SUSE-IU-2026:5404-1: Security update of suse-sles-15-sp4-chost-byos-v20260701-x86_64-gen2
sle-container-updates at lists.suse.com
sle-container-updates at lists.suse.com
Fri Jul 3 07:03:18 UTC 2026
SUSE Image Update Advisory: suse-sles-15-sp4-chost-byos-v20260701-x86_64-gen2
-----------------------------------------------------------------
Image Advisory ID : SUSE-IU-2026:5404-1
Image Tags : suse-sles-15-sp4-chost-byos-v20260701-x86_64-gen2:20260701
Image Release :
Severity : important
Type : security
References : 1158038 1204562 1239718 1246504 1247948 1249435 1252744 1253193
1253740 1254324 1255416 1257068 1257235 1257882 1258193 1258538
1259311 1259327 1259642 1259706 1259802 1259842 1260296 1260531
1261206 1261427 1261430 1261441 1261546 1261606 1261700 1261833
1261900 1262043 1262395 1262464 1262465 1262663 1262948 1262993
1263366 1263367 1263769 1263790 1263879 1263880 1263940 1263995
1264066 1264076 1264093 1264116 1264470 1264551 1264568 1264610
1264706 1264707 1264708 1264965 1265221 1265223 1265267 1265349
1265360 1265450 1265591 1265592 1265594 1265794 1265935 1265938
1266001 1266009 1266039 1266214 1266238 1266290 1266340 1266341
1266342 1266349 1266357 1266640 1266711 1266798 1266799 1266800
1266801 1266802 1266901 1266952 1266953 1266955 1266969 1267189
1267205 1267214 1267220 1267361 1267369 1267381 1267387 1267389
1267426 1267621 1267640 1267652 1267697 1267874 1268012 1268013
1268322 CVE-2024-58251 CVE-2025-10263 CVE-2025-54518 CVE-2025-68324
CVE-2026-11822 CVE-2026-11824 CVE-2026-12505 CVE-2026-23392 CVE-2026-24401
CVE-2026-25707 CVE-2026-27456 CVE-2026-3039 CVE-2026-31405 CVE-2026-31473
CVE-2026-31500 CVE-2026-31613 CVE-2026-31629 CVE-2026-31697 CVE-2026-31698
CVE-2026-31699 CVE-2026-31758 CVE-2026-31759 CVE-2026-33186 CVE-2026-33814
CVE-2026-33948 CVE-2026-34180 CVE-2026-34933 CVE-2026-3497 CVE-2026-34986
CVE-2026-35385 CVE-2026-35388 CVE-2026-35414 CVE-2026-3592 CVE-2026-39821
CVE-2026-39881 CVE-2026-40355 CVE-2026-40356 CVE-2026-4046 CVE-2026-42307
CVE-2026-42487 CVE-2026-42488 CVE-2026-42489 CVE-2026-42490 CVE-2026-42766
CVE-2026-43037 CVE-2026-43077 CVE-2026-43198 CVE-2026-43206 CVE-2026-43499
CVE-2026-43501 CVE-2026-43961 CVE-2026-44431 CVE-2026-44656 CVE-2026-44932
CVE-2026-44933 CVE-2026-44941 CVE-2026-44942 CVE-2026-45130 CVE-2026-45447
CVE-2026-45852 CVE-2026-45970 CVE-2026-45984 CVE-2026-46021 CVE-2026-46037
CVE-2026-46043 CVE-2026-46113 CVE-2026-46116 CVE-2026-46120 CVE-2026-46123
CVE-2026-46150 CVE-2026-46159 CVE-2026-46197 CVE-2026-46227 CVE-2026-46243
CVE-2026-46483 CVE-2026-48522 CVE-2026-48523 CVE-2026-48524 CVE-2026-48525
CVE-2026-48526 CVE-2026-48863 CVE-2026-5450 CVE-2026-5704 CVE-2026-5928
CVE-2026-5946 CVE-2026-6893 CVE-2026-7383 CVE-2026-9076 CVE-2026-9149
CVE-2026-9150
-----------------------------------------------------------------
The container suse-sles-15-sp4-chost-byos-v20260701-x86_64-gen2 was updated. The following patches have been included in this update:
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2026:2277-1
Released: Fri Jun 5 10:59:09 2026
Summary: Recommended update for timezone
Type: recommended
Severity: important
References: 1264965
This update for timezone fixes the following issues:
- Update to 2026b:
* British Columbia moved to permanent -07 on 2026-03-09. (bsc#1264965)
* Some more overflow bugs have been fixed in zic.
