SUSE-CU-2026:2098-1: Security update of suse/manager/5.0/x86_64/proxy-ssh
sle-container-updates at lists.suse.com
sle-container-updates at lists.suse.com
Thu Mar 26 08:51:30 UTC 2026
SUSE Container Update Advisory: suse/manager/5.0/x86_64/proxy-ssh
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2026:2098-1
Container Tags : suse/manager/5.0/x86_64/proxy-ssh:5.0.7 , suse/manager/5.0/x86_64/proxy-ssh:5.0.7.7.32.2 , suse/manager/5.0/x86_64/proxy-ssh:latest
Container Release : 7.32.2
Severity : critical
Type : security
References : 1228081 1232526 1238491 1239566 1239938 1240788 1243794 1243991
1244050 1244449 1245199 1248356 1252160 1253043 1254202 1254293
1254400 1254401 1254563 1254997 1256427 1256437 1256766 1256822
1256830 1256834 1256834 1256835 1256835 1256836 1256836 1256837
1256837 1256838 1256838 1256839 1256839 1256840 1256840 1257005
1257029 1257031 1257041 1257042 1257044 1257046 1257144 1257463
1257496 1258319 1259418 1259650 1259697 CVE-2025-11468 CVE-2025-12084
CVE-2025-13836 CVE-2025-13837 CVE-2025-15281 CVE-2025-15282 CVE-2025-15366
CVE-2025-15367 CVE-2025-15467 CVE-2025-68160 CVE-2025-68160 CVE-2025-69418
CVE-2025-69418 CVE-2025-69419 CVE-2025-69419 CVE-2025-69420 CVE-2025-69420
CVE-2025-69421 CVE-2025-69421 CVE-2026-0672 CVE-2026-0861 CVE-2026-0865
CVE-2026-0915 CVE-2026-22795 CVE-2026-22795 CVE-2026-22796 CVE-2026-22796
CVE-2026-24515 CVE-2026-25210 CVE-2026-29111 CVE-2026-4105
-----------------------------------------------------------------
The container suse/manager/5.0/x86_64/proxy-ssh was updated. The following patches have been included in this update:
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2025:3836-1
Released: Tue Oct 28 11:38:00 2025
Summary: Recommended update for bash
Type: recommended
Severity: important
References: 1245199
This update for bash fixes the following issues:
- Fix histfile missing timestamp for the oldest record (bsc#1245199)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2025:3877-1
Released: Fri Oct 31 05:29:41 2025
Summary: Recommended update for libselinux
Type: recommended
Severity: important
References: 1252160
This update for libselinux fixes the following issues:
- Ship license file (bsc#1252160)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2025:3930-1
Released: Tue Nov 4 09:26:22 2025
Summary: Recommended update for gcc15
Type: recommended
Severity: moderate
References: 1232526,1238491,1239566,1239938,1240788,1243794,1243991,1244050
This update for gcc15 fixes the following issues:
This update ships the GNU Compiler Collection GCC 15.2. (jsc#PED-12029)
The compiler runtime libraries are provided for all SUSE Linux Enterprise 15
versions and replace the same named GCC 14 ones.
The new compilers for C, C++, and Fortran are provided for SUSE Linux
Enterprise 15 SP6 and SP7, and provided in the 'Development Tools' module.
The Go, D, Ada and Modula 2 language compiler parts are available
unsupported via the PackageHub repositories.
To use gcc15 compilers use:
- install 'gcc15' or 'gcc15-c++' or one of the other 'gcc15-COMPILER' frontend packages.
- override your Makefile to use CC=gcc15, CXX=g++15 and similar overrides for the other languages.
For a full changelog with all new GCC15 features, check out
https://gcc.gnu.org/gcc-15/changes.html
Update to GCC 15.2 release:
* the GCC 15.2 release contains regression fixes accumulated since
the GCC 15.1 release
- Prune the use of update-alternatives from openSUSE Factory and
SLFO.
- Adjust crosses to conflict consistently where they did not
already and make them use unsuffixed binaries.
