SUSE-CU-2026:4832-1: Security update of suse/sl-micro/6.0/toolbox
sle-container-updates at lists.suse.com
sle-container-updates at lists.suse.com
Sun May 10 07:20:51 UTC 2026
SUSE Container Update Advisory: suse/sl-micro/6.0/toolbox
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2026:4832-1
Container Tags : suse/sl-micro/6.0/toolbox:13.2 , suse/sl-micro/6.0/toolbox:13.2-9.106 , suse/sl-micro/6.0/toolbox:latest
Container Release : 9.106
Severity : important
Type : security
References : 1158038 1239718 1246504 1247948 1252048 1252744 1253193 1253740
1254157 1254158 1254159 1254160 1254480 1257882 1258005 1258193
1258655 1259126 1259311 1259706 1259842 1261630 1261845 1263689
CVE-2025-39977 CVE-2025-64505 CVE-2025-64506 CVE-2025-64720 CVE-2025-65018
CVE-2025-66293 CVE-2025-71066 CVE-2026-23004 CVE-2026-23204 CVE-2026-23437
CVE-2026-31406 CVE-2026-31431
-----------------------------------------------------------------
The container suse/sl-micro/6.0/toolbox was updated. The following patches have been included in this update:
-----------------------------------------------------------------
Advisory ID: 536
Released: Tue Dec 16 09:31:52 2025
Summary: Security update for libpng16
Type: security
Severity: important
References: 1158038,1247948,1252744,1253740,1254157,1254158,1254159,1254160,1254480,1257882,1258193,1259311,CVE-2025-64505,CVE-2025-64506,CVE-2025-64720,CVE-2025-65018,CVE-2025-66293
This update for libpng16 fixes the following issues:
- CVE-2025-66293: Fixed out-of-bounds read in png_image_read_composite (bsc#1254480).
- CVE-2025-64505: Fixed heap buffer over-read in `png_do_quantize` via malformed palette index (bsc#1254157).
- CVE-2025-64506: Fixed heap buffer over-read in `png_write_image_8bit` with 8-bit input and `convert_to_8bit` enabled (bsc#1254158).
- CVE-2025-64720: Fixed buffer overflow in `png_image_read_composite` via incorrect palette premultiplication (bsc#1254159).
- CVE-2025-65018: Fixed heap buffer overflow in `png_combine_row` triggered via `png_image_finish_read` (bsc#1254160).
-----------------------------------------------------------------
Advisory ID: 698
Released: Sat May 9 19:38:20 2026
Summary: Recommended update for libzypp, zypper
Type: recommended
Severity: moderate
References: 1239718,1246504,1252048,1253193,1258005,1258655,1259126,1259706,1259842,1261630,1261845,1263689,CVE-2025-39977,CVE-2025-71066,CVE-2026-23004,CVE-2026-23204,CVE-2026-23437,CVE-2026-31406,CVE-2026-31431
This update for libzypp, zypper fixes the following issues:
Changes in libzypp:
- Update to version 17.38.7:
* Fix purge-kernel -rc kernel handling (bsc#1239718)
* Explicitly_set_pool_DISTTYPE_RPM
- Update to version 17.38.6:
* Check for trusted key updates when updating the general keyring (bsc#1259706)
* Support multiple MirroredOrigin authorities (bsc#1253193)
* Workaround a doxygen bug
* libzypp.spec: Add missing graphviz-gd BuildRequires (bsc#1259842)
Changes in zypper:
- Update to version 1.14.96:
- Autorefresh ris-services the way as plugin-services (bsc#1246504)
It's actually wrong to treat service refreshes different
depending on the service type. For the purpose of a service it
makes no difference how the data about the repos to use are acquired.
The following package changes have been done:
- SL-Micro-release-6.0-25.94 updated
- libzypp-17.38.7-1.1 updated
- skelcd-EULA-SL-Micro-2024.01.19-8.93 updated
- zypper-1.14.96-1.1 updated
More information about the sle-container-updates
mailing list