- Update to 2026a:
* Moldova has used EU transition times since 2022.
* The 'right' TZif files are no longer installed by default.
* -DTZ_RUNTIME_LEAPS=0 disables runtime support for leap seconds.
* TZif files are no longer limited to 50 bytes of abbreviations.
* zic is no longer limited to 50 leap seconds.
* Several integer overflow bugs have been fixed.
- Update to 2025c:
* Update Baja California DST rules in 1953, 1961-1975
* An unset TZ is no longer invalid when /etc/localtime is
missing, and is abbreviated 'UTC' not '-00'. This reverts to 2024b behavior
* tzset etc. are now more cautious about questionable TZ settings.
* tzset etc. now treat ' ' like '_' in time zone abbreviations
* tzfree now preserves errno, consistently with POSIX.1-2024 'free'.
* zic has new options inspired by FreeBSD.
* multiple changes visible to developers
- Use 'REDO=posix_right' to keep installing 'right' TZif files.
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:2283-1
Released: Fri Jun 5 14:14:57 2026
Summary: Security update for jq
Type: security
Severity: moderate
References: 1262043,CVE-2026-33948
This update for jq fixes the following issue
- CVE-2026-33948: CLI input parsing may allow validation bypass via embedded NUL bytes (bsc#1262043)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:2311-1
Released: Tue Jun 9 13:05:23 2026
Summary: Security update for avahi
Type: security
Severity: moderate
References: 1257235,1261546,CVE-2026-24401,CVE-2026-34933
This update for avahi fixes the following issue:
- CVE-2026-24401: uncontrolled recursion in `lookup_handle_cname` can crash the `avahi-daemon` (bsc#1257235).
- CVE-2026-34933: reachable assertion in `transport_flags_from_domain` can crash the `avahi-daemon` (bsc#1261546).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:2313-1
Released: Tue Jun 9 14:50:30 2026
Summary: Security update for vim
Type: security
Severity: important
References: 1261833,1262395,1264706,1264707,1264708,1265349,1265360,CVE-2026-39881,CVE-2026-42307,CVE-2026-43961,CVE-2026-44656,CVE-2026-45130,CVE-2026-46483
This update for vim fixes the following issues
- CVE-2026-39881: command injection in NetBeans interface can lead to arbitrary file reads and writes (bsc#1261833).
- CVE-2026-42307: Prior to version 9.2.0383, an OS command injection vulnerability exists in the netrw standard plugin
bundled with Vim (bsc#1264706).
- CVE-2026-43961: Vimscript Code Injection in netrw NetrwMarkFile() via crafted filename (bsc#1265349).
- CVE-2026-44656: Prior to version 9.2.0435, an OS command injection vulnerability exists in Vim's: find command-line
completion (bsc#1264707).
- CVE-2026-45130: Prior to version 9.2.0450, a heap buffer overflow exists in read_compound() in src/spellfile.c when
loading a crafted spell file (.spl) with UTF-8 encoding active (bsc#1264708).
- CVE-2026-46483: command injection via ` tar#Vimuntar()` in `runtime/autoload/tar.vim` when decompressing `.tgz`
archives on Unix-like systems (bsc#1265360).
Changes for vim:
- Update to v9.2.0530.
- Fix for incorrectly detecting scientific parameter files as bitbake recipies. (bsc#1262395)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:2333-1
Released: Wed Jun 10 10:41:58 2026
Summary: Security update for glibc
Type: security
Severity: important
References: 1261206,1262464,1262465,CVE-2026-4046,CVE-2026-5450,CVE-2026-5928
This update for glibc fixes the following issues
- CVE-2026-4046: assertion failure when converting inputs may be used to remotely crash an application (bsc#1261206).
- CVE-2026-5450: stdio-common: scanf %mc pattern will cause heap overflow when width > 1024 (bsc#1262465).
