SUSE-IU-2026:4714-1: Security update of sles-15-sp6-chost-byos-v20260617-arm64
sle-container-updates at lists.suse.com
Sat Jun 20 07:04:01 UTC 2026
SUSE Image Update Advisory: sles-15-sp6-chost-byos-v20260617-arm64
-----------------------------------------------------------------
Image Advisory ID : SUSE-IU-2026:4714-1
Image Tags : sles-15-sp6-chost-byos-v20260617-arm64:20260617
Image Release :
Severity : important
Type : security
References : 1255752 1259327 1259642 1261427 1261430 1261441 1261546 1261700
1262043 1262663 1263068 1263769 1263774 1263790 1263940 1263995
1264093 1264449 1264551 1264568 1264965 1264989 1265620 1265928
1265960 1266001 1266009 1266238 1266340 1266340 1266341 1266341
1266342 1266342 1266344 1266349 1266349 1266353 1266355 1266356
1266357 1266357 1266402 1266414 1266711 1266765 1266889 1266901
1266952 1266953 1266955 1266969 1266972 1267205 1267220 1267222
CVE-2026-31405 CVE-2026-31473 CVE-2026-31613 CVE-2026-31614 CVE-2026-31629
CVE-2026-31758 CVE-2026-33948 CVE-2026-34180 CVE-2026-34180 CVE-2026-34182
CVE-2026-34933 CVE-2026-3497 CVE-2026-35385 CVE-2026-35388 CVE-2026-35414
CVE-2026-42487 CVE-2026-42488 CVE-2026-42489 CVE-2026-42490 CVE-2026-42766
CVE-2026-42766 CVE-2026-42770 CVE-2026-43037 CVE-2026-43206 CVE-2026-43284
CVE-2026-43362 CVE-2026-43499 CVE-2026-43501 CVE-2026-43503 CVE-2026-45445
CVE-2026-45446 CVE-2026-45447 CVE-2026-45447 CVE-2026-45852 CVE-2026-45910
CVE-2026-45970 CVE-2026-46004 CVE-2026-46021 CVE-2026-46043 CVE-2026-46113
CVE-2026-46114 CVE-2026-46243 CVE-2026-7383 CVE-2026-7383 CVE-2026-9076
CVE-2026-9076
-----------------------------------------------------------------
The container sles-15-sp6-chost-byos-v20260617-arm64 was updated. The following patches have been included in this update:
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2026:2276-1
Released: Fri Jun 5 10:56:23 2026
Summary: Recommended update for apparmor
Type: recommended
Severity: important
References: 1265620
This update for apparmor fixes the following issues:
- Allow execution of /usr/bin/zstd (bsc#1265620)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2026:2278-1
Released: Fri Jun 5 11:00:12 2026
Summary: Recommended update for timezone
Type: recommended
Severity: important
References: 1264965
This update for timezone fixes the following issues:
- Update to 2026b:
* British Columbia moved to permanent -07 on 2026-03-09. (bsc#1264965)
* Some more overflow bugs have been fixed in zic.
- Update to 2026a:
* Moldova has used EU transition times since 2022.
* The 'right' TZif files are no longer installed by default.
* -DTZ_RUNTIME_LEAPS=0 disables runtime support for leap seconds.
* TZif files are no longer limited to 50 bytes of abbreviations.
* zic is no longer limited to 50 leap seconds.
* Several integer overflow bugs have been fixed.
- Update to 2025c:
* Update Baja California DST rules in 1953, 1961-1975
* An unset TZ is no longer invalid when /etc/localtime is
missing, and is abbreviated 'UTC' not '-00'. This reverts to 2024b behavior
* tzset etc. are now more cautious about questionable TZ settings.
* tzset etc. now treat ' ' like '_' in time zone abbreviations
* tzfree now preserves errno, consistently with POSIX.1-2024 'free'.
* zic has new options inspired by FreeBSD.
* multiple changes visible to developers
- Use 'REDO=posix_right' to keep installing 'right' TZif files.
