SUSE-CU-2026:4471-1: Security update of suse/multi-linux-manager/5.1/x86_64/server

sle-container-updates at lists.suse.com
Thu Apr 23 08:22:44 UTC 2026


SUSE Container Update Advisory: suse/multi-linux-manager/5.1/x86_64/server
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2026:4471-1
Container Tags        : suse/multi-linux-manager/5.1/x86_64/server:5.1.3 , suse/multi-linux-manager/5.1/x86_64/server:5.1.3.8.16.1 , suse/multi-linux-manager/5.1/x86_64/server:latest
Container Release     : 8.16.1
Severity              : important
Type                  : security
-----------------------------------------------------------------

The container suse/multi-linux-manager/5.1/x86_64/server was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2026:636-1
Released:    Wed Feb 25 12:59:46 2026
Summary:     Recommended update for libvirt
Type:        recommended
Severity:    moderate
References:  
This update for libvirt fixes the following issues:

- virsh: Introduce new hypervisor-cpu-models command (jsc#PED-13062)
- wireshark: Adapt to wireshark-4.6.0 (jsc#PED-15400)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2026:640-1
Released:    Wed Feb 25 16:40:32 2026
Summary:     Recommended update for sssd
Type:        recommended
Severity:    moderate
References:  1212476,1257509
This update for sssd fixes the following issues:

- Use %pre scriptlet instead of %pretrans to migrate from sssd-common (bsc#1257509)
- Update to release 2.10.2 (jsc#PED-12449):
    * If the ssh responder is not running, sss_ssh_knownhosts will not fail
    * SSSD is now capable of handling multiple services associated with the same port.
    * sssd_pam, being a privileged binary, now clears the environment and
      does not allow configuration of the PR_SET_DUMPABLE flag as a precaution.
- Changes from sssd 2.10.1:
    * SSSD no longer creates missing path components of DIR:/FILE: ccache types
      while acquiring a user's TGT. The parent directory of the requested ccache directory must exist and the user
      trying to log in must have rwx access to this directory. This matches the behavior of /usr/bin/kinit.
    * The option default_domain_suffix is deprecated.
- Changes from sssd 2.10.0:
    * The ``sssctl cache-upgrade`` command was removed.
      SSSD performs automatic upgrades at startup when needed.
    * Support of ``enumeration`` feature for AD/IPA providers is deprecated and
      might be removed in further releases.
    * The new tool ``sss_ssh_knownhosts`` can be used with ssh's ``KnownHostsCommand``
      configuration option to retrieve the host's public keys from a remote server.
      It replaces ``sss_ssh_knownhostsproxy``.
    * The default value for ``ldap_id_use_start_tls`` changed from false to true for improved security.
- Fix socket activation of responders
- Daemon now runs as unprivileged user 'sssd'
- Fix build parameter name omitted
- Update filelists involving memberof.so and idmap/sss.so to
  avoid gobbling up one file into multiple sssd subpackages.
- Fix spec file for openSUSE ALP and SUSE SLFO, where the
  python3_fix_shebang_path RPM macro is not available
- remove dependency on /usr/bin/python3 using
  %python3_fix_shebang_path macro (bsc#1212476)
  
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:646-1
Released:    Wed Feb 25 17:29:20 2026
Summary:     Security update for expat
Type:        security
Severity:    moderate
References:  1257144,1257496,CVE-2026-24515,CVE-2026-25210
This update for expat fixes the following issues:

- CVE-2026-24515: Fixed a null dereference in XML_ExternalEntityParserCreate. (bsc#1257144)
- CVE-2026-25210: Fixed an integer overflow in doContent. (bsc#1257496)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2026:654-1
Released:    Thu Feb 26 14:54:49 2026
Summary:     Recommended update for libgit2
Type:        recommended
Severity:    moderate
References:  1246578
This update for libgit2 fixes the following issues:

- Fix: libgit2: git_remote_fetch(): fatal: git upload-pack (bsc#1246578)
    * clear data after negotiation

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:664-1
Released:    Thu Feb 26 16:15:04 2026
Summary:     Security update for python3
Type:        security
Severity:    important
References:  1257029,1257031,1257041,1257042,1257044,1257046,CVE-2025-11468,CVE-2025-15282,CVE-2025-15366,CVE-2025-15367,CVE-2026-0672,CVE-2026-0865
This update for python3 fixes the following issues:

- CVE-2025-11468: header injection when folding a long comment in an email header containing exclusively unfoldable
  characters (bsc#1257029).
- CVE-2026-0672: HTTP header injection via user-controlled cookie values and parameters when using http.cookies.Morsel
  (bsc#1257031).
- CVE-2026-0865: user-controlled header containing newlines can allow injecting HTTP headers (bsc#1257042).
- CVE-2025-15366: user-controlled command can allow additional commands to be injected using newlines (bsc#1257044).
- CVE-2025-15282: parsing user-controlled data URLs may allow injecting headers (bsc#1257046).
- CVE-2025-15367: control characters may allow the injection of additional commands (bsc#1257041).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2026:671-1
Released:    Thu Feb 26 16:37:05 2026
Summary:     Recommended update for adcli
Type:        recommended
Severity:    important
References:  1257717
This update for adcli fixes the following issues:

- Improve DC locator strategy, do not query more servers than necessary (bsc#1257717):
    * Make adcli info DC location mechanism more compliant

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2026:677-1
Released:    Fri Feb 27 10:13:42 2026
Summary:     Recommended update for grub2
Type:        recommended
Severity:    important
References:  1254299,1254415,1258022
This update for grub2 fixes the following issues:

- Support dm multipath bootlist on PowerPC (bsc#1254415)
- Backport upstream's commit to prevent BIOS assert (bsc#1258022)
- Fix error 'grub-core/script/lexer.c:352:out of memory' after PowerPC CAS Reboot (bsc#1254299)
    * Fix PowerPC CAS reboot to evaluate menu context

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2026:682-1
Released:    Fri Feb 27 11:28:46 2026
Summary:     Recommended update for fence-agents
Type:        recommended
Severity:    moderate
References:  1250417,1253230
This update for fence-agents fixes the following issues:

- add new skip_os_shutdown flag to fence_aws fence agent (bsc#1250417).
- Adding new fence agent for Nutanix AHV (jsc#PED-13087, bsc#1253230).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:741-1
Released:    Mon Mar  2 09:11:04 2026
Summary:     Security update for shim
Type:        security
Severity:    moderate
References:  1240871,1247432,CVE-2024-2312

This update for shim fixes the following issues:

shim is updated to version 16.1:

- shim_start_image(): fix guid/handle pairing when uninstalling protocols
- Fix uncompressed ipv6 netboot
- fix test segfaults caused by uninitialized memory
- SbatLevel_Variable.txt: minor typo fix.
- Realloc() needs to allocate one more byte for sprintf()
- IPv6: Add more check to avoid multiple double colon and illegal char
- Loader proto v2
- loader-protocol: add workaround for EDK2 2025.02 page fault on FreePages
- Generate Authenticode for the entire PE file
- README: mention new loader protocol and interaction with UKIs
- shim: change automatically enable MOK_POLICY_REQUIRE_NX
- Save var info
- add SbatLevel entry 2025051000 for PSA-2025-00012-1
- Coverity fixes 20250804
- fix http boot
- Fix double free and leak in the loader protocol


shim is updated to version 16.0:


- Validate that a supplied vendor cert is not in PEM format
- sbat: Add grub.peimage,2 to latest (CVE-2024-2312)
- sbat: Also bump latest for grub,4 (and to todays date)
- undo change that limits certificate files to a single file
- shim: don't set second_stage to the empty string
- Fix SBAT.md for today's consensus about numbers
- Update Code of Conduct contact address
- make-certs: Handle missing OpenSSL installation
- Update MokVars.txt
- export DEFINES for sub makefile
- Drop unused EFI_IMAGE_SECURITY_DATABASE_GUID definition
- Null-terminate 'arguments' in fallback
- Fix 'Verifiying' typo in error message
- Update Fedora CI targets
- Force gcc to produce DWARF4 so that gdb can use it
- Minor housekeeping 2024121700
- Discard load-options that start with WINDOWS
- Fix the issue that the gBS->LoadImage pointer was empty.
- shim: Allow data after the end of device path node in load options
- Handle network file not found like disks
- Update gnu-efi submodule for EFI_HTTP_ERROR
- Increase EFI file alignment
- avoid EFIv2 runtime services on Apple x86 machines
- Improve shortcut performance when comparing two boolean expressions
- Provide better error message when MokManager is not found
- tpm: Boot with a warning if the event log is full
- MokManager: remove redundant logical constraints
- Test import_mok_state() when MokListRT would be bigger than available size
- test-mok-mirror: minor bug fix
- Fix file system browser hang when enrolling MOK from disk
- Ignore a minor clang-tidy nit
- Allow fallback to default loader when encountering errors on network boot
- test.mk: don't use a temporary random.bin
- pe: Enhance debug report for update_mem_attrs
- Multiple certificate handling improvements
- Generate SbatLevel Metadata from SbatLevel_Variable.txt
- Apply EKU check with compile option
- Add configuration option to boot an alternative 2nd stage
- Loader protocol (with Device Path resolution support)
- netboot cleanup for additional files
- Document how revocations can be delivered
- post-process-pe: add tests to validate NX compliance
- regression: CopyMem() in ad8692e copies out of bounds
- Save the debug and error logs in mok-variables
- Add features for the Host Security ID program
- Mirror some more efi variables to mok-variables
- This adds DXE Services measurements to HSI and uses them for NX
- Add shim's current NX_COMPAT status to HSIStatus
- README.tpm: reflect that vendor_db is in fact logged as 'vendor_db'
- Reject HTTP message with duplicate Content-Length header fields
- Disable log saving
- fallback: don't add new boot order entries backwards
- README.tpm: Update MokList entry to MokListRT
- SBAT Level update for February 2025 GRUB CVEs

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:767-1
Released:    Tue Mar  3 14:05:42 2026
Summary:     Security update for python311
Type:        security
Severity:    important
References:  1257029,1257031,1257041,1257042,1257044,1257046,1257108,CVE-2025-11468,CVE-2025-12781,CVE-2025-15282,CVE-2025-15366,CVE-2025-15367,CVE-2026-0672,CVE-2026-0865
This update for python311 fixes the following issues:

- CVE-2025-11468: header injection when folding a long comment in an email header containing exclusively unfoldable
  characters (bsc#1257029).
- CVE-2025-12781: inadequate parameter check can cause data integrity issues (bsc#1257108).
- CVE-2025-15282: parsing user-controlled data URLs may allow injecting headers (bsc#1257046).
- CVE-2025-15366: user-controlled command can allow additional commands to be injected using newlines (bsc#1257044).
- CVE-2025-15367: control characters may allow the injection of additional commands (bsc#1257041).
- CVE-2026-0672: HTTP header injection via user-controlled cookie values and parameters when using http.cookies.Morsel
  (bsc#1257031).
- CVE-2026-0865: user-controlled header containing newlines can allow injecting HTTP headers (bsc#1257042).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:779-1
Released:    Tue Mar  3 14:25:07 2026
Summary:     Security update for libssh
Type:        security
Severity:    moderate
References:  1258045,1258049,1258054,1258080,1258081,CVE-2026-0964,CVE-2026-0965,CVE-2026-0966,CVE-2026-0967,CVE-2026-0968
This update for libssh fixes the following issues:

- CVE-2026-0964: improper sanitization of paths received from SCP servers can cause path traversal (bsc#1258049).
- CVE-2026-0965: possible denial of service when parsing unexpected configuration files (bsc#1258045).
- CVE-2026-0966: buffer underflow in ssh_get_hexa() on invalid input (bsc#1258054).
- CVE-2026-0967: specially crafted patterns could cause denial of service (bsc#1258081).
- CVE-2026-0968: malformed SFTP message can lead to out-of-bounds read (bsc#1258080).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:781-1
Released:    Tue Mar  3 14:28:04 2026
Summary:     Security update for patch
Type:        security
Severity:    low
References:  1194037,CVE-2021-45261
This update for patch fixes the following issues:

- CVE-2021-45261: Clear range of pointers before they are used/freed (bsc#1194037).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:783-1
Released:    Tue Mar  3 14:36:14 2026
Summary:     Security update for zlib
Type:        security
Severity:    moderate
References:  1258392,CVE-2026-27171
This update for zlib fixes the following issue:

- CVE-2026-27171: Fixed infinite loop via the `crc32_combine64` and `crc32_combine_gen64` functions due to missing
  checks for negative lengths (bsc#1258392).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2026:791-1
Released:    Tue Mar  3 16:59:33 2026
Summary:     Recommended update for gcc15
Type:        recommended
Severity:    moderate
References:  1257463
This update for gcc15 fixes the following issues:

- Fix bogus expression simplification (bsc#1257463)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:801-1
Released:    Wed Mar  4 13:33:26 2026
Summary:     Security update for libxslt
Type:        security
Severity:    moderate
References:  1250553,CVE-2025-10911
This update for libxslt fixes the following issues:

- CVE-2025-10911: use-after-free will be fixed on libxml2 side instead (bsc#1250553).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:813-1
Released:    Thu Mar  5 09:33:59 2026
Summary:     Security update for mozilla-nss
Type:        security
Severity:    moderate
References:  1258568,CVE-2026-2781
This update for mozilla-nss fixes the following issues:

Update to NSS 3.112.3:

* CVE-2026-2781: Avoid integer overflow in platform-independent ghash (bsc#1258568)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:829-1
Released:    Thu Mar  5 16:17:08 2026
Summary:     Security update for gnutls
Type:        security
Severity:    moderate
References:  1257960,1258083,CVE-2025-14831
This update for gnutls fixes the following issues:

Security issue:

- CVE-2025-14831: excessive resource consumption when verifying specially crafted malicious certificates containing a
  large number of name constraints and subject alternative names (bsc#1257960).

