<?xml version="1.0" encoding="UTF-8"?>
<cvrfdoc xmlns="http://www.icasi.org/CVRF/schema/cvrf/1.1" xmlns:cvrf="http://www.icasi.org/CVRF/schema/cvrf/1.1">
  <DocumentTitle xml:lang="en">SUSE-IU-2025:587-1</DocumentTitle>
  <DocumentType>SUSE Image</DocumentType>
  <DocumentPublisher Type="Vendor">
    <ContactDetails>security@suse.de</ContactDetails>
    <IssuingAuthority>SUSE Security Team</IssuingAuthority>
  </DocumentPublisher>
  <DocumentTracking>
    <Identification>
      <ID>SUSE Image SUSE-IU-2025:587-1</ID>
    </Identification>
    <Status>Interim</Status>
    <Version>1</Version>
    <RevisionHistory>
      <Revision>
        <Number>1</Number>
        <Date>2025-11-06T13:52:40Z</Date>
        <Description>current</Description>
      </Revision>
    </RevisionHistory>
    <InitialReleaseDate>2025-02-12T01:00:00Z</InitialReleaseDate>
    <CurrentReleaseDate>2025-02-12T01:00:00Z</CurrentReleaseDate>
    <Generator>
      <Engine>cve-database/bin/generate-cvrf-publiccloud.pl</Engine>
      <Date>2021-02-18T01:00:00Z</Date>
    </Generator>
  </DocumentTracking>
  <DocumentNotes>
    <Note Title="Topic" Type="Summary" Ordinal="1" xml:lang="en">Image update for SUSE-IU-2025:587-1 / google/sles-15-sp5-chost-byos-v20250212-arm64</Note>
    <Note Title="Details" Type="General" Ordinal="2" xml:lang="en">This image update for google/sles-15-sp5-chost-byos-v20250212-arm64 contains the following changes:
Package bind was updated:

- Limit additional section processing for large RDATA sets.
  When answering queries, don't add data to the additional
  section if the answer has more than 13 names in the RDATA. This
  limits the number of lookups into the database(s) during a
  single client query, reducing the query-processing load.
  (CVE-2024-11187)
  [bsc#1236596, bind-9.16-CVE-2024-11187.patch]

Package curl was updated:

- Security fix: [bsc#1236590, CVE-2025-0725]
  * content_encoding: drop support for zlib before 1.2.0.4
  * content_encoding: put the decomp buffers into the writer structs
  * Add curl-CVE-2025-0725.patch

- Security fix: [bsc#1236588, CVE-2025-0167]
  * netrc: 'default' with no credentials is not a match
  * Add curl-CVE-2025-0167.patch

Package google-guest-configs was updated:

- Add ggc-no-dup-metasrv-entry.patch
  + Follow up to (bsc#1234289, bsc#1234293). Avoid duplicate entries for
    the metadata server in /etc/hosts

- Update to version 20241205.00 (bsc#1234254, bsc#1234255)
  * Update google_set_multiqueue to configure
    vCPU ranges based on VM platform (#90)
- from version 20241204.00
  * Restore google_set_multiqueue changes for A3Ultra (#93)
  * Depend on networkd-dispatcher in Ubuntu (#94)
- Include components to set hostname and /etc/hosts entries (bsc#1234289, bsc#1234293)
  * Add sysconfig and sysconfig-network to BuildRequires
  * Install google_set_hostname into %{_bindir}
  * Install google_up.sh into %{_sysconfdir}/sysconfig/network/scripts/
  * Add code to add and remove POST_UP_SCRIPT=&quot;compat:suse:google_up.sh&quot;
    to /etc/sysconfig/network/ifcfg-eth0 in %post and %postun sections

Package google-osconfig-agent was updated:

- Update to version 20250115.01 (bsc#1236406, bsc#1236407)
  * Bump cloud.google.com/go/osconfig from 1.14.2 to 1.14.3 (#772)
- from version 20250115.00
  * Bump cloud.google.com/go/auth from 0.10.2 to 0.14.0 (#767)
  * Bump go.opentelemetry.io/otel from 1.32.0 to 1.33.0 (#771)
  * Bump google.golang.org/protobuf from 1.35.1 to 1.36.2 (#763)
- from version 20250114.00
  * Bump golang.org/x/time from 0.8.0 to 0.9.0 (#770)
- from version 20250113.01
  * Bump cloud.google.com/go/auth/oauth2adapt from 0.2.5 to 0.2.7 (#766)
- from version 20250113.00
  * Bump golang.org/x/net from 0.31.0 to 0.34.0 (#769)
- from version 20250110.00
  * Bump golang.org/x/crypto from 0.29.0 to 0.31.0 in the go_modules group (#760)
  * Bump cloud.google.com/go/longrunning from 0.6.2 to 0.6.3 (#744)
- from version 20241218.00
  * Scanners fixes (#720)
  * Bump cloud.google.com/go/storage from 1.46.0 to 1.47.0 (#736)
  * Bump go.opentelemetry.io/contrib/detectors/gcp from 1.29.0 to 1.32.0 (#730)
  * Bump go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp (#738)
  * Bump golang.org/x/net from 0.30.0 to 0.31.0 (#731)
- from version 20241118.01
  * Bump github.com/googleapis/gax-go/v2 from 2.13.0 to 2.14.0 (#737)
- from version 20241118.00
  * move example to appropriate directory (#740)
- from version 20241115.00
  * Replace sles-15-sp3-sap old deprecated image in e2e tests (#739)
  * Bump golang.org/x/time from 0.7.0 to 0.8.0 (#734)
- from version 20241114.03
  * Bump github.com/GoogleCloudPlatform/opentelemetry-operations-go/detectors/gcp (#735)
- from version 20241114.02
  * Bump go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc (#729)
- from version 20241114.01
  * Remove SLES-15-SP2-SAP from e2e tests and add the new SLES-15-SP6 (#733)
  * Bump golang.org/x/crypto from 0.28.0 to 0.29.0 (#728)
  * Bump go.opentelemetry.io/otel/sdk/metric from 1.30.0 to 1.32.0 (#727)
- from version 20241114.00
  * Add example to run exec script from the gcs bucket (#732)
  * Bump cel.dev/expr from 0.16.1 to 0.18.0 (#723)
- from version 20241112.00
  * Bump golang.org/x/oauth2 from 0.23.0 to 0.24.0 (#722)
  * Bump github.com/GoogleCloudPlatform/opentelemetry-operations-go/exporter/metric (#721)
  * Bump google.golang.org/grpc from 1.67.1 to 1.68.0 (#725)
  * Bump github.com/golang/glog from 1.2.2 to 1.2.3 (#715)
  * Bump google.golang.org/api from 0.203.0 to 0.205.0 (#716)
- from version 20241107.01
  * Bump github.com/envoyproxy/go-control-plane from 0.13.0 to 0.13.1 (#717)
  * Bump github.com/GoogleCloudPlatform/opentelemetry-operations-go/internal/resourcemapping (#718)
  * Bump cloud.google.com/go/auth from 0.10.0 to 0.10.1 (#719)
- from version 20241107.00
  * Bump cloud.google.com/go/logging from 1.11.0 to 1.12.0 (#709)
  * Bump cloud.google.com/go/iam from 1.2.1 to 1.2.2 (#710)
  * Bump cloud.google.com/go/storage from 1.43.0 to 1.46.0 (#713)
  * Bump cloud.google.com/go/osconfig from 1.14.1 to 1.14.2 (#708)
  * Bump cloud.google.com/go/auth/oauth2adapt from 0.2.4 to 0.2.5 (#712)
- from version 20241106.00
  * Update OWNERS (#714)
- from version 20241029.01
  * remove toolchain override (#706)
  * Bump go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp (#701)
- from version 20241029.00
  * Bump go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc (#702)
- from version 20241028.00
  * Bump cloud.google.com/go/longrunning from 0.6.0 to 0.6.2 (#705)
- from version 20241017.00
  * Add a new CloudBuild trigger config-file for auto updating the
    presubmit test container image on every new commit (#704)
- from version 20241004.00
  * Add new packagebuild presubmit that will use cloud-build (#694)
- from version 20240927.00
  * Third batch of dependencies upgrade (#690)
- Bump the golang compiler version to 1.22.4 (bsc#1225974, CVE-2024-24790)

