- libxslt
-
- security update
- added patches
CVE-2025-11731 [bsc#1251979], type confusion in exsltFuncResultCompfunction leading to denial of service
* libxslt-CVE-2025-11731.patch
- propagate test failure into build failure
- added sources
* libxslt-test-results.ref
- python3
-
- Readjust CVE-2025-4435-normalize-lnk-trgts-tarfile.patch on the
top of the previous patch. Security fixes for CVE-2025-4517,
CVE-2025-4330, CVE-2025-4138, CVE-2024-12718, CVE-2025-4435 on
tarfile (bsc#1244032, bsc#1244061, bsc#1244059, bsc#1244060,
bsc#1244056). The backported fixes do not contain changes for
ntpath.py and related tests, because the support for symlinks
and junctions were added later in Python 3.9, and it does not
make sense to backport them to 3.6 here. The patch is contains
the following changes:
- python@42deeab fixes symlink handling for tarfile.data_filter
- python@9d2c2a8 fixes handling of existing files/symlinks in
tarfile
- python@00af979 adds a new "strict" argument to realpath()
- python@dd8f187 fixes mulriple CVE fixes in the tarfile module
- downstream only fixes that makes the changes work and
compatible with Python 3.6
- Readjust CVE-2025-8194-tarfile-no-neg-offsets.patch on the top
of the previous two patches
- Add remove-usr-local-bin-shebangs.patch for removing two
shebangs with /usr/local/bin/python (with the complexity of the
current patchset fiddling with the files with `sed` makes those
patches unmaintainable).
- Finally ported CVE-2007-4559-filter-tarfile_extractall.patch
for Python 3.4 (CVE-2007-4559, bsc#1203750, bsc#1251841).
- Add CVE-2025-13836-http-resp-cont-len.patch (bsc#1254400,
CVE-2025-13836) to prevent reading an HTTP response from
a server, if no read amount is specified, with using
Content-Length per default as the length.
- Add CVE-2025-12084-minidom-quad-search.patch prevent quadratic
behavior in node ID cache clearing (CVE-2025-12084,
bsc#1254997).
- Add CVE-2025-13837-plistlib-mailicious-length.patch protect
against OOM when loading malicious content (CVE-2025-13837,
bsc#1254401).
- Fix the build system with two patches:
- spc-tab-Makefile-pre-in.patch there are space-indended lines
in the Makefile.pre.in in tarball (!!!), fix that
- Modules_Setup.patch, Modules/makesetup script is kind of
broken (gh#python/cpython!4338 among others)
- time-static.patch make time module statically built into the
interpreter
- Add s390-build.patch to skip failing test on s390.
- Add CVE-2025-6075-expandvars-perf-degrad.patch avoid simple
quadratic complexity vulnerabilities of os.path.expandvars()
(CVE-2025-6075, bsc#1252974).
- Add also two small patches:
- lchmod-non-support.patch adding @requires_lchmod operator
for skipping tests on platforms were changing the mode of
symbolic links is supported (which it isn’t in SLE-12,
apparently).
- locale-test_float_with_commad.patch for decoding byte strings
in localeconv() for consistent output
- Update pip wheel to pip-20.2.3-py2.py3-none-any.whl.
- Add CVE-2025-8291-consistency-zip64.patch which checks
consistency of the zip64 end of central directory record, and
preventing obfuscation of the payload, i.e., you scanning for
malicious content in a ZIP file with one ZIP parser (let's say
a Rust one) then unpack it in production with another (e.g.,
the Python one) and get malicious content that the other parser
did not see (CVE-2025-8291, bsc#1251305)
- Readjust patches while synchronizing between openSUSE and SLE trees:
- 99366-patch.dict-can-decorate-async.patch
- CVE-2007-4559-filter-tarfile_extractall.patch
- CVE-2020-10735-DoS-no-limit-int-size.patch
- CVE-2024-6232-ReDOS-backtrack-tarfile.patch
- CVE-2025-4435-normalize-lnk-trgts-tarfile.patch
- CVE-2025-8194-tarfile-no-neg-offsets.patch
- python-3.6.0-multilib-new.patch
- python3-sorted_tar.patch
- pciutils
-
- pciutils.spec: Add a strict dependency to libpci. [bsc#1252338]
Mixing different versions of pciutils and libpci could result in
a segmentation fault due to incompatible ABI.
- python36
-
- Add CVE-2025-13836-http-resp-cont-len.patch (bsc#1254400,
CVE-2025-13836) to prevent reading an HTTP response from
a server, if no read amount is specified, with using
Content-Length per default as the length.
