<?xml version="1.0" encoding="UTF-8"?>
<cvrfdoc xmlns="http://www.icasi.org/CVRF/schema/cvrf/1.1" xmlns:cvrf="http://www.icasi.org/CVRF/schema/cvrf/1.1">
  <DocumentTitle xml:lang="en">SUSE-IU-2025:935-1</DocumentTitle>
  <DocumentType>SUSE Image</DocumentType>
  <DocumentPublisher Type="Vendor">
    <ContactDetails>security@suse.de</ContactDetails>
    <IssuingAuthority>SUSE Security Team</IssuingAuthority>
  </DocumentPublisher>
  <DocumentTracking>
    <Identification>
      <ID>SUSE Image SUSE-IU-2025:935-1</ID>
    </Identification>
    <Status>Interim</Status>
    <Version>1</Version>
    <RevisionHistory>
      <Revision>
        <Number>1</Number>
        <Date>2025-10-09T17:06:02Z</Date>
        <Description>current</Description>
      </Revision>
    </RevisionHistory>
    <InitialReleaseDate>2025-04-08T01:00:00Z</InitialReleaseDate>
    <CurrentReleaseDate>2025-04-08T01:00:00Z</CurrentReleaseDate>
    <Generator>
      <Engine>cve-database/bin/generate-cvrf-publiccloud.pl</Engine>
      <Date>2021-02-18T01:00:00Z</Date>
    </Generator>
  </DocumentTracking>
  <DocumentNotes>
    <Note Title="Topic" Type="Summary" Ordinal="1" xml:lang="en">Image update for SUSE-IU-2025:935-1 / google/sles-15-sp6-chost-byos-v20250408-x86-64</Note>
    <Note Title="Details" Type="General" Ordinal="2" xml:lang="en">This image update for google/sles-15-sp6-chost-byos-v20250408-x86-64 contains the following changes:
Package apparmor was updated:

- Allow dovecot-auth to execute unix_chkpwd from /sbin, not only from /usr/bin (bsc#1234452)
  * Update dovecot-unix_chkpwd.diff

Package ca-certificates-mozilla was updated:

- explicitly remove distrusted certs, as the distrust does not get exported correctly and the SSL certs are still trusted. (bsc#1240343)
  - Entrust.net Premium 2048 Secure Server CA
  - Entrust Root Certification Authority
  - AffirmTrust Commercial
  - AffirmTrust Networking
  - AffirmTrust Premium
  - AffirmTrust Premium ECC
  - Entrust Root Certification Authority - G2
  - Entrust Root Certification Authority - EC1
  - GlobalSign Root E46
  - GLOBALTRUST 2020
- remove-distrusted.patch: apply to certdata.txt

- Fix awk to compare (missing a =) and give the following output:
  [#] NSS_BUILTINS_LIBRARY_VERSION &quot;2.74&quot;

- pass file argument to awk (bsc#1240009)

- update to 2.74 state of Mozilla SSL root CAs:
  Removed:
  * SwissSign Silver CA - G2
  Added:
  * D-TRUST BR Root CA 2 2023
  * D-TRUST EV Root CA 2 2023

- remove extensive signature printing in comments of the cert
  bundle

- Define two macros to break a build cycle with p11-kit.

- Updated to 2.72 state of Mozilla SSL root CAs (bsc#1234798)
  Removed:
  - SecureSign RootCA11
  - Security Communication RootCA3
  Added:
  - TWCA CYBER Root CA
  - TWCA Global Root CA G2
  - SecureSign Root CA12
  - SecureSign Root CA14
  - SecureSign Root CA15

Package cpupower was updated:

- For latest changelog entries, please look up the changelog of a kernel-FLAVOR or kernel-source with the exact same version and
  release build number.
  rpm -q --changelog kernel-source |grep &quot;turbostat\|intel-speed-select\|cpupower&quot;

Package docker was updated:

- Don't use the new container-selinux conditional requires on SLE-12, as the RPM version there doesn't support it. Arguably the change itself is a bit
  suspect but we can fix that later. bsc#1237367

- Add backport for golang.org/x/oauth2 CVE-2025-22868 fix. bsc#1239185
  + 0006-CVE-2025-22868-vendor-jws-split-token-into-fixed-num.patch
- Add backport for golang.org/x/crypto CVE-2025-22869 fix. bsc#1239322
  + 0007-CVE-2025-22869-vendor-ssh-limit-the-size-of-the-inte.patch
- Refresh patches:
  * 0001-SECRETS-daemon-allow-directory-creation-in-run-secre.patch
  * 0002-SECRETS-SUSE-implement-SUSE-container-secrets.patch
  * 0003-BUILD-SLE12-revert-graphdriver-btrfs-use-kernel-UAPI.patch
  * 0004-bsc1073877-apparmor-clobber-docker-default-profile-o.patch
  * 0005-SLE12-revert-apparmor-remove-version-conditionals-fr.patch

- Make container-selinux requirement conditional on selinux-policy
  (bsc#1237367)

Package dracut was updated:

- Update to version 059+suse.557.gccd6ab94:
  * fix(iscsi): make sure services are shut down when switching root (bsc#1237695)
  * fix(iscsi): don't require network setup for qedi
  * fix(network-legacy): do not require pgrep when using wicked (bsc#1236982)

Package gettext-runtime was updated:

- Fix crash while handling po files with malformed header and process them properly
  (0003-Fix-malformed-header-processing.patch, boo#1227316).