Package krb5 was updated:

- Prevent overflow when calculating ulog block size. An authenticated
  attacker can cause kadmind to write beyond the end of the mapped
  region for the iprop log file, likely causing a process crash;
  (CVE-2025-24528); (bsc#1236619).
- Add patch 0012-Prevent-overflow-when-calculating-ulog-block-size.patch

Package openssl-1_1 was updated:

- Security fix: [bsc#1236136, CVE-2024-13176]
  * timing side-channel in the ECDSA signature computation
  * Add openssl-CVE-2024-13176.patch

Package libxml2 was updated:

- security update
- added patches
  fix CVE-2022-49043 [bsc#1236460], use-after-free in xmlXIncludeAddNode
  + libxml2-CVE-2022-49043.patch

Package libzypp was updated:

- Create '.keep_packages' in the package cache dir to enforce
  keeping downloaded packages of all repos cached there (bsc#1232458)
- version 17.35.19 (35)

- Fix missing UID checks in repomanager workflow (fixes #603)
- version 17.35.18 (35)

- Move cmake config files to LIB_INSTALL_DIR/cmake/Zypp (fixes #28)
- Fix 'zypper ps' when running in incus container (bsc#1229106)
  Should apply to lxc and lxd containers as well.
- Re-enable 'rpm --runposttrans' usage for chrooted systems
  (bsc#1216091)
- version 17.35.17 (35)

Package python-instance-billing-flavor-check was updated:

- Version 0.1.2 (bsc#1234444)
  + Improve detection of IPv4 and IPv6 network setup and use the appropriate
    IP version to access the update servers
  + Improve reliability of flavor detection. Try an update server multiple
    times to get an answer; if we hit timeouts, return the flavor
    value from a cache file.

- Version 0.1.1 (bsc#1235991, bsc#1235992)
  + Add time stamp to log
- From version 0.1.0
  + Doc improvements clarifying exit status codes

Package 000release-packages:sle-module-basesystem-release was updated:

Package 000release-packages:sle-module-containers-release was updated:

Package 000release-packages:sle-module-public-cloud-release was updated:

Package 000release-packages:sle-module-server-applications-release was updated:

Package wget was updated:

- If wget for an http URL is redirected to a different site (hostname
  parts of URLs differ), then any &quot;Authenticate&quot; and &quot;Cookie&quot; header
  entries are discarded.
  [bsc#1185551, wget-do-not-propagate-credentials.patch,
  bsc#1230795, CVE-2021-31879]

Package zypper was updated:

- lr: show the repositories keep-packages flag (bsc#1232458)
  It is shown in the details view or by using -k,--keep-packages.
  In addition libzypp supports to enforce keeping downloaded
  packages of all repos within a package cache by creating a
  '.keep_packages' file there.
- version 1.14.81

- Try to refresh update repos first to have updated GPG keys on
  the fly (bsc#1234752)
  An update repo may contain a prolonged GPG key for the GA repo.
  Refreshing the update repo first updates a trusted key on the fly
  and avoids a 'key has expired' warning being issued when
  refreshing the GA repo.
- Refresh: restore legacy behavior and suppress Exception
  reporting as non-root (bsc#1235636)
- version 1.14.80

