Security update for buildah, docker

Announcement ID:	SUSE-SU-2024:3120-1
Rating:	critical
References:	bsc#1214855 bsc#1219267 bsc#1219268 bsc#1219438 bsc#1221243 bsc#1221677 bsc#1221916 bsc#1223409 bsc#1224117 bsc#1228324
Cross-References:	CVE-2024-1753 CVE-2024-23651 CVE-2024-23652 CVE-2024-23653 CVE-2024-24786 CVE-2024-28180 CVE-2024-3727 CVE-2024-41110
CVSS scores:	CVE-2024-1753 ( SUSE ): 8.6 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H CVE-2024-23651 ( SUSE ): 7.4 CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H CVE-2024-23651 ( NVD ): 7.4 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N CVE-2024-23652 ( SUSE ): 6.7 CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H CVE-2024-23652 ( NVD ): 9.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H CVE-2024-23653 ( SUSE ): 7.0 CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H CVE-2024-23653 ( NVD ): 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVE-2024-24786 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2024-3727 ( SUSE ): 8.3 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H CVE-2024-41110 ( SUSE ): 9.9 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Affected Products:	Containers Module 15-SP5 Containers Module 15-SP6 openSUSE Leap 15.3 openSUSE Leap 15.5 openSUSE Leap 15.6 openSUSE Leap Micro 5.5 SUSE Enterprise Storage 7.1 SUSE Linux Enterprise High Performance Computing 15 SP2 SUSE Linux Enterprise High Performance Computing 15 SP2 LTSS 15-SP2 SUSE Linux Enterprise High Performance Computing 15 SP3 SUSE Linux Enterprise High Performance Computing 15 SP4 SUSE Linux Enterprise High Performance Computing 15 SP5 SUSE Linux Enterprise High Performance Computing ESPOS 15 SP4 SUSE Linux Enterprise High Performance Computing LTSS 15 SP3 SUSE Linux Enterprise High Performance Computing LTSS 15 SP4 SUSE Linux Enterprise Micro 5.1 SUSE Linux Enterprise Micro 5.2 SUSE Linux Enterprise Micro 5.3 SUSE Linux Enterprise Micro 5.4 SUSE Linux Enterprise Micro 5.5 SUSE Linux Enterprise Micro for Rancher 5.2 SUSE Linux Enterprise Micro for Rancher 5.3 SUSE Linux Enterprise Micro for Rancher 5.4 SUSE Linux Enterprise Real Time 15 SP5 SUSE Linux Enterprise Real Time 15 SP6 SUSE Linux Enterprise Server 15 SP2 SUSE Linux Enterprise Server 15 SP2 LTSS 15-SP2 SUSE Linux Enterprise Server 15 SP3 SUSE Linux Enterprise Server 15 SP3 LTSS 15-SP3 SUSE Linux Enterprise Server 15 SP4 SUSE Linux Enterprise Server 15 SP4 LTSS 15-SP4 SUSE Linux Enterprise Server 15 SP5 SUSE Linux Enterprise Server 15 SP6 SUSE Linux Enterprise Server for SAP Applications 15 SP2 SUSE Linux Enterprise Server for SAP Applications 15 SP3 SUSE Linux Enterprise Server for SAP Applications 15 SP4 SUSE Linux Enterprise Server for SAP Applications 15 SP5 SUSE Linux Enterprise Server for SAP Applications 15 SP6

An update that solves eight vulnerabilities and has two security fixes can now be installed.

Description:

This update for buildah, docker fixes the following issues:

Changes in docker: - CVE-2024-23651: Fixed arbitrary files write due to race condition on mounts (bsc#1219267) - CVE-2024-23652: Fixed insufficient validation of parent directory on mount (bsc#1219268) - CVE-2024-23653: Fixed insufficient validation on entitlement on container creation via buildkit (bsc#1219438) - CVE-2024-41110: A Authz zero length regression that could lead to authentication bypass was fixed (bsc#1228324)

Other fixes:

• Update to Docker 25.0.6-ce. See upstream changelog online at <https://docs.docker.com/engine/release-notes/25.0/#2506>

