SUSE-CU-2026:5680-1: Security update of suse/manager/5.0/x86_64/server-migration-14-16
sle-container-updates at lists.suse.com
Sun Jun 7 07:36:19 UTC 2026
SUSE Container Update Advisory: suse/manager/5.0/x86_64/server-migration-14-16
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2026:5680-1
Container Tags : suse/manager/5.0/x86_64/server-migration-14-16:5.0.8 , suse/manager/5.0/x86_64/server-migration-14-16:5.0.8.7.35.1 , suse/manager/5.0/x86_64/server-migration-14-16:latest
Container Release : 7.35.1
Severity : important
Type : security
References : 1222465 1234736 1250782 1254666 1257181 1258311 1258859 1259362
1259611 1259711 1259726 1259729 1259734 1259735 1259825 1259845
1259989 1260026 1260078 1260082 1260441 1260441 1260442 1260442
1260443 1260443 1260444 1260444 1260445 1261206 1261280 1261678
1261678 1261809 1261969 1261970 1262098 1262319 1262464 1262465
1262631 1262632 1262635 1262636 1262638 1262654 1263804 1263804
1263804 1265172 1265172 1265172 1265173 1265173 1265173 1265174
1265174 1265174 1265175 1265175 1265175 1265176 1265177 1265177
1265177 1265178 1265178 1265178 1265179 1265179 1265179 1265180
1265181 1265181 1265181 1265182 1265182 CVE-2025-13462 CVE-2025-14104
CVE-2026-1299 CVE-2026-1502 CVE-2026-1965 CVE-2026-27135 CVE-2026-28387
CVE-2026-28387 CVE-2026-28388 CVE-2026-28388 CVE-2026-28389 CVE-2026-28389
CVE-2026-28390 CVE-2026-28390 CVE-2026-31789 CVE-2026-31789 CVE-2026-31790
CVE-2026-3184 CVE-2026-32776 CVE-2026-32777 CVE-2026-32778 CVE-2026-3446
CVE-2026-34743 CVE-2026-3479 CVE-2026-3644 CVE-2026-4046 CVE-2026-4224
CVE-2026-4437 CVE-2026-4438 CVE-2026-4519 CVE-2026-4786 CVE-2026-4873
CVE-2026-4878 CVE-2026-5450 CVE-2026-5545 CVE-2026-5928 CVE-2026-6019
CVE-2026-6100 CVE-2026-6253 CVE-2026-6276 CVE-2026-6429 CVE-2026-6472
CVE-2026-6472 CVE-2026-6472 CVE-2026-6473 CVE-2026-6473 CVE-2026-6473
CVE-2026-6474 CVE-2026-6474 CVE-2026-6474 CVE-2026-6475 CVE-2026-6475
CVE-2026-6475 CVE-2026-6476 CVE-2026-6477 CVE-2026-6477 CVE-2026-6477
CVE-2026-6478 CVE-2026-6478 CVE-2026-6478 CVE-2026-6479 CVE-2026-6479
CVE-2026-6479 CVE-2026-6575 CVE-2026-6637 CVE-2026-6637 CVE-2026-6637
CVE-2026-6638 CVE-2026-6638
-----------------------------------------------------------------
The container suse/manager/5.0/x86_64/server-migration-14-16 was updated. The following patches have been included in this update:
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:115-1
Released: Mon Jan 12 16:03:42 2026
Summary: Security update for util-linux
Type: security
Severity: moderate
References: 1254666,CVE-2025-14104
This update for util-linux fixes the following issues:
- CVE-2025-14104: Fixed heap buffer overread in setpwnam() when processing 256-byte usernames (bsc#1254666).
