SUSE-IU-2025:1360-1 SUSE Image security@suse.de SUSE Security Team SUSE Image SUSE-IU-2025:1360-1 Interim 1 1 2025-12-07T16:00:58Z current 2025-05-14T01:00:00Z 2025-05-14T01:00:00Z cve-database/bin/generate-cvrf-publiccloud.pl 2021-02-18T01:00:00Z Image update for SUSE-IU-2025:1360-1 / google/sles-15-sp6-chost-byos-v20250514-arm64 This image update for google/sles-15-sp6-chost-byos-v20250514-arm64 contains the following changes: Package apparmor was updated: - Add dac_read_search capability for unix_chkpwd to allow it to read the shadow file even if it has 000 permissions. This is needed after the CVE-2024-10041 fix in PAM. * unix-chkpwd-add-read-capability.path, bsc#1241678 - Allow pam_unix to execute unix_chkpwd with abi/3.0 - remove dovecot-unix_chkpwd.diff - Add allow-pam_unix-to-execute-unix_chkpwd.patch - Add revert-abi-change-for-unix_chkpwd.patch (bsc#1234452, bsc#1232234) Package cifs-utils was updated: - CVE-2025-2312: cifs-utils: cifs.upcall makes an upcall to the wrong namespace in containerized environments while trying to get Kerberos credentials (bsc#1239680) * add New-mount-option-for-cifs.upcall-namespace-reso.patch Package containerd was updated: - Update to containerd v1.7.27. Upstream release notes: <https://github.com/containerd/containerd/releases/tag/v1.7.27> bsc#1239749 CVE-2024-40635 - Rebase patches: * 0001-BUILD-SLE12-revert-btrfs-depend-on-kernel-UAPI-inste.patch - Update to containerd v1.7.26. Upstream release notes: <https://github.com/containerd/containerd/releases/tag/v1.7.26> - Rebase patches: * 0001-BUILD-SLE12-revert-btrfs-depend-on-kernel-UAPI-inste.patch - Update to containerd v1.7.25. Upstream release notes: <https://github.com/containerd/containerd/releases/tag/v1.7.25> <https://github.com/containerd/containerd/releases/tag/v1.7.24> - Rebase patches: * 0001-BUILD-SLE12-revert-btrfs-depend-on-kernel-UAPI-inste.patch Package glib2 was updated: - Add glib2-CVE-2025-3360.patch: Backport 8d60d7dc from upstream, Fix integer overflow when parsing very long ISO8601 inputs. This will only happen with invalid (or maliciously invalid) potential ISO8601 strings, but `g_date_time_new_from_iso8601()` needs to be robust against that. (CVE-2025-3360, bsc#1240897) Package glibc was updated: Package iproute2 was updated: - avoid spurious cgroup warning (bsc#1234383): - ss-Tone-down-cgroup-path-resolution.patch Package augeas was updated: - Add patch, fix for bsc#1239909 / CVE-2025-2588: * CVE-2025-2588.patch Package lvm2 was updated: - LVM filter behaves unexpectedly for MPIO devices in SLES15SP5 (bsc#1216938) * set lvm.conf devices.multipath_wwids_file="" Package freetype2 was updated: Package libgcrypt was updated: - FIPS: Pad PKCS1.5 signatures with SHA3 correctly [bsc#1241605] * Add libgcrypt-FIPS-sha3-asn.patch Package openssl-3 was updated: - Security fix: [bsc#1240366] * Minerva side channel vulnerability in P-384 on PPC arch * Add openssl-3-p384-minerva-ppc.patch * Add openssl-3-p384-minerva-ppc-p9.patch - Security fix: [bsc#1240607] * Check ssl/ssl3_read_internal null pointer [from commit 38b051a] * Add openssl-check-ssl_read_internal-nullptr.patch - FIPS: Fix EMS in crypto-policies FIPS:NO-ENFORCE-EMS * [bsc#1230959, bsc#1232326, bsc#1231748] * Add patch openssl-FIPS-fix-EMS-support.patch Package libsolv was updated: - build both static and dynamic libraries on new suse distros- support the apk package and repository format (both v2 and v3) - new dataiterator_final_{repo,solvable} functions - bump version to 0.7.32 - Provide a symbol specific for the ruby-version so yast does not break across updates (boo#1235598) Package sqlite3 was updated: - Sync