SUSE Image Update Advisory: suse/sle-micro/base-5.5
-----------------------------------------------------------------
Image Advisory ID : SUSE-IU-2024:322-1
Image Tags        : suse/sle-micro/base-5.5:2.0.2 , suse/sle-micro/base-5.5:2.0.2-4.2.51 , suse/sle-micro/base-5.5:latest
Image Release     : 4.2.51
Severity          : important
Type              : security
References        : 1107342 1207987 1210959 1211886 1214934 1215377 1215434 1215698
                    1217445 1217450 1217589 1217667 1218232 1218492 1218571 1218782
                    1218831 1218866 1219031 1219238 1219243 1219321 1219442 1219520
                    1219576 1220061 1220385 1220441 1220724 1220770 1220771 1220772
                    1221218 1221239 1221399 1221665 1221667 1221831 CVE-2023-45918
                    CVE-2023-7207 CVE-2024-0727 CVE-2024-2004 CVE-2024-2398 CVE-2024-25062
                    CVE-2024-26458 CVE-2024-26461 CVE-2024-26462 CVE-2024-28085
                    CVE-2024-28182
-----------------------------------------------------------------

The container suse/sle-micro/base-5.5 was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:322-1
Released: Fri Feb 2 15:13:26 2024
Summary: Recommended update for aaa_base
Type: recommended
Severity: moderate
References: 1107342,1215434

This update for aaa_base fixes the following issues:

- Set JAVA_HOME correctly (bsc#1107342, bsc#1215434)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:480-1
Released: Thu Feb 15 12:35:51 2024
Summary: Recommended update for libsolv
Type: recommended
Severity: important
References: 1215698,1218782,1218831,1219442

This update for libsolv, libzypp fixes the following issues:

- build for multiple python versions [jsc#PED-6218]
- applydeltaprm: Create target directory if it does not exist (bsc#1219442)
- Fix problems with EINTR in ExternalDataSource::getline (bsc#1215698)
- CheckAccessDeleted: fix running_in_container detection (bsc#1218782)
- Detect CURLOPT_REDIR_PROTOCOLS_STR availability at runtime (bsc#1218831)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2024:549-1
Released: Tue Feb 20 17:05:52 2024
Summary: Security update for openssl-1_1
Type: security
Severity: moderate
References: 1219243,CVE-2024-0727

This update for openssl-1_1 fixes the following issues:

- CVE-2024-0727: Denial of service when processing a maliciously formatted PKCS12 file (bsc#1219243).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2024:555-1
Released: Tue Feb 20 17:22:17 2024
Summary: Security update for libxml2
Type: security
Severity: moderate
References: 1219576,CVE-2024-25062

This update for libxml2 fixes the following issues:

- CVE-2024-25062: Fixed use-after-free in XMLReader (bsc#1219576).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:615-1
Released: Mon Feb 26 11:32:32 2024
Summary: Recommended update for netcfg
Type: recommended
Severity: moderate
References: 1211886

This update for netcfg fixes the following issues:

- Add krb-prop entry (bsc#1211886)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:766-1
Released: Tue Mar 5 13:50:28 2024
Summary: Recommended update for libssh
Type: recommended
Severity: important
References: 1220385

This update for libssh fixes the following issues:

- Fix regression parsing IPv6 addresses provided as hostname (bsc#1220385)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2024:305-1
Released: Mon Mar 11 14:15:37 2024
Summary: Security update for cpio
Type: security
Severity: moderate
References: 1218571,1219238,CVE-2023-7207

This update for cpio fixes the following issues:

- Fixed cpio not extracting correctly when using the --no-absolute-filenames option after the security fix for CVE-2023-7207 (bsc#1218571, bsc#1219238)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:861-1
Released: Wed Mar 13 09:12:30 2024
Summary: Recommended update for aaa_base
Type: recommended
Severity: moderate
References: 1218232

This update for aaa_base fixes the following issues:

- Silence the output in the case of broken symlinks (bsc#1218232)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2024:870-1
Released: Wed Mar 13 13:05:14 2024
Summary: Security update for glibc
Type: security
Severity: moderate
References: 1217445,1217589,1218866

This update for glibc fixes the following issues:

Security issues fixed:

- qsort: harden handling of degenerated / non transient compare function (bsc#1218866)

Other issues fixed:

- getaddrinfo: translate ENOMEM to EAI_MEMORY (bsc#1217589, BZ #31163)
- aarch64: correct CFI in rawmemchr (bsc#1217445, BZ #31113)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:907-1
Released: Fri Mar 15 08:57:38 2024
Summary: Recommended update for audit
Type: recommended
Severity: moderate
References: 1215377

This update for audit fixes the following issue:

- Fix plugin termination when using systemd service units (bsc#1215377)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:929-1
Released: Tue Mar 19 06:36:24 2024
Summary: Recommended update for coreutils
Type: recommended
Severity: moderate
References: 1219321

This update for coreutils fixes the following issues:

- tail: fix tailing sysfs files where PAGE_SIZE > BUFSIZ (bsc#1219321)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2024:997-1
Released: Tue Mar 26 11:03:37 2024
Summary: Security update for krb5
Type: security
Severity: important
References: 1220770,1220771,1220772,CVE-2024-26458,CVE-2024-26461,CVE-2024-26462

This update for krb5 fixes the following issues:

- CVE-2024-26458: Fixed memory leak at /krb5/src/lib/rpc/pmap_rmt.c (bsc#1220770).
- CVE-2024-26461: Fixed memory leak at /krb5/src/lib/gssapi/krb5/k5sealv3.c (bsc#1220771).
- CVE-2024-26462: Fixed memory leak at /krb5/src/kdc/ndr.c (bsc#1220772).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:1015-1
Released: Thu Mar 28 06:08:11 2024
Summary: Recommended update for sed
Type: recommended
Severity: important
References: 1221218