- Add CVE-2025-12084-minidom-quad-search.patch prevent quadratic
behavior in node ID cache clearing (CVE-2025-12084,
bsc#1254997).
- Add CVE-2025-13837-plistlib-mailicious-length.patch protect
against OOM when loading malicious content (CVE-2025-13837,
bsc#1254401).
- Add CVE-2025-6075-expandvars-perf-degrad.patch avoid simple
quadratic complexity vulnerabilities of os.path.expandvars()
(CVE-2025-6075, bsc#1252974).
- Skip test_curses on ppc64le (gh#python/cpython#141534)
- Add CVE-2025-8291-consistency-zip64.patch which checks
consistency of the zip64 end of central directory record, and
preventing obfuscation of the payload, i.e., you scanning for
malicious content in a ZIP file with one ZIP parser (let's say
a Rust one) then unpack it in production with another (e.g.,
the Python one) and get malicious content that the other parser
did not see (CVE-2025-8291, bsc#1251305)
- Readjust patches while synchronizing between openSUSE and SLE trees:
- F00251-change-user-install-location.patch
- doc-py38-to-py36.patch
- gh126985-mv-pyvenv.cfg2getpath.patch
- python-azure-agent
-
- Update to version 2.14.0.1 (bsc#1253001)
+ Drop - included upstream
~ agent-btrfs-use-f.patch included upstream
~ remove-mock.patch
+ FIPS 140-3 support
+ Block extensions disallowed by policy
+ Report ext policy errors in heartbeat
+ Implement signature validation helper functions
+ Prevent ssh public key override
+ Use proper filesystem creation flag for btrfs
+ Enable resource monitoring in cgroup v2 machines
+ Update agent cgroup cleanup
+ Add cgroupv2 distros to supported list
+ Clean old agent cgroup setup
+ Redact sas tokens in telemetry events and agent log
+ Add conf option to use hardcoded wireserver ip instead of dhcp request
to discover wireserver ip
+ Support for python 3.12
+ Update telemetry message for agent updates and send new telemetry for
ext resource governance
+ Disable rsm downgrade
+ Add community support for Chainguard OS
+ Swap out legacycrypt for crypt-r for Python 3.13+
+ Pin setuptools version
+ Set the agent config file path for FreeBSD
+ Handle errors importing crypt module
- From 2.13.1.1
+ Setup: Fix install_requires list syntax
+ Pickup latest goal state on tenant certificate rotation + Avoid
infinite loop when the tenant certificate is missing
+ Fix unsupported syntax in py2.6
+ Cgroup rewrite: uses systemctl for expressing desired configuration
instead drop-in files
+ Remove usages of tempfile.mktemp
+ Use random time for attempting new Agent update
+ Enable logcollector in v2 machines
+ Clean history files
+ Missing firewall rules reason
+ Add support for nftables (+ refactoring of firewall code)
+ Create walinuxagent nftable atomically
- bash
-
- Add patch bsc1245199.patch
* Fix histfile missing timestamp for the oldest record (bsc#1245199)
- docker
-
- Enable SELinux in default daemon.json config (--selinux-enabled). This has no
practical impact on non-SELinux systems. bsc#1252290
- Update to Docker 28.5.1-ce. See upstream changelog online at
<https://docs.docker.com/engine/release-notes/28/#2851>
- Rebased patches:
* 0001-SECRETS-SUSE-always-clear-our-internal-secrets.patch
* 0002-SECRETS-daemon-allow-directory-creation-in-run-secre.patch
* 0003-SECRETS-SUSE-implement-SUSE-container-secrets.patch
* 0004-BUILD-SLE12-revert-graphdriver-btrfs-use-kernel-UAPI.patch
* 0005-bsc1073877-apparmor-clobber-docker-default-profile-o.patch
* 0006-SLE12-revert-apparmor-remove-version-conditionals-fr.patch
* cli-0001-openSUSE-point-users-to-docker-buildx-package.patch
* cli-0002-SECRETS-SUSE-default-to-DOCKER_BUILDKIT-0-for-docker.patch
- Remove upstreamed patch:
- 0007-Add-back-vendor.sum.patch
- Update to Docker 28.5.0-ce. See upstream changelog online at
<https://docs.docker.com/engine/release-notes/28/#2850>
- Backport <https://github.com/moby/moby/pull/51091> to re-add vendor.sum,
fixing our builds.
