Update Info

SUSE-PackageHub-16.0-packagehub-93


Security update for sbctl


Type: security
Severity: moderate
Issued: 2026-01-23
Description:
This update for sbctl fixes the following issues:

Changes in sbctl:

- Upgrade the embedded golang.org/x/net to 0.46.0
  * Fixes: bsc#1251399, CVE-2025-47911: various algorithms with
    quadratic complexity when parsing HTML documents
  * Fixes: bsc#1251609, CVE-2025-58190: excessive memory consumption
    by 'html.ParseFragment' when processing specially crafted input

- Update to version 0.18:
  * logging: fixup new go vet warning
  * workflows: add cc for cross compile
  * workflow: add sudo to apt
  * workflow: add pcsclite to ci
  * workflow: try enable cgo
  * go.mod: update golang.org/x/ dependencies
  * fix: avoid adding bogus Country attribute to subject DNs
  * sbctl: only store file if we did actually sign the file
  * installkernel: add post install hook for Debian's traditional installkernel
  * CI: missing libpcsclite pkg
  * workflows: add missing depends and new pattern keyword
  * Add yubikey example for create keys to the README
  * Initial yubikey backend keytype support
  * verify: ensure we pass args in correct order

- bsc#1248949 (CVE-2025-58058):
  Bump xz to 0.5.14

- Update to version 0.17:
  * Ensure we don't wrongly compare input/output files when signing
  * Added --json support to sbctl verify
  * Ensure sbctl setup with no arguments returns a helpful output
  * Import latest Microsoft keys for KEK and db databases
  * Ensure we print the path of the file when encountering an invalid PE file
  * Misc fixups in tests
  * Misc typo fixes in prints

- Update to version 0.16:
  * Ensure sbctl reads --config even if /etc/sbctl/sbctl.conf is
    present
  * Fixed a bug where sbctl would abort if the TPM eventlog
    contains the same byte multiple times
  * Fixed a landlock bug where enroll-keys --export did not work
  * Fixed a bug where an ESP mounted to multiple paths would not be
    detected
  * Exporting keys without efivars present works again
  * sbctl sign will now use the saved output path if the signed
    file is enrolled
  * enroll-keys --append will now work without --force.
- Updates from version 0.15.4:
  * Fixed an issue where sign-all did not report a non-zero exit
    code when something failed
  * Fixed an issue where we couldn't write to a file with landlock
  * Fixed an issue where --json would print the human readable
    output and the json
  * Fixes landlock for UKI/bundles by disabling the sandbox feature
  * Some doc fixups that mentioned /usr/share/


              

Packages


  • sbctl-0.18-bp160.1.1