SUSE-CU-2026:1969-1: Security update of suse/sl-micro/6.0/toolbox

sle-container-updates at lists.suse.com
Thu Mar 19 15:59:44 UTC 2026


SUSE Container Update Advisory: suse/sl-micro/6.0/toolbox
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2026:1969-1
Container Tags        : suse/sl-micro/6.0/toolbox:13.2, suse/sl-micro/6.0/toolbox:13.2-9.81, suse/sl-micro/6.0/toolbox:latest
Container Release     : 9.81
Severity              : important
Type                  : security
References            : 1252974 1254400 1254401 1254670 1254997 1257029 1257031 1257042
                        1257046 1259619 CVE-2025-11468 CVE-2025-12084 CVE-2025-13836
                        CVE-2025-13837 CVE-2025-15282 CVE-2025-6075 CVE-2025-70873 CVE-2025-7709
                        CVE-2026-0672 CVE-2026-0865 
-----------------------------------------------------------------

The container suse/sl-micro/6.0/toolbox was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: 631
Released:    Thu Mar 19 13:20:26 2026
Summary:     Security update for sqlite3
Type:        security
Severity:    moderate
References:  1254670,1259619,CVE-2025-70873,CVE-2025-7709
This update for sqlite3 fixes the following issues:

Update to version 3.51.3:

- CVE-2025-7709: Integer Overflow in FTS5 Extension (bsc#1254670).
- CVE-2025-70873: SQLite zipfile extension may disclose uninitialized heap memory during inflation (bsc#1259619).

Changelog:

Update to version 3.51.3:
  
 * Fix the WAL-reset database corruption bug:
   https://sqlite.org/wal.html#walresetbug
 * Other minor bug fixes.
  
Update to version 3.51.2:
 
 * Fix an obscure deadlock in the new broken-posix-lock detection
   logic.
 * Fix multiple problems in the EXISTS-to-JOIN optimization.
  
Update to version 3.51.1:
 
 * Fix incorrect results from nested EXISTS queries caused by the
   optimization in item 6b in the 3.51.0 release.
 * Fix a latent bug in the fts5vocab virtual table, exposed by new
   optimizations in the 3.51.0 release.
  
Update to version 3.51.0:
 
 * New macros in sqlite3.h:
   - SQLITE_SCM_BRANCH -> the name of the branch from which the
     source code is taken.
   - SQLITE_SCM_TAGS -> space-separated list of tags on the source
     code check-in.
   - SQLITE_SCM_DATETIME -> ISO-8601 date and time of the source
 * Two new JSON functions, jsonb_each() and jsonb_tree() work the
   same as the existing json_each() and json_tree() functions
   except that they return JSONB for the 'value' column when the
   'type' is 'array' or 'object'.
 * The carray and percentile extensions are now built into the
   amalgamation, though they are disabled by default and must be
   activated at compile-time using the -DSQLITE_ENABLE_CARRAY
   and/or -DSQLITE_ENABLE_PERCENTILE options, respectively.
 * Enhancements to TCL Interface:
   - Add the -asdict flag to the eval command to have it set the
     row data as a dict instead of an array.
   - User-defined functions may now break to return an SQL NULL.
 * CLI enhancements:
   - Increase the precision of '.timer' to microseconds.
   - Enhance the 'box' and 'column' formatting modes to deal with
     double-wide characters.
   - The '.imposter' command provides read-only imposter tables
     that work with VACUUM and do not require the --unsafe-testing
     option.
   - Add the --ifexists option to the CLI command-line option and
     to the .open command.
   - Limit column widths set by the '.width' command to 30,000 or
     less, as there is no good reason to have wider columns, but
     supporting wider columns provides opportunity to malefactors.
 * Performance enhancements:
   - Use fewer CPU cycles to commit a read transaction.
   - Early detection of joins that return no rows due to one or
     more of the tables containing no rows.
   - Avoid evaluation of scalar subqueries if the result of the
     subquery does not change the result of the overall expression.
   - Faster window function queries when using
     'BETWEEN :x FOLLOWING AND :y FOLLOWING' with a large :y.
 * Add the PRAGMA wal_checkpoint=NOOP; command and the
   SQLITE_CHECKPOINT_NOOP argument for sqlite3_wal_checkpoint_v2().
 * Add the sqlite3_set_errmsg() API for use by extensions.
 * Add the sqlite3_db_status64() API, which works just like the
   existing sqlite3_db_status() API except that it returns 64-bit
   results.
 * Add the SQLITE_DBSTATUS_TEMPBUF_SPILL option to the
   sqlite3_db_status() and sqlite3_db_status64() interfaces.
 * In the session extension add the sqlite3changeset_apply_v3()
   interface.
 * For the built-in printf() and the format() SQL function, omit
   the leading '-' from negative floating point numbers if the '+'
   flag is omitted and the '#' flag is present and all displayed
   digits are '0'. Use '%#f' or similar to avoid outputs like
   '-0.00' and instead show just '0.00'.
 * Improved error messages generated by FTS5.
 * Enforce STRICT typing on computed columns.
 * Improved support for VxWorks.
 * JavaScript/WASM now supports 64-bit WASM. The canonical builds
   continue to be 32-bit but creating one's own 64-bit build is
   now as simple as running 'make'.

-----------------------------------------------------------------
Advisory ID: 630
Released:    Thu Mar 19 13:47:35 2026
Summary:     Security update for python311
Type:        security
Severity:    important
References:  1252974,1254400,1254401,1254997,1257029,1257031,1257042,1257046,CVE-2025-11468,CVE-2025-12084,CVE-2025-13836,CVE-2025-13837,CVE-2025-15282,CVE-2025-6075,CVE-2026-0672,CVE-2026-0865
This update for python311 fixes the following issues:

Updated to Python 3.11.15:
  
- CVE-2025-6075: quadratic complexity in os.path.expandvars() (bsc#1252974).
- CVE-2025-11468: header injection with carefully crafted inputs (bsc#1257029).
- CVE-2025-12084: quadratic complexity in xml.minidom node ID cache clearing (bsc#1254997).
- CVE-2025-13836: potential memory denial of service in the http.client module (bsc#1254400).
- CVE-2025-13837: potential memory denial of service in the plistlib module (bsc#1254401).
- CVE-2025-15282: control characters in URL media types data (bsc#1257046).
- CVE-2026-0672: control characters in http.cookies.Morsel fields and values (bsc#1257031).
- CVE-2026-0865: C0 control characters within wsgiref.headers.Headers fields, values, and parameters (bsc#1257042).


The following package changes have been made:

- SL-Micro-release-6.0-25.77 updated
- libpython3_11-1_0-3.11.15-1.1 updated
- libsqlite3-0-3.51.3-1.1 updated
- python311-base-3.11.15-1.1 updated
- skelcd-EULA-SL-Micro-2024.01.19-8.76 updated

