SUSE-IU-2025:1509-1 SUSE Image security@suse.de SUSE Security Team SUSE Image SUSE-IU-2025:1509-1 Interim 1 1 2025-12-07T16:01:35Z current 2025-06-09T01:00:00Z 2025-06-09T01:00:00Z cve-database/bin/generate-cvrf-publiccloud.pl 2021-02-18T01:00:00Z Image update for SUSE-IU-2025:1509-1 / google/sles-15-sp6-hardened-byos-v20250609-x86-64 This image update for google/sles-15-sp6-hardened-byos-v20250609-x86-64 contains the following changes: Package cloud-netconfig was updated: - Update to version 1.15 + Add support for creating IPv6 default route in GCE (bsc#1240869) + Minor fix when looking up IPv6 default route Package google-guest-agent was updated: - Update to version 20250506.01 (bsc#1243254, bsc#1243505) * Make sure agent added connections are activated by NM (#534) - from version 20250506.00 * wrap NSS cache refresh in a goroutine (#533) - from version 20250502.01 * Wicked: Only reload interfaces for which configurations are written or changed. (#524) - from version 20250502.00 * Add AuthorizedKeysCompat to windows packaging (#530) * Remove error messages from gce_workload_cert_refresh and metadata script runner (#527) * Update guest-logging-go dependency (#526) * Add 'created-by' metadata, and pass it as option to logging library (#508) * Revert "oslogin: Correctly handle newlines at the end of modified files (#520)" (#523) * Re-enable disabled services if the core plugin was enabled (#522) * Enable guest services on package upgrade (#519) * oslogin: Correctly handle newlines at the end of modified files (#520) * Fix core plugin path (#518) * Fix package build issues (#517) * Fix dependencies ran go mod tidy -v (#515) * Fix debian build path (#514) * Bundle compat metadata script runner binary in package (#513) * Bump golang.org/x/net from 0.27.0 to 0.36.0 (#512) * Update startup/shutdown services to launch compat manager (#503) * Bundle new gce metadata script runner binary in agent package (#502) * Revert "Revert bundling new binaries in the package (#509)" (#511) - from version 20250418.00 * Re-enable disabled services if the core plugin was enabled (#521) - from version 20250414.00 * Add AuthorizedKeysCompat to windows packaging (#530) * Remove error messages from gce_workload_cert_refresh and metadata script runner (#527) * Update guest-logging-go dependency (#526) * Add 'created-by' metadata, and pass it as option to logging library (#508) * Revert "oslogin: Correctly handle newlines at the end of modified files (#520)" (#523) * Re-enable disabled services if the core plugin was enabled (#522) * Enable guest services on package upgrade (#519) * oslogin: Correctly handle newlines at the end of modified files (#520) * Fix core plugin path (#518) * Fix package build issues (#517) * Fix dependencies ran go mod tidy -v (#515) * Fix debian build path (#514) * Bundle compat metadata script runner binary in package (#513) * Bump golang.org/x/net from 0.27.0 to 0.36.0 (#512) * Update startup/shutdown services to launch compat manager (#503) * Bundle new gce metadata script runner binary in agent package (#502) * Revert "Revert bundling new binaries in the package (#509)" (#511) Package iputils was updated: - Security fix [bsc#1242300, CVE-2025-47268] * integer overflow in RTT calculation can lead to undefined behavior * Add iputils-CVE-2025-47268.patch Package krb5 was updated: - Remove references to the LMDB backend in the kdc.conf manpage; (bsc#1242060); Package systemd was updated: - Import commit a4100e9c74b0eafae18a13e9d1d988ebc8376c6a 806c21e22b umount: do not move busy network mounts (bsc#1236177) - Apply coredump sysctl settings on systemd-coredump updates/removals. - Add 1003-journal-again-create-user-journals-for-users-with-hi.patch (bsc#1242938) Don't write messages sent from users with UID falling into the container UID range to the system