- lscpu: Add support for NVIDIA Olympus arm64 core (jsc#PED-13682).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:803-1
Released: Wed Mar 4 13:57:07 2026
Summary: Security update for util-linux
Type: security
Severity: moderate
References: 1258859,CVE-2026-3184
This update for util-linux fixes the following issues:
- CVE-2026-3184: Fix full hostname usage for PAM to ensure correct access control for 'login -h' (bsc#1258859).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:1090-1
Released: Thu Mar 26 18:44:54 2026
Summary: Security update for python3
Type: security
Severity: important
References: 1257181,CVE-2026-1299
This update for python3 fixes the following issues:
- CVE-2026-1299: header injection when an email is serialized due to improper newline quoting in BytesGenerator (bsc#1257181).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2026:1113-1
Released: Fri Mar 27 10:34:35 2026
Summary: Recommended update for crypto-policies
Type: recommended
Severity: moderate
References: 1258311,1259825
This update for crypto-policies fixes the following issues:
Enables PQC key exchange support for OpenSSH (bsc#1258311, bsc#1259825)
* The sntrup761x25519-sha512 hybrid key exchange for OpenSSH is enabled.
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:1166-1
Released: Thu Apr 2 03:08:04 2026
Summary: Security update for expat
Type: security
Severity: important
References: 1259711,1259726,1259729,CVE-2026-32776,CVE-2026-32777,CVE-2026-32778
This update for expat fixes the following issues:
- CVE-2026-32776: NULL pointer dereference when processing empty external parameter entities inside an entity
declaration value (bsc#1259726).
- CVE-2026-32777: denial of service due to infinite loop in DTD content parsing (bsc#1259711).
- CVE-2026-32778: NULL pointer dereference in `setContext` on retry after an out-of-memory condition (bsc#1259729).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:1215-1
Released: Wed Apr 8 14:27:57 2026
Summary: Security update for openssl-3
Type: security
Severity: important
References: 1260441,1260442,1260443,1260444,1260445,CVE-2026-28387,CVE-2026-28388,CVE-2026-28389,CVE-2026-31789,CVE-2026-31790
This update for openssl-3 fixes the following issues:
- CVE-2026-28387: Potential use-after-free in DANE client code (bsc#1260441).
- CVE-2026-28388: NULL Pointer Dereference When Processing a Delta CRL (bsc#1260442).
- CVE-2026-28389: Possible NULL dereference when processing CMS KeyAgreeRecipientInfo (bsc#1260443).
- CVE-2026-31789: Heap buffer overflow in hexadecimal conversion (bsc#1260444).
- CVE-2026-31790: Incorrect failure handling in RSA KEM RSASVE encapsulation (bsc#1260445).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:1350-1
Released: Wed Apr 15 15:36:20 2026
Summary: Security update for nghttp2
Type: security
Severity: important
References: 1259845,CVE-2026-27135
This update for nghttp2 fixes the following issue:
- CVE-2026-27135: assertion failure due to missing state validation can lead to DoS (bsc#1259845).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:1369-1
Released: Wed Apr 15 16:42:55 2026
Summary: Security update for glibc
Type: security
Severity: important
References: 1260078,1260082,CVE-2026-4437,CVE-2026-4438
This update for glibc fixes the following issues:
- CVE-2026-4437: incorrect DNS response parsing via crafted DNS server response (bsc#1260078).
- CVE-2026-4438: invalid DNS hostname returned via gethostbyaddr functions (bsc#1260082).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2026:1410-1
Released: Thu Apr 16 14:41:43 2026
Summary: Recommended update for util-linux
Type: recommended
Severity: moderate
References: 1222465,1234736
This update for util-linux fixes the following issues:
- recognize fuse 'portal' as a virtual file system (bsc#1234736).
- fdisk: Fix possible partition overlay and data corruption if EBR gap is missing (bsc#1222465).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:1432-1
Released: Fri Apr 17 12:12:08 2026
Summary: Security update for libcap
Type: security
Severity: important
References: 1261809,CVE-2026-4878
This update for libcap fixes the following issue:
- CVE-2026-4878: Address a potential TOCTOU race condition in cap_set_file() (bsc#1261809).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:1577-1
Released: Thu Apr 23 17:53:45 2026
Summary: Security update for openssl-1_1
Type: security
Severity: important
References: 1260441,1260442,1260443,1260444,1261678,CVE-2026-28387,CVE-2026-28388,CVE-2026-28389,CVE-2026-28390,CVE-2026-31789
This update for openssl-1_1 fixes the following issues:
- CVE-2026-28387: Potential use-after-free in DANE client code (bsc#1260441).