- CVE-2026-5928: libio: ungetwc could be used to leak data on special conditions (bsc#1262464).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:2354-1
Released: Wed Jun 10 16:55:33 2026
Summary: Security update for wicked
Type: security
Severity: important
References: 1265221,CVE-2026-44932
This update for wicked fixes the following issues:
- CVE-2026-44932: Fixed indirect remote shell command injection via unsanitized DHCP options (bsc#1265221).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2026:2356-1
Released: Wed Jun 10 18:40:21 2026
Summary: Recommended update for dracut
Type: recommended
Severity: moderate
References: 1263940
This update for dracut fixes the following issues:
- Update to version 055+suse.363.gea2753a:
* fix(systemd): explicitly install /bin/bash (bsc#1263940)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:2375-1
Released: Thu Jun 11 18:05:37 2026
Summary: Security update for openssh
Type: security
Severity: important
References: 1259642,1261427,1261430,1261441,1264568,CVE-2026-3497,CVE-2026-35385,CVE-2026-35388,CVE-2026-35414
This update for openssh fixes the following issues
- CVE-2026-3497: information disclosure or denial of service due to uninitialized variables (bsc#1259642).
- CVE-2026-35385: a file downloaded by scp may be installed setuid or setgid (bsc#1261427).
- CVE-2026-35388: omitted connection multiplexing confirmation for proxy-mode multiplexing sessions (bsc#1261441).
- CVE-2026-35414: mishandling of authorized_keys principals option (bsc#1261430).
- potential security issue when validating mac (bsc#1264568).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2026:2382-1
Released: Fri Jun 12 10:07:34 2026
Summary: Recommended update for hwdata
Type: recommended
Severity: moderate
References:
This update for hwdata fixes the following issues:
- update to version 0.406:
* Update pci and vendor ids
- update to version 0.405:
* Update pci and vendor ids
- Update to version 0.397:
* Update pci and vendor ids
- Update to version 0.395:
* Update pci and vendor ids
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:2383-1
Released: Fri Jun 12 11:14:06 2026
Summary: Security update for the Linux Kernel
Type: security
Severity: important
References: 1261700,1263790,1263995,1264093,1264551,1266001,1266009,1266238,1266711,1266901,1266969,1267205,1267220,CVE-2026-31405,CVE-2026-31629,CVE-2026-31758,CVE-2026-43037,CVE-2026-43206,CVE-2026-43499,CVE-2026-43501,CVE-2026-45852,CVE-2026-45970,CVE-2026-46021,CVE-2026-46043,CVE-2026-46113,CVE-2026-46243
The SUSE Linux Enterprise 15 SP4 kernel was updated to fix various security issues
The following security issues were fixed:
- CVE-2026-31405: media: dvb-net: fix OOB access in ULE extension header tables (bsc#1261700).
- CVE-2026-31629: nfc: llcp: add missing return after LLCP_CLOSED checks (bsc#1263790).
- CVE-2026-31758: usb: usbtmc: Flush anchored URBs in usbtmc_release (bsc#1264093).
- CVE-2026-43037: ip6_tunnel: clear skb2->cb in ip4ip6_err() (bsc#1263995).
- CVE-2026-43206: drm/amdkfd: Fix out-of-bounds write in kfd_event_page_set() (bsc#1264551).
- CVE-2026-43499: rtmutex: Use waiter::task instead of current in remove_waiter() (bsc#1266001).
- CVE-2026-43501: ipv6: rpl: reserve mac_len headroom when recompressed SRH grows (bsc#1266009).
- CVE-2026-45852: RDMA/rxe: Fix double free in rxe_srq_from_init (bsc#1266711).
- CVE-2026-45970: bonding: alb: fix UAF in rlb_arp_recv during bond up/down (bsc#1267205).
- CVE-2026-46021: thermal: core: Fix thermal zone governor cleanup issues (bsc#1267220).
- CVE-2026-46043: RDMA/rxe: Validate pad and ICRC before payload_size() in rxe_rcv (bsc#1266901).
- CVE-2026-46113: KVM: x86: Fix shadow paging use-after-free due to unexpected GFN (bsc#1266969).
- CVE-2026-46243: smb: client: reject userspace cifs.spnego descriptions (bsc#1266238).
The following non security issues were fixed:
- arm64: tlb: Allow XZR argument to TLBI ops (git-fixes).
- arm64: tlb: Optimize ARM64_WORKAROUND_REPEAT_TLBI (git-fixes).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:2414-1
Released: Tue Jun 16 14:21:30 2026
Summary: Security update for runc
Type: security
Severity: important
References:
This update for runc rebuilds it against the current go security release.
