SUSE-CU-2026:4708-1: Security update of rancher/seedimage-builder
sle-container-updates at lists.suse.com
Thu May 7 07:17:33 UTC 2026
SUSE Container Update Advisory: rancher/seedimage-builder
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2026:4708-1
Container Tags : rancher/seedimage-builder:1.6.10 , rancher/seedimage-builder:1.6.10-9.51
Container Release : 9.51
Severity : critical
Type : security
References : 1216378 1228081 1233593 1233594 1233773 1238724 1239941 1246965
1247850 1247858 1249147 1250410 1250553 1251213 1252048 1252148
1254293 1254666 1254867 1255066 1255066 1255768 1256105 1256427
1256525 1256526 1256766 1256804 1256805 1256805 1256807 1256808
1256809 1256810 1256811 1256812 1256822 1256830 1256834 1256835
1256836 1256837 1256838 1256839 1256840 1256876 1256878 1256880
1257005 1257111 1257144 1257359 1257364 1257365 1257496 1257593
1257594 1257595 1258002 1258005 1258020 1258143 1258311 1258371
1258392 1258655 1258859 1259118 1259126 1259271 1259362 1259362
1259363 1259364 1259365 1259418 1259472 1259502 1259623 1259650
1259697 1259711 1259726 1259729 1259816 1259825 1259845 1259859
1259859 1259859 1259924 1260078 1260082 1260265 1260441 1260442
1260443 1260444 1260445 1260754 1260755 1261209 1261621 1261622
1261624 1261630 1261630 1261634 1261678 1261696 1261705 1261706
1261708 1261712 1261717 1261718 1261720 1261809 1261845 1261845
1261850 1261851 1261852 1261853 1261854 1261855 1261856 1261857
1261876 1261957 1262144 1262216 1262220 1262254 1262255 1262425
1262426 1262631 1262632 1262635 1262636 1262638 1263689 1263689
CVE-2023-45853 CVE-2024-10524 CVE-2024-11595 CVE-2024-11596 CVE-2025-10911
CVE-2025-11187 CVE-2025-14017 CVE-2025-14104 CVE-2025-15281 CVE-2025-15467
CVE-2025-15467 CVE-2025-15468 CVE-2025-28162 CVE-2025-28164 CVE-2025-39977
CVE-2025-40309 CVE-2025-40309 CVE-2025-66471 CVE-2025-66614 CVE-2025-67746
CVE-2025-68160 CVE-2025-69418 CVE-2025-69419 CVE-2025-69420 CVE-2025-69421
CVE-2025-69720 CVE-2025-71066 CVE-2025-8058 CVE-2025-8732 CVE-2025-9230
CVE-2025-9615 CVE-2026-0861 CVE-2026-0915 CVE-2026-0989 CVE-2026-0989
CVE-2026-0990 CVE-2026-0992 CVE-2026-1757 CVE-2026-1965 CVE-2026-1965
CVE-2026-22695 CVE-2026-22795 CVE-2026-22796 CVE-2026-22801 CVE-2026-23004
CVE-2026-23204 CVE-2026-23268 CVE-2026-23268 CVE-2026-23268 CVE-2026-23437
CVE-2026-23437 CVE-2026-23865 CVE-2026-23868 CVE-2026-24515 CVE-2026-24880
CVE-2026-25075 CVE-2026-25210 CVE-2026-25646 CVE-2026-25854 CVE-2026-27135
CVE-2026-27171 CVE-2026-28387 CVE-2026-28388 CVE-2026-28389 CVE-2026-28390
CVE-2026-29111 CVE-2026-29129 CVE-2026-29145 CVE-2026-29146 CVE-2026-31406
CVE-2026-31406 CVE-2026-31431 CVE-2026-31431 CVE-2026-31789 CVE-2026-31790
CVE-2026-31812 CVE-2026-3184 CVE-2026-32776 CVE-2026-32777 CVE-2026-32778
CVE-2026-32990 CVE-2026-33186 CVE-2026-33416 CVE-2026-33636 CVE-2026-34379
CVE-2026-34380 CVE-2026-34483 CVE-2026-34486 CVE-2026-34487 CVE-2026-34500
CVE-2026-34588 CVE-2026-34589 CVE-2026-34757 CVE-2026-35328 CVE-2026-35329
CVE-2026-35330 CVE-2026-35331 CVE-2026-35332 CVE-2026-35333 CVE-2026-35334
CVE-2026-3783 CVE-2026-3784 CVE-2026-3805 CVE-2026-40176 CVE-2026-40244
CVE-2026-40250 CVE-2026-40261 CVE-2026-4046 CVE-2026-40706 CVE-2026-4105
CVE-2026-41651 CVE-2026-4437 CVE-2026-4438 CVE-2026-4873 CVE-2026-4878
CVE-2026-5545 CVE-2026-5958 CVE-2026-6253 CVE-2026-6276 CVE-2026-6429
-----------------------------------------------------------------
The container rancher/seedimage-builder was updated. The following patches have been included in this update:
-----------------------------------------------------------------
Advisory ID: 109
Released: Thu May 15 11:36:36 2025
Summary: Security update for wget
Type: security
Severity: moderate
References: 1233593,1233594,1233773,CVE-2024-10524,CVE-2024-11595,CVE-2024-11596
This update for wget fixes the following issues:
- CVE-2024-10524: Drop support for shorthand URLs (bsc#1233773).