Other updates and bugfixes:

- update libgnutls package to avoid binder getting calculated with SHA256 (bsc#1258083, jsc#PED-15752, jsc#PED-15753).
- lib/psk: Add gnutls_psk_allocate_{client,server}_credentials2
- tests/psk-file: Add testing for _credentials2 functions
- lib/psk: add null check for binder algo
- pre_shared_key: fix memleak when retrying with different binder algo
- pre_shared_key: add null check on pskcred

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2026:835-1
Released:    Fri Mar  6 08:27:09 2026
Summary:     Recommended update for apache2
Type:        recommended
Severity:    moderate
References:  1229147
This update for apache2 fixes the following issues:

- Fix: apache2 default config gives a warning AH00317 (bsc#1229147).
    * The default value for MaxRequestWorkers should be a multiple of 25,
      so we're setting it from 256 down to 250, which is what Apache was
      doing during runtime in any case.

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2026:844-1
Released:    Fri Mar  6 16:45:31 2026
Summary:     Recommended update for glibc
Type:        recommended
Severity:    moderate
References:  1258319
This update for glibc fixes the following issues:

- nss: Missing checks in __nss_configure_lookup, __nss_database_get (bsc#1258319, BZ #28940)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:855-1
Released:    Tue Mar 10 06:06:34 2026
Summary:     Security update for c3p0 and mchange-commons
Type:        security
Severity:    important
References:  1258913,1258942,1259313,CVE-2026-27727,CVE-2026-27830
This update for c3p0 and mchange-commons fixes the following issues:

c3p0:
    
- Security issues fixed:

  - CVE-2026-27830: Fixed unsafe object deserialization (bsc#1258942)

- Fix the null pointer exception in the userOverridesAsString
  method (bsc#1259313).
    
mchange-commons:

- Security issues fixed:

  - CVE-2026-27727: Disabled remote ClassLoading when dereferencing javax.naming.Reference instances (bsc#1258913)


-----------------------------------------------------------------
Advisory ID: SUSE-RU-2026:863-1
Released:    Wed Mar 11 13:41:48 2026
Summary:     Recommended update for openldap2
Type:        recommended
Severity:    moderate
References:  
This update for openldap2 fixes the following issues:

- expose ldap_log.h in -devel (jsc#PED-15735)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:881-1
Released:    Thu Mar 12 11:18:51 2026
Summary:     Security update for postgresql18
Type:        security
Severity:    important
References:  1258008,1258009,1258010,1258011,1258012,1258754,CVE-2026-2003,CVE-2026-2004,CVE-2026-2005,CVE-2026-2006,CVE-2026-2007
This update for postgresql18 fixes the following issues:

Update to version 18.3 (bsc#1258754).

Security issues fixed:

- CVE-2026-2003: improper validation of type 'oidvector' may allow disclosure of a few bytes of server memory (bsc#1258008).
- CVE-2026-2004: intarray missing validation of type of input to selectivity estimator could lead to arbitrary code
  execution (bsc#1258009).
- CVE-2026-2005: buffer overrun in contrib/pgcrypto's PGP decryption functions could lead to arbitrary code execution
  (bsc#1258010).
- CVE-2026-2006: inadequate validation of multibyte character lengths could lead to arbitrary code execution
  (bsc#1258011).
- CVE-2026-2007: pg_trgm heap buffer overflow can cause a pattern to be written onto server memory (bsc#1258012).
    
Regression fixes:

  - the substring() function raises an error 'invalid byte sequence for encoding' on non-ASCII text values if the
    source of that value is a database column (caused by CVE-2026-2006 fix).
  - a standby may halt and return an error 'could not access status of transaction'.

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:882-1
Released:    Thu Mar 12 11:19:24 2026
Summary:     Security update for postgresql16
Type:        security
Severity:    important
References:  1258008,1258009,1258010,1258011,1258754,CVE-2026-2003,CVE-2026-2004,CVE-2026-2005,CVE-2026-2006
This update for postgresql16 fixes the following issues:

Update to version 16.13 (bsc#1258754).

Security issues fixed:

- CVE-2026-2003: improper validation of type 'oidvector' may allow disclosure of a few bytes of server memory (bsc#1258008).
- CVE-2026-2004: intarray missing validation of type of input to selectivity estimator could lead to arbitrary code
  execution (bsc#1258009).
- CVE-2026-2005: buffer overrun in contrib/pgcrypto's PGP decryption functions could lead to arbitrary code execution
  (bsc#1258010).
- CVE-2026-2006: inadequate validation of multibyte character lengths could lead to arbitrary code execution
  (bsc#1258011).
    
Regression fixes:

  - the substring() function raises an error 'invalid byte sequence for encoding' on non-ASCII text values if the
    source of that value is a database column (caused by CVE-2026-2006 fix).
  - a standby may halt and return an error 'could not access status of transaction'.

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:903-1
Released:    Tue Mar 17 11:04:44 2026
Summary:     Security update for curl
Type:        security
Severity:    important
References:  1259362,1259363,1259364,1259365,CVE-2026-1965,CVE-2026-3783,CVE-2026-3784,CVE-2026-3805
This update for curl fixes the following issues:

- CVE-2026-1965: bad reuse of HTTP Negotiate connection (bsc#1259362).
- CVE-2026-3783: token leak with redirect and netrc (bsc#1259363).
- CVE-2026-3784: wrong proxy connection reuse with credentials (bsc#1259364).
- CVE-2026-3805: use after free in SMB connection reuse (bsc#1259365).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:910-1
Released:    Tue Mar 17 20:34:12 2026
Summary:     Security update for vim
Type:        security
Severity:    moderate
References:  1246602,1258229,1259051,CVE-2025-53906,CVE-2026-26269,CVE-2026-28417
This update for vim fixes the following issues:

Update Vim to version 9.2.0110:

- CVE-2025-53906: malicious zip archive may cause a path traversal in Vim's zip (bsc#1246602).
- CVE-2026-26269: Netbeans specialKeys stack buffer overflow (bsc#1258229).
- CVE-2026-28417: crafted URL parsed by netrw plugin can lead to execution of arbitrary shell commands (bsc#1259051).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2026:912-1
Released:    Wed Mar 18 07:19:42 2026
Summary:     Recommended update for ca-certificates-mozilla
Type:        recommended
Severity:    moderate
References:  1229003,1258002
This update for ca-certificates-mozilla fixes the following issues:

- test for a concretely missing certificate rather than
  just the directory, as the latter is now also provided by openssl-3
- Re-create java-cacerts with SOURCE_DATE_EPOCH set
  for reproducible builds (bsc#1229003)
- Also mark /usr/share/factory/var/lib/ca-certificates/ as writable by the user 
  during install: allow rpm to properly execute %clean when completed.
- Create /var/lib/ca-certificates during build to ensure rpm gives
  the %ghost'ed directory proper mode attributes.
- Updated to 2.84 state (bsc#1258002)
    * Removed:
        + Baltimore CyberTrust Root
        + CommScope Public Trust ECC Root-01
        + CommScope Public Trust ECC Root-02
        + CommScope Public Trust RSA Root-01
        + CommScope Public Trust RSA Root-02
        + DigiNotar Root CA
    * Added: 
        + e-Szigno TLS Root CA 2023
        + OISTE Client Root ECC G1
        + OISTE Client Root RSA G1
        + OISTE Server Root ECC G1
        + OISTE Server Root RSA G1
        + SwissSign RSA SMIME Root CA 2022 - 1
        + SwissSign RSA TLS Root CA 2022 - 1
        + TrustAsia SMIME ECC Root CA
        + TrustAsia SMIME RSA Root CA
        + TrustAsia TLS ECC Root CA
        + TrustAsia TLS RSA Root CA
- Re-enable the distrusted certs again. The distrust is only for certs
  issued after the distrust date, not for all certs of a CA.
  
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:932-1
Released:    Thu Mar 19 11:26:45 2026
Summary:     Security update for tomcat
Type:        security
Severity:    important
References:  1258371,1258385,1258387,CVE-2025-66614,CVE-2026-24733,CVE-2026-24734
This update for tomcat fixes the following issues:

Update to Tomcat 9.0.115:

- CVE-2025-66614: client certificate verification bypass due to virtual host mapping (bsc#1258371).
- CVE-2026-24733: improper input validation on HTTP/0.9 requests (bsc#1258385).
- CVE-2026-24734: certificate revocation bypass due to incomplete OCSP verification checks (bsc#1258387).
  
Changelog:

 * Catalina
 + Fix: 69623: Additional fix for the long standing regression that meant
 that calls to ClassLoader.getResource().getContent() failed when made from
 within a web application with resource caching enabled if the target
 resource was packaged in a JAR file. (markt)
 + Fix: Pull request #923: Avoid adding multiple CSRF tokens to a URL in the
 CsrfPreventionFilter. (schultz)
 + Fix: 69918: Ensure request parameters are correctly parsed for HTTP/2
 requests when the content-length header is not set. (dsoumis)
 + Update: Update the minimum and recommended versions for Tomcat Native to
 1.3.4. (markt)
 + Add: Add a new ssoReauthenticationMode to the Tomcat provided
 Authenticators that provides a per Authenticator override of the SSO Valve
 requireReauthentication attribute. (markt)
 + Fix: Ensure URL encoding errors in the Rewrite Valve trigger an exception
 rather than silently using a replacement character. (markt)
 + Fix: 69871: Increase log level to INFO for missing configuration for the
 rewrite valve. (remm)
 + Fix: Add log warnings for additional Host appBase suspicious values.
 (remm)
 + Fix: Remove hard dependency on tomcat-jni.jar for catalina.jar.
 org.apache.catalina.Connector no longer requires
 org.apache.tomcat.jni.AprStatus to be present. (markt)
 + Add: Add the ability to use a custom function to generate the client
 identifier in the CrawlerSessionManagerValve. This is only available
 programmatically. Pull request #902 by Brian Matzon. (markt)
 + Fix: Change the SSO reauthentication behaviour for SPNEGO authentication
 so that a normal SPNEGO authentication is performed if the SSL Valve is
 configured with reauthentication enabled. This is so that the delegated
 credentials will be available to the web application. (markt)
 + Fix: When generating the class path in the Loader, re-order the check on
 individual class path components to avoid a potential
 NullPointerException. Identified by Coverity Scan. (markt)
 + Fix: Fix SSL socket factory configuration in the JNDI realm. Based on pull
 request #915 by Joshua Rogers. (remm)
 + Update: Add an attribute, digestInRfc3112Order, to
 MessageDigestCredentialHandler to control the order in which the
 credential and salt are digested. By default, the current, non-RFC 3112
 compliant, order of salt then credential will be used. This default will
 change in Tomcat 12 to the RFC 3112 compliant order of credential then
 salt. (markt)
 * Cluster
 + Add: 62814: Document that human-readable names may be used for
 mapSendOptions and align documentation with channelSendOptions. Based on
 pull request #929 by archan0621. (markt)
 * Clustering
 + Fix: Correct a regression introduced in 9.0.109 that broke some clustering
 configurations. (markt)
 * Coyote
 + Fix: Prevent concurrent release of OpenSSLEngine resources and the
 termination of the Tomcat Native library as it can cause crashes during
 Tomcat shutdown. (markt)
 + Fix: Avoid possible NPEs when using a TLS enabled custom connector. (remm)
 + Fix: Improve warnings when setting ciphers lists in the FFM code,
 mirroring the tomcat-native changes. (remm)
 + Fix: 69910: Dereference TLS objects right after closing a socket to
 improve memory efficiency. (remm)
 + Fix: Relax the JSSE vs OpenSSL configuration style checks on SSLHostConfig
 to reflect the existing implementation that allows one configuration style
 to be used for the trust attributes and a different style for all the
 other attributes. (markt)
 + Fix: Better warning message when OpenSSLConf configuration elements are
 used with a JSSE TLS implementation. (markt)
 + Fix: When using OpenSSL via FFM, don't log a warning about missing CA
 certificates unless CA certificates were configured and the configuration
 failed. (markt)
 + Add: For configuration consistency between OpenSSL and JSSE TLS
 implementations, TLSv1.3 cipher suites included in the ciphers attribute
 of an SSLHostConfig are now always ignored (previously they would be
 ignored with OpenSSL implementations and used with JSSE implementations)
 and a warning is logged that the cipher suite has been ignored. (markt)
 + Add: Add the ciphersuite attribute to SSLHostConfig to configure the
 TLSv1.3 cipher suites. (markt)
 + Add: Add OCSP support to JSSE based TLS connectors and make the use of
 OCSP configurable per connector for both JSSE and OpenSSL based TLS
 implementations. Align the checks performed by OpenSSL with those
 performed by JSSE. (markt)
 + Add: Add support for soft failure of OCSP checks with soft failure support
 disabled by default. (markt)
 + Add: Add support for configuring the verification flags passed to
 OCSP_basic_verify when using an OpenSSL based TLS implementation. (markt)
 + Fix: Fix OpenSSL FFM code compatibility with LibreSSL versions below 3.5.
 + Fix: Don't log an incorrect certificate KeyStore location when creating a
 TLS connector if the KeyStore instance has been set directly on the
 connector. (markt)
 + Fix: HTTP/0.9 only allows GET as the HTTP method. (remm)
 + Add: Add strictSni attribute on the Connector to allow matching the
 SSLHostConfig configuration associated with the SNI host name to the
 SSLHostConfig configuration matched from the HTTP protocol host name. Non
 matching configurations will cause the request to be rejected. The
 attribute default value is true, enabling the matching. (remm)
 + Fix: Graceful failure for OCSP on BoringSSL in the FFM code. (remm)
 + Fix: 69866: Fix a memory leak when using a trust store with the OpenSSL
 provider. Pull request #912 by aogburn. (markt)
 + Fix: Fix AJP message length check. Pull request #916 by Joshua Rogers.
 * Jasper
 + Fix: 69333: Correct a regression in the previous fix for 69333 and ensure
 that reuse() or release() is always called for a tag. (markt)
 + Fix: 69877: Catch IllegalArgumentException when processing URIs when
 creating the classpath to handle invalid URIs. (remm)
 + Fix: Fix populating the classpath with the webapp classloader
 repositories. (remm)
 + Fix: 69862: Avoid NPE unwrapping Servlet exception which would hide some
 exception details. Patch submitted by Eric Blanquer. (remm)
 * Jdbc-pool
 + Fix: 64083: If the underlying connection has been closed, don't add it to
 the pool when it is returned. Pull request #235 by Alex Panchenko. (markt)
 * Web applications
 + Fix: Manager: Fix abrupt truncation of the HTML and JSON complete server
 status output if one or more of the web applications failed to start.
 (schultz)
 + Add: Manager: Include web application state in the HTML and JSON complete
 server status output. (markt)
 + Add: Documentation: Expand the documentation to better explain when OCSP
 is supported and when it is not. (markt)
 * Websocket
 + Fix: 69920: When attempting to write to a closed Writer or OutputStream
 obtained from a WebSocket session, throw an IOException rather than an
 IllegalStateException as required by Writer and strongly suggested by
 OutputStream. (markt)
 * Other
 + Add: Add property 'gpg.sign.files' to optionally disable release artefact
 signing with GPG. (rjung)
 + Add: Add test.silent property to suppress JUnit console output during test
 execution. Useful for cleaner console output when running tests with
 multiple threads. (csutherl)
 + Update: Update the internal fork of Commons Pool to 2.13.1. (markt)
 + Update: Update the internal fork of Commons DBCP to 2.14.0. (markt)
 + Update: Update Commons Daemon to 1.5.1. (markt)
 + Update: Update ByteBuddy to 1.18.3. (markt)
 + Update: Update UnboundID to 7.0.4. (markt)
 + Update: Update Checkstyle to 12.3.1. (markt)
 + Add: Improvements to French translations. (markt)
 + Add: Improvements to Japanese translations provided by tak7iji. (markt)
 + Add: Improvements to Chinese translations provided by Yang. vincent.h and
 yong hu. (markt)
 + Update: Update Tomcat Native to 1.3.5. (markt)
 + Add: Add test profile system for selective test execution. Profiles can be
 specified via -Dtest.profile=<name> to run specific test subsets without
 using patterns directly. Profile patterns are defined in
 test-profiles.properties. (csutherl)
 + Update: Update file extension to media type mappings to align with the
 current list used by the Apache Web Server (httpd). (markt)
 + Update: Update Commons Daemon to 1.5.0. (markt)
 + Update: Update Byte Buddy to 1.18.2. (markt)
 + Update: Update Checkstyle to 12.2.0. (markt)
 + Add: Improvements to Spanish translations provided by White Vogel. (markt)
 + Add: Improvements to French translations. (remm)
 + Update: Update the internal fork of Apache Commons BCEL to 6.11.0. (markt)
 + Update: Update to Byte Buddy 1.17.8. (markt)
 + Update: Update to Checkstyle 12.1.1. (markt)
 + Update: Update to Jacoco 0.8.14. (markt)
 + Update: Update to SpotBugs 4.9.8. (markt)
 + Update: Update to JSign 7.4. (markt)
 + Update: Update Maven Resolver Ant Tasks to 1.6.0. (rjung)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2026:966-1
Released:    Mon Mar 23 14:50:14 2026
Summary:     Recommended update for sssd
Type:        recommended
Severity:    important
References:  1259250,1259381,1259475
This update for sssd fixes the following issues:

- Restore default config file installation (bsc#1259250)
- Make sure previously rotated logs are chown-ed as well (bsc#1259475)    
- Fix sss_obfuscate crash with python 3.6 (bsc#1259381)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:1008-1
Released:    Wed Mar 25 11:07:21 2026
Summary:     Security update for Prometheus 
Type:        security
Severity:    important
References:  1255588,1257329,1257442,1257841,1257897,CVE-2025-12816,CVE-2025-13465,CVE-2025-61140,CVE-2026-1615,CVE-2026-25547
This update for Prometheus fixes the following issues:

golang-github-prometheus-alertmanager, golang-github-prometheus-node_exporter: 

- Internal changes to fix build issues with no impact for customers   

golang-github-prometheus-prometheus:

- Security issues fixed:

  * CVE-2026-27606: Fixed arbitrary file write via path traversal in rollup (bsc#1258893)
  * CVE-2026-25547: Fixed unbounded brace range expansion leading to excessive CPU and memory consumption (bsc#1257841)
  * CVE-2026-1615, CVE-2025-61140: The old web UI is no longer built due to security issues (bsc#1257897, bsc#1257442)
  * CVE-2025-13465: Bump lodash package to version 4.17.23 to fix prototype pollution vulnerability (bsc#1257329)
  * CVE-2025-12816: Interpretation conflict vulnerability allowing bypassing cryptographic verifications (bsc#1255588)

- Version update from 2.53.4 to 3.5.0 with the following highlighted changes (jsc#PED-13824):

  * Modernized Interface: Introduced a brand-new UI
  * Enhanced Cloud and Auth: Added unified AWS service discovery (EC2, ECS, Lightsail) and Azure Workload Identity support
    for more secure, native cloud authentication.
  * Performance Standards: Fully integrated OpenTelemetry (OTLP) ingestion and moved Native Histograms from experimental
    to a stable feature.
  * Advanced Data Export: Rolled out Remote Write 2.0, offering better performance and metadata handling when sending
    data to external systems.
  * Query Power: Added new PromQL functions (like first_over_time and last_over_time) and optimization for grouping
    operations.
  * Better Visibility: The UI now displays detailed relabeling steps, scrape intervals, and timeouts, making it easier
    to troubleshoot why targets aren't reporting correctly.
  * Critical Fixes: Resolved significant memory leaks related to query logging and fixed bugs where targets were
    accidentally being scraped multiple times.

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:1013-1
Released:    Wed Mar 25 11:11:46 2026
Summary:     Security update 5.0.7 for Multi-Linux Manager Client Tools
Type:        security
Severity:    important
References:  1245302,1251995,1253004,1253174,1253347,1253659,1253738,1254589,1255340,1255588,1255781,1256803,1257329,1257337,1257349,1257442,1257841,1257897,1257941,1258136,1258893,CVE-2025-12816,CVE-2025-13465,CVE-2025-3415,CVE-2025-61140,CVE-2025-68156,CVE-2026-1615,CVE-2026-21720,CVE-2026-21721,CVE-2026-21722,CVE-2026-25547,CVE-2026-27606
This update fixes the following issues:

dracut-saltboot:

- Version update to 1.1.0:

  * Retry DHCP requests up to 3 times (bsc#1253004)

golang-github-QubitProducts-exporter_exporter:

- Non-customer-facing optimization and update

golang-github-boynux-squid_exporter:

- Version update from 1.6.0 to 1.13.0 with the following highlighted changes and fixes (jsc#PED-14971):

  * Added compatibility for Squid 6 and support for the squid-internal-mgr metrics path
  * Added TLS and Basic Authentication to the exporter’s web interface
  * Added support for the exporter to authenticate against the Squid proxy itself
  * Allow the gathering of process information without requiring root privileges
  * The exporter can now be configured using environment variables
  * Added support for custom labels to all exported metrics for better data filtering
  * New metrics to track if Squid is running (squid_up), how long a scrape takes, and if any errors occurred
  * Added 'service time' metrics to analyze proxy speed and performance.
  * Added a metric for open file descriptors (process_open_fds) to help prevent connection bottlenecks
  * Corrected the squid_client_http_requests_total metric to ensure accurate reporting


golang-github-lusitaniae-apache_exporter:

- Version update from 1.0.8 to 1.0.10:

  * Updated github.com/prometheus/client_golang to 1.21.1
  * Updated github.com/prometheus/common to 0.63.0
  * Updated github.com/prometheus/exporter-toolkit to 0.14.0
  * Fixed signal handler logging

golang-github-prometheus-prometheus:

- Security issues fixed:

  * CVE-2026-27606: Fixed arbitrary file write via path traversal in rollup (bsc#1258893)
  * CVE-2026-25547: Fixed unbounded brace range expansion leading to excessive CPU and memory consumption (bsc#1257841)
  * CVE-2026-1615, CVE-2025-61140: The old web UI is no longer built due to security issues (bsc#1257897, bsc#1257442)
  * CVE-2025-13465: Bump lodash package to version 4.17.23 to fix prototype pollution vulnerability (bsc#1257329)
  * CVE-2025-12816: Interpretation conflict vulnerability allowing bypassing cryptographic verifications (bsc#1255588)

- Version update from 2.53.4 to 3.5.0 with the following highlighted changes (jsc#PED-13824):