version 3.49.1 from Factory (jsc#SLE-16032): * CVE-2025-29087, bsc#1241020: Fix a bug in the concat_ws() function, introduced in version 3.44.0, that could lead to a memory error if the separator string is very large (hundreds of megabytes). * CVE-2025-29088, bsc#1241078: Enhanced the SQLITE_DBCONFIG_LOOKASIDE interface to make it more robust against misuse. * Obsoletes sqlite3-rtree-i686.patch Package libxml2 was updated: - security update- added patches CVE-2025-32414 [bsc#1241551], out-of-bounds read when parsing text via the Python API + libxml2-CVE-2025-32414.patch CVE-2025-32415 [bsc#1241453], a crafted XML document may lead to a heap-based buffer under-read + libxml2-CVE-2025-32415.patch Package libzypp was updated: - fixed build with boost 1.88.- XmlReader: Fix detection of bad input streams (fixes #635) libxml2 2.14 potentially reads the complete stream, so it may have the 'eof' bit set. Which is not 'good' but also not 'bad'. - rpm: Fix detection of %triggerscript starts (bsc#1222044) - RepoindexFileReader: add more <repo> related attributes a service may set. Add optional attributes gpgcheck, repo_gpgcheck, pkg_gpgcheck, keeppackages, gpgkey, mirrorlist, and metalink with the same semantic as in a .repo file. - version 17.36.7 (35) - Drop workaround for broken rpm-4.18 in Code16 (bsc#1237172) - BuildRequires: %{libsolv_devel_package} >= 0.7.32. Code16 moved static libs to libsolv-devel-static. - Drop usage of SHA1 hash algorithm because it will become unavailable in FIPS mode (bsc#1240529) - Fix zypp.conf dupAllowVendorChange to reflect the correct default (false). The default was true in Code12 (libzypp-16.x) and changed to false with Code15 (libzypp-17.x). Unfortunately this was done by shipping a modified zypp.conf file rather than fixing the code. - zypp.conf: Add `lock_timeout` ($ZYPP_LOCK_TIMEOUT) (bsc#1239809) - version 17.36.6 (35) - Fix computation of RepStatus if Repo URLs change. - Fix lost double slash when appending to an absolute FTP url (bsc#1238315) Ftp actually differs between absolute and relative URL paths. Absolute path names begin with a double slash encoded as '/%2F'. This must be preserved when manipulating the path. - version 17.36.5 (35) - Add a transaction package preloader (fixes openSUSE/zypper#104) This patch adds a preloader that concurrently downloads files during a transaction commit. It's not yet enabled per default. To enable the preview set ZYPP_CURL2=1 and ZYPP_PCK_PRELOAD=1 in the environment. - RpmPkgSigCheck_test: Exchange the test package signingkey (fixes #622) - Exclude MediaCurl tests if DISABLE_MEDIABACKEND_TESTS (fixes #626) - Strip a mediahandler tag from baseUrl querystrings. - version 17.36.4 (35) Package nvme-cli was updated: - Update to version 2.8+88.g21612f53: * sed: perform a tper revert after lsp revert (bsc#1240656) Package pam was updated: - pam_unix/passverify: (get_account_info) [!HELPER_COMPILE]: Always return PAM_UNIX_RUN_HELPER instead of trying to obtain the shadow password file entry. [passverify-always-run-the-helper-to-obtain-shadow_pwd.patch, bsc#1232234, CVE-2024-10041] - Do not reject the user with a hash assuming it's non-empty. [pam_unix-allow-empty-passwords-with-non-empty-hashes.patch] Package samba was updated: - Fix Samba printers reporting invalid sid during print jobs; (bsc#1234210); (bso#15792). Package timezone was updated: - Update to 2025b: * New zone for AysÃ©n Region in Chile (America/Coyhaique) which moves from -04/-03 to -03 - Refresh patches * revert-philippines-historical-data.patch * tzdata-china.diff Package zypper was updated: - Updated translations (bsc#1230267)- version 1.14.89 - Do