SUSE-IU-2025:2059-1 SUSE Image security@suse.de SUSE Security Team SUSE Image SUSE-IU-2025:2059-1 Interim 1 1 2026-03-19T08:56:01Z current 2025-07-24T01:00:00Z 2025-07-24T01:00:00Z cve-database/bin/generate-cvrf-publiccloud.pl 2021-02-18T01:00:00Z Image update for SUSE-IU-2025:2059-1 / google/sles-sap-15-sp6-hardened-byos-v20250724-x86-64 This image update for google/sles-sap-15-sp6-hardened-byos-v20250724-x86-64 contains the following changes: Package SAPHanaSR was updated: - Version bump to 0.162.5 * SAPHanaSRTools.pm: fix problem with new pacemaker-node_state attribute content to show the correct node state in SAPHanaSR-monitor. (bsc#1243447, bsc#1243723) * enhance observability of the RAs and update version string * SAPHanaSR-hookHelper - use full path to call crm_node (bsc#1216918) * demo script SAPHanaSR-upgrade-to-angi-demo: fix check for package SAPHanaSR-angi available in the active repositories fix removal of the classic rpms * update man pages: SAPHanaSR_basic_cluster.7 SAPHanaSR.7 SAPHanaSR_upgrade_to_angi.7 SAPHanaSR_maintenance_examples.7 SAPHanaSR-showAttr.8 SAPHanaSR-upgrade-to-angi-demo.8 SAPHanaSR.py.7 susChkSrv.py.7 susCostOpt.py.7 ocf_suse_SAPHana.7 Package alsa-ucm-conf was updated: - Correct / update the previous backported patches - Improved HD-audio Mic LED handling (bsc#1243695): 0002-common-add-led.conf-with-SetLED-macro-to-hide-implem.patch 0003-ucm2-use-new-SetLED-macro-to-hide-the-implementation.patch 0004-ucm2-HDA-HiFi-analog-mic-Refactor-the-analog-mic-dis.patch 0005-ucm2-HDA-remove-HDA-Capture-value.conf-and-put-conte.patch 0006-HDA-move-led.conf-include-to-more-appropriate-place.patch 0007-HDA-mics-prefer-Mic-Jack-instead-Headphone-Jack.patch 0008-HDA-mics-improve-the-Jack-selection.patch 0009-HDA-mics-don-t-create-conflict-link-for-Headphone-Mi.patch 0010-acppdmmach-add-support-for-ACP-7.0.patch Package cifs-utils was updated: - Add patches: * 0001-cifs.upcall-correctly-treat-UPTARGET_UNSPECIFIED-as-.patch (bsc#1243488) * 0001-mount.cifs-retry-mount-on-EINPROGRESS.patch Package coreutils was updated: - coreutils-9.7-sort-CVE-2025-5278.patch: Add upstream patch: sort with key character offsets of SIZE_MAX, could induce a read of 1 byte before an allocated heap buffer. (CVE-2025-5278, bsc#1243767) Package crmsh was updated: - Update to version 4.6.2+20250630.2405120: * Fix: bootstrap: should fallback to default user when `core.hosts` is not availabe from the seed node (bsc#1245343) * Fix: log: Improve function confirm's logic (bsc#1245386) * Dev: bootstrap: Remove dead node from the cluster * Dev: Prevent actions when offline nodes are unreachable * Dev: xmlutil: Address circular import issue * Dev: bootstrap: Remove user@host item from /root/.config/crm/crm.conf when removing node * Dev: provide a friendly message when passwordless ssh does not work (bsc#1244525) * Dev: cibconfig: Prevent adding Pacemaker remote resources to groups, orders, or colocations * Fix: report.collect: Detect log existence before using it (bsc#1244515) Package samba was updated: - Windows security hardening locks out schannel'ed netlogon dc calls like netr_DsRGetDCName; (bsc#1246431); (bso#15876). Package cyrus-sasl was updated: - Add Channel Binding support for GSSAPI/GSS-SPNEGO; (bsc#1229655); (jsc#PED-12097); Add patch 0009-Add-Channel-Binding-support-for-GSSAPI-GSS-SPNEGO.patch - Add support for setting max ssf 0 to GSS-SPNEGO; (bsc#1229655); (jsc#PED-12097); Add patch 0010-Add-support-for-setting-max-ssf-0-to-GSS-SPNEGO.patch Package docker was updated: [ This update is a no-op, only needed to work around unfortunate automated packaging script behaviour on SLES. ] - The following patches were removed in openSUSE in the Docker 28.1.1-ce update, but the patch names were later renamed in a SLES-only update before Docker 28.1.1-ce was submitted to SLES. This causes the SLES build scripts to refuse the update because the patches are not referenced in the changelog. There is no obvious place to put the patch removals (the 28.1.1-ce update removing the patches chronologically predates their renaming in SLES), so they are included here a dummy changelog entry to work around the issue. - 0007-CVE-2025-22868-vendor-jws-split-token-into-fixed-num.patch - 0008-CVE-2025-22869-vendor-ssh-limit-the-size-of-the-inte.patch - Update to docker-buildx v0.25.0. Upstream changelog: &lt;https://github.com/docker/buildx/releases/tag/v0.25.0&gt; - Do not try to inject SUSEConnect secrets when in Rootless Docker mode, as Docker does not have permission to access the host zypper credentials in this mode (and unprivileged users cannot disable the feature using /etc/docker/suse-secrets-enable.) bsc#1240150 * 0003-SECRETS-SUSE-implement-SUSE-container-secrets.patch - Rebase patches: * 0001-SECRETS-SUSE-always-clear-our-internal-secrets.patch * 0002-SECRETS-daemon-allow-directory-creation-in-run-secre.patch * 0004-BUILD-SLE12-revert-graphdriver-btrfs-use-kernel-UAPI.patch * 0005-bsc1073877-apparmor-clobber-docker-default-profile-o.patch * 0006-SLE12-revert-apparmor-remove-version-conditionals-fr.patch - Always clear SUSEConnect suse_* secrets when starting containers regardless of whether the daemon was built with SUSEConnect support. Not doing this causes containers from SUSEConnect-enabled daemons to fail to start when running with SUSEConnect-disabled (i.e. upstream) daemons. This was a long-standing issue with our secrets support but until recently this would've required migrating from SLE packages to openSUSE packages (which wasn't supported). However, as SLE Micro 6.x and SLES 16 will move away from in-built SUSEConnect support, this is now a practical issue users will run into. bsc#1244035 + 0001-SECRETS-SUSE-always-clear-our-internal-secrets.patch - Rearrange patches: - 0001-SECRETS-daemon-allow-directory-creation-in-run-secre.patch + 0002-SECRETS-daemon-allow-directory-creation-in-run-secre.patch - 0002-SECRETS-SUSE-implement-SUSE-container-secrets.patch + 0003-SECRETS-SUSE-implement-SUSE-container-secrets.patch - 0003-BUILD-SLE12-revert-graphdriver-btrfs-use-kernel-UAPI.patch + 0004-BUILD-SLE12-revert-graphdriver-btrfs-use-kernel-UAPI.patch - 0004-bsc1073877-apparmor-clobber-docker-default-profile-o.patch + 0005-bsc1073877-apparmor-clobber-docker-default-profile-o.patch - 0005-SLE12-revert-apparmor-remove-version-conditionals-fr.patch + 0006-SLE12-revert-apparmor-remove-version-conditionals-fr.patch [NOTE: This update was only ever released in SLES and Leap.] - Always clear SUSEConnect suse_* secrets when starting containers regardless of whether the daemon was built with SUSEConnect support. Not doing this causes containers from SUSEConnect-enabled daemons to fail to start when running with SUSEConnect-disabled (i.e. upstream) daemons. This was a long-standing issue with our secrets support but until recently this would've required migrating from SLE packages to openSUSE packages (which wasn't supported). However, as SLE Micro 6.x and SLES 16 will move away from in-built SUSEConnect support, this is now a practical issue users will run into. bsc#1244035 + 0001-SECRETS-SUSE-always-clear-our-internal-secrets.patch - Rearrange patches: - 0001-SECRETS-daemon-allow-directory-creation-in-run-secre.patch + 0002-SECRETS-daemon-allow-directory-creation-in-run-secre.patch - 0002-SECRETS-SUSE-implement-SUSE-container-secrets.patch + 0003-SECRETS-SUSE-implement-SUSE-container-secrets.patch - 0003-BUILD-SLE12-revert-graphdriver-btrfs-use-kernel-UAPI.patch + 0004-BUILD-SLE12-revert-graphdriver-btrfs-use-kernel-UAPI.patch - 0004-bsc1073877-apparmor-clobber-docker-default-profile-o.patch + 0005-bsc1073877-apparmor-clobber-docker-default-profile-o.patch - 0005-SLE12-revert-apparmor-remove-version-conditionals-fr.patch + 0006-SLE12-revert-apparmor-remove-version-conditionals-fr.patch - 0006-CVE-2025-22868-vendor-jws-split-token-into-fixed-num.patch + 0007-CVE-2025-22868-vendor-jws-split-token-into-fixed-num.patch - 0007-CVE-2025-22869-vendor-ssh-limit-the-size-of-the-inte.patch + 0008-CVE-2025-22869-vendor-ssh-limit-the-size-of-the-inte.patch - Update to Docker 28.2.2-ce. See upstream changelog online at &lt;https://github.com/moby/moby/releases/tag/v28.2.2&gt; - Rebase patches: * 0001-SECRETS-daemon-allow-directory-creation-in-run-secre.patch * 0002-SECRETS-SUSE-implement-SUSE-container-secrets.patch * 0003-BUILD-SLE12-revert-graphdriver-btrfs-use-kernel-UAPI.patch * 0004-bsc1073877-apparmor-clobber-docker-default-profile-o.patch * 0005-SLE12-revert-apparmor-remove-version-conditionals-fr.patch - Update to Docker 28.2.1-ce. See upstream changelog online at &lt;https://docs.docker.com/engine/release-notes/28/#2820&gt; bsc#1243833 &lt;https://github.com/moby/moby/releases/tag/v28.2.1&gt; - Rebase patches: * 0001-SECRETS-daemon-allow-directory-creation-in-run-secre.patch * 0002-SECRETS-SUSE-implement-SUSE-container-secrets.patch * 0003-BUILD-SLE12-revert-graphdriver-btrfs-use-kernel-UAPI.patch * 0004-bsc1073877-apparmor-clobber-docker-default-profile-o.patch * 0005-SLE12-revert-apparmor-remove-version-conditionals-fr.patch - Update to docker-buildx v0.24.0. Upstream changelog: &lt;https://github.com/docker/buildx/releases/tag/v0.24.0&gt; - Update to Docker 28.1.1-ce. See upstream changelog online at &lt;https://docs.docker.com/engine/release-notes/28/#2811&gt; bsc#1242114 Includes upstream fixes: - CVE-2025-22872 bsc#1241830 - Remove long-outdated build handling for deprecated and unsupported devicemapper and AUFS storage drivers. AUFS was removed in v24, and devicemapper was removed in v25. &lt;https://docs.docker.com/engine/deprecated/#aufs-storage-driver&gt; - Rebase patches: * 0001-SECRETS-daemon-allow-directory-creation-in-run-secre.patch * 0002-SECRETS-SUSE-implement-SUSE-container-secrets.patch * 0003-BUILD-SLE12-revert-graphdriver-btrfs-use-kernel-UAPI.patch * 0004-bsc1073877-apparmor-clobber-docker-default-profile-o.patch * 0005-SLE12-revert-apparmor-remove-version-conditionals-fr.patch - Remove upstreamed patches: - 0006-CVE-2025-22868-vendor-jws-split-token-into-fixed-num.patch - 0007-CVE-2025-22869-vendor-ssh-limit-the-size-of-the-inte.patch - cli-0001-docs-include-required-tools-in-source-tree.patch - Update to docker-buildx v0.23.0. Upstream changelog: &lt;https://github.com/docker/buildx/releases/tag/v0.23.0&gt; - Update to docker-buildx v0.22.0. Upstream changelog: &lt;https://github.com/docker/buildx/releases/tag/v0.22.0&gt; * Includes fixes for CVE-2025-0495. bsc#1239765 - Disable transparent SUSEConnect support for SLE-16. PED-12534 When this patchset was first added in 2013 (and rewritten over the years), there was no upstream way to easily provide SLE customers with a way to build container images based on SLE using the host subscription. However, with docker-buildx you can now define secrets for builds (this is not entirely transparent, but we can easily document this new requirement for SLE-16). Users should use RUN --mount=type=secret,id=SCCcredentials zypper -n ... in their Dockerfiles, and docker buildx build --secret id=SCCcredentials,src=/etc/zypp/credentials.d/SCCcredentials,type=file . when doing their builds. - Now that the only blocker for docker-buildx support was removed for SLE-16, enable docker-buildx for SLE-16 as well. PED-8905 Package firewalld was updated: Package glib2 was updated: - Add