SUSE-CU-2026:1679-1: Security update of suse/sl-micro/6.0/base-iso-image

sle-container-updates at lists.suse.com sle-container-updates at lists.suse.com
Fri Mar 13 08:06:17 UTC 2026 

SUSE Container Update Advisory: suse/sl-micro/6.0/base-iso-image
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2026:1679-1
Container Tags        : suse/sl-micro/6.0/base-iso-image:2.1.4 , suse/sl-micro/6.0/base-iso-image:2.1.4-5.135 , suse/sl-micro/6.0/base-iso-image:latest
Container Release     : 5.135
Severity              : important
Type                  : security
References            : 1192869 1217580 1217584 1217585 1241661 1253245 1258163 1258167
                        CVE-2021-42380 CVE-2023-42363 CVE-2023-42364 CVE-2023-42365 CVE-2025-46394
                        CVE-2025-60876 CVE-2026-26157 CVE-2026-26158 
-----------------------------------------------------------------

The container suse/sl-micro/6.0/base-iso-image was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: 619
Released:    Thu Mar 12 18:27:13 2026
Summary:     Security update for busybox
Type:        security
Severity:    important
References:  1192869,1217580,1217584,1217585,1241661,1253245,1258163,1258167,CVE-2021-42380,CVE-2023-42363,CVE-2023-42364,CVE-2023-42365,CVE-2025-46394,CVE-2025-60876,CVE-2026-26157,CVE-2026-26158
This update for busybox fixes the following issues:

- CVE-2023-42363: use-after-free vulnerability in xasprintf function in xfuncs_printf.c (bsc#1217580).
- CVE-2023-42364: use-after-free in the awk.c evaluate function (bsc#1217584).
- CVE-2023-42365: use-after-free in the awk.c copyvar function (bsc#1217585).
- CVE-2025-46394: files in a TAR archive can have their filenames hidden from a listing if terminal escape sequences are
  used when naming other files included in the archive (bsc#1241661).
- CVE-2025-60876: request line incorrectly neutralized mat lead to header injection (bsc#1253245).
- CVE-2026-26157: Arbitrary file overwrite and potential code execution via incomplete path sanitization (bsc#1258163).
- CVE-2026-26158: Arbitrary file modification and privilege escalation via unvalidated tar archive entries
  (bsc#1258167).
- CVE-2021-42380: Additional fix for use-after-realloc in awk (bsc#1192869).


The following package changes have been done:

- busybox-1.36.1-3.1 updated

More information about the sle-container-updates mailing list