-----------------------------------------------------------------
Advisory ID: 570
Released: Thu Feb 12 14:57:47 2026
Summary: Security update for util-linux
Type: security
Severity: moderate
References: 1254666,1257359,1259472,CVE-2025-14104,CVE-2025-9615,CVE-2026-25075
This update for util-linux fixes the following issues:
- CVE-2025-14104: Fixed heap buffer overread in setpwnam() when processing 256-byte usernames (bsc#1254666).
- lscpu: Add support for NVIDIA Olympus arm64 core (jsc#PED-13682).
-----------------------------------------------------------------
Advisory ID: 569
Released: Thu Feb 12 15:05:28 2026
Summary: Security update for curl
Type: security
Severity: important
References: 1239941,1256105,CVE-2025-14017
This update for curl fixes the following issues:
- CVE-2025-14017: Fixed broken TLS options for threaded LDAPS (bsc#1256105).
-----------------------------------------------------------------
Advisory ID: 572
Released: Thu Feb 12 15:47:03 2026
Summary: Security update for openssl-3
Type: security
Severity: critical
References: 1256830,1256834,1256835,1256836,1256837,1256838,1256839,1256840,1261696,CVE-2025-15467,CVE-2025-68160,CVE-2025-69418,CVE-2025-69419,CVE-2025-69420,CVE-2025-69421,CVE-2026-22795,CVE-2026-22796
This update for openssl-3 fixes the following issues:
- CVE-2025-15467: Stack buffer overflow in CMS AuthEnvelopedData parsing (bsc#1256830).
- CVE-2025-68160: Heap out-of-bounds write in BIO_f_linebuffer on short writes (bsc#1256834).
- CVE-2025-69418: Unauthenticated/unencrypted trailing bytes with low-level OCB function calls (bsc#1256835).
- CVE-2025-69419: Out of bounds write in PKCS12_get_friendlyname() UTF-8 conversion (bsc#1256836).
- CVE-2025-69420: Missing ASN1_TYPE validation in TS_RESP_verify_response() function (bsc#1256837).
- CVE-2025-69421: NULL Pointer Dereference in PKCS12_item_decrypt_d2i_ex function (bsc#1256838).
- CVE-2026-22795: Missing ASN1_TYPE validation in PKCS#12 parsing (bsc#1256839).
- CVE-2026-22796: ASN1_TYPE Type Confusion in the PKCS7_digest_from_attributes() function (bsc#1256840).
-----------------------------------------------------------------
Advisory ID: 576
Released: Fri Feb 13 17:46:23 2026
Summary: Security update for expat
Type: security
Severity: moderate
References: 1257144,1257496,1258143,CVE-2026-24515,CVE-2026-25210
This update for expat fixes the following issues:
- CVE-2026-24515: failure to copy the encoding handler data passed to XML_SetUnknownEncodingHandler may cause a NULL
  dereference (bsc#1257144).
- CVE-2026-25210: lack of buffer size check can lead to an integer overflow (bsc#1257496).
-----------------------------------------------------------------
Advisory ID: 578
Released: Mon Feb 16 09:28:24 2026
Summary: Security update for libxml2
Type: security
Severity: moderate
References: 1256805,1259816,1260265,CVE-2026-0989,CVE-2026-33186
This update for libxml2 fixes the following issues:
- CVE-2026-0989: Fixed call stack exhaustion leading to application crash
  due to RelaxNG parser not limiting the recursion depth when
  resolving `<include>` directives (bsc#1256805).
