SUSE-IU-2026:5405-1: Security update of suse-sles-15-sp4-chost-byos-v20260701-hvm-ssd-x86_64

sle-container-updates at lists.suse.com sle-container-updates at lists.suse.com
Fri Jul 3 07:03:37 UTC 2026


SUSE Image Update Advisory: suse-sles-15-sp4-chost-byos-v20260701-hvm-ssd-x86_64
-----------------------------------------------------------------
Image Advisory ID : SUSE-IU-2026:5405-1
Image Tags        : suse-sles-15-sp4-chost-byos-v20260701-hvm-ssd-x86_64:20260701
Image Release     : 
Severity          : important
Type              : security
References        : 1158038 1204562 1239718 1246504 1247948 1249435 1252744 1253193
                        1253740 1254324 1255416 1257068 1257235 1257882 1258193 1258364
                        1258538 1259311 1259327 1259642 1259706 1259802 1259842 1260296
                        1260531 1261206 1261427 1261430 1261441 1261546 1261606 1261700
                        1261833 1261900 1261970 1262043 1262395 1262464 1262465 1262663
                        1262948 1262993 1263366 1263367 1263769 1263790 1263879 1263880
                        1263940 1263995 1264066 1264076 1264093 1264116 1264470 1264551
                        1264568 1264610 1264706 1264707 1264708 1264965 1265221 1265223
                        1265267 1265349 1265360 1265450 1265591 1265592 1265594 1265794
                        1265935 1265938 1266001 1266009 1266039 1266214 1266238 1266290
                        1266340 1266341 1266342 1266349 1266357 1266640 1266711 1266798
                        1266799 1266800 1266801 1266802 1266901 1266952 1266953 1266955
                        1266969 1267189 1267205 1267214 1267220 1267361 1267369 1267381
                        1267387 1267389 1267426 1267621 1267640 1267652 1267697 1267874
                        1268012 1268013 1268322 CVE-2024-58251 CVE-2025-10263 CVE-2025-54518
                        CVE-2025-68324 CVE-2026-11822 CVE-2026-11824 CVE-2026-12505 CVE-2026-23392
                        CVE-2026-24401 CVE-2026-25707 CVE-2026-27456 CVE-2026-3039 CVE-2026-31405
                        CVE-2026-31473 CVE-2026-31500 CVE-2026-31613 CVE-2026-31629 CVE-2026-31697
                        CVE-2026-31698 CVE-2026-31699 CVE-2026-31758 CVE-2026-31759 CVE-2026-33186
                        CVE-2026-33814 CVE-2026-33948 CVE-2026-34180 CVE-2026-3446 CVE-2026-34933
                        CVE-2026-3497 CVE-2026-34986 CVE-2026-35385 CVE-2026-35388 CVE-2026-35414
                        CVE-2026-3592 CVE-2026-39821 CVE-2026-39881 CVE-2026-40355 CVE-2026-40356
                        CVE-2026-4046 CVE-2026-42307 CVE-2026-42487 CVE-2026-42488 CVE-2026-42489
                        CVE-2026-42490 CVE-2026-42766 CVE-2026-43037 CVE-2026-43077 CVE-2026-43198
                        CVE-2026-43206 CVE-2026-43499 CVE-2026-43501 CVE-2026-43961 CVE-2026-44431
                        CVE-2026-44656 CVE-2026-44932 CVE-2026-44933 CVE-2026-44941 CVE-2026-44942
                        CVE-2026-45130 CVE-2026-45447 CVE-2026-45852 CVE-2026-45970 CVE-2026-45984
                        CVE-2026-46021 CVE-2026-46037 CVE-2026-46043 CVE-2026-46113 CVE-2026-46116
                        CVE-2026-46120 CVE-2026-46123 CVE-2026-46150 CVE-2026-46159 CVE-2026-46197
                        CVE-2026-46227 CVE-2026-46243 CVE-2026-46483 CVE-2026-48522 CVE-2026-48523
                        CVE-2026-48524 CVE-2026-48525 CVE-2026-48526 CVE-2026-48863 CVE-2026-5450
                        CVE-2026-5704 CVE-2026-5928 CVE-2026-5946 CVE-2026-6893 CVE-2026-7383
                        CVE-2026-9076 CVE-2026-9149 CVE-2026-9150 
-----------------------------------------------------------------

The container suse-sles-15-sp4-chost-byos-v20260701-hvm-ssd-x86_64 was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2026:2277-1
Released:    Fri Jun  5 10:59:09 2026
Summary:     Recommended update for timezone
Type:        recommended
Severity:    important
References:  1264965
This update for timezone fixes the following issues:

