SUSE-CU-2026:6552-1: Security update of suse/sle-micro/5.3/toolbox
sle-container-updates at lists.suse.com
Tue Jun 30 07:17:29 UTC 2026
SUSE Container Update Advisory: suse/sle-micro/5.3/toolbox
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2026:6552-1
Container Tags : suse/sle-micro/5.3/toolbox:16.3 , suse/sle-micro/5.3/toolbox:16.3-6.11.242 , suse/sle-micro/5.3/toolbox:latest
Container Release : 6.11.242
Severity : important
Type : security
References : 1158038 1239718 1246504 1247948 1249435 1252744 1253193 1253740
1257068 1257882 1258193 1259311 1259706 1259802 1259842 1265223
1265935 1265938 1266039 1267426 1267874 CVE-2026-25707 CVE-2026-44933
CVE-2026-44941 CVE-2026-44942 CVE-2026-48863 CVE-2026-9149 CVE-2026-9150
-----------------------------------------------------------------
The container suse/sle-micro/5.3/toolbox was updated. The following patches have been included in this update:
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:2674-1
Released: Mon Jun 29 11:36:33 2026
Summary: Security update for libsolv, libzypp, zypper
Type: security
Severity: important
References: 1158038,1239718,1246504,1247948,1249435,1252744,1253193,1253740,1257068,1257882,1258193,1259311,1259706,1259802,1259842,1265223,1265935,1265938,1266039,1267426,1267874,CVE-2026-25707,CVE-2026-44933,CVE-2026-44941,CVE-2026-44942,CVE-2026-48863,CVE-2026-9149,CVE-2026-9150
This update for libsolv, libzypp, zypper fixes the following issues:
- CVE-2026-9149: Heap buffer overflow in libsolv repo_add_solv via negative maxsize from crafted .solv file (bsc#1265935).
- CVE-2026-9150: Stack-based buffer overflow in libsolv's Debian metadata parser when handling SHA384/SHA512 checksums (bsc#1265938).
- CVE-2026-25707: Handcrafted repo metadata may cause arbitrary local files to be overwritten (bsc#1259802).
- CVE-2026-44933: scan of the Mandatory signature verification plugin support (bsc#1265223).
- CVE-2026-44941: path traversal via 'keyhint' (bsc#1267426).
- CVE-2026-44942: .repo files can have an optional path which can lead to path traversal attacks (bsc#1267874).
- CVE-2026-48863: Fix buffer overflow when parsing EdDSA signature (bsc#1266039).
Changes in libzypp:
Updated to version 17.38.13 (35):
- A .repo file's 'path=' entry must not refer to a location
outside the repo (bsc#1267874, CVE-2026-44942)
A 'path=' entry may solely denote a sub-directory of the baseurl
where the metadata are located. A relative path trying to access
data outside the baseurl is reported and sanitized.
- Fix potential crash on malformed or malicious repository
metadata (fixes #740)
- Repo metadata: discard entries referring to a location outside
the repo (bsc#1259802, CVE-2026-25707)
Mirroring those data locally would refer to a location outside
the repo's local cache directory. Those data entries are reported
and discarded.
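As an added illustration of the check described in the two entries above (the 'path=' sub-directory rule and the discarding of metadata entries that point outside the repo), the following C++ helper normalises a repo-relative path segment by segment and rejects any entry that would climb above the base. This is example code written for this advisory, not libzypp's or SUSE's own implementation; the function names, the sample base URL and the sample entries are constructed for the example.

```cpp
#include <iostream>
#include <sstream>
#include <string>
#include <vector>

// Result of checking a repo-relative 'path=' entry (hypothetical helper,
// not libzypp's own code).
struct SubpathCheck {
    bool inside;          // true when the path stays under the base
    std::string cleaned;  // normalised path, "" meaning the base itself
};

// Normalise a 'path=' entry segment by segment: drop "." and empty
// segments, resolve ".." against what has been accepted so far, and
// refuse the entry as soon as ".." would climb above the base (or the
// entry is absolute, which cannot be a sub-directory of the baseurl).
SubpathCheck checkRepoSubpath(const std::string& rel) {
    if (!rel.empty() && rel[0] == '/')
        return {false, ""};  // absolute: not relative to the baseurl at all
    std::vector<std::string> parts;
    std::istringstream in(rel);
    std::string seg;
    while (std::getline(in, seg, '/')) {
        if (seg.empty() || seg == ".") continue;
        if (seg == "..") {
            if (parts.empty()) return {false, ""};  // would escape the base
            parts.pop_back();
            continue;
        }
        parts.push_back(seg);
    }
    std::string out;
    for (size_t i = 0; i < parts.size(); ++i) {
        if (i) out += '/';
        out += parts[i];
    }
    return {true, out};
}

// Join a base URL and a 'path=' entry, returning "" when the entry was
// rejected, so the caller can report it and discard the entry.
std::string resolveUnderBase(const std::string& base, const std::string& rel) {
    SubpathCheck c = checkRepoSubpath(rel);
    if (!c.inside) return "";
    std::string out = base;
    if (!out.empty() && out.back() != '/') out += '/';
    return out + c.cleaned;
}

int main() {
    // Constructed sample entries, as they might appear in a .repo file.
    const std::string base = "https://mirror.example/repo/sle-micro";
    const char* entries[] = {"./x86_64/../noarch/", "repodata", "../../etc",
                             "/etc/passwd", "a/../../b"};
    for (const char* e : entries) {
        std::string r = resolveUnderBase(base, e);
        std::cout << e << " -> "
                  << (r.empty() ? "REJECTED (outside baseurl)" : r) << '\n';
    }
    return 0;
}
```

The important design point is that ".." is resolved against the segments already accepted rather than by string matching, so "a/../../b" is rejected even though it never starts with "..", while "./x86_64/../noarch/" is accepted and cleaned to "noarch".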
- zypp.conf: Allow [env] section to add environment variables.
This feature is designed to enable environment-specific settings
or debugging options over an extended period. See zypp.conf(5).
- Prevent configured scripts from escaping the sigcheck directory
(bsc#1265223, CVE-2026-44933)
- StringV: guard hasPrefix/hasPrefixCI against reading past the
view end (fixes #735)
- Mandatory signature verification plugin support (PED#11922)
- Fix purge-kernel -rc kernel handling (bsc#1239718)
- Explicitly set pool DISTTYPE_RPM (fixes #726)
- Check for trusted key updates when updating the general keyring
(bsc#1259706)
- Support multiple MirroredOrigin authorities (bsc#1253193)
- Workaround doxygen bug: doxygen/doxygen#12057
- libzypp.spec: Add missing graphviz-gd BuildRequires (boo#1259842)
- Fix preloader not caching packages from arch specific subrepos
(bsc#1253740)
- Deprioritize invalid mirrors (fixes openSUSE/zypper#636)
- Fix Product::referencePackage lookup (bsc#1259311)
Use a provided autoproduct() as hint to the package name of the
release package. It might be that not just multiple versions of
the same release package provide the same product version, but
also different release packages.
- specfile: on fedora use %{_prefix}/share as zyppconfdir if
%{_distconfdir} is undefined (fixes #693)
This will set '-DZYPPCONFDIR=%{zyppconfdir}' for cmake.
- Fall back to a writable location when precaching packages
without root (bsc#1247948)
- Prepare a legacy /etc/zypp/zypp.conf to be installed on old distros.
See the ZYPP.CONF(5) man page for details.
- Fix runtime check for broken rpm --runposttrans (bsc#1257068)
- Avoid libcurl-mini4 when building, as it does not support the ftp
protocol.
- Translation: updated .pot file.
- zypp.conf: follow the UAPI configuration file specification
(PED-14658)
In short, this means we will no longer ship an
/etc/zypp/zypp.conf, but store our own defaults in
/usr/etc/zypp/zypp.conf. The systems administrator may choose to
keep a full copy in /etc/zypp/zypp.conf ignoring our config file
settings completely, or - the preferred way - to overwrite
specific settings via /etc/zypp/zypp.conf.d/*.conf overlay files.
See the ZYPP.CONF(5) man page for details.
- cmake: correctly detect rpm6 (fixes #689)
- Use 'zypp.tmp' as temp directory component to ease setting up
SELinux policies (bsc#1249435)
- zyppng: Update Provider to current MediaCurl2 download
approach, drop Metalink (fixes #682)
Changes in libsolv:
Updated to version 0.7.39:
- fix solv_chksum_free segfault when called with a NULL pointer
- made repo_add_solv more robust against corrupt files
[bsc#1265935] [CVE-2026-9149]
- fix potential buffer overflow when verifying EdDSA signatures
[bsc#1266039] [CVE-2026-48863]
- added limit checks in multiple places to catch overflows
- reduce the size of the language id cache
- fixed Debian canon selection
- fixed dbpath detection in repo_rpmdb_librpm
- reduced stack usage in repo page compression (needed for musl)
- fix parsing of sha512 checksums in debian repositories
[bsc#1265938] [CVE-2026-9150]
- improve speed of dirpool_add_dir, making parsing of filelists.xml
twice as fast
- fix parsing of recommends in the old Mandriva synthesis format
- respect the 'default' attribute in environment optionlist in
the comps parser
- support suse namespace deps in boolean dependencies [bsc#1258193]
- support for the Elbrus2000 (e2k) architecture
- support language() suse namespace rewriting
Changes in zypper:
Update to version 1.14.98:
- Transactional systems: Delegate rw-commands to
transactional-wrapper if available (jsc#PED-13680, jsc#PED-15607)
On a transactional system where the root filesystem is mounted
read-only, zypper commands that modify the system cannot be
executed directly.
If the system provides a transactional-wrapper utility, zypper
will automatically attempt to invoke it. The wrapper
transparently executes the zypper command within a new, writable
snapshot and manages the lifecycle of that snapshot based on the
command's exit status.
On transactional systems lacking a transactional-wrapper, users
must manually invoke specialized tools (such as
transactional-update) to install, update, or remove software.
- Add --filter-version-change to zypper lu.
Adds filtering by version change significance to reduce noise in
update listings. Supports levels: rebuild (hides rebuild-only
changes) and package (hides all release-only changes).
- Autorefresh ris-services the same way as plugin-services (bsc#1246504)
It's actually wrong to treat service refreshes differently
depending on the service type. For the purpose of a service it
makes no difference how the data about the repos to use are
acquired.
- Report download progress for command line rpms (fixes #613)
- Hint to '-vv ref' to see the mirrors used to download the
metadata (bsc#1257882)
- Service: Allow 'zypper ls SERVICE ...' to test whether a
service with this alias is defined (bsc#1252744)
The command prints an abstract of all services passed on the
command line. It returns 3 (ZYPPER_EXIT_ERR_INVALID_ARGS) if some
argument does not name an existing service.
- Keep repo data when updating the service settings (bsc#1252744)
- info: Enhance pattern content table (bsc#1158038)
Alternatives (multiple packages providing the same requirement)
are now listed as a single entry in the content table. The entry
shows either the installed package which satisfies the
requirement or the requirement itself as type 'Provides'.
Listing all potential alternatives was misleading, especially
if the alternatives were mutually exclusive. It looked like an
installed pattern had not-installed requirements and it was not
possible to install all requirements at the same time.
The following package changes have been done:
- libsolv-tools-base-0.7.39-150400.3.46.1 updated
- libsolv-tools-0.7.39-150400.3.46.1 updated
- libzypp-17.38.13-150400.3.158.1 updated
- zypper-1.14.98-150400.3.104.1 updated