• Update to Docker 25.0.5-ce (bsc#1223409)

• Fix BuildKit's symlink resolution logic to correctly handle non-lexical symlinks. (bsc#1221916)

• Write volume options atomically so sudden system crashes won't result in future Docker starts failing due to empty files. (bsc#1214855)

Changes in buildah: - Update to version 1.35.4: * [release-1.35] Bump to Buildah v1.35.4 * [release-1.35] CVE-2024-3727 updates (bsc#1224117) * integration test: handle new labels in "bud and test --unsetlabel" * [release-1.35] Bump go-jose CVE-2024-28180 * [release-1.35] Bump ocicrypt and go-jose CVE-2024-28180

• Update to version 1.35.3:
• [release-1.35] Bump to Buildah v1.35.3
• [release-1.35] correctly configure /etc/hosts and resolv.conf
• [release-1.35] buildah: refactor resolv/hosts setup.
• [release-1.35] rename the hostFile var to reflect
• [release-1.35] Bump c/common to v0.58.1
• [release-1.35] Bump Buildah to v1.35.2
• [release-1.35] CVE-2024-24786 protobuf to 1.33

• [release-1.35] Bump to v1.35.2-dev

• Update to version 1.35.1:

• [release-1.35] Bump to v1.35.1

• [release-1.35] CVE-2024-1753 container escape fix (bsc#1221677)

• Buildah dropped cni support, require netavark instead (bsc#1221243)

• Remove obsolete requires libcontainers-image & libcontainers-storage

• Require passt for rootless networking (poo#156955) Buildah moved to passt/pasta for rootless networking from slirp4netns (https://github.com/containers/common/pull/1846)

• Update to version 1.35.0:

• Bump v1.35.0
• Bump c/common v0.58.0, c/image v5.30.0, c/storage v1.53.0
• conformance tests: don't break on trailing zeroes in layer blobs
• Add a conformance test for copying to a mounted prior stage
• fix(deps): update module github.com/stretchr/testify to v1.9.0
• cgroups: reuse version check from c/common
• Update vendor of containers/(common,image)
• fix(deps): update github.com/containers/storage digest to eadc620
• fix(deps): update github.com/containers/luksy digest to ceb12d4
• fix(deps): update github.com/containers/image/v5 digest to cdc6802
• manifest add: complain if we get artifact flags without --artifact
• Use retry logic from containers/common
• Vendor in containers/(storage,image,common)
• Update module golang.org/x/crypto to v0.20.0
• Add comment re: Total Success task name
• tests: skip_if_no_unshare(): check for --setuid
• Properly handle build --pull=false
• [skip-ci] Update tim-actions/get-pr-commits action to v1.3.1
• Update module go.etcd.io/bbolt to v1.3.9
• Revert "Reduce official image size"
• Update module github.com/opencontainers/image-spec to v1.1.0
• Reduce official image size
• Build with CNI support on FreeBSD
• build --all-platforms: skip some base "image" platforms
• Bump main to v1.35.0-dev
• Vendor in latest containers/(storage,image,common)
• Split up error messages for missing --sbom related flags
• buildah manifest: add artifact-related options
• cmd/buildah/manifest.go: lock lists before adding/annotating/pushing
• cmd/buildah/manifest.go: don't make struct declarations aliases
• Use golang.org/x/exp/slices.Contains
• Disable loong64 again
• Fix a couple of typos in one-line comments
• egrep is obsolescent; use grep -E
• Try Cirrus with a newer VM version
• Set CONTAINERS_CONF in the chroot-mount-flags integration test
• Update to match dependency API update
• Update github.com/openshift/imagebuilder and containers/common
• docs: correct default authfile path
• fix(deps): update module github.com/containerd/containerd to v1.7.13
• tests: retrofit test for heredoc summary
• build, heredoc: show heredoc summary in build output
• manifest, push: add support for --retry and --retry-delay
• fix(deps): update github.com/openshift/imagebuilder digest to b767bc3
• imagebuildah: fix crash with empty RUN
• fix(deps): update github.com/containers/luksy digest to b62d551
• fix(deps): update module github.com/opencontainers/runc to v1.1.12 [security]
• fix(deps): update module github.com/moby/buildkit to v0.12.5 [security]
• Make buildah match podman for handling of ulimits
• docs: move footnotes to where they're applicable
• Allow users to specify no-dereference
• Run codespell on code
• Fix FreeBSD version parsing
• Fix a build break on FreeBSD
• Remove a bad FROM line
• fix(deps): update module github.com/onsi/gomega to v1.31.1
• fix(deps): update module github.com/opencontainers/image-spec to v1.1.0-rc6
• docs: use reversed logo for dark theme in README
• build,commit: add --sbom to scan and produce SBOMs when committing
• commit: force omitHistory if the parent has layers but no history
• docs: fix a couple of typos
• internal/mkcw.Archive(): handle extra image content
• stage_executor,heredoc: honor interpreter in heredoc
• stage_executor,layers: burst cache if heredoc content is changed
• fix(deps): update module golang.org/x/crypto to v0.18.0
• Replace map[K]bool with map[K]struct{} where it makes sense
• fix(deps): update module golang.org/x/sync to v0.6.0
• fix(deps): update module golang.org/x/term to v0.16.0
• Bump CI VMs
• Replace strings.SplitN with strings.Cut
• fix(deps): update github.com/containers/storage digest to ef81e9b
• fix(deps): update github.com/containers/image/v5 digest to 1b221d4
• fix(deps): update module github.com/fsouza/go-dockerclient to v1.10.1
• Document use of containers-transports values in buildah
• fix(deps): update module golang.org/x/crypto to v0.17.0 [security]
• chore(deps): update dependency containers/automation_images to v20231208
• manifest: addCompression use default from containers.conf
• commit: add a --add-file flag
• mkcw: populate the rootfs using an overlay
• chore(deps): update dependency containers/automation_images to v20230517
• [skip-ci] Update actions/stale action to v9
• fix(deps): update module github.com/containernetworking/plugins to v1.4.0
• fix(deps): update github.com/containers/image/v5 digest to 7a40fee
• Bump to v1.34.1-dev
• Ignore errors if label.Relabel returns ENOSUP

Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

• openSUSE Leap 15.3
  zypper in -t patch SUSE-2024-3120=1
• openSUSE Leap Micro 5.5
  zypper in -t patch openSUSE-Leap-Micro-5.5-2024-3120=1
• openSUSE Leap 15.5
  zypper in -t patch openSUSE-SLE-15.5-2024-3120=1
• openSUSE Leap 15.6
  zypper in -t patch openSUSE-SLE-15.6-2024-3120=1
• SUSE Linux Enterprise Micro for Rancher 5.3
  zypper in -t patch SUSE-SLE-Micro-5.3-2024-3120=1
• SUSE Linux Enterprise Micro 5.3
  zypper in -t patch SUSE-SLE-Micro-5.3-2024-3120=1
• SUSE Linux Enterprise Micro for Rancher 5.4
  zypper in -t patch SUSE-SLE-Micro-5.4-2024-3120=1
• SUSE Linux Enterprise Micro 5.4
  zypper in -t patch SUSE-SLE-Micro-5.4-2024-3120=1
• SUSE Linux Enterprise Micro 5.5
  zypper in -t patch SUSE-SLE-Micro-5.5-2024-3120=1
• Containers Module 15-SP5
  zypper in -t patch SUSE-SLE-Module-Containers-15-SP5-2024-3120=1
• Containers Module 15-SP6
  zypper in -t patch SUSE-SLE-Module-Containers-15-SP6-2024-3120=1
• SUSE Linux Enterprise High Performance Computing 15 SP2 LTSS 15-SP2
  zypper in -t patch SUSE-SLE-Product-HPC-15-SP2-LTSS-2024-3120=1
• SUSE Linux Enterprise High Performance Computing LTSS 15 SP3
  zypper in -t patch SUSE-SLE-Product-HPC-15-SP3-LTSS-2024-3120=1
• SUSE Linux Enterprise High Performance Computing ESPOS 15 SP4
  zypper in -t patch SUSE-SLE-Product-HPC-15-SP4-ESPOS-2024-3120=1
• SUSE Linux Enterprise High Performance Computing LTSS 15 SP4
  zypper in -t patch SUSE-SLE-Product-HPC-15-SP4-LTSS-2024-3120=1
• SUSE Linux Enterprise Server 15 SP2 LTSS 15-SP2
  zypper in -t patch SUSE-SLE-Product-SLES-15-SP2-LTSS-2024-3120=1
• SUSE Linux Enterprise Server 15 SP3 LTSS 15-SP3
  zypper in -t patch SUSE-SLE-Product-SLES-15-SP3-LTSS-2024-3120=1
• SUSE Linux Enterprise Server 15 SP4 LTSS 15-SP4
  zypper in -t patch SUSE-SLE-Product-SLES-15-SP4-LTSS-2024-3120=1
• SUSE Linux Enterprise Server for SAP Applications 15 SP2
  zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-SP2-2024-3120=1
• SUSE Linux Enterprise Server for SAP Applications 15 SP3
  zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-SP3-2024-3120=1
• SUSE Linux Enterprise Server for SAP Applications 15 SP4
  zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-SP4-2024-3120=1
• SUSE Enterprise Storage 7.1
  zypper in -t patch SUSE-Storage-7.1-2024-3120=1
• SUSE Linux Enterprise Micro 5.1
  zypper in -t patch SUSE-SUSE-MicroOS-5.1-2024-3120=1
• SUSE Linux Enterprise Micro 5.2
  zypper in -t patch SUSE-SUSE-MicroOS-5.2-2024-3120=1
• SUSE Linux Enterprise Micro for Rancher 5.2
  zypper in -t patch SUSE-SUSE-MicroOS-5.2-2024-3120=1

Package List:

• openSUSE Leap 15.3 (aarch64 ppc64le s390x x86_64 i586)
  • buildah-1.35.4-150300.8.25.1
• openSUSE Leap Micro 5.5 (aarch64 s390x x86_64)
  • docker-25.0.6_ce-150000.207.1
  • docker-debuginfo-25.0.6_ce-150000.207.1
• openSUSE Leap 15.5 (aarch64 ppc64le s390x x86_64)
  • docker-25.0.6_ce-150000.207.1
  • docker-debuginfo-25.0.6_ce-150000.207.1
• openSUSE Leap 15.5 (noarch)
  • docker-rootless-extras-25.0.6_ce-150000.207.1
  • docker-zsh-completion-25.0.6_ce-150000.207.1
  • docker-bash-completion-25.0.6_ce-150000.207.1
  • docker-fish-completion-25.0.6_ce-150000.207.1
• openSUSE Leap 15.6 (aarch64 ppc64le s390x x86_64)
  • docker-25.0.6_ce-150000.207.1
  • docker-debuginfo-25.0.6_ce-150000.207.1
• openSUSE Leap 15.6 (noarch)
  • docker-rootless-extras-25.0.6_ce-150000.207.1
  • docker-zsh-completion-25.0.6_ce-150000.207.1
  • docker-bash-completion-25.0.6_ce-150000.207.1
  • docker-fish-completion-25.0.6_ce-150000.207.1
• SUSE Linux Enterprise Micro for Rancher 5.3 (aarch64 s390x x86_64)
  • docker-25.0.6_ce-150000.207.1
  • docker-debuginfo-25.0.6_ce-150000.207.1
• SUSE Linux Enterprise Micro 5.3 (aarch64 s390x x86_64)
  • docker-25.0.6_ce-150000.207.1
  • docker-debuginfo-25.0.6_ce-150000.207.1
• SUSE Linux Enterprise Micro for Rancher 5.4 (aarch64 s390x x86_64)
  • docker-25.0.6_ce-150000.207.1
  • docker-debuginfo-25.0.6_ce-150000.207.1
• SUSE Linux Enterprise Micro 5.4 (aarch64 s390x x86_64)
  • docker-25.0.6_ce-150000.207.1
  • docker-debuginfo-25.0.6_ce-150000.207.1
• SUSE Linux Enterprise Micro 5.5 (aarch64 ppc64le s390x x86_64)
  • docker-25.0.6_ce-150000.207.1
  • docker-debuginfo-25.0.6_ce-150000.207.1
• Containers Module 15-SP5 (aarch64 ppc64le s390x x86_64)
  • docker-25.0.6_ce-150000.207.1
  • docker-debuginfo-25.0.6_ce-150000.207.1
• Containers Module 15-SP5 (noarch)
  • docker-rootless-extras-25.0.6_ce-150000.207.1
  • docker-bash-completion-25.0.6_ce-150000.207.1
• Containers Module 15-SP6 (aarch64 ppc64le s390x x86_64)
  • docker-25.0.6_ce-150000.207.1
  • docker-debuginfo-25.0.6_ce-150000.207.1
• Containers Module 15-SP6 (noarch)
  • docker-rootless-extras-25.0.6_ce-150000.207.1
  • docker-bash-completion-25.0.6_ce-150000.207.1
• SUSE Linux Enterprise High Performance Computing 15 SP2 LTSS 15-SP2 (aarch64 x86_64)
  • docker-25.0.6_ce-150000.207.1
  • docker-debuginfo-25.0.6_ce-150000.207.1
