SUSE-IU-2026:3756-1: Security update of suse/sl-micro/6.2/baremetal-os-container
sle-container-updates at lists.suse.com
Wed May 27 07:34:08 UTC 2026
SUSE Image Update Advisory: suse/sl-micro/6.2/baremetal-os-container
-----------------------------------------------------------------
Image Advisory ID : SUSE-IU-2026:3756-1
Image Tags : suse/sl-micro/6.2/baremetal-os-container:2.3.0 , suse/sl-micro/6.2/baremetal-os-container:2.3.0-7.159 , suse/sl-micro/6.2/baremetal-os-container:latest
Image Release : 7.159
Severity : important
Type : security
References : 1230348 1254903 1254904 1254905 1257509 1257643 1258174 1258710
1259253 1259436 1259475 1261568 1261568 1261568 1261569 1261569
1261569 1261570 1261570 1261570 1261571 1261571 1261571 1261572
1261572 1261572 1261742 1261742 1261742 1261743 1261743 1261743
1263116 1263116 1263116 CVE-2025-67724 CVE-2025-67725 CVE-2025-67726
CVE-2026-27447 CVE-2026-27447 CVE-2026-27447 CVE-2026-34978 CVE-2026-34978
CVE-2026-34978 CVE-2026-34979 CVE-2026-34979 CVE-2026-34979 CVE-2026-34980
CVE-2026-34980 CVE-2026-34980 CVE-2026-34990 CVE-2026-34990 CVE-2026-34990
CVE-2026-39314 CVE-2026-39314 CVE-2026-39314 CVE-2026-39316 CVE-2026-39316
CVE-2026-39316 CVE-2026-41079 CVE-2026-41079 CVE-2026-41079
-----------------------------------------------------------------
The container suse/sl-micro/6.2/baremetal-os-container was updated. The following patches have been included in this update:
-----------------------------------------------------------------
Advisory ID: 549
Released: Tue Apr 14 10:13:38 2026
Summary: Recommended update for suse-migration-services
Type: recommended
Severity: important
References: 1254903,1254904,1254905,1258174,1258710,1261568,1261569,1261570,1261571,1261572,1261742,1261743,1263116,CVE-2025-67724,CVE-2025-67725,CVE-2025-67726,CVE-2026-27447,CVE-2026-34978,CVE-2026-34979,CVE-2026-34980,CVE-2026-34990,CVE-2026-39314,CVE-2026-39316,CVE-2026-41079
This update for suse-migration-services fixes the following issues:
- Bump version to 2.1.33:
* Fix btrfs snapshot services
Do not perform snapshot operations if the root filesystem is not btrfs based.
* Fix lsm precheck
Yet another test that doesn't restrict the scope of its runtime environment.
* Fixed scope check for cpu_arch and check_ha
* Update documentation
- Bump version to 2.1.32:
* Fixed dataProvider setup in regionserverclnt.cfg
In case of Azure the dataProvider information gets a device parameter added.
This parameter must be added only once or not at all if it is already present.
* Fixup import of certificates
Only import if the file exists and is not a directory. We still assume that the file content of
the pki trust directories matches certificates and not random non certificate files.
* Fix consistency of regionserverclnt.cfg (bsc#1258710)
- Bump version to 2.1.31:
* Doc update
Weave in more updates about the SLE 15 to 16 migration. While we have updated the code to support
the migration to 16, the doc has been lacking appropriate references.
* Fix setup of migration target for pre-check (bsc#1258174)
* Make sure to fall back to scc.suse.com
Systems that do not provide /etc/SUSEConnect should fall back to
the default registration server, which is https://scc.suse.com
* Update test data
* Switch reboot default
* Be more explicit about kexec example
Make it more explicit that Xen is only one example where kexec does not work.
* Update documentation
* Add wicked2nm-continue-migration to user doc
* Move default container to official devel project
* Fixed disk device name passed to azuremetadata
* Fix SLES SAP migration 12 - 15 in public clouds
* Fix python compatibility on latest zypper change
* Manage documentation version
Make sure documentation version and code version are consistently managed.
-----------------------------------------------------------------
Advisory ID: 729
Released: Mon May 11 14:02:48 2026
Summary: Recommended update for sssd
Type: recommended
Severity: important
References: 1230348,1257509,1257643,1259253,1259436,1259475,1261568,1261569,1261570,1261571,1261572,1261742,1261743,1263116,CVE-2026-27447,CVE-2026-34978,CVE-2026-34979,CVE-2026-34980,CVE-2026-34990,CVE-2026-39314,CVE-2026-39316,CVE-2026-41079
This update for sssd fixes the following issues:
- With the 2.10 update sssd runs under an unprivileged user, which is not possible in certain scenarios.
This update reverts to running as root with minimum privileges (bsc#1259436);
- Let krb5 child tolerate missing capabilities;
- Add support for UsrEtc (bsc#1257643);
- The default configuration file is installed now in /usr/etc/sssd/sssd.conf.
It can be completely overridden by manually creating the system specific config file
/etc/sssd/sssd.conf, or partially overridden by creating config snippets in
/etc/sssd/conf.d/ directory. Check sssd.conf manpage for more details.
