SUSE-CU-2026:6818-1: Security update of suse/multi-linux-manager/5.1/x86_64/proxy-salt-broker
sle-container-updates at lists.suse.com
sle-container-updates at lists.suse.com
Tue Jul 7 08:17:01 UTC 2026
SUSE Container Update Advisory: suse/multi-linux-manager/5.1/x86_64/proxy-salt-broker
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2026:6818-1
Container Tags : suse/multi-linux-manager/5.1/x86_64/proxy-salt-broker:5.1.4 , suse/multi-linux-manager/5.1/x86_64/proxy-salt-broker:5.1.4.9.22.2 , suse/multi-linux-manager/5.1/x86_64/proxy-salt-broker:latest
Container Release : 9.22.2
Severity : important
Type : security
References : 1158038 1208800 1226578 1233668 1234567 1238890 1239718 1242916
1243268 1245107 1246504 1247707 1247948 1248699 1249243 1249435
1250782 1250782 1252744 1253032 1253193 1253740 1254900 1254903
1254904 1254905 1255752 1257068 1257583 1257882 1257894 1258041
1258079 1258144 1258193 1258364 1258382 1258816 1259087 1259230
1259261 1259311 1259327 1259474 1259479 1259482 1259521 1259553
1259590 1259591 1259630 1259700 1259706 1259739 1259787 1259802
1259842 1259960 1260031 1260614 1260806 1261206 1261280 1261305
1261307 1261327 1261606 1261631 1261723 1261753 1261841 1261902
1261970 1262090 1262144 1262222 1262285 1262460 1262464 1262465
1262471 1262492 1262595 1262708 1262720 1262760 1262761 1262803
1262803 1262950 1263501 1263814 1263841 1263935 1263950 1263951
1263952 1263953 1263954 1263955 1263956 1263957 1263986 1263987
1264149 1264150 1264163 1264174 1264234 1264256 1264966 1264971
1265134 1265223 1265267 1265281 1265282 1265283 1265284 1265285
1265286 1265287 1265288 1265289 1265290 1265319 1265358 1265620
1265935 1265938 1265975 1266012 1266039 1266340 1266340 1266341
1266341 1266342 1266342 1266343 1266345 1266349 1266349 1266350
1266351 1266352 1266353 1266355 1266356 1266357 1266357 1266556
1266600 1267426 1267503 1267874 1267955 1267956 1267962 1267963
1267965 1267969 1267970 1267971 1267972 1267976 1267977 1267978
1268012 1268013 1268395 1268396 1268397 1269253 1269534 CVE-2022-21698
CVE-2024-52804 CVE-2025-47287 CVE-2025-67724 CVE-2025-67725 CVE-2025-67726
CVE-2026-11822 CVE-2026-11824 CVE-2026-23918 CVE-2026-24072 CVE-2026-25707
CVE-2026-27456 CVE-2026-28374 CVE-2026-28376 CVE-2026-28379 CVE-2026-28380
CVE-2026-28383 CVE-2026-28780 CVE-2026-29167 CVE-2026-29168 CVE-2026-29169
CVE-2026-29170 CVE-2026-31958 CVE-2026-33006 CVE-2026-33007 CVE-2026-33376
CVE-2026-33377 CVE-2026-33378 CVE-2026-33380 CVE-2026-33381 CVE-2026-33523
CVE-2026-33857 CVE-2026-34032 CVE-2026-34059 CVE-2026-34180 CVE-2026-34180
CVE-2026-34181 CVE-2026-34183 CVE-2026-34355 CVE-2026-34356 CVE-2026-3446
CVE-2026-34743 CVE-2026-34986 CVE-2026-39821 CVE-2026-40179 CVE-2026-4046
CVE-2026-40475 CVE-2026-40475 CVE-2026-41602 CVE-2026-42151 CVE-2026-42154
CVE-2026-42198 CVE-2026-42535 CVE-2026-42536 CVE-2026-42766 CVE-2026-42766
CVE-2026-42767 CVE-2026-42768 CVE-2026-42769 CVE-2026-42770 CVE-2026-43951
CVE-2026-44119 CVE-2026-44185 CVE-2026-44186 CVE-2026-44431 CVE-2026-44631
CVE-2026-44933 CVE-2026-44941 CVE-2026-44942 CVE-2026-45445 CVE-2026-45446
CVE-2026-45447 CVE-2026-45447 CVE-2026-48863 CVE-2026-48913 CVE-2026-49853
CVE-2026-49854 CVE-2026-49855 CVE-2026-49975 CVE-2026-5450 CVE-2026-5928
