SUSE-SU-2025:0857-1: important: Security update for build
SLE-SECURITY-UPDATES
null at suse.de
Thu Mar 13 20:30:25 UTC 2025
# Security update for build
Announcement ID: SUSE-SU-2025:0857-1
Release Date: 2025-03-13T17:58:42Z
Rating: important
References:
* bsc#1217269
* bsc#1230469
Cross-References:
* CVE-2024-22038
CVSS scores:
* CVE-2024-22038 ( SUSE ): 6.8
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:L/VI:H/VA:H/SC:N/SI:N/SA:N
* CVE-2024-22038 ( SUSE ): 7.3 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:H
* CVE-2024-22038 ( NVD ): 6.8
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:L/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
* CVE-2024-22038 ( NVD ): 7.3 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:H
Affected Products:
* Development Tools Module 15-SP6
* openSUSE Leap 15.6
* SUSE Enterprise Storage 7.1
* SUSE Linux Enterprise Desktop 15 SP6
* SUSE Linux Enterprise High Performance Computing 15 SP3
* SUSE Linux Enterprise High Performance Computing 15 SP4
* SUSE Linux Enterprise High Performance Computing 15 SP5
* SUSE Linux Enterprise High Performance Computing ESPOS 15 SP4
* SUSE Linux Enterprise High Performance Computing ESPOS 15 SP5
* SUSE Linux Enterprise High Performance Computing LTSS 15 SP3
* SUSE Linux Enterprise High Performance Computing LTSS 15 SP4
* SUSE Linux Enterprise High Performance Computing LTSS 15 SP5
* SUSE Linux Enterprise Real Time 15 SP6
* SUSE Linux Enterprise Server 15 SP3
* SUSE Linux Enterprise Server 15 SP3 LTSS
* SUSE Linux Enterprise Server 15 SP4
* SUSE Linux Enterprise Server 15 SP4 LTSS
* SUSE Linux Enterprise Server 15 SP5
* SUSE Linux Enterprise Server 15 SP5 LTSS
* SUSE Linux Enterprise Server 15 SP6
* SUSE Linux Enterprise Server for SAP Applications 15 SP3
* SUSE Linux Enterprise Server for SAP Applications 15 SP4
* SUSE Linux Enterprise Server for SAP Applications 15 SP5
* SUSE Linux Enterprise Server for SAP Applications 15 SP6
An update that solves one vulnerability and has one security fix can now be
installed.
## Description:
This update for build fixes the following issues: \- CVE-2024-22038: Fixed DoS
attacks, information leaks with crafted Git repositories (bnc#1230469)
Other fixes: \- Fixed behaviour when using "\--shell" aka "osc shell" option in
a VM build. Startup is faster and permissions stay intact now.
* fixes for POSIX compatibility for obs-docker-support adn mkbaselibs
* Add support for apk in docker/podman builds
* Add support for 'wget' in Docker images
* Fix debian support for Dockerfile builds
* Fix preinstallimages in containers
* mkosi: add back system-packages used by build-recipe directly
* pbuild: parse the Release files for debian repos
* mkosi: drop most systemd/build-packages deps and use obs_scm directory as
source if present
* improve source copy handling
* Introduce --repos-directory and --containers-directory options
* productcompose: support of building against a baseiso
* preinstallimage: avoid inclusion of build script generated files
* preserve timestamps on sources copy-in for kiwi and productcompose
* alpine package support updates
* tumbleweed config update
* debian: Support installation of foreign architecture packages (required for
armv7l setups)
* Parse unknown timezones as UTC
* Apk (Alpine Linux) format support added
* Implement default value in parameter expansion
* Also support supplements that use & as "and"
* Add workaround for skopeo's argument parser
* add cap-htm=off on power9
* Fixed usage of chown calls
* Remove leading `go` from `purl` locators
* container related:
* Implement support for the new <containers> element in kiwi recipes
* Fixes for SBOM and dependencies of multi stage container builds
* obs-docker-support: enable dnf and yum substitutions
* Arch Linux:
* fix file path for Arch repo
* exclude unsupported arch
* Use root as download user
* build-vm-qemu: force sv48 satp mode on riscv64
* mkosi:
* Create .sha256 files after mkosi builds
* Always pass --image-version to mkosi
* General improvements and bugfixes (mkosi, pbuild, appimage/livebuild, obs
work detection, documention, SBOM)
* Support slsa v1 in unpack_slsa_provenance
* generate_sbom: do not clobber spdx supplier
* Harden export_debian_orig_from_git (bsc#1230469)
* SBOM generation:
* Adding golang introspection support
* Adding rust binary introspection support
* Keep track of unknwon licenses and add a "hasExtractedLicensingInfos"
section
* Also normalize licenses for cyclonedx
* Make generate_sbom errors fatal
* general improvements
* Fix noprep building not working because the buildir is removed
* kiwi image: also detect a debian build if /var/lib/dpkg/status is present
* Do not use the Encode module to convert a code point to utf8
* Fix personality syscall number for riscv
* add more required recommendations for KVM builds
* set PACKAGER field in build-recipe-arch
* fix writing _modulemd.yaml
* pbuild: support --release and --baselibs option
* container:
* copy base container information from the annotation into the containerinfo
* track base containers over multiple stages
* always put the base container last in the dependencies
* providing fileprovides in createdirdeps tool
* Introduce buildflag nochecks
* productcompose: support **all** option
* config update: tumbleweed using preinstallexpand
* minor improvements
* tumbleweed build config update
* support the %load macro
* improve container filename generation (docker)
* fix hanging curl calls during build (docker)
* productcompose: fix milestone query
* tumbleweed build config update
* 15.6 build config fixes
* sourcerpm & sourcedep handling fixes
* productcompose:
* Fix milestone handling
* Support bcntsynctag
* Adding debian support to generate_sbom
* Add syscall for personality switch on loongarch64 kernel
* vm-build: ext3 & ext4: fix disk space allocation
* mkosi format updates, not fully working yet
* pbuild exception fixes
* Fixes for current fedora and centos distros
* Don't copy original dsc sources if OBS-DCH-RELEASE set
* Unbreak parsing of sources/patches
* Support ForceMultiVersion in the dockerfile parser
* Support %bcond of rpm 4.17.1
* Add a hack for systemd 255.3, creating an empty /etc/os-release if missing
after preinstall.
