SUSE-IU-2025:1054-1 SUSE Image security@suse.de SUSE Security Team SUSE Image SUSE-IU-2025:1054-1 Interim 1 1 2025-11-28T07:07:20Z current 2025-04-14T01:00:00Z 2025-04-14T01:00:00Z cve-database/bin/generate-cvrf-publiccloud.pl 2021-02-18T01:00:00Z Image update for SUSE-IU-2025:1054-1 / google/sles-15-sp6-v20250414-arm64 This image update for google/sles-15-sp6-v20250414-arm64 contains the following changes: Package ca-certificates-mozilla was updated: - revert the distrusted certs for now. originally these only distrust "new issued" certs starting after a certain date, while old certs should still work. (bsc#1240343) - remove-distrusted.patch: removed Package glibc was updated: - pthread-wakeup.patch: pthreads NPTL: lost wakeup fix 2 (bsc#1234128, BZ [#25847]) - Mark functions in libc_nonshared.a as hidden (bsc#1239883) - Bump minimal kernel version to 4.3 to enable use of direct socketcalls on x86-32 and s390x (bsc#1234713) Package expat was updated: - version update to 2.7.1 Bug fixes: [#980] #989 Restore event pointer behavior from Expat 2.6.4 (that the fix to CVE-2024-8176 changed in 2.7.0); affected API functions are: - XML_GetCurrentByteCount - XML_GetCurrentByteIndex - XML_GetCurrentColumnNumber - XML_GetCurrentLineNumber - XML_GetInputContext Other changes: [#976] #977 Autotools: Integrate files "fuzz/xml_lpm_fuzzer.{cpp,proto}" with Automake that were missing from 2.7.0 release tarballs [#983] #984 Fix printf format specifiers for 32bit Emscripten [#992] docs: Promote OpenSSF Best Practices self-certification [#978] tests/benchmark: Resolve mistaken double close [#986] Address compiler warnings [#990] #993 Version info bumped from 11:1:10 (libexpat*.so.1.10.1) to 11:2:10 (libexpat*.so.1.10.2); see https://verbump.de/ for what these numbers do Infrastructure: [#982] CI: Start running Perl XML::Parser integration tests [#987] CI: Enforce Clang Static Analyzer clean code [#991] CI: Re-enable warning clang-analyzer-valist.Uninitialized for clang-tidy [#981] CI: Cover compilation with musl [#983] #984 CI: Cover compilation with 32bit Emscripten [#976] #977 CI: Protect against fuzzer files missing from future release archives - version update to 2.7.0 for SLE-15-SP4 - deleted patches - expat-CVE-2022-25235.patch (upstreamed) - expat-CVE-2022-25236-relax-fix.patch (upstreamed) - expat-CVE-2022-25236.patch (upstreamed) - expat-CVE-2022-25313-fix-regression.patch (upstreamed) - expat-CVE-2022-25313.patch (upstreamed) - expat-CVE-2022-25314.patch (upstreamed) - expat-CVE-2022-25315.patch (upstreamed) - expat-CVE-2022-40674.patch (upstreamed) - expat-CVE-2022-43680.patch (upstreamed) - expat-CVE-2023-52425-1.patch (upstreamed) - expat-CVE-2023-52425-2.patch (upstreamed) - expat-CVE-2023-52425-backport-parser-changes.patch (upstreamed) - expat-CVE-2023-52425-fix-tests.patch (upstreamed) - expat-CVE-2024-28757.patch (upstreamed) - expat-CVE-2024-45490.patch (upstreamed) - expat-CVE-2024-45491.patch (upstreamed) - expat-CVE-2024-45492.patch (upstreamed) - expat-CVE-2024-50602.patch (upstreamed) - version update to 2.7.0 (CVE-2024-8176 [bsc#1239618]) * Security fixes: [#893] #973 CVE-2024-8176 -- Fix crash from chaining a large number of entities caused by stack overflow by resolving use of recursion, for all three uses of entities: - general entities in character data ("<e>&g1;</e>") - general entities in attribute values ("<e k1='&g1;'/>") - parameter entities ("%p1;") Known impact is (reliable and easy) denial of service: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:H/RL:O/RC:C (Base Score: 7.5, Temporal Score: 7.2) Please note that a layer of compression around XML can significantly reduce the minimum attack payload size. * Other changes: [#935] #937 Autotools: Make generated CMake files look for libexpat.