CVE-2026-5958 CVE-2026-7383 CVE-2026-7383 CVE-2026-9076 CVE-2026-9076
CVE-2026-9149 CVE-2026-9150
-----------------------------------------------------------------
The container suse/multi-linux-manager/5.1/x86_64/proxy-salt-broker was updated. The following patches have been included in this update:
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2024:4137-1
Released: Mon Dec 2 13:28:37 2024
Summary: Security update for python-tornado6
Type: security
Severity: moderate
References: 1233668,CVE-2024-52804
This update for python-tornado6 fixes the following issues:
- CVE-2024-52804: Fixed a denial of service caused by quadratic performance of cookie parsing (bsc#1233668)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:1649-1
Released: Thu May 22 09:44:52 2025
Summary: Security update for python-tornado6
Type: security
Severity: important
References: 1243268,CVE-2025-47287
This update for python-tornado6 fixes the following issues:
- CVE-2025-47287: excessive logging when parsing malformed `multipart/form-data` can lead to a denial-of-service
(bsc#1243268).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:10-1
Released: Mon Jan 5 11:26:28 2026
Summary: Security update for python-tornado6
Type: security
Severity: important
References: 1254903,1254904,1254905,CVE-2025-67724,CVE-2025-67725,CVE-2025-67726
This update for python-tornado6 fixes the following issues:
- CVE-2025-67724: unescaped `reason` argument used in HTTP headers and in HTML default error pages can be used by
attackers to launch header injection or XSS attacks (bsc#1254903).
- CVE-2025-67725: quadratic complexity of string concatenation operations used by the `HTTPHeaders.add` method can lead
to DoS when processing a maliciously crafted HTTP request (bsc#1254905).
- CVE-2025-67726: quadratic complexity algorithm used in the `_parseparam` function of `httputil.py` can lead to DoS
when processing maliciously crafted parameters in a `Content-Disposition` header (bsc#1254904).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:1064-1
Released: Thu Mar 26 11:37:21 2026
Summary: Security update for python-tornado6
Type: security
Severity: important
References: 1259553,1259630,CVE-2026-31958
This update for python-tornado6 fixes the following issues:
- CVE-2026-31958: parsing large multipart bodies with many parts can cause a denial of service (bsc#1259553).
- incomplete validation of cookie attributes allows for injection of user-controlled values in other cookie attributes
(bsc#1259630).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:1941-1
Released: Mon May 18 09:44:34 2026
Summary: Security update for sed
Type: security
Severity: moderate
References: 1262144,CVE-2026-5958
This update for sed fixes the following issue:
- CVE-2026-5958: a TOCTOU race can allow to read attacker-controlled content and write it to an unintended file (bsc#1262144).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2026:2041-1
Released: Thu May 21 16:29:18 2026
Summary: Recommended update for openssl-1_1
Type: recommended
Severity: moderate
References: 1250782
This update for openssl-1_1 fixes the following issues:
- Fix 30-test_fips_sli.t fails intermittently on s390x (bsc#1250782):
* Fix AES_GCM IV test sometimes failing on s390x.
