SUSE-CU-2026:221-1: Security update of rancher/seedimage-builder
sle-container-updates at lists.suse.com
Thu Jan 15 08:04:37 UTC 2026
SUSE Container Update Advisory: rancher/seedimage-builder
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2026:221-1
Container Tags : rancher/seedimage-builder:1.7.3 , rancher/seedimage-builder:1.7.3-3.47 , rancher/seedimage-builder:latest
Container Release : 3.47
Severity : important
Type : security
References : 1215377 1215484 1219276 1220905 1223903 1224386 1229122 1229163
1229164 1230642 1230840 1230944 1231591 1231605 1232411 1233606
1233608 1233609 1233610 1233612 1233613 1233614 1233615 1233616
1233617 1234022 1234881 1234958 1234959 1236217 1236217 1236316
1236317 1237002 1237006 1237008 1237009 1237010 1237011 1237012
1237013 1237014 1237147 1238572 1239182 1239749 1240550 1240764
1241205 1241872 1241938 1241957 1242011 1242300 1242631 1242715
1242971 1243106 1243268 1243314 1243332 1243422 1243423 1244156
1244157 1244449 1245551 1246934 1246974 1247242 1247286 1247495
1248158 1248356 1248501 1249140 1249191 1249348 1249367 1249375
1249584 1250232 1252930 1252931 1252932 1252933 1252934 1252935
1253741 1253757 1254157 1254158 1254159 1254160 1254441 1254480
1254563 1255731 1255732 1255733 1255734 528882 553466 CVE-2017-14992
CVE-2017-9232 CVE-2019-11243 CVE-2019-15119 CVE-2022-48622 CVE-2023-32198
CVE-2024-22031 CVE-2024-40635 CVE-2024-45774 CVE-2024-45775 CVE-2024-45776
CVE-2024-45777 CVE-2024-45778 CVE-2024-45779 CVE-2024-45780 CVE-2024-45781
CVE-2024-45782 CVE-2024-45783 CVE-2024-49504 CVE-2024-56737 CVE-2024-56738
CVE-2025-0622 CVE-2025-0624 CVE-2025-0677 CVE-2025-0678 CVE-2025-0684
CVE-2025-0685 CVE-2025-0686 CVE-2025-0689 CVE-2025-0690 CVE-2025-0913
CVE-2025-10148 CVE-2025-10158 CVE-2025-1118 CVE-2025-1125 CVE-2025-11563
CVE-2025-1386 CVE-2025-14524 CVE-2025-14819 CVE-2025-15079 CVE-2025-15224
CVE-2025-22247 CVE-2025-22870 CVE-2025-22871 CVE-2025-22871 CVE-2025-22872
CVE-2025-22873 CVE-2025-23390 CVE-2025-2424 CVE-2025-24358 CVE-2025-2475
CVE-2025-24839 CVE-2025-24866 CVE-2025-2564 CVE-2025-27538 CVE-2025-27571
CVE-2025-27936 CVE-2025-30204 CVE-2025-30206 CVE-2025-30215 CVE-2025-31363
CVE-2025-31483 CVE-2025-31489 CVE-2025-32024 CVE-2025-32025 CVE-2025-32093
CVE-2025-32386 CVE-2025-32387 CVE-2025-32431 CVE-2025-32445 CVE-2025-32777
CVE-2025-32793 CVE-2025-32963 CVE-2025-3416 CVE-2025-35965 CVE-2025-3801
CVE-2025-3879 CVE-2025-41395 CVE-2025-41423 CVE-2025-4166 CVE-2025-4210
CVE-2025-4382 CVE-2025-43859 CVE-2025-43970 CVE-2025-43971 CVE-2025-43972
CVE-2025-43973 CVE-2025-4476 CVE-2025-46327 CVE-2025-46342 CVE-2025-46569
CVE-2025-46599 CVE-2025-4673 CVE-2025-47268 CVE-2025-47287 CVE-2025-4945
CVE-2025-4948 CVE-2025-4969 CVE-2025-54770 CVE-2025-54771 CVE-2025-59375
CVE-2025-61661 CVE-2025-61662 CVE-2025-61663 CVE-2025-61664 CVE-2025-64505
CVE-2025-64506 CVE-2025-64720 CVE-2025-65018 CVE-2025-66293 CVE-2025-8114
CVE-2025-8277 CVE-2025-9086 CVE-2025-9230
-----------------------------------------------------------------
The container rancher/seedimage-builder was updated. The following patches have been included in this update:
-----------------------------------------------------------------
Advisory ID: 273
Released: Mon Sep 22 10:29:39 2025
Summary: Recommended update for audit
Type: recommended
Severity: moderate
References: 1215377,1236217,1238572,1239182,1240550,CVE-2025-22870,CVE-2025-22871
This update for audit fixes the following issues:
- Fix plugin termination when using systemd service units (bsc#1215377)
-----------------------------------------------------------------
Advisory ID: 286
Released: Fri Sep 26 11:21:50 2025
Summary: Security update for curl
Type: security
Severity: important
References: 1215484,1220905,1230642,1230944,1231605,1234022,1234881,1249191,1249348,1249367,CVE-2025-10148,CVE-2025-9086
This update for curl fixes the following issues:
- tool_operate: fix return code when --retry is used but not
triggered [bsc#1249367]
- Security fixes:
* CVE-2025-9086: Fixed Out of bounds read for cookie path (bsc#1249191)
* CVE-2025-10148: Fixed predictable WebSocket mask (bsc#1249348)
-----------------------------------------------------------------
Advisory ID: 308
Released: Fri Oct 17 14:05:21 2025
Summary: Security update for grub2
Type: security
Severity: important
References: 1229163,1229164,1230840,1231591,1232411,1233606,1233608,1233609,1233610,1233612,1233613,1233614,1233615,1233616,1233617,1234958,1234959,1236316,1236317,1237002,1237006,1237008,1237009,1237010,1237011,1237012,1237013,1237014,1242971,1247242,1249140,CVE-2024-45774,CVE-2024-45775,CVE-2024-45776,CVE-2024-45777,CVE-2024-45778,CVE-2024-45779,CVE-2024-45780,CVE-2024-45781,CVE-2024-45782,CVE-2024-45783,CVE-2024-49504,CVE-2024-56737,CVE-2024-56738,CVE-2025-0622,CVE-2025-0624,CVE-2025-0677,CVE-2025-0678,CVE-2025-0684,CVE-2025-0685,CVE-2025-0686,CVE-2025-0689,CVE-2025-0690,CVE-2025-1118,CVE-2025-1125,CVE-2025-4382
This update for grub2 fixes the following issues:
- Fix error: /boot/grub2/x86_64-efi/bli.mod not found (bsc#1231591)
- Fix OOM error in loading loopback file (bsc#1230840) (bsc#1249140)
- Update the patch to fix 'SRK not matched' errors when unsealing
the key (bsc#1232411) (bsc#1247242)
Security fixes for 2024:
- Bump upstream SBAT generation to 5
- CVE-2024-45774: Fixed heap overflows in JPEG parser (bsc#1233609)
- CVE-2024-45775: Fixed missing NULL check in extcmd parser (bsc#1233610)
- CVE-2024-45776: Fixed overflow in .MO file (gettext) handling (bsc#1233612)
- CVE-2024-45777: Fixed integer overflow in gettext (bsc#1233613)
- CVE-2024-45778: Fixed bfs filesystem not fuzzing stable (bsc#1233606)
- CVE-2024-45779: Fixed bfs heap overflow (bsc#1233608)
- CVE-2024-45780: Fixed overflow in tar/cpio (bsc#1233614)
- CVE-2024-45781: Fixed ufs strcpy overflow (bsc#1233617)
- CVE-2024-45782: Fixed hfs strcpy overflow (bsc#1233615)
- CVE-2024-45783: Fixed hfsplus refcount overflow (bsc#1233616)
- CVE-2024-49504: Fixed bypassing TPM-bound disk encryption on SL(E)M
encrypted Images (bsc#1229163) (bsc#1229164)
- CVE-2024-56737: Fixed heap-based buffer overflow in fs/hfs.c via
crafted sblock data in an HFS filesystem (bsc#1234958)
- CVE-2024-56738: Fixed side-channel attack due to non-constant-time
algorithm in grub_crypto_memcmp (bsc#1234959)
- CVE-2025-0622: Fixed command/gpg use-after-free due to hooks not being
removed on module unload (bsc#1236317)
- CVE-2025-0624: Fixed net Out-of-bounds write in grub_net_search_config_file() (bsc#1236316)
- CVE-2025-0677: Fixed UFS integer overflow may lead to heap based
out-of-bounds write when handling symlinks (bsc#1237002)
- CVE-2025-0678: Fixed squash4 Integer overflow may lead to heap based
out-of-bounds write when reading data (bsc#1237006)
- CVE-2025-0684: Fixed reiserfs Integer overflow when handling symlinks
may lead to heap based out-of-bounds write when reading data (bsc#1237008)
- CVE-2025-0685: Fixed jfs Integer overflow when handling symlinks may
lead to heap based out-of-bounds write when reading data (bsc#1237009)
- CVE-2025-0686: Fixed romfs Integer overflow when handling symlinks
may lead to heap based out-of-bounds write when reading data (bsc#1237010)
- CVE-2025-0689: Fixed udf heap based buffer overflow in
grub_udf_read_block() may lead to arbitrary code execution (bsc#1237011)
- CVE-2025-0690: Fixed 'read' integer overflow may lead to out-of-bounds write (bsc#1237012)
- CVE-2025-1118: Fixed commands/dump: the dump command is not in lockdown when secure boot is enabled (bsc#1237013)
- CVE-2025-1125: Fixed fs/hfs integer overflow may lead to heap based out-of-bounds write (bsc#1237014)
- CVE-2025-4382: Fixed TPM auto-decryption data exposure (bsc#1242971)
- Restrict CLI access if the encrypted root device is automatically unlocked by
the TPM. LUKS password authentication is required for access to be granted
-----------------------------------------------------------------
Advisory ID: 310
Released: Mon Oct 20 18:26:21 2025
Summary: Recommended update for aaa_base