  * Modernized Interface: Introduced a brand-new UI
  * Enhanced Cloud and Auth: Added unified AWS service discovery (EC2, ECS, Lightsail) and Azure Workload Identity support
    for more secure, native cloud authentication.
  * Performance Standards: Fully integrated OpenTelemetry (OTLP) ingestion and moved Native Histograms from experimental
    to a stable feature.
  * Advanced Data Export: Rolled out Remote Write 2.0, offering better performance and metadata handling when sending
    data to external systems.
  * Query Power: Added new PromQL functions (like first_over_time and last_over_time) and optimization for grouping
    operations
  * Better Visibility: The UI now displays detailed relabeling steps, scrape intervals, and timeouts, making it easier
    to troubleshoot why targets aren't reporting correctly.
  * Critical Fixes: Resolved significant memory leaks related to query logging and fixed bugs where targets were
    accidentally being scraped multiple times

grafana:

- Security issues fixed:

  * CVE-2026-21722: Public dashboards annotations: use dashboard timerange if time selection disabled (bsc#1258136)
  * CVE-2026-21721: Fixed access control by the dashboard permissions API (bsc#1257337)
  * CVE-2026-21720: Fixed unauthenticated DoS (bsc#1257349)
  * CVE-2025-68156: Fixed potential DoS via unbounded recursion in builtin functions (bsc#1255340)
  * CVE-2025-3415: Fixed exposure of DingDing alerting integration URL to Viewer level users (bsc#1245302)

- Version update from 11.5.10 to 11.6.11 with the following highlighted changes and fixes:
 
  * Performance Boost: Introduced WebGL-powered geomaps for smoother map visualizations and
    removed blurred backgrounds from UI overlays to speed up the interface
  * One-Click Actions: Visualizations now support faster navigation via one-click links and actions
  * Alerting History: Added version history for alert rules, allowing you to track changes over time
  * Service Accounts: Automated the migration of old API keys to more secure Service Accounts upon startup
  * Cron Support: Annotations now support Cron syntax for more flexible scheduling
  * Identity and Auth: Hardened the Avatar feature (now requires sign-in) and fixed several login redirection issues
    when Grafana is hosted on a subpath
  * Data Source Support: Added support for Cloud Partner Prometheus data sources and improved Azure legend formatting
  * Alerting Limits: Added size limits for expanded notification templates to prevent system strain
  * RBAC: Integrated Role-Based Access Control (RBAC) into the Alertmanager via the reqAction field
  * Data Consistency: Fixed several issues with Graphite and InfluxDB regarding how variables are handled in repeated
    rows or nested queries
  * Dashboard Reliability: Resolved bugs involving row repeats and 'self-referencing' data links
  * Alerting Fixes: Patched a critical 'panic' (crash) caused by a race condition in alert rules and fixed issues where
    contact points weren't working correctly
  * URL Handling: Fixed a bug where 'true' values in URL parameters weren't being read correctly

prometheus-blackbox_exporter:

- Non-customer-facing optimization and update

spacecmd:

- Version update to 5.0.15:

  * Fixed typo in spacecmd help ca-cert flag (bsc#1253174)
  * Convert cached IDs to integer values (bsc#1251995)
  * Fixed spacecmd binary file upload (bsc#1253659)

uyuni-tools:

- Version update to 0.1.38:

  * Fixed cobbler configuration when migrating to standalone files (bsc#1256803)
  * Detect custom apache and squid config in the /etc/uyuni/proxy folder
  * Add ssh tuning to configure sshd (bsc#1253738)
  * Ignore supportconfig errors (bsc#1255781)
  * Bumped the default image tag to 5.0.7
  * Removed cgroup mount for podman containers (bsc#1253347)
  * Registry flag can be a string (bsc#1254589)
  * Use static supportconfig name to avoid dynamic search (bsc#1257941)


-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:1040-1
Released:    Wed Mar 25 13:43:08 2026
Summary:     Security update for systemd
Type:        security
Severity:    important
References:  1259418,1259650,1259697,CVE-2026-29111,CVE-2026-4105
This update for systemd fixes the following issues:

- CVE-2026-4105: privilege escalation due to improper access control in RegisterMachine D-Bus method (bsc#1259650).
- CVE-2026-29111: local unprivileged user can trigger an assert in systemd (bsc#1259418).
- udev: check for invalid chars in various fields received from the kernel (bsc#1259697).

Changelog:

- a943e3ce2f machined: reject invalid class types when registering machines
- 71593f77db udev: fix review mixup
- 73a89810b4 udev-builtin-net-id: print cescaped bad attributes
- 0f360bfdc0 udev-builtin-net_id: do not assume the current interface name is ethX
- 40905232e2 udev: ensure tag parsing stays within bounds
- 7bce9026e3 udev: ensure there is space for trailing NUL before calling sprintf
- d018ac1ea3 udev: check for invalid chars in various fields received from the kernel
- aef6e11921 core/cgroup: avoid one unnecessary strjoina()
- cc7426f38a sd-json: fix off-by-one issue when updating parent for array elements
- 26a748f727 core: validate input cgroup path more prudently
- 99d8308fde core/dbus-manager: propagate meaningful dbus errors from EnqueueMarkedJobs

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:1065-1
Released:    Thu Mar 26 11:38:12 2026
Summary:     Security update for sqlite3
Type:        security
Severity:    moderate
References:  1254670,1259619,CVE-2025-70873,CVE-2025-7709
This update for sqlite3 fixes the following issues:

Update sqlite3 to 3.51.3:

- CVE-2025-7709: Integer Overflow in FTS5 Extension (bsc#1254670).
- CVE-2025-70873: SQLite zipfile extension may disclose uninitialized heap memory during inflation (bsc#1259619).

Changelog:

 * Fix the WAL-reset database corruption bug:
   https://sqlite.org/wal.html#walresetbug

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:1067-1
Released:    Thu Mar 26 11:39:01 2026
Summary:     Security update for python-urllib3
Type:        security
Severity:    moderate
References:  1254867,1259829,CVE-2025-66471
This update for python-urllib3 fixes the following issue:

- CVE-2025-66471: excessive resource consumption via decompression of highly compressed data in Streaming API
  (bsc#1254867).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:1074-1
Released:    Thu Mar 26 13:39:49 2026
Summary:     Security update for nghttp2
Type:        security
Severity:    important
References:  1259845,CVE-2026-27135
This update for nghttp2 fixes the following issues:

- CVE-2026-27135: Assertion failure due to missing state validation can lead to DoS (bsc#1259845).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:1075-1
Released:    Thu Mar 26 13:41:20 2026
Summary:     Security update for python-pyasn1
Type:        security
Severity:    important
References:  1259803,CVE-2026-30922
This update for python-pyasn1 fixes the following issues:

- CVE-2026-30922: Denial of Service via Unbounded Recursion (bsc#1259803).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:1090-1
Released:    Thu Mar 26 18:44:54 2026
Summary:     Security update for python3
Type:        security
Severity:    important
References:  1257181,CVE-2026-1299
This update for python3 fixes the following issues:

- CVE-2026-1299: header injection when an email is serialized due to improper newline quoting in BytesGenerator (bsc#1257181).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2026:1113-1
Released:    Fri Mar 27 10:34:35 2026
Summary:     Recommended update for crypto-policies
Type:        recommended
Severity:    moderate
References:  1258311,1259825
This update for crypto-policies fixes the following issues:

Enables PQC key exchange support for OpenSSH (bsc#1258311, bsc#1259825)

* The sntrup761x25519-sha512 hybrid key exchange for OpenSSH is enabled.

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:1153-1
Released:    Tue Mar 31 10:40:03 2026
Summary:     Security update for perl-XML-Parser
Type:        security
Severity:    important
References:  1259901,1259902,CVE-2006-10002,CVE-2006-10003
This update for perl-XML-Parser fixes the following issues:

- CVE-2006-10002: heap buffer overflow in `parse_stream` when processing UTF-8 input streams (bsc#1259901).
- CVE-2006-10003: off-by-one heap buffer overflow in `st_serial_stack` (bsc#1259902).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:1158-1
Released:    Tue Mar 31 13:55:47 2026
Summary:     Security update for python-pyasn1
Type:        security
Severity:    important
References:  1259803,CVE-2026-30922
This update for python-pyasn1 fixes the following issues:

- CVE-2026-30922: Denial of Service via Unbounded Recursion (bsc#1259803).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2026:1167-1
Released:    Thu Apr  2 08:23:20 2026
Summary:     Recommended update for apache2
Type:        recommended
Severity:    important
References:  1254182
This update for apache2 fixes the following issues:

- Update to 2.4.66:   
    * ECO: (jsc#PED-15953):
    * Fix: apache2-worker segfaults (bsc#1254182)
- Removed patches, as they've been merged/fixed upstream.
- Removed these FIPS-related patches too, as they too have been merged upstream

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:1169-1
Released:    Thu Apr  2 10:29:20 2026
Summary:     Security update for wireshark
Type:        security
Severity:    important
References:  1231475,1231476,1233593,1233594,1237414,1244081,1249090,1254108,1254262,1254471,1254472,1256734,1256736,1256738,1256739,1258907,1258908,1258909,CVE-2024-11595,CVE-2024-11596,CVE-2024-9780,CVE-2024-9781,CVE-2025-13499,CVE-2025-13674,CVE-2025-13945,CVE-2025-13946,CVE-2025-1492,CVE-2025-5601,CVE-2025-9817,CVE-2026-0959,CVE-2026-0960,CVE-2026-0961,CVE-2026-0962,CVE-2026-3201,CVE-2026-3202,CVE-2026-3203
This update for wireshark fixes the following issues:

Update Wireshark to version 4.6.4 (jsc#PED-15400).

- CVE-2024-9780: ITS dissector crash (bsc#1231475).
- CVE-2024-9781: AppleTalk and RELOAD Framing dissector crash (bsc#1231476).
- CVE-2024-11595: Loop with Unreachable Exit Condition ('Infinite Loop') in Wireshark (bsc#1233594).
- CVE-2024-11596: Buffer Over-read in Wireshark (bsc#1233593).
- CVE-2025-1492: Uncontrolled Recursion in Wireshark (bsc#1237414).
- CVE-2025-5601: Column handling crashes in Wireshark allows denial of service (bsc#1244081).
- CVE-2025-9817: NULL Pointer Dereference in ssh dissector (bsc#1249090).
- CVE-2025-13499: a malformed packet can lead to a Kafka dissector crash (bsc#1254108).
- CVE-2025-13674: injecting a malformed packet can cause a crash (bsc#1254262).
- CVE-2025-13945: HTTP3 dissector crash in Wireshark 4.6.0 and 4.6.1 allows denial of service (bsc#1254471).
- CVE-2025-13946: MEGACO dissector infinite loop in Wireshark 4.6.0 to 4.6.1 and 4.4.0 to 4.4.11 allows denial of
  service (bsc#1254472).
- CVE-2026-0959: denial of service via IEEE 802.11 protocol dissector crash (bsc#1256734).
- CVE-2026-0960: denial of service via HTTP3 protocol dissector infinite loop (bsc#1256736).
- CVE-2026-0961: denial of service vulnerability in BLF file parser (bsc#1256738).
- CVE-2026-0962: denial of service via SOME/IP-SD protocol dissector crash (bsc#1256739).
- CVE-2026-3201: missing limit checks in USB HID protocol dissector's `parse_report_descriptor` function can lead to
  memory exhaustion (bsc#1258907).
- CVE-2026-3202: missing checks in NTS-KE protocol dissector can lead to crash (bsc#1258908).
- CVE-2026-3203: missing length checks in the RF4CE Profile protocol dissector can lead to illegal memory access and
  crash (bsc#1258909).

Also libvirt was rebuilt against wireshark for the libvirt plugin.

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:1177-1
Released:    Thu Apr  2 17:00:30 2026
Summary:     Security update for tar
Type:        security
Severity:    important
References:  1246399,CVE-2025-45582
This update for tar fixes the following issue:

- CVE-2025-45582: file overwrite via directory traversal in crafted TAR archives (bsc#1246399).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:1192-1
Released:    Tue Apr  7 10:39:28 2026
Summary:     Security update for python-pyOpenSSL
Type:        security
Severity:    important
References:  1259804,1259808,CVE-2026-27448,CVE-2026-27459
This update for python-pyOpenSSL fixes the following issues:

- CVE-2026-27448: unhandled exception can result in connection not being cancelled (bsc#1259804).
- CVE-2026-27459: large cookie value can lead to a buffer overflow (bsc#1259808).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2026:1228-1
Released:    Thu Apr  9 10:27:25 2026
Summary:     Recommended update for shadow
Type:        recommended
Severity:    important
References:  1144060,1176006,1181400,1182850,1185897,1187536,1189139,1199026,1203823,1205502,1206627,1214806,1246052,916845,CVE-2013-4235,CVE-2023-4641
This update for shadow fixes the following issues:

shadow is updated to 4.17.2 to bring lots of features and bug fixes.

