/x/crypto: early client process termination when receiving an unexpected message type in response to a key listing or signing request (bsc#1253512).
- CVE-2025-47914: golang.org/x/crypto/ssh/agent: lack of message size validation in SSH Agent servers leads to an out-of-bounds read when processing new identity requests (bsc#1253977).
- CVE-2025-58181: golang.org/x/crypto/ssh: missing validations in SSH servers lead to excessive memory consumption when parsing GSSAPI authentication requests (bsc#1253786).
- CVE-2025-58190: golang.org/x/net/html: excessive memory consumption by `html.ParseFragment` when processing specially crafted input (bsc#1251547).

Other updates and bugfixes:

- Version 0.68.2:
  * fix(deps): bump alpine from 3.22.1 to 3.23.0 (#9949)
- Version 0.68.1:
  * fix: update cosing settings for GoReleaser after bumping cosing to v3 (#9863)
  * chore(deps): bump the testcontainers group with 2 updates (#9506)
- Version 0.68.0:
  * feat(aws): Add support for dualstack ECR endpoints (#9862)
  * fix(vex): use a separate `visited` set for each DFS path (#9760)
  * refactor(misconf): parse azure_policy_enabled to addonprofile.azurepolicy.enabled (#9851)
  * chore(cli): Remove Trivy Cloud (#9847)
  * fix(misconf): ensure value used as ignore marker is non-null and known (#9835)
  * fix(misconf): map healthcheck start period flag to --start-period instead of --startPeriod (#9837)
  * chore(deps): bump the docker group with 3 updates (#9776)
  * chore(deps): bump golang.org/x/crypto from 0.41.0 to 0.45.0 (#9827)
  * chore(deps): bump the common group across 1 directory with 20 updates (#9840)
  * feat(image): add Sigstore bundle SBOM support (#9516)
  * chore(deps): bump the aws group with 7 updates (#9691)
  * chore(deps): bump github.com/containerd/containerd from 1.7.28 to 1.7.29 (#9764)
  * feat(sbom): add support for SPDX attestations (#9829)
  * feat(misconf): Update Azure network schema for new checks (#9791)
  * feat(misconf): Update AppService schema (#9792)
  * fix(misconf): ensure boolean metadata values are correctly interpreted (#9770)
  * feat(misconf): support https_traffic_only_enabled in Az storage account (#9784)
  * feat(report): add fingerprint generation for vulnerabilities (#9794)
  * chore: trigger the trivy-www workflow (#9737)
  * fix: update all documentation links (#9777)
  * feat(suse): Add new openSUSE, Micro and SLES releases end of life dates (#9788)
  * feat(flag): add `--cacert` flag (#9781)
  * fix(misconf): handle unsupported experimental flags in Dockerfile (#9769)
  * chore(deps): bump github.com/opencontainers/selinux from 1.12.0 to 1.13.0 (#9778)
  * chore(deps): bump github.com/containerd/containerd/v2 from 2.1.4 to 2.1.5 (#9763)
  * fix(java): use `true` as default value for Repository Release|Snapshot Enabled in pom.xml and settings.xml files (#9751)
  * feat(db): enable concurrent access to vulnerability database (#9750)
  * feat(misconf): add agentpools to azure container schema (#9714)
  * feat(report): switch ReportID from UUIDv4 to UUIDv7 (#9749)
  * feat(misconf): Update Azure Compute schema (#9675)
  * feat(misconf): Update azure storage schema (#9728)
  * feat(misconf): Update SecurityCenter schema (#9674)
  * feat(image): pass global context to docker/podman image save func (#9733)
  * chore(deps): bump the github-actions group with 4 updates (#9739)
  * fix(flag): remove viper.SetDefault to fix IsSet() for config-only flags (#9732)
  * feat(license): use separate SPDX ids to ignore SPDX expressions (#9087)
  * feat(dotnet): add dependency graph support for .deps.json files (#9726)
  * feat(misconf): Add support for configurable Rego error limit (#9657)
  * feat(misconf): Add RoleAssignments attribute (#9396)
  * feat(report): add image reference to report metadata (#9729)
  * fix(os): Add photon 5.0 in supported OS (#9724)
  * fix(license): handle SPDX WITH exceptions as single license in category detection (#9380)
  * refactor: add case-insensitive string set implementation (#9720)
  * feat: include registry and repository in artifact ID calculation (#9689)
  * feat(java): add support remote repositories from settings.xml files (#9708)
  * fix(sbom): don't panic on SBOM format if scanned CycloneDX file has empty metadata (#9562)
  * fix(report): correct field order in SARIF license results (#9712)
  * refactor(misconf): mark AVDID fields as deprecated and use ID internally (#9576)
  * fix(nodejs): fix npmjs parser.pkgNameFromPath() panic issue (#9688)
  * fix: close all opened resources if an error occurs (#9665)
  * refactor(misconf): type-safe parser results in generic scanner (#9685)
  * feat(image): add RepoTags support for Docker archives (#9690)
  * chore(deps): bump github.com/quic-go/quic-go from 0.52.0 to 0.54.1 (#9694)
  * feat(misconf): Update Azure Container Schema (#9673)
  * feat(misconf): include map key in manifest snippet for diagnostics (#9681)
  * refactor(misconf): add ManifestFromYAML for unified manifest parsing (#9680)
  * refactor(cli): Update the cloud config command (#9676)
  * fix(sbom): add `buildInfo` info as properties (#9683)
  * feat: add ReportID field to scan reports (#9670)
  * feat(cli): Add trivy cloud suppport (#9637)
  * feat: add ArtifactID field to uniquely identify scan targets (#9663)
  * fix(nodejs): use the default ID format to match licenses in pnpm packages. (#9661)
  * feat(sbom): use SPDX license IDs list to validate SPDX IDs (#9569)
  * fix: use context for analyzers (#9538)
  * chore(deps): bump the docker group with 3 updates (#9545)
  * chore(deps): bump the aws group with 6 updates (#9547)
  * fix: Trim the end-of-range suffix (#9618)
  * fix: Use `fetch-level: 1` to check out trivy-repo in the release workflow (#9636)
  * refactor: move the aws config (#9617)
  * fix(license): don't normalize `unlicensed` licenses into `unlicense` (#9611)
  * fix: using SrcVersion instead of Version for echo detector (#9552)
  * feat(fs): change artifact type to repository when git info is detected (#9613)
  * fix: add `buildInfo` for `BlobInfo` in `rpc` package (#9608)
  * fix(vex): don't use reused BOM (#9604)
  * fix: restore compatibility for google.protobuf.Value (#9559)
  * chore(deps): update to module-compatible docker-credential-gcr/v2 (#9591)
  * feat: allow ignoring findings by type in Rego (#9578)
  * refactor(misconf): add ID to scan.Rule (#9573)
  * fix(java): update order for resolving package fields from multiple demManagement (#9575)
  * chore(deps): bump the github-actions group across 1 directory with 9 updates (#9563)
  * chore(deps): bump the common group across 1 directory with 7 updates (#9590)
  * chore(deps): Switch to go-viper/mapstructure (#9579)
  * chore: add context to the cache interface (#9565)
  * fix: validate backport branch name (#9548)

The following package changes have been done:

- trivy-0.68.2-150000.1.9.1 updated
- container:registry.suse.com-bci-bci-micro-15.7-4ea6269b17048f73c022844251731ef4f640fdb9eb72a2ab53ec7f9413b89ee3-0 updated

From sle-container-updates at lists.suse.com Sat Jan 3 08:09:06 2026
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Sat, 3 Jan 2026 09:09:06 +0100 (CET)
Subject: SUSE-IU-2026:8-1: Security update of suse/sl-micro/6.1/rt-os-container
Message-ID: <20260103080906.25D36FBA5@maintenance.suse.de>

SUSE Image Update Advisory: suse/sl-micro/6.1/rt-os-container
-----------------------------------------------------------------
Image Advisory ID : SUSE-IU-2026:8-1
Image Tags : suse/sl-micro/6.1/rt-os-container:2.2.1 , suse/sl-micro/6.1/rt-os-container:2.2.1-5.54 , suse/sl-micro/6.1/rt-os-container:latest
Image Release : 5.54
Severity : moderate
Type : security
References : 1254441 CVE-2025-10158
-----------------------------------------------------------------

The container suse/sl-micro/6.1/rt-os-container was updated.

The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: 365
Released: Fri Jan 2 12:13:06 2026
Summary: Security update for rsync
Type: security
Severity: moderate
References: 1254441,CVE-2025-10158

This update for rsync fixes the following issues:

- CVE-2025-10158: Fixed out of bounds array access via negative index (bsc#1254441)

The following package changes have been done:

- rsync-3.3.0-slfo.1.1_4.1 updated
- container:SL-Micro-container-2.2.1-7.41 updated

From sle-container-updates at lists.suse.com Sat Jan 3 08:05:37 2026
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Sat, 3 Jan 2026 09:05:37 +0100 (CET)
Subject: SUSE-IU-2026:5-1: Security update of suse/sl-micro/6.1/baremetal-os-container
Message-ID: <20260103080537.A7967FB9C@maintenance.suse.de>

SUSE Image Update Advisory: suse/sl-micro/6.1/baremetal-os-container
-----------------------------------------------------------------
Image Advisory ID : SUSE-IU-2026:5-1
Image Tags : suse/sl-micro/6.1/baremetal-os-container:2.2.1 , suse/sl-micro/6.1/baremetal-os-container:2.2.1-7.41 , suse/sl-micro/6.1/baremetal-os-container:latest
Image Release : 7.41
Severity : moderate
Type : security
References : 1254441 CVE-2025-10158
-----------------------------------------------------------------

The container suse/sl-micro/6.1/baremetal-os-container was updated.

The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: 365
Released: Fri Jan 2 12:13:06 2026
Summary: Security update for rsync
Type: security
Severity: moderate
References: 1254441,CVE-2025-10158

This update for rsync fixes the following issues:

- CVE-2025-10158: Fixed out of bounds array access via negative index (bsc#1254441)

The following package changes have been done:

- rsync-3.3.0-slfo.1.1_4.1 updated
- container:SL-Micro-base-container-2.2.1-5.62 updated

From sle-container-updates at lists.suse.com Sat Jan 3 08:07:49 2026
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Sat, 3 Jan 2026 09:07:49 +0100 (CET)
Subject: SUSE-IU-2026:7-1: Security update of suse/sl-micro/6.1/kvm-os-container
Message-ID: <20260103080749.26BB3FBA1@maintenance.suse.de>

SUSE Image Update Advisory: suse/sl-micro/6.1/kvm-os-container
-----------------------------------------------------------------
Image Advisory ID : SUSE-IU-2026:7-1
Image Tags : suse/sl-micro/6.1/kvm-os-container:2.2.1 , suse/sl-micro/6.1/kvm-os-container:2.2.1-5.65 , suse/sl-micro/6.1/kvm-os-container:latest
Image Release : 5.65
Severity : moderate
Type : security
References : 1254441 CVE-2025-10158
-----------------------------------------------------------------

The container suse/sl-micro/6.1/kvm-os-container was updated.

The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: 365
Released: Fri Jan 2 12:13:06 2026
Summary: Security update for rsync
Type: security
Severity: moderate
References: 1254441,CVE-2025-10158

This update for rsync fixes the following issues:

- CVE-2025-10158: Fixed out of bounds array access via negative index (bsc#1254441)

The following package changes have been done:

- rsync-3.3.0-slfo.1.1_4.1 updated
- container:SL-Micro-base-container-2.2.1-5.62 updated

From sle-container-updates at lists.suse.com Sat Jan 3 08:06:42 2026
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Sat, 3 Jan 2026 09:06:42 +0100 (CET)
Subject: SUSE-IU-2026:6-1: Security update of suse/sl-micro/6.1/base-os-container
Message-ID: <20260103080642.D65F4FBA0@maintenance.suse.de>

SUSE Image Update Advisory: suse/sl-micro/6.1/base-os-container
-----------------------------------------------------------------
Image Advisory ID : SUSE-IU-2026:6-1
Image Tags : suse/sl-micro/6.1/base-os-container:2.2.1 , suse/sl-micro/6.1/base-os-container:2.2.1-5.62 , suse/sl-micro/6.1/base-os-container:latest
Image Release : 5.62
Severity : moderate
Type : security
References : 1254441 CVE-2025-10158
-----------------------------------------------------------------

The container suse/sl-micro/6.1/base-os-container was updated.

The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: 365
Released: Fri Jan 2 12:13:06 2026
Summary: Security update for rsync
Type: security
Severity: moderate
References: 1254441,CVE-2025-10158

This update for rsync fixes the following issues:

- CVE-2025-10158: Fixed out of bounds array access via negative index (bsc#1254441)

The following package changes have been done:

- rsync-3.3.0-slfo.1.1_4.1 updated

From sle-container-updates at lists.suse.com Sat Jan 3 08:23:59 2026
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Sat, 3 Jan 2026 09:23:59 +0100 (CET)
Subject: SUSE-CU-2026:29-1: Security update of suse/kubectl
Message-ID: <20260103082359.74766FB9B@maintenance.suse.de>

SUSE Container Update Advisory: suse/kubectl
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2026:29-1
Container Tags : suse/kubectl:1.33 , suse/kubectl:1.33.7 , suse/kubectl:1.33.7-2.62.1 , suse/kubectl:oldstable , suse/kubectl:oldstable-2.62.1
Container Release : 62.1
Severity : important
Type : security
References : 1251168
-----------------------------------------------------------------

The container suse/kubectl was updated.

The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2025:1947-1
Released: Fri Jun 13 12:17:32 2025
Summary: Recommended update for kubernetes client
Type: recommended
Severity: moderate
References:

This update for kubernetes fixes the following issues:

kubernetes client version 1.33.1,(jsc#PED-11106)

* Find full changelog - https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.33.md#v1331

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2025:3952-1
Released: Wed Nov 5 11:43:18 2025
Summary: Recommended update for kubernetes
Type: recommended
Severity: moderate
References: 1251168

This update for kubernetes fixes the following issues:

Added `Recommends: diffutils` to Kubernetes*-client package (bsc#1251168)

* This fixes errors like:
    kubectl kustomize . --enable-helm | kubectl diff -n '$NAMESPACE' -f -
    error: failed to run 'diff': executable file not found in $PATH

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:4381-1
Released: Fri Dec 12 11:19:10 2025
Summary: Security update for kubernetes-client
Type: security
Severity: important
References:

This update for kubernetes client rebuilds it against the current go release to fix bugs and security issues in the go stdlib.

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2025:4509-1
Released: Tue Dec 23 10:51:42 2025
Summary: Recommended update for kubernetes-old
Type: recommended
Severity: moderate
References:

This update for kubernetes-old fixes the following issues:

Initial package for Kubernetes v1.33.7

* Full changelog - https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.33.md#v1337

The following package changes have been done:

- kubernetes1.33-client-1.33.7-150600.13.18.1 added
- kubernetes1.33-client-common-1.33.7-150600.13.18.1 added
- container:registry.suse.com-bci-bci-micro-15.7-4ea6269b17048f73c022844251731ef4f640fdb9eb72a2ab53ec7f9413b89ee3-0 updated
- kubernetes1.31-client-1.31.9-150600.13.15.2 removed
- kubernetes1.31-client-common-1.31.9-150600.13.15.2 removed

From sle-container-updates at lists.suse.com Sat Jan 3 08:24:09 2026
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Sat, 3 Jan 2026 09:24:09 +0100 (CET)
Subject: SUSE-CU-2026:30-1: Security update of suse/kubectl
Message-ID: <20260103082409.9E965FB9B@maintenance.suse.de>

SUSE Container Update Advisory: suse/kubectl
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2026:30-1
Container Tags : suse/kubectl:1.35 , suse/kubectl:1.35.0 , suse/kubectl:1.35.0-1.62.1 , suse/kubectl:latest , suse/kubectl:stable , suse/kubectl:stable-1.62.1
Container Release : 62.1
Severity : important
Type : security
References : 1156913 1216378 1240414 CVE-2023-45853 CVE-2025-31115
-----------------------------------------------------------------

The container suse/kubectl was updated.

The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:2083-1
Released: Thu Jul 30 10:27:59 2020
Summary: Recommended update for diffutils
Type: recommended
Severity: moderate
References: 1156913

This update for diffutils fixes the following issue:

- Disable a sporadically failing test for ppc64 and ppc64le builds. (bsc#1156913)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:4215-1
Released: Thu Oct 26 12:19:25 2023
Summary: Security update for zlib
Type: security
Severity: moderate
References: 1216378,CVE-2023-45853

This update for zlib fixes the following issues:

- CVE-2023-45853: Fixed an integer overflow that would lead to a buffer overflow in the minizip subcomponent (bsc#1216378).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:1137-1
Released: Thu Apr 3 17:11:02 2025
Summary: Security update for xz
Type: security
Severity: important
References: 1240414,CVE-2025-31115

This update for xz fixes the following issues:

- CVE-2025-31115: Fixed heap use after free and writing to an address based on the null pointer plus an offset (bsc#1240414)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2025:4510-1
Released: Tue Dec 23 12:24:56 2025
Summary: Recommended update for kubernetes
Type: recommended
Severity: moderate
References:

This update for kubernetes fixes the following issues:

- Update to version 1.35.0: initial package for Kubernetes v1.35.0
  * Full changelog - https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.35.md#v1350

The following package changes have been done:

- libbz2-1-1.0.8-150400.1.122 added
- liblzma5-5.4.1-150600.3.3.1 added
- libz1-1.2.13-150500.4.3.1 added
- libzio1-1.06-2.20 added
- info-6.5-4.17 added
- diffutils-3.6-4.3.1 added
- kubernetes1.35-client-1.35.0-150600.13.18.1 added
- kubernetes1.35-client-common-1.35.0-150600.13.18.1 added
- container:registry.suse.com-bci-bci-micro-15.7-4ea6269b17048f73c022844251731ef4f640fdb9eb72a2ab53ec7f9413b89ee3-0 updated
- kubernetes1.33-client-1.33.7-150600.13.18.1 removed
- kubernetes1.33-client-common-1.33.7-150600.13.18.1 removed

From sle-container-updates at lists.suse.com Sat Jan 3 08:30:49 2026
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Sat, 3 Jan 2026 09:30:49 +0100 (CET)
Subject: SUSE-CU-2026:51-1: Recommended update of bci/rust
Message-ID: <20260103083049.6E7F6FB9B@maintenance.suse.de>

SUSE Container Update Advisory: bci/rust
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2026:51-1
Container Tags : bci/rust:1.91 , bci/rust:1.91.0 , bci/rust:1.91.0-2.2.1 , bci/rust:oldstable , bci/rust:oldstable-2.2.1
Container Release : 2.1
Severity : moderate
Type : recommended
References :
-----------------------------------------------------------------

The container bci/rust was updated.

The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2025:4234-1
Released: Tue Nov 25 16:34:42 2025
Summary: Recommended update for rust, rust1.91
Type: recommended
Severity: moderate
References:

This update for rust fixes the following issues:

Rust is shipped in 1.91.0 version. Please see https://github.com/rust-lang/rust/releases/tag/1.91.0 for changes.

The following package changes have been done:

- cpp15-15.2.0+git10201-150000.1.6.1 added
- gcc15-15.2.0+git10201-150000.1.6.1 added
- rust1.91-1.91.0-150300.7.3.1 added
- cargo1.91-1.91.0-150300.7.3.1 added
- cargo1.90-1.90.0-150300.7.14.1 removed
- cpp14-14.3.0+git11799-150000.1.11.1 removed
- gcc14-14.3.0+git11799-150000.1.11.1 removed
- rust1.90-1.90.0-150300.7.14.1 removed

From sle-container-updates at lists.suse.com Sat Jan 3 08:31:13 2026
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Sat, 3 Jan 2026 09:31:13 +0100 (CET)
Subject: SUSE-CU-2026:53-1: Recommended update of bci/rust
Message-ID: <20260103083113.70F7FFB9B@maintenance.suse.de>

SUSE Container Update Advisory: bci/rust
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2026:53-1
Container Tags : bci/rust:1.92 , bci/rust:1.92.0 , bci/rust:1.92.0-1.2.1 , bci/rust:latest , bci/rust:stable , bci/rust:stable-1.2.1
Container Release : 2.1
Severity : moderate
Type : recommended
References :
-----------------------------------------------------------------

The container bci/rust was updated.

The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2025:4519-1
Released: Wed Dec 24 06:35:21 2025
Summary: Recommended update for rust1.92
Type: recommended
Severity: moderate
References:

This update for rust1.92 fixes the following issues:

Added rust1.92. Release notes can be found externally: https://github.com/rust-lang/rust/releases/tag/1.92.0

The following package changes have been done:

- rust1.92-1.92.0-150300.7.3.1 added
- cargo1.92-1.92.0-150300.7.3.1 added
- cargo1.91-1.91.0-150300.7.3.1 removed
- rust1.91-1.91.0-150300.7.3.1 removed

From sle-container-updates at lists.suse.com Sat Jan 3 08:35:13 2026
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Sat, 3 Jan 2026 09:35:13 +0100 (CET)
Subject: SUSE-CU-2026:59-1: Recommended update of suse/sle-micro/5.2/toolbox
Message-ID: <20260103083513.06D7EFB9B@maintenance.suse.de>

SUSE Container Update Advisory: suse/sle-micro/5.2/toolbox
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2026:59-1
Container Tags : suse/sle-micro/5.2/toolbox:14.2 , suse/sle-micro/5.2/toolbox:14.2-7.11.216 , suse/sle-micro/5.2/toolbox:latest
Container Release : 7.11.216
Severity : moderate
Type : recommended
References : 1216488 1221763 1238724 1240047 1240838 1250033 1251213
-----------------------------------------------------------------

The container suse/sle-micro/5.2/toolbox was updated.

The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2026:1-1
Released: Fri Jan 2 11:23:47 2026
Summary: Recommended update for gdb
Type: recommended
Severity: moderate
References: 1216488,1221763,1238724,1240047,1240838,1250033,1251213

This update for gdb fixes the following issues:

GDB 16.3 changes:

* GDB now supports watchpoints for tagged data pointers (see https://en.wikipedia.org/wiki/Tagged_pointer) on amd64, such as the one used by the Linear Address Masking (LAM) feature provided by Intel.
* Debugging support for Intel MPX has been removed. This includes the removal of:
  * MPX register support
  * the commands 'show/set mpx bound' (deprecated since GDB 15)
  * i386 and amd64 implementation of the hooks report_signal_info and get_siginfo_type.
* GDB now supports printing of asynchronous events from the Intel Processor Trace during 'record instruction-history', 'record function-call-history' and all stepping commands. This can be controlled with the new 'set record btrace pt event-tracing' command.
* GDB now supports printing of ptwrite payloads from the Intel Processor Trace during 'record instruction-history', 'record function-call-history' and all stepping commands. The payload is also accessible in Python as a RecordAuxiliary object. Printing is customizable via a ptwrite filter function in Python. By default, the raw ptwrite payload is printed for each ptwrite that is encountered.
* For breakpoints that are created in the 'pending' state, any 'thread' or 'task' keywords are parsed at the time the breakpoint is created, rather than at the time the breakpoint becomes non-pending.
* Thread-specific breakpoints are only inserted into the program space in which the thread of interest is running. In most cases program spaces are unique for each inferior, so this means that thread-specific breakpoints will usually only be inserted for the inferior containing the thread of interest. The breakpoint will be hit no less than before.
* For ARM targets, the offset of the pc in the jmp_buf has been fixed to match glibc 2.20 and later. This should only matter when not using libc probes. This may cause breakage when using an incompatible libc, like uclibc or newlib, or an older glibc.
* MTE (Memory Tagging Extension) debugging is now supported on AArch64 baremetal targets.
* In a record session, when a forward emulation reaches the end of the reverse history, the warning message has been changed to indicate that the end of the history has been reached. It also specifies that the forward execution can continue, and the recording will also continue.
* The Ada 'Object_Size attribute is now supported.
* New bash script gstack uses GDB to print stack traces of running processes.
* Python API:
  * Added gdb.record.clear. Clears the trace data of the current recording. This forces re-decoding of the trace for successive commands.
  * Added the new event source gdb.tui_enabled.
  * New module gdb.missing_objfile that facilitates dealing with missing objfiles when opening a core-file.
  * New function gdb.missing_objfile.register_handler that can register an instance of a sub-class of gdb.missing_debug.MissingObjfileHandler as a handler for missing objfiles.
  * New class gdb.missing_objfile.MissingObjfileHandler which can be sub-classed to create handlers for missing objfiles.
  * The 'signed' argument to gdb.Architecture.integer_type() will no longer accept non-bool types.
  * The gdb.MICommand.installed property can only be set to True or False.
  * The 'qualified' argument to gdb.Breakpoint constructor will no longer accept non-bool types.
  * Added the gdb.Symbol.is_artificial attribute.
* Debugger Adapter Protocol changes:
  * The 'scopes' request will now return a scope holding global variables from the stack frame's compilation unit.
  * The 'scopes' request will return a 'returnValue' scope holding the return value from the latest 'stepOut' command, when appropriate.
  * The 'launch' and 'attach' requests were rewritten in accordance with some clarifications to the spec. Now they can be sent at any time after the 'initialized' event, but will not take effect (or send a response) until after the 'configurationDone' request has been sent.
  * The 'variables' request will not return artificial symbols.
* New commands:
  * show jit-reader-directory
    Show the name of the directory that 'jit-reader-load' uses for relative file names.
  * set style line-number foreground COLOR
    set style line-number background COLOR
    set style line-number intensity VALUE
    Control the styling of line numbers printed by GDB.
  * set style command foreground COLOR
    set style command background COLOR
    set style command intensity VALUE
    Control the styling of GDB commands when displayed by GDB.
  * set style title foreground COLOR
    set style title background COLOR
    set style title intensity VALUE
    This style now applies to the header line of lists, for example the first line of the output of 'info breakpoints'. Previous uses of this style have been replaced with the new 'command' style.
  * set warn-language-frame-mismatch [on|off]
    show warn-language-frame-mismatch
    Control the warning that is emitted when specifying a language that does not match the current frame's language.
  * maintenance info inline-frames [ADDRESS]
    New command which displays GDB's inline-frame information for the current address, or for ADDRESS if specified. The output identifies inlined frames which start at the specified address.
  * maintenance info blocks [ADDRESS]
    New command which displays information about all of the blocks at ADDRESS, or at the current address if ADDRESS is not given. Blocks are listed starting at the inner global block out to the most inner block.
  * info missing-objfile-handlers
    List all the registered missing-objfile handlers.
  * enable missing-objfile-handler LOCUS HANDLER
    disable missing-objfile-handler LOCUS HANDLER
    Enable or disable a missing-objfile handler with a name matching the regular expression HANDLER, in LOCUS. LOCUS can be 'global' to operate on global missing-objfile handler, 'progspace' to operate on handlers within the current program space, or can be a regular expression which is matched against the filename of the primary executable in each program space.
* Changed commands:
  * remove-symbol-file
    This command now supports file-name completion.
  * remove-symbol-file -a ADDRESS
    The ADDRESS expression can now be a full expression consisting of multiple terms, e.g. 'function + 0x1000' (without quotes), previously only a single term could be given.
  * target core
    target exec
    target tfile
    target ctf
    compile file
    maint print c-tdesc
    save gdb-index
    These commands now require their filename argument to be quoted if it contains white space or quote characters. If the argument contains no such special characters then quoting is not required.
  * maintenance print remote-registers
    Add an 'Expedited' column to the output of the command. It indicates which registers were included in the last stop reply packet received by GDB.
  * show configuration
    Now includes the version of GNU Readline library that GDB is using.
* New remote packets:
  * vFile:stat
    Return information about files on the remote system. Like vFile:fstat but takes a filename rather than an open file descriptor.
  * x addr,length
    Given ADDR and LENGTH, fetch LENGTH units from the memory at address ADDR and send the fetched data in binary format. This packet is equivalent to 'm', except that the data in the response are in binary format.
* binary-upload in qSupported reply If the stub sends back 'binary-upload+' in its qSupported reply, then GDB will, where possible, make use of the 'x' packet. If the stub doesn't report this feature supported, then GDB will not use the 'x' packet. The following package changes have been done: - libsource-highlight4-3.1.9-150000.3.9.1 updated From sle-container-updates at lists.suse.com Tue Jan 6 08:05:36 2026 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Tue, 6 Jan 2026 09:05:36 +0100 (CET) Subject: SUSE-IU-2026:9-1: Security update of suse/sle-micro/rt-5.5 Message-ID: <20260106080536.E5EDFFB9C@maintenance.suse.de> SUSE Image Update Advisory: suse/sle-micro/rt-5.5 ----------------------------------------------------------------- Image Advisory ID : SUSE-IU-2026:9-1 Image Tags : suse/sle-micro/rt-5.5:2.0.4 , suse/sle-micro/rt-5.5:2.0.4-4.5.550 , suse/sle-micro/rt-5.5:latest Image Release : 4.5.550 Severity : important Type : security References : 1233640 1249806 1251786 1252267 1252780 1252862 1253367 1253431 1253436 CVE-2022-50280 CVE-2023-53676 CVE-2024-53093 CVE-2025-40040 CVE-2025-40048 CVE-2025-40121 CVE-2025-40154 CVE-2025-40204 ----------------------------------------------------------------- The container suse/sle-micro/rt-5.5 was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2026:34-1 Released: Mon Jan 5 20:29:25 2026 Summary: Security update for the Linux Kernel Type: security Severity: important References: 1233640,1249806,1251786,1252267,1252780,1252862,1253367,1253431,1253436,CVE-2022-50280,CVE-2023-53676,CVE-2024-53093,CVE-2025-40040,CVE-2025-40048,CVE-2025-40121,CVE-2025-40154,CVE-2025-40204 The SUSE Linux Enterprise 15 SP5 RT kernel was updated to receive various security bugfixes. The following security bugs were fixed: - CVE-2022-50280: pnode: terminate at peers of source (bsc#1249806). 
- CVE-2023-53676: scsi: target: iscsi: Fix buffer overflow in lio_target_nacl_info_show() (bsc#1251786). - CVE-2024-53093: nvme-multipath: defer partition scanning (bsc#1233640). - CVE-2025-40040: mm/ksm: fix flag-dropping behavior in ksm_madvise (bsc#1252780). - CVE-2025-40048: uio_hv_generic: Let userspace take care of interrupt mask (bsc#1252862). - CVE-2025-40121: ASoC: Intel: bytcr_rt5651: Fix invalid quirk input mapping (bsc#1253367). - CVE-2025-40154: ASoC: Intel: bytcr_rt5640: Fix invalid quirk input mapping (bsc#1253431). - CVE-2025-40204: sctp: Fix MAC comparison to be constant-time (bsc#1253436). The following non-security bugs were fixed: - Fix type signess in fbcon_set_font() (bsc#1252033). - scsi: storvsc: Prefer returning channel with the same CPU as on the I/O issuing CPU (bsc#1252267). The following package changes have been done: - kernel-rt-5.14.21-150500.13.115.2 updated From sle-container-updates at lists.suse.com Tue Jan 6 08:15:58 2026 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Tue, 6 Jan 2026 09:15:58 +0100 (CET) Subject: SUSE-CU-2026:67-1: Security update of suse/389-ds Message-ID: <20260106081558.C5DE2FB9B@maintenance.suse.de> SUSE Container Update Advisory: suse/389-ds ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2026:67-1 Container Tags : suse/389-ds:2.5 , suse/389-ds:2.5.3 , suse/389-ds:2.5.3-67.3 , suse/389-ds:latest Container Release : 67.3 Severity : moderate Type : security References : 1254400 1254401 1254997 CVE-2025-12084 CVE-2025-13836 CVE-2025-13837 ----------------------------------------------------------------- The container suse/389-ds was updated. 
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2026:27-1 Released: Mon Jan 5 13:45:08 2026 Summary: Security update for python3 Type: security Severity: moderate References: 1254400,1254401,1254997,CVE-2025-12084,CVE-2025-13836,CVE-2025-13837 This update for python3 fixes the following issues: - CVE-2025-12084: cpython: Fixed quadratic algorithm in xml.dom.minidom leading to denial of service (bsc#1254997) - CVE-2025-13836: Fixed default Content-Length read amount from HTTP response (bsc#1254400) - CVE-2025-13837: Fixed plistlib module denial of service (bsc#1254401) The following package changes have been done: - python3-base-3.6.15-150300.10.103.1 updated - libpython3_6m1_0-3.6.15-150300.10.103.1 updated - python3-3.6.15-150300.10.103.1 updated - container:registry.suse.com-bci-bci-base-15.7-17d580e01de81ee10782633976ab6983923855d96e8b6342192d8486fa7933cf-0 updated From sle-container-updates at lists.suse.com Tue Jan 6 08:16:52 2026 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Tue, 6 Jan 2026 09:16:52 +0100 (CET) Subject: SUSE-CU-2026:69-1: Security update of bci/gcc Message-ID: <20260106081652.706BCFB9B@maintenance.suse.de> SUSE Container Update Advisory: bci/gcc ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2026:69-1 Container Tags : bci/gcc:14 , bci/gcc:14.3 , bci/gcc:14.3-17.3 , bci/gcc:latest Container Release : 17.3 Severity : important Type : security References : 1254297 1254662 1254878 CVE-2025-13601 CVE-2025-14087 CVE-2025-14512 ----------------------------------------------------------------- The container bci/gcc was updated. 
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2026:18-1 Released: Mon Jan 5 11:52:25 2026 Summary: Security update for glib2 Type: security Severity: important References: 1254297,1254662,1254878,CVE-2025-13601,CVE-2025-14087,CVE-2025-14512 This update for glib2 fixes the following issues: - CVE-2025-14512: integer overflow in the GIO `escape_byte_string()` function when processing malicious files or remote filesystem attribute values can lead to denial-of-service (bsc#1254878). - CVE-2025-14087: buffer underflow in the GVariant parser `bytestring_parse()` and `string_parse()` functions when processing attacker-influenced data may lead to crash or code execution (bsc#1254662). - CVE-2025-13601: heap-based buffer overflow in the `g_escape_uri_string()` function when processing strings with a large number of unacceptable characters may lead to crash or code execution (bsc#1254297). The following package changes have been done: - libglib-2_0-0-2.78.6-150600.4.25.1 updated - container:registry.suse.com-bci-bci-base-15.7-17d580e01de81ee10782633976ab6983923855d96e8b6342192d8486fa7933cf-0 updated From sle-container-updates at lists.suse.com Tue Jan 6 08:17:17 2026 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Tue, 6 Jan 2026 09:17:17 +0100 (CET) Subject: SUSE-CU-2026:70-1: Security update of bci/golang Message-ID: <20260106081717.DC651FB9B@maintenance.suse.de> SUSE Container Update Advisory: bci/golang ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2026:70-1 Container Tags : bci/golang:1.24 , bci/golang:1.24.11 , bci/golang:1.24.11-2.78.3 , bci/golang:oldstable , bci/golang:oldstable-2.78.3 Container Release : 78.3 Severity : important Type : security References : 1254297 1254662 1254878 CVE-2025-13601 CVE-2025-14087 CVE-2025-14512 
----------------------------------------------------------------- The container bci/golang was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2026:18-1 Released: Mon Jan 5 11:52:25 2026 Summary: Security update for glib2 Type: security Severity: important References: 1254297,1254662,1254878,CVE-2025-13601,CVE-2025-14087,CVE-2025-14512 This update for glib2 fixes the following issues: - CVE-2025-14512: integer overflow in the GIO `escape_byte_string()` function when processing malicious files or remote filesystem attribute values can lead to denial-of-service (bsc#1254878). - CVE-2025-14087: buffer underflow in the GVariant parser `bytestring_parse()` and `string_parse()` functions when processing attacker-influenced data may lead to crash or code execution (bsc#1254662). - CVE-2025-13601: heap-based buffer overflow in the `g_escape_uri_string()` function when processing strings with a large number of unacceptable characters may lead to crash or code execution (bsc#1254297). 
The following package changes have been done: - libglib-2_0-0-2.78.6-150600.4.25.1 updated - container:registry.suse.com-bci-bci-base-15.7-17d580e01de81ee10782633976ab6983923855d96e8b6342192d8486fa7933cf-0 updated From sle-container-updates at lists.suse.com Tue Jan 6 08:18:11 2026 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Tue, 6 Jan 2026 09:18:11 +0100 (CET) Subject: SUSE-CU-2026:72-1: Security update of bci/golang Message-ID: <20260106081811.D75C8FBA0@maintenance.suse.de> SUSE Container Update Advisory: bci/golang ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2026:72-1 Container Tags : bci/golang:1.25-openssl , bci/golang:1.25.1-openssl , bci/golang:1.25.1-openssl-81.3 , bci/golang:latest , bci/golang:stable-openssl , bci/golang:stable-openssl-81.3 Container Release : 81.3 Severity : important Type : security References : 1254297 1254662 1254878 CVE-2025-13601 CVE-2025-14087 CVE-2025-14512 ----------------------------------------------------------------- The container bci/golang was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2026:18-1 Released: Mon Jan 5 11:52:25 2026 Summary: Security update for glib2 Type: security Severity: important References: 1254297,1254662,1254878,CVE-2025-13601,CVE-2025-14087,CVE-2025-14512 This update for glib2 fixes the following issues: - CVE-2025-14512: integer overflow in the GIO `escape_byte_string()` function when processing malicious files or remote filesystem attribute values can lead to denial-of-service (bsc#1254878). - CVE-2025-14087: buffer underflow in the GVariant parser `bytestring_parse()` and `string_parse()` functions when processing attacker-influenced data may lead to crash or code execution (bsc#1254662). 
- CVE-2025-13601: heap-based buffer overflow in the `g_escape_uri_string()` function when processing strings with a large number of unacceptable characters may lead to crash or code execution (bsc#1254297). The following package changes have been done: - libglib-2_0-0-2.78.6-150600.4.25.1 updated - container:registry.suse.com-bci-bci-base-15.7-17d580e01de81ee10782633976ab6983923855d96e8b6342192d8486fa7933cf-0 updated From sle-container-updates at lists.suse.com Tue Jan 6 08:18:38 2026 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Tue, 6 Jan 2026 09:18:38 +0100 (CET) Subject: SUSE-CU-2026:73-1: Security update of bci/bci-init Message-ID: <20260106081838.77C55FBA0@maintenance.suse.de> SUSE Container Update Advisory: bci/bci-init ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2026:73-1 Container Tags : bci/bci-init:15.7 , bci/bci-init:15.7-48.3 , bci/bci-init:latest Container Release : 48.3 Severity : important Type : security References : 1254297 1254662 1254878 CVE-2025-13601 CVE-2025-14087 CVE-2025-14512 ----------------------------------------------------------------- The container bci/bci-init was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2026:18-1 Released: Mon Jan 5 11:52:25 2026 Summary: Security update for glib2 Type: security Severity: important References: 1254297,1254662,1254878,CVE-2025-13601,CVE-2025-14087,CVE-2025-14512 This update for glib2 fixes the following issues: - CVE-2025-14512: integer overflow in the GIO `escape_byte_string()` function when processing malicious files or remote filesystem attribute values can lead to denial-of-service (bsc#1254878). 
- CVE-2025-14087: buffer underflow in the GVariant parser `bytestring_parse()` and `string_parse()` functions when processing attacker-influenced data may lead to crash or code execution (bsc#1254662). - CVE-2025-13601: heap-based buffer overflow in the `g_escape_uri_string()` function when processing strings with a large number of unacceptable characters may lead to crash or code execution (bsc#1254297). The following package changes have been done: - libglib-2_0-0-2.78.6-150600.4.25.1 updated - container:registry.suse.com-bci-bci-base-15.7-17d580e01de81ee10782633976ab6983923855d96e8b6342192d8486fa7933cf-0 updated From sle-container-updates at lists.suse.com Tue Jan 6 08:18:56 2026 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Tue, 6 Jan 2026 09:18:56 +0100 (CET) Subject: SUSE-CU-2026:74-1: Security update of suse/kea Message-ID: <20260106081856.62D72FBA0@maintenance.suse.de> SUSE Container Update Advisory: suse/kea ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2026:74-1 Container Tags : suse/kea:2.6 , suse/kea:2.6-69.3 , suse/kea:latest Container Release : 69.3 Severity : moderate Type : security References : 1254400 1254401 1254997 CVE-2025-12084 CVE-2025-13836 CVE-2025-13837 ----------------------------------------------------------------- The container suse/kea was updated. 
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2026:27-1 Released: Mon Jan 5 13:45:08 2026 Summary: Security update for python3 Type: security Severity: moderate References: 1254400,1254401,1254997,CVE-2025-12084,CVE-2025-13836,CVE-2025-13837 This update for python3 fixes the following issues: - CVE-2025-12084: cpython: Fixed quadratic algorithm in xml.dom.minidom leading to denial of service (bsc#1254997) - CVE-2025-13836: Fixed default Content-Length read amount from HTTP response (bsc#1254400) - CVE-2025-13837: Fixed plistlib module denial of service (bsc#1254401) The following package changes have been done: - python3-base-3.6.15-150300.10.103.1 updated - libpython3_6m1_0-3.6.15-150300.10.103.1 updated - container:registry.suse.com-bci-bci-base-15.7-17d580e01de81ee10782633976ab6983923855d96e8b6342192d8486fa7933cf-0 updated From sle-container-updates at lists.suse.com Tue Jan 6 08:19:26 2026 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Tue, 6 Jan 2026 09:19:26 +0100 (CET) Subject: SUSE-CU-2026:75-1: Security update of suse/kiosk/firefox-esr Message-ID: <20260106081926.6C2E6FBA0@maintenance.suse.de> SUSE Container Update Advisory: suse/kiosk/firefox-esr ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2026:75-1 Container Tags : suse/kiosk/firefox-esr:140.6 , suse/kiosk/firefox-esr:140.6-70.3 , suse/kiosk/firefox-esr:esr , suse/kiosk/firefox-esr:latest Container Release : 70.3 Severity : important Type : security References : 1254297 1254662 1254878 CVE-2025-13601 CVE-2025-14087 CVE-2025-14512 ----------------------------------------------------------------- The container suse/kiosk/firefox-esr was updated. 
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2026:18-1 Released: Mon Jan 5 11:52:25 2026 Summary: Security update for glib2 Type: security Severity: important References: 1254297,1254662,1254878,CVE-2025-13601,CVE-2025-14087,CVE-2025-14512 This update for glib2 fixes the following issues: - CVE-2025-14512: integer overflow in the GIO `escape_byte_string()` function when processing malicious files or remote filesystem attribute values can lead to denial-of-service (bsc#1254878). - CVE-2025-14087: buffer underflow in the GVariant parser `bytestring_parse()` and `string_parse()` functions when processing attacker-influenced data may lead to crash or code execution (bsc#1254662). - CVE-2025-13601: heap-based buffer overflow in the `g_escape_uri_string()` function when processing strings with a large number of unacceptable characters may lead to crash or code execution (bsc#1254297). The following package changes have been done: - libglib-2_0-0-2.78.6-150600.4.25.1 updated - libgthread-2_0-0-2.78.6-150600.4.25.1 updated - libgobject-2_0-0-2.78.6-150600.4.25.1 updated - libgmodule-2_0-0-2.78.6-150600.4.25.1 updated - libgio-2_0-0-2.78.6-150600.4.25.1 updated - glib2-tools-2.78.6-150600.4.25.1 updated - container:registry.suse.com-bci-bci-micro-15.7-4ea6269b17048f73c022844251731ef4f640fdb9eb72a2ab53ec7f9413b89ee3-0 updated From sle-container-updates at lists.suse.com Tue Jan 6 08:22:20 2026 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Tue, 6 Jan 2026 09:22:20 +0100 (CET) Subject: SUSE-CU-2026:84-1: Security update of suse/pcp Message-ID: <20260106082220.75696FBA0@maintenance.suse.de> SUSE Container Update Advisory: suse/pcp ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2026:84-1 Container Tags : suse/pcp:6 , suse/pcp:6.2 , suse/pcp:6.2.0 , suse/pcp:6.2.0-70.4 , suse/pcp:latest 
Container Release : 70.4 Severity : important Type : security References : 1254297 1254662 1254878 CVE-2025-13601 CVE-2025-14087 CVE-2025-14512 ----------------------------------------------------------------- The container suse/pcp was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2026:18-1 Released: Mon Jan 5 11:52:25 2026 Summary: Security update for glib2 Type: security Severity: important References: 1254297,1254662,1254878,CVE-2025-13601,CVE-2025-14087,CVE-2025-14512 This update for glib2 fixes the following issues: - CVE-2025-14512: integer overflow in the GIO `escape_byte_string()` function when processing malicious files or remote filesystem attribute values can lead to denial-of-service (bsc#1254878). - CVE-2025-14087: buffer underflow in the GVariant parser `bytestring_parse()` and `string_parse()` functions when processing attacker-influenced data may lead to crash or code execution (bsc#1254662). - CVE-2025-13601: heap-based buffer overflow in the `g_escape_uri_string()` function when processing strings with a large number of unacceptable characters may lead to crash or code execution (bsc#1254297). 
The following package changes have been done: - libglib-2_0-0-2.78.6-150600.4.25.1 updated - container:bci-bci-init-15.7-8a58a7f89b0a95fd889e31b7abfd03fda0b5602c3b88bbc5ffa7121b30b3ea17-0 updated From sle-container-updates at lists.suse.com Tue Jan 6 08:22:42 2026 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Tue, 6 Jan 2026 09:22:42 +0100 (CET) Subject: SUSE-CU-2026:85-1: Security update of suse/kiosk/pulseaudio Message-ID: <20260106082242.861B9FBA0@maintenance.suse.de> SUSE Container Update Advisory: suse/kiosk/pulseaudio ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2026:85-1 Container Tags : suse/kiosk/pulseaudio:17 , suse/kiosk/pulseaudio:17.0 , suse/kiosk/pulseaudio:17.0-68.3 , suse/kiosk/pulseaudio:latest Container Release : 68.3 Severity : important Type : security References : 1254297 1254662 1254878 CVE-2025-13601 CVE-2025-14087 CVE-2025-14512 ----------------------------------------------------------------- The container suse/kiosk/pulseaudio was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2026:18-1 Released: Mon Jan 5 11:52:25 2026 Summary: Security update for glib2 Type: security Severity: important References: 1254297,1254662,1254878,CVE-2025-13601,CVE-2025-14087,CVE-2025-14512 This update for glib2 fixes the following issues: - CVE-2025-14512: integer overflow in the GIO `escape_byte_string()` function when processing malicious files or remote filesystem attribute values can lead to denial-of-service (bsc#1254878). - CVE-2025-14087: buffer underflow in the GVariant parser `bytestring_parse()` and `string_parse()` functions when processing attacker-influenced data may lead to crash or code execution (bsc#1254662). 
- CVE-2025-13601: heap-based buffer overflow in the `g_escape_uri_string()` function when processing strings with a large number of unacceptable characters may lead to crash or code execution (bsc#1254297). The following package changes have been done: - libglib-2_0-0-2.78.6-150600.4.25.1 updated - libgobject-2_0-0-2.78.6-150600.4.25.1 updated - libgmodule-2_0-0-2.78.6-150600.4.25.1 updated - libgio-2_0-0-2.78.6-150600.4.25.1 updated - glib2-tools-2.78.6-150600.4.25.1 updated - container:registry.suse.com-bci-bci-micro-15.7-4ea6269b17048f73c022844251731ef4f640fdb9eb72a2ab53ec7f9413b89ee3-0 updated From sle-container-updates at lists.suse.com Tue Jan 6 08:22:43 2026 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Tue, 6 Jan 2026 09:22:43 +0100 (CET) Subject: SUSE-CU-2026:86-1: Security update of suse/kiosk/pulseaudio Message-ID: <20260106082243.6ED81FBA0@maintenance.suse.de> SUSE Container Update Advisory: suse/kiosk/pulseaudio ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2026:86-1 Container Tags : suse/kiosk/pulseaudio:17 , suse/kiosk/pulseaudio:17.0 , suse/kiosk/pulseaudio:17.0-68.5 , suse/kiosk/pulseaudio:latest Container Release : 68.5 Severity : moderate Type : security References : 1254400 1254401 1254997 CVE-2025-12084 CVE-2025-13836 CVE-2025-13837 ----------------------------------------------------------------- The container suse/kiosk/pulseaudio was updated. 
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2026:27-1 Released: Mon Jan 5 13:45:08 2026 Summary: Security update for python3 Type: security Severity: moderate References: 1254400,1254401,1254997,CVE-2025-12084,CVE-2025-13836,CVE-2025-13837 This update for python3 fixes the following issues: - CVE-2025-12084: cpython: Fixed quadratic algorithm in xml.dom.minidom leading to denial of service (bsc#1254997) - CVE-2025-13836: Fixed default Content-Length read amount from HTTP response (bsc#1254400) - CVE-2025-13837: Fixed plistlib module denial of service (bsc#1254401) The following package changes have been done: - libpython3_6m1_0-3.6.15-150300.10.103.1 updated - python3-base-3.6.15-150300.10.103.1 updated - container:suse-sle15-15.7-17d580e01de81ee10782633976ab6983923855d96e8b6342192d8486fa7933cf-0 updated From sle-container-updates at lists.suse.com Tue Jan 6 08:23:11 2026 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Tue, 6 Jan 2026 09:23:11 +0100 (CET) Subject: SUSE-CU-2026:87-1: Security update of bci/python Message-ID: <20260106082311.038FBFBA0@maintenance.suse.de> SUSE Container Update Advisory: bci/python ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2026:87-1 Container Tags : bci/python:3 , bci/python:3.13 , bci/python:3.13.11 , bci/python:3.13.11-82.3 , bci/python:latest Container Release : 82.3 Severity : moderate Type : security References : 1254400 1254401 1254997 CVE-2025-12084 CVE-2025-13836 CVE-2025-13837 ----------------------------------------------------------------- The container bci/python was updated. 
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2026:24-1 Released: Mon Jan 5 13:09:31 2026 Summary: Security update for python313 Type: security Severity: moderate References: 1254400,1254401,1254997,CVE-2025-12084,CVE-2025-13836,CVE-2025-13837 This update for python313 fixes the following issues: Update to version 3.13.11. Security issues fixed: - CVE-2025-12084: quadratic complexity when building nested elements using `xml.dom.minidom` methods that depend on `_clear_id_cache()` can lead to availability issues when building excessively nested documents (bsc#1254997). - CVE-2025-13836: use of `Content-Length` by default when reading an HTTP response with no read amount specified can lead to OOM issues and DoS when a client deals with a malicious server (bsc#1254400). - CVE-2025-13837: data read by the plistlib module according to the size specified by the file itself can lead to OOM issues and DoS (bsc#1254401). Other updates and bugfixes: - Version 3.13.11: * Library - gh-140797: Revert changes to the undocumented re.Scanner class. Capturing groups are still allowed for backward compatibility, although using them can lead to incorrect result. They will be forbidden in future Python versions. - gh-142206: The resource tracker in the multiprocessing module now uses the original communication protocol, as in Python 3.14.0 and below, by default. This avoids issues with upgrading Python while it is running. (Note that such "in-place" upgrades are not tested.) The tracker remains compatible with subprocesses that use new protocol (that is, subprocesses using Python 3.13.10, 3.14.1 and 3.15). * Core and Builtins - gh-142218: Fix crash when inserting into a split table dictionary with a non str key that matches an existing key. - Version 3.13.10: * Security - gh-137836: Add support of the "plaintext" element, RAWTEXT elements "xmp", "iframe", "noembed" 
and "noframes", and optionally RAWTEXT element "noscript" in html.parser.HTMLParser. - gh-136063: email.message: ensure linear complexity for legacy HTTP parameters parsing. Patch by Bénédikt Tran. * Library - gh-74389: When the stdin being used by a subprocess.Popen instance is closed, this is now ignored in subprocess.Popen.communicate() instead of leaving the class in an inconsistent state. - gh-87512: Fix subprocess.Popen.communicate() timeout handling on Windows when writing large input. Previously, the timeout was ignored during stdin writing, causing the method to block indefinitely if the child process did not consume input quickly. The stdin write is now performed in a background thread, allowing the timeout to be properly enforced. - gh-141473: When subprocess.Popen.communicate() was called with input and a timeout and is called for a second time after a TimeoutExpired exception before the process has died, it should no longer hang. - gh-59000: Fix pdb breakpoint resolution for class methods when the module defining the class is not imported. - gh-141570: Support file-like object raising OSError from fileno() in color detection (_colorize.can_colorize()). This can occur when sys.stdout is redirected. - gh-141659: Fix bad file descriptor errors from _posixsubprocess on AIX. - gh-141497: ipaddress: ensure that the methods IPv4Network.hosts() and IPv6Network.hosts() always return an iterator. - gh-140938: The statistics.stdev() and statistics.pstdev() functions now raise a ValueError when the input contains an infinity or a NaN. - gh-124111: Updated Tcl threading configuration in _tkinter to assume that threads are always available in Tcl 9 and later. - gh-137109: The os.fork and related forking APIs will no longer warn in the common case where Linux or macOS platform APIs return the number of threads in a process and find the answer to be 1 even when a os.register_at_fork() after_in_parent= callback (re)starts a thread. 
- gh-141314: Fix assertion failure in io.TextIOWrapper.tell() when reading files with standalone carriage return (\r) line endings. - gh-141311: Fix assertion failure in io.BytesIO.readinto() and undefined behavior arising when read position is above capacity in io.BytesIO. - gh-141141: Fix a thread safety issue with base64.b85decode(). Contributed by Benel Tayar. - gh-140911: collections: Ensure that the methods UserString.rindex() and UserString.index() accept collections.UserString instances as the sub argument. - gh-140797: The undocumented re.Scanner class now forbids regular expressions containing capturing groups in its lexicon patterns. Patterns using capturing groups could previously lead to crashes with segmentation fault. Use non-capturing groups (?:...) instead. - gh-140815: faulthandler now detects if a frame or a code object is invalid or freed. Patch by Victor Stinner. - gh-100218: Correctly set errno when socket.if_nametoindex() or socket.if_indextoname() raise an OSError. Patch by Bénédikt Tran. - gh-140875: Fix handling of unclosed character references (named and numerical) followed by the end of file in html.parser.HTMLParser with convert_charrefs=False. - gh-140734: multiprocessing: fix off-by-one error when checking the length of a temporary socket file path. Patch by Bénédikt Tran. - gh-140874: Bump the version of pip bundled in ensurepip to version 25.3 - gh-140691: In urllib.request, when opening a FTP URL fails because a data connection cannot be made, the control connection's socket is now closed to avoid a ResourceWarning. - gh-103847: Fix hang when cancelling process created by asyncio.create_subprocess_exec() or asyncio.create_subprocess_shell(). Patch by Kumar Aditya. - gh-140590: Fix arguments checking for the functools.partial.__setstate__() that may lead to internal state corruption and crash. Patch by Sergey Miryanov. - gh-140634: Fix a reference counting bug in os.sched_param.__reduce__(). 
- gh-140633: Ignore AttributeError when setting a module's __file__ attribute when loading an extension module packaged as Apple Framework. - gh-140593: xml.parsers.expat: Fix a memory leak that could affect users with ElementDeclHandler() set to a custom element declaration handler. Patch by Sebastian Pipping. - gh-140607: Inside io.RawIOBase.read(), validate that the count of bytes returned by io.RawIOBase.readinto() is valid (inside the provided buffer). - gh-138162: Fix logging.LoggerAdapter with merge_extra=True and without the extra argument. - gh-140474: Fix memory leak in array.array when creating arrays from an empty str and the u type code. - gh-140272: Fix memory leak in the clear() method of the dbm.gnu database. - gh-140041: Fix import of ctypes on Android and Cygwin when ABI flags are present. - gh-139905: Add suggestion to error message for typing.Generic subclasses when cls.__parameters__ is missing due to a parent class failing to call super().__init_subclass__() in its __init_subclass__. - gh-139845: Fix to not print KeyboardInterrupt twice in default asyncio REPL. - gh-139783: Fix inspect.getsourcelines() for the case when a decorator is followed by a comment or an empty line. - gh-70765: http.server: fix default handling of HTTP/0.9 requests in BaseHTTPRequestHandler. Previously, BaseHTTPRequestHandler.parse_request() incorrectly waited for headers in the request although those are not supported in HTTP/0.9. Patch by Bénédikt Tran. - gh-139391: Fix an issue when, on non-Windows platforms, it was not possible to gracefully exit a python -m asyncio process suspended by Ctrl+Z and later resumed by fg other than with kill. - gh-101828: Fix 'shift_jisx0213', 'shift_jis_2004', 'euc_jisx0213' and 'euc_jis_2004' codecs truncating null chars as they were treated as part of multi-character sequences. - gh-139246: fix: paste zero-width in default repl width is wrong.
- gh-90949: Add SetAllocTrackerActivationThreshold() and SetAllocTrackerMaximumAmplification() to xmlparser objects to prevent use of disproportional amounts of dynamic memory from within an Expat parser. Patch by Bénédikt Tran. - gh-139065: Fix trailing space before a wrapped long word if the line length is exactly width in textwrap. - gh-138993: Dedent credits text. - gh-138859: Fix generic type parameterization raising a TypeError when omitting a ParamSpec that has a default which is not a list of types. - gh-138775: Use of python -m with base64 has been fixed to detect input from a terminal so that it properly notices EOF. - gh-98896: Fix a failure in multiprocessing resource_tracker when SharedMemory names contain colons. Patch by Rani Pinchuk. - gh-75989: tarfile.TarFile.extractall() and tarfile.TarFile.extract() now overwrite symlinks when extracting hardlinks. (Contributed by Alexander Enrique Urieles Nieto in gh-75989.) - gh-83424: Allows creating a ctypes.CDLL without name when passing a handle as an argument. - gh-136234: Fix asyncio.WriteTransport.writelines() to be robust to connection failure, by using the same behavior as write(). - gh-136057: Fixed the bug in pdb and bdb where next and step can't go over the line if a loop exists in the line. - gh-135307: email: Fix exception in set_content() when encoding text and max_line_length is set to 0 or None (unlimited). - gh-134453: Fixed subprocess.Popen.communicate() input= handling of memoryview instances that were non-byte shaped on POSIX platforms. Those are now properly cast to a byte shaped view instead of truncating the input. Windows platforms did not have this bug. - gh-102431: Clarify constraints for "logical" arguments in methods of decimal.Context. * IDLE - gh-96491: Deduplicate version number in IDLE shell title bar after saving to a file. * Core and Builtins - gh-142048: Fix quadratically increasing garbage collection delays in free-threaded build.
- gh-141930: When importing a module, use Python's regular file object to ensure that writes to .pyc files are complete or an appropriate error is raised. - gh-120158: Fix inconsistent state when enabling or disabling monitoring events too many times. - gh-141579: Fix sys.activate_stack_trampoline() to properly support the perf_jit backend. Patch by Pablo Galindo. - gh-141312: Fix the assertion failure in the __setstate__ method of the range iterator when a non-integer argument is passed. Patch by Sergey Miryanov. - gh-140939: Fix memory leak when bytearray or bytes is formatted with the %*b format with a large width that results in %a MemoryError. - gh-140530: Fix a reference leak when raise exc from cause fails. Patch by Bénédikt Tran. - gh-140576: Fixed crash in tokenize.generate_tokens() in case of specific incorrect input. Patch by Mikhail Efimov. - gh-140551: Fixed crash in dict if dict.clear() is called at the lookup stage. Patch by Mikhail Efimov and Inada Naoki. - gh-140471: Fix potential buffer overflow in ast.AST node initialization when encountering malformed _fields containing non-str. - gh-140406: Fix memory leak when an object's __hash__() method returns an object that isn't an int. - gh-140306: Fix memory leaks in cross-interpreter channel operations and shared namespace handling. - gh-140301: Fix memory leak of PyConfig in subinterpreters. - gh-140000: Fix potential memory leak when a reference cycle exists between an instance of typing.TypeAliasType, typing.TypeVar, typing.ParamSpec, or typing.TypeVarTuple and its __name__ attribute. Patch by Mikhail Efimov. - gh-139748: Fix reference leaks in error branches of functions accepting path strings or bytes such as compile() and os.system(). Patch by Bénédikt Tran. - gh-139516: Fix lambda colon erroneously start format spec in f-string in tokenizer.
- gh-139640: Fix swallowing some syntax warnings in different modules if they accidentally have the same message and are emitted from the same line. Fix duplicated warnings in the finally block. - gh-137400: Fix a crash in the free threading build when disabling profiling or tracing across all threads with PyEval_SetProfileAllThreads() or PyEval_SetTraceAllThreads() or their Python equivalents threading.settrace_all_threads() and threading.setprofile_all_threads(). - gh-133400: Fixed Ctrl+D (^D) behavior in _pyrepl module to match old pre-3.13 REPL behavior. * C API - gh-140042: Removed the sqlite3_shutdown call that could cause closing connections for sqlite when used with multiple sub interpreters. - gh-140487: Fix Py_RETURN_NOTIMPLEMENTED in limited C API 3.11 and older: don't treat Py_NotImplemented as immortal. Patch by Victor Stinner. The following package changes have been done: - libpython3_13-1_0-3.13.11-150700.4.36.1 updated - python313-base-3.13.11-150700.4.36.1 updated - python313-3.13.11-150700.4.36.1 updated - python313-devel-3.13.11-150700.4.36.1 updated From sle-container-updates at lists.suse.com Tue Jan 6 08:23:38 2026 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Tue, 6 Jan 2026 09:23:38 +0100 (CET) Subject: SUSE-CU-2026:88-1: Security update of bci/python Message-ID: <20260106082338.F2B5EFBA0@maintenance.suse.de> SUSE Container Update Advisory: bci/python ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2026:88-1 Container Tags : bci/python:3 , bci/python:3.6 , bci/python:3.6.15 , bci/python:3.6.15-79.3 Container Release : 79.3 Severity : moderate Type : security References : 1254400 1254401 1254997 CVE-2025-12084 CVE-2025-13836 CVE-2025-13837 ----------------------------------------------------------------- The container bci/python was updated.
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2026:27-1 Released: Mon Jan 5 13:45:08 2026 Summary: Security update for python3 Type: security Severity: moderate References: 1254400,1254401,1254997,CVE-2025-12084,CVE-2025-13836,CVE-2025-13837 This update for python3 fixes the following issues: - CVE-2025-12084: cpython: Fixed quadratic algorithm in xml.dom.minidom leading to denial of service (bsc#1254997) - CVE-2025-13836: Fixed default Content-Length read amount from HTTP response (bsc#1254400) - CVE-2025-13837: Fixed plistlib module denial of service (bsc#1254401) The following package changes have been done: - libpython3_6m1_0-3.6.15-150300.10.103.1 updated - python3-base-3.6.15-150300.10.103.1 updated - python3-3.6.15-150300.10.103.1 updated - python3-devel-3.6.15-150300.10.103.1 updated From sle-container-updates at lists.suse.com Tue Jan 6 08:23:56 2026 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Tue, 6 Jan 2026 09:23:56 +0100 (CET) Subject: SUSE-CU-2026:89-1: Security update of suse/mariadb Message-ID: <20260106082356.4F7B3FBA0@maintenance.suse.de> SUSE Container Update Advisory: suse/mariadb ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2026:89-1 Container Tags : suse/mariadb:11.8 , suse/mariadb:11.8.5 , suse/mariadb:11.8.5-70.3 , suse/mariadb:latest Container Release : 70.3 Severity : moderate Type : security References : 1254400 1254401 1254997 CVE-2025-12084 CVE-2025-13836 CVE-2025-13837 ----------------------------------------------------------------- The container suse/mariadb was updated.
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2026:27-1 Released: Mon Jan 5 13:45:08 2026 Summary: Security update for python3 Type: security Severity: moderate References: 1254400,1254401,1254997,CVE-2025-12084,CVE-2025-13836,CVE-2025-13837 This update for python3 fixes the following issues: - CVE-2025-12084: cpython: Fixed quadratic algorithm in xml.dom.minidom leading to denial of service (bsc#1254997) - CVE-2025-13836: Fixed default Content-Length read amount from HTTP response (bsc#1254400) - CVE-2025-13837: Fixed plistlib module denial of service (bsc#1254401) The following package changes have been done: - libpython3_6m1_0-3.6.15-150300.10.103.1 updated - python3-base-3.6.15-150300.10.103.1 updated - container:registry.suse.com-bci-bci-micro-15.7-4ea6269b17048f73c022844251731ef4f640fdb9eb72a2ab53ec7f9413b89ee3-0 updated From sle-container-updates at lists.suse.com Tue Jan 6 08:24:41 2026 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Tue, 6 Jan 2026 09:24:41 +0100 (CET) Subject: SUSE-CU-2026:91-1: Security update of bci/rust Message-ID: <20260106082441.C2A88FBA0@maintenance.suse.de> SUSE Container Update Advisory: bci/rust ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2026:91-1 Container Tags : bci/rust:1.92 , bci/rust:1.92.0 , bci/rust:1.92.0-1.3.3 , bci/rust:latest , bci/rust:stable , bci/rust:stable-1.3.3 Container Release : 3.3 Severity : important Type : security References : 1254297 1254662 1254878 CVE-2025-13601 CVE-2025-14087 CVE-2025-14512 ----------------------------------------------------------------- The container bci/rust was updated.
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2026:18-1 Released: Mon Jan 5 11:52:25 2026 Summary: Security update for glib2 Type: security Severity: important References: 1254297,1254662,1254878,CVE-2025-13601,CVE-2025-14087,CVE-2025-14512 This update for glib2 fixes the following issues: - CVE-2025-14512: integer overflow in the GIO `escape_byte_string()` function when processing malicious files or remote filesystem attribute values can lead to denial-of-service (bsc#1254878). - CVE-2025-14087: buffer underflow in the GVariant parser `bytestring_parse()` and `string_parse()` functions when processing attacker-influenced data may lead to crash or code execution (bsc#1254662). - CVE-2025-13601: heap-based buffer overflow in the `g_escape_uri_string()` function when processing strings with a large number of unacceptable characters may lead to crash or code execution (bsc#1254297). The following package changes have been done: - libglib-2_0-0-2.78.6-150600.4.25.1 updated - container:registry.suse.com-bci-bci-base-15.7-17d580e01de81ee10782633976ab6983923855d96e8b6342192d8486fa7933cf-0 updated From sle-container-updates at lists.suse.com Tue Jan 6 08:25:02 2026 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Tue, 6 Jan 2026 09:25:02 +0100 (CET) Subject: SUSE-CU-2026:92-1: Security update of suse/samba-client Message-ID: <20260106082502.011EDFBA0@maintenance.suse.de> SUSE Container Update Advisory: suse/samba-client ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2026:92-1 Container Tags : suse/samba-client:4.21 , suse/samba-client:4.21 , suse/samba-client:4.21-70.3 , suse/samba-client:latest Container Release : 70.3 Severity : moderate Type : security References : 1254400 1254401 1254997 CVE-2025-12084 CVE-2025-13836 CVE-2025-13837
----------------------------------------------------------------- The container suse/samba-client was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2026:27-1 Released: Mon Jan 5 13:45:08 2026 Summary: Security update for python3 Type: security Severity: moderate References: 1254400,1254401,1254997,CVE-2025-12084,CVE-2025-13836,CVE-2025-13837 This update for python3 fixes the following issues: - CVE-2025-12084: cpython: Fixed quadratic algorithm in xml.dom.minidom leading to denial of service (bsc#1254997) - CVE-2025-13836: Fixed default Content-Length read amount from HTTP response (bsc#1254400) - CVE-2025-13837: Fixed plistlib module denial of service (bsc#1254401) The following package changes have been done: - libpython3_6m1_0-3.6.15-150300.10.103.1 updated - python3-base-3.6.15-150300.10.103.1 updated - container:registry.suse.com-bci-bci-micro-15.7-4ea6269b17048f73c022844251731ef4f640fdb9eb72a2ab53ec7f9413b89ee3-0 updated From sle-container-updates at lists.suse.com Tue Jan 6 08:25:26 2026 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Tue, 6 Jan 2026 09:25:26 +0100 (CET) Subject: SUSE-CU-2026:93-1: Security update of suse/samba-server Message-ID: <20260106082526.5A67CFBA0@maintenance.suse.de> SUSE Container Update Advisory: suse/samba-server ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2026:93-1 Container Tags : suse/samba-server:4.21 , suse/samba-server:4.21 , suse/samba-server:4.21-71.3 , suse/samba-server:latest Container Release : 71.3 Severity : moderate Type : security References : 1254400 1254401 1254997 CVE-2025-12084 CVE-2025-13836 CVE-2025-13837 ----------------------------------------------------------------- The container suse/samba-server was updated.
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2026:27-1 Released: Mon Jan 5 13:45:08 2026 Summary: Security update for python3 Type: security Severity: moderate References: 1254400,1254401,1254997,CVE-2025-12084,CVE-2025-13836,CVE-2025-13837 This update for python3 fixes the following issues: - CVE-2025-12084: cpython: Fixed quadratic algorithm in xml.dom.minidom leading to denial of service (bsc#1254997) - CVE-2025-13836: Fixed default Content-Length read amount from HTTP response (bsc#1254400) - CVE-2025-13837: Fixed plistlib module denial of service (bsc#1254401) The following package changes have been done: - libpython3_6m1_0-3.6.15-150300.10.103.1 updated - python3-base-3.6.15-150300.10.103.1 updated - container:registry.suse.com-bci-bci-micro-15.7-4ea6269b17048f73c022844251731ef4f640fdb9eb72a2ab53ec7f9413b89ee3-0 updated From sle-container-updates at lists.suse.com Tue Jan 6 08:25:44 2026 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Tue, 6 Jan 2026 09:25:44 +0100 (CET) Subject: SUSE-CU-2026:94-1: Security update of suse/samba-toolbox Message-ID: <20260106082544.C5CF5FBA0@maintenance.suse.de> SUSE Container Update Advisory: suse/samba-toolbox ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2026:94-1 Container Tags : suse/samba-toolbox:4.21 , suse/samba-toolbox:4.21 , suse/samba-toolbox:4.21-71.3 , suse/samba-toolbox:latest Container Release : 71.3 Severity : moderate Type : security References : 1254400 1254401 1254997 CVE-2025-12084 CVE-2025-13836 CVE-2025-13837 ----------------------------------------------------------------- The container suse/samba-toolbox was updated.
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2026:27-1 Released: Mon Jan 5 13:45:08 2026 Summary: Security update for python3 Type: security Severity: moderate References: 1254400,1254401,1254997,CVE-2025-12084,CVE-2025-13836,CVE-2025-13837 This update for python3 fixes the following issues: - CVE-2025-12084: cpython: Fixed quadratic algorithm in xml.dom.minidom leading to denial of service (bsc#1254997) - CVE-2025-13836: Fixed default Content-Length read amount from HTTP response (bsc#1254400) - CVE-2025-13837: Fixed plistlib module denial of service (bsc#1254401) The following package changes have been done: - libpython3_6m1_0-3.6.15-150300.10.103.1 updated - python3-base-3.6.15-150300.10.103.1 updated - container:registry.suse.com-bci-bci-micro-15.7-4ea6269b17048f73c022844251731ef4f640fdb9eb72a2ab53ec7f9413b89ee3-0 updated From sle-container-updates at lists.suse.com Tue Jan 6 08:26:32 2026 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Tue, 6 Jan 2026 09:26:32 +0100 (CET) Subject: SUSE-CU-2026:96-1: Security update of suse/sle15 Message-ID: <20260106082632.0DCF6FBA0@maintenance.suse.de> SUSE Container Update Advisory: suse/sle15 ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2026:96-1 Container Tags : bci/bci-base:15.7 , bci/bci-base:15.7-5.14.4 , bci/bci-base:latest , suse/sle15:15.7 , suse/sle15:15.7-5.14.4 , suse/sle15:latest Container Release : 5.14.4 Severity : important Type : security References : 1254297 1254662 1254878 CVE-2025-13601 CVE-2025-14087 CVE-2025-14512 ----------------------------------------------------------------- The container suse/sle15 was updated.
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2026:18-1 Released: Mon Jan 5 11:52:25 2026 Summary: Security update for glib2 Type: security Severity: important References: 1254297,1254662,1254878,CVE-2025-13601,CVE-2025-14087,CVE-2025-14512 This update for glib2 fixes the following issues: - CVE-2025-14512: integer overflow in the GIO `escape_byte_string()` function when processing malicious files or remote filesystem attribute values can lead to denial-of-service (bsc#1254878). - CVE-2025-14087: buffer underflow in the GVariant parser `bytestring_parse()` and `string_parse()` functions when processing attacker-influenced data may lead to crash or code execution (bsc#1254662). - CVE-2025-13601: heap-based buffer overflow in the `g_escape_uri_string()` function when processing strings with a large number of unacceptable characters may lead to crash or code execution (bsc#1254297). The following package changes have been done: - libglib-2_0-0-2.78.6-150600.4.25.1 updated From sle-container-updates at lists.suse.com Tue Jan 6 08:17:45 2026 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Tue, 6 Jan 2026 09:17:45 +0100 (CET) Subject: SUSE-CU-2026:71-1: Security update of bci/golang Message-ID: <20260106081745.2E087FB9B@maintenance.suse.de> SUSE Container Update Advisory: bci/golang ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2026:71-1 Container Tags : bci/golang:1.25 , bci/golang:1.25.5 , bci/golang:1.25.5-1.78.3 , bci/golang:latest , bci/golang:stable , bci/golang:stable-1.78.3 Container Release : 78.3 Severity : important Type : security References : 1254297 1254662 1254878 CVE-2025-13601 CVE-2025-14087 CVE-2025-14512 ----------------------------------------------------------------- The container bci/golang was updated.
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2026:18-1 Released: Mon Jan 5 11:52:25 2026 Summary: Security update for glib2 Type: security Severity: important References: 1254297,1254662,1254878,CVE-2025-13601,CVE-2025-14087,CVE-2025-14512 This update for glib2 fixes the following issues: - CVE-2025-14512: integer overflow in the GIO `escape_byte_string()` function when processing malicious files or remote filesystem attribute values can lead to denial-of-service (bsc#1254878). - CVE-2025-14087: buffer underflow in the GVariant parser `bytestring_parse()` and `string_parse()` functions when processing attacker-influenced data may lead to crash or code execution (bsc#1254662). - CVE-2025-13601: heap-based buffer overflow in the `g_escape_uri_string()` function when processing strings with a large number of unacceptable characters may lead to crash or code execution (bsc#1254297). The following package changes have been done: - libglib-2_0-0-2.78.6-150600.4.25.1 updated - container:registry.suse.com-bci-bci-base-15.7-17d580e01de81ee10782633976ab6983923855d96e8b6342192d8486fa7933cf-0 updated From sle-container-updates at lists.suse.com Tue Jan 6 08:27:06 2026 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Tue, 6 Jan 2026 09:27:06 +0100 (CET) Subject: SUSE-CU-2026:97-1: Security update of bci/spack Message-ID: <20260106082706.EF138FB9B@maintenance.suse.de> SUSE Container Update Advisory: bci/spack ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2026:97-1 Container Tags : bci/spack:0.23 , bci/spack:0.23.1 , bci/spack:0.23.1-21.2 , bci/spack:latest Container Release : 21.2 Severity : important Type : security References : 1254297 1254662 1254878 CVE-2025-13601 CVE-2025-14087 CVE-2025-14512 ----------------------------------------------------------------- The container bci/spack
was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2026:18-1 Released: Mon Jan 5 11:52:25 2026 Summary: Security update for glib2 Type: security Severity: important References: 1254297,1254662,1254878,CVE-2025-13601,CVE-2025-14087,CVE-2025-14512 This update for glib2 fixes the following issues: - CVE-2025-14512: integer overflow in the GIO `escape_byte_string()` function when processing malicious files or remote filesystem attribute values can lead to denial-of-service (bsc#1254878). - CVE-2025-14087: buffer underflow in the GVariant parser `bytestring_parse()` and `string_parse()` functions when processing attacker-influenced data may lead to crash or code execution (bsc#1254662). - CVE-2025-13601: heap-based buffer overflow in the `g_escape_uri_string()` function when processing strings with a large number of unacceptable characters may lead to crash or code execution (bsc#1254297).
The following package changes have been done: - libgmodule-2_0-0-2.78.6-150600.4.25.1 updated - libgobject-2_0-0-2.78.6-150600.4.25.1 updated - libgio-2_0-0-2.78.6-150600.4.25.1 updated - glib2-tools-2.78.6-150600.4.25.1 updated From sle-container-updates at lists.suse.com Tue Jan 6 16:03:53 2026 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Tue, 6 Jan 2026 17:03:53 +0100 (CET) Subject: SUSE-IU-2026:10-1: Security update of suse/sle-micro/base-5.5 Message-ID: <20260106160353.70029FBA0@maintenance.suse.de> SUSE Image Update Advisory: suse/sle-micro/base-5.5 ----------------------------------------------------------------- Image Advisory ID : SUSE-IU-2026:10-1 Image Tags : suse/sle-micro/base-5.5:2.0.4 , suse/sle-micro/base-5.5:2.0.4-5.8.231 , suse/sle-micro/base-5.5:latest Image Release : 5.8.231 Severity : moderate Type : security References : 1254441 CVE-2025-10158 ----------------------------------------------------------------- The container suse/sle-micro/base-5.5 was updated. 
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2026:41-1 Released: Tue Jan 6 11:33:23 2026 Summary: Security update for rsync Type: security Severity: moderate References: 1254441,CVE-2025-10158 This update for rsync fixes the following issues: - CVE-2025-10158: Fixed out of bounds array access via negative index (bsc#1254441) The following package changes have been done: - rsync-3.2.3-150400.3.26.1 updated From sle-container-updates at lists.suse.com Tue Jan 6 16:05:21 2026 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Tue, 6 Jan 2026 17:05:21 +0100 (CET) Subject: SUSE-IU-2026:11-1: Security update of suse/sle-micro/kvm-5.5 Message-ID: <20260106160521.6654AFBA0@maintenance.suse.de> SUSE Image Update Advisory: suse/sle-micro/kvm-5.5 ----------------------------------------------------------------- Image Advisory ID : SUSE-IU-2026:11-1 Image Tags : suse/sle-micro/kvm-5.5:2.0.4 , suse/sle-micro/kvm-5.5:2.0.4-3.5.443 , suse/sle-micro/kvm-5.5:latest Image Release : 3.5.443 Severity : important Type : security References : 1227397 1250984 1252768 1253002 1254286 1254441 CVE-2024-6505 CVE-2025-10158 CVE-2025-11234 CVE-2025-12464 ----------------------------------------------------------------- The container suse/sle-micro/kvm-5.5 was updated. 
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2026:39-1 Released: Tue Jan 6 11:31:07 2026 Summary: Security update for qemu Type: security Severity: important References: 1227397,1250984,1252768,1253002,1254286,CVE-2024-6505,CVE-2025-11234,CVE-2025-12464 This update for qemu fixes the following issues: - CVE-2024-6505: qemu-kvm: virtio-net: Fixed queue index out-of-bounds access in software RSS (bsc#1227397) - CVE-2025-12464: net: pad packets to minimum length in qemu_receive_packet() (bsc#1253002) - CVE-2025-11234: qemu-kvm: Fixed use-after-free in websocket handshake code leading to denial of service (bsc#1250984) Other fixes: - Fixed *-virtio-gpu-pci dependency on ARM (bsc#1254286) - block/curl: Fixed curl internal handles handling (bsc#1252768) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2026:41-1 Released: Tue Jan 6 11:33:23 2026 Summary: Security update for rsync Type: security Severity: moderate References: 1254441,CVE-2025-10158 This update for rsync fixes the following issues: - CVE-2025-10158: Fixed out of bounds array access via negative index (bsc#1254441) The following package changes have been done: - qemu-guest-agent-7.1.0-150500.49.36.2 updated - rsync-3.2.3-150400.3.26.1 updated - container:suse-sle-micro-base-5.5-latest-2.0.4-5.8.231 updated From sle-container-updates at lists.suse.com Tue Jan 6 16:10:31 2026 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Tue, 6 Jan 2026 17:10:31 +0100 (CET) Subject: SUSE-IU-2026:13-1: Security update of suse/sl-micro/6.0/kvm-os-container Message-ID: <20260106161031.26208FB9C@maintenance.suse.de> SUSE Image Update Advisory: suse/sl-micro/6.0/kvm-os-container ----------------------------------------------------------------- Image Advisory ID : SUSE-IU-2026:13-1 Image Tags : suse/sl-micro/6.0/kvm-os-container:2.1.3 , 
suse/sl-micro/6.0/kvm-os-container:2.1.3-6.100 , suse/sl-micro/6.0/kvm-os-container:latest Image Release : 6.100 Severity : important Type : security References : 1230042 1240157 1243013 1246566 1250984 1252768 1253002 1254286 CVE-2025-11234 CVE-2025-12464 ----------------------------------------------------------------- The container suse/sl-micro/6.0/kvm-os-container was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: 545 Released: Tue Jan 6 12:41:24 2026 Summary: Security update for qemu Type: security Severity: important References: 1230042,1240157,1243013,1246566,1250984,1252768,1253002,1254286,CVE-2025-11234,CVE-2025-12464 This update for qemu fixes the following issues: Update to version 8.2.10. Security issues fixed: - CVE-2025-12464: stack-based buffer overflow in the e1000 network device operations can be exploited by a malicious guest user to crash the QEMU process on the host (bsc#1253002). - CVE-2025-11234: use-after-free in WebSocket handshake operations can be exploited by a malicious client with network access to the VNC WebSocket port to cause a denial-of-service (bsc#1250984). Other updates and bugfixes: - [openSUSE][RPM] spec: require qemu-hw-display-virtio-gpu-pci for x86 too. - [openSUSE][RPM]: really fix *-virtio-gpu-pci dependency on ARM (bsc#1254286). - block/curl: fix curl internal handles handling (bsc#1252768). - [openSUSE][RPM]: spec: qemu-vgabios is required on ppc (bsc#1230042). - [roms] seabios: include 'pciinit: don't misalign large BARs' (bsc#1246566). - [openSUSE][RPM] spec: Require ipxe and virtio-gpu packages for more arch-es (bsc#1240157). - [openSUSE][RPM]: disable LTO for userspace emulation on 15.6 (bsc#1243013). 
- Version 8.2.10 changes: * Full changelog: https://lore.kernel.org/qemu-devel/7dd1fbc7-a58f-4b2c-82b9-735840246ab2 at tls.msk.ru/ * Some backports: - hw/misc/aspeed_hace: Fix buffer overflow in has_padding function - target/ppc: Fix e200 duplicate SPRs - linux-user/riscv: Fix handling of cpu mask in riscv_hwprobe syscall - docs/about/emulation: Fix broken link - vdpa: Allow vDPA to work on big-endian machine - vdpa: Fix endian bugs in shadow virtqueue - target/loongarch: Fix vldi inst - target/arm: Simplify pstate_sm check in sve_access_check - target/arm: Make DisasContext.{fp, sve}_access_checked tristate - util/cacheflush: Make first DSB unconditional on aarch64 - ui/cocoa: Temporarily ignore annoying deprecated declaration warnings - docs: Rename default-configs to configs - block: Zero block driver state before reopening - hw/xen/hvm: Fix Aarch64 typo - hw/net/smc91c111: Don't allow data register access to overrun buffer - hw/net/smc91c111: Sanitize packet length on tx - hw/net/smc91c111: Sanitize packet numbers - hw/net/smc91c111: Ignore attempt to pop from empty RX fifo - ppc/pnv/occ: Fix common area sensor offsets - net: move backend cleanup to NIC cleanup - net: parameterize the removing client from nc list - util/qemu-timer.c: Don't warp timer from timerlist_rearm() - target/arm: Correct STRD atomicity - target/arm: Correct LDRD atomicity and fault behaviour The following package changes have been done: - qemu-guest-agent-8.2.10-1.1 updated From sle-container-updates at lists.suse.com Tue Jan 6 16:19:20 2026 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Tue, 6 Jan 2026 17:19:20 +0100 (CET) Subject: SUSE-CU-2026:109-1: Security update of bci/golang Message-ID: <20260106161920.AFBCFFB9C@maintenance.suse.de> SUSE Container Update Advisory: bci/golang ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2026:109-1 Container Tags : bci/golang:1.24-openssl , 
bci/golang:1.24.7-openssl , bci/golang:1.24.7-openssl-81.3 , bci/golang:oldstable-openssl , bci/golang:oldstable-openssl-81.3 Container Release : 81.3 Severity : important Type : security References : 1254297 1254662 1254878 CVE-2025-13601 CVE-2025-14087 CVE-2025-14512 ----------------------------------------------------------------- The container bci/golang was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2026:18-1 Released: Mon Jan 5 11:52:25 2026 Summary: Security update for glib2 Type: security Severity: important References: 1254297,1254662,1254878,CVE-2025-13601,CVE-2025-14087,CVE-2025-14512 This update for glib2 fixes the following issues: - CVE-2025-14512: integer overflow in the GIO `escape_byte_string()` function when processing malicious files or remote filesystem attribute values can lead to denial-of-service (bsc#1254878). - CVE-2025-14087: buffer underflow in the GVariant parser `bytestring_parse()` and `string_parse()` functions when processing attacker-influenced data may lead to crash or code execution (bsc#1254662). - CVE-2025-13601: heap-based buffer overflow in the `g_escape_uri_string()` function when processing strings with a large number of unacceptable characters may lead to crash or code execution (bsc#1254297).
The following package changes have been done: - libglib-2_0-0-2.78.6-150600.4.25.1 updated - container:registry.suse.com-bci-bci-base-15.7-17d580e01de81ee10782633976ab6983923855d96e8b6342192d8486fa7933cf-0 updated From sle-container-updates at lists.suse.com Tue Jan 6 16:19:44 2026 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Tue, 6 Jan 2026 17:19:44 +0100 (CET) Subject: SUSE-CU-2026:110-1: Recommended update of bci/php-apache Message-ID: <20260106161944.A6F76FB9C@maintenance.suse.de> SUSE Container Update Advisory: bci/php-apache ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2026:110-1 Container Tags : bci/php-apache:8 , bci/php-apache:8.3.23 , bci/php-apache:8.3.23-18.3 , bci/php-apache:latest Container Release : 18.3 Severity : moderate Type : recommended References : 1255043 ----------------------------------------------------------------- The container bci/php-apache was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-RU-2026:35-1 Released: Tue Jan 6 09:42:19 2026 Summary: Recommended update for php8 Type: recommended Severity: moderate References: 1255043 This update for php8 fixes the following issues: - main package require wwwrun:www user as it assumes it in filelist (bsc#1255043) The following package changes have been done: - php8-cli-8.3.23-150700.3.6.1 updated - php8-8.3.23-150700.3.6.1 updated - apache2-mod_php8-8.3.23-150700.3.6.1 updated - php8-openssl-8.3.23-150700.3.6.1 updated - php8-mbstring-8.3.23-150700.3.6.1 updated - php8-zlib-8.3.23-150700.3.6.1 updated - php8-zip-8.3.23-150700.3.6.1 updated - php8-curl-8.3.23-150700.3.6.1 updated - php8-phar-8.3.23-150700.3.6.1 updated - container:registry.suse.com-bci-bci-base-15.7-17d580e01de81ee10782633976ab6983923855d96e8b6342192d8486fa7933cf-0 updated From sle-container-updates at lists.suse.com Tue 
Jan 6 16:20:06 2026 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Tue, 6 Jan 2026 17:20:06 +0100 (CET) Subject: SUSE-CU-2026:111-1: Recommended update of bci/php-fpm Message-ID: <20260106162006.964C9FB9C@maintenance.suse.de> SUSE Container Update Advisory: bci/php-fpm ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2026:111-1 Container Tags : bci/php-fpm:8 , bci/php-fpm:8.3.23 , bci/php-fpm:8.3.23-18.3 , bci/php-fpm:latest Container Release : 18.3 Severity : moderate Type : recommended References : 1255043 ----------------------------------------------------------------- The container bci/php-fpm was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-RU-2026:35-1 Released: Tue Jan 6 09:42:19 2026 Summary: Recommended update for php8 Type: recommended Severity: moderate References: 1255043 This update for php8 fixes the following issues: - main package require wwwrun:www user as it assumes it in filelist (bsc#1255043) The following package changes have been done: - php8-cli-8.3.23-150700.3.6.1 updated - php8-8.3.23-150700.3.6.1 updated - php8-fpm-8.3.23-150700.3.6.1 updated - php8-openssl-8.3.23-150700.3.6.1 updated - php8-mbstring-8.3.23-150700.3.6.1 updated - php8-zlib-8.3.23-150700.3.6.1 updated - php8-zip-8.3.23-150700.3.6.1 updated - php8-curl-8.3.23-150700.3.6.1 updated - php8-phar-8.3.23-150700.3.6.1 updated - container:registry.suse.com-bci-bci-base-15.7-17d580e01de81ee10782633976ab6983923855d96e8b6342192d8486fa7933cf-0 updated From sle-container-updates at lists.suse.com Tue Jan 6 16:20:25 2026 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Tue, 6 Jan 2026 17:20:25 +0100 (CET) Subject: SUSE-CU-2026:112-1: Security update of bci/php Message-ID: <20260106162025.2C8FAFB9C@maintenance.suse.de> SUSE Container Update 
Advisory: bci/php ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2026:112-1 Container Tags : bci/php:8 , bci/php:8.3.23 , bci/php:8.3.23-18.3 , bci/php:latest Container Release : 18.3 Severity : important Type : security References : 1110700 1115640 1156913 1164562 1166510 1166510 1174593 1177858 1178727 1181443 1184358 1185562 1190052 1191987 1194818 1195391 1196093 1196647 1196647 1197024 1197794 1198165 1198176 1198752 1199467 1200800 1201519 1201680 1204844 1205161 1207778 1210004 1211078 1211418 1211419 1213240 1214140 1215377 1216862 1217000 1218475 1219321 1221632 1228770 1230972 1232234 1232234 1243226 1243767 1244509 1246221 1255043 916845 953659 CVE-2013-4235 CVE-2013-4235 CVE-2018-17953 CVE-2021-46828 CVE-2023-22652 CVE-2023-2602 CVE-2023-2603 CVE-2023-30078 CVE-2023-30079 CVE-2023-32181 CVE-2024-10041 CVE-2024-10041 CVE-2024-22365 CVE-2025-5278 CVE-2025-6018 CVE-2025-6020 ----------------------------------------------------------------- The container bci/php was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:2569-1 Released: Fri Nov 2 19:00:18 2018 Summary: Recommended update for pam Type: recommended Severity: moderate References: 1110700 This update for pam fixes the following issues: - Remove limits for nproc from /etc/security/limits.conf (bsc#1110700) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2018:2825-1 Released: Mon Dec 3 15:35:02 2018 Summary: Security update for pam Type: security Severity: important References: 1115640,CVE-2018-17953 This update for pam fixes the following issue: Security issue fixed: - CVE-2018-17953: Fixed IP address and subnet handling of pam_access.so that was not honoured correctly when a single host was specified (bsc#1115640). 
----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:44-1 Released: Tue Jan 8 13:07:32 2019 Summary: Recommended update for acl Type: recommended Severity: low References: 953659 This update for acl fixes the following issues: - test: Add helper library to fake passwd/group files. - quote: Escape literal backslashes. (bsc#953659) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:525-1 Released: Fri Feb 28 11:49:36 2020 Summary: Recommended update for pam Type: recommended Severity: moderate References: 1164562 This update for pam fixes the following issues: - Add libdb as build-time dependency to enable pam_userdb module. Enable pam_userdb.so (jsc#sle-7258, bsc#1164562) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:689-1 Released: Fri Mar 13 17:09:01 2020 Summary: Recommended update for pam Type: recommended Severity: moderate References: 1166510 This update for PAM fixes the following issue: - The license of libdb linked against pam_userdb is not always wanted, so we temporarily disabled pam_userdb again. It will be published in a different package at a later time. (bsc#1166510) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:917-1 Released: Fri Apr 3 15:02:25 2020 Summary: Recommended update for pam Type: recommended Severity: moderate References: 1166510 This update for pam fixes the following issues: - Moved pam_userdb into a separate package pam-extra. (bsc#1166510) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:2083-1 Released: Thu Jul 30 10:27:59 2020 Summary: Recommended update for diffutils Type: recommended Severity: moderate References: 1156913 This update for diffutils fixes the following issue: - Disable a sporadically failing test for ppc64 and ppc64le builds. 
(bsc#1156913) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:3462-1 Released: Fri Nov 20 13:14:35 2020 Summary: Recommended update for pam and sudo Type: recommended Severity: moderate References: 1174593,1177858,1178727 This update for pam and sudo fixes the following issue: pam: - pam_xauth: do not *free* a string which has been successfully passed to *putenv*. (bsc#1177858) - Initialize the local variable *daysleft* to avoid a misleading warning for password expire days. (bsc#1178727) - Run /usr/bin/xauth using the old user's and group's identifiers. (bsc#1174593) sudo: - Fix a problem with pam_xauth which checks effective and real uids to get the real identity of the user. (bsc#1174593) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:3620-1 Released: Thu Dec 3 17:03:55 2020 Summary: Recommended update for pam Type: recommended Severity: moderate References: This update for pam fixes the following issues: - Check if the password is part of the username. (jsc#SLE-16719, jsc#SLE-16720) - Check whether the password contains a substring of the user's name of at least `` characters length in some form. This is enabled by the new parameter `usersubstr=` ----------------------------------------------------------------- Advisory ID: SUSE-OU-2021:339-1 Released: Mon Feb 8 13:16:07 2021 Summary: Optional update for pam Type: optional Severity: low References: This update for pam fixes the following issues: - Added rpm macros for this package, so that other packages can make use of it This patch is optional to be installed - it doesn't fix any bugs. 
----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:1643-1 Released: Wed May 19 13:51:48 2021 Summary: Recommended update for pam Type: recommended Severity: important References: 1181443,1184358,1185562 This update for pam fixes the following issues: - Fixed a bug, where the 'unlimited'/'-1' value was not interpreted correctly (bsc#1181443) - Fixed a bug, where pam_access interpreted the keyword 'LOCAL' incorrectly, leading to an attempt to resolve it as a hostname (bsc#1184358) - In the 32-bit compatibility package for 64-bit architectures, require 'systemd-32bit' to be also installed as it contains pam_systemd.so for 32 bit applications. (bsc#1185562) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:3494-1 Released: Wed Oct 20 16:48:46 2021 Summary: Recommended update for pam Type: recommended Severity: moderate References: 1190052 This update for pam fixes the following issues: - Added pam_faillock to the set of available PAM modules. (jsc#SLE-20638) - Added new file macros.pam on request of systemd. (bsc#1190052) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:3510-1 Released: Tue Oct 26 11:22:15 2021 Summary: Recommended update for pam Type: recommended Severity: important References: 1191987 This update for pam fixes the following issues: - Fixed a bad directive file which resulted in the 'securetty' file to be installed as 'macros.pam'. (bsc#1191987) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2022:1047-1 Released: Wed Mar 30 16:20:56 2022 Summary: Recommended update for pam Type: recommended Severity: moderate References: 1196093,1197024 This update for pam fixes the following issues: - Define _pam_vendordir as the variable is needed by systemd and others. (bsc#1196093) - Between allocating the variable 'ai' and freeing it, there are two 'return NO' where we don't free this variable. 
This patch inserts freeaddrinfo() calls before the 'return NO;'s. (bsc#1197024) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2022:1281-1 Released: Wed Apr 20 12:26:38 2022 Summary: Recommended update for libtirpc Type: recommended Severity: moderate References: 1196647 This update for libtirpc fixes the following issues: - Add option to enforce connection via protocol version 2 first (bsc#1196647) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2022:1655-1 Released: Fri May 13 15:36:10 2022 Summary: Recommended update for pam Type: recommended Severity: moderate References: 1197794 This update for pam fixes the following issue: - Do not include obsolete header files (bsc#1197794) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2022:1899-1 Released: Wed Jun 1 10:43:22 2022 Summary: Recommended update for libtirpc Type: recommended Severity: important References: 1198176 This update for libtirpc fixes the following issues: - Add a check for null pointer in check_address to prevent client from crashing (bsc#1198176) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2022:3127-1 Released: Wed Sep 7 04:36:10 2022 Summary: Recommended update for libtirpc Type: recommended Severity: moderate References: 1198752,1200800 This update for libtirpc fixes the following issues: - Exclude ipv6 addresses in client protocol version 2 code (bsc#1200800) - Fix memory leak in params.r_addr assignment (bsc#1198752) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2022:3305-1 Released: Mon Sep 19 11:45:57 2022 Summary: Security update for libtirpc Type: security Severity: important References: 1201680,CVE-2021-46828 This update for libtirpc fixes the following issues: - CVE-2021-46828: Fixed denial of service vulnerability with lots of connections (bsc#1201680). 
----------------------------------------------------------------- Advisory ID: SUSE-RU-2022:3910-1 Released: Tue Nov 8 13:05:04 2022 Summary: Recommended update for pam Type: recommended Severity: moderate References: This update for pam fixes the following issue: - Update pam_motd to the most current version. (PED-1712) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2022:4135-1 Released: Mon Nov 21 00:13:40 2022 Summary: Recommended update for libeconf Type: recommended Severity: moderate References: 1198165 This update for libeconf fixes the following issues: - Update to version 0.4.6+git - econftool: Parsing error: Reporting file and line nr. --delimeters=spaces accepting all kind of spaces for delimiter. - libeconf: Parse files correctly on space characters (1198165) - Update to version 0.4.5+git - econftool: New call 'syntax' for checking the configuration files only. Returns an error string with line number if error. New options '--comment' and '--delimeters' ----------------------------------------------------------------- Advisory ID: SUSE-RU-2023:48-1 Released: Mon Jan 9 10:37:54 2023 Summary: Recommended update for libtirpc Type: recommended Severity: moderate References: 1199467 This update for libtirpc fixes the following issues: - Consider /proc/sys/net/ipv4/ip_local_reserved_ports, before binding to a random port (bsc#1199467) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2023:2765-1 Released: Mon Jul 3 20:28:14 2023 Summary: Security update for libcap Type: security Severity: moderate References: 1211418,1211419,CVE-2023-2602,CVE-2023-2603 This update for libcap fixes the following issues: - CVE-2023-2602: Fixed improper memory release in libcap/psx/psx.c:__wrap_pthread_create() (bsc#1211418). - CVE-2023-2603: Fixed an integer overflow or wraparound in libcap/cap_alloc.c:_libcap_strdup() (bsc#1211419). 
----------------------------------------------------------------- Advisory ID: SUSE-RU-2023:2847-1 Released: Mon Jul 17 08:40:42 2023 Summary: Recommended update for audit Type: recommended Severity: moderate References: 1210004 This update for audit fixes the following issues: - Check for AF_UNIX unnamed sockets (bsc#1210004) - Enable livepatching on main library on x86_64 ----------------------------------------------------------------- Advisory ID: SUSE-RU-2023:3410-1 Released: Thu Aug 24 06:56:32 2023 Summary: Recommended update for audit Type: recommended Severity: moderate References: 1201519,1204844 This update for audit fixes the following issues: - Create symbolic link from /sbin/audisp-syslog to /usr/sbin/audisp-syslog (bsc#1201519) - Fix rules not loaded when restarting auditd.service (bsc#1204844) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2023:3611-1 Released: Fri Sep 15 09:28:36 2023 Summary: Recommended update for sysuser-tools Type: recommended Severity: moderate References: 1195391,1205161,1207778,1213240,1214140 This update for sysuser-tools fixes the following issues: - Update to version 3.2 - Always create a system group of the same name as the system user (bsc#1205161, bsc#1207778, bsc#1213240) - Add 'quilt setup' friendly hint to %sysusers_requires usage - Use append so if a pre file already exists it isn't overridden - Invoke bash for bash scripts (bsc#1195391) - Remove all systemd requires not supported on SLE15 (bsc#1214140) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2023:3954-1 Released: Tue Oct 3 20:09:47 2023 Summary: Security update for libeconf Type: security Severity: important References: 1211078,CVE-2023-22652,CVE-2023-30078,CVE-2023-30079,CVE-2023-32181 This update for libeconf fixes the following issues: Update to version 0.5.2. 
- CVE-2023-30078, CVE-2023-32181: Fixed a stack-buffer-overflow vulnerability in 'econf_writeFile' function (bsc#1211078). - CVE-2023-30079, CVE-2023-22652: Fixed a stack-buffer-overflow vulnerability in 'read_file' function. (bsc#1211078) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2023:4310-1 Released: Tue Oct 31 14:10:47 2023 Summary: Recommended update for libtirpc Type: recommended Severity: moderate References: 1196647 This update for libtirpc to 1.3.4 fixes the following issues: Update to 1.3.4 (bsc#1199467) * binddynport.c honor ip_local_reserved_ports - replaces: binddynport-honor-ip_local_reserved_ports.patch * gss-api: expose gss major/minor error in authgss_refresh() * rpcb_clnt.c: Eliminate double frees in delete_cache() * rpcb_clnt.c: memory leak in destroy_addr * portmapper: allow TCP-only portmapper * getnetconfigent: avoid potential DoS issue by removing unnecessary sleep * clnt_raw.c: fix a possible null pointer dereference * bindresvport.c: fix a potential resource leakage Update to 1.3.3: * Fix DoS vulnerability in libtirpc - replaces: 0001-Fix-DoS-vulnerability-in-libtirpc.patch * _rpc_dtablesize: use portable system call * libtirpc: Fix use-after-free accessing the error number * Fix potential memory leak of parms.r_addr - replaces 0001-fix-parms.r_addr-memory-leak.patch * rpcb_clnt.c add mechanism to try v2 protocol first - replaces: 0001-rpcb_clnt.c-config-to-try-protocolversion-2-first.patch * Eliminate deadlocks in connects with an MT environment * clnt_dg_freeres() uncleared set active state may deadlock * thread safe clnt destruction * SUNRPC: mutexed access blacklist_read state variable * SUNRPC: MT-safe overhaul of address cache management in rpcb_clnt.c Update to 1.3.2: * Replace the final SunRPC licenses with BSD licenses * blacklist: Add a few more well known ports * libtirpc: disallow calling auth_refresh from clnt_call with RPCSEC_GSS Update to 1.3.1: * Remove AUTH_DES interfaces from 
auth_des.h The unsupported AUTH_DES authentication has been compiled out since commit d918e41d889 (Wed Oct 9 2019) replaced by API routines that return errors. * svc_dg: Free xp_netid during destroy * Fix memory management issues of fd locks * libtirpc: replace array with list for per-fd locks * __svc_vc_dodestroy: fix double free of xp_ltaddr.buf * __rpc_dtbsize: rlim_cur instead of rlim_max * pkg-config: use the correct replacements for libdir/includedir ----------------------------------------------------------------- Advisory ID: SUSE-RU-2023:4671-1 Released: Wed Dec 6 14:33:41 2023 Summary: Recommended update for man Type: recommended Severity: moderate References: This update of man fixes the following problem: - The 'man' command is delivered to SUSE Linux Enterprise Micro to allow browsing man pages. ----------------------------------------------------------------- Advisory ID: SUSE-RU-2023:4723-1 Released: Tue Dec 12 09:57:51 2023 Summary: Recommended update for libtirpc Type: recommended Severity: moderate References: 1216862 This update for libtirpc fixes the following issue: - fix sed parsing in specfile (bsc#1216862) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2024:136-1 Released: Thu Jan 18 09:53:47 2024 Summary: Security update for pam Type: security Severity: moderate References: 1217000,1218475,CVE-2024-22365 This update for pam fixes the following issues: - CVE-2024-22365: Fixed a local denial of service during PAM login due to a missing check during path manipulation (bsc#1218475). 
- Check localtime_r() return value to fix crashing (bsc#1217000) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2024:907-1 Released: Fri Mar 15 08:57:38 2024 Summary: Recommended update for audit Type: recommended Severity: moderate References: 1215377 This update for audit fixes the following issue: - Fix plugin termination when using systemd service units (bsc#1215377) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2024:929-1 Released: Tue Mar 19 06:36:24 2024 Summary: Recommended update for coreutils Type: recommended Severity: moderate References: 1219321 This update for coreutils fixes the following issues: - tail: fix tailing sysfs files where PAGE_SIZE > BUFSIZ (bsc#1219321) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2024:1665-1 Released: Thu May 16 08:00:09 2024 Summary: Recommended update for coreutils Type: recommended Severity: moderate References: 1221632 This update for coreutils fixes the following issues: - ls: avoid triggering automounts (bsc#1221632) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2024:2630-1 Released: Tue Jul 30 09:12:44 2024 Summary: Security update for shadow Type: security Severity: important References: 916845,CVE-2013-4235 This update for shadow fixes the following issues: - CVE-2013-4235: Fixed a race condition when copying and removing directory trees (bsc#916845). 
----------------------------------------------------------------- Advisory ID: SUSE-SU-2024:2808-1 Released: Wed Aug 7 09:49:32 2024 Summary: Security update for shadow Type: security Severity: moderate References: 1228770,CVE-2013-4235 This update for shadow fixes the following issues: - Fixed not copying of skel files (bsc#1228770) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2024:2967-1 Released: Mon Aug 19 15:41:29 2024 Summary: Recommended update for pam Type: recommended Severity: moderate References: 1194818 This update for pam fixes the following issue: - Prevent cursor escape from the login prompt (bsc#1194818). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2024:3896-1 Released: Mon Nov 4 12:08:29 2024 Summary: Recommended update for shadow Type: recommended Severity: moderate References: 1230972 This update for shadow fixes the following issues: - Add useradd warnings when requested UID is outside the default range (bsc#1230972) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:1334-1 Released: Thu Apr 17 09:03:05 2025 Summary: Security update for pam Type: security Severity: moderate References: 1232234,CVE-2024-10041 This update for pam fixes the following issues: - CVE-2024-10041: sensitive data exposure while performing authentications. (bsc#1232234) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2013-1 Released: Wed Jun 18 20:05:07 2025 Summary: Security update for pam Type: security Severity: important References: 1243226,1244509,CVE-2025-6018,CVE-2025-6020 This update for pam fixes the following issues: - CVE-2025-6018: pam_env: Change the default to not read the user .pam_environment file (bsc#1243226). - CVE-2025-6020: pam_namespace: convert functions that may operate on a user-controlled path to operate on file descriptors instead of absolute path (bsc#1244509). 
----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2362-1 Released: Fri Jul 18 11:07:24 2025 Summary: Security update for coreutils Type: security Severity: moderate References: 1243767,CVE-2025-5278 This update for coreutils fixes the following issues: - CVE-2025-5278: Fixed heap buffer under-read may lead to a crash or leak sensitive data (bsc#1243767) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2970-1 Released: Mon Aug 25 10:27:57 2025 Summary: Security update for pam Type: security Severity: moderate References: 1232234,1246221,CVE-2024-10041 This update for pam fixes the following issues: - Improve previous CVE-2024-10041 fix which led to CPU performance issues (bsc#1232234) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2026:35-1 Released: Tue Jan 6 09:42:19 2026 Summary: Recommended update for php8 Type: recommended Severity: moderate References: 1255043 This update for php8 fixes the following issues: - main package require wwwrun:www user as it assumes it in filelist (bsc#1255043) The following package changes have been done: - libtirpc-netconfig-1.3.4-150300.3.23.1 added - cracklib-dict-small-2.9.11-150600.1.90 added - libsemanage-conf-3.5-150600.1.48 added - libsepol2-3.5-150600.1.49 added - libattr1-2.4.47-2.19 added - fillup-1.42-2.18 added - libeconf0-0.5.2-150400.3.6.1 added - libcap2-2.63-150400.3.3.1 added - libaudit1-3.0.6-150400.4.16.1 added - login_defs-4.8.1-150600.17.9.1 added - libacl1-2.2.52-4.3.1 added - libcrack2-2.9.11-150600.1.90 added - cracklib-2.9.11-150600.1.90 added - libsemanage2-3.5-150600.1.48 added - grep-3.11-150700.1.8 added - coreutils-8.32-150400.9.9.1 added - diffutils-3.6-4.3.1 added - permissions-20240826-150700.14.4 added - libtirpc3-1.3.4-150300.3.23.1 added - libnsl2-1.2.0-2.44 added - pam-1.3.0-150000.6.86.1 added - shadow-4.8.1-150600.17.9.1 added - sysuser-shadow-3.2-150400.3.5.3 added - 
system-user-wwwrun-20170617-150400.24.2.1 added - php8-cli-8.3.23-150700.3.6.1 updated - php8-8.3.23-150700.3.6.1 updated - php8-openssl-8.3.23-150700.3.6.1 updated - php8-mbstring-8.3.23-150700.3.6.1 updated - php8-zlib-8.3.23-150700.3.6.1 updated - php8-readline-8.3.23-150700.3.6.1 updated - php8-curl-8.3.23-150700.3.6.1 updated - php8-zip-8.3.23-150700.3.6.1 updated - php8-phar-8.3.23-150700.3.6.1 updated - container:registry.suse.com-bci-bci-base-15.7-17d580e01de81ee10782633976ab6983923855d96e8b6342192d8486fa7933cf-0 updated From sle-container-updates at lists.suse.com Tue Jan 6 16:20:48 2026 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Tue, 6 Jan 2026 17:20:48 +0100 (CET) Subject: SUSE-CU-2026:113-1: Security update of bci/python Message-ID: <20260106162048.03F25FB9C@maintenance.suse.de> SUSE Container Update Advisory: bci/python ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2026:113-1 Container Tags : bci/python:3 , bci/python:3.11 , bci/python:3.11.14 , bci/python:3.11.14-80.3 Container Release : 80.3 Severity : important Type : security References : 1254297 1254662 1254878 CVE-2025-13601 CVE-2025-14087 CVE-2025-14512 ----------------------------------------------------------------- The container bci/python was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2026:18-1 Released: Mon Jan 5 11:52:25 2026 Summary: Security update for glib2 Type: security Severity: important References: 1254297,1254662,1254878,CVE-2025-13601,CVE-2025-14087,CVE-2025-14512 This update for glib2 fixes the following issues: - CVE-2025-14512: integer overflow in the GIO `escape_byte_string()` function when processing malicious files or remote filesystem attribute values can lead to denial-of-service (bsc#1254878). 
- CVE-2025-14087: buffer underflow in the GVariant parser `bytestring_parse()` and `string_parse()` functions when processing attacker-influenced data may lead to crash or code execution (bsc#1254662). - CVE-2025-13601: heap-based buffer overflow in the `g_escape_uri_string()` function when processing strings with a large number of unacceptable characters may lead to crash or code execution (bsc#1254297). The following package changes have been done: - libglib-2_0-0-2.78.6-150600.4.25.1 updated - container:registry.suse.com-bci-bci-base-15.7-17d580e01de81ee10782633976ab6983923855d96e8b6342192d8486fa7933cf-0 updated From sle-container-updates at lists.suse.com Tue Jan 6 16:21:12 2026 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Tue, 6 Jan 2026 17:21:12 +0100 (CET) Subject: SUSE-CU-2026:114-1: Security update of bci/python Message-ID: <20260106162112.E2965FB9C@maintenance.suse.de> SUSE Container Update Advisory: bci/python ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2026:114-1 Container Tags : bci/python:3 , bci/python:3.13 , bci/python:3.13.11 , bci/python:3.13.11-82.4 , bci/python:latest Container Release : 82.4 Severity : important Type : security References : 1254297 1254662 1254878 CVE-2025-13601 CVE-2025-14087 CVE-2025-14512 ----------------------------------------------------------------- The container bci/python was updated. 
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2026:18-1 Released: Mon Jan 5 11:52:25 2026 Summary: Security update for glib2 Type: security Severity: important References: 1254297,1254662,1254878,CVE-2025-13601,CVE-2025-14087,CVE-2025-14512 This update for glib2 fixes the following issues: - CVE-2025-14512: integer overflow in the GIO `escape_byte_string()` function when processing malicious files or remote filesystem attribute values can lead to denial-of-service (bsc#1254878). - CVE-2025-14087: buffer underflow in the GVariant parser `bytestring_parse()` and `string_parse()` functions when processing attacker-influenced data may lead to crash or code execution (bsc#1254662). - CVE-2025-13601: heap-based buffer overflow in the `g_escape_uri_string()` function when processing strings with a large number of unacceptable characters may lead to crash or code execution (bsc#1254297). The following package changes have been done: - libglib-2_0-0-2.78.6-150600.4.25.1 updated - container:registry.suse.com-bci-bci-base-15.7-17d580e01de81ee10782633976ab6983923855d96e8b6342192d8486fa7933cf-0 updated From sle-container-updates at lists.suse.com Tue Jan 6 16:21:39 2026 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Tue, 6 Jan 2026 17:21:39 +0100 (CET) Subject: SUSE-CU-2026:115-1: Security update of bci/python Message-ID: <20260106162140.00620FB9C@maintenance.suse.de> SUSE Container Update Advisory: bci/python ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2026:115-1 Container Tags : bci/python:3 , bci/python:3.6 , bci/python:3.6.15 , bci/python:3.6.15-79.4 Container Release : 79.4 Severity : important Type : security References : 1254297 1254662 1254878 CVE-2025-13601 CVE-2025-14087 CVE-2025-14512 ----------------------------------------------------------------- The container 
bci/python was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2026:18-1 Released: Mon Jan 5 11:52:25 2026 Summary: Security update for glib2 Type: security Severity: important References: 1254297,1254662,1254878,CVE-2025-13601,CVE-2025-14087,CVE-2025-14512 This update for glib2 fixes the following issues: - CVE-2025-14512: integer overflow in the GIO `escape_byte_string()` function when processing malicious files or remote filesystem attribute values can lead to denial-of-service (bsc#1254878). - CVE-2025-14087: buffer underflow in the GVariant parser `bytestring_parse()` and `string_parse()` functions when processing attacker-influenced data may lead to crash or code execution (bsc#1254662). - CVE-2025-13601: heap-based buffer overflow in the `g_escape_uri_string()` function when processing strings with a large number of unacceptable characters may lead to crash or code execution (bsc#1254297). 
The following package changes have been done: - libglib-2_0-0-2.78.6-150600.4.25.1 updated - container:registry.suse.com-bci-bci-base-15.7-17d580e01de81ee10782633976ab6983923855d96e8b6342192d8486fa7933cf-0 updated From sle-container-updates at lists.suse.com Tue Jan 6 16:22:15 2026 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Tue, 6 Jan 2026 17:22:15 +0100 (CET) Subject: SUSE-CU-2026:116-1: Security update of bci/ruby Message-ID: <20260106162215.14F3DFB9C@maintenance.suse.de> SUSE Container Update Advisory: bci/ruby ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2026:116-1 Container Tags : bci/ruby:2 , bci/ruby:2.5 , bci/ruby:2.5-21.3 Container Release : 21.3 Severity : important Type : security References : 1254297 1254662 1254878 CVE-2025-13601 CVE-2025-14087 CVE-2025-14512 ----------------------------------------------------------------- The container bci/ruby was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2026:18-1 Released: Mon Jan 5 11:52:25 2026 Summary: Security update for glib2 Type: security Severity: important References: 1254297,1254662,1254878,CVE-2025-13601,CVE-2025-14087,CVE-2025-14512 This update for glib2 fixes the following issues: - CVE-2025-14512: integer overflow in the GIO `escape_byte_string()` function when processing malicious files or remote filesystem attribute values can lead to denial-of-service (bsc#1254878). - CVE-2025-14087: buffer underflow in the GVariant parser `bytestring_parse()` and `string_parse()` functions when processing attacker-influenced data may lead to crash or code execution (bsc#1254662). - CVE-2025-13601: heap-based buffer overflow in the `g_escape_uri_string()` function when processing strings with a large number of unacceptable characters may lead to crash or code execution (bsc#1254297). 
The following package changes have been done: - libglib-2_0-0-2.78.6-150600.4.25.1 updated - container:registry.suse.com-bci-bci-base-15.7-17d580e01de81ee10782633976ab6983923855d96e8b6342192d8486fa7933cf-0 updated From sle-container-updates at lists.suse.com Tue Jan 6 16:22:39 2026 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Tue, 6 Jan 2026 17:22:39 +0100 (CET) Subject: SUSE-CU-2026:117-1: Security update of bci/ruby Message-ID: <20260106162239.D9EB5FB9C@maintenance.suse.de> SUSE Container Update Advisory: bci/ruby ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2026:117-1 Container Tags : bci/ruby:3 , bci/ruby:3.4 , bci/ruby:3.4-20.3 , bci/ruby:latest Container Release : 20.3 Severity : important Type : security References : 1254297 1254662 1254878 CVE-2025-13601 CVE-2025-14087 CVE-2025-14512 ----------------------------------------------------------------- The container bci/ruby was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2026:18-1 Released: Mon Jan 5 11:52:25 2026 Summary: Security update for glib2 Type: security Severity: important References: 1254297,1254662,1254878,CVE-2025-13601,CVE-2025-14087,CVE-2025-14512 This update for glib2 fixes the following issues: - CVE-2025-14512: integer overflow in the GIO `escape_byte_string()` function when processing malicious files or remote filesystem attribute values can lead to denial-of-service (bsc#1254878). - CVE-2025-14087: buffer underflow in the GVariant parser `bytestring_parse()` and `string_parse()` functions when processing attacker-influenced data may lead to crash or code execution (bsc#1254662). - CVE-2025-13601: heap-based buffer overflow in the `g_escape_uri_string()` function when processing strings with a large number of unacceptable characters may lead to crash or code execution (bsc#1254297). 
The following package changes have been done: - libglib-2_0-0-2.78.6-150600.4.25.1 updated - container:registry.suse.com-bci-bci-base-15.7-17d580e01de81ee10782633976ab6983923855d96e8b6342192d8486fa7933cf-0 updated From sle-container-updates at lists.suse.com Tue Jan 6 16:23:05 2026 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Tue, 6 Jan 2026 17:23:05 +0100 (CET) Subject: SUSE-CU-2026:118-1: Security update of bci/bci-sle15-kernel-module-devel Message-ID: <20260106162305.EB960FB9C@maintenance.suse.de> SUSE Container Update Advisory: bci/bci-sle15-kernel-module-devel ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2026:118-1 Container Tags : bci/bci-sle15-kernel-module-devel:15.7 , bci/bci-sle15-kernel-module-devel:15.7-55.4 , bci/bci-sle15-kernel-module-devel:latest Container Release : 55.4 Severity : important Type : security References : 1254297 1254400 1254401 1254662 1254878 1254997 CVE-2025-12084 CVE-2025-13601 CVE-2025-13836 CVE-2025-13837 CVE-2025-14087 CVE-2025-14512 ----------------------------------------------------------------- The container bci/bci-sle15-kernel-module-devel was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2026:18-1 Released: Mon Jan 5 11:52:25 2026 Summary: Security update for glib2 Type: security Severity: important References: 1254297,1254662,1254878,CVE-2025-13601,CVE-2025-14087,CVE-2025-14512 This update for glib2 fixes the following issues: - CVE-2025-14512: integer overflow in the GIO `escape_byte_string()` function when processing malicious files or remote filesystem attribute values can lead to denial-of-service (bsc#1254878). - CVE-2025-14087: buffer underflow in the GVariant parser `bytestring_parse()` and `string_parse()` functions when processing attacker-influenced data may lead to crash or code execution (bsc#1254662). 
- CVE-2025-13601: heap-based buffer overflow in the `g_escape_uri_string()` function when processing strings with a large number of unacceptable characters may lead to crash or code execution (bsc#1254297). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2026:27-1 Released: Mon Jan 5 13:45:08 2026 Summary: Security update for python3 Type: security Severity: moderate References: 1254400,1254401,1254997,CVE-2025-12084,CVE-2025-13836,CVE-2025-13837 This update for python3 fixes the following issues: - CVE-2025-12084: cpython: Fixed quadratic algorithm in xml.dom.minidom leading to denial of service (bsc#1254997) - CVE-2025-13836: Fixed default Content-Length read amount from HTTP response (bsc#1254400) - CVE-2025-13837: Fixed plistlib module denial of service (bsc#1254401) The following package changes have been done: - libglib-2_0-0-2.78.6-150600.4.25.1 updated - python3-base-3.6.15-150300.10.103.1 updated - libpython3_6m1_0-3.6.15-150300.10.103.1 updated - container:registry.suse.com-bci-bci-base-15.7-17d580e01de81ee10782633976ab6983923855d96e8b6342192d8486fa7933cf-0 updated From sle-container-updates at lists.suse.com Tue Jan 6 16:23:38 2026 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Tue, 6 Jan 2026 17:23:38 +0100 (CET) Subject: SUSE-CU-2026:97-1: Security update of bci/spack Message-ID: <20260106162338.B90D2FB9C@maintenance.suse.de> SUSE Container Update Advisory: bci/spack ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2026:97-1 Container Tags : bci/spack:0.23 , bci/spack:0.23.1 , bci/spack:0.23.1-21.2 , bci/spack:latest Container Release : 21.2 Severity : important Type : security References : 1254297 1254662 1254878 CVE-2025-13601 CVE-2025-14087 CVE-2025-14512 ----------------------------------------------------------------- The container bci/spack was updated. 
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2026:18-1 Released: Mon Jan 5 11:52:25 2026 Summary: Security update for glib2 Type: security Severity: important References: 1254297,1254662,1254878,CVE-2025-13601,CVE-2025-14087,CVE-2025-14512 This update for glib2 fixes the following issues: - CVE-2025-14512: integer overflow in the GIO `escape_byte_string()` function when processing malicious files or remote filesystem attribute values can lead to denial-of-service (bsc#1254878). - CVE-2025-14087: buffer underflow in the GVariant parser `bytestring_parse()` and `string_parse()` functions when processing attacker-influenced data may lead to crash or code execution (bsc#1254662). - CVE-2025-13601: heap-based buffer overflow in the `g_escape_uri_string()` function when processing strings with a large number of unacceptable characters may lead to crash or code execution (bsc#1254297). The following package changes have been done: - libgmodule-2_0-0-2.78.6-150600.4.25.1 updated - libgobject-2_0-0-2.78.6-150600.4.25.1 updated - libgio-2_0-0-2.78.6-150600.4.25.1 updated - glib2-tools-2.78.6-150600.4.25.1 updated From sle-container-updates at lists.suse.com Tue Jan 6 16:23:39 2026 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Tue, 6 Jan 2026 17:23:39 +0100 (CET) Subject: SUSE-CU-2026:119-1: Security update of bci/spack Message-ID: <20260106162339.8E51FFB9C@maintenance.suse.de> SUSE Container Update Advisory: bci/spack ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2026:119-1 Container Tags : bci/spack:0.23 , bci/spack:0.23.1 , bci/spack:0.23.1-21.4 , bci/spack:latest Container Release : 21.4 Severity : moderate Type : security References : 1254400 1254401 1254997 CVE-2025-12084 CVE-2025-13836 CVE-2025-13837 ----------------------------------------------------------------- The 
container bci/spack was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2026:27-1 Released: Mon Jan 5 13:45:08 2026 Summary: Security update for python3 Type: security Severity: moderate References: 1254400,1254401,1254997,CVE-2025-12084,CVE-2025-13836,CVE-2025-13837 This update for python3 fixes the following issues: - CVE-2025-12084: cpython: Fixed quadratic algorithm in xml.dom.minidom leading to denial of service (bsc#1254997) - CVE-2025-13836: Fixed default Content-Length read amount from HTTP response (bsc#1254400) - CVE-2025-13837: Fixed plistlib module denial of service (bsc#1254401) The following package changes have been done: - libglib-2_0-0-2.78.6-150600.4.25.1 updated - libpython3_6m1_0-3.6.15-150300.10.103.1 updated - python3-base-3.6.15-150300.10.103.1 updated - container:registry.suse.com-bci-bci-base-15.7-17d580e01de81ee10782633976ab6983923855d96e8b6342192d8486fa7933cf-0 updated From sle-container-updates at lists.suse.com Tue Jan 6 16:24:01 2026 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Tue, 6 Jan 2026 17:24:01 +0100 (CET) Subject: SUSE-CU-2026:120-1: Security update of suse/kiosk/xorg Message-ID: <20260106162401.042BBFB9C@maintenance.suse.de> SUSE Container Update Advisory: suse/kiosk/xorg ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2026:120-1 Container Tags : suse/kiosk/xorg:21 , suse/kiosk/xorg:21.1 , suse/kiosk/xorg:21.1-73.3 , suse/kiosk/xorg:latest , suse/kiosk/xorg:notaskbar Container Release : 73.3 Severity : important Type : security References : 1254297 1254662 1254878 CVE-2025-13601 CVE-2025-14087 CVE-2025-14512 ----------------------------------------------------------------- The container suse/kiosk/xorg was updated. 
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2026:18-1 Released: Mon Jan 5 11:52:25 2026 Summary: Security update for glib2 Type: security Severity: important References: 1254297,1254662,1254878,CVE-2025-13601,CVE-2025-14087,CVE-2025-14512 This update for glib2 fixes the following issues: - CVE-2025-14512: integer overflow in the GIO `escape_byte_string()` function when processing malicious files or remote filesystem attribute values can lead to denial-of-service (bsc#1254878). - CVE-2025-14087: buffer underflow in the GVariant parser `bytestring_parse()` and `string_parse()` functions when processing attacker-influenced data may lead to crash or code execution (bsc#1254662). - CVE-2025-13601: heap-based buffer overflow in the `g_escape_uri_string()` function when processing strings with a large number of unacceptable characters may lead to crash or code execution (bsc#1254297). The following package changes have been done: - libglib-2_0-0-2.78.6-150600.4.25.1 updated - libgobject-2_0-0-2.78.6-150600.4.25.1 updated - libgmodule-2_0-0-2.78.6-150600.4.25.1 updated - libgio-2_0-0-2.78.6-150600.4.25.1 updated - glib2-tools-2.78.6-150600.4.25.1 updated - container:registry.suse.com-bci-bci-micro-15.7-4ea6269b17048f73c022844251731ef4f640fdb9eb72a2ab53ec7f9413b89ee3-0 updated From sle-container-updates at lists.suse.com Tue Jan 6 16:28:11 2026 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Tue, 6 Jan 2026 17:28:11 +0100 (CET) Subject: SUSE-CU-2026:141-1: Security update of suse/manager/4.3/proxy-httpd Message-ID: <20260106162811.127D6FB9C@maintenance.suse.de> SUSE Container Update Advisory: suse/manager/4.3/proxy-httpd ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2026:141-1 Container Tags : suse/manager/4.3/proxy-httpd:4.3.16.2 , suse/manager/4.3/proxy-httpd:4.3.16.2.9.73.6 , 
suse/manager/4.3/proxy-httpd:latest Container Release : 9.73.6 Severity : important Type : security References : 1254400 1254401 1254511 1254512 1254514 1254515 1254997 CVE-2025-12084 CVE-2025-13836 CVE-2025-13837 CVE-2025-55753 CVE-2025-58098 CVE-2025-65082 CVE-2025-66200 ----------------------------------------------------------------- The container suse/manager/4.3/proxy-httpd was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2026:19-1 Released: Mon Jan 5 12:06:21 2026 Summary: Security update for apache2 Type: security Severity: important References: 1254511,1254512,1254514,1254515,CVE-2025-55753,CVE-2025-58098,CVE-2025-65082,CVE-2025-66200 This update for apache2 fixes the following issues: - CVE-2025-55753: Fixed mod_md (ACME) unintended retry intervals (bsc#1254511) - CVE-2025-65082: Fixed CGI environment variable override (bsc#1254514) - CVE-2025-58098: Fixed Server Side Includes adding query string to #exec cmd=... 
(bsc#1254512) - CVE-2025-66200: Fixed mod_userdir+suexec bypass via AllowOverride FileInfo (bsc#1254515) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2026:27-1 Released: Mon Jan 5 13:45:08 2026 Summary: Security update for python3 Type: security Severity: moderate References: 1254400,1254401,1254997,CVE-2025-12084,CVE-2025-13836,CVE-2025-13837 This update for python3 fixes the following issues: - CVE-2025-12084: cpython: Fixed quadratic algorithm in xml.dom.minidom leading to denial of service (bsc#1254997) - CVE-2025-13836: Fixed default Content-Length read amount from HTTP response (bsc#1254400) - CVE-2025-13837: Fixed plistlib module denial of service (bsc#1254401) The following package changes have been done: - python3-base-3.6.15-150300.10.103.1 updated - libpython3_6m1_0-3.6.15-150300.10.103.1 updated - python3-3.6.15-150300.10.103.1 updated - apache2-utils-2.4.51-150400.6.52.1 updated - apache2-2.4.51-150400.6.52.1 updated - apache2-prefork-2.4.51-150400.6.52.1 updated - container:sles15-ltss-image-15.4.0-6.1 updated From sle-container-updates at lists.suse.com Tue Jan 6 16:29:24 2026 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Tue, 6 Jan 2026 17:29:24 +0100 (CET) Subject: SUSE-CU-2026:142-1: Security update of suse/manager/4.3/proxy-salt-broker Message-ID: <20260106162924.4DB7EFB9C@maintenance.suse.de> SUSE Container Update Advisory: suse/manager/4.3/proxy-salt-broker ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2026:142-1 Container Tags : suse/manager/4.3/proxy-salt-broker:4.3.16.2 , suse/manager/4.3/proxy-salt-broker:4.3.16.2.9.63.6 , suse/manager/4.3/proxy-salt-broker:latest Container Release : 9.63.6 Severity : moderate Type : security References : 1254400 1254401 1254997 CVE-2025-12084 CVE-2025-13836 CVE-2025-13837 ----------------------------------------------------------------- The container 
suse/manager/4.3/proxy-salt-broker was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2026:27-1 Released: Mon Jan 5 13:45:08 2026 Summary: Security update for python3 Type: security Severity: moderate References: 1254400,1254401,1254997,CVE-2025-12084,CVE-2025-13836,CVE-2025-13837 This update for python3 fixes the following issues: - CVE-2025-12084: cpython: Fixed quadratic algorithm in xml.dom.minidom leading to denial of service (bsc#1254997) - CVE-2025-13836: Fixed default Content-Length read amount from HTTP response (bsc#1254400) - CVE-2025-13837: Fixed plistlib module denial of service (bsc#1254401) The following package changes have been done: - libpython3_6m1_0-3.6.15-150300.10.103.1 updated - python3-base-3.6.15-150300.10.103.1 updated - python3-3.6.15-150300.10.103.1 updated - container:sles15-ltss-image-15.4.0-6.1 updated From sle-container-updates at lists.suse.com Tue Jan 6 16:31:48 2026 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Tue, 6 Jan 2026 17:31:48 +0100 (CET) Subject: SUSE-CU-2026:144-1: Security update of suse/manager/4.3/proxy-ssh Message-ID: <20260106163148.D6C2CFBA0@maintenance.suse.de> SUSE Container Update Advisory: suse/manager/4.3/proxy-ssh ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2026:144-1 Container Tags : suse/manager/4.3/proxy-ssh:4.3.16.2 , suse/manager/4.3/proxy-ssh:4.3.16.2.9.63.5 , suse/manager/4.3/proxy-ssh:latest Container Release : 9.63.5 Severity : moderate Type : security References : 1254400 1254401 1254997 CVE-2025-12084 CVE-2025-13836 CVE-2025-13837 ----------------------------------------------------------------- The container suse/manager/4.3/proxy-ssh was updated. 
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2026:27-1 Released: Mon Jan 5 13:45:08 2026 Summary: Security update for python3 Type: security Severity: moderate References: 1254400,1254401,1254997,CVE-2025-12084,CVE-2025-13836,CVE-2025-13837 This update for python3 fixes the following issues: - CVE-2025-12084: cpython: Fixed quadratic algorithm in xml.dom.minidom leading to denial of service (bsc#1254997) - CVE-2025-13836: Fixed default Content-Length read amount from HTTP response (bsc#1254400) - CVE-2025-13837: Fixed plistlib module denial of service (bsc#1254401) The following package changes have been done: - libpython3_6m1_0-3.6.15-150300.10.103.1 updated - python3-base-3.6.15-150300.10.103.1 updated - python3-3.6.15-150300.10.103.1 updated - container:sles15-ltss-image-15.4.0-6.1 updated From sle-container-updates at lists.suse.com Tue Jan 6 16:33:21 2026 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Tue, 6 Jan 2026 17:33:21 +0100 (CET) Subject: SUSE-CU-2026:145-1: Security update of suse/manager/4.3/proxy-tftpd Message-ID: <20260106163321.EDC64FBA0@maintenance.suse.de> SUSE Container Update Advisory: suse/manager/4.3/proxy-tftpd ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2026:145-1 Container Tags : suse/manager/4.3/proxy-tftpd:4.3.16.2 , suse/manager/4.3/proxy-tftpd:4.3.16.2.9.63.5 , suse/manager/4.3/proxy-tftpd:latest Container Release : 9.63.5 Severity : moderate Type : security References : 1254400 1254401 1254997 CVE-2025-12084 CVE-2025-13836 CVE-2025-13837 ----------------------------------------------------------------- The container suse/manager/4.3/proxy-tftpd was updated. 
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2026:27-1 Released: Mon Jan 5 13:45:08 2026 Summary: Security update for python3 Type: security Severity: moderate References: 1254400,1254401,1254997,CVE-2025-12084,CVE-2025-13836,CVE-2025-13837 This update for python3 fixes the following issues: - CVE-2025-12084: cpython: Fixed quadratic algorithm in xml.dom.minidom leading to denial of service (bsc#1254997) - CVE-2025-13836: Fixed default Content-Length read amount from HTTP response (bsc#1254400) - CVE-2025-13837: Fixed plistlib module denial of service (bsc#1254401) The following package changes have been done: - libpython3_6m1_0-3.6.15-150300.10.103.1 updated - python3-base-3.6.15-150300.10.103.1 updated - python3-3.6.15-150300.10.103.1 updated - container:sles15-ltss-image-15.4.0-6.1 updated From sle-container-updates at lists.suse.com Tue Jan 6 16:39:42 2026 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Tue, 6 Jan 2026 17:39:42 +0100 (CET) Subject: SUSE-CU-2026:147-1: Security update of suse/sle-micro/5.2/toolbox Message-ID: <20260106163942.176A2FB9C@maintenance.suse.de> SUSE Container Update Advisory: suse/sle-micro/5.2/toolbox ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2026:147-1 Container Tags : suse/sle-micro/5.2/toolbox:14.2 , suse/sle-micro/5.2/toolbox:14.2-7.11.218 , suse/sle-micro/5.2/toolbox:latest Container Release : 7.11.218 Severity : moderate Type : security References : 1254400 1254401 1254997 CVE-2025-12084 CVE-2025-13836 CVE-2025-13837 ----------------------------------------------------------------- The container suse/sle-micro/5.2/toolbox was updated. 
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2026:27-1 Released: Mon Jan 5 13:45:08 2026 Summary: Security update for python3 Type: security Severity: moderate References: 1254400,1254401,1254997,CVE-2025-12084,CVE-2025-13836,CVE-2025-13837 This update for python3 fixes the following issues: - CVE-2025-12084: cpython: Fixed quadratic algorithm in xml.dom.minidom leading to denial of service (bsc#1254997) - CVE-2025-13836: Fixed default Content-Length read amount from HTTP response (bsc#1254400) - CVE-2025-13837: Fixed plistlib module denial of service (bsc#1254401) The following package changes have been done: - libpython3_6m1_0-3.6.15-150300.10.103.1 updated - python3-base-3.6.15-150300.10.103.1 updated From sle-container-updates at lists.suse.com Wed Jan 7 08:13:06 2026 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Wed, 7 Jan 2026 09:13:06 +0100 (CET) Subject: SUSE-CU-2026:147-1: Security update of suse/sle-micro/5.2/toolbox Message-ID: <20260107081306.6FB7BFB9C@maintenance.suse.de> SUSE Container Update Advisory: suse/sle-micro/5.2/toolbox ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2026:147-1 Container Tags : suse/sle-micro/5.2/toolbox:14.2 , suse/sle-micro/5.2/toolbox:14.2-7.11.218 , suse/sle-micro/5.2/toolbox:latest Container Release : 7.11.218 Severity : moderate Type : security References : 1254400 1254401 1254997 CVE-2025-12084 CVE-2025-13836 CVE-2025-13837 ----------------------------------------------------------------- The container suse/sle-micro/5.2/toolbox was updated. 
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2026:27-1 Released: Mon Jan 5 13:45:08 2026 Summary: Security update for python3 Type: security Severity: moderate References: 1254400,1254401,1254997,CVE-2025-12084,CVE-2025-13836,CVE-2025-13837 This update for python3 fixes the following issues: - CVE-2025-12084: cpython: Fixed quadratic algorithm in xml.dom.minidom leading to denial of service (bsc#1254997) - CVE-2025-13836: Fixed default Content-Length read amount from HTTP response (bsc#1254400) - CVE-2025-13837: Fixed plistlib module denial of service (bsc#1254401) The following package changes have been done: - libpython3_6m1_0-3.6.15-150300.10.103.1 updated - python3-base-3.6.15-150300.10.103.1 updated From sle-container-updates at lists.suse.com Wed Jan 7 16:24:59 2026 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Wed, 7 Jan 2026 17:24:59 +0100 (CET) Subject: SUSE-CU-2026:148-1: Security update of private-registry/harbor-trivy-adapter Message-ID: <20260107162459.0C320FB9C@maintenance.suse.de> SUSE Container Update Advisory: private-registry/harbor-trivy-adapter ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2026:148-1 Container Tags : private-registry/harbor-trivy-adapter:1.1.0 , private-registry/harbor-trivy-adapter:1.1.0-1.7 , private-registry/harbor-trivy-adapter:latest Container Release : 1.7 Severity : moderate Type : security References : 1255731 1255732 1255733 1255734 CVE-2025-14524 CVE-2025-14819 CVE-2025-15079 CVE-2025-15224 ----------------------------------------------------------------- The container private-registry/harbor-trivy-adapter was updated. 
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2026:52-1 Released: Wed Jan 7 10:28:34 2026 Summary: Security update for curl Type: security Severity: moderate References: 1255731,1255732,1255733,1255734,CVE-2025-14524,CVE-2025-14819,CVE-2025-15079,CVE-2025-15224 This update for curl fixes the following issues: - CVE-2025-14524: bearer token leak on cross-protocol redirect (bsc#1255731). - CVE-2025-14819: libssh global knownhost override (bsc#1255732). - CVE-2025-15079: libssh key passphrase bypass without agent set (bsc#1255733). - CVE-2025-15224: OpenSSL partial chain store policy bypass (bsc#1255734). The following package changes have been done: - libcurl4-8.14.1-150700.7.8.1 updated From sle-container-updates at lists.suse.com Wed Jan 7 16:26:27 2026 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Wed, 7 Jan 2026 17:26:27 +0100 (CET) Subject: SUSE-IU-2026:14-1: Security update of suse/sl-micro/6.0/rt-os-container Message-ID: <20260107162627.D6D6CFB9C@maintenance.suse.de> SUSE Image Update Advisory: suse/sl-micro/6.0/rt-os-container ----------------------------------------------------------------- Image Advisory ID : SUSE-IU-2026:14-1 Image Tags : suse/sl-micro/6.0/rt-os-container:2.1.3 , suse/sl-micro/6.0/rt-os-container:2.1.3-7.116 , suse/sl-micro/6.0/rt-os-container:latest Image Release : 7.116 Severity : important Type : security References : 1232223 1237888 1243474 1245193 1247076 1247079 1247500 1247509 1249547 1249912 1249982 1250176 1250237 1250252 1250705 1251120 1251786 1252063 1252267 1252303 1252353 1252681 1252763 1252773 1252780 1252794 1252795 1252809 1252817 1252821 1252836 1252845 1252862 1252912 1252917 1252928 1253018 1253176 1253275 1253318 1253324 1253349 1253352 1253355 1253360 1253362 1253363 1253367 1253369 1253393 1253395 1253403 1253407 1253409 1253412 1253416 1253421 1253423 1253424 1253425 
1253427 1253428 1253431 1253436 1253438 1253440 1253441 1253445 1253448 1253449 1253453 1253456 1253472 1253779 CVE-2022-50253 CVE-2023-53676 CVE-2025-21710 CVE-2025-37916 CVE-2025-38359 CVE-2025-38361 CVE-2025-39788 CVE-2025-39805 CVE-2025-39819 CVE-2025-39859 CVE-2025-39944 CVE-2025-39980 CVE-2025-40001 CVE-2025-40021 CVE-2025-40027 CVE-2025-40030 CVE-2025-40038 CVE-2025-40040 CVE-2025-40048 CVE-2025-40055 CVE-2025-40059 CVE-2025-40064 CVE-2025-40070 CVE-2025-40074 CVE-2025-40075 CVE-2025-40083 CVE-2025-40098 CVE-2025-40105 CVE-2025-40107 CVE-2025-40109 CVE-2025-40110 CVE-2025-40111 CVE-2025-40115 CVE-2025-40116 CVE-2025-40118 CVE-2025-40120 CVE-2025-40121 CVE-2025-40127 CVE-2025-40129 CVE-2025-40139 CVE-2025-40140 CVE-2025-40141 CVE-2025-40149 CVE-2025-40154 CVE-2025-40156 CVE-2025-40157 CVE-2025-40159 CVE-2025-40164 CVE-2025-40168 CVE-2025-40169 CVE-2025-40171 CVE-2025-40172 CVE-2025-40173 CVE-2025-40176 CVE-2025-40180 CVE-2025-40183 CVE-2025-40186 CVE-2025-40188 CVE-2025-40194 CVE-2025-40198 CVE-2025-40200 CVE-2025-40204 CVE-2025-40205 CVE-2025-40206 CVE-2025-40207 ----------------------------------------------------------------- The container suse/sl-micro/6.0/rt-os-container was updated. 
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: kernel-230 Released: Wed Jan 7 13:33:45 2026 Summary: Security update for the Linux Kernel Type: security Severity: important References: 1232223,1237888,1243474,1245193,1247076,1247079,1247500,1247509,1249547,1249912,1249982,1250176,1250237,1250252,1250705,1251120,1251786,1252063,1252267,1252303,1252353,1252681,1252763,1252773,1252780,1252794,1252795,1252809,1252817,1252821,1252836,1252845,1252862,1252912,1252917,1252928,1253018,1253176,1253275,1253318,1253324,1253349,1253352,1253355,1253360,1253362,1253363,1253367,1253369,1253393,1253395,1253403,1253407,1253409,1253412,1253416,1253421,1253423,1253424,1253425,1253427,1253428,1253431,1253436,1253438,1253440,1253441,1253445,1253448,1253449,1253453,1253456,1253472,1253779,CVE-2022-50253,CVE-2023-53676,CVE-2025-21710,CVE-2025-37916,CVE-2025-38359,CVE-2025-38361,CVE-2025-39788,CVE-2025-39805,CVE-2025-39819,CVE-2025-39859,CVE-2025-39944,CVE-2025-39980,CVE-2025-40001,CVE-2025-40021,CVE-2025-40027,CVE-2025-40030,CVE-2025-40038,CVE-2025-40040,CVE-2025-40048,CVE-2025-40055,CVE-2025-40059,CVE-2025-40064,CVE-2025-40070,CVE-2025-40074,CVE-2025-40075,CVE-2025-40083,CVE-2025-40098,CVE-2025-40105,CVE-2025-40107,CVE-2025-40109,CVE-2025-40110,CVE-2025-40111,CVE-2025-40115,CVE-2025-40116,CVE-2025-40118,CVE-2025-40120,CVE-2025-40121,CVE-2025-40127,CVE-2025-40129,CVE-2025-40139,CVE-2025-40140,CVE-2025-40141,CVE-2025-40149,CVE-2025-40154,CVE-2025-40156,CVE-2025-40157,CVE-2025-40159,CVE-2025-40164,CVE-2025-40168,CVE-2025-40169,CVE-2025-40171,CVE-2025-40172,CVE-2025-40173,CVE-2025-40176,CVE-2025-40180,CVE-2025-40183,CVE-2025-40186,CVE-2025-40188,CVE-2025-40194,CVE-2025-40198,CVE-2025-40200,CVE-2025-40204,CVE-2025-40205,CVE-2025-40206,CVE-2025-40207 The SUSE Linux Enterprise Micro 6.0 and 6.1 RT kernel was updated to receive various security bugfixes. 
The following security bugs were fixed: - CVE-2022-50253: bpf: make sure skb->len != 0 when redirecting to a tunneling device (bsc#1249912). - CVE-2023-53676: scsi: target: iscsi: Fix buffer overflow in lio_target_nacl_info_show() (bsc#1251786). - CVE-2025-21710: tcp: correct handling of extreme memory squeeze (bsc#1237888). - CVE-2025-37916: pds_core: remove write-after-free of client_id (bsc#1243474). - CVE-2025-38359: s390/mm: Fix in_atomic() handling in do_secure_storage_access() (bsc#1247076). - CVE-2025-38361: drm/amd/display: Check dce_hwseq before dereferencing it (bsc#1247079). - CVE-2025-39788: scsi: ufs: exynos: Fix programming of HCI_UTRL_NEXUS_TYPE (bsc#1249547). - CVE-2025-39805: net: macb: fix unregister_netdev call order in macb_remove() (bsc#1249982). - CVE-2025-39819: fs/smb: Fix inconsistent refcnt update (bsc#1250176). - CVE-2025-39859: ptp: ocp: fix use-after-free bugs causing by ptp_ocp_watchdog (bsc#1250252). - CVE-2025-39944: octeontx2-pf: Fix use-after-free bugs in otx2_sync_tstamp() (bsc#1251120). - CVE-2025-39980: nexthop: Forbid FDB status change while nexthop is in a group (bsc#1252063). - CVE-2025-40001: scsi: mvsas: Fix use-after-free bugs in mvs_work_queue (bsc#1252303). - CVE-2025-40021: tracing: dynevent: Add a missing lockdown check on dynevent (bsc#1252681). - CVE-2025-40027: net/9p: fix double req put in p9_fd_cancelled (bsc#1252763). - CVE-2025-40030: pinctrl: check the return value of pinmux_ops::get_function_name() (bsc#1252773). - CVE-2025-40038: KVM: SVM: Skip fastpath emulation on VM-Exit if next RIP isn't valid (bsc#1252817). - CVE-2025-40040: mm/ksm: fix flag-dropping behavior in ksm_madvise (bsc#1252780). - CVE-2025-40048: uio_hv_generic: Let userspace take care of interrupt mask (bsc#1252862). - CVE-2025-40055: ocfs2: fix double free in user_cluster_connect() (bsc#1252821). - CVE-2025-40059: coresight: Fix incorrect handling for return value of devm_kzalloc (bsc#1252809). 
- CVE-2025-40064: smc: Fix use-after-free in __pnet_find_base_ndev() (bsc#1252845). - CVE-2025-40070: pps: fix warning in pps_register_cdev when register device fail (bsc#1252836). - CVE-2025-40074: net: dst_cache: annotate data-races around dst_cache->reset_ts (bsc#1252794). - CVE-2025-40075: tcp_metrics: use dst_dev_net_rcu() (bsc#1252795). - CVE-2025-40083: net/sched: sch_qfq: Fix null-deref in agg_dequeue (bsc#1252912). - CVE-2025-40098: ALSA: hda: cs35l41: Fix NULL pointer dereference in cs35l41_get_acpi_mute_state() (bsc#1252917). - CVE-2025-40105: vfs: Don't leak disconnected dentries on umount (bsc#1252928). - CVE-2025-40139: smc: Use __sk_dst_get() and dst_dev_rcu() in in smc_clc_prfx_set() (bsc#1253409). - CVE-2025-40149: tls: Use __sk_dst_get() and dst_dev_rcu() in get_netdev_for_sock() (bsc#1253355). - CVE-2025-40159: xsk: Harden userspace-supplied xdp_desc validation (bsc#1253403). - CVE-2025-40168: smc: Use __sk_dst_get() and dst_dev_rcu() in smc_clc_prfx_match() (bsc#1253427). - CVE-2025-40169: bpf: Reject negative offsets for ALU ops (bsc#1253416). - CVE-2025-40173: net/ip6_tunnel: Prevent perpetual tunnel growth (bsc#1253421). - CVE-2025-40176: tls: wait for pending async decryptions if tls_strp_msg_hold fails (bsc#1253425). - CVE-2025-40204: sctp: Fix MAC comparison to be constant-time (bsc#1253436). - CVE-2025-40206: Add missing bugzilla reference to net fix (bsc#1250237 bsc#1253393). The following non-security bugs were fixed: - ACPI: CPPC: Check _CPC validity for only the online CPUs (git-fixes). - ACPI: CPPC: Limit perf ctrs in PCC check only to online CPUs (git-fixes). - ACPI: CPPC: Perform fast check switch only for online CPUs (git-fixes). - ACPI: PRM: Skip handlers with NULL handler_address or NULL VA (stable-fixes). - ACPI: SBS: Fix present test in acpi_battery_read() (git-fixes). - ACPI: property: Return present device nodes only on fwnode interface (stable-fixes). 
- ACPI: scan: Add Intel CVS ACPI HIDs to acpi_ignore_dep_ids (stable-fixes). - ACPICA: Update dsmethod.c to get rid of unused variable warning (stable-fixes). - ACPICA: dispatcher: Use acpi_ds_clear_operands() in acpi_ds_call_control_method() (stable-fixes). - ALSA: hda: Fix missing pointer check in hda_component_manager_init function (git-fixes). - ALSA: serial-generic: remove shared static buffer (stable-fixes). - ALSA: usb-audio: Add validation of UAC2/UAC3 effect units (stable-fixes). - ALSA: usb-audio: Fix NULL pointer dereference in snd_usb_mixer_controls_badd (git-fixes). - ALSA: usb-audio: Fix potential overflow of PCM transfer buffer (stable-fixes). - ALSA: usb-audio: add mono main switch to Presonus S1824c (stable-fixes). - ALSA: usb-audio: apply quirk for MOONDROP Quark2 (stable-fixes). - ALSA: usb-audio: do not log messages meant for 1810c when initializing 1824c (git-fixes). - ALSA: usb-audio: fix uac2 clock source at terminal parser (git-fixes). - ASoC: codecs: va-macro: fix resource leak in probe error path (git-fixes). - ASoC: cs4271: Fix regulator leak on probe failure (git-fixes). - ASoC: max98090/91: fixed max98091 ALSA widget powering up/down (stable-fixes). - ASoC: meson: aiu-encoder-i2s: fix bit clock polarity (stable-fixes). - ASoC: qcom: sc8280xp: explicitly set S16LE format in sc8280xp_be_hw_params_fixup() (stable-fixes). - ASoC: stm32: sai: manage context in set_sysclk callback (stable-fixes). - ASoC: tlv320aic3x: Fix class-D initialization for tlv320aic3007 (stable-fixes). - Bluetooth: 6lowpan: Do not hold spin lock over sleeping functions (git-fixes). - Bluetooth: 6lowpan: add missing l2cap_chan_lock() (git-fixes). - Bluetooth: 6lowpan: fix BDADDR_LE vs ADDR_LE_DEV address type confusion (git-fixes). - Bluetooth: 6lowpan: reset link-local header on ipv6 recv path (git-fixes). - Bluetooth: L2CAP: export l2cap_chan_hold for modules (stable-fixes). - Bluetooth: MGMT: cancel mesh send timer when hdev removed (git-fixes). 
- Bluetooth: SCO: Fix UAF on sco_conn_free (stable-fixes). - Bluetooth: bcsp: receive data only if registered (stable-fixes). - Bluetooth: btrtl: Fix memory leak in rtlbt_parse_firmware_v2() (git-fixes). - Bluetooth: btusb: Check for unexpected bytes when defragmenting HCI frames (stable-fixes). - Bluetooth: btusb: reorder cleanup in btusb_disconnect to avoid UAF (git-fixes). - Bluetooth: hci_event: validate skb length for unknown CC opcode (git-fixes). - Documentation: ACPI: i2c-muxes: fix I2C device references (git-fixes). - Drivers: hv: vmbus: Add utility function for querying ring size (git-fixes). - HID: amd_sfh: Stop sensor before starting (git-fixes). - HID: hid-ntrig: Prevent memory leak in ntrig_report_version() (git-fixes). - HID: quirks: avoid Cooler Master MM712 dongle wakeup bug (stable-fixes). - HID: quirks: work around VID/PID conflict for 0x4c4a/0x4155 (git-fixes). - HID: uclogic: Fix potential memory leak in error path (git-fixes). - Input: atmel_mxt_ts - allow reset GPIO to sleep (stable-fixes). - Input: imx_sc_key - fix memory corruption on unload (git-fixes). - Input: pegasus-notetaker - fix potential out-of-bounds access (git-fixes). - KVM: Pass new routing entries and irqfd when updating IRTEs (git-fixes). - KVM: SVM: Delete IRTE link from previous vCPU before setting new IRTE (git-fixes). - KVM: SVM: Delete IRTE link from previous vCPU irrespective of new routing (git-fixes). - KVM: SVM: Emulate PERF_CNTR_GLOBAL_STATUS_SET for PerfMonV2 (git-fixes). - KVM: SVM: Mark VMCB_LBR dirty when MSR_IA32_DEBUGCTLMSR is updated (git-fixes). - KVM: SVM: Re-load current, not host, TSC_AUX on #VMEXIT from SEV-ES guest (git-fixes). - KVM: SVM: Track per-vCPU IRTEs using kvm_kernel_irqfd structure (git-fixes). - KVM: SVM: WARN if an invalid posted interrupt IRTE entry is added (git-fixes). - KVM: VMX: Allow guest to set DEBUGCTL.RTM_DEBUG if RTM is supported (git-fixes). 
- KVM: VMX: Apply MMIO Stale Data mitigation if KVM maps MMIO into the guest (git-fixes). - KVM: VMX: Fix check for valid GVA on an EPT violation (git-fixes). - KVM: VMX: Preserve host's DEBUGCTLMSR_FREEZE_IN_SMM while running the guest (git-fixes). - KVM: VMX: Wrap all accesses to IA32_DEBUGCTL with getter/setter APIs (git-fixes). - KVM: nVMX: Check vmcs12->guest_ia32_debugctl on nested VM-Enter (git-fixes). - KVM: x86/mmu: Locally cache whether a PFN is host MMIO when making a SPTE (git-fixes). - KVM: x86: Add helper to retrieve current value of user return MSR (git-fixes). - KVM: x86: Convert vcpu_run()'s immediate exit param into a generic bitmap (git-fixes). - KVM: x86: Do not treat ENTER and LEAVE as branches, because they are not (git-fixes). - KVM: x86: Drop kvm_x86_ops.set_dr6() in favor of a new KVM_RUN flag (git-fixes). - NFS4: Fix state renewals missing after boot (git-fixes). - NFS: check if suid/sgid was cleared after a write as needed (git-fixes). - NFSD: Never cache a COMPOUND when the SEQUENCE operation fails (git-fixes). - NFSD: Skip close replay processing if XDR encoding fails (git-fixes). - NFSD: free copynotify stateid in nfs4_free_ol_stateid() (git-fixes). - NFSv4.1: fix mount hang after CREATE_SESSION failure (git-fixes). - NFSv4: handle ERR_GRACE on delegation recalls (git-fixes). - PCI/P2PDMA: Fix incorrect pointer usage in devm_kfree() call (stable-fixes). - PCI/PM: Skip resuming to D0 if device is disconnected (stable-fixes). - PCI: Disable MSI on RDC PCI to PCIe bridges (stable-fixes). - PCI: cadence: Check for the existence of cdns_pcie::ops before using it (stable-fixes). - PCI: dwc: Verify the single eDMA IRQ in dw_pcie_edma_irq_verify() (stable-fixes). - PCI: j721e: Fix incorrect error message in probe() (git-fixes). - PCI: rcar-host: Convert struct rcar_msi mask_lock into raw spinlock (git-fixes). - PCI: tegra194: Reset BARs when running in PCIe endpoint mode (git-fixes). 
- RDMA/bnxt_re: Do not fail destroy QP and cleanup debugfs earlier (git-fixes) - RDMA/bnxt_re: Fix a potential memory leak in destroy_gsi_sqp (git-fixes) - RDMA/hns: Fix recv CQ and QP cache affinity (git-fixes) - RDMA/hns: Fix the modification of max_send_sge (git-fixes) - RDMA/hns: Fix wrong WQE data when QP wraps around (git-fixes) - RDMA/irdma: Fix SD index calculation (git-fixes) - RDMA/irdma: Set irdma_cq cq_num field during CQ create (git-fixes) - Revert 'drm/tegra: dsi: Clear enable register if powered by bootloader' (git-fixes). - Revert 'wifi: ath10k: avoid unnecessary wait for service ready message' (git-fixes). - accel/habanalabs/gaudi2: fix BMON disable configuration (stable-fixes). - accel/habanalabs/gaudi2: read preboot status after recovering from dirty state (stable-fixes). - accel/habanalabs: return ENOMEM if less than requested pages were pinned (stable-fixes). - accel/habanalabs: support mapping cb with vmalloc-backed coherent memory (stable-fixes). - acpi,srat: Fix incorrect device handle check for Generic Initiator (git-fixes). - amd/amdkfd: resolve a race in amdgpu_amdkfd_device_fini_sw (stable-fixes). - block: avoid possible overflow for chunk_sectors check in blk_stack_limits() (git-fixes). - block: fix kobject double initialization in add_disk (git-fixes). - btrfs: abort transaction on failure to add link to inode (git-fixes). - btrfs: avoid page_lockend underflow in btrfs_punch_hole_lock_range() (git-fix). - btrfs: avoid using fixed char array size for tree names (git-fix). - btrfs: do not update last_log_commit when logging inode due to a new name (git-fixes). - btrfs: fix COW handling in run_delalloc_nocow() (git-fix). - btrfs: fix inode leak on failure to add link to inode (git-fixes). - btrfs: make btrfs_clear_delalloc_extent() free delalloc reserve (git-fix). - btrfs: mark dirty extent range for out of bound prealloc extents (git-fixes). - btrfs: qgroup: correctly model root qgroup rsv in convert (git-fix). 
- btrfs: rename err to ret in btrfs_link() (git-fixes). - btrfs: run btrfs_error_commit_super() early (git-fix). - btrfs: scrub: put bio after errors in scrub_raid56_parity_stripe() (git-fix). - btrfs: scrub: put bio after errors in scrub_raid56_parity_stripe() (git-fixes). - btrfs: send: fix duplicated rmdir operations when using extrefs (git-fixes). - btrfs: set inode flag BTRFS_INODE_COPY_EVERYTHING when logging new name (git-fixes). - btrfs: simplify error handling logic for btrfs_link() (git-fixes). - btrfs: tree-checker: add dev extent item checks (git-fix). - btrfs: tree-checker: add type and sequence check for inline backrefs (git-fix). - btrfs: tree-checker: fix the wrong output of data backref objectid (git-fix). - btrfs: tree-checker: reject BTRFS_FT_UNKNOWN dir type (git-fix). - btrfs: tree-checker: validate dref root and objectid (git-fix). - btrfs: use smp_mb__after_atomic() when forcing COW in create_pending_snapshot() (git-fixes). - char: misc: Does not request module for miscdevice with dynamic minor (stable-fixes). - char: misc: Make misc_register() reentry for miscdevice who wants dynamic minor (stable-fixes). - char: misc: restrict the dynamic range to exclude reserved minors (stable-fixes). - cramfs: Verify inode mode when loading from disk (git-fixes). - crypto: aspeed - fix double free caused by devm (git-fixes). - crypto: aspeed-acry - Convert to platform remove callback returning void (stable-fixes). - crypto: hisilicon/qm - Fix device reference leak in qm_get_qos_value (git-fixes). - crypto: iaa - Do not clobber req->base.data (git-fixes). - crypto: qat - use kcalloc() in qat_uclo_map_objs_from_mof() (stable-fixes). - dmaengine: dw-edma: Set status for callback_result (stable-fixes). - dmaengine: mv_xor: match alloc_wc and free_wc (stable-fixes). - drm/amd/display: Add AVI infoframe copy in copy_stream_update_to_stream (stable-fixes). - drm/amd/display: Disable VRR on DCE 6 (stable-fixes). 
- drm/amd/display: Fix DVI-D/HDMI adapters (stable-fixes). - drm/amd/display: Fix NULL deref in debugfs odm_combine_segments (git-fixes). - drm/amd/display: Fix black screen with HDMI outputs (git-fixes). - drm/amd/display: Increase AUX Intra-Hop Done Max Wait Duration (stable-fixes). - drm/amd/display: add more cyan skillfish devices (stable-fixes). - drm/amd/display: ensure committing streams is seamless (stable-fixes). - drm/amd/display: update dpp/disp clock from smu clock table (stable-fixes). - drm/amd/pm: Disable MCLK switching on SI at high pixel clocks (stable-fixes). - drm/amd/pm: Use cached metrics data on aldebaran (stable-fixes). - drm/amd/pm: Use cached metrics data on arcturus (stable-fixes). - drm/amd: Avoid evicting resources at S5 (stable-fixes). - drm/amd: Fix suspend failure with secure display TA (git-fixes). - drm/amd: add more cyan skillfish PCI ids (stable-fixes). - drm/amdgpu/jpeg: Hold pg_lock before jpeg poweroff (stable-fixes). - drm/amdgpu: Allow kfd CRIU with no buffer objects (stable-fixes). - drm/amdgpu: Fix NULL pointer dereference in VRAM logic for APU devices (stable-fixes). - drm/amdgpu: Use memdup_array_user in amdgpu_cs_wait_fences_ioctl (stable-fixes). - drm/amdgpu: add support for cyan skillfish gpu_info (stable-fixes). - drm/amdgpu: do not enable SMU on cyan skillfish (stable-fixes). - drm/amdgpu: reject gang submissions under SRIOV (stable-fixes). - drm/amdkfd: Handle lack of READ permissions in SVM mapping (stable-fixes). - drm/amdkfd: Tie UNMAP_LATENCY to queue_preemption (stable-fixes). - drm/amdkfd: fix vram allocation failure for a special case (stable-fixes). - drm/amdkfd: return -ENOTTY for unsupported IOCTLs (stable-fixes). - drm/bridge: cdns-dsi: Do not fail on MIPI_DSI_MODE_VIDEO_BURST (stable-fixes). - drm/bridge: cdns-dsi: Fix REG_WAKEUP_TIME value (stable-fixes). - drm/bridge: display-connector: do not set OP_DETECT for DisplayPorts (stable-fixes). 
- drm/i915: Avoid lock inversion when pinning to GGTT on CHV/BXT+VTD (git-fixes). - drm/i915: Fix conversion between clock ticks and nanoseconds (git-fixes). - drm/msm/dsi/phy: Toggle back buffer resync after preparing PLL (stable-fixes). - drm/msm/dsi/phy_7nm: Fix missing initial VCO rate (stable-fixes). - drm/msm: make sure to not queue up recovery more than once (stable-fixes). - drm/nouveau: replace snprintf() with scnprintf() in nvkm_snprintbf() (stable-fixes). - drm/sched: Fix deadlock in drm_sched_entity_kill_jobs_cb (git-fixes). - drm/tegra: Add call to put_pid() (git-fixes). - drm/tegra: dc: Fix reference leak in tegra_dc_couple() (git-fixes). - drm/tidss: Set crtc modesetting parameters with adjusted mode (stable-fixes). - drm/tidss: Use the crtc_* timings when programming the HW (stable-fixes). - drm/vmwgfx: Validate command header size against SVGA_CMD_MAX_DATASIZE (git-fixes). - exfat: limit log print for IO error (git-fixes). - extcon: adc-jack: Cleanup wakeup source only if it was enabled (git-fixes). - extcon: adc-jack: Fix wakeup source leaks on device unbind (stable-fixes). - fbcon: Set fb_display[i]->mode to NULL when the mode is released (stable-fixes). - fbdev: Add bounds checking in bit_putcs to fix vmalloc-out-of-bounds (stable-fixes). - fbdev: bitblit: bound-check glyph index in bit_putcs* (stable-fixes). - fbdev: pvr2fb: Fix leftover reference to ONCHIP_NR_DMA_CHANNELS (stable-fixes). - hwmon: (asus-ec-sensors) increase timeout for locking ACPI mutex (stable-fixes). - hwmon: (dell-smm) Add support for Dell OptiPlex 7040 (stable-fixes). - hwmon: (k10temp) Add device ID for Strix Halo (stable-fixes). - hwmon: (k10temp) Add thermal support for AMD Family 1Ah-based models (stable-fixes). - hwmon: (sbtsi_temp) AMD CPU extended temperature range support (stable-fixes). - hwmon: sy7636a: add alias (stable-fixes). - iio: adc: imx93_adc: load calibrated values even calibration failed (stable-fixes). 
- iio: adc: spear_adc: mask SPEAR_ADC_STATUS channel and avg sample before setting register (stable-fixes). - ima: do not clear IMA_DIGSIG flag when setting or removing non-IMA xattr (stable-fixes). - iommu/amd: Return an error if vCPU affinity is set for non-vCPU IRTE (git-fixes). - isdn: mISDN: hfcsusb: fix memory leak in hfcsusb_probe() (git-fixes). - jfs: Verify inode mode when loading from disk (git-fixes). - jfs: fix uninitialized waitqueue in transaction manager (git-fixes). - kABI fix for KVM: VMX: Apply MMIO Stale Data mitigation if KVM maps MMIO into the guest (git-fixes) (git-fixes). - lib/crypto: curve25519-hacl64: Fix older clang KASAN workaround for GCC (git-fixes). - md/raid1: fix data lost for writemostly rdev (git-fixes). - md: fix mssing blktrace bio split events (git-fixes). - media: adv7180: Add missing lock in suspend callback (stable-fixes). - media: adv7180: Do not write format to device in set_fmt (stable-fixes). - media: adv7180: Only validate format in querystd (stable-fixes). - media: amphion: Delete v4l2_fh synchronously in .release() (stable-fixes). - media: fix uninitialized symbol warnings (stable-fixes). - media: i2c: Kconfig: Ensure a dependency on HAVE_CLK for VIDEO_CAMERA_SENSOR (stable-fixes). - media: i2c: og01a1b: Specify monochrome media bus format instead of Bayer (stable-fixes). - media: imon: make send_packet() more robust (stable-fixes). - media: ov08x40: Fix the horizontal flip control (stable-fixes). - media: redrat3: use int type to store negative error codes (stable-fixes). - media: uvcvideo: Use heuristic to find stream entity (git-fixes). - memstick: Add timeout to prevent indefinite waiting (stable-fixes). - mfd: da9063: Split chip variant reading in two bus transactions (stable-fixes). - mfd: madera: Work around false-positive -Wininitialized warning (stable-fixes). - mfd: stmpe-i2c: Add missing MODULE_LICENSE (stable-fixes). - mfd: stmpe: Remove IRQ domain upon removal (stable-fixes). 
- minixfs: Verify inode mode when loading from disk (git-fixes). - mm/mm_init: fix hash table order logging in alloc_large_system_hash() (git-fixes). - mm/secretmem: fix use-after-free race in fault handler (git-fixes). - mmc: host: renesas_sdhi: Fix the actual clock (stable-fixes). - mmc: sdhci-msm: Enable tuning for SDR50 mode for SD card (stable-fixes). - mmc: sdhci-of-dwcmshc: Change DLL_STRBIN_TAPNUM_DEFAULT to 0x4 (git-fixes). - mtd: onenand: Pass correct pointer to IRQ handler (git-fixes). - mtd: rawnand: cadence: fix DMA device NULL pointer dereference (git-fixes). - mtdchar: fix integer overflow in read/write ioctls (git-fixes). - net/mana: fix warning in the writer of client oob (git-fixes). - net/smc: Remove validation of reserved bits in CLC Decline message (bsc#1253779). - net: nfc: nci: Increase NCI_DATA_TIMEOUT to 3000 ms (stable-fixes). - net: phy: clear link parameters on admin link down (stable-fixes). - net: phy: fixed_phy: let fixed_phy_unregister free the phy_device (stable-fixes). - net: phy: marvell: Fix 88e1510 downshift counter errata (stable-fixes). - net: tcp: send zero-window ACK when no memory (bsc#1253779). - net: usb: qmi_wwan: initialize MAC header offset in qmimux_rx_fixup (git-fixes). - nfs4_setup_readdir(): insufficient locking for ->d_parent->d_inode dereferencing (git-fixes). - nfsd: do not defer requests during idmap lookup in v4 compound decode (bsc#1232223). - nfsd: fix return error codes for nfsd_map_name_to_id (bsc#1232223). - nouveau/firmware: Add missing kfree() of nvkm_falcon_fw::boot (git-fixes). - perf script: add --addr2line option (bsc#1247509). - phy: cadence: cdns-dphy: Enable lower resolutions in dphy (stable-fixes). - phy: renesas: r8a779f0-ether-serdes: add new step added to latest datasheet (stable-fixes). - phy: rockchip: phy-rockchip-inno-csidphy: allow writes to grf register 0 (stable-fixes). - pinctrl: s32cc: fix uninitialized memory in s32_pinctrl_desc (git-fixes). 
- pinctrl: s32cc: initialize gpio_pin_config::list after kmalloc() (git-fixes). - pinctrl: single: fix bias pull up/down handling in pin_config_set (stable-fixes). - platform/x86/intel/speed_select_if: Convert PCIBIOS_* return codes to errnos (git-fixes). - power: supply: qcom_battmgr: add OOI chemistry (stable-fixes). - power: supply: qcom_battmgr: handle charging state change notifications (stable-fixes). - power: supply: sbs-charger: Support multiple devices (stable-fixes). - regulator: fixed: fix GPIO descriptor leak on register failure (git-fixes). - rtc: rx8025: fix incorrect register reference (git-fixes). - s390/mm,fault: simplify kfence fault handling (bsc#1247076). - scsi: Fix sas_user_scan() to handle wildcard and multi-channel scans (git-fixes). - scsi: aacraid: Stop using PCI_IRQ_AFFINITY (git-fixes). - scsi: core: sysfs: Correct sysfs attributes access rights (git-fixes). - scsi: hpsa: Fix potential memory leak in hpsa_big_passthru_ioctl() (git-fixes). - scsi: libfc: Prevent integer overflow in fc_fcp_recv_data() (git-fixes). - scsi: mpi3mr: Correctly handle ATA device errors (git-fixes). - scsi: mpi3mr: Drop unnecessary volatile from __iomem pointers (git-fixes). - scsi: mpt3sas: Correctly handle ATA device errors (git-fixes). - scsi: mpt3sas: Fix crash in transport port remove by using ioc_info() (git-fixes). - scsi: pm80xx: Fix array-index-out-of-of-bounds on rmmod (git-fixes). - scsi: storvsc: Prefer returning channel with the same CPU as on the I/O issuing CPU (bsc#1252267). - selftests/bpf: Close fd in error path in drop_on_reuseport (git-fixes). - selftests/bpf: Close obj in error path in xdp_adjust_tail (git-fixes). - selftests/bpf: Fix missing ARRAY_SIZE() definition in bench.c (git-fixes). - selftests/bpf: Fix missing BUILD_BUG_ON() declaration (git-fixes). - selftests/bpf: Fix missing UINT_MAX definitions in benchmarks (git-fixes). - selftests/bpf: Fix string read in strncmp benchmark (git-fixes). 
- selftests/bpf: Use pid_t consistently in test_progs.c (git-fixes). - selftests/bpf: fix signedness bug in redir_partial() (git-fixes). - serial: 8250_exar: add support for Advantech 2 port card with Device ID 0x0018 (git-fixes). - serial: 8250_mtk: Enable baud clock and manage in runtime PM (git-fixes). - soc/tegra: fuse: Add Tegra114 nvmem cells and fuse lookups (stable-fixes). - soc: aspeed: socinfo: Add AST27xx silicon IDs (stable-fixes). - soc: qcom: smem: Fix endian-unaware access of num_entries (stable-fixes). - spi: Try to get ACPI GPIO IRQ earlier (git-fixes). - spi: loopback-test: Do not use %pK through printk (stable-fixes). - spi: rpc-if: Add resume support for RZ/G3E (stable-fixes). - strparser: Fix signed/unsigned mismatch bug (git-fixes). - tcp_bpf: Call sk_msg_free() when tcp_bpf_send_verdict() fails to allocate psock->cork (bsc#1250705). - thunderbolt: Use is_pciehp instead of is_hotplug_bridge (stable-fixes). - tools/cpupower: Fix incorrect size in cpuidle_state_disable() (stable-fixes). - tools/cpupower: fix error return value in cpupower_write_sysfs() (stable-fixes). - tools/power x86_energy_perf_policy: Enhance HWP enable (stable-fixes). - tools/power x86_energy_perf_policy: Fix incorrect fopen mode usage (stable-fixes). - tools/power x86_energy_perf_policy: Prefer driver HWP limits (stable-fixes). - tools: lib: thermal: do not preserve owner in install (stable-fixes). - tools: lib: thermal: use pkg-config to locate libnl3 (stable-fixes). - uio_hv_generic: Query the ringbuffer size for device (git-fixes). - usb/core/quirks: Add Huawei ME906S to wakeup quirk (git-fixes). - usb: cdns3: gadget: Use-after-free during failed initialization and exit of cdnsp gadget (stable-fixes). - usb: gadget: f_fs: Fix epfile null pointer access after ep enable (stable-fixes). - usb: gadget: f_hid: Fix zero length packet transfer (stable-fixes). - usb: gadget: f_ncm: Fix MAC assignment NCM ethernet (stable-fixes). 
- usb: mon: Increase BUFF_MAX to 64 MiB to support multi-MB URBs (stable-fixes). - usb: xhci: plat: Facilitate using autosuspend for xhci plat devices (stable-fixes). - video: backlight: lp855x_bl: Set correct EPROM start for LP8556 (stable-fixes). - watchdog: s3c2410_wdt: Fix max_timeout being calculated larger (stable-fixes). - wifi: ath10k: Fix connection after GTK rekeying (stable-fixes). - wifi: ath11k: zero init info->status in wmi_process_mgmt_tx_comp() (git-fixes). - wifi: ath12k: Increase DP_REO_CMD_RING_SIZE to 256 (stable-fixes). - wifi: mac80211: Fix HE capabilities element check (stable-fixes). - wifi: mac80211: reject address change while connecting (git-fixes). - wifi: mac80211: skip rate verification for not captured PSDUs (git-fixes). - wifi: mac80211_hwsim: Limit destroy_on_close radio removal to netgroup (git-fixes). - wifi: mt76: mt7921: Add 160MHz beamformee capability for mt7922 device (stable-fixes). - wifi: mt76: mt7996: Temporarily disable EPCS (stable-fixes). - wifi: mwl8k: inject DSSS Parameter Set element into beacons if missing (git-fixes). - wifi: rtw88: sdio: use indirect IO for device registers before power-on (stable-fixes). - wifi: zd1211rw: fix potential memory leak in __zd_usb_enable_rx() (git-fixes). - x86/CPU/AMD: Add RDSEED fix for Zen5 (git-fixes). - x86/CPU/AMD: Add additional fixed RDSEED microcode revisions (git-fixes). - x86/CPU/AMD: Add missing terminator for zen5_rdseed_microcode (git-fixes). - x86/CPU/AMD: Do the common init on future Zens too (git-fixes). - x86/amd_nb: Add new PCI IDs for AMD family 0x1a (stable-fixes). - x86/bugs: Fix reporting of LFENCE retpoline (git-fixes). - x86/bugs: Report correct retbleed mitigation status (git-fixes). - x86/vmscape: Add old Intel CPUs to affected list (git-fixes). - xhci: dbc: Allow users to modify DbC poll interval via sysfs (stable-fixes). - xhci: dbc: Avoid event polling busyloop if pending rx transfers are inactive (git-fixes). 
- xhci: dbc: Improve performance by removing delay in transfer event polling (stable-fixes).
- xhci: dbc: fix bogus 1024 byte prefix if ttyDBC read races with stall event (git-fixes).
- xhci: dbc: poll at different rate depending on data transfer activity (stable-fixes).

