SUSE-CU-2026:6466-1: Security update of rancher/seedimage-builder

sle-container-updates at lists.suse.com
Sat Jun 27 07:17:03 UTC 2026


SUSE Container Update Advisory: rancher/seedimage-builder
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2026:6466-1
Container Tags        : rancher/seedimage-builder:1.8.2, rancher/seedimage-builder:1.8.2-5.18
Container Release     : 5.18
Severity              : important
Type                  : security
References            : 1232226 1245524 1252306 1253043 1257055 1257463 1259652 1259924
                        1261606 1262144 1262693 1263366 1263367 1264971 1266340 1266341
                        1266342 1266344 1266345 1266347 1266349 1266350 1266351 1266352
                        1266353 1266355 1266356 1266357 1266385 1268012 1268013 1268322
                        CVE-2025-69720 CVE-2026-11822 CVE-2026-11824 CVE-2026-2673 CVE-2026-27456
                        CVE-2026-34180 CVE-2026-34182 CVE-2026-34183 CVE-2026-40355 CVE-2026-40356
                        CVE-2026-41990 CVE-2026-42764 CVE-2026-42766 CVE-2026-42767 CVE-2026-42768
                        CVE-2026-42769 CVE-2026-42770 CVE-2026-45445 CVE-2026-45446 CVE-2026-45447
                        CVE-2026-5958 CVE-2026-6893 CVE-2026-7383 CVE-2026-9076 
-----------------------------------------------------------------

The container rancher/seedimage-builder was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: 955
Released:    Thu Jun 18 23:01:36 2026
Summary:     Security update for sqlite3
Type:        security
Severity:    important
References:  1268012,1268013,CVE-2026-11822,CVE-2026-11824
This update for sqlite3 fixes the following issues:

Update to 3.53.2:

- CVE-2026-11822: memory corruption vulnerabilities in the FTS5 full-text search extension that allow attackers to cause
  process crashes, memory exhaustion, or arbitrary code execution (bsc#1268012).
- CVE-2026-11824: heap-based buffer overflow vulnerability in the FTS5 full-text search extension that allows attackers
  to cause a crash or execute arbitrary code (bsc#1268013).

Changes:

 * Add the Query Result Formatter (QRF) library for formatting the
   results of SQL queries for human readability on a fixed-pitch
   font screen.
 * Enhance ALTER TABLE to permit adding and removing NOT NULL and
   CHECK constraints.
 * The REINDEX EXPRESSIONS statement rebuilds expression indexes.
 * The body of TEMP triggers may now modify and/or query tables
   in the main schema.
 * Enhance VACUUM INTO so that if a URI filename is used as the
   target and that filename has a reserve=N query parameter with
   N between 0 and 255, then the reserve amount for the generated
   database copy is set to N.
 * New SQL functions json_array_insert() and jsonb_array_insert().
 * Renovations to the CLI.
 * New C-language interfaces: sqlite3_str_truncate(),
   sqlite3_str_free(), sqlite3_carray_bind_v2().
 * Add the SQLITE_PREPARE_FROM_DDL option to sqlite3_prepare_v3().
 * Added the SQLITE_UTF8_ZT constant which can be used as the
   encoding parameter to sqlite3_result_text64() or
   sqlite3_bind_text64() to indicate that the value is UTF-8
   encoded and zero terminated.
 * The SQLITE_LIMIT_PARSER_DEPTH option is added to
   sqlite3_limit().
 * The SQLITE_DBCONFIG_FP_DIGITS option is added to
   sqlite3_db_config().
 * Query planner improvements.
 * Add new interfaces to the session extension that enable an
   application to add changes one at a time to the
   sqlite3_changegroup object.
 * Improvements to floating-point <-> text conversions.
 * Added the self-healing index feature to deal with the stale
   expression index problem.
 * Add the '-p|--port' option to sqlite3_rsync.
 * Add the 'opfs-wl' VFS, functionally identical to the 'opfs' VFS
   but using Web Locks for locking, which can promise fairer lock
   sharing than the 'opfs' bespoke protocol can. 'opfs-wl'
   requires Atomics.waitAsync(), so requires newer browsers than
   'opfs' does.
 * Fixes for problems in 3.53.0 and 3.53.1 reported by users.
 * See the check-in timeline for details:
   https://sqlite.org/src/timeline?from=version-3.53.0&to=version-3.53.2
 * https://sqlite.org/releaselog/3_53_0.html

-----------------------------------------------------------------
Advisory ID: 959
Released:    Fri Jun 19 07:10:33 2026
Summary:     Recommended update for libsemanage
Type:        recommended
Severity:    important
References:  1266385
This update for libsemanage fixes the following issues:

- Depend on libso before make pywrap is executed to avoid race conditions (bsc#1266385)
- Add CFLAGS to %make_install call for consistency with %make_build

-----------------------------------------------------------------
Advisory ID: 964
Released:    Fri Jun 19 16:14:03 2026
Summary:     Recommended update for gcc15
Type:        recommended
Severity:    important
References:  1252306,1253043,1257463
This update for gcc15 fixes the following issues:

Changes in gcc15:

- Update to GCC 15.3 release
- Drop -fhardened from RPM_OPT_FLAGS
- Avoid conflicts between %gcc_libc_bootstrap packages of different
  versions if update-alternatives are still in use (SLE 15 and older)
- Allow conversions from time_t to/from uint32_t.
  Filter out -Wtime_t-conversion from flags to build D target library files.
- SUSE-local -Wtime_t-conversion patch added.  [jsc#PED-15601]
- Fix for bogus expression simplification [bsc#1257463]
- Enable the use of _dl_find_object even when not available at build time.
  [bsc#1253043]
- Fix that cures a miscompile of libgo on arm.  [bsc#1252306]
- Fixes PR110812, Check availability of builtins at expand time

-----------------------------------------------------------------
Advisory ID: 1004
Released:    Sat Jun 20 20:11:34 2026
Summary:     Security update for ncurses
Type:        security
Severity:    moderate
References:  1259924,CVE-2025-69720
This update for ncurses fixes the following issue:

- CVE-2025-69720: buffer overflow in function `analyze_string()` of `progs/infocmp.c` (bsc#1259924).

-----------------------------------------------------------------
Advisory ID: 1000
Released:    Sat Jun 20 20:12:39 2026
Summary:     Recommended update for netcfg
Type:        recommended
Severity:    moderate
References:  
This update for netcfg fixes the following issues:

- Clarify /etc/services removal message

-----------------------------------------------------------------
Advisory ID: 996
Released:    Sat Jun 20 20:17:58 2026
Summary:     Recommended update for libselinux
Type:        recommended
Severity:    moderate
References:  1232226
This update for libselinux fixes the following issues:

- Backport patch for restorecon to log error on readonly fs (bsc#1232226)

-----------------------------------------------------------------
Advisory ID: 1017
Released:    Mon Jun 22 14:26:17 2026
Summary:     Security update for openssl-3
Type:        security
Severity:    important
References:  1259652,1266340,1266341,1266342,1266344,1266345,1266347,1266349,1266350,1266351,1266352,1266353,1266355,1266356,1266357,CVE-2026-2673,CVE-2026-34180,CVE-2026-34182,CVE-2026-34183,CVE-2026-42764,CVE-2026-42766,CVE-2026-42767,CVE-2026-42768,CVE-2026-42769,CVE-2026-42770,CVE-2026-45445,CVE-2026-45446,CVE-2026-45447,CVE-2026-7383,CVE-2026-9076
This update for openssl-3 fixes the following issues:

- CVE-2026-2673: TLS 1.3 servers may choose unexpected key agreement group (bsc#1259652).
- CVE-2026-7383: Possible Heap Buffer Overflow in ASN.1 Multibyte String Conversion (bsc#1266340).
- CVE-2026-9076: Out-of-Bounds Read in CMS Password-Based Decryption (bsc#1266341).
- CVE-2026-34180: Heap Buffer Over-read in ASN.1 Content Parsing (bsc#1266342).
- CVE-2026-34182: CMS AuthEnvelopedData Processing May Accept Forged Messages (bsc#1266344).
- CVE-2026-34183: Unbounded Memory Growth in the QUIC PATH_CHALLENGE Handler (bsc#1266345).
- CVE-2026-42764: NULL pointer dereference in QUIC server initial packet handling (bsc#1266347).
- CVE-2026-42766: Possible NULL Dereference in Password-Based CMS Decryption (bsc#1266349).
- CVE-2026-42767: NULL Pointer Dereference in CRMF EncryptedValue Decryption (bsc#1266350).
- CVE-2026-42768: Multi-RecipientInfo Bleichenbacher Oracle in CMS_decrypt() and PKCS7_decrypt() (bsc#1266351).
- CVE-2026-42769: Trust-Anchor Substitution via cert/issuer Typo in CMP rootCaKeyUpdate (bsc#1266352).
- CVE-2026-42770: FFC-DH Peer Validation Uses Attacker-Supplied q (bsc#1266353).
- CVE-2026-45445: AES-OCB IV Ignored on EVP_Cipher() Path (bsc#1266355).
- CVE-2026-45446: Incorrect Tag Processing for Empty Messages in AES-GCM-SIV and AES-SIV modes (bsc#1266356).
- CVE-2026-45447: Heap Use-After-Free in OpenSSL PKCS7_verify() (bsc#1266357).

-----------------------------------------------------------------
Advisory ID: 1033
Released:    Mon Jun 22 16:30:37 2026
Summary:     Security update for krb5
Type:        security
Severity:    moderate
References:  1263366,1263367,CVE-2026-40355,CVE-2026-40356
This update for krb5 fixes the following issues:

- CVE-2026-40355: Denial of Service via NULL pointer dereference in NegoEx mechanism (bsc#1263366).
- CVE-2026-40356: Denial of Service via integer underflow and out-of-bounds read (bsc#1263367).

-----------------------------------------------------------------
Advisory ID: 1036
Released:    Mon Jun 22 16:30:37 2026
Summary:     Security update for sed
Type:        security
Severity:    moderate
References:  1262144,CVE-2026-5958
This update for sed fixes the following issue:

- CVE-2026-5958: a TOCTOU race can allow attacker-controlled content to be read and written to an unintended file
  (bsc#1262144).

