SUSE-CU-2026:429-1: Security update of suse/kiosk/firefox-esr
sle-container-updates at lists.suse.com
Wed Jan 28 13:51:53 UTC 2026
SUSE Container Update Advisory: suse/kiosk/firefox-esr
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2026:429-1
Container Tags : suse/kiosk/firefox-esr:140.7 , suse/kiosk/firefox-esr:140.7-70.13 , suse/kiosk/firefox-esr:esr , suse/kiosk/firefox-esr:latest
Container Release : 70.13
Severity : important
Type : security
References : 1243867 1252895 1254666 1256105 1256340 1256341 1256459 1256498
1256499 1256500 1256525 1256526 1257049 CVE-2024-12224 CVE-2025-13151
CVE-2025-14017 CVE-2025-14104 CVE-2025-14327 CVE-2025-68276 CVE-2025-68468
CVE-2025-68471 CVE-2026-0877 CVE-2026-0878 CVE-2026-0879 CVE-2026-0880
CVE-2026-0882 CVE-2026-0883 CVE-2026-0884 CVE-2026-0885 CVE-2026-0886
CVE-2026-0887 CVE-2026-0890 CVE-2026-0891 CVE-2026-0988 CVE-2026-22693
CVE-2026-22695 CVE-2026-22801
-----------------------------------------------------------------
The container suse/kiosk/firefox-esr was updated. The following patches have been included in this update:
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:221-1
Released: Thu Jan 22 13:15:35 2026
Summary: Security update for curl
Type: security
Severity: moderate
References: 1256105,CVE-2025-14017
This update for curl fixes the following issues:
- CVE-2025-14017: Fixed broken TLS options for threaded LDAPS (bsc#1256105).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:224-1
Released: Thu Jan 22 13:18:20 2026
Summary: Security update for libtasn1
Type: security
Severity: moderate
References: 1256341,CVE-2025-13151
This update for libtasn1 fixes the following issues:
- CVE-2025-13151: Fixed stack-based buffer overflow in `asn1_expand_octet_string` (bsc#1256341).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:230-1
Released: Thu Jan 22 13:22:31 2026
Summary: Security update for util-linux
Type: security
Severity: moderate
References: 1254666,CVE-2025-14104
This update for util-linux fixes the following issues:
- CVE-2025-14104: Fixed heap buffer overread in setpwnam() when processing 256-byte usernames (bsc#1254666).
- lscpu: Add support for NVIDIA Olympus arm64 core (jsc#PED-13682).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:234-1
Released: Thu Jan 22 13:24:43 2026
Summary: Security update for libpng16
Type: security
Severity: moderate
References: 1256525,1256526,CVE-2026-22695,CVE-2026-22801
This update for libpng16 fixes the following issues:
- CVE-2026-22695: Fixed heap buffer over-read in png_image_finish_read (bsc#1256525)
- CVE-2026-22801: Fixed integer truncation causing heap buffer over-read in png_image_write_* (bsc#1256526).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:243-1
Released: Thu Jan 22 14:57:36 2026
Summary: Security update for librsvg
Type: security
Severity: moderate
References: 1243867,CVE-2024-12224
This update for librsvg fixes the following issues:
Update to version 2.57.4 - bsc#1243867:
+ CVE-2024-12224: RUSTSEC-2024-0421 - idna accepts Punycode labels that do not produce any non-ASCII when decoded.
+ RUSTSEC-2024-0404 - Unsoundness in anstream.
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2026:249-1
Released: Thu Jan 22 16:23:36 2026
Summary: Recommended update for libwebp
Type: recommended
Severity: moderate
References: 1252895
This update for libwebp ships the commandline tools to Package Hub.
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:259-1
Released: Thu Jan 22 17:10:44 2026
Summary: Security update for avahi
Type: security
Severity: moderate
References: 1256498,1256499,1256500,CVE-2025-68276,CVE-2025-68468,CVE-2025-68471
This update for avahi fixes the following issues:
- CVE-2025-68276: Fixed by refusing to create wide-area record browsers when wide-area is off (bsc#1256498)
- CVE-2025-68471: Fixed DoS bug by changing assert to return (bsc#1256500)
- CVE-2025-68468: Fixed DoS bug by removing incorrect assertion (bsc#1256499)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:260-1
Released: Thu Jan 22 17:11:40 2026
Summary: Security update for MozillaFirefox
Type: security
Severity: important
References: 1256340,CVE-2025-14327,CVE-2026-0877,CVE-2026-0878,CVE-2026-0879,CVE-2026-0880,CVE-2026-0882,CVE-2026-0883,CVE-2026-0884,CVE-2026-0885,CVE-2026-0886,CVE-2026-0887,CVE-2026-0890,CVE-2026-0891
This update for MozillaFirefox fixes the following issues:
Update to Firefox Extended Support Release 140.7.0 ESR (bsc#1256340).
