SUSE-CU-2026:4882-1: Security update of suse/sle-micro/5.4/toolbox
sle-container-updates at lists.suse.com
sle-container-updates at lists.suse.com
Wed May 13 07:25:27 UTC 2026
SUSE Container Update Advisory: suse/sle-micro/5.4/toolbox
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2026:4882-1
Container Tags : suse/sle-micro/5.4/toolbox:16.3 , suse/sle-micro/5.4/toolbox:16.3-5.19.222 , suse/sle-micro/5.4/toolbox:latest
Container Release : 5.19.222
Severity : important
Type : security
References : 1216488 1221763 1222465 1229003 1232351 1234736 1238724 1240047
1240838 1241284 1244003 1244011 1244937 1245667 1246011 1246025
1246399 1246602 1246965 1248586 1249147 1249657 1250033 1250224
1250553 1251213 1251305 1252318 1252974 1253043 1254297 1254400
1254401 1254425 1254662 1254666 1254670 1254670 1254878 1254997
1255715 1255731 1255732 1255733 1255734 1255765 1256105 1256244
1256246 1256341 1256389 1256390 1256709 1256766 1256804 1256805
1256807 1256808 1256809 1256810 1256811 1256812 1256822 1256834
1256835 1256836 1256837 1256838 1256839 1256840 1257005 1257029
1257031 1257041 1257042 1257044 1257046 1257049 1257111 1257144
1257181 1257463 1257496 1257593 1257594 1257595 1258002 1258045
1258049 1258054 1258080 1258081 1258229 1258859 1259051 1259362
1259362 1259363 1259364 1259365 1259377 1259418 1259611 1259619
1259650 1259697 1259711 1259726 1259729 1259734 1259735 1259845
1259924 1259985 1259989 1260026 1260441 1260442 1260443 1260444
1260445 1261191 1261271 1261420 1261678 1261809 1261969 1261970
1262098 1262144 1262319 1262631 1262632 1262635 1262636 1262638
1262654 CVE-2025-10911 CVE-2025-11468 CVE-2025-11961 CVE-2025-12084
CVE-2025-13151 CVE-2025-13462 CVE-2025-13601 CVE-2025-13836 CVE-2025-13837
CVE-2025-14017 CVE-2025-14087 CVE-2025-14104 CVE-2025-14512 CVE-2025-14524
CVE-2025-14819 CVE-2025-15079 CVE-2025-15224 CVE-2025-15281 CVE-2025-15282
CVE-2025-15366 CVE-2025-15367 CVE-2025-45582 CVE-2025-53906 CVE-2025-6075
CVE-2025-68160 CVE-2025-68973 CVE-2025-69418 CVE-2025-69419 CVE-2025-69420
CVE-2025-69421 CVE-2025-69720 CVE-2025-70873 CVE-2025-7709 CVE-2025-7709
CVE-2025-8058 CVE-2025-8291 CVE-2026-0672 CVE-2026-0861 CVE-2026-0865
CVE-2026-0915 CVE-2026-0964 CVE-2026-0965 CVE-2026-0966 CVE-2026-0967
CVE-2026-0968 CVE-2026-0988 CVE-2026-0989 CVE-2026-0990 CVE-2026-0992
CVE-2026-1299 CVE-2026-1502 CVE-2026-1757 CVE-2026-1965 CVE-2026-1965
CVE-2026-22795 CVE-2026-22796 CVE-2026-24515 CVE-2026-25210 CVE-2026-26269
CVE-2026-27135 CVE-2026-28387 CVE-2026-28388 CVE-2026-28389 CVE-2026-28390
CVE-2026-28417 CVE-2026-29111 CVE-2026-31789 CVE-2026-31790 CVE-2026-3184
CVE-2026-32776 CVE-2026-32777 CVE-2026-32778 CVE-2026-33412 CVE-2026-3446
CVE-2026-34714 CVE-2026-3479 CVE-2026-34982 CVE-2026-35535 CVE-2026-3644
CVE-2026-3731 CVE-2026-3783 CVE-2026-3784 CVE-2026-3805 CVE-2026-4105
CVE-2026-4224 CVE-2026-4519 CVE-2026-4786 CVE-2026-4873 CVE-2026-4878
CVE-2026-5545 CVE-2026-5958 CVE-2026-6019 CVE-2026-6100 CVE-2026-6253
CVE-2026-6276 CVE-2026-6429
-----------------------------------------------------------------
The container suse/sle-micro/5.4/toolbox was updated. The following patches have been included in this update:
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2025:4362-1
Released: Thu Dec 11 11:08:27 2025
Summary: Recommended update for gcc15
Type: recommended
Severity: moderate
References: 1253043
This update for gcc15 fixes the following issues:
- Enable the use of _dl_find_object even when not available at build time. [bsc#1253043]
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:4368-1
Released: Thu Dec 11 16:12:16 2025
Summary: Security update for python3
Type: security
Severity: low
References: 1251305,1252974,CVE-2025-6075,CVE-2025-8291
This update for python3 fixes the following issues:
- CVE-2025-6075: quadratic complexity in `os.path.expandvars()` can lead to performance degradation when values passed
to it are user-controlled (bsc#1252974).
- CVE-2025-8291: lack of validity checks on the ZIP64 End of Central Directory (EOCD) record allows for the creation of
ZIP archives that are processed inconsistently by the `zipfile` module (bsc#1251305).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:4373-1
Released: Fri Dec 12 10:05:12 2025
Summary: Security update for container-suseconnect
Type: security
Severity: moderate
References:
This update for container-suseconnect rebuilds it against current go security release.
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:4504-1
Released: Mon Dec 22 17:29:14 2025
Summary: Security update for glib2
Type: security
Severity: important
References: 1254297,1254662,1254878,CVE-2025-13601,CVE-2025-14087,CVE-2025-14512
This update for glib2 fixes the following issues:
- CVE-2025-14512: integer overflow in the GIO `escape_byte_string()` function when processing malicious files or remote
filesystem attribute values can lead to denial-of-service (bsc#1254878).