not double encode URL strings passed on the commandline (bsc#1237587) URLs passed on the commandline must have their special chars encoded already. We just want to check and encode forgotten unsafe chars like a blank. A '%' however must not be encoded again. - version 1.14.88 - Package preloader that concurrently downloads files. It's not yet enabled per default. To enable the preview set ZYPP_CURL2=1 and ZYPP_PCK_PRELOAD=1 in the environment. (#104) - BuildRequires: libzypp-devel >= 17.36.4. - version 1.14.87 - refresh: add --include-all-archs (fixes #598) Future multi-arch repos may allow to download only those metadata which refer to packages actually compatible with the systems architecture. Some tools however want zypp to provide the full metadata of a repository without filtering incompatible architectures. - info,search: add option to search and list Enhances (bsc#1237949) - version 1.14.86 The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). https://publiccloudimagechangeinfo.suse.com/google/sles-15-sp6-chost-byos-v20250514-arm64/ Public Cloud Image Info https://www.suse.com/support/security/rating/ SUSE Security Ratings Public Cloud Image google/sles-15-sp6-chost-byos-v20250514-arm64 apparmor-abstractions-3.1.7-150600.5.9.1 apparmor-parser-3.1.7-150600.5.9.1 cifs-utils-6.15-150400.3.12.1 containerd-1.7.27-150000.123.1 containerd-ctr-1.7.27-150000.123.1 glib2-tools-2.78.6-150600.4.11.1 glibc-2.38-150600.14.29.1 glibc-locale-2.38-150600.14.29.1 glibc-locale-base-2.38-150600.14.29.1 google-guest-oslogin-20240311.00-150000.1.50.1 iproute2-6.4-150600.7.6.1 libapparmor1-3.1.7-150600.5.9.1 libaugeas0-1.14.1-150600.3.3.1 libdevmapper1_03-2.03.22_1.02.196-150600.3.6.1 libfa1-1.14.1-150600.3.3.1 libfreetype6-2.10.4-150000.4.22.1 libgcrypt20-1.10.3-150600.3.6.1 libgio-2_0-0-2.78.6-150600.4.11.1 libglib-2_0-0-2.78.6-150600.4.11.1 libgmodule-2_0-0-2.78.6-150600.4.11.1 libgobject-2_0-0-2.78.6-150600.4.11.1 libopenssl3-3.1.4-150600.5.27.1 libsolv-tools-base-0.7.32-150600.8.10.1 libsqlite3-0-3.49.1-150000.3.27.1 libxml2-2-2.10.3-150500.5.26.1 libzypp-17.36.7-150600.3.53.1 nvme-cli-2.8+88.g21612f53-150600.3.15.1 openssl-3-3.1.4-150600.5.27.1 pam-1.3.0-150000.6.76.1 samba-client-libs-4.19.8+git.422.34307c5a3aa-150600.3.15.1 timezone-2025b-150600.91.6.2 zypper-1.14.89-150600.10.31.1 apparmor-abstractions-3.1.7-150600.5.9.1 as a component of Public Cloud Image google/sles-15-sp6-chost-byos-v20250514-arm64 apparmor-parser-3.1.7-150600.5.9.1 as a component of Public Cloud Image google/sles-15-sp6-chost-byos-v20250514-arm64 cifs-utils-6.15-150400.3.12.1 as a component of Public Cloud Image google/sles-15-sp6-chost-byos-v20250514-arm64 containerd-1.7.27-150000.123.1 as a component of Public Cloud Image google/sles-15-sp6-chost-byos-v20250514-arm64 containerd-ctr-1.7.27-150000.123.1 as a component of Public Cloud Image google/sles-15-sp6-chost-byos-v20250514-arm64 glib2-tools-2.78.6-150600.4.11.1 as a component of Public Cloud Image google/sles-15-sp6-chost-byos-v20250514-arm64 glibc-2.38-150600.14.29.1 as a component of Public Cloud Image google/sles-15-sp6-chost-byos-v20250514-arm64 glibc-locale-2.38-150600.14.29.1 as a component of Public Cloud Image google/sles-15-sp6-chost-byos-v20250514-arm64 glibc-locale-base-2.38-150600.14.29.1 as a component of Public Cloud Image google/sles-15-sp6-chost-byos-v20250514-arm64 google-guest-oslogin-20240311.00-150000.1.50.1 as a component of Public Cloud Image google/sles-15-sp6-chost-byos-v20250514-arm64 iproute2-6.4-150600.7.6.1 as a component of Public Cloud Image google/sles-15-sp6-chost-byos-v20250514-arm64 libapparmor1-3.1.7-150600.5.9.1 as a