SUSE-IU-2026:3686-1: Security update of sles-15-sp6-chost-byos-v20260518-arm64
sle-container-updates at lists.suse.com
Sat May 23 07:03:29 UTC 2026
SUSE Image Update Advisory: sles-15-sp6-chost-byos-v20260518-arm64
-----------------------------------------------------------------
Image Advisory ID : SUSE-IU-2026:3686-1
Image Tags : sles-15-sp6-chost-byos-v20260518-arm64:20260518
Image Release :
Severity : critical
Type : security
References : 1082318 1094836 1098360 1133233 1144060 1171566 1176006 1180165
1181400 1181869 1182850 1184124 1185897 1187536 1189139 1191422
1194735 1198323 1199026 1203823 1205502 1206627 1207266 1214806
1221622 1221941 1222465 1225307 1225811 1226413 1226591 1228081
1228490 1229003 1229997 1230861 1233265 1233563 1234736 1234842
1236818 1238591 1239439 1239625 1239637 1240789 1240871 1241002
1241345 1241437 1241474 1242696 1242909 1243055 1243195 1243443
1243443 1244449 1244550 1245569 1245728 1246052 1246184 1246399
1246447 1246505 1246602 1247030 1247432 1247712 1247850 1247858
1248097 1248211 1248356 1248586 1248600 1249307 1249385 1249998
1250032 1250082 1250553 1250553 1250553 1250705 1250748 1250754
1251135 1251186 1251966 1251971 1251979 1252073 1252266 1252511
1252712 1252900 1252911 1252924 1253049 1253060 1253087 1253122
1253223 1253451 1253679 1254202 1254264 1254293 1254299 1254306
1254324 1254378 1254447 1254465 1254510 1254541 1254563 1254670
1254670 1254767 1254842 1254845 1254992 1255084 1255377 1255401
1256389 1256427 1256455 1256528 1256564 1256609 1256610 1256612
1256616 1256617 1256623 1256641 1256645 1256664 1256665 1256682
1256690 1256716 1256726 1256728 1256759 1256779 1256792 1256807
1256808 1256809 1256811 1256812 1256906 1257029 1257031 1257041
1257042 1257044 1257046 1257144 1257154 1257158 1257181 1257231
1257232 1257235 1257236 1257296 1257332 1257396 1257463 1257466
1257472 1257473 1257473 1257490 1257496 1257506 1257593 1257594
1257595 1257603 1257625 1257667 1257732 1257735 1257749 1257773
1257790 1257825 1257891 1257952 1257960 1258002 1258020 1258022
1258045 1258049 1258054 1258080 1258081 1258083 1258181 1258229
1258265 1258311 1258319 1258338 1258340 1258376 1258377 1258392
1258395 1258406 1258424 1258464 1258518 1258524 1258720 1258730
1258832 1258849 1258850 1258859 1258928 1259051 1259070 1259090
1259188 1259204 1259247 1259248 1259362 1259362 1259363 1259364
1259365 1259377 1259418 1259441 1259461 1259543 1259580 1259611
1259619 1259650 1259697 1259707 1259711 1259726 1259729 1259734
1259735 1259797 1259825 1259845 1259857 1259924 1259985 1259989
1259998 1260005 1260009 1260026 1260078 1260082 1260347 1260441
1260441 1260442 1260442 1260443 1260443 1260444 1260444 1260445
1260471 1260486 1260562 1260730 1260754 1260755 1260805 1261155
1261191 1261271 1261412 1261420 1261427 1261430 1261498 1261678
1261678 1261809 1261833 1261957 1261969 1261970 1262098 1262144
1262319 1262573 1262631 1262632 1262635 1262636 1262638 1262654
1264013 1264449 1264450 1265209 1265308 916845 CVE-2013-4235
CVE-2021-45417 CVE-2023-40403 CVE-2023-4641 CVE-2023-53714 CVE-2023-53817
CVE-2024-2312 CVE-2024-38542 CVE-2024-42103 CVE-2024-53070 CVE-2024-53149
CVE-2024-55549 CVE-2024-58251 CVE-2025-10911 CVE-2025-10911 CVE-2025-10911
CVE-2025-11468 CVE-2025-11731 CVE-2025-12801 CVE-2025-13462 CVE-2025-14831
CVE-2025-15282 CVE-2025-15366 CVE-2025-15367 CVE-2025-22047 CVE-2025-24855
CVE-2025-37813 CVE-2025-37861 CVE-2025-38243 CVE-2025-38322 CVE-2025-38379
CVE-2025-38539 CVE-2025-39689 CVE-2025-39813 CVE-2025-39817 CVE-2025-39829
CVE-2025-39913 CVE-2025-39964 CVE-2025-39998 CVE-2025-40097 CVE-2025-40099
CVE-2025-40103 CVE-2025-40202 CVE-2025-40253 CVE-2025-40257 CVE-2025-40259
CVE-2025-45582 CVE-2025-53906 CVE-2025-54518 CVE-2025-68284 CVE-2025-68285
CVE-2025-68775 CVE-2025-68804 CVE-2025-68808 CVE-2025-68813 CVE-2025-68819
CVE-2025-69720 CVE-2025-70873 CVE-2025-71066 CVE-2025-71078 CVE-2025-71081
CVE-2025-71083 CVE-2025-71085 CVE-2025-71089 CVE-2025-71111 CVE-2025-71112
CVE-2025-71113 CVE-2025-71120 CVE-2025-71136 CVE-2025-71147 CVE-2025-71231
CVE-2025-7709 CVE-2025-7709 CVE-2025-8732 CVE-2025-9403 CVE-2026-0672
CVE-2026-0865 CVE-2026-0964 CVE-2026-0965 CVE-2026-0966 CVE-2026-0967
CVE-2026-0968 CVE-2026-0990 CVE-2026-0992 CVE-2026-1299 CVE-2026-1502
CVE-2026-1519 CVE-2026-1757 CVE-2026-1965 CVE-2026-1965 CVE-2026-22999
CVE-2026-23001 CVE-2026-23004 CVE-2026-23010 CVE-2026-23054 CVE-2026-23060
CVE-2026-23074 CVE-2026-23089 CVE-2026-23103 CVE-2026-23111 CVE-2026-23141
CVE-2026-23157 CVE-2026-23191 CVE-2026-23202 CVE-2026-23204 CVE-2026-23207
CVE-2026-23209 CVE-2026-23214 CVE-2026-23231 CVE-2026-23243 CVE-2026-23268
CVE-2026-23269 CVE-2026-23272 CVE-2026-23274 CVE-2026-23278 CVE-2026-23293
CVE-2026-23317 CVE-2026-23381 CVE-2026-23398 CVE-2026-23412 CVE-2026-23413
CVE-2026-23554 CVE-2026-23555 CVE-2026-24401 CVE-2026-24515 CVE-2026-24882
CVE-2026-25210 CVE-2026-25646 CVE-2026-26269 CVE-2026-27135 CVE-2026-27171
CVE-2026-28387 CVE-2026-28387 CVE-2026-28388 CVE-2026-28388 CVE-2026-28389
CVE-2026-28389 CVE-2026-28390 CVE-2026-28390 CVE-2026-28417 CVE-2026-29111
CVE-2026-31431 CVE-2026-31788 CVE-2026-31789 CVE-2026-31789 CVE-2026-31790
CVE-2026-3184 CVE-2026-32776 CVE-2026-32777 CVE-2026-32778 CVE-2026-33412
CVE-2026-33416 CVE-2026-33636 CVE-2026-3446 CVE-2026-34714 CVE-2026-34757
CVE-2026-3479 CVE-2026-34982 CVE-2026-35385 CVE-2026-35414 CVE-2026-35535
CVE-2026-3644 CVE-2026-3731 CVE-2026-3783 CVE-2026-3784 CVE-2026-3805
CVE-2026-39881 CVE-2026-4105 CVE-2026-4224 CVE-2026-43284 CVE-2026-43500
CVE-2026-4437 CVE-2026-4438 CVE-2026-4519 CVE-2026-46300 CVE-2026-46333
CVE-2026-4786 CVE-2026-4873 CVE-2026-4878 CVE-2026-5545 CVE-2026-5958
CVE-2026-6019 CVE-2026-6100 CVE-2026-6253 CVE-2026-6276 CVE-2026-6429
-----------------------------------------------------------------
The container sles-15-sp6-chost-byos-v20260518-arm64 was updated. The following patches have been included in this update:
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:2193-1
Released: Wed Oct 10 13:20:50 2018
Summary: Recommended update for dialog
Type: recommended
Severity: moderate
References: 1094836
This update for dialog fixes the following issues:
- Fixes a bug where scrolling is not possible (bsc#1094836)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:2116-1
Released: Tue Aug 13 07:43:01 2019
Summary: Recommended update for aide
Type: recommended
Severity: moderate
References: 1098360
This update for aide fixes the following issues:
- Remove not available gcrypt algorithm 7 DB_HAVAL (bsc#1098360).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:2080-1
Released: Wed Jul 29 20:09:09 2020
Summary: Recommended update for libtool
Type: recommended
Severity: moderate
References: 1171566
This update for libtool provides the missing libltdl 32bit library. (bsc#1171566)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:130-1
Released: Thu Jan 14 13:08:01 2021
Summary: Recommended update for aide
Type: recommended
Severity: moderate
References: 1180165
This update for aide fixes the following issue:
- Add a `syslog_format` to Advanced Intrusion Detection Environment (AIDE). (bsc#1180165)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:2179-1
Released: Mon Jun 28 17:36:37 2021
Summary: Recommended update for thin-provisioning-tools
Type: recommended
Severity: moderate
References: 1184124
This update for thin-provisioning-tools fixes the following issues:
- Link as position-independent executable (bsc#1184124)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:2895-1
Released: Tue Aug 31 19:40:32 2021
Summary: Recommended update for unixODBC
Type: recommended
Severity: moderate
References:
This update for unixODBC fixes the following issues:
- ECO: Update unixODBC to 2.3.9 in SLE 15. (jsc#SLE-18004)
- Fix incorrect permission for documentation files.
- Update requires and baselibs for new libodbc2.
- Employ shared library packaging guideline: new subpackage libodbc2.
- Update to 2.3.9:
* Remove '#define UNIXODBC_SOURCE' from unixodbc_conf.h
- Update to 2.3.8:
* Add configure support for editline
* SQLDriversW was ignoring user config
* SQLDataSources Fix termination character
* Fix for pooling seg fault
* Make calling SQLSetStmtAttrW call the W function in the driver if it's there
* Try and fix race condition clearing system odbc.ini file
* Remove trailing space from isql/iusql SQL
* When setting connection attributes set before connect also check if the W entry points can be used
* Try calling the W error functions first if available in the driver
* Add iconvperdriver configure option to allow calling unicode_setup in SQLAllocHandle
* iconv handles was being lost when reusing pooled connection
* Catch null copy in iniPropertyInsert
* Fix a few leaks
- Update to 2.3.7:
* Fix for pkg-config file update on non-Linux platforms
* Add W entry for GUI work
* Various fixes for SQLBrowseConnect/W, SQLGetConnectAttr/W, and SQLSetConnectAttr/W
* Fix buffer overflows in SQLConnect/W and refine behaviour of SQLGet/WritePrivateProfileString
* SQLBrowseConnect/W allow disconnecting a started browse session after error
* Add --with-stats-ftok-name configure option to allow the selection of a file name
used to generate the IPC id when collecting stats. Default is the system odbc.ini file
* Improve diag record handling with the behavior of Windows DM and export SQLCancelHandle
* bug fix when SQLGetPrivateProfileString() is called to get a list of sections or a list of keys
* Connection pooling: Fix liveness check for Unicode drivers
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:3959-1
Released: Mon Dec 6 19:54:32 2021
Summary: Recommended update for aide
Type: recommended
Severity: moderate
References: 1191422
This update for aide fixes the following issues:
- Fix issue with Libgcrypt FIPS mode and AIDE by disabling MD5 in FIPS mode (bsc#1191422)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2022:150-1
Released: Fri Jan 21 11:24:43 2022
Summary: Security update for aide
Type: security
Severity: important
References: 1194735,CVE-2021-45417
This update for aide fixes the following issues:
- CVE-2021-45417: Fix a buffer overflow in base64 functions (bsc#1194735)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:1342-1
Released: Thu Apr 18 16:35:47 2024
Summary: Recommended update for unixODBC, libtool and libssh2_org
Type: recommended
Severity: moderate
References: 1221622,1221941
This update for unixODBC, libtool and libssh2_org fixes the following issues:
- Ship 2 additional 32bit packages: unixODBC-32bit and libssh2-1-32bit for SLES (bsc#1221941).