Package google-guest-agent was updated:

- Update to version 20250327.01 (bsc#1239763, bsc#1239866)
  * Remove error messages from gce_workload_cert_refresh and
    metadata script runner (#527)
- from version 20250327.00
  * Update guest-logging-go dependency (#526)
  * Add 'created-by' metadata, and pass it as option to logging library (#508)
  * Revert &quot;oslogin: Correctly handle newlines at the end of
    modified files (#520)&quot; (#523)
  * Re-enable disabled services if the core plugin was enabled (#522)
  * Enable guest services on package upgrade (#519)
  * oslogin: Correctly handle newlines at the end of modified files (#520)
  * Fix core plugin path (#518)
  * Fix package build issues (#517)
  * Fix dependencies ran go mod tidy -v (#515)
  * Fix debian build path (#514)
  * Bundle compat metadata script runner binary in package (#513)
  * Bump golang.org/x/net from 0.27.0 to 0.36.0 (#512)
  * Update startup/shutdown services to launch compat manager (#503)
  * Bundle new gce metadata script runner binary in agent package (#502)
  * Revert &quot;Revert bundling new binaries in the package (#509)&quot; (#511)
- from version 20250326.00
  * Re-enable disabled services if the core plugin was enabled (#521)
- from version 20250324.00
  * Enable guest services on package upgrade (#519)
  * oslogin: Correctly handle newlines at the end of modified files (#520)
  * Fix core plugin path (#518)
  * Fix package build issues (#517)
  * Fix dependencies ran go mod tidy -v (#515)
  * Fix debian build path (#514)
  * Bundle compat metadata script runner binary in package (#513)
  * Bump golang.org/x/net from 0.27.0 to 0.36.0 (#512)
  * Update startup/shutdown services to launch compat manager (#503)
  * Bundle new gce metadata script runner binary in agent package (#502)
  * Revert &quot;Revert bundling new binaries in the package (#509)&quot; (#511)
  * Revert bundling new binaries in the package (#509)
  * Fix typo in windows build script (#501)
  * Include core plugin binary for all packages (#500)
  * Update crypto library to fix CVE-2024-45337 (#499)
  * Start packaging compat manager (#498)
  * Start bundling ggactl_plugin_cleanup binary in all agent packages (#492)
  * scripts: introduce a wrapper to locally build deb package (#490)
  * Introduce compat-manager systemd unit (#497)
- from version 20250317.00
  * Revert &quot;Revert bundling new binaries in the package (#509)&quot; (#511)
  * Revert bundling new binaries in the package (#509)
  * Fix typo in windows build script (#501)
  * Include core plugin binary for all packages (#500)
  * Update crypto library to fix CVE-2024-45337 (#499)
  * Start packaging compat manager (#498)
  * Start bundling ggactl_plugin_cleanup binary in all agent packages (#492)
  * scripts: introduce a wrapper to locally build deb package (#490)
  * Introduce compat-manager systemd unit (#497)
- from version 20250312.00
  * Revert bundling new binaries in the package (#509)
  * Fix typo in windows build script (#501)
  * Include core plugin binary for all packages (#500)
  * Update crypto library to fix CVE-2024-45337 (#499)
  * Start packaging compat manager (#498)
  * Start bundling ggactl_plugin_cleanup binary in all agent packages (#492)
  * scripts: introduce a wrapper to locally build deb package (#490)
  * Introduce compat-manager systemd unit (#497)
- from version 20250305.00
  * Revert bundling new binaries in the package (#509)
  * Fix typo in windows build script (#501)
  * Include core plugin binary for all packages (#500)
  * Update crypto library to fix CVE-2024-45337 (#499)
  * Start packaging compat manager (#498)
  * Start bundling ggactl_plugin_cleanup binary in all agent packages (#492)
  * scripts: introduce a wrapper to locally build deb package (#490)
  * Introduce compat-manager systemd unit (#497)
- from version 20250304.01
  * Fix typo in windows build script (#501)
- from version 20250214.01
  * Include core plugin binary for all packages (#500)
- from version 20250214.00
  * Update crypto library to fix CVE-2024-45337 (#499)
- from version 20250212.00
  * Start packaging compat manager (#498)
  * Start bundling ggactl_plugin_cleanup binary in all agent packages (#492)
- from version 20250211.00
  * scripts: introduce a wrapper to locally build deb package (#490)
  * Introduce compat-manager systemd unit (#497)
- from version 20250207.00
  * vlan: toggle vlan configuration in debian packaging (#495)
  * vlan: move config out of unstable section (#494)
  * Add clarification to comments regarding invalid NICs and the
    `invalid` tag. (#493)
  * Include interfaces in lists even if it has an invalid MAC. (#489)
  * Fix windows package build failures (#491)
  * vlan: don't index based on the vlan ID (#486)
  * Revert PR #482 (#488)
  * Remove Amy and Zach from OWNERS (#487)
  * Skip interfaces in interfaceNames() instead of erroring if there is an (#482)
  * Fix Debian packaging if guest agent manager is not checked out (#485)
- from version 20250204.02
  * force concourse to move version forward.
- from version 20250204.01
  * vlan: toggle vlan configuration in debian packaging (#495)
- from version 20250204.00
  * vlan: move config out of unstable section (#494)
  * Add clarification to comments regarding invalid NICs and the
    `invalid` tag. (#493)
- from version 20250203.01
  * Include interfaces in lists even if it has an invalid MAC. (#489)
- from version 20250203.00
  * Fix windows package build failures (#491)
  * vlan: don't index based on the vlan ID (#486)
  * Revert PR #482 (#488)
  * Remove Amy and Zach from OWNERS (#487)
  * Skip interfaces in interfaceNames() instead of erroring if there is an (#482)
  * Fix Debian packaging if guest agent manager is not checked out (#485)
- from version 20250122.00
  * networkd(vlan): remove the interface in addition to config (#468)
  * Implement support for vlan dynamic removal, update dhclient to
    remove only if configured (#465)
  * Update logging library (#479)
  * Remove Pat from owners file. (#478)

- Add patch to fix unexpected memory consumption during token
  parsing in golang.org/x/oauth2 (bsc#1239197, CVE-2025-22868)
  * CVE-2025-22868.patch

Package google-osconfig-agent was updated:

- Add patch to fix unexpected memory consumption during token parsing in golang.org/x/oauth2 (bsc#1239197, CVE-2025-22868)
  * CVE-2025-22868.patch

Package hwinfo was updated:

- merge gh#openSUSE/hwinfo#152
- avoid reporting of spurious usb storage devices (bsc#1223330)
- 21.87

- merge gh#openSUSE/hwinfo#151
- do not overdo usb device de-duplication (bsc#1239663)
- 21.86

Package freetype2 was updated:

- Added patch:
  * CVE-2025-27363.patch
    + fixes bsc#1239465, CVE-2025-27363: out-of-bounds write when
    attempting to parse font subglyph structures related to
    TrueType GX and variable font files

Package xz was updated:

- Add CVE-2025-31115.patch
  * Fix heap use after free and writing to an address based on the null
    pointer plus an offset (CVE-2025-31115, bsc#1240414)

Package python3 was updated:

- Update CVE-2024-11168-validation-IPv6-addrs.patch according to the Debian version
  (gh#python/cpython#103848#issuecomment-2708135083).

