SUSE-IU-2026:3932-1: Security update of suse/sl-micro/6.2/baremetal-os-container

sle-container-updates at lists.suse.com sle-container-updates at lists.suse.com
Fri May 29 07:26:38 UTC 2026 

SUSE Image Update Advisory: suse/sl-micro/6.2/baremetal-os-container
-----------------------------------------------------------------
Image Advisory ID : SUSE-IU-2026:3932-1
Image Tags        : suse/sl-micro/6.2/baremetal-os-container:2.3.0 , suse/sl-micro/6.2/baremetal-os-container:2.3.0-7.164 , suse/sl-micro/6.2/baremetal-os-container:latest
Image Release     : 7.164
Severity          : important
Type              : security
References        : 1218762 1218763 1258005 1258655 1259126 1259434 1261630 1261833
                        1261833 1261833 1261845 1262395 1263689 1264706 1264707 1264708
                        1265349 1265360 CVE-2025-71066 CVE-2026-23004 CVE-2026-23204
                        CVE-2026-23437 CVE-2026-31406 CVE-2026-31431 CVE-2026-39881 CVE-2026-39881
                        CVE-2026-39881 CVE-2026-42307 CVE-2026-43961 CVE-2026-44656 CVE-2026-45130
                        CVE-2026-46483 
-----------------------------------------------------------------

The container suse/sl-micro/6.2/baremetal-os-container was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: 515
Released:    Thu Apr  9 20:49:53 2026
Summary:     Recommended update for agama
Type:        recommended
Severity:    moderate
References:  1218762,1218763,1259434,1261833,CVE-2026-39881
This update for agama fixes the following issue:

Change in agama:

- Add error reporting when working with AutoYaST profiles (bsc#1259434).

-----------------------------------------------------------------
Advisory ID: 691
Released:    Tue May  5 21:50:31 2026
Summary:     Security update for the Linux Kernel (Live Patch 4 for SUSE Linux Enterprise 16)
Type:        security
Severity:    important
References:  1258005,1258655,1259126,1261630,1261833,1261845,1263689,CVE-2025-71066,CVE-2026-23004,CVE-2026-23204,CVE-2026-23437,CVE-2026-31406,CVE-2026-31431,CVE-2026-39881

This update for the SUSE Linux Enterprise Kernel 6.12.0-160000.9.1 fixes various security issues

The following security issues were fixed:

- CVE-2025-71066: net/sched: ets: Always remove class from active list before deleting in ets_qdisc_change
  (bsc#1258005).
- CVE-2026-23004: dst: fix races in rt6_uncached_list_del() and rt_del_uncached_list() (bsc#1258655).
- CVE-2026-23204: net/sched: cls_u32: use skb_header_pointer_careful() (bsc#1259126).
- CVE-2026-23437: net: shaper: protect late read accesses to the hierarchy (bsc#1261845).
- CVE-2026-31406: xfrm: Fix work re-schedule after cancel in xfrm_nat_keepalive_net_fini() (bsc#1261630).
- CVE-2026-31431: crypto: algif_aead - Revert to operating out-of-place (bsc#1263689).


-----------------------------------------------------------------
Advisory ID: 817
Released:    Thu May 28 14:13:40 2026
Summary:     Security update for vim
Type:        security
Severity:    important
References:  1261833,1262395,1264706,1264707,1264708,1265349,1265360,CVE-2026-39881,CVE-2026-42307,CVE-2026-43961,CVE-2026-44656,CVE-2026-45130,CVE-2026-46483
This update for vim fixes the following issues

- CVE-2026-39881: command injection in NetBeans interface can lead to arbitrary file reads and writes (bsc#1261833).
- CVE-2026-42307: Prior to version 9.2.0383, an OS command injection vulnerability exists in the netrw standard plugin
  bundled with Vim (bsc#1264706).
- CVE-2026-43961: Vimscript Code Injection in netrw NetrwMarkFile() via crafted filename (bsc#1265349).
- CVE-2026-44656: Prior to version 9.2.0435, an OS command injection vulnerability exists in Vim's: find command-line
  completion (bsc#1264707).
- CVE-2026-45130: Prior to version 9.2.0450, a heap buffer overflow exists in read_compound() in src/spellfile.c when
  loading a crafted spell file (.spl) with UTF-8 encoding active (bsc#1264708).
- CVE-2026-46483: command injection via ` tar#Vimuntar()` in `runtime/autoload/tar.vim` when decompressing `.tgz`
  archives on Unix-like systems (bsc#1265360).

Changes for vim:

- Update to v9.2.0530.
- Fix for incorrectly detecting scientific parameter files as bitbake recipies. (bsc#1262395)


The following package changes have been done:

- vim-data-common-9.2.0530-160000.1.1 updated
- vim-small-9.2.0530-160000.1.1 updated

More information about the sle-container-updates mailing list