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2026:2434-1
Released: Wed Jun 17 16:40:10 2026
Summary: Recommended update for coreutils
Type: recommended
Severity: important
References: 1259327
This update for coreutils fixes the following issues:
- proc: Use affinity mask even on systems with more than 1024 CPUs (bsc#1259327)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:2449-1
Released: Thu Jun 18 14:52:09 2026
Summary: Security update for krb5
Type: security
Severity: moderate
References: 1263366,1263367,CVE-2026-40355,CVE-2026-40356
This update for krb5 fixes the following issues
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:2486-1
Released: Mon Jun 22 14:07:07 2026
Summary: Security update for python-urllib3
Type: security
Severity: important
References: 1265267,CVE-2026-44431
This update for python-urllib3 fixes the following issue
- CVE-2026-44431: sensitive information disclosure due to sensitive headers being forwarded across origins in proxied
low-level redirects (bsc#1265267).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:2528-1
Released: Tue Jun 23 11:06:07 2026
Summary: Security update for sqlite3
Type: security
Severity: important
References: 1268012,1268013,CVE-2026-11822,CVE-2026-11824
This update for sqlite3 fixes the following issues
Update to 3.53.2:
- CVE-2026-11822: memory corruption vulnerabilities in the FTS5 full-text search extension that allow attackers to cause
process crashes, memory exhaustion, or arbitrary code execution (bsc#1268012).
- CVE-2026-11824: heap-based buffer overflow vulnerability in the FTS5 full-text search extension that allows attackers
to cause a crash or execute arbitrary code (bsc#1268013).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:2613-1
Released: Wed Jun 24 11:01:35 2026
Summary: Security update for xen
Type: security
Severity: important
References: 1264066,1266952,1266953,1266955,CVE-2025-54518,CVE-2026-42487,CVE-2026-42488,CVE-2026-42489,CVE-2026-42490
This update for xen fixes the following issues
- CVE-2025-54518: AMD-SN-7052: CPU OP Cache Corruption (bsc#1264066).
- CVE-2026-42487: x86 HVM I/O port list traversal (bsc#1266952).
- CVE-2026-42488: x86: mismatched mapcache metadata (bsc#1266955).
- CVE-2026-42489,CVE-2026-42490: domctl lock open to abuse (bsc#1266953).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:2614-1
Released: Wed Jun 24 11:02:07 2026
Summary: Security update for openssl-1_1
Type: security
Severity: important
References: 1266340,1266341,1266342,1266349,1266357,CVE-2026-34180,CVE-2026-42766,CVE-2026-45447,CVE-2026-7383,CVE-2026-9076
This update for openssl-1_1 fixes the following issues:
- CVE-2026-45447: Heap Use-After-Free in OpenSSL PKCS7_verify() (bsc#1266357).
- CVE-2026-42766: Possible NULL Dereference in Password-Based CMS Decryption (bsc#1266349).
- CVE-2026-9076: Out-of-Bounds Read in CMS Password-Based Decryption (bsc#1266341).
- CVE-2026-7383: Possible Heap Buffer Overflow in ASN.1 Multibyte String Conversion (bsc#1266340).
- CVE-2026-34180: Heap Buffer Over-read in ASN.1 Content Parsing (bsc#1266342).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:2617-1
Released: Wed Jun 24 11:03:27 2026
Summary: Security update for bind
Type: security
Severity: important
References: 1265591,1265592,1265594,CVE-2026-3039,CVE-2026-3592,CVE-2026-5946
This update for bind fixes the following issues:
- CVE-2026-3592: Amplification vulnerabilities via self-pointed glue records (bsc#1265592).
- CVE-2026-3039: BIND 9 server memory exhaustion during GSS-API TKEY negotiation (bsc#1265591).
- CVE-2026-5946: Invalid handling of CLASS != IN (bsc#1265594).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:2620-1
Released: Wed Jun 24 11:04:06 2026
Summary: Security update for iproute2
Type: security
Severity: low
References: 1204562,1254324,CVE-2024-58251
This update for iproute2 fixes the following issue
- CVE-2024-58251: denial of service via terminal escape sequences (bsc#1254324).
Other updates:
- support display of bound but unconnected sockets (bsc#1204562)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:2626-1
Released: Thu Jun 25 10:10:54 2026
Summary: Security update for python-PyJWT
Type: security
Severity: important
References: 1266798,1266799,1266800,1266801,1266802,CVE-2026-48522,CVE-2026-48523,CVE-2026-48524,CVE-2026-48525,CVE-2026-48526
This update for python-PyJWT fixes the following issues
- CVE-2026-48522: `PyJWKClient` passes URI arguments directly to `urllib.request.urlopen()` and allows for SSRF and
token forgery (bsc#1266798).