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:2283-1
Released: Fri Jun 5 14:14:57 2026
Summary: Security update for jq
Type: security
Severity: moderate
References: 1262043,CVE-2026-33948
This update for jq fixes the following issue:
- CVE-2026-33948: CLI input parsing may allow validation bypass via embedded NUL bytes (bsc#1262043)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:2297-1
Released: Mon Jun 8 12:16:51 2026
Summary: Security update for avahi
Type: security
Severity: moderate
References: 1261546,CVE-2026-34933
This update for avahi fixes the following issue:
- CVE-2026-34933: Prior to version 0.9-rc4, any unprivileged local user can crash avahi-daemon by sending a single D-Bus
method call with conflicting publish flags (bsc#1261546).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:2310-1
Released: Tue Jun 9 10:18:26 2026
Summary: Security update for the Linux Kernel
Type: security
Severity: important
References: 1261700,1262663,1263068,1263769,1263774,1263790,1263995,1264093,1264449,1264551,1264989,1265928,1265960,1266001,1266009,1266238,1266402,1266414,1266711,1266765,1266889,1266901,1266969,1266972,1267205,1267220,1267222,CVE-2026-31405,CVE-2026-31473,CVE-2026-31613,CVE-2026-31614,CVE-2026-31629,CVE-2026-31758,CVE-2026-43037,CVE-2026-43206,CVE-2026-43284,CVE-2026-43362,CVE-2026-43499,CVE-2026-43501,CVE-2026-43503,CVE-2026-45852,CVE-2026-45910,CVE-2026-45970,CVE-2026-46004,CVE-2026-46021,CVE-2026-46043,CVE-2026-46113,CVE-2026-46114,CVE-2026-46243
The SUSE Linux Enterprise 15 SP6 kernel was updated to fix various security issues.
The following security issues were fixed:
- CVE-2026-31405: media: dvb-net: fix OOB access in ULE extension header tables (bsc#1261700).
- CVE-2026-31473: media: mc, v4l2: serialize REINIT and REQBUFS with req_queue_mutex (bsc#1262663).
- CVE-2026-31613: smb: client: fix OOB reads parsing symlink error response (bsc#1263769).
- CVE-2026-31614: smb: client: fix off-by-8 bounds check in check_wsl_eas() (bsc#1263774).
- CVE-2026-31629: nfc: llcp: add missing return after LLCP_CLOSED checks (bsc#1263790).
- CVE-2026-31758: usb: usbtmc: Flush anchored URBs in usbtmc_release (bsc#1264093).
- CVE-2026-43037: ip6_tunnel: clear skb2->cb in ip4ip6_err() (bsc#1263995).
- CVE-2026-43206: drm/amdkfd: Fix out-of-bounds write in kfd_event_page_set() (bsc#1264551).
- CVE-2026-43362: smb: client: fix in-place encryption corruption in SMB2_write() (bsc#1264989).
- CVE-2026-43499: rtmutex: Use waiter::task instead of current in remove_waiter() (bsc#1266001).
- CVE-2026-43501: ipv6: rpl: reserve mac_len headroom when recompressed SRH grows (bsc#1266009).
- CVE-2026-43503: net: skbuff: propagate shared-frag marker through frag-transfer helpers (bsc#1265960).
- CVE-2026-45852: RDMA/rxe: Fix double free in rxe_srq_from_init (bsc#1266711).
- CVE-2026-45910: RDMA/rxe: Fix race condition in QP timer handlers (bsc#1266889).
- CVE-2026-45970: bonding: alb: fix UAF in rlb_arp_recv during bond up/down (bsc#1267205).
- CVE-2026-46004: ALSA: caiaq: Handle probe errors properly (bsc#1267222).
- CVE-2026-46021: thermal: core: Fix thermal zone governor cleanup issues (bsc#1267220).
- CVE-2026-46043: RDMA/rxe: Validate pad and ICRC before payload_size() in rxe_rcv (bsc#1266901).
- CVE-2026-46113: KVM: x86: Fix shadow paging use-after-free due to unexpected GFN (bsc#1266969).
- CVE-2026-46114: RDMA/rxe: Reject non-8-byte ATOMIC_WRITE payloads (bsc#1266972).
- CVE-2026-46243: smb: client: reject userspace cifs.spnego descriptions (bsc#1266238).
The following non security issues were fixed:
- arm64: tlb: Allow XZR argument to TLBI ops (git-fixes).
- arm64: tlb: Optimize ARM64_WORKAROUND_REPEAT_TLBI (git-fixes).
- drm/hyperv: validate resolution_count and fix WIN8 fallback (git-fixes).
- drm/hyperv: validate VMBus packet size in receive callback (git-fixes).
- net: gro: don't merge zcopy skbs (git-fixes).
