SUSE-CU-2026:5679-1: Security update of suse/manager/5.0/x86_64/server
sle-container-updates at lists.suse.com
sle-container-updates at lists.suse.com
Sun Jun 7 07:36:08 UTC 2026
SUSE Container Update Advisory: suse/manager/5.0/x86_64/server
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2026:5679-1
Container Tags : suse/manager/5.0/x86_64/server:5.0.8 , suse/manager/5.0/x86_64/server:5.0.8.7.44.2 , suse/manager/5.0/x86_64/server:latest
Container Release : 7.44.2
Severity : critical
Type : security
References : 1144060 1176006 1181400 1182850 1185897 1187536 1189139 1199026
1203823 1205502 1206627 1214806 1218718 1222465 1225498 1225811
1234100 1234101 1234102 1234103 1234104 1234736 1235475 1240895
1245107 1246052 1246196 1246399 1248699 1248707 1249385 1249675
1250417 1250782 1252927 1252964 1254182 1254324 1254427 1254441
1254619 1254670 1254867 1255857 1256392 1256953 1257181 1257235
1257359 1257621 1257941 1258041 1258106 1258109 1258311 1258371
1258378 1258382 1258595 1258796 1258873 1258893 1258927 1259118
1259127 1259148 1259208 1259243 1259253 1259261 1259310 1259362
1259377 1259436 1259436 1259441 1259502 1259543 1259545 1259611
1259616 1259619 1259711 1259726 1259729 1259734 1259735 1259803
1259825 1259829 1259845 1259901 1259902 1259924 1259985 1259989
1259996 1259999 1260026 1260078 1260082 1260263 1260267 1260322
1260409 1260413 1260414 1260441 1260441 1260442 1260442 1260443
1260443 1260444 1260444 1260445 1260589 1260754 1260755 1260805
1260878 1260881 1260903 1261025 1261026 1261027 1261029 1261031
1261043 1261158 1261159 1261160 1261161 1261163 1261191 1261206
1261271 1261280 1261307 1261420 1261427 1261430 1261670 1261678
1261678 1261809 1261810 1261833 1261850 1261851 1261852 1261853
1261854 1261855 1261856 1261857 1261957 1261969 1261970 1262050
1262091 1262092 1262093 1262098 1262144 1262222 1262223 1262319
1262395 1262464 1262465 1262490 1262494 1262495 1262496 1262497
1262500 1262501 1262631 1262632 1262635 1262636 1262638 1262654
1262741 1262803 1262950 1263501 1263704 1263705 1263707 1263708
1263709 1263710 1263711 1263712 1263713 1263714 1263715 1263716
1263804 1263804 1263816 1263935 1263950 1263951 1263952 1263953
1263954 1263955 1263956 1263957 1263986 1263987 1264150 1264163
1264174 1264185 1264256 1264511 1264512 1264513 1264514 1264515
1264706 1264707 1264708 1265172 1265172 1265173 1265173 1265174
1265174 1265175 1265175 1265176 1265177 1265177 1265178 1265178
1265179 1265179 1265180 1265181 1265181 1265182 1265182 1265267
1265296 1265349 1265360 916845 CVE-2006-10002 CVE-2006-10003
CVE-2013-4235 CVE-2022-21698 CVE-2023-4641 CVE-2024-12084 CVE-2024-12085
CVE-2024-12086 CVE-2024-12087 CVE-2024-12088 CVE-2024-12747 CVE-2024-58251
CVE-2025-10158 CVE-2025-13462 CVE-2025-29923 CVE-2025-45582 CVE-2025-66471
CVE-2025-66614 CVE-2025-69720 CVE-2025-70873 CVE-2025-7709 CVE-2025-9615
CVE-2026-1299 CVE-2026-1502 CVE-2026-1519 CVE-2026-1965 CVE-2026-21724
CVE-2026-21725 CVE-2026-22007 CVE-2026-22013 CVE-2026-22016 CVE-2026-22018
CVE-2026-22021 CVE-2026-2340 CVE-2026-23865 CVE-2026-23868 CVE-2026-23918
CVE-2026-24072 CVE-2026-24401 CVE-2026-24880 CVE-2026-25645 CVE-2026-25854
CVE-2026-26958 CVE-2026-27135 CVE-2026-27606 CVE-2026-27876 CVE-2026-27877
CVE-2026-27879 CVE-2026-28375 CVE-2026-28387 CVE-2026-28387 CVE-2026-28388
CVE-2026-28388 CVE-2026-28389 CVE-2026-28389 CVE-2026-28390 CVE-2026-28390
CVE-2026-28780 CVE-2026-29129 CVE-2026-29145 CVE-2026-29146 CVE-2026-29168
CVE-2026-29169 CVE-2026-29518 CVE-2026-3012 CVE-2026-30922 CVE-2026-31789
CVE-2026-31789 CVE-2026-31790 CVE-2026-3238 CVE-2026-32597 CVE-2026-32776
CVE-2026-32777 CVE-2026-32778 CVE-2026-32990 CVE-2026-33006 CVE-2026-33007
CVE-2026-33186 CVE-2026-33375 CVE-2026-33412 CVE-2026-33416 CVE-2026-33523
CVE-2026-33554 CVE-2026-33636 CVE-2026-33845 CVE-2026-33846 CVE-2026-33857
CVE-2026-33870 CVE-2026-33871 CVE-2026-34032 CVE-2026-34059 CVE-2026-34268
CVE-2026-34282 CVE-2026-3446 CVE-2026-34477 CVE-2026-34479 CVE-2026-34480
CVE-2026-34481 CVE-2026-34483 CVE-2026-34486 CVE-2026-34487 CVE-2026-34500
CVE-2026-34714 CVE-2026-34743 CVE-2026-34757 CVE-2026-3479 CVE-2026-34982
CVE-2026-34986 CVE-2026-35385 CVE-2026-35414 CVE-2026-35535 CVE-2026-3644
CVE-2026-3731 CVE-2026-3833 CVE-2026-39881 CVE-2026-40179 CVE-2026-4046
CVE-2026-40475 CVE-2026-41035 CVE-2026-41602 CVE-2026-42009 CVE-2026-42010
CVE-2026-42011 CVE-2026-42012 CVE-2026-42013 CVE-2026-42014 CVE-2026-42015
CVE-2026-42151 CVE-2026-42154 CVE-2026-42198 CVE-2026-4224 CVE-2026-42307
CVE-2026-43617 CVE-2026-43618 CVE-2026-43619 CVE-2026-43620 CVE-2026-43961
CVE-2026-4408 CVE-2026-4437 CVE-2026-4438 CVE-2026-44431 CVE-2026-44656
CVE-2026-4480 CVE-2026-45130 CVE-2026-4519 CVE-2026-45232 CVE-2026-46483
CVE-2026-4786 CVE-2026-4873 CVE-2026-4878 CVE-2026-4948 CVE-2026-5260
CVE-2026-5419 CVE-2026-5450 CVE-2026-5545 CVE-2026-5928 CVE-2026-5958
CVE-2026-6019 CVE-2026-6100 CVE-2026-6253 CVE-2026-6276 CVE-2026-6429
CVE-2026-6472 CVE-2026-6472 CVE-2026-6473 CVE-2026-6473 CVE-2026-6474
CVE-2026-6474 CVE-2026-6475 CVE-2026-6475 CVE-2026-6476 CVE-2026-6477
CVE-2026-6477 CVE-2026-6478 CVE-2026-6478 CVE-2026-6479 CVE-2026-6479
CVE-2026-6575 CVE-2026-6637 CVE-2026-6637 CVE-2026-6638 CVE-2026-6638
-----------------------------------------------------------------
The container suse/manager/5.0/x86_64/server was updated. The following patches have been included in this update:
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:1065-1
Released: Thu Mar 26 11:38:12 2026
Summary: Security update for sqlite3
Type: security
Severity: moderate
References: 1254670,1259619,CVE-2025-70873,CVE-2025-7709
This update for sqlite3 fixes the following issues:
Update sqlite3 to 3.51.3:
- CVE-2025-7709: Integer Overflow in FTS5 Extension (bsc#1254670).
- CVE-2025-70873: SQLite zipfile extension may disclose uninitialized heap memory during inflation (bsc#1259619).
Changelog:
* Fix the WAL-reset database corruption bug:
https://sqlite.org/wal.html#walresetbug
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:1067-1
Released: Thu Mar 26 11:39:01 2026
Summary: Security update for python-urllib3
Type: security
Severity: moderate
References: 1254867,1259829,CVE-2025-66471
This update for python-urllib3 fixes the following issue:
- CVE-2025-66471: excessive resource consumption via decompression of highly compressed data in Streaming API
(bsc#1254867).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:1090-1
Released: Thu Mar 26 18:44:54 2026
Summary: Security update for python3
Type: security
Severity: important
References: 1257181,CVE-2026-1299
This update for python3 fixes the following issues:
- CVE-2026-1299: header injection when an email is serialized due to improper newline quoting in BytesGenerator (bsc#1257181).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2026:1113-1
Released: Fri Mar 27 10:34:35 2026
Summary: Recommended update for crypto-policies
Type: recommended
Severity: moderate
References: 1258311,1259825
This update for crypto-policies fixes the following issues:
Enables PQC key exchange support for OpenSSH (bsc#1258311, bsc#1259825)
* The sntrup761x25519-sha512 hybrid keyexchange for OpenSSH is enabled.
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:1153-1
Released: Tue Mar 31 10:40:03 2026
Summary: Security update for perl-XML-Parser
Type: security
Severity: important
References: 1259901,1259902,CVE-2006-10002,CVE-2006-10003
This update for perl-XML-Parser fixes the following issues:
- CVE-2006-10002: heap buffer overflow in `parse_stream` when processing UTF-8 input streams (bsc#1259901).
- CVE-2006-10003: off-by-one heap buffer overflow in `st_serial_stack` (bsc#1259902).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:1158-1
Released: Tue Mar 31 13:55:47 2026
Summary: Security update for python-pyasn1
Type: security
Severity: important
References: 1259803,CVE-2026-30922
This update for python-pyasn1 fixes the following issues:
- CVE-2026-30922: Denial of Service via Unbounded Recursion (bsc#1259803).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:1166-1
Released: Thu Apr 2 03:08:04 2026
Summary: Security update for expat
Type: security
Severity: important
References: 1259711,1259726,1259729,CVE-2026-32776,CVE-2026-32777,CVE-2026-32778
This update for expat fixes the following issues:
- CVE-2026-32776: NULL pointer dereference when processing empty external parameter entities inside an entity
declaration value (bsc#1259726).
- CVE-2026-32777: denial of service due to infinite loop in DTD content parsing (bsc#1259711).
- CVE-2026-32778: NULL pointer dereference in `setContext` on retry after an out-of-memory condition (bsc#1259729).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2026:1168-1
Released: Thu Apr 2 08:23:44 2026
Summary: Recommended update for apache2
Type: recommended
Severity: important
References: 1254182
This update for apache2 fixes the following issues:
- Update to 2.4.66:
* ECO: (jsc#PED-15953):
* Fix: apache2-worker segfaults (bsc#1254182)
- Removed patches, as they've been merged/fixed upstream.
- Removed these FIPS-related patches too, as they too have been merged upstream
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:1177-1
Released: Thu Apr 2 17:00:30 2026
Summary: Security update for tar
Type: security
Severity: important
References: 1246399,CVE-2025-45582
This update for tar fixes the following issue:
- CVE-2025-45582: file overwrite via directory traversal in crafted TAR archives (bsc#1246399).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:1215-1
Released: Wed Apr 8 14:27:57 2026
Summary: Security update for openssl-3
Type: security
Severity: important
References: 1260441,1260442,1260443,1260444,1260445,CVE-2026-28387,CVE-2026-28388,CVE-2026-28389,CVE-2026-31789,CVE-2026-31790
This update for openssl-3 fixes the following issues:
- CVE-2026-28387: Potential use-after-free in DANE client code (bsc#1260441).