</Note>
    <Note Title="Terms of Use" Type="Legal Disclaimer" Ordinal="3" xml:lang="en">The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).</Note>
  </DocumentNotes>
  <DocumentReferences>
    <Reference Type="Self">
      <URL>https://publiccloudimagechangeinfo.suse.com/google/sles-15-sp5-chost-byos-v20250212-arm64/</URL>
      <Description>Public Cloud Image Info</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://www.suse.com/support/security/rating/</URL>
      <Description>SUSE Security Ratings</Description>
    </Reference>
  </DocumentReferences>
  <ProductTree xmlns="http://www.icasi.org/CVRF/schema/prod/1.1">
    <Branch Type="Product Family" Name="Public Cloud Image google/sles-15-sp5-chost-byos-v20250212-arm64">
      <Branch Type="Product Name" Name="Public Cloud Image google/sles-15-sp5-chost-byos-v20250212-arm64">
        <FullProductName ProductID="Public Cloud Image google/sles-15-sp5-chost-byos-v20250212-arm64">Public Cloud Image google/sles-15-sp5-chost-byos-v20250212-arm64</FullProductName>
      </Branch>
    </Branch>
    <Branch Type="Product Version" Name="bind-utils-9.16.50-150500.8.24.1">
      <FullProductName ProductID="bind-utils-9.16.50-150500.8.24.1">bind-utils-9.16.50-150500.8.24.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="curl-8.0.1-150400.5.62.1">
      <FullProductName ProductID="curl-8.0.1-150400.5.62.1">curl-8.0.1-150400.5.62.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="google-guest-configs-20241205.00-150400.13.17.1">
      <FullProductName ProductID="google-guest-configs-20241205.00-150400.13.17.1">google-guest-configs-20241205.00-150400.13.17.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="google-osconfig-agent-20250115.01-150000.1.41.1">
      <FullProductName ProductID="google-osconfig-agent-20250115.01-150000.1.41.1">google-osconfig-agent-20250115.01-150000.1.41.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="krb5-1.20.1-150500.3.12.1">
      <FullProductName ProductID="krb5-1.20.1-150500.3.12.1">krb5-1.20.1-150500.3.12.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="libcurl4-8.0.1-150400.5.62.1">
      <FullProductName ProductID="libcurl4-8.0.1-150400.5.62.1">libcurl4-8.0.1-150400.5.62.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="libopenssl1_1-1.1.1l-150500.17.40.1">
      <FullProductName ProductID="libopenssl1_1-1.1.1l-150500.17.40.1">libopenssl1_1-1.1.1l-150500.17.40.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="libxml2-2-2.10.3-150500.5.20.1">
      <FullProductName ProductID="libxml2-2-2.10.3-150500.5.20.1">libxml2-2-2.10.3-150500.5.20.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="libzypp-17.35.19-150500.6.36.1">
      <FullProductName ProductID="libzypp-17.35.19-150500.6.36.1">libzypp-17.35.19-150500.6.36.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="openssl-1_1-1.1.1l-150500.17.40.1">
      <FullProductName ProductID="openssl-1_1-1.1.1l-150500.17.40.1">openssl-1_1-1.1.1l-150500.17.40.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="python-instance-billing-flavor-check-0.1.2-150000.1.17.1">
      <FullProductName ProductID="python-instance-billing-flavor-check-0.1.2-150000.1.17.1">python-instance-billing-flavor-check-0.1.2-150000.1.17.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="python3-bind-9.16.50-150500.8.24.1">
      <FullProductName ProductID="python3-bind-9.16.50-150500.8.24.1">python3-bind-9.16.50-150500.8.24.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="wget-1.20.3-150000.3.29.1">
      <FullProductName ProductID="wget-1.20.3-150000.3.29.1">wget-1.20.3-150000.3.29.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="zypper-1.14.81-150500.6.20.1">
      <FullProductName ProductID="zypper-1.14.81-150500.6.20.1">zypper-1.14.81-150500.6.20.1</FullProductName>
    </Branch>
    <Relationship ProductReference="bind-utils-9.16.50-150500.8.24.1" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sles-15-sp5-chost-byos-v20250212-arm64">
      <FullProductName ProductID="Public Cloud Image google/sles-15-sp5-chost-byos-v20250212-arm64:bind-utils-9.16.50-150500.8.24.1">bind-utils-9.16.50-150500.8.24.1 as a component of Public Cloud Image google/sles-15-sp5-chost-byos-v20250212-arm64</FullProductName>