- util-linux-2.41 introduced new variable: LOGIN_ENV_SAFELIST. Recognize
  it and update dependencies.
 
- Set SYS_{UID,GID}_MIN to 201:
  After repeated similar requests to change the ID ranges we set the
  above mentioned value to 201. The max value will stay at 499.
  This range should be sufficient and will give us leeway for the
  future.
  It's not straightforward to find out which static UIDs/GIDs are
  used in all packages.
 
 
Update to 4.17.2:

* src/login_nopam.c: Fix compiler warnings #1170
* lib/chkname.c: Put limits for LOGIN_NAME_MAX and sysconf(_SC_LOGIN_NAME_MAX) #1169
* Use HTTPS in link to Wikipedia article on password strength #1164
* lib/attr.h: use C23 attributes only with gcc >= 10 #1172
* login: Fix no-pam authorization regression #1174
* man: Add Portuguese translation #1178
* Update French translation #1177
* Add cheap defense mechanisms #1171
* Add Romanian translation #1176

Update to 4.17.1:

* Fix `su -` regression #1163
 
Update to 4.17.0:

* Fix the lower part of the domain of csrand_uniform()
* Fix use of volatile pointer
* Use str2[u]l() instead of atoi(3)
* Use a2i() in various places
* Fix const correctness
* Use uid_t for holding UIDs (and GIDs)
* Move all sprintf(3)-like APIs to a subdirectory
* Move all copying APIs to a subdirectory
* Fix forever loop on ENOMEM
* Fix REALLOC() nmemb calculation
* Remove id(1)
* Remove groups(1)
* Use local time for human-readable dates
* Use %F instead of %Y-%m-%d with strftime(3)
* is_valid{user,group}_name(): Set errno to distinguish the reasons
* Recommend --badname only if it is useful
* Add fmkomstemp() to fix mode of /etc/default/useradd
* Fix use-after-free bug in sgetgrent()
* Update Catalan translation
* Remove references to cppw, cpgr
* groupadd, groupmod: Update gshadow file with -U
* Added option -a for listing active users only, optimized using if aflg,return
* Added information in lastlog man page for new option '-a'
* Plenty of code cleanup and clarifications

- Disable flushing sssd caches. The sssd's files provider is no
  longer available.

Update to 4.16.0:

* The shadow implementations of id(1) and groups(1) are deprecated
  in favor of the GNU coreutils and binutils versions.
  They will be removed in 4.17.0.
* The rlogind implementation has been removed.
* The libsubid major version has been bumped, since it now requires
  specification of the module's free() implementation.

Update to 4.15.1:

* Fix a bug that caused spurious error messages about unknown
  login.defs configuration options #967
* Adding checks for fd omission #964
* Use temporary stat buffer #974
* Fix wrong French translation #975

Update to 4.15.0:

* libshadow:
  + Use utmpx instead of utmp. This fixes a regression introduced
    in 4.14.0.
  + Fix build error (parameter name omitted).
* Build system:
  + Link correctly with libdl.
  + Install pam configs for chpasswd(8) and newusers(8) when using
    ./configure --with-libpam --disable-account-tools-setuid.
  + Merge libshadow and libmisc into a single libshadow. This fixes
    problems in the linker, which were reported at least in Gentoo.
  + Fix build with musl libc.
  + Support out of tree builds
* useradd(8):
  + Set proper SELinux labels for def_usrtemplate

Update to 4.14.6:

* login(1):
  + Fix off-by-one bugs.
* passwd(1):
  + Don't silently truncate passwords of length >= 200 characters.
    Instead, accept a length of PASS_MAX, and reject longer ones.
* libshadow:
  + Fix calculation in strtoday(), which caused a wrong half-day
    offset in some cases (bsc#1176006)
  + Fix parsing of dates in get_date() (bsc#1176006)
  + Use utmpx instead of utmp. This fixes a regression introduced in
    4.14.0.

Update to 4.14.5:

* Build system:
   + Fix regression introduced in 4.14.4, due to a typo. chgpasswd had
     been deleted from a Makefile variable, but it should have been
     chpasswd.

Update to 4.14.4:

* Build system:
  + Link correctly with libdl.
  + Install pam configs for chpasswd(8) and newusers(8) when using
    ./configure --with-libpam --disable-account-tools-setuid.
* libshadow:
  + Fix build error (parameter name omitted).
  + Fix off-by-one bug.
  + Remove warning.

Update to 4.14.3:

* libshadow: Avoid null pointer dereference (#904)

* Remove pam_keyinit from PAM configuration. (bsc#1199026 bsc#1203823)
  This was introduced for bsc#1144060.

Update to 4.14.2:


* libshadow:

  + Fix build with musl libc.
  + Avoid NULL dereference.
  + Update utmp at an initial login

* useradd(8):

  + Set proper SELinux labels for def_usrtemplate

* Manual:

  + Document --prefix in chage(1), chpasswd(8), and passwd(1)

Update to 4.14.1:

  Build system: Merge libshadow and libmisc into a single libshadow.
  This fixes problems in the linker, which were reported at least
  in Gentoo. #791

- Set proper SELinux labels for new homedirs.

Update to 4.14.0:

* configure: add with-libbsd option
* Code cleanup
* Replace utmp interface #757 
* new option enable-logind #674
* shadow userdel: add the adaptation to the busybox ps in 01-kill_user_procs.sh
* chsh: warn if root sets a shell not listed in /etc/shells #535
* newgrp: fix potential string injection
* lastlog: fix alignment of Latest header
* Fix yescrypt support #748
* chgpasswd: Fix segfault in command-line options
* gpasswd: Fix password leak (bsc#1214806, CVE-2023-4641)
* Add --prefix to passwd, chpasswd and chage #714 (bsc#1206627)
* usermod: fix off-by-one issues #701
* ch(g)passwd: Check selinux permissions upon startup #675
* sub_[ug]id_{add,remove}: fix return values
* chsh: Verify that login shell path is absolute #730
* process_prefix_flag: Drop privileges
* run_parts for groupadd and groupdel #706
* newgrp/useradd: always set SIGCHLD to default
* useradd/usermod: add --selinux-range argument #698
* sssd: skip flushing if executable does not exist #699
* semanage: Do not set default SELinux range #676
* Add control character check #687
* usermod: respect --prefix for --gid option
* Fix null dereference in basename
* newuidmap and newgidmap: support passing pid as fd
* Prevent out of boundary access #633
* Explicitly override only newlines #633
* Correctly handle illegal system file in tz #633
* Supporting vendor given -shells- configuration file #599
* Warn if failed to read existing /etc/nsswitch.conf
* chfn: new_fields: fix wrong fields printed
* Allow supplementary groups to be added via config file #586
* useradd: check if subid range exists for user #592 (rh#2012929)

- Rename lastlog to lastlog.legacy to be able to switch to
  Y2038 safe lastlog2 as default [jsc#PED-3144]

- bsc#1205502: Fix useradd audit event logging of ID field

Update to 4.13:

* useradd.8: fix default group ID
* Revert drop of subid_init()
* Georgian translation
* useradd: Avoid taking unneeded space: do not reset non-existent data in lastlog
* relax username restrictions
* selinux: check MLS enabled before setting serange
* copy_tree: use fchmodat instead of chmod
* copy_tree: don't block on FIFOs
* add shell linter
* copy_tree: carefully treat permissions
* lib/commonio: make lock failures more detailed
* lib: use strzero and memzero where applicable
* Update Dutch translation
* Don't test for NULL before calling free
* Use libc MAX() and MIN()
* chage: Fix regression in print_date
* usermod: report error if homedir does not exist
* libmisc: minimum id check for system accounts
* fix usermod -rG x y wrongly adding a group
* man: add missing space in useradd.8.xml
* lastlog: check for localtime() return value
* Raise limit for passwd and shadow entry length
* Remove adduser-old.c
* useradd: Fix buffer overflow when using a prefix
* Don't warn when failed to open /etc/nsswitch.conf

Update to 4.12.3:

Revert removal of subid_init, which should have bumped soname.
So note that 4.12 through 4.12.2 were broken for subid users.

Update to 4.12.2:

* Address CVE-2013-4235 (TOCTTOU when copying directories) [bsc#916845]

Update to 4.12.1:

* Fix uk manpages

Update to 4.12:

* Add absolute path hint to --root
* Various cleanups
* Fix Ubuntu release used in CI tests
* add -F options to useradd
* useradd manpage updates
* Check for ownerid (not just username) in subid ranges
* Declare file local functions static
* Use strict prototypes
* Do not drop const qualifier for Basename
* Constify various pointers
* Don't return uninitialized memory
* Don't let compiler optimize away memory cleaning
* Remove many obsolete compatibility checks and defines
* Modify ID range check in useradd
* Use 'extern "C"' to make libsubid easier to use from C++
* French translation updates
* Fix s/with-pam/with-libpam/
* Spanish translation updates
* French translation fixes
* Default max group name length to 32
* Fix PAM service files without-selinux
* Improve manpages
  - groupadd, useradd, usermod
  - groups and id
  - pwck
* Fix condition under which pw_dir check happens
* logoutd: switch to strncat
* AUTHORS: improve markdown output
* Handle ERANGE errors correctly
* Check for fopen NULL return
* Split get_salt() into its own fn
* Get salt before chroot to ensure /dev/urandom.
* Chpasswd code cleanup
* Work around git safe.directory enforcement
* Alphabetize order in usermod help
* Erase password copy on error branches
* Suggest using --badname if needed
* Update translation files
* Correct badnames option to badname
* configure: replace obsolete autoconf macros
* tests: replace egrep with grep -E
* Update Ukrainian translations
* Cleanups
  - Remove redeclared variable
  - Remove commented out code and FIXMEs
  - Add header guards
  - Initialize local variables
* CI updates
  - Create github workflow to install dependencies
  - Enable CodeQL
  - Update actions version
* libmisc: use /dev/urandom as fallback if other methods fail

Provide /etc/login.defs.d on SLE15 since we support and use it

Update to 4.11.1:

* build: include lib/shadowlog_internal.h in dist tarballs

Update to 4.11:
* Handle possible TOCTTOU issues in usermod/userdel (CVE-2013-4235)
  - Use O_NOFOLLOW when copying file
  - Kill all user tasks in userdel
* Fix useradd -D segfault
* Clean up obsolete libc feature-check ifdefs
* Fix -fno-common build breaks due to duplicate Prog declarations
* Have single date_to_str definition
* Fix libsubid SONAME version
* Clarify licensing info, use SPDX.

Update to 4.10:

* From this release forward, su from this package should be
  considered deprecated. Please replace any users of it with su
  from util-linux
* libsubid fixes
* Rename the test program list_subid_ranges to getsubids, write
  a manpage, so distros can ship it.
* Add libeconf dep for new*idmap
* Allow all group types with usermod -G
* Avoid useradd generating empty subid range
* Handle NULL pw_passwd
* Fix default value SHA_get_salt_rounds
* Use https where possible in README
* Update content and format of README
* Translation updates
* Switch from xml2po to itstool in 'make dist'
* Fix double frees
* Add LOG_INIT configurable to useradd
* Add CREATE_MAIL_SPOOL documentation
* Create a security.md
* Fix su never being SIGKILLd when trapping TERM
* Fix wrong SELinux labels in several possible cases
* Fix missing chmod in chadowtb_move
* Handle malformed hushlogins entries
* Fix groupdel segv when passwd does not exist
* Fix covscan-found newgrp segfault
* Remove trailing slash on homedir
* Fix passwd -l message - it does not change expiry
* Fix SIGCHLD handling bugs in su and vipw
* Remove special case for '' in usermod
* Implement usermod -rG to remove a specific group
* call pam_end() after fork in child path for su and login
* useradd: In absence of /etc/passwd, assume 0 == root
* lib: check NULL before freeing data
* Fix pwck segfault

- Really enable USERGROUPS_ENAB [bsc#1189139].

Added hardening to systemd service(s) (bsc#1181400).
* Add LOGIN_KEEP_USERNAME to login.defs.

* Remove PREVENT_NO_AUTH from login.defs. Only used by the
  unpackaged login and su.