- Update to 2026b:
    * British Columbia moved to permanent -07 on 2026-03-09. (bsc#1264965)
    * Some more overflow bugs have been fixed in zic.
- Update to 2026a:
    * Moldova has used EU transition times since 2022.
    * The 'right' TZif files are no longer installed by default.
    * -DTZ_RUNTIME_LEAPS=0 disables runtime support for leap seconds.
    * TZif files are no longer limited to 50 bytes of abbreviations.
    * zic is no longer limited to 50 leap seconds.
    * Several integer overflow bugs have been fixed.
- Update to 2025c:
    * Update Baja California DST rules in 1953, 1961-1975
    * An unset TZ is no longer invalid when /etc/localtime is
      missing, and is abbreviated 'UTC' not '-00'. This reverts to 2024b behavior
    * tzset etc. are now more cautious about questionable TZ settings.
    * tzset etc. now treat ' ' like '_' in time zone abbreviations
    * tzfree now preserves errno, consistently with POSIX.1-2024 'free'.
    * zic has new options inspired by FreeBSD.
    * multiple changes visible to developers
- Use 'REDO=posix_right' to keep installing 'right' TZif files.

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:2283-1
Released:    Fri Jun  5 14:14:57 2026
Summary:     Security update for jq
Type:        security
Severity:    moderate
References:  1262043,CVE-2026-33948
This update for jq fixes the following issue

- CVE-2026-33948: CLI input parsing may allow validation bypass via embedded NUL bytes (bsc#1262043)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:2311-1
Released:    Tue Jun  9 13:05:23 2026
Summary:     Security update for avahi
Type:        security
Severity:    moderate
References:  1257235,1261546,CVE-2026-24401,CVE-2026-34933
This update for avahi fixes the following issue:

- CVE-2026-24401: uncontrolled recursion in `lookup_handle_cname` can crash the `avahi-daemon` (bsc#1257235).
- CVE-2026-34933: reachable assertion in `transport_flags_from_domain` can crash the `avahi-daemon` (bsc#1261546).    

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:2313-1
Released:    Tue Jun  9 14:50:30 2026
Summary:     Security update for vim
Type:        security
Severity:    important
References:  1261833,1262395,1264706,1264707,1264708,1265349,1265360,CVE-2026-39881,CVE-2026-42307,CVE-2026-43961,CVE-2026-44656,CVE-2026-45130,CVE-2026-46483
This update for vim fixes the following issues

- CVE-2026-39881: command injection in NetBeans interface can lead to arbitrary file reads and writes (bsc#1261833).
- CVE-2026-42307: Prior to version 9.2.0383, an OS command injection vulnerability exists in the netrw standard plugin
  bundled with Vim (bsc#1264706).
- CVE-2026-43961: Vimscript Code Injection in netrw NetrwMarkFile() via crafted filename (bsc#1265349).
- CVE-2026-44656: Prior to version 9.2.0435, an OS command injection vulnerability exists in Vim's: find command-line
  completion (bsc#1264707).
- CVE-2026-45130: Prior to version 9.2.0450, a heap buffer overflow exists in read_compound() in src/spellfile.c when
  loading a crafted spell file (.spl) with UTF-8 encoding active (bsc#1264708).
- CVE-2026-46483: command injection via ` tar#Vimuntar()` in `runtime/autoload/tar.vim` when decompressing `.tgz`
  archives on Unix-like systems (bsc#1265360).

Changes for vim:

- Update to v9.2.0530.
- Fix for incorrectly detecting scientific parameter files as bitbake recipies. (bsc#1262395)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:2333-1
Released:    Wed Jun 10 10:41:58 2026
Summary:     Security update for glibc
Type:        security
Severity:    important
References:  1261206,1262464,1262465,CVE-2026-4046,CVE-2026-5450,CVE-2026-5928
This update for glibc fixes the following issues

- CVE-2026-4046: assertion failure when converting inputs may be used to remotely crash an application (bsc#1261206).
- CVE-2026-5450: stdio-common: scanf %mc pattern will cause heap overflow when width > 1024 (bsc#1262465).
- CVE-2026-5928: libio: ungetwc could be used to leak data on special conditions (bsc#1262464).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:2354-1
Released:    Wed Jun 10 16:55:33 2026
Summary:     Security update for wicked
Type:        security
Severity:    important
References:  1265221,CVE-2026-44932
This update for wicked fixes the following issues:

- CVE-2026-44932: Fixed indirect remote shell command injection via unsanitized DHCP options (bsc#1265221).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2026:2356-1
Released:    Wed Jun 10 18:40:21 2026
Summary:     Recommended update for dracut
Type:        recommended
Severity:    moderate
References:  1263940
This update for dracut fixes the following issues:

- Update to version 055+suse.363.gea2753a:
  * fix(systemd): explicitly install /bin/bash (bsc#1263940)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:2375-1
Released:    Thu Jun 11 18:05:37 2026
Summary:     Security update for openssh
Type:        security
Severity:    important
References:  1259642,1261427,1261430,1261441,1264568,CVE-2026-3497,CVE-2026-35385,CVE-2026-35388,CVE-2026-35414
This update for openssh fixes the following issues

- CVE-2026-3497: information disclosure or denial of service due to uninitialized variables (bsc#1259642).
- CVE-2026-35385: a file downloaded by scp may be installed setuid or setgid (bsc#1261427).
- CVE-2026-35388: omitted connection multiplexing confirmation for proxy-mode multiplexing sessions (bsc#1261441).
- CVE-2026-35414: mishandling of authorized_keys principals option (bsc#1261430).
- potential security issue when validating mac (bsc#1264568).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2026:2382-1
Released:    Fri Jun 12 10:07:34 2026
Summary:     Recommended update for hwdata
Type:        recommended
Severity:    moderate
References:  
This update for hwdata fixes the following issues:

- update to version 0.406:
    * Update pci and vendor ids
- update to version 0.405:
    * Update pci and vendor ids
- Update to version 0.397:
    * Update pci and vendor ids
- Update to version 0.395:
    * Update pci and vendor ids

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:2383-1
Released:    Fri Jun 12 11:14:06 2026
Summary:     Security update for the Linux Kernel
Type:        security
Severity:    important
References:  1261700,1263790,1263995,1264093,1264551,1266001,1266009,1266238,1266711,1266901,1266969,1267205,1267220,CVE-2026-31405,CVE-2026-31629,CVE-2026-31758,CVE-2026-43037,CVE-2026-43206,CVE-2026-43499,CVE-2026-43501,CVE-2026-45852,CVE-2026-45970,CVE-2026-46021,CVE-2026-46043,CVE-2026-46113,CVE-2026-46243

The SUSE Linux Enterprise 15 SP4 kernel was updated to fix various security issues

The following security issues were fixed:

- CVE-2026-31405: media: dvb-net: fix OOB access in ULE extension header tables (bsc#1261700).
- CVE-2026-31629: nfc: llcp: add missing return after LLCP_CLOSED checks (bsc#1263790).
- CVE-2026-31758: usb: usbtmc: Flush anchored URBs in usbtmc_release (bsc#1264093).
- CVE-2026-43037: ip6_tunnel: clear skb2->cb in ip4ip6_err() (bsc#1263995).
- CVE-2026-43206: drm/amdkfd: Fix out-of-bounds write in kfd_event_page_set() (bsc#1264551).
- CVE-2026-43499: rtmutex: Use waiter::task instead of current in remove_waiter() (bsc#1266001).
- CVE-2026-43501: ipv6: rpl: reserve mac_len headroom when recompressed SRH grows (bsc#1266009).
- CVE-2026-45852: RDMA/rxe: Fix double free in rxe_srq_from_init (bsc#1266711).
- CVE-2026-45970: bonding: alb: fix UAF in rlb_arp_recv during bond up/down (bsc#1267205).
- CVE-2026-46021: thermal: core: Fix thermal zone governor cleanup issues (bsc#1267220).
- CVE-2026-46043: RDMA/rxe: Validate pad and ICRC before payload_size() in rxe_rcv (bsc#1266901).
- CVE-2026-46113: KVM: x86: Fix shadow paging use-after-free due to unexpected GFN (bsc#1266969).
- CVE-2026-46243: smb: client: reject userspace cifs.spnego descriptions (bsc#1266238).

The following non security issues were fixed:

- arm64: tlb: Allow XZR argument to TLBI ops (git-fixes).
- arm64: tlb: Optimize ARM64_WORKAROUND_REPEAT_TLBI (git-fixes).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:2414-1
Released:    Tue Jun 16 14:21:30 2026
Summary:     Security update for runc
Type:        security
Severity:    important
References:  

This update for runc rebuilds it against the current go security release.

