SUSE-CU-2026:4852-1: Security update of suse/multi-linux-manager/5.1/x86_64/server-attestation

sle-container-updates at lists.suse.com
Mon May 11 07:21:43 UTC 2026


SUSE Container Update Advisory: suse/multi-linux-manager/5.1/x86_64/server-attestation
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2026:4852-1
Container Tags        : suse/multi-linux-manager/5.1/x86_64/server-attestation:5.1.3.1 , suse/multi-linux-manager/5.1/x86_64/server-attestation:5.1.3.1.8.21.1 , suse/multi-linux-manager/5.1/x86_64/server-attestation:latest
Container Release     : 8.21.1
Severity              : important
Type                  : security
References            : 1259118 1261957 1262490 1262494 1262495 1262496 1262497 1262500
                        1262501 CVE-2026-22007 CVE-2026-22013 CVE-2026-22016 CVE-2026-22018
                        CVE-2026-22021 CVE-2026-23865 CVE-2026-34268 CVE-2026-34282 CVE-2026-34757
-----------------------------------------------------------------

The container suse/multi-linux-manager/5.1/x86_64/server-attestation was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2026:1561-1
Released:    Thu Apr 23 08:34:49 2026
Summary:     Recommended update for mozilla-nss
Type:        recommended
Severity:    moderate
References:  
This update for mozilla-nss fixes the following issues:

Update to NSS 3.112.4:

  * Improve error handling in PK11_ImportPrivateKeyInfoAndReturnKey.
  * Improve the allocation of S/MIME DecryptSymKey.
  * Store email on subject cache_entry in NSS trust domain.
  * Heap use-after-free in cert_VerifyCertChainOld via dangling certsList[] entry on NameConstraints violation.
  * Improve size calculations in CMS content buffering.
  * Avoid integer overflow while escaping RFC822 Names.
  * Reject excessively large ASN.1 SEQUENCE OF in quickder.
  * Deep copy profile data in CERT_FindSMimeProfile.
  * Improve input validation in DSAU signature decoding.
  * Avoid integer overflow in RSA_EMSAEncodePSS.
  * RSA_EMSAEncodePSS should validate the length of mHash.
  * Add a maximum cert uncompressed len and tests.
  * Clarify extension negotiation mechanism for TLS Handshakes.
  * Ensure permittedSubtrees don't match wildcards that could be outside the permitted tree.
  * Fix integer underflow in tls13_AEAD when ciphertext is shorter than tag.
  * Remove invalid PORT_Free().
  * Free digest objects in SEC_PKCS7DecoderFinish if they haven't already been freed.
  * Make ss->ssl3.hs.cookie an owned copy of the cookie.

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:1602-1
Released:    Fri Apr 24 13:46:25 2026
Summary:     Security update for libpng16
Type:        security
Severity:    moderate
References:  1261957,CVE-2026-34757
This update for libpng16 fixes the following issue:

- CVE-2026-34757: information disclosure and data corruption due to use-after-free in `png_set_PLTE`, `png_set_tRNS`
  and `png_set_hIST` (bsc#1261957).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:1732-1
Released:    Thu May  7 02:43:10 2026
Summary:     Security update for java-17-openjdk
Type:        security
Severity:    important
References:  1259118,1262490,1262494,1262495,1262496,1262497,1262500,1262501,CVE-2026-22007,CVE-2026-22013,CVE-2026-22016,CVE-2026-22018,CVE-2026-22021,CVE-2026-23865,CVE-2026-34268,CVE-2026-34282
This update for java-17-openjdk fixes the following issues:

Upgrade to upstream tag jdk-17.0.19+10 (April 2026 CPU).

Security issues fixed:

- CVE-2026-22007: Security: unauthenticated attacker with logon to the infrastructure where java executes can gain
  unauthorized read access to a subset of accessible data (bsc#1262490).
- CVE-2026-22013: JGSS: unauthenticated attacker with network access via multiple protocols can gain unauthorized
  access to critical data (bsc#1262494).
- CVE-2026-22016: JAXP: unauthenticated attacker with network access via multiple protocols can gain unauthorized
  access to critical data (bsc#1262495).
- CVE-2026-22018: Libraries: unauthenticated attacker with network access via multiple protocols can cause a partial
  denial of service (bsc#1262496).
- CVE-2026-22021: JSSE: unauthenticated attacker with network access via HTTPS can cause a partial denial of service
  (bsc#1262497).
- CVE-2026-23865: freetype2: integer overflow in the `tt_var_load_item_variation_store` function allows for an
  out-of-bounds read when parsing HVAR/VVAR/MVAR tables in OpenType variable fonts (bsc#1259118).
- CVE-2026-34268: Security: unauthenticated attacker with logon to the infrastructure where java executes can gain
  unauthorized read access to a subset of data (bsc#1262500).
- CVE-2026-34282: Networking: unauthenticated attacker with network access via multiple protocols can cause a hang or
  frequently repeatable crash (bsc#1262501).

Other updates and bugfixes:

- Provide the timezone-java and tzdata-java (jsc#PED-15898).


The following package changes have been done:

- libfreebl3-3.112.4-150400.3.66.1 updated
- libpng16-16-1.6.40-150600.3.20.1 updated
- mozilla-nss-certs-3.112.4-150400.3.66.1 updated
- mozilla-nss-3.112.4-150400.3.66.1 updated
- libsoftokn3-3.112.4-150400.3.66.1 updated
- java-17-openjdk-headless-17.0.19.0-150400.3.66.2 updated
- container:bci-bci-base-15.7-07d8c80b3c1b8287450453b5fb7fab24c31e32ee657f87deeb820b65120b8658-0 updated