-----------------------------------------------------------------
Advisory ID: 593
Released: Thu Feb 26 11:51:48 2026
Summary: Security update for libpng16
Type: security
Severity: important
References: 1256525,1256526,1257364,1257365,1258020,1259623,1261876,CVE-2025-28162,CVE-2025-28164,CVE-2026-22695,CVE-2026-22801,CVE-2026-25646,CVE-2026-31812
This update for libpng16 fixes the following issues:
- CVE-2025-28162: memory leaks when running `pngimage` (bsc#1257364).
- CVE-2025-28164: memory leaks when running `pngimage` (bsc#1257365).
- CVE-2026-22695: heap buffer over-read in png_image_finish_read (bsc#1256525).
- CVE-2026-22801: integer truncation causing heap buffer over-read in png_image_write_* (bsc#1256526).
- CVE-2026-25646: heap buffer overflow vulnerability in png_set_dither/png_set_quantize (bsc#1258020).
-----------------------------------------------------------------
Advisory ID: 597
Released: Thu Feb 26 12:33:53 2026
Summary: Security update for glibc
Type: security
Severity: important
References: 1246965,1256766,1256822,1257005,CVE-2025-15281,CVE-2025-8058,CVE-2026-0861,CVE-2026-0915
This update for glibc fixes the following issues:
- CVE-2026-0861: inadequate size check in the memalign suite may result in an integer overflow (bsc#1256766).
- CVE-2026-0915: uninitialized stack buffer used as DNS query name when net==0 in _nss_dns_getnetbyaddr_r (bsc#1256822).
- CVE-2025-15281: uninitialized memory may cause the process to abort (bsc#1257005).
- CVE-2025-8058: a malloc failure in regcomp function can lead to a double free (bsc#1246965).
-----------------------------------------------------------------
Advisory ID: 604
Released: Wed Mar 4 09:37:59 2026
Summary: Security update for ca-certificates-mozilla
Type: security
Severity: moderate
References: 1238724,1249147,1251213,1257111,1258002
This update for ca-certificates-mozilla fixes the following issues:
- Updated to 2.84 state of Mozilla SSL root CAs (bsc#1258002)
- Removed:
  - Baltimore CyberTrust Root
  - CommScope Public Trust ECC Root-01
  - CommScope Public Trust ECC Root-02
  - CommScope Public Trust RSA Root-01
  - CommScope Public Trust RSA Root-02
  - DigiNotar Root CA
- Added:
  - e-Szigno TLS Root CA 2023
  - OISTE Client Root ECC G1
  - OISTE Client Root RSA G1
  - OISTE Server Root ECC G1
  - OISTE Server Root RSA G1
  - SwissSign RSA SMIME Root CA 2022 - 1
  - SwissSign RSA TLS Root CA 2022 - 1
  - TrustAsia SMIME ECC Root CA
  - TrustAsia SMIME RSA Root CA
  - TrustAsia TLS ECC Root CA
  - TrustAsia TLS RSA Root CA
-----------------------------------------------------------------
Advisory ID: 608
Released: Fri Mar 6 12:53:41 2026
Summary: Security update for libxslt, libxml2
Type: security
Severity: moderate
References: 1247850,1247858,1250553,1255066,1256804,1256805,1256807,1256808,1256809,1256810,1256811,1256812,1257593,1257594,1257595,1259859,CVE-2025-10911,CVE-2025-40309,CVE-2025-8732,CVE-2026-0989,CVE-2026-0990,CVE-2026-0992,CVE-2026-1757,CVE-2026-23268
This update for libxslt, libxml2 fixes the following issues:
Changes in libxml2:
- CVE-2026-0990: call stack overflow may lead to application crash due to infinite recursion in
  `xmlCatalogXMLResolveURI` (bsc#1256807, bsc#1256811).
- CVE-2026-0992: excessive resource consumption when processing XML catalogs due to exponential behavior when handling
  `nextCatalog` elements (bsc#1256809, bsc#1256812).
- CVE-2025-8732: infinite recursion in catalog parsing functions when processing malformed SGML catalog files
  (bsc#1247858).
- CVE-2026-1757: memory leak in the `xmllint` interactive shell (bsc#1257594, bsc#1257595).
- CVE-2025-10911: parsing xsl nodes may lead to use-after-free with key data stored cross-RVT (bsc#1250553).