- CVE-2025-14087: buffer underflow in the GVariant parser `bytestring_parse()` and `string_parse()` functions when
processing attacker-influenced data may lead to crash or code execution (bsc#1254662).
- CVE-2025-13601: heap-based buffer overflow in the `g_escape_uri_string()` function when processing strings with a
large number of unacceptable characters may lead to crash or code execution (bsc#1254297).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2026:1-1
Released: Fri Jan 2 11:23:47 2026
Summary: Recommended update for gdb
Type: recommended
Severity: moderate
References: 1216488,1221763,1238724,1240047,1240838,1250033,1251213
This update for gdb fixes the following issues:
GDB 16.3 changes:
* GDB now supports watchpoints for tagged data pointers (see
https://en.wikipedia.org/wiki/Tagged_pointer) on amd64, such
as the one used by the Linear Address Masking (LAM) feature
provided by Intel.
* Debugging support for Intel MPX has been removed. This
includes the removal of:
* MPX register support
* the commands 'show/set mpx bound' (deprecated since GDB 15)
* i386 and amd64 implementation of the hooks report_signal_info
and get_siginfo_type.
* GDB now supports printing of asynchronous events from the
Intel Processor Trace during 'record instruction-history',
'record function-call-history' and all stepping commands.
This can be controlled with the new 'set record btrace pt
event-tracing' command.
* GDB now supports printing of ptwrite payloads from the Intel
Processor Trace during 'record instruction-history', 'record
function-call-history' and all stepping commands. The payload
is also accessible in Python as a RecordAuxiliary object.
Printing is customizable via a ptwrite filter function in
Python. By default, the raw ptwrite payload is printed for
each ptwrite that is encountered.
* For breakpoints that are created in the 'pending' state, any
'thread' or 'task' keywords are parsed at the time the
breakpoint is created, rather than at the time the breakpoint
becomes non-pending.
* Thread-specific breakpoints are only inserted into the
program space in which the thread of interest is running.
In most cases program spaces are unique for each inferior,
so this means that thread-specific breakpoints will usually
only be inserted for the inferior containing the thread of
interest. The breakpoint will be hit no less than before.
* For ARM targets, the offset of the pc in the jmp_buf has
been fixed to match glibc 2.20 and later. This should only
matter when not using libc probes. This may cause breakage
when using an incompatible libc, like uclibc or newlib, or
an older glibc.
* MTE (Memory Tagging Extension) debugging is now supported on
AArch64 baremetal targets.
* In a record session, when a forward emulation reaches the end
of the reverse history, the warning message has been changed
to indicate that the end of the history has been reached. It
also specifies that the forward execution can continue, and
the recording will also continue.
* The Ada 'Object_Size attribute is now supported.
* New bash script gstack uses GDB to print stack traces of
running processes.
* Python API:
* Added gdb.record.clear. Clears the trace data of the
current recording. This forces re-decoding of the trace for
successive commands.
* Added the new event source gdb.tui_enabled.
* New module gdb.missing_objfile that facilitates dealing with
missing objfiles when opening a core-file.
* New function gdb.missing_objfile.register_handler that can
register an instance of a sub-class of
gdb.missing_debug.MissingObjfileHandler as a handler for
missing objfiles.
* New class gdb.missing_objfile.MissingObjfileHandler which
can be sub-classed to create handlers for missing objfiles.
* The 'signed' argument to gdb.Architecture.integer_type()
will no longer accept non-bool types.
* The gdb.MICommand.installed property can only be set to True
or False.
* The 'qualified' argument to gdb.Breakpoint constructor will
no longer accept non-bool types.
* Added the gdb.Symbol.is_artificial attribute.
* Debugger Adapter Protocol changes:
* The 'scopes' request will now return a scope holding global
variables from the stack frame's compilation unit.
* The 'scopes' request will return a 'returnValue' scope
holding the return value from the latest 'stepOut' command,
when appropriate.
* The 'launch' and 'attach' requests were rewritten in
accordance with some clarifications to the spec. Now they
can be sent at any time after the 'initialized' event, but
will not take effect (or send a response) until after the
'configurationDone' request has been sent.
* The 'variables' request will not return artificial symbols.
* New commands:
* show jit-reader-directory
Show the name of the directory that 'jit-reader-load' uses
for relative file names.
* set style line-number foreground COLOR
set style line-number background COLOR
set style line-number intensity VALUE
Control the styling of line numbers printed by GDB.
* set style command foreground COLOR
set style command background COLOR
set style command intensity VALUE
Control the styling of GDB commands when displayed by GDB.
* set style title foreground COLOR
set style title background COLOR
set style title intensity VALUE
This style now applies to the header line of lists, for
example the first line of the output of 'info breakpoints'.
Previous uses of this style have been replaced with the new
'command' style.
* set warn-language-frame-mismatch [on|off]
show warn-language-frame-mismatch
Control the warning that is emitted when specifying a
language that does not match the current frame's language.
* maintenance info inline-frames [ADDRESS]
New command which displays GDB's inline-frame information
for the current address, or for ADDRESS if specified. The
output identifies inlined frames which start at the
specified address.
* maintenance info blocks [ADDRESS]
New command which displays information about all of the
blocks at ADDRESS, or at the current address if ADDRESS is
not given. Blocks are listed starting at the inner global
block out to the most inner block.
* info missing-objfile-handlers
List all the registered missing-objfile handlers.
* enable missing-objfile-handler LOCUS HANDLER
disable missing-objfile-handler LOCUS HANDLER
Enable or disable a missing-objfile handler with a name
matching the regular expression HANDLER, in LOCUS. LOCUS
can be 'global' to operate on global missing-objfile
handler, 'progspace' to operate on handlers within the
current program space, or can be a regular expression which
is matched against the filename of the primary executable in
each program space.