- Fix an issue with Encrypt-then-MAC family. (bsc#1221622)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:2404-1
Released: Thu Jul 11 09:31:42 2024
Summary: Recommended update for mdadm
Type: recommended
Severity: moderate
References: 1225307
This update for mdadm fixes the following issues:
- util.c: change devnm to const in mdmon functions (bsc#1225307)
- Wait for mdmon when it is started via systemd (bsc#1225307)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:3480-1
Released: Fri Sep 27 15:35:46 2024
Summary: Recommended update for mdadm
Type: recommended
Severity: moderate
References: 1226413
This update for mdadm fixes the following issues:
- Detail: remove duplicated code (bsc#1226413).
- mdadm: Fix native --detail --export (bsc#1226413).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2025:500-1
Released: Thu Feb 13 09:26:54 2025
Summary: Recommended update for mdadm
Type: recommended
Severity: moderate
References: 1233265
This update for mdadm fixes the following issue:
- mdopen: add /sbin to PATH when call system('modprobe md_mod') (bsc#1233265).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2025:1047-1
Released: Thu Mar 27 18:56:36 2025
Summary: Recommended update for branding-SLE
Type: recommended
Severity: moderate
References: 1236818
This update for branding-SLE fixes the following issue:
- Update plymouth theme to fix splash screen element placement issue (bsc#1236818).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:1125-1
Released: Thu Apr 3 13:49:28 2025
Summary: Security update for libxslt
Type: security
Severity: important
References: 1238591,1239625,1239637,CVE-2023-40403,CVE-2024-55549,CVE-2025-24855
This update for libxslt fixes the following issues:
- CVE-2023-40403: Fixed sensitive information disclosure during processing web content (bsc#1238591)
- CVE-2024-55549: Fixed use-after-free in xsltGetInheritedNsList (bsc#1239637)
- CVE-2025-24855: Fixed use-after-free in numbers.c (bsc#1239625)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2025:2247-1
Released: Tue Jul 8 10:59:37 2025
Summary: Recommended update for mdadm
Type: recommended
Severity: moderate
References: 1240789,1241474,1242696
This update for mdadm fixes the following issues:
- Add MAILFROM address to email envelope to avoid smtp auth errors (bsc#1241474).
- Allow any valid minor name in md device name (bsc#1240789).
- Add dependency on suse-module-tools for SLE15 (bsc#1242696).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:3875-1
Released: Thu Oct 30 16:26:57 2025
Summary: Security update for libxslt
Type: security
Severity: important
References: 1250553,1251979,CVE-2025-10911,CVE-2025-11731
This update for libxslt fixes the following issues:
- CVE-2025-11731: fixed a type confusion in exsltFuncResultComp function leading to denial of service (bsc#1251979)
- CVE-2025-10911: last fix caused a regression, patch was temporarily disabled (bsc#1250553)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2025:3968-1
Released: Thu Nov 6 11:58:36 2025
Summary: Recommended update for libaio
Type: recommended
Severity: moderate
References: 1082318,1133233,1181869,1243195
This update for libaio fixes the following issues:
libaio was updated to 0.3.113 (jsc#PED-13433):
* Fix struct io_iocb_vector padding for 32bit architectures
* struct io_iocb_sockaddr padding for 32bit architectures
* Verify structure padding is correct at build time
* harness: add test for aio poll missed events
* Various patches for architectures/etc
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2025:4113-1
Released: Mon Nov 17 04:11:18 2025
Summary: Recommended update for python-kiwi
Type: recommended
Severity: critical
References: 1250754
This update for python-kiwi contains the following fix:
- Fixed transition from `python3-kiwi` to the successor `python311-kiwi` when using `zypper patch` (bsc#1250754)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2025:4430-1
Released: Wed Dec 17 13:03:53 2025
Summary: Recommended update for mdadm
Type: recommended
Severity: moderate
References: 1207266,1229997,1243443,1248097,1253060
This update for mdadm fixes the following issues:
- Update to version 4.3+33.g22c212a5.
- Fixing race conditions between mdcheck_start and mdcheck_continue services
(bsc#1243443, bsc#1248097).
- Fixing broken monitoring for mdadm in Leap 15.6 (bsc#1229997).
- Fixing systemd unit file handling in spec file (bsc#1207266).
- Upstream bug fixes since 4.4 (bsc#1253060).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2026:407-1
Released: Mon Feb 9 07:43:45 2026
Summary: Recommended update for systemd
Type: recommended
Severity: important
References: 1228081,1244449,1248356,1254202,1254293,1254563,1256427
This update for systemd fixes the following issues:
- Name libsystemd-{shared,core} based on the major version of systemd and
the package release number (bsc#1228081, bsc#1256427)
This way, both the old and new versions of the shared libraries will be
present during the update. This should prevent issues during package updates
when incompatible changes are introduced in the new versions of the shared libraries.
- detect-virt: bare-metal GCE only for x86 and i386 (bsc#1254293)
- timer: rebase last_trigger timestamp if needed
- timer: rebase the next elapse timestamp only if timer didn't already run
- timer: don't run service immediately after restart of a timer (bsc#1254563)
- test: check the next elapse timer timestamp after deserialization
- test: restarting elapsed timer shouldn't trigger the corresponding service
- Reintroduce systemd-network as a transitional dummy package containing no files (bsc#1254202)
The contents of this package were split into two independent packages:
systemd-networkd and systemd-resolved. However, the initial replacement caused
both network services to be disabled. Consequently, the original package has
been restored as an empty transitional package to prevent the disabling of the services.
It can be safely removed once the update is complete.
- units: don't force the loading of the loop and dm_mod modules in systemd-repart.service (bsc#1248356)
- units: add dep on systemd-logind.service by user@.service
- detect-virt: add bare-metal support for GCE (bsc#1244449)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:432-1
Released: Wed Feb 11 10:11:56 2026
Summary: Security update for sqlite3
Type: security
Severity: moderate
References: 1248586,1254670,CVE-2025-7709
This update for sqlite3 fixes the following issues:
- Update to v3.51.2:
- CVE-2025-7709: Fixed an integer overflow in the FTS5 extension. (bsc#1254670)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:434-1
Released: Wed Feb 11 10:23:18 2026
Summary: Security update for gpg2
Type: security
Severity: important
References: 1256389,1257396,CVE-2026-24882
This update for gpg2 fixes the following issues:
Security fixes:
- CVE-2026-24882: Fixed stack-based buffer overflow in TPM2
PKDECRYPT for TPM-backed RSA and ECC keys (bsc#1257396)
- Fixed GnuPG accepting Path Separators and Path Traversals in Literal
Data 'Filename' Field (bsc#1256389)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2026:462-1
Released: Thu Feb 12 08:38:20 2026
Summary: Recommended update for google-guest-configs
Type: recommended
Severity: important
References: 1198323,1256906
This update for google-guest-configs fixes the following issues:
- Update to version 20260116.00 (bsc#1256906)
* set_multiqueue: Only set XPS on 'multinic accelerator platforms'
- Update to version 20260112.00
* Make c4x a 'multinic accelerator platform'
* set_multiqueue xps: stop assuming 2 numa nodes
* Add IDPF irq setting; improve a4x-max performance
* Allow test injection of the root directory and metadata server endpoint
* add nic naming support for connextx VF in baremetal
* bugfix for idpf only rename got skipped.
* add a4x-max to google_set_multiqueue is_multinic_accelerator_platform
* remove unnecessary link up and down
* fix inconsistent NIC index between smart NICs and GPU NICs.
- Mark %{_modprobedir}/gce-blacklist.conf as %config(noreplace) (bsc#1198323)
- Update to version 20251014.00
- Update to version 20250913.00
* Swap guest-config rule from checking the build VM OS to taking in a variable for target version
- from version 20250826.00
* Moved tx/rx IRQ logging after assignment
* Fix core assignment in set_irq_range
* Correct IRQ tx/rx affinity core assignment
- Update to version 20250807.00
* Avoid duplicate entries for the metadata server in /etc/hosts
- Update to version 20250709.00
* Add comments in scripts to document the behavior in google hostname setting.
* Always use primary NIC IP for NetworkManager dispatcher hook.
- from version 20250626.00
* Fix spelling error: 'explicilty' to 'explicitly'
- Update to version 20250605.00
* Added comment to the bitmap conversion functions
* Remove IRQ affinity overwrite to XPS affinity
* Update XPS affinity to assign the remaining unassigned CPUs
to the last queue when populating the last queue
* Fix set_xps_affinity to correctly parse cpus array
* Update XPS CPU assignment logic
* Update CPU assignment algorithm in XPS affinity
* Remove commented code
* Update XPS affinity vCPU distribution algorithm s.t. the vCPUs assigned
to a queue are on the same core - fixed IRQ affinity on NUMA1 not using
the correct bind_cores_index
* Fixed NUMA comparison error in set_xps_affinity
* Update XPS affinity setup to be NUMA aware and support 64 bit CPU mask calculation
- from version 20250604.00
* Bug fix: bind_cores_begin to bind_cores_index
* Name smart NICs in lexicographic order
- Run %postun to modify %{_sysconfdir}/sysconfig/network/ifcfg-eth0
during uninstall only to avoid removal of POST_UP_SCRIPT on upgrade
- Update to version 20250516.00
* Remove unused fset
* Remove unused lines
* Update google_set_multiqueue to unpack IRQ ranges before core assignment
- Update to version 20250501.00
* Configure local domain as route only domain to support cloud dns local
domain but avoid adding it to the search path.
- from version 20250409.00
* Change RDMA test condition to ensure renaming race conditions can be detected.
- from version 20250328.00
* Revert 'Include systemd-networkd hook in Ubuntu packaging'
- from version 20250326.00
* Update google_set_multiqueue to check pnic_ids
- from version 20250221.00
* Make google_set_multiqueue aware A4X is multinic_accelerator_platform
- from version 20250207.00
* Update google_set_multiqueue to adapt A4 platform
* Merge branch 'GoogleCloudPlatform:master' into master
* Fix IS_A3_PLATFORM syntax
* Correct IS_A3_PLATFORM to save is_a3_platform results
* Remove excess empty line.
* Store is_a3_platform results into a global variable to avoid redundant curl calls
* Skip tx affinity binding on non-gvnic interfaces only on A3 platforms.
* Update comments for get_vcpu_ranges_on_accelerator_platform to reflect the expected vcpu ranges
* rename get_vcpu_ranges to get_vcpu_ranges_on_accelerator_platform
* Avoid IRQ binding on vCPU 0
* Fix returned value for get_vcpu_ranges
* Update get_vcpu_ranges to read from sys file instead of hardcoded value
* Update google_set_multiqueue to set vCPU ranges based on platform
* Add comment for handling IRQ binding on non-gvnic devices
* Update is_gvnic to include gvnic driver checks
* revert removed echo lines
* Update google_set_multiqueue to skip set_irq if nic is not a gvnic device.
* Update google_set_multiqueue to enable on A3Ultra family
- from version 20250124.00
* Fix missing files. This is a no-op.