-----------------------------------------------------------------
Advisory ID: 610
Released: Mon Mar 9 10:54:57 2026
Summary: Security update for zlib
Type: security
Severity: moderate
References: 1216378,1255066,1258392,1259859,CVE-2023-45853,CVE-2025-40309,CVE-2026-23268,CVE-2026-27171
This update for zlib fixes the following issues:
- CVE-2026-27171: Fixed an infinite loop via the crc32_combine64 and crc32_combine_gen64 functions due to missing checks for negative lengths. (bsc#1258392)
- CVE-2023-45853: Fixed an integer overflow and resultant heap-based buffer overflow in zipOpenNewFileInZip4_6. (bsc#1216378)
-----------------------------------------------------------------
Advisory ID: 612
Released: Tue Mar 10 09:40:03 2026
Summary: Security update for util-linux
Type: security
Severity: moderate
References: 1258859,1259502,CVE-2026-23868,CVE-2026-3184
This update for util-linux fixes the following issue:
- CVE-2026-3184: access control bypass due to improper hostname canonicalization in `login` (bsc#1258859).
-----------------------------------------------------------------
Advisory ID: 617
Released: Thu Mar 12 10:40:37 2026
Summary: Security update for curl
Type: security
Severity: important
References: 1259362,1259363,1259364,1259365,1261621,1261622,1261624,1261634,CVE-2026-1965,CVE-2026-34379,CVE-2026-34380,CVE-2026-34588,CVE-2026-34589,CVE-2026-3783,CVE-2026-3784,CVE-2026-3805
This update for curl fixes the following issues:
- CVE-2026-1965: bad reuse of HTTP Negotiate connection (bsc#1259362).
- CVE-2026-3783: token leak with redirect and netrc (bsc#1259363).
- CVE-2026-3784: wrong proxy connection reuse with credentials (bsc#1259364).
- CVE-2026-3805: use after free in SMB connection reuse (bsc#1259365).
-----------------------------------------------------------------
Advisory ID: 623
Released: Mon Mar 16 14:23:56 2026
Summary: Security update for freetype2
Type: security
Severity: moderate
References: 1252148,1258371,1259118,1261850,1261851,1261852,1261853,1261854,1261855,1261856,1261857,CVE-2025-66614,CVE-2026-23865,CVE-2026-24880,CVE-2026-25854,CVE-2026-29129,CVE-2026-29145,CVE-2026-29146,CVE-2026-32990,CVE-2026-34483,CVE-2026-34486,CVE-2026-34487,CVE-2026-34500
This update for freetype2 fixes the following issue:
Update to freetype2 2.14.2:
- CVE-2026-23865: Integer overflow in the tt_var_load_item_variation_store function (bsc#1259118).
Changelog:
* Several changes related to LCD filtering are implemented to
  achieve better performance and encourage sound practices.
* Instead of blanket LCD filtering over the entire bitmap, it
  is now applied only to non-zero spans using direct rendering.
  This speeds up the ClearType-like rendering by more than 40%
  at sizes above 32 ppem.
* Setting the filter weights with FT_Face_Properties is no
  longer supported. The default and light filters are optimized
  to work with any face.
* The legacy libXft LCD filter algorithm is no longer provided.
* The italic angle in `PS_FontInfo` is now stored as a fixed-point
  value in degrees for all Type 1 fonts and their derivatives,
  consistent with CFF fonts and common practices. The broken
  underline position and thickness values are fixed for CFF fonts.
* The `x` field in the `FT_Span` structure is now unsigned.
* Demo program `ftgrid` got an option `-m` to select a start
  character to display.
* Similarly, demo program `ftmulti` got an option `-m` to select a
  text string for rendering.
* Option `-d` in the demo program `ttdebug` is now called `-a`,
  expecting a comma-separated list of axis values. The user
  interface is also slightly improved.
* The `ftinspect` demo program can now be compiled with Qt6, too.
* The auto-hinter got new abilities. It can now better separate
  diacritic glyphs from base glyphs at small sizes by
  artificially moving diacritics up (or down) if necessary.
* Tilde accent glyphs get vertically stretched at small sizes so
  that they don't degenerate to horizontal lines.
* Diacritics directly attached to a base glyph (like the ogonek in
  character 'ę') no longer distort the shape of the base glyph.
* The TrueType instruction interpreter was optimized to
  produce a 15% gain in the glyph loading speed.
* Handling of Variation Fonts is now considerably faster.
* TrueType and CFF glyph loading speed has been improved by 5-10%
  on modern 64-bit platforms as a result of better handling of
  fixed-point multiplication.
* The BDF driver now loads fonts 75% faster.