glib2-CVE-2025-6052.patch: fix overflow check when expanding a GString (bsc#1244596 CVE-2025-6052). - Add glib2-CVE-2025-4373.patch: carefully handle gssize parameters (bsc#1242844 CVE-2025-4373 glgo#GNOME/glib#3677). Package google-cloud-sap-agent was updated: - Update to version 3.8 (bsc#1244324, bsc#1244295) * Remove parsing of Pacemaker attribute is_ccm * Update spec file to remove GCBDR packages * Internal cleanup * Send agent status to WLM DW with WriteInsight() * Adds upcoming maintenance events chart and table to the maintenance system events dashboard * Fix Backint log_to_cloud configuration parameter * Update list of process metrics and hanamonitoring * Added Usage metrics to support bundle tool. * Enhance Support bundle collection * Updates to the maintenance dashboard with instructions on setup in the README.md * Update metric override file with new metrics marked for v3.8. * Dashboard updates * Add unit tests for gcealpha.go * Add unit tests for restore.go, remove unreachable code * Add unit tests for versionhandler * Outputting the agent status as a JSON string so it can be queried and parsed Log Analytics * Add usagemetrics for remaining OTEs * Increase coverage to &gt; 90% in processmetrics/networkstats test * Increase coverage to &gt; 90% in processmetrics/hanavolume test * Add unit tests for hanabackup * Added Test Case for GCE Service Creation Failure in Remote Validation Onetime Execution. * Internal change * Update below parameters in google-x4.conf file * Add Hana Monitoring metrics: * Add Hana log disk utilisation metric (in Kb) * Add Linux os metrics as part of process metrics * Make the bare metal metric resource type non-generic * Update TODO * Check the status of the WLM Data Warehouse API before starting metric collection. * Fix data race in status test * Make the bare metal metric resource type non-generic * Add WLM metric collection for SELinux config settings. * Adding the kernel version to the SAP System discovery data. * Collect SAP events in support bundle. * Adding support to collect hana monitoring metrics. * Auto updated compiled protocol buffers * Add Pacemaker WLM metrics: ASCS_IP, ERS_IP, ASCS_VIRTUAL_IP, ERS_VIRTUAL_IP * Add WLM metric collection for kernel version. * Fix github build failures. * Update Go version in build to 1.24.2. * Collect Status in daemon mode * Status OTE agent changes to use artifact registry list version * Add support for /var/log/messages collection including rolled over messages * Added timezone handling logic for querying process metrics * Add WLM metric: CLUSTER_HEALTHY for pacemaker * Collection definition test improvements. * Added support to collect pacemaker log files * Default Pacemaker PCMK fields to empty string. * Use correct destination folder in collectProcessMetrics * Ignore timestamps in test * Update process metrics query to use timestamp, before and after duration. * Add functionality to collect process metrics * Update SAP guest actions to utilize shared library * Update SAP Agent logusage command help message * Changes to the github action if commit/push of generated protos fails * Fix a couple of comments. * Adding support for collecting SapDiscovery logs from cloud logging. * Cleanup agentmetrics_test.go * Proto change - Adjust upstream source paths in spec file - Bump Go ABI version to 1.24 in BuildRequires - Add -buildmode=pie to go build command line (bsc#1239946) Package google-guest-configs was updated: - Check that %{_sysconfdir}/sysconfig/network/ifcfg-eth0 actually exists before making any modifications to it (bsc#1241112) Package google-guest-oslogin was updated: Package google-osconfig-agent was updated: - Update to version 20250416.02 (bsc#1244304, bsc#1244503) * defaultSleeper: tolerate 10% difference to reduce test flakiness (#810) * Add output of some packagemanagers to the testdata (#808) - from version 20250416.01 * Refactor OS Info package (#809) - from version 20250416.00 * Report RPM inventory as YUM instead of empty SoftwarePackage when neither Zypper nor YUM are installed. (#805) - from version 20250414.00 * Update hash computation algorithm (#799) - Update to version 20250320.00 * Bump github.com/envoyproxy/protoc-gen-validate from 1.1.0 to 1.2.1 (#797) - from version 20250318.00 * Bump go.opentelemetry.io/otel/sdk/metric from 1.32.0 to 1.35.0 (#793) - from version 20250317.02 * Bump cel.dev/expr from 0.18.0 to 0.22.0 (#792) * Bump github.com/golang/glog from 1.2.3 to 1.2.4 in the go_modules group (#785) - from version 20250317.01 * Bump cloud.google.com/go/logging from 1.12.0 to 1.13.0 (#774) - from version 20250317.00 * Add tests for retryutil package. (#795) - from version 20250306.00 * Update OWNERS (#794) - from version 20250206.01 * Use separate counters for pre- and post-patch reboots. (#788) - from version 20250206.00 * Update owners (#789) - from version 20250203.00 * Fix the vet errors for contants in logging (#786) - from version 20250122.00 * change available package check (#783) - from version 20250121.00 * Fix Inventory reporting e2e tests. (#782) - from version 20250120.00 * fix e2e tests (#781) - Add -buildmode=pie to go build command line (bsc#1239948) - Drop CVE-2024-45339.patch, merged upstream - Renumber patches Package gpg2 was updated: - Security fix: [bsc#1236931, bsc#1239119, CVE-2025-30258] * gpg: Fix regression for the recent malicious subkey DoS fix. * gpg: Fix another regression due to the T7547 fix. * gpg: Allow the use of an ADSK subkey as ADSK subkey. * Add patches: - gnupg-gpg-Fix-regression-for-the-recent-malicious-subkey-D.patch - gnupg-gpg-Fix-another-regression-due-to-the-T7547-fix.patch - gnupg-gpg-Allow-the-use-of-an-ADSK-subkey-as-ADSK-subkey.patch - Don't install expired sks certificate [bsc#1243069] * Add patch gnupg-dirmngr-Don-t-install-expired-sks-certificate.patch - Fix a verification DoS due to a malicious subkey in the keyring: [bsc#1239119] * Add patch gnupg-gpg-Fix-a-verification-DoS-due-to-a-malicious-subkey-in-the-keyring.patch Package iputils was updated: - Security fix [bsc#1243772, CVE-2025-48964] * Fix integer overflow in ping statistics via zero timestamp * Add iputils-CVE-2025-48964_01.patch * Add iputils-CVE-2025-48964_02.patch * Add iputils-CVE-2025-48964_03.patch * Add iputils-CVE-2025-48964_04.patch * Add iputils-CVE-2025-48964_regression.patch Package jq was updated: Package libbpf was updated: - Workaround kernel module size increase due to BTF deduplication issue since the introduction of TYPEOF_UNQUAL (poo#183503 bsc#1244135) * add 0001-libbpf-Add-identical-pointer-detection-to-btf_dedup_.patch Package mozilla-nss was updated: - update to NSS 3.112 * bmo#1963792 - Fix alias for mac workers on try * bmo#1966786 - ensure all options can be configured with SSL_OptionSet and SSL_OptionSetDefault * bmo#1931930 - ABI/API break in ssl certificate processing * bmo#1955971 - remove unnecessary assertion in sec_asn1d_init_state_based_on_template * bmo#1965754 - update taskgraph to v14.2.1 * bmo#1964358 - Workflow for automation of the release on GitHub when pushing a tag * bmo#1952860 - fix faulty assertions in SEC_ASN1DecoderUpdate * bmo#1934877 - Renegotiations should use a fresh ECH GREASE buffer * bmo#1951396 - update taskgraph to v14.1.1 * bmo#1962503 - Partial fix for ACVP build CI job * bmo#1961827 - Initialize find in sftk_searchDatabase * bmo#1963121 - Add clang-18 to extra builds * bmo#1963044 - Fault tolerant git fetch for fuzzing * bmo#1962556 - Tolerate intermittent failures in ssl_policy_pkix_ocsp * bmo#1962770 - fix compiler warnings when DEBUG_ASN1D_STATES or CMSDEBUG are set * bmo#1961835 - fix content type tag check in NSS_CMSMessage_ContainsCertsOrCrls * bmo#1963102 - Remove Cryptofuzz CI version check - update to NSS 3.111 * bmo#1930806 - FIPS changes need to be upstreamed: force ems policy * bmo#1957685 - Turn off Websites Trust Bit from CAs * bmo#1937338 - Update nssckbi version following April 2025 Batch of Changes * bmo#1943135 - Disable SMIME ‘trust bit’ for GoDaddy CAs * bmo#1874383 - Replaced deprecated sprintf function with snprintf in dbtool.c * bmo#1954612 - Need up update NSS for PKCS 3.1 * bmo#1773374 - avoid leaking localCert if it is already set in ssl3_FillInCachedSID * bmo#1953097 - Decrease ASAN quarantine size for Cryptofuzz in CI * bmo#1943962 - selfserv: Add support for zlib certificate compression - update to NSS 3.110 * bmo#1930806 - FIPS changes need to be upstreamed: force ems policy * bmo#1954724 - Prevent excess allocations in sslBuffer_Grow * bmo#1953429 - Remove Crl templates from ASN1 fuzz target * bmo#1953429 - Remove CERT_CrlTemplate from ASN1 fuzz target * bmo#1952855 - Fix memory leak in NSS_CMSMessage_IsSigned * bmo#1930807 - NSS policy updates * bmo#1951161 - Improve locking in nssPKIObject_GetInstances * bmo#1951394 - Fix race in sdb_GetMetaData * bmo#1951800 - Fix member access within null pointer * bmo#1950077 - Increase smime fuzzer memory limit * bmo#1949677 - Enable resumption when using custom extensions * bmo#1952568 - change CN of server12 test certificate * bmo#1949118 - Part 2: Add missing check in NSS_CMSDigestContext_FinishSingle * bmo#1949118 - Part 1: Fix smime UBSan errors * bmo#1930806 - FIPS changes need to be upstreamed: updated key checks * bmo#1951491 - Don't build libpkix in static builds * bmo#1951395 - handle `-p all` in try syntax * bmo#1951346 - fix opt-make builds to actually be opt * bmo#1951346 - fix opt-static builds to actually be opt * bmo#1916439 - Remove extraneous assert - Removed upstreamed nss-fips-stricter-dh.patch - Added bmo1962556.patch to fix test failures - Rebased nss-fips-approved-crypto-non-ec.patch nss-fips-combined-hash-sign-dsa-ecdsa.patch - update to NSS 3.109 * bmo#1939512 - Call BL_Init before RNG_RNGInit() so that special SHA instructions can be used if available * bmo#1930807 - NSS policy updates - fix inaccurate key policy issues * bmo#1945883 - SMIME fuzz target * bmo#1914256 - ASN1 decoder fuzz target * bmo#1936001 - Part 2: Revert “Extract testcases from ssl gtests for fuzzing” * bmo#1915155 - Add fuzz/README.md * bmo#1936001 - Part 4: Fix tstclnt arguments script * bmo#1944545 - Extend pkcs7 fuzz target * bmo#1912320 - Extend certDN fuzz target * bmo#1944300 - revert changes to HACL* files from bug 1866841 * bmo#1936001 - Part 3: Package frida corpus script - update to NSS 3.108 * bmo#1923285 - libclang-16 -&gt; libclang-19 * bmo#1939086 - Turn off Secure Email Trust Bit for Security Communication ECC RootCA1 * bmo#1937332 - Turn off Secure Email Trust Bit for BJCA Global Root CA1 and BJCA Global Root CA2 * bmo#1915902 - Remove SwissSign Silver CA – G2 * bmo#1938245 - Add D-Trust 2023 TLS Roots to NSS * bmo#1942301 - fix fips test failure on windows * bmo#1935925 - change default sensitivity of KEM keys * bmo#1936001 - Part 1: Introduce frida hooks and script * bmo#1942350 - add missing arm_neon.h include to gcm.c * bmo#1831552 - ci: update windows workers to win2022 * bmo#1831552 - strip trailing carriage returns in tools tests * bmo#1880256 - work around unix/windows path translation issues in cert test script * bmo#1831552 - ci: let the windows setup script work without $m * bmo#1880255 - detect msys * bmo#1936680 - add a specialized CTR_Update variant for AES-GCM * bmo#1930807 - NSS policy updates * bmo#1930806 - FIPS changes need