SUSE-IU-2026:4896-1: Security update of suse/sl-micro/6.2/base-os-container

sle-container-updates at lists.suse.com
Sun Jun 21 07:12:59 UTC 2026


SUSE Image Update Advisory: suse/sl-micro/6.2/base-os-container
-----------------------------------------------------------------
Image Advisory ID : SUSE-IU-2026:4896-1
Image Tags        : suse/sl-micro/6.2/base-os-container:2.3.1 , suse/sl-micro/6.2/base-os-container:2.3.1-8.11 , suse/sl-micro/6.2/base-os-container:latest
Image Release     : 8.11
Severity          : important
Type              : security
References        : 1239718 1246504 1252306 1253043 1253193 1255752 1257463 1259706
                        1259802 1259842 1265223 1265935 1265938 1266039 1266385 1267426
                        1267874 1268012 1268013 CVE-2026-11822 CVE-2026-11824 CVE-2026-25707
                        CVE-2026-44933 CVE-2026-44941 CVE-2026-44942 CVE-2026-48863 CVE-2026-9149
                        CVE-2026-9150 
-----------------------------------------------------------------

The container suse/sl-micro/6.2/base-os-container was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: 955
Released:    Thu Jun 18 23:01:36 2026
Summary:     Security update for sqlite3
Type:        security
Severity:    important
References:  1268012,1268013,CVE-2026-11822,CVE-2026-11824
This update for sqlite3 fixes the following issues:

Update to 3.53.2:

- CVE-2026-11822: memory corruption vulnerabilities in the FTS5 full-text search extension that allow attackers to cause
  process crashes, memory exhaustion, or arbitrary code execution (bsc#1268012).
- CVE-2026-11824: heap-based buffer overflow vulnerability in the FTS5 full-text search extension that allows attackers
  to cause a crash or execute arbitrary code (bsc#1268013).

Changes:

 * Add the Query Result Formatter (QRF) library for formatting the
 results of SQL queries for human readability on a fixed-pitch
 font screen.
 * Enhance ALTER TABLE to permit adding and removing NOT NULL and
 CHECK constraints.
 * The REINDEX EXPRESSIONS statement rebuilds expression indexes.
 * The body of TEMP triggers may now modify and/or query tables
 in the main schema.
 * Enhance VACUUM INTO so that if a URI filename is used as the
 target and that filename has a reserve=N query parameter with
 N between 0 and 255, then the reserve amount for the generated
 database copy is set to N.
 * New SQL functions json_array_insert() and jsonb_array_insert().
 * Renovations to the CLI.
 * New C-language interfaces: sqlite3_str_truncate(),
 sqlite3_str_free(), sqlite3_carray_bind_v2().
 * Add the SQLITE_PREPARE_FROM_DDL option to sqlite3_prepare_v3().
 * Added the SQLITE_UTF8_ZT constant which can be used as the
 encoding parameter to sqlite3_result_text64() or
 sqlite3_bind_text64() to indicate that the value is UTF-8
 encoded and zero terminated.
 * The SQLITE_LIMIT_PARSER_DEPTH option is added to
 sqlite3_limit().
 * The SQLITE_DBCONFIG_FP_DIGITS option is added to
 sqlite3_db_config().
 * Query planner improvements.
 * Add new interfaces to the session extension that enable an
 application to add changes one at a time to the
 sqlite3_changegroup object.
 * Improvements to floating-point <-> text conversions.
 * Added the self-healing index feature to deal with the stale
 expression index problem.
 * Add the '-p|--port' option to sqlite3_rsync.
 * Add the 'opfs-wl' VFS, functionally identical to the 'opfs' VFS
 but using Web Locks for locking, which can promise fairer lock
 sharing than the 'opfs' bespoke protocol can. 'opfs-wl'
 requires Atomics.waitAsync(), so requires newer browsers than
 'opfs' does.
 * Fixes for problems in 3.53.0 and 3.53.1 reported by users.
 * See the check-in timeline for details:
 https://sqlite.org/src/timeline?from=version-3.53.0&to=version-3.53.2

 * https://sqlite.org/releaselog/3_53_0.html

-----------------------------------------------------------------
Advisory ID: 959
Released:    Fri Jun 19 07:10:33 2026
Summary:     Recommended update for libsemanage
Type:        recommended
Severity:    important
References:  1266385
This update for libsemanage fixes the following issues:

- Depend on libso before make pywrap is executed to avoid race conditions (bsc#1266385)
- Add CFLAGS to %make_install call for consistency with %make_build

-----------------------------------------------------------------
Advisory ID: 961
Released:    Fri Jun 19 09:35:00 2026
Summary:     Security update for zypper, libzypp, libsolv
Type:        security
Severity:    important
References:  1239718,1246504,1253193,1259706,1259802,1259842,1265223,1265935,1265938,1266039,1267426,1267874,CVE-2026-25707,CVE-2026-44933,CVE-2026-44941,CVE-2026-44942,CVE-2026-48863,CVE-2026-9149,CVE-2026-9150
This update for zypper, libzypp, libsolv fixes the following issues:

Changes in zypper:

Update to 1.14.98:

- Transactional systems: Delegate rw-commands to
  transactional-wrapper if available (jsc#PED-13680, jsc#PED-15607)
  On a transactional system where the root filesystem is mounted
  read-only, zypper commands that modify the system cannot be
  executed directly.
  If the system provides a transactional-wrapper utility, zypper
  will automatically attempt to invoke it. The wrapper
  transparently executes the zypper command within a new, writable
  snapshot and manages the lifecycle of that snapshot based on the
  command's exit status.
  On transactional systems lacking a transactional-wrapper, users
  must manually invoke specialized tools -such as
  transactional-update- to install, update, or remove software.
- Add --filter-version-change to zypper lu.
  Adds filtering by version change significance to reduce noise in
  update listings. Supports levels: rebuild (hides rebuild-only
  changes) and package (hides all release-only changes).
- Autorefresh ris-services the same way as plugin-services (bsc#1246504)
  It's actually wrong to treat service refreshes differently
  depending on the service type. For the purpose of a service it
  makes no difference how the data about the repos to use are
  acquired.

Changes in libzypp:

Updated to 17.38.13:

- A .repo file's 'path=' entry must not refer to a location
  outside the repo (bsc#1267874, CVE-2026-44942)
  A 'path=' entry may solely denote a sub-directory of the baseurl
  where the metadata are located. A relative path trying to access
  data outside the baseurl is reported and sanitized.
- Repo 'keyhint' must denote a filename, no path (bsc#1267426,
  CVE-2026-44941)
- Fix potential crash on malformed or malicious repository
  metadata (fixes #740)
- Repo metadata: discard entries referring to a location outside
  the repo (bsc#1259802, CVE-2026-25707)
  Mirroring those data locally would refer to a location outside
  the repo's local cache directory. Those data entries are reported
  and discarded.
- zypp.conf: Allow [env] section to add environment variables.
  This feature is designed to enable environment-specific settings
  or debugging options over an extended period. See zypp.conf(5).
- Prevent configured scripts from escaping the sigcheck directory
  (bsc#1265223, CVE-2026-44933)
- StringV: guard hasPrefix/hasPrefixCI against reading past the
  view end (fixes #735)
- Mandatory signature verification plugin support (PED#11922)
- Fix purge-kernel -rc kernel handling (bsc#1239718)
- Explicitly_set_pool_DISTTYPE_RPM (fixes #726)
- Check for trusted key updates when updating the general keyring
  (bsc#1259706)
- Support multiple MirroredOrigin authorities (bsc#1253193)
- Workaround doxygen bug: doxygen/doxygen#12057
- libzypp.spec: Add missing graphviz-gd BuildRequires (boo#1259842)
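
Added example (not libzypp's code): a small audit that flags 'path=' entries in .repo text which would resolve outside the baseurl, approximating the rule described above for CVE-2026-44942. The sample repo definitions, the function names and the treatment of percent-encoded dots are assumptions made for this illustration.

```python
import configparser
from urllib.parse import unquote

# Constructed sample .repo content for illustration (not from the advisory).
SAMPLE_REPO = """\
[inside]
baseurl=https://repo.example.invalid/product/
path=/suse/x86_64

[dot-dot]
baseurl=https://repo.example.invalid/product/
path=../../elsewhere

[encoded]
baseurl=https://repo.example.invalid/product/
path=sub/%2e%2e/%2E%2E/elsewhere
"""

def path_escapes(path):
    """Return True if 'path' climbs above the directory it is relative to."""
    depth = 0
    # Decode percent-escapes first so "%2e%2e" is treated like "..".
    for part in unquote(path).split("/"):
        if part in ("", "."):
            continue              # leading "/", "//" and "." do not move
        if part == "..":
            depth -= 1
            if depth < 0:         # stepped above the baseurl directory
                return True
        else:
            depth += 1
    return False

def audit_repo_text(text):
    """Return (section, path) for every 'path=' entry that leaves the baseurl."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read_string(text)
    findings = []
    for section in parser.sections():
        path = parser.get(section, "path", fallback="")
        if path_escapes(path):
            findings.append((section, path))
    return findings

if __name__ == "__main__":
    for section, path in audit_repo_text(SAMPLE_REPO):
        print(f"[{section}] path={path!r} leaves the baseurl")
```

The check is deliberately conservative: any step above the baseurl is reported, even if later components would lead back into it.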

Changes in libsolv:

Updated to 0.7.39:

- fix solv_chksum_free segfault when called with a NULL pointer
- made repo_add_solv more robust against corrupt files
  [bsc#1265935] [CVE-2026-9149]
- fix potential buffer overflow when verifying EdDSA signatures
  [bsc#1266039] [CVE-2026-48863]
- added limit checks in multiple places to catch overflows
- reduce the size of the language id cache
- fixed Debian canon selection
- fixed dbpath detection in repo_rpmdb_librpm
- reduced stack usage in repo page compression (needed for musl)
- fix parsing of sha512 checksums in debian repositories
  [bsc#1265938] [CVE-2026-9150]
- improve speed of dirpool_add_dir making parsing of filelists.xml
  twice as fast
- fix parsing of recommends in the old Mandriva synthesis format

-----------------------------------------------------------------
Advisory ID: 964
Released:    Fri Jun 19 16:14:03 2026
Summary:     Recommended update for gcc15
Type:        recommended
Severity:    important
References:  1252306,1253043,1257463
This update for gcc15 fixes the following issues:

Changes in gcc15:

- Update to GCC 15.3 release
- Drop -fhardened from RPM_OPT_FLAGS
- Avoid conflicts between %gcc_libc_bootstrap packages of different
  versions if update-alternatives are still in use (SLE 15 and older)
- Allow conversions from time_t to/from uint32_t.
  Filter out -Wtime_t-conversion from flags to build D target library files.
- SUSE-local -Wtime_t-conversion patch added.  [jsc#PED-15601]
- Fix for bogus expression simplification [bsc#1257463]
- Enable the use of _dl_find_object even when not available at build time.
  [bsc#1253043]
- Fix that cures a miscompile of libgo on arm.  [bsc#1252306]
- Fixes PR110812, Check availability of builtins at expand time

-----------------------------------------------------------------
Advisory ID: 975
Released:    Fri Jun 19 18:54:15 2026
Summary:     Recommended update for iproute2
Type:        recommended
Severity:    important
References:  1255752
This update for iproute2 fixes the following issues:

- add DPLL support (bsc#1255752 jsc#PED-14083):
    * dpll: add dpll command
    * dpll: fix missing notifications in monitor mode
    * dpll: send object per event in JSON monitor mode
    * dpll: add client side filtering for device and pin show
    * dpll: add direction and state filtering for pin show
    * dpll: add mode setting support
    * dpll: add pin filtering by parent device
    * dpll: add support for fractional frequency offset
    * dpll: fix pin id get type filter parsing
    * lib: add string to boolean helper function
    * lib: move mnlg to lib for shared use
    * sync UAPI header copies with SL-16.0


The following package changes have been done:

- libsemanage-conf-3.8.1-160000.3.1 updated
- libsqlite3-0-3.53.2-160000.1.1 updated
- libgcc_s1-15.3.0+git11272-160000.1.1 updated
- libstdc++6-15.3.0+git11272-160000.1.1 updated
- libsemanage2-3.8.1-160000.3.1 updated
- iproute2-6.12-160000.4.1 updated
- libsolv-tools-base-0.7.39-160000.1.1 updated
- libzypp-17.38.13-160000.1.1 updated
- zypper-1.14.98-160000.1.1 updated

