{"affected":[{"ecosystem_specific":{"binaries":[{"build":"20250306-150200.19.1","build-mkbaselibs":"20250306-150200.19.1"}]},"package":{"ecosystem":"SUSE:Linux Enterprise Module for Development Tools 15 SP6","name":"build","purl":"pkg:rpm/suse/build&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Development%20Tools%2015%20SP6"},"ranges":[{"events":[{"introduced":"0"},{"fixed":"20250306-150200.19.1"}],"type":"ECOSYSTEM"}]},{"ecosystem_specific":{"binaries":[{"build":"20250306-150200.19.1","build-mkbaselibs":"20250306-150200.19.1"}]},"package":{"ecosystem":"SUSE:Linux Enterprise High Performance Computing 15 SP3-LTSS","name":"build","purl":"pkg:rpm/suse/build&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP3-LTSS"},"ranges":[{"events":[{"introduced":"0"},{"fixed":"20250306-150200.19.1"}],"type":"ECOSYSTEM"}]},{"ecosystem_specific":{"binaries":[{"build":"20250306-150200.19.1","build-mkbaselibs":"20250306-150200.19.1"}]},"package":{"ecosystem":"SUSE:Linux Enterprise High Performance Computing 15 SP4-ESPOS","name":"build","purl":"pkg:rpm/suse/build&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP4-ESPOS"},"ranges":[{"events":[{"introduced":"0"},{"fixed":"20250306-150200.19.1"}],"type":"ECOSYSTEM"}]},{"ecosystem_specific":{"binaries":[{"build":"20250306-150200.19.1","build-mkbaselibs":"20250306-150200.19.1"}]},"package":{"ecosystem":"SUSE:Linux Enterprise High Performance Computing 15 SP4-LTSS","name":"build","purl":"pkg:rpm/suse/build&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP4-LTSS"},"ranges":[{"events":[{"introduced":"0"},{"fixed":"20250306-150200.19.1"}],"type":"ECOSYSTEM"}]},{"ecosystem_specific":{"binaries":[{"build":"20250306-150200.19.1","build-mkbaselibs":"20250306-150200.19.1"}]},"package":{"ecosystem":"SUSE:Linux Enterprise High Performance Computing 15 SP5-ESPOS","name":"build","purl":"pkg:rpm/suse/build&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP5-ESPOS"},"ranges":[{"events":[{"introduced":"0"},{"fixed":"20250306-150200.19.1"}],"type":"ECOSYSTEM"}]},{"ecosystem_specific":{"binaries":[{"build":"20250306-150200.19.1","build-mkbaselibs":"20250306-150200.19.1"}]},"package":{"ecosystem":"SUSE:Linux Enterprise High Performance Computing 15 SP5-LTSS","name":"build","purl":"pkg:rpm/suse/build&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP5-LTSS"},"ranges":[{"events":[{"introduced":"0"},{"fixed":"20250306-150200.19.1"}],"type":"ECOSYSTEM"}]},{"ecosystem_specific":{"binaries":[{"build":"20250306-150200.19.1","build-mkbaselibs":"20250306-150200.19.1"}]},"package":{"ecosystem":"SUSE:Linux Enterprise Server 15 SP3-LTSS","name":"build","purl":"pkg:rpm/suse/build&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP3-LTSS"},"ranges":[{"events":[{"introduced":"0"},{"fixed":"20250306-150200.19.1"}],"type":"ECOSYSTEM"}]},{"ecosystem_specific":{"binaries":[{"build":"20250306-150200.19.1","build-mkbaselibs":"20250306-150200.19.1"}]},"package":{"ecosystem":"SUSE:Linux Enterprise Server 15 SP4-LTSS","name":"build","purl":"pkg:rpm/suse/build&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP4-LTSS"},"ranges":[{"events":[{"introduced":"0"},{"fixed":"20250306-150200.19.1"}],"type":"ECOSYSTEM"}]},{"ecosystem_specific":{"binaries":[{"build":"20250306-150200.19.1","build-mkbaselibs":"20250306-150200.19.1"}]},"package":{"ecosystem":"SUSE:Linux Enterprise Server 15 SP5-LTSS","name":"build","purl":"pkg:rpm/suse/build&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP5-LTSS"},"ranges":[{"events":[{"introduced":"0"},{"fixed":"20250306-150200.19.1"}],"type":"ECOSYSTEM"}]},{"ecosystem_specific":{"binaries":[{"build":"20250306-150200.19.1","build-mkbaselibs":"20250306-150200.19.1"}]},"package":{"ecosystem":"SUSE:Linux