* Changed commands:
* remove-symbol-file
This command now supports file-name completion.
* remove-symbol-file -a ADDRESS
The ADDRESS expression can now be a full expression
consisting of multiple terms, e.g. 'function + 0x1000'
(without quotes), previously only a single term could be
given.
* target core
target exec
target tfile
target ctf
compile file
maint print c-tdesc
save gdb-index
These commands now require their filename argument to be
quoted if it contains white space or quote characters. If
the argument contains no such special characters then
quoting is not required.
* maintenance print remote-registers
Add an 'Expedited' column to the output of the command. It
indicates which registers were included in the last stop
reply packet received by GDB.
* show configuration
Now includes the version of GNU Readline library that GDB is
using.
* New remote packets:
* vFile:stat
Return information about files on the remote system. Like
vFile:fstat but takes a filename rather than an open file
descriptor.
* x addr,length
Given ADDR and LENGTH, fetch LENGTH units from the memory at
address ADDR and send the fetched data in binary format.
This packet is equivalent to 'm', except that the data in
the response are in binary format.
* binary-upload in qSupported reply
If the stub sends back 'binary-upload+' in it's qSupported
reply, then GDB will, where possible, make use of the 'x'
packet. If the stub doesn't report this feature supported,
then GDB will not use the 'x' packet.
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:27-1
Released: Mon Jan 5 13:45:08 2026
Summary: Security update for python3
Type: security
Severity: moderate
References: 1254400,1254401,1254997,CVE-2025-12084,CVE-2025-13836,CVE-2025-13837
This update for python3 fixes the following issues:
- CVE-2025-12084: cpython: Fixed quadratic algorithm in xml.dom.minidom leading to denial of service (bsc#1254997)
- CVE-2025-13836: Fixed default Content-Lenght read amount from HTTP response (bsc#1254400)
- CVE-2025-13837: Fixed plistlib module denial of service (bsc#1254401)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:214-1
Released: Thu Jan 22 13:09:26 2026
Summary: Security update for gpg2
Type: security
Severity: important
References: 1255715,1256244,1256246,1256390,CVE-2025-68973
This update for gpg2 fixes the following issues:
- CVE-2025-68973: Fix possible memory corruption in the armor parser (gpg.fail/memcpy)(bsc#1255715).
- Avoid potential downgrade to SHA1 in 3rd party key signatures (gpg.fail/sha1) (bsc#1256246).
- Error out on unverified output for non-detached signatures (gpg.fail/detached) (bsc#1256244).
- Fix Cleartext Signature Forgery in the NotDashEscaped header implementation in GnuPG (gpg.fail/notdash) (bsc#1256390).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:224-1
Released: Thu Jan 22 13:18:20 2026
Summary: Security update for libtasn1
Type: security
Severity: moderate
References: 1256341,CVE-2025-13151
This update for libtasn1 fixes the following issues:
- CVE-2025-13151: stack-based buffer overflow in `asn1_expend_octet_string` (bsc#1256341).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:319-1
Released: Wed Jan 28 15:39:29 2026
Summary: Security update for container-suseconnect
Type: security
Severity: important
References:
This update for container-suseconnect rebuilds it against the current GO security release.
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:360-1
Released: Mon Feb 2 10:55:33 2026
Summary: Security update for openssl-1_1
Type: security
Severity: moderate
References: 1256834,1256835,1256836,1256837,1256838,1256839,1256840,CVE-2025-68160,CVE-2025-69418,CVE-2025-69419,CVE-2025-69420,CVE-2025-69421,CVE-2026-22795,CVE-2026-22796
This update for openssl-1_1 fixes the following issues:
- CVE-2026-22795: Missing ASN1_TYPE validation in PKCS#12 parsing (bsc#1256839).
- CVE-2025-69420: Missing ASN1_TYPE validation in TS_RESP_verify_response() function (bsc#1256837).
- CVE-2025-69421: NULL Pointer Dereference in PKCS12_item_decrypt_d2i_ex function (bsc#1256838).
- CVE-2026-22796: ASN1_TYPE Type Confusion in the PKCS7_digest_from_attributes() function (bsc#1256840).
- CVE-2025-68160: Heap out-of-bounds write in BIO_f_linebuffer on short writes (bsc#1256834).
- CVE-2025-69418: Unauthenticated/unencrypted trailing bytes with low-level OCB function calls (bsc#1256835).
- CVE-2025-69419: Out of bounds write in PKCS12_get_friendlyname() UTF-8 conversion (bsc#1256836).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:432-1
Released: Wed Feb 11 10:11:56 2026
Summary: Security update for sqlite3
Type: security
Severity: moderate
References: 1248586,1254670,CVE-2025-7709
This update for sqlite3 fixes the following issues:
- Update to v3.51.2:
- CVE-2025-7709: Fixed an integer overflow in the FTS5 extension. (bsc#1254670)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:458-1
Released: Thu Feb 12 00:28:37 2026
Summary: Security update for glib2
Type: security
Severity: important
References: 1257049,CVE-2026-0988
This update for glib2 fixes the following issues:
- CVE-2026-1485: Fixed buffer underflow and out-of-bounds access due to integer wraparound in content type parsing (bsc#1257354).
- CVE-2026-1484: Fixed buffer underflow and out-of-bounds access due to miscalculated buffer boundaries in the Base64 encoding routine (bsc#1257355).
- CVE-2026-1489: Fixed undersized heap allocation followed by out-of-bounds access due to integer overflow in Unicode case conversion (bsc#1257353).