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2026:2434-1
Released:    Wed Jun 17 16:40:10 2026
Summary:     Recommended update for coreutils
Type:        recommended
Severity:    important
References:  1259327
This update for coreutils fixes the following issues:

- proc: Use affinity mask even on systems with more than 1024 CPUs (bsc#1259327)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:2449-1
Released:    Thu Jun 18 14:52:09 2026
Summary:     Security update for krb5
Type:        security
Severity:    moderate
References:  1263366,1263367,CVE-2026-40355,CVE-2026-40356
This update for krb5 fixes the following issues



-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:2486-1
Released:    Mon Jun 22 14:07:07 2026
Summary:     Security update for python-urllib3
Type:        security
Severity:    important
References:  1265267,CVE-2026-44431
This update for python-urllib3 fixes the following issue

- CVE-2026-44431: sensitive information disclosure due to sensitive headers being forwarded across origins in proxied
  low-level redirects (bsc#1265267).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:2528-1
Released:    Tue Jun 23 11:06:07 2026
Summary:     Security update for sqlite3
Type:        security
Severity:    important
References:  1268012,1268013,CVE-2026-11822,CVE-2026-11824
This update for sqlite3 fixes the following issues

Update to 3.53.2:

- CVE-2026-11822: memory corruption vulnerabilities in the FTS5 full-text search extension that allow attackers to cause
  process crashes, memory exhaustion, or arbitrary code execution (bsc#1268012).
- CVE-2026-11824: heap-based buffer overflow vulnerability in the FTS5 full-text search extension that allows attackers
  to cause a crash or execute arbitrary code (bsc#1268013).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:2613-1
Released:    Wed Jun 24 11:01:35 2026
Summary:     Security update for xen
Type:        security
Severity:    important
References:  1264066,1266952,1266953,1266955,CVE-2025-54518,CVE-2026-42487,CVE-2026-42488,CVE-2026-42489,CVE-2026-42490
This update for xen fixes the following issues

- CVE-2025-54518: AMD-SN-7052: CPU OP Cache Corruption (bsc#1264066).
- CVE-2026-42487: x86 HVM I/O port list traversal (bsc#1266952).
- CVE-2026-42488: x86: mismatched mapcache metadata (bsc#1266955).
- CVE-2026-42489,CVE-2026-42490: domctl lock open to abuse (bsc#1266953).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:2614-1
Released:    Wed Jun 24 11:02:07 2026
Summary:     Security update for openssl-1_1
Type:        security
Severity:    important
References:  1266340,1266341,1266342,1266349,1266357,CVE-2026-34180,CVE-2026-42766,CVE-2026-45447,CVE-2026-7383,CVE-2026-9076
This update for openssl-1_1 fixes the following issues:

- CVE-2026-45447: Heap Use-After-Free in OpenSSL PKCS7_verify() (bsc#1266357).
- CVE-2026-42766: Possible NULL Dereference in Password-Based CMS Decryption (bsc#1266349).
- CVE-2026-9076:  Out-of-Bounds Read in CMS Password-Based Decryption (bsc#1266341).
- CVE-2026-7383:  Possible Heap Buffer Overflow in ASN.1 Multibyte String Conversion (bsc#1266340).
- CVE-2026-34180: Heap Buffer Over-read in ASN.1 Content Parsing (bsc#1266342).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:2617-1
Released:    Wed Jun 24 11:03:27 2026
Summary:     Security update for bind
Type:        security
Severity:    important
References:  1265591,1265592,1265594,CVE-2026-3039,CVE-2026-3592,CVE-2026-5946
This update for bind fixes the following issues:

- CVE-2026-3592: Amplification vulnerabilities via self-pointed glue records (bsc#1265592).
- CVE-2026-3039: BIND 9 server memory exhaustion during GSS-API TKEY negotiation (bsc#1265591).
- CVE-2026-5946: Invalid handling of CLASS != IN (bsc#1265594).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:2620-1
Released:    Wed Jun 24 11:04:06 2026
Summary:     Security update for iproute2
Type:        security
Severity:    low
References:  1204562,1254324,CVE-2024-58251
This update for iproute2 fixes the following issue

- CVE-2024-58251: denial of service via terminal escape sequences (bsc#1254324).

Other updates:

- support display of bound but unconnected sockets (bsc#1204562)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:2626-1
Released:    Thu Jun 25 10:10:54 2026
Summary:     Security update for python-PyJWT
Type:        security
Severity:    important
References:  1266798,1266799,1266800,1266801,1266802,CVE-2026-48522,CVE-2026-48523,CVE-2026-48524,CVE-2026-48525,CVE-2026-48526
This update for python-PyJWT fixes the following issues