- CVE-2026-28388: NULL Pointer Dereference When Processing a Delta CRL (bsc#1260442).
- CVE-2026-28389: Possible NULL dereference when processing CMS KeyAgreeRecipientInfo (bsc#1260443).
- CVE-2026-31789: Heap buffer overflow in hexadecimal conversion (bsc#1260444).
- CVE-2026-31790: Incorrect failure handling in RSA KEM RSASVE encapsulation (bsc#1260445).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2026:1228-1
Released: Thu Apr 9 10:27:25 2026
Summary: Recommended update for shadow
Type: recommended
Severity: important
References: 1144060,1176006,1181400,1182850,1185897,1187536,1189139,1199026,1203823,1205502,1206627,1214806,1246052,916845,CVE-2013-4235,CVE-2023-4641
This update for shadow fixes the following issues:
shadow is updated to 4.17.2 to bring lots of features and bug fixes.
- util-linux-2.41 introduced new variable: LOGIN_ENV_SAFELIST. Recognize
it and update dependencies.
- Set SYS_{UID,GID}_MIN to 201:
After repeated similar requests to change the ID ranges we set the
above mentioned value to 201. The max value will stay at 499.
This range should be sufficient and will give us leeway for the
future.
It's not straightforward to find out which static UIDs/GIDs are
used in all packages.
Update to 4.17.2:
* src/login_nopam.c: Fix compiler warnings #1170
* lib/chkname.c: Put limits for LOGIN_NAME_MAX and sysconf(_SC_LOGIN_NAME_MAX) #1169
* Use HTTPS in link to Wikipedia article on password strength #1164
* lib/attr.h: use C23 attributes only with gcc >= 10 #1172
* login: Fix no-pam authorization regression #1174
* man: Add Portuguese translation #1178
* Update French translation #1177
* Add cheap defense mechanisms #1171
* Add Romanian translation #1176
Update to 4.17.1:
* Fix `su -` regression #1163
Update to 4.17.0:
* Fix the lower part of the domain of csrand_uniform()
* Fix use of volatile pointer
* Use str2[u]l() instead of atoi(3)
* Use a2i() in various places
* Fix const correctness
* Use uid_t for holding UIDs (and GIDs)
* Move all sprintf(3)-like APIs to a subdirectory
* Move all copying APIs to a subdirectory
* Fix forever loop on ENOMEM
* Fix REALLOC() nmemb calculation
* Remove id(1)
* Remove groups(1)
* Use local time for human-readable dates
* Use %F instead of %Y-%m-%d with strftime(3)
* is_valid{user,group}_name(): Set errno to distinguish the reasons
* Recommend --badname only if it is useful
* Add fmkomstemp() to fix mode of /etc/default/useradd
* Fix use-after-free bug in sgetgrent()
* Update Catalan translation
* Remove references to cppw, cpgr
* groupadd, groupmod: Update gshadow file with -U
* Added option -a for listing active users only, optimized using if aflg,return
* Added information in lastlog man page for new option '-a'
* Plenty of code cleanup and clarifications
- Disable flushing sssd caches. The sssd's files provider is no
longer available.
Update to 4.16.0:
* The shadow implementations of id(1) and groups(1) are deprecated
in favor of the GNU coreutils and binutils versions.
They will be removed in 4.17.0.
* The rlogind implementation has been removed.
* The libsubid major version has been bumped, since it now requires
specification of the module's free() implementation.
Update to 4.15.1:
* Fix a bug that caused spurious error messages about unknown
login.defs configuration options #967
* Adding checks for fd omission #964
* Use temporary stat buffer #974
* Fix wrong french translation #975
Update to 4.15.0
* libshadow:
+ Use utmpx instead of utmp. This fixes a regression introduced
in 4.14.0.
+ Fix build error (parameter name omitted).
* Build system:
+ Link correctly with libdl.
+ Install pam configs for chpasswd(8) and newusers(8) when using
./configure --with-libpam --disable-account-tools-setuid.
+ Merge libshadow and libmisc into a single libshadow. This fixes
problems in the linker, which were reported at least in Gentoo.
+ Fix build with musl libc.
+ Support out of tree builds
* useradd(8):
+ Set proper SELinux labels for def_usrtemplate
Update to 4.14.6:
* login(1):
+ Fix off-by-one bugs.
* passwd(1):
+ Don't silently truncate passwords of length >= 200 characters.
Instead, accept a length of PASS_MAX, and reject longer ones.
* libshadow:
+ Fix calculation in strtoday(), which caused a wrong half-day
offset in some cases (bsc#1176006)
+ Fix parsing of dates in get_date() (bsc#1176006)
+ Use utmpx instead of utmp. This fixes a regression introduced in
4.14.0.
Update to 4.14.5:
* Build system:
+ Fix regression introduced in 4.14.4, due to a typo. chgpasswd had
been deleted from a Makefile variable, but it should have been
chpasswd.
Update to 4.14.4:
* Build system:
+ Link correctly with libdl.
+ Install pam configs for chpasswd(8) and newusers(8) when using
./configure --with-libpam --disable-account-tools-setuid.
* libshadow:
+ Fix build error (parameter name omitted).
+ Fix off-by-one bug.
+ Remove warning.
Update to 4.14.3:
* libshadow: Avoid null pointer dereference (#904)
* Remove pam_keyinit from PAM configuration. (bsc#1199026 bsc#1203823)
This was introduced for bsc#1144060.
Update to 4.14.2:
* libshadow:
+ Fix build with musl libc.
+ Avoid NULL dereference.
+ Update utmp at an initial login
* useradd(8):
+ Set proper SELinux labels for def_usrtemplate
* Manual:
+ Document --prefix in chage(1), chpasswd(8), and passwd(1)
Update to 4.14.1:
Build system: Merge libshadow and libmisc into a single libshadow.
This fixes problems in the linker, which were reported at least
in Gentoo. #791
- Set proper SELinux labels for new homedirs.
Update to 4.14.0:
* configure: add with-libbsd option
* Code cleanup
* Replace utmp interface #757
* new option enable-logind #674
* shadow userdel: add the adaptation to the busybox ps in 01-kill_user_procs.sh
* chsh: warn if root sets a shell not listed in /etc/shells #535
* newgrp: fix potential string injection
* lastlog: fix alignment of Latest header
* Fix yescrypt support #748
* chgpasswd: Fix segfault in command-line options
* gpasswd: Fix password leak (bsc#1214806, CVE-2023-4641)
* Add --prefix to passwd, chpasswd and chage #714 (bsc#1206627)
* usermod: fix off-by-one issues #701
* ch(g)passwd: Check selinux permissions upon startup #675
* sub_[ug]id_{add,remove}: fix return values
* chsh: Verify that login shell path is absolute #730
* process_prefix_flag: Drop privileges
* run_parts for groupadd and groupdel #706
* newgrp/useradd: always set SIGCHLD to default
* useradd/usermod: add --selinux-range argument #698
* sssd: skip flushing if executable does not exist #699
* semanage: Do not set default SELinux range #676
* Add control character check #687
* usermod: respect --prefix for --gid option
* Fix null dereference in basename
* newuidmap and newgidmap: support passing pid as fd
* Prevent out of boundary access #633
* Explicitly override only newlines #633
* Correctly handle illegal system file in tz #633
* Supporting vendor given -shells- configuration file #599
* Warn if failed to read existing /etc/nsswitch.conf
* chfn: new_fields: fix wrong fields printed
* Allow supplementary groups to be added via config file #586
* useradd: check if subid range exists for user #592 (rh#2012929)
- Rename lastlog to lastlog.legacy to be able to switch to
Y2038 safe lastlog2 as default [jsc#PED-3144]
- bsc#1205502: Fix useradd audit event logging of ID field
Update to 4.13:
* useradd.8: fix default group ID
* Revert drop of subid_init()
* Georgian translation
* useradd: Avoid taking unneeded space: do not reset non-existent data in lastlog
* relax username restrictions
* selinux: check MLS enabled before setting serange
* copy_tree: use fchmodat instead of chmod
* copy_tree: don't block on FIFOs
* add shell linter
* copy_tree: carefully treat permissions
* lib/commonio: make lock failures more detailed
* lib: use strzero and memzero where applicable
* Update Dutch translation
* Don't test for NULL before calling free
* Use libc MAX() and MIN()
* chage: Fix regression in print_date
* usermod: report error if homedir does not exist
* libmisc: minimum id check for system accounts
* fix usermod -rG x y wrongly adding a group
* man: add missing space in useradd.8.xml
* lastlog: check for localtime() return value
* Raise limit for passwd and shadow entry length
* Remove adduser-old.c
* useradd: Fix buffer overflow when using a prefix
* Don't warn when failed to open /etc/nsswitch.conf
Update to 4.12.3:
Revert removal of subid_init, which should have bumped soname.
So note that 4.12 through 4.12.2 were broken for subid users.
Update to 4.12.2:
* Address CVE-2013-4235 (TOCTTOU when copying directories) [bsc#916845]
Update to 4.12.1:
* Fix uk manpages
Update to 4.12:
* Add absolute path hint to --root
* Various cleanups
* Fix Ubuntu release used in CI tests
* add -F options to userad
* useradd manpage updates
* Check for ownerid (not just username) in subid ranges
* Declare file local functions static
* Use strict prototypes
* Do not drop const qualifier for Basename
* Constify various pointers
* Don't return uninitialized memory
* Don't let compiler optimize away memory cleaning
* Remove many obsolete compatibility checks and defines
* Modify ID range check in useradd
* Use 'extern 'C'' to make libsubid easier to use from C++
* French translation updates
* Fix s/with-pam/with-libpam/
* Spanish translation updates
* French translation fixes
* Default max group name length to 32
* Fix PAM service files without-selinux
* Improve manpages
- groupadd, useradd, usermod
- groups and id
- pwck
* Fix condition under which pw_dir check happens
* logoutd: switch to strncat
* AUTHORS: improve markdown output
* Handle ERANGE errors correctly
* Check for fopen NULL return
* Split get_salt() into its own fn juyin)
* Get salt before chroot to ensure /dev/urandom.
* Chpasswd code cleanup
* Work around git safe.directory enforcement
* Alphabetize order in usermod help
* Erase password copy on error branches
* Suggest using --badname if needed
* Update translation files
* Correct badnames option to badname
* configure: replace obsolete autoconf macros
* tests: replace egrep with grep -E
* Update Ukrainian translations
* Cleanups
- Remove redeclared variable
- Remove commented out code and FIXMEs
- Add header guards
- Initialize local variables
* CI updates
- Create github workflow to install dependencies
- Enable CodeQL
- Update actions version
* libmisc: use /dev/urandom as fallback if other methods fail
Provide /etc/login.defs.d on SLE15 since we support and use it
Update to 4.11.1:
* build: include lib/shadowlog_internal.h in dist tarballs
Update to 4.11:
* Handle possible TOCTTOU issues in usermod/userdel
- (CVE-2013-4235)
- Use O_NOFOLLOW when copying file
- Kill all user tasks in userdel
* Fix useradd -D segfault
* Clean up obsolete libc feature-check ifdefs
* Fix -fno-common build breaks due to duplicate Prog declarations
* Have single date_to_str definition
* Fix libsubid SONAME version
* Clarify licensing info, use SPDX.
Update to 4.10:
* From this release forward, su from this package should be
considered deprecated. Please replace any users of it with su
rom util-linux
* libsubid fixes
* Rename the test program list_subid_ranges to getsubids, write
a manpage, so distros can ship it.