Enterprise Server for SAP Applications 15 SP3","name":"build","purl":"pkg:rpm/suse/build&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015%20SP3"},"ranges":[{"events":[{"introduced":"0"},{"fixed":"20250306-150200.19.1"}],"type":"ECOSYSTEM"}]},{"ecosystem_specific":{"binaries":[{"build":"20250306-150200.19.1","build-mkbaselibs":"20250306-150200.19.1"}]},"package":{"ecosystem":"SUSE:Linux Enterprise Server for SAP Applications 15 SP4","name":"build","purl":"pkg:rpm/suse/build&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015%20SP4"},"ranges":[{"events":[{"introduced":"0"},{"fixed":"20250306-150200.19.1"}],"type":"ECOSYSTEM"}]},{"ecosystem_specific":{"binaries":[{"build":"20250306-150200.19.1","build-mkbaselibs":"20250306-150200.19.1"}]},"package":{"ecosystem":"SUSE:Linux Enterprise Server for SAP Applications 15 SP5","name":"build","purl":"pkg:rpm/suse/build&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015%20SP5"},"ranges":[{"events":[{"introduced":"0"},{"fixed":"20250306-150200.19.1"}],"type":"ECOSYSTEM"}]},{"ecosystem_specific":{"binaries":[{"build":"20250306-150200.19.1","build-mkbaselibs":"20250306-150200.19.1"}]},"package":{"ecosystem":"SUSE:Enterprise Storage 7.1","name":"build","purl":"pkg:rpm/suse/build&distro=SUSE%20Enterprise%20Storage%207.1"},"ranges":[{"events":[{"introduced":"0"},{"fixed":"20250306-150200.19.1"}],"type":"ECOSYSTEM"}]},{"ecosystem_specific":{"binaries":[{"build":"20250306-150200.19.1","build-initvm-aarch64":"20250306-150200.19.1","build-initvm-powerpc64le":"20250306-150200.19.1","build-initvm-s390x":"20250306-150200.19.1","build-initvm-x86_64":"20250306-150200.19.1","build-mkbaselibs":"20250306-150200.19.1","build-mkdrpms":"20250306-150200.19.1"}]},"package":{"ecosystem":"openSUSE:Leap 15.6","name":"build","purl":"pkg:rpm/opensuse/build&distro=openSUSE%20Leap%2015.6"},"ranges":[{"events":[{"introduced":"0"},{"fixed":"20250306-150200.19.1"}],"type":"ECOSYSTEM"}]}],"aliases":[],"details":"This update for build fixes the following issues:\n-  CVE-2024-22038: Fixed DoS attacks, information leaks with crafted Git repositories (bnc#1230469) \n\nOther fixes:\n- Fixed behaviour when using '--shell' aka 'osc shell' option\n  in a VM build. Startup is faster and permissions stay intact\n  now.\n\n- fixes for POSIX compatibility for obs-docker-support adn\n  mkbaselibs\n- Add support for apk in docker/podman builds\n- Add support for 'wget' in Docker images\n- Fix debian support for Dockerfile builds\n- Fix preinstallimages in containers\n- mkosi: add back system-packages used by build-recipe directly\n- pbuild: parse the Release files for debian repos\n\n- mkosi: drop most systemd/build-packages deps and use obs_scm\n         directory as source if present\n- improve source copy handling\n- Introduce --repos-directory and --containers-directory options\n\n- productcompose: support of building against a baseiso\n- preinstallimage: avoid inclusion of build script generated files\n- preserve timestamps on sources copy-in for kiwi and productcompose\n- alpine package support updates\n- tumbleweed config update\n\n- debian: Support installation of foreign architecture packages\n          (required for armv7l setups)\n- Parse unknown timezones as UTC\n- Apk (Alpine Linux) format support added\n- Implement default value in parameter expansion\n- Also support supplements that use & as 'and'\n- Add workaround for skopeo's argument parser\n- add cap-htm=off on power9\n- Fixed usage of chown calls\n- Remove