-----------------------------------------------------------------
Advisory ID: 638
Released: Tue Mar 24 10:27:18 2026
Summary: Security update for systemd
Type: security
Severity: important
References: 1228081,1254293,1256427,1259418,1259650,1259697,1259859,CVE-2026-23268,CVE-2026-29111,CVE-2026-4105
This update for systemd fixes the following issues:
Security issues:
- CVE-2026-4105: privilege escalation due to improper access control in RegisterMachine D-Bus method (bsc#1259650).
- CVE-2026-29111: local unprivileged user can trigger an assert in systemd (bsc#1259418).
- udev: check for invalid chars in various fields received from the kernel (bsc#1259697).
Non security issues:
- Name libsystemd-{shared,core} based on the major version of systemd and the
  package release number (bsc#1228081, bsc#1256427)
- detect-virt: bare-metal GCE only for x86 and i386 (bsc#1254293)
Changelog:
- a943e3ce2f machined: reject invalid class types when registering machines
- 71593f77db udev: fix review mixup
- 73a89810b4 udev-builtin-net-id: print cescaped bad attributes
- 0f360bfdc0 udev-builtin-net_id: do not assume the current interface name is ethX
- 40905232e2 udev: ensure tag parsing stays within bounds
- 7bce9026e3 udev: ensure there is space for trailing NUL before calling sprintf
- d018ac1ea3 udev: check for invalid chars in various fields received from the kernel
- aef6e11921 core/cgroup: avoid one unnecessary strjoina()
- cc7426f38a sd-json: fix off-by-one issue when updating parent for array elements
- 26a748f727 core: validate input cgroup path more prudently
- 99d8308fde core/dbus-manager: propagate meaningful dbus errors from EnqueueMarkedJobs
- 8bbac1d508 detect-virt: bare-metal GCE only for x86 and i386
-----------------------------------------------------------------
Advisory ID: 644
Released: Thu Mar 26 10:10:44 2026
Summary: Security update for nghttp2
Type: security
Severity: important
References: 1259845,CVE-2026-27135
This update for nghttp2 fixes the following issue:
- CVE-2026-27135: assertion failure due to missing state validation can lead to DoS (bsc#1259845).
-----------------------------------------------------------------
Advisory ID: 651
Released: Thu Apr 2 14:55:24 2026
Summary: Recommended update for crypto-policies
Type: recommended
Severity: important
References: 1258311,1259825,1261209,CVE-2026-4046
This update for crypto-policies fixes the following issues:
- Add PQC support for OpenSSH (bsc#1258311, bsc#1259825)
  * Enable and prioritize sntrup761x25519-sha512 for OpenSSH by default
-----------------------------------------------------------------
Advisory ID: 654
Released: Tue Apr 7 20:52:31 2026
Summary: Security update for expat
Type: security
Severity: important
References: 1259711,1259726,1259729,1262220,CVE-2026-32776,CVE-2026-32777,CVE-2026-32778,CVE-2026-41651
This update for expat fixes the following issues:
- CVE-2026-32776: NULL pointer dereference when processing empty external parameter entities inside an entity
  declaration value (bsc#1259726).
- CVE-2026-32777: denial of service due to infinite loop in DTD content parsing (bsc#1259711).
- CVE-2026-32778: NULL pointer dereference in `setContext` on retry after an out-of-memory condition (bsc#1259729).
-----------------------------------------------------------------
Advisory ID: 657
Released: Wed Apr 8 18:32:18 2026
Summary: Security update for openssl-3
Type: security
Severity: important
References: 1254867,1260441,1260442,1260443,1260444,1260445,CVE-2025-66471,CVE-2026-28387,CVE-2026-28388,CVE-2026-28389,CVE-2026-31789,CVE-2026-31790
This update for openssl-3 fixes the following issues:
- CVE-2026-28387: Potential use-after-free in DANE client code (bsc#1260441).
- CVE-2026-28388: NULL Pointer Dereference When Processing a Delta CRL (bsc#1260442).
- CVE-2026-28389: Possible NULL dereference when processing CMS KeyAgreeRecipientInfo (bsc#1260443).
- CVE-2026-31789: Heap buffer overflow in hexadecimal conversion (bsc#1260444).
- CVE-2026-31790: Incorrect failure handling in RSA KEM RSASVE encapsulation (bsc#1260445).