    </Relationship>
    <Relationship ProductReference="curl-8.0.1-150400.5.62.1" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sles-15-sp5-chost-byos-v20250212-arm64">
      <FullProductName ProductID="Public Cloud Image google/sles-15-sp5-chost-byos-v20250212-arm64:curl-8.0.1-150400.5.62.1">curl-8.0.1-150400.5.62.1 as a component of Public Cloud Image google/sles-15-sp5-chost-byos-v20250212-arm64</FullProductName>
    </Relationship>
    <Relationship ProductReference="google-guest-configs-20241205.00-150400.13.17.1" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sles-15-sp5-chost-byos-v20250212-arm64">
      <FullProductName ProductID="Public Cloud Image google/sles-15-sp5-chost-byos-v20250212-arm64:google-guest-configs-20241205.00-150400.13.17.1">google-guest-configs-20241205.00-150400.13.17.1 as a component of Public Cloud Image google/sles-15-sp5-chost-byos-v20250212-arm64</FullProductName>
    </Relationship>
    <Relationship ProductReference="google-osconfig-agent-20250115.01-150000.1.41.1" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sles-15-sp5-chost-byos-v20250212-arm64">
      <FullProductName ProductID="Public Cloud Image google/sles-15-sp5-chost-byos-v20250212-arm64:google-osconfig-agent-20250115.01-150000.1.41.1">google-osconfig-agent-20250115.01-150000.1.41.1 as a component of Public Cloud Image google/sles-15-sp5-chost-byos-v20250212-arm64</FullProductName>
    </Relationship>
    <Relationship ProductReference="krb5-1.20.1-150500.3.12.1" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sles-15-sp5-chost-byos-v20250212-arm64">
      <FullProductName ProductID="Public Cloud Image google/sles-15-sp5-chost-byos-v20250212-arm64:krb5-1.20.1-150500.3.12.1">krb5-1.20.1-150500.3.12.1 as a component of Public Cloud Image google/sles-15-sp5-chost-byos-v20250212-arm64</FullProductName>
    </Relationship>
    <Relationship ProductReference="libcurl4-8.0.1-150400.5.62.1" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sles-15-sp5-chost-byos-v20250212-arm64">
      <FullProductName ProductID="Public Cloud Image google/sles-15-sp5-chost-byos-v20250212-arm64:libcurl4-8.0.1-150400.5.62.1">libcurl4-8.0.1-150400.5.62.1 as a component of Public Cloud Image google/sles-15-sp5-chost-byos-v20250212-arm64</FullProductName>
    </Relationship>
    <Relationship ProductReference="libopenssl1_1-1.1.1l-150500.17.40.1" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sles-15-sp5-chost-byos-v20250212-arm64">
      <FullProductName ProductID="Public Cloud Image google/sles-15-sp5-chost-byos-v20250212-arm64:libopenssl1_1-1.1.1l-150500.17.40.1">libopenssl1_1-1.1.1l-150500.17.40.1 as a component of Public Cloud Image google/sles-15-sp5-chost-byos-v20250212-arm64</FullProductName>
    </Relationship>
    <Relationship ProductReference="libxml2-2-2.10.3-150500.5.20.1" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sles-15-sp5-chost-byos-v20250212-arm64">
      <FullProductName ProductID="Public Cloud Image google/sles-15-sp5-chost-byos-v20250212-arm64:libxml2-2-2.10.3-150500.5.20.1">libxml2-2-2.10.3-150500.5.20.1 as a component of Public Cloud Image google/sles-15-sp5-chost-byos-v20250212-arm64</FullProductName>
    </Relationship>
    <Relationship ProductReference="libzypp-17.35.19-150500.6.36.1" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sles-15-sp5-chost-byos-v20250212-arm64">
      <FullProductName ProductID="Public Cloud Image google/sles-15-sp5-chost-byos-v20250212-arm64:libzypp-17.35.19-150500.6.36.1">libzypp-17.35.19-150500.6.36.1 as a component of Public Cloud Image google/sles-15-sp5-chost-byos-v20250212-arm64</FullProductName>
    </Relationship>
    <Relationship ProductReference="openssl-1_1-1.1.1l-150500.17.40.1" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sles-15-sp5-chost-byos-v20250212-arm64">
      <FullProductName ProductID="Public Cloud Image google/sles-15-sp5-chost-byos-v20250212-arm64:openssl-1_1-1.1.1l-150500.17.40.1">openssl-1_1-1.1.1l-150500.17.40.1 as a component of Public Cloud Image google/sles-15-sp5-chost-byos-v20250212-arm64</FullProductName>