+ 0007-Add-back-vendor.sum.patch
- Rebased patches:
* 0001-SECRETS-SUSE-always-clear-our-internal-secrets.patch
* 0002-SECRETS-daemon-allow-directory-creation-in-run-secre.patch
* 0003-SECRETS-SUSE-implement-SUSE-container-secrets.patch
* 0004-BUILD-SLE12-revert-graphdriver-btrfs-use-kernel-UAPI.patch
* 0005-bsc1073877-apparmor-clobber-docker-default-profile-o.patch
* 0006-SLE12-revert-apparmor-remove-version-conditionals-fr.patch
* cli-0001-openSUSE-point-users-to-docker-buildx-package.patch
* cli-0002-SECRETS-SUSE-default-to-DOCKER_BUILDKIT-0-for-docker.patch
- Update to docker-buildx v0.29.0. Upstream changelog:
<https://github.com/docker/buildx/releases/tag/v0.29.0>
- Remove git-core recommends also on openSUSE: the below argument
is valid for those users too.
- Remove git-core recommends on SLE. Most SLE systems have
installRecommends=yes by default and thus end up installing git with Docker.
bsc#1250508
This feature is mostly intended for developers ("docker build git://") so
most users already have the dependency installed, and the error when git is
missing is fairly straightforward (so they can easily figure out what they
need to install).
- openssh
-
- Add openssh-cve-2025-61984-username-validation.patch
(bsc#1251198, CVE-2025-61984).
- grub2
-
- Fix CVE-2025-54771 (bsc#1252931)
* 0001-kern-file-Call-grub_dl_unref-after-fs-fs_close.patch
- Fix CVE-2025-61662 (bsc#1252933)
* 0002-gettext-gettext-Unregister-gettext-command-on-module.patch
- Fix CVE-2025-61663 (bsc#1252934)
- Fix CVE-2025-61664 (bsc#1252935)
* 0003-normal-main-Unregister-commands-on-module-unload.patch
* 0004-tests-lib-functional_test-Unregister-commands-on-mod.patch
- Fix CVE-2025-61661 (bsc#1252932)
* 0005-commands-usbtest-Use-correct-string-length-field.patch
* 0006-commands-usbtest-Ensure-string-length-is-sufficient-.patch
- Bump upstream SBAT generation to 6
- mozilla-nspr
-
- update to NSPR 4.36.2
* Fixed a syntax error in test file parsetm.c,
which was introduced in 4.36.1
- update to NSPR 4.36.1
* Incorrect time value produced by PR_ParseTimeString and
PR_ParseTimeStringToExplodedTime if input string doesn't
specify seconds.
- azure-cli-core
-
- Add patch to fix improper neutralization of special elements
used in a command which allows an unauthorized attacker to
elevate privileges locally
+ CVE-2025-24049.patch (bsc#1239460, CVE-2025-24049)
- libtasn1
-
- Security fix: [bsc#1256341, CVE-2025-13151]
* Stack-based buffer overflow. The function asn1_expend_octet_string()
fails to validate the size of input data resulting in a buffer overflow.
* Add libtasn1-CVE-2025-13151.patch
- mozilla-nss
-
- Add bmo1990242.patch to move NSS DB password hash away from SHA-1
- update to NSS 3.112.2
* bmo#1970079 - Prevent leaks during pkcs12 decoding.
* bmo#1988046 - SEC_ASN1Decode* should ensure it has read as many bytes as each length field indicates
- Adding patch bmo1980465.patch to fix bug on s390x (bmo#1980465)
- Adding patch bmo1956754.patch to fix possible undefined behaviour (bmo#1956754)
- update to NSS 3.112.1
* bmo#1982742 - restore support for finding certificates by decoded serial number.
