SUSE-CU-2026:2106-1: Security update of suse/manager/5.0/x86_64/server
sle-container-updates at lists.suse.com
Thu Mar 26 08:52:11 UTC 2026
SUSE Container Update Advisory: suse/manager/5.0/x86_64/server
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2026:2106-1
Container Tags : suse/manager/5.0/x86_64/server:5.0.7 , suse/manager/5.0/x86_64/server:5.0.7.7.39.2 , suse/manager/5.0/x86_64/server:latest
Container Release : 7.39.2
Severity : critical
Type : security
References : 1194037 1212476 1220899 1228081 1229003 1229147 1229655 1230348
1231335 1231335 1232351 1232783 1237181 1238217 1239557 1239787
1240017 1240871 1241284 1241901 1244003 1244011 1244177 1244449
1244937 1245302 1245667 1246011 1246025 1246315 1246602 1247432
1247544 1247722 1247850 1247858 1248356 1248586 1248783 1249041
1249425 1249657 1250224 1250417 1250553 1250553 1250561 1251865
1251995 1251995 1252098 1252318 1252388 1252638 1252645 1252665
1252908 1252937 1253004 1253174 1253174 1253197 1253230 1253249
1253278 1253285 1253322 1253347 1253501 1253659 1253659 1253660
1253703 1253711 1253712 1253738 1253773 1254157 1254158 1254159
1254160 1254202 1254251 1254293 1254297 1254299 1254400 1254401
1254425 1254441 1254480 1254511 1254512 1254514 1254515 1254563
1254589 1254662 1254666 1254670 1254866 1254867 1254878 1254997
1255048 1255089 1255176 1255298 1255340 1255427 1255446 1255491
1255588 1255588 1255634 1255653 1255715 1255731 1255732 1255733
1255734 1255743 1255764 1255781 1255857 1256070 1256070 1256105
1256243 1256244 1256246 1256297 1256331 1256341 1256389 1256390
1256427 1256437 1256498 1256499 1256500 1256525 1256526 1256766
1256803 1256805 1256807 1256808 1256809 1256811 1256812 1256822
1256830 1256834 1256834 1256835 1256835 1256836 1256836 1256837
1256837 1256838 1256838 1256839 1256839 1256840 1256840 1256902
1256991 1257005 1257029 1257031 1257034 1257036 1257037 1257038
1257041 1257042 1257044 1257046 1257049 1257144 1257173 1257255
1257329 1257329 1257337 1257349 1257353 1257354 1257355 1257364
1257365 1257396 1257442 1257442 1257463 1257496 1257509 1257538
1257593 1257594 1257595 1257717 1257841 1257841 1257897 1257897
1257941 1257960 1257992 1258002 1258008 1258008 1258009 1258009
1258010 1258010 1258011 1258011 1258012 1258020 1258022 1258045
1258049 1258054 1258080 1258081 1258083 1258136 1258229 1258319
1258345 1258371 1258385 1258387 1258392 1258568 1258754 1258754
1258859 1258893 1258913 1258942 1259051 1259057 1259250 1259313
1259362 1259363 1259364 1259365 1259381 1259418 1259475 1259650
1259697 CVE-2021-45261 CVE-2024-2312 CVE-2024-29371 CVE-2025-10158
CVE-2025-10911 CVE-2025-10911 CVE-2025-11468 CVE-2025-12084 CVE-2025-12748
CVE-2025-12816 CVE-2025-12816 CVE-2025-13151 CVE-2025-13193 CVE-2025-13465
CVE-2025-13465 CVE-2025-13601 CVE-2025-13836 CVE-2025-13837 CVE-2025-14017
CVE-2025-14087 CVE-2025-14104 CVE-2025-14512 CVE-2025-14524 CVE-2025-14819
CVE-2025-14831 CVE-2025-15079 CVE-2025-15224 CVE-2025-15281 CVE-2025-15282
CVE-2025-15366 CVE-2025-15367 CVE-2025-15444 CVE-2025-15444 CVE-2025-15467
CVE-2025-28162 CVE-2025-28164 CVE-2025-3415 CVE-2025-53906 CVE-2025-55753
CVE-2025-58098 CVE-2025-61140 CVE-2025-61140 CVE-2025-64505 CVE-2025-64506
CVE-2025-64720 CVE-2025-65018 CVE-2025-65082 CVE-2025-66200 CVE-2025-66293
CVE-2025-66418 CVE-2025-66471 CVE-2025-66614 CVE-2025-67735 CVE-2025-68156
CVE-2025-68160 CVE-2025-68160 CVE-2025-68161 CVE-2025-68276 CVE-2025-68468
CVE-2025-68471 CVE-2025-68615 CVE-2025-68973 CVE-2025-69277 CVE-2025-69418
CVE-2025-69418 CVE-2025-69419 CVE-2025-69419 CVE-2025-69420 CVE-2025-69420
CVE-2025-69421 CVE-2025-69421 CVE-2025-7709 CVE-2025-8732 CVE-2026-0672
CVE-2026-0861 CVE-2026-0865 CVE-2026-0915 CVE-2026-0964 CVE-2026-0965
CVE-2026-0966 CVE-2026-0967 CVE-2026-0968 CVE-2026-0988 CVE-2026-0989
CVE-2026-0990 CVE-2026-0992 CVE-2026-0994 CVE-2026-1484 CVE-2026-1485
CVE-2026-1489 CVE-2026-1615 CVE-2026-1615 CVE-2026-1757 CVE-2026-1965
CVE-2026-2003 CVE-2026-2003 CVE-2026-2004 CVE-2026-2004 CVE-2026-2005
CVE-2026-2005 CVE-2026-2006 CVE-2026-2006 CVE-2026-2007 CVE-2026-21441
CVE-2026-21720 CVE-2026-21721 CVE-2026-21722 CVE-2026-21925 CVE-2026-21932
CVE-2026-21933 CVE-2026-21945 CVE-2026-22185 CVE-2026-22695 CVE-2026-22795
CVE-2026-22795 CVE-2026-22796 CVE-2026-22796 CVE-2026-22801 CVE-2026-23490
CVE-2026-24515 CVE-2026-24733 CVE-2026-24734 CVE-2026-24882 CVE-2026-25210
CVE-2026-25547 CVE-2026-25547 CVE-2026-25646 CVE-2026-26269 CVE-2026-27171
CVE-2026-27606 CVE-2026-27727 CVE-2026-2781 CVE-2026-27830 CVE-2026-28417
CVE-2026-29111 CVE-2026-3184 CVE-2026-3783 CVE-2026-3784 CVE-2026-3805
CVE-2026-4105
-----------------------------------------------------------------
The container suse/manager/5.0/x86_64/server was updated. The following patches have been included in this update:
-----------------------------------------------------------------
Advisory ID: SUSE-feature-2024:2194-1
Released: Tue Jun 25 11:44:03 2024
Summary: Feature update for openldap2_5
Type: feature
Severity: moderate
References:
This update for openldap2_5 fixes the following issues:
Added initial OpenLDAP 2.5 version 2.5.17+50, (jsc#PED-7178,jsc#PED-7240)
This version is in parallel to the existing openldap 2.4 version.
The openldap 2.5 server is also shipped in the openldap2_5 package.
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:4108-1
Released: Thu Nov 28 16:13:51 2024
Summary: Recommended update for openldap2_5
Type: recommended
Severity: moderate
References: 1231335
This update for openldap2_5 fixes the following issue:
- Update openldap2.conf for tmpfiles to create
and manage /run/slapd (bsc#1231335).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:4164-1
Released: Wed Dec 4 09:18:15 2024
Summary: Recommended update for openldap2_5
Type: recommended
Severity: moderate
References: 1231335,1232783
This update for openldap2_5 fixes the following issues:
- Enable sasl passthrough authentication (bsc#1232783).
Update to upstream patch/stability fix version 2.5.18+31
* https://www.openldap.org/software/release/changes_lts.html
- slapd service does not start due to missing ldapi:// socket directory
(bsc#1231335).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2025:1328-1
Released: Wed Apr 16 11:59:33 2025
Summary: Recommended update for openldap2_5
Type: recommended
Severity: moderate
References: 1238217,1239557,1239787,1240017
This update for openldap2_5 fixes the following issues:
- Version update v2.5.18+34
- Set default ldapi path to be consistent for SUSE (bsc#1239557).
- Adding admin guide.html (bsc#1238217).
- Enable argon2id, argon2 module missing in package (bsc#1240017).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2025:4085-1
Released: Wed Nov 12 15:39:17 2025
Summary: Recommended update for openldap2_5
Type: recommended
Severity: moderate
References: 1241901
This update for openldap2_5 fixes the following issues:
Version update 2.5.20
- Enabling LTO objects for static libraries compilation.
- Upstream patch rollup (bsc#1241901).
- Re-enable libldapcpp for yast2-users.
- Add provides for openldap2-devel.
- added ppolicy-check-password module (jsc#PED-13741)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:4489-1
Released: Fri Dec 19 12:01:53 2025
Summary: Security update for netty
Type: security
Severity: moderate
References: 1255048,CVE-2025-67735
This update for netty fixes the following issues:
Update to upstream version 4.1.130.
Security issues fixed:
- CVE-2025-67735: lack of URI sanitization in `HttpRequestEncoder` allows for CRLF injection through a request URI and
can lead to request smuggling (bsc#1255048).
Other updates and bugfixes:
- Version 4.1.130:
* Update `lz4-java` version to 1.10.1
* Close `Channel` and fail bootstrap when setting a `ChannelOption` causes an error
* Discard the following `HttpContent` for preflight request
* Fix race condition in `NonStickyEventExecutorGroup` causing incorrect `inEventLoop()` results
* Fix Zstd compression for large data
* Fix `ZstdEncoder` not producing data when source is smaller than block
* Make big endian ASCII hashcode consistent with little endian
* Fix reentrancy bug in `ByteToMessageDecoder`
* Add 32k and 64k size classes to adaptive allocator
* Re-enable reflective field accesses in native images
* Correct HTTP/2 padding length check
* Fix HTTP startline validation
* Fix `MpscIntQueue` bug
- Build against the `org.jboss:jdk-misc` artifact that is implementing the `sun.misc` classes removed in Java 25
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:4494-1
Released: Fri Dec 19 14:14:12 2025
Summary: Security update for libpng16
Type: security
Severity: important
References: 1254157,1254158,1254159,1254160,1254480,CVE-2025-64505,CVE-2025-64506,CVE-2025-64720,CVE-2025-65018,CVE-2025-66293
This update for libpng16 fixes the following issues:
- CVE-2025-65018: Fixed heap buffer overflow in `png_combine_row` triggered via `png_image_finish_read` (bsc#1254160)
- CVE-2025-66293: Fixed LIBPNG out-of-bounds read in `png_image_read_composite` (bsc#1254480)
- CVE-2025-64506: Fixed heap buffer over-read in `png_write_image_8bit` with 8-bit input and `convert_to_8bit` enabled (bsc#1254158)
- CVE-2025-64720: Fixed buffer overflow in `png_image_read_composite` via incorrect palette premultiplication (bsc#1254159)
- CVE-2025-64505: Fixed heap buffer over-read in `png_do_quantize` via malformed palette index (bsc#1254157)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:4511-1
Released: Tue Dec 23 13:14:27 2025
Summary: Security update for rsync
Type: security
Severity: moderate
References: 1254441,CVE-2025-10158
This update for rsync fixes the following issues:
- CVE-2025-10158: Fixed out-of-bounds array access via negative index (bsc#1254441)
-----------------------------------------------------------------
Advisory ID: SUSE-OU-2025:4513-1
Released: Tue Dec 23 14:36:56 2025
Summary: Optional update for python3-ldap
Type: optional
Severity: low
References: 1252645
This update for python3-ldap fixes the following issue:
- ship package in correct versions to match the quarterly refresh.
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:18-1
Released: Mon Jan 5 11:52:25 2026
Summary: Security update for glib2
Type: security
Severity: important
References: 1254297,1254662,1254878,CVE-2025-13601,CVE-2025-14087,CVE-2025-14512
This update for glib2 fixes the following issues:
- CVE-2025-14512: integer overflow in the GIO `escape_byte_string()` function when processing malicious files or remote
filesystem attribute values can lead to denial-of-service (bsc#1254878).
- CVE-2025-14087: buffer underflow in the GVariant parser `bytestring_parse()` and `string_parse()` functions when
processing attacker-influenced data may lead to crash or code execution (bsc#1254662).
- CVE-2025-13601: heap-based buffer overflow in the `g_escape_uri_string()` function when processing strings with a
large number of unacceptable characters may lead to crash or code execution (bsc#1254297).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:20-1
Released: Mon Jan 5 12:08:28 2026
Summary: Security update for apache2
Type: security
Severity: important
References: 1254511,1254512,1254514,1254515,CVE-2025-55753,CVE-2025-58098,CVE-2025-65082,CVE-2025-66200
This update for apache2 fixes the following issues:
- CVE-2025-55753: Fixed mod_md (ACME) unintended retry intervals (bsc#1254511)
- CVE-2025-65082: Fixed CGI environment variable override (bsc#1254514)
- CVE-2025-58098: Fixed Server Side Includes adding query string to #exec cmd=... (bsc#1254512)
- CVE-2025-66200: Fixed mod_userdir+suexec bypass via AllowOverride FileInfo (bsc#1254515)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:27-1
Released: Mon Jan 5 13:45:08 2026
Summary: Security update for python3
Type: security
Severity: moderate
References: 1254400,1254401,1254997,CVE-2025-12084,CVE-2025-13836,CVE-2025-13837
This update for python3 fixes the following issues:
- CVE-2025-12084: cpython: Fixed quadratic algorithm in xml.dom.minidom leading to denial of service (bsc#1254997)
- CVE-2025-13836: Fixed default Content-Length read amount from HTTP response (bsc#1254400)
- CVE-2025-13837: Fixed plistlib module denial of service (bsc#1254401)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:50-1
Released: Wed Jan 7 10:28:14 2026
Summary: Security update for curl
Type: security
Severity: moderate
References: 1255731,1255732,1255733,1255734,CVE-2025-14524,CVE-2025-14819,CVE-2025-15079,CVE-2025-15224
This update for curl fixes the following issues:
- CVE-2025-14524: bearer token leak on cross-protocol redirect (bsc#1255731).
- CVE-2025-14819: libssh global knownhost override (bsc#1255732).
- CVE-2025-15079: libssh key passphrase bypass without agent set (bsc#1255733).
- CVE-2025-15224: OpenSSL partial chain store policy bypass (bsc#1255734).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2026:55-1
Released: Wed Jan 7 16:11:00 2026
Summary: Recommended update for sssd
Type: recommended
Severity: moderate
References: 1230348
This update for sssd fixes the following issues:
- Fix sssctl config-check exit code when the conf.d snippets directory does not exist (bsc#1230348)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:68-1
Released: Thu Jan 8 13:22:38 2026
Summary: Security update for libvirt
Type: security
Severity: moderate
References: 1253278,1253703,CVE-2025-12748,CVE-2025-13193
This update for libvirt fixes the following issues:
- CVE-2025-13193: Fixed umask for 'qemu-img' when creating external inactive snapshots (bsc#1253703)
- CVE-2025-12748: Fixed: check ACLs before parsing the whole domain XML (bsc#1253278)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:77-1
Released: Thu Jan 8 20:03:59 2026
Summary: Security update for curl
Type: security
Severity: moderate
References: 1256105,CVE-2025-14017
This update for curl fixes the following issues:
- CVE-2025-14017: Fixed broken TLS options for threaded LDAPS (bsc#1256105).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:115-1
Released: Mon Jan 12 16:03:42 2026
Summary: Security update for util-linux
Type: security
Severity: moderate
References: 1254666,CVE-2025-14104
This update for util-linux fixes the following issues:
- CVE-2025-14104: Fixed heap buffer overread in setpwnam() when processing 256-byte usernames (bsc#1254666).
- lscpu: Add support for NVIDIA Olympus arm64 core (jsc#PED-13682).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:215-1
Released: Thu Jan 22 13:10:16 2026
Summary: Security update for gpg2
Type: security
Severity: important
References: 1255715,1256243,1256244,1256246,1256390,CVE-2025-68973
This update for gpg2 fixes the following issues:
- CVE-2025-68973: Fix possible memory corruption in the armor parser (gpg.fail/memcpy)(bsc#1255715).
- Avoid potential downgrade to SHA1 in 3rd party key signatures (gpg.fail/sha1) (bsc#1256246).
- Error out on unverified output for non-detached signatures (gpg.fail/detached) (bsc#1256244).
- Fix a memory leak in gpg2 agent (bsc#1256243).
- Fix Cleartext Signature Forgery in the NotDashEscaped header implementation in GnuPG (gpg.fail/notdash) (bsc#1256390).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:223-1
Released: Thu Jan 22 13:17:49 2026
Summary: Security update for libsodium
Type: security
Severity: moderate
References: 1256070,CVE-2025-15444
This update for libsodium fixes the following issues:
- CVE-2025-15444: fixed cryptographic bypass via improper elliptic curve point validation (bsc#1256070).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:224-1
Released: Thu Jan 22 13:18:20 2026
Summary: Security update for libtasn1
Type: security
Severity: moderate
References: 1256341,CVE-2025-13151
This update for libtasn1 fixes the following issues:
- CVE-2025-13151: stack-based buffer overflow in `asn1_expend_octet_string` (bsc#1256341).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:228-1
Released: Thu Jan 22 13:21:51 2026
Summary: Security update for net-snmp
Type: security
Severity: important
References: 1255491,CVE-2025-68615
This update for net-snmp fixes the following issues:
- CVE-2025-68615: Fixed snmptrapd buffer overflow (bsc#1255491)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:234-1
Released: Thu Jan 22 13:24:43 2026
Summary: Security update for libpng16
Type: security
Severity: moderate
References: 1256525,1256526,CVE-2026-22695,CVE-2026-22801
This update for libpng16 fixes the following issues:
- CVE-2026-22695: Fixed heap buffer over-read in png_image_finish_read (bsc#1256525)
- CVE-2026-22801: Fixed integer truncation causing heap buffer over-read in png_image_write_* (bsc#1256526).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:254-1
Released: Thu Jan 22 17:08:23 2026
Summary: Security update for log4j
Type: security
Severity: moderate
References: 1255427,CVE-2025-68161
This update for log4j fixes the following issues:
Security fixes:
- CVE-2025-68161: Fixed absent TLS hostname verification
that may allow a man-in-the-middle attack (bsc#1255427)
Other fixes:
- Upgrade to 2.18.0
* Added
+ Add support for Jakarta Mail API in the SMTP appender.
+ Add support for custom Log4j 1.x levels.
+ Add support for adding and retrieving appenders in Log4j 1.x
bridge.
+ Add support for custom LMAX disruptor WaitStrategy
configuration.
+ Add support for Apache Extras' RollingFileAppender in Log4j
1.x bridge.
+ Add MutableThreadContextMapFilter.
+ Add support for 24 colors in highlighting
* Changed
+ Improves ServiceLoader support on servlet containers.
+ Make the default disruptor WaitStrategy used by Async Loggers
garbage-free.
+ Do not throw UnsupportedOperationException when JUL
ApiLogger::setLevel is called.
+ Support Spring 2.6.x.
+ Move perf tests to log4j-core-its
+ Upgrade the Flume Appender to Flume 1.10.0
* Fixed
+ Fix minor typo #792.
+ Improve validation and reporting of configuration errors.
+ Allow enterprise id to be an OID fragment.
+ Fix problem with non-uppercase custom levels.
+ Avoid ClassCastException in JeroMqManager with custom
LoggerContextFactory #791.
+ DirectWriteRolloverStrategy should use the current time when
creating files.
+ Fixes the syslog appender in Log4j 1.x bridge, when used with
a custom layout.
+ log4j-1.2-api 2.17.2 throws NullPointerException while
removing appender with name as null.
+ Improve JsonTemplateLayout performance.
+ Fix resolution of non-Log4j properties.
+ Fixes Spring Boot logging system registration in a
multi-application environment.
+ JAR file containing Log4j configuration isn't closed.
+ Properties defined in configuration using a value attribute
(as opposed to element) are read correctly.
+ Syslog appender lacks the SocketOptions setting.
+ Log4j 1.2 bridge should not wrap components unnecessarily.
+ Update 3rd party dependencies for 2.18.0.
+ SizeBasedTriggeringPolicy would fail to rename files properly
when integer pattern contained a leading zero.
+ Fixes default SslConfiguration, when a custom keystore is
used.
+ Fixes appender concurrency problems in Log4j 1.x bridge.
+ Fix and test for race condition in FileUtils.mkdir().
+ LocalizedMessage logs misleading errors on the console.
+ Add missing message parameterization in RegexFilter.
+ Add the missing context stack to JsonLayout template.
+ HttpWatcher did not pass credentials when polling.
+ UrlConnectionFactory.createConnection now accepts an
AuthorizationProvider as a parameter.
+ The DirectWriteRolloverStrategy was not detecting the correct
index to use during startup.
+ Async Loggers were including the location information by
default.
+ ClassArbiter's newBuilder method referenced the wrong class.
+ Don't use Paths.get() to avoid circular file systems.
+ Fix parsing error, when XInclude is disabled.
+ Fix LevelRangeFilterBuilder to align with log4j1's behavior.
+ Fixes problem with wrong ANSI escape code for bright colors
+ Log4j 1.2 bridge should generate Log4j 2.x messages based on
the parameter runtime type.
- Update to 2.19.0
* Added
+ Add implementation of SLF4J2 fluent API.
+ Add support for SLF4J2 stack-valued MDC.
* Changed
+ Add getExplicitLevel method to LoggerConfig.
+ Allow PropertySources to be added.
+ Allow Plugins to be injected with the LoggerContext reference.
* Fixed
+ Add correct manifest entries for OSGi to log4j-jcl
+ Improve support for passwordless keystores.
+ SystemPropertyArbiter was assigning the value as the name.
+ Make JsonTemplateLayout stack trace truncation operate for
each label block.
+ Fix recursion between Log4j 1.2 LogManager and Category.
+ Fix resolution of properties not starting with log4j2..
+ Logger$PrivateConfig.filter(Level, Marker, String) was
allocating empty varargs array.
+ Allows a space separated list of style specifiers in the
%style pattern for consistency with %highlight.
+ Fix NPE in log4j-to-jul in the case the root logger level is
null.
+ Fix RollingRandomAccessFileAppender with
DirectWriteRolloverStrategy can't create the first log file of
different directory.
+ Generate new SSL certs for testing.
+ Fix ServiceLoaderUtil behavior in the presence of a
SecurityManager.
+ Fix regression in Rfc5424Layout default values.
+ Harden InstantFormatter against delegate failures.
+ Add async support to Log4jServletFilter.
* Removed
+ Removed build page in favor of a single build instructions
file.
+ Remove SLF4J 1.8.x binding.
- Update to 2.20.0
* Added
+ Add support for timezones in RollingFileAppender date pattern
+ Add LogEvent timestamp to ProducerRecord in KafkaAppender
+ Add PatternLayout support for abbreviating the name of all
logger components except the 2 rightmost
+ Removes internal field that leaked into public API.
+ Add a LogBuilder#logAndGet() method to emulate the
Logger#traceEntry method.
* Changed
+ Simplify site generation
+ Switch the issue tracker from JIRA to GitHub Issues
+ Remove liquibase-log4j2 maven module
+ Fix order of stacktrace elements, that causes cache misses in
ThrowableProxyHelper.
+ Switch from com.sun.mail to Eclipse Angus.
+ Add Log4j2 Core as default runtime dependency of the
SLF4J2-to-Log4j2 API bridge.
+ Replace maven-changes-plugin with a custom changelog
implementation
+ Moved log4j-api and log4j-core artifacts with classifier tests
to log4j-api-test and log4j-core-test respectively.
* Deprecated
+ Deprecate support for package scanning for plugins
* Fixed
+ Copy programmatically supplied location even if
includeLocation='false'.
+ Eliminate status logger warning, when disableAnsi or
noConsoleNoAnsi is used the style and highlight patterns.
+ Fix detection of location requirements in RewriteAppender.
+ Replace regex with manual code to escape characters in
Rfc5424Layout.
+ Fix java.sql.Time object formatting in MapMessage
+ Fix previous fire time computation in CronTriggeringPolicy
+ Correct default to not include location for AsyncRootLoggers
+ Make StatusConsoleListener use SimpleLogger internally.
+ Lazily evaluate the level of a SLF4J LogEventBuilder
+ Fixes priority of Legacy system properties, which are now back
to having higher priority than Environment variables.
+ Protects ServiceLoaderUtil from unchecked ServiceLoader
exceptions.
+ Fix Configurator#setLevel for internal classes
+ Fix level propagation in Log4jBridgeHandler
+ Disable OsgiServiceLocator if not running in OSGI container.
+ When using a Date Lookup in the file pattern the current time
should be used.
+ Fixed LogBuilder filtering in the presence of global filters.
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:256-1
Released: Thu Jan 22 17:08:54 2026
Summary: Security update for openldap2_5
Type: security
Severity: moderate
References: 1256297,CVE-2026-22185
This update for openldap2_5 fixes the following issues:
Security fixes:
- CVE-2026-22185: Fixed possible crash in malicious DB (bsc#1256297)
Other fixes:
- Update to version 2.5.20+11:
* ITS#10421 mdb_load: check for malicious input
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:259-1
Released: Thu Jan 22 17:10:44 2026
Summary: Security update for avahi
Type: security
Severity: moderate
References: 1256498,1256499,1256500,CVE-2025-68276,CVE-2025-68468,CVE-2025-68471
This update for avahi fixes the following issues:
- CVE-2025-68276: Fixed: refuse to create wide-area record browsers when
wide-area is off (bsc#1256498)
- CVE-2025-68471: Fixed DoS bug by changing assert to return (bsc#1256500)
- CVE-2025-68468: Fixed DoS bug by removing incorrect assertion (bsc#1256499)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:286-1
Released: Sat Jan 24 00:35:35 2026
Summary: Security update for glib2
Type: security
Severity: low
References: 1257049,CVE-2026-0988
This update for glib2 fixes the following issues:
- CVE-2026-0988: Fixed a potential integer overflow in g_buffered_input_stream_peek (bsc#1257049).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:312-1
Released: Wed Jan 28 10:37:55 2026
Summary: Security update for openssl-3
Type: security
Severity: critical
References: 1256830,1256834,1256835,1256836,1256837,1256838,1256839,1256840,CVE-2025-15467,CVE-2025-68160,CVE-2025-69418,CVE-2025-69419,CVE-2025-69420,CVE-2025-69421,CVE-2026-22795,CVE-2026-22796
This update for openssl-3 fixes the following issues:
- CVE-2025-15467: Stack buffer overflow in CMS AuthEnvelopedData parsing (bsc#1256830).
- CVE-2025-68160: Heap out-of-bounds write in BIO_f_linebuffer on short writes (bsc#1256834).
- CVE-2025-69418: Unauthenticated/unencrypted trailing bytes with low-level OCB function calls (bsc#1256835).
- CVE-2025-69419: Out of bounds write in PKCS12_get_friendlyname() UTF-8 conversion (bsc#1256836).
- CVE-2025-69420: Missing ASN1_TYPE validation in TS_RESP_verify_response() function (bsc#1256837).
- CVE-2025-69421: NULL Pointer Dereference in PKCS12_item_decrypt_d2i_ex function (bsc#1256838).
- CVE-2026-22795: Missing ASN1_TYPE validation in PKCS#12 parsing (bsc#1256839).
- CVE-2026-22796: ASN1_TYPE Type Confusion in the PKCS7_digest_from_attributes() function (bsc#1256840).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2026:324-1
Released: Wed Jan 28 15:53:56 2026
Summary: Recommended update for supportutils
Type: recommended
Severity: important
References: 1232351,1241284,1244003,1244011,1244937,1245667,1246011,1246025,1249657,1250224,1252318,1254425
This update for supportutils fixes the following issues:
- Changes to version 3.2.12
* Optimized lsof usage and honors OPTION_OFILES (bsc#1232351)
* Run in containers without errors (bsc#1245667)
* Removed pmap PID from memory.txt (bsc#1246011)
* Added missing /proc/pagetypeinfo to memory.txt (bsc#1246025)
* Improved database performance with kGraft patching (bsc#1249657)
* Using last boot for journalctl for optimization (bsc#1250224)
* Fixed extraction failures (bsc#1252318)
* Update supportconfig.conf path in docs (bsc#1254425)
* drm_sub_info: Catch error when dir doesn't exist
* Replace remaining `egrep` with `grep -E`
* Add process affinity to slert logs
* Reintroduce cgroup statistics (and v2)
* Minor changes to basic-health-check: improve information level
* Collect important machine health counters
* powerpc: collect hot-pluggable PCI and PHB slots
* podman: collect podman disk usage
* Exclude binary files in crondir
* kexec/kdump: collect everything under /sys/kernel/kexec dir
* Use short-iso for journalctl
- Changes to version 3.2.11
* Collect rsyslog frule files (bsc#1244003)
* Remove proxy passwords (bsc#1244011)
* Missing NetworkManager information (bsc#1241284)
* Include agama logs (bsc#1244937)
* Additional NFS conf files
* New fadump sysfs files
* Fixed change log dates
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:346-1
Released: Fri Jan 30 10:01:27 2026
Summary: Security update for openssl-1_1
Type: security
Severity: moderate
References: 1256834,1256835,1256836,1256837,1256838,1256839,1256840,CVE-2025-68160,CVE-2025-69418,CVE-2025-69419,CVE-2025-69420,CVE-2025-69421,CVE-2026-22795,CVE-2026-22796
This update for openssl-1_1 fixes the following issues:
- CVE-2026-22795: Missing ASN1_TYPE validation in PKCS#12 parsing (bsc#1256839).
- CVE-2025-69420: Missing ASN1_TYPE validation in TS_RESP_verify_response() function (bsc#1256837).
- CVE-2025-69421: NULL Pointer Dereference in PKCS12_item_decrypt_d2i_ex function (bsc#1256838).
- CVE-2026-22796: ASN1_TYPE Type Confusion in the PKCS7_digest_from_attributes() function (bsc#1256840).
- CVE-2025-68160: Heap out-of-bounds write in BIO_f_linebuffer on short writes (bsc#1256834).
- CVE-2025-69418: Unauthenticated/unencrypted trailing bytes with low-level OCB function calls (bsc#1256835).
- CVE-2025-69419: Out of bounds write in PKCS12_get_friendlyname() UTF-8 conversion (bsc#1256836).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:364-1
Released: Tue Feb 3 10:50:53 2026
Summary: Security update for libpng16
Type: security
Severity: moderate
References: 1257364,1257365,CVE-2025-28162,CVE-2025-28164
This update for libpng16 fixes the following issues:
- CVE-2025-28162: memory leaks when running `pngimage` (bsc#1257364).
- CVE-2025-28164: memory leaks when running `pngimage` (bsc#1257365).
- CVE-2026-22695: Fixed heap buffer over-read in png_image_finish_read (bsc#1256525).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:368-1
Released: Tue Feb 3 14:40:37 2026
Summary: Security update for libsodium
Type: security
Severity: moderate
References: 1255764,1256070,CVE-2025-15444,CVE-2025-69277
This update for libsodium fixes the following issues:
- CVE-2025-15444: Fixed cryptographic bypass via improper elliptic curve point validation (bsc#1256070).
- CVE-2025-69277: Fixed incorrect validation of elliptic curve points in crypto_core_ed25519_is_valid_point function (bsc#1255764).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:371-1
Released: Tue Feb 3 19:08:49 2026
Summary: Security update for glibc
Type: security
Severity: important
References: 1256437,1256766,1256822,1257005,CVE-2025-15281,CVE-2026-0861,CVE-2026-0915
This update for glibc fixes the following issues:
Security fixes:
- CVE-2026-0861: Fixed inadequate size check in the memalign suite may result in an integer overflow (bsc#1256766).
- CVE-2026-0915: Fixed uninitialized stack buffer used as DNS query name when net==0 in _nss_dns_getnetbyaddr_r (bsc#1256822).
- CVE-2025-15281: Fixed uninitialized memory may cause the process abort (bsc#1257005).
Other fixes:
- NPTL: Optimize trylock for high cache contention workloads (bsc#1256437).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:373-1
Released: Wed Feb 4 03:50:41 2026
Summary: Security update for glib2
Type: security
Severity: important
References: 1257353,1257354,1257355,CVE-2026-1484,CVE-2026-1485,CVE-2026-1489
This update for glib2 fixes the following issues:
- CVE-2026-1485: Fixed buffer underflow and out-of-bounds access due to integer wraparound in content type parsing (bsc#1257354).
- CVE-2026-1484: Fixed buffer underflow and out-of-bounds access due to miscalculated buffer boundaries in the Base64 encoding routine (bsc#1257355).
- CVE-2026-1489: Fixed undersized heap allocation followed by out-of-bounds access due to integer overflow in Unicode case conversion (bsc#1257353).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:374-1
Released: Wed Feb 4 08:03:34 2026
Summary: Security update for protobuf
Type: security
Severity: moderate
References: 1257173,CVE-2026-0994
This update for protobuf fixes the following issues:
- CVE-2026-0994: Fixed google.protobuf.Any recursion depth bypass in Python json_format.ParseDict (bsc#1257173).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:391-1
Released: Thu Feb 5 15:23:42 2026
Summary: Security update for libxml2
Type: security
Severity: low
References: 1256805,CVE-2026-0989
This update for libxml2 fixes the following issues:
- CVE-2026-0989: Fixed call stack exhaustion leading to application
crash due to RelaxNG parser not limiting the recursion depth when
resolving `<include>` directives (bsc#1256805)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2026:407-1
Released: Mon Feb 9 07:43:45 2026
Summary: Recommended update for systemd
Type: recommended
Severity: important
References: 1228081,1244449,1248356,1254202,1254293,1254563,1256427
This update for systemd fixes the following issues:
- Name libsystemd-{shared,core} based on the major version of systemd and
the package release number (bsc#1228081, bsc#1256427)
This way, both the old and new versions of the shared libraries will be
present during the update. This should prevent issues during package updates
when incompatible changes are introduced in the new versions of the shared libraries.
- detect-virt: bare-metal GCE only for x86 and i386 (bsc#1254293)
- timer: rebase last_trigger timestamp if needed
- timer: rebase the next elapse timestamp only if timer didn't already run
- timer: don't run service immediately after restart of a timer (bsc#1254563)
- test: check the next elapse timer timestamp after deserialization
- test: restarting elapsed timer shouldn't trigger the corresponding service
- Reintroduce systemd-network as a transitional dummy package containing no files (bsc#1254202)
The contents of this package were split into two independent packages:
systemd-networkd and systemd-resolved. However, the initial replacement caused
both network services to be disabled. Consequently, the original package has
been restored as an empty transitional package to prevent the disabling of the services.
It can be safely removed once the update is complete.
- units: don't force the loading of the loop and dm_mod modules in systemd-repart.service (bsc#1248356)
- units: add dep on systemd-logind.service by user@.service
- detect-virt: add bare-metal support for GCE (bsc#1244449)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:415-1
Released: Tue Feb 10 09:35:19 2026
Summary: Security update for java-17-openjdk
Type: security
Severity: important
References: 1255446,1257034,1257036,1257037,1257038,CVE-2026-21925,CVE-2026-21932,CVE-2026-21933,CVE-2026-21945
This update for java-17-openjdk fixes the following issues:
Upgrade to upstream tag jdk-17.0.18+8 (January 2026 CPU)
Security fixes:
- CVE-2026-21925: Fixed Oracle Java SE component RMI (bsc#1257034).
- CVE-2026-21932: Fixed Oracle Java SE component AWT and JavaFX (bsc#1257036).
- CVE-2026-21933: Fixed Oracle Java SE component Networking (bsc#1257037).
- CVE-2026-21945: Fixed Oracle Java SE component Security (bsc#1257038).
Other fixes:
- OpenJDK rendering blue borders when it should not, due to missing the fix for JDK-6304250 from upstream (bsc#1255446).
- Do not depend on update-desktop-files (jsc#PED-14507, jsc#PED-15216).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:430-1
Released: Wed Feb 11 09:43:42 2026
Summary: Security update for python-pyasn1
Type: security
Severity: important
References: 1256902,CVE-2026-23490
This update for python-pyasn1 fixes the following issues:
- CVE-2026-23490: Fixed malformed RELATIVE-OID with excessive continuation
octets leading to Denial of Service (bsc#1256902)
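The format behind this CVE is easy to get wrong: each arc of a RELATIVE-OID is base-128 with the high bit set on every octet but the last, so a decoder that simply keeps shifting and or-ing will happily grow an arbitrary-precision integer for as many continuation octets as the peer sends. Below is an added example, not pyasn1's code, of a decoder that rejects non-minimal (0x80-padded) arcs as X.690 requires and additionally caps the number of continuation octets per arc. The cap of 9, the tag constant and the sample TLVs are assumptions constructed for this illustration.

```python
# Added example (not pyasn1's code): decode a BER/DER RELATIVE-OID while
# bounding the number of continuation octets per arc. Each arc is base-128,
# most significant group first; every octet except the last has bit 7 set.
# Without a bound, a run of 0x80/0xFF octets makes the accumulator grow
# without limit, which is the resource-exhaustion pattern described above.

# Assumption: 9 continuation octets (10 octets total) cover any 64-bit arc.
MAX_CONTINUATION_OCTETS = 9
RELATIVE_OID_TAG = 0x0D  # universal tag 13


class OidDecodeError(ValueError):
    """Raised for malformed or over-long RELATIVE-OID encodings."""


def decode_relative_oid_content(content: bytes,
                                max_continuation: int = MAX_CONTINUATION_OCTETS) -> tuple:
    """Return the arcs of a RELATIVE-OID from its content octets."""
    arcs = []
    value = 0
    continuation = 0
    for octet in content:
        if continuation == 0 and octet == 0x80:
            # X.690 8.19.2: the leading octet of an arc must not be 0x80,
            # so leading padding octets are rejected outright.
            raise OidDecodeError("non-minimal arc encoding (leading 0x80)")
        if octet & 0x80:
            continuation += 1
            if continuation > max_continuation:
                raise OidDecodeError(
                    f"arc uses more than {max_continuation} continuation octets")
            value = (value << 7) | (octet & 0x7F)
        else:
            arcs.append((value << 7) | octet)
            value = 0
            continuation = 0
    if continuation:
        raise OidDecodeError("truncated arc: last octet still has the continuation bit set")
    if not arcs:
        raise OidDecodeError("RELATIVE-OID must contain at least one arc")
    return tuple(arcs)


def decode_relative_oid(data: bytes,
                        max_continuation: int = MAX_CONTINUATION_OCTETS) -> tuple:
    """Decode a complete TLV (tag 0x0D, definite length) and return its arcs."""
    if len(data) < 2 or data[0] != RELATIVE_OID_TAG:
        raise OidDecodeError("expected RELATIVE-OID tag 0x0D")
    first = data[1]
    if first & 0x80 == 0:
        length, offset = first, 2                      # short-form length
    else:
        n = first & 0x7F
        if n == 0 or n > 4:
            raise OidDecodeError("indefinite or oversized length field")
        if len(data) < 2 + n:
            raise OidDecodeError("truncated length field")
        length = int.from_bytes(data[2:2 + n], "big")  # long-form length
        offset = 2 + n
    content = data[offset:offset + length]
    if len(content) != length:
        raise OidDecodeError("content shorter than declared length")
    return decode_relative_oid_content(content, max_continuation)


# Constructed sample inputs (not taken from the advisory or from pyasn1).
GOOD_TLV = bytes([0x0D, 0x03, 0x2A, 0x86, 0x48])                 # arcs 42, 840
PADDED_TLV = bytes([0x0D, 0x05, 0x80, 0x80, 0x80, 0x80, 0x01])   # leading 0x80 padding
EXCESSIVE_TLV = bytes([0x0D, 0x82, 0x04, 0x01]) + b"\xFF" * 0x400 + b"\x01"


def classify(tlv: bytes) -> str:
    """Return 'ok' or the rejection reason; handy for quick checks."""
    try:
        decode_relative_oid(tlv)
        return "ok"
    except OidDecodeError as exc:
        return str(exc)


if __name__ == "__main__":
    for sample in (GOOD_TLV, PADDED_TLV, EXCESSIVE_TLV):
        print(len(sample), "bytes:", classify(sample))
```

The EXCESSIVE_TLV case is the shape of a pathological input: 1024 continuation octets for a single arc. With the cap, decoding stops after ten octets instead of building a 7000-bit integer.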
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:432-1
Released: Wed Feb 11 10:11:56 2026
Summary: Security update for sqlite3
Type: security
Severity: moderate
References: 1248586,1254670,CVE-2025-7709
This update for sqlite3 fixes the following issues:
- Update to v3.51.2:
- CVE-2025-7709: Fixed an integer overflow in the FTS5 extension. (bsc#1254670)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:434-1
Released: Wed Feb 11 10:23:18 2026
Summary: Security update for gpg2
Type: security
Severity: important
References: 1256389,1257396,CVE-2026-24882
This update for gpg2 fixes the following issues:
Security fixes:
- CVE-2026-24882: Fixed stack-based buffer overflow in TPM2
PKDECRYPT for TPM-backed RSA and ECC keys (bsc#1257396)
- Fixed GnuPG accepting Path Separators and Path Traversals in Literal
Data 'Filename' Field (bsc#1256389)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:443-1
Released: Wed Feb 11 10:46:43 2026
Summary: Security update for python-urllib3
Type: security
Severity: moderate
References: 1254866,1254867,1256331,CVE-2025-66418,CVE-2025-66471,CVE-2026-21441
This update for python-urllib3_1 fixes the following issues:
- CVE-2025-66471: excessive resource consumption via decompression of highly compressed data in Streaming API (bsc#1254867).
- CVE-2025-66418: resource exhaustion via unbounded number of links in the decompression chain (bsc#1254866).
- CVE-2026-21441: excessive resource consumption during decompression of data in HTTP redirect responses (bsc#1256331).
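All three fixes are bounds on decompression: a cap on how much decoded output a response may produce, and a cap on how many codings a Content-Encoding chain may name. The following is an added example, not urllib3's code, of a body decoder that enforces both; it uses zlib's max_length streaming interface so that an over-sized body is rejected before it is fully inflated. The two limits, the chunk size and the sample bodies are assumptions constructed for this illustration.

```python
# Added example (not urllib3's code): decode an HTTP body whose
# Content-Encoding names a chain of codings, bounding both the chain length
# and the number of bytes that decompression may produce.
import gzip
import zlib

MAX_ENCODING_LINKS = 3               # assumption: chained codings we accept
MAX_DECODED_BYTES = 4 * 1024 * 1024  # assumption: output cap per response
READ_CHUNK = 64 * 1024               # output requested per decompress() call


class DecodeError(ValueError):
    """Raised when a body is rejected instead of decoded."""


def parse_content_encoding(header: str, max_links: int = MAX_ENCODING_LINKS) -> list:
    """Split 'deflate, gzip' into its codings, enforcing a maximum chain length."""
    codings = [c.strip().lower() for c in header.split(",") if c.strip()]
    if len(codings) > max_links:
        raise DecodeError(f"{len(codings)} chained codings exceed limit of {max_links}")
    for coding in codings:
        if coding not in ("gzip", "x-gzip", "deflate", "identity"):
            raise DecodeError(f"unsupported content coding {coding!r}")
    return codings


def _decompressor(coding: str):
    if coding in ("gzip", "x-gzip"):
        return zlib.decompressobj(16 + zlib.MAX_WBITS)  # gzip wrapper
    return zlib.decompressobj()  # 'deflate' with zlib wrapper (RFC 1950)


def _inflate_bounded(decomp, data: bytes, max_bytes: int) -> bytes:
    """Inflate one layer, never holding more than max_bytes (+ one chunk) of output."""
    out = bytearray()
    pending = data
    while not decomp.eof:
        try:
            piece = decomp.decompress(pending, READ_CHUNK)
        except zlib.error as exc:
            raise DecodeError(f"corrupt compressed data: {exc}") from exc
        pending = decomp.unconsumed_tail  # input zlib did not get to yet
        if not piece and not pending:
            raise DecodeError("truncated compressed stream")
        out += piece
        if len(out) > max_bytes:
            raise DecodeError(f"decoded size exceeds limit of {max_bytes} bytes")
    if decomp.unused_data:
        raise DecodeError("trailing garbage after compressed stream")
    return bytes(out)


def decode_body(body: bytes, content_encoding: str,
                max_bytes: int = MAX_DECODED_BYTES,
                max_links: int = MAX_ENCODING_LINKS) -> bytes:
    """Undo the codings listed in Content-Encoding, last-applied first."""
    data = body
    for coding in reversed(parse_content_encoding(content_encoding, max_links)):
        if coding == "identity":
            continue
        data = _inflate_bounded(_decompressor(coding), data, max_bytes)
    return data


# Constructed sample bodies (not from the advisory or from urllib3).
SAMPLE_PAYLOAD = b"hello world " * 100


def constructed_chain_body() -> tuple:
    """Payload compressed with deflate, then gzip: Content-Encoding 'deflate, gzip'."""
    return gzip.compress(zlib.compress(SAMPLE_PAYLOAD)), "deflate, gzip"


def constructed_bomb(decoded_size: int) -> bytes:
    """A small gzip stream that inflates to decoded_size zero bytes."""
    return gzip.compress(b"\x00" * decoded_size)


def try_decode(body: bytes, content_encoding: str, **limits) -> str:
    """'ok' if the body decodes within the limits, else the rejection reason."""
    try:
        decode_body(body, content_encoding, **limits)
        return "ok"
    except DecodeError as exc:
        return str(exc)


if __name__ == "__main__":
    body, enc = constructed_chain_body()
    print(try_decode(body, enc))
    print(try_decode(constructed_bomb(1024 * 1024), "gzip", max_bytes=64 * 1024))
    print(try_decode(b"", "gzip, gzip, gzip, gzip"))
```

Note that the output cap is checked after every chunk, so the decoder holds at most max_bytes plus one READ_CHUNK before giving up; a 1 MiB bomb with a 64 KiB cap is rejected after two chunks, not after the whole stream has been inflated.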
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:570-1
Released: Tue Feb 17 17:38:47 2026
Summary: Security update for libxml2
Type: security
Severity: moderate
References: 1247850,1247858,1250553,1256807,1256808,1256809,1256811,1256812,1257593,1257594,1257595,CVE-2025-10911,CVE-2025-8732,CVE-2026-0990,CVE-2026-0992,CVE-2026-1757
This update for libxml2 fixes the following issues:
- CVE-2026-0990: Fixed a call stack overflow leading to application crash due to infinite recursion in `xmlCatalogXMLResolveURI`. (bsc#1256807, bsc#1256811)
- CVE-2026-0992: Fixed an excessive resource consumption when processing XML catalogs due to exponential behavior. (bsc#1256809, bsc#1256812)
- CVE-2026-1757: Fixed a memory leak in the `xmllint` interactive shell. (bsc#1257594, bsc#1257595)
- CVE-2025-10911: Fixed a use-after-free with key data stored cross-RVT. (bsc#1250553)
- CVE-2025-8732: Fixed an infinite recursion in catalog parsing functions when processing malformed SGML catalog files. (bsc#1247858)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:597-1
Released: Mon Feb 23 16:58:08 2026
Summary: Security update for libpng16
Type: security
Severity: important
References: 1258020,CVE-2026-25646
This update for libpng16 fixes the following issues:
- CVE-2026-25646: heap buffer overflow vulnerability in png_set_dither/png_set_quantize (bsc#1258020).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2026:637-1
Released: Wed Feb 25 13:13:52 2026
Summary: Recommended update for grub2
Type: recommended
Severity: important
References: 1254299,1258022
This update for grub2 fixes the following issues:
- Backport upstream's commit to prevent BIOS assert (bsc#1258022)
- Fix error 'grub-core/script/lexer.c:352:out of memory' after PowerPC CAS Reboot (bsc#1254299)
* Fix PowerPC CAS reboot to evaluate menu context
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2026:651-1
Released: Wed Feb 25 20:20:20 2026
Summary: Recommended update for sssd
Type: recommended
Severity: moderate
References: 1212476,1257509
This update for sssd fixes the following issues:
- Use %pre scriptlet instead of %pretrans to migrate from sssd-common (bsc#1257509).
- Update to release 2.10.2 (jsc#PED-12449):
* If the ssh responder is not running, sss_ssh_knownhosts will not fail
* SSSD is now capable of handling multiple services associated with the same port.
* sssd_pam, being a privileged binary, now clears the environment and
does not allow configuration of the PR_SET_DUMPABLE flag as a precaution.
- Changes from sssd 2.10.1:
* SSSD does not create anymore missing path components of DIR:/FILE: ccache types
while acquiring user's TGT. The parent directory of requested ccache directory must exist and the user
trying to log in must have rwx access to this directory. This matches behavior of /usr/bin/kinit.
* The option default_domain_suffix is deprecated.
- Changes from sssd 2.10.0:
* The ``sssctl cache-upgrade`` command was removed.
SSSD performs automatic upgrades at startup when needed.
* Support of ``enumeration`` feature for AD/IPA providers is deprecated and
might be removed in further releases.
* The new tool ``sss_ssh_knownhosts`` can be used with ssh's ``KnownHostsCommand``
configuration option to retrieve the host's public keys from a remote server.
It replaces ``sss_ssh_knownhostsproxy``.
* The default value for ``ldap_id_use_start_tls`` changed from false to true for improved security.
- Fix socket activation of responders
- Daemon runs now as unprivileged user 'sssd'
- Fix build parameter name omitted
- Update filelists involving memberof.so and idmap/sss.so to
avoid gobbling up one file into multiple sssd subpackages.
- Fix spec file for openSUSE ALP and SUSE SLFO, where the
python3_fix_shebang_path RPM macro is not available
- remove dependency on /usr/bin/python3 using
%python3_fix_shebang_path macro (bsc#1212476)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:664-1
Released: Thu Feb 26 16:15:04 2026
Summary: Security update for python3
Type: security
Severity: important
References: 1257029,1257031,1257041,1257042,1257044,1257046,CVE-2025-11468,CVE-2025-15282,CVE-2025-15366,CVE-2025-15367,CVE-2026-0672,CVE-2026-0865
This update for python3 fixes the following issues:
- CVE-2025-11468: header injection when folding a long comment in an email header containing exclusively unfoldable
characters (bsc#1257029).
- CVE-2026-0672: HTTP header injection via user-controlled cookie values and parameters when using http.cookies.Morsel
(bsc#1257031).
- CVE-2026-0865: user-controlled header containing newlines can allow injecting HTTP headers (bsc#1257042).
- CVE-2025-15366: user-controlled command can allow additional commands injected using newlines (bsc#1257044).
- CVE-2025-15282: user-controlled data URLs parsed may allow injecting headers (bsc#1257046).
- CVE-2025-15367: control characters may allow the injection of additional commands (bsc#1257041).
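All six issues share one mechanism: a user-controlled string containing CR, LF or another control character is written into a line-oriented protocol without validation, so the string terminates the current line and starts a new header, command or body. The following added example, not CPython's code, shows a naive HTTP response builder beside a validating one and a Set-Cookie builder that checks the cookie value and attributes. The attacker input and the attribute allowlist are assumptions constructed for this illustration.

```python
# Added example (not CPython's code): the header-injection pattern behind the
# six CVEs above, shown as a naive response builder next to a validating one.
# A user-controlled value containing CR/LF ends the current header line and
# lets the attacker append headers (or, with a blank line, a body).
import re

# RFC 9110 token characters, used for header names and cookie names.
_TOKEN = re.compile(r"[!#$%&'*+.^_`|~0-9A-Za-z-]+")
# Any ASCII control character (CR, LF, NUL, ...) in a value is rejected outright.
_CONTROL = re.compile(r"[\x00-\x1f\x7f]")
# Cookie attributes a caller may set (assumption: fixed allowlist, canonical spelling).
_COOKIE_ATTRS = {"path": "Path", "domain": "Domain", "max_age": "Max-Age",
                 "expires": "Expires", "secure": "Secure", "httponly": "HttpOnly",
                 "samesite": "SameSite"}


class HeaderInjection(ValueError):
    """Raised when a header or cookie component would break the wire format."""


def naive_build_response(status: int, headers: list) -> bytes:
    """Vulnerable: trusts every value, so CRLF inside one smuggles a new header."""
    lines = [f"HTTP/1.1 {status} OK"] + [f"{name}: {value}" for name, value in headers]
    return ("\r\n".join(lines) + "\r\n\r\n").encode("latin-1")


def check_token(name: str) -> str:
    if not _TOKEN.fullmatch(name):
        raise HeaderInjection(f"invalid token {name!r}")
    return name


def check_value(value: str) -> str:
    if _CONTROL.search(value):
        raise HeaderInjection(f"control character in value {value!r}")
    return value


def safe_build_response(status: int, headers: list) -> bytes:
    """Hardened: names must be tokens, values free of control characters."""
    checked = [(check_token(name), check_value(value)) for name, value in headers]
    return naive_build_response(status, checked)


def safe_set_cookie(name: str, value: str, **attrs) -> str:
    """Build one Set-Cookie value; the cookie value and every attribute are validated."""
    check_token(name)
    check_value(value)
    if any(ch in value for ch in ';, "\\'):   # RFC 6265 cookie-octet exclusions
        raise HeaderInjection("cookie value must not contain ';', ',', space, '\"' or '\\'")
    parts = [f"{name}={value}"]
    for attr, attr_value in attrs.items():
        if attr not in _COOKIE_ATTRS:
            raise HeaderInjection(f"unknown cookie attribute {attr!r}")
        canonical = _COOKIE_ATTRS[attr]
        if attr_value is True:
            parts.append(canonical)
        else:
            text = check_value(str(attr_value))
            if ";" in text:
                raise HeaderInjection(f"';' in cookie attribute {attr!r}")
            parts.append(f"{canonical}={text}")
    return "; ".join(parts)


def count_header_lines(raw: bytes) -> int:
    """Number of header lines a receiver will see (status line excluded)."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    return len(head.split(b"\r\n")) - 1


def is_rejected(fn, *args, **kwargs) -> bool:
    """True if fn raises HeaderInjection for these arguments."""
    try:
        fn(*args, **kwargs)
        return False
    except HeaderInjection:
        return True


# Constructed attacker input (not from the advisory): a username with an
# embedded CRLF that smuggles a second header.
EVIL_VALUE = "alice\r\nSet-Cookie: role=admin"

if __name__ == "__main__":
    print(naive_build_response(200, [("X-User", EVIL_VALUE)]))
    print(is_rejected(safe_build_response, 200, [("X-User", EVIL_VALUE)]))
    print(safe_set_cookie("session", "abc123", path="/", httponly=True))
```

The same check applies to the other entries in this update: an SMTP or FTP command built from user input needs the control-character rejection on the argument before it is joined with CRLF, and a data: URL's media-type parameters are header-like values that get the same treatment.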
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2026:671-1
Released: Thu Feb 26 16:37:05 2026
Summary: Recommended update for adcli
Type: recommended
Severity: important
References: 1257717
This update for adcli fixes the following issues:
- Improve DC locator strategy, do not query more servers than necessary (bsc#1257717):
* Make adcli info DC location mechanism more compliant
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2026:682-1
Released: Fri Feb 27 11:28:46 2026
Summary: Recommended update for fence-agents
Type: recommended
Severity: moderate
References: 1250417,1253230
This update for fence-agents fixes the following issues:
- add new skip_os_shutdown flag to fence_aws fence agent (bsc#1250417).
- Adding new fence agent for Nutanix AHV (jsc#PED-13087, bsc#1253230).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:741-1
Released: Mon Mar 2 09:11:04 2026
Summary: Security update for shim
Type: security
Severity: moderate
References: 1240871,1247432,CVE-2024-2312
This update for shim fixes the following issues:
shim is updated to version 16.1:
- shim_start_image(): fix guid/handle pairing when uninstalling protocols
- Fix uncompressed ipv6 netboot
- fix test segfaults caused by uninitialized memory
- SbatLevel_Variable.txt: minor typo fix.
- Realloc() needs to allocate one more byte for sprintf()
- IPv6: Add more check to avoid multiple double colon and illegal char
- Loader proto v2
- loader-protocol: add workaround for EDK2 2025.02 page fault on FreePages
- Generate Authenticode for the entire PE file
- README: mention new loader protocol and interaction with UKIs
- shim: change automatically enable MOK_POLICY_REQUIRE_NX
- Save var info
- add SbatLevel entry 2025051000 for PSA-2025-00012-1
- Coverity fixes 20250804
- fix http boot
- Fix double free and leak in the loader protocol
shim is updated to version 16.0:
- Validate that a supplied vendor cert is not in PEM format
- sbat: Add grub.peimage,2 to latest (CVE-2024-2312)
- sbat: Also bump latest for grub,4 (and to todays date)
- undo change that limits certificate files to a single file
- shim: don't set second_stage to the empty string
- Fix SBAT.md for today's consensus about numbers
- Update Code of Conduct contact address
- make-certs: Handle missing OpenSSL installation
- Update MokVars.txt
- export DEFINES for sub makefile
- Drop unused EFI_IMAGE_SECURITY_DATABASE_GUID definition
- Null-terminate 'arguments' in fallback
- Fix 'Verifiying' typo in error message
- Update Fedora CI targets
- Force gcc to produce DWARF4 so that gdb can use it
- Minor housekeeping 2024121700
- Discard load-options that start with WINDOWS
- Fix the issue that the gBS->LoadImage pointer was empty.
- shim: Allow data after the end of device path node in load options
- Handle network file not found like disks
- Update gnu-efi submodule for EFI_HTTP_ERROR
- Increase EFI file alignment
- avoid EFIv2 runtime services on Apple x86 machines
- Improve shortcut performance when comparing two boolean expressions
- Provide better error message when MokManager is not found
- tpm: Boot with a warning if the event log is full
- MokManager: remove redundant logical constraints
- Test import_mok_state() when MokListRT would be bigger than available size
- test-mok-mirror: minor bug fix
- Fix file system browser hang when enrolling MOK from disk
- Ignore a minor clang-tidy nit
- Allow fallback to default loader when encountering errors on network boot
- test.mk: don't use a temporary random.bin
- pe: Enhance debug report for update_mem_attrs
- Multiple certificate handling improvements
- Generate SbatLevel Metadata from SbatLevel_Variable.txt
- Apply EKU check with compile option
- Add configuration option to boot an alternative 2nd stage
- Loader protocol (with Device Path resolution support)
- netboot cleanup for additional files
- Document how revocations can be delivered
- post-process-pe: add tests to validate NX compliance
- regression: CopyMem() in ad8692e copies out of bounds
- Save the debug and error logs in mok-variables
- Add features for the Host Security ID program
- Mirror some more efi variables to mok-variables
- This adds DXE Services measurements to HSI and uses them for NX
- Add shim's current NX_COMPAT status to HSIStatus
- README.tpm: reflect that vendor_db is in fact logged as 'vendor_db'
- Reject HTTP message with duplicate Content-Length header fields
- Disable log saving
- fallback: don't add new boot order entries backwards
- README.tpm: Update MokList entry to MokListRT
- SBAT Level update for February 2025 GRUB CVEs
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:779-1
Released: Tue Mar 3 14:25:07 2026
Summary: Security update for libssh
Type: security
Severity: moderate
References: 1258045,1258049,1258054,1258080,1258081,CVE-2026-0964,CVE-2026-0965,CVE-2026-0966,CVE-2026-0967,CVE-2026-0968
This update for libssh fixes the following issues:
- CVE-2026-0964: improper sanitation of paths received from SCP servers can cause path traversal (bsc#1258049).
- CVE-2026-0965: possible denial of service when parsing unexpected configuration files (bsc#1258045).
- CVE-2026-0966: buffer underflow in ssh_get_hexa() on invalid input (bsc#1258054).
- CVE-2026-0967: specially crafted patterns could cause denial of service (bsc#1258081).
- CVE-2026-0968: malformed SFTP message can lead to out of bound read (bsc#1258080).
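CVE-2026-0964 here and the GnuPG literal-data filename fix in SUSE-SU-2026:434-1 above are the same bug in two protocols: a name chosen by the remote side is used to decide where a local file is written. The following added example, not GnuPG's or libssh's code, shows the two checks a receiver needs: reducing the name to a single path component where that is all that is expected, and, where subdirectories are legitimate (recursive copy), joining under a base directory only after every component has been checked. The base directory and sample names are assumptions constructed for this illustration.

```python
# Added example (not GnuPG's or libssh's code): validate a filename that
# arrives from the other side of a protocol, whether an OpenPGP literal data
# packet's 'filename' field or an SCP server's file entry. The receiver, not
# the sender, decides where the bytes land.
from pathlib import PurePosixPath


class UnsafeFilename(ValueError):
    """Raised when a peer-supplied name could escape the target directory."""


def sanitize_component(name: str) -> str:
    """Accept exactly one ordinary path component; reject everything else."""
    if not name:
        raise UnsafeFilename("empty name")
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in name):
        raise UnsafeFilename("control character in name")
    # Conservative: reject both separators even on POSIX, where '\\' is legal.
    if "/" in name or "\\" in name:
        raise UnsafeFilename(f"path separator in {name!r}")
    if name in (".", ".."):
        raise UnsafeFilename(f"traversal component {name!r}")
    return name


def safe_join(base: str, relative: str) -> str:
    """Join a peer-supplied relative path under base, component by component."""
    base_path = PurePosixPath(base)
    if not base_path.is_absolute():
        raise UnsafeFilename("base directory must be absolute")
    if relative.startswith("/") or "\\" in relative:
        raise UnsafeFilename(f"absolute path or bad separator in {relative!r}")
    parts = [p for p in relative.split("/") if p not in ("", ".")]  # drop empty and '.'
    if not parts:
        raise UnsafeFilename("no usable path components")
    target = base_path
    for part in parts:
        target = target / sanitize_component(part)
    # Belt and braces: the result must still lie under base. This is a pure
    # path check; before writing, a real client should also realpath() the
    # result (or open with O_NOFOLLOW) so a symlink planted earlier in the
    # transfer cannot redirect it.
    if base_path not in target.parents:
        raise UnsafeFilename("joined path escaped base directory")
    return str(target)


def is_rejected(fn, *args) -> bool:
    """True if fn raises UnsafeFilename for these arguments."""
    try:
        fn(*args)
        return False
    except UnsafeFilename:
        return True


# Constructed sample names (not from the advisory): what a hostile server or
# a malicious OpenPGP message might send.
HOSTILE_NAMES = ["../.ssh/authorized_keys", "/etc/passwd", "..", "x\\y", "a\x00b"]

if __name__ == "__main__":
    print(sanitize_component("report.pdf"))
    print([is_rejected(sanitize_component, n) for n in HOSTILE_NAMES])
    print(safe_join("/srv/incoming", "sub/dir/file.txt"))
    print(is_rejected(safe_join, "/srv/incoming", "sub/../../etc/passwd"))
```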
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:781-1
Released: Tue Mar 3 14:28:04 2026
Summary: Security update for patch
Type: security
Severity: low
References: 1194037,CVE-2021-45261
This update for patch fixes the following issues:
- CVE-2021-45261: Clear range of pointers before they are used/freed (bsc#1194037).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:783-1
Released: Tue Mar 3 14:36:14 2026
Summary: Security update for zlib
Type: security
Severity: moderate
References: 1258392,CVE-2026-27171
This update for zlib fixes the following issue:
- CVE-2026-27171: Fixed infinite loop via the `crc32_combine64` and `crc32_combine_gen64` functions due to missing
checks for negative lengths (bsc#1258392).
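The combine functions compute the CRC of a concatenation from the two partial CRCs and the length of the second part, halving that length bit by bit until it reaches zero. Under arithmetic shifts a negative length never reaches zero, which is how a missing sign check turns into an infinite loop. Below is an added example, not zlib's code, of the matrix form of crc32_combine as shipped in zlib 1.2.x, ported to Python with the guard in place and checked against zlib.crc32. Raising on a negative length is our choice for the wrapper; the sample data are constructed for this illustration.

```python
# Added example (not zlib's code): the GF(2) matrix form of crc32_combine,
# with the non-negative length check that makes the halving loop terminate.
import zlib

_CRC32_POLY = 0xEDB88320  # reflected CRC-32 polynomial used by zlib


def _gf2_matrix_times(mat: list, vec: int) -> int:
    """Multiply a 32x32 GF(2) matrix (list of 32 column vectors) by a vector."""
    total = 0
    i = 0
    while vec:
        if vec & 1:
            total ^= mat[i]
        vec >>= 1
        i += 1
    return total


def _gf2_matrix_square(mat: list) -> list:
    """Return mat * mat over GF(2)."""
    return [_gf2_matrix_times(mat, column) for column in mat]


def crc32_combine(crc1: int, crc2: int, len2: int) -> int:
    """CRC-32 of A||B given crc32(A), crc32(B) and len(B), without the data."""
    if len2 < 0:
        # The missing check: with a negative len2 the halving loop below
        # never terminates (>> on a negative int stops at -1, never 0).
        raise ValueError("len2 must be non-negative")
    crc1 &= 0xFFFFFFFF
    if len2 == 0:
        return crc1
    # Operator for one zero bit: shift right, xor the polynomial if bit 0 was set.
    odd = [_CRC32_POLY] + [1 << n for n in range(31)]
    even = _gf2_matrix_square(odd)   # two zero bits
    odd = _gf2_matrix_square(even)   # four zero bits
    while True:
        even = _gf2_matrix_square(odd)  # first pass: eight zero bits = one zero byte
        if len2 & 1:
            crc1 = _gf2_matrix_times(even, crc1)
        len2 >>= 1
        if len2 == 0:
            break
        odd = _gf2_matrix_square(even)
        if len2 & 1:
            crc1 = _gf2_matrix_times(odd, crc1)
        len2 >>= 1
        if len2 == 0:
            break
    return crc1 ^ (crc2 & 0xFFFFFFFF)


def self_check() -> bool:
    """Compare against zlib.crc32 on constructed data (not from the advisory)."""
    first = b"The quick brown fox " * 7
    for second in (b"", b"x", b"jumps over the lazy dog" * 13, b"\x00" * 1000):
        combined = crc32_combine(zlib.crc32(first), zlib.crc32(second), len(second))
        if combined != zlib.crc32(first + second):
            return False
    return True


def rejects_negative_length() -> bool:
    """True if the guard fires instead of the loop hanging."""
    try:
        crc32_combine(0x12345678, 0x9ABCDEF0, -1)
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    print("matches zlib.crc32:", self_check())
    print("rejects negative length:", rejects_negative_length())
```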
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2026:791-1
Released: Tue Mar 3 16:59:33 2026
Summary: Recommended update for gcc15
Type: recommended
Severity: moderate
References: 1257463
This update for gcc15 fixes the following issues:
- Fix bogus expression simplification (bsc#1257463)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:801-1
Released: Wed Mar 4 13:33:26 2026
Summary: Security update for libxslt
Type: security
Severity: moderate
References: 1250553,CVE-2025-10911
This update for libxslt fixes the following issues:
- CVE-2025-10911: use-after-free will be fixed on libxml2 side instead (bsc#1250553).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:803-1
Released: Wed Mar 4 13:57:07 2026
Summary: Security update for util-linux
Type: security
Severity: moderate
References: 1258859,CVE-2026-3184
This update for util-linux fixes the following issues:
- CVE-2026-3184: Fix full hostname usage for PAM to ensure correct access control for 'login -h' (bsc#1258859).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:813-1
Released: Thu Mar 5 09:33:59 2026
Summary: Security update for mozilla-nss
Type: security
Severity: moderate
References: 1258568,CVE-2026-2781
This update for mozilla-nss fixes the following issues:
Update to NSS 3.112.3:
* CVE-2026-2781: Avoid integer overflow in platform-independent ghash (bsc#1258568)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:826-1
Released: Thu Mar 5 16:16:29 2026
Summary: Security update for expat
Type: security
Severity: moderate
References: 1257144,1257496,CVE-2026-24515,CVE-2026-25210
This update for expat fixes the following issues:
- CVE-2026-24515: Fixed a null dereference in XML_ExternalEntityParserCreate. (bsc#1257144)
- CVE-2026-25210: Fixed an integer overflow in doContent. (bsc#1257496)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:829-1
Released: Thu Mar 5 16:17:08 2026
Summary: Security update for gnutls
Type: security
Severity: moderate
References: 1257960,1258083,CVE-2025-14831
This update for gnutls fixes the following issues:
Security issue:
- CVE-2025-14831: excessive resource consumption when verifying specially crafted malicious certificates containing a
large number of name constraints and subject alternative names (bsc#1257960).
Other updates and bugfixes:
- update libgnutls package to avoid binder getting calculated with SHA256 (bsc#1258083, jsc#PED-15752, jsc#PED-15753).
- lib/psk: Add gnutls_psk_allocate_{client,server}_credentials2
- tests/psk-file: Add testing for _credentials2 functions
- lib/psk: add null check for binder algo
- pre_shared_key: fix memleak when retrying with different binder algo
- pre_shared_key: add null check on pskcred
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2026:836-1
Released: Fri Mar 6 08:27:48 2026
Summary: Recommended update for apache2
Type: recommended
Severity: moderate
References: 1229147
This update for apache2 fixes the following issues:
- Fix: apache2 default config gives a warning AH00317 (bsc#1229147).
* The default value for MaxRequestWorkers should be a multiple of 25,
so we're setting it from 256 down to 250, which is what Apache was
doing during runtime in any case.
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2026:844-1
Released: Fri Mar 6 16:45:31 2026
Summary: Recommended update for glibc
Type: recommended
Severity: moderate
References: 1258319
This update for glibc fixes the following issues:
- nss: Missing checks in __nss_configure_lookup, __nss_database_get (bsc#1258319, BZ #28940)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:855-1
Released: Tue Mar 10 06:06:34 2026
Summary: Security update for c3p0 and mchange-commons
Type: security
Severity: important
References: 1258913,1258942,1259313,CVE-2026-27727,CVE-2026-27830
This update for c3p0 and mchange-commons fixes the following issues:
c3p0:
- Security issues fixed:
- CVE-2026-27830: Fixed unsafe object deserialization (bsc#1258942)
- Fix the null pointer exception in the userOverridesAsString
method (bsc#1259313).
mchange-commons:
- Security issues fixed:
- CVE-2026-27727: Disabled remote ClassLoading when dereferencing javax.naming.Reference instances (bsc#1258913)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2026:863-1
Released: Wed Mar 11 13:41:48 2026
Summary: Recommended update for openldap2
Type: recommended
Severity: moderate
References:
This update for openldap2 fixes the following issues:
- expose ldap_log.h in -devel (jsc#PED-15735)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2026:867-1
Released: Wed Mar 11 14:44:32 2026
Summary: Recommended update for libvirt
Type: recommended
Severity: important
References: 1258345
This update for libvirt fixes the following issues:
- rpc: avoid leak of GSource in use for interrupting main loop (bsc#1258345)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:881-1
Released: Thu Mar 12 11:18:51 2026
Summary: Security update for postgresql18
Type: security
Severity: important
References: 1258008,1258009,1258010,1258011,1258012,1258754,CVE-2026-2003,CVE-2026-2004,CVE-2026-2005,CVE-2026-2006,CVE-2026-2007
This update for postgresql18 fixes the following issues:
Update to version 18.3 (bsc#1258754).
Security issues fixed:
- CVE-2026-2003: improper validation of type 'oidvector' may allow disclosure of a few bytes of server memory (bsc#1258008).
- CVE-2026-2004: intarray missing validation of type of input to selectivity estimator could lead to arbitrary code
execution (bsc#1258009).
- CVE-2026-2005: buffer overrun in contrib/pgcrypto's PGP decryption functions could lead to arbitrary code execution
(bsc#1258010).
- CVE-2026-2006: inadequate validation of multibyte character lengths could lead to arbitrary code execution
(bsc#1258011).
- CVE-2026-2007: pg_trgm heap buffer overflow could cause the search pattern to be written into server memory (bsc#1258012).
Regression fixes:
- the substring() function raises an error 'invalid byte sequence for encoding' on non-ASCII text values if the
source of that value is a database column (caused by CVE-2026-2006 fix).
- a standby may halt and return an error 'could not access status of transaction'.
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:882-1
Released: Thu Mar 12 11:19:24 2026
Summary: Security update for postgresql16
Type: security
Severity: important
References: 1258008,1258009,1258010,1258011,1258754,CVE-2026-2003,CVE-2026-2004,CVE-2026-2005,CVE-2026-2006
This update for postgresql16 fixes the following issues:
Update to version 16.13 (bsc#1258754).
Security issues fixed:
- CVE-2026-2003: improper validation of type 'oidvector' may allow disclosure of a few bytes of server memory (bsc#1258008).
- CVE-2026-2004: intarray missing validation of type of input to selectivity estimator could lead to arbitrary code
execution (bsc#1258009).
- CVE-2026-2005: buffer overrun in contrib/pgcrypto's PGP decryption functions could lead to arbitrary code execution
(bsc#1258010).
- CVE-2026-2006: inadequate validation of multibyte character lengths could lead to arbitrary code execution
(bsc#1258011).
Regression fixes:
- the substring() function raises an error 'invalid byte sequence for encoding' on non-ASCII text values if the
source of that value is a database column (caused by CVE-2026-2006 fix).
- a standby may halt and return an error 'could not access status of transaction'.
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:885-1
Released: Thu Mar 12 15:50:16 2026
Summary: Security update for curl
Type: security
Severity: important
References: 1259362,1259363,1259364,1259365,CVE-2026-1965,CVE-2026-3783,CVE-2026-3784,CVE-2026-3805
This update for curl fixes the following issues:
- CVE-2026-1965: bad reuse of HTTP Negotiate connection (bsc#1259362).
- CVE-2026-3783: token leak with redirect and netrc (bsc#1259363).
- CVE-2026-3784: wrong proxy connection reuse with credentials (bsc#1259364).
- CVE-2026-3805: use after free in SMB connection reuse (bsc#1259365).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:910-1
Released: Tue Mar 17 20:34:12 2026
Summary: Security update for vim
Type: security
Severity: moderate
References: 1246602,1258229,1259051,CVE-2025-53906,CVE-2026-26269,CVE-2026-28417
This update for vim fixes the following issues:
Update Vim to version 9.2.0110:
- CVE-2025-53906: malicious zip archive may cause a path traversal in Vim's zip (bsc#1246602).
- CVE-2026-26269: Netbeans specialKeys stack buffer overflow (bsc#1258229).
- CVE-2026-28417: a crafted URL parsed by the netrw plugin can lead to execution of arbitrary shell commands (bsc#1259051).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2026:912-1
Released: Wed Mar 18 07:19:42 2026
Summary: Recommended update for ca-certificates-mozilla
Type: recommended
Severity: moderate
References: 1229003,1258002
This update for ca-certificates-mozilla fixes the following issues:
- test for a concretely missing certificate rather than
just the directory, as the latter is now also provided by openssl-3
- Re-create java-cacerts with SOURCE_DATE_EPOCH set
for reproducible builds (bsc#1229003)
- Also mark /usr/share/factory/var/lib/ca-certificates/ as writable by the user
during install: allow rpm to properly execute %clean when completed.
- Create /var/lib/ca-certificates during build to ensure rpm gives
the %ghost'ed directory proper mode attributes.
- Updated to 2.84 state (bsc#1258002)
* Removed:
+ Baltimore CyberTrust Root
+ CommScope Public Trust ECC Root-01
+ CommScope Public Trust ECC Root-02
+ CommScope Public Trust RSA Root-01
+ CommScope Public Trust RSA Root-02
+ DigiNotar Root CA
* Added:
+ e-Szigno TLS Root CA 2023
+ OISTE Client Root ECC G1
+ OISTE Client Root RSA G1
+ OISTE Server Root ECC G1
+ OISTE Server Root RSA G1
+ SwissSign RSA SMIME Root CA 2022 - 1
+ SwissSign RSA TLS Root CA 2022 - 1
+ TrustAsia SMIME ECC Root CA
+ TrustAsia SMIME RSA Root CA
+ TrustAsia TLS ECC Root CA
+ TrustAsia TLS RSA Root CA
- Re-enable the distrusted certs again. The distrust only applies to certs
issued after the distrust date, not to all certs of a CA.
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:932-1
Released: Thu Mar 19 11:26:45 2026
Summary: Security update for tomcat
Type: security
Severity: important
References: 1258371,1258385,1258387,CVE-2025-66614,CVE-2026-24733,CVE-2026-24734
This update for tomcat fixes the following issues:
Update to Tomcat 9.0.115:
- CVE-2025-66614: client certificate verification bypass due to virtual host mapping (bsc#1258371).
- CVE-2026-24733: improper input validation on HTTP/0.9 requests (bsc#1258385).
- CVE-2026-24734: certificate revocation bypass due to incomplete OCSP verification checks (bsc#1258387).
Changelog:
* Catalina
+ Fix: 69623: Additional fix for the long standing regression that meant
that calls to ClassLoader.getResource().getContent() failed when made from
within a web application with resource caching enabled if the target
resource was packaged in a JAR file. (markt)
+ Fix: Pull request #923: Avoid adding multiple CSRF tokens to a URL in the
CsrfPreventionFilter. (schultz)
+ Fix: 69918: Ensure request parameters are correctly parsed for HTTP/2
requests when the content-length header is not set. (dsoumis)
+ Update: Update the minimum and recommended versions for Tomcat Native to
1.3.4. (markt)
+ Add: Add a new ssoReauthenticationMode to the Tomcat provided
Authenticators that provides a per Authenticator override of the SSO Valve
requireReauthentication attribute. (markt)
+ Fix: Ensure URL encoding errors in the Rewrite Valve trigger an exception
rather than silently using a replacement character. (markt)
+ Fix: 69871: Increase log level to INFO for missing configuration for the
rewrite valve. (remm)
+ Fix: Add log warnings for additional Host appBase suspicious values.
(remm)
+ Fix: Remove hard dependency on tomcat-jni.jar for catalina.jar.
org.apache.catalina.Connector no longer requires
org.apache.tomcat.jni.AprStatus to be present. (markt)
+ Add: Add the ability to use a custom function to generate the client
identifier in the CrawlerSessionManagerValve. This is only available
programmatically. Pull request #902 by Brian Matzon. (markt)
+ Fix: Change the SSO reauthentication behaviour for SPNEGO authentication
so that a normal SPNEGO authentication is performed if the SSL Valve is
configured with reauthentication enabled. This is so that the delegated
credentials will be available to the web application. (markt)
+ Fix: When generating the class path in the Loader, re-order the check on
individual class path components to avoid a potential
NullPointerException. Identified by Coverity Scan. (markt)
+ Fix: Fix SSL socket factory configuration in the JNDI realm. Based on pull
request #915 by Joshua Rogers. (remm)
+ Update: Add an attribute, digestInRfc3112Order, to
MessageDigestCredentialHandler to control the order in which the
credential and salt are digested. By default, the current, non-RFC 3112
compliant, order of salt then credential will be used. This default will
change in Tomcat 12 to the RFC 3112 compliant order of credential then
salt. (markt)
* Cluster
+ Add: 62814: Document that human-readable names may be used for
mapSendOptions and align documentation with channelSendOptions. Based on
pull request #929 by archan0621. (markt)
* Clustering
+ Fix: Correct a regression introduced in 9.0.109 that broke some clustering
configurations. (markt)
* Coyote
+ Fix: Prevent concurrent release of OpenSSLEngine resources and the
termination of the Tomcat Native library as it can cause crashes during
Tomcat shutdown. (markt)
+ Fix: Avoid possible NPEs when using a TLS enabled custom connector. (remm)
+ Fix: Improve warnings when setting ciphers lists in the FFM code,
mirroring the tomcat-native changes. (remm)
+ Fix: 69910: Dereference TLS objects right after closing a socket to
improve memory efficiency. (remm)
+ Fix: Relax the JSSE vs OpenSSL configuration style checks on SSLHostConfig
to reflect the existing implementation that allows one configuration style
to be used for the trust attributes and a different style for all the
other attributes. (markt)
+ Fix: Better warning message when OpenSSLConf configuration elements are
used with a JSSE TLS implementation. (markt)
+ Fix: When using OpenSSL via FFM, don't log a warning about missing CA
certificates unless CA certificates were configured and the configuration
failed. (markt)
+ Add: For configuration consistency between OpenSSL and JSSE TLS
implementations, TLSv1.3 cipher suites included in the ciphers attribute
of an SSLHostConfig are now always ignored (previously they would be
ignored with OpenSSL implementations and used with JSSE implementations)
and a warning is logged that the cipher suite has been ignored. (markt)
+ Add: Add the ciphersuite attribute to SSLHostConfig to configure the
TLSv1.3 cipher suites. (markt)
+ Add: Add OCSP support to JSSE based TLS connectors and make the use of
OCSP configurable per connector for both JSSE and OpenSSL based TLS
implementations. Align the checks performed by OpenSSL with those
performed by JSSE. (markt)
+ Add: Add support for soft failure of OCSP checks with soft failure support
disabled by default. (markt)
+ Add: Add support for configuring the verification flags passed to
OCSP_basic_verify when using an OpenSSL based TLS implementation. (markt)
+ Fix: Fix OpenSSL FFM code compatibility with LibreSSL versions below 3.5.
+ Fix: Don't log an incorrect certificate KeyStore location when creating a
TLS connector if the KeyStore instance has been set directly on the
connector. (markt)
+ Fix: HTTP/0.9 only allows GET as the HTTP method. (remm)
+ Add: Add strictSni attribute on the Connector to allow matching the
SSLHostConfig configuration associated with the SNI host name to the
SSLHostConfig configuration matched from the HTTP protocol host name. Non
matching configurations will cause the request to be rejected. The
attribute default value is true, enabling the matching. (remm)
+ Fix: Graceful failure for OCSP on BoringSSL in the FFM code. (remm)
+ Fix: 69866: Fix a memory leak when using a trust store with the OpenSSL
provider. Pull request #912 by aogburn. (markt)
+ Fix: Fix AJP message length check. Pull request #916 by Joshua Rogers.
* Jasper
+ Fix: 69333: Correct a regression in the previous fix for 69333 and ensure
that reuse() or release() is always called for a tag. (markt)
+ Fix: 69877: Catch IllegalArgumentException when processing URIs when
creating the classpath to handle invalid URIs. (remm)
+ Fix: Fix populating the classpath with the webapp classloader
repositories. (remm)
+ Fix: 69862: Avoid NPE unwrapping Servlet exception which would hide some
exception details. Patch submitted by Eric Blanquer. (remm)
* Jdbc-pool
+ Fix: 64083: If the underlying connection has been closed, don't add it to
the pool when it is returned. Pull request #235 by Alex Panchenko. (markt)
* Web applications
+ Fix: Manager: Fix abrupt truncation of the HTML and JSON complete server
status output if one or more of the web applications failed to start.
(schultz)
+ Add: Manager: Include web application state in the HTML and JSON complete
server status output. (markt)
+ Add: Documentation: Expand the documentation to better explain when OCSP
is supported and when it is not. (markt)
* Websocket
+ Fix: 69920: When attempting to write to a closed Writer or OutputStream
obtained from a WebSocket session, throw an IOException rather than an
IllegalStateException as required by Writer and strongly suggested by
OutputStream. (markt)
* Other
+ Add: Add property 'gpg.sign.files' to optionally disable release artefact
signing with GPG. (rjung)
+ Add: Add test.silent property to suppress JUnit console output during test
execution. Useful for cleaner console output when running tests with
multiple threads. (csutherl)
+ Update: Update the internal fork of Commons Pool to 2.13.1. (markt)
+ Update: Update the internal fork of Commons DBCP to 2.14.0. (markt)
+ Update: Update Commons Daemon to 1.5.1. (markt)
+ Update: Update ByteBuddy to 1.18.3. (markt)
+ Update: Update UnboundID to 7.0.4. (markt)
+ Update: Update Checkstyle to 12.3.1. (markt)
+ Add: Improvements to French translations. (markt)
+ Add: Improvements to Japanese translations provided by tak7iji. (markt)
+ Add: Improvements to Chinese translations provided by Yang. vincent.h and
yong hu. (markt)
+ Update: Update Tomcat Native to 1.3.5. (markt)
+ Add: Add test profile system for selective test execution. Profiles can be
specified via -Dtest.profile=<name> to run specific test subsets without
using patterns directly. Profile patterns are defined in
test-profiles.properties. (csutherl)
+ Update: Update file extension to media type mappings to align with the
current list used by the Apache Web Server (httpd). (markt)
+ Update: Update Commons Daemon to 1.5.0. (markt)
+ Update: Update Byte Buddy to 1.18.2. (markt)
+ Update: Update Checkstyle to 12.2.0. (markt)
+ Add: Improvements to Spanish translations provided by White Vogel. (markt)
+ Add: Improvements to French translations. (remm)
+ Update: Update the internal fork of Apache Commons BCEL to 6.11.0. (markt)
+ Update: Update to Byte Buddy 1.17.8. (markt)
+ Update: Update to Checkstyle 12.1.1. (markt)
+ Update: Update to Jacoco 0.8.14. (markt)
+ Update: Update to SpotBugs 4.9.8. (markt)
+ Update: Update to JSign 7.4. (markt)
+ Update: Update Maven Resolver Ant Tasks to 1.6.0. (rjung)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2026:965-1
Released: Mon Mar 23 14:49:59 2026
Summary: Recommended update for sssd
Type: recommended
Severity: important
References: 1229655,1259250,1259381,1259475
This update for sssd fixes the following issues:
- Build with openldap 2.5 which supports TLS channel binding (bsc#1229655, jsc#PED-12097)
- Restore default config file installation (bsc#1259250)
- Make sure previously rotated logs are chown-ed as well (bsc#1259475)
- Fix sss_obfuscate crash with python 3.6 (bsc#1259381)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:1008-1
Released: Wed Mar 25 11:07:21 2026
Summary: Security update for Prometheus
Type: security
Severity: important
References: 1255588,1257329,1257442,1257841,1257897,CVE-2025-12816,CVE-2025-13465,CVE-2025-61140,CVE-2026-1615,CVE-2026-25547
This update for Prometheus fixes the following issues:
golang-github-prometheus-alertmanager, golang-github-prometheus-node_exporter:
- Internal changes to fix build issues with no impact for customers
golang-github-prometheus-prometheus:
- Security issues fixed:
* CVE-2026-27606: Fixed arbitrary file write via path traversal in rollup (bsc#1258893)
* CVE-2026-25547: Fixed unbounded brace range expansion leading to excessive CPU and memory consumption (bsc#1257841)
* CVE-2026-1615, CVE-2025-61140: The old web UI is no longer built due to security issues (bsc#1257897, bsc#1257442)
* CVE-2025-13465: Bump lodash package to version 4.17.23 to fix prototype pollution vulnerability (bsc#1257329)
* CVE-2025-12816: Interpretation conflict vulnerability allowing bypassing cryptographic verifications (bsc#1255588)
- Version update from 2.53.4 to 3.5.0 with the following highlighted changes (jsc#PED-13824):
* Modernized Interface: Introduced a brand-new UI
* Enhanced Cloud and Auth: Added unified AWS service discovery (EC2, ECS, Lightsail) and Azure Workload Identity support
for more secure, native cloud authentication.
* Performance Standards: Fully integrated OpenTelemetry (OTLP) ingestion and moved Native Histograms from experimental
to a stable feature.
* Advanced Data Export: Rolled out Remote Write 2.0, offering better performance and metadata handling when sending
data to external systems.
* Query Power: Added new PromQL functions (like first_over_time and last_over_time) and optimization for grouping
operations.
* Better Visibility: The UI now displays detailed relabeling steps, scrape intervals, and timeouts, making it easier
to troubleshoot why targets aren't reporting correctly.
* Critical Fixes: Resolved significant memory leaks related to query logging and fixed bugs where targets were
accidentally being scraped multiple times.
-----------------------------------------------------------------
Advisory ID: SUSE-Manager-5.0-2026-1010
Released: Wed Mar 25 11:09:52 2026
Summary: Maintenance update for Multi-Linux Manager 5.0: Server, Proxy and Retail Branch Server
Type: security
Severity: important
References: 1220899,1237181,1244177,1246315,1247544,1247722,1248783,1249041,1249425,1250561,1251865,1251995,1252098,1252388,1252638,1252665,1252908,1252937,1253174,1253197,1253249,1253285,1253322,1253501,1253659,1253660,1253711,1253712,1253773,1254251,1255089,1255176,1255298,1255634,1255653,1255743,1255857,1256991,1257255,1257538,1257992,1259057,CVE-2024-29371
Maintenance update for Multi-Linux Manager 5.0: Server, Proxy and Retail Branch Server
This is a codestream only update
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:1013-1
Released: Wed Mar 25 11:11:46 2026
Summary: Security update 5.0.7 for Multi-Linux Manager Client Tools
Type: security
Severity: important
References: 1245302,1251995,1253004,1253174,1253347,1253659,1253738,1254589,1255340,1255588,1255781,1256803,1257329,1257337,1257349,1257442,1257841,1257897,1257941,1258136,1258893,CVE-2025-12816,CVE-2025-13465,CVE-2025-3415,CVE-2025-61140,CVE-2025-68156,CVE-2026-1615,CVE-2026-21720,CVE-2026-21721,CVE-2026-21722,CVE-2026-25547,CVE-2026-27606
This update fixes the following issues:
dracut-saltboot:
- Version update to 1.1.0:
* Retry DHCP requests up to 3 times (bsc#1253004)
golang-github-QubitProducts-exporter_exporter:
- Non-customer-facing optimization and update
golang-github-boynux-squid_exporter:
- Version update from 1.6.0 to 1.13.0 with the following highlighted changes and fixes (jsc#PED-14971):
* Added compatibility for Squid 6 and support for the squid-internal-mgr metrics path
* Added TLS and Basic Authentication to the exporter's web interface
* Added support for the exporter to authenticate against the Squid proxy itself
* Allow the gathering of process information without requiring root privileges
* The exporter can now be configured using environment variables
* Added support for custom labels to all exported metrics for better data filtering
* New metrics to track if Squid is running (squid_up), how long a scrape takes, and if any errors occurred
* Added 'service time' metrics to analyze proxy speed and performance.
* Added a metric for open file descriptors (process_open_fds) to help prevent connection bottlenecks
* Corrected the squid_client_http_requests_total metric to ensure accurate reporting
golang-github-lusitaniae-apache_exporter:
- Version update from 1.0.8 to 1.0.10:
* Updated github.com/prometheus/client_golang to 1.21.1
* Updated github.com/prometheus/common to 0.63.0
* Updated github.com/prometheus/exporter-toolkit to 0.14.0
* Fixed signal handler logging
golang-github-prometheus-prometheus:
- Security issues fixed:
* CVE-2026-27606: Fixed arbitrary file write via path traversal in rollup (bsc#1258893)
* CVE-2026-25547: Fixed unbounded brace range expansion leading to excessive CPU and memory consumption (bsc#1257841)
* CVE-2026-1615, CVE-2025-61140: The old web UI is no longer built due to security issues (bsc#1257897, bsc#1257442)
* CVE-2025-13465: Bump lodash package to version 4.17.23 to fix prototype pollution vulnerability (bsc#1257329)
* CVE-2025-12816: Interpretation conflict vulnerability allowing bypassing cryptographic verifications (bsc#1255588)
- Version update from 2.53.4 to 3.5.0 with the following highlighted changes (jsc#PED-13824):
* Modernized Interface: Introduced a brand-new UI
* Enhanced Cloud and Auth: Added unified AWS service discovery (EC2, ECS, Lightsail) and Azure Workload Identity support
for more secure, native cloud authentication.
* Performance Standards: Fully integrated OpenTelemetry (OTLP) ingestion and moved Native Histograms from experimental
to a stable feature.
* Advanced Data Export: Rolled out Remote Write 2.0, offering better performance and metadata handling when sending
data to external systems.
* Query Power: Added new PromQL functions (like first_over_time and last_over_time) and optimization for grouping
operations.
* Better Visibility: The UI now displays detailed relabeling steps, scrape intervals, and timeouts, making it easier
to troubleshoot why targets aren't reporting correctly.
* Critical Fixes: Resolved significant memory leaks related to query logging and fixed bugs where targets were
accidentally being scraped multiple times.
grafana:
- Security issues fixed:
* CVE-2026-21722: Public dashboards annotations: use dashboard timerange if time selection disabled (bsc#1258136)
* CVE-2026-21721: Fixed access control by the dashboard permissions API (bsc#1257337)
* CVE-2026-21720: Fixed unauthenticated DoS (bsc#1257349)
* CVE-2025-68156: Fixed potential DoS via unbounded recursion in builtin functions (bsc#1255340)
* CVE-2025-3415: Fixed exposure of DingDing alerting integration URL to Viewer level users (bsc#1245302)
- Version update from 11.5.10 to 11.6.11 with the following highlighted changes and fixes:
* Performance Boost: Introduced WebGL-powered geomaps for smoother map visualizations and
removed blurred backgrounds from UI overlays to speed up the interface
* One-Click Actions: Visualizations now support faster navigation via one-click links and actions
* Alerting History: Added version history for alert rules, allowing you to track changes over time
* Service Accounts: Automated the migration of old API keys to more secure Service Accounts upon startup
* Cron Support: Annotations now support Cron syntax for more flexible scheduling
* Identity and Auth: Hardened the Avatar feature (now requires sign-in) and fixed several login redirection issues
when Grafana is hosted on a subpath
* Data Source Support: Added support for Cloud Partner Prometheus data sources and improved Azure legend formatting
* Alerting Limits: Added size limits for expanded notification templates to prevent system strain
* RBAC: Integrated Role-Based Access Control (RBAC) into the Alertmanager via the reqAction field
* Data Consistency: Fixed several issues with Graphite and InfluxDB regarding how variables are handled in repeated
rows or nested queries
* Dashboard Reliability: Resolved bugs involving row repeats and 'self-referencing' data links
* Alerting Fixes: Patched a critical 'panic' (crash) caused by a race condition in alert rules and fixed issues where
contact points weren't working correctly
* URL Handling: Fixed a bug where 'true' values in URL parameters weren't being read correctly
prometheus-blackbox_exporter:
- Non-customer-facing optimization and update
spacecmd:
- Version update to 5.0.15:
* Fixed typo in spacecmd help ca-cert flag (bsc#1253174)
* Convert cached IDs to integer values (bsc#1251995)
* Fixed spacecmd binary file upload (bsc#1253659)
uyuni-tools:
- Version update to 0.1.38:
* Fixed cobbler configuration when migrating to standalone files (bsc#1256803)
* Detect custom apache and squid config in the /etc/uyuni/proxy folder
* Add ssh tuning to configure sshd (bsc#1253738)
* Ignore supportconfig errors (bsc#1255781)
* Bumped the default image tag to 5.0.7
* Removed cgroup mount for podman containers (bsc#1253347)
* Registry flag can be a string (bsc#1254589)
* Use static supportconfig name to avoid dynamic search (bsc#1257941)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:1040-1
Released: Wed Mar 25 13:43:08 2026
Summary: Security update for systemd
Type: security
Severity: important
References: 1259418,1259650,1259697,CVE-2026-29111,CVE-2026-4105
This update for systemd fixes the following issues:
- CVE-2026-4105: privilege escalation due to improper access control in RegisterMachine D-Bus method (bsc#1259650).
- CVE-2026-29111: local unprivileged user can trigger an assert in systemd (bsc#1259418).
- udev: check for invalid chars in various fields received from the kernel (bsc#1259697).
Changelog:
- a943e3ce2f machined: reject invalid class types when registering machines
- 71593f77db udev: fix review mixup
- 73a89810b4 udev-builtin-net-id: print cescaped bad attributes
- 0f360bfdc0 udev-builtin-net_id: do not assume the current interface name is ethX
- 40905232e2 udev: ensure tag parsing stays within bounds
- 7bce9026e3 udev: ensure there is space for trailing NUL before calling sprintf
- d018ac1ea3 udev: check for invalid chars in various fields received from the kernel
- aef6e11921 core/cgroup: avoid one unnecessary strjoina()
- cc7426f38a sd-json: fix off-by-one issue when updating parent for array elements
- 26a748f727 core: validate input cgroup path more prudently
- 99d8308fde core/dbus-manager: propagate meaningful dbus errors from EnqueueMarkedJobs
The following package changes have been done:
- libtasn1-4.13-150000.4.14.1 updated
- libstdc++6-15.2.0+git10201-150000.1.9.1 updated
- libz1-1.2.13-150500.4.6.1 updated
- ca-certificates-mozilla-2.84-150200.44.1 updated
- libldap-data-2.4.46-150600.25.3.1 updated
- libuuid1-2.39.3-150600.4.18.1 updated
- libopenssl3-3.1.4-150600.5.42.1 updated
- libfdisk1-2.39.3-150600.4.18.1 updated
- golang-github-QubitProducts-exporter_exporter-0.4.0-150000.1.21.1 updated
- libmount1-2.39.3-150600.4.18.1 updated
- branch-network-formula-1.1.0-150600.3.9.3 updated
- libtasn1-6-4.13-150000.4.14.1 updated
- openssl-3-3.1.4-150600.5.42.1 updated
- libexpat1-2.7.1-150400.3.34.1 updated
- libblkid1-2.39.3-150600.4.18.1 updated
- libssh4-0.9.8-150600.11.9.1 updated
- glibc-2.38-150600.14.43.1 updated
- libglib-2_0-0-2.78.6-150600.4.35.1 updated
- libldap-2_4-2-2.4.46-150600.25.3.1 updated
- libatomic1-15.2.0+git10201-150000.1.9.1 updated
- inter-server-sync-0.3.10-150600.3.12.3 updated
- glibc-locale-base-2.38-150600.14.43.1 updated
- jose4j-0.9.5-150600.3.3.3 updated
- libopenssl-3-fips-provider-3.1.4-150600.5.42.1 updated
- liberate-formula-0.1.2-150600.3.6.3 updated
- libfreebl3-3.112.3-150400.3.63.1 updated
- libgomp1-15.2.0+git10201-150000.1.9.1 updated
- gpg2-2.4.4-150600.3.15.1 updated
- adcli-0.8.2-150400.17.11.1 updated
- libssh-config-0.9.8-150600.11.9.1 updated
- libxml2-2-2.10.3-150500.5.38.1 updated
- util-linux-2.39.3-150600.4.18.1 updated
- libavahi-common3-0.8-150600.15.12.1 updated
- curl-8.14.1-150600.4.40.1 updated
- libsqlite3-0-3.51.2-150000.3.36.1 updated
- libsmartcols1-2.39.3-150600.4.18.1 updated
- libgcc_s1-15.2.0+git10201-150000.1.9.1 updated
- libudev1-254.27-150600.4.62.1 updated
- libsystemd0-254.27-150600.4.62.1 updated
- libcurl4-8.14.1-150600.4.40.1 updated
- systemd-254.27-150600.4.62.1 updated
- libgmodule-2_0-0-2.78.6-150600.4.35.1 updated
- libgobject-2_0-0-2.78.6-150600.4.35.1 updated
- libipa_hbac0-2.10.2-150600.3.41.1 updated
- libitm1-15.2.0+git10201-150000.1.9.1 updated
- liblsan0-15.2.0+git10201-150000.1.9.1 updated
- libopenssl1_1-1.1.1w-150600.5.21.1 updated
- libpng16-16-1.6.40-150600.3.12.1 updated
- libpq5-18.3-150600.13.8.1 updated
- libquadmath0-15.2.0+git10201-150000.1.9.1 updated
- libsodium23-1.0.18-150000.4.14.1 updated
- libsss_idmap0-2.10.2-150600.3.41.1 updated
- libsss_nss_idmap0-2.10.2-150600.3.41.1 updated
- libxml2-tools-2.10.3-150500.5.38.1 updated
- libxslt1-1.1.34-150400.3.16.1 updated
- patch-2.7.6-150000.5.9.1 updated
- release-notes-susemanager-5.0.7-150600.11.50.1 updated
- snmp-mibs-5.9.4-150600.24.10.1 updated
- susemanager-schema-utility-5.0.19-150600.3.25.4 updated
- uyuni-config-modules-5.0.21-150600.3.30.3 updated
- vim-data-common-9.2.0110-150500.20.43.1 updated
- supportutils-3.2.12.2-150600.3.9.1 updated
- glibc-locale-2.38-150600.14.43.1 updated
- libavahi-client3-0.8-150600.15.12.1 updated
- libpython3_6m1_0-3.6.15-150300.10.106.1 updated
- python3-base-3.6.15-150300.10.106.1 updated
- python3-3.6.15-150300.10.106.1 updated
- python3-curses-3.6.15-150300.10.106.1 updated
- libldap-2_5-0-2.5.20+11-150500.11.38.1 added
- postgresql16-16.13-150600.16.30.1 updated
- libsss_certmap0-2.10.2-150600.3.41.1 updated
- libxslt-tools-1.1.34-150400.3.16.1 updated
- glibc-devel-2.38-150600.14.43.1 updated
- mozilla-nss-certs-3.112.3-150400.3.63.1 updated
- susemanager-docs_en-5.0.6-150600.11.21.3 updated
- libgio-2_0-0-2.78.6-150600.4.35.1 updated
- glib2-tools-2.78.6-150600.4.35.1 updated
- spacewalk-java-lib-5.0.31-150600.3.44.8 updated
- golang-github-prometheus-node_exporter-1.9.1-150100.3.38.1 updated
- shim-16.1-150300.4.31.3 updated
- vim-9.2.0110-150500.20.43.1 updated
- libsnmp40-5.9.4-150600.24.10.1 updated
- apache2-prefork-2.4.58-150600.5.44.1 updated
- libgnutls30-3.8.3-150600.4.17.1 updated
- python3-pyasn1-0.4.2-150000.3.13.1 updated
- postgresql16-server-16.13-150600.16.30.1 updated
- mozilla-nss-3.112.3-150400.3.63.1 updated
- libsoftokn3-3.112.3-150400.3.63.1 updated
- susemanager-docs_en-pdf-5.0.6-150600.11.21.3 updated
- susemanager-schema-5.0.19-150600.3.25.4 updated
- rsync-3.2.7-150600.3.14.1 updated
- perl-SNMP-5.9.4-150600.24.10.1 updated
- net-snmp-5.9.4-150600.24.10.1 updated
- apache2-2.4.58-150600.5.44.1 updated
- grub2-2.12-150600.8.49.1 updated
- grub2-i386-pc-2.12-150600.8.49.1 updated
- libvirt-libs-10.0.0-150600.8.15.1 updated
- python3-libxml2-2.10.3-150500.5.38.1 updated
- postgresql16-contrib-16.13-150600.16.30.1 updated
- sssd-ldap-2.10.2-150600.3.41.1 updated
- sssd-2.10.2-150600.3.41.1 updated
- sssd-krb5-common-2.10.2-150600.3.41.1 updated
- java-17-openjdk-headless-17.0.18.0-150400.3.63.1 updated
- susemanager-build-keys-15.5.3-150600.5.15.3 updated
- grub2-x86_64-efi-2.12-150600.8.49.1 updated
- grub2-powerpc-ieee1275-2.12-150600.8.49.1 updated
- grub2-arm64-efi-2.12-150600.8.49.1 updated
- spacecmd-5.0.15-150600.4.21.3 updated
- python3-ldap-3.4.0-150400.8.1 updated
- spacewalk-backend-sql-postgresql-5.0.17-150600.4.26.5 updated
- sssd-krb5-2.10.2-150600.3.41.1 updated
- sssd-dbus-2.10.2-150600.3.41.1 updated
- python3-sssd-config-2.10.2-150600.3.41.1 updated
- sssd-ad-2.10.2-150600.3.41.1 updated
- tomcat-servlet-4_0-api-9.0.115-150200.102.1 updated
- tomcat-el-3_0-api-9.0.115-150200.102.1 updated
- mchange-commons-0.2.20-150400.3.3.1 updated
- java-17-openjdk-17.0.18.0-150400.3.63.1 updated
- spacewalk-base-minimal-5.0.26-150600.3.36.8 updated
- susemanager-build-keys-web-15.5.3-150600.5.15.3 updated
- spacewalk-config-5.0.9-150600.3.18.3 updated
- sssd-tools-2.10.2-150600.3.41.1 updated
- sssd-ipa-2.10.2-150600.3.41.1 updated
- tomcat-jsp-2_3-api-9.0.115-150200.102.1 updated
- c3p0-0.9.5.5-150400.3.5.1 updated
- netty-4.1.130-150200.4.40.1 updated
- spacewalk-base-minimal-config-5.0.26-150600.3.36.8 updated
- tomcat-lib-9.0.115-150200.102.1 updated
- log4j-2.20.0-150200.4.30.1 updated
- protobuf-java-25.1-150600.16.16.1 updated
- python3-urllib3-1.25.10-150300.4.21.1 updated
- log4j-jcl-2.20.0-150200.4.30.1 updated
- log4j-slf4j-2.20.0-150200.4.30.1 updated
- spacewalk-backend-5.0.17-150600.4.26.5 updated
- python3-spacewalk-client-tools-5.0.12-150600.4.18.5 updated
- spacewalk-client-tools-5.0.12-150600.4.18.5 updated
- spacewalk-base-5.0.26-150600.3.36.8 updated
- salt-3006.0-150600.8.15.5 updated
- python3-salt-3006.0-150600.8.15.5 updated
- fence-agents-4.13.1+git.1704296072.32469f29-150600.3.27.2 updated
- spacewalk-backend-sql-5.0.17-150600.4.26.5 updated
- python3-spacewalk-certs-tools-5.0.13-150600.3.20.3 updated
- spacewalk-certs-tools-5.0.13-150600.3.20.3 updated
- tomcat-9.0.115-150200.102.1 updated
- salt-master-3006.0-150600.8.15.5 updated
- cobbler-3.3.3-150600.5.20.4 updated
- spacewalk-backend-server-5.0.17-150600.4.26.5 updated
- susemanager-sls-5.0.21-150600.3.30.3 updated
- spacewalk-java-postgresql-5.0.31-150600.3.44.8 updated
- spacewalk-java-config-5.0.31-150600.3.44.8 updated
- salt-api-3006.0-150600.8.15.5 updated
- spacewalk-backend-xmlrpc-5.0.17-150600.4.26.5 updated
- spacewalk-backend-xml-export-libs-5.0.17-150600.4.26.5 updated
- spacewalk-backend-package-push-server-5.0.17-150600.4.26.5 updated
- spacewalk-backend-iss-5.0.17-150600.4.26.5 updated
- spacewalk-backend-app-5.0.17-150600.4.26.5 updated
- spacewalk-html-5.0.26-150600.3.36.8 updated
- spacewalk-taskomatic-5.0.31-150600.3.44.8 updated
- spacewalk-java-5.0.31-150600.3.44.8 updated
- spacewalk-backend-iss-export-5.0.17-150600.4.26.5 updated
- susemanager-tools-5.0.17-150600.3.25.3 updated
- spacewalk-backend-tools-5.0.17-150600.4.26.5 updated
- susemanager-5.0.17-150600.3.25.3 updated
- container:bci-bci-init-15.6-14906ac7eff908b0914018f3b3be9441e4d11e052ce975100be46d188581cd46-0 added
- container:suse-manager-5.0-init-5.0.6-5.0.6-7.27.8 removed
- libestr0-0.1.10-1.25 removed
- libfastjson4-0.99.9-150400.3.3.1 removed
- liblogging0-1.0.6-3.21 removed
- liblognorm5-2.0.6-150000.3.3.1 removed
- librdkafka1-0.11.6-150600.16.3.1 removed
- libwayland-client0-1.22.0-150600.1.6 removed
- rsyslog-8.2406.0-150600.12.8.1 removed
- sysconfig-0.85.10-150200.15.1 removed
- sysconfig-netconfig-0.85.10-150200.15.1 removed
- syslog-service-2.0-11.2 removed
- util-linux-systemd-2.39.3-150600.4.12.2 removed
- wicked-0.6.77-150600.11.15.1 removed
- wicked-service-0.6.77-150600.11.15.1 removed