* Also force virtio_scsi
- from version 20250116.00
* Add GPL-2 to licensing information
- from version 20250107.00
* Restore IDPF devices for renaming rules
- from version 20241213.00
* Remove Pat from owners file
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2026:465-1
Released: Thu Feb 12 10:53:02 2026
Summary: Recommended update for mdadm
Type: recommended
Severity: important
References: 1254541
This update for mdadm fixes the following issues:
- Update to version 4.3+34.g1edf7b5d:
* super1.c: fix crash with homehost=none (bsc#1254541)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:471-1
Released: Thu Feb 12 12:25:43 2026
Summary: Security update for the Linux Kernel
Type: security
Severity: important
References: 1228490,1233563,1234842,1241437,1242909,1246184,1246447,1247030,1247712,1248211,1249307,1250032,1250082,1250705,1250748,1252511,1252712,1252900,1253087,1253451,1254378,1254447,1254465,1254510,1254767,1254842,1254845,1255377,1255401,1256528,1256609,1256610,1256612,1256616,1256617,1256623,1256641,1256664,1256665,1256682,1256726,1256728,1256759,1256779,1256792,1257154,1257158,1257232,1257236,1257296,1257332,1257473,1257603,CVE-2023-53714,CVE-2024-42103,CVE-2024-53070,CVE-2024-53149,CVE-2025-22047,CVE-2025-37813,CVE-2025-38243,CVE-2025-38322,CVE-2025-38379,CVE-2025-38539,CVE-2025-39689,CVE-2025-39813,CVE-2025-39829,CVE-2025-39913,CVE-2025-40097,CVE-2025-40202,CVE-2025-40257,CVE-2025-40259,CVE-2025-68284,CVE-2025-68285,CVE-2025-68775,CVE-2025-68804,CVE-2025-68808,CVE-2025-68813,CVE-2025-68819,CVE-2025-71078,CVE-2025-71081,CVE-2025-71083,CVE-2025-71085,CVE-2025-71089,CVE-2025-71111,CVE-2025-71112,CVE-2025-71120,CVE-2025-71136,CVE-2025-71147,CVE-2026-22999,CVE-2026-23001,CVE-2026-23010
The SUSE Linux Enterprise 15 SP6 kernel was updated to fix various security issues.
The following security issues were fixed:
- CVE-2025-40257: mptcp: fix a race in mptcp_pm_del_add_timer() (bsc#1254842).
- CVE-2025-40259: scsi: sg: Do not sleep in atomic context (bsc#1254845).
- CVE-2025-68284: libceph: prevent potential out-of-bounds writes in handle_auth_session_key() (bsc#1255377).
- CVE-2025-68285: libceph: fix potential use-after-free in have_mon_and_osd_map() (bsc#1255401).
- CVE-2025-68775: net/handshake: duplicate handshake cancellations leak socket (bsc#1256665).
- CVE-2025-68813: ipvs: fix ipv4 null-ptr-deref in route error path (bsc#1256641).
- CVE-2025-71085: ipv6: BUG() in pskb_expand_head() as part of calipso_skbuff_setattr() (bsc#1256623).
- CVE-2025-71089: iommu: disable SVA when CONFIG_X86 is set (bsc#1256612).
- CVE-2025-71112: net: hns3: add VLAN id validation before using (bsc#1256726).
- CVE-2025-71120: SUNRPC: svcauth_gss: avoid NULL deref on zero length gss_token in gss_read_proxy_verf (bsc#1256779).
- CVE-2026-22999: net/sched: sch_qfq: do not free existing class in qfq_change_class() (bsc#1257236).
- CVE-2026-23001: macvlan: fix possible UAF in macvlan_forward_source() (bsc#1257232).
- CVE-2026-23010: ipv6: Fix use-after-free in inet6_addr_del() (bsc#1257332).
The following non security issues were fixed:
- bpf/selftests: test_select_reuseport_kern: Remove unused header (bsc#1257603).
- btrfs: do not strictly require dirty metadata threshold for metadata writepages (stable-fixes).
- cifs: Fix copy offload to flush destination region (bsc#1252511).
- cifs: Fix flushing, invalidation and file size with copy_file_range() (bsc#1252511).
- cifs: add new field to track the last access time of cfid (git-fixes).
- ext4: use optimized mballoc scanning regardless of inode format (bsc#1254378).
- ice: use netif_get_num_default_rss_queues() (bsc#1247712).
- mm, page_alloc, thp: prevent reclaim for __GFP_THISNODE THP allocations (bsc#1253087).
- net: hv_netvsc: reject RSS hash key programming without RX indirection table (bsc#1257473).
- net: tcp: allow zero-window ACK update the window (bsc#1254767).
- sched: Increase sched_tick_remote timeout (bsc#1254510).
- scsi: storvsc: Process unsupported MODE_SENSE_10 (bsc#1257296).
- smb: change return type of cached_dir_lease_break() to bool (git-fixes).
- smb: client: ensure open_cached_dir_by_dentry() only returns valid cfid (git-fixes).
- smb: client: remove unused fid_lock (git-fixes).
- smb: client: short-circuit in open_cached_dir_by_dentry() if !dentry (git-fixes).
- smb: client: split cached_fid bitfields to avoid shared-byte RMW races (bsc#1250748).
- smb: client: update cfid->last_access_time in open_cached_dir_by_dentry() (git-fixes).
- smb: improve directory cache reuse for readdir operations (bsc#1252712).
- x86: make page fault handling disable interrupts properly (git-fixes).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2026:485-1
Released: Thu Feb 12 19:45:39 2026
Summary: Recommended update for suse-module-tools
Type: recommended
Severity: important
References: 1253679,1254264
This update for suse-module-tools fixes the following issues:
- Update to version 15.6.14:
* 80-hotplug-cpu-mem.rules: remount tmpfs on 'online' uevents (bsc#1254264)
* udev: use systemd service to remount tmpfs (bsc#1253679)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:570-1
Released: Tue Feb 17 17:38:47 2026
Summary: Security update for libxml2
Type: security
Severity: moderate
References: 1247850,1247858,1250553,1256807,1256808,1256809,1256811,1256812,1257593,1257594,1257595,CVE-2025-10911,CVE-2025-8732,CVE-2026-0990,CVE-2026-0992,CVE-2026-1757
This update for libxml2 fixes the following issues:
- CVE-2026-0990: Fixed a call stack overflow leading to application crash due to infinite recursion in `xmlCatalogXMLResolveURI`. (bsc#1256807, bsc#1256811)
- CVE-2026-0992: Fixed an excessive resource consumption when processing XML catalogs due to exponential behavior. (bsc#1256809, bsc#1256812)
- CVE-2026-1757: Fixed a memory leak in the `xmllint` interactive shell. (bsc#1257594, bsc#1257595)
- CVE-2025-10911: Fixed a use-after-free with key data stored cross-RVT. (bsc#1250553)
- CVE-2025-8732: Fixed an infinite recursion in catalog parsing functions when processing malformed SGML catalog files. (bsc#1247858)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:597-1
Released: Mon Feb 23 16:58:08 2026
Summary: Security update for libpng16
Type: security
Severity: important
References: 1258020,CVE-2026-25646
This update for libpng16 fixes the following issues:
- CVE-2026-25646: heap buffer overflow vulnerability in png_set_dither/png_set_quantize (bsc#1258020).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2026:637-1
Released: Wed Feb 25 13:13:52 2026
Summary: Recommended update for grub2
Type: recommended
Severity: important
References: 1254299,1258022
This update for grub2 fixes the following issues:
- Backport upstream's commit to prevent BIOS assert (bsc#1258022)
- Fix error 'grub-core/script/lexer.c:352:out of memory' after PowerPC CAS Reboot (bsc#1254299)
* Fix PowerPC CAS reboot to evaluate menu context
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:664-1
Released: Thu Feb 26 16:15:04 2026
Summary: Security update for python3
Type: security
Severity: important
References: 1257029,1257031,1257041,1257042,1257044,1257046,CVE-2025-11468,CVE-2025-15282,CVE-2025-15366,CVE-2025-15367,CVE-2026-0672,CVE-2026-0865
This update for python3 fixes the following issues:
- CVE-2025-11468: header injection when folding a long comment in an email header containing exclusively unfoldable
characters (bsc#1257029).
- CVE-2026-0672: HTTP header injection via user-controlled cookie values and parameters when using http.cookies.Morsel
(bsc#1257031).
- CVE-2026-0865: user-controlled header containing newlines can allow injecting HTTP headers (bsc#1257042).
- CVE-2025-15366: user-controlled command can allow additional commands injected using newlines (bsc#1257044).
- CVE-2025-15282: user-controlled data URLs parsed may allow injecting headers (bsc#1257046).
- CVE-2025-15367: control characters may allow the injection of additional commands (bsc#1257041).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2026:676-1
Released: Fri Feb 27 09:44:00 2026
Summary: Recommended update for makedumpfile
Type: recommended
Severity: important
References: 1245569,1256455
This update for makedumpfile fixes the following issues:
- Fix a data race in multi-threading mode (--num-threads=N) (bsc#1245569, bsc#1256455).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:741-1
Released: Mon Mar 2 09:11:04 2026
Summary: Security update for shim
Type: security
Severity: moderate
References: 1240871,1247432,CVE-2024-2312
This update for shim fixes the following issues:
shim is updated to version 16.1:
- shim_start_image(): fix guid/handle pairing when uninstalling protocols
- Fix uncompressed ipv6 netboot
- fix test segfaults caused by uninitialized memory
- SbatLevel_Variable.txt: minor typo fix.
- Realloc() needs to allocate one more byte for sprintf()
- IPv6: Add more check to avoid multiple double colon and illegal char
- Loader proto v2
- loader-protocol: add workaround for EDK2 2025.02 page fault on FreePages
- Generate Authenticode for the entire PE file
- README: mention new loader protocol and interaction with UKIs
- shim: change automatically enable MOK_POLICY_REQUIRE_NX
- Save var info
- add SbatLevel entry 2025051000 for PSA-2025-00012-1
- Coverity fixes 20250804
- fix http boot
- Fix double free and leak in the loader protocol
shim is updated to version 16.0:
- Validate that a supplied vendor cert is not in PEM format
- sbat: Add grub.peimage,2 to latest (CVE-2024-2312)
- sbat: Also bump latest for grub,4 (and to todays date)
- undo change that limits certificate files to a single file
- shim: don't set second_stage to the empty string
- Fix SBAT.md for today's consensus about numbers
- Update Code of Conduct contact address
- make-certs: Handle missing OpenSSL installation
- Update MokVars.txt
- export DEFINES for sub makefile
- Drop unused EFI_IMAGE_SECURITY_DATABASE_GUID definition
- Null-terminate 'arguments' in fallback
- Fix 'Verifiying' typo in error message
- Update Fedora CI targets
- Force gcc to produce DWARF4 so that gdb can use it
- Minor housekeeping 2024121700
- Discard load-options that start with WINDOWS
- Fix the issue that the gBS->LoadImage pointer was empty.
- shim: Allow data after the end of device path node in load options
- Handle network file not found like disks
- Update gnu-efi submodule for EFI_HTTP_ERROR
- Increase EFI file alignment
- avoid EFIv2 runtime services on Apple x86 machines
- Improve shortcut performance when comparing two boolean expressions
- Provide better error message when MokManager is not found
- tpm: Boot with a warning if the event log is full
- MokManager: remove redundant logical constraints
- Test import_mok_state() when MokListRT would be bigger than available size
- test-mok-mirror: minor bug fix
- Fix file system browser hang when enrolling MOK from disk
- Ignore a minor clang-tidy nit
- Allow fallback to default loader when encountering errors on network boot
- test.mk: don't use a temporary random.bin
- pe: Enhance debug report for update_mem_attrs
- Multiple certificate handling improvements
- Generate SbatLevel Metadata from SbatLevel_Variable.txt
- Apply EKU check with compile option
- Add configuration option to boot an alternative 2nd stage
- Loader protocol (with Device Path resolution support)
- netboot cleanup for additional files
- Document how revocations can be delivered
- post-process-pe: add tests to validate NX compliance
- regression: CopyMem() in ad8692e copies out of bounds
- Save the debug and error logs in mok-variables
- Add features for the Host Security ID program
- Mirror some more efi variables to mok-variables
- This adds DXE Services measurements to HSI and uses them for NX
- Add shim's current NX_COMPAT status to HSIStatus
- README.tpm: reflect that vendor_db is in fact logged as 'vendor_db'
- Reject HTTP message with duplicate Content-Length header fields
- Disable log saving
- fallback: don't add new boot order entries backwards
- README.tpm: Update MokList entry to MokListRT
- SBAT Level update for February 2025 GRUB CVEs
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:779-1
Released: Tue Mar 3 14:25:07 2026
Summary: Security update for libssh
Type: security
Severity: moderate
References: 1258045,1258049,1258054,1258080,1258081,CVE-2026-0964,CVE-2026-0965,CVE-2026-0966,CVE-2026-0967,CVE-2026-0968
This update for libssh fixes the following issues:
- CVE-2026-0964: improper sanitization of paths received from SCP servers can cause path traversal (bsc#1258049).