Type: recommended
Severity: important
References: 1219276,1223903,1241205,1242011,1247286,1247495,1248158,CVE-2022-48622
This update for aaa_base fixes the following issues:
Update to version 84.87+git20250903.33e5ba4:
* Correct fix for bsc#1247495 (bsc#1248158)
Update to version 84.87+git20250805.3069494:
* Remove initviocons for tcsh as well and
* Update csh.login
* Add missing quoting and remove unneeded uses of eval
Update to version 84.87+git20250801.f305627:
* Remove sysconfig.language [bsc#1247286]
Update to version 84.87+git20250801.b2fa3fe:
* Allow /etc/locale.conf to have no newline
Update to version 84.87+git20250429.1cad3bc:
* Remove alias 'you' (bsc#1242011)
Update to version 84.87+git20250425.1664836:
* alias.bash: future-proof egrep/fgrep color aliases
Update to version 84.87+git20250410.71df276:
* Modern s390x uses TERM=linux for ttysclp<X>
Update to version 84.87+git20250313.4dd1cfd:
* DIR_COLORS: add backup and temporary file extensions
* DIR_COLORS: sort audio formats
* DIR_COLORS: use cyan for audio formats instead of green
* DIR_COLORS: add 'avif' to image formats
* DIR_COLORS: add updated and sorted list of archive formats
* DIR_COLORS: don't colour DOS/Windows executables
* DIR_COLORS: update existing colours and add missing ones
* DIR_COLORS: add COLORTERM and 'st' terminal
* DIR_COLORS: update file description
* DIR_COLORS: sort TERM entries
* DIR_COLORS: remove COLOR, OPTIONS and EIGHTBIT
Update to version 84.87+git20250313.e71c2f4:
* Respect PROFILEREAD/CSHRCREAD at shell switch
* Modernize specfile
* Add safety quotes and proper escaping
* Avoid bashisms in build recipe
* Add setup-systemd-proxy-env
* profile.{sh,csh}: Drop useless proxy variables cleanup
Update to version 84.87+git20250102.c08e614:
* Load distrobox_profile.sh
-----------------------------------------------------------------
Advisory ID: 309
Released: Mon Oct 20 18:31:36 2025
Summary: Security update for libssh
Type: security
Severity: moderate
References: 1239749,1246974,1249375,CVE-2024-40635,CVE-2025-8114,CVE-2025-8277
This update for libssh fixes the following issues:
- CVE-2025-8114: Fixed NULL pointer dereference when calculating the session ID
during the key exchange (KEX) process (bsc#1246974)
- CVE-2025-8277: Fixed Memory Exhaustion via Repeated Key Exchange (bsc#1249375)
-----------------------------------------------------------------
Advisory ID: 316
Released: Wed Oct 22 14:12:39 2025
Summary: Security update for openssl-3
Type: security
Severity: important
References: 1236217,1240764,1242715,1250232,CVE-2025-22873,CVE-2025-9230
This update for openssl-3 fixes the following issues:
Security issues:
- CVE-2025-9230: Fix out-of-bounds read & write in RFC 3211 KEK unwrap (bsc#1250232)
- Disable LTO for userspace livepatching [jsc#PED-13245]
-----------------------------------------------------------------
Advisory ID: 315
Released: Wed Oct 22 14:12:39 2025
Summary: Security update for expat
Type: security
Severity: important
References: 1249584,CVE-2017-14992,CVE-2017-9232,CVE-2019-11243,CVE-2019-15119,CVE-2023-32198,CVE-2024-22031,CVE-2025-1386,CVE-2025-22871,CVE-2025-22872,CVE-2025-23390,CVE-2025-2424,CVE-2025-24358,CVE-2025-2475,CVE-2025-24839,CVE-2025-24866,CVE-2025-2564,CVE-2025-27538,CVE-2025-27571,CVE-2025-27936,CVE-2025-30204,CVE-2025-30206,CVE-2025-30215,CVE-2025-31363,CVE-2025-31483,CVE-2025-31489,CVE-2025-32024,CVE-2025-32025,CVE-2025-32093,CVE-2025-32386,CVE-2025-32387,CVE-2025-32431,CVE-2025-32445,CVE-2025-32777,CVE-2025-32793,CVE-2025-32963,CVE-2025-35965,CVE-2025-3801,CVE-2025-3879,CVE-2025-41395,CVE-2025-41423,CVE-2025-4166,CVE-2025-4210,CVE-2025-43970,CVE-2025-43971,CVE-2025-43972,CVE-2025-43973,CVE-2025-46327,CVE-2025-46342,CVE-2025-46569,CVE-2025-46599,CVE-2025-59375
This update for expat fixes the following issues:
- CVE-2025-59375: memory amplification vulnerability allows attackers to trigger excessive dynamic memory allocations
by submitting crafted XML input (bsc#1249584).