to be upstreamed: FIPS 140-3 RNG * bmo#1930806 - FIPS changes need to be upstreamed: Add SafeZero * bmo#1930806 - FIPS changes need to be upstreamed - updated POST * bmo#1933031 - Segmentation fault in SECITEM_Hash during pkcs12 processing * bmo#1929922 - Extending NSS with LoadModuleFromFunction functionality * bmo#1935984 - Ensure zero-initialization of collectArgs.cert * bmo#1934526 - pkcs7 fuzz target use CERT_DestroyCertificate * bmo#1915898 - Fix actual underlying ODR violations issue * bmo#1184059 - mozilla::pkix: allow reference ID labels to begin and/or end with hyphens * bmo#1927953 - don't look for secmod.db in nssutil_ReadSecmodDB if NSS_DISABLE_DBM is set * bmo#1934526 - Fix memory leak in pkcs7 fuzz target * bmo#1934529 - Set -O2 for ASan builds in CI * bmo#1934543 - Change branch of tlsfuzzer dependency * bmo#1915898 - Run tests in CI for ASan builds with detect_odr_violation=1 * bmo#1934241 - Fix coverage failure in CI * bmo#1934213 - Add fuzzing for delegated credentials, DTLS short header and Tls13BackendEch * bmo#1927142 - Add fuzzing for SSL_EnableTls13GreaseEch and SSL_SetDtls13VersionWorkaround * bmo#1913677 - Part 3: Restructure fuzz/ * bmo#1931925 - Extract testcases from ssl gtests for fuzzing * bmo#1923037 - Force Cryptofuzz to use NSS in CI * bmo#1923037 - Fix Cryptofuzz on 32 bit in CI * bmo#1933154 - Update Cryptofuzz repository link * bmo#1926256 - fix build error from 9505f79d * bmo#1926256 - simplify error handling in get_token_objects_for_cache * bmo#1931973 - nss doc: fix a warning * bmo#1930797 - pkcs12 fixes from RHEL need to be picked up - remove obsolete patches * nss-fips-safe-memset.patch * nss-bmo1930797.patch - update to NSS 3.107 * bmo#1923038 - Remove MPI fuzz targets. * bmo#1925512 - Remove globals `lockStatus` and `locksEverDisabled`. * bmo#1919015 - Enable PKCS8 fuzz target. * bmo#1923037 - Integrate Cryptofuzz in CI. * bmo#1913677 - Part 2: Set tls server target socket options in config class * bmo#1913677 - Part 1: Set tls client target socket options in config class * bmo#1913680 - Support building with thread sanitizer. * bmo#1922392 - set nssckbi version number to 2.72. * bmo#1919913 - remove Websites Trust Bit from Entrust Root Certification Authority - G4. * bmo#1920641 - remove Security Communication RootCA3 root cert. * bmo#1918559 - remove SecureSign RootCA11 root cert. * bmo#1922387 - Add distrust-after for TLS to Entrust Roots. * bmo#1927096 - update expected error code in pk12util pbmac1 tests. * bmo#1929041 - Use random tstclnt args with handshake collection script * bmo#1920466 - Remove extraneous assert in ssl3gthr.c. * bmo#1928402 - Adding missing release notes for NSS_3_105. * bmo#1874451 - Enable the disabled mlkem tests for dtls. * bmo#1874451 - NSS gtests filter cleans up the constucted buffer before the use. * bmo#1925505 - Make ssl_SetDefaultsFromEnvironment thread-safe. * bmo#1925503 - Remove short circuit test from ssl_Init. - fix build on loongarch64 (setting it as 64bit arch) - Remove upstreamed bmo-1400603.patch - Added nss-bmo1930797.patch to fix failing tests in testsuite - update to NSS 3.106 * bmo#1925975 - NSS 3.106 should be distributed with NSPR 4.36. * bmo#1923767 - pk12util: improve error handling in p12U_ReadPKCS12File. * bmo#1899402 - Correctly destroy bulkkey in error scenario. * bmo#1919997 - PKCS7 fuzz target, r=djackson,nss-reviewers. * bmo#1923002 - Extract certificates with handshake collection script. * bmo#1923006 - Specify len_control for fuzz targets. * bmo#1923280 - Fix memory leak in dumpCertificatePEM. * bmo#1102981 - Fix UBSan errors for SECU_PrintCertificate and SECU_PrintCertificateBasicInfo. * bmo#1921528 - add new error codes to mozilla::pkix for Firefox to use. * bmo#1921768 - allow null phKey in NSC_DeriveKey. * bmo#1921801 - Only create seed corpus zip from existing corpus. * bmo#1826035 - Use explicit allowlist for for KDF PRFS. * bmo#1920138 - Increase optimization level for fuzz builds. * bmo#1920470 - Remove incorrect assert. * bmo#1914870 - Use libFuzzer options from fuzz/options/\*.options in CI. * bmo#1920945 - Polish corpus collection for automation. * bmo#1917572 - Detect new and unfuzzed SSL options. * bmo#1804646 - PKCS12 fuzzing target. - requires NSPR 4.36 - update to NSS 3.105 * bmo#1915792 - Allow importing PKCS#8 private EC keys missing public key * bmo#1909768 - UBSAN fix: applying zero offset to null pointer in sslsnce.c * bmo#1919577 - set KRML_MUSTINLINE=inline in makefile builds * bmo#1918965 - Don't set CKA_SIGN for CKK_EC_MONTGOMERY private keys * bmo#1918767 - override default definition of KRML_MUSTINLINE * bmo#1916525 - libssl support for mlkem768x25519 * bmo#1916524 - support for ML-KEM-768 in softoken and pk11wrap * bmo#1866841 - Add Libcrux implementation of ML-KEM 768 to FreeBL * bmo#1911912 - Avoid misuse of ctype(3) functions * bmo#1917311 - part 2: run clang-format * bmo#1917311 - part 1: upgrade to clang-format 13 * bmo#1916953 - clang-format fuzz * bmo#1910370 - DTLS client message buffer may not empty be on retransmit * bmo#1916413 - Optionally print config for TLS client and server fuzz target * bmo#1916059 - Fix some simple documentation issues in NSS. * bmo#1915439 - improve performance of NSC_FindObjectsInit when template has CKA_TOKEN attr * bmo#1912828 - define CKM_NSS_ECDHE_NO_PAIRWISE_CHECK_KEY_PAIR_GEN - Fix build error under Leap by rebasing nss-fips-safe-memset.patch. - update to NSS 3.104 * bmo#1910071 - Copy original corpus to heap-allocated buffer * bmo#1910079 - Fix min ssl version for DTLS client fuzzer * bmo#1908990 - Remove OS2 support just like we did on NSPR * bmo#1910605 - clang-format NSS improvements * bmo#1902078 - Adding basicutil.h to use HexString2SECItem function * bmo#1908990 - removing dirent.c from build * bmo#1902078 - Allow handing in keymaterial to shlibsign to make the output reproducible * bmo#1908990 - remove nec4.3, sunos4, riscos and SNI references * bmo#1908990 - remove other old OS (BSDI, old HP UX, NCR, openunix, sco, unixware or reliantUnix * bmo#1908990 - remove mentions of WIN95 * bmo#1908990 - remove mentions of WIN16 * bmo#1913750 - More explicit directory naming * bmo#1913755 - Add more options to TLS server fuzz target * bmo#1913675 - Add more options to TLS client fuzz target * bmo#1835240 - Use OSS-Fuzz corpus in NSS CI * bmo#1908012 - set nssckbi version number to 2.70. * bmo#1914499 - Remove Email Trust bit from ACCVRAIZ1 root cert. * bmo#1908009 - Remove Email Trust bit from certSIGN ROOT CA. * bmo#1908006 - Add Cybertrust Japan Roots to NSS. * bmo#1908004 - Add Taiwan CA Roots to NSS. * bmo#1911354 - remove search by decoded serial in nssToken_FindCertificateByIssuerAndSerialNumber * bmo#1913132 - Fix tstclnt CI build failure * bmo#1913047 - vfyserv: ensure peer cert chain is in db for CERT_VerifyCertificateNow * bmo#1912427 - Enable all supported protocol versions for UDP * bmo#1910361 - Actually use random PSK hash type * bmo#1911576 - Initialize NSS DB once * bmo#1910361 - Additional ECH cipher suites and PSK hash types * bmo#1903604 - Automate corpus file generation for TLS client Fuzzer * bmo#1910364 - Fix crash with UNSAFE_FUZZER_MODE * bmo#1910605 - clang-format shlibsign.c - remove obsolete nss-reproducible-builds.patch - update to NSS 3.103 * bmo#1908623 - move list size check after lock acquisition in sftk_PutObjectToList. * bmo#1899542 - Add fuzzing support for SSL_ENABLE_POST_HANDSHAKE_AUTH, * bmo#1909638 - Follow-up to fix test for presence of file nspr.patch. * bmo#1903783 - Adjust libFuzzer size limits * bmo#1899542 - Add fuzzing support for SSL_SetCertificateCompressionAlgorithm, SSL_SetClientEchConfigs, SSL_VersionRangeSet and SSL_AddExternalPsk * bmo#1899542 - Add fuzzing support for SSL_ENABLE_GREASE and SSL_ENABLE_CH_EXTENSION_PERMUTATION - Add nss-reproducible-builds.patch to make the rpms reproducible, by using a hardcoded, static key to generate the checksums (*.chk-files) - Updated nss-fips-approved-crypto-non-ec.patch to enforce approved curves with the CKK_EC_MONTGOMERY key type (bsc#1224113). - update to NSS 3.102.1 * bmo#1905691 - ChaChaXor to return after the function - update to NSS 3.102 * bmo#1880351 - Add Valgrind annotations to freebl Chacha20-Poly1305. * bmo#1901932 - missing sqlite header. * bmo#1901080 - GLOBALTRUST 2020: Set Distrust After for TLS and S/MIME. * bmo#1615298 - improve certutil keyUsage, extKeyUsage, and nsCertType keyword handling. * bmo#1660676 - correct length of raw SPKI data before printing in pp utility. - Add nss-reproducible-chksums.patch to make NSS-build reproducible Use key from openssl (bsc#1081723) - Updated nss-fips-approved-crypto-non-ec.patch to exclude the SHA-1 hash from SLI approval. Package libgcrypt was updated: - Security fix [bsc#1221107, CVE-2024-2236] * Add --enable-marvin-workaround to spec to enable workaround * Fix timing based side-channel in RSA implementation ( Marvin attack ) * Add libgcrypt-CVE-2024-2236_01.patch * Add libgcrypt-CVE-2024-2236_02.patch Package icu was updated: - Add icu-CVE-2025-5222.patch: Backport 2c667e3 from upstream, ICU-22973 Fix buffer overflow by using CharString. (CVE-2025-5222, bsc#1243721) Package nfs-utils was updated: - gssd: add support for an &quot;allowed-enctypes&quot; option in nfs.conf (bsc#1240899) - add 0008-gssd-add-support-for-an-allowed-enctypes-option-in-n.patch Package openssl-3 was updated: - Backport mdless cms signing support [jsc#PED-12895] * Add openssl-3-support-mdless-cms.patch Package libssh was updated: - Fix CVE-2025-5318: Likely read beyond bounds in sftp server handle management (bsc#1245311) * Add patch libssh-CVE-2025-5318.patch - Fix CVE-2025-4877: Write beyond bounds in binary to base64 conversion functions (bsc#1245309) * Add patch libssh-CVE-2025-4877.patch - Fix CVE-2025-4878: Use of uninitialized variable in privatekey_from_file() (bsc#1245310) * Add patches: - libssh-CVE-2025-4878-1.patch - libssh-CVE-2025-4878-2.patch - Fix CVE-2025-5372: ssh_kdf() returns a success code on certain failures (bsc#1245314) * Add patch libssh-CVE-2025-5372.patch Package systemd was updated: - Import commit 278fb676146e35a7b4057f52f34a7bbaf1b82369 aa12f501ae logs-show: get timestamp and boot ID only when necessary (bsc#1242827) e8b17d11bc sd-journal: drop to use Hashmap to manage journal files per boot ID ea80273738 tree-wide: set SD_JOURNAL_ASSUME_IMMUTABLE where appropriate a5b3b5344f sd-journal: introduce SD_JOURNAL_ASSUME_IMMUTABLE flag 5fa0600b34 sd-journal: make journal_file_read_tail_timestamp() notify to the caller that some new journal entries added 737e8193e7 sd-journal: cache last entry offset and journal file state 057dca426f sd-journal: fix typo in function name - Start the systemd-coredump.socket unit on systemd-coredump package installation. - Restore the kernel default values of the coredump sysctl settings on systemd-coredump package removal. - Import commit e08f49f2432509787abfb7f3fc0b2f2c459def04 (merge of v254.25) This merge includes the following fix: 7fc7aa5a4d coredump: use %d in kernel core pattern (bsc#1243935 CVE-2025-4598) For a complete list of changes, visit: https://github.com/openSUSE/systemd/compare/b0ae3b6e85b6a4030cf2adb88519a6ca0ffc1343...e08f49f2432509787abfb7f3fc0b2f2c459def04 - Drop 1021-Revert-macro-terminate-the-temporary-VA_ARGS_FOREACH.patch The