    </Relationship>
    <Relationship ProductReference="python-instance-billing-flavor-check-0.1.2-150000.1.17.1" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sles-15-sp5-chost-byos-v20250212-arm64">
      <FullProductName ProductID="Public Cloud Image google/sles-15-sp5-chost-byos-v20250212-arm64:python-instance-billing-flavor-check-0.1.2-150000.1.17.1">python-instance-billing-flavor-check-0.1.2-150000.1.17.1 as a component of Public Cloud Image google/sles-15-sp5-chost-byos-v20250212-arm64</FullProductName>
    </Relationship>
    <Relationship ProductReference="python3-bind-9.16.50-150500.8.24.1" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sles-15-sp5-chost-byos-v20250212-arm64">
      <FullProductName ProductID="Public Cloud Image google/sles-15-sp5-chost-byos-v20250212-arm64:python3-bind-9.16.50-150500.8.24.1">python3-bind-9.16.50-150500.8.24.1 as a component of Public Cloud Image google/sles-15-sp5-chost-byos-v20250212-arm64</FullProductName>
    </Relationship>
    <Relationship ProductReference="wget-1.20.3-150000.3.29.1" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sles-15-sp5-chost-byos-v20250212-arm64">
      <FullProductName ProductID="Public Cloud Image google/sles-15-sp5-chost-byos-v20250212-arm64:wget-1.20.3-150000.3.29.1">wget-1.20.3-150000.3.29.1 as a component of Public Cloud Image google/sles-15-sp5-chost-byos-v20250212-arm64</FullProductName>
    </Relationship>
    <Relationship ProductReference="zypper-1.14.81-150500.6.20.1" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sles-15-sp5-chost-byos-v20250212-arm64">
      <FullProductName ProductID="Public Cloud Image google/sles-15-sp5-chost-byos-v20250212-arm64:zypper-1.14.81-150500.6.20.1">zypper-1.14.81-150500.6.20.1 as a component of Public Cloud Image google/sles-15-sp5-chost-byos-v20250212-arm64</FullProductName>
    </Relationship>
  </ProductTree>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">GNU Wget through 1.21.1 does not omit the Authorization header upon a redirect to a different origin, a related issue to CVE-2018-1000007.</Note>
    </Notes>
    <CVE>CVE-2021-31879</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp5-chost-byos-v20250212-arm64:wget-1.20.3-150000.3.29.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
    <CVSSScoreSets>
      <ScoreSet>
        <BaseScore>5.8</BaseScore>
        <Vector>AV:N/AC:M/Au:N/C:P/I:P/A:N</Vector>
      </ScoreSet>
    </CVSSScoreSets>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">xmlXIncludeAddNode in xinclude.c in libxml2 before 2.11.0 has a use-after-free.</Note>
    </Notes>
    <CVE>CVE-2022-49043</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp5-chost-byos-v20250212-arm64:libxml2-2-2.10.3-150500.5.20.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>important</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">It is possible to construct a zone such that some queries to it will generate responses containing numerous records in the Additional section. An attacker sending many such queries can cause either the authoritative server itself or an independent resolver to use disproportionate resources processing the queries. Zones will usually need to have been deliberately crafted to attack this exposure.
This issue affects BIND 9 versions 9.11.0 through 9.11.37, 9.16.0 through 9.16.50, 9.18.0 through 9.18.32, 9.20.0 through 9.20.4, 9.21.0 through 9.21.3, 9.11.3-S1 through 9.11.37-S1, 9.16.8-S1 through 9.16.50-S1, and 9.18.11-S1 through 9.18.32-S1.</Note>
    </Notes>
    <CVE>CVE-2024-11187</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp5-chost-byos-v20250212-arm64:bind-utils-9.16.50-150500.8.24.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp5-chost-byos-v20250212-arm64:python3-bind-9.16.50-150500.8.24.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>important</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">Issue summary: A timing side-channel which could potentially allow recovering
the private key exists in the ECDSA signature computation.

