Security update for build SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2025:0857-1 Final 1 1 2025-03-13T17:58:06Z current 2025-03-13T17:58:06Z 2025-03-13T17:58:06Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for build This update for build fixes the following issues: - CVE-2024-22038: Fixed DoS attacks, information leaks with crafted Git repositories (bnc#1230469) Other fixes: - Fixed behaviour when using '--shell' aka 'osc shell' option in a VM build. Startup is faster and permissions stay intact now. - fixes for POSIX compatibility for obs-docker-support adn mkbaselibs - Add support for apk in docker/podman builds - Add support for 'wget' in Docker images - Fix debian support for Dockerfile builds - Fix preinstallimages in containers - mkosi: add back system-packages used by build-recipe directly - pbuild: parse the Release files for debian repos - mkosi: drop most systemd/build-packages deps and use obs_scm directory as source if present - improve source copy handling - Introduce --repos-directory and --containers-directory options - productcompose: support of building against a baseiso - preinstallimage: avoid inclusion of build script generated files - preserve timestamps on sources copy-in for kiwi and productcompose - alpine package support updates - tumbleweed config update - debian: Support installation of foreign architecture packages (required for armv7l setups) - Parse unknown timezones as UTC - Apk (Alpine Linux) format support added - Implement default value in parameter expansion - Also support supplements that use & as 'and' - Add workaround for skopeo's argument parser - add cap-htm=off on power9 - Fixed usage of chown calls - Remove leading `go` from `purl` locators - container related: * Implement support for the new <containers> element in kiwi recipes * Fixes for SBOM and dependencies of multi stage container builds * obs-docker-support: enable dnf and yum substitutions - Arch Linux: * fix file path for Arch repo * exclude unsupported arch * Use root as download user - build-vm-qemu: force sv48 satp mode on riscv64 - mkosi: * Create .sha256 files after mkosi builds * Always pass --image-version to mkosi - General improvements and bugfixes (mkosi, pbuild, appimage/livebuild, obs work detection, documention, SBOM) - Support slsa v1 in unpack_slsa_provenance - generate_sbom: do not clobber spdx supplier - Harden export_debian_orig_from_git (bsc#1230469) - SBOM generation: - Adding golang introspection support - Adding rust binary introspection support - Keep track of unknwon licenses and add a 'hasExtractedLicensingInfos' section - Also normalize licenses for cyclonedx - Make generate_sbom errors fatal - general improvements - Fix noprep building not working because the buildir is removed - kiwi image: also detect a debian build if /var/lib/dpkg/status is present - Do not use the Encode module to convert a code point to utf8 - Fix personality syscall number for riscv - add more required recommendations for KVM builds - set PACKAGER field in build-recipe-arch - fix writing _modulemd.yaml - pbuild: support --release and --baselibs option - container: - copy base container information from the annotation into the containerinfo - track base containers over multiple stages - always put the base container last in the dependencies - providing fileprovides in createdirdeps tool - Introduce buildflag nochecks - productcompose: support __all__ option - config update: tumbleweed using preinstallexpand - minor improvements - tumbleweed build config update - support the %load macro - improve container filename generation (docker) - fix hanging curl calls during build (docker) - productcompose: fix milestone query - tumbleweed build config update - 15.6 build config fixes - sourcerpm & sourcedep handling fixes - productcompose: - Fix milestone handling - Support bcntsynctag - Adding debian support to generate_sbom - Add syscall for personality switch on loongarch64 kernel - vm-build: ext3 & ext4: fix disk space allocation - mkosi format updates, not fully working yet - pbuild exception fixes - Fixes for current fedora and centos distros - Don't copy original dsc sources if OBS-DCH-RELEASE set - Unbreak parsing of sources/patches - Support ForceMultiVersion in the dockerfile parser - Support %bcond of rpm 4.17.1 - Add a hack for systemd 255.3, creating an empty /etc/os-release if missing after preinstall. - docker: Fix HEAD request in dummyhttpserver - pbuild: Make docker-nobasepackages expand flag the default - rpm: Support a couple of builtin rpm macros - rpm: Implement argument expansion for define/with/bcond... - Fix multiline macro handling - Accept -N parameter of %autosetup - documentation updates - various code cleanup and speedup work. - ProductCompose: multiple improvements - Add buildflags:define_specfile support - Fix copy-in of git subdirectory sources - pbuild: Speed up XML parsing - pubild: product compose support - generate_sbom: add help option - podman: enforce runtime=runc - Implement direct conflicts from the distro config - changelog2spec: fix time zone handling - Do not unmount /proc/sys/fs/binfmt_misc before runnint the check scripts - spec file cleanup - documentation updates - productcompose: - support schema 0.1 - support milestones - Leap 15.6 config - SLE 15 SP6 config - productcompose: follow incompatible flavor syntax change - pbuild: support for zstd - fixed handling for cmdline parameters via kernel packages - productcompose: * BREAKING: support new schema * adapt flavor architecture parsing - productcompose: * support filtered package lists * support default architecture listing * fix copy in binaries in VM builds^ - obsproduct build type got renamed to productcompose - Support zstd compressed rpm-md meta data (bsc#1217269) - Added Debian 12 configuration - First ObsProduct build format support - fix SLE 15 SP5 build configuration - Improve user agent handling for obs repositories - Docker: - Support flavor specific build descriptions via Dockerfile.$flavor - support 'PlusRecommended' hint to also provide recommended packages - use the name/version as filename if both are known - Produce docker format containers by default - pbuild: Support for signature authentification of OBS resources - Fix wiping build root for --vm-type podman - Put BUILD_RELEASE and BUILD_CHANGELOG_TIMESTAMP in the /.buildenv - build-vm-kvm: use -cpu host on riscv64 - small fixes and cleanups - Added parser for BcntSyncTag in sources - pbuild: * fix dependency expansion for build types other than spec * Reworked cycle handling code * add --extra-packs option * add debugflags option - Pass-through --buildtool-opt - Parse Patch and Source lines more accurately - fix tunefs functionality - minor bugfixes - --vm-type=podman added (supports also root-less builds) - Also support build constraints in the Dockerfile - minor fixes - Add SUSE ALP build config - BREAKING: Record errors when parsing the project config former behaviour was undefined - container: Support compression format configuration option - Don't setup ccache with --no-init - improved loongarch64 support - sbom: SPDX supplier tag added - kiwi: support different versions per profile - preinstallimage: fail when recompression fails - Add support for recommends and supplements dependencies - Support the 'keepfilerequires' expand flag - add '--buildtool-opt=OPTIONS' to pass options to the used build tool - distro config updates * ArchLinux * Tumbleweed - documentation updates - openSUSE Tumbleweed: sync config and move to suse_version 1699. - universal post-build hook, just place a file in /usr/lib/build/post_build.d/ - mkbaselibs/hwcaps, fix pattern name once again (x86_64_v3) - KiwiProduct: add --use-newest-package hint if the option is set - Dockerfile support: * export multibuild flavor as argument * allow parameters in FROM .. scratch lines * include OS name in build result if != linux - Workaround directory->symlink usrmerge problems for cross arch