Security update for build
| Announcement ID: | SUSE-SU-2025:0857-1 |
|---|---|
| Release Date: | 2025-03-13T17:58:42Z |
| Rating: | important |
| References: | |
| Cross-References: | |
| CVSS scores: |
|
| Affected Products: |
|
An update that solves one vulnerability and has one security fix can now be installed.
Description:
This update for build fixes the following issues: - CVE-2024-22038: Fixed DoS attacks, information leaks with crafted Git repositories (bnc#1230469)
Other fixes: - Fixed behaviour when using "--shell" aka "osc shell" option in a VM build. Startup is faster and permissions stay intact now.
- fixes for POSIX compatibility for obs-docker-support adn mkbaselibs
- Add support for apk in docker/podman builds
- Add support for 'wget' in Docker images
- Fix debian support for Dockerfile builds
- Fix preinstallimages in containers
- mkosi: add back system-packages used by build-recipe directly
-
pbuild: parse the Release files for debian repos
-
mkosi: drop most systemd/build-packages deps and use obs_scm directory as source if present
- improve source copy handling
-
Introduce --repos-directory and --containers-directory options
-
productcompose: support of building against a baseiso
- preinstallimage: avoid inclusion of build script generated files
- preserve timestamps on sources copy-in for kiwi and productcompose
- alpine package support updates
-
tumbleweed config update
-
debian: Support installation of foreign architecture packages (required for armv7l setups)
- Parse unknown timezones as UTC
- Apk (Alpine Linux) format support added
- Implement default value in parameter expansion
- Also support supplements that use & as "and"
- Add workaround for skopeo's argument parser
- add cap-htm=off on power9
- Fixed usage of chown calls
-
Remove leading
gofrompurllocators -
container related:
- Implement support for the new <containers> element in kiwi recipes
- Fixes for SBOM and dependencies of multi stage container builds
- obs-docker-support: enable dnf and yum substitutions
- Arch Linux:
- fix file path for Arch repo
- exclude unsupported arch
- Use root as download user
- build-vm-qemu: force sv48 satp mode on riscv64
- mkosi:
- Create .sha256 files after mkosi builds
- Always pass --image-version to mkosi
- General improvements and bugfixes (mkosi, pbuild, appimage/livebuild, obs work detection, documention, SBOM)
- Support slsa v1 in unpack_slsa_provenance
- generate_sbom: do not clobber spdx supplier
-
Harden export_debian_orig_from_git (bsc#1230469)
-
SBOM generation:
- Adding golang introspection support
- Adding rust binary introspection support
- Keep track of unknwon licenses and add a "hasExtractedLicensingInfos" section
- Also normalize licenses for cyclonedx
- Make generate_sbom errors fatal
- general improvements
- Fix noprep building not working because the buildir is removed
- kiwi image: also detect a debian build if /var/lib/dpkg/status is present
- Do not use the Encode module to convert a code point to utf8
- Fix personality syscall number for riscv
- add more required recommendations for KVM builds
- set PACKAGER field in build-recipe-arch
- fix writing _modulemd.yaml
- pbuild: support --release and --baselibs option
- container:
- copy base container information from the annotation into the containerinfo
- track base containers over multiple stages
-
always put the base container last in the dependencies
-
providing fileprovides in createdirdeps tool
-
Introduce buildflag nochecks
-
productcompose: support all option
- config update: tumbleweed using preinstallexpand
-
minor improvements
-
tumbleweed build config update
- support the %load macro
- improve container filename generation (docker)
- fix hanging curl calls during build (docker)
-
productcompose: fix milestone query
-
tumbleweed build config update
- 15.6 build config fixes
- sourcerpm & sourcedep handling fixes
- productcompose:
- Fix milestone handling
- Support bcntsynctag
- Adding debian support to generate_sbom
- Add syscall for personality switch on loongarch64 kernel
- vm-build: ext3 & ext4: fix disk space allocation
- mkosi format updates, not fully working yet
- pbuild exception fixes
- Fixes for current fedora and centos distros
- Don't copy original dsc sources if OBS-DCH-RELEASE set
- Unbreak parsing of sources/patches
- Support ForceMultiVersion in the dockerfile parser
-
Support %bcond of rpm 4.17.1
-
Add a hack for systemd 255.3, creating an empty /etc/os-release if missing after preinstall.