* Add libeconf dep for new*idmap
* Allow all group types with usermod -G
* Avoid useradd generating empty subid range
* Handle NULL pw_passwd
* Fix default value SHA_get_salt_rounds
* Use https where possible in README
* Update content and format of README
* Translation updates
* Switch from xml2po to itstool in 'make dist'
* Fix double frees
* Add LOG_INIT configurable to useradd
* Add CREATE_MAIL_SPOOL documentation
* Create a security.md
* Fix su never being SIGKILLd when trapping TERM
* Fix wrong SELinux labels in several possible cases
* Fix missing chmod in chadowtb_move
* Handle malformed hushlogins entries
* Fix groupdel segv when passwd does not exist
* Fix covscan-found newgrp segfault
* Remove trailing slash on hoedir
* Fix passwd -l message - it does not change expirey
* Fix SIGCHLD handling bugs in su and vipw
* Remove special case for '' in usermod
* Implement usermod -rG to remove a specific group
* call pam_end() after fork in child path for su and login
* useradd: In absence of /etc/passwd, assume 0 == root
* lib: check NULL before freeing data
* Fix pwck segfault
- Really enable USERGROUPS_ENAB [bsc#1189139].
Added hardening to systemd service(s) (bsc#1181400).
* Add LOGIN_KEEP_USERNAME to login.defs.
* Remove PREVENT_NO_AUTH from login.defs. Only used by the
unpackaged login and su.
* Remove variables BCRYPT_MIN_ROUNDS, BCRYPT_MAX_ROUNDS,
YESCRYPT_COST_FACTOR, not supported by the current
configuratiton.
* login.defs: Enable USERGROUPS_ENAB and CREATE_HOME to
be compatible with other Linux distros and the other tools
creating user accounts in use on openSUSE. Set HOME_MODE to 700
for security reasons and compatibility. [bsc#1189139] [bsc#1182850]
Update to 4.9:
* Updated translations
* Major salt updates
* Various coverity and cleanup fixes
* Consistently use 0 to disable PASS_MIN_DAYS in man
* Implement NSS support for subids and a libsubid
* setfcap: retain setfcap when mapping uid 0
* login.defs: include HMAC_CRYPTO_ALGO key
* selinux fixes
* Fix path prefix path handling
* Manpage updates
* Treat an empty passwd field as invalid(Haelwenn Monnier)
* newxidmap: allow running under alternative gid
* usermod: check that shell is executable
* Add yescript support
* useradd memleak fixes
* useradd: use built-in settings by default
* getdefs: add foreign
* buffer overflow fixes
* Adding run-parts style for pre and post useradd/del
- login.defs/MOTD_FILE: Use '' instead of blank entry [bsc#1187536]
- Add /etc/login.defs.d directory
- Enable shadowgrp so that we can set more secure group passwords
using shadow.
- Disable MOTD_FILE to allow the use of pam_motd to unify motd
message output [bsc#1185897]. Else motd entries of e.g. cockpit
will not be shown.
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:1310-1
Released: Tue Apr 14 12:42:12 2026
Summary: Security update for libssh
Type: security
Severity: moderate
References: 1259377,CVE-2026-3731
This update for libssh fixes the following issues:
- CVE-2026-3731: Denial of Service via out-of-bounds read in SFTP extension name handler (bsc#1259377).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:1312-1
Released: Tue Apr 14 12:46:30 2026
Summary: Security update for bind
Type: security
Severity: important
References: 1260805,CVE-2026-1519
This update for bind fixes the following issues:
- CVE-2026-1519: high CPU load during insecure delegation validation due to excessive NSEC3 iterations (bsc#1260805).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:1338-1
Released: Wed Apr 15 09:33:50 2026
Summary: Security update for giflib
Type: security
Severity: moderate
References: 1259502,CVE-2026-23868
This update for giflib fixes the following issue:
- CVE-2026-23868: double-free result of a shallow copy can lead to memory corruption (bsc#1259502).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:1350-1
Released: Wed Apr 15 15:36:20 2026
Summary: Security update for nghttp2
Type: security
Severity: important
References: 1259845,CVE-2026-27135
This update for nghttp2 fixes the following issue:
- CVE-2026-27135: assertion failure due to missing state validation can lead to DoS (bsc#1259845).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:1353-1
Released: Wed Apr 15 15:37:16 2026
Summary: Security update for netty, netty-tcnative
Type: security
Severity: important
References: 1261031,1261043,CVE-2026-33870,CVE-2026-33871
This update for netty, netty-tcnative fixes the following issues:
Upidate to 4.1.132:
- CVE-2026-33870: incorrectly parses quoted strings in HTTP/1.1 can lead to request smuggling (bsc#1261031).
- CVE-2026-33871: sending a flood of CONTINUATION frames can lead to a denial of service (bsc#1261043).
Changelog:
- Upgrade to upstream version 4.1.132
* Fixes:
+ Fix Incorrect nanos-to-millis conversion in epoll_wait EINTR
retry loop
+ Make RefCntOpenSslContext.deallocate more robust
+ HTTP2: Correctly account for padding when decompress
+ Fix high-order bit aliasing in HttpUtil.validateToken
+ fix: the precedence of + is higher than >>
+ AdaptiveByteBufAllocator: make sure byteBuf.capacity() not
greater than byteBuf.maxCapacity()
+ AdaptivePoolingAllocator: call unreserveMatchingBuddy(...)
if byteBuf initialization failed
+ Don't assume CertificateFactory is thread-safe
+ Fix HttpObjectAggregator leaving connection stuck after 413
with AUTO_READ=false
+ HTTP2: Ensure preface is flushed in all cases
+ Fix UnsupportedOperationException in readTrailingHeaders
+ Fix client_max_window_bits parameter handling in
permessage-deflate extension
+ Native transports: Fix possible fd leak when fcntl fails.
+ Kqueue: Fix undefined behaviour when GetStringUTFChars fails
and SO_ACCEPTFILTER is supported
+ Kqueue: Possible overflow when using
netty_kqueue_bsdsocket_setAcceptFilter(...)
+ Native transports: Fix undefined behaviour when
GetStringUTFChars fails while open FD
+ Epoll: Add null checks for safety reasons
+ Epoll: Use correct value to initialize mmsghdr.msg_namelen
+ Epoll: Fix support for IP_RECVORIGDSTADDR
+ AdaptivePoolingAllocator: remove ensureAccessible() call in
capacity(int) method
+ Epoll: setTcpMg5Sig(...) might overflow
+ JdkZlibDecoder: accumulate decompressed output before firing
channelRead
+ Limit the number of Continuation frames per HTTP2 Headers
(bsc#1261043, CVE-2026-33871)
+ Stricter HTTP/1.1 chunk extension parsing (bsc#1261031,
CVE-2026-33870)
+ rediff
- Upgrade to upstream version 4.1.131
+ NioDatagramChannel.block(...) does not early return on failure
+ Support for AWS Libcrypto (AWS-LC) netty-tcnative build
+ codec-dns: Decompress MX RDATA exchange domain names during
DNS record decoding
+ Buddy allocation for large buffers in adaptive allocator
+ SslHandler: Only resume on EventLoop if EventLoop is not
shutting down already
+ Wrap ECONNREFUSED in PortUnreachableException for UDP
+ Bump com.ning:compress-lzf (4.1)
+ Fix adaptive allocator bug from not noticing failed allocation
+ Avoid loosing original read exception
+ Backport multiple adaptive allocator changes
- Upgrade to version 4.1.130
- Upgrade to version 2.0.75 Final
* No formal changelog present
* Needed by netty >= 4.2.11
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:1359-1
Released: Wed Apr 15 16:06:45 2026
Summary: Security update for sudo
Type: security
Severity: important
References: 1261420,CVE-2026-35535
This update for sudo fixes the following issue:
- CVE-2026-35535: Fixed potential privilege escalation when running the mailer (bsc#1261420).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:1368-1
Released: Wed Apr 15 16:35:24 2026
Summary: Security update for libpng16
Type: security
Severity: important
References: 1260754,1260755,CVE-2026-33416,CVE-2026-33636
This update for libpng16 fixes the following issues:
- CVE-2026-33416: use-after-free via pointer aliasing in `png_set_tRNS` and `png_set_PLTE` can lead to arbitrary code
execution (bsc#1260754).
- CVE-2026-33636: out-of-bounds read/write in the palette expansion on ARM Neon can lead to information leak and
crashes (bsc#1260755).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:1369-1
Released: Wed Apr 15 16:42:55 2026
Summary: Security update for glibc
Type: security
Severity: important
References: 1260078,1260082,CVE-2026-4437,CVE-2026-4438
This update for glibc fixes the following issues:
- CVE-2026-4437: incorrect DNS response parsing via crafted DNS server response (bsc#1260078).
- CVE-2026-4438: invalid DNS hostname returned via gethostbyaddr functions (bsc#1260082).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2026:1377-1
Released: Thu Apr 16 09:19:21 2026
Summary: Recommended update for libtcnative-1-0
Type: recommended
Severity: important
References: 1260322
This update for libtcnative-1-0 fixes the following issues:
Update to 1.3.7: [bsc#1260322]
1.3.7:
* Code: Refactor access to ASN1_OCTET_STRING to use setters to fix
errors when building against the latest OpenSSL 4.0.x code. (markt)
* Fix: Fix the handling of OCSP requests with multiple responder URIs.
(jfclere)
* Fix: Fix the handling of TRY_AGAIN responses to OCSP requests when
soft fail is disabled. (jfclere)
1.3.6:
* Code: Refactor the SSL_CONF_CTX clean-up to align it with SSL and
SSL_CTX clean-up. (markt)
* Fix: Fix unnecessarily large buffer allocation when filtering out NULL
and export ciphers. Pull requests #35 and #37 provided by chenjp.
(markt)
* Fix: Fix a potential memory leak if an invalid OpenSSLConf is
provided. Pull request #36 provided by chenjp. (markt)
* Fix: Refactor setting of OCSP configuration defaults as they were only
applied if the SSL_CONF_CTX was used. While one was always used with
Tomcat versions aware of the OCSP configuration options, one was not
always used with Tomcat versions unaware of the OCSP configuration
options leading to OCSP verification being enabled by default when the
expected behaviour was disabled by default. (markt)
* Code: Improve performance for the rare case of handling large OCSP
responses. (markt)
1.3.5:
* Fix: Remove group write permissions from the files in the tar.gz
source archive. (markt)
* Fix: Clear an additional error in OCSP processing that was preventing
OCSP soft fail working with Tomcat's APR/native connector. (markt)
1.3.4:
* Fix: Correct logic error that prevented the configuration of TLS 1.3
cipher suites. (markt)
1.3.3;
* Fix: Refactor the addition of TLS 1.3 cipher suite configuration to
avoid a regression when running a version of Tomcat that pre-dates
this change. (markt)
1.3.2:
* Update: Rename configure.in to modern autotools style configure.ac.
(rjung)
* Update: Fix incomplete updates for autotools generated files during
'buildconf' execution. (rjung)
* Update: Improve quoting in tcnative.m4. (rjung)
* Update: Update the minimum version of autoconf for releasing to 2.68.
(rjung)
* Fix: Fix the autoconf warnings when creating a release. (markt)
* Update: The Windows binaries are now built with OCSP support enabled
by default. (markt)
* Add: Include a nonce with OCSP requests and check the nonce, if any,
in the OCSP response. (markt)
* Add: Expand verification of OCSP responses. (markt)
* Add: Add the ability to configure the OCSP checks to soft-fail - i.e.
if the responder cannot be contacted or fails to respond in a timely
manner the OCSP check will not fail. (markt)
* Add: Add a configurable timeout to the writing of OCSP requests and
reading of OCSP responses. (markt)
* Add: Add the ability to control the OCSP verification flags. (markt)
* Add: Configure TLS 1.3 connections from the provided ciphers list as
well as connections using TLS 1.2 and earlier. Pull request provided
by gastush. (markt)
* Update: Update the Windows build environment to use Visual Studio
2022. (markt)
1.3.1:
* Fix: Fix a crash on Windows when SSLContext.setCACertificate() is
invoked with a null value for caCertificateFile and a non-null value
for caCertificatePath until properly addressed with
https://github.com/openssl/openssl/issues/24416. (michaelo)
* Add: Use ERR_error_string_n with a definite buffer length as a named
constant. (schultz)
* Add: Ensure local reference capacity is available when creating new
arrays and Strings. (schultz)
* Update: Update the recommended minimum version of OpenSSL to 3.0.14.