Package systemd was updated:

- Import commit 83b9060b6e4c9cdffbbed0e27467cbd2f806dc0d
  09b7477895 udev: allow/denylist for reading sysfs attributes when composing a NIC name (bsc#1234015)
- Drop 5004-udev-allow-denylist-for-reading-sysfs-attributes-whe.patch
  The patch has been merged into the SUSE/v254 branch.

- Import commit 2b599c7501253b0e6b7987fdb2676af21bc72ab3 (merge of v254.24)
  For a complete list of changes, visit:
  https://github.com/openSUSE/systemd/compare/b25faa18ee7ef3c2d0b16416dfa331d0013dd112...2b599c7501253b0e6b7987fdb2676af21bc72ab3

- Import commit b25faa18ee7ef3c2d0b16416dfa331d0013dd112
  b4693652f3 journald: close runtime journals before their parent directory removed
  044d051f0c journald: reset runtime seqnum data when flushing to system journal (bsc#1236886)

- Move systemd-userwork from the experimental sub-package to the main package (bsc#1236643)
  It is likely an oversight from when systemd-userdb was migrated from the
  experimental package to the main one.

Package openssh was updated:

- Fix ssh client segfault with GSSAPIKeyExchange=yes in ssh_kex2 due to gssapi proposal not being correctly initialized
  (bsc#1236826). The problem was introduced in the rebase of
  the patch for 9.6p1:
  * openssh-8.0p1-gssapi-keyex.patch
- Rebase patch and apply it:
  * fix-memleak-in-process_server_config_line_depth.patch

Package suse-build-key was updated:

- changed keys to use SHA256 UIDs instead of SHA1. (bsc#1237294 bsc#1236779 jsc#PED-12321)
  - gpg-pubkey-3fa1d6ce-67c856ee.asc to gpg-pubkey-09d9ea69-67c857f3.asc
  - gpg-pubkey-09d9ea69-645b99ce.asc to gpg-pubkey-3fa1d6ce-63c9481c.asc
  - suse_ptf_key_2023.asc, suse_ptf_key.asc: adjusted

Package vim was updated:

- Introduce patch to fix bsc#1235751 (regression).
  * vim-9.1.1134-revert-putty-terminal-colors.patch
- Update to 9.1.1176. Changes:
  * 9.1.1176: wrong indent when expanding multiple lines
  * 9.1.1175: inconsistent behaviour with exclusive selection and motion commands
  * 9.1.1174: tests: Test_complete_cmdline() may fail
  * 9.1.1173: filetype: ABNF files are not detected
  * 9.1.1172: [security]: overflow with 'nostartofline' and Ex command in tag file
  * 9.1.1171: tests: wrong arguments passed to assert_equal()
  * 9.1.1170: wildmenu highlighting in popup can be improved
  * 9.1.1169: using global variable for get_insert()/get_lambda_name()
  * 9.1.1168: wrong flags passed down to nextwild()
  * 9.1.1167: mark '] wrong after copying text object
  * 9.1.1166: command-line auto-completion hard with wildmenu
  * 9.1.1165: diff: regression with multi-file diff blocks
  * 9.1.1164: [security]: code execution with tar.vim and special crafted tar files
  * 9.1.1163: $MYVIMDIR is set too late
  * 9.1.1162: completion popup not cleared in cmdline
  * 9.1.1161: preinsert requires bot &quot;menu&quot; and &quot;menuone&quot; to be set
  * 9.1.1160: Ctrl-Y does not work well with &quot;preinsert&quot; when completing items
  * 9.1.1159: $MYVIMDIR may not always be set
  * 9.1.1158: :verbose set has wrong file name with :compiler!
  * 9.1.1157: command completion wrong for input()
  * 9.1.1156: tests: No test for what patch 9.1.1152 fixes
  * 9.1.1155: Mode message not cleared after :silent message
  * 9.1.1154: Vim9: not able to use autoload class accross scripts
  * 9.1.1153: build error on Haiku
  * 9.1.1152: Patch v9.1.1151 causes problems
  * 9.1.1151: too many strlen() calls in getchar.c
  * 9.1.1150: :hi completion may complete to wrong value
  * 9.1.1149: Unix Makefile does not support Brazilian lang for the installer
  * 9.1.1148: Vim9: finding imported scripts can be further improved
  * 9.1.1147: preview-window does not scroll correctly
  * 9.1.1146: Vim9: wrong context being used when evaluating class member
  * 9.1.1145: multi-line completion has wrong indentation for last line
  * 9.1.1144: no way to create raw strings from a blob
  * 9.1.1143: illegal memory access when putting a register
  * 9.1.1142: tests: test_startup fails if $HOME/$XDG_CONFIG_HOME is defined
  * 9.1.1141: Misplaced comment in readfile()
  * 9.1.1140: filetype: m17ndb files are not detected
  * 9.1.1139: [fifo] is not displayed when editing a fifo
  * 9.1.1138: cmdline completion for :hi is too simplistic
  * 9.1.1137: ins_str() is inefficient by calling STRLEN()
  * 9.1.1136: Match highlighting marks a buffer region as changed
  * 9.1.1135: 'suffixesadd' doesn't work with multiple items
  * 9.1.1134: filetype: Guile init file not recognized
  * 9.1.1133: filetype: xkb files not recognized everywhere
  * 9.1.1132: Mark positions wrong after triggering multiline completion
  * 9.1.1131: potential out-of-memory issue in search.c
  * 9.1.1130: 'listchars' &quot;precedes&quot; is not drawn on Tabs.
  * 9.1.1129: missing out-of-memory test in buf_write()
  * 9.1.1128: patch 9.1.1119 caused a regression with imports
  * 9.1.1127: preinsert text is not cleaned up correctly
  * 9.1.1126: patch 9.1.1121 used a wrong way to handle enter
  * 9.1.1125: cannot loop through pum menu with multiline items
  * 9.1.1124: No test for 'listchars' &quot;precedes&quot; with double-width char
  * 9.1.1123: popup hi groups not falling back to defaults
  * 9.1.1122: too many strlen() calls in findfile.c
  * 9.1.1121: Enter does not insert newline with &quot;noselect&quot;
  * 9.1.1120: tests: Test_registers fails
  * 9.1.1119: Vim9: Not able to use an autoloaded class from another autoloaded script
  * 9.1.1118: tests: test_termcodes fails
  * 9.1.1117: there are a few minor style issues
  * 9.1.1116: Vim9: super not supported in lambda expressions
  * 9.1.1115: [security]: use-after-free in str_to_reg()
  * 9.1.1114: enabling termguicolors automatically confuses users
  * 9.1.1113: tests: Test_terminal_builtin_without_gui waits 2 seconds
  * 9.1.1112: Inconsistencies in get_next_or_prev_match()
  * 9.1.1111: Vim9: variable not found in transitive import
  * 9.1.1110: Vim tests are slow and flaky
  * 9.1.1109: cmdexpand.c hard to read
  * 9.1.1108: 'smoothscroll' gets stuck with 'listchars' &quot;eol&quot;
  * 9.1.1107: cannot loop through completion menu with fuzzy
  * 9.1.1106: tests: Test_log_nonexistent() causes asan failure
  * 9.1.1105: Vim9: no support for protected new() method
  * 9.1.1104: CI: using Ubuntu 22.04 Github runners
  * 9.1.1103: if_perl: still some compile errors with Perl 5.38
  * 9.1.1102: tests: Test_WinScrolled_Resized_eiw() uses wrong filename