component of Public Cloud Image google/sles-15-sp6-chost-byos-v20250514-arm64 libaugeas0-1.14.1-150600.3.3.1 as a component of Public Cloud Image google/sles-15-sp6-chost-byos-v20250514-arm64 libdevmapper1_03-2.03.22_1.02.196-150600.3.6.1 as a component of Public Cloud Image google/sles-15-sp6-chost-byos-v20250514-arm64 libfa1-1.14.1-150600.3.3.1 as a component of Public Cloud Image google/sles-15-sp6-chost-byos-v20250514-arm64 libfreetype6-2.10.4-150000.4.22.1 as a component of Public Cloud Image google/sles-15-sp6-chost-byos-v20250514-arm64 libgcrypt20-1.10.3-150600.3.6.1 as a component of Public Cloud Image google/sles-15-sp6-chost-byos-v20250514-arm64 libgio-2_0-0-2.78.6-150600.4.11.1 as a component of Public Cloud Image google/sles-15-sp6-chost-byos-v20250514-arm64 libglib-2_0-0-2.78.6-150600.4.11.1 as a component of Public Cloud Image google/sles-15-sp6-chost-byos-v20250514-arm64 libgmodule-2_0-0-2.78.6-150600.4.11.1 as a component of Public Cloud Image google/sles-15-sp6-chost-byos-v20250514-arm64 libgobject-2_0-0-2.78.6-150600.4.11.1 as a component of Public Cloud Image google/sles-15-sp6-chost-byos-v20250514-arm64 libopenssl3-3.1.4-150600.5.27.1 as a component of Public Cloud Image google/sles-15-sp6-chost-byos-v20250514-arm64 libsolv-tools-base-0.7.32-150600.8.10.1 as a component of Public Cloud Image google/sles-15-sp6-chost-byos-v20250514-arm64 libsqlite3-0-3.49.1-150000.3.27.1 as a component of Public Cloud Image google/sles-15-sp6-chost-byos-v20250514-arm64 libxml2-2-2.10.3-150500.5.26.1 as a component of Public Cloud Image google/sles-15-sp6-chost-byos-v20250514-arm64 libzypp-17.36.7-150600.3.53.1 as a component of Public Cloud Image google/sles-15-sp6-chost-byos-v20250514-arm64 nvme-cli-2.8+88.g21612f53-150600.3.15.1 as a component of Public Cloud Image google/sles-15-sp6-chost-byos-v20250514-arm64 openssl-3-3.1.4-150600.5.27.1 as a component of Public Cloud Image google/sles-15-sp6-chost-byos-v20250514-arm64 pam-1.3.0-150000.6.76.1 as a component of Public Cloud Image google/sles-15-sp6-chost-byos-v20250514-arm64 samba-client-libs-4.19.8+git.422.34307c5a3aa-150600.3.15.1 as a component of Public Cloud Image google/sles-15-sp6-chost-byos-v20250514-arm64 timezone-2025b-150600.91.6.2 as a component of Public Cloud Image google/sles-15-sp6-chost-byos-v20250514-arm64 zypper-1.14.89-150600.10.31.1 as a component of Public Cloud Image google/sles-15-sp6-chost-byos-v20250514-arm64 A vulnerability was found in PAM. The secret information is stored in memory, where the attacker can trigger the victim program to execute by sending characters to its standard input (stdin). As this occurs, the attacker can train the branch predictor to execute an ROP chain speculatively. This flaw could result in leaked passwords, such as those found in /etc/shadow while performing authentications. CVE-2024-10041 Public Cloud Image google/sles-15-sp6-chost-byos-v20250514-arm64:apparmor-abstractions-3.1.7-150600.5.9.1 Public Cloud Image google/sles-15-sp6-chost-byos-v20250514-arm64:apparmor-parser-3.1.7-150600.5.9.1 Public Cloud Image google/sles-15-sp6-chost-byos-v20250514-arm64:pam-1.3.0-150000.6.76.1 moderate containerd is an open-source container runtime. A bug was found in containerd prior to versions 1.6.38, 1.7.27, and 2.0.4 where containers launched with a User set as a `UID:GID` larger than the maximum 32-bit signed integer can cause an overflow condition where the container ultimately runs as root (UID 0). This could cause unexpected behavior for environments that require containers to run as a non-root user. This bug has been fixed in containerd 1.6.38, 1.7.27, and 2.04. As a