- CVE-2026-48522: `PyJWKClient` passes URI arguments directly to `urllib.request.urlopen()` and allows for SSRF and
  token forgery (bsc#1266798).
- CVE-2026-48523: verifier-side algorithm allow-list bypass when `jwt.decode()` or `jwt.decode_complete()` are called
  with a PyJWK key (bsc#1266799).
- CVE-2026-48524: unlimited processing of JWTs with unknown kid values by `PyJWKClient.get_signing_key()` leads to
  unbounded JWKS endpoint requests and DoS (bsc#1266800).
- CVE-2026-48525: unbounded Base64URL decoding of unused payload segment in `b64=false` detached JWS allows for DoS
  (bsc#1266801).
- CVE-2026-48526: no validation of use of JSON Web Keys in HMAC algorithm when decoding JSON Web Tokens allows for
  forged HS256 tokens (bsc#1266802).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:2638-1
Released:    Fri Jun 26 08:36:59 2026
Summary:     Security update for the Linux Kernel
Type:        security
Severity:    important
References:  1255416,1258538,1260531,1262663,1262993,1263769,1263879,1263880,1264076,1264116,1264470,1264610,1266214,1266290,1267214,1267361,1267369,1267381,1267387,1267621,1267640,1267652,1267697,CVE-2025-10263,CVE-2025-68324,CVE-2026-23392,CVE-2026-31473,CVE-2026-31500,CVE-2026-31613,CVE-2026-31697,CVE-2026-31698,CVE-2026-31699,CVE-2026-31759,CVE-2026-43077,CVE-2026-43198,CVE-2026-45984,CVE-2026-46037,CVE-2026-46116,CVE-2026-46120,CVE-2026-46123,CVE-2026-46150,CVE-2026-46159,CVE-2026-46197,CVE-2026-46227

The SUSE Linux Enterprise 15 SP4 kernel was updated to fix various security issues

The following security issues were fixed:

- CVE-2025-10263: arm64: errata: Mitigate TLBI errata on various Arm CPUs (bsc#1266290).
- CVE-2025-68324: scsi: imm: Fix use-after-free bug caused by unfinished delayed work (bsc#1255416).
- CVE-2026-23392: netfilter: nf_tables: release flowtable after rcu grace period on error (bsc#1260531).
- CVE-2026-31473: media: mc, v4l2: serialize REINIT and REQBUFS with req_queue_mutex (bsc#1262663).
- CVE-2026-31500: Bluetooth: btintel: serialize btintel_hw_error() with hci_req_sync_lock (bsc#1262993).
- CVE-2026-31613: smb: client: fix OOB reads parsing symlink error response (bsc#1263769).
- CVE-2026-31697: crypto: ccp: Don't attempt to copy ID to userspace if PSP command failed (bsc#1264116).
- CVE-2026-31698: crypto: ccp: Don't attempt to copy PDH cert to userspace if PSP command failed (bsc#1263880).
- CVE-2026-31699: crypto: ccp: Don't attempt to copy CSR to userspace if PSP command failed (bsc#1263879).
- CVE-2026-31759: usb: ulpi: fix double free in ulpi_register_interface() error path (bsc#1264076).
- CVE-2026-43077: crypto: algif_aead - Fix minimum RX size check for decryption (bsc#1264470).
- CVE-2026-43198: tcp: fix potential race in tcp_v6_syn_recv_sock() (bsc#1264610).
- CVE-2026-45984: gfs2: Move the inode glock locking to gfs2_file_buffered_write (bsc#1267214).
- CVE-2026-46037: ipv4: icmp: validate reply type before using icmp_pointers (bsc#1267361).
- CVE-2026-46116: xfrm: defensively unhash xfrm_state lists in __xfrm_state_delete (bsc#1267369).
- CVE-2026-46120: ip6_gre: Use cached t->net in ip6erspan_changelink() (bsc#1267640).
- CVE-2026-46123: Bluetooth: virtio_bt: clamp rx length before skb_put (bsc#1267621).
- CVE-2026-46150: fanotify: fix false positive on permission events (bsc#1267387).
- CVE-2026-46159: btrfs: fix btrfs_ioctl_space_info() slot_count TOCTOU which can lead to info-leak (bsc#1267652).
- CVE-2026-46197: drm/amdkfd: validate SVM ioctl nattr against buffer size (bsc#1267381).
- CVE-2026-46227: sctp: revalidate list cursor after sctp_sendmsg_to_asoc() in SCTP_SENDALL (bsc#1267697).

