SUSE-CU-2026:4854-1: Security update of suse/multi-linux-manager/5.1/x86_64/server
sle-container-updates at lists.suse.com
Mon May 11 07:21:55 UTC 2026
SUSE Container Update Advisory: suse/multi-linux-manager/5.1/x86_64/server
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2026:4854-1
Container Tags : suse/multi-linux-manager/5.1/x86_64/server:5.1.3.1 , suse/multi-linux-manager/5.1/x86_64/server:5.1.3.1.8.19.2 , suse/multi-linux-manager/5.1/x86_64/server:latest
Container Release : 8.19.2
Severity : important
Type : security
References : 1258371 1259118 1259148 1259310 1259436 1259611 1259734 1259735
1259985 1259989 1259996 1260026 1260414 1260589 1260589 1261191
1261271 1261850 1261851 1261852 1261853 1261854 1261855 1261856
1261857 1261957 1261969 1261970 1262098 1262319 1262490 1262494
1262495 1262496 1262497 1262500 1262501 1262654 1262760 1263007
CVE-2025-13462 CVE-2025-66614 CVE-2026-1502 CVE-2026-22007 CVE-2026-22013
CVE-2026-22016 CVE-2026-22018 CVE-2026-22021 CVE-2026-23865 CVE-2026-24880
CVE-2026-25645 CVE-2026-25645 CVE-2026-25854 CVE-2026-29129 CVE-2026-29145
CVE-2026-29146 CVE-2026-32990 CVE-2026-33412 CVE-2026-33554 CVE-2026-34268
CVE-2026-34282 CVE-2026-3446 CVE-2026-34483 CVE-2026-34486 CVE-2026-34487
CVE-2026-34500 CVE-2026-34714 CVE-2026-34757 CVE-2026-3479 CVE-2026-34982
CVE-2026-3644 CVE-2026-4224 CVE-2026-4519 CVE-2026-4786 CVE-2026-6019
CVE-2026-6100
-----------------------------------------------------------------
The container suse/multi-linux-manager/5.1/x86_64/server was updated. The following patches have been included in this update:
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2026:1536-1
Released: Tue Apr 21 16:49:27 2026
Summary: Recommended update for release-notes-multi-linux-manager
Type: recommended
Severity: moderate
References:
This update for release-notes-multi-linux-manager fixes the following issues:
* Added support for Liberty Linux 10 as client.
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2026:1545-1
Released: Wed Apr 22 11:21:10 2026
Summary: Recommended update for ipmitool
Type: recommended
Severity: moderate
References: 1259310
This update for ipmitool fixes the following issue:
- Fix bad pid file creation in ipmievd (bsc#1259310).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2026:1552-1
Released: Wed Apr 22 14:23:56 2026
Summary: Recommended update for adcli
Type: recommended
Severity: moderate
References: 1259148,1259996
This update for adcli fixes the following issues:
- Build with openldap 2.5 to support TLS channel binding (bsc#1259148).
- Add missing use-ldaps option (bsc#1259996).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2026:1559-1
Released: Thu Apr 23 06:44:53 2026
Summary: Recommended update for python-apache-libcloud, python3-apache-libcloud
Type: recommended
Severity: moderate
References:
This update for python-apache-libcloud fixes the following issues:
python-apache-libcloud:
- Deliver the Python 3.11 flavor as python311-apache-libcloud (jsc#PED-14450)
- Package version at 3.8.0
python3-apache-libcloud:
- Deliver the Python 3.6 flavor as python3-apache-libcloud (jsc#PED-14450)
- Source package was renamed from python-apache-libcloud to python3-apache-libcloud
to avoid conflicts with the Python 3.11 flavor
- Package version at 3.3.1
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2026:1561-1
Released: Thu Apr 23 08:34:49 2026
Summary: Recommended update for mozilla-nss
Type: recommended
Severity: moderate
References:
This update for mozilla-nss fixes the following issues:
Update to NSS 3.112.4:
* improve error handling in PK11_ImportPrivateKeyInfoAndReturnKey.
* Improving the allocation of S/MIME DecryptSymKey.
* store email on subject cache_entry in NSS trust domain.
* Heap use-after-free in cert_VerifyCertChainOld via dangling certsList[] entry on NameConstraints violation.
* Improve size calculations in CMS content buffering.
* avoid integer overflow while escaping RFC822 Names.
* Reject excessively large ASN.1 SEQUENCE OF in quickder.
