openSUSE Local Security Checks : openSUSE Security Advisory (SUSE-SU-2025:0857-1)

Vulnerability Search		Search 324607 CVE descriptions and 145615 test descriptions, access 10,000+ cross references.
	Tests CVE All

Test ID: 1.3.6.1.4.1.25623.1.1.18.2.2025.0857.1

Category: openSUSE Local Security Checks

Title: openSUSE Security Advisory (SUSE-SU-2025:0857-1)

Summary: The remote host is missing an update for the 'build' package(s) announced via the SUSE-SU-2025:0857-1 advisory.

Description: Summary:
The remote host is missing an update for the 'build' package(s) announced via the SUSE-SU-2025:0857-1 advisory.

Vulnerability Insight:
This update for build fixes the following issues:
- CVE-2024-22038: Fixed DoS attacks, information leaks with crafted Git repositories (bnc#1230469)

Other fixes:
- Fixed behaviour when using '--shell' aka 'osc shell' option
in a VM build. Startup is faster and permissions stay intact
now.

- fixes for POSIX compatibility for obs-docker-support adn
mkbaselibs
- Add support for apk in docker/podman builds
- Add support for 'wget' in Docker images
- Fix debian support for Dockerfile builds
- Fix preinstallimages in containers
- mkosi: add back system-packages used by build-recipe directly
- pbuild: parse the Release files for debian repos

- mkosi: drop most systemd/build-packages deps and use obs_scm
directory as source if present
- improve source copy handling
- Introduce --repos-directory and --containers-directory options

- productcompose: support of building against a baseiso
- preinstallimage: avoid inclusion of build script generated files
- preserve timestamps on sources copy-in for kiwi and productcompose
- alpine package support updates
- tumbleweed config update

- debian: Support installation of foreign architecture packages
(required for armv7l setups)
- Parse unknown timezones as UTC
- Apk (Alpine Linux) format support added
- Implement default value in parameter expansion
- Also support supplements that use & as 'and'
- Add workaround for skopeo's argument parser
- add cap-htm=off on power9
- Fixed usage of chown calls
- Remove leading `go` from `purl` locators

- container related:
* Implement support for the new element in kiwi recipes
* Fixes for SBOM and dependencies of multi stage container builds
* obs-docker-support: enable dnf and yum substitutions
- Arch Linux:
* fix file path for Arch repo
* exclude unsupported arch
* Use root as download user
- build-vm-qemu: force sv48 satp mode on riscv64
- mkosi:
* Create .sha256 files after mkosi builds
* Always pass --image-version to mkosi
- General improvements and bugfixes (mkosi, pbuild, appimage/livebuild,
obs work detection, documention, SBOM)
- Support slsa v1 in unpack_slsa_provenance
- generate_sbom: do not clobber spdx supplier
- Harden export_debian_orig_from_git (bsc#1230469)

- SBOM generation:
- Adding golang introspection support
- Adding rust binary introspection support
- Keep track of unknwon licenses and add a 'hasExtractedLicensingInfos'
section
- Also normalize licenses for cyclonedx
- Make generate_sbom errors fatal
- general improvements
- Fix noprep building not working because the buildir is removed
- kiwi image: also detect a debian build if /var/lib/dpkg/status is present
- Do not use the Encode module to convert a code point to utf8
- Fix personality syscall number for riscv
- add more required recommendations for KVM builds
- set PACKAGER field in build-recipe-arch
- fix writing _modulemd.yaml
- pbuild: support --release and --baselibs option
- ... [Please see the references for more information on the vulnerabilities]

Affected Software/OS:
'build' package(s) on openSUSE Leap 15.6.

Solution:
Please install the updated package(s).

CVSS Score:
5.0

CVSS Vector:
AV:N/AC:L/Au:N/C:P/I:N/A:N

Cross-Ref: Common Vulnerability Exposure (CVE) ID: CVE-2024-22038

Copyright Copyright (C) 2025 Greenbone AG

This is only one of 145615 vulnerability tests in our test suite. Find out more about running a complete security audit.
To run a free test of this vulnerability against your system, register below.

Test ID:	1.3.6.1.4.1.25623.1.1.18.2.2025.0857.1
Category:	openSUSE Local Security Checks
Title:	openSUSE Security Advisory (SUSE-SU-2025:0857-1)
Summary:	The remote host is missing an update for the 'build' package(s) announced via the SUSE-SU-2025:0857-1 advisory.
Description:	Summary: The remote host is missing an update for the 'build' package(s) announced via the SUSE-SU-2025:0857-1 advisory. Vulnerability Insight: This update for build fixes the following issues: - CVE-2024-22038: Fixed DoS attacks, information leaks with crafted Git repositories (bnc#1230469) Other fixes: - Fixed behaviour when using '--shell' aka 'osc shell' option in a VM build. Startup is faster and permissions stay intact now. - fixes for POSIX compatibility for obs-docker-support adn mkbaselibs - Add support for apk in docker/podman builds - Add support for 'wget' in Docker images - Fix debian support for Dockerfile builds - Fix preinstallimages in containers - mkosi: add back system-packages used by build-recipe directly - pbuild: parse the Release files for debian repos - mkosi: drop most systemd/build-packages deps and use obs_scm directory as source if present - improve source copy handling - Introduce --repos-directory and --containers-directory options - productcompose: support of building against a baseiso - preinstallimage: avoid inclusion of build script generated files - preserve timestamps on sources copy-in for kiwi and productcompose - alpine package support updates - tumbleweed config update - debian: Support installation of foreign architecture packages (required for armv7l setups) - Parse unknown timezones as UTC - Apk (Alpine Linux) format support added - Implement default value in parameter expansion - Also support supplements that use & as 'and' - Add workaround for skopeo's argument parser - add cap-htm=off on power9 - Fixed usage of chown calls - Remove leading `go` from `purl` locators - container related: * Implement support for the new element in kiwi recipes * Fixes for SBOM and dependencies of multi stage container builds * obs-docker-support: enable dnf and yum substitutions - Arch Linux: * fix file path for Arch repo * exclude unsupported arch * Use root as download user - build-vm-qemu: force sv48 satp mode on riscv64 - mkosi: * Create .sha256 files after mkosi builds * Always pass --image-version to mkosi - General improvements and bugfixes (mkosi, pbuild, appimage/livebuild, obs work detection, documention, SBOM) - Support slsa v1 in unpack_slsa_provenance - generate_sbom: do not clobber spdx supplier - Harden export_debian_orig_from_git (bsc#1230469) - SBOM generation: - Adding golang introspection support - Adding rust binary introspection support - Keep track of unknwon licenses and add a 'hasExtractedLicensingInfos' section - Also normalize licenses for cyclonedx - Make generate_sbom errors fatal - general improvements - Fix noprep building not working because the buildir is removed - kiwi image: also detect a debian build if /var/lib/dpkg/status is present - Do not use the Encode module to convert a code point to utf8 - Fix personality syscall number for riscv - add more required recommendations for KVM builds - set PACKAGER field in build-recipe-arch - fix writing _modulemd.yaml - pbuild: support --release and --baselibs option - ... [Please see the references for more information on the vulnerabilities] Affected Software/OS: 'build' package(s) on openSUSE Leap 15.6. Solution: Please install the updated package(s). CVSS Score: 5.0 CVSS Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N
Cross-Ref:	Common Vulnerability Exposure (CVE) ID: CVE-2024-22038
Copyright	Copyright (C) 2025 Greenbone AG