SUSE-CU-2026:6233-1: Security update of suse/sles/16.0/toolbox
sle-container-updates at lists.suse.com
Sat Jun 20 08:16:03 UTC 2026
SUSE Container Update Advisory: suse/sles/16.0/toolbox
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2026:6233-1
Container Tags : suse/sles/16.0/toolbox:16.3 , suse/sles/16.0/toolbox:16.3-1.81 , suse/sles/16.0/toolbox:latest
Container Release : 1.81
Severity : important
Type : security
References : 1239718 1246504 1252306 1253043 1253193 1257463 1259706 1259802
1259842 1265223 1265935 1265938 1266039 1266385 1267426 1267874
CVE-2026-25707 CVE-2026-44933 CVE-2026-44941 CVE-2026-44942 CVE-2026-48863
CVE-2026-9149 CVE-2026-9150
-----------------------------------------------------------------
The container suse/sles/16.0/toolbox was updated. The following patches have been included in this update:
-----------------------------------------------------------------
Advisory ID: 959
Released: Fri Jun 19 07:10:33 2026
Summary: Recommended update for libsemanage
Type: recommended
Severity: important
References: 1266385
This update for libsemanage fixes the following issues:
- Depend on libso before make pywrap is executed to avoid race conditions (bsc#1266385)
- Add CFLAGS to %make_install call for consistency with %make_build
-----------------------------------------------------------------
Advisory ID: 961
Released: Fri Jun 19 09:35:00 2026
Summary: Security update for zypper, libzypp, libsolv
Type: security
Severity: important
References: 1239718,1246504,1253193,1259706,1259802,1259842,1265223,1265935,1265938,1266039,1267426,1267874,CVE-2026-25707,CVE-2026-44933,CVE-2026-44941,CVE-2026-44942,CVE-2026-48863,CVE-2026-9149,CVE-2026-9150
This update for zypper, libzypp, libsolv fixes the following issues:
Changes in zypper:
Update to 1.14.98:
- Transactional systems: Delegate rw-commands to
transactional-wrapper if available (jsc#PED-13680, jsc#PED-15607)
On a transactional system where the root filesystem is mounted
read-only, zypper commands that modify the system cannot be
executed directly.
If the system provides a transactional-wrapper utility, zypper
will automatically attempt to invoke it. The wrapper
transparently executes the zypper command within a new, writable
snapshot and manages the lifecycle of that snapshot based on the
command's exit status.
On transactional systems lacking a transactional-wrapper, users
must manually invoke specialized tools, such as
transactional-update, to install, update, or remove software.
- Add --filter-version-change to zypper lu.
Adds filtering by version change significance to reduce noise in
update listings. Supports levels: rebuild (hides rebuild-only
changes) and package (hides all release-only changes).
- Autorefresh ris-services the same way as plugin-services (bsc#1246504)
It's actually wrong to treat service refreshes differently
depending on the service type. For the purpose of a service it
makes no difference how the data about the repos to use are
acquired.
Changes in libzypp:
Updated to 17.38.13:
- A .repo file's 'path=' entry must not refer to a location
outside the repo (bsc#1267874, CVE-2026-44942)
A 'path=' entry may solely denote a sub-directory of the baseurl
where the metadata are located. A relative path trying to access
data outside the baseurl is reported and sanitized.
- Repo 'keyhint' must denote a filename, no path (bsc#1267426,
CVE-2026-44941)
- Fix potential crash on malformed or malicious repository
metadata (fixes #740)
- Repo metadata: discard entries referring to a location outside
the repo (bsc#1259802, CVE-2026-25707)
Mirroring those data locally would refer to a location outside
the repo's local cache directory. Those data entries are reported
and discarded.
- zypp.conf: Allow [env] section to add environment variables.
This feature is designed to enable environment-specific settings
or debugging options over an extended period. See zypp.conf(5).
- Prevent configured scripts from escaping the sigcheck directory
(bsc#1265223, CVE-2026-44933)
- StringV: guard hasPrefix/hasPrefixCI against reading past the
view end (fixes #735)
- Mandatory signature verification plugin support (PED#11922)
- Fix purge-kernel -rc kernel handling (bsc#1239718)
- Explicitly_set_pool_DISTTYPE_RPM (fixes #726)
- Check for trusted key updates when updating the general keyring
(bsc#1259706)
- Support multiple MirroredOrigin authorities (bsc#1253193)
- Workaround doxygen bug: doxygen/doxygen#12057
- libzypp.spec: Add missing graphviz-gd BuildRequires (boo#1259842)
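An added example, not part of the advisory and not libzypp's code: a small Python audit that applies the containment rule described above for 'path=' (CVE-2026-44942) and the filename-only rule for 'keyhint' (CVE-2026-44941). The function names and the sample .repo text are constructed for illustration, and rejecting any path that climbs above its base is an assumption; libzypp's own sanitizing may differ.

```python
import configparser
from urllib.parse import unquote

# Constructed sample .repo content for illustration (not from the advisory).
SAMPLE_REPO = """\
[good]
baseurl=https://example.com/repo/
path=/updates/16.0

[bad]
baseurl=https://example.com/repo/
path=updates/%2e%2e/../other
"""

def stays_inside(rel_path: str) -> bool:
    """True if rel_path never climbs above the directory it is relative to."""
    depth = 0
    # Decode percent-escapes and unify separators before inspecting components.
    for part in unquote(rel_path).replace("\\", "/").split("/"):
        if part in ("", "."):
            continue  # leading '/', doubled '/', or '.' do not change depth
        if part == "..":
            depth -= 1
            if depth < 0:
                return False  # would leave the base directory
        else:
            depth += 1
    return True

def is_plain_filename(name: str) -> bool:
    """True if name is a bare filename: no separators, not '.' or '..'."""
    decoded = unquote(name)
    return bool(decoded) and decoded not in (".", "..") \
        and "/" not in decoded and "\\" not in decoded

def audit_repo_text(text: str) -> list[tuple[str, str]]:
    """Return (section, path) for every 'path=' entry that escapes baseurl."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read_string(text)
    return [(section, parser[section]["path"])
            for section in parser.sections()
            if "path" in parser[section]
            and not stays_inside(parser[section]["path"])]

if __name__ == "__main__":
    for section, path in audit_repo_text(SAMPLE_REPO):
        print(f"[{section}] path={path!r} points outside baseurl")
```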
Changes in libsolv:
Updated to 0.7.39:
- fix solv_chksum_free segfault when called with a NULL pointer
- made repo_add_solv more robust against corrupt files
[bsc#1265935] [CVE-2026-9149]
- fix potential buffer overflow when verifying EdDSA signatures
[bsc#1266039] [CVE-2026-48863]
- added limit checks in multiple places to catch overflows
- reduce the size of the language id cache
- fixed Debian canon selection
- fixed dbpath detection in repo_rpmdb_librpm
- reduced stack usage in repo page compression (needed for musl)
- fix parsing of sha512 checksums in debian repositories
[bsc#1265938] [CVE-2026-9150]
- improve speed of dirpool_add_dir, making parsing of filelists.xml
twice as fast
- fix parsing of recommends in the old Mandriva synthesis format
-----------------------------------------------------------------
Advisory ID: 964
Released: Fri Jun 19 16:14:03 2026
Summary: Recommended update for gcc15
Type: recommended
Severity: important
References: 1252306,1253043,1257463
This update for gcc15 fixes the following issues:
Changes in gcc15:
- Update to GCC 15.3 release
- Drop -fhardened from RPM_OPT_FLAGS
- Avoid conflicts between %gcc_libc_bootstrap packages of different
versions if update-alternatives are still in use (SLE 15 and older)
- Allow conversions from time_t to/from uint32_t.
Filter out -Wtime_t-conversion from flags to build D target library files.
- SUSE-local -Wtime_t-conversion patch added. [jsc#PED-15601]
- Fix for bogus expression simplification [bsc#1257463]
- Enable the use of _dl_find_object even when not available at build time.
[bsc#1253043]
- Fix that cures a miscompile of libgo on arm. [bsc#1252306]
- Fixes PR110812, Check availability of builtins at expand time
The following package changes have been done:
- libgcc_s1-15.3.0+git11272-160000.1.1 updated
- libgomp1-15.3.0+git11272-160000.1.1 updated
- libsemanage-conf-3.8.1-160000.3.1 updated
- libsemanage2-3.8.1-160000.3.1 updated
- libsolv-tools-base-0.7.39-160000.1.1 updated
- libstdc++6-15.3.0+git11272-160000.1.1 updated
- libzypp-17.38.13-160000.1.1 updated
- zypper-1.14.98-160000.1.1 updated