SUSE-CU-2026:5445-1: Security update of suse/sles/16.0/toolbox

sle-container-updates at lists.suse.com
Wed Jun 3 08:44:13 UTC 2026


SUSE Container Update Advisory: suse/sles/16.0/toolbox
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2026:5445-1
Container Tags        : suse/sles/16.0/toolbox:16.3 , suse/sles/16.0/toolbox:16.3-1.72 , suse/sles/16.0/toolbox:latest
Container Release     : 1.72
Severity              : important
Type                  : security
References            : 1253261 1253542 1253993 1255835 1256518 1259220 1259221 1259373
                        1264965 1264965 1264965 CVE-2025-47913 CVE-2025-47914 CVE-2026-21428
                        CVE-2026-22776 CVE-2026-28434 CVE-2026-28435 CVE-2026-29076 
-----------------------------------------------------------------

The container suse/sles/16.0/toolbox was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: 543
Released:    Mon Apr 13 14:55:40 2026
Summary:     Recommended update for rsyslog
Type:        recommended
Severity:    moderate
References:  1253261,1253542,1253993,1264965,CVE-2025-47913,CVE-2025-47914
This update for rsyslog fixes the following issues:

- Fix SELinux context of rsyslog run directory (bsc#1253261)

-----------------------------------------------------------------
Advisory ID: 724
Released:    Fri May  8 12:00:29 2026
Summary:     Security update for cpp-httplib
Type:        security
Severity:    important
References:  1255835,1256518,1259220,1259221,1259373,1264965,CVE-2026-21428,CVE-2026-22776,CVE-2026-28434,CVE-2026-28435,CVE-2026-29076
This update for cpp-httplib fixes the following issues:

- CVE-2026-21428: server-side request forgery via header injection (bsc#1255835).
- CVE-2026-22776: unsafe handling of compressed HTTP request can cause a denial of service (bsc#1256518).
- CVE-2026-28434: default exception handler may leak e.what() to clients via EXCEPTION_WHAT response header
  (bsc#1259221).
- CVE-2026-28435: payload size limit bypass via gzip decompression in ContentReader (streaming) can lead to denial of
  service (bsc#1259220).
- CVE-2026-29076: denial of service via crafted HTTP POST request (bsc#1259373).

-----------------------------------------------------------------
Advisory ID: 871
Released:    Tue Jun  2 14:37:03 2026
Summary:     Recommended update for timezone
Type:        recommended
Severity:    important
References:  1264965
This update for timezone fixes the following issues:

- Update to 2026b:
    * British Columbia moved to permanent -07 on 2026-03-09. (bsc#1264965)
    * Some more overflow bugs have been fixed in zic.
- Update to 2026a:
    * Moldova has used EU transition times since 2022.
    * The 'right' TZif files are no longer installed by default.
    * -DTZ_RUNTIME_LEAPS=0 disables runtime support for leap seconds.
    * TZif files are no longer limited to 50 bytes of abbreviations.
    * zic is no longer limited to 50 leap seconds.
    * Several integer overflow bugs have been fixed.
- Update to 2025c:
    * Update Baja California DST rules in 1953, 1961-1975
    * An unset TZ is no longer invalid when /etc/localtime is
      missing, and is abbreviated 'UTC' not '-00'. This reverts to 2024b behavior
    * tzset etc. are now more cautious about questionable TZ settings.
    * tzset etc. now treat ' ' like '_' in time zone abbreviations
    * tzfree now preserves errno, consistently with POSIX.1-2024 'free'.
    * zic has new options inspired by FreeBSD.
    * multiple changes visible to developers
- Use 'REDO=posix_right' to keep installing 'right' TZif files.


The following package changes have been done:

- timezone-2026b-160000.1.1 updated

