SUSE-CU-2026:5403-1: Security update of suse/sl-micro/6.0/toolbox

sle-container-updates at lists.suse.com sle-container-updates at lists.suse.com
Wed Jun 3 07:42:07 UTC 2026 

SUSE Container Update Advisory: suse/sl-micro/6.0/toolbox
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2026:5403-1
Container Tags        : suse/sl-micro/6.0/toolbox:13.2 , suse/sl-micro/6.0/toolbox:13.2-9.117 , suse/sl-micro/6.0/toolbox:latest
Container Release     : 9.117
Severity              : important
Type                  : security
References            : 1259802 1265935 1265938 1266039 CVE-2026-25707 CVE-2026-48863
                        CVE-2026-9149 CVE-2026-9150 
-----------------------------------------------------------------

The container suse/sl-micro/6.0/toolbox was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: 739
Released:    Tue Jun  2 17:57:44 2026
Summary:     Security update for libzypp, libsolv
Type:        security
Severity:    important
References:  1259802,1265935,1265938,1266039,CVE-2026-25707,CVE-2026-48863,CVE-2026-9149,CVE-2026-9150
This update for libzypp, libsolv fixes the following issues:

libsolv was updated to 0.7.39:

- fix solv_chksum_free segfault when called with a NULL pointer
- made repo_add_solv more robust against corrupt files
  [bsc#1265935] [CVE-2026-9149]
- fix potential buffer overflow when verifying EdDSA signatures
  [bsc#1266039] [CVE-2026-48863]
- added limit checks in multiple places to catch overflows
- reduce the size of the language id cache
- fixed Debian canon selection
- fixed dbpath detection in repo_rpmdb_librpm
- reduced stack usage in repo page compression (needed for musl)
- Fixed in earlier release: [bsc#1265938] [CVE-2026-9150]
- fix parsing of recommends in the old Mandriva synthesis format

libzypp was updated to 17.38.11:

- Fix potential crash on malformed or malicious repository
  metadata (fixes #740)
- Repo metadata: discard entries referring to a location outside
  the repo (bsc#1259802, CVE-2026-25707)
  Mirroring those data locally would refer to a location outside
  the repo's local cache directory. Those data entries are reported
  and discarded.
- zypp.conf: Allow [env] section to add environment variables.
  This feature is designed to enable environment-specific settings
  or debugging options over an extended period. See zypp.conf(5).


The following package changes have been done:

- libsolv-tools-base-0.7.39-1.1 updated
- libzypp-17.38.11-1.1 updated

More information about the sle-container-updates mailing list