• SUSE Linux Enterprise High Performance Computing 15 SP2 LTSS 15-SP2 (noarch)
  • docker-bash-completion-25.0.6_ce-150000.207.1
• SUSE Linux Enterprise High Performance Computing LTSS 15 SP3 (aarch64 x86_64)
  • docker-25.0.6_ce-150000.207.1
  • buildah-1.35.4-150300.8.25.1
  • docker-debuginfo-25.0.6_ce-150000.207.1
• SUSE Linux Enterprise High Performance Computing LTSS 15 SP3 (noarch)
  • docker-bash-completion-25.0.6_ce-150000.207.1
  • docker-fish-completion-25.0.6_ce-150000.207.1
• SUSE Linux Enterprise High Performance Computing ESPOS 15 SP4 (aarch64 x86_64)
  • docker-25.0.6_ce-150000.207.1
  • docker-debuginfo-25.0.6_ce-150000.207.1
• SUSE Linux Enterprise High Performance Computing ESPOS 15 SP4 (noarch)
  • docker-rootless-extras-25.0.6_ce-150000.207.1
  • docker-bash-completion-25.0.6_ce-150000.207.1
• SUSE Linux Enterprise High Performance Computing LTSS 15 SP4 (aarch64 x86_64)
  • docker-25.0.6_ce-150000.207.1
  • docker-debuginfo-25.0.6_ce-150000.207.1
• SUSE Linux Enterprise High Performance Computing LTSS 15 SP4 (noarch)
  • docker-rootless-extras-25.0.6_ce-150000.207.1
  • docker-bash-completion-25.0.6_ce-150000.207.1
• SUSE Linux Enterprise Server 15 SP2 LTSS 15-SP2 (aarch64 ppc64le s390x x86_64)
  • docker-25.0.6_ce-150000.207.1
  • docker-debuginfo-25.0.6_ce-150000.207.1
• SUSE Linux Enterprise Server 15 SP2 LTSS 15-SP2 (noarch)
  • docker-bash-completion-25.0.6_ce-150000.207.1
• SUSE Linux Enterprise Server 15 SP3 LTSS 15-SP3 (aarch64 ppc64le s390x x86_64)
  • docker-25.0.6_ce-150000.207.1
  • buildah-1.35.4-150300.8.25.1
  • docker-debuginfo-25.0.6_ce-150000.207.1
• SUSE Linux Enterprise Server 15 SP3 LTSS 15-SP3 (noarch)
  • docker-bash-completion-25.0.6_ce-150000.207.1
  • docker-fish-completion-25.0.6_ce-150000.207.1
• SUSE Linux Enterprise Server 15 SP4 LTSS 15-SP4 (aarch64 ppc64le s390x x86_64)
  • docker-25.0.6_ce-150000.207.1
  • docker-debuginfo-25.0.6_ce-150000.207.1
• SUSE Linux Enterprise Server 15 SP4 LTSS 15-SP4 (noarch)
  • docker-rootless-extras-25.0.6_ce-150000.207.1
  • docker-bash-completion-25.0.6_ce-150000.207.1
• SUSE Linux Enterprise Server for SAP Applications 15 SP2 (ppc64le x86_64)
  • docker-25.0.6_ce-150000.207.1
  • docker-debuginfo-25.0.6_ce-150000.207.1
• SUSE Linux Enterprise Server for SAP Applications 15 SP2 (noarch)
  • docker-bash-completion-25.0.6_ce-150000.207.1
