# Security update for build

Announcement ID: SUSE-SU-2025:0857-1
Release Date: 2025-03-13T17:58:42Z
Rating: important

References:

* bsc#1217269
* bsc#1230469

Cross-References:

* CVE-2024-22038

CVSS scores:

* CVE-2024-22038 ( SUSE ): 6.8 CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:L/VI:H/VA:H/SC:N/SI:N/SA:N
* CVE-2024-22038 ( SUSE ): 7.3 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:H
* CVE-2024-22038 ( NVD ): 6.8 CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:L/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
* CVE-2024-22038 ( NVD ): 7.3 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:H

Affected Products:

* Development Tools Module 15-SP6
* openSUSE Leap 15.6
* SUSE Enterprise Storage 7.1
* SUSE Linux Enterprise Desktop 15 SP6
* SUSE Linux Enterprise High Performance Computing 15 SP3
* SUSE Linux Enterprise High Performance Computing 15 SP4
* SUSE Linux Enterprise High Performance Computing 15 SP5
* SUSE Linux Enterprise High Performance Computing ESPOS 15 SP4
* SUSE Linux Enterprise High Performance Computing ESPOS 15 SP5
* SUSE Linux Enterprise High Performance Computing LTSS 15 SP3
* SUSE Linux Enterprise High Performance Computing LTSS 15 SP4
* SUSE Linux Enterprise High Performance Computing LTSS 15 SP5
* SUSE Linux Enterprise Real Time 15 SP6
* SUSE Linux Enterprise Server 15 SP3
* SUSE Linux Enterprise Server 15 SP3 LTSS
* SUSE Linux Enterprise Server 15 SP4
* SUSE Linux Enterprise Server 15 SP4 LTSS
* SUSE Linux Enterprise Server 15 SP5
* SUSE Linux Enterprise Server 15 SP5 LTSS
* SUSE Linux Enterprise Server 15 SP6
* SUSE Linux Enterprise Server for SAP Applications 15 SP3
* SUSE Linux Enterprise Server for SAP Applications 15 SP4
* SUSE Linux Enterprise Server for SAP Applications 15 SP5
* SUSE Linux Enterprise Server for SAP Applications 15 SP6

An update that solves one vulnerability and has one security fix can now be installed.
## Description:

This update for build fixes the following issues:

- CVE-2024-22038: Fixed denial of service and information leaks with crafted Git repositories (bnc#1230469)

Other fixes:

- Fixed behaviour when using the "--shell" (aka "osc shell") option in a VM build. Startup is faster and permissions stay intact now.

* fixes for POSIX compatibility for obs-docker-support and mkbaselibs
* Add support for apk in docker/podman builds
* Add support for 'wget' in Docker images
* Fix debian support for Dockerfile builds
* Fix preinstallimages in containers
* mkosi: add back system-packages used by build-recipe directly
* pbuild: parse the Release files for debian repos
* mkosi: drop most systemd/build-packages deps and use obs_scm directory as source if present
* improve source copy handling
* Introduce --repos-directory and --containers-directory options
* productcompose: support of building against a baseiso
* preinstallimage: avoid inclusion of build script generated files
* preserve timestamps on sources copy-in for kiwi and productcompose
* alpine package support updates
* tumbleweed config update
* debian: Support installation of foreign architecture packages (required for armv7l setups)
* Parse unknown timezones as UTC
* Apk (Alpine Linux) format support added
* Implement default value in parameter expansion
* Also support supplements that use & as "and"
* Add workaround for skopeo's argument parser
* add cap-htm=off on power9
* Fixed usage of chown calls
* Remove leading `go` from `purl` locators
* container related:
  * Implement support for the new <containers> element in kiwi recipes
  * Fixes for SBOM and dependencies of multi stage container builds
  * obs-docker-support: enable dnf and yum substitutions
* Arch Linux:
  * fix file path for Arch repo
  * exclude unsupported arch
  * Use root as download user
* build-vm-qemu: force sv48 satp mode on riscv64
* mkosi:
  * Create .sha256 files after mkosi builds
  * Always pass --image-version to mkosi
* General improvements and bugfixes (mkosi, pbuild, appimage/livebuild, obs work detection, documentation, SBOM)
* Support slsa v1 in unpack_slsa_provenance
* generate_sbom: do not clobber spdx supplier
* Harden export_debian_orig_from_git (bsc#1230469)
* SBOM generation:
  * Adding golang introspection support
  * Adding rust binary introspection support
  * Keep track of unknown licenses and add a "hasExtractedLicensingInfos" section
  * Also normalize licenses for cyclonedx
  * Make generate_sbom errors fatal
  * general improvements
* Fix noprep building not working because the builddir is removed
* kiwi image: also detect a debian build if /var/lib/dpkg/status is present
* Do not use the Encode module to convert a code point to utf8
* Fix personality syscall number for riscv
* add more required recommendations for KVM builds
* set PACKAGER field in build-recipe-arch
* fix writing _modulemd.yaml
* pbuild: support --release and --baselibs option
* container:
  * copy base container information from the annotation into the containerinfo
  * track base containers over multiple stages
  * always put the base container last in the dependencies
* providing fileprovides in createdirdeps tool
* Introduce buildflag nochecks
* productcompose: support **all** option
* config update: tumbleweed using preinstallexpand
* minor improvements
* tumbleweed build config update
* support the %load macro
* improve container filename generation (docker)
* fix hanging curl calls during build (docker)
* productcompose: fix milestone query
* tumbleweed build config update
* 15.6 build config fixes
* sourcerpm & sourcedep handling fixes
* productcompose:
  * Fix milestone handling
  * Support bcntsynctag
* Adding debian support to generate_sbom
* Add syscall for personality switch on loongarch64 kernel
* vm-build: ext3 & ext4: fix disk space allocation
* mkosi format updates, not fully working yet
* pbuild exception fixes
* Fixes for current fedora and centos distros
* Don't copy original dsc sources if OBS-DCH-RELEASE set
* Unbreak parsing of sources/patches
* Support ForceMultiVersion in the dockerfile parser
* Support %bcond of rpm 4.17.1
* Add a hack for systemd 255.3, creating an empty /etc/os-release if missing after preinstall.
* docker: Fix HEAD request in dummyhttpserver
* pbuild: Make docker-nobasepackages expand flag the default
* rpm: Support a couple of builtin rpm macros
* rpm: Implement argument expansion for define/with/bcond...
* Fix multiline macro handling
* Accept -N parameter of %autosetup
* documentation updates
* various code cleanup and speedup work.
* ProductCompose: multiple improvements
* Add buildflags:define_specfile support
* Fix copy-in of git subdirectory sources
* pbuild: Speed up XML parsing
* pbuild: product compose support
* generate_sbom: add help option
* podman: enforce runtime=runc
* Implement direct conflicts from the distro config
* changelog2spec: fix time zone handling
* Do not unmount /proc/sys/fs/binfmt_misc before running the check scripts
* spec file cleanup
* documentation updates
* productcompose:
  * support schema 0.1
  * support milestones
* Leap 15.6 config
* SLE 15 SP6 config
* productcompose: follow incompatible flavor syntax change
* pbuild: support for zstd
* fixed handling for cmdline parameters via kernel packages
* productcompose:
  * BREAKING: support new schema
  * adapt flavor architecture parsing
* productcompose:
  * support filtered package lists
  * support default architecture listing
* fix copy in binaries in VM builds
* obsproduct build type got renamed to productcompose
* Support zstd compressed rpm-md meta data (bsc#1217269)
* Added Debian 12 configuration
* First ObsProduct build format support
* fix SLE 15 SP5 build configuration
* Improve user agent handling for obs repositories
* Docker:
  * Support flavor specific build descriptions via Dockerfile.$flavor
  * support "PlusRecommended" hint to also provide recommended packages
  * use the name/version as filename if both are known
* Produce docker format containers by default
* pbuild: Support for signature authentication of OBS resources
* Fix wiping build root for --vm-type podman
* Put BUILD_RELEASE and BUILD_CHANGELOG_TIMESTAMP in the /.buildenv
* build-vm-kvm: use -cpu host on riscv64
* small fixes and cleanups
* Added parser for BcntSyncTag in sources
* pbuild:
  * fix dependency expansion for build types other than spec
  * Reworked cycle handling code
  * add --extra-packs option
  * add debugflags option
  * Pass-through --buildtool-opt
* Parse Patch and Source lines more accurately
* fix tunefs functionality
* minor bugfixes
* --vm-type=podman added (supports also root-less builds)
* Also support build constraints in the Dockerfile
* minor fixes
* Add SUSE ALP build config
* BREAKING: Record errors when parsing the project config; former behaviour was undefined
* container: Support compression format configuration option
* Don't setup ccache with --no-init
* improved loongarch64 support
* sbom: SPDX supplier tag added
* kiwi: support different versions per profile
* preinstallimage: fail when recompression fails
* Add support for recommends and supplements dependencies
* Support the "keepfilerequires" expand flag
* add '--buildtool-opt=OPTIONS' to pass options to the used build tool
* distro config updates
  * ArchLinux
  * Tumbleweed
* documentation updates
* openSUSE Tumbleweed: sync config and move to suse_version 1699.
* universal post-build hook, just place a file in /usr/lib/build/post_build.d/
* mkbaselibs/hwcaps, fix pattern name once again (x86_64_v3)
* KiwiProduct: add --use-newest-package hint if the option is set
* Dockerfile support:
  * export multibuild flavor as argument
  * allow parameters in FROM .. scratch lines
  * include OS name in build result if != linux
* Workaround directory->symlink usrmerge problems for cross arch sysroot
* multiple fixes for SBOM support
* KIWI VM image SBOM support added

## Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

* SUSE Linux Enterprise Server for SAP Applications 15 SP5
  zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-SP5-2025-857=1
* SUSE Enterprise Storage 7.1
  zypper in -t patch SUSE-Storage-7.1-2025-857=1
* openSUSE Leap 15.6
  zypper in -t patch openSUSE-SLE-15.6-2025-857=1
* Development Tools Module 15-SP6
  zypper in -t patch SUSE-SLE-Module-Development-Tools-15-SP6-2025-857=1
* SUSE Linux Enterprise High Performance Computing LTSS 15 SP3
  zypper in -t patch SUSE-SLE-Product-HPC-15-SP3-LTSS-2025-857=1
* SUSE Linux Enterprise High Performance Computing ESPOS 15 SP4
  zypper in -t patch SUSE-SLE-Product-HPC-15-SP4-ESPOS-2025-857=1
* SUSE Linux Enterprise High Performance Computing LTSS 15 SP4
  zypper in -t patch SUSE-SLE-Product-HPC-15-SP4-LTSS-2025-857=1
* SUSE Linux Enterprise High Performance Computing ESPOS 15 SP5
  zypper in -t patch SUSE-SLE-Product-HPC-15-SP5-ESPOS-2025-857=1
* SUSE Linux Enterprise High Performance Computing LTSS 15 SP5
  zypper in -t patch SUSE-SLE-Product-HPC-15-SP5-LTSS-2025-857=1
* SUSE Linux Enterprise Server 15 SP3 LTSS
  zypper in -t patch SUSE-SLE-Product-SLES-15-SP3-LTSS-2025-857=1
* SUSE Linux Enterprise Server 15 SP4 LTSS
  zypper in -t patch SUSE-SLE-Product-SLES-15-SP4-LTSS-2025-857=1
* SUSE Linux Enterprise Server 15 SP5 LTSS
  zypper in -t patch SUSE-SLE-Product-SLES-15-SP5-LTSS-2025-857=1
* SUSE Linux Enterprise Server for SAP Applications 15 SP3
  zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-SP3-2025-857=1
* SUSE Linux Enterprise Server for SAP Applications 15 SP4
  zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-SP4-2025-857=1

## Package List:

* SUSE Linux Enterprise Server for SAP Applications 15 SP5 (noarch)
  * build-mkbaselibs-20250306-150200.19.1
  * build-20250306-150200.19.1
* SUSE Enterprise Storage 7.1 (noarch)
  * build-mkbaselibs-20250306-150200.19.1
  * build-20250306-150200.19.1
* openSUSE Leap 15.6 (noarch)
  * build-mkbaselibs-20250306-150200.19.1
  * build-initvm-x86_64-20250306-150200.19.1
  * build-initvm-aarch64-20250306-150200.19.1
  * build-initvm-s390x-20250306-150200.19.1
  * build-mkdrpms-20250306-150200.19.1
  * build-initvm-powerpc64le-20250306-150200.19.1
  * build-20250306-150200.19.1
* Development Tools Module 15-SP6 (noarch)
  * build-mkbaselibs-20250306-150200.19.1
  * build-20250306-150200.19.1
* SUSE Linux Enterprise High Performance Computing LTSS 15 SP3 (noarch)
  * build-mkbaselibs-20250306-150200.19.1
  * build-20250306-150200.19.1
* SUSE Linux Enterprise High Performance Computing ESPOS 15 SP4 (noarch)
  * build-mkbaselibs-20250306-150200.19.1
  * build-20250306-150200.19.1
* SUSE Linux Enterprise High Performance Computing LTSS 15 SP4 (noarch)
  * build-mkbaselibs-20250306-150200.19.1
  * build-20250306-150200.19.1
* SUSE Linux Enterprise High Performance Computing ESPOS 15 SP5 (noarch)
  * build-mkbaselibs-20250306-150200.19.1
  * build-20250306-150200.19.1
* SUSE Linux Enterprise High Performance Computing LTSS 15 SP5 (noarch)
  * build-mkbaselibs-20250306-150200.19.1
  * build-20250306-150200.19.1
* SUSE Linux Enterprise Server 15 SP3 LTSS (noarch)
  * build-mkbaselibs-20250306-150200.19.1
  * build-20250306-150200.19.1
* SUSE Linux Enterprise Server 15 SP4 LTSS (noarch)
  * build-mkbaselibs-20250306-150200.19.1
  * build-20250306-150200.19.1
* SUSE Linux Enterprise Server 15 SP5 LTSS (noarch)
  * build-mkbaselibs-20250306-150200.19.1
  * build-20250306-150200.19.1
* SUSE Linux Enterprise Server for SAP Applications 15 SP3 (noarch)
  * build-mkbaselibs-20250306-150200.19.1
  * build-20250306-150200.19.1
* SUSE Linux Enterprise Server for SAP Applications 15 SP4 (noarch)
  * build-mkbaselibs-20250306-150200.19.1
  * build-20250306-150200.19.1

## References:

* https://www.suse.com/security/cve/CVE-2024-22038.html
* https://bugzilla.suse.com/show_bug.cgi?id=1217269
* https://bugzilla.suse.com/show_bug.cgi?id=1230469
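The Package List gives a single fixed version, 20250306-150200.19.1, for build and build-mkbaselibs on every listed product. The following is an added example, not code from SUSE or from the build project, for deciding from collected `rpm -q` output whether a host still carries a pre-fix build package. It reimplements librpm's rpmvercmp ordering (numeric segments compare as numbers, alphabetic segments as strings, a numeric segment beats an alphabetic one, `~` sorts below the bare version and `^` above it but below any further segment) so the check runs on an inventory host without the rpm Python bindings. The names FIXED_EVR, rpmvercmp, evrcmp, is_fixed and check_rpm_query are this example's own, and the SAMPLE_RPM_QUERY lines are constructed, not real host output.

```python
import string

_ALNUM = set(string.ascii_letters + string.digits)

# Fixed VERSION-RELEASE from the advisory's Package List; the same string is
# listed for every affected product, so one table covers all of them.
FIXED_EVR = {
    "build": "20250306-150200.19.1",
    "build-mkbaselibs": "20250306-150200.19.1",
}


def _take(s: str, pos: int, digits: bool) -> tuple[str, int]:
    """Consume the run of digits (or of letters) that starts at pos."""
    cls = string.digits if digits else string.ascii_letters
    end = pos
    while end < len(s) and s[end] in cls:
        end += 1
    return s[pos:end], end


def rpmvercmp(a: str, b: str) -> int:
    """Order a against b as librpm's rpmvercmp() does; returns -1, 0 or 1.

    Separators other than '~' and '^' are skipped. '~' sorts below the bare
    string (1.0~rc1 < 1.0); '^' sorts above the bare string but below any
    further segment (1.0 < 1.0^git < 1.0.1). Numeric beats alphabetic.
    """
    i, j = 0, 0
    while i < len(a) or j < len(b):
        while i < len(a) and a[i] not in _ALNUM and a[i] not in "~^":
            i += 1
        while j < len(b) and b[j] not in _ALNUM and b[j] not in "~^":
            j += 1
        ca = a[i] if i < len(a) else ""
        cb = b[j] if j < len(b) else ""
        if ca == "~" or cb == "~":
            if ca != "~":
                return 1
            if cb != "~":
                return -1
            i, j = i + 1, j + 1
            continue
        if ca == "^" or cb == "^":
            if ca == "":
                return -1
            if cb == "":
                return 1
            if ca != "^":
                return 1
            if cb != "^":
                return -1
            i, j = i + 1, j + 1
            continue
        if ca == "" or cb == "":
            break
        isnum = ca in string.digits
        sa, i = _take(a, i, isnum)
        sb, j = _take(b, j, isnum)
        if sb == "":
            return 1 if isnum else -1  # segment types differ: numeric wins
        if isnum:
            sa, sb = sa.lstrip("0"), sb.lstrip("0")
            if len(sa) != len(sb):
                return 1 if len(sa) > len(sb) else -1
        if sa != sb:
            return 1 if sa > sb else -1
    if i >= len(a) and j >= len(b):
        return 0
    return -1 if i >= len(a) else 1


def split_evr(evr: str) -> tuple[str, str, str]:
    """Split [EPOCH:]VERSION[-RELEASE]; a missing epoch counts as 0, as in rpm."""
    epoch, sep, rest = evr.partition(":")
    if not sep:
        epoch, rest = "0", evr
    version, sep, release = rest.rpartition("-")
    if not sep:
        version, release = rest, ""
    return epoch, version, release


def evrcmp(a: str, b: str) -> int:
    """Order two EVR strings: epoch first, then version, then release."""
    for x, y in zip(split_evr(a), split_evr(b)):
        rc = rpmvercmp(x, y)
        if rc:
            return rc
    return 0


def is_fixed(name: str, installed_evr: str) -> bool:
    """True when the installed EVR is at or past this advisory's fixed version."""
    return evrcmp(installed_evr, FIXED_EVR[name]) >= 0


def check_rpm_query(output: str) -> dict[str, bool]:
    """Map each known package in the output of
    rpm -q --qf '%{NAME} %{EPOCH}:%{VERSION}-%{RELEASE}\\n' build build-mkbaselibs
    to whether it is fixed. rpm prints '(none)' for an unset epoch (read as 0);
    'package X is not installed' lines do not match the two-field shape and are skipped."""
    result = {}
    for line in output.splitlines():
        parts = line.split()
        if len(parts) != 2 or parts[0] not in FIXED_EVR:
            continue
        name, evr = parts
        if evr.startswith("(none):"):
            evr = evr[len("(none):"):]
        result[name] = is_fixed(name, evr)
    return result


# Constructed sample: build still on an older (hypothetical) version,
# build-mkbaselibs already at the fixed version from the Package List.
SAMPLE_RPM_QUERY = """\
build (none):20240220-150200.17.1
build-mkbaselibs (none):20250306-150200.19.1
"""

if __name__ == "__main__":
    for pkg, ok in check_rpm_query(SAMPLE_RPM_QUERY).items():
        print(f"{pkg}: {'fixed' if ok else 'needs SUSE-SU-2025:0857-1'}")
```

On the host itself, `zypper patch-check` or installing the patch named above is the supported route; this comparison is for the case where only version strings have been collected centrally. Epochs are compared with the same segment logic, which for pure digit strings matches rpm's numeric epoch comparison.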