-----------------------------------------------------------------
Advisory ID: 660
Released: Thu Apr 9 12:16:32 2026
Summary: Security update for libpng16
Type: security
Severity: important
References: 1260754,1260755,1262425,1262426,CVE-2026-33416,CVE-2026-33636,CVE-2026-40244,CVE-2026-40250
This update for libpng16 fixes the following issues:
- CVE-2026-33416: use-after-free via pointer aliasing in `png_set_tRNS` and `png_set_PLTE` can lead to arbitrary code
  execution (bsc#1260754).
- CVE-2026-33636: out-of-bounds read/write in the palette expansion on ARM Neon can lead to information leak and
  crashes (bsc#1260755).
-----------------------------------------------------------------
Advisory ID: 659
Released: Thu Apr 9 13:02:01 2026
Summary: Security update for glibc
Type: security
Severity: important
References: 1260078,1260082,1262216,CVE-2026-40706,CVE-2026-4437,CVE-2026-4438
This update for glibc fixes the following issues:
- CVE-2026-4437: incorrect DNS response parsing via crafted DNS server response (bsc#1260078).
- CVE-2026-4438: invalid DNS hostname returned via gethostbyaddr functions (bsc#1260082).
-----------------------------------------------------------------
Advisory ID: 675
Released: Mon Apr 20 14:43:53 2026
Summary: Security update for libcap
Type: security
Severity: important
References: 1250410,1256876,1256878,1256880,1259271,1261809,CVE-2025-11187,CVE-2025-15467,CVE-2025-15468,CVE-2025-9230,CVE-2026-4878
This update for libcap fixes the following issues:
- CVE-2026-4878: local privilege escalation through file capability injection due to TOCTOU race condition in
  `cap_set_file()` (bsc#1261809).
-----------------------------------------------------------------
Advisory ID: 672
Released: Mon Apr 20 14:56:30 2026
Summary: Security update for openssl-3
Type: security
Severity: moderate
References: 1255768,1261678,1262254,1262255,CVE-2025-67746,CVE-2026-28390,CVE-2026-40176,CVE-2026-40261
This update for openssl-3 fixes the following issues:
- CVE-2026-28390: NULL pointer dereference during processing of a crafted CMS EnvelopedData message with
  KeyTransportRecipientInfo (bsc#1261678).
-----------------------------------------------------------------
Advisory ID: 681
Released: Tue Apr 21 10:57:05 2026
Summary: Security update for ncurses
Type: security
Severity: moderate
References: 1259924,CVE-2025-69720
This update for ncurses fixes the following issue:
- CVE-2025-69720: buffer overflow in function `analyze_string()` of `progs/infocmp.c` (bsc#1259924).
-----------------------------------------------------------------
Advisory ID: 680
Released: Tue Apr 21 11:02:28 2026
Summary: Security update for libpng16
Type: security
Severity: moderate
References: 1261705,1261706,1261708,1261712,1261717,1261718,1261720,1261957,CVE-2026-34757,CVE-2026-35328,CVE-2026-35329,CVE-2026-35330,CVE-2026-35331,CVE-2026-35332,CVE-2026-35333,CVE-2026-35334
This update for libpng16 fixes the following issue:
- CVE-2026-34757: libpng: Information disclosure and data corruption via use-after-free vulnerability (bsc#1261957).
-----------------------------------------------------------------
Advisory ID: 688
Released: Mon Apr 27 19:25:16 2026
Summary: Security update for sed
Type: security
Severity: moderate
References: 1261630,1261845,1262144,1263689,CVE-2026-23437,CVE-2026-31406,CVE-2026-31431,CVE-2026-5958
This update for sed fixes the following issue:
- CVE-2026-5958: TOCTOU race allows write of user-controlled content to unintended files and can lead to arbitrary file
  overwrite (bsc#1262144).
-----------------------------------------------------------------
Advisory ID: 695
Released: Thu Apr 30 17:04:03 2026
Summary: Security update for curl
Type: security
Severity: important
References: 1252048,1258005,1258655,1259126,1259362,1261630,1261845,1262631,1262632,1262635,1262636,1262638,1263689,CVE-2025-39977,CVE-2025-71066,CVE-2026-1965,CVE-2026-23004,CVE-2026-23204,CVE-2026-23437,CVE-2026-31406,CVE-2026-31431,CVE-2026-4873,CVE-2026-5545,CVE-2026-6253,CVE-2026-6276,CVE-2026-6429
This update for curl fixes the following issues:
Security issues fixed:
- CVE-2026-4873: connection reuse ignores TLS requirement (bsc#1262631).
- CVE-2026-5545: wrong reuse of HTTP Negotiate connection (bsc#1262632).