- net: mana: Add NULL guards in teardown path to prevent panic on attach failure (git-fixes).
- net: mana: Expose hardware diagnostic info via debugfs (bsc#1266414).
- net: mana: Fix TOCTOU double-fetch of hwc_msg_id from DMA buffer (bsc#1265928).
- net: mana: hardening: Reject zero max_num_queues from GDMA_QUERY_MAX_RESOURCES (git-fixes).
- net: mana: Skip redundant detach on already-detached port (git-fixes).
- net: mana: Use kvmalloc for large RX queue and buffer allocations (bsc#1266765).
- net: mana: Use per-queue allocation for tx_qp to reduce allocation size (bsc#1266765).
- net: mana: validate rx_req_idx to prevent out-of-bounds array access (bsc#1266402).
- RDMA/mana_ib: Report max_msg_sz in mana_ib_query_port (git-fixes).
- s390/barrier: Make array_index_mask_nospec() __always_inline (bsc#1263068).
- s390/entry: Scrub r12 register on kernel entry (bsc#1263068).
- s390/syscalls: Add spectre boundary for syscall dispatch table (bsc#1263068).
- smb: client: correctly handle ErrorContextData as a flexible array (git-fixes).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:2329-1
Released: Wed Jun 10 09:39:33 2026
Summary: Security update for xen
Type: security
Severity: important
References: 1266952,1266953,1266955,CVE-2026-42487,CVE-2026-42488,CVE-2026-42489,CVE-2026-42490
This update for xen fixes the following issues:
- CVE-2026-42487: x86 HVM I/O port list traversal (bsc#1266952).
- CVE-2026-42488: x86: mismatched mapcache metadata (bsc#1266955).
- CVE-2026-42489,CVE-2026-42490: domctl lock open to abuse (bsc#1266953).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2026:2359-1
Released: Wed Jun 10 18:42:04 2026
Summary: Recommended update for dracut
Type: recommended
Severity: moderate
References: 1263940
This update for dracut fixes the following issues:
- Update to version 059+suse.563.gb5b26e30:
* fix(systemd): explicitly install /bin/bash (bsc#1263940)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:2371-1
Released: Thu Jun 11 16:01:35 2026
Summary: Security update for openssh
Type: security
Severity: important
References: 1259642,1261427,1261430,1261441,1264568,CVE-2026-3497,CVE-2026-35385,CVE-2026-35388,CVE-2026-35414
This update for openssh fixes the following issues:
- CVE-2026-3497: information disclosure or denial of service due to uninitialized variables (bsc#1259642).
- CVE-2026-35385: a file downloaded by scp may be installed setuid or setgid (bsc#1261427).
- CVE-2026-35388: omitted connection multiplexing confirmation for proxy-mode multiplexing sessions (bsc#1261441).
- CVE-2026-35414: mishandling of authorized_keys principals option (bsc#1261430).
- potential security issue when validating mac (bsc#1264568).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2026:2382-1
Released: Fri Jun 12 10:07:34 2026
Summary: Recommended update for hwdata
Type: recommended
Severity: moderate
References:
This update for hwdata fixes the following issues:
- update to version 0.406:
* Update pci and vendor ids
- update to version 0.405:
* Update pci and vendor ids
- Update to version 0.397:
* Update pci and vendor ids
- Update to version 0.395:
* Update pci and vendor ids
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:2393-1
Released: Mon Jun 15 10:06:00 2026
Summary: Security update for openssl-3
Type: security
Severity: important
References: 1266340,1266341,1266342,1266344,1266349,1266353,1266355,1266356,1266357,CVE-2026-34180,CVE-2026-34182,CVE-2026-42766,CVE-2026-42770,CVE-2026-45445,CVE-2026-45446,CVE-2026-45447,CVE-2026-7383,CVE-2026-9076
This update for openssl-3 fixes the following issues:
- CVE-2026-7383: Possible Heap Buffer Overflow in ASN.1 Multibyte String Conversion (bsc#1266340).
- CVE-2026-9076: Out-of-Bounds Read in CMS Password-Based Decryption (bsc#1266341).
- CVE-2026-34180: Heap Buffer Over-read in ASN.1 Content Parsing (bsc#1266342).
- CVE-2026-34182: CMS AuthEnvelopedData Processing May Accept Forged Messages (bsc#1266344).