The following package changes have been done:

- kernel-rt-6.4.0-39.1 updated

From sle-container-updates at lists.suse.com Wed Jan 7 16:27:32 2026
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Wed, 7 Jan 2026 17:27:32 +0100 (CET)
Subject: SUSE-IU-2026:15-1: Security update of suse/sl-micro/6.1/rt-os-container
Message-ID: <20260107162732.5EF6AFB9C@maintenance.suse.de>

SUSE Image Update Advisory: suse/sl-micro/6.1/rt-os-container
-----------------------------------------------------------------
Image Advisory ID : SUSE-IU-2026:15-1
Image Tags : suse/sl-micro/6.1/rt-os-container:2.2.1 , suse/sl-micro/6.1/rt-os-container:2.2.1-5.55 , suse/sl-micro/6.1/rt-os-container:latest
Image Release : 5.55
Severity : important
Type : security
References : 1232223 1237888 1243474 1245193 1247076 1247079 1247500 1247509 1249547 1249912 1249982 1250176 1250237 1250252 1250705 1251120 1251786 1252063 1252267 1252303 1252353 1252681 1252763 1252773 1252780 1252794 1252795 1252809 1252817 1252821 1252836 1252845 1252862 1252912 1252917 1252928 1253018 1253176 1253275 1253318 1253324 1253349 1253352 1253355 1253360 1253362 1253363 1253367 1253369 1253393 1253395 1253403 1253407 1253409 1253412 1253416 1253421 1253423 1253424 1253425 1253427 1253428 1253431 1253436 1253438 1253440 1253441 1253445 1253448 1253449 1253453 1253456 1253472 1253779 CVE-2022-50253 CVE-2023-53676 CVE-2025-21710 CVE-2025-37916 CVE-2025-38359 CVE-2025-38361 CVE-2025-39788 CVE-2025-39805 CVE-2025-39819 CVE-2025-39859 CVE-2025-39944 CVE-2025-39980 CVE-2025-40001 CVE-2025-40021 CVE-2025-40027 CVE-2025-40030 CVE-2025-40038 CVE-2025-40040 CVE-2025-40048 CVE-2025-40055 CVE-2025-40059 CVE-2025-40064 CVE-2025-40070 CVE-2025-40074 CVE-2025-40075 CVE-2025-40083 CVE-2025-40098 CVE-2025-40105 CVE-2025-40107 CVE-2025-40109 CVE-2025-40110 CVE-2025-40111 CVE-2025-40115 CVE-2025-40116 CVE-2025-40118 CVE-2025-40120 CVE-2025-40121 CVE-2025-40127 CVE-2025-40129 CVE-2025-40139 CVE-2025-40140 CVE-2025-40141 CVE-2025-40149 CVE-2025-40154 CVE-2025-40156 CVE-2025-40157 CVE-2025-40159 CVE-2025-40164 CVE-2025-40168 CVE-2025-40169 CVE-2025-40171 CVE-2025-40172 CVE-2025-40173 CVE-2025-40176 CVE-2025-40180 CVE-2025-40183 CVE-2025-40186 CVE-2025-40188 CVE-2025-40194 CVE-2025-40198 CVE-2025-40200 CVE-2025-40204 CVE-2025-40205 CVE-2025-40206 CVE-2025-40207
-----------------------------------------------------------------

The container suse/sl-micro/6.1/rt-os-container was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: kernel-230
Released: Wed Jan 7 13:33:45 2026
Summary: Security update for the Linux Kernel
Type: security
Severity: important
References: 1232223,1237888,1243474,1245193,1247076,1247079,1247500,1247509,1249547,1249912,1249982,1250176,1250237,1250252,1250705,1251120,1251786,1252063,1252267,1252303,1252353,1252681,1252763,1252773,1252780,1252794,1252795,1252809,1252817,1252821,1252836,1252845,1252862,1252912,1252917,1252928,1253018,1253176,1253275,1253318,1253324,1253349,1253352,1253355,1253360,1253362,1253363,1253367,1253369,1253393,1253395,1253403,1253407,1253409,1253412,1253416,1253421,1253423,1253424,1253425,1253427,1253428,1253431,1253436,1253438,1253440,1253441,1253445,1253448,1253449,1253453,1253456,1253472,1253779,CVE-2022-50253,CVE-2023-53676,CVE-2025-21710,CVE-2025-37916,CVE-2025-38359,CVE-2025-38361,CVE-2025-39788,CVE-2025-39805,CVE-2025-39819,CVE-2025-39859,CVE-2025-39944,CVE-2025-39980,CVE-2025-40001,CVE-2025-40021,CVE-2025-40027,CVE-2025-40030,CVE-2025-40038,CVE-2025-40040,CVE-2025-40048,CVE-2025-40055,CVE-2025-40059,CVE-2025-40064,CVE-2025-40070,CVE-2025-40074,CVE-2025-40075,CVE-2025-40083,CVE-2025-40098,CVE-2025-40105,CVE-2025-40107,CVE-2025-40109,CVE-2025-40110,CVE-2025-40111,CVE-2025-40115,CVE-2025-40116,CVE-2025-40118,CVE-2025-40120,CVE-2025-40121,CVE-2025-40127,CVE-2025-40129,CVE-2025-40139,CVE-2025-40140,CVE-2025-40141,CVE-2025-40149,CVE-2025-40154,CVE-2025-40156,CVE-2025-40157,CVE-2025-40159,CVE-2025-40164,CVE-2025-40168,CVE-2025-40169,CVE-2025-40171,CVE-2025-40172,CVE-2025-40173,CVE-2025-40176,CVE-2025-40180,CVE-2025-40183,CVE-2025-40186,CVE-2025-40188,CVE-2025-40194,CVE-2025-40198,CVE-2025-40200,CVE-2025-40204,CVE-2025-40205,CVE-2025-40206,CVE-2025-40207

The SUSE Linux Enterprise Micro 6.0 and 6.1 RT kernel was updated to receive various security bugfixes.

The following security bugs were fixed:

- CVE-2022-50253: bpf: make sure skb->len != 0 when redirecting to a tunneling device (bsc#1249912).
- CVE-2023-53676: scsi: target: iscsi: Fix buffer overflow in lio_target_nacl_info_show() (bsc#1251786).
- CVE-2025-21710: tcp: correct handling of extreme memory squeeze (bsc#1237888).
- CVE-2025-37916: pds_core: remove write-after-free of client_id (bsc#1243474). - CVE-2025-38359: s390/mm: Fix in_atomic() handling in do_secure_storage_access() (bsc#1247076). - CVE-2025-38361: drm/amd/display: Check dce_hwseq before dereferencing it (bsc#1247079). - CVE-2025-39788: scsi: ufs: exynos: Fix programming of HCI_UTRL_NEXUS_TYPE (bsc#1249547). - CVE-2025-39805: net: macb: fix unregister_netdev call order in macb_remove() (bsc#1249982). - CVE-2025-39819: fs/smb: Fix inconsistent refcnt update (bsc#1250176). - CVE-2025-39859: ptp: ocp: fix use-after-free bugs causing by ptp_ocp_watchdog (bsc#1250252). - CVE-2025-39944: octeontx2-pf: Fix use-after-free bugs in otx2_sync_tstamp() (bsc#1251120). - CVE-2025-39980: nexthop: Forbid FDB status change while nexthop is in a group (bsc#1252063). - CVE-2025-40001: scsi: mvsas: Fix use-after-free bugs in mvs_work_queue (bsc#1252303). - CVE-2025-40021: tracing: dynevent: Add a missing lockdown check on dynevent (bsc#1252681). - CVE-2025-40027: net/9p: fix double req put in p9_fd_cancelled (bsc#1252763). - CVE-2025-40030: pinctrl: check the return value of pinmux_ops::get_function_name() (bsc#1252773). - CVE-2025-40038: KVM: SVM: Skip fastpath emulation on VM-Exit if next RIP isn't valid (bsc#1252817). - CVE-2025-40040: mm/ksm: fix flag-dropping behavior in ksm_madvise (bsc#1252780). - CVE-2025-40048: uio_hv_generic: Let userspace take care of interrupt mask (bsc#1252862). - CVE-2025-40055: ocfs2: fix double free in user_cluster_connect() (bsc#1252821). - CVE-2025-40059: coresight: Fix incorrect handling for return value of devm_kzalloc (bsc#1252809). - CVE-2025-40064: smc: Fix use-after-free in __pnet_find_base_ndev() (bsc#1252845). - CVE-2025-40070: pps: fix warning in pps_register_cdev when register device fail (bsc#1252836). - CVE-2025-40074: net: dst_cache: annotate data-races around dst_cache->reset_ts (bsc#1252794). - CVE-2025-40075: tcp_metrics: use dst_dev_net_rcu() (bsc#1252795). 
- CVE-2025-40083: net/sched: sch_qfq: Fix null-deref in agg_dequeue (bsc#1252912). - CVE-2025-40098: ALSA: hda: cs35l41: Fix NULL pointer dereference in cs35l41_get_acpi_mute_state() (bsc#1252917). - CVE-2025-40105: vfs: Don't leak disconnected dentries on umount (bsc#1252928). - CVE-2025-40139: smc: Use __sk_dst_get() and dst_dev_rcu() in in smc_clc_prfx_set() (bsc#1253409). - CVE-2025-40149: tls: Use __sk_dst_get() and dst_dev_rcu() in get_netdev_for_sock() (bsc#1253355). - CVE-2025-40159: xsk: Harden userspace-supplied xdp_desc validation (bsc#1253403). - CVE-2025-40168: smc: Use __sk_dst_get() and dst_dev_rcu() in smc_clc_prfx_match() (bsc#1253427). - CVE-2025-40169: bpf: Reject negative offsets for ALU ops (bsc#1253416). - CVE-2025-40173: net/ip6_tunnel: Prevent perpetual tunnel growth (bsc#1253421). - CVE-2025-40176: tls: wait for pending async decryptions if tls_strp_msg_hold fails (bsc#1253425). - CVE-2025-40204: sctp: Fix MAC comparison to be constant-time (bsc#1253436). - CVE-2025-40206: Add missing bugzilla reference to net fix (bsc#1250237 bsc#1253393). The following non-security bugs were fixed: - ACPI: CPPC: Check _CPC validity for only the online CPUs (git-fixes). - ACPI: CPPC: Limit perf ctrs in PCC check only to online CPUs (git-fixes). - ACPI: CPPC: Perform fast check switch only for online CPUs (git-fixes). - ACPI: PRM: Skip handlers with NULL handler_address or NULL VA (stable-fixes). - ACPI: SBS: Fix present test in acpi_battery_read() (git-fixes). - ACPI: property: Return present device nodes only on fwnode interface (stable-fixes). - ACPI: scan: Add Intel CVS ACPI HIDs to acpi_ignore_dep_ids (stable-fixes). - ACPICA: Update dsmethod.c to get rid of unused variable warning (stable-fixes). - ACPICA: dispatcher: Use acpi_ds_clear_operands() in acpi_ds_call_control_method() (stable-fixes). - ALSA: hda: Fix missing pointer check in hda_component_manager_init function (git-fixes). - ALSA: serial-generic: remove shared static buffer (stable-fixes). 
- ALSA: usb-audio: Add validation of UAC2/UAC3 effect units (stable-fixes). - ALSA: usb-audio: Fix NULL pointer dereference in snd_usb_mixer_controls_badd (git-fixes). - ALSA: usb-audio: Fix potential overflow of PCM transfer buffer (stable-fixes). - ALSA: usb-audio: add mono main switch to Presonus S1824c (stable-fixes). - ALSA: usb-audio: apply quirk for MOONDROP Quark2 (stable-fixes). - ALSA: usb-audio: do not log messages meant for 1810c when initializing 1824c (git-fixes). - ALSA: usb-audio: fix uac2 clock source at terminal parser (git-fixes). - ASoC: codecs: va-macro: fix resource leak in probe error path (git-fixes). - ASoC: cs4271: Fix regulator leak on probe failure (git-fixes). - ASoC: max98090/91: fixed max98091 ALSA widget powering up/down (stable-fixes). - ASoC: meson: aiu-encoder-i2s: fix bit clock polarity (stable-fixes). - ASoC: qcom: sc8280xp: explicitly set S16LE format in sc8280xp_be_hw_params_fixup() (stable-fixes). - ASoC: stm32: sai: manage context in set_sysclk callback (stable-fixes). - ASoC: tlv320aic3x: Fix class-D initialization for tlv320aic3007 (stable-fixes). - Bluetooth: 6lowpan: Do not hold spin lock over sleeping functions (git-fixes). - Bluetooth: 6lowpan: add missing l2cap_chan_lock() (git-fixes). - Bluetooth: 6lowpan: fix BDADDR_LE vs ADDR_LE_DEV address type confusion (git-fixes). - Bluetooth: 6lowpan: reset link-local header on ipv6 recv path (git-fixes). - Bluetooth: L2CAP: export l2cap_chan_hold for modules (stable-fixes). - Bluetooth: MGMT: cancel mesh send timer when hdev removed (git-fixes). - Bluetooth: SCO: Fix UAF on sco_conn_free (stable-fixes). - Bluetooth: bcsp: receive data only if registered (stable-fixes). - Bluetooth: btrtl: Fix memory leak in rtlbt_parse_firmware_v2() (git-fixes). - Bluetooth: btusb: Check for unexpected bytes when defragmenting HCI frames (stable-fixes). - Bluetooth: btusb: reorder cleanup in btusb_disconnect to avoid UAF (git-fixes). 
- Bluetooth: hci_event: validate skb length for unknown CC opcode (git-fixes). - Documentation: ACPI: i2c-muxes: fix I2C device references (git-fixes). - Drivers: hv: vmbus: Add utility function for querying ring size (git-fixes). - HID: amd_sfh: Stop sensor before starting (git-fixes). - HID: hid-ntrig: Prevent memory leak in ntrig_report_version() (git-fixes). - HID: quirks: avoid Cooler Master MM712 dongle wakeup bug (stable-fixes). - HID: quirks: work around VID/PID conflict for 0x4c4a/0x4155 (git-fixes). - HID: uclogic: Fix potential memory leak in error path (git-fixes). - Input: atmel_mxt_ts - allow reset GPIO to sleep (stable-fixes). - Input: imx_sc_key - fix memory corruption on unload (git-fixes). - Input: pegasus-notetaker - fix potential out-of-bounds access (git-fixes). - KVM: Pass new routing entries and irqfd when updating IRTEs (git-fixes). - KVM: SVM: Delete IRTE link from previous vCPU before setting new IRTE (git-fixes). - KVM: SVM: Delete IRTE link from previous vCPU irrespective of new routing (git-fixes). - KVM: SVM: Emulate PERF_CNTR_GLOBAL_STATUS_SET for PerfMonV2 (git-fixes). - KVM: SVM: Mark VMCB_LBR dirty when MSR_IA32_DEBUGCTLMSR is updated (git-fixes). - KVM: SVM: Re-load current, not host, TSC_AUX on #VMEXIT from SEV-ES guest (git-fixes). - KVM: SVM: Track per-vCPU IRTEs using kvm_kernel_irqfd structure (git-fixes). - KVM: SVM: WARN if an invalid posted interrupt IRTE entry is added (git-fixes). - KVM: VMX: Allow guest to set DEBUGCTL.RTM_DEBUG if RTM is supported (git-fixes). - KVM: VMX: Apply MMIO Stale Data mitigation if KVM maps MMIO into the guest (git-fixes). - KVM: VMX: Fix check for valid GVA on an EPT violation (git-fixes). - KVM: VMX: Preserve host's DEBUGCTLMSR_FREEZE_IN_SMM while running the guest (git-fixes). - KVM: VMX: Wrap all accesses to IA32_DEBUGCTL with getter/setter APIs (git-fixes). - KVM: nVMX: Check vmcs12->guest_ia32_debugctl on nested VM-Enter (git-fixes). 
- KVM: x86/mmu: Locally cache whether a PFN is host MMIO when making a SPTE (git-fixes). - KVM: x86: Add helper to retrieve current value of user return MSR (git-fixes). - KVM: x86: Convert vcpu_run()'s immediate exit param into a generic bitmap (git-fixes). - KVM: x86: Do not treat ENTER and LEAVE as branches, because they are not (git-fixes). - KVM: x86: Drop kvm_x86_ops.set_dr6() in favor of a new KVM_RUN flag (git-fixes). - NFS4: Fix state renewals missing after boot (git-fixes). - NFS: check if suid/sgid was cleared after a write as needed (git-fixes). - NFSD: Never cache a COMPOUND when the SEQUENCE operation fails (git-fixes). - NFSD: Skip close replay processing if XDR encoding fails (git-fixes). - NFSD: free copynotify stateid in nfs4_free_ol_stateid() (git-fixes). - NFSv4.1: fix mount hang after CREATE_SESSION failure (git-fixes). - NFSv4: handle ERR_GRACE on delegation recalls (git-fixes). - PCI/P2PDMA: Fix incorrect pointer usage in devm_kfree() call (stable-fixes). - PCI/PM: Skip resuming to D0 if device is disconnected (stable-fixes). - PCI: Disable MSI on RDC PCI to PCIe bridges (stable-fixes). - PCI: cadence: Check for the existence of cdns_pcie::ops before using it (stable-fixes). - PCI: dwc: Verify the single eDMA IRQ in dw_pcie_edma_irq_verify() (stable-fixes). - PCI: j721e: Fix incorrect error message in probe() (git-fixes). - PCI: rcar-host: Convert struct rcar_msi mask_lock into raw spinlock (git-fixes). - PCI: tegra194: Reset BARs when running in PCIe endpoint mode (git-fixes). 
- RDMA/bnxt_re: Do not fail destroy QP and cleanup debugfs earlier (git-fixes) - RDMA/bnxt_re: Fix a potential memory leak in destroy_gsi_sqp (git-fixes) - RDMA/hns: Fix recv CQ and QP cache affinity (git-fixes) - RDMA/hns: Fix the modification of max_send_sge (git-fixes) - RDMA/hns: Fix wrong WQE data when QP wraps around (git-fixes) - RDMA/irdma: Fix SD index calculation (git-fixes) - RDMA/irdma: Set irdma_cq cq_num field during CQ create (git-fixes) - Revert 'drm/tegra: dsi: Clear enable register if powered by bootloader' (git-fixes). - Revert 'wifi: ath10k: avoid unnecessary wait for service ready message' (git-fixes). - accel/habanalabs/gaudi2: fix BMON disable configuration (stable-fixes). - accel/habanalabs/gaudi2: read preboot status after recovering from dirty state (stable-fixes). - accel/habanalabs: return ENOMEM if less than requested pages were pinned (stable-fixes). - accel/habanalabs: support mapping cb with vmalloc-backed coherent memory (stable-fixes). - acpi,srat: Fix incorrect device handle check for Generic Initiator (git-fixes). - amd/amdkfd: resolve a race in amdgpu_amdkfd_device_fini_sw (stable-fixes). - block: avoid possible overflow for chunk_sectors check in blk_stack_limits() (git-fixes). - block: fix kobject double initialization in add_disk (git-fixes). - btrfs: abort transaction on failure to add link to inode (git-fixes). - btrfs: avoid page_lockend underflow in btrfs_punch_hole_lock_range() (git-fix). - btrfs: avoid using fixed char array size for tree names (git-fix). - btrfs: do not update last_log_commit when logging inode due to a new name (git-fixes). - btrfs: fix COW handling in run_delalloc_nocow() (git-fix). - btrfs: fix inode leak on failure to add link to inode (git-fixes). - btrfs: make btrfs_clear_delalloc_extent() free delalloc reserve (git-fix). - btrfs: mark dirty extent range for out of bound prealloc extents (git-fixes). - btrfs: qgroup: correctly model root qgroup rsv in convert (git-fix). 
- btrfs: rename err to ret in btrfs_link() (git-fixes). - btrfs: run btrfs_error_commit_super() early (git-fix). - btrfs: scrub: put bio after errors in scrub_raid56_parity_stripe() (git-fix). - btrfs: scrub: put bio after errors in scrub_raid56_parity_stripe() (git-fixes). - btrfs: send: fix duplicated rmdir operations when using extrefs (git-fixes). - btrfs: set inode flag BTRFS_INODE_COPY_EVERYTHING when logging new name (git-fixes). - btrfs: simplify error handling logic for btrfs_link() (git-fixes). - btrfs: tree-checker: add dev extent item checks (git-fix). - btrfs: tree-checker: add type and sequence check for inline backrefs (git-fix). - btrfs: tree-checker: fix the wrong output of data backref objectid (git-fix). - btrfs: tree-checker: reject BTRFS_FT_UNKNOWN dir type (git-fix). - btrfs: tree-checker: validate dref root and objectid (git-fix). - btrfs: use smp_mb__after_atomic() when forcing COW in create_pending_snapshot() (git-fixes). - char: misc: Does not request module for miscdevice with dynamic minor (stable-fixes). - char: misc: Make misc_register() reentry for miscdevice who wants dynamic minor (stable-fixes). - char: misc: restrict the dynamic range to exclude reserved minors (stable-fixes). - cramfs: Verify inode mode when loading from disk (git-fixes). - crypto: aspeed - fix double free caused by devm (git-fixes). - crypto: aspeed-acry - Convert to platform remove callback returning void (stable-fixes). - crypto: hisilicon/qm - Fix device reference leak in qm_get_qos_value (git-fixes). - crypto: iaa - Do not clobber req->base.data (git-fixes). - crypto: qat - use kcalloc() in qat_uclo_map_objs_from_mof() (stable-fixes). - dmaengine: dw-edma: Set status for callback_result (stable-fixes). - dmaengine: mv_xor: match alloc_wc and free_wc (stable-fixes). - drm/amd/display: Add AVI infoframe copy in copy_stream_update_to_stream (stable-fixes). - drm/amd/display: Disable VRR on DCE 6 (stable-fixes). 
- drm/amd/display: Fix DVI-D/HDMI adapters (stable-fixes). - drm/amd/display: Fix NULL deref in debugfs odm_combine_segments (git-fixes). - drm/amd/display: Fix black screen with HDMI outputs (git-fixes). - drm/amd/display: Increase AUX Intra-Hop Done Max Wait Duration (stable-fixes). - drm/amd/display: add more cyan skillfish devices (stable-fixes). - drm/amd/display: ensure committing streams is seamless (stable-fixes). - drm/amd/display: update dpp/disp clock from smu clock table (stable-fixes). - drm/amd/pm: Disable MCLK switching on SI at high pixel clocks (stable-fixes). - drm/amd/pm: Use cached metrics data on aldebaran (stable-fixes). - drm/amd/pm: Use cached metrics data on arcturus (stable-fixes). - drm/amd: Avoid evicting resources at S5 (stable-fixes). - drm/amd: Fix suspend failure with secure display TA (git-fixes). - drm/amd: add more cyan skillfish PCI ids (stable-fixes). - drm/amdgpu/jpeg: Hold pg_lock before jpeg poweroff (stable-fixes). - drm/amdgpu: Allow kfd CRIU with no buffer objects (stable-fixes). - drm/amdgpu: Fix NULL pointer dereference in VRAM logic for APU devices (stable-fixes). - drm/amdgpu: Use memdup_array_user in amdgpu_cs_wait_fences_ioctl (stable-fixes). - drm/amdgpu: add support for cyan skillfish gpu_info (stable-fixes). - drm/amdgpu: do not enable SMU on cyan skillfish (stable-fixes). - drm/amdgpu: reject gang submissions under SRIOV (stable-fixes). - drm/amdkfd: Handle lack of READ permissions in SVM mapping (stable-fixes). - drm/amdkfd: Tie UNMAP_LATENCY to queue_preemption (stable-fixes). - drm/amdkfd: fix vram allocation failure for a special case (stable-fixes). - drm/amdkfd: return -ENOTTY for unsupported IOCTLs (stable-fixes). - drm/bridge: cdns-dsi: Do not fail on MIPI_DSI_MODE_VIDEO_BURST (stable-fixes). - drm/bridge: cdns-dsi: Fix REG_WAKEUP_TIME value (stable-fixes). - drm/bridge: display-connector: do not set OP_DETECT for DisplayPorts (stable-fixes). 
- drm/i915: Avoid lock inversion when pinning to GGTT on CHV/BXT+VTD (git-fixes). - drm/i915: Fix conversion between clock ticks and nanoseconds (git-fixes). - drm/msm/dsi/phy: Toggle back buffer resync after preparing PLL (stable-fixes). - drm/msm/dsi/phy_7nm: Fix missing initial VCO rate (stable-fixes). - drm/msm: make sure to not queue up recovery more than once (stable-fixes). - drm/nouveau: replace snprintf() with scnprintf() in nvkm_snprintbf() (stable-fixes). - drm/sched: Fix deadlock in drm_sched_entity_kill_jobs_cb (git-fixes). - drm/tegra: Add call to put_pid() (git-fixes). - drm/tegra: dc: Fix reference leak in tegra_dc_couple() (git-fixes). - drm/tidss: Set crtc modesetting parameters with adjusted mode (stable-fixes). - drm/tidss: Use the crtc_* timings when programming the HW (stable-fixes). - drm/vmwgfx: Validate command header size against SVGA_CMD_MAX_DATASIZE (git-fixes). - exfat: limit log print for IO error (git-fixes). - extcon: adc-jack: Cleanup wakeup source only if it was enabled (git-fixes). - extcon: adc-jack: Fix wakeup source leaks on device unbind (stable-fixes). - fbcon: Set fb_display[i]->mode to NULL when the mode is released (stable-fixes). - fbdev: Add bounds checking in bit_putcs to fix vmalloc-out-of-bounds (stable-fixes). - fbdev: bitblit: bound-check glyph index in bit_putcs* (stable-fixes). - fbdev: pvr2fb: Fix leftover reference to ONCHIP_NR_DMA_CHANNELS (stable-fixes). - hwmon: (asus-ec-sensors) increase timeout for locking ACPI mutex (stable-fixes). - hwmon: (dell-smm) Add support for Dell OptiPlex 7040 (stable-fixes). - hwmon: (k10temp) Add device ID for Strix Halo (stable-fixes). - hwmon: (k10temp) Add thermal support for AMD Family 1Ah-based models (stable-fixes). - hwmon: (sbtsi_temp) AMD CPU extended temperature range support (stable-fixes). - hwmon: sy7636a: add alias (stable-fixes). - iio: adc: imx93_adc: load calibrated values even calibration failed (stable-fixes). 
- iio: adc: spear_adc: mask SPEAR_ADC_STATUS channel and avg sample before setting register (stable-fixes). - ima: do not clear IMA_DIGSIG flag when setting or removing non-IMA xattr (stable-fixes). - iommu/amd: Return an error if vCPU affinity is set for non-vCPU IRTE (git-fixes). - isdn: mISDN: hfcsusb: fix memory leak in hfcsusb_probe() (git-fixes). - jfs: Verify inode mode when loading from disk (git-fixes). - jfs: fix uninitialized waitqueue in transaction manager (git-fixes). - kABI fix for KVM: VMX: Apply MMIO Stale Data mitigation if KVM maps MMIO into the guest (git-fixes) (git-fixes). - lib/crypto: curve25519-hacl64: Fix older clang KASAN workaround for GCC (git-fixes). - md/raid1: fix data lost for writemostly rdev (git-fixes). - md: fix mssing blktrace bio split events (git-fixes). - media: adv7180: Add missing lock in suspend callback (stable-fixes). - media: adv7180: Do not write format to device in set_fmt (stable-fixes). - media: adv7180: Only validate format in querystd (stable-fixes). - media: amphion: Delete v4l2_fh synchronously in .release() (stable-fixes). - media: fix uninitialized symbol warnings (stable-fixes). - media: i2c: Kconfig: Ensure a dependency on HAVE_CLK for VIDEO_CAMERA_SENSOR (stable-fixes). - media: i2c: og01a1b: Specify monochrome media bus format instead of Bayer (stable-fixes). - media: imon: make send_packet() more robust (stable-fixes). - media: ov08x40: Fix the horizontal flip control (stable-fixes). - media: redrat3: use int type to store negative error codes (stable-fixes). - media: uvcvideo: Use heuristic to find stream entity (git-fixes). - memstick: Add timeout to prevent indefinite waiting (stable-fixes). - mfd: da9063: Split chip variant reading in two bus transactions (stable-fixes). - mfd: madera: Work around false-positive -Wininitialized warning (stable-fixes). - mfd: stmpe-i2c: Add missing MODULE_LICENSE (stable-fixes). - mfd: stmpe: Remove IRQ domain upon removal (stable-fixes). 
- minixfs: Verify inode mode when loading from disk (git-fixes). - mm/mm_init: fix hash table order logging in alloc_large_system_hash() (git-fixes). - mm/secretmem: fix use-after-free race in fault handler (git-fixes). - mmc: host: renesas_sdhi: Fix the actual clock (stable-fixes). - mmc: sdhci-msm: Enable tuning for SDR50 mode for SD card (stable-fixes). - mmc: sdhci-of-dwcmshc: Change DLL_STRBIN_TAPNUM_DEFAULT to 0x4 (git-fixes). - mtd: onenand: Pass correct pointer to IRQ handler (git-fixes). - mtd: rawnand: cadence: fix DMA device NULL pointer dereference (git-fixes). - mtdchar: fix integer overflow in read/write ioctls (git-fixes). - net/mana: fix warning in the writer of client oob (git-fixes). - net/smc: Remove validation of reserved bits in CLC Decline message (bsc#1253779). - net: nfc: nci: Increase NCI_DATA_TIMEOUT to 3000 ms (stable-fixes). - net: phy: clear link parameters on admin link down (stable-fixes). - net: phy: fixed_phy: let fixed_phy_unregister free the phy_device (stable-fixes). - net: phy: marvell: Fix 88e1510 downshift counter errata (stable-fixes). - net: tcp: send zero-window ACK when no memory (bsc#1253779). - net: usb: qmi_wwan: initialize MAC header offset in qmimux_rx_fixup (git-fixes). - nfs4_setup_readdir(): insufficient locking for ->d_parent->d_inode dereferencing (git-fixes). - nfsd: do not defer requests during idmap lookup in v4 compound decode (bsc#1232223). - nfsd: fix return error codes for nfsd_map_name_to_id (bsc#1232223). - nouveau/firmware: Add missing kfree() of nvkm_falcon_fw::boot (git-fixes). - perf script: add --addr2line option (bsc#1247509). - phy: cadence: cdns-dphy: Enable lower resolutions in dphy (stable-fixes). - phy: renesas: r8a779f0-ether-serdes: add new step added to latest datasheet (stable-fixes). - phy: rockchip: phy-rockchip-inno-csidphy: allow writes to grf register 0 (stable-fixes). - pinctrl: s32cc: fix uninitialized memory in s32_pinctrl_desc (git-fixes). 
- pinctrl: s32cc: initialize gpio_pin_config::list after kmalloc() (git-fixes). - pinctrl: single: fix bias pull up/down handling in pin_config_set (stable-fixes). - platform/x86/intel/speed_select_if: Convert PCIBIOS_* return codes to errnos (git-fixes). - power: supply: qcom_battmgr: add OOI chemistry (stable-fixes). - power: supply: qcom_battmgr: handle charging state change notifications (stable-fixes). - power: supply: sbs-charger: Support multiple devices (stable-fixes). - regulator: fixed: fix GPIO descriptor leak on register failure (git-fixes). - rtc: rx8025: fix incorrect register reference (git-fixes). - s390/mm,fault: simplify kfence fault handling (bsc#1247076). - scsi: Fix sas_user_scan() to handle wildcard and multi-channel scans (git-fixes). - scsi: aacraid: Stop using PCI_IRQ_AFFINITY (git-fixes). - scsi: core: sysfs: Correct sysfs attributes access rights (git-fixes). - scsi: hpsa: Fix potential memory leak in hpsa_big_passthru_ioctl() (git-fixes). - scsi: libfc: Prevent integer overflow in fc_fcp_recv_data() (git-fixes). - scsi: mpi3mr: Correctly handle ATA device errors (git-fixes). - scsi: mpi3mr: Drop unnecessary volatile from __iomem pointers (git-fixes). - scsi: mpt3sas: Correctly handle ATA device errors (git-fixes). - scsi: mpt3sas: Fix crash in transport port remove by using ioc_info() (git-fixes). - scsi: pm80xx: Fix array-index-out-of-of-bounds on rmmod (git-fixes). - scsi: storvsc: Prefer returning channel with the same CPU as on the I/O issuing CPU (bsc#1252267). - selftests/bpf: Close fd in error path in drop_on_reuseport (git-fixes). - selftests/bpf: Close obj in error path in xdp_adjust_tail (git-fixes). - selftests/bpf: Fix missing ARRAY_SIZE() definition in bench.c (git-fixes). - selftests/bpf: Fix missing BUILD_BUG_ON() declaration (git-fixes). - selftests/bpf: Fix missing UINT_MAX definitions in benchmarks (git-fixes). - selftests/bpf: Fix string read in strncmp benchmark (git-fixes). 
- selftests/bpf: Use pid_t consistently in test_progs.c (git-fixes). - selftests/bpf: fix signedness bug in redir_partial() (git-fixes). - serial: 8250_exar: add support for Advantech 2 port card with Device ID 0x0018 (git-fixes). - serial: 8250_mtk: Enable baud clock and manage in runtime PM (git-fixes). - soc/tegra: fuse: Add Tegra114 nvmem cells and fuse lookups (stable-fixes). - soc: aspeed: socinfo: Add AST27xx silicon IDs (stable-fixes). - soc: qcom: smem: Fix endian-unaware access of num_entries (stable-fixes). - spi: Try to get ACPI GPIO IRQ earlier (git-fixes). - spi: loopback-test: Do not use %pK through printk (stable-fixes). - spi: rpc-if: Add resume support for RZ/G3E (stable-fixes). - strparser: Fix signed/unsigned mismatch bug (git-fixes). - tcp_bpf: Call sk_msg_free() when tcp_bpf_send_verdict() fails to allocate psock->cork (bsc#1250705). - thunderbolt: Use is_pciehp instead of is_hotplug_bridge (stable-fixes). - tools/cpupower: Fix incorrect size in cpuidle_state_disable() (stable-fixes). - tools/cpupower: fix error return value in cpupower_write_sysfs() (stable-fixes). - tools/power x86_energy_perf_policy: Enhance HWP enable (stable-fixes). - tools/power x86_energy_perf_policy: Fix incorrect fopen mode usage (stable-fixes). - tools/power x86_energy_perf_policy: Prefer driver HWP limits (stable-fixes). - tools: lib: thermal: do not preserve owner in install (stable-fixes). - tools: lib: thermal: use pkg-config to locate libnl3 (stable-fixes). - uio_hv_generic: Query the ringbuffer size for device (git-fixes). - usb/core/quirks: Add Huawei ME906S to wakeup quirk (git-fixes). - usb: cdns3: gadget: Use-after-free during failed initialization and exit of cdnsp gadget (stable-fixes). - usb: gadget: f_fs: Fix epfile null pointer access after ep enable (stable-fixes). - usb: gadget: f_hid: Fix zero length packet transfer (stable-fixes). - usb: gadget: f_ncm: Fix MAC assignment NCM ethernet (stable-fixes). 
- usb: mon: Increase BUFF_MAX to 64 MiB to support multi-MB URBs (stable-fixes). - usb: xhci: plat: Facilitate using autosuspend for xhci plat devices (stable-fixes). - video: backlight: lp855x_bl: Set correct EPROM start for LP8556 (stable-fixes). - watchdog: s3c2410_wdt: Fix max_timeout being calculated larger (stable-fixes). - wifi: ath10k: Fix connection after GTK rekeying (stable-fixes). - wifi: ath11k: zero init info->status in wmi_process_mgmt_tx_comp() (git-fixes). - wifi: ath12k: Increase DP_REO_CMD_RING_SIZE to 256 (stable-fixes). - wifi: mac80211: Fix HE capabilities element check (stable-fixes). - wifi: mac80211: reject address change while connecting (git-fixes). - wifi: mac80211: skip rate verification for not captured PSDUs (git-fixes). - wifi: mac80211_hwsim: Limit destroy_on_close radio removal to netgroup (git-fixes). - wifi: mt76: mt7921: Add 160MHz beamformee capability for mt7922 device (stable-fixes). - wifi: mt76: mt7996: Temporarily disable EPCS (stable-fixes). - wifi: mwl8k: inject DSSS Parameter Set element into beacons if missing (git-fixes). - wifi: rtw88: sdio: use indirect IO for device registers before power-on (stable-fixes). - wifi: zd1211rw: fix potential memory leak in __zd_usb_enable_rx() (git-fixes). - x86/CPU/AMD: Add RDSEED fix for Zen5 (git-fixes). - x86/CPU/AMD: Add additional fixed RDSEED microcode revisions (git-fixes). - x86/CPU/AMD: Add missing terminator for zen5_rdseed_microcode (git-fixes). - x86/CPU/AMD: Do the common init on future Zens too (git-fixes). - x86/amd_nb: Add new PCI IDs for AMD family 0x1a (stable-fixes). - x86/bugs: Fix reporting of LFENCE retpoline (git-fixes). - x86/bugs: Report correct retbleed mitigation status (git-fixes). - x86/vmscape: Add old Intel CPUs to affected list (git-fixes). - xhci: dbc: Allow users to modify DbC poll interval via sysfs (stable-fixes). - xhci: dbc: Avoid event polling busyloop if pending rx transfers are inactive (git-fixes). 
- xhci: dbc: Improve performance by removing delay in transfer event polling (stable-fixes). - xhci: dbc: fix bogus 1024 byte prefix if ttyDBC read races with stall event (git-fixes). - xhci: dbc: poll at different rate depending on data transfer activity (stable-fixes). The following package changes have been done: - kernel-rt-6.4.0-39.1 updated From sle-container-updates at lists.suse.com Wed Jan 7 16:32:58 2026 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Wed, 7 Jan 2026 17:32:58 +0100 (CET) Subject: SUSE-CU-2026:150-1: Security update of suse/postgres Message-ID: <20260107163258.E5182FBA0@maintenance.suse.de> SUSE Container Update Advisory: suse/postgres ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2026:150-1 Container Tags : suse/postgres:16 , suse/postgres:16.11 , suse/postgres:16.11 , suse/postgres:16.11-83.4 Container Release : 83.4 Severity : moderate Type : security References : 1255731 1255732 1255733 1255734 CVE-2025-14524 CVE-2025-14819 CVE-2025-15079 CVE-2025-15224 ----------------------------------------------------------------- The container suse/postgres was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2026:52-1 Released: Wed Jan 7 10:28:34 2026 Summary: Security update for curl Type: security Severity: moderate References: 1255731,1255732,1255733,1255734,CVE-2025-14524,CVE-2025-14819,CVE-2025-15079,CVE-2025-15224 This update for curl fixes the following issues: - CVE-2025-14524: bearer token leak on cross-protocol redirect (bsc#1255731). - CVE-2025-14819: libssh global knownhost override (bsc#1255732). - CVE-2025-15079: libssh key passphrase bypass without agent set (bsc#1255733). - CVE-2025-15224: OpenSSL partial chain store policy bypass (bsc#1255734). 
The following package changes have been done: - libcurl4-8.14.1-150700.7.8.1 updated - container:suse-sle15-15.7-17d580e01de81ee10782633976ab6983923855d96e8b6342192d8486fa7933cf-0 updated - container:registry.suse.com-bci-bci-micro-15.7-4ea6269b17048f73c022844251731ef4f640fdb9eb72a2ab53ec7f9413b89ee3-0 updated From sle-container-updates at lists.suse.com Wed Jan 7 16:33:22 2026 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Wed, 7 Jan 2026 17:33:22 +0100 (CET) Subject: SUSE-CU-2026:151-1: Recommended update of suse/kiosk/xorg Message-ID: <20260107163322.B0040FBA0@maintenance.suse.de> SUSE Container Update Advisory: suse/kiosk/xorg ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2026:151-1 Container Tags : suse/kiosk/xorg:21 , suse/kiosk/xorg:21.1 , suse/kiosk/xorg:21.1-73.5 , suse/kiosk/xorg:latest , suse/kiosk/xorg:notaskbar Container Release : 73.5 Severity : moderate Type : recommended References : 1252338 ----------------------------------------------------------------- The container suse/kiosk/xorg was updated. 
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-RU-2026:48-1 Released: Wed Jan 7 09:08:18 2026 Summary: Recommended update for pciutils Type: recommended Severity: moderate References: 1252338 This update for pciutils fixes the following issues: - Add a strict dependency to libpci to prevent possible segfault (bsc#1252338) The following package changes have been done: - libpci3-3.13.0-150300.13.12.1 updated - pciutils-3.13.0-150300.13.12.1 updated - container:suse-sle15-15.7-17d580e01de81ee10782633976ab6983923855d96e8b6342192d8486fa7933cf-0 updated From sle-container-updates at lists.suse.com Wed Jan 7 16:40:27 2026 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Wed, 7 Jan 2026 17:40:27 +0100 (CET) Subject: SUSE-CU-2026:153-1: Security update of suse/sle-micro/5.2/toolbox Message-ID: <20260107164027.DD022FB9C@maintenance.suse.de> SUSE Container Update Advisory: suse/sle-micro/5.2/toolbox ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2026:153-1 Container Tags : suse/sle-micro/5.2/toolbox:14.2 , suse/sle-micro/5.2/toolbox:14.2-7.11.220 , suse/sle-micro/5.2/toolbox:latest Container Release : 7.11.220 Severity : moderate Type : security References : 1255731 1255732 1255733 1255734 1255765 CVE-2025-11961 CVE-2025-14524 CVE-2025-14819 CVE-2025-15079 CVE-2025-15224 ----------------------------------------------------------------- The container suse/sle-micro/5.2/toolbox was updated. 
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2026:51-1 Released: Wed Jan 7 10:28:23 2026 Summary: Security update for curl Type: security Severity: moderate References: 1255731,1255732,1255733,1255734,CVE-2025-14524,CVE-2025-14819,CVE-2025-15079,CVE-2025-15224 This update for curl fixes the following issues: - CVE-2025-14524: bearer token leak on cross-protocol redirect (bsc#1255731). - CVE-2025-14819: libssh global knownhost override (bsc#1255732). - CVE-2025-15079: libssh key passphrase bypass without agent set (bsc#1255733). - CVE-2025-15224: OpenSSL partial chain store policy bypass (bsc#1255734). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2026:53-1 Released: Wed Jan 7 12:03:42 2026 Summary: Security update for libpcap Type: security Severity: low References: 1255765,CVE-2025-11961 This update for libpcap fixes the following issues: - CVE-2025-11961: missing validation of provided MAC-48 address string in `pcap_ether_aton()` can lead to out-of-bounds read and write (bsc#1255765). 
The following package changes have been done: - curl-8.14.1-150200.4.97.1 updated - libcurl4-8.14.1-150200.4.97.1 updated - libpcap1-1.9.1-150300.3.6.1 updated From sle-container-updates at lists.suse.com Fri Jan 9 08:06:00 2026 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Fri, 9 Jan 2026 09:06:00 +0100 (CET) Subject: SUSE-IU-2026:16-1: Security update of suse/sl-micro/6.0/baremetal-os-container Message-ID: <20260109080600.E9BF5FB9C@maintenance.suse.de> SUSE Image Update Advisory: suse/sl-micro/6.0/baremetal-os-container ----------------------------------------------------------------- Image Advisory ID : SUSE-IU-2026:16-1 Image Tags : suse/sl-micro/6.0/baremetal-os-container:2.1.3 , suse/sl-micro/6.0/baremetal-os-container:2.1.3-6.115 , suse/sl-micro/6.0/baremetal-os-container:latest Image Release : 6.115 Severity : important Type : security References : 1254297 1254441 1254662 1254878 1255731 1255732 1255733 1255734 CVE-2025-10158 CVE-2025-13601 CVE-2025-14087 CVE-2025-14512 CVE-2025-14524 CVE-2025-14819 CVE-2025-15079 CVE-2025-15224 ----------------------------------------------------------------- The container suse/sl-micro/6.0/baremetal-os-container was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: 546 Released: Thu Jan 8 16:18:54 2026 Summary: Security update for curl Type: security Severity: moderate References: 1255731,1255732,1255733,1255734,CVE-2025-14524,CVE-2025-14819,CVE-2025-15079,CVE-2025-15224 This update for curl fixes the following issues: - CVE-2025-14524: bearer token leak on cross-protocol redirect (bsc#1255731). - CVE-2025-14819: libssh global knownhost override (bsc#1255732). - CVE-2025-15079: libssh key passphrase bypass without agent set (bsc#1255733). - CVE-2025-15224: OpenSSL partial chain store policy bypass (bsc#1255734). 
----------------------------------------------------------------- Advisory ID: 551 Released: Thu Jan 8 16:49:46 2026 Summary: Security update for rsync Type: security Severity: moderate References: 1254441,CVE-2025-10158 This update for rsync fixes the following issues: - CVE-2025-10158: Fixed out of bounds array access via negative index (bsc#1254441) ----------------------------------------------------------------- Advisory ID: 550 Released: Thu Jan 8 17:00:18 2026 Summary: Security update for glib2 Type: security Severity: important References: 1254297,1254662,1254878,CVE-2025-13601,CVE-2025-14087,CVE-2025-14512 This update for glib2 fixes the following issues: - CVE-2025-13601: Fixed Integer overflow in g_escape_uri_string() (bsc#1254297) - CVE-2025-14087: Fixed buffer underflow in GVariant parser leads to heap corruption (bsc#1254662) - CVE-2025-14512: Fixed Integer Overflow in GLib GIO Attribute Escaping Causes Heap Buffer Overflow (bsc#1254878) The following package changes have been done: - SL-Micro-release-6.0-25.62 updated - libglib-2_0-0-2.76.2-11.1 updated - libgobject-2_0-0-2.76.2-11.1 updated - libgmodule-2_0-0-2.76.2-11.1 updated - libcurl-mini4-8.14.1-3.1 updated - libgio-2_0-0-2.76.2-11.1 updated - glib2-tools-2.76.2-11.1 updated - rsync-3.2.7-5.1 updated - container:SL-Micro-base-container-2.1.3-7.81 updated From sle-container-updates at lists.suse.com Fri Jan 9 08:07:19 2026 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Fri, 9 Jan 2026 09:07:19 +0100 (CET) Subject: SUSE-IU-2026:17-1: Security update of suse/sl-micro/6.0/base-os-container Message-ID: <20260109080719.89116FB9C@maintenance.suse.de> SUSE Image Update Advisory: suse/sl-micro/6.0/base-os-container ----------------------------------------------------------------- Image Advisory ID : SUSE-IU-2026:17-1 Image Tags : suse/sl-micro/6.0/base-os-container:2.1.3 , suse/sl-micro/6.0/base-os-container:2.1.3-7.81 ,
suse/sl-micro/6.0/base-os-container:latest Image Release : 7.81 Severity : important Type : security References : 1254297 1254441 1254662 1254878 1255731 1255732 1255733 1255734 CVE-2025-10158 CVE-2025-13601 CVE-2025-14087 CVE-2025-14512 CVE-2025-14524 CVE-2025-14819 CVE-2025-15079 CVE-2025-15224 ----------------------------------------------------------------- The container suse/sl-micro/6.0/base-os-container was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: 546 Released: Thu Jan 8 16:18:54 2026 Summary: Security update for curl Type: security Severity: moderate References: 1255731,1255732,1255733,1255734,CVE-2025-14524,CVE-2025-14819,CVE-2025-15079,CVE-2025-15224 This update for curl fixes the following issues: - CVE-2025-14524: bearer token leak on cross-protocol redirect (bsc#1255731). - CVE-2025-14819: libssh global knownhost override (bsc#1255732). - CVE-2025-15079: libssh key passphrase bypass without agent set (bsc#1255733). - CVE-2025-15224: OpenSSL partial chain store policy bypass (bsc#1255734). 
----------------------------------------------------------------- Advisory ID: 551 Released: Thu Jan 8 16:49:46 2026 Summary: Security update for rsync Type: security Severity: moderate References: 1254441,CVE-2025-10158 This update for rsync fixes the following issues: - CVE-2025-10158: Fixed out of bounds array access via negative index (bsc#1254441) ----------------------------------------------------------------- Advisory ID: 550 Released: Thu Jan 8 17:00:18 2026 Summary: Security update for glib2 Type: security Severity: important References: 1254297,1254662,1254878,CVE-2025-13601,CVE-2025-14087,CVE-2025-14512 This update for glib2 fixes the following issues: - CVE-2025-13601: Fixed Integer overflow in g_escape_uri_string() (bsc#1254297) - CVE-2025-14087: Fixed buffer underflow in GVariant parser leads to heap corruption (bsc#1254662) - CVE-2025-14512: Fixed Integer Overflow in GLib GIO Attribute Escaping Causes Heap Buffer Overflow (bsc#1254878) The following package changes have been done: - SL-Micro-release-6.0-25.62 updated - libglib-2_0-0-2.76.2-11.1 updated - libgobject-2_0-0-2.76.2-11.1 updated - libgmodule-2_0-0-2.76.2-11.1 updated - libcurl-mini4-8.14.1-3.1 updated - libgio-2_0-0-2.76.2-11.1 updated - glib2-tools-2.76.2-11.1 updated - curl-8.14.1-3.1 updated - rsync-3.2.7-5.1 updated - container:suse-toolbox-image-1.0.0-9.56 updated From sle-container-updates at lists.suse.com Fri Jan 9 08:09:08 2026 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Fri, 9 Jan 2026 09:09:08 +0100 (CET) Subject: SUSE-IU-2026:18-1: Security update of suse/sl-micro/6.0/kvm-os-container Message-ID: <20260109080908.76029FB9C@maintenance.suse.de> SUSE Image Update Advisory: suse/sl-micro/6.0/kvm-os-container ----------------------------------------------------------------- Image Advisory ID : SUSE-IU-2026:18-1 Image Tags : suse/sl-micro/6.0/kvm-os-container:2.1.3 , suse/sl-micro/6.0/kvm-os-container:2.1.3-6.102 ,
suse/sl-micro/6.0/kvm-os-container:latest Image Release : 6.102 Severity : important Type : security References : 1254297 1254441 1254662 1254878 1255731 1255732 1255733 1255734 CVE-2025-10158 CVE-2025-13601 CVE-2025-14087 CVE-2025-14512 CVE-2025-14524 CVE-2025-14819 CVE-2025-15079 CVE-2025-15224 ----------------------------------------------------------------- The container suse/sl-micro/6.0/kvm-os-container was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: 546 Released: Thu Jan 8 16:18:54 2026 Summary: Security update for curl Type: security Severity: moderate References: 1255731,1255732,1255733,1255734,CVE-2025-14524,CVE-2025-14819,CVE-2025-15079,CVE-2025-15224 This update for curl fixes the following issues: - CVE-2025-14524: bearer token leak on cross-protocol redirect (bsc#1255731). - CVE-2025-14819: libssh global knownhost override (bsc#1255732). - CVE-2025-15079: libssh key passphrase bypass without agent set (bsc#1255733). - CVE-2025-15224: OpenSSL partial chain store policy bypass (bsc#1255734). 
----------------------------------------------------------------- Advisory ID: 551 Released: Thu Jan 8 16:49:46 2026 Summary: Security update for rsync Type: security Severity: moderate References: 1254441,CVE-2025-10158 This update for rsync fixes the following issues: - CVE-2025-10158: Fixed out of bounds array access via negative index (bsc#1254441) ----------------------------------------------------------------- Advisory ID: 550 Released: Thu Jan 8 17:00:18 2026 Summary: Security update for glib2 Type: security Severity: important References: 1254297,1254662,1254878,CVE-2025-13601,CVE-2025-14087,CVE-2025-14512 This update for glib2 fixes the following issues: - CVE-2025-13601: Fixed Integer overflow in g_escape_uri_string() (bsc#1254297) - CVE-2025-14087: Fixed buffer underflow in GVariant parser leads to heap corruption (bsc#1254662) - CVE-2025-14512: Fixed Integer Overflow in GLib GIO Attribute Escaping Causes Heap Buffer Overflow (bsc#1254878) The following package changes have been done: - SL-Micro-release-6.0-25.62 updated - libglib-2_0-0-2.76.2-11.1 updated - libgobject-2_0-0-2.76.2-11.1 updated - libgmodule-2_0-0-2.76.2-11.1 updated - libcurl-mini4-8.14.1-3.1 updated - libgio-2_0-0-2.76.2-11.1 updated - glib2-tools-2.76.2-11.1 updated - rsync-3.2.7-5.1 updated - container:SL-Micro-base-container-2.1.3-7.81 updated From sle-container-updates at lists.suse.com Fri Jan 9 08:11:10 2026 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Fri, 9 Jan 2026 09:11:10 +0100 (CET) Subject: SUSE-IU-2026:19-1: Security update of suse/sl-micro/6.0/rt-os-container Message-ID: <20260109081110.D9E18FB9C@maintenance.suse.de> SUSE Image Update Advisory: suse/sl-micro/6.0/rt-os-container ----------------------------------------------------------------- Image Advisory ID : SUSE-IU-2026:19-1 Image Tags : suse/sl-micro/6.0/rt-os-container:2.1.3 , suse/sl-micro/6.0/rt-os-container:2.1.3-7.117 ,
suse/sl-micro/6.0/rt-os-container:latest Image Release : 7.117 Severity : important Type : security References : 1254297 1254441 1254662 1254878 1255731 1255732 1255733 1255734 CVE-2025-10158 CVE-2025-13601 CVE-2025-14087 CVE-2025-14512 CVE-2025-14524 CVE-2025-14819 CVE-2025-15079 CVE-2025-15224 ----------------------------------------------------------------- The container suse/sl-micro/6.0/rt-os-container was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: 546 Released: Thu Jan 8 16:18:54 2026 Summary: Security update for curl Type: security Severity: moderate References: 1255731,1255732,1255733,1255734,CVE-2025-14524,CVE-2025-14819,CVE-2025-15079,CVE-2025-15224 This update for curl fixes the following issues: - CVE-2025-14524: bearer token leak on cross-protocol redirect (bsc#1255731). - CVE-2025-14819: libssh global knownhost override (bsc#1255732). - CVE-2025-15079: libssh key passphrase bypass without agent set (bsc#1255733). - CVE-2025-15224: OpenSSL partial chain store policy bypass (bsc#1255734). 
----------------------------------------------------------------- Advisory ID: 551 Released: Thu Jan 8 16:49:46 2026 Summary: Security update for rsync Type: security Severity: moderate References: 1254441,CVE-2025-10158 This update for rsync fixes the following issues: - CVE-2025-10158: Fixed out of bounds array access via negative index (bsc#1254441) ----------------------------------------------------------------- Advisory ID: 550 Released: Thu Jan 8 17:00:18 2026 Summary: Security update for glib2 Type: security Severity: important References: 1254297,1254662,1254878,CVE-2025-13601,CVE-2025-14087,CVE-2025-14512 This update for glib2 fixes the following issues: - CVE-2025-13601: Fixed Integer overflow in g_escape_uri_string() (bsc#1254297) - CVE-2025-14087: Fixed buffer underflow in GVariant parser leads to heap corruption (bsc#1254662) - CVE-2025-14512: Fixed Integer Overflow in GLib GIO Attribute Escaping Causes Heap Buffer Overflow (bsc#1254878) The following package changes have been done: - SL-Micro-release-6.0-25.62 updated - libglib-2_0-0-2.76.2-11.1 updated - libgobject-2_0-0-2.76.2-11.1 updated - libgmodule-2_0-0-2.76.2-11.1 updated - libcurl-mini4-8.14.1-3.1 updated - libgio-2_0-0-2.76.2-11.1 updated - glib2-tools-2.76.2-11.1 updated - rsync-3.2.7-5.1 updated - container:SL-Micro-container-2.1.3-6.115 updated From sle-container-updates at lists.suse.com Fri Jan 9 08:14:59 2026 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Fri, 9 Jan 2026 09:14:59 +0100 (CET) Subject: SUSE-IU-2026:20-1: Security update of suse/sl-micro/6.1/baremetal-os-container Message-ID: <20260109081459.9DFDCFB9B@maintenance.suse.de> SUSE Image Update Advisory: suse/sl-micro/6.1/baremetal-os-container ----------------------------------------------------------------- Image Advisory ID : SUSE-IU-2026:20-1 Image Tags : suse/sl-micro/6.1/baremetal-os-container:2.2.1 , suse/sl-micro/6.1/baremetal-os-container:2.2.1-7.43 ,
suse/sl-micro/6.1/baremetal-os-container:latest Image Release : 7.43 Severity : moderate Type : security References : 1243314 1243332 1243422 1243423 1255731 1255732 1255733 1255734 528882 553466 CVE-2025-14524 CVE-2025-14819 CVE-2025-15079 CVE-2025-15224 CVE-2025-4476 CVE-2025-4945 CVE-2025-4948 CVE-2025-4969 ----------------------------------------------------------------- The container suse/sl-micro/6.1/baremetal-os-container was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: 368 Released: Thu Jan 8 15:51:43 2026 Summary: Security update for curl Type: security Severity: moderate References: 1243314,1243332,1243422,1243423,1255731,1255732,1255733,1255734,528882,553466,CVE-2025-14524,CVE-2025-14819,CVE-2025-15079,CVE-2025-15224,CVE-2025-4476,CVE-2025-4945,CVE-2025-4948,CVE-2025-4969 This update for curl fixes the following issues: - CVE-2025-14524: bearer token leak on cross-protocol redirect (bsc#1255731). - CVE-2025-14819: libssh global knownhost override (bsc#1255732). - CVE-2025-15079: libssh key passphrase bypass without agent set (bsc#1255733). - CVE-2025-15224: OpenSSL partial chain store policy bypass (bsc#1255734). 
The following package changes have been done: - SL-Micro-release-6.1-slfo.1.12.2 updated - libcurl4-8.14.1-slfo.1.1_4.1 updated - container:SL-Micro-base-container-2.2.1-5.64 updated From sle-container-updates at lists.suse.com Fri Jan 9 08:16:13 2026 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Fri, 9 Jan 2026 09:16:13 +0100 (CET) Subject: SUSE-IU-2026:21-1: Security update of suse/sl-micro/6.1/base-os-container Message-ID: <20260109081613.643F5FB9B@maintenance.suse.de> SUSE Image Update Advisory: suse/sl-micro/6.1/base-os-container ----------------------------------------------------------------- Image Advisory ID : SUSE-IU-2026:21-1 Image Tags : suse/sl-micro/6.1/base-os-container:2.2.1 , suse/sl-micro/6.1/base-os-container:2.2.1-5.64 , suse/sl-micro/6.1/base-os-container:latest Image Release : 5.64 Severity : moderate Type : security References : 1243314 1243332 1243422 1243423 1255731 1255732 1255733 1255734 528882 553466 CVE-2025-14524 CVE-2025-14819 CVE-2025-15079 CVE-2025-15224 CVE-2025-4476 CVE-2025-4945 CVE-2025-4948 CVE-2025-4969 ----------------------------------------------------------------- The container suse/sl-micro/6.1/base-os-container was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: 368 Released: Thu Jan 8 15:51:43 2026 Summary: Security update for curl Type: security Severity: moderate References: 1243314,1243332,1243422,1243423,1255731,1255732,1255733,1255734,528882,553466,CVE-2025-14524,CVE-2025-14819,CVE-2025-15079,CVE-2025-15224,CVE-2025-4476,CVE-2025-4945,CVE-2025-4948,CVE-2025-4969 This update for curl fixes the following issues: - CVE-2025-14524: bearer token leak on cross-protocol redirect (bsc#1255731). - CVE-2025-14819: libssh global knownhost override (bsc#1255732). - CVE-2025-15079: libssh key passphrase bypass without agent set (bsc#1255733). 
- CVE-2025-15224: OpenSSL partial chain store policy bypass (bsc#1255734). The following package changes have been done: - SL-Micro-release-6.1-slfo.1.12.2 updated - libcurl4-8.14.1-slfo.1.1_4.1 updated - curl-8.14.1-slfo.1.1_4.1 updated - container:suse-toolbox-image-1.0.0-4.96 updated From sle-container-updates at lists.suse.com Fri Jan 9 08:17:21 2026 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Fri, 9 Jan 2026 09:17:21 +0100 (CET) Subject: SUSE-IU-2026:22-1: Security update of suse/sl-micro/6.1/kvm-os-container Message-ID: <20260109081721.7C388FB9B@maintenance.suse.de> SUSE Image Update Advisory: suse/sl-micro/6.1/kvm-os-container ----------------------------------------------------------------- Image Advisory ID : SUSE-IU-2026:22-1 Image Tags : suse/sl-micro/6.1/kvm-os-container:2.2.1 , suse/sl-micro/6.1/kvm-os-container:2.2.1-5.67 , suse/sl-micro/6.1/kvm-os-container:latest Image Release : 5.67 Severity : moderate Type : security References : 1243314 1243332 1243422 1243423 1255731 1255732 1255733 1255734 528882 553466 CVE-2025-14524 CVE-2025-14819 CVE-2025-15079 CVE-2025-15224 CVE-2025-4476 CVE-2025-4945 CVE-2025-4948 CVE-2025-4969 ----------------------------------------------------------------- The container suse/sl-micro/6.1/kvm-os-container was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: 368 Released: Thu Jan 8 15:51:43 2026 Summary: Security update for curl Type: security Severity: moderate References: 1243314,1243332,1243422,1243423,1255731,1255732,1255733,1255734,528882,553466,CVE-2025-14524,CVE-2025-14819,CVE-2025-15079,CVE-2025-15224,CVE-2025-4476,CVE-2025-4945,CVE-2025-4948,CVE-2025-4969 This update for curl fixes the following issues: - CVE-2025-14524: bearer token leak on cross-protocol redirect (bsc#1255731). - CVE-2025-14819: libssh global knownhost override (bsc#1255732). 
- CVE-2025-15079: libssh key passphrase bypass without agent set (bsc#1255733). - CVE-2025-15224: OpenSSL partial chain store policy bypass (bsc#1255734). The following package changes have been done: - SL-Micro-release-6.1-slfo.1.12.2 updated - libcurl4-8.14.1-slfo.1.1_4.1 updated - container:SL-Micro-base-container-2.2.1-5.64 updated From sle-container-updates at lists.suse.com Fri Jan 9 08:18:35 2026 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Fri, 9 Jan 2026 09:18:35 +0100 (CET) Subject: SUSE-IU-2026:23-1: Security update of suse/sl-micro/6.1/rt-os-container Message-ID: <20260109081835.F3448FB9B@maintenance.suse.de> SUSE Image Update Advisory: suse/sl-micro/6.1/rt-os-container ----------------------------------------------------------------- Image Advisory ID : SUSE-IU-2026:23-1 Image Tags : suse/sl-micro/6.1/rt-os-container:2.2.1 , suse/sl-micro/6.1/rt-os-container:2.2.1-5.57 , suse/sl-micro/6.1/rt-os-container:latest Image Release : 5.57 Severity : moderate Type : security References : 1243314 1243332 1243422 1243423 1255731 1255732 1255733 1255734 528882 553466 CVE-2025-14524 CVE-2025-14819 CVE-2025-15079 CVE-2025-15224 CVE-2025-4476 CVE-2025-4945 CVE-2025-4948 CVE-2025-4969 ----------------------------------------------------------------- The container suse/sl-micro/6.1/rt-os-container was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: 368 Released: Thu Jan 8 15:51:43 2026 Summary: Security update for curl Type: security Severity: moderate References: 1243314,1243332,1243422,1243423,1255731,1255732,1255733,1255734,528882,553466,CVE-2025-14524,CVE-2025-14819,CVE-2025-15079,CVE-2025-15224,CVE-2025-4476,CVE-2025-4945,CVE-2025-4948,CVE-2025-4969 This update for curl fixes the following issues: - CVE-2025-14524: bearer token leak on cross-protocol redirect (bsc#1255731). 
- CVE-2025-14819: libssh global knownhost override (bsc#1255732). - CVE-2025-15079: libssh key passphrase bypass without agent set (bsc#1255733). - CVE-2025-15224: OpenSSL partial chain store policy bypass (bsc#1255734). The following package changes have been done: - SL-Micro-release-6.1-slfo.1.12.2 updated - libcurl4-8.14.1-slfo.1.1_4.1 updated - container:SL-Micro-container-2.2.1-7.43 updated From sle-container-updates at lists.suse.com Fri Jan 9 08:23:14 2026 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Fri, 9 Jan 2026 09:23:14 +0100 (CET) Subject: SUSE-IU-2026:24-1: Security update of suse/sl-micro/6.2/baremetal-os-container Message-ID: <20260109082314.28081FB9B@maintenance.suse.de> SUSE Image Update Advisory: suse/sl-micro/6.2/baremetal-os-container ----------------------------------------------------------------- Image Advisory ID : SUSE-IU-2026:24-1 Image Tags : suse/sl-micro/6.2/baremetal-os-container:2.3.0 , suse/sl-micro/6.2/baremetal-os-container:2.3.0-6.23 , suse/sl-micro/6.2/baremetal-os-container:latest Image Release : 6.23 Severity : moderate Type : security References : 1216320 1229122 1234959 1236045 1236046 1236801 1238572 1240550 1245636 1245738 1245953 1246231 1247242 1249088 1249385 1252930 1252931 1252932 1252933 1252934 1252935 CVE-2024-45336 CVE-2024-45341 CVE-2024-56738 CVE-2025-22866 CVE-2025-22870 CVE-2025-22871 CVE-2025-54770 CVE-2025-54771 CVE-2025-61661 CVE-2025-61662 CVE-2025-61663 CVE-2025-61664 ----------------------------------------------------------------- The container suse/sl-micro/6.2/baremetal-os-container was updated. 
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: 106 Released: Tue May 13 10:45:13 2025 Summary: Security update for go1.23-openssl Type: security Severity: moderate References: 1216320,1229122,1234959,1236045,1236046,1236801,1238572,1240550,1245636,1245738,1245953,1246231,1247242,1249088,1249385,1252930,1252931,1252932,1252933,1252934,1252935,CVE-2024-45336,CVE-2024-45341,CVE-2024-56738,CVE-2025-22866,CVE-2025-22870,CVE-2025-22871,CVE-2025-54770,CVE-2025-54771,CVE-2025-61661,CVE-2025-61662,CVE-2025-61663,CVE-2025-61664 This update for go1.23-openssl fixes the following issues: Update to version 1.23.9 cut from the go1.23-fips-release branch at the revision tagged go1.23.9-0-openssl-fips. * Rebase to 1.23.9 go1.23.9 (released 2025-05-06) includes fixes to the runtime and the linker. * go#73091 cmd/link: linkname directive on userspace variable can override runtime variable * go#73380 runtime, x/sys/unix: Connectx is broken on darwin/amd64 Update to version 1.23.8 cut from the go1.23-fips-release branch at the revision tagged go1.23.8-1-openssl-fips. * Rebase to 1.23.8 go1.23.8 (released 2025-04-01) includes security fixes to the net/http package, as well as bug fixes to the runtime and the go command. (bsc#1229122) CVE-2025-22871: * go#72010 go#71988 bsc#1240550 security: fix CVE-2025-22871 net/http: reject bare LF in chunked encoding * go#72114 runtime: process hangs for mips hardware * go#72871 runtime: cgo callback on extra M treated as external code after nested cgo callback returns * go#72937 internal/godebugs: winsymlink and winreadlinkvolume have incorrect defaults for Go 1.22 Update to version 1.23.6 cut from the go1.23-fips-release branch at the revision tagged go1.23.7-1-openssl-fips. 
* Rebase to 1.23.7 go1.23.7 (released 2025-03-04) includes security fixes to the net/http package, as well as bug fixes to cgo, the compiler, and the reflect, runtime, and syscall packages. (bsc#1229122) CVE-2025-22870: * go#71985 go#71984 bsc#1238572 security: fix CVE-2025-22870 net/http, x/net/proxy, x/net/http/httpproxy: proxy bypass using IPv6 zone IDs * go#71727 runtime: usleep computes wrong tv_nsec on s390x * go#71839 runtime: recover added in range-over-func loop body doesn't stop panic propagation / segfaults printing error * go#71848 os: spurious SIGCHILD on running child process * go#71875 reflect: Value.Seq panicking on functional iterator methods * go#71915 reflect: Value.Seq iteration value types not matching the type of given int types * go#71962 runtime/cgo: does not build with -Wdeclaration-after-statement Update to version 1.23.6 cut from the go1.23-fips-release branch at the revision tagged go1.23.6-1-openssl-fips. * Rebase to 1.23.6 (#267) * Allow fetching from a fork of the Go repo go1.23.6 (released 2025-02-04) includes security fixes to the crypto/elliptic package, as well as bug fixes to the compiler and the go command. CVE-2025-22866: * go#71423 go#71383 bsc#1236801 security: fix CVE-2025-22866 crypto/internal/fips140/nistec: p256NegCond is variable time on ppc64le * go#71263 cmd/go/internal/modfetch/codehost: test fails with git 2.47.1 * go#71230 cmd/compile: broken write barrier go1.23.5 (released 2025-01-16) includes security fixes to the crypto/x509 and net/http packages, as well as bug fixes to the compiler, the runtime, and the net package. 
CVE-2024-45341 CVE-2024-45336: * go#71208 go#71156 bsc#1236045 security: fix CVE-2024-45341 crypto/x509: usage of IPv6 zone IDs can bypass URI name constraints * go#71211 go#70530 bsc#1236046 security: fix CVE-2024-45336 net/http: sensitive headers incorrectly sent after cross-domain redirect * go#69988 runtime: severe performance drop for cgo calls in go1.22.5 * go#70517 cmd/compile/internal/importer: flip enable alias to true * go#70789 os: io.Copy(net.Conn, os.Stdin) on MacOS terminate immediately without waiting for input * go#71104 crypto/tls: TestVerifyConnection/TLSv12 failures * go#71147 internal/trace: TestTraceCPUProfile/Stress failures Update to version 1.23.4 cut from the go1.23-fips-release branch at the revision tagged go1.23.4-1-openssl-fips. * Update to Go 1.23.4 (#250) The following package changes have been done: - libtextstyle0-0.22.5-160000.2.2 added - envsubst-0.22.5-160000.2.2 added - gettext-runtime-0.22.5-160000.2.2 added - grub2-common-2.12-160000.3.1 added - grub2-i386-pc-2.12-160000.3.1 added - grub2-2.12-160000.3.1 added - squashfs-4.6.1-160000.2.2 added - elemental-2.3.0-160000.1.1 updated - elemental-updater-2.3.0-160000.1.1 updated - elemental-toolkit-2.3.1-160000.1.1 updated From sle-container-updates at lists.suse.com Fri Jan 9 08:28:13 2026 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Fri, 9 Jan 2026 09:28:13 +0100 (CET) Subject: SUSE-IU-2026:28-1: Security update of suse/sl-micro/6.2/kvm-os-container Message-ID: <20260109082813.BC485FB9B@maintenance.suse.de> SUSE Image Update Advisory: suse/sl-micro/6.2/kvm-os-container ----------------------------------------------------------------- Image Advisory ID : SUSE-IU-2026:28-1 Image Tags : suse/sl-micro/6.2/kvm-os-container:2.3.0 , suse/sl-micro/6.2/kvm-os-container:2.3.0-6.22 , suse/sl-micro/6.2/kvm-os-container:latest Image Release : 6.22 Severity : important Type : security References : 1216320 1229122 1229339 1233313 1233593 1233594 
1233773 1234959 1236045 1236046 1236801 1237096 1238572 1238848 1240550 1245636 1245738 1245953 1246231 1247242 1249088 1249385 1252930 1252931 1252932 1252933 1252934 1252935 CVE-2024-10524 CVE-2024-11595 CVE-2024-11596 CVE-2024-21820 CVE-2024-21853 CVE-2024-23918 CVE-2024-23984 CVE-2024-24968 CVE-2024-31068 CVE-2024-36293 CVE-2024-37020 CVE-2024-39355 CVE-2024-45336 CVE-2024-45341 CVE-2024-56738 CVE-2025-22866 CVE-2025-22870 CVE-2025-22871 CVE-2025-54770 CVE-2025-54771 CVE-2025-61661 CVE-2025-61662 CVE-2025-61663 CVE-2025-61664 ----------------------------------------------------------------- The container suse/sl-micro/6.2/kvm-os-container was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: 26 Released: Fri Mar 28 14:56:24 2025 Summary: Security update for ucode-intel Type: security Severity: important References: 1229339,1233313,1237096,1238848,CVE-2024-21820,CVE-2024-21853,CVE-2024-23918,CVE-2024-23984,CVE-2024-24968,CVE-2024-31068,CVE-2024-36293,CVE-2024-37020,CVE-2024-39355 This update for ucode-intel fixes the following issues: - Intel CPU Microcode was updated to the 20250211 release (bsc#1237096) - Security updates for INTEL-SA-01166 https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-01166.html * CVE-2024-31068: Improper Finite State Machines (FSMs) in Hardware Logic for some Intel Processors may allow privileged user to potentially enable denial of service via local access. - Security updates for INTEL-SA-01213 https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-01213.html * CVE-2024-36293: A potential security vulnerability in some Intel Software Guard Extensions (Intel SGX) Platforms may allow denial of service. Intel is releasing microcode updates to mitigate this potential vulnerability. 
- Security updates for INTEL-SA-01139 https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-01139.html * not clear which CVEs are fixed here, and which are in UEFI BIOS updates. - Security updates for INTEL-SA-01228 https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-01228.html * CVE-2024-39355: A potential security vulnerability in some 13th and 14th Generation Intel Core Processors may allow denial of service. Intel is releasing microcode and UEFI reference code updates to mitigate this potential vulnerability. - Security updates for INTEL-SA-01194 https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-01194.html * CVE-2024-37020: A potential security vulnerability in the Intel Data Streaming Accelerator (Intel DSA) for some Intel Xeon Processors may allow denial of service. Intel is releasing software updates to mitigate this potential vulnerability. - Update for functional issues. Refer to Intel Core Ultra Processor https://cdrdv2.intel.com/v1/dl/getContent/792254 for details. - Refer to 13th/14th Generation Intel Core Processor Specification Update https://cdrdv2.intel.com/v1/dl/getContent/740518 for details. - Refer to 12th Generation Intel Core Processor Family https://cdrdv2.intel.com/v1/dl/getContent/682436 for details. - Refer to 11th Gen Intel Core Processor Specification Update https://cdrdv2.intel.com/v1/dl/getContent/631123 for details. - Refer to 8th and 9th Generation Intel Core Processor Family Spec Update https://cdrdv2.intel.com/v1/dl/getContent/337346 for details. - Refer to 5th Gen Intel Xeon Scalable Processors Specification Update https://cdrdv2.intel.com/v1/dl/getContent/793902 for details. - Refer to 4th Gen Intel Xeon Scalable Processors Specification Update https://cdrdv2.intel.com/v1/dl/getContent/772415 for details. - Refer to 3rd Generation Intel Xeon Processor Scalable Family Specification Update https://cdrdv2.intel.com/v1/dl/getContent/637780 for details. 
- Refer to Intel Xeon D-2700 Processor Specification Update https://cdrdv2.intel.com/v1/dl/getContent/714071 for details.
- Refer to Intel Xeon E-2300 Processor Specification Update https://cdrdv2.intel.com/v1/dl/getContent/709192 for details.
- Refer to Intel Xeon 6700-Series Processor Specification Update https://cdrdv2.intel.com/v1/dl/getContent/820922 for details.
- Refer to Intel Processors and Intel Core i3 N-Series https://cdrdv2.intel.com/v1/dl/getContent/764616 for details

### New Platforms

| Processor      | Stepping | F-M-S/PI    | Old Ver  | New Ver  | Products
|:---------------|:---------|:------------|:---------|:---------|:---------
| SRF-SP         | C0       | 06-af-03/01 |          | 03000330 | Xeon 6700-Series Processors

### Updated Platforms

| Processor      | Stepping | F-M-S/PI    | Old Ver  | New Ver  | Products
|:---------------|:---------|:------------|:---------|:---------|:---------
| ADL            | C0       | 06-97-02/07 | 00000037 | 00000038 | Core Gen12
| ADL            | H0       | 06-97-05/07 | 00000037 | 00000038 | Core Gen12
| ADL            | L0       | 06-9a-03/80 | 00000435 | 00000436 | Core Gen12
| ADL            | R0       | 06-9a-04/80 | 00000435 | 00000436 | Core Gen12
| ADL-N          | N0       | 06-be-00/19 | 0000001a | 0000001c | Core i3-N305/N300, N50/N97/N100/N200, Atom x7211E/x7213E/x7425E
| AZB            | A0/R0    | 06-9a-04/40 | 00000007 | 00000009 | Intel(R) Atom(R) C1100
| CFL-H          | R0       | 06-9e-0d/22 | 00000100 | 00000102 | Core Gen9 Mobile
| CFL-H/S/E3     | U0       | 06-9e-0a/22 | 000000f8 | 000000fa | Core Gen8 Desktop, Mobile, Xeon E
| EMR-SP         | A0       | 06-cf-01/87 | 21000283 | 21000291 | Xeon Scalable Gen5
| EMR-SP         | A1       | 06-cf-02/87 | 21000283 | 21000291 | Xeon Scalable Gen5
| ICL-D          | B0       | 06-6c-01/10 | 010002b0 | 010002c0 | Xeon D-17xx, D-27xx
| ICX-SP         | Dx/M1    | 06-6a-06/87 | 0d0003e7 | 0d0003f5 | Xeon Scalable Gen3
| RPL-E/HX/S     | B0       | 06-b7-01/32 | 0000012b | 0000012c | Core Gen13/Gen14
| RPL-H/P/PX 6+8 | J0       | 06-ba-02/e0 | 00004123 | 00004124 | Core Gen13
| RPL-HX/S       | C0       | 06-bf-02/07 | 00000037 | 00000038 | Core Gen13/Gen14
| RPL-U 2+8      | Q0       | 06-ba-03/e0 | 00004123 | 00004124 | Core Gen13
| RPL-S          | H0       | 06-bf-05/07 | 00000037 | 00000038 | Core Gen13/Gen14
| RKL-S          | B0       | 06-a7-01/02 | 00000062 | 00000063 | Core Gen11
| SPR-HBM        | Bx       | 06-8f-08/10 | 2c000390 | 2c0003e0 | Xeon Max
| SPR-SP         | E4/S2    | 06-8f-07/87 | 2b000603 | 2b000620 | Xeon Scalable Gen4
| SPR-SP         | E5/S3    | 06-8f-08/87 | 2b000603 | 2b000620 | Xeon Scalable Gen4
| TWL            | N0       | 06-be-00/19 | 0000001a | 0000001c | Core i3-N305/N300, N50/N97/N100/N200, Atom x7211E/x7213E/x7425E

### New Disclosures Updated in Prior Releases

| Processor      | Stepping | F-M-S/PI    | Old Ver  | New Ver  | Products
|:---------------|:---------|:------------|:---------|:---------|:---------
| CFL-H/S        | P0       | 06-9e-0c/22 | 000000f6 | 000000f8 | Core Gen9

- Intel CPU Microcode was updated to the 20241112 release (bsc#1233313)
- CVE-2024-21853: Faulty finite state machines (FSMs) in the hardware logic in some 4th and 5th Generation Intel Xeon Processors may allow an authorized user to potentially enable denial of service via local access.
  Security updates for [INTEL-SA-01101](https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-01101.html)
- CVE-2024-23918: Improper conditions check in some Intel Xeon processor memory controller configurations when using Intel SGX may allow a privileged user to potentially enable escalation of privilege via local access.
  Security updates for [INTEL-SA-01079](https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-01079.html)
- CVE-2024-21820: Incorrect default permissions in some Intel Xeon processor memory controller configurations when using Intel SGX may allow a privileged user to potentially enable escalation of privilege via local access.
  Security updates for [INTEL-SA-01079](https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-01079.html)
- CVE-2024-24968: Improper finite state machines (FSMs) in hardware logic in some Intel Processors may allow a privileged user to potentially enable a denial of service via local access.
  Updated security updates for [INTEL-SA-01097](https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-01097.html)
- CVE-2024-23984: Observable discrepancy in RAPL interface for some Intel Processors may allow a privileged user to potentially enable information disclosure via local access.
  Updated security updates for [INTEL-SA-01103](https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-01103.html)
- Update for functional issues.
- Refer to [Intel Core Ultra Processor](https://cdrdv2.intel.com/v1/dl/getContent/792254) for details.
- Refer to [14th/13th Generation Intel Core Processor Specification Update](https://cdrdv2.intel.com/v1/dl/getContent/740518) for details.
- Refer to [12th Generation Intel Core Processor Family](https://cdrdv2.intel.com/v1/dl/getContent/682436) for details.
- Refer to [5th Gen Intel Xeon Scalable Processors Specification Update](https://cdrdv2.intel.com/v1/dl/getContent/793902) for details.
- Refer to [4th Gen Intel Xeon Scalable Processors Specification Update](https://cdrdv2.intel.com/v1/dl/getContent/772415) for details.
- Refer to [3rd Generation Intel Xeon Processor Scalable Family Specification Update](https://cdrdv2.intel.com/v1/dl/getContent/637780) for details.
- Refer to [Intel Xeon D-2700 Processor Specification Update](https://cdrdv2.intel.com/v1/dl/getContent/714071) for details.
- Refer to [Intel Xeon D-1700 and D-1800 Processor Family Specification Update](https://cdrdv2.intel.com/v1/dl/getContent/714069) for details.

New Platforms:

| Processor      | Stepping | F-M-S/PI    | Old Ver  | New Ver  | Products
|:---------------|:---------|:------------|:---------|:---------|:---------

Updated Platforms:

| Processor      | Stepping | F-M-S/PI    | Old Ver  | New Ver  | Products
|:---------------|:---------|:------------|:---------|:---------|:---------
| ADL            | C0       | 06-97-02/07 | 00000036 | 00000037 | Core Gen12
| ADL            | H0       | 06-97-05/07 | 00000036 | 00000037 | Core Gen12
| ADL            | L0       | 06-9a-03/80 | 00000434 | 00000435 | Core Gen12
| ADL            | R0       | 06-9a-04/80 | 00000434 | 00000435 | Core Gen12
| EMR-SP         | A0       | 06-cf-01/87 | 21000230 | 21000283 | Xeon Scalable Gen5
| EMR-SP         | A1       | 06-cf-02/87 | 21000230 | 21000283 | Xeon Scalable Gen5
| MTL            | C0       | 06-aa-04/e6 | 0000001f | 00000020 | Core Ultra Processor
| RPL-H/P/PX 6+8 | J0       | 06-ba-02/e0 | 00004122 | 00004123 | Core Gen13
| RPL-HX/S       | C0       | 06-bf-02/07 | 00000036 | 00000037 | Core Gen13/Gen14
| RPL-S          | H0       | 06-bf-05/07 | 00000036 | 00000037 | Core Gen13/Gen14
| RPL-U 2+8      | Q0       | 06-ba-03/e0 | 00004122 | 00004123 | Core Gen13
| SPR-SP         | E3       | 06-8f-06/87 | 2b0005c0 | 2b000603 | Xeon Scalable Gen4
| SPR-SP         | E4/S2    | 06-8f-07/87 | 2b0005c0 | 2b000603 | Xeon Scalable Gen4
| SPR-SP         | E5/S3    | 06-8f-08/87 | 2b0005c0 | 2b000603 | Xeon Scalable Gen4

New Disclosures Updated in Prior Releases:

| Processor      | Stepping | F-M-S/PI    | Old Ver  | New Ver  | Products
|:---------------|:---------|:------------|:---------|:---------|:---------
| ICL-D          | B0       | 06-6c-01/10 | 010002b0 | N/A      | Xeon D-17xx/D-18xx, D-27xx/D-28xx
| ICX-SP         | Dx/M1    | 06-6a-06/87 | 0d0003e7 | N/A      | Xeon Scalable Gen3

- Intel CPU Microcode was updated to the 20241029 release
  Update for functional issues. Refer to [14th/13th Generation Intel Core Processor Specification Update](https://cdrdv2.intel.com/v1/dl/getContent/740518) for details.
Updated Platforms:

| Processor      | Stepping | F-M-S/PI    | Old Ver  | New Ver  | Products
|:---------------|:---------|:------------|:---------|:---------|:---------
| RPL-E/HX/S     | B0       | 06-b7-01/32 | 00000129 | 0000012b | Core Gen13/Gen14

-----------------------------------------------------------------
Advisory ID: 106
Released: Tue May 13 10:45:13 2025
Summary: Security update for go1.23-openssl
Type: security
Severity: moderate
References: 1216320,1229122,1234959,1236045,1236046,1236801,1238572,1240550,1245636,1245738,1245953,1246231,1247242,1249088,1249385,1252930,1252931,1252932,1252933,1252934,1252935,CVE-2024-45336,CVE-2024-45341,CVE-2024-56738,CVE-2025-22866,CVE-2025-22870,CVE-2025-22871,CVE-2025-54770,CVE-2025-54771,CVE-2025-61661,CVE-2025-61662,CVE-2025-61663,CVE-2025-61664

This update for go1.23-openssl fixes the following issues:

Update to version 1.23.9 cut from the go1.23-fips-release branch at the revision tagged go1.23.9-0-openssl-fips.

* Rebase to 1.23.9

go1.23.9 (released 2025-05-06) includes fixes to the runtime and the linker.

* go#73091 cmd/link: linkname directive on userspace variable can override runtime variable
* go#73380 runtime, x/sys/unix: Connectx is broken on darwin/amd64

Update to version 1.23.8 cut from the go1.23-fips-release branch at the revision tagged go1.23.8-1-openssl-fips.

* Rebase to 1.23.8

go1.23.8 (released 2025-04-01) includes security fixes to the net/http package, as well as bug fixes to the runtime and the go command. (bsc#1229122)

CVE-2025-22871:

* go#72010 go#71988 bsc#1240550 security: fix CVE-2025-22871 net/http: reject bare LF in chunked encoding
* go#72114 runtime: process hangs for mips hardware
* go#72871 runtime: cgo callback on extra M treated as external code after nested cgo callback returns
* go#72937 internal/godebugs: winsymlink and winreadlinkvolume have incorrect defaults for Go 1.22

Update to version 1.23.6 cut from the go1.23-fips-release branch at the revision tagged go1.23.7-1-openssl-fips.
* Rebase to 1.23.7

go1.23.7 (released 2025-03-04) includes security fixes to the net/http package, as well as bug fixes to cgo, the compiler, and the reflect, runtime, and syscall packages. (bsc#1229122)

CVE-2025-22870:

* go#71985 go#71984 bsc#1238572 security: fix CVE-2025-22870 net/http, x/net/proxy, x/net/http/httpproxy: proxy bypass using IPv6 zone IDs
* go#71727 runtime: usleep computes wrong tv_nsec on s390x
* go#71839 runtime: recover added in range-over-func loop body doesn't stop panic propagation / segfaults printing error
* go#71848 os: spurious SIGCHILD on running child process
* go#71875 reflect: Value.Seq panicking on functional iterator methods
* go#71915 reflect: Value.Seq iteration value types not matching the type of given int types
* go#71962 runtime/cgo: does not build with -Wdeclaration-after-statement

Update to version 1.23.6 cut from the go1.23-fips-release branch at the revision tagged go1.23.6-1-openssl-fips.

* Rebase to 1.23.6 (#267)
* Allow fetching from a fork of the Go repo

go1.23.6 (released 2025-02-04) includes security fixes to the crypto/elliptic package, as well as bug fixes to the compiler and the go command.

CVE-2025-22866:

* go#71423 go#71383 bsc#1236801 security: fix CVE-2025-22866 crypto/internal/fips140/nistec: p256NegCond is variable time on ppc64le
* go#71263 cmd/go/internal/modfetch/codehost: test fails with git 2.47.1
* go#71230 cmd/compile: broken write barrier

go1.23.5 (released 2025-01-16) includes security fixes to the crypto/x509 and net/http packages, as well as bug fixes to the compiler, the runtime, and the net package.

CVE-2024-45341 CVE-2024-45336:

* go#71208 go#71156 bsc#1236045 security: fix CVE-2024-45341 crypto/x509: usage of IPv6 zone IDs can bypass URI name constraints
* go#71211 go#70530 bsc#1236046 security: fix CVE-2024-45336 net/http: sensitive headers incorrectly sent after cross-domain redirect
* go#69988 runtime: severe performance drop for cgo calls in go1.22.5
* go#70517 cmd/compile/internal/importer: flip enable alias to true
* go#70789 os: io.Copy(net.Conn, os.Stdin) on MacOS terminate immediately without waiting for input
* go#71104 crypto/tls: TestVerifyConnection/TLSv12 failures
* go#71147 internal/trace: TestTraceCPUProfile/Stress failures

Update to version 1.23.4 cut from the go1.23-fips-release branch at the revision tagged go1.23.4-1-openssl-fips.

* Update to Go 1.23.4 (#250)

-----------------------------------------------------------------
Advisory ID: 109
Released: Thu May 15 11:36:36 2025
Summary: Security update for wget
Type: security
Severity: moderate
References: 1233593,1233594,1233773,CVE-2024-10524,CVE-2024-11595,CVE-2024-11596

This update for wget fixes the following issues:

- CVE-2024-10524: Drop support for shorthand URLs (bsc#1233773).
The following package changes have been done:

- file-magic-5.46-160000.2.2 added
- libtextstyle0-0.22.5-160000.2.2 added
- libtasn1-6-4.20.0-160000.3.2 added
- liblz1-1.15-160000.2.2 added
- libfuse3-3-3.16.2-160000.2.2 added
- envsubst-0.22.5-160000.2.2 added
- pigz-2.8-160000.2.2 added
- libpng16-16-1.6.44-160000.2.2 added
- liblastlog2-2-2.41.1-160000.2.2 added
- perl-base-5.42.0-160000.2.2 added
- libmagic1-5.46-160000.2.2 added
- libdw1-0.192-160000.2.2 added
- file-5.46-160000.2.2 added
- libfreetype6-2.13.3-160000.3.1 added
- zstd-1.5.7-160000.2.2 added
- gettext-runtime-0.22.5-160000.2.2 added
- cpio-2.15-160000.2.2 added
- libasm1-0.192-160000.2.2 added
- grub2-common-2.12-160000.3.1 added
- elfutils-0.192-160000.2.2 added
- grub2-i386-pc-2.12-160000.3.1 added
- grub2-2.12-160000.3.1 added
- util-linux-systemd-2.41.1-160000.2.2 added
- dracut-059+suse.700.g40f7c5c4-160000.1.1 added
- elemental-toolkit-2.3.1-160000.1.1 updated
- elemental-updater-2.3.0-160000.1.1 updated
- squashfs-4.6.1-160000.2.2 added
- elemental-2.3.0-160000.1.1 updated

From sle-container-updates at lists.suse.com Fri Jan 9 08:28:54 2026
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Fri, 9 Jan 2026 09:28:54 +0100 (CET)
Subject: SUSE-IU-2026:30-1: Security update of suse/sl-micro/6.2/rt-os-container
Message-ID: <20260109082854.9D8B9FB9B@maintenance.suse.de>

SUSE Image Update Advisory: suse/sl-micro/6.2/rt-os-container
-----------------------------------------------------------------
Image Advisory ID : SUSE-IU-2026:30-1
Image Tags : suse/sl-micro/6.2/rt-os-container:2.3.0 , suse/sl-micro/6.2/rt-os-container:2.3.0-5.24 , suse/sl-micro/6.2/rt-os-container:latest
Image Release : 5.24
Severity : important
Type : security
References : 1216320 1229122 1229339 1233313 1233593 1233594 1233773 1234959 1236045 1236046 1236801 1237096 1238572 1238848 1240550 1245636 1245738 1245953 1246231 1247242 1249088 1249385 1252930 1252931 1252932 1252933 1252934 1252935 CVE-2024-10524 CVE-2024-11595 CVE-2024-11596 CVE-2024-21820 CVE-2024-21853 CVE-2024-23918 CVE-2024-23984 CVE-2024-24968 CVE-2024-31068 CVE-2024-36293 CVE-2024-37020 CVE-2024-39355 CVE-2024-45336 CVE-2024-45341 CVE-2024-56738 CVE-2025-22866 CVE-2025-22870 CVE-2025-22871 CVE-2025-54770 CVE-2025-54771 CVE-2025-61661 CVE-2025-61662 CVE-2025-61663 CVE-2025-61664
-----------------------------------------------------------------

The container suse/sl-micro/6.2/rt-os-container was updated.

The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: 26
Released: Fri Mar 28 14:56:24 2025
Summary: Security update for ucode-intel
Type: security
Severity: important
References: 1229339,1233313,1237096,1238848,CVE-2024-21820,CVE-2024-21853,CVE-2024-23918,CVE-2024-23984,CVE-2024-24968,CVE-2024-31068,CVE-2024-36293,CVE-2024-37020,CVE-2024-39355

This update for ucode-intel fixes the following issues:

- Intel CPU Microcode was updated to the 20250211 release (bsc#1237096)
- Security updates for INTEL-SA-01166 https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-01166.html
  * CVE-2024-31068: Improper Finite State Machines (FSMs) in Hardware Logic for some Intel Processors may allow privileged user to potentially enable denial of service via local access.
- Security updates for INTEL-SA-01213 https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-01213.html
  * CVE-2024-36293: A potential security vulnerability in some Intel Software Guard Extensions (Intel SGX) Platforms may allow denial of service. Intel is releasing microcode updates to mitigate this potential vulnerability.
- Security updates for INTEL-SA-01139 https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-01139.html
  * not clear which CVEs are fixed here, and which are in UEFI BIOS updates.
- Security updates for INTEL-SA-01228 https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-01228.html
  * CVE-2024-39355: A potential security vulnerability in some 13th and 14th Generation Intel Core Processors may allow denial of service. Intel is releasing microcode and UEFI reference code updates to mitigate this potential vulnerability.
- Security updates for INTEL-SA-01194 https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-01194.html
  * CVE-2024-37020: A potential security vulnerability in the Intel Data Streaming Accelerator (Intel DSA) for some Intel Xeon Processors may allow denial of service. Intel is releasing software updates to mitigate this potential vulnerability.
- Update for functional issues. Refer to Intel Core Ultra Processor https://cdrdv2.intel.com/v1/dl/getContent/792254 for details.
- Refer to 13th/14th Generation Intel Core Processor Specification Update https://cdrdv2.intel.com/v1/dl/getContent/740518 for details.
- Refer to 12th Generation Intel Core Processor Family https://cdrdv2.intel.com/v1/dl/getContent/682436 for details.
- Refer to 11th Gen Intel Core Processor Specification Update https://cdrdv2.intel.com/v1/dl/getContent/631123 for details.
- Refer to 8th and 9th Generation Intel Core Processor Family Spec Update https://cdrdv2.intel.com/v1/dl/getContent/337346 for details.
- Refer to 5th Gen Intel Xeon Scalable Processors Specification Update https://cdrdv2.intel.com/v1/dl/getContent/793902 for details.
- Refer to 4th Gen Intel Xeon Scalable Processors Specification Update https://cdrdv2.intel.com/v1/dl/getContent/772415 for details.
- Refer to 3rd Generation Intel Xeon Processor Scalable Family Specification Update https://cdrdv2.intel.com/v1/dl/getContent/637780 for details.
- Refer to Intel Xeon D-2700 Processor Specification Update https://cdrdv2.intel.com/v1/dl/getContent/714071 for details.
- Refer to Intel Xeon E-2300 Processor Specification Update https://cdrdv2.intel.com/v1/dl/getContent/709192 for details.
- Refer to Intel Xeon 6700-Series Processor Specification Update https://cdrdv2.intel.com/v1/dl/getContent/820922 for details.
- Refer to Intel Processors and Intel Core i3 N-Series https://cdrdv2.intel.com/v1/dl/getContent/764616 for details

### New Platforms

| Processor      | Stepping | F-M-S/PI    | Old Ver  | New Ver  | Products
|:---------------|:---------|:------------|:---------|:---------|:---------
| SRF-SP         | C0       | 06-af-03/01 |          | 03000330 | Xeon 6700-Series Processors

### Updated Platforms

| Processor      | Stepping | F-M-S/PI    | Old Ver  | New Ver  | Products
|:---------------|:---------|:------------|:---------|:---------|:---------
| ADL            | C0       | 06-97-02/07 | 00000037 | 00000038 | Core Gen12
| ADL            | H0       | 06-97-05/07 | 00000037 | 00000038 | Core Gen12
| ADL            | L0       | 06-9a-03/80 | 00000435 | 00000436 | Core Gen12
| ADL            | R0       | 06-9a-04/80 | 00000435 | 00000436 | Core Gen12
| ADL-N          | N0       | 06-be-00/19 | 0000001a | 0000001c | Core i3-N305/N300, N50/N97/N100/N200, Atom x7211E/x7213E/x7425E
| AZB            | A0/R0    | 06-9a-04/40 | 00000007 | 00000009 | Intel(R) Atom(R) C1100
| CFL-H          | R0       | 06-9e-0d/22 | 00000100 | 00000102 | Core Gen9 Mobile
| CFL-H/S/E3     | U0       | 06-9e-0a/22 | 000000f8 | 000000fa | Core Gen8 Desktop, Mobile, Xeon E
| EMR-SP         | A0       | 06-cf-01/87 | 21000283 | 21000291 | Xeon Scalable Gen5
| EMR-SP         | A1       | 06-cf-02/87 | 21000283 | 21000291 | Xeon Scalable Gen5
| ICL-D          | B0       | 06-6c-01/10 | 010002b0 | 010002c0 | Xeon D-17xx, D-27xx
| ICX-SP         | Dx/M1    | 06-6a-06/87 | 0d0003e7 | 0d0003f5 | Xeon Scalable Gen3
| RPL-E/HX/S     | B0       | 06-b7-01/32 | 0000012b | 0000012c | Core Gen13/Gen14
| RPL-H/P/PX 6+8 | J0       | 06-ba-02/e0 | 00004123 | 00004124 | Core Gen13
| RPL-HX/S       | C0       | 06-bf-02/07 | 00000037 | 00000038 | Core Gen13/Gen14
| RPL-U 2+8      | Q0       | 06-ba-03/e0 | 00004123 | 00004124 | Core Gen13
| RPL-S          | H0       | 06-bf-05/07 | 00000037 | 00000038 | Core Gen13/Gen14
| RKL-S          | B0       | 06-a7-01/02 | 00000062 | 00000063 | Core Gen11
| SPR-HBM        | Bx       | 06-8f-08/10 | 2c000390 | 2c0003e0 | Xeon Max
| SPR-SP         | E4/S2    | 06-8f-07/87 | 2b000603 | 2b000620 | Xeon Scalable Gen4
| SPR-SP         | E5/S3    | 06-8f-08/87 | 2b000603 | 2b000620 | Xeon Scalable Gen4
| TWL            | N0       | 06-be-00/19 | 0000001a | 0000001c | Core i3-N305/N300, N50/N97/N100/N200, Atom x7211E/x7213E/x7425E

### New Disclosures Updated in Prior Releases

| Processor      | Stepping | F-M-S/PI    | Old Ver  | New Ver  | Products
|:---------------|:---------|:------------|:---------|:---------|:---------
| CFL-H/S        | P0       | 06-9e-0c/22 | 000000f6 | 000000f8 | Core Gen9

- Intel CPU Microcode was updated to the 20241112 release (bsc#1233313)
- CVE-2024-21853: Faulty finite state machines (FSMs) in the hardware logic in some 4th and 5th Generation Intel Xeon Processors may allow an authorized user to potentially enable denial of service via local access.
  Security updates for [INTEL-SA-01101](https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-01101.html)
- CVE-2024-23918: Improper conditions check in some Intel Xeon processor memory controller configurations when using Intel SGX may allow a privileged user to potentially enable escalation of privilege via local access.
  Security updates for [INTEL-SA-01079](https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-01079.html)
- CVE-2024-21820: Incorrect default permissions in some Intel Xeon processor memory controller configurations when using Intel SGX may allow a privileged user to potentially enable escalation of privilege via local access.
  Security updates for [INTEL-SA-01079](https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-01079.html)
- CVE-2024-24968: Improper finite state machines (FSMs) in hardware logic in some Intel Processors may allow a privileged user to potentially enable a denial of service via local access.
  Updated security updates for [INTEL-SA-01097](https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-01097.html)
- CVE-2024-23984: Observable discrepancy in RAPL interface for some Intel Processors may allow a privileged user to potentially enable information disclosure via local access.
  Updated security updates for [INTEL-SA-01103](https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-01103.html)
- Update for functional issues.
- Refer to [Intel Core Ultra Processor](https://cdrdv2.intel.com/v1/dl/getContent/792254) for details.
- Refer to [14th/13th Generation Intel Core Processor Specification Update](https://cdrdv2.intel.com/v1/dl/getContent/740518) for details.
- Refer to [12th Generation Intel Core Processor Family](https://cdrdv2.intel.com/v1/dl/getContent/682436) for details.
- Refer to [5th Gen Intel Xeon Scalable Processors Specification Update](https://cdrdv2.intel.com/v1/dl/getContent/793902) for details.
- Refer to [4th Gen Intel Xeon Scalable Processors Specification Update](https://cdrdv2.intel.com/v1/dl/getContent/772415) for details.
- Refer to [3rd Generation Intel Xeon Processor Scalable Family Specification Update](https://cdrdv2.intel.com/v1/dl/getContent/637780) for details.
- Refer to [Intel Xeon D-2700 Processor Specification Update](https://cdrdv2.intel.com/v1/dl/getContent/714071) for details.
- Refer to [Intel Xeon D-1700 and D-1800 Processor Family Specification Update](https://cdrdv2.intel.com/v1/dl/getContent/714069) for details.

New Platforms:

| Processor      | Stepping | F-M-S/PI    | Old Ver  | New Ver  | Products
|:---------------|:---------|:------------|:---------|:---------|:---------

Updated Platforms:

| Processor      | Stepping | F-M-S/PI    | Old Ver  | New Ver  | Products
|:---------------|:---------|:------------|:---------|:---------|:---------
| ADL            | C0       | 06-97-02/07 | 00000036 | 00000037 | Core Gen12
| ADL            | H0       | 06-97-05/07 | 00000036 | 00000037 | Core Gen12
| ADL            | L0       | 06-9a-03/80 | 00000434 | 00000435 | Core Gen12
| ADL            | R0       | 06-9a-04/80 | 00000434 | 00000435 | Core Gen12
| EMR-SP         | A0       | 06-cf-01/87 | 21000230 | 21000283 | Xeon Scalable Gen5
| EMR-SP         | A1       | 06-cf-02/87 | 21000230 | 21000283 | Xeon Scalable Gen5
| MTL            | C0       | 06-aa-04/e6 | 0000001f | 00000020 | Core Ultra Processor
| RPL-H/P/PX 6+8 | J0       | 06-ba-02/e0 | 00004122 | 00004123 | Core Gen13
| RPL-HX/S       | C0       | 06-bf-02/07 | 00000036 | 00000037 | Core Gen13/Gen14
| RPL-S          | H0       | 06-bf-05/07 | 00000036 | 00000037 | Core Gen13/Gen14
| RPL-U 2+8      | Q0       | 06-ba-03/e0 | 00004122 | 00004123 | Core Gen13
| SPR-SP         | E3       | 06-8f-06/87 | 2b0005c0 | 2b000603 | Xeon Scalable Gen4
| SPR-SP         | E4/S2    | 06-8f-07/87 | 2b0005c0 | 2b000603 | Xeon Scalable Gen4
| SPR-SP         | E5/S3    | 06-8f-08/87 | 2b0005c0 | 2b000603 | Xeon Scalable Gen4

New Disclosures Updated in Prior Releases:

| Processor      | Stepping | F-M-S/PI    | Old Ver  | New Ver  | Products
|:---------------|:---------|:------------|:---------|:---------|:---------
| ICL-D          | B0       | 06-6c-01/10 | 010002b0 | N/A      | Xeon D-17xx/D-18xx, D-27xx/D-28xx
| ICX-SP         | Dx/M1    | 06-6a-06/87 | 0d0003e7 | N/A      | Xeon Scalable Gen3

- Intel CPU Microcode was updated to the 20241029 release
  Update for functional issues. Refer to [14th/13th Generation Intel Core Processor Specification Update](https://cdrdv2.intel.com/v1/dl/getContent/740518) for details.
Updated Platforms:

| Processor      | Stepping | F-M-S/PI    | Old Ver  | New Ver  | Products
|:---------------|:---------|:------------|:---------|:---------|:---------
| RPL-E/HX/S     | B0       | 06-b7-01/32 | 00000129 | 0000012b | Core Gen13/Gen14

-----------------------------------------------------------------
Advisory ID: 106
Released: Tue May 13 10:45:13 2025
Summary: Security update for go1.23-openssl
Type: security
Severity: moderate
References: 1216320,1229122,1234959,1236045,1236046,1236801,1238572,1240550,1245636,1245738,1245953,1246231,1247242,1249088,1249385,1252930,1252931,1252932,1252933,1252934,1252935,CVE-2024-45336,CVE-2024-45341,CVE-2024-56738,CVE-2025-22866,CVE-2025-22870,CVE-2025-22871,CVE-2025-54770,CVE-2025-54771,CVE-2025-61661,CVE-2025-61662,CVE-2025-61663,CVE-2025-61664

This update for go1.23-openssl fixes the following issues:

Update to version 1.23.9 cut from the go1.23-fips-release branch at the revision tagged go1.23.9-0-openssl-fips.

* Rebase to 1.23.9

go1.23.9 (released 2025-05-06) includes fixes to the runtime and the linker.

* go#73091 cmd/link: linkname directive on userspace variable can override runtime variable
* go#73380 runtime, x/sys/unix: Connectx is broken on darwin/amd64

Update to version 1.23.8 cut from the go1.23-fips-release branch at the revision tagged go1.23.8-1-openssl-fips.

* Rebase to 1.23.8

go1.23.8 (released 2025-04-01) includes security fixes to the net/http package, as well as bug fixes to the runtime and the go command. (bsc#1229122)

CVE-2025-22871:

* go#72010 go#71988 bsc#1240550 security: fix CVE-2025-22871 net/http: reject bare LF in chunked encoding
* go#72114 runtime: process hangs for mips hardware
* go#72871 runtime: cgo callback on extra M treated as external code after nested cgo callback returns
* go#72937 internal/godebugs: winsymlink and winreadlinkvolume have incorrect defaults for Go 1.22

Update to version 1.23.6 cut from the go1.23-fips-release branch at the revision tagged go1.23.7-1-openssl-fips.
* Rebase to 1.23.7

go1.23.7 (released 2025-03-04) includes security fixes to the net/http package, as well as bug fixes to cgo, the compiler, and the reflect, runtime, and syscall packages. (bsc#1229122)

CVE-2025-22870:

* go#71985 go#71984 bsc#1238572 security: fix CVE-2025-22870 net/http, x/net/proxy, x/net/http/httpproxy: proxy bypass using IPv6 zone IDs
* go#71727 runtime: usleep computes wrong tv_nsec on s390x
* go#71839 runtime: recover added in range-over-func loop body doesn't stop panic propagation / segfaults printing error
* go#71848 os: spurious SIGCHILD on running child process
* go#71875 reflect: Value.Seq panicking on functional iterator methods
* go#71915 reflect: Value.Seq iteration value types not matching the type of given int types
* go#71962 runtime/cgo: does not build with -Wdeclaration-after-statement

Update to version 1.23.6 cut from the go1.23-fips-release branch at the revision tagged go1.23.6-1-openssl-fips.

* Rebase to 1.23.6 (#267)
* Allow fetching from a fork of the Go repo

go1.23.6 (released 2025-02-04) includes security fixes to the crypto/elliptic package, as well as bug fixes to the compiler and the go command.

CVE-2025-22866:

* go#71423 go#71383 bsc#1236801 security: fix CVE-2025-22866 crypto/internal/fips140/nistec: p256NegCond is variable time on ppc64le
* go#71263 cmd/go/internal/modfetch/codehost: test fails with git 2.47.1
* go#71230 cmd/compile: broken write barrier

go1.23.5 (released 2025-01-16) includes security fixes to the crypto/x509 and net/http packages, as well as bug fixes to the compiler, the runtime, and the net package.

CVE-2024-45341 CVE-2024-45336:

* go#71208 go#71156 bsc#1236045 security: fix CVE-2024-45341 crypto/x509: usage of IPv6 zone IDs can bypass URI name constraints
* go#71211 go#70530 bsc#1236046 security: fix CVE-2024-45336 net/http: sensitive headers incorrectly sent after cross-domain redirect
* go#69988 runtime: severe performance drop for cgo calls in go1.22.5
* go#70517 cmd/compile/internal/importer: flip enable alias to true
* go#70789 os: io.Copy(net.Conn, os.Stdin) on MacOS terminate immediately without waiting for input
* go#71104 crypto/tls: TestVerifyConnection/TLSv12 failures
* go#71147 internal/trace: TestTraceCPUProfile/Stress failures

Update to version 1.23.4 cut from the go1.23-fips-release branch at the revision tagged go1.23.4-1-openssl-fips.

* Update to Go 1.23.4 (#250)

-----------------------------------------------------------------
Advisory ID: 109
Released: Thu May 15 11:36:36 2025
Summary: Security update for wget
Type: security
Severity: moderate
References: 1233593,1233594,1233773,CVE-2024-10524,CVE-2024-11595,CVE-2024-11596

This update for wget fixes the following issues:

- CVE-2024-10524: Drop support for shorthand URLs (bsc#1233773).
The following package changes have been done:

- file-magic-5.46-160000.2.2 added
- libtextstyle0-0.22.5-160000.2.2 added
- libtasn1-6-4.20.0-160000.3.2 added
- liblz1-1.15-160000.2.2 added
- libfuse3-3-3.16.2-160000.2.2 added
- envsubst-0.22.5-160000.2.2 added
- pigz-2.8-160000.2.2 added
- libpng16-16-1.6.44-160000.2.2 added
- liblastlog2-2-2.41.1-160000.2.2 added
- perl-base-5.42.0-160000.2.2 added
- libmagic1-5.46-160000.2.2 added
- libdw1-0.192-160000.2.2 added
- file-5.46-160000.2.2 added
- libfreetype6-2.13.3-160000.3.1 added
- zstd-1.5.7-160000.2.2 added
- gettext-runtime-0.22.5-160000.2.2 added
- cpio-2.15-160000.2.2 added
- libasm1-0.192-160000.2.2 added
- grub2-common-2.12-160000.3.1 added
- elfutils-0.192-160000.2.2 added
- grub2-i386-pc-2.12-160000.3.1 added
- grub2-2.12-160000.3.1 added
- util-linux-systemd-2.41.1-160000.2.2 added
- dracut-059+suse.700.g40f7c5c4-160000.1.1 added
- elemental-toolkit-2.3.1-160000.1.1 updated
- elemental-updater-2.3.0-160000.1.1 updated
- squashfs-4.6.1-160000.2.2 added
- elemental-2.3.0-160000.1.1 updated

From sle-container-updates at lists.suse.com Fri Jan 9 08:30:19 2026
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Fri, 9 Jan 2026 09:30:19 +0100 (CET)
Subject: SUSE-CU-2026:160-1: Security update of suse/ltss/sle12.5/sles12sp5
Message-ID: <20260109083019.3B946FB9B@maintenance.suse.de>

SUSE Container Update Advisory: suse/ltss/sle12.5/sles12sp5
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2026:160-1
Container Tags : suse/ltss/sle12.5/sles12sp5:8.5.174 , suse/ltss/sle12.5/sles12sp5:latest
Container Release : 8.5.174
Severity : moderate
Type : security
References : 1255731 1255732 1255733 CVE-2025-14524 CVE-2025-14819 CVE-2025-15079
-----------------------------------------------------------------

The container suse/ltss/sle12.5/sles12sp5 was updated.
The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:66-1
Released: Thu Jan 8 13:21:34 2026
Summary: Security update for curl
Type: security
Severity: moderate
References: 1255731,1255732,1255733,CVE-2025-14524,CVE-2025-14819,CVE-2025-15079

This update for curl fixes the following issues:

- CVE-2025-14524: Fixed bearer token leak on cross-protocol redirect (bsc#1255731)
- CVE-2025-15079: Fixed unknown host connection acceptance when set in the global knownhostsfile (bsc#1255733)
- CVE-2025-14819: Fixed issue where alteration of CURLSSLOPT_NO_PARTIALCHAIN could accidentally lead to CA cache reuse for which partial chain was reversed (bsc#1255732)

The following package changes have been done:

- libcurl4-8.0.1-11.111.1 updated

From sle-container-updates at lists.suse.com Fri Jan 9 08:37:28 2026
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Fri, 9 Jan 2026 09:37:28 +0100 (CET)
Subject: SUSE-CU-2026:161-1: Recommended update of suse/kubectl
Message-ID: <20260109083728.885C3FB9B@maintenance.suse.de>

SUSE Container Update Advisory: suse/kubectl
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2026:161-1
Container Tags : suse/kubectl:1.33 , suse/kubectl:1.33.7 , suse/kubectl:1.33.7-2.62.3 , suse/kubectl:oldstable , suse/kubectl:oldstable-2.62.3
Container Release : 62.3
Severity : moderate
Type : recommended
References : 1251168
-----------------------------------------------------------------

The container suse/kubectl was updated.
The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2026:75-1
Released: Thu Jan 8 17:01:27 2026
Summary: Recommended update for kubernetes-old
Type: recommended
Severity: moderate
References: 1251168

This update for kubernetes-old fixes the following issues:

- bump `diffutils` as `Requires` in the Kubernetes*-client package (bsc#1251168)
  * Adding as `Recommends` did not work - recommends do not actually get respected in container builds, as container builds are configured to install with packages marked as required.

The following package changes have been done:

- kubernetes1.33-client-1.33.7-150600.13.21.1 updated
- kubernetes1.33-client-common-1.33.7-150600.13.21.1 updated
- container:suse-sle15-15.7-17d580e01de81ee10782633976ab6983923855d96e8b6342192d8486fa7933cf-0 updated

From sle-container-updates at lists.suse.com Fri Jan 9 08:37:48 2026
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Fri, 9 Jan 2026 09:37:48 +0100 (CET)
Subject: SUSE-CU-2026:162-1: Recommended update of suse/kubectl
Message-ID: <20260109083748.A9EAFFB9B@maintenance.suse.de>

SUSE Container Update Advisory: suse/kubectl
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2026:162-1
Container Tags : suse/kubectl:1.35 , suse/kubectl:1.35.0 , suse/kubectl:1.35.0-1.62.3 , suse/kubectl:latest , suse/kubectl:stable , suse/kubectl:stable-1.62.3
Container Release : 62.3
Severity : moderate
Type : recommended
References : 1251168
-----------------------------------------------------------------

The container suse/kubectl was updated.
The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2026:74-1
Released: Thu Jan 8 17:01:10 2026
Summary: Recommended update for kubernetes
Type: recommended
Severity: moderate
References: 1251168

This update for kubernetes fixes the following issues:

- bump `diffutils` as `Requires` in the Kubernetes*-client package (bsc#1251168)
  * Adding as `Recommends` didn't work - recommends do not actually get respected in container builds, as container builds are configured to install with packages marked as required.

The following package changes have been done:

- kubernetes1.35-client-1.35.0-150600.13.21.1 updated
- kubernetes1.35-client-common-1.35.0-150600.13.21.1 updated
- container:suse-sle15-15.7-17d580e01de81ee10782633976ab6983923855d96e8b6342192d8486fa7933cf-0 updated

From sle-container-updates at lists.suse.com Fri Jan 9 08:39:39 2026
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Fri, 9 Jan 2026 09:39:39 +0100 (CET)
Subject: SUSE-CU-2026:163-1: Recommended update of suse/sles/16.0/toolbox
Message-ID: <20260109083940.0313FFB9B@maintenance.suse.de>

SUSE Container Update Advisory: suse/sles/16.0/toolbox
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2026:163-1
Container Tags : suse/sles/16.0/toolbox:16.3 , suse/sles/16.0/toolbox:16.3-1.8 , suse/sles/16.0/toolbox:latest
Container Release : 1.8
Severity : moderate
Type : recommended
References : 1232211 1235600 1235601 1246912 1250343 CVE-2024-50349 CVE-2024-52006
-----------------------------------------------------------------

The container suse/sles/16.0/toolbox was updated.
The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: 124
Released: Wed May 28 09:24:11 2025
Summary: Recommended update for git
Type: recommended
Severity: moderate
References: 1232211,1235600,1235601,1246912,1250343,CVE-2024-50349,CVE-2024-52006

This update for git fixes the following issues:

- CVE-2024-50349: passwords for trusted sites could be sent to untrusted sites (bsc#1235600)
- CVE-2024-52006: Carriage Returns via the credential protocol to credential helpers (bsc#1235601)

The following package changes have been done:

- libzypp-17.37.18-160000.1.1 updated

From sle-container-updates at lists.suse.com Fri Jan 9 13:56:34 2026
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Fri, 9 Jan 2026 14:56:34 +0100 (CET)
Subject: SUSE-CU-2026:167-1: Security update of suse/sle-micro/5.2/toolbox
Message-ID: <20260109135634.714DDFB9C@maintenance.suse.de>

SUSE Container Update Advisory: suse/sle-micro/5.2/toolbox
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2026:167-1
Container Tags : suse/sle-micro/5.2/toolbox:14.2 , suse/sle-micro/5.2/toolbox:14.2-7.11.223 , suse/sle-micro/5.2/toolbox:latest
Container Release : 7.11.223
Severity : moderate
Type : security
References : 1256105 CVE-2025-14017
-----------------------------------------------------------------

The container suse/sle-micro/5.2/toolbox was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:78-1
Released: Fri Jan 9 08:07:06 2026
Summary: Security update for curl
Type: security
Severity: moderate
References: 1256105,CVE-2025-14017

This update for curl fixes the following issues:

- CVE-2025-14017: Fixed broken TLS options for threaded LDAPS (bsc#1256105).
The following package changes have been done:

- curl-8.14.1-150200.4.100.1 updated
- libcurl4-8.14.1-150200.4.100.1 updated

From sle-container-updates at lists.suse.com Mon Jan 12 08:04:08 2026
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Mon, 12 Jan 2026 09:04:08 +0100 (CET)
Subject: SUSE-IU-2026:55-1: Security update of suse/sl-micro/6.2/baremetal-os-container
Message-ID: <20260112080408.2484FFB9C@maintenance.suse.de>

SUSE Image Update Advisory: suse/sl-micro/6.2/baremetal-os-container
-----------------------------------------------------------------
Image Advisory ID : SUSE-IU-2026:55-1
Image Tags : suse/sl-micro/6.2/baremetal-os-container:2.3.0 , suse/sl-micro/6.2/baremetal-os-container:2.3.0-7.3 , suse/sl-micro/6.2/baremetal-os-container:latest
Image Release : 7.3
Severity : moderate
Type : security
References : 1233421 CVE-2024-52615
-----------------------------------------------------------------

The container suse/sl-micro/6.2/baremetal-os-container was updated.
The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: 127
Released: Sun Jan 11 17:54:00 2026
Summary: Security update for avahi
Type: security
Severity: moderate
References: 1233421,CVE-2024-52615

This update for avahi fixes the following issues:

- CVE-2024-52615: Fixed DNS spoofing (bsc#1233421)

The following package changes have been done:

- libavahi-common3-0.8-160000.3.1 updated
- libavahi-core7-0.8-160000.3.1 updated
- libavahi-client3-0.8-160000.3.1 updated
- avahi-0.8-160000.3.1 updated

From sle-container-updates at lists.suse.com Mon Jan 12 08:15:10 2026
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Mon, 12 Jan 2026 09:15:10 +0100 (CET)
Subject: SUSE-CU-2026:169-1: Security update of suse/git
Message-ID: <20260112081510.E4C6FFB9B@maintenance.suse.de>

SUSE Container Update Advisory: suse/git
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2026:169-1
Container Tags : suse/git:2 , suse/git:2.51 , suse/git:2.51.0 , suse/git:2.51.0-66.4 , suse/git:latest
Container Release : 66.4
Severity : moderate
Type : security
References : 1255731 1255732 1255733 1255734 CVE-2025-14524 CVE-2025-14819 CVE-2025-15079 CVE-2025-15224
-----------------------------------------------------------------

The container suse/git was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:52-1
Released: Wed Jan 7 10:28:34 2026
Summary: Security update for curl
Type: security
Severity: moderate
References: 1255731,1255732,1255733,1255734,CVE-2025-14524,CVE-2025-14819,CVE-2025-15079,CVE-2025-15224

This update for curl fixes the following issues:

- CVE-2025-14524: bearer token leak on cross-protocol redirect (bsc#1255731).
- CVE-2025-14819: libssh global knownhost override (bsc#1255732).
- CVE-2025-15079: libssh key passphrase bypass without agent set (bsc#1255733).
- CVE-2025-15224: OpenSSL partial chain store policy bypass (bsc#1255734).

The following package changes have been done:

- libcurl4-8.14.1-150700.7.8.1 updated
- container:suse-sle15-15.7-17d580e01de81ee10782633976ab6983923855d96e8b6342192d8486fa7933cf-0 updated
- container:registry.suse.com-bci-bci-micro-15.7-4ea6269b17048f73c022844251731ef4f640fdb9eb72a2ab53ec7f9413b89ee3-0 updated

From sle-container-updates at lists.suse.com Mon Jan 12 08:15:51 2026
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Mon, 12 Jan 2026 09:15:51 +0100 (CET)
Subject: SUSE-CU-2026:170-1: Security update of suse/nginx
Message-ID: <20260112081551.0D3A9FB9B@maintenance.suse.de>

SUSE Container Update Advisory: suse/nginx
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2026:170-1
Container Tags : suse/nginx:1.21 , suse/nginx:1.21-70.4 , suse/nginx:latest
Container Release : 70.4
Severity : moderate
Type : security
References : 1255731 1255732 1255733 1255734 CVE-2025-14524 CVE-2025-14819 CVE-2025-15079 CVE-2025-15224
-----------------------------------------------------------------

The container suse/nginx was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:52-1
Released: Wed Jan 7 10:28:34 2026
Summary: Security update for curl
Type: security
Severity: moderate
References: 1255731,1255732,1255733,1255734,CVE-2025-14524,CVE-2025-14819,CVE-2025-15079,CVE-2025-15224

This update for curl fixes the following issues:

- CVE-2025-14524: bearer token leak on cross-protocol redirect (bsc#1255731).
- CVE-2025-14819: libssh global knownhost override (bsc#1255732).
- CVE-2025-15079: libssh key passphrase bypass without agent set (bsc#1255733).
- CVE-2025-15224: OpenSSL partial chain store policy bypass (bsc#1255734).
The following package changes have been done:

- libcurl4-8.14.1-150700.7.8.1 updated
- curl-8.14.1-150700.7.8.1 updated
- container:suse-sle15-15.7-17d580e01de81ee10782633976ab6983923855d96e8b6342192d8486fa7933cf-0 updated
- container:registry.suse.com-bci-bci-micro-15.7-4ea6269b17048f73c022844251731ef4f640fdb9eb72a2ab53ec7f9413b89ee3-0 updated

From sle-container-updates at lists.suse.com Mon Jan 12 08:16:27 2026
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Mon, 12 Jan 2026 09:16:27 +0100 (CET)
Subject: SUSE-CU-2026:171-1: Security update of bci/php-apache
Message-ID: <20260112081627.7F8A6FB9B@maintenance.suse.de>

SUSE Container Update Advisory: bci/php-apache
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2026:171-1
Container Tags : bci/php-apache:8 , bci/php-apache:8.3.29 , bci/php-apache:8.3.29-18.5 , bci/php-apache:latest
Container Release : 18.5
Severity : moderate
Type : security
References : 1255710 1255711 1255712 CVE-2025-14177 CVE-2025-14178 CVE-2025-14180
-----------------------------------------------------------------

The container bci/php-apache was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:86-1
Released: Fri Jan 9 16:01:49 2026
Summary: Security update for php8
Type: security
Severity: moderate
References: 1255710,1255711,1255712,CVE-2025-14177,CVE-2025-14178,CVE-2025-14180

This update for php8 fixes the following issues:

Security fixes:

- CVE-2025-14177: getimagesize() function may leak uninitialized heap memory into the APPn segments when reading images in multi-chunk mode (bsc#1255710).
- CVE-2025-14178: heap buffer overflow occurs in array_merge() when the total element count of packed arrays exceeds 32-bit limits or HT_MAX_SIZE (bsc#1255711).
- CVE-2025-14180: null pointer dereference in pdo_parse_params() function when using the PDO PostgreSQL driver with PDO::ATTR_EMULATE_PREPARES enabled (bsc#1255712).

Other fixes:

Version 8.3.29

Core:
- Sync all boost.context files with release 1.86.0.
- Fixed bug GH-20435 (SensitiveParameter doesn't work for named argument passing to variadic parameter).
- Fixed bug GH-20286 (use-after-destroy during userland stream_close()).

Bz2:
- Fix assertion failures resulting in crashes with stream filter object parameters.

Date:
- Fix crashes when trying to instantiate uninstantiable classes via date static constructors.

DOM:
- Fix missing NUL byte check on C14NFile().

Fibers:
- Fixed bug GH-20483 (ASAN stack overflow with fiber.stack_size INI small value).

FTP:
- Fixed bug GH-20601 (ftp_connect overflow on timeout).

GD:
- Fixed bug GH-20511 (imagegammacorrect out of range input/output values).
- Fixed bug GH-20602 (imagescale overflow with large height values).

Intl:
- Fixed bug GH-20426 (Spoofchecker::setRestrictionLevel() error message suggests missing constants).

LibXML:
- Fix some deprecations on newer libxml versions regarding input buffer/parser handling.

MbString:
- Fixed bug GH-20491 (SLES15 compile error with mbstring oniguruma).
- Fixed bug GH-20492 (mbstring compile warning due to non-strings).

MySQLnd:
- Fixed bug GH-20528 (Regression breaks mysql connexion using an IPv6 address enclosed in square brackets).

Opcache:
- Fixed bug GH-20329 (opcache.file_cache broken with full interned string buffer).

PDO:
- Fixed GHSA-8xr5-qppj-gvwj (PDO quoting result null deref). (CVE-2025-14180)

Phar:
- Fixed bug GH-20442 (Phar does not respect case-insensitiveness of __halt_compiler() when reading stub).
- Fix broken return value of fflush() for phar file entries.
- Fix assertion failure when fseeking a phar file out of bounds.

PHPDBG:
- Fixed ZPP type violation in phpdbg_get_executable() and phpdbg_end_oplog().

SPL:
- Fixed bug GH-20614 (SplFixedArray incorrectly handles references in deserialization).
Standard:
- Fix memory leak in array_diff() with custom type checks.
- Fixed bug GH-20583 (Stack overflow in http_build_query via deep structures).
- Fixed GHSA-www2-q4fc-65wf (Null byte termination in dns_get_record()).
- Fixed GHSA-h96m-rvf9-jgm2 (Heap buffer overflow in array_merge()). (CVE-2025-14178)
- Fixed GHSA-3237-qqm7-mfv7 (Information Leak of Memory in getimagesize). (CVE-2025-14177)

Tidy:
- Fixed bug GH-20374 (PHP with tidy and custom-tags).

XML:
- Fixed bug GH-20439 (xml_set_default_handler() does not properly handle special characters in attributes when passing data to callback).

Zip:
- Fix crash in property existence test.
- Don't truncate return value of zip_fread() with user sizes.

Zlib:
- Fix assertion failures resulting in crashes with stream filter object parameters.

Version 8.3.28

Core:
- Fixed bug GH-19934 (CGI with auto_globals_jit=0 causes uouv).
- Fixed bug GH-20073 (Assertion failure in WeakMap offset operations on reference).
- Fixed bug GH-19844 (Don't bail when closing resources on shutdown).
- Fixed bug GH-20177 (Accessing overridden private property in get_object_vars() triggers assertion error).
- Fixed bug GH-20183 (Stale EG(opline_before_exception) pointer through eval).

DOM:
- Partially fixed bug GH-16317 (DOM classes do not allow __debugInfo() overrides to work).

Exif:
- Fix possible memory leak when tag is empty.

FPM:
- Fixed bug GH-19974 (fpm_status_export_to_zval segfault for parallel execution).

FTP:
- Fixed bug GH-20240 (FTP with SSL: ftp_fput(): Connection timed out on successful writes).

GD:
- Fixed bug GH-20070 (Return type violation in imagefilter when an invalid filter is provided).

Intl:
- Fix memory leak on error in locale_filter_matches().

LibXML:
- Fix not thread safe schema/relaxng calls.

MySQLnd:
- Fixed bug GH-8978 (SSL certificate verification fails (port doubled)).
- Fixed bug GH-20122 (getColumnMeta() for JSON-column in MySQL).

Opcache:
- Fixed bug GH-20081 (access to uninitialized vars in preload_load()).
- Fixed bug GH-20121 (JIT broken in ZTS builds on MacOS 15).

PgSql:
- Fix memory leak when first string conversion fails.
- Fix segfaults when attempting to fetch row into a non-instantiable class name.

Phar:
- Fix memory leak of argument in webPhar.
- Fix memory leak when setAlias() fails.
- Fix a bunch of memory leaks in phar_parse_zipfile() error handling.
- Fix file descriptor/memory leak when opening central fp fails.
- Fix memleak+UAF when opening temp stream in buildFromDirectory() fails.
- Fix potential buffer length truncation due to usage of type int instead of type size_t.
- Fix memory leak when openssl polyfill returns garbage.
- Fix file descriptor leak in phar_zip_flush() on failure.
- Fix memory leak when opening temp file fails while trying to open gzip-compressed archive.
- Fixed bug GH-20302 (Freeing a phar alias may invalidate PharFileInfo objects).

Random:
- Fix Randomizer::__serialize() w.r.t. INDIRECTs.

SimpleXML:
- Partially fixed bug GH-16317 (SimpleXML does not allow __debugInfo() overrides to work).

Standard:
- Fix shm corruption with coercion in options of unserialize().

Streams:
- Fixed bug GH-19798: XP_SOCKET XP_SSL (Socket stream modules): Incorrect condition for Win32/Win64.

Tidy:
- Fixed GH-19021 (improved tidyOptGetCategory detection).
- Fix UAF in tidy when tidySetErrorBuffer() fails.

XMLReader:
- Fix arginfo/zpp violations when LIBXML_SCHEMAS_ENABLED is not available.

Windows:
- Fix GH-19722 (_get_osfhandle asserts in debug mode when given a socket).

Zip:
- Fix memory leak when passing enc_method/enc_password is passed as option for ZipArchive::addGlob()/addPattern() and with consecutive calls.

Version 8.3.27

Core:
- Fixed bug GH-19765 (object_properties_load() bypasses readonly property checks).
- Fixed hard_timeout with --enable-zend-max-execution-timers.
- Fixed bug GH-19792 (SCCP causes UAF for return value if both warning and exception are triggered).
- Fixed bug GH-19653 (Closure named argument unpacking between temporary closures can cause a crash).
- Fixed bug GH-19839 (Incorrect HASH_FLAG_HAS_EMPTY_IND flag on userland array).
- Fixed bug GH-19480 (error_log php.ini cannot be unset when open_basedir is configured).
- Fixed bug GH-20002 (Broken build on *BSD with MSAN).

CLI:
- Fix useless 'Failed to poll event' error logs due to EAGAIN in CLI server with PHP_CLI_SERVER_WORKERS.

Curl:
- Fix cloning of CURLOPT_POSTFIELDS when using the clone operator instead of the curl_copy_handle() function to clone a CurlHandle.
- Fix curl build and test failures with version 8.16.

Date:
- Fixed GH-17159: 'P' format for ::createFromFormat swallows string literals.

DBA:
- Fixed GH-19885 (dba_fetch() overflow on skip argument).

GD:
- Fixed GH-19955 (imagefttext() memory leak).

MySQLnd:
- Fixed bug #67563 (mysqli compiled with mysqlnd does not take ipv6 address as parameter).

Phar:
- Fix memory leak and invalid continuation after tar header writing fails.
- Fix memory leaks when creating temp file fails when applying zip signature.

SimpleXML:
- Fixed bug GH-19988 (zend_string_init with NULL pointer in simplexml (UB)).

Soap:
- Fixed bug GH-19784 (SoapServer memory leak).
- Fixed bug GH-20011 (Array of SoapVar of unknown type causes crash).

Standard:
- Fixed bug GH-12265 (Cloning an object breaks serialization recursion).
- Fixed bug GH-19701 (Serialize/deserialize loses some data).
- Fixed bug GH-19801 (leaks in var_dump() and debug_zval_dump()).
- Fixed bug GH-20043 (array_unique assertion failure with RC1 array causing an exception on sort).
- Fixed bug GH-19926 (reset internal pointer earlier while splicing array while COW violation flag is still set).
- Fixed bug GH-19570 (unable to fseek in /dev/zero and /dev/null).

Streams:
- Fixed bug GH-19248 (Use strerror_r instead of strerror in main).
- Fixed bug GH-17345 (Bug #35916 was not completely fixed).
- Fixed bug GH-19705 (segmentation when attempting to flush on non seekable stream).

XMLReader:
- Fixed bug GH-20009 (XMLReader leak on RelaxNG schema failure).

Zip:
- Fixed bug GH-19688 (Remove pattern overflow in zip addGlob()).
- Fixed bug GH-19932 (Memory leak in zip setEncryptionName()/setEncryptionIndex()).

Zlib:
- Fixed bug GH-19922 (Double free on gzopen).

Version 8.3.26

Core:
- Fixed bug GH-18850 (Repeated inclusion of file with __halt_compiler() triggers 'Constant already defined' warning).
- Partially fixed bug GH-19542 (Scanning of string literals >=2GB will fail due to signed int overflow).
- Fixed bug GH-19544 (GC treats ZEND_WEAKREF_TAG_MAP references as WeakMap references).
- Fixed bug GH-19613 (Stale array iterator pointer).
- Fixed bug GH-19679 (zend_ssa_range_widening may fail to converge).
- Fixed bug GH-19681 (PHP_EXPAND_PATH broken with bash 5.3.0).
- Fixed bug GH-19720 (Assertion failure when error handler throws when accessing a deprecated constant).

CLI:
- Fixed bug GH-19461 (Improve error message on listening error with IPv6 address).

Date:
- Fixed date_sunrise() and date_sunset() with partial-hour UTC offset.

DOM:
- Fixed bug GH-19612 (Mitigate libxml2 tree dictionary bug).

FPM:
- Fixed failed debug assertion when php_admin_value setting fails.

GD:
- Fixed bug GH-19579 (imagefilledellipse underflow on width argument).

Intl:
- Fixed bug GH-11952 (Fix locale strings canonicalization for IntlDateFormatter and NumberFormatter).

OpenSSL:
- Fixed bug GH-19245 (Success error message on TLS stream accept failure).

PGSQL:
- Fixed bug GH-19485 (potential use after free when using persistent pgsql connections).

Phar:
- Fixed memory leaks when verifying OpenSSL signature.
- Fix memory leak in phar tar temporary file error handling code.
- Fix metadata leak when phar convert logic fails.
- Fix memory leak on failure in phar_convert_to_other().
- Fixed bug GH-19752 (Phar decompression with invalid extension can cause UAF).

Standard:
- Fixed bug GH-16649 (UAF during array_splice).
- Fixed bug GH-19577 (Avoid integer overflow when using a small offset and PHP_INT_MAX with LimitIterator).

Streams:
- Remove incorrect call to zval_ptr_dtor() in user_wrapper_metadata().
- Fix OSS-Fuzz #385993744.
Tidy:
- Fixed GH-19021 build issue with libtidy in regard of tidyOptIsReadonly deprecation and TidyInternalCategory being available later than tidyOptGetCategory.

Zip:
- Fix memory leak in zip when encountering empty glob result.

Version 8.3.25

Core:
- Fixed GH-19169 build issue with C++17 and ZEND_STATIC_ASSERT macro.
- Fixed bug GH-18581 (Coerce numeric string keys from iterators when argument unpacking).
- Fixed OSS-Fuzz #434346548 (Failed assertion with throwing __toString in binary const expr).
- Fixed bug GH-19305 (Operands may be being released during comparison).
- Fixed bug GH-19303 (Unpacking empty packed array into uninitialized array causes assertion failure).
- Fixed bug GH-19306 (Generator can be resumed while fetching next value from delegated Generator).
- Fixed bug GH-19326 (Calling Generator::throw() on a running generator with a non-Generator delegate crashes).
- Fixed bug GH-18736 (Circumvented type check with return by ref + finally).
- Fixed zend call stack size for macOs/arm64.
- Fixed bug GH-19065 (Long match statement can segfault compiler during recursive SSA renaming).

Calendar:
- Fixed bug GH-19371 (integer overflow in calendar.c).

FTP:
- Fix theoretical issues with hrtime() not being available.

GD:
- Fix incorrect comparison with result of php_stream_can_cast().

Hash:
- Fix crash on clone failure.

Intl:
- Fixed GH-19261: msgfmt_parse_message leaks on message creation failure.
- Fix return value on failure for resourcebundle count handler.

LDAP:
- Fixed bug GH-18529 (additional inheriting of TLS int options).

LibXML:
- Fixed bug GH-19098 (libxml<2.13 segmentation fault caused by php_libxml_node_free).

MbString:
- Fixed bug GH-19397 (mb_list_encodings() can cause crashes on shutdown).

Opcache:
- Reset global pointers to prevent use-after-free in zend_jit_status().

OpenSSL:
- Fixed bug GH-18986 (OpenSSL backend: incorrect RAND_{load,write}_file() return value check).
- Fix error return check of EVP_CIPHER_CTX_ctrl().
- Fixed bug GH-19428 (openssl_pkey_derive segfaults for DH derive with low key_length param).

PDO Pgsql:
- Fixed dangling pointer access on _pdo_pgsql_trim_message helper.

Readline:
- Fixed bug GH-19250 and bug #51360 (Invalid conftest for rl_pending_input).

SOAP:
- Fixed bug GH-18640 (heap-use-after-free ext/soap/php_encoding.c:299:32 in soap_check_zval_ref).

Sockets:
- Fix some potential crashes on incorrect argument value.

Standard:
- Fixed OSS Fuzz #433303828 (Leak in failed unserialize() with opcache).
- Fix theoretical issues with hrtime() not being available.
- Fixed bug GH-19300 (Nested array_multisort invocation with error breaks).

Windows:
- Free opened_path when opened_path_len >= MAXPATHLEN.

Version 8.3.24

Calendar:
- Fixed jewishtojd overflow on year argument.

Core:
- Fixed bug GH-18833 (Use after free with weakmaps dependent on destruction order).
- Fix OSS-Fuzz #427814456.
- Fix OSS-Fuzz #428983568 and #428760800.
- Fixed bug GH-17204 -Wuseless-escape warnings emitted by re2c.

Curl:
- Fix memory leaks when returning refcounted value from curl callback.
- Remove incorrect string release.

LDAP:
- Fixed GH-18902 ldap_exop/ldap_exop_sync assert triggered on empty request OID.

MbString:
- Fixed bug GH-18901 (integer overflow mb_split).

OCI8:
- Fixed bug GH-18873 (OCI_RETURN_LOBS flag causes oci8 to leak memory).

Opcache:
- Fixed bug GH-18639 (Internal class aliases can break preloading + JIT).
- Fixed bug GH-14082 (Segmentation fault on unknown address 0x600000000018 in ext/opcache/jit/zend_jit.c).

OpenSSL:
- Fixed bug #80770 (It is not possible to get client peer certificate with stream_socket_server).

PCNTL:
- Fixed bug GH-18958 (Fatal error during shutdown after pcntl_rfork() or pcntl_forkx() with zend-max-execution-timers).

Phar:
- Fix stream double free in phar.
- Fix phar crash and file corruption with SplFileObject.

SOAP:
- Fixed bug GH-18990, bug #81029, bug #47314 (SOAP HTTP socket not closing on object destruction).
- Fix memory leak when URL parsing fails in redirect.
SPL:
- Fixed bug GH-19094 (Attaching class with no Iterator implementation to MultipleIterator causes crash).

Standard:
- Fix misleading errors in printf().
- Fix RCN violations in array functions.
- Fixed GH-18976 pack() overflow with h/H format and INT_MAX repeater value.

Streams:
- Fixed GH-13264 (fgets() and stream_get_line() do not return false on filter fatal error).

Zip:
- Fix leak when path is too long in ZipArchive::extractTo().

The following package changes have been done:

- php8-cli-8.3.29-150700.3.9.1 updated
- php8-8.3.29-150700.3.9.1 updated
- apache2-mod_php8-8.3.29-150700.3.9.1 updated
- php8-openssl-8.3.29-150700.3.9.1 updated
- php8-mbstring-8.3.29-150700.3.9.1 updated
- php8-zlib-8.3.29-150700.3.9.1 updated
- php8-zip-8.3.29-150700.3.9.1 updated
- php8-curl-8.3.29-150700.3.9.1 updated
- php8-phar-8.3.29-150700.3.9.1 updated

From sle-container-updates at lists.suse.com Mon Jan 12 08:16:59 2026
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Mon, 12 Jan 2026 09:16:59 +0100 (CET)
Subject: SUSE-CU-2026:172-1: Security update of bci/php-fpm
Message-ID: <20260112081659.7CCEAFB9B@maintenance.suse.de>

SUSE Container Update Advisory: bci/php-fpm
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2026:172-1
Container Tags : bci/php-fpm:8 , bci/php-fpm:8.3.29 , bci/php-fpm:8.3.29-18.5 , bci/php-fpm:latest
Container Release : 18.5
Severity : moderate
Type : security
References : 1255710 1255711 1255712 CVE-2025-14177 CVE-2025-14178 CVE-2025-14180
-----------------------------------------------------------------

The container bci/php-fpm was updated.
The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:86-1
Released: Fri Jan 9 16:01:49 2026
Summary: Security update for php8
Type: security
Severity: moderate
References: 1255710,1255711,1255712,CVE-2025-14177,CVE-2025-14178,CVE-2025-14180

This update for php8 fixes the following issues:

Security fixes:

- CVE-2025-14177: getimagesize() function may leak uninitialized heap memory into the APPn segments when reading images in multi-chunk mode (bsc#1255710).
- CVE-2025-14178: heap buffer overflow occurs in array_merge() when the total element count of packed arrays exceeds 32-bit limits or HT_MAX_SIZE (bsc#1255711).
- CVE-2025-14180: null pointer dereference in pdo_parse_params() function when using the PDO PostgreSQL driver with PDO::ATTR_EMULATE_PREPARES enabled (bsc#1255712).

Other fixes:

Version 8.3.29

Core:
- Sync all boost.context files with release 1.86.0.
- Fixed bug GH-20435 (SensitiveParameter doesn't work for named argument passing to variadic parameter).
- Fixed bug GH-20286 (use-after-destroy during userland stream_close()).

Bz2:
- Fix assertion failures resulting in crashes with stream filter object parameters.

Date:
- Fix crashes when trying to instantiate uninstantiable classes via date static constructors.

DOM:
- Fix missing NUL byte check on C14NFile().

Fibers:
- Fixed bug GH-20483 (ASAN stack overflow with fiber.stack_size INI small value).

FTP:
- Fixed bug GH-20601 (ftp_connect overflow on timeout).

GD:
- Fixed bug GH-20511 (imagegammacorrect out of range input/output values).
- Fixed bug GH-20602 (imagescale overflow with large height values).

Intl:
- Fixed bug GH-20426 (Spoofchecker::setRestrictionLevel() error message suggests missing constants).

LibXML:
- Fix some deprecations on newer libxml versions regarding input buffer/parser handling.

MbString:
- Fixed bug GH-20491 (SLES15 compile error with mbstring oniguruma).
- Fixed bug GH-20492 (mbstring compile warning due to non-strings).

MySQLnd:
- Fixed bug GH-20528 (Regression breaks mysql connexion using an IPv6 address enclosed in square brackets).

Opcache:
- Fixed bug GH-20329 (opcache.file_cache broken with full interned string buffer).

PDO:
- Fixed GHSA-8xr5-qppj-gvwj (PDO quoting result null deref). (CVE-2025-14180)

Phar:
- Fixed bug GH-20442 (Phar does not respect case-insensitiveness of __halt_compiler() when reading stub).
- Fix broken return value of fflush() for phar file entries.
- Fix assertion failure when fseeking a phar file out of bounds.

PHPDBG:
- Fixed ZPP type violation in phpdbg_get_executable() and phpdbg_end_oplog().

SPL:
- Fixed bug GH-20614 (SplFixedArray incorrectly handles references in deserialization).

Standard:
- Fix memory leak in array_diff() with custom type checks.
- Fixed bug GH-20583 (Stack overflow in http_build_query via deep structures).
- Fixed GHSA-www2-q4fc-65wf (Null byte termination in dns_get_record()).
- Fixed GHSA-h96m-rvf9-jgm2 (Heap buffer overflow in array_merge()). (CVE-2025-14178)
- Fixed GHSA-3237-qqm7-mfv7 (Information Leak of Memory in getimagesize). (CVE-2025-14177)

Tidy:
- Fixed bug GH-20374 (PHP with tidy and custom-tags).

XML:
- Fixed bug GH-20439 (xml_set_default_handler() does not properly handle special characters in attributes when passing data to callback).

Zip:
- Fix crash in property existence test.
- Don't truncate return value of zip_fread() with user sizes.

Zlib:
- Fix assertion failures resulting in crashes with stream filter object parameters.

Version 8.3.28

Core:
- Fixed bug GH-19934 (CGI with auto_globals_jit=0 causes uouv).
- Fixed bug GH-20073 (Assertion failure in WeakMap offset operations on reference).
- Fixed bug GH-19844 (Don't bail when closing resources on shutdown).
- Fixed bug GH-20177 (Accessing overridden private property in get_object_vars() triggers assertion error).
- Fixed bug GH-20183 (Stale EG(opline_before_exception) pointer through eval).
DOM:
- Partially fixed bug GH-16317 (DOM classes do not allow __debugInfo() overrides to work).

Exif:
- Fix possible memory leak when tag is empty.

FPM:
- Fixed bug GH-19974 (fpm_status_export_to_zval segfault for parallel execution).

FTP:
- Fixed bug GH-20240 (FTP with SSL: ftp_fput(): Connection timed out on successful writes).

GD:
- Fixed bug GH-20070 (Return type violation in imagefilter when an invalid filter is provided).

Intl:
- Fix memory leak on error in locale_filter_matches().

LibXML:
- Fix not thread safe schema/relaxng calls.

MySQLnd:
- Fixed bug GH-8978 (SSL certificate verification fails (port doubled)).
- Fixed bug GH-20122 (getColumnMeta() for JSON-column in MySQL).

Opcache:
- Fixed bug GH-20081 (access to uninitialized vars in preload_load()).
- Fixed bug GH-20121 (JIT broken in ZTS builds on MacOS 15).