- Tune for power10 for SLES 16. [jsc#PED-12029]
- Tune for z15 for SLES 16. [jsc#PED-253]
- Fix PR120827, ICE due to splitter emitting constant loads directly
- Exclude shared objects present for link editing in the GCC specific
subdirectory from provides processing via __provides_exclude_from.
[bsc#1244050][bsc#1243991]
- Make cross-*-gcc15-bootstrap package conflict with the non-bootstrap
variant conflict with the unversioned cross-*-gcc package.
- Enable C++ for offload compilers. [bsc#1243794]
- Add libgcobol and libquadmath-devel dependence to the cobol frontend
package.
Update to GCC 15 branch head, 15.1.1+git9595
* includes GCC 15.1 release
- Enable gfx9-generic, gfx10-3-generic and gfx11-generic multilibs
for the AMD GCN offload compiler when llvm is new enough.
- Make sure link editing is done against our own shared library
copy rather than the installed system runtime. [bsc#1240788]
- Fix newlib libm miscompilation for GCN offloading.
Update to GCC trunk head, 15.0.1+git9001
* includes -msplit-patch-nops required for user-space livepatching
on powerpc
* includes fix for Ada build with --enable-host-pie
- Build GCC executables PIE on SLE. [bsc#1239938]
- Includes change to also record -D_FORTIFY_SOURCE=2 in the DWARF
debug info DW_AT_producer string. [bsc#1239566]
- Package GCC COBOL compiler for openSUSE Factory for supported
targets which are x86_64, aarch64 and ppc64le.
- Disable profiling during build when %want_reproducible_builds is set
[bsc#1238491]
- Includes fix for emacs JIT use
- Bumps libgo SONAME to libgo24 which should fix go1.9 build
- Adjust cross compiler requirements to use %requires_ge
- For cross compilers require the same or newer binutils, newlib
or cross-glibc that was used at build time. [bsc#1232526]
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2025:4362-1
Released: Thu Dec 11 11:08:27 2025
Summary: Recommended update for gcc15
Type: recommended
Severity: moderate
References: 1253043
This update for gcc15 fixes the following issues:
- Enable the use of _dl_find_object even when not available at build time. [bsc#1253043]
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:27-1
Released: Mon Jan 5 13:45:08 2026
Summary: Security update for python3
Type: security
Severity: moderate
References: 1254400,1254401,1254997,CVE-2025-12084,CVE-2025-13836,CVE-2025-13837
This update for python3 fixes the following issues:
- CVE-2025-12084: cpython: Fixed quadratic algorithm in xml.dom.minidom leading to denial of service (bsc#1254997)
- CVE-2025-13836: Fixed default Content-Lenght read amount from HTTP response (bsc#1254400)
- CVE-2025-13837: Fixed plistlib module denial of service (bsc#1254401)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:312-1
Released: Wed Jan 28 10:37:55 2026
Summary: Security update for openssl-3
Type: security
Severity: critical
References: 1256830,1256834,1256835,1256836,1256837,1256838,1256839,1256840,CVE-2025-15467,CVE-2025-68160,CVE-2025-69418,CVE-2025-69419,CVE-2025-69420,CVE-2025-69421,CVE-2026-22795,CVE-2026-22796
This update for openssl-3 fixes the following issues:
- CVE-2025-15467: Stack buffer overflow in CMS AuthEnvelopedData parsing (bsc#1256830).
- CVE-2025-68160: Heap out-of-bounds write in BIO_f_linebuffer on short writes (bsc#1256834).
- CVE-2025-69418: Unauthenticated/unencrypted trailing bytes with low-level OCB function calls (bsc#1256835).
- CVE-2025-69419: Out of bounds write in PKCS12_get_friendlyname() UTF-8 conversion (bsc#1256836).
- CVE-2025-69420: Missing ASN1_TYPE validation in TS_RESP_verify_response() function (bsc#1256837).
- CVE-2025-69421: NULL Pointer Dereference in PKCS12_item_decrypt_d2i_ex function (bsc#1256838).
- CVE-2026-22795: Missing ASN1_TYPE validation in PKCS#12 parsing (bsc#1256839).