sysroot - multiple fixes for SBOM support - KIWI VM image SBOM support added The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). SUSE-2025-857,SUSE-SLE-Module-Development-Tools-15-SP6-2025-857,SUSE-SLE-Product-HPC-15-SP3-LTSS-2025-857,SUSE-SLE-Product-HPC-15-SP4-ESPOS-2025-857,SUSE-SLE-Product-HPC-15-SP4-LTSS-2025-857,SUSE-SLE-Product-HPC-15-SP5-ESPOS-2025-857,SUSE-SLE-Product-HPC-15-SP5-LTSS-2025-857,SUSE-SLE-Product-SLES-15-SP3-LTSS-2025-857,SUSE-SLE-Product-SLES-15-SP4-LTSS-2025-857,SUSE-SLE-Product-SLES-15-SP5-LTSS-2025-857,SUSE-SLE-Product-SLES_SAP-15-SP3-2025-857,SUSE-SLE-Product-SLES_SAP-15-SP4-2025-857,SUSE-SLE-Product-SLES_SAP-15-SP5-2025-857,SUSE-Storage-7.1-2025-857,openSUSE-SLE-15.6-2025-857 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2025/suse-su-20250857-1/ Link for SUSE-SU-2025:0857-1 https://lists.suse.com/pipermail/sle-security-updates/2025-March/020511.html E-Mail link for SUSE-SU-2025:0857-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1217269 SUSE Bug 1217269 https://bugzilla.suse.com/1230469 SUSE Bug 1230469 https://www.suse.com/security/cve/CVE-2024-22038/ SUSE CVE CVE-2024-22038 page SUSE Enterprise Storage 7.1 SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS SUSE Linux Enterprise Module for Development Tools 15 SP6 SUSE Linux Enterprise Server 15 SP3-LTSS SUSE Linux Enterprise Server 15 SP4-LTSS SUSE Linux Enterprise Server 15 SP5-LTSS SUSE Linux Enterprise Server for SAP Applications 15 SP3 SUSE Linux Enterprise Server for SAP Applications 15 SP4 SUSE Linux Enterprise Server for SAP Applications 15 SP5 openSUSE Leap 15.6 build-20250306-150200.19.1 build-initvm-aarch64-20250306-150200.19.1 build-initvm-i586-20250306-150200.19.1 build-initvm-powerpc64le-20250306-150200.19.1 build-initvm-s390x-20250306-150200.19.1 build-initvm-x86_64-20250306-150200.19.1 build-mkbaselibs-20250306-150200.19.1 build-mkdrpms-20250306-150200.19.1 build-20250306-150200.19.1 as a component of SUSE Enterprise Storage 7.1 build-mkbaselibs-20250306-150200.19.1 as a component of SUSE Enterprise Storage 7.1 build-20250306-150200.19.1 as a component of SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS build-mkbaselibs-20250306-150200.19.1 as a component of SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS build-20250306-150200.19.1 as a component of SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS build-mkbaselibs-20250306-150200.19.1 as a component of SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS build-20250306-150200.19.1 as a component of SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS build-mkbaselibs-20250306-150200.19.1 as a component of SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS build-20250306-150200.19.1 as a component of SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS build-mkbaselibs-20250306-150200.19.1 as a component of SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS build-20250306-150200.19.1 as a component of SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS build-mkbaselibs-20250306-150200.19.1 as a component of SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS build-20250306-150200.19.1 as a component of SUSE Linux Enterprise Module for Development Tools 15 SP6 build-mkbaselibs-20250306-150200.19.1 as a component of SUSE Linux Enterprise Module for Development Tools 15 SP6 build-20250306-150200.19.1 as a component of SUSE Linux Enterprise Server 15 SP3-LTSS build-mkbaselibs-20250306-150200.19.1 as a component of SUSE Linux Enterprise Server 15 SP3-LTSS build-20250306-150200.19.1 as a component of SUSE Linux Enterprise Server 15 SP4-LTSS build-mkbaselibs-20250306-150200.19.1 as a component of SUSE Linux Enterprise Server 15 SP4-LTSS build-20250306-150200.19.1 as a component of SUSE Linux Enterprise Server 15 SP5-LTSS build-mkbaselibs-20250306-150200.19.1 as a component of SUSE Linux Enterprise Server 15 SP5-LTSS build-20250306-150200.19.1 as a component of SUSE Linux Enterprise Server for SAP Applications 