- CVE-2026-0965: possible denial of service when parsing unexpected configuration files (bsc#1258045).
- CVE-2026-0966: buffer underflow in ssh_get_hexa() on invalid input (bsc#1258054).
- CVE-2026-0967: specially crafted patterns could cause denial of service (bsc#1258081).
- CVE-2026-0968: malformed SFTP message can lead to out of bound read (bsc#1258080).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:783-1
Released: Tue Mar 3 14:36:14 2026
Summary: Security update for zlib
Type: security
Severity: moderate
References: 1258392,CVE-2026-27171
This update for zlib fixes the following issue:
- CVE-2026-27171: Fixed infinite loop via the `crc32_combine64` and `crc32_combine_gen64` functions due to missing
checks for negative lengths (bsc#1258392).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2026:791-1
Released: Tue Mar 3 16:59:33 2026
Summary: Recommended update for gcc15
Type: recommended
Severity: moderate
References: 1257463
This update for gcc15 fixes the following issues:
- Fix bogus expression simplification (bsc#1257463)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:801-1
Released: Wed Mar 4 13:33:26 2026
Summary: Security update for libxslt
Type: security
Severity: moderate
References: 1250553,CVE-2025-10911
This update for libxslt fixes the following issues:
- CVE-2025-10911: use-after-free will be fixed on libxml2 side instead (bsc#1250553).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:803-1
Released: Wed Mar 4 13:57:07 2026
Summary: Security update for util-linux
Type: security
Severity: moderate
References: 1258859,CVE-2026-3184
This update for util-linux fixes the following issues:
- CVE-2026-3184: Fix full hostname usage for PAM to ensure correct access control for 'login -h' (bsc#1258859).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:826-1
Released: Thu Mar 5 16:16:29 2026
Summary: Security update for expat
Type: security
Severity: moderate
References: 1257144,1257496,CVE-2026-24515,CVE-2026-25210
This update for expat fixes the following issues:
- CVE-2026-24515: Fixed a null dereference in XML_ExternalEntityParserCreate. (bsc#1257144)
- CVE-2026-25210: Fixed an integer overflow in doContent. (bsc#1257496)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:829-1
Released: Thu Mar 5 16:17:08 2026
Summary: Security update for gnutls
Type: security
Severity: moderate
References: 1257960,1258083,CVE-2025-14831
This update for gnutls fixes the following issues:
Security issue:
- CVE-2025-14831: excessive resource consumption when verifying specially crafted malicious certificates containing a
large number of name constraints and subject alternative names (bsc#1257960).
Other updates and bugfixes:
- update libgnutls package to avoid binder getting calculated with SHA256 (bsc#1258083, jsc#PED-15752, jsc#PED-15753).
- lib/psk: Add gnutls_psk_allocate_{client,server}_credentials2
- tests/psk-file: Add testing for _credentials2 functions
- lib/psk: add null check for binder algo
- pre_shared_key: fix memleak when retrying with different binder algo
- pre_shared_key: add null check on pskcred
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2026:837-1
Released: Fri Mar 6 08:30:05 2026
Summary: Recommended update for syslogd
Type: recommended
Severity: moderate
References:
This update for syslogd fixes the following issues:
- Drop last sysvinit Requirement/Provide (jsc#PED-13698)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2026:844-1
Released: Fri Mar 6 16:45:31 2026
Summary: Recommended update for glibc
Type: recommended
Severity: moderate
References: 1258319
This update for glibc fixes the following issues:
- nss: Missing checks in __nss_configure_lookup, __nss_database_get (bsc#1258319, BZ #28940)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2026:863-1
Released: Wed Mar 11 13:41:48 2026
Summary: Recommended update for openldap2
Type: recommended
Severity: moderate
References:
This update for openldap2 fixes the following issues:
- expose ldap_log.h in -devel (jsc#PED-15735)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:885-1
Released: Thu Mar 12 15:50:16 2026
Summary: Security update for curl
Type: security
Severity: important
References: 1259362,1259363,1259364,1259365,CVE-2026-1965,CVE-2026-3783,CVE-2026-3784,CVE-2026-3805
This update for curl fixes the following issues:
- CVE-2026-1965: bad reuse of HTTP Negotiate connection (bsc#1259362).
- CVE-2026-3783: token leak with redirect and netrc (bsc#1259363).
- CVE-2026-3784: wrong proxy connection reuse with credentials (bsc#1259364).
- CVE-2026-3805: use after free in SMB connection reuse (bsc#1259365).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:908-1
Released: Tue Mar 17 17:32:39 2026
Summary: Security update for xen
Type: security
Severity: important
References: 1259247,1259248,CVE-2026-23554,CVE-2026-23555
This update for xen fixes the following issues:
- CVE-2026-23554: xen: Use after free of paging structures in EPT (bsc#1259247, XSA-480)
- CVE-2026-23555: xen: Xenstored DoS by unprivileged domain (bsc#1259248, XSA-481)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:910-1
Released: Tue Mar 17 20:34:12 2026
Summary: Security update for vim
Type: security
Severity: moderate
References: 1246602,1258229,1259051,CVE-2025-53906,CVE-2026-26269,CVE-2026-28417
This update for vim fixes the following issues:
Update Vim to version 9.2.0110:
- CVE-2025-53906: malicious zip archive may cause a path traversal in Vim's zip (bsc#1246602).
- CVE-2026-26269: Netbeans specialKeys stack buffer overflow (bsc#1258229).
- CVE-2026-28417: crafted URL parsed by netrw plugin can lead to execute arbitrary shell commands (bsc#1259051).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2026:912-1
Released: Wed Mar 18 07:19:42 2026
Summary: Recommended update for ca-certificates-mozilla
Type: recommended
Severity: moderate
References: 1229003,1258002
This update for ca-certificates-mozilla fixes the following issues:
- test for a concretely missing certificate rather than
just the directory, as the latter is now also provided by openssl-3
- Re-create java-cacerts with SOURCE_DATE_EPOCH set
for reproducible builds (bsc#1229003)
- Also mark /usr/share/factory/var/lib/ca-certificates/ as writable by the user
during install: allow rpm to properly execute %clean when completed.
- Create /var/lib/ca-certificates during build to ensure rpm gives
the %ghost'ed directory proper mode attributes.
- Updated to 2.84 state (bsc#1258002)
* Removed:
+ Baltimore CyberTrust Root
+ CommScope Public Trust ECC Root-01
+ CommScope Public Trust ECC Root-02
+ CommScope Public Trust RSA Root-01
+ CommScope Public Trust RSA Root-02
+ DigiNotar Root CA
* Added:
+ e-Szigno TLS Root CA 2023
+ OISTE Client Root ECC G1
+ OISTE Client Root RSA G1
+ OISTE Server Root ECC G1
+ OISTE Server Root RSA G1
+ SwissSign RSA SMIME Root CA 2022 - 1
+ SwissSign RSA TLS Root CA 2022 - 1
+ TrustAsia SMIME ECC Root CA
+ TrustAsia SMIME RSA Root CA
+ TrustAsia TLS ECC Root CA
+ TrustAsia TLS RSA Root CA
- Re-enable the distrusted certs. The distrust applies only to certs
issued after the distrust date, not to all certs of a CA.
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:931-1
Released: Thu Mar 19 09:23:14 2026
Summary: Security update for jq
Type: security
Severity: low
References: 1248600,CVE-2025-9403
This update for jq fixes the following issue:
- CVE-2025-9403: test suite assertion failure in JSON parsing consistency validation (bsc#1248600).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:949-1
Released: Fri Mar 20 19:08:19 2026
Summary: Security update for runc
Type: security
Severity: important
References:
This update for runc rebuilds it against the current go 1.25 security release.
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:1040-1
Released: Wed Mar 25 13:43:08 2026
Summary: Security update for systemd
Type: security
Severity: important
References: 1259418,1259650,1259697,CVE-2026-29111,CVE-2026-4105
This update for systemd fixes the following issues:
- CVE-2026-4105: privilege escalation due to improper access control in RegisterMachine D-Bus method (bsc#1259650).
- CVE-2026-29111: local unprivileged user can trigger an assert in systemd (bsc#1259418).
- udev: check for invalid chars in various fields received from the kernel (bsc#1259697).
Changelog:
- a943e3ce2f machined: reject invalid class types when registering machines
- 71593f77db udev: fix review mixup
- 73a89810b4 udev-builtin-net-id: print cescaped bad attributes
- 0f360bfdc0 udev-builtin-net_id: do not assume the current interface name is ethX
- 40905232e2 udev: ensure tag parsing stays within bounds
- 7bce9026e3 udev: ensure there is space for trailing NUL before calling sprintf
- d018ac1ea3 udev: check for invalid chars in various fields received from the kernel
- aef6e11921 core/cgroup: avoid one unnecessary strjoina()
- cc7426f38a sd-json: fix off-by-one issue when updating parent for array elements
- 26a748f727 core: validate input cgroup path more prudently
- 99d8308fde core/dbus-manager: propagate meaningful dbus errors from EnqueueMarkedJobs
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:1041-1
Released: Wed Mar 25 15:13:19 2026
Summary: Security update for the Linux Kernel
Type: security
Severity: important
References: 1226591,1241345,1243055,1245728,1249998,1251135,1251186,1251966,1251971,1252266,1252911,1252924,1253049,1254306,1254992,1255084,1256564,1256645,1256690,1256716,1257231,1257466,1257472,1257473,1257732,1257735,1257749,1257790,1257891,1257952,1258181,1258338,1258340,1258376,1258377,1258395,1258424,1258464,1258518,1258524,1258832,1258849,1258850,1258928,1259070,1259857,CVE-2023-53817,CVE-2024-38542,CVE-2025-37861,CVE-2025-39817,CVE-2025-39964,CVE-2025-40099,CVE-2025-40103,CVE-2025-40253,CVE-2025-71066,CVE-2025-71113,CVE-2025-71231,CVE-2026-23004,CVE-2026-23054,CVE-2026-23060,CVE-2026-23074,CVE-2026-23089,CVE-2026-23111,CVE-2026-23141,CVE-2026-23157,CVE-2026-23191,CVE-2026-23202,CVE-2026-23204,CVE-2026-23207,CVE-2026-23209,CVE-2026-23214,CVE-2026-23268,CVE-2026-23269
The SUSE Linux Enterprise 15 SP6 kernel was updated to receive various security bugfixes.
The following security bugs were fixed:
- CVE-2023-53817: crypto: lib/mpi - avoid null pointer deref in mpi_cmp_ui() (bsc#1254992).
- CVE-2024-38542: RDMA/mana_ib: boundary check before installing cq callbacks (bsc#1226591).
- CVE-2025-37861: scsi: mpi3mr: Synchronous access b/w reset and tm thread for reply queue (bsc#1243055).
- CVE-2025-39817: efivarfs: Fix slab-out-of-bounds in efivarfs_d_compare (bsc#1249998).
- CVE-2025-39964: crypto: af_alg - Disallow concurrent writes in af_alg_sendmsg (bsc#1251966).
- CVE-2025-40099: cifs: parse_dfs_referrals: prevent oob on malformed input (bsc#1252911).
- CVE-2025-40103: smb: client: Fix refcount leak for cifs_sb_tlink (bsc#1252924).
- CVE-2025-40253: s390/ctcm: Fix double-kfree (bsc#1255084).
- CVE-2025-71066: net/sched: ets: Always remove class from active list before deleting in ets_qdisc_change (bsc#1256645).
- CVE-2025-71113: crypto: af_alg - zero initialize memory allocated via sock_kmalloc (bsc#1256716).
- CVE-2025-71231: crypto: iaa - Fix out-of-bounds index in find_empty_iaa_compression_mode (bsc#1258424).
- CVE-2026-23004: dst: fix races in rt6_uncached_list_del() and rt_del_uncached_list() (bsc#1257231).