- CVE-2026-6253: proxy credentials leak over redirect-to proxy (bsc#1262635).
- CVE-2026-6276: stale custom cookie host causes cookie leak (bsc#1262636).
- CVE-2026-6429: netrc credential leak with reused proxy connection (bsc#1262638).
Other updates and bugfixes:
- sws: prevent 'connection monitor' to say disconnect twice (bsc#1259362).
The following package changes have been done:
- boost-license1_84_0-1.84.0-1.4 added
- btrfsprogs-udev-rules-6.1.3-6.19 added
- compat-usrmerge-tools-84.87-3.1 added
- crypto-policies-20230920.570ea89-2.1 added
- elemental-httpfy-1.6.10-1.1 added
- elemental-seedimage-hooks-1.6.10-1.1 added
- file-magic-5.44-4.151 added
- kbd-legacy-2.6.4-1.3 added
- libsemanage-conf-3.5-3.1 added
- pkgconf-m4-1.8.0-2.205 added
- system-user-root-20190513-2.208 added
- filesystem-84.87-5.2 added
- glibc-2.38-12.1 added
- libzstd1-1.5.5-8.142 added
- libz1-1.2.13-7.1 added
- libxxhash0-0.8.1-2.194 added
- libuuid1-2.39.3-6.1 added
- liburcu8-0.14.0-2.8 added
- libunistring5-1.1-3.1 added
- libtextstyle0-0.21.1-6.1 added
- libtasn1-6-4.19.0-5.1 added
- libsmartcols1-2.39.3-6.1 added
- libsepol2-3.5-3.1 added
- libseccomp2-2.5.4-3.1 added
- libpopt0-1.19-2.184 added
- libpkgconf3-1.8.0-2.205 added
- libpcre2-8-0-10.42-2.179 added
- libparted-fs-resize0-3.5-2.11 added
- libnss_usrfiles2-2.27-3.1 added
- libnghttp2-14-1.52.0-6.1 added
- liblzo2-2-2.10-3.1 added
- liblzma5-5.4.3-5.1 added
- liblz4-1-1.9.4-4.1 added
- liblua5_4-5-5.4.6-1.68 added
- libjson-c5-0.16-3.1 added
- libjitterentropy3-3.4.1-3.1 added
- libip4tc2-1.8.9-4.1 added
- libgpg-error0-1.47-4.136 added
- libgmp10-6.3.0-1.119 added
- libgcc_s1-13.3.0+git8781-2.1 added
- libfuse2-2.9.9-3.1 added
- libffi8-3.4.4-3.1 added
- libexpat1-2.7.1-5.1 added
- libeconf0-0.6.1-1.13 added
- libcrypt1-4.4.36-1.134 added
- libcom_err2-1.47.0-3.1 added
- libcap2-2.69-3.1 added
- libcap-ng0-0.8.3-4.1 added
- libbz2-1-1.0.8-3.1 added
- libburn4-1.5.4-1.9 added
- libbtrfsutil1-6.1.3-6.19 added
- libbtrfs0-6.1.3-6.19 added
- libbrotlicommon1-1.1.0-1.6 added
- libblkid1-2.39.3-6.1 added
- libaudit1-3.0.9-4.1 added
- libattr1-2.5.1-3.1 added
- libargon2-1-20190702-3.1 added
- libalternatives1-1.2+30.a5431e9-3.1 added
- libaio1-0.3.113-3.1 added
- libacl1-2.3.1-3.1 added
- fillup-1.42-3.1 added
- dosfstools-4.2-2.9 added
- diffutils-3.10-2.101 added
- libpng16-16-1.6.43-5.1 added
- libidn2-0-2.3.4-3.1 added
- pkgconf-1.8.0-2.205 added
- libselinux1-3.5-3.1 added
- netcfg-11.6-4.42 added
- libxml2-2-2.11.6-12.1 added
- squashfs-4.6.1-3.7 added
- libgcrypt20-1.10.3-3.1 added
- libstdc++6-13.3.0+git8781-2.1 added
- libp11-kit0-0.25.3-1.6 added
- perl-base-5.38.2-4.1 added
- libext2fs2-1.47.0-3.1 added
- libudev1-254.27-3.1 added
- chkstat-1600_20240206-1.8 added
- libzio1-1.08-3.1 added
- libmagic1-5.44-4.151 added
- libjte2-1.22-1.8 added
- libbrotlidec1-1.1.0-1.6 added
- libfdisk1-2.39.3-6.1 added
- alts-1.2+30.a5431e9-3.1 added