* Remove variables BCRYPT_MIN_ROUNDS, BCRYPT_MAX_ROUNDS,
  YESCRYPT_COST_FACTOR, not supported by the current
  configuration.

* login.defs: Enable USERGROUPS_ENAB and CREATE_HOME to
  be compatible with other Linux distros and the other tools
  creating user accounts in use on openSUSE. Set HOME_MODE to 700
  for security reasons and compatibility. [bsc#1189139] [bsc#1182850]

Update to 4.9:

* Updated translations
* Major salt updates
* Various coverity and cleanup fixes
* Consistently use 0 to disable PASS_MIN_DAYS in man
* Implement NSS support for subids and a libsubid
* setfcap: retain setfcap when mapping uid 0
* login.defs: include HMAC_CRYPTO_ALGO key
* selinux fixes
* Fix path prefix path handling
* Manpage updates
* Treat an empty passwd field as invalid (Haelwenn Monnier)
* newxidmap: allow running under alternative gid
* usermod: check that shell is executable
* Add yescrypt support
* useradd memleak fixes
* useradd: use built-in settings by default
* getdefs: add foreign
* buffer overflow fixes
* Adding run-parts style for pre and post useradd/del

- login.defs/MOTD_FILE: Use '' instead of blank entry [bsc#1187536]
- Add /etc/login.defs.d directory

- Enable shadowgrp so that we can set more secure group passwords
  using shadow.

- Disable MOTD_FILE to allow the use of pam_motd to unify motd
  message output [bsc#1185897]. Else motd entries of e.g. cockpit
  will not be shown.
  
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:1310-1
Released:    Tue Apr 14 12:42:12 2026
Summary:     Security update for libssh
Type:        security
Severity:    moderate
References:  1259377,CVE-2026-3731
This update for libssh fixes the following issues:

- CVE-2026-3731: Denial of Service via out-of-bounds read in SFTP extension name handler (bsc#1259377).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:1338-1
Released:    Wed Apr 15 09:33:50 2026
Summary:     Security update for giflib
Type:        security
Severity:    moderate
References:  1259502,CVE-2026-23868
This update for giflib fixes the following issue:

- CVE-2026-23868: double-free result of a shallow copy can lead to memory corruption (bsc#1259502).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:1349-1
Released:    Wed Apr 15 15:35:54 2026
Summary:     Security update for python311
Type:        security
Severity:    important
References:  1252974,1254400,1254401,1254997,1257029,1257031,1257042,1257046,1257181,1259240,1259611,1259734,1259735,1259989,1260026,CVE-2025-11468,CVE-2025-12084,CVE-2025-13462,CVE-2025-13836,CVE-2025-13837,CVE-2025-15282,CVE-2025-6075,CVE-2026-0672,CVE-2026-0865,CVE-2026-1299,CVE-2026-2297,CVE-2026-3479,CVE-2026-3644,CVE-2026-4224,CVE-2026-4519
This update for python311 fixes the following issues:

- Updated to Python 3.11.15
- CVE-2025-6075: If the value passed to os.path.expandvars() is user-controlled a performance degradation is possible when expanding environment variables (bsc#1252974).
- CVE-2025-11468: header injection when folding a long comment in an email header containing exclusively unfoldable characters (bsc#1257029).
- CVE-2025-12084: quadratic algorithm in xml.dom.minidom leads to denial of service (bsc#1254997).
- CVE-2025-13462: incorrect parsing of TarInfo header when GNU long name and type AREGTYPE are combined (bsc#1259611).
- CVE-2025-13836: When reading an HTTP response from a server, if no read amount is specified, the default behavior will be to use Content-Length (bsc#1254400).
- CVE-2025-13837: When loading a plist file, the plistlib module reads data in size specified by the file itself, meaning a malicious file can cause OOM and DoS issues (bsc#1254401).
- CVE-2025-15282: user-controlled data URLs parsed may allow injecting headers (bsc#1257046).
- CVE-2026-0672: HTTP header injection via user-controlled cookie values and parameters when using http.cookies.Morsel (bsc#1257031).
- CVE-2026-0865: user-controlled header containing newlines can allow injecting HTTP headers (bsc#1257042).
- CVE-2026-1299: header injection when an email is serialized due to improper newline quoting in `BytesGenerator` (bsc#1257181).
- CVE-2026-2297: cpython: incorrectly handled hook in FileLoader can lead to validation bypass (bsc#1259240).
- CVE-2026-3479: python: improper resource argument validation can allow path traversal (bsc#1259989).
- CVE-2026-3644: incomplete control character validation in http.cookies (bsc#1259734).
- CVE-2026-4224: C stack overflow when parsing XML with deeply nested DTD content models (bsc#1259735).
- CVE-2026-4519: leading dashes in URLs are accepted by the `webbrowser.open()` API and allow for web browser command line option injection (bsc#1260026).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:1351-1
Released:    Wed Apr 15 15:36:38 2026
Summary:     Security update for bind
Type:        security
Severity:    important
References:  1259202,1260567,1260568,1260569,1260805,CVE-2026-1519,CVE-2026-3104,CVE-2026-3119,CVE-2026-3591
This update for bind fixes the following issues:

Security issues:

- CVE-2026-1519: maliciously crafted DNSSEC-validated zone can lead to denial of service (bsc#1260805).
- CVE-2026-3104: memory leak in code preparing DNSSEC proofs of non-existence allows for DoS (bsc#1260567).
- CVE-2026-3119: authenticated queries containing a TKEY record may cause `named` to terminate unexpectedly
  (bsc#1260568).
- CVE-2026-3591: stack use-after-return flaw in SIG(0) handling code allows for ACL bypass (bsc#1260569).
- use-after-free error in `dns_client_resolve()` triggered by a DNAME response (bsc#1259202).

Upgrade to release 9.20.21
 Security Fixes:
 * Fix unbounded NSEC3 iterations when validating referrals to
   unsigned delegations. (CVE-2026-1519) [bsc#1260805]
 * Fix memory leaks in code preparing DNSSEC proofs of
   non-existence. (CVE-2026-3104) [bsc#1260567]
 * Prevent a crash in code processing queries containing a TKEY
   record. (CVE-2026-3119) [bsc#1260568]
 * Fix a stack use-after-return flaw in SIG(0) handling code.
   (CVE-2026-3591) [bsc#1260569]
 * Fix a use-after-free error in dns_client_resolve() triggered by
   a DNAME response. This issue only affected the delv tool and it
   has now been fixed. [bsc#1259202]
 Feature Changes:
 * Record query time for all dnstap responses.
 * Optimize TCP source port selection on Linux.
 Bug Fixes:
 * Fix the handling of key statements defined inside views.
 * Fix an assertion failure triggered by non-minimal IXFRs.
 * Fix a crash when retrying a NOTIFY over TCP.
 * Fetch loop detection improvements.
 * Randomize nameserver selection.
 * Fix dnstap logging of forwarded queries.
 * A stale answer could have been served in case of multiple
   upstream failures when following CNAME chains. This has been
   fixed.
 * Fail DNSKEY validation when supported but invalid DS is found.
 * Importing an invalid SKR file might corrupt stack memory.
 * Return FORMERR for queries with the EDNS Client Subnet FAMILY
   field set to 0.
 * Fix inbound IXFR performance regression.
 * Make catalog zone names and member zones' entry names
   case-insensitive.
 * Fix implementation of BRID and HHIT record types.
 * Fix implementation of DSYNC record type.
 * Fix response policy and catalog zones to work with $INCLUDE
   directive.

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:1352-1
Released:    Wed Apr 15 15:36:49 2026
Summary:     Security update for expat
Type:        security
Severity:    important
References:  1259711,1259726,1259729,CVE-2026-32776,CVE-2026-32777,CVE-2026-32778
This update for expat fixes the following issues:

- CVE-2026-32776: NULL pointer dereference when processing empty external parameter entities inside an entity
  declaration value (bsc#1259726).
- CVE-2026-32777: denial of service due to infinite loop in DTD content parsing (bsc#1259711).
- CVE-2026-32778: NULL pointer dereference in `setContext` on retry after an out-of-memory condition (bsc#1259729).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:1353-1
Released:    Wed Apr 15 15:37:16 2026
Summary:     Security update for netty, netty-tcnative
Type:        security
Severity:    important
References:  1261031,1261043,CVE-2026-33870,CVE-2026-33871
This update for netty, netty-tcnative fixes the following issues:

Update to 4.1.132:

- CVE-2026-33870: incorrect parsing of quoted strings in HTTP/1.1 can lead to request smuggling (bsc#1261031).
- CVE-2026-33871: sending a flood of CONTINUATION frames can lead to a denial of service (bsc#1261043).

Changelog:

- Upgrade to upstream version 4.1.132
  * Fixes:
    + Fix Incorrect nanos-to-millis conversion in epoll_wait EINTR
      retry loop
    + Make RefCntOpenSslContext.deallocate more robust
    + HTTP2: Correctly account for padding when decompress
    + Fix high-order bit aliasing in HttpUtil.validateToken
    + fix: the precedence of + is higher than >>
    + AdaptiveByteBufAllocator: make sure byteBuf.capacity() not
      greater than byteBuf.maxCapacity()
    + AdaptivePoolingAllocator: call unreserveMatchingBuddy(...)
      if byteBuf initialization failed
    + Don't assume CertificateFactory is thread-safe
    + Fix HttpObjectAggregator leaving connection stuck after 413
      with AUTO_READ=false
    + HTTP2: Ensure preface is flushed in all cases
    + Fix UnsupportedOperationException in readTrailingHeaders
    + Fix client_max_window_bits parameter handling in
      permessage-deflate extension
    + Native transports: Fix possible fd leak when fcntl fails.
    + Kqueue: Fix undefined behaviour when GetStringUTFChars fails
      and SO_ACCEPTFILTER is supported
    + Kqueue: Possible overflow when using
      netty_kqueue_bsdsocket_setAcceptFilter(...)
    + Native transports: Fix undefined behaviour when
      GetStringUTFChars fails while open FD
    + Epoll: Add null checks for safety reasons
    + Epoll: Use correct value to initialize mmsghdr.msg_namelen
    + Epoll: Fix support for IP_RECVORIGDSTADDR
    + AdaptivePoolingAllocator: remove ensureAccessible() call in
      capacity(int) method
    + Epoll: setTcpMg5Sig(...) might overflow
    + JdkZlibDecoder: accumulate decompressed output before firing
      channelRead
    + Limit the number of Continuation frames per HTTP2 Headers
      (bsc#1261043, CVE-2026-33871)
    + Stricter HTTP/1.1 chunk extension parsing (bsc#1261031,
      CVE-2026-33870)
    + rediff
- Upgrade to upstream version 4.1.131
  + NioDatagramChannel.block(...) does not early return on failure
  + Support for AWS Libcrypto (AWS-LC) netty-tcnative build
  + codec-dns: Decompress MX RDATA exchange domain names during
    DNS record decoding
  + Buddy allocation for large buffers in adaptive allocator
  + SslHandler: Only resume on EventLoop if EventLoop is not
    shutting down already
  + Wrap ECONNREFUSED in PortUnreachableException for UDP
  + Bump com.ning:compress-lzf (4.1)
  + Fix adaptive allocator bug from not noticing failed allocation
  + Avoid losing original read exception
  + Backport multiple adaptive allocator changes
- Upgrade to version 4.1.130
- Upgrade to version 2.0.75 Final
  * No formal changelog present
  * Needed by netty >= 4.2.11
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2026:1358-1
Released:    Wed Apr 15 15:46:03 2026
Summary:     Recommended update for sssd
Type:        recommended
Severity:    important
References:  1259253,1259436,1259545,1260409,1260413
This update for sssd fixes the following issues:

- Do not package capabilities, will be applied by %set_permissions rpm macro (bsc#1259436);
- Silence noisy warning from sss_cache if run prior to starting the daemon and
  config.ldb does not exist (bsc#1259545);
- Fix ldap_child process started by the backend process ending in defunct state;
- Create the secrets directory for the KCM service (bsc#1259253);
- Fix missing nss library in 32bit package (bsc#1260409);
- Fix packaging wrong permissions for /usr/share/polkit-1/rules.d (bsc#1260413).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:1359-1
Released:    Wed Apr 15 16:06:45 2026
Summary:     Security update for sudo
Type:        security
Severity:    important
References:  1261420,CVE-2026-35535
This update for sudo fixes the following issue:

- CVE-2026-35535: Fixed potential privilege escalation when running the mailer (bsc#1261420).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:1368-1
Released:    Wed Apr 15 16:35:24 2026
Summary:     Security update for libpng16
Type:        security
Severity:    important
References:  1260754,1260755,CVE-2026-33416,CVE-2026-33636
This update for libpng16 fixes the following issues:

- CVE-2026-33416: use-after-free via pointer aliasing in `png_set_tRNS` and `png_set_PLTE` can lead to arbitrary code
  execution (bsc#1260754).
- CVE-2026-33636: out-of-bounds read/write in the palette expansion on ARM Neon can lead to information leak and
  crashes (bsc#1260755).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:1369-1
Released:    Wed Apr 15 16:42:55 2026
Summary:     Security update for glibc
Type:        security
Severity:    important
References:  1260078,1260082,CVE-2026-4437,CVE-2026-4438
This update for glibc fixes the following issues:

- CVE-2026-4437: incorrect DNS response parsing via crafted DNS server response (bsc#1260078).
- CVE-2026-4438: invalid DNS hostname returned via gethostbyaddr functions (bsc#1260082).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:1375-1
Released:    Wed Apr 15 19:25:40 2026
Summary:     Security update for openssl-3
Type:        security
Severity:    important
References:  1260441,1260442,1260443,1260444,1260445,1261678,CVE-2026-28387,CVE-2026-28388,CVE-2026-28389,CVE-2026-28390,CVE-2026-31789,CVE-2026-31790
This update for openssl-3 fixes the following issues:

Security issues fixed:
    
- CVE-2026-28387: Potential use-after-free in DANE client code (bsc#1260441).
- CVE-2026-28388: NULL Pointer Dereference When Processing a Delta CRL (bsc#1260442).
- CVE-2026-28389: Possible NULL dereference when processing CMS KeyAgreeRecipientInfo (bsc#1260443).
- CVE-2026-31789: Heap buffer overflow in hexadecimal conversion (bsc#1260444).
- CVE-2026-31790: Incorrect failure handling in RSA KEM RSASVE encapsulation (bsc#1260445).
- CVE-2026-28390: NULL pointer dereference during processing of a crafted CMS EnvelopedData message with
  KeyTransportRecipientInfo (bsc#1261678).
    
Other updates and bugfixes:
 
- Enable MD2 in legacy provider (jsc#PED-15724).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2026:1377-1
Released:    Thu Apr 16 09:19:21 2026
Summary:     Recommended update for libtcnative-1-0
Type:        recommended
Severity:    important
References:  1260322
This update for libtcnative-1-0 fixes the following issues:

Update to 1.3.7: [bsc#1260322]

  1.3.7:
    * Code: Refactor access to ASN1_OCTET_STRING to use setters to fix
      errors when building against the latest OpenSSL 4.0.x code. (markt)
    * Fix: Fix the handling of OCSP requests with multiple responder URIs.
      (jfclere)
    * Fix: Fix the handling of TRY_AGAIN responses to OCSP requests when
      soft fail is disabled. (jfclere)

  1.3.6:
      
    * Code: Refactor the SSL_CONF_CTX clean-up to align it with SSL and
      SSL_CTX clean-up. (markt)
    * Fix: Fix unnecessarily large buffer allocation when filtering out NULL
      and export ciphers. Pull requests #35 and #37 provided by chenjp.
      (markt)
    * Fix: Fix a potential memory leak if an invalid OpenSSLConf is
      provided. Pull request #36 provided by chenjp. (markt)
    * Fix: Refactor setting of OCSP configuration defaults as they were only
      applied if the SSL_CONF_CTX was used. While one was always used with
      Tomcat versions aware of the OCSP configuration options, one was not
      always used with Tomcat versions unaware of the OCSP configuration
      options leading to OCSP verification being enabled by default when the
      expected behaviour was disabled by default. (markt)
    * Code: Improve performance for the rare case of handling large OCSP
      responses. (markt) 

  1.3.5:

    * Fix: Remove group write permissions from the files in the tar.gz
      source archive. (markt)
    * Fix: Clear an additional error in OCSP processing that was preventing
      OCSP soft fail working with Tomcat's APR/native connector. (markt)

  1.3.4:

    * Fix: Correct logic error that prevented the configuration of TLS 1.3
      cipher suites. (markt)

  1.3.3:

    * Fix: Refactor the addition of TLS 1.3 cipher suite configuration to
      avoid a regression when running a version of Tomcat that pre-dates
      this change. (markt)

  1.3.2:

    * Update: Rename configure.in to modern autotools style configure.ac.
      (rjung)
    * Update: Fix incomplete updates for autotools generated files during
      'buildconf' execution. (rjung)
    * Update: Improve quoting in tcnative.m4. (rjung)
    * Update: Update the minimum version of autoconf for releasing to 2.68.
      (rjung)
    * Fix: Fix the autoconf warnings when creating a release. (markt)
    * Update: The Windows binaries are now built with OCSP support enabled
      by default. (markt)
    * Add: Include a nonce with OCSP requests and check the nonce, if any,
      in the OCSP response. (markt)
    * Add: Expand verification of OCSP responses. (markt)
    * Add: Add the ability to configure the OCSP checks to soft-fail - i.e.
      if the responder cannot be contacted or fails to respond in a timely
      manner the OCSP check will not fail. (markt)
    * Add: Add a configurable timeout to the writing of OCSP requests and
      reading of OCSP responses. (markt)
    * Add: Add the ability to control the OCSP verification flags. (markt)
    * Add: Configure TLS 1.3 connections from the provided ciphers list as
      well as connections using TLS 1.2 and earlier. Pull request provided
      by gastush. (markt)
    * Update: Update the Windows build environment to use Visual Studio
      2022. (markt)

  1.3.1:

    * Fix: Fix a crash on Windows when SSLContext.setCACertificate() is
      invoked with a null value for caCertificateFile and a non-null value
      for caCertificatePath until properly addressed with
      https://github.com/openssl/openssl/issues/24416. (michaelo)
    * Add: Use ERR_error_string_n with a definite buffer length as a named
      constant. (schultz)
    * Add: Ensure local reference capacity is available when creating new
      arrays and Strings. (schultz)
    * Update: Update the recommended minimum version of OpenSSL to 3.0.14.
      (markt)

  1.3.0:

    * Update: Drop useless compile.optimize option. (michaelo)
    * Update: Align Java source compile configuration with Tomcat.
      (michaelo)
    * Fix: Fix version set in DLL header on Windows. (michaelo)
    * Update: Remove an unreachable if condition around CRLs in
      sslcontext.c. (michaelo)
    * Fix: 67818: When calling SSL.setVerify() or SSLContext.setVerify(),
      the default verify paths are no longer set. Only the explicitly
      configured trust store, if any, will be used. (michaelo)
    * Update: Update the minimum supported version of LibreSSL to 3.5.2.
      (markt)
    * Design: Remove NPN support as NPN was never standardised and browser
      support was removed in 2019. (markt)
    * Update: Update the recommended minimum version of OpenSSL to 3.0.13.
      (markt)


Update to 1.2.39:

  * Fix: 67061: If the insecure optionalNoCA certificate verification
    mode is used, disable OCSP if enabled else client certificates
    from unknown certificate authorities will be rejected.
  * Update: Update the recommended minimum version of OpenSSL to
    3.0.11.
  * Change the hardcoded libopenssl-1_1-devel to libopenssl-devel
    for distributions that have the right version

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:1386-1
Released:    Thu Apr 16 11:17:06 2026
Summary:     Security update for openssl-1_1
Type:        security
Severity:    important
References:  1260441,1260442,1260443,1260444,1261678,CVE-2026-28387,CVE-2026-28388,CVE-2026-28389,CVE-2026-28390,CVE-2026-31789
This update for openssl-1_1 fixes the following issues:

- CVE-2026-28387: Potential use-after-free in DANE client code (bsc#1260441).
- CVE-2026-28388: NULL Pointer Dereference When Processing a Delta CRL (bsc#1260442).
- CVE-2026-28389: Possible NULL dereference when processing CMS KeyAgreeRecipientInfo (bsc#1260443).
- CVE-2026-28390: NULL pointer dereference during processing of a crafted CMS EnvelopedData message with
  KeyTransportRecipientInfo (bsc#1261678).
- CVE-2026-31789: Heap buffer overflow in hexadecimal conversion (bsc#1260444).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:1400-1
Released:    Thu Apr 16 12:47:09 2026
Summary:     Security update for python-PyJWT
Type:        security
Severity:    important
References:  1259616,CVE-2026-32597
This update for python-PyJWT fixes the following issues:

- CVE-2026-32597: Fixed acceptance of unknown `crit` header extensions (bsc#1259616).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2026:1404-1
Released:    Thu Apr 16 14:27:19 2026
Summary:     Recommended update for fence-agents
Type:        recommended
Severity:    important
References:  1218718,1250417,1261670
This update for fence-agents fixes the following issues:

- fence_vmware_rest: 
    * a fix seems to be missing in the latest version (bsc#1261670)
    * monitoring is not detecting problems accessing the fence device (bsc#1218718)
- fence_aws: Fix shebang to be able to use python3.11 if it is installed (bsc#1250417).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:1406-1
Released:    Thu Apr 16 14:35:15 2026
Summary:     Security update for util-linux
Type:        security
Severity:    moderate
References:  1222465,1234736,1258859,CVE-2026-3184
This update for util-linux fixes the following issues:

Security issue:

- CVE-2026-3184: access control bypass due to improper hostname canonicalization in `login` (bsc#1258859).

Non security issues:

- recognize fuse 'portal' as a virtual file system (bsc#1234736).
- fdisk: fix possible partition overlay and data corruption if EBR gap is missing (bsc#1222465).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:1418-1
Released:    Thu Apr 16 18:43:02 2026
Summary:     Security update for iproute2
Type:        security
Severity:    low
References:  1254324,CVE-2024-58251
This update for iproute2 fixes the following issue:

- CVE-2024-58251: denial of service via terminal escape sequences (bsc#1254324).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2026:1426-1
Released:    Fri Apr 17 10:56:41 2026
Summary:     Recommended update for grub2
Type:        recommended
Severity:    important
References:  1221126,1249385,1259543
This update for grub2 fixes the following issues:

- Fix missing install device check in grub2-install on PowerPC which could lead
  to bootlist corruption (bsc#1221126)
    * add mandatory install device check for PowerPC
- Fix PowerPC network boot prefix to correctly locate grub.cfg (bsc#1249385)
    * use net config for boot location instead of
- Fix double free in xen booting if root filesystem is Btrfs (bsc#1259543)
    * btrfs: add ability to boot from subvolumes
    * btrfs: get default subvolume

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:1432-1
Released:    Fri Apr 17 12:12:08 2026
Summary:     Security update for libcap
Type:        security
Severity:    important
References:  1261809,CVE-2026-4878
This update for libcap fixes the following issue:

- CVE-2026-4878: Address a potential TOCTOU race condition in cap_set_file() (bsc#1261809).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2026:1434-1
Released:    Fri Apr 17 12:49:03 2026
Summary:     Recommended update for apparmor
Type:        recommended
Severity:    moderate
References:  1225811,1259441
This update for apparmor fixes the following issues:

- samba gives denied in audit with apparmor (bsc#1225811).
- apparmor denies printing with profiles on sle15-sp7 (bsc#1259441).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:1441-1
Released:    Fri Apr 17 16:18:19 2026
Summary:     Security update for avahi
Type:        security
Severity:    moderate
References:  1257235,CVE-2026-24401
This update for avahi fixes the following issue:

- CVE-2026-24401: avahi-daemon can be crashed via a segmentation fault by sending an unsolicited mDNS response
  containing a recursive CNAME record (bsc#1257235).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:1443-1
Released:    Fri Apr 17 16:40:44 2026
Summary:     Security update for NetworkManager
Type:        security
Severity:    moderate
References:  1225498,1257359,CVE-2025-9615
This update for NetworkManager fixes the following issue:

Security fixes:

- CVE-2025-9615: Fixed non-admin user using others' certificates (bsc#1257359).