(markt)
1.3.0:
* Update: Drop useless compile.optimize option. (michaelo)
* Update: Align Java source compile configuration with Tomcat.
(michaelo)
* Fix: Fix version set in DLL header on Windows. (michaelo)
* Update: Remove an unreachable if condition around CRLs in
sslcontext.c. (michaelo)
* Fix: 67818: When calling SSL.setVerify() or SSLContext.setVerify(),
the default verify paths are no longer set. Only the explicitly
configured trust store, if any, will be used. (michaelo)
* Update: Update the minimum supported version of LibreSSL to 3.5.2.
(markt)
* Design: Remove NPN support as NPN was never standardised and browser
support was removed in 2019. (markt)
* Update: Update the recommended minimum version of OpenSSL to 3.0.13.
(markt)
Update to 1.2.39:
* Fix: 67061: If the insecure optionalNoCA certificate verification
mode is used, disable OCSP if enabled else client certificates
from unknown certificate authorities will be rejected.
* Update: Update the recommended minimum version of OpenSSL to
3.0.11.
* Change the hardcoded libopenssl-1_1-devel to libopenssl-devel
for distributions that have the right version
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:1400-1
Released: Thu Apr 16 12:47:09 2026
Summary: Security update for python-PyJWT
Type: security
Severity: important
References: 1259616,CVE-2026-32597
This update for python-PyJWT fixes the following issues:
- CVE-2026-32597: Fixed unknown `crit` header extensions accepts (bsc#1259616).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2026:1404-1
Released: Thu Apr 16 14:27:19 2026
Summary: Recommended update for fence-agents
Type: recommended
Severity: important
References: 1218718,1250417,1261670
This update for fence-agents fixes the following issues:
- fence_vmware_rest:
* a fix seems to be missing in the latest version (bsc#1261670)
* monitoring is not detecting problems accessing the fence device (bsc#1218718)
- fence_aws: Fix shebang to be able to use python3.11 if it is installed (bsc#1250417).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2026:1409-1
Released: Thu Apr 16 14:40:17 2026
Summary: Recommended update for sssd
Type: recommended
Severity: important
References: 1259253,1259436,1259545,1260409,1260413
This update for sssd fixes the following issues:
- Do not package capabilities, will be applied by %set_permissions rpm macro (bsc#1259436);
- Silence noisy warning from sss_cache if run prior starting the daemon and
config.ldb does not exist (bsc#1259545);
- Fix ldap_child process started by the backend process ending in defunc state.
- Create the secrets directory for the KCM service (bsc#1259253);
- Fix missing nss library in 32bit package (bsc#1260409);
- Fix packaging wrong permissions for /usr/share/polkit-1/rules.d (bsc#1260413);
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2026:1410-1
Released: Thu Apr 16 14:41:43 2026
Summary: Recommended update for util-linux
Type: recommended
Severity: moderate
References: 1222465,1234736
This update for util-linux fixes the following issues:
- recognize fuse 'portal' as a virtual file system (bsc#1234736).
- fdisk: Fix possible partition overlay and data corruption if EBR gap is missing (bsc#1222465).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:1418-1
Released: Thu Apr 16 18:43:02 2026
Summary: Security update for iproute2
Type: security
Severity: low
References: 1254324,CVE-2024-58251
This update for iproute2 fixes the following issue:
- CVE-2024-58251: denial of service via terminal escape sequences (bsc#1254324).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:1432-1
Released: Fri Apr 17 12:12:08 2026
Summary: Security update for libcap
Type: security
Severity: important
References: 1261809,CVE-2026-4878
This update for libcap fixes the following issue:
- CVE-2026-4878: Address a potential TOCTOU race condition in cap_set_file() (bsc#1261809).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2026:1434-1
Released: Fri Apr 17 12:49:03 2026
Summary: Recommended update for apparmor
Type: recommended
Severity: moderate
References: 1225811,1259441
This update for apparmor fixes the following issues:
- samba gives denied in audit with apparmor (bsc#1225811).
- apparmor denies printing with profiles on sle15-sp7 (bsc#1259441).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:1441-1
Released: Fri Apr 17 16:18:19 2026
Summary: Security update for avahi
Type: security
Severity: moderate
References: 1257235,CVE-2026-24401
This update for avahi fixes the following issue:
- CVE-2026-24401: avahi-daemon can be crashed via a segmentation fault by sending an unsolicited mDNS response
containing a recursive CNAME record (bsc#1257235).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:1443-1
Released: Fri Apr 17 16:40:44 2026
Summary: Security update for NetworkManager
Type: security
Severity: moderate
References: 1225498,1257359,CVE-2025-9615
This update for NetworkManager fixes the following issue:
Security fixes:
- CVE-2025-9615: Fixed non-admin user using others' certificates (bsc#1257359).
Other fixes:
- Don't renew DHCP lease when software devices' MAC is empty (bsc#1225498).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2026:1473-1
Released: Mon Apr 20 11:32:05 2026
Summary: Recommended update for grub2
Type: recommended
Severity: important
References: 1249385,1259543
This update for grub2 fixes the following issues:
- Fix PowerPC network boot prefix to correctly locate grub.cfg (bsc#1249385)
* use net config for boot location instead of
- Fix double free in xen booting if root filesystem is Btrfs (bsc#1259543)
* btrfs: add ability to boot from subvolumes
* btrfs: get default subvolume
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:1510-1
Released: Tue Apr 21 08:28:12 2026
Summary: Security update for ncurses
Type: security
Severity: moderate
References: 1259924,CVE-2025-69720
This update for ncurses fixes the following issue:
- CVE-2025-69720: buffer overflow in function `analyze_string()`of `progs/infocmp.c` (bsc#1259924).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2026:1546-1
Released: Wed Apr 22 11:27:19 2026
Summary: Recommended update for ipmitool
Type: recommended
Severity: moderate
References: 1259310
This update for ipmitool fixes the following issue:
- Fix bad pid file creation in ipmievd (bsc#1259310).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2026:1552-1
Released: Wed Apr 22 14:23:56 2026
Summary: Recommended update for adcli
Type: recommended
Severity: moderate
References: 1259148,1259996
This update for adcli fixes the following issues:
- Build with openldap 2.5 to support TLS channel binding;
(bsc#1259148);
- Add missing use-ldaps option; (bsc#1259996)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2026:1559-1
Released: Thu Apr 23 06:44:53 2026
Summary: Recommended update for python-apache-libcloud, python3-apache-libcloud
Type: recommended
Severity: moderate
References:
This update for python-apache-libcloud fixes the following issues:
python-apache-libcloud:
- Deliver the Python 3.11 flavor as python311-apache-libcloud (jsc#PED-14450)
- Package version at 3.8.0
python3-apache-libcloud:
- Deliver the Python 3.6 flavor as python3-apache-libcloud (jsc#PED-14450)
- Source package was renamed from python-apache-libcloud to python3-apache-libcloud
to avoid conflicts with the Python 3.11 flavor
- Package version at 3.3.1
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2026:1561-1
Released: Thu Apr 23 08:34:49 2026
Summary: Recommended update for mozilla-nss
Type: recommended
Severity: moderate
References:
This update for mozilla-nss fixes the following issues:
Update to NSS 3.112.4:
* improve error handling in PK11_ImportPrivateKeyInfoAndReturnKey.
* Improving the allocation of S/MIME DecryptSymKey.
* store email on subject cache_entry in NSS trust domain.
* Heap use-after-free in cert_VerifyCertChainOld via dangling certsList[] entry on NameConstraints violation.
* Improve size calculations in CMS content buffering.
* avoid integer overflow while escaping RFC822 Names.
* Reject excessively large ASN.1 SEQUENCE OF in quickder.
* Deep copy profile data in CERT_FindSMimeProfile.
* Improve input validation in DSAU signature decoding.
* avoid integer overflow in RSA_EMSAEncodePSS.
* RSA_EMSAEncodePSS should validate the length of mHash.
* Add a maximum cert uncompressed len and tests.
* Clarify extension negotiation mechanism for TLS Handshakes.
* ensure permittedSubtrees don't match wildcards that could be outside the permitted tree.
* Fix integer underflow in tls13_AEAD when ciphertext is shorter than tag.
* Remove invalid PORT_Free().
* free digest objects in SEC_PKCS7DecoderFinish if they haven't already been freed.
* make ss->ssl3.hs.cookie an owned-copy of the cookie.
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:1577-1
Released: Thu Apr 23 17:53:45 2026
Summary: Security update for openssl-1_1
Type: security
Severity: important
References: 1260441,1260442,1260443,1260444,1261678,CVE-2026-28387,CVE-2026-28388,CVE-2026-28389,CVE-2026-28390,CVE-2026-31789
This update for openssl-1_1 fixes the following issues:
- CVE-2026-28387: Potential use-after-free in DANE client code (bsc#1260441).
- CVE-2026-28388: NULL Pointer Dereference When Processing a Delta CRL (bsc#1260442).
- CVE-2026-28389: Possible NULL dereference when processing CMS KeyAgreeRecipientInfo (bsc#1260443).
- CVE-2026-28390: NULL pointer dereference during processing of a crafted CMS EnvelopedData message with
KeyTransportRecipientInfo (bsc#1261678).
- CVE-2026-31789: Heap buffer overflow in hexadecimal conversion (bsc#1260444).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:1602-1
Released: Fri Apr 24 13:46:25 2026
Summary: Security update for libpng16
Type: security
Severity: moderate
References: 1261957,CVE-2026-34757
This update for libpng16 fixes the following issue:
- CVE-2026-34757: information disclosure and data corruption due to use-after-free in `png_set_PLTE`, `png_set_tRNS`
and `png_set_hIST` (bsc#1261957).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:1604-1
Released: Fri Apr 24 13:48:06 2026
Summary: Security update for tomcat
Type: security
Severity: important
References: 1258371,1261850,1261851,1261852,1261853,1261854,1261855,1261856,1261857,CVE-2025-66614,CVE-2026-24880,CVE-2026-25854,CVE-2026-29129,CVE-2026-29145,CVE-2026-29146,CVE-2026-32990,CVE-2026-34483,CVE-2026-34486,CVE-2026-34487,CVE-2026-34500
This update for tomcat fixes the following issues:
Security fixes:
- CVE-2026-24880: Request smuggling via invalid chunk extension (bsc#1261850).
- CVE-2026-25854: Occasionally open redirect (bsc#1261851).
- CVE-2026-29129: TLS cipher order is not preserved (bsc#1261852).
- CVE-2026-29145: OCSP checks sometimes soft-fail even when soft-fail is disabled (bsc#1261853).
- CVE-2026-29146,CVE-2026-34486: Fix for allowed bypass of EncryptInterceptor (bsc#1261854).
- CVE-2026-34483: Incomplete escaping of JSON access logs (bsc#1261855).
- CVE-2026-34487: Cloud membership for clustering component exposed the Kubernetes bearer token (bsc#1261856).
- CVE-2026-34500: OCSP checks sometimes soft-fail with FFM even when soft-fail is disabled (bsc#1261857).
- CVE-2026-32990: The fix for CVE-2025-66614 was incomplete, so this CVE completes it (bsc#1258371).
Other fixes:
- Update to Tomcat 9.0.117
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:1605-1
Released: Fri Apr 24 13:48:53 2026
Summary: Security update for openssl-3
Type: security
Severity: moderate
References: 1261678,CVE-2026-28390
This update for openssl-3 fixes the following issue:
Security issues fixed:
- CVE-2026-28390: NULL pointer dereference during processing of a crafted CMS EnvelopedData message with
KeyTransportRecipientInfo (bsc#1261678).