-----------------------------------------------------------------
Advisory ID: 327
Released: Mon Nov 3 08:33:37 2025
Summary: Recommended update for libgcrypt
Type: recommended
Severity: moderate
References: 1241872,1246934,CVE-2025-43859
This update for libgcrypt fixes the following issues:
- Fix running the test suite in FIPS mode (bsc#1246934)
-----------------------------------------------------------------
Advisory ID: 341
Released: Fri Nov 21 14:08:21 2025
Summary: Security update for grub2
Type: security
Severity: moderate
References: 1241957,1252930,1252931,1252932,1252933,1252934,1252935,CVE-2025-54770,CVE-2025-54771,CVE-2025-61661,CVE-2025-61662,CVE-2025-61663,CVE-2025-61664
This update for grub2 fixes the following issues:
- CVE-2025-54770: Missing unregister call for net_set_vlan command may lead to use-after-free (bsc#1252930)
- CVE-2025-54771: grub_file_close() does not properly control the fs refcount (bsc#1252931)
- CVE-2025-61661: Out-of-bounds write in grub_usb_get_string() function (bsc#1252932)
- CVE-2025-61662: Missing unregister call for gettext command may lead to use-after-free (bsc#1252933)
- CVE-2025-61663: Missing unregister call for normal commands may lead to use-after-free (bsc#1252934)
- CVE-2025-61664: Missing unregister call for normal_exit command may lead to use-after-free (bsc#1252935)
-----------------------------------------------------------------
Advisory ID: 345
Released: Mon Dec 1 09:58:15 2025
Summary: Recommended update for kmod
Type: recommended
Severity: important
References: 1237147,1241938,1243106,1253741,CVE-2025-22247
This update for kmod fixes the following issues:
- Fix modprobe.d confusion on man page (bsc#1253741):
* document the config file order handling
-----------------------------------------------------------------
Advisory ID: 346
Released: Tue Dec 9 17:34:04 2025
Summary: Security update for curl
Type: security
Severity: moderate
References: 1242300,1253757,CVE-2025-11563,CVE-2025-47268
This update for curl fixes the following issues:
- CVE-2025-11563: Fixed wcurl path traversal with percent-encoded slashes (bsc#1253757).
-----------------------------------------------------------------
Advisory ID: 354
Released: Tue Dec 16 09:24:29 2025
Summary: Security update for libpng16
Type: security
Severity: important
References: 1242631,1254157,1254158,1254159,1254160,1254480,CVE-2025-3416,CVE-2025-64505,CVE-2025-64506,CVE-2025-64720,CVE-2025-65018,CVE-2025-66293
This update for libpng16 fixes the following issues:
- CVE-2025-66293: Fixed out-of-bounds read in png_image_read_composite (bsc#1254480).
- CVE-2025-64505: Fixed heap buffer over-read in `png_do_quantize` via malformed palette index (bsc#1254157).
- CVE-2025-64506: Fixed heap buffer over-read in `png_write_image_8bit` with 8-bit input and `convert_to_8bit` enabled (bsc#1254158).
- CVE-2025-64720: Fixed buffer overflow in `png_image_read_composite` via incorrect palette premultiplication (bsc#1254159).
