SuSE Local Security Checks : SUSE: Security Advisory (SUSE-SU-2025:0857-1)

Búsqueda de Vulnerabilidad		Buscar 324607 Descripciones CVE y 145615 Descripciones de Pruebas, accesos 10,000+ referencias cruzadas.
	Pruebas CVE Todos

ID de Prueba: 1.3.6.1.4.1.25623.1.1.4.2025.0857.1

Categoría: SuSE Local Security Checks

Título: SUSE: Security Advisory (SUSE-SU-2025:0857-1)

Resumen: The remote host is missing an update for the 'build' package(s) announced via the SUSE-SU-2025:0857-1 advisory.

Descripción: Summary:
The remote host is missing an update for the 'build' package(s) announced via the SUSE-SU-2025:0857-1 advisory.

Vulnerability Insight:
This update for build fixes the following issues:
- CVE-2024-22038: Fixed DoS attacks, information leaks with crafted Git repositories (bnc#1230469)

Other fixes:
- Fixed behaviour when using '--shell' aka 'osc shell' option
in a VM build. Startup is faster and permissions stay intact
now.

- fixes for POSIX compatibility for obs-docker-support adn
mkbaselibs
- Add support for apk in docker/podman builds
- Add support for 'wget' in Docker images
- Fix debian support for Dockerfile builds
- Fix preinstallimages in containers
- mkosi: add back system-packages used by build-recipe directly
- pbuild: parse the Release files for debian repos

- mkosi: drop most systemd/build-packages deps and use obs_scm
directory as source if present
- improve source copy handling
- Introduce --repos-directory and --containers-directory options

- productcompose: support of building against a baseiso
- preinstallimage: avoid inclusion of build script generated files
- preserve timestamps on sources copy-in for kiwi and productcompose
- alpine package support updates
- tumbleweed config update

- debian: Support installation of foreign architecture packages
(required for armv7l setups)
- Parse unknown timezones as UTC
- Apk (Alpine Linux) format support added
- Implement default value in parameter expansion
- Also support supplements that use & as 'and'
- Add workaround for skopeo's argument parser
- add cap-htm=off on power9
- Fixed usage of chown calls
- Remove leading `go` from `purl` locators

- container related:
* Implement support for the new element in kiwi recipes
* Fixes for SBOM and dependencies of multi stage container builds
* obs-docker-support: enable dnf and yum substitutions
- Arch Linux:
* fix file path for Arch repo
* exclude unsupported arch
* Use root as download user
- build-vm-qemu: force sv48 satp mode on riscv64
- mkosi:
* Create .sha256 files after mkosi builds
* Always pass --image-version to mkosi
- General improvements and bugfixes (mkosi, pbuild, appimage/livebuild,
obs work detection, documention, SBOM)
- Support slsa v1 in unpack_slsa_provenance
- generate_sbom: do not clobber spdx supplier
- Harden export_debian_orig_from_git (bsc#1230469)

- SBOM generation:
- Adding golang introspection support
- Adding rust binary introspection support
- Keep track of unknwon licenses and add a 'hasExtractedLicensingInfos'
section
- Also normalize licenses for cyclonedx
- Make generate_sbom errors fatal
- general improvements
- Fix noprep building not working because the buildir is removed
- kiwi image: also detect a debian build if /var/lib/dpkg/status is present
- Do not use the Encode module to convert a code point to utf8
- Fix personality syscall number for riscv
- add more required recommendations for KVM builds
- set PACKAGER field in build-recipe-arch
- fix writing _modulemd.yaml
- pbuild: support --release and --baselibs option
- ... [Please see the references for more information on the vulnerabilities]

Affected Software/OS:
'build' package(s) on SUSE Linux Enterprise Server 15-SP3, SUSE Linux Enterprise Server 15-SP4, SUSE Linux Enterprise Server 15-SP5, SUSE Linux Enterprise Server for SAP Applications 15-SP3, SUSE Linux Enterprise Server for SAP Applications 15-SP4, SUSE Linux Enterprise Server for SAP Applications 15-SP5.

Solution:
Please install the updated package(s).

