SUSE-IU-2026:4245-1: Security update of sles-15-sp4-chost-byos-v20260601-arm64

sle-container-updates at lists.suse.com
Sat Jun 6 07:03:32 UTC 2026


SUSE Image Update Advisory: sles-15-sp4-chost-byos-v20260601-arm64
-----------------------------------------------------------------
Image Advisory ID : SUSE-IU-2026:4245-1
Image Tags        : sles-15-sp4-chost-byos-v20260601-arm64:20260601
Image Release     : 
Severity          : critical
Type              : security
References        : 1221010 1243603 1252963 1258248 1258518 1258718 1258849 1258850
                        1258854 1258855 1258856 1258857 1259484 1259485 1259857 1260010
                        1260018 1260522 1260526 1260983 1261158 1261160 1261161 1261163
                        1261280 1261287 1261295 1261427 1261430 1261638 1261710 1261779
                        1261781 1261796 1261797 1261957 1262179 1262181 1262602 1262734
                        1262758 1263065 1263085 1263095 1263131 1263141 1263165 1263170
                        1263176 1263582 1263600 1263668 1263704 1263705 1263707 1263708
                        1263709 1263710 1263711 1263712 1263713 1263714 1263715 1263723
                        1263882 1263901 1263931 1263933 1264059 1264082 1264086 1264450
                        1264482 1264634 1264651 1264848 1265085 1265090 1265119 1265126
                        1265308 1265456 1265626 1265960 CVE-2021-47103 CVE-2023-20585
                        CVE-2026-23209 CVE-2026-23239 CVE-2026-23240 CVE-2026-23268 CVE-2026-23269
                        CVE-2026-23271 CVE-2026-23273 CVE-2026-23351 CVE-2026-23393 CVE-2026-2340
                        CVE-2026-23403 CVE-2026-23404 CVE-2026-23405 CVE-2026-23406 CVE-2026-23407
                        CVE-2026-23408 CVE-2026-23409 CVE-2026-23410 CVE-2026-23411 CVE-2026-23449
                        CVE-2026-23458 CVE-2026-23462 CVE-2026-31402 CVE-2026-31403 CVE-2026-31408
                        CVE-2026-31436 CVE-2026-31504 CVE-2026-31507 CVE-2026-31512 CVE-2026-31533
                        CVE-2026-31570 CVE-2026-31586 CVE-2026-31588 CVE-2026-31602 CVE-2026-31607
                        CVE-2026-31649 CVE-2026-31656 CVE-2026-31662 CVE-2026-31669 CVE-2026-31685
                        CVE-2026-31694 CVE-2026-31700 CVE-2026-31738 CVE-2026-31787 CVE-2026-3238
                        CVE-2026-33845 CVE-2026-33846 CVE-2026-34743 CVE-2026-34757 CVE-2026-35385
                        CVE-2026-35414 CVE-2026-3833 CVE-2026-41054 CVE-2026-42009 CVE-2026-42010
                        CVE-2026-42011 CVE-2026-42012 CVE-2026-42013 CVE-2026-42014 CVE-2026-42015
                        CVE-2026-43025 CVE-2026-43027 CVE-2026-43050 CVE-2026-43110 CVE-2026-43126
                        CVE-2026-43190 CVE-2026-43214 CVE-2026-43329 CVE-2026-43334 CVE-2026-43365
                        CVE-2026-43437 CVE-2026-43494 CVE-2026-43500 CVE-2026-43503 CVE-2026-4408
                        CVE-2026-4480 CVE-2026-46333 CVE-2026-5260 
-----------------------------------------------------------------

The container sles-15-sp4-chost-byos-v20260601-arm64 was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:2008-1
Released:    Tue May 19 13:54:28 2026
Summary:     Security update for haveged
Type:        security
Severity:    important
References:  1264086,CVE-2026-41054
This update for haveged fixes the following issue:

- CVE-2026-41054: missing exit out of permission check could lead to root exploit (bsc#1264086).

Changes for haveged:

- Improvements on the linux kernel random subsystem have made
 move forward to socket communication within private network
- Fix 'stop' of service, the daemon in foreground actually
 see daemon(7) for the rationale. Only 'simple' (default) and
 the help of udev, as starting services while starved of entropy
- Add ppc64le support
- update to 1.8
 * Correct additional run-time test alignment problems on mips.
- haveged 1.7a
 * Correct VPATH issues and modify check target to support
   parallel builds and changes in automake 1.13 test harness.
- Remove all sysvinit compatibility.
- fix powerpc detection 
- Current version does support ARM, remove the ExcludeArch
 need network and can use PrivateNetwork=yes
 * Add online tests based on AIS-31
 * Fix install target, move to bin and eliminate script if not daemon, now use sysv and systemd templates
- use -F with no arguments in haveged.service
- build with -fpie
- Use Service type 'simple' in systemd unit
- fix build on ia64, s390, s390x
- fix ppc64 build
 present in old versions have been fixed in different ways.
- run spec cleaner
- Link with full RELRO (-Wl,-z,relro,-z,now)
- add systemd support
- Drop as much capabilities as possible using libcap-ng
- I meant Enhances not Supplements
- Implement hack to start by default only in VMs
- use O_CLOEXEC on fds
- add proper Requires(pre)
- add a SUSE standard init script

