SUSE-IU-2025:1529-1 SUSE Image security@suse.de SUSE Security Team SUSE Image SUSE-IU-2025:1529-1 Interim 1 1 2026-01-24T16:04:12Z current 2025-06-10T01:00:00Z 2025-06-10T01:00:00Z cve-database/bin/generate-cvrf-publiccloud.pl 2021-02-18T01:00:00Z Image update for SUSE-IU-2025:1529-1 / google/sles-15-sp5-hardened-byos-v20250610-x86-64 This image update for google/sles-15-sp5-hardened-byos-v20250610-x86-64 contains the following changes: Package cloud-netconfig was updated: - Update to version 1.15 + Add support for creating IPv6 default route in GCE (bsc#1240869) + Minor fix when looking up IPv6 default route Package glibc was updated: - static-setuid-ld-library-path.patch: elf: Ignore LD_LIBRARY_PATH and debug env var for setuid for static (CVE-2025-4802, bsc#1243317) - pthread-wakeup.patch: pthreads NPTL: lost wakeup fix 2 (bsc#1234128, BZ [#25847]) Package google-guest-agent was updated: - Update to version 20250506.01 (bsc#1243254, bsc#1243505) * Make sure agent added connections are activated by NM (#534) - from version 20250506.00 * wrap NSS cache refresh in a goroutine (#533) - from version 20250502.01 * Wicked: Only reload interfaces for which configurations are written or changed. (#524) - from version 20250502.00 * Add AuthorizedKeysCompat to windows packaging (#530) * Remove error messages from gce_workload_cert_refresh and metadata script runner (#527) * Update guest-logging-go dependency (#526) * Add 'created-by' metadata, and pass it as option to logging library (#508) * Revert "oslogin: Correctly handle newlines at the end of modified files (#520)" (#523) * Re-enable disabled services if the core plugin was enabled (#522) * Enable guest services on package upgrade (#519) * oslogin: Correctly handle newlines at the end of modified files (#520) * Fix core plugin path (#518) * Fix package build issues (#517) * Fix dependencies ran go mod tidy -v (#515) * Fix debian build path (#514) * Bundle compat metadata script runner binary in package (#513) * Bump golang.org/x/net from 0.27.0 to 0.36.0 (#512) * Update startup/shutdown services to launch compat manager (#503) * Bundle new gce metadata script runner binary in agent package (#502) * Revert "Revert bundling new binaries in the package (#509)" (#511) - from version 20250418.00 * Re-enable disabled services if the core plugin was enabled (#521) - from version 20250414.00 * Add AuthorizedKeysCompat to windows packaging (#530) * Remove error messages from gce_workload_cert_refresh and metadata script runner (#527) * Update guest-logging-go dependency (#526) * Add 'created-by' metadata, and pass it as option to logging library (#508) * Revert "oslogin: Correctly handle newlines at the end of modified files (#520)" (#523) * Re-enable disabled services if the core plugin was enabled (#522) * Enable guest services on package upgrade (#519) * oslogin: Correctly handle newlines at the end of modified files (#520) * Fix core plugin path (#518) * Fix package build issues (#517) * Fix dependencies ran go mod tidy -v (#515) * Fix debian build path (#514) * Bundle compat metadata script runner binary in package (#513) * Bump golang.org/x/net from 0.27.0 to 0.36.0 (#512) * Update startup/shutdown services to launch compat manager (#503) * Bundle new gce metadata script runner binary in agent package (#502) * Revert "Revert bundling new binaries in the package (#509)" (#511) Package iputils was updated: - Security fix [bsc#1242300, CVE-2025-47268] * integer overflow in RTT calculation can lead to undefined behavior * Add iputils-CVE-2025-47268.patch Package kexec-tools was updated: - add support for lockless ringbuffer (bsc#1241249) - kexec-tools-Cleanup-remove-the-read_elf_kcore.patch - kexec-tools-Fix-an-error-definition-about-the-variable-fname.patch - kexec-tools-Cleanup-move-it-back-from-util_lib-elf_info.c.patch - kexec-tools-printk-add-support-for-lockless-ringbuffer.patch Package ncurses was updated: - Modify patch ncurses-5.9-ibm327x.dif * Backport sclp terminfo description entry if for s390 sclp terminal lines * Add a further sclp entry for qemu s390 based systems * Make use of dumb Package python-pyzmq was updated: - Prevent open files leak by closing sockets on timeout (bsc#1241624)- Added: * close-socket-on-timeout.patch Package python3-setuptools was updated: - Add patch CVE-2025-47273.patch to fix A path traversal vulnerability. (bsc#1243313, CVE-2025-47273, gh#pypa/setuptools@250a6d17978f) Package 000release-packages:sle-module-basesystem-release was updated: Package 000release-packages:sle-module-containers-release was updated: Package 000release-packages:sle-module-desktop-applications-release