leading `go` from `purl` locators\n\n- container related:\n  * Implement support for the new <containers> element in kiwi recipes\n  * Fixes for SBOM and dependencies of multi stage container builds\n  * obs-docker-support: enable dnf and yum substitutions\n- Arch Linux:\n  * fix file path for Arch repo\n  * exclude unsupported arch\n  * Use root as download user\n- build-vm-qemu: force sv48 satp mode on riscv64\n- mkosi:\n  * Create .sha256 files after mkosi builds\n  * Always pass --image-version to mkosi\n- General improvements and bugfixes (mkosi, pbuild, appimage/livebuild,\n                                     obs work detection, documention, SBOM)\n- Support slsa v1 in unpack_slsa_provenance\n- generate_sbom: do not clobber spdx supplier\n- Harden export_debian_orig_from_git (bsc#1230469)\n\n- SBOM generation:\n  - Adding golang introspection support\n  - Adding rust binary introspection support\n  - Keep track of unknwon licenses and add a 'hasExtractedLicensingInfos'\n    section\n  - Also normalize licenses for cyclonedx\n  - Make generate_sbom errors fatal\n  - general improvements\n- Fix noprep building not working because the buildir is removed\n- kiwi image: also detect a debian build if /var/lib/dpkg/status is present\n- Do not use the Encode module to convert a code point to utf8\n- Fix personality syscall number for riscv\n- add more required recommendations for KVM builds\n- set PACKAGER field in build-recipe-arch\n- fix writing _modulemd.yaml\n- pbuild: support --release and --baselibs option\n- container:\n  - copy base container information from the annotation into the\n    containerinfo\n  - track base containers over multiple stages\n  - always put the base container last in the dependencies\n\n- providing fileprovides in createdirdeps tool\n- Introduce buildflag nochecks\n\n- productcompose: support __all__ option\n- config update: tumbleweed using preinstallexpand\n- minor improvements\n\n- tumbleweed build config update\n- support the %load macro\n- improve container filename generation (docker)\n- fix hanging curl calls during build (docker)\n- productcompose: fix milestone query\n\n- tumbleweed build config update\n- 15.6 build config fixes\n- sourcerpm & sourcedep handling fixes\n- productcompose:\n  - Fix milestone handling\n  - Support bcntsynctag\n- Adding debian support to generate_sbom\n- Add syscall for personality switch on loongarch64 kernel\n- vm-build: ext3 & ext4: fix disk space allocation\n- mkosi format updates, not fully working yet\n- pbuild exception fixes\n- Fixes for current fedora and centos distros\n- Don't copy original dsc sources if OBS-DCH-RELEASE set\n- Unbreak parsing of sources/patches\n- Support ForceMultiVersion in the dockerfile parser\n- Support %bcond of rpm 4.17.1\n\n- Add a hack for systemd 255.3, creating an empty /etc/os-release\n  if missing after preinstall.\n- docker: Fix HEAD request in dummyhttpserver\n- pbuild: Make docker-nobasepackages expand flag the default\n- rpm: Support a couple of builtin rpm macros\n- rpm: Implement argument expansion for define/with/bcond...\n- Fix multiline macro handling\n- Accept -N parameter of %autosetup\n- documentation updates\n- various code cleanup and speedup work.