Other updates and bugfixes:
- Enable MD2 in legacy provider (jsc#PED-15724).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:1607-1
Released: Fri Apr 24 13:50:52 2026
Summary: Security update for vim
Type: security
Severity: important
References: 1259985,1261191,1261271,CVE-2026-33412,CVE-2026-34714,CVE-2026-34982
This update for vim fixes the following issues:
Update to version 9.2.0280.
- CVE-2026-34982: missing input validation allows for a modeline sandbox bypass and can lead to arbitrary OS command
execution (bsc#1261271).
- CVE-2026-34714: missing checks allow for a `tabpanel` modeline escape and can lead to arbitrary OS command execution
(bsc#1261191).
- CVE-2026-33412: improper escaping of newline characters allows for command injection in `glob` and can lead to
arbitrary code execution (bsc#1259985).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:1644-1
Released: Tue Apr 28 15:31:39 2026
Summary: Security update for python-requests
Type: security
Severity: moderate
References: 1260589,CVE-2026-25645
This update for python-requests fixes the following issues:
- CVE-2026-25645: `extract_zipped_paths()` uses predictable filenames when extracting files from zip archives and
reuses target files that already exist without validation (bsc#1260589).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:1715-1
Released: Wed May 6 14:09:30 2026
Summary: Security update for python3
Type: security
Severity: important
References: 1259611,1259734,1259735,1259989,1260026,1261969,1261970,1262098,1262319,1262654,CVE-2025-13462,CVE-2026-1502,CVE-2026-3446,CVE-2026-3479,CVE-2026-3644,CVE-2026-4224,CVE-2026-4519,CVE-2026-4786,CVE-2026-6019,CVE-2026-6100
This update for python3 fixes the following issues:
- CVE-2025-13462: incorrect parsing of TarInfo when GNU long name and type AREGTYPE are combined can lead to
misinterpretation of tar archives (bsc#1259611).
- CVE-2026-1502: HTTP client proxy tunnel headers not validated for CR/LF (bsc#1261969).
- CVE-2026-3446: base64 decoding stops at first padded quad by default and ignores other information that could be
processed (bsc#1261970).
- CVE-2026-3479: improper resource argument validation in `pkgutil.get_data()` can lead to path traversal (bsc#1259989).
- CVE-2026-3644: incomplete control character validation in http.cookies can lead to input validation bypass
(bsc#1259734).
- CVE-2026-4224: parsing XML with deeply nested DTD content models can lead to C stack overflow (bsc#1259735).
- CVE-2026-4519: failure to sanitize leading dashes in URLs in the `webbrowser.open()` API can lead to web browser
command line option injection (bsc#1260026).
- CVE-2026-4786: URLs prefixed with `%action` can pass the dash-prefix safety check and allow for command injection
(bsc#1262319).
- CVE-2026-6019: `BaseCookie.js_output()` does not neutralize characters in cookie values embedded in JS (bsc#1262654).
- CVE-2026-6100: use-after-free in `lzma.LZMADecompressor`, `bz2.BZ2Decompressor`, and `gzip.GzipFile` when process is
under memory pressure(bsc#1262098).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2026:1720-1
Released: Wed May 6 16:42:49 2026
Summary: Recommended update for sssd
Type: recommended
Severity: important
References: 1259436
This update for sssd fixes the following issues:
- With the 2.10 update sssd runs under unprivileged user which is not possible in certain scenarios.
This update reverts to run as root with minimum privileges (bsc#1259436);
- Let krb5 child tolerate missing capabilities;
- Fix systemd try-restart warning when updating
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:1732-1
Released: Thu May 7 02:43:10 2026
Summary: Security update for java-17-openjdk
Type: security
Severity: important
References: 1259118,1262490,1262494,1262495,1262496,1262497,1262500,1262501,CVE-2026-22007,CVE-2026-22013,CVE-2026-22016,CVE-2026-22018,CVE-2026-22021,CVE-2026-23865,CVE-2026-34268,CVE-2026-34282
This update for java-17-openjdk fixes the following issues:
Upgrade to upstream tag jdk-17.0.19+10 (April 2026 CPU).
Security issues fixed:
- CVE-2026-22007: Security: unauthenticated attacker with logon to the infrastructure where java executes can gain
unauthorized read access to a subset of accessible data (bsc#1262490).
- CVE-2026-22013: JGSS: unauthenticated attacker with network access via multiple protocols can gain unauthorized
access to critical data (bsc#1262494).
- CVE-2026-22016: JAXP: unauthenticated attacker with network access via multiple protocols can gain unauthorized
to access critical data (bsc#1262495).
- CVE-2026-22018: Libraries: unauthenticated attacker with network access via multiple protocols can cause a partial
denial of service (bsc#1262496).
- CVE-2026-22021: JSSE: unauthenticated attacker with network access via HTTPS can cause a partial denial of service
(bsc#1262497).
- CVE-2026-23865: freetype2: integer overflow in the `tt_var_load_item_variation_store` function allows for an
out-of-bounds read when parsing HVAR/VVAR/MVAR tables in OpenType variable fonts(bsc#1259118).
- CVE-2026-34268: Security: unauthenticated attacker with logon to the infrastructure where java executes can gain
unauthorized read access to a subset of data (bsc#1262500).
- CVE-2026-34282: Networking: unauthenticated attacker with network access via multiple protocols can cause a hang or
frequently repeatable crash (bsc#1262501).
Other updates and bugfixes:
- Provide the timezone-java and tzdata-java (jsc#PED-15898).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:1755-1
Released: Thu May 7 15:54:52 2026
Summary: Security update for freeipmi
Type: security
Severity: important
References: 1260414,CVE-2026-33554
This update for freeipmi fixes the following issue:
- CVE-2026-33554: improper memory handling and data validation can lead to stack buffer overflows and acceptance of
malformed payloads/responses (bsc#1260414).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:1843-1
Released: Wed May 13 17:24:48 2026
Summary: Security update for log4j
Type: security
Severity: moderate
References: 1262050,1262091,1262092,1262093,CVE-2026-34477,CVE-2026-34479,CVE-2026-34480,CVE-2026-34481
This update for log4j fixes the following issues:
- CVE-2026-34477: TLS connections vulnerable to interception due to incomplete hostname verification configuration
checks (bsc#1262050).
- CVE-2026-34479: silent log event loss due to improper XML escaping in `Log4j1XmlLayout` (bsc#1262091).
- CVE-2026-34480: silent log event loss due to improper XML escaping in `XmlLayout` (bsc#1262092).
- CVE-2026-34481: silent log event loss due to improper serialization of non-finite floating-point values in
`JsonTemplateLayout` (bsc#1262093).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:1872-1
Released: Fri May 15 17:22:29 2026
Summary: Security update for firewalld
Type: security
Severity: moderate
References: 1260903,CVE-2026-4948
This update for firewalld fixes the following issue:
- CVE-2026-4948: local unprivileged users can modify the runtime firewall state without proper authentication due to
D-Bus setter mis-authorizations (bsc#1260903).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:1876-1
Released: Sat May 16 00:06:36 2026
Summary: Security update for openssh
Type: security
Severity: important
References: 1261427,1261430,CVE-2026-35385,CVE-2026-35414
This update for openssh fixes the following issues
- CVE-2026-35385: a file downloaded by scp may be installed setuid or setgid (bsc#1261427).
- CVE-2026-35414: mishandling of authorized_keys principals option (bsc#1261430).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:1940-1
Released: Mon May 18 09:44:14 2026
Summary: Security update for curl
Type: security
Severity: important
References: 1259362,1262631,1262632,1262635,1262636,1262638,CVE-2026-1965,CVE-2026-4873,CVE-2026-5545,CVE-2026-6253,CVE-2026-6276,CVE-2026-6429
This update for curl fixes the following issues:
Security issues fixed:
- CVE-2026-4873: connection reuse ignores TLS requirement (bsc#1262631).
- CVE-2026-5545: wrong reuse of HTTP Negotiate connection (bsc#1262632).
- CVE-2026-6253: proxy credentials leak over redirect-to proxy (bsc#1262635).
- CVE-2026-6276: stale custom cookie host causes cookie leak (bsc#1262636).
- CVE-2026-6429: netrc credential leak with reused proxy connection (bsc#1262638).
Other updates and bugfixes:
- sws: prevent 'connection monitor' to say disconnect twice (bsc#1259362).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:1941-1
Released: Mon May 18 09:44:34 2026
Summary: Security update for sed
Type: security
Severity: moderate
References: 1262144,CVE-2026-5958
This update for sed fixes the following issue:
- CVE-2026-5958: a TOCTOU race can allow to read attacker-controlled content and write it to an unintended file (bsc#1262144).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:1944-1
Released: Mon May 18 09:47:19 2026
Summary: Security update for postgresql18
Type: security
Severity: important
References: 1263804,1265172,1265173,1265174,1265175,1265176,1265177,1265178,1265179,1265180,1265181,1265182,CVE-2026-6472,CVE-2026-6473,CVE-2026-6474,CVE-2026-6475,CVE-2026-6476,CVE-2026-6477,CVE-2026-6478,CVE-2026-6479,CVE-2026-6575,CVE-2026-6637,CVE-2026-6638
This update for postgresql18 fixes the following issues
Update to version 18.4.
Security issues:
- CVE-2026-6472: ensure the user has CREATE privilege on the schema specified (bsc#1265172).
- CVE-2026-6473: integer overflows in memory-allocation calculations (bsc#1265173).
- CVE-2026-6474: Guard against malicious time zone names (bsc#1265174).
- CVE-2026-6475: Prevent path traversal in pg_basebackup and pg_rewind (bsc#1265175).
- CVE-2026-6476: Properly quote subscription names in pg_createsubscriber (bsc#1265176).
- CVE-2026-6477: Mark PQfn() as unsafe, and avoid using it within libpq (bsc#1265177).
- CVE-2026-6478: Use timing-safe string comparisons in authentication code (bsc#1265178).
- CVE-2026-6479: Prevent unbounded recursion while processing startup packets (bsc#1265179).
- CVE-2026-6575: Detect faulty input when restoring attribute MCV statistics (bsc#1265180).
- CVE-2026-6637: Prevent SQL injection and buffer overruns in contrib/spi (bsc#1265181).
- CVE-2026-6638: Properly quote object names in logical replication origin checks (bsc#1265182).
Non security issue:
- Get rid of update-alternatives for openSUSE/SLE 16.0 and newer to support immutable systems and transactional
updates (jsc#PED-14820).
- /usr/bin/pg_config is missing after migrating away from update-alternatives (bsc#1263804).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:2001-1
Released: Tue May 19 10:20:57 2026
Summary: Security update for postgresql16
Type: security
Severity: important
References: 1263804,1265172,1265173,1265174,1265175,1265177,1265178,1265179,1265181,1265182,CVE-2026-6472,CVE-2026-6473,CVE-2026-6474,CVE-2026-6475,CVE-2026-6477,CVE-2026-6478,CVE-2026-6479,CVE-2026-6637,CVE-2026-6638
This update for postgresql16 fixes the following issues
Update to version 16.13.
Security issues:
- CVE-2026-6472: ensure the user has CREATE privilege on the schema specified (bsc#1265172).
- CVE-2026-6473: integer overflows in memory-allocation calculations (bsc#1265173).
- CVE-2026-6474: Guard against malicious time zone names (bsc#1265174).
- CVE-2026-6475: Prevent path traversal in pg_basebackup and pg_rewind (bsc#1265175).
- CVE-2026-6477: Mark PQfn() as unsafe, and avoid using it within libpq (bsc#1265177).
- CVE-2026-6478: Use timing-safe string comparisons in authentication code (bsc#1265178).
- CVE-2026-6479: Prevent unbounded recursion while processing startup packets (bsc#1265179).
- CVE-2026-6637: Prevent SQL injection and buffer overruns in contrib/spi (bsc#1265181).