Package xen was updated:

- bsc#1219354 - xen channels and domU console
  67c86fc1-xl-fix-channel-configuration-setting.patch
- bsc#1237692 - When attempting to start guest vm's libxl fills disk with errors
  67d2a3fe-libxl-avoid-infinite-loop-in-libxl__remove_directory.patch
- Upstream bug fixes (bsc#1027519)
  67b4961e-console-dont-truncate-panic-messages.patch
  67b49d86-memory-resource_max_frames-retval.patch
  67b5d27c-SVM-separate-STI-from-VMRUN.patch
  67cb03e0-x86-vlapic-ESR-write-handling.patch
  67d17edd-x86-expose-MSR_FAM10H_MMIO_CONF_BASE-on-AMD.patch
  67d17ede-VT-x-PI-usage-of-msi_desc-msg-field.patch

- bsc#1238043 - VUL-0: CVE-2025-1713: xen: deadlock potential with
  VT-d and legacy PCI device pass-through (XSA-467)
  67c06178-x86-IOMMU-bus-to-bridge-lock-acquired-IRQ-safe.patch

- Xen call trace and APIC Error found after reboot operation on AMD
  machine (bsc#1233796)
  67acb684-x86-offline-APs-with-IRQs-disabled.patch
  67acb685-x86-SMP-disable-IRQs-ahead-of-AP-shutdown.patch
  67acb686-x86-PCI-disable-MSI-at-shutdown.patch
  67acb687-x86-IOMMU-disable-IRQs-at-shutdown.patch
- Upstream bug fixes (bsc#1027519)
  66dedebf-x86-HVM-recursion-in-linear-rw.patch
  677bcb65-x86-traps-rework-LER-init-and.patch
  677c1a7c-x86-AMD-misc-setup-for-Fam1A.patch
  67921698-x86-HVM-MMIO-emul-cache-bounds-check.patch
  67935a31-x86-HVM-dyn-alloc-emul-cache-ents.patch
  67935a4c-x86-HVM-rw-split-at-page.patch
  67977673-x86-IOMMU-check-CMPXCHG16B-when-enabling.patch
  67977677-AMD-IOMMU-atomically-update-IRTE.patch
  679796ff-x86-PV-further-harden-guest-mem-access.patch
  67a5cb5f-radix-tree-purge-node-alloc-hooks.patch
  67a5cb94-radix-tree-introduce-RADIX_TREE_INIT.patch