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:2051-1
Released: Mon May 25 15:59:43 2026
Summary: Security update for xz
Type: security
Severity: important
References: 1261280,CVE-2026-34743
This update for xz fixes the following issue
- CVE-2026-34743: buffer overflow in lzma_index_append() (bsc#1261280).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:2104-1
Released: Thu May 28 16:02:52 2026
Summary: Security update for apache2
Type: security
Severity: important
References: 1263935,1263950,1263951,1263952,1263953,1263954,1263955,1263956,1263957,1264150,1264163,CVE-2026-23918,CVE-2026-24072,CVE-2026-28780,CVE-2026-29168,CVE-2026-29169,CVE-2026-33006,CVE-2026-33007,CVE-2026-33523,CVE-2026-33857,CVE-2026-34032,CVE-2026-34059
This update for apache2 fixes the following issues
- CVE-2026-23918: http2: double free and possible RCE on early reset (bsc#1263957).
- CVE-2026-24072: mod_rewrite elevation of privileges via ap_expr (bsc#1263935).
- CVE-2026-28780: heap buffer overflow in `mod_proxy_ajp` via `ajp_msg_check_header()` (bsc#1264163).
- CVE-2026-29168: allocation of resources without limits in `mod_md` via OCSP response (bsc#1264150).
- CVE-2026-29169: NULL pointer dereference in `mod_dav_lock` allows server crash via malicious requests (bsc#1263956).
- CVE-2026-33006: `mod_auth_digest` timing attack allows bypass of Digest authentication (bsc#1263955).
- CVE-2026-33007: NULL pointer dereference in `mod_authn_socache` allows unauthenticated remote user to crash a child
processes (bsc#1263954).
- CVE-2026-33523: HTTP response splitting forwarding malicious status line (bsc#1263953).
- CVE-2026-33857: off-by-one OOB reads in AJP getter functions (bsc#1263952).
- CVE-2026-34032: heap buffer overread in `mod_proxy_ajp` due to missing null-termination check (bsc#1263951).
- CVE-2026-34059: heap buffer overread and memory disclosure via `ajp_parse_data()` (bsc#1263950).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:2231-1
Released: Wed Jun 3 12:57:18 2026
Summary: Security update for glibc
Type: security
Severity: important
References: 1261206,1262464,1262465,CVE-2026-4046,CVE-2026-5450,CVE-2026-5928
This update for glibc fixes the following issues
- CVE-2026-4046: assertion failure when converting inputs may be used to remotely crash an application (bsc#1261206).
- CVE-2026-5450: stdio-common: scanf %mc pattern will cause heap overflow when width > 1024 (bsc#1262465).
- CVE-2026-5928: libio: ungetwc could be used to leak data on special conditions (bsc#1262464).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:2259-1
Released: Wed Jun 3 17:31:35 2026
Summary: Security update for python3-pyOpenSSL
Type: security
Severity: moderate
References: 1262803,CVE-2026-40475
This update for python3-pyOpenSSL fixes the following issue
- CVE-2026-40475: improper input handling of null bytes can lead to silent data truncation and security-state
inconsistency (bsc#1262803).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:2261-1
Released: Wed Jun 3 17:32:08 2026
Summary: Security update for python-pyOpenSSL
Type: security
Severity: moderate
References: 1262803,CVE-2026-40475
This update for python-pyOpenSSL fixes the following issue
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2026:2276-1
Released: Fri Jun 5 10:56:23 2026
Summary: Recommended update for apparmor
Type: recommended
Severity: important
References: 1265620
This update for apparmor fixes the following issues:
- Allow execution of /usr/bin/zstd (bsc#1265620)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:2298-1
Released: Mon Jun 8 12:17:11 2026
Summary: Security update for python311
Type: security
Severity: moderate
References: 1258364,1261970,CVE-2026-3446
This update for python311 fixes the following issues:
- CVE-2026-3446: Base64 decoding stops at first padded quad by default (bsc#1261970).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:2392-1
Released: Mon Jun 15 10:05:31 2026
Summary: Security update for openssl-1_1
Type: security
Severity: important
References: 1250782,1266340,1266341,1266342,1266349,1266357,CVE-2026-34180,CVE-2026-42766,CVE-2026-45447,CVE-2026-7383,CVE-2026-9076
This update for openssl-1_1 fixes the following issues
- CVE-2026-7383: Possible Heap Buffer Overflow in ASN.1 Multibyte String Conversion (bsc#1266340).
