SUSE-IU-2026:4087-1: Security update of suse/sl-micro/6.2/baremetal-os-container
sle-container-updates at lists.suse.com
Wed Jun 3 08:00:16 UTC 2026
SUSE Image Update Advisory: suse/sl-micro/6.2/baremetal-os-container
-----------------------------------------------------------------
Image Advisory ID : SUSE-IU-2026:4087-1
Image Tags : suse/sl-micro/6.2/baremetal-os-container:2.3.0 , suse/sl-micro/6.2/baremetal-os-container:2.3.0-7.173 , suse/sl-micro/6.2/baremetal-os-container:latest
Image Release : 7.173
Severity : important
Type : security
References : 1254441 1255835 1256518 1259220 1259221 1259373 1262223 1264511
1264512 1264513 1264514 1264515 1264965 1264965 1265296 CVE-2025-10158
CVE-2026-21428 CVE-2026-22776 CVE-2026-28434 CVE-2026-28435 CVE-2026-29076
CVE-2026-29518 CVE-2026-41035 CVE-2026-43617 CVE-2026-43618 CVE-2026-43619
CVE-2026-43620 CVE-2026-45232
-----------------------------------------------------------------
The container suse/sl-micro/6.2/baremetal-os-container was updated. The following patches have been included in this update:
-----------------------------------------------------------------
Advisory ID: 724
Released: Fri May 8 12:00:29 2026
Summary: Security update for cpp-httplib
Type: security
Severity: important
References: 1255835,1256518,1259220,1259221,1259373,1264965,CVE-2026-21428,CVE-2026-22776,CVE-2026-28434,CVE-2026-28435,CVE-2026-29076
This update for cpp-httplib fixes the following issues:
- CVE-2026-21428: server-side request forgery via header injection (bsc#1255835).
- CVE-2026-22776: unsafe handling of compressed HTTP request can cause a denial of service (bsc#1256518).
- CVE-2026-28434: default exception handler may leak e.what() to clients via EXCEPTION_WHAT response header (bsc#1259221).
- CVE-2026-28435: payload size limit bypass via gzip decompression in ContentReader (streaming) can lead to denial of service (bsc#1259220).
- CVE-2026-29076: denial of service via crafted HTTP POST request (bsc#1259373).
-----------------------------------------------------------------
Advisory ID: 861
Released: Tue Jun 2 09:22:47 2026
Summary: Recommended update for aaa_base
Type: recommended
Severity: moderate
References:
This update for aaa_base fixes the following issues:
- Update to version 84.87+git20260529.c4391e5:
* $status to $?
* Simplifying the sh part too
* Addressing review comments and simplifying a bit
* Handle javas managed by libalternatives and by update-alternatives alike
-----------------------------------------------------------------
Advisory ID: 867
Released: Tue Jun 2 11:13:41 2026
Summary: Security update for rsync
Type: security
Severity: important
References: 1254441,1262223,1264511,1264512,1264513,1264514,1264515,1265296,CVE-2025-10158,CVE-2026-29518,CVE-2026-41035,CVE-2026-43617,CVE-2026-43618,CVE-2026-43619,CVE-2026-43620,CVE-2026-45232
This update for rsync fixes the following issues:
- CVE-2025-10158: Out of bounds array access via negative index (bsc#1254441).
- CVE-2026-29518: Symlink-Race TOCTOU in Daemon (use chroot = no) (bsc#1264511).
- CVE-2026-41035: count of entries mismatch can lead to a use-after-free (bsc#1262223).
- CVE-2026-43617: Authorization Bypass via Hostname Resolution (bsc#1264515).
- CVE-2026-43618: Integer Overflow Information Disclosure (bsc#1264512).
- CVE-2026-43619: Symlink Race Condition via Path-Based Syscalls (bsc#1264514).
- CVE-2026-43620: Out-of-Bounds Array Read via recv_files() (bsc#1264513).
- CVE-2026-45232: Off-by-one stack OOB write in HTTP CONNECT proxy response parsing (bsc#1265296).
-----------------------------------------------------------------
Advisory ID: 871
Released: Tue Jun 2 14:37:03 2026
Summary: Recommended update for timezone
Type: recommended
Severity: important
References: 1264965
This update for timezone fixes the following issues:
- Update to 2026b:
* British Columbia moved to permanent -07 on 2026-03-09. (bsc#1264965)
* Some more overflow bugs have been fixed in zic.
- Update to 2026a:
* Moldova has used EU transition times since 2022.
* The 'right' TZif files are no longer installed by default.
* -DTZ_RUNTIME_LEAPS=0 disables runtime support for leap seconds.
* TZif files are no longer limited to 50 bytes of abbreviations.
* zic is no longer limited to 50 leap seconds.
* Several integer overflow bugs have been fixed.
- Update to 2025c:
* Update Baja California DST rules in 1953, 1961-1975
* An unset TZ is no longer invalid when /etc/localtime is missing, and is abbreviated 'UTC' not '-00'. This reverts to 2024b behavior
* tzset etc. are now more cautious about questionable TZ settings.
* tzset etc. now treat ' ' like '_' in time zone abbreviations
* tzfree now preserves errno, consistently with POSIX.1-2024 'free'.
* zic has new options inspired by FreeBSD.
* multiple changes visible to developers
- Use 'REDO=posix_right' to keep installing 'right' TZif files.
The following package changes have been done:
- aaa_base-84.87+git20260529.c4391e5-160000.1.1 updated
- rsync-3.4.1-160000.4.1 updated
- timezone-2026b-160000.1.1 updated
- container:suse-sl-micro-6.2-base-os-container-latest-39473802561802ed8e68ccba21e4722d2ac094578e52e9ccd1f62dd5250cb737-0 updated