SUSE-IU-2026:5441-1: Security update of suse/sl-micro/6.1/baremetal-os-container

sle-container-updates at lists.suse.com sle-container-updates at lists.suse.com
Sat Jul 4 07:14:56 UTC 2026


SUSE Image Update Advisory: suse/sl-micro/6.1/baremetal-os-container
-----------------------------------------------------------------
Image Advisory ID : SUSE-IU-2026:5441-1
Image Tags        : suse/sl-micro/6.1/baremetal-os-container:2.2.1 , suse/sl-micro/6.1/baremetal-os-container:2.2.1-7.130 , suse/sl-micro/6.1/baremetal-os-container:latest
Image Release     : 7.130
Severity          : important
Type              : security
References        : 1216378 1258392 1262043 1262044 1262069 1262070 1262071 1262072
                        1265060 1265061 1265062 1265070 CVE-2023-45853 CVE-2026-27171
                        CVE-2026-32316 CVE-2026-33947 CVE-2026-33948 CVE-2026-39956 CVE-2026-39979
                        CVE-2026-40164 CVE-2026-40612 CVE-2026-41256 CVE-2026-41257 CVE-2026-43894
-----------------------------------------------------------------

The container suse/sl-micro/6.1/baremetal-os-container was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: 610
Released:    Fri Jul  3 14:16:11 2026
Summary:     Security update for jq
Type:        security
Severity:    important
References:  1216378,1258392,1262043,1262044,1262069,1262070,1262071,1262072,1265060,1265061,1265062,1265070,CVE-2023-45853,CVE-2026-27171,CVE-2026-32316,CVE-2026-33947,CVE-2026-33948,CVE-2026-39956,CVE-2026-39979,CVE-2026-40164,CVE-2026-40612,CVE-2026-41256,CVE-2026-41257,CVE-2026-43894
This update for jq fixes the following issues:

- CVE-2026-32316: integer overflow within the `jvp_string_append()` and `jvp_string_copy_replace_bad` functions can
  lead to heap buffer overflow when evaluating untrusted jq queries (bsc#1262044).
- CVE-2026-33947: unbounded recursion in functions `jv_setpath()`, `jv_getpath()`, and `delpaths_sorted()` can lead to
  excessive resource consumption when processing crafted JSON input (bsc#1262069).
- CVE-2026-39956: missing runtime type checks in `_strindices` and `jv_string_indexes()` can lead to a crash when
  evaluating untrusted jq filters against a release build (bsc#1262070).
- CVE-2026-39979: incorrect processing of non-nul-terminated counted buffers in `jv_parse_sized` can lead to an
  out-of-bounds read when processing malformed JSON (bsc#1262071).
- CVE-2026-40164: use of `MurmurHash3` with a hardcoded seed allows pre-computation of key collisions and can lead to a
  denial of service via resource exhaustion when processing crafted JSON objects (bsc#1262072).
- CVE-2026-40612: recursion into nested arrays/objects with no depth limit in `jv_contains` can lead to a C stack
  exhaustion when processing crafted input (bsc#1265060).
- CVE-2026-41256: truncation of top-level jq programs loaded with `-f` and can lead to the execution of unintended
  programs (bsc#1265061).
- CVE-2026-41257: integer overflow in `stack_reallocate` can lead to memory corruption and DoS when processing jq
  bytecode (bsc#1265062).
- CVE-2026-43894: signed integer overflow in the `decNumberFromString` `D2U()` macro can lead to an out-of-bounds
  memory write when processing large number literals (bsc#1265070).
- CVE-2026-33948: improper handling of buffer sizes via `strlen()` instead of `fgets()` in CLI input parsing allows
  validation bypass via embedded NUL bytes (bsc#1262043).


The following package changes have been done:

- libjq1-1.7.1-slfo.1.1_3.1 updated
- jq-1.7.1-slfo.1.1_3.1 updated


More information about the sle-container-updates mailing list