PgSql:
- Fix memory leak when first string conversion fails.
- Fix segfaults when attempting to fetch row into a non-instantiable class name.

Phar:
- Fix memory leak of argument in webPhar.
- Fix memory leak when setAlias() fails.
- Fix a bunch of memory leaks in phar_parse_zipfile() error handling.
- Fix file descriptor/memory leak when opening central fp fails.
- Fix memleak+UAF when opening temp stream in buildFromDirectory() fails.
- Fix potential buffer length truncation due to usage of type int instead of type size_t.
- Fix memory leak when openssl polyfill returns garbage.
- Fix file descriptor leak in phar_zip_flush() on failure.
- Fix memory leak when opening temp file fails while trying to open gzip-compressed archive.
- Fixed bug GH-20302 (Freeing a phar alias may invalidate PharFileInfo objects).

Random:
- Fix Randomizer::__serialize() w.r.t. INDIRECTs.

SimpleXML:
- Partially fixed bug GH-16317 (SimpleXML does not allow __debugInfo() overrides to work).

Standard:
- Fix shm corruption with coercion in options of unserialize().

Streams:
- Fixed bug GH-19798: XP_SOCKET XP_SSL (Socket stream modules): Incorrect condition for Win32/Win64.
Tidy:
- Fixed GH-19021 (improved tidyOptGetCategory detection).
- Fix UAF in tidy when tidySetErrorBuffer() fails.

XMLReader:
- Fix arginfo/zpp violations when LIBXML_SCHEMAS_ENABLED is not available.

Windows:
- Fix GH-19722 (_get_osfhandle asserts in debug mode when given a socket).

Zip:
- Fix memory leak when passing enc_method/enc_password is passed as option for ZipArchive::addGlob()/addPattern() and with consecutive calls.

Version 8.3.27

Core:
- Fixed bug GH-19765 (object_properties_load() bypasses readonly property checks).
- Fixed hard_timeout with --enable-zend-max-execution-timers.
- Fixed bug GH-19792 (SCCP causes UAF for return value if both warning and exception are triggered).
- Fixed bug GH-19653 (Closure named argument unpacking between temporary closures can cause a crash).
- Fixed bug GH-19839 (Incorrect HASH_FLAG_HAS_EMPTY_IND flag on userland array).
- Fixed bug GH-19480 (error_log php.ini cannot be unset when open_basedir is configured).
- Fixed bug GH-20002 (Broken build on *BSD with MSAN).

CLI:
- Fix useless 'Failed to poll event' error logs due to EAGAIN in CLI server with PHP_CLI_SERVER_WORKERS.

Curl:
- Fix cloning of CURLOPT_POSTFIELDS when using the clone operator instead of the curl_copy_handle() function to clone a CurlHandle.
- Fix curl build and test failures with version 8.16.

Date:
- Fixed GH-17159: 'P' format for ::createFromFormat swallows string literals.

DBA:
- Fixed GH-19885 (dba_fetch() overflow on skip argument).

GD:
- Fixed GH-19955 (imagefttext() memory leak).

MySQLnd:
- Fixed bug #67563 (mysqli compiled with mysqlnd does not take ipv6 address as parameter).

Phar:
- Fix memory leak and invalid continuation after tar header writing fails.
- Fix memory leaks when creating temp file fails when applying zip signature.

SimpleXML:
- Fixed bug GH-19988 (zend_string_init with NULL pointer in simplexml (UB)).

Soap:
- Fixed bug GH-19784 (SoapServer memory leak).
- Fixed bug GH-20011 (Array of SoapVar of unknown type causes crash).
Standard: Fixed bug GH-12265 (Cloning an object breaks serialization recursion). Fixed bug GH-19701 (Serialize/deserialize loses some data). Fixed bug GH-19801 (leaks in var_dump() and debug_zval_dump()). Fixed bug GH-20043 (array_unique assertion failure with RC1 array causing an exception on sort). Fixed bug GH-19926 (reset internal pointer earlier while splicing array while COW violation flag is still set). Fixed bug GH-19570 (unable to fseek in /dev/zero and /dev/null). Streams: Fixed bug GH-19248 (Use strerror_r instead of strerror in main). Fixed bug GH-17345 (Bug #35916 was not completely fixed). Fixed bug GH-19705 (segmentation when attempting to flush on non seekable stream. XMLReader: Fixed bug GH-20009 (XMLReader leak on RelaxNG schema failure). Zip: Fixed bug GH-19688 (Remove pattern overflow in zip addGlob()). Fixed bug GH-19932 (Memory leak in zip setEncryptionName()/setEncryptionIndex()). Zlib: Fixed bug GH-19922 (Double free on gzopen). Version 8.3.26 Core: Fixed bug GH-18850 (Repeated inclusion of file with __halt_compiler() triggers 'Constant already defined' warning). Partially fixed bug GH-19542 (Scanning of string literals >=2GB will fail due to signed int overflow). Fixed bug GH-19544 (GC treats ZEND_WEAKREF_TAG_MAP references as WeakMap references). Fixed bug GH-19613 (Stale array iterator pointer). Fixed bug GH-19679 (zend_ssa_range_widening may fail to converge). Fixed bug GH-19681 (PHP_EXPAND_PATH broken with bash 5.3.0). Fixed bug GH-19720 (Assertion failure when error handler throws when accessing a deprecated constant). CLI: Fixed bug GH-19461 (Improve error message on listening error with IPv6 address). Date: Fixed date_sunrise() and date_sunset() with partial-hour UTC offset. DOM: Fixed bug GH-19612 (Mitigate libxml2 tree dictionary bug). FPM: Fixed failed debug assertion when php_admin_value setting fails. GD: Fixed bug GH-19579 (imagefilledellipse underflow on width argument). 
Intl: Fixed bug GH-11952 (Fix locale strings canonicalization for IntlDateFormatter and NumberFormatter). OpenSSL: Fixed bug GH-19245 (Success error message on TLS stream accept failure). PGSQL: Fixed bug GH-19485 (potential use after free when using persistent pgsql connections). Phar: Fixed memory leaks when verifying OpenSSL signature. Fix memory leak in phar tar temporary file error handling code. Fix metadata leak when phar convert logic fails. Fix memory leak on failure in phar_convert_to_other(). Fixed bug GH-19752 (Phar decompression with invalid extension can cause UAF). Standard: Fixed bug GH-16649 (UAF during array_splice). Fixed bug GH-19577 (Avoid integer overflow when using a small offset and PHP_INT_MAX with LimitIterator). Streams: Remove incorrect call to zval_ptr_dtor() in user_wrapper_metadata(). Fix OSS-Fuzz #385993744. Tidy: Fixed GH-19021 build issue with libtidy in regard of tidyOptIsReadonly deprecation and TidyInternalCategory being available later than tidyOptGetCategory. Zip: Fix memory leak in zip when encountering empty glob result. Version 8.3.25 Core: Fixed GH-19169 build issue with C++17 and ZEND_STATIC_ASSERT macro. Fixed bug GH-18581 (Coerce numeric string keys from iterators when argument unpacking). Fixed OSS-Fuzz #434346548 (Failed assertion with throwing __toString in binary const expr). Fixed bug GH-19305 (Operands may be being released during comparison). Fixed bug GH-19303 (Unpacking empty packed array into uninitialized array causes assertion failure). Fixed bug GH-19306 (Generator can be resumed while fetching next value from delegated Generator). Fixed bug GH-19326 (Calling Generator::throw() on a running generator with a non-Generator delegate crashes). Fixed bug GH-18736 (Circumvented type check with return by ref + finally). Fixed zend call stack size for macOs/arm64. Fixed bug GH-19065 (Long match statement can segfault compiler during recursive SSA renaming). 
Calendar: Fixed bug GH-19371 (integer overflow in calendar.c). FTP: Fix theoretical issues with hrtime() not being available. GD: Fix incorrect comparison with result of php_stream_can_cast(). Hash: Fix crash on clone failure. Intl: Fixed GH-19261: msgfmt_parse_message leaks on message creation failure. Fix return value on failure for resourcebundle count handler. LDAP: Fixed bug GH-18529 (additional inheriting of TLS int options). LibXML: Fixed bug GH-19098 (libxml<2.13 segmentation fault caused by php_libxml_node_free). MbString: Fixed bug GH-19397 (mb_list_encodings() can cause crashes on shutdown). Opcache: Reset global pointers to prevent use-after-free in zend_jit_status(). OpenSSL: Fixed bug GH-18986 (OpenSSL backend: incorrect RAND_{load,write}_file() return value check). Fix error return check of EVP_CIPHER_CTX_ctrl(). Fixed bug GH-19428 (openssl_pkey_derive segfaults for DH derive with low key_length param). PDO Pgsql: Fixed dangling pointer access on _pdo_pgsql_trim_message helper. Readline: Fixed bug GH-19250 and bug #51360 (Invalid conftest for rl_pending_input). SOAP: Fixed bug GH-18640 (heap-use-after-free ext/soap/php_encoding.c:299:32 in soap_check_zval_ref). Sockets: Fix some potential crashes on incorrect argument value. Standard: Fixed OSS Fuzz #433303828 (Leak in failed unserialize() with opcache). Fix theoretical issues with hrtime() not being available. Fixed bug GH-19300 (Nested array_multisort invocation with error breaks). Windows: Free opened_path when opened_path_len >= MAXPATHLEN. Version 8.3.24 Calendar: Fixed jewishtojd overflow on year argument. Core: Fixed bug GH-18833 (Use after free with weakmaps dependent on destruction order). Fix OSS-Fuzz #427814456. Fix OSS-Fuzz #428983568 and #428760800. Fixed bug GH-17204 -Wuseless-escape warnings emitted by re2c. Curl: Fix memory leaks when returning refcounted value from curl callback. Remove incorrect string release. 
LDAP: Fixed GH-18902 ldap_exop/ldap_exop_sync assert triggered on empty request OID. MbString: Fixed bug GH-18901 (integer overflow mb_split). OCI8: Fixed bug GH-18873 (OCI_RETURN_LOBS flag causes oci8 to leak memory). Opcache: Fixed bug GH-18639 (Internal class aliases can break preloading + JIT). Fixed bug GH-14082 (Segmentation fault on unknown address 0x600000000018 in ext/opcache/jit/zend_jit.c). OpenSSL: Fixed bug #80770 (It is not possible to get client peer certificate with stream_socket_server). PCNTL: Fixed bug GH-18958 (Fatal error during shutdown after pcntl_rfork() or pcntl_forkx() with zend-max-execution-timers). Phar: Fix stream double free in phar. Fix phar crash and file corruption with SplFileObject. SOAP: Fixed bug GH-18990, bug #81029, bug #47314 (SOAP HTTP socket not closing on object destruction). Fix memory leak when URL parsing fails in redirect. SPL: Fixed bug GH-19094 (Attaching class with no Iterator implementation to MultipleIterator causes crash). Standard: Fix misleading errors in printf(). Fix RCN violations in array functions. Fixed GH-18976 pack() overflow with h/H format and INT_MAX repeater value. Streams: Fixed GH-13264 (fgets() and stream_get_line() do not return false on filter fatal error). Zip: Fix leak when path is too long in ZipArchive::extractTo(). 
The following package changes have been done: - php8-cli-8.3.29-150700.3.9.1 updated - php8-8.3.29-150700.3.9.1 updated - php8-fpm-8.3.29-150700.3.9.1 updated - php8-openssl-8.3.29-150700.3.9.1 updated - php8-mbstring-8.3.29-150700.3.9.1 updated - php8-zlib-8.3.29-150700.3.9.1 updated - php8-zip-8.3.29-150700.3.9.1 updated - php8-curl-8.3.29-150700.3.9.1 updated - php8-phar-8.3.29-150700.3.9.1 updated From sle-container-updates at lists.suse.com Mon Jan 12 08:17:28 2026 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Mon, 12 Jan 2026 09:17:28 +0100 (CET) Subject: SUSE-CU-2026:173-1: Security update of bci/php Message-ID: <20260112081728.A4E2AFB9B@maintenance.suse.de> SUSE Container Update Advisory: bci/php ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2026:173-1 Container Tags : bci/php:8 , bci/php:8.3.29 , bci/php:8.3.29-18.5 , bci/php:latest Container Release : 18.5 Severity : moderate Type : security References : 1255710 1255711 1255712 CVE-2025-14177 CVE-2025-14178 CVE-2025-14180 ----------------------------------------------------------------- The container bci/php was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2026:86-1 Released: Fri Jan 9 16:01:49 2026 Summary: Security update for php8 Type: security Severity: moderate References: 1255710,1255711,1255712,CVE-2025-14177,CVE-2025-14178,CVE-2025-14180 This update for php8 fixes the following issues: Security fixes: - CVE-2025-14177: getimagesize() function may leak uninitialized heap memory into the APPn segments when reading images in multi-chunk mode (bsc#1255710). - CVE-2025-14178: heap buffer overflow occurs in array_merge() when the total element count of packed arrays exceeds 32-bit limits or HT_MAX_SIZE (bsc#1255711). 
- CVE-2025-14180: null pointer dereference in pdo_parse_params() function when using the PDO PostgreSQL driver with PDO::ATTR_EMULATE_PREPARES enabled (bsc#1255712). Other fixes: Version 8.3.29 Core: Sync all boost.context files with release 1.86.0. Fixed bug GH-20435 (SensitiveParameter doesn't work for named argument passing to variadic parameter). Fixed bug GH-20286 (use-after-destroy during userland stream_close()). Bz2: Fix assertion failures resulting in crashes with stream filter object parameters. Date: Fix crashes when trying to instantiate uninstantiable classes via date static constructors. DOM: Fix missing NUL byte check on C14NFile(). Fibers: Fixed bug GH-20483 (ASAN stack overflow with fiber.stack_size INI small value). FTP: Fixed bug GH-20601 (ftp_connect overflow on timeout). GD: Fixed bug GH-20511 (imagegammacorrect out of range input/output values). Fixed bug GH-20602 (imagescale overflow with large height values). Intl: Fixed bug GH-20426 (Spoofchecker::setRestrictionLevel() error message suggests missing constants). LibXML: Fix some deprecations on newer libxml versions regarding input buffer/parser handling. MbString: Fixed bug GH-20491 (SLES15 compile error with mbstring oniguruma). Fixed bug GH-20492 (mbstring compile warning due to non-strings). MySQLnd: Fixed bug GH-20528 (Regression breaks mysql connexion using an IPv6 address enclosed in square brackets). Opcache: Fixed bug GH-20329 (opcache.file_cache broken with full interned string buffer). PDO: Fixed GHSA-8xr5-qppj-gvwj (PDO quoting result null deref). (CVE-2025-14180) Phar: Fixed bug GH-20442 (Phar does not respect case-insensitiveness of __halt_compiler() when reading stub). Fix broken return value of fflush() for phar file entries. Fix assertion failure when fseeking a phar file out of bounds. PHPDBG: Fixed ZPP type violation in phpdbg_get_executable() and phpdbg_end_oplog(). SPL: Fixed bug GH-20614 (SplFixedArray incorrectly handles references in deserialization). 
Standard: Fix memory leak in array_diff() with custom type checks. Fixed bug GH-20583 (Stack overflow in http_build_query via deep structures). Fixed GHSA-www2-q4fc-65wf (Null byte termination in dns_get_record()). Fixed GHSA-h96m-rvf9-jgm2 (Heap buffer overflow in array_merge()). (CVE-2025-14178) Fixed GHSA-3237-qqm7-mfv7 (Information Leak of Memory in getimagesize). (CVE-2025-14177) Tidy: Fixed bug GH-20374 (PHP with tidy and custom-tags). XML: Fixed bug GH-20439 (xml_set_default_handler() does not properly handle special characters in attributes when passing data to callback). Zip: Fix crash in property existence test. Don't truncate return value of zip_fread() with user sizes. Zlib: Fix assertion failures resulting in crashes with stream filter object parameters. Version 8.3.28 Core: Fixed bug GH-19934 (CGI with auto_globals_jit=0 causes uouv). Fixed bug GH-20073 (Assertion failure in WeakMap offset operations on reference). Fixed bug GH-19844 (Don't bail when closing resources on shutdown). Fixed bug GH-20177 (Accessing overridden private property in get_object_vars() triggers assertion error). Fixed bug GH-20183 (Stale EG(opline_before_exception) pointer through eval). DOM: Partially fixed bug GH-16317 (DOM classes do not allow __debugInfo() overrides to work). Exif: Fix possible memory leak when tag is empty. FPM: Fixed bug GH-19974 (fpm_status_export_to_zval segfault for parallel execution). FTP: Fixed bug GH-20240 (FTP with SSL: ftp_fput(): Connection timed out on successful writes). GD: Fixed bug GH-20070 (Return type violation in imagefilter when an invalid filter is provided). Intl: Fix memory leak on error in locale_filter_matches(). LibXML: Fix not thread safe schema/relaxng calls. MySQLnd: Fixed bug GH-8978 (SSL certificate verification fails (port doubled)). Fixed bug GH-20122 (getColumnMeta() for JSON-column in MySQL). Opcache: Fixed bug GH-20081 (access to uninitialized vars in preload_load()). 
Fixed bug GH-20121 (JIT broken in ZTS builds on MacOS 15). PgSql: Fix memory leak when first string conversion fails. Fix segfaults when attempting to fetch row into a non-instantiable class name. Phar: Fix memory leak of argument in webPhar. Fix memory leak when setAlias() fails. Fix a bunch of memory leaks in phar_parse_zipfile() error handling. Fix file descriptor/memory leak when opening central fp fails. Fix memleak+UAF when opening temp stream in buildFromDirectory() fails. Fix potential buffer length truncation due to usage of type int instead of type size_t. Fix memory leak when openssl polyfill returns garbage. Fix file descriptor leak in phar_zip_flush() on failure. Fix memory leak when opening temp file fails while trying to open gzip-compressed archive. Fixed bug GH-20302 (Freeing a phar alias may invalidate PharFileInfo objects). Random: Fix Randomizer::__serialize() w.r.t. INDIRECTs. SimpleXML: Partially fixed bug GH-16317 (SimpleXML does not allow __debugInfo() overrides to work). Standard: Fix shm corruption with coercion in options of unserialize(). Streams: Fixed bug GH-19798: XP_SOCKET XP_SSL (Socket stream modules): Incorrect condition for Win32/Win64. Tidy: Fixed GH-19021 (improved tidyOptGetCategory detection). Fix UAF in tidy when tidySetErrorBuffer() fails. XMLReader: Fix arginfo/zpp violations when LIBXML_SCHEMAS_ENABLED is not available. Windows: Fix GH-19722 (_get_osfhandle asserts in debug mode when given a socket). Zip: Fix memory leak when passing enc_method/enc_password is passed as option for ZipArchive::addGlob()/addPattern() and with consecutive calls. Version 8.3.27 Core: Fixed bug GH-19765 (object_properties_load() bypasses readonly property checks). Fixed hard_timeout with --enable-zend-max-execution-timers. Fixed bug GH-19792 (SCCP causes UAF for return value if both warning and exception are triggered). Fixed bug GH-19653 (Closure named argument unpacking between temporary closures can cause a crash). 
Fixed bug GH-19839 (Incorrect HASH_FLAG_HAS_EMPTY_IND flag on userland array). Fixed bug GH-19480 (error_log php.ini cannot be unset when open_basedir is configured). Fixed bug GH-20002 (Broken build on *BSD with MSAN). CLI: Fix useless 'Failed to poll event' error logs due to EAGAIN in CLI server with PHP_CLI_SERVER_WORKERS. Curl: Fix cloning of CURLOPT_POSTFIELDS when using the clone operator instead of the curl_copy_handle() function to clone a CurlHandle. Fix curl build and test failures with version 8.16. Date: Fixed GH-17159: 'P' format for ::createFromFormat swallows string literals. DBA: Fixed GH-19885 (dba_fetch() overflow on skip argument). GD: Fixed GH-19955 (imagefttext() memory leak). MySQLnd: Fixed bug #67563 (mysqli compiled with mysqlnd does not take ipv6 adress as parameter). Phar: Fix memory leak and invalid continuation after tar header writing fails. Fix memory leaks when creating temp file fails when applying zip signature. SimpleXML: Fixed bug GH-19988 (zend_string_init with NULL pointer in simplexml (UB)). Soap: Fixed bug GH-19784 (SoapServer memory leak). Fixed bug GH-20011 (Array of SoapVar of unknown type causes crash). Standard: Fixed bug GH-12265 (Cloning an object breaks serialization recursion). Fixed bug GH-19701 (Serialize/deserialize loses some data). Fixed bug GH-19801 (leaks in var_dump() and debug_zval_dump()). Fixed bug GH-20043 (array_unique assertion failure with RC1 array causing an exception on sort). Fixed bug GH-19926 (reset internal pointer earlier while splicing array while COW violation flag is still set). Fixed bug GH-19570 (unable to fseek in /dev/zero and /dev/null). Streams: Fixed bug GH-19248 (Use strerror_r instead of strerror in main). Fixed bug GH-17345 (Bug #35916 was not completely fixed). Fixed bug GH-19705 (segmentation when attempting to flush on non seekable stream. XMLReader: Fixed bug GH-20009 (XMLReader leak on RelaxNG schema failure). Zip: Fixed bug GH-19688 (Remove pattern overflow in zip addGlob()). 
Fixed bug GH-19932 (Memory leak in zip setEncryptionName()/setEncryptionIndex()). Zlib: Fixed bug GH-19922 (Double free on gzopen). Version 8.3.26 Core: Fixed bug GH-18850 (Repeated inclusion of file with __halt_compiler() triggers 'Constant already defined' warning). Partially fixed bug GH-19542 (Scanning of string literals >=2GB will fail due to signed int overflow). Fixed bug GH-19544 (GC treats ZEND_WEAKREF_TAG_MAP references as WeakMap references). Fixed bug GH-19613 (Stale array iterator pointer). Fixed bug GH-19679 (zend_ssa_range_widening may fail to converge). Fixed bug GH-19681 (PHP_EXPAND_PATH broken with bash 5.3.0). Fixed bug GH-19720 (Assertion failure when error handler throws when accessing a deprecated constant). CLI: Fixed bug GH-19461 (Improve error message on listening error with IPv6 address). Date: Fixed date_sunrise() and date_sunset() with partial-hour UTC offset. DOM: Fixed bug GH-19612 (Mitigate libxml2 tree dictionary bug). FPM: Fixed failed debug assertion when php_admin_value setting fails. GD: Fixed bug GH-19579 (imagefilledellipse underflow on width argument). Intl: Fixed bug GH-11952 (Fix locale strings canonicalization for IntlDateFormatter and NumberFormatter). OpenSSL: Fixed bug GH-19245 (Success error message on TLS stream accept failure). PGSQL: Fixed bug GH-19485 (potential use after free when using persistent pgsql connections). Phar: Fixed memory leaks when verifying OpenSSL signature. Fix memory leak in phar tar temporary file error handling code. Fix metadata leak when phar convert logic fails. Fix memory leak on failure in phar_convert_to_other(). Fixed bug GH-19752 (Phar decompression with invalid extension can cause UAF). Standard: Fixed bug GH-16649 (UAF during array_splice). Fixed bug GH-19577 (Avoid integer overflow when using a small offset and PHP_INT_MAX with LimitIterator). Streams: Remove incorrect call to zval_ptr_dtor() in user_wrapper_metadata(). Fix OSS-Fuzz #385993744. 
Tidy: Fixed GH-19021 build issue with libtidy in regard of tidyOptIsReadonly deprecation and TidyInternalCategory being available later than tidyOptGetCategory. Zip: Fix memory leak in zip when encountering empty glob result. Version 8.3.25 Core: Fixed GH-19169 build issue with C++17 and ZEND_STATIC_ASSERT macro. Fixed bug GH-18581 (Coerce numeric string keys from iterators when argument unpacking). Fixed OSS-Fuzz #434346548 (Failed assertion with throwing __toString in binary const expr). Fixed bug GH-19305 (Operands may be being released during comparison). Fixed bug GH-19303 (Unpacking empty packed array into uninitialized array causes assertion failure). Fixed bug GH-19306 (Generator can be resumed while fetching next value from delegated Generator). Fixed bug GH-19326 (Calling Generator::throw() on a running generator with a non-Generator delegate crashes). Fixed bug GH-18736 (Circumvented type check with return by ref + finally). Fixed zend call stack size for macOs/arm64. Fixed bug GH-19065 (Long match statement can segfault compiler during recursive SSA renaming). Calendar: Fixed bug GH-19371 (integer overflow in calendar.c). FTP: Fix theoretical issues with hrtime() not being available. GD: Fix incorrect comparison with result of php_stream_can_cast(). Hash: Fix crash on clone failure. Intl: Fixed GH-19261: msgfmt_parse_message leaks on message creation failure. Fix return value on failure for resourcebundle count handler. LDAP: Fixed bug GH-18529 (additional inheriting of TLS int options). LibXML: Fixed bug GH-19098 (libxml<2.13 segmentation fault caused by php_libxml_node_free). MbString: Fixed bug GH-19397 (mb_list_encodings() can cause crashes on shutdown). Opcache: Reset global pointers to prevent use-after-free in zend_jit_status(). OpenSSL: Fixed bug GH-18986 (OpenSSL backend: incorrect RAND_{load,write}_file() return value check). Fix error return check of EVP_CIPHER_CTX_ctrl(). 
Fixed bug GH-19428 (openssl_pkey_derive segfaults for DH derive with low key_length param). PDO Pgsql: Fixed dangling pointer access on _pdo_pgsql_trim_message helper. Readline: Fixed bug GH-19250 and bug #51360 (Invalid conftest for rl_pending_input). SOAP: Fixed bug GH-18640 (heap-use-after-free ext/soap/php_encoding.c:299:32 in soap_check_zval_ref). Sockets: Fix some potential crashes on incorrect argument value. Standard: Fixed OSS Fuzz #433303828 (Leak in failed unserialize() with opcache). Fix theoretical issues with hrtime() not being available. Fixed bug GH-19300 (Nested array_multisort invocation with error breaks). Windows: Free opened_path when opened_path_len >= MAXPATHLEN. Version 8.3.24 Calendar: Fixed jewishtojd overflow on year argument. Core: Fixed bug GH-18833 (Use after free with weakmaps dependent on destruction order). Fix OSS-Fuzz #427814456. Fix OSS-Fuzz #428983568 and #428760800. Fixed bug GH-17204 -Wuseless-escape warnings emitted by re2c. Curl: Fix memory leaks when returning refcounted value from curl callback. Remove incorrect string release. LDAP: Fixed GH-18902 ldap_exop/ldap_exop_sync assert triggered on empty request OID. MbString: Fixed bug GH-18901 (integer overflow mb_split). OCI8: Fixed bug GH-18873 (OCI_RETURN_LOBS flag causes oci8 to leak memory). Opcache: Fixed bug GH-18639 (Internal class aliases can break preloading + JIT). Fixed bug GH-14082 (Segmentation fault on unknown address 0x600000000018 in ext/opcache/jit/zend_jit.c). OpenSSL: Fixed bug #80770 (It is not possible to get client peer certificate with stream_socket_server). PCNTL: Fixed bug GH-18958 (Fatal error during shutdown after pcntl_rfork() or pcntl_forkx() with zend-max-execution-timers). Phar: Fix stream double free in phar. Fix phar crash and file corruption with SplFileObject. SOAP: Fixed bug GH-18990, bug #81029, bug #47314 (SOAP HTTP socket not closing on object destruction). Fix memory leak when URL parsing fails in redirect. 
SPL: Fixed bug GH-19094 (Attaching class with no Iterator implementation to MultipleIterator causes crash). Standard: Fix misleading errors in printf(). Fix RCN violations in array functions. Fixed GH-18976 pack() overflow with h/H format and INT_MAX repeater value. Streams: Fixed GH-13264 (fgets() and stream_get_line() do not return false on filter fatal error). Zip: Fix leak when path is too long in ZipArchive::extractTo(). The following package changes have been done: - php8-cli-8.3.29-150700.3.9.1 updated - php8-8.3.29-150700.3.9.1 updated - php8-openssl-8.3.29-150700.3.9.1 updated - php8-mbstring-8.3.29-150700.3.9.1 updated - php8-zlib-8.3.29-150700.3.9.1 updated - php8-readline-8.3.29-150700.3.9.1 updated - php8-curl-8.3.29-150700.3.9.1 updated - php8-zip-8.3.29-150700.3.9.1 updated - php8-phar-8.3.29-150700.3.9.1 updated From sle-container-updates at lists.suse.com Mon Jan 12 08:17:54 2026 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Mon, 12 Jan 2026 09:17:54 +0100 (CET) Subject: SUSE-CU-2026:175-1: Security update of suse/postgres Message-ID: <20260112081754.404A8FBA0@maintenance.suse.de> SUSE Container Update Advisory: suse/postgres ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2026:175-1 Container Tags : suse/postgres:18 , suse/postgres:18.1 , suse/postgres:18.1 , suse/postgres:18.1-63.4 , suse/postgres:latest Container Release : 63.4 Severity : moderate Type : security References : 1255731 1255732 1255733 1255734 CVE-2025-14524 CVE-2025-14819 CVE-2025-15079 CVE-2025-15224 ----------------------------------------------------------------- The container suse/postgres was updated. 
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2026:52-1 Released: Wed Jan 7 10:28:34 2026 Summary: Security update for curl Type: security Severity: moderate References: 1255731,1255732,1255733,1255734,CVE-2025-14524,CVE-2025-14819,CVE-2025-15079,CVE-2025-15224 This update for curl fixes the following issues: - CVE-2025-14524: bearer token leak on cross-protocol redirect (bsc#1255731). - CVE-2025-14819: libssh global knownhost override (bsc#1255732). - CVE-2025-15079: libssh key passphrase bypass without agent set (bsc#1255733). - CVE-2025-15224: OpenSSL partial chain store policy bypass (bsc#1255734). The following package changes have been done: - libcurl4-8.14.1-150700.7.8.1 updated - container:suse-sle15-15.7-17d580e01de81ee10782633976ab6983923855d96e8b6342192d8486fa7933cf-0 updated - container:registry.suse.com-bci-bci-micro-15.7-4ea6269b17048f73c022844251731ef4f640fdb9eb72a2ab53ec7f9413b89ee3-0 updated From sle-container-updates at lists.suse.com Mon Jan 12 08:17:50 2026 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Mon, 12 Jan 2026 09:17:50 +0100 (CET) Subject: SUSE-CU-2026:174-1: Security update of suse/postgres Message-ID: <20260112081750.541CDFB9B@maintenance.suse.de> SUSE Container Update Advisory: suse/postgres ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2026:174-1 Container Tags : suse/postgres:17 , suse/postgres:17.7 , suse/postgres:17.7 , suse/postgres:17.7-73.4 Container Release : 73.4 Severity : moderate Type : security References : 1255731 1255732 1255733 1255734 CVE-2025-14524 CVE-2025-14819 CVE-2025-15079 CVE-2025-15224 ----------------------------------------------------------------- The container suse/postgres was updated. 
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2026:52-1 Released: Wed Jan 7 10:28:34 2026 Summary: Security update for curl Type: security Severity: moderate References: 1255731,1255732,1255733,1255734,CVE-2025-14524,CVE-2025-14819,CVE-2025-15079,CVE-2025-15224 This update for curl fixes the following issues: - CVE-2025-14524: bearer token leak on cross-protocol redirect (bsc#1255731). - CVE-2025-14819: libssh global knownhost override (bsc#1255732). - CVE-2025-15079: libssh key passphrase bypass without agent set (bsc#1255733). - CVE-2025-15224: OpenSSL partial chain store policy bypass (bsc#1255734). The following package changes have been done: - libcurl4-8.14.1-150700.7.8.1 updated - container:suse-sle15-15.7-17d580e01de81ee10782633976ab6983923855d96e8b6342192d8486fa7933cf-0 updated - container:registry.suse.com-bci-bci-micro-15.7-4ea6269b17048f73c022844251731ef4f640fdb9eb72a2ab53ec7f9413b89ee3-0 updated From sle-container-updates at lists.suse.com Tue Jan 13 08:05:33 2026 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Tue, 13 Jan 2026 09:05:33 +0100 (CET) Subject: SUSE-IU-2026:65-1: Recommended update of suse/sl-micro/6.0/baremetal-os-container Message-ID: <20260113080533.CB03EFB9C@maintenance.suse.de> SUSE Image Update Advisory: suse/sl-micro/6.0/baremetal-os-container ----------------------------------------------------------------- Image Advisory ID : SUSE-IU-2026:65-1 Image Tags : suse/sl-micro/6.0/baremetal-os-container:2.1.3 , suse/sl-micro/6.0/baremetal-os-container:2.1.3-6.117 , suse/sl-micro/6.0/baremetal-os-container:latest Image Release : 6.117 Severity : moderate Type : recommended References : 1231494 1255372 ----------------------------------------------------------------- The container suse/sl-micro/6.0/baremetal-os-container was updated. 
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: 556 Released: Mon Jan 12 13:07:52 2026 Summary: Recommended update for selinux-policy Type: recommended Severity: moderate References: 1231494,1255372 This update for selinux-policy fixes the following issues: Update to version 20230523+git34.7b0eea050: * rsync: add rsync_exec_commands boolean and enable it by default (bsc#1231494, bsc#1255372) The following package changes have been done: - SL-Micro-release-6.0-25.63 updated - selinux-policy-20230523+git34.7b0eea050-1.1 updated - selinux-policy-targeted-20230523+git34.7b0eea050-1.1 updated - container:SL-Micro-base-container-2.1.3-7.84 updated From sle-container-updates at lists.suse.com Tue Jan 13 08:06:37 2026 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Tue, 13 Jan 2026 09:06:37 +0100 (CET) Subject: SUSE-IU-2026:66-1: Security update of suse/sl-micro/6.0/base-os-container Message-ID: <20260113080637.BEBECFB9C@maintenance.suse.de> SUSE Image Update Advisory: suse/sl-micro/6.0/base-os-container ----------------------------------------------------------------- Image Advisory ID : SUSE-IU-2026:66-1 Image Tags : suse/sl-micro/6.0/base-os-container:2.1.3 , suse/sl-micro/6.0/base-os-container:2.1.3-7.84 , suse/sl-micro/6.0/base-os-container:latest Image Release : 7.84 Severity : moderate Type : security References : 1256341 CVE-2025-13151 ----------------------------------------------------------------- The container suse/sl-micro/6.0/base-os-container was updated. 
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: 558 Released: Mon Jan 12 13:00:27 2026 Summary: Security update for libtasn1 Type: security Severity: moderate References: 1256341,CVE-2025-13151 This update for libtasn1 fixes the following issues: - CVE-2025-13151: lack of validation of input data size leads to stack-based buffer overflow in `asn1_expend_octet_string` (bsc#1256341). The following package changes have been done: - libtasn1-6-4.19.0-5.1 updated - SL-Micro-release-6.0-25.63 updated - container:suse-toolbox-image-1.0.0-9.59 updated From sle-container-updates at lists.suse.com Tue Jan 13 08:11:24 2026 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Tue, 13 Jan 2026 09:11:24 +0100 (CET) Subject: SUSE-CU-2026:178-1: Security update of suse/sl-micro/6.0/toolbox Message-ID: <20260113081124.370D2FB9C@maintenance.suse.de> SUSE Container Update Advisory: suse/sl-micro/6.0/toolbox ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2026:178-1 Container Tags : suse/sl-micro/6.0/toolbox:13.2 , suse/sl-micro/6.0/toolbox:13.2-9.56 , suse/sl-micro/6.0/toolbox:latest Container Release : 9.56 Severity : important Type : security References : 1254297 1254400 1254401 1254662 1254878 1254997 1255731 1255732 1255733 1255734 CVE-2025-12084 CVE-2025-13601 CVE-2025-13836 CVE-2025-13837 CVE-2025-14087 CVE-2025-14512 CVE-2025-14524 CVE-2025-14819 CVE-2025-15079 CVE-2025-15224 ----------------------------------------------------------------- The container suse/sl-micro/6.0/toolbox was updated. 
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: 546 Released: Thu Jan 8 16:18:54 2026 Summary: Security update for curl Type: security Severity: moderate References: 1255731,1255732,1255733,1255734,CVE-2025-14524,CVE-2025-14819,CVE-2025-15079,CVE-2025-15224 This update for curl fixes the following issues: - CVE-2025-14524: bearer token leak on cross-protocol redirect (bsc#1255731). - CVE-2025-14819: libssh global knownhost override (bsc#1255732). - CVE-2025-15079: libssh key passphrase bypass without agent set (bsc#1255733). - CVE-2025-15224: OpenSSL partial chain store policy bypass (bsc#1255734). ----------------------------------------------------------------- Advisory ID: 550 Released: Thu Jan 8 17:00:18 2026 Summary: Security update for glib2 Type: security Severity: important References: 1254297,1254662,1254878,CVE-2025-13601,CVE-2025-14087,CVE-2025-14512 This update for glib2 fixes the following issues: - CVE-2025-13601: Fixed Integer overflow in g_escape_uri_string() (bsc#1254297) - CVE-2025-14087: Fixed buffer underflow in GVariant parser leads to heap corruption (bsc#1254662) - CVE-2025-14512: Fixed Integer Overflow in GLib GIO Attribute Escaping Causes Heap Buffer Overflow (bsc#1254878) ----------------------------------------------------------------- Advisory ID: 552 Released: Thu Jan 8 17:27:35 2026 Summary: Security update for python311 Type: security Severity: moderate References: 1254400,1254401,1254997,CVE-2025-12084,CVE-2025-13836,CVE-2025-13837 This update for python311 fixes the following issues: - CVE-2025-12084: cpython: Fixed quadratic algorithm in xml.dom.minidom leading to denial of service (bsc#1254997) - CVE-2025-13836: Fixed default Content-Length read amount from HTTP response (bsc#1254400) - CVE-2025-13837: Fixed plistlib module denial of service (bsc#1254401) The following package changes have been done: - SL-Micro-release-6.0-25.62 updated -
curl-8.14.1-3.1 updated - libcurl-mini4-8.14.1-3.1 updated - libglib-2_0-0-2.76.2-11.1 updated - libgmodule-2_0-0-2.76.2-11.1 updated - libpython3_11-1_0-3.11.14-2.1 updated - python311-base-3.11.14-2.1 updated - skelcd-EULA-SL-Micro-2024.01.19-8.61 updated From sle-container-updates at lists.suse.com Tue Jan 13 08:11:25 2026 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Tue, 13 Jan 2026 09:11:25 +0100 (CET) Subject: SUSE-CU-2026:179-1: Security update of suse/sl-micro/6.0/toolbox Message-ID: <20260113081125.18EC8FB9C@maintenance.suse.de> SUSE Container Update Advisory: suse/sl-micro/6.0/toolbox ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2026:179-1 Container Tags : suse/sl-micro/6.0/toolbox:13.2 , suse/sl-micro/6.0/toolbox:13.2-9.59 , suse/sl-micro/6.0/toolbox:latest Container Release : 9.59 Severity : moderate Type : security References : 1256341 CVE-2025-13151 ----------------------------------------------------------------- The container suse/sl-micro/6.0/toolbox was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: 558 Released: Mon Jan 12 13:00:27 2026 Summary: Security update for libtasn1 Type: security Severity: moderate References: 1256341,CVE-2025-13151 This update for libtasn1 fixes the following issues: - CVE-2025-13151: lack of validation of input data size leads to stack-based buffer overflow in `asn1_expend_octet_string` (bsc#1256341). 
The following package changes have been done: - SL-Micro-release-6.0-25.63 updated - libtasn1-6-4.19.0-5.1 updated - skelcd-EULA-SL-Micro-2024.01.19-8.62 updated From sle-container-updates at lists.suse.com Tue Jan 13 08:12:09 2026 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Tue, 13 Jan 2026 09:12:09 +0100 (CET) Subject: SUSE-IU-2026:69-1: Recommended update of suse/sl-micro/6.1/baremetal-os-container Message-ID: <20260113081209.17E9FFB9C@maintenance.suse.de> SUSE Image Update Advisory: suse/sl-micro/6.1/baremetal-os-container ----------------------------------------------------------------- Image Advisory ID : SUSE-IU-2026:69-1 Image Tags : suse/sl-micro/6.1/baremetal-os-container:2.2.1 , suse/sl-micro/6.1/baremetal-os-container:2.2.1-7.44 , suse/sl-micro/6.1/baremetal-os-container:latest Image Release : 7.44 Severity : moderate Type : recommended References : 1231494 1244039 1255372 CVE-2024-47081 ----------------------------------------------------------------- The container suse/sl-micro/6.1/baremetal-os-container was updated. 
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: 371 Released: Mon Jan 12 11:51:34 2026 Summary: Recommended update for selinux-policy Type: recommended Severity: moderate References: 1231494,1244039,1255372,CVE-2024-47081 This update for selinux-policy fixes the following issues: Update to version 20241031+git17.66062d7a5: * rsync: add rsync_exec_commands boolean and enable it by default (bsc#1231494, bsc#1255372) The following package changes have been done: - selinux-policy-20241031+git17.66062d7a5-slfo.1.1_1.1 updated - selinux-policy-targeted-20241031+git17.66062d7a5-slfo.1.1_1.1 updated From sle-container-updates at lists.suse.com Tue Jan 13 08:16:26 2026 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Tue, 13 Jan 2026 09:16:26 +0100 (CET) Subject: SUSE-IU-2026:71-1: Security update of suse/sl-micro/6.2/baremetal-os-container Message-ID: <20260113081626.3416DFB9B@maintenance.suse.de> SUSE Image Update Advisory: suse/sl-micro/6.2/baremetal-os-container ----------------------------------------------------------------- Image Advisory ID : SUSE-IU-2026:71-1 Image Tags : suse/sl-micro/6.2/baremetal-os-container:2.3.0 , suse/sl-micro/6.2/baremetal-os-container:2.3.0-7.6 , suse/sl-micro/6.2/baremetal-os-container:latest Image Release : 7.6 Severity : moderate Type : security References : 1207377 1218474 1228142 1230679 1231565 1241453 1241551 1254157 1254158 1254159 1254160 1254480 CVE-2022-45748 CVE-2024-40724 CVE-2024-45679 CVE-2024-9632 CVE-2025-32414 CVE-2025-32415 CVE-2025-64505 CVE-2025-64506 CVE-2025-64720 CVE-2025-65018 CVE-2025-66293 ----------------------------------------------------------------- The container suse/sl-micro/6.2/baremetal-os-container was updated. 
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: 126 Released: Wed May 28 11:00:31 2025 Summary: Security update for libxml2 Type: security Severity: moderate References: 1207377,1218474,1228142,1230679,1241453,1241551,CVE-2022-45748,CVE-2024-40724,CVE-2024-45679,CVE-2025-32414,CVE-2025-32415 This update for libxml2 fixes the following issues: - CVE-2025-32414: Fixed out-of-bounds read when parsing text via the Python API (bsc#1241551). - CVE-2025-32415: Fixed heap-based buffer under-read via crafted XML documents (bsc#1241453). ----------------------------------------------------------------- Advisory ID: 131 Released: Wed Jun 4 12:19:33 2025 Summary: Recommended update for scap-security-guide Type: recommended Severity: moderate References: 1231565,1254157,1254158,1254159,1254160,1254480,CVE-2024-9632,CVE-2025-64505,CVE-2025-64506,CVE-2025-64720,CVE-2025-65018,CVE-2025-66293 This update for scap-security-guide fixes the following issues: Ship scap-security-guide in version 0.1.76 (jsc#ECO-3319). 
The following package changes have been done: - libpng16-16-1.6.44-160000.3.1 updated - libglib-2_0-0-2.84.4-160000.1.1 updated - liblz4-1-1.10.0-160000.3.1 updated - libgobject-2_0-0-2.84.4-160000.1.1 updated - libgmodule-2_0-0-2.84.4-160000.1.1 updated - gio-branding-SLE-16-160000.2.3 updated - libgio-2_0-0-2.84.4-160000.1.1 updated - glib2-tools-2.84.4-160000.1.1 updated - elemental-register-1.8.0-160000.1.1 updated - elemental-support-1.8.0-160000.1.1 updated - elemental-system-agent-0.3.13-160000.1.1 updated - typelib-1_0-GLib-2_0-2.84.4-160000.1.1 updated - typelib-1_0-GObject-2_0-2.84.4-160000.1.1 updated - typelib-1_0-GModule-2_0-2.84.4-160000.1.1 updated - typelib-1_0-Gio-2_0-2.84.4-160000.1.1 updated - container:suse-sl-micro-6.2-base-os-container-latest-2aa313a628647b10026c136b6ac7b08bcb5a65071826c0e357ef52e199e5bdec-0 updated From sle-container-updates at lists.suse.com Tue Jan 13 08:19:59 2026 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Tue, 13 Jan 2026 09:19:59 +0100 (CET) Subject: SUSE-IU-2026:78-1: Security update of suse/sl-micro/6.2/kvm-os-container Message-ID: <20260113081959.3B474FB9B@maintenance.suse.de> SUSE Image Update Advisory: suse/sl-micro/6.2/kvm-os-container ----------------------------------------------------------------- Image Advisory ID : SUSE-IU-2026:78-1 Image Tags : suse/sl-micro/6.2/kvm-os-container:2.3.0 , suse/sl-micro/6.2/kvm-os-container:2.3.0-7.5 , suse/sl-micro/6.2/kvm-os-container:latest Image Release : 7.5 Severity : moderate Type : security References : 1207377 1218474 1228142 1230679 1231565 1241453 1241551 1254157 1254158 1254159 1254160 1254480 CVE-2022-45748 CVE-2024-40724 CVE-2024-45679 CVE-2024-9632 CVE-2025-32414 CVE-2025-32415 CVE-2025-64505 CVE-2025-64506 CVE-2025-64720 CVE-2025-65018 CVE-2025-66293 ----------------------------------------------------------------- The container suse/sl-micro/6.2/kvm-os-container was updated. 
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: 126 Released: Wed May 28 11:00:31 2025 Summary: Security update for libxml2 Type: security Severity: moderate References: 1207377,1218474,1228142,1230679,1241453,1241551,CVE-2022-45748,CVE-2024-40724,CVE-2024-45679,CVE-2025-32414,CVE-2025-32415 This update for libxml2 fixes the following issues: - CVE-2025-32414: Fixed out-of-bounds read when parsing text via the Python API (bsc#1241551). - CVE-2025-32415: Fixed heap-based buffer under-read via crafted XML documents (bsc#1241453). ----------------------------------------------------------------- Advisory ID: 131 Released: Wed Jun 4 12:19:33 2025 Summary: Recommended update for scap-security-guide Type: recommended Severity: moderate References: 1231565,1254157,1254158,1254159,1254160,1254480,CVE-2024-9632,CVE-2025-64505,CVE-2025-64506,CVE-2025-64720,CVE-2025-65018,CVE-2025-66293 This update for scap-security-guide fixes the following issues: Ship scap-security-guide in version 0.1.76 (jsc#ECO-3319). 
The following package changes have been done: - libpng16-16-1.6.44-160000.3.1 updated - libglib-2_0-0-2.84.4-160000.1.1 updated - liblz4-1-1.10.0-160000.3.1 updated - libgobject-2_0-0-2.84.4-160000.1.1 updated - libgmodule-2_0-0-2.84.4-160000.1.1 updated - gio-branding-SLE-16-160000.2.3 updated - libgio-2_0-0-2.84.4-160000.1.1 updated - glib2-tools-2.84.4-160000.1.1 updated - elemental-register-1.8.0-160000.1.1 updated - elemental-support-1.8.0-160000.1.1 updated - elemental-system-agent-0.3.13-160000.1.1 updated - container:suse-sl-micro-6.2-base-os-container-latest-2aa313a628647b10026c136b6ac7b08bcb5a65071826c0e357ef52e199e5bdec-0 updated From sle-container-updates at lists.suse.com Tue Jan 13 08:20:31 2026 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Tue, 13 Jan 2026 09:20:31 +0100 (CET) Subject: SUSE-IU-2026:83-1: Security update of suse/sl-micro/6.2/rt-os-container Message-ID: <20260113082031.3DFE6FB9B@maintenance.suse.de> SUSE Image Update Advisory: suse/sl-micro/6.2/rt-os-container ----------------------------------------------------------------- Image Advisory ID : SUSE-IU-2026:83-1 Image Tags : suse/sl-micro/6.2/rt-os-container:2.3.0 , suse/sl-micro/6.2/rt-os-container:2.3.0-6.5 , suse/sl-micro/6.2/rt-os-container:latest Image Release : 6.5 Severity : moderate Type : security References : 1207377 1218474 1228142 1230679 1231565 1241453 1241551 1254157 1254158 1254159 1254160 1254480 CVE-2022-45748 CVE-2024-40724 CVE-2024-45679 CVE-2024-9632 CVE-2025-32414 CVE-2025-32415 CVE-2025-64505 CVE-2025-64506 CVE-2025-64720 CVE-2025-65018 CVE-2025-66293 ----------------------------------------------------------------- The container suse/sl-micro/6.2/rt-os-container was updated. 
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: 126 Released: Wed May 28 11:00:31 2025 Summary: Security update for libxml2 Type: security Severity: moderate References: 1207377,1218474,1228142,1230679,1241453,1241551,CVE-2022-45748,CVE-2024-40724,CVE-2024-45679,CVE-2025-32414,CVE-2025-32415 This update for libxml2 fixes the following issues: - CVE-2025-32414: Fixed out-of-bounds read when parsing text via the Python API (bsc#1241551). - CVE-2025-32415: Fixed heap-based buffer under-read via crafted XML documents (bsc#1241453). ----------------------------------------------------------------- Advisory ID: 131 Released: Wed Jun 4 12:19:33 2025 Summary: Recommended update for scap-security-guide Type: recommended Severity: moderate References: 1231565,1254157,1254158,1254159,1254160,1254480,CVE-2024-9632,CVE-2025-64505,CVE-2025-64506,CVE-2025-64720,CVE-2025-65018,CVE-2025-66293 This update for scap-security-guide fixes the following issues: Ship scap-security-guide in version 0.1.76 (jsc#ECO-3319). 
The following package changes have been done: - libpng16-16-1.6.44-160000.3.1 updated - libglib-2_0-0-2.84.4-160000.1.1 updated - liblz4-1-1.10.0-160000.3.1 updated - libgobject-2_0-0-2.84.4-160000.1.1 updated - libgmodule-2_0-0-2.84.4-160000.1.1 updated - gio-branding-SLE-16-160000.2.3 updated - libgio-2_0-0-2.84.4-160000.1.1 updated - glib2-tools-2.84.4-160000.1.1 updated - elemental-register-1.8.0-160000.1.1 updated - elemental-support-1.8.0-160000.1.1 updated - elemental-system-agent-0.3.13-160000.1.1 updated - container:suse-sl-micro-6.2-baremetal-os-container-latest-e6df1ccc8bc0bbe2e3a8f7adc13b615eba0c80e7497425a3e6266be77c3639a2-0 updated From sle-container-updates at lists.suse.com Tue Jan 13 08:26:00 2026 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Tue, 13 Jan 2026 09:26:00 +0100 (CET) Subject: SUSE-CU-2026:185-1: Recommended update of suse/sles/16.0/toolbox Message-ID: <20260113082600.56F33FB9B@maintenance.suse.de> SUSE Container Update Advisory: suse/sles/16.0/toolbox ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2026:185-1 Container Tags : suse/sles/16.0/toolbox:16.3 , suse/sles/16.0/toolbox:16.3-1.9 , suse/sles/16.0/toolbox:latest Container Release : 1.9 Severity : moderate Type : recommended References : 1216739 1223979 1235788 1235789 1249055 1254297 1254662 1254878 CVE-2024-34069 CVE-2025-13601 CVE-2025-14087 CVE-2025-14512 CVE-2025-7039 ----------------------------------------------------------------- The container suse/sles/16.0/toolbox was updated. 
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: 132 Released: Wed Jun 4 10:39:40 2025 Summary: Recommended update for sssd, cifs-utils Type: recommended Severity: moderate References: 1216739,1223979,1235788,1235789,1249055,1254297,1254662,1254878,CVE-2024-34069,CVE-2025-13601,CVE-2025-14087,CVE-2025-14512,CVE-2025-7039 This update for sssd, cifs-utils fixes the following issues: cifs-utils: - Migrate away from update-alternatives, replaced by package conflicts (bsc#1235788); sssd: - Migrate away from update-alternatives, replaced by package conflicts; (bsc#1235789); (bsc#1216739); The following package changes have been done: - libglib-2_0-0-2.84.4-160000.1.1 updated - libgmodule-2_0-0-2.84.4-160000.1.1 updated From sle-container-updates at lists.suse.com Tue Jan 13 08:31:59 2026 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Tue, 13 Jan 2026 09:31:59 +0100 (CET) Subject: SUSE-CU-2026:187-1: Security update of suse/sle-micro/5.2/toolbox Message-ID: <20260113083159.E681BFB9B@maintenance.suse.de> SUSE Container Update Advisory: suse/sle-micro/5.2/toolbox ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2026:187-1 Container Tags : suse/sle-micro/5.2/toolbox:14.2 , suse/sle-micro/5.2/toolbox:14.2-7.11.225 , suse/sle-micro/5.2/toolbox:latest Container Release : 7.11.225 Severity : moderate Type : security References : 1254666 CVE-2025-14104 ----------------------------------------------------------------- The container suse/sle-micro/5.2/toolbox was updated. 
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2026:116-1 Released: Tue Jan 13 03:33:40 2026 Summary: Security update for util-linux Type: security Severity: moderate References: 1254666,CVE-2025-14104 This update for util-linux fixes the following issues: - CVE-2025-14104: Fixed heap buffer overread in setpwnam() when processing 256-byte usernames (bsc#1254666). - lscpu: Add support for NVIDIA Olympus arm64 core (jsc#PED-13682). The following package changes have been done: - libblkid1-2.36.2-150300.4.50.1 updated - libfdisk1-2.36.2-150300.4.50.1 updated - libmount1-2.36.2-150300.4.50.1 updated - libsmartcols1-2.36.2-150300.4.50.1 updated - libuuid1-2.36.2-150300.4.50.1 updated - util-linux-2.36.2-150300.4.50.1 updated From sle-container-updates at lists.suse.com Tue Jan 13 12:43:50 2026 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Tue, 13 Jan 2026 13:43:50 +0100 (CET) Subject: SUSE-IU-2026:91-1: Security update of suse/sle-micro/base-5.5 Message-ID: <20260113124350.89132FB9C@maintenance.suse.de> SUSE Image Update Advisory: suse/sle-micro/base-5.5 ----------------------------------------------------------------- Image Advisory ID : SUSE-IU-2026:91-1 Image Tags : suse/sle-micro/base-5.5:2.0.4 , suse/sle-micro/base-5.5:2.0.4-5.8.232 , suse/sle-micro/base-5.5:latest Image Release : 5.8.232 Severity : moderate Type : security References : 1254666 CVE-2025-14104 ----------------------------------------------------------------- The container suse/sle-micro/base-5.5 was updated. 
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2026:117-1 Released: Tue Jan 13 05:33:38 2026 Summary: Security update for util-linux Type: security Severity: moderate References: 1254666,CVE-2025-14104 This update for util-linux fixes the following issues: - CVE-2025-14104: Fixed heap buffer overread in setpwnam() when processing 256-byte usernames (bsc#1254666). - lscpu: Add support for NVIDIA Olympus arm64 core (jsc#PED-13682). The following package changes have been done: - libuuid1-2.37.4-150500.9.20.1 updated - libsmartcols1-2.37.4-150500.9.20.1 updated - libblkid1-2.37.4-150500.9.20.1 updated - libfdisk1-2.37.4-150500.9.20.1 updated - libmount1-2.37.4-150500.9.20.1 updated - util-linux-2.37.4-150500.9.20.1 updated - util-linux-systemd-2.37.4-150500.9.20.1 updated From sle-container-updates at lists.suse.com Tue Jan 13 12:45:13 2026 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Tue, 13 Jan 2026 13:45:13 +0100 (CET) Subject: SUSE-IU-2026:92-1: Security update of suse/sle-micro/kvm-5.5 Message-ID: <20260113124513.32563FB9C@maintenance.suse.de> SUSE Image Update Advisory: suse/sle-micro/kvm-5.5 ----------------------------------------------------------------- Image Advisory ID : SUSE-IU-2026:92-1 Image Tags : suse/sle-micro/kvm-5.5:2.0.4 , suse/sle-micro/kvm-5.5:2.0.4-3.5.446 , suse/sle-micro/kvm-5.5:latest Image Release : 3.5.446 Severity : moderate Type : security References : 1254666 CVE-2025-14104 ----------------------------------------------------------------- The container suse/sle-micro/kvm-5.5 was updated. 
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2026:117-1 Released: Tue Jan 13 05:33:38 2026 Summary: Security update for util-linux Type: security Severity: moderate References: 1254666,CVE-2025-14104 This update for util-linux fixes the following issues: - CVE-2025-14104: Fixed heap buffer overread in setpwnam() when processing 256-byte usernames (bsc#1254666). - lscpu: Add support for NVIDIA Olympus arm64 core (jsc#PED-13682). The following package changes have been done: - libuuid1-2.37.4-150500.9.20.1 updated - libsmartcols1-2.37.4-150500.9.20.1 updated - libblkid1-2.37.4-150500.9.20.1 updated - libfdisk1-2.37.4-150500.9.20.1 updated - libmount1-2.37.4-150500.9.20.1 updated - util-linux-2.37.4-150500.9.20.1 updated - util-linux-systemd-2.37.4-150500.9.20.1 updated - container:suse-sle-micro-base-5.5-latest-2.0.4-5.8.232 updated From sle-container-updates at lists.suse.com Tue Jan 13 12:54:01 2026 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Tue, 13 Jan 2026 13:54:01 +0100 (CET) Subject: SUSE-CU-2026:189-1: Security update of suse/ltss/sle12.5/sles12sp5 Message-ID: <20260113125401.F24DEFB9C@maintenance.suse.de> SUSE Container Update Advisory: suse/ltss/sle12.5/sles12sp5 ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2026:189-1 Container Tags : suse/ltss/sle12.5/sles12sp5:8.5.179 , suse/ltss/sle12.5/sles12sp5:latest Container Release : 8.5.179 Severity : moderate Type : security References : 1256105 1256341 CVE-2025-13151 CVE-2025-14017 ----------------------------------------------------------------- The container suse/ltss/sle12.5/sles12sp5 was updated. 
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2026:118-1 Released: Tue Jan 13 07:46:52 2026 Summary: Security update for libtasn1 Type: security Severity: moderate References: 1256341,CVE-2025-13151 This update for libtasn1 fixes the following issues: - CVE-2025-13151: stack-based buffer overflow in `asn1_expend_octet_string` (bsc#1256341). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2026:119-1 Released: Tue Jan 13 09:10:34 2026 Summary: Security update for curl Type: security Severity: moderate References: 1256105,CVE-2025-14017 This update for curl fixes the following issues: - CVE-2025-14017: Fixed broken TLS options for threaded LDAPS (bsc#1256105) The following package changes have been done: - libcurl4-8.0.1-11.114.1 updated - libtasn1-6-4.9-3.19.1 updated - libtasn1-4.9-3.19.1 updated From sle-container-updates at lists.suse.com Tue Jan 13 12:59:28 2026 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Tue, 13 Jan 2026 13:59:28 +0100 (CET) Subject: SUSE-CU-2026:192-1: Security update of bci/golang Message-ID: <20260113125928.080C7FB9C@maintenance.suse.de> SUSE Container Update Advisory: bci/golang ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2026:192-1 Container Tags : bci/golang:1.24 , bci/golang:1.24.11 , bci/golang:1.24.11-2.78.4 , bci/golang:oldstable , bci/golang:oldstable-2.78.4 Container Release : 78.4 Severity : moderate Type : security References : 1255731 1255732 1255733 1255734 CVE-2025-14524 CVE-2025-14819 CVE-2025-15079 CVE-2025-15224 ----------------------------------------------------------------- The container bci/golang was updated. 
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2026:52-1 Released: Wed Jan 7 10:28:34 2026 Summary: Security update for curl Type: security Severity: moderate References: 1255731,1255732,1255733,1255734,CVE-2025-14524,CVE-2025-14819,CVE-2025-15079,CVE-2025-15224 This update for curl fixes the following issues: - CVE-2025-14524: bearer token leak on cross-protocol redirect (bsc#1255731). - CVE-2025-14819: libssh global knownhost override (bsc#1255732). - CVE-2025-15079: libssh key passphrase bypass without agent set (bsc#1255733). - CVE-2025-15224: OpenSSL partial chain store policy bypass (bsc#1255734). The following package changes have been done: - curl-8.14.1-150700.7.8.1 updated From sle-container-updates at lists.suse.com Tue Jan 13 13:00:03 2026 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Tue, 13 Jan 2026 14:00:03 +0100 (CET) Subject: SUSE-CU-2026:193-1: Security update of suse/kiosk/firefox-esr Message-ID: <20260113130003.A9C03FBA0@maintenance.suse.de> SUSE Container Update Advisory: suse/kiosk/firefox-esr ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2026:193-1 Container Tags : suse/kiosk/firefox-esr:140.6 , suse/kiosk/firefox-esr:140.6-70.5 , suse/kiosk/firefox-esr:esr , suse/kiosk/firefox-esr:latest Container Release : 70.5 Severity : moderate Type : security References : 1255731 1255732 1255733 1255734 CVE-2025-14524 CVE-2025-14819 CVE-2025-15079 CVE-2025-15224 ----------------------------------------------------------------- The container suse/kiosk/firefox-esr was updated. 
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2026:52-1 Released: Wed Jan 7 10:28:34 2026 Summary: Security update for curl Type: security Severity: moderate References: 1255731,1255732,1255733,1255734,CVE-2025-14524,CVE-2025-14819,CVE-2025-15079,CVE-2025-15224 This update for curl fixes the following issues: - CVE-2025-14524: bearer token leak on cross-protocol redirect (bsc#1255731). - CVE-2025-14819: libssh global knownhost override (bsc#1255732). - CVE-2025-15079: libssh key passphrase bypass without agent set (bsc#1255733). - CVE-2025-15224: OpenSSL partial chain store policy bypass (bsc#1255734). The following package changes have been done: - libcurl4-8.14.1-150700.7.8.1 updated - container:suse-sle15-15.7-17d580e01de81ee10782633976ab6983923855d96e8b6342192d8486fa7933cf-0 updated From sle-container-updates at lists.suse.com Tue Jan 13 13:00:30 2026 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Tue, 13 Jan 2026 14:00:30 +0100 (CET) Subject: SUSE-CU-2026:194-1: Security update of bci/nodejs Message-ID: <20260113130030.59F8CFBA0@maintenance.suse.de> SUSE Container Update Advisory: bci/nodejs ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2026:194-1 Container Tags : bci/node:22 , bci/node:22.15.1 , bci/node:22.15.1-16.3 , bci/node:latest , bci/nodejs:22 , bci/nodejs:22.15.1 , bci/nodejs:22.15.1-16.3 , bci/nodejs:latest Container Release : 16.3 Severity : moderate Type : security References : 1255731 1255732 1255733 1255734 CVE-2025-14524 CVE-2025-14819 CVE-2025-15079 CVE-2025-15224 ----------------------------------------------------------------- The container bci/nodejs was updated. 
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2026:52-1 Released: Wed Jan 7 10:28:34 2026 Summary: Security update for curl Type: security Severity: moderate References: 1255731,1255732,1255733,1255734,CVE-2025-14524,CVE-2025-14819,CVE-2025-15079,CVE-2025-15224 This update for curl fixes the following issues: - CVE-2025-14524: bearer token leak on cross-protocol redirect (bsc#1255731). - CVE-2025-14819: libssh global knownhost override (bsc#1255732). - CVE-2025-15079: libssh key passphrase bypass without agent set (bsc#1255733). - CVE-2025-15224: OpenSSL partial chain store policy bypass (bsc#1255734). The following package changes have been done: - curl-8.14.1-150700.7.8.1 updated From sle-container-updates at lists.suse.com Tue Jan 13 13:00:36 2026 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Tue, 13 Jan 2026 14:00:36 +0100 (CET) Subject: SUSE-CU-2026:195-1: Security update of bci/openjdk Message-ID: <20260113130036.3772CFBA0@maintenance.suse.de> SUSE Container Update Advisory: bci/openjdk ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2026:195-1 Container Tags : bci/openjdk:25 , bci/openjdk:25.0.1.0 , bci/openjdk:25.0.1.0-4.3 , bci/openjdk:latest Container Release : 4.3 Severity : moderate Type : security References : 1255731 1255732 1255733 1255734 CVE-2025-14524 CVE-2025-14819 CVE-2025-15079 CVE-2025-15224 ----------------------------------------------------------------- The container bci/openjdk was updated. 
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2026:52-1 Released: Wed Jan 7 10:28:34 2026 Summary: Security update for curl Type: security Severity: moderate References: 1255731,1255732,1255733,1255734,CVE-2025-14524,CVE-2025-14819,CVE-2025-15079,CVE-2025-15224 This update for curl fixes the following issues: - CVE-2025-14524: bearer token leak on cross-protocol redirect (bsc#1255731). - CVE-2025-14819: libssh global knownhost override (bsc#1255732). - CVE-2025-15079: libssh key passphrase bypass without agent set (bsc#1255733). - CVE-2025-15224: OpenSSL partial chain store policy bypass (bsc#1255734). The following package changes have been done: - curl-8.14.1-150700.7.8.1 updated From sle-container-updates at lists.suse.com Tue Jan 13 13:01:06 2026 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Tue, 13 Jan 2026 14:01:06 +0100 (CET) Subject: SUSE-CU-2026:196-1: Security update of bci/python Message-ID: <20260113130106.2E831FBA0@maintenance.suse.de> SUSE Container Update Advisory: bci/python ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2026:196-1 Container Tags : bci/python:3 , bci/python:3.11 , bci/python:3.11.14 , bci/python:3.11.14-80.4 Container Release : 80.4 Severity : moderate Type : security References : 1255731 1255732 1255733 1255734 CVE-2025-14524 CVE-2025-14819 CVE-2025-15079 CVE-2025-15224 ----------------------------------------------------------------- The container bci/python was updated. 
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2026:52-1 Released: Wed Jan 7 10:28:34 2026 Summary: Security update for curl Type: security Severity: moderate References: 1255731,1255732,1255733,1255734,CVE-2025-14524,CVE-2025-14819,CVE-2025-15079,CVE-2025-15224 This update for curl fixes the following issues: - CVE-2025-14524: bearer token leak on cross-protocol redirect (bsc#1255731). - CVE-2025-14819: libssh global knownhost override (bsc#1255732). - CVE-2025-15079: libssh key passphrase bypass without agent set (bsc#1255733). - CVE-2025-15224: OpenSSL partial chain store policy bypass (bsc#1255734). The following package changes have been done: - curl-8.14.1-150700.7.8.1 updated From sle-container-updates at lists.suse.com Tue Jan 13 13:01:38 2026 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Tue, 13 Jan 2026 14:01:38 +0100 (CET) Subject: SUSE-CU-2026:197-1: Security update of bci/python Message-ID: <20260113130138.9E231FBA1@maintenance.suse.de> SUSE Container Update Advisory: bci/python ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2026:197-1 Container Tags : bci/python:3 , bci/python:3.13 , bci/python:3.13.11 , bci/python:3.13.11-82.5 , bci/python:latest Container Release : 82.5 Severity : moderate Type : security References : 1255731 1255732 1255733 1255734 CVE-2025-14524 CVE-2025-14819 CVE-2025-15079 CVE-2025-15224 ----------------------------------------------------------------- The container bci/python was updated. 
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2026:52-1 Released: Wed Jan 7 10:28:34 2026 Summary: Security update for curl Type: security Severity: moderate References: 1255731,1255732,1255733,1255734,CVE-2025-14524,CVE-2025-14819,CVE-2025-15079,CVE-2025-15224 This update for curl fixes the following issues: - CVE-2025-14524: bearer token leak on cross-protocol redirect (bsc#1255731). - CVE-2025-14819: libssh global knownhost override (bsc#1255732). - CVE-2025-15079: libssh key passphrase bypass without agent set (bsc#1255733). - CVE-2025-15224: OpenSSL partial chain store policy bypass (bsc#1255734). The following package changes have been done: - curl-8.14.1-150700.7.8.1 updated From sle-container-updates at lists.suse.com Tue Jan 13 13:02:11 2026 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Tue, 13 Jan 2026 14:02:11 +0100 (CET) Subject: SUSE-CU-2026:198-1: Security update of bci/ruby Message-ID: <20260113130211.B496BFBA1@maintenance.suse.de> SUSE Container Update Advisory: bci/ruby ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2026:198-1 Container Tags : bci/ruby:2 , bci/ruby:2.5 , bci/ruby:2.5-21.4 Container Release : 21.4 Severity : moderate Type : security References : 1255731 1255732 1255733 1255734 CVE-2025-14524 CVE-2025-14819 CVE-2025-15079 CVE-2025-15224 ----------------------------------------------------------------- The container bci/ruby was updated. 
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2026:52-1 Released: Wed Jan 7 10:28:34 2026 Summary: Security update for curl Type: security Severity: moderate References: 1255731,1255732,1255733,1255734,CVE-2025-14524,CVE-2025-14819,CVE-2025-15079,CVE-2025-15224 This update for curl fixes the following issues: - CVE-2025-14524: bearer token leak on cross-protocol redirect (bsc#1255731). - CVE-2025-14819: libssh global knownhost override (bsc#1255732). - CVE-2025-15079: libssh key passphrase bypass without agent set (bsc#1255733). - CVE-2025-15224: OpenSSL partial chain store policy bypass (bsc#1255734). The following package changes have been done: - curl-8.14.1-150700.7.8.1 updated From sle-container-updates at lists.suse.com Tue Jan 13 13:02:42 2026 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Tue, 13 Jan 2026 14:02:42 +0100 (CET) Subject: SUSE-CU-2026:199-1: Security update of bci/ruby Message-ID: <20260113130242.426E3FBA0@maintenance.suse.de> SUSE Container Update Advisory: bci/ruby ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2026:199-1 Container Tags : bci/ruby:3 , bci/ruby:3.4 , bci/ruby:3.4-20.4 , bci/ruby:latest Container Release : 20.4 Severity : moderate Type : security References : 1255731 1255732 1255733 1255734 CVE-2025-14524 CVE-2025-14819 CVE-2025-15079 CVE-2025-15224 ----------------------------------------------------------------- The container bci/ruby was updated. 
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2026:52-1 Released: Wed Jan 7 10:28:34 2026 Summary: Security update for curl Type: security Severity: moderate References: 1255731,1255732,1255733,1255734,CVE-2025-14524,CVE-2025-14819,CVE-2025-15079,CVE-2025-15224 This update for curl fixes the following issues: - CVE-2025-14524: bearer token leak on cross-protocol redirect (bsc#1255731). - CVE-2025-14819: libssh global knownhost override (bsc#1255732). - CVE-2025-15079: libssh key passphrase bypass without agent set (bsc#1255733). - CVE-2025-15224: OpenSSL partial chain store policy bypass (bsc#1255734). The following package changes have been done: - curl-8.14.1-150700.7.8.1 updated From sle-container-updates at lists.suse.com Wed Jan 14 08:06:06 2026 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Wed, 14 Jan 2026 09:06:06 +0100 (CET) Subject: SUSE-IU-2026:98-1: Security update of suse/sl-micro/6.1/base-os-container Message-ID: <20260114080606.9737DFB9C@maintenance.suse.de> SUSE Image Update Advisory: suse/sl-micro/6.1/base-os-container ----------------------------------------------------------------- Image Advisory ID : SUSE-IU-2026:98-1 Image Tags : suse/sl-micro/6.1/base-os-container:2.2.1 , suse/sl-micro/6.1/base-os-container:2.2.1-5.66 , suse/sl-micro/6.1/base-os-container:latest Image Release : 5.66 Severity : moderate Type : security References : 1256341 CVE-2025-13151 ----------------------------------------------------------------- The container suse/sl-micro/6.1/base-os-container was updated. 
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: 372 Released: Tue Jan 13 14:25:46 2026 Summary: Security update for libtasn1 Type: security Severity: moderate References: 1256341,CVE-2025-13151 This update for libtasn1 fixes the following issues: - CVE-2025-13151: lack of validation of input data size leads to stack-based buffer overflow in `asn1_expend_octet_string` (bsc#1256341). The following package changes have been done: - libtasn1-6-4.19.0-slfo.1.1_3.1 updated - SL-Micro-release-6.1-slfo.1.12.3 updated - container:suse-toolbox-image-1.0.0-4.98 updated From sle-container-updates at lists.suse.com Wed Jan 14 08:23:49 2026 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Wed, 14 Jan 2026 09:23:49 +0100 (CET) Subject: SUSE-CU-2026:206-1: Security update of bci/gcc Message-ID: <20260114082349.9FD9DFB9B@maintenance.suse.de> SUSE Container Update Advisory: bci/gcc ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2026:206-1 Container Tags : bci/gcc:14 , bci/gcc:14.3 , bci/gcc:14.3-17.4 , bci/gcc:latest Container Release : 17.4 Severity : moderate Type : security References : 1255731 1255732 1255733 1255734 CVE-2025-14524 CVE-2025-14819 CVE-2025-15079 CVE-2025-15224 ----------------------------------------------------------------- The container bci/gcc was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2026:52-1 Released: Wed Jan 7 10:28:34 2026 Summary: Security update for curl Type: security Severity: moderate References: 1255731,1255732,1255733,1255734,CVE-2025-14524,CVE-2025-14819,CVE-2025-15079,CVE-2025-15224 This update for curl fixes the following issues: - CVE-2025-14524: bearer token leak on cross-protocol redirect (bsc#1255731). 
- CVE-2025-14819: libssh global knownhost override (bsc#1255732). - CVE-2025-15079: libssh key passphrase bypass without agent set (bsc#1255733). - CVE-2025-15224: OpenSSL partial chain store policy bypass (bsc#1255734). The following package changes have been done: - curl-8.14.1-150700.7.8.1 updated From sle-container-updates at lists.suse.com Wed Jan 14 08:24:20 2026 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Wed, 14 Jan 2026 09:24:20 +0100 (CET) Subject: SUSE-CU-2026:207-1: Security update of bci/golang Message-ID: <20260114082420.3F487FB9B@maintenance.suse.de> SUSE Container Update Advisory: bci/golang ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2026:207-1 Container Tags : bci/golang:1.24-openssl , bci/golang:1.24.7-openssl , bci/golang:1.24.7-openssl-81.4 , bci/golang:oldstable-openssl , bci/golang:oldstable-openssl-81.4 Container Release : 81.4 Severity : moderate Type : security References : 1255731 1255732 1255733 1255734 CVE-2025-14524 CVE-2025-14819 CVE-2025-15079 CVE-2025-15224 ----------------------------------------------------------------- The container bci/golang was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2026:52-1 Released: Wed Jan 7 10:28:34 2026 Summary: Security update for curl Type: security Severity: moderate References: 1255731,1255732,1255733,1255734,CVE-2025-14524,CVE-2025-14819,CVE-2025-15079,CVE-2025-15224 This update for curl fixes the following issues: - CVE-2025-14524: bearer token leak on cross-protocol redirect (bsc#1255731). - CVE-2025-14819: libssh global knownhost override (bsc#1255732). - CVE-2025-15079: libssh key passphrase bypass without agent set (bsc#1255733). - CVE-2025-15224: OpenSSL partial chain store policy bypass (bsc#1255734). 
The following package changes have been done: - curl-8.14.1-150700.7.8.1 updated From sle-container-updates at lists.suse.com Wed Jan 14 08:24:53 2026 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Wed, 14 Jan 2026 09:24:53 +0100 (CET) Subject: SUSE-CU-2026:208-1: Security update of bci/golang Message-ID: <20260114082453.E93C7FB9B@maintenance.suse.de> SUSE Container Update Advisory: bci/golang ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2026:208-1 Container Tags : bci/golang:1.25 , bci/golang:1.25.5 , bci/golang:1.25.5-1.78.4 , bci/golang:latest , bci/golang:stable , bci/golang:stable-1.78.4 Container Release : 78.4 Severity : moderate Type : security References : 1255731 1255732 1255733 1255734 CVE-2025-14524 CVE-2025-14819 CVE-2025-15079 CVE-2025-15224 ----------------------------------------------------------------- The container bci/golang was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2026:52-1 Released: Wed Jan 7 10:28:34 2026 Summary: Security update for curl Type: security Severity: moderate References: 1255731,1255732,1255733,1255734,CVE-2025-14524,CVE-2025-14819,CVE-2025-15079,CVE-2025-15224 This update for curl fixes the following issues: - CVE-2025-14524: bearer token leak on cross-protocol redirect (bsc#1255731). - CVE-2025-14819: libssh global knownhost override (bsc#1255732). - CVE-2025-15079: libssh key passphrase bypass without agent set (bsc#1255733). - CVE-2025-15224: OpenSSL partial chain store policy bypass (bsc#1255734). 
The following package changes have been done: - curl-8.14.1-150700.7.8.1 updated From sle-container-updates at lists.suse.com Wed Jan 14 08:25:24 2026 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Wed, 14 Jan 2026 09:25:24 +0100 (CET) Subject: SUSE-CU-2026:209-1: Security update of bci/golang Message-ID: <20260114082524.979CCFB9B@maintenance.suse.de> SUSE Container Update Advisory: bci/golang ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2026:209-1 Container Tags : bci/golang:1.25-openssl , bci/golang:1.25.1-openssl , bci/golang:1.25.1-openssl-81.4 , bci/golang:latest , bci/golang:stable-openssl , bci/golang:stable-openssl-81.4 Container Release : 81.4 Severity : moderate Type : security References : 1255731 1255732 1255733 1255734 CVE-2025-14524 CVE-2025-14819 CVE-2025-15079 CVE-2025-15224 ----------------------------------------------------------------- The container bci/golang was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2026:52-1 Released: Wed Jan 7 10:28:34 2026 Summary: Security update for curl Type: security Severity: moderate References: 1255731,1255732,1255733,1255734,CVE-2025-14524,CVE-2025-14819,CVE-2025-15079,CVE-2025-15224 This update for curl fixes the following issues: - CVE-2025-14524: bearer token leak on cross-protocol redirect (bsc#1255731). - CVE-2025-14819: libssh global knownhost override (bsc#1255732). - CVE-2025-15079: libssh key passphrase bypass without agent set (bsc#1255733). - CVE-2025-15224: OpenSSL partial chain store policy bypass (bsc#1255734). 
The following package changes have been done: - curl-8.14.1-150700.7.8.1 updated From sle-container-updates at lists.suse.com Wed Jan 14 08:26:42 2026 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Wed, 14 Jan 2026 09:26:42 +0100 (CET) Subject: SUSE-CU-2026:211-1: Security update of bci/openjdk Message-ID: <20260114082642.4E060FB9B@maintenance.suse.de> SUSE Container Update Advisory: bci/openjdk ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2026:211-1 Container Tags : bci/openjdk:17 , bci/openjdk:17.0.17.0 , bci/openjdk:17.0.17.0-15.3 Container Release : 15.3 Severity : moderate Type : security References : 1255731 1255732 1255733 1255734 CVE-2025-14524 CVE-2025-14819 CVE-2025-15079 CVE-2025-15224 ----------------------------------------------------------------- The container bci/openjdk was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2026:52-1 Released: Wed Jan 7 10:28:34 2026 Summary: Security update for curl Type: security Severity: moderate References: 1255731,1255732,1255733,1255734,CVE-2025-14524,CVE-2025-14819,CVE-2025-15079,CVE-2025-15224 This update for curl fixes the following issues: - CVE-2025-14524: bearer token leak on cross-protocol redirect (bsc#1255731). - CVE-2025-14819: libssh global knownhost override (bsc#1255732). - CVE-2025-15079: libssh key passphrase bypass without agent set (bsc#1255733). - CVE-2025-15224: OpenSSL partial chain store policy bypass (bsc#1255734). 
The following package changes have been done: - curl-8.14.1-150700.7.8.1 updated From sle-container-updates at lists.suse.com Wed Jan 14 08:27:54 2026 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Wed, 14 Jan 2026 09:27:54 +0100 (CET) Subject: SUSE-CU-2026:213-1: Security update of bci/openjdk Message-ID: <20260114082754.78C91FB9B@maintenance.suse.de> SUSE Container Update Advisory: bci/openjdk ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2026:213-1 Container Tags : bci/openjdk:21 , bci/openjdk:21.0.9.0 , bci/openjdk:21.0.9.0-19.3 Container Release : 19.3 Severity : moderate Type : security References : 1255731 1255732 1255733 1255734 CVE-2025-14524 CVE-2025-14819 CVE-2025-15079 CVE-2025-15224 ----------------------------------------------------------------- The container bci/openjdk was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2026:52-1 Released: Wed Jan 7 10:28:34 2026 Summary: Security update for curl Type: security Severity: moderate References: 1255731,1255732,1255733,1255734,CVE-2025-14524,CVE-2025-14819,CVE-2025-15079,CVE-2025-15224 This update for curl fixes the following issues: - CVE-2025-14524: bearer token leak on cross-protocol redirect (bsc#1255731). - CVE-2025-14819: libssh global knownhost override (bsc#1255732). - CVE-2025-15079: libssh key passphrase bypass without agent set (bsc#1255733). - CVE-2025-15224: OpenSSL partial chain store policy bypass (bsc#1255734). 
The following package changes have been done: - curl-8.14.1-150700.7.8.1 updated From sle-container-updates at lists.suse.com Wed Jan 14 08:28:36 2026 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Wed, 14 Jan 2026 09:28:36 +0100 (CET) Subject: SUSE-CU-2026:215-1: Security update of bci/python Message-ID: <20260114082836.4A586FB9B@maintenance.suse.de> SUSE Container Update Advisory: bci/python ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2026:215-1 Container Tags : bci/python:3 , bci/python:3.6 , bci/python:3.6.15 , bci/python:3.6.15-79.5 Container Release : 79.5 Severity : moderate Type : security References : 1255731 1255732 1255733 1255734 CVE-2025-14524 CVE-2025-14819 CVE-2025-15079 CVE-2025-15224 ----------------------------------------------------------------- The container bci/python was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2026:52-1 Released: Wed Jan 7 10:28:34 2026 Summary: Security update for curl Type: security Severity: moderate References: 1255731,1255732,1255733,1255734,CVE-2025-14524,CVE-2025-14819,CVE-2025-15079,CVE-2025-15224 This update for curl fixes the following issues: - CVE-2025-14524: bearer token leak on cross-protocol redirect (bsc#1255731). - CVE-2025-14819: libssh global knownhost override (bsc#1255732). - CVE-2025-15079: libssh key passphrase bypass without agent set (bsc#1255733). - CVE-2025-15224: OpenSSL partial chain store policy bypass (bsc#1255734). 
The following package changes have been done: - curl-8.14.1-150700.7.8.1 updated From sle-container-updates at lists.suse.com Thu Jan 15 08:04:22 2026 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Thu, 15 Jan 2026 09:04:22 +0100 (CET) Subject: SUSE-CU-2026:220-1: Security update of rancher/elemental-operator Message-ID: <20260115080422.CE517FB9C@maintenance.suse.de> SUSE Container Update Advisory: rancher/elemental-operator ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2026:220-1 Container Tags : rancher/elemental-operator:1.7.3 , rancher/elemental-operator:1.7.3-3.38 , rancher/elemental-operator:latest Container Release : 3.38 Severity : moderate Type : security References : 1227052 1230262 1232526 1234820 1236270 1236507 1237442 1237641 1238491 1239566 1239938 1240788 1241549 1243767 1243991 1244050 1244079 1256341 CVE-2023-45288 CVE-2024-11218 CVE-2024-40896 CVE-2024-6104 CVE-2024-9407 CVE-2025-13151 CVE-2025-27144 CVE-2025-40909 CVE-2025-5278 ----------------------------------------------------------------- The container rancher/elemental-operator was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: 197 Released: Thu Jul 31 13:53:17 2025 Summary: Recommended update for gcc14 Type: recommended Severity: moderate References: 1230262,1232526,1234820,1237442,1238491,1239566,1239938,1240788,1241549,1243991,1244050,CVE-2024-40896 This update for gcc14 fixes the following issues: - Exclude shared objects present for link editing in the GCC specific subdirectory from provides processing via __provides_exclude_from. 
[bsc#1244050][bsc#1243991] - Update to GCC 14.3 release, bb24b4c804f3d95b0ba95b7496, git11799 - Update to gcc-14 branch head, 3418d740b344e0ba38022f3be, git11702 - Fix build on s390x [bsc#1241549] - Make sure link editing is done against our own shared library copy rather than the installed system runtime. [bsc#1240788] - cross-compiler builds with --enable-host-pie. - Allow GCC executables to be built PIE. [bsc#1239938] - Backport -msplit-patch-nops required for user-space livepatching on powerpc. - Also record -D_FORTIFY_SOURCE=2 in the DWARF debug info DW_AT_producer string. [bsc#1239566] - Disable profiling during build when %want_reproducible_builds is set [bsc#1238491] - Update to gcc-14 branch head, 9ffecde121af883b60bbe60d0, git11321 * fixes reported ICE in [bsc#1237442] - Adjust cross compiler requirements to use %requires_ge - Fix condition on whether to enable plugins or JIT support to not check sle_version which is not defined in SLFO but to check is_opensuse and suse_version instead. - For cross compilers require the same or newer binutils, newlib or cross-glibc that was used at build time. [bsc#1232526] - Update to gcc-14 branch head, 4af44f2cf7d281f3e4f3957ef, git10750 * includes libstdc++6 fix for parsing tzdata 2024b [gcc#116657] - Fix ICE with LTO building openvino on aarch64 [bsc#1230262] ----------------------------------------------------------------- Advisory ID: 238 Released: Thu Aug 28 17:15:06 2025 Summary: Security update for coreutils Type: security Severity: moderate References: 1227052,1236270,1236507,1237641,1243767,CVE-2023-45288,CVE-2024-11218,CVE-2024-6104,CVE-2024-9407,CVE-2025-27144,CVE-2025-5278 This update for coreutils fixes the following issues: - CVE-2025-5278: Sort with key character offsets of SIZE_MAX, could induce a read of 1 byte before an allocated heap buffer (bsc#1243767). 
----------------------------------------------------------------- Advisory ID: 372 Released: Tue Jan 13 14:25:46 2026 Summary: Security update for libtasn1 Type: security Severity: moderate References: 1244079,1256341,CVE-2025-13151,CVE-2025-40909 This update for libtasn1 fixes the following issues: - CVE-2025-13151: lack of validation of input data size leads to stack-based buffer overflow in `asn1_expend_octet_string` (bsc#1256341). The following package changes have been done: - compat-usrmerge-tools-84.87-slfo.1.1_1.5 updated - elemental-operator-1.7.3-slfo.1.1_1.1 updated - system-user-root-20190513-slfo.1.1_1.2 updated - filesystem-84.87-slfo.1.1_1.2 updated - glibc-2.38-slfo.1.1_4.1 updated - libtasn1-6-4.19.0-slfo.1.1_3.1 updated - libpcre2-8-0-10.42-slfo.1.1_1.4 updated - libgmp10-6.3.0-slfo.1.1_1.5 updated - libgcc_s1-14.3.0+git11799-slfo.1.1_1.1 updated - libffi8-3.4.6-slfo.1.1_1.4 updated - libcap2-2.69-slfo.1.1_1.3 updated - libattr1-2.5.1-slfo.1.1_1.3 updated - libacl1-2.3.1-slfo.1.1_1.3 updated - libselinux1-3.5-slfo.1.1_1.3 updated - libstdc++6-14.3.0+git11799-slfo.1.1_1.1 updated - libp11-kit0-0.25.3-slfo.1.1_1.2 updated - libncurses6-6.4.20240224-slfo.1.1_1.5 updated - terminfo-base-6.4.20240224-slfo.1.1_1.5 updated - p11-kit-0.25.3-slfo.1.1_1.2 updated - p11-kit-tools-0.25.3-slfo.1.1_1.2 updated - libreadline8-8.2-slfo.1.1_1.4 updated - bash-5.2.15-slfo.1.1_1.6 updated - bash-sh-5.2.15-slfo.1.1_1.6 updated - coreutils-9.4-slfo.1.1_2.1 updated - ca-certificates-2+git20240805.fd24d50-slfo.1.1_1.2 updated - ca-certificates-mozilla-2.74-slfo.1.1_1.1 updated - container:suse-toolbox-image-1.0.0-4.100 updated From sle-container-updates at lists.suse.com Thu Jan 15 08:04:37 2026 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Thu, 15 Jan 2026 09:04:37 +0100 (CET) Subject: SUSE-CU-2026:221-1: Security update of rancher/seedimage-builder Message-ID: <20260115080437.83E19FB9C@maintenance.suse.de> SUSE Container 
Update Advisory: rancher/seedimage-builder ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2026:221-1 Container Tags : rancher/seedimage-builder:1.7.3 , rancher/seedimage-builder:1.7.3-3.47 , rancher/seedimage-builder:latest Container Release : 3.47 Severity : important Type : security References : 1215377 1215484 1219276 1220905 1223903 1224386 1229122 1229163 1229164 1230642 1230840 1230944 1231591 1231605 1232411 1233606 1233608 1233609 1233610 1233612 1233613 1233614 1233615 1233616 1233617 1234022 1234881 1234958 1234959 1236217 1236217 1236316 1236317 1237002 1237006 1237008 1237009 1237010 1237011 1237012 1237013 1237014 1237147 1238572 1239182 1239749 1240550 1240764 1241205 1241872 1241938 1241957 1242011 1242300 1242631 1242715 1242971 1243106 1243268 1243314 1243332 1243422 1243423 1244156 1244157 1244449 1245551 1246934 1246974 1247242 1247286 1247495 1248158 1248356 1248501 1249140 1249191 1249348 1249367 1249375 1249584 1250232 1252930 1252931 1252932 1252933 1252934 1252935 1253741 1253757 1254157 1254158 1254159 1254160 1254441 1254480 1254563 1255731 1255732 1255733 1255734 528882 553466 CVE-2017-14992 CVE-2017-9232 CVE-2019-11243 CVE-2019-15119 CVE-2022-48622 CVE-2023-32198 CVE-2024-22031 CVE-2024-40635 CVE-2024-45774 CVE-2024-45775 CVE-2024-45776 CVE-2024-45777 CVE-2024-45778 CVE-2024-45779 CVE-2024-45780 CVE-2024-45781 CVE-2024-45782 CVE-2024-45783 CVE-2024-49504 CVE-2024-56737 CVE-2024-56738 CVE-2025-0622 CVE-2025-0624 CVE-2025-0677 CVE-2025-0678 CVE-2025-0684 CVE-2025-0685 CVE-2025-0686 CVE-2025-0689 CVE-2025-0690 CVE-2025-0913 CVE-2025-10148 CVE-2025-10158 CVE-2025-1118 CVE-2025-1125 CVE-2025-11563 CVE-2025-1386 CVE-2025-14524 CVE-2025-14819 CVE-2025-15079 CVE-2025-15224 CVE-2025-22247 CVE-2025-22870 CVE-2025-22871 CVE-2025-22871 CVE-2025-22872 CVE-2025-22873 CVE-2025-23390 CVE-2025-2424 CVE-2025-24358 CVE-2025-2475 CVE-2025-24839 CVE-2025-24866 CVE-2025-2564 CVE-2025-27538 CVE-2025-27571 
CVE-2025-27936 CVE-2025-30204 CVE-2025-30206 CVE-2025-30215 CVE-2025-31363 CVE-2025-31483 CVE-2025-31489 CVE-2025-32024 CVE-2025-32025 CVE-2025-32093 CVE-2025-32386 CVE-2025-32387 CVE-2025-32431 CVE-2025-32445 CVE-2025-32777 CVE-2025-32793 CVE-2025-32963 CVE-2025-3416 CVE-2025-35965 CVE-2025-3801 CVE-2025-3879 CVE-2025-41395 CVE-2025-41423 CVE-2025-4166 CVE-2025-4210 CVE-2025-4382 CVE-2025-43859 CVE-2025-43970 CVE-2025-43971 CVE-2025-43972 CVE-2025-43973 CVE-2025-4476 CVE-2025-46327 CVE-2025-46342 CVE-2025-46569 CVE-2025-46599 CVE-2025-4673 CVE-2025-47268 CVE-2025-47287 CVE-2025-4945 CVE-2025-4948 CVE-2025-4969 CVE-2025-54770 CVE-2025-54771 CVE-2025-59375 CVE-2025-61661 CVE-2025-61662 CVE-2025-61663 CVE-2025-61664 CVE-2025-64505 CVE-2025-64506 CVE-2025-64720 CVE-2025-65018 CVE-2025-66293 CVE-2025-8114 CVE-2025-8277 CVE-2025-9086 CVE-2025-9230 ----------------------------------------------------------------- The container rancher/seedimage-builder was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: 273 Released: Mon Sep 22 10:29:39 2025 Summary: Recommended update for audit Type: recommended Severity: moderate References: 1215377,1236217,1238572,1239182,1240550,CVE-2025-22870,CVE-2025-22871 This update for audit fixes the following issues: - Fix plugin termination when using systemd service units (bsc#1215377) ----------------------------------------------------------------- Advisory ID: 286 Released: Fri Sep 26 11:21:50 2025 Summary: Security update for curl Type: security Severity: important References: 1215484,1220905,1230642,1230944,1231605,1234022,1234881,1249191,1249348,1249367,CVE-2025-10148,CVE-2025-9086 This update for curl fixes the following issues: - tool_operate: fix return code when --retry is used but not triggered [bsc#1249367] - Security fixes: * CVE-2025-9086: Fixed Out of bounds read for cookie path (bsc#1249191) * CVE-2025-10148: Fixed predictable 
WebSocket mask (bsc#1249348) ----------------------------------------------------------------- Advisory ID: 308 Released: Fri Oct 17 14:05:21 2025 Summary: Security update for grub2 Type: security Severity: important References: 1229163,1229164,1230840,1231591,1232411,1233606,1233608,1233609,1233610,1233612,1233613,1233614,1233615,1233616,1233617,1234958,1234959,1236316,1236317,1237002,1237006,1237008,1237009,1237010,1237011,1237012,1237013,1237014,1242971,1247242,1249140,CVE-2024-45774,CVE-2024-45775,CVE-2024-45776,CVE-2024-45777,CVE-2024-45778,CVE-2024-45779,CVE-2024-45780,CVE-2024-45781,CVE-2024-45782,CVE-2024-45783,CVE-2024-49504,CVE-2024-56737,CVE-2024-56738,CVE-2025-0622,CVE-2025-0624,CVE-2025-0677,CVE-2025-0678,CVE-2025-0684,CVE-2025-0685,CVE-2025-0686,CVE-2025-0689,CVE-2025-0690,CVE-2025-1118,CVE-2025-1125,CVE-2025-4382 This update for grub2 fixes the following issues: - Fix error: /boot/grub2/x86_64-efi/bli.mod not found (bsc#1231591) - Fix OOM error in loading loopback file (bsc#1230840) (bsc#1249140) - Update the patch to fix 'SRK not matched' errors when unsealing the key (bsc#1232411) (bsc#1247242) Security fixes for 2024: - Bump upstream SBAT generation to 5 - CVE-2024-45774: Fixed heap overflows in JPEG parser (bsc#1233609) - CVE-2024-45775: Fixed missing NULL check in extcmd parser (bsc#1233610) - CVE-2024-45776: Fixed overflow in .MO file (gettext) handling (bsc#1233612) - CVE-2024-45777: Fixed integer overflow in gettext (bsc#1233613) - CVE-2024-45778: Fixed bfs filesystem not fuzzing stable (bsc#1233606) - CVE-2024-45779: Fixed bfs heap overflow (bsc#1233608) - CVE-2024-45780: Fixed overflow in tar/cpio (bsc#1233614) - CVE-2024-45781: Fixed ufs strcpy overflow (bsc#1233617) - CVE-2024-45782: Fixed hfs strcpy overflow (bsc#1233615) - CVE-2024-45783: Fixed hfsplus refcount overflow (bsc#1233616) - CVE-2024-49504: Fixed bypassing TPM-bound disk encryption on SL(E)M encrypted Images (bsc#1229163) (bsc#1229164) - CVE-2024-56737: Fixed heap-based buffer 
overflow in fs/hfs.c via crafted sblock data in an HFS filesystem (bsc#1234958) - CVE-2024-56738: Fixed side-channel attack due to not constant-time algorithm in grub_crypto_memcmp (bsc#1234959) - CVE-2025-0622: Fixed command/gpg use-after-free due to hooks not being removed on module unload (bsc#1236317) - CVE-2025-0624: Fixed net Out-of-bounds write in grub_net_search_config_file() (bsc#1236316) - CVE-2025-0677: Fixed UFS integer overflow may lead to heap based out-of-bounds write when handling symlinks (bsc#1237002) - CVE-2025-0678: Fixed squash4 Integer overflow may lead to heap based out-of-bounds write when reading data (bsc#1237006) - CVE-2025-0684: Fixed reiserfs Integer overflow when handling symlinks may lead to heap based out-of-bounds write when reading data (bsc#1237008) - CVE-2025-0685: Fixed jfs Integer overflow when handling symlinks may lead to heap based out-of-bounds write when reading data (bsc#1237009) - CVE-2025-0686: Fixed romfs Integer overflow when handling symlinks may lead to heap based out-of-bounds write when reading data (bsc#1237010) - CVE-2025-0689: Fixed udf heap based buffer overflow in grub_udf_read_block() may lead to arbitrary code execution (bsc#1237011) - CVE-2025-0690: Fixed 'read' integer overflow may lead to out-of-bounds write (bsc#1237012) - CVE-2025-1118: Fixed commands/dump The dump command is not in lockdown when secure boot is enabled (bsc#1237013) - CVE-2025-1125: Fixed fs/hfs integer overflow may lead to heap based out-of-bounds write (bsc#1237014) - CVE-2025-4382: Fixed TPM auto-decryption data exposure (bsc#1242971) - Restrict CLI access if the encrypted root device is automatically unlocked by the TPM. 
LUKS password authentication is required for access to be granted ----------------------------------------------------------------- Advisory ID: 310 Released: Mon Oct 20 18:26:21 2025 Summary: Recommended update for aaa_base Type: recommended Severity: important References: 1219276,1223903,1241205,1242011,1247286,1247495,1248158,CVE-2022-48622 This update for aaa_base fixes the following issues: Update to version 84.87+git20250903.33e5ba4: * Correct fix for bsc#1247495 (bsc#1248158) Update to version 84.87+git20250805.3069494: * Remove initviocons for tcsh as well and * Update csh.login * Add missing quoting and remove unneeded uses of eval Update to version 84.87+git20250801.f305627: * Remove sysconfig.language [bsc#1247286] Update to version 84.87+git20250801.b2fa3fe: * Allow /etc/locale.conf to have no newline Update to version 84.87+git20250429.1cad3bc: * Remove alias 'you' (bsc#1242011) Update to version 84.87+git20250425.1664836: * alias.bash: future-proof egrep/fgrep color aliases Update to version 84.87+git20250410.71df276: * Modern s390x uses TERM=linux for ttysclp Update to version 84.87+git20250313.4dd1cfd: * DIR_COLORS: add backup and temporary file extensions * DIR_COLORS: sort audio formats * DIR_COLORS: use cyan for audio formats instead of green * DIR_COLORS: add 'avif' to image formats * DIR_COLORS: add updated and sorted list of archive formats * DIR_COLORS: don't colour DOS/Windows executables * DIR_COLORS: update existing colours and add missing ones * DIR_COLORS: add COLORTERM and 'st' terminal * DIR_COLORS: update file description * DIR_COLORS: sort TERM entries * DIR_COLORS: remove COLOR, OPTIONS and EIGHTBIT Update to version 84.87+git20250313.e71c2f4: * Respect PROFILEREAD/CSHRCREAD at shell switch * Modernize specfile * Add safety quotes and proper escaping * Avoid bashisms in build recipe * Add setup-systemd-proxy-env * profile.{sh,csh}: Drop useless proxy variables cleanup Update to version 84.87+git20250102.c08e614: * Load 
distrobox_profile.sh ----------------------------------------------------------------- Advisory ID: 309 Released: Mon Oct 20 18:31:36 2025 Summary: Security update for libssh Type: security Severity: moderate References: 1239749,1246974,1249375,CVE-2024-40635,CVE-2025-8114,CVE-2025-8277 This update for libssh fixes the following issues: - CVE-2025-8114: Fixed NULL pointer dereference when calculating the session ID during the key exchange (KEX) process (bsc#1246974) - CVE-2025-8277: Fixed Memory Exhaustion via Repeated Key Exchange (bsc#1249375) ----------------------------------------------------------------- Advisory ID: 316 Released: Wed Oct 22 14:12:39 2025 Summary: Security update for openssl-3 Type: security Severity: important References: 1236217,1240764,1242715,1250232,CVE-2025-22873,CVE-2025-9230 This update for openssl-3 fixes the following issues: Security issues: - CVE-2025-9230: Fix out-of-bounds read & write in RFC 3211 KEK unwrap (bsc#1250232) - Disable LTO for userspace livepatching [jsc#PED-13245] ----------------------------------------------------------------- Advisory ID: 315 Released: Wed Oct 22 14:12:39 2025 Summary: Security update for expat Type: security Severity: important References: 1249584,CVE-2017-14992,CVE-2017-9232,CVE-2019-11243,CVE-2019-15119,CVE-2023-32198,CVE-2024-22031,CVE-2025-1386,CVE-2025-22871,CVE-2025-22872,CVE-2025-23390,CVE-2025-2424,CVE-2025-24358,CVE-2025-2475,CVE-2025-24839,CVE-2025-24866,CVE-2025-2564,CVE-2025-27538,CVE-2025-27571,CVE-2025-27936,CVE-2025-30204,CVE-2025-30206,CVE-2025-30215,CVE-2025-31363,CVE-2025-31483,CVE-2025-31489,CVE-2025-32024,CVE-2025-32025,CVE-2025-32093,CVE-2025-32386,CVE-2025-32387,CVE-2025-32431,CVE-2025-32445,CVE-2025-32777,CVE-2025-32793,CVE-2025-32963,CVE-2025-35965,CVE-2025-3801,CVE-2025-3879,CVE-2025-41395,CVE-2025-41423,CVE-2025-4166,CVE-2025-4210,CVE-2025-43970,CVE-2025-43971,CVE-2025-43972,CVE-2025-43973,CVE-2025-46327,CVE-2025-46342,CVE-2025-46569,CVE-2025-46599,CVE-2025-59375 This 
update for expat fixes the following issues: - CVE-2025-59375: memory amplification vulnerability allows attackers to trigger excessive dynamic memory allocations by submitting crafted XML input (bsc#1249584). ----------------------------------------------------------------- Advisory ID: 327 Released: Mon Nov 3 08:33:37 2025 Summary: Recommended update for libgcrypt Type: recommended Severity: moderate References: 1241872,1246934,CVE-2025-43859 This update for libgcrypt fixes the following issues: - Fix running the test suite in FIPS mode (bsc#1246934) ----------------------------------------------------------------- Advisory ID: 341 Released: Fri Nov 21 14:08:21 2025 Summary: Security update for grub2 Type: security Severity: moderate References: 1241957,1252930,1252931,1252932,1252933,1252934,1252935,CVE-2025-54770,CVE-2025-54771,CVE-2025-61661,CVE-2025-61662,CVE-2025-61663,CVE-2025-61664 This update for grub2 fixes the following issues: - CVE-2025-54770: Missing unregister call for net_set_vlan command may lead to use-after-free (bsc#1252930) - CVE-2025-54771: grub_file_close() does not properly control the fs refcount (bsc#1252931) - CVE-2025-61661: Out-of-bounds write in grub_usb_get_string() function (bsc#1252932) - CVE-2025-61662: Missing unregister call for gettext command may lead to use-after-free (bsc#1252933) - CVE-2025-61663: Missing unregister call for normal commands may lead to use-after-free (bsc#1252934) - CVE-2025-61664: Missing unregister call for normal_exit command may lead to use-after-free (bsc#1252935) ----------------------------------------------------------------- Advisory ID: 345 Released: Mon Dec 1 09:58:15 2025 Summary: Recommended update for kmod Type: recommended Severity: important References: 1237147,1241938,1243106,1253741,CVE-2025-22247 This update for kmod fixes the following issues: - Fix modprobe.d confusion on man page (bsc#1253741): * document the config file order handling 
----------------------------------------------------------------- Advisory ID: 346 Released: Tue Dec 9 17:34:04 2025 Summary: Security update for curl Type: security Severity: moderate References: 1242300,1253757,CVE-2025-11563,CVE-2025-47268 This update for curl fixes the following issues: - CVE-2025-11563: Fixed wcurl path traversal with percent-encoded slashes (bsc#1253757). ----------------------------------------------------------------- Advisory ID: 354 Released: Tue Dec 16 09:24:29 2025 Summary: Security update for libpng16 Type: security Severity: important References: 1242631,1254157,1254158,1254159,1254160,1254480,CVE-2025-3416,CVE-2025-64505,CVE-2025-64506,CVE-2025-64720,CVE-2025-65018,CVE-2025-66293 This update for libpng16 fixes the following issues: - CVE-2025-66293: Fixed out-of-bounds read in png_image_read_composite (bsc#1254480). - CVE-2025-64505: Fixed heap buffer over-read in `png_do_quantize` via malformed palette index (bsc#1254157). - CVE-2025-64506: Fixed heap buffer over-read in `png_write_image_8bit` with 8-bit input and `convert_to_8bit` enabled (bsc#1254158). - CVE-2025-64720: Fixed buffer overflow in `png_image_read_composite` via incorrect palette premultiplication (bsc#1254159). - CVE-2025-65018: Fixed heap buffer overflow in `png_combine_row` triggered via `png_image_finish_read` (bsc#1254160). 
----------------------------------------------------------------- Advisory ID: 355 Released: Fri Dec 19 15:37:03 2025 Summary: Recommended update for systemd Type: recommended Severity: important References: 1224386,1229122,1244156,1244157,1244449,1245551,1248356,1248501,1254563,CVE-2025-0913,CVE-2025-4673 This update for systemd fixes the following issues: - timer: rebase last_trigger timestamp if needed - timer: rebase the next elapse timestamp only if timer didn't already run - timer: don't run service immediately after restart of a timer (bsc#1254563) - test: check the next elapse timer timestamp after deserialization - test: restarting elapsed timer shouldn't trigger the corresponding service - units: don't force the loading of the loop and dm_mod modules in systemd-repart.service (bsc#1248356) - units: add dep on systemd-logind.service by user@.service - detect-virt: add bare-metal support for GCE (bsc#1244449) - Sync systemd-update-helper with the version shipped in Base:System - systemd-update-helper: do not stop or disable services when they are migrated to other packages. This can occur during package renaming or splitting. - systemd-update-helper: Fix invalid use of 'break' in case statement - systemd-update-helper: fix regression introduced when support for package renaming/splitting was added (bsc#1245551) - systemd-update-helper: * Since user@.service has `Type=notify-reload` and reloading implies reexecuting with `ReloadSignal=RTMIN+25`, reexecuting user managers synchronously can be achieved with `systemctl reload user@*.service` now. 
- systemd.spec: use %sysusers_generate_pre so that some systemd users are already available in %pre (bsc#1248501) - Split systemd-network into two new sub-packages: systemd-networkd and systemd-resolved (bsc#1224386 jsc#PED-12669) ----------------------------------------------------------------- Advisory ID: 365 Released: Fri Jan 2 12:13:06 2026 Summary: Security update for rsync Type: security Severity: moderate References: 1243268,1254441,CVE-2025-10158,CVE-2025-47287 This update for rsync fixes the following issues: - CVE-2025-10158: Fixed out of bounds array access via negative index (bsc#1254441) ----------------------------------------------------------------- Advisory ID: 368 Released: Thu Jan 8 15:51:43 2026 Summary: Security update for curl Type: security Severity: moderate References: 1243314,1243332,1243422,1243423,1255731,1255732,1255733,1255734,528882,553466,CVE-2025-14524,CVE-2025-14819,CVE-2025-15079,CVE-2025-15224,CVE-2025-4476,CVE-2025-4945,CVE-2025-4948,CVE-2025-4969 This update for curl fixes the following issues: - CVE-2025-14524: bearer token leak on cross-protocol redirect (bsc#1255731). - CVE-2025-14819: libssh global knownhost override (bsc#1255732). - CVE-2025-15079: libssh key passphrase bypass without agent set (bsc#1255733). - CVE-2025-15224: OpenSSL partial chain store policy bypass (bsc#1255734). 
The following package changes have been done: - libssh-config-0.10.6-slfo.1.1_3.1 updated - libtasn1-6-4.19.0-slfo.1.1_3.1 updated - libexpat1-2.7.1-slfo.1.1_3.1 updated - libaudit1-3.1.1-slfo.1.1_2.1 updated - libpng16-16-1.6.43-slfo.1.1_2.1 updated - libgcrypt20-1.10.3-slfo.1.1_3.1 updated - libudev1-254.27-slfo.1.1_2.1 updated - libsystemd0-254.27-slfo.1.1_2.1 updated - libopenssl3-3.1.4-slfo.1.1_7.1 updated - pam-1.6.1-slfo.1.1_4.1 updated - grub2-2.12-slfo.1.1_3.1 updated - grub2-i386-pc-2.12-slfo.1.1_3.1 updated - kmod-32-slfo.1.1_2.1 updated - rsync-3.3.0-slfo.1.1_4.1 updated - libkmod2-32-slfo.1.1_2.1 updated - libssh4-0.10.6-slfo.1.1_3.1 updated - aaa_base-84.87+git20250903.33e5ba4-slfo.1.1_1.1 updated - libcurl4-8.14.1-slfo.1.1_4.1 updated - curl-8.14.1-slfo.1.1_4.1 updated - systemd-254.27-slfo.1.1_2.1 updated - udev-254.27-slfo.1.1_2.1 updated - container:suse-toolbox-image-1.0.0-4.100 updated From sle-container-updates at lists.suse.com Thu Jan 15 08:06:17 2026 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Thu, 15 Jan 2026 09:06:17 +0100 (CET) Subject: SUSE-IU-2026:111-1: Security update of suse/sl-micro/6.0/baremetal-os-container Message-ID: <20260115080617.39984FB9C@maintenance.suse.de> SUSE Image Update Advisory: suse/sl-micro/6.0/baremetal-os-container ----------------------------------------------------------------- Image Advisory ID : SUSE-IU-2026:111-1 Image Tags : suse/sl-micro/6.0/baremetal-os-container:2.1.3 , suse/sl-micro/6.0/baremetal-os-container:2.1.3-6.118 , suse/sl-micro/6.0/baremetal-os-container:latest Image Release : 6.118 Severity : important Type : security References : 1255715 1256243 1256244 1256246 1256390 CVE-2025-68973 ----------------------------------------------------------------- The container suse/sl-micro/6.0/baremetal-os-container was updated. 
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: 560 Released: Wed Jan 14 10:44:10 2026 Summary: Security update for gpg2 Type: security Severity: important References: 1255715,1256243,1256244,1256246,1256390,CVE-2025-68973 This update for gpg2 fixes the following issues: - CVE-2025-68973: out-of-bounds write when processing specially crafted input in the armor parser can lead to memory corruption (bsc#1255715). Other security fixes: - gpg: Avoid potential downgrade to SHA1 in 3rd party key signatures (bsc#1256246). - gpg: Error out on unverified output for non-detached signatures (bsc#1256244). - agent: Fix a memory leak (bsc#1256243). - gpg: Deprecate the option --not-dash-escaped (bsc#1256390). The following package changes have been done: - SL-Micro-release-6.0-25.64 updated - gpg2-2.4.4-6.1 updated - container:SL-Micro-base-container-2.1.3-7.85 updated From sle-container-updates at lists.suse.com Thu Jan 15 08:07:28 2026 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Thu, 15 Jan 2026 09:07:28 +0100 (CET) Subject: SUSE-IU-2026:112-1: Security update of suse/sl-micro/6.0/base-os-container Message-ID: <20260115080728.B291EFB9C@maintenance.suse.de> SUSE Image Update Advisory: suse/sl-micro/6.0/base-os-container ----------------------------------------------------------------- Image Advisory ID : SUSE-IU-2026:112-1 Image Tags : suse/sl-micro/6.0/base-os-container:2.1.3 , suse/sl-micro/6.0/base-os-container:2.1.3-7.85 , suse/sl-micro/6.0/base-os-container:latest Image Release : 7.85 Severity : important Type : security References : 1255715 1256243 1256244 1256246 1256390 CVE-2025-68973 ----------------------------------------------------------------- The container suse/sl-micro/6.0/base-os-container was updated. 
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: 560 Released: Wed Jan 14 10:44:10 2026 Summary: Security update for gpg2 Type: security Severity: important References: 1255715,1256243,1256244,1256246,1256390,CVE-2025-68973 This update for gpg2 fixes the following issues: - CVE-2025-68973: out-of-bounds write when processing specially crafted input in the armor parser can lead to memory corruption (bsc#1255715). Other security fixes: - gpg: Avoid potential downgrade to SHA1 in 3rd party key signatures (bsc#1256246). - gpg: Error out on unverified output for non-detached signatures (bsc#1256244). - agent: Fix a memory leak (bsc#1256243). - gpg: Deprecate the option --not-dash-escaped (bsc#1256390). The following package changes have been done: - SL-Micro-release-6.0-25.64 updated - gpg2-2.4.4-6.1 updated - container:suse-toolbox-image-1.0.0-9.60 updated From sle-container-updates at lists.suse.com Thu Jan 15 08:13:01 2026 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Thu, 15 Jan 2026 09:13:01 +0100 (CET) Subject: SUSE-CU-2026:224-1: Security update of suse/sl-micro/6.0/toolbox Message-ID: <20260115081301.C99DDFB9C@maintenance.suse.de> SUSE Container Update Advisory: suse/sl-micro/6.0/toolbox ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2026:224-1 Container Tags : suse/sl-micro/6.0/toolbox:13.2 , suse/sl-micro/6.0/toolbox:13.2-9.60 , suse/sl-micro/6.0/toolbox:latest Container Release : 9.60 Severity : important Type : security References : 1255715 1256243 1256244 1256246 1256390 CVE-2025-68973 ----------------------------------------------------------------- The container suse/sl-micro/6.0/toolbox was updated. 
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: 560 Released: Wed Jan 14 10:44:10 2026 Summary: Security update for gpg2 Type: security Severity: important References: 1255715,1256243,1256244,1256246,1256390,CVE-2025-68973 This update for gpg2 fixes the following issues: - CVE-2025-68973: out-of-bounds write when processing specially crafted input in the armor parser can lead to memory corruption (bsc#1255715). Other security fixes: - gpg: Avoid potential downgrade to SHA1 in 3rd party key signatures (bsc#1256246). - gpg: Error out on unverified output for non-detached signatures (bsc#1256244). - agent: Fix a memory leak (bsc#1256243). - gpg: Deprecate the option --not-dash-escaped (bsc#1256390). The following package changes have been done: - SL-Micro-release-6.0-25.64 updated - gpg2-2.4.4-6.1 updated - skelcd-EULA-SL-Micro-2024.01.19-8.63 updated From sle-container-updates at lists.suse.com Thu Jan 15 08:13:51 2026 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Thu, 15 Jan 2026 09:13:51 +0100 (CET) Subject: SUSE-IU-2026:115-1: Security update of suse/sl-micro/6.1/baremetal-os-container Message-ID: <20260115081351.08DF6FB9B@maintenance.suse.de> SUSE Image Update Advisory: suse/sl-micro/6.1/baremetal-os-container ----------------------------------------------------------------- Image Advisory ID : SUSE-IU-2026:115-1 Image Tags : suse/sl-micro/6.1/baremetal-os-container:2.2.1 , suse/sl-micro/6.1/baremetal-os-container:2.2.1-7.46 , suse/sl-micro/6.1/baremetal-os-container:latest Image Release : 7.46 Severity : important Type : security References : 1236931 1239119 1243069 1255715 1256243 1256244 1256246 1256390 CVE-2025-30258 CVE-2025-68973 ----------------------------------------------------------------- The container suse/sl-micro/6.1/baremetal-os-container was updated. 
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: 374 Released: Wed Jan 14 10:32:14 2026 Summary: Security update for gpg2 Type: security Severity: important References: 1236931,1239119,1243069,1255715,1256243,1256244,1256246,1256390,CVE-2025-30258,CVE-2025-68973 This update for gpg2 fixes the following issues: - CVE-2025-68973: out-of-bounds write when processing specially crafted input in the armor parser can lead to memory corruption (bsc#1255715). Other security fixes: - gpg: Avoid potential downgrade to SHA1 in 3rd party key signatures (bsc#1256246). - gpg: Error out on unverified output for non-detached signatures (bsc#1256244). - agent: Fix a memory leak (bsc#1256243). - gpg: Deprecate the option --not-dash-escaped (bsc#1256390). The following package changes have been done: - SL-Micro-release-6.1-slfo.1.12.4 updated - gpg2-2.4.4-slfo.1.1_6.1 updated - container:SL-Micro-base-container-2.2.1-5.68 updated From sle-container-updates at lists.suse.com Thu Jan 15 08:14:52 2026 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Thu, 15 Jan 2026 09:14:52 +0100 (CET) Subject: SUSE-IU-2026:116-1: Security update of suse/sl-micro/6.1/base-os-container Message-ID: <20260115081452.55DF6FB9B@maintenance.suse.de> SUSE Image Update Advisory: suse/sl-micro/6.1/base-os-container ----------------------------------------------------------------- Image Advisory ID : SUSE-IU-2026:116-1 Image Tags : suse/sl-micro/6.1/base-os-container:2.2.1 , suse/sl-micro/6.1/base-os-container:2.2.1-5.68 , suse/sl-micro/6.1/base-os-container:latest Image Release : 5.68 Severity : important Type : security References : 1236931 1239119 1243069 1255715 1256243 1256244 1256246 1256390 CVE-2025-30258 CVE-2025-68973 ----------------------------------------------------------------- The container suse/sl-micro/6.1/base-os-container was updated. 
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: 374 Released: Wed Jan 14 10:32:14 2026 Summary: Security update for gpg2 Type: security Severity: important References: 1236931,1239119,1243069,1255715,1256243,1256244,1256246,1256390,CVE-2025-30258,CVE-2025-68973 This update for gpg2 fixes the following issues: - CVE-2025-68973: out-of-bounds write when processing specially crafted input in the armor parser can lead to memory corruption (bsc#1255715). Other security fixes: - gpg: Avoid potential downgrade to SHA1 in 3rd party key signatures (bsc#1256246). - gpg: Error out on unverified output for non-detached signatures (bsc#1256244). - agent: Fix a memory leak (bsc#1256243). - gpg: Deprecate the option --not-dash-escaped (bsc#1256390). The following package changes have been done: - SL-Micro-release-6.1-slfo.1.12.4 updated - gpg2-2.4.4-slfo.1.1_6.1 updated - container:suse-toolbox-image-1.0.0-4.100 updated From sle-container-updates at lists.suse.com Thu Jan 15 08:20:48 2026 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Thu, 15 Jan 2026 09:20:48 +0100 (CET) Subject: SUSE-IU-2026:120-1: Security update of suse/sl-micro/6.2/baremetal-os-container Message-ID: <20260115082048.85831FB9B@maintenance.suse.de> SUSE Image Update Advisory: suse/sl-micro/6.2/baremetal-os-container ----------------------------------------------------------------- Image Advisory ID : SUSE-IU-2026:120-1 Image Tags : suse/sl-micro/6.2/baremetal-os-container:2.3.0 , suse/sl-micro/6.2/baremetal-os-container:2.3.0-7.10 , suse/sl-micro/6.2/baremetal-os-container:latest Image Release : 7.10 Severity : important Type : security References : 1229122 1232528 1233282 1236217 1244156 1244156 1244157 1244157 1244158 1255715 1255731 1255732 1255733 1255734 1256105 1256244 1256246 1256390 CVE-2024-52533 CVE-2024-9681 CVE-2025-0913 CVE-2025-0913 CVE-2025-14017 CVE-2025-14524 
CVE-2025-14819 CVE-2025-15079 CVE-2025-15224 CVE-2025-22874 CVE-2025-4673 CVE-2025-4673 CVE-2025-68973 ----------------------------------------------------------------- The container suse/sl-micro/6.2/baremetal-os-container was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: 138 Released: Fri Jun 6 16:03:12 2025 Summary: Security update for go1.23 Type: security Severity: important References: 1229122,1232528,1244156,1244157,1255715,1256244,1256246,1256390,CVE-2024-9681,CVE-2025-0913,CVE-2025-4673,CVE-2025-68973 This update for go1.23 fixes the following issues: go1.23.10 (released 2025-06-05) includes security fixes to the net/http and os packages, as well as bug fixes to the linker. (bsc#1229122 CVE-2025-0913 CVE-2025-4673) * bsc#1244157 security: fix CVE-2025-0913 os: inconsistent handling of O_CREATE|O_EXCL on Unix and Windows * bsc#1244156 security: fix CVE-2025-4673 net/http: sensitive headers not cleared on cross-origin redirect * runtime/debug: BuildSetting does not document DefaultGODEBUG * cmd/link: Go 1.24.3 and 1.23.9 regression - duplicated definition of symbol dlopen ----------------------------------------------------------------- Advisory ID: 140 Released: Mon Jun 9 22:13:41 2025 Summary: Security update for go1.24 Type: security Severity: important References: 1233282,1236217,1244156,1244157,1244158,1255731,1255732,1255733,1255734,1256105,CVE-2024-52533,CVE-2025-0913,CVE-2025-14017,CVE-2025-14524,CVE-2025-14819,CVE-2025-15079,CVE-2025-15224,CVE-2025-22874,CVE-2025-4673 This update for go1.24 fixes the following issues: go1.24.4 (released 2025-06-05) includes security fixes to the crypto/x509, net/http, and os packages, as well as bug fixes to the linker, the go command, and the hash/maphash and os packages. 
( bsc#1236217 go1.24 release tracking CVE-2025-22874 CVE-2025-0913 CVE-2025-4673) * bsc#1244158 security: fix CVE-2025-22874 crypto/x509: ExtKeyUsageAny bypasses policy validation * bsc#1244157 security: fix CVE-2025-0913 os: inconsistent handling of O_CREATE|O_EXCL on Unix and Windows * bsc#1244156 security: fix CVE-2025-4673 net/http: sensitive headers not cleared on cross-origin redirect * os: Root.Mkdir creates directories with zero permissions on OpenBSD * hash/maphash: hashing channels with purego impl. of maphash.Comparable panics * runtime/debug: BuildSetting does not document DefaultGODEBUG * cmd/go: add fips140 module selection mechanism * cmd/link: Go 1.24.3 and 1.23.9 regression - duplicated definition of symbol dlopen The following package changes have been done: - libcurl4-8.14.1-160000.4.1 updated - gpg2-2.5.5-160000.3.1 updated - container:suse-sl-micro-6.2-base-os-container-latest-a1ef5e1b63aa24f894ba9dd31c4425e0279531f245d52e824a86ca375eeac688-0 updated From sle-container-updates at lists.suse.com Thu Jan 15 08:24:50 2026 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Thu, 15 Jan 2026 09:24:50 +0100 (CET) Subject: SUSE-IU-2026:128-1: Security update of suse/sl-micro/6.2/kvm-os-container Message-ID: <20260115082450.EA477FB9B@maintenance.suse.de> SUSE Image Update Advisory: suse/sl-micro/6.2/kvm-os-container ----------------------------------------------------------------- Image Advisory ID : SUSE-IU-2026:128-1 Image Tags : suse/sl-micro/6.2/kvm-os-container:2.3.0 , suse/sl-micro/6.2/kvm-os-container:2.3.0-7.8 , suse/sl-micro/6.2/kvm-os-container:latest Image Release : 7.8 Severity : important Type : security References : 1233282 1236217 1244156 1244157 1244158 1255731 1255732 1255733 1255734 1256105 CVE-2024-52533 CVE-2025-0913 CVE-2025-14017 CVE-2025-14524 CVE-2025-14819 CVE-2025-15079 CVE-2025-15224 CVE-2025-22874 CVE-2025-4673 ----------------------------------------------------------------- The 
container suse/sl-micro/6.2/kvm-os-container was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: 140 Released: Mon Jun 9 22:13:41 2025 Summary: Security update for go1.24 Type: security Severity: important References: 1233282,1236217,1244156,1244157,1244158,1255731,1255732,1255733,1255734,1256105,CVE-2024-52533,CVE-2025-0913,CVE-2025-14017,CVE-2025-14524,CVE-2025-14819,CVE-2025-15079,CVE-2025-15224,CVE-2025-22874,CVE-2025-4673 This update for go1.24 fixes the following issues: go1.24.4 (released 2025-06-05) includes security fixes to the crypto/x509, net/http, and os packages, as well as bug fixes to the linker, the go command, and the hash/maphash and os packages. ( bsc#1236217 go1.24 release tracking CVE-2025-22874 CVE-2025-0913 CVE-2025-4673) * bsc#1244158 security: fix CVE-2025-22874 crypto/x509: ExtKeyUsageAny bypasses policy validation * bsc#1244157 security: fix CVE-2025-0913 os: inconsistent handling of O_CREATE|O_EXCL on Unix and Windows * bsc#1244156 security: fix CVE-2025-4673 net/http: sensitive headers not cleared on cross-origin redirect * os: Root.Mkdir creates directories with zero permissions on OpenBSD * hash/maphash: hashing channels with purego impl. 
of maphash.Comparable panics * runtime/debug: BuildSetting does not document DefaultGODEBUG * cmd/go: add fips140 module selection mechanism * cmd/link: Go 1.24.3 and 1.23.9 regression - duplicated definition of symbol dlopen The following package changes have been done: - libcurl4-8.14.1-160000.4.1 updated - container:suse-sl-micro-6.2-base-os-container-latest-a1ef5e1b63aa24f894ba9dd31c4425e0279531f245d52e824a86ca375eeac688-0 updated From sle-container-updates at lists.suse.com Thu Jan 15 08:25:31 2026 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Thu, 15 Jan 2026 09:25:31 +0100 (CET) Subject: SUSE-IU-2026:134-1: Security update of suse/sl-micro/6.2/rt-os-container Message-ID: <20260115082531.E19C5FB9B@maintenance.suse.de> SUSE Image Update Advisory: suse/sl-micro/6.2/rt-os-container ----------------------------------------------------------------- Image Advisory ID : SUSE-IU-2026:134-1 Image Tags : suse/sl-micro/6.2/rt-os-container:2.3.0 , suse/sl-micro/6.2/rt-os-container:2.3.0-6.9 , suse/sl-micro/6.2/rt-os-container:latest Image Release : 6.9 Severity : important Type : security References : 1233282 1236217 1244156 1244157 1244158 1255731 1255732 1255733 1255734 1256105 CVE-2024-52533 CVE-2025-0913 CVE-2025-14017 CVE-2025-14524 CVE-2025-14819 CVE-2025-15079 CVE-2025-15224 CVE-2025-22874 CVE-2025-4673 ----------------------------------------------------------------- The container suse/sl-micro/6.2/rt-os-container was updated. 
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: 140 Released: Mon Jun 9 22:13:41 2025 Summary: Security update for go1.24 Type: security Severity: important References: 1233282,1236217,1244156,1244157,1244158,1255731,1255732,1255733,1255734,1256105,CVE-2024-52533,CVE-2025-0913,CVE-2025-14017,CVE-2025-14524,CVE-2025-14819,CVE-2025-15079,CVE-2025-15224,CVE-2025-22874,CVE-2025-4673 This update for go1.24 fixes the following issues: go1.24.4 (released 2025-06-05) includes security fixes to the crypto/x509, net/http, and os packages, as well as bug fixes to the linker, the go command, and the hash/maphash and os packages. ( bsc#1236217 go1.24 release tracking CVE-2025-22874 CVE-2025-0913 CVE-2025-4673) * bsc#1244158 security: fix CVE-2025-22874 crypto/x509: ExtKeyUsageAny bypasses policy validation * bsc#1244157 security: fix CVE-2025-0913 os: inconsistent handling of O_CREATE|O_EXCL on Unix and Windows * bsc#1244156 security: fix CVE-2025-4673 net/http: sensitive headers not cleared on cross-origin redirect * os: Root.Mkdir creates directories with zero permissions on OpenBSD * hash/maphash: hashing channels with purego impl. 
of maphash.Comparable panics * runtime/debug: BuildSetting does not document DefaultGODEBUG * cmd/go: add fips140 module selection mechanism * cmd/link: Go 1.24.3 and 1.23.9 regression - duplicated definition of symbol dlopen The following package changes have been done: - libcurl4-8.14.1-160000.4.1 updated - container:suse-sl-micro-6.2-baremetal-os-container-latest-6c8b99ad4601b3fb872184a44edc24d4fd3e2a4215d81eb6f5cc3bfc0e5cf207-0 updated From sle-container-updates at lists.suse.com Fri Jan 16 08:05:44 2026 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Fri, 16 Jan 2026 09:05:44 +0100 (CET) Subject: SUSE-IU-2026:139-1: Security update of suse/sl-micro/6.0/baremetal-os-container Message-ID: <20260116080544.3BCD9FB9C@maintenance.suse.de> SUSE Image Update Advisory: suse/sl-micro/6.0/baremetal-os-container ----------------------------------------------------------------- Image Advisory ID : SUSE-IU-2026:139-1 Image Tags : suse/sl-micro/6.0/baremetal-os-container:2.1.3 , suse/sl-micro/6.0/baremetal-os-container:2.1.3-6.119 , suse/sl-micro/6.0/baremetal-os-container:latest Image Release : 6.119 Severity : important Type : security References : 1241826 1241857 1251511 1251679 1253581 1253901 1254079 CVE-2025-22872 CVE-2025-47911 CVE-2025-47913 CVE-2025-47914 CVE-2025-58181 CVE-2025-58190 ----------------------------------------------------------------- The container suse/sl-micro/6.0/baremetal-os-container was updated. 
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: 561 Released: Thu Jan 15 12:08:38 2026 Summary: Security update for elemental-toolkit, elemental-operator Type: security Severity: important References: 1241826,1241857,1251511,1251679,1253581,1253901,1254079,CVE-2025-22872,CVE-2025-47911,CVE-2025-47913,CVE-2025-47914,CVE-2025-58181,CVE-2025-58190 This update for elemental-toolkit, elemental-operator fixes the following issues: elemental-operator: - Update to version 1.6.10: * Remove 'latest' tag as this overlaps with the latest branch * Bump github.com/rancher-sandbox/go-tpm and its dependencies This bump includes fixes to some CVEs: * bsc#1241826 (CVE-2025-22872) * bsc#1241857 (CVE-2025-22872) * bsc#1251511 (CVE-2025-47911) * bsc#1251679 (CVE-2025-58190) elemental-toolkit: - Update to version 2.1.5: * Update headers for new year 2026 * Disable selinux in installer media - Update to version 2.1.4: * Remove leftovers in installer integration test * Bump to build against go 1.24 * Bump golang.org/x/crypto library This bump includes fixes to some CVEs: * bsc#1241826 (CVE-2025-22872) * bsc#1241857 (CVE-2025-22872) * bsc#1251511 (CVE-2025-47911) * bsc#1251679 (CVE-2025-58190) * bsc#1253581 (CVE-2025-47913) * bsc#1253901 (CVE-2025-58181) * bsc#1254079 (CVE-2025-47914) The following package changes have been done: - elemental-register-1.6.10-1.1 updated - elemental-support-1.6.10-1.1 updated - elemental-toolkit-2.1.5-1.1 updated - container:SL-Micro-base-container-2.1.3-7.86 updated From sle-container-updates at lists.suse.com Fri Jan 16 08:06:39 2026 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Fri, 16 Jan 2026 09:06:39 +0100 (CET) Subject: SUSE-IU-2026:140-1: Security update of suse/sl-micro/6.0/base-os-container Message-ID: <20260116080639.BA132FB9C@maintenance.suse.de> SUSE Image Update Advisory: suse/sl-micro/6.0/base-os-container 
----------------------------------------------------------------- Image Advisory ID : SUSE-IU-2026:140-1 Image Tags : suse/sl-micro/6.0/base-os-container:2.1.3 , suse/sl-micro/6.0/base-os-container:2.1.3-7.86 , suse/sl-micro/6.0/base-os-container:latest Image Release : 7.86 Severity : important Type : security References : 1241826 1241857 1251511 1251679 1253581 1253901 1254079 CVE-2025-22872 CVE-2025-47911 CVE-2025-47913 CVE-2025-47914 CVE-2025-58181 CVE-2025-58190 ----------------------------------------------------------------- The container suse/sl-micro/6.0/base-os-container was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: 561 Released: Thu Jan 15 12:08:38 2026 Summary: Security update for elemental-toolkit, elemental-operator Type: security Severity: important References: 1241826,1241857,1251511,1251679,1253581,1253901,1254079,CVE-2025-22872,CVE-2025-47911,CVE-2025-47913,CVE-2025-47914,CVE-2025-58181,CVE-2025-58190 This update for elemental-toolkit, elemental-operator fixes the following issues: elemental-operator: - Update to version 1.6.10: * Remove 'latest' tag as this overlaps with the latest branch * Bump github.com/rancher-sandbox/go-tpm and its dependencies This bump includes fixes to some CVEs: * bsc#1241826 (CVE-2025-22872) * bsc#1241857 (CVE-2025-22872) * bsc#1251511 (CVE-2025-47911) * bsc#1251679 (CVE-2025-58190) elemental-toolkit: - Update to version 2.1.5: * Update headers for new year 2026 * Disable selinux in installer media - Update to version 2.1.4: * Remove leftovers in installer integration test * Bump to build against go 1.24 * Bump golang.org/x/crypto library This bump includes fixes to some CVEs: * bsc#1241826 (CVE-2025-22872) * bsc#1241857 (CVE-2025-22872) * bsc#1251511 (CVE-2025-47911) * bsc#1251679 (CVE-2025-58190) * bsc#1253581 (CVE-2025-47913) * bsc#1253901 (CVE-2025-58181) * bsc#1254079 (CVE-2025-47914) The following package changes 
have been done: - elemental-register-1.6.10-1.1 updated - elemental-support-1.6.10-1.1 updated - elemental-toolkit-2.1.5-1.1 updated From sle-container-updates at lists.suse.com Fri Jan 16 08:07:40 2026 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Fri, 16 Jan 2026 09:07:40 +0100 (CET) Subject: SUSE-IU-2026:141-1: Security update of suse/sl-micro/6.0/kvm-os-container Message-ID: <20260116080740.29B21FB9C@maintenance.suse.de> SUSE Image Update Advisory: suse/sl-micro/6.0/kvm-os-container ----------------------------------------------------------------- Image Advisory ID : SUSE-IU-2026:141-1 Image Tags : suse/sl-micro/6.0/kvm-os-container:2.1.3 , suse/sl-micro/6.0/kvm-os-container:2.1.3-6.106 , suse/sl-micro/6.0/kvm-os-container:latest Image Release : 6.106 Severity : important Type : security References : 1241826 1241857 1251511 1251679 1253581 1253901 1254079 CVE-2025-22872 CVE-2025-47911 CVE-2025-47913 CVE-2025-47914 CVE-2025-58181 CVE-2025-58190 ----------------------------------------------------------------- The container suse/sl-micro/6.0/kvm-os-container was updated. 
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: 561 Released: Thu Jan 15 12:08:38 2026 Summary: Security update for elemental-toolkit, elemental-operator Type: security Severity: important References: 1241826,1241857,1251511,1251679,1253581,1253901,1254079,CVE-2025-22872,CVE-2025-47911,CVE-2025-47913,CVE-2025-47914,CVE-2025-58181,CVE-2025-58190 This update for elemental-toolkit, elemental-operator fixes the following issues: elemental-operator: - Update to version 1.6.10: * Remove 'latest' tag as this overlaps with the latest branch * Bump github.com/rancher-sandbox/go-tpm and its dependencies This bump includes fixes to some CVEs: * bsc#1241826 (CVE-2025-22872) * bsc#1241857 (CVE-2025-22872) * bsc#1251511 (CVE-2025-47911) * bsc#1251679 (CVE-2025-58190) elemental-toolkit: - Update to version 2.1.5: * Update headers for new year 2026 * Disable selinux in installer media - Update to version 2.1.4: * Remove leftovers in installer integration test * Bump to build against go 1.24 * Bump golang.org/x/crypto library This bump includes fixes to some CVEs: * bsc#1241826 (CVE-2025-22872) * bsc#1241857 (CVE-2025-22872) * bsc#1251511 (CVE-2025-47911) * bsc#1251679 (CVE-2025-58190) * bsc#1253581 (CVE-2025-47913) * bsc#1253901 (CVE-2025-58181) * bsc#1254079 (CVE-2025-47914) The following package changes have been done: - elemental-register-1.6.10-1.1 updated - elemental-support-1.6.10-1.1 updated - elemental-toolkit-2.1.5-1.1 updated - container:SL-Micro-base-container-2.1.3-7.86 updated From sle-container-updates at lists.suse.com Fri Jan 16 08:08:45 2026 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Fri, 16 Jan 2026 09:08:45 +0100 (CET) Subject: SUSE-IU-2026:142-1: Security update of suse/sl-micro/6.0/rt-os-container Message-ID: <20260116080845.0B672FB9C@maintenance.suse.de> SUSE Image Update Advisory: suse/sl-micro/6.0/rt-os-container 
-----------------------------------------------------------------
Image Advisory ID : SUSE-IU-2026:142-1
Image Tags : suse/sl-micro/6.0/rt-os-container:2.1.3 , suse/sl-micro/6.0/rt-os-container:2.1.3-7.120 , suse/sl-micro/6.0/rt-os-container:latest
Image Release : 7.120
Severity : important
Type : security
References : 1241826 1241857 1251511 1251679 1253581 1253901 1254079 CVE-2025-22872 CVE-2025-47911 CVE-2025-47913 CVE-2025-47914 CVE-2025-58181 CVE-2025-58190
-----------------------------------------------------------------

The container suse/sl-micro/6.0/rt-os-container was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: 561
Released: Thu Jan 15 12:08:38 2026
Summary: Security update for elemental-toolkit, elemental-operator
Type: security
Severity: important
References: 1241826,1241857,1251511,1251679,1253581,1253901,1254079,CVE-2025-22872,CVE-2025-47911,CVE-2025-47913,CVE-2025-47914,CVE-2025-58181,CVE-2025-58190
This update for elemental-toolkit, elemental-operator fixes the following issues:

elemental-operator:

- Update to version 1.6.10:
  * Remove 'latest' tag as this overlaps with the latest branch
  * Bump github.com/rancher-sandbox/go-tpm and its dependencies
    This bump includes fixes to some CVEs:
    * bsc#1241826 (CVE-2025-22872)
    * bsc#1241857 (CVE-2025-22872)
    * bsc#1251511 (CVE-2025-47911)
    * bsc#1251679 (CVE-2025-58190)

elemental-toolkit:

- Update to version 2.1.5:
  * Update headers for new year 2026
  * Disable selinux in installer media
- Update to version 2.1.4:
  * Remove leftovers in installer integration test
  * Bump to build against go 1.24
  * Bump golang.org/x/crypto library
    This bump includes fixes to some CVEs:
    * bsc#1241826 (CVE-2025-22872)
    * bsc#1241857 (CVE-2025-22872)
    * bsc#1251511 (CVE-2025-47911)
    * bsc#1251679 (CVE-2025-58190)
    * bsc#1253581 (CVE-2025-47913)
    * bsc#1253901 (CVE-2025-58181)
    * bsc#1254079 (CVE-2025-47914)

The following package changes have been done:

- elemental-register-1.6.10-1.1 updated
- elemental-support-1.6.10-1.1 updated
- elemental-toolkit-2.1.5-1.1 updated
- container:SL-Micro-container-2.1.3-6.119 updated

From sle-container-updates at lists.suse.com Fri Jan 16 08:09:05 2026
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Fri, 16 Jan 2026 09:09:05 +0100 (CET)
Subject: SUSE-CU-2026:255-1: Recommended update of suse/sl-micro/6.0/baremetal-iso-image
Message-ID: <20260116080905.EC4D9FB9C@maintenance.suse.de>

SUSE Container Update Advisory: suse/sl-micro/6.0/baremetal-iso-image
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2026:255-1
Container Tags : suse/sl-micro/6.0/baremetal-iso-image:2.1.4 , suse/sl-micro/6.0/baremetal-iso-image:2.1.4-6.114 , suse/sl-micro/6.0/baremetal-iso-image:latest
Container Release : 6.114
Severity : important
Type : recommended
References : 1234128 1239883 1243317 1246080 1250628 CVE-2025-4802
-----------------------------------------------------------------

The container suse/sl-micro/6.0/baremetal-iso-image was updated.
The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: 328
Released: Mon Nov 3 17:18:08 2025
Summary: Recommended update for selinux-policy
Type: recommended
Severity: important
References: 1234128,1239883,1243317,1246080,1250628,CVE-2025-4802
This update for selinux-policy fixes the following issues:

- Mark configfs_t as mountpoint (bsc#1246080, bsc#1250628)

The following package changes have been done:

- glibc-2.38-9.1 updated
- container:SL-Micro-container-2.1.3-6.119 updated

From sle-container-updates at lists.suse.com Fri Jan 16 08:11:07 2026
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Fri, 16 Jan 2026 09:11:07 +0100 (CET)
Subject: SUSE-CU-2026:258-1: Recommended update of suse/sl-micro/6.0/rt-iso-image
Message-ID: <20260116081107.2523FFB9C@maintenance.suse.de>

SUSE Container Update Advisory: suse/sl-micro/6.0/rt-iso-image
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2026:258-1
Container Tags : suse/sl-micro/6.0/rt-iso-image:2.1.4 , suse/sl-micro/6.0/rt-iso-image:2.1.4-6.115 , suse/sl-micro/6.0/rt-iso-image:latest
Container Release : 6.115
Severity : important
Type : recommended
References : 1234128 1239883 1243317 1246080 1250628 CVE-2025-4802
-----------------------------------------------------------------

The container suse/sl-micro/6.0/rt-iso-image was updated.
The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: 328
Released: Mon Nov 3 17:18:08 2025
Summary: Recommended update for selinux-policy
Type: recommended
Severity: important
References: 1234128,1239883,1243317,1246080,1250628,CVE-2025-4802
This update for selinux-policy fixes the following issues:

- Mark configfs_t as mountpoint (bsc#1246080, bsc#1250628)

The following package changes have been done:

- glibc-2.38-9.1 updated
- container:SL-Micro-rt-container-2.1.3-7.120 updated
- container:SL-Micro-container-2.1.3-6.119 updated

From sle-container-updates at lists.suse.com Fri Jan 16 08:11:45 2026
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Fri, 16 Jan 2026 09:11:45 +0100 (CET)
Subject: SUSE-IU-2026:143-1: Security update of suse/sl-micro/6.1/baremetal-os-container
Message-ID: <20260116081145.78B41FB9C@maintenance.suse.de>

SUSE Image Update Advisory: suse/sl-micro/6.1/baremetal-os-container
-----------------------------------------------------------------
Image Advisory ID : SUSE-IU-2026:143-1
Image Tags : suse/sl-micro/6.1/baremetal-os-container:2.2.1 , suse/sl-micro/6.1/baremetal-os-container:2.2.1-7.49 , suse/sl-micro/6.1/baremetal-os-container:latest
Image Release : 7.49
Severity : important
Type : security
References : 1189788 1216091 1222044 1225451 1228434 1229106 1230267 1232458 1234752 1235598 1235636 1236384 1236481 1236820 1236939 1236983 1237044 1237172 1237587 1237949 1238315 1239012 1239543 1239809 1240132 1240529 1241463 1241826 1241857 1242987 1243279 1243457 1243887 1243901 1244042 1244105 1244710 1245220 1245452 1245496 1245672 1251511 1251679 1253581 1253901 1254079 1256105 614646 CVE-2025-14017 CVE-2025-22872 CVE-2025-47911 CVE-2025-47913 CVE-2025-47914 CVE-2025-58181 CVE-2025-58190
-----------------------------------------------------------------

The container suse/sl-micro/6.1/baremetal-os-container was updated.
The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: 375
Released: Thu Jan 15 10:23:45 2026
Summary: Security update for elemental-toolkit, elemental-operator
Type: security
Severity: important
References: 1241826,1241857,1242987,1251511,1251679,1253581,1253901,1254079,CVE-2025-22872,CVE-2025-47911,CVE-2025-47913,CVE-2025-47914,CVE-2025-58181,CVE-2025-58190
This update for elemental-toolkit, elemental-operator fixes the following issues:

elemental-operator:

- Update to v1.7.4:
  * Bump github.com/rancher-sandbox/go-tpm and its dependencies
    This bump includes few CVE fixes:
    * bsc#1241826 (CVE-2025-22872)
    * bsc#1241857 (CVE-2025-22872)
    * bsc#1251511 (CVE-2025-47911)
    * bsc#1251679 (CVE-2025-58190)
  * Install yip config files in before-install step
  * Revert 'Do not delete ManagedOSVersions by default'
  * Set default channel variable names consistent with OS version
  * Do not delete ManagedOSVersions by default
  * Include -channel suffix to channel names
  * OS channel: enable baremetal channel by default

elemental-toolkit:

- Update to v2.2.7:
  * Bump toolkit build to go 1.24
  * Bump golang.org/x/crypto library
    This bump includes few CVE fixes:
    * bsc#1241826 (CVE-2025-22872)
    * bsc#1241857 (CVE-2025-22872)
    * bsc#1251511 (CVE-2025-47911)
    * bsc#1251679 (CVE-2025-58190)
    * bsc#1253581 (CVE-2025-47913)
    * bsc#1253901 (CVE-2025-58181)
    * bsc#1254079 (CVE-2025-47914)
- Update to v2.2.5:
  * Permissive mode for green selinux
  * Adapt code and unit tests
  * Minor change to lookup devices using blkid

-----------------------------------------------------------------
Advisory ID: 377
Released: Thu Jan 15 10:32:16 2026
Summary: Security update for curl
Type: security
Severity: important
References: 1189788,1216091,1222044,1225451,1228434,1229106,1230267,1232458,1234752,1235598,1235636,1236384,1236481,1236820,1236939,1236983,1237044,1237172,1237587,1237949,1238315,1239012,1239543,1239809,1240132,1240529,1241463,1243279,1243457,1243887,1243901,1244042,1244105,1244710,1245220,1245452,1245496,1245672,1256105,614646,CVE-2025-14017
This update for curl fixes the following issues:

- CVE-2025-14017: Fixed broken TLS options for threaded LDAPS (bsc#1256105).

The following package changes have been done:

- SL-Micro-release-6.1-slfo.1.12.5 updated
- libcurl4-8.14.1-slfo.1.1_5.1 updated
- elemental-register-1.7.4-slfo.1.1_1.1 updated
- elemental-support-1.7.4-slfo.1.1_1.1 updated
- elemental-toolkit-2.2.7-slfo.1.1_1.1 updated
- container:SL-Micro-base-container-2.2.1-5.69 updated

From sle-container-updates at lists.suse.com Fri Jan 16 08:12:34 2026
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Fri, 16 Jan 2026 09:12:34 +0100 (CET)
Subject: SUSE-IU-2026:144-1: Security update of suse/sl-micro/6.1/base-os-container
Message-ID: <20260116081234.6882DFB9C@maintenance.suse.de>

SUSE Image Update Advisory: suse/sl-micro/6.1/base-os-container
-----------------------------------------------------------------
Image Advisory ID : SUSE-IU-2026:144-1
Image Tags : suse/sl-micro/6.1/base-os-container:2.2.1 , suse/sl-micro/6.1/base-os-container:2.2.1-5.69 , suse/sl-micro/6.1/base-os-container:latest
Image Release : 5.69
Severity : important
Type : security
References : 1241826 1241857 1242987 1249435 1251511 1251679 1253581 1253901 1254079 CVE-2025-22872 CVE-2025-47911 CVE-2025-47913 CVE-2025-47914 CVE-2025-58181 CVE-2025-58190
-----------------------------------------------------------------

The container suse/sl-micro/6.1/base-os-container was updated.
The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: 375
Released: Thu Jan 15 10:23:45 2026
Summary: Security update for elemental-toolkit, elemental-operator
Type: security
Severity: important
References: 1241826,1241857,1242987,1251511,1251679,1253581,1253901,1254079,CVE-2025-22872,CVE-2025-47911,CVE-2025-47913,CVE-2025-47914,CVE-2025-58181,CVE-2025-58190
This update for elemental-toolkit, elemental-operator fixes the following issues:

elemental-operator:

- Update to v1.7.4:
  * Bump github.com/rancher-sandbox/go-tpm and its dependencies
    This bump includes few CVE fixes:
    * bsc#1241826 (CVE-2025-22872)
    * bsc#1241857 (CVE-2025-22872)
    * bsc#1251511 (CVE-2025-47911)
    * bsc#1251679 (CVE-2025-58190)
  * Install yip config files in before-install step
  * Revert 'Do not delete ManagedOSVersions by default'
  * Set default channel variable names consistent with OS version
  * Do not delete ManagedOSVersions by default
  * Include -channel suffix to channel names
  * OS channel: enable baremetal channel by default

elemental-toolkit:

- Update to v2.2.7:
  * Bump toolkit build to go 1.24
  * Bump golang.org/x/crypto library
    This bump includes few CVE fixes:
    * bsc#1241826 (CVE-2025-22872)
    * bsc#1241857 (CVE-2025-22872)
    * bsc#1251511 (CVE-2025-47911)
    * bsc#1251679 (CVE-2025-58190)
    * bsc#1253581 (CVE-2025-47913)
    * bsc#1253901 (CVE-2025-58181)
    * bsc#1254079 (CVE-2025-47914)
- Update to v2.2.5:
  * Permissive mode for green selinux
  * Adapt code and unit tests
  * Minor change to lookup devices using blkid

-----------------------------------------------------------------
Advisory ID: 376
Released: Thu Jan 15 11:19:12 2026
Summary: Recommended update for libzypp, libsolv
Type: recommended
Severity: moderate
References: 1249435
This update for libzypp, libsolv fixes the following issues:

libsolv was updated to 0.7.35:

- fixed rare crash in the handling of allowuninstall in combination with forcebest updates
- new pool_satisfieddep_map feature to test if a set of packages satisfies a dependency

libzypp was updated to 17.38.0:

- zypp.conf: follow the UAPI configuration file specification (PED-14658)
  In short terms it means we will no longer ship an /etc/zypp/zypp.conf, but store our own defaults in /usr/etc/zypp/zypp.conf. The systems administrator may choose to keep a full copy in /etc/zypp/zypp.conf ignoring our config file settings completely, or - the preferred way - to overwrite specific settings via /etc/zypp/zypp.conf.d/*.conf overlay files. See the ZYPP.CONF(5) man page for details.
- cmake: correctly detect rpm6 (fixes #689)
- Use 'zypp.tmp' as temp directory component to ease setting up SELinux policies (bsc#1249435)
- zyppng: Update Provider to current MediaCurl2 download approach, drop Metalink ( fixes #682 )

The following package changes have been done:

- SL-Micro-release-6.1-slfo.1.12.5 updated
- libcurl4-8.14.1-slfo.1.1_5.1 updated
- curl-8.14.1-slfo.1.1_5.1 updated
- elemental-register-1.7.4-slfo.1.1_1.1 updated
- elemental-support-1.7.4-slfo.1.1_1.1 updated
- elemental-toolkit-2.2.7-slfo.1.1_1.1 updated
- libsolv-tools-base-0.7.35-slfo.1.1_1.1 updated
- libzypp-17.38.0-slfo.1.1_1.1 updated

From sle-container-updates at lists.suse.com Fri Jan 16 08:13:25 2026
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Fri, 16 Jan 2026 09:13:25 +0100 (CET)
Subject: SUSE-IU-2026:145-1: Security update of suse/sl-micro/6.1/kvm-os-container
Message-ID: <20260116081325.981EBFB9C@maintenance.suse.de>

SUSE Image Update Advisory: suse/sl-micro/6.1/kvm-os-container
-----------------------------------------------------------------
Image Advisory ID : SUSE-IU-2026:145-1
Image Tags : suse/sl-micro/6.1/kvm-os-container:2.2.1 , suse/sl-micro/6.1/kvm-os-container:2.2.1-5.72 , suse/sl-micro/6.1/kvm-os-container:latest
Image Release : 5.72
Severity : important
Type : security
References : 1189788 1216091 1222044 1225451 1228434 1229106 1230267
1232458 1234752 1235598 1235636 1236384 1236481 1236820 1236939 1236983 1237044 1237172 1237587 1237949 1238315 1239012 1239543 1239809 1240132 1240529 1241463 1241826 1241857 1242987 1243279 1243457 1243887 1243901 1244042 1244105 1244710 1245220 1245452 1245496 1245672 1251511 1251679 1253581 1253901 1254079 1256105 614646 CVE-2025-14017 CVE-2025-22872 CVE-2025-47911 CVE-2025-47913 CVE-2025-47914 CVE-2025-58181 CVE-2025-58190
-----------------------------------------------------------------

The container suse/sl-micro/6.1/kvm-os-container was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: 375
Released: Thu Jan 15 10:23:45 2026
Summary: Security update for elemental-toolkit, elemental-operator
Type: security
Severity: important
References: 1241826,1241857,1242987,1251511,1251679,1253581,1253901,1254079,CVE-2025-22872,CVE-2025-47911,CVE-2025-47913,CVE-2025-47914,CVE-2025-58181,CVE-2025-58190
This update for elemental-toolkit, elemental-operator fixes the following issues:

elemental-operator:

- Update to v1.7.4:
  * Bump github.com/rancher-sandbox/go-tpm and its dependencies
    This bump includes few CVE fixes:
    * bsc#1241826 (CVE-2025-22872)
    * bsc#1241857 (CVE-2025-22872)
    * bsc#1251511 (CVE-2025-47911)
    * bsc#1251679 (CVE-2025-58190)
  * Install yip config files in before-install step
  * Revert 'Do not delete ManagedOSVersions by default'
  * Set default channel variable names consistent with OS version
  * Do not delete ManagedOSVersions by default
  * Include -channel suffix to channel names
  * OS channel: enable baremetal channel by default

elemental-toolkit:

- Update to v2.2.7:
  * Bump toolkit build to go 1.24
  * Bump golang.org/x/crypto library
    This bump includes few CVE fixes:
    * bsc#1241826 (CVE-2025-22872)
    * bsc#1241857 (CVE-2025-22872)
    * bsc#1251511 (CVE-2025-47911)
    * bsc#1251679 (CVE-2025-58190)
    * bsc#1253581 (CVE-2025-47913)
    * bsc#1253901 (CVE-2025-58181)
    * bsc#1254079 (CVE-2025-47914)
- Update to v2.2.5:
  * Permissive mode for green selinux
  * Adapt code and unit tests
  * Minor change to lookup devices using blkid

-----------------------------------------------------------------
Advisory ID: 377
Released: Thu Jan 15 10:32:16 2026
Summary: Security update for curl
Type: security
Severity: important
References: 1189788,1216091,1222044,1225451,1228434,1229106,1230267,1232458,1234752,1235598,1235636,1236384,1236481,1236820,1236939,1236983,1237044,1237172,1237587,1237949,1238315,1239012,1239543,1239809,1240132,1240529,1241463,1243279,1243457,1243887,1243901,1244042,1244105,1244710,1245220,1245452,1245496,1245672,1256105,614646,CVE-2025-14017
This update for curl fixes the following issues:

- CVE-2025-14017: Fixed broken TLS options for threaded LDAPS (bsc#1256105).

The following package changes have been done:

- SL-Micro-release-6.1-slfo.1.12.5 updated
- libcurl4-8.14.1-slfo.1.1_5.1 updated
- elemental-register-1.7.4-slfo.1.1_1.1 updated
- elemental-support-1.7.4-slfo.1.1_1.1 updated
- elemental-toolkit-2.2.7-slfo.1.1_1.1 updated
- container:SL-Micro-base-container-2.2.1-5.69 updated

From sle-container-updates at lists.suse.com Fri Jan 16 08:14:17 2026
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Fri, 16 Jan 2026 09:14:17 +0100 (CET)
Subject: SUSE-IU-2026:146-1: Security update of suse/sl-micro/6.1/rt-os-container
Message-ID: <20260116081417.D6B46FB9B@maintenance.suse.de>

SUSE Image Update Advisory: suse/sl-micro/6.1/rt-os-container
-----------------------------------------------------------------
Image Advisory ID : SUSE-IU-2026:146-1
Image Tags : suse/sl-micro/6.1/rt-os-container:2.2.1 , suse/sl-micro/6.1/rt-os-container:2.2.1-5.63 , suse/sl-micro/6.1/rt-os-container:latest
Image Release : 5.63
Severity : important
Type : security
References : 1189788 1216091 1222044 1225451 1228434 1229106 1230267 1232458 1234752 1235598 1235636 1236384 1236481 1236820 1236939 1236983 1237044 1237172
1237587 1237949 1238315 1239012 1239543 1239809 1240132 1240529 1241463 1241826 1241857 1242987 1243279 1243457 1243887 1243901 1244042 1244105 1244710 1245220 1245452 1245496 1245672 1251511 1251679 1253581 1253901 1254079 1256105 614646 CVE-2025-14017 CVE-2025-22872 CVE-2025-47911 CVE-2025-47913 CVE-2025-47914 CVE-2025-58181 CVE-2025-58190
-----------------------------------------------------------------

The container suse/sl-micro/6.1/rt-os-container was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: 375
Released: Thu Jan 15 10:23:45 2026
Summary: Security update for elemental-toolkit, elemental-operator
Type: security
Severity: important
References: 1241826,1241857,1242987,1251511,1251679,1253581,1253901,1254079,CVE-2025-22872,CVE-2025-47911,CVE-2025-47913,CVE-2025-47914,CVE-2025-58181,CVE-2025-58190
This update for elemental-toolkit, elemental-operator fixes the following issues:

elemental-operator:

- Update to v1.7.4:
  * Bump github.com/rancher-sandbox/go-tpm and its dependencies
    This bump includes few CVE fixes:
    * bsc#1241826 (CVE-2025-22872)
    * bsc#1241857 (CVE-2025-22872)
    * bsc#1251511 (CVE-2025-47911)
    * bsc#1251679 (CVE-2025-58190)
  * Install yip config files in before-install step
  * Revert 'Do not delete ManagedOSVersions by default'
  * Set default channel variable names consistent with OS version
  * Do not delete ManagedOSVersions by default
  * Include -channel suffix to channel names
  * OS channel: enable baremetal channel by default

elemental-toolkit:

- Update to v2.2.7:
  * Bump toolkit build to go 1.24
  * Bump golang.org/x/crypto library
    This bump includes few CVE fixes:
    * bsc#1241826 (CVE-2025-22872)
    * bsc#1241857 (CVE-2025-22872)
    * bsc#1251511 (CVE-2025-47911)
    * bsc#1251679 (CVE-2025-58190)
    * bsc#1253581 (CVE-2025-47913)
    * bsc#1253901 (CVE-2025-58181)
    * bsc#1254079 (CVE-2025-47914)
- Update to v2.2.5:
  * Permissive mode for green selinux
  * Adapt code and unit tests
  * Minor change to lookup devices using blkid

-----------------------------------------------------------------
Advisory ID: 377
Released: Thu Jan 15 10:32:16 2026
Summary: Security update for curl
Type: security
Severity: important
References: 1189788,1216091,1222044,1225451,1228434,1229106,1230267,1232458,1234752,1235598,1235636,1236384,1236481,1236820,1236939,1236983,1237044,1237172,1237587,1237949,1238315,1239012,1239543,1239809,1240132,1240529,1241463,1243279,1243457,1243887,1243901,1244042,1244105,1244710,1245220,1245452,1245496,1245672,1256105,614646,CVE-2025-14017
This update for curl fixes the following issues:

- CVE-2025-14017: Fixed broken TLS options for threaded LDAPS (bsc#1256105).

The following package changes have been done:

- SL-Micro-release-6.1-slfo.1.12.5 updated
- libcurl4-8.14.1-slfo.1.1_5.1 updated
- elemental-register-1.7.4-slfo.1.1_1.1 updated
- elemental-support-1.7.4-slfo.1.1_1.1 updated
- elemental-toolkit-2.2.7-slfo.1.1_1.1 updated
- container:SL-Micro-container-2.2.1-7.49 updated

From sle-container-updates at lists.suse.com Mon Jan 19 16:06:41 2026
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Mon, 19 Jan 2026 17:06:41 +0100 (CET)
Subject: SUSE-CU-2026:271-1: Security update of suse/kea
Message-ID: <20260119160641.30DD4FF0F@maintenance.suse.de>

SUSE Container Update Advisory: suse/kea
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2026:271-1
Container Tags : suse/kea:2.6 , suse/kea:2.6-69.5 , suse/kea:latest
Container Release : 69.5
Severity : moderate
Type : security
References : 1255731 1255732 1255733 1255734 CVE-2025-14524 CVE-2025-14819 CVE-2025-15079 CVE-2025-15224
-----------------------------------------------------------------

The container suse/kea was updated.
The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:52-1
Released: Wed Jan 7 10:28:34 2026
Summary: Security update for curl
Type: security
Severity: moderate
References: 1255731,1255732,1255733,1255734,CVE-2025-14524,CVE-2025-14819,CVE-2025-15079,CVE-2025-15224
This update for curl fixes the following issues:

- CVE-2025-14524: bearer token leak on cross-protocol redirect (bsc#1255731).
- CVE-2025-14819: libssh global knownhost override (bsc#1255732).
- CVE-2025-15079: libssh key passphrase bypass without agent set (bsc#1255733).
- CVE-2025-15224: OpenSSL partial chain store policy bypass (bsc#1255734).

