<div class="container">
<h1>Security update for build</h1>
<table class="table table-striped table-bordered">
<tbody>
<tr>
<th>Announcement ID:</th>
<td>SUSE-SU-2025:0857-1</td>
</tr>
<tr>
<th>Release Date:</th>
<td>2025-03-13T17:58:42Z</td>
</tr>
<tr>
<th>Rating:</th>
<td>important</td>
</tr>
<tr>
<th>References:</th>
<td>
<ul>
<li style="display: inline;">
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1217269">bsc#1217269</a>
</li>
<li style="display: inline;">
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1230469">bsc#1230469</a>
</li>
</ul>
</td>
</tr>
<tr>
<th>
Cross-References:
</th>
<td>
<ul>
<li style="display: inline;">
<a href="https://www.suse.com/security/cve/CVE-2024-22038.html">CVE-2024-22038</a>
</li>
</ul>
</td>
</tr>
<tr>
<th>CVSS scores:</th>
<td>
<ul class="list-group">
<li class="list-group-item">
<span class="cvss-reference">CVE-2024-22038</span>
<span class="cvss-source">
(
SUSE
):
</span>
<span class="cvss-score">6.8</span>
<span class="cvss-vector">CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:L/VI:H/VA:H/SC:N/SI:N/SA:N</span>
</li>
<li class="list-group-item">
<span class="cvss-reference">CVE-2024-22038</span>
<span class="cvss-source">
(
SUSE
):
</span>
<span class="cvss-score">7.3</span>
<span class="cvss-vector">CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:H</span>
</li>
<li class="list-group-item">
<span class="cvss-reference">CVE-2024-22038</span>
<span class="cvss-source">
(
NVD
):
</span>
<span class="cvss-score">6.8</span>
<span class="cvss-vector">CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:L/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X</span>
</li>
<li class="list-group-item">
<span class="cvss-reference">CVE-2024-22038</span>
<span class="cvss-source">
(
NVD
):
</span>
<span class="cvss-score">7.3</span>
<span class="cvss-vector">CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:H</span>
</li>
</ul>
</td>
</tr>
<tr>
<th>Affected Products:</th>
<td>
<ul class="list-group">
<li class="list-group-item">Development Tools Module 15-SP6</li>
<li class="list-group-item">openSUSE Leap 15.6</li>
<li class="list-group-item">SUSE Enterprise Storage 7.1</li>
<li class="list-group-item">SUSE Linux Enterprise Desktop 15 SP6</li>
<li class="list-group-item">SUSE Linux Enterprise High Performance Computing 15 SP3</li>
<li class="list-group-item">SUSE Linux Enterprise High Performance Computing 15 SP4</li>
<li class="list-group-item">SUSE Linux Enterprise High Performance Computing 15 SP5</li>
<li class="list-group-item">SUSE Linux Enterprise High Performance Computing ESPOS 15 SP4</li>
<li class="list-group-item">SUSE Linux Enterprise High Performance Computing ESPOS 15 SP5</li>
<li class="list-group-item">SUSE Linux Enterprise High Performance Computing LTSS 15 SP3</li>
<li class="list-group-item">SUSE Linux Enterprise High Performance Computing LTSS 15 SP4</li>
<li class="list-group-item">SUSE Linux Enterprise High Performance Computing LTSS 15 SP5</li>
<li class="list-group-item">SUSE Linux Enterprise Real Time 15 SP6</li>
<li class="list-group-item">SUSE Linux Enterprise Server 15 SP3</li>
<li class="list-group-item">SUSE Linux Enterprise Server 15 SP3 LTSS</li>
<li class="list-group-item">SUSE Linux Enterprise Server 15 SP4</li>
<li class="list-group-item">SUSE Linux Enterprise Server 15 SP4 LTSS</li>
<li class="list-group-item">SUSE Linux Enterprise Server 15 SP5</li>
<li class="list-group-item">SUSE Linux Enterprise Server 15 SP5 LTSS</li>
<li class="list-group-item">SUSE Linux Enterprise Server 15 SP6</li>
<li class="list-group-item">SUSE Linux Enterprise Server for SAP Applications 15 SP3</li>
<li class="list-group-item">SUSE Linux Enterprise Server for SAP Applications 15 SP4</li>
<li class="list-group-item">SUSE Linux Enterprise Server for SAP Applications 15 SP5</li>
