<div class="container">
<h1>Security update for build, product-composer</h1>
<table class="table table-striped table-bordered">
<tbody>
<tr>
<th>Announcement ID:</th>
<td>SUSE-SU-2026:21518-1</td>
</tr>
<tr>
<th>Release Date:</th>
<td>2026-05-05T06:52:08Z</td>
</tr>
<tr>
<th>Rating:</th>
<td>moderate</td>
</tr>
<tr>
<th>References:</th>
<td>
<ul>
<li style="display: inline;">
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1230469">bsc#1230469</a>
</li>
</ul>
</td>
</tr>
<tr>
<th>
Cross-References:
</th>
<td>
<ul>
<li style="display: inline;">
<a href="https://www.suse.com/security/cve/CVE-2024-22038.html">CVE-2024-22038</a>
</li>
</ul>
</td>
</tr>
<tr>
<th>CVSS scores:</th>
<td>
<ul class="list-group">
<li class="list-group-item">
<span class="cvss-reference">CVE-2024-22038</span>
<span class="cvss-source">
(
SUSE
):
</span>
<span class="cvss-score">6.8</span>
<span class="cvss-vector">CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:L/VI:H/VA:H/SC:N/SI:N/SA:N</span>
</li>
<li class="list-group-item">
<span class="cvss-reference">CVE-2024-22038</span>
<span class="cvss-source">
(
SUSE
):
</span>
<span class="cvss-score">7.3</span>
<span class="cvss-vector">CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:H</span>
</li>
<li class="list-group-item">
<span class="cvss-reference">CVE-2024-22038</span>
<span class="cvss-source">
(
NVD
):
</span>
<span class="cvss-score">6.8</span>
<span class="cvss-vector">CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:L/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X</span>
</li>
<li class="list-group-item">
<span class="cvss-reference">CVE-2024-22038</span>
<span class="cvss-source">
(
NVD
):
</span>
<span class="cvss-score">7.3</span>
<span class="cvss-vector">CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:H</span>
</li>
</ul>
</td>
</tr>
<tr>
<th>Affected Products:</th>
<td>
<ul class="list-group">
<li class="list-group-item">SUSE Linux Micro 6.2</li>
<li class="list-group-item">SUSE Linux Micro Extras 6.2</li>
</ul>
</td>
</tr>
</tbody>
</table>
<p>An update that solves one vulnerability can now be installed.</p>
<h2>Description:</h2>
<p>This update for build, product-composer fixes the following issues:</p>
<p>Changes in build:</p>
<ul>
<li>
<p>Support a new "IgnoreRebuild" config.</p>
</li>
<li>
<p>build-recipe-kiwi:</p>
</li>
<li>
<p>Add support for oci containers</p>
</li>
<li>Avoid needlessly compressing container images</li>
<li>
<p>Detect container images based on build result file name</p>
</li>
<li>
<p>Fix queryrecipe to use the summary and the description from the main package</p>
</li>
<li>
<p>config: Add slfo-main build configuration</p>
</li>
<li>drop the inner quotes, not needed on bash 4 and breaks on bash 3</li>
<li>
<p>build: in the ccache case, after test -e also accept -L</p>
</li>
<li>
<p>container:</p>
</li>
<li>
<p>Add microdnf package manager support</p>
</li>
<li>
<p>Add experimental support for the container-timestamp build option</p>
</li>
<li>
<p>sbom:</p>
</li>
<li>
<p>allow to create v1 intoto data</p>
</li>
<li>spdx: connect OPERATING-SYSTEM package to the root package</li>
<li>
<p>Transfer product vcs and disturl</p>
</li>
<li>
<p>Support --cms-nocerts and --cms-keyid in the signdummy</p>
</li>
<li>Support chroot builds inside of containers</li>
<li>runservice tool, allow to specify the modes. Can be
used on plain git source now also</li>
<li>Support --mtime option for cpio creation</li>
<li>
<p>generate_sbom:</p>
</li>
<li>
<p>Support also unzck compressed repomd files</p>
</li>
<li>Fail when given --product directory is missing</li>
<li>
<p>support zstd compressed repomd data</p>
</li>
<li>
<p>build-vm-lxc: support lxc >= 5</p>
</li>
<li>
<p>vc: Hide an annoying error message when not using NIS</p>
</li>
<li>
<p>added leap-16.0 and leap-16.1 build configs.
(not named sl16.0 anymore, but using same string as the git branch)</p>
</li>
<li>
<p>Implement cmssign support in signdummy</p>
</li>
<li>pbuild: mark git assets with a fixed commit as immutable</li>
<li>mkosi</li>
<li>check if old parameters are supported before passing them</li>
<li>support old bash version</li>
<li>
<p>Do not crash on small files that start with the PE magic</p>
</li>
<li>
<p>Harden export_debian_orig_from_git (CVE-2024-22038, boo#1230469)</p>
</li>
</ul>
<p>Changes in product-composer:</p>
<p>update to version 0.9.6:</p>
<ul>
<li>Speed-up reading of rpm headers</li>
<li>Flush output lines to get get correct timestamps in OBS</li>
</ul>
<p>update to version 0.9.5:</p>
<ul>
<li>Be a bit more verbose to track used times per step in OBS</li>
<li>Fix a crash when doing version compare with an epoch</li>
</ul>
<p>update to version 0.9.4:</p>
<ul>
<li>Give an error when trying to add updateinfo meta data
without all binary revisions.</li>
<li>Hand over vcs and disturl data to generate_sbom.
(We require a recent build package therefore)</li>
</ul>
<h2>Patch Instructions:</h2>
<p>
To install this SUSE update use the SUSE recommended
installation methods like YaST online_update or "zypper patch".<br/>
Alternatively you can run the command listed for your product:
</p>
<ul class="list-group">
<li class="list-group-item">
SUSE Linux Micro Extras 6.2
<br/>
<code>zypper in -t patch SUSE-SLE-Micro-Extras-6.2-678=1</code>
</li>
</ul>
<h2>Package List:</h2>
<ul>
<li>
SUSE Linux Micro Extras 6.2 (noarch)
<ul>
<li>build-mkbaselibs-20260415-160000.1.1</li>
</ul>
</li>
</ul>
<h2>References:</h2>
<ul>
<li>
<a href="https://www.suse.com/security/cve/CVE-2024-22038.html">https://www.suse.com/security/cve/CVE-2024-22038.html</a>
</li>
<li>
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1230469">https://bugzilla.suse.com/show_bug.cgi?id=1230469</a>
</li>
</ul>
</div>