was updated: Package 000release-packages:sle-module-development-tools-release was updated: Package 000release-packages:sle-module-public-cloud-release was updated: Package 000release-packages:sle-module-server-applications-release was updated: The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). https://publiccloudimagechangeinfo.suse.com/google/sles-15-sp5-hardened-byos-v20250610-x86-64/ Public Cloud Image Info https://www.suse.com/support/security/rating/ SUSE Security Ratings Public Cloud Image google/sles-15-sp5-hardened-byos-v20250610-x86-64 cloud-netconfig-gce-1.15-150000.25.26.1 glibc-2.31-150300.95.1 glibc-i18ndata-2.31-150300.95.1 glibc-locale-2.31-150300.95.1 glibc-locale-base-2.31-150300.95.1 google-guest-agent-20250506.01-150000.1.63.1 iputils-20221126-150500.3.11.1 kexec-tools-2.0.20-150500.20.3.1 libncurses6-6.1-150000.5.30.1 ncurses-utils-6.1-150000.5.30.1 nscd-2.31-150300.95.1 python3-pyzmq-17.1.2-150000.3.8.1 python3-setuptools-44.1.1-150400.9.12.1 terminfo-6.1-150000.5.30.1 terminfo-base-6.1-150000.5.30.1 cloud-netconfig-gce-1.15-150000.25.26.1 as a component of Public Cloud Image google/sles-15-sp5-hardened-byos-v20250610-x86-64 glibc-2.31-150300.95.1 as a component of Public Cloud Image google/sles-15-sp5-hardened-byos-v20250610-x86-64 glibc-i18ndata-2.31-150300.95.1 as a component of Public Cloud Image google/sles-15-sp5-hardened-byos-v20250610-x86-64 glibc-locale-2.31-150300.95.1 as a component of Public Cloud Image google/sles-15-sp5-hardened-byos-v20250610-x86-64 glibc-locale-base-2.31-150300.95.1 as a component of Public Cloud Image google/sles-15-sp5-hardened-byos-v20250610-x86-64 google-guest-agent-20250506.01-150000.1.63.1 as a component of Public Cloud Image google/sles-15-sp5-hardened-byos-v20250610-x86-64 iputils-20221126-150500.3.11.1 as a component of Public Cloud Image google/sles-15-sp5-hardened-byos-v20250610-x86-64 kexec-tools-2.0.20-150500.20.3.1 as a component of Public Cloud Image google/sles-15-sp5-hardened-byos-v20250610-x86-64 libncurses6-6.1-150000.5.30.1 as a component of Public Cloud Image google/sles-15-sp5-hardened-byos-v20250610-x86-64 ncurses-utils-6.1-150000.5.30.1 as a component of Public Cloud Image google/sles-15-sp5-hardened-byos-v20250610-x86-64 nscd-2.31-150300.95.1 as a component of Public Cloud Image google/sles-15-sp5-hardened-byos-v20250610-x86-64 python3-pyzmq-17.1.2-150000.3.8.1 as a component of Public Cloud Image google/sles-15-sp5-hardened-byos-v20250610-x86-64 python3-setuptools-44.1.1-150400.9.12.1 as a component of Public Cloud Image google/sles-15-sp5-hardened-byos-v20250610-x86-64 terminfo-6.1-150000.5.30.1 as a component of Public Cloud Image google/sles-15-sp5-hardened-byos-v20250610-x86-64 terminfo-base-6.1-150000.5.30.1 as a component of Public Cloud Image google/sles-15-sp5-hardened-byos-v20250610-x86-64 ping in iputils before 20250602 allows a denial of service (application error or incorrect data collection) via a crafted ICMP Echo Reply packet, because of a signed 64-bit integer overflow in timestamp multiplication. CVE-2025-47268 Public Cloud Image google/sles-15-sp5-hardened-byos-v20250610-x86-64:iputils-20221126-150500.3.11.1 moderate setuptools is a package that allows users to download, build, install, upgrade, and uninstall Python packages. A path traversal vulnerability in `PackageIndex` is present in setuptools prior to version 78.1.1. An attacker would be allowed to write files to arbitrary locations on the filesystem with the permissions of the process running the Python code, which could escalate to remote code execution depending on the context. Version 78.1.1 fixes the issue. CVE-2025-47273 Public Cloud Image google/sles-15-sp5-hardened-byos-v20250610-x86-64:python3-setuptools-44.1.1-150400.9.12.1 important Untrusted LD_LIBRARY_PATH environment variable vulnerability in the GNU C Library version 2.27 to 2.38 allows attacker controlled loading of dynamically shared library in statically compiled setuid binaries that call dlopen (including internal dlopen calls after setlocale or calls to NSS functions such as getaddrinfo). CVE-2025-4802 Public Cloud Image google/sles-15-sp5-hardened-byos-v20250610-x86-64:glibc-2.31-150300.95.1 Public Cloud Image google/sles-15-sp5-hardened-byos-v20250610-x86-64:glibc-i18ndata-2.31-150300.95.1 Public Cloud Image google/sles-15-sp5-hardened-byos-v20250610-x86-64:glibc-locale-2.31-150300.95.1 Public Cloud Image google/sles-15-sp5-hardened-byos-v20250610-x86-64:glibc-locale-base-2.31-150300.95.1 Public Cloud Image google/sles-15-sp5-hardened-byos-v20250610-x86-64:nscd-2.31-150300.95.1 important