* docker: Fix HEAD request in dummyhttpserver
* pbuild: Make docker-nobasepackages expand flag the default
* rpm: Support a couple of builtin rpm macros
* rpm: Implement argument expansion for define/with/bcond...
* Fix multiline macro handling
* Accept -N parameter of %autosetup
* documentation updates
* various code cleanup and speedup work.
* ProductCompose: multiple improvements
* Add buildflags:define_specfile support
* Fix copy-in of git subdirectory sources
* pbuild: Speed up XML parsing
* pubild: product compose support
* generate_sbom: add help option
* podman: enforce runtime=runc
* Implement direct conflicts from the distro config
* changelog2spec: fix time zone handling
* Do not unmount /proc/sys/fs/binfmt_misc before runnint the check scripts
* spec file cleanup
* documentation updates
* productcompose:
* support schema 0.1
* support milestones
* Leap 15.6 config
* SLE 15 SP6 config
* productcompose: follow incompatible flavor syntax change
* pbuild: support for zstd
* fixed handling for cmdline parameters via kernel packages
* productcompose:
* BREAKING: support new schema
* adapt flavor architecture parsing
* productcompose:
* support filtered package lists
* support default architecture listing
* fix copy in binaries in VM builds^
* obsproduct build type got renamed to productcompose
* Support zstd compressed rpm-md meta data (bsc#1217269)
* Added Debian 12 configuration
* First ObsProduct build format support
* fix SLE 15 SP5 build configuration
* Improve user agent handling for obs repositories
* Docker:
* Support flavor specific build descriptions via Dockerfile.$flavor
* support "PlusRecommended" hint to also provide recommended packages
* use the name/version as filename if both are known
* Produce docker format containers by default
* pbuild: Support for signature authentification of OBS resources
* Fix wiping build root for --vm-type podman
* Put BUILD_RELEASE and BUILD_CHANGELOG_TIMESTAMP in the /.buildenv
* build-vm-kvm: use -cpu host on riscv64
* small fixes and cleanups
* Added parser for BcntSyncTag in sources
* pbuild:
* fix dependency expansion for build types other than spec
* Reworked cycle handling code
* add --extra-packs option
* add debugflags option
* Pass-through --buildtool-opt
* Parse Patch and Source lines more accurately
* fix tunefs functionality
* minor bugfixes
* \--vm-type=podman added (supports also root-less builds)
* Also support build constraints in the Dockerfile
* minor fixes
* Add SUSE ALP build config
* BREAKING: Record errors when parsing the project config former behaviour was
undefined
* container: Support compression format configuration option
* Don't setup ccache with --no-init
* improved loongarch64 support
* sbom: SPDX supplier tag added
* kiwi: support different versions per profile
* preinstallimage: fail when recompression fails
* Add support for recommends and supplements dependencies
* Support the "keepfilerequires" expand flag
* add '\--buildtool-opt=OPTIONS' to pass options to the used build tool
* distro config updates
* ArchLinux
* Tumbleweed
* documentation updates
* openSUSE Tumbleweed: sync config and move to suse_version 1699.