- CVE-2026-0988: Fixed a potential integer overflow in g_buffered_input_stream_peek (bsc#1257049).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2026:463-1
Released: Thu Feb 12 08:40:25 2026
Summary: Recommended update for supportutils
Type: recommended
Severity: important
References: 1232351,1241284,1244003,1244011,1244937,1245667,1246011,1246025,1249657,1250224,1252318,1254425,1256709
This update for supportutils fixes the following issues:
- scplugin.rc is restored in package 3.2.12.1 for continued compatibility (bsc#1256709)
- Changes to version 3.2.12:
* Optimized lsof usage and honors OPTION_OFILES (bsc#1232351)
* Run in containers without errors (bsc#1245667)
* Removed pmap PID from memory.txt (bsc#1246011)
* Added missing /proc/pagetypeinfo to memory.txt (bsc#1246025)
* Improved database perforce with kGraft patching (bsc#1249657)
* Using last boot for journalctl for optimization (bsc#1250224)
* Fixed extraction failures (bsc#1252318)
* Update supportconfig.conf path in docs (bsc#1254425)
* drm_sub_info: Catch error when dir doesn't exist
* Replace remaining `egrep` with `grep -E`
* Add process affinity to slert logs
* Reintroduce cgroup statistics (and v2)
* Minor changes to basic-health-check: improve information level
* Collect important machine health counters
* powerpc: collect hot-pluggable PCI and PHB slots
* podman: collect podman disk usage
* Exclude binary files in crondir
* kexec/kdump: collect everything under /sys/kernel/kexec dir
* Use short-iso for journalctl
- Changes to version 3.2.11:
* Collect rsyslog frule files (bsc#1244003)
* Remove proxy passwords (bsc#1244011)
* Missing NetworkManager information (bsc#1241284)
* Include agama logs bsc#1244937)
* Additional NFS conf files
* New fadump sysfs files
* Fixed change log dates
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2026:493-1
Released: Fri Feb 13 10:48:54 2026
Summary: Recommended update for container-suseconnect
Type: recommended
Severity: important
References:
This update for container-suseconnect fixes the following issues:
Update to version 2.5.6::
* Change the version logic
* Fix FIPS environment variable in CI
* Test in fips mode
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:508-1
Released: Fri Feb 13 15:50:21 2026
Summary: Security update for curl
Type: security
Severity: moderate
References: 1255731,1255732,1255733,1255734,1256105,CVE-2025-14017,CVE-2025-14524,CVE-2025-14819,CVE-2025-15079,CVE-2025-15224
This update for curl fixes the following issues:
- CVE-2025-14017: Fixed broken TLS options for threaded LDAPS (bsc#1256105).
- CVE-2025-14524: bearer token leak on cross-protocol redirect (bsc#1255731).
- CVE-2025-14819: libssh global knownhost override (bsc#1255732).
- CVE-2025-15079: libssh key passphrase bypass without agent set (bsc#1255733).
- CVE-2025-15224: OpenSSL partial chain store policy bypass (bsc#1255734).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:510-1
Released: Fri Feb 13 15:52:36 2026
Summary: Security update for util-linux
Type: security
Severity: moderate
References: 1254666,CVE-2025-14104
This update for util-linux fixes the following issues:
- CVE-2025-14104: Fixed heap buffer overread in setpwnam() when processing 256-byte usernames (bsc#1254666).
- lscpu: Add support for NVIDIA Olympus arm64 core (jsc#PED-13682).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:575-1
Released: Wed Feb 18 10:10:36 2026
Summary: Security update for libpcap
Type: security
Severity: low
References: 1255765,CVE-2025-11961
This update for libpcap fixes the following issues:
- CVE-2025-11961: missing validation of provided MAC-48 address string in `pcap_ether_aton()` can lead to out-of-bounds
read and write (bsc#1255765).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:606-1
Released: Tue Feb 24 12:19:29 2026
Summary: Security update for libxml2
Type: security
Severity: moderate
References: 1250553,1256804,1256805,1256807,1256808,1256809,1256810,1256811,1256812,1257593,1257594,1257595,CVE-2025-10911,CVE-2026-0989,CVE-2026-0990,CVE-2026-0992,CVE-2026-1757
This update for libxml2 fixes the following issues:
- CVE-2026-0990: Fixed a call stack overflow leading to application crash due to infinite recursion in `xmlCatalogXMLResolveURI`. (bsc#1256807, bsc#1256811)
- CVE-2026-0992: Fixed an excessive resource consumption when processing XML catalogs due to exponential behavior. (bsc#1256809, bsc#1256812)
- CVE-2026-1757: Fixed a memory leak in the `xmllint` interactive shell. (bsc#1257594, bsc#1257595)
- CVE-2025-10911: Fixed a use-after-free with key data stored cross-RVT. (bsc#1250553)
- CVE-2026-0989: Fixe a call stack exhaustion leading to application crash due to RelaxNG parser not limiting the recursion depth. (bsc#1256805, bsc#1256810)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:664-1
Released: Thu Feb 26 16:15:04 2026
Summary: Security update for python3
Type: security
Severity: important
References: 1257029,1257031,1257041,1257042,1257044,1257046,CVE-2025-11468,CVE-2025-15282,CVE-2025-15366,CVE-2025-15367,CVE-2026-0672,CVE-2026-0865
This update for python3 fixes the following issues:
- CVE-2025-11468: header injection when folding a long comment in an email header containing exclusively unfoldable
characters (bsc#1257029).
- CVE-2026-0672: HTTP header injection via user-controlled cookie values and parameters when using http.cookies.Morsel
(bsc#1257031).
- CVE-2026-0865: user-controlled header containing newlines can allow injecting HTTP headers (bsc#1257042).
- CVE-2025-15366: user-controlled command can allow additional commands injected using newlines (bsc#1257044).
- CVE-2025-15282: user-controlled data URLs parsed may allow injecting headers (bsc#1257046).