* Deep copy profile data in CERT_FindSMimeProfile.
* Improve input validation in DSAU signature decoding.
* avoid integer overflow in RSA_EMSAEncodePSS.
* RSA_EMSAEncodePSS should validate the length of mHash.
* Add a maximum cert uncompressed len and tests.
* Clarify extension negotiation mechanism for TLS Handshakes.
* ensure permittedSubtrees don't match wildcards that could be outside the permitted tree.
* Fix integer underflow in tls13_AEAD when ciphertext is shorter than tag.
* Remove invalid PORT_Free().
* free digest objects in SEC_PKCS7DecoderFinish if they haven't already been freed.
* make ss->ssl3.hs.cookie an owned-copy of the cookie.
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:1602-1
Released: Fri Apr 24 13:46:25 2026
Summary: Security update for libpng16
Type: security
Severity: moderate
References: 1261957,CVE-2026-34757
This update for libpng16 fixes the following issue:
- CVE-2026-34757: information disclosure and data corruption due to use-after-free in `png_set_PLTE`, `png_set_tRNS`
and `png_set_hIST` (bsc#1261957).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:1604-1
Released: Fri Apr 24 13:48:06 2026
Summary: Security update for tomcat
Type: security
Severity: important
References: 1258371,1261850,1261851,1261852,1261853,1261854,1261855,1261856,1261857,CVE-2025-66614,CVE-2026-24880,CVE-2026-25854,CVE-2026-29129,CVE-2026-29145,CVE-2026-29146,CVE-2026-32990,CVE-2026-34483,CVE-2026-34486,CVE-2026-34487,CVE-2026-34500
This update for tomcat fixes the following issues:
Security fixes:
- CVE-2026-24880: Request smuggling via invalid chunk extension (bsc#1261850).
- CVE-2026-25854: Occasional open redirect (bsc#1261851).
- CVE-2026-29129: TLS cipher order is not preserved (bsc#1261852).
- CVE-2026-29145: OCSP checks sometimes soft-fail even when soft-fail is disabled (bsc#1261853).
- CVE-2026-29146,CVE-2026-34486: Fix for allowed bypass of EncryptInterceptor (bsc#1261854).
- CVE-2026-34483: Incomplete escaping of JSON access logs (bsc#1261855).
- CVE-2026-34487: Cloud membership for clustering component exposed the Kubernetes bearer token (bsc#1261856).
- CVE-2026-34500: OCSP checks sometimes soft-fail with FFM even when soft-fail is disabled (bsc#1261857).
- CVE-2026-32990: The fix for CVE-2025-66614 was incomplete, so this CVE completes it (bsc#1258371).
Other fixes:
- Update to Tomcat 9.0.117
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:1607-1
Released: Fri Apr 24 13:50:52 2026
Summary: Security update for vim
Type: security
Severity: important
References: 1259985,1261191,1261271,CVE-2026-33412,CVE-2026-34714,CVE-2026-34982
This update for vim fixes the following issues:
Update to version 9.2.0280.
- CVE-2026-34982: missing input validation allows for a modeline sandbox bypass and can lead to arbitrary OS command
execution (bsc#1261271).
- CVE-2026-34714: missing checks allow for a `tabpanel` modeline escape and can lead to arbitrary OS command execution
(bsc#1261191).
- CVE-2026-33412: improper escaping of newline characters allows for command injection in `glob` and can lead to
arbitrary code execution (bsc#1259985).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:1644-1
Released: Tue Apr 28 15:31:39 2026
Summary: Security update for python-requests
Type: security
Severity: moderate
References: 1260589,CVE-2026-25645
This update for python-requests fixes the following issues:
- CVE-2026-25645: `extract_zipped_paths()` uses predictable filenames when extracting files from zip archives and
reuses target files that already exist without validation (bsc#1260589).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:1647-1
Released: Tue Apr 28 20:02:59 2026
Summary: Security update for python-requests
Type: security
Severity: moderate
References: 1260589,CVE-2026-25645
This update for python-requests fixes the following issues:
- CVE-2026-25645: `extract_zipped_paths()` uses predictable filenames when extracting files from zip archives and
reuses target files that already exist without validation (bsc#1260589).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:1715-1
Released: Wed May 6 14:09:30 2026
Summary: Security update for python3
Type: security
Severity: important
References: 1259611,1259734,1259735,1259989,1260026,1261969,1261970,1262098,1262319,1262654,CVE-2025-13462,CVE-2026-1502,CVE-2026-3446,CVE-2026-3479,CVE-2026-3644,CVE-2026-4224,CVE-2026-4519,CVE-2026-4786,CVE-2026-6019,CVE-2026-6100
This update for python3 fixes the following issues:
- CVE-2025-13462: incorrect parsing of TarInfo when GNU long name and type AREGTYPE are combined can lead to
misinterpretation of tar archives (bsc#1259611).
