SUSE-IU-2026:13-1: Security update of suse/sl-micro/6.0/kvm-os-container
sle-container-updates at lists.suse.com
sle-container-updates at lists.suse.com
Tue Jan 6 16:10:31 UTC 2026
SUSE Image Update Advisory: suse/sl-micro/6.0/kvm-os-container
-----------------------------------------------------------------
Image Advisory ID : SUSE-IU-2026:13-1
Image Tags : suse/sl-micro/6.0/kvm-os-container:2.1.3 , suse/sl-micro/6.0/kvm-os-container:2.1.3-6.100 , suse/sl-micro/6.0/kvm-os-container:latest
Image Release : 6.100
Severity : important
Type : security
References : 1230042 1240157 1243013 1246566 1250984 1252768 1253002 1254286
CVE-2025-11234 CVE-2025-12464
-----------------------------------------------------------------
The container suse/sl-micro/6.0/kvm-os-container was updated. The following patches have been included in this update:
-----------------------------------------------------------------
Advisory ID: 545
Released: Tue Jan 6 12:41:24 2026
Summary: Security update for qemu
Type: security
Severity: important
References: 1230042,1240157,1243013,1246566,1250984,1252768,1253002,1254286,CVE-2025-11234,CVE-2025-12464
This update for qemu fixes the following issues:
Update to version 8.2.10.
Security issues fixed:
- CVE-2025-12464: stack-based buffer overflow in the e1000 network device operations can be exploited by a malicious
guest user to crash the QEMU process on the host (bsc#1253002).
- CVE-2025-11234: use-after-free in WebSocket handshake operations can be exploited by a malicious client with network
access to the VNC WebSocket port to cause a denial-of-service (bsc#1250984).
Other updates and bugfixes:
- [openSUSE][RPM] spec: require qemu-hw-display-virtio-gpu-pci for x86 too.
- [openSUSE][RPM]: really fix *-virtio-gpu-pci dependency on ARM (bsc#1254286).
- block/curl: fix curl internal handles handling (bsc#1252768).
- [openSUSE][RPM]: spec: qemu-vgabios is required on ppc (bsc#1230042).
- [roms] seabios: include 'pciinit: don't misalign large BARs' (bsc#1246566).
- [openSUSE][RPM] spec: Require ipxe and virtio-gpu packages for more arch-es (bsc#1240157).
- [openSUSE][RPM]: disable LTO for userspace emulation on 15.6 (bsc#1243013).
- Version 8.2.10 changes:
* Full changelog: https://lore.kernel.org/qemu-devel/7dd1fbc7-a58f-4b2c-82b9-735840246ab2@tls.msk.ru/
* Some backports:
- hw/misc/aspeed_hace: Fix buffer overflow in has_padding function
- target/ppc: Fix e200 duplicate SPRs
- linux-user/riscv: Fix handling of cpu mask in riscv_hwprobe syscall
- docs/about/emulation: Fix broken link
- vdpa: Allow vDPA to work on big-endian machine
- vdpa: Fix endian bugs in shadow virtqueue
- target/loongarch: Fix vldi inst
- target/arm: Simplify pstate_sm check in sve_access_check
- target/arm: Make DisasContext.{fp, sve}_access_checked tristate
- util/cacheflush: Make first DSB unconditional on aarch64
- ui/cocoa: Temporarily ignore annoying deprecated declaration warnings
- docs: Rename default-configs to configs
- block: Zero block driver state before reopening
- hw/xen/hvm: Fix Aarch64 typo
- hw/net/smc91c111: Don't allow data register access to overrun buffer
- hw/net/smc91c111: Sanitize packet length on tx
- hw/net/smc91c111: Sanitize packet numbers
- hw/net/smc91c111: Ignore attempt to pop from empty RX fifo
- ppc/pnv/occ: Fix common area sensor offsets
- net: move backend cleanup to NIC cleanup
- net: parameterize the removing client from nc list
- util/qemu-timer.c: Don't warp timer from timerlist_rearm()
- target/arm: Correct STRD atomicity
- target/arm: Correct LDRD atomicity and fault behaviour
The following package changes have been done:
- qemu-guest-agent-8.2.10-1.1 updated
More information about the sle-container-updates
mailing list