\n\n- ProductCompose: multiple improvements\n- Add buildflags:define_specfile support\n- Fix copy-in of git subdirectory sources\n- pbuild: Speed up XML parsing\n- pubild: product compose support\n- generate_sbom: add help option\n- podman: enforce runtime=runc\n- Implement direct conflicts from the distro config\n- changelog2spec: fix time zone handling\n- Do not unmount /proc/sys/fs/binfmt_misc before runnint the check scripts\n- spec file cleanup\n- documentation updates\n\n- productcompose:\n  - support schema 0.1\n  - support milestones\n- Leap 15.6 config\n- SLE 15 SP6 config\n\n- productcompose: follow incompatible flavor syntax change\n- pbuild: support for zstd\n\n- fixed handling for cmdline parameters via kernel packages\n\n- productcompose:\n  * BREAKING: support new schema\n  * adapt flavor architecture parsing\n\n- productcompose:\n  * support filtered package lists\n  * support default architecture listing\n  * fix copy in binaries in VM builds^\n\n- obsproduct build type got renamed to productcompose\n\n- Support zstd compressed rpm-md meta data (bsc#1217269)\n- Added Debian 12 configuration\n- First ObsProduct build format support\n\n- fix SLE 15 SP5 build configuration\n- Improve user agent handling for obs repositories\n\n- Docker:\n  - Support flavor specific build descriptions via Dockerfile.$flavor\n  - support 'PlusRecommended' hint to also provide recommended packages\n  - use the name/version as filename if both are known\n  - Produce docker format containers by default\n- pbuild: Support for signature authentification of OBS resources\n- Fix wiping build root for --vm-type podman\n- Put BUILD_RELEASE and BUILD_CHANGELOG_TIMESTAMP in the /.buildenv\n- build-vm-kvm: use -cpu host on riscv64\n- small fixes and cleanups\n\n- Added parser for BcntSyncTag in sources\n\n- pbuild:\n  * fix dependency expansion for build types other than spec\n  * Reworked cycle handling code\n  * add --extra-packs option\n  * add debugflags option\n- Pass-through --buildtool-opt\n- Parse Patch and Source lines more accurately\n- fix tunefs functionality\n- minor bugfixes\n\n- --vm-type=podman added (supports also root-less builds)\n- Also support build constraints in the Dockerfile\n- minor fixes\n\n- Add SUSE ALP build config\n\n- BREAKING: Record errors when parsing the project config\n            former behaviour was undefined\n- container: Support compression format configuration option\n- Don't setup ccache with --no-init\n- improved loongarch64 support\n- sbom: SPDX supplier tag added\n- kiwi: support different versions per profile\n- preinstallimage: fail when recompression fails\n- Add support for recommends and supplements dependencies\n- Support the 'keepfilerequires' expand flag\n- add '--buildtool-opt=OPTIONS' to pass options to the used build tool\n- distro config updates\n  * ArchLinux\n  * Tumbleweed\n- documentation updates\n\n- openSUSE Tumbleweed: sync config and move to suse_version 1699.\n\n- universal post-build hook, just place a file in /usr/lib/build/post_build.d/\n- mkbaselibs/hwcaps, fix pattern name once again (x86_64_v3)\n- KiwiProduct: add --use-newest-package hint if the option is set\n\n- Dockerfile support:\n  * export multibuild flavor as argument\n  * allow parameters in FROM .. scratch lines\n  * include OS name in build result if != linux\n- Workaround directory->symlink usrmerge problems for cross arch sysroot\n- multiple fixes for SBOM support\n\n- KIWI VM image SBOM support added\n","id":"SUSE-SU-2025:0857-1","modified":"2025-03-13T17:58:06Z","published":"2025-03-13T17:58:06Z","references":[{"type":"ADVISORY","url":"https://www.suse.com/support/update/announcement/2025/suse-su-20250857-1/"},{"type":"REPORT","url":"https://bugzilla.suse.com/1217269"},{"type":"REPORT","url":"https://bugzilla.suse.com/1230469"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2024-22038"}],"related":["CVE-2024-22038"],"summary":"Security update for build","upstream":["CVE-2024-22038"]}