SUSE-IU-2026:4512-1: Security update of suse/sl-micro/6.0/rt-os-container
sle-container-updates at lists.suse.com
Fri Jun 12 07:42:01 UTC 2026
SUSE Image Update Advisory: suse/sl-micro/6.0/rt-os-container
-----------------------------------------------------------------
Image Advisory ID : SUSE-IU-2026:4512-1
Image Tags : suse/sl-micro/6.0/rt-os-container:2.1.3 , suse/sl-micro/6.0/rt-os-container:2.1.3-7.185 , suse/sl-micro/6.0/rt-os-container:latest
Image Release : 7.185
Severity : important
Type : security
References : 1260277 1266340 1266341 1266342 1266344 1266349 1266353 1266355
1266356 1266357 CVE-2026-33186 CVE-2026-34180 CVE-2026-34182
CVE-2026-42766 CVE-2026-42770 CVE-2026-45445 CVE-2026-45446 CVE-2026-45447
CVE-2026-7383 CVE-2026-9076
-----------------------------------------------------------------
The container suse/sl-micro/6.0/rt-os-container was updated. The following patches have been included in this update:
-----------------------------------------------------------------
Advisory ID: 752
Released: Thu Jun 11 12:02:22 2026
Summary: Security update for openssl-3
Type: security
Severity: important
References: 1266340,1266341,1266342,1266344,1266349,1266353,1266355,1266356,1266357,CVE-2026-34180,CVE-2026-34182,CVE-2026-42766,CVE-2026-42770,CVE-2026-45445,CVE-2026-45446,CVE-2026-45447,CVE-2026-7383,CVE-2026-9076
This update for openssl-3 fixes the following issues:
- CVE-2026-7383: Possible Heap Buffer Overflow in ASN.1 Multibyte String Conversion (bsc#1266340).
- CVE-2026-9076: Out-of-Bounds Read in CMS Password-Based Decryption (bsc#1266341).
- CVE-2026-34180: Heap Buffer Over-read in ASN.1 Content Parsing (bsc#1266342).
- CVE-2026-34182: CMS AuthEnvelopedData Processing May Accept Forged Messages (bsc#1266344).
- CVE-2026-42766: Possible NULL Dereference in Password-Based CMS Decryption (bsc#1266349).
- CVE-2026-42770: FFC-DH Peer Validation Uses Attacker-Supplied q (bsc#1266353).
- CVE-2026-45445: AES-OCB IV Ignored on EVP_Cipher() Path (bsc#1266355).
- CVE-2026-45446: Incorrect Tag Processing for Empty Messages in AES-GCM-SIV and AES-SIV modes (bsc#1266356).
- CVE-2026-45447: Heap Use-After-Free in OpenSSL PKCS7_verify() (bsc#1266357).
-----------------------------------------------------------------
Advisory ID: 751
Released: Thu Jun 11 12:08:55 2026
Summary: Security update for elemental-system-agent
Type: security
Severity: important
References: 1260277,CVE-2026-33186
This update for elemental-system-agent fixes the following issue:
- CVE-2026-33186: google.golang.org/grpc: authorization bypass due to improper validation of the HTTP/2 :path pseudo-header (bsc#1260277).
Changes for elemental-system-agent:
- Update to version 0.3.16:
* setup for immutable releases (#274)
* align system-agent image publishing for signed releases (#270)
* Bump github.com/docker/cli to v29.2.0 and go.opentelemetry.io/otel to v1.43.0
* run go mod tidy in /test folder
* Bump google.golang.org/grpc from 1.75.0 to 1.79.3 (bsc#1260277 CVE-2026-33186)
* Bump github.com/docker/cli in /test
* export CATTLE_NODE_NAME if SYSTEM_UPGRADE_NODE_NAME is set
* use correct prefix for system-agent binary (#273)
* checksum validation (#271)
* Add `validate` subcommand for configuration validation (#250)
* Update CODEOWNERS
* Pin GH Actions to commit sha
* chore: bump sles to 15.7
* Extend remote plan e2e tests
* Fix agent restart issue and introduce constants
* chore: bump go to v1.25
* Setup e2e test infrastructure
* chores(deps): Bump k8s dependencies
* Define linter rules
* Fix CI failures
* Introduce an extended Makefile
* Switch workflows to use name makefile
* Replace dapper with multi stage builds
* Remove dapper scripts
* Add multiple improvements for ignore files
* fix: remove umask command from the system-agent unit-file
* fix-system-agent-umask
* [1.34] bumped dependencies for 1.34 support (#242)
* Bump K8s patch level to 1.33.5 and Go patch level to 1.24.6
* fix: properly handle traps after unsuccessful SUC job execution
* fix: do not unconditionally reset failure-counts
* fix: remove resetFailureCountOnStartup, always reset failure counts on first start
* un-rc wrangler and lasso
* drop windows 2019 when running PR CI
- Update to version 0.3.13:
* Bumped dependencies for k8s v1.33
* Add delete for plan.File
* fix dispatch
* fix: add retry logic for one time instruction
* Get UID/GID for current user in write file_test.go
* Update secrets for dispatch
* fix golangci
* support k8s 1.32.2
* Add GitHub App token generation and dispatch job for System Agent Upgrade workflow.
* Add ResetFailureCountOnServiceRestart, if true reset plan failure count after each restart of the system-agent
* Bump wharfie to v0.6.7
* Add tests and update CI
* Windows updates
- Update to version 0.3.9:
* Properly install grep and kubectl into the SUC image (#196)
* Add default fallback values (`/opt/rke2/bin`, `/opt/bin`) to the PATH if `/usr/local/bin` is read-only (#195)
* use bci-base to run zypper then layer the result onto bci-micro (#194)
* Change base images to `bci-micro` (#169)
* Add CATTLE_AGENT_FALLBACK_PATH
* Fix if statement in install.sh
* bump Go version to 1.22, kube-related modules to v0.29.7 to eliminate CVEs
* Update module github.com/rancher/wharfie to v0.6.6
The following package changes have been done:
- libopenssl3-3.1.4-14.1 updated
- SL-Micro-release-6.0-25.102 updated
- elemental-system-agent-0.3.16-1.1 updated
- container:SL-Micro-container-2.1.3-6.189 updated