The following non security issues were fixed:

- smb: client: correctly handle ErrorContextData as a flexible array (git-fixes).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:2639-1
Released:    Fri Jun 26 09:04:53 2026
Summary:     Security update for containerd
Type:        security
Severity:    important
References:  1260296,1262948,1265794,1266640,CVE-2026-33186,CVE-2026-33814,CVE-2026-34986,CVE-2026-39821
This update for containerd fixes the following issues

- CVE-2026-33186: google.golang.org/grpc: authorization bypass due to improper validation of the HTTP/2 :path pseudo-
  header (bsc#1260296).
- CVE-2026-33814: golang.org/x/net/http2: infinite loop in HTTP/2 transport when given bad SETTINGS_MAX_FRAME_SIZE
  (bsc#1265794).
- CVE-2026-34986: github.com/go-jose/go-jose/v3: crafted JWE input with a missing encrypted key can lead to a denial of
  service (bsc#1262948).
- CVE-2026-39821: golang.org/x/net/idna: failure to reject ASCII-only Punycode-encoded labels allows for validation
  bypass and privilege escalation (bsc#1266640).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:2653-1
Released:    Fri Jun 26 14:22:17 2026
Summary:     Security update for util-linux
Type:        security
Severity:    moderate
References:  1261606,CVE-2026-27456
This update for util-linux fixes the following issue

- CVE-2026-27456: TOCTOU in the mount program when setting up loop devices (bsc#1261606).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:2674-1
Released:    Mon Jun 29 11:36:33 2026
Summary:     Security update for libsolv, libzypp, zypper
Type:        security
Severity:    important
References:  1158038,1239718,1246504,1247948,1249435,1252744,1253193,1253740,1257068,1257882,1258193,1259311,1259706,1259802,1259842,1265223,1265935,1265938,1266039,1267426,1267874,CVE-2026-25707,CVE-2026-44933,CVE-2026-44941,CVE-2026-44942,CVE-2026-48863,CVE-2026-9149,CVE-2026-9150
This update for libsolv, libzypp, zypper fixes the following issues

- CVE-2026-9149: Heap buffer overflow in libsolv repo_add_solv via negative maxsize from crafted .solv file
  (bsc#1265935).
- CVE-2026-9150: Stack-based buffer overflow in libsolv's Debian metadata parser when handling SHA384/SHA512 checksums
  (bsc#1265938).
- CVE-2026-25707: Handcrafted repo metadata may cause arbitrary local files to be overwritten (bsc#1259802).
- CVE-2026-44933: scan of the Mandatory signature verification plugin support (bsc#1265223).
- CVE-2026-44941: path traversal via 'keyhint' (bsc#1267426).
- CVE-2026-44942: .repo files can have an optional path which can lead to path traversal attacks (bsc#1267874).
- CVE-2026-48863: Fix buffer overflow when parsing EdDSA signature (bsc#1266039).

Changes in libzypp:

Updated to version 17.38.13 (35):

- A .repo files 'path=' entry must not refer to a location
  outside the repo (bsc#1267874, CVE-2026-44942)
  A 'path=' entry may solely denote a sub-directory of the baseurl
  where the metadata are located. A relative path trying to access
  data outside the baseurl is reported and sanitized.
- Fix potential crash on malformed or malicious repository
  metadata (fixes #740)
- Repo metadata: discard entries referring to a location outside
  the repo (bsc#1259802, CVE-2026-25707)
  Mirroring those data locally would refer to a location outside
  the repo's local cache directory. Those data entries are reported
  and discarded.
- zypp.conf: Allow [env] section to add environment variables.
  This feature is designed to enable environment-specific settings
  or debugging options over an extended period. See zypp.conf(5).
- Prevent configured scripts from escaping the sigcheck directory
  (bsc#1265223, CVE-2026-44933)
- StringV: guard hasPrefix/hasPrefixCI against reading past the
  view end (fixes #735)
- Mandatory signature verification plugin support (PED#11922)
- Fix purge-kernel -rc kernel handling (bsc#1239718)
- Explicitly_set_pool_DISTTYPE_RPM (fixes #726)
- Check for trusted key updates when updating the general keyring
  (bsc#1259706)
- Support multiple MirroredOrigin authorities (bsc#1253193)
- Workaround doxygen bug: doxygen/doxygen#12057
- libzypp.spec: Add missing graphviz-gd BuildRequires (boo#1259842)
- Fix preloader not caching packages from arch specific subrepos
  (bsc#1253740)
- Deprioritize invalid mirrors (fixes openSUSE/zypper#636)
- Fix Product::referencePackage lookup (bsc#1259311)
  Use a provided autoproduct() as hint to the package name of the
  release package. It might be that not just multiple versions of
  the same release package provide the same product version, but
  also different release packages.
- specfile: on fedora use %{_prefix}/share as zyppconfdir if
  %{_distconfdir} is undefined (fixes #693)
  This will set '-DZYPPCONFDIR=%{zyppconfdir}' for cmake.
- Fall back to a writable location when precaching packages
  without root (bsc#1247948)
- Prepare a legacy /etc/zypp/zypp.conf to be installed on old distros.
  See the ZYPP.CONF(5) man page for details.
- Fix runtime check for broken rpm --runposttrans (bsc#1257068)
- Avoid libcurl-mini4 when building as it does not support ftp
  protocol.
- Translation: updated .pot file.
- zypp.conf: follow the UAPI configuration file specification
  (PED-14658)
  In short terms it means we will no longer ship an
  /etc/zypp/zypp.conf, but store our own defaults in
  /usr/etc/zypp/zypp.conf. The systems administrator may choose to
  keep a full copy in /etc/zypp/zypp.conf ignoring our config file
  settings completely, or - the preferred way - to overwrite
  specific settings via /etc/zypp/zypp.conf.d/*.conf overlay files.
  See the ZYPP.CONF(5) man page for details.
- cmake: correctly detect rpm6 (fixes #689)
- Use 'zypp.tmp' as temp directory component to ease setting up
  SELinux policies (bsc#1249435)
- zyppng: Update Provider to current MediaCurl2 download
  approach, drop Metalink ( fixes #682 )