- MFSA 2026-03
* CVE-2026-0877: Mitigation bypass in the DOM: Security component
* CVE-2026-0878: Sandbox escape due to incorrect boundary conditions in the Graphics: CanvasWebGL component
* CVE-2026-0879: Sandbox escape due to incorrect boundary conditions in the Graphics component
* CVE-2026-0880: Sandbox escape due to integer overflow in the Graphics component
* CVE-2026-0882: Use-after-free in the IPC component
* CVE-2025-14327: Spoofing issue in the Downloads Panel component
* CVE-2026-0883: Information disclosure in the Networking component
* CVE-2026-0884: Use-after-free in the JavaScript Engine component
* CVE-2026-0885: Use-after-free in the JavaScript: GC component
* CVE-2026-0886: Incorrect boundary conditions in the Graphics component
* CVE-2026-0887: Clickjacking issue, information disclosure in the PDF Viewer component
* CVE-2026-0890: Spoofing issue in the DOM: Copy-Paste and Drag-Drop component
* CVE-2026-0891: Memory safety bugs fixed in Firefox ESR 140.7, Thunderbird ESR 140.7, Firefox 147 and Thunderbird 147
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:286-1
Released: Sat Jan 24 00:35:35 2026
Summary: Security update for glib2
Type: security
Severity: low
References: 1257049,CVE-2026-0988
This update for glib2 fixes the following issues:
- CVE-2026-0988: Fixed a potential integer overflow in g_buffered_input_stream_peek (bsc#1257049).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:287-1
Released: Sat Jan 24 00:35:49 2026
Summary: Security update for harfbuzz
Type: security
Severity: moderate
References: 1256459,CVE-2026-22693
This update for harfbuzz fixes the following issues:
- CVE-2026-22693: Fixed a NULL pointer dereference in SubtableUnicodesCache::create (bsc#1256459).
-----------------------------------------------------------------
The following package changes have been done:
- libavahi-common3-0.8-150600.15.12.1 updated
- libglib-2_0-0-2.78.6-150600.4.28.1 updated
- libsmartcols1-2.40.4-150700.4.3.1 updated
- libuuid1-2.40.4-150700.4.3.1 updated
- libwebp7-1.0.3-150200.3.14.1 updated
- libblkid1-2.40.4-150700.4.3.1 updated
- libgthread-2_0-0-2.78.6-150600.4.28.1 updated
- libgobject-2_0-0-2.78.6-150600.4.28.1 updated
- libgmodule-2_0-0-2.78.6-150600.4.28.1 updated
- libwebpmux3-1.0.3-150200.3.14.1 updated
- libpng16-16-1.6.40-150600.3.6.1 updated
- libmount1-2.40.4-150700.4.3.1 updated
- libfdisk1-2.40.4-150700.4.3.1 updated
- libopenssl-3-fips-provider-3.2.3-150700.5.21.1 added
- libtasn1-6-4.13-150000.4.14.1 updated
- libtasn1-4.13-150000.4.14.1 updated
- libgio-2_0-0-2.78.6-150600.4.28.1 updated
- glib2-tools-2.78.6-150600.4.28.1 updated
- libharfbuzz0-8.3.0-150600.3.3.1 updated
- libavahi-client3-0.8-150600.15.12.1 updated
- libcurl4-8.14.1-150700.7.11.1 updated
- librsvg-2-2-2.57.4-150600.3.3.1 updated
- gdk-pixbuf-loader-rsvg-2.57.4-150600.3.3.1 updated
- util-linux-2.40.4-150700.4.3.1 updated
- patterns-base-fips-20200124-150700.36.1 added
- MozillaFirefox-140.7.0-150200.152.216.1 updated
- container:registry.suse.com-bci-bci-micro-15.7-55883c76f750bdb0fa8cf3fe2e43f19f9babc501efce9801e94a9c0c8d115a20-0 updated