- CVE-2026-28388: NULL Pointer Dereference When Processing a Delta CRL (bsc#1260442).
- CVE-2026-28389: Possible NULL dereference when processing CMS KeyAgreeRecipientInfo (bsc#1260443).
- CVE-2026-28390: NULL pointer dereference during processing of a crafted CMS EnvelopedData message with
KeyTransportRecipientInfo (bsc#1261678).
- CVE-2026-31789: Heap buffer overflow in hexadecimal conversion (bsc#1260444).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:1605-1
Released: Fri Apr 24 13:48:53 2026
Summary: Security update for openssl-3
Type: security
Severity: moderate
References: 1261678,CVE-2026-28390
This update for openssl-3 fixes the following issue:
Security issues fixed:
- CVE-2026-28390: NULL pointer dereference during processing of a crafted CMS EnvelopedData message with
KeyTransportRecipientInfo (bsc#1261678).
Other updates and bugfixes:
- Enable MD2 in legacy provider (jsc#PED-15724).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:1715-1
Released: Wed May 6 14:09:30 2026
Summary: Security update for python3
Type: security
Severity: important
References: 1259611,1259734,1259735,1259989,1260026,1261969,1261970,1262098,1262319,1262654,CVE-2025-13462,CVE-2026-1502,CVE-2026-3446,CVE-2026-3479,CVE-2026-3644,CVE-2026-4224,CVE-2026-4519,CVE-2026-4786,CVE-2026-6019,CVE-2026-6100
This update for python3 fixes the following issues:
- CVE-2025-13462: incorrect parsing of TarInfo when GNU long name and type AREGTYPE are combined can lead to
misinterpretation of tar archives (bsc#1259611).
- CVE-2026-1502: HTTP client proxy tunnel headers not validated for CR/LF (bsc#1261969).
- CVE-2026-3446: base64 decoding stops at first padded quad by default and ignores other information that could be
processed (bsc#1261970).
- CVE-2026-3479: improper resource argument validation in `pkgutil.get_data()` can lead to path traversal (bsc#1259989).
- CVE-2026-3644: incomplete control character validation in http.cookies can lead to input validation bypass
(bsc#1259734).
- CVE-2026-4224: parsing XML with deeply nested DTD content models can lead to C stack overflow (bsc#1259735).
- CVE-2026-4519: failure to sanitize leading dashes in URLs in the `webbrowser.open()` API can lead to web browser
command line option injection (bsc#1260026).
- CVE-2026-4786: URLs prefixed with `%action` can pass the dash-prefix safety check and allow for command injection
(bsc#1262319).
- CVE-2026-6019: `BaseCookie.js_output()` does not neutralize characters in cookie values embedded in JS (bsc#1262654).
- CVE-2026-6100: use-after-free in `lzma.LZMADecompressor`, `bz2.BZ2Decompressor`, and `gzip.GzipFile` when process is
under memory pressure (bsc#1262098).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:1940-1
Released: Mon May 18 09:44:14 2026
Summary: Security update for curl
Type: security
Severity: important
References: 1259362,1262631,1262632,1262635,1262636,1262638,CVE-2026-1965,CVE-2026-4873,CVE-2026-5545,CVE-2026-6253,CVE-2026-6276,CVE-2026-6429
This update for curl fixes the following issues:
Security issues fixed:
- CVE-2026-4873: connection reuse ignores TLS requirement (bsc#1262631).
- CVE-2026-5545: wrong reuse of HTTP Negotiate connection (bsc#1262632).
- CVE-2026-6253: proxy credentials leak over redirect-to proxy (bsc#1262635).
- CVE-2026-6276: stale custom cookie host causes cookie leak (bsc#1262636).
- CVE-2026-6429: netrc credential leak with reused proxy connection (bsc#1262638).