- CVE-2026-22796: ASN1_TYPE Type Confusion in the PKCS7_digest_from_attributes() function (bsc#1256840).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:346-1
Released: Fri Jan 30 10:01:27 2026
Summary: Security update for openssl-1_1
Type: security
Severity: moderate
References: 1256834,1256835,1256836,1256837,1256838,1256839,1256840,CVE-2025-68160,CVE-2025-69418,CVE-2025-69419,CVE-2025-69420,CVE-2025-69421,CVE-2026-22795,CVE-2026-22796
This update for openssl-1_1 fixes the following issues:
- CVE-2026-22795: Missing ASN1_TYPE validation in PKCS#12 parsing (bsc#1256839).
- CVE-2025-69420: Missing ASN1_TYPE validation in TS_RESP_verify_response() function (bsc#1256837).
- CVE-2025-69421: NULL Pointer Dereference in PKCS12_item_decrypt_d2i_ex function (bsc#1256838).
- CVE-2026-22796: ASN1_TYPE Type Confusion in the PKCS7_digest_from_attributes() function (bsc#1256840).
- CVE-2025-68160: Heap out-of-bounds write in BIO_f_linebuffer on short writes (bsc#1256834).
- CVE-2025-69418: Unauthenticated/unencrypted trailing bytes with low-level OCB function calls (bsc#1256835).
- CVE-2025-69419: Out of bounds write in PKCS12_get_friendlyname() UTF-8 conversion (bsc#1256836).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:371-1
Released: Tue Feb 3 19:08:49 2026
Summary: Security update for glibc
Type: security
Severity: important
References: 1256437,1256766,1256822,1257005,CVE-2025-15281,CVE-2026-0861,CVE-2026-0915
This update for glibc fixes the following issues:
Security fixes:
- CVE-2026-0861: Fixed inadequate size check in the memalign suite may result in an integer overflow (bsc#1256766).
- CVE-2026-0915: Fixed uninitialized stack buffer used as DNS query name when net==0 in _nss_dns_getnetbyaddr_r (bsc#1256822).
- CVE-2025-15281: Fixed uninitialized memory may cause the process abort (bsc#1257005).
Other fixes:
- NPTL: Optimize trylock for high cache contention workloads (bsc#1256437).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2026:407-1
Released: Mon Feb 9 07:43:45 2026
Summary: Recommended update for systemd
Type: recommended
Severity: important
References: 1228081,1244449,1248356,1254202,1254293,1254563,1256427
This update for systemd fixes the following issues:
- Name libsystemd-{shared,core} based on the major version of systemd and
the package release number (bsc#1228081, bsc#1256427)
This way, both the old and new versions of the shared libraries will be
present during the update. This should prevent issues during package updates
when incompatible changes are introduced in the new versions of the shared libraries.
- detect-virt: bare-metal GCE only for x86 and i386 (bsc#1254293)
- timer: rebase last_trigger timestamp if needed
- timer: rebase the next elapse timestamp only if timer didn't already run
- timer: don't run service immediately after restart of a timer (bsc#1254563)
- test: check the next elapse timer timestamp after deserialization
- test: restarting elapsed timer shouldn't trigger the corresponding service
- Reintroduce systemd-network as a transitional dummy package containing no files (bsc#1254202)
The contents of this package were split into two independent packages:
systemd-networkd and systemd-resolved. However, the initial replacement caused
both network services to be disabled. Consequently, the original package has
been restored as an empty transitional package to prevent the disabling of the services.
It can be safely removed once the update is complete.
- units: don't force the loading of the loop and dm_mod modules in systemd-repart.service (bsc#1248356)
- units: add dep on systemd-logind.service by user at .service
- detect-virt: add bare-metal support for GCE (bsc#1244449)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:664-1
Released: Thu Feb 26 16:15:04 2026
Summary: Security update for python3
Type: security
Severity: important
References: 1257029,1257031,1257041,1257042,1257044,1257046,CVE-2025-11468,CVE-2025-15282,CVE-2025-15366,CVE-2025-15367,CVE-2026-0672,CVE-2026-0865
This update for python3 fixes the following issues:
- CVE-2025-11468: header injection when folding a long comment in an email header containing exclusively unfoldable
characters (bsc#1257029).