SUSE specific patch has been integrated into the SUSE/v254 git branch. Some of the imported commits from the stable tree rely on the macro now. - Import commit b0ae3b6e85b6a4030cf2adb88519a6ca0ffc1343 41d2be2fb5 Revert &quot;macro: terminate the temporary VA_ARGS_FOREACH() array with a sentinel&quot; (SUSE specific) Package libxml2 was updated: - security update- added patches CVE-2025-49794 [bsc#1244554], heap use after free (UAF) can lead to Denial of service (DoS) CVE-2025-49796 [bsc#1244557], type confusion may lead to Denial of service (DoS) + libxml2-CVE-2025-49794,49796.patch CVE-2025-49795 [bsc#1244555], null pointer dereference may lead to Denial of service (DoS) + libxml2-CVE-2025-49795.patch - security update - added patches CVE-2025-6170 [bsc#1244700], stack buffer overflow may lead to a crash CVE-2025-6021 [bsc#1244580], Integer Overflow in xmlBuildQName() Leads to Stack Buffer Overflow in libxml2 + libxml2-CVE-2025-6170,6021.patch Package libzypp was updated: - Fix credential handling in HEAD requests (bsc#1244105)- version 17.37.5 (35) - RepoInfo: use pathNameSetTrailingSlash (fixes #643) - Fix wrong userdata parameter type when running zypp with debug verbosity (bsc#1239012) - version 17.37.4 (35) - Do not warn about no mirrors if mirrorlist was switched on automatically. (bsc#1243901) - Relax permission of cached packages to 0644 &amp; ~umask (bsc#1243887) - version 17.37.3 (35) - Add a note to service maintained .repo file entries (fixes #638) - Support using %{url} variable in a RIS service's repo section. - version 17.37.2 (35) - Use a cookie file to validate mirrorlist cache. This patch extends the mirrorlist code to use a cookie file to validate the contents of the cache against the source URL, making sure that we do not accidentially use a old cache when the mirrorlist url was changed. For example when migrating a system from one release to the next where the same repo alias might just have a different URL. - Let Service define and update gpgkey, mirrorlist and metalink. - Preserve a mirrorlist file in the raw cache during refresh. - version 17.37.1 (35) - Code16: Enable curl2 backend and parallel package download by default. In Code15 it's optional. Environment variables ZYPP_CURL2=&lt;0|1&gt; and ZYPP_PCK_PRELOAD=&lt;0|1&gt; can be used to turn the features on or off. - Make gpgKeyUrl the default source for gpg keys. When refreshing zypp now primarily uses gpgKeyUrl information from the repo files and only falls back to a automatically generated key Url if a gpgKeyUrl was not specified. - Introduce mirrors into the Media backends (bsc#1240132) - Drop MediaMultiCurl backend. - Throttle progress updates when preloading packages (bsc#1239543) - Check if request is in valid state in CURL callbacks (fixes openSUSE/zypper#605) - spec/CMake: add conditional build '--with[out] classic_rpmtrans_as_default'. classic_rpmtrans is the current builtin default for SUSE, otherwise it's single_rpmtrans. The `enable_preview_single_rpmtrans_as_default_for_zypper` switch was removed from the spec file. Accordingly the CMake option ENABLE_PREVIEW_SINGLE_RPMTRANS_AS_DEFAULT_FOR_ZYPPER was removed. - version 17.37.0 (35) Package mozilla-nspr was updated: - update to version 4.36 * remove support for OS/2 * remove support for Unixware, Bsdi, old AIX, old HPUX9 &amp; scoos * remove support for Windows 16 bit * renamed the prwin16.h header to prwin.h * configure was updated from 2.69 to 2.71 * various build, test and automation script fixes * major parts of the source code were reformatted Package openssh was updated: Package pam-config was updated: - Stop adding pam_env in AUTH stack, and be sure to put this module at the really end of the SESSION stack. [bsc#1243226, CVE-2025-6018, remove-pam_env-from-auth-stack.patch] Package pam_pkcs11 was updated: - Removes pam_env from auth stack for security reason [bsc#1243226, CVE-2025-6018] Package pam was updated: - pam_namespace: convert functions that may operate on a user-controlled path to operate on file descriptors instead of absolute path. And keep the bind-mount protection from protect_mount() as a defense in depthmeasure. [bsc#1244509 pam_inline-introduce-pam_asprintf-pam_snprintf-and-p.patch, pam_namespace-fix-potential-privilege-escalation.patch, pam_namespace-add-flags-to-indicate-path-safety.patch, pam_namespace-secure_opendir-do-not-look-at-the-grou.patch] - pam_namespace-fix-potential-privilege-escalation.patch adapted and includes changes from upstream commits: ds6242a, bc856cd. * pam_namespace fix logic in return value handling * pam_namespace move functions around - pam_env: Change the default to not read the user .pam_environment file [bsc#1243226, CVE-2025-6018, pam_env-change-the-default-to-not-read-the-user-env.patch] Package perl was updated: - do not change the current directory when cloning an open directory handle [bnc#1244079] [CVE-2025-40909] new patch: perl-dirdup.diff Package python-instance-billing-flavor-check was updated: - Update to version 1.0.1 + Fix infinite loop (bsc#1242064) + Fix bug in update infrastructure request (bsc#1242064) Package salt was updated: - Add `minion_legacy_req_warnings` option to avoid noisy warnings- Require M2Crypto &gt;= 0.44.0 for SUSE Family distros - Added: * add-minion_legacy_req_warnings-option-to-avoid-noisy.patch - Prevent tests failures when pygit2 is not present - Several fixes for security issues (bsc#1244561, CVE-2024-38822) (bsc#1244564, CVE-2024-38823) (bsc#1244565, CVE-2024-38824) (bsc#1244566, CVE-2024-38825) (bsc#1244567, CVE-2025-22240) (bsc#1244568, CVE-2025-22236) (bsc#1244570, CVE-2025-22241) (bsc#1244571, CVE-2025-22237) (bsc#1244572, CVE-2025-22238) (bsc#1244574, CVE-2025-22239) (bsc#1244575, CVE-2025-22242) * Request server hardening * Prevent traversal in local_cache::save_minions * Add test and fix for file_recv cve * Fix traversal in gitfs find_file * Fix traversal in salt.utils.virt * Fix traversal in pub_ret * Reasonable failures when pillars timeout * Make send_req_async wait longer * Remove token to prevent decoding errors * Fix checking of non-url style git remotes * Allow subdirs in GitFS find_file check - Add subsystem filter to udev.exportdb (bsc#1236621) - tornado.httputil: raise errors instead of logging in multipart/form-data parsing (CVE-2025-47287, bsc#1243268) - Fix Ubuntu 24.04 edge-case test failures - Fix broken tests for Ubuntu 24.04 - Fix refresh of osrelease and related grains on Python 3.10+ - Make &quot;salt&quot; package to obsolete &quot;python3-salt&quot; package on SLE15SP7+ - Fix issue requiring proper Python flavor for dependencies and recommended package - Added: * fix-tests-issues-in-salt-shaker-environments-721.patch * several-fixes-for-security-issues.patch * add-subsystem-filter-to-udev.exportdb-bsc-1236621-71.patch * fix-of-cve-2025-47287-bsc-1243268-718.patch * fix-ubuntu-24.04-specific-failures-716.patch * fix-debian-tests-715.patch * fix-refresh-of-osrelease-and-related-grains-on-pytho.patch Package runc was updated: - Update to runc v1.2.6. Upstream changelog is available from &lt;https://github.com/opencontainers/runc/releases/tag/v1.2.6&gt;. - Update to runc v1.2.5. Upstream changelog is available from &lt;https://github.com/opencontainers/runc/releases/tag/v1.2.5&gt;. - Update to runc v1.2.4. Upstream changelog is available from &lt;https://github.com/opencontainers/runc/releases/tag/v1.2.4&gt;. - Update runc.keyring to match upstream. - Update to runc v1.2.3. Upstream changelog is available from &lt;https://github.com/opencontainers/runc/releases/tag/v1.2.3&gt;. - Update to runc v1.2.2. Upstream changelog is available from &lt;https://github.com/opencontainers/runc/releases/tag/v1.2.2&gt;. - Update to runc v1.2.1. Upstream changelog is available from &lt;https://github.com/opencontainers/runc/releases/tag/v1.2.1&gt;. - Update to runc v1.2.0. Upstream changelog is available from &lt;https://github.com/opencontainers/runc/releases/tag/v1.2.0&gt;. - Remove upstreamed patches. - 0001-bsc1221050-libct-seccomp-patchbpf-rm-duplicated-code.patch - 0002-bsc1221050-seccomp-patchbpf-rename-nativeArch-linuxA.patch - 0003-bsc1221050-seccomp-patchbpf-always-include-native-ar.patch - 0004-bsc1214960-nsenter-cloned_binary-remove-bindfd-logic.patch - Update to runc v1.2.0~rc3. Upstream changelog is available from &lt;https://github.com/opencontainers/runc/releases/tag/v1.2.0-rc.3&gt;. Includes the patch for CVE-2024-45310. bsc#1230092 Package screen was updated: - also use tty fd passing after a suspend (MSG_CONT) new patch: sendfdcont.diff - do not chmod the tty for multiattach, rely on tty fd passing instead [bsc#1242269] [CVE-2025-46802] new patch: nottychmod.diff - fix resume after suspend in multiuser mode new patch: multicont.diff Package sudo was updated: - Fix a possible local privilege escalation via the --host option [bsc#1245274, CVE-2025-32462] - Fix a possible local privilege Escalation via chroot option [bsc#1245275, CVE-2025-32463] Package sysstat was updated: - Automatically enable systemd timers upon installation.- Fix bsc#1244553. - Fix for PED#12914. * Add sysstat-PED-12914.patch. Package vim was updated: - Fix bsc#1228776 / CVE-2024-41965.- Fix bsc#1239602 / CVE-2025-29768. - Refresh patch: vim-7.3-sh_is_bash.patch - Update to 9.1.1406: 9.1.1406: crash when importing invalid tuple 9.1.1405: tests: no test for mapping with special keys in session file 9.1.1404: wrong link to Chapter 2 in new-tutor 9.1.1403: expansion of 'tabpanelopt' value adds wrong values 9.1.1402: multi-byte mappings not properly stored in session file 9.1.1401: list not materialized in prop_list() 9.1.1400: [security]: use-after-free when evaluating tuple fails 9.1.1399: tests: test_codestyle fails for auto-generated files 9.1.1398: completion: trunc does not follow Pmenu highlighting attributes 9.1.1397: tabpanel not correctly updated on :tabonly 9.1.1396: 'errorformat' is a global option 9.1.1395: search_stat not reset when pattern differs in case 9.1.1394: tabpanel not correctly redrawn on tabonly 9.1.1393: missing test for switching buffers and reusing curbuf 9.1.1392: missing patch number 9.1.1391: Vim does not have a vertical tabpanel 9.1.1390: style: more wrong indentation 9.1.1389: completion: still some issue when 'isexpand' contains a space 9.1.1388: Scrolling one line too far with 'nosmoothscroll' page scrolling 9.1.1387: memory leak when buflist_new() fails to reuse curbuf 9.1.1386: MS-Windows: some minor problems building on AARCH64 9.1.1385: inefficient loop for 'nosmoothscroll' scrolling 9.1.1384: still some problem with the new tutors filetype plugin 9.1.1383: completion: 'isexpand' option does not handle space char correct 9.1.1382: if_ruby: unused compiler warnings from ruby internals 9.1.1381: completion: cannot return to original text 9.1.1380: 'eventignorewin' only checked for current buffer 9.1.1379: MS-Windows: error when running evim when space in path 9.1.1378: sign without text overwrites number option 9.1.1377: patch v9.1.1370 causes some GTK warning messages 9.1.1376: quickfix dummy buffer may remain as dummy buffer 9.1.1375: [security]: possible heap UAF with quickfix dummy buffer 9.1.1374: completion: 'smartcase' not respected when filtering matches 9.1.1373: 'completeopt' checking logic can be simplified 9.1.1372: style: braces issues in various files 9.1.1371: style: indentation and brace issues in insexpand.c 9.1.1370: CI Tests favor GTK2 over GTK3 9.1.1369: configure still using autoconf 2.71 9.1.1368: GTK3 and GTK4 will drop numeric cursor support. 