SUSE-IU-2026:4512-1: Security update of suse/sl-micro/6.0/rt-os-container

sle-container-updates at lists.suse.com
Sat Jun 13 07:35:42 UTC 2026


SUSE Image Update Advisory: suse/sl-micro/6.0/rt-os-container
-----------------------------------------------------------------
Image Advisory ID : SUSE-IU-2026:4512-1
Image Tags        : suse/sl-micro/6.0/rt-os-container:2.1.3 , suse/sl-micro/6.0/rt-os-container:2.1.3-7.185 , suse/sl-micro/6.0/rt-os-container:latest
Image Release     : 7.185
Severity          : important
Type              : security
References        : 1260277 1266340 1266341 1266342 1266344 1266349 1266353 1266355
                        1266356 1266357 CVE-2026-33186 CVE-2026-34180 CVE-2026-34182
                        CVE-2026-42766 CVE-2026-42770 CVE-2026-45445 CVE-2026-45446 CVE-2026-45447
                        CVE-2026-7383 CVE-2026-9076 
-----------------------------------------------------------------

The container suse/sl-micro/6.0/rt-os-container was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: 752
Released:    Thu Jun 11 12:02:22 2026
Summary:     Security update for openssl-3
Type:        security
Severity:    important
References:  1266340,1266341,1266342,1266344,1266349,1266353,1266355,1266356,1266357,CVE-2026-34180,CVE-2026-34182,CVE-2026-42766,CVE-2026-42770,CVE-2026-45445,CVE-2026-45446,CVE-2026-45447,CVE-2026-7383,CVE-2026-9076
This update for openssl-3 fixes the following issues:

- CVE-2026-7383: Possible Heap Buffer Overflow in ASN.1 Multibyte String Conversion (bsc#1266340).
- CVE-2026-9076: Out-of-Bounds Read in CMS Password-Based Decryption (bsc#1266341).
- CVE-2026-34180: Heap Buffer Over-read in ASN.1 Content Parsing (bsc#1266342).
- CVE-2026-34182: CMS AuthEnvelopedData Processing May Accept Forged Messages (bsc#1266344).
- CVE-2026-42766: Possible NULL Dereference in Password-Based CMS Decryption (bsc#1266349).
- CVE-2026-42770: FFC-DH Peer Validation Uses Attacker-Supplied q (bsc#1266353).
- CVE-2026-45445: AES-OCB IV Ignored on EVP_Cipher() Path (bsc#1266355).
- CVE-2026-45446: Incorrect Tag Processing for Empty Messages in AES-GCM-SIV and AES-SIV modes (bsc#1266356).
- CVE-2026-45447: Heap Use-After-Free in OpenSSL PKCS7_verify() (bsc#1266357).

-----------------------------------------------------------------
Advisory ID: 751
Released:    Thu Jun 11 12:08:55 2026
Summary:     Security update for elemental-system-agent
Type:        security
Severity:    important
References:  1260277,CVE-2026-33186
This update for elemental-system-agent fixes the following issue:

- CVE-2026-33186: google.golang.org/grpc: authorization bypass due to improper validation of the HTTP/2 :path pseudo-header (bsc#1260277).

Changes for elemental-system-agent:

- Update to version 0.3.16:
 * setup for immutable releases (#274)
 * align system-agent image publishing for signed releases (#270)
 * Bump github.com/docker/cli to v29.2.0 and go.opentelemetry.io/otel to v1.43.0
 * run go mod tidy in /test folder
 * Bump google.golang.org/grpc from 1.75.0 to 1.79.3 (bsc#1260277 CVE-2026-33186)
 * Bump github.com/docker/cli in /test
 * export CATTLE_NODE_NAME if SYSTEM_UPGRADE_NODE_NAME is set
 * use correct prefix for system-agent binary (#273)
 * checksum validation (#271)
 * Add `validate` subcommand for configuration validation (#250)
 * Update CODEOWNERS
 * Pin GH Actions to commit sha
 * chore: bump sles to 15.7
 * Extend remote plan e2e tests
 * Fix agent restart issue and introduce constants
 * chore: bump go to v1.25
 * Setup e2e test infrastructure
 * chores(deps): Bump k8s dependencies
 * Define linter rules
 * Fix CI failures
 * Introduce an extended Makefile
 * Switch workflows to use name makefile
 * Replace dapper with multi stage builds
 * Remove dapper scripts
 * Add multiple improvements for ignore files
 * fix: remove umask command from the system-agent unit-file
 * fix-system-agent-umask
 * [1.34] bumped dependencies for 1.34 support (#242)
 * Bump K8s patch level to 1.33.5 and Go patch level to 1.24.6
 * fix: properly handle traps after unsuccessful SUC job execution
 * fix: do not unconditionally reset failure-counts
 * fix: remove resetFailureCountOnStartup, always reset failure counts on first start
 * un-rc wrangler and lasso
 * drop windows 2019 when running PR CI
- Update to version 0.3.13:
 * Bumped dependencies for k8s v1.33
 * Add delete for plan.File
 * fix dispatch
 * fix: add retry logic for one time instruction
 * Get UID/GID for current user in write file_test.go
 * Update secrets for dispatch
 * fix golangci
 * support k8s 1.32.2
 * Add GitHub App token generation and dispatch job for System Agent Upgrade workflow.
 * Add ResetFailureCountOnServiceRestart, if true reset plan failure count after each restart of the system-agent
 * Bump wharfie to v0.6.7
 * Add tests and update CI
 * Windows updates
- Update to version 0.3.9:
 * Properly install grep and kubectl into the SUC image (#196)
 * Add default fallback values (`/opt/rke2/bin`, `/opt/bin`) to the PATH if `/usr/local/bin` is read-only (#195)
 * use bci-base to run zypper then layer the result onto bci-micro (#194)
 * Change base images to `bci-micro` (#169)
 * Add CATTLE_AGENT_FALLBACK_PATH
 * Fix if statement in install.sh
 * bump Go version to 1.22, kube-related modules to v0.29.7 to eliminate CVEs
 * Update module github.com/rancher/wharfie to v0.6.6


The following package changes have been done:

- libopenssl3-3.1.4-14.1 updated
- SL-Micro-release-6.0-25.102 updated
- elemental-system-agent-0.3.16-1.1 updated
- container:SL-Micro-container-2.1.3-6.189 updated