Other fixes:

- Don't renew DHCP lease when software devices' MAC is empty (bsc#1225498).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2026:1475-1
Released:    Mon Apr 20 12:02:25 2026
Summary:     Recommended update for sles-release
Type:        recommended
Severity:    low
References:  
This update for sles-release fixes the following issue:

- Adjust product and codestream EOL.
  
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:1510-1
Released:    Tue Apr 21 08:28:12 2026
Summary:     Security update for ncurses
Type:        security
Severity:    moderate
References:  1259924,CVE-2025-69720
This update for ncurses fixes the following issue:

- CVE-2025-69720: buffer overflow in function `analyze_string()` of `progs/infocmp.c` (bsc#1259924).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2026:1526-1
Released:    Tue Apr 21 11:28:26 2026
Summary:     Maintenance update for Multi-Linux Manager 5.1: Server, Proxy and Retail Branch Server
Type:        recommended
Severity:    moderate
References:  1240895,1244321,1246315,1249675,1250367,1250557,1251821,1251865,1252098,1252548,1252638,1252793,1252867,1252927,1252964,1253034,1253144,1253712,1254154,1254259,1254585,1254619,1254629,1255743,1256044,1256392,1256422,1256493,1256512,1256583,1256590,1256791,1257022,1257447,1257621,1257647,1257660,1257674,1257760,1257823,1257941,1257950,1257967,1258015,1258017,1258106,1258168,1258378,1258382,1258796,1258927,1259057,1259127,1259137,1259208,1259230,1259243,1259287,1259316,1259416,1259471,1259519,1259590,1262136
Maintenance update for Multi-Linux Manager 5.1: Server, Proxy and Retail Branch Server

This is a codestream-only update.


The following package changes have been done:

- crypto-policies-20230920.570ea89-150600.3.16.1 updated
- libldap-data-2.4.46-150600.25.3.1 updated
- libcap2-2.63-150400.3.6.1 updated
- libssh-config-0.9.8-150600.11.12.1 updated
- login_defs-4.17.2-150600.17.18.1 updated
- libapparmor1-3.1.7-150600.5.12.2 updated
- libz1-1.2.13-150500.4.6.1 updated
- libsqlite3-0-3.51.3-150000.3.39.1 updated
- libsubid5-4.17.2-150600.17.18.1 added
- libnghttp2-14-1.64.0-150700.3.3.1 updated
- libgcc_s1-15.2.0+git10201-150000.1.9.1 updated
- libstdc++6-15.2.0+git10201-150000.1.9.1 updated
- openssl-3-3.2.3-150700.5.31.1 updated
- libblkid1-2.40.4-150700.4.10.1 updated
- libmount1-2.40.4-150700.4.10.1 updated
- libssh4-0.9.8-150600.11.12.1 updated
- libuuid1-2.40.4-150700.4.10.1 updated
- libatomic1-15.2.0+git10201-150000.1.9.1 updated
- libudev1-254.27-150600.4.62.1 updated
- ncurses-utils-6.1-150000.5.33.1 updated
- libldap-2_4-2-2.4.46-150600.25.3.1 updated
- libopenssl-3-fips-provider-3.2.3-150700.5.31.1 updated
- inter-server-sync-0.3.11-150700.3.9.2 updated
- libcurl4-8.14.1-150700.7.14.1 updated
- glibc-2.38-150600.14.46.1 updated
- libsmartcols1-2.40.4-150700.4.10.1 updated
- libopenssl3-3.2.3-150700.5.31.1 updated
- libexpat1-2.7.1-150700.3.12.1 updated
- curl-8.14.1-150700.7.14.1 updated
- tar-1.34-150000.3.37.1 updated
- libncurses6-6.1-150000.5.33.1 updated
- golang-github-QubitProducts-exporter_exporter-0.4.0-150000.1.21.1 updated
- ca-certificates-mozilla-2.84-150200.44.1 updated
- shadow-4.17.2-150600.17.18.1 updated
- libsystemd0-254.27-150600.4.62.1 updated
- systemd-254.27-150600.4.62.1 updated
- terminfo-base-6.1-150000.5.33.1 updated
- adcli-0.8.2-150400.17.11.1 updated
- sles-release-15.7-150700.67.6.1 updated
- libavahi-common3-0.8-150600.15.15.1 updated
- libfdisk1-2.40.4-150700.4.10.1 updated
- util-linux-2.40.4-150700.4.10.1 updated
- glibc-locale-base-2.38-150600.14.46.1 updated
- libfreebl3-3.112.3-150400.3.63.1 updated
- libgif7-5.2.2-150000.4.19.1 updated
- libgomp1-15.2.0+git10201-150000.1.9.1 updated
- libipa_hbac0-2.10.2-150700.9.25.1 updated
- libitm1-15.2.0+git10201-150000.1.9.1 updated
- liblsan0-15.2.0+git10201-150000.1.9.1 updated
- libopenssl1_1-1.1.1w-150700.11.16.1 updated
- libpng16-16-1.6.40-150600.3.17.1 updated
- libpq5-18.3-150600.13.8.1 updated
- libquadmath0-15.2.0+git10201-150000.1.9.1 updated
- libsss_idmap0-2.10.2-150700.9.25.1 updated
- libsss_nss_idmap0-2.10.2-150700.9.25.1 updated
- libxslt1-1.1.34-150400.3.16.1 updated
- patch-2.7.6-150000.5.9.1 updated
- python311-base-3.11.15-150600.3.53.1 updated
- libpython3_11-1_0-3.11.15-150600.3.53.1 updated
- release-notes-multi-linux-manager-5.1.3-150700.5.20.1 updated
- sudo-1.9.15p5-150600.3.15.1 updated
- susemanager-schema-utility-5.1.17-150700.3.16.1 updated
- uyuni-config-modules-5.1.24-150700.3.26.1 updated
- vim-data-common-9.2.0110-150500.20.43.1 updated
- glibc-locale-2.38-150600.14.46.1 updated
- libavahi-client3-0.8-150600.15.15.1 updated
- libtcnative-1-0-1.3.7-150600.16.3.1 updated
- libpython3_6m1_0-3.6.15-150300.10.109.1 updated
- python3-base-3.6.15-150300.10.109.1 updated
- python3-3.6.15-150300.10.109.1 updated
- python3-curses-3.6.15-150300.10.109.1 updated
- postgresql16-16.13-150600.16.30.1 updated
- libgit2-1_7-1.7.2-150600.3.6.1 updated
- libsss_certmap0-2.10.2-150700.9.25.1 updated
- bind-utils-9.20.21-150700.3.18.1 updated
- libxslt-tools-1.1.34-150400.3.16.1 updated
- iproute2-6.4-150600.7.12.1 updated
- glibc-devel-2.38-150600.14.46.1 updated
- mozilla-nss-certs-3.112.3-150400.3.63.1 updated
- python311-3.11.15-150600.3.53.1 updated
- susemanager-docs_en-5.1-150700.10.9.1 updated
- spacewalk-java-lib-5.1.24-150700.3.16.8 updated
- golang-github-prometheus-node_exporter-1.9.1-150100.3.38.1 updated
- shim-16.1-150300.4.31.3 updated
- vim-9.2.0110-150500.20.43.1 updated
- apache2-prefork-2.4.66-150700.4.15.1 updated
- libgnutls30-3.8.3-150600.4.17.1 updated
- python3-pyasn1-0.4.2-150000.3.16.1 updated
- mozilla-nss-3.112.3-150400.3.63.1 updated
- libsoftokn3-3.112.3-150400.3.63.1 updated
- python311-pyasn1-0.5.0-150400.12.13.1 updated
- susemanager-docs_en-pdf-5.1-150700.10.9.1 updated
- susemanager-schema-5.1.17-150700.3.16.1 updated
- susemanager-sync-data-5.1.8-150700.3.9.1 updated
- apache2-2.4.66-150700.4.15.1 updated
- grub2-2.12-150700.19.29.1 updated
- grub2-i386-pc-2.12-150700.19.29.1 updated
- libvirt-libs-11.0.0-150700.4.19.1 updated
- spacewalk-backend-sql-postgresql-5.1.16-150700.3.9.8 updated
- sssd-ldap-2.10.2-150700.9.25.1 updated
- sssd-2.10.2-150700.9.25.1 updated
- sssd-krb5-common-2.10.2-150700.9.25.1 updated
- libnm0-1.44.2-150600.3.7.1 updated
- susemanager-build-keys-15.5.3-150700.5.11.1 updated
- grub2-x86_64-efi-2.12-150700.19.29.1 updated
- grub2-powerpc-ieee1275-2.12-150700.19.29.1 updated
- grub2-arm64-efi-2.12-150700.19.29.1 updated
- spacecmd-5.1.13-150700.3.9.1 updated
- sssd-krb5-2.10.2-150700.9.25.1 updated
- sssd-dbus-2.10.2-150700.9.25.1 updated
- python3-sssd-config-2.10.2-150700.9.25.1 updated
- sssd-ad-2.10.2-150700.9.25.1 updated
- typelib-1_0-NM-1_0-1.44.2-150600.3.7.1 updated
- tomcat-servlet-4_0-api-9.0.115-150200.102.1 updated
- tomcat-el-3_0-api-9.0.115-150200.102.1 updated
- mchange-commons-0.2.20-150400.3.3.1 updated
- spacewalk-base-minimal-5.1.19-150700.3.14.12 updated
- susemanager-build-keys-web-15.5.3-150700.5.11.1 updated
- sssd-tools-2.10.2-150700.9.25.1 updated
- sssd-ipa-2.10.2-150700.9.25.1 updated
- tomcat-jsp-2_3-api-9.0.115-150200.102.1 updated
- c3p0-0.9.5.5-150400.3.5.1 updated
- netty-4.1.132-150200.4.43.1 updated
- python311-pyOpenSSL-23.2.0-150400.3.13.1 updated
- spacewalk-base-minimal-config-5.1.19-150700.3.14.12 updated
- perl-XML-Parser-2.44-150000.3.3.1 updated
- python3-PyJWT-2.4.0-150200.3.11.1 updated
- tomcat-lib-9.0.115-150200.102.1 updated
- python3-urllib3-1.25.10-150300.4.24.1 updated
- spacewalk-base-5.1.19-150700.3.14.12 updated
- spacewalk-backend-5.1.16-150700.3.9.8 updated
- salt-3006.0-150700.14.15.6 updated
- python311-salt-3006.0-150700.14.15.6 updated
- subscription-matcher-0.43-150700.3.3.1 updated
- fence-agents-4.13.1+git.1704296072.32469f29-150600.3.32.1 updated
- spacewalk-backend-sql-5.1.16-150700.3.9.8 updated
- python3-spacewalk-certs-tools-5.1.11-150700.3.13.1 updated
- spacewalk-certs-tools-5.1.11-150700.3.13.1 updated
- salt-master-3006.0-150700.14.15.6 updated
- tomcat-9.0.115-150200.102.1 updated
- spacewalk-backend-server-5.1.16-150700.3.9.8 updated
- salt-api-3006.0-150700.14.15.6 updated
- spacewalk-java-postgresql-5.1.24-150700.3.16.8 updated
- spacewalk-java-config-5.1.24-150700.3.16.8 updated
- spacewalk-backend-xmlrpc-5.1.16-150700.3.9.8 updated
- spacewalk-backend-xml-export-libs-5.1.16-150700.3.9.8 updated
- spacewalk-backend-package-push-server-5.1.16-150700.3.9.8 updated
- spacewalk-backend-app-5.1.16-150700.3.9.8 updated
- spacewalk-taskomatic-5.1.24-150700.3.16.8 updated
- spacewalk-java-5.1.24-150700.3.16.8 updated
- spacewalk-html-5.1.19-150700.3.14.12 updated
- billing-data-service-5.1.4-150700.3.6.1 updated
- susemanager-tools-5.1.15-150700.3.9.1 updated
- spacewalk-backend-tools-5.1.16-150700.3.9.8 updated
- spacewalk-admin-5.1.8-150700.3.9.1 updated
- susemanager-sls-5.1.24-150700.3.26.1 updated
- saltboot-formula-1.0.0-150700.3.6.1 updated
- susemanager-5.1.15-150700.3.9.1 updated
- spacewalk-utils-5.1.9-150700.3.9.1 updated
- container:bci-bci-init-15.7-84d04f73f0961e261d36a2f22c44433b417ac0bce354e5b1b89063270453d785-0 updated
- libwayland-client0-1.23.1-150700.1.3 removed