15 SP3 build-mkbaselibs-20250306-150200.19.1 as a component of SUSE Linux Enterprise Server for SAP Applications 15 SP3 build-20250306-150200.19.1 as a component of SUSE Linux Enterprise Server for SAP Applications 15 SP4 build-mkbaselibs-20250306-150200.19.1 as a component of SUSE Linux Enterprise Server for SAP Applications 15 SP4 build-20250306-150200.19.1 as a component of SUSE Linux Enterprise Server for SAP Applications 15 SP5 build-mkbaselibs-20250306-150200.19.1 as a component of SUSE Linux Enterprise Server for SAP Applications 15 SP5 build-20250306-150200.19.1 as a component of openSUSE Leap 15.6 build-initvm-aarch64-20250306-150200.19.1 as a component of openSUSE Leap 15.6 build-initvm-powerpc64le-20250306-150200.19.1 as a component of openSUSE Leap 15.6 build-initvm-s390x-20250306-150200.19.1 as a component of openSUSE Leap 15.6 build-initvm-x86_64-20250306-150200.19.1 as a component of openSUSE Leap 15.6 build-mkbaselibs-20250306-150200.19.1 as a component of openSUSE Leap 15.6 build-mkdrpms-20250306-150200.19.1 as a component of openSUSE Leap 15.6 Various problems in obs-scm-bridge allows attackers that create specially crafted git repositories to leak information of cause denial of service. CVE-2024-22038 SUSE Enterprise Storage 7.1:build-20250306-150200.19.1 SUSE Enterprise Storage 7.1:build-mkbaselibs-20250306-150200.19.1 SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS:build-20250306-150200.19.1 SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS:build-mkbaselibs-20250306-150200.19.1 SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS:build-20250306-150200.19.1 SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS:build-mkbaselibs-20250306-150200.19.1 SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS:build-20250306-150200.19.1 SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS:build-mkbaselibs-20250306-150200.19.1 SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS:build-20250306-150200.19.1 SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS:build-mkbaselibs-20250306-150200.19.1 SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS:build-20250306-150200.19.1 SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS:build-mkbaselibs-20250306-150200.19.1 SUSE Linux Enterprise Module for Development Tools 15 SP6:build-20250306-150200.19.1 SUSE Linux Enterprise Module for Development Tools 15 SP6:build-mkbaselibs-20250306-150200.19.1 SUSE Linux Enterprise Server 15 SP3-LTSS:build-20250306-150200.19.1 SUSE Linux Enterprise Server 15 SP3-LTSS:build-mkbaselibs-20250306-150200.19.1 SUSE Linux Enterprise Server 15 SP4-LTSS:build-20250306-150200.19.1 SUSE Linux Enterprise Server 15 SP4-LTSS:build-mkbaselibs-20250306-150200.19.1 SUSE Linux Enterprise Server 15 SP5-LTSS:build-20250306-150200.19.1 SUSE Linux Enterprise Server 15 SP5-LTSS:build-mkbaselibs-20250306-150200.19.1 SUSE Linux Enterprise Server for SAP Applications 15 SP3:build-20250306-150200.19.1 SUSE Linux Enterprise Server for SAP Applications 15 SP3:build-mkbaselibs-20250306-150200.19.1 SUSE Linux Enterprise Server for SAP Applications 15 SP4:build-20250306-150200.19.1 SUSE Linux Enterprise Server for SAP Applications 15 SP4:build-mkbaselibs-20250306-150200.19.1 SUSE Linux Enterprise Server for SAP Applications 15 SP5:build-20250306-150200.19.1 SUSE Linux Enterprise Server for SAP Applications 15 SP5:build-mkbaselibs-20250306-150200.19.1 openSUSE Leap 15.6:build-20250306-150200.19.1 openSUSE Leap 15.6:build-initvm-aarch64-20250306-150200.19.1 openSUSE Leap 15.6:build-initvm-powerpc64le-20250306-150200.19.1 openSUSE Leap 15.6:build-initvm-s390x-20250306-150200.19.1 openSUSE Leap 15.6:build-initvm-x86_64-20250306-150200.19.1 openSUSE Leap 15.6:build-mkbaselibs-20250306-150200.19.1 openSUSE Leap 15.6:build-mkdrpms-20250306-150200.19.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-20250857-1/ https://www.suse.com/security/cve/CVE-2024-22038.html CVE-2024-22038 https://bugzilla.suse.com/1230469 SUSE Bug 1230469