- CVE-2026-48523: verifier-side algorithm allow-list bypass when `jwt.decode()` or `jwt.decode_complete()` are called
with a PyJWK key (bsc#1266799).
- CVE-2026-48524: unlimited processing of JWTs with unknown kid values by `PyJWKClient.get_signing_key()` leads to
unbounded JWKS endpoint requests and DoS (bsc#1266800).
- CVE-2026-48525: unbounded Base64URL decoding of unused payload segment in `b64=false` detached JWS allows for DoS
(bsc#1266801).
- CVE-2026-48526: no validation of use of JSON Web Keys in HMAC algorithm when decoding JSON Web Tokens allows for
forged HS256 tokens (bsc#1266802).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:2638-1
Released: Fri Jun 26 08:36:59 2026
Summary: Security update for the Linux Kernel
Type: security
Severity: important
References: 1255416,1258538,1260531,1262663,1262993,1263769,1263879,1263880,1264076,1264116,1264470,1264610,1266214,1266290,1267214,1267361,1267369,1267381,1267387,1267621,1267640,1267652,1267697,CVE-2025-10263,CVE-2025-68324,CVE-2026-23392,CVE-2026-31473,CVE-2026-31500,CVE-2026-31613,CVE-2026-31697,CVE-2026-31698,CVE-2026-31699,CVE-2026-31759,CVE-2026-43077,CVE-2026-43198,CVE-2026-45984,CVE-2026-46037,CVE-2026-46116,CVE-2026-46120,CVE-2026-46123,CVE-2026-46150,CVE-2026-46159,CVE-2026-46197,CVE-2026-46227
The SUSE Linux Enterprise 15 SP4 kernel was updated to fix various security issues
The following security issues were fixed:
- CVE-2025-10263: arm64: errata: Mitigate TLBI errata on various Arm CPUs (bsc#1266290).
- CVE-2025-68324: scsi: imm: Fix use-after-free bug caused by unfinished delayed work (bsc#1255416).
- CVE-2026-23392: netfilter: nf_tables: release flowtable after rcu grace period on error (bsc#1260531).
- CVE-2026-31473: media: mc, v4l2: serialize REINIT and REQBUFS with req_queue_mutex (bsc#1262663).
- CVE-2026-31500: Bluetooth: btintel: serialize btintel_hw_error() with hci_req_sync_lock (bsc#1262993).
- CVE-2026-31613: smb: client: fix OOB reads parsing symlink error response (bsc#1263769).
- CVE-2026-31697: crypto: ccp: Don't attempt to copy ID to userspace if PSP command failed (bsc#1264116).
- CVE-2026-31698: crypto: ccp: Don't attempt to copy PDH cert to userspace if PSP command failed (bsc#1263880).
- CVE-2026-31699: crypto: ccp: Don't attempt to copy CSR to userspace if PSP command failed (bsc#1263879).
- CVE-2026-31759: usb: ulpi: fix double free in ulpi_register_interface() error path (bsc#1264076).
- CVE-2026-43077: crypto: algif_aead - Fix minimum RX size check for decryption (bsc#1264470).
- CVE-2026-43198: tcp: fix potential race in tcp_v6_syn_recv_sock() (bsc#1264610).
- CVE-2026-45984: gfs2: Move the inode glock locking to gfs2_file_buffered_write (bsc#1267214).
- CVE-2026-46037: ipv4: icmp: validate reply type before using icmp_pointers (bsc#1267361).
- CVE-2026-46116: xfrm: defensively unhash xfrm_state lists in __xfrm_state_delete (bsc#1267369).
- CVE-2026-46120: ip6_gre: Use cached t->net in ip6erspan_changelink() (bsc#1267640).
- CVE-2026-46123: Bluetooth: virtio_bt: clamp rx length before skb_put (bsc#1267621).
- CVE-2026-46150: fanotify: fix false positive on permission events (bsc#1267387).
- CVE-2026-46159: btrfs: fix btrfs_ioctl_space_info() slot_count TOCTOU which can lead to info-leak (bsc#1267652).
- CVE-2026-46197: drm/amdkfd: validate SVM ioctl nattr against buffer size (bsc#1267381).
- CVE-2026-46227: sctp: revalidate list cursor after sctp_sendmsg_to_asoc() in SCTP_SENDALL (bsc#1267697).