- CVE-2026-9076: Out-of-Bounds Read in CMS Password-Based Decryption (bsc#1266341).
- CVE-2026-34180: Heap Buffer Over-read in ASN.1 Content Parsing (bsc#1266342).
- CVE-2026-42766: Possible NULL Dereference in Password-Based CMS Decryption (bsc#1266349).
- CVE-2026-45447: Heap Use-After-Free in OpenSSL PKCS7_verify() (bsc#1266357).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2026:2425-1
Released: Wed Jun 17 08:48:32 2026
Summary: Recommended update for iproute2
Type: recommended
Severity: important
References: 1255752
This update for iproute2 fixes the following issues:
- add DPLL support (bsc#1255752 jsc#PED-14083):
* dpll: add dpll command
* dpll: fix missing notifications in monitor mode
* dpll: send object per event in JSON monitor mode
* dpll: add client side filtering for device and pin show
* dpll: add direction and state filtering for pin show
* dpll: add mode setting support
* dpll: add pin filtering by parent device
* dpll: add support for fractional frequency offset
* dpll: fix pin id get type filter parsing
* lib: add string to boolean helper function
* lib: move mnlg to lib for shared use
* sync UAPI header copies with SL-16.0
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2026:2434-1
Released: Wed Jun 17 16:40:10 2026
Summary: Recommended update for coreutils
Type: recommended
Severity: important
References: 1259327
This update for coreutils fixes the following issues:
- proc: Use affinity mask even on systems with more than 1024 CPUs (bsc#1259327)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:2485-1
Released: Mon Jun 22 14:06:22 2026
Summary: Security update for util-linux
Type: security
Severity: moderate
References: 1261606,CVE-2026-27456
This update for util-linux fixes the following issue
- CVE-2026-27456: TOCTOU in the mount program when setting up loop devices (bsc#1261606).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:2486-1
Released: Mon Jun 22 14:07:07 2026
Summary: Security update for python-urllib3
Type: security
Severity: important
References: 1265267,CVE-2026-44431
This update for python-urllib3 fixes the following issue
- CVE-2026-44431: sensitive information disclosure due to sensitive headers being forwarded across origins in proxied
low-level redirects (bsc#1265267).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:2528-1
Released: Tue Jun 23 11:06:07 2026
Summary: Security update for sqlite3
Type: security
Severity: important
References: 1268012,1268013,CVE-2026-11822,CVE-2026-11824
This update for sqlite3 fixes the following issues
Update to 3.53.2:
- CVE-2026-11822: memory corruption vulnerabilities in the FTS5 full-text search extension that allow attackers to cause
process crashes, memory exhaustion, or arbitrary code execution (bsc#1268012).
- CVE-2026-11824: heap-based buffer overflow vulnerability in the FTS5 full-text search extension that allows attackers
to cause a crash or execute arbitrary code (bsc#1268013).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:2531-1
Released: Tue Jun 23 12:25:09 2026
Summary: Security update for libsolv, libzypp, zypper
Type: security
Severity: important
References: 1158038,1239718,1246504,1247948,1249435,1252744,1253193,1253740,1257068,1257882,1258193,1259311,1259706,1259802,1259842,1265223,1265935,1265938,1266039,1267426,1267874,CVE-2026-25707,CVE-2026-44933,CVE-2026-44941,CVE-2026-44942,CVE-2026-48863,CVE-2026-9149,CVE-2026-9150
This update for libsolv, libzypp, zypper fixes the following issues
- CVE-2026-9149: Heap buffer overflow in libsolv repo_add_solv via negative maxsize from crafted .solv file
(bsc#1265935).
- CVE-2026-9150: Stack-based buffer overflow in libsolv's Debian metadata parser when handling SHA384/SHA512 checksums
(bsc#1265938).
- CVE-2026-25707: Handcrafted repo metadata may cause arbitrary local files to be overwritten (bsc#1259802).