CVSS Score:
5.0

CVSS Vector:
AV:N/AC:L/Au:N/C:P/I:N/A:N

Referencia Cruzada: Common Vulnerability Exposure (CVE) ID: CVE-2024-22038

Copyright Copyright (C) 2025 Greenbone AG

Esta es sólo una de 145615 pruebas de vulnerabilidad en nuestra serie de pruebas. Encuentre más sobre cómo ejecutar una auditoría de seguridad completa.
Para ejecutar una prueba gratuita de esta vulnerabilidad contra su sistema, regístrese ahora.

ID de Prueba:	1.3.6.1.4.1.25623.1.1.4.2025.0857.1
Categoría:	SuSE Local Security Checks
Título:	SUSE: Security Advisory (SUSE-SU-2025:0857-1)
Resumen:	The remote host is missing an update for the 'build' package(s) announced via the SUSE-SU-2025:0857-1 advisory.
Descripción:	Summary: The remote host is missing an update for the 'build' package(s) announced via the SUSE-SU-2025:0857-1 advisory. Vulnerability Insight: This update for build fixes the following issues: - CVE-2024-22038: Fixed DoS attacks, information leaks with crafted Git repositories (bnc#1230469) Other fixes: - Fixed behaviour when using '--shell' aka 'osc shell' option in a VM build. Startup is faster and permissions stay intact now. - fixes for POSIX compatibility for obs-docker-support adn mkbaselibs - Add support for apk in docker/podman builds - Add support for 'wget' in Docker images - Fix debian support for Dockerfile builds - Fix preinstallimages in containers - mkosi: add back system-packages used by build-recipe directly - pbuild: parse the Release files for debian repos - mkosi: drop most systemd/build-packages deps and use obs_scm directory as source if present - improve source copy handling - Introduce --repos-directory and --containers-directory options - productcompose: support of building against a baseiso - preinstallimage: avoid inclusion of build script generated files - preserve timestamps on sources copy-in for kiwi and productcompose - alpine package support updates - tumbleweed config update - debian: Support installation of foreign architecture packages (required for armv7l setups) - Parse unknown timezones as UTC - Apk (Alpine Linux) format support added - Implement default value in parameter expansion - Also support supplements that use & as 'and' - Add workaround for skopeo's argument parser - add cap-htm=off on power9 - Fixed usage of chown calls - Remove leading `go` from `purl` locators - container related: * Implement support for the new element in kiwi recipes * Fixes for SBOM and dependencies of multi stage container builds * obs-docker-support: enable dnf and yum substitutions - Arch Linux: * fix file path for Arch repo * exclude unsupported arch * Use root as download user - build-vm-qemu: force sv48 satp mode on riscv64 - mkosi: * Create .sha256 files after mkosi builds * Always pass --image-version to mkosi - General improvements and bugfixes (mkosi, pbuild, appimage/livebuild, obs work detection, documention, SBOM) - Support slsa v1 in unpack_slsa_provenance - generate_sbom: do not clobber spdx supplier - Harden export_debian_orig_from_git (bsc#1230469) - SBOM generation: - Adding golang introspection support - Adding rust binary introspection support - Keep track of unknwon licenses and add a 'hasExtractedLicensingInfos' section - Also normalize licenses for cyclonedx - Make generate_sbom errors fatal - general improvements - Fix noprep building not working because the buildir is removed - kiwi image: also detect a debian build if /var/lib/dpkg/status is present - Do not use the Encode module to convert a code point to utf8 - Fix personality syscall number for riscv - add more required recommendations for KVM builds - set PACKAGER field in build-recipe-arch - fix writing _modulemd.yaml - pbuild: support --release and --baselibs option - ... [Please see the references for more information on the vulnerabilities] Affected Software/OS: 'build' package(s) on SUSE Linux Enterprise Server 15-SP3, SUSE Linux Enterprise Server 15-SP4, SUSE Linux Enterprise Server 15-SP5, SUSE Linux Enterprise Server for SAP Applications 15-SP3, SUSE Linux Enterprise Server for SAP Applications 15-SP4, SUSE Linux Enterprise Server for SAP Applications 15-SP5. Solution: Please install the updated package(s). CVSS Score: 5.0 CVSS Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N
Referencia Cruzada:	Common Vulnerability Exposure (CVE) ID: CVE-2024-22038
Copyright	Copyright (C) 2025 Greenbone AG