<li class="list-group-item">SUSE Linux Enterprise Server for SAP Applications 15 SP6</li>
</ul>
</td>
</tr>
</tbody>
</table>
<p>An update that solves one vulnerability and has one security fix can now be installed.</p>
<h2>Description:</h2>
<p>This update for build fixes the following issues:</p>
<ul>
<li>CVE-2024-22038: Fixed DoS attacks, information leaks with crafted Git repositories (bnc#1230469)</li>
</ul>
<p>Other fixes:</p>
<ul>
<li>Fixed behaviour when using "--shell" aka "osc shell" option
in a VM build. Startup is faster and permissions stay intact
now.</li>
<li>fixes for POSIX compatibility for obs-docker-support and
mkbaselibs</li>
<li>Add support for apk in docker/podman builds</li>
<li>Add support for 'wget' in Docker images</li>
<li>Fix debian support for Dockerfile builds</li>
<li>Fix preinstallimages in containers</li>
<li>mkosi: add back system-packages used by build-recipe directly</li>
<li>
<p>pbuild: parse the Release files for debian repos</p>
</li>
<li>
<p>mkosi: drop most systemd/build-packages deps and use obs_scm
directory as source if present</p>
</li>
<li>improve source copy handling</li>
<li>
<p>Introduce --repos-directory and --containers-directory options</p>
</li>
<li>
<p>productcompose: support of building against a baseiso</p>
</li>
<li>preinstallimage: avoid inclusion of build script generated files</li>
<li>preserve timestamps on sources copy-in for kiwi and productcompose</li>
<li>alpine package support updates</li>
<li>
<p>tumbleweed config update</p>
</li>
<li>
<p>debian: Support installation of foreign architecture packages
(required for armv7l setups)</p>
</li>
<li>Parse unknown timezones as UTC</li>
<li>Apk (Alpine Linux) format support added</li>
<li>Implement default value in parameter expansion</li>
<li>Also support supplements that use & as "and"</li>
<li>Add workaround for skopeo's argument parser</li>
<li>add cap-htm=off on power9</li>
<li>Fixed usage of chown calls</li>
<li>
<p>Remove leading <code>go</code> from <code>purl</code> locators</p>
</li>
<li>
<p>container related:</p>
</li>
<li>Implement support for the new &lt;containers&gt; element in kiwi recipes</li>
<li>Fixes for SBOM and dependencies of multi stage container builds</li>
<li>obs-docker-support: enable dnf and yum substitutions</li>
<li>Arch Linux:</li>
<li>fix file path for Arch repo</li>
<li>exclude unsupported arch</li>
<li>Use root as download user</li>
<li>build-vm-qemu: force sv48 satp mode on riscv64</li>
<li>mkosi:</li>
<li>Create .sha256 files after mkosi builds</li>
<li>Always pass --image-version to mkosi</li>
<li>General improvements and bugfixes (mkosi, pbuild, appimage/livebuild,
obs work detection, documentation, SBOM)</li>
<li>Support slsa v1 in unpack_slsa_provenance</li>
<li>generate_sbom: do not clobber spdx supplier</li>
<li>
<p>Harden export_debian_orig_from_git (bsc#1230469)</p>
</li>
<li>
<p>SBOM generation:</p>
</li>
<li>Adding golang introspection support</li>
<li>Adding rust binary introspection support</li>
<li>Keep track of unknown licenses and add a "hasExtractedLicensingInfos"
section</li>
<li>Also normalize licenses for cyclonedx</li>
<li>Make generate_sbom errors fatal</li>
<li>general improvements</li>
<li>Fix noprep building not working because the buildir is removed</li>
<li>kiwi image: also detect a debian build if /var/lib/dpkg/status is present</li>
<li>Do not use the Encode module to convert a code point to utf8</li>
<li>Fix personality syscall number for riscv</li>
<li>add more required recommendations for KVM builds</li>
<li>set PACKAGER field in build-recipe-arch</li>
<li>fix writing _modulemd.yaml</li>
<li>pbuild: support --release and --baselibs option</li>
<li>container:</li>
<li>copy base container information from the annotation into the
containerinfo</li>
<li>track base containers over multiple stages</li>
<li>