</Note>
    <Note Title="Terms of Use" Type="Legal Disclaimer" Ordinal="3" xml:lang="en">The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).</Note>
  </DocumentNotes>
  <DocumentReferences>
    <Reference Type="Self">
      <URL>https://publiccloudimagechangeinfo.suse.com/google/sles-15-sp6-chost-byos-v20250408-x86-64/</URL>
      <Description>Public Cloud Image Info</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://www.suse.com/support/security/rating/</URL>
      <Description>SUSE Security Ratings</Description>
    </Reference>
  </DocumentReferences>
  <ProductTree xmlns="http://www.icasi.org/CVRF/schema/prod/1.1">
    <Branch Type="Product Family" Name="Public Cloud Image google/sles-15-sp6-chost-byos-v20250408-x86-64">
      <Branch Type="Product Name" Name="Public Cloud Image google/sles-15-sp6-chost-byos-v20250408-x86-64">
        <FullProductName ProductID="Public Cloud Image google/sles-15-sp6-chost-byos-v20250408-x86-64">Public Cloud Image google/sles-15-sp6-chost-byos-v20250408-x86-64</FullProductName>
      </Branch>
    </Branch>
    <Branch Type="Product Version" Name="apparmor-abstractions-3.1.7-150600.5.3.2">
      <FullProductName ProductID="apparmor-abstractions-3.1.7-150600.5.3.2">apparmor-abstractions-3.1.7-150600.5.3.2</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="apparmor-parser-3.1.7-150600.5.3.2">
      <FullProductName ProductID="apparmor-parser-3.1.7-150600.5.3.2">apparmor-parser-3.1.7-150600.5.3.2</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="ca-certificates-mozilla-2.74-150200.38.1">
      <FullProductName ProductID="ca-certificates-mozilla-2.74-150200.38.1">ca-certificates-mozilla-2.74-150200.38.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="cpupower-6.4.0-150600.4.3.1">
      <FullProductName ProductID="cpupower-6.4.0-150600.4.3.1">cpupower-6.4.0-150600.4.3.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="docker-27.5.1_ce-150000.218.1">
      <FullProductName ProductID="docker-27.5.1_ce-150000.218.1">docker-27.5.1_ce-150000.218.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="dracut-059+suse.557.gccd6ab94-150600.3.20.2">
      <FullProductName ProductID="dracut-059+suse.557.gccd6ab94-150600.3.20.2">dracut-059+suse.557.gccd6ab94-150600.3.20.2</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="gettext-runtime-0.21.1-150600.3.3.2">
      <FullProductName ProductID="gettext-runtime-0.21.1-150600.3.3.2">gettext-runtime-0.21.1-150600.3.3.2</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="google-guest-agent-20250327.01-150000.1.60.1">
      <FullProductName ProductID="google-guest-agent-20250327.01-150000.1.60.1">google-guest-agent-20250327.01-150000.1.60.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="google-osconfig-agent-20250115.01-150000.1.47.1">
      <FullProductName ProductID="google-osconfig-agent-20250115.01-150000.1.47.1">google-osconfig-agent-20250115.01-150000.1.47.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="hwinfo-21.87-150500.3.6.1">
      <FullProductName ProductID="hwinfo-21.87-150500.3.6.1">hwinfo-21.87-150500.3.6.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="libapparmor1-3.1.7-150600.5.3.2">
      <FullProductName ProductID="libapparmor1-3.1.7-150600.5.3.2">libapparmor1-3.1.7-150600.5.3.2</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="libcpupower1-6.4.0-150600.4.3.1">
      <FullProductName ProductID="libcpupower1-6.4.0-150600.4.3.1">libcpupower1-6.4.0-150600.4.3.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="libfreetype6-2.10.4-150000.4.18.1">
      <FullProductName ProductID="libfreetype6-2.10.4-150000.4.18.1">libfreetype6-2.10.4-150000.4.18.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="liblzma5-5.4.1-150600.3.3.1">
      <FullProductName ProductID="liblzma5-5.4.1-150600.3.3.1">liblzma5-5.4.1-150600.3.3.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="libpython3_6m1_0-3.6.15-150300.10.84.1">
      <FullProductName ProductID="libpython3_6m1_0-3.6.15-150300.10.84.1">libpython3_6m1_0-3.6.15-150300.10.84.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="libsystemd0-254.24-150600.4.28.1">
      <FullProductName ProductID="libsystemd0-254.24-150600.4.28.1">libsystemd0-254.24-150600.4.28.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="libtextstyle0-0.21.1-150600.3.3.2">
      <FullProductName ProductID="libtextstyle0-0.21.1-150600.3.3.2">libtextstyle0-0.21.1-150600.3.3.2</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="libudev1-254.24-150600.4.28.1">
      <FullProductName ProductID="libudev1-254.24-150600.4.28.1">libudev1-254.24-150600.4.28.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="openssh-9.6p1-150600.6.18.4">
      <FullProductName ProductID="openssh-9.6p1-150600.6.18.4">openssh-9.6p1-150600.6.18.4</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="openssh-clients-9.6p1-150600.6.18.4">
      <FullProductName ProductID="openssh-clients-9.6p1-150600.6.18.4">openssh-clients-9.6p1-150600.6.18.4</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="openssh-common-9.6p1-150600.6.18.4">
      <FullProductName ProductID="openssh-common-9.6p1-150600.6.18.4">openssh-common-9.6p1-150600.6.18.4</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="openssh-server-9.6p1-150600.6.18.4">
      <FullProductName ProductID="openssh-server-9.6p1-150600.6.18.4">openssh-server-9.6p1-150600.6.18.4</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="python3-base-3.6.15-150300.10.84.1">
      <FullProductName ProductID="python3-base-3.6.15-150300.10.84.1">python3-base-3.6.15-150300.10.84.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="suse-build-key-12.0-150000.8.58.1">
      <FullProductName ProductID="suse-build-key-12.0-150000.8.58.1">suse-build-key-12.0-150000.8.58.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="systemd-254.24-150600.4.28.1">
      <FullProductName ProductID="systemd-254.24-150600.4.28.1">systemd-254.24-150600.4.28.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="udev-254.24-150600.4.28.1">
      <FullProductName ProductID="udev-254.24-150600.4.28.1">udev-254.24-150600.4.28.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="vim-9.1.1176-150500.20.24.2">
      <FullProductName ProductID="vim-9.1.1176-150500.20.24.2">vim-9.1.1176-150500.20.24.2</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="vim-data-common-9.1.1176-150500.20.24.2">
      <FullProductName ProductID="vim-data-common-9.1.1176-150500.20.24.2">vim-data-common-9.1.1176-150500.20.24.2</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="xen-libs-4.18.4_06-150600.3.20.1">
      <FullProductName ProductID="xen-libs-4.18.4_06-150600.3.20.1">xen-libs-4.18.4_06-150600.3.20.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="xz-5.4.1-150600.3.3.1">
      <FullProductName ProductID="xz-5.4.1-150600.3.3.1">xz-5.4.1-150600.3.3.1</FullProductName>