- docker: Fix HEAD request in dummyhttpserver
- pbuild: Make docker-nobasepackages expand flag the default
- rpm: Support a couple of builtin rpm macros
- rpm: Implement argument expansion for define/with/bcond...
- Fix multiline macro handling
- Accept -N parameter of %autosetup
- documentation updates
-
various code cleanup and speedup work.
-
ProductCompose: multiple improvements
- Add buildflags:define_specfile support
- Fix copy-in of git subdirectory sources
- pbuild: Speed up XML parsing
- pubild: product compose support
- generate_sbom: add help option
- podman: enforce runtime=runc
- Implement direct conflicts from the distro config
- changelog2spec: fix time zone handling
- Do not unmount /proc/sys/fs/binfmt_misc before runnint the check scripts
- spec file cleanup
-
documentation updates
-
productcompose:
- support schema 0.1
- support milestones
- Leap 15.6 config
-
SLE 15 SP6 config
-
productcompose: follow incompatible flavor syntax change
-
pbuild: support for zstd
-
fixed handling for cmdline parameters via kernel packages
-
productcompose:
- BREAKING: support new schema
-
adapt flavor architecture parsing
-
productcompose:
- support filtered package lists
- support default architecture listing
-
fix copy in binaries in VM builds^
-
obsproduct build type got renamed to productcompose
-
Support zstd compressed rpm-md meta data (bsc#1217269)
- Added Debian 12 configuration
-
First ObsProduct build format support
-
fix SLE 15 SP5 build configuration
-
Improve user agent handling for obs repositories
-
Docker:
- Support flavor specific build descriptions via Dockerfile.$flavor
- support "PlusRecommended" hint to also provide recommended packages
- use the name/version as filename if both are known
- Produce docker format containers by default
- pbuild: Support for signature authentification of OBS resources
- Fix wiping build root for --vm-type podman
- Put BUILD_RELEASE and BUILD_CHANGELOG_TIMESTAMP in the /.buildenv
- build-vm-kvm: use -cpu host on riscv64
-
small fixes and cleanups
-
Added parser for BcntSyncTag in sources
-
pbuild:
- fix dependency expansion for build types other than spec
- Reworked cycle handling code
- add --extra-packs option
- add debugflags option
- Pass-through --buildtool-opt
- Parse Patch and Source lines more accurately
- fix tunefs functionality
-
minor bugfixes
-
--vm-type=podman added (supports also root-less builds)
- Also support build constraints in the Dockerfile
-
minor fixes
-
Add SUSE ALP build config
-
BREAKING: Record errors when parsing the project config former behaviour was undefined
- container: Support compression format configuration option
- Don't setup ccache with --no-init
- improved loongarch64 support
- sbom: SPDX supplier tag added
- kiwi: support different versions per profile
- preinstallimage: fail when recompression fails
- Add support for recommends and supplements dependencies
- Support the "keepfilerequires" expand flag
- add '--buildtool-opt=OPTIONS' to pass options to the used build tool
- distro config updates
- ArchLinux
- Tumbleweed
-
documentation updates
-
openSUSE Tumbleweed: sync config and move to suse_version 1699.