@SO_MAJOR@.dylib on macOS [#925] Autotools: Sync CMake templates with CMake 3.29 [#945] #962 #966 CMake: Drop support for CMake <3.13 [#942] CMake: Small fuzzing related improvements [#921] docs: Add missing documentation of error code XML_ERROR_NOT_STARTED that was introduced with 2.6.4 [#941] docs: Document need for C++11 compiler for use from C++ [#959] tests/benchmark: Fix a (harmless) TOCTTOU [#944] Windows: Fix installer target location of file xmlwf.xml for CMake [#953] Windows: Address warning -Wunknown-warning-option about -Wno-pedantic-ms-format from LLVM MinGW [#971] Address Cppcheck warnings [#969] #970 Mass-migrate links from http:// to https:// [#947] #958 .. [#974] #975 Document changes since the previous release [#974] #975 Version info bumped from 11:0:10 (libexpat*.so.1.10.0) to 11:1:10 (libexpat*.so.1.10.1); see https://verbump.de/ for what these numbers do - no source changes, just adding jira reference: jsc#SLE-21253 Package supportutils was updated: - Changes to version 3.2.10 + network.txt collect all firewalld zones (pr#233) + Collects gfs2 info (PED-11853, pr#235, pr#236) + Ignore tasks/threads to prevent collecting duplicate fd data in open_files (bsc#1230371, pr#237) + Added openldap2_5 support for SLES (pr#238) + Collects additional hawk details (pr#239) + Optimized filtering D/Z processes (pr#241) + Collect firewalld permanent configuration (pr#243) + ldap_info: support for multiple DBs and sanitize olcRootPW (bsc#1231838, pr#247) + Added dbus_info for dbus.txt (bsc#1222650, pr#248) - Changes to version 3.2.9 + Map running PIDs to RPM package owner aiding BPF program detection (bsc#1222896, bsc#1213291, PED-8221) + Supportconfig available in current distro (PED-7131) + Corrected display issues (bsc#1231396) + NFS takes too long, showmount times out (bsc#1231423) + Merged sle15 and master branches (bsc#1233726, PED-11669) The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). https://publiccloudimagechangeinfo.suse.com/google/sles-15-sp6-v20250414-arm64/ Public Cloud Image Info https://www.suse.com/support/security/rating/ SUSE Security Ratings Public Cloud Image google/sles-15-sp6-v20250414-arm64 ca-certificates-mozilla-2.74-150200.41.1 glibc-2.38-150600.14.26.1 glibc-i18ndata-2.38-150600.14.26.1 glibc-locale-2.38-150600.14.26.1 glibc-locale-base-2.38-150600.14.26.1 libexpat1-2.7.1-150400.3.28.1 nscd-2.38-150600.14.26.1 supportutils-3.2.10-150600.3.6.5 ca-certificates-mozilla-2.74-150200.41.1 as a component of Public Cloud Image google/sles-15-sp6-v20250414-arm64 glibc-2.38-150600.14.26.1 as a component of Public Cloud Image google/sles-15-sp6-v20250414-arm64 glibc-i18ndata-2.38-150600.14.26.1 as a component of Public Cloud Image google/sles-15-sp6-v20250414-arm64 glibc-locale-2.38-150600.14.26.1 as a component of Public Cloud Image google/sles-15-sp6-v20250414-arm64 glibc-locale-base-2.38-150600.14.26.1 as a component of Public Cloud Image google/sles-15-sp6-v20250414-arm64 libexpat1-2.7.1-150400.3.28.1 as a component of Public Cloud Image google/sles-15-sp6-v20250414-arm64 nscd-2.38-150600.14.26.1 as a component of Public Cloud Image google/sles-15-sp6-v20250414-arm64 supportutils-3.2.10-150600.3.6.5 as a component of Public Cloud Image google/sles-15-sp6-v20250414-arm64 xmltok_impl.c in Expat (aka libexpat) before 2.4.5 lacks certain validation of encoding, such as checks for whether a UTF-8 character is valid in a certain context. CVE-2022-25235 Public Cloud Image google/sles-15-sp6-v20250414-arm64:libexpat1-2.7.1-150400.3.28.1 important 