• SUSE Linux Enterprise Server for SAP Applications 15 SP3 (ppc64le x86_64)
  • docker-25.0.6_ce-150000.207.1
  • buildah-1.35.4-150300.8.25.1
  • docker-debuginfo-25.0.6_ce-150000.207.1
• SUSE Linux Enterprise Server for SAP Applications 15 SP3 (noarch)
  • docker-bash-completion-25.0.6_ce-150000.207.1
  • docker-fish-completion-25.0.6_ce-150000.207.1
• SUSE Linux Enterprise Server for SAP Applications 15 SP4 (ppc64le x86_64)
  • docker-25.0.6_ce-150000.207.1
  • docker-debuginfo-25.0.6_ce-150000.207.1
• SUSE Linux Enterprise Server for SAP Applications 15 SP4 (noarch)
  • docker-rootless-extras-25.0.6_ce-150000.207.1
  • docker-bash-completion-25.0.6_ce-150000.207.1
• SUSE Enterprise Storage 7.1 (aarch64 x86_64)
  • docker-25.0.6_ce-150000.207.1
  • buildah-1.35.4-150300.8.25.1
  • docker-debuginfo-25.0.6_ce-150000.207.1
• SUSE Enterprise Storage 7.1 (noarch)
  • docker-bash-completion-25.0.6_ce-150000.207.1
  • docker-fish-completion-25.0.6_ce-150000.207.1
• SUSE Linux Enterprise Micro 5.1 (aarch64 s390x x86_64)
  • docker-25.0.6_ce-150000.207.1
  • docker-debuginfo-25.0.6_ce-150000.207.1
• SUSE Linux Enterprise Micro 5.2 (aarch64 s390x x86_64)
  • docker-25.0.6_ce-150000.207.1
  • docker-debuginfo-25.0.6_ce-150000.207.1
• SUSE Linux Enterprise Micro for Rancher 5.2 (aarch64 s390x x86_64)
  • docker-25.0.6_ce-150000.207.1
  • docker-debuginfo-25.0.6_ce-150000.207.1

References:

• https://www.suse.com/security/cve/CVE-2024-1753.html
• https://www.suse.com/security/cve/CVE-2024-23651.html
• https://www.suse.com/security/cve/CVE-2024-23652.html
• https://www.suse.com/security/cve/CVE-2024-23653.html
• https://www.suse.com/security/cve/CVE-2024-24786.html
• https://www.suse.com/security/cve/CVE-2024-28180.html
• https://www.suse.com/security/cve/CVE-2024-3727.html
• https://www.suse.com/security/cve/CVE-2024-41110.html
• https://bugzilla.suse.com/show_bug.cgi?id=1214855
• https://bugzilla.suse.com/show_bug.cgi?id=1219267
• https://bugzilla.suse.com/show_bug.cgi?id=1219268
• https://bugzilla.suse.com/show_bug.cgi?id=1219438
• https://bugzilla.suse.com/show_bug.cgi?id=1221243
• https://bugzilla.suse.com/show_bug.cgi?id=1221677
• https://bugzilla.suse.com/show_bug.cgi?id=1221916
• https://bugzilla.suse.com/show_bug.cgi?id=1223409
• https://bugzilla.suse.com/show_bug.cgi?id=1224117
• https://bugzilla.suse.com/show_bug.cgi?id=1228324