Other updates and bugfixes:
- sws: prevent 'connection monitor' from saying disconnect twice (bsc#1259362).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:1944-1
Released: Mon May 18 09:47:19 2026
Summary: Security update for postgresql18
Type: security
Severity: important
References: 1263804,1265172,1265173,1265174,1265175,1265176,1265177,1265178,1265179,1265180,1265181,1265182,CVE-2026-6472,CVE-2026-6473,CVE-2026-6474,CVE-2026-6475,CVE-2026-6476,CVE-2026-6477,CVE-2026-6478,CVE-2026-6479,CVE-2026-6575,CVE-2026-6637,CVE-2026-6638
This update for postgresql18 fixes the following issues:
Update to version 18.4.
Security issues:
- CVE-2026-6472: ensure the user has CREATE privilege on the schema specified (bsc#1265172).
- CVE-2026-6473: integer overflows in memory-allocation calculations (bsc#1265173).
- CVE-2026-6474: Guard against malicious time zone names (bsc#1265174).
- CVE-2026-6475: Prevent path traversal in pg_basebackup and pg_rewind (bsc#1265175).
- CVE-2026-6476: Properly quote subscription names in pg_createsubscriber (bsc#1265176).
- CVE-2026-6477: Mark PQfn() as unsafe, and avoid using it within libpq (bsc#1265177).
- CVE-2026-6478: Use timing-safe string comparisons in authentication code (bsc#1265178).
- CVE-2026-6479: Prevent unbounded recursion while processing startup packets (bsc#1265179).
- CVE-2026-6575: Detect faulty input when restoring attribute MCV statistics (bsc#1265180).
- CVE-2026-6637: Prevent SQL injection and buffer overruns in contrib/spi (bsc#1265181).
- CVE-2026-6638: Properly quote object names in logical replication origin checks (bsc#1265182).
Non security issue:
- Get rid of update-alternatives for openSUSE/SLE 16.0 and newer to support immutable systems and transactional
updates (jsc#PED-14820).
- /usr/bin/pg_config is missing after migrating away from update-alternatives (bsc#1263804).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:2001-1
Released: Tue May 19 10:20:57 2026
Summary: Security update for postgresql16
Type: security
Severity: important
References: 1263804,1265172,1265173,1265174,1265175,1265177,1265178,1265179,1265181,1265182,CVE-2026-6472,CVE-2026-6473,CVE-2026-6474,CVE-2026-6475,CVE-2026-6477,CVE-2026-6478,CVE-2026-6479,CVE-2026-6637,CVE-2026-6638
This update for postgresql16 fixes the following issues:
Update to version 16.13.
Security issues:
- CVE-2026-6472: ensure the user has CREATE privilege on the schema specified (bsc#1265172).
- CVE-2026-6473: integer overflows in memory-allocation calculations (bsc#1265173).
- CVE-2026-6474: Guard against malicious time zone names (bsc#1265174).
- CVE-2026-6475: Prevent path traversal in pg_basebackup and pg_rewind (bsc#1265175).
- CVE-2026-6477: Mark PQfn() as unsafe, and avoid using it within libpq (bsc#1265177).
- CVE-2026-6478: Use timing-safe string comparisons in authentication code (bsc#1265178).
- CVE-2026-6479: Prevent unbounded recursion while processing startup packets (bsc#1265179).
- CVE-2026-6637: Prevent SQL injection and buffer overruns in contrib/spi (bsc#1265181).
- CVE-2026-6638: Properly quote object names in logical replication origin checks (bsc#1265182).
Non security issue:
- Get rid of update-alternatives for openSUSE/SLE 16.0 and newer to support immutable systems and transactional
updates (jsc#PED-14824).
- /usr/bin/pg_config is missing after migrating away from update-alternatives (bsc#1263804).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:2051-1
Released: Mon May 25 15:59:43 2026
Summary: Security update for xz
Type: security
Severity: important
References: 1261280,CVE-2026-34743
This update for xz fixes the following issue:
- CVE-2026-34743: buffer overflow in lzma_index_append() (bsc#1261280).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2026:2061-1
Released: Tue May 26 07:14:34 2026
Summary: Recommended update for openssl-1_1
Type: recommended
Severity: moderate
References: 1250782
This update for openssl-1_1 fixes the following issues:
- Fix 30-test_fips_sli.t fails intermittently on s390x (bsc#1250782):
* Fix AES_GCM IV test sometimes failing on s390x.