The following non security issues were fixed:
- smb: client: correctly handle ErrorContextData as a flexible array (git-fixes).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:2639-1
Released: Fri Jun 26 09:04:53 2026
Summary: Security update for containerd
Type: security
Severity: important
References: 1260296,1262948,1265794,1266640,CVE-2026-33186,CVE-2026-33814,CVE-2026-34986,CVE-2026-39821
This update for containerd fixes the following issues
- CVE-2026-33186: google.golang.org/grpc: authorization bypass due to improper validation of the HTTP/2 :path pseudo-
header (bsc#1260296).
- CVE-2026-33814: golang.org/x/net/http2: infinite loop in HTTP/2 transport when given bad SETTINGS_MAX_FRAME_SIZE
(bsc#1265794).
- CVE-2026-34986: github.com/go-jose/go-jose/v3: crafted JWE input with a missing encrypted key can lead to a denial of
service (bsc#1262948).
- CVE-2026-39821: golang.org/x/net/idna: failure to reject ASCII-only Punycode-encoded labels allows for validation
bypass and privilege escalation (bsc#1266640).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:2653-1
Released: Fri Jun 26 14:22:17 2026
Summary: Security update for util-linux
Type: security
Severity: moderate
References: 1261606,CVE-2026-27456
This update for util-linux fixes the following issue
- CVE-2026-27456: TOCTOU in the mount program when setting up loop devices (bsc#1261606).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:2674-1
Released: Mon Jun 29 11:36:33 2026
Summary: Security update for libsolv, libzypp, zypper
Type: security
Severity: important
References: 1158038,1239718,1246504,1247948,1249435,1252744,1253193,1253740,1257068,1257882,1258193,1259311,1259706,1259802,1259842,1265223,1265935,1265938,1266039,1267426,1267874,CVE-2026-25707,CVE-2026-44933,CVE-2026-44941,CVE-2026-44942,CVE-2026-48863,CVE-2026-9149,CVE-2026-9150
This update for libsolv, libzypp, zypper fixes the following issues
- CVE-2026-9149: Heap buffer overflow in libsolv repo_add_solv via negative maxsize from crafted .solv file
(bsc#1265935).
- CVE-2026-9150: Stack-based buffer overflow in libsolv's Debian metadata parser when handling SHA384/SHA512 checksums
(bsc#1265938).
- CVE-2026-25707: Handcrafted repo metadata may cause arbitrary local files to be overwritten (bsc#1259802).
- CVE-2026-44933: scan of the Mandatory signature verification plugin support (bsc#1265223).
- CVE-2026-44941: path traversal via 'keyhint' (bsc#1267426).
- CVE-2026-44942: .repo files can have an optional path which can lead to path traversal attacks (bsc#1267874).
- CVE-2026-48863: Fix buffer overflow when parsing EdDSA signature (bsc#1266039).
Changes in libzypp:
Updated to version 17.38.13 (35):
- A .repo files 'path=' entry must not refer to a location
outside the repo (bsc#1267874, CVE-2026-44942)
A 'path=' entry may solely denote a sub-directory of the baseurl
where the metadata are located. A relative path trying to access
data outside the baseurl is reported and sanitized.
- Fix potential crash on malformed or malicious repository
metadata (fixes #740)
- Repo metadata: discard entries referring to a location outside
the repo (bsc#1259802, CVE-2026-25707)
Mirroring those data locally would refer to a location outside
the repo's local cache directory. Those data entries are reported
and discarded.
- zypp.conf: Allow [env] section to add environment variables.
This feature is designed to enable environment-specific settings
or debugging options over an extended period. See zypp.conf(5).
- Prevent configured scripts from escaping the sigcheck directory
(bsc#1265223, CVE-2026-44933)
- StringV: guard hasPrefix/hasPrefixCI against reading past the
view end (fixes #735)
- Mandatory signature verification plugin support (PED#11922)
- Fix purge-kernel -rc kernel handling (bsc#1239718)
- Explicitly_set_pool_DISTTYPE_RPM (fixes #726)
- Check for trusted key updates when updating the general keyring
(bsc#1259706)
- Support multiple MirroredOrigin authorities (bsc#1253193)
- Workaround doxygen bug: doxygen/doxygen#12057
- libzypp.spec: Add missing graphviz-gd BuildRequires (boo#1259842)
- Fix preloader not caching packages from arch specific subrepos
(bsc#1253740)
- Deprioritize invalid mirrors (fixes openSUSE/zypper#636)
- Fix Product::referencePackage lookup (bsc#1259311)
Use a provided autoproduct() as hint to the package name of the
release package. It might be that not just multiple versions of
the same release package provide the same product version, but
also different release packages.