- CVE-2026-23060: crypto: authencesn - reject too-short AAD (assoclen<8) to match ESP/ESN spec (bsc#1257735).
- CVE-2026-23074: net/sched: Enforce that teql can only be used as root qdisc (bsc#1257749).
- CVE-2026-23089: ALSA: usb-audio: Fix use-after-free in snd_usb_mixer_free() (bsc#1257790).
- CVE-2026-23111: netfilter: nf_tables: fix inverted genmask check in nft_map_catchall_activate() (bsc#1258181).
- CVE-2026-23141: btrfs: send: check for inline extents in range_is_hole_in_parent() (bsc#1258377).
- CVE-2026-23191: ALSA: aloop: Fix racy access at PCM trigger (bsc#1258395).
- CVE-2026-23204: net/sched: cls_u32: use skb_header_pointer_careful() (bsc#1258340).
- CVE-2026-23209: macvlan: fix error recovery in macvlan_common_newlink() (bsc#1258518).
- CVE-2026-23214: btrfs: reject new transactions if the fs is fully read-only (bsc#1258464).
- CVE-2026-23268: apparmor: fix unprivileged local user can do privileged policy management (bsc#1258850).
- CVE-2026-23269: apparmor: validate DFA start states are in bounds in unpack_pdb (bsc#1259857).
The following non-security bugs were fixed:
- Add bugnumber to existing mana change (bsc#1251971).
- Drivers: hv: fix missing kernel-doc description for 'size' in request_arr_init() (git-fixes).
- Drivers: hv: remove stale comment (git-fixes).
- Drivers: hv: vmbus: Clean up sscanf format specifier in target_cpu_store() (git-fixes).
- Drivers: hv: vmbus: Fix sysfs output format for ring buffer index (git-fixes).
- Drivers: hv: vmbus: Fix typos in vmbus_drv.c (git-fixes).
- PCI: hv: Correct a comment (git-fixes).
- PCI: hv: Remove unnecessary flex array in struct pci_packet (git-fixes).
- PCI: hv: Remove unused field pci_bus in struct hv_pcibus_device (git-fixes).
- PCI: hv: remove unnecessary module_init/exit functions (git-fixes).
- RDMA/mana_ib: Access remote atomic for MRs (bsc#1251135).
- RDMA/mana_ib: Add EQ creation for rnic adapter (git-fixes).
- RDMA/mana_ib: Add device statistics support (git-fixes).
- RDMA/mana_ib: Add device-memory support (git-fixes).
- RDMA/mana_ib: Add port statistics support (git-fixes).
- RDMA/mana_ib: Add support of 4M, 1G, and 2G pages (git-fixes).
- RDMA/mana_ib: Add support of mana_ib for RNIC and ETH nic (git-fixes).
- RDMA/mana_ib: Adding and deleting GIDs (git-fixes).
- RDMA/mana_ib: Allow registration of DMA-mapped memory in PDs (git-fixes).
- RDMA/mana_ib: Configure mac address in RNIC (git-fixes).
- RDMA/mana_ib: Create and destroy RC QP (git-fixes).
- RDMA/mana_ib: Create and destroy UD/GSI QP (git-fixes).
- RDMA/mana_ib: Create and destroy rnic adapter (git-fixes).
- RDMA/mana_ib: Drain send wrs of GSI QP (git-fixes).
- RDMA/mana_ib: Enable RoCE on port 1 (git-fixes).
- RDMA/mana_ib: Extend modify QP (git-fixes).
- RDMA/mana_ib: Fix DSCP value in modify QP (git-fixes).
- RDMA/mana_ib: Fix error code in probe() (git-fixes).
- RDMA/mana_ib: Fix integer overflow during queue creation (bsc#1251135).
- RDMA/mana_ib: Fix missing ret value (git-fixes).
- RDMA/mana_ib: Handle net event for pointing to the current netdev (bsc#1256690).
- RDMA/mana_ib: Implement DMABUF MR support (git-fixes).
- RDMA/mana_ib: Implement port parameters (git-fixes).
- RDMA/mana_ib: Implement uapi to create and destroy RC QP (git-fixes).
- RDMA/mana_ib: Introduce helpers to create and destroy mana queues (git-fixes).
- RDMA/mana_ib: Introduce mana_ib_get_netdev helper function (git-fixes).
- RDMA/mana_ib: Introduce mana_ib_install_cq_cb helper function (git-fixes).
- RDMA/mana_ib: Introduce mdev_to_gc helper function (git-fixes).
- RDMA/mana_ib: Modify QP state (git-fixes).
- RDMA/mana_ib: Process QP error events in mana_ib (git-fixes).
- RDMA/mana_ib: Query feature_flags bitmask from FW (git-fixes).
- RDMA/mana_ib: Set correct device into ib (git-fixes).
- RDMA/mana_ib: Take CQ type from the device type (git-fixes).
- RDMA/mana_ib: UD/GSI QP creation for kernel (git-fixes).
- RDMA/mana_ib: UD/GSI work requests (git-fixes).
- RDMA/mana_ib: Use num_comp_vectors of ib_device (git-fixes).
- RDMA/mana_ib: Use safer allocation function() (bsc#1251135).
- RDMA/mana_ib: Use struct mana_ib_queue for CQs (git-fixes).
- RDMA/mana_ib: Use struct mana_ib_queue for RAW QPs (git-fixes).
- RDMA/mana_ib: Use struct mana_ib_queue for WQs (git-fixes).
- RDMA/mana_ib: add additional port counters (bsc#1251135).
- RDMA/mana_ib: add support of multiple ports (bsc#1251135).
- RDMA/mana_ib: check cqe length for kernel CQs (git-fixes).
- RDMA/mana_ib: create EQs for RNIC CQs (git-fixes).
- RDMA/mana_ib: create and destroy RNIC cqs (git-fixes).
- RDMA/mana_ib: create kernel-level CQs (git-fixes).
- RDMA/mana_ib: create/destroy AH (git-fixes).
- RDMA/mana_ib: extend mana QP table (git-fixes).
- RDMA/mana_ib: extend query device (git-fixes).
- RDMA/mana_ib: helpers to allocate kernel queues (git-fixes).
- RDMA/mana_ib: implement get_dma_mr (git-fixes).
- RDMA/mana_ib: implement req_notify_cq (git-fixes).
- RDMA/mana_ib: implement uapi for creation of rnic cq (git-fixes).
- RDMA/mana_ib: indicate CM support (git-fixes).
- RDMA/mana_ib: introduce a helper to remove cq callbacks (git-fixes).
- RDMA/mana_ib: polling of CQs for GSI/UD (git-fixes).
- RDMA/mana_ib: remove useless return values from dbg prints (git-fixes).
- RDMA/mana_ib: request error CQEs when supported (git-fixes).
- RDMA/mana_ib: set node_guid (git-fixes).
- RDMA/mana_ib: support of the zero based MRs (bsc#1251135).
- RDMA/mana_ib: unify mana_ib functions to support any gdma device (git-fixes).
- apparmor: Fix double free of ns_name in aa_replace_profiles() (bsc#1258849).
- apparmor: fix differential encoding verification (bsc#1258849).
- apparmor: fix memory leak in verify_header (bsc#1258849).
- apparmor: fix missing bounds check on DEFAULT table in verify_dfa() (bsc#1258849).
- apparmor: fix race between freeing data and fs accessing it (bsc#1258849).
- apparmor: fix race on rawdata dereference (bsc#1258849).
- apparmor: fix side-effect bug in match_char() macro usage (bsc#1258849).
- apparmor: fix unprivileged local user can do privileged policy management (bsc#1258849).
- apparmor: fix: limit the number of levels of policy namespaces (bsc#1258849).
- apparmor: replace recursive profile removal with iterative approach (bsc#1258849).
- apparmor: validate DFA start states are in bounds in unpack_pdb (bsc#1258849).
- btrfs: scrub: always update btrfs_scrub_progress::last_physical (git-fixes).
- cifs: add xid to query server interface call (git-fixes).
- clocksource: Print durations for sync check unconditionally (bsc#1241345).
- clocksource: Reduce watchdog readout delay limit to prevent false positives (bsc#1241345).
- hv/hv_kvp_daemon: Handle IPv4 and Ipv6 combination for keyfile format (git-fixes).
- hv/hv_kvp_daemon: Pass NIC name to hv_get_dns_info as well (git-fixes).
- net/mana: Null service_wq on setup error to prevent double destroy (git-fix).
- net: mana: Add metadata support for xdp mode (git-fixes).
- net: mana: Add standard counter rx_missed_errors (git-fixes).
- net: mana: Add support for auxiliary device servicing events (bsc#1251971).
- net: mana: Change the function signature of mana_get_primary_netdev_rcu (bsc#1256690).
- net: mana: Drop TX skb on post_work_request failure and unmap resources (git-fixes).
- net: mana: Fix double destroy_workqueue on service rescan PCI path (git-fixes).
- net: mana: Fix use-after-free in reset service rescan path (git-fixes).
- net: mana: Fix warnings for missing export.h header inclusion (git-fixes).
- net: mana: Handle Reset Request from MANA NIC (bsc#1245728 bsc#1251971).
- net: mana: Handle SKB if TX SGEs exceed hardware limit (git-fixes).
- net: mana: Handle hardware recovery events when probing the device (bsc#1257466).
- net: mana: Handle unsupported HWC commands (git-fixes).
- net: mana: Implement ndo_tx_timeout and serialize queue resets per port (bsc#1257472).
- net: mana: Move hardware counter stats from per-port to per-VF context (git-fixes).
- net: mana: Probe rdma device in mana driver (git-fixes).
- net: mana: Reduce waiting time if HWC not responding (bsc#1252266).
- net: mana: Ring doorbell at 4 CQ wraparounds (git-fixes).
- net: mana: Support HW link state events (bsc#1253049).
- net: mana: Use mana_cleanup_port_context() for rxq cleanup (git-fixes).
- net: mana: fix spelling for mana_gd_deregiser_irq() (git-fixes).
- net: mana: use ethtool string helpers (git-fixes).
- s390: Disable ARCH_WANT_OPTIMIZE_HUGETLB_VMEMMAP (bsc#1254306).
- scsi: mpi3mr: Event processing debug improvement (bsc#1251186, bsc#1258832).
- scsi: storvsc: Fix scheduling while atomic on PREEMPT_RT (git-fixes).
- scsi: storvsc: Remove redundant ternary operators (git-fixes).
- shrink_slab_memcg: clear_bits of skipped shrinkers (bsc#1256564).
- spi: tegra210-quad: Move curr_xfer read inside spinlock (bsc#1257952)
- spi: tegra210-quad: Protect curr_xfer assignment in (bsc#1257952)
- spi: tegra210-quad: Protect curr_xfer check in IRQ handler (bsc#1257952)
- spi: tegra210-quad: Protect curr_xfer clearing in (bsc#1257952)
- spi: tegra210-quad: Protect curr_xfer in tegra_qspi_combined_seq_xfer (bsc#1257952)
- spi: tegra210-quad: Return IRQ_HANDLED when timeout already processed (bsc#1257952)
- tools/hv: add a .gitignore file (git-fixes).
- tools/hv: reduce resouce usage in hv_get_dns_info helper (git-fixes).
- tools/hv: reduce resource usage in hv_kvp_daemon (git-fixes).
- tools: hv: Enable debug logs for hv_kvp_daemon (git-fixes).
- tools: hv: lsvmbus: change shebang to use python3 (git-fixes).
- workqueue: mark power efficient workqueue as unbounded if (bsc#1257891)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:1065-1
Released: Thu Mar 26 11:38:12 2026
Summary: Security update for sqlite3
Type: security
Severity: moderate
References: 1254670,1259619,CVE-2025-70873,CVE-2025-7709
This update for sqlite3 fixes the following issues:
Update sqlite3 to 3.51.3:
- CVE-2025-7709: Integer Overflow in FTS5 Extension (bsc#1254670).
- CVE-2025-70873: SQLite zipfile extension may disclose uninitialized heap memory during inflation (bsc#1259619).