workaround, ensure that only trusted images are used and that only trusted users have permissions to import images. CVE-2024-40635 Public Cloud Image google/sles-15-sp6-chost-byos-v20250514-arm64:containerd-1.7.27-150000.123.1 Public Cloud Image google/sles-15-sp6-chost-byos-v20250514-arm64:containerd-ctr-1.7.27-150000.123.1 moderate A flaw was found in cifs-utils. When trying to obtain Kerberos credentials, the cifs.upcall program from the cifs-utils package makes an upcall to the wrong namespace in containerized environments. This issue may lead to disclosing sensitive data from the host's Kerberos credentials cache. CVE-2025-2312 Public Cloud Image google/sles-15-sp6-chost-byos-v20250514-arm64:cifs-utils-6.15-150400.3.12.1 moderate A vulnerability has been found in Hercules Augeas 1.14.1 and classified as problematic. This vulnerability affects the function re_case_expand of the file src/fa.c. The manipulation of the argument re leads to null pointer dereference. Attacking locally is a requirement. The exploit has been disclosed to the public and may be used. CVE-2025-2588 Public Cloud Image google/sles-15-sp6-chost-byos-v20250514-arm64:libaugeas0-1.14.1-150600.3.3.1 Public Cloud Image google/sles-15-sp6-chost-byos-v20250514-arm64:libfa1-1.14.1-150600.3.3.1 low In SQLite 3.44.0 through 3.49.0 before 3.49.1, the concat_ws() SQL function can cause memory to be written beyond the end of a malloc-allocated buffer. If the separator argument is attacker-controlled and has a large string (e.g., 2MB or more), an integer overflow occurs in calculating the size of the result buffer, and thus malloc may not allocate enough memory. CVE-2025-29087 Public Cloud Image google/sles-15-sp6-chost-byos-v20250514-arm64:libsqlite3-0-3.49.1-150000.3.27.1 moderate In SQLite 3.49.0 before 3.49.1, certain argument values to sqlite3_db_config (in the C-language API) can cause a denial of service (application crash). An sz*nBig multiplication is not cast to a 64-bit integer, and consequently some memory allocations may be incorrect. CVE-2025-29088 Public Cloud Image google/sles-15-sp6-chost-byos-v20250514-arm64:libsqlite3-0-3.49.1-150000.3.27.1 moderate In libxml2 before 2.13.8 and 2.14.x before 2.14.2, out-of-bounds memory access can occur in the Python API (Python bindings) because of an incorrect return value. This occurs in xmlPythonFileRead and xmlPythonFileReadRaw because of a difference between bytes and characters. CVE-2025-32414 Public Cloud Image google/sles-15-sp6-chost-byos-v20250514-arm64:libxml2-2-2.10.3-150500.5.26.1 moderate In libxml2 before 2.13.8 and 2.14.x before 2.14.2, xmlSchemaIDCFillNodeTables in xmlschemas.c has a heap-based buffer under-read. To exploit this, a crafted XML document must be validated against an XML schema with certain identity constraints, or a crafted XML schema must be used. CVE-2025-32415 Public Cloud Image google/sles-15-sp6-chost-byos-v20250514-arm64:libxml2-2-2.10.3-150500.5.26.1 low A flaw was found in GLib. An integer overflow and buffer under-read occur when parsing a long invalid ISO 8601 timestamp with the g_date_time_new_from_iso8601() function. CVE-2025-3360 Public Cloud Image google/sles-15-sp6-chost-byos-v20250514-arm64:glib2-tools-2.78.6-150600.4.11.1 Public Cloud Image google/sles-15-sp6-chost-byos-v20250514-arm64:libgio-2_0-0-2.78.6-150600.4.11.1 Public Cloud Image google/sles-15-sp6-chost-byos-v20250514-arm64:libglib-2_0-0-2.78.6-150600.4.11.1 Public Cloud Image google/sles-15-sp6-chost-byos-v20250514-arm64:libgmodule-2_0-0-2.78.6-150600.4.11.1 Public Cloud Image google/sles-15-sp6-chost-byos-v20250514-arm64:libgobject-2_0-0-2.78.6-150600.4.11.1 moderate