Impact summary: A timing side-channel in ECDSA signature computations
could allow recovering the private key by an attacker. However, measuring
the timing would require either local access to the signing application or
a very fast network connection with low latency.

There is a timing signal of around 300 nanoseconds when the top word of
the inverted ECDSA nonce value is zero. This can happen with significant
probability only for some of the supported elliptic curves. In particular
the NIST P-521 curve is affected. To be able to measure this leak, the attacker
process must either be located in the same physical computer or must
have a very fast network connection with low latency. For that reason
the severity of this vulnerability is Low.

The FIPS modules in 3.4, 3.3, 3.2, 3.1 and 3.0 are affected by this issue.</Note>
    </Notes>
    <CVE>CVE-2024-13176</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp5-chost-byos-v20250212-arm64:libopenssl1_1-1.1.1l-150500.17.40.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp5-chost-byos-v20250212-arm64:openssl-1_1-1.1.1l-150500.17.40.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">The various Is methods (IsPrivate, IsLoopback, etc) did not work as expected for IPv4-mapped IPv6 addresses, returning false for addresses which would return true in their traditional IPv4 forms.</Note>
    </Notes>
    <CVE>CVE-2024-24790</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp5-chost-byos-v20250212-arm64:google-osconfig-agent-20250115.01-150000.1.41.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">When asked to use a `.netrc` file for credentials **and** to follow HTTP
redirects, curl could leak the password used for the first host to the
followed-to host under certain circumstances.

This flaw only manifests itself if the netrc file has a `default` entry that
omits both login and password. A rare circumstance.</Note>
    </Notes>
    <CVE>CVE-2025-0167</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp5-chost-byos-v20250212-arm64:curl-8.0.1-150400.5.62.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp5-chost-byos-v20250212-arm64:libcurl4-8.0.1-150400.5.62.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">When libcurl is asked to perform automatic gzip decompression of
content-encoded HTTP responses with the `CURLOPT_ACCEPT_ENCODING` option,
**using zlib 1.2.0.3 or older**, an attacker-controlled integer overflow would
make libcurl perform a buffer overflow.</Note>
    </Notes>
    <CVE>CVE-2025-0725</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp5-chost-byos-v20250212-arm64:curl-8.0.1-150400.5.62.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp5-chost-byos-v20250212-arm64:libcurl4-8.0.1-150400.5.62.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">unknown</Note>
    </Notes>
    <CVE>CVE-2025-24528</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp5-chost-byos-v20250212-arm64:krb5-1.20.1-150500.3.12.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
</cvrfdoc>