- CVE-2026-44933: scan of the Mandatory signature verification plugin support (bsc#1265223).
- CVE-2026-44941: path traversal via 'keyhint' (bsc#1267426).
- CVE-2026-44942: .repo files can have an optional path which can lead to path traversal attacks (bsc#1267874).
- CVE-2026-48863: Fix buffer overflow when parsing EdDSA signature (bsc#1266039).
Changes in libzypp:
Updated to version 17.38.13 (35):
- A .repo files 'path=' entry must not refer to a location
outside the repo (bsc#1267874, CVE-2026-44942)
A 'path=' entry may solely denote a sub-directory of the baseurl
where the metadata are located. A relative path trying to access
data outside the baseurl is reported and sanitized.
- Fix potential crash on malformed or malicious repository
metadata (fixes #740)
- Repo metadata: discard entries referring to a location outside
the repo (bsc#1259802, CVE-2026-25707)
Mirroring those data locally would refer to a location outside
the repo's local cache directory. Those data entries are reported
and discarded.
- zypp.conf: Allow [env] section to add environment variables.
This feature is designed to enable environment-specific settings
or debugging options over an extended period. See zypp.conf(5).
- Prevent configured scripts from escaping the sigcheck directory
(bsc#1265223, CVE-2026-44933)
- StringV: guard hasPrefix/hasPrefixCI against reading past the
view end (fixes #735)
- Mandatory signature verification plugin support (PED#11922)
- Fix purge-kernel -rc kernel handling (bsc#1239718)
- Explicitly_set_pool_DISTTYPE_RPM (fixes #726)
- Check for trusted key updates when updating the general keyring
(bsc#1259706)
- Support multiple MirroredOrigin authorities (bsc#1253193)
- Workaround doxygen bug: doxygen/doxygen#12057
- libzypp.spec: Add missing graphviz-gd BuildRequires (boo#1259842)
- Fix preloader not caching packages from arch specific subrepos
(bsc#1253740)
- Deprioritize invalid mirrors (fixes openSUSE/zypper#636)
- Fix Product::referencePackage lookup (bsc#1259311)
Use a provided autoproduct() as hint to the package name of the
release package. It might be that not just multiple versions of
the same release package provide the same product version, but
also different release packages.
- specfile: on fedora use %{_prefix}/share as zyppconfdir if
%{_distconfdir} is undefined (fixes #693)
This will set '-DZYPPCONFDIR=%{zyppconfdir}' for cmake.
- Fall back to a writable location when precaching packages
without root (bsc#1247948)
- Prepare a legacy /etc/zypp/zypp.conf to be installed on old distros.
See the ZYPP.CONF(5) man page for details.
- Fix runtime check for broken rpm --runposttrans (bsc#1257068)
- Avoid libcurl-mini4 when building as it does not support ftp
protocol.
- Translation: updated .pot file.
- zypp.conf: follow the UAPI configuration file specification
(PED-14658)
In short terms it means we will no longer ship an
/etc/zypp/zypp.conf, but store our own defaults in
/usr/etc/zypp/zypp.conf. The systems administrator may choose to
keep a full copy in /etc/zypp/zypp.conf ignoring our config file
settings completely, or - the preferred way - to overwrite
specific settings via /etc/zypp/zypp.conf.d/*.conf overlay files.
See the ZYPP.CONF(5) man page for details.