-----------------------------------------------------------------
Advisory ID: 1040
Released:    Mon Jun 22 16:34:40 2026
Summary:     Security update for util-linux
Type:        security
Severity:    moderate
References:  1261606,CVE-2026-27456
This update for util-linux fixes the following issue:

- CVE-2026-27456: TOCTOU in the mount program when setting up loop devices (bsc#1261606).

-----------------------------------------------------------------
Advisory ID: 1047
Released:    Mon Jun 22 17:08:34 2026
Summary:     Recommended update for suse-module-tools
Type:        recommended
Severity:    moderate
References:  1257055
This update for suse-module-tools fixes the following issues:

- Update to version 16.0.65:
    * Remove erofs from the list of blacklisted file systems (jsc#PED-14573)
    * weak-modules2: don't remove symlinks in the rpm --reinstall case (bsc#1257055)

-----------------------------------------------------------------
Advisory ID: 1052
Released:    Tue Jun 23 15:42:56 2026
Summary:     Recommended update for curl
Type:        recommended
Severity:    important
References:  1264971
This update for curl fixes the following issues:

- Call http_size() first to prioritize Transfer-Encoding:
  chunked over a zero Content-Length empty body check (bsc#1264971)

-----------------------------------------------------------------
Advisory ID: 1060
Released:    Wed Jun 24 23:36:29 2026
Summary:     Security update for libgcrypt
Type:        security
Severity:    low
References:  1262693,CVE-2026-41990
This update for libgcrypt fixes the following issue:

- CVE-2026-41990: a missing bounds check can lead to mishandling of Dilithium signing (bsc#1262693).

-----------------------------------------------------------------
Advisory ID: 1067
Released:    Wed Jun 24 23:37:46 2026
Summary:     Security update for dracut
Type:        security
Severity:    important
References:  1268322,CVE-2026-6893
This update for dracut fixes the following issue:

- CVE-2026-6893: Root code execution via DHCP options command injection (bsc#1268322).

Changes for dracut:

- Update to version 059+suse.722.gdd9d67ff5:
 * fix(network-legacy): sanitize DHCP values in dhclient-script.sh (bsc#1268322, CVE-2026-6893)
 * fix(network-legacy): add input validation to RFC 3442 route parser

-----------------------------------------------------------------
Advisory ID: 1064
Released:    Wed Jun 24 23:38:49 2026
Summary:     Recommended update for pam
Type:        recommended
Severity:    moderate
References:  1245524
This update for pam fixes the following issues:

- pam_mkhomedir: building with vendordir option allows fetching skeleton directory
  from the vendor directory when creating the user home directory (bsc#1245524)
- disable unix_chkpwd by default, only used as fallback again
- pam_modutil_get*: overwrite password at free

-----------------------------------------------------------------
Advisory ID: 1085
Released:    Fri Jun 26 10:11:56 2026
Summary:     Recommended update for rsync
Type:        recommended
Severity:    moderate
References:  
This update for rsync fixes the following issue:

- Remove unused patch from package


The following package changes have been done:

- elemental-httpfy-1.8.2-160000.1.8 updated
- elemental-seedimage-hooks-1.8.2-160000.1.8 updated
- libsemanage-conf-3.8.1-160000.3.1 updated
- terminfo-base-6.5.20250531-160000.3.1 updated
- libncurses6-6.5.20250531-160000.3.1 updated
- ncurses-utils-6.5.20250531-160000.3.1 updated
- libuuid1-2.41.1-160000.4.1 updated
- libsqlite3-0-3.53.2-160000.1.1 updated
- libsmartcols1-2.41.1-160000.4.1 updated
- libgcc_s1-15.3.0+git11272-160000.1.1 updated
- liblastlog2-2-2.41.1-160000.4.1 updated
- libselinux1-3.8.1-160000.4.1 updated
- netcfg-11.6-160000.3.1 updated
- libgcrypt20-1.12.1-160000.2.1 updated
- libstdc++6-15.3.0+git11272-160000.1.1 updated
- libblkid1-2.41.1-160000.4.1 updated
- sed-4.9-160000.3.1 updated
- libsemanage2-3.8.1-160000.3.1 updated
- libmount1-2.41.1-160000.4.1 updated
- libfdisk1-2.41.1-160000.4.1 updated
- libopenssl3-3.5.0-160000.8.1 updated
- pam-1.7.1-160000.4.1 updated
- rsync-3.4.1-160000.5.1 updated
- krb5-1.21.3-160000.3.1 updated
- util-linux-2.41.1-160000.4.1 updated
- pam-extra-1.7.1-160000.4.1 updated
- libcurl4-8.14.1-160000.7.1 updated
- curl-8.14.1-160000.7.1 updated
- util-linux-systemd-2.41.1-160000.4.1 updated
- suse-module-tools-16.0.65-160000.1.1 updated
- dracut-059+suse.722.gdd9d67ff5-160000.1.1 updated
- container:bci-bci-base-16.0-805467666d108312e881b9628f4665193ecf336170d383c8c4781efce42503dc-0 updated