journal. Daemons in the container don't talk to the outside journald as they talk to the inner one directly, which does its journal splitting based on shifted uids. - Import commit 2f79a45369489b656be509a1517afcae4fe3ee20 ebdfa3e44e man/pstore.conf: pstore.conf template is not always installed in /etc 304ed20aab man: coredump.conf template is not always installed in /etc (bsc#1237496) Package python-pyzmq was updated: - Prevent open files leak by closing sockets on timeout (bsc#1241624)- Added: * close-socket-on-timeout.patch Package python3-setuptools was updated: - Add patch CVE-2025-47273.patch to fix A path traversal vulnerability. (bsc#1243313, CVE-2025-47273, gh#pypa/setuptools@250a6d17978f) The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). https://publiccloudimagechangeinfo.suse.com/google/sles-15-sp6-hardened-byos-v20250609-x86-64/ Public Cloud Image Info https://www.suse.com/support/security/rating/ SUSE Security Ratings Public Cloud Image google/sles-15-sp6-hardened-byos-v20250609-x86-64 cloud-netconfig-gce-1.15-150000.25.26.1 google-guest-agent-20250506.01-150000.1.63.1 iputils-20221126-150500.3.11.1 krb5-1.20.1-150600.11.11.2 krb5-client-1.20.1-150600.11.11.2 libsystemd0-254.24-150600.4.33.1 libudev1-254.24-150600.4.33.1 python3-pyzmq-17.1.2-150000.3.8.1 python3-setuptools-44.1.1-150400.9.12.1 systemd-254.24-150600.4.33.1 systemd-sysvcompat-254.24-150600.4.33.1 udev-254.24-150600.4.33.1 cloud-netconfig-gce-1.15-150000.25.26.1 as a component of Public Cloud Image google/sles-15-sp6-hardened-byos-v20250609-x86-64 google-guest-agent-20250506.01-150000.1.63.1 as a component of Public Cloud Image google/sles-15-sp6-hardened-byos-v20250609-x86-64 iputils-20221126-150500.3.11.1 as a component of Public Cloud Image google/sles-15-sp6-hardened-byos-v20250609-x86-64 krb5-1.20.1-150600.11.11.2 as a component of Public Cloud Image google/sles-15-sp6-hardened-byos-v20250609-x86-64 krb5-client-1.20.1-150600.11.11.2 as a component of Public Cloud Image google/sles-15-sp6-hardened-byos-v20250609-x86-64 libsystemd0-254.24-150600.4.33.1 as a component of Public Cloud Image google/sles-15-sp6-hardened-byos-v20250609-x86-64 libudev1-254.24-150600.4.33.1 as a component of Public Cloud Image google/sles-15-sp6-hardened-byos-v20250609-x86-64 python3-pyzmq-17.1.2-150000.3.8.1 as a component of Public Cloud Image google/sles-15-sp6-hardened-byos-v20250609-x86-64 python3-setuptools-44.1.1-150400.9.12.1 as a component of Public Cloud Image google/sles-15-sp6-hardened-byos-v20250609-x86-64 systemd-254.24-150600.4.33.1 as a component of Public Cloud Image google/sles-15-sp6-hardened-byos-v20250609-x86-64 systemd-sysvcompat-254.24-150600.4.33.1 as a component of Public Cloud Image google/sles-15-sp6-hardened-byos-v20250609-x86-64 udev-254.24-150600.4.33.1 as a component of Public Cloud Image google/sles-15-sp6-hardened-byos-v20250609-x86-64 ping in iputils before 20250602 allows a denial of service (application error or incorrect data collection) via a crafted ICMP Echo Reply packet, because of a signed 64-bit integer overflow in timestamp multiplication. CVE-2025-47268 Public Cloud Image google/sles-15-sp6-hardened-byos-v20250609-x86-64:iputils-20221126-150500.3.11.1 moderate setuptools is a package that allows users to download, build, install, upgrade, and uninstall Python packages. A path traversal vulnerability in `PackageIndex` is present in setuptools prior to version 78.1.1. An attacker would be allowed to write files to arbitrary locations on the filesystem with the permissions of the process running the Python code, which could escalate to remote code execution depending on the context. Version 78.1.1 fixes the issue. CVE-2025-47273 Public Cloud Image google/sles-15-sp6-hardened-byos-v20250609-x86-64:python3-setuptools-44.1.1-150400.9.12.1 important