The following package changes have been done:

- libcurl4-8.14.1-150700.7.8.1 updated
- container:registry.suse.com-bci-bci-base-15.7-7970b1398395a13b38e858c60a7b75db5f5265dd7c0ecdabe8919a458b2f34e5-0 updated

From sle-container-updates at lists.suse.com Mon Jan 19 16:09:10 2026
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Mon, 19 Jan 2026 17:09:10 +0100 (CET)
Subject: SUSE-CU-2026:276-1: Security update of bci/rust
Message-ID: <20260119160910.90DE5FF0D@maintenance.suse.de>

SUSE Container Update Advisory: bci/rust
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2026:276-1
Container Tags : bci/rust:1.92 , bci/rust:1.92.0 , bci/rust:1.92.0-1.3.5 , bci/rust:latest , bci/rust:stable , bci/rust:stable-1.3.5
Container Release : 3.5
Severity : moderate
Type : security
References : 1255731 1255732 1255733 1255734 CVE-2025-14524 CVE-2025-14819 CVE-2025-15079 CVE-2025-15224
-----------------------------------------------------------------

The container bci/rust was updated.
The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:52-1
Released: Wed Jan 7 10:28:34 2026
Summary: Security update for curl
Type: security
Severity: moderate
References: 1255731,1255732,1255733,1255734,CVE-2025-14524,CVE-2025-14819,CVE-2025-15079,CVE-2025-15224
This update for curl fixes the following issues:

- CVE-2025-14524: bearer token leak on cross-protocol redirect (bsc#1255731).
- CVE-2025-14819: libssh global knownhost override (bsc#1255732).
- CVE-2025-15079: libssh key passphrase bypass without agent set (bsc#1255733).
- CVE-2025-15224: OpenSSL partial chain store policy bypass (bsc#1255734).

The following package changes have been done:

- libcurl4-8.14.1-150700.7.8.1 updated
- container:registry.suse.com-bci-bci-base-15.7-7970b1398395a13b38e858c60a7b75db5f5265dd7c0ecdabe8919a458b2f34e5-0 updated

From sle-container-updates at lists.suse.com Mon Jan 19 16:10:21 2026
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Mon, 19 Jan 2026 17:10:21 +0100 (CET)
Subject: SUSE-CU-2026:278-1: Security update of bci/spack
Message-ID: <20260119161021.7B5A7FF12@maintenance.suse.de>

SUSE Container Update Advisory: bci/spack
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2026:278-1
Container Tags : bci/spack:0.23 , bci/spack:0.23.1 , bci/spack:0.23.1-21.5 , bci/spack:latest
Container Release : 21.5
Severity : moderate
Type : security
References : 1255731 1255732 1255733 1255734 CVE-2025-14524 CVE-2025-14819 CVE-2025-15079 CVE-2025-15224
-----------------------------------------------------------------

The container bci/spack was updated.
The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:52-1
Released: Wed Jan 7 10:28:34 2026
Summary: Security update for curl
Type: security
Severity: moderate
References: 1255731,1255732,1255733,1255734,CVE-2025-14524,CVE-2025-14819,CVE-2025-15079,CVE-2025-15224
This update for curl fixes the following issues:

- CVE-2025-14524: bearer token leak on cross-protocol redirect (bsc#1255731).
- CVE-2025-14819: libssh global knownhost override (bsc#1255732).
- CVE-2025-15079: libssh key passphrase bypass without agent set (bsc#1255733).
- CVE-2025-15224: OpenSSL partial chain store policy bypass (bsc#1255734).

The following package changes have been done:

- libcurl-devel-8.14.1-150700.7.8.1 updated

From sle-container-updates at lists.suse.com Mon Jan 19 16:09:38 2026
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Mon, 19 Jan 2026 17:09:38 +0100 (CET)
Subject: SUSE-CU-2026:277-1: Security update of suse/sle15
Message-ID: <20260119160938.09E79FF0D@maintenance.suse.de>

SUSE Container Update Advisory: suse/sle15
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2026:277-1
Container Tags : bci/bci-base:15.7 , bci/bci-base:15.7-5.14.5 , bci/bci-base:latest , suse/sle15:15.7 , suse/sle15:15.7-5.14.5 , suse/sle15:latest
Container Release : 5.14.5
Severity : moderate
Type : security
References : 1255731 1255732 1255733 1255734 CVE-2025-14524 CVE-2025-14819 CVE-2025-15079 CVE-2025-15224
-----------------------------------------------------------------

The container suse/sle15 was updated.
The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:52-1
Released: Wed Jan 7 10:28:34 2026
Summary: Security update for curl
Type: security
Severity: moderate
References: 1255731,1255732,1255733,1255734,CVE-2025-14524,CVE-2025-14819,CVE-2025-15079,CVE-2025-15224
This update for curl fixes the following issues:

- CVE-2025-14524: bearer token leak on cross-protocol redirect (bsc#1255731).
- CVE-2025-14819: libssh global knownhost override (bsc#1255732).
- CVE-2025-15079: libssh key passphrase bypass without agent set (bsc#1255733).
- CVE-2025-15224: OpenSSL partial chain store policy bypass (bsc#1255734).

The following package changes have been done:

- curl-8.14.1-150700.7.8.1 updated
- libcurl4-8.14.1-150700.7.8.1 updated

From sle-container-updates at lists.suse.com Tue Jan 20 08:04:53 2026
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Tue, 20 Jan 2026 09:04:53 +0100 (CET)
Subject: SUSE-CU-2026:308-1: Security update of rancher/elemental-operator
Message-ID: <20260120080453.B5880FF0D@maintenance.suse.de>

SUSE Container Update Advisory: rancher/elemental-operator
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2026:308-1
Container Tags : rancher/elemental-operator:1.7.4 , rancher/elemental-operator:1.7.4-4.2
Container Release : 4.2
Severity : important
Type : security
References : 1241826 1241857 1242987 1251511 1251679 1253581 1253901 1254079 CVE-2025-22872 CVE-2025-47911 CVE-2025-47913 CVE-2025-47914 CVE-2025-58181 CVE-2025-58190
-----------------------------------------------------------------

The container rancher/elemental-operator was updated.
The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: 375
Released: Thu Jan 15 10:23:45 2026
Summary: Security update for elemental-toolkit, elemental-operator
Type: security
Severity: important
References: 1241826,1241857,1242987,1251511,1251679,1253581,1253901,1254079,CVE-2025-22872,CVE-2025-47911,CVE-2025-47913,CVE-2025-47914,CVE-2025-58181,CVE-2025-58190
This update for elemental-toolkit, elemental-operator fixes the following issues:

elemental-operator:

- Update to v1.7.4:
  * Bump github.com/rancher-sandbox/go-tpm and its dependencies
    This bump includes few CVE fixes:
    * bsc#1241826 (CVE-2025-22872)
    * bsc#1241857 (CVE-2025-22872)
    * bsc#1251511 (CVE-2025-47911)
    * bsc#1251679 (CVE-2025-58190)
  * Install yip config files in before-install step
  * Revert 'Do not delete ManagedOSVersions by default'
  * Set default channel variable names consistent with OS version
  * Do not delete ManagedOSVersions by default
  * Include -channel suffix to channel names
  * OS channel: enable baremetal channel by default

elemental-toolkit:

- Update to v2.2.7:
  * Bump toolkit build to go 1.24
  * Bump golang.org/x/crypto library
    This bump includes few CVE fixes:
    * bsc#1241826 (CVE-2025-22872)
    * bsc#1241857 (CVE-2025-22872)
    * bsc#1251511 (CVE-2025-47911)
    * bsc#1251679 (CVE-2025-58190)
    * bsc#1253581 (CVE-2025-47913)
    * bsc#1253901 (CVE-2025-58181)
    * bsc#1254079 (CVE-2025-47914)
- Update to v2.2.5:
  * Permissive mode for green selinux
  * Adapt code and unit tests
  * Minor change to lookup devices using blkid

The following package changes have been done:

- compat-usrmerge-tools-84.87-slfo.1.1_1.5 added
- elemental-operator-1.7.4-slfo.1.1_1.1 added
- system-user-root-20190513-slfo.1.1_1.2 added
- filesystem-84.87-slfo.1.1_1.2 added
- glibc-2.38-slfo.1.1_4.1 added
- libtasn1-6-4.19.0-slfo.1.1_3.1 added
- libpcre2-8-0-10.42-slfo.1.1_1.4 added
- libgmp10-6.3.0-slfo.1.1_1.5 added
- libgcc_s1-14.3.0+git11799-slfo.1.1_1.1 added
- libffi8-3.4.6-slfo.1.1_1.4 added
- libcap2-2.69-slfo.1.1_1.3 added
- libattr1-2.5.1-slfo.1.1_1.3 added
- libacl1-2.3.1-slfo.1.1_1.3 added
- libselinux1-3.5-slfo.1.1_1.3 added
- libstdc++6-14.3.0+git11799-slfo.1.1_1.1 added
- libp11-kit0-0.25.3-slfo.1.1_1.2 added
- libncurses6-6.4.20240224-slfo.1.1_1.5 added
- terminfo-base-6.4.20240224-slfo.1.1_1.5 added
- p11-kit-0.25.3-slfo.1.1_1.2 added
- p11-kit-tools-0.25.3-slfo.1.1_1.2 added
- libreadline8-8.2-slfo.1.1_1.4 added
- bash-5.2.15-slfo.1.1_1.6 added
- bash-sh-5.2.15-slfo.1.1_1.6 added
- coreutils-9.4-slfo.1.1_2.1 added
- ca-certificates-2+git20240805.fd24d50-slfo.1.1_1.2 added
- ca-certificates-mozilla-2.74-slfo.1.1_1.1 added
- container:suse-toolbox-image-1.0.0-4.101 added
- container:bci-bci-base-16.0-e0609980162bb2a2879a53a75182f374c8b5d93a0e4c3696772adc6f28dd79d4-0 removed

From sle-container-updates at lists.suse.com Tue Jan 20 08:04:55 2026
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Tue, 20 Jan 2026 09:04:55 +0100 (CET)
Subject: SUSE-CU-2026:309-1: Security update of rancher/elemental-operator
Message-ID: <20260120080455.253C4FF0D@maintenance.suse.de>

SUSE Container Update Advisory: rancher/elemental-operator
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2026:309-1
Container Tags : rancher/elemental-operator:1.6.10 , rancher/elemental-operator:1.6.10-9.1
Container Release : 9.1
Severity : important
Type : security
References : 1241826 1241857 1251511 1251679 1253581 1253901 1254079 1256341 CVE-2025-13151 CVE-2025-22872 CVE-2025-47911 CVE-2025-47913 CVE-2025-47914 CVE-2025-58181 CVE-2025-58190
-----------------------------------------------------------------

The container rancher/elemental-operator was updated.
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: 558 Released: Mon Jan 12 13:00:27 2026 Summary: Security update for libtasn1 Type: security Severity: moderate References: 1256341,CVE-2025-13151 This update for libtasn1 fixes the following issues: - CVE-2025-13151: lack of validation of input data size leads to stack-based buffer overflow in `asn1_expend_octet_string` (bsc#1256341). ----------------------------------------------------------------- Advisory ID: 561 Released: Thu Jan 15 12:08:38 2026 Summary: Security update for elemental-toolkit, elemental-operator Type: security Severity: important References: 1241826,1241857,1251511,1251679,1253581,1253901,1254079,CVE-2025-22872,CVE-2025-47911,CVE-2025-47913,CVE-2025-47914,CVE-2025-58181,CVE-2025-58190 This update for elemental-toolkit, elemental-operator fixes the following issues: elemental-operator: - Update to version 1.6.10: * Remove 'latest' tag as this overlaps with the latest branch * Bump github.com/rancher-sandbox/go-tpm and its dependencies This bump includes fixes to some CVEs: * bsc#1241826 (CVE-2025-22872) * bsc#1241857 (CVE-2025-22872) * bsc#1251511 (CVE-2025-47911) * bsc#1251679 (CVE-2025-58190) elemental-toolkit: - Update to version 2.1.5: * Update headers for new year 2026 * Disable selinux in installer media - Update to version 2.1.4: * Remove leftovers in installer integration test * Bump to build against go 1.24 * Bump golang.org/x/crypto library This bump includes fixes to some CVEs: * bsc#1241826 (CVE-2025-22872) * bsc#1241857 (CVE-2025-22872) * bsc#1251511 (CVE-2025-47911) * bsc#1251679 (CVE-2025-58190) * bsc#1253581 (CVE-2025-47913) * bsc#1253901 (CVE-2025-58181) * bsc#1254079 (CVE-2025-47914) The following package changes have been done: - compat-usrmerge-tools-84.87-3.1 updated - elemental-operator-1.6.10-1.1 updated - system-user-root-20190513-2.208 updated - filesystem-84.87-5.2 updated - 
glibc-2.38-9.1 updated - libtasn1-6-4.19.0-5.1 updated - libpcre2-8-0-10.42-2.179 updated - libgmp10-6.3.0-1.119 updated - libgcc_s1-13.3.0+git8781-2.1 updated - libffi8-3.4.4-3.1 updated - libcap2-2.69-2.83 updated - libattr1-2.5.1-3.1 updated - libacl1-2.3.1-3.1 updated - libselinux1-3.5-3.1 updated - libstdc++6-13.3.0+git8781-2.1 updated - libp11-kit0-0.25.3-1.6 updated - libncurses6-6.4.20240224-10.2 updated - terminfo-base-6.4.20240224-10.2 updated - p11-kit-0.25.3-1.6 updated - p11-kit-tools-0.25.3-1.6 updated - libreadline8-8.2-2.180 updated - bash-5.2.15-3.1 updated - bash-sh-5.2.15-3.1 updated - coreutils-9.4-5.1 updated - ca-certificates-2+git20230406.2dae8b7-3.1 updated - ca-certificates-mozilla-2.74-1.1 updated - container:suse-toolbox-image-1.0.0-9.60 updated From sle-container-updates at lists.suse.com Tue Jan 20 08:05:12 2026 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Tue, 20 Jan 2026 09:05:12 +0100 (CET) Subject: SUSE-CU-2026:310-1: Security update of rancher/seedimage-builder Message-ID: <20260120080512.DF84CFF0D@maintenance.suse.de> SUSE Container Update Advisory: rancher/seedimage-builder ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2026:310-1 Container Tags : rancher/seedimage-builder:1.7.4 , rancher/seedimage-builder:1.7.4-4.2 Container Release : 4.2 Severity : important Type : security References : 1189788 1216091 1222044 1225451 1228434 1229106 1230267 1232458 1234752 1235598 1235636 1236384 1236481 1236820 1236939 1236983 1237044 1237172 1237587 1237949 1238315 1239012 1239543 1239809 1240132 1240529 1241463 1243279 1243457 1243887 1243901 1244042 1244105 1244710 1245220 1245452 1245496 1245672 1256105 614646 CVE-2025-14017 ----------------------------------------------------------------- The container rancher/seedimage-builder was updated. 
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: 377 Released: Thu Jan 15 10:32:16 2026 Summary: Security update for curl Type: security Severity: important References: 1189788,1216091,1222044,1225451,1228434,1229106,1230267,1232458,1234752,1235598,1235636,1236384,1236481,1236820,1236939,1236983,1237044,1237172,1237587,1237949,1238315,1239012,1239543,1239809,1240132,1240529,1241463,1243279,1243457,1243887,1243901,1244042,1244105,1244710,1245220,1245452,1245496,1245672,1256105,614646,CVE-2025-14017 This update for curl fixes the following issues: - CVE-2025-14017: Fixed broken TLS options for threaded LDAPS (bsc#1256105). The following package changes have been done: - boost-license1_84_0-1.84.0-slfo.1.1_1.4 added - btrfsprogs-udev-rules-6.8.1-slfo.1.1_1.2 added - compat-usrmerge-tools-84.87-slfo.1.1_1.5 added - crypto-policies-20230920.570ea89-slfo.1.1_1.2 added - elemental-httpfy-1.7.4-slfo.1.1_1.1 added - elemental-seedimage-hooks-1.7.4-slfo.1.1_1.1 added - libsemanage-conf-3.5-slfo.1.1_1.3 added - libssh-config-0.10.6-slfo.1.1_3.1 added - pkgconf-m4-1.8.0-slfo.1.1_1.5 added - system-user-root-20190513-slfo.1.1_1.2 added - filesystem-84.87-slfo.1.1_1.2 added - glibc-2.38-slfo.1.1_4.1 added - libzstd1-1.5.5-slfo.1.1_1.4 added - libz1-1.2.13-slfo.1.1_1.3 added - libxxhash0-0.8.1-slfo.1.1_2.1 added - libverto1-0.3.2-slfo.1.1_1.2 added - libuuid1-2.40.4-slfo.1.1_1.1 added - liburcu8-0.14.0-slfo.1.1_1.3 added - libunistring5-1.1-slfo.1.1_1.2 added - libtextstyle0-0.21.1-slfo.1.1_2.1 added - libtasn1-6-4.19.0-slfo.1.1_3.1 added - libsmartcols1-2.40.4-slfo.1.1_1.1 added - libsepol2-3.5-slfo.1.1_1.3 added - libseccomp2-2.5.4-slfo.1.1_1.4 added - libsasl2-3-2.1.28-slfo.1.1_1.2 added - libpopt0-1.19-slfo.1.1_1.3 added - libpkgconf3-1.8.0-slfo.1.1_1.5 added - libpcre2-8-0-10.42-slfo.1.1_1.4 added - libparted-fs-resize0-3.5-slfo.1.1_1.2 added - libnss_usrfiles2-2.27-slfo.1.1_1.3 added - 
libnghttp2-14-1.52.0-slfo.1.1_1.4 added - liblzo2-2-2.10-slfo.1.1_1.3 added - liblzma5-5.4.3-slfo.1.1_2.1 added - liblz4-1-1.9.4-slfo.1.1_1.2 added - liblua5_4-5-5.4.6-slfo.1.1_1.3 added - libkeyutils1-1.6.3-slfo.1.1_1.3 added - libjson-c5-0.16-slfo.1.1_1.2 added - libjitterentropy3-3.4.1-slfo.1.1_1.3 added - libip4tc2-1.8.9-slfo.1.1_2.1 added - libgpg-error0-1.47-slfo.1.1_1.3 added - libgmp10-6.3.0-slfo.1.1_1.5 added - libgcc_s1-14.3.0+git11799-slfo.1.1_1.1 added - libfuse2-2.9.9-slfo.1.1_1.2 added - libffi8-3.4.6-slfo.1.1_1.4 added - libexpat1-2.7.1-slfo.1.1_3.1 added - libeconf0-0.7.2-slfo.1.1_1.3 added - libcrypt1-4.4.36-slfo.1.1_1.4 added - libcom_err2-1.47.0-slfo.1.1_1.2 added - libcap2-2.69-slfo.1.1_1.3 added - libcap-ng0-0.8.3-slfo.1.1_1.4 added - libbz2-1-1.0.8-slfo.1.1_1.4 added - libburn4-1.5.4-slfo.1.1_1.2 added - libbtrfsutil1-6.8.1-slfo.1.1_1.2 added - libbtrfs0-6.8.1-slfo.1.1_1.2 added - libbrotlicommon1-1.1.0-slfo.1.1_1.3 added - libaudit1-3.1.1-slfo.1.1_2.1 added - libattr1-2.5.1-slfo.1.1_1.3 added - libargon2-1-20190702-slfo.1.1_1.2 added - libalternatives1-1.2+30.a5431e9-slfo.1.1_1.3 added - libaio1-0.3.113-slfo.1.1_1.2 added - libacl1-2.3.1-slfo.1.1_1.3 added - fillup-1.42-slfo.1.1_2.2 added - dosfstools-4.2-slfo.1.1_1.2 added - diffutils-3.10-slfo.1.1_1.3 added - libpng16-16-1.6.43-slfo.1.1_2.1 added - libidn2-0-2.3.4-slfo.1.1_1.2 added - pkgconf-1.8.0-slfo.1.1_1.5 added - libselinux1-3.5-slfo.1.1_1.3 added - netcfg-11.6-slfo.1.1_1.2 added - libxml2-2-2.11.6-slfo.1.1_6.1 added - squashfs-4.6.1-slfo.1.1_1.2 added - libgcrypt20-1.10.3-slfo.1.1_3.1 added - libstdc++6-14.3.0+git11799-slfo.1.1_1.1 added - libp11-kit0-0.25.3-slfo.1.1_1.2 added - libblkid1-2.40.4-slfo.1.1_1.1 added - perl-base-5.38.2-slfo.1.1_2.1 added - libext2fs2-1.47.0-slfo.1.1_1.2 added - libudev1-254.27-slfo.1.1_2.1 added - chkstat-1600_20240206-slfo.1.1_1.5 added - libzio1-1.08-slfo.1.1_1.3 added - libjte2-1.22-slfo.1.1_1.2 added - libbrotlidec1-1.1.0-slfo.1.1_1.3 added - 
alts-1.2+30.a5431e9-slfo.1.1_1.3 added - libpsl5-0.21.2-slfo.1.1_1.2 added - sed-4.9-slfo.1.1_1.2 added - libsubid4-4.15.1-slfo.1.1_1.3 added - libsemanage2-3.5-slfo.1.1_1.3 added - findutils-4.9.0-slfo.1.1_2.1 added - libsystemd0-254.27-slfo.1.1_2.1 added - libncurses6-6.4.20240224-slfo.1.1_1.5 added - terminfo-base-6.4.20240224-slfo.1.1_1.5 added - libinih0-56-slfo.1.1_1.3 added - libboost_thread1_84_0-1.84.0-slfo.1.1_1.4 added - p11-kit-0.25.3-slfo.1.1_1.2 added - p11-kit-tools-0.25.3-slfo.1.1_1.2 added - libmount1-2.40.4-slfo.1.1_1.1 added - libfdisk1-2.40.4-slfo.1.1_1.1 added - libisofs6-1.5.4-slfo.1.1_1.2 added - libfreetype6-2.13.3-slfo.1.1_1.1 added - ncurses-utils-6.4.20240224-slfo.1.1_1.5 added - libreadline8-8.2-slfo.1.1_1.4 added - libedit0-20210910.3.1-slfo.1.1_1.3 added - gptfdisk-1.0.9-slfo.1.1_2.1 added - libisoburn1-1.5.4-slfo.1.1_1.2 added - bash-5.2.15-slfo.1.1_1.6 added - bash-sh-5.2.15-slfo.1.1_1.6 added - xz-5.4.3-slfo.1.1_2.1 added - systemd-default-settings-branding-openSUSE-0.7-slfo.1.1_1.2 added - systemd-default-settings-0.7-slfo.1.1_1.2 added - pkgconf-pkg-config-1.8.0-slfo.1.1_1.5 added - login_defs-4.15.1-slfo.1.1_1.3 added - libdevmapper1_03-2.03.22_1.02.196-slfo.1.1_1.3 added - gzip-1.13-slfo.1.1_2.4 added - grep-3.11-slfo.1.1_1.2 added - gettext-runtime-0.21.1-slfo.1.1_2.1 added - coreutils-9.4-slfo.1.1_2.1 added - ALP-dummy-release-0.1-slfo.1.1_1.5 added - libparted2-3.5-slfo.1.1_1.2 added - libdevmapper-event1_03-2.03.22_1.02.196-slfo.1.1_1.3 added - info-7.0.3-slfo.1.1_1.3 added - xfsprogs-6.5.0-slfo.1.1_1.2 added - thin-provisioning-tools-0.9.0-slfo.1.1_1.4 added - systemd-rpm-macros-24-slfo.1.1_1.2 added - systemd-presets-common-SUSE-15-slfo.1.1_1.2 added - rpm-config-SUSE-20240214-slfo.1.1_1.2 added - rpm-4.18.0-slfo.1.1_2.1 added - permissions-config-1600_20240206-slfo.1.1_1.5 added - glibc-locale-base-2.38-slfo.1.1_4.1 added - e2fsprogs-1.47.0-slfo.1.1_1.2 added - ca-certificates-2+git20240805.fd24d50-slfo.1.1_1.2 added - 
ca-certificates-mozilla-2.74-slfo.1.1_1.1 added - btrfsprogs-6.8.1-slfo.1.1_1.2 added - parted-3.5-slfo.1.1_1.2 added - liblvm2cmd2_03-2.03.22-slfo.1.1_1.3 added - xorriso-1.5.4-slfo.1.1_1.2 added - device-mapper-2.03.22_1.02.196-slfo.1.1_1.3 added - systemd-presets-branding-ALP-transactional-20230214-slfo.1.1_1.2 added - permissions-1600_20240206-slfo.1.1_1.5 added - mtools-4.0.43-slfo.1.1_1.2 added - libopenssl3-3.1.4-slfo.1.1_7.1 added - pam-1.6.1-slfo.1.1_4.1 added - grub2-2.12-slfo.1.1_3.1 added - grub2-i386-pc-2.12-slfo.1.1_3.1 added - suse-module-tools-16.0.43-slfo.1.1_1.2 added - kmod-32-slfo.1.1_2.1 added - rsync-3.3.0-slfo.1.1_4.1 added - libldap2-2.6.4-slfo.1.1_1.2 added - libkmod2-32-slfo.1.1_2.1 added - libcryptsetup12-2.6.1-slfo.1.1_1.2 added - krb5-1.21.3-slfo.1.1_2.1 added - util-linux-2.40.4-slfo.1.1_1.1 added - shadow-4.15.1-slfo.1.1_1.3 added - pam-config-2.11+git.20240906-slfo.1.1_2.1 added - kbd-2.6.4-slfo.1.1_1.3 added - libssh4-0.10.6-slfo.1.1_3.1 added - libsnapper7-0.11.2-slfo.1.1_1.2 added - aaa_base-84.87+git20250903.33e5ba4-slfo.1.1_1.1 added - libcurl4-8.14.1-slfo.1.1_5.1 added - dbus-1-daemon-1.14.10-slfo.1.1_1.2 added - curl-8.14.1-slfo.1.1_5.1 added - dbus-1-tools-1.14.10-slfo.1.1_1.2 added - systemd-254.27-slfo.1.1_2.1 added - sysuser-shadow-3.1-slfo.1.1_1.2 added - dbus-1-common-1.14.10-slfo.1.1_1.2 added - libdbus-1-3-1.14.10-slfo.1.1_1.2 added - dbus-1-1.14.10-slfo.1.1_1.2 added - system-group-kvm-20170617-slfo.1.1_1.2 added - system-group-hardware-20170617-slfo.1.1_1.2 added - udev-254.27-slfo.1.1_2.1 added - snapper-0.11.2-slfo.1.1_1.2 added - lvm2-2.03.22-slfo.1.1_1.3 added - elemental-toolkit-2.2.7-slfo.1.1_1.1 added - container:suse-toolbox-image-1.0.0-4.101 added - container:bci-bci-base-16.0-e0609980162bb2a2879a53a75182f374c8b5d93a0e4c3696772adc6f28dd79d4-0 removed From sle-container-updates at lists.suse.com Tue Jan 20 08:05:14 2026 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) 
Date: Tue, 20 Jan 2026 09:05:14 +0100 (CET) Subject: SUSE-CU-2026:311-1: Security update of rancher/seedimage-builder Message-ID: <20260120080514.804CFFF0D@maintenance.suse.de> SUSE Container Update Advisory: rancher/seedimage-builder ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2026:311-1 Container Tags : rancher/seedimage-builder:1.6.10 , rancher/seedimage-builder:1.6.10-9.1 Container Release : 9.1 Severity : important Type : security References : 1159103 1211721 1219038 1221763 1224386 1227117 1241826 1241857 1244449 1245551 1246197 1246934 1248356 1248501 1249191 1249348 1249367 1249584 1250232 1251511 1251679 1253581 1253741 1253757 1253901 1254079 1254157 1254158 1254159 1254160 1254441 1254480 1254563 1255731 1255732 1255733 1255734 1256341 CVE-2025-10148 CVE-2025-10158 CVE-2025-11563 CVE-2025-13151 CVE-2025-14524 CVE-2025-14819 CVE-2025-15079 CVE-2025-15224 CVE-2025-22872 CVE-2025-47911 CVE-2025-47913 CVE-2025-47914 CVE-2025-58181 CVE-2025-58190 CVE-2025-59375 CVE-2025-64505 CVE-2025-64506 CVE-2025-64720 CVE-2025-65018 CVE-2025-66293 CVE-2025-9086 CVE-2025-9230 ----------------------------------------------------------------- The container rancher/seedimage-builder was updated. 
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: 477 Released: Thu Sep 25 12:52:04 2025 Summary: Security update for curl Type: security Severity: important References: 1246197,1249191,1249348,1249367,CVE-2025-10148,CVE-2025-9086 This update for curl fixes the following issues: - CVE-2025-9086: Fixed Out of bounds read for cookie path (bsc#1249191) - CVE-2025-10148: Predictable WebSocket mask (bsc#1249348) - Fix the --ftp-pasv option in curl v8.14.1 [bsc#1246197] - tool_operate: fix return code when --retry is used but not triggered [bsc#1249367] - Updated to 8.14.1: [jsc#PED-13055, jsc#PED-13056] * Add _multibuild * Bugfixes: - asyn-thrdd: fix cleanup when RR fails due to OOM - ftp: fix teardown of DATA connection in done - http: fail early when rewind of input failed when following redirects - multi: fix add_handle resizing - tls BIOs: handle BIO_CTRL_EOF correctly - tool_getparam: make --no-anyauth not be accepted - wolfssl: fix sending of early data - ws: handle blocked sends better - ws: tests and fixes - Sync spec file with SLE codestreams: [jsc#PED-13055, jsc#PED-13056] * Add curl-mini.rpmlintrc to avoid rpmlint shlib-policy-name-error when building the curl-mini package in SLE. * Add libssh minimum version requirements. * Use ldconfig_scriptlets when available. * Remove unused option --disable-ntlm-wb. 
- Update to 8.14.0: * Changes: - mqtt: send ping at upkeep interval - schannel: handle pkcs12 client certificates containing CA certificates - TLS: add CURLOPT_SSL_SIGNATURE_ALGORITHMS and --sigalgs - vquic: ngtcp2 + openssl support - wcurl: import v2025.04.20 script + docs - websocket: add option to disable auto-pong reply * Bugfixes: - asny-thrdd: fix detach from running thread - async-threaded resolver: use ref counter - async: DoH improvements - build: enable gcc-12/13+, clang-10+ picky warnings - build: enable gcc-15 picky warnings - certs: drop unused `default_bits` from `.prm` files - cf-https-connect: use the passed in dns struct pointer - cf-socket: fix FTP accept connect - cfilters: remove assert - cmake: fix nghttp3 static linking with `USE_OPENSSL_QUIC=ON` - cmake: prefer `COMPILE_OPTIONS` over `CMAKE_C_FLAGS` for custom C options - cmake: revert `CURL_LTO` behavior for multi-config generators - configure: fix --disable-rt - CONTRIBUTE: add project guidelines for AI use - cpool/cshutdown: force close connections under pressure - curl: fix memory leak when -h is used in config file - curl_get_line: handle lines ending on the buffer boundary - headers: enforce a max number of response header to accept - http: fix HTTP/2 handling of TE request header using 'trailers' - lib: include files using known path - lib: unify conversions to/from hex - libssh: add NULL check for Curl_meta_get() - libssh: fix memory leak - mqtt: use conn/easy meta hash - multi: do transfer book keeping using mid - multi: init_do(): check result - netrc: avoid NULL deref on weird input - netrc: avoid strdup NULL - netrc: deal with null token better - openssl-quic: avoid potential `-Wnull-dereference`, add assert - openssl-quic: fix shutdown when stream not open - openssl: enable builds for *both* engines and providers - openssl: set the cipher string before doing private cert - progress: avoid integer overflow when gathering total transfer size - rand: update comment on 
Curl_rand_bytes weak random - rustls: make max size of cert and key reasonable - smb: avoid integer overflow on weird input date - urlapi: redirecting to '' is considered fine - Update to 8.13.0: * Changes: - curl: add write-out variable 'tls_earlydata' - curl: make --url support a file with URLs - gnutls: set priority via --ciphers - IMAP: add CURLOPT_UPLOAD_FLAGS and --upload-flags - lib: add CURLFOLLOW_OBEYCODE and CURLFOLLOW_FIRSTONLY - OpenSSL/quictls: add support for TLSv1.3 early data - rustls: add support for CERTINFO - rustls: add support for SSLKEYLOGFILE - rustls: support ECH w/ DoH lookup for config - rustls: support native platform verifier - var: add a '64dec' function that can base64 decode a string * Bugfixes: - conn: fix connection reuse when SSL is optional - hash: use single linked list for entries - http2: detect session being closed on ingress handling - http2: reset stream on response header error - http: remove a HTTP method size restriction - http: version negotiation - httpsrr: fix port detection - libssh: fix freeing of resources in disconnect - libssh: fix scp large file upload for 32-bit size_t systems - openssl-quic: do not iterate over multi handles - openssl: check return value of X509_get0_pubkey - openssl: drop support for old OpenSSL/LibreSSL versions - openssl: fix crash on missing cert password - openssl: fix pkcs11 URI checking for key files. 
- openssl: remove bad `goto`s into other scope - setopt: illegal CURLOPT_SOCKS5_AUTH should return error - setopt: setting PROXYUSERPWD after PROXYUSERNAME/PASSWORD is fine - sshserver.pl: adjust `AuthorizedKeysFile2` cutoff version - sshserver: fix excluding obsolete client config lines - SSLCERTS: list support for SSL_CERT_FILE and SSL_CERT_DIR - tftpd: prefix TFTP protocol error `E*` constants with `TFTP_` - tool_operate: fail SSH transfers without server auth - url: call protocol handler's disconnect in Curl_conn_free - urlapi: remove percent encoded dot sequences from the URL path - urldata: remove 'hostname' from struct Curl_async - Update to 8.12.1: * Bugfixes: - asyn-thread: fix build with 'CURL_DISABLE_SOCKETPAIR' - asyn-thread: fix HTTPS RR crash - asyn-thread: fix the returned bitmask from Curl_resolver_getsock - asyn-thread: survive a c-ares channel set to NULL - cmake: always reference OpenSSL and ZLIB via imported targets - cmake: respect 'GNUTLS_CFLAGS' when detected via 'pkg-config' - cmake: respect 'GNUTLS_LIBRARY_DIRS' in 'libcurl.pc' and 'curl-config' - content_encoding: #error on too old zlib - imap: TLS upgrade fix - ldap: drop support for legacy Novell LDAP SDK - libssh2: comparison is always true because rc <= -1 - libssh2: raise lowest supported version to 1.2.8 - libssh: drop support for libssh older than 0.9.0 - openssl-quic: ignore ciphers for h3 - pop3: TLS upgrade fix - runtests: fix the disabling of the memory tracking - runtests: quote commands to support paths with spaces - scache: add magic checks - smb: silence '-Warray-bounds' with gcc 13+ - smtp: TLS upgrade fix - tool_cfgable: sort struct fields by size, use bitfields for booleans - tool_getparam: add 'TLS required' flag for each such option - vtls: fix multissl-init - wakeup_write: make sure the eventfd write sends eight bytes - Update to 8.12.0: * Changes: - curl: add byte range support to --variable reading from file - curl: make --etag-save acknowledge --create-dirs - 
getinfo: fix CURLINFO_QUEUE_TIME_T and add 'time_queue' var - getinfo: provide info which auth was used for HTTP and proxy - hyper: drop support - openssl: add support to use keys and certificates from PKCS#11 provider - QUIC: 0RTT for gnutls via CURLSSLOPT_EARLYDATA - vtls: feature ssls-export for SSL session im-/export * Bugfixes: - altsvc: avoid integer overflow in expire calculation - asyn-ares: acknowledge CURLOPT_DNS_SERVERS set to NULL - asyn-ares: fix memory leak - asyn-ares: initial HTTPS resolve support - asyn-thread: use c-ares to resolve HTTPS RR - async-thread: avoid closing eventfd twice - cd2nroff: do not insist on quoted <> within backticks - cd2nroff: support 'none' as a TLS backend - conncache: count shutdowns against host and max limits - content_encoding: drop support for zlib before 1.2.0.4 - content_encoding: namespace GZIP flag constants - content_encoding: put the decomp buffers into the writer structs - content_encoding: support use of custom libzstd memory functions - cookie: cap expire times to 400 days - cookie: parse only the exact expire date - curl: return error if etag options are used with multiple URLs - curl_multi_fdset: include the shutdown connections in the set - curl_sha512_256: rename symbols to the curl namespace - curl_url_set.md: adjust the added-in to 7.62.0 - doh: send HTTPS RR requests for all HTTP(S) transfers - easy: allow connect-only handle reuse with easy_perform - easy: make curl_easy_perform() return error if connection still there - easy_lock: use Sleep(1) for thread yield on old Windows - ECH: update APIs to those agreed with OpenSSL maintainers - GnuTLS: fix 'time_appconnect' for early data - HTTP/2: strip TE request header - http2: fix data_pending check - http2: fix value stored to 'result' is never read - http: ignore invalid Retry-After times - http_aws_sigv4: Fix invalid compare function handling zero-length pairs - https-connect: start next immediately on failure - lib: redirect handling by protocol 
handler - multi: fix curl_multi_waitfds reporting of fd_count - netrc: 'default' with no credentials is not a match - netrc: fix password-only entries - netrc: restore _netrc fallback logic - ngtcp2: fix memory leak on connect failure - openssl: define `HAVE_KEYLOG_CALLBACK` before use - openssl: fix ECH logic - osslq: use SSL_poll to determine writeability of QUIC streams - sectransp: free certificate on error - select: avoid a NULL deref in cwfds_add_sock - src: omit hugehelp and ca-embed from libcurltool - ssl session cache: change cache dimensions - system.h: add 64-bit curl_off_t definitions for NonStop - telnet: handle single-byte input option - TLS: check connection for SSL use, not handler - tool_formparse.c: make curlx_uztoso a static in here - tool_formparse: accept digits in --form type= strings - tool_getparam: ECH param parsing refix - tool_getparam: fail --hostpubsha256 if libssh2 is not used - tool_getparam: fix 'Ignored Return Value' - tool_getparam: fix memory leak on error in parse_ech - tool_getparam: fix the ECH parser - tool_operate: make --etag-compare always accept a non-existing file - transfer: fix CURLOPT_CURLU override logic - urlapi: fix redirect to a new fragment or query (only) - vquic: make vquic_send_packets not return without setting psent - vtls: fix default SSL backend as a fallback - vtls: only remember the expiry timestamp in session cache - websocket: fix message send corruption - x509asn1: add parse recursion limit ----------------------------------------------------------------- Advisory ID: 485 Released: Thu Oct 9 16:42:20 2025 Summary: Security update for aaa_base Type: security Severity: moderate References: 1159103,1211721,1219038,1221763,1227117 This update for aaa_base fixes the following issues: Update to version 84.87+git20240906.742565b: * yama-enable-ptrace: enforce changed behavior upon installation (bsc#1221763) * Avoid unnecessary /bin/bash dependency * sysctl: Fixup of not setting kernel.pid_max on 32b archs 
(bsc#1227117) Update to version 84.87+git20240821.fbabe1d: * Add helper service for soft-reboot Update to version 84.87+git20240809.5d13eb4: * cleanup aaa_base.post and fold back into specfile Update to version 84.87+git20240805.7513b28: * Remove obsolete resolv+ manual page * Remove obsolete defaultdomain.5 manual page * Move /etc/skel to /usr/etc/skel (hermetic-usr) * Remove obsolete refresh_initrd * Add deprecation notice for service [jsc#PED-266] Update to version 84.87+git20240801.75f05dd: * sysctl: Don't set kernel.pid_max on 32b archs (bsc#1227117) Update to version 84.87+git20240620.57ee9e1: * Remove legacy-actions support [jsc#PED-264] Update to version 84.87+git20240617.f5ff27f: * add /usr/bin/nu to etc/shells for nushell Update to version 84.87+git20240614.332933e: * Do not save/restore cursor for foot at status line * Add tmux and others to DIR_COLORS (Issue #116) * Remove kernel.pid_max limit (bsc#1219038) * Add subpackage to enable ptrace Update to version 84.87+git20240523.10a5692: * Add tmpfiles.d/soft-reboot-cleanup.conf Update to version 84.87+git20240415.e6815bf: * drop obsolete 50-default-s390.conf (bsc#1211721) * fix typo in alljava.csh and drop stderr redirection Update to version 84.87+git20240402.16596d1: * add alacritty to DIR_COLORS * Make sure tput is present before resetting TERM * Add mc helpers for both tcsh and bash resources * Do not overwrite escape sequences for xterm like * Check for valid TERM Update to version 84.87+git20240202.9526d46: * properly shorten the variable when setting JAVA_HOME and JRE_HOME * silence output of alljava * Restrict ptrace with Yama LSM by default * patch alljava.sh and alljava.csh, use the links from update alternatives Update to version 84.87+git20231023.f347d36: * Remove %ghost lastlog entry, lastlog is long gone * Remove shaky safe-rm and safe-rmdir helpers (bsc#1159103) ----------------------------------------------------------------- Advisory ID: 496 Released: Mon Oct 20 18:12:21 2025 Summary: 
Security update for openssl-3 Type: security Severity: moderate References: 1250232,CVE-2025-9230 This update for openssl-3 fixes the following issues: - CVE-2025-9230: Fix out-of-bounds read & write in RFC 3211 KEK unwrap (bsc#1250232) - Disable LTO for userspace livepatching [jsc#PED-13245] ----------------------------------------------------------------- Advisory ID: 500 Released: Wed Oct 22 14:00:46 2025 Summary: Security update for expat Type: security Severity: important References: 1249584,CVE-2025-59375 This update for expat fixes the following issues: - CVE-2025-59375: memory amplification vulnerability allows attackers to trigger excessive dynamic memory allocations by submitting crafted XML input (bsc#1249584). ----------------------------------------------------------------- Advisory ID: 509 Released: Mon Nov 3 08:22:32 2025 Summary: Recommended update for libgcrypt Type: recommended Severity: moderate References: 1246934 This update for libgcrypt fixes the following issues: - Fix running the test suite in FIPS mode (bsc#1246934) ----------------------------------------------------------------- Advisory ID: 528 Released: Mon Dec 1 09:45:21 2025 Summary: Recommended update for kmod Type: recommended Severity: important References: 1253741 This update for kmod fixes the following issues: - Fix modprobe.d confusion on man page (bsc#1253741): * document the config file order handling ----------------------------------------------------------------- Advisory ID: 529 Released: Tue Dec 9 08:19:13 2025 Summary: Security update for curl Type: security Severity: moderate References: 1253757,CVE-2025-11563 This update for curl fixes the following issues: - CVE-2025-11563: Fixed wcurl path traversal with percent-encoded slashes (bsc#1253757). 
----------------------------------------------------------------- Advisory ID: 536 Released: Tue Dec 16 09:31:52 2025 Summary: Security update for libpng16 Type: security Severity: important References: 1254157,1254158,1254159,1254160,1254480,CVE-2025-64505,CVE-2025-64506,CVE-2025-64720,CVE-2025-65018,CVE-2025-66293 This update for libpng16 fixes the following issues: - CVE-2025-66293: Fixed out-of-bounds read in png_image_read_composite (bsc#1254480). - CVE-2025-64505: Fixed heap buffer over-read in `png_do_quantize` via malformed palette index (bsc#1254157). - CVE-2025-64506: Fixed heap buffer over-read in `png_write_image_8bit` with 8-bit input and `convert_to_8bit` enabled (bsc#1254158). - CVE-2025-64720: Fixed buffer overflow in `png_image_read_composite` via incorrect palette premultiplication (bsc#1254159). - CVE-2025-65018: Fixed heap buffer overflow in `png_combine_row` triggered via `png_image_finish_read` (bsc#1254160). ----------------------------------------------------------------- Advisory ID: 537 Released: Tue Dec 16 16:38:50 2025 Summary: Recommended update for systemd Type: recommended Severity: important References: 1224386,1244449,1245551,1248356,1248501,1254563 This update for systemd fixes the following issues: - timer: rebase last_trigger timestamp if needed - timer: rebase the next elapse timestamp only if timer didn't already run - timer: don't run service immediately after restart of a timer (bsc#1254563) - test: check the next elapse timer timestamp after deserialization - test: restarting elapsed timer shouldn't trigger the corresponding service - units: don't force the loading of the loop and dm_mod modules in systemd-repart.service (bsc#1248356) - units: add dep on systemd-logind.service by user@.service - detect-virt: add bare-metal support for GCE (bsc#1244449) - Sync systemd-update-helper with the version shipped in Base:System - systemd-update-helper: do not stop or disable services when they are migrated to other packages. 
This can occur during package renaming or splitting. - systemd-update-helper: Fix invalid use of 'break' in case statement - systemd-update-helper: fix regression introduced when support for package renaming/splitting was added (bsc#1245551) - systemd-update-helper: * Since user@.service has `Type=notify-reload` and reloading implies reexecuting with `ReloadSignal=RTMIN+25`, reexecuting user managers synchronously can be achieved with `systemctl reload user@*.service` now. - systemd.spec: use %sysusers_generate_pre so that some systemd users are already available in %pre (bsc#1248501) - Split systemd-network into two new sub-packages: systemd-networkd and systemd-resolved (bsc#1224386 jsc#PED-12669) ----------------------------------------------------------------- Advisory ID: 546 Released: Thu Jan 8 16:18:54 2026 Summary: Security update for curl Type: security Severity: moderate References: 1255731,1255732,1255733,1255734,CVE-2025-14524,CVE-2025-14819,CVE-2025-15079,CVE-2025-15224 This update for curl fixes the following issues: - CVE-2025-14524: bearer token leak on cross-protocol redirect (bsc#1255731). - CVE-2025-14819: libssh global knownhost override (bsc#1255732). - CVE-2025-15079: libssh key passphrase bypass without agent set (bsc#1255733). - CVE-2025-15224: OpenSSL partial chain store policy bypass (bsc#1255734). 
----------------------------------------------------------------- Advisory ID: 551 Released: Thu Jan 8 16:49:46 2026 Summary: Security update for rsync Type: security Severity: moderate References: 1254441,CVE-2025-10158 This update for rsync fixes the following issues: - CVE-2025-10158: Fixed out of bounds array access via negative index (bsc#1254441) ----------------------------------------------------------------- Advisory ID: 558 Released: Mon Jan 12 13:00:27 2026 Summary: Security update for libtasn1 Type: security Severity: moderate References: 1256341,CVE-2025-13151 This update for libtasn1 fixes the following issues: - CVE-2025-13151: lack of validation of input data size leads to stack-based buffer overflow in `asn1_expend_octet_string` (bsc#1256341). ----------------------------------------------------------------- Advisory ID: 561 Released: Thu Jan 15 12:08:38 2026 Summary: Security update for elemental-toolkit, elemental-operator Type: security Severity: important References: 1241826,1241857,1251511,1251679,1253581,1253901,1254079,CVE-2025-22872,CVE-2025-47911,CVE-2025-47913,CVE-2025-47914,CVE-2025-58181,CVE-2025-58190 This update for elemental-toolkit, elemental-operator fixes the following issues: elemental-operator: - Update to version 1.6.10: * Remove 'latest' tag as this overlaps with the latest branch * Bump github.com/rancher-sandbox/go-tpm and its dependencies This bump includes fixes to some CVEs: * bsc#1241826 (CVE-2025-22872) * bsc#1241857 (CVE-2025-22872) * bsc#1251511 (CVE-2025-47911) * bsc#1251679 (CVE-2025-58190) elemental-toolkit: - Update to version 2.1.5: * Update headers for new year 2026 * Disable selinux in installer media - Update to version 2.1.4: * Remove leftovers in installer integration test * Bump to build against go 1.24 * Bump golang.org/x/crypto library This bump includes fixes to some CVEs: * bsc#1241826 (CVE-2025-22872) * bsc#1241857 (CVE-2025-22872) * bsc#1251511 (CVE-2025-47911) * bsc#1251679 (CVE-2025-58190) * 
bsc#1253581 (CVE-2025-47913) * bsc#1253901 (CVE-2025-58181) * bsc#1254079 (CVE-2025-47914) The following package changes have been done: - boost-license1_84_0-1.84.0-1.4 updated - btrfsprogs-udev-rules-6.1.3-6.19 updated - compat-usrmerge-tools-84.87-3.1 updated - crypto-policies-20230920.570ea89-1.50 updated - elemental-httpfy-1.6.10-1.1 updated - elemental-seedimage-hooks-1.6.10-1.1 updated - file-magic-5.44-4.151 added - kbd-legacy-2.6.4-1.3 added - libsemanage-conf-3.5-3.1 updated - pkgconf-m4-1.8.0-2.205 updated - system-user-root-20190513-2.208 updated - filesystem-84.87-5.2 updated - glibc-2.38-9.1 updated - libzstd1-1.5.5-8.142 updated - libz1-1.2.13-6.138 updated - libxxhash0-0.8.1-2.194 updated - libuuid1-2.39.3-3.1 updated - liburcu8-0.14.0-2.8 updated - libunistring5-1.1-3.1 updated - libtextstyle0-0.21.1-6.1 updated - libtasn1-6-4.19.0-5.1 updated - libsmartcols1-2.39.3-3.1 updated - libsepol2-3.5-3.1 updated - libseccomp2-2.5.4-3.1 updated - libpopt0-1.19-2.184 updated - libpkgconf3-1.8.0-2.205 updated - libpcre2-8-0-10.42-2.179 updated - libparted-fs-resize0-3.5-2.11 updated - libnss_usrfiles2-2.27-3.1 updated - libnghttp2-14-1.52.0-5.1 updated - liblzo2-2-2.10-3.1 updated - liblzma5-5.4.3-5.1 updated - liblz4-1-1.9.4-4.1 updated - liblua5_4-5-5.4.6-1.68 updated - libjson-c5-0.16-3.1 updated - libjitterentropy3-3.4.1-3.1 updated - libip4tc2-1.8.9-4.1 updated - libgpg-error0-1.47-4.136 updated - libgmp10-6.3.0-1.119 updated - libgcc_s1-13.3.0+git8781-2.1 updated - libfuse2-2.9.9-3.1 updated - libffi8-3.4.4-3.1 updated - libexpat1-2.7.1-3.1 updated - libeconf0-0.6.1-1.13 updated - libcrypt1-4.4.36-1.134 updated - libcom_err2-1.47.0-3.1 updated - libcap2-2.69-2.83 updated - libcap-ng0-0.8.3-4.1 updated - libbz2-1-1.0.8-3.1 updated - libburn4-1.5.4-1.9 updated - libbtrfsutil1-6.1.3-6.19 updated - libbtrfs0-6.1.3-6.19 updated - libbrotlicommon1-1.1.0-1.6 updated - libblkid1-2.39.3-3.1 updated - libaudit1-3.0.9-4.1 updated - libattr1-2.5.1-3.1 updated - 
libargon2-1-20190702-3.1 updated - libalternatives1-1.2+30.a5431e9-3.1 updated - libaio1-0.3.113-3.1 updated - libacl1-2.3.1-3.1 updated - fillup-1.42-3.1 updated - dosfstools-4.2-2.9 updated - diffutils-3.10-2.101 updated - libpng16-16-1.6.43-2.1 updated - libidn2-0-2.3.4-3.1 updated - pkgconf-1.8.0-2.205 updated - libselinux1-3.5-3.1 updated - netcfg-11.6-4.42 updated - libxml2-2-2.11.6-10.1 updated - squashfs-4.6.1-3.7 updated - libgcrypt20-1.10.3-3.1 updated - libstdc++6-13.3.0+git8781-2.1 updated - libp11-kit0-0.25.3-1.6 updated - perl-base-5.38.2-4.1 updated - libext2fs2-1.47.0-3.1 updated - libudev1-254.27-2.1 updated - chkstat-1600_20240206-1.8 updated - libzio1-1.08-3.1 updated - libmagic1-5.44-4.151 added - libjte2-1.22-1.8 updated - libbrotlidec1-1.1.0-1.6 updated - libfdisk1-2.39.3-3.1 updated - alts-1.2+30.a5431e9-3.1 updated - libpsl5-0.21.2-3.1 updated - sed-4.9-2.9 updated - libsubid4-4.15.1-1.1 updated - libsemanage2-3.5-3.1 updated - libmount1-2.39.3-3.1 updated - findutils-4.9.0-4.1 updated - libsystemd0-254.27-2.1 updated - libncurses6-6.4.20240224-10.2 updated - terminfo-base-6.4.20240224-10.2 updated - libinih0-56-3.1 updated - libboost_thread1_84_0-1.84.0-1.4 updated - p11-kit-0.25.3-1.6 updated - p11-kit-tools-0.25.3-1.6 updated - libisofs6-1.5.4-1.9 updated - libfreetype6-2.13.3-1.1 updated - ncurses-utils-6.4.20240224-10.2 updated - libreadline8-8.2-2.180 updated - libedit0-20210910.3.1-9.169 updated - gptfdisk-1.0.9-4.1 updated - libisoburn1-1.5.4-1.9 updated - bash-5.2.15-3.1 updated - bash-sh-5.2.15-3.1 updated - xz-5.4.3-5.1 updated - systemd-default-settings-branding-openSUSE-0.7-2.4 updated - systemd-default-settings-0.7-2.4 updated - pkgconf-pkg-config-1.8.0-2.205 updated - login_defs-4.15.1-1.1 updated - libdevmapper1_03-2.03.22_1.02.196-1.8 updated - gzip-1.13-1.50 updated - grep-3.11-4.8 updated - gettext-runtime-0.21.1-6.1 updated - coreutils-9.4-5.1 updated - ALP-dummy-release-0.1-8.67 updated - libparted2-3.5-2.11 updated - 
libdevmapper-event1_03-2.03.22_1.02.196-1.8 updated - info-7.0.3-4.1 updated - xfsprogs-6.5.0-1.9 updated - thin-provisioning-tools-0.9.0-2.10 updated - systemd-rpm-macros-24-1.205 updated - systemd-presets-common-SUSE-15-5.1 updated - rpm-config-SUSE-20240214-1.1 updated - rpm-4.18.0-7.1 updated - permissions-config-1600_20240206-1.8 updated - glibc-locale-base-2.38-9.1 updated - e2fsprogs-1.47.0-3.1 updated - ca-certificates-2+git20230406.2dae8b7-3.1 updated - ca-certificates-mozilla-2.74-1.1 updated - btrfsprogs-6.1.3-6.19 updated - parted-3.5-2.11 updated - liblvm2cmd2_03-2.03.22-1.8 updated - xorriso-1.5.4-1.9 updated - device-mapper-2.03.22_1.02.196-1.8 updated - systemd-presets-branding-ALP-transactional-20230214-3.1 updated - permissions-1600_20240206-1.8 updated - mtools-4.0.43-4.9 updated - libopenssl3-3.1.4-10.1 updated - pam-1.6.0-5.1 updated - grub2-2.12~rc1-7.1 updated - grub2-i386-pc-2.12~rc1-7.1 updated - suse-module-tools-16.0.43-1.1 updated - kmod-30-11.1 updated - rsync-3.2.7-5.1 updated - libkmod2-30-11.1 updated - libcurl-mini4-8.14.1-3.1 added - libcryptsetup12-2.6.1-4.13 updated - util-linux-2.39.3-3.1 updated - shadow-4.15.1-1.1 updated - pam-config-2.11-2.1 updated - kbd-2.6.4-1.3 updated - curl-8.14.1-3.1 updated - libsnapper7-0.10.5-2.10 updated - aaa_base-84.87+git20240906.742565b-1.1 updated - dbus-1-daemon-1.14.10-1.11 updated - dbus-1-tools-1.14.10-1.11 updated - systemd-254.27-2.1 updated - sysuser-shadow-3.1-2.197 updated - dbus-1-common-1.14.10-1.11 updated - libdbus-1-3-1.14.10-1.11 updated - dbus-1-1.14.10-1.11 updated - system-group-kvm-20170617-2.197 updated - system-group-hardware-20170617-2.197 updated - udev-254.27-2.1 updated - snapper-0.10.5-2.10 updated - lvm2-2.03.22-1.8 updated - elemental-toolkit-2.1.5-1.1 updated - container:suse-toolbox-image-1.0.0-9.60 updated - krb5-1.21.3-slfo.1.1_2.1 removed - libcurl4-8.14.1-slfo.1.1_5.1 removed - libkeyutils1-1.6.3-slfo.1.1_1.3 removed - libldap2-2.6.4-slfo.1.1_1.2 removed - 
libsasl2-3-2.1.28-slfo.1.1_1.2 removed - libssh-config-0.10.6-slfo.1.1_3.1 removed - libssh4-0.10.6-slfo.1.1_3.1 removed - libverto1-0.3.2-slfo.1.1_1.2 removed From sle-container-updates at lists.suse.com Tue Jan 20 08:13:31 2026 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Tue, 20 Jan 2026 09:13:31 +0100 (CET) Subject: SUSE-IU-2026:184-1: Security update of suse/sl-micro/6.2/baremetal-os-container Message-ID: <20260120081331.0D3FCFF0C@maintenance.suse.de> SUSE Image Update Advisory: suse/sl-micro/6.2/baremetal-os-container ----------------------------------------------------------------- Image Advisory ID : SUSE-IU-2026:184-1 Image Tags : suse/sl-micro/6.2/baremetal-os-container:2.3.0 , suse/sl-micro/6.2/baremetal-os-container:2.3.0-7.13 , suse/sl-micro/6.2/baremetal-os-container:latest Image Release : 7.13 Severity : important Type : security References : 1229122 1231354 1233285 1233287 1233292 1233358 1241964 1244156 1244157 1244459 1244573 1246080 1246559 1251789 1251931 1252095 1252431 1252992 1252993 1253098 1253389 1254395 1254889 1255024 CVE-2024-52530 CVE-2024-52531 CVE-2024-52532 CVE-2025-0913 CVE-2025-4673 ----------------------------------------------------------------- The container suse/sl-micro/6.2/baremetal-os-container was updated. 
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: 154 Released: Mon Jun 23 13:00:06 2025 Summary: Security update for go1.23-openssl Type: security Severity: important References: 1229122,1231354,1233285,1233287,1233292,1233358,1241964,1244156,1244157,1244459,1244573,1246080,1246559,1251789,1251931,1252095,1252431,1252992,1252993,1253098,1253389,1254395,1254889,1255024,CVE-2024-52530,CVE-2024-52531,CVE-2024-52532,CVE-2025-0913,CVE-2025-4673 This update for go1.23-openssl fixes the following issues: Update to version 1.23.10 cut from the go1.23-fips-release branch at the revision tagged go1.23.10-1-openssl-fips. (jsc#SLE-18320) * Rebase to 1.23.10 * Add ubi10, c10s targets to gating go1.23.10 (released 2025-06-05) includes security fixes to the net/http and os packages, as well as bug fixes to the linker. ( bsc#1229122 ) CVE-2025-0913 CVE-2025-4673: * bsc#1244157 security: fix CVE-2025-0913 os: inconsistent handling of O_CREATE|O_EXCL on Unix and Windows * bsc#1244156 security: fix CVE-2025-4673 net/http: sensitive headers not cleared on cross-origin redirect * runtime/debug: BuildSetting does not document DefaultGODEBUG * cmd/link: Go 1.24.3 and 1.23.9 regression - duplicated definition of symbol dlopen The following package changes have been done: - selinux-policy-20250627+git345.3965b24b0-160000.1.1 updated - selinux-policy-targeted-20250627+git345.3965b24b0-160000.1.1 updated From sle-container-updates at lists.suse.com Tue Jan 20 08:28:31 2026 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Tue, 20 Jan 2026 09:28:31 +0100 (CET) Subject: SUSE-CU-2026:336-1: Security update of bci/php-apache Message-ID: <20260120082831.C0E4CFF0C@maintenance.suse.de> SUSE Container Update Advisory: bci/php-apache ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2026:336-1 Container Tags : 
bci/php-apache:8 , bci/php-apache:8.3.29 , bci/php-apache:8.3.29-18.6 , bci/php-apache:latest Container Release : 18.6 Severity : moderate Type : security References : 1255731 1255732 1255733 1255734 CVE-2025-14524 CVE-2025-14819 CVE-2025-15079 CVE-2025-15224 ----------------------------------------------------------------- The container bci/php-apache was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2026:52-1 Released: Wed Jan 7 10:28:34 2026 Summary: Security update for curl Type: security Severity: moderate References: 1255731,1255732,1255733,1255734,CVE-2025-14524,CVE-2025-14819,CVE-2025-15079,CVE-2025-15224 This update for curl fixes the following issues: - CVE-2025-14524: bearer token leak on cross-protocol redirect (bsc#1255731). - CVE-2025-14819: libssh global knownhost override (bsc#1255732). - CVE-2025-15079: libssh key passphrase bypass without agent set (bsc#1255733). - CVE-2025-15224: OpenSSL partial chain store policy bypass (bsc#1255734). 
The following package changes have been done: - libcurl4-8.14.1-150700.7.8.1 updated - container:registry.suse.com-bci-bci-base-15.7-7970b1398395a13b38e858c60a7b75db5f5265dd7c0ecdabe8919a458b2f34e5-0 updated From sle-container-updates at lists.suse.com Tue Jan 20 08:28:55 2026 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Tue, 20 Jan 2026 09:28:55 +0100 (CET) Subject: SUSE-CU-2026:337-1: Security update of bci/php-fpm Message-ID: <20260120082855.16204FF0C@maintenance.suse.de> SUSE Container Update Advisory: bci/php-fpm ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2026:337-1 Container Tags : bci/php-fpm:8 , bci/php-fpm:8.3.29 , bci/php-fpm:8.3.29-18.6 , bci/php-fpm:latest Container Release : 18.6 Severity : moderate Type : security References : 1255731 1255732 1255733 1255734 CVE-2025-14524 CVE-2025-14819 CVE-2025-15079 CVE-2025-15224 ----------------------------------------------------------------- The container bci/php-fpm was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2026:52-1 Released: Wed Jan 7 10:28:34 2026 Summary: Security update for curl Type: security Severity: moderate References: 1255731,1255732,1255733,1255734,CVE-2025-14524,CVE-2025-14819,CVE-2025-15079,CVE-2025-15224 This update for curl fixes the following issues: - CVE-2025-14524: bearer token leak on cross-protocol redirect (bsc#1255731). - CVE-2025-14819: libssh global knownhost override (bsc#1255732). - CVE-2025-15079: libssh key passphrase bypass without agent set (bsc#1255733). - CVE-2025-15224: OpenSSL partial chain store policy bypass (bsc#1255734). 
The following package changes have been done: - libcurl4-8.14.1-150700.7.8.1 updated - container:registry.suse.com-bci-bci-base-15.7-7970b1398395a13b38e858c60a7b75db5f5265dd7c0ecdabe8919a458b2f34e5-0 updated From sle-container-updates at lists.suse.com Tue Jan 20 08:29:18 2026 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Tue, 20 Jan 2026 09:29:18 +0100 (CET) Subject: SUSE-CU-2026:338-1: Security update of bci/php Message-ID: <20260120082918.86528FF0C@maintenance.suse.de> SUSE Container Update Advisory: bci/php ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2026:338-1 Container Tags : bci/php:8 , bci/php:8.3.29 , bci/php:8.3.29-18.6 , bci/php:latest Container Release : 18.6 Severity : moderate Type : security References : 1255731 1255732 1255733 1255734 CVE-2025-14524 CVE-2025-14819 CVE-2025-15079 CVE-2025-15224 ----------------------------------------------------------------- The container bci/php was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2026:52-1 Released: Wed Jan 7 10:28:34 2026 Summary: Security update for curl Type: security Severity: moderate References: 1255731,1255732,1255733,1255734,CVE-2025-14524,CVE-2025-14819,CVE-2025-15079,CVE-2025-15224 This update for curl fixes the following issues: - CVE-2025-14524: bearer token leak on cross-protocol redirect (bsc#1255731). - CVE-2025-14819: libssh global knownhost override (bsc#1255732). - CVE-2025-15079: libssh key passphrase bypass without agent set (bsc#1255733). - CVE-2025-15224: OpenSSL partial chain store policy bypass (bsc#1255734). 
The following package changes have been done: - libcurl4-8.14.1-150700.7.8.1 updated - container:registry.suse.com-bci-bci-base-15.7-7970b1398395a13b38e858c60a7b75db5f5265dd7c0ecdabe8919a458b2f34e5-0 updated From sle-container-updates at lists.suse.com Tue Jan 20 08:31:34 2026 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Tue, 20 Jan 2026 09:31:34 +0100 (CET) Subject: SUSE-CU-2026:343-1: Security update of bci/rust Message-ID: <20260120083134.B3417FF0C@maintenance.suse.de> SUSE Container Update Advisory: bci/rust ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2026:343-1 Container Tags : bci/rust:1.91 , bci/rust:1.91.0 , bci/rust:1.91.0-2.3.5 , bci/rust:oldstable , bci/rust:oldstable-2.3.5 Container Release : 3.5 Severity : important Type : security References : 1254297 1254662 1254878 1255731 1255732 1255733 1255734 CVE-2025-13601 CVE-2025-14087 CVE-2025-14512 CVE-2025-14524 CVE-2025-14819 CVE-2025-15079 CVE-2025-15224 ----------------------------------------------------------------- The container bci/rust was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2026:18-1 Released: Mon Jan 5 11:52:25 2026 Summary: Security update for glib2 Type: security Severity: important References: 1254297,1254662,1254878,CVE-2025-13601,CVE-2025-14087,CVE-2025-14512 This update for glib2 fixes the following issues: - CVE-2025-14512: integer overflow in the GIO `escape_byte_string()` function when processing malicious files or remote filesystem attribute values can lead to denial-of-service (bsc#1254878). - CVE-2025-14087: buffer underflow in the GVariant parser `bytestring_parse()` and `string_parse()` functions when processing attacker-influenced data may lead to crash or code execution (bsc#1254662). 
- CVE-2025-13601: heap-based buffer overflow in the `g_escape_uri_string()` function when processing strings with a large number of unacceptable characters may lead to crash or code execution (bsc#1254297). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2026:52-1 Released: Wed Jan 7 10:28:34 2026 Summary: Security update for curl Type: security Severity: moderate References: 1255731,1255732,1255733,1255734,CVE-2025-14524,CVE-2025-14819,CVE-2025-15079,CVE-2025-15224 This update for curl fixes the following issues: - CVE-2025-14524: bearer token leak on cross-protocol redirect (bsc#1255731). - CVE-2025-14819: libssh global knownhost override (bsc#1255732). - CVE-2025-15079: libssh key passphrase bypass without agent set (bsc#1255733). - CVE-2025-15224: OpenSSL partial chain store policy bypass (bsc#1255734). The following package changes have been done: - libglib-2_0-0-2.78.6-150600.4.25.1 updated - libcurl4-8.14.1-150700.7.8.1 updated - container:registry.suse.com-bci-bci-base-15.7-7970b1398395a13b38e858c60a7b75db5f5265dd7c0ecdabe8919a458b2f34e5-0 updated From sle-container-updates at lists.suse.com Tue Jan 20 08:32:05 2026 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Tue, 20 Jan 2026 09:32:05 +0100 (CET) Subject: SUSE-CU-2026:344-1: Security update of bci/bci-sle15-kernel-module-devel Message-ID: <20260120083205.1DFE2FF0C@maintenance.suse.de> SUSE Container Update Advisory: bci/bci-sle15-kernel-module-devel ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2026:344-1 Container Tags : bci/bci-sle15-kernel-module-devel:15.7 , bci/bci-sle15-kernel-module-devel:15.7-55.6 , bci/bci-sle15-kernel-module-devel:latest Container Release : 55.6 Severity : moderate Type : security References : 1255731 1255732 1255733 1255734 CVE-2025-14524 CVE-2025-14819 CVE-2025-15079 CVE-2025-15224 
----------------------------------------------------------------- The container bci/bci-sle15-kernel-module-devel was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2026:52-1 Released: Wed Jan 7 10:28:34 2026 Summary: Security update for curl Type: security Severity: moderate References: 1255731,1255732,1255733,1255734,CVE-2025-14524,CVE-2025-14819,CVE-2025-15079,CVE-2025-15224 This update for curl fixes the following issues: - CVE-2025-14524: bearer token leak on cross-protocol redirect (bsc#1255731). - CVE-2025-14819: libssh global knownhost override (bsc#1255732). - CVE-2025-15079: libssh key passphrase bypass without agent set (bsc#1255733). - CVE-2025-15224: OpenSSL partial chain store policy bypass (bsc#1255734). The following package changes have been done: - libcurl4-8.14.1-150700.7.8.1 updated - container:registry.suse.com-bci-bci-base-15.7-7970b1398395a13b38e858c60a7b75db5f5265dd7c0ecdabe8919a458b2f34e5-0 updated From sle-container-updates at lists.suse.com Thu Jan 22 08:10:15 2026 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Thu, 22 Jan 2026 09:10:15 +0100 (CET) Subject: SUSE-IU-2026:208-1: Security update of suse/sl-micro/6.1/baremetal-os-container Message-ID: <20260122081015.E500AFF0D@maintenance.suse.de> SUSE Image Update Advisory: suse/sl-micro/6.1/baremetal-os-container ----------------------------------------------------------------- Image Advisory ID : SUSE-IU-2026:208-1 Image Tags : suse/sl-micro/6.1/baremetal-os-container:2.2.1 , suse/sl-micro/6.1/baremetal-os-container:2.2.1-7.52 , suse/sl-micro/6.1/baremetal-os-container:latest Image Release : 7.52 Severity : moderate Type : security References : 1254666 CVE-2025-14104 ----------------------------------------------------------------- The container suse/sl-micro/6.1/baremetal-os-container was updated. 
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: 381 Released: Wed Jan 21 14:46:47 2026 Summary: Security update for util-linux Type: security Severity: moderate References: 1254666,CVE-2025-14104 This update for util-linux fixes the following issues: - CVE-2025-14104: Fixed heap buffer overread in setpwnam() when processing 256-byte usernames (bsc#1254666). - lscpu: Add support for NVIDIA Olympus arm64 core (jsc#PED-13682). The following package changes have been done: - libuuid1-2.40.4-slfo.1.1_3.1 updated - libsmartcols1-2.40.4-slfo.1.1_3.1 updated - libblkid1-2.40.4-slfo.1.1_3.1 updated - libmount1-2.40.4-slfo.1.1_3.1 updated - libfdisk1-2.40.4-slfo.1.1_3.1 updated - util-linux-2.40.4-slfo.1.1_3.1 updated - SL-Micro-release-6.1-slfo.1.12.6 updated - util-linux-systemd-2.40.4-slfo.1.1_3.1 updated - container:SL-Micro-base-container-2.2.1-5.72 updated From sle-container-updates at lists.suse.com Thu Jan 22 08:11:22 2026 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Thu, 22 Jan 2026 09:11:22 +0100 (CET) Subject: SUSE-IU-2026:209-1: Security update of suse/sl-micro/6.1/base-os-container Message-ID: <20260122081122.BC817FF0D@maintenance.suse.de> SUSE Image Update Advisory: suse/sl-micro/6.1/base-os-container ----------------------------------------------------------------- Image Advisory ID : SUSE-IU-2026:209-1 Image Tags : suse/sl-micro/6.1/base-os-container:2.2.1 , suse/sl-micro/6.1/base-os-container:2.2.1-5.72 , suse/sl-micro/6.1/base-os-container:latest Image Release : 5.72 Severity : moderate Type : security References : 1254666 CVE-2025-14104 ----------------------------------------------------------------- The container suse/sl-micro/6.1/base-os-container was updated. 
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: 381 Released: Wed Jan 21 14:46:47 2026 Summary: Security update for util-linux Type: security Severity: moderate References: 1254666,CVE-2025-14104 This update for util-linux fixes the following issues: - CVE-2025-14104: Fixed heap buffer overread in setpwnam() when processing 256-byte usernames (bsc#1254666). - lscpu: Add support for NVIDIA Olympus arm64 core (jsc#PED-13682). The following package changes have been done: - libuuid1-2.40.4-slfo.1.1_3.1 updated - libsmartcols1-2.40.4-slfo.1.1_3.1 updated - libblkid1-2.40.4-slfo.1.1_3.1 updated - libmount1-2.40.4-slfo.1.1_3.1 updated - libfdisk1-2.40.4-slfo.1.1_3.1 updated - util-linux-2.40.4-slfo.1.1_3.1 updated - SL-Micro-release-6.1-slfo.1.12.6 updated - util-linux-systemd-2.40.4-slfo.1.1_3.1 updated - container:suse-toolbox-image-1.0.0-5.2 updated From sle-container-updates at lists.suse.com Thu Jan 22 08:12:31 2026 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Thu, 22 Jan 2026 09:12:31 +0100 (CET) Subject: SUSE-IU-2026:210-1: Security update of suse/sl-micro/6.1/kvm-os-container Message-ID: <20260122081231.AB77AFF0D@maintenance.suse.de> SUSE Image Update Advisory: suse/sl-micro/6.1/kvm-os-container ----------------------------------------------------------------- Image Advisory ID : SUSE-IU-2026:210-1 Image Tags : suse/sl-micro/6.1/kvm-os-container:2.2.1 , suse/sl-micro/6.1/kvm-os-container:2.2.1-5.75 , suse/sl-micro/6.1/kvm-os-container:latest Image Release : 5.75 Severity : moderate Type : security References : 1254666 CVE-2025-14104 ----------------------------------------------------------------- The container suse/sl-micro/6.1/kvm-os-container was updated. 
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: 381 Released: Wed Jan 21 14:46:47 2026 Summary: Security update for util-linux Type: security Severity: moderate References: 1254666,CVE-2025-14104 This update for util-linux fixes the following issues: - CVE-2025-14104: Fixed heap buffer overread in setpwnam() when processing 256-byte usernames (bsc#1254666). - lscpu: Add support for NVIDIA Olympus arm64 core (jsc#PED-13682). The following package changes have been done: - libuuid1-2.40.4-slfo.1.1_3.1 updated - libsmartcols1-2.40.4-slfo.1.1_3.1 updated - libblkid1-2.40.4-slfo.1.1_3.1 updated - libmount1-2.40.4-slfo.1.1_3.1 updated - libfdisk1-2.40.4-slfo.1.1_3.1 updated - util-linux-2.40.4-slfo.1.1_3.1 updated - SL-Micro-release-6.1-slfo.1.12.6 updated - util-linux-systemd-2.40.4-slfo.1.1_3.1 updated - container:SL-Micro-base-container-2.2.1-5.72 updated From sle-container-updates at lists.suse.com Thu Jan 22 08:13:49 2026 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Thu, 22 Jan 2026 09:13:49 +0100 (CET) Subject: SUSE-IU-2026:211-1: Security update of suse/sl-micro/6.1/rt-os-container Message-ID: <20260122081349.26CF6FF0C@maintenance.suse.de> SUSE Image Update Advisory: suse/sl-micro/6.1/rt-os-container ----------------------------------------------------------------- Image Advisory ID : SUSE-IU-2026:211-1 Image Tags : suse/sl-micro/6.1/rt-os-container:2.2.1 , suse/sl-micro/6.1/rt-os-container:2.2.1-5.66 , suse/sl-micro/6.1/rt-os-container:latest Image Release : 5.66 Severity : moderate Type : security References : 1254666 CVE-2025-14104 ----------------------------------------------------------------- The container suse/sl-micro/6.1/rt-os-container was updated. 
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: 381 Released: Wed Jan 21 14:46:47 2026 Summary: Security update for util-linux Type: security Severity: moderate References: 1254666,CVE-2025-14104 This update for util-linux fixes the following issues: - CVE-2025-14104: Fixed heap buffer overread in setpwnam() when processing 256-byte usernames (bsc#1254666). - lscpu: Add support for NVIDIA Olympus arm64 core (jsc#PED-13682). The following package changes have been done: - libuuid1-2.40.4-slfo.1.1_3.1 updated - libsmartcols1-2.40.4-slfo.1.1_3.1 updated - libblkid1-2.40.4-slfo.1.1_3.1 updated - libmount1-2.40.4-slfo.1.1_3.1 updated - libfdisk1-2.40.4-slfo.1.1_3.1 updated - util-linux-2.40.4-slfo.1.1_3.1 updated - SL-Micro-release-6.1-slfo.1.12.6 updated - util-linux-systemd-2.40.4-slfo.1.1_3.1 updated - container:SL-Micro-container-2.2.1-7.52 updated From sle-container-updates at lists.suse.com Thu Jan 22 08:18:05 2026 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Thu, 22 Jan 2026 09:18:05 +0100 (CET) Subject: SUSE-IU-2026:212-1: Security update of suse/sl-micro/6.2/baremetal-os-container Message-ID: <20260122081805.2A953FF0C@maintenance.suse.de> SUSE Image Update Advisory: suse/sl-micro/6.2/baremetal-os-container ----------------------------------------------------------------- Image Advisory ID : SUSE-IU-2026:212-1 Image Tags : suse/sl-micro/6.2/baremetal-os-container:2.3.0 , suse/sl-micro/6.2/baremetal-os-container:2.3.0-7.15 , suse/sl-micro/6.2/baremetal-os-container:latest Image Release : 7.15 Severity : important Type : security References : 1189788 1216091 1222044 1225451 1228434 1229106 1230267 1232458 1234752 1235598 1235636 1236384 1236481 1236820 1236939 1236983 1237044 1237172 1237587 1237949 1238315 1239012 1239543 1239809 1240132 1240529 1240750 1240752 1240754 1240756 1240757 1241162 1241164 1241214 1241222 1241223 
1241226 1241238 1241252 1241263 1241463 1241686 1241688 1243279 1243457 1243887 1243901 1244042 1244105 1249154 1250373 1250692 1252376 614646 CVE-2025-2784 CVE-2025-31133 CVE-2025-32050 CVE-2025-32051 CVE-2025-32052 CVE-2025-32053 CVE-2025-32906 CVE-2025-32907 CVE-2025-32908 CVE-2025-32909 CVE-2025-32910 CVE-2025-32911 CVE-2025-32912 CVE-2025-32913 CVE-2025-32914 CVE-2025-41244 CVE-2025-46420 CVE-2025-46421 CVE-2025-52565 CVE-2025-52881 CVE-2025-9566 ----------------------------------------------------------------- The container suse/sl-micro/6.2/baremetal-os-container was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: 158 Released: Wed Jun 25 10:16:46 2025 Summary: Security update for libsoup Type: security Severity: important References: 1240750,1240752,1240754,1240756,1240757,1241162,1241164,1241214,1241222,1241223,1241226,1241238,1241252,1241263,1241686,1241688,1250373,1250692,CVE-2025-2784,CVE-2025-32050,CVE-2025-32051,CVE-2025-32052,CVE-2025-32053,CVE-2025-32906,CVE-2025-32907,CVE-2025-32908,CVE-2025-32909,CVE-2025-32910,CVE-2025-32911,CVE-2025-32912,CVE-2025-32913,CVE-2025-32914,CVE-2025-41244,CVE-2025-46420,CVE-2025-46421 This update for libsoup fixes the following issues: - CVE-2025-2784: Fixed Heap buffer over-read in `skip_insignificant_space` when sniffing content (bsc#1240750) - CVE-2025-32050: Fixed Integer overflow in append_param_quoted (bsc#1240752) - CVE-2025-32051: Fixed Segmentation fault when parsing malformed data URI (bsc#1240754) - CVE-2025-32052: Fixed Heap buffer overflow in sniff_unknown() (bsc#1240756) - CVE-2025-32053: Fixed Heap buffer overflows in sniff_feed_or_html() and skip_insignificant_space() (bsc#1240757) - CVE-2025-32913: Fixed NULL pointer dereference in soup_message_headers_get_content_disposition (bsc#1241162) - CVE-2025-32914: Fixed out of bounds read in `soup_multipart_new_from_message()` (bsc#1241164) - CVE-2025-32912: Fixed NULL 
pointer dereference in SoupAuthDigest (bsc#1241214) - CVE-2025-32907: Fixed excessive memory consumption in server when client requests a large amount of overlapping ranges in a single HTTP request (bsc#1241222) - CVE-2025-32908: Fixed HTTP request leading to server crash due to HTTP/2 server not fully validating the values of pseudo-headers (bsc#1241223) - CVE-2025-32909: Fixed NULL pointer dereference in the sniff_mp4 function in soup-content-sniffer.c (bsc#1241226) - CVE-2025-32911: Fixed Double free on soup_message_headers_get_content_disposition() via 'params' (bsc#1241238) - CVE-2025-32910: Fixed null pointer dereference on client when server omits the 'realm' parameter in an Unauthorized response with Digest authentication (bsc#1241252) - CVE-2025-32906: Fixed Out of bounds reads in soup_headers_parse_request() (bsc#1241263) - CVE-2025-46420: Fixed Memory leak on soup_header_parse_quality_list() via soup-headers.c (bsc#1241686) - CVE-2025-46421: Fixed HTTP Authorization Header leak via an HTTP redirect (bsc#1241688) ----------------------------------------------------------------- Advisory ID: 161 Released: Tue Jul 1 14:39:34 2025 Summary: Recommended update for zypper, libzypp, libsolv Type: recommended Severity: important References: 1189788,1216091,1222044,1225451,1228434,1229106,1230267,1232458,1234752,1235598,1235636,1236384,1236481,1236820,1236939,1236983,1237044,1237172,1237587,1237949,1238315,1239012,1239543,1239809,1240132,1240529,1241463,1243279,1243457,1243887,1243901,1244042,1244105,1249154,1252376,614646,CVE-2025-31133,CVE-2025-52565,CVE-2025-52881,CVE-2025-9566 This update for zypper, libzypp, libsolv fixes the following issues: libsolv was updated to 0.7.33: - improve transaction ordering by allowing more uninst->uninst edges [bsc#1243457] - implement color filtering when adding update targets - support orderwithrequires dependencies in susedata.xml - build both static and dynamic libraries on new suse distros - support the apk package and repository 
format (both v2 and v3) - new dataiterator_final_{repo,solvable} functions - Provide a symbol specific for the ruby-version so yast does not break across updates (bsc#1235598) - fix replaces_installed_package using the wrong solvable id when checking the noupdate map - make POOL_FLAG_ADDFILEPROVIDESFILTERED behaviour more standard - add rpm_query_idarray query function - support rpm's 'orderwithrequires' dependency libzypp was updated to 17.37.6: - Enhancements regarding mirror handling during repo refresh. Added means to disable the use of mirrors when downloading security relevant files. Requires updating zypper to 1.14.91. - Fix autotestcase writer if ZYPP_FULLLOG=1 (bsc#1244042) If ZYPP_FULLLOG=1 a solver testcase to '/var/log/YaST2/autoTestcase' should be written for each solver run. There was no testcase written for the very first solver run. This is now fixed. - Pass $1==2 to %posttrans script if it's an update (bsc#1243279) - Fix credential handling in HEAD requests (bsc#1244105) - RepoInfo: use pathNameSetTrailingSlash (fixes #643) - Fix wrong userdata parameter type when running zypp with debug verbosity (bsc#1239012) - Do not warn about no mirrors if mirrorlist was switched on automatically. 
  (bsc#1243901)
- Relax permission of cached packages to 0644 & ~umask (bsc#1243887)
- Add a note to service maintained .repo file entries (fixes #638)
- Support using %{url} variable in a RIS service's repo section.
- Use a cookie file to validate mirrorlist cache.
  This patch extends the mirrorlist code to use a cookie file to validate the contents of the cache against the source URL, making sure that we do not accidentally use an old cache when the mirrorlist url was changed. For example when migrating a system from one release to the next where the same repo alias might just have a different URL.
- Let Service define and update gpgkey, mirrorlist and metalink.
- Preserve a mirrorlist file in the raw cache during refresh.
- Code16: Enable curl2 backend and parallel package download by default.
  In Code15 it's optional. Environment variables ZYPP_CURL2=<0|1> and ZYPP_PCK_PRELOAD=<0|1> can be used to turn the features on or off.
- Make gpgKeyUrl the default source for gpg keys.
  When refreshing, zypp now primarily uses gpgKeyUrl information from the repo files and only falls back to an automatically generated key Url if a gpgKeyUrl was not specified.
- Introduce mirrors into the Media backends (bsc#1240132)
- Drop MediaMultiCurl backend.
- Throttle progress updates when preloading packages (bsc#1239543)
- Check if request is in valid state in CURL callbacks (fixes openSUSE/zypper#605)
- spec/CMake: add conditional build '--with[out] classic_rpmtrans_as_default'.
  classic_rpmtrans is the current builtin default for SUSE, otherwise it's single_rpmtrans. The `enable_preview_single_rpmtrans_as_default_for_zypper` switch was removed from the spec file. Accordingly the CMake option ENABLE_PREVIEW_SINGLE_RPMTRANS_AS_DEFAULT_FOR_ZYPPER was removed.
- fixed build with boost 1.88.
- XmlReader: Fix detection of bad input streams (fixes #635)
  libxml2 2.14 potentially reads the complete stream, so it may have the 'eof' bit set. Which is not 'good' but also not 'bad'.
- rpm: Fix detection of %triggerscript starts (bsc#1222044)
- RepoindexFileReader: add more related attributes a service may set.
  Add optional attributes gpgcheck, repo_gpgcheck, pkg_gpgcheck, keeppackages, gpgkey, mirrorlist, and metalink with the same semantic as in a .repo file.
- Drop workaround for broken rpm-4.18 in Code16 (bsc#1237172)
- BuildRequires: %{libsolv_devel_package} >= 0.7.32.
  Code16 moved static libs to libsolv-devel-static.
- Drop usage of SHA1 hash algorithm because it will become unavailable in FIPS mode (bsc#1240529)
- Fix zypp.conf dupAllowVendorChange to reflect the correct default (false).
  The default was true in Code12 (libzypp-16.x) and changed to false with Code15 (libzypp-17.x). Unfortunately this was done by shipping a modified zypp.conf file rather than fixing the code.
- zypp.conf: Add `lock_timeout` ($ZYPP_LOCK_TIMEOUT) (bsc#1239809)
- Fix computation of RepStatus if Repo URLs change.
- Fix lost double slash when appending to an absolute FTP url (bsc#1238315)
  Ftp actually differs between absolute and relative URL paths. Absolute path names begin with a double slash encoded as '/%2F'. This must be preserved when manipulating the path.
- Add a transaction package preloader (fixes openSUSE/zypper#104)
  This patch adds a preloader that concurrently downloads files during a transaction commit. It's not yet enabled per default. To enable the preview set ZYPP_CURL2=1 and ZYPP_PCK_PRELOAD=1 in the environment.
- RpmPkgSigCheck_test: Exchange the test package signingkey (fixes #622)
- Exclude MediaCurl tests if DISABLE_MEDIABACKEND_TESTS (fixes #626)
- Strip a mediahandler tag from baseUrl querystrings.
- Disable zypp.conf:download.use_deltarpm by default (fixes #620)
  Measurements show that you don't benefit from using deltarpms unless your network connection is very slow. That's why most distributions even stop offering deltarpms. The default remains unchanged on SUSE-15.6 and older.
- Make sure repo variables are evaluated in the right context (bsc#1237044)
- Introducing MediaCurl2, an alternative HTTP backend.
  This patch adds MediaCurl2 as a testbed for experimenting with a more simple way to download files. Set ZYPP_CURL2=1 in the environment to use it.
- Filesystem usrmerge must not be done in singletrans mode (bsc#1236481, bsc#1189788)
  Commit will amend the backend in case the transaction would perform a filesystem usrmerge.
- Workaround bsc#1216091 on Code16.
- Don't issue deprecated warnings if -DNDEBUG is set (bsc#1236983)
  Released libyui packages compile with -Werror=deprecated-declarations so we can't add deprecated warnings without breaking them.
- make gcc15 happy (fixes #613)
- Drop zypp-CheckAccessDeleted in favor of 'zypper ps'.
- Fix Repoverification plugin not being executed (fixes #614)
- Refresh: Fetch the master index file before key and signature (bsc#1236820)
- Allow libzypp to compile with C++20.
- Deprecate RepoReports we do not trigger.
- Create '.keep_packages' in the package cache dir to enforce keeping downloaded packages of all repos cached there (bsc#1232458)
- Fix missing UID checks in repomanager workflow (fixes #603)
- Move cmake config files to LIB_INSTALL_DIR/cmake/Zypp (fixes #28)
- Fix 'zypper ps' when running in incus container (bsc#1229106)
  Should apply to lxc and lxd containers as well.
- Re-enable 'rpm --runposttrans' usage for chrooted systems (bsc#1216091)

zypper was updated to 1.14.91:

- BuildRequires: libzypp-devel >= 17.37.6.
  Enhancements regarding mirror handling during repo refresh. Adapt to libzypp API changes. (bsc#1230267)
- Use libzypp improvements for preload and mirror handling.
- xmlout.rnc: Update repo-element (bsc#1241463)
  Add the 'metalink' attribute and reflect that the 'url' elements list may in fact be empty, if no baseurls are defined in the .repo files.
- man: update --allow-unsigned-rpm description.
  Explain how to achieve the same for packages provided by repositories.
- Updated translations (bsc#1230267)
- Do not double encode URL strings passed on the commandline (bsc#1237587)
  URLs passed on the commandline must have their special chars encoded already. We just want to check and encode forgotten unsafe chars like a blank. A '%' however must not be encoded again.
- Package preloader that concurrently downloads files.
  It's not yet enabled per default. To enable the preview set ZYPP_CURL2=1 and ZYPP_PCK_PRELOAD=1 in the environment. (#104)
- refresh: add --include-all-archs (fixes #598)
  Future multi-arch repos may allow to download only those metadata which refer to packages actually compatible with the systems architecture. Some tools however want zypp to provide the full metadata of a repository without filtering incompatible architectures.
- info,search: add option to search and list Enhances (bsc#1237949)
- Announce --root in commands not launching a Target (bsc#1237044)
- Let zypper dup fail in case of (temporarily) inaccessible repos (bsc#1228434, bsc#1236939, fixes #446)
- New system-architecture command (bsc#1236384)
  Prints the detected system architecture.
- Change versioncmp command to return exit code according to the comparison result (#593)
- lr: show the repositories keep-packages flag (bsc#1232458)
  It is shown in the details view or by using -k,--keep-packages. In addition libzypp supports to enforce keeping downloaded packages of all repos within a package cache by creating a '.keep_packages' file there.
- Try to refresh update repos first to have updated GPG keys on the fly (bsc#1234752)
  An update repo may contain a prolonged GPG key for the GA repo. Refreshing the update repo first updates a trusted key on the fly and avoids a 'key has expired' warning being issued when refreshing the GA repo.
- Refresh: restore legacy behavior and suppress Exception reporting as non-root (bsc#1235636)
- info: Allow to query a specific version (jsc#PED-11268)
  To query for a specific version simply append '-' or '--' to the '' pattern. Note that the edition part must always match exactly.
- Don't try to download missing raw metadata if cache is not writable (bsc#1225451)
- man: Update 'search' command description.
  Hint to 'se -v' showing the matches within the packages metadata. Explain that search strings starting with a '/' will implicitly look into the filelist as well. Otherwise an explicit '-f' is needed.

The following package changes have been done:

- libvmtools0-13.0.5-160000.1.1 updated
- open-vm-tools-13.0.5-160000.1.1 updated
- podman-5.4.2-160000.3.1 updated


From sle-container-updates at lists.suse.com Thu Jan 22 08:27:05 2026
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Thu, 22 Jan 2026 09:27:05 +0100 (CET)
Subject: SUSE-CU-2026:362-1: Security update of suse/kiosk/firefox-esr
Message-ID: <20260122082705.6E57FFF0C@maintenance.suse.de>

SUSE Container Update Advisory: suse/kiosk/firefox-esr
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2026:362-1
Container Tags : suse/kiosk/firefox-esr:140.6 , suse/kiosk/firefox-esr:140.6-70.7 , suse/kiosk/firefox-esr:esr , suse/kiosk/firefox-esr:latest
Container Release : 70.7
Severity : important
Type : security
References : 1220545 1255392 CVE-2023-6601 CVE-2025-63757
-----------------------------------------------------------------

The container suse/kiosk/firefox-esr was updated.

The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:198-1
Released: Wed Jan 21 11:16:17 2026
Summary: Security update for ffmpeg-4
Type: security
Severity: important
References: 1220545,1255392,CVE-2023-6601,CVE-2025-63757

This update for ffmpeg-4 fixes the following issues:

- CVE-2023-6601: Fixed HLS Unsafe File Extension Bypass (bsc#1220545).
- CVE-2025-63757: Fixed integer overflow in yuv2ya16_X_c_template() (bsc#1255392).

The following package changes have been done:

- libavutil56_70-4.4.6-150600.13.38.1 updated
- libswresample3_9-4.4.6-150600.13.38.1 updated
- libavcodec58_134-4.4.6-150600.13.38.1 updated
- container:suse-sle15-15.7-7970b1398395a13b38e858c60a7b75db5f5265dd7c0ecdabe8919a458b2f34e5-0 updated


From sle-container-updates at lists.suse.com Thu Jan 22 08:27:20 2026
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Thu, 22 Jan 2026 09:27:20 +0100 (CET)
Subject: SUSE-CU-2026:363-1: Security update of suse/kiosk/xorg-client
Message-ID: <20260122082720.5F2E6FF0C@maintenance.suse.de>

SUSE Container Update Advisory: suse/kiosk/xorg-client
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2026:363-1
Container Tags : suse/kiosk/xorg-client:21 , suse/kiosk/xorg-client:21-70.5 , suse/kiosk/xorg-client:latest
Container Release : 70.5
Severity : important
Type : security
References : 1220545 1255392 CVE-2023-6601 CVE-2025-63757
-----------------------------------------------------------------

The container suse/kiosk/xorg-client was updated.

The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:198-1
Released: Wed Jan 21 11:16:17 2026
Summary: Security update for ffmpeg-4
Type: security
Severity: important
References: 1220545,1255392,CVE-2023-6601,CVE-2025-63757

This update for ffmpeg-4 fixes the following issues:

- CVE-2023-6601: Fixed HLS Unsafe File Extension Bypass (bsc#1220545).
- CVE-2025-63757: Fixed integer overflow in yuv2ya16_X_c_template() (bsc#1255392).

The following package changes have been done:

- libavutil56_70-4.4.6-150600.13.38.1 updated
- libswresample3_9-4.4.6-150600.13.38.1 updated
- libavcodec58_134-4.4.6-150600.13.38.1 updated
- container:suse-sle15-15.7-7970b1398395a13b38e858c60a7b75db5f5265dd7c0ecdabe8919a458b2f34e5-0 updated
- container:registry.suse.com-bci-bci-micro-15.7-4ea6269b17048f73c022844251731ef4f640fdb9eb72a2ab53ec7f9413b89ee3-0 updated


From sle-container-updates at lists.suse.com Fri Jan 23 08:06:03 2026
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Fri, 23 Jan 2026 09:06:03 +0100 (CET)
Subject: SUSE-IU-2026:223-1: Security update of suse/sle-micro/base-5.5
Message-ID: <20260123080603.B945DFF0D@maintenance.suse.de>

SUSE Image Update Advisory: suse/sle-micro/base-5.5
-----------------------------------------------------------------
Image Advisory ID : SUSE-IU-2026:223-1
Image Tags : suse/sle-micro/base-5.5:2.0.4 , suse/sle-micro/base-5.5:2.0.4-5.8.233 , suse/sle-micro/base-5.5:latest
Image Release : 5.8.233
Severity : important
Type : security
References : 1255715 1256244 1256246 1256341 1256390 CVE-2025-13151 CVE-2025-68973
-----------------------------------------------------------------

The container suse/sle-micro/base-5.5 was updated.

The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:214-1
Released: Thu Jan 22 13:09:26 2026
Summary: Security update for gpg2
Type: security
Severity: important
References: 1255715,1256244,1256246,1256390,CVE-2025-68973

This update for gpg2 fixes the following issues:

- CVE-2025-68973: Fix possible memory corruption in the armor parser (gpg.fail/memcpy)(bsc#1255715).
- Avoid potential downgrade to SHA1 in 3rd party key signatures (gpg.fail/sha1) (bsc#1256246).
- Error out on unverified output for non-detached signatures (gpg.fail/detached) (bsc#1256244).
- Fix Cleartext Signature Forgery in the NotDashEscaped header implementation in GnuPG (gpg.fail/notdash) (bsc#1256390).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:224-1
Released: Thu Jan 22 13:18:20 2026
Summary: Security update for libtasn1
Type: security
Severity: moderate
References: 1256341,CVE-2025-13151

This update for libtasn1 fixes the following issues:

- CVE-2025-13151: stack-based buffer overflow in `asn1_expend_octet_string` (bsc#1256341).

The following package changes have been done:

- libtasn1-6-4.13-150000.4.14.1 updated
- libtasn1-4.13-150000.4.14.1 updated
- gpg2-2.2.27-150300.3.16.1 updated


From sle-container-updates at lists.suse.com Fri Jan 23 08:09:46 2026
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Fri, 23 Jan 2026 09:09:46 +0100 (CET)
Subject: SUSE-IU-2026:225-1: Security update of suse/sle-micro/rt-5.5
Message-ID: <20260123080946.9F35EFF0D@maintenance.suse.de>

SUSE Image Update Advisory: suse/sle-micro/rt-5.5
-----------------------------------------------------------------
Image Advisory ID : SUSE-IU-2026:225-1
Image Tags : suse/sle-micro/rt-5.5:2.0.4 , suse/sle-micro/rt-5.5:2.0.4-4.5.553 , suse/sle-micro/rt-5.5:latest
Image Release : 4.5.553
Severity : important
Type : security
-----------------------------------------------------------------

The container suse/sle-micro/rt-5.5 was updated.

The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:263-1
Released: Thu Jan 22 22:15:00 2026
Summary: Security update for the Linux Kernel
Type: security
Severity: important

The SUSE Linux Enterprise 15 SP5 RT kernel was updated to fix various security issues

The following security issues were fixed:

- CVE-2022-50630: mm: hugetlb: fix UAF in hugetlb_handle_userfault (bsc#1254785).
- CVE-2022-50700: wifi: ath10k: Delay the unmapping of the buffer (bsc#1255576).
- CVE-2023-53254: cacheinfo: Fix shared_cpu_map to handle shared caches at different levels (bsc#1249871).
- CVE-2023-53781: smc: Fix use-after-free in tcp_write_timer_handler() (bsc#1254751).
- CVE-2024-56590: Bluetooth: hci_core: Fix not checking skb length on hci_acldata_packet (bsc#1235038).
- CVE-2025-39977: futex: Prevent use-after-free during requeue-PI (bsc#1252046).
- CVE-2025-40019: crypto: essiv - Check ssize for decryption and in-place encryption (bsc#1252678).
- CVE-2025-40139: net: ipv4: Consolidate ipv4_mtu and ip_dst_mtu_maybe_forward (bsc#1253409).
- CVE-2025-40215: kABI: xfrm: delete x->tunnel as we delete x (bsc#1254959).
- CVE-2025-40220: fuse: fix livelock in synchronous file put from fuseblk workers (bsc#1254520).
- CVE-2025-40233: ocfs2: clear extent cache after moving/defragmenting extents (bsc#1254813).
- CVE-2025-40258: mptcp: fix race condition in mptcp_schedule_work() (bsc#1254843).
- CVE-2025-40277: drm/vmwgfx: Validate command header size against (bsc#1254894).
- CVE-2025-40280: tipc: Fix use-after-free in tipc_mon_reinit_self() (bsc#1254847).
- CVE-2025-40331: sctp: Prevent TOCTOU out-of-bounds write (bsc#1254615).
- CVE-2025-68732: gpu: host1x: Fix race in syncpt alloc/free (bsc#1255688).
The following non security issues were fixed:

- ACPI/IORT: Fix memory leak in iort_rmr_alloc_sids() (git-fixes).
- ACPI: PRM: Remove unnecessary strict handler address checks (git-fixes).
- ACPI: property: Do not pass NULL handles to acpi_attach_data() (git-fixes).
- ACPI: property: Fix buffer properties extraction for subnodes (git-fixes).
- KVM: SVM: Fix TSC_AUX virtualization setup (git-fixes).
- RDMA/cm: Rate limit destroy CM ID timeout error message (git-fixes).
- RDMA/counter: Check CAP_NET_RAW check in user namespace for RDMA counters (git-fixes).
- RDMA/hns: Fix the modification of max_send_sge (git-fixes).
- RDMA/mlx5: Check CAP_NET_RAW in user namespace for anchor create (git-fixes).
- RDMA/mlx5: Check CAP_NET_RAW in user namespace for devx create (git-fixes).
- RDMA/mlx5: Check CAP_NET_RAW in user namespace for flow create (git-fixes).
- RDMA/mlx5: Fix compilation warning when USER_ACCESS isn't set (git-fixes).
- RDMA/nldev: Check CAP_NET_RAW in user namespace for QP modify (git-fixes).
- RDMA/uverbs: Add empty rdma_uattrs_has_raw_cap() declaration (git-fixes).
- RDMA/uverbs: Check CAP_NET_RAW in user namespace for QP create (git-fixes).
- RDMA/uverbs: Check CAP_NET_RAW in user namespace for RAW QP create (git-fixes).
- RDMA/uverbs: Check CAP_NET_RAW in user namespace for flow create (git-fixes).
- arch/idle: Change arch_cpu_idle() behavior: always exit with IRQs disabled (git-fixes).
- cpuidle/poll: Ensure IRQs stay disabled after cpuidle_state::enter() calls (git-fixes).
- cpuidle: Move IRQ state validation (git-fixes).
- cpuidle: haltpoll: Do not enable interrupts when entering idle (git-fixes).
- dm: free table mempools if not used in __bind (git-fixes).
- padata: Honor the caller's alignment in case of chunk_size 0 (bsc#1237563).
- platform/x86/intel-uncore-freq: Fail module load when plat_info is NULL (git-fixes).
- x86/bugs: Fix RSB clearing in indirect_branch_prediction_barrier() (git-fixes).
- x86/bugs: Use SBPB in write_ibpb() if applicable (git-fixes).
- x86/paravirt: Move halt paravirt calls under CONFIG_PARAVIRT (git-fixes).
- x86/tdx: Drop flags from __tdx_hypercall() (git-fixes).
- x86/tdx: Dynamically disable SEPT violations from causing #VEs (git-fixes).
- x86/tdx: Emit warning if IRQs are enabled during HLT #VE handling (git-fixes).
- x86/tdx: Extend TDX_MODULE_CALL to support more TDCALL/SEAMCALL leafs (git-fixes).
- x86/tdx: Fix __noreturn build warning around __tdx_hypercall_failed() (git-fixes).
- x86/tdx: Fix arch_safe_halt() execution for TDX VMs (git-fixes).
- x86/tdx: Introduce wrappers to read and write TD metadata (git-fixes).
- x86/tdx: Make TDX_HYPERCALL asm similar to TDX_MODULE_CALL (git-fixes).
- x86/tdx: Make macros of TDCALLs consistent with the spec (git-fixes).
- x86/tdx: Pass TDCALL/SEAMCALL input/output registers via a structure (git-fixes).
- x86/tdx: Reimplement __tdx_hypercall() using TDX_MODULE_CALL asm (git-fixes).
- x86/tdx: Remove 'struct tdx_hypercall_args' (git-fixes).
- x86/tdx: Remove TDX_HCALL_ISSUE_STI (git-fixes).
- x86/tdx: Rename __tdx_module_call() to __tdcall() (git-fixes).
- x86/tdx: Rename tdx_parse_tdinfo() to tdx_setup() (git-fixes).
- x86/tdx: Retry partially-completed page conversion hypercalls (git-fixes).
- x86/tdx: Skip saving output regs when SEAMCALL fails with VMFailInvalid (git-fixes).
- x86/tdx: Zero out the missing RSI in TDX_HYPERCALL macro (git-fixes).
- x86/virt/tdx: Make TDX_MODULE_CALL handle SEAMCALL #UD and #GP (git-fixes).
- x86/virt/tdx: Wire up basic SEAMCALL functions (git-fixes).
- xfs: fix sparse inode limits on runt AG (bsc#1254392).

The following package changes have been done:

- kernel-rt-5.14.21-150500.13.118.1 updated


From sle-container-updates at lists.suse.com Fri Jan 23 08:11:53 2026
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Fri, 23 Jan 2026 09:11:53 +0100 (CET)
Subject: SUSE-IU-2026:226-1: Recommended update of suse/sl-micro/6.2/baremetal-os-container
Message-ID: <20260123081153.0F8BFFF0D@maintenance.suse.de>

SUSE Image Update Advisory: suse/sl-micro/6.2/baremetal-os-container
-----------------------------------------------------------------
Image Advisory ID : SUSE-IU-2026:226-1
Image Tags        : suse/sl-micro/6.2/baremetal-os-container:2.3.0 , suse/sl-micro/6.2/baremetal-os-container:2.3.0-7.17 , suse/sl-micro/6.2/baremetal-os-container:latest
Image Release     : 7.17
Severity          : important
Type              : recommended
References        : 1254087 1254541
-----------------------------------------------------------------

The container suse/sl-micro/6.2/baremetal-os-container was updated.

The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: 163
Released:    Thu Jan 22 10:37:47 2026
Summary:     Recommended update for mdadm
Type:        recommended
Severity:    important
References:  1254087,1254541

This update for mdadm fixes the following issues:

- fix crash with homehost=none (bsc#1254541)
- mdcheck: workaround for bash 5.3 bug (bsc#1254087)

The following package changes have been done:

- mdadm-4.4+31.g541b40d3-160000.1.1 updated


From sle-container-updates at lists.suse.com Fri Jan 23 08:11:54 2026
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Fri, 23 Jan 2026 09:11:54 +0100 (CET)
Subject: SUSE-IU-2026:228-1: Security update of suse/sl-micro/6.2/baremetal-os-container
Message-ID: <20260123081154.C443DFF0D@maintenance.suse.de>

SUSE Image Update Advisory: suse/sl-micro/6.2/baremetal-os-container
-----------------------------------------------------------------
Image Advisory ID : SUSE-IU-2026:228-1
Image Tags        : suse/sl-micro/6.2/baremetal-os-container:2.3.0 , suse/sl-micro/6.2/baremetal-os-container:2.3.0-7.21 , suse/sl-micro/6.2/baremetal-os-container:latest
Image Release     : 7.21
Severity          : moderate
Type              : security
References        : 1256525 1256526 CVE-2026-22695 CVE-2026-22801
-----------------------------------------------------------------

The container suse/sl-micro/6.2/baremetal-os-container was updated.

The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: 172
Released:    Thu Jan 22 15:29:42 2026
Summary:     Security update for libpng16
Type:        security
Severity:    moderate
References:  1256525,1256526,CVE-2026-22695,CVE-2026-22801

This update for libpng16 fixes the following issues:

- CVE-2026-22695: Fixed heap buffer over-read in png_image_finish_read (bsc#1256525).
- CVE-2026-22801: Fixed integer truncation causing heap buffer over-read in png_image_write_* (bsc#1256526).

The following package changes have been done:

- libpng16-16-1.6.44-160000.4.1 updated
- container:suse-sl-micro-6.2-base-os-container-latest-2c8e5185f404bfa6041e8c8daedfe13f96f3889f3ccd2f52e0dec59f29f61c87-0 updated


From sle-container-updates at lists.suse.com Fri Jan 23 08:11:53 2026
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Fri, 23 Jan 2026 09:11:53 +0100 (CET)
Subject: SUSE-IU-2026:227-1: Security update of suse/sl-micro/6.2/baremetal-os-container
Message-ID: <20260123081153.DE5D0FF0D@maintenance.suse.de>

SUSE Image Update Advisory: suse/sl-micro/6.2/baremetal-os-container
-----------------------------------------------------------------
Image Advisory ID : SUSE-IU-2026:227-1
Image Tags        : suse/sl-micro/6.2/baremetal-os-container:2.3.0 , suse/sl-micro/6.2/baremetal-os-container:2.3.0-7.20 , suse/sl-micro/6.2/baremetal-os-container:latest
Image Release     : 7.20
Severity          : important
Type              : security
References        : 1244680 1244705 1245227 1246114 1247249 1250655 1250664 1251305 1252974 1253679 1254264 1254400 1254401 1254928 1254997 CVE-2025-12084 CVE-2025-13836 CVE-2025-13837 CVE-2025-6069 CVE-2025-6075 CVE-2025-6199 CVE-2025-7345 CVE-2025-8194 CVE-2025-8291
-----------------------------------------------------------------

The container suse/sl-micro/6.2/baremetal-os-container was updated.

The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: 162
Released:    Thu Jan 22 09:15:08 2026
Summary:     Recommended update for suse-module-tools
Type:        recommended
Severity:    important
References:  1250655,1250664,1253679,1254264,1254928

This update for suse-module-tools fixes the following issues:

- Update to version 16.0.64:
  * udev rules: write block queue attributes only if necessary (bsc#1254928)
- Update to version 16.0.63:
  * 80-hotplug-cpu-mem.rules: remount tmpfs on 'online' uevents (bsc#1254264)
  * udev: use systemd service to remount tmpfs (bsc#1253679)
- Update to version 16.0.62:
  * spec file: remove %udev_rules_update call (bsc#1250664)
- Update to version 16.0.61:
  * weak-modules2: skip livepatch dir when checking for unresolved symbols (bsc#1250655)

-----------------------------------------------------------------
Advisory ID: 170
Released:    Thu Jan 22 14:47:27 2026
Summary:     Security update for python313
Type:        security
Severity:    moderate
References:  1244680,1244705,1247249,1251305,1252974,1254400,1254401,1254997,CVE-2025-12084,CVE-2025-13836,CVE-2025-13837,CVE-2025-6069,CVE-2025-6075,CVE-2025-8194,CVE-2025-8291

This update for python313 fixes the following issues:

- Update to 3.13.11:
  - Security
    - CVE-2025-12084: cpython: Fixed quadratic algorithm in xml.dom.minidom leading to denial of service (bsc#1254997)
    - CVE-2025-13836: Fixed default Content-Length read amount from HTTP response (bsc#1254400)
    - CVE-2025-13837: Fixed plistlib module denial of service (bsc#1254401)
    - CVE-2025-8291: Fixed validity of the ZIP64 End of Central Directory (EOCD) not checked by the 'zipfile' module (bsc#1251305)
    - gh-137836: Add support of the "plaintext" element, RAWTEXT elements "xmp", "iframe", "noembed" and "noframes", and optionally RAWTEXT element "noscript" in html.parser.HTMLParser.
    - gh-136063: email.message: ensure linear complexity for legacy HTTP parameters parsing. Patch by Bénédikt Tran.
    - CVE-2025-6075: Fixed performance issues caused by user-controlled os.path.expandvars() (bsc#1252974)
  - Library
    - gh-140797: Revert changes to the undocumented re.Scanner class. Capturing groups are still allowed for backward compatibility, although using them can lead to incorrect result. They will be forbidden in future Python versions.
    - gh-142206: The resource tracker in the multiprocessing module now uses the original communication protocol, as in Python 3.14.0 and below, by default. This avoids issues with upgrading Python while it is running. (Note that such "in-place" upgrades are not tested.) The tracker remains compatible with subprocesses that use new protocol (that is, subprocesses using Python 3.13.10, 3.14.1 and 3.15).
  - Core and Builtins
    - gh-142218: Fix crash when inserting into a split table dictionary with a non str key that matches an existing key.
- Update to 3.13.10:
  - Tools/Demos
    - gh-141442: The iOS testbed now correctly handles test arguments that contain spaces.
  - Tests
    - gh-140482: Preserve and restore the state of stty echo as part of the test environment.
    - gh-140082: Update python -m test to set FORCE_COLOR=1 when being run with color enabled so that unittest which is run by it with redirected output will output in color.
    - gh-136442: Use exitcode 1 instead of 5 if unittest.TestCase.setUpClass() raises an exception
  - Library
    - gh-74389: When the stdin being used by a subprocess.Popen instance is closed, this is now ignored in subprocess.Popen.communicate() instead of leaving the class in an inconsistent state.
    - gh-87512: Fix subprocess.Popen.communicate() timeout handling on Windows when writing large input. Previously, the timeout was ignored during stdin writing, causing the method to block indefinitely if the child process did not consume input quickly.
      The stdin write is now performed in a background thread, allowing the timeout to be properly enforced.
    - gh-141473: When subprocess.Popen.communicate() was called with input and a timeout and is called for a second time after a TimeoutExpired exception before the process has died, it should no longer hang.
    - gh-59000: Fix pdb breakpoint resolution for class methods when the module defining the class is not imported.
    - gh-141570: Support file-like object raising OSError from fileno() in color detection (_colorize.can_colorize()). This can occur when sys.stdout is redirected.
    - gh-141659: Fix bad file descriptor errors from _posixsubprocess on AIX.
    - gh-141497: ipaddress: ensure that the methods IPv4Network.hosts() and IPv6Network.hosts() always return an iterator.
    - gh-140938: The statistics.stdev() and statistics.pstdev() functions now raise a ValueError when the input contains an infinity or a NaN.
    - gh-124111: Updated Tcl threading configuration in _tkinter to assume that threads are always available in Tcl 9 and later.
    - gh-137109: The os.fork and related forking APIs will no longer warn in the common case where Linux or macOS platform APIs return the number of threads in a process and find the answer to be 1 even when a os.register_at_fork() after_in_parent= callback (re)starts a thread.
    - gh-141314: Fix assertion failure in io.TextIOWrapper.tell() when reading files with standalone carriage return (\r) line endings.
    - gh-141311: Fix assertion failure in io.BytesIO.readinto() and undefined behavior arising when read position is above capacity in io.BytesIO.
    - gh-141141: Fix a thread safety issue with base64.b85decode(). Contributed by Benel Tayar.
    - gh-140911: collections: Ensure that the methods UserString.rindex() and UserString.index() accept collections.UserString instances as the sub argument.
    - gh-140797: The undocumented re.Scanner class now forbids regular expressions containing capturing groups in its lexicon patterns.
      Patterns using capturing groups could previously lead to crashes with segmentation fault. Use non-capturing groups (?:...) instead.
    - gh-140815: faulthandler now detects if a frame or a code object is invalid or freed. Patch by Victor Stinner.
    - gh-100218: Correctly set errno when socket.if_nametoindex() or socket.if_indextoname() raise an OSError. Patch by Bénédikt Tran.
    - gh-140875: Fix handling of unclosed character references (named and numerical) followed by the end of file in html.parser.HTMLParser with convert_charrefs=False.
    - gh-140734: multiprocessing: fix off-by-one error when checking the length of a temporary socket file path. Patch by Bénédikt Tran.
    - gh-140874: Bump the version of pip bundled in ensurepip to version 25.3
    - gh-140691: In urllib.request, when opening a FTP URL fails because a data connection cannot be made, the control connection's socket is now closed to avoid a ResourceWarning.
    - gh-103847: Fix hang when cancelling process created by asyncio.create_subprocess_exec() or asyncio.create_subprocess_shell(). Patch by Kumar Aditya.
    - gh-140590: Fix arguments checking for the functools.partial.__setstate__() that may lead to internal state corruption and crash. Patch by Sergey Miryanov.
    - gh-140634: Fix a reference counting bug in os.sched_param.__reduce__().
    - gh-140633: Ignore AttributeError when setting a module's __file__ attribute when loading an extension module packaged as Apple Framework.
    - gh-140593: xml.parsers.expat: Fix a memory leak that could affect users with ElementDeclHandler() set to a custom element declaration handler. Patch by Sebastian Pipping.
    - gh-140607: Inside io.RawIOBase.read(), validate that the count of bytes returned by io.RawIOBase.readinto() is valid (inside the provided buffer).
    - gh-138162: Fix logging.LoggerAdapter with merge_extra=True and without the extra argument.
    - gh-140474: Fix memory leak in array.array when creating arrays from an empty str and the u type code.
    - gh-140272: Fix memory leak in the clear() method of the dbm.gnu database.
    - gh-140041: Fix import of ctypes on Android and Cygwin when ABI flags are present.
    - gh-139905: Add suggestion to error message for typing.Generic subclasses when cls.__parameters__ is missing due to a parent class failing to call super().__init_subclass__() in its __init_subclass__.
    - gh-139845: Fix to not print KeyboardInterrupt twice in default asyncio REPL.
    - gh-139783: Fix inspect.getsourcelines() for the case when a decorator is followed by a comment or an empty line.
    - gh-70765: http.server: fix default handling of HTTP/0.9 requests in BaseHTTPRequestHandler. Previously, BaseHTTPRequestHandler.parse_request() incorrectly waited for headers in the request although those are not supported in HTTP/0.9. Patch by Bénédikt Tran.
    - gh-139391: Fix an issue when, on non-Windows platforms, it was not possible to gracefully exit a python -m asyncio process suspended by Ctrl+Z and later resumed by fg other than with kill.
    - gh-101828: Fix 'shift_jisx0213', 'shift_jis_2004', 'euc_jisx0213' and 'euc_jis_2004' codecs truncating null chars as they were treated as part of multi-character sequences.
    - gh-139246: fix: paste zero-width in default repl width is wrong.
    - gh-90949: Add SetAllocTrackerActivationThreshold() and SetAllocTrackerMaximumAmplification() to xmlparser objects to prevent use of disproportional amounts of dynamic memory from within an Expat parser. Patch by Bénédikt Tran.
    - gh-139065: Fix trailing space before a wrapped long word if the line length is exactly width in textwrap.
    - gh-138993: Dedent credits text.
    - gh-138859: Fix generic type parameterization raising a TypeError when omitting a ParamSpec that has a default which is not a list of types.
    - gh-138775: Use of python -m with base64 has been fixed to detect input from a terminal so that it properly notices EOF.
    - gh-98896: Fix a failure in multiprocessing resource_tracker when SharedMemory names contain colons.
      Patch by Rani Pinchuk.
    - gh-75989: tarfile.TarFile.extractall() and tarfile.TarFile.extract() now overwrite symlinks when extracting hardlinks. (Contributed by Alexander Enrique Urieles Nieto in gh-75989.)
    - gh-83424: Allows creating a ctypes.CDLL without name when passing a handle as an argument.
    - gh-136234: Fix asyncio.WriteTransport.writelines() to be robust to connection failure, by using the same behavior as write().
    - gh-136057: Fixed the bug in pdb and bdb where next and step can't go over the line if a loop exists in the line.
    - gh-135307: email: Fix exception in set_content() when encoding text and max_line_length is set to 0 or None (unlimited).
    - gh-134453: Fixed subprocess.Popen.communicate() input= handling of memoryview instances that were non-byte shaped on POSIX platforms. Those are now properly cast to a byte shaped view instead of truncating the input. Windows platforms did not have this bug.
    - gh-102431: Clarify constraints for "logical" arguments in methods of decimal.Context.
  - IDLE
    - gh-96491: Deduplicate version number in IDLE shell title bar after saving to a file.
  - Documentation
    - gh-141994: xml.sax.handler: Make Documentation of xml.sax.handler.feature_external_ges warn of opening up to external entity attacks. Patch by Sebastian Pipping.
    - gh-140578: Remove outdated sentence in the documentation for multiprocessing, that implied that concurrent.futures.ThreadPoolExecutor did not exist.
  - Core and Builtins
    - gh-142048: Fix quadratically increasing garbage collection delays in free-threaded build.
    - gh-141930: When importing a module, use Python's regular file object to ensure that writes to .pyc files are complete or an appropriate error is raised.
    - gh-120158: Fix inconsistent state when enabling or disabling monitoring events too many times.
    - gh-141579: Fix sys.activate_stack_trampoline() to properly support the perf_jit backend. Patch by Pablo Galindo.
    - gh-141312: Fix the assertion failure in the __setstate__ method of the range iterator when a non-integer argument is passed. Patch by Sergey Miryanov.
    - gh-140939: Fix memory leak when bytearray or bytes is formatted with the %*b format with a large width that results in a MemoryError.
    - gh-140530: Fix a reference leak when raise exc from cause fails. Patch by Bénédikt Tran.
    - gh-140576: Fixed crash in tokenize.generate_tokens() in case of specific incorrect input. Patch by Mikhail Efimov.
    - gh-140551: Fixed crash in dict if dict.clear() is called at the lookup stage. Patch by Mikhail Efimov and Inada Naoki.
    - gh-140471: Fix potential buffer overflow in ast.AST node initialization when encountering malformed _fields containing non-str.
    - gh-140406: Fix memory leak when an object's __hash__() method returns an object that isn't an int.
    - gh-140306: Fix memory leaks in cross-interpreter channel operations and shared namespace handling.
    - gh-140301: Fix memory leak of PyConfig in subinterpreters.
    - gh-140000: Fix potential memory leak when a reference cycle exists between an instance of typing.TypeAliasType, typing.TypeVar, typing.ParamSpec, or typing.TypeVarTuple and its __name__ attribute. Patch by Mikhail Efimov.
    - gh-139748: Fix reference leaks in error branches of functions accepting path strings or bytes such as compile() and os.system(). Patch by Bénédikt Tran.
    - gh-139516: Fix lambda colon erroneously start format spec in f-string in tokenizer.
    - gh-139640: Fix swallowing some syntax warnings in different modules if they accidentally have the same message and are emitted from the same line. Fix duplicated warnings in the finally block.
    - gh-137400: Fix a crash in the free threading build when disabling profiling or tracing across all threads with PyEval_SetProfileAllThreads() or PyEval_SetTraceAllThreads() or their Python equivalents threading.settrace_all_threads() and threading.setprofile_all_threads().
    - gh-133400: Fixed Ctrl+D (^D) behavior in _pyrepl module to match old pre-3.13 REPL behavior.
  - C API
    - gh-140042: Removed the sqlite3_shutdown call that could cause closing connections for sqlite when used with multiple sub interpreters.
    - gh-140487: Fix Py_RETURN_NOTIMPLEMENTED in limited C API 3.11 and older: don't treat Py_NotImplemented as immortal. Patch by Victor Stinner.
- Update to 3.13.9:
  - Library
    - gh-139783: Fix inspect.getsourcelines() for the case when a decorator is followed by a comment or an empty line.
- Update to 3.13.8:
  - Tools/Demos
    - gh-139330: SBOM generation tool didn't cross-check the version and checksum values against the Modules/expat/refresh.sh script, leading to the values becoming out-of-date during routine updates.
    - gh-137873: The iOS test runner has been simplified, resolving some issues that have been observed using the runner in GitHub Actions and Azure Pipelines test environments.
  - Tests
    - gh-139208: Fix regrtest --fast-ci --verbose: don't ignore the --verbose option anymore. Patch by Victor Stinner.
  - Security
    - gh-139400: xml.parsers.expat: Make sure that parent Expat parsers are only garbage-collected once they are no longer referenced by subparsers created by ExternalEntityParserCreate(). Patch by Sebastian Pipping.
    - gh-139283: sqlite3: correctly handle maximum number of rows to fetch in Cursor.fetchmany and reject negative values for Cursor.arraysize. Patch by Bénédikt Tran.
    - gh-135661: Fix CDATA section parsing in html.parser.HTMLParser according to the HTML5 standard: ] ]> and ]] > no longer end the CDATA section. Add private method _set_support_cdata() which can be used to specify how to parse <[CDATA[ ... as a CDATA section in foreign content (SVG or MathML) or as a bogus comment in the HTML namespace.
  - Library
    - gh-139312: Upgrade bundled libexpat to 2.7.3
    - gh-139289: Do a real lazy-import on rlcompleter in pdb and restore the existing completer after importing rlcompleter.
    - gh-139210: Fix use-after-free when reporting unknown event in xml.etree.ElementTree.iterparse(). Patch by Ken Jin.
    - gh-138860: Lazy import rlcompleter in pdb to avoid deadlock in subprocess.
    - gh-112729: Fix crash when calling _interpreters.create when the process is out of memory.
    - gh-139076: Fix a bug in the pydoc module that was hiding functions in a Python module if they were implemented in an extension module and the module did not have __all__.
    - gh-138998: Update bundled libexpat to 2.7.2
    - gh-130567: Fix possible crash in locale.strxfrm() due to a platform bug on macOS.
    - gh-138779: Support device numbers larger than 2**63-1 for the st_rdev field of the os.stat_result structure.
    - gh-128636: Fix crash in PyREPL when os.environ is overwritten with an invalid value for mac
    - gh-88375: Fix normalization of the robots.txt rules and URLs in the urllib.robotparser module. No longer ignore trailing ?. Distinguish raw special characters ?, = and & from the percent-encoded ones.
    - gh-138515: email is added to Emscripten build.
    - gh-111788: Fix parsing errors in the urllib.robotparser module. Don't fail trying to parse weird paths. Don't fail trying to decode non-UTF-8 robots.txt files.
    - gh-138432: zoneinfo.reset_tzpath() will now convert any os.PathLike objects it receives into strings before adding them to TZPATH. It will raise TypeError if anything other than a string is found after this conversion. If given an os.PathLike object that represents a relative path, it will now raise ValueError instead of TypeError, and present a more informative error message.
    - gh-138008: Fix segmentation faults in the ctypes module due to invalid argtypes. Patch by Dung Nguyen.
    - gh-60462: Fix locale.strxfrm() on Solaris (and possibly other platforms).
    - gh-138204: Forbid expansion of shared anonymous memory maps on Linux, which caused a bus error.
    - gh-138010: Fix an issue where defining a class with a @warnings.deprecated-decorated base class may not invoke the correct __init_subclass__() method in cases involving multiple inheritance. Patch by Brian Schubert.
    - gh-138133: Prevent infinite traceback loop when sending CTRL^C to Python through strace.
    - gh-134869: Fix an issue where pressing Ctrl+C during tab completion in the REPL would leave the autocompletion menu in a corrupted state.
    - gh-137317: inspect.signature() now correctly handles classes that use a descriptor on a wrapped __init__() or __new__() method. Contributed by Yongyu Yan.
    - gh-137754: Fix import of the zoneinfo module if the C implementation of the datetime module is not available.
    - gh-137490: Handle ECANCELED in the same way as EINTR in signal.sigwaitinfo() on NetBSD.
    - gh-137477: Fix inspect.getblock(), inspect.getsourcelines() and inspect.getsource() for generator expressions.
    - gh-137017: Fix threading.Thread.is_alive to remain True until the underlying OS thread is fully cleaned up. This avoids false negatives in edge cases involving thread monitoring or premature threading.Thread.is_alive calls.
    - gh-136134: SMTP.auth_cram_md5() now raises an SMTPException instead of a ValueError if Python has been built without MD5 support. In particular, SMTP clients will not attempt to use this method even if the remote server is assumed to support it. Patch by Bénédikt Tran.
    - gh-136134: IMAP4.login_cram_md5 now raises an IMAP4.error if CRAM-MD5 authentication is not supported. Patch by Bénédikt Tran.
    - gh-135386: Fix opening a dbm.sqlite3 database for reading from read-only file or directory.
    - gh-126631: Fix multiprocessing forkserver bug which prevented __main__ from being preloaded.
    - gh-123085: In a bare call to importlib.resources.files(), ensure the caller's frame is properly detected when importlib.resources is itself available as a compiled module only (no source).
    - gh-118981: Fix potential hang in multiprocessing.popen_spawn_posix that can happen when the child proc dies early by closing the child fds right away.
    - gh-78319: UTF8 support for the IMAP APPEND command has been made RFC compliant.
    - bpo-38735: Fix failure when importing a module from the root directory on unix-like platforms with sys.pycache_prefix set.
    - bpo-41839: Allow negative priority values from os.sched_get_priority_min() and os.sched_get_priority_max() functions.
  - Core and Builtins
    - gh-134466: Don't run PyREPL in a degraded environment where setting termios attributes is not allowed.
    - gh-71810: Raise OverflowError for (-1).to_bytes() for signed conversions when bytes count is zero. Patch by Sergey B Kirpichev.
    - gh-105487: Remove non-existent __copy__(), __deepcopy__(), and __bases__ from the __dir__() entries of types.GenericAlias.
    - gh-134163: Fix a hang when the process is out of memory inside an exception handler.
    - gh-138479: Fix a crash when a generic object's __typing_subst__ returns an object that isn't a tuple.
    - gh-137576: Fix for incorrect source code being shown in tracebacks from the Basic REPL when PYTHONSTARTUP is given. Patch by Adam Hartz.
    - gh-132744: Certain calls now check for runaway recursion and respect the system recursion limit.
  - C API
    - gh-87135: Attempting to acquire the GIL after runtime finalization has begun in a different thread now causes the thread to hang rather than terminate, which avoids potential crashes or memory corruption caused by attempting to terminate a thread that is running code not specifically designed to support termination. In most cases this hanging is harmless since the process will soon exit anyway. While not officially marked deprecated until 3.14, PyThread_exit_thread is no longer called internally and remains solely for interface compatibility.
      Its behavior is inconsistent across platforms, and it can only be used safely in the unlikely case that every function in the entire call stack has been designed to support the platform-dependent termination mechanism. It is recommended that users of this function change their design to not require thread termination. In the unlikely case that thread termination is needed and can be done safely, users may migrate to calling platform-specific APIs such as pthread_exit (POSIX) or _endthreadex (Windows) directly.
  - Build
    - gh-135734: Python can correctly be configured and built with ./configure --enable-optimizations --disable-test-modules. Previously, the profile data generation step failed due to PGO tests where immortalization couldn't be properly suppressed.
- Update to 3.13.7:
  - gh-137583: Fix a deadlock introduced in 3.13.6 when a call to ssl.SSLSocket.recv was blocked in one thread, and then another method on the object (such as ssl.SSLSocket.send) was subsequently called in another thread.
  - gh-137044: Return large limit values as positive integers instead of negative integers in resource.getrlimit(). Accept large values and reject negative values (except RLIM_INFINITY) for limits in resource.setrlimit().
  - gh-136914: Fix retrieval of doctest.DocTest.lineno for objects decorated with functools.cache() or functools.cached_property.
  - gh-131788: Make ResourceTracker.send from multiprocessing re-entrant safe
  - gh-136155: We are now checking for fatal errors in EPUB builds in CI.
  - gh-137400: Fix a crash in the free threading build when disabling profiling or tracing across all threads with PyEval_SetProfileAllThreads() or PyEval_SetTraceAllThreads() or their Python equivalents threading.settrace_all_threads() and threading.setprofile_all_threads().
- Update to 3.13.6:
  - Security
    - gh-135661: Fix parsing start and end tags in html.parser.HTMLParser according to the HTML5 standard.
- gh-102555: Fix comment parsing in html.parser.HTMLParser according to the HTML5 standard. - CVE-2025-6069: Fix quadratic complexity in processing specially crafted input in html.parser.HTMLParser. End-of-file errors are now handled according to the HTML5 specs - comments and declarations are automatically closed, tags are ignored (gh-135462, bsc#1244705). - CVE-2025-8194: tarfile now validates archives to ensure member offsets are non-negative. (gh-130577, bsc#1247249). - gh-118350: Fix support of escapable raw text mode (elements “textarea” and “title”) in html.parser.HTMLParser. - Core and Builtins - gh-58124: Fix name of the Python encoding in Unicode errors of the code page codec: use “cp65000” and “cp65001” instead of “CP_UTF7” and “CP_UTF8” which are not valid Python code names. Patch by Victor Stinner. - gh-137314: Fixed a regression where raw f-strings incorrectly interpreted escape sequences in format specifications. Raw f-strings now properly preserve literal backslashes in format specs, matching the behavior from Python 3.11. For example, rf'{obj:\xFF}' now correctly produces '\\xFF' instead of 'ÿ'. Patch by Pablo Galindo. - gh-136541: Fix some issues with the perf trampolines on x86-64 and aarch64. The trampolines were not being generated correctly for some cases, which could lead to the perf integration not working correctly. Patch by Pablo Galindo. - gh-109700: Fix memory error handling in PyDict_SetDefault(). - gh-78465: Fix error message for cls.__new__(cls, ...) where cls is not instantiable builtin or extension type (with tp_new set to NULL). - gh-135871: Non-blocking mutex lock attempts now return immediately when the lock is busy instead of briefly spinning in the free threading build. - gh-135607: Fix potential weakref races in an object’s destructor on the free threaded build. - gh-135496: Fix typo in the f-string conversion type error (“exclamanation” -> “exclamation”). 
- gh-130077: Properly raise custom syntax errors when incorrect syntax containing names that are prefixes of soft keywords is encountered. Patch by Pablo Galindo. - gh-135148: Fixed a bug where f-string debug expressions (using =) would incorrectly strip out parts of strings containing escaped quotes and # characters. Patch by Pablo Galindo. - gh-133136: Limit excess memory usage in the free threading build when a large dictionary or list is resized and accessed by multiple threads. - gh-132617: Fix dict.update() modification check that could incorrectly raise a “dict mutated during update” error when a different dictionary was modified that happens to share the same underlying keys object. - gh-91153: Fix a crash when a bytearray is concurrently mutated during item assignment. - gh-127971: Fix off-by-one read beyond the end of a string in string search. - gh-125723: Fix crash with gi_frame.f_locals when generator frames outlive their generator. Patch by Mikhail Efimov. - Library - gh-132710: If possible, ensure that uuid.getnode() returns the same result even across different processes. Previously, the result was constant only within the same process. Patch by Bénédikt Tran. - gh-137273: Fix debug assertion failure in locale.setlocale() on Windows. - gh-137257: Bump the version of pip bundled in ensurepip to version 25.2 - gh-81325: tarfile.TarFile now accepts a path-like when working on a tar archive. (Contributed by Alexander Enrique Urieles Nieto in gh-81325.) - gh-130522: Fix unraisable TypeError raised during interpreter shutdown in the threading module. - gh-136549: Fix signature of threading.excepthook(). - gh-136523: Fix wave.Wave_write emitting an unraisable when open raises. - gh-52876: Add missing keepends (default True) parameter to codecs.StreamReaderWriter.readline() and codecs.StreamReaderWriter.readlines(). 
- gh-85702: If zoneinfo._common.load_tzdata is given a package without a resource a zoneinfo.ZoneInfoNotFoundError is raised rather than a PermissionError. Patch by Victor Stinner. - gh-134759: Fix UnboundLocalError in email.message.Message.get_payload() when the payload to decode is a bytes object. Patch by Kliment Lamonov. - gh-136028: Fix parsing month names containing “İ” (U+0130, LATIN CAPITAL LETTER I WITH DOT ABOVE) in time.strptime(). This affects locales az_AZ, ber_DZ, ber_MA and crh_UA. - gh-135995: In the palmos encoding, make byte 0x9b decode to › (U+203A - SINGLE RIGHT-POINTING ANGLE QUOTATION MARK). - gh-53203: Fix time.strptime() for %c and %x formats on locales byn_ER, wal_ET and lzh_TW, and for %X format on locales ar_SA, bg_BG and lzh_TW. - gh-91555: An earlier change, which was introduced in 3.13.4, has been reverted. It disabled logging for a logger during handling of log messages for that logger. Since the reversion, the behaviour should be as it was before 3.13.4. - gh-135878: Fixes a crash of types.SimpleNamespace on free threading builds, when several threads were calling its __repr__() method at the same time. - gh-135836: Fix IndexError in asyncio.loop.create_connection() that could occur when non-OSError exception is raised during connection and socket’s close() raises OSError. - gh-135836: Fix IndexError in asyncio.loop.create_connection() that could occur when the Happy Eyeballs algorithm resulted in an empty exceptions list during connection attempts. - gh-135855: Raise TypeError instead of SystemError when _interpreters.set___main___attrs() is passed a non-dict object. Patch by Brian Schubert. - gh-135815: netrc: skip security checks if os.getuid() is missing. Patch by Bénédikt Tran. - gh-135640: Address bug where it was possible to call xml.etree.ElementTree.ElementTree.write() on an ElementTree object with an invalid root element. This behavior blanked the file passed to write if it already existed. 
- gh-135444: Fix asyncio.DatagramTransport.sendto() to account for datagram header size when data cannot be sent. - gh-135497: Fix os.getlogin() failing for longer usernames on BSD-based platforms. - gh-135487: Fix reprlib.Repr.repr_int() when given integers with more than sys.get_int_max_str_digits() digits. Patch by Bénédikt Tran. - gh-135335: multiprocessing: Flush stdout and stderr after preloading modules in the forkserver. - gh-135244: uuid: when the MAC address cannot be determined, the 48-bit node ID is now generated with a cryptographically-secure pseudo-random number generator (CSPRNG) as per RFC 9562, §6.10.3. This affects uuid1(). - gh-135069: Fix the “Invalid error handling” exception in encodings.idna.IncrementalDecoder to correctly replace the “errors” parameter. - gh-134698: Fix a crash when calling methods of ssl.SSLContext or ssl.SSLSocket across multiple threads. - gh-132124: On POSIX-compliant systems, multiprocessing.util.get_temp_dir() now ignores TMPDIR (and similar environment variables) if the path length of AF_UNIX socket files exceeds the platform-specific maximum length when using the forkserver start method. Patch by Bénédikt Tran. - gh-133439: Fix dot commands with trailing spaces are mistaken for multi-line SQL statements in the sqlite3 command-line interface. - gh-132969: Prevent the ProcessPoolExecutor executor thread, which remains running when shutdown(wait=False), from attempting to adjust the pool’s worker processes after the object state has already been reset during shutdown. A combination of conditions, including a worker process having terminated abnormally, resulted in an exception and a potential hang when the still-running executor thread attempted to replace dead workers within the pool. - gh-130664: Support the '_' digit separator in formatting of the integral part of Decimal’s. Patch by Sergey B Kirpichev. 
- gh-85702: If zoneinfo._common.load_tzdata is given a package without a resource a ZoneInfoNotFoundError is raised rather than an IsADirectoryError. - gh-130664: Handle corner-case for Fraction’s formatting: treat zero-padding (preceding the width field by a zero ('0') character) as an equivalent to a fill character of '0' with an alignment type of '=', just as in case of float’s. - Tools/Demos - gh-135968: Stubs for strip are now provided as part of an iOS install. - Tests - gh-135966: The iOS testbed now handles the app_packages folder as a site directory. - gh-135494: Fix regrtest to support excluding tests from --pgo tests. Patch by Victor Stinner. - gh-135489: Show verbose output for failing tests during PGO profiling step with --enable-optimizations. - Documentation - gh-135171: Document that the iterator for the leftmost for clause in the generator expression is created immediately. - Build - gh-135497: Fix the detection of MAXLOGNAME in the configure.ac script. ----------------------------------------------------------------- Advisory ID: 173 Released: Thu Jan 22 15:36:57 2026 Summary: Security update for gdk-pixbuf Type: security Severity: important References: 1245227,1246114,CVE-2025-6199,CVE-2025-7345 This update for gdk-pixbuf fixes the following issues: - CVE-2025-7345: heap buffer overflow in gdk-pixbuf within the gdk_pixbuf__jpeg_image_load_increment function (io-jpeg.c) and in glib g_base64_encode_step (bsc#1246114). - CVE-2025-6199: uninitialized memory could lead to leak arbitrary memory contents (bsc#1245227). 
The following package changes have been done: - suse-module-tools-16.0.64-160000.1.1 updated - libpython3_13-1_0-3.13.11-160000.1.1 updated - gdk-pixbuf-query-loaders-2.42.12-160000.3.1 updated - python313-base-3.13.11-160000.1.1 updated - python313-3.13.11-160000.1.1 updated - libgdk_pixbuf-2_0-0-2.42.12-160000.3.1 updated - typelib-1_0-GdkPixbuf-2_0-2.42.12-160000.3.1 updated - container:suse-sl-micro-6.2-base-os-container-latest-60f6f616d0014b00547122ef9f6fa03c0cfbf5706af41eac6a46df505d8a3125-0 updated From sle-container-updates at lists.suse.com Fri Jan 23 08:15:57 2026 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Fri, 23 Jan 2026 09:15:57 +0100 (CET) Subject: SUSE-IU-2026:239-1: Recommended update of suse/sl-micro/6.2/kvm-os-container Message-ID: <20260123081557.20B96FF0C@maintenance.suse.de> SUSE Image Update Advisory: suse/sl-micro/6.2/kvm-os-container ----------------------------------------------------------------- Image Advisory ID : SUSE-IU-2026:239-1 Image Tags : suse/sl-micro/6.2/kvm-os-container:2.3.0 , suse/sl-micro/6.2/kvm-os-container:2.3.0-7.14 , suse/sl-micro/6.2/kvm-os-container:latest Image Release : 7.14 Severity : important Type : recommended References : 1250655 1250664 1253679 1254264 1254928 ----------------------------------------------------------------- The container suse/sl-micro/6.2/kvm-os-container was updated. 
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: 162 Released: Thu Jan 22 09:15:08 2026 Summary: Recommended update for suse-module-tools Type: recommended Severity: important References: 1250655,1250664,1253679,1254264,1254928 This update for suse-module-tools fixes the following issues: - Update to version 16.0.64: * udev rules: write block queue attributes only if necessary (bsc#1254928) - Update to version 16.0.63: * 80-hotplug-cpu-mem.rules: remount tmpfs on 'online' uevents (bsc#1254264) * udev: use systemd service to remount tmpfs (bsc#1253679) - Update to version 16.0.62: * spec file: remove %udev_rules_update call (bsc#1250664) - Update to version 16.0.61: * weak-modules2: skip livepatch dir when checking for unresolved symbols (bsc#1250655) The following package changes have been done: - suse-module-tools-16.0.64-160000.1.1 updated - suse-module-tools-scriptlets-16.0.64-160000.1.1 updated - container:suse-sl-micro-6.2-base-os-container-latest-60f6f616d0014b00547122ef9f6fa03c0cfbf5706af41eac6a46df505d8a3125-0 updated From sle-container-updates at lists.suse.com Fri Jan 23 08:15:58 2026 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Fri, 23 Jan 2026 09:15:58 +0100 (CET) Subject: SUSE-IU-2026:240-1: Security update of suse/sl-micro/6.2/kvm-os-container Message-ID: <20260123081558.06003FF0C@maintenance.suse.de> SUSE Image Update Advisory: suse/sl-micro/6.2/kvm-os-container ----------------------------------------------------------------- Image Advisory ID : SUSE-IU-2026:240-1 Image Tags : suse/sl-micro/6.2/kvm-os-container:2.3.0 , suse/sl-micro/6.2/kvm-os-container:2.3.0-7.15 , suse/sl-micro/6.2/kvm-os-container:latest Image Release : 7.15 Severity : moderate Type : security References : 1244680 1244705 1247249 1251305 1252974 1254400 1254401 1254997 1256525 1256526 CVE-2025-12084 CVE-2025-13836 CVE-2025-13837 CVE-2025-6069 
CVE-2025-6075 CVE-2025-8194 CVE-2025-8291 CVE-2026-22695 CVE-2026-22801 ----------------------------------------------------------------- The container suse/sl-micro/6.2/kvm-os-container was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: 170 Released: Thu Jan 22 14:47:27 2026 Summary: Security update for python313 Type: security Severity: moderate References: 1244680,1244705,1247249,1251305,1252974,1254400,1254401,1254997,CVE-2025-12084,CVE-2025-13836,CVE-2025-13837,CVE-2025-6069,CVE-2025-6075,CVE-2025-8194,CVE-2025-8291 This update for python313 fixes the following issues: - Update to 3.13.11: - Security - CVE-2025-12084: cpython: Fixed quadratic algorithm in xml.dom.minidom leading to denial of service (bsc#1254997) - CVE-2025-13836: Fixed default Content-Length read amount from HTTP response (bsc#1254400) - CVE-2025-13837: Fixed plistlib module denial of service (bsc#1254401) - CVE-2025-8291: Fixed validity of the ZIP64 End of Central Directory (EOCD) not checked by the 'zipfile' module (bsc#1251305) - gh-137836: Add support of the “plaintext” element, RAWTEXT elements “xmp”, “iframe”, “noembed” and “noframes”, and optionally RAWTEXT element “noscript” in html.parser.HTMLParser. - gh-136063: email.message: ensure linear complexity for legacy HTTP parameters parsing. Patch by Bénédikt Tran. - CVE-2025-6075: Fixed performance issues caused by user-controlled os.path.expandvars() (bsc#1252974) - Library - gh-140797: Revert changes to the undocumented re.Scanner class. Capturing groups are still allowed for backward compatibility, although using them can lead to incorrect result. They will be forbidden in future Python versions. - gh-142206: The resource tracker in the multiprocessing module now uses the original communication protocol, as in Python 3.14.0 and below, by default. This avoids issues with upgrading Python while it is running. 
(Note that such “in-place” upgrades are not tested.) The tracker remains compatible with subprocesses that use new protocol (that is, subprocesses using Python 3.13.10, 3.14.1 and 3.15). - Core and Builtins - gh-142218: Fix crash when inserting into a split table dictionary with a non str key that matches an existing key. - Update to 3.13.10: - Tools/Demos - gh-141442: The iOS testbed now correctly handles test arguments that contain spaces. - Tests - gh-140482: Preserve and restore the state of stty echo as part of the test environment. - gh-140082: Update python -m test to set FORCE_COLOR=1 when being run with color enabled so that unittest which is run by it with redirected output will output in color. - gh-136442: Use exitcode 1 instead of 5 if unittest.TestCase.setUpClass() raises an exception - Library - gh-74389: When the stdin being used by a subprocess.Popen instance is closed, this is now ignored in subprocess.Popen.communicate() instead of leaving the class in an inconsistent state. - gh-87512: Fix subprocess.Popen.communicate() timeout handling on Windows when writing large input. Previously, the timeout was ignored during stdin writing, causing the method to block indefinitely if the child process did not consume input quickly. The stdin write is now performed in a background thread, allowing the timeout to be properly enforced. - gh-141473: When subprocess.Popen.communicate() was called with input and a timeout and is called for a second time after a TimeoutExpired exception before the process has died, it should no longer hang. - gh-59000: Fix pdb breakpoint resolution for class methods when the module defining the class is not imported. - gh-141570: Support file-like object raising OSError from fileno() in color detection (_colorize.can_colorize()). This can occur when sys.stdout is redirected. - gh-141659: Fix bad file descriptor errors from _posixsubprocess on AIX. 
- gh-141497: ipaddress: ensure that the methods IPv4Network.hosts() and IPv6Network.hosts() always return an iterator. - gh-140938: The statistics.stdev() and statistics.pstdev() functions now raise a ValueError when the input contains an infinity or a NaN. - gh-124111: Updated Tcl threading configuration in _tkinter to assume that threads are always available in Tcl 9 and later. - gh-137109: The os.fork and related forking APIs will no longer warn in the common case where Linux or macOS platform APIs return the number of threads in a process and find the answer to be 1 even when a os.register_at_fork() after_in_parent= callback (re)starts a thread. - gh-141314: Fix assertion failure in io.TextIOWrapper.tell() when reading files with standalone carriage return (\r) line endings. - gh-141311: Fix assertion failure in io.BytesIO.readinto() and undefined behavior arising when read position is above capacity in io.BytesIO. - gh-141141: Fix a thread safety issue with base64.b85decode(). Contributed by Benel Tayar. - gh-140911: collections: Ensure that the methods UserString.rindex() and UserString.index() accept collections.UserString instances as the sub argument. - gh-140797: The undocumented re.Scanner class now forbids regular expressions containing capturing groups in its lexicon patterns. Patterns using capturing groups could previously lead to crashes with segmentation fault. Use non-capturing groups (?:...) instead. - gh-140815: faulthandler now detects if a frame or a code object is invalid or freed. Patch by Victor Stinner. - gh-100218: Correctly set errno when socket.if_nametoindex() or socket.if_indextoname() raise an OSError. Patch by Bénédikt Tran. - gh-140875: Fix handling of unclosed character references (named and numerical) followed by the end of file in html.parser.HTMLParser with convert_charrefs=False. - gh-140734: multiprocessing: fix off-by-one error when checking the length of a temporary socket file path. Patch by Bénédikt Tran. 
- gh-140874: Bump the version of pip bundled in ensurepip to version 25.3 - gh-140691: In urllib.request, when opening a FTP URL fails because a data connection cannot be made, the control connection’s socket is now closed to avoid a ResourceWarning. - gh-103847: Fix hang when cancelling process created by asyncio.create_subprocess_exec() or asyncio.create_subprocess_shell(). Patch by Kumar Aditya. - gh-140590: Fix arguments checking for the functools.partial.__setstate__() that may lead to internal state corruption and crash. Patch by Sergey Miryanov. - gh-140634: Fix a reference counting bug in os.sched_param.__reduce__(). - gh-140633: Ignore AttributeError when setting a module’s __file__ attribute when loading an extension module packaged as Apple Framework. - gh-140593: xml.parsers.expat: Fix a memory leak that could affect users with ElementDeclHandler() set to a custom element declaration handler. Patch by Sebastian Pipping. - gh-140607: Inside io.RawIOBase.read(), validate that the count of bytes returned by io.RawIOBase.readinto() is valid (inside the provided buffer). - gh-138162: Fix logging.LoggerAdapter with merge_extra=True and without the extra argument. - gh-140474: Fix memory leak in array.array when creating arrays from an empty str and the u type code. - gh-140272: Fix memory leak in the clear() method of the dbm.gnu database. - gh-140041: Fix import of ctypes on Android and Cygwin when ABI flags are present. - gh-139905: Add suggestion to error message for typing.Generic subclasses when cls.__parameters__ is missing due to a parent class failing to call super().__init_subclass__() in its __init_subclass__. - gh-139845: Fix to not print KeyboardInterrupt twice in default asyncio REPL. - gh-139783: Fix inspect.getsourcelines() for the case when a decorator is followed by a comment or an empty line. - gh-70765: http.server: fix default handling of HTTP/0.9 requests in BaseHTTPRequestHandler. 
Previously, BaseHTTPRequestHandler.parse_request() incorrectly waited for headers in the request although those are not supported in HTTP/0.9. Patch by Bénédikt Tran. - gh-139391: Fix an issue when, on non-Windows platforms, it was not possible to gracefully exit a python -m asyncio process suspended by Ctrl+Z and later resumed by fg other than with kill. - gh-101828: Fix 'shift_jisx0213', 'shift_jis_2004', 'euc_jisx0213' and 'euc_jis_2004' codecs truncating null chars as they were treated as part of multi-character sequences. - gh-139246: fix: paste zero-width in default repl width is wrong. - gh-90949: Add SetAllocTrackerActivationThreshold() and SetAllocTrackerMaximumAmplification() to xmlparser objects to prevent use of disproportional amounts of dynamic memory from within an Expat parser. Patch by Bénédikt Tran. - gh-139065: Fix trailing space before a wrapped long word if the line length is exactly width in textwrap. - gh-138993: Dedent credits text. - gh-138859: Fix generic type parameterization raising a TypeError when omitting a ParamSpec that has a default which is not a list of types. - gh-138775: Use of python -m with base64 has been fixed to detect input from a terminal so that it properly notices EOF. - gh-98896: Fix a failure in multiprocessing resource_tracker when SharedMemory names contain colons. Patch by Rani Pinchuk. - gh-75989: tarfile.TarFile.extractall() and tarfile.TarFile.extract() now overwrite symlinks when extracting hardlinks. (Contributed by Alexander Enrique Urieles Nieto in gh-75989.) - gh-83424: Allows creating a ctypes.CDLL without name when passing a handle as an argument. - gh-136234: Fix asyncio.WriteTransport.writelines() to be robust to connection failure, by using the same behavior as write(). - gh-136057: Fixed the bug in pdb and bdb where next and step can’t go over the line if a loop exists in the line. 
- gh-135307: email: Fix exception in set_content() when encoding text and max_line_length is set to 0 or None (unlimited). - gh-134453: Fixed subprocess.Popen.communicate() input= handling of memoryview instances that were non-byte shaped on POSIX platforms. Those are now properly cast to a byte shaped view instead of truncating the input. Windows platforms did not have this bug. - gh-102431: Clarify constraints for “logical” arguments in methods of decimal.Context. - IDLE - gh-96491: Deduplicate version number in IDLE shell title bar after saving to a file. - Documentation - gh-141994: xml.sax.handler: Make Documentation of xml.sax.handler.feature_external_ges warn of opening up to external entity attacks. Patch by Sebastian Pipping. - gh-140578: Remove outdated sentence in the documentation for multiprocessing, that implied that concurrent.futures.ThreadPoolExecutor did not exist. - Core and Builtins - gh-142048: Fix quadratically increasing garbage collection delays in free-threaded build. - gh-141930: When importing a module, use Python’s regular file object to ensure that writes to .pyc files are complete or an appropriate error is raised. - gh-120158: Fix inconsistent state when enabling or disabling monitoring events too many times. - gh-141579: Fix sys.activate_stack_trampoline() to properly support the perf_jit backend. Patch by Pablo Galindo. - gh-141312: Fix the assertion failure in the __setstate__ method of the range iterator when a non-integer argument is passed. Patch by Sergey Miryanov. - gh-140939: Fix memory leak when bytearray or bytes is formatted with the %*b format with a large width that results in %a MemoryError. - gh-140530: Fix a reference leak when raise exc from cause fails. Patch by Bénédikt Tran. - gh-140576: Fixed crash in tokenize.generate_tokens() in case of specific incorrect input. Patch by Mikhail Efimov. - gh-140551: Fixed crash in dict if dict.clear() is called at the lookup stage. 
Patch by Mikhail Efimov and Inada Naoki. - gh-140471: Fix potential buffer overflow in ast.AST node initialization when encountering malformed _fields containing non-str. - gh-140406: Fix memory leak when an object’s __hash__() method returns an object that isn’t an int. - gh-140306: Fix memory leaks in cross-interpreter channel operations and shared namespace handling. - gh-140301: Fix memory leak of PyConfig in subinterpreters. - gh-140000: Fix potential memory leak when a reference cycle exists between an instance of typing.TypeAliasType, typing.TypeVar, typing.ParamSpec, or typing.TypeVarTuple and its __name__ attribute. Patch by Mikhail Efimov. - gh-139748: Fix reference leaks in error branches of functions accepting path strings or bytes such as compile() and os.system(). Patch by Bénédikt Tran. - gh-139516: Fix lambda colon erroneously start format spec in f-string in tokenizer. - gh-139640: Fix swallowing some syntax warnings in different modules if they accidentally have the same message and are emitted from the same line. Fix duplicated warnings in the finally block. - gh-137400: Fix a crash in the free threading build when disabling profiling or tracing across all threads with PyEval_SetProfileAllThreads() or PyEval_SetTraceAllThreads() or their Python equivalents threading.settrace_all_threads() and threading.setprofile_all_threads(). - gh-133400: Fixed Ctrl+D (^D) behavior in _pyrepl module to match old pre-3.13 REPL behavior. - C API - gh-140042: Removed the sqlite3_shutdown call that could cause closing connections for sqlite when used with multiple sub interpreters. - gh-140487: Fix Py_RETURN_NOTIMPLEMENTED in limited C API 3.11 and older: don’t treat Py_NotImplemented as immortal. Patch by Victor Stinner. - Update to 3.13.9: - Library - gh-139783: Fix inspect.getsourcelines() for the case when a decorator is followed by a comment or an empty line. 
- Update to 3.13.8: - Tools/Demos - gh-139330: SBOM generation tool didn’t cross-check the version and checksum values against the Modules/expat/refresh.sh script, leading to the values becoming out-of-date during routine updates. - gh-137873: The iOS test runner has been simplified, resolving some issues that have been observed using the runner in GitHub Actions and Azure Pipelines test environments. - Tests - gh-139208: Fix regrtest --fast-ci --verbose: don’t ignore the --verbose option anymore. Patch by Victor Stinner. - Security - gh-139400: xml.parsers.expat: Make sure that parent Expat parsers are only garbage-collected once they are no longer referenced by subparsers created by ExternalEntityParserCreate(). Patch by Sebastian Pipping. - gh-139283: sqlite3: correctly handle maximum number of rows to fetch in Cursor.fetchmany and reject negative values for Cursor.arraysize. Patch by Bénédikt Tran. - gh-135661: Fix CDATA section parsing in html.parser.HTMLParser according to the HTML5 standard: ] ]> and ]] > no longer end the CDATA section. Add private method _set_support_cdata() which can be used to specify how to parse <[CDATA[ - as a CDATA section in foreign content (SVG or MathML) or as a bogus comment in the HTML namespace. - Library - gh-139312: Upgrade bundled libexpat to 2.7.3 - gh-139289: Do a real lazy-import on rlcompleter in pdb and restore the existing completer after importing rlcompleter. - gh-139210: Fix use-after-free when reporting unknown event in xml.etree.ElementTree.iterparse(). Patch by Ken Jin. - gh-138860: Lazy import rlcompleter in pdb to avoid deadlock in subprocess. - gh-112729: Fix crash when calling _interpreters.create when the process is out of memory. - gh-139076: Fix a bug in the pydoc module that was hiding functions in a Python module if they were implemented in an extension module and the module did not have __all__. 
- gh-138998: Update bundled libexpat to 2.7.2 - gh-130567: Fix possible crash in locale.strxfrm() due to a platform bug on macOS. - gh-138779: Support device numbers larger than 2**63-1 for the st_rdev field of the os.stat_result structure. - gh-128636: Fix crash in PyREPL when os.environ is overwritten with an invalid value for mac - gh-88375: Fix normalization of the robots.txt rules and URLs in the urllib.robotparser module. No longer ignore trailing ?. Distinguish raw special characters ?, = and & from the percent-encoded ones. - gh-138515: email is added to Emscripten build. - gh-111788: Fix parsing errors in the urllib.robotparser module. Don’t fail trying to parse weird paths. Don’t fail trying to decode non-UTF-8 robots.txt files. - gh-138432: zoneinfo.reset_tzpath() will now convert any os.PathLike objects it receives into strings before adding them to TZPATH. It will raise TypeError if anything other than a string is found after this conversion. If given an os.PathLike object that represents a relative path, it will now raise ValueError instead of TypeError, and present a more informative error message. - gh-138008: Fix segmentation faults in the ctypes module due to invalid argtypes. Patch by Dung Nguyen. - gh-60462: Fix locale.strxfrm() on Solaris (and possibly other platforms). - gh-138204: Forbid expansion of shared anonymous memory maps on Linux, which caused a bus error. - gh-138010: Fix an issue where defining a class with a @warnings.deprecated-decorated base class may not invoke the correct __init_subclass__() method in cases involving multiple inheritance. Patch by Brian Schubert. - gh-138133: Prevent infinite traceback loop when sending CTRL^C to Python through strace. - gh-134869: Fix an issue where pressing Ctrl+C during tab completion in the REPL would leave the autocompletion menu in a corrupted state. - gh-137317: inspect.signature() now correctly handles classes that use a descriptor on a wrapped __init__() or __new__() method. 
Contributed by Yongyu Yan. - gh-137754: Fix import of the zoneinfo module if the C implementation of the datetime module is not available. - gh-137490: Handle ECANCELED in the same way as EINTR in signal.sigwaitinfo() on NetBSD. - gh-137477: Fix inspect.getblock(), inspect.getsourcelines() and inspect.getsource() for generator expressions. - gh-137017: Fix threading.Thread.is_alive to remain True until the underlying OS thread is fully cleaned up. This avoids false negatives in edge cases involving thread monitoring or premature threading.Thread.is_alive calls. - gh-136134: SMTP.auth_cram_md5() now raises an SMTPException instead of a ValueError if Python has been built without MD5 support. In particular, SMTP clients will not attempt to use this method even if the remote server is assumed to support it. Patch by Bénédikt Tran. - gh-136134: IMAP4.login_cram_md5 now raises an IMAP4.error if CRAM-MD5 authentication is not supported. Patch by Bénédikt Tran. - gh-135386: Fix opening a dbm.sqlite3 database for reading from read-only file or directory. - gh-126631: Fix multiprocessing forkserver bug which prevented __main__ from being preloaded. - gh-123085: In a bare call to importlib.resources.files(), ensure the caller’s frame is properly detected when importlib.resources is itself available as a compiled module only (no source). - gh-118981: Fix potential hang in multiprocessing.popen_spawn_posix that can happen when the child proc dies early by closing the child fds right away. - gh-78319: UTF8 support for the IMAP APPEND command has been made RFC compliant. - bpo-38735: Fix failure when importing a module from the root directory on unix-like platforms with sys.pycache_prefix set. - bpo-41839: Allow negative priority values from os.sched_get_priority_min() and os.sched_get_priority_max() functions. - Core and Builtins - gh-134466: Don’t run PyREPL in a degraded environment where setting termios attributes is not allowed. 
- gh-71810: Raise OverflowError for (-1).to_bytes() for signed conversions when bytes count is zero. Patch by Sergey B Kirpichev. - gh-105487: Remove non-existent __copy__(), __deepcopy__(), and __bases__ from the __dir__() entries of types.GenericAlias. - gh-134163: Fix a hang when the process is out of memory inside an exception handler. - gh-138479: Fix a crash when a generic object's __typing_subst__ returns an object that isn't a tuple. - gh-137576: Fix for incorrect source code being shown in tracebacks from the Basic REPL when PYTHONSTARTUP is given. Patch by Adam Hartz. - gh-132744: Certain calls now check for runaway recursion and respect the system recursion limit. - C API - gh-87135: Attempting to acquire the GIL after runtime finalization has begun in a different thread now causes the thread to hang rather than terminate, which avoids potential crashes or memory corruption caused by attempting to terminate a thread that is running code not specifically designed to support termination. In most cases this hanging is harmless since the process will soon exit anyway. While not officially marked deprecated until 3.14, PyThread_exit_thread is no longer called internally and remains solely for interface compatibility. Its behavior is inconsistent across platforms, and it can only be used safely in the unlikely case that every function in the entire call stack has been designed to support the platform-dependent termination mechanism. It is recommended that users of this function change their design to not require thread termination. In the unlikely case that thread termination is needed and can be done safely, users may migrate to calling platform-specific APIs such as pthread_exit (POSIX) or _endthreadex (Windows) directly. - Build - gh-135734: Python can correctly be configured and built with ./configure --enable-optimizations --disable-test-modules.
Previously, the profile data generation step failed due to PGO tests where immortalization couldn't be properly suppressed. - Update to 3.13.7: - gh-137583: Fix a deadlock introduced in 3.13.6 when a call to ssl.SSLSocket.recv was blocked in one thread, and then another method on the object (such as ssl.SSLSocket.send) was subsequently called in another thread. - gh-137044: Return large limit values as positive integers instead of negative integers in resource.getrlimit(). Accept large values and reject negative values (except RLIM_INFINITY) for limits in resource.setrlimit(). - gh-136914: Fix retrieval of doctest.DocTest.lineno for objects decorated with functools.cache() or functools.cached_property. - gh-131788: Make ResourceTracker.send from multiprocessing re-entrant safe - gh-136155: We are now checking for fatal errors in EPUB builds in CI. - gh-137400: Fix a crash in the free threading build when disabling profiling or tracing across all threads with PyEval_SetProfileAllThreads() or PyEval_SetTraceAllThreads() or their Python equivalents threading.settrace_all_threads() and threading.setprofile_all_threads(). - Update to 3.13.6: - Security - gh-135661: Fix parsing start and end tags in html.parser.HTMLParser according to the HTML5 standard. - gh-102555: Fix comment parsing in html.parser.HTMLParser according to the HTML5 standard. - CVE-2025-6069: Fix quadratic complexity in processing specially crafted input in html.parser.HTMLParser. End-of-file errors are now handled according to the HTML5 specs - comments and declarations are automatically closed, tags are ignored (gh-135462, bsc#1244705). - CVE-2025-8194: tarfile now validates archives to ensure member offsets are non-negative. (gh-130577, bsc#1247249). - gh-118350: Fix support of escapable raw text mode (elements "textarea" and "title") in html.parser.HTMLParser. - Core and Builtins - gh-58124: Fix name of the Python encoding in Unicode errors of the code page codec: use "cp65000"
and "cp65001" instead of "CP_UTF7" and "CP_UTF8" which are not valid Python code names. Patch by Victor Stinner. - gh-137314: Fixed a regression where raw f-strings incorrectly interpreted escape sequences in format specifications. Raw f-strings now properly preserve literal backslashes in format specs, matching the behavior from Python 3.11. For example, rf'{obj:\xFF}' now correctly produces '\\xFF' instead of 'ÿ'. Patch by Pablo Galindo. - gh-136541: Fix some issues with the perf trampolines on x86-64 and aarch64. The trampolines were not being generated correctly for some cases, which could lead to the perf integration not working correctly. Patch by Pablo Galindo. - gh-109700: Fix memory error handling in PyDict_SetDefault(). - gh-78465: Fix error message for cls.__new__(cls, ...) where cls is not instantiable builtin or extension type (with tp_new set to NULL). - gh-135871: Non-blocking mutex lock attempts now return immediately when the lock is busy instead of briefly spinning in the free threading build. - gh-135607: Fix potential weakref races in an object's destructor on the free threaded build. - gh-135496: Fix typo in the f-string conversion type error ("exclamanation" -> "exclamation"). - gh-130077: Properly raise custom syntax errors when incorrect syntax containing names that are prefixes of soft keywords is encountered. Patch by Pablo Galindo. - gh-135148: Fixed a bug where f-string debug expressions (using =) would incorrectly strip out parts of strings containing escaped quotes and # characters. Patch by Pablo Galindo. - gh-133136: Limit excess memory usage in the free threading build when a large dictionary or list is resized and accessed by multiple threads. - gh-132617: Fix dict.update() modification check that could incorrectly raise a "dict mutated during update" error when a different dictionary was modified that happens to share the same underlying keys object.
- gh-91153: Fix a crash when a bytearray is concurrently mutated during item assignment. - gh-127971: Fix off-by-one read beyond the end of a string in string search. - gh-125723: Fix crash with gi_frame.f_locals when generator frames outlive their generator. Patch by Mikhail Efimov. - Library - gh-132710: If possible, ensure that uuid.getnode() returns the same result even across different processes. Previously, the result was constant only within the same process. Patch by Bénédikt Tran. - gh-137273: Fix debug assertion failure in locale.setlocale() on Windows. - gh-137257: Bump the version of pip bundled in ensurepip to version 25.2 - gh-81325: tarfile.TarFile now accepts a path-like when working on a tar archive. (Contributed by Alexander Enrique Urieles Nieto in gh-81325.) - gh-130522: Fix unraisable TypeError raised during interpreter shutdown in the threading module. - gh-136549: Fix signature of threading.excepthook(). - gh-136523: Fix wave.Wave_write emitting an unraisable when open raises. - gh-52876: Add missing keepends (default True) parameter to codecs.StreamReaderWriter.readline() and codecs.StreamReaderWriter.readlines(). - gh-85702: If zoneinfo._common.load_tzdata is given a package without a resource a zoneinfo.ZoneInfoNotFoundError is raised rather than a PermissionError. Patch by Victor Stinner. - gh-134759: Fix UnboundLocalError in email.message.Message.get_payload() when the payload to decode is a bytes object. Patch by Kliment Lamonov. - gh-136028: Fix parsing month names containing "İ" (U+0130, LATIN CAPITAL LETTER I WITH DOT ABOVE) in time.strptime(). This affects locales az_AZ, ber_DZ, ber_MA and crh_UA. - gh-135995: In the palmos encoding, make byte 0x9b decode to › (U+203A - SINGLE RIGHT-POINTING ANGLE QUOTATION MARK). - gh-53203: Fix time.strptime() for %c and %x formats on locales byn_ER, wal_ET and lzh_TW, and for %X format on locales ar_SA, bg_BG and lzh_TW.
- gh-91555: An earlier change, which was introduced in 3.13.4, has been reverted. It disabled logging for a logger during handling of log messages for that logger. Since the reversion, the behaviour should be as it was before 3.13.4. - gh-135878: Fixes a crash of types.SimpleNamespace on free threading builds, when several threads were calling its __repr__() method at the same time. - gh-135836: Fix IndexError in asyncio.loop.create_connection() that could occur when non-OSError exception is raised during connection and socket's close() raises OSError. - gh-135836: Fix IndexError in asyncio.loop.create_connection() that could occur when the Happy Eyeballs algorithm resulted in an empty exceptions list during connection attempts. - gh-135855: Raise TypeError instead of SystemError when _interpreters.set___main___attrs() is passed a non-dict object. Patch by Brian Schubert. - gh-135815: netrc: skip security checks if os.getuid() is missing. Patch by Bénédikt Tran. - gh-135640: Address bug where it was possible to call xml.etree.ElementTree.ElementTree.write() on an ElementTree object with an invalid root element. This behavior blanked the file passed to write if it already existed. - gh-135444: Fix asyncio.DatagramTransport.sendto() to account for datagram header size when data cannot be sent. - gh-135497: Fix os.getlogin() failing for longer usernames on BSD-based platforms. - gh-135487: Fix reprlib.Repr.repr_int() when given integers with more than sys.get_int_max_str_digits() digits. Patch by Bénédikt Tran. - gh-135335: multiprocessing: Flush stdout and stderr after preloading modules in the forkserver. - gh-135244: uuid: when the MAC address cannot be determined, the 48-bit node ID is now generated with a cryptographically-secure pseudo-random number generator (CSPRNG) as per RFC 9562, §6.10.3. This affects uuid1(). - gh-135069: Fix the "Invalid error handling" exception in encodings.idna.IncrementalDecoder to correctly replace the "errors"
parameter. - gh-134698: Fix a crash when calling methods of ssl.SSLContext or ssl.SSLSocket across multiple threads. - gh-132124: On POSIX-compliant systems, multiprocessing.util.get_temp_dir() now ignores TMPDIR (and similar environment variables) if the path length of AF_UNIX socket files exceeds the platform-specific maximum length when using the forkserver start method. Patch by Bénédikt Tran. - gh-133439: Fix dot commands with trailing spaces are mistaken for multi-line SQL statements in the sqlite3 command-line interface. - gh-132969: Prevent the ProcessPoolExecutor executor thread, which remains running when shutdown(wait=False), from attempting to adjust the pool's worker processes after the object state has already been reset during shutdown. A combination of conditions, including a worker process having terminated abnormally, resulted in an exception and a potential hang when the still-running executor thread attempted to replace dead workers within the pool. - gh-130664: Support the '_' digit separator in formatting of the integral part of Decimal's. Patch by Sergey B Kirpichev. - gh-85702: If zoneinfo._common.load_tzdata is given a package without a resource a ZoneInfoNotFoundError is raised rather than an IsADirectoryError. - gh-130664: Handle corner-case for Fraction's formatting: treat zero-padding (preceding the width field by a zero ('0') character) as an equivalent to a fill character of '0' with an alignment type of '=', just as in case of float's. - Tools/Demos - gh-135968: Stubs for strip are now provided as part of an iOS install. - Tests - gh-135966: The iOS testbed now handles the app_packages folder as a site directory. - gh-135494: Fix regrtest to support excluding tests from --pgo tests. Patch by Victor Stinner. - gh-135489: Show verbose output for failing tests during PGO profiling step with --enable-optimizations.
- Documentation - gh-135171: Document that the iterator for the leftmost for clause in the generator expression is created immediately. - Build - gh-135497: Fix the detection of MAXLOGNAME in the configure.ac script. ----------------------------------------------------------------- Advisory ID: 172 Released: Thu Jan 22 15:29:42 2026 Summary: Security update for libpng16 Type: security Severity: moderate References: 1256525,1256526,CVE-2026-22695,CVE-2026-22801 This update for libpng16 fixes the following issues: - CVE-2026-22695: Fixed heap buffer over-read in png_image_finish_read (bsc#1256525). - CVE-2026-22801: Fixed integer truncation causing heap buffer over-read in png_image_write_* (bsc#1256526). The following package changes have been done: - libpng16-16-1.6.44-160000.4.1 updated - python313-base-3.13.11-160000.1.1 updated - libpython3_13-1_0-3.13.11-160000.1.1 updated - container:suse-sl-micro-6.2-base-os-container-latest-2c8e5185f404bfa6041e8c8daedfe13f96f3889f3ccd2f52e0dec59f29f61c87-0 updated From sle-container-updates at lists.suse.com Fri Jan 23 08:16:43 2026 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Fri, 23 Jan 2026 09:16:43 +0100 (CET) Subject: SUSE-IU-2026:247-1: Security update of suse/sl-micro/6.2/rt-os-container Message-ID: <20260123081643.4EF5BFF0C@maintenance.suse.de> SUSE Image Update Advisory: suse/sl-micro/6.2/rt-os-container ----------------------------------------------------------------- Image Advisory ID : SUSE-IU-2026:247-1 Image Tags : suse/sl-micro/6.2/rt-os-container:2.3.0 , suse/sl-micro/6.2/rt-os-container:2.3.0-6.19 , suse/sl-micro/6.2/rt-os-container:latest Image Release : 6.19 Severity : important Type : security References : 1244680 1244705 1247249 1250655 1250664 1251305 1252974 1253679 1254264 1254400 1254401 1254928 1254997 CVE-2025-12084 CVE-2025-13836 CVE-2025-13837 CVE-2025-6069 CVE-2025-6075 CVE-2025-8194 CVE-2025-8291 
----------------------------------------------------------------- The container suse/sl-micro/6.2/rt-os-container was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: 162 Released: Thu Jan 22 09:15:08 2026 Summary: Recommended update for suse-module-tools Type: recommended Severity: important References: 1250655,1250664,1253679,1254264,1254928 This update for suse-module-tools fixes the following issues: - Update to version 16.0.64: * udev rules: write block queue attributes only if necessary (bsc#1254928) - Update to version 16.0.63: * 80-hotplug-cpu-mem.rules: remount tmpfs on 'online' uevents (bsc#1254264) * udev: use systemd service to remount tmpfs (bsc#1253679) - Update to version 16.0.62: * spec file: remove %udev_rules_update call (bsc#1250664) - Update to version 16.0.61: * weak-modules2: skip livepatch dir when checking for unresolved symbols (bsc#1250655) ----------------------------------------------------------------- Advisory ID: 170 Released: Thu Jan 22 14:47:27 2026 Summary: Security update for python313 Type: security Severity: moderate References: 1244680,1244705,1247249,1251305,1252974,1254400,1254401,1254997,CVE-2025-12084,CVE-2025-13836,CVE-2025-13837,CVE-2025-6069,CVE-2025-6075,CVE-2025-8194,CVE-2025-8291 This update for python313 fixes the following issues: - Update to 3.13.11: - Security - CVE-2025-12084: cpython: Fixed quadratic algorithm in xml.dom.minidom leading to denial of service (bsc#1254997) - CVE-2025-13836: Fixed default Content-Length read amount from HTTP response (bsc#1254400) - CVE-2025-13837: Fixed plistlib module denial of service (bsc#1254401) - CVE-2025-8291: Fixed validity of the ZIP64 End of Central Directory (EOCD) not checked by the 'zipfile' module (bsc#1251305) - gh-137836: Add support of the "plaintext" element, RAWTEXT elements "xmp", "iframe", "noembed"
and "noframes", and optionally RAWTEXT element "noscript" in html.parser.HTMLParser. - gh-136063: email.message: ensure linear complexity for legacy HTTP parameters parsing. Patch by Bénédikt Tran. - CVE-2025-6075: Fixed performance issues caused by user-controlled os.path.expandvars() (bsc#1252974) - Library - gh-140797: Revert changes to the undocumented re.Scanner class. Capturing groups are still allowed for backward compatibility, although using them can lead to incorrect result. They will be forbidden in future Python versions. - gh-142206: The resource tracker in the multiprocessing module now uses the original communication protocol, as in Python 3.14.0 and below, by default. This avoids issues with upgrading Python while it is running. (Note that such "in-place" upgrades are not tested.) The tracker remains compatible with subprocesses that use new protocol (that is, subprocesses using Python 3.13.10, 3.14.1 and 3.15). - Core and Builtins - gh-142218: Fix crash when inserting into a split table dictionary with a non str key that matches an existing key. - Update to 3.13.10: - Tools/Demos - gh-141442: The iOS testbed now correctly handles test arguments that contain spaces. - Tests - gh-140482: Preserve and restore the state of stty echo as part of the test environment. - gh-140082: Update python -m test to set FORCE_COLOR=1 when being run with color enabled so that unittest which is run by it with redirected output will output in color. - gh-136442: Use exitcode 1 instead of 5 if unittest.TestCase.setUpClass() raises an exception - Library - gh-74389: When the stdin being used by a subprocess.Popen instance is closed, this is now ignored in subprocess.Popen.communicate() instead of leaving the class in an inconsistent state. - gh-87512: Fix subprocess.Popen.communicate() timeout handling on Windows when writing large input.
Previously, the timeout was ignored during stdin writing, causing the method to block indefinitely if the child process did not consume input quickly. The stdin write is now performed in a background thread, allowing the timeout to be properly enforced. - gh-141473: When subprocess.Popen.communicate() was called with input and a timeout and is called for a second time after a TimeoutExpired exception before the process has died, it should no longer hang. - gh-59000: Fix pdb breakpoint resolution for class methods when the module defining the class is not imported. - gh-141570: Support file-like object raising OSError from fileno() in color detection (_colorize.can_colorize()). This can occur when sys.stdout is redirected. - gh-141659: Fix bad file descriptor errors from _posixsubprocess on AIX. - gh-141497: ipaddress: ensure that the methods IPv4Network.hosts() and IPv6Network.hosts() always return an iterator. - gh-140938: The statistics.stdev() and statistics.pstdev() functions now raise a ValueError when the input contains an infinity or a NaN. - gh-124111: Updated Tcl threading configuration in _tkinter to assume that threads are always available in Tcl 9 and later. - gh-137109: The os.fork and related forking APIs will no longer warn in the common case where Linux or macOS platform APIs return the number of threads in a process and find the answer to be 1 even when a os.register_at_fork() after_in_parent= callback (re)starts a thread. - gh-141314: Fix assertion failure in io.TextIOWrapper.tell() when reading files with standalone carriage return (\r) line endings. - gh-141311: Fix assertion failure in io.BytesIO.readinto() and undefined behavior arising when read position is above capacity in io.BytesIO. - gh-141141: Fix a thread safety issue with base64.b85decode(). Contributed by Benel Tayar. - gh-140911: collections: Ensure that the methods UserString.rindex() and UserString.index() accept collections.UserString instances as the sub argument.
- gh-140797: The undocumented re.Scanner class now forbids regular expressions containing capturing groups in its lexicon patterns. Patterns using capturing groups could previously lead to crashes with segmentation fault. Use non-capturing groups (?:...) instead. - gh-140815: faulthandler now detects if a frame or a code object is invalid or freed. Patch by Victor Stinner. - gh-100218: Correctly set errno when socket.if_nametoindex() or socket.if_indextoname() raise an OSError. Patch by Bénédikt Tran. - gh-140875: Fix handling of unclosed character references (named and numerical) followed by the end of file in html.parser.HTMLParser with convert_charrefs=False. - gh-140734: multiprocessing: fix off-by-one error when checking the length of a temporary socket file path. Patch by Bénédikt Tran. - gh-140874: Bump the version of pip bundled in ensurepip to version 25.3 - gh-140691: In urllib.request, when opening a FTP URL fails because a data connection cannot be made, the control connection's socket is now closed to avoid a ResourceWarning. - gh-103847: Fix hang when cancelling process created by asyncio.create_subprocess_exec() or asyncio.create_subprocess_shell(). Patch by Kumar Aditya. - gh-140590: Fix arguments checking for the functools.partial.__setstate__() that may lead to internal state corruption and crash. Patch by Sergey Miryanov. - gh-140634: Fix a reference counting bug in os.sched_param.__reduce__(). - gh-140633: Ignore AttributeError when setting a module's __file__ attribute when loading an extension module packaged as Apple Framework. - gh-140593: xml.parsers.expat: Fix a memory leak that could affect users with ElementDeclHandler() set to a custom element declaration handler. Patch by Sebastian Pipping. - gh-140607: Inside io.RawIOBase.read(), validate that the count of bytes returned by io.RawIOBase.readinto() is valid (inside the provided buffer). - gh-138162: Fix logging.LoggerAdapter with merge_extra=True and without the extra argument.
- gh-140474: Fix memory leak in array.array when creating arrays from an empty str and the u type code. - gh-140272: Fix memory leak in the clear() method of the dbm.gnu database. - gh-140041: Fix import of ctypes on Android and Cygwin when ABI flags are present. - gh-139905: Add suggestion to error message for typing.Generic subclasses when cls.__parameters__ is missing due to a parent class failing to call super().__init_subclass__() in its __init_subclass__. - gh-139845: Fix to not print KeyboardInterrupt twice in default asyncio REPL. - gh-139783: Fix inspect.getsourcelines() for the case when a decorator is followed by a comment or an empty line. - gh-70765: http.server: fix default handling of HTTP/0.9 requests in BaseHTTPRequestHandler. Previously, BaseHTTPRequestHandler.parse_request() incorrectly waited for headers in the request although those are not supported in HTTP/0.9. Patch by Bénédikt Tran. - gh-139391: Fix an issue when, on non-Windows platforms, it was not possible to gracefully exit a python -m asyncio process suspended by Ctrl+Z and later resumed by fg other than with kill. - gh-101828: Fix 'shift_jisx0213', 'shift_jis_2004', 'euc_jisx0213' and 'euc_jis_2004' codecs truncating null chars as they were treated as part of multi-character sequences. - gh-139246: fix: paste zero-width in default repl width is wrong. - gh-90949: Add SetAllocTrackerActivationThreshold() and SetAllocTrackerMaximumAmplification() to xmlparser objects to prevent use of disproportional amounts of dynamic memory from within an Expat parser. Patch by Bénédikt Tran. - gh-139065: Fix trailing space before a wrapped long word if the line length is exactly width in textwrap. - gh-138993: Dedent credits text. - gh-138859: Fix generic type parameterization raising a TypeError when omitting a ParamSpec that has a default which is not a list of types. - gh-138775: Use of python -m with base64 has been fixed to detect input from a terminal so that it properly notices EOF.
- gh-98896: Fix a failure in multiprocessing resource_tracker when SharedMemory names contain colons. Patch by Rani Pinchuk. - gh-75989: tarfile.TarFile.extractall() and tarfile.TarFile.extract() now overwrite symlinks when extracting hardlinks. (Contributed by Alexander Enrique Urieles Nieto in gh-75989.) - gh-83424: Allows creating a ctypes.CDLL without name when passing a handle as an argument. - gh-136234: Fix asyncio.WriteTransport.writelines() to be robust to connection failure, by using the same behavior as write(). - gh-136057: Fixed the bug in pdb and bdb where next and step can't go over the line if a loop exists in the line. - gh-135307: email: Fix exception in set_content() when encoding text and max_line_length is set to 0 or None (unlimited). - gh-134453: Fixed subprocess.Popen.communicate() input= handling of memoryview instances that were non-byte shaped on POSIX platforms. Those are now properly cast to a byte shaped view instead of truncating the input. Windows platforms did not have this bug. - gh-102431: Clarify constraints for "logical" arguments in methods of decimal.Context. - IDLE - gh-96491: Deduplicate version number in IDLE shell title bar after saving to a file. - Documentation - gh-141994: xml.sax.handler: Make Documentation of xml.sax.handler.feature_external_ges warn of opening up to external entity attacks. Patch by Sebastian Pipping. - gh-140578: Remove outdated sentence in the documentation for multiprocessing, that implied that concurrent.futures.ThreadPoolExecutor did not exist. - Core and Builtins - gh-142048: Fix quadratically increasing garbage collection delays in free-threaded build. - gh-141930: When importing a module, use Python's regular file object to ensure that writes to .pyc files are complete or an appropriate error is raised. - gh-120158: Fix inconsistent state when enabling or disabling monitoring events too many times.
- gh-141579: Fix sys.activate_stack_trampoline() to properly support the perf_jit backend. Patch by Pablo Galindo. - gh-141312: Fix the assertion failure in the __setstate__ method of the range iterator when a non-integer argument is passed. Patch by Sergey Miryanov. - gh-140939: Fix memory leak when bytearray or bytes is formatted with the %*b format with a large width that results in a MemoryError. - gh-140530: Fix a reference leak when raise exc from cause fails. Patch by Bénédikt Tran. - gh-140576: Fixed crash in tokenize.generate_tokens() in case of specific incorrect input. Patch by Mikhail Efimov. - gh-140551: Fixed crash in dict if dict.clear() is called at the lookup stage. Patch by Mikhail Efimov and Inada Naoki. - gh-140471: Fix potential buffer overflow in ast.AST node initialization when encountering malformed _fields containing non-str. - gh-140406: Fix memory leak when an object's __hash__() method returns an object that isn't an int. - gh-140306: Fix memory leaks in cross-interpreter channel operations and shared namespace handling. - gh-140301: Fix memory leak of PyConfig in subinterpreters. - gh-140000: Fix potential memory leak when a reference cycle exists between an instance of typing.TypeAliasType, typing.TypeVar, typing.ParamSpec, or typing.TypeVarTuple and its __name__ attribute. Patch by Mikhail Efimov. - gh-139748: Fix reference leaks in error branches of functions accepting path strings or bytes such as compile() and os.system(). Patch by Bénédikt Tran. - gh-139516: Fix lambda colon erroneously start format spec in f-string in tokenizer. - gh-139640: Fix swallowing some syntax warnings in different modules if they accidentally have the same message and are emitted from the same line. Fix duplicated warnings in the finally block.
- gh-137400: Fix a crash in the free threading build when disabling profiling or tracing across all threads with PyEval_SetProfileAllThreads() or PyEval_SetTraceAllThreads() or their Python equivalents threading.settrace_all_threads() and threading.setprofile_all_threads(). - gh-133400: Fixed Ctrl+D (^D) behavior in _pyrepl module to match old pre-3.13 REPL behavior. - C API - gh-140042: Removed the sqlite3_shutdown call that could cause closing connections for sqlite when used with multiple sub interpreters. - gh-140487: Fix Py_RETURN_NOTIMPLEMENTED in limited C API 3.11 and older: don't treat Py_NotImplemented as immortal. Patch by Victor Stinner. - Update to 3.13.9: - Library - gh-139783: Fix inspect.getsourcelines() for the case when a decorator is followed by a comment or an empty line. - Update to 3.13.8: - Tools/Demos - gh-139330: SBOM generation tool didn't cross-check the version and checksum values against the Modules/expat/refresh.sh script, leading to the values becoming out-of-date during routine updates. - gh-137873: The iOS test runner has been simplified, resolving some issues that have been observed using the runner in GitHub Actions and Azure Pipelines test environments. - Tests - gh-139208: Fix regrtest --fast-ci --verbose: don't ignore the --verbose option anymore. Patch by Victor Stinner. - Security - gh-139400: xml.parsers.expat: Make sure that parent Expat parsers are only garbage-collected once they are no longer referenced by subparsers created by ExternalEntityParserCreate(). Patch by Sebastian Pipping. - gh-139283: sqlite3: correctly handle maximum number of rows to fetch in Cursor.fetchmany and reject negative values for Cursor.arraysize. Patch by Bénédikt Tran. - gh-135661: Fix CDATA section parsing in html.parser.HTMLParser according to the HTML5 standard: ] ]> and ]] > no longer end the CDATA section. Add private method _set_support_cdata() which can be used to specify how to parse <[CDATA[ ...
as a CDATA section in foreign content (SVG or MathML) or as a bogus comment in the HTML namespace. - Library - gh-139312: Upgrade bundled libexpat to 2.7.3 - gh-139289: Do a real lazy-import on rlcompleter in pdb and restore the existing completer after importing rlcompleter. - gh-139210: Fix use-after-free when reporting unknown event in xml.etree.ElementTree.iterparse(). Patch by Ken Jin. - gh-138860: Lazy import rlcompleter in pdb to avoid deadlock in subprocess. - gh-112729: Fix crash when calling _interpreters.create when the process is out of memory. - gh-139076: Fix a bug in the pydoc module that was hiding functions in a Python module if they were implemented in an extension module and the module did not have __all__. - gh-138998: Update bundled libexpat to 2.7.2 - gh-130567: Fix possible crash in locale.strxfrm() due to a platform bug on macOS. - gh-138779: Support device numbers larger than 2**63-1 for the st_rdev field of the os.stat_result structure. - gh-128636: Fix crash in PyREPL when os.environ is overwritten with an invalid value for mac - gh-88375: Fix normalization of the robots.txt rules and URLs in the urllib.robotparser module. No longer ignore trailing ?. Distinguish raw special characters ?, = and & from the percent-encoded ones. - gh-138515: email is added to Emscripten build. - gh-111788: Fix parsing errors in the urllib.robotparser module. Don't fail trying to parse weird paths. Don't fail trying to decode non-UTF-8 robots.txt files. - gh-138432: zoneinfo.reset_tzpath() will now convert any os.PathLike objects it receives into strings before adding them to TZPATH. It will raise TypeError if anything other than a string is found after this conversion. If given an os.PathLike object that represents a relative path, it will now raise ValueError instead of TypeError, and present a more informative error message. - gh-138008: Fix segmentation faults in the ctypes module due to invalid argtypes. Patch by Dung Nguyen.
- gh-60462: Fix locale.strxfrm() on Solaris (and possibly other platforms). - gh-138204: Forbid expansion of shared anonymous memory maps on Linux, which caused a bus error. - gh-138010: Fix an issue where defining a class with a @warnings.deprecated-decorated base class may not invoke the correct __init_subclass__() method in cases involving multiple inheritance. Patch by Brian Schubert. - gh-138133: Prevent infinite traceback loop when sending CTRL^C to Python through strace. - gh-134869: Fix an issue where pressing Ctrl+C during tab completion in the REPL would leave the autocompletion menu in a corrupted state. - gh-137317: inspect.signature() now correctly handles classes that use a descriptor on a wrapped __init__() or __new__() method. Contributed by Yongyu Yan. - gh-137754: Fix import of the zoneinfo module if the C implementation of the datetime module is not available. - gh-137490: Handle ECANCELED in the same way as EINTR in signal.sigwaitinfo() on NetBSD. - gh-137477: Fix inspect.getblock(), inspect.getsourcelines() and inspect.getsource() for generator expressions. - gh-137017: Fix threading.Thread.is_alive to remain True until the underlying OS thread is fully cleaned up. This avoids false negatives in edge cases involving thread monitoring or premature threading.Thread.is_alive calls. - gh-136134: SMTP.auth_cram_md5() now raises an SMTPException instead of a ValueError if Python has been built without MD5 support. In particular, SMTP clients will not attempt to use this method even if the remote server is assumed to support it. Patch by Bénédikt Tran. - gh-136134: IMAP4.login_cram_md5 now raises an IMAP4.error if CRAM-MD5 authentication is not supported. Patch by Bénédikt Tran. - gh-135386: Fix opening a dbm.sqlite3 database for reading from read-only file or directory. - gh-126631: Fix multiprocessing forkserver bug which prevented __main__ from being preloaded.
- gh-123085: In a bare call to importlib.resources.files(), ensure the caller's frame is properly detected when importlib.resources is itself available as a compiled module only (no source). - gh-118981: Fix potential hang in multiprocessing.popen_spawn_posix that can happen when the child proc dies early by closing the child fds right away. - gh-78319: UTF8 support for the IMAP APPEND command has been made RFC compliant. - bpo-38735: Fix failure when importing a module from the root directory on unix-like platforms with sys.pycache_prefix set. - bpo-41839: Allow negative priority values from os.sched_get_priority_min() and os.sched_get_priority_max() functions. - Core and Builtins - gh-134466: Don't run PyREPL in a degraded environment where setting termios attributes is not allowed. - gh-71810: Raise OverflowError for (-1).to_bytes() for signed conversions when bytes count is zero. Patch by Sergey B Kirpichev. - gh-105487: Remove non-existent __copy__(), __deepcopy__(), and __bases__ from the __dir__() entries of types.GenericAlias. - gh-134163: Fix a hang when the process is out of memory inside an exception handler. - gh-138479: Fix a crash when a generic object's __typing_subst__ returns an object that isn't a tuple. - gh-137576: Fix for incorrect source code being shown in tracebacks from the Basic REPL when PYTHONSTARTUP is given. Patch by Adam Hartz. - gh-132744: Certain calls now check for runaway recursion and respect the system recursion limit. - C API - gh-87135: Attempting to acquire the GIL after runtime finalization has begun in a different thread now causes the thread to hang rather than terminate, which avoids potential crashes or memory corruption caused by attempting to terminate a thread that is running code not specifically designed to support termination. In most cases this hanging is harmless since the process will soon exit anyway.
While not officially marked deprecated until 3.14, PyThread_exit_thread is no longer called internally and remains solely for interface compatibility. Its behavior is inconsistent across platforms, and it can only be used safely in the unlikely case that every function in the entire call stack has been designed to support the platform-dependent termination mechanism. It is recommended that users of this function change their design to not require thread termination. In the unlikely case that thread termination is needed and can be done safely, users may migrate to calling platform-specific APIs such as pthread_exit (POSIX) or _endthreadex (Windows) directly. - Build - gh-135734: Python can correctly be configured and built with ./configure --enable-optimizations --disable-test-modules. Previously, the profile data generation step failed due to PGO tests where immortalization couldn't be properly suppressed. - Update to 3.13.7: - gh-137583: Fix a deadlock introduced in 3.13.6 when a call to ssl.SSLSocket.recv was blocked in one thread, and then another method on the object (such as ssl.SSLSocket.send) was subsequently called in another thread. - gh-137044: Return large limit values as positive integers instead of negative integers in resource.getrlimit(). Accept large values and reject negative values (except RLIM_INFINITY) for limits in resource.setrlimit(). - gh-136914: Fix retrieval of doctest.DocTest.lineno for objects decorated with functools.cache() or functools.cached_property. - gh-131788: Make ResourceTracker.send from multiprocessing re-entrant safe - gh-136155: We are now checking for fatal errors in EPUB builds in CI. - gh-137400: Fix a crash in the free threading build when disabling profiling or tracing across all threads with PyEval_SetProfileAllThreads() or PyEval_SetTraceAllThreads() or their Python equivalents threading.settrace_all_threads() and threading.setprofile_all_threads().
- Update to 3.13.6: - Security - gh-135661: Fix parsing start and end tags in html.parser.HTMLParser according to the HTML5 standard. - gh-102555: Fix comment parsing in html.parser.HTMLParser according to the HTML5 standard. - CVE-2025-6069: Fix quadratic complexity in processing specially crafted input in html.parser.HTMLParser. End-of-file errors are now handled according to the HTML5 specs – comments and declarations are automatically closed, tags are ignored (gh-135462, bsc#1244705). - CVE-2025-8194: tarfile now validates archives to ensure member offsets are non-negative. (gh-130577, bsc#1247249). - gh-118350: Fix support of escapable raw text mode (elements “textarea” and “title”) in html.parser.HTMLParser. - Core and Builtins - gh-58124: Fix name of the Python encoding in Unicode errors of the code page codec: use “cp65000” and “cp65001” instead of “CP_UTF7” and “CP_UTF8” which are not valid Python code names. Patch by Victor Stinner. - gh-137314: Fixed a regression where raw f-strings incorrectly interpreted escape sequences in format specifications. Raw f-strings now properly preserve literal backslashes in format specs, matching the behavior from Python 3.11. For example, rf'{obj:\xFF}' now correctly produces '\\xFF' instead of 'ÿ'. Patch by Pablo Galindo. - gh-136541: Fix some issues with the perf trampolines on x86-64 and aarch64. The trampolines were not being generated correctly for some cases, which could lead to the perf integration not working correctly. Patch by Pablo Galindo. - gh-109700: Fix memory error handling in PyDict_SetDefault(). - gh-78465: Fix error message for cls.__new__(cls, ...) where cls is not instantiable builtin or extension type (with tp_new set to NULL). - gh-135871: Non-blocking mutex lock attempts now return immediately when the lock is busy instead of briefly spinning in the free threading build. - gh-135607: Fix potential weakref races in an object's destructor on the free threaded build.
- gh-135496: Fix typo in the f-string conversion type error (“exclamanation” -> “exclamation”). - gh-130077: Properly raise custom syntax errors when incorrect syntax containing names that are prefixes of soft keywords is encountered. Patch by Pablo Galindo. - gh-135148: Fixed a bug where f-string debug expressions (using =) would incorrectly strip out parts of strings containing escaped quotes and # characters. Patch by Pablo Galindo. - gh-133136: Limit excess memory usage in the free threading build when a large dictionary or list is resized and accessed by multiple threads. - gh-132617: Fix dict.update() modification check that could incorrectly raise a “dict mutated during update” error when a different dictionary was modified that happens to share the same underlying keys object. - gh-91153: Fix a crash when a bytearray is concurrently mutated during item assignment. - gh-127971: Fix off-by-one read beyond the end of a string in string search. - gh-125723: Fix crash with gi_frame.f_locals when generator frames outlive their generator. Patch by Mikhail Efimov. - Library - gh-132710: If possible, ensure that uuid.getnode() returns the same result even across different processes. Previously, the result was constant only within the same process. Patch by Bénédikt Tran. - gh-137273: Fix debug assertion failure in locale.setlocale() on Windows. - gh-137257: Bump the version of pip bundled in ensurepip to version 25.2 - gh-81325: tarfile.TarFile now accepts a path-like when working on a tar archive. (Contributed by Alexander Enrique Urieles Nieto in gh-81325.) - gh-130522: Fix unraisable TypeError raised during interpreter shutdown in the threading module. - gh-136549: Fix signature of threading.excepthook(). - gh-136523: Fix wave.Wave_write emitting an unraisable when open raises. - gh-52876: Add missing keepends (default True) parameter to codecs.StreamReaderWriter.readline() and codecs.StreamReaderWriter.readlines().
- gh-85702: If zoneinfo._common.load_tzdata is given a package without a resource a zoneinfo.ZoneInfoNotFoundError is raised rather than a PermissionError. Patch by Victor Stinner. - gh-134759: Fix UnboundLocalError in email.message.Message.get_payload() when the payload to decode is a bytes object. Patch by Kliment Lamonov. - gh-136028: Fix parsing month names containing “İ” (U+0130, LATIN CAPITAL LETTER I WITH DOT ABOVE) in time.strptime(). This affects locales az_AZ, ber_DZ, ber_MA and crh_UA. - gh-135995: In the palmos encoding, make byte 0x9b decode to › (U+203A - SINGLE RIGHT-POINTING ANGLE QUOTATION MARK). - gh-53203: Fix time.strptime() for %c and %x formats on locales byn_ER, wal_ET and lzh_TW, and for %X format on locales ar_SA, bg_BG and lzh_TW. - gh-91555: An earlier change, which was introduced in 3.13.4, has been reverted. It disabled logging for a logger during handling of log messages for that logger. Since the reversion, the behaviour should be as it was before 3.13.4. - gh-135878: Fixes a crash of types.SimpleNamespace on free threading builds, when several threads were calling its __repr__() method at the same time. - gh-135836: Fix IndexError in asyncio.loop.create_connection() that could occur when non-OSError exception is raised during connection and socket's close() raises OSError. - gh-135836: Fix IndexError in asyncio.loop.create_connection() that could occur when the Happy Eyeballs algorithm resulted in an empty exceptions list during connection attempts. - gh-135855: Raise TypeError instead of SystemError when _interpreters.set___main___attrs() is passed a non-dict object. Patch by Brian Schubert. - gh-135815: netrc: skip security checks if os.getuid() is missing. Patch by Bénédikt Tran. - gh-135640: Address bug where it was possible to call xml.etree.ElementTree.ElementTree.write() on an ElementTree object with an invalid root element. This behavior blanked the file passed to write if it already existed.
- gh-135444: Fix asyncio.DatagramTransport.sendto() to account for datagram header size when data cannot be sent. - gh-135497: Fix os.getlogin() failing for longer usernames on BSD-based platforms. - gh-135487: Fix reprlib.Repr.repr_int() when given integers with more than sys.get_int_max_str_digits() digits. Patch by Bénédikt Tran. - gh-135335: multiprocessing: Flush stdout and stderr after preloading modules in the forkserver. - gh-135244: uuid: when the MAC address cannot be determined, the 48-bit node ID is now generated with a cryptographically-secure pseudo-random number generator (CSPRNG) as per RFC 9562, §6.10.3. This affects uuid1(). - gh-135069: Fix the “Invalid error handling” exception in encodings.idna.IncrementalDecoder to correctly replace the “errors” parameter. - gh-134698: Fix a crash when calling methods of ssl.SSLContext or ssl.SSLSocket across multiple threads. - gh-132124: On POSIX-compliant systems, multiprocessing.util.get_temp_dir() now ignores TMPDIR (and similar environment variables) if the path length of AF_UNIX socket files exceeds the platform-specific maximum length when using the forkserver start method. Patch by Bénédikt Tran. - gh-133439: Fix dot commands with trailing spaces are mistaken for multi-line SQL statements in the sqlite3 command-line interface. - gh-132969: Prevent the ProcessPoolExecutor executor thread, which remains running when shutdown(wait=False), from attempting to adjust the pool's worker processes after the object state has already been reset during shutdown. A combination of conditions, including a worker process having terminated abnormally, resulted in an exception and a potential hang when the still-running executor thread attempted to replace dead workers within the pool. - gh-130664: Support the '_' digit separator in formatting of the integral part of Decimal's. Patch by Sergey B Kirpichev.
- gh-85702: If zoneinfo._common.load_tzdata is given a package without a resource a ZoneInfoNotFoundError is raised rather than a IsADirectoryError. - gh-130664: Handle corner-case for Fraction's formatting: treat zero-padding (preceding the width field by a zero ('0') character) as an equivalent to a fill character of '0' with an alignment type of '=', just as in case of float's. - Tools/Demos - gh-135968: Stubs for strip are now provided as part of an iOS install. - Tests - gh-135966: The iOS testbed now handles the app_packages folder as a site directory. - gh-135494: Fix regrtest to support excluding tests from --pgo tests. Patch by Victor Stinner. - gh-135489: Show verbose output for failing tests during PGO profiling step with --enable-optimizations. - Documentation - gh-135171: Document that the iterator for the leftmost for clause in the generator expression is created immediately. - Build - gh-135497: Fix the detection of MAXLOGNAME in the configure.ac script. The following package changes have been done: - suse-module-tools-16.0.64-160000.1.1 updated - suse-module-tools-scriptlets-16.0.64-160000.1.1 updated - libpython3_13-1_0-3.13.11-160000.1.1 updated - python313-base-3.13.11-160000.1.1 updated - container:suse-sl-micro-6.2-baremetal-os-container-latest-e55a58e8b89cfbb7d686ce31bf6aed23f839d51075d1eca098959def11c00337-0 updated From sle-container-updates at lists.suse.com Fri Jan 23 08:16:46 2026 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Fri, 23 Jan 2026 09:16:46 +0100 (CET) Subject: SUSE-IU-2026:248-1: Security update of suse/sl-micro/6.2/rt-os-container Message-ID: <20260123081646.E353FFF0C@maintenance.suse.de> SUSE Image Update Advisory: suse/sl-micro/6.2/rt-os-container ----------------------------------------------------------------- Image Advisory ID : SUSE-IU-2026:248-1 Image Tags : suse/sl-micro/6.2/rt-os-container:2.3.0 , suse/sl-micro/6.2/rt-os-container:2.3.0-6.20 , 
suse/sl-micro/6.2/rt-os-container:latest Image Release : 6.20 Severity : moderate Type : security References : 1256525 1256526 CVE-2026-22695 CVE-2026-22801 ----------------------------------------------------------------- The container suse/sl-micro/6.2/rt-os-container was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: 172 Released: Thu Jan 22 15:29:42 2026 Summary: Security update for libpng16 Type: security Severity: moderate References: 1256525,1256526,CVE-2026-22695,CVE-2026-22801 This update for libpng16 fixes the following issues: - CVE-2026-22695: Fixed heap buffer over-read in png_image_finish_read (bsc#1256525). - CVE-2026-22801: Fixed integer truncation causing heap buffer over-read in png_image_write_* (bsc#1256526). The following package changes have been done: - libpng16-16-1.6.44-160000.4.1 updated - container:suse-sl-micro-6.2-baremetal-os-container-latest-f0dff622a7bbb60b951106021f49605c2df71463203387b3ed49587938586fd2-0 updated From sle-container-updates at lists.suse.com Fri Jan 23 08:24:06 2026 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Fri, 23 Jan 2026 09:24:06 +0100 (CET) Subject: SUSE-CU-2026:365-1: Security update of suse/manager/4.3/proxy-salt-broker Message-ID: <20260123082406.ABE50FF0C@maintenance.suse.de> SUSE Container Update Advisory: suse/manager/4.3/proxy-salt-broker ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2026:365-1 Container Tags : suse/manager/4.3/proxy-salt-broker:4.3.16.2 , suse/manager/4.3/proxy-salt-broker:4.3.16.2.9.63.7 , suse/manager/4.3/proxy-salt-broker:latest Container Release : 9.63.7 Severity : moderate Type : security References : 1256070 CVE-2025-15444 ----------------------------------------------------------------- The container suse/manager/4.3/proxy-salt-broker was updated. 
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2026:223-1 Released: Thu Jan 22 13:17:49 2026 Summary: Security update for libsodium Type: security Severity: moderate References: 1256070,CVE-2025-15444 This update for libsodium fixes the following issues: - CVE-2025-15444: fixed cryptographic bypass via improper elliptic curve point validation (bsc#1256070). The following package changes have been done: - libsodium23-1.0.18-150000.4.11.1 updated From sle-container-updates at lists.suse.com Fri Jan 23 08:30:34 2026 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Fri, 23 Jan 2026 09:30:34 +0100 (CET) Subject: SUSE-CU-2026:368-1: Security update of suse/sle-micro/5.2/toolbox Message-ID: <20260123083034.1BD74FF0C@maintenance.suse.de> SUSE Container Update Advisory: suse/sle-micro/5.2/toolbox ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2026:368-1 Container Tags : suse/sle-micro/5.2/toolbox:14.2 , suse/sle-micro/5.2/toolbox:14.2-7.11.228 , suse/sle-micro/5.2/toolbox:latest Container Release : 7.11.228 Severity : important Type : security References : 1255715 1256244 1256246 1256341 1256390 CVE-2025-13151 CVE-2025-68973 ----------------------------------------------------------------- The container suse/sle-micro/5.2/toolbox was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2026:214-1 Released: Thu Jan 22 13:09:26 2026 Summary: Security update for gpg2 Type: security Severity: important References: 1255715,1256244,1256246,1256390,CVE-2025-68973 This update for gpg2 fixes the following issues: - CVE-2025-68973: Fix possible memory corruption in the armor parser (gpg.fail/memcpy)(bsc#1255715). 
- Avoid potential downgrade to SHA1 in 3rd party key signatures (gpg.fail/sha1) (bsc#1256246). - Error out on unverified output for non-detached signatures (gpg.fail/detached) (bsc#1256244). - Fix Cleartext Signature Forgery in the NotDashEscaped header implementation in GnuPG (gpg.fail/notdash) (bsc#1256390). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2026:224-1 Released: Thu Jan 22 13:18:20 2026 Summary: Security update for libtasn1 Type: security Severity: moderate References: 1256341,CVE-2025-13151 This update for libtasn1 fixes the following issues: - CVE-2025-13151: stack-based buffer overflow in `asn1_expend_octet_string` (bsc#1256341). The following package changes have been done: - gpg2-2.2.27-150300.3.16.1 updated - libtasn1-6-4.13-150000.4.14.1 updated - libtasn1-4.13-150000.4.14.1 updated From sle-container-updates at lists.suse.com Fri Jan 23 08:30:36 2026 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Fri, 23 Jan 2026 09:30:36 +0100 (CET) Subject: SUSE-CU-2026:369-1: Security update of suse/sle-micro/5.2/toolbox Message-ID: <20260123083036.7310BFF0C@maintenance.suse.de> SUSE Container Update Advisory: suse/sle-micro/5.2/toolbox ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2026:369-1 Container Tags : suse/sle-micro/5.2/toolbox:14.2 , suse/sle-micro/5.2/toolbox:14.2-7.11.229 , suse/sle-micro/5.2/toolbox:latest Container Release : 7.11.229 Severity : low Type : security References : 1257049 CVE-2026-0988 ----------------------------------------------------------------- The container suse/sle-micro/5.2/toolbox was updated. 
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2026:264-1 Released: Fri Jan 23 05:33:52 2026 Summary: Security update for glib2 Type: security Severity: low References: 1257049,CVE-2026-0988 This update for glib2 fixes the following issues: - CVE-2026-0988: Fixed a potential integer overflow in g_buffered_input_stream_peek (bsc#1257049). The following package changes have been done: - libglib-2_0-0-2.62.6-150200.3.39.1 updated - libgmodule-2_0-0-2.62.6-150200.3.39.1 updated From sle-container-updates at lists.suse.com Sat Jan 24 08:04:57 2026 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Sat, 24 Jan 2026 09:04:57 +0100 (CET) Subject: SUSE-IU-2026:276-1: Recommended update of suse/sl-micro/6.2/baremetal-os-container Message-ID: <20260124080457.DAF56FF0D@maintenance.suse.de> SUSE Image Update Advisory: suse/sl-micro/6.2/baremetal-os-container ----------------------------------------------------------------- Image Advisory ID : SUSE-IU-2026:276-1 Image Tags : suse/sl-micro/6.2/baremetal-os-container:2.3.0 , suse/sl-micro/6.2/baremetal-os-container:2.3.0-7.23 , suse/sl-micro/6.2/baremetal-os-container:latest Image Release : 7.23 Severity : important Type : recommended References : 1252338 ----------------------------------------------------------------- The container suse/sl-micro/6.2/baremetal-os-container was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: 184 Released: Fri Jan 23 10:02:18 2026 Summary: Recommended update for pciutils Type: recommended Severity: important References: 1252338 This update for pciutils fixes the following issues: - pciutils.spec: Add a strict dependency to libpci. (bsc#1252338) Mixing different versions of pciutils and libpci could result in a segmentation fault due to incompatible ABI. 
The following package changes have been done: - libpci3-3.13.0-160000.3.1 updated - pciutils-3.13.0-160000.3.1 updated From sle-container-updates at lists.suse.com Sat Jan 24 08:04:58 2026 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Sat, 24 Jan 2026 09:04:58 +0100 (CET) Subject: SUSE-IU-2026:277-1: Recommended update of suse/sl-micro/6.2/baremetal-os-container Message-ID: <20260124080458.D0792FF0D@maintenance.suse.de> SUSE Image Update Advisory: suse/sl-micro/6.2/baremetal-os-container ----------------------------------------------------------------- Image Advisory ID : SUSE-IU-2026:277-1 Image Tags : suse/sl-micro/6.2/baremetal-os-container:2.3.0 , suse/sl-micro/6.2/baremetal-os-container:2.3.0-7.24 , suse/sl-micro/6.2/baremetal-os-container:latest Image Release : 7.24 Severity : moderate Type : recommended References : 1253029 1253960 1254873 ----------------------------------------------------------------- The container suse/sl-micro/6.2/baremetal-os-container was updated. 
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: 182 Released: Fri Jan 23 09:24:13 2026 Summary: Recommended update for dracut Type: recommended Severity: moderate References: 1253029,1253960,1254873 This update for dracut fixes the following issues: - Fix and update testsuite (bsc#1254873): * test (FULL-SYSTEMD): + ignore errors in systemd-vconsole-setup.service + use poweroff to shut down test + no need to include dbus to the target rootfs * test: move /failed to /run/failed as rootfs might be read-only * test: make the size of all test drives 512 MB * fix (systemd): move installation of libkmod to udev-rules module * test: switch to virtio for the QEMU drive * test: increase test VM memory from 512M to 1024M to avoid OOM killer * test: move more common test code to test-functions * test: upgrade to ext4 - fix (nfs): do not execute logic in nfs hooks if netroot is not nfs (bsc#1253960) - fix (kernel-modules-extra): remove stray \ before / (bsc#1253029) The following package changes have been done: - dracut-059+suse.717.g75494a30-160000.1.1 updated - container:suse-sl-micro-6.2-base-os-container-latest-df0d36814431adf3551bf22f0a25eaf76d2222764730b33ddd5132c7cf9b66ce-0 updated From sle-container-updates at lists.suse.com Sat Jan 24 08:09:23 2026 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Sat, 24 Jan 2026 09:09:23 +0100 (CET) Subject: SUSE-IU-2026:285-1: Recommended update of suse/sl-micro/6.2/kvm-os-container Message-ID: <20260124080923.5F98EFF0D@maintenance.suse.de> SUSE Image Update Advisory: suse/sl-micro/6.2/kvm-os-container ----------------------------------------------------------------- Image Advisory ID : SUSE-IU-2026:285-1 Image Tags : suse/sl-micro/6.2/kvm-os-container:2.3.0 , suse/sl-micro/6.2/kvm-os-container:2.3.0-7.17 , suse/sl-micro/6.2/kvm-os-container:latest Image Release : 7.17 Severity : moderate Type : 
recommended References : 1253029 1253960 1254873 ----------------------------------------------------------------- The container suse/sl-micro/6.2/kvm-os-container was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: 182 Released: Fri Jan 23 09:24:13 2026 Summary: Recommended update for dracut Type: recommended Severity: moderate References: 1253029,1253960,1254873 This update for dracut fixes the following issues: - Fix and update testsuite (bsc#1254873): * test (FULL-SYSTEMD): + ignore errors in systemd-vconsole-setup.service + use poweroff to shut down test + no need to include dbus to the target rootfs * test: move /failed to /run/failed as rootfs might be read-only * test: make the size of all test drives 512 MB * fix (systemd): move installation of libkmod to udev-rules module * test: switch to virtio for the QEMU drive * test: increase test VM memory from 512M to 1024M to avoid OOM killer * test: move more common test code to test-functions * test: upgrade to ext4 - fix (nfs): do not execute logic in nfs hooks if netroot is not nfs (bsc#1253960) - fix (kernel-modules-extra): remove stray \ before / (bsc#1253029) The following package changes have been done: - dracut-059+suse.717.g75494a30-160000.1.1 updated - container:suse-sl-micro-6.2-base-os-container-latest-df0d36814431adf3551bf22f0a25eaf76d2222764730b33ddd5132c7cf9b66ce-0 updated From sle-container-updates at lists.suse.com Sat Jan 24 08:10:14 2026 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Sat, 24 Jan 2026 09:10:14 +0100 (CET) Subject: SUSE-IU-2026:291-1: Recommended update of suse/sl-micro/6.2/rt-os-container Message-ID: <20260124081014.E7453FF0D@maintenance.suse.de> SUSE Image Update Advisory: suse/sl-micro/6.2/rt-os-container ----------------------------------------------------------------- Image Advisory ID : SUSE-IU-2026:291-1 Image Tags : 
suse/sl-micro/6.2/rt-os-container:2.3.0 , suse/sl-micro/6.2/rt-os-container:2.3.0-6.23 , suse/sl-micro/6.2/rt-os-container:latest Image Release : 6.23 Severity : moderate Type : recommended References : 1253029 1253960 1254873 ----------------------------------------------------------------- The container suse/sl-micro/6.2/rt-os-container was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: 182 Released: Fri Jan 23 09:24:13 2026 Summary: Recommended update for dracut Type: recommended Severity: moderate References: 1253029,1253960,1254873 This update for dracut fixes the following issues: - Fix and update testsuite (bsc#1254873): * test (FULL-SYSTEMD): + ignore errors in systemd-vconsole-setup.service + use poweroff to shut down test + no need to include dbus to the target rootfs * test: move /failed to /run/failed as rootfs might be read-only * test: make the size of all test drives 512 MB * fix (systemd): move installation of libkmod to udev-rules module * test: switch to virtio for the QEMU drive * test: increase test VM memory from 512M to 1024M to avoid OOM killer * test: move more common test code to test-functions * test: upgrade to ext4 - fix (nfs): do not execute logic in nfs hooks if netroot is not nfs (bsc#1253960) - fix (kernel-modules-extra): remove stray \ before / (bsc#1253029) The following package changes have been done: - dracut-059+suse.717.g75494a30-160000.1.1 updated - container:suse-sl-micro-6.2-baremetal-os-container-latest-5f26902a53f899eb86c8cff5473aa18f3990cb9955576926d2ac352e7d521226-0 updated From sle-container-updates at lists.suse.com Tue Jan 27 08:05:00 2026 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Tue, 27 Jan 2026 09:05:00 +0100 (CET) Subject: SUSE-CU-2026:370-1: Security update of private-registry/harbor-core Message-ID: <20260127080500.C3954FF0D@maintenance.suse.de> SUSE Container 
Update Advisory: private-registry/harbor-core ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2026:370-1 Container Tags : private-registry/harbor-core:1.1.0 , private-registry/harbor-core:1.1.0-1.10 , private-registry/harbor-core:latest Container Release : 1.10 Severity : moderate Type : security References : 1256341 CVE-2025-13151 ----------------------------------------------------------------- The container private-registry/harbor-core was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2026:224-1 Released: Thu Jan 22 13:18:20 2026 Summary: Security update for libtasn1 Type: security Severity: moderate References: 1256341,CVE-2025-13151 This update for libtasn1 fixes the following issues: - CVE-2025-13151: stack-based buffer overflow in `asn1_expend_octet_string` (bsc#1256341). The following package changes have been done: - libtasn1-6-4.13-150000.4.14.1 updated - libtasn1-4.13-150000.4.14.1 updated - system-user-harbor-2.14.2-150700.1.3 updated - harbor-core-2.14.2-150700.1.3 updated From sle-container-updates at lists.suse.com Tue Jan 27 08:05:32 2026 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Tue, 27 Jan 2026 09:05:32 +0100 (CET) Subject: SUSE-CU-2026:371-1: Security update of private-registry/harbor-exporter Message-ID: <20260127080532.383CCFF0D@maintenance.suse.de> SUSE Container Update Advisory: private-registry/harbor-exporter ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2026:371-1 Container Tags : private-registry/harbor-exporter:1.1.0 , private-registry/harbor-exporter:1.1.0-1.10 , private-registry/harbor-exporter:latest Container Release : 1.10 Severity : moderate Type : security References : 1256341 CVE-2025-13151 ----------------------------------------------------------------- The container 
private-registry/harbor-exporter was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2026:224-1 Released: Thu Jan 22 13:18:20 2026 Summary: Security update for libtasn1 Type: security Severity: moderate References: 1256341,CVE-2025-13151 This update for libtasn1 fixes the following issues: - CVE-2025-13151: stack-based buffer overflow in `asn1_expend_octet_string` (bsc#1256341). The following package changes have been done: - harbor-exporter-2.14.2-150700.1.3 updated - libtasn1-6-4.13-150000.4.14.1 updated - libtasn1-4.13-150000.4.14.1 updated - system-user-harbor-2.14.2-150700.1.3 updated From sle-container-updates at lists.suse.com Tue Jan 27 08:06:03 2026 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Tue, 27 Jan 2026 09:06:03 +0100 (CET) Subject: SUSE-CU-2026:372-1: Security update of private-registry/harbor-jobservice Message-ID: <20260127080603.EE915FF0D@maintenance.suse.de> SUSE Container Update Advisory: private-registry/harbor-jobservice ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2026:372-1 Container Tags : private-registry/harbor-jobservice:1.1.0 , private-registry/harbor-jobservice:1.1.0-1.10 , private-registry/harbor-jobservice:latest Container Release : 1.10 Severity : moderate Type : security References : 1256341 CVE-2025-13151 ----------------------------------------------------------------- The container private-registry/harbor-jobservice was updated. 
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2026:224-1 Released: Thu Jan 22 13:18:20 2026 Summary: Security update for libtasn1 Type: security Severity: moderate References: 1256341,CVE-2025-13151 This update for libtasn1 fixes the following issues: - CVE-2025-13151: stack-based buffer overflow in `asn1_expend_octet_string` (bsc#1256341). The following package changes have been done: - libtasn1-6-4.13-150000.4.14.1 updated - libtasn1-4.13-150000.4.14.1 updated - system-user-harbor-2.14.2-150700.1.3 updated - harbor-jobservice-2.14.2-150700.1.3 updated From sle-container-updates at lists.suse.com Tue Jan 27 08:06:36 2026 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Tue, 27 Jan 2026 09:06:36 +0100 (CET) Subject: SUSE-CU-2026:373-1: Security update of private-registry/harbor-portal Message-ID: <20260127080636.35865FF0D@maintenance.suse.de> SUSE Container Update Advisory: private-registry/harbor-portal ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2026:373-1 Container Tags : private-registry/harbor-portal:1.1.0 , private-registry/harbor-portal:1.1.0-1.11 , private-registry/harbor-portal:latest Container Release : 1.11 Severity : moderate Type : security References : 1252895 1256525 1256526 CVE-2026-22695 CVE-2026-22801 ----------------------------------------------------------------- The container private-registry/harbor-portal was updated. 
The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:234-1
Released: Thu Jan 22 13:24:43 2026
Summary: Security update for libpng16
Type: security
Severity: moderate
References: 1256525,1256526,CVE-2026-22695,CVE-2026-22801

This update for libpng16 fixes the following issues:

- CVE-2026-22695: Fixed heap buffer over-read in png_image_finish_read (bsc#1256525)
- CVE-2026-22801: Fixed integer truncation causing heap buffer over-read in png_image_write_* (bsc#1256526).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2026:249-1
Released: Thu Jan 22 16:23:36 2026
Summary: Recommended update for libwebp
Type: recommended
Severity: moderate
References: 1252895

This update for libwebp ships the commandline tools to Package Hub.

The following package changes have been done:

- libwebp7-1.0.3-150200.3.14.1 updated
- libpng16-16-1.6.40-150600.3.6.1 updated
- system-user-harbor-2.14.2-150700.1.3 updated
- harbor-portal-2.14.2-150700.1.3 updated

From sle-container-updates at lists.suse.com Tue Jan 27 08:06:38 2026
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Tue, 27 Jan 2026 09:06:38 +0100 (CET)
Subject: SUSE-CU-2026:374-1: Security update of private-registry/harbor-registry
Message-ID: <20260127080638.D0AA6FF0D@maintenance.suse.de>

SUSE Container Update Advisory: private-registry/harbor-registry
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2026:374-1
Container Tags : private-registry/harbor-registry:1.1.0 , private-registry/harbor-registry:1.1.0-1.10 , private-registry/harbor-registry:latest
Container Release : 1.10
Severity : moderate
Type : security
References : 1254666 1256341 CVE-2025-13151 CVE-2025-14104
-----------------------------------------------------------------

The container private-registry/harbor-registry was updated.
The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:224-1
Released: Thu Jan 22 13:18:20 2026
Summary: Security update for libtasn1
Type: security
Severity: moderate
References: 1256341,CVE-2025-13151

This update for libtasn1 fixes the following issues:

- CVE-2025-13151: stack-based buffer overflow in `asn1_expend_octet_string` (bsc#1256341).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:230-1
Released: Thu Jan 22 13:22:31 2026
Summary: Security update for util-linux
Type: security
Severity: moderate
References: 1254666,CVE-2025-14104

This update for util-linux fixes the following issues:

- CVE-2025-14104: Fixed heap buffer overread in setpwnam() when processing 256-byte usernames (bsc#1254666).
- lscpu: Add support for NVIDIA Olympus arm64 core (jsc#PED-13682).

The following package changes have been done:

- libsmartcols1-2.40.4-150700.4.3.1 updated
- libuuid1-2.40.4-150700.4.3.1 updated
- libblkid1-2.40.4-150700.4.3.1 updated
- libmount1-2.40.4-150700.4.3.1 updated
- libfdisk1-2.40.4-150700.4.3.1 updated
- libtasn1-6-4.13-150000.4.14.1 updated
- libtasn1-4.13-150000.4.14.1 updated
- system-user-harbor-2.14.2-150700.1.3 updated
- util-linux-2.40.4-150700.4.3.1 updated
- harbor-distribution-registry-2.8.3-150700.1.2 updated

From sle-container-updates at lists.suse.com Tue Jan 27 08:07:10 2026
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Tue, 27 Jan 2026 09:07:10 +0100 (CET)
Subject: SUSE-CU-2026:375-1: Security update of private-registry/harbor-registryctl
Message-ID: <20260127080710.9E46FFF0D@maintenance.suse.de>

SUSE Container Update Advisory: private-registry/harbor-registryctl
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2026:375-1
Container Tags : private-registry/harbor-registryctl:1.1.0 , private-registry/harbor-registryctl:1.1.0-1.10 , private-registry/harbor-registryctl:latest
Container Release : 1.10
Severity : moderate
Type : security
References : 1254666 1256341 CVE-2025-13151 CVE-2025-14104
-----------------------------------------------------------------

The container private-registry/harbor-registryctl was updated.

The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:224-1
Released: Thu Jan 22 13:18:20 2026
Summary: Security update for libtasn1
Type: security
Severity: moderate
References: 1256341,CVE-2025-13151

This update for libtasn1 fixes the following issues:

- CVE-2025-13151: stack-based buffer overflow in `asn1_expend_octet_string` (bsc#1256341).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:230-1
Released: Thu Jan 22 13:22:31 2026
Summary: Security update for util-linux
Type: security
Severity: moderate
References: 1254666,CVE-2025-14104

This update for util-linux fixes the following issues:

- CVE-2025-14104: Fixed heap buffer overread in setpwnam() when processing 256-byte usernames (bsc#1254666).
- lscpu: Add support for NVIDIA Olympus arm64 core (jsc#PED-13682).
The following package changes have been done:

- libsmartcols1-2.40.4-150700.4.3.1 updated
- libuuid1-2.40.4-150700.4.3.1 updated
- libblkid1-2.40.4-150700.4.3.1 updated
- libmount1-2.40.4-150700.4.3.1 updated
- libfdisk1-2.40.4-150700.4.3.1 updated
- libtasn1-6-4.13-150000.4.14.1 updated
- libtasn1-4.13-150000.4.14.1 updated
- system-user-harbor-2.14.2-150700.1.3 updated
- util-linux-2.40.4-150700.4.3.1 updated
- harbor-distribution-registry-2.8.3-150700.1.2 updated
- harbor-registryctl-2.14.2-150700.1.3 updated

From sle-container-updates at lists.suse.com Tue Jan 27 08:07:43 2026
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Tue, 27 Jan 2026 09:07:43 +0100 (CET)
Subject: SUSE-CU-2026:376-1: Security update of private-registry/harbor-trivy-adapter
Message-ID: <20260127080743.698FBFF0D@maintenance.suse.de>

SUSE Container Update Advisory: private-registry/harbor-trivy-adapter
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2026:376-1
Container Tags : private-registry/harbor-trivy-adapter:1.1.0 , private-registry/harbor-trivy-adapter:1.1.0-1.13 , private-registry/harbor-trivy-adapter:latest
Container Release : 1.13
Severity : moderate
Type : security
References : 1251224 1256105 1256341 CVE-2025-13151 CVE-2025-14017
-----------------------------------------------------------------

The container private-registry/harbor-trivy-adapter was updated.

The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:221-1
Released: Thu Jan 22 13:15:35 2026
Summary: Security update for curl
Type: security
Severity: moderate
References: 1256105,CVE-2025-14017

This update for curl fixes the following issues:

- CVE-2025-14017: Fixed broken TLS options for threaded LDAPS (bsc#1256105).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:224-1
Released: Thu Jan 22 13:18:20 2026
Summary: Security update for libtasn1
Type: security
Severity: moderate
References: 1256341,CVE-2025-13151

This update for libtasn1 fixes the following issues:

- CVE-2025-13151: stack-based buffer overflow in `asn1_expend_octet_string` (bsc#1256341).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2026:242-1
Released: Thu Jan 22 14:57:13 2026
Summary: Recommended update for git
Type: recommended
Severity: moderate
References: 1251224

This update for git fixes the following issue:

- Revert incorrect AppArmor profile change, in SLE 15 the binaries remain in /usr/lib/git (bsc#1251224)

The following package changes have been done:

- libtasn1-6-4.13-150000.4.14.1 updated
- libtasn1-4.13-150000.4.14.1 updated
- libcurl4-8.14.1-150700.7.11.1 updated
- git-core-2.51.0-150600.3.15.1 updated
- harbor-scanner-trivy-0.34.2-150700.1.3 updated
- system-user-harbor-2.14.2-150700.1.3 updated

From sle-container-updates at lists.suse.com Tue Jan 27 08:08:10 2026
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Tue, 27 Jan 2026 09:08:10 +0100 (CET)
Subject: SUSE-IU-2026:500-1: Security update of suse/sl-micro/6.2/baremetal-os-container
Message-ID: <20260127080810.2443AFF0D@maintenance.suse.de>

SUSE Image Update Advisory: suse/sl-micro/6.2/baremetal-os-container
-----------------------------------------------------------------
Image Advisory ID : SUSE-IU-2026:500-1
Image Tags : suse/sl-micro/6.2/baremetal-os-container:2.3.0 , suse/sl-micro/6.2/baremetal-os-container:2.3.0-7.26 , suse/sl-micro/6.2/baremetal-os-container:latest
Image Release : 7.26
Severity : important
Type : security
References : 1254362 1256498 1256499 1256500 CVE-2025-68276 CVE-2025-68468 CVE-2025-68471
-----------------------------------------------------------------

The container suse/sl-micro/6.2/baremetal-os-container was updated.

The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: 192
Released: Mon Jan 26 10:22:47 2026
Summary: Recommended update for runc
Type: recommended
Severity: important
References: 1254362

This update for runc fixes the following issues:

Changes in runc:

- Update to runc v1.3.4. Upstream changelog is available from . bsc#1254362

-----------------------------------------------------------------
Advisory ID: 193
Released: Mon Jan 26 11:20:39 2026
Summary: Security update for avahi
Type: security
Severity: moderate
References: 1256498,1256499,1256500,CVE-2025-68276,CVE-2025-68468,CVE-2025-68471

This update for avahi fixes the following issues:

- CVE-2025-68276: Fixed refuse to create wide-area record browsers when wide-area is off (bsc#1256498)
- CVE-2025-68471: Fixed DoS bug by changing assert to return (bsc#1256500)
- CVE-2025-68468: Fixed DoS bug by removing incorrect assertion (bsc#1256499)

The following package changes have been done:

- libavahi-common3-0.8-160000.4.1 updated
- runc-1.3.4-160000.1.1 updated
- libavahi-core7-0.8-160000.4.1 updated
- libavahi-client3-0.8-160000.4.1 updated
- avahi-0.8-160000.4.1 updated

From sle-container-updates at lists.suse.com Tue Jan 27 08:17:13 2026
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Tue, 27 Jan 2026 09:17:13 +0100 (CET)
Subject: SUSE-CU-2026:379-1: Security update of suse/kiosk/pulseaudio
Message-ID: <20260127081713.CE64CFF0C@maintenance.suse.de>

SUSE Container Update Advisory: suse/kiosk/pulseaudio
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2026:379-1
Container Tags : suse/kiosk/pulseaudio:17 , suse/kiosk/pulseaudio:17.0 , suse/kiosk/pulseaudio:17.0-68.8 , suse/kiosk/pulseaudio:latest
Container Release : 68.8
Severity : moderate
Type : security
References : 1254666 1256459 1256525 1256526 1257049 CVE-2025-14104 CVE-2026-0988 CVE-2026-22693 CVE-2026-22695 CVE-2026-22801
-----------------------------------------------------------------

The container suse/kiosk/pulseaudio was updated.

The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:230-1
Released: Thu Jan 22 13:22:31 2026
Summary: Security update for util-linux
Type: security
Severity: moderate
References: 1254666,CVE-2025-14104

This update for util-linux fixes the following issues:

- CVE-2025-14104: Fixed heap buffer overread in setpwnam() when processing 256-byte usernames (bsc#1254666).
- lscpu: Add support for NVIDIA Olympus arm64 core (jsc#PED-13682).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:234-1
Released: Thu Jan 22 13:24:43 2026
Summary: Security update for libpng16
Type: security
Severity: moderate
References: 1256525,1256526,CVE-2026-22695,CVE-2026-22801

This update for libpng16 fixes the following issues:

- CVE-2026-22695: Fixed heap buffer over-read in png_image_finish_read (bsc#1256525)
- CVE-2026-22801: Fixed integer truncation causing heap buffer over-read in png_image_write_* (bsc#1256526).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:286-1
Released: Sat Jan 24 00:35:35 2026
Summary: Security update for glib2
Type: security
Severity: low
References: 1257049,CVE-2026-0988

This update for glib2 fixes the following issues:

- CVE-2026-0988: Fixed a potential integer overflow in g_buffered_input_stream_peek (bsc#1257049).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:287-1
Released: Sat Jan 24 00:35:49 2026
Summary: Security update for harfbuzz
Type: security
Severity: moderate
References: 1256459,CVE-2026-22693

This update for harfbuzz fixes the following issues:

- CVE-2026-22693: Fixed a NULL pointer dereference in SubtableUnicodesCache::create (bsc#1256459).

The following package changes have been done:

- libglib-2_0-0-2.78.6-150600.4.28.1 updated
- libsmartcols1-2.40.4-150700.4.3.1 updated
- libuuid1-2.40.4-150700.4.3.1 updated
- libblkid1-2.40.4-150700.4.3.1 updated
- libgobject-2_0-0-2.78.6-150600.4.28.1 updated
- libgmodule-2_0-0-2.78.6-150600.4.28.1 updated
- libpng16-16-1.6.40-150600.3.6.1 updated
- libmount1-2.40.4-150700.4.3.1 updated
- libfdisk1-2.40.4-150700.4.3.1 updated
- libharfbuzz0-8.3.0-150600.3.3.1 updated
- libgio-2_0-0-2.78.6-150600.4.28.1 updated
- glib2-tools-2.78.6-150600.4.28.1 updated
- util-linux-2.40.4-150700.4.3.1 updated
- container:suse-sle15-15.7-7970b1398395a13b38e858c60a7b75db5f5265dd7c0ecdabe8919a458b2f34e5-0 updated

From sle-container-updates at lists.suse.com Tue Jan 27 08:17:43 2026
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Tue, 27 Jan 2026 09:17:43 +0100 (CET)
Subject: SUSE-CU-2026:380-1: Security update of bci/spack
Message-ID: <20260127081743.E9ECAFF0C@maintenance.suse.de>

SUSE Container Update Advisory: bci/spack
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2026:380-1
Container Tags : bci/spack:0.23 , bci/spack:0.23.1 , bci/spack:0.23.1-21.9 , bci/spack:latest
Container Release : 21.9
Severity : moderate
Type : security
References : 1251224 1256105 1257049 CVE-2025-14017 CVE-2026-0988
-----------------------------------------------------------------

The container bci/spack was updated.
The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:221-1
Released: Thu Jan 22 13:15:35 2026
Summary: Security update for curl
Type: security
Severity: moderate
References: 1256105,CVE-2025-14017

This update for curl fixes the following issues:

- CVE-2025-14017: Fixed broken TLS options for threaded LDAPS (bsc#1256105).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2026:242-1
Released: Thu Jan 22 14:57:13 2026
Summary: Recommended update for git
Type: recommended
Severity: moderate
References: 1251224

This update for git fixes the following issue:

- Revert incorrect AppArmor profile change, in SLE 15 the binaries remain in /usr/lib/git (bsc#1251224)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:286-1
Released: Sat Jan 24 00:35:35 2026
Summary: Security update for glib2
Type: security
Severity: low
References: 1257049,CVE-2026-0988

This update for glib2 fixes the following issues:

- CVE-2026-0988: Fixed a potential integer overflow in g_buffered_input_stream_peek (bsc#1257049).
The following package changes have been done:

- libgmodule-2_0-0-2.78.6-150600.4.28.1 updated
- libgobject-2_0-0-2.78.6-150600.4.28.1 updated
- git-core-2.51.0-150600.3.15.1 updated
- perl-Git-2.51.0-150600.3.15.1 updated
- git-2.51.0-150600.3.15.1 updated
- libgio-2_0-0-2.78.6-150600.4.28.1 updated
- glib2-tools-2.78.6-150600.4.28.1 updated
- libcurl-devel-8.14.1-150700.7.11.1 updated

From sle-container-updates at lists.suse.com Tue Jan 27 08:18:04 2026
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Tue, 27 Jan 2026 09:18:04 +0100 (CET)
Subject: SUSE-CU-2026:381-1: Security update of suse/kiosk/xorg
Message-ID: <20260127081804.85BACFF0C@maintenance.suse.de>

SUSE Container Update Advisory: suse/kiosk/xorg
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2026:381-1
Container Tags : suse/kiosk/xorg:21 , suse/kiosk/xorg:21.1 , suse/kiosk/xorg:21.1-73.8 , suse/kiosk/xorg:latest , suse/kiosk/xorg:notaskbar
Container Release : 73.8
Severity : moderate
Type : security
References : 1254666 1256525 1256526 1257049 CVE-2025-14104 CVE-2026-0988 CVE-2026-22695 CVE-2026-22801
-----------------------------------------------------------------

The container suse/kiosk/xorg was updated.

The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:230-1
Released: Thu Jan 22 13:22:31 2026
Summary: Security update for util-linux
Type: security
Severity: moderate
References: 1254666,CVE-2025-14104

This update for util-linux fixes the following issues:

- CVE-2025-14104: Fixed heap buffer overread in setpwnam() when processing 256-byte usernames (bsc#1254666).
- lscpu: Add support for NVIDIA Olympus arm64 core (jsc#PED-13682).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:234-1
Released: Thu Jan 22 13:24:43 2026
Summary: Security update for libpng16
Type: security
Severity: moderate
References: 1256525,1256526,CVE-2026-22695,CVE-2026-22801

This update for libpng16 fixes the following issues:

- CVE-2026-22695: Fixed heap buffer over-read in png_image_finish_read (bsc#1256525)
- CVE-2026-22801: Fixed integer truncation causing heap buffer over-read in png_image_write_* (bsc#1256526).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:286-1
Released: Sat Jan 24 00:35:35 2026
Summary: Security update for glib2
Type: security
Severity: low
References: 1257049,CVE-2026-0988

This update for glib2 fixes the following issues:

- CVE-2026-0988: Fixed a potential integer overflow in g_buffered_input_stream_peek (bsc#1257049).

The following package changes have been done:

- libglib-2_0-0-2.78.6-150600.4.28.1 updated
- libsmartcols1-2.40.4-150700.4.3.1 updated
- libuuid1-2.40.4-150700.4.3.1 updated
- libblkid1-2.40.4-150700.4.3.1 updated
- libgobject-2_0-0-2.78.6-150600.4.28.1 updated
- libgmodule-2_0-0-2.78.6-150600.4.28.1 updated
- libpng16-16-1.6.40-150600.3.6.1 updated
- libmount1-2.40.4-150700.4.3.1 updated
- libfdisk1-2.40.4-150700.4.3.1 updated
- libgio-2_0-0-2.78.6-150600.4.28.1 updated
- glib2-tools-2.78.6-150600.4.28.1 updated
- util-linux-2.40.4-150700.4.3.1 updated
- container:suse-sle15-15.7-7970b1398395a13b38e858c60a7b75db5f5265dd7c0ecdabe8919a458b2f34e5-0 updated

From sle-container-updates at lists.suse.com Wed Jan 28 08:17:00 2026
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Wed, 28 Jan 2026 09:17:00 +0100 (CET)
Subject: SUSE-CU-2026:399-1: Security update of suse/cosign
Message-ID: <20260128081700.5E20DFF0C@maintenance.suse.de>

SUSE Container Update Advisory: suse/cosign
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2026:399-1
Container Tags : suse/cosign:2 , suse/cosign:2.5 , suse/cosign:2.5.3 , suse/cosign:2.5.3-19.6 , suse/cosign:latest
Container Release : 19.6
Severity : important
Type : security
References : 1255715 1256243 1256244 1256246 1256390 CVE-2025-68973
-----------------------------------------------------------------

The container suse/cosign was updated.

The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:215-1
Released: Thu Jan 22 13:10:16 2026
Summary: Security update for gpg2
Type: security
Severity: important
References: 1255715,1256243,1256244,1256246,1256390,CVE-2025-68973

This update for gpg2 fixes the following issues:

- CVE-2025-68973: Fix possible memory corruption in the armor parser (gpg.fail/memcpy)(bsc#1255715).
- Avoid potential downgrade to SHA1 in 3rd party key signatures (gpg.fail/sha1) (bsc#1256246).
- Error out on unverified output for non-detached signatures (gpg.fail/detached) (bsc#1256244).
- Fix a memory leak in gpg2 agent (bsc#1256243).
- Fix Cleartext Signature Forgery in the NotDashEscaped header implementation in GnuPG (gpg.fail/notdash) (bsc#1256390).
The following package changes have been done:

- patterns-base-fips-20200124-150700.36.1 added
- gpg2-2.4.4-150600.3.12.1 updated
- container:suse-sle15-15.7-7970b1398395a13b38e858c60a7b75db5f5265dd7c0ecdabe8919a458b2f34e5-0 updated
- container:registry.suse.com-bci-bci-micro-15.7-55883c76f750bdb0fa8cf3fe2e43f19f9babc501efce9801e94a9c0c8d115a20-0 updated

From sle-container-updates at lists.suse.com Wed Jan 28 08:17:13 2026
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Wed, 28 Jan 2026 09:17:13 +0100 (CET)
Subject: SUSE-CU-2026:400-1: Security update of suse/registry
Message-ID: <20260128081713.064B7FF0C@maintenance.suse.de>

SUSE Container Update Advisory: suse/registry
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2026:400-1
Container Tags : suse/registry:2.8 , suse/registry:2.8 , suse/registry:2.8-21.6 , suse/registry:latest
Container Release : 21.6
Severity : moderate
Type : security
References : 1254666 1256341 CVE-2025-13151 CVE-2025-14104
-----------------------------------------------------------------

The container suse/registry was updated.

The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:224-1
Released: Thu Jan 22 13:18:20 2026
Summary: Security update for libtasn1
Type: security
Severity: moderate
References: 1256341,CVE-2025-13151

This update for libtasn1 fixes the following issues:

- CVE-2025-13151: stack-based buffer overflow in `asn1_expend_octet_string` (bsc#1256341).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:230-1
Released: Thu Jan 22 13:22:31 2026
Summary: Security update for util-linux
Type: security
Severity: moderate
References: 1254666,CVE-2025-14104

This update for util-linux fixes the following issues:

- CVE-2025-14104: Fixed heap buffer overread in setpwnam() when processing 256-byte usernames (bsc#1254666).
- lscpu: Add support for NVIDIA Olympus arm64 core (jsc#PED-13682).

The following package changes have been done:

- patterns-base-fips-20200124-150700.36.1 added
- libsmartcols1-2.40.4-150700.4.3.1 updated
- libuuid1-2.40.4-150700.4.3.1 updated
- libblkid1-2.40.4-150700.4.3.1 updated
- libmount1-2.40.4-150700.4.3.1 updated
- libfdisk1-2.40.4-150700.4.3.1 updated
- libtasn1-6-4.13-150000.4.14.1 updated
- libtasn1-4.13-150000.4.14.1 updated
- libopenssl-3-fips-provider-3.2.3-150700.5.21.1 added
- util-linux-2.40.4-150700.4.3.1 updated
- container:suse-sle15-15.7-7970b1398395a13b38e858c60a7b75db5f5265dd7c0ecdabe8919a458b2f34e5-0 updated
- container:registry.suse.com-bci-bci-micro-15.7-55883c76f750bdb0fa8cf3fe2e43f19f9babc501efce9801e94a9c0c8d115a20-0 updated

From sle-container-updates at lists.suse.com Wed Jan 28 08:17:34 2026
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Wed, 28 Jan 2026 09:17:34 +0100 (CET)
Subject: SUSE-CU-2026:401-1: Security update of suse/git
Message-ID: <20260128081734.9EDD5FF0C@maintenance.suse.de>

SUSE Container Update Advisory: suse/git
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2026:401-1
Container Tags : suse/git:2 , suse/git:2.51 , suse/git:2.51.0 , suse/git:2.51.0-66.8 , suse/git:latest
Container Release : 66.8
Severity : moderate
Type : security
References : 1251224 1256105 CVE-2025-14017
-----------------------------------------------------------------

The container suse/git was updated.
The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:221-1
Released: Thu Jan 22 13:15:35 2026
Summary: Security update for curl
Type: security
Severity: moderate
References: 1256105,CVE-2025-14017

This update for curl fixes the following issues:

- CVE-2025-14017: Fixed broken TLS options for threaded LDAPS (bsc#1256105).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2026:242-1
Released: Thu Jan 22 14:57:13 2026
Summary: Recommended update for git
Type: recommended
Severity: moderate
References: 1251224

This update for git fixes the following issue:

- Revert incorrect AppArmor profile change, in SLE 15 the binaries remain in /usr/lib/git (bsc#1251224)

The following package changes have been done:

- patterns-base-fips-20200124-150700.36.1 added
- libopenssl-3-fips-provider-3.2.3-150700.5.21.1 added
- openssh-fips-9.6p1-150600.6.34.1 added
- libcurl4-8.14.1-150700.7.11.1 updated
- git-core-2.51.0-150600.3.15.1 updated
- container:suse-sle15-15.7-7970b1398395a13b38e858c60a7b75db5f5265dd7c0ecdabe8919a458b2f34e5-0 updated
- container:registry.suse.com-bci-bci-micro-15.7-55883c76f750bdb0fa8cf3fe2e43f19f9babc501efce9801e94a9c0c8d115a20-0 updated

From sle-container-updates at lists.suse.com Wed Jan 28 08:17:50 2026
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Wed, 28 Jan 2026 09:17:50 +0100 (CET)
Subject: SUSE-CU-2026:402-1: Security update of suse/helm
Message-ID: <20260128081750.393FCFF0C@maintenance.suse.de>

SUSE Container Update Advisory: suse/helm
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2026:402-1
Container Tags : suse/helm:3 , suse/helm:3.19 , suse/helm:3.19.1 , suse/helm:3.19.1-62.6 , suse/helm:latest
Container Release : 62.6
Severity : moderate
Type : security
References : 1256341 CVE-2025-13151
-----------------------------------------------------------------

The container suse/helm was updated.

The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:224-1
Released: Thu Jan 22 13:18:20 2026
Summary: Security update for libtasn1
Type: security
Severity: moderate
References: 1256341,CVE-2025-13151

This update for libtasn1 fixes the following issues:

- CVE-2025-13151: stack-based buffer overflow in `asn1_expend_octet_string` (bsc#1256341).

The following package changes have been done:

- patterns-base-fips-20200124-150700.36.1 added
- libtasn1-6-4.13-150000.4.14.1 updated
- libtasn1-4.13-150000.4.14.1 updated
- libopenssl-3-fips-provider-3.2.3-150700.5.21.1 added
- container:suse-sle15-15.7-7970b1398395a13b38e858c60a7b75db5f5265dd7c0ecdabe8919a458b2f34e5-0 updated
- container:registry.suse.com-bci-bci-micro-15.7-55883c76f750bdb0fa8cf3fe2e43f19f9babc501efce9801e94a9c0c8d115a20-0 updated

From sle-container-updates at lists.suse.com Wed Jan 28 08:18:03 2026
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Wed, 28 Jan 2026 09:18:03 +0100 (CET)
Subject: SUSE-CU-2026:403-1: Security update of suse/kubectl
Message-ID: <20260128081803.672CAFF0C@maintenance.suse.de>

SUSE Container Update Advisory: suse/kubectl
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2026:403-1
Container Tags : suse/kubectl:1.33 , suse/kubectl:1.33.7 , suse/kubectl:1.33.7-2.63.2 , suse/kubectl:oldstable , suse/kubectl:oldstable-2.63.2
Container Release : 63.2
Severity : important
Type : security
References : 1181419 1183043 1200441 1200528 1203054 1206467 1206469 1206471
             1208084 1209670 1215588 1215711 1217013 1219969 1219969 1220207
             1220207 1234482 1235318 1238688 1241802 1246152 1251442 1251649
             CVE-2021-21272 CVE-2022-1996 CVE-2022-1996 CVE-2022-23524
             CVE-2022-23525 CVE-2022-23526 CVE-2022-36055 CVE-2022-41723
             CVE-2023-25165 CVE-2023-25173 CVE-2024-25620 CVE-2024-25620
             CVE-2024-26147 CVE-2024-26147 CVE-2024-45337 CVE-2024-45338
             CVE-2025-22870 CVE-2025-22872 CVE-2025-47911 CVE-2025-53547
             CVE-2025-58190
-----------------------------------------------------------------

The container suse/kubectl was updated.

The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:1253-1
Released: Tue Apr 19 09:00:06 2022
Summary: Recommended update for helm
Type: recommended
Severity: moderate
References:

This update for helm delivers helm 3.8.0 to the Containers module.

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2022:3666-1
Released: Wed Oct 19 20:44:55 2022
Summary: Security update for helm
Type: security
Severity: important
References: 1200528,1203054,CVE-2022-1996,CVE-2022-36055

This update for helm fixes the following issues:

helm was updated to version 3.9.4:

* CVE-2022-36055: Fixed denial of service through string value parsing (bsc#1203054).
* Updating the certificates used for testing
* Updating index handling

helm was updated to version 3.9.3:

- CVE-2022-1996: Updated kube-openapi to fix an issue that could result in a CORS protection bypass (bsc#1200528).
* Fix missing array length check on release

helm was updated to version 3.9.2:

* Update of the circleci image

helm was updated to version 3.9.1:

* Update to support Kubernetes 1.24.2
* Improve logging and safety of statefulSetReady
* Make token caching an opt-in feature
* Bump github.com/lib/pq from 1.10.5 to 1.10.6
* Bump github.com/Masterminds/squirrel from 1.5.2 to 1.5.3

helm was updated to version 3.9.0:

* Added a --quiet flag to helm lint
* Added a --post-renderer-args flag to support arguments being passed to the post renderer
* Added more checks during the signing process
* Updated to add Kubernetes 1.24 support

helm was updated to version 3.8.2:

* Bump oras.land/oras-go from 1.1.0 to 1.1.1
* Fixing downloader plugin error handling
* Simplify testdata charts
* Simplify testdata charts
* Add tests for multi-level dependencies.
* Fix value precedence
* Bumping Kubernetes package versions
* Updating vcs to latest version
* Dont modify provided transport
* Pass http getter as pointer in tests
* Add docs block
* Add transport option and tests
* Reuse http transport
* Updating Kubernetes libs to 0.23.4 (latest)
* fix: remove deadcode
* fix: helm package tests
* fix: helm package with dependency update for charts with OCI dependencies
* Fix typo Unset the env var before func return in Unit Test
* add legal name check
* maint: fix syntax error in deploy.sh
* linting issue fixed
* only apply overwrite if version is canary
* overwrite flag added to az storage blob upload-batch
* Avoid querying for OCI tags can explicit version provided in chart dependencies
* Management of bearer tokens for tag listing
* Updating Kubernetes packages to 1.23.3
* refactor: use `os.ReadDir` for lightweight directory reading
* Add IngressClass to manifests to be (un)installed
* feat(comp): Shell completion for OCI
* Fix install memory/goroutine leak

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2022:4606-1
Released: Thu Dec 22 09:32:03 2022
Summary: Security update for helm
Type: security
Severity: moderate
References: 1181419,1206467,1206469,1206471,CVE-2021-21272,CVE-2022-1996,CVE-2022-23524,CVE-2022-23525,CVE-2022-23526

This update for helm fixes the following issues:

Update to version 3.10.3:

- CVE-2022-23524: Fixed a denial of service in the string value parsing (bsc#1206467).
- CVE-2022-23525: Fixed a denial of service with the repository index file (bsc#1206469).
- CVE-2022-23526: Fixed a denial of service in the schema file handling (bsc#1206471).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:1571-1
Released: Fri Mar 24 13:45:05 2023
Summary: Security update for helm
Type: security
Severity: moderate
References: 1208084,CVE-2023-25165

This update for helm fixes the following issues:

Update to version 3.11.1 (bsc#1208084):

- CVE-2023-25165: Fixed an information disclosure problem via getHostByName injection inside a chart to get values to a malicious DNS server.

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:1901-1
Released: Tue Apr 18 15:37:23 2023
Summary: Security update for helm
Type: security
Severity: moderate
References: 1209670

This update for helm fixes the following issues:

Update to version 3.11.2:

* chore(deps): bump github.com/rubenv/sql-migrate from 1.2.0 to 1.3.1
* the linter varcheck and deadcode are deprecated (since v1.49.0)
* fix template --output-dir issue
* build against a supported go version: go1.19 (bsc#1209670)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:2179-1
Released: Thu May 11 14:13:44 2023
Summary: Security update for helm
Type: security
Severity: important
References: 1200441

This update of helm fixes the following issues:

- rebuild the package with the go 19.9 secure release (bsc#1200441).
----------------------------------------------------------------- Advisory ID: SUSE-SU-2023:4124-1 Released: Thu Oct 19 09:32:26 2023 Summary: Security update for helm Type: security Severity: important References: 1183043,1215588,1215711,CVE-2022-41723,CVE-2023-25173 This update for helm fixes the following issues: helm was updated to version 3.13.1: * Fixing precedence issue with the import of values. * Add missing with clause to release gh action * FIX Default ServiceAccount yaml * fix(registry): unswallow error * remove useless print during prepareUpgrade * fix(registry): address anonymous pull issue * Fix missing run statement on release action * Write latest version to get.helm.sh bucket * Increased release information key name max length. helm was updated to version 3.13.0 (bsc#1215588): * Fix leaking goroutines in Install * Update Helm to use k8s 1.28.2 libraries * make the dependabot k8s.io group explicit * use dependabot's group support for k8s.io dependencies * doc:Executing helm rollback release 0 will roll back to the previous release * Use labels instead of selectorLabels for pod labels * fix(helm): fix GetPodLogs, the hooks should be sorted before get the logs of each hook * chore: HTTPGetter add default timeout * Avoid nil dereference if passing a nil resolver * Add required changes after merge * Fix #3352, add support for --ignore-not-found just like kubectl delete * Fix helm may identify achieve of the application/x-gzip as application/vnd.ms-fontobject * Restore `helm get metadata` command * Revert 'Add `helm get metadata` command' * test: replace `ensure.TempDir` with `t.TempDir` * use json api url + report curl/wget error on fail * Added error in case try to supply custom label with name of system label during install/upgrade * fix(main): fix basic auth for helm pull or push * cmd: support generating index in JSON format * repo: detect JSON and unmarshal efficiently * Tweaking new dry-run internal handling * bump kubernetes modules to v0.27.3 * 
Remove warning for template directory not found. * Added tests for created OCI annotation time format * Add created OCI annotation * Fix multiple bugs in values handling * chore: fix a typo in `manager.go` * add GetRegistryClient method * oci: add tests for plain HTTP and insecure HTTPS registries * oci: Add flag `--plain-http` to enable working with HTTP registries * docs: add an example for using the upgrade command with existing values * Replace `fmt.Fprintf` with `fmt.Fprint` in get_metadata.go * Replace `fmt.Fprintln` with `fmt.Fprintf` in get_metadata.go * update kubernetes dependencies from v0.27.0 to v0.27.1 * Add ClientOptResolver to test util file * Check that missing keys are still handled in tpl * tests: change crd golden file to match after #11870 * Adding details on the Factory interface * update autoscaling/v2beta1 to autoscaling/v2 in skeleton chart * feat(helm): add ability for --dry-run to do lookup functions When a helm command is run with the --dry-run flag, it will try to connect to the cluster to be able to render lookup functions. Closes #8137 * bugfix:(#11391) helm lint infinite loop when malformed template object * pkg/engine: fix nil-dereference * pkg/chartutil: fix nil-dereference * pkg/action: fix nil-dereference * full source path when output-dir is not provided * added Contributing.md section and ref link in the README * feat(helm): add ability for --dry-run to do lookup functions When a helm command is run with the --dry-run flag, it will try to connect to the cluster if the value is 'server' to be able to render lookup functions. 
Closes #8137 * feat(helm): add ability for --dry-run to do lookup functions * Add `CHART`, `VERSION` and `APP_VERSION` fields to `get all` command output * Adjust `get` command description to account metadata * add volumes and volumeMounts in chartutil * Seed a default switch to control `automountServiceAccountToken` * Avoid confusing error when passing in '--version X.Y.Z' * Add `helm get metadata` command * Use wrapped error so that ErrNoObjectsVisited can be compared after return. * Add exact version test. * strict file permissions of repository.yaml * Check redefinition of define and include in tpl * Check that `.Template` is passed through `tpl` * Make sure empty `tpl` values render empty. * Pick the test improvement out of PR#8371 * #11369 Use the correct index repo cache directory in the `parallelRepoUpdate` method as well * #11369 Add a test case to prove the bug and its resolution * ref(helm): export DescriptorPullSummary fields * feat(helm): add 'ClientOptResolver' ClientOption * Fix flaky TestSQLCreate test by making sqlmock ignore order of sql requests * Fixing tests after adding labels to release fixture * Make default release fixture contain custom labels to make tests check that labels are not lost * Added support for storing custom labels in SQL storage driver * Adding support merging new custom labels with original release labels during upgrade * Added note to install/upgrade commands that original release labels wouldn't be persisted in upgraded release * Added unit tests for implemented install/upgrade labels logic * Remove redudant types from util_test.go * Added tests for newly introduced util.go functions * Fix broken tests for SQL storage driver * Fix broken tests for configmap and secret storage drivers * Make superseded releases keep labels * Support configmap storage driver for install/upgrade actions --labels argument * Added upgrade --install labels argument support * Add labels support for install action with secret storage backend * 
test: added tests to load plugin from home dir with space * fix: plugin does not load when helm base dir contains space * Add priority class to kind sorter * Fixes #10566 * test(search): add mixedCase test case * fix(search): print repo search result in original case * Adjust error message wrongly claiming that there is a resource conflict * Throw an error from jobReady() if the job exceeds its BackoffLimit * github: add Asset Transparency action for GitHub releases Update to version 3.12.3: * bump kubernetes modules to v0.27.3 * Add priority class to kind sorter Update to version 3.12.2: * add GetRegistryClient method Update to version 3.12.1: * bugfix:(#11391) helm lint infinite loop when malformed template object * update autoscaling/v2beta1 to autoscaling/v2 in skeleton chart * test(search): add mixedCase test case * fix(search): print repo search result in original case * strict file permissions of repository.yaml * update kubernetes dependencies from v0.27.0 to v0.27.1 Update to version 3.12.0: * Attach annotations to OCI artifacts * Fix goroutine leak in action install * fix quiet lint does not fail on non-linting errors * create failing test for quietly linting a chart that doesn't exist * Fixes Readiness Check for statefulsets using partitioned rolling update. (#11774) * fix: failed testcase on windows * Fix 32bit-x86 typo in testsuite * Handle failed DNS case for Go 1.20+ * Updating the Go version in go.mod * Fix goroutine leak in perform * Properly invalidate client after CRD install * Provide a helper to set the registryClient in cmd * Reimplemented change in httpgetter for insecure TLS option * Added insecure option to login subcommand * Added support for insecure OCI registries * Enable custom certificates option for OCI * Add testing to default and release branches * Remove job dependency. 
Should have done when I moved job to new file * Remove check to run only in helm org * Add why comments * Convert remaining CircleCI config to GitHub Actions * Changed how the setup-go action sets go version * chore:Use http constants as http.request parameters * update k8s registry domain * don't mark issues as stale where a PR is in progress * Update to func handling * Add option to support cascade deletion options * the linter varcheck and deadcode are deprecated (since v1.49.0) * Check status code before retrying request * Fix improper use of Table request/response to k8s API * fix template --output-dir issue * Add protection for stack-overflows for nested keys * feature(helm): add --set-literal flag for literal string interpretation Update to version 3.11.3: * Fix goroutine leak in perform * Fix goroutine leak in action install * Fix 32bit-x86 typo in testsuite * Fixes Readiness Check for statefulsets using partitioned rolling update. (#11774) - avoid CGO to workaround missing gold dependency (bsc#1183043) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2023:4509-1 Released: Tue Nov 21 13:36:00 2023 Summary: Recommended update for helm Type: recommended Severity: important References: 1217013 This update for helm fixes the following issues: - Update to version 3.13.2 (bsc#1217013) - Fixes a regression when helm can't be pulled anonymously from registries. (bsc#1217013) - Allow using label selectors for system labels for sql backend. - Allow using label selectors for system labels for secrets and configmap backends. ----------------------------------------------------------------- Advisory ID: SUSE-SU-2024:1137-1 Released: Mon Apr 8 11:30:49 2024 Summary: Security update for helm Type: security Severity: moderate References: 1219969,1220207,CVE-2024-25620,CVE-2024-26147 This update for helm fixes the following issues: - CVE-2024-25620: Fixed with dependency management path traversal (bsc#1219969). 
- CVE-2024-26147: Fixed uninitialized variable in yaml parsing (bsc#1220207).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:4213-1
Released: Thu Dec 5 17:05:37 2024
Summary: Recommended update for helm
Type: recommended
Severity: moderate
References: 1219969,1220207,CVE-2024-25620,CVE-2024-26147

helm was updated to fix the following issues:

Update to version 3.16.3:

* fix: fix label name
* Fix typo in pkg/lint/rules/chartfile_test.go
* Increasing the size of the runner used for releases.
* fix(hooks): correct hooks delete order
* Bump github.com/containerd/containerd from 1.7.12 to 1.7.23

Update to version 3.16.2:

* Revering change unrelated to issue #13176
* adds tests for handling of Helm index with broken chart versions #13176
* improves handling of Helm index with broken helm chart versions #13176
* Bump the k8s-io group with 7 updates
* adding check-latest:true
* Grammar fixes
* Fix typos

Update to version 3.16.1:

* bumping version to 1.22.7
* Merge pull request #13327 from mattfarina/revert-11726

Update to version 3.16.0:

Helm v3.16.0 is a feature release. Users are encouraged to upgrade for the best experience.
* Notable Changes
  - added sha512sum template function
  - added ActiveHelp for cmds that don't take any more args
  - drops very old Kubernetes versions support in helm create
  - add --skip-schema-validation flag to helm 'install', 'upgrade' and 'lint'
  - fixed bug to now use burst limit setting for discovery
  - Added windows arm64 support
* Full changelog see https://github.com/helm/helm/releases/tag/v3.16.0

Update to version 3.15.4:

* Bump the k8s-io group across 1 directory with 7 updates
* Bump github.com/docker/docker

-------------------------------------------------------------------
Thu Jul 11 05:39:32 UTC 2024 - opensuse_buildservice at ojkastl.de

- Update to version 3.15.3:

* fix(helm): Use burst limit setting for discovery
* fixed dependency_update_test.go
* fix(dependencyBuild): prevent race condition in concurrent helm dependency
* fix: respect proxy envvars on helm install/upgrade
* Merge pull request #13085 from alex-kattathra-johnson/issue-12961

Update to version 3.15.2:

* fix: wrong cli description
* fix typo in load_plugins.go
* fix docs of DeployedAll
* Bump github.com/docker/docker
* bump oras minor version
* feat(load.go): add warning on requirements.lock

Update to version 3.15.1:

* Fixing build issue where wrong version is used

Update to version 3.15.0:

Helm v3.15.0 is a feature release. Users are encouraged to upgrade for the best experience.
* Updating to k8s 1.30 c4e37b3 (Matt Farina)
* bump version to v3.15.0 d7afa3b (Matt Farina)
* bump version to 7743467 (Matt Farina)
* Fix namespace on kubeconfig error 214fb6e (Calvin Krist)
* Update testdata PKI with keys that have validity until 3393 (Fixes #12880) 1b75d48 (Dirk Müller)
* Modified how created annotation is populated based on package creation time 0a69a0d (Andrew Block)
* Enabling hide secrets on install and upgrade dry run 25c4738 (Matt Farina)
* Fixing all the linting errors d58d7b3 (Robert Sirchia)
* Add a note about --dry-run displaying secrets a23dd9e (Matt Farina)
* Updating .gitignore 8b424ba (Robert Sirchia)
* add error messages 8d19bcb (George Jenkins)
* Fix: Ignore alias validation error for index load 68294fd (George Jenkins)
* validation fix 8e6a514 (Matt Farina)
* bug: add proxy support for oci getter 94c1dea (Ricardo Maraschini)
* Update architecture detection method 57a1bb8 (weidongkl)
* Improve release action 4790bb9 (George Jenkins)
* Fix grammatical error c25736c (Matt Carr)
* Updated for review comments d2cf8c6 (MichaelMorris)
* Add robustness to wait status checks fc74964 (MichaelMorris)
* refactor: create a helper for checking if a release is uninstalled f908379 (Alex Petrov)
* fix: reinstall previously uninstalled chart with --keep-history 9e198fa (Alex Petrov)

Update to version 3.14.4:

Helm v3.14.4 is a patch release. Users are encouraged to upgrade for the best experience.
* refactor: create a helper for checking if a release is uninstalled 81c902a (Alex Petrov) * fix: reinstall previously uninstalled chart with --keep-history 5a11c76 (Alex Petrov) * bug: add proxy support for oci getter aa7d953 (Ricardo Maraschini) Update to version 3.14.3: * Add a note about --dry-run displaying secrets * add error messages * Fix: Ignore alias validation error for index load * Update architecture detection method Update to version 3.14.2 (bsc#1220207, CVE-2024-26147): * Fix for uninitialized variable in yaml parsing Update to version 3.14.1 (bsc#1219969, CVE-2024-25620): * validation fix Update to version 3.14.0: * Notable Changes - New helm search flag of --fail-on-no-result - Allow a nested tpl invocation access to defines - Speed up the tpl function - Added qps/HELM_QPS parameter that tells Kubernetes packages how to operate - Added --kube-version to lint command - The ignore pkg is now public * Changelog - Improve release action - Fix issues when verify generation readiness was merged - fix test to use the default code's k8sVersionMinor - lint: Add --kube-version flag to set capabilities and deprecation rules - Removing Asset Transparency - tests(pkg/engine): test RenderWithClientProvider - Make the `ignore` pkg public again - feature(pkg/engine): introduce RenderWithClientProvider - Updating Helm libraries for k8s 1.28.4 - Remove excessive logging - Update CONTRIBUTING.md - Fixing release labelling in rollback - feat: move livenessProbe and readinessProbe values to default values file - Revert 'fix(main): fix basic auth for helm pull or push' - Revert 'fix(registry): address anonymous pull issue' - Update get-helm-3 - Drop filterSystemLabels usage from Query method - Apply review suggestions - Update get-helm-3 to get version through get.helm.sh - feat: print failed hook name - Fixing precedence issue with the import of values. - chore(create): indent to spaces - Allow using label selectors for system labels for sql backend. 
- Allow using label selectors for system labels for secrets and configmap backends. - remove useless print during prepareUpgrade - Add missing with clause to release gh action - FIX Default ServiceAccount yaml - fix(registry): address anonymous pull issue - fix(registry): unswallow error - Fix missing run statement on release action - Add qps/HELM_QPS parameter - Write latest version to get.helm.sh bucket - Increased release information key name max length. - Pin gox to specific commit - Remove `GoFish` from package managers for installing the binary - Test update for 'Allow a nested `tpl` invocation access to `defines` in a containing one' - Test update for 'Speed up `tpl`' - Add support for RISC-V - lint and validate dependency metadata to reference dependencies with a unique key (name or alias) - Work around template.Clone omitting options - fix: pass 'passCredentialsAll' as env-var to getter - feat: pass basic auth to env-vars when running download plugins - helm search: New CLI Flag --fail-on-no-result - Update pkg/kube/ready.go - fix post install hook deletion due to before-hook-creation policy - Allow a nested `tpl` invocation access to `defines` in a containing one - Remove the 'reference templates' concept - Speed up `tpl` - ready checker- comment update - ready checker- remove duplicate statefulset generational check - Verify generation in readiness checks - feat(helm): add --reset-then-reuse-values flag to 'helm upgrade' ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:602-1 Released: Thu Feb 20 10:15:21 2025 Summary: Security update for helm Type: security Severity: important References: 1234482,1235318,CVE-2024-45337,CVE-2024-45338 This update for helm fixes the following issues: Update to version 3.17.1: - CVE-2024-45338: Fixed denial of service due to non-linear parsing of case-insensitive content (bsc#1235318). 
- CVE-2024-45337: Fixed misuse of ServerConfig.PublicKeyCallback to prevent authorization bypass in golang.org/x/crypto (bsc#1234482).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:1007-1
Released: Tue Mar 25 09:44:39 2025
Summary: Security update for helm
Type: security
Severity: moderate
References: 1238688,CVE-2025-22870

This update for helm fixes the following issues:

- CVE-2025-22870: Fixed proxy bypass using IPv6 zone IDs (bsc#1238688).

Other fixes:

- Updated to version 3.17.2
- Updated to 0.37.0 for x/net

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:1596-1
Released: Tue May 20 09:55:02 2025
Summary: Security update for helm
Type: security
Severity: moderate
References:

This update for helm fixes the following issues:

helm was updated to version 3.17.3:

Helm v3.17.3 is a security (patch) release. Users are strongly recommended to update to this release.

* Changelog
  - Unarchiving fix e4da497 (Matt Farina)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:2121-1
Released: Thu Jun 26 10:34:05 2025
Summary: Security update for helm
Type: security
Severity: important
References: 1241802,CVE-2025-22872

This update for helm fixes the following issues:

Update to version 3.18.3:

* build(deps): bump golang.org/x/crypto from 0.38.0 to 0.39.0 6838ebc (dependabot[bot])
* fix: user username password for login 5b9e2f6 (Terry Howe)
* Update pkg/registry/transport.go 2782412 (Terry Howe)
* Update pkg/registry/transport.go e66cf6a (Terry Howe)
* fix: add debug logging to oci transport 191f05c (Terry Howe)

Update to version 3.18.2:

* fix: legacy docker support broken for login 04cad46 (Terry Howe)
* Handle an empty registry config file.
bc9f8a2 (Matt Farina) Update to version 3.18.1: * Notes: - This release fixes regressions around template generation and OCI registry interaction in 3.18.0 - There are at least 2 known regressions unaddressed in this release. They are being worked on. - Empty registry configuration files. When the file exists but it is empty. - Login to Docker Hub on some domains fails. * Changelog - fix(client): skipnode utilization for PreCopy - fix(client): layers now returns manifest - remove duplicate from descriptors - fix(client): return nil on non-allowed media types - Prevent fetching newReference again as we have in calling method - Prevent failure when resolving version tags in oras memory store - Update pkg/plugin/plugin.go - Update pkg/plugin/plugin.go - Wait for Helm v4 before raising when platformCommand and Command are set - Fix 3.18.0 regression: registry login with scheme - Revert 'fix (helm) : toToml` renders int as float [ backport to v3 ]' Update to version 3.18.0 (bsc#1241802, CVE-2025-22872): * Notable Changes - Add support for JSON Schema 2020 - Enabled cpu and memory profiling - Add hook annotation to output hook logs to client on error * Changelog - build(deps): bump the k8s-io group with 7 updates - fix: govulncheck workflow - bump version to v3.18.0 - fix:add proxy support when mTLS configured - docs: Note about http fallback for OCI registries - Bump net package to avoid CVE on dev-v3 - Bump toml - backport #30677to dev3 - build(deps): bump github.com/rubenv/sql-migrate from 1.7.2 to 1.8.0 - Add install test for TakeOwnership flag - Fix --take-ownership - build(deps): bump github.com/rubenv/sql-migrate from 1.7.1 to 1.7.2 - build(deps): bump golang.org/x/crypto from 0.36.0 to 0.37.0 - build(deps): bump golang.org/x/term from 0.30.0 to 0.31.0 - Testing text bump - Permit more Go version and not only 1.23.8 - Bumps github.com/distribution/distribution/v3 from 3.0.0-rc.3 to 3.0.0 - Unarchiving fix - Fix typo - Report as debug log, the time spent waiting 
for resources - build(deps): bump github.com/containerd/containerd from 1.7.26 to 1.7.27 - Update pkg/registry/fallback.go - automatic fallback to http - chore(oci): upgrade to ORAS v2 - Updating to 0.37.0 for x/net - build(deps): bump the k8s-io group with 7 updates - build(deps): bump golang.org/x/crypto from 0.35.0 to 0.36.0 - build(deps): bump github.com/opencontainers/image-spec - build(deps): bump github.com/containerd/containerd from 1.7.25 to 1.7.26 - build(deps): bump golang.org/x/crypto from 0.33.0 to 0.35.0 - Fix cherry-pick helm.sh/helm/v4 -> helm.sh/helm/v3 - Add HookOutputFunc and generic yaml unmarshaller - clarify fix error message - fix err check - add short circuit return - Add hook annotations to output pod logs to client on success and fail - chore: use []error instead of []string - Update cmd/helm/profiling.go - chore: update profiling doc in CONTRIBUTING.md - Update CONTRIBUTING guide - Prefer environment variables to CLI flags - Move pprof paths to HELM_PPROF env variable - feat: Add flags to enable CPU and memory profiling - build(deps): bump github.com/distribution/distribution/v3 - build(deps): bump github.com/spf13/cobra from 1.8.1 to 1.9.1 - Moving to SetOut and SetErr for Cobra - build(deps): bump the k8s-io group with 7 updates - build(deps): bump golang.org/x/crypto from 0.32.0 to 0.33.0 - build(deps): bump golang.org/x/term from 0.28.0 to 0.29.0 - build(deps): bump golang.org/x/text from 0.21.0 to 0.22.0 - build(deps): bump github.com/spf13/pflag from 1.0.5 to 1.0.6 - build(deps): bump github.com/cyphar/filepath-securejoin - build(deps): bump github.com/evanphx/json-patch - build(deps): bump the k8s-io group with 7 updates - fix: check group for resource info match - Bump github.com/cyphar/filepath-securejoin from 0.3.6 to 0.4.0 - add test for nullifying nested global value - Ensuring the file paths are clean prior to passing to securejoin - Bump github.com/containerd/containerd from 1.7.24 to 1.7.25 - Bump golang.org/x/crypto from 
0.31.0 to 0.32.0 - Bump golang.org/x/term from 0.27.0 to 0.28.0 - bump version to v3.17.0 - Bump github.com/moby/term from 0.5.0 to 0.5.2 - Add test case for removing an entire object - Tests for bugfix: Override subcharts with null values #12879 - feat: Added multi-platform plugin hook support to v3 - This commit fixes the issue where the yaml.Unmarshaller converts all int values into float64, this passes in option to decoder, which enables conversion of int into . - merge null child chart objects ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:4190-1 Released: Mon Nov 24 10:19:40 2025 Summary: Security update for helm Type: security Severity: important References: 1246152,1251442,1251649,CVE-2025-47911,CVE-2025-53547,CVE-2025-58190 This update for helm fixes the following issues: - Update to version 3.19.1 - CVE-2025-53547: Fixed local code execution in Helm Chart. (bsc#1246152) - CVE-2025-58190: Fixed excessive memory consumption by `html.ParseFragment` when processing specially crafted input. (bsc#1251649) - CVE-2025-47911: Fixed various algorithms with quadratic complexity when parsing HTML documents. (bsc#1251442) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:4437-1 Released: Wed Dec 17 15:44:48 2025 Summary: Security update for helm Type: security Severity: important References: This update for helm rebuilds it against current GO to fix security issues in go-stdlib. 
The following package changes have been done:

- patterns-base-fips-20200124-150700.36.1 added
- helm-3.19.1-150000.1.59.1 added
- container:suse-sle15-15.7-7970b1398395a13b38e858c60a7b75db5f5265dd7c0ecdabe8919a458b2f34e5-0 updated
- container:registry.suse.com-bci-bci-micro-15.7-55883c76f750bdb0fa8cf3fe2e43f19f9babc501efce9801e94a9c0c8d115a20-0 updated

From sle-container-updates at lists.suse.com Wed Jan 28 08:18:16 2026
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Wed, 28 Jan 2026 09:18:16 +0100 (CET)
Subject: SUSE-CU-2026:404-1: Security update of suse/kubectl
Message-ID: <20260128081816.E05C1FF0C@maintenance.suse.de>

SUSE Container Update Advisory: suse/kubectl
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2026:404-1
Container Tags : suse/kubectl:1.35 , suse/kubectl:1.35.0 , suse/kubectl:1.35.0-1.63.2 , suse/kubectl:latest , suse/kubectl:stable , suse/kubectl:stable-1.63.2
Container Release : 63.2
Severity : important
Type : security
References : 1181419 1183043 1200441 1200528 1203054 1206467 1206469 1206471 1208084 1209670 1215588 1215711 1217013 1219969 1219969 1220207 1220207 1234482 1235318 1238688 1241802 1246152 1251442 1251649 CVE-2021-21272 CVE-2022-1996 CVE-2022-1996 CVE-2022-23524 CVE-2022-23525 CVE-2022-23526 CVE-2022-36055 CVE-2022-41723 CVE-2023-25165 CVE-2023-25173 CVE-2024-25620 CVE-2024-25620 CVE-2024-26147 CVE-2024-26147 CVE-2024-45337 CVE-2024-45338 CVE-2025-22870 CVE-2025-22872 CVE-2025-47911 CVE-2025-53547 CVE-2025-58190
-----------------------------------------------------------------

The container suse/kubectl was updated.
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-RU-2022:1253-1 Released: Tue Apr 19 09:00:06 2022 Summary: Recommended update for helm Type: recommended Severity: moderate References: This update for helm delivers helm 3.8.0 to the Containers module. ----------------------------------------------------------------- Advisory ID: SUSE-SU-2022:3666-1 Released: Wed Oct 19 20:44:55 2022 Summary: Security update for helm Type: security Severity: important References: 1200528,1203054,CVE-2022-1996,CVE-2022-36055 This update for helm fixes the following issues: helm was updated to version 3.9.4: * CVE-2022-36055: Fixed denial of service through string value parsing (bsc#1203054). * Updating the certificates used for testing * Updating index handling helm was updated to version 3.9.3: - CVE-2022-1996: Updated kube-openapi to fix an issue that could result in a CORS protection bypass (bsc#1200528). * Fix missing array length check on release helm was updated to version 3.9.2: * Update of the circleci image helm was updated to version 3.9.1: * Update to support Kubernetes 1.24.2 * Improve logging and safety of statefulSetReady * Make token caching an opt-in feature * Bump github.com/lib/pq from 1.10.5 to 1.10.6 * Bump github.com/Masterminds/squirrel from 1.5.2 to 1.5.3 helm was updated to version 3.9.0: * Added a --quiet flag to helm lint * Added a --post-renderer-args flag to support arguments being passed to the post renderer * Added more checks during the signing process * Updated to add Kubernetes 1.24 support helm was updated to version 3.8.2: * Bump oras.land/oras-go from 1.1.0 to 1.1.1 * Fixing downloader plugin error handling * Simplify testdata charts * Simplify testdata charts * Add tests for multi-level dependencies. 
* Fix value precedence * Bumping Kubernetes package versions * Updating vcs to latest version * Dont modify provided transport * Pass http getter as pointer in tests * Add docs block * Add transport option and tests * Reuse http transport * Updating Kubernetes libs to 0.23.4 (latest) * fix: remove deadcode * fix: helm package tests * fix: helm package with dependency update for charts with OCI dependencies * Fix typo Unset the env var before func return in Unit Test * add legal name check * maint: fix syntax error in deploy.sh * linting issue fixed * only apply overwrite if version is canary * overwrite flag added to az storage blob upload-batch * Avoid querying for OCI tags can explicit version provided in chart dependencies * Management of bearer tokens for tag listing * Updating Kubernetes packages to 1.23.3 * refactor: use `os.ReadDir` for lightweight directory reading * Add IngressClass to manifests to be (un)installed * feat(comp): Shell completion for OCI * Fix install memory/goroutine leak ----------------------------------------------------------------- Advisory ID: SUSE-SU-2022:4606-1 Released: Thu Dec 22 09:32:03 2022 Summary: Security update for helm Type: security Severity: moderate References: 1181419,1206467,1206469,1206471,CVE-2021-21272,CVE-2022-1996,CVE-2022-23524,CVE-2022-23525,CVE-2022-23526 This update for helm fixes the following issues: Update to version 3.10.3: - CVE-2022-23524: Fixed a denial of service in the string value parsing (bsc#1206467). - CVE-2022-23525: Fixed a denial of service with the repository index file (bsc#1206469). - CVE-2022-23526: Fixed a denial of service in the schema file handling (bsc#1206471). 
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:1571-1
Released: Fri Mar 24 13:45:05 2023
Summary: Security update for helm
Type: security
Severity: moderate
References: 1208084,CVE-2023-25165

This update for helm fixes the following issues:

Update to version 3.11.1 (bsc#1208084):

- CVE-2023-25165: Fixed an information disclosure problem via getHostByName injection inside a chart to get values to a malicious DNS server.

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:1901-1
Released: Tue Apr 18 15:37:23 2023
Summary: Security update for helm
Type: security
Severity: moderate
References: 1209670

This update for helm fixes the following issues:

Update to version 3.11.2:

* chore(deps): bump github.com/rubenv/sql-migrate from 1.2.0 to 1.3.1
* the linter varcheck and deadcode are deprecated (since v1.49.0)
* fix template --output-dir issue
* build against a supported go version: go1.19 (bsc#1209670)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:2179-1
Released: Thu May 11 14:13:44 2023
Summary: Security update for helm
Type: security
Severity: important
References: 1200441

This update of helm fixes the following issues:

- rebuild the package with the go 19.9 secure release (bsc#1200441).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:4124-1
Released: Thu Oct 19 09:32:26 2023
Summary: Security update for helm
Type: security
Severity: important
References: 1183043,1215588,1215711,CVE-2022-41723,CVE-2023-25173

This update for helm fixes the following issues:

helm was updated to version 3.13.1:

* Fixing precedence issue with the import of values.
* Add missing with clause to release gh action * FIX Default ServiceAccount yaml * fix(registry): unswallow error * remove useless print during prepareUpgrade * fix(registry): address anonymous pull issue * Fix missing run statement on release action * Write latest version to get.helm.sh bucket * Increased release information key name max length. helm was updated to version 3.13.0 (bsc#1215588): * Fix leaking goroutines in Install * Update Helm to use k8s 1.28.2 libraries * make the dependabot k8s.io group explicit * use dependabot's group support for k8s.io dependencies * doc:Executing helm rollback release 0 will roll back to the previous release * Use labels instead of selectorLabels for pod labels * fix(helm): fix GetPodLogs, the hooks should be sorted before get the logs of each hook * chore: HTTPGetter add default timeout * Avoid nil dereference if passing a nil resolver * Add required changes after merge * Fix #3352, add support for --ignore-not-found just like kubectl delete * Fix helm may identify achieve of the application/x-gzip as application/vnd.ms-fontobject * Restore `helm get metadata` command * Revert 'Add `helm get metadata` command' * test: replace `ensure.TempDir` with `t.TempDir` * use json api url + report curl/wget error on fail * Added error in case try to supply custom label with name of system label during install/upgrade * fix(main): fix basic auth for helm pull or push * cmd: support generating index in JSON format * repo: detect JSON and unmarshal efficiently * Tweaking new dry-run internal handling * bump kubernetes modules to v0.27.3 * Remove warning for template directory not found. 
* Added tests for created OCI annotation time format * Add created OCI annotation * Fix multiple bugs in values handling * chore: fix a typo in `manager.go` * add GetRegistryClient method * oci: add tests for plain HTTP and insecure HTTPS registries * oci: Add flag `--plain-http` to enable working with HTTP registries * docs: add an example for using the upgrade command with existing values * Replace `fmt.Fprintf` with `fmt.Fprint` in get_metadata.go * Replace `fmt.Fprintln` with `fmt.Fprintf` in get_metadata.go * update kubernetes dependencies from v0.27.0 to v0.27.1 * Add ClientOptResolver to test util file * Check that missing keys are still handled in tpl * tests: change crd golden file to match after #11870 * Adding details on the Factory interface * update autoscaling/v2beta1 to autoscaling/v2 in skeleton chart * feat(helm): add ability for --dry-run to do lookup functions When a helm command is run with the --dry-run flag, it will try to connect to the cluster to be able to render lookup functions. Closes #8137 * bugfix:(#11391) helm lint infinite loop when malformed template object * pkg/engine: fix nil-dereference * pkg/chartutil: fix nil-dereference * pkg/action: fix nil-dereference * full source path when output-dir is not provided * added Contributing.md section and ref link in the README * feat(helm): add ability for --dry-run to do lookup functions When a helm command is run with the --dry-run flag, it will try to connect to the cluster if the value is 'server' to be able to render lookup functions. 
Closes #8137 * feat(helm): add ability for --dry-run to do lookup functions * Add `CHART`, `VERSION` and `APP_VERSION` fields to `get all` command output * Adjust `get` command description to account metadata * add volumes and volumeMounts in chartutil * Seed a default switch to control `automountServiceAccountToken` * Avoid confusing error when passing in '--version X.Y.Z' * Add `helm get metadata` command * Use wrapped error so that ErrNoObjectsVisited can be compared after return. * Add exact version test. * strict file permissions of repository.yaml * Check redefinition of define and include in tpl * Check that `.Template` is passed through `tpl` * Make sure empty `tpl` values render empty. * Pick the test improvement out of PR#8371 * #11369 Use the correct index repo cache directory in the `parallelRepoUpdate` method as well * #11369 Add a test case to prove the bug and its resolution * ref(helm): export DescriptorPullSummary fields * feat(helm): add 'ClientOptResolver' ClientOption * Fix flaky TestSQLCreate test by making sqlmock ignore order of sql requests * Fixing tests after adding labels to release fixture * Make default release fixture contain custom labels to make tests check that labels are not lost * Added support for storing custom labels in SQL storage driver * Adding support merging new custom labels with original release labels during upgrade * Added note to install/upgrade commands that original release labels wouldn't be persisted in upgraded release * Added unit tests for implemented install/upgrade labels logic * Remove redundant types from util_test.go * Added tests for newly introduced util.go functions * Fix broken tests for SQL storage driver * Fix broken tests for configmap and secret storage drivers * Make superseded releases keep labels * Support configmap storage driver for install/upgrade actions --labels argument * Added upgrade --install labels argument support * Add labels support for install action with secret storage backend * 
test: added tests to load plugin from home dir with space * fix: plugin does not load when helm base dir contains space * Add priority class to kind sorter * Fixes #10566 * test(search): add mixedCase test case * fix(search): print repo search result in original case * Adjust error message wrongly claiming that there is a resource conflict * Throw an error from jobReady() if the job exceeds its BackoffLimit * github: add Asset Transparency action for GitHub releases Update to version 3.12.3: * bump kubernetes modules to v0.27.3 * Add priority class to kind sorter Update to version 3.12.2: * add GetRegistryClient method Update to version 3.12.1: * bugfix:(#11391) helm lint infinite loop when malformed template object * update autoscaling/v2beta1 to autoscaling/v2 in skeleton chart * test(search): add mixedCase test case * fix(search): print repo search result in original case * strict file permissions of repository.yaml * update kubernetes dependencies from v0.27.0 to v0.27.1 Update to version 3.12.0: * Attach annotations to OCI artifacts * Fix goroutine leak in action install * fix quiet lint does not fail on non-linting errors * create failing test for quietly linting a chart that doesn't exist * Fixes Readiness Check for statefulsets using partitioned rolling update. (#11774) * fix: failed testcase on windows * Fix 32bit-x86 typo in testsuite * Handle failed DNS case for Go 1.20+ * Updating the Go version in go.mod * Fix goroutine leak in perform * Properly invalidate client after CRD install * Provide a helper to set the registryClient in cmd * Reimplemented change in httpgetter for insecure TLS option * Added insecure option to login subcommand * Added support for insecure OCI registries * Enable custom certificates option for OCI * Add testing to default and release branches * Remove job dependency. 
Should have done when I moved job to new file * Remove check to run only in helm org * Add why comments * Convert remaining CircleCI config to GitHub Actions * Changed how the setup-go action sets go version * chore:Use http constants as http.request parameters * update k8s registry domain * don't mark issues as stale where a PR is in progress * Update to func handling * Add option to support cascade deletion options * the linter varcheck and deadcode are deprecated (since v1.49.0) * Check status code before retrying request * Fix improper use of Table request/response to k8s API * fix template --output-dir issue * Add protection for stack-overflows for nested keys * feature(helm): add --set-literal flag for literal string interpretation Update to version 3.11.3: * Fix goroutine leak in perform * Fix goroutine leak in action install * Fix 32bit-x86 typo in testsuite * Fixes Readiness Check for statefulsets using partitioned rolling update. (#11774) - avoid CGO to workaround missing gold dependency (bsc#1183043) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2023:4509-1 Released: Tue Nov 21 13:36:00 2023 Summary: Recommended update for helm Type: recommended Severity: important References: 1217013 This update for helm fixes the following issues: - Update to version 3.13.2 (bsc#1217013) - Fixes a regression when helm can't be pulled anonymously from registries. (bsc#1217013) - Allow using label selectors for system labels for sql backend. - Allow using label selectors for system labels for secrets and configmap backends. ----------------------------------------------------------------- Advisory ID: SUSE-SU-2024:1137-1 Released: Mon Apr 8 11:30:49 2024 Summary: Security update for helm Type: security Severity: moderate References: 1219969,1220207,CVE-2024-25620,CVE-2024-26147 This update for helm fixes the following issues: - CVE-2024-25620: Fixed dependency management path traversal (bsc#1219969).
- CVE-2024-26147: Fixed uninitialized variable in yaml parsing (bsc#1220207). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2024:4213-1 Released: Thu Dec 5 17:05:37 2024 Summary: Recommended update for helm Type: recommended Severity: moderate References: 1219969,1220207,CVE-2024-25620,CVE-2024-26147 helm was updated to fix the following issues: Update to version 3.16.3: * fix: fix label name * Fix typo in pkg/lint/rules/chartfile_test.go * Increasing the size of the runner used for releases. * fix(hooks): correct hooks delete order * Bump github.com/containerd/containerd from 1.7.12 to 1.7.23 Update to version 3.16.2: * Reverting change unrelated to issue #13176 * adds tests for handling of Helm index with broken chart versions #13176 * improves handling of Helm index with broken helm chart versions #13176 * Bump the k8s-io group with 7 updates * adding check-latest:true * Grammar fixes * Fix typos Update to version 3.16.1: * bumping version to 1.22.7 * Merge pull request #13327 from mattfarina/revert-11726 Update to version 3.16.0: Helm v3.16.0 is a feature release. Users are encouraged to upgrade for the best experience.
* Notable Changes - added sha512sum template function - added ActiveHelp for cmds that don't take any more args - drops very old Kubernetes versions support in helm create - add --skip-schema-validation flag to helm 'install', 'upgrade' and 'lint' - fixed bug to now use burst limit setting for discovery - Added windows arm64 support * Full changelog see https://github.com/helm/helm/releases/tag/v3.16.0 Update to version 3.15.4: * Bump the k8s-io group across 1 directory with 7 updates * Bump github.com/docker/docker ------------------------------------------------------------------- Thu Jul 11 05:39:32 UTC 2024 - opensuse_buildservice at ojkastl.de - Update to version 3.15.3: * fix(helm): Use burst limit setting for discovery * fixed dependency_update_test.go * fix(dependencyBuild): prevent race condition in concurrent helm dependency * fix: respect proxy envvars on helm install/upgrade * Merge pull request #13085 from alex-kattathra-johnson/issue-12961 Update to version 3.15.2: * fix: wrong cli description * fix typo in load_plugins.go * fix docs of DeployedAll * Bump github.com/docker/docker * bump oras minor version * feat(load.go): add warning on requirements.lock Update to version 3.15.1: * Fixing build issue where wrong version is used Update to version 3.15.0: Helm v3.15.0 is a feature release. Users are encouraged to upgrade for the best experience. 
* Updating to k8s 1.30 c4e37b3 (Matt Farina) * bump version to v3.15.0 d7afa3b (Matt Farina) * bump version to 7743467 (Matt Farina) * Fix namespace on kubeconfig error 214fb6e (Calvin Krist) * Update testdata PKI with keys that have validity until 3393 (Fixes #12880) 1b75d48 (Dirk Müller) * Modified how created annotation is populated based on package creation time 0a69a0d (Andrew Block) * Enabling hide secrets on install and upgrade dry run 25c4738 (Matt Farina) * Fixing all the linting errors d58d7b3 (Robert Sirchia) * Add a note about --dry-run displaying secrets a23dd9e (Matt Farina) * Updating .gitignore 8b424ba (Robert Sirchia) * add error messages 8d19bcb (George Jenkins) * Fix: Ignore alias validation error for index load 68294fd (George Jenkins) * validation fix 8e6a514 (Matt Farina) * bug: add proxy support for oci getter 94c1dea (Ricardo Maraschini) * Update architecture detection method 57a1bb8 (weidongkl) * Improve release action 4790bb9 (George Jenkins) * Fix grammatical error c25736c (Matt Carr) * Updated for review comments d2cf8c6 (MichaelMorris) * Add robustness to wait status checks fc74964 (MichaelMorris) * refactor: create a helper for checking if a release is uninstalled f908379 (Alex Petrov) * fix: reinstall previously uninstalled chart with --keep-history 9e198fa (Alex Petrov) Update to version 3.14.4: Helm v3.14.4 is a patch release. Users are encouraged to upgrade for the best experience.
* refactor: create a helper for checking if a release is uninstalled 81c902a (Alex Petrov) * fix: reinstall previously uninstalled chart with --keep-history 5a11c76 (Alex Petrov) * bug: add proxy support for oci getter aa7d953 (Ricardo Maraschini) Update to version 3.14.3: * Add a note about --dry-run displaying secrets * add error messages * Fix: Ignore alias validation error for index load * Update architecture detection method Update to version 3.14.2 (bsc#1220207, CVE-2024-26147): * Fix for uninitialized variable in yaml parsing Update to version 3.14.1 (bsc#1219969, CVE-2024-25620): * validation fix Update to version 3.14.0: * Notable Changes - New helm search flag of --fail-on-no-result - Allow a nested tpl invocation access to defines - Speed up the tpl function - Added qps/HELM_QPS parameter that tells Kubernetes packages how to operate - Added --kube-version to lint command - The ignore pkg is now public * Changelog - Improve release action - Fix issues when verify generation readiness was merged - fix test to use the default code's k8sVersionMinor - lint: Add --kube-version flag to set capabilities and deprecation rules - Removing Asset Transparency - tests(pkg/engine): test RenderWithClientProvider - Make the `ignore` pkg public again - feature(pkg/engine): introduce RenderWithClientProvider - Updating Helm libraries for k8s 1.28.4 - Remove excessive logging - Update CONTRIBUTING.md - Fixing release labelling in rollback - feat: move livenessProbe and readinessProbe values to default values file - Revert 'fix(main): fix basic auth for helm pull or push' - Revert 'fix(registry): address anonymous pull issue' - Update get-helm-3 - Drop filterSystemLabels usage from Query method - Apply review suggestions - Update get-helm-3 to get version through get.helm.sh - feat: print failed hook name - Fixing precedence issue with the import of values. - chore(create): indent to spaces - Allow using label selectors for system labels for sql backend. 
- Allow using label selectors for system labels for secrets and configmap backends. - remove useless print during prepareUpgrade - Add missing with clause to release gh action - FIX Default ServiceAccount yaml - fix(registry): address anonymous pull issue - fix(registry): unswallow error - Fix missing run statement on release action - Add qps/HELM_QPS parameter - Write latest version to get.helm.sh bucket - Increased release information key name max length. - Pin gox to specific commit - Remove `GoFish` from package managers for installing the binary - Test update for 'Allow a nested `tpl` invocation access to `defines` in a containing one' - Test update for 'Speed up `tpl`' - Add support for RISC-V - lint and validate dependency metadata to reference dependencies with a unique key (name or alias) - Work around template.Clone omitting options - fix: pass 'passCredentialsAll' as env-var to getter - feat: pass basic auth to env-vars when running download plugins - helm search: New CLI Flag --fail-on-no-result - Update pkg/kube/ready.go - fix post install hook deletion due to before-hook-creation policy - Allow a nested `tpl` invocation access to `defines` in a containing one - Remove the 'reference templates' concept - Speed up `tpl` - ready checker- comment update - ready checker- remove duplicate statefulset generational check - Verify generation in readiness checks - feat(helm): add --reset-then-reuse-values flag to 'helm upgrade' ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:602-1 Released: Thu Feb 20 10:15:21 2025 Summary: Security update for helm Type: security Severity: important References: 1234482,1235318,CVE-2024-45337,CVE-2024-45338 This update for helm fixes the following issues: Update to version 3.17.1: - CVE-2024-45338: Fixed denial of service due to non-linear parsing of case-insensitive content (bsc#1235318). 
- CVE-2024-45337: Fixed misuse of ServerConfig.PublicKeyCallback to prevent authorization bypass in golang.org/x/crypto (bsc#1234482). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:1007-1 Released: Tue Mar 25 09:44:39 2025 Summary: Security update for helm Type: security Severity: moderate References: 1238688,CVE-2025-22870 This update for helm fixes the following issues: - CVE-2025-22870: Fixed proxy bypass using IPv6 zone IDs (bsc#1238688). Other fixes: - Updated to version 3.17.2 - Updated to 0.37.0 for x/net ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:1596-1 Released: Tue May 20 09:55:02 2025 Summary: Security update for helm Type: security Severity: moderate References: This update for helm fixes the following issues: helm was updated to version 3.17.3: Helm v3.17.3 is a security (patch) release. Users are strongly recommended to update to this release. * Changelog - Unarchiving fix e4da497 (Matt Farina) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2121-1 Released: Thu Jun 26 10:34:05 2025 Summary: Security update for helm Type: security Severity: important References: 1241802,CVE-2025-22872 This update for helm fixes the following issues: Update to version 3.18.3: * build(deps): bump golang.org/x/crypto from 0.38.0 to 0.39.0 6838ebc (dependabot[bot]) * fix: user username password for login 5b9e2f6 (Terry Howe) * Update pkg/registry/transport.go 2782412 (Terry Howe) * Update pkg/registry/transport.go e66cf6a (Terry Howe) * fix: add debug logging to oci transport 191f05c (Terry Howe) Update to version 3.18.2: * fix: legacy docker support broken for login 04cad46 (Terry Howe) * Handle an empty registry config file.
bc9f8a2 (Matt Farina) Update to version 3.18.1: * Notes: - This release fixes regressions around template generation and OCI registry interaction in 3.18.0 - There are at least 2 known regressions unaddressed in this release. They are being worked on. - Empty registry configuration files. When the file exists but it is empty. - Login to Docker Hub on some domains fails. * Changelog - fix(client): skipnode utilization for PreCopy - fix(client): layers now returns manifest - remove duplicate from descriptors - fix(client): return nil on non-allowed media types - Prevent fetching newReference again as we have in calling method - Prevent failure when resolving version tags in oras memory store - Update pkg/plugin/plugin.go - Update pkg/plugin/plugin.go - Wait for Helm v4 before raising when platformCommand and Command are set - Fix 3.18.0 regression: registry login with scheme - Revert 'fix (helm) : toToml` renders int as float [ backport to v3 ]' Update to version 3.18.0 (bsc#1241802, CVE-2025-22872): * Notable Changes - Add support for JSON Schema 2020 - Enabled cpu and memory profiling - Add hook annotation to output hook logs to client on error * Changelog - build(deps): bump the k8s-io group with 7 updates - fix: govulncheck workflow - bump version to v3.18.0 - fix:add proxy support when mTLS configured - docs: Note about http fallback for OCI registries - Bump net package to avoid CVE on dev-v3 - Bump toml - backport #30677to dev3 - build(deps): bump github.com/rubenv/sql-migrate from 1.7.2 to 1.8.0 - Add install test for TakeOwnership flag - Fix --take-ownership - build(deps): bump github.com/rubenv/sql-migrate from 1.7.1 to 1.7.2 - build(deps): bump golang.org/x/crypto from 0.36.0 to 0.37.0 - build(deps): bump golang.org/x/term from 0.30.0 to 0.31.0 - Testing text bump - Permit more Go version and not only 1.23.8 - Bumps github.com/distribution/distribution/v3 from 3.0.0-rc.3 to 3.0.0 - Unarchiving fix - Fix typo - Report as debug log, the time spent waiting 
for resources - build(deps): bump github.com/containerd/containerd from 1.7.26 to 1.7.27 - Update pkg/registry/fallback.go - automatic fallback to http - chore(oci): upgrade to ORAS v2 - Updating to 0.37.0 for x/net - build(deps): bump the k8s-io group with 7 updates - build(deps): bump golang.org/x/crypto from 0.35.0 to 0.36.0 - build(deps): bump github.com/opencontainers/image-spec - build(deps): bump github.com/containerd/containerd from 1.7.25 to 1.7.26 - build(deps): bump golang.org/x/crypto from 0.33.0 to 0.35.0 - Fix cherry-pick helm.sh/helm/v4 -> helm.sh/helm/v3 - Add HookOutputFunc and generic yaml unmarshaller - clarify fix error message - fix err check - add short circuit return - Add hook annotations to output pod logs to client on success and fail - chore: use []error instead of []string - Update cmd/helm/profiling.go - chore: update profiling doc in CONTRIBUTING.md - Update CONTRIBUTING guide - Prefer environment variables to CLI flags - Move pprof paths to HELM_PPROF env variable - feat: Add flags to enable CPU and memory profiling - build(deps): bump github.com/distribution/distribution/v3 - build(deps): bump github.com/spf13/cobra from 1.8.1 to 1.9.1 - Moving to SetOut and SetErr for Cobra - build(deps): bump the k8s-io group with 7 updates - build(deps): bump golang.org/x/crypto from 0.32.0 to 0.33.0 - build(deps): bump golang.org/x/term from 0.28.0 to 0.29.0 - build(deps): bump golang.org/x/text from 0.21.0 to 0.22.0 - build(deps): bump github.com/spf13/pflag from 1.0.5 to 1.0.6 - build(deps): bump github.com/cyphar/filepath-securejoin - build(deps): bump github.com/evanphx/json-patch - build(deps): bump the k8s-io group with 7 updates - fix: check group for resource info match - Bump github.com/cyphar/filepath-securejoin from 0.3.6 to 0.4.0 - add test for nullifying nested global value - Ensuring the file paths are clean prior to passing to securejoin - Bump github.com/containerd/containerd from 1.7.24 to 1.7.25 - Bump golang.org/x/crypto from 
0.31.0 to 0.32.0 - Bump golang.org/x/term from 0.27.0 to 0.28.0 - bump version to v3.17.0 - Bump github.com/moby/term from 0.5.0 to 0.5.2 - Add test case for removing an entire object - Tests for bugfix: Override subcharts with null values #12879 - feat: Added multi-platform plugin hook support to v3 - This commit fixes the issue where the yaml.Unmarshaller converts all int values into float64, this passes in option to decoder, which enables conversion of int into . - merge null child chart objects ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:4190-1 Released: Mon Nov 24 10:19:40 2025 Summary: Security update for helm Type: security Severity: important References: 1246152,1251442,1251649,CVE-2025-47911,CVE-2025-53547,CVE-2025-58190 This update for helm fixes the following issues: - Update to version 3.19.1 - CVE-2025-53547: Fixed local code execution in Helm Chart. (bsc#1246152) - CVE-2025-58190: Fixed excessive memory consumption by `html.ParseFragment` when processing specially crafted input. (bsc#1251649) - CVE-2025-47911: Fixed various algorithms with quadratic complexity when parsing HTML documents. (bsc#1251442) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:4437-1 Released: Wed Dec 17 15:44:48 2025 Summary: Security update for helm Type: security Severity: important References: This update for helm rebuilds it against current GO to fix security issues in go-stdlib. 
The following package changes have been done: - patterns-base-fips-20200124-150700.36.1 added - helm-3.19.1-150000.1.59.1 added - container:suse-sle15-15.7-7970b1398395a13b38e858c60a7b75db5f5265dd7c0ecdabe8919a458b2f34e5-0 updated - container:registry.suse.com-bci-bci-micro-15.7-55883c76f750bdb0fa8cf3fe2e43f19f9babc501efce9801e94a9c0c8d115a20-0 updated From sle-container-updates at lists.suse.com Wed Jan 28 08:19:17 2026 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Wed, 28 Jan 2026 09:19:17 +0100 (CET) Subject: SUSE-CU-2026:408-1: Security update of suse/nginx Message-ID: <20260128081917.BBB99FF0C@maintenance.suse.de> SUSE Container Update Advisory: suse/nginx ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2026:408-1 Container Tags : suse/nginx:1.21 , suse/nginx:1.21-70.8 , suse/nginx:latest Container Release : 70.8 Severity : moderate Type : security References : 1252895 1256105 1256525 1256526 CVE-2025-14017 CVE-2026-22695 CVE-2026-22801 ----------------------------------------------------------------- The container suse/nginx was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2026:221-1 Released: Thu Jan 22 13:15:35 2026 Summary: Security update for curl Type: security Severity: moderate References: 1256105,CVE-2025-14017 This update for curl fixes the following issues: - CVE-2025-14017: Fixed broken TLS options for threaded LDAPS (bsc#1256105). 
----------------------------------------------------------------- Advisory ID: SUSE-SU-2026:234-1 Released: Thu Jan 22 13:24:43 2026 Summary: Security update for libpng16 Type: security Severity: moderate References: 1256525,1256526,CVE-2026-22695,CVE-2026-22801 This update for libpng16 fixes the following issues: - CVE-2026-22695: Fixed heap buffer over-read in png_image_finish_read (bsc#1256525) - CVE-2026-22801: Fixed integer truncation causing heap buffer over-read in png_image_write_* (bsc#1256526). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2026:249-1 Released: Thu Jan 22 16:23:36 2026 Summary: Recommended update for libwebp Type: recommended Severity: moderate References: 1252895 This update for libwebp ships the commandline tools to Package Hub. The following package changes have been done: - patterns-base-fips-20200124-150700.36.1 added - libwebp7-1.0.3-150200.3.14.1 updated - libpng16-16-1.6.40-150600.3.6.1 updated - libopenssl-3-fips-provider-3.2.3-150700.5.21.1 added - libcurl4-8.14.1-150700.7.11.1 updated - curl-8.14.1-150700.7.11.1 updated - container:suse-sle15-15.7-7970b1398395a13b38e858c60a7b75db5f5265dd7c0ecdabe8919a458b2f34e5-0 updated - container:registry.suse.com-bci-bci-micro-15.7-55883c76f750bdb0fa8cf3fe2e43f19f9babc501efce9801e94a9c0c8d115a20-0 updated From sle-container-updates at lists.suse.com Wed Jan 28 08:19:41 2026 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Wed, 28 Jan 2026 09:19:41 +0100 (CET) Subject: SUSE-CU-2026:409-1: Security update of bci/nodejs Message-ID: <20260128081941.D4BA4FF0C@maintenance.suse.de> SUSE Container Update Advisory: bci/nodejs ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2026:409-1 Container Tags : bci/node:22 , bci/node:22.22.0 , bci/node:22.22.0-16.7 , bci/node:latest , bci/nodejs:22 , bci/nodejs:22.22.0 , bci/nodejs:22.22.0-16.7 , bci/nodejs:latest Container 
Release : 16.7 Severity : important Type : security References : 1251224 1256105 1256569 1256570 1256571 1256573 1256574 1256576 1256848 CVE-2025-14017 CVE-2025-55130 CVE-2025-55131 CVE-2025-55132 CVE-2025-59465 CVE-2025-59466 CVE-2026-21637 CVE-2026-22036 ----------------------------------------------------------------- The container bci/nodejs was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2026:221-1 Released: Thu Jan 22 13:15:35 2026 Summary: Security update for curl Type: security Severity: moderate References: 1256105,CVE-2025-14017 This update for curl fixes the following issues: - CVE-2025-14017: Fixed broken TLS options for threaded LDAPS (bsc#1256105). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2026:242-1 Released: Thu Jan 22 14:57:13 2026 Summary: Recommended update for git Type: recommended Severity: moderate References: 1251224 This update for git fixes the following issue: - Revert incorrect AppArmor profile change, in SLE 15 the binaries remain in /usr/lib/git (bsc#1251224) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2026:301-1 Released: Tue Jan 27 09:20:40 2026 Summary: Security update for nodejs22 Type: security Severity: important References: 1256569,1256570,1256571,1256573,1256574,1256576,1256848,CVE-2025-55130,CVE-2025-55131,CVE-2025-55132,CVE-2025-59465,CVE-2025-59466,CVE-2026-21637,CVE-2026-22036 This update for nodejs22 fixes the following issues: Security fixes: - CVE-2026-22036: Fixed unbounded decompression chain in HTTP response leading to resource exhaustion (bsc#1256848) - CVE-2026-21637: Fixed synchronous exceptions thrown during callbacks that bypass TLS error handling and causing denial of service (bsc#1256576) - CVE-2025-55132: Fixed futimes() ability to access file even if process has read permissions only (bsc#1256571) - CVE-2025-55131: 
Fixed race condition that allowed allocations with leftover data leading to in-process secrets exposure (bsc#1256570) - CVE-2025-55130: Fixed filesystem permissions bypass via crafted symlinks (bsc#1256569) - CVE-2025-59465: Fixed malformed HTTP/2 HEADERS frame with invalid HPACK leading to crash (bsc#1256573) - CVE-2025-59466: Fixed uncatchable 'Maximum call stack size exceeded' error leading to crash (bsc#1256574) Other fixes: - Update to 22.22.0: * deps: updated undici to 6.23.0 * deps: updated bundled c-ares to 1.34.6 (if used) * add TLSSocket default error handler * disable futimes when permission model is enabled * require full read and write to symlink APIs * rethrow stack overflow exceptions in async_hooks * refactor unsafe buffer creation to remove zero-fill toggle * route callback exceptions through error handlers - Update to 22.21.1: * src: avoid unnecessary string -> char* -> string round trips * src: remove unnecessary shadowed functions on Utf8Value & BufferValue * process: fix hrtime fast call signatures * http: improve writeEarlyHints by avoiding for-of loop - Update to 22.21.0: * cli: add --use-env-proxy * http: support http proxy for fetch under NODE_USE_ENV_PROXY * http: add shouldUpgradeCallback to let servers control HTTP upgrades * http,https: add built-in proxy support in http/https.request and Agent * src: add percentage support to --max-old-space-size - Update to 22.20.0 * doc: stabilize --disable-sigusr1 * doc: mark path.matchesGlob as stable * http: add Agent.agentKeepAliveTimeoutBuffer option * http2: add support for raw header arrays in h2Stream.respond() * inspector: add http2 tracking support * sea: implement execArgvExtension * sea: support execArgv in sea config * stream: add brotli support to CompressionStream and DecompressionStream * test_runner: support object property mocking * worker: add cpu profile APIs for worker - Update to 22.19.0 * cli: add NODE_USE_SYSTEM_CA=1 * cli: support ${pid} placeholder in --cpu-prof-name * 
crypto: add tls.setDefaultCACertificates() * dns: support max timeout * doc: update the instruction on how to verify releases * esm: unflag --experimental-wasm-modules * http: add server.keepAliveTimeoutBuffer option * lib: docs deprecate _http_* * net: update net.blocklist to allow file save and file management * process: add threadCpuUsage * zlib: add dictionary support to zstdCompress and zstdDecompress - Update to 22.18.0: * deps: update amaro to 1.1.0 * doc: add all watch-mode related flags to node.1 * doc: add islandryu to collaborators * esm: implement import.meta.main * fs: allow correct handling of burst in fs-events with AsyncIterator * permission: propagate permission model flags on spawn * sqlite: add support for readBigInts option in db connection level * src,permission: add support to permission.has(addon) * url: add fileURLToPathBuffer API * watch: add --watch-kill-signal flag * worker: make Worker async disposable The following package changes have been done: - nodejs22-22.22.0-150700.3.6.1 updated - curl-8.14.1-150700.7.11.1 updated - npm22-22.22.0-150700.3.6.1 updated - git-core-2.51.0-150600.3.15.1 updated From sle-container-updates at lists.suse.com Wed Jan 28 08:20:01 2026 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Wed, 28 Jan 2026 09:20:01 +0100 (CET) Subject: SUSE-CU-2026:410-1: Security update of suse/postgres Message-ID: <20260128082001.6C4A8FF0C@maintenance.suse.de> SUSE Container Update Advisory: suse/postgres ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2026:410-1 Container Tags : suse/postgres:16 , suse/postgres:16.11 , suse/postgres:16.11 , suse/postgres:16.11-83.7 Container Release : 83.7 Severity : moderate Type : security References : 1254666 1256105 CVE-2025-14017 CVE-2025-14104 ----------------------------------------------------------------- The container suse/postgres was updated. 
The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:221-1
Released: Thu Jan 22 13:15:35 2026
Summary: Security update for curl
Type: security
Severity: moderate
References: 1256105,CVE-2025-14017

This update for curl fixes the following issues:

- CVE-2025-14017: Fixed broken TLS options for threaded LDAPS (bsc#1256105).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:230-1
Released: Thu Jan 22 13:22:31 2026
Summary: Security update for util-linux
Type: security
Severity: moderate
References: 1254666,CVE-2025-14104

This update for util-linux fixes the following issues:

- CVE-2025-14104: Fixed heap buffer overread in setpwnam() when processing 256-byte usernames (bsc#1254666).
- lscpu: Add support for NVIDIA Olympus arm64 core (jsc#PED-13682).

The following package changes have been done:

- patterns-base-fips-20200124-150700.36.1 added
- libsmartcols1-2.40.4-150700.4.3.1 updated
- libuuid1-2.40.4-150700.4.3.1 updated
- libblkid1-2.40.4-150700.4.3.1 updated
- libmount1-2.40.4-150700.4.3.1 updated
- libfdisk1-2.40.4-150700.4.3.1 updated
- libopenssl-3-fips-provider-3.2.3-150700.5.21.1 added
- libcurl4-8.14.1-150700.7.11.1 updated
- util-linux-2.40.4-150700.4.3.1 updated
- container:suse-sle15-15.7-7970b1398395a13b38e858c60a7b75db5f5265dd7c0ecdabe8919a458b2f34e5-0 updated
- container:registry.suse.com-bci-bci-micro-15.7-55883c76f750bdb0fa8cf3fe2e43f19f9babc501efce9801e94a9c0c8d115a20-0 updated

From sle-container-updates at lists.suse.com Wed Jan 28 08:20:19 2026
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Wed, 28 Jan 2026 09:20:19 +0100 (CET)
Subject: SUSE-CU-2026:411-1: Security update of suse/postgres
Message-ID: <20260128082019.8BA69FF0C@maintenance.suse.de>

SUSE Container Update Advisory: suse/postgres
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2026:411-1
Container Tags : suse/postgres:17 , suse/postgres:17.7 , suse/postgres:17.7 , suse/postgres:17.7-73.7
Container Release : 73.7
Severity : moderate
Type : security
References : 1254666 1256105 CVE-2025-14017 CVE-2025-14104
-----------------------------------------------------------------

The container suse/postgres was updated.
The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:221-1
Released: Thu Jan 22 13:15:35 2026
Summary: Security update for curl
Type: security
Severity: moderate
References: 1256105,CVE-2025-14017

This update for curl fixes the following issues:

- CVE-2025-14017: Fixed broken TLS options for threaded LDAPS (bsc#1256105).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:230-1
Released: Thu Jan 22 13:22:31 2026
Summary: Security update for util-linux
Type: security
Severity: moderate
References: 1254666,CVE-2025-14104

This update for util-linux fixes the following issues:

- CVE-2025-14104: Fixed heap buffer overread in setpwnam() when processing 256-byte usernames (bsc#1254666).
- lscpu: Add support for NVIDIA Olympus arm64 core (jsc#PED-13682).
The following package changes have been done:

- patterns-base-fips-20200124-150700.36.1 added
- libsmartcols1-2.40.4-150700.4.3.1 updated
- libuuid1-2.40.4-150700.4.3.1 updated
- libblkid1-2.40.4-150700.4.3.1 updated
- libmount1-2.40.4-150700.4.3.1 updated
- libfdisk1-2.40.4-150700.4.3.1 updated
- libopenssl-3-fips-provider-3.2.3-150700.5.21.1 added
- libcurl4-8.14.1-150700.7.11.1 updated
- util-linux-2.40.4-150700.4.3.1 updated
- container:suse-sle15-15.7-7970b1398395a13b38e858c60a7b75db5f5265dd7c0ecdabe8919a458b2f34e5-0 updated
- container:registry.suse.com-bci-bci-micro-15.7-55883c76f750bdb0fa8cf3fe2e43f19f9babc501efce9801e94a9c0c8d115a20-0 updated

From sle-container-updates at lists.suse.com Wed Jan 28 08:20:23 2026
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Wed, 28 Jan 2026 09:20:23 +0100 (CET)
Subject: SUSE-CU-2026:412-1: Security update of suse/postgres
Message-ID: <20260128082023.9BAC1FF0C@maintenance.suse.de>

SUSE Container Update Advisory: suse/postgres
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2026:412-1
Container Tags : suse/postgres:18 , suse/postgres:18.1 , suse/postgres:18.1 , suse/postgres:18.1-63.7 , suse/postgres:latest
Container Release : 63.7
Severity : moderate
Type : security
References : 1254666 1256105 CVE-2025-14017 CVE-2025-14104
-----------------------------------------------------------------

The container suse/postgres was updated.
The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:221-1
Released: Thu Jan 22 13:15:35 2026
Summary: Security update for curl
Type: security
Severity: moderate
References: 1256105,CVE-2025-14017

This update for curl fixes the following issues:

- CVE-2025-14017: Fixed broken TLS options for threaded LDAPS (bsc#1256105).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:230-1
Released: Thu Jan 22 13:22:31 2026
Summary: Security update for util-linux
Type: security
Severity: moderate
References: 1254666,CVE-2025-14104

This update for util-linux fixes the following issues:

- CVE-2025-14104: Fixed heap buffer overread in setpwnam() when processing 256-byte usernames (bsc#1254666).
- lscpu: Add support for NVIDIA Olympus arm64 core (jsc#PED-13682).

The following package changes have been done:

- patterns-base-fips-20200124-150700.36.1 added
- libsmartcols1-2.40.4-150700.4.3.1 updated
- libuuid1-2.40.4-150700.4.3.1 updated
- libblkid1-2.40.4-150700.4.3.1 updated
- libmount1-2.40.4-150700.4.3.1 updated
- libfdisk1-2.40.4-150700.4.3.1 updated
- libopenssl-3-fips-provider-3.2.3-150700.5.21.1 added
- libcurl4-8.14.1-150700.7.11.1 updated
- util-linux-2.40.4-150700.4.3.1 updated
- container:suse-sle15-15.7-7970b1398395a13b38e858c60a7b75db5f5265dd7c0ecdabe8919a458b2f34e5-0 updated
- container:registry.suse.com-bci-bci-micro-15.7-55883c76f750bdb0fa8cf3fe2e43f19f9babc501efce9801e94a9c0c8d115a20-0 updated

From sle-container-updates at lists.suse.com Wed Jan 28 08:20:54 2026
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Wed, 28 Jan 2026 09:20:54 +0100 (CET)
Subject: SUSE-CU-2026:414-1: Security update of suse/mariadb
Message-ID: <20260128082054.8D576FF0C@maintenance.suse.de>

SUSE Container Update Advisory: suse/mariadb
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2026:414-1
Container Tags : suse/mariadb:11.8 , suse/mariadb:11.8.5 , suse/mariadb:11.8.5-70.7 , suse/mariadb:latest
Container Release : 70.7
Severity : moderate
Type : security
References : 1254666 CVE-2025-14104
-----------------------------------------------------------------

The container suse/mariadb was updated.
The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:230-1
Released: Thu Jan 22 13:22:31 2026
Summary: Security update for util-linux
Type: security
Severity: moderate
References: 1254666,CVE-2025-14104

This update for util-linux fixes the following issues:

- CVE-2025-14104: Fixed heap buffer overread in setpwnam() when processing 256-byte usernames (bsc#1254666).
- lscpu: Add support for NVIDIA Olympus arm64 core (jsc#PED-13682).