<p>always put the base container last in the dependencies</p>
</li>
<li>
<p>providing fileprovides in createdirdeps tool</p>
</li>
<li>
<p>Introduce buildflag nochecks</p>
</li>
<li>
<p>productcompose: support <strong>all</strong> option</p>
</li>
<li>config update: tumbleweed using preinstallexpand</li>
<li>
<p>minor improvements</p>
</li>
<li>
<p>tumbleweed build config update</p>
</li>
<li>support the %load macro</li>
<li>improve container filename generation (docker)</li>
<li>fix hanging curl calls during build (docker)</li>
<li>
<p>productcompose: fix milestone query</p>
</li>
<li>
<p>tumbleweed build config update</p>
</li>
<li>15.6 build config fixes</li>
<li>sourcerpm & sourcedep handling fixes</li>
<li>productcompose:</li>
<li>Fix milestone handling</li>
<li>Support bcntsynctag</li>
<li>Adding debian support to generate_sbom</li>
<li>Add syscall for personality switch on loongarch64 kernel</li>
<li>vm-build: ext3 & ext4: fix disk space allocation</li>
<li>mkosi format updates, not fully working yet</li>
<li>pbuild exception fixes</li>
<li>Fixes for current fedora and centos distros</li>
<li>Don't copy original dsc sources if OBS-DCH-RELEASE set</li>
<li>Unbreak parsing of sources/patches</li>
<li>Support ForceMultiVersion in the dockerfile parser</li>
<li>
<p>Support %bcond of rpm 4.17.1</p>
</li>
<li>
<p>Add a hack for systemd 255.3, creating an empty /etc/os-release
if missing after preinstall.</p>
</li>
<li>docker: Fix HEAD request in dummyhttpserver</li>
<li>pbuild: Make docker-nobasepackages expand flag the default</li>
<li>rpm: Support a couple of builtin rpm macros</li>
<li>rpm: Implement argument expansion for define/with/bcond...</li>
<li>Fix multiline macro handling</li>
<li>Accept -N parameter of %autosetup</li>
<li>documentation updates</li>
<li>
<p>various code cleanup and speedup work.</p>
</li>
<li>
<p>ProductCompose: multiple improvements</p>
</li>
<li>Add buildflags:define_specfile support</li>
<li>Fix copy-in of git subdirectory sources</li>
<li>pbuild: Speed up XML parsing</li>
<li>pbuild: product compose support</li>
<li>generate_sbom: add help option</li>
<li>podman: enforce runtime=runc</li>
<li>Implement direct conflicts from the distro config</li>
<li>changelog2spec: fix time zone handling</li>
<li>Do not unmount /proc/sys/fs/binfmt_misc before running the check scripts</li>
<li>spec file cleanup</li>
<li>
<p>documentation updates</p>
</li>
<li>
<p>productcompose:</p>
</li>
<li>support schema 0.1</li>
<li>support milestones</li>
<li>Leap 15.6 config</li>
<li>
<p>SLE 15 SP6 config</p>
</li>
<li>
<p>productcompose: follow incompatible flavor syntax change</p>
</li>
<li>
<p>pbuild: support for zstd</p>
</li>
<li>
<p>fixed handling for cmdline parameters via kernel packages</p>
</li>
<li>
<p>productcompose:</p>
</li>
<li>BREAKING: support new schema</li>
<li>
<p>adapt flavor architecture parsing</p>
</li>
<li>
<p>productcompose:</p>
</li>
<li>support filtered package lists</li>
<li>support default architecture listing</li>
<li>
<p>fix copy in binaries in VM builds</p>
</li>
<li>
<p>obsproduct build type got renamed to productcompose</p>
</li>
<li>
<p>Support zstd compressed rpm-md meta data (bsc#1217269)</p>
</li>
<li>Added Debian 12 configuration</li>
<li>
<p>First ObsProduct build format support</p>
</li>
<li>
<p>fix SLE 15 SP5 build configuration</p>
</li>
<li>
<p>Improve user agent handling for obs repositories</p>
</li>
<li>
<p>Docker:</p>
</li>
<li>Support flavor specific build descriptions via Dockerfile.$flavor</li>
<li>support "PlusRecommended" hint to also provide recommended packages</li>
<li>use the name/version as filename if both are known</li>
<li>Produce docker format containers by default</li>
<li>pbuild: Support for signature authentication of OBS resources</li>
<li>Fix wiping build root for --vm-type podman</li>
<li>Put BUILD_RELEASE and BUILD_CHANGELOG_TIMESTAMP in the /.buildenv</li>