- cmake: correctly detect rpm6 (fixes #689)
- Use 'zypp.tmp' as temp directory component to ease setting up
SELinux policies (bsc#1249435)
- zyppng: Update Provider to current MediaCurl2 download
approach, drop Metalink ( fixes #682 )
Changes in libsolv:
Updated to version 0.7.39:
- fix solv_chksum_free segfault when called with a NULL pointer
- made repo_add_solv more robust against corrupt files
[bsc#1265935] [CVE-2026-9149]
- fix potential buffer overflow when verifying EdDSA signatures
[bsc#1266039] [CVE-2026-48863]
- added limit checks in multiple places to catch overflows
- reduce the size of the language id cache
- fixed Debian canon selection
- fixed dbpath detection in repo_rpmdb_librpm
- reduced stack usage in repo page compression (needed for musl)
- fix parsing of sha512 checksums in debian repositories
[bsc#1265938] [CVE-2026-9150]
- improve speed of dirpool_add_dir makeing parsing of filelists.xml
twice as fast
- fix parsing of recommends in the old Mandriva synthesis format
- respect the 'default' attribute in environment optionlist in
the comps parser
- support suse namespace deps in boolean dependencies [bsc#1258193]
- support for the Elbrus2000 (e2k) architecture
- support language() suse namespace rewriting
Changes in zypper:
Update to version 1.14.98:
- Transactional systems: Delegate rw-commands to
transactional-wrapper if available (jsc#PED-13680, jsc#PED-15607)
On a transactional system where the root filesystem is mounted
read-only, zypper commands that modify the system cannot be
executed directly.
If the system provides a transactional-wrapper utility, zypper
will automatically attempt to invoke it. The wrapper
transparently executes the zypper command within a new, writable
snapshot and manages the lifecycle of that snapshot based on the
command's exit status.
On transactional systems lacking a transactional-wrapper, users
must manually invoke specialized tools -such as
transactional-update- to install, update, or remove software.
- Add --filter-version-change to zypper lu.
Adds filtering by version change significance to reduce noise in
update listings. Supports levels: rebuild (hides rebuild-only
changes) and package (hides all release-only changes).
- Autorefresh ris-services the way as plugin-services (bsc#1246504)
It's actually wrong to treat service refreshes different
depending on the service type. For the purpose of a service it
makes no difference how the data about the repos to use are
acquired.
- Report download progress for command line rpms (fixes #613)
- Hint to '-vv ref' to see the mirrors used to download the
metadata (bsc#1257882)
- Service: Allow 'zypper ls SERVICE ...' to test whether a
service with this alias is defined (bsc#1252744)
The command prints an abstract of all services passed on the
command line. It returns 3-ZYPPER_EXIT_ERR_INVALID_ARGS if some
argument does not name an existing service.
- Keep repo data when updating the service settings (bsc#1252744)
- info: Enhance pattern content table (bsc#1158038)
Alternatives (multiple packages providing the same requirement)
are now listed as a single entry in the content table. The entry
shows either the installed package which satisfies the
requirement or the requirement itself as type 'Provides'.
Listing all potential alternatives was miss leading, especially
if the alternatives were mutual exclusive. It looked like an
installed pattern had not-installed requirements and it was not
possible to install all requirements at the same time.
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:2648-1
Released: Fri Jun 26 13:05:57 2026
Summary: Security update for openssl-3
Type: security
Severity: important
References: 1266340,1266341,1266342,1266343,1266345,1266349,1266350,1266351,1266352,1266353,1266355,1266356,1266357,CVE-2026-34180,CVE-2026-34181,CVE-2026-34183,CVE-2026-42766,CVE-2026-42767,CVE-2026-42768,CVE-2026-42769,CVE-2026-42770,CVE-2026-45445,CVE-2026-45446,CVE-2026-45447,CVE-2026-7383,CVE-2026-9076
This update for openssl-3 fixes the following issues
- CVE-2026-7383: Possible Heap Buffer Overflow in ASN.1 Multibyte String Conversion (bsc#1266340).
- CVE-2026-9076: Out-of-Bounds Read in CMS Password-Based Decryption (bsc#1266341).
- CVE-2026-34180: Heap Buffer Over-read in ASN.1 Content Parsing (bsc#1266342).
- CVE-2026-34181: PKCS#12 Files with PBMAC1 Are Accepted with Short HMAC Keys (bsc#1266343).
- CVE-2026-34183: Unbounded Memory Growth in the QUIC PATH_CHALLENGE Handler (bsc#1266345).
- CVE-2026-42766: Possible NULL Dereference in Password-Based CMS Decryption (bsc#1266349).