-
universal post-build hook, just place a file in /usr/lib/build/post_build.d/
- mkbaselibs/hwcaps, fix pattern name once again (x86_64_v3)
-
KiwiProduct: add --use-newest-package hint if the option is set
-
Dockerfile support:
- export multibuild flavor as argument
- allow parameters in FROM .. scratch lines
- include OS name in build result if != linux
- Workaround directory->symlink usrmerge problems for cross arch sysroot
-
multiple fixes for SBOM support
-
KIWI VM image SBOM support added
Patch Instructions:
To install this SUSE update use the SUSE recommended
installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
-
SUSE Linux Enterprise Server for SAP Applications 15 SP5
zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-SP5-2025-857=1 -
SUSE Enterprise Storage 7.1
zypper in -t patch SUSE-Storage-7.1-2025-857=1 -
openSUSE Leap 15.6
zypper in -t patch openSUSE-SLE-15.6-2025-857=1 -
Development Tools Module 15-SP6
zypper in -t patch SUSE-SLE-Module-Development-Tools-15-SP6-2025-857=1 -
SUSE Linux Enterprise High Performance Computing LTSS 15 SP3
zypper in -t patch SUSE-SLE-Product-HPC-15-SP3-LTSS-2025-857=1 -
SUSE Linux Enterprise High Performance Computing ESPOS 15 SP4
zypper in -t patch SUSE-SLE-Product-HPC-15-SP4-ESPOS-2025-857=1 -
SUSE Linux Enterprise High Performance Computing LTSS 15 SP4
zypper in -t patch SUSE-SLE-Product-HPC-15-SP4-LTSS-2025-857=1 -
SUSE Linux Enterprise High Performance Computing ESPOS 15 SP5
zypper in -t patch SUSE-SLE-Product-HPC-15-SP5-ESPOS-2025-857=1 -
SUSE Linux Enterprise High Performance Computing LTSS 15 SP5
zypper in -t patch SUSE-SLE-Product-HPC-15-SP5-LTSS-2025-857=1 -
SUSE Linux Enterprise Server 15 SP3 LTSS
zypper in -t patch SUSE-SLE-Product-SLES-15-SP3-LTSS-2025-857=1 -
SUSE Linux Enterprise Server 15 SP4 LTSS
zypper in -t patch SUSE-SLE-Product-SLES-15-SP4-LTSS-2025-857=1 -
SUSE Linux Enterprise Server 15 SP5 LTSS
zypper in -t patch SUSE-SLE-Product-SLES-15-SP5-LTSS-2025-857=1 -
SUSE Linux Enterprise Server for SAP Applications 15 SP3
zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-SP3-2025-857=1 -
SUSE Linux Enterprise Server for SAP Applications 15 SP4
zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-SP4-2025-857=1
Package List:
-
SUSE Linux Enterprise Server for SAP Applications 15 SP5 (noarch)
- build-mkbaselibs-20250306-150200.19.1
- build-20250306-150200.19.1
-
SUSE Enterprise Storage 7.1 (noarch)
- build-mkbaselibs-20250306-150200.19.1
- build-20250306-150200.19.1
-
openSUSE Leap 15.6 (noarch)
- build-mkbaselibs-20250306-150200.19.1
- build-initvm-x86_64-20250306-150200.19.1
- build-initvm-aarch64-20250306-150200.19.1
- build-initvm-s390x-20250306-150200.19.1
- build-mkdrpms-20250306-150200.19.1
- build-initvm-powerpc64le-20250306-150200.19.1
- build-20250306-150200.19.1
-
Development Tools Module 15-SP6 (noarch)
- build-mkbaselibs-20250306-150200.19.1
- build-20250306-150200.19.1
-
SUSE Linux Enterprise High Performance Computing LTSS 15 SP3 (noarch)
- build-mkbaselibs-20250306-150200.19.1
- build-20250306-150200.19.1
-
SUSE Linux Enterprise High Performance Computing ESPOS 15 SP4 (noarch)
- build-mkbaselibs-20250306-150200.19.1
- build-20250306-150200.19.1
-
SUSE Linux Enterprise High Performance Computing LTSS 15 SP4 (noarch)
- build-mkbaselibs-20250306-150200.19.1
- build-20250306-150200.19.1
-
SUSE Linux Enterprise High Performance Computing ESPOS 15 SP5 (noarch)
- build-mkbaselibs-20250306-150200.19.1
- build-20250306-150200.19.1
-
SUSE Linux Enterprise High Performance Computing LTSS 15 SP5 (noarch)
- build-mkbaselibs-20250306-150200.19.1
- build-20250306-150200.19.1
-
SUSE Linux Enterprise Server 15 SP3 LTSS (noarch)
- build-mkbaselibs-20250306-150200.19.1
- build-20250306-150200.19.1
-
SUSE Linux Enterprise Server 15 SP4 LTSS (noarch)
- build-mkbaselibs-20250306-150200.19.1
- build-20250306-150200.19.1
-
SUSE Linux Enterprise Server 15 SP5 LTSS (noarch)
- build-mkbaselibs-20250306-150200.19.1
- build-20250306-150200.19.1
-
SUSE Linux Enterprise Server for SAP Applications 15 SP3 (noarch)
- build-mkbaselibs-20250306-150200.19.1
- build-20250306-150200.19.1
-
SUSE Linux Enterprise Server for SAP Applications 15 SP4 (noarch)
- build-mkbaselibs-20250306-150200.19.1
- build-20250306-150200.19.1