The following package changes have been done:

- patterns-base-fips-20200124-150700.36.1 added
- libsmartcols1-2.40.4-150700.4.3.1 updated
- libuuid1-2.40.4-150700.4.3.1 updated
- libblkid1-2.40.4-150700.4.3.1 updated
- libmount1-2.40.4-150700.4.3.1 updated
- libfdisk1-2.40.4-150700.4.3.1 updated
- libopenssl-3-fips-provider-3.2.3-150700.5.21.1 added
- util-linux-2.40.4-150700.4.3.1 updated
- container:suse-sle15-15.7-7970b1398395a13b38e858c60a7b75db5f5265dd7c0ecdabe8919a458b2f34e5-0 updated
- container:registry.suse.com-bci-bci-micro-15.7-55883c76f750bdb0fa8cf3fe2e43f19f9babc501efce9801e94a9c0c8d115a20-0 updated

From sle-container-updates at lists.suse.com Wed Jan 28 08:21:14 2026
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Wed, 28 Jan 2026 09:21:14 +0100 (CET)
Subject: SUSE-CU-2026:415-1: Security update of suse/samba-client
Message-ID: <20260128082114.39437FF0C@maintenance.suse.de>

SUSE Container Update Advisory: suse/samba-client
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2026:415-1
Container Tags : suse/samba-client:4.21 , suse/samba-client:4.21 , suse/samba-client:4.21-70.8 , suse/samba-client:latest
Container Release : 70.8
Severity : important
Type : security
References : 1234210 1254439 1254586 1254926 1256341 1256498 1256499 1256500 CVE-2025-13151 CVE-2025-68276 CVE-2025-68468 CVE-2025-68471
-----------------------------------------------------------------

The container suse/samba-client was updated.
The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:224-1
Released: Thu Jan 22 13:18:20 2026
Summary: Security update for libtasn1
Type: security
Severity: moderate
References: 1256341,CVE-2025-13151

This update for libtasn1 fixes the following issues:

- CVE-2025-13151: stack-based buffer overflow in `asn1_expend_octet_string` (bsc#1256341).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:259-1
Released: Thu Jan 22 17:10:44 2026
Summary: Security update for avahi
Type: security
Severity: moderate
References: 1256498,1256499,1256500,CVE-2025-68276,CVE-2025-68468,CVE-2025-68471

This update for avahi fixes the following issues:

- CVE-2025-68276: Fixed refuse to create wide-area record browsers when wide-area is off (bsc#1256498)
- CVE-2025-68471: Fixed DoS bug by changing assert to return (bsc#1256500)
- CVE-2025-68468: Fixed DoS bug by removing incorrect assertion (bsc#1256499)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2026:261-1
Released: Thu Jan 22 17:13:51 2026
Summary: Recommended update for samba
Type: recommended
Severity: important
References: 1234210,1254439,1254586,1254926

This update for samba fixes the following issues:

- Fix testparm error handling the 'sync machine password to keytab' option (bsc#1254439)
- Fix Samba printers reporting invalid sid during print jobs (bsc#1234210, bsc#1254926)
- samba-bgqd can't find [printers] share (bsc#1254586)

The following package changes have been done:

- patterns-base-fips-20200124-150700.36.1 added
- libavahi-common3-0.8-150600.15.12.1 updated
- libldb2-4.21.10+git.449.dcced69e1b5-150700.3.19.1 updated
- libopenssl-3-fips-provider-3.2.3-150700.5.21.1 added
- libtasn1-6-4.13-150000.4.14.1 updated
- libtasn1-4.13-150000.4.14.1 updated
- libavahi-client3-0.8-150600.15.12.1 updated
- samba-client-libs-4.21.10+git.449.dcced69e1b5-150700.3.19.1 updated
- samba-client-4.21.10+git.449.dcced69e1b5-150700.3.19.1 updated
- container:suse-sle15-15.7-7970b1398395a13b38e858c60a7b75db5f5265dd7c0ecdabe8919a458b2f34e5-0 updated
- container:registry.suse.com-bci-bci-micro-15.7-55883c76f750bdb0fa8cf3fe2e43f19f9babc501efce9801e94a9c0c8d115a20-0 updated

From sle-container-updates at lists.suse.com Wed Jan 28 08:21:36 2026
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Wed, 28 Jan 2026 09:21:36 +0100 (CET)
Subject: SUSE-CU-2026:416-1: Security update of suse/samba-server
Message-ID: <20260128082136.7409DFF0C@maintenance.suse.de>

SUSE Container Update Advisory: suse/samba-server
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2026:416-1
Container Tags : suse/samba-server:4.21 , suse/samba-server:4.21 , suse/samba-server:4.21-71.8 , suse/samba-server:latest
Container Release : 71.8
Severity : important
Type : security
References : 1234210 1254439 1254586 1254926 1256341 1256498 1256499 1256500 CVE-2025-13151 CVE-2025-68276 CVE-2025-68468 CVE-2025-68471
-----------------------------------------------------------------

The container suse/samba-server was updated.
The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:224-1
Released: Thu Jan 22 13:18:20 2026
Summary: Security update for libtasn1
Type: security
Severity: moderate
References: 1256341,CVE-2025-13151

This update for libtasn1 fixes the following issues:

- CVE-2025-13151: stack-based buffer overflow in `asn1_expend_octet_string` (bsc#1256341).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:259-1
Released: Thu Jan 22 17:10:44 2026
Summary: Security update for avahi
Type: security
Severity: moderate
References: 1256498,1256499,1256500,CVE-2025-68276,CVE-2025-68468,CVE-2025-68471

This update for avahi fixes the following issues:

- CVE-2025-68276: Fixed refuse to create wide-area record browsers when wide-area is off (bsc#1256498)
- CVE-2025-68471: Fixed DoS bug by changing assert to return (bsc#1256500)
- CVE-2025-68468: Fixed DoS bug by removing incorrect assertion (bsc#1256499)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2026:261-1
Released: Thu Jan 22 17:13:51 2026
Summary: Recommended update for samba
Type: recommended
Severity: important
References: 1234210,1254439,1254586,1254926

This update for samba fixes the following issues:

- Fix testparm error handling the 'sync machine password to keytab' option (bsc#1254439)
- Fix Samba printers reporting invalid sid during print jobs (bsc#1234210, bsc#1254926)
- samba-bgqd can't find [printers] share (bsc#1254586)

The following package changes have been done:

- patterns-base-fips-20200124-150700.36.1 added
- libavahi-common3-0.8-150600.15.12.1 updated
- libldb2-4.21.10+git.449.dcced69e1b5-150700.3.19.1 updated
- libopenssl-3-fips-provider-3.2.3-150700.5.21.1 added
- libtasn1-6-4.13-150000.4.14.1 updated
- libtasn1-4.13-150000.4.14.1 updated
- libavahi-client3-0.8-150600.15.12.1 updated
- samba-client-libs-4.21.10+git.449.dcced69e1b5-150700.3.19.1 updated
- samba-libs-4.21.10+git.449.dcced69e1b5-150700.3.19.1 updated
- samba-client-4.21.10+git.449.dcced69e1b5-150700.3.19.1 updated
- samba-dcerpc-4.21.10+git.449.dcced69e1b5-150700.3.19.1 updated
- samba-4.21.10+git.449.dcced69e1b5-150700.3.19.1 updated
- container:suse-sle15-15.7-7970b1398395a13b38e858c60a7b75db5f5265dd7c0ecdabe8919a458b2f34e5-0 updated
- container:registry.suse.com-bci-bci-micro-15.7-55883c76f750bdb0fa8cf3fe2e43f19f9babc501efce9801e94a9c0c8d115a20-0 updated

From sle-container-updates at lists.suse.com Wed Jan 28 08:21:56 2026
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Wed, 28 Jan 2026 09:21:56 +0100 (CET)
Subject: SUSE-CU-2026:417-1: Security update of suse/samba-toolbox
Message-ID: <20260128082156.AA74AFF0C@maintenance.suse.de>

SUSE Container Update Advisory: suse/samba-toolbox
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2026:417-1
Container Tags : suse/samba-toolbox:4.21 , suse/samba-toolbox:4.21 , suse/samba-toolbox:4.21-71.8 , suse/samba-toolbox:latest
Container Release : 71.8
Severity : important
Type : security
References : 1234210 1254439 1254586 1254926 1256341 1256498 1256499 1256500 CVE-2025-13151 CVE-2025-68276 CVE-2025-68468 CVE-2025-68471
-----------------------------------------------------------------

The container suse/samba-toolbox was updated.
The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:224-1
Released: Thu Jan 22 13:18:20 2026
Summary: Security update for libtasn1
Type: security
Severity: moderate
References: 1256341,CVE-2025-13151

This update for libtasn1 fixes the following issues:

- CVE-2025-13151: stack-based buffer overflow in `asn1_expend_octet_string` (bsc#1256341).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:259-1
Released: Thu Jan 22 17:10:44 2026
Summary: Security update for avahi
Type: security
Severity: moderate
References: 1256498,1256499,1256500,CVE-2025-68276,CVE-2025-68468,CVE-2025-68471

This update for avahi fixes the following issues:

- CVE-2025-68276: Fixed refuse to create wide-area record browsers when wide-area is off (bsc#1256498)
- CVE-2025-68471: Fixed DoS bug by changing assert to return (bsc#1256500)
- CVE-2025-68468: Fixed DoS bug by removing incorrect assertion (bsc#1256499)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2026:261-1
Released: Thu Jan 22 17:13:51 2026
Summary: Recommended update for samba
Type: recommended
Severity: important
References: 1234210,1254439,1254586,1254926

This update for samba fixes the following issues:

- Fix testparm error handling the 'sync machine password to keytab' option (bsc#1254439)
- Fix Samba printers reporting invalid sid during print jobs (bsc#1234210, bsc#1254926)
- samba-bgqd can't find [printers] share (bsc#1254586)

The following package changes have been done:

- patterns-base-fips-20200124-150700.36.1 added
- libavahi-common3-0.8-150600.15.12.1 updated
- libldb2-4.21.10+git.449.dcced69e1b5-150700.3.19.1 updated
- libopenssl-3-fips-provider-3.2.3-150700.5.21.1 added
- libtasn1-6-4.13-150000.4.14.1 updated
- libtasn1-4.13-150000.4.14.1 updated
- libavahi-client3-0.8-150600.15.12.1 updated
- samba-client-libs-4.21.10+git.449.dcced69e1b5-150700.3.19.1 updated
- samba-client-4.21.10+git.449.dcced69e1b5-150700.3.19.1 updated
- container:suse-sle15-15.7-7970b1398395a13b38e858c60a7b75db5f5265dd7c0ecdabe8919a458b2f34e5-0 updated
- container:registry.suse.com-bci-bci-micro-15.7-55883c76f750bdb0fa8cf3fe2e43f19f9babc501efce9801e94a9c0c8d115a20-0 updated

From sle-container-updates at lists.suse.com Wed Jan 28 13:34:56 2026
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Wed, 28 Jan 2026 14:34:56 +0100 (CET)
Subject: SUSE-CU-2026:422-1: Security update of private-registry/harbor-core
Message-ID: <20260128133456.DCC51FF0D@maintenance.suse.de>

SUSE Container Update Advisory: private-registry/harbor-core
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2026:422-1
Container Tags : private-registry/harbor-core:1.1.1 , private-registry/harbor-core:1.1.1-1.15 , private-registry/harbor-core:latest
Container Release : 1.15
Severity : critical
Type : security
References : 1256830 1256834 1256835 1256836 1256837 1256838 1256839 1256840 CVE-2025-15467 CVE-2025-68160 CVE-2025-69418 CVE-2025-69419 CVE-2025-69420 CVE-2025-69421 CVE-2026-22795 CVE-2026-22796
-----------------------------------------------------------------

The container private-registry/harbor-core was updated.
The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:309-1
Released: Wed Jan 28 10:36:32 2026
Summary: Security update for openssl-3
Type: security
Severity: critical
References: 1256830,1256834,1256835,1256836,1256837,1256838,1256839,1256840,CVE-2025-15467,CVE-2025-68160,CVE-2025-69418,CVE-2025-69419,CVE-2025-69420,CVE-2025-69421,CVE-2026-22795,CVE-2026-22796

This update for openssl-3 fixes the following issues:

- CVE-2025-15467: Stack buffer overflow in CMS AuthEnvelopedData parsing (bsc#1256830).
- CVE-2025-68160: Heap out-of-bounds write in BIO_f_linebuffer on short writes (bsc#1256834).
- CVE-2025-69418: Unauthenticated/unencrypted trailing bytes with low-level OCB function calls (bsc#1256835).
- CVE-2025-69419: Out of bounds write in PKCS12_get_friendlyname() UTF-8 conversion (bsc#1256836).
- CVE-2025-69420: Missing ASN1_TYPE validation in TS_RESP_verify_response() function (bsc#1256837).
- CVE-2025-69421: NULL Pointer Dereference in PKCS12_item_decrypt_d2i_ex function (bsc#1256838).
- CVE-2026-22795: Missing ASN1_TYPE validation in PKCS#12 parsing (bsc#1256839).
- CVE-2026-22796: ASN1_TYPE Type Confusion in the PKCS7_digest_from_attributes() function (bsc#1256840).

The following package changes have been done:

- libopenssl3-3.2.3-150700.5.24.1 updated
- openssl-3-3.2.3-150700.5.24.1 updated
- libopenssl-3-fips-provider-3.2.3-150700.5.24.1 updated
- system-user-harbor-2.14.2-150700.1.6 updated
- harbor-core-2.14.2-150700.1.6 updated
- container:suse-sle15-15.7-2e217e3a9e14d18fead6b6167ccf6d306a7ad7d2de7bc20ce0fadda9adc99003-0 updated

From sle-container-updates at lists.suse.com Wed Jan 28 13:35:44 2026
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Wed, 28 Jan 2026 14:35:44 +0100 (CET)
Subject: SUSE-CU-2026:423-1: Security update of private-registry/harbor-exporter
Message-ID: <20260128133544.D7F27FF0D@maintenance.suse.de>

SUSE Container Update Advisory: private-registry/harbor-exporter
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2026:423-1
Container Tags : private-registry/harbor-exporter:1.1.1 , private-registry/harbor-exporter:1.1.1-1.15 , private-registry/harbor-exporter:latest
Container Release : 1.15
Severity : critical
Type : security
References : 1256830 1256834 1256835 1256836 1256837 1256838 1256839 1256840 CVE-2025-15467 CVE-2025-68160 CVE-2025-69418 CVE-2025-69419 CVE-2025-69420 CVE-2025-69421 CVE-2026-22795 CVE-2026-22796
-----------------------------------------------------------------

The container private-registry/harbor-exporter was updated.
The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:309-1
Released: Wed Jan 28 10:36:32 2026
Summary: Security update for openssl-3
Type: security
Severity: critical
References: 1256830,1256834,1256835,1256836,1256837,1256838,1256839,1256840,CVE-2025-15467,CVE-2025-68160,CVE-2025-69418,CVE-2025-69419,CVE-2025-69420,CVE-2025-69421,CVE-2026-22795,CVE-2026-22796

This update for openssl-3 fixes the following issues:

- CVE-2025-15467: Stack buffer overflow in CMS AuthEnvelopedData parsing (bsc#1256830).
- CVE-2025-68160: Heap out-of-bounds write in BIO_f_linebuffer on short writes (bsc#1256834).
- CVE-2025-69418: Unauthenticated/unencrypted trailing bytes with low-level OCB function calls (bsc#1256835).
- CVE-2025-69419: Out of bounds write in PKCS12_get_friendlyname() UTF-8 conversion (bsc#1256836).
- CVE-2025-69420: Missing ASN1_TYPE validation in TS_RESP_verify_response() function (bsc#1256837).
- CVE-2025-69421: NULL Pointer Dereference in PKCS12_item_decrypt_d2i_ex function (bsc#1256838).
- CVE-2026-22795: Missing ASN1_TYPE validation in PKCS#12 parsing (bsc#1256839).
- CVE-2026-22796: ASN1_TYPE Type Confusion in the PKCS7_digest_from_attributes() function (bsc#1256840).
The following package changes have been done:

- harbor-exporter-2.14.2-150700.1.6 updated
- libopenssl3-3.2.3-150700.5.24.1 updated
- openssl-3-3.2.3-150700.5.24.1 updated
- libopenssl-3-fips-provider-3.2.3-150700.5.24.1 updated
- system-user-harbor-2.14.2-150700.1.6 updated
- container:suse-sle15-15.7-2e217e3a9e14d18fead6b6167ccf6d306a7ad7d2de7bc20ce0fadda9adc99003-0 updated

From sle-container-updates at lists.suse.com Wed Jan 28 13:36:30 2026
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Wed, 28 Jan 2026 14:36:30 +0100 (CET)
Subject: SUSE-CU-2026:424-1: Security update of private-registry/harbor-jobservice
Message-ID: <20260128133630.92D98FF0D@maintenance.suse.de>

SUSE Container Update Advisory: private-registry/harbor-jobservice
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2026:424-1
Container Tags : private-registry/harbor-jobservice:1.1.1 , private-registry/harbor-jobservice:1.1.1-1.15 , private-registry/harbor-jobservice:latest
Container Release : 1.15
Severity : critical
Type : security
References : 1256830 1256834 1256835 1256836 1256837 1256838 1256839 1256840 CVE-2025-15467 CVE-2025-68160 CVE-2025-69418 CVE-2025-69419 CVE-2025-69420 CVE-2025-69421 CVE-2026-22795 CVE-2026-22796
-----------------------------------------------------------------

The container private-registry/harbor-jobservice was updated.
The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:309-1
Released: Wed Jan 28 10:36:32 2026
Summary: Security update for openssl-3
Type: security
Severity: critical
References: 1256830,1256834,1256835,1256836,1256837,1256838,1256839,1256840,CVE-2025-15467,CVE-2025-68160,CVE-2025-69418,CVE-2025-69419,CVE-2025-69420,CVE-2025-69421,CVE-2026-22795,CVE-2026-22796

This update for openssl-3 fixes the following issues:

- CVE-2025-15467: Stack buffer overflow in CMS AuthEnvelopedData parsing (bsc#1256830).
- CVE-2025-68160: Heap out-of-bounds write in BIO_f_linebuffer on short writes (bsc#1256834).
- CVE-2025-69418: Unauthenticated/unencrypted trailing bytes with low-level OCB function calls (bsc#1256835).
- CVE-2025-69419: Out of bounds write in PKCS12_get_friendlyname() UTF-8 conversion (bsc#1256836).
- CVE-2025-69420: Missing ASN1_TYPE validation in TS_RESP_verify_response() function (bsc#1256837).
- CVE-2025-69421: NULL Pointer Dereference in PKCS12_item_decrypt_d2i_ex function (bsc#1256838).
- CVE-2026-22795: Missing ASN1_TYPE validation in PKCS#12 parsing (bsc#1256839).
- CVE-2026-22796: ASN1_TYPE Type Confusion in the PKCS7_digest_from_attributes() function (bsc#1256840).
The following package changes have been done:

- libopenssl3-3.2.3-150700.5.24.1 updated
- openssl-3-3.2.3-150700.5.24.1 updated
- libopenssl-3-fips-provider-3.2.3-150700.5.24.1 updated
- system-user-harbor-2.14.2-150700.1.6 updated
- harbor-jobservice-2.14.2-150700.1.6 updated
- container:suse-sle15-15.7-2e217e3a9e14d18fead6b6167ccf6d306a7ad7d2de7bc20ce0fadda9adc99003-0 updated

From sle-container-updates at lists.suse.com Wed Jan 28 13:37:17 2026
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Wed, 28 Jan 2026 14:37:17 +0100 (CET)
Subject: SUSE-CU-2026:425-1: Security update of private-registry/harbor-portal
Message-ID: <20260128133717.5FC53FF0D@maintenance.suse.de>

SUSE Container Update Advisory: private-registry/harbor-portal
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2026:425-1
Container Tags : private-registry/harbor-portal:1.1.1 , private-registry/harbor-portal:1.1.1-1.16 , private-registry/harbor-portal:latest
Container Release : 1.16
Severity : critical
Type : security
References : 1256830 1256834 1256835 1256836 1256837 1256838 1256839 1256840 CVE-2025-15467 CVE-2025-68160 CVE-2025-69418 CVE-2025-69419 CVE-2025-69420 CVE-2025-69421 CVE-2026-22795 CVE-2026-22796
-----------------------------------------------------------------

The container private-registry/harbor-portal was updated.
The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:309-1
Released: Wed Jan 28 10:36:32 2026
Summary: Security update for openssl-3
Type: security
Severity: critical
References: 1256830,1256834,1256835,1256836,1256837,1256838,1256839,1256840,CVE-2025-15467,CVE-2025-68160,CVE-2025-69418,CVE-2025-69419,CVE-2025-69420,CVE-2025-69421,CVE-2026-22795,CVE-2026-22796

This update for openssl-3 fixes the following issues:

- CVE-2025-15467: Stack buffer overflow in CMS AuthEnvelopedData parsing (bsc#1256830).
- CVE-2025-68160: Heap out-of-bounds write in BIO_f_linebuffer on short writes (bsc#1256834).
- CVE-2025-69418: Unauthenticated/unencrypted trailing bytes with low-level OCB function calls (bsc#1256835).
- CVE-2025-69419: Out of bounds write in PKCS12_get_friendlyname() UTF-8 conversion (bsc#1256836).
- CVE-2025-69420: Missing ASN1_TYPE validation in TS_RESP_verify_response() function (bsc#1256837).
- CVE-2025-69421: NULL Pointer Dereference in PKCS12_item_decrypt_d2i_ex function (bsc#1256838).
- CVE-2026-22795: Missing ASN1_TYPE validation in PKCS#12 parsing (bsc#1256839).
- CVE-2026-22796: ASN1_TYPE Type Confusion in the PKCS7_digest_from_attributes() function (bsc#1256840).
The following package changes have been done:

- libopenssl3-3.2.3-150700.5.24.1 updated
- libopenssl-3-fips-provider-3.2.3-150700.5.24.1 updated
- system-user-harbor-2.14.2-150700.1.6 updated
- harbor-portal-2.14.2-150700.1.6 updated
- container:suse-sle15-15.7-2e217e3a9e14d18fead6b6167ccf6d306a7ad7d2de7bc20ce0fadda9adc99003-0 updated

From sle-container-updates at lists.suse.com Wed Jan 28 13:37:24 2026
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Wed, 28 Jan 2026 14:37:24 +0100 (CET)
Subject: SUSE-CU-2026:426-1: Security update of private-registry/harbor-registry
Message-ID: <20260128133724.74CA9FF0D@maintenance.suse.de>

SUSE Container Update Advisory: private-registry/harbor-registry
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2026:426-1
Container Tags : private-registry/harbor-registry:1.1.1 , private-registry/harbor-registry:1.1.1-1.15 , private-registry/harbor-registry:latest
Container Release : 1.15
Severity : critical
Type : security
References : 1256830 1256834 1256835 1256836 1256837 1256838 1256839 1256840 CVE-2025-15467 CVE-2025-68160 CVE-2025-69418 CVE-2025-69419 CVE-2025-69420 CVE-2025-69421 CVE-2026-22795 CVE-2026-22796
-----------------------------------------------------------------

The container private-registry/harbor-registry was updated.
The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:309-1
Released: Wed Jan 28 10:36:32 2026
Summary: Security update for openssl-3
Type: security
Severity: critical
References: 1256830,1256834,1256835,1256836,1256837,1256838,1256839,1256840,CVE-2025-15467,CVE-2025-68160,CVE-2025-69418,CVE-2025-69419,CVE-2025-69420,CVE-2025-69421,CVE-2026-22795,CVE-2026-22796

This update for openssl-3 fixes the following issues:

- CVE-2025-15467: Stack buffer overflow in CMS AuthEnvelopedData parsing (bsc#1256830).
- CVE-2025-68160: Heap out-of-bounds write in BIO_f_linebuffer on short writes (bsc#1256834).
- CVE-2025-69418: Unauthenticated/unencrypted trailing bytes with low-level OCB function calls (bsc#1256835).
- CVE-2025-69419: Out of bounds write in PKCS12_get_friendlyname() UTF-8 conversion (bsc#1256836).
- CVE-2025-69420: Missing ASN1_TYPE validation in TS_RESP_verify_response() function (bsc#1256837).
- CVE-2025-69421: NULL Pointer Dereference in PKCS12_item_decrypt_d2i_ex function (bsc#1256838).
- CVE-2026-22795: Missing ASN1_TYPE validation in PKCS#12 parsing (bsc#1256839).
- CVE-2026-22796: ASN1_TYPE Type Confusion in the PKCS7_digest_from_attributes() function (bsc#1256840).

The following package changes have been done:

- libopenssl3-3.2.3-150700.5.24.1 updated
- openssl-3-3.2.3-150700.5.24.1 updated
- libopenssl-3-fips-provider-3.2.3-150700.5.24.1 updated
- system-user-harbor-2.14.2-150700.1.6 updated
- container:suse-sle15-15.7-2e217e3a9e14d18fead6b6167ccf6d306a7ad7d2de7bc20ce0fadda9adc99003-0 updated

From sle-container-updates at lists.suse.com Wed Jan 28 13:38:09 2026
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Wed, 28 Jan 2026 14:38:09 +0100 (CET)
Subject: SUSE-CU-2026:427-1: Security update of private-registry/harbor-registryctl
Message-ID: <20260128133809.6E65DFF0D@maintenance.suse.de>

SUSE Container Update Advisory: private-registry/harbor-registryctl
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2026:427-1
Container Tags : private-registry/harbor-registryctl:1.1.1 , private-registry/harbor-registryctl:1.1.1-1.15 , private-registry/harbor-registryctl:latest
Container Release : 1.15
Severity : critical
Type : security
References : 1256830 1256834 1256835 1256836 1256837 1256838 1256839 1256840 CVE-2025-15467 CVE-2025-68160 CVE-2025-69418 CVE-2025-69419 CVE-2025-69420 CVE-2025-69421 CVE-2026-22795 CVE-2026-22796
-----------------------------------------------------------------

The container private-registry/harbor-registryctl was updated.

The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:309-1
Released: Wed Jan 28 10:36:32 2026
Summary: Security update for openssl-3
Type: security
Severity: critical
References: 1256830,1256834,1256835,1256836,1256837,1256838,1256839,1256840,CVE-2025-15467,CVE-2025-68160,CVE-2025-69418,CVE-2025-69419,CVE-2025-69420,CVE-2025-69421,CVE-2026-22795,CVE-2026-22796

This update for openssl-3 fixes the following issues:

- CVE-2025-15467: Stack buffer overflow in CMS AuthEnvelopedData parsing (bsc#1256830).
- CVE-2025-68160: Heap out-of-bounds write in BIO_f_linebuffer on short writes (bsc#1256834).
- CVE-2025-69418: Unauthenticated/unencrypted trailing bytes with low-level OCB function calls (bsc#1256835).
- CVE-2025-69419: Out of bounds write in PKCS12_get_friendlyname() UTF-8 conversion (bsc#1256836).
- CVE-2025-69420: Missing ASN1_TYPE validation in TS_RESP_verify_response() function (bsc#1256837).
- CVE-2025-69421: NULL Pointer Dereference in PKCS12_item_decrypt_d2i_ex function (bsc#1256838).
- CVE-2026-22795: Missing ASN1_TYPE validation in PKCS#12 parsing (bsc#1256839).
- CVE-2026-22796: ASN1_TYPE Type Confusion in the PKCS7_digest_from_attributes() function (bsc#1256840).

The following package changes have been done:

- libopenssl3-3.2.3-150700.5.24.1 updated
- openssl-3-3.2.3-150700.5.24.1 updated
- libopenssl-3-fips-provider-3.2.3-150700.5.24.1 updated
- system-user-harbor-2.14.2-150700.1.6 updated
- harbor-registryctl-2.14.2-150700.1.6 updated
- container:suse-sle15-15.7-2e217e3a9e14d18fead6b6167ccf6d306a7ad7d2de7bc20ce0fadda9adc99003-0 updated

From sle-container-updates at lists.suse.com Wed Jan 28 13:38:56 2026
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Wed, 28 Jan 2026 14:38:56 +0100 (CET)
Subject: SUSE-CU-2026:428-1: Security update of private-registry/harbor-trivy-adapter
Message-ID: <20260128133856.AE7C4FF0D@maintenance.suse.de>

SUSE Container Update Advisory: private-registry/harbor-trivy-adapter
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2026:428-1
Container Tags : private-registry/harbor-trivy-adapter:1.1.1 , private-registry/harbor-trivy-adapter:1.1.1-1.18 , private-registry/harbor-trivy-adapter:latest
Container Release : 1.18
Severity : critical
Type : security
References : 1256830 1256834 1256835 1256836 1256837 1256838 1256839 1256840 CVE-2025-15467 CVE-2025-68160 CVE-2025-69418 CVE-2025-69419 CVE-2025-69420 CVE-2025-69421 CVE-2026-22795 CVE-2026-22796
-----------------------------------------------------------------

The container private-registry/harbor-trivy-adapter was updated.

The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:309-1
Released: Wed Jan 28 10:36:32 2026
Summary: Security update for openssl-3
Type: security
Severity: critical
References: 1256830,1256834,1256835,1256836,1256837,1256838,1256839,1256840,CVE-2025-15467,CVE-2025-68160,CVE-2025-69418,CVE-2025-69419,CVE-2025-69420,CVE-2025-69421,CVE-2026-22795,CVE-2026-22796

This update for openssl-3 fixes the following issues:

- CVE-2025-15467: Stack buffer overflow in CMS AuthEnvelopedData parsing (bsc#1256830).
- CVE-2025-68160: Heap out-of-bounds write in BIO_f_linebuffer on short writes (bsc#1256834).
- CVE-2025-69418: Unauthenticated/unencrypted trailing bytes with low-level OCB function calls (bsc#1256835).
- CVE-2025-69419: Out of bounds write in PKCS12_get_friendlyname() UTF-8 conversion (bsc#1256836).
- CVE-2025-69420: Missing ASN1_TYPE validation in TS_RESP_verify_response() function (bsc#1256837).
- CVE-2025-69421: NULL Pointer Dereference in PKCS12_item_decrypt_d2i_ex function (bsc#1256838).
- CVE-2026-22795: Missing ASN1_TYPE validation in PKCS#12 parsing (bsc#1256839).
- CVE-2026-22796: ASN1_TYPE Type Confusion in the PKCS7_digest_from_attributes() function (bsc#1256840).

The following package changes have been done:

- libopenssl3-3.2.3-150700.5.24.1 updated
- openssl-3-3.2.3-150700.5.24.1 updated
- libopenssl-3-fips-provider-3.2.3-150700.5.24.1 updated
- system-user-harbor-2.14.2-150700.1.6 updated
- container:suse-sle15-15.7-2e217e3a9e14d18fead6b6167ccf6d306a7ad7d2de7bc20ce0fadda9adc99003-0 updated

From sle-container-updates at lists.suse.com Wed Jan 28 13:51:53 2026
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Wed, 28 Jan 2026 14:51:53 +0100 (CET)
Subject: SUSE-CU-2026:429-1: Security update of suse/kiosk/firefox-esr
Message-ID: <20260128135153.C5EC4FF0D@maintenance.suse.de>

SUSE Container Update Advisory: suse/kiosk/firefox-esr
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2026:429-1
Container Tags : suse/kiosk/firefox-esr:140.7 , suse/kiosk/firefox-esr:140.7-70.13 , suse/kiosk/firefox-esr:esr , suse/kiosk/firefox-esr:latest
Container Release : 70.13
Severity : important
Type : security
References : 1243867 1252895 1254666 1256105 1256340 1256341 1256459 1256498 1256499 1256500 1256525 1256526 1257049 CVE-2024-12224 CVE-2025-13151 CVE-2025-14017 CVE-2025-14104 CVE-2025-14327 CVE-2025-68276 CVE-2025-68468 CVE-2025-68471 CVE-2026-0877 CVE-2026-0878 CVE-2026-0879 CVE-2026-0880 CVE-2026-0882 CVE-2026-0883 CVE-2026-0884 CVE-2026-0885 CVE-2026-0886 CVE-2026-0887 CVE-2026-0890 CVE-2026-0891 CVE-2026-0988 CVE-2026-22693 CVE-2026-22695 CVE-2026-22801
-----------------------------------------------------------------

The container suse/kiosk/firefox-esr was updated.

The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:221-1
Released: Thu Jan 22 13:15:35 2026
Summary: Security update for curl
Type: security
Severity: moderate
References: 1256105,CVE-2025-14017

This update for curl fixes the following issues:

- CVE-2025-14017: Fixed broken TLS options for threaded LDAPS (bsc#1256105).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:224-1
Released: Thu Jan 22 13:18:20 2026
Summary: Security update for libtasn1
Type: security
Severity: moderate
References: 1256341,CVE-2025-13151

This update for libtasn1 fixes the following issues:

- CVE-2025-13151: stack-based buffer overflow in `asn1_expend_octet_string` (bsc#1256341).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:230-1
Released: Thu Jan 22 13:22:31 2026
Summary: Security update for util-linux
Type: security
Severity: moderate
References: 1254666,CVE-2025-14104

This update for util-linux fixes the following issues:

- CVE-2025-14104: Fixed heap buffer overread in setpwnam() when processing 256-byte usernames (bsc#1254666).
- lscpu: Add support for NVIDIA Olympus arm64 core (jsc#PED-13682).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:234-1
Released: Thu Jan 22 13:24:43 2026
Summary: Security update for libpng16
Type: security
Severity: moderate
References: 1256525,1256526,CVE-2026-22695,CVE-2026-22801

This update for libpng16 fixes the following issues:

- CVE-2026-22695: Fixed heap buffer over-read in png_image_finish_read (bsc#1256525)
- CVE-2026-22801: Fixed integer truncation causing heap buffer over-read in png_image_write_* (bsc#1256526).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:243-1
Released: Thu Jan 22 14:57:36 2026
Summary: Security update for librsvg
Type: security
Severity: moderate
References: 1243867,CVE-2024-12224

This update for librsvg fixes the following issues:

Update to version 2.57.4 - bsc#1243867:

  + CVE-2024-12224: RUSTSEC-2024-0421 - idna accepts Punycode labels that do not produce any non-ASCII when decoded.
  + RUSTSEC-2024-0404 - Unsoundness in anstream.

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2026:249-1
Released: Thu Jan 22 16:23:36 2026
Summary: Recommended update for libwebp
Type: recommended
Severity: moderate
References: 1252895

This update for libwebp ships the commandline tools to Package Hub.

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:259-1
Released: Thu Jan 22 17:10:44 2026
Summary: Security update for avahi
Type: security
Severity: moderate
References: 1256498,1256499,1256500,CVE-2025-68276,CVE-2025-68468,CVE-2025-68471

This update for avahi fixes the following issues:

- CVE-2025-68276: Fixed refuse to create wide-area record browsers when wide-area is off (bsc#1256498)
- CVE-2025-68471: Fixed DoS bug by changing assert to return (bsc#1256500)
- CVE-2025-68468: Fixed DoS bug by removing incorrect assertion (bsc#1256499)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:260-1
Released: Thu Jan 22 17:11:40 2026
Summary: Security update for MozillaFirefox
Type: security
Severity: important
References: 1256340,CVE-2025-14327,CVE-2026-0877,CVE-2026-0878,CVE-2026-0879,CVE-2026-0880,CVE-2026-0882,CVE-2026-0883,CVE-2026-0884,CVE-2026-0885,CVE-2026-0886,CVE-2026-0887,CVE-2026-0890,CVE-2026-0891

This update for MozillaFirefox fixes the following issues:

Update to Firefox Extended Support Release 140.7.0 ESR (bsc#1256340).
- MFSA 2026-03
  * CVE-2026-0877: Mitigation bypass in the DOM: Security component
  * CVE-2026-0878: Sandbox escape due to incorrect boundary conditions in the Graphics: CanvasWebGL component
  * CVE-2026-0879: Sandbox escape due to incorrect boundary conditions in the Graphics component
  * CVE-2026-0880: Sandbox escape due to integer overflow in the Graphics component
  * CVE-2026-0882: Use-after-free in the IPC component
  * CVE-2025-14327: Spoofing issue in the Downloads Panel component
  * CVE-2026-0883: Information disclosure in the Networking component
  * CVE-2026-0884: Use-after-free in the JavaScript Engine component
  * CVE-2026-0885: Use-after-free in the JavaScript: GC component
  * CVE-2026-0886: Incorrect boundary conditions in the Graphics component
  * CVE-2026-0887: Clickjacking issue, information disclosure in the PDF Viewer component
  * CVE-2026-0890: Spoofing issue in the DOM: Copy-Paste and Drag-Drop component
  * CVE-2026-0891: Memory safety bugs fixed in Firefox ESR 140.7, Thunderbird ESR 140.7, Firefox 147 and Thunderbird 147

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:286-1
Released: Sat Jan 24 00:35:35 2026
Summary: Security update for glib2
Type: security
Severity: low
References: 1257049,CVE-2026-0988

This update for glib2 fixes the following issues:

- CVE-2026-0988: Fixed a potential integer overflow in g_buffered_input_stream_peek (bsc#1257049).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:287-1
Released: Sat Jan 24 00:35:49 2026
Summary: Security update for harfbuzz
Type: security
Severity: moderate
References: 1256459,CVE-2026-22693

This update for harfbuzz fixes the following issues:

- CVE-2026-22693: Fixed a NULL pointer dereference in SubtableUnicodesCache::create (bsc#1256459).

The following package changes have been done:

- libavahi-common3-0.8-150600.15.12.1 updated
- libglib-2_0-0-2.78.6-150600.4.28.1 updated
- libsmartcols1-2.40.4-150700.4.3.1 updated
- libuuid1-2.40.4-150700.4.3.1 updated
- libwebp7-1.0.3-150200.3.14.1 updated
- libblkid1-2.40.4-150700.4.3.1 updated
- libgthread-2_0-0-2.78.6-150600.4.28.1 updated
- libgobject-2_0-0-2.78.6-150600.4.28.1 updated
- libgmodule-2_0-0-2.78.6-150600.4.28.1 updated
- libwebpmux3-1.0.3-150200.3.14.1 updated
- libpng16-16-1.6.40-150600.3.6.1 updated
- libmount1-2.40.4-150700.4.3.1 updated
- libfdisk1-2.40.4-150700.4.3.1 updated
- libopenssl-3-fips-provider-3.2.3-150700.5.21.1 added
- libtasn1-6-4.13-150000.4.14.1 updated
- libtasn1-4.13-150000.4.14.1 updated
- libgio-2_0-0-2.78.6-150600.4.28.1 updated
- glib2-tools-2.78.6-150600.4.28.1 updated
- libharfbuzz0-8.3.0-150600.3.3.1 updated
- libavahi-client3-0.8-150600.15.12.1 updated
- libcurl4-8.14.1-150700.7.11.1 updated
- librsvg-2-2-2.57.4-150600.3.3.1 updated
- gdk-pixbuf-loader-rsvg-2.57.4-150600.3.3.1 updated
- util-linux-2.40.4-150700.4.3.1 updated
- patterns-base-fips-20200124-150700.36.1 added
- MozillaFirefox-140.7.0-150200.152.216.1 updated
- container:registry.suse.com-bci-bci-micro-15.7-55883c76f750bdb0fa8cf3fe2e43f19f9babc501efce9801e94a9c0c8d115a20-0 updated

From sle-container-updates at lists.suse.com Wed Jan 28 13:52:26 2026
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Wed, 28 Jan 2026 14:52:26 +0100 (CET)
Subject: SUSE-CU-2026:430-1: Security update of suse/nginx
Message-ID: <20260128135226.C8CE8FF0D@maintenance.suse.de>

SUSE Container Update Advisory: suse/nginx
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2026:430-1
Container Tags : suse/nginx:1.21 , suse/nginx:1.21-70.10 , suse/nginx:latest
Container Release : 70.10
Severity : critical
Type : security
References : 1256830 1256834 1256835 1256836 1256837 1256838 1256839
1256840 CVE-2025-15467 CVE-2025-68160 CVE-2025-69418 CVE-2025-69419 CVE-2025-69420 CVE-2025-69421 CVE-2026-22795 CVE-2026-22796
-----------------------------------------------------------------

The container suse/nginx was updated.

The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:309-1
Released: Wed Jan 28 10:36:32 2026
Summary: Security update for openssl-3
Type: security
Severity: critical
References: 1256830,1256834,1256835,1256836,1256837,1256838,1256839,1256840,CVE-2025-15467,CVE-2025-68160,CVE-2025-69418,CVE-2025-69419,CVE-2025-69420,CVE-2025-69421,CVE-2026-22795,CVE-2026-22796

This update for openssl-3 fixes the following issues:

- CVE-2025-15467: Stack buffer overflow in CMS AuthEnvelopedData parsing (bsc#1256830).
- CVE-2025-68160: Heap out-of-bounds write in BIO_f_linebuffer on short writes (bsc#1256834).
- CVE-2025-69418: Unauthenticated/unencrypted trailing bytes with low-level OCB function calls (bsc#1256835).
- CVE-2025-69419: Out of bounds write in PKCS12_get_friendlyname() UTF-8 conversion (bsc#1256836).
- CVE-2025-69420: Missing ASN1_TYPE validation in TS_RESP_verify_response() function (bsc#1256837).
- CVE-2025-69421: NULL Pointer Dereference in PKCS12_item_decrypt_d2i_ex function (bsc#1256838).
- CVE-2026-22795: Missing ASN1_TYPE validation in PKCS#12 parsing (bsc#1256839).
- CVE-2026-22796: ASN1_TYPE Type Confusion in the PKCS7_digest_from_attributes() function (bsc#1256840).

The following package changes have been done:

- libopenssl3-3.2.3-150700.5.24.1 updated
- libopenssl-3-fips-provider-3.2.3-150700.5.24.1 updated
- container:suse-sle15-15.7-2e217e3a9e14d18fead6b6167ccf6d306a7ad7d2de7bc20ce0fadda9adc99003-0 updated

From sle-container-updates at lists.suse.com Wed Jan 28 13:52:48 2026
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Wed, 28 Jan 2026 14:52:48 +0100 (CET)
Subject: SUSE-CU-2026:431-1: Security update of suse/postgres
Message-ID: <20260128135248.20FCBFF0D@maintenance.suse.de>

SUSE Container Update Advisory: suse/postgres
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2026:431-1
Container Tags : suse/postgres:17 , suse/postgres:17.7 , suse/postgres:17.7 , suse/postgres:17.7-73.9
Container Release : 73.9
Severity : critical
Type : security
References : 1256830 1256834 1256835 1256836 1256837 1256838 1256839 1256840 CVE-2025-15467 CVE-2025-68160 CVE-2025-69418 CVE-2025-69419 CVE-2025-69420 CVE-2025-69421 CVE-2026-22795 CVE-2026-22796
-----------------------------------------------------------------

The container suse/postgres was updated.

The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:309-1
Released: Wed Jan 28 10:36:32 2026
Summary: Security update for openssl-3
Type: security
Severity: critical
References: 1256830,1256834,1256835,1256836,1256837,1256838,1256839,1256840,CVE-2025-15467,CVE-2025-68160,CVE-2025-69418,CVE-2025-69419,CVE-2025-69420,CVE-2025-69421,CVE-2026-22795,CVE-2026-22796

This update for openssl-3 fixes the following issues:

- CVE-2025-15467: Stack buffer overflow in CMS AuthEnvelopedData parsing (bsc#1256830).
- CVE-2025-68160: Heap out-of-bounds write in BIO_f_linebuffer on short writes (bsc#1256834).
- CVE-2025-69418: Unauthenticated/unencrypted trailing bytes with low-level OCB function calls (bsc#1256835).
- CVE-2025-69419: Out of bounds write in PKCS12_get_friendlyname() UTF-8 conversion (bsc#1256836).
- CVE-2025-69420: Missing ASN1_TYPE validation in TS_RESP_verify_response() function (bsc#1256837).
- CVE-2025-69421: NULL Pointer Dereference in PKCS12_item_decrypt_d2i_ex function (bsc#1256838).
- CVE-2026-22795: Missing ASN1_TYPE validation in PKCS#12 parsing (bsc#1256839).
- CVE-2026-22796: ASN1_TYPE Type Confusion in the PKCS7_digest_from_attributes() function (bsc#1256840).

The following package changes have been done:

- libopenssl3-3.2.3-150700.5.24.1 updated
- libopenssl-3-fips-provider-3.2.3-150700.5.24.1 updated
- container:suse-sle15-15.7-2e217e3a9e14d18fead6b6167ccf6d306a7ad7d2de7bc20ce0fadda9adc99003-0 updated

From sle-container-updates at lists.suse.com Wed Jan 28 13:52:53 2026
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Wed, 28 Jan 2026 14:52:53 +0100 (CET)
Subject: SUSE-CU-2026:432-1: Security update of suse/postgres
Message-ID: <20260128135253.40CB5FF0D@maintenance.suse.de>

SUSE Container Update Advisory: suse/postgres
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2026:432-1
Container Tags : suse/postgres:18 , suse/postgres:18.1 , suse/postgres:18.1 , suse/postgres:18.1-63.9 , suse/postgres:latest
Container Release : 63.9
Severity : critical
Type : security
References : 1256830 1256834 1256835 1256836 1256837 1256838 1256839 1256840 CVE-2025-15467 CVE-2025-68160 CVE-2025-69418 CVE-2025-69419 CVE-2025-69420 CVE-2025-69421 CVE-2026-22795 CVE-2026-22796
-----------------------------------------------------------------

The container suse/postgres was updated.

The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:309-1
Released: Wed Jan 28 10:36:32 2026
Summary: Security update for openssl-3
Type: security
Severity: critical
References: 1256830,1256834,1256835,1256836,1256837,1256838,1256839,1256840,CVE-2025-15467,CVE-2025-68160,CVE-2025-69418,CVE-2025-69419,CVE-2025-69420,CVE-2025-69421,CVE-2026-22795,CVE-2026-22796

This update for openssl-3 fixes the following issues:

- CVE-2025-15467: Stack buffer overflow in CMS AuthEnvelopedData parsing (bsc#1256830).
- CVE-2025-68160: Heap out-of-bounds write in BIO_f_linebuffer on short writes (bsc#1256834).
- CVE-2025-69418: Unauthenticated/unencrypted trailing bytes with low-level OCB function calls (bsc#1256835).
- CVE-2025-69419: Out of bounds write in PKCS12_get_friendlyname() UTF-8 conversion (bsc#1256836).
- CVE-2025-69420: Missing ASN1_TYPE validation in TS_RESP_verify_response() function (bsc#1256837).
- CVE-2025-69421: NULL Pointer Dereference in PKCS12_item_decrypt_d2i_ex function (bsc#1256838).
- CVE-2026-22795: Missing ASN1_TYPE validation in PKCS#12 parsing (bsc#1256839).
- CVE-2026-22796: ASN1_TYPE Type Confusion in the PKCS7_digest_from_attributes() function (bsc#1256840).

The following package changes have been done:

- libopenssl3-3.2.3-150700.5.24.1 updated
- libopenssl-3-fips-provider-3.2.3-150700.5.24.1 updated
- container:suse-sle15-15.7-2e217e3a9e14d18fead6b6167ccf6d306a7ad7d2de7bc20ce0fadda9adc99003-0 updated

From sle-container-updates at lists.suse.com Wed Jan 28 13:53:47 2026
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Wed, 28 Jan 2026 14:53:47 +0100 (CET)
Subject: SUSE-CU-2026:434-1: Security update of bci/rust
Message-ID: <20260128135347.A8BBBFF0D@maintenance.suse.de>

SUSE Container Update Advisory: bci/rust
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2026:434-1
Container Tags : bci/rust:1.91 , bci/rust:1.91.0 , bci/rust:1.91.0-2.3.9 , bci/rust:oldstable , bci/rust:oldstable-2.3.9
Container Release : 3.9
Severity : moderate
Type : security
References : 1256105 1257049 CVE-2025-14017 CVE-2026-0988
-----------------------------------------------------------------

The container bci/rust was updated.

The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:221-1
Released: Thu Jan 22 13:15:35 2026
Summary: Security update for curl
Type: security
Severity: moderate
References: 1256105,CVE-2025-14017

This update for curl fixes the following issues:

- CVE-2025-14017: Fixed broken TLS options for threaded LDAPS (bsc#1256105).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:286-1
Released: Sat Jan 24 00:35:35 2026
Summary: Security update for glib2
Type: security
Severity: low
References: 1257049,CVE-2026-0988

This update for glib2 fixes the following issues:

- CVE-2026-0988: Fixed a potential integer overflow in g_buffered_input_stream_peek (bsc#1257049).

The following package changes have been done:

- libglib-2_0-0-2.78.6-150600.4.28.1 updated
- libcurl4-8.14.1-150700.7.11.1 updated
- container:registry.suse.com-bci-bci-base-15.7-2e217e3a9e14d18fead6b6167ccf6d306a7ad7d2de7bc20ce0fadda9adc99003-0 updated

From sle-container-updates at lists.suse.com Wed Jan 28 13:54:19 2026
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Wed, 28 Jan 2026 14:54:19 +0100 (CET)
Subject: SUSE-CU-2026:435-1: Security update of bci/rust
Message-ID: <20260128135419.A0621FF0D@maintenance.suse.de>

SUSE Container Update Advisory: bci/rust
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2026:435-1
Container Tags : bci/rust:1.92 , bci/rust:1.92.0 , bci/rust:1.92.0-1.3.9 , bci/rust:latest , bci/rust:stable , bci/rust:stable-1.3.9
Container Release : 3.9
Severity : moderate
Type : security
References : 1256105 1257049 CVE-2025-14017 CVE-2026-0988
-----------------------------------------------------------------

The container bci/rust was updated.

The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:221-1
Released: Thu Jan 22 13:15:35 2026
Summary: Security update for curl
Type: security
Severity: moderate
References: 1256105,CVE-2025-14017

This update for curl fixes the following issues:

- CVE-2025-14017: Fixed broken TLS options for threaded LDAPS (bsc#1256105).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:286-1
Released: Sat Jan 24 00:35:35 2026
Summary: Security update for glib2
Type: security
Severity: low
References: 1257049,CVE-2026-0988

This update for glib2 fixes the following issues:

- CVE-2026-0988: Fixed a potential integer overflow in g_buffered_input_stream_peek (bsc#1257049).

The following package changes have been done:

- libglib-2_0-0-2.78.6-150600.4.28.1 updated
- libcurl4-8.14.1-150700.7.11.1 updated
- container:registry.suse.com-bci-bci-base-15.7-2e217e3a9e14d18fead6b6167ccf6d306a7ad7d2de7bc20ce0fadda9adc99003-0 updated

From sle-container-updates at lists.suse.com Wed Jan 28 13:54:43 2026
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Wed, 28 Jan 2026 14:54:43 +0100 (CET)
Subject: SUSE-CU-2026:436-1: Security update of suse/samba-client
Message-ID: <20260128135443.845BEFF0D@maintenance.suse.de>

SUSE Container Update Advisory: suse/samba-client
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2026:436-1
Container Tags : suse/samba-client:4.21 , suse/samba-client:4.21 , suse/samba-client:4.21-70.10 , suse/samba-client:latest
Container Release : 70.10
Severity : critical
Type : security
References : 1256830 1256834 1256835 1256836 1256837 1256838 1256839 1256840 CVE-2025-15467 CVE-2025-68160 CVE-2025-69418 CVE-2025-69419 CVE-2025-69420 CVE-2025-69421 CVE-2026-22795 CVE-2026-22796
-----------------------------------------------------------------

The container suse/samba-client was updated.

The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:309-1
Released: Wed Jan 28 10:36:32 2026
Summary: Security update for openssl-3
Type: security
Severity: critical
References: 1256830,1256834,1256835,1256836,1256837,1256838,1256839,1256840,CVE-2025-15467,CVE-2025-68160,CVE-2025-69418,CVE-2025-69419,CVE-2025-69420,CVE-2025-69421,CVE-2026-22795,CVE-2026-22796

This update for openssl-3 fixes the following issues:

- CVE-2025-15467: Stack buffer overflow in CMS AuthEnvelopedData parsing (bsc#1256830).
- CVE-2025-68160: Heap out-of-bounds write in BIO_f_linebuffer on short writes (bsc#1256834).
- CVE-2025-69418: Unauthenticated/unencrypted trailing bytes with low-level OCB function calls (bsc#1256835).
- CVE-2025-69419: Out of bounds write in PKCS12_get_friendlyname() UTF-8 conversion (bsc#1256836).
- CVE-2025-69420: Missing ASN1_TYPE validation in TS_RESP_verify_response() function (bsc#1256837).
- CVE-2025-69421: NULL Pointer Dereference in PKCS12_item_decrypt_d2i_ex function (bsc#1256838).
- CVE-2026-22795: Missing ASN1_TYPE validation in PKCS#12 parsing (bsc#1256839).
- CVE-2026-22796: ASN1_TYPE Type Confusion in the PKCS7_digest_from_attributes() function (bsc#1256840).

The following package changes have been done:

- libopenssl3-3.2.3-150700.5.24.1 updated
- libopenssl-3-fips-provider-3.2.3-150700.5.24.1 updated
- container:suse-sle15-15.7-2e217e3a9e14d18fead6b6167ccf6d306a7ad7d2de7bc20ce0fadda9adc99003-0 updated

From sle-container-updates at lists.suse.com Wed Jan 28 13:55:08 2026
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Wed, 28 Jan 2026 14:55:08 +0100 (CET)
Subject: SUSE-CU-2026:437-1: Security update of suse/sle15
Message-ID: <20260128135508.C2E90FF0D@maintenance.suse.de>

SUSE Container Update Advisory: suse/sle15
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2026:437-1
Container Tags : bci/bci-base:15.7 , bci/bci-base:15.7-5.14.7 , bci/bci-base:latest , suse/sle15:15.7 , suse/sle15:15.7-5.14.7 , suse/sle15:latest
Container Release : 5.14.7
Severity : important
Type : security
References : 1254666 1255715 1256105 1256243 1256244 1256246 1256341 1256390 1257049 CVE-2025-13151 CVE-2025-14017 CVE-2025-14104 CVE-2025-68973 CVE-2026-0988
-----------------------------------------------------------------

The container suse/sle15 was updated.

The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:215-1
Released: Thu Jan 22 13:10:16 2026
Summary: Security update for gpg2
Type: security
Severity: important
References: 1255715,1256243,1256244,1256246,1256390,CVE-2025-68973

This update for gpg2 fixes the following issues:

- CVE-2025-68973: Fix possible memory corruption in the armor parser (gpg.fail/memcpy)(bsc#1255715).
- Avoid potential downgrade to SHA1 in 3rd party key signatures (gpg.fail/sha1) (bsc#1256246).
- Error out on unverified output for non-detached signatures (gpg.fail/detached) (bsc#1256244).
- Fix a memory leak in gpg2 agent (bsc#1256243).
- Fix Cleartext Signature Forgery in the NotDashEscaped header implementation in GnuPG (gpg.fail/notdash) (bsc#1256390).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:221-1
Released: Thu Jan 22 13:15:35 2026
Summary: Security update for curl
Type: security
Severity: moderate
References: 1256105,CVE-2025-14017

This update for curl fixes the following issues:

- CVE-2025-14017: Fixed broken TLS options for threaded LDAPS (bsc#1256105).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:224-1
Released: Thu Jan 22 13:18:20 2026
Summary: Security update for libtasn1
Type: security
Severity: moderate
References: 1256341,CVE-2025-13151

This update for libtasn1 fixes the following issues:

- CVE-2025-13151: stack-based buffer overflow in `asn1_expend_octet_string` (bsc#1256341).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:230-1
Released: Thu Jan 22 13:22:31 2026
Summary: Security update for util-linux
Type: security
Severity: moderate
References: 1254666,CVE-2025-14104

This update for util-linux fixes the following issues:

- CVE-2025-14104: Fixed heap buffer overread in setpwnam() when processing 256-byte usernames (bsc#1254666).
- lscpu: Add support for NVIDIA Olympus arm64 core (jsc#PED-13682).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:286-1
Released: Sat Jan 24 00:35:35 2026
Summary: Security update for glib2
Type: security
Severity: low
References: 1257049,CVE-2026-0988

This update for glib2 fixes the following issues:

- CVE-2026-0988: Fixed a potential integer overflow in g_buffered_input_stream_peek (bsc#1257049).

The following package changes have been done:

- curl-8.14.1-150700.7.11.1 updated
- gpg2-2.4.4-150600.3.12.1 updated
- libblkid1-2.40.4-150700.4.3.1 updated
- libcurl4-8.14.1-150700.7.11.1 updated
- libfdisk1-2.40.4-150700.4.3.1 updated
- libglib-2_0-0-2.78.6-150600.4.28.1 updated
- libmount1-2.40.4-150700.4.3.1 updated
- libsmartcols1-2.40.4-150700.4.3.1 updated
- libtasn1-6-4.13-150000.4.14.1 updated
- libtasn1-4.13-150000.4.14.1 updated
- libuuid1-2.40.4-150700.4.3.1 updated
- util-linux-2.40.4-150700.4.3.1 updated

From sle-container-updates at lists.suse.com Wed Jan 28 13:55:24 2026
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Wed, 28 Jan 2026 14:55:24 +0100 (CET)
Subject: SUSE-CU-2026:438-1: Security update of suse/kiosk/xorg-client
Message-ID: <20260128135524.60601FF0D@maintenance.suse.de>

SUSE Container Update Advisory: suse/kiosk/xorg-client
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2026:438-1
Container Tags : suse/kiosk/xorg-client:21 , suse/kiosk/xorg-client:21-70.8 , suse/kiosk/xorg-client:latest
Container Release : 70.8
Severity : moderate
Type : security
References : 1252895 1254666 1256525 1256526 CVE-2025-14104 CVE-2026-22695 CVE-2026-22801
-----------------------------------------------------------------

The container suse/kiosk/xorg-client was updated.

The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:230-1
Released: Thu Jan 22 13:22:31 2026
Summary: Security update for util-linux
Type: security
Severity: moderate
References: 1254666,CVE-2025-14104

This update for util-linux fixes the following issues:

- CVE-2025-14104: Fixed heap buffer overread in setpwnam() when processing 256-byte usernames (bsc#1254666).
- lscpu: Add support for NVIDIA Olympus arm64 core (jsc#PED-13682).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:234-1
Released: Thu Jan 22 13:24:43 2026
Summary: Security update for libpng16
Type: security
Severity: moderate
References: 1256525,1256526,CVE-2026-22695,CVE-2026-22801

This update for libpng16 fixes the following issues:

- CVE-2026-22695: Fixed heap buffer over-read in png_image_finish_read (bsc#1256525)
- CVE-2026-22801: Fixed integer truncation causing heap buffer over-read in png_image_write_* (bsc#1256526).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2026:249-1
Released: Thu Jan 22 16:23:36 2026
Summary: Recommended update for libwebp
Type: recommended
Severity: moderate
References: 1252895

This update for libwebp ships the commandline tools to Package Hub.

The following package changes have been done:

- patterns-base-fips-20200124-150700.36.1 added
- libsmartcols1-2.40.4-150700.4.3.1 updated
- libuuid1-2.40.4-150700.4.3.1 updated
- libwebp7-1.0.3-150200.3.14.1 updated
- libblkid1-2.40.4-150700.4.3.1 updated
- libwebpmux3-1.0.3-150200.3.14.1 updated
- libpng16-16-1.6.40-150600.3.6.1 updated
- libmount1-2.40.4-150700.4.3.1 updated
- libfdisk1-2.40.4-150700.4.3.1 updated
- libopenssl-3-fips-provider-3.2.3-150700.5.21.1 added
- util-linux-2.40.4-150700.4.3.1 updated
- container:registry.suse.com-bci-bci-micro-15.7-55883c76f750bdb0fa8cf3fe2e43f19f9babc501efce9801e94a9c0c8d115a20-0 updated

From sle-container-updates at lists.suse.com Thu Jan 29 08:05:37 2026
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Thu, 29 Jan 2026 09:05:37 +0100 (CET)
Subject: SUSE-IU-2026:561-1: Security update of suse/sle-micro/base-5.5
Message-ID: <20260129080537.173AFFD1A@maintenance.suse.de>

SUSE Image Update Advisory: suse/sle-micro/base-5.5
-----------------------------------------------------------------
Image Advisory ID : SUSE-IU-2026:561-1
Image Tags : suse/sle-micro/base-5.5:2.0.4 , suse/sle-micro/base-5.5:2.0.4-5.8.234 , suse/sle-micro/base-5.5:latest
Image Release : 5.8.234
Severity : important
Type : security
References : 1065729 1193629 1194869 1196823 1204957 1205567 1206451 1206843 1206889 1207051 1207088 1207315 1207611 1207620 1207622 1207636 1207644 1207646 1207652 1207653 1208570 1208758 1209799 1209980 1210644 1210817 1210943 1211690 1213025 1213032 1213093 1213105 1213110 1213111 1213653 1213747 1213867 1214635 1214940 1214962 1214986 1214990 1216062 1224573 1225832 1226797 1226846 1228015 1233640 1235038 1237563 1249871 1252046 1252678 1253409 1254392 1254520 1254559 1254562 1254572 1254578 1254580 1254592 1254601 1254608 1254609 1254614 1254615 1254617 1254623 1254625 1254626 1254631 1254632 1254634 1254644 1254645 1254649 1254651 1254653 1254656 1254658 1254660 1254664 1254671
1254674 1254676 1254677 1254681 1254684 1254685 1254686 1254690 1254692 1254694 1254696 1254698 1254699 1254704 1254706 1254709 1254710 1254711 1254712 1254713 1254714 1254716 1254723 1254725 1254728 1254729 1254743 1254745 1254751 1254753 1254754 1254756 1254759 1254763 1254775 1254780 1254781 1254782 1254783 1254785 1254786 1254788 1254789 1254792 1254813 1254843 1254847 1254851 1254894 1254902 1254910 1254911 1254915 1254916 1254917 1254920 1254922 1254958 1254959 1254974 1254979 1254986 1254994 1255002 1255005 1255007 1255049 1255060 1255107 1255163 1255165 1255245 1255467 1255469 1255521 1255528 1255532 1255546 1255549 1255554 1255555 1255558 1255560 1255561 1255562 1255565 1255574 1255576 1255578 1255582 1255596 1255600 1255605 1255607 1255608 1255609 1255618 1255619 1255620 1255623 1255624 1255626 1255627 1255628 1255635 1255636 1255688 1255690 1255697 1255702 1255704 1255745 1255747 1255749 1255750 1255757 1255758 1255760 1255761 1255762 1255763 1255769 1255771 1255773 1255780 1255786 1255787 1255789 1255790 1255791 1255792 1255796 1255797 1255800 1255801 1255802 1255803 1255804 1255806 1255808 1255819 1255839 1255841 1255843 1255844 1255872 1255875 1255876 1255877 1255878 1255880 1255881 1255888 1255889 1255890 1255899 1255901 1255902 1255905 1255906 1255909 1255910 1255912 1255916 1255919 1255920 1255922 1255924 1255925 1255939 1255946 1255950 1255953 1255954 1255955 1255962 1255964 1255968 1255969 1255970 1255971 1255974 1255978 1255979 1255983 1255985 1255990 1255993 1255994 1255996 1255998 1256034 1256040 1256042 1256045 1256046 1256048 1256049 1256050 1256053 1256056 1256057 1256062 1256063 1256064 1256065 1256071 1256074 1256081 1256084 1256086 1256088 1256091 1256093 1256099 1256101 1256103 1256106 1256111 1256112 1256114 1256115 1256118 1256119 1256121 1256122 1256124 1256125 1256126 1256127 1256128 1256130 1256131 1256132 1256133 1256136 1256137 1256140 1256141 1256142 1256143 1256144 1256145 1256149 1256150 1256152 1256154 1256155 1256157 1256158 
1256162 1256164 1256165 1256166 1256167 1256172 1256173 1256174 1256177 1256178 1256179 1256182 1256184 1256185 1256186 1256188 1256189 1256191 1256192 1256193 1256194 1256196 1256198 1256199 1256200 1256202 1256203 1256204 1256205 1256206 1256207 1256208 1256211 1256214 1256215 1256216 1256218 1256219 1256220 1256221 1256223 1256228 1256230 1256231 1256235 1256239 1256241 1256242 1256245 1256248 1256250 1256254 1256260 1256265 1256269 1256271 1256274 1256282 1256285 1256291 1256294 1256295 1256300 1256302 1256306 1256309 1256317 1256320 1256323 1256326 1256328 1256333 1256334 1256335 1256337 1256338 1256344 1256346 1256349 1256352 1256353 1256355 1256358 1256359 1256363 1256364 1256368 1256370 1256375 1256381 1256382 1256383 1256384 1256386 1256388 1256391 1256394 1256395 1256396 1256397 1256398 1256423 1256426 1256432 CVE-2022-0854 CVE-2022-48853 CVE-2022-50614 CVE-2022-50615 CVE-2022-50617 CVE-2022-50618 CVE-2022-50619 CVE-2022-50621 CVE-2022-50622 CVE-2022-50623 CVE-2022-50625 CVE-2022-50626 CVE-2022-50629 CVE-2022-50630 CVE-2022-50633 CVE-2022-50635 CVE-2022-50636 CVE-2022-50638 CVE-2022-50640 CVE-2022-50641 CVE-2022-50643 CVE-2022-50644 CVE-2022-50646 CVE-2022-50649 CVE-2022-50652 CVE-2022-50653 CVE-2022-50656 CVE-2022-50658 CVE-2022-50660 CVE-2022-50661 CVE-2022-50662 CVE-2022-50664 CVE-2022-50665 CVE-2022-50666 CVE-2022-50667 CVE-2022-50668 CVE-2022-50669 CVE-2022-50670 CVE-2022-50671 CVE-2022-50672 CVE-2022-50673 CVE-2022-50675 CVE-2022-50677 CVE-2022-50678 CVE-2022-50679 CVE-2022-50698 CVE-2022-50699 CVE-2022-50700 CVE-2022-50701 CVE-2022-50702 CVE-2022-50703 CVE-2022-50704 CVE-2022-50705 CVE-2022-50709 CVE-2022-50710 CVE-2022-50712 CVE-2022-50714 CVE-2022-50715 CVE-2022-50716 CVE-2022-50717 CVE-2022-50718 CVE-2022-50719 CVE-2022-50722 CVE-2022-50723 CVE-2022-50724 CVE-2022-50726 CVE-2022-50727 CVE-2022-50728 CVE-2022-50730 CVE-2022-50731 CVE-2022-50732 CVE-2022-50733 CVE-2022-50735 CVE-2022-50736 CVE-2022-50738 CVE-2022-50740 CVE-2022-50742 
CVE-2022-50744 CVE-2022-50745 CVE-2022-50747 CVE-2022-50749 CVE-2022-50750 CVE-2022-50751 CVE-2022-50752 CVE-2022-50754 CVE-2022-50755 CVE-2022-50756 CVE-2022-50757 CVE-2022-50758 CVE-2022-50760 CVE-2022-50761 CVE-2022-50763 CVE-2022-50767 CVE-2022-50768 CVE-2022-50769 CVE-2022-50770 CVE-2022-50773 CVE-2022-50774 CVE-2022-50776 CVE-2022-50777 CVE-2022-50779 CVE-2022-50781 CVE-2022-50782 CVE-2022-50809 CVE-2022-50814 CVE-2022-50818 CVE-2022-50819 CVE-2022-50821 CVE-2022-50822 CVE-2022-50823 CVE-2022-50824 CVE-2022-50826 CVE-2022-50827 CVE-2022-50828 CVE-2022-50829 CVE-2022-50830 CVE-2022-50832 CVE-2022-50833 CVE-2022-50834 CVE-2022-50835 CVE-2022-50836 CVE-2022-50838 CVE-2022-50839 CVE-2022-50840 CVE-2022-50842 CVE-2022-50843 CVE-2022-50844 CVE-2022-50845 CVE-2022-50846 CVE-2022-50847 CVE-2022-50848 CVE-2022-50849 CVE-2022-50850 CVE-2022-50851 CVE-2022-50853 CVE-2022-50856 CVE-2022-50858 CVE-2022-50859 CVE-2022-50860 CVE-2022-50861 CVE-2022-50862 CVE-2022-50864 CVE-2022-50866 CVE-2022-50867 CVE-2022-50868 CVE-2022-50870 CVE-2022-50872 CVE-2022-50873 CVE-2022-50876 CVE-2022-50878 CVE-2022-50880 CVE-2022-50881 CVE-2022-50882 CVE-2022-50883 CVE-2022-50884 CVE-2022-50885 CVE-2022-50886 CVE-2022-50887 CVE-2022-50888 CVE-2022-50889 CVE-2023-23559 CVE-2023-53254 CVE-2023-53743 CVE-2023-53744 CVE-2023-53746 CVE-2023-53747 CVE-2023-53751 CVE-2023-53753 CVE-2023-53754 CVE-2023-53755 CVE-2023-53761 CVE-2023-53766 CVE-2023-53769 CVE-2023-53780 CVE-2023-53781 CVE-2023-53783 CVE-2023-53786 CVE-2023-53788 CVE-2023-53792 CVE-2023-53794 CVE-2023-53801 CVE-2023-53802 CVE-2023-53803 CVE-2023-53804 CVE-2023-53806 CVE-2023-53808 CVE-2023-53811 CVE-2023-53814 CVE-2023-53816 CVE-2023-53818 CVE-2023-53819 CVE-2023-53820 CVE-2023-53827 CVE-2023-53828 CVE-2023-53830 CVE-2023-53832 CVE-2023-53833 CVE-2023-53834 CVE-2023-53837 CVE-2023-53840 CVE-2023-53842 CVE-2023-53844 CVE-2023-53845 CVE-2023-53847 CVE-2023-53848 CVE-2023-53849 CVE-2023-53850 CVE-2023-53852 CVE-2023-53858 CVE-2023-53860 
CVE-2023-53862 CVE-2023-53864 CVE-2023-53866 CVE-2023-53989 CVE-2023-53990 CVE-2023-53991 CVE-2023-53996 CVE-2023-53998 CVE-2023-54001 CVE-2023-54003 CVE-2023-54007 CVE-2023-54009 CVE-2023-54010 CVE-2023-54014 CVE-2023-54015 CVE-2023-54017 CVE-2023-54018 CVE-2023-54019 CVE-2023-54020 CVE-2023-54021 CVE-2023-54024 CVE-2023-54025 CVE-2023-54026 CVE-2023-54028 CVE-2023-54036 CVE-2023-54039 CVE-2023-54040 CVE-2023-54041 CVE-2023-54042 CVE-2023-54044 CVE-2023-54045 CVE-2023-54046 CVE-2023-54047 CVE-2023-54048 CVE-2023-54049 CVE-2023-54050 CVE-2023-54051 CVE-2023-54053 CVE-2023-54055 CVE-2023-54057 CVE-2023-54058 CVE-2023-54064 CVE-2023-54070 CVE-2023-54072 CVE-2023-54074 CVE-2023-54076 CVE-2023-54078 CVE-2023-54079 CVE-2023-54083 CVE-2023-54084 CVE-2023-54090 CVE-2023-54091 CVE-2023-54092 CVE-2023-54095 CVE-2023-54096 CVE-2023-54097 CVE-2023-54098 CVE-2023-54100 CVE-2023-54102 CVE-2023-54104 CVE-2023-54106 CVE-2023-54107 CVE-2023-54108 CVE-2023-54110 CVE-2023-54111 CVE-2023-54114 CVE-2023-54115 CVE-2023-54116 CVE-2023-54118 CVE-2023-54119 CVE-2023-54120 CVE-2023-54122 CVE-2023-54123 CVE-2023-54126 CVE-2023-54127 CVE-2023-54128 CVE-2023-54130 CVE-2023-54131 CVE-2023-54132 CVE-2023-54134 CVE-2023-54136 CVE-2023-54138 CVE-2023-54140 CVE-2023-54144 CVE-2023-54146 CVE-2023-54148 CVE-2023-54150 CVE-2023-54153 CVE-2023-54156 CVE-2023-54159 CVE-2023-54164 CVE-2023-54166 CVE-2023-54168 CVE-2023-54169 CVE-2023-54170 CVE-2023-54171 CVE-2023-54173 CVE-2023-54175 CVE-2023-54177 CVE-2023-54179 CVE-2023-54183 CVE-2023-54186 CVE-2023-54189 CVE-2023-54190 CVE-2023-54194 CVE-2023-54197 CVE-2023-54198 CVE-2023-54199 CVE-2023-54201 CVE-2023-54202 CVE-2023-54205 CVE-2023-54208 CVE-2023-54210 CVE-2023-54211 CVE-2023-54213 CVE-2023-54214 CVE-2023-54219 CVE-2023-54226 CVE-2023-54229 CVE-2023-54230 CVE-2023-54234 CVE-2023-54236 CVE-2023-54238 CVE-2023-54242 CVE-2023-54244 CVE-2023-54245 CVE-2023-54251 CVE-2023-54252 CVE-2023-54254 CVE-2023-54260 CVE-2023-54262 CVE-2023-54264 CVE-2023-54266 
CVE-2023-54267 CVE-2023-54269 CVE-2023-54270 CVE-2023-54271 CVE-2023-54274 CVE-2023-54275 CVE-2023-54277 CVE-2023-54280 CVE-2023-54284 CVE-2023-54286 CVE-2023-54287 CVE-2023-54289 CVE-2023-54292 CVE-2023-54293 CVE-2023-54294 CVE-2023-54295 CVE-2023-54298 CVE-2023-54299 CVE-2023-54300 CVE-2023-54301 CVE-2023-54302 CVE-2023-54304 CVE-2023-54305 CVE-2023-54309 CVE-2023-54311 CVE-2023-54315 CVE-2023-54317 CVE-2023-54319 CVE-2023-54320 CVE-2023-54321 CVE-2023-54322 CVE-2023-54325 CVE-2023-54326 CVE-2024-36933 CVE-2024-53093 CVE-2024-56590 CVE-2025-39977 CVE-2025-40019 CVE-2025-40139 CVE-2025-40215 CVE-2025-40220 CVE-2025-40233 CVE-2025-40256 CVE-2025-40258 CVE-2025-40277 CVE-2025-40280 CVE-2025-40331 CVE-2025-68218 CVE-2025-68732
-----------------------------------------------------------------

The container suse/sle-micro/base-5.5 was updated.

The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:317-1
Released: Wed Jan 28 15:36:48 2026
Summary: Security update for the Linux Kernel
Type: security
Severity: important
References:

The SUSE Linux Enterprise 15 SP5 kernel was updated to fix various security issues

The following security issues were fixed:

- CVE-2022-50630: mm: hugetlb: fix UAF in hugetlb_handle_userfault (bsc#1254785).
- CVE-2022-50700: wifi: ath10k: Delay the unmapping of the buffer (bsc#1255576).
- CVE-2023-53254: cacheinfo: Fix shared_cpu_map to handle shared caches at different levels (bsc#1249871).
- CVE-2023-53781: smc: Fix use-after-free in tcp_write_timer_handler() (bsc#1254751).
- CVE-2024-56590: Bluetooth: hci_core: Fix not checking skb length on hci_acldata_packet (bsc#1235038).
- CVE-2025-39977: futex: Prevent use-after-free during requeue-PI (bsc#1252046).
- CVE-2025-40019: crypto: essiv - Check ssize for decryption and in-place encryption (bsc#1252678).
- CVE-2025-40139: smc: Use __sk_dst_get() and dst_dev_rcu() in in smc_clc_prfx_set() (bsc#1253409).
- CVE-2025-40215: kABI: xfrm: delete x->tunnel as we delete x (bsc#1254959).
- CVE-2025-40220: fuse: fix livelock in synchronous file put from fuseblk workers (bsc#1254520).
- CVE-2025-40233: ocfs2: clear extent cache after moving/defragmenting extents (bsc#1254813).
- CVE-2025-40258: mptcp: fix race condition in mptcp_schedule_work() (bsc#1254843).
- CVE-2025-40277: drm/vmwgfx: Validate command header size against (bsc#1254894).
- CVE-2025-40280: tipc: Fix use-after-free in tipc_mon_reinit_self() (bsc#1254847).
- CVE-2025-40331: sctp: Prevent TOCTOU out-of-bounds write (bsc#1254615).
- CVE-2025-68732: gpu: host1x: Fix race in syncpt alloc/free (bsc#1255688).

The following non security issues were fixed:

- ACPI/IORT: Fix memory leak in iort_rmr_alloc_sids() (git-fixes).
- ACPI: PRM: Remove unnecessary strict handler address checks (git-fixes).
- ACPI: property: Do not pass NULL handles to acpi_attach_data() (git-fixes).
- ACPI: property: Fix buffer properties extraction for subnodes (git-fixes).
- KVM: SVM: Fix TSC_AUX virtualization setup (git-fixes).
- RDMA/cm: Rate limit destroy CM ID timeout error message (git-fixes).
- RDMA/counter: Check CAP_NET_RAW check in user namespace for RDMA counters (git-fixes).
- RDMA/hns: Fix the modification of max_send_sge (git-fixes).
- RDMA/mlx5: Check CAP_NET_RAW in user namespace for anchor create (git-fixes).
- RDMA/mlx5: Check CAP_NET_RAW in user namespace for devx create (git-fixes).
- RDMA/mlx5: Check CAP_NET_RAW in user namespace for flow create (git-fixes).
- RDMA/mlx5: Fix compilation warning when USER_ACCESS isn't set (git-fixes).
- RDMA/nldev: Check CAP_NET_RAW in user namespace for QP modify (git-fixes).
- RDMA/uverbs: Add empty rdma_uattrs_has_raw_cap() declaration (git-fixes).
- RDMA/uverbs: Check CAP_NET_RAW in user namespace for QP create (git-fixes).
- RDMA/uverbs: Check CAP_NET_RAW in user namespace for RAW QP create (git-fixes).
- RDMA/uverbs: Check CAP_NET_RAW in user namespace for flow create (git-fixes).
- arch/idle: Change arch_cpu_idle() behavior: always exit with IRQs disabled (git-fixes).
- cpuidle/poll: Ensure IRQs stay disabled after cpuidle_state::enter() calls (git-fixes).
- cpuidle: Move IRQ state validation (git-fixes).
- cpuidle: haltpoll: Do not enable interrupts when entering idle (git-fixes).
- dm: free table mempools if not used in __bind (git-fixes).
- padata: Honor the caller's alignment in case of chunk_size 0 (bsc#1237563).
- platform/x86/intel-uncore-freq: Fail module load when plat_info is NULL (git-fixes).
- x86/bugs: Fix RSB clearing in indirect_branch_prediction_barrier() (git-fixes).
- x86/bugs: Use SBPB in write_ibpb() if applicable (git-fixes).
- x86/paravirt: Move halt paravirt calls under CONFIG_PARAVIRT (git-fixes).
- x86/tdx: Drop flags from __tdx_hypercall() (git-fixes).
- x86/tdx: Dynamically disable SEPT violations from causing #VEs (git-fixes).
- x86/tdx: Emit warning if IRQs are enabled during HLT #VE handling (git-fixes).
- x86/tdx: Extend TDX_MODULE_CALL to support more TDCALL/SEAMCALL leafs (git-fixes).
- x86/tdx: Fix __noreturn build warning around __tdx_hypercall_failed() (git-fixes).
- x86/tdx: Fix arch_safe_halt() execution for TDX VMs (git-fixes).
- x86/tdx: Introduce wrappers to read and write TD metadata (git-fixes).
- x86/tdx: Make TDX_HYPERCALL asm similar to TDX_MODULE_CALL (git-fixes).
- x86/tdx: Make macros of TDCALLs consistent with the spec (git-fixes).
- x86/tdx: Pass TDCALL/SEAMCALL input/output registers via a structure (git-fixes).
- x86/tdx: Reimplement __tdx_hypercall() using TDX_MODULE_CALL asm (git-fixes).
- x86/tdx: Remove 'struct tdx_hypercall_args' (git-fixes).
- x86/tdx: Remove TDX_HCALL_ISSUE_STI (git-fixes).
- x86/tdx: Rename __tdx_module_call() to __tdcall() (git-fixes).
- x86/tdx: Rename tdx_parse_tdinfo() to tdx_setup() (git-fixes).
- x86/tdx: Retry partially-completed page conversion hypercalls (git-fixes).
- x86/tdx: Skip saving output regs when SEAMCALL fails with VMFailInvalid (git-fixes).
- x86/tdx: Zero out the missing RSI in TDX_HYPERCALL macro (git-fixes).
- x86/virt/tdx: Make TDX_MODULE_CALL handle SEAMCALL #UD and #GP (git-fixes).
- x86/virt/tdx: Wire up basic SEAMCALL functions (git-fixes).
- xfs: fix sparse inode limits on runt AG (bsc#1254392).

The following package changes have been done:

- kernel-default-5.14.21-150500.55.133.1 updated

From sle-container-updates at lists.suse.com Thu Jan 29 08:06:52 2026
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Thu, 29 Jan 2026 09:06:52 +0100 (CET)
Subject: SUSE-IU-2026:562-1: Security update of suse/sle-micro/kvm-5.5
Message-ID: <20260129080652.8EBECFD1A@maintenance.suse.de>

SUSE Image Update Advisory: suse/sle-micro/kvm-5.5
-----------------------------------------------------------------
Image Advisory ID : SUSE-IU-2026:562-1
Image Tags : suse/sle-micro/kvm-5.5:2.0.4 , suse/sle-micro/kvm-5.5:2.0.4-3.5.449 , suse/sle-micro/kvm-5.5:latest
Image Release : 3.5.449
Severity : important
Type : security
References :
-----------------------------------------------------------------

The container suse/sle-micro/kvm-5.5 was updated.

The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:317-1
Released: Wed Jan 28 15:36:48 2026
Summary: Security update for the Linux Kernel
Type: security
Severity: important
References:
1065729,1193629,1194869,1196823,1204957,1205567,1206451,1206843,1206889,1207051,1207088,1207315,1207611,1207620,1207622,1207636,1207644,1207646,1207652,1207653,1208570,1208758,1209799,1209980,1210644,1210817,1210943,1211690,1213025,1213032,1213093,1213105,1213110,1213111,1213653,1213747,1213867,1214635,1214940,1214962,1214986,1214990,1216062,1224573,1225832,1226797,1226846,1228015,1233640,1235038,1237563,1249871,1252046,1252678,1253409,1254392,1254520,1254559,1254562,1254572,1254578,1254580,1254592,1254601,1254608,1254609,1254614,1254615,1254617,1254623,1254625,1254626,1254631,1254632,1254634,1254644,1254645,1254649,1254651,1254653,1254656,1254658,1254660,1254664,1254671,1254674,1254676,1254677,1254681,1254684,1254685,1254686,1254690,1254692,1254694,1254696,1254698,1254699,1254704,1254706,1254709,1254710,1254711,1254712,1254713,1254714,1254716,1254723,1254725,1254728,1254729,1254743,1254745,1254751,1254753,1254754,1254756,1254759,1254763,1254775,1254780,1254781,1254782,1 254783,1254785,1254786,1254788,1254789,1254792,1254813,1254843,1254847,1254851,1254894,1254902,1254910,1254911,1254915,1254916,1254917,1254920,1254922,1254958,1254959,1254974,1254979,1254986,1254994,1255002,1255005,1255007,1255049,1255060,1255107,1255163,1255165,1255245,1255467,1255469,1255521,1255528,1255532,1255546,1255549,1255554,1255555,1255558,1255560,1255561,1255562,1255565,1255574,1255576,1255578,1255582,1255596,1255600,1255605,1255607,1255608,1255609,1255618,1255619,1255620,1255623,1255624,1255626,1255627,1255628,1255635,1255636,1255688,1255690,1255697,1255702,1255704,1255745,1255747,1255749,1255750,1255757,1255758,1255760,1255761,1255762,1255763,1255769,1255771,1255773,1255780,1255786,1255787,1255789,1255790,1255791,1255792,1255796,1255797,1255800,1255801,1255802,1255803,1255804,1255806,1255808,1255819,1255839,1255841,1255843,1255844,1255872,1255875,1255876,1255877,1255878,1255880,1255881,1255888,1255889,1255890,1255899,1255901,1255902,1255905,1255906,1255909,1255910,125591 
2,1255916,1255919,1255920,1255922,1255924,1255925,1255939,1255946,1255950,1255953,1255954,1255955,1255962,1255964,1255968,1255969,1255970,1255971,1255974,1255978,1255979,1255983,1255985,1255990,1255993,1255994,1255996,1255998,1256034,1256040,1256042,1256045,1256046,1256048,1256049,1256050,1256053,1256056,1256057,1256062,1256063,1256064,1256065,1256071,1256074,1256081,1256084,1256086,1256088,1256091,1256093,1256099,1256101,1256103,1256106,1256111,1256112,1256114,1256115,1256118,1256119,1256121,1256122,1256124,1256125,1256126,1256127,1256128,1256130,1256131,1256132,1256133,1256136,1256137,1256140,1256141,1256142,1256143,1256144,1256145,1256149,1256150,1256152,1256154,1256155,1256157,1256158,1256162,1256164,1256165,1256166,1256167,1256172,1256173,1256174,1256177,1256178,1256179,1256182,1256184,1256185,1256186,1256188,1256189,1256191,1256192,1256193,1256194,1256196,1256198,1256199,1256200,1256202,1256203,1256204,1256205,1256206,1256207,1256208,1256211,1256214,1256215,1256216,1256218,125 6219,1256220,1256221,1256223,1256228,1256230,1256231,1256235,1256239,1256241,1256242,1256245,1256248,1256250,1256254,1256260,1256265,1256269,1256271,1256274,1256282,1256285,1256291,1256294,1256295,1256300,1256302,1256306,1256309,1256317,1256320,1256323,1256326,1256328,1256333,1256334,1256335,1256337,1256338,1256344,1256346,1256349,1256352,1256353,1256355,1256358,1256359,1256363,1256364,1256368,1256370,1256375,1256381,1256382,1256383,1256384,1256386,1256388,1256391,1256394,1256395,1256396,1256397,1256398,1256423,1256426,1256432,CVE-2022-0854,CVE-2022-48853,CVE-2022-50614,CVE-2022-50615,CVE-2022-50617,CVE-2022-50618,CVE-2022-50619,CVE-2022-50621,CVE-2022-50622,CVE-2022-50623,CVE-2022-50625,CVE-2022-50626,CVE-2022-50629,CVE-2022-50630,CVE-2022-50633,CVE-2022-50635,CVE-2022-50636,CVE-2022-50638,CVE-2022-50640,CVE-2022-50641,CVE-2022-50643,CVE-2022-50644,CVE-2022-50646,CVE-2022-50649,CVE-2022-50652,CVE-2022-50653,CVE-2022-50656,CVE-2022-50658,CVE-2022-50660,CVE-2022-50661,CVE-2022-50662, 
CVE-2022-50664,CVE-2022-50665,CVE-2022-50666,CVE-2022-50667,CVE-2022-50668,CVE-2022-50669,CVE-2022-50670,CVE-2022-50671,CVE-2022-50672,CVE-2022-50673,CVE-2022-50675,CVE-2022-50677,CVE-2022-50678,CVE-2022-50679,CVE-2022-50698,CVE-2022-50699,CVE-2022-50700,CVE-2022-50701,CVE-2022-50702,CVE-2022-50703,CVE-2022-50704,CVE-2022-50705,CVE-2022-50709,CVE-2022-50710,CVE-2022-50712,CVE-2022-50714,CVE-2022-50715,CVE-2022-50716,CVE-2022-50717,CVE-2022-50718,CVE-2022-50719,CVE-2022-50722,CVE-2022-50723,CVE-2022-50724,CVE-2022-50726,CVE-2022-50727,CVE-2022-50728,CVE-2022-50730,CVE-2022-50731,CVE-2022-50732,CVE-2022-50733,CVE-2022-50735,CVE-2022-50736,CVE-2022-50738,CVE-2022-50740,CVE-2022-50742,CVE-2022-50744,CVE-2022-50745,CVE-2022-50747,CVE-2022-50749,CVE-2022-50750,CVE-2022-50751,CVE-2022-50752,CVE-2022-50754,CVE-2022-50755,CVE-2022-50756,CVE-2022-50757,CVE-2022-50758,CVE-2022-50760,CVE-2022-50761,CVE-2022-50763,CVE-2022-50767,CVE-2022-50768,CVE-2022-50769,CVE-2022-50770,CVE-2022-50773,CVE-202 2-50774,CVE-2022-50776,CVE-2022-50777,CVE-2022-50779,CVE-2022-50781,CVE-2022-50782,CVE-2022-50809,CVE-2022-50814,CVE-2022-50818,CVE-2022-50819,CVE-2022-50821,CVE-2022-50822,CVE-2022-50823,CVE-2022-50824,CVE-2022-50826,CVE-2022-50827,CVE-2022-50828,CVE-2022-50829,CVE-2022-50830,CVE-2022-50832,CVE-2022-50833,CVE-2022-50834,CVE-2022-50835,CVE-2022-50836,CVE-2022-50838,CVE-2022-50839,CVE-2022-50840,CVE-2022-50842,CVE-2022-50843,CVE-2022-50844,CVE-2022-50845,CVE-2022-50846,CVE-2022-50847,CVE-2022-50848,CVE-2022-50849,CVE-2022-50850,CVE-2022-50851,CVE-2022-50853,CVE-2022-50856,CVE-2022-50858,CVE-2022-50859,CVE-2022-50860,CVE-2022-50861,CVE-2022-50862,CVE-2022-50864,CVE-2022-50866,CVE-2022-50867,CVE-2022-50868,CVE-2022-50870,CVE-2022-50872,CVE-2022-50873,CVE-2022-50876,CVE-2022-50878,CVE-2022-50880,CVE-2022-50881,CVE-2022-50882,CVE-2022-50883,CVE-2022-50884,CVE-2022-50885,CVE-2022-50886,CVE-2022-50887,CVE-2022-50888,CVE-2022-50889,CVE-2023-23559,CVE-2023-53254,CVE-2023-53743,CVE-2023-53744 
,CVE-2023-53746,CVE-2023-53747,CVE-2023-53751,CVE-2023-53753,CVE-2023-53754,CVE-2023-53755,CVE-2023-53761,CVE-2023-53766,CVE-2023-53769,CVE-2023-53780,CVE-2023-53781,CVE-2023-53783,CVE-2023-53786,CVE-2023-53788,CVE-2023-53792,CVE-2023-53794,CVE-2023-53801,CVE-2023-53802,CVE-2023-53803,CVE-2023-53804,CVE-2023-53806,CVE-2023-53808,CVE-2023-53811,CVE-2023-53814,CVE-2023-53816,CVE-2023-53818,CVE-2023-53819,CVE-2023-53820,CVE-2023-53827,CVE-2023-53828,CVE-2023-53830,CVE-2023-53832,CVE-2023-53833,CVE-2023-53834,CVE-2023-53837,CVE-2023-53840,CVE-2023-53842,CVE-2023-53844,CVE-2023-53845,CVE-2023-53847,CVE-2023-53848,CVE-2023-53849,CVE-2023-53850,CVE-2023-53852,CVE-2023-53858,CVE-2023-53860,CVE-2023-53862,CVE-2023-53864,CVE-2023-53866,CVE-2023-53989,CVE-2023-53990,CVE-2023-53991,CVE-2023-53996,CVE-2023-53998,CVE-2023-54001,CVE-2023-54003,CVE-2023-54007,CVE-2023-54009,CVE-2023-54010,CVE-2023-54014,CVE-2023-54015,CVE-2023-54017,CVE-2023-54018,CVE-2023-54019,CVE-2023-54020,CVE-2023-54021,CVE-20 23-54024,CVE-2023-54025,CVE-2023-54026,CVE-2023-54028,CVE-2023-54036,CVE-2023-54039,CVE-2023-54040,CVE-2023-54041,CVE-2023-54042,CVE-2023-54044,CVE-2023-54045,CVE-2023-54046,CVE-2023-54047,CVE-2023-54048,CVE-2023-54049,CVE-2023-54050,CVE-2023-54051,CVE-2023-54053,CVE-2023-54055,CVE-2023-54057,CVE-2023-54058,CVE-2023-54064,CVE-2023-54070,CVE-2023-54072,CVE-2023-54074,CVE-2023-54076,CVE-2023-54078,CVE-2023-54079,CVE-2023-54083,CVE-2023-54084,CVE-2023-54090,CVE-2023-54091,CVE-2023-54092,CVE-2023-54095,CVE-2023-54096,CVE-2023-54097,CVE-2023-54098,CVE-2023-54100,CVE-2023-54102,CVE-2023-54104,CVE-2023-54106,CVE-2023-54107,CVE-2023-54108,CVE-2023-54110,CVE-2023-54111,CVE-2023-54114,CVE-2023-54115,CVE-2023-54116,CVE-2023-54118,CVE-2023-54119,CVE-2023-54120,CVE-2023-54122,CVE-2023-54123,CVE-2023-54126,CVE-2023-54127,CVE-2023-54128,CVE-2023-54130,CVE-2023-54131,CVE-2023-54132,CVE-2023-54134,CVE-2023-54136,CVE-2023-54138,CVE-2023-54140,CVE-2023-54144,CVE-2023-54146,CVE-2023-54148,CVE-2023-5415 
0,CVE-2023-54153,CVE-2023-54156,CVE-2023-54159,CVE-2023-54164,CVE-2023-54166,CVE-2023-54168,CVE-2023-54169,CVE-2023-54170,CVE-2023-54171,CVE-2023-54173,CVE-2023-54175,CVE-2023-54177,CVE-2023-54179,CVE-2023-54183,CVE-2023-54186,CVE-2023-54189,CVE-2023-54190,CVE-2023-54194,CVE-2023-54197,CVE-2023-54198,CVE-2023-54199,CVE-2023-54201,CVE-2023-54202,CVE-2023-54205,CVE-2023-54208,CVE-2023-54210,CVE-2023-54211,CVE-2023-54213,CVE-2023-54214,CVE-2023-54219,CVE-2023-54226,CVE-2023-54229,CVE-2023-54230,CVE-2023-54234,CVE-2023-54236,CVE-2023-54238,CVE-2023-54242,CVE-2023-54244,CVE-2023-54245,CVE-2023-54251,CVE-2023-54252,CVE-2023-54254,CVE-2023-54260,CVE-2023-54262,CVE-2023-54264,CVE-2023-54266,CVE-2023-54267,CVE-2023-54269,CVE-2023-54270,CVE-2023-54271,CVE-2023-54274,CVE-2023-54275,CVE-2023-54277,CVE-2023-54280,CVE-2023-54284,CVE-2023-54286,CVE-2023-54287,CVE-2023-54289,CVE-2023-54292,CVE-2023-54293,CVE-2023-54294,CVE-2023-54295,CVE-2023-54298,CVE-2023-54299,CVE-2023-54300,CVE-2023-54301,CVE-2 023-54302,CVE-2023-54304,CVE-2023-54305,CVE-2023-54309,CVE-2023-54311,CVE-2023-54315,CVE-2023-54317,CVE-2023-54319,CVE-2023-54320,CVE-2023-54321,CVE-2023-54322,CVE-2023-54325,CVE-2023-54326,CVE-2024-36933,CVE-2024-53093,CVE-2024-56590,CVE-2025-39977,CVE-2025-40019,CVE-2025-40139,CVE-2025-40215,CVE-2025-40220,CVE-2025-40233,CVE-2025-40256,CVE-2025-40258,CVE-2025-40277,CVE-2025-40280,CVE-2025-40331,CVE-2025-68218,CVE-2025-68732 The SUSE Linux Enterprise 15 SP5 kernel was updated to fix various security issues The following security issues were fixed: - CVE-2022-50630: mm: hugetlb: fix UAF in hugetlb_handle_userfault (bsc#1254785). - CVE-2022-50700: wifi: ath10k: Delay the unmapping of the buffer (bsc#1255576). - CVE-2023-53254: cacheinfo: Fix shared_cpu_map to handle shared caches at different levels (bsc#1249871). - CVE-2023-53781: smc: Fix use-after-free in tcp_write_timer_handler() (bsc#1254751). 
- CVE-2024-56590: Bluetooth: hci_core: Fix not checking skb length on hci_acldata_packet (bsc#1235038).
- CVE-2025-39977: futex: Prevent use-after-free during requeue-PI (bsc#1252046).
- CVE-2025-40019: crypto: essiv - Check ssize for decryption and in-place encryption (bsc#1252678).
- CVE-2025-40139: smc: Use __sk_dst_get() and dst_dev_rcu() in in smc_clc_prfx_set() (bsc#1253409).
- CVE-2025-40215: kABI: xfrm: delete x->tunnel as we delete x (bsc#1254959).
- CVE-2025-40220: fuse: fix livelock in synchronous file put from fuseblk workers (bsc#1254520).
- CVE-2025-40233: ocfs2: clear extent cache after moving/defragmenting extents (bsc#1254813).
- CVE-2025-40258: mptcp: fix race condition in mptcp_schedule_work() (bsc#1254843).
- CVE-2025-40277: drm/vmwgfx: Validate command header size against (bsc#1254894).
- CVE-2025-40280: tipc: Fix use-after-free in tipc_mon_reinit_self() (bsc#1254847).
- CVE-2025-40331: sctp: Prevent TOCTOU out-of-bounds write (bsc#1254615).
- CVE-2025-68732: gpu: host1x: Fix race in syncpt alloc/free (bsc#1255688).

The following non security issues were fixed:

- ACPI/IORT: Fix memory leak in iort_rmr_alloc_sids() (git-fixes).
- ACPI: PRM: Remove unnecessary strict handler address checks (git-fixes).
- ACPI: property: Do not pass NULL handles to acpi_attach_data() (git-fixes).
- ACPI: property: Fix buffer properties extraction for subnodes (git-fixes).
- KVM: SVM: Fix TSC_AUX virtualization setup (git-fixes).
- RDMA/cm: Rate limit destroy CM ID timeout error message (git-fixes).
- RDMA/counter: Check CAP_NET_RAW check in user namespace for RDMA counters (git-fixes).
- RDMA/hns: Fix the modification of max_send_sge (git-fixes).
- RDMA/mlx5: Check CAP_NET_RAW in user namespace for anchor create (git-fixes).
- RDMA/mlx5: Check CAP_NET_RAW in user namespace for devx create (git-fixes).
- RDMA/mlx5: Check CAP_NET_RAW in user namespace for flow create (git-fixes).
- RDMA/mlx5: Fix compilation warning when USER_ACCESS isn't set (git-fixes).
- RDMA/nldev: Check CAP_NET_RAW in user namespace for QP modify (git-fixes).
- RDMA/uverbs: Add empty rdma_uattrs_has_raw_cap() declaration (git-fixes).
- RDMA/uverbs: Check CAP_NET_RAW in user namespace for QP create (git-fixes).
- RDMA/uverbs: Check CAP_NET_RAW in user namespace for RAW QP create (git-fixes).
- RDMA/uverbs: Check CAP_NET_RAW in user namespace for flow create (git-fixes).
- arch/idle: Change arch_cpu_idle() behavior: always exit with IRQs disabled (git-fixes).
- cpuidle/poll: Ensure IRQs stay disabled after cpuidle_state::enter() calls (git-fixes).
- cpuidle: Move IRQ state validation (git-fixes).
- cpuidle: haltpoll: Do not enable interrupts when entering idle (git-fixes).
- dm: free table mempools if not used in __bind (git-fixes).
- padata: Honor the caller's alignment in case of chunk_size 0 (bsc#1237563).
- platform/x86/intel-uncore-freq: Fail module load when plat_info is NULL (git-fixes).
- x86/bugs: Fix RSB clearing in indirect_branch_prediction_barrier() (git-fixes).
- x86/bugs: Use SBPB in write_ibpb() if applicable (git-fixes).
- x86/paravirt: Move halt paravirt calls under CONFIG_PARAVIRT (git-fixes).
- x86/tdx: Drop flags from __tdx_hypercall() (git-fixes).
- x86/tdx: Dynamically disable SEPT violations from causing #VEs (git-fixes).
- x86/tdx: Emit warning if IRQs are enabled during HLT #VE handling (git-fixes).
- x86/tdx: Extend TDX_MODULE_CALL to support more TDCALL/SEAMCALL leafs (git-fixes).
- x86/tdx: Fix __noreturn build warning around __tdx_hypercall_failed() (git-fixes).
- x86/tdx: Fix arch_safe_halt() execution for TDX VMs (git-fixes).
- x86/tdx: Introduce wrappers to read and write TD metadata (git-fixes).
- x86/tdx: Make TDX_HYPERCALL asm similar to TDX_MODULE_CALL (git-fixes).
- x86/tdx: Make macros of TDCALLs consistent with the spec (git-fixes).
- x86/tdx: Pass TDCALL/SEAMCALL input/output registers via a structure (git-fixes).
- x86/tdx: Reimplement __tdx_hypercall() using TDX_MODULE_CALL asm (git-fixes).
- x86/tdx: Remove 'struct tdx_hypercall_args' (git-fixes).
- x86/tdx: Remove TDX_HCALL_ISSUE_STI (git-fixes).
- x86/tdx: Rename __tdx_module_call() to __tdcall() (git-fixes).
- x86/tdx: Rename tdx_parse_tdinfo() to tdx_setup() (git-fixes).
- x86/tdx: Retry partially-completed page conversion hypercalls (git-fixes).
- x86/tdx: Skip saving output regs when SEAMCALL fails with VMFailInvalid (git-fixes).
- x86/tdx: Zero out the missing RSI in TDX_HYPERCALL macro (git-fixes).
- x86/virt/tdx: Make TDX_MODULE_CALL handle SEAMCALL #UD and #GP (git-fixes).
- x86/virt/tdx: Wire up basic SEAMCALL functions (git-fixes).
- xfs: fix sparse inode limits on runt AG (bsc#1254392).

The following package changes have been done:

- kernel-default-base-5.14.21-150500.55.133.1.150500.6.65.1 updated
- container:suse-sle-micro-base-5.5-latest-2.0.4-5.8.234 updated

From sle-container-updates at lists.suse.com Thu Jan 29 08:08:47 2026
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Thu, 29 Jan 2026 09:08:47 +0100 (CET)
Subject: SUSE-IU-2026:563-1: Recommended update of suse/sl-micro/6.2/baremetal-os-container
Message-ID: <20260129080847.B48B5FD1A@maintenance.suse.de>

SUSE Image Update Advisory: suse/sl-micro/6.2/baremetal-os-container
-----------------------------------------------------------------
Image Advisory ID : SUSE-IU-2026:563-1
Image Tags : suse/sl-micro/6.2/baremetal-os-container:2.3.0 , suse/sl-micro/6.2/baremetal-os-container:2.3.0-7.29 , suse/sl-micro/6.2/baremetal-os-container:latest
Image Release : 7.29
Severity : important
Type : recommended
References : 1248516
-----------------------------------------------------------------

The container suse/sl-micro/6.2/baremetal-os-container was updated.

The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: 206
Released: Wed Jan 28 12:26:08 2026
Summary: Recommended update for grub2
Type: recommended
Severity: important
References: 1248516

This update for grub2 fixes the following issues:

- Optimize PBKDF2 to reduce the decryption time (bsc#1248516)
  * lib/crypto: Introduce new HMAC functions to reuse buffers
  * lib/pbkdf2: Optimize PBKDF2 by reusing HMAC handle
  * kern/misc: Implement faster grub_memcpy() for aligned buffers

The following package changes have been done:

- grub2-common-2.12-160000.4.1 updated
- grub2-i386-pc-2.12-160000.4.1 updated
- grub2-2.12-160000.4.1 updated
- container:suse-sl-micro-6.2-base-os-container-latest-5366032056c01ad7b28878d79b88749eec0c78de0cc3325e8831c8c671ca54aa-0 updated

From sle-container-updates at lists.suse.com Thu Jan 29 08:12:21 2026
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Thu, 29 Jan 2026 09:12:21 +0100 (CET)
Subject: SUSE-IU-2026:567-1: Recommended update of suse/sl-micro/6.2/kvm-os-container
Message-ID: <20260129081221.3DEB2FD1A@maintenance.suse.de>

SUSE Image Update Advisory: suse/sl-micro/6.2/kvm-os-container
-----------------------------------------------------------------
Image Advisory ID : SUSE-IU-2026:567-1
Image Tags : suse/sl-micro/6.2/kvm-os-container:2.3.0 , suse/sl-micro/6.2/kvm-os-container:2.3.0-7.20 , suse/sl-micro/6.2/kvm-os-container:latest
Image Release : 7.20
Severity : important
Type : recommended
References : 1248516
-----------------------------------------------------------------

The container suse/sl-micro/6.2/kvm-os-container was updated.

The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: 206
Released: Wed Jan 28 12:26:08 2026
Summary: Recommended update for grub2
Type: recommended
Severity: important
References: 1248516

This update for grub2 fixes the following issues:

- Optimize PBKDF2 to reduce the decryption time (bsc#1248516)
  * lib/crypto: Introduce new HMAC functions to reuse buffers
  * lib/pbkdf2: Optimize PBKDF2 by reusing HMAC handle
  * kern/misc: Implement faster grub_memcpy() for aligned buffers

The following package changes have been done:

- grub2-common-2.12-160000.4.1 updated
- grub2-i386-pc-2.12-160000.4.1 updated
- grub2-2.12-160000.4.1 updated
- container:suse-sl-micro-6.2-base-os-container-latest-5366032056c01ad7b28878d79b88749eec0c78de0cc3325e8831c8c671ca54aa-0 updated

From sle-container-updates at lists.suse.com Thu Jan 29 08:13:06 2026
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Thu, 29 Jan 2026 09:13:06 +0100 (CET)
Subject: SUSE-IU-2026:571-1: Recommended update of suse/sl-micro/6.2/rt-os-container
Message-ID: <20260129081306.B9FECFD1A@maintenance.suse.de>

SUSE Image Update Advisory: suse/sl-micro/6.2/rt-os-container
-----------------------------------------------------------------
Image Advisory ID : SUSE-IU-2026:571-1
Image Tags : suse/sl-micro/6.2/rt-os-container:2.3.0 , suse/sl-micro/6.2/rt-os-container:2.3.0-6.28 , suse/sl-micro/6.2/rt-os-container:latest
Image Release : 6.28
Severity : important
Type : recommended
References : 1248516
-----------------------------------------------------------------

The container suse/sl-micro/6.2/rt-os-container was updated.

The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: 206
Released: Wed Jan 28 12:26:08 2026
Summary: Recommended update for grub2
Type: recommended
Severity: important
References: 1248516

This update for grub2 fixes the following issues:

- Optimize PBKDF2 to reduce the decryption time (bsc#1248516)
  * lib/crypto: Introduce new HMAC functions to reuse buffers
  * lib/pbkdf2: Optimize PBKDF2 by reusing HMAC handle
  * kern/misc: Implement faster grub_memcpy() for aligned buffers

The following package changes have been done:

- grub2-common-2.12-160000.4.1 updated
- grub2-i386-pc-2.12-160000.4.1 updated
- grub2-2.12-160000.4.1 updated
- container:suse-sl-micro-6.2-baremetal-os-container-latest-d0978c6c6f3866ad578d4bac8b6daaebb310ebb881daf640f0aff8a15360b8aa-0 updated

From sle-container-updates at lists.suse.com Thu Jan 29 08:19:48 2026
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Thu, 29 Jan 2026 09:19:48 +0100 (CET)
Subject: SUSE-CU-2026:448-1: Security update of suse/kiosk/firefox-esr
Message-ID: <20260129081948.B873FFCDB@maintenance.suse.de>

SUSE Container Update Advisory: suse/kiosk/firefox-esr
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2026:448-1
Container Tags : suse/kiosk/firefox-esr:140.7 , suse/kiosk/firefox-esr:140.7-70.15 , suse/kiosk/firefox-esr:esr , suse/kiosk/firefox-esr:latest
Container Release : 70.15
Severity : critical
Type : security
References : 1256830 1256834 1256835 1256836 1256837 1256838 1256839 1256840 CVE-2025-15467 CVE-2025-68160 CVE-2025-69418 CVE-2025-69419 CVE-2025-69420 CVE-2025-69421 CVE-2026-22795 CVE-2026-22796
-----------------------------------------------------------------

The container suse/kiosk/firefox-esr was updated.

The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:309-1
Released: Wed Jan 28 10:36:32 2026
Summary: Security update for openssl-3
Type: security
Severity: critical
References: 1256830,1256834,1256835,1256836,1256837,1256838,1256839,1256840,CVE-2025-15467,CVE-2025-68160,CVE-2025-69418,CVE-2025-69419,CVE-2025-69420,CVE-2025-69421,CVE-2026-22795,CVE-2026-22796

This update for openssl-3 fixes the following issues:

- CVE-2025-15467: Stack buffer overflow in CMS AuthEnvelopedData parsing (bsc#1256830).
- CVE-2025-68160: Heap out-of-bounds write in BIO_f_linebuffer on short writes (bsc#1256834).
- CVE-2025-69418: Unauthenticated/unencrypted trailing bytes with low-level OCB function calls (bsc#1256835).
- CVE-2025-69419: Out of bounds write in PKCS12_get_friendlyname() UTF-8 conversion (bsc#1256836).
- CVE-2025-69420: Missing ASN1_TYPE validation in TS_RESP_verify_response() function (bsc#1256837).
- CVE-2025-69421: NULL Pointer Dereference in PKCS12_item_decrypt_d2i_ex function (bsc#1256838).
- CVE-2026-22795: Missing ASN1_TYPE validation in PKCS#12 parsing (bsc#1256839).
- CVE-2026-22796: ASN1_TYPE Type Confusion in the PKCS7_digest_from_attributes() function (bsc#1256840).

The following package changes have been done:

- libopenssl3-3.2.3-150700.5.24.1 updated
- libopenssl-3-fips-provider-3.2.3-150700.5.24.1 updated
- container:suse-sle15-15.7-2e217e3a9e14d18fead6b6167ccf6d306a7ad7d2de7bc20ce0fadda9adc99003-0 updated

From sle-container-updates at lists.suse.com Thu Jan 29 08:20:15 2026
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Thu, 29 Jan 2026 09:20:15 +0100 (CET)
Subject: SUSE-CU-2026:449-1: Security update of suse/pcp
Message-ID: <20260129082015.597A5FCDB@maintenance.suse.de>

SUSE Container Update Advisory: suse/pcp
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2026:449-1
Container Tags : suse/pcp:6 , suse/pcp:6.2 , suse/pcp:6.2.0 , suse/pcp:6.2.0-70.9 , suse/pcp:latest
Container Release : 70.9
Severity : moderate
Type : security
References : 1254666 1256498 1256499 1256500 CVE-2025-14104 CVE-2025-68276 CVE-2025-68468 CVE-2025-68471
-----------------------------------------------------------------

The container suse/pcp was updated.

The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:230-1
Released: Thu Jan 22 13:22:31 2026
Summary: Security update for util-linux
Type: security
Severity: moderate
References: 1254666,CVE-2025-14104

This update for util-linux fixes the following issues:

- CVE-2025-14104: Fixed heap buffer overread in setpwnam() when processing 256-byte usernames (bsc#1254666).
- lscpu: Add support for NVIDIA Olympus arm64 core (jsc#PED-13682).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:259-1
Released: Thu Jan 22 17:10:44 2026
Summary: Security update for avahi
Type: security
Severity: moderate
References: 1256498,1256499,1256500,CVE-2025-68276,CVE-2025-68468,CVE-2025-68471

This update for avahi fixes the following issues:

- CVE-2025-68276: Fixed refuse to create wide-area record browsers when wide-area is off (bsc#1256498)
- CVE-2025-68471: Fixed DoS bug by changing assert to return (bsc#1256500)
- CVE-2025-68468: Fixed DoS bug by removing incorrect assertion (bsc#1256499)

The following package changes have been done:

- libavahi-common3-0.8-150600.15.12.1 updated
- util-linux-systemd-2.40.4-150700.4.3.1 updated
- libavahi-client3-0.8-150600.15.12.1 updated

From sle-container-updates at lists.suse.com Thu Jan 29 08:20:33 2026
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Thu, 29 Jan 2026 09:20:33 +0100 (CET)
Subject: SUSE-CU-2026:450-1: Security update of suse/samba-server
Message-ID: <20260129082033.80FC8FCDB@maintenance.suse.de>

SUSE Container Update Advisory: suse/samba-server
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2026:450-1
Container Tags : suse/samba-server:4.21 , suse/samba-server:4.21 , suse/samba-server:4.21-71.10 , suse/samba-server:latest
Container Release : 71.10
Severity : critical
Type : security
References : 1256830 1256834 1256835 1256836 1256837 1256838 1256839 1256840 CVE-2025-15467 CVE-2025-68160 CVE-2025-69418 CVE-2025-69419 CVE-2025-69420 CVE-2025-69421 CVE-2026-22795 CVE-2026-22796
-----------------------------------------------------------------

The container suse/samba-server was updated.

The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:309-1
Released: Wed Jan 28 10:36:32 2026
Summary: Security update for openssl-3
Type: security
Severity: critical
References: 1256830,1256834,1256835,1256836,1256837,1256838,1256839,1256840,CVE-2025-15467,CVE-2025-68160,CVE-2025-69418,CVE-2025-69419,CVE-2025-69420,CVE-2025-69421,CVE-2026-22795,CVE-2026-22796

This update for openssl-3 fixes the following issues:

- CVE-2025-15467: Stack buffer overflow in CMS AuthEnvelopedData parsing (bsc#1256830).
- CVE-2025-68160: Heap out-of-bounds write in BIO_f_linebuffer on short writes (bsc#1256834).
- CVE-2025-69418: Unauthenticated/unencrypted trailing bytes with low-level OCB function calls (bsc#1256835).
- CVE-2025-69419: Out of bounds write in PKCS12_get_friendlyname() UTF-8 conversion (bsc#1256836).
- CVE-2025-69420: Missing ASN1_TYPE validation in TS_RESP_verify_response() function (bsc#1256837).
- CVE-2025-69421: NULL Pointer Dereference in PKCS12_item_decrypt_d2i_ex function (bsc#1256838).
- CVE-2026-22795: Missing ASN1_TYPE validation in PKCS#12 parsing (bsc#1256839).
- CVE-2026-22796: ASN1_TYPE Type Confusion in the PKCS7_digest_from_attributes() function (bsc#1256840).

The following package changes have been done:

- libopenssl3-3.2.3-150700.5.24.1 updated
- libopenssl-3-fips-provider-3.2.3-150700.5.24.1 updated
- container:suse-sle15-15.7-2e217e3a9e14d18fead6b6167ccf6d306a7ad7d2de7bc20ce0fadda9adc99003-0 updated

From sle-container-updates at lists.suse.com Thu Jan 29 08:20:51 2026
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Thu, 29 Jan 2026 09:20:51 +0100 (CET)
Subject: SUSE-CU-2026:451-1: Security update of suse/sle15
Message-ID: <20260129082051.894CAFCDB@maintenance.suse.de>

SUSE Container Update Advisory: suse/sle15
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2026:451-1
Container Tags : bci/bci-base:15.7 , bci/bci-base:15.7-5.14.8 , bci/bci-base:latest , suse/sle15:15.7 , suse/sle15:15.7-5.14.8 , suse/sle15:latest
Container Release : 5.14.8
Severity : critical
Type : security
References : 1256830 1256834 1256835 1256836 1256837 1256838 1256839 1256840 CVE-2025-15467 CVE-2025-68160 CVE-2025-69418 CVE-2025-69419 CVE-2025-69420 CVE-2025-69421 CVE-2026-22795 CVE-2026-22796
-----------------------------------------------------------------

The container suse/sle15 was updated.

The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:309-1
Released: Wed Jan 28 10:36:32 2026
Summary: Security update for openssl-3
Type: security
Severity: critical
References: 1256830,1256834,1256835,1256836,1256837,1256838,1256839,1256840,CVE-2025-15467,CVE-2025-68160,CVE-2025-69418,CVE-2025-69419,CVE-2025-69420,CVE-2025-69421,CVE-2026-22795,CVE-2026-22796

This update for openssl-3 fixes the following issues:

- CVE-2025-15467: Stack buffer overflow in CMS AuthEnvelopedData parsing (bsc#1256830).
- CVE-2025-68160: Heap out-of-bounds write in BIO_f_linebuffer on short writes (bsc#1256834).
- CVE-2025-69418: Unauthenticated/unencrypted trailing bytes with low-level OCB function calls (bsc#1256835).
- CVE-2025-69419: Out of bounds write in PKCS12_get_friendlyname() UTF-8 conversion (bsc#1256836).
- CVE-2025-69420: Missing ASN1_TYPE validation in TS_RESP_verify_response() function (bsc#1256837).
- CVE-2025-69421: NULL Pointer Dereference in PKCS12_item_decrypt_d2i_ex function (bsc#1256838).
- CVE-2026-22795: Missing ASN1_TYPE validation in PKCS#12 parsing (bsc#1256839).
- CVE-2026-22796: ASN1_TYPE Type Confusion in the PKCS7_digest_from_attributes() function (bsc#1256840).

The following package changes have been done:

- libopenssl-3-fips-provider-3.2.3-150700.5.24.1 updated
- libopenssl3-3.2.3-150700.5.24.1 updated
- openssl-3-3.2.3-150700.5.24.1 updated

From sle-container-updates at lists.suse.com Thu Jan 29 08:21:22 2026
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Thu, 29 Jan 2026 09:21:22 +0100 (CET)
Subject: SUSE-CU-2026:452-1: Security update of bci/spack
Message-ID: <20260129082122.B0D5EFCDB@maintenance.suse.de>

SUSE Container Update Advisory: bci/spack
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2026:452-1
Container Tags : bci/spack:0.23 , bci/spack:0.23.1 , bci/spack:0.23.1-21.11 , bci/spack:latest
Container Release : 21.11
Severity : critical
Type : security
References : 1254666 1255715 1256243 1256244 1256246 1256341 1256390 1256830 1256834 1256835 1256836 1256837 1256838 1256839 1256840 CVE-2025-13151 CVE-2025-14104 CVE-2025-15467 CVE-2025-68160 CVE-2025-68973 CVE-2025-69418 CVE-2025-69419 CVE-2025-69420 CVE-2025-69421 CVE-2026-22795 CVE-2026-22796
-----------------------------------------------------------------

The container bci/spack was updated.
The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:215-1
Released: Thu Jan 22 13:10:16 2026
Summary: Security update for gpg2
Type: security
Severity: important
References: 1255715,1256243,1256244,1256246,1256390,CVE-2025-68973

This update for gpg2 fixes the following issues:

- CVE-2025-68973: Fix possible memory corruption in the armor parser (gpg.fail/memcpy) (bsc#1255715).
- Avoid potential downgrade to SHA1 in 3rd party key signatures (gpg.fail/sha1) (bsc#1256246).
- Error out on unverified output for non-detached signatures (gpg.fail/detached) (bsc#1256244).
- Fix a memory leak in gpg2 agent (bsc#1256243).
- Fix Cleartext Signature Forgery in the NotDashEscaped header implementation in GnuPG (gpg.fail/notdash) (bsc#1256390).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:224-1
Released: Thu Jan 22 13:18:20 2026
Summary: Security update for libtasn1
Type: security
Severity: moderate
References: 1256341,CVE-2025-13151

This update for libtasn1 fixes the following issues:

- CVE-2025-13151: stack-based buffer overflow in `asn1_expend_octet_string` (bsc#1256341).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:230-1
Released: Thu Jan 22 13:22:31 2026
Summary: Security update for util-linux
Type: security
Severity: moderate
References: 1254666,CVE-2025-14104

This update for util-linux fixes the following issues:

- CVE-2025-14104: Fixed heap buffer overread in setpwnam() when processing 256-byte usernames (bsc#1254666).
- lscpu: Add support for NVIDIA Olympus arm64 core (jsc#PED-13682).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:309-1
Released: Wed Jan 28 10:36:32 2026
Summary: Security update for openssl-3
Type: security
Severity: critical
References: 1256830,1256834,1256835,1256836,1256837,1256838,1256839,1256840,CVE-2025-15467,CVE-2025-68160,CVE-2025-69418,CVE-2025-69419,CVE-2025-69420,CVE-2025-69421,CVE-2026-22795,CVE-2026-22796

This update for openssl-3 fixes the following issues:

- CVE-2025-15467: Stack buffer overflow in CMS AuthEnvelopedData parsing (bsc#1256830).
- CVE-2025-68160: Heap out-of-bounds write in BIO_f_linebuffer on short writes (bsc#1256834).
- CVE-2025-69418: Unauthenticated/unencrypted trailing bytes with low-level OCB function calls (bsc#1256835).
- CVE-2025-69419: Out of bounds write in PKCS12_get_friendlyname() UTF-8 conversion (bsc#1256836).
- CVE-2025-69420: Missing ASN1_TYPE validation in TS_RESP_verify_response() function (bsc#1256837).
- CVE-2025-69421: NULL Pointer Dereference in PKCS12_item_decrypt_d2i_ex function (bsc#1256838).
- CVE-2026-22795: Missing ASN1_TYPE validation in PKCS#12 parsing (bsc#1256839).
- CVE-2026-22796: ASN1_TYPE Type Confusion in the PKCS7_digest_from_attributes() function (bsc#1256840).
The following package changes have been done:

- libblkid1-2.40.4-150700.4.3.1 updated
- libglib-2_0-0-2.78.6-150600.4.28.1 updated
- libmount1-2.40.4-150700.4.3.1 updated
- libcurl4-8.14.1-150700.7.11.1 updated
- gpg2-2.4.4-150600.3.12.1 updated
- libtasn1-6-4.13-150000.4.14.1 updated
- libtasn1-4.13-150000.4.14.1 updated
- curl-8.14.1-150700.7.11.1 updated
- libopenssl-3-devel-3.2.3-150700.5.24.1 updated
- container:registry.suse.com-bci-bci-base-15.7-2e217e3a9e14d18fead6b6167ccf6d306a7ad7d2de7bc20ce0fadda9adc99003-0 updated

From sle-container-updates at lists.suse.com Thu Jan 29 08:24:26 2026
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Thu, 29 Jan 2026 09:24:26 +0100 (CET)
Subject: SUSE-CU-2026:458-1: Security update of suse/manager/4.3/proxy-httpd
Message-ID: <20260129082426.6D147FCDB@maintenance.suse.de>

SUSE Container Update Advisory: suse/manager/4.3/proxy-httpd
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2026:458-1
Container Tags : suse/manager/4.3/proxy-httpd:4.3.16.2 , suse/manager/4.3/proxy-httpd:4.3.16.2.9.73.8 , suse/manager/4.3/proxy-httpd:latest
Container Release : 9.73.8
Severity : important
Type : security
References : 1239119 1255715 1256244 1256246 1256390 CVE-2025-30258 CVE-2025-68973
-----------------------------------------------------------------

The container suse/manager/4.3/proxy-httpd was updated.
The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:3986-1
Released: Fri Nov 7 11:31:03 2025
Summary: Security update for gpg2
Type: security
Severity: low
References: 1239119,CVE-2025-30258

This update for gpg2 fixes the following issues:

- CVE-2025-30258: fixed a verification denial of service due to a malicious subkey in the keyring (bsc#1239119)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:214-1
Released: Thu Jan 22 13:09:26 2026
Summary: Security update for gpg2
Type: security
Severity: important
References: 1255715,1256244,1256246,1256390,CVE-2025-68973

This update for gpg2 fixes the following issues:

- CVE-2025-68973: Fix possible memory corruption in the armor parser (gpg.fail/memcpy) (bsc#1255715).
- Avoid potential downgrade to SHA1 in 3rd party key signatures (gpg.fail/sha1) (bsc#1256246).
- Error out on unverified output for non-detached signatures (gpg.fail/detached) (bsc#1256244).
- Fix Cleartext Signature Forgery in the NotDashEscaped header implementation in GnuPG (gpg.fail/notdash) (bsc#1256390).
The following package changes have been done:

- gpg2-2.2.27-150300.3.16.1 updated
- container:sles15-ltss-image-15.4.0-6.3 updated

From sle-container-updates at lists.suse.com Thu Jan 29 08:25:35 2026
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Thu, 29 Jan 2026 09:25:35 +0100 (CET)
Subject: SUSE-CU-2026:459-1: Security update of suse/manager/4.3/proxy-salt-broker
Message-ID: <20260129082535.E35F2FCDB@maintenance.suse.de>

SUSE Container Update Advisory: suse/manager/4.3/proxy-salt-broker
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2026:459-1
Container Tags : suse/manager/4.3/proxy-salt-broker:4.3.16.2 , suse/manager/4.3/proxy-salt-broker:4.3.16.2.9.63.8 , suse/manager/4.3/proxy-salt-broker:latest
Container Release : 9.63.8
Severity : important
Type : security
References : 1239119 1255715 1256244 1256246 1256390 CVE-2025-30258 CVE-2025-68973
-----------------------------------------------------------------

The container suse/manager/4.3/proxy-salt-broker was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:3986-1
Released: Fri Nov 7 11:31:03 2025
Summary: Security update for gpg2
Type: security
Severity: low
References: 1239119,CVE-2025-30258

This update for gpg2 fixes the following issues:

- CVE-2025-30258: fixed a verification denial of service due to a malicious subkey in the keyring (bsc#1239119)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:214-1
Released: Thu Jan 22 13:09:26 2026
Summary: Security update for gpg2
Type: security
Severity: important
References: 1255715,1256244,1256246,1256390,CVE-2025-68973

This update for gpg2 fixes the following issues:

- CVE-2025-68973: Fix possible memory corruption in the armor parser (gpg.fail/memcpy) (bsc#1255715).
- Avoid potential downgrade to SHA1 in 3rd party key signatures (gpg.fail/sha1) (bsc#1256246).
- Error out on unverified output for non-detached signatures (gpg.fail/detached) (bsc#1256244).
- Fix Cleartext Signature Forgery in the NotDashEscaped header implementation in GnuPG (gpg.fail/notdash) (bsc#1256390).

The following package changes have been done:

- gpg2-2.2.27-150300.3.16.1 updated
- container:sles15-ltss-image-15.4.0-6.3 updated

From sle-container-updates at lists.suse.com Thu Jan 29 08:30:56 2026
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Thu, 29 Jan 2026 09:30:56 +0100 (CET)
Subject: SUSE-CU-2026:463-1: Security update of suse/sle-micro/5.2/toolbox
Message-ID: <20260129083057.396F5FCDB@maintenance.suse.de>

SUSE Container Update Advisory: suse/sle-micro/5.2/toolbox
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2026:463-1
Container Tags : suse/sle-micro/5.2/toolbox:14.2 , suse/sle-micro/5.2/toolbox:14.2-7.11.230 , suse/sle-micro/5.2/toolbox:latest
Container Release : 7.11.230
Severity : important
Type : security
References :
-----------------------------------------------------------------

The container suse/sle-micro/5.2/toolbox was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:319-1
Released: Wed Jan 28 15:39:29 2026
Summary: Security update for container-suseconnect
Type: security
Severity: important
References:

This update for container-suseconnect rebuilds it against the current Go security release.
The following package changes have been done:

- container-suseconnect-2.5.5-150000.4.77.1 updated

From sle-container-updates at lists.suse.com Fri Jan 30 08:08:41 2026
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Fri, 30 Jan 2026 09:08:41 +0100 (CET)
Subject: SUSE-IU-2026:577-1: Security update of suse/sl-micro/6.2/baremetal-os-container
Message-ID: <20260130080841.ACA2DFD1A@maintenance.suse.de>

SUSE Image Update Advisory: suse/sl-micro/6.2/baremetal-os-container
-----------------------------------------------------------------
Image Advisory ID : SUSE-IU-2026:577-1
Image Tags : suse/sl-micro/6.2/baremetal-os-container:2.3.0 , suse/sl-micro/6.2/baremetal-os-container:2.3.0-7.32 , suse/sl-micro/6.2/baremetal-os-container:latest
Image Release : 7.32
Severity : important
Type : security
References : 1236282 1241826 1241857 1251511 1251679 1253581 1253901 1254079 1256389 1256436 1256766 1256822 1257005 1257395 1257396 CVE-2025-0395 CVE-2025-15281 CVE-2025-22872 CVE-2025-47911 CVE-2025-47913 CVE-2025-47914 CVE-2025-58181 CVE-2025-58190 CVE-2026-0861 CVE-2026-0915 CVE-2026-24882 CVE-2026-24883
-----------------------------------------------------------------

The container suse/sl-micro/6.2/baremetal-os-container was updated.
The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: 217
Released: Thu Jan 29 16:32:26 2026
Summary: Security update for elemental-register, elemental-toolkit
Type: security
Severity: important
References: 1241826,1241857,1251511,1251679,1253581,1253901,1254079,CVE-2025-22872,CVE-2025-47911,CVE-2025-47913,CVE-2025-47914,CVE-2025-58181,CVE-2025-58190

This update for elemental-register, elemental-toolkit fixes the following issues:

elemental-register was updated to 1.8.1:

Changes on top of v1.8.1:
  * Update headers to 2026
  * Update questions to include SL Micro 6.2

Update to v1.8.1:
  * Install yip config files in before-install step
  * Bump github.com/rancher-sandbox/go-tpm and its dependencies
    This includes a few CVE fixes:
    * bsc#1241826 (CVE-2025-22872)
    * bsc#1241857 (CVE-2025-22872)
    * bsc#1251511 (CVE-2025-47911)
    * bsc#1251679 (CVE-2025-58190)

elemental-toolkit was updated to v2.3.2:
  * Bump golang.org/x/crypto library
    This includes a few CVE fixes:
    * bsc#1241826 (CVE-2025-22872)
    * bsc#1241857 (CVE-2025-22872)
    * bsc#1251511 (CVE-2025-47911)
    * bsc#1251679 (CVE-2025-58190)
    * bsc#1253581 (CVE-2025-47913)
    * bsc#1253901 (CVE-2025-58181)
    * bsc#1254079 (CVE-2025-47914)

-----------------------------------------------------------------
Advisory ID: 221
Released: Thu Jan 29 17:14:38 2026
Summary: Security update for gpg2
Type: security
Severity: important
References: 1256389,1257395,1257396,CVE-2026-24882,CVE-2026-24883

This update for gpg2 fixes the following issues:

- CVE-2026-24882: stack-based buffer overflow in TPM2 PKDECRYPT for TPM-backed RSA and ECC keys (bsc#1257396).
- CVE-2026-24883: denial of service due to long signature packet length causing parse_signature to return success with sig->data[] set to a NULL value (bsc#1257395).
- gpg.fail/filename: GnuPG Accepts Path Separators and Path Traversals in Literal Data 'Filename' Field (bsc#1256389).
-----------------------------------------------------------------
Advisory ID: 218
Released: Thu Jan 29 18:44:57 2026
Summary: Security update for glibc
Type: security
Severity: important
References: 1236282,1256436,1256766,1256822,1257005,CVE-2025-0395,CVE-2025-15281,CVE-2026-0861,CVE-2026-0915

This update for glibc fixes the following issues:

Security fixes:

- CVE-2025-0395: Fixed buffer overflow in the assert() function (bsc#1236282).
- CVE-2026-0861: Fixed inadequate size check in the memalign suite that may result in an integer overflow (bsc#1256766).
- CVE-2026-0915: Fixed uninitialized stack buffer used as DNS query name when net==0 in _nss_dns_getnetbyaddr_r (bsc#1256822).
- CVE-2025-15281: Fixed uninitialized memory that may cause the process to abort (bsc#1257005).

Other fixes:

- NPTL: Optimize trylock for high cache contention workloads (bsc#1256436)

The following package changes have been done:

- glibc-2.40-160000.3.1 updated
- elemental-register-1.8.1-160000.1.1 updated
- elemental-support-1.8.1-160000.1.1 updated
- glibc-gconv-modules-extra-2.40-160000.3.1 updated
- glibc-locale-base-2.40-160000.3.1 updated
- elemental-toolkit-2.3.2-160000.1.1 updated
- gpg2-2.5.5-160000.4.1 updated
- container:suse-sl-micro-6.2-base-os-container-latest-e9cfd969c3c5fd78a09678865fbed96d8d124c381761efffca11c1b7cb64e48f-0 updated

From sle-container-updates at lists.suse.com Fri Jan 30 08:12:34 2026
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Fri, 30 Jan 2026 09:12:34 +0100 (CET)
Subject: SUSE-IU-2026:585-1: Security update of suse/sl-micro/6.2/kvm-os-container
Message-ID: <20260130081234.162ADFD1A@maintenance.suse.de>

SUSE Image Update Advisory: suse/sl-micro/6.2/kvm-os-container
-----------------------------------------------------------------
Image Advisory ID : SUSE-IU-2026:585-1
Image Tags : suse/sl-micro/6.2/kvm-os-container:2.3.0 , suse/sl-micro/6.2/kvm-os-container:2.3.0-7.22 , suse/sl-micro/6.2/kvm-os-container:latest
Image Release : 7.22
Severity : important
Type : security
References : 1236282 1241826 1241857 1251511 1251679 1253581 1253901 1254079 1256436 1256766 1256822 1257005 CVE-2025-0395 CVE-2025-15281 CVE-2025-22872 CVE-2025-47911 CVE-2025-47913 CVE-2025-47914 CVE-2025-58181 CVE-2025-58190 CVE-2026-0861 CVE-2026-0915
-----------------------------------------------------------------

The container suse/sl-micro/6.2/kvm-os-container was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: 217
Released: Thu Jan 29 16:32:26 2026
Summary: Security update for elemental-register, elemental-toolkit
Type: security
Severity: important
References: 1241826,1241857,1251511,1251679,1253581,1253901,1254079,CVE-2025-22872,CVE-2025-47911,CVE-2025-47913,CVE-2025-47914,CVE-2025-58181,CVE-2025-58190

This update for elemental-register, elemental-toolkit fixes the following issues:

elemental-register was updated to 1.8.1:

Changes on top of v1.8.1:
  * Update headers to 2026
  * Update questions to include SL Micro 6.2

Update to v1.8.1:
  * Install yip config files in before-install step
  * Bump github.com/rancher-sandbox/go-tpm and its dependencies
    This includes a few CVE fixes:
    * bsc#1241826 (CVE-2025-22872)
    * bsc#1241857 (CVE-2025-22872)
    * bsc#1251511 (CVE-2025-47911)
    * bsc#1251679 (CVE-2025-58190)

elemental-toolkit was updated to v2.3.2:
  * Bump golang.org/x/crypto library
    This includes a few CVE fixes:
    * bsc#1241826 (CVE-2025-22872)
    * bsc#1241857 (CVE-2025-22872)
    * bsc#1251511 (CVE-2025-47911)
    * bsc#1251679 (CVE-2025-58190)
    * bsc#1253581 (CVE-2025-47913)
    * bsc#1253901 (CVE-2025-58181)
    * bsc#1254079 (CVE-2025-47914)

-----------------------------------------------------------------
Advisory ID: 218
Released: Thu Jan 29 18:44:57 2026
Summary: Security update for glibc
Type: security
Severity: important
References: 1236282,1256436,1256766,1256822,1257005,CVE-2025-0395,CVE-2025-15281,CVE-2026-0861,CVE-2026-0915

This update for glibc fixes the following issues:

Security fixes:

- CVE-2025-0395: Fixed buffer overflow in the assert() function (bsc#1236282).
- CVE-2026-0861: Fixed inadequate size check in the memalign suite that may result in an integer overflow (bsc#1256766).
- CVE-2026-0915: Fixed uninitialized stack buffer used as DNS query name when net==0 in _nss_dns_getnetbyaddr_r (bsc#1256822).
- CVE-2025-15281: Fixed uninitialized memory that may cause the process to abort (bsc#1257005).

Other fixes:

- NPTL: Optimize trylock for high cache contention workloads (bsc#1256436)

The following package changes have been done:

- glibc-2.40-160000.3.1 updated
- elemental-register-1.8.1-160000.1.1 updated
- elemental-support-1.8.1-160000.1.1 updated
- glibc-gconv-modules-extra-2.40-160000.3.1 updated
- glibc-locale-base-2.40-160000.3.1 updated
- elemental-toolkit-2.3.2-160000.1.1 updated
- container:suse-sl-micro-6.2-base-os-container-latest-e9cfd969c3c5fd78a09678865fbed96d8d124c381761efffca11c1b7cb64e48f-0 updated

From sle-container-updates at lists.suse.com Fri Jan 30 08:13:26 2026
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Fri, 30 Jan 2026 09:13:26 +0100 (CET)
Subject: SUSE-IU-2026:591-1: Security update of suse/sl-micro/6.2/rt-os-container
Message-ID: <20260130081326.29997FD1A@maintenance.suse.de>

SUSE Image Update Advisory: suse/sl-micro/6.2/rt-os-container
-----------------------------------------------------------------
Image Advisory ID : SUSE-IU-2026:591-1
Image Tags : suse/sl-micro/6.2/rt-os-container:2.3.0 , suse/sl-micro/6.2/rt-os-container:2.3.0-6.31 , suse/sl-micro/6.2/rt-os-container:latest
Image Release : 6.31
Severity : important
Type : security
References : 1236282 1241826 1241857 1251511 1251679 1253581 1253901 1254079 1256436 1256766 1256822 1257005 CVE-2025-0395 CVE-2025-15281 CVE-2025-22872 CVE-2025-47911 CVE-2025-47913 CVE-2025-47914 CVE-2025-58181 CVE-2025-58190 CVE-2026-0861 CVE-2026-0915
-----------------------------------------------------------------

The container suse/sl-micro/6.2/rt-os-container was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: 217
Released: Thu Jan 29 16:32:26 2026
Summary: Security update for elemental-register, elemental-toolkit
Type: security
Severity: important
References: 1241826,1241857,1251511,1251679,1253581,1253901,1254079,CVE-2025-22872,CVE-2025-47911,CVE-2025-47913,CVE-2025-47914,CVE-2025-58181,CVE-2025-58190

This update for elemental-register, elemental-toolkit fixes the following issues:

elemental-register was updated to 1.8.1:

Changes on top of v1.8.1:
  * Update headers to 2026
  * Update questions to include SL Micro 6.2

Update to v1.8.1:
  * Install yip config files in before-install step
  * Bump github.com/rancher-sandbox/go-tpm and its dependencies
    This includes a few CVE fixes:
    * bsc#1241826 (CVE-2025-22872)
    * bsc#1241857 (CVE-2025-22872)
    * bsc#1251511 (CVE-2025-47911)
    * bsc#1251679 (CVE-2025-58190)

elemental-toolkit was updated to v2.3.2:
  * Bump golang.org/x/crypto library
    This includes a few CVE fixes:
    * bsc#1241826 (CVE-2025-22872)
    * bsc#1241857 (CVE-2025-22872)
    * bsc#1251511 (CVE-2025-47911)
    * bsc#1251679 (CVE-2025-58190)
    * bsc#1253581 (CVE-2025-47913)
    * bsc#1253901 (CVE-2025-58181)
    * bsc#1254079 (CVE-2025-47914)

-----------------------------------------------------------------
Advisory ID: 218
Released: Thu Jan 29 18:44:57 2026
Summary: Security update for glibc
Type: security
Severity: important
References: 1236282,1256436,1256766,1256822,1257005,CVE-2025-0395,CVE-2025-15281,CVE-2026-0861,CVE-2026-0915

This update for glibc fixes the following issues:

Security fixes:

- CVE-2025-0395: Fixed buffer overflow in the assert() function (bsc#1236282).
- CVE-2026-0861: Fixed inadequate size check in the memalign suite that may result in an integer overflow (bsc#1256766).
- CVE-2026-0915: Fixed uninitialized stack buffer used as DNS query name when net==0 in _nss_dns_getnetbyaddr_r (bsc#1256822).
- CVE-2025-15281: Fixed uninitialized memory that may cause the process to abort (bsc#1257005).

Other fixes:

- NPTL: Optimize trylock for high cache contention workloads (bsc#1256436)

The following package changes have been done:

- glibc-2.40-160000.3.1 updated
- elemental-register-1.8.1-160000.1.1 updated
- elemental-support-1.8.1-160000.1.1 updated
- glibc-gconv-modules-extra-2.40-160000.3.1 updated
- glibc-locale-base-2.40-160000.3.1 updated
- elemental-toolkit-2.3.2-160000.1.1 updated
- container:suse-sl-micro-6.2-baremetal-os-container-latest-759211de6b7c96bb94338c0229d245282eb21913e0261e1ba7e94cc4c6943238-0 updated

From sle-container-updates at lists.suse.com Fri Jan 30 08:14:36 2026
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Fri, 30 Jan 2026 09:14:36 +0100 (CET)
Subject: SUSE-CU-2026:471-1: Security update of suse/ltss/sle12.5/sles12sp5
Message-ID: <20260130081436.37B61FCDB@maintenance.suse.de>

SUSE Container Update Advisory: suse/ltss/sle12.5/sles12sp5
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2026:471-1
Container Tags : suse/ltss/sle12.5/sles12sp5:8.5.188 , suse/ltss/sle12.5/sles12sp5:latest
Container Release : 8.5.188
Severity : moderate
Type : security
References : 1256805 1256834 1256837 1256838 1256840 CVE-2025-68160 CVE-2025-69420 CVE-2025-69421 CVE-2026-0989 CVE-2026-22796
-----------------------------------------------------------------

The container suse/ltss/sle12.5/sles12sp5 was updated.
The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:333-1
Released: Thu Jan 29 09:16:21 2026
Summary: Security update for openssl-1_0_0
Type: security
Severity: moderate
References: 1256834,1256837,1256838,1256840,CVE-2025-68160,CVE-2025-69420,CVE-2025-69421,CVE-2026-22796

This update for openssl-1_0_0 fixes the following issues:

- CVE-2025-68160: Heap out-of-bounds write in BIO_f_linebuffer on short writes (bsc#1256834).
- CVE-2025-69420: Missing ASN1_TYPE validation in TS_RESP_verify_response() function (bsc#1256837).
- CVE-2025-69421: NULL Pointer Dereference in PKCS12_item_decrypt_d2i_ex function (bsc#1256838).
- CVE-2026-22796: ASN1_TYPE Type Confusion in the PKCS7_digest_from_attributes() function (bsc#1256840).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:336-1
Released: Thu Jan 29 11:16:18 2026
Summary: Security update for libxml2
Type: security
Severity: moderate
References: 1256805,CVE-2026-0989

This update for libxml2 fixes the following issues:

- CVE-2026-0989: Fixed call stack exhaustion leading to application crash due to RelaxNG parser not limiting the recursion depth when resolving `` directives (bsc#1256805).
The following package changes have been done:

- libopenssl1_0_0-1.0.2p-3.103.1 updated
- libxml2-2-2.9.4-46.96.1 updated
- openssl-1_0_0-1.0.2p-3.103.1 updated

From sle-container-updates at lists.suse.com Fri Jan 30 08:19:22 2026
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Fri, 30 Jan 2026 09:19:22 +0100 (CET)
Subject: SUSE-CU-2026:476-1: Security update of suse/389-ds
Message-ID: <20260130081922.500D5FCDB@maintenance.suse.de>

SUSE Container Update Advisory: suse/389-ds
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2026:476-1
Container Tags : suse/389-ds:2.5 , suse/389-ds:2.5.3 , suse/389-ds:2.5.3-67.8 , suse/389-ds:latest
Container Release : 67.8
Severity : critical
Type : security
References : 1256830 1256834 1256834 1256835 1256835 1256836 1256836 1256837 1256837 1256838 1256838 1256839 1256839 1256840 1256840 CVE-2025-15467 CVE-2025-68160 CVE-2025-68160 CVE-2025-69418 CVE-2025-69418 CVE-2025-69419 CVE-2025-69419 CVE-2025-69420 CVE-2025-69420 CVE-2025-69421 CVE-2025-69421 CVE-2026-22795 CVE-2026-22795 CVE-2026-22796 CVE-2026-22796
-----------------------------------------------------------------

The container suse/389-ds was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:309-1
Released: Wed Jan 28 10:36:32 2026
Summary: Security update for openssl-3
Type: security
Severity: critical
References: 1256830,1256834,1256835,1256836,1256837,1256838,1256839,1256840,CVE-2025-15467,CVE-2025-68160,CVE-2025-69418,CVE-2025-69419,CVE-2025-69420,CVE-2025-69421,CVE-2026-22795,CVE-2026-22796

This update for openssl-3 fixes the following issues:

- CVE-2025-15467: Stack buffer overflow in CMS AuthEnvelopedData parsing (bsc#1256830).
- CVE-2025-68160: Heap out-of-bounds write in BIO_f_linebuffer on short writes (bsc#1256834).
- CVE-2025-69418: Unauthenticated/unencrypted trailing bytes with low-level OCB function calls (bsc#1256835).
- CVE-2025-69419: Out of bounds write in PKCS12_get_friendlyname() UTF-8 conversion (bsc#1256836).
- CVE-2025-69420: Missing ASN1_TYPE validation in TS_RESP_verify_response() function (bsc#1256837).
- CVE-2025-69421: NULL Pointer Dereference in PKCS12_item_decrypt_d2i_ex function (bsc#1256838).
- CVE-2026-22795: Missing ASN1_TYPE validation in PKCS#12 parsing (bsc#1256839).
- CVE-2026-22796: ASN1_TYPE Type Confusion in the PKCS7_digest_from_attributes() function (bsc#1256840).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:331-1
Released: Wed Jan 28 18:12:49 2026
Summary: Security update for openssl-1_1
Type: security
Severity: moderate
References: 1256834,1256835,1256836,1256837,1256838,1256839,1256840,CVE-2025-68160,CVE-2025-69418,CVE-2025-69419,CVE-2025-69420,CVE-2025-69421,CVE-2026-22795,CVE-2026-22796

This update for openssl-1_1 fixes the following issues:

- CVE-2026-22795: Missing ASN1_TYPE validation in PKCS#12 parsing (bsc#1256839).
- CVE-2025-69420: Missing ASN1_TYPE validation in TS_RESP_verify_response() function (bsc#1256837).
- CVE-2025-69421: NULL Pointer Dereference in PKCS12_item_decrypt_d2i_ex function (bsc#1256838).
- CVE-2026-22796: ASN1_TYPE Type Confusion in the PKCS7_digest_from_attributes() function (bsc#1256840).
- CVE-2025-68160: Heap out-of-bounds write in BIO_f_linebuffer on short writes (bsc#1256834).
- CVE-2025-69418: Unauthenticated/unencrypted trailing bytes with low-level OCB function calls (bsc#1256835).
- CVE-2025-69419: Out of bounds write in PKCS12_get_friendlyname() UTF-8 conversion (bsc#1256836).
The following package changes have been done:

- libopenssl3-3.2.3-150700.5.24.1 updated
- libopenssl-3-fips-provider-3.2.3-150700.5.24.1 updated
- openssl-3-3.2.3-150700.5.24.1 updated
- libopenssl1_1-1.1.1w-150700.11.11.1 updated
- container:registry.suse.com-bci-bci-base-15.7-9efe2e5a6c38d2f8c0921b1f30f01a84e5a8a968aaa4132bec532c8be84037c1-0 updated

From sle-container-updates at lists.suse.com Fri Jan 30 08:19:30 2026
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Fri, 30 Jan 2026 09:19:30 +0100 (CET)
Subject: SUSE-CU-2026:478-1: Security update of bci/dotnet-aspnet
Message-ID: <20260130081930.560E3FCDB@maintenance.suse.de>

SUSE Container Update Advisory: bci/dotnet-aspnet
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2026:478-1
Container Tags : bci/dotnet-aspnet:10.0 , bci/dotnet-aspnet:10.0.2 , bci/dotnet-aspnet:10.0.2-8.5 , bci/dotnet-aspnet:latest
Container Release : 8.5
Severity : moderate
Type : security
References : 1256834 1256835 1256836 1256837 1256838 1256839 1256840 CVE-2025-68160 CVE-2025-69418 CVE-2025-69419 CVE-2025-69420 CVE-2025-69421 CVE-2026-22795 CVE-2026-22796
-----------------------------------------------------------------

The container bci/dotnet-aspnet was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:331-1
Released: Wed Jan 28 18:12:49 2026
Summary: Security update for openssl-1_1
Type: security
Severity: moderate
References: 1256834,1256835,1256836,1256837,1256838,1256839,1256840,CVE-2025-68160,CVE-2025-69418,CVE-2025-69419,CVE-2025-69420,CVE-2025-69421,CVE-2026-22795,CVE-2026-22796

This update for openssl-1_1 fixes the following issues:

- CVE-2026-22795: Missing ASN1_TYPE validation in PKCS#12 parsing (bsc#1256839).
- CVE-2025-69420: Missing ASN1_TYPE validation in TS_RESP_verify_response() function (bsc#1256837).
- CVE-2025-69421: NULL Pointer Dereference in PKCS12_item_decrypt_d2i_ex function (bsc#1256838).
- CVE-2026-22796: ASN1_TYPE Type Confusion in the PKCS7_digest_from_attributes() function (bsc#1256840).
- CVE-2025-68160: Heap out-of-bounds write in BIO_f_linebuffer on short writes (bsc#1256834).
- CVE-2025-69418: Unauthenticated/unencrypted trailing bytes with low-level OCB function calls (bsc#1256835).
- CVE-2025-69419: Out of bounds write in PKCS12_get_friendlyname() UTF-8 conversion (bsc#1256836).