9.1.1367: too many strlen() calls in gui.c 9.1.1366: v9.1.1364 unintentionally changed sign.c and sound.c 9.1.1365: MS-Windows: compile warnings and too many strlen() calls 9.1.1364: style: more indentation issues 9.1.1363: style: inconsistent indentation in various files 9.1.1362: Vim9: type ignored when adding tuple to instance list var 9.1.1361: [security]: possible use-after-free when closing a buffer 9.1.1360: filetype: GNU Radio companion files are not recognized 9.1.1359: filetype: GNU Radio config files are not recognized 9.1.1358: if_lua: compile warnings with gcc15 9.1.1357: Vim incorrectly escapes tags with &quot;[&quot; in a help buffer 9.1.1356: Vim9: crash when unletting variable 9.1.1355: The pum_redraw() function is too complex 9.1.1354: tests: Test_terminalwinscroll_topline() fails on Windows 9.1.1353: missing change from v9.1.1350 9.1.1352: style: inconsistent indent in insexpand.c 9.1.1351: Return value of getcmdline() inconsistent in CmdlineLeavePre 9.1.1350: tests: typo in Test_CmdlineLeavePre_cabbr() 9.1.1349: CmdlineLeavePre may trigger twice 9.1.1348: still E315 with the terminal feature 9.1.1347: small problems with gui_w32.c 9.1.1346: missing out-of-memory check in textformat.c 9.1.1345: tests: Test_xxd_color2() test failure dump diff is misleading 9.1.1344: double free in f_complete_match() (after v9.1.1341) 9.1.1343: filetype: IPython files are not recognized 9.1.1342: Shebang filetype detection can be improved 9.1.1341: cannot define completion triggers 9.1.1340: cannot complete :filetype arguments 9.1.1339: missing out-of-memory checks for enc_to_utf16()/utf16_to_enc() 9.1.1338: Calling expand() interferes with cmdcomplete_info() 9.1.1337: Undo corrupted with 'completeopt' &quot;preinsert&quot; when switching buffer 9.1.1336: comment plugin does not support case-insensitive 'commentstring' 9.1.1335: Coverity complains about Null pointer dereferences 9.1.1334: Coverity complains about unchecked return value 9.1.1333: Coverity: complains about unutilized variable 9.1.1332: Vim9: segfault when using super within a lambda 9.1.1331: Leaking memory with cmdcomplete() 9.1.1330: may receive E315 in terminal 9.1.1329: cannot get information about command line completion 9.1.1328: too many strlen() calls in indent.c 9.1.1327: filetype: nroff detection can be improved 9.1.1326: invalid cursor position after 'tagfunc' 9.1.1325: tests: not checking error numbers properly 9.1.1324: undefined behaviour if X11 connection dies 9.1.1323: b:undo_ftplugin not executed when re-using buffer 9.1.1322: small delete register cannot paste multi-line correctly 9.1.1321: filetype: MS ixx and mpp files are not recognized 9.1.1320: filetype: alsoft config files are not recognized 9.1.1319: Various typos in the code, issue with test_inst_complete.vim 9.1.1318: tests: test_format fails 9.1.1317: noisy error when restoring folds from session fails 9.1.1316: missing memory allocation failure in os_mswin.c 9.1.1315: completion: issue with fuzzy completion and 'completefuzzycollect' 9.1.1314: max allowed string width too small 9.1.1313: compile warning about uninitialized value 9.1.1312: tests: Test_backupskip() fails when HOME is defined 9.1.1311: completion: not possible to limit number of matches 9.1.1310: completion: redundant check for preinsert effect 9.1.1309: tests: no test for 'pummaxwidth' with non-truncated &quot;kind&quot; 9.1.1308: completion: cannot order matches by distance to cursor 9.1.1307: make syntax does not reliably detect different flavors 9.1.1306: completion menu rendering can be improved 9.1.1305: completion menu active after switching windows/tabs 9.1.1304: filetype: some man files are not recognized 9.1.1303: missing out-of-memory check in linematch.c 9.1.1302: Coverity warns about using uninitialized value 9.1.1301: completion: cannot configure completion functions with 'complete' 9.1.1300: wrong detection of -inf 9.1.1299: filetype: mbsyncrc files are not recognized 9.1.1298: define_function() is too long 9.1.1297: Ctrl-D scrolling can get stuck 9.1.1296: completion: incorrect truncation logic 9.1.1295: clientserver: does not handle :stopinsert correctly 9.1.1294: gui tabline menu does not use confirm when closing tabs 9.1.1293: comment plugin does not handle 'exclusive' selection for comment object 9.1.1292: statusline not correctly evaluated 9.1.1291: too many strlen() calls in buffer.c 9.1.1290: tests: missing cleanup in test_filetype.vim 9.1.1289: tests: no test for matchparen plugin with WinScrolled event 9.1.1288: Using wrong window in ll_resize_stack() 9.1.1287: quickfix code can be further improved 9.1.1286: filetype: help files not detected when 'iskeyword' includes &quot;:&quot; 9.1.1285: Vim9: no error message for missing method after &quot;super.&quot; 9.1.1284: not possible to configure pum truncation char 9.1.1283: quickfix stack is limited to 10 items 9.1.1282: Build and test failure without job feature 9.1.1281: extra newline output when editing stdin 9.1.1280: trailing additional semicolon in get_matches_in_str() 9.1.1279: Vim9: null_object and null_class are no reserved names 9.1.1278: Vim9: too long functions in vim9type.c 9.1.1277: tests: trailing comment char in test_popupwin 9.1.1276: inline word diff treats multibyte chars as word char 9.1.1275: MS-Windows: Not possible to pass additional flags to Make_mvc 9.1.1274: Vim9: no support for object&lt;type&gt; as variable type 9.1.1273: Coverity warns about using uninitialized value 9.1.1272: completion: in keyword completion Ctrl_P cannot go back after Ctrl_N 9.1.1271: filetype: Power Query files are not recognized 9.1.1270: missing out-of-memory checks in buffer.c 9.1.1269: completion: compl_shown_match is updated when starting keyword completion 9.1.1268: filetype: dax files are not recognized 9.1.1267: Vim9: no support for type list/dict&lt;object&lt;any&gt;&gt; 9.1.1266: MS-Windows: type conversion warnings 9.1.1265: tests: no tests for typing normal char during completion 9.1.1264: Vim9: error when comparing objects 9.1.1263: string length wrong in get_last_inserted_save() 9.1.1262: heap-buffer-overflow with narrow 'pummaxwidth' value 9.1.1261: No test for 'pummaxwidth' non-truncated items 9.1.1260: Hang when filtering buffer with NUL bytes 9.1.1259: some issues with comment package and tailing spaces 9.1.1258: regexp: max \U and \%U value is limited by INT_MAX 9.1.1257: Mixing vim_strsize() with mb_ptr2cells() in pum_redraw() 9.1.1256: if_python: duplicate tuple data entries 9.1.1255: missing test condition for 'pummaxwidth' setting 9.1.1254: need more tests for the comment plugin 9.1.1253: abort when closing window with attached quickfix data 9.1.1252: typos in code and docs related to 'diffopt' &quot;inline:&quot; 9.1.1251: if_python: build error with tuples and dynamic python 9.1.1250: cannot set the maximum popup menu width 9.1.1249: tests: no test that 'listchars' &quot;eol&quot; doesn't affect &quot;gM&quot; 9.1.1248: compile error when building without FEAT_QUICKFIX 9.1.1247: fragile setup to get (preferred) keys from key_name_entry 9.1.1246: coverity complains about some changes in v9.1.1243 9.1.1245: need some more tests for curly braces evaluation 9.1.1244: part of patch v9.1.1242 was wrong 9.1.1243: diff mode is lacking for changes within lines 9.1.1242: Crash when evaluating variable name 9.1.1241: wrong preprocessort indentation in term.c 9.1.1240: Regression with ic/ac text objects and comment plugin 9.1.1239: if_python: no tuple data type support 9.1.1238: wrong cursor column with 'set splitkeep=screen' 9.1.1237: Compile error with C89 compiler in term.c 9.1.1236: tests: test_comments leaves swapfiles around 9.1.1235: cproto files are outdated 9.1.1234: Compile error when SIZE_MAX is not defined 9.1.1233: Coverity warns about NULL pointer when triggering WinResized 9.1.1232: Vim script is missing the tuple data type 9.1.1231: filetype: SPA JSON files are not recognized 9.1.1230: inconsistent CTRL-C behaviour for popup windows 9.1.1229: the comment plugin can be improved 9.1.1228: completion: current position column wrong after got a match 9.1.1227: no tests for the comment package 9.1.1226: &quot;shellcmdline&quot; completion doesn't work with input() 9.1.1225: extra NULL check in VIM_CLEAR() 9.1.1224: cannot :put while keeping indent 9.1.1223: wrong translation used for encoding failures 9.1.1222: using wrong length for last inserted string 9.1.1221: Wrong cursor pos when leaving Insert mode just after 'autoindent' 9.1.1220: filetype: uv.lock file not recognized 9.1.1219: Strange error with wrong type for matchfuzzy() &quot;camelcase&quot; 9.1.1218: missing out-of-memory check in filepath.c 9.1.1217: tests: typos in test_matchfuzzy.vim 9.1.1216: Pasting the '.' register multiple times may not work 9.1.1215: Patch 9.1.1213 has some issues 9.1.1214: matchfuzzy() can be improved for camel case matches 9.1.1213: cannot :put while keeping indent 9.1.1212: too many strlen() calls in edit.c 9.1.1212: filetype: logrotate'd pacmanlogs are not recognized 9.1.1211: TabClosedPre is triggered just before the tab is being freed 9.1.1210: translation(ru): missing Russian translation for the new tutor 9.1.1209: colorcolumn not drawn after virtual text lines 9.1.1208: MS-Windows: not correctly restoring alternate screen on Win 10 9.1.1207: MS-Windows: build warning in filepath.c 9.1.1206: tests: test_filetype fails when a file is a directory 9.1.1205: completion: preinserted text not removed when closing pum 9.1.1204: MS-Windows: crash when passing long string to expand() 9.1.1203: matchparen keeps cursor on case label in sh filetype 9.1.1202: Missing TabClosedPre autocommand 9.1.1201: 'completefuzzycollect' does not handle dictionary correctly 9.1.1200: cmdline pum not cleared for input() completion 9.1.1199: gvim uses hardcoded xpm icon file 9.1.1198: [security]: potential data loss with zip.vim 9.1.1197: process_next_cpt_value() uses wrong condition 9.1.1196: filetype: config files for container tools are not recognized 9.1.1195: inside try-block: fn body executed with default arg undefined 9.1.1194: filetype: false positive help filetype detection 9.1.1193: Unnecessary use of STRCAT() in au_event_disable() 9.1.1192: Vim crashes with term response debug logging enabled 9.1.1191: tests: test for patch 9.1.1186 doesn't fail without the patch 9.1.1190: C indentation does not detect multibyte labels 9.1.1189: if_python: build error due to incompatible pointer types 9.1.1188: runtime(tera): tera support can be improved 9.1.1187: matchparen plugin wrong highlights shell case statement 9.1.1186: filetype: help files in git repos are not detected 9.1.1185: endless loop with completefuzzycollect and no match found 9.1.1184: Unnecessary use of vim_tolower() in vim_strnicmp_asc() 9.1.1083: &quot;above&quot; virtual text breaks cursorlineopt=number 9.1.1182: No cmdline completion for 'completefuzzycollect' 9.1.1181: Unnecessary STRLEN() calls in insexpand.c 9.1.1180: short-description 9.1.1179: too many strlen() calls in misc2.c 9.1.1178: not possible to generate completion candidates using fuzzy