- CVE-2025-15367: control characters may allow the injection of additional commands (bsc#1257041).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:694-1
Released: Fri Feb 27 16:14:32 2026
Summary: Security update for gpg2
Type: security
Severity: moderate
References: 1256389
This update for gpg2 fixes the following issues:
Security fix:
- Fixed GnuPG accepting Path Separators and Path Traversals
in Literal Data (bsc#1256389)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2026:791-1
Released: Tue Mar 3 16:59:33 2026
Summary: Recommended update for gcc15
Type: recommended
Severity: moderate
References: 1257463
This update for gcc15 fixes the following issues:
- Fix bogus expression simplification (bsc#1257463)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:826-1
Released: Thu Mar 5 16:16:29 2026
Summary: Security update for expat
Type: security
Severity: moderate
References: 1257144,1257496,CVE-2026-24515,CVE-2026-25210
This update for expat fixes the following issues:
- CVE-2026-24515: Fixed a null dereference in XML_ExternalEntityParserCreate. (bsc#1257144)
- CVE-2026-25210: Fixed an integer overflow in doContent. (bsc#1257496)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:896-1
Released: Fri Mar 13 16:25:07 2026
Summary: Security update for glibc
Type: security
Severity: important
References: 1246965,1256766,1256822,1257005,CVE-2025-15281,CVE-2025-8058,CVE-2026-0861,CVE-2026-0915
This update for glibc fixes the following issues:
- CVE-2026-0861: memalign: reinstate alignment overflow check (bsc#1256766)
- CVE-2026-0915: resolv: Fix NSS DNS backend for getnetbyaddr (bsc#1256822)
- CVE-2025-15281: posix: Reset wordexp_t fields with WRDE_REUSE (bsc#1257005)
- CVE-2025-8058: posix: Fix double-free after allocation failure in regcomp (bsc#1246965)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:909-1
Released: Tue Mar 17 18:34:08 2026
Summary: Security update for container-suseconnect
Type: security
Severity: important
References:
This update for container-suseconnect rebuilds it against the current go 1.25 security release.
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:911-1
Released: Tue Mar 17 20:56:12 2026
Summary: Security update for curl
Type: security
Severity: important
References: 1259362,1259363,1259364,1259365,CVE-2026-1965,CVE-2026-3783,CVE-2026-3784,CVE-2026-3805
This update for curl fixes the following issues:
- CVE-2026-1965: bad reuse of HTTP Negotiate connection (bsc#1259362).
- CVE-2026-3783: token leak with redirect and netrc (bsc#1259363).
- CVE-2026-3784: wrong proxy connection reuse with credentials (bsc#1259364).
- CVE-2026-3805: use after free in SMB connection reuse (bsc#1259365).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2026:912-1
Released: Wed Mar 18 07:19:42 2026
Summary: Recommended update for ca-certificates-mozilla
Type: recommended
Severity: moderate
References: 1229003,1258002
This update for ca-certificates-mozilla fixes the following issues:
- test for a concretely missing certificate rather than
just the directory, as the latter is now also provided by openssl-3
- Re-create java-cacerts with SOURCE_DATE_EPOCH set
for reproducible builds (bsc#1229003)
- Also mark /usr/share/factory/var/lib/ca-certificates/ as writable by the user
during install: allow rpm to properly execute %clean when completed.
- Create /var/lib/ca-certificates during build to ensure rpm gives
the %ghost'ed directory proper mode attributes.
- Updated to 2.84 state (bsc#1258002)
* Removed:
+ Baltimore CyberTrust Root
+ CommScope Public Trust ECC Root-01
+ CommScope Public Trust ECC Root-02
+ CommScope Public Trust RSA Root-01
+ CommScope Public Trust RSA Root-02
+ DigiNotar Root CA
* Added:
+ e-Szigno TLS Root CA 2023
+ OISTE Client Root ECC G1
+ OISTE Client Root RSA G1
+ OISTE Server Root ECC G1
+ OISTE Server Root RSA G1
+ SwissSign RSA SMIME Root CA 2022 - 1
+ SwissSign RSA TLS Root CA 2022 - 1
+ TrustAsia SMIME ECC Root CA
+ TrustAsia SMIME RSA Root CA
+ TrustAsia TLS ECC Root CA
+ TrustAsia TLS RSA Root CA
- reenable the distrusted certs again. the distrust is only for certs
issued after the distrust date, not for all certs of a CA.
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:982-1
Released: Mon Mar 23 17:48:23 2026
Summary: Security update for util-linux
Type: security
Severity: moderate
References: 1258859,CVE-2026-3184
This update for util-linux fixes the following issues:
- CVE-2026-3184: Fix full hostname usage for PAM to ensure correct access control for 'login -h' (bsc#1258859).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:1061-1
Released: Thu Mar 26 11:35:08 2026
Summary: Security update for systemd
Type: security
Severity: important
References: 1259418,1259650,1259697,CVE-2026-29111,CVE-2026-4105
This update for systemd fixes the following issues:
- CVE-2026-4105: privilege escalation due to improper access control in RegisterMachine D-Bus method (bsc#1259650).
- CVE-2026-29111: local unprivileged user can trigger an assert in systemd (bsc#1259418).
- udev: check for invalid chars in various fields received from the kernel (bsc#1259697).