- CVE-2026-42766: Possible NULL Dereference in Password-Based CMS Decryption (bsc#1266349).
- CVE-2026-42770: FFC-DH Peer Validation Uses Attacker-Supplied q (bsc#1266353).
- CVE-2026-45445: AES-OCB IV Ignored on EVP_Cipher() Path (bsc#1266355).
- CVE-2026-45446: Incorrect Tag Processing for Empty Messages in AES-GCM-SIV and AES-SIV modes (bsc#1266356).
- CVE-2026-45447: Heap Use-After-Free in OpenSSL PKCS7_verify() (bsc#1266357).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:2404-1
Released: Tue Jun 16 08:53:46 2026
Summary: Security update for openssl-1_1
Type: security
Severity: important
References: 1266340,1266341,1266342,1266349,1266357,CVE-2026-34180,CVE-2026-42766,CVE-2026-45447,CVE-2026-7383,CVE-2026-9076
This update for openssl-1_1 fixes the following issues:
- CVE-2026-45447: Heap Use-After-Free in OpenSSL PKCS7_verify() (bsc#1266357).
- CVE-2026-42766: Possible NULL Dereference in Password-Based CMS Decryption (bsc#1266349).
- CVE-2026-9076: Out-of-Bounds Read in CMS Password-Based Decryption (bsc#1266341).
- CVE-2026-7383: Possible Heap Buffer Overflow in ASN.1 Multibyte String Conversion (bsc#1266340).
- CVE-2026-34180: Heap Buffer Over-read in ASN.1 Content Parsing (bsc#1266342).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:2414-1
Released: Tue Jun 16 14:21:30 2026
Summary: Security update for runc
Type: security
Severity: important
References:
This update for runc rebuilds it against the current go security release.
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2026:2425-1
Released: Wed Jun 17 08:48:32 2026
Summary: Recommended update for iproute2
Type: recommended
Severity: important
References: 1255752
This update for iproute2 fixes the following issues:
- add DPLL support (bsc#1255752 jsc#PED-14083):
* dpll: add dpll command
* dpll: fix missing notifications in monitor mode
* dpll: send object per event in JSON monitor mode
* dpll: add client side filtering for device and pin show
* dpll: add direction and state filtering for pin show
* dpll: add mode setting support
* dpll: add pin filtering by parent device
* dpll: add support for fractional frequency offset
* dpll: fix pin id get type filter parsing
* lib: add string to boolean helper function
* lib: move mnlg to lib for shared use
* sync UAPI header copies with SL-16.0
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2026:2434-1
Released: Wed Jun 17 16:40:10 2026
Summary: Recommended update for coreutils
Type: recommended
Severity: important
References: 1259327
This update for coreutils fixes the following issues:
- proc: Use affinity mask even on systems with more than 1024 CPUs (bsc#1259327)
-----------------------------------------------------------------
The following package changes have been done:
- apparmor-abstractions-3.1.7-150600.5.15.1 updated
- apparmor-parser-3.1.7-150600.5.15.1 updated
- coreutils-8.32-150400.9.12.1 updated
- dracut-059+suse.563.gb5b26e30-150600.3.26.2 updated
- hwdata-0.406-150000.3.80.1 updated
- iproute2-6.4-150600.7.15.1 updated
- jq-1.6-150000.3.15.1 updated
- kernel-default-6.4.0-150600.23.115.1 updated
- libapparmor1-3.1.7-150600.5.15.1 updated
- libavahi-client3-0.8-150600.15.18.1 updated
- libavahi-common3-0.8-150600.15.18.1 updated
- libjq1-1.6-150000.3.15.1 updated
- libopenssl1_1-1.1.1w-150600.5.32.1 updated
- libopenssl3-3.1.4-150600.5.53.1 updated
- openssh-clients-9.6p1-150600.6.42.1 updated
- openssh-common-9.6p1-150600.6.42.1 updated
- openssh-server-config-disallow-rootlogin-9.6p1-150600.6.42.1 updated
- openssh-server-9.6p1-150600.6.42.1 updated
- openssh-9.6p1-150600.6.42.1 updated
- openssl-3-3.1.4-150600.5.53.1 updated
- runc-1.3.4-150000.96.1 updated
- scap-security-guide-0.1.80-150600.1.8 updated
- timezone-2026b-150600.91.9.1 updated
- xen-libs-4.18.5_18-150600.3.50.1 updated