SUSE Container Update Advisory: suse/sle15 ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2022:1706-1 Container Tags : bci/bci-base:15.4 , bci/bci-base:15.4.27.11.7 , suse/sle15:15.4 , suse/sle15:15.4.27.11.7 Container Release : 27.11.7 Severity : important Type : security References : 1194550 1196490 1197684 1199042 1199132 CVE-2022-23308 CVE-2022-29824 ----------------------------------------------------------------- The container suse/sle15 was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2022:2552-1 Released: Tue Jul 26 14:55:40 2022 Summary: Security update for libxml2 Type: security Severity: important References: 1196490,1199132,CVE-2022-23308,CVE-2022-29824 This update for libxml2 fixes the following issues: Update to 2.9.14: - CVE-2022-29824: Fixed integer overflow that could have led to an out-of-bounds write in buf.c (xmlBuf*) and tree.c (xmlBuffer*) (bsc#1199132). Update to version 2.9.13: - CVE-2022-23308: Fixed a use-after-free of ID and IDREF attributes. (bsc#1196490) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2022:2573-1 Released: Thu Jul 28 04:24:19 2022 Summary: Recommended update for libzypp, zypper Type: recommended Severity: moderate References: 1194550,1197684,1199042 This update for libzypp, zypper fixes the following issues: libzypp: - appdata plugin: Pass path to the repodata/ directory inside the cache (bsc#1197684) - zypp-rpm: flush rpm script output buffer before sending endOfScriptTag - PluginRepoverification: initial version hooked into repo::Downloader and repo refresh - Immediately start monitoring the download.transfer_timeout. Do not wait until the first data arrived (bsc#1199042) - singletrans: no dry-run commit if doing just download-only - Work around cases where sat repo.start points to an invalid solvable. May happen if (wrong arch) solvables were removed at the beginning of the repo. - Fix misplaced #endif SINGLE_RPMTRANS_AS_DEFAULT_FOR_ZYPPER zypper: - Basic JobReport for 'cmdout/monitor' - versioncmp: if verbose, also print the edition 'parts' which are compared - Make sure MediaAccess is closed on exception (bsc#1194550) - Display plus-content hint conditionally - Honor the NO_COLOR environment variable when auto-detecting whether to use color - Define table columns which should be sorted natural [case insensitive] - lr/ls: Use highlight color on name and alias as well The following package changes have been done: - libxml2-2-2.9.14-150400.5.7.1 updated - libzypp-17.30.2-150400.3.3.1 updated - zypper-1.14.53-150400.3.3.1 updated