Changelog:
* Fix the WAL-reset database corruption bug:
https://sqlite.org/wal.html#walresetbug
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:1090-1
Released: Thu Mar 26 18:44:54 2026
Summary: Security update for python3
Type: security
Severity: important
References: 1257181,CVE-2026-1299
This update for python3 fixes the following issues:
- CVE-2026-1299: header injection when an email is serialized due to improper newline quoting in BytesGenerator (bsc#1257181).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:1105-1
Released: Fri Mar 27 08:03:05 2026
Summary: Security update for containerd
Type: security
Severity: important
References:
This update for containerd rebuilds it against the current go 1.25 security release.
-----------------------------------------------------------------
Advisory ID: SUSE-OU-2026:1111-1
Released: Fri Mar 27 10:33:51 2026
Summary: Optional update for rsyslog
Type: optional
Severity: moderate
References:
This update for rsyslog fixes the following issue:
- add the rsyslog-module-ossl (openssl TLS support).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2026:1113-1
Released: Fri Mar 27 10:34:35 2026
Summary: Recommended update for crypto-policies
Type: recommended
Severity: moderate
References: 1258311,1259825
This update for crypto-policies fixes the following issues:
Enables PQC key exchange support for OpenSSH (bsc#1258311, bsc#1259825)
* The sntrup761x25519-sha512 hybrid key exchange for OpenSSH is enabled.
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:1166-1
Released: Thu Apr 2 03:08:04 2026
Summary: Security update for expat
Type: security
Severity: important
References: 1259711,1259726,1259729,CVE-2026-32776,CVE-2026-32777,CVE-2026-32778
This update for expat fixes the following issues:
- CVE-2026-32776: NULL pointer dereference when processing empty external parameter entities inside an entity
declaration value (bsc#1259726).
- CVE-2026-32777: denial of service due to infinite loop in DTD content parsing (bsc#1259711).
- CVE-2026-32778: NULL pointer dereference in `setContext` on retry after an out-of-memory condition (bsc#1259729).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:1177-1
Released: Thu Apr 2 17:00:30 2026
Summary: Security update for tar
Type: security
Severity: important
References: 1246399,CVE-2025-45582
This update for tar fixes the following issue:
- CVE-2025-45582: file overwrite via directory traversal in crafted TAR archives (bsc#1246399).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:1215-1
Released: Wed Apr 8 14:27:57 2026
Summary: Security update for openssl-3
Type: security
Severity: important
References: 1260441,1260442,1260443,1260444,1260445,CVE-2026-28387,CVE-2026-28388,CVE-2026-28389,CVE-2026-31789,CVE-2026-31790
This update for openssl-3 fixes the following issues:
- CVE-2026-28387: Potential use-after-free in DANE client code (bsc#1260441).
- CVE-2026-28388: NULL Pointer Dereference When Processing a Delta CRL (bsc#1260442).
- CVE-2026-28389: Possible NULL dereference when processing CMS KeyAgreeRecipientInfo (bsc#1260443).
- CVE-2026-31789: Heap buffer overflow in hexadecimal conversion (bsc#1260444).
- CVE-2026-31790: Incorrect failure handling in RSA KEM RSASVE encapsulation (bsc#1260445).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2026:1228-1
Released: Thu Apr 9 10:27:25 2026
Summary: Recommended update for shadow
Type: recommended
Severity: important
References: 1144060,1176006,1181400,1182850,1185897,1187536,1189139,1199026,1203823,1205502,1206627,1214806,1246052,916845,CVE-2013-4235,CVE-2023-4641
This update for shadow fixes the following issues:
shadow is updated to 4.17.2 to bring lots of features and bug fixes.
- util-linux-2.41 introduced new variable: LOGIN_ENV_SAFELIST. Recognize
it and update dependencies.
- Set SYS_{UID,GID}_MIN to 201:
After repeated similar requests to change the ID ranges we set the
above mentioned value to 201. The max value will stay at 499.
This range should be sufficient and will give us leeway for the
future.
It's not straightforward to find out which static UIDs/GIDs are
used in all packages.
Update to 4.17.2:
* src/login_nopam.c: Fix compiler warnings #1170
* lib/chkname.c: Put limits for LOGIN_NAME_MAX and sysconf(_SC_LOGIN_NAME_MAX) #1169
* Use HTTPS in link to Wikipedia article on password strength #1164
* lib/attr.h: use C23 attributes only with gcc >= 10 #1172
* login: Fix no-pam authorization regression #1174
* man: Add Portuguese translation #1178
* Update French translation #1177
* Add cheap defense mechanisms #1171
* Add Romanian translation #1176
Update to 4.17.1:
* Fix `su -` regression #1163
Update to 4.17.0:
* Fix the lower part of the domain of csrand_uniform()
* Fix use of volatile pointer
* Use str2[u]l() instead of atoi(3)
* Use a2i() in various places
* Fix const correctness
* Use uid_t for holding UIDs (and GIDs)
* Move all sprintf(3)-like APIs to a subdirectory
* Move all copying APIs to a subdirectory
* Fix forever loop on ENOMEM
* Fix REALLOC() nmemb calculation
* Remove id(1)
* Remove groups(1)
* Use local time for human-readable dates
* Use %F instead of %Y-%m-%d with strftime(3)
* is_valid{user,group}_name(): Set errno to distinguish the reasons
* Recommend --badname only if it is useful
* Add fmkomstemp() to fix mode of /etc/default/useradd
* Fix use-after-free bug in sgetgrent()
* Update Catalan translation
* Remove references to cppw, cpgr
* groupadd, groupmod: Update gshadow file with -U
* Added option -a for listing active users only, optimized using if aflg,return
* Added information in lastlog man page for new option '-a'
* Plenty of code cleanup and clarifications
- Disable flushing sssd caches. The sssd's files provider is no
longer available.
Update to 4.16.0:
* The shadow implementations of id(1) and groups(1) are deprecated
in favor of the GNU coreutils and binutils versions.
They will be removed in 4.17.0.
* The rlogind implementation has been removed.
* The libsubid major version has been bumped, since it now requires
specification of the module's free() implementation.
Update to 4.15.1:
* Fix a bug that caused spurious error messages about unknown
login.defs configuration options #967
* Adding checks for fd omission #964
* Use temporary stat buffer #974
* Fix wrong french translation #975
Update to 4.15.0:
* libshadow:
+ Use utmpx instead of utmp. This fixes a regression introduced
in 4.14.0.
+ Fix build error (parameter name omitted).
* Build system:
+ Link correctly with libdl.
+ Install pam configs for chpasswd(8) and newusers(8) when using
./configure --with-libpam --disable-account-tools-setuid.
+ Merge libshadow and libmisc into a single libshadow. This fixes
problems in the linker, which were reported at least in Gentoo.
+ Fix build with musl libc.
+ Support out of tree builds
* useradd(8):
+ Set proper SELinux labels for def_usrtemplate
Update to 4.14.6:
* login(1):
+ Fix off-by-one bugs.
* passwd(1):
+ Don't silently truncate passwords of length >= 200 characters.
Instead, accept a length of PASS_MAX, and reject longer ones.
* libshadow:
+ Fix calculation in strtoday(), which caused a wrong half-day
offset in some cases (bsc#1176006)
+ Fix parsing of dates in get_date() (bsc#1176006)
+ Use utmpx instead of utmp. This fixes a regression introduced in
4.14.0.
Update to 4.14.5:
* Build system:
+ Fix regression introduced in 4.14.4, due to a typo. chgpasswd had
been deleted from a Makefile variable, but it should have been
chpasswd.
Update to 4.14.4:
* Build system:
+ Link correctly with libdl.
+ Install pam configs for chpasswd(8) and newusers(8) when using
./configure --with-libpam --disable-account-tools-setuid.
* libshadow:
+ Fix build error (parameter name omitted).
+ Fix off-by-one bug.
+ Remove warning.
Update to 4.14.3:
* libshadow: Avoid null pointer dereference (#904)
* Remove pam_keyinit from PAM configuration. (bsc#1199026 bsc#1203823)
This was introduced for bsc#1144060.
Update to 4.14.2:
* libshadow:
+ Fix build with musl libc.
+ Avoid NULL dereference.
+ Update utmp at an initial login
* useradd(8):
+ Set proper SELinux labels for def_usrtemplate
* Manual:
+ Document --prefix in chage(1), chpasswd(8), and passwd(1)
Update to 4.14.1:
Build system: Merge libshadow and libmisc into a single libshadow.
This fixes problems in the linker, which were reported at least
in Gentoo. #791
- Set proper SELinux labels for new homedirs.
Update to 4.14.0:
* configure: add with-libbsd option
* Code cleanup
* Replace utmp interface #757
* new option enable-logind #674
* shadow userdel: add the adaptation to the busybox ps in 01-kill_user_procs.sh
* chsh: warn if root sets a shell not listed in /etc/shells #535
* newgrp: fix potential string injection
* lastlog: fix alignment of Latest header
* Fix yescrypt support #748
* chgpasswd: Fix segfault in command-line options
* gpasswd: Fix password leak (bsc#1214806, CVE-2023-4641)
* Add --prefix to passwd, chpasswd and chage #714 (bsc#1206627)
* usermod: fix off-by-one issues #701
* ch(g)passwd: Check selinux permissions upon startup #675
* sub_[ug]id_{add,remove}: fix return values
* chsh: Verify that login shell path is absolute #730
* process_prefix_flag: Drop privileges
* run_parts for groupadd and groupdel #706
* newgrp/useradd: always set SIGCHLD to default
* useradd/usermod: add --selinux-range argument #698
* sssd: skip flushing if executable does not exist #699
* semanage: Do not set default SELinux range #676
* Add control character check #687
* usermod: respect --prefix for --gid option
* Fix null dereference in basename
* newuidmap and newgidmap: support passing pid as fd
* Prevent out of boundary access #633
* Explicitly override only newlines #633
* Correctly handle illegal system file in tz #633
* Supporting vendor given -shells- configuration file #599
* Warn if failed to read existing /etc/nsswitch.conf
* chfn: new_fields: fix wrong fields printed
* Allow supplementary groups to be added via config file #586
* useradd: check if subid range exists for user #592 (rh#2012929)
- Rename lastlog to lastlog.legacy to be able to switch to
Y2038 safe lastlog2 as default [jsc#PED-3144]
- bsc#1205502: Fix useradd audit event logging of ID field
Update to 4.13:
* useradd.8: fix default group ID
* Revert drop of subid_init()
* Georgian translation
* useradd: Avoid taking unneeded space: do not reset non-existent data in lastlog
* relax username restrictions
* selinux: check MLS enabled before setting serange
* copy_tree: use fchmodat instead of chmod
* copy_tree: don't block on FIFOs
* add shell linter
* copy_tree: carefully treat permissions
* lib/commonio: make lock failures more detailed
* lib: use strzero and memzero where applicable
* Update Dutch translation
* Don't test for NULL before calling free
* Use libc MAX() and MIN()
* chage: Fix regression in print_date
* usermod: report error if homedir does not exist
* libmisc: minimum id check for system accounts
* fix usermod -rG x y wrongly adding a group
* man: add missing space in useradd.8.xml
* lastlog: check for localtime() return value
* Raise limit for passwd and shadow entry length
* Remove adduser-old.c
* useradd: Fix buffer overflow when using a prefix
* Don't warn when failed to open /etc/nsswitch.conf
Update to 4.12.3:
Revert removal of subid_init, which should have bumped soname.
So note that 4.12 through 4.12.2 were broken for subid users.
Update to 4.12.2:
* Address CVE-2013-4235 (TOCTTOU when copying directories) [bsc#916845]
Update to 4.12.1:
* Fix uk manpages
Update to 4.12:
* Add absolute path hint to --root
* Various cleanups
* Fix Ubuntu release used in CI tests
* add -F options to useradd
* useradd manpage updates
* Check for ownerid (not just username) in subid ranges
* Declare file local functions static
* Use strict prototypes
* Do not drop const qualifier for Basename
* Constify various pointers
* Don't return uninitialized memory
* Don't let compiler optimize away memory cleaning
* Remove many obsolete compatibility checks and defines
* Modify ID range check in useradd
* Use 'extern "C"' to make libsubid easier to use from C++
* French translation updates
* Fix s/with-pam/with-libpam/
* Spanish translation updates
* French translation fixes
* Default max group name length to 32
* Fix PAM service files without-selinux
* Improve manpages
- groupadd, useradd, usermod
- groups and id
- pwck
* Fix condition under which pw_dir check happens
* logoutd: switch to strncat
* AUTHORS: improve markdown output
* Handle ERANGE errors correctly
* Check for fopen NULL return
* Split get_salt() into its own fn (juyin)
* Get salt before chroot to ensure /dev/urandom.
