SUSE-SU-2026:21518-1: moderate: Security update for build, product-composer
SLE-SECURITY-UPDATES
null at suse.de
Mon May 11 08:36:53 UTC 2026
# Security update for build, product-composer
Announcement ID: SUSE-SU-2026:21518-1
Release Date: 2026-05-05T06:52:08Z
Rating: moderate
References:
* bsc#1230469
Cross-References:
* CVE-2024-22038
CVSS scores:
* CVE-2024-22038 ( SUSE ): 6.8 CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:L/VI:H/VA:H/SC:N/SI:N/SA:N
* CVE-2024-22038 ( SUSE ): 7.3 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:H
* CVE-2024-22038 ( NVD ): 6.8 CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:L/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
* CVE-2024-22038 ( NVD ): 7.3 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:H
Affected Products:
* SUSE Linux Micro 6.2
* SUSE Linux Micro Extras 6.2
An update that solves one vulnerability can now be installed.
## Description:
This update for build, product-composer fixes the following issues:
Changes in build:
* Support a new "IgnoreRebuild" config.
* build-recipe-kiwi:
* Add support for OCI containers
* Avoid needlessly compressing container images
* Detect container images based on the build result file name
* Fix queryrecipe to use the summary and the description from the main package
* config: Add slfo-main build configuration
* Drop the inner quotes; they are not needed on bash 4 and break on bash 3
* build: in the ccache case, after test -e also accept -L
* container:
* Add microdnf package manager support
* Add experimental support for the container-timestamp build option
* sbom:
* Allow creating v1 in-toto data
* spdx: connect the OPERATING-SYSTEM package to the root package
* Transfer product vcs and disturl
* Support --cms-nocerts and --cms-keyid in the signdummy
* Support chroot builds inside of containers
* runservice tool: allow specifying the modes. Can now also be used on plain git sources
* Support the --mtime option for cpio creation
* generate_sbom:
* Also support unzck-compressed repomd files
* Fail when the given --product directory is missing
* Support zstd-compressed repomd data
* build-vm-lxc: support lxc >= 5
* vc: Hide an annoying error message when not using NIS
* Added leap-16.0 and leap-16.1 build configs (no longer named sl16.0, but using the same string as the git branch)
* Implement cmssign support in signdummy
* pbuild: mark git assets with a fixed commit as immutable
* mkosi:
* Check whether old parameters are supported before passing them
* Support old bash versions
* Do not crash on small files that start with the PE magic
* Harden export_debian_orig_from_git (CVE-2024-22038, boo#1230469)
Changes in product-composer:
Update to version 0.9.6:
* Speed up reading of rpm headers
* Flush output lines to get correct timestamps in OBS
Update to version 0.9.5:
* Be a bit more verbose to track the time used per step in OBS
* Fix a crash when doing a version compare with an epoch
Update to version 0.9.4:
* Give an error when trying to add updateinfo metadata without all binary revisions.
* Hand over vcs and disturl data to generate_sbom (this requires a recent build package)
## Patch Instructions:
To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
* SUSE Linux Micro Extras 6.2
zypper in -t patch SUSE-SLE-Micro-Extras-6.2-678=1
## Package List:
* SUSE Linux Micro Extras 6.2 (noarch)
* build-mkbaselibs-20260415-160000.1.1
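A local check that the fixed package from this advisory is installed, added here as an example and not part of the advisory or of the build project. It compares an installed version-release string of build-mkbaselibs against the fixed version taken from the package list above (20260415-160000.1.1). The ordering is done with GNU `sort -V`; that it orders these date-based version strings the same way rpm does is an assumption stated in the code, and the helper is not a full rpmvercmp replacement.

```shell
#!/bin/sh
# Added example: check whether the fixed build-mkbaselibs from SUSE-SU-2026:21518-1 is installed.
# The fixed version-release is taken from the advisory's package list.
FIXED_VERSION="20260415-160000.1.1"
PACKAGE="build-mkbaselibs"

# is_patched VERSION-RELEASE
# Returns 0 when the given version-release is at least FIXED_VERSION, 1 otherwise.
# Assumption: GNU "sort -V" orders this date-based scheme the same way rpm does
# (true for numeric date and build-counter fields; not a general rpmvercmp).
is_patched() {
    installed="$1"
    lowest=$(printf '%s\n%s\n' "$FIXED_VERSION" "$installed" | sort -V | head -n 1)
    [ "$lowest" = "$FIXED_VERSION" ]
}

# report_package PACKAGE
# Queries rpm for the installed version-release and prints the result.
# Returns 0 when the fixed version is present, 1 when it is older or not installed.
report_package() {
    pkg="$1"
    if installed=$(rpm -q --qf '%{VERSION}-%{RELEASE}' "$pkg" 2>/dev/null); then
        if is_patched "$installed"; then
            echo "$pkg $installed: fixed version installed"
            return 0
        fi
        echo "$pkg $installed: older than $FIXED_VERSION, apply SUSE-SU-2026:21518-1"
        return 1
    fi
    echo "$pkg: not installed"
    return 1
}

# Only query the local system when rpm exists, so the functions above can also be
# sourced and applied to version strings collected from other hosts.
if command -v rpm >/dev/null 2>&1; then
    report_package "$PACKAGE" || true
fi
```

Usage: run the script on a SUSE Linux Micro Extras 6.2 host, or source it and call `is_patched "<version>-<release>"` on version strings gathered by an inventory tool.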
## References:
* https://www.suse.com/security/cve/CVE-2024-22038.html
* https://bugzilla.suse.com/show_bug.cgi?id=1230469