matching 9.1.1177: filetype: tera files not detected Package xen was updated: - bsc#1246112, bsc#1238896 - VUL-0: xen: More AMD transient execution attack (CVE-2024-36350, CVE-2024-36357, XSA-471) 66f28b47-x86-cpufeature-reposition-ext-leaf-21-EAX.patch 685c29cf-x86-idle-Move-monitor-mwait-wrappers.patch 685c29d0-x86-idle-remove-MFENCEs-for-CLFLUSH_MONITOR.patch 685c29d1-revert-part-of-mwait-idle-disable-IBRS-.patch 686277ed-x86-cpu-policy-simplify-logic-in-gcdfa.patch 68656b6f-x86-cpu-policy-leaf-80000021-handling.patch 68681770-x86-idle-remove-broken-MWAIT-implementation.patch 68681771-x86-idle-drop-incorrect-smp_mb-in-.patch 68681772-x86-idle-convert-force_mwait_ipi_wakeup-to-.patch 68681773-rework-arch_skip_send_event_check-into-.patch 68681774-x86-new-MWAIT-IPI-elision-algorithm.patch 68681775-x86-idle-fix-IRQ-enable-before-C1-on-Xeons.patch xsa471-13.patch 686d2646-x86-cpu-policy-rearrange-gc_fa.patch 686d2647-x86-cpu-policy-CPUID-leaf-0x80000021-ecx.patch 686d2648-x86-AMD-ucode-digests-for-TSA.patch 686d2649-x86-idle-rearrange-VERW-and-MONITOR-in-.patch 686d264a-x86-spec-ctrl-mitigate-Transitive-Scheduler-Attacks.patch - bsc#1244644 - VUL-0: CVE-2025-27465: xen: x86: Incorrect stubs exception handling for flags recovery (XSA-470) 6863cd0b-x86emul-extable-registration-in-invoke_stub.patch Replaces xsa470.patch - Upstream bug fixes (bsc#1027519) 6835a042-VMX-VMEntry-failure-on-ADL-SPR-with-shadow.patch 6835a043-x86-PV-breakpoint-reporting.patch - bsc#1244644 - VUL-0: CVE-2025-27465: xen: x86: Incorrect stubs exception handling for flags recovery (XSA-470) xsa470.patch Package zsh was updated: - Update to version 5.8.1 * Dropped patches, which are included upstream now: - CVE-2019-20044.patch - CVE-2021-45444.patch * See included NEWS file for complete changes * Implements ECO PED-12771 Package zypper was updated: - BuildRequires: libzypp-devel &gt;= 17.37.0.- Use libzypp improvements for preload and mirror handling. - xmlout.rnc: Update repo-element (bsc#1241463) Add the &quot;metalink&quot; attribute and reflect that the &quot;url&quot; elements list may in fact be empty, if no baseurls are defined in the .repo files. - man: update --allow-unsigned-rpm description. Explain how to achieve the same for packages provided by repositories. - version 1.14.90 The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). https://publiccloudimagechangeinfo.suse.com/google/sles-sap-15-sp6-hardened-byos-v20250724-x86-64/ Public Cloud Image Info https://www.suse.com/support/security/rating/ SUSE Security Ratings Public Cloud Image google/sles-sap-15-sp6-hardened-byos-v20250724-x86-64 SAPHanaSR-0.162.5-150000.4.47.1 SAPHanaSR-doc-0.162.5-150000.4.47.1 alsa-ucm-conf-1.2.10-150600.3.5.1 cifs-utils-6.15-150400.3.15.1 coreutils-8.32-150400.9.9.1 crmsh-4.6.2+20250630.2405120-150600.3.38.2 crmsh-scripts-4.6.2+20250630.2405120-150600.3.38.2 ctdb-4.19.8+git.430.a10fe64854c-150600.3.18.2 cyrus-sasl-2.1.28-150600.7.6.2 cyrus-sasl-digestmd5-2.1.28-150600.7.6.2 cyrus-sasl-gssapi-2.1.28-150600.7.6.2 cyrus-sasl-plain-2.1.28-150600.7.6.2 cyrus-sasl-saslauthd-2.1.28-150600.7.6.2 docker-28.2.2_ce-150000.227.1 firewalld-2.0.1-150600.3.9.1 firewalld-lang-2.0.1-150600.3.9.1 glib2-tools-2.78.6-150600.4.16.1 google-cloud-sap-agent-3.8-150100.3.50.1 google-guest-configs-20241205.00-150400.13.22.1 google-guest-oslogin-20240311.01-150000.1.53.1 google-osconfig-agent-20250416.02-150000.1.50.1 gpg2-2.4.4-150600.3.9.1 iputils-20221126-150500.3.14.1 jq-1.6-150000.3.6.1 libbpf1-1.2.2-150600.3.6.2 libfreebl3-3.112-150400.3.57.1 libgcrypt20-1.10.3-150600.3.9.1 libgio-2_0-0-2.78.6-150600.4.16.1 libglib-2_0-0-2.78.6-150600.4.16.1 libgmodule-2_0-0-2.78.6-150600.4.16.1 libgobject-2_0-0-2.78.6-150600.4.16.1 libgthread-2_0-0-2.78.6-150600.4.16.1 libicu-suse65_1-65.1-150200.4.15.1 libicu65_1-ledata-65.1-150200.4.15.1 libjq1-1.6-150000.3.6.1 libnfsidmap1-1.0-150600.28.12.1 libopenssl3-3.1.4-150600.5.33.1 libsasl2-3-2.1.28-150600.7.6.2 libsoftokn3-3.112-150400.3.57.1 libssh-config-0.9.8-150600.11.3.1 libssh4-0.9.8-150600.11.3.1 libsystemd0-254.25-150600.4.40.1 libudev1-254.25-150600.4.40.1 libxml2-2-2.10.3-150500.5.29.1 libxml2-tools-2.10.3-150500.5.29.1 libzypp-17.37.5-150600.3.60.1 mozilla-nspr-4.36-150000.3.32.1 mozilla-nss-3.112-150400.3.57.1 mozilla-nss-certs-3.112-150400.3.57.1 mozilla-nss-tools-3.112-150400.3.57.1 openssh-9.6p1-150600.6.29.2 openssh-clients-9.6p1-150600.6.29.2 openssh-common-9.6p1-150600.6.29.2 openssh-server-9.6p1-150600.6.29.2 openssh-server-config-disallow-rootlogin-9.6p1-150600.6.29.2 openssl-3-3.1.4-150600.5.33.1 pam-1.3.0-150000.6.83.1 pam-config-1.1-150600.16.8.1 pam_pkcs11-0.6.10-150600.16.8.1 perl-5.26.1-150300.17.20.1 perl-base-5.26.1-150300.17.20.1 python-instance-billing-flavor-check-1.0.1-150000.1.23.1 python3-firewall-2.0.1-150600.3.9.1 python3-salt-3006.0-150500.4.55.1 runc-1.2.6-150000.73.2 salt-3006.0-150500.4.55.1 salt-minion-3006.0-150500.4.55.1 salt-standalone-formulas-configuration-3006.0-150500.4.55.1 samba-client-libs-4.19.8+git.430.a10fe64854c-150600.3.18.2 samba-libs-4.19.8+git.430.a10fe64854c-150600.3.18.2 screen-4.6.2-150000.5.8.1 sudo-1.9.15p5-150600.3.9.1 sysstat-12.0.2-150000.3.45.3 systemd-254.25-150600.4.40.1 systemd-sysvcompat-254.25-150600.4.40.1 udev-254.25-150600.4.40.1 vim-9.1.1406-150500.20.27.1 vim-data-common-9.1.1406-150500.20.27.1 xen-libs-4.18.5_04-150600.3.28.1 zsh-5.8.1-150600.18.3.2 zypper-1.14.90-150600.10.34.3 SAPHanaSR-0.162.5-150000.4.47.1 as a component of Public Cloud Image google/sles-sap-15-sp6-hardened-byos-v20250724-x86-64 SAPHanaSR-doc-0.162.5-150000.4.47.1 as a component of Public Cloud Image google/sles-sap-15-sp6-hardened-byos-v20250724-x86-64 alsa-ucm-conf-1.2.10-150600.3.5.1 as a component of Public Cloud Image google/sles-sap-15-sp6-hardened-byos-v20250724-x86-64 cifs-utils-6.15-150400.3.15.1 as a component of Public Cloud Image google/sles-sap-15-sp6-hardened-byos-v20250724-x86-64 coreutils-8.32-150400.9.9.1 as a component of Public Cloud Image google/sles-sap-15-sp6-hardened-byos-v20250724-x86-64 crmsh-4.6.2+20250630.2405120-150600.3.38.2 as a component of Public Cloud Image google/sles-sap-15-sp6-hardened-byos-v20250724-x86-64 crmsh-scripts-4.6.2+20250630.2405120-150600.3.38.2 as a component of Public Cloud Image google/sles-sap-15-sp6-hardened-byos-v20250724-x86-64 ctdb-4.19.8+git.430.a10fe64854c-150600.3.18.2 as a component of Public Cloud Image google/sles-sap-15-sp6-hardened-byos-v20250724-x86-64 cyrus-sasl-2.1.28-150600.7.6.2 as a component of Public Cloud Image google/sles-sap-15-sp6-hardened-byos-v20250724-x86-64 cyrus-sasl-digestmd5-2.1.28-150600.7.6.2 as a component of Public Cloud Image google/sles-sap-15-sp6-hardened-byos-v20250724-x86-64 cyrus-sasl-gssapi-2.1.28-150600.7.6.2 as a component of Public Cloud Image google/sles-sap-15-sp6-hardened-byos-v20250724-x86-64 cyrus-sasl-plain-2.1.28-150600.7.6.2 as a component of Public Cloud Image google/sles-sap-15-sp6-hardened-byos-v20250724-x86-64 cyrus-sasl-saslauthd-2.1.28-150600.7.6.2 as a component of Public Cloud Image google/sles-sap-15-sp6-hardened-byos-v20250724-x86-64 docker-28.2.2_ce-150000.227.1 as a component of Public Cloud Image google/sles-sap-15-sp6-hardened-byos-v20250724-x86-64 firewalld-2.0.1-150600.3.9.1 as a component of Public Cloud Image google/sles-sap-15-sp6-hardened-byos-v20250724-x86-64 firewalld-lang-2.0.1-150600.3.9.1 as a component of Public Cloud Image google/sles-sap-15-sp6-hardened-byos-v20250724-x86-64 glib2-tools-2.78.6-150600.4.16.1 as a component of Public Cloud Image google/sles-sap-15-sp6-hardened-byos-v20250724-x86-64 google-cloud-sap-agent-3.8-150100.3.50.1 as a component of Public Cloud Image google/sles-sap-15-sp6-hardened-byos-v20250724-x86-64 google-guest-configs-20241205.00-150400.13.22.1 as a component of Public Cloud Image google/sles-sap-15-sp6-hardened-byos-v20250724-x86-64 google-guest-oslogin-20240311.01-150000.1.53.1 as a component of Public Cloud Image google/sles-sap-15-sp6-hardened-byos-v20250724-x86-64 google-osconfig-agent-20250416.02-150000.1.50.1 as a component of Public Cloud Image google/sles-sap-15-sp6-hardened-byos-v20250724-x86-64 gpg2-2.4.4-150600.3.9.1 as a component of Public Cloud Image google/sles-sap-15-sp6-hardened-byos-v20250724-x86-64 iputils-20221126-150500.3.14.1 as a component of Public Cloud Image google/sles-sap-15-sp6-hardened-byos-v20250724-x86-64 jq-1.6-150000.3.6.1 as a component of Public Cloud Image google/sles-sap-15-sp6-hardened-byos-v20250724-x86-64 libbpf1-1.2.2-150600.3.6.2 as a component of Public Cloud Image google/sles-sap-15-sp6-hardened-byos-v20250724-x86-64 libfreebl3-3.112-150400.3.57.1 as a component of Public Cloud Image google/sles-sap-15-sp6-hardened-byos-v20250724-x86-64 libgcrypt20-1.10.3-150600.3.9.1 as a component of Public Cloud Image google/sles-sap-15-sp6-hardened-byos-v20250724-x86-64 libgio-2_0-0-2.78.6-150600.4.16.1 as a component of Public Cloud Image google/sles-sap-15-sp6-hardened-byos-v20250724-x86-64 libglib-2_0-0-2.78.6-150600.4.16.1 as a component of Public Cloud Image google/sles-sap-15-sp6-hardened-byos-v20250724-x86-64 libgmodule-2_0-0-2.78.6-150600.4.16.1 as a component of Public Cloud Image google/sles-sap-15-sp6-hardened-byos-v20250724-x86-64 libgobject-2_0-0-2.78.6-150600.4.16.1 as a component of Public Cloud Image google/sles-sap-15-sp6-hardened-byos-v20250724-x86-64 libgthread-2_0-0-2.78.6-150600.4.16.1 as a component of Public Cloud Image google/sles-sap-15-sp6-hardened-byos-v20250724-x86-64 libicu-suse65_1-65.1-150200.4.15.1 as a component of Public Cloud Image google/sles-sap-15-sp6-hardened-byos-v20250724-x86-64 libicu65_1-ledata-65.1-150200.4.15.1 as a component of Public Cloud Image google/sles-sap-15-sp6-hardened-byos-v20250724-x86-64 libjq1-1.6-150000.3.6.1 as a component of Public Cloud Image google/sles-sap-15-sp6-hardened-byos-v20250724-x86-64 libnfsidmap1-1.0-150600.28.12.1 as a component of Public Cloud Image google/sles-sap-15-sp6-hardened-byos-v20250724-x86-64 libopenssl3-3.1.4-150600.5.33.1 as a component of Public Cloud Image google/sles-sap-15-sp6-hardened-byos-v20250724-x86-64 libsasl2-3-2.1.28-150600.7.6.2 as a component of Public Cloud Image google/sles-sap-15-sp6-hardened-byos-v20250724-x86-64 libsoftokn3-3.112-150400.3.57.1 as a component of Public Cloud Image google/sles-sap-15-sp6-hardened-byos-v20250724-x86-64 libssh-config-0.9.8-150600.11.3.1 as a component of Public Cloud Image google/sles-sap-15-sp6-hardened-byos-v20250724-x86-64 libssh4-0.9.8-150600.11.3.1 as a component of Public Cloud Image google/sles-sap-15-sp6-hardened-byos-v20250724-x86-64 libsystemd0-254.25-150600.4.40.1 as a component of Public Cloud Image google/sles-sap-15-sp6-hardened-byos-v20250724-x86-64 libudev1-254.25-150600.4.40.1 as a component of Public Cloud Image google/sles-sap-15-sp6-hardened-byos-v20250724-x86-64 libxml2-2-2.10.3-150500.5.29.1 as a component of Public Cloud Image google/sles-sap-15-sp6-hardened-byos-v20250724-x86-64 libxml2-tools-2.10.3-150500.5.29.1 as a component of Public Cloud Image google/sles-sap-15-sp6-hardened-byos-v20250724-x86-64 libzypp-17.37.5-150600.3.60.1 as a component of Public Cloud Image google/sles-sap-15-sp6-hardened-byos-v20250724-x86-64 mozilla-nspr-4.36-150000.3.32.1 as a component of Public Cloud Image google/sles-sap-15-sp6-hardened-byos-v20250724-x86-64 