Update Info

SUSE-PackageHub-16.0-678


Security update for build, product-composer


Type: security
Severity: moderate
Issued: 2026-05-05
Description:
This update for build, product-composer fixes the following issues:

Changes in build:

- Support a new "IgnoreRebuild" config.

- build-recipe-kiwi:

  * Add support for oci containers
  * Avoid needlessly compressing container images
  * Detect container images based on build result file name

- Fix queryrecipe to use the summary and the description from the main package

- config: Add slfo-main build configuration
- drop the inner quotes, not needed on bash 4 and breaks on bash 3
- build: in the ccache case, after test -e also accept -L

- container:

  * Add microdnf package manager support
  * Add experimental support for the container-timestamp build option

- sbom:

  * allow to create v1 intoto data
  * spdx: connect OPERATING-SYSTEM package to the root package
  * Transfer product vcs and disturl

- Support --cms-nocerts and --cms-keyid in the signdummy
- Support chroot builds inside of containers
- runservice tool, allow to specify the modes. Can be
  used on plain git source now also
- Support --mtime option for cpio creation
- generate_sbom:

   * Support also unzck compressed repomd files
   * Fail when given --product directory is missing
   * support zstd compressed repomd data

- build-vm-lxc: support lxc >= 5
- vc: Hide an annoying error message when not using NIS

- added leap-16.0 and leap-16.1 build configs.
  (not named sl16.0 anymore, but using same string as the git branch)

- Implement cmssign support in signdummy
- pbuild: mark git assets with a fixed commit as immutable
- mkosi:
  * check if old parameters are supported before passing them
  * support old bash version
- Do not crash on small files that start with the PE magic

- Harden export_debian_orig_from_git (CVE-2024-22038, boo#1230469)

Changes in product-composer:

update to version 0.9.6:

  * Speed-up reading of rpm headers
  * Flush output lines to get correct timestamps in OBS

update to version 0.9.5:

  * Be a bit more verbose to track used times per step in OBS
  * Fix a crash when doing version compare with an epoch

update to version 0.9.4:

  * Give an error when trying to add updateinfo meta data
    without all binary revisions.
  * Hand over vcs and disturl data to generate_sbom.
    (We require a recent build package therefore)


              

Packages


  • build-20260415-160000.1.1
  • product-composer-0.9.6-160000.1.1