- CVE-2026-6638: Properly quote object names in logical replication origin checks (bsc#1265182).
Non security issue:
- Get rid of update-alternatives for openSUSE/SLE 16.0 and newer to support immutable systems and transactional
updates (jsc#PED-14824).
- /usr/bin/pg_config is missing after migrating away from update-alternatives (bsc#1263804).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2026:2014-1
Released: Tue May 19 16:13:13 2026
Summary: Recommended update for fence-agents
Type: recommended
Severity: important
References: 1263816
This update for fence-agents fixes the following issues:
- azure-cli - Stonith failing to start - 'raise ValueError('API version {}
does not have operation group 'virtual_machines''.format(api_version))' (bsc#1263816)
- fence_vmware_rest: monitoring is not detecting problems accessing the fence device
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2026:2026-1
Released: Wed May 20 10:14:01 2026
Summary: Recommended update for sssd
Type: recommended
Severity: important
References: 1246196,1264185
This update for sssd fixes the following issues:
- Reduce the message severity logged when the LDAP server hosts multiple
naming contexts without defining a default one in the rootdse (bsc#1264185);
- Do not ignore tests result at build time (bsc#1246196);
- Skip tests depending on soft-hsm;
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:2028-1
Released: Wed May 20 11:07:11 2026
Summary: Security update for postgresql-jdbc
Type: security
Severity: important
References: 1264174,CVE-2026-42198
This update for postgresql-jdbc fixes the following issue
- CVE-2026-42198: client-side denial of service via malicious SCRAM-SHA-256 authentication (bsc#1264174).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:2029-1
Released: Wed May 20 11:18:08 2026
Summary: Security update for vim
Type: security
Severity: moderate
References: 1261833,CVE-2026-39881
This update for vim fixes the following issue:
Security fixes:
- CVE-2026-39881: command injection in NetBeans interface can lead to arbitrary file reads and writes (bsc#1261833).
Other fixes:
- Update to 9.2.0398.
* 9.2.0398: MS-Windows: missing strptime() support
* 9.2.0397: tabpanel: double-click opens a new tab
* 9.2.0396: tests: Test_error_callback_terminal is flaky on macOS
* 9.2.0395: tests: Test_backupskip() may read from $HOME
* 9.2.0394: xxd: offsets greater than LONG_MAX print as negative
* 9.2.0393: MS-Windows: link error with XPM support on UCRT64
* 9.2.0392: tests: Some tests are flaky
* 9.2.0391: tests: Comment in test_vim9_cmd breaks syntax highlighting
* 9.2.0390: filetype: some Beancount files are not recognized
* 9.2.0389: DECRQM still leaves stray 'pp' on Apple Terminal.app
* 9.2.0388: strange indent in update_topline()
* 9.2.0387: DECRQM request may leave stray chars in terminal
* 9.2.0386: No scroll/scrollbar support in the tabpanel
* 9.2.0385: Integer overflow with 'ze' and large 'sidescrolloff'
* 9.2.0384: stale Insstart after <Cmd> cursor move breaks undo
* 9.2.0383: [security]: runtime(netrw): shell-injection via sftp: and file: URLs
* 9.2.0382: Wayland: focus-stealing is non-working
* 9.2.0381: Vim9: Missing check_secure() in exec_instructions()
* 9.2.0380: completion: a few issues in completion code
* 9.2.0379: gui.color_approx is never used
* 9.2.0378: Using int as bool type in win_T struct
* 9.2.0377: Using int as bool type in gui_T struct
* 9.2.0376: Vim9: elseif condition compiled in dead branch
* 9.2.0375: prop_find() does not find a virt text in starting line
* 9.2.0374: c_CTRL-{G,T} does not handle offset
* 9.2.0373: Ctrl-R mapping not triggered during completion
* 9.2.0372: pum: rendering issues with multibyte text and opacity
* 9.2.0371: filetype: ghostty config files are not recognized
* 9.2.0370: duplicate code with literal string_T assignment
* 9.2.0369: multiple definitions of STRING_INIT macro
* 9.2.0368: too many strlen() calls when adding strings to dicts
* 9.2.0367: runtime(netrw): ~ note expanded on MS Windows
* 9.2.0366: pum: flicker when updating pum in place
* 9.2.0365: using int as bool
* 9.2.0364: tests: test_smoothscroll_textoff_showbreak() fails
* 9.2.0363: Vim9: variable shadowed by script-local function
* 9.2.0362: division by zero with smoothscroll and small windows
* 9.2.0361: tests: no tests for ch_listen() with IPs
* 9.2.0360: Cannot handle mouse-clicks in the tabpanel
* 9.2.0359: wrong VertSplitNC highlighting on winbar
* 9.2.0358: runtime(vimball): still path traversal attacks possible
* 9.2.0357: [security]: command injection via backticks in tag files
* 9.2.0356: Cannot apply 'scrolloff' context lines at end of file
* 9.2.0355: runtime(tar): missing path traversal checks in tar#Extract()
* 9.2.0354: filetype: not all Bitbake include files are recognized
* 9.2.0353: Missing out-of-memory check in register.c
* 9.2.0352: 'winhighlight' of left window blends into right window
* 9.2.0351: repeat_string() can be improved
* 9.2.0350: Enabling modelines poses a risk
* 9.2.0349: cannot style non-current window separator
* 9.2.0348: potential buffer underrun when setting statusline like option
* 9.2.0347: Vim9: script-local variable not found
* 9.2.0346: Wrong cursor position when entering command line window
* 9.2.0345: Wrong autoformatting with 'autocomplete'
* 9.2.0344: channel: ch_listen() can bind to network interface
* 9.2.0343: tests: test_clientserver may fail on slower systems
* 9.2.0342: tests: test_excmd.vim leaves swapfiles behind
* 9.2.0341: some functions can be run from the sandbox
* 9.2.0340: pum_redraw() may cause flicker
* 9.2.0339: regexp: nfa_regmatch() allocates and frees too often
* 9.2.0338: Cannot handle mouseclicks in the tabline
* 9.2.0337: list indexing broken on big-endian 32-bit platforms
* 9.2.0336: libvterm: no terminal reflow support
* 9.2.0335: json_encode() uses recursive algorithm
* 9.2.0334: GTK: window geometry shrinks with with client-side decorations
* 9.2.0333: filetype: PklProject files are not recognized
* 9.2.0332: popup: still opacity rendering issues
* 9.2.0331: spellfile: stack buffer overflows in spell file generation
* 9.2.0330: tests: some patterns in tar and zip plugin tests not strict enough
* 9.2.0329: tests: test_indent.vim leaves swapfiles behind
* 9.2.0328: Cannot handle mouseclicks in the statusline
* 9.2.0327: filetype: uv scripts are not detected
* 9.2.0326: runtime(tar): but with dotted path
* 9.2.0325: runtime(tar): bug in zstd handling
* 9.2.0324: 0x9b byte not unescaped in <Cmd> mapping
* 9.2.0323: filetype: buf.lock files are not recognized
* 9.2.0322: tests: test_popupwin fails
* 9.2.0321: MS-Windows: No OpenType font support
* 9.2.0320: several bugs with text properties
* 9.2.0319: popup: rendering issues with partially transparent popups
* 9.2.0318: cannot configure opacity for popup menu
* 9.2.0317: listener functions do not check secure flag
* 9.2.0316: [security]: command injection in netbeans interface via defineAnnoType
* 9.2.0315: missing bound-checks
* 9.2.0314: channel: can bind to all network interfaces
* 9.2.0313: Callback channel not registered in GUI
* 9.2.0312: C-type names are marked as translatable
* 9.2.0311: redrawing logic with text properties can be improved
* 9.2.0310: unnecessary work in vim_strchr() and find_term_bykeys()
* 9.2.0309: Missing out-of-memory check to may_get_cmd_block()
* 9.2.0308: Error message E1547 is wrong
* 9.2.0307: more mismatches between return types and documentation
* 9.2.0306: runtime(tar): some issues with lz4 support
* 9.2.0305: mismatch between return types and documentation
* 9.2.0304: tests: test for 9.2.0285 doesn't always fail without the fix
* 9.2.0303: tests: zip plugin tests don't check for warning message properly
* 9.2.0302: runtime(netrw): RFC2396 decoding double escaping spaces
* 9.2.0301: Vim9: void function return value inconsistent
* 9.2.0300: The vimball plugin needs some love
* 9.2.0299: runtime(zip): may write using absolute paths
* 9.2.0298: Some internal variables are not modified
* 9.2.0297: libvterm: can improve CSI overflow code
* 9.2.0296: Redundant and incorrect integer pointer casts in drawline.c
* 9.2.0295: 'showcmd' shows wrong Visual block size with 'linebreak'
* 9.2.0294: if_lua: lua interface does not work with lua 5.5
* 9.2.0293: :packadd may lead to heap-buffer-overflow
* 9.2.0292: E340 internal error when using method call on void value
* 9.2.0291: too many strlen() calls
* 9.2.0290: Amiga: no support for AmigaOS 3.x
* 9.2.0289: 'linebreak' may lead to wrong Visual block highlighting
* 9.2.0288: libvterm: signed integer overflow parsing long CSI args
* 9.2.0287: filetype: not all ObjectScript routines are recognized
* 9.2.0286: still some unnecessary (int) casts in alloc()
* 9.2.0285: :syn sync grouphere may go beyond end of line
* 9.2.0284: tabpanel: crash when tabpanel expression returns variable line count
* 9.2.0283: unnecessary (int) casts before alloc() calls
* 9.2.0282: tests: Test_viminfo_len_overflow() fails
* 9.2.0281: tests: Test_netrw_FileUrlEdit.. fails on Windows
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:2038-1
Released: Thu May 21 15:33:31 2026
Summary: Security update for rsync
Type: security
Severity: important
References: 1234100,1234101,1234102,1234103,1234104,1235475,1254441,1262223,1264511,1264512,1264513,1264514,1264515,1265296,CVE-2024-12084,CVE-2024-12085,CVE-2024-12086,CVE-2024-12087,CVE-2024-12088,CVE-2024-12747,CVE-2025-10158,CVE-2026-29518,CVE-2026-41035,CVE-2026-43617,CVE-2026-43618,CVE-2026-43619,CVE-2026-43620,CVE-2026-45232
This update for rsync fixes the following issues
- CVE-2026-29518: Symlink-Race TOCTOU in Daemon (bsc#1264511).
- CVE-2026-41035: Count of entries mismatch can lead to a use-after-free (bsc#1262223)
- CVE-2026-43617: Authorization Bypass via Hostname Resolution (bsc#1264515).
- CVE-2026-43618: Integer Overflow Information Disclosure (bsc#1264512).
- CVE-2026-43619: Symlink Race Condition via Path-Based Syscalls (bsc#1264514).
- CVE-2026-43620: Out-of-Bounds Array Read via recv_files() (bsc#1264513).
- CVE-2026-45232: Off-by-one stack OOB write in HTTP CONNECT proxy response parsing (bsc#1265296).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:2051-1
Released: Mon May 25 15:59:43 2026
Summary: Security update for xz
Type: security
Severity: important
References: 1261280,CVE-2026-34743
This update for xz fixes the following issue
- CVE-2026-34743: buffer overflow in lzma_index_append() (bsc#1261280).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2026:2061-1
Released: Tue May 26 07:14:34 2026
Summary: Recommended update for openssl-1_1
Type: recommended
Severity: moderate
References: 1250782
This update for openssl-1_1 fixes the following issues:
- Fix 30-test_fips_sli.t fails intermittently on s390x (bsc#1250782):
* Fix AES_GCM IV test sometimes failing on s390x.
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:2074-1
Released: Tue May 26 14:35:51 2026
Summary: Security update for samba
Type: security
Severity: critical
References: 1261158,1261159,1261160,1261161,1261163,CVE-2026-2340,CVE-2026-3012,CVE-2026-3238,CVE-2026-4408,CVE-2026-4480
This update for samba fixes the following issues
- CVE-2026-2340: vfs_worm does not block directory modification (bsc#1261158).