- CVE-2026-0672: HTTP header injection via user-controlled cookie values and parameters when using http.cookies.Morsel
(bsc#1257031).
- CVE-2026-0865: user-controlled header containing newlines can allow injecting HTTP headers (bsc#1257042).
- CVE-2025-15366: user-controlled command can allow additional commands injected using newlines (bsc#1257044).
- CVE-2025-15282: user-controlled data URLs parsed may allow injecting headers (bsc#1257046).
- CVE-2025-15367: control characters may allow the injection of additional commands (bsc#1257041).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2026:791-1
Released: Tue Mar 3 16:59:33 2026
Summary: Recommended update for gcc15
Type: recommended
Severity: moderate
References: 1257463
This update for gcc15 fixes the following issues:
- Fix bogus expression simplification (bsc#1257463)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:826-1
Released: Thu Mar 5 16:16:29 2026
Summary: Security update for expat
Type: security
Severity: moderate
References: 1257144,1257496,CVE-2026-24515,CVE-2026-25210
This update for expat fixes the following issues:
- CVE-2026-24515: Fixed a null dereference in XML_ExternalEntityParserCreate. (bsc#1257144)
- CVE-2026-25210: Fixed an integer overflow in doContent. (bsc#1257496)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2026:844-1
Released: Fri Mar 6 16:45:31 2026
Summary: Recommended update for glibc
Type: recommended
Severity: moderate
References: 1258319
This update for glibc fixes the following issues:
- nss: Missing checks in __nss_configure_lookup, __nss_database_get (bsc#1258319, BZ #28940)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:1040-1
Released: Wed Mar 25 13:43:08 2026
Summary: Security update for systemd
Type: security
Severity: important
References: 1259418,1259650,1259697,CVE-2026-29111,CVE-2026-4105
This update for systemd fixes the following issues:
- CVE-2026-4105: privilege escalation due to improper access control in RegisterMachine D-Bus method (bsc#1259650).
- CVE-2026-29111: local unprivileged user can trigger an assert in systemd (bsc#1259418).
- udev: check for invalid chars in various fields received from the kernel (bsc#1259697).
Changelog:
- a943e3ce2f machined: reject invalid class types when registering machines
- 71593f77db udev: fix review mixup
- 73a89810b4 udev-builtin-net-id: print cescaped bad attributes
- 0f360bfdc0 udev-builtin-net_id: do not assume the current interface name is ethX
- 40905232e2 udev: ensure tag parsing stays within bounds
- 7bce9026e3 udev: ensure there is space for trailing NUL before calling sprintf
- d018ac1ea3 udev: check for invalid chars in various fields received from the kernel
- aef6e11921 core/cgroup: avoid one unnecessary strjoina()
- cc7426f38a sd-json: fix off-by-one issue when updating parent for array elements
- 26a748f727 core: validate input cgroup path more prudently
- 99d8308fde core/dbus-manager: propagate meaningful dbus errors from EnqueueMarkedJobs
The following package changes have been done:
- glibc-2.38-150600.14.43.1 updated
- libgcc_s1-15.2.0+git10201-150000.1.9.1 updated
- libstdc++6-15.2.0+git10201-150000.1.9.1 updated
- libselinux1-3.5-150600.3.3.1 updated
- libreadline7-7.0-150400.27.6.1 updated
- bash-4.4-150400.27.6.1 updated
- bash-sh-4.4-150400.27.6.1 updated
- libudev1-254.27-150600.4.55.1 updated
- libopenssl3-3.1.4-150600.5.42.1 updated
- libopenssl-3-fips-provider-3.1.4-150600.5.42.1 updated
- libexpat1-2.7.1-150400.3.34.1 updated
- libopenssl1_1-1.1.1w-150600.5.21.1 updated
- libsystemd0-254.27-150600.4.62.1 updated
- libpython3_6m1_0-3.6.15-150300.10.106.1 updated
- python3-base-3.6.15-150300.10.106.1 updated
- python3-3.6.15-150300.10.106.1 updated
- container:sles15-ltss-image-15.6.0-5.32 added
- container:sles15-image-15.6.0-47.24.1 removed
More information about the sle-container-updates
mailing list