Changelog:
- 6a38d88a42 machined: reject invalid class types when registering machines
- 8c9a592e5a udev: fix review mixup
- b57007a917 udev-builtin-net-id: print cescaped bad attributes
- ee23c7604b udev-builtin-net_id: do not assume the current interface name is ethX
- 0f63e799e6 udev: ensure tag parsing stays within bounds
- 046f52ec12 udev: ensure there is space for trailing NUL before calling sprintf
- 5be21460ce udev: check for invalid chars in various fields received from the kernel
- 9559607b16 core/cgroup: avoid one unnecessary strjoina()
- fcae348ca4 core: validate input cgroup path more prudently
- a3ca6b3031 alloc-util: add strdupa_safe() + strndupa_safe() and use it everywhere
- 08125d6b06 units: add dep on systemd-logind.service by user at .service
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:1065-1
Released: Thu Mar 26 11:38:12 2026
Summary: Security update for sqlite3
Type: security
Severity: moderate
References: 1254670,1259619,CVE-2025-70873,CVE-2025-7709
This update for sqlite3 fixes the following issues:
Update sqlite3 to 3.51.3:
- CVE-2025-7709: Integer Overflow in FTS5 Extension (bsc#1254670).
- CVE-2025-70873: SQLite zipfile extension may disclose uninitialized heap memory during inflation (bsc#1259619).
Changelog:
* Fix the WAL-reset database corruption bug:
https://sqlite.org/wal.html#walresetbug
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:1090-1
Released: Thu Mar 26 18:44:54 2026
Summary: Security update for python3
Type: security
Severity: important
References: 1257181,CVE-2026-1299
This update for python3 fixes the following issues:
- CVE-2026-1299: header injection when an email is serialized due to improper newline quoting in BytesGenerator (bsc#1257181).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:1095-1
Released: Thu Mar 26 19:05:08 2026
Summary: Security update for vim
Type: security
Severity: moderate
References: 1246602,1258229,1259051,CVE-2025-53906,CVE-2026-26269,CVE-2026-28417
This update for vim fixes the following issues:
Update Vim to version 9.2.0110:
- CVE-2025-53906: malicious zip archive may cause a path traversal in Vim's zip (bsc#1246602).
- CVE-2026-26269: Netbeans specialKeys stack buffer overflow (bsc#1258229).
- CVE-2026-28417: crafted URL parsed by netrw plugin can lead to execute arbitrary shell commands (bsc#1259051).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:1166-1
Released: Thu Apr 2 03:08:04 2026
Summary: Security update for expat
Type: security
Severity: important
References: 1259711,1259726,1259729,CVE-2026-32776,CVE-2026-32777,CVE-2026-32778
This update for expat fixes the following issues:
- CVE-2026-32776: NULL pointer dereference when processing empty external parameter entities inside an entity
declaration value (bsc#1259726).
- CVE-2026-32777: denial of service due to infinite loop in DTD content parsing (bsc#1259711).
- CVE-2026-32778: NULL pointer dereference in `setContext` on retry after an out-of-memory condition (bsc#1259729).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:1177-1
Released: Thu Apr 2 17:00:30 2026
Summary: Security update for tar
Type: security
Severity: important
References: 1246399,CVE-2025-45582
This update for tar fixes the following issue:
- CVE-2025-45582: file overwrite via directory traversal in crafted TAR archives (bsc#1246399).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:1247-1
Released: Fri Apr 10 12:34:39 2026
Summary: Security update for nghttp2
Type: security
Severity: important
References: 1259845,CVE-2026-27135
This update for nghttp2 fixes the following issue:
- CVE-2026-27135: assertion failure due to missing state validation can lead to DoS (bsc#1259845).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:1257-1
Released: Fri Apr 10 16:59:14 2026
Summary: Security update for openssl-1_1
Type: security
Severity: important
References: 1260441,1260442,1260443,1260444,1260445,CVE-2026-28387,CVE-2026-28388,CVE-2026-28389,CVE-2026-31789,CVE-2026-31790
This update for openssl-1_1 fixes the following issues:
- CVE-2026-28387: Potential use-after-free in DANE client code (bsc#1260441).
- CVE-2026-28388: NULL Pointer Dereference When Processing a Delta CRL (bsc#1260442).
- CVE-2026-28389: Possible NULL dereference when processing CMS KeyAgreeRecipientInfo (bsc#1260443).
- CVE-2026-31789: Heap buffer overflow in hexadecimal conversion (bsc#1260444).
- CVE-2026-31790: Incorrect failure handling in RSA KEM RSASVE encapsulation (bsc#1260445).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:1309-1
Released: Tue Apr 14 12:39:22 2026
Summary: Security update for sudo
Type: security
Severity: important
References: 1261420,CVE-2026-35535
This update for sudo fixes the following issue:
- CVE-2026-35535: Fixed potential privilege escalation when running the mailer (bsc#1261420).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2026:1357-1
Released: Wed Apr 15 15:44:21 2026
Summary: Recommended update for gdb
Type: recommended
Severity: important
References: 1249147,1257111
This update for gdb fixes the following issues:
- Testsuite fixes:
* Add proc subst_vars, an alias of subst -nobackslashes -nocommands
* gdb/testsuite: Fix printf regexp for ppc64le with glibc
* gdb/testsuite: Fix another timeout in gdb.mi/mi-multi-commands.exp
* gdb/testsuite: Remove guile 'test byte at sp, before flush' test
* gdb: Fix gdb.base/inline-frame-cycle-unwind.exp for s390x
- Re-enable ptype /o for flexible array member types (bsc#1249147):
* gdb: Minor refactoring of is_dynamic_type_internal
* gdb: Simplify is_dynamic_type_internal by factoring out is_dynamic_type_internal_1,
leaving only the handling of the top_level parameter in is_dynamic_type_internal.
* gdb: Enable ptype /o for some dynamic types
- Fix TUI crash when encountering a debuginfod query while entering TUI
* gdb: Simplify debuginfod_is_enabled
* gdb: Add debuginfod_enabled_ask_p
* gdb: Add defaulted_query_auto_answers_p
* gdb/tui: Don't enter TUI if debuginfod enabled == ask
- Fix a case on x86_64/-m32 where displaced stepping steps out of the displaced stepping buffer
* gdb/tdep: Fix unrelocated pc in i386_displaced_step_fixup
- Fix generation of core files using gcore for glibc 2.42
* gcore: Handle unreadable pages within readable memory regions
* gcore: Query auxv for AT_PAGESZ in gcore_copy_callback
- Maintenance script qa.sh cleanup:
* Remove kfail_s390 and kfail_sle11.
