<div class="container">
<h1>Recommended update of flake-pilot</h1>
<table class="table table-striped table-bordered">
<tbody>
<tr>
<th>Announcement ID:</th>
<td>SUSE-SU-2025:20921-1</td>
</tr>
<tr>
<th>Release Date:</th>
<td>2025-10-15T12:01:21Z</td>
</tr>
<tr>
<th>Rating:</th>
<td>moderate</td>
</tr>
<tr>
<th>References:</th>
<td>
<ul>
<li style="display: inline;">
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1248004">bsc#1248004</a>
</li>
</ul>
</td>
</tr>
<tr>
<th>
Cross-References:
</th>
<td>
<ul>
<li style="display: inline;">
<a href="https://www.suse.com/security/cve/CVE-2025-55159.html">CVE-2025-55159</a>
</li>
</ul>
</td>
</tr>
<tr>
<th>CVSS scores:</th>
<td>
<ul class="list-group">
<li class="list-group-item">
<span class="cvss-reference">CVE-2025-55159</span>
<span class="cvss-source">
(
SUSE
):
</span>
<span class="cvss-score">5.8</span>
<span class="cvss-vector">CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:P/VC:L/VI:L/VA:H/SC:N/SI:N/SA:N</span>
</li>
<li class="list-group-item">
<span class="cvss-reference">CVE-2025-55159</span>
<span class="cvss-source">
(
SUSE
):
</span>
<span class="cvss-score">5.8</span>
<span class="cvss-vector">CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:H</span>
</li>
<li class="list-group-item">
<span class="cvss-reference">CVE-2025-55159</span>
<span class="cvss-source">
(
NVD
):
</span>
<span class="cvss-score">5.1</span>
<span class="cvss-vector">CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X</span>
</li>
</ul>
</td>
</tr>
<tr>
<th>Affected Products:</th>
<td>
<ul class="list-group">
<li class="list-group-item">SUSE Linux Enterprise Server 16.0</li>
<li class="list-group-item">SUSE Linux Enterprise Server for SAP Applications 16.0</li>
</ul>
</td>
</tr>
</tbody>
</table>
<p>An update that solves one vulnerability can now be installed.</p>
<h2>Description:</h2>
<p>This update for flake-pilot fixes the following issues:</p>
<p>Update version to 3.1.22.</p>
<ul>
<li>Fixes to use flakes as normal user</li>
</ul>
<p>Running a flake is a container based instance provisioning
and startup. Some part of this process requires root permissions
for example mounting the container instance store for the
provisioning step. This commit fixes the required calls to
be properly managed by sudo.</p>
<ul>
<li>
<p>seed from entropy</p>
</li>
<li>
<p>Fix assignment of random sequence number</p>
</li>
</ul>
<p>We should use a seed for the sequence as described in
https://rust-random.github.io/book/guide-seeding.html#a-simple-number
In addition the logic when a random sequence number should
be used was wrong and needed a fix regarding resume and
attach type flakes which must not use a random sequence</p>
<ul>
<li>Pass --init option for resume type flakes</li>
</ul>
<p>In resume mode a sleep command is used to keep the container
open. However, without the --init option there is no signal
handling available. This commit fixes it</p>
<ul>
<li>Revert "kill prior remove when using %remove flag"</li>
</ul>
<p>This reverts commit 06c7d4aa71f74865dfecba399fd08cc2fde2e1f2.
no hard killing needed with the event loop entrypoint</p>
<ul>
<li>Fixed CVE-2025-55159 slab: incorrect bounds check</li>
</ul>
<p>Update to slab 0.4.11 to fix the mentioned CVE.
This Fixes bsc#1248004</p>
<ul>
<li>
<p>Apply clippy fixes</p>
</li>
<li>
<p>Create sequence number for the same invocation</p>
</li>
</ul>
<p>If a flake which is not a resume or attach flake is called twice
with the same invocation arguments an error message is displayed
to give this invocation a new name via the @NAME runtime option.
This commit makes this more comfortable and automatically assigns
a random sequence number for the call if no @NAME is given.</p>
<ul>
<li>kill prior remove when using %remove flag</li>
</ul>
<p>In case the container instance should be removed via the %remove
flag, send a kill first, followed by a force remove. The reason
for this is because we use a never ending sleep command as entry
point for resume type containers. If they should be removed the
standard signal send on podman rm will not stop the sleep and
after a period of 10 seconds podman sends a kill signal itself.
We can speedup this process as we know the entry point command
and send the kill signal first followed by the remove which
saves us some wait time spent in podman otherwise.</p>
<ul>
<li>Fix clippy hints</li>
</ul>
<p>variables can be used directly in the format! string</p>
<ul>
<li>Prune old images after load</li>
</ul>
<p>Make sure no <none> image references stay in the registry</p>
<h2>Patch Instructions:</h2>
<p>
To install this SUSE update use the SUSE recommended
installation methods like YaST online_update or "zypper patch".<br/>
Alternatively you can run the command listed for your product:
</p>
<ul class="list-group">
<li class="list-group-item">
SUSE Linux Enterprise Server 16.0
<br/>
<code>zypper in -t patch SUSE-SLES-16.0-2=1</code>
</li>
<li class="list-group-item">
SUSE Linux Enterprise Server for SAP Applications 16.0
<br/>
<code>zypper in -t patch SUSE-SLES-16.0-2=1</code>
</li>
</ul>
<h2>Package List:</h2>
<ul>
<li>
SUSE Linux Enterprise Server 16.0 (aarch64 ppc64le s390x x86_64)
<ul>
<li>flake-pilot-3.1.22-160000.1.1</li>
<li>flake-pilot-podman-3.1.22-160000.1.1</li>
</ul>
</li>
<li>
SUSE Linux Enterprise Server 16.0 (aarch64 s390x x86_64)
<ul>
<li>flake-pilot-debuginfo-3.1.22-160000.1.1</li>
</ul>
</li>
<li>
SUSE Linux Enterprise Server for SAP Applications 16.0 (ppc64le x86_64)
<ul>
<li>flake-pilot-3.1.22-160000.1.1</li>
<li>flake-pilot-podman-3.1.22-160000.1.1</li>
</ul>
</li>
<li>
SUSE Linux Enterprise Server for SAP Applications 16.0 (x86_64)
<ul>
<li>flake-pilot-debuginfo-3.1.22-160000.1.1</li>
</ul>
</li>
</ul>
<h2>References:</h2>
<ul>
<li>
<a href="https://www.suse.com/security/cve/CVE-2025-55159.html">https://www.suse.com/security/cve/CVE-2025-55159.html</a>
</li>
<li>
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1248004">https://bugzilla.suse.com/show_bug.cgi?id=1248004</a>
</li>
</ul>
</div>