* universal post-build hook, just place a file in /usr/lib/build/post_build.d/
* mkbaselibs/hwcaps, fix pattern name once again (x86_64_v3)
* KiwiProduct: add --use-newest-package hint if the option is set
* Dockerfile support:
* export multibuild flavor as argument
* allow parameters in FROM .. scratch lines
* include OS name in build result if != linux
* Workaround directory->symlink usrmerge problems for cross arch sysroot
* multiple fixes for SBOM support
* KIWI VM image SBOM support added
## Patch Instructions:
To install this SUSE update use the SUSE recommended installation methods like
YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
* SUSE Linux Enterprise Server for SAP Applications 15 SP5
zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-SP5-2025-857=1
* SUSE Enterprise Storage 7.1
zypper in -t patch SUSE-Storage-7.1-2025-857=1
* openSUSE Leap 15.6
zypper in -t patch openSUSE-SLE-15.6-2025-857=1
* Development Tools Module 15-SP6
zypper in -t patch SUSE-SLE-Module-Development-Tools-15-SP6-2025-857=1
* SUSE Linux Enterprise High Performance Computing LTSS 15 SP3
zypper in -t patch SUSE-SLE-Product-HPC-15-SP3-LTSS-2025-857=1
* SUSE Linux Enterprise High Performance Computing ESPOS 15 SP4
zypper in -t patch SUSE-SLE-Product-HPC-15-SP4-ESPOS-2025-857=1
* SUSE Linux Enterprise High Performance Computing LTSS 15 SP4
zypper in -t patch SUSE-SLE-Product-HPC-15-SP4-LTSS-2025-857=1
* SUSE Linux Enterprise High Performance Computing ESPOS 15 SP5
zypper in -t patch SUSE-SLE-Product-HPC-15-SP5-ESPOS-2025-857=1
* SUSE Linux Enterprise High Performance Computing LTSS 15 SP5
zypper in -t patch SUSE-SLE-Product-HPC-15-SP5-LTSS-2025-857=1
* SUSE Linux Enterprise Server 15 SP3 LTSS
zypper in -t patch SUSE-SLE-Product-SLES-15-SP3-LTSS-2025-857=1
* SUSE Linux Enterprise Server 15 SP4 LTSS
zypper in -t patch SUSE-SLE-Product-SLES-15-SP4-LTSS-2025-857=1
* SUSE Linux Enterprise Server 15 SP5 LTSS
zypper in -t patch SUSE-SLE-Product-SLES-15-SP5-LTSS-2025-857=1
* SUSE Linux Enterprise Server for SAP Applications 15 SP3
zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-SP3-2025-857=1
* SUSE Linux Enterprise Server for SAP Applications 15 SP4
zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-SP4-2025-857=1
## Package List:
* SUSE Linux Enterprise Server for SAP Applications 15 SP5 (noarch)
* build-mkbaselibs-20250306-150200.19.1
* build-20250306-150200.19.1
* SUSE Enterprise Storage 7.1 (noarch)
* build-mkbaselibs-20250306-150200.19.1
* build-20250306-150200.19.1
* openSUSE Leap 15.6 (noarch)
* build-mkbaselibs-20250306-150200.19.1
* build-initvm-x86_64-20250306-150200.19.1
* build-initvm-aarch64-20250306-150200.19.1
* build-initvm-s390x-20250306-150200.19.1
* build-mkdrpms-20250306-150200.19.1
* build-initvm-powerpc64le-20250306-150200.19.1
* build-20250306-150200.19.1
* Development Tools Module 15-SP6 (noarch)
* build-mkbaselibs-20250306-150200.19.1
* build-20250306-150200.19.1
* SUSE Linux Enterprise High Performance Computing LTSS 15 SP3 (noarch)
* build-mkbaselibs-20250306-150200.19.1
* build-20250306-150200.19.1
* SUSE Linux Enterprise High Performance Computing ESPOS 15 SP4 (noarch)
* build-mkbaselibs-20250306-150200.19.1
* build-20250306-150200.19.1
* SUSE Linux Enterprise High Performance Computing LTSS 15 SP4 (noarch)
* build-mkbaselibs-20250306-150200.19.1
* build-20250306-150200.19.1
* SUSE Linux Enterprise High Performance Computing ESPOS 15 SP5 (noarch)
* build-mkbaselibs-20250306-150200.19.1
* build-20250306-150200.19.1
* SUSE Linux Enterprise High Performance Computing LTSS 15 SP5 (noarch)
* build-mkbaselibs-20250306-150200.19.1
* build-20250306-150200.19.1
* SUSE Linux Enterprise Server 15 SP3 LTSS (noarch)
* build-mkbaselibs-20250306-150200.19.1
* build-20250306-150200.19.1
* SUSE Linux Enterprise Server 15 SP4 LTSS (noarch)
* build-mkbaselibs-20250306-150200.19.1
* build-20250306-150200.19.1
* SUSE Linux Enterprise Server 15 SP5 LTSS (noarch)
* build-mkbaselibs-20250306-150200.19.1
* build-20250306-150200.19.1
* SUSE Linux Enterprise Server for SAP Applications 15 SP3 (noarch)
* build-mkbaselibs-20250306-150200.19.1
* build-20250306-150200.19.1
* SUSE Linux Enterprise Server for SAP Applications 15 SP4 (noarch)
* build-mkbaselibs-20250306-150200.19.1
* build-20250306-150200.19.1
## References:
* https://www.suse.com/security/cve/CVE-2024-22038.html
* https://bugzilla.suse.com/show_bug.cgi?id=1217269
* https://bugzilla.suse.com/show_bug.cgi?id=1230469
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.suse.com/pipermail/sle-security-updates/attachments/20250313/255f0046/attachment.htm>
More information about the sle-security-updates
mailing list