- specfile: on fedora use %{_prefix}/share as zyppconfdir if
%{_distconfdir} is undefined (fixes #693)
This will set '-DZYPPCONFDIR=%{zyppconfdir}' for cmake.
- Fall back to a writable location when precaching packages
without root (bsc#1247948)
- Prepare a legacy /etc/zypp/zypp.conf to be installed on old distros.
See the ZYPP.CONF(5) man page for details.
- Fix runtime check for broken rpm --runposttrans (bsc#1257068)
- Avoid libcurl-mini4 when building as it does not support ftp
protocol.
- Translation: updated .pot file.
- zypp.conf: follow the UAPI configuration file specification
(PED-14658)
In short terms it means we will no longer ship an
/etc/zypp/zypp.conf, but store our own defaults in
/usr/etc/zypp/zypp.conf. The systems administrator may choose to
keep a full copy in /etc/zypp/zypp.conf ignoring our config file
settings completely, or - the preferred way - to overwrite
specific settings via /etc/zypp/zypp.conf.d/*.conf overlay files.
See the ZYPP.CONF(5) man page for details.
- cmake: correctly detect rpm6 (fixes #689)
- Use 'zypp.tmp' as temp directory component to ease setting up
SELinux policies (bsc#1249435)
- zyppng: Update Provider to current MediaCurl2 download
approach, drop Metalink ( fixes #682 )
Changes in libsolv:
Updated to version 0.7.39:
- fix solv_chksum_free segfault when called with a NULL pointer
- made repo_add_solv more robust against corrupt files
[bsc#1265935] [CVE-2026-9149]
- fix potential buffer overflow when verifying EdDSA signatures
[bsc#1266039] [CVE-2026-48863]
- added limit checks in multiple places to catch overflows
- reduce the size of the language id cache
- fixed Debian canon selection
- fixed dbpath detection in repo_rpmdb_librpm
- reduced stack usage in repo page compression (needed for musl)
- fix parsing of sha512 checksums in debian repositories
[bsc#1265938] [CVE-2026-9150]
- improve speed of dirpool_add_dir makeing parsing of filelists.xml
twice as fast
- fix parsing of recommends in the old Mandriva synthesis format
- respect the 'default' attribute in environment optionlist in
the comps parser
- support suse namespace deps in boolean dependencies [bsc#1258193]
- support for the Elbrus2000 (e2k) architecture
- support language() suse namespace rewriting
Changes in zypper:
Update to version 1.14.98:
- Transactional systems: Delegate rw-commands to
transactional-wrapper if available (jsc#PED-13680, jsc#PED-15607)
On a transactional system where the root filesystem is mounted
read-only, zypper commands that modify the system cannot be
executed directly.
If the system provides a transactional-wrapper utility, zypper
will automatically attempt to invoke it. The wrapper
transparently executes the zypper command within a new, writable
snapshot and manages the lifecycle of that snapshot based on the
command's exit status.
On transactional systems lacking a transactional-wrapper, users
must manually invoke specialized tools -such as
transactional-update- to install, update, or remove software.
- Add --filter-version-change to zypper lu.
Adds filtering by version change significance to reduce noise in
update listings. Supports levels: rebuild (hides rebuild-only
changes) and package (hides all release-only changes).
- Autorefresh ris-services the way as plugin-services (bsc#1246504)
It's actually wrong to treat service refreshes different
depending on the service type. For the purpose of a service it
makes no difference how the data about the repos to use are
acquired.
- Report download progress for command line rpms (fixes #613)
- Hint to '-vv ref' to see the mirrors used to download the
metadata (bsc#1257882)
- Service: Allow 'zypper ls SERVICE ...' to test whether a
service with this alias is defined (bsc#1252744)
The command prints an abstract of all services passed on the
command line. It returns 3-ZYPPER_EXIT_ERR_INVALID_ARGS if some
argument does not name an existing service.
- Keep repo data when updating the service settings (bsc#1252744)
- info: Enhance pattern content table (bsc#1158038)
Alternatives (multiple packages providing the same requirement)
are now listed as a single entry in the content table. The entry
shows either the installed package which satisfies the
requirement or the requirement itself as type 'Provides'.
Listing all potential alternatives was miss leading, especially
if the alternatives were mutual exclusive. It looked like an
installed pattern had not-installed requirements and it was not
possible to install all requirements at the same time.