Changes in libsolv:

Updated to version 0.7.39:

- fix solv_chksum_free segfault when called with a NULL pointer
- made repo_add_solv more robust against corrupt files
  [bsc#1265935] [CVE-2026-9149]
- fix potential buffer overflow when verifying EdDSA signatures
  [bsc#1266039] [CVE-2026-48863]
- added limit checks in multiple places to catch overflows
- reduce the size of the language id cache
- fixed Debian canon selection
- fixed dbpath detection in repo_rpmdb_librpm
- reduced stack usage in repo page compression (needed for musl)
- fix parsing of sha512 checksums in debian repositories
  [bsc#1265938] [CVE-2026-9150]
- improve speed of dirpool_add_dir makeing parsing of filelists.xml
  twice as fast
- fix parsing of recommends in the old Mandriva synthesis format
- respect the 'default' attribute in environment optionlist in
  the comps parser
- support suse namespace deps in boolean dependencies [bsc#1258193]
- support for the Elbrus2000 (e2k) architecture
- support language() suse namespace rewriting

Changes in zypper:

Update to version 1.14.98:

- Transactional systems: Delegate rw-commands to
  transactional-wrapper if available (jsc#PED-13680, jsc#PED-15607)
  On a transactional system where the root filesystem is mounted
  read-only, zypper commands that modify the system cannot be
  executed directly.
  If the system provides a transactional-wrapper utility, zypper
  will automatically attempt to invoke it. The wrapper
  transparently executes the zypper command within a new, writable
  snapshot and manages the lifecycle of that snapshot based on the
  command's exit status.
  On transactional systems lacking a transactional-wrapper, users
  must manually invoke specialized tools -such as
  transactional-update- to install, update, or remove software.
- Add --filter-version-change to zypper lu.
  Adds filtering by version change significance to reduce noise in
  update listings. Supports levels: rebuild (hides rebuild-only
  changes) and package (hides all release-only changes).
- Autorefresh ris-services the way as plugin-services (bsc#1246504)
  It's actually wrong to treat service refreshes different
  depending on the service type. For the purpose of a service it
  makes no difference how the data about the repos to use are
  acquired.
- Report download progress for command line rpms (fixes #613)
- Hint to '-vv ref' to see the mirrors used to download the
  metadata (bsc#1257882)
- Service: Allow 'zypper ls SERVICE ...' to test whether a
  service with this alias is defined (bsc#1252744)
  The command prints an abstract of all services passed on the
  command line. It returns 3-ZYPPER_EXIT_ERR_INVALID_ARGS if some
  argument does not name an existing service.
- Keep repo data when updating the service settings (bsc#1252744)
- info: Enhance pattern content table (bsc#1158038)
  Alternatives (multiple packages providing the same requirement)
  are now listed as a single entry in the content table. The entry
  shows either the installed package which satisfies the
  requirement or the requirement itself as type 'Provides'.
  Listing all potential alternatives was miss leading, especially
  if the alternatives were mutual exclusive. It looked like an
  installed pattern had not-installed requirements and it was not
  possible to install all requirements at the same time.

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:2699-1
Released:    Tue Jun 30 11:19:23 2026
Summary:     Security update for cifs-utils
Type:        security
Severity:    important
References:  1267389,CVE-2026-12505
This update for cifs-utils fixes the following issue

- CVE-2026-12505: cifs.upcall local privilege escalation via request_key-controlled namespace switch and NSS loading
  (bsc#1267389).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:2714-1
Released:    Tue Jun 30 14:02:53 2026
Summary:     Security update for tar
Type:        security
Severity:    important
References:  1261900,1265450,1267189,CVE-2026-5704
This update for tar fixes the following issues

Security fixes:

- CVE-2026-5704: crafted archives can be used to to hide file injection (bsc#1261900).