- CVE-2026-1502: HTTP client proxy tunnel headers not validated for CR/LF (bsc#1261969).
- CVE-2026-3446: base64 decoding stops at first padded quad by default and ignores other information that could be
processed (bsc#1261970).
- CVE-2026-3479: improper resource argument validation in `pkgutil.get_data()` can lead to path traversal (bsc#1259989).
- CVE-2026-3644: incomplete control character validation in http.cookies can lead to input validation bypass
(bsc#1259734).
- CVE-2026-4224: parsing XML with deeply nested DTD content models can lead to C stack overflow (bsc#1259735).
- CVE-2026-4519: failure to sanitize leading dashes in URLs in the `webbrowser.open()` API can lead to web browser
command line option injection (bsc#1260026).
- CVE-2026-4786: URLs prefixed with `%action` can pass the dash-prefix safety check and allow for command injection
(bsc#1262319).
- CVE-2026-6019: `BaseCookie.js_output()` does not neutralize characters in cookie values embedded in JS (bsc#1262654).
- CVE-2026-6100: use-after-free in `lzma.LZMADecompressor`, `bz2.BZ2Decompressor`, and `gzip.GzipFile` when process is
under memory pressure (bsc#1262098).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2026:1719-1
Released: Wed May 6 16:42:23 2026
Summary: Recommended update for sssd
Type: recommended
Severity: important
References: 1259436
This update for sssd fixes the following issues:
- With the 2.10 update, sssd runs as an unprivileged user, which is not possible in certain scenarios.
This update reverts to running as root with minimum privileges (bsc#1259436).
- Let krb5 child tolerate missing capabilities.
- Fix systemd try-restart warning when updating.
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:1732-1
Released: Thu May 7 02:43:10 2026
Summary: Security update for java-17-openjdk
Type: security
Severity: important
References: 1259118,1262490,1262494,1262495,1262496,1262497,1262500,1262501,CVE-2026-22007,CVE-2026-22013,CVE-2026-22016,CVE-2026-22018,CVE-2026-22021,CVE-2026-23865,CVE-2026-34268,CVE-2026-34282
This update for java-17-openjdk fixes the following issues:
Upgrade to upstream tag jdk-17.0.19+10 (April 2026 CPU).
Security issues fixed:
- CVE-2026-22007: Security: unauthenticated attacker with logon to the infrastructure where java executes can gain
unauthorized read access to a subset of accessible data (bsc#1262490).
- CVE-2026-22013: JGSS: unauthenticated attacker with network access via multiple protocols can gain unauthorized
access to critical data (bsc#1262494).
- CVE-2026-22016: JAXP: unauthenticated attacker with network access via multiple protocols can gain unauthorized
access to critical data (bsc#1262495).
- CVE-2026-22018: Libraries: unauthenticated attacker with network access via multiple protocols can cause a partial
denial of service (bsc#1262496).
- CVE-2026-22021: JSSE: unauthenticated attacker with network access via HTTPS can cause a partial denial of service
(bsc#1262497).
- CVE-2026-23865: freetype2: integer overflow in the `tt_var_load_item_variation_store` function allows for an
out-of-bounds read when parsing HVAR/VVAR/MVAR tables in OpenType variable fonts (bsc#1259118).
- CVE-2026-34268: Security: unauthenticated attacker with logon to the infrastructure where java executes can gain
unauthorized read access to a subset of data (bsc#1262500).
- CVE-2026-34282: Networking: unauthenticated attacker with network access via multiple protocols can cause a hang or
frequently repeatable crash (bsc#1262501).