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:2699-1
Released: Tue Jun 30 11:19:23 2026
Summary: Security update for cifs-utils
Type: security
Severity: important
References: 1267389,CVE-2026-12505
This update for cifs-utils fixes the following issue
- CVE-2026-12505: cifs.upcall local privilege escalation via request_key-controlled namespace switch and NSS loading
(bsc#1267389).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:2714-1
Released: Tue Jun 30 14:02:53 2026
Summary: Security update for tar
Type: security
Severity: important
References: 1261900,1265450,1267189,CVE-2026-5704
This update for tar fixes the following issues
Security fixes:
- CVE-2026-5704: crafted archives can be used to to hide file injection (bsc#1261900).
Other fixes:
- Fix tar changing dir permissions temporarily even when using --no-overwrite-dir.
- Fix --dereference/-h not working properly after CVE-2025-45582 fix (bsc#1265450).
- Fix extraction failure for paths like 'a/./b' caused by the gnulib openat2
implementation (bsc#1267189).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:2720-1
Released: Wed Jul 1 15:14:47 2026
Summary: Security update for dracut
Type: security
Severity: important
References: 1268322,CVE-2026-6893
This update for dracut fixes the following issue
- CVE-2026-6893: Root code execution via DHCP options command injection (bsc#1268322).
Changes for dracut:
- Update to version 055+suse.365.g79144c5:
* fix(network-legacy): sanitize DHCP values in dhclient-script.sh (bsc#1268322, CVE-2026-6893)
* fix(network-legacy): add input validation to RFC 3442 route parser
The following package changes have been done:
- bind-utils-9.16.50-150400.5.62.1 updated
- cifs-utils-6.15-150400.3.21.1 updated
- containerd-ctr-1.7.29-150000.137.1 updated
- containerd-1.7.29-150000.137.1 updated
- coreutils-8.32-150400.9.12.1 updated
- dracut-055+suse.365.g79144c5-150400.3.49.1 updated
- glibc-locale-base-2.31-150300.101.1 updated
- glibc-locale-2.31-150300.101.1 updated
- glibc-2.31-150300.101.1 updated
- hwdata-0.406-150000.3.80.1 updated
- iproute2-5.14-150400.3.6.1 updated
- jq-1.6-150000.3.15.1 updated
- kernel-default-5.14.21-150400.24.225.2 updated
- krb5-1.19.2-150400.3.21.1 updated
- libavahi-client3-0.8-150400.7.31.2 updated
- libavahi-common3-0.8-150400.7.31.2 updated
- libblkid1-2.37.2-150400.8.47.1 updated
- libfdisk1-2.37.2-150400.8.47.1 updated
- libjq1-1.6-150000.3.15.1 updated
- libmount1-2.37.2-150400.8.47.1 updated
- libopenssl1_1-1.1.1l-150400.7.96.2 updated
- libsmartcols1-2.37.2-150400.8.47.1 updated
- libsolv-tools-base-0.7.39-150400.3.46.1 updated
- libsolv-tools-0.7.39-150400.3.46.1 updated
- libsqlite3-0-3.53.2-150000.3.42.1 updated
- libuuid1-2.37.2-150400.8.47.1 updated
- libzypp-17.38.13-150400.3.158.1 updated
- openssh-clients-8.4p1-150300.3.65.1 updated
- openssh-common-8.4p1-150300.3.65.1 updated
- openssh-server-8.4p1-150300.3.65.1 updated
- openssh-8.4p1-150300.3.65.1 updated
- openssl-1_1-1.1.1l-150400.7.96.2 updated
- python3-bind-9.16.50-150400.5.62.1 updated
- python311-PyJWT-2.8.0-150400.8.13.1 updated
- python311-urllib3-2.0.7-150400.7.30.1 updated
- runc-1.3.4-150000.96.1 updated
- tar-1.34-150000.3.42.1 updated
- timezone-2026b-150000.75.37.1 updated
- util-linux-systemd-2.37.2-150400.8.47.1 updated
- util-linux-2.37.2-150400.8.47.1 updated
- vim-data-common-9.2.0530-150000.5.94.1 updated
- vim-9.2.0530-150000.5.94.1 updated
- wicked-service-0.6.79-150400.3.39.1 updated
- wicked-0.6.79-150400.3.39.1 updated
- xen-libs-4.16.7_10-150400.4.86.2 updated
- zypper-1.14.98-150400.3.104.1 updated
More information about the sle-container-updates
mailing list