suse-sle-micro-6-0-v20260218-x86_64-llc Package Source Changes

000release-packages:SL-Micro-release

n/a

cockpit

- Update dependencies for bsc#1257324/CVE-2025-13465

crun

- make sure the opened .krun_config.json is below the rootfs directory
  and we don't follow any symlink. (CVE-2025-24965, bsc#1237421)
  * krun-fix-CVE-2025-24965.patch

curl

- Security fix: [bsc#1256105, CVE-2025-14017]
  * call ldap_init() before setting the options
  * Add patch curl-CVE-2025-14017.patch

glib2

- Add CVE fixes:
  + glib2-CVE-2026-1484.patch (bsc#1257355 CVE-2026-1484
    glgo#GNOME/glib!4979).
  + glib2-CVE-2026-1485.patch (bsc#1257354 CVE-2026-1485
    glgo#GNOME/glib!4981).
  + glib2-CVE-2026-1489.patch (bsc#1257353 CVE-2026-1489
    glgo#GNOME/glib!4984).

- Add glib2-CVE-2026-0988.patch: fix a potential integer overflow
  in g_buffered_input_stream_peek (bsc#1257049 CVE-2026-0988
  glgo#GNOME/glib#3851).

gpg2

- Security fix [bsc#1257396, CVE-2026-24882]
  - gpg2: stack-based buffer overflow in TPM2 PKDECRYPT for TPM-backed RSA and ECC keys
  - Added gnupg-CVE-2026-24882.patch

- Security fix [bsc#1256389] (gpg.fail/filename)
  * Added gnupg-accepts-path-separators-literal-data.patch
  * GnuPG Accepts Path Separators and Path Traversals in Literal Data

util-linux

- Fix heap buffer overread in setpwnam() when processing 256-byte
  usernames (bsc#1254666, CVE-2025-14104,
  util-linux-CVE-2025-14104-1.patch,
  util-linux-CVE-2025-14104-2.patch).

- lscpu: Add support for NVIDIA Olympus arm64 core (jsc#PED-13682,
  util-linux-lscpu-add-arm64-NVIDIA-Olympus.patch).

curl:mini

- Security fix: [bsc#1256105, CVE-2025-14017]
  * call ldap_init() before setting the options
  * Add patch curl-CVE-2025-14017.patch

expat

- security update
- added patches
  CVE-2026-24515 [bsc#1257144], NULL dereference (CWE-476) due to function XML_ExternalEntityParserCreate() failing to copy the encoding handler data passed to XML_SetUnknownEncodingHandler() from the parent to the subparser
  * expat-CVE-2026-24515.patch
  CVE-2026-25210 [bsc#1257496], lack of buffer size check can lead to an integer overflow
  * expat-CVE-2026-25210.patch

openssl-3

- Security fixes:
  * Missing ASN1_TYPE validation in PKCS#12 parsing
  - openssl-CVE-2026-22795.patch [bsc#1256839, CVE-2026-22795]
  * ASN1_TYPE Type Confusion in the PKCS7_digest_from_attributes() function
  - openssl-CVE-2026-22795.patch [bsc#1256840, CVE-2026-22796]
  * Missing ASN1_TYPE validation in TS_RESP_verify_response() function
  - openssl-CVE-2025-69420.patch [bsc#1256837, CVE-2025-69420]
  * NULL Pointer Dereference in PKCS12_item_decrypt_d2i_ex function
  - openssl-CVE-2025-69421.patch [bsc#1256838, CVE-2025-69421]
  * Out of bounds write in PKCS12_get_friendlyname() UTF-8 conversion
  - openssl-CVE-2025-69419.patch [bsc#1256836, CVE-2025-69419]
  * Heap out-of-bounds write in BIO_f_linebuffer on short writes
  - openssl-CVE-2025-68160.patch [bsc#1256834, CVE-2025-68160]
  * Unauthenticated/unencrypted trailing bytes with low-level OCB function calls
  - openssl-CVE-2025-69418.patch [bsc#1256835, CVE-2025-69418]
  * Stack buffer overflow in CMS AuthEnvelopedData parsing
  - openssl-CVE-2025-15467.patch [bsc#1256830, CVE-2025-15467]
  - openssl-CVE-2025-15467-comments.patch
  - openssl-CVE-2025-15467-test.patch

