SUSE-IU-2026:4083-1: Security update of suse/sl-micro/6.1/base-os-container

sle-container-updates at lists.suse.com sle-container-updates at lists.suse.com
Wed Jun 3 07:46:24 UTC 2026 

SUSE Image Update Advisory: suse/sl-micro/6.1/base-os-container
-----------------------------------------------------------------
Image Advisory ID : SUSE-IU-2026:4083-1
Image Tags        : suse/sl-micro/6.1/base-os-container:2.2.1 , suse/sl-micro/6.1/base-os-container:2.2.1-5.136 , suse/sl-micro/6.1/base-os-container:latest
Image Release     : 5.136
Severity          : important
Type              : security
References        : 1255715 1256243 1256244 1256246 1256390 1259802 1265935 1265938
                        1266039 CVE-2025-68973 CVE-2026-25707 CVE-2026-48863 CVE-2026-9149
                        CVE-2026-9150 
-----------------------------------------------------------------

The container suse/sl-micro/6.1/base-os-container was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: 560
Released:    Tue Jun  2 18:20:17 2026
Summary:     Security update for libzypp, libsolv
Type:        security
Severity:    important
References:  1255715,1256243,1256244,1256246,1256390,1259802,1265935,1265938,1266039,CVE-2025-68973,CVE-2026-25707,CVE-2026-48863,CVE-2026-9149,CVE-2026-9150
This update for libzypp, libsolv fixes the following issues:

libsolv was updated to 0.7.39.

- fix solv_chksum_free segfault when called with a NULL pointer
- made repo_add_solv more robust against corrupt files
  [bsc#1265935] [CVE-2026-9149]
- fix potential buffer overflow when verifying EdDSA signatures
  [bsc#1266039] [CVE-2026-48863]
- added limit checks in multiple places to catch overflows
- reduce the size of the language id cache
- fixed Debian canon selection
- fixed dbpath detection in repo_rpmdb_librpm
- reduced stack usage in repo page compression (needed for musl)
- fixed in earlier release: [bsc#1265938] [CVE-2026-9150]
- fix parsing of recommends in the old Mandriva synthesis format

libzypp was updated to 17.38.11:

- Fix potential crash on malformed or malicious repository
  metadata (fixes #740)
- Repo metadata: discard entries referring to a location outside
  the repo (bsc#1259802, CVE-2026-25707)
  Mirroring those data locally would refer to a location outside
  the repo's local cache directory. Those data entries are reported
  and discarded.
- zypp.conf: Allow [env] section to add environment variables.
  This feature is designed to enable environment-specific settings
  or debugging options over an extended period. See zypp.conf(5).


The following package changes have been done:

- libsolv-tools-base-0.7.39-slfo.1.1_1.1 updated
- libzypp-17.38.11-slfo.1.1_1.1 updated
- container:suse-toolbox-image-1.0.0-5.61 updated

More information about the sle-container-updates mailing list