mozilla-nss-3.112-150400.3.57.1 as a component of Public Cloud Image google/sles-sap-15-sp6-hardened-byos-v20250724-x86-64 mozilla-nss-certs-3.112-150400.3.57.1 as a component of Public Cloud Image google/sles-sap-15-sp6-hardened-byos-v20250724-x86-64 mozilla-nss-tools-3.112-150400.3.57.1 as a component of Public Cloud Image google/sles-sap-15-sp6-hardened-byos-v20250724-x86-64 openssh-9.6p1-150600.6.29.2 as a component of Public Cloud Image google/sles-sap-15-sp6-hardened-byos-v20250724-x86-64 openssh-clients-9.6p1-150600.6.29.2 as a component of Public Cloud Image google/sles-sap-15-sp6-hardened-byos-v20250724-x86-64 openssh-common-9.6p1-150600.6.29.2 as a component of Public Cloud Image google/sles-sap-15-sp6-hardened-byos-v20250724-x86-64 openssh-server-9.6p1-150600.6.29.2 as a component of Public Cloud Image google/sles-sap-15-sp6-hardened-byos-v20250724-x86-64 openssh-server-config-disallow-rootlogin-9.6p1-150600.6.29.2 as a component of Public Cloud Image google/sles-sap-15-sp6-hardened-byos-v20250724-x86-64 openssl-3-3.1.4-150600.5.33.1 as a component of Public Cloud Image google/sles-sap-15-sp6-hardened-byos-v20250724-x86-64 pam-1.3.0-150000.6.83.1 as a component of Public Cloud Image google/sles-sap-15-sp6-hardened-byos-v20250724-x86-64 pam-config-1.1-150600.16.8.1 as a component of Public Cloud Image google/sles-sap-15-sp6-hardened-byos-v20250724-x86-64 pam_pkcs11-0.6.10-150600.16.8.1 as a component of Public Cloud Image google/sles-sap-15-sp6-hardened-byos-v20250724-x86-64 perl-5.26.1-150300.17.20.1 as a component of Public Cloud Image google/sles-sap-15-sp6-hardened-byos-v20250724-x86-64 perl-base-5.26.1-150300.17.20.1 as a component of Public Cloud Image google/sles-sap-15-sp6-hardened-byos-v20250724-x86-64 python-instance-billing-flavor-check-1.0.1-150000.1.23.1 as a component of Public Cloud Image google/sles-sap-15-sp6-hardened-byos-v20250724-x86-64 python3-firewall-2.0.1-150600.3.9.1 as a component of Public Cloud Image google/sles-sap-15-sp6-hardened-byos-v20250724-x86-64 python3-salt-3006.0-150500.4.55.1 as a component of Public Cloud Image google/sles-sap-15-sp6-hardened-byos-v20250724-x86-64 runc-1.2.6-150000.73.2 as a component of Public Cloud Image google/sles-sap-15-sp6-hardened-byos-v20250724-x86-64 salt-3006.0-150500.4.55.1 as a component of Public Cloud Image google/sles-sap-15-sp6-hardened-byos-v20250724-x86-64 salt-minion-3006.0-150500.4.55.1 as a component of Public Cloud Image google/sles-sap-15-sp6-hardened-byos-v20250724-x86-64 salt-standalone-formulas-configuration-3006.0-150500.4.55.1 as a component of Public Cloud Image google/sles-sap-15-sp6-hardened-byos-v20250724-x86-64 samba-client-libs-4.19.8+git.430.a10fe64854c-150600.3.18.2 as a component of Public Cloud Image google/sles-sap-15-sp6-hardened-byos-v20250724-x86-64 samba-libs-4.19.8+git.430.a10fe64854c-150600.3.18.2 as a component of Public Cloud Image google/sles-sap-15-sp6-hardened-byos-v20250724-x86-64 screen-4.6.2-150000.5.8.1 as a component of Public Cloud Image google/sles-sap-15-sp6-hardened-byos-v20250724-x86-64 sudo-1.9.15p5-150600.3.9.1 as a component of Public Cloud Image google/sles-sap-15-sp6-hardened-byos-v20250724-x86-64 sysstat-12.0.2-150000.3.45.3 as a component of Public Cloud Image google/sles-sap-15-sp6-hardened-byos-v20250724-x86-64 systemd-254.25-150600.4.40.1 as a component of Public Cloud Image google/sles-sap-15-sp6-hardened-byos-v20250724-x86-64 systemd-sysvcompat-254.25-150600.4.40.1 as a component of Public Cloud Image google/sles-sap-15-sp6-hardened-byos-v20250724-x86-64 udev-254.25-150600.4.40.1 as a component of Public Cloud Image google/sles-sap-15-sp6-hardened-byos-v20250724-x86-64 vim-9.1.1406-150500.20.27.1 as a component of Public Cloud Image google/sles-sap-15-sp6-hardened-byos-v20250724-x86-64 vim-data-common-9.1.1406-150500.20.27.1 as a component of Public Cloud Image google/sles-sap-15-sp6-hardened-byos-v20250724-x86-64 xen-libs-4.18.5_04-150600.3.28.1 as a component of Public Cloud Image google/sles-sap-15-sp6-hardened-byos-v20250724-x86-64 zsh-5.8.1-150600.18.3.2 as a component of Public Cloud Image google/sles-sap-15-sp6-hardened-byos-v20250724-x86-64 zypper-1.14.90-150600.10.34.3 as a component of Public Cloud Image google/sles-sap-15-sp6-hardened-byos-v20250724-x86-64 In Zsh before 5.8, attackers able to execute commands can regain privileges dropped by the --no-PRIVILEGED option. Zsh fails to overwrite the saved uid, so the original privileges can be restored by executing MODULE_PATH=/dir/with/module zmodload with a module that calls setuid(). CVE-2019-20044 important 7.2 AV:L/AC:L/Au:N/C:C/I:C/A:C In zsh before 5.8.1, an attacker can achieve code execution if they control a command output inside the prompt, as demonstrated by a %F argument. This occurs because of recursive PROMPT_SUBST expansion. CVE-2021-45444 important 5.1 AV:N/AC:H/Au:N/C:P/I:P/A:P A timing-based side-channel flaw was found in libgcrypt's RSA implementation. This issue may allow a remote attacker to initiate a Bleichenbacher-style attack, which can lead to the decryption of RSA ciphertexts. CVE-2024-2236 moderate jq is a command-line JSON processor. In versions up to and including 1.7.1, an integer overflow arises when assigning value using an index of 2147483647, the signed integer limit. This causes a denial of service. Commit de21386681c0df0104a99d9d09db23a9b2a78b1e contains a patch for the issue. CVE-2024-23337 moderate A transient execution vulnerability in some AMD processors may allow an attacker to infer data from previous stores, potentially resulting in the leakage of privileged information. CVE-2024-36350 moderate Multiple methods in the salt master skip minion token validation. Therefore a misbehaving minion can impersonate another minion. CVE-2024-38822 low Salt's request server is vulnerable to replay attacks when not using a TLS encrypted transport. CVE-2024-38823 moderate Directory traversal vulnerability in recv_file method allows arbitrary files to be written to the master cache directory. CVE-2024-38824 critical The salt.auth.pki module does not properly authenticate callers. The "password" field contains a public certificate which is validated against a CA certificate by the module. This is not pki authentication, as the caller does not need access to the corresponding private key for the authentication attempt to be accepted. CVE-2024-38825 moderate Vim is an open source command line text editor. double-free in dialog_changed() in Vim < v9.1.0648. When abandoning a buffer, Vim may ask the user what to do with the modified buffer. If the user wants the changed buffer to be saved, Vim may create a new Untitled file, if the buffer did not have a name yet. However, when setting the buffer name to Unnamed, Vim will falsely free a pointer twice, leading to a double-free and possibly later to a heap-use-after-free, which can lead to a crash. The issue has been fixed as of Vim patch v9.1.0648. CVE-2024-41965 low runc is a CLI tool for spawning and running containers according to the OCI specification. runc 1.1.13 and earlier, as well as 1.2.0-rc2 and earlier, can be tricked into creating empty files or directories in arbitrary locations in the host filesystem by sharing a volume between two containers and exploiting a race with `os.MkdirAll`. While this could be used to create empty files, existing files would not be truncated. An attacker must have the ability to start containers using some kind of custom volume configuration. Containers using user namespaces are still affected, but the scope of places an attacker can create inodes can be significantly reduced. Sufficiently strict LSM policies (SELinux/Apparmor) can also in principle block this attack -- we suspect the industry standard SELinux policy may restrict this attack's scope but the exact scope of protection hasn't been analysed. This is exploitable using runc directly as well as through Docker and Kubernetes. The issue is fixed in runc v1.1.14 and v1.2.0-rc3. Some workarounds are available. Using user namespaces restricts this attack fairly significantly such that the attacker can only create inodes in directories that the remapped root user/group has write access to. Unless the root user is remapped to an actual user on the host (such as with rootless containers that don't use `/etc/sub[ug]id`), this in practice means that an attacker would only be able to create inodes in world-writable directories. A strict enough SELinux or AppArmor policy could in principle also restrict the scope if a specific label is applied to the runc runtime, though neither the extent to which the standard existing policies block this attack nor what exact policies are needed to sufficiently restrict this attack have been thoroughly tested. CVE-2024-45310 low When logs are written to a widely-writable directory (the default), an unprivileged attacker may predict a privileged process's log file path and pre-create a symbolic link to a sensitive file in its place. When that privileged process runs, it will follow the planted symlink and overwrite that sensitive file. To fix that, glog now causes the program to exit (with status code 2) when it finds that the configured log file already exists. CVE-2024-45339 important Buildx is a Docker CLI plugin that extends build capabilities using BuildKit. Cache backends support credentials by setting secrets directly as attribute values in cache-to/cache-from configuration. When supplied as user input, these secure values may be inadvertently captured in OpenTelemetry traces as part of the arguments and flags for the traced CLI command. OpenTelemetry traces are also saved in BuildKit daemon's history records. This vulnerability does not impact secrets passed to the Github cache backend via environment variables or registry authentication. CVE-2025-0495 moderate Minion event bus authorization bypass. An attacker with access to a minion key can craft a message which may be able to execute a job on other minions (>= 3007.0). CVE-2025-22236 important An attacker with access to a minion key can exploit the 'on demand' pillar functionality with a specially crafted git url which could cause and arbitrary command to be run on the master with the same privileges as the master process. CVE-2025-22237 moderate Directory traversal attack in minion file cache creation. The master's default cache is vulnerable to a directory traversal attack. Which could be leveraged to write or overwrite 'cache' files outside of the cache directory. CVE-2025-22238 moderate Arbitrary event injection on Salt Master. The master's "_minion_event" method can be used by and authorized minion to send arbitrary events onto the master's event bus. CVE-2025-22239 important Arbitrary directory creation or file deletion. In the find_file method of the GitFS class, a path is created using os.path.join using unvalidated input from the “tgt_env” variable. This can be exploited by an attacker to delete any file on the Master's process has permissions to. CVE-2025-22240 moderate File contents overwrite the VirtKey class is called when “on-demand pillar” data is requested and uses un-validated input to create paths to the “pki directory”. The functionality is used to auto-accept Minion authentication keys based on a pre-placed “authorization