    </Branch>
    <Relationship ProductReference="apparmor-abstractions-3.1.7-150600.5.3.2" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sles-15-sp6-chost-byos-v20250408-x86-64">
      <FullProductName ProductID="Public Cloud Image google/sles-15-sp6-chost-byos-v20250408-x86-64:apparmor-abstractions-3.1.7-150600.5.3.2">apparmor-abstractions-3.1.7-150600.5.3.2 as a component of Public Cloud Image google/sles-15-sp6-chost-byos-v20250408-x86-64</FullProductName>
    </Relationship>
    <Relationship ProductReference="apparmor-parser-3.1.7-150600.5.3.2" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sles-15-sp6-chost-byos-v20250408-x86-64">
      <FullProductName ProductID="Public Cloud Image google/sles-15-sp6-chost-byos-v20250408-x86-64:apparmor-parser-3.1.7-150600.5.3.2">apparmor-parser-3.1.7-150600.5.3.2 as a component of Public Cloud Image google/sles-15-sp6-chost-byos-v20250408-x86-64</FullProductName>
    </Relationship>
    <Relationship ProductReference="ca-certificates-mozilla-2.74-150200.38.1" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sles-15-sp6-chost-byos-v20250408-x86-64">
      <FullProductName ProductID="Public Cloud Image google/sles-15-sp6-chost-byos-v20250408-x86-64:ca-certificates-mozilla-2.74-150200.38.1">ca-certificates-mozilla-2.74-150200.38.1 as a component of Public Cloud Image google/sles-15-sp6-chost-byos-v20250408-x86-64</FullProductName>
    </Relationship>
    <Relationship ProductReference="cpupower-6.4.0-150600.4.3.1" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sles-15-sp6-chost-byos-v20250408-x86-64">
      <FullProductName ProductID="Public Cloud Image google/sles-15-sp6-chost-byos-v20250408-x86-64:cpupower-6.4.0-150600.4.3.1">cpupower-6.4.0-150600.4.3.1 as a component of Public Cloud Image google/sles-15-sp6-chost-byos-v20250408-x86-64</FullProductName>
    </Relationship>
    <Relationship ProductReference="docker-27.5.1_ce-150000.218.1" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sles-15-sp6-chost-byos-v20250408-x86-64">
      <FullProductName ProductID="Public Cloud Image google/sles-15-sp6-chost-byos-v20250408-x86-64:docker-27.5.1_ce-150000.218.1">docker-27.5.1_ce-150000.218.1 as a component of Public Cloud Image google/sles-15-sp6-chost-byos-v20250408-x86-64</FullProductName>
    </Relationship>
    <Relationship ProductReference="dracut-059+suse.557.gccd6ab94-150600.3.20.2" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sles-15-sp6-chost-byos-v20250408-x86-64">
      <FullProductName ProductID="Public Cloud Image google/sles-15-sp6-chost-byos-v20250408-x86-64:dracut-059+suse.557.gccd6ab94-150600.3.20.2">dracut-059+suse.557.gccd6ab94-150600.3.20.2 as a component of Public Cloud Image google/sles-15-sp6-chost-byos-v20250408-x86-64</FullProductName>
    </Relationship>
    <Relationship ProductReference="gettext-runtime-0.21.1-150600.3.3.2" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sles-15-sp6-chost-byos-v20250408-x86-64">
      <FullProductName ProductID="Public Cloud Image google/sles-15-sp6-chost-byos-v20250408-x86-64:gettext-runtime-0.21.1-150600.3.3.2">gettext-runtime-0.21.1-150600.3.3.2 as a component of Public Cloud Image google/sles-15-sp6-chost-byos-v20250408-x86-64</FullProductName>
    </Relationship>
    <Relationship ProductReference="google-guest-agent-20250327.01-150000.1.60.1" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sles-15-sp6-chost-byos-v20250408-x86-64">
      <FullProductName ProductID="Public Cloud Image google/sles-15-sp6-chost-byos-v20250408-x86-64:google-guest-agent-20250327.01-150000.1.60.1">google-guest-agent-20250327.01-150000.1.60.1 as a component of Public Cloud Image google/sles-15-sp6-chost-byos-v20250408-x86-64</FullProductName>
    </Relationship>
    <Relationship ProductReference="google-osconfig-agent-20250115.01-150000.1.47.1" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sles-15-sp6-chost-byos-v20250408-x86-64">
      <FullProductName ProductID="Public Cloud Image google/sles-15-sp6-chost-byos-v20250408-x86-64:google-osconfig-agent-20250115.01-150000.1.47.1">google-osconfig-agent-20250115.01-150000.1.47.1 as a component of Public Cloud Image google/sles-15-sp6-chost-byos-v20250408-x86-64</FullProductName>
    </Relationship>
    <Relationship ProductReference="hwinfo-21.87-150500.3.6.1" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sles-15-sp6-chost-byos-v20250408-x86-64">
      <FullProductName ProductID="Public Cloud Image google/sles-15-sp6-chost-byos-v20250408-x86-64:hwinfo-21.87-150500.3.6.1">hwinfo-21.87-150500.3.6.1 as a component of Public Cloud Image google/sles-15-sp6-chost-byos-v20250408-x86-64</FullProductName>
    </Relationship>
    <Relationship ProductReference="libapparmor1-3.1.7-150600.5.3.2" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sles-15-sp6-chost-byos-v20250408-x86-64">
      <FullProductName ProductID="Public Cloud Image google/sles-15-sp6-chost-byos-v20250408-x86-64:libapparmor1-3.1.7-150600.5.3.2">libapparmor1-3.1.7-150600.5.3.2 as a component of Public Cloud Image google/sles-15-sp6-chost-byos-v20250408-x86-64</FullProductName>
    </Relationship>
    <Relationship ProductReference="libcpupower1-6.4.0-150600.4.3.1" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sles-15-sp6-chost-byos-v20250408-x86-64">
      <FullProductName ProductID="Public Cloud Image google/sles-15-sp6-chost-byos-v20250408-x86-64:libcpupower1-6.4.0-150600.4.3.1">libcpupower1-6.4.0-150600.4.3.1 as a component of Public Cloud Image google/sles-15-sp6-chost-byos-v20250408-x86-64</FullProductName>
    </Relationship>
    <Relationship ProductReference="libfreetype6-2.10.4-150000.4.18.1" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sles-15-sp6-chost-byos-v20250408-x86-64">
      <FullProductName ProductID="Public Cloud Image google/sles-15-sp6-chost-byos-v20250408-x86-64:libfreetype6-2.10.4-150000.4.18.1">libfreetype6-2.10.4-150000.4.18.1 as a component of Public Cloud Image google/sles-15-sp6-chost-byos-v20250408-x86-64</FullProductName>
    </Relationship>
    <Relationship ProductReference="liblzma5-5.4.1-150600.3.3.1" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sles-15-sp6-chost-byos-v20250408-x86-64">
      <FullProductName ProductID="Public Cloud Image google/sles-15-sp6-chost-byos-v20250408-x86-64:liblzma5-5.4.1-150600.3.3.1">liblzma5-5.4.1-150600.3.3.1 as a component of Public Cloud Image google/sles-15-sp6-chost-byos-v20250408-x86-64</FullProductName>
    </Relationship>
    <Relationship ProductReference="libpython3_6m1_0-3.6.15-150300.10.84.1" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sles-15-sp6-chost-byos-v20250408-x86-64">
      <FullProductName ProductID="Public Cloud Image google/sles-15-sp6-chost-byos-v20250408-x86-64:libpython3_6m1_0-3.6.15-150300.10.84.1">libpython3_6m1_0-3.6.15-150300.10.84.1 as a component of Public Cloud Image google/sles-15-sp6-chost-byos-v20250408-x86-64</FullProductName>