7.5 AV:N/AC:L/Au:N/C:P/I:P/A:P xmlparse.c in Expat (aka libexpat) before 2.4.5 allows attackers to insert namespace-separator characters into namespace URIs. CVE-2022-25236 Public Cloud Image google/sles-15-sp6-v20250414-arm64:libexpat1-2.7.1-150400.3.28.1 important 7.5 AV:N/AC:L/Au:N/C:P/I:P/A:P In Expat (aka libexpat) before 2.4.5, an attacker can trigger stack exhaustion in build_model via a large nesting depth in the DTD element. CVE-2022-25313 Public Cloud Image google/sles-15-sp6-v20250414-arm64:libexpat1-2.7.1-150400.3.28.1 moderate 4.3 AV:N/AC:M/Au:N/C:N/I:N/A:P In Expat (aka libexpat) before 2.4.5, there is an integer overflow in copyString. CVE-2022-25314 Public Cloud Image google/sles-15-sp6-v20250414-arm64:libexpat1-2.7.1-150400.3.28.1 important 5 AV:N/AC:L/Au:N/C:N/I:N/A:P In Expat (aka libexpat) before 2.4.5, there is an integer overflow in storeRawNames. CVE-2022-25315 Public Cloud Image google/sles-15-sp6-v20250414-arm64:libexpat1-2.7.1-150400.3.28.1 important 7.5 AV:N/AC:L/Au:N/C:P/I:P/A:P libexpat before 2.4.9 has a use-after-free in the doContent function in xmlparse.c. CVE-2022-40674 Public Cloud Image google/sles-15-sp6-v20250414-arm64:libexpat1-2.7.1-150400.3.28.1 important In libexpat through 2.4.9, there is a use-after free caused by overeager destruction of a shared DTD in XML_ExternalEntityParserCreate in out-of-memory situations. CVE-2022-43680 Public Cloud Image google/sles-15-sp6-v20250414-arm64:libexpat1-2.7.1-150400.3.28.1 important libexpat through 2.5.0 allows a denial of service (resource consumption) because many full reparsings are required in the case of a large token for which multiple buffer fills are needed. CVE-2023-52425 Public Cloud Image google/sles-15-sp6-v20250414-arm64:libexpat1-2.7.1-150400.3.28.1 moderate libexpat through 2.6.1 allows an XML Entity Expansion attack when there is isolated use of external parsers (created via XML_ExternalEntityParserCreate). CVE-2024-28757 Public Cloud Image google/sles-15-sp6-v20250414-arm64:libexpat1-2.7.1-150400.3.28.1 important An issue was discovered in libexpat before 2.6.3. xmlparse.c does not reject a negative length for XML_ParseBuffer. CVE-2024-45490 Public Cloud Image google/sles-15-sp6-v20250414-arm64:libexpat1-2.7.1-150400.3.28.1 moderate An issue was discovered in libexpat before 2.6.3. dtdCopy in xmlparse.c can have an integer overflow for nDefaultAtts on 32-bit platforms (where UINT_MAX equals SIZE_MAX). CVE-2024-45491 Public Cloud Image google/sles-15-sp6-v20250414-arm64:libexpat1-2.7.1-150400.3.28.1 moderate An issue was discovered in libexpat before 2.6.3. nextScaffoldPart in xmlparse.c can have an integer overflow for m_groupSize on 32-bit platforms (where UINT_MAX equals SIZE_MAX). CVE-2024-45492 Public Cloud Image google/sles-15-sp6-v20250414-arm64:libexpat1-2.7.1-150400.3.28.1 moderate An issue was discovered in libexpat before 2.6.4. There is a crash within the XML_ResumeParser function because XML_StopParser can stop/suspend an unstarted parser. CVE-2024-50602 Public Cloud Image google/sles-15-sp6-v20250414-arm64:libexpat1-2.7.1-150400.3.28.1 moderate A stack overflow vulnerability exists in the libexpat library due to the way it handles recursive entity expansion in XML documents. When parsing an XML document with deeply nested entity references, libexpat can be forced to recurse indefinitely, exhausting the stack space and causing a crash. This issue could lead to denial of service (DoS) or, in some cases, exploitable memory corruption, depending on the environment and library usage. CVE-2024-8176 Public Cloud Image google/sles-15-sp6-v20250414-arm64:libexpat1-2.7.1-150400.3.28.1 important