* Chpasswd code cleanup
* Work around git safe.directory enforcement
* Alphabetize order in usermod help
* Erase password copy on error branches
* Suggest using --badname if needed
* Update translation files
* Correct badnames option to badname
* configure: replace obsolete autoconf macros
* tests: replace egrep with grep -E
* Update Ukrainian translations
* Cleanups
- Remove redeclared variable
- Remove commented out code and FIXMEs
- Add header guards
- Initialize local variables
* CI updates
- Create github workflow to install dependencies
- Enable CodeQL
- Update actions version
* libmisc: use /dev/urandom as fallback if other methods fail
Provide /etc/login.defs.d on SLE15 since we support and use it
Update to 4.11.1:
* build: include lib/shadowlog_internal.h in dist tarballs
Update to 4.11:
* Handle possible TOCTTOU issues in usermod/userdel
- (CVE-2013-4235)
- Use O_NOFOLLOW when copying file
- Kill all user tasks in userdel
* Fix useradd -D segfault
* Clean up obsolete libc feature-check ifdefs
* Fix -fno-common build breaks due to duplicate Prog declarations
* Have single date_to_str definition
* Fix libsubid SONAME version
* Clarify licensing info, use SPDX.
Update to 4.10:
* From this release forward, su from this package should be
considered deprecated. Please replace any users of it with su
from util-linux
* libsubid fixes
* Rename the test program list_subid_ranges to getsubids, write
a manpage, so distros can ship it.
* Add libeconf dep for new*idmap
* Allow all group types with usermod -G
* Avoid useradd generating empty subid range
* Handle NULL pw_passwd
* Fix default value SHA_get_salt_rounds
* Use https where possible in README
* Update content and format of README
* Translation updates
* Switch from xml2po to itstool in 'make dist'
* Fix double frees
* Add LOG_INIT configurable to useradd
* Add CREATE_MAIL_SPOOL documentation
* Create a security.md
* Fix su never being SIGKILLd when trapping TERM
* Fix wrong SELinux labels in several possible cases
* Fix missing chmod in chadowtb_move
* Handle malformed hushlogins entries
* Fix groupdel segv when passwd does not exist
* Fix covscan-found newgrp segfault
* Remove trailing slash on homedir
* Fix passwd -l message - it does not change expiry
* Fix SIGCHLD handling bugs in su and vipw
* Remove special case for '' in usermod
* Implement usermod -rG to remove a specific group
* call pam_end() after fork in child path for su and login
* useradd: In absence of /etc/passwd, assume 0 == root
* lib: check NULL before freeing data
* Fix pwck segfault
- Really enable USERGROUPS_ENAB [bsc#1189139].
Added hardening to systemd service(s) (bsc#1181400).
* Add LOGIN_KEEP_USERNAME to login.defs.
* Remove PREVENT_NO_AUTH from login.defs. Only used by the
unpackaged login and su.
* Remove variables BCRYPT_MIN_ROUNDS, BCRYPT_MAX_ROUNDS,
YESCRYPT_COST_FACTOR, not supported by the current
configuration.
* login.defs: Enable USERGROUPS_ENAB and CREATE_HOME to
be compatible with other Linux distros and the other tools
creating user accounts in use on openSUSE. Set HOME_MODE to 700
for security reasons and compatibility. [bsc#1189139] [bsc#1182850]
Update to 4.9:
* Updated translations
* Major salt updates
* Various coverity and cleanup fixes
* Consistently use 0 to disable PASS_MIN_DAYS in man
* Implement NSS support for subids and a libsubid
* setfcap: retain setfcap when mapping uid 0
* login.defs: include HMAC_CRYPTO_ALGO key
* selinux fixes
* Fix path prefix path handling
* Manpage updates
* Treat an empty passwd field as invalid(Haelwenn Monnier)
* newxidmap: allow running under alternative gid
* usermod: check that shell is executable
* Add yescrypt support
* useradd memleak fixes
* useradd: use built-in settings by default
* getdefs: add foreign
* buffer overflow fixes
* Adding run-parts style for pre and post useradd/del
- login.defs/MOTD_FILE: Use '' instead of blank entry [bsc#1187536]
- Add /etc/login.defs.d directory
- Enable shadowgrp so that we can set more secure group passwords
using shadow.
- Disable MOTD_FILE to allow the use of pam_motd to unify motd
message output [bsc#1185897]. Else motd entries of e.g. cockpit
will not be shown.
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:1310-1
Released: Tue Apr 14 12:42:12 2026
Summary: Security update for libssh
Type: security
Severity: moderate
References: 1259377,CVE-2026-3731
This update for libssh fixes the following issues:
- CVE-2026-3731: Denial of Service via out-of-bounds read in SFTP extension name handler (bsc#1259377).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:1312-1
Released: Tue Apr 14 12:46:30 2026
Summary: Security update for bind
Type: security
Severity: important
References: 1260805,CVE-2026-1519
This update for bind fixes the following issues:
- CVE-2026-1519: high CPU load during insecure delegation validation due to excessive NSEC3 iterations (bsc#1260805).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:1350-1
Released: Wed Apr 15 15:36:20 2026
Summary: Security update for nghttp2
Type: security
Severity: important
References: 1259845,CVE-2026-27135
This update for nghttp2 fixes the following issue:
- CVE-2026-27135: assertion failure due to missing state validation can lead to DoS (bsc#1259845).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:1356-1
Released: Wed Apr 15 15:43:42 2026
Summary: Security update for nfs-utils
Type: security
Severity: moderate
References: 1246505,1259204,CVE-2025-12801
This update for nfs-utils fixes the following issue:
Security fixes:
- CVE-2025-12801: rpc.mountd allows an NFSv3 client to escalate their privileges and access subdirectories and subtrees
of an exported directory (bsc#1259204).
Other fixes:
- Split from nfs-utils into its own spec and changelog file (bsc#1246505).
- Split legacy libnfsidmap0 into a separate spec file (bsc#1246505).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:1359-1
Released: Wed Apr 15 16:06:45 2026
Summary: Security update for sudo
Type: security
Severity: important
References: 1261420,CVE-2026-35535
This update for sudo fixes the following issue:
- CVE-2026-35535: Fixed potential privilege escalation when running the mailer (bsc#1261420).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:1368-1
Released: Wed Apr 15 16:35:24 2026
Summary: Security update for libpng16
Type: security
Severity: important
References: 1260754,1260755,CVE-2026-33416,CVE-2026-33636
This update for libpng16 fixes the following issues:
- CVE-2026-33416: use-after-free via pointer aliasing in `png_set_tRNS` and `png_set_PLTE` can lead to arbitrary code
execution (bsc#1260754).
- CVE-2026-33636: out-of-bounds read/write in the palette expansion on ARM Neon can lead to information leak and
crashes (bsc#1260755).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:1369-1
Released: Wed Apr 15 16:42:55 2026
Summary: Security update for glibc
Type: security
Severity: important
References: 1260078,1260082,CVE-2026-4437,CVE-2026-4438
This update for glibc fixes the following issues:
- CVE-2026-4437: incorrect DNS response parsing via crafted DNS server response (bsc#1260078).
- CVE-2026-4438: invalid DNS hostname returned via gethostbyaddr functions (bsc#1260082).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2026:1372-1
Released: Wed Apr 15 19:07:33 2026
Summary: Recommended update for tpm2-0-tss
Type: recommended
Severity: moderate
References: 1258720
This update for tpm2-0-tss fixes the following issue:
- When installing libtss2-fapi errors from systemd-tmpfiles can appear.
Adding 'Requires' to libtss2-fapi to pull in the tss user (bsc#1258720).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2026:1382-1
Released: Thu Apr 16 11:14:10 2026
Summary: Recommended update for suseconnect-ng
Type: recommended
Severity: important
References: 1230861,1239439,1241002,1244550,1257490,1257625,1257667,1257825,1261155
This update for suseconnect-ng fixes the following issues:
- Update version to 1.21.1:
* Fix nil token handling (bsc#1261155)
* Switch to using go1.24-openssl as the default Go version to
install to support building the package (jsc#SCC-585).
- Update version to 1.21:
* Add expanded metric collection for kernel modules and hardware detection (jsc#TEL-226).
* Support new profile based metric collection
* Fix ignored --root parameter handling when reading and writing configuration (bsc#1257667)
* Add expanded metric collection for system vendor/manufacturer (jsc#TEL-260).
* Removed backport patch
* Add missing product id to allow yast2-registration to not break (bsc#1257825)
* Fix libsuseconnect APIError detection logic (bsc#1257825)
- Regressions found during QA test runs:
* Ignore product in announce call (bsc#1257490)
* Registration to SMT server with failed (bsc#1257625)
- Update version to 1.20:
* Update error message for Public Cloud instances with registercloudguest installed.
SUSEConnect -d is disabled on PAYG and BYOS when
the registercloudguest command is available. (bsc#1230861)
* Enhanced SAP detection. Take TREX into account and remove empty values when
only /usr/sap but no installation exists (bsc#1241002)
* Fixed modules and extension link to point to version-less documentation. (bsc#1239439)
* Fixed SAP instance detection (bsc#1244550)
* Remove link to extensions documentation (bsc#1239439)
* Migrate to the public library
- Version 1.14 public library release
This version is only available on Github as a tag to release the new golang public library
which can be consumed without the need to interface with SUSEConnect directly.
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2026:1391-1
Released: Thu Apr 16 11:37:51 2026
Summary: Recommended update for mdadm
Type: recommended
Severity: important
References: 1243443,1258265,1259090
This update for mdadm fixes the following issues:
- Update to version 4.3+36.g12cb7035:
* avoid mdcheck_continue.timer and mdcheck_start.timer
firing simultaneously (bsc#1243443, bsc#1259090)
- Update to version 4.3+35.gd30fc922:
* platform-intel: Deal with hot-unplugged devices (bsc#1258265)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2026:1410-1
Released: Thu Apr 16 14:41:43 2026
Summary: Recommended update for util-linux
Type: recommended
Severity: moderate
References: 1222465,1234736
This update for util-linux fixes the following issues:
- recognize fuse 'portal' as a virtual file system (bsc#1234736).
- fdisk: Fix possible partition overlay and data corruption if EBR gap is missing (bsc#1222465).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:1418-1
Released: Thu Apr 16 18:43:02 2026
Summary: Security update for iproute2
Type: security
Severity: low
References: 1254324,CVE-2024-58251
This update for iproute2 fixes the following issue:
- CVE-2024-58251: denial of service via terminal escape sequences (bsc#1254324).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:1432-1
Released: Fri Apr 17 12:12:08 2026
Summary: Security update for libcap
Type: security
Severity: important
References: 1261809,CVE-2026-4878
This update for libcap fixes the following issue:
- CVE-2026-4878: Address a potential TOCTOU race condition in cap_set_file() (bsc#1261809).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2026:1434-1
Released: Fri Apr 17 12:49:03 2026
Summary: Recommended update for apparmor
Type: recommended
Severity: moderate
References: 1225811,1259441
This update for apparmor fixes the following issues:
- samba gives denied in audit with apparmor (bsc#1225811).
- apparmor denies printing with profiles on sle15-sp7 (bsc#1259441).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:1441-1
Released: Fri Apr 17 16:18:19 2026
Summary: Security update for avahi
Type: security
Severity: moderate
References: 1257235,CVE-2026-24401
This update for avahi fixes the following issue:
- CVE-2026-24401: avahi-daemon can be crashed via a segmentation fault by sending an unsolicited mDNS response
containing a recursive CNAME record (bsc#1257235).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2026:1473-1
Released: Mon Apr 20 11:32:05 2026
Summary: Recommended update for grub2
Type: recommended
Severity: important
References: 1249385,1259543
This update for grub2 fixes the following issues:
- Fix PowerPC network boot prefix to correctly locate grub.cfg (bsc#1249385)
* use net config for boot location instead of
- Fix double free in xen booting if root filesystem is Btrfs (bsc#1259543)
* btrfs: add ability to boot from subvolumes
* btrfs: get default subvolume
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:1487-1
Released: Mon Apr 20 17:52:11 2026
Summary: Security update for runc
Type: security
Severity: important
References:
This update for runc rebuilds it against the current go 1.25 security release.