* Remove gdb.reverse/{solib-precsave,solib-reverse}.exp kfail.
* Remove gdb.base/gdb-rhbz1156192-recursive-dlopen.exp kfail.
- Fix slow symbol lookup with dwz-compressed debuginfo (bsc#1257111):
* gdb/symtab: Fix slow symbol lookup with dwz
- Fix failure to list source file with dwz-compressed debuginfo (brc#2403580):
* fix rhbz2403580 - misplaced symtabs due to dwz
* gdb: Test for misplaced symtab causing file not found
* gdb/testsuite: Add missing require in gdb.debuginfod/solib-with-dwz.exp
* gdb/testsuite: Launch debuginfod without -vvvv
- Fix slow symbol table reading with dwz-compressed debuginfo:
* gdb/symtab: Cache dw2_get_file_names result for dummy CU
- Fix heap-use-after-free, reported by TSAN:
* gdb/symtab: Handle zero opcode_base in line number program header
- Fix backtrace through signal trampoline on s390x:
* gdb/tdep: Fix gdb.base/siginfo.exp on s390x-linux
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:1387-1
Released: Thu Apr 16 11:17:48 2026
Summary: Security update for vim
Type: security
Severity: important
References: 1259985,1261191,1261271,CVE-2026-33412,CVE-2026-34714,CVE-2026-34982
This update for vim fixes the following issues:
Update to version 9.2.0280.
- CVE-2026-34982: missing input validation allows for a modeline sandbox bypass and can lead to arbitrary OS command
execution (bsc#1261271).
- CVE-2026-34714: missing checks allow for a `tabpanel` modeline escape and can lead to arbitrary OS command execution
(bsc#1261191).
- CVE-2026-33412: improper escaping of newline characters allows for command injection in `glob` and can lead to
arbitrary code execution (bsc#1259985).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:1432-1
Released: Fri Apr 17 12:12:08 2026
Summary: Security update for libcap
Type: security
Severity: important
References: 1261809,CVE-2026-4878
This update for libcap fixes the following issue:
- CVE-2026-4878: Address a potential TOCTOU race condition in cap_set_file() (bsc#1261809).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:1484-1
Released: Mon Apr 20 15:34:51 2026
Summary: Security update for container-suseconnect
Type: security
Severity: important
References:
This update for container-suseconnect rebuilds it against the current go 1.25 security release.
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:1510-1
Released: Tue Apr 21 08:28:12 2026
Summary: Security update for ncurses
Type: security
Severity: moderate
References: 1259924,CVE-2025-69720
This update for ncurses fixes the following issue:
- CVE-2025-69720: buffer overflow in function `analyze_string()`of `progs/infocmp.c` (bsc#1259924).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:1562-1
Released: Thu Apr 23 09:05:52 2026
Summary: Security update for openssl-1_1
Type: security
Severity: moderate
References: 1261678,CVE-2026-28390
This update for openssl-1_1 fixes the following issues:
- CVE-2026-28390: NULL pointer dereference during processing of a crafted CMS EnvelopedData message with
KeyTransportRecipientInfo (bsc#1261678).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:1565-1
Released: Thu Apr 23 09:08:29 2026
Summary: Security update for libssh
Type: security
Severity: moderate
References: 1258045,1258049,1258054,1258080,1258081,1259377,CVE-2026-0964,CVE-2026-0965,CVE-2026-0966,CVE-2026-0967,CVE-2026-0968,CVE-2026-3731
This update for libssh fixes the following issues:
- CVE-2026-0964: improper sanitation of paths received from SCP servers can cause path traversal (bsc#1258049).
- CVE-2026-0965: possible denial of service when parsing unexpected configuration files (bsc#1258045).
- CVE-2026-0966: buffer underflow in ssh_get_hexa() on invalid input (bsc#1258054).
- CVE-2026-0967: specially crafted patterns could cause denial of service (bsc#1258081).
- CVE-2026-0968: malformed SFTP message can lead to out of bound read (bsc#1258080).
- CVE-2026-3731: denial of service via out-of-bounds read in SFTP extension name handler (bsc#1259377).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:1659-1
Released: Wed Apr 29 13:09:06 2026
Summary: Security update for sed
Type: security
Severity: moderate
References: 1262144,CVE-2026-5958
This update for sed fixes the following issues:
- CVE-2026-5958: TOCTOU race allows write of user-controlled content to unintended files and can lead to arbitrary file
overwrite (bsc#1262144).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2026:1665-1
Released: Thu Apr 30 16:53:18 2026
Summary: Recommended update for util-linux
Type: recommended
Severity: moderate
References: 1222465,1234736
This update for util-linux fixes the following issues:
- Recognize fuse 'portal' as a virtual file system (bsc#1234736).
- fdisk: Fix possible partition overlay and data corruption if EBR gap is missing (bsc#1222465).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:1715-1
Released: Wed May 6 14:09:30 2026
Summary: Security update for python3
Type: security
Severity: important
References: 1259611,1259734,1259735,1259989,1260026,1261969,1261970,1262098,1262319,1262654,CVE-2025-13462,CVE-2026-1502,CVE-2026-3446,CVE-2026-3479,CVE-2026-3644,CVE-2026-4224,CVE-2026-4519,CVE-2026-4786,CVE-2026-6019,CVE-2026-6100
This update for python3 fixes the following issues:
- CVE-2025-13462: incorrect parsing of TarInfo when GNU long name and type AREGTYPE are combined can lead to
misinterpretation of tar archives (bsc#1259611).
- CVE-2026-1502: HTTP client proxy tunnel headers not validated for CR/LF (bsc#1261969).