- rsync
-
- Security update (CVE-2025-10158, bsc#1254441): rsync: Out of
bounds array access via negative index
- Add rsync-CVE-2025-10158.patch
- libxml2
-
- security update
- added patches
https://gitlab.gnome.org/GNOME/libxml2/-/commit/852c93a2dc2224f020aab55a9702f992db404836
* libxml2-CVE-2025-9714-0.patch
https://gitlab.gnome.org/GNOME/libxml2/-/commit/5153c7baceca65f575efdcbb0244860d97031f96
* libxml2-CVE-2025-9714-1.patch
https://gitlab.gnome.org/GNOME/libxml2/-/commit/64115ed62dd01dab81a9157a54738523fe117333
* libxml2-CVE-2025-9714-2.patch
https://gitlab.gnome.org/GNOME/libxml2/-/commit/2d97a97aa515f1bd3efc35c8ea2aa68676c6f8e1
* libxml2-CVE-2025-9714-3.patch
https://gitlab.gnome.org/GNOME/libxml2/-/commit/012f8e92847a4e5ff684e7bd8e81a0b1ad104e32
* libxml2-CVE-2025-9714-4.patch
https://gitlab.gnome.org/GNOME/libxml2/-/commit/949eced484520bdde3348e55eba048501b809127
* libxml2-CVE-2025-9714-5.patch
https://gitlab.gnome.org/GNOME/libxml2/-/commit/390f05e7033fa8658f310dce9704f4f88e84b7fe
* libxml2-CVE-2025-9714-6.patch
https://gitlab.gnome.org/GNOME/libxml2/-/commit/429d4ecaae5d61d591f279220125a583836fb84e
* libxml2-CVE-2025-9714-7.patch
https://gitlab.gnome.org/GNOME/libxml2/-/commit/6f1470a5d6e3e369fe93f52d5760ba7c947f0cd1
* libxml2-CVE-2025-9714-8.patch
https://gitlab.gnome.org/GNOME/libxml2/-/commit/677a42645ef22b5a50741bad5facf9d8a8bc6d21
* libxml2-CVE-2025-9714.patch
- security update
- added patches
CVE-2025-8732 [bsc#1247850], infinite recursion in catalog parsing functions when processing malformed SGML catalog files
* libxml2-CVE-2025-8732.patch
- bind
-
- Security Fixes:
* Address various spoofing attacks.
[CVE-2025-40778, bsc#1252379, bind-9.11-CVE-2025-40778.patch]
- containerd
-
- Update to containerd v1.7.29. Upstream release notes:
<https://github.com/containerd/containerd/releases/tag/v1.7.29>
* CVE-2024-25621 bsc#1253126
* CVE-2025-64329 bsc#1253132
- Rebase patches:
* 0001-BUILD-SLE12-revert-btrfs-depend-on-kernel-UAPI-inste.patch
- Update to containerd v1.7.28. Upstream release notes:
<https://github.com/containerd/containerd/releases/tag/v1.7.28>
- _product:sle-sdk-release
-
n/a
- python
-
- Add CVE-2025-13836-http-resp-cont-len.patch (bsc#1254400,
CVE-2025-13836) to prevent reading an HTTP response from
a server, if no read amount is specified, with using
Content-Length per default as the length.
- Add CVE-2025-12084-minidom-quad-search.patch prevent quadratic
behavior in node ID cache clearing (CVE-2025-12084,
bsc#1254997).
- Add CVE-2025-8291-consistency-zip64.patch which checks
consistency of the zip64 end of central directory record, and
preventing obfuscation of the payload, i.e., you scanning for
malicious content in a ZIP file with one ZIP parser (let's say
a Rust one) then unpack it in production with another (e.g.,
the Python one) and get malicious content that the other parser
did not see (CVE-2025-8291, bsc#1251305)
- cups
-
- cups-1.7.5-CVE-2025-61915.patch is based on
https://github.com/OpenPrinting/cups-ghsa-hxm8-vfpq-jrfc/pull/2
backported to CUPS 1.7.5 to fix CVE-2025-61915
"Local denial-of-service via cupsd.conf update
and related issues"
https://github.com/OpenPrinting/cups/security/advisories/GHSA-hxm8-vfpq-jrfc
bsc#1253783
- In general regarding CUPS security issues and/or DoS issues see
https://en.opensuse.org/SDB:CUPS_and_SANE_Firewall_settings
- glib2
-
- Add glib2-CVE-2026-0988.patch: fix a potential integer overflow
in g_buffered_input_stream_peek (bsc#1257049 CVE-2026-0988
glgo#GNOME/glib#3851).
- Add CVE fixes:
+ glib2-CVE-2025-13601.patch (bsc#1254297 CVE-2025-13601
glgo#GNOME/glib#3827).
+ glib2-CVE-2025-14087-1.patch, glib2-CVE-2025-14087-2.patch,
glib2-CVE-2025-14087-3.patch (bsc#1254662 CVE-2025-14087
glgo#GNOME/glib#3834).
+ glib2-CVE-2025-14512.patch (bsc#1254878 CVE-2025-14512
glgo#GNOME/glib#3845).
- Add glib2-CVE-2025-7039.patch: fix computation of temporary file
name (bsc#1249055 CVE-2025-7039 glgo#GNOME/glib#3716).