- Fix ldap_child process started by the backend process ending in defunct state.
- Create the secrets directory for the KCM service (bsc#1259253);
- Make sure previously rotated logs are chown-ed as well (bsc#1259475);
- Use %pre scriptlet instead of %pretrans to migrate from sssd-common (bsc#1257509);
- Update to release 2.10.2 (jsc#PED-12449):
* If the ssh responder is not running, sss_ssh_knownhosts will not fail.
* SSSD is now capable of handling multiple services associated with the same port.
* sssd_pam, being a privileged binary, now clears the environment and
does not allow configuration of the PR_SET_DUMPABLE flag as a precaution.
- Changes from sssd 2.10.1:
* SSSD no longer creates missing path components of DIR:/FILE:
ccache types while acquiring the user's TGT.
* The option default_domain_suffix is deprecated.
- Changes from sssd 2.10.0:
* The ``sssctl cache-upgrade`` command was removed.
SSSD performs automatic upgrades at startup when needed.
* Support of ``enumeration`` feature for AD/IPA providers is deprecated and
might be removed in further releases.
* The new tool ``sss_ssh_knownhosts`` can be used with ssh's ``KnownHostsCommand`` configuration option
to retrieve the host's public keys from a remote server. It replaces ``sss_ssh_knownhostsproxy``.
* The default value for ``ldap_id_use_start_tls`` changed from false to true for improved security.
- Fix socket activation of responders
- Daemon runs now as unprivileged user 'sssd'
- Fix sssctl config-check exit code when the conf.d snippets directory does not exist (bsc#1230348);
-----------------------------------------------------------------
Advisory ID: 802
Released: Tue May 26 14:19:57 2026
Summary: Security update for cups
Type: security
Severity: important
References: 1261568,1261569,1261570,1261571,1261572,1261742,1261743,1263116,CVE-2026-27447,CVE-2026-34978,CVE-2026-34979,CVE-2026-34980,CVE-2026-34990,CVE-2026-39314,CVE-2026-39316,CVE-2026-41079
This update for cups fixes the following issues:
- CVE-2026-27447: Authorization bypass via case-insensitive group-member lookup (bsc#1261572).
- CVE-2026-34978: Path traversal in RSS notify-recipient-uri enables file write outside CacheDir/rss (bsc#1261571).
- CVE-2026-34979: Heap overflow in `get_options()` (bsc#1261570).
- CVE-2026-34980: Shared PostScript queue lets anonymous Print-Job requests reach `lp` code execution over the network
(bsc#1261569).
- CVE-2026-34990: Local print admin token disclosure using temporary printers (bsc#1261568).
- CVE-2026-39314: negative `job-password-supported` attribute can lead to a denial of service (bsc#1261743).
- CVE-2026-39316: dangling subscription pointer can lead to a denial of service (bsc#1261742).
- CVE-2026-41079: crafted SNMP response can lead to stack-based out-of-bounds read and sensitive memory disclosure
(bsc#1263116).
Changes for cups:
- Version upgrade to 2.4.19.
- Version upgrade to 2.4.18.
- Version upgrade to 2.4.17:
* The scheduler followed symbolic links when cleaning out
its temporary directory (Issue #1448)
* Updated `cupsFileGetConf` and `cupsFilePutConf` to escape
more characters.
* Updated man page `cancel` (Issue #984)
* Updated `cupsRasterReadHeader` to validate more of the
page header values (Issue #1501)
* Fixed an issue with the class/printer CGI name checking.
* Fixed infinite loop in `http_write()` on busy print servers
(Issue #827)
* Fixed potential TLS blocking issues (Issue #1128)
* Fixed a job history bug in the scheduler (Issue #1440)
* Fixed notifier logging bug that would result in nul bytes
getting into the log (Issue #1450)
* Fixed possible use-after-free in `cupsdReadClient()`
(Issue #1454)
* Fixed a document format bug in the IPP backend (Issue #1457)
* Fixed DRAIN_OUTPUT race condition (Issue #1461)
* Fixed a bug when the `ippFindXxx` and `ippSetXxx` functions
were mixed.
* Fixed the mapping of supply type keywords to SNMP names.
* Fixed a bug in the IPP backend when SNMP was disabled.
* Fixed a crash bug in the rastertoepson filter.
* Fixed a bug in cgiCheckVariables.
* Fixed handling read/write errors with OpenSSL (Issue #1506)
* Fixed handling rehandshake error in `_httpTLSRead`
(Issue #1508)
* Fixed a debug printf bug on Windows (Issue #1529)
* Fixed a recursion issue with encoding of nested collections
(Issue #1539)
* Fixed parsing of the `LimitRequestBody`, `MaxLogSize`,
and `MaxRequestSize` directives in 'cupsd.conf' (Issue #1540)
* Fixed a parsing bug in `ipptool` (Issue #1542)
* Fixed blank line detection in the `rastertolabel` filter
(Issue #1545)
* Fixed `httpPeek` edge case on compressed streams
The following package changes have been done:
- cups-config-2.4.19-160000.1.1 updated
- libcups2-2.4.19-160000.1.1 updated