- CVE-2026-42767: NULL Pointer Dereference in CRMF EncryptedValue Decryption (bsc#1266350).
- CVE-2026-42768: Multi-RecipientInfo Bleichenbacher Oracle in CMS_decrypt() and PKCS7_decrypt() (bsc#1266351).
- CVE-2026-42769: Trust-Anchor Substitution via cert/issuer Typo in CMP rootCaKeyUpdate (bsc#1266352).
- CVE-2026-42770: FFC-DH Peer Validation Uses Attacker-Supplied q (bsc#1266353).
- CVE-2026-45445: AES-OCB IV Ignored on EVP_Cipher() Path (bsc#1266355).
- CVE-2026-45446: Incorrect Tag Processing for Empty Messages in AES-GCM-SIV and AES-SIV modes (bsc#1266356).
- CVE-2026-45447: Heap Use-After-Free in OpenSSL PKCS7_verify() (bsc#1266357).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2026:2661-1
Released: Fri Jun 26 15:15:48 2026
Summary: Recommended update for curl
Type: recommended
Severity: important
References: 1264971
This update for curl fixes the following issues:
- Call http_size() first to prioritize Transfer-Encoding: chunked over a zero
Content-Length empty body check (bsc#1264971)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:2725-1
Released: Thu Jul 2 15:52:16 2026
Summary: Security update for python-tornado6
Type: security
Severity: important
References: 1268395,1268396,1268397,CVE-2026-49853,CVE-2026-49854,CVE-2026-49855
This update for python-tornado6 fixes the following issues
- CVE-2026-49853: authorization header forwarded across cross-origin redirects in SimpleAsyncHTTPClient (bsc#1268395).
- CVE-2026-49854: out-of-bounds memory access via C extension (bsc#1268396).
- CVE-2026-49855: AsyncHTTPClient accumulates decompressed chunks without size limit (bsc#1268397).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:2759-1
Released: Mon Jul 6 04:04:11 2026
Summary: Security update for apache2
Type: security
Severity: important
References: 1267503,1267955,1267956,1267962,1267963,1267965,1267969,1267970,1267971,1267972,1267976,1267977,1267978,CVE-2026-29167,CVE-2026-29170,CVE-2026-34355,CVE-2026-34356,CVE-2026-42535,CVE-2026-42536,CVE-2026-43951,CVE-2026-44119,CVE-2026-44185,CVE-2026-44186,CVE-2026-44631,CVE-2026-48913,CVE-2026-49975
This update for apache2 fixes the following issues
- CVE-2026-29167: mod_ldap per-dir use-after-free (bsc#1267976).
- CVE-2026-29170: mod_proxy_ftp XSS (bsc#1267977).
- CVE-2026-34355: mod_proxy_html buffer overflow (bsc#1267978).
- CVE-2026-34356: malicious backend servers can lead to a heap-based buffer overflow (bsc#1267955).
- CVE-2026-42535: malicious path manipulation can lead to child process crashes (bsc#1267956).
- CVE-2026-42536: processing untrusted content can lead to a heap-based buffer overflow (bsc#1267962).
- CVE-2026-43951: out-of-bound read in `merge_response_headers` can cause crash (bsc#1267963).
- CVE-2026-44119: improper privilege management can lead to an unauthorized read (bsc#1267965).
- CVE-2026-44185: Stack Buffer Over-Read in mod_ssl OCSP `send_request` (bsc#1267969).
- CVE-2026-44186: responses from an attacker-controlled FTP backend can lead to resource exhaustion and a denial of
service (bsc#1267970).
- CVE-2026-44631: crafted regular expression can lead to a buffer underwrite (bsc#1267971).
- CVE-2026-48913: file handle exhaustion during request processing in mod_http2 can lead to a use-after-free
(bsc#1267972).