<li>build-vm-kvm: use -cpu host on riscv64</li>
<li>
<p>small fixes and cleanups</p>
</li>
<li>
<p>Added parser for BcntSyncTag in sources</p>
</li>
<li>
<p>pbuild:</p>
</li>
<li>fix dependency expansion for build types other than spec</li>
<li>Reworked cycle handling code</li>
<li>add --extra-packs option</li>
<li>add debugflags option</li>
<li>Pass-through --buildtool-opt</li>
<li>Parse Patch and Source lines more accurately</li>
<li>fix tunefs functionality</li>
<li>
<p>minor bugfixes</p>
</li>
<li>
<p>--vm-type=podman added (supports also root-less builds)</p>
</li>
<li>Also support build constraints in the Dockerfile</li>
<li>
<p>minor fixes</p>
</li>
<li>
<p>Add SUSE ALP build config</p>
</li>
<li>
<p>BREAKING: Record errors when parsing the project config;
former behaviour was undefined</p>
</li>
<li>container: Support compression format configuration option</li>
<li>Don't setup ccache with --no-init</li>
<li>improved loongarch64 support</li>
<li>sbom: SPDX supplier tag added</li>
<li>kiwi: support different versions per profile</li>
<li>preinstallimage: fail when recompression fails</li>
<li>Add support for recommends and supplements dependencies</li>
<li>Support the "keepfilerequires" expand flag</li>
<li>add '--buildtool-opt=OPTIONS' to pass options to the used build tool</li>
<li>distro config updates</li>
<li>ArchLinux</li>
<li>Tumbleweed</li>
<li>
<p>documentation updates</p>
</li>
<li>
<p>openSUSE Tumbleweed: sync config and move to suse_version 1699.</p>
</li>
<li>
<p>universal post-build hook, just place a file in /usr/lib/build/post_build.d/</p>
</li>
<li>mkbaselibs/hwcaps, fix pattern name once again (x86_64_v3)</li>
<li>
<p>KiwiProduct: add --use-newest-package hint if the option is set</p>
</li>
<li>
<p>Dockerfile support:</p>
</li>
<li>export multibuild flavor as argument</li>
<li>allow parameters in FROM .. scratch lines</li>
<li>include OS name in build result if != linux</li>
<li>Workaround directory->symlink usrmerge problems for cross arch sysroot</li>
<li>
<p>multiple fixes for SBOM support</p>
</li>
<li>
<p>KIWI VM image SBOM support added</p>
</li>
</ul>
<h2>Patch Instructions:</h2>
<p>
To install this SUSE update use the SUSE recommended
installation methods like YaST online_update or "zypper patch".<br/>
Alternatively you can run the command listed for your product:
</p>
<ul class="list-group">
<li class="list-group-item">
SUSE Linux Enterprise Server for SAP Applications 15 SP5
<br/>
<code>zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-SP5-2025-857=1</code>
</li>
<li class="list-group-item">
SUSE Enterprise Storage 7.1
<br/>
<code>zypper in -t patch SUSE-Storage-7.1-2025-857=1</code>
</li>
<li class="list-group-item">
openSUSE Leap 15.6
<br/>
<code>zypper in -t patch openSUSE-SLE-15.6-2025-857=1</code>
</li>
<li class="list-group-item">
Development Tools Module 15-SP6
<br/>
<code>zypper in -t patch SUSE-SLE-Module-Development-Tools-15-SP6-2025-857=1</code>
</li>
<li class="list-group-item">
SUSE Linux Enterprise High Performance Computing LTSS 15 SP3
<br/>
<code>zypper in -t patch SUSE-SLE-Product-HPC-15-SP3-LTSS-2025-857=1</code>
</li>
<li class="list-group-item">
SUSE Linux Enterprise High Performance Computing ESPOS 15 SP4
<br/>
<code>zypper in -t patch SUSE-SLE-Product-HPC-15-SP4-ESPOS-2025-857=1</code>
</li>
<li class="list-group-item">
SUSE Linux Enterprise High Performance Computing LTSS 15 SP4
<br/>
<code>zypper in -t patch SUSE-SLE-Product-HPC-15-SP4-LTSS-2025-857=1</code>
</li>
<li class="list-group-item">
SUSE Linux Enterprise High Performance Computing ESPOS 15 SP5
<br/>
<code>zypper in -t patch SUSE-SLE-Product-HPC-15-SP5-ESPOS-2025-857=1</code>
</li>
<li class="list-group-item">
SUSE Linux Enterprise High Performance Computing LTSS 15 SP5
<br/>
<code>zypper in -t patch SUSE-SLE-Product-HPC-15-SP5-LTSS-2025-857=1</code>
