SUSE-CU-2026:4023-1: Security update of private-registry/harbor-portal
sle-container-updates at lists.suse.com
sle-container-updates at lists.suse.com
Thu Apr 16 07:08:26 UTC 2026
SUSE Container Update Advisory: private-registry/harbor-portal
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2026:4023-1
Container Tags : private-registry/harbor-portal:1.1.2 , private-registry/harbor-portal:1.1.2-2.17 , private-registry/harbor-portal:latest
Container Release : 2.17
Severity : important
Type : security
References : 1259711 1259726 1259729 1260441 1260442 1260443 1260444 1260445
1260754 1260755 1261678 CVE-2026-28387 CVE-2026-28388 CVE-2026-28389
CVE-2026-28390 CVE-2026-31789 CVE-2026-31790 CVE-2026-32776 CVE-2026-32777
CVE-2026-32778 CVE-2026-33416 CVE-2026-33636
-----------------------------------------------------------------
The container private-registry/harbor-portal was updated. The following patches have been included in this update:
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:1352-1
Released: Wed Apr 15 15:36:49 2026
Summary: Security update for expat
Type: security
Severity: important
References: 1259711,1259726,1259729,CVE-2026-32776,CVE-2026-32777,CVE-2026-32778
This update for expat fixes the following issues:
- CVE-2026-32776: NULL pointer dereference when processing empty external parameter entities inside an entity
declaration value (bsc#1259726).
- CVE-2026-32777: denial of service due to infinite loop in DTD content parsing (bsc#1259711).
- CVE-2026-32778: NULL pointer dereference in `setContext` on retry after an out-of-memory condition (bsc#1259729).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:1368-1
Released: Wed Apr 15 16:35:24 2026
Summary: Security update for libpng16
Type: security
Severity: important
References: 1260754,1260755,CVE-2026-33416,CVE-2026-33636
This update for libpng16 fixes the following issues:
- CVE-2026-33416: use-after-free via pointer aliasing in `png_set_tRNS` and `png_set_PLTE` can lead to arbitrary code
execution (bsc#1260754).
- CVE-2026-33636: out-of-bounds read/write in the palette expansion on ARM Neon can lead to information leak and
crashes (bsc#1260755).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:1375-1
Released: Wed Apr 15 19:25:40 2026
Summary: Security update for openssl-3
Type: security
Severity: important
References: 1260441,1260442,1260443,1260444,1260445,1261678,CVE-2026-28387,CVE-2026-28388,CVE-2026-28389,CVE-2026-28390,CVE-2026-31789,CVE-2026-31790
This update for openssl-3 fixes the following issues:
Security issues fixed:
- CVE-2026-28387: Potential use-after-free in DANE client code (bsc#1260441).
- CVE-2026-28388: NULL Pointer Dereference When Processing a Delta CRL (bsc#1260442).
- CVE-2026-28389: Possible NULL dereference when processing CMS KeyAgreeRecipientInfo (bsc#1260443).
- CVE-2026-31789: Heap buffer overflow in hexadecimal conversion (bsc#1260444).
- CVE-2026-31790: Incorrect failure handling in RSA KEM RSASVE encapsulation (bsc#1260445).
- CVE-2026-28390: NULL pointer dereference during processing of a crafted CMS EnvelopedData message with
KeyTransportRecipientInfo (bsc#1261678).
Other updates and bugfixes:
- Enable MD2 in legacy provider (jsc#PED-15724).
The following package changes have been done:
- libexpat1-2.7.1-150700.3.12.1 updated
- libpng16-16-1.6.40-150600.3.17.1 updated
- libopenssl3-3.2.3-150700.5.31.1 updated
- system-user-harbor-2.14.3-150700.1.9 updated
- harbor-portal-2.14.3-150700.1.9 updated
More information about the sle-container-updates
mailing list