- CVE-2026-3012: group policy certificate enrollment uses http: // without validation (bsc#1261159).
- CVE-2026-3238: unauthenticated udp packet crashes AD DC nbt server (bsc#1261160).
- CVE-2026-4408: Remote Code Execution in SAMR (bsc#1261163).
- CVE-2026-4480: Unauthenticated Remote Code Execution (bsc#1261161).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:2103-1
Released: Thu May 28 14:34:03 2026
Summary: Security update for apache2
Type: security
Severity: important
References: 1263935,1263950,1263951,1263952,1263953,1263954,1263955,1263956,1263957,1264150,1264163,CVE-2026-23918,CVE-2026-24072,CVE-2026-28780,CVE-2026-29168,CVE-2026-29169,CVE-2026-33006,CVE-2026-33007,CVE-2026-33523,CVE-2026-33857,CVE-2026-34032,CVE-2026-34059
This update for apache2 fixes the following issues
- CVE-2026-23918: http2: double free and possible RCE on early reset (bsc#1263957).
- CVE-2026-24072: mod_rewrite elevation of privileges via ap_expr (bsc#1263935).
- CVE-2026-28780: heap buffer overflow in `mod_proxy_ajp` via `ajp_msg_check_header()` (bsc#1264163).
- CVE-2026-29168: allocation of resources without limits in `mod_md` via OCSP response (bsc#1264150).
- CVE-2026-29169: NULL pointer dereference in `mod_dav_lock` allows server crash via malicious requests (bsc#1263956).
- CVE-2026-33006: `mod_auth_digest` timing attack allows bypass of Digest authentication (bsc#1263955).
- CVE-2026-33007: NULL pointer dereference in `mod_authn_socache` allows unauthenticated remote user to crash a child
processes (bsc#1263954).
- CVE-2026-33523: HTTP response splitting forwarding malicious status line (bsc#1263953).
- CVE-2026-33857: off-by-one OOB reads in AJP getter functions (bsc#1263952).
- CVE-2026-34032: heap buffer overread in `mod_proxy_ajp` due to missing null-termination check (bsc#1263951).
- CVE-2026-34059: heap buffer overread and memory disclosure via `ajp_parse_data()` (bsc#1263950).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:2115-1
Released: Fri May 29 17:27:13 2026
Summary: Security update for gnutls
Type: security
Severity: important
References: 1263704,1263705,1263707,1263708,1263709,1263710,1263711,1263712,1263713,1263714,1263715,1263716,CVE-2026-33845,CVE-2026-33846,CVE-2026-3833,CVE-2026-42009,CVE-2026-42010,CVE-2026-42011,CVE-2026-42012,CVE-2026-42013,CVE-2026-42014,CVE-2026-42015,CVE-2026-5260,CVE-2026-5419
This update for gnutls fixes the following issues
- CVE-2026-3833: x509/name-constraints: compare domain names case-insensitive (bsc#1263707).
- CVE-2026-5260: lib/pkcs11_privkey: guard against overreading on short ciphertexts (bsc#1263715).
- CVE-2026-5419: gnutls_cipher_decrypt3: make PKCS#7 unpadding branch free (bsc#1263716).
- CVE-2026-33845: buffers: switch from end_offset over to frag_length (bsc#1263704).
- CVE-2026-33846: buffers: add more checks to DTLS reassembly (bsc#1263705).
- CVE-2026-42009: lib/buffers: ensure packets have differing sequence numbers (bsc#1263708).
- CVE-2026-42010: lib/auth/rsa_psk: fix binary PSK identity lookup (bsc#1263709).
- CVE-2026-42011: x509/name_constraints: fix intersecting empty constraints (bsc#1263710).
- CVE-2026-42012: x509/hostname-verify: make URI/SRV SAN preclude CN fallback (bsc#1263711).
- CVE-2026-42013: x509: prevent fallback on oversized SAN (bsc#1263712).
- CVE-2026-42014: pkcs11_write: fix UAF and leak in gnutls_pkcs11_token_set_pin (bsc#1263713).
- CVE-2026-42015: x509/pkcs12_bag: fix off-by-one in bag element bounds chec (bsc#1263714).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:2119-1
Released: Fri May 29 17:33:15 2026
Summary: Security update for python-urllib3
Type: security
Severity: important
References: 1265267,CVE-2026-44431
This update for python-urllib3 fixes the following issue
- CVE-2026-44431: sensitive information disclosure due to sensitive headers being forwarded across origins in proxied
low-level redirects (bsc#1265267).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:2231-1
Released: Wed Jun 3 12:57:18 2026
Summary: Security update for glibc
Type: security
Severity: important
References: 1261206,1262464,1262465,CVE-2026-4046,CVE-2026-5450,CVE-2026-5928
This update for glibc fixes the following issues
- CVE-2026-4046: assertion failure when converting inputs may be used to remotely crash an application (bsc#1261206).
- CVE-2026-5450: stdio-common: scanf %mc pattern will cause heap overflow when width > 1024 (bsc#1262465).
- CVE-2026-5928: libio: ungetwc could be used to leak data on special conditions (bsc#1262464).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:2236-1
Released: Wed Jun 3 13:00:40 2026
Summary: Security update for vim
Type: security
Severity: important
References: 1262395,1264706,1264707,1264708,1265349,1265360,CVE-2026-42307,CVE-2026-43961,CVE-2026-44656,CVE-2026-45130,CVE-2026-46483
This update for vim fixes the following issues
- CVE-2026-42307: Prior to version 9.2.0383, an OS command injection vulnerability exists in the netrw standard plugin
bundled with Vim (bsc#1264706).
- CVE-2026-43961: Vimscript Code Injection in netrw NetrwMarkFile() via crafted filename (bsc#1265349).
- CVE-2026-44656: Prior to version 9.2.0435, an OS command injection vulnerability exists in Vim's: find command-line
completion (bsc#1264707).
- CVE-2026-45130: Prior to version 9.2.0450, a heap buffer overflow exists in read_compound() in src/spellfile.c when
loading a crafted spell file (.spl) with UTF-8 encoding active (bsc#1264708).
- CVE-2026-46483: command injection via ` tar#Vimuntar()` in `runtime/autoload/tar.vim` when decompressing `.tgz`
archives on Unix-like systems (bsc#1265360).
Changes for vim:
- Update to v9.2.0530.
- Fix for incorrectly detecting scientific parameter files as bitbake recipies. (bsc#1262395)
-----------------------------------------------------------------
Advisory ID: SUSE-Manager-5.0-2026-2240
Released: Wed Jun 3 15:51:03 2026
Summary: Maintenance update for Multi-Linux Manager 5.0: Server, Proxy and Retail
Type: recommended
Severity: moderate
References: 1240895,1245107,1249675,1252927,1254427,1255857,1256392,1256953,1257621,1258041,1258106,1258109,1258378,1258382,1258796,1259127,1259243,1259261,1261307,1262741,1264256
Maintenance update for Multi-Linux Manager 5.0: Server, Proxy and Retail Branch Server
This is a codestream only update
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:2243-1
Released: Wed Jun 3 16:09:25 2026
Summary: Security update 5.0.8 for Multi-Linux Manager Client Tools
Type: security
Severity: important
References: 1248699,1248707,1252964,1254619,1257941,1258595,1258873,1258893,1258927,1259208,1259999,1260263,1260267,1260878,1260881,1261025,1261026,1261027,1261029,1261810,1262222,1262950,1263501,1263986,1263987,CVE-2022-21698,CVE-2025-29923,CVE-2026-21724,CVE-2026-21725,CVE-2026-26958,CVE-2026-27606,CVE-2026-27876,CVE-2026-27877,CVE-2026-27879,CVE-2026-28375,CVE-2026-33186,CVE-2026-33375,CVE-2026-34986,CVE-2026-40179,CVE-2026-41602,CVE-2026-42151,CVE-2026-42154
This update fixes the following issues:
golang-github-QubitProducts-exporter_exporter:
- Security Fixes:
- CVE-2022-21698: Fixed denial of service using InstrumentHandlerCounter (bsc#1248707)
golang-github-prometheus-node_exporter:
- Backward Compatibility and packaging changes:
- Added compatibility for Go 1.22/1.23 needed in older RHEL toolchains
- Pinned golang.org/x/net to v0.37.0 for Go 1.22 compatibility
- Version 1.10.2:
- Fixed typo in Zswap metric name (meminfo)
- Version 1.10.1:
- Fixed mount points being collected multiple times (filesystem)
- Refactored mountinfo parsing (bsc#1261810)
- Added Zswap/Zswapped metrics (meminfo)
- Version 1.10.0:
- New collectors: PCIe devices, swaps
- Added systemd virtualization metrics, AIX metrics
- WiFi packet metrics, additional PCIe and TLB metrics
- Changed mdadm to use sysfs, added erofs to excluded filesystems
- Fixed bugs: cpufreq collector, ethtool metrics
golang-github-prometheus-prometheus:
- Security issues fixed:
- CVE-2026-42151: AzureAD remote write: Fixed OAuth client_secret
being exposed in plaintext via /-/config endpoint (bsc#1263986)
- CVE-2026-42154: Remote-read: Reject snappy-compressed requests
whose declared decoded length exceeds the decode limit
(bsc#1263987).
- CVE-2026-40179: UI: Fixed stored XSS via unescaped le label
values in old UI heatmap chart tick labels (bsc#1262222)
- CVE-2026-33186: Fixed authorization bypass due to improper
validation of the HTTP/2 :path pseudo-header (bsc#1260267)
* Bump google.golang.org/grpc to version 1.79.3
- CVE-2026-27606: Fixed arbitrary file write via path traversal in
rollup (bsc#1258893)
* Bump rollup to version 4.59.0
- Other changes:
- Remote-Write: Reject snappy-compressed requests whose
declared decoded length exceeds the decode limit.
- Use systemd tmpfiles.d to create /var/lib/prometheus hierarchy (jsc#PED-14816)
prometheus-postgres_exporter:
- Security Fixes:
- CVE-2026-42154: Remote-read: Reject snappy-compressed requests whose declared decoded length exceeds the decode
limit (bsc#1263987)
- CVE-2026-42151: AzureAD remote write: Fixed OAuth client_secret being exposed in plaintext via /-/config endpoint
(bsc#1263986)
- CVE-2022-21698: Fixed denial of service using InstrumentHandlerCounter (bsc#1248699)
- Highlights of other changes and bug fixes:
- Use systemd tmpfiles.d to create /var/lib/prometheus hierarchy
grafana was updated from version 11.6.11 to 11.6.14+security01:
- Security Fixes:
- CVE-2026-34986: Fixed unrecoverable error in JWE decryption that could lead to a denial of service (bsc#1262950)
- CVE-2026-41602: Fixed Integer Overflow or Wraparound vulnerability in Apache Thrift (bsc#1263501)
- CVE-2026-26958: Ensure that MultiScalarMult properly handles initialization and produces correct results
(bsc#1258595)
- CVE-2026-21725: Fixed missing UID when deleting datasource by name (bsc#1258873)
- CVE-2026-33375: Fixed denial of Service via out-of-memory exhaustion in MSSQL data source plugin (bsc#1260881)
- CVE-2026-27876: Fixed remote arbitrary code execution via chained SQL Expressions (bsc#1261025)
- CVE-2026-27877: Fixed information disclosure of data-source passwords via public dashboards (bsc#1261026)
- CVE-2026-28375: Fixed denial of service via testdata data-source (bsc#1261029)
- CVE-2026-27879: Fixed denial of service via resample query (bsc#1261027)
- CVE-2026-33186: Fixed authorization bypass due to improper validation of the HTTP/2 :path pseudo-header
(bsc#1260263)
- CVE-2026-21724: Fixed authorization bypass allows modification of protected webhook URLs (bsc#1260878)
- Highlights of other changes and bug fixes:
- Version 11.6.13:
- Wire the public dashboard service to the HTTP server
- Version 11.6.12:
- Update authentication redirect logic
- Fixed single panel render with variable references
spacecmd:
- Version 5.0.16-0:
- Update translation strings
uyuni-tools:
- Version 0.1.39-0:
- mgrpxy ssh tuning should happen before crypto policies (bsc#1254619)
- Fixed default value for helm registry (bsc#1258927).