Other fixes:

- Fix tar changing dir permissions temporarily even when using --no-overwrite-dir.
- Fix --dereference/-h not working properly after CVE-2025-45582 fix (bsc#1265450).
- Fix extraction failure for paths like 'a/./b' caused by the gnulib openat2
 implementation (bsc#1267189).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:2720-1
Released:    Wed Jul  1 15:14:47 2026
Summary:     Security update for dracut
Type:        security
Severity:    important
References:  1268322,CVE-2026-6893
This update for dracut fixes the following issue

- CVE-2026-6893: Root code execution via DHCP options command injection (bsc#1268322).

Changes for dracut:

- Update to version 055+suse.365.g79144c5:
 * fix(network-legacy): sanitize DHCP values in dhclient-script.sh (bsc#1268322, CVE-2026-6893)
 * fix(network-legacy): add input validation to RFC 3442 route parser

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:2723-1
Released:    Wed Jul  1 20:06:53 2026
Summary:     Security update for python311
Type:        security
Severity:    moderate
References:  1258364,1261970,CVE-2026-3446
This update for python311 fixes the following issues:

Security issues fixed:

- CVE-2026-3446: base64 decoding stops at first padded quad by default and ignores other information that could be
  processed (bsc#1261970).

Other updates and bugfixes:

- Rewrite structure of Python interpreter packages. `python3*` symbols should be now provided by real `python3`
  packages and its subpackages instead of the virtual provides (bsc#1258364).


The following package changes have been done:

- bind-utils-9.16.50-150400.5.62.1 updated
- cifs-utils-6.15-150400.3.21.1 updated
- containerd-ctr-1.7.29-150000.137.1 updated
- containerd-1.7.29-150000.137.1 updated
- coreutils-8.32-150400.9.12.1 updated
- dracut-055+suse.365.g79144c5-150400.3.49.1 updated
- glibc-locale-base-2.31-150300.101.1 updated
- glibc-locale-2.31-150300.101.1 updated
- glibc-2.31-150300.101.1 updated
- hwdata-0.406-150000.3.80.1 updated
- iproute2-5.14-150400.3.6.1 updated
- jq-1.6-150000.3.15.1 updated
- kernel-default-5.14.21-150400.24.225.2 updated
- krb5-1.19.2-150400.3.21.1 updated
- libavahi-client3-0.8-150400.7.31.2 updated
- libavahi-common3-0.8-150400.7.31.2 updated
- libblkid1-2.37.2-150400.8.47.1 updated
- libfdisk1-2.37.2-150400.8.47.1 updated
- libjq1-1.6-150000.3.15.1 updated
- libmount1-2.37.2-150400.8.47.1 updated
- libopenssl1_1-1.1.1l-150400.7.96.2 updated
- libpython3_11-1_0-3.11.15-150400.9.88.1 updated
- libsmartcols1-2.37.2-150400.8.47.1 updated
- libsolv-tools-base-0.7.39-150400.3.46.1 updated
- libsolv-tools-0.7.39-150400.3.46.1 updated
- libsqlite3-0-3.53.2-150000.3.42.1 updated
- libuuid1-2.37.2-150400.8.47.1 updated
- libzypp-17.38.13-150400.3.158.1 updated
- openssh-clients-8.4p1-150300.3.65.1 updated
- openssh-common-8.4p1-150300.3.65.1 updated
- openssh-server-8.4p1-150300.3.65.1 updated
- openssh-8.4p1-150300.3.65.1 updated
- openssl-1_1-1.1.1l-150400.7.96.2 updated
- python3-bind-9.16.50-150400.5.62.1 updated
- python311-PyJWT-2.8.0-150400.8.13.1 updated
- python311-base-3.11.15-150400.9.88.1 updated
- python311-urllib3-2.0.7-150400.7.30.1 updated
- python311-3.11.15-150400.9.88.1 updated
- runc-1.3.4-150000.96.1 updated
- tar-1.34-150000.3.42.1 updated
- timezone-2026b-150000.75.37.1 updated
- util-linux-systemd-2.37.2-150400.8.47.1 updated
- util-linux-2.37.2-150400.8.47.1 updated
- vim-data-common-9.2.0530-150000.5.94.1 updated
- vim-9.2.0530-150000.5.94.1 updated
- wicked-service-0.6.79-150400.3.39.1 updated
- wicked-0.6.79-150400.3.39.1 updated
- xen-libs-4.16.7_10-150400.4.86.2 updated
- xen-tools-domU-4.16.7_10-150400.4.86.2 updated
- zypper-1.14.98-150400.3.104.1 updated


More information about the sle-container-updates mailing list