- CVE-2026-3446: base64 decoding stops at first padded quad by default and ignores other information that could be
processed (bsc#1261970).
- CVE-2026-3479: improper resource argument validation in `pkgutil.get_data()` can lead to path traversal (bsc#1259989).
- CVE-2026-3644: incomplete control character validation in http.cookies can lead to input validation bypass
(bsc#1259734).
- CVE-2026-4224: parsing XML with deeply nested DTD content models can lead to C stack overflow (bsc#1259735).
- CVE-2026-4519: failure to sanitize leading dashes in URLs in the `webbrowser.open()` API can lead to web browser
command line option injection (bsc#1260026).
- CVE-2026-4786: URLs prefixed with `%action` can pass the dash-prefix safety check and allow for command injection
(bsc#1262319).
- CVE-2026-6019: `BaseCookie.js_output()` does not neutralize characters in cookie values embedded in JS (bsc#1262654).
- CVE-2026-6100: use-after-free in `lzma.LZMADecompressor`, `bz2.BZ2Decompressor`, and `gzip.GzipFile` when process is
under memory pressure(bsc#1262098).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:1717-1
Released: Wed May 6 14:13:17 2026
Summary: Security update for curl
Type: security
Severity: important
References: 1259362,1262631,1262632,1262635,1262636,1262638,CVE-2026-1965,CVE-2026-4873,CVE-2026-5545,CVE-2026-6253,CVE-2026-6276,CVE-2026-6429
This update for curl fixes the following issues:
Security issues fixed:
- CVE-2026-4873: connection reuse ignores TLS requirement (bsc#1262631).
- CVE-2026-5545: wrong reuse of HTTP Negotiate connection (bsc#1262632).
- CVE-2026-6253: proxy credentials leak over redirect-to proxy (bsc#1262635).
- CVE-2026-6276: stale custom cookie host causes cookie leak (bsc#1262636).
- CVE-2026-6429: netrc credential leak with reused proxy connection (bsc#1262638).
Other updates and bugfixes:
- sws: prevent 'connection monitor' to say disconnect twice (bsc#1259362).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2026:1814-1
Released: Mon May 11 17:16:51 2026
Summary: Recommended update for suse-build-key
Type: recommended
Severity: moderate
References:
This update for suse-build-key fixes the following issues:
- Import all keys if they are not yet in the RPM db.
- Added post quantum cryptographic keys for SLES 15 and SLES 16:
* build-pqc-15.pem
* build-pqc-16.pem
The following package changes have been done:
- ca-certificates-mozilla-2.84-150200.44.1 updated
- container-suseconnect-2.5.6-150000.4.84.1 updated
- curl-8.14.1-150400.5.83.1 updated
- gdb-16.3-150400.15.29.1 updated
- glibc-locale-base-2.31-150300.98.1 updated
- glibc-locale-2.31-150300.98.1 updated
- glibc-2.31-150300.98.1 updated
- gpg2-2.2.27-150300.3.19.1 updated
- libblkid1-2.37.2-150400.8.44.1 updated
- libcap-progs-2.63-150400.3.6.1 updated
- libcap2-2.63-150400.3.6.1 updated
- libcurl4-8.14.1-150400.5.83.1 updated
- libexpat1-2.7.1-150400.3.37.1 updated
- libfdisk1-2.37.2-150400.8.44.1 updated
- libgcc_s1-15.2.0+git10201-150000.1.9.1 updated
- libglib-2_0-0-2.70.5-150400.3.34.1 updated
- libgmodule-2_0-0-2.70.5-150400.3.34.1 updated
- libmount1-2.37.2-150400.8.44.1 updated
- libncurses6-6.1-150000.5.33.1 updated
- libnghttp2-14-1.40.0-150200.22.1 updated
- libopenssl1_1-hmac-1.1.1l-150400.7.93.1 updated
- libopenssl1_1-1.1.1l-150400.7.93.1 updated
- libpcap1-1.10.1-150400.3.9.1 updated
- libpython3_6m1_0-3.6.15-150300.10.118.1 updated
- libsmartcols1-2.37.2-150400.8.44.1 updated
- libsource-highlight4-3.1.9-150000.3.9.1 updated
- libsqlite3-0-3.51.3-150000.3.39.1 updated
- libssh-config-0.9.8-150400.3.17.1 updated
- libssh4-0.9.8-150400.3.17.1 updated
- libstdc++6-15.2.0+git10201-150000.1.9.1 updated
- libsystemd0-249.17-150400.8.55.1 updated
- libtasn1-6-4.13-150000.4.14.1 updated
- libtasn1-4.13-150000.4.14.1 updated
- libudev1-249.17-150400.8.55.1 updated
- libuuid1-2.37.2-150400.8.44.1 updated
- libxml2-2-2.9.14-150400.5.55.1 updated
- ncurses-utils-6.1-150000.5.33.1 updated
- openssl-1_1-1.1.1l-150400.7.93.1 updated
- python3-base-3.6.15-150300.10.118.1 updated
- python3-rpm-4.14.3-150400.59.16.1 added
- sed-4.4-150300.13.6.1 updated
- sudo-1.9.9-150400.4.42.1 updated
- supportutils-3.2.12.1-150300.7.35.39.1 updated
- suse-build-key-12.0-150000.8.64.1 updated
- tar-1.34-150000.3.37.1 updated
- terminfo-base-6.1-150000.5.33.1 updated
- util-linux-2.37.2-150400.8.44.1 updated
- vim-data-common-9.2.0280-150000.5.89.1 updated
- vim-9.2.0280-150000.5.89.1 updated
- iproute2-5.14-150400.3.3.1 removed
- libmnl0-1.0.4-1.25 removed
- libxtables12-1.8.7-1.1 removed
More information about the sle-container-updates
mailing list