file” at a specific location and is present in the default configuration. CVE-2025-22241 moderate Worker process denial of service through file read operation. .A vulnerability exists in the Master's “pub_ret” method which is exposed to all minions. The un-sanitized input value “jid” is used to construct a path which is then opened for reading. An attacker could exploit this vulnerabilities by attempting to read from a filename that will not return any data, e.g. by targeting a pipe node on the proc file system. CVE-2025-22242 moderate An attacker can pass a malicious malformed token which causes unexpected memory to be consumed during parsing. CVE-2025-22868 important SSH servers which implement file transfer protocols are vulnerable to a denial of service attack from clients which complete the key exchange slowly, or not at all, causing pending content to be read into memory, but never transmitted. CVE-2025-22869 important The tokenizer incorrectly interprets tags with unquoted attribute values that end with a solidus character (/) as self-closing. When directly using Tokenizer, this can result in such tags incorrectly being marked as self-closing, and when using the Parse functions, this can result in content following such tags as being placed in the wrong scope during DOM construction, but only when tags are in foreign content (e.g. <math>, <svg>, etc contexts). CVE-2025-22872 moderate Certain instructions need intercepting and emulating by Xen. In some cases Xen emulates the instruction by replaying it, using an executable stub. Some instructions may raise an exception, which is supposed to be handled gracefully. Certain replayed instructions have additional logic to set up and recover the changes to the arithmetic flags. For replayed instructions where the flags recovery logic is used, the metadata for exception handling was incorrect, preventing Xen from handling the the exception gracefully, treating it as fatal instead. CVE-2025-27465 important Vim, a text editor, is vulnerable to potential data loss with zip.vim and special crafted zip files in versions prior to 9.1.1198. The impact is medium because a user must be made to view such an archive with Vim and then press 'x' on such a strange filename. The issue has been fixed as of Vim patch v9.1.1198. CVE-2025-29768 moderate In GnuPG before 2.5.5, if a user chooses to import a certificate with certain crafted subkey data that lacks a valid backsig or that has incorrect usage flags, the user loses the ability to verify signatures made from certain other signing keys, aka a "verification DoS." CVE-2025-30258 low Sudo before 1.9.17p1, when used with a sudoers file that specifies a host that is neither the current host nor ALL, allows listed users to execute commands on unintended machines. CVE-2025-32462 important Sudo before 1.9.17p1 allows local users to obtain root access because /etc/nsswitch.conf from a user-controlled directory is used with the --chroot option. CVE-2025-32463 important Perl threads have a working directory race condition where file operations may target unintended paths. If a directory handle is open at thread creation, the process-wide current working directory is temporarily changed in order to clone that handle for the new thread, which is visible from any third (or more) thread already running. This may lead to unintended operations such as loading code or accessing files from unexpected locations, which a local attacker may be able to exploit. The bug was introduced in commit 11a11ecf4bea72b17d250cfb43c897be1341861e and released in Perl version 5.13.6 CVE-2025-40909 moderate A flaw was found in GLib, which is vulnerable to an integer overflow in the g_string_insert_unichar() function. When the position at which to insert the character is large, the position will overflow, leading to a buffer underwrite. CVE-2025-4373 moderate A vulnerability was found in systemd-coredump. This flaw allows an attacker to force a SUID process to crash and replace it with a non-SUID binary to access the original's privileged process coredump, allowing the attacker to read sensitive data, such as /etc/shadow content, loaded by the original process. A SUID binary or process has a special type of permission, which allows the process to run with the file owner's permissions, regardless of the user executing the binary. This allows the process to access more restricted data than unprivileged users or processes would be able to. An attacker can leverage this flaw by forcing a SUID process to crash and force the Linux kernel to recycle the process PID before systemd-coredump can analyze the /proc/pid/auxv file. If the attacker wins the race condition, they gain access to the original's SUID process coredump file. They can read sensitive content loaded into memory by the original binary, affecting data confidentiality. CVE-2025-4598 moderate For a short time they PTY is set to mode 666, allowing any user on the system to connect to the screen session. CVE-2025-46802 moderate Tornado is a Python web framework and asynchronous networking library. When Tornado's ``multipart/form-data`` parser encounters certain errors, it logs a warning but continues trying to parse the remainder of the data. This allows remote attackers to generate an extremely high volume of logs, constituting a DoS attack. This DoS is compounded by the fact that the logging subsystem is synchronous. All versions of Tornado prior to 6.5.0 are affected. The vulnerable parser is enabled by default. Upgrade to Tornado version 6.50 to receive a patch. As a workaround, risk can be mitigated by blocking `Content-Type: multipart/form-data` in a proxy. CVE-2025-47287 important There's a vulnerability in the libssh package where when a libssh consumer passes in an unexpectedly large input buffer to ssh_get_fingerprint_hash() function. In such cases the bin_to_base64() function can experience an integer overflow leading to a memory under allocation, when that happens it's possible that the program perform out of bounds write leading to a heap corruption. This issue affects only 32-bits builds of libssh. CVE-2025-4877 moderate A vulnerability was found in libssh, where an uninitialized variable exists under certain conditions in the privatekey_from_file() function. This flaw can be triggered if the file specified by the filename doesn't exist and may lead to possible signing failures or heap corruption. CVE-2025-4878 moderate ping in iputils before 20250602 allows a denial of service (application error in adaptive ping mode or incorrect data collection) via a crafted ICMP Echo Reply packet, because a zero timestamp can lead to large intermediate values that have an integer overflow when squared during statistics calculations. NOTE: this issue exists because of an incomplete fix for CVE-2025-47268 (that fix was only about timestamp calculations, and it did not account for a specific scenario where the original timestamp in the ICMP payload is zero). CVE-2025-48964 moderate A use-after-free vulnerability was found in libxml2. This issue occurs when parsing XPath elements under certain circumstances when the XML schematron has the <sch:name path="..."/> schema elements. This flaw allows a malicious actor to craft a malicious XML document used as input for libxml, resulting in the program's crash using libxml or other possible undefined behaviors. CVE-2025-49794 important A NULL pointer dereference vulnerability was found in libxml2 when processing XPath XML expressions. This flaw allows an attacker to craft a malicious XML input to libxml2, leading to a denial of service. CVE-2025-49795 important A vulnerability was found in libxml2. Processing certain sch:name elements from the input XML file can trigger a memory corruption issue. This flaw allows an attacker to craft a malicious XML input file that can lead libxml to crash, resulting in a denial of service or other possible undefined behavior due to sensitive data being corrupted in memory. CVE-2025-49796 important A stack buffer overflow was found in Internationl components for unicode (ICU ). While running the genrb binary, the 'subtag' struct overflowed at the SRBRoot::addTag function. This issue may lead to memory corruption and local arbitrary code execution. CVE-2025-5222 important A flaw was found in GNU Coreutils. The sort utility's begfield() function is vulnerable to a heap buffer under-read. The program may access memory outside the allocated buffer if a user runs a crafted command using the traditional key format. A malicious input could lead to a crash or leak sensitive data. CVE-2025-5278 moderate A flaw was found in the libssh library in versions less than 0.11.2. An out-of-bounds read can be triggered in the sftp_handle function due to an incorrect comparison check that permits the function to access memory beyond the valid handle list and to return an invalid pointer, which is used in further processing. This vulnerability allows an authenticated remote attacker to potentially read unintended memory regions, exposing sensitive information or affect service behavior. CVE-2025-5318 moderate A flaw was found in libssh versions built with OpenSSL versions older than 3.0, specifically in the ssh_kdf() function responsible for key derivation. Due to inconsistent interpretation of return values where OpenSSL uses 0 to indicate failure and libssh uses 0 for success-the function may mistakenly return a success status even when key derivation fails. This results in uninitialized cryptographic key buffers being used in subsequent communication, potentially compromising SSH sessions' confidentiality, integrity, and availability. CVE-2025-5372 important A Local Privilege Escalation (LPE) vulnerability has been discovered in pam-config within Linux Pluggable Authentication Modules (PAM). This flaw allows an unprivileged local attacker (for example, a user logged in via SSH) to obtain the elevated privileges normally reserved for a physically present, "allow_active" user. The highest risk is that the attacker can then perform all allow_active yes Polkit actions, which are typically restricted to console users, potentially gaining unauthorized control over system configurations, services, or other sensitive operations. CVE-2025-6018 important A flaw was found in libxml2's xmlBuildQName function, where integer overflows in buffer size calculations can lead to a stack-based buffer overflow. This issue can result in memory corruption or a denial of service when processing crafted input. CVE-2025-6021 important A flaw was found in how GLib's GString manages memory when adding data to strings. If a string is already very large, combining it with more input can cause a hidden overflow in the size calculation. This makes the system think it has enough memory when it doesn't. As a result, data may be written past the end of the allocated memory, leading to crashes or memory corruption. CVE-2025-6052 important A flaw was found in the interactive shell of the xmllint command-line tool, used for parsing XML files. When a user inputs an overly long command, the program does not check the input size properly, which can cause it to crash. This issue might allow attackers to run harmful code in rare configurations without modern protections. CVE-2025-6170 moderate