The following package changes have been done:

- libopenssl1_1-1.1.1w-150700.11.11.1 updated
- container:registry.suse.com-bci-bci-base-15.7-f9184822761ad484aca07587791f6b9d7abdb9a0b5cb88d5017f8891d8d8b001-0 updated

From sle-container-updates at lists.suse.com Fri Jan 30 08:19:53 2026
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Fri, 30 Jan 2026 09:19:53 +0100 (CET)
Subject: SUSE-CU-2026:479-1: Security update of bci/dotnet-aspnet
Message-ID: <20260130081953.CF304FCDB@maintenance.suse.de>

SUSE Container Update Advisory: bci/dotnet-aspnet
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2026:479-1
Container Tags : bci/dotnet-aspnet:9.0 , bci/dotnet-aspnet:9.0.12 , bci/dotnet-aspnet:9.0.12-39.5
Container Release : 39.5
Severity : moderate
Type : security
References : 1256834 1256835 1256836 1256837 1256838 1256839 1256840 CVE-2025-68160 CVE-2025-69418 CVE-2025-69419 CVE-2025-69420 CVE-2025-69421 CVE-2026-22795 CVE-2026-22796
-----------------------------------------------------------------

The container bci/dotnet-aspnet was updated.
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2026:331-1 Released: Wed Jan 28 18:12:49 2026 Summary: Security update for openssl-1_1 Type: security Severity: moderate References: 1256834,1256835,1256836,1256837,1256838,1256839,1256840,CVE-2025-68160,CVE-2025-69418,CVE-2025-69419,CVE-2025-69420,CVE-2025-69421,CVE-2026-22795,CVE-2026-22796 This update for openssl-1_1 fixes the following issues: - CVE-2026-22795: Missing ASN1_TYPE validation in PKCS#12 parsing (bsc#1256839). - CVE-2025-69420: Missing ASN1_TYPE validation in TS_RESP_verify_response() function (bsc#1256837). - CVE-2025-69421: NULL Pointer Dereference in PKCS12_item_decrypt_d2i_ex function (bsc#1256838). - CVE-2026-22796: ASN1_TYPE Type Confusion in the PKCS7_digest_from_attributes() function (bsc#1256840). - CVE-2025-68160: Heap out-of-bounds write in BIO_f_linebuffer on short writes (bsc#1256834). - CVE-2025-69418: Unauthenticated/unencrypted trailing bytes with low-level OCB function calls (bsc#1256835). - CVE-2025-69419: Out of bounds write in PKCS12_get_friendlyname() UTF-8 conversion (bsc#1256836). 
The following package changes have been done: - libopenssl1_1-1.1.1w-150700.11.11.1 updated - container:registry.suse.com-bci-bci-base-15.7-f9184822761ad484aca07587791f6b9d7abdb9a0b5cb88d5017f8891d8d8b001-0 updated From sle-container-updates at lists.suse.com Fri Jan 30 08:20:10 2026 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Fri, 30 Jan 2026 09:20:10 +0100 (CET) Subject: SUSE-CU-2026:480-1: Security update of suse/bind Message-ID: <20260130082010.33176FCDB@maintenance.suse.de> SUSE Container Update Advisory: suse/bind ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2026:480-1 Container Tags : suse/bind:9 , suse/bind:9.20 , suse/bind:9.20.15 , suse/bind:9.20.15-71.8 , suse/bind:latest Container Release : 71.8 Severity : critical Type : security References : 1256830 1256834 1256835 1256836 1256837 1256838 1256839 1256840 CVE-2025-15467 CVE-2025-68160 CVE-2025-69418 CVE-2025-69419 CVE-2025-69420 CVE-2025-69421 CVE-2026-22795 CVE-2026-22796 ----------------------------------------------------------------- The container suse/bind was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2026:309-1 Released: Wed Jan 28 10:36:32 2026 Summary: Security update for openssl-3 Type: security Severity: critical References: 1256830,1256834,1256835,1256836,1256837,1256838,1256839,1256840,CVE-2025-15467,CVE-2025-68160,CVE-2025-69418,CVE-2025-69419,CVE-2025-69420,CVE-2025-69421,CVE-2026-22795,CVE-2026-22796 This update for openssl-3 fixes the following issues: - CVE-2025-15467: Stack buffer overflow in CMS AuthEnvelopedData parsing (bsc#1256830). - CVE-2025-68160: Heap out-of-bounds write in BIO_f_linebuffer on short writes (bsc#1256834). - CVE-2025-69418: Unauthenticated/unencrypted trailing bytes with low-level OCB function calls (bsc#1256835). 
- CVE-2025-69419: Out of bounds write in PKCS12_get_friendlyname() UTF-8 conversion (bsc#1256836). - CVE-2025-69420: Missing ASN1_TYPE validation in TS_RESP_verify_response() function (bsc#1256837). - CVE-2025-69421: NULL Pointer Dereference in PKCS12_item_decrypt_d2i_ex function (bsc#1256838). - CVE-2026-22795: Missing ASN1_TYPE validation in PKCS#12 parsing (bsc#1256839). - CVE-2026-22796: ASN1_TYPE Type Confusion in the PKCS7_digest_from_attributes() function (bsc#1256840). The following package changes have been done: - libopenssl3-3.2.3-150700.5.24.1 updated - libopenssl-3-fips-provider-3.2.3-150700.5.24.1 updated - container:suse-sle15-15.7-9efe2e5a6c38d2f8c0921b1f30f01a84e5a8a968aaa4132bec532c8be84037c1-0 updated From sle-container-updates at lists.suse.com Fri Jan 30 08:20:18 2026 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Fri, 30 Jan 2026 09:20:18 +0100 (CET) Subject: SUSE-CU-2026:481-1: Security update of bci/bci-busybox Message-ID: <20260130082018.222BAFCDB@maintenance.suse.de> SUSE Container Update Advisory: bci/bci-busybox ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2026:481-1 Container Tags : bci/bci-busybox:15.7 , bci/bci-busybox:15.7-19.8 , bci/bci-busybox:latest Container Release : 19.8 Severity : important Type : security References : 1236670 1241661 1249237 1253245 CVE-2025-46394 CVE-2025-60876 ----------------------------------------------------------------- The container bci/bci-busybox was updated. 
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2026:235-1 Released: Thu Jan 22 13:25:01 2026 Summary: Security update for busybox Type: security Severity: important References: 1236670,1241661,1249237,1253245,CVE-2025-46394,CVE-2025-60876 This update for busybox fixes the following issues: Security issues: - CVE-2025-46394: Fixed tar hidden files via escape sequence (CVE-2025-46394, bsc#1241661) - CVE-2025-60876: Fixed HTTP request header injection in wget (CVE-2025-60876, bsc#1253245) Other issues: - Set CONFIG_FIRST_SYSTEM_ID to 201 to avoid conflict (bsc#1236670) - Fixed unshare -mrpf sh core dump on ppc64le (bsc#1249237) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2026:322-1 Released: Wed Jan 28 15:40:25 2026 Summary: Recommended update for busybox Type: recommended Severity: moderate References: This update for busybox ships missing subpackages.
The following package changes have been done: - busybox-1.37.0-150700.18.12.1 updated - busybox-xz-1.37.0-150700.12.9.2 updated - busybox-whois-1.37.0-150700.12.9.2 updated - busybox-which-1.37.0-150700.12.9.2 updated - busybox-wget-1.37.0-150700.12.9.2 updated - busybox-vlan-1.37.0-150700.12.9.2 updated - busybox-vi-1.37.0-150700.12.9.2 updated - busybox-util-linux-1.37.0-150700.12.9.2 updated - busybox-unzip-1.37.0-150700.12.9.2 updated - busybox-udhcpc-1.37.0-150700.12.9.2 updated - busybox-tunctl-1.37.0-150700.12.9.2 updated - busybox-traceroute-1.37.0-150700.12.9.2 updated - busybox-time-1.37.0-150700.12.9.2 updated - busybox-tftp-1.37.0-150700.12.9.2 updated - busybox-telnet-1.37.0-150700.12.9.2 updated - busybox-tar-1.37.0-150700.12.9.2 updated - busybox-sysvinit-tools-1.37.0-150700.12.9.2 updated - busybox-syslogd-1.37.0-150700.12.9.2 updated - busybox-sharutils-1.37.0-150700.12.9.2 updated - busybox-sha3sum-1.37.0-150700.12.9.2 updated - busybox-sh-1.37.0-150700.12.9.2 updated - busybox-sendmail-1.37.0-150700.12.9.2 updated - busybox-selinux-tools-1.37.0-150700.12.9.2 updated - busybox-sed-1.37.0-150700.12.9.2 updated - busybox-psmisc-1.37.0-150700.12.9.2 updated - busybox-procps-1.37.0-150700.12.9.2 updated - busybox-policycoreutils-1.37.0-150700.12.9.2 updated - busybox-patch-1.37.0-150700.12.9.2 updated - busybox-netcat-1.37.0-150700.12.9.2 updated - busybox-net-tools-1.37.0-150700.12.9.2 updated - busybox-ncurses-utils-1.37.0-150700.12.9.2 updated - busybox-misc-1.37.0-150700.12.9.2 updated - busybox-man-1.37.0-150700.12.9.2 updated - busybox-less-1.37.0-150700.12.9.2 updated - busybox-kbd-1.37.0-150700.12.9.2 updated - busybox-iputils-1.37.0-150700.12.9.2 updated - busybox-iproute2-1.37.0-150700.12.9.2 updated - busybox-hostname-1.37.0-150700.12.9.2 updated - busybox-hexedit-1.37.0-150700.12.9.2 updated - busybox-grep-1.37.0-150700.12.9.2 updated - busybox-gawk-1.37.0-150700.12.9.2 updated - busybox-findutils-1.37.0-150700.12.9.2 updated - 
busybox-ed-1.37.0-150700.12.9.2 updated - busybox-dos2unix-1.37.0-150700.12.9.2 updated - busybox-diffutils-1.37.0-150700.12.9.2 updated - busybox-cpio-1.37.0-150700.12.9.2 updated - busybox-coreutils-1.37.0-150700.12.9.2 updated - busybox-bzip2-1.37.0-150700.12.9.2 updated - busybox-bind-utils-1.37.0-150700.12.9.2 updated - busybox-bc-1.37.0-150700.12.9.2 updated - busybox-attr-1.37.0-150700.12.9.2 updated - busybox-gzip-1.37.0-150700.12.9.2 updated - busybox-adduser-1.37.0-150700.12.9.2 updated - busybox-links-1.37.0-150700.12.9.2 updated - container:bci-bci-base-15.7-f9184822761ad484aca07587791f6b9d7abdb9a0b5cb88d5017f8891d8d8b001-0 added From sle-container-updates at lists.suse.com Fri Jan 30 08:20:31 2026 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Fri, 30 Jan 2026 09:20:31 +0100 (CET) Subject: SUSE-CU-2026:482-1: Security update of suse/registry Message-ID: <20260130082031.23B76FCDB@maintenance.suse.de> SUSE Container Update Advisory: suse/registry ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2026:482-1 Container Tags : suse/registry:2.8 , suse/registry:2.8 , suse/registry:2.8-21.9 , suse/registry:latest Container Release : 21.9 Severity : critical Type : security References : 1256830 1256834 1256835 1256836 1256837 1256838 1256839 1256840 CVE-2025-15467 CVE-2025-68160 CVE-2025-69418 CVE-2025-69419 CVE-2025-69420 CVE-2025-69421 CVE-2026-22795 CVE-2026-22796 ----------------------------------------------------------------- The container suse/registry was updated. 
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2026:309-1 Released: Wed Jan 28 10:36:32 2026 Summary: Security update for openssl-3 Type: security Severity: critical References: 1256830,1256834,1256835,1256836,1256837,1256838,1256839,1256840,CVE-2025-15467,CVE-2025-68160,CVE-2025-69418,CVE-2025-69419,CVE-2025-69420,CVE-2025-69421,CVE-2026-22795,CVE-2026-22796 This update for openssl-3 fixes the following issues: - CVE-2025-15467: Stack buffer overflow in CMS AuthEnvelopedData parsing (bsc#1256830). - CVE-2025-68160: Heap out-of-bounds write in BIO_f_linebuffer on short writes (bsc#1256834). - CVE-2025-69418: Unauthenticated/unencrypted trailing bytes with low-level OCB function calls (bsc#1256835). - CVE-2025-69419: Out of bounds write in PKCS12_get_friendlyname() UTF-8 conversion (bsc#1256836). - CVE-2025-69420: Missing ASN1_TYPE validation in TS_RESP_verify_response() function (bsc#1256837). - CVE-2025-69421: NULL Pointer Dereference in PKCS12_item_decrypt_d2i_ex function (bsc#1256838). - CVE-2026-22795: Missing ASN1_TYPE validation in PKCS#12 parsing (bsc#1256839). - CVE-2026-22796: ASN1_TYPE Type Confusion in the PKCS7_digest_from_attributes() function (bsc#1256840). 
The following package changes have been done: - libopenssl3-3.2.3-150700.5.24.1 updated - openssl-3-3.2.3-150700.5.24.1 updated - libopenssl-3-fips-provider-3.2.3-150700.5.24.1 updated - container:suse-sle15-15.7-9efe2e5a6c38d2f8c0921b1f30f01a84e5a8a968aaa4132bec532c8be84037c1-0 updated From sle-container-updates at lists.suse.com Fri Jan 30 08:20:38 2026 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Fri, 30 Jan 2026 09:20:38 +0100 (CET) Subject: SUSE-CU-2026:483-1: Security update of bci/dotnet-sdk Message-ID: <20260130082038.2508DFCDB@maintenance.suse.de> SUSE Container Update Advisory: bci/dotnet-sdk ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2026:483-1 Container Tags : bci/dotnet-sdk:10.0 , bci/dotnet-sdk:10.0.2 , bci/dotnet-sdk:10.0.2-8.5 , bci/dotnet-sdk:latest Container Release : 8.5 Severity : moderate Type : security References : 1256834 1256835 1256836 1256837 1256838 1256839 1256840 CVE-2025-68160 CVE-2025-69418 CVE-2025-69419 CVE-2025-69420 CVE-2025-69421 CVE-2026-22795 CVE-2026-22796 ----------------------------------------------------------------- The container bci/dotnet-sdk was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2026:331-1 Released: Wed Jan 28 18:12:49 2026 Summary: Security update for openssl-1_1 Type: security Severity: moderate References: 1256834,1256835,1256836,1256837,1256838,1256839,1256840,CVE-2025-68160,CVE-2025-69418,CVE-2025-69419,CVE-2025-69420,CVE-2025-69421,CVE-2026-22795,CVE-2026-22796 This update for openssl-1_1 fixes the following issues: - CVE-2026-22795: Missing ASN1_TYPE validation in PKCS#12 parsing (bsc#1256839). - CVE-2025-69420: Missing ASN1_TYPE validation in TS_RESP_verify_response() function (bsc#1256837). - CVE-2025-69421: NULL Pointer Dereference in PKCS12_item_decrypt_d2i_ex function (bsc#1256838). 
- CVE-2026-22796: ASN1_TYPE Type Confusion in the PKCS7_digest_from_attributes() function (bsc#1256840). - CVE-2025-68160: Heap out-of-bounds write in BIO_f_linebuffer on short writes (bsc#1256834). - CVE-2025-69418: Unauthenticated/unencrypted trailing bytes with low-level OCB function calls (bsc#1256835). - CVE-2025-69419: Out of bounds write in PKCS12_get_friendlyname() UTF-8 conversion (bsc#1256836). The following package changes have been done: - libopenssl1_1-1.1.1w-150700.11.11.1 updated - container:registry.suse.com-bci-bci-base-15.7-f9184822761ad484aca07587791f6b9d7abdb9a0b5cb88d5017f8891d8d8b001-0 updated From sle-container-updates at lists.suse.com Fri Jan 30 08:21:03 2026 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Fri, 30 Jan 2026 09:21:03 +0100 (CET) Subject: SUSE-CU-2026:484-1: Security update of bci/dotnet-sdk Message-ID: <20260130082103.57AF7FCDB@maintenance.suse.de> SUSE Container Update Advisory: bci/dotnet-sdk ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2026:484-1 Container Tags : bci/dotnet-sdk:8.0 , bci/dotnet-sdk:8.0.23 , bci/dotnet-sdk:8.0.23-80.5 Container Release : 80.5 Severity : moderate Type : security References : 1256834 1256835 1256836 1256837 1256838 1256839 1256840 CVE-2025-68160 CVE-2025-69418 CVE-2025-69419 CVE-2025-69420 CVE-2025-69421 CVE-2026-22795 CVE-2026-22796 ----------------------------------------------------------------- The container bci/dotnet-sdk was updated. 
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2026:331-1 Released: Wed Jan 28 18:12:49 2026 Summary: Security update for openssl-1_1 Type: security Severity: moderate References: 1256834,1256835,1256836,1256837,1256838,1256839,1256840,CVE-2025-68160,CVE-2025-69418,CVE-2025-69419,CVE-2025-69420,CVE-2025-69421,CVE-2026-22795,CVE-2026-22796 This update for openssl-1_1 fixes the following issues: - CVE-2026-22795: Missing ASN1_TYPE validation in PKCS#12 parsing (bsc#1256839). - CVE-2025-69420: Missing ASN1_TYPE validation in TS_RESP_verify_response() function (bsc#1256837). - CVE-2025-69421: NULL Pointer Dereference in PKCS12_item_decrypt_d2i_ex function (bsc#1256838). - CVE-2026-22796: ASN1_TYPE Type Confusion in the PKCS7_digest_from_attributes() function (bsc#1256840). - CVE-2025-68160: Heap out-of-bounds write in BIO_f_linebuffer on short writes (bsc#1256834). - CVE-2025-69418: Unauthenticated/unencrypted trailing bytes with low-level OCB function calls (bsc#1256835). - CVE-2025-69419: Out of bounds write in PKCS12_get_friendlyname() UTF-8 conversion (bsc#1256836). 
The following package changes have been done: - libopenssl1_1-1.1.1w-150700.11.11.1 updated - container:registry.suse.com-bci-bci-base-15.7-f9184822761ad484aca07587791f6b9d7abdb9a0b5cb88d5017f8891d8d8b001-0 updated From sle-container-updates at lists.suse.com Fri Jan 30 08:21:27 2026 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Fri, 30 Jan 2026 09:21:27 +0100 (CET) Subject: SUSE-CU-2026:485-1: Security update of bci/dotnet-sdk Message-ID: <20260130082127.8525EFCDB@maintenance.suse.de> SUSE Container Update Advisory: bci/dotnet-sdk ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2026:485-1 Container Tags : bci/dotnet-sdk:9.0 , bci/dotnet-sdk:9.0.12 , bci/dotnet-sdk:9.0.12-41.5 Container Release : 41.5 Severity : moderate Type : security References : 1256834 1256835 1256836 1256837 1256838 1256839 1256840 CVE-2025-68160 CVE-2025-69418 CVE-2025-69419 CVE-2025-69420 CVE-2025-69421 CVE-2026-22795 CVE-2026-22796 ----------------------------------------------------------------- The container bci/dotnet-sdk was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2026:331-1 Released: Wed Jan 28 18:12:49 2026 Summary: Security update for openssl-1_1 Type: security Severity: moderate References: 1256834,1256835,1256836,1256837,1256838,1256839,1256840,CVE-2025-68160,CVE-2025-69418,CVE-2025-69419,CVE-2025-69420,CVE-2025-69421,CVE-2026-22795,CVE-2026-22796 This update for openssl-1_1 fixes the following issues: - CVE-2026-22795: Missing ASN1_TYPE validation in PKCS#12 parsing (bsc#1256839). - CVE-2025-69420: Missing ASN1_TYPE validation in TS_RESP_verify_response() function (bsc#1256837). - CVE-2025-69421: NULL Pointer Dereference in PKCS12_item_decrypt_d2i_ex function (bsc#1256838). 
- CVE-2026-22796: ASN1_TYPE Type Confusion in the PKCS7_digest_from_attributes() function (bsc#1256840). - CVE-2025-68160: Heap out-of-bounds write in BIO_f_linebuffer on short writes (bsc#1256834). - CVE-2025-69418: Unauthenticated/unencrypted trailing bytes with low-level OCB function calls (bsc#1256835). - CVE-2025-69419: Out of bounds write in PKCS12_get_friendlyname() UTF-8 conversion (bsc#1256836). The following package changes have been done: - libopenssl1_1-1.1.1w-150700.11.11.1 updated - container:registry.suse.com-bci-bci-base-15.7-f9184822761ad484aca07587791f6b9d7abdb9a0b5cb88d5017f8891d8d8b001-0 updated From sle-container-updates at lists.suse.com Fri Jan 30 08:21:34 2026 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Fri, 30 Jan 2026 09:21:34 +0100 (CET) Subject: SUSE-CU-2026:486-1: Security update of bci/dotnet-runtime Message-ID: <20260130082134.CF1E0FCDB@maintenance.suse.de> SUSE Container Update Advisory: bci/dotnet-runtime ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2026:486-1 Container Tags : bci/dotnet-runtime:10.0 , bci/dotnet-runtime:10.0.2 , bci/dotnet-runtime:10.0.2-8.5 , bci/dotnet-runtime:latest Container Release : 8.5 Severity : moderate Type : security References : 1256834 1256835 1256836 1256837 1256838 1256839 1256840 CVE-2025-68160 CVE-2025-69418 CVE-2025-69419 CVE-2025-69420 CVE-2025-69421 CVE-2026-22795 CVE-2026-22796 ----------------------------------------------------------------- The container bci/dotnet-runtime was updated. 
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2026:331-1 Released: Wed Jan 28 18:12:49 2026 Summary: Security update for openssl-1_1 Type: security Severity: moderate References: 1256834,1256835,1256836,1256837,1256838,1256839,1256840,CVE-2025-68160,CVE-2025-69418,CVE-2025-69419,CVE-2025-69420,CVE-2025-69421,CVE-2026-22795,CVE-2026-22796 This update for openssl-1_1 fixes the following issues: - CVE-2026-22795: Missing ASN1_TYPE validation in PKCS#12 parsing (bsc#1256839). - CVE-2025-69420: Missing ASN1_TYPE validation in TS_RESP_verify_response() function (bsc#1256837). - CVE-2025-69421: NULL Pointer Dereference in PKCS12_item_decrypt_d2i_ex function (bsc#1256838). - CVE-2026-22796: ASN1_TYPE Type Confusion in the PKCS7_digest_from_attributes() function (bsc#1256840). - CVE-2025-68160: Heap out-of-bounds write in BIO_f_linebuffer on short writes (bsc#1256834). - CVE-2025-69418: Unauthenticated/unencrypted trailing bytes with low-level OCB function calls (bsc#1256835). - CVE-2025-69419: Out of bounds write in PKCS12_get_friendlyname() UTF-8 conversion (bsc#1256836). 
The following package changes have been done: - libopenssl1_1-1.1.1w-150700.11.11.1 updated - container:registry.suse.com-bci-bci-base-15.7-f9184822761ad484aca07587791f6b9d7abdb9a0b5cb88d5017f8891d8d8b001-0 updated From sle-container-updates at lists.suse.com Fri Jan 30 08:22:00 2026 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Fri, 30 Jan 2026 09:22:00 +0100 (CET) Subject: SUSE-CU-2026:487-1: Security update of bci/dotnet-runtime Message-ID: <20260130082200.09DD9FCDB@maintenance.suse.de> SUSE Container Update Advisory: bci/dotnet-runtime ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2026:487-1 Container Tags : bci/dotnet-runtime:8.0 , bci/dotnet-runtime:8.0.23 , bci/dotnet-runtime:8.0.23-80.5 Container Release : 80.5 Severity : moderate Type : security References : 1256834 1256835 1256836 1256837 1256838 1256839 1256840 CVE-2025-68160 CVE-2025-69418 CVE-2025-69419 CVE-2025-69420 CVE-2025-69421 CVE-2026-22795 CVE-2026-22796 ----------------------------------------------------------------- The container bci/dotnet-runtime was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2026:331-1 Released: Wed Jan 28 18:12:49 2026 Summary: Security update for openssl-1_1 Type: security Severity: moderate References: 1256834,1256835,1256836,1256837,1256838,1256839,1256840,CVE-2025-68160,CVE-2025-69418,CVE-2025-69419,CVE-2025-69420,CVE-2025-69421,CVE-2026-22795,CVE-2026-22796 This update for openssl-1_1 fixes the following issues: - CVE-2026-22795: Missing ASN1_TYPE validation in PKCS#12 parsing (bsc#1256839). - CVE-2025-69420: Missing ASN1_TYPE validation in TS_RESP_verify_response() function (bsc#1256837). - CVE-2025-69421: NULL Pointer Dereference in PKCS12_item_decrypt_d2i_ex function (bsc#1256838). 
- CVE-2026-22796: ASN1_TYPE Type Confusion in the PKCS7_digest_from_attributes() function (bsc#1256840). - CVE-2025-68160: Heap out-of-bounds write in BIO_f_linebuffer on short writes (bsc#1256834). - CVE-2025-69418: Unauthenticated/unencrypted trailing bytes with low-level OCB function calls (bsc#1256835). - CVE-2025-69419: Out of bounds write in PKCS12_get_friendlyname() UTF-8 conversion (bsc#1256836). The following package changes have been done: - libopenssl1_1-1.1.1w-150700.11.11.1 updated - container:registry.suse.com-bci-bci-base-15.7-f9184822761ad484aca07587791f6b9d7abdb9a0b5cb88d5017f8891d8d8b001-0 updated From sle-container-updates at lists.suse.com Fri Jan 30 08:22:23 2026 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Fri, 30 Jan 2026 09:22:23 +0100 (CET) Subject: SUSE-CU-2026:488-1: Security update of bci/dotnet-runtime Message-ID: <20260130082223.3705EFCDB@maintenance.suse.de> SUSE Container Update Advisory: bci/dotnet-runtime ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2026:488-1 Container Tags : bci/dotnet-runtime:9.0 , bci/dotnet-runtime:9.0.12 , bci/dotnet-runtime:9.0.12-39.5 Container Release : 39.5 Severity : moderate Type : security References : 1256834 1256835 1256836 1256837 1256838 1256839 1256840 CVE-2025-68160 CVE-2025-69418 CVE-2025-69419 CVE-2025-69420 CVE-2025-69421 CVE-2026-22795 CVE-2026-22796 ----------------------------------------------------------------- The container bci/dotnet-runtime was updated. 
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2026:331-1 Released: Wed Jan 28 18:12:49 2026 Summary: Security update for openssl-1_1 Type: security Severity: moderate References: 1256834,1256835,1256836,1256837,1256838,1256839,1256840,CVE-2025-68160,CVE-2025-69418,CVE-2025-69419,CVE-2025-69420,CVE-2025-69421,CVE-2026-22795,CVE-2026-22796 This update for openssl-1_1 fixes the following issues: - CVE-2026-22795: Missing ASN1_TYPE validation in PKCS#12 parsing (bsc#1256839). - CVE-2025-69420: Missing ASN1_TYPE validation in TS_RESP_verify_response() function (bsc#1256837). - CVE-2025-69421: NULL Pointer Dereference in PKCS12_item_decrypt_d2i_ex function (bsc#1256838). - CVE-2026-22796: ASN1_TYPE Type Confusion in the PKCS7_digest_from_attributes() function (bsc#1256840). - CVE-2025-68160: Heap out-of-bounds write in BIO_f_linebuffer on short writes (bsc#1256834). - CVE-2025-69418: Unauthenticated/unencrypted trailing bytes with low-level OCB function calls (bsc#1256835). - CVE-2025-69419: Out of bounds write in PKCS12_get_friendlyname() UTF-8 conversion (bsc#1256836). 
The following package changes have been done: - libopenssl1_1-1.1.1w-150700.11.11.1 updated - container:registry.suse.com-bci-bci-base-15.7-f9184822761ad484aca07587791f6b9d7abdb9a0b5cb88d5017f8891d8d8b001-0 updated From sle-container-updates at lists.suse.com Fri Jan 30 08:22:48 2026 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Fri, 30 Jan 2026 09:22:48 +0100 (CET) Subject: SUSE-CU-2026:489-1: Security update of bci/gcc Message-ID: <20260130082248.427A4FCDB@maintenance.suse.de> SUSE Container Update Advisory: bci/gcc ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2026:489-1 Container Tags : bci/gcc:14 , bci/gcc:14.3 , bci/gcc:14.3-17.12 , bci/gcc:latest Container Release : 17.12 Severity : critical Type : security References : 1251224 1256105 1256830 1256834 1256835 1256836 1256837 1256838 1256839 1256840 1257049 CVE-2025-14017 CVE-2025-15467 CVE-2025-68160 CVE-2025-69418 CVE-2025-69419 CVE-2025-69420 CVE-2025-69421 CVE-2026-0988 CVE-2026-22795 CVE-2026-22796 ----------------------------------------------------------------- The container bci/gcc was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2026:221-1 Released: Thu Jan 22 13:15:35 2026 Summary: Security update for curl Type: security Severity: moderate References: 1256105,CVE-2025-14017 This update for curl fixes the following issues: - CVE-2025-14017: Fixed broken TLS options for threaded LDAPS (bsc#1256105). 
----------------------------------------------------------------- Advisory ID: SUSE-RU-2026:242-1 Released: Thu Jan 22 14:57:13 2026 Summary: Recommended update for git Type: recommended Severity: moderate References: 1251224 This update for git fixes the following issue: - Revert incorrect AppArmor profile change, in SLE 15 the binaries remain in /usr/lib/git (bsc#1251224) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2026:286-1 Released: Sat Jan 24 00:35:35 2026 Summary: Security update for glib2 Type: security Severity: low References: 1257049,CVE-2026-0988 This update for glib2 fixes the following issues: - CVE-2026-0988: Fixed a potential integer overflow in g_buffered_input_stream_peek (bsc#1257049). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2026:309-1 Released: Wed Jan 28 10:36:32 2026 Summary: Security update for openssl-3 Type: security Severity: critical References: 1256830,1256834,1256835,1256836,1256837,1256838,1256839,1256840,CVE-2025-15467,CVE-2025-68160,CVE-2025-69418,CVE-2025-69419,CVE-2025-69420,CVE-2025-69421,CVE-2026-22795,CVE-2026-22796 This update for openssl-3 fixes the following issues: - CVE-2025-15467: Stack buffer overflow in CMS AuthEnvelopedData parsing (bsc#1256830). - CVE-2025-68160: Heap out-of-bounds write in BIO_f_linebuffer on short writes (bsc#1256834). - CVE-2025-69418: Unauthenticated/unencrypted trailing bytes with low-level OCB function calls (bsc#1256835). - CVE-2025-69419: Out of bounds write in PKCS12_get_friendlyname() UTF-8 conversion (bsc#1256836). - CVE-2025-69420: Missing ASN1_TYPE validation in TS_RESP_verify_response() function (bsc#1256837). - CVE-2025-69421: NULL Pointer Dereference in PKCS12_item_decrypt_d2i_ex function (bsc#1256838). - CVE-2026-22795: Missing ASN1_TYPE validation in PKCS#12 parsing (bsc#1256839). - CVE-2026-22796: ASN1_TYPE Type Confusion in the PKCS7_digest_from_attributes() function (bsc#1256840). 
The following package changes have been done: - libopenssl3-3.2.3-150700.5.24.1 updated - libopenssl-3-fips-provider-3.2.3-150700.5.24.1 updated - libglib-2_0-0-2.78.6-150600.4.28.1 updated - libcurl4-8.14.1-150700.7.11.1 updated - curl-8.14.1-150700.7.11.1 updated - git-core-2.51.0-150600.3.15.1 updated - container:registry.suse.com-bci-bci-base-15.7-f9184822761ad484aca07587791f6b9d7abdb9a0b5cb88d5017f8891d8d8b001-0 updated From sle-container-updates at lists.suse.com Fri Jan 30 08:23:07 2026 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Fri, 30 Jan 2026 09:23:07 +0100 (CET) Subject: SUSE-CU-2026:490-1: Security update of suse/git Message-ID: <20260130082307.3F60FFCDB@maintenance.suse.de> SUSE Container Update Advisory: suse/git ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2026:490-1 Container Tags : suse/git:2 , suse/git:2.51 , suse/git:2.51.0 , suse/git:2.51.0-66.11 , suse/git:latest Container Release : 66.11 Severity : critical Type : security References : 1256830 1256834 1256835 1256836 1256837 1256838 1256839 1256840 CVE-2025-15467 CVE-2025-68160 CVE-2025-69418 CVE-2025-69419 CVE-2025-69420 CVE-2025-69421 CVE-2026-22795 CVE-2026-22796 ----------------------------------------------------------------- The container suse/git was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2026:309-1 Released: Wed Jan 28 10:36:32 2026 Summary: Security update for openssl-3 Type: security Severity: critical References: 1256830,1256834,1256835,1256836,1256837,1256838,1256839,1256840,CVE-2025-15467,CVE-2025-68160,CVE-2025-69418,CVE-2025-69419,CVE-2025-69420,CVE-2025-69421,CVE-2026-22795,CVE-2026-22796 This update for openssl-3 fixes the following issues: - CVE-2025-15467: Stack buffer overflow in CMS AuthEnvelopedData parsing (bsc#1256830). 
- CVE-2025-68160: Heap out-of-bounds write in BIO_f_linebuffer on short writes (bsc#1256834). - CVE-2025-69418: Unauthenticated/unencrypted trailing bytes with low-level OCB function calls (bsc#1256835). - CVE-2025-69419: Out of bounds write in PKCS12_get_friendlyname() UTF-8 conversion (bsc#1256836). - CVE-2025-69420: Missing ASN1_TYPE validation in TS_RESP_verify_response() function (bsc#1256837). - CVE-2025-69421: NULL Pointer Dereference in PKCS12_item_decrypt_d2i_ex function (bsc#1256838). - CVE-2026-22795: Missing ASN1_TYPE validation in PKCS#12 parsing (bsc#1256839). - CVE-2026-22796: ASN1_TYPE Type Confusion in the PKCS7_digest_from_attributes() function (bsc#1256840). The following package changes have been done: - libopenssl3-3.2.3-150700.5.24.1 updated - libopenssl-3-fips-provider-3.2.3-150700.5.24.1 updated - container:suse-sle15-15.7-9efe2e5a6c38d2f8c0921b1f30f01a84e5a8a968aaa4132bec532c8be84037c1-0 updated From sle-container-updates at lists.suse.com Fri Jan 30 08:23:35 2026 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Fri, 30 Jan 2026 09:23:35 +0100 (CET) Subject: SUSE-CU-2026:491-1: Security update of bci/golang Message-ID: <20260130082335.B6BF3FCDB@maintenance.suse.de> SUSE Container Update Advisory: bci/golang ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2026:491-1 Container Tags : bci/golang:1.24 , bci/golang:1.24.12 , bci/golang:1.24.12-2.78.12 , bci/golang:oldstable , bci/golang:oldstable-2.78.12 Container Release : 78.12 Severity : critical Type : security References : 1236217 1251224 1256105 1256816 1256817 1256818 1256819 1256820 1256821 1256830 1256834 1256835 1256836 1256837 1256838 1256839 1256840 1257049 CVE-2025-14017 CVE-2025-15467 CVE-2025-61726 CVE-2025-61728 CVE-2025-61730 CVE-2025-61731 CVE-2025-68119 CVE-2025-68121 CVE-2025-68160 CVE-2025-69418 CVE-2025-69419 CVE-2025-69420 CVE-2025-69421 CVE-2026-0988 CVE-2026-22795 
CVE-2026-22796 ----------------------------------------------------------------- The container bci/golang was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2026:219-1 Released: Thu Jan 22 13:13:43 2026 Summary: Security update for go1.24 Type: security Severity: important References: 1236217,1256816,1256817,1256818,1256819,1256820,1256821,CVE-2025-61726,CVE-2025-61728,CVE-2025-61730,CVE-2025-61731,CVE-2025-68119,CVE-2025-68121 This update for go1.24 fixes the following issues: Update to go1.24.12 (released 2026-01-15) (bsc#1236217) Security fixes: - CVE-2025-61730: crypto/tls: handshake messages may be processed at the incorrect encryption level (bsc#1256821). - CVE-2025-68119: cmd/go: unexpected code execution when invoking toolchain (bsc#1256820). - CVE-2025-61731: cmd/go: bypass of flag sanitization can lead to arbitrary code execution (bsc#1256819). - CVE-2025-61726: net/http: memory exhaustion in Request.ParseForm (bsc#1256817). - CVE-2025-61728: archive/zip: denial of service when parsing arbitrary ZIP archives (bsc#1256816). - CVE-2025-68121: crypto/tls: Config.Clone copies automatically generated session ticket keys, session resumption does not account for the expiration of full certificate chain (bsc#1256818). 
Other fixes: * go#76408 crypto/tls: earlyTrafficSecret should use ClientHelloInner if ECH enabled * go#76624 os: on Unix, Readdirnames skips directory entries with zero inodes * go#76760 runtime: stack split at bad time in os/signal with Go 1.25.4 windows 386 * go#76796 runtime: race detector crash on ppc64le * go#76966 cmd/compile/internal/ssa: Compile.func1(): panic during sccp while compiling <function>: runtime error: index out of range ----------------------------------------------------------------- Advisory ID: SUSE-SU-2026:221-1 Released: Thu Jan 22 13:15:35 2026 Summary: Security update for curl Type: security Severity: moderate References: 1256105,CVE-2025-14017 This update for curl fixes the following issues: - CVE-2025-14017: Fixed broken TLS options for threaded LDAPS (bsc#1256105). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2026:242-1 Released: Thu Jan 22 14:57:13 2026 Summary: Recommended update for git Type: recommended Severity: moderate References: 1251224 This update for git fixes the following issue: - Revert incorrect AppArmor profile change, in SLE 15 the binaries remain in /usr/lib/git (bsc#1251224) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2026:286-1 Released: Sat Jan 24 00:35:35 2026 Summary: Security update for glib2 Type: security Severity: low References: 1257049,CVE-2026-0988 This update for glib2 fixes the following issues: - CVE-2026-0988: Fixed a potential integer overflow in g_buffered_input_stream_peek (bsc#1257049). 
----------------------------------------------------------------- Advisory ID: SUSE-SU-2026:309-1 Released: Wed Jan 28 10:36:32 2026 Summary: Security update for openssl-3 Type: security Severity: critical References: 1256830,1256834,1256835,1256836,1256837,1256838,1256839,1256840,CVE-2025-15467,CVE-2025-68160,CVE-2025-69418,CVE-2025-69419,CVE-2025-69420,CVE-2025-69421,CVE-2026-22795,CVE-2026-22796 This update for openssl-3 fixes the following issues: - CVE-2025-15467: Stack buffer overflow in CMS AuthEnvelopedData parsing (bsc#1256830). - CVE-2025-68160: Heap out-of-bounds write in BIO_f_linebuffer on short writes (bsc#1256834). - CVE-2025-69418: Unauthenticated/unencrypted trailing bytes with low-level OCB function calls (bsc#1256835). - CVE-2025-69419: Out of bounds write in PKCS12_get_friendlyname() UTF-8 conversion (bsc#1256836). - CVE-2025-69420: Missing ASN1_TYPE validation in TS_RESP_verify_response() function (bsc#1256837). - CVE-2025-69421: NULL Pointer Dereference in PKCS12_item_decrypt_d2i_ex function (bsc#1256838). - CVE-2026-22795: Missing ASN1_TYPE validation in PKCS#12 parsing (bsc#1256839). - CVE-2026-22796: ASN1_TYPE Type Confusion in the PKCS7_digest_from_attributes() function (bsc#1256840). 
The following package changes have been done: - libopenssl3-3.2.3-150700.5.24.1 updated - libopenssl-3-fips-provider-3.2.3-150700.5.24.1 updated - libglib-2_0-0-2.78.6-150600.4.28.1 updated - libcurl4-8.14.1-150700.7.11.1 updated - curl-8.14.1-150700.7.11.1 updated - go1.24-doc-1.24.12-150000.1.53.1 updated - git-core-2.51.0-150600.3.15.1 updated - go1.24-1.24.12-150000.1.53.1 updated - go1.24-race-1.24.12-150000.1.53.1 updated - container:registry.suse.com-bci-bci-base-15.7-f9184822761ad484aca07587791f6b9d7abdb9a0b5cb88d5017f8891d8d8b001-0 updated From sle-container-updates at lists.suse.com Fri Jan 30 08:24:02 2026 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Fri, 30 Jan 2026 09:24:02 +0100 (CET) Subject: SUSE-CU-2026:492-1: Security update of bci/golang Message-ID: <20260130082402.55AEFFCDB@maintenance.suse.de> SUSE Container Update Advisory: bci/golang ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2026:492-1 Container Tags : bci/golang:1.24-openssl , bci/golang:1.24.12-openssl , bci/golang:1.24.12-openssl-81.12 , bci/golang:oldstable-openssl , bci/golang:oldstable-openssl-81.12 Container Release : 81.12 Severity : critical Type : security References : 1236217 1245878 1247816 1248082 1249985 1251224 1251253 1251254 1251255 1251256 1251257 1251258 1251259 1251260 1251261 1251262 1254430 1254431 1256105 1256816 1256817 1256818 1256819 1256820 1256821 1256830 1256834 1256835 1256836 1256837 1256838 1256839 1256840 1257049 CVE-2025-14017 CVE-2025-15467 CVE-2025-47912 CVE-2025-58183 CVE-2025-58185 CVE-2025-58186 CVE-2025-58187 CVE-2025-58188 CVE-2025-58189 CVE-2025-61723 CVE-2025-61724 CVE-2025-61725 CVE-2025-61726 CVE-2025-61727 CVE-2025-61728 CVE-2025-61729 CVE-2025-61730 CVE-2025-61731 CVE-2025-68119 CVE-2025-68121 CVE-2025-68160 CVE-2025-69418 CVE-2025-69419 CVE-2025-69420 CVE-2025-69421 CVE-2026-0988 CVE-2026-22795 CVE-2026-22796 
----------------------------------------------------------------- The container bci/golang was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2026:221-1 Released: Thu Jan 22 13:15:35 2026 Summary: Security update for curl Type: security Severity: moderate References: 1256105,CVE-2025-14017 This update for curl fixes the following issues: - CVE-2025-14017: Fixed broken TLS options for threaded LDAPS (bsc#1256105). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2026:242-1 Released: Thu Jan 22 14:57:13 2026 Summary: Recommended update for git Type: recommended Severity: moderate References: 1251224 This update for git fixes the following issue: - Revert incorrect AppArmor profile change, in SLE 15 the binaries remain in /usr/lib/git (bsc#1251224) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2026:286-1 Released: Sat Jan 24 00:35:35 2026 Summary: Security update for glib2 Type: security Severity: low References: 1257049,CVE-2026-0988 This update for glib2 fixes the following issues: - CVE-2026-0988: Fixed a potential integer overflow in g_buffered_input_stream_peek (bsc#1257049). 
----------------------------------------------------------------- Advisory ID: SUSE-SU-2026:308-1 Released: Wed Jan 28 09:38:38 2026 Summary: Security update for go1.24-openssl Type: security Severity: important References: 1236217,1245878,1247816,1248082,1249985,1251253,1251254,1251255,1251256,1251257,1251258,1251259,1251260,1251261,1251262,1254430,1254431,1256816,1256817,1256818,1256819,1256820,1256821,CVE-2025-47912,CVE-2025-58183,CVE-2025-58185,CVE-2025-58186,CVE-2025-58187,CVE-2025-58188,CVE-2025-58189,CVE-2025-61723,CVE-2025-61724,CVE-2025-61725,CVE-2025-61726,CVE-2025-61727,CVE-2025-61728,CVE-2025-61729,CVE-2025-61730,CVE-2025-61731,CVE-2025-68119,CVE-2025-68121 This update for go1.24-openssl fixes the following issues: Update to version 1.24.12 (released 2026-01-15) (jsc#SLE-18320, bsc#1236217): Security fixes: - CVE-2025-47912: net/url: insufficient validation of bracketed IPv6 hostnames (bsc#1251257). - CVE-2025-58183: archive/tar: unbounded allocation when parsing GNU sparse map (bsc#1251261). - CVE-2025-58185: encoding/asn1: pre-allocating memory when parsing DER payload can cause memory exhaustion (bsc#1251258). - CVE-2025-58186: net/http: lack of limit when parsing cookies can cause memory exhaustion (bsc#1251259). - CVE-2025-58187: crypto/x509: quadratic complexity when checking name constraints (bsc#1251254). - CVE-2025-58188: crypto/x509: panic when validating certificates with DSA public keys (bsc#1251260). - CVE-2025-58189: crypto/tls: ALPN negotiation error contains attacker controlled information (bsc#1251255). - CVE-2025-61723: encoding/pem: quadratic complexity when parsing some invalid inputs (bsc#1251256). - CVE-2025-61724: net/textproto: excessive CPU consumption in Reader.ReadResponse (bsc#1251262). - CVE-2025-61725: net/mail: excessive CPU consumption in ParseAddress (bsc#1251253). - CVE-2025-61726: net/http: memory exhaustion in Request.ParseForm (bsc#1256817). 
- CVE-2025-61727: crypto/x509: excluded subdomain constraint doesn't preclude wildcard SAN (bsc#1254430). - CVE-2025-61728: archive/zip: denial of service when parsing arbitrary ZIP archives (bsc#1256816). - CVE-2025-61729: crypto/x509: excessive resource consumption in printing error string for host certificate validation (bsc#1254431). - CVE-2025-61730: crypto/tls: handshake messages may be processed at the incorrect encryption level (bsc#1256821). - CVE-2025-61731: cmd/go: bypass of flag sanitization can lead to arbitrary code execution (bsc#1256819). - CVE-2025-68119: cmd/go: unexpected code execution when invoking toolchain (bsc#1256820). - CVE-2025-68121: crypto/tls: Config.Clone copies automatically generated session ticket keys, session resumption does not account for the expiration of full certificate chain (bsc#1256818). Other fixes: * go#74818 net: WriteMsgUDPAddrPort should accept IPv4-mapped IPv6 destination addresses on IPv4 UDP sockets * go#74821 cmd/go: 'get toolchain at latest' should ignore release candidates * go#75007 os/exec: TestLookPath fails on plan9 after CL 685755 * go#75138 os: Root.OpenRoot sets incorrect name, losing prefix of original root * go#75220 debug/pe: pe.Open fails on object files produced by llvm-mingw 21 * go#75351 cmd/link: panic on riscv64 with CGO enabled due to empty container symbol * go#75356 net: new test TestIPv4WriteMsgUDPAddrPortTargetAddrIPVersion fails on plan9 * go#75359 os: new test TestOpenFileCreateExclDanglingSymlink fails on Plan 9 * go#75523 crypto/internal/fips140/rsa: requires a panic if self-tests fail * go#75538 net/http: internal error: connCount underflow * go#75594 cmd/compile: internal compiler error with GOEXPERIMENT=cgocheck2 on github.com/leodido/go-urn * go#75609 sync/atomic: comment for Uintptr.Or incorrectly describes return value * go#75831 net/url: ipv4 mapped ipv6 addresses should be valid in square brackets * go#75860 crypto/x509: TLS validation fails for FQDNs with trailing dot * 
go#75951 encoding/pem: regression when decoding blocks with leading garbage * go#76028 pem/encoding: malformed line endings can cause panics * go#76378 internal/cpu: incorrect CPU features bit parsing on loong64 cause illegal instruction core dumps on LA364 cores * go#76408 crypto/tls: earlyTrafficSecret should use ClientHelloInner if ECH enabled * go#76624 os: on Unix, Readdirnames skips directory entries with zero inodes * go#76760 runtime: stack split at bad time in os/signal with Go 1.25.4 windows 386 * go#76796 runtime: race detector crash on ppc64le * go#76966 cmd/compile/internal/ssa: Compile.func1(): panic during sccp while compiling <function>: runtime error: index out of range ----------------------------------------------------------------- Advisory ID: SUSE-SU-2026:309-1 Released: Wed Jan 28 10:36:32 2026 Summary: Security update for openssl-3 Type: security Severity: critical References: 1256830,1256834,1256835,1256836,1256837,1256838,1256839,1256840,CVE-2025-15467,CVE-2025-68160,CVE-2025-69418,CVE-2025-69419,CVE-2025-69420,CVE-2025-69421,CVE-2026-22795,CVE-2026-22796 This update for openssl-3 fixes the following issues: - CVE-2025-15467: Stack buffer overflow in CMS AuthEnvelopedData parsing (bsc#1256830). - CVE-2025-68160: Heap out-of-bounds write in BIO_f_linebuffer on short writes (bsc#1256834). - CVE-2025-69418: Unauthenticated/unencrypted trailing bytes with low-level OCB function calls (bsc#1256835). - CVE-2025-69419: Out of bounds write in PKCS12_get_friendlyname() UTF-8 conversion (bsc#1256836). - CVE-2025-69420: Missing ASN1_TYPE validation in TS_RESP_verify_response() function (bsc#1256837). - CVE-2025-69421: NULL Pointer Dereference in PKCS12_item_decrypt_d2i_ex function (bsc#1256838). - CVE-2026-22795: Missing ASN1_TYPE validation in PKCS#12 parsing (bsc#1256839). - CVE-2026-22796: ASN1_TYPE Type Confusion in the PKCS7_digest_from_attributes() function (bsc#1256840). 
The following package changes have been done: - libopenssl3-3.2.3-150700.5.24.1 updated - libopenssl-3-fips-provider-3.2.3-150700.5.24.1 updated - libglib-2_0-0-2.78.6-150600.4.28.1 updated - libcurl4-8.14.1-150700.7.11.1 updated - curl-8.14.1-150700.7.11.1 updated - go1.24-openssl-doc-1.24.12-150600.13.15.1 updated - git-core-2.51.0-150600.3.15.1 updated - libopenssl-3-devel-3.2.3-150700.5.24.1 updated - go1.24-openssl-1.24.12-150600.13.15.1 updated - go1.24-openssl-race-1.24.12-150600.13.15.1 updated - container:registry.suse.com-bci-bci-base-15.7-f9184822761ad484aca07587791f6b9d7abdb9a0b5cb88d5017f8891d8d8b001-0 updated From sle-container-updates at lists.suse.com Fri Jan 30 08:24:15 2026 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Fri, 30 Jan 2026 09:24:15 +0100 (CET) Subject: SUSE-CU-2026:493-1: Security update of suse/helm Message-ID: <20260130082415.D5706FCDB@maintenance.suse.de> SUSE Container Update Advisory: suse/helm ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2026:493-1 Container Tags : suse/helm:3 , suse/helm:3.19 , suse/helm:3.19.1 , suse/helm:3.19.1-62.10 , suse/helm:latest Container Release : 62.10 Severity : critical Type : security References : 1256830 1256834 1256835 1256836 1256837 1256838 1256839 1256840 CVE-2025-15467 CVE-2025-68160 CVE-2025-69418 CVE-2025-69419 CVE-2025-69420 CVE-2025-69421 CVE-2026-22795 CVE-2026-22796 ----------------------------------------------------------------- The container suse/helm was updated. 
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2026:309-1 Released: Wed Jan 28 10:36:32 2026 Summary: Security update for openssl-3 Type: security Severity: critical References: 1256830,1256834,1256835,1256836,1256837,1256838,1256839,1256840,CVE-2025-15467,CVE-2025-68160,CVE-2025-69418,CVE-2025-69419,CVE-2025-69420,CVE-2025-69421,CVE-2026-22795,CVE-2026-22796 This update for openssl-3 fixes the following issues: - CVE-2025-15467: Stack buffer overflow in CMS AuthEnvelopedData parsing (bsc#1256830). - CVE-2025-68160: Heap out-of-bounds write in BIO_f_linebuffer on short writes (bsc#1256834). - CVE-2025-69418: Unauthenticated/unencrypted trailing bytes with low-level OCB function calls (bsc#1256835). - CVE-2025-69419: Out of bounds write in PKCS12_get_friendlyname() UTF-8 conversion (bsc#1256836). - CVE-2025-69420: Missing ASN1_TYPE validation in TS_RESP_verify_response() function (bsc#1256837). - CVE-2025-69421: NULL Pointer Dereference in PKCS12_item_decrypt_d2i_ex function (bsc#1256838). - CVE-2026-22795: Missing ASN1_TYPE validation in PKCS#12 parsing (bsc#1256839). - CVE-2026-22796: ASN1_TYPE Type Confusion in the PKCS7_digest_from_attributes() function (bsc#1256840). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2026:326-1 Released: Wed Jan 28 15:54:58 2026 Summary: Security update for helm Type: security Severity: important References: This update for helm rebuilds it against the current GO security release. 
The following package changes have been done: - helm-3.19.1-150000.1.62.1 updated - libopenssl3-3.2.3-150700.5.24.1 updated - openssl-3-3.2.3-150700.5.24.1 updated - libopenssl-3-fips-provider-3.2.3-150700.5.24.1 updated - container:suse-sle15-15.7-9efe2e5a6c38d2f8c0921b1f30f01a84e5a8a968aaa4132bec532c8be84037c1-0 updated From sle-container-updates at lists.suse.com Fri Jan 30 16:31:57 2026 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Fri, 30 Jan 2026 17:31:57 +0100 (CET) Subject: SUSE-CU-2026:494-1: Security update of bci/dotnet-aspnet Message-ID: <20260130163157.5A68EFD9A@maintenance.suse.de> SUSE Container Update Advisory: bci/dotnet-aspnet ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2026:494-1 Container Tags : bci/dotnet-aspnet:8.0 , bci/dotnet-aspnet:8.0.23 , bci/dotnet-aspnet:8.0.23-80.5 Container Release : 80.5 Severity : moderate Type : security References : 1256834 1256835 1256836 1256837 1256838 1256839 1256840 CVE-2025-68160 CVE-2025-69418 CVE-2025-69419 CVE-2025-69420 CVE-2025-69421 CVE-2026-22795 CVE-2026-22796 ----------------------------------------------------------------- The container bci/dotnet-aspnet was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2026:331-1 Released: Wed Jan 28 18:12:49 2026 Summary: Security update for openssl-1_1 Type: security Severity: moderate References: 1256834,1256835,1256836,1256837,1256838,1256839,1256840,CVE-2025-68160,CVE-2025-69418,CVE-2025-69419,CVE-2025-69420,CVE-2025-69421,CVE-2026-22795,CVE-2026-22796 This update for openssl-1_1 fixes the following issues: - CVE-2026-22795: Missing ASN1_TYPE validation in PKCS#12 parsing (bsc#1256839). - CVE-2025-69420: Missing ASN1_TYPE validation in TS_RESP_verify_response() function (bsc#1256837). 
- CVE-2025-69421: NULL Pointer Dereference in PKCS12_item_decrypt_d2i_ex function (bsc#1256838). - CVE-2026-22796: ASN1_TYPE Type Confusion in the PKCS7_digest_from_attributes() function (bsc#1256840). - CVE-2025-68160: Heap out-of-bounds write in BIO_f_linebuffer on short writes (bsc#1256834). - CVE-2025-69418: Unauthenticated/unencrypted trailing bytes with low-level OCB function calls (bsc#1256835). - CVE-2025-69419: Out of bounds write in PKCS12_get_friendlyname() UTF-8 conversion (bsc#1256836). The following package changes have been done: - libopenssl1_1-1.1.1w-150700.11.11.1 updated - container:registry.suse.com-bci-bci-base-15.7-f9184822761ad484aca07587791f6b9d7abdb9a0b5cb88d5017f8891d8d8b001-0 updated From sle-container-updates at lists.suse.com Fri Jan 30 16:32:17 2026 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Fri, 30 Jan 2026 17:32:17 +0100 (CET) Subject: SUSE-CU-2026:496-1: Security update of suse/bind Message-ID: <20260130163217.6702CFD9A@maintenance.suse.de> SUSE Container Update Advisory: suse/bind ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2026:496-1 Container Tags : suse/bind:9 , suse/bind:9.20 , suse/bind:9.20.18 , suse/bind:9.20.18-71.11 , suse/bind:latest Container Release : 71.11 Severity : important Type : security References : 1256997 CVE-2025-13878 ----------------------------------------------------------------- The container suse/bind was updated. 
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2026:348-1 Released: Fri Jan 30 12:17:00 2026 Summary: Security update for bind Type: security Severity: important References: 1256997,CVE-2025-13878 This update for bind fixes the following issues: Upgrade to release 9.20.18: - CVE-2025-13878: Fixed incorrect length checks for BRID and HHIT records (bsc#1256997) Feature Changes: * Add more information to the rndc recursing output about fetches. * Reduce the number of outgoing queries. * Provide more information when memory allocation fails. Bug Fixes: * Make DNSSEC key rollovers more robust. * Fix a catalog zone issue, where member zones could fail to load. * Allow glue in delegations with QTYPE=ANY. * Fix slow speed when signing a large delegation zone with NSEC3 opt-out. * Reconfiguring an NSEC3 opt-out zone to NSEC caused the zone to be invalid. * Fix a possible catalog zone issue during reconfiguration. * Fix the charts in the statistics channel. * Adding NSEC3 opt-out records could leave invalid records in chain. * Fix spurious timeouts while resolving names. * Fix bug where zone switches from NSEC3 to NSEC after retransfer. * AMTRELAY type 0 presentation format handling was wrong. * Fix parsing bug in remote-servers with key or TLS. * Fix DoT reconfigure/reload bug in the resolver. * Skip unsupported algorithms when looking for a signing key. * Fix dnssec-keygen key collision checking for KEY RRtype keys. * dnssec-verify now uses exit code 1 when failing due to illegal options. * Prevent assertion failures of dig when a server is specified before the -b option. * Skip buffer allocations if not logging. 
The following package changes have been done: - bind-utils-9.20.18-150700.3.15.1 updated - bind-9.20.18-150700.3.15.1 updated From sle-container-updates at lists.suse.com Fri Jan 30 16:33:39 2026 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Fri, 30 Jan 2026 17:33:39 +0100 (CET) Subject: SUSE-CU-2026:500-1: Security update of bci/golang Message-ID: <20260130163339.00CE6FD9A@maintenance.suse.de> SUSE Container Update Advisory: bci/golang ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2026:500-1 Container Tags : bci/golang:1.25-openssl , bci/golang:1.25.6-openssl , bci/golang:1.25.6-openssl-81.13 , bci/golang:latest , bci/golang:stable-openssl , bci/golang:stable-openssl-81.13 Container Release : 81.13 Severity : critical Type : security References : 1244485 1245878 1246118 1247719 1247720 1247816 1248082 1249141 1249985 1251224 1251253 1251254 1251255 1251256 1251257 1251258 1251259 1251260 1251261 1251262 1254227 1254430 1254431 1256105 1256816 1256817 1256818 1256819 1256820 1256821 1256830 1256834 1256835 1256836 1256837 1256838 1256839 1256840 1257049 CVE-2025-14017 CVE-2025-15467 CVE-2025-4674 CVE-2025-47906 CVE-2025-47907 CVE-2025-47910 CVE-2025-47912 CVE-2025-58183 CVE-2025-58185 CVE-2025-58186 CVE-2025-58187 CVE-2025-58188 CVE-2025-58189 CVE-2025-61723 CVE-2025-61724 CVE-2025-61725 CVE-2025-61726 CVE-2025-61727 CVE-2025-61728 CVE-2025-61729 CVE-2025-61730 CVE-2025-61731 CVE-2025-68119 CVE-2025-68121 CVE-2025-68160 CVE-2025-69418 CVE-2025-69419 CVE-2025-69420 CVE-2025-69421 CVE-2026-0988 CVE-2026-22795 CVE-2026-22796 ----------------------------------------------------------------- The container bci/golang was updated. 
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2026:221-1 Released: Thu Jan 22 13:15:35 2026 Summary: Security update for curl Type: security Severity: moderate References: 1256105,CVE-2025-14017 This update for curl fixes the following issues: - CVE-2025-14017: Fixed broken TLS options for threaded LDAPS (bsc#1256105). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2026:242-1 Released: Thu Jan 22 14:57:13 2026 Summary: Recommended update for git Type: recommended Severity: moderate References: 1251224 This update for git fixes the following issue: - Revert incorrect AppArmor profile change, in SLE 15 the binaries remain in /usr/lib/git (bsc#1251224) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2026:286-1 Released: Sat Jan 24 00:35:35 2026 Summary: Security update for glib2 Type: security Severity: low References: 1257049,CVE-2026-0988 This update for glib2 fixes the following issues: - CVE-2026-0988: Fixed a potential integer overflow in g_buffered_input_stream_peek (bsc#1257049). 
----------------------------------------------------------------- Advisory ID: SUSE-SU-2026:298-1 Released: Mon Jan 26 17:11:03 2026 Summary: Security update for go1.25-openssl Type: security Severity: important References: 1244485,1245878,1246118,1247719,1247720,1247816,1248082,1249141,1249985,1251253,1251254,1251255,1251256,1251257,1251258,1251259,1251260,1251261,1251262,1254227,1254430,1254431,1256816,1256817,1256818,1256819,1256820,1256821,CVE-2025-4674,CVE-2025-47906,CVE-2025-47907,CVE-2025-47910,CVE-2025-47912,CVE-2025-58183,CVE-2025-58185,CVE-2025-58186,CVE-2025-58187,CVE-2025-58188,CVE-2025-58189,CVE-2025-61723,CVE-2025-61724,CVE-2025-61725,CVE-2025-61726,CVE-2025-61727,CVE-2025-61728,CVE-2025-61729,CVE-2025-61730,CVE-2025-61731,CVE-2025-68119,CVE-2025-68121 This update for go1.25-openssl fixes the following issues: Update to version 1.25.6 (released 2026-01-15) (jsc#SLE-18320, bsc#1244485): Security fixes: - CVE-2025-4674 cmd/go: disable support for multiple vcs in one module (bsc#1246118). - CVE-2025-47906 os/exec: LookPath bug: incorrect expansion of '', '.' and '..' in some PATH configurations (bsc#1247719). - CVE-2025-47907 database/sql: incorrect results returned from Rows.Scan (bsc#1247720). - CVE-2025-47910 net/http: CrossOriginProtection insecure bypass patterns not limited to exact matches (bsc#1249141). - CVE-2025-47912 net/url: insufficient validation of bracketed IPv6 hostnames (bsc#1251257). - CVE-2025-58183 archive/tar: unbounded allocation when parsing GNU sparse map (bsc#1251261). - CVE-2025-58185 encoding/asn1: pre-allocating memory when parsing DER payload can cause memory exhaustion (bsc#1251258). - CVE-2025-58186 net/http: lack of limit when parsing cookies can cause memory exhaustion (bsc#1251259). - CVE-2025-58187 crypto/x509: quadratic complexity when checking name constraints (bsc#1251254). - CVE-2025-58188 crypto/x509: panic when validating certificates with DSA public keys (bsc#1251260). 
- CVE-2025-58189 crypto/tls: ALPN negotiation error contains attacker controlled information (bsc#1251255). - CVE-2025-61723 encoding/pem: quadratic complexity when parsing some invalid inputs (bsc#1251256). - CVE-2025-61724 net/textproto: excessive CPU consumption in Reader.ReadResponse (bsc#1251262). - CVE-2025-61725 net/mail: excessive CPU consumption in ParseAddress (bsc#1251253). - CVE-2025-61726 net/http: memory exhaustion in Request.ParseForm (bsc#1256817). - CVE-2025-61727 crypto/x509: excluded subdomain constraint doesn't preclude wildcard SAN (bsc#1254430). - CVE-2025-61728 archive/zip: denial of service when parsing arbitrary ZIP archives (bsc#1256816). - CVE-2025-61729 crypto/x509: excessive resource consumption in printing error string for host certificate validation (bsc#1254431). - CVE-2025-61730 crypto/tls: handshake messages may be processed at the incorrect encryption level (bsc#1256821). - CVE-2025-61731 cmd/go: bypass of flag sanitization can lead to arbitrary code execution (bsc#1256819). - CVE-2025-68119 cmd/go: unexpected code execution when invoking toolchain (bsc#1256820). - CVE-2025-68121 crypto/tls: Config.Clone copies automatically generated session ticket keys, session resumption does not account for the expiration of full certificate chain (bsc#1256818). 
Other fixes: * go#74822 cmd/go: 'get toolchain at latest' should ignore release candidates * go#74999 net: WriteMsgUDPAddrPort should accept IPv4-mapped IPv6 destination addresses on IPv4 UDP sockets * go#75008 os/exec: TestLookPath fails on plan9 after CL 685755 * go#75021 testing/synctest: bubble not terminating * go#75083 os: File.Seek doesn't set the correct offset with Windows overlapped handles * go#75111 os, syscall: volume handles with FILE_FLAG_OVERLAPPED fail when calling ReadAt * go#75116 os: Root.MkdirAll can return 'file exists' when called concurrently on the same path * go#75139 os: Root.OpenRoot sets incorrect name, losing prefix of original root * go#75221 debug/pe: pe.Open fails on object files produced by llvm-mingw 21 * go#75255 cmd/compile: export to DWARF types only referenced through interfaces * go#75347 testing/synctest: test timeout with no runnable goroutines * go#75357 net: new test TestIPv4WriteMsgUDPAddrPortTargetAddrIPVersion fails on plan9 * go#75480 cmd/link: linker panic and relocation errors with complex generics inlining * go#75524 crypto/internal/fips140/rsa: requires a panic if self-tests fail * go#75537 context: Err can return non-nil before Done channel is closed * go#75539 net/http: internal error: connCount underflow * go#75595 cmd/compile: internal compiler error with GOEXPERIMENT=cgocheck2 on github.com/leodido/go-urn * go#75610 sync/atomic: comment for Uintptr.Or incorrectly describes return value * go#75669 runtime: debug.decoratemappings don't work as expected * go#75775 runtime: build fails when run via QEMU for linux/amd64 running on linux/arm64 * go#75777 spec: Go1.25 spec should be dated closer to actual release date * go#75790 crypto/internal/fips140/subtle: Go 1.25 subtle.xorBytes panic on MIPS * go#75832 net/url: ipv4 mapped ipv6 addresses should be valid in square brackets * go#75861 crypto/x509: TLS validation fails for FQDNs with trailing dot * go#75952 encoding/pem: regression when decoding blocks with 
leading garbage * go#75989 os: on windows RemoveAll removing directories containing read-only files errors with unlinkat ... Access is denied * go#76010 cmd/compile: any(func(){})==any(func(){}) does not panic but should * go#76029 pem/encoding: malformed line endings can cause panics * go#76245 mime: FormatMediaType and ParseMediaType not compatible across 1.24 to 1.25 * go#76360 os: on windows RemoveAll removing directories containing read-only files errors with unlinkat ... Access is denied, ReOpenFile error handling followup * go#76392 os: package initialization hangs is Stdin is blocked * go#76409 crypto/tls: earlyTrafficSecret should use ClientHelloInner if ECH enabled * go#76620 os: on Unix, Readdirnames skips directory entries with zero inodes * go#76761 runtime: stack split at bad time in os/signal with Go 1.25.4 windows 386 * go#76776 runtime: race detector crash on ppc64le * go#76967 cmd/compile/internal/ssa: Compile.func1(): panic during sccp while compiling <function>: runtime error: index out of range * go#76973 errors: errors.Join behavior changed in 1.25 ----------------------------------------------------------------- Advisory ID: SUSE-SU-2026:309-1 Released: Wed Jan 28 10:36:32 2026 Summary: Security update for openssl-3 Type: security Severity: critical References: 1256830,1256834,1256835,1256836,1256837,1256838,1256839,1256840,CVE-2025-15467,CVE-2025-68160,CVE-2025-69418,CVE-2025-69419,CVE-2025-69420,CVE-2025-69421,CVE-2026-22795,CVE-2026-22796 This update for openssl-3 fixes the following issues: - CVE-2025-15467: Stack buffer overflow in CMS AuthEnvelopedData parsing (bsc#1256830). - CVE-2025-68160: Heap out-of-bounds write in BIO_f_linebuffer on short writes (bsc#1256834). - CVE-2025-69418: Unauthenticated/unencrypted trailing bytes with low-level OCB function calls (bsc#1256835). - CVE-2025-69419: Out of bounds write in PKCS12_get_friendlyname() UTF-8 conversion (bsc#1256836). 
- CVE-2025-69420: Missing ASN1_TYPE validation in TS_RESP_verify_response() function (bsc#1256837). - CVE-2025-69421: NULL Pointer Dereference in PKCS12_item_decrypt_d2i_ex function (bsc#1256838). - CVE-2026-22795: Missing ASN1_TYPE validation in PKCS#12 parsing (bsc#1256839). - CVE-2026-22796: ASN1_TYPE Type Confusion in the PKCS7_digest_from_attributes() function (bsc#1256840). The following package changes have been done: - libopenssl3-3.2.3-150700.5.24.1 updated - libopenssl-3-fips-provider-3.2.3-150700.5.24.1 updated - libglib-2_0-0-2.78.6-150600.4.28.1 updated - libcurl4-8.14.1-150700.7.11.1 updated - curl-8.14.1-150700.7.11.1 updated - go1.25-openssl-doc-1.25.6-150600.13.9.1 updated - git-core-2.51.0-150600.3.15.1 updated - libopenssl-3-devel-3.2.3-150700.5.24.1 updated - go1.25-openssl-1.25.6-150600.13.9.1 updated - go1.25-openssl-race-1.25.6-150600.13.9.1 updated - container:registry.suse.com-bci-bci-base-15.7-f9184822761ad484aca07587791f6b9d7abdb9a0b5cb88d5017f8891d8d8b001-0 updated From sle-container-updates at lists.suse.com Fri Jan 30 16:33:54 2026 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Fri, 30 Jan 2026 17:33:54 +0100 (CET) Subject: SUSE-CU-2026:493-1: Security update of suse/helm Message-ID: <20260130163354.A7268FD9A@maintenance.suse.de> SUSE Container Update Advisory: suse/helm ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2026:493-1 Container Tags : suse/helm:3 , suse/helm:3.19 , suse/helm:3.19.1 , suse/helm:3.19.1-62.10 , suse/helm:latest Container Release : 62.10 Severity : critical Type : security References : 1256830 1256834 1256835 1256836 1256837 1256838 1256839 1256840 CVE-2025-15467 CVE-2025-68160 CVE-2025-69418 CVE-2025-69419 CVE-2025-69420 CVE-2025-69421 CVE-2026-22795 CVE-2026-22796 ----------------------------------------------------------------- The container suse/helm was updated. 
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2026:309-1 Released: Wed Jan 28 10:36:32 2026 Summary: Security update for openssl-3 Type: security Severity: critical References: 1256830,1256834,1256835,1256836,1256837,1256838,1256839,1256840,CVE-2025-15467,CVE-2025-68160,CVE-2025-69418,CVE-2025-69419,CVE-2025-69420,CVE-2025-69421,CVE-2026-22795,CVE-2026-22796 This update for openssl-3 fixes the following issues: - CVE-2025-15467: Stack buffer overflow in CMS AuthEnvelopedData parsing (bsc#1256830). - CVE-2025-68160: Heap out-of-bounds write in BIO_f_linebuffer on short writes (bsc#1256834). - CVE-2025-69418: Unauthenticated/unencrypted trailing bytes with low-level OCB function calls (bsc#1256835). - CVE-2025-69419: Out of bounds write in PKCS12_get_friendlyname() UTF-8 conversion (bsc#1256836). - CVE-2025-69420: Missing ASN1_TYPE validation in TS_RESP_verify_response() function (bsc#1256837). - CVE-2025-69421: NULL Pointer Dereference in PKCS12_item_decrypt_d2i_ex function (bsc#1256838). - CVE-2026-22795: Missing ASN1_TYPE validation in PKCS#12 parsing (bsc#1256839). - CVE-2026-22796: ASN1_TYPE Type Confusion in the PKCS7_digest_from_attributes() function (bsc#1256840). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2026:326-1 Released: Wed Jan 28 15:54:58 2026 Summary: Security update for helm Type: security Severity: important References: This update for helm rebuilds it against the current GO security release. 
The following package changes have been done: - helm-3.19.1-150000.1.62.1 updated - libopenssl3-3.2.3-150700.5.24.1 updated - openssl-3-3.2.3-150700.5.24.1 updated - libopenssl-3-fips-provider-3.2.3-150700.5.24.1 updated - container:suse-sle15-15.7-9efe2e5a6c38d2f8c0921b1f30f01a84e5a8a968aaa4132bec532c8be84037c1-0 updated From sle-container-updates at lists.suse.com Fri Jan 30 16:34:24 2026 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Fri, 30 Jan 2026 17:34:24 +0100 (CET) Subject: SUSE-CU-2026:502-1: Security update of bci/bci-init Message-ID: <20260130163424.49310FD9A@maintenance.suse.de> SUSE Container Update Advisory: bci/bci-init ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2026:502-1 Container Tags : bci/bci-init:15.7 , bci/bci-init:15.7-48.10 , bci/bci-init:latest Container Release : 48.10 Severity : critical Type : security References : 1254666 1256830 1256834 1256835 1256836 1256837 1256838 1256839 1256840 1257049 CVE-2025-14104 CVE-2025-15467 CVE-2025-68160 CVE-2025-69418 CVE-2025-69419 CVE-2025-69420 CVE-2025-69421 CVE-2026-0988 CVE-2026-22795 CVE-2026-22796 ----------------------------------------------------------------- The container bci/bci-init was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2026:230-1 Released: Thu Jan 22 13:22:31 2026 Summary: Security update for util-linux Type: security Severity: moderate References: 1254666,CVE-2025-14104 This update for util-linux fixes the following issues: - CVE-2025-14104: Fixed heap buffer overread in setpwnam() when processing 256-byte usernames (bsc#1254666). - lscpu: Add support for NVIDIA Olympus arm64 core (jsc#PED-13682). 
----------------------------------------------------------------- Advisory ID: SUSE-SU-2026:286-1 Released: Sat Jan 24 00:35:35 2026 Summary: Security update for glib2 Type: security Severity: low References: 1257049,CVE-2026-0988 This update for glib2 fixes the following issues: - CVE-2026-0988: Fixed a potential integer overflow in g_buffered_input_stream_peek (bsc#1257049). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2026:309-1 Released: Wed Jan 28 10:36:32 2026 Summary: Security update for openssl-3 Type: security Severity: critical References: 1256830,1256834,1256835,1256836,1256837,1256838,1256839,1256840,CVE-2025-15467,CVE-2025-68160,CVE-2025-69418,CVE-2025-69419,CVE-2025-69420,CVE-2025-69421,CVE-2026-22795,CVE-2026-22796 This update for openssl-3 fixes the following issues: - CVE-2025-15467: Stack buffer overflow in CMS AuthEnvelopedData parsing (bsc#1256830). - CVE-2025-68160: Heap out-of-bounds write in BIO_f_linebuffer on short writes (bsc#1256834). - CVE-2025-69418: Unauthenticated/unencrypted trailing bytes with low-level OCB function calls (bsc#1256835). - CVE-2025-69419: Out of bounds write in PKCS12_get_friendlyname() UTF-8 conversion (bsc#1256836). - CVE-2025-69420: Missing ASN1_TYPE validation in TS_RESP_verify_response() function (bsc#1256837). - CVE-2025-69421: NULL Pointer Dereference in PKCS12_item_decrypt_d2i_ex function (bsc#1256838). - CVE-2026-22795: Missing ASN1_TYPE validation in PKCS#12 parsing (bsc#1256839). - CVE-2026-22796: ASN1_TYPE Type Confusion in the PKCS7_digest_from_attributes() function (bsc#1256840). 
The following package changes have been done: - libuuid1-2.40.4-150700.4.3.1 updated - libsmartcols1-2.40.4-150700.4.3.1 updated - libopenssl3-3.2.3-150700.5.24.1 updated - libblkid1-2.40.4-150700.4.3.1 updated - libopenssl-3-fips-provider-3.2.3-150700.5.24.1 updated - libfdisk1-2.40.4-150700.4.3.1 updated - libglib-2_0-0-2.78.6-150600.4.28.1 updated - libmount1-2.40.4-150700.4.3.1 updated - util-linux-2.40.4-150700.4.3.1 updated - container:registry.suse.com-bci-bci-base-15.7-f9184822761ad484aca07587791f6b9d7abdb9a0b5cb88d5017f8891d8d8b001-0 updated From sle-container-updates at lists.suse.com Fri Jan 30 16:34:47 2026 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Fri, 30 Jan 2026 17:34:47 +0100 (CET) Subject: SUSE-CU-2026:503-1: Security update of suse/kea Message-ID: <20260130163447.227CDFD9A@maintenance.suse.de> SUSE Container Update Advisory: suse/kea ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2026:503-1 Container Tags : suse/kea:2.6 , suse/kea:2.6-69.10 , suse/kea:latest Container Release : 69.10 Severity : critical Type : security References : 1254666 1256105 1256830 1256834 1256834 1256835 1256835 1256836 1256836 1256837 1256837 1256838 1256838 1256839 1256839 1256840 1256840 CVE-2025-14017 CVE-2025-14104 CVE-2025-15467 CVE-2025-68160 CVE-2025-68160 CVE-2025-69418 CVE-2025-69418 CVE-2025-69419 CVE-2025-69419 CVE-2025-69420 CVE-2025-69420 CVE-2025-69421 CVE-2025-69421 CVE-2026-22795 CVE-2026-22795 CVE-2026-22796 CVE-2026-22796 ----------------------------------------------------------------- The container suse/kea was updated. 
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2026:221-1 Released: Thu Jan 22 13:15:35 2026 Summary: Security update for curl Type: security Severity: moderate References: 1256105,CVE-2025-14017 This update for curl fixes the following issues: - CVE-2025-14017: Fixed broken TLS options for threaded LDAPS (bsc#1256105). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2026:230-1 Released: Thu Jan 22 13:22:31 2026 Summary: Security update for util-linux Type: security Severity: moderate References: 1254666,CVE-2025-14104 This update for util-linux fixes the following issues: - CVE-2025-14104: Fixed heap buffer overread in setpwnam() when processing 256-byte usernames (bsc#1254666). - lscpu: Add support for NVIDIA Olympus arm64 core (jsc#PED-13682). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2026:309-1 Released: Wed Jan 28 10:36:32 2026 Summary: Security update for openssl-3 Type: security Severity: critical References: 1256830,1256834,1256835,1256836,1256837,1256838,1256839,1256840,CVE-2025-15467,CVE-2025-68160,CVE-2025-69418,CVE-2025-69419,CVE-2025-69420,CVE-2025-69421,CVE-2026-22795,CVE-2026-22796 This update for openssl-3 fixes the following issues: - CVE-2025-15467: Stack buffer overflow in CMS AuthEnvelopedData parsing (bsc#1256830). - CVE-2025-68160: Heap out-of-bounds write in BIO_f_linebuffer on short writes (bsc#1256834). - CVE-2025-69418: Unauthenticated/unencrypted trailing bytes with low-level OCB function calls (bsc#1256835). - CVE-2025-69419: Out of bounds write in PKCS12_get_friendlyname() UTF-8 conversion (bsc#1256836). - CVE-2025-69420: Missing ASN1_TYPE validation in TS_RESP_verify_response() function (bsc#1256837). - CVE-2025-69421: NULL Pointer Dereference in PKCS12_item_decrypt_d2i_ex function (bsc#1256838). 
- CVE-2026-22795: Missing ASN1_TYPE validation in PKCS#12 parsing (bsc#1256839). - CVE-2026-22796: ASN1_TYPE Type Confusion in the PKCS7_digest_from_attributes() function (bsc#1256840). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2026:331-1 Released: Wed Jan 28 18:12:49 2026 Summary: Security update for openssl-1_1 Type: security Severity: moderate References: 1256834,1256835,1256836,1256837,1256838,1256839,1256840,CVE-2025-68160,CVE-2025-69418,CVE-2025-69419,CVE-2025-69420,CVE-2025-69421,CVE-2026-22795,CVE-2026-22796 This update for openssl-1_1 fixes the following issues: - CVE-2026-22795: Missing ASN1_TYPE validation in PKCS#12 parsing (bsc#1256839). - CVE-2025-69420: Missing ASN1_TYPE validation in TS_RESP_verify_response() function (bsc#1256837). - CVE-2025-69421: NULL Pointer Dereference in PKCS12_item_decrypt_d2i_ex function (bsc#1256838). - CVE-2026-22796: ASN1_TYPE Type Confusion in the PKCS7_digest_from_attributes() function (bsc#1256840). - CVE-2025-68160: Heap out-of-bounds write in BIO_f_linebuffer on short writes (bsc#1256834). - CVE-2025-69418: Unauthenticated/unencrypted trailing bytes with low-level OCB function calls (bsc#1256835). - CVE-2025-69419: Out of bounds write in PKCS12_get_friendlyname() UTF-8 conversion (bsc#1256836). 
The following package changes have been done: - libuuid1-2.40.4-150700.4.3.1 updated - libsmartcols1-2.40.4-150700.4.3.1 updated - libblkid1-2.40.4-150700.4.3.1 updated - libopenssl3-3.2.3-150700.5.24.1 updated - libfdisk1-2.40.4-150700.4.3.1 updated - libopenssl-3-fips-provider-3.2.3-150700.5.24.1 updated - libmount1-2.40.4-150700.4.3.1 updated - libcurl4-8.14.1-150700.7.11.1 updated - util-linux-2.40.4-150700.4.3.1 updated - libopenssl1_1-1.1.1w-150700.11.11.1 updated - container:registry.suse.com-bci-bci-base-15.7-9efe2e5a6c38d2f8c0921b1f30f01a84e5a8a968aaa4132bec532c8be84037c1-0 updated From sle-container-updates at lists.suse.com Fri Jan 30 16:35:26 2026 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Fri, 30 Jan 2026 17:35:26 +0100 (CET) Subject: SUSE-CU-2026:505-1: Security update of suse/kiosk/firefox-esr Message-ID: <20260130163526.3020AFD9A@maintenance.suse.de> SUSE Container Update Advisory: suse/kiosk/firefox-esr ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2026:505-1 Container Tags : suse/kiosk/firefox-esr:140.7 , suse/kiosk/firefox-esr:140.7-70.17 , suse/kiosk/firefox-esr:esr , suse/kiosk/firefox-esr:latest Container Release : 70.17 Severity : low Type : security References : 1227412 CVE-2023-39327 ----------------------------------------------------------------- The container suse/kiosk/firefox-esr was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2026:330-1 Released: Wed Jan 28 17:27:08 2026 Summary: Security update for openjpeg2 Type: security Severity: low References: 1227412,CVE-2023-39327 This update for openjpeg2 fixes the following issues: - CVE-2023-39327: Fixed malicious files can cause a large loop that continuously prints warning messages on the terminal (bsc#1227412). 
The following package changes have been done: - libopenjp2-7-2.3.0-150000.3.24.1 updated - container:suse-sle15-15.7-9efe2e5a6c38d2f8c0921b1f30f01a84e5a8a968aaa4132bec532c8be84037c1-0 updated From sle-container-updates at lists.suse.com Fri Jan 30 16:35:27 2026 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Fri, 30 Jan 2026 17:35:27 +0100 (CET) Subject: SUSE-CU-2026:506-1: Security update of suse/kiosk/firefox-esr Message-ID: <20260130163527.31CF0FD9A@maintenance.suse.de> SUSE Container Update Advisory: suse/kiosk/firefox-esr ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2026:506-1 Container Tags : suse/kiosk/firefox-esr:140.7 , suse/kiosk/firefox-esr:140.7-70.18 , suse/kiosk/firefox-esr:esr , suse/kiosk/firefox-esr:latest Container Release : 70.18 Severity : moderate Type : security References : 1237543 CVE-2025-0838 ----------------------------------------------------------------- The container suse/kiosk/firefox-esr was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2026:338-1 Released: Thu Jan 29 11:35:47 2026 Summary: Security update for abseil-cpp Type: security Severity: moderate References: 1237543,CVE-2025-0838 This update for abseil-cpp fixes the following issues: - CVE-2025-0838: Fixed heap buffer overflow in sized constructors, reserve(), and rehash() methods of absl:{flat,node}hash{set,map} (bsc#1237543). 
The following package changes have been done: - libabsl2401_0_0-20240116.3-150600.19.6.1 updated - container:suse-sle15-15.7-f9184822761ad484aca07587791f6b9d7abdb9a0b5cb88d5017f8891d8d8b001-0 updated From sle-container-updates at lists.suse.com Fri Jan 30 16:35:41 2026 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Fri, 30 Jan 2026 17:35:41 +0100 (CET) Subject: SUSE-CU-2026:508-1: Security update of suse/kubectl Message-ID: <20260130163541.92861FD9A@maintenance.suse.de> SUSE Container Update Advisory: suse/kubectl ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2026:508-1 Container Tags : suse/kubectl:1.33 , suse/kubectl:1.33.7 , suse/kubectl:1.33.7-2.63.5 , suse/kubectl:oldstable , suse/kubectl:oldstable-2.63.5 Container Release : 63.5 Severity : important Type : security References : ----------------------------------------------------------------- The container suse/kubectl was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2026:326-1 Released: Wed Jan 28 15:54:58 2026 Summary: Security update for helm Type: security Severity: important References: This update for helm rebuilds it against the current GO security release. 
The following package changes have been done: - helm-3.19.1-150000.1.62.1 updated - container:suse-sle15-15.7-9efe2e5a6c38d2f8c0921b1f30f01a84e5a8a968aaa4132bec532c8be84037c1-0 updated From sle-container-updates at lists.suse.com Fri Jan 30 16:35:55 2026 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Fri, 30 Jan 2026 17:35:55 +0100 (CET) Subject: SUSE-CU-2026:510-1: Security update of suse/kubectl Message-ID: <20260130163555.A50BBFD9A@maintenance.suse.de> SUSE Container Update Advisory: suse/kubectl ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2026:510-1 Container Tags : suse/kubectl:1.35 , suse/kubectl:1.35.0 , suse/kubectl:1.35.0-1.63.5 , suse/kubectl:latest , suse/kubectl:stable , suse/kubectl:stable-1.63.5 Container Release : 63.5 Severity : important Type : security References : ----------------------------------------------------------------- The container suse/kubectl was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2026:325-1 Released: Wed Jan 28 15:54:07 2026 Summary: Security update for kubernetes Type: security Severity: important References: This update for kubernetes rebuilds it against the current GO security release. ----------------------------------------------------------------- Advisory ID: SUSE-SU-2026:326-1 Released: Wed Jan 28 15:54:58 2026 Summary: Security update for helm Type: security Severity: important References: This update for helm rebuilds it against the current GO security release. 
The following package changes have been done: - helm-3.19.1-150000.1.62.1 updated - kubernetes1.35-client-1.35.0-150600.13.23.1 updated - kubernetes1.35-client-common-1.35.0-150600.13.23.1 updated - container:suse-sle15-15.7-9efe2e5a6c38d2f8c0921b1f30f01a84e5a8a968aaa4132bec532c8be84037c1-0 updated From sle-container-updates at lists.suse.com Fri Jan 30 16:36:10 2026 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Fri, 30 Jan 2026 17:36:10 +0100 (CET) Subject: SUSE-CU-2026:512-1: Security update of bci/bci-micro-fips Message-ID: <20260130163610.A449FFD9A@maintenance.suse.de> SUSE Container Update Advisory: bci/bci-micro-fips ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2026:512-1 Container Tags : bci/bci-micro-fips:15.7 , bci/bci-micro-fips:15.7-17.4 , bci/bci-micro-fips:latest Container Release : 17.4 Severity : critical Type : security References : 1256830 1256834 1256835 1256836 1256837 1256838 1256839 1256840 CVE-2025-15467 CVE-2025-68160 CVE-2025-69418 CVE-2025-69419 CVE-2025-69420 CVE-2025-69421 CVE-2026-22795 CVE-2026-22796 ----------------------------------------------------------------- The container bci/bci-micro-fips was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2026:309-1 Released: Wed Jan 28 10:36:32 2026 Summary: Security update for openssl-3 Type: security Severity: critical References: 1256830,1256834,1256835,1256836,1256837,1256838,1256839,1256840,CVE-2025-15467,CVE-2025-68160,CVE-2025-69418,CVE-2025-69419,CVE-2025-69420,CVE-2025-69421,CVE-2026-22795,CVE-2026-22796 This update for openssl-3 fixes the following issues: - CVE-2025-15467: Stack buffer overflow in CMS AuthEnvelopedData parsing (bsc#1256830). - CVE-2025-68160: Heap out-of-bounds write in BIO_f_linebuffer on short writes (bsc#1256834). 
- CVE-2025-69418: Unauthenticated/unencrypted trailing bytes with low-level OCB function calls (bsc#1256835). - CVE-2025-69419: Out of bounds write in PKCS12_get_friendlyname() UTF-8 conversion (bsc#1256836). - CVE-2025-69420: Missing ASN1_TYPE validation in TS_RESP_verify_response() function (bsc#1256837). - CVE-2025-69421: NULL Pointer Dereference in PKCS12_item_decrypt_d2i_ex function (bsc#1256838). - CVE-2026-22795: Missing ASN1_TYPE validation in PKCS#12 parsing (bsc#1256839). - CVE-2026-22796: ASN1_TYPE Type Confusion in the PKCS7_digest_from_attributes() function (bsc#1256840). The following package changes have been done: - libopenssl3-3.2.3-150700.5.24.1 updated - libopenssl-3-fips-provider-3.2.3-150700.5.24.1 updated - container:bci-bci-base-15.7-9efe2e5a6c38d2f8c0921b1f30f01a84e5a8a968aaa4132bec532c8be84037c1-0 updated From sle-container-updates at lists.suse.com Fri Jan 30 16:37:35 2026 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Fri, 30 Jan 2026 17:37:35 +0100 (CET) Subject: SUSE-CU-2026:517-1: Security update of bci/nodejs Message-ID: <20260130163735.3A46CFD85@maintenance.suse.de> SUSE Container Update Advisory: bci/nodejs ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2026:517-1 Container Tags : bci/node:22 , bci/node:22.22.0 , bci/node:22.22.0-16.10 , bci/node:latest , bci/nodejs:22 , bci/nodejs:22.22.0 , bci/nodejs:22.22.0-16.10 , bci/nodejs:latest Container Release : 16.10 Severity : critical Type : security References : 1256830 1256834 1256835 1256836 1256837 1256838 1256839 1256840 CVE-2025-15467 CVE-2025-68160 CVE-2025-69418 CVE-2025-69419 CVE-2025-69420 CVE-2025-69421 CVE-2026-22795 CVE-2026-22796 ----------------------------------------------------------------- The container bci/nodejs was updated. 
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2026:309-1 Released: Wed Jan 28 10:36:32 2026 Summary: Security update for openssl-3 Type: security Severity: critical References: 1256830,1256834,1256835,1256836,1256837,1256838,1256839,1256840,CVE-2025-15467,CVE-2025-68160,CVE-2025-69418,CVE-2025-69419,CVE-2025-69420,CVE-2025-69421,CVE-2026-22795,CVE-2026-22796 This update for openssl-3 fixes the following issues: - CVE-2025-15467: Stack buffer overflow in CMS AuthEnvelopedData parsing (bsc#1256830). - CVE-2025-68160: Heap out-of-bounds write in BIO_f_linebuffer on short writes (bsc#1256834). - CVE-2025-69418: Unauthenticated/unencrypted trailing bytes with low-level OCB function calls (bsc#1256835). - CVE-2025-69419: Out of bounds write in PKCS12_get_friendlyname() UTF-8 conversion (bsc#1256836). - CVE-2025-69420: Missing ASN1_TYPE validation in TS_RESP_verify_response() function (bsc#1256837). - CVE-2025-69421: NULL Pointer Dereference in PKCS12_item_decrypt_d2i_ex function (bsc#1256838). - CVE-2026-22795: Missing ASN1_TYPE validation in PKCS#12 parsing (bsc#1256839). - CVE-2026-22796: ASN1_TYPE Type Confusion in the PKCS7_digest_from_attributes() function (bsc#1256840). 
The following package changes have been done: - libopenssl3-3.2.3-150700.5.24.1 updated - libopenssl-3-fips-provider-3.2.3-150700.5.24.1 updated - libcurl4-8.14.1-150700.7.11.1 updated - container:registry.suse.com-bci-bci-base-15.7-9efe2e5a6c38d2f8c0921b1f30f01a84e5a8a968aaa4132bec532c8be84037c1-0 updated From sle-container-updates at lists.suse.com Fri Jan 30 16:38:08 2026 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Fri, 30 Jan 2026 17:38:08 +0100 (CET) Subject: SUSE-CU-2026:519-1: Security update of bci/openjdk-devel Message-ID: <20260130163808.4CA7EFD85@maintenance.suse.de> SUSE Container Update Advisory: bci/openjdk-devel ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2026:519-1 Container Tags : bci/openjdk-devel:17 , bci/openjdk-devel:17.0.17.0 , bci/openjdk-devel:17.0.17.0-16.10 Container Release : 16.10 Severity : critical Type : security References : 1254666 1256341 1256525 1256526 1256830 1256834 1256835 1256836 1256837 1256838 1256839 1256840 CVE-2025-13151 CVE-2025-14104 CVE-2025-15467 CVE-2025-68160 CVE-2025-69418 CVE-2025-69419 CVE-2025-69420 CVE-2025-69421 CVE-2026-22695 CVE-2026-22795 CVE-2026-22796 CVE-2026-22801 ----------------------------------------------------------------- The container bci/openjdk-devel was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2026:224-1 Released: Thu Jan 22 13:18:20 2026 Summary: Security update for libtasn1 Type: security Severity: moderate References: 1256341,CVE-2025-13151 This update for libtasn1 fixes the following issues: - CVE-2025-13151: stack-based buffer overflow in `asn1_expend_octet_string` (bsc#1256341). 
----------------------------------------------------------------- Advisory ID: SUSE-SU-2026:230-1 Released: Thu Jan 22 13:22:31 2026 Summary: Security update for util-linux Type: security Severity: moderate References: 1254666,CVE-2025-14104 This update for util-linux fixes the following issues: - CVE-2025-14104: Fixed heap buffer overread in setpwnam() when processing 256-byte usernames (bsc#1254666). - lscpu: Add support for NVIDIA Olympus arm64 core (jsc#PED-13682). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2026:234-1 Released: Thu Jan 22 13:24:43 2026 Summary: Security update for libpng16 Type: security Severity: moderate References: 1256525,1256526,CVE-2026-22695,CVE-2026-22801 This update for libpng16 fixes the following issues: - CVE-2026-22695: Fixed heap buffer over-read in png_image_finish_read (bsc#1256525) - CVE-2026-22801: Fixed integer truncation causing heap buffer over-read in png_image_write_* (bsc#1256526). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2026:309-1 Released: Wed Jan 28 10:36:32 2026 Summary: Security update for openssl-3 Type: security Severity: critical References: 1256830,1256834,1256835,1256836,1256837,1256838,1256839,1256840,CVE-2025-15467,CVE-2025-68160,CVE-2025-69418,CVE-2025-69419,CVE-2025-69420,CVE-2025-69421,CVE-2026-22795,CVE-2026-22796 This update for openssl-3 fixes the following issues: - CVE-2025-15467: Stack buffer overflow in CMS AuthEnvelopedData parsing (bsc#1256830). - CVE-2025-68160: Heap out-of-bounds write in BIO_f_linebuffer on short writes (bsc#1256834). - CVE-2025-69418: Unauthenticated/unencrypted trailing bytes with low-level OCB function calls (bsc#1256835). - CVE-2025-69419: Out of bounds write in PKCS12_get_friendlyname() UTF-8 conversion (bsc#1256836). - CVE-2025-69420: Missing ASN1_TYPE validation in TS_RESP_verify_response() function (bsc#1256837). 
- CVE-2025-69421: NULL Pointer Dereference in PKCS12_item_decrypt_d2i_ex function (bsc#1256838). - CVE-2026-22795: Missing ASN1_TYPE validation in PKCS#12 parsing (bsc#1256839). - CVE-2026-22796: ASN1_TYPE Type Confusion in the PKCS7_digest_from_attributes() function (bsc#1256840). The following package changes have been done: - libuuid1-2.40.4-150700.4.3.1 updated - libsmartcols1-2.40.4-150700.4.3.1 updated - libblkid1-2.40.4-150700.4.3.1 updated - libopenssl3-3.2.3-150700.5.24.1 updated - libfdisk1-2.40.4-150700.4.3.1 updated - libopenssl-3-fips-provider-3.2.3-150700.5.24.1 updated - libmount1-2.40.4-150700.4.3.1 updated - util-linux-2.40.4-150700.4.3.1 updated - libtasn1-6-4.13-150000.4.14.1 updated - libtasn1-4.13-150000.4.14.1 updated - openssl-3-3.2.3-150700.5.24.1 updated - libpng16-16-1.6.40-150600.3.6.1 updated - container:bci-openjdk-17-15.7.17-15.9 updated From sle-container-updates at lists.suse.com Fri Jan 30 16:38:39 2026 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Fri, 30 Jan 2026 17:38:39 +0100 (CET) Subject: SUSE-CU-2026:521-1: Security update of bci/openjdk Message-ID: <20260130163839.52558FD85@maintenance.suse.de> SUSE Container Update Advisory: bci/openjdk ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2026:521-1 Container Tags : bci/openjdk:17 , bci/openjdk:17.0.17.0 , bci/openjdk:17.0.17.0-15.10 Container Release : 15.10 Severity : critical Type : security References : 1251224 1256105 1256341 1256525 1256526 1256830 1256834 1256835 1256836 1256837 1256838 1256839 1256840 CVE-2025-13151 CVE-2025-14017 CVE-2025-15467 CVE-2025-68160 CVE-2025-69418 CVE-2025-69419 CVE-2025-69420 CVE-2025-69421 CVE-2026-22695 CVE-2026-22795 CVE-2026-22796 CVE-2026-22801 ----------------------------------------------------------------- The container bci/openjdk was updated. 
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2026:221-1 Released: Thu Jan 22 13:15:35 2026 Summary: Security update for curl Type: security Severity: moderate References: 1256105,CVE-2025-14017 This update for curl fixes the following issues: - CVE-2025-14017: Fixed broken TLS options for threaded LDAPS (bsc#1256105). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2026:224-1 Released: Thu Jan 22 13:18:20 2026 Summary: Security update for libtasn1 Type: security Severity: moderate References: 1256341,CVE-2025-13151 This update for libtasn1 fixes the following issues: - CVE-2025-13151: stack-based buffer overflow in `asn1_expend_octet_string` (bsc#1256341). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2026:234-1 Released: Thu Jan 22 13:24:43 2026 Summary: Security update for libpng16 Type: security Severity: moderate References: 1256525,1256526,CVE-2026-22695,CVE-2026-22801 This update for libpng16 fixes the following issues: - CVE-2026-22695: Fixed heap buffer over-read in png_image_finish_read (bsc#1256525) - CVE-2026-22801: Fixed integer truncation causing heap buffer over-read in png_image_write_* (bsc#1256526). 
----------------------------------------------------------------- Advisory ID: SUSE-RU-2026:242-1 Released: Thu Jan 22 14:57:13 2026 Summary: Recommended update for git Type: recommended Severity: moderate References: 1251224 This update for git fixes the following issue: - Revert incorrect AppArmor profile change, in SLE 15 the binaries remain in /usr/lib/git (bsc#1251224) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2026:309-1 Released: Wed Jan 28 10:36:32 2026 Summary: Security update for openssl-3 Type: security Severity: critical References: 1256830,1256834,1256835,1256836,1256837,1256838,1256839,1256840,CVE-2025-15467,CVE-2025-68160,CVE-2025-69418,CVE-2025-69419,CVE-2025-69420,CVE-2025-69421,CVE-2026-22795,CVE-2026-22796 This update for openssl-3 fixes the following issues: - CVE-2025-15467: Stack buffer overflow in CMS AuthEnvelopedData parsing (bsc#1256830). - CVE-2025-68160: Heap out-of-bounds write in BIO_f_linebuffer on short writes (bsc#1256834). - CVE-2025-69418: Unauthenticated/unencrypted trailing bytes with low-level OCB function calls (bsc#1256835). - CVE-2025-69419: Out of bounds write in PKCS12_get_friendlyname() UTF-8 conversion (bsc#1256836). - CVE-2025-69420: Missing ASN1_TYPE validation in TS_RESP_verify_response() function (bsc#1256837). - CVE-2025-69421: NULL Pointer Dereference in PKCS12_item_decrypt_d2i_ex function (bsc#1256838). - CVE-2026-22795: Missing ASN1_TYPE validation in PKCS#12 parsing (bsc#1256839). - CVE-2026-22796: ASN1_TYPE Type Confusion in the PKCS7_digest_from_attributes() function (bsc#1256840). 
The following package changes have been done: - libopenssl3-3.2.3-150700.5.24.1 updated - libopenssl-3-fips-provider-3.2.3-150700.5.24.1 updated - libcurl4-8.14.1-150700.7.11.1 updated - curl-8.14.1-150700.7.11.1 updated - libtasn1-6-4.13-150000.4.14.1 updated - libtasn1-4.13-150000.4.14.1 updated - openssl-3-3.2.3-150700.5.24.1 updated - libpng16-16-1.6.40-150600.3.6.1 updated - git-core-2.51.0-150600.3.15.1 updated - container:registry.suse.com-bci-bci-base-15.7-f9184822761ad484aca07587791f6b9d7abdb9a0b5cb88d5017f8891d8d8b001-0 updated From sle-container-updates at lists.suse.com Fri Jan 30 16:39:10 2026 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Fri, 30 Jan 2026 17:39:10 +0100 (CET) Subject: SUSE-CU-2026:522-1: Security update of bci/openjdk-devel Message-ID: <20260130163910.D8807FD85@maintenance.suse.de> SUSE Container Update Advisory: bci/openjdk-devel ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2026:522-1 Container Tags : bci/openjdk-devel:21 , bci/openjdk-devel:21.0.9.0 , bci/openjdk-devel:21.0.9.0-20.9 Container Release : 20.9 Severity : critical Type : security References : 1254666 1256341 1256525 1256526 1256830 1256834 1256835 1256836 1256837 1256838 1256839 1256840 CVE-2025-13151 CVE-2025-14104 CVE-2025-15467 CVE-2025-68160 CVE-2025-69418 CVE-2025-69419 CVE-2025-69420 CVE-2025-69421 CVE-2026-22695 CVE-2026-22795 CVE-2026-22796 CVE-2026-22801 ----------------------------------------------------------------- The container bci/openjdk-devel was updated. 
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2026:224-1 Released: Thu Jan 22 13:18:20 2026 Summary: Security update for libtasn1 Type: security Severity: moderate References: 1256341,CVE-2025-13151 This update for libtasn1 fixes the following issues: - CVE-2025-13151: stack-based buffer overflow in `asn1_expend_octet_string` (bsc#1256341). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2026:230-1 Released: Thu Jan 22 13:22:31 2026 Summary: Security update for util-linux Type: security Severity: moderate References: 1254666,CVE-2025-14104 This update for util-linux fixes the following issues: - CVE-2025-14104: Fixed heap buffer overread in setpwnam() when processing 256-byte usernames (bsc#1254666). - lscpu: Add support for NVIDIA Olympus arm64 core (jsc#PED-13682). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2026:234-1 Released: Thu Jan 22 13:24:43 2026 Summary: Security update for libpng16 Type: security Severity: moderate References: 1256525,1256526,CVE-2026-22695,CVE-2026-22801 This update for libpng16 fixes the following issues: - CVE-2026-22695: Fixed heap buffer over-read in png_image_finish_read (bsc#1256525) - CVE-2026-22801: Fixed integer truncation causing heap buffer over-read in png_image_write_* (bsc#1256526). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2026:309-1 Released: Wed Jan 28 10:36:32 2026 Summary: Security update for openssl-3 Type: security Severity: critical References: 1256830,1256834,1256835,1256836,1256837,1256838,1256839,1256840,CVE-2025-15467,CVE-2025-68160,CVE-2025-69418,CVE-2025-69419,CVE-2025-69420,CVE-2025-69421,CVE-2026-22795,CVE-2026-22796 This update for openssl-3 fixes the following issues: - CVE-2025-15467: Stack buffer overflow in CMS AuthEnvelopedData parsing (bsc#1256830). 
- CVE-2025-68160: Heap out-of-bounds write in BIO_f_linebuffer on short writes (bsc#1256834).
- CVE-2025-69418: Unauthenticated/unencrypted trailing bytes with low-level OCB function calls (bsc#1256835).
- CVE-2025-69419: Out of bounds write in PKCS12_get_friendlyname() UTF-8 conversion (bsc#1256836).
- CVE-2025-69420: Missing ASN1_TYPE validation in TS_RESP_verify_response() function (bsc#1256837).
- CVE-2025-69421: NULL Pointer Dereference in PKCS12_item_decrypt_d2i_ex function (bsc#1256838).
- CVE-2026-22795: Missing ASN1_TYPE validation in PKCS#12 parsing (bsc#1256839).
- CVE-2026-22796: ASN1_TYPE Type Confusion in the PKCS7_digest_from_attributes() function (bsc#1256840).

The following package changes have been done:

- libuuid1-2.40.4-150700.4.3.1 updated
- libsmartcols1-2.40.4-150700.4.3.1 updated
- libblkid1-2.40.4-150700.4.3.1 updated
- libopenssl3-3.2.3-150700.5.24.1 updated
- libfdisk1-2.40.4-150700.4.3.1 updated
- libopenssl-3-fips-provider-3.2.3-150700.5.24.1 updated
- libmount1-2.40.4-150700.4.3.1 updated
- util-linux-2.40.4-150700.4.3.1 updated
- libtasn1-6-4.13-150000.4.14.1 updated
- libtasn1-4.13-150000.4.14.1 updated
- openssl-3-3.2.3-150700.5.24.1 updated
- libpng16-16-1.6.40-150600.3.6.1 updated
- container:bci-openjdk-21-15.7.21-19.9 updated

From sle-container-updates at lists.suse.com Fri Jan 30 16:39:40 2026
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Fri, 30 Jan 2026 17:39:40 +0100 (CET)
Subject: SUSE-CU-2026:524-1: Security update of bci/openjdk
Message-ID: <20260130163940.A4D8DFD85@maintenance.suse.de>

SUSE Container Update Advisory: bci/openjdk
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2026:524-1
Container Tags : bci/openjdk:21 , bci/openjdk:21.0.9.0 , bci/openjdk:21.0.9.0-19.9
Container Release : 19.9
Severity : critical
Type : security
References : 1251224 1256105 1256341 1256525 1256526 1256830 1256834 1256835 1256836 1256837
1256838 1256839 1256840 CVE-2025-13151 CVE-2025-14017 CVE-2025-15467 CVE-2025-68160 CVE-2025-69418 CVE-2025-69419 CVE-2025-69420 CVE-2025-69421 CVE-2026-22695 CVE-2026-22795 CVE-2026-22796 CVE-2026-22801
-----------------------------------------------------------------

The container bci/openjdk was updated.

The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:221-1
Released: Thu Jan 22 13:15:35 2026
Summary: Security update for curl
Type: security
Severity: moderate
References: 1256105,CVE-2025-14017

This update for curl fixes the following issues:

- CVE-2025-14017: Fixed broken TLS options for threaded LDAPS (bsc#1256105).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:224-1
Released: Thu Jan 22 13:18:20 2026
Summary: Security update for libtasn1
Type: security
Severity: moderate
References: 1256341,CVE-2025-13151

This update for libtasn1 fixes the following issues:

- CVE-2025-13151: stack-based buffer overflow in `asn1_expend_octet_string` (bsc#1256341).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:234-1
Released: Thu Jan 22 13:24:43 2026
Summary: Security update for libpng16
Type: security
Severity: moderate
References: 1256525,1256526,CVE-2026-22695,CVE-2026-22801

This update for libpng16 fixes the following issues:

- CVE-2026-22695: Fixed heap buffer over-read in png_image_finish_read (bsc#1256525)
- CVE-2026-22801: Fixed integer truncation causing heap buffer over-read in png_image_write_* (bsc#1256526).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2026:242-1
Released: Thu Jan 22 14:57:13 2026
Summary: Recommended update for git
Type: recommended
Severity: moderate
References: 1251224

This update for git fixes the following issue:

- Revert incorrect AppArmor profile change, in SLE 15 the binaries remain in /usr/lib/git (bsc#1251224)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:309-1
Released: Wed Jan 28 10:36:32 2026
Summary: Security update for openssl-3
Type: security
Severity: critical
References: 1256830,1256834,1256835,1256836,1256837,1256838,1256839,1256840,CVE-2025-15467,CVE-2025-68160,CVE-2025-69418,CVE-2025-69419,CVE-2025-69420,CVE-2025-69421,CVE-2026-22795,CVE-2026-22796

This update for openssl-3 fixes the following issues:

- CVE-2025-15467: Stack buffer overflow in CMS AuthEnvelopedData parsing (bsc#1256830).
- CVE-2025-68160: Heap out-of-bounds write in BIO_f_linebuffer on short writes (bsc#1256834).
- CVE-2025-69418: Unauthenticated/unencrypted trailing bytes with low-level OCB function calls (bsc#1256835).
- CVE-2025-69419: Out of bounds write in PKCS12_get_friendlyname() UTF-8 conversion (bsc#1256836).
- CVE-2025-69420: Missing ASN1_TYPE validation in TS_RESP_verify_response() function (bsc#1256837).
- CVE-2025-69421: NULL Pointer Dereference in PKCS12_item_decrypt_d2i_ex function (bsc#1256838).
- CVE-2026-22795: Missing ASN1_TYPE validation in PKCS#12 parsing (bsc#1256839).
- CVE-2026-22796: ASN1_TYPE Type Confusion in the PKCS7_digest_from_attributes() function (bsc#1256840).
The following package changes have been done:

- libopenssl3-3.2.3-150700.5.24.1 updated
- libopenssl-3-fips-provider-3.2.3-150700.5.24.1 updated
- libcurl4-8.14.1-150700.7.11.1 updated
- libtasn1-6-4.13-150000.4.14.1 updated
- libtasn1-4.13-150000.4.14.1 updated
- curl-8.14.1-150700.7.11.1 updated
- openssl-3-3.2.3-150700.5.24.1 updated
- libpng16-16-1.6.40-150600.3.6.1 updated
- git-core-2.51.0-150600.3.15.1 updated
- container:registry.suse.com-bci-bci-base-15.7-9efe2e5a6c38d2f8c0921b1f30f01a84e5a8a968aaa4132bec532c8be84037c1-0 updated

From sle-container-updates at lists.suse.com Fri Jan 30 16:39:48 2026
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Fri, 30 Jan 2026 17:39:48 +0100 (CET)
Subject: SUSE-CU-2026:526-1: Security update of bci/openjdk-devel
Message-ID: <20260130163948.20B60FD85@maintenance.suse.de>

SUSE Container Update Advisory: bci/openjdk-devel
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2026:526-1
Container Tags : bci/openjdk-devel:25 , bci/openjdk-devel:25.0.1.0 , bci/openjdk-devel:25.0.1.0-4.9 , bci/openjdk-devel:latest
Container Release : 4.9
Severity : critical
Type : security
References : 1254666 1256341 1256525 1256526 1256830 1256834 1256835 1256836 1256837 1256838 1256839 1256840 CVE-2025-13151 CVE-2025-14104 CVE-2025-15467 CVE-2025-68160 CVE-2025-69418 CVE-2025-69419 CVE-2025-69420 CVE-2025-69421 CVE-2026-22695 CVE-2026-22795 CVE-2026-22796 CVE-2026-22801
-----------------------------------------------------------------

The container bci/openjdk-devel was updated.
The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:224-1
Released: Thu Jan 22 13:18:20 2026
Summary: Security update for libtasn1
Type: security
Severity: moderate
References: 1256341,CVE-2025-13151

This update for libtasn1 fixes the following issues:

- CVE-2025-13151: stack-based buffer overflow in `asn1_expend_octet_string` (bsc#1256341).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:230-1
Released: Thu Jan 22 13:22:31 2026
Summary: Security update for util-linux
Type: security
Severity: moderate
References: 1254666,CVE-2025-14104

This update for util-linux fixes the following issues:

- CVE-2025-14104: Fixed heap buffer overread in setpwnam() when processing 256-byte usernames (bsc#1254666).
- lscpu: Add support for NVIDIA Olympus arm64 core (jsc#PED-13682).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:234-1
Released: Thu Jan 22 13:24:43 2026
Summary: Security update for libpng16
Type: security
Severity: moderate
References: 1256525,1256526,CVE-2026-22695,CVE-2026-22801

This update for libpng16 fixes the following issues:

- CVE-2026-22695: Fixed heap buffer over-read in png_image_finish_read (bsc#1256525)
- CVE-2026-22801: Fixed integer truncation causing heap buffer over-read in png_image_write_* (bsc#1256526).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:309-1
Released: Wed Jan 28 10:36:32 2026
Summary: Security update for openssl-3
Type: security
Severity: critical
References: 1256830,1256834,1256835,1256836,1256837,1256838,1256839,1256840,CVE-2025-15467,CVE-2025-68160,CVE-2025-69418,CVE-2025-69419,CVE-2025-69420,CVE-2025-69421,CVE-2026-22795,CVE-2026-22796

This update for openssl-3 fixes the following issues:

- CVE-2025-15467: Stack buffer overflow in CMS AuthEnvelopedData parsing (bsc#1256830).
- CVE-2025-68160: Heap out-of-bounds write in BIO_f_linebuffer on short writes (bsc#1256834).
- CVE-2025-69418: Unauthenticated/unencrypted trailing bytes with low-level OCB function calls (bsc#1256835).
- CVE-2025-69419: Out of bounds write in PKCS12_get_friendlyname() UTF-8 conversion (bsc#1256836).
- CVE-2025-69420: Missing ASN1_TYPE validation in TS_RESP_verify_response() function (bsc#1256837).
- CVE-2025-69421: NULL Pointer Dereference in PKCS12_item_decrypt_d2i_ex function (bsc#1256838).
- CVE-2026-22795: Missing ASN1_TYPE validation in PKCS#12 parsing (bsc#1256839).
- CVE-2026-22796: ASN1_TYPE Type Confusion in the PKCS7_digest_from_attributes() function (bsc#1256840).

The following package changes have been done:

- libuuid1-2.40.4-150700.4.3.1 updated
- libsmartcols1-2.40.4-150700.4.3.1 updated
- libblkid1-2.40.4-150700.4.3.1 updated
- libopenssl3-3.2.3-150700.5.24.1 updated
- libfdisk1-2.40.4-150700.4.3.1 updated
- libopenssl-3-fips-provider-3.2.3-150700.5.24.1 updated
- libmount1-2.40.4-150700.4.3.1 updated
- util-linux-2.40.4-150700.4.3.1 updated
- libtasn1-6-4.13-150000.4.14.1 updated
- libtasn1-4.13-150000.4.14.1 updated
- openssl-3-3.2.3-150700.5.24.1 updated
- libpng16-16-1.6.40-150600.3.6.1 updated
- container:bci-openjdk-25-15.7.25-4.9 updated

From sle-container-updates at lists.suse.com Fri Jan 30 16:39:49 2026
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Fri, 30 Jan 2026 17:39:49 +0100 (CET)
Subject: SUSE-CU-2026:527-1: Security update of bci/openjdk-devel
Message-ID: <20260130163949.27D49FD85@maintenance.suse.de>

SUSE Container Update Advisory: bci/openjdk-devel
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2026:527-1
Container Tags : bci/openjdk-devel:25 , bci/openjdk-devel:25.0.2.0 , bci/openjdk-devel:25.0.2.0-4.11 , bci/openjdk-devel:latest
Container Release : 4.11
Severity : important
Type : security
References : 1257034 1257036 1257037
1257038 CVE-2026-21925 CVE-2026-21932 CVE-2026-21933 CVE-2026-21945
-----------------------------------------------------------------

The container bci/openjdk-devel was updated.

The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:342-1
Released: Thu Jan 29 15:59:27 2026
Summary: Security update for java-25-openjdk
Type: security
Severity: important
References: 1257034,1257036,1257037,1257038,CVE-2026-21925,CVE-2026-21932,CVE-2026-21933,CVE-2026-21945

This update for java-25-openjdk fixes the following issues:

Update to upstream tag jdk-25.0.2+10 (January 2026 CPU)

Security fixes:

- CVE-2026-21925: Fixed Oracle Java SE component RMI (bsc#1257034).
- CVE-2026-21932: Fixed Oracle Java SE component AWT and JavaFX (bsc#1257036).
- CVE-2026-21933: Fixed Oracle Java SE component Networking (bsc#1257037).
- CVE-2026-21945: Fixed Oracle Java SE component Security (bsc#1257038).

Other fixes:

- Do not depend on update-desktop-files (jsc#PED-14507, jsc#PED-15221).
The following package changes have been done:

- java-25-openjdk-headless-25.0.2.0-150700.15.7.1 updated
- java-25-openjdk-25.0.2.0-150700.15.7.1 updated
- java-25-openjdk-devel-25.0.2.0-150700.15.7.1 updated
- container:bci-openjdk-25-15.7.25-4.11 updated

From sle-container-updates at lists.suse.com Fri Jan 30 16:39:55 2026
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Fri, 30 Jan 2026 17:39:55 +0100 (CET)
Subject: SUSE-CU-2026:528-1: Security update of bci/openjdk
Message-ID: <20260130163955.BCB4FFD85@maintenance.suse.de>

SUSE Container Update Advisory: bci/openjdk
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2026:528-1
Container Tags : bci/openjdk:25 , bci/openjdk:25.0.2.0 , bci/openjdk:25.0.2.0-4.11 , bci/openjdk:latest
Container Release : 4.11
Severity : critical
Type : security
References : 1251224 1256105 1256341 1256525 1256526 1256830 1256834 1256835 1256836 1256837 1256838 1256839 1256840 1257034 1257036 1257037 1257038 CVE-2025-13151 CVE-2025-14017 CVE-2025-15467 CVE-2025-68160 CVE-2025-69418 CVE-2025-69419 CVE-2025-69420 CVE-2025-69421 CVE-2026-21925 CVE-2026-21932 CVE-2026-21933 CVE-2026-21945 CVE-2026-22695 CVE-2026-22795 CVE-2026-22796 CVE-2026-22801
-----------------------------------------------------------------

The container bci/openjdk was updated.

The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:221-1
Released: Thu Jan 22 13:15:35 2026
Summary: Security update for curl
Type: security
Severity: moderate
References: 1256105,CVE-2025-14017

This update for curl fixes the following issues:

- CVE-2025-14017: Fixed broken TLS options for threaded LDAPS (bsc#1256105).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:224-1
Released: Thu Jan 22 13:18:20 2026
Summary: Security update for libtasn1
Type: security
Severity: moderate
References: 1256341,CVE-2025-13151

This update for libtasn1 fixes the following issues:

- CVE-2025-13151: stack-based buffer overflow in `asn1_expend_octet_string` (bsc#1256341).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:234-1
Released: Thu Jan 22 13:24:43 2026
Summary: Security update for libpng16
Type: security
Severity: moderate
References: 1256525,1256526,CVE-2026-22695,CVE-2026-22801

This update for libpng16 fixes the following issues:

- CVE-2026-22695: Fixed heap buffer over-read in png_image_finish_read (bsc#1256525)
- CVE-2026-22801: Fixed integer truncation causing heap buffer over-read in png_image_write_* (bsc#1256526).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2026:242-1
Released: Thu Jan 22 14:57:13 2026
Summary: Recommended update for git
Type: recommended
Severity: moderate
References: 1251224

This update for git fixes the following issue:

- Revert incorrect AppArmor profile change, in SLE 15 the binaries remain in /usr/lib/git (bsc#1251224)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:309-1
Released: Wed Jan 28 10:36:32 2026
Summary: Security update for openssl-3
Type: security
Severity: critical
References: 1256830,1256834,1256835,1256836,1256837,1256838,1256839,1256840,CVE-2025-15467,CVE-2025-68160,CVE-2025-69418,CVE-2025-69419,CVE-2025-69420,CVE-2025-69421,CVE-2026-22795,CVE-2026-22796

This update for openssl-3 fixes the following issues:

- CVE-2025-15467: Stack buffer overflow in CMS AuthEnvelopedData parsing (bsc#1256830).
- CVE-2025-68160: Heap out-of-bounds write in BIO_f_linebuffer on short writes (bsc#1256834).
- CVE-2025-69418: Unauthenticated/unencrypted trailing bytes with low-level OCB function calls (bsc#1256835).
- CVE-2025-69419: Out of bounds write in PKCS12_get_friendlyname() UTF-8 conversion (bsc#1256836).
- CVE-2025-69420: Missing ASN1_TYPE validation in TS_RESP_verify_response() function (bsc#1256837).
- CVE-2025-69421: NULL Pointer Dereference in PKCS12_item_decrypt_d2i_ex function (bsc#1256838).
- CVE-2026-22795: Missing ASN1_TYPE validation in PKCS#12 parsing (bsc#1256839).
- CVE-2026-22796: ASN1_TYPE Type Confusion in the PKCS7_digest_from_attributes() function (bsc#1256840).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:342-1
Released: Thu Jan 29 15:59:27 2026
Summary: Security update for java-25-openjdk
Type: security
Severity: important
References: 1257034,1257036,1257037,1257038,CVE-2026-21925,CVE-2026-21932,CVE-2026-21933,CVE-2026-21945

This update for java-25-openjdk fixes the following issues:

Update to upstream tag jdk-25.0.2+10 (January 2026 CPU)

Security fixes:

- CVE-2026-21925: Fixed Oracle Java SE component RMI (bsc#1257034).
- CVE-2026-21932: Fixed Oracle Java SE component AWT and JavaFX (bsc#1257036).
- CVE-2026-21933: Fixed Oracle Java SE component Networking (bsc#1257037).
- CVE-2026-21945: Fixed Oracle Java SE component Security (bsc#1257038).

Other fixes:

- Do not depend on update-desktop-files (jsc#PED-14507, jsc#PED-15221).
The following package changes have been done:

- libopenssl3-3.2.3-150700.5.24.1 updated
- libopenssl-3-fips-provider-3.2.3-150700.5.24.1 updated
- libcurl4-8.14.1-150700.7.11.1 updated
- curl-8.14.1-150700.7.11.1 updated
- libtasn1-6-4.13-150000.4.14.1 updated
- libtasn1-4.13-150000.4.14.1 updated
- openssl-3-3.2.3-150700.5.24.1 updated
- libpng16-16-1.6.40-150600.3.6.1 updated
- git-core-2.51.0-150600.3.15.1 updated
- java-25-openjdk-headless-25.0.2.0-150700.15.7.1 updated
- java-25-openjdk-25.0.2.0-150700.15.7.1 updated
- container:registry.suse.com-bci-bci-base-15.7-f9184822761ad484aca07587791f6b9d7abdb9a0b5cb88d5017f8891d8d8b001-0 updated

From sle-container-updates at lists.suse.com Fri Jan 30 16:40:29 2026
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Fri, 30 Jan 2026 17:40:29 +0100 (CET)
Subject: SUSE-CU-2026:529-1: Security update of suse/pcp
Message-ID: <20260130164029.8CC3CFD85@maintenance.suse.de>

SUSE Container Update Advisory: suse/pcp
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2026:529-1
Container Tags : suse/pcp:6 , suse/pcp:6.2 , suse/pcp:6.2.0 , suse/pcp:6.2.0-70.10 , suse/pcp:latest
Container Release : 70.10
Severity : critical
Type : security
References : 1256830 1256834 1256835 1256836 1256837 1256838 1256839 1256840 1257049 CVE-2025-15467 CVE-2025-68160 CVE-2025-69418 CVE-2025-69419 CVE-2025-69420 CVE-2025-69421 CVE-2026-0988 CVE-2026-22795 CVE-2026-22796
-----------------------------------------------------------------

The container suse/pcp was updated.
The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:286-1
Released: Sat Jan 24 00:35:35 2026
Summary: Security update for glib2
Type: security
Severity: low
References: 1257049,CVE-2026-0988

This update for glib2 fixes the following issues:

- CVE-2026-0988: Fixed a potential integer overflow in g_buffered_input_stream_peek (bsc#1257049).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:309-1
Released: Wed Jan 28 10:36:32 2026
Summary: Security update for openssl-3
Type: security
Severity: critical
References: 1256830,1256834,1256835,1256836,1256837,1256838,1256839,1256840,CVE-2025-15467,CVE-2025-68160,CVE-2025-69418,CVE-2025-69419,CVE-2025-69420,CVE-2025-69421,CVE-2026-22795,CVE-2026-22796

This update for openssl-3 fixes the following issues:

- CVE-2025-15467: Stack buffer overflow in CMS AuthEnvelopedData parsing (bsc#1256830).
- CVE-2025-68160: Heap out-of-bounds write in BIO_f_linebuffer on short writes (bsc#1256834).
- CVE-2025-69418: Unauthenticated/unencrypted trailing bytes with low-level OCB function calls (bsc#1256835).
- CVE-2025-69419: Out of bounds write in PKCS12_get_friendlyname() UTF-8 conversion (bsc#1256836).
- CVE-2025-69420: Missing ASN1_TYPE validation in TS_RESP_verify_response() function (bsc#1256837).
- CVE-2025-69421: NULL Pointer Dereference in PKCS12_item_decrypt_d2i_ex function (bsc#1256838).
- CVE-2026-22795: Missing ASN1_TYPE validation in PKCS#12 parsing (bsc#1256839).
- CVE-2026-22796: ASN1_TYPE Type Confusion in the PKCS7_digest_from_attributes() function (bsc#1256840).
The following package changes have been done:

- libuuid1-2.40.4-150700.4.3.1 updated
- libsmartcols1-2.40.4-150700.4.3.1 updated
- libopenssl3-3.2.3-150700.5.24.1 updated
- libblkid1-2.40.4-150700.4.3.1 updated
- libopenssl-3-fips-provider-3.2.3-150700.5.24.1 updated
- libfdisk1-2.40.4-150700.4.3.1 updated
- libglib-2_0-0-2.78.6-150600.4.28.1 updated
- libmount1-2.40.4-150700.4.3.1 updated
- util-linux-2.40.4-150700.4.3.1 updated
- container:bci-bci-init-15.7-71a213669810de1ad1b7f75d4e50cbf6d1e2f036685860f6e85b4ed0a4999bb5-0 updated

From sle-container-updates at lists.suse.com Fri Jan 30 16:41:02 2026
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Fri, 30 Jan 2026 17:41:02 +0100 (CET)
Subject: SUSE-CU-2026:530-1: Security update of bci/php-apache
Message-ID: <20260130164102.3138BFD85@maintenance.suse.de>

SUSE Container Update Advisory: bci/php-apache
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2026:530-1
Container Tags : bci/php-apache:8 , bci/php-apache:8.3.29 , bci/php-apache:8.3.29-18.11 , bci/php-apache:latest
Container Release : 18.11
Severity : critical
Type : security
References : 1254666 1256105 1256341 1256830 1256834 1256835 1256836 1256837 1256838 1256839 1256840 CVE-2025-13151 CVE-2025-14017 CVE-2025-14104 CVE-2025-15467 CVE-2025-68160 CVE-2025-69418 CVE-2025-69419 CVE-2025-69420 CVE-2025-69421 CVE-2026-22795 CVE-2026-22796
-----------------------------------------------------------------

The container bci/php-apache was updated.

The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:221-1
Released: Thu Jan 22 13:15:35 2026
Summary: Security update for curl
Type: security
Severity: moderate
References: 1256105,CVE-2025-14017

This update for curl fixes the following issues:

- CVE-2025-14017: Fixed broken TLS options for threaded LDAPS (bsc#1256105).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:224-1
Released: Thu Jan 22 13:18:20 2026
Summary: Security update for libtasn1
Type: security
Severity: moderate
References: 1256341,CVE-2025-13151

This update for libtasn1 fixes the following issues:

- CVE-2025-13151: stack-based buffer overflow in `asn1_expend_octet_string` (bsc#1256341).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:230-1
Released: Thu Jan 22 13:22:31 2026
Summary: Security update for util-linux
Type: security
Severity: moderate
References: 1254666,CVE-2025-14104

This update for util-linux fixes the following issues:

- CVE-2025-14104: Fixed heap buffer overread in setpwnam() when processing 256-byte usernames (bsc#1254666).
- lscpu: Add support for NVIDIA Olympus arm64 core (jsc#PED-13682).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:309-1
Released: Wed Jan 28 10:36:32 2026
Summary: Security update for openssl-3
Type: security
Severity: critical
References: 1256830,1256834,1256835,1256836,1256837,1256838,1256839,1256840,CVE-2025-15467,CVE-2025-68160,CVE-2025-69418,CVE-2025-69419,CVE-2025-69420,CVE-2025-69421,CVE-2026-22795,CVE-2026-22796

This update for openssl-3 fixes the following issues:

- CVE-2025-15467: Stack buffer overflow in CMS AuthEnvelopedData parsing (bsc#1256830).
- CVE-2025-68160: Heap out-of-bounds write in BIO_f_linebuffer on short writes (bsc#1256834).
- CVE-2025-69418: Unauthenticated/unencrypted trailing bytes with low-level OCB function calls (bsc#1256835).
- CVE-2025-69419: Out of bounds write in PKCS12_get_friendlyname() UTF-8 conversion (bsc#1256836).
- CVE-2025-69420: Missing ASN1_TYPE validation in TS_RESP_verify_response() function (bsc#1256837).
- CVE-2025-69421: NULL Pointer Dereference in PKCS12_item_decrypt_d2i_ex function (bsc#1256838).
- CVE-2026-22795: Missing ASN1_TYPE validation in PKCS#12 parsing (bsc#1256839).
- CVE-2026-22796: ASN1_TYPE Type Confusion in the PKCS7_digest_from_attributes() function (bsc#1256840).

The following package changes have been done:

- libuuid1-2.40.4-150700.4.3.1 updated
- libopenssl3-3.2.3-150700.5.24.1 updated
- libopenssl-3-fips-provider-3.2.3-150700.5.24.1 updated
- libcurl4-8.14.1-150700.7.11.1 updated
- libtasn1-6-4.13-150000.4.14.1 updated
- libtasn1-4.13-150000.4.14.1 updated
- container:registry.suse.com-bci-bci-base-15.7-f9184822761ad484aca07587791f6b9d7abdb9a0b5cb88d5017f8891d8d8b001-0 updated

From sle-container-updates at lists.suse.com Fri Jan 30 16:58:00 2026
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Fri, 30 Jan 2026 17:58:00 +0100 (CET)
Subject: SUSE-CU-2026:530-1: Security update of bci/php-apache
Message-ID: <20260130165800.899BFFD85@maintenance.suse.de>

SUSE Container Update Advisory: bci/php-apache
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2026:530-1
Container Tags : bci/php-apache:8 , bci/php-apache:8.3.29 , bci/php-apache:8.3.29-18.11 , bci/php-apache:latest
Container Release : 18.11
Severity : critical
Type : security
References : 1254666 1256105 1256341 1256830 1256834 1256835 1256836 1256837 1256838 1256839 1256840 CVE-2025-13151 CVE-2025-14017 CVE-2025-14104 CVE-2025-15467 CVE-2025-68160 CVE-2025-69418 CVE-2025-69419 CVE-2025-69420 CVE-2025-69421 CVE-2026-22795 CVE-2026-22796
-----------------------------------------------------------------

The container bci/php-apache was updated.

The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:221-1
Released: Thu Jan 22 13:15:35 2026
Summary: Security update for curl
Type: security
Severity: moderate
References: 1256105,CVE-2025-14017

This update for curl fixes the following issues:

- CVE-2025-14017: Fixed broken TLS options for threaded LDAPS (bsc#1256105).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:224-1
Released: Thu Jan 22 13:18:20 2026
Summary: Security update for libtasn1
Type: security
Severity: moderate
References: 1256341,CVE-2025-13151

This update for libtasn1 fixes the following issues:

- CVE-2025-13151: stack-based buffer overflow in `asn1_expend_octet_string` (bsc#1256341).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:230-1
Released: Thu Jan 22 13:22:31 2026
Summary: Security update for util-linux
Type: security
Severity: moderate
References: 1254666,CVE-2025-14104

This update for util-linux fixes the following issues:

- CVE-2025-14104: Fixed heap buffer overread in setpwnam() when processing 256-byte usernames (bsc#1254666).
- lscpu: Add support for NVIDIA Olympus arm64 core (jsc#PED-13682).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:309-1
Released: Wed Jan 28 10:36:32 2026
Summary: Security update for openssl-3
Type: security
Severity: critical
References: 1256830,1256834,1256835,1256836,1256837,1256838,1256839,1256840,CVE-2025-15467,CVE-2025-68160,CVE-2025-69418,CVE-2025-69419,CVE-2025-69420,CVE-2025-69421,CVE-2026-22795,CVE-2026-22796

This update for openssl-3 fixes the following issues:

- CVE-2025-15467: Stack buffer overflow in CMS AuthEnvelopedData parsing (bsc#1256830).
- CVE-2025-68160: Heap out-of-bounds write in BIO_f_linebuffer on short writes (bsc#1256834).
- CVE-2025-69418: Unauthenticated/unencrypted trailing bytes with low-level OCB function calls (bsc#1256835).
- CVE-2025-69419: Out of bounds write in PKCS12_get_friendlyname() UTF-8 conversion (bsc#1256836).
- CVE-2025-69420: Missing ASN1_TYPE validation in TS_RESP_verify_response() function (bsc#1256837).
- CVE-2025-69421: NULL Pointer Dereference in PKCS12_item_decrypt_d2i_ex function (bsc#1256838).
- CVE-2026-22795: Missing ASN1_TYPE validation in PKCS#12 parsing (bsc#1256839).
- CVE-2026-22796: ASN1_TYPE Type Confusion in the PKCS7_digest_from_attributes() function (bsc#1256840).

The following package changes have been done:

- libuuid1-2.40.4-150700.4.3.1 updated
- libopenssl3-3.2.3-150700.5.24.1 updated
- libopenssl-3-fips-provider-3.2.3-150700.5.24.1 updated
- libcurl4-8.14.1-150700.7.11.1 updated
- libtasn1-6-4.13-150000.4.14.1 updated
- libtasn1-4.13-150000.4.14.1 updated
- container:registry.suse.com-bci-bci-base-15.7-f9184822761ad484aca07587791f6b9d7abdb9a0b5cb88d5017f8891d8d8b001-0 updated

From sle-container-updates at lists.suse.com Fri Jan 30 16:58:25 2026
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Fri, 30 Jan 2026 17:58:25 +0100 (CET)
Subject: SUSE-CU-2026:531-1: Security update of bci/php-fpm
Message-ID: <20260130165825.6840FFD85@maintenance.suse.de>

SUSE Container Update Advisory: bci/php-fpm
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2026:531-1
Container Tags : bci/php-fpm:8 , bci/php-fpm:8.3.29 , bci/php-fpm:8.3.29-18.11 , bci/php-fpm:latest
Container Release : 18.11
Severity : critical
Type : security
References : 1256105 1256341 1256830 1256834 1256835 1256836 1256837 1256838 1256839 1256840 CVE-2025-13151 CVE-2025-14017 CVE-2025-15467 CVE-2025-68160 CVE-2025-69418 CVE-2025-69419 CVE-2025-69420 CVE-2025-69421 CVE-2026-22795 CVE-2026-22796
-----------------------------------------------------------------

The container bci/php-fpm was updated.

The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:221-1
Released: Thu Jan 22 13:15:35 2026
Summary: Security update for curl
Type: security
Severity: moderate
References: 1256105,CVE-2025-14017

This update for curl fixes the following issues:

- CVE-2025-14017: Fixed broken TLS options for threaded LDAPS (bsc#1256105).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:224-1
Released: Thu Jan 22 13:18:20 2026
Summary: Security update for libtasn1
Type: security
Severity: moderate
References: 1256341,CVE-2025-13151

This update for libtasn1 fixes the following issues:

- CVE-2025-13151: stack-based buffer overflow in `asn1_expend_octet_string` (bsc#1256341).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:309-1
Released: Wed Jan 28 10:36:32 2026
Summary: Security update for openssl-3
Type: security
Severity: critical
References: 1256830,1256834,1256835,1256836,1256837,1256838,1256839,1256840,CVE-2025-15467,CVE-2025-68160,CVE-2025-69418,CVE-2025-69419,CVE-2025-69420,CVE-2025-69421,CVE-2026-22795,CVE-2026-22796

This update for openssl-3 fixes the following issues:

- CVE-2025-15467: Stack buffer overflow in CMS AuthEnvelopedData parsing (bsc#1256830).
- CVE-2025-68160: Heap out-of-bounds write in BIO_f_linebuffer on short writes (bsc#1256834).
- CVE-2025-69418: Unauthenticated/unencrypted trailing bytes with low-level OCB function calls (bsc#1256835).
- CVE-2025-69419: Out of bounds write in PKCS12_get_friendlyname() UTF-8 conversion (bsc#1256836).
- CVE-2025-69420: Missing ASN1_TYPE validation in TS_RESP_verify_response() function (bsc#1256837).
- CVE-2025-69421: NULL Pointer Dereference in PKCS12_item_decrypt_d2i_ex function (bsc#1256838).
- CVE-2026-22795: Missing ASN1_TYPE validation in PKCS#12 parsing (bsc#1256839).
- CVE-2026-22796: ASN1_TYPE Type Confusion in the PKCS7_digest_from_attributes() function (bsc#1256840).
The following package changes have been done:

- libopenssl3-3.2.3-150700.5.24.1 updated
- libopenssl-3-fips-provider-3.2.3-150700.5.24.1 updated
- libcurl4-8.14.1-150700.7.11.1 updated
- libtasn1-6-4.13-150000.4.14.1 updated
- libtasn1-4.13-150000.4.14.1 updated
- container:registry.suse.com-bci-bci-base-15.7-f9184822761ad484aca07587791f6b9d7abdb9a0b5cb88d5017f8891d8d8b001-0 updated

From sle-container-updates at lists.suse.com Fri Jan 30 16:58:50 2026
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Fri, 30 Jan 2026 17:58:50 +0100 (CET)
Subject: SUSE-CU-2026:532-1: Security update of bci/php
Message-ID: <20260130165850.B3D33FD85@maintenance.suse.de>

SUSE Container Update Advisory: bci/php
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2026:532-1
Container Tags : bci/php:8 , bci/php:8.3.29 , bci/php:8.3.29-18.11 , bci/php:latest
Container Release : 18.11
Severity : critical
Type : security
References : 1256105 1256341 1256830 1256834 1256835 1256836 1256837 1256838 1256839 1256840 CVE-2025-13151 CVE-2025-14017 CVE-2025-15467 CVE-2025-68160 CVE-2025-69418 CVE-2025-69419 CVE-2025-69420 CVE-2025-69421 CVE-2026-22795 CVE-2026-22796
-----------------------------------------------------------------

The container bci/php was updated.

The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:221-1
Released: Thu Jan 22 13:15:35 2026
Summary: Security update for curl
Type: security
Severity: moderate
References: 1256105,CVE-2025-14017

This update for curl fixes the following issues:

- CVE-2025-14017: Fixed broken TLS options for threaded LDAPS (bsc#1256105).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:224-1
Released: Thu Jan 22 13:18:20 2026
Summary: Security update for libtasn1
Type: security
Severity: moderate
References: 1256341,CVE-2025-13151

This update for libtasn1 fixes the following issues:

- CVE-2025-13151: stack-based buffer overflow in `asn1_expend_octet_string` (bsc#1256341).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:309-1
Released: Wed Jan 28 10:36:32 2026
Summary: Security update for openssl-3
Type: security
Severity: critical
References: 1256830,1256834,1256835,1256836,1256837,1256838,1256839,1256840,CVE-2025-15467,CVE-2025-68160,CVE-2025-69418,CVE-2025-69419,CVE-2025-69420,CVE-2025-69421,CVE-2026-22795,CVE-2026-22796

This update for openssl-3 fixes the following issues:

- CVE-2025-15467: Stack buffer overflow in CMS AuthEnvelopedData parsing (bsc#1256830).
- CVE-2025-68160: Heap out-of-bounds write in BIO_f_linebuffer on short writes (bsc#1256834).
- CVE-2025-69418: Unauthenticated/unencrypted trailing bytes with low-level OCB function calls (bsc#1256835).
- CVE-2025-69419: Out of bounds write in PKCS12_get_friendlyname() UTF-8 conversion (bsc#1256836).
- CVE-2025-69420: Missing ASN1_TYPE validation in TS_RESP_verify_response() function (bsc#1256837).
- CVE-2025-69421: NULL Pointer Dereference in PKCS12_item_decrypt_d2i_ex function (bsc#1256838).
- CVE-2026-22795: Missing ASN1_TYPE validation in PKCS#12 parsing (bsc#1256839).
- CVE-2026-22796: ASN1_TYPE Type Confusion in the PKCS7_digest_from_attributes() function (bsc#1256840).
The following package changes have been done:

- libopenssl3-3.2.3-150700.5.24.1 updated
- libopenssl-3-fips-provider-3.2.3-150700.5.24.1 updated
- libcurl4-8.14.1-150700.7.11.1 updated
- libtasn1-6-4.13-150000.4.14.1 updated
- libtasn1-4.13-150000.4.14.1 updated
- container:registry.suse.com-bci-bci-base-15.7-f9184822761ad484aca07587791f6b9d7abdb9a0b5cb88d5017f8891d8d8b001-0 updated

From sle-container-updates at lists.suse.com Fri Jan 30 16:59:11 2026
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Fri, 30 Jan 2026 17:59:11 +0100 (CET)
Subject: SUSE-CU-2026:533-1: Security update of suse/postgres
Message-ID: <20260130165911.533F1FD85@maintenance.suse.de>

SUSE Container Update Advisory: suse/postgres
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2026:533-1
Container Tags : suse/postgres:16 , suse/postgres:16.11 , suse/postgres:16.11 , suse/postgres:16.11-83.10
Container Release : 83.10
Severity : critical
Type : security
References : 1256830 1256834 1256835 1256836 1256837 1256838 1256839 1256840 CVE-2025-15467 CVE-2025-68160 CVE-2025-69418 CVE-2025-69419 CVE-2025-69420 CVE-2025-69421 CVE-2026-22795 CVE-2026-22796
-----------------------------------------------------------------

The container suse/postgres was updated.

The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:309-1
Released: Wed Jan 28 10:36:32 2026
Summary: Security update for openssl-3
Type: security
Severity: critical
References: 1256830,1256834,1256835,1256836,1256837,1256838,1256839,1256840,CVE-2025-15467,CVE-2025-68160,CVE-2025-69418,CVE-2025-69419,CVE-2025-69420,CVE-2025-69421,CVE-2026-22795,CVE-2026-22796

This update for openssl-3 fixes the following issues:

- CVE-2025-15467: Stack buffer overflow in CMS AuthEnvelopedData parsing (bsc#1256830).
- CVE-2025-68160: Heap out-of-bounds write in BIO_f_linebuffer on short writes (bsc#1256834).
- CVE-2025-69418: Unauthenticated/unencrypted trailing bytes with low-level OCB function calls (bsc#1256835).
- CVE-2025-69419: Out of bounds write in PKCS12_get_friendlyname() UTF-8 conversion (bsc#1256836).
- CVE-2025-69420: Missing ASN1_TYPE validation in TS_RESP_verify_response() function (bsc#1256837).
- CVE-2025-69421: NULL Pointer Dereference in PKCS12_item_decrypt_d2i_ex function (bsc#1256838).
- CVE-2026-22795: Missing ASN1_TYPE validation in PKCS#12 parsing (bsc#1256839).
- CVE-2026-22796: ASN1_TYPE Type Confusion in the PKCS7_digest_from_attributes() function (bsc#1256840).

The following package changes have been done:

- libopenssl3-3.2.3-150700.5.24.1 updated
- libopenssl-3-fips-provider-3.2.3-150700.5.24.1 updated
- container:suse-sle15-15.7-9efe2e5a6c38d2f8c0921b1f30f01a84e5a8a968aaa4132bec532c8be84037c1-0 updated

From sle-container-updates at lists.suse.com Fri Jan 30 17:00:02 2026
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Fri, 30 Jan 2026 18:00:02 +0100 (CET)
Subject: SUSE-CU-2026:537-1: Security update of suse/kiosk/pulseaudio
Message-ID: <20260130170002.30E5DFD9A@maintenance.suse.de>

SUSE Container Update Advisory: suse/kiosk/pulseaudio
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2026:537-1
Container Tags : suse/kiosk/pulseaudio:17 , suse/kiosk/pulseaudio:17.0 , suse/kiosk/pulseaudio:17.0-68.14 , suse/kiosk/pulseaudio:latest
Container Release : 68.14
Severity : critical
Type : security
References : 1237543 1256830 1256834 1256834 1256835 1256835 1256836 1256836 1256837 1256837 1256838 1256838 1256839 1256839 1256840 1256840 CVE-2025-0838 CVE-2025-15467 CVE-2025-68160 CVE-2025-68160 CVE-2025-69418 CVE-2025-69418 CVE-2025-69419 CVE-2025-69419 CVE-2025-69420 CVE-2025-69420 CVE-2025-69421 CVE-2025-69421 CVE-2026-22795 CVE-2026-22795 CVE-2026-22796
CVE-2026-22796
-----------------------------------------------------------------

The container suse/kiosk/pulseaudio was updated.

The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:309-1
Released: Wed Jan 28 10:36:32 2026
Summary: Security update for openssl-3
Type: security
Severity: critical
References: 1256830,1256834,1256835,1256836,1256837,1256838,1256839,1256840,CVE-2025-15467,CVE-2025-68160,CVE-2025-69418,CVE-2025-69419,CVE-2025-69420,CVE-2025-69421,CVE-2026-22795,CVE-2026-22796

This update for openssl-3 fixes the following issues:

- CVE-2025-15467: Stack buffer overflow in CMS AuthEnvelopedData parsing (bsc#1256830).
- CVE-2025-68160: Heap out-of-bounds write in BIO_f_linebuffer on short writes (bsc#1256834).
- CVE-2025-69418: Unauthenticated/unencrypted trailing bytes with low-level OCB function calls (bsc#1256835).
- CVE-2025-69419: Out of bounds write in PKCS12_get_friendlyname() UTF-8 conversion (bsc#1256836).
- CVE-2025-69420: Missing ASN1_TYPE validation in TS_RESP_verify_response() function (bsc#1256837).
- CVE-2025-69421: NULL Pointer Dereference in PKCS12_item_decrypt_d2i_ex function (bsc#1256838).
- CVE-2026-22795: Missing ASN1_TYPE validation in PKCS#12 parsing (bsc#1256839).
- CVE-2026-22796: ASN1_TYPE Type Confusion in the PKCS7_digest_from_attributes() function (bsc#1256840).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:331-1
Released: Wed Jan 28 18:12:49 2026
Summary: Security update for openssl-1_1
Type: security
Severity: moderate
References: 1256834,1256835,1256836,1256837,1256838,1256839,1256840,CVE-2025-68160,CVE-2025-69418,CVE-2025-69419,CVE-2025-69420,CVE-2025-69421,CVE-2026-22795,CVE-2026-22796

This update for openssl-1_1 fixes the following issues:

- CVE-2026-22795: Missing ASN1_TYPE validation in PKCS#12 parsing (bsc#1256839).
- CVE-2025-69420: Missing ASN1_TYPE validation in TS_RESP_verify_response() function (bsc#1256837).
- CVE-2025-69421: NULL Pointer Dereference in PKCS12_item_decrypt_d2i_ex function (bsc#1256838).
- CVE-2026-22796: ASN1_TYPE Type Confusion in the PKCS7_digest_from_attributes() function (bsc#1256840).
- CVE-2025-68160: Heap out-of-bounds write in BIO_f_linebuffer on short writes (bsc#1256834).
- CVE-2025-69418: Unauthenticated/unencrypted trailing bytes with low-level OCB function calls (bsc#1256835).
- CVE-2025-69419: Out of bounds write in PKCS12_get_friendlyname() UTF-8 conversion (bsc#1256836).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:338-1
Released: Thu Jan 29 11:35:47 2026
Summary: Security update for abseil-cpp
Type: security
Severity: moderate
References: 1237543,CVE-2025-0838

This update for abseil-cpp fixes the following issues:

- CVE-2025-0838: Fixed heap buffer overflow in sized constructors, reserve(), and rehash() methods of absl::{flat,node}_hash_{set,map} (bsc#1237543).
The following package changes have been done:

- libabsl2401_0_0-20240116.3-150600.19.6.1 updated
- libopenssl3-3.2.3-150700.5.24.1 updated
- libopenssl1_1-1.1.1w-150700.11.11.1 updated
- libopenssl-3-fips-provider-3.2.3-150700.5.24.1 updated
- container:suse-sle15-15.7-f9184822761ad484aca07587791f6b9d7abdb9a0b5cb88d5017f8891d8d8b001-0 updated

From sle-container-updates at lists.suse.com Fri Jan 30 17:00:33 2026
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Fri, 30 Jan 2026 18:00:33 +0100 (CET)
Subject: SUSE-CU-2026:539-1: Security update of bci/python
Message-ID: <20260130170033.38679FD9A@maintenance.suse.de>

SUSE Container Update Advisory: bci/python
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2026:539-1
Container Tags : bci/python:3 , bci/python:3.11 , bci/python:3.11.14 , bci/python:3.11.14-80.14
Container Release : 80.14
Severity : critical
Type : security
References : 1251224 1254255 1254400 1254401 1254666 1254997 1256105 1256341 1256830 1256834 1256835 1256836 1256837 1256838 1256839 1256840 1257049 CVE-2025-12084 CVE-2025-13151 CVE-2025-13836 CVE-2025-13837 CVE-2025-14017 CVE-2025-14104 CVE-2025-15467 CVE-2025-68160 CVE-2025-69418 CVE-2025-69419 CVE-2025-69420 CVE-2025-69421 CVE-2026-0988 CVE-2026-22795 CVE-2026-22796
-----------------------------------------------------------------

The container bci/python was updated.

The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:221-1
Released: Thu Jan 22 13:15:35 2026
Summary: Security update for curl
Type: security
Severity: moderate
References: 1256105,CVE-2025-14017

This update for curl fixes the following issues:

- CVE-2025-14017: Fixed broken TLS options for threaded LDAPS (bsc#1256105).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:224-1
Released: Thu Jan 22 13:18:20 2026
Summary: Security update for libtasn1
Type: security
Severity: moderate
References: 1256341,CVE-2025-13151

This update for libtasn1 fixes the following issues:

- CVE-2025-13151: stack-based buffer overflow in `asn1_expend_octet_string` (bsc#1256341).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:230-1
Released: Thu Jan 22 13:22:31 2026
Summary: Security update for util-linux
Type: security
Severity: moderate
References: 1254666,CVE-2025-14104

This update for util-linux fixes the following issues:

- CVE-2025-14104: Fixed heap buffer overread in setpwnam() when processing 256-byte usernames (bsc#1254666).
- lscpu: Add support for NVIDIA Olympus arm64 core (jsc#PED-13682).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2026:242-1
Released: Thu Jan 22 14:57:13 2026
Summary: Recommended update for git
Type: recommended
Severity: moderate
References: 1251224

This update for git fixes the following issue:

- Revert incorrect AppArmor profile change, in SLE 15 the binaries remain in /usr/lib/git (bsc#1251224)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2026:271-1
Released: Fri Jan 23 12:00:51 2026
Summary: Recommended update for python-setuptools
Type: recommended
Severity: important
References: 1254255

This update for python-setuptools fixes the following issues:

- Implement basic PEP 639 support, (jsc#PED-14457, bsc#1254255)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:286-1
Released: Sat Jan 24 00:35:35 2026
Summary: Security update for glib2
Type: security
Severity: low
References: 1257049,CVE-2026-0988

This update for glib2 fixes the following issues:

- CVE-2026-0988: Fixed a potential integer overflow in g_buffered_input_stream_peek (bsc#1257049).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:309-1
Released: Wed Jan 28 10:36:32 2026
Summary: Security update for openssl-3
Type: security
Severity: critical
References: 1256830,1256834,1256835,1256836,1256837,1256838,1256839,1256840,CVE-2025-15467,CVE-2025-68160,CVE-2025-69418,CVE-2025-69419,CVE-2025-69420,CVE-2025-69421,CVE-2026-22795,CVE-2026-22796

This update for openssl-3 fixes the following issues:

- CVE-2025-15467: Stack buffer overflow in CMS AuthEnvelopedData parsing (bsc#1256830).
- CVE-2025-68160: Heap out-of-bounds write in BIO_f_linebuffer on short writes (bsc#1256834).
- CVE-2025-69418: Unauthenticated/unencrypted trailing bytes with low-level OCB function calls (bsc#1256835).
- CVE-2025-69419: Out of bounds write in PKCS12_get_friendlyname() UTF-8 conversion (bsc#1256836).
- CVE-2025-69420: Missing ASN1_TYPE validation in TS_RESP_verify_response() function (bsc#1256837).
- CVE-2025-69421: NULL Pointer Dereference in PKCS12_item_decrypt_d2i_ex function (bsc#1256838).
- CVE-2026-22795: Missing ASN1_TYPE validation in PKCS#12 parsing (bsc#1256839).
- CVE-2026-22796: ASN1_TYPE Type Confusion in the PKCS7_digest_from_attributes() function (bsc#1256840).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:314-1
Released: Wed Jan 28 14:28:46 2026
Summary: Security update for python311
Type: security
Severity: moderate
References: 1254400,1254401,1254997,CVE-2025-12084,CVE-2025-13836,CVE-2025-13837

This update for python311 fixes the following issues:

- CVE-2025-12084: prevent quadratic behavior in node ID cache clearing (bsc#1254997).
- CVE-2025-13836: prevent reading an HTTP response from a server, if no read amount is specified, with using Content-Length per default as the length (bsc#1254400).
- CVE-2025-13837: protect against OOM when loading malicious content (bsc#1254401).
The following package changes have been done:

- libuuid1-2.40.4-150700.4.3.1 updated
- libopenssl3-3.2.3-150700.5.24.1 updated
- libopenssl-3-fips-provider-3.2.3-150700.5.24.1 updated
- libglib-2_0-0-2.78.6-150600.4.28.1 updated
- libcurl4-8.14.1-150700.7.11.1 updated
- curl-8.14.1-150700.7.11.1 updated
- libtasn1-6-4.13-150000.4.14.1 updated
- libtasn1-4.13-150000.4.14.1 updated
- openssl-3-3.2.3-150700.5.24.1 updated
- libpython3_11-1_0-3.11.14-150600.3.41.2 updated
- python311-base-3.11.14-150600.3.41.2 updated
- python311-setuptools-67.7.2-150400.3.22.1 updated
- python311-3.11.14-150600.3.41.2 updated
- python311-devel-3.11.14-150600.3.41.2 updated
- git-core-2.51.0-150600.3.15.1 updated
- container:registry.suse.com-bci-bci-base-15.7-f9184822761ad484aca07587791f6b9d7abdb9a0b5cb88d5017f8891d8d8b001-0 updated

From sle-container-updates at lists.suse.com Fri Jan 30 17:01:04 2026
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Fri, 30 Jan 2026 18:01:04 +0100 (CET)
Subject: SUSE-CU-2026:540-1: Security update of bci/python
Message-ID: <20260130170104.C10B7FDC6@maintenance.suse.de>

SUSE Container Update Advisory: bci/python
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2026:540-1
Container Tags : bci/python:3 , bci/python:3.13 , bci/python:3.13.11 , bci/python:3.13.11-82.13 , bci/python:latest
Container Release : 82.13
Severity : critical
Type : security
References : 1251224 1254666 1256105 1256341 1256830 1256834 1256835 1256836 1256837 1256838 1256839 1256840 1257049 CVE-2025-13151 CVE-2025-14017 CVE-2025-14104 CVE-2025-15467 CVE-2025-68160 CVE-2025-69418 CVE-2025-69419 CVE-2025-69420 CVE-2025-69421 CVE-2026-0988 CVE-2026-22795 CVE-2026-22796
-----------------------------------------------------------------

The container bci/python was updated.
The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:221-1
Released: Thu Jan 22 13:15:35 2026
Summary: Security update for curl
Type: security
Severity: moderate
References: 1256105,CVE-2025-14017

This update for curl fixes the following issues:

- CVE-2025-14017: Fixed broken TLS options for threaded LDAPS (bsc#1256105).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:224-1
Released: Thu Jan 22 13:18:20 2026
Summary: Security update for libtasn1
Type: security
Severity: moderate
References: 1256341,CVE-2025-13151

This update for libtasn1 fixes the following issues:

- CVE-2025-13151: stack-based buffer overflow in `asn1_expend_octet_string` (bsc#1256341).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:230-1
Released: Thu Jan 22 13:22:31 2026
Summary: Security update for util-linux
Type: security
Severity: moderate
References: 1254666,CVE-2025-14104

This update for util-linux fixes the following issues:

- CVE-2025-14104: Fixed heap buffer overread in setpwnam() when processing 256-byte usernames (bsc#1254666).
- lscpu: Add support for NVIDIA Olympus arm64 core (jsc#PED-13682).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2026:242-1
Released: Thu Jan 22 14:57:13 2026
Summary: Recommended update for git
Type: recommended
Severity: moderate
References: 1251224

This update for git fixes the following issue:

- Revert incorrect AppArmor profile change, in SLE 15 the binaries remain in /usr/lib/git (bsc#1251224)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:286-1
Released: Sat Jan 24 00:35:35 2026
Summary: Security update for glib2
Type: security
Severity: low
References: 1257049,CVE-2026-0988

This update for glib2 fixes the following issues:

- CVE-2026-0988: Fixed a potential integer overflow in g_buffered_input_stream_peek (bsc#1257049).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:309-1
Released: Wed Jan 28 10:36:32 2026
Summary: Security update for openssl-3
Type: security
Severity: critical
References: 1256830,1256834,1256835,1256836,1256837,1256838,1256839,1256840,CVE-2025-15467,CVE-2025-68160,CVE-2025-69418,CVE-2025-69419,CVE-2025-69420,CVE-2025-69421,CVE-2026-22795,CVE-2026-22796

This update for openssl-3 fixes the following issues:

- CVE-2025-15467: Stack buffer overflow in CMS AuthEnvelopedData parsing (bsc#1256830).
- CVE-2025-68160: Heap out-of-bounds write in BIO_f_linebuffer on short writes (bsc#1256834).
- CVE-2025-69418: Unauthenticated/unencrypted trailing bytes with low-level OCB function calls (bsc#1256835).
- CVE-2025-69419: Out of bounds write in PKCS12_get_friendlyname() UTF-8 conversion (bsc#1256836).
- CVE-2025-69420: Missing ASN1_TYPE validation in TS_RESP_verify_response() function (bsc#1256837).
- CVE-2025-69421: NULL Pointer Dereference in PKCS12_item_decrypt_d2i_ex function (bsc#1256838).
- CVE-2026-22795: Missing ASN1_TYPE validation in PKCS#12 parsing (bsc#1256839).
- CVE-2026-22796: ASN1_TYPE Type Confusion in the PKCS7_digest_from_attributes() function (bsc#1256840).
The following package changes have been done:

- libuuid1-2.40.4-150700.4.3.1 updated
- libopenssl3-3.2.3-150700.5.24.1 updated
- libopenssl-3-fips-provider-3.2.3-150700.5.24.1 updated
- libglib-2_0-0-2.78.6-150600.4.28.1 updated
- libcurl4-8.14.1-150700.7.11.1 updated
- curl-8.14.1-150700.7.11.1 updated
- libtasn1-6-4.13-150000.4.14.1 updated
- libtasn1-4.13-150000.4.14.1 updated
- openssl-3-3.2.3-150700.5.24.1 updated
- git-core-2.51.0-150600.3.15.1 updated
- container:registry.suse.com-bci-bci-base-15.7-f9184822761ad484aca07587791f6b9d7abdb9a0b5cb88d5017f8891d8d8b001-0 updated

From sle-container-updates at lists.suse.com Fri Jan 30 17:01:38 2026
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Fri, 30 Jan 2026 18:01:38 +0100 (CET)
Subject: SUSE-CU-2026:541-1: Security update of bci/python
Message-ID: <20260130170138.0959DFDC6@maintenance.suse.de>

SUSE Container Update Advisory: bci/python
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2026:541-1
Container Tags : bci/python:3 , bci/python:3.6 , bci/python:3.6.15 , bci/python:3.6.15-79.14
Container Release : 79.14
Severity : critical
Type : security
References : 1251224 1256105 1256341 1256830 1256834 1256834 1256835 1256835 1256836 1256836 1256837 1256837 1256838 1256838 1256839 1256839 1256840 1256840 1257049 CVE-2025-13151 CVE-2025-14017 CVE-2025-15467 CVE-2025-68160 CVE-2025-68160 CVE-2025-69418 CVE-2025-69418 CVE-2025-69419 CVE-2025-69419 CVE-2025-69420 CVE-2025-69420 CVE-2025-69421 CVE-2025-69421 CVE-2026-0988 CVE-2026-22795 CVE-2026-22795 CVE-2026-22796 CVE-2026-22796
-----------------------------------------------------------------

The container bci/python was updated.
The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:221-1
Released: Thu Jan 22 13:15:35 2026
Summary: Security update for curl
Type: security
Severity: moderate
References: 1256105,CVE-2025-14017

This update for curl fixes the following issues:

- CVE-2025-14017: Fixed broken TLS options for threaded LDAPS (bsc#1256105).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:224-1
Released: Thu Jan 22 13:18:20 2026
Summary: Security update for libtasn1
Type: security
Severity: moderate
References: 1256341,CVE-2025-13151

This update for libtasn1 fixes the following issues:

- CVE-2025-13151: stack-based buffer overflow in `asn1_expend_octet_string` (bsc#1256341).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2026:242-1
Released: Thu Jan 22 14:57:13 2026
Summary: Recommended update for git
Type: recommended
Severity: moderate
References: 1251224

This update for git fixes the following issue:

- Revert incorrect AppArmor profile change, in SLE 15 the binaries remain in /usr/lib/git (bsc#1251224)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:286-1
Released: Sat Jan 24 00:35:35 2026
Summary: Security update for glib2
Type: security
Severity: low
References: 1257049,CVE-2026-0988

This update for glib2 fixes the following issues:

- CVE-2026-0988: Fixed a potential integer overflow in g_buffered_input_stream_peek (bsc#1257049).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:309-1
Released: Wed Jan 28 10:36:32 2026
Summary: Security update for openssl-3
Type: security
Severity: critical
References: 1256830,1256834,1256835,1256836,1256837,1256838,1256839,1256840,CVE-2025-15467,CVE-2025-68160,CVE-2025-69418,CVE-2025-69419,CVE-2025-69420,CVE-2025-69421,CVE-2026-22795,CVE-2026-22796

This update for openssl-3 fixes the following issues:

- CVE-2025-15467: Stack buffer overflow in CMS AuthEnvelopedData parsing (bsc#1256830).
- CVE-2025-68160: Heap out-of-bounds write in BIO_f_linebuffer on short writes (bsc#1256834).
- CVE-2025-69418: Unauthenticated/unencrypted trailing bytes with low-level OCB function calls (bsc#1256835).
- CVE-2025-69419: Out of bounds write in PKCS12_get_friendlyname() UTF-8 conversion (bsc#1256836).
- CVE-2025-69420: Missing ASN1_TYPE validation in TS_RESP_verify_response() function (bsc#1256837).
- CVE-2025-69421: NULL Pointer Dereference in PKCS12_item_decrypt_d2i_ex function (bsc#1256838).
- CVE-2026-22795: Missing ASN1_TYPE validation in PKCS#12 parsing (bsc#1256839).
- CVE-2026-22796: ASN1_TYPE Type Confusion in the PKCS7_digest_from_attributes() function (bsc#1256840).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:331-1
Released: Wed Jan 28 18:12:49 2026
Summary: Security update for openssl-1_1
Type: security
Severity: moderate
References: 1256834,1256835,1256836,1256837,1256838,1256839,1256840,CVE-2025-68160,CVE-2025-69418,CVE-2025-69419,CVE-2025-69420,CVE-2025-69421,CVE-2026-22795,CVE-2026-22796

This update for openssl-1_1 fixes the following issues:

- CVE-2026-22795: Missing ASN1_TYPE validation in PKCS#12 parsing (bsc#1256839).
- CVE-2025-69420: Missing ASN1_TYPE validation in TS_RESP_verify_response() function (bsc#1256837).
- CVE-2025-69421: NULL Pointer Dereference in PKCS12_item_decrypt_d2i_ex function (bsc#1256838).
- CVE-2026-22796: ASN1_TYPE Type Confusion in the PKCS7_digest_from_attributes() function (bsc#1256840).
- CVE-2025-68160: Heap out-of-bounds write in BIO_f_linebuffer on short writes (bsc#1256834).
- CVE-2025-69418: Unauthenticated/unencrypted trailing bytes with low-level OCB function calls (bsc#1256835).
- CVE-2025-69419: Out of bounds write in PKCS12_get_friendlyname() UTF-8 conversion (bsc#1256836).

The following package changes have been done:

- libopenssl3-3.2.3-150700.5.24.1 updated
- libopenssl-3-fips-provider-3.2.3-150700.5.24.1 updated
- libglib-2_0-0-2.78.6-150600.4.28.1 updated
- libcurl4-8.14.1-150700.7.11.1 updated
- curl-8.14.1-150700.7.11.1 updated
- libtasn1-6-4.13-150000.4.14.1 updated
- libtasn1-4.13-150000.4.14.1 updated
- openssl-3-3.2.3-150700.5.24.1 updated
- libopenssl1_1-1.1.1w-150700.11.11.1 updated
- git-core-2.51.0-150600.3.15.1 updated
- container:registry.suse.com-bci-bci-base-15.7-f9184822761ad484aca07587791f6b9d7abdb9a0b5cb88d5017f8891d8d8b001-0 updated

From sle-container-updates at lists.suse.com Fri Jan 30 17:01:52 2026
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Fri, 30 Jan 2026 18:01:52 +0100 (CET)
Subject: SUSE-CU-2026:542-1: Security update of suse/mariadb-client
Message-ID: <20260130170152.845E4FDC6@maintenance.suse.de>

SUSE Container Update Advisory: suse/mariadb-client
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2026:542-1
Container Tags : suse/mariadb-client:11.8 , suse/mariadb-client:11.8.5 , suse/mariadb-client:11.8.5-67.8 , suse/mariadb-client:latest
Container Release : 67.8
Severity : critical
Type : security
References : 1256830 1256834 1256835 1256836 1256837 1256838 1256839 1256840 CVE-2025-15467 CVE-2025-68160 CVE-2025-69418 CVE-2025-69419 CVE-2025-69420 CVE-2025-69421 CVE-2026-22795 CVE-2026-22796
-----------------------------------------------------------------

The container suse/mariadb-client was updated.
The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:309-1
Released: Wed Jan 28 10:36:32 2026
Summary: Security update for openssl-3
Type: security
Severity: critical
References: 1256830,1256834,1256835,1256836,1256837,1256838,1256839,1256840,CVE-2025-15467,CVE-2025-68160,CVE-2025-69418,CVE-2025-69419,CVE-2025-69420,CVE-2025-69421,CVE-2026-22795,CVE-2026-22796

This update for openssl-3 fixes the following issues:

- CVE-2025-15467: Stack buffer overflow in CMS AuthEnvelopedData parsing (bsc#1256830).
- CVE-2025-68160: Heap out-of-bounds write in BIO_f_linebuffer on short writes (bsc#1256834).
- CVE-2025-69418: Unauthenticated/unencrypted trailing bytes with low-level OCB function calls (bsc#1256835).
- CVE-2025-69419: Out of bounds write in PKCS12_get_friendlyname() UTF-8 conversion (bsc#1256836).
- CVE-2025-69420: Missing ASN1_TYPE validation in TS_RESP_verify_response() function (bsc#1256837).
- CVE-2025-69421: NULL Pointer Dereference in PKCS12_item_decrypt_d2i_ex function (bsc#1256838).
- CVE-2026-22795: Missing ASN1_TYPE validation in PKCS#12 parsing (bsc#1256839).
- CVE-2026-22796: ASN1_TYPE Type Confusion in the PKCS7_digest_from_attributes() function (bsc#1256840).
The following package changes have been done:

- libopenssl3-3.2.3-150700.5.24.1 updated
- libopenssl-3-fips-provider-3.2.3-150700.5.24.1 updated
- container:suse-sle15-15.7-9efe2e5a6c38d2f8c0921b1f30f01a84e5a8a968aaa4132bec532c8be84037c1-0 updated

From sle-container-updates at lists.suse.com Fri Jan 30 17:02:10 2026
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Fri, 30 Jan 2026 18:02:10 +0100 (CET)
Subject: SUSE-CU-2026:544-1: Security update of suse/mariadb
Message-ID: <20260130170210.E7937FD9A@maintenance.suse.de>

SUSE Container Update Advisory: suse/mariadb
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2026:544-1
Container Tags : suse/mariadb:11.8 , suse/mariadb:11.8.5 , suse/mariadb:11.8.5-70.11 , suse/mariadb:latest
Container Release : 70.11
Severity : critical
Type : security
References : 1256830 1256834 1256834 1256835 1256835 1256836 1256836 1256837 1256837 1256838 1256838 1256839 1256839 1256840 1256840 CVE-2025-15467 CVE-2025-68160 CVE-2025-68160 CVE-2025-69418 CVE-2025-69418 CVE-2025-69419 CVE-2025-69419 CVE-2025-69420 CVE-2025-69420 CVE-2025-69421 CVE-2025-69421 CVE-2026-22795 CVE-2026-22795 CVE-2026-22796 CVE-2026-22796
-----------------------------------------------------------------

The container suse/mariadb was updated.