    </Relationship>
    <Relationship ProductReference="libsystemd0-254.24-150600.4.28.1" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sles-15-sp6-chost-byos-v20250408-x86-64">
      <FullProductName ProductID="Public Cloud Image google/sles-15-sp6-chost-byos-v20250408-x86-64:libsystemd0-254.24-150600.4.28.1">libsystemd0-254.24-150600.4.28.1 as a component of Public Cloud Image google/sles-15-sp6-chost-byos-v20250408-x86-64</FullProductName>
    </Relationship>
    <Relationship ProductReference="libtextstyle0-0.21.1-150600.3.3.2" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sles-15-sp6-chost-byos-v20250408-x86-64">
      <FullProductName ProductID="Public Cloud Image google/sles-15-sp6-chost-byos-v20250408-x86-64:libtextstyle0-0.21.1-150600.3.3.2">libtextstyle0-0.21.1-150600.3.3.2 as a component of Public Cloud Image google/sles-15-sp6-chost-byos-v20250408-x86-64</FullProductName>
    </Relationship>
    <Relationship ProductReference="libudev1-254.24-150600.4.28.1" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sles-15-sp6-chost-byos-v20250408-x86-64">
      <FullProductName ProductID="Public Cloud Image google/sles-15-sp6-chost-byos-v20250408-x86-64:libudev1-254.24-150600.4.28.1">libudev1-254.24-150600.4.28.1 as a component of Public Cloud Image google/sles-15-sp6-chost-byos-v20250408-x86-64</FullProductName>
    </Relationship>
    <Relationship ProductReference="openssh-9.6p1-150600.6.18.4" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sles-15-sp6-chost-byos-v20250408-x86-64">
      <FullProductName ProductID="Public Cloud Image google/sles-15-sp6-chost-byos-v20250408-x86-64:openssh-9.6p1-150600.6.18.4">openssh-9.6p1-150600.6.18.4 as a component of Public Cloud Image google/sles-15-sp6-chost-byos-v20250408-x86-64</FullProductName>
    </Relationship>
    <Relationship ProductReference="openssh-clients-9.6p1-150600.6.18.4" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sles-15-sp6-chost-byos-v20250408-x86-64">
      <FullProductName ProductID="Public Cloud Image google/sles-15-sp6-chost-byos-v20250408-x86-64:openssh-clients-9.6p1-150600.6.18.4">openssh-clients-9.6p1-150600.6.18.4 as a component of Public Cloud Image google/sles-15-sp6-chost-byos-v20250408-x86-64</FullProductName>
    </Relationship>
    <Relationship ProductReference="openssh-common-9.6p1-150600.6.18.4" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sles-15-sp6-chost-byos-v20250408-x86-64">
      <FullProductName ProductID="Public Cloud Image google/sles-15-sp6-chost-byos-v20250408-x86-64:openssh-common-9.6p1-150600.6.18.4">openssh-common-9.6p1-150600.6.18.4 as a component of Public Cloud Image google/sles-15-sp6-chost-byos-v20250408-x86-64</FullProductName>
    </Relationship>
    <Relationship ProductReference="openssh-server-9.6p1-150600.6.18.4" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sles-15-sp6-chost-byos-v20250408-x86-64">
      <FullProductName ProductID="Public Cloud Image google/sles-15-sp6-chost-byos-v20250408-x86-64:openssh-server-9.6p1-150600.6.18.4">openssh-server-9.6p1-150600.6.18.4 as a component of Public Cloud Image google/sles-15-sp6-chost-byos-v20250408-x86-64</FullProductName>
    </Relationship>
    <Relationship ProductReference="python3-base-3.6.15-150300.10.84.1" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sles-15-sp6-chost-byos-v20250408-x86-64">
      <FullProductName ProductID="Public Cloud Image google/sles-15-sp6-chost-byos-v20250408-x86-64:python3-base-3.6.15-150300.10.84.1">python3-base-3.6.15-150300.10.84.1 as a component of Public Cloud Image google/sles-15-sp6-chost-byos-v20250408-x86-64</FullProductName>
    </Relationship>
    <Relationship ProductReference="suse-build-key-12.0-150000.8.58.1" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sles-15-sp6-chost-byos-v20250408-x86-64">
      <FullProductName ProductID="Public Cloud Image google/sles-15-sp6-chost-byos-v20250408-x86-64:suse-build-key-12.0-150000.8.58.1">suse-build-key-12.0-150000.8.58.1 as a component of Public Cloud Image google/sles-15-sp6-chost-byos-v20250408-x86-64</FullProductName>
    </Relationship>
    <Relationship ProductReference="systemd-254.24-150600.4.28.1" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sles-15-sp6-chost-byos-v20250408-x86-64">
      <FullProductName ProductID="Public Cloud Image google/sles-15-sp6-chost-byos-v20250408-x86-64:systemd-254.24-150600.4.28.1">systemd-254.24-150600.4.28.1 as a component of Public Cloud Image google/sles-15-sp6-chost-byos-v20250408-x86-64</FullProductName>
    </Relationship>
    <Relationship ProductReference="udev-254.24-150600.4.28.1" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sles-15-sp6-chost-byos-v20250408-x86-64">
      <FullProductName ProductID="Public Cloud Image google/sles-15-sp6-chost-byos-v20250408-x86-64:udev-254.24-150600.4.28.1">udev-254.24-150600.4.28.1 as a component of Public Cloud Image google/sles-15-sp6-chost-byos-v20250408-x86-64</FullProductName>
    </Relationship>
    <Relationship ProductReference="vim-9.1.1176-150500.20.24.2" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sles-15-sp6-chost-byos-v20250408-x86-64">
      <FullProductName ProductID="Public Cloud Image google/sles-15-sp6-chost-byos-v20250408-x86-64:vim-9.1.1176-150500.20.24.2">vim-9.1.1176-150500.20.24.2 as a component of Public Cloud Image google/sles-15-sp6-chost-byos-v20250408-x86-64</FullProductName>
    </Relationship>
    <Relationship ProductReference="vim-data-common-9.1.1176-150500.20.24.2" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sles-15-sp6-chost-byos-v20250408-x86-64">
      <FullProductName ProductID="Public Cloud Image google/sles-15-sp6-chost-byos-v20250408-x86-64:vim-data-common-9.1.1176-150500.20.24.2">vim-data-common-9.1.1176-150500.20.24.2 as a component of Public Cloud Image google/sles-15-sp6-chost-byos-v20250408-x86-64</FullProductName>
    </Relationship>
    <Relationship ProductReference="xen-libs-4.18.4_06-150600.3.20.1" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sles-15-sp6-chost-byos-v20250408-x86-64">
      <FullProductName ProductID="Public Cloud Image google/sles-15-sp6-chost-byos-v20250408-x86-64:xen-libs-4.18.4_06-150600.3.20.1">xen-libs-4.18.4_06-150600.3.20.1 as a component of Public Cloud Image google/sles-15-sp6-chost-byos-v20250408-x86-64</FullProductName>
    </Relationship>
    <Relationship ProductReference="xz-5.4.1-150600.3.3.1" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sles-15-sp6-chost-byos-v20250408-x86-64">
      <FullProductName ProductID="Public Cloud Image google/sles-15-sp6-chost-byos-v20250408-x86-64:xz-5.4.1-150600.3.3.1">xz-5.4.1-150600.3.3.1 as a component of Public Cloud Image google/sles-15-sp6-chost-byos-v20250408-x86-64</FullProductName>