- CVE-2025-65018: Fixed heap buffer overflow in `png_combine_row` triggered via `png_image_finish_read` (bsc#1254160).
-----------------------------------------------------------------
Advisory ID: 355
Released: Fri Dec 19 15:37:03 2025
Summary: Recommended update for systemd
Type: recommended
Severity: important
References: 1224386,1229122,1244156,1244157,1244449,1245551,1248356,1248501,1254563,CVE-2025-0913,CVE-2025-4673
This update for systemd fixes the following issues:
- timer: rebase last_trigger timestamp if needed
- timer: rebase the next elapse timestamp only if timer didn't already run
- timer: don't run service immediately after restart of a timer (bsc#1254563)
- test: check the next elapse timer timestamp after deserialization
- test: restarting elapsed timer shouldn't trigger the corresponding service
- units: don't force the loading of the loop and dm_mod modules in systemd-repart.service (bsc#1248356)
- units: add dep on systemd-logind.service by user@.service
- detect-virt: add bare-metal support for GCE (bsc#1244449)
- Sync systemd-update-helper with the version shipped in Base:System
- systemd-update-helper: do not stop or disable services when they are migrated
to other packages. This can occur during package renaming or splitting.
- systemd-update-helper: Fix invalid use of 'break' in case statement
- systemd-update-helper: fix regression introduced when support for package
renaming/splitting was added (bsc#1245551)
- systemd-update-helper:
* Since user@.service has `Type=notify-reload` and reloading implies reexecuting
with `ReloadSignal=RTMIN+25`, reexecuting user managers synchronously
can be achieved with `systemctl reload user@*.service` now.
- systemd.spec: use %sysusers_generate_pre so that some systemd users are
already available in %pre (bsc#1248501)
- Split systemd-network into two new sub-packages: systemd-networkd and
systemd-resolved (bsc#1224386 jsc#PED-12669)
-----------------------------------------------------------------
Advisory ID: 365
Released: Fri Jan 2 12:13:06 2026
Summary: Security update for rsync
Type: security
Severity: moderate
References: 1243268,1254441,CVE-2025-10158,CVE-2025-47287
This update for rsync fixes the following issues:
- CVE-2025-10158: Fixed out of bounds array access via negative index (bsc#1254441)
-----------------------------------------------------------------
Advisory ID: 368
Released: Thu Jan 8 15:51:43 2026
Summary: Security update for curl
Type: security
Severity: moderate
References: 1243314,1243332,1243422,1243423,1255731,1255732,1255733,1255734,528882,553466,CVE-2025-14524,CVE-2025-14819,CVE-2025-15079,CVE-2025-15224,CVE-2025-4476,CVE-2025-4945,CVE-2025-4948,CVE-2025-4969
This update for curl fixes the following issues:
- CVE-2025-14524: bearer token leak on cross-protocol redirect (bsc#1255731).
- CVE-2025-14819: libssh global knownhost override (bsc#1255732).
- CVE-2025-15079: libssh key passphrase bypass without agent set (bsc#1255733).
- CVE-2025-15224: OpenSSL partial chain store policy bypass (bsc#1255734).
The following package changes have been done:
- libssh-config-0.10.6-slfo.1.1_3.1 updated
- libtasn1-6-4.19.0-slfo.1.1_3.1 updated
- libexpat1-2.7.1-slfo.1.1_3.1 updated
- libaudit1-3.1.1-slfo.1.1_2.1 updated
- libpng16-16-1.6.43-slfo.1.1_2.1 updated
- libgcrypt20-1.10.3-slfo.1.1_3.1 updated
- libudev1-254.27-slfo.1.1_2.1 updated
- libsystemd0-254.27-slfo.1.1_2.1 updated
- libopenssl3-3.1.4-slfo.1.1_7.1 updated
- pam-1.6.1-slfo.1.1_4.1 updated
- grub2-2.12-slfo.1.1_3.1 updated
- grub2-i386-pc-2.12-slfo.1.1_3.1 updated
- kmod-32-slfo.1.1_2.1 updated
- rsync-3.3.0-slfo.1.1_4.1 updated
- libkmod2-32-slfo.1.1_2.1 updated
- libssh4-0.10.6-slfo.1.1_3.1 updated
- aaa_base-84.87+git20250903.33e5ba4-slfo.1.1_1.1 updated
- libcurl4-8.14.1-slfo.1.1_4.1 updated
- curl-8.14.1-slfo.1.1_4.1 updated
- systemd-254.27-slfo.1.1_2.1 updated
- udev-254.27-slfo.1.1_2.1 updated
- container:suse-toolbox-image-1.0.0-4.100 updated