</li>
<li class="list-group-item">
SUSE Linux Enterprise Server 15 SP3 LTSS
<br/>
<code>zypper in -t patch SUSE-SLE-Product-SLES-15-SP3-LTSS-2025-857=1</code>
</li>
<li class="list-group-item">
SUSE Linux Enterprise Server 15 SP4 LTSS
<br/>
<code>zypper in -t patch SUSE-SLE-Product-SLES-15-SP4-LTSS-2025-857=1</code>
</li>
<li class="list-group-item">
SUSE Linux Enterprise Server 15 SP5 LTSS
<br/>
<code>zypper in -t patch SUSE-SLE-Product-SLES-15-SP5-LTSS-2025-857=1</code>
</li>
<li class="list-group-item">
SUSE Linux Enterprise Server for SAP Applications 15 SP3
<br/>
<code>zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-SP3-2025-857=1</code>
</li>
<li class="list-group-item">
SUSE Linux Enterprise Server for SAP Applications 15 SP4
<br/>
<code>zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-SP4-2025-857=1</code>
</li>
</ul>
<h2>Package List:</h2>
<ul>
<li>
SUSE Linux Enterprise Server for SAP Applications 15 SP5 (noarch)
<ul>
<li>build-mkbaselibs-20250306-150200.19.1</li>
<li>build-20250306-150200.19.1</li>
</ul>
</li>
<li>
SUSE Enterprise Storage 7.1 (noarch)
<ul>
<li>build-mkbaselibs-20250306-150200.19.1</li>
<li>build-20250306-150200.19.1</li>
</ul>
</li>
<li>
openSUSE Leap 15.6 (noarch)
<ul>
<li>build-mkbaselibs-20250306-150200.19.1</li>
<li>build-initvm-x86_64-20250306-150200.19.1</li>
<li>build-initvm-aarch64-20250306-150200.19.1</li>
<li>build-initvm-s390x-20250306-150200.19.1</li>
<li>build-mkdrpms-20250306-150200.19.1</li>
<li>build-initvm-powerpc64le-20250306-150200.19.1</li>
<li>build-20250306-150200.19.1</li>
</ul>
</li>
<li>
Development Tools Module 15-SP6 (noarch)
<ul>
<li>build-mkbaselibs-20250306-150200.19.1</li>
<li>build-20250306-150200.19.1</li>
</ul>
</li>
<li>
SUSE Linux Enterprise High Performance Computing LTSS 15 SP3 (noarch)
<ul>
<li>build-mkbaselibs-20250306-150200.19.1</li>
<li>build-20250306-150200.19.1</li>
</ul>
</li>
<li>
SUSE Linux Enterprise High Performance Computing ESPOS 15 SP4 (noarch)
<ul>
<li>build-mkbaselibs-20250306-150200.19.1</li>
<li>build-20250306-150200.19.1</li>
</ul>
</li>
<li>
SUSE Linux Enterprise High Performance Computing LTSS 15 SP4 (noarch)
<ul>
<li>build-mkbaselibs-20250306-150200.19.1</li>
<li>build-20250306-150200.19.1</li>
</ul>
</li>
<li>
SUSE Linux Enterprise High Performance Computing ESPOS 15 SP5 (noarch)
<ul>
<li>build-mkbaselibs-20250306-150200.19.1</li>
<li>build-20250306-150200.19.1</li>
</ul>
</li>
<li>
SUSE Linux Enterprise High Performance Computing LTSS 15 SP5 (noarch)
<ul>
<li>build-mkbaselibs-20250306-150200.19.1</li>
<li>build-20250306-150200.19.1</li>
</ul>
</li>
<li>
SUSE Linux Enterprise Server 15 SP3 LTSS (noarch)
<ul>
<li>build-mkbaselibs-20250306-150200.19.1</li>
<li>build-20250306-150200.19.1</li>
</ul>
</li>
<li>
SUSE Linux Enterprise Server 15 SP4 LTSS (noarch)
<ul>
<li>build-mkbaselibs-20250306-150200.19.1</li>
<li>build-20250306-150200.19.1</li>
</ul>
</li>
<li>
SUSE Linux Enterprise Server 15 SP5 LTSS (noarch)
<ul>
<li>build-mkbaselibs-20250306-150200.19.1</li>
<li>build-20250306-150200.19.1</li>
</ul>
</li>
<li>
SUSE Linux Enterprise Server for SAP Applications 15 SP3 (noarch)
<ul>
<li>build-mkbaselibs-20250306-150200.19.1</li>
<li>build-20250306-150200.19.1</li>
</ul>
</li>
<li>
SUSE Linux Enterprise Server for SAP Applications 15 SP4 (noarch)
<ul>
<li>build-mkbaselibs-20250306-150200.19.1</li>
<li>build-20250306-150200.19.1</li>
</ul>
</li>
</ul>
<h2>References:</h2>
<ul>
<li>
<a href="https://www.suse.com/security/cve/CVE-2024-22038.html">https://www.suse.com/security/cve/CVE-2024-22038.html</a>
</li>
<li>
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1217269">https://bugzilla.suse.com/show_bug.cgi?id=1217269</a>
</li>
<li>
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1230469">https://bugzilla.suse.com/show_bug.cgi?id=1230469</a>
</li>
</ul>
</div>