- CVE-2026-49975: Fix cookie header accounting against LimitRequestFields (bsc#1267503).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:2774-1
Released: Mon Jul 6 09:52:16 2026
Summary: Maintenance update for Multi-Linux Manager 5.1: Server, Proxy and Retail Branch Server
Type: security
Severity: important
References: 1208800,1226578,1234567,1238890,1242916,1245107,1247707,1248699,1249243,1253032,1254900,1257583,1257894,1258041,1258079,1258144,1258382,1258816,1259087,1259230,1259261,1259474,1259479,1259482,1259521,1259590,1259591,1259700,1259739,1259787,1259960,1260031,1260614,1260806,1261305,1261307,1261327,1261631,1261723,1261753,1261841,1261902,1262090,1262222,1262285,1262460,1262471,1262492,1262595,1262708,1262720,1262760,1262761,1262950,1263501,1263814,1263841,1263986,1263987,1264149,1264174,1264234,1264256,1264966,1265134,1265281,1265282,1265283,1265284,1265285,1265286,1265287,1265288,1265289,1265290,1265319,1265358,1265975,1266012,1266556,1266600,1269253,1269534,CVE-2022-21698,CVE-2026-28374,CVE-2026-28376,CVE-2026-28379,CVE-2026-28380,CVE-2026-28383,CVE-2026-33376,CVE-2026-33377,CVE-2026-33378,CVE-2026-33380,CVE-2026-33381,CVE-2026-34986,CVE-2026-39821,CVE-2026-40179,CVE-2026-41602,CVE-2026-42151,CVE-2026-42154,CVE-2026-42198
Maintenance update for Multi-Linux Manager 5.1: Server, Proxy and Retail Branch Server
This is a codestream only update
The following package changes have been done:
- glibc-2.38-150600.14.49.1 updated
- libuuid1-2.40.4-150700.4.13.1 updated
- libsqlite3-0-3.53.2-150000.3.42.1 updated
- libsmartcols1-2.40.4-150700.4.13.1 updated
- liblzma5-5.4.1-150600.3.6.1 updated
- libopenssl3-3.2.3-150700.5.36.1 updated
- libblkid1-2.40.4-150700.4.13.1 updated
- sed-4.9-150600.3.3.1 updated
- coreutils-8.32-150400.9.12.1 updated
- libopenssl-3-fips-provider-3.2.3-150700.5.36.1 updated
- libmount1-2.40.4-150700.4.13.1 updated
- libfdisk1-2.40.4-150700.4.13.1 updated
- libcurl4-8.14.1-150700.7.17.1 updated
- libsolv-tools-base-0.7.39-150700.11.10.1 updated
- libzypp-17.38.13-150700.6.13.1 updated
- zypper-1.14.98-150700.13.6.1 updated
- util-linux-2.40.4-150700.4.13.1 updated
- curl-8.14.1-150700.7.17.1 updated
- openssl-3-3.2.3-150700.5.36.1 updated
- libapparmor1-3.1.7-150600.5.15.1 updated
- libopenssl1_1-1.1.1w-150700.11.22.1 updated
- xz-5.4.1-150600.3.6.1 updated
- libpython3_11-1_0-3.11.15-150600.3.56.1 updated
- python311-base-3.11.15-150600.3.56.1 updated
- python311-3.11.15-150600.3.56.1 updated
- iproute2-6.4-150600.7.15.1 updated
- python311-tornado6-6.3.2-150400.9.18.1 added
- apache2-prefork-2.4.66-150700.4.23.1 updated
- python3-uyuni-common-libs-5.1.6-150700.3.6.1 updated
- python311-pyOpenSSL-23.2.0-150400.3.16.1 updated
- python311-urllib3-2.0.7-150400.7.30.1 updated
- apache2-2.4.66-150700.4.23.1 updated
- python3-pyOpenSSL-21.0.0-150400.13.1 updated
- python311-salt-3006.0-150700.14.23.4 updated
- salt-3006.0-150700.14.23.4 updated
- spacewalk-backend-5.1.17-150700.3.12.7 updated
- container:bci-bci-base-15.7-d2aab68ae05470b62bbe38c4ca03ff5bf72b405197482ed96e34dd0087d7bde2-0 updated
More information about the sle-container-updates
mailing list