The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:309-1
Released: Wed Jan 28 10:36:32 2026
Summary: Security update for openssl-3
Type: security
Severity: critical
References: 1256830,1256834,1256835,1256836,1256837,1256838,1256839,1256840,CVE-2025-15467,CVE-2025-68160,CVE-2025-69418,CVE-2025-69419,CVE-2025-69420,CVE-2025-69421,CVE-2026-22795,CVE-2026-22796

This update for openssl-3 fixes the following issues:

- CVE-2025-15467: Stack buffer overflow in CMS AuthEnvelopedData parsing (bsc#1256830).
- CVE-2025-68160: Heap out-of-bounds write in BIO_f_linebuffer on short writes (bsc#1256834).
- CVE-2025-69418: Unauthenticated/unencrypted trailing bytes with low-level OCB function calls (bsc#1256835).
- CVE-2025-69419: Out of bounds write in PKCS12_get_friendlyname() UTF-8 conversion (bsc#1256836).
- CVE-2025-69420: Missing ASN1_TYPE validation in TS_RESP_verify_response() function (bsc#1256837).
- CVE-2025-69421: NULL Pointer Dereference in PKCS12_item_decrypt_d2i_ex function (bsc#1256838).
- CVE-2026-22795: Missing ASN1_TYPE validation in PKCS#12 parsing (bsc#1256839).
- CVE-2026-22796: ASN1_TYPE Type Confusion in the PKCS7_digest_from_attributes() function (bsc#1256840).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:331-1
Released: Wed Jan 28 18:12:49 2026
Summary: Security update for openssl-1_1
Type: security
Severity: moderate
References: 1256834,1256835,1256836,1256837,1256838,1256839,1256840,CVE-2025-68160,CVE-2025-69418,CVE-2025-69419,CVE-2025-69420,CVE-2025-69421,CVE-2026-22795,CVE-2026-22796

This update for openssl-1_1 fixes the following issues:

- CVE-2026-22795: Missing ASN1_TYPE validation in PKCS#12 parsing (bsc#1256839).
- CVE-2025-69420: Missing ASN1_TYPE validation in TS_RESP_verify_response() function (bsc#1256837).
- CVE-2025-69421: NULL Pointer Dereference in PKCS12_item_decrypt_d2i_ex function (bsc#1256838).
- CVE-2026-22796: ASN1_TYPE Type Confusion in the PKCS7_digest_from_attributes() function (bsc#1256840).
- CVE-2025-68160: Heap out-of-bounds write in BIO_f_linebuffer on short writes (bsc#1256834).
- CVE-2025-69418: Unauthenticated/unencrypted trailing bytes with low-level OCB function calls (bsc#1256835).
- CVE-2025-69419: Out of bounds write in PKCS12_get_friendlyname() UTF-8 conversion (bsc#1256836).
The following package changes have been done:

- libopenssl3-3.2.3-150700.5.24.1 updated
- libopenssl1_1-1.1.1w-150700.11.11.1 updated
- openssl-3-3.2.3-150700.5.24.1 updated
- libopenssl-3-fips-provider-3.2.3-150700.5.24.1 updated
- container:suse-sle15-15.7-9efe2e5a6c38d2f8c0921b1f30f01a84e5a8a968aaa4132bec532c8be84037c1-0 updated

From sle-container-updates at lists.suse.com Fri Jan 30 17:02:35 2026
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Fri, 30 Jan 2026 18:02:35 +0100 (CET)
Subject: SUSE-CU-2026:546-1: Security update of suse/rmt-server
Message-ID: <20260130170235.D9822FD9A@maintenance.suse.de>

SUSE Container Update Advisory: suse/rmt-server
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2026:546-1
Container Tags : suse/rmt-server:2 , suse/rmt-server:2.24 , suse/rmt-server:2.24-78.8 , suse/rmt-server:latest
Container Release : 78.8
Severity : critical
Type : security
References : 1254666 1255715 1256243 1256244 1256246 1256390 1256830 1256834 1256834 1256835 1256835 1256836 1256836 1256837 1256837 1256838 1256838 1256839 1256839 1256840 1256840 CVE-2025-14104 CVE-2025-15467 CVE-2025-68160 CVE-2025-68160 CVE-2025-68973 CVE-2025-69418 CVE-2025-69418 CVE-2025-69419 CVE-2025-69419 CVE-2025-69420 CVE-2025-69420 CVE-2025-69421 CVE-2025-69421 CVE-2026-22795 CVE-2026-22795 CVE-2026-22796 CVE-2026-22796
-----------------------------------------------------------------

The container suse/rmt-server was updated.
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2026:215-1 Released: Thu Jan 22 13:10:16 2026 Summary: Security update for gpg2 Type: security Severity: important References: 1255715,1256243,1256244,1256246,1256390,CVE-2025-68973 This update for gpg2 fixes the following issues: - CVE-2025-68973: Fix possible memory corruption in the armor parser (gpg.fail/memcpy)(bsc#1255715). - Avoid potential downgrade to SHA1 in 3rd party key signatures (gpg.fail/sha1) (bsc#1256246). - Error out on unverified output for non-detached signatures (gpg.fail/detached) (bsc#1256244). - Fix a memory leak in gpg2 agent (bsc#1256243). - Fix Cleartext Signature Forgery in the NotDashEscaped header implementation in GnuPG (gpg.fail/notdash) (bsc#1256390). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2026:230-1 Released: Thu Jan 22 13:22:31 2026 Summary: Security update for util-linux Type: security Severity: moderate References: 1254666,CVE-2025-14104 This update for util-linux fixes the following issues: - CVE-2025-14104: Fixed heap buffer overread in setpwnam() when processing 256-byte usernames (bsc#1254666). - lscpu: Add support for NVIDIA Olympus arm64 core (jsc#PED-13682). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2026:309-1 Released: Wed Jan 28 10:36:32 2026 Summary: Security update for openssl-3 Type: security Severity: critical References: 1256830,1256834,1256835,1256836,1256837,1256838,1256839,1256840,CVE-2025-15467,CVE-2025-68160,CVE-2025-69418,CVE-2025-69419,CVE-2025-69420,CVE-2025-69421,CVE-2026-22795,CVE-2026-22796 This update for openssl-3 fixes the following issues: - CVE-2025-15467: Stack buffer overflow in CMS AuthEnvelopedData parsing (bsc#1256830). - CVE-2025-68160: Heap out-of-bounds write in BIO_f_linebuffer on short writes (bsc#1256834). 
- CVE-2025-69418: Unauthenticated/unencrypted trailing bytes with low-level OCB function calls (bsc#1256835). - CVE-2025-69419: Out of bounds write in PKCS12_get_friendlyname() UTF-8 conversion (bsc#1256836). - CVE-2025-69420: Missing ASN1_TYPE validation in TS_RESP_verify_response() function (bsc#1256837). - CVE-2025-69421: NULL Pointer Dereference in PKCS12_item_decrypt_d2i_ex function (bsc#1256838). - CVE-2026-22795: Missing ASN1_TYPE validation in PKCS#12 parsing (bsc#1256839). - CVE-2026-22796: ASN1_TYPE Type Confusion in the PKCS7_digest_from_attributes() function (bsc#1256840). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2026:331-1 Released: Wed Jan 28 18:12:49 2026 Summary: Security update for openssl-1_1 Type: security Severity: moderate References: 1256834,1256835,1256836,1256837,1256838,1256839,1256840,CVE-2025-68160,CVE-2025-69418,CVE-2025-69419,CVE-2025-69420,CVE-2025-69421,CVE-2026-22795,CVE-2026-22796 This update for openssl-1_1 fixes the following issues: - CVE-2026-22795: Missing ASN1_TYPE validation in PKCS#12 parsing (bsc#1256839). - CVE-2025-69420: Missing ASN1_TYPE validation in TS_RESP_verify_response() function (bsc#1256837). - CVE-2025-69421: NULL Pointer Dereference in PKCS12_item_decrypt_d2i_ex function (bsc#1256838). - CVE-2026-22796: ASN1_TYPE Type Confusion in the PKCS7_digest_from_attributes() function (bsc#1256840). - CVE-2025-68160: Heap out-of-bounds write in BIO_f_linebuffer on short writes (bsc#1256834). - CVE-2025-69418: Unauthenticated/unencrypted trailing bytes with low-level OCB function calls (bsc#1256835). - CVE-2025-69419: Out of bounds write in PKCS12_get_friendlyname() UTF-8 conversion (bsc#1256836). 
The following package changes have been done: - libuuid1-2.40.4-150700.4.3.1 updated - libsmartcols1-2.40.4-150700.4.3.1 updated - libblkid1-2.40.4-150700.4.3.1 updated - libopenssl3-3.2.3-150700.5.24.1 updated - libfdisk1-2.40.4-150700.4.3.1 updated - libopenssl-3-fips-provider-3.2.3-150700.5.24.1 updated - libmount1-2.40.4-150700.4.3.1 updated - gpg2-2.4.4-150600.3.12.1 updated - util-linux-2.40.4-150700.4.3.1 updated - libopenssl1_1-1.1.1w-150700.11.11.1 updated - container:registry.suse.com-bci-bci-base-15.7-9efe2e5a6c38d2f8c0921b1f30f01a84e5a8a968aaa4132bec532c8be84037c1-0 updated From sle-container-updates at lists.suse.com Fri Jan 30 17:03:09 2026 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Fri, 30 Jan 2026 18:03:09 +0100 (CET) Subject: SUSE-CU-2026:548-1: Security update of bci/ruby Message-ID: <20260130170309.558E4FD9A@maintenance.suse.de> SUSE Container Update Advisory: bci/ruby ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2026:548-1 Container Tags : bci/ruby:2 , bci/ruby:2.5 , bci/ruby:2.5-21.13 Container Release : 21.13 Severity : critical Type : security References : 1251224 1254666 1256105 1256830 1256834 1256834 1256835 1256835 1256836 1256836 1256837 1256837 1256838 1256838 1256839 1256839 1256840 1256840 1257049 CVE-2025-14017 CVE-2025-14104 CVE-2025-15467 CVE-2025-68160 CVE-2025-68160 CVE-2025-69418 CVE-2025-69418 CVE-2025-69419 CVE-2025-69419 CVE-2025-69420 CVE-2025-69420 CVE-2025-69421 CVE-2025-69421 CVE-2026-0988 CVE-2026-22795 CVE-2026-22795 CVE-2026-22796 CVE-2026-22796 ----------------------------------------------------------------- The container bci/ruby was updated. 
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2026:221-1 Released: Thu Jan 22 13:15:35 2026 Summary: Security update for curl Type: security Severity: moderate References: 1256105,CVE-2025-14017 This update for curl fixes the following issues: - CVE-2025-14017: Fixed broken TLS options for threaded LDAPS (bsc#1256105). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2026:230-1 Released: Thu Jan 22 13:22:31 2026 Summary: Security update for util-linux Type: security Severity: moderate References: 1254666,CVE-2025-14104 This update for util-linux fixes the following issues: - CVE-2025-14104: Fixed heap buffer overread in setpwnam() when processing 256-byte usernames (bsc#1254666). - lscpu: Add support for NVIDIA Olympus arm64 core (jsc#PED-13682). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2026:242-1 Released: Thu Jan 22 14:57:13 2026 Summary: Recommended update for git Type: recommended Severity: moderate References: 1251224 This update for git fixes the following issue: - Revert incorrect AppArmor profile change, in SLE 15 the binaries remain in /usr/lib/git (bsc#1251224) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2026:286-1 Released: Sat Jan 24 00:35:35 2026 Summary: Security update for glib2 Type: security Severity: low References: 1257049,CVE-2026-0988 This update for glib2 fixes the following issues: - CVE-2026-0988: Fixed a potential integer overflow in g_buffered_input_stream_peek (bsc#1257049). 
----------------------------------------------------------------- Advisory ID: SUSE-SU-2026:309-1 Released: Wed Jan 28 10:36:32 2026 Summary: Security update for openssl-3 Type: security Severity: critical References: 1256830,1256834,1256835,1256836,1256837,1256838,1256839,1256840,CVE-2025-15467,CVE-2025-68160,CVE-2025-69418,CVE-2025-69419,CVE-2025-69420,CVE-2025-69421,CVE-2026-22795,CVE-2026-22796 This update for openssl-3 fixes the following issues: - CVE-2025-15467: Stack buffer overflow in CMS AuthEnvelopedData parsing (bsc#1256830). - CVE-2025-68160: Heap out-of-bounds write in BIO_f_linebuffer on short writes (bsc#1256834). - CVE-2025-69418: Unauthenticated/unencrypted trailing bytes with low-level OCB function calls (bsc#1256835). - CVE-2025-69419: Out of bounds write in PKCS12_get_friendlyname() UTF-8 conversion (bsc#1256836). - CVE-2025-69420: Missing ASN1_TYPE validation in TS_RESP_verify_response() function (bsc#1256837). - CVE-2025-69421: NULL Pointer Dereference in PKCS12_item_decrypt_d2i_ex function (bsc#1256838). - CVE-2026-22795: Missing ASN1_TYPE validation in PKCS#12 parsing (bsc#1256839). - CVE-2026-22796: ASN1_TYPE Type Confusion in the PKCS7_digest_from_attributes() function (bsc#1256840). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2026:331-1 Released: Wed Jan 28 18:12:49 2026 Summary: Security update for openssl-1_1 Type: security Severity: moderate References: 1256834,1256835,1256836,1256837,1256838,1256839,1256840,CVE-2025-68160,CVE-2025-69418,CVE-2025-69419,CVE-2025-69420,CVE-2025-69421,CVE-2026-22795,CVE-2026-22796 This update for openssl-1_1 fixes the following issues: - CVE-2026-22795: Missing ASN1_TYPE validation in PKCS#12 parsing (bsc#1256839). - CVE-2025-69420: Missing ASN1_TYPE validation in TS_RESP_verify_response() function (bsc#1256837). - CVE-2025-69421: NULL Pointer Dereference in PKCS12_item_decrypt_d2i_ex function (bsc#1256838). 
- CVE-2026-22796: ASN1_TYPE Type Confusion in the PKCS7_digest_from_attributes() function (bsc#1256840). - CVE-2025-68160: Heap out-of-bounds write in BIO_f_linebuffer on short writes (bsc#1256834). - CVE-2025-69418: Unauthenticated/unencrypted trailing bytes with low-level OCB function calls (bsc#1256835). - CVE-2025-69419: Out of bounds write in PKCS12_get_friendlyname() UTF-8 conversion (bsc#1256836). The following package changes have been done: - libuuid1-2.40.4-150700.4.3.1 updated - libsmartcols1-2.40.4-150700.4.3.1 updated - libopenssl3-3.2.3-150700.5.24.1 updated - libblkid1-2.40.4-150700.4.3.1 updated - libopenssl-3-fips-provider-3.2.3-150700.5.24.1 updated - libfdisk1-2.40.4-150700.4.3.1 updated - libglib-2_0-0-2.78.6-150600.4.28.1 updated - libmount1-2.40.4-150700.4.3.1 updated - libcurl4-8.14.1-150700.7.11.1 updated - util-linux-2.40.4-150700.4.3.1 updated - curl-8.14.1-150700.7.11.1 updated - libopenssl1_1-1.1.1w-150700.11.11.1 updated - git-core-2.51.0-150600.3.15.1 updated - container:registry.suse.com-bci-bci-base-15.7-f9184822761ad484aca07587791f6b9d7abdb9a0b5cb88d5017f8891d8d8b001-0 updated From sle-container-updates at lists.suse.com Fri Jan 30 17:03:38 2026 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Fri, 30 Jan 2026 18:03:38 +0100 (CET) Subject: SUSE-CU-2026:549-1: Security update of bci/ruby Message-ID: <20260130170338.6002DFD9A@maintenance.suse.de> SUSE Container Update Advisory: bci/ruby ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2026:549-1 Container Tags : bci/ruby:3 , bci/ruby:3.4 , bci/ruby:3.4-20.12 , bci/ruby:latest Container Release : 20.12 Severity : critical Type : security References : 1251224 1254666 1256105 1256830 1256834 1256835 1256836 1256837 1256838 1256839 1256840 1257049 CVE-2025-14017 CVE-2025-14104 CVE-2025-15467 CVE-2025-68160 CVE-2025-69418 CVE-2025-69419 CVE-2025-69420 CVE-2025-69421 CVE-2026-0988 CVE-2026-22795 
CVE-2026-22796 ----------------------------------------------------------------- The container bci/ruby was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2026:221-1 Released: Thu Jan 22 13:15:35 2026 Summary: Security update for curl Type: security Severity: moderate References: 1256105,CVE-2025-14017 This update for curl fixes the following issues: - CVE-2025-14017: Fixed broken TLS options for threaded LDAPS (bsc#1256105). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2026:230-1 Released: Thu Jan 22 13:22:31 2026 Summary: Security update for util-linux Type: security Severity: moderate References: 1254666,CVE-2025-14104 This update for util-linux fixes the following issues: - CVE-2025-14104: Fixed heap buffer overread in setpwnam() when processing 256-byte usernames (bsc#1254666). - lscpu: Add support for NVIDIA Olympus arm64 core (jsc#PED-13682). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2026:242-1 Released: Thu Jan 22 14:57:13 2026 Summary: Recommended update for git Type: recommended Severity: moderate References: 1251224 This update for git fixes the following issue: - Revert incorrect AppArmor profile change, in SLE 15 the binaries remain in /usr/lib/git (bsc#1251224) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2026:286-1 Released: Sat Jan 24 00:35:35 2026 Summary: Security update for glib2 Type: security Severity: low References: 1257049,CVE-2026-0988 This update for glib2 fixes the following issues: - CVE-2026-0988: Fixed a potential integer overflow in g_buffered_input_stream_peek (bsc#1257049). 
----------------------------------------------------------------- Advisory ID: SUSE-SU-2026:309-1 Released: Wed Jan 28 10:36:32 2026 Summary: Security update for openssl-3 Type: security Severity: critical References: 1256830,1256834,1256835,1256836,1256837,1256838,1256839,1256840,CVE-2025-15467,CVE-2025-68160,CVE-2025-69418,CVE-2025-69419,CVE-2025-69420,CVE-2025-69421,CVE-2026-22795,CVE-2026-22796 This update for openssl-3 fixes the following issues: - CVE-2025-15467: Stack buffer overflow in CMS AuthEnvelopedData parsing (bsc#1256830). - CVE-2025-68160: Heap out-of-bounds write in BIO_f_linebuffer on short writes (bsc#1256834). - CVE-2025-69418: Unauthenticated/unencrypted trailing bytes with low-level OCB function calls (bsc#1256835). - CVE-2025-69419: Out of bounds write in PKCS12_get_friendlyname() UTF-8 conversion (bsc#1256836). - CVE-2025-69420: Missing ASN1_TYPE validation in TS_RESP_verify_response() function (bsc#1256837). - CVE-2025-69421: NULL Pointer Dereference in PKCS12_item_decrypt_d2i_ex function (bsc#1256838). - CVE-2026-22795: Missing ASN1_TYPE validation in PKCS#12 parsing (bsc#1256839). - CVE-2026-22796: ASN1_TYPE Type Confusion in the PKCS7_digest_from_attributes() function (bsc#1256840). 
The following package changes have been done: - libuuid1-2.40.4-150700.4.3.1 updated - libsmartcols1-2.40.4-150700.4.3.1 updated - libopenssl3-3.2.3-150700.5.24.1 updated - libblkid1-2.40.4-150700.4.3.1 updated - libopenssl-3-fips-provider-3.2.3-150700.5.24.1 updated - libfdisk1-2.40.4-150700.4.3.1 updated - libglib-2_0-0-2.78.6-150600.4.28.1 updated - libmount1-2.40.4-150700.4.3.1 updated - libcurl4-8.14.1-150700.7.11.1 updated - util-linux-2.40.4-150700.4.3.1 updated - curl-8.14.1-150700.7.11.1 updated - git-core-2.51.0-150600.3.15.1 updated - container:registry.suse.com-bci-bci-base-15.7-f9184822761ad484aca07587791f6b9d7abdb9a0b5cb88d5017f8891d8d8b001-0 updated From sle-container-updates at lists.suse.com Fri Jan 30 17:04:03 2026 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Fri, 30 Jan 2026 18:04:03 +0100 (CET) Subject: SUSE-CU-2026:550-1: Security update of bci/rust Message-ID: <20260130170403.1DADAFD9A@maintenance.suse.de> SUSE Container Update Advisory: bci/rust ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2026:550-1 Container Tags : bci/rust:1.91 , bci/rust:1.91.0 , bci/rust:1.91.0-2.3.12 , bci/rust:oldstable , bci/rust:oldstable-2.3.12 Container Release : 3.12 Severity : critical Type : security References : 1256830 1256834 1256834 1256835 1256835 1256836 1256836 1256837 1256837 1256838 1256838 1256839 1256839 1256840 1256840 CVE-2025-15467 CVE-2025-68160 CVE-2025-68160 CVE-2025-69418 CVE-2025-69418 CVE-2025-69419 CVE-2025-69419 CVE-2025-69420 CVE-2025-69420 CVE-2025-69421 CVE-2025-69421 CVE-2026-22795 CVE-2026-22795 CVE-2026-22796 CVE-2026-22796 ----------------------------------------------------------------- The container bci/rust was updated. 
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2026:309-1 Released: Wed Jan 28 10:36:32 2026 Summary: Security update for openssl-3 Type: security Severity: critical References: 1256830,1256834,1256835,1256836,1256837,1256838,1256839,1256840,CVE-2025-15467,CVE-2025-68160,CVE-2025-69418,CVE-2025-69419,CVE-2025-69420,CVE-2025-69421,CVE-2026-22795,CVE-2026-22796 This update for openssl-3 fixes the following issues: - CVE-2025-15467: Stack buffer overflow in CMS AuthEnvelopedData parsing (bsc#1256830). - CVE-2025-68160: Heap out-of-bounds write in BIO_f_linebuffer on short writes (bsc#1256834). - CVE-2025-69418: Unauthenticated/unencrypted trailing bytes with low-level OCB function calls (bsc#1256835). - CVE-2025-69419: Out of bounds write in PKCS12_get_friendlyname() UTF-8 conversion (bsc#1256836). - CVE-2025-69420: Missing ASN1_TYPE validation in TS_RESP_verify_response() function (bsc#1256837). - CVE-2025-69421: NULL Pointer Dereference in PKCS12_item_decrypt_d2i_ex function (bsc#1256838). - CVE-2026-22795: Missing ASN1_TYPE validation in PKCS#12 parsing (bsc#1256839). - CVE-2026-22796: ASN1_TYPE Type Confusion in the PKCS7_digest_from_attributes() function (bsc#1256840). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2026:331-1 Released: Wed Jan 28 18:12:49 2026 Summary: Security update for openssl-1_1 Type: security Severity: moderate References: 1256834,1256835,1256836,1256837,1256838,1256839,1256840,CVE-2025-68160,CVE-2025-69418,CVE-2025-69419,CVE-2025-69420,CVE-2025-69421,CVE-2026-22795,CVE-2026-22796 This update for openssl-1_1 fixes the following issues: - CVE-2026-22795: Missing ASN1_TYPE validation in PKCS#12 parsing (bsc#1256839). - CVE-2025-69420: Missing ASN1_TYPE validation in TS_RESP_verify_response() function (bsc#1256837). 
- CVE-2025-69421: NULL Pointer Dereference in PKCS12_item_decrypt_d2i_ex function (bsc#1256838). - CVE-2026-22796: ASN1_TYPE Type Confusion in the PKCS7_digest_from_attributes() function (bsc#1256840). - CVE-2025-68160: Heap out-of-bounds write in BIO_f_linebuffer on short writes (bsc#1256834). - CVE-2025-69418: Unauthenticated/unencrypted trailing bytes with low-level OCB function calls (bsc#1256835). - CVE-2025-69419: Out of bounds write in PKCS12_get_friendlyname() UTF-8 conversion (bsc#1256836). The following package changes have been done: - libopenssl3-3.2.3-150700.5.24.1 updated - libopenssl-3-fips-provider-3.2.3-150700.5.24.1 updated - libopenssl1_1-1.1.1w-150700.11.11.1 updated - container:registry.suse.com-bci-bci-base-15.7-f9184822761ad484aca07587791f6b9d7abdb9a0b5cb88d5017f8891d8d8b001-0 updated From sle-container-updates at lists.suse.com Fri Jan 30 17:04:23 2026 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Fri, 30 Jan 2026 18:04:23 +0100 (CET) Subject: SUSE-CU-2026:551-1: Security update of suse/samba-client Message-ID: <20260130170423.350F2FD9A@maintenance.suse.de> SUSE Container Update Advisory: suse/samba-client ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2026:551-1 Container Tags : suse/samba-client:4.21 , suse/samba-client:4.21 , suse/samba-client:4.21-70.12 , suse/samba-client:latest Container Release : 70.12 Severity : moderate Type : security References : 1256834 1256835 1256836 1256837 1256838 1256839 1256840 CVE-2025-68160 CVE-2025-69418 CVE-2025-69419 CVE-2025-69420 CVE-2025-69421 CVE-2026-22795 CVE-2026-22796 ----------------------------------------------------------------- The container suse/samba-client was updated. 
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2026:331-1 Released: Wed Jan 28 18:12:49 2026 Summary: Security update for openssl-1_1 Type: security Severity: moderate References: 1256834,1256835,1256836,1256837,1256838,1256839,1256840,CVE-2025-68160,CVE-2025-69418,CVE-2025-69419,CVE-2025-69420,CVE-2025-69421,CVE-2026-22795,CVE-2026-22796 This update for openssl-1_1 fixes the following issues: - CVE-2026-22795: Missing ASN1_TYPE validation in PKCS#12 parsing (bsc#1256839). - CVE-2025-69420: Missing ASN1_TYPE validation in TS_RESP_verify_response() function (bsc#1256837). - CVE-2025-69421: NULL Pointer Dereference in PKCS12_item_decrypt_d2i_ex function (bsc#1256838). - CVE-2026-22796: ASN1_TYPE Type Confusion in the PKCS7_digest_from_attributes() function (bsc#1256840). - CVE-2025-68160: Heap out-of-bounds write in BIO_f_linebuffer on short writes (bsc#1256834). - CVE-2025-69418: Unauthenticated/unencrypted trailing bytes with low-level OCB function calls (bsc#1256835). - CVE-2025-69419: Out of bounds write in PKCS12_get_friendlyname() UTF-8 conversion (bsc#1256836). 
The following package changes have been done: - libopenssl1_1-1.1.1w-150700.11.11.1 updated - container:suse-sle15-15.7-9efe2e5a6c38d2f8c0921b1f30f01a84e5a8a968aaa4132bec532c8be84037c1-0 updated From sle-container-updates at lists.suse.com Fri Jan 30 17:04:44 2026 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Fri, 30 Jan 2026 18:04:44 +0100 (CET) Subject: SUSE-CU-2026:553-1: Security update of suse/samba-server Message-ID: <20260130170444.DDC7AFD9A@maintenance.suse.de> SUSE Container Update Advisory: suse/samba-server ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2026:553-1 Container Tags : suse/samba-server:4.21 , suse/samba-server:4.21 , suse/samba-server:4.21-71.12 , suse/samba-server:latest Container Release : 71.12 Severity : moderate Type : security References : 1256834 1256835 1256836 1256837 1256838 1256839 1256840 CVE-2025-68160 CVE-2025-69418 CVE-2025-69419 CVE-2025-69420 CVE-2025-69421 CVE-2026-22795 CVE-2026-22796 ----------------------------------------------------------------- The container suse/samba-server was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2026:331-1 Released: Wed Jan 28 18:12:49 2026 Summary: Security update for openssl-1_1 Type: security Severity: moderate References: 1256834,1256835,1256836,1256837,1256838,1256839,1256840,CVE-2025-68160,CVE-2025-69418,CVE-2025-69419,CVE-2025-69420,CVE-2025-69421,CVE-2026-22795,CVE-2026-22796 This update for openssl-1_1 fixes the following issues: - CVE-2026-22795: Missing ASN1_TYPE validation in PKCS#12 parsing (bsc#1256839). - CVE-2025-69420: Missing ASN1_TYPE validation in TS_RESP_verify_response() function (bsc#1256837). - CVE-2025-69421: NULL Pointer Dereference in PKCS12_item_decrypt_d2i_ex function (bsc#1256838). 
- CVE-2026-22796: ASN1_TYPE Type Confusion in the PKCS7_digest_from_attributes() function (bsc#1256840). - CVE-2025-68160: Heap out-of-bounds write in BIO_f_linebuffer on short writes (bsc#1256834). - CVE-2025-69418: Unauthenticated/unencrypted trailing bytes with low-level OCB function calls (bsc#1256835). - CVE-2025-69419: Out of bounds write in PKCS12_get_friendlyname() UTF-8 conversion (bsc#1256836). The following package changes have been done: - libopenssl1_1-1.1.1w-150700.11.11.1 updated - container:suse-sle15-15.7-9efe2e5a6c38d2f8c0921b1f30f01a84e5a8a968aaa4132bec532c8be84037c1-0 updated From sle-container-updates at lists.suse.com Fri Jan 30 17:05:04 2026 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Fri, 30 Jan 2026 18:05:04 +0100 (CET) Subject: SUSE-CU-2026:555-1: Security update of suse/samba-toolbox Message-ID: <20260130170504.C843FFD9A@maintenance.suse.de> SUSE Container Update Advisory: suse/samba-toolbox ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2026:555-1 Container Tags : suse/samba-toolbox:4.21 , suse/samba-toolbox:4.21 , suse/samba-toolbox:4.21-71.12 , suse/samba-toolbox:latest Container Release : 71.12 Severity : critical Type : security References : 1256830 1256834 1256834 1256835 1256835 1256836 1256836 1256837 1256837 1256838 1256838 1256839 1256839 1256840 1256840 CVE-2025-15467 CVE-2025-68160 CVE-2025-68160 CVE-2025-69418 CVE-2025-69418 CVE-2025-69419 CVE-2025-69419 CVE-2025-69420 CVE-2025-69420 CVE-2025-69421 CVE-2025-69421 CVE-2026-22795 CVE-2026-22795 CVE-2026-22796 CVE-2026-22796 ----------------------------------------------------------------- The container suse/samba-toolbox was updated. 
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2026:309-1 Released: Wed Jan 28 10:36:32 2026 Summary: Security update for openssl-3 Type: security Severity: critical References: 1256830,1256834,1256835,1256836,1256837,1256838,1256839,1256840,CVE-2025-15467,CVE-2025-68160,CVE-2025-69418,CVE-2025-69419,CVE-2025-69420,CVE-2025-69421,CVE-2026-22795,CVE-2026-22796 This update for openssl-3 fixes the following issues: - CVE-2025-15467: Stack buffer overflow in CMS AuthEnvelopedData parsing (bsc#1256830). - CVE-2025-68160: Heap out-of-bounds write in BIO_f_linebuffer on short writes (bsc#1256834). - CVE-2025-69418: Unauthenticated/unencrypted trailing bytes with low-level OCB function calls (bsc#1256835). - CVE-2025-69419: Out of bounds write in PKCS12_get_friendlyname() UTF-8 conversion (bsc#1256836). - CVE-2025-69420: Missing ASN1_TYPE validation in TS_RESP_verify_response() function (bsc#1256837). - CVE-2025-69421: NULL Pointer Dereference in PKCS12_item_decrypt_d2i_ex function (bsc#1256838). - CVE-2026-22795: Missing ASN1_TYPE validation in PKCS#12 parsing (bsc#1256839). - CVE-2026-22796: ASN1_TYPE Type Confusion in the PKCS7_digest_from_attributes() function (bsc#1256840). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2026:331-1 Released: Wed Jan 28 18:12:49 2026 Summary: Security update for openssl-1_1 Type: security Severity: moderate References: 1256834,1256835,1256836,1256837,1256838,1256839,1256840,CVE-2025-68160,CVE-2025-69418,CVE-2025-69419,CVE-2025-69420,CVE-2025-69421,CVE-2026-22795,CVE-2026-22796 This update for openssl-1_1 fixes the following issues: - CVE-2026-22795: Missing ASN1_TYPE validation in PKCS#12 parsing (bsc#1256839). - CVE-2025-69420: Missing ASN1_TYPE validation in TS_RESP_verify_response() function (bsc#1256837). 
- CVE-2025-69421: NULL Pointer Dereference in PKCS12_item_decrypt_d2i_ex function (bsc#1256838). - CVE-2026-22796: ASN1_TYPE Type Confusion in the PKCS7_digest_from_attributes() function (bsc#1256840). - CVE-2025-68160: Heap out-of-bounds write in BIO_f_linebuffer on short writes (bsc#1256834). - CVE-2025-69418: Unauthenticated/unencrypted trailing bytes with low-level OCB function calls (bsc#1256835). - CVE-2025-69419: Out of bounds write in PKCS12_get_friendlyname() UTF-8 conversion (bsc#1256836). The following package changes have been done: - libopenssl3-3.2.3-150700.5.24.1 updated - libopenssl1_1-1.1.1w-150700.11.11.1 updated - libopenssl-3-fips-provider-3.2.3-150700.5.24.1 updated - container:suse-sle15-15.7-9efe2e5a6c38d2f8c0921b1f30f01a84e5a8a968aaa4132bec532c8be84037c1-0 updated From sle-container-updates at lists.suse.com Fri Jan 30 17:05:31 2026 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Fri, 30 Jan 2026 18:05:31 +0100 (CET) Subject: SUSE-CU-2026:557-1: Security update of suse/sle15 Message-ID: <20260130170531.26F4CFD9A@maintenance.suse.de> SUSE Container Update Advisory: suse/sle15 ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2026:557-1 Container Tags : bci/bci-base:15.7 , bci/bci-base:15.7-5.14.9 , bci/bci-base:latest , suse/sle15:15.7 , suse/sle15:15.7-5.14.9 , suse/sle15:latest Container Release : 5.14.9 Severity : important Type : security References : ----------------------------------------------------------------- The container suse/sle15 was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2026:319-1 Released: Wed Jan 28 15:39:29 2026 Summary: Security update for container-suseconnect Type: security Severity: important References: This update for container-suseconnect rebuilds it against the current Go security release.
The following package changes have been done: - container-suseconnect-2.5.5-150000.4.77.1 updated From sle-container-updates at lists.suse.com Fri Jan 30 17:06:10 2026 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Fri, 30 Jan 2026 18:06:10 +0100 (CET) Subject: SUSE-CU-2026:558-1: Security update of bci/spack Message-ID: <20260130170610.12B68FD9A@maintenance.suse.de> SUSE Container Update Advisory: bci/spack ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2026:558-1 Container Tags : bci/spack:0.23 , bci/spack:0.23.1 , bci/spack:0.23.1-21.13 , bci/spack:latest Container Release : 21.13 Severity : moderate Type : security References : 1256834 1256835 1256836 1256837 1256838 1256839 1256840 CVE-2025-68160 CVE-2025-69418 CVE-2025-69419 CVE-2025-69420 CVE-2025-69421 CVE-2026-22795 CVE-2026-22796 ----------------------------------------------------------------- The container bci/spack was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2026:331-1 Released: Wed Jan 28 18:12:49 2026 Summary: Security update for openssl-1_1 Type: security Severity: moderate References: 1256834,1256835,1256836,1256837,1256838,1256839,1256840,CVE-2025-68160,CVE-2025-69418,CVE-2025-69419,CVE-2025-69420,CVE-2025-69421,CVE-2026-22795,CVE-2026-22796 This update for openssl-1_1 fixes the following issues: - CVE-2026-22795: Missing ASN1_TYPE validation in PKCS#12 parsing (bsc#1256839). - CVE-2025-69420: Missing ASN1_TYPE validation in TS_RESP_verify_response() function (bsc#1256837). - CVE-2025-69421: NULL Pointer Dereference in PKCS12_item_decrypt_d2i_ex function (bsc#1256838). - CVE-2026-22796: ASN1_TYPE Type Confusion in the PKCS7_digest_from_attributes() function (bsc#1256840). - CVE-2025-68160: Heap out-of-bounds write in BIO_f_linebuffer on short writes (bsc#1256834). 
- CVE-2025-69418: Unauthenticated/unencrypted trailing bytes with low-level OCB function calls (bsc#1256835). - CVE-2025-69419: Out of bounds write in PKCS12_get_friendlyname() UTF-8 conversion (bsc#1256836). The following package changes have been done: - libopenssl3-3.2.3-150700.5.24.1 updated - libopenssl-3-fips-provider-3.2.3-150700.5.24.1 updated - openssl-3-3.2.3-150700.5.24.1 updated - libopenssl1_1-1.1.1w-150700.11.11.1 updated - container:registry.suse.com-bci-bci-base-15.7-9efe2e5a6c38d2f8c0921b1f30f01a84e5a8a968aaa4132bec532c8be84037c1-0 updated From sle-container-updates at lists.suse.com Fri Jan 30 17:06:25 2026 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Fri, 30 Jan 2026 18:06:25 +0100 (CET) Subject: SUSE-CU-2026:560-1: Security update of suse/stunnel Message-ID: <20260130170625.8D90AFD9A@maintenance.suse.de> SUSE Container Update Advisory: suse/stunnel ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2026:560-1 Container Tags : suse/stunnel:5 , suse/stunnel:5.70 , suse/stunnel:5.70-71.7 , suse/stunnel:latest Container Release : 71.7 Severity : critical Type : security References : 1256830 1256834 1256835 1256836 1256837 1256838 1256839 1256840 CVE-2025-15467 CVE-2025-68160 CVE-2025-69418 CVE-2025-69419 CVE-2025-69420 CVE-2025-69421 CVE-2026-22795 CVE-2026-22796 ----------------------------------------------------------------- The container suse/stunnel was updated. 
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2026:309-1 Released: Wed Jan 28 10:36:32 2026 Summary: Security update for openssl-3 Type: security Severity: critical References: 1256830,1256834,1256835,1256836,1256837,1256838,1256839,1256840,CVE-2025-15467,CVE-2025-68160,CVE-2025-69418,CVE-2025-69419,CVE-2025-69420,CVE-2025-69421,CVE-2026-22795,CVE-2026-22796 This update for openssl-3 fixes the following issues: - CVE-2025-15467: Stack buffer overflow in CMS AuthEnvelopedData parsing (bsc#1256830). - CVE-2025-68160: Heap out-of-bounds write in BIO_f_linebuffer on short writes (bsc#1256834). - CVE-2025-69418: Unauthenticated/unencrypted trailing bytes with low-level OCB function calls (bsc#1256835). - CVE-2025-69419: Out of bounds write in PKCS12_get_friendlyname() UTF-8 conversion (bsc#1256836). - CVE-2025-69420: Missing ASN1_TYPE validation in TS_RESP_verify_response() function (bsc#1256837). - CVE-2025-69421: NULL Pointer Dereference in PKCS12_item_decrypt_d2i_ex function (bsc#1256838). - CVE-2026-22795: Missing ASN1_TYPE validation in PKCS#12 parsing (bsc#1256839). - CVE-2026-22796: ASN1_TYPE Type Confusion in the PKCS7_digest_from_attributes() function (bsc#1256840). 
The following package changes have been done: - libopenssl3-3.2.3-150700.5.24.1 updated - libopenssl-3-fips-provider-3.2.3-150700.5.24.1 updated - container:suse-sle15-15.7-9efe2e5a6c38d2f8c0921b1f30f01a84e5a8a968aaa4132bec532c8be84037c1-0 updated From sle-container-updates at lists.suse.com Fri Jan 30 17:06:42 2026 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Fri, 30 Jan 2026 18:06:42 +0100 (CET) Subject: SUSE-CU-2026:562-1: Security update of suse/valkey Message-ID: <20260130170642.DB9A9FD9A@maintenance.suse.de> SUSE Container Update Advisory: suse/valkey ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2026:562-1 Container Tags : suse/valkey:8 , suse/valkey:8.0 , suse/valkey:8.0.6 , suse/valkey:8.0.6-69.8 , suse/valkey:latest Container Release : 69.8 Severity : critical Type : security References : 1256830 1256834 1256835 1256836 1256837 1256838 1256839 1256840 CVE-2025-15467 CVE-2025-68160 CVE-2025-69418 CVE-2025-69419 CVE-2025-69420 CVE-2025-69421 CVE-2026-22795 CVE-2026-22796 ----------------------------------------------------------------- The container suse/valkey was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2026:309-1 Released: Wed Jan 28 10:36:32 2026 Summary: Security update for openssl-3 Type: security Severity: critical References: 1256830,1256834,1256835,1256836,1256837,1256838,1256839,1256840,CVE-2025-15467,CVE-2025-68160,CVE-2025-69418,CVE-2025-69419,CVE-2025-69420,CVE-2025-69421,CVE-2026-22795,CVE-2026-22796 This update for openssl-3 fixes the following issues: - CVE-2025-15467: Stack buffer overflow in CMS AuthEnvelopedData parsing (bsc#1256830). - CVE-2025-68160: Heap out-of-bounds write in BIO_f_linebuffer on short writes (bsc#1256834). 
- CVE-2025-69418: Unauthenticated/unencrypted trailing bytes with low-level OCB function calls (bsc#1256835). - CVE-2025-69419: Out of bounds write in PKCS12_get_friendlyname() UTF-8 conversion (bsc#1256836). - CVE-2025-69420: Missing ASN1_TYPE validation in TS_RESP_verify_response() function (bsc#1256837). - CVE-2025-69421: NULL Pointer Dereference in PKCS12_item_decrypt_d2i_ex function (bsc#1256838). - CVE-2026-22795: Missing ASN1_TYPE validation in PKCS#12 parsing (bsc#1256839). - CVE-2026-22796: ASN1_TYPE Type Confusion in the PKCS7_digest_from_attributes() function (bsc#1256840). The following package changes have been done: - libopenssl3-3.2.3-150700.5.24.1 updated - libopenssl-3-fips-provider-3.2.3-150700.5.24.1 updated - container:suse-sle15-15.7-9efe2e5a6c38d2f8c0921b1f30f01a84e5a8a968aaa4132bec532c8be84037c1-0 updated From sle-container-updates at lists.suse.com Sat Jan 31 08:12:49 2026 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Sat, 31 Jan 2026 09:12:49 +0100 (CET) Subject: SUSE-CU-2026:563-1: Security update of bci/bci-base-fips Message-ID: <20260131081249.290D2FD1A@maintenance.suse.de> SUSE Container Update Advisory: bci/bci-base-fips ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2026:563-1 Container Tags : bci/bci-base-fips:15.7 , bci/bci-base-fips:15.7-17.9 , bci/bci-base-fips:latest Container Release : 17.9 Severity : critical Type : security References : 1254666 1256830 1256834 1256835 1256836 1256837 1256838 1256839 1256840 CVE-2025-14104 CVE-2025-15467 CVE-2025-68160 CVE-2025-69418 CVE-2025-69419 CVE-2025-69420 CVE-2025-69421 CVE-2026-22795 CVE-2026-22796 ----------------------------------------------------------------- The container bci/bci-base-fips was updated. 
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2026:230-1 Released: Thu Jan 22 13:22:31 2026 Summary: Security update for util-linux Type: security Severity: moderate References: 1254666,CVE-2025-14104 This update for util-linux fixes the following issues: - CVE-2025-14104: Fixed heap buffer overread in setpwnam() when processing 256-byte usernames (bsc#1254666). - lscpu: Add support for NVIDIA Olympus arm64 core (jsc#PED-13682). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2026:309-1 Released: Wed Jan 28 10:36:32 2026 Summary: Security update for openssl-3 Type: security Severity: critical References: 1256830,1256834,1256835,1256836,1256837,1256838,1256839,1256840,CVE-2025-15467,CVE-2025-68160,CVE-2025-69418,CVE-2025-69419,CVE-2025-69420,CVE-2025-69421,CVE-2026-22795,CVE-2026-22796 This update for openssl-3 fixes the following issues: - CVE-2025-15467: Stack buffer overflow in CMS AuthEnvelopedData parsing (bsc#1256830). - CVE-2025-68160: Heap out-of-bounds write in BIO_f_linebuffer on short writes (bsc#1256834). - CVE-2025-69418: Unauthenticated/unencrypted trailing bytes with low-level OCB function calls (bsc#1256835). - CVE-2025-69419: Out of bounds write in PKCS12_get_friendlyname() UTF-8 conversion (bsc#1256836). - CVE-2025-69420: Missing ASN1_TYPE validation in TS_RESP_verify_response() function (bsc#1256837). - CVE-2025-69421: NULL Pointer Dereference in PKCS12_item_decrypt_d2i_ex function (bsc#1256838). - CVE-2026-22795: Missing ASN1_TYPE validation in PKCS#12 parsing (bsc#1256839). - CVE-2026-22796: ASN1_TYPE Type Confusion in the PKCS7_digest_from_attributes() function (bsc#1256840). 
The following package changes have been done: - libuuid1-2.40.4-150700.4.3.1 updated - libsmartcols1-2.40.4-150700.4.3.1 updated - libopenssl3-3.2.3-150700.5.24.1 updated - libblkid1-2.40.4-150700.4.3.1 updated - libopenssl-3-fips-provider-3.2.3-150700.5.24.1 updated - libfdisk1-2.40.4-150700.4.3.1 updated - libmount1-2.40.4-150700.4.3.1 updated - util-linux-2.40.4-150700.4.3.1 updated - container:registry.suse.com-bci-bci-base-15.7-f9184822761ad484aca07587791f6b9d7abdb9a0b5cb88d5017f8891d8d8b001-0 updated From sle-container-updates at lists.suse.com Sat Jan 31 08:13:30 2026 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Sat, 31 Jan 2026 09:13:30 +0100 (CET) Subject: SUSE-CU-2026:565-1: Recommended update of bci/rust Message-ID: <20260131081330.9EF52FD1A@maintenance.suse.de> SUSE Container Update Advisory: bci/rust ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2026:565-1 Container Tags : bci/rust:1.92 , bci/rust:1.92.0 , bci/rust:1.92.0-2.2.1 , bci/rust:oldstable , bci/rust:oldstable-2.2.1 Container Release : 2.1 Severity : moderate Type : recommended References : ----------------------------------------------------------------- The container bci/rust was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:4519-1 Released: Wed Dec 24 06:35:21 2025 Summary: Recommended update for rust1.92 Type: recommended Severity: moderate References: This update for rust1.92 fixes the following issues: Added rust1.92. 
Release notes can be found externally: https://github.com/rust-lang/rust/releases/tag/1.92.0 The following package changes have been done: - rust1.92-1.92.0-150300.7.3.1 added - cargo1.92-1.92.0-150300.7.3.1 added - cargo1.91-1.91.0-150300.7.3.1 removed - rust1.91-1.91.0-150300.7.3.1 removed From sle-container-updates at lists.suse.com Sat Jan 31 08:14:02 2026 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Sat, 31 Jan 2026 09:14:02 +0100 (CET) Subject: SUSE-CU-2026:566-1: Security update of bci/rust Message-ID: <20260131081402.14DECFCDB@maintenance.suse.de> SUSE Container Update Advisory: bci/rust ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2026:566-1 Container Tags : bci/rust:1.93 , bci/rust:1.93.0 , bci/rust:1.93.0-1.2.1 , bci/rust:latest , bci/rust:stable , bci/rust:stable-1.2.1 Container Release : 2.1 Severity : critical Type : security References : 1256830 1256834 1256834 1256835 1256835 1256836 1256836 1256837 1256837 1256838 1256838 1256839 1256839 1256840 1256840 CVE-2025-15467 CVE-2025-68160 CVE-2025-68160 CVE-2025-69418 CVE-2025-69418 CVE-2025-69419 CVE-2025-69419 CVE-2025-69420 CVE-2025-69420 CVE-2025-69421 CVE-2025-69421 CVE-2026-22795 CVE-2026-22795 CVE-2026-22796 CVE-2026-22796 ----------------------------------------------------------------- The container bci/rust was updated. 
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2026:309-1 Released: Wed Jan 28 10:36:32 2026 Summary: Security update for openssl-3 Type: security Severity: critical References: 1256830,1256834,1256835,1256836,1256837,1256838,1256839,1256840,CVE-2025-15467,CVE-2025-68160,CVE-2025-69418,CVE-2025-69419,CVE-2025-69420,CVE-2025-69421,CVE-2026-22795,CVE-2026-22796 This update for openssl-3 fixes the following issues: - CVE-2025-15467: Stack buffer overflow in CMS AuthEnvelopedData parsing (bsc#1256830). - CVE-2025-68160: Heap out-of-bounds write in BIO_f_linebuffer on short writes (bsc#1256834). - CVE-2025-69418: Unauthenticated/unencrypted trailing bytes with low-level OCB function calls (bsc#1256835). - CVE-2025-69419: Out of bounds write in PKCS12_get_friendlyname() UTF-8 conversion (bsc#1256836). - CVE-2025-69420: Missing ASN1_TYPE validation in TS_RESP_verify_response() function (bsc#1256837). - CVE-2025-69421: NULL Pointer Dereference in PKCS12_item_decrypt_d2i_ex function (bsc#1256838). - CVE-2026-22795: Missing ASN1_TYPE validation in PKCS#12 parsing (bsc#1256839). - CVE-2026-22796: ASN1_TYPE Type Confusion in the PKCS7_digest_from_attributes() function (bsc#1256840). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2026:331-1 Released: Wed Jan 28 18:12:49 2026 Summary: Security update for openssl-1_1 Type: security Severity: moderate References: 1256834,1256835,1256836,1256837,1256838,1256839,1256840,CVE-2025-68160,CVE-2025-69418,CVE-2025-69419,CVE-2025-69420,CVE-2025-69421,CVE-2026-22795,CVE-2026-22796 This update for openssl-1_1 fixes the following issues: - CVE-2026-22795: Missing ASN1_TYPE validation in PKCS#12 parsing (bsc#1256839). - CVE-2025-69420: Missing ASN1_TYPE validation in TS_RESP_verify_response() function (bsc#1256837). 
- CVE-2025-69421: NULL Pointer Dereference in PKCS12_item_decrypt_d2i_ex function (bsc#1256838). - CVE-2026-22796: ASN1_TYPE Type Confusion in the PKCS7_digest_from_attributes() function (bsc#1256840). - CVE-2025-68160: Heap out-of-bounds write in BIO_f_linebuffer on short writes (bsc#1256834). - CVE-2025-69418: Unauthenticated/unencrypted trailing bytes with low-level OCB function calls (bsc#1256835). - CVE-2025-69419: Out of bounds write in PKCS12_get_friendlyname() UTF-8 conversion (bsc#1256836). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2026:349-1 Released: Fri Jan 30 12:35:07 2026 Summary: Recommended update for rust, rust1.93 Type: recommended Severity: moderate References: This update for rust, rust1.93 fixes the following issues: Changes in rust1.93: - Added rust1.93 - Release notes can be found externally: https://github.com/rust-lang/rust/releases/tag/1.93.0 The following package changes have been done: - libopenssl3-3.2.3-150700.5.24.1 updated - libopenssl-3-fips-provider-3.2.3-150700.5.24.1 updated - libopenssl1_1-1.1.1w-150700.11.11.1 updated - rust1.93-1.93.0-150300.7.3.1 added - cargo1.93-1.93.0-150300.7.3.1 added - container:registry.suse.com-bci-bci-base-15.7-f9184822761ad484aca07587791f6b9d7abdb9a0b5cb88d5017f8891d8d8b001-0 updated - cargo1.92-1.92.0-150300.7.3.1 removed - rust1.92-1.92.0-150300.7.3.1 removed From sle-container-updates at lists.suse.com Sat Jan 31 08:14:48 2026 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Sat, 31 Jan 2026 09:14:48 +0100 (CET) Subject: SUSE-CU-2026:562-1: Security update of suse/valkey Message-ID: <20260131081448.D9171FCDB@maintenance.suse.de> SUSE Container Update Advisory: suse/valkey ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2026:562-1 Container Tags : suse/valkey:8 , suse/valkey:8.0 , suse/valkey:8.0.6 , suse/valkey:8.0.6-69.8 , suse/valkey:latest Container 
Release : 69.8 Severity : critical Type : security References : 1256830 1256834 1256835 1256836 1256837 1256838 1256839 1256840 CVE-2025-15467 CVE-2025-68160 CVE-2025-69418 CVE-2025-69419 CVE-2025-69420 CVE-2025-69421 CVE-2026-22795 CVE-2026-22796 ----------------------------------------------------------------- The container suse/valkey was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2026:309-1 Released: Wed Jan 28 10:36:32 2026 Summary: Security update for openssl-3 Type: security Severity: critical References: 1256830,1256834,1256835,1256836,1256837,1256838,1256839,1256840,CVE-2025-15467,CVE-2025-68160,CVE-2025-69418,CVE-2025-69419,CVE-2025-69420,CVE-2025-69421,CVE-2026-22795,CVE-2026-22796 This update for openssl-3 fixes the following issues: - CVE-2025-15467: Stack buffer overflow in CMS AuthEnvelopedData parsing (bsc#1256830). - CVE-2025-68160: Heap out-of-bounds write in BIO_f_linebuffer on short writes (bsc#1256834). - CVE-2025-69418: Unauthenticated/unencrypted trailing bytes with low-level OCB function calls (bsc#1256835). - CVE-2025-69419: Out of bounds write in PKCS12_get_friendlyname() UTF-8 conversion (bsc#1256836). - CVE-2025-69420: Missing ASN1_TYPE validation in TS_RESP_verify_response() function (bsc#1256837). - CVE-2025-69421: NULL Pointer Dereference in PKCS12_item_decrypt_d2i_ex function (bsc#1256838). - CVE-2026-22795: Missing ASN1_TYPE validation in PKCS#12 parsing (bsc#1256839). - CVE-2026-22796: ASN1_TYPE Type Confusion in the PKCS7_digest_from_attributes() function (bsc#1256840). 
The following package changes have been done: - libopenssl3-3.2.3-150700.5.24.1 updated - libopenssl-3-fips-provider-3.2.3-150700.5.24.1 updated - container:suse-sle15-15.7-9efe2e5a6c38d2f8c0921b1f30f01a84e5a8a968aaa4132bec532c8be84037c1-0 updated From sle-container-updates at lists.suse.com Sat Jan 31 08:15:03 2026 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Sat, 31 Jan 2026 09:15:03 +0100 (CET) Subject: SUSE-CU-2026:569-1: Security update of suse/kiosk/xorg-client Message-ID: <20260131081503.F0288FCDB@maintenance.suse.de> SUSE Container Update Advisory: suse/kiosk/xorg-client ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2026:569-1 Container Tags : suse/kiosk/xorg-client:21 , suse/kiosk/xorg-client:21-70.14 , suse/kiosk/xorg-client:latest Container Release : 70.14 Severity : critical Type : security References : 1227412 1256830 1256834 1256835 1256836 1256837 1256838 1256839 1256840 CVE-2023-39327 CVE-2025-15467 CVE-2025-68160 CVE-2025-69418 CVE-2025-69419 CVE-2025-69420 CVE-2025-69421 CVE-2026-22795 CVE-2026-22796 ----------------------------------------------------------------- The container suse/kiosk/xorg-client was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2026:309-1 Released: Wed Jan 28 10:36:32 2026 Summary: Security update for openssl-3 Type: security Severity: critical References: 1256830,1256834,1256835,1256836,1256837,1256838,1256839,1256840,CVE-2025-15467,CVE-2025-68160,CVE-2025-69418,CVE-2025-69419,CVE-2025-69420,CVE-2025-69421,CVE-2026-22795,CVE-2026-22796 This update for openssl-3 fixes the following issues: - CVE-2025-15467: Stack buffer overflow in CMS AuthEnvelopedData parsing (bsc#1256830). - CVE-2025-68160: Heap out-of-bounds write in BIO_f_linebuffer on short writes (bsc#1256834). 
- CVE-2025-69418: Unauthenticated/unencrypted trailing bytes with low-level OCB function calls (bsc#1256835). - CVE-2025-69419: Out of bounds write in PKCS12_get_friendlyname() UTF-8 conversion (bsc#1256836). - CVE-2025-69420: Missing ASN1_TYPE validation in TS_RESP_verify_response() function (bsc#1256837). - CVE-2025-69421: NULL Pointer Dereference in PKCS12_item_decrypt_d2i_ex function (bsc#1256838). - CVE-2026-22795: Missing ASN1_TYPE validation in PKCS#12 parsing (bsc#1256839). - CVE-2026-22796: ASN1_TYPE Type Confusion in the PKCS7_digest_from_attributes() function (bsc#1256840). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2026:330-1 Released: Wed Jan 28 17:27:08 2026 Summary: Security update for openjpeg2 Type: security Severity: low References: 1227412,CVE-2023-39327 This update for openjpeg2 fixes the following issues: - CVE-2023-39327: Fixed malicious files can cause a large loop that continuously prints warning messages on the terminal (bsc#1227412). 
The following package changes have been done: - libopenjp2-7-2.3.0-150000.3.24.1 updated - libopenssl3-3.2.3-150700.5.24.1 updated - container:suse-sle15-15.7-f9184822761ad484aca07587791f6b9d7abdb9a0b5cb88d5017f8891d8d8b001-0 updated - container:registry.suse.com-bci-bci-micro-15.7-073b88c36aeb7a88b603ebf20eacc4ca496d3eca4e8dbbfda193f15dc5bb2069-0 updated - libopenssl-3-fips-provider-3.2.3-150700.5.21.1 removed - patterns-base-fips-20200124-150700.36.1 removed From sle-container-updates at lists.suse.com Sat Jan 31 08:15:32 2026 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Sat, 31 Jan 2026 09:15:32 +0100 (CET) Subject: SUSE-CU-2026:570-1: Security update of suse/kiosk/xorg Message-ID: <20260131081532.0970EFCDB@maintenance.suse.de> SUSE Container Update Advisory: suse/kiosk/xorg ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2026:570-1 Container Tags : suse/kiosk/xorg:21 , suse/kiosk/xorg:21.1 , suse/kiosk/xorg:21.1-73.14 , suse/kiosk/xorg:latest , suse/kiosk/xorg:notaskbar Container Release : 73.14 Severity : critical Type : security References : 1256830 1256834 1256835 1256836 1256837 1256838 1256839 1256840 CVE-2025-15467 CVE-2025-68160 CVE-2025-69418 CVE-2025-69419 CVE-2025-69420 CVE-2025-69421 CVE-2026-22795 CVE-2026-22796 ----------------------------------------------------------------- The container suse/kiosk/xorg was updated. 
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2026:309-1 Released: Wed Jan 28 10:36:32 2026 Summary: Security update for openssl-3 Type: security Severity: critical References: 1256830,1256834,1256835,1256836,1256837,1256838,1256839,1256840,CVE-2025-15467,CVE-2025-68160,CVE-2025-69418,CVE-2025-69419,CVE-2025-69420,CVE-2025-69421,CVE-2026-22795,CVE-2026-22796 This update for openssl-3 fixes the following issues: - CVE-2025-15467: Stack buffer overflow in CMS AuthEnvelopedData parsing (bsc#1256830). - CVE-2025-68160: Heap out-of-bounds write in BIO_f_linebuffer on short writes (bsc#1256834). - CVE-2025-69418: Unauthenticated/unencrypted trailing bytes with low-level OCB function calls (bsc#1256835). - CVE-2025-69419: Out of bounds write in PKCS12_get_friendlyname() UTF-8 conversion (bsc#1256836). - CVE-2025-69420: Missing ASN1_TYPE validation in TS_RESP_verify_response() function (bsc#1256837). - CVE-2025-69421: NULL Pointer Dereference in PKCS12_item_decrypt_d2i_ex function (bsc#1256838). - CVE-2026-22795: Missing ASN1_TYPE validation in PKCS#12 parsing (bsc#1256839). - CVE-2026-22796: ASN1_TYPE Type Confusion in the PKCS7_digest_from_attributes() function (bsc#1256840). 
The following package changes have been done: - libopenssl3-3.2.3-150700.5.24.1 updated - container:suse-sle15-15.7-f9184822761ad484aca07587791f6b9d7abdb9a0b5cb88d5017f8891d8d8b001-0 updated - container:registry.suse.com-bci-bci-micro-15.7-073b88c36aeb7a88b603ebf20eacc4ca496d3eca4e8dbbfda193f15dc5bb2069-0 updated - libopenssl-3-fips-provider-3.2.3-150700.5.21.1 removed - patterns-base-fips-20200124-150700.36.1 removed From sle-container-updates at lists.suse.com Sat Jan 31 08:23:08 2026 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Sat, 31 Jan 2026 09:23:08 +0100 (CET) Subject: SUSE-CU-2026:577-1: Security update of suse/sle-micro/5.2/toolbox Message-ID: <20260131082308.05AEAFCDB@maintenance.suse.de> SUSE Container Update Advisory: suse/sle-micro/5.2/toolbox ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2026:577-1 Container Tags : suse/sle-micro/5.2/toolbox:14.2 , suse/sle-micro/5.2/toolbox:14.2-7.11.232 , suse/sle-micro/5.2/toolbox:latest Container Release : 7.11.232 Severity : low Type : security References : 1256805 CVE-2026-0989 ----------------------------------------------------------------- The container suse/sle-micro/5.2/toolbox was updated. 
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2026:334-1 Released: Thu Jan 29 11:01:32 2026 Summary: Security update for libxml2 Type: security Severity: low References: 1256805,CVE-2026-0989 This update for libxml2 fixes the following issues: - CVE-2026-0989: Fixed call stack exhaustion leading to application crash due to RelaxNG parser not limiting the recursion depth when resolving `` directives (bsc#1256805) The following package changes have been done: - libxml2-2-2.9.7-150000.3.91.1 updated From sle-container-updates at lists.suse.com Sat Jan 31 08:23:08 2026 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Sat, 31 Jan 2026 09:23:08 +0100 (CET) Subject: SUSE-CU-2026:578-1: Security update of suse/sle-micro/5.2/toolbox Message-ID: <20260131082308.E73E0FCDB@maintenance.suse.de> SUSE Container Update Advisory: suse/sle-micro/5.2/toolbox ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2026:578-1 Container Tags : suse/sle-micro/5.2/toolbox:14.2 , suse/sle-micro/5.2/toolbox:14.2-7.11.233 , suse/sle-micro/5.2/toolbox:latest Container Release : 7.11.233 Severity : moderate Type : security References : 1256834 1256835 1256836 1256837 1256838 1256839 1256840 CVE-2025-68160 CVE-2025-69418 CVE-2025-69419 CVE-2025-69420 CVE-2025-69421 CVE-2026-22795 CVE-2026-22796 ----------------------------------------------------------------- The container suse/sle-micro/5.2/toolbox was updated. 
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2026:343-1 Released: Thu Jan 29 19:33:59 2026 Summary: Security update for openssl-1_1 Type: security Severity: moderate References: 1256834,1256835,1256836,1256837,1256838,1256839,1256840,CVE-2025-68160,CVE-2025-69418,CVE-2025-69419,CVE-2025-69420,CVE-2025-69421,CVE-2026-22795,CVE-2026-22796 This update for openssl-1_1 fixes the following issues: - CVE-2026-22795: Missing ASN1_TYPE validation in PKCS#12 parsing (bsc#1256839). - CVE-2025-69420: Missing ASN1_TYPE validation in TS_RESP_verify_response() function (bsc#1256837). - CVE-2025-69421: NULL Pointer Dereference in PKCS12_item_decrypt_d2i_ex function (bsc#1256838). - CVE-2026-22796: ASN1_TYPE Type Confusion in the PKCS7_digest_from_attributes() function (bsc#1256840). - CVE-2025-68160: Heap out-of-bounds write in BIO_f_linebuffer on short writes (bsc#1256834). - CVE-2025-69418: Unauthenticated/unencrypted trailing bytes with low-level OCB function calls (bsc#1256835). - CVE-2025-69419: Out of bounds write in PKCS12_get_friendlyname() UTF-8 conversion (bsc#1256836). 
The following package changes have been done: - libopenssl1_1-hmac-1.1.1d-150200.11.106.1 updated - libopenssl1_1-1.1.1d-150200.11.106.1 updated - openssl-1_1-1.1.1d-150200.11.106.1 updated From sle-container-updates at lists.suse.com Sat Jan 31 08:23:09 2026 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Sat, 31 Jan 2026 09:23:09 +0100 (CET) Subject: SUSE-CU-2026:579-1: Security update of suse/sle-micro/5.2/toolbox Message-ID: <20260131082309.D9E0CFCDB@maintenance.suse.de> SUSE Container Update Advisory: suse/sle-micro/5.2/toolbox ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2026:579-1 Container Tags : suse/sle-micro/5.2/toolbox:14.2 , suse/sle-micro/5.2/toolbox:14.2-7.11.234 , suse/sle-micro/5.2/toolbox:latest Container Release : 7.11.234 Severity : important Type : security References : 1257353 1257354 1257355 CVE-2026-1484 CVE-2026-1485 CVE-2026-1489 ----------------------------------------------------------------- The container suse/sle-micro/5.2/toolbox was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2026:355-1 Released: Sat Jan 31 03:04:32 2026 Summary: Security update for glib2 Type: security Severity: important References: 1257353,1257354,1257355,CVE-2026-1484,CVE-2026-1485,CVE-2026-1489 This update for glib2 fixes the following issues: - CVE-2026-1485: Fixed buffer underflow and out-of-bounds access due to integer wraparound in content type parsing (bsc#1257354). - CVE-2026-1484: Fixed buffer underflow and out-of-bounds access due to miscalculated buffer boundaries in the Base64 encoding routine (bsc#1257355). - CVE-2026-1489: Fixed undersized heap allocation followed by out-of-bounds access due to integer overflow in Unicode case conversion (bsc#1257353). 
The following package changes have been done: - libglib-2_0-0-2.62.6-150200.3.42.1 updated - libgmodule-2_0-0-2.62.6-150200.3.42.1 updated From sle-container-updates at lists.suse.com Sat Jan 31 08:14:35 2026 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Sat, 31 Jan 2026 08:14:35 -0000 Subject: SUSE-CU-2026:567-1: Security update of bci/bci-sle15-kernel-module-devel Message-ID: <20260131081434.6BBAAFCDB@maintenance.suse.de> SUSE Container Update Advisory: bci/bci-sle15-kernel-module-devel ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2026:567-1 Container Tags : bci/bci-sle15-kernel-module-devel:15.7 , bci/bci-sle15-kernel-module-devel:15.7-56.1 , bci/bci-sle15-kernel-module-devel:latest Container Release : 56.1 Severity : critical Type : security References :
----------------------------------------------------------------- The container bci/bci-sle15-kernel-module-devel was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2026:221-1 Released: Thu Jan 22 13:15:35 2026 Summary: Security update for curl Type: security Severity: moderate References: 1256105,CVE-2025-14017 This update for curl fixes the following issues: - CVE-2025-14017: Fixed broken TLS options for threaded LDAPS (bsc#1256105). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2026:230-1 Released: Thu Jan 22 13:22:31 2026 Summary: Security update for util-linux Type: security Severity: moderate References: 1254666,CVE-2025-14104 This update for util-linux fixes the following issues: - CVE-2025-14104: Fixed heap buffer overread in setpwnam() when processing 256-byte usernames (bsc#1254666). - lscpu: Add support for NVIDIA Olympus arm64 core (jsc#PED-13682).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2026:242-1
Released: Thu Jan 22 14:57:13 2026
Summary: Recommended update for git
Type: recommended
Severity: moderate
References: 1251224

This update for git fixes the following issue:

- Revert incorrect AppArmor profile change, in SLE 15 the binaries remain in /usr/lib/git (bsc#1251224)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:286-1
Released: Sat Jan 24 00:35:35 2026
Summary: Security update for glib2
Type: security
Severity: low
References: 1257049,CVE-2026-0988

This update for glib2 fixes the following issues:

- CVE-2026-0988: Fixed a potential integer overflow in g_buffered_input_stream_peek (bsc#1257049).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:309-1
Released: Wed Jan 28 10:36:32 2026
Summary: Security update for openssl-3
Type: security
Severity: critical
References: 1256830,1256834,1256835,1256836,1256837,1256838,1256839,1256840,CVE-2025-15467,CVE-2025-68160,CVE-2025-69418,CVE-2025-69419,CVE-2025-69420,CVE-2025-69421,CVE-2026-22795,CVE-2026-22796

This update for openssl-3 fixes the following issues:

- CVE-2025-15467: Stack buffer overflow in CMS AuthEnvelopedData parsing (bsc#1256830).
- CVE-2025-68160: Heap out-of-bounds write in BIO_f_linebuffer on short writes (bsc#1256834).
- CVE-2025-69418: Unauthenticated/unencrypted trailing bytes with low-level OCB function calls (bsc#1256835).
- CVE-2025-69419: Out of bounds write in PKCS12_get_friendlyname() UTF-8 conversion (bsc#1256836).
- CVE-2025-69420: Missing ASN1_TYPE validation in TS_RESP_verify_response() function (bsc#1256837).
- CVE-2025-69421: NULL Pointer Dereference in PKCS12_item_decrypt_d2i_ex function (bsc#1256838).
- CVE-2026-22795: Missing ASN1_TYPE validation in PKCS#12 parsing (bsc#1256839).
- CVE-2026-22796: ASN1_TYPE Type Confusion in the PKCS7_digest_from_attributes() function (bsc#1256840).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:315-1
Released: Wed Jan 28 15:34:15 2026
Summary: Security update for the Linux Kernel
Type: security
Severity: important

The SUSE Linux Enterprise 15 SP7 kernel was updated to fix various security issues

The following security issues were fixed:

- CVE-2025-38321: smb: Log an error when close_all_cached_dirs fails (bsc#1246328).
- CVE-2025-38728: smb3: fix for slab out of bounds on mount to ksmbd (bsc#1249256).
- CVE-2025-39977: futex: Prevent use-after-free during requeue-PI (bsc#1252046).
- CVE-2025-40006: mm/hugetlb: fix folio is still mapped when deleted (bsc#1252342).
- CVE-2025-40024: vhost: Take a reference on the task in struct vhost_task (bsc#1252686).
- CVE-2025-40033: remoteproc: pru: Fix potential NULL pointer dereference in pru_rproc_set_ctable() (bsc#1252824).
- CVE-2025-40042: tracing: Fix race condition in kprobe initialization causing NULL pointer dereference (bsc#1252861).
- CVE-2025-40053: net: dlink: handle copy_thresh allocation failure (bsc#1252808).
- CVE-2025-40081: perf: arm_spe: Prevent overflow in PERF_IDX2OFF() (bsc#1252776).
- CVE-2025-40102: KVM: arm64: Prevent access to vCPU events before init (bsc#1252919).
- CVE-2025-40134: dm: fix NULL pointer dereference in __dm_suspend() (bsc#1253386).
- CVE-2025-40135: ipv6: use RCU in ip6_xmit() (bsc#1253342).
- CVE-2025-40153: mm: hugetlb: avoid soft lockup when mprotect to large memory area (bsc#1253408).
- CVE-2025-40158: ipv6: use RCU in ip6_output() (bsc#1253402).
- CVE-2025-40160: xen/events: Cleanup find_virq() return codes (bsc#1253400).
- CVE-2025-40167: ext4: detect invalid INLINE_DATA + EXTENTS flag combination (bsc#1253458).
- CVE-2025-40170: net: use dst_dev_rcu() in sk_setup_caps() (bsc#1253413). - CVE-2025-40178: pid: Add a judgment for ns null in pid_nr_ns (bsc#1253463). - CVE-2025-40179: ext4: verify orphan file size is not too big (bsc#1253442). - CVE-2025-40187: net/sctp: fix a null dereference in sctp_disposition sctp_sf_do_5_1D_ce() (bsc#1253647). - CVE-2025-40190: ext4: guard against EA inode refcount underflow in xattr update (bsc#1253623). - CVE-2025-40215: kABI: xfrm: delete x->tunnel as we delete x (bsc#1254959). - CVE-2025-40220: fuse: fix livelock in synchronous file put from fuseblk workers (bsc#1254520). - CVE-2025-40231: vsock: fix lock inversion in vsock_assign_transport() (bsc#1254815). - CVE-2025-40233: ocfs2: clear extent cache after moving/defragmenting extents (bsc#1254813). - CVE-2025-40240: sctp: avoid NULL dereference when chunk data buffer is missing (bsc#1254869). - CVE-2025-40242: gfs2: Fix unlikely race in gdlm_put_lock (bsc#1255075). - CVE-2025-40248: vsock: Ignore signal/timeout on connect() if already established (bsc#1254864). - CVE-2025-40250: net/mlx5: Clean up only new IRQ glue on request_irq() failure (bsc#1254854). - CVE-2025-40251: devlink: rate: Unset parent pointer in devl_rate_nodes_destroy (bsc#1254856). - CVE-2025-40252: net: qlogic/qede: fix potential out-of-bounds read in qede_tpa_cont() and qede_tpa_end() (bsc#1254849). - CVE-2025-40258: mptcp: fix race condition in mptcp_schedule_work() (bsc#1254843). - CVE-2025-40268: cifs: client: fix memory leak in smb3_fs_context_parse_param (bsc#1255082). - CVE-2025-40271: fs/proc: fix uaf in proc_readdir_de() (bsc#1255297). - CVE-2025-40274: KVM: guest_memfd: Remove bindings on memslot deletion when gmem is dying (bsc#1254830). - CVE-2025-40278: net: sched: act_ife: initialize struct tc_ife to fix KMSAN kernel-infoleak (bsc#1254825). - CVE-2025-40279: net: sched: act_connmark: initialize struct tc_ife to fix kernel leak (bsc#1254846). 
- CVE-2025-40280: tipc: Fix use-after-free in tipc_mon_reinit_self() (bsc#1254847). - CVE-2025-40287: exfat: fix improper check of dentry.stream.valid_size (bsc#1255030). - CVE-2025-40289: drm/amdgpu: hide VRAM sysfs attributes on GPUs without VRAM (bsc#1255042). - CVE-2025-40292: virtio-net: fix received length check in big packets (bsc#1255175). - CVE-2025-40293: iommufd: Don't overflow during division for dirty tracking (bsc#1255179). - CVE-2025-40297: net: bridge: fix use-after-free due to MST port state bypass (bsc#1255187). - CVE-2025-40307: exfat: validate cluster allocation bits of the allocation bitmap (bsc#1255039). - CVE-2025-40319: bpf: Sync pending IRQ work before freeing ring buffer (bsc#1254794). - CVE-2025-40330: bnxt_en: Shutdown FW DMA in bnxt_shutdown() (bsc#1254616). - CVE-2025-40331: sctp: Prevent TOCTOU out-of-bounds write (bsc#1254615). - CVE-2025-40337: net: stmmac: Correctly handle Rx checksum offload errors (bsc#1255081). - CVE-2025-40338: ASoC: Intel: avs: Do not share the name pointer between components (bsc#1255273). - CVE-2025-40346: arch_topology: Fix incorrect error check in topology_parse_cpu_capacity() (bsc#1255318). - CVE-2025-40357: net/smc: fix general protection fault in __smc_diag_dump (bsc#1255097). - CVE-2025-68197: bnxt_en: Fix null pointer dereference in bnxt_bs_trace_check_wrap() (bsc#1255242). - CVE-2025-68204: pmdomain: arm: scmi: Fix genpd leak on provider registration failure (bsc#1255224). - CVE-2025-68206: netfilter: nft_ct: add seqadj extension for natted connections (bsc#1255142). - CVE-2025-68208: bpf: account for current allocated stack depth in widen_imprecise_scalars() (bsc#1255227). - CVE-2025-68209: mlx5: Fix default values in create CQ (bsc#1255230). - CVE-2025-68239: binfmt_misc: restore write access before closing files opened by open_exec() (bsc#1255272). - CVE-2025-68255: staging: rtl8723bs: fix stack buffer overflow in OnAssocReq IE parsing (bsc#1255395). 
- CVE-2025-68259: KVM: SVM: Don't skip unrelated instruction if INT3/INTO is replaced (bsc#1255199). - CVE-2025-68264: ext4: refresh inline data size before write operations (bsc#1255380). - CVE-2025-68302: net: sxgbe: fix potential NULL dereference in sxgbe_rx() (bsc#1255121). - CVE-2025-68340: team: Move team device type change at the end of team_port_add (bsc#1255507). - CVE-2025-68378: bpf: Refactor stack map trace depth calculation into helper function (bsc#1255614). - CVE-2025-68742: bpf: Improve program stats run-time calculation (bsc#1255707). - CVE-2025-68744: bpf: Free special fields when update [lru_,]percpu_hash maps (bsc#1255709). The following non security issues were fixed: - ACPI: CPPC: Fix missing PCC check for guaranteed_perf (git-fixes). - ACPI: PCC: Fix race condition by removing static qualifier (git-fixes). - ACPI: processor_core: fix map_x2apic_id for amd-pstate on am4 (git-fixes). - ACPI: property: Fix fwnode refcount leak in acpi_fwnode_graph_parse_endpoint() (git-fixes). - ACPI: property: Use ACPI functions in acpi_graph_get_next_endpoint() only (stable-fixes). - ACPICA: Avoid walking the Namespace if start_node is NULL (stable-fixes). - ALSA: ac97: fix a double free in snd_ac97_controller_register() (git-fixes). - ALSA: dice: fix buffer overflow in detect_stream_formats() (git-fixes). - ALSA: firewire-motu: add bounds check in put_user loop for DSP events (git-fixes). - ALSA: firewire-motu: fix buffer overflow in hwdep read for DSP events (git-fixes). - ALSA: hda: cs35l41: Fix NULL pointer dereference in cs35l41_hda_read_acpi() (git-fixes). - ALSA: pcmcia: Fix resource leak in snd_pdacf_probe error path (git-fixes). - ALSA: uapi: Fix typo in asound.h comment (git-fixes). - ALSA: usb-audio: Add DSD quirk for LEAK Stereo 230 (stable-fixes). - ALSA: usb-audio: Add native DSD quirks for PureAudio DAC series (stable-fixes). - ALSA: usb-audio: fix uac2 clock source at terminal parser (git-fixes). 
- ALSA: usb-mixer: us16x08: validate meter packet indices (git-fixes). - ALSA: vxpocket: Fix resource leak in vxpocket_probe error path (git-fixes). - ASoC: Intel: catpt: Fix error path in hw_params() (git-fixes). - ASoC: ak4458: Disable regulator when error happens (git-fixes). - ASoC: ak4458: remove the reset operation in probe and remove (git-fixes). - ASoC: ak5558: Disable regulator when error happens (git-fixes). - ASoC: bcm: bcm63xx-pcm-whistler: Check return value of of_dma_configure() (git-fixes). - ASoC: codecs: lpass-tx-macro: fix SM6115 support (git-fixes). - ASoC: codecs: wcd938x: fix OF node leaks on probe failure (git-fixes). - ASoC: fsl_xcvr: clear the channel status control memory (git-fixes). - ASoC: qcom: q6adm: the the copp device only during last instance (git-fixes). - ASoC: qcom: q6apm-dai: set flags to reflect correct operation of appl_ptr (git-fixes). - ASoC: qcom: q6asm-dai: perform correct state check before closing (git-fixes). - ASoC: qcom: qdsp6: q6asm-dai: set 10 ms period and buffer alignment (git-fixes). - ASoC: stm32: sai: fix OF node leak on probe (git-fixes). - ASoC: stm32: sai: fix clk prepare imbalance on probe failure (git-fixes). - ASoC: stm32: sai: fix device leak on probe (git-fixes). - ASoC: sun4i-spdif: Add missing kerneldoc fields for sun4i_spdif_quirks (git-fixes). - Bluetooth: HCI: Fix tracking of advertisement set/instance 0x00 (git-fixes). - Bluetooth: MGMT: fix crash in set_mesh_sync and set_mesh_complete (git-fixes). - Bluetooth: SMP: Fix not generating mackey and ltk when repairing (git-fixes). - Bluetooth: btrtl: Avoid loading the config file on security chips (stable-fixes). - Bluetooth: btusb: Add new VID/PID 13d3/3533 for RTL8821CE (stable-fixes). - Bluetooth: btusb: Add new VID/PID 2b89/6275 for RTL8761BUV (stable-fixes). - Bluetooth: btusb: mediatek: Avoid btusb_mtk_claim_iso_intf() NULL deref (git-fixes). - Bluetooth: btusb: mediatek: Fix kernel crash when releasing mtk iso interface (git-fixes). 
- Bluetooth: btusb: revert use of devm_kzalloc in btusb (git-fixes). - Bluetooth: hci_sock: Prevent race in socket write iter and sock bind (git-fixes). - Documentation/kernel-parameters: fix typo in retbleed= kernel parameter description (git-fixes). - Documentation: hid-alps: Fix packet format section headings (git-fixes). - Documentation: parport-lowlevel: Separate function listing code blocks (git-fixes). - HID: apple: Add SONiX AK870 PRO to non_apple_keyboards quirk list (stable-fixes). - HID: elecom: Add support for ELECOM M-XT3URBK (018F) (stable-fixes). - HID: hid-input: Extend Elan ignore battery quirk to USB (stable-fixes). - HID: input: map HID_GD_Z to ABS_DISTANCE for stylus/pen (stable-fixes). - HID: logitech-dj: Remove duplicate error logging (git-fixes). - HID: logitech-hidpp: Do not assume FAP in hidpp_send_message_sync() (git-fixes). - HID: quirks: work around VID/PID conflict for appledisplay (git-fixes). - Input: atkbd - skip deactivate for HONOR FMB-P's internal keyboard (git-fixes). - Input: cros_ec_keyb - fix an invalid memory access (stable-fixes). - Input: goodix - add support for ACPI ID GDIX1003 (stable-fixes). - Input: goodix - add support for ACPI ID GDX9110 (stable-fixes). - Input: i8042 - add TUXEDO InfinityBook Max Gen10 AMD to i8042 quirk table (stable-fixes). - Input: ti_am335x_tsc - fix off-by-one error in wire_order validation (git-fixes). - KEYS: trusted: Fix a memory leak in tpm2_load_cmd (git-fixes). - KEYS: trusted_tpm1: Compare HMAC values in constant time (git-fixes). - KVM: SEV: Drop GHCB_VERSION_DEFAULT and open code it (bsc#1255463). - PCI/PM: Reinstate clearing state_saved in legacy and !PM codepaths (git-fixes). - PCI: dwc: Fix wrong PORT_LOGIC_LTSSM_STATE_MASK definition (git-fixes). - PCI: keystone: Exit ks_pcie_probe() for invalid mode (git-fixes). - PCI: rcar-gen2: Drop ARM dependency from PCI_RCAR_GEN2 (git-fixes). - PM: runtime: Do not clear needs_force_resume with enabled runtime PM (git-fixes). 
- Revert 'drm/amd/display: Fix pbn to kbps Conversion' (stable-fixes). - Revert 'drm/amd/display: Move setup_stream_attribute' (stable-fixes). - Revert 'drm/amd: Skip power ungate during suspend for VPE' (git-fixes). - Revert 'mtd: rawnand: marvell: fix layouts' (git-fixes). - Revert 'net: r8169: Disable multicast filter for RTL8168H and RTL8107E' (jsc#PED-14353). - Revert 'r8169: don't try to disable interrupts if NAPI is, scheduled already' (jsc#PED-14353). - USB: Fix descriptor count when handling invalid MBIM extended descriptor (git-fixes). - USB: lpc32xx_udc: Fix error handling in probe (git-fixes). - USB: serial: belkin_sa: fix TIOCMBIS and TIOCMBIC (git-fixes). - USB: serial: ftdi_sio: add support for u-blox EVK-M101 (stable-fixes). - USB: serial: ftdi_sio: match on interface number for jtag (stable-fixes). - USB: serial: kobil_sct: fix TIOCMBIS and TIOCMBIC (git-fixes). - USB: serial: option: add Foxconn T99W760 (stable-fixes). - USB: serial: option: add Quectel RG255C (stable-fixes). - USB: serial: option: add Telit Cinterion FE910C04 new compositions (stable-fixes). - USB: serial: option: add Telit FN920C04 ECM compositions (stable-fixes). - USB: serial: option: add UNISOC UIS7720 (stable-fixes). - USB: serial: option: add support for Rolling RW101R-GL (stable-fixes). - USB: serial: option: move Telit 0x10c7 composition in the right place (stable-fixes). - USB: storage: Remove subclass and protocol overrides from Novatek quirk (git-fixes). - accel/ivpu: Fix DCT active percent format (git-fixes). - accel/ivpu: Fix race condition when unbinding BOs (git-fixes). - arm64: zynqmp: Fix usb node drive strength and slew rate (git-fixes). - arm64: zynqmp: Revert usb node drive strength and slew rate for (git-fixes). - atm/fore200e: Fix possible data race in fore200e_open() (git-fixes). - atm: Fix dma_free_coherent() size (git-fixes). - atm: idt77252: Add missing `dma_map_error()` (stable-fixes). - backlight: led-bl: Add devlink to supplier LEDs (git-fixes). 
- backlight: lp855x: Fix lp855x.h kernel-doc warnings (git-fixes). - bpf: Do not limit bpf_cgroup_from_id to current's namespace (bsc#1255433). - bpf: Reject bpf_timer for PREEMPT_RT (git-fixes). - broadcom: b44: prevent uninitialized value usage (git-fixes). - btrfs: make sure extent and csum paths are always released in scrub_raid56_parity_stripe() (git-fixes). - can: gs_usb: gs_can_open(): fix error handling (git-fixes). - can: gs_usb: gs_usb_xmit_callback(): fix handling of failed transmitted URBs (git-fixes). - can: j1939: make j1939_sk_bind() fail if device is no longer registered (git-fixes). - can: kvaser_usb: leaf: Fix potential infinite loop in command parsers (git-fixes). - can: sja1000: fix max irq loop handling (git-fixes). - can: sun4i_can: sun4i_can_interrupt(): fix max irq loop handling (git-fixes). - cgroup: rstat: use LOCK CMPXCHG in css_rstat_updated (bsc#1255434). - char: applicom: fix NULL pointer dereference in ac_ioctl (stable-fixes). - cifs: Fix uncached read into ITER_KVEC iterator (bsc#1245449). - clk: qcom: camcc-sm6350: Fix PLL config of PLL2 (git-fixes). - clk: qcom: camcc-sm6350: Specify Titan GDSC power domain as a parent to other (git-fixes). - clk: renesas: cpg-mssr: Add missing 1ms delay into reset toggle callback (git-fixes). - clk: renesas: r9a06g032: Fix memory leak in error path (git-fixes). - clk: samsung: exynos-clkout: Assign .num before accessing .hws (git-fixes). - comedi: c6xdigio: Fix invalid PNP driver unregistration (git-fixes). - comedi: check device's attached status in compat ioctls (git-fixes). - comedi: multiq3: sanitize config options in multiq3_attach() (git-fixes). - comedi: pcl818: fix null-ptr-deref in pcl818_ai_cancel() (git-fixes). - cpufreq: intel_pstate: Check IDA only before MSR_IA32_PERF_CTL writes (git-fixes). - cpufreq: nforce2: fix reference count leak in nforce2 (git-fixes). - cpuidle: menu: Use residency threshold in polling state override decisions (bsc#1255026). 
- crypto: asymmetric_keys - prevent overflow in asymmetric_key_generate_id (git-fixes). - crypto: authenc - Correctly pass EINPROGRESS back up to the caller (git-fixes). - crypto: ccree - Correctly handle return of sg_nents_for_len (git-fixes). - crypto: hisilicon/qm - restore original qos values (git-fixes). - crypto: iaa - Fix incorrect return value in save_iaa_wq() (git-fixes). - crypto: qat - fix duplicate restarting msg during AER error (git-fixes). - crypto: rockchip - drop redundant crypto_skcipher_ivsize() calls (git-fixes). - crypto: seqiv - Do not use req->iv after crypto_aead_encrypt (git-fixes). - dm-integrity: limit MAX_TAG_SIZE to 255 (git-fixes). - dm-verity: fix unreliable memory allocation (git-fixes). - dm: fix queue start/stop imbalance under suspend/load/resume races (bsc#1253386). - drivers/usb/dwc3: fix PCI parent check (git-fixes). - drm/amd/amdgpu: reserve vm invalidation engine for uni_mes (stable-fixes). - drm/amd/display: Check NULL before accessing (stable-fixes). - drm/amd/display: Clear the CUR_ENABLE register on DCN20 on DPP5 (stable-fixes). - drm/amd/display: Don't change brightness for disabled connectors (stable-fixes). - drm/amd/display: Fix logical vs bitwise bug in get_embedded_panel_info_v2_1() (git-fixes). - drm/amd/display: Fix pbn to kbps Conversion (stable-fixes). - drm/amd/display: Fix scratch registers offsets for DCN35 (stable-fixes). - drm/amd/display: Fix scratch registers offsets for DCN351 (stable-fixes). - drm/amd/display: Increase DPCD read retries (stable-fixes). - drm/amd/display: Insert dccg log for easy debug (stable-fixes). - drm/amd/display: Move sleep into each retry for retrieve_link_cap() (stable-fixes). - drm/amd/display: Prevent Gating DTBCLK before It Is Properly Latched (git-fixes). - drm/amd/display: Use GFP_ATOMIC in dc_create_plane_state() (stable-fixes). - drm/amd/display: avoid reset DTBCLK at clock init (stable-fixes). - drm/amd/display: disable DPP RCG before DPP CLK enable (stable-fixes). 
- drm/amd: Skip power ungate during suspend for VPE (stable-fixes).
- drm/amdgpu/gmc11: add amdgpu_vm_handle_fault() handling (stable-fixes).
- drm/amdgpu/gmc12: add amdgpu_vm_handle_fault() handling (stable-fixes).
- drm/amdgpu: Forward VMID reservation errors (git-fixes).
- drm/amdgpu: Skip emit de meta data on gfx11 with rs64 enabled (stable-fixes).
- drm/amdgpu: add missing lock to amdgpu_ttm_access_memory_sdma (git-fixes).
- drm/amdgpu: fix cyan_skillfish2 gpu info fw handling (git-fixes).
- drm/amdgpu: fix gpu page fault after hibernation on PF passthrough (stable-fixes).
- drm/amdkfd: Export the cwsr_size and ctl_stack_size to userspace (stable-fixes).
- drm/amdkfd: Fix GPU mappings for APU after prefetch (stable-fixes).
- drm/amdkfd: Trap handler support for expert scheduling mode (stable-fixes).
- drm/amdkfd: Use huge page size to check split svm range alignment (git-fixes).
- drm/amdkfd: bump minimum vgpr size for gfx1151 (stable-fixes).
- drm/displayid: add quirk to ignore DisplayID checksum errors (stable-fixes).
- drm/displayid: pass iter to drm_find_displayid_extension() (stable-fixes).
- drm/edid: add DRM_EDID_IDENT_INIT() to initialize struct drm_edid_ident (stable-fixes).
- drm/gma500: Remove unused helper psb_fbdev_fb_setcolreg() (git-fixes).
- drm/i915/dp: Initialize the source OUI write timestamp always (stable-fixes).
- drm/i915/dp_mst: Disable Panel Replay (git-fixes).
- drm/i915/gem: Zero-initialize the eb.vma array in i915_gem_do_execbuffer (git-fixes).
- drm/i915: Fix format string truncation warning (git-fixes).
- drm/imagination: Disallow exporting of PM/FW protected objects (git-fixes).
- drm/imagination: Fix reference to devm_platform_get_and_ioremap_resource() (git-fixes).
- drm/me/gsc: mei interrupt top half should be in irq disabled context (git-fixes).
- drm/mediatek: Fix CCORR mtk_ctm_s31_32_to_s1_n function issue (git-fixes).
- drm/mediatek: Fix device node reference leak in mtk_dp_dt_parse() (git-fixes).
- drm/mediatek: Fix probe device leaks (git-fixes).
- drm/mediatek: Fix probe memory leak (git-fixes).
- drm/mediatek: Fix probe resource leaks (git-fixes).
- drm/mediatek: ovl_adaptor: Fix probe device leaks (git-fixes).
- drm/mgag200: Fix big-endian support (git-fixes).
- drm/msm/a2xx: stop over-complaining about the legacy firmware (git-fixes).
- drm/msm/a6xx: Fix out of bound IO access in a6xx_get_gmu_registers (git-fixes).
- drm/msm/a6xx: Fix the gemnoc workaround (git-fixes).
- drm/msm/a6xx: Flush LRZ cache before PT switch (git-fixes).
- drm/msm/a6xx: Improve MX rail fallback in RPMH vote init (git-fixes).
- drm/msm/dpu: Add missing NULL pointer check for pingpong interface (git-fixes).
- drm/msm/dpu: Remove dead-code in dpu_encoder_helper_reset_mixers() (git-fixes).
- drm/msm/dpu: drop dpu_hw_dsc_destroy() prototype (git-fixes).
- drm/nouveau/dispnv50: Don't call drm_atomic_get_crtc_state() in prepare_fb (git-fixes).
- drm/nouveau: refactor deprecated strcpy (git-fixes).
- drm/nouveau: restrict the flush page to a 32-bit address (git-fixes).
- drm/panel: sony-td4353-jdi: Enable prepare_prev_first (git-fixes).
- drm/panel: visionox-rm69299: Don't clear all mode flags (git-fixes).
- drm/panthor: Avoid adding of kernel BOs to extobj list (git-fixes).
- drm/panthor: Fix UAF on kernel BO VA nodes (git-fixes).
- drm/panthor: Fix group_free_queue() for partially initialized queues (git-fixes).
- drm/panthor: Fix potential memleak of vma structure (git-fixes).
- drm/panthor: Fix race with suspend during unplug (git-fixes).
- drm/panthor: Flush shmem writes before mapping buffers CPU-uncached (git-fixes).
- drm/panthor: Handle errors returned by drm_sched_entity_init() (git-fixes).
- drm/pl111: Fix error handling in pl111_amba_probe (git-fixes).
- drm/plane: Fix IS_ERR() vs NULL check in drm_plane_create_hotspot_properties() (git-fixes).
- drm/radeon: delete radeon_fence_process in is_signaled, no deadlock (stable-fixes).
- drm/sched: Fix race in drm_sched_entity_select_rq() (git-fixes).
- drm/tilcdc: Fix removal actions in case of failed probe (git-fixes).
- drm/tilcdc: request and mapp iomem with devres (stable-fixes).
- drm/ttm: Avoid NULL pointer deref for evicted BOs (git-fixes).
- drm/vgem-fence: Fix potential deadlock on release (git-fixes).
- drm/vmwgfx: Use kref in vmw_bo_dirty (stable-fixes).
- drm/xe/bo: Don't include the CCS metadata in the dma-buf sg-table (git-fixes).
- drm/xe/oa: Disallow 0 OA property values (git-fixes).
- drm/xe/oa: Fix potential UAF in xe_oa_add_config_ioctl() (git-fixes).
- drm/xe/oa: Limit num_syncs to prevent oversized allocations (git-fixes).
- drm/xe: Adjust long-running workload timeslices to reasonable values (git-fixes).
- drm/xe: Drop preempt-fences when destroying imported dma-bufs (git-fixes).
- drm/xe: Fix conversion from clock ticks to milliseconds (git-fixes).
- drm/xe: Limit num_syncs to prevent oversized allocations (git-fixes).
- drm/xe: Prevent BIT() overflow when handling invalid prefetch region (git-fixes).
- drm/xe: Restore engine registers before restarting schedulers after GT reset (git-fixes).
- drm/xe: Use usleep_range for accurate long-running workload timeslicing (git-fixes).
- drm: atmel-hlcdc: fix atmel_xlcdc_plane_setup_scaler() (git-fixes).
- drm: nouveau: Replace sprintf() with sysfs_emit() (git-fixes).
- drm: sti: fix device leaks at component probe (git-fixes).
- efi/libstub: Avoid physical address 0x0 when doing random allocation (stable-fixes).
- efi/libstub: Describe missing 'out' parameter in efi_load_initrd (git-fixes).
- efi/libstub: Fix page table access in 5-level to 4-level paging transition (git-fixes).
- efi: stmm: Fix incorrect buffer allocation method (git-fixes).
- efi: stmm: fix kernel-doc 'bad line' warnings (git-fixes).
- exfat: add a check for invalid data size (git-fixes).
- exfat: using hweight instead of internal logic (git-fixes).
- ext4: use optimized mballoc scanning regardless of inode format (bsc#1254378).
- ext4: wait for ongoing I/O to complete before freeing blocks (bsc#1256366).
- fbdev: gbefb: fix to use physical address instead of dma address (stable-fixes).
- fbdev: pxafb: Fix multiple clamped values in pxafb_adjust_timing (git-fixes).
- fbdev: ssd1307fb: fix potential page leak in ssd1307fb_probe() (git-fixes).
- fbdev: tcx.c fix mem_map to correct smem_start offset (git-fixes).
- firewire: nosy: Fix dma_free_coherent() size (git-fixes).
- firmware: imx: scu-irq: Init workqueue before request mbox channel (stable-fixes).
- firmware: imx: scu-irq: fix OF node leak in (git-fixes).
- firmware: stratix10-svc: Add mutex in stratix10 memory management (git-fixes).
- firmware: stratix10-svc: fix bug in saving controller data (git-fixes).
- firmware: stratix10-svc: fix make htmldocs warning for stratix10_svc (git-fixes).
- fs: dlm: allow to F_SETLKW getting interrupted (bsc#1255025).
- ftrace: bpf: Fix IPMODIFY + DIRECT in modify_ftrace_direct() (git-fixes).
- genalloc.h: fix htmldocs warning (git-fixes).
- gpio: rockchip: mark the GPIO controller as sleeping (git-fixes).
- gpu: host1x: Fix race in syncpt alloc/free (git-fixes).
- hwmon: (ibmpex) fix use-after-free in high/low store (git-fixes).
- hwmon: (max16065) Use local variable to avoid TOCTOU (git-fixes).
- hwmon: (tmp401) fix overflow caused by default conversion rate value (git-fixes).
- hwmon: (w83791d) Convert macros to functions to avoid TOCTOU (git-fixes).
- hwmon: (w83l786ng) Convert macros to functions to avoid TOCTOU (git-fixes).
- hwmon: sy7636a: Fix regulator_enable resource leak on error path (git-fixes).
- i2c: amd-mp2: fix reference leak in MP2 PCI device (git-fixes).
- i2c: designware: Disable SMBus interrupts to prevent storms from mis-configured firmware (stable-fixes).
- i2c: i2c.h: fix a bad kernel-doc line (git-fixes).
- i3c: fix refcount inconsistency in i3c_master_register (git-fixes).
- i3c: master: Inherit DMA masks and parameters from parent device (stable-fixes).
- i3c: master: svc: Prevent incomplete IBI transaction (git-fixes).
- idr: fix idr_alloc() returning an ID out of range (git-fixes).
- iio: accel: bmc150: Fix irq assumption regression (stable-fixes).
- iio: accel: fix ADXL355 startup race condition (git-fixes).
- iio: adc: ad7280a: fix ad7280_store_balance_timer() (git-fixes).
- iio: adc: ti_am335x_adc: Limit step_avg to valid range for gcc complains (stable-fixes).
- iio: core: Clean up device correctly on iio_device_alloc() failure (git-fixes).
- iio: core: add missing mutex_destroy in iio_dev_release() (git-fixes).
- iio: imu: st_lsm6dsx: Fix measurement unit for odr struct member (git-fixes).
- iio: imu: st_lsm6dsx: fix array size for st_lsm6dsx_settings fields (git-fixes).
- iio: st_lsm6dsx: Fixed calibrated timestamp calculation (git-fixes).
- ima: Handle error code returned by ima_filter_rule_match() (git-fixes).
- intel_th: Fix error handling in intel_th_output_open (git-fixes).
- ipmi: Fix __scan_channels() failing to rescan channels (stable-fixes).
- ipmi: Fix handling of messages with provided receive message pointer (git-fixes).
- ipmi: Fix the race between __scan_channels() and deliver_response() (stable-fixes).
- ipmi: Rework user message limit handling (git-fixes).
- irqchip/mchp-eic: Fix error code in mchp_eic_domain_alloc() (git-fixes).
- kconfig/mconf: Initialize the default locale at startup (stable-fixes).
- kconfig/nconf: Initialize the default locale at startup (stable-fixes).
- leds: leds-lp50xx: Allow LED 0 to be added to module bank (git-fixes).
- leds: leds-lp50xx: Enable chip before any communication (git-fixes).
- leds: leds-lp50xx: LP5009 supports 3 modules for a total of 9 LEDs (git-fixes).
- leds: netxbig: Fix GPIO descriptor leak in error paths (git-fixes).
- lib/vsprintf: Check pointer before dereferencing in time_and_date() (git-fixes).
- mailbox: mailbox-test: Fix debugfs_create_dir error checking (git-fixes).
- media: TDA1997x: Remove redundant cancel_delayed_work in probe (git-fixes).
- media: adv7842: Avoid possible out-of-bounds array accesses in adv7842_cp_log_status() (git-fixes).
- media: amphion: Add a frame flush mode for decoder (stable-fixes).
- media: amphion: Cancel message work before releasing the VPU core (git-fixes).
- media: amphion: Make some vpu_v4l2 functions static (stable-fixes).
- media: amphion: Remove vpu_vb_is_codecconfig (git-fixes).
- media: atomisp: Prefix firmware paths with 'intel/ipu/' (bsc#1252973).
- media: atomisp: Remove firmware_name module parameter (bsc#1252973).
- media: cec: Fix debugfs leak on bus_register() failure (git-fixes).
- media: dvb-usb: dtv5100: fix out-of-bounds in dtv5100_i2c_msg() (git-fixes).
- media: i2c: ADV7604: Remove redundant cancel_delayed_work in probe (git-fixes).
- media: i2c: adv7842: Remove redundant cancel_delayed_work in probe (git-fixes).
- media: imx-mipi-csis: Drop extra clock enable at probe() (git-fixes).
- media: msp3400: Avoid possible out-of-bounds array accesses in msp3400c_thread() (git-fixes).
- media: nxp: imx8-isi: Mark all crossbar sink pads as MUST_CONNECT (stable-fixes).
- media: ov5640: fix vblank unchange issue when work at dvp mode (git-fixes).
- media: pci: ivtv: Don't create fake v4l2_fh (stable-fixes).
- media: pvrusb2: Fix incorrect variable used in trace message (git-fixes).
- media: qcom: camss: Fix genpd cleanup (git-fixes).
- media: qcom: camss: Fix ordering of pm_runtime_enable (git-fixes).
- media: qcom: camss: cleanup media device allocated resource on error path (git-fixes).
- media: qcom: venus: fix incorrect return value (stable-fixes).
- media: radio-isa: use dev_name to fill in bus_info (stable-fixes).
- media: rc: st_rc: Fix reset control resource leak (git-fixes).
- media: renesas: rcar_drif: fix device node reference leak in rcar_drif_bond_enabled (git-fixes).
- media: s5p-mfc: Fix potential deadlock on condlock (stable-fixes).
- media: samsung: exynos4-is: fix potential ABBA deadlock on init (git-fixes).
- media: uvcvideo: Force UVC version to 1.0a for 0408:4033 (stable-fixes).
- media: v4l2-mem2mem: Fix outdated documentation (git-fixes).
- media: verisilicon: Fix CPU stalls on G2 bus error (git-fixes).
- media: verisilicon: Protect G2 HEVC decoder against invalid DPB index (git-fixes).
- media: verisilicon: Store chroma and motion vectors offset (stable-fixes).
- media: verisilicon: g2: Use common helpers to compute chroma and mv offsets (stable-fixes).
- media: videobuf2: Fix device reference leak in vb2_dc_alloc error path (git-fixes).
- media: vidtv: initialize local pointers upon transfer of memory ownership (git-fixes).
- media: vpif_capture: fix section mismatch (git-fixes).
- media: vpif_display: fix section mismatch (git-fixes).
- mei: gsc: add dependency on Xe driver (git-fixes).
- mei: me: add wildcat lake P DID (stable-fixes).
- mfd: altera-sysmgr: Fix device leak on sysmgr regmap lookup (git-fixes).
- mfd: da9055: Fix missing regmap_del_irq_chip() in error path (git-fixes).
- mfd: max77620: Fix potential IRQ chip conflict when probing two devices (git-fixes).
- mfd: mt6358-irq: Fix missing irq_domain_remove() in error path (git-fixes).
- mfd: mt6397-irq: Fix missing irq_domain_remove() in error path (git-fixes).
- mmc: sdhci-esdhc-imx: add alternate ARCH_S32 dependency to Kconfig (git-fixes).
- mmc: sdhci-msm: Avoid early clock doubling during HS400 transition (stable-fixes).
- most: usb: fix double free on late probe failure (git-fixes).
- mt76: mt7615: Fix memory leak in mt7615_mcu_wtbl_sta_add() (git-fixes).
- mtd: lpddr_cmds: fix signed shifts in lpddr_cmds (git-fixes).
- mtd: maps: pcmciamtd: fix potential memory leak in pcmciamtd_detach() (git-fixes).
- mtd: nand: relax ECC parameter validation check (git-fixes).
- mtd: rawnand: lpc32xx_slc: fix GPIO descriptor leak on probe error and remove (git-fixes).
- mtd: rawnand: renesas: Handle devm_pm_runtime_enable() errors (git-fixes).
- net: mdio: aspeed: add dummy read to avoid read-after-write issue (git-fixes).
- net: nfc: fix deadlock between nfc_unregister_device and rfkill_fop_write (git-fixes).
- net: phy: adin1100: Fix software power-down ready condition (git-fixes).
- net: phy: mxl-gpy: fix bogus error on USXGMII and integrated PHY (git-fixes).
- net: phy: mxl-gpy: fix link properties on USXGMII and internal PHYs (git-fixes).
- net: r8169: Disable multicast filter for RTL8168H and RTL8107E (jsc#PED-14353).
- net: rose: fix invalid array index in rose_kill_by_device() (git-fixes).
- net: usb: pegasus: fix memory leak in update_eth_regs_async() (git-fixes).
- net: usb: rtl8150: fix memory leak on usb_submit_urb() failure (git-fixes).
- net: usb: sr9700: fix incorrect command used to write single register (git-fixes).
- net: wwan: iosm: Fix memory leak in ipc_mux_deinit() (git-fixes).
- netdevsim: print human readable IP address (bsc#1255071).
- nfc: pn533: Fix error code in pn533_acr122_poweron_rdr() (git-fixes).
- nfsd: do not defer requests during idmap lookup in v4 compound decode (bsc#1232223).
- nfsd: fix return error codes for nfsd_map_name_to_id (bsc#1232223).
- nvme: Use non zero KATO for persistent discovery connections (git-fixes).
- orangefs: fix xattr related buffer overflow.. (git-fixes).
- perf list: Add IBM z17 event descriptions (jsc#PED-13611).
- perf/x86/intel: Fix KASAN global-out-of-bounds warning (git-fixes).
- phy: broadcom: bcm63xx-usbh: fix section mismatches (git-fixes).
- phy: renesas: rcar-gen3-usb2: Fix an error handling path in rcar_gen3_phy_usb2_probe() (git-fixes).
- pinctrl: qcom: lpass-lpi: mark the GPIO controller as sleeping (git-fixes).
- pinctrl: qcom: msm: Fix deadlock in pinmux configuration (stable-fixes).
- pinctrl: single: Fix PIN_CONFIG_BIAS_DISABLE handling (stable-fixes).
- pinctrl: single: Fix incorrect type for error return variable (git-fixes).
- pinctrl: stm32: fix hwspinlock resource leak in probe function (git-fixes).
- platform/chrome: cros_ec_ishtp: Fix UAF after unbinding driver (git-fixes).
- platform/mellanox: mlxbf-pmc: Remove trailing whitespaces from event names (git-fixes).
- platform/x86/amd/pmc: Add spurious_8042 to Xbox Ally (stable-fixes).
- platform/x86/amd: pmc: Add Lenovo Legion Go 2 to pmc quirk list (stable-fixes).
- platform/x86/intel/hid: Add Dell Pro Rugged 10/12 tablet to VGBS DMI quirks (stable-fixes).
- platform/x86: acer-wmi: Ignore backlight event (stable-fixes).
- platform/x86: asus-wmi: use brightness_set_blocking() for kbd led (git-fixes).
- platform/x86: hp-bioscfg: Fix out-of-bounds array access in ACPI package parsing (git-fixes).
- platform/x86: huawei-wmi: add keys for HONOR models (stable-fixes).
- platform/x86: ibm_rtl: fix EBDA signature search pointer arithmetic (git-fixes).
- platform/x86: intel: chtwc_int33fe: don't dereference swnode args (git-fixes).
- platform/x86: intel: punit_ipc: fix memory corruption (git-fixes).
- platform/x86: msi-laptop: add missing sysfs_remove_group() (git-fixes).
- power: supply: apm_power: only unset own apm_get_power_status (git-fixes).
- power: supply: cw2015: Check devm_delayed_work_autocancel() return code (git-fixes).
- power: supply: rt9467: Prevent using uninitialized local variable in rt9467_set_value_from_ranges() (git-fixes).
- power: supply: rt9467: Return error on failure in rt9467_set_value_from_ranges() (git-fixes).
- power: supply: wm831x: Check wm831x_set_bits() return value (git-fixes).
- powerpc/64s/slb: Fix SLB multihit issue during SLB preload (bac#1236022 ltc#211187).
- powerpc/eeh: fix recursive pci_lock_rescan_remove locking in EEH event handling (bsc#1253262 ltc#216029).
- powerpc/kexec: Enable SMT before waking offline CPUs (bsc#1214285 bsc#1205462 ltc#200161 ltc#200588 git-fixes bsc#1253739 ltc#211493 bsc#1254244 ltc#216496).
- pwm: bcm2835: Make sure the channel is enabled after pwm_request() (git-fixes).
- r8169: Fix spelling mistake: 'tx_underun' -> 'tx_underrun' (jsc#PED-14353).
- r8169: Use PCI_IRQ_INTX instead of PCI_IRQ_LEGACY (jsc#PED-14353).
- r8169: add MODULE_FIRMWARE entry for RTL8126A (jsc#PED-14353).
- r8169: add PHY c45 ops for MDIO_MMD_VENDOR2 registers (jsc#PED-14353).
- r8169: add generic rtl_set_eee_txidle_timer function (jsc#PED-14353).
- r8169: add missing MODULE_FIRMWARE entry for RTL8126A rev.b (jsc#PED-14353).
- r8169: add support for Intel Killer E5000 (jsc#PED-14353).
- r8169: add support for RTL8125BP rev.b (jsc#PED-14353).
- r8169: add support for RTL8125D (jsc#PED-14353).
- r8169: add support for RTL8125D rev.b (jsc#PED-14353).
- r8169: add support for RTL8126A rev.b (jsc#PED-14353).
- r8169: add support for RTL8168M (jsc#PED-14353).
- r8169: add support for returning tx_lpi_timer in ethtool get_eee (jsc#PED-14353).
- r8169: add support for the temperature sensor being available from RTL8125B (jsc#PED-14353).
- r8169: adjust version numbering for RTL8126 (jsc#PED-14353).
- r8169: align RTL8125 EEE config with vendor driver (jsc#PED-14353).
- r8169: align RTL8125/RTL8126 PHY config with vendor driver (jsc#PED-14353).
- r8169: align RTL8126 EEE config with vendor driver (jsc#PED-14353).
- r8169: align WAKE_PHY handling with r8125/r8126 vendor drivers (jsc#PED-14353).
- r8169: avoid duplicated messages if loading firmware fails and switch to warn level (jsc#PED-14353).
- r8169: avoid unsolicited interrupts (jsc#PED-14353).
- r8169: check for PCI read error in probe (jsc#PED-14353).
- r8169: disable ALDPS per default for RTL8125 (jsc#PED-14353).
- r8169: disable RTL8126 ZRX-DC timeout (jsc#PED-14353).
- r8169: disable interrupt source RxOverflow (jsc#PED-14353).
- r8169: don't apply UDP padding quirk on RTL8126A (jsc#PED-14353).
- r8169: don't increment tx_dropped in case of NETDEV_TX_BUSY (jsc#PED-14353).
- r8169: don't scan PHY addresses > 0 (jsc#PED-14353).
- r8169: don't take RTNL lock in rtl_task() (jsc#PED-14353).
- r8169: enable EEE at 2.5G per default on RTL8125B (jsc#PED-14353).
- r8169: enable RTL8168H/RTL8168EP/RTL8168FP ASPM support (jsc#PED-14353).
- r8169: fix RTL8117 Wake-on-Lan in DASH mode (git-fixes).
- r8169: fix inconsistent indenting in rtl8169_get_eth_mac_stats (jsc#PED-14353).
- r8169: implement additional ethtool stats ops (jsc#PED-14353).
- r8169: improve RTL8411b phy-down fixup (jsc#PED-14353).
- r8169: improve __rtl8169_set_wol (jsc#PED-14353).
- r8169: improve handling task scheduling (jsc#PED-14353).
- r8169: improve initialization of RSS registers on RTL8125/RTL8126 (jsc#PED-14353).
- r8169: improve rtl_set_d3_pll_down (jsc#PED-14353).
- r8169: increase max jumbo packet size on RTL8125/RTL8126 (jsc#PED-14353).
- r8169: remove detection of chip version 11 (early RTL8168b) (jsc#PED-14353).
- r8169: remove leftover locks after reverted change (jsc#PED-14353).
- r8169: remove multicast filter limit (jsc#PED-14353).
- r8169: remove not needed check in rtl_fw_write_firmware (jsc#PED-14353).
- r8169: remove original workaround for RTL8125 broken rx issue (jsc#PED-14353).
- r8169: remove redundant hwmon support (jsc#PED-14353).
- r8169: remove rtl_dash_loop_wait_high/low (jsc#PED-14353).
- r8169: remove support for chip version 11 (jsc#PED-14353).
- r8169: remove unused flag RTL_FLAG_TASK_RESET_NO_QUEUE_WAKE (jsc#PED-14353).
- r8169: set EEE speed down ratio to 1 (stable-fixes).
- r8169: simplify EEE handling (jsc#PED-14353).
- r8169: simplify code by using core-provided pcpu stats allocation (jsc#PED-14353).
- r8169: support setting the EEE tx idle timer on RTL8168h (jsc#PED-14353).
- r8169: use dev_err_probe in all appropriate places in rtl_init_one() (jsc#PED-14353).
- r8169: use helper r8169_mod_reg8_cond to simplify rtl_jumbo_config (jsc#PED-14353).
- regulator: core: Protect regulator_supply_alias_list with regulator_list_mutex (git-fixes).
- regulator: core: disable supply if enabling main regulator fails (git-fixes).
- reset: fix BIT macro reference (stable-fixes).
- rpmsg: glink: fix rpmsg device leak (git-fixes).
- rtc: gamecube: Check the return value of ioremap() (git-fixes).
- scsi: lpfc: Add capability to register Platform Name ID to fabric (bsc#1254119).
- scsi: lpfc: Allow support for BB credit recovery in point-to-point topology (bsc#1254119).
- scsi: lpfc: Ensure unregistration of rpis for received PLOGIs (bsc#1254119).
- scsi: lpfc: Fix leaked ndlp krefs when in point-to-point topology (bsc#1254119).
- scsi: lpfc: Fix reusing an ndlp that is marked NLP_DROPPED during FLOGI (bsc#1254119).
- scsi: lpfc: Modify kref handling for Fabric Controller ndlps (bsc#1254119).
- scsi: lpfc: Remove redundant NULL ptr assignment in lpfc_els_free_iocb() (bsc#1254119).
- scsi: lpfc: Revise discovery related function headers and comments (bsc#1254119).
- scsi: lpfc: Update lpfc version to 14.4.0.12 (bsc#1254119).
- scsi: lpfc: Update various NPIV diagnostic log messaging (bsc#1254119).
- scsi: mpi3mr: Fix I/O failures during controller reset (bsc#1251752 jsc#PED-14280).
- scsi: mpi3mr: Fix controller init failure on fault during queue creation (bsc#1251752 jsc#PED-14280).
- scsi: mpi3mr: Fix device loss during enclosure reboot due to zero link speed (bsc#1251752 jsc#PED-14280).
- scsi: mpi3mr: Fix premature TM timeouts on virtual drives (bsc#1251752 jsc#PED-14280).
- scsi: mpi3mr: Update MPI headers to revision 37 (bsc#1251752 jsc#PED-14280).
- scsi: mpi3mr: Update driver version to 8.14.0.5.50 (bsc#1251752 jsc#PED-14280).
- scsi: mpi3mr: Update driver version to 8.15.0.5.50 (bsc#1251752 jsc#PED-14280).
- selftests/bpf: Skip timer cases when bpf_timer is not supported (git-fixes).
- selftests/net: calibrate txtimestamp (bsc#1255085).
- selftests/net: convert fcnal-test.sh to run it in unique namespace (bsc#1254235).
- selftests/net: convert fib-onlink-tests.sh to run it in unique namespace (bsc#1254235).
- selftests/net: convert fib_nexthop_multiprefix to run it in unique namespace (bsc#1254235).
- selftests/net: convert fib_nexthop_nongw.sh to run it in unique namespace (bsc#1254235).
- selftests/net: convert fib_nexthops.sh to run it in unique namespace (bsc#1254235).
- selftests/net: convert fib_rule_tests.sh to run it in unique namespace (bsc#1254235).
- selftests/net: convert fib_tests.sh to run it in unique namespace (bsc#1254235).
- selftests/net: convert srv6_end_dt46_l3vpn_test.sh to run it in unique namespace (bsc#1254235).
- selftests/net: convert srv6_end_dt4_l3vpn_test.sh to run it in unique namespace (bsc#1254235).
- selftests/net: convert srv6_end_dt6_l3vpn_test.sh to run it in unique namespace (bsc#1254235).
- selftests/net: convert test_vxlan_vnifiltering.sh to run it in unique namespace (bsc#1255349).
- selftests/net: convert vrf_route_leaking.sh to run it in unique namespace (bsc#1255349).
- selftests/net: synchronize udpgro tests' tx and rx connection (bsc#1254235).
- selftests: Introduce Makefile variable to list shared bash scripts (bsc#1254235).
- selftests: bonding: Add net/forwarding/lib.sh to TEST_INCLUDES (bsc#1254235).
- selftests: dsa: Replace test symlinks by wrapper script (bsc#1254235).
- selftests: net: Remove executable bits from library scripts (bsc#1254235).
- selftests: net: explicitly wait for listener ready (bsc#1254235).
- selftests: net: fib-onlink-tests: Set high metric for default IPv6 route (bsc#1255346).
- selftests: net: include forwarding lib (bsc#1254235).
- selftests: net: included needed helper in the install targets (bsc#1254235).
- selftests: net: more strict check in net_helper (bsc#1254235).
- selftests: net: use slowwait to make sure IPv6 setup finished (bsc#1255349).
- selftests: net: use slowwait to stabilize vrf_route_leaking test (bsc#1255349).
- selftests: net: veth: test the ability to independently manipulate GRO and XDP (bsc#1255101).
- selftests: team: Add shared library scripts to TEST_INCLUDES (bsc#1254235).
- selftests: vrf_route_leaking: remove ipv6_ping_frag from default testing (bsc#1255349).
- serial: add support of CPCI cards (stable-fixes).
- serial: amba-pl011: prefer dma_mapping_error() over explicit address checking (git-fixes).
- serial: core: Fix serial device initialization (git-fixes).
- serial: core: Restore sysfs fwnode information (git-fixes).
- serial: sprd: Return -EPROBE_DEFER when uart clock is not ready (stable-fixes).
- slimbus: ngd: Fix reference count leak in qcom_slim_ngd_notify_slaves (git-fixes).
- smc91x: fix broken irq-context in PREEMPT_RT (git-fixes).
- soc/tegra: fuse: speedo-tegra210: Update speedo IDs (git-fixes).
- soc: amlogic: canvas: fix device leak on lookup (git-fixes).
- soc: qcom: ocmem: fix device leak on lookup (git-fixes).
- soc: qcom: smem: fix hwspinlock resource leak in probe error paths (git-fixes).
- spi: amlogic-spifc-a1: Handle devm_pm_runtime_enable() errors (git-fixes).
- spi: bcm63xx: drop wrong casts in probe() (git-fixes).
- spi: bcm63xx: fix premature CS deassertion on RX-only transactions (git-fixes).
- spi: fsl-cpm: Check length parity before switching to 16 bit mode (git-fixes).
- spi: imx: keep dma request disabled before dma transfer setup (stable-fixes).
- spi: tegra210-qspi: Remove cache operations (git-fixes).
- spi: tegra210-quad: Add support for internal DMA (git-fixes).
- spi: tegra210-quad: Check hardware status on timeout (bsc#1253155).
- spi: tegra210-quad: Fix timeout handling (bsc#1253155).
- spi: tegra210-quad: Fix timeout handling (git-fixes).
- spi: tegra210-quad: Refactor error handling into helper functions (bsc#1253155).
- spi: tegra210-quad: Update dummy sequence configuration (git-fixes).
- spi: xilinx: increase number of retries before declaring stall (stable-fixes).
- staging: fbtft: core: fix potential memory leak in fbtft_probe_common() (git-fixes).
- staging: rtl8723bs: fix out-of-bounds read in OnBeacon ESR IE parsing (stable-fixes).
- staging: rtl8723bs: fix out-of-bounds read in rtw_get_ie() parser (stable-fixes).
- thunderbolt: Add support for Intel Wildcat Lake (stable-fixes).
- tick/sched: Limit non-timekeeper CPUs calling jiffies update (bsc#1254477).
- tracing: Fix access to trace_event_file (bsc#1254373).
- uio: uio_fsl_elbc_gpcm:: Add null pointer check to uio_fsl_elbc_gpcm_probe (git-fixes).
- usb: cdns3: Fix double resource release in cdns3_pci_probe (git-fixes).
- usb: chaoskey: fix locking for O_NONBLOCK (git-fixes).
- usb: chipidea: udc: limit usb request length to max 16KB (stable-fixes).
- usb: dwc2: disable platform lowlevel hw resources during shutdown (stable-fixes).
- usb: dwc2: fix hang during shutdown if set as peripheral (git-fixes).
- usb: dwc2: fix hang during suspend if set as peripheral (git-fixes).
- usb: dwc3: Abort suspend on soft disconnect failure (git-fixes).
- usb: dwc3: Fix race condition between concurrent dwc3_remove_requests() call paths (git-fixes).
- usb: dwc3: keep susphy enabled during exit to avoid controller faults (git-fixes).
- usb: dwc3: of-simple: fix clock resource leak in dwc3_of_simple_probe (git-fixes).
- usb: dwc3: pci: Sort out the Intel device IDs (stable-fixes).
- usb: dwc3: pci: add support for the Intel Nova Lake -S (stable-fixes).
- usb: gadget: configfs: Correctly set use_os_string at bind (git-fixes).
- usb: gadget: f_eem: Fix memory leak in eem_unwrap (git-fixes).
- usb: gadget: lpc32xx_udc: fix clock imbalance in error path (git-fixes).
- usb: gadget: renesas_usbf: Handle devm_pm_runtime_enable() errors (git-fixes).
- usb: gadget: tegra-xudc: Always reinitialize data toggle when clear halt (git-fixes).
- usb: ohci-nxp: Use helper function devm_clk_get_enabled() (stable-fixes).
- usb: ohci-nxp: fix device leak on probe failure (git-fixes).
- usb: phy: Initialize struct usb_phy list_head (git-fixes).
- usb: phy: isp1301: fix non-OF device reference imbalance (git-fixes).
- usb: raw-gadget: cap raw_io transfer length to KMALLOC_MAX_SIZE (git-fixes).
- usb: raw-gadget: do not limit transfer length (git-fixes).
- usb: renesas_usbhs: Fix a resource leak in usbhs_pipe_malloc() (git-fixes).
- usb: storage: Fix memory leak in USB bulk transport (git-fixes).
- usb: storage: sddr55: Reject out-of-bound new_pba (stable-fixes).
- usb: typec: tipd: Clear interrupts first (git-fixes).
- usb: typec: ucsi: Handle incorrect num_connectors capability (stable-fixes).
- usb: typec: ucsi: psy: Set max current to zero when disconnected (git-fixes).
- usb: uas: fix urb unmapping issue when the uas device is remove during ongoing data transfer (git-fixes).
- usb: udc: Add trace event for usb_gadget_set_state (stable-fixes).
- usb: usb-storage: Maintain minimal modifications to the bcdDevice range (git-fixes).
- usb: usb-storage: No additional quirks need to be added to the EL-R12 optical drive (stable-fixes).
- usb: vhci-hcd: Prevent suspending virtually attached devices (git-fixes).
- usb: xhci: limit run_graceperiod for only usb 3.0 devices (stable-fixes).
- usbip: Fix locking bug in RT-enabled kernels (stable-fixes).
- via_wdt: fix critical boot hang due to unnamed resource allocation (stable-fixes).
- virtio_console: fix order of fields cols and rows (stable-fixes).
- watchdog: wdat_wdt: Fix ACPI table leak in probe function (git-fixes).
- wifi: ath10k: Add missing include of export.h (stable-fixes).
- wifi: ath10k: Avoid vdev delete timeout when firmware is already down (stable-fixes).
- wifi: ath10k: move recovery check logic into a new work (git-fixes).
- wifi: ath11k: fix peer HE MCS assignment (git-fixes).
- wifi: ath11k: restore register window after global reset (git-fixes).
- wifi: ath12k: fix potential memory leak in ath12k_wow_arp_ns_offload() (git-fixes).
- wifi: avoid kernel-infoleak from struct iw_point (git-fixes).
- wifi: brcmfmac: Add DMI nvram filename quirk for Acer A1 840 tablet (stable-fixes).
- wifi: cfg80211: sme: store capped length in __cfg80211_connect_result() (git-fixes).
- wifi: cfg80211: stop radar detection in cfg80211_leave() (stable-fixes).
- wifi: cfg80211: use cfg80211_leave() in iftype change (stable-fixes).
- wifi: cw1200: Fix potential memory leak in cw1200_bh_rx_helper() (git-fixes).
- wifi: ieee80211: correct FILS status codes (git-fixes).
- wifi: mac80211: do not use old MBSSID elements (git-fixes).
- wifi: mac80211: fix CMAC functions not handling errors (git-fixes).
- wifi: mac80211: restore non-chanctx injection behaviour (git-fixes).
- wifi: mt76: Fix DTS power-limits on little endian systems (git-fixes).
- wifi: mt76: mt7925: fix CLC command timeout when suspend/resume (stable-fixes).
- wifi: mt76: mt7925: fix the unfinished command of regd_notifier before suspend (stable-fixes).
- wifi: mt76: mt792x: fix wifi init fail by setting MCU_RUNNING after CLC load (stable-fixes).
- wifi: nl80211: vendor-cmd: intel: fix a blank kernel-doc line warning (git-fixes).
- wifi: rtl818x: Fix potential memory leaks in rtl8180_init_rx_ring() (git-fixes).
- wifi: rtl818x: rtl8187: Fix potential buffer underflow in rtl8187_rx_cb() (git-fixes).
- wifi: rtlwifi: 8192cu: fix tid out of range in rtl92cu_tx_fill_desc() (git-fixes).
- wifi: rtw88: Add USB ID 2001:3329 for D-Link AC13U rev. A1 (stable-fixes).
- wifi: rtw88: limit indirect IO under powered off for RTL8822CS (git-fixes).
- x86/hyperv: Fix APIC ID and VP index confusion in hv_snp_boot_ap() (git-fixes).
- x86/microcode/AMD: Add TSA microcode SHAs (bsc#1256528).
- x86/microcode/AMD: Add Zen5 model 0x44, stepping 0x1 minrev (bsc#1256528).
- x86/microcode/AMD: Add more known models to entry sign checking (bsc#1256528).
- x86/microcode/AMD: Add some forgotten models to the SHA check (bsc#1256528).
- x86/microcode/AMD: Clean the cache if update did not load microcode (bsc#1256528).
- x86/microcode/AMD: Extend the SHA check to Zen5, block loading of any unreleased standalone Zen5 microcode patches (bsc#1256528). - x86/microcode/AMD: Fix Entrysign revision check for Zen5/Strix Halo (bsc#1256528). - x86/microcode/AMD: Fix __apply_microcode_amd()'s return value (bsc#1256528). - x86/microcode/AMD: Limit Entrysign signature checking to known generations (bsc#1256528). - x86/microcode/AMD: Load only SHA256-checksummed patches (bsc#1256528). - x86/microcode/AMD: Select which microcode patch to load (bsc#1256528). - x86/microcode/AMD: Use sha256() instead of init/update/final (bsc#1256528). - x86/microcode: Fix Entrysign revision check for Zen1/Naples (bsc#1256528). - xhci: dbgtty: fix device unregister (git-fixes). - xhci: fix stale flag preventig URBs after link state error is cleared (git-fixes). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2026:331-1 Released: Wed Jan 28 18:12:49 2026 Summary: Security update for openssl-1_1 Type: security Severity: moderate References: 1256834,1256835,1256836,1256837,1256838,1256839,1256840,CVE-2025-68160,CVE-2025-69418,CVE-2025-69419,CVE-2025-69420,CVE-2025-69421,CVE-2026-22795,CVE-2026-22796 This update for openssl-1_1 fixes the following issues: - CVE-2026-22795: Missing ASN1_TYPE validation in PKCS#12 parsing (bsc#1256839). - CVE-2025-69420: Missing ASN1_TYPE validation in TS_RESP_verify_response() function (bsc#1256837). - CVE-2025-69421: NULL Pointer Dereference in PKCS12_item_decrypt_d2i_ex function (bsc#1256838). - CVE-2026-22796: ASN1_TYPE Type Confusion in the PKCS7_digest_from_attributes() function (bsc#1256840). - CVE-2025-68160: Heap out-of-bounds write in BIO_f_linebuffer on short writes (bsc#1256834). - CVE-2025-69418: Unauthenticated/unencrypted trailing bytes with low-level OCB function calls (bsc#1256835). - CVE-2025-69419: Out of bounds write in PKCS12_get_friendlyname() UTF-8 conversion (bsc#1256836). 
The following package changes have been done: - libuuid1-2.40.4-150700.4.3.1 updated - libsmartcols1-2.40.4-150700.4.3.1 updated - libopenssl3-3.2.3-150700.5.24.1 updated - libblkid1-2.40.4-150700.4.3.1 updated - libopenssl-3-fips-provider-3.2.3-150700.5.24.1 updated - libfdisk1-2.40.4-150700.4.3.1 updated - libglib-2_0-0-2.78.6-150600.4.28.1 updated - libmount1-2.40.4-150700.4.3.1 updated - libcurl4-8.14.1-150700.7.11.1 updated - util-linux-2.40.4-150700.4.3.1 updated - openssl-3-3.2.3-150700.5.24.1 updated - kernel-macros-6.4.0-150700.53.28.1 updated - libopenssl1_1-1.1.1w-150700.11.11.1 updated - kernel-devel-6.4.0-150700.53.28.1 updated - git-core-2.51.0-150600.3.15.1 updated - kernel-default-devel-6.4.0-150700.53.28.1 updated - kernel-syms-6.4.0-150700.53.28.1 updated - container:registry.suse.com-bci-bci-base-15.7-f9184822761ad484aca07587791f6b9d7abdb9a0b5cb88d5017f8891d8d8b001-0 updated From sle-container-updates at lists.suse.com Sat Jan 31 08:16:46 2026 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Sat, 31 Jan 2026 08:16:46 -0000 Subject: SUSE-CU-2026:571-1: Security update of suse/sles/16.0/toolbox Message-ID: <20260131081645.46A0FFCDB@maintenance.suse.de> SUSE Container Update Advisory: suse/sles/16.0/toolbox ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2026:571-1 Container Tags : suse/sles/16.0/toolbox:16.3 , suse/sles/16.0/toolbox:16.3-1.17 , suse/sles/16.0/toolbox:latest Container Release : 1.17 Severity : important Type : security References : 1232351 1236282 1240874 1244680 1244705 1245667 1246011 1246025 1247249 1249657 1250224 1251305 1252318 1252974 1254400 1254401 1254425 1254997 1255715 1255731 1255732 1255733 1255734 1255765 1256105 1256244 1256246 1256389 1256390 1256436 1256766 1256822 1257005 1257395 1257396 CVE-2025-0395 CVE-2025-11961 CVE-2025-12084 CVE-2025-13836 CVE-2025-13837 CVE-2025-14017 CVE-2025-14524 CVE-2025-14819 CVE-2025-15079 
CVE-2025-15224 CVE-2025-15281 CVE-2025-6069 CVE-2025-6075 CVE-2025-68973 CVE-2025-8194 CVE-2025-8291 CVE-2026-0861 CVE-2026-0915 CVE-2026-24882 CVE-2026-24883 ----------------------------------------------------------------- The container suse/sles/16.0/toolbox was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: 138 Released: Wed Jan 14 11:23:16 2026 Summary: Security update for gpg2 Type: security Severity: important References: 1255715,1256244,1256246,1256390,CVE-2025-68973 This update for gpg2 fixes the following issues: - CVE-2025-68973: out-of-bounds write when processing specially crafted input in the armor parser can lead to memory corruption (bsc#1255715). Other security fixes: - gpg: Avoid potential downgrade to SHA1 in 3rd party key signatures (bsc#1256246). - gpg: Error out on unverified output for non-detached signatures (bsc#1256244). - gpg: Deprecate the option --not-dash-escaped (bsc#1256390). ----------------------------------------------------------------- Advisory ID: 140 Released: Wed Jan 14 12:01:44 2026 Summary: Security update for curl Type: security Severity: moderate References: 1255731,1255732,1255733,1255734,1256105,CVE-2025-14017,CVE-2025-14524,CVE-2025-14819,CVE-2025-15079,CVE-2025-15224 This update for curl fixes the following issues: - CVE-2025-14017: broken TLS options for threaded LDAPS (bsc#1256105). - CVE-2025-14524: bearer token leak on cross-protocol redirect (bsc#1255731). - CVE-2025-14819: libssh global knownhost override (bsc#1255732). - CVE-2025-15079: libssh key passphrase bypass without agent set (bsc#1255733). - CVE-2025-15224: OpenSSL partial chain store policy bypass (bsc#1255734). 
----------------------------------------------------------------- Advisory ID: 164 Released: Thu Jan 22 11:13:12 2026 Summary: Security update for libpcap Type: security Severity: low References: 1255765,CVE-2025-11961 This update for libpcap fixes the following issues: - CVE-2025-11961: missing validation of provided MAC-48 address string in `pcap_ether_aton()` can lead to out-of-bounds read and write (bsc#1255765). ----------------------------------------------------------------- Advisory ID: 170 Released: Thu Jan 22 14:47:27 2026 Summary: Security update for python313 Type: security Severity: moderate References: 1244680,1244705,1247249,1251305,1252974,1254400,1254401,1254997,CVE-2025-12084,CVE-2025-13836,CVE-2025-13837,CVE-2025-6069,CVE-2025-6075,CVE-2025-8194,CVE-2025-8291 This update for python313 fixes the following issues: - Update to 3.13.11: - Security - CVE-2025-12084: cpython: Fixed quadratic algorithm in xml.dom.minidom leading to denial of service (bsc#1254997) - CVE-2025-13836: Fixed default Content-Length read amount from HTTP response (bsc#1254400) - CVE-2025-13837: Fixed plistlib module denial of service (bsc#1254401) - CVE-2025-8291: Fixed validity of the ZIP64 End of Central Directory (EOCD) not checked by the 'zipfile' module (bsc#1251305) - gh-137836: Add support of the "plaintext" element, RAWTEXT elements "xmp", "iframe", "noembed" and "noframes", and optionally RAWTEXT element "noscript" in html.parser.HTMLParser. - gh-136063: email.message: ensure linear complexity for legacy HTTP parameters parsing. Patch by Bénédikt Tran. - CVE-2025-6075: Fixed performance issues caused by user-controlled os.path.expandvars() (bsc#1252974) - Library - gh-140797: Revert changes to the undocumented re.Scanner class. Capturing groups are still allowed for backward compatibility, although using them can lead to incorrect result. They will be forbidden in future Python versions. 
- gh-142206: The resource tracker in the multiprocessing module now uses the original communication protocol, as in Python 3.14.0 and below, by default. This avoids issues with upgrading Python while it is running. (Note that such "in-place" upgrades are not tested.) The tracker remains compatible with subprocesses that use new protocol (that is, subprocesses using Python 3.13.10, 3.14.1 and 3.15). - Core and Builtins - gh-142218: Fix crash when inserting into a split table dictionary with a non str key that matches an existing key. - Update to 3.13.10: - Tools/Demos - gh-141442: The iOS testbed now correctly handles test arguments that contain spaces. - Tests - gh-140482: Preserve and restore the state of stty echo as part of the test environment. - gh-140082: Update python -m test to set FORCE_COLOR=1 when being run with color enabled so that unittest which is run by it with redirected output will output in color. - gh-136442: Use exitcode 1 instead of 5 if unittest.TestCase.setUpClass() raises an exception - Library - gh-74389: When the stdin being used by a subprocess.Popen instance is closed, this is now ignored in subprocess.Popen.communicate() instead of leaving the class in an inconsistent state. - gh-87512: Fix subprocess.Popen.communicate() timeout handling on Windows when writing large input. Previously, the timeout was ignored during stdin writing, causing the method to block indefinitely if the child process did not consume input quickly. The stdin write is now performed in a background thread, allowing the timeout to be properly enforced. - gh-141473: When subprocess.Popen.communicate() was called with input and a timeout and is called for a second time after a TimeoutExpired exception before the process has died, it should no longer hang. - gh-59000: Fix pdb breakpoint resolution for class methods when the module defining the class is not imported. 
- gh-141570: Support file-like object raising OSError from fileno() in color detection (_colorize.can_colorize()). This can occur when sys.stdout is redirected. - gh-141659: Fix bad file descriptor errors from _posixsubprocess on AIX. - gh-141497: ipaddress: ensure that the methods IPv4Network.hosts() and IPv6Network.hosts() always return an iterator. - gh-140938: The statistics.stdev() and statistics.pstdev() functions now raise a ValueError when the input contains an infinity or a NaN. - gh-124111: Updated Tcl threading configuration in _tkinter to assume that threads are always available in Tcl 9 and later. - gh-137109: The os.fork and related forking APIs will no longer warn in the common case where Linux or macOS platform APIs return the number of threads in a process and find the answer to be 1 even when a os.register_at_fork() after_in_parent= callback (re)starts a thread. - gh-141314: Fix assertion failure in io.TextIOWrapper.tell() when reading files with standalone carriage return (\r) line endings. - gh-141311: Fix assertion failure in io.BytesIO.readinto() and undefined behavior arising when read position is above capacity in io.BytesIO. - gh-141141: Fix a thread safety issue with base64.b85decode(). Contributed by Benel Tayar. - gh-140911: collections: Ensure that the methods UserString.rindex() and UserString.index() accept collections.UserString instances as the sub argument. - gh-140797: The undocumented re.Scanner class now forbids regular expressions containing capturing groups in its lexicon patterns. Patterns using capturing groups could previously lead to crashes with segmentation fault. Use non-capturing groups (?:...) instead. - gh-140815: faulthandler now detects if a frame or a code object is invalid or freed. Patch by Victor Stinner. - gh-100218: Correctly set errno when socket.if_nametoindex() or socket.if_indextoname() raise an OSError. Patch by Bénédikt Tran. 
- gh-140875: Fix handling of unclosed character references (named and numerical) followed by the end of file in html.parser.HTMLParser with convert_charrefs=False. - gh-140734: multiprocessing: fix off-by-one error when checking the length of a temporary socket file path. Patch by Bénédikt Tran. - gh-140874: Bump the version of pip bundled in ensurepip to version 25.3 - gh-140691: In urllib.request, when opening a FTP URL fails because a data connection cannot be made, the control connection's socket is now closed to avoid a ResourceWarning. - gh-103847: Fix hang when cancelling process created by asyncio.create_subprocess_exec() or asyncio.create_subprocess_shell(). Patch by Kumar Aditya. - gh-140590: Fix arguments checking for the functools.partial.__setstate__() that may lead to internal state corruption and crash. Patch by Sergey Miryanov. - gh-140634: Fix a reference counting bug in os.sched_param.__reduce__(). - gh-140633: Ignore AttributeError when setting a module's __file__ attribute when loading an extension module packaged as Apple Framework. - gh-140593: xml.parsers.expat: Fix a memory leak that could affect users with ElementDeclHandler() set to a custom element declaration handler. Patch by Sebastian Pipping. - gh-140607: Inside io.RawIOBase.read(), validate that the count of bytes returned by io.RawIOBase.readinto() is valid (inside the provided buffer). - gh-138162: Fix logging.LoggerAdapter with merge_extra=True and without the extra argument. - gh-140474: Fix memory leak in array.array when creating arrays from an empty str and the u type code. - gh-140272: Fix memory leak in the clear() method of the dbm.gnu database. - gh-140041: Fix import of ctypes on Android and Cygwin when ABI flags are present. - gh-139905: Add suggestion to error message for typing.Generic subclasses when cls.__parameters__ is missing due to a parent class failing to call super().__init_subclass__() in its __init_subclass__. 
- gh-139845: Fix to not print KeyboardInterrupt twice in default asyncio REPL. - gh-139783: Fix inspect.getsourcelines() for the case when a decorator is followed by a comment or an empty line. - gh-70765: http.server: fix default handling of HTTP/0.9 requests in BaseHTTPRequestHandler. Previously, BaseHTTPRequestHandler.parse_request() incorrectly waited for headers in the request although those are not supported in HTTP/0.9. Patch by Bénédikt Tran. - gh-139391: Fix an issue when, on non-Windows platforms, it was not possible to gracefully exit a python -m asyncio process suspended by Ctrl+Z and later resumed by fg other than with kill. - gh-101828: Fix 'shift_jisx0213', 'shift_jis_2004', 'euc_jisx0213' and 'euc_jis_2004' codecs truncating null chars as they were treated as part of multi-character sequences. - gh-139246: fix: paste zero-width in default repl width is wrong. - gh-90949: Add SetAllocTrackerActivationThreshold() and SetAllocTrackerMaximumAmplification() to xmlparser objects to prevent use of disproportional amounts of dynamic memory from within an Expat parser. Patch by Bénédikt Tran. - gh-139065: Fix trailing space before a wrapped long word if the line length is exactly width in textwrap. - gh-138993: Dedent credits text. - gh-138859: Fix generic type parameterization raising a TypeError when omitting a ParamSpec that has a default which is not a list of types. - gh-138775: Use of python -m with base64 has been fixed to detect input from a terminal so that it properly notices EOF. - gh-98896: Fix a failure in multiprocessing resource_tracker when SharedMemory names contain colons. Patch by Rani Pinchuk. - gh-75989: tarfile.TarFile.extractall() and tarfile.TarFile.extract() now overwrite symlinks when extracting hardlinks. (Contributed by Alexander Enrique Urieles Nieto in gh-75989.) - gh-83424: Allows creating a ctypes.CDLL without name when passing a handle as an argument. 
- gh-136234: Fix asyncio.WriteTransport.writelines() to be robust to connection failure, by using the same behavior as write(). - gh-136057: Fixed the bug in pdb and bdb where next and step can't go over the line if a loop exists in the line. - gh-135307: email: Fix exception in set_content() when encoding text and max_line_length is set to 0 or None (unlimited). - gh-134453: Fixed subprocess.Popen.communicate() input= handling of memoryview instances that were non-byte shaped on POSIX platforms. Those are now properly cast to a byte shaped view instead of truncating the input. Windows platforms did not have this bug. - gh-102431: Clarify constraints for "logical" arguments in methods of decimal.Context. - IDLE - gh-96491: Deduplicate version number in IDLE shell title bar after saving to a file. - Documentation - gh-141994: xml.sax.handler: Make Documentation of xml.sax.handler.feature_external_ges warn of opening up to external entity attacks. Patch by Sebastian Pipping. - gh-140578: Remove outdated sentence in the documentation for multiprocessing, that implied that concurrent.futures.ThreadPoolExecutor did not exist. - Core and Builtins - gh-142048: Fix quadratically increasing garbage collection delays in free-threaded build. - gh-141930: When importing a module, use Python's regular file object to ensure that writes to .pyc files are complete or an appropriate error is raised. - gh-120158: Fix inconsistent state when enabling or disabling monitoring events too many times. - gh-141579: Fix sys.activate_stack_trampoline() to properly support the perf_jit backend. Patch by Pablo Galindo. - gh-141312: Fix the assertion failure in the __setstate__ method of the range iterator when a non-integer argument is passed. Patch by Sergey Miryanov. - gh-140939: Fix memory leak when bytearray or bytes is formatted with the %*b format with a large width that results in a MemoryError. - gh-140530: Fix a reference leak when raise exc from cause fails. 
Patch by Bénédikt Tran. - gh-140576: Fixed crash in tokenize.generate_tokens() in case of specific incorrect input. Patch by Mikhail Efimov. - gh-140551: Fixed crash in dict if dict.clear() is called at the lookup stage. Patch by Mikhail Efimov and Inada Naoki. - gh-140471: Fix potential buffer overflow in ast.AST node initialization when encountering malformed _fields containing non-str. - gh-140406: Fix memory leak when an object's __hash__() method returns an object that isn't an int. - gh-140306: Fix memory leaks in cross-interpreter channel operations and shared namespace handling. - gh-140301: Fix memory leak of PyConfig in subinterpreters. - gh-140000: Fix potential memory leak when a reference cycle exists between an instance of typing.TypeAliasType, typing.TypeVar, typing.ParamSpec, or typing.TypeVarTuple and its __name__ attribute. Patch by Mikhail Efimov. - gh-139748: Fix reference leaks in error branches of functions accepting path strings or bytes such as compile() and os.system(). Patch by Bénédikt Tran. - gh-139516: Fix lambda colon erroneously start format spec in f-string in tokenizer. - gh-139640: Fix swallowing some syntax warnings in different modules if they accidentally have the same message and are emitted from the same line. Fix duplicated warnings in the finally block. - gh-137400: Fix a crash in the free threading build when disabling profiling or tracing across all threads with PyEval_SetProfileAllThreads() or PyEval_SetTraceAllThreads() or their Python equivalents threading.settrace_all_threads() and threading.setprofile_all_threads(). - gh-133400: Fixed Ctrl+D (^D) behavior in _pyrepl module to match old pre-3.13 REPL behavior. - C API - gh-140042: Removed the sqlite3_shutdown call that could cause closing connections for sqlite when used with multiple sub interpreters. - gh-140487: Fix Py_RETURN_NOTIMPLEMENTED in limited C API 3.11 and older: don't treat Py_NotImplemented as immortal. Patch by Victor Stinner. 
- Update to 3.13.9: - Library - gh-139783: Fix inspect.getsourcelines() for the case when a decorator is followed by a comment or an empty line. - Update to 3.13.8: - Tools/Demos - gh-139330: SBOM generation tool didn't cross-check the version and checksum values against the Modules/expat/refresh.sh script, leading to the values becoming out-of-date during routine updates. - gh-137873: The iOS test runner has been simplified, resolving some issues that have been observed using the runner in GitHub Actions and Azure Pipelines test environments. - Tests - gh-139208: Fix regrtest --fast-ci --verbose: don't ignore the --verbose option anymore. Patch by Victor Stinner. - Security - gh-139400: xml.parsers.expat: Make sure that parent Expat parsers are only garbage-collected once they are no longer referenced by subparsers created by ExternalEntityParserCreate(). Patch by Sebastian Pipping. - gh-139283: sqlite3: correctly handle maximum number of rows to fetch in Cursor.fetchmany and reject negative values for Cursor.arraysize. Patch by Bénédikt Tran. - gh-135661: Fix CDATA section parsing in html.parser.HTMLParser according to the HTML5 standard: ] ]> and ]] > no longer end the CDATA section. Add private method _set_support_cdata() which can be used to specify how to parse <[CDATA[ - as a CDATA section in foreign content (SVG or MathML) or as a bogus comment in the HTML namespace. - Library - gh-139312: Upgrade bundled libexpat to 2.7.3 - gh-139289: Do a real lazy-import on rlcompleter in pdb and restore the existing completer after importing rlcompleter. - gh-139210: Fix use-after-free when reporting unknown event in xml.etree.ElementTree.iterparse(). Patch by Ken Jin. - gh-138860: Lazy import rlcompleter in pdb to avoid deadlock in subprocess. - gh-112729: Fix crash when calling _interpreters.create when the process is out of memory. 
- gh-139076: Fix a bug in the pydoc module that was hiding functions in a Python module if they were implemented in an extension module and the module did not have __all__. - gh-138998: Update bundled libexpat to 2.7.2 - gh-130567: Fix possible crash in locale.strxfrm() due to a platform bug on macOS. - gh-138779: Support device numbers larger than 2**63-1 for the st_rdev field of the os.stat_result structure. - gh-128636: Fix crash in PyREPL when os.environ is overwritten with an invalid value for mac - gh-88375: Fix normalization of the robots.txt rules and URLs in the urllib.robotparser module. No longer ignore trailing ?. Distinguish raw special characters ?, = and & from the percent-encoded ones. - gh-138515: email is added to Emscripten build. - gh-111788: Fix parsing errors in the urllib.robotparser module. Don't fail trying to parse weird paths. Don't fail trying to decode non-UTF-8 robots.txt files. - gh-138432: zoneinfo.reset_tzpath() will now convert any os.PathLike objects it receives into strings before adding them to TZPATH. It will raise TypeError if anything other than a string is found after this conversion. If given an os.PathLike object that represents a relative path, it will now raise ValueError instead of TypeError, and present a more informative error message. - gh-138008: Fix segmentation faults in the ctypes module due to invalid argtypes. Patch by Dung Nguyen. - gh-60462: Fix locale.strxfrm() on Solaris (and possibly other platforms). - gh-138204: Forbid expansion of shared anonymous memory maps on Linux, which caused a bus error. - gh-138010: Fix an issue where defining a class with a @warnings.deprecated-decorated base class may not invoke the correct __init_subclass__() method in cases involving multiple inheritance. Patch by Brian Schubert. - gh-138133: Prevent infinite traceback loop when sending CTRL^C to Python through strace. 
- gh-134869: Fix an issue where pressing Ctrl+C during tab completion in the REPL would leave the autocompletion menu in a corrupted state. - gh-137317: inspect.signature() now correctly handles classes that use a descriptor on a wrapped __init__() or __new__() method. Contributed by Yongyu Yan. - gh-137754: Fix import of the zoneinfo module if the C implementation of the datetime module is not available. - gh-137490: Handle ECANCELED in the same way as EINTR in signal.sigwaitinfo() on NetBSD. - gh-137477: Fix inspect.getblock(), inspect.getsourcelines() and inspect.getsource() for generator expressions. - gh-137017: Fix threading.Thread.is_alive to remain True until the underlying OS thread is fully cleaned up. This avoids false negatives in edge cases involving thread monitoring or premature threading.Thread.is_alive calls. - gh-136134: SMTP.auth_cram_md5() now raises an SMTPException instead of a ValueError if Python has been built without MD5 support. In particular, SMTP clients will not attempt to use this method even if the remote server is assumed to support it. Patch by Bénédikt Tran. - gh-136134: IMAP4.login_cram_md5 now raises an IMAP4.error if CRAM-MD5 authentication is not supported. Patch by Bénédikt Tran. - gh-135386: Fix opening a dbm.sqlite3 database for reading from read-only file or directory. - gh-126631: Fix multiprocessing forkserver bug which prevented __main__ from being preloaded. - gh-123085: In a bare call to importlib.resources.files(), ensure the caller's frame is properly detected when importlib.resources is itself available as a compiled module only (no source). - gh-118981: Fix potential hang in multiprocessing.popen_spawn_posix that can happen when the child proc dies early by closing the child fds right away. - gh-78319: UTF8 support for the IMAP APPEND command has been made RFC compliant. - bpo-38735: Fix failure when importing a module from the root directory on unix-like platforms with sys.pycache_prefix set. 
- bpo-41839: Allow negative priority values from os.sched_get_priority_min() and os.sched_get_priority_max() functions. - Core and Builtins - gh-134466: Don't run PyREPL in a degraded environment where setting termios attributes is not allowed. - gh-71810: Raise OverflowError for (-1).to_bytes() for signed conversions when bytes count is zero. Patch by Sergey B Kirpichev. - gh-105487: Remove non-existent __copy__(), __deepcopy__(), and __bases__ from the __dir__() entries of types.GenericAlias. - gh-134163: Fix a hang when the process is out of memory inside an exception handler. - gh-138479: Fix a crash when a generic object's __typing_subst__ returns an object that isn't a tuple. - gh-137576: Fix for incorrect source code being shown in tracebacks from the Basic REPL when PYTHONSTARTUP is given. Patch by Adam Hartz. - gh-132744: Certain calls now check for runaway recursion and respect the system recursion limit. - C API - gh-87135: Attempting to acquire the GIL after runtime finalization has begun in a different thread now causes the thread to hang rather than terminate, which avoids potential crashes or memory corruption caused by attempting to terminate a thread that is running code not specifically designed to support termination. In most cases this hanging is harmless since the process will soon exit anyway. While not officially marked deprecated until 3.14, PyThread_exit_thread is no longer called internally and remains solely for interface compatibility. Its behavior is inconsistent across platforms, and it can only be used safely in the unlikely case that every function in the entire call stack has been designed to support the platform-dependent termination mechanism. It is recommended that users of this function change their design to not require thread termination. 
In the unlikely case that thread termination is needed and can be done safely, users may migrate to calling platform-specific APIs such as pthread_exit (POSIX) or _endthreadex (Windows) directly. - Build - gh-135734: Python can correctly be configured and built with ./configure --enable-optimizations --disable-test-modules. Previously, the profile data generation step failed due to PGO tests where immortalization couldn't be properly suppressed. - Update to 3.13.7: - gh-137583: Fix a deadlock introduced in 3.13.6 when a call to ssl.SSLSocket.recv was blocked in one thread, and then another method on the object (such as ssl.SSLSocket.send) was subsequently called in another thread. - gh-137044: Return large limit values as positive integers instead of negative integers in resource.getrlimit(). Accept large values and reject negative values (except RLIM_INFINITY) for limits in resource.setrlimit(). - gh-136914: Fix retrieval of doctest.DocTest.lineno for objects decorated with functools.cache() or functools.cached_property. - gh-131788: Make ResourceTracker.send from multiprocessing re-entrant safe - gh-136155: We are now checking for fatal errors in EPUB builds in CI. - gh-137400: Fix a crash in the free threading build when disabling profiling or tracing across all threads with PyEval_SetProfileAllThreads() or PyEval_SetTraceAllThreads() or their Python equivalents threading.settrace_all_threads() and threading.setprofile_all_threads(). - Update to 3.13.6: - Security - gh-135661: Fix parsing start and end tags in html.parser.HTMLParser according to the HTML5 standard. - gh-102555: Fix comment parsing in html.parser.HTMLParser according to the HTML5 standard. - CVE-2025-6069: Fix quadratic complexity in processing specially crafted input in html.parser.HTMLParser. End-of-file errors are now handled according to the HTML5 specs: comments and declarations are automatically closed, tags are ignored (gh-135462, bsc#1244705). 
- CVE-2025-8194: tarfile now validates archives to ensure member offsets are non-negative. (gh-130577, bsc#1247249). - gh-118350: Fix support of escapable raw text mode (elements "textarea" and "title") in html.parser.HTMLParser. - Core and Builtins - gh-58124: Fix name of the Python encoding in Unicode errors of the code page codec: use "cp65000" and "cp65001" instead of "CP_UTF7" and "CP_UTF8" which are not valid Python code names. Patch by Victor Stinner. - gh-137314: Fixed a regression where raw f-strings incorrectly interpreted escape sequences in format specifications. Raw f-strings now properly preserve literal backslashes in format specs, matching the behavior from Python 3.11. For example, rf'{obj:\xFF}' now correctly produces '\\xFF' instead of 'ÿ'. Patch by Pablo Galindo. - gh-136541: Fix some issues with the perf trampolines on x86-64 and aarch64. The trampolines were not being generated correctly for some cases, which could lead to the perf integration not working correctly. Patch by Pablo Galindo. - gh-109700: Fix memory error handling in PyDict_SetDefault(). - gh-78465: Fix error message for cls.__new__(cls, ...) where cls is not instantiable builtin or extension type (with tp_new set to NULL). - gh-135871: Non-blocking mutex lock attempts now return immediately when the lock is busy instead of briefly spinning in the free threading build. - gh-135607: Fix potential weakref races in an object's destructor on the free threaded build. - gh-135496: Fix typo in the f-string conversion type error ("exclamanation" -> "exclamation"). - gh-130077: Properly raise custom syntax errors when incorrect syntax containing names that are prefixes of soft keywords is encountered. Patch by Pablo Galindo. - gh-135148: Fixed a bug where f-string debug expressions (using =) would incorrectly strip out parts of strings containing escaped quotes and # characters. Patch by Pablo Galindo. 
- gh-133136: Limit excess memory usage in the free threading build when a large dictionary or list is resized and accessed by multiple threads. - gh-132617: Fix dict.update() modification check that could incorrectly raise a "dict mutated during update" error when a different dictionary was modified that happens to share the same underlying keys object. - gh-91153: Fix a crash when a bytearray is concurrently mutated during item assignment. - gh-127971: Fix off-by-one read beyond the end of a string in string search. - gh-125723: Fix crash with gi_frame.f_locals when generator frames outlive their generator. Patch by Mikhail Efimov. - Library - gh-132710: If possible, ensure that uuid.getnode() returns the same result even across different processes. Previously, the result was constant only within the same process. Patch by Bénédikt Tran. - gh-137273: Fix debug assertion failure in locale.setlocale() on Windows. - gh-137257: Bump the version of pip bundled in ensurepip to version 25.2 - gh-81325: tarfile.TarFile now accepts a path-like when working on a tar archive. (Contributed by Alexander Enrique Urieles Nieto in gh-81325.) - gh-130522: Fix unraisable TypeError raised during interpreter shutdown in the threading module. - gh-136549: Fix signature of threading.excepthook(). - gh-136523: Fix wave.Wave_write emitting an unraisable when open raises. - gh-52876: Add missing keepends (default True) parameter to codecs.StreamReaderWriter.readline() and codecs.StreamReaderWriter.readlines(). - gh-85702: If zoneinfo._common.load_tzdata is given a package without a resource a zoneinfo.ZoneInfoNotFoundError is raised rather than a PermissionError. Patch by Victor Stinner. - gh-134759: Fix UnboundLocalError in email.message.Message.get_payload() when the payload to decode is a bytes object. Patch by Kliment Lamonov. - gh-136028: Fix parsing month names containing "İ" (U+0130, LATIN CAPITAL LETTER I WITH DOT ABOVE) in time.strptime(). 
    This affects locales az_AZ, ber_DZ, ber_MA and crh_UA.
  - gh-135995: In the palmos encoding, make byte 0x9b decode to › (U+203A - SINGLE RIGHT-POINTING ANGLE QUOTATION MARK).
  - gh-53203: Fix time.strptime() for %c and %x formats on locales byn_ER, wal_ET and lzh_TW, and for %X format on locales ar_SA, bg_BG and lzh_TW.
  - gh-91555: An earlier change, which was introduced in 3.13.4, has been reverted. It disabled logging for a logger during handling of log messages for that logger. Since the reversion, the behaviour should be as it was before 3.13.4.
  - gh-135878: Fixes a crash of types.SimpleNamespace on free threading builds, when several threads were calling its __repr__() method at the same time.
  - gh-135836: Fix IndexError in asyncio.loop.create_connection() that could occur when non-OSError exception is raised during connection and socket's close() raises OSError.
  - gh-135836: Fix IndexError in asyncio.loop.create_connection() that could occur when the Happy Eyeballs algorithm resulted in an empty exceptions list during connection attempts.
  - gh-135855: Raise TypeError instead of SystemError when _interpreters.set___main___attrs() is passed a non-dict object. Patch by Brian Schubert.
  - gh-135815: netrc: skip security checks if os.getuid() is missing. Patch by Bénédikt Tran.
  - gh-135640: Address bug where it was possible to call xml.etree.ElementTree.ElementTree.write() on an ElementTree object with an invalid root element. This behavior blanked the file passed to write if it already existed.
  - gh-135444: Fix asyncio.DatagramTransport.sendto() to account for datagram header size when data cannot be sent.
  - gh-135497: Fix os.getlogin() failing for longer usernames on BSD-based platforms.
  - gh-135487: Fix reprlib.Repr.repr_int() when given integers with more than sys.get_int_max_str_digits() digits. Patch by Bénédikt Tran.
  - gh-135335: multiprocessing: Flush stdout and stderr after preloading modules in the forkserver.
  - gh-135244: uuid: when the MAC address cannot be determined, the 48-bit node ID is now generated with a cryptographically-secure pseudo-random number generator (CSPRNG) as per RFC 9562, §6.10.3. This affects uuid1().
  - gh-135069: Fix the "Invalid error handling" exception in encodings.idna.IncrementalDecoder to correctly replace the "errors" parameter.
  - gh-134698: Fix a crash when calling methods of ssl.SSLContext or ssl.SSLSocket across multiple threads.
  - gh-132124: On POSIX-compliant systems, multiprocessing.util.get_temp_dir() now ignores TMPDIR (and similar environment variables) if the path length of AF_UNIX socket files exceeds the platform-specific maximum length when using the forkserver start method. Patch by Bénédikt Tran.
  - gh-133439: Fix dot commands with trailing spaces being mistaken for multi-line SQL statements in the sqlite3 command-line interface.
  - gh-132969: Prevent the ProcessPoolExecutor executor thread, which remains running when shutdown(wait=False), from attempting to adjust the pool's worker processes after the object state has already been reset during shutdown. A combination of conditions, including a worker process having terminated abnormally, resulted in an exception and a potential hang when the still-running executor thread attempted to replace dead workers within the pool.
  - gh-130664: Support the '_' digit separator in formatting of the integral part of Decimal's. Patch by Sergey B Kirpichev.
  - gh-85702: If zoneinfo._common.load_tzdata is given a package without a resource a ZoneInfoNotFoundError is raised rather than an IsADirectoryError.
  - gh-130664: Handle corner-case for Fraction's formatting: treat zero-padding (preceding the width field by a zero ('0') character) as an equivalent to a fill character of '0' with an alignment type of '=', just as in case of float's.
- Tools/Demos
  - gh-135968: Stubs for strip are now provided as part of an iOS install.
- Tests
  - gh-135966: The iOS testbed now handles the app_packages folder as a site directory.
  - gh-135494: Fix regrtest to support excluding tests from --pgo tests. Patch by Victor Stinner.
  - gh-135489: Show verbose output for failing tests during PGO profiling step with --enable-optimizations.
- Documentation
  - gh-135171: Document that the iterator for the leftmost for clause in the generator expression is created immediately.
- Build
  - gh-135497: Fix the detection of MAXLOGNAME in the configure.ac script.

-----------------------------------------------------------------
Advisory ID: 183
Released: Fri Jan 23 10:02:18 2026
Summary: Recommended update for supportutils
Type: recommended
Severity: important
References: 1232351,1245667,1246011,1246025,1249657,1250224,1252318,1254425

This update for supportutils fixes the following issues:

- Optimized lsof usage and honors OPTION_OFILES (bsc#1232351)
- Run in containers without errors (bsc#1245667)
- Removed pmap PID from memory.txt (bsc#1246011)
- Added missing /proc/pagetypeinfo to memory.txt (bsc#1246025)
- Improved database performance with kGraft patching (bsc#1249657)
- Using last boot for journalctl for optimization (bsc#1250224)
- Fixed extraction failures (bsc#1252318)
- Update supportconfig.conf path in docs (bsc#1254425)
- drm_sub_info: Catch error when dir doesn't exist
- Replace remaining `egrep` with `grep -E`
- Add process affinity to slert logs
- Reintroduce cgroup statistics (and v2)
- Minor changes to basic-health-check: improve information level
- Collect important machine health counters
- powerpc: collect hot-pluggable PCI and PHB slots
- podman: collect podman disk usage
- Exclude binary files in crondir
- kexec/kdump: collect everything under /sys/kernel/kexec dir
- Use short-iso for journalctl

-----------------------------------------------------------------
Advisory ID: 186
Released: Fri Jan 23 15:16:57 2026
Summary: Recommended update for man
Type: recommended
Severity: moderate
References: 1240874

This update for man fixes the following issues:

- Do not mask out the already existing %ghost file entry
- Extend tmpfiles template man-db.conf (jsc#PED-14862)
  * Create cache directories with systemd tmpfiles service
- Update to man-db 2.13.1:
  * Update various manual page translations
  * Fix various minor formatting issues in manual pages.
  * Tolerate additional spaces in preprocessor strings.
  * Fix check for generated source files in out-of-tree builds.
  * Fix building with the `musl` C library.
  * Recognize another Ukrainian translation of the `NAME` section.
  * Increase the maximum size of the `NAME` section from 8192 to 16384 bytes.
- Port patches
- Avoid latest gettextize as it breaks build now
- If a section is specified do not show the list (bsc#1240874)
- Wait 15 seconds instead of 7 for a choice
- Explicitly mention `export' instead of `set' for MAN_POSIXLY_CORRECT

-----------------------------------------------------------------
Advisory ID: 221
Released: Thu Jan 29 17:14:38 2026
Summary: Security update for gpg2
Type: security
Severity: important
References: 1256389,1257395,1257396,CVE-2026-24882,CVE-2026-24883

This update for gpg2 fixes the following issues:

- CVE-2026-24882: stack-based buffer overflow in TPM2 PKDECRYPT for TPM-backed RSA and ECC keys (bsc#1257396).
- CVE-2026-24883: denial of service due to long signature packet length causing parse_signature to return success with sig->data[] set to a NULL value (bsc#1257395).
- gpg.fail/filename: GnuPG Accepts Path Separators and Path Traversals in Literal Data 'Filename' Field (bsc#1256389).

-----------------------------------------------------------------
Advisory ID: 218
Released: Thu Jan 29 18:44:57 2026
Summary: Security update for glibc
Type: security
Severity: important
References: 1236282,1256436,1256766,1256822,1257005,CVE-2025-0395,CVE-2025-15281,CVE-2026-0861,CVE-2026-0915

This update for glibc fixes the following issues:

Security fixes:

- CVE-2025-0395: Fixed buffer overflow in the assert() function (bsc#1236282).
- CVE-2026-0861: Fixed inadequate size check in the memalign suite that may result in an integer overflow (bsc#1256766).
- CVE-2026-0915: Fixed uninitialized stack buffer used as DNS query name when net==0 in _nss_dns_getnetbyaddr_r (bsc#1256822).
- CVE-2025-15281: Fixed uninitialized memory that may cause the process to abort (bsc#1257005).

Other fixes:

- NPTL: Optimize trylock for high cache contention workloads (bsc#1256436)

The following package changes have been done:

- curl-8.14.1-160000.4.1 updated
- file-5.46-160000.2.2 added
- findutils-4.10.0-160000.2.2 added
- glibc-locale-base-2.40-160000.3.1 updated
- glibc-locale-2.40-160000.3.1 updated
- glibc-2.40-160000.3.1 updated
- gpg2-2.5.5-160000.4.1 updated
- libcurl-mini4-8.14.1-160000.4.1 updated
- libpcap1-1.10.5-160000.4.1 updated
- libpython3_13-1_0-3.13.11-160000.1.1 updated
- libseccomp2-2.6.0-160000.2.2 added
- man-2.13.1-160000.1.1 updated
- python313-base-3.13.11-160000.1.1 updated
- supportutils-3.2.12.2-160000.1.1 updated
- iproute2-6.12-160000.2.2 removed
- libbpf1-1.6.1-160000.1.2 removed
- libmnl0-1.0.5-160000.2.2 removed
- libxtables12-1.8.11-160000.2.2 removed
- which-2.23-160000.2.2 removed