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:2117-1
Released: Fri May 29 17:29:37 2026
Summary: Security update for postgresql14
Type: security
Severity: important
References: 1263804,1265172,1265173,1265174,1265175,1265177,1265178,1265179,1265181,CVE-2026-6472,CVE-2026-6473,CVE-2026-6474,CVE-2026-6475,CVE-2026-6477,CVE-2026-6478,CVE-2026-6479,CVE-2026-6637
This update for postgresql14 fixes the following issues:
Update to version 14.23.
Security issues:
- CVE-2026-6472: ensure the user has CREATE privilege on the schema specified (bsc#1265172).
- CVE-2026-6473: integer overflows in memory-allocation calculations (bsc#1265173).
- CVE-2026-6474: Guard against malicious time zone names (bsc#1265174).
- CVE-2026-6475: Prevent path traversal in pg_basebackup and pg_rewind (bsc#1265175).
- CVE-2026-6477: Mark PQfn() as unsafe, and avoid using it within libpq (bsc#1265177).
- CVE-2026-6478: Use timing-safe string comparisons in authentication code (bsc#1265178).
- CVE-2026-6479: Prevent unbounded recursion while processing startup packets (bsc#1265179).
- CVE-2026-6637: Prevent SQL injection and buffer overruns in contrib/spi (bsc#1265181).
Non security issue:
- Get rid of update-alternatives for openSUSE/SLE 16.0 and newer to support immutable systems and transactional
updates (jsc#PED-14823).
- /usr/bin/pg_config is missing after migrating away from update-alternatives (bsc#1263804).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:2231-1
Released: Wed Jun 3 12:57:18 2026
Summary: Security update for glibc
Type: security
Severity: important
References: 1261206,1262464,1262465,CVE-2026-4046,CVE-2026-5450,CVE-2026-5928
This update for glibc fixes the following issues:
- CVE-2026-4046: assertion failure when converting inputs may be used to remotely crash an application (bsc#1261206).
- CVE-2026-5450: stdio-common: scanf %mc pattern will cause heap overflow when width > 1024 (bsc#1262465).
- CVE-2026-5928: libio: ungetwc could be used to leak data on special conditions (bsc#1262464).
-----------------------------------------------------------------
The following package changes have been done:
- crypto-policies-20230920.570ea89-150600.3.16.1 updated
- glibc-2.38-150600.14.46.1 updated
- libuuid1-2.39.3-150600.4.21.1 updated
- libnghttp2-14-1.40.0-150600.25.5.1 updated
- liblzma5-5.4.1-150600.3.6.1 updated
- libcap2-2.63-150400.3.6.1 updated
- libopenssl3-3.1.4-150600.5.50.1 updated
- libopenssl-3-fips-provider-3.1.4-150600.5.50.1 updated
- libcurl4-8.14.1-150600.4.43.1 updated
- glibc-locale-base-2.38-150600.14.49.1 updated
- libexpat1-2.7.1-150400.3.37.1 updated
- libopenssl1_1-1.1.1w-150600.5.29.1 updated
- libpq5-18.4-150600.13.11.1 updated
- glibc-locale-2.38-150600.14.49.1 updated
- libpython3_6m1_0-3.6.15-150300.10.118.1 updated
- python3-base-3.6.15-150300.10.118.1 updated
- postgresql14-14.23-150600.16.31.1 updated
- postgresql16-16.14-150600.16.33.1 updated
- postgresql14-server-14.23-150600.16.31.1 updated
- postgresql16-server-16.14-150600.16.33.1 updated
- postgresql16-contrib-16.14-150600.16.33.1 updated
- postgresql14-contrib-14.23-150600.16.31.1 updated
- container:sles15-ltss-image-15.6.0-5.58 updated