SUSE-IU-2026:4527-1: Security update of suse/sl-micro/6.1/kvm-os-container
sle-container-updates at lists.suse.com
Sat Jun 13 07:49:25 UTC 2026
SUSE Image Update Advisory: suse/sl-micro/6.1/kvm-os-container
-----------------------------------------------------------------
Image Advisory ID : SUSE-IU-2026:4527-1
Image Tags : suse/sl-micro/6.1/kvm-os-container:2.2.1 , suse/sl-micro/6.1/kvm-os-container:2.2.1-5.141 , suse/sl-micro/6.1/kvm-os-container:latest
Image Release : 5.141
Severity : important
Type : security
References : 1230698 1244485 1245878 1254227 1254430 1254431 1256816 1256817
1256818 1256819 1256820 1256821 1257144 1257496 1260277 1260446
1261678 1266340 1266341 1266342 1266344 1266349 1266353 1266355
1266356 1266357 CVE-2024-41996 CVE-2025-61726 CVE-2025-61727
CVE-2025-61728 CVE-2025-61729 CVE-2025-61730 CVE-2025-61731 CVE-2025-68119
CVE-2025-68121 CVE-2026-24515 CVE-2026-25210 CVE-2026-28390 CVE-2026-33186
CVE-2026-34180 CVE-2026-34182 CVE-2026-42766 CVE-2026-42770 CVE-2026-45445
CVE-2026-45446 CVE-2026-45447 CVE-2026-7383 CVE-2026-9076
-----------------------------------------------------------------
The container suse/sl-micro/6.1/kvm-os-container was updated. The following patches have been included in this update:
-----------------------------------------------------------------
Advisory ID: 574
Released: Thu Jun 11 11:43:01 2026
Summary: Security update for elemental-system-agent
Type: security
Severity: important
References: 1244485,1245878,1254227,1254430,1254431,1256816,1256817,1256818,1256819,1256820,1256821,1260277,CVE-2025-61726,CVE-2025-61727,CVE-2025-61728,CVE-2025-61729,CVE-2025-61730,CVE-2025-61731,CVE-2025-68119,CVE-2025-68121,CVE-2026-33186
This update for elemental-system-agent fixes the following issue:
- CVE-2026-33186: google.golang.org/grpc: authorization bypass due to improper validation of the HTTP/2 :path pseudo-header (bsc#1260277).
Changes for elemental-system-agent:
- Update to version 0.3.16:
* setup for immutable releases (#274)
* align system-agent image publishing for signed releases (#270)
* Bump github.com/docker/cli to v29.2.0 and go.opentelemetry.io/otel to v1.43.0
* run go mod tidy in /test folder
* Bump google.golang.org/grpc from 1.75.0 to 1.79.3 (bsc#1260277 CVE-2026-33186)
* Bump github.com/docker/cli in /test
* export CATTLE_NODE_NAME if SYSTEM_UPGRADE_NODE_NAME is set
* use correct prefix for system-agent binary (#273)
* checksum validation (#271)
* Add `validate` subcommand for configuration validation (#250)
* Update CODEOWNERS
* Pin GH Actions to commit sha
* chore: bump sles to 15.7
* Extend remote plan e2e tests
* Fix agent restart issue and introduce constants
* chore: bump go to v1.25
* Setup e2e test infrastructure
* chores(deps): Bump k8s dependencies
* Define linter rules
* Fix CI failures
* Introduce an extended Makefile
* Switch workflows to use name makefile
* Replace dapper with multi stage builds
* Remove dapper scripts
* Add multiple improvements for ignore files
* fix: remove umask command from the system-agent unit-file
* fix-system-agent-umask
* [1.34] bumped dependencies for 1.34 support (#242)
* Bump K8s patch level to 1.33.5 and Go patch level to 1.24.6
* fix: properly handle traps after unsuccessful SUC job execution
* fix: do not unconditionally reset failure-counts
* fix: remove resetFailureCountOnStartup, always reset failure counts on first start
* un-rc wrangler and lasso
* drop windows 2019 when running PR CI
- Update to version 0.3.13:
* Bumped dependencies for k8s v1.33
* Add delete for plan.File
* fix dispatch
* fix: add retry logic for one time instruction
* Get UID/GID for current user in write file_test.go
* Update secrets for dispatch
* fix golangci
* support k8s 1.32.2
* Add GitHub App token generation and dispatch job for System Agent Upgrade workflow.
* Add ResetFailureCountOnServiceRestart, if true reset plan failure count after each restart of the system-agent
* Bump wharfie to v0.6.7
* Add tests and update CI
* Windows updates
-----------------------------------------------------------------
Advisory ID: 576
Released: Thu Jun 11 14:50:14 2026
Summary: Security update for openssl-3
Type: security
Severity: important
References: 1230698,1257144,1257496,1260446,1261678,1266340,1266341,1266342,1266344,1266349,1266353,1266355,1266356,1266357,CVE-2024-41996,CVE-2026-24515,CVE-2026-25210,CVE-2026-28390,CVE-2026-34180,CVE-2026-34182,CVE-2026-42766,CVE-2026-42770,CVE-2026-45445,CVE-2026-45446,CVE-2026-45447,CVE-2026-7383,CVE-2026-9076
This update for openssl-3 fixes the following issues:
- CVE-2024-41996: DHEATATTACK: Validating the order of the public keys in the Diffie-Hellman Key Agreement Protocol,
when an approved safe prime is used, allows remote attackers to trigger expensive server-side DHE (bsc#1230698).
- CVE-2026-7383: Possible Heap Buffer Overflow in ASN.1 Multibyte String Conversion (bsc#1266340).
- CVE-2026-9076: Out-of-Bounds Read in CMS Password-Based Decryption (bsc#1266341).
- CVE-2026-28390: NULL pointer dereference during processing of a crafted CMS EnvelopedData message with
KeyTransportRecipientInfo (bsc#1261678).
- CVE-2026-34180: Heap Buffer Over-read in ASN.1 Content Parsing (bsc#1266342).
- CVE-2026-34182: CMS AuthEnvelopedData Processing May Accept Forged Messages (bsc#1266344).
- CVE-2026-42766: Possible NULL Dereference in Password-Based CMS Decryption (bsc#1266349).
- CVE-2026-42770: FFC-DH Peer Validation Uses Attacker-Supplied q (bsc#1266353).
- CVE-2026-45445: AES-OCB IV Ignored on EVP_Cipher() Path (bsc#1266355).
- CVE-2026-45446: Incorrect Tag Processing for Empty Messages in AES-GCM-SIV and AES-SIV modes (bsc#1266356).
- CVE-2026-45447: Heap Use-After-Free in OpenSSL PKCS7_verify() (bsc#1266357).
The following package changes have been done:
- libopenssl3-3.1.4-slfo.1.1_10.1 updated
- SL-Micro-release-6.1-slfo.1.12.46 updated
- elemental-system-agent-0.3.16-slfo.1.1_1.1 updated
- container:SL-Micro-base-container-2.2.1-5.141 updated