This update for sed fixes the following issues:

- 'sed -i' now creates temporary files with correct umask (bsc#1221218)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2024:1133-1
Released: Mon Apr 8 11:29:02 2024
Summary: Security update for ncurses
Type: security
Severity: moderate
References: 1220061,CVE-2023-45918

This update for ncurses fixes the following issues:

- CVE-2023-45918: Fixed NULL pointer dereference via corrupted xterm-256color file (bsc#1220061).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2024:1151-1
Released: Mon Apr 8 11:36:23 2024
Summary: Security update for curl
Type: security
Severity: moderate
References: 1221665,1221667,CVE-2024-2004,CVE-2024-2398

This update for curl fixes the following issues:

- CVE-2024-2004: Fix the usage of disabled protocol logic. (bsc#1221665)
- CVE-2024-2398: Fix HTTP/2 push headers memory-leak.
  (bsc#1221667)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2024:1167-1
Released: Mon Apr 8 15:11:11 2024
Summary: Security update for nghttp2
Type: security
Severity: important
References: 1221399,CVE-2024-28182

This update for nghttp2 fixes the following issues:

- CVE-2024-28182: Fixed denial of service via http/2 continuation frames (bsc#1221399)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2024:1172-1
Released: Tue Apr 9 09:52:32 2024
Summary: Security update for util-linux
Type: security
Severity: important
References: 1207987,1221831,CVE-2024-28085

This update for util-linux fixes the following issues:

- CVE-2024-28085: Properly neutralize escape sequences in wall. (bsc#1221831)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:1231-1
Released: Thu Apr 11 15:20:40 2024
Summary: Recommended update for glibc
Type: recommended
Severity: moderate
References: 1220441

This update for glibc fixes the following issues:

- duplocale: protect use of global locale (bsc#1220441, BZ #23970)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:1253-1
Released: Fri Apr 12 08:15:18 2024
Summary: Recommended update for gcc13
Type: recommended
Severity: moderate
References: 1210959,1214934,1217450,1217667,1218492,1219031,1219520,1220724,1221239

This update for gcc13 fixes the following issues:

- Fix unwinding for JIT code. [bsc#1221239]
- Revert libgccjit dependency change. [bsc#1220724]
- Remove crypt and crypt_r interceptors. The crypt API change in SLE15 SP3 breaks them. [bsc#1219520]
- Add support for -fmin-function-alignment. [bsc#1214934]
- Use %{_target_cpu} to determine host and build.
- Fix for building TVM. [bsc#1218492]
- Add cross-X-newlib-devel requires to newlib cross compilers. [bsc#1219031]
- Package m2rte.so plugin in the gcc13-m2 sub-package rather than in gcc13-devel.
  [bsc#1210959]
- Require libstdc++6-devel-gcc13 from gcc13-m2 as m2 programs are linked against libstdc++6.
- Fixed building mariadb on i686. [bsc#1217667]
- Avoid update-alternatives dependency for accelerator crosses.
- Package tool links to llvm in cross-amdgcn-gcc13 rather than in cross-amdgcn-newlib13-devel since that also has the dependence.
- Depend on llvmVER instead of llvm with VER equal to %product_libs_llvm_ver where available and adjust tool discovery accordingly.
  This should also properly trigger re-builds when the patchlevel version of llvmVER changes, possibly changing the binary names we link to. [bsc#1217450]

The following package changes have been done:

- libssh-config-0.9.8-150400.3.6.1 updated
- glibc-2.31-150300.71.1 updated
- libuuid1-2.37.4-150500.9.6.1 updated
- libsmartcols1-2.37.4-150500.9.6.1 updated
- libblkid1-2.37.4-150500.9.6.1 updated
- libfdisk1-2.37.4-150500.9.6.1 updated
- libnghttp2-14-1.40.0-150200.17.1 updated
- libaudit1-3.0.6-150400.4.16.1 updated
- libgcc_s1-13.2.1+git8285-150000.1.9.1 updated
- libstdc++6-13.2.1+git8285-150000.1.9.1 updated
- libncurses6-6.1-150000.5.24.1 updated
- terminfo-base-6.1-150000.5.24.1 updated
- ncurses-utils-6.1-150000.5.24.1 updated
- login_defs-4.8.1-150400.10.15.1 updated
- cpio-2.13-150400.3.6.1 updated
- libxml2-2-2.10.3-150500.5.14.1 updated
- libopenssl1_1-1.1.1l-150500.17.25.1 updated
- libopenssl1_1-hmac-1.1.1l-150500.17.25.1 updated
- libmount1-2.37.4-150500.9.6.1 updated
- krb5-1.20.1-150500.3.6.1 updated
- libssh4-0.9.8-150400.3.6.1 updated
- coreutils-8.32-150400.9.3.1 updated
- libcurl4-8.0.1-150400.5.44.1 updated
- sed-4.4-150300.13.3.1 updated
- libsolv-tools-0.7.28-150400.3.16.2 updated
- libzypp-17.31.31-150400.3.52.2 updated
- shadow-4.8.1-150400.10.15.1 updated
- util-linux-2.37.4-150500.9.6.1 updated
- aaa_base-84.87+git20180409.04c9dae-150300.10.12.1 updated
- netcfg-11.6-150000.3.6.1 updated
- curl-8.0.1-150400.5.44.1 updated
- openssl-1_1-1.1.1l-150500.17.25.1 updated
- timezone-2023c-150000.75.23.1 removed