    </Relationship>
  </ProductTree>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">The urllib.parse.urlsplit() and urlparse() functions improperly validated bracketed hosts (`[]`), allowing hosts that weren't IPv6 or IPvFuture. This behavior was not conformant to RFC 3986 and potentially enabled SSRF if a URL is processed by more than one URL parser.</Note>
    </Notes>
    <CVE>CVE-2024-11168</CVE>
    <ProductStatuses>
      <Status Type="Fixed"/>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>low</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">Applications and libraries which misuse connection.serverAuthenticate (via callback field ServerConfig.PublicKeyCallback) may be susceptible to an authorization bypass. The documentation for ServerConfig.PublicKeyCallback says that "A call to this function does not guarantee that the key offered is in fact used to authenticate." Specifically, the SSH protocol allows clients to inquire about whether a public key is acceptable before proving control of the corresponding private key. PublicKeyCallback may be called with multiple keys, and the order in which the keys were provided cannot be used to infer which key the client successfully authenticated with, if any. Some applications, which store the key(s) passed to PublicKeyCallback (or derived information) and make security relevant determinations based on it once the connection is established, may make incorrect assumptions. For example, an attacker may send public keys A and B, and then authenticate with A. PublicKeyCallback would be called only twice, first with A and then with B. A vulnerable application may then make authorization decisions based on key B for which the attacker does not actually control the private key. Since this API is widely misused, as a partial mitigation golang.org/x/cry...@v0.31.0 enforces the property that, when successfully authenticating via public key, the last key passed to ServerConfig.PublicKeyCallback will be the key used to authenticate the connection. PublicKeyCallback will now be called multiple times with the same key, if necessary. Note that the client may still not control the last key passed to PublicKeyCallback if the connection is then authenticated with a different method, such as PasswordCallback, KeyboardInteractiveCallback, or NoClientAuth. 
Users should be using the Extensions field of the Permissions return value from the various authentication callbacks to record data associated with the authentication attempt instead of referencing external state. Once the connection is established the state corresponding to the successful authentication attempt can be retrieved via the ServerConn.Permissions field. Note that some third-party libraries misuse the Permissions type by sharing it across authentication attempts; users of third-party libraries should refer to the relevant projects for guidance.</Note>
    </Notes>
    <CVE>CVE-2024-45337</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp6-chost-byos-v20250408-x86-64:google-guest-agent-20250327.01-150000.1.60.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>important</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">When setting up interrupt remapping for legacy PCI(-X) devices,
including PCI(-X) bridges, a lookup of the upstream bridge is required.
This lookup, itself involving acquiring of a lock, is done in a context
where acquiring that lock is unsafe. This can lead to a deadlock.</Note>
    </Notes>
    <CVE>CVE-2025-1713</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp6-chost-byos-v20250408-x86-64:xen-libs-4.18.4_06-150600.3.20.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">An attacker can pass a malicious malformed token which causes unexpected memory to be consumed during parsing.</Note>
    </Notes>
    <CVE>CVE-2025-22868</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp6-chost-byos-v20250408-x86-64:docker-27.5.1_ce-150000.218.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp6-chost-byos-v20250408-x86-64:google-guest-agent-20250327.01-150000.1.60.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp6-chost-byos-v20250408-x86-64:google-osconfig-agent-20250115.01-150000.1.47.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>important</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">SSH servers which implement file transfer protocols are vulnerable to a denial of service attack from clients which complete the key exchange slowly, or not at all, causing pending content to be read into memory, but never transmitted.</Note>
    </Notes>
    <CVE>CVE-2025-22869</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp6-chost-byos-v20250408-x86-64:docker-27.5.1_ce-150000.218.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>important</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">An out of bounds write exists in FreeType versions 2.13.0 and below (newer versions of FreeType are not vulnerable) when attempting to parse font subglyph structures related to TrueType GX and variable font files. The vulnerable code assigns a signed short value to an unsigned long and then adds a static value causing it to wrap around and allocate too small of a heap buffer. The code then writes up to 6 signed long integers out of bounds relative to this buffer. This may result in arbitrary code execution. This vulnerability may have been exploited in the wild.</Note>
    </Notes>
    <CVE>CVE-2025-27363</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp6-chost-byos-v20250408-x86-64:libfreetype6-2.10.4-150000.4.18.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>important</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">XZ Utils provide a general-purpose data-compression library plus command-line tools. In XZ Utils 5.3.3alpha to 5.8.0, the multithreaded .xz decoder in liblzma has a bug where invalid input can at least result in a crash. The effects include heap use after free and writing to an address based on the null pointer plus an offset. Applications and libraries that use the lzma_stream_decoder_mt function are affected. The bug has been fixed in XZ Utils 5.8.1, and the fix has been committed to the v5.4, v5.6, v5.8, and master branches in the xz Git repository. No new release packages will be made from the old stable branches, but a standalone patch is available that applies to all affected releases.</Note>
    </Notes>
    <CVE>CVE-2025-31115</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Public Cloud Image google/sles-15-sp6-chost-byos-v20250408-x86-64:liblzma5-5.4.1-150600.3.3.1</ProductID>
        <ProductID>Public Cloud Image google/sles-15-sp6-chost-byos-v20250408-x86-64:xz-5.4.1-150600.3.3.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>important</Description>
      </Threat>
    </Threats>
  </Vulnerability>
</cvrfdoc>