- libpsl5-0.21.2-3.1 added
- sed-4.9-3.1 added
- libsubid4-4.15.1-1.1 added
- libsemanage2-3.5-3.1 added
- libmount1-2.39.3-6.1 added
- findutils-4.9.0-4.1 added
- libsystemd0-254.27-3.1 added
- libncurses6-6.4.20240224-11.1 added
- terminfo-base-6.4.20240224-11.1 added
- libinih0-56-3.1 added
- libboost_thread1_84_0-1.84.0-1.4 added
- p11-kit-0.25.3-1.6 added
- p11-kit-tools-0.25.3-1.6 added
- libisofs6-1.5.4-1.9 added
- libfreetype6-2.14.2-1.1 added
- ncurses-utils-6.4.20240224-11.1 added
- libreadline8-8.2-2.180 added
- libedit0-20210910.3.1-9.169 added
- gptfdisk-1.0.9-4.1 added
- libisoburn1-1.5.4-1.9 added
- bash-5.2.15-3.1 added
- bash-sh-5.2.15-3.1 added
- xz-5.4.3-5.1 added
- systemd-default-settings-branding-openSUSE-0.7-2.4 added
- systemd-default-settings-0.7-2.4 added
- pkgconf-pkg-config-1.8.0-2.205 added
- login_defs-4.15.1-1.1 added
- libdevmapper1_03-2.03.22_1.02.196-1.8 added
- gzip-1.13-1.50 added
- grep-3.11-4.8 added
- gettext-runtime-0.21.1-6.1 added
- coreutils-9.4-5.1 added
- ALP-dummy-release-0.1-8.67 added
- libparted2-3.5-2.11 added
- libdevmapper-event1_03-2.03.22_1.02.196-1.8 added
- info-7.0.3-4.1 added
- xfsprogs-6.5.0-1.9 added
- thin-provisioning-tools-0.9.0-2.10 added
- systemd-rpm-macros-24-1.205 added
- systemd-presets-common-SUSE-15-5.1 added
- rpm-config-SUSE-20240214-1.1 added
- rpm-4.18.0-7.1 added
- permissions-config-1600_20240206-1.8 added
- glibc-locale-base-2.38-12.1 added
- e2fsprogs-1.47.0-3.1 added
- ca-certificates-2+git20230406.2dae8b7-3.1 added
- ca-certificates-mozilla-2.84-1.1 added
- btrfsprogs-6.1.3-6.19 added
- parted-3.5-2.11 added
- liblvm2cmd2_03-2.03.22-1.8 added
- xorriso-1.5.4-1.9 added
- device-mapper-2.03.22_1.02.196-1.8 added
- systemd-presets-branding-ALP-transactional-20230214-3.1 added
- permissions-1600_20240206-1.8 added
- mtools-4.0.43-4.9 added
- libopenssl3-3.1.4-13.1 added
- pam-1.6.0-5.1 added
- grub2-2.12~rc1-7.1 added
- grub2-i386-pc-2.12~rc1-7.1 added
- suse-module-tools-16.0.43-1.1 added
- kmod-30-11.1 added
- rsync-3.2.7-5.1 added
- libkmod2-30-11.1 added
- libcurl-mini4-8.14.1-6.1 added
- libcryptsetup12-2.6.1-4.13 added
- util-linux-2.39.3-6.1 added
- shadow-4.15.1-1.1 added
- pam-config-2.11-2.1 added
- kbd-2.6.4-1.3 added
- curl-8.14.1-6.1 added
- libsnapper7-0.10.5-2.10 added
- aaa_base-84.87+git20240906.742565b-1.1 added
- dbus-1-daemon-1.14.10-1.11 added
- dbus-1-tools-1.14.10-1.11 added
- systemd-254.27-3.1 added
- sysuser-shadow-3.1-2.197 added
- dbus-1-common-1.14.10-1.11 added
- libdbus-1-3-1.14.10-1.11 added
- dbus-1-1.14.10-1.11 added
- system-group-kvm-20170617-2.197 added
- system-group-hardware-20170617-2.197 added
- udev-254.27-3.1 added
- snapper-0.10.5-2.10 added
- lvm2-2.03.22-1.8 added
- elemental-toolkit-2.1.5-1.1 added
- container:suse-toolbox-image-1.0.0-9.105 added
- container:bci-bci-base-16.0-6dac57506c189189476aff26919b9d9bd02d27b746266a8ef6fcadfa1d47a922-0 removed