Other updates and bugfixes:
- Provide the timezone-java and tzdata-java (jsc#PED-15898).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:1755-1
Released: Thu May 7 15:54:52 2026
Summary: Security update for freeipmi
Type: security
Severity: important
References: 1260414,CVE-2026-33554
This update for freeipmi fixes the following issue:
- CVE-2026-33554: improper memory handling and data validation can lead to stack buffer overflows and acceptance of
malformed payloads/responses (bsc#1260414).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2026:1807-1
Released: Mon May 11 08:03:00 2026
Summary: Maintenance update for Multi-Linux Manager 5.1: Server, Proxy and Retail Branch Server
Type: recommended
Severity: moderate
References: 1262760,1263007
Maintenance update for Multi-Linux Manager 5.1: Server, Proxy and Retail Branch Server
This is a codestream only update
The following package changes have been done:
- libfreebl3-3.112.4-150400.3.66.1 updated
- libfreeipmi17-1.6.8-150400.3.3.1 updated
- libipa_hbac0-2.10.2-150700.9.28.1 updated
- libpng16-16-1.6.40-150600.3.20.1 updated
- libsss_idmap0-2.10.2-150700.9.28.1 updated
- libsss_nss_idmap0-2.10.2-150700.9.28.1 updated
- release-notes-multi-linux-manager-5.1.3-150700.5.23.1 updated
- susemanager-schema-utility-5.1.18-150700.3.19.1 updated
- vim-data-common-9.2.0280-150500.20.46.1 updated
- ipmitool-1.8.19.13.gbe11d94-150700.3.3.1 updated
- libpython3_6m1_0-3.6.15-150300.10.118.1 updated
- python3-base-3.6.15-150300.10.118.1 updated
- python3-3.6.15-150300.10.118.1 updated
- python3-curses-3.6.15-150300.10.118.1 updated
- libsss_certmap0-2.10.2-150700.9.28.1 updated
- mozilla-nss-certs-3.112.4-150400.3.66.1 updated
- spacewalk-java-lib-5.1.25-150700.3.19.1 updated
- vim-9.2.0280-150500.20.46.1 updated
- adcli-0.8.2-150600.22.5.1 updated
- mozilla-nss-3.112.4-150400.3.66.1 updated
- libsoftokn3-3.112.4-150400.3.66.1 updated
- susemanager-schema-5.1.18-150700.3.19.1 updated
- sssd-ldap-2.10.2-150700.9.28.1 updated
- sssd-2.10.2-150700.9.28.1 updated
- sssd-krb5-common-2.10.2-150700.9.28.1 updated
- java-17-openjdk-headless-17.0.19.0-150400.3.66.2 updated
- sssd-krb5-2.10.2-150700.9.28.1 updated
- sssd-dbus-2.10.2-150700.9.28.1 updated
- python3-sssd-config-2.10.2-150700.9.28.1 updated
- sssd-ad-2.10.2-150700.9.28.1 updated
- tomcat-servlet-4_0-api-9.0.117-150200.105.1 updated
- tomcat-el-3_0-api-9.0.117-150200.105.1 updated
- java-17-openjdk-17.0.19.0-150400.3.66.2 updated
- spacewalk-base-minimal-5.1.20-150700.3.17.1 updated
- sssd-tools-2.10.2-150700.9.28.1 updated
- sssd-ipa-2.10.2-150700.9.28.1 updated
- tomcat-jsp-2_3-api-9.0.117-150200.105.1 updated
- spacewalk-base-minimal-config-5.1.20-150700.3.17.1 updated
- tomcat-lib-9.0.117-150200.105.1 updated
- spacewalk-base-5.1.20-150700.3.17.1 updated
- python311-requests-2.31.0-150400.6.21.1 updated
- python3-requests-2.25.1-150300.3.21.1 updated
- salt-3006.0-150700.14.18.1 updated
- python311-salt-3006.0-150700.14.18.1 updated
- python3-apache-libcloud-3.3.1-150400.9.3.1 updated
- salt-master-3006.0-150700.14.18.1 updated
- tomcat-9.0.117-150200.105.1 updated
- salt-api-3006.0-150700.14.18.1 updated
- spacewalk-java-postgresql-5.1.25-150700.3.19.1 updated
- spacewalk-java-config-5.1.25-150700.3.19.1 updated
- spacewalk-taskomatic-5.1.25-150700.3.19.1 updated
- spacewalk-java-5.1.25-150700.3.19.1 updated
- spacewalk-html-5.1.20-150700.3.17.1 updated
- susemanager-tools-5.1.16-150700.3.12.1 updated
- susemanager-5.1.16-150700.3.12.1 updated
- container:bci-bci-init-15.7-4a0adf5155548b683c66ff485a7e982a444ac8c4fe688a46b0fc9ce7bf332fb6-0 updated