- libpcap
-
- Security fix: [bsc#1255765, CVE-2025-11961]
* Fix out-of-bound-write and out-of-bound-read in pcap_ether_aton()
due to missing validation of provided MAC-48 address string
* Add libpcap-CVE-2025-11961.patch
- libsodium
-
- Security fix: [bsc#1256070, CVE-2025-15444]
* check Y==Z in addition to X==0
* Add patch libsodium-CVE-2025-15444.patch
- libyui-ncurses
-
- Backport: Prevent buffer overflow when drawing very wide labels
(originally for bsc#1211354, now also for bsc#1247975)
- 2.48.3
- curl
-
- Security fix: [bsc#1256105, CVE-2025-14017]
* call ldap_init() before setting the options
* Add patch curl-CVE-2025-14017.patch
- Security fixes:
* [bsc#1255731, CVE-2025-14524] bearer token leak on cross-protocol redirect
* [bsc#1255733, CVE-2025-15079] set both knownhosts options to the same file
* [bsc#1255732, CVE-2025-14819] toggling CURLSSLOPT_NO_PARTIALCHAIN makes a different CA cache
* Add patches:
- curl-CVE-2025-14524.patch
- curl-CVE-2025-15079.patch
- curl-CVE-2025-14819.patch
- runc
-
- Update to runc v1.3.4. Upstream changelog is available from
<https://github.com/opencontainers/runc/releases/tag/v1.3.4>. bsc#1254362
- Update to runc v1.3.3. Upstream changelog is available from
<https://github.com/opencontainers/runc/releases/tag/v1.3.3>. bsc#1252232
* CVE-2025-31133
* CVE-2025-52565
* CVE-2025-52881
- Remove upstreamed patches for bsc#1252232:
- 2025-11-05-CVEs.patch
[ This update was only released for SLE 12 and 15. ]
- Backport patches for three CVEs. All three vulnerabilities ultimately allow
(through different methods) for full container breakouts by bypassing runc's
restrictions for writing to arbitrary /proc files. bsc#1252232
* CVE-2025-31133
* CVE-2025-52565
* CVE-2025-52881
+ 2025-11-05-CVEs.patch
[ This update was only released for SLE 12 and 15. ]
- Update to runc v1.2.7. Upstream changelog is available from
<https://github.com/opencontainers/runc/releases/tag/v1.2.7>.
- Update to runc v1.3.2. Upstream changelog is available from
<https://github.com/opencontainers/runc/releases/tag/v1.3.2> bsc#1252110
- Includes an important fix for the CPUSet translation for cgroupv2.
- Update to runc v1.3.1. Upstream changelog is available from
<https://github.com/opencontainers/runc/releases/tag/v1.3.1>
- Fix runc 1.3.x builds on SLE-12 by enabling --std=gnu11.
- Update to runc v1.3.0. Upstream changelog is available from
<https://github.com/opencontainers/runc/releases/tag/v1.3.0>
- vim
-
- Fix for bsc#1229750.
- nocompatible must be set before the syntax highlighting is turned on.
- libpng16
-
- security update
- added patches
CVE-2026-22695 [bsc#1256525], Heap buffer over-read in png_image_finish_read
* libpng16-CVE-2026-22695.patch
- security update
- added patches
CVE-2025-66293 [bsc#1254480], LIBPNG out-of-bounds read in png_image_read_composite
* libpng16-CVE-2025-66293-1.patch
* libpng16-CVE-2025-66293-2.patch
- security update
- modified patches
* libpng16-1.6.8-CVE-2014-0333.patch (-p1)
* libpng16-CVE-2014-9495.patch (-p1)
* libpng16-CVE-2015-0973.patch (-p1)
* libpng16-CVE-2015-8126-complete.patch (-p1)
* libpng16-CVE-2015-8126.patch (-p1)
- added patches
CVE-2025-64505 [bsc#1254157], heap buffer over-read in `png_do_quantize` via malformed palette index
* libpng16-CVE-2025-64505.patch
CVE-2025-64506 [bsc#1254158], heap buffer over-read in `png_write_image_8bit` with 8-bit input and `convert_to_8bit` enabled
* libpng16-CVE-2025-64506.patch
CVE-2025-64720 [bsc#1254159], buffer overflow in `png_image_read_composite` via incorrect palette premultiplication
* libpng16-CVE-2025-64720.patch
CVE-2025-65018 [bsc#1254160], heap buffer overflow in `png_combine_row` triggered via `png_image_finish_read`
* libpng16-CVE-2025-65018.patch