libsolv

- fixed rare crash in the handling of allowuninstall in combination
  with forcebest updates
- new pool_satisfieddep_map feature to test if a set of packages
  satisfies a dependency
- bump version to 0.7.35

libxml2

- Add patch libxml2-CVE-2026-0989.patch, to fix call stack exhaustion
  leading to application crash due to RelaxNG parser not limiting the
  recursion depth when resolving `<include>` directives
  CVE-2026-0989, bsc#1256805, https://gitlab.gnome.org/GNOME/libxml2/-/merge_requests/374

libzypp

- Prepare a legacy /etc/zypp/zypp.conf to be installed on old distros.
  See the ZYPP.CONF(5) man page for details.
- Fix runtime check for broken rpm --runposttrans (bsc#1257068)
- version 17.38.2 (35)

- Avoid libcurl-mini4 when building as it does not support ftp
  protocol.
- Translation: updated .pot file.
- version 17.38.1 (35)

- zypp.conf: follow the UAPI configuration file specification
  (PED-14658)
  In short terms it means we will no longer ship an
  /etc/zypp/zypp.conf, but store our own defaults in
  /usr/etc/zypp/zypp.conf. The systems administrator may choose to
  keep a full copy in /etc/zypp/zypp.conf ignoring our config file
  settings completely, or - the preferred way - to overwrite
  specific settings via /etc/zypp/zypp.conf.d/*.conf overlay files.
  See the ZYPP.CONF(5) man page for details.
- cmake: correctly detect rpm6 (fixes #689)
- Use 'zypp.tmp' as temp directory component to ease setting up
  SELinux policies (bsc#1249435)
- zyppng: Update Provider to current MediaCurl2 download
  approach, drop Metalink ( fixes #682 )
- version 17.38.0 (35)

podman

- Add symlink to catatonit in /usr/libexec/podman (bsc#1248988)

libxml2:python

- Add patch libxml2-CVE-2026-0989.patch, to fix call stack exhaustion
  leading to application crash due to RelaxNG parser not limiting the
  recursion depth when resolving `<include>` directives
  CVE-2026-0989, bsc#1256805, https://gitlab.gnome.org/GNOME/libxml2/-/merge_requests/374

python-pyasn1

- Add CVE-2026-23490.patch to fix CVE-2026-23490 (bsc#1256902)
- fix broken changelog entries

python-urllib3

- Add security patches:
  * CVE-2025-66471 (bsc#1254867)
  * CVE-2025-66418 (bsc#1254866)

suseconnect-ng

- Update version to 1.20:
  - Update error message for Public Cloud instances with registercloudguest
    installed. SUSEConnect -d is disabled on PYAG and BYOS when the
    registercloudguest command is available. (bsc#1230861)
  - Enhanced SAP detected. Take TREX into account and remove empty values when
    only /usr/sap but no installation exists (bsc#1241002)
  - Fixed modules and extension link to point to version less documentation. (bsc#1239439)
  - Fixed SAP instance detection (bsc#1244550)
  - Remove link to extensions documentation (bsc#1239439)
  - Migrate to the public library

- Version 1.14 public library release
  This version is only available on Github as a tag to release the
  new golang public library which can be consumed without the need
  to interface with SUSEConnect directly.

util-linux:systemd

- Fix heap buffer overread in setpwnam() when processing 256-byte
  usernames (bsc#1254666, CVE-2025-14104,
  util-linux-CVE-2025-14104-1.patch,
  util-linux-CVE-2025-14104-2.patch).

- lscpu: Add support for NVIDIA Olympus arm64 core (jsc#PED-13682,
  util-linux-lscpu-add-arm64-NVIDIA-Olympus.patch).