- Use static supportconfig name to avoid dynamic search
(bsc#1257941)
- Do not nest multiple tarball files and instead collect
all files into one tarball (bsc#1252964)
- Show where final tarball was generated (bsc#1259208)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:2259-1
Released: Wed Jun 3 17:31:35 2026
Summary: Security update for python3-pyOpenSSL
Type: security
Severity: moderate
References: 1262803,CVE-2026-40475
This update for python3-pyOpenSSL fixes the following issue
- CVE-2026-40475: improper input handling of null bytes can lead to silent data truncation and security-state
inconsistency (bsc#1262803).
The following package changes have been done:
- crypto-policies-20230920.570ea89-150600.3.16.1 updated
- libuuid1-2.39.3-150600.4.21.1 updated
- login_defs-4.17.2-150600.17.18.1 updated
- libsqlite3-0-3.51.3-150000.3.39.1 updated
- libsmartcols1-2.39.3-150600.4.21.1 updated
- libexpat1-2.7.1-150400.3.37.1 updated
- tar-1.34-150000.3.37.1 updated
- liblzma5-5.4.1-150600.3.6.1 updated
- libapparmor1-3.1.7-150600.5.12.2 updated
- libnghttp2-14-1.40.0-150600.25.5.1 updated
- libblkid1-2.39.3-150600.4.21.1 updated
- libopenssl-3-fips-provider-3.1.4-150600.5.50.1 updated
- libfreeipmi17-1.6.8-150400.3.3.1 updated
- libipa_hbac0-2.10.2-150600.3.50.1 updated
- golang-github-QubitProducts-exporter_exporter-0.4.0-150000.1.24.2 updated
- libavahi-common3-0.8-150600.15.15.1 updated
- ncurses-utils-6.1-150000.5.33.1 updated
- util-linux-2.39.3-150600.4.21.1 updated
- libmount1-2.39.3-150600.4.21.1 updated
- sed-4.9-150600.3.3.1 updated
- glibc-locale-base-2.38-150600.14.49.1 updated
- libgif7-5.2.2-150000.4.19.1 updated
- libcap2-2.63-150400.3.6.1 updated
- shadow-4.17.2-150600.17.18.1 updated
- libssh-config-0.9.8-150600.11.12.1 updated
- libopenssl3-3.1.4-150600.5.50.1 updated
- libncurses6-6.1-150000.5.33.1 updated
- terminfo-base-6.1-150000.5.33.1 updated
- libfreebl3-3.112.4-150400.3.66.1 updated
- libsubid5-4.17.2-150600.17.18.1 added
- libssh4-0.9.8-150600.11.12.1 updated
- glibc-2.38-150600.14.49.1 updated
- rpm-ndb-4.14.3-150400.59.16.1 added
- openssl-3-3.1.4-150600.5.50.1 updated
- libfdisk1-2.39.3-150600.4.21.1 updated
- libcurl4-8.14.1-150600.4.43.1 updated
- curl-8.14.1-150600.4.43.1 updated
- libopenssl1_1-1.1.1w-150600.5.29.1 updated
- libpng16-16-1.6.40-150600.3.20.1 updated
- libpq5-18.4-150600.13.11.1 updated
- libsss_idmap0-2.10.2-150600.3.50.1 updated
- libsss_nss_idmap0-2.10.2-150600.3.50.1 updated
- openssh-common-9.6p1-150600.6.37.1 updated
- release-notes-susemanager-5.0.8-150600.11.53.1 updated
- sudo-1.9.15p5-150600.3.15.1 updated
- susemanager-schema-utility-5.0.20-150600.3.28.3 updated
- vim-data-common-9.2.0530-150500.20.52.1 updated
- xz-5.4.1-150600.3.6.1 updated
- glibc-locale-2.38-150600.14.49.1 updated
- libavahi-client3-0.8-150600.15.15.1 updated
- ipmitool-1.8.18.238.gb7adc1d-150600.10.3.3 updated
- libtcnative-1-0-1.3.7-150600.16.3.1 updated
- libpython3_6m1_0-3.6.15-150300.10.118.1 updated
- python3-base-3.6.15-150300.10.118.1 updated
- python3-3.6.15-150300.10.118.1 updated
- python3-curses-3.6.15-150300.10.118.1 updated
- postgresql16-16.14-150600.16.33.1 updated
- libsss_certmap0-2.10.2-150600.3.50.1 updated
- bind-utils-9.18.33-150600.3.21.1 updated
- iproute2-6.4-150600.7.12.1 updated
- glibc-devel-2.38-150600.14.49.1 updated
- mozilla-nss-certs-3.112.4-150400.3.66.1 updated
- openssh-fips-9.6p1-150600.6.37.1 updated
- susemanager-docs_en-5.0.6-150600.11.24.1 updated
- spacewalk-java-lib-5.0.32-150600.3.47.6 updated
- prometheus-postgres_exporter-0.10.1-150000.1.20.2 updated
- golang-github-prometheus-node_exporter-1.10.2-150100.3.41.2 updated
- vim-9.2.0530-150500.20.52.1 updated
- apache2-prefork-2.4.66-150600.5.52.1 updated
- openssh-server-9.6p1-150600.6.37.1 updated
- openssh-clients-9.6p1-150600.6.37.1 updated
- libgnutls30-3.8.3-150600.4.20.1 updated
- python3-pyasn1-0.4.2-150000.3.16.1 updated
- adcli-0.8.2-150600.22.5.1 updated
- postgresql16-server-16.14-150600.16.33.1 updated
- mozilla-nss-3.112.4-150400.3.66.1 updated
- libsoftokn3-3.112.4-150400.3.66.1 updated
- susemanager-docs_en-pdf-5.0.6-150600.11.24.1 updated
- susemanager-schema-5.0.20-150600.3.28.3 updated
- susemanager-sync-data-5.0.15-150600.3.28.1 updated
- rsync-3.2.7-150600.3.21.1 updated
- apache2-2.4.66-150600.5.52.1 updated
- openssh-9.6p1-150600.6.37.1 updated
- grub2-2.12-150600.8.52.1 updated
- grub2-i386-pc-2.12-150600.8.52.1 updated
- postgresql16-contrib-16.14-150600.16.33.1 updated
- sssd-ldap-2.10.2-150600.3.50.1 updated
- sssd-2.10.2-150600.3.50.1 updated
- sssd-krb5-common-2.10.2-150600.3.50.1 updated
- samba-client-libs-4.19.8+git.473.51d12fd320c-150600.3.26.1 updated
- libnm0-1.44.2-150600.3.7.1 updated
- java-17-openjdk-headless-17.0.19.0-150400.3.66.2 updated
- grub2-x86_64-efi-2.12-150600.8.52.1 updated
- grub2-powerpc-ieee1275-2.12-150600.8.52.1 updated
- grub2-arm64-efi-2.12-150600.8.52.1 updated
- spacecmd-5.0.16-150600.4.24.1 updated
- spacewalk-backend-sql-postgresql-5.0.18-150600.4.29.4 updated
- uyuni-setup-reportdb-5.0.4-150600.3.3.1 updated
- sssd-krb5-2.10.2-150600.3.50.1 updated
- sssd-dbus-2.10.2-150600.3.50.1 updated
- python3-sssd-config-2.10.2-150600.3.50.1 updated
- sssd-ad-2.10.2-150600.3.50.1 updated
- typelib-1_0-NM-1_0-1.44.2-150600.3.7.1 updated
- tomcat-servlet-4_0-api-9.0.117-150200.105.1 updated
- tomcat-el-3_0-api-9.0.117-150200.105.1 updated
- java-17-openjdk-17.0.19.0-150400.3.66.2 updated
- spacewalk-base-minimal-5.0.27-150600.3.39.5 updated
- sssd-tools-2.10.2-150600.3.50.1 updated
- sssd-ipa-2.10.2-150600.3.50.1 updated
- tomcat-jsp-2_3-api-9.0.117-150200.105.1 updated
- netty-4.1.132-150200.4.43.1 updated
- python3-firewall-2.0.1-150600.3.15.1 updated
- spacewalk-base-minimal-config-5.0.27-150600.3.39.5 updated
- perl-XML-Parser-2.44-150000.3.3.1 updated
- python3-pyOpenSSL-21.0.0-150400.13.1 updated
- python3-PyJWT-2.4.0-150200.3.11.1 updated
- tomcat-lib-9.0.117-150200.105.1 updated
- log4j-2.20.0-150200.4.33.1 updated
- firewalld-2.0.1-150600.3.15.1 updated
- python3-urllib3-1.25.10-150300.4.27.1 updated
- log4j-jcl-2.20.0-150200.4.33.1 updated
- log4j-slf4j-2.20.0-150200.4.33.1 updated
- python3-requests-2.25.1-150300.3.21.1 updated
- spacewalk-backend-5.0.18-150600.4.29.4 updated
- python3-spacewalk-client-tools-5.0.13-150600.4.21.4 updated
- spacewalk-client-tools-5.0.13-150600.4.21.4 updated
- spacewalk-base-5.0.27-150600.3.39.5 updated
- postgresql-jdbc-42.2.25-150400.3.15.1 updated
- subscription-matcher-0.44-150600.3.11.1 updated
- salt-3006.0-150600.8.22.1 updated
- python3-salt-3006.0-150600.8.22.1 updated
- python3-apache-libcloud-3.3.1-150400.9.3.1 updated
- fence-agents-4.13.1+git.1704296072.32469f29-150600.3.35.1 updated
- spacewalk-backend-sql-5.0.18-150600.4.29.4 updated
- python3-spacewalk-certs-tools-5.0.14-150600.3.23.1 updated
- spacewalk-certs-tools-5.0.14-150600.3.23.1 updated
- tomcat-9.0.117-150200.105.1 updated
- salt-master-3006.0-150600.8.22.1 updated
- cobbler-3.3.3-150600.5.23.5 updated
- spacewalk-backend-server-5.0.18-150600.4.29.4 updated
- spacewalk-java-postgresql-5.0.32-150600.3.47.6 updated
- spacewalk-java-config-5.0.32-150600.3.47.6 updated
- salt-api-3006.0-150600.8.22.1 updated
- spacewalk-backend-xmlrpc-5.0.18-150600.4.29.4 updated
- spacewalk-backend-xml-export-libs-5.0.18-150600.4.29.4 updated
- spacewalk-backend-package-push-server-5.0.18-150600.4.29.4 updated
- spacewalk-backend-iss-5.0.18-150600.4.29.4 updated
- spacewalk-backend-app-5.0.18-150600.4.29.4 updated
- saltboot-formula-1.0.0-150600.3.12.1 updated
- spacewalk-html-5.0.27-150600.3.39.5 updated
- spacewalk-taskomatic-5.0.32-150600.3.47.6 updated
- spacewalk-java-5.0.32-150600.3.47.6 updated
- spacewalk-backend-iss-export-5.0.18-150600.4.29.4 updated
- billing-data-service-5.0.4-150600.3.3.1 updated
- susemanager-tools-5.0.18-150600.3.28.1 updated
- spacewalk-backend-tools-5.0.18-150600.4.29.4 updated
- spacewalk-common-5.0.5-150600.3.6.1 updated
- spacewalk-utils-5.0.9-150600.3.15.1 updated
- spacewalk-postgresql-5.0.5-150600.3.6.1 updated
- susemanager-5.0.18-150600.3.28.1 updated
More information about the sle-container-updates
mailing list