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:2024-1
Released:    Wed May 20 09:23:16 2026
Summary:     Security update for openssh
Type:        security
Severity:    important
References:  1261427,1261430,CVE-2026-35385,CVE-2026-35414
This update for openssh fixes the following issues



-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:2031-1
Released:    Wed May 20 11:34:19 2026
Summary:     Security update for runc
Type:        security
Severity:    important
References:  

This update for runc rebuilds it against the current go security release.

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:2057-1
Released:    Mon May 25 16:04:05 2026
Summary:     Security update for libpng16
Type:        security
Severity:    moderate
References:  1261957,CVE-2026-34757
This update for libpng16 fixes the following issue:

- CVE-2026-34757: information disclosure and data corruption due to use-after-free in `png_set_PLTE`, `png_set_tRNS`
  and `png_set_hIST` (bsc#1261957).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:2087-1
Released:    Wed May 27 09:57:23 2026
Summary:     Security update for gnutls
Type:        security
Severity:    important
References:  1263704,1263705,1263707,1263708,1263709,1263710,1263711,1263712,1263713,1263714,1263715,CVE-2026-33845,CVE-2026-33846,CVE-2026-3833,CVE-2026-42009,CVE-2026-42010,CVE-2026-42011,CVE-2026-42012,CVE-2026-42013,CVE-2026-42014,CVE-2026-42015,CVE-2026-5260
This update for gnutls fixes the following issues:

- CVE-2026-3833: x509/name-constraints: compare domain names case-insensitive (bsc#1263707).
- CVE-2026-5260: lib/pkcs11_privkey: guard against overreading on short ciphertexts (bsc#1263715).
- CVE-2026-33845: buffers: switch from end_offset over to frag_length (bsc#1263704).
- CVE-2026-33846: buffers: add more checks to DTLS reassembly (bsc#1263705).
- CVE-2026-42009: lib/buffers: ensure packets have differing sequence numbers (bsc#1263708).
- CVE-2026-42010: lib/auth/rsa_psk: fix binary PSK identity lookup (bsc#1263709).
- CVE-2026-42011: x509/name_constraints: fix intersecting empty constraints (bsc#1263710).
- CVE-2026-42012: x509/hostname-verify: make URI/SRV SAN preclude CN fallback (bsc#1263711).
- CVE-2026-42013: x509: prevent fallback on oversized SAN (bsc#1263712).
- CVE-2026-42014: pkcs11_write: fix UAF and leak in gnutls_pkcs11_token_set_pin (bsc#1263713).
- CVE-2026-42015: x509/pkcs12_bag: fix off-by-one in bag element bounds check (bsc#1263714).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:2108-1
Released:    Fri May 29 09:19:46 2026
Summary:     Security update for samba
Type:        security
Severity:    critical
References:  1252963,1261158,1261160,1261161,1261163,CVE-2026-2340,CVE-2026-3238,CVE-2026-4408,CVE-2026-4480
This update for samba fixes the following issues:

- CVE-2026-2340: vfs_worm does not block directory modification (bsc#1261158).
- CVE-2026-3238: unauthenticated udp packet crashes AD DC nbt server (bsc#1261160).
- CVE-2026-4408: Remote Code Execution in SAMR (bsc#1261163).
- CVE-2026-4480: Unauthenticated Remote Code Execution (bsc#1261161).

Non-security issues:

- Fix pthreadpool_tevent race conditions accessing both
 pthreadpool_tevent.jobs list and pthreadpool_tevent.glue_list
 (bsc#1252963)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:2118-1
Released:    Fri May 29 17:31:19 2026
Summary:     Security update for xz
Type:        security
Severity:    important
References:  1261280,CVE-2026-34743
This update for xz fixes the following issue:

- CVE-2026-34743: buffer overflow in lzma_index_append() (bsc#1261280).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:2202-1
Released:    Mon Jun  1 12:01:33 2026
Summary:     Security update for the Linux Kernel
Type:        security
Severity:    important
References:  1221010,1243603,1258248,1258518,1258718,1258849,1258850,1258854,1258855,1258856,1258857,1259484,1259485,1259857,1260010,1260018,1260522,1260526,1260983,1261287,1261295,1261638,1261710,1261779,1261781,1261796,1261797,1262179,1262181,1262602,1262734,1262758,1263065,1263085,1263095,1263131,1263141,1263165,1263170,1263176,1263582,1263600,1263668,1263723,1263882,1263901,1263931,1263933,1264059,1264082,1264450,1264482,1264634,1264651,1264848,1265085,1265090,1265119,1265126,1265308,1265456,1265626,1265960,CVE-2021-47103,CVE-2023-20585,CVE-2026-23209,CVE-2026-23239,CVE-2026-23240,CVE-2026-23268,CVE-2026-23269,CVE-2026-23271,CVE-2026-23273,CVE-2026-23351,CVE-2026-23393,CVE-2026-23403,CVE-2026-23404,CVE-2026-23405,CVE-2026-23406,CVE-2026-23407,CVE-2026-23408,CVE-2026-23409,CVE-2026-23410,CVE-2026-23411,CVE-2026-23449,CVE-2026-23458,CVE-2026-23462,CVE-2026-31402,CVE-2026-31403,CVE-2026-31408,CVE-2026-31436,CVE-2026-31504,CVE-2026-31507,CVE-2026-31512,CVE-2026-31533,CVE-2026-31570,CVE-2026-31586,CVE-2026-31588,CVE-2026-31602,CVE-2026-31607,CVE-2026-31649,CVE-2026-31656,CVE-2026-31662,CVE-2026-31669,CVE-2026-31685,CVE-2026-31694,CVE-2026-31700,CVE-2026-31738,CVE-2026-31787,CVE-2026-43025,CVE-2026-43027,CVE-2026-43050,CVE-2026-43110,CVE-2026-43126,CVE-2026-43190,CVE-2026-43214,CVE-2026-43329,CVE-2026-43334,CVE-2026-43365,CVE-2026-43437,CVE-2026-43494,CVE-2026-43500,CVE-2026-43503,CVE-2026-46333

The SUSE Linux Enterprise 15 SP4 kernel was updated to fix various security issues.

The following security issues were fixed:

- CVE-2021-47103: inet: fully convert sk->sk_rx_dst to RCU rules (bsc#1221010).
- CVE-2023-20585: x86/CPU: Fix FPDSS on Zen1 (bsc#1243603).
- CVE-2026-23239: espintcp: Fix race condition in espintcp_close() (bsc#1259485).
- CVE-2026-23240: tls: Fix race condition in tls_sw_cancel_work_tx() (bsc#1259484).
- CVE-2026-23271: perf: Fix __perf_event_overflow() vs perf_remove_from_context() race (bsc#1260018).
- CVE-2026-23351: netfilter: nft_set_pipapo: split gc into unlink and reclaim phase (bsc#1260526).
- CVE-2026-23393: bridge: cfm: Fix race condition in peer_mep deletion (bsc#1260522).
- CVE-2026-23449: net/sched: teql: Fix double-free in teql_master_xmit (bsc#1261779).
- CVE-2026-23458: netfilter: ctnetlink: fix use-after-free in ctnetlink_dump_exp_ct() (bsc#1261781).
- CVE-2026-23462: Bluetooth: HIDP: Fix possible UAF (bsc#1261710).
- CVE-2026-31402: nfsd: fix heap overflow in NFSv4.0 LOCK replay cache (bsc#1261638).
- CVE-2026-31403: NFSD: Hold net reference for the lifetime of /proc/fs/nfs/exports fd (bsc#1261796).
- CVE-2026-31408: Bluetooth: SCO: Fix use-after-free in sco_recv_frame() due to missing sock_hold (bsc#1261797).
- CVE-2026-31436: dmaengine: idxd: fix possible wrong descriptor completion in llist_abort_desc() (bsc#1262602).
- CVE-2026-31504: net: fix fanout UAF in packet_release() via NETDEV_UP race (bsc#1263085).
- CVE-2026-31507: net/smc: fix double-free of smc_spd_priv when tee() duplicates splice pipe buffer (bsc#1263095).
- CVE-2026-31512: Bluetooth: L2CAP: Validate PDU length before reading SDU length in l2cap_ecred_data_rcv()
  (bsc#1262734).
- CVE-2026-31533: net/tls: fix use-after-free in -EBUSY error path of tls_do_encryption (bsc#1262758).
- CVE-2026-31570: can: gw: fix OOB heap access in cgw_csum_crc8_rel() (bsc#1263065).
- CVE-2026-31586: mm: blk-cgroup: fix use-after-free in cgwb_release_workfn() (bsc#1263176).
- CVE-2026-31588: KVM: x86: Use scratch field in MMIO fragment to hold small write values (bsc#1263165).
- CVE-2026-31602: ALSA: ctxfi: Limit PTP to a single page (bsc#1263723).
- CVE-2026-31607: usbip: validate number_of_packets in usbip_pack_ret_submit() (bsc#1263600).
- CVE-2026-31649: net: stmmac: fix integer underflow in chain mode (bsc#1263582).
- CVE-2026-31656: drm/i915/gt: fix refcount underflow in intel_engine_park_heartbeat (bsc#1263170).
- CVE-2026-31662: tipc: fix bc_ackers underflow on duplicate GRP_ACK_MSG (bsc#1263131).
- CVE-2026-31669: mptcp: fix slab-use-after-free in __inet_lookup_established (bsc#1263141).
- CVE-2026-31685: netfilter: ip6t_eui64: reject invalid MAC header for all packets (bsc#1263668).
- CVE-2026-31694: fuse: reject oversized dirents in page cache (bsc#1263901).
- CVE-2026-31700: net/packet: fix TOCTOU race on mmap'd vnet_hdr in tpacket_snd() (bsc#1263882).
- CVE-2026-31738: vxlan: validate ND option lengths in vxlan_na_create (bsc#1264059).
- CVE-2026-31787: xen/privcmd: fix double free via VMA splitting (bsc#1262181).
- CVE-2026-43025: netfilter: ctnetlink: ignore explicit helper on new expectations (bsc#1263931).
- CVE-2026-43027: netfilter: nf_conntrack_helper: pass helper to expect cleanup (bsc#1263933).
- CVE-2026-43050: atm: lec: fix use-after-free in sock_def_readable() (bsc#1264082).
- CVE-2026-43110: wifi: brcmfmac: validate bsscfg indices in IF events (bsc#1264482).
- CVE-2026-43126: ALSA: mixer: oss: Add card disconnect checkpoints (bsc#1264634).
- CVE-2026-43190: netfilter: xt_tcpmss: check remaining length before reading optlen (bsc#1264848).
- CVE-2026-43214: KVM: x86: Add SRCU protection for reading PDPTRs in __get_sregs2() (bsc#1264651).
- CVE-2026-43329: netfilter: flowtable: strictly check for maximum number of actions (bsc#1265085).
- CVE-2026-43334: Bluetooth: SMP: force responder MITM requirements before building the pairing response (bsc#1265090).
- CVE-2026-43365: xfs: fix undersized l_iclog_roundoff values (bsc#1265119).
- CVE-2026-43437: ALSA: pcm: fix use-after-free on linked stream runtime in snd_pcm_drain() (bsc#1265126).
- CVE-2026-43494: net/rds: reset op_nents when zerocopy page pin fails (bsc#1265626).
- CVE-2026-43500: supported.conf: drop rxrpc and af_kfs (bsc#1264450).
- CVE-2026-43503: net: skbuff: propagate shared-frag marker through frag-transfer helpers (bsc#1265960).
- CVE-2026-46333: ptrace: slightly saner 'get_dumpable()' logic (bsc#1265308).

The following non-security issues were fixed:

- check-for-config-changes: Exclude CC_MS_EXTENSIONS.
- check-for-config-changes: Exclude HAVE_CFI_ICALL_NORMALIZE_INTEGERS{,_RUSTC}.
- crypto: qat - fix ring to service map for QAT GEN4 (bsc#1258248).
- crypto: qat - refactor fw config related functions (bsc#1258248).
- crypto: qat - use masks for AE groups (bsc#1258248).
- dm init: ensure device probing has finished in dm-mod.waitfor= (git-fixes).
- mkspec: Add signature to source list only when it exists.
- net/rds: reset op_nents when zerocopy page pin fails (bsc#1265626).
- net: gro: don't merge zcopy skbs (git-fixes).
- nvmet-rdma: fix possible bad dereference when freeing rsps (bsc#1260983).
- ocfs2: fix possible deadlock between unlink and dio_end_io_write (bsc#1258718).
- ocfs2: split transactions in dio completion to avoid credit exhaustion (bsc#1258718).
- xfrm: esp: avoid in-place decrypt on shared skb frags.


The following package changes have been done:

- haveged-1.9.14-150400.3.11.1 updated
- kernel-default-5.14.21-150400.24.219.1 updated
- libgnutls30-3.7.3-150400.4.59.1 updated
- libhavege2-1.9.14-150400.3.11.1 updated
- liblzma5-5.2.3-150000.4.10.1 updated
- libpng16-16-1.6.34-150000.3.25.1 updated
- openssh-clients-8.4p1-150300.3.60.1 updated
- openssh-common-8.4p1-150300.3.60.1 updated
- openssh-server-8.4p1-150300.3.60.1 updated
- openssh-8.4p1-150300.3.60.1 updated
- runc-1.3.4-150000.94.1 updated
- samba-client-libs-4.15.13+git.780.d2f53cbcded-150400.3.49.1 updated
- xz-5.2.3-150000.4.10.1 updated