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:1495-1
Released: Mon Apr 20 17:59:12 2026
Summary: Security update for containerd
Type: security
Severity: important
References:
This update for containerd rebuilds it against the current go 1.25 security release.
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:1510-1
Released: Tue Apr 21 08:28:12 2026
Summary: Security update for ncurses
Type: security
Severity: moderate
References: 1259924,CVE-2025-69720
This update for ncurses fixes the following issue:
- CVE-2025-69720: buffer overflow in function `analyze_string()` of `progs/infocmp.c` (bsc#1259924).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:1577-1
Released: Thu Apr 23 17:53:45 2026
Summary: Security update for openssl-1_1
Type: security
Severity: important
References: 1260441,1260442,1260443,1260444,1261678,CVE-2026-28387,CVE-2026-28388,CVE-2026-28389,CVE-2026-28390,CVE-2026-31789
This update for openssl-1_1 fixes the following issues:
- CVE-2026-28387: Potential use-after-free in DANE client code (bsc#1260441).
- CVE-2026-28388: NULL Pointer Dereference When Processing a Delta CRL (bsc#1260442).
- CVE-2026-28389: Possible NULL dereference when processing CMS KeyAgreeRecipientInfo (bsc#1260443).
- CVE-2026-28390: NULL pointer dereference during processing of a crafted CMS EnvelopedData message with
KeyTransportRecipientInfo (bsc#1261678).
- CVE-2026-31789: Heap buffer overflow in hexadecimal conversion (bsc#1260444).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:1602-1
Released: Fri Apr 24 13:46:25 2026
Summary: Security update for libpng16
Type: security
Severity: moderate
References: 1261957,CVE-2026-34757
This update for libpng16 fixes the following issue:
- CVE-2026-34757: information disclosure and data corruption due to use-after-free in `png_set_PLTE`, `png_set_tRNS`
and `png_set_hIST` (bsc#1261957).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:1605-1
Released: Fri Apr 24 13:48:53 2026
Summary: Security update for openssl-3
Type: security
Severity: moderate
References: 1261678,CVE-2026-28390
This update for openssl-3 fixes the following issue:
Security issues fixed:
- CVE-2026-28390: NULL pointer dereference during processing of a crafted CMS EnvelopedData message with
KeyTransportRecipientInfo (bsc#1261678).
Other updates and bugfixes:
- Enable MD2 in legacy provider (jsc#PED-15724).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:1607-1
Released: Fri Apr 24 13:50:52 2026
Summary: Security update for vim
Type: security
Severity: important
References: 1259985,1261191,1261271,CVE-2026-33412,CVE-2026-34714,CVE-2026-34982
This update for vim fixes the following issues:
Update to version 9.2.0280.
- CVE-2026-34982: missing input validation allows for a modeline sandbox bypass and can lead to arbitrary OS command
execution (bsc#1261271).
- CVE-2026-34714: missing checks allow for a `tabpanel` modeline escape and can lead to arbitrary OS command execution
(bsc#1261191).
- CVE-2026-33412: improper escaping of newline characters allows for command injection in `glob` and can lead to
arbitrary code execution (bsc#1259985).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:1643-1
Released: Tue Apr 28 15:27:13 2026
Summary: Security update for the Linux Kernel
Type: security
Severity: important
References: 1252073,1253122,1257506,1257773,1259188,1259461,1259580,1259707,1259797,1259998,1260005,1260009,1260347,1260471,1260486,1260562,1260730,1261412,1261498,CVE-2025-39998,CVE-2026-23103,CVE-2026-23231,CVE-2026-23243,CVE-2026-23272,CVE-2026-23274,CVE-2026-23278,CVE-2026-23293,CVE-2026-23317,CVE-2026-23381,CVE-2026-23398,CVE-2026-23412,CVE-2026-23413,CVE-2026-31788
The SUSE Linux Enterprise 15 SP6 kernel was updated to fix various security issues.
The following security issues were fixed:
- CVE-2025-39998: scsi: target: target_core_configfs: Add length check to avoid buffer overflow (bsc#1252073).
- CVE-2026-23103: ipvlan: Make the addrs_lock be per port (bsc#1257773).
- CVE-2026-23231: netfilter: nf_tables: fix use-after-free in nf_tables_addchain() (bsc#1259188).
- CVE-2026-23243: RDMA/umad: Reject negative data_len in ib_umad_write (bsc#1259797).
- CVE-2026-23272: netfilter: nf_tables: unconditionally bump set->nelems before insertion (bsc#1260009).
- CVE-2026-23274: netfilter: xt_IDLETIMER: reject rev0 reuse of ALARM timer labels (bsc#1260005).
- CVE-2026-23278: netfilter: nf_tables: always walk all pending catchall elements (bsc#1259998).
- CVE-2026-23293: net: vxlan: fix nd_tbl NULL dereference when IPv6 is disabled (bsc#1260486).
- CVE-2026-23317: drm/vmwgfx: Return the correct value in vmw_translate_ptr functions (bsc#1260562).
- CVE-2026-23381: net: bridge: fix nd_tbl NULL dereference when IPv6 is disabled (bsc#1260471).
- CVE-2026-23398: icmp: fix NULL pointer dereference in icmp_tag_validation() (bsc#1260730).
- CVE-2026-23412: netfilter: bpf: defer hook memory release until rcu readers are done (bsc#1261412).
- CVE-2026-23413: clsact: Fix use-after-free in init/destroy rollback asymmetry (bsc#1261498).
- CVE-2026-31788: xen/privcmd: restrict usage in unprivileged domU (bsc#1259707).
The following non security issues were fixed:
- KVM: x86/mmu: Drop/zap existing present SPTE even when creating an MMIO SPTE (bsc#1259461).
- KVM: x86/mmu: Retry fault before acquiring mmu_lock if mapping is changing (bsc#1253122).
- net: mana: fix use-after-free in add_adev() error path (git-fixes).
- net: mana: Trigger VF reset/recovery on health check failure due to HWC timeout (bsc#1259580).
- x86/platform/uv: Handle deconfigured sockets (bsc#1260347).
- xen/privcmd: unregister xenstore notifier on module exit (git-fixes).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:1671-1
Released: Sat May 2 08:00:54 2026
Summary: Security update for the Linux Kernel
Type: security
Severity: important
References: 1262573,CVE-2026-31431
The SUSE Linux Enterprise 15 SP5 kernel was updated to fix one security issue.
The following security issue was fixed:
- CVE-2026-31431: The copy.fail security issue is fixed by reverting to operating out-of-place in algif_aead (bsc#1262573).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:1715-1
Released: Wed May 6 14:09:30 2026
Summary: Security update for python3
Type: security
Severity: important
References: 1259611,1259734,1259735,1259989,1260026,1261969,1261970,1262098,1262319,1262654,CVE-2025-13462,CVE-2026-1502,CVE-2026-3446,CVE-2026-3479,CVE-2026-3644,CVE-2026-4224,CVE-2026-4519,CVE-2026-4786,CVE-2026-6019,CVE-2026-6100
This update for python3 fixes the following issues:
- CVE-2025-13462: incorrect parsing of TarInfo when GNU long name and type AREGTYPE are combined can lead to
misinterpretation of tar archives (bsc#1259611).
- CVE-2026-1502: HTTP client proxy tunnel headers not validated for CR/LF (bsc#1261969).
- CVE-2026-3446: base64 decoding stops at first padded quad by default and ignores other information that could be
processed (bsc#1261970).
- CVE-2026-3479: improper resource argument validation in `pkgutil.get_data()` can lead to path traversal (bsc#1259989).
- CVE-2026-3644: incomplete control character validation in http.cookies can lead to input validation bypass
(bsc#1259734).
- CVE-2026-4224: parsing XML with deeply nested DTD content models can lead to C stack overflow (bsc#1259735).
- CVE-2026-4519: failure to sanitize leading dashes in URLs in the `webbrowser.open()` API can lead to web browser
command line option injection (bsc#1260026).
- CVE-2026-4786: URLs prefixed with `%action` can pass the dash-prefix safety check and allow for command injection
(bsc#1262319).
- CVE-2026-6019: `BaseCookie.js_output()` does not neutralize characters in cookie values embedded in JS (bsc#1262654).
- CVE-2026-6100: use-after-free in `lzma.LZMADecompressor`, `bz2.BZ2Decompressor`, and `gzip.GzipFile` when process is
under memory pressure (bsc#1262098).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2026:1721-1
Released: Wed May 6 16:43:37 2026
Summary: Recommended update for cloud-netconfig
Type: recommended
Severity: important
References: 1253223,1258406,1258730
This update for cloud-netconfig fixes the following issues:
- Update to version 1.19:
* Make sure IPADDR variable is stripped of netmask
- Update to version 1.18:
* Fix issue with link-local address routing (bsc#1258730)
- Update to version 1.17:
* Do not set broadcast address explicitly (bsc#1258406)
- Update to version 1.16:
* Fix query of default CLOUD_NETCONFIG_MANAGE (bsc#1253223)
* Fix variable names in the README
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2026:1814-1
Released: Mon May 11 17:16:51 2026
Summary: Recommended update for suse-build-key
Type: recommended
Severity: moderate
References:
This update for suse-build-key fixes the following issues:
- Import all keys if they are not yet in the RPM db.
- Added post quantum cryptographic keys for SLES 15 and SLES 16:
* build-pqc-15.pem
* build-pqc-16.pem
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:1840-1
Released: Wed May 13 12:05:10 2026
Summary: Security update for the Linux Kernel
Type: security
Severity: important
References: 1264449,1264450,CVE-2026-43284,CVE-2026-43500
The SUSE Linux Enterprise 15 SP6 kernel was updated to fix the following issues:
- CVE-2026-43284: xfrm: esp: avoid in-place decrypt on shared skb frags (bsc#1264449).
- CVE-2026-43500: rxrpc: Also unshare DATA/RESPONSE packets when paged frags are present (bsc#1264450).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:1876-1
Released: Sat May 16 00:06:36 2026
Summary: Security update for openssh
Type: security
Severity: important
References: 1261427,1261430,CVE-2026-35385,CVE-2026-35414
This update for openssh fixes the following issues:
- CVE-2026-35385: a file downloaded by scp may be installed setuid or setgid (bsc#1261427).
- CVE-2026-35414: mishandling of authorized_keys principals option (bsc#1261430).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:1908-1
Released: Sun May 17 19:14:31 2026
Summary: Security update for the Linux Kernel
Type: security
Severity: important
References: 1264013,1265209,1265308,CVE-2025-54518,CVE-2026-46300,CVE-2026-46333
The SUSE Linux Enterprise 15 SP6 kernel was updated to fix various security issues.
The following security issues were fixed:
- CVE-2025-54518: x86/CPU/AMD: Prevent improper isolation of shared resources in Zen2's op cache (bsc#1264013).
- CVE-2026-46300: net: skbuff: propagate shared-frag marker through pskb_copy() (bsc#1265209).
- CVE-2026-46333: Fixed logic bug in the Linux kernel's __ptrace_may_access() function (bsc#1265308).
The following non security issues were fixed:
- io-wq: check that the predecessor is hashed in io_wq_remove_pending() (git-fixes).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:1940-1
Released: Mon May 18 09:44:14 2026
Summary: Security update for curl
Type: security
Severity: important
References: 1259362,1262631,1262632,1262635,1262636,1262638,CVE-2026-1965,CVE-2026-4873,CVE-2026-5545,CVE-2026-6253,CVE-2026-6276,CVE-2026-6429
This update for curl fixes the following issues:
Security issues fixed:
- CVE-2026-4873: connection reuse ignores TLS requirement (bsc#1262631).
- CVE-2026-5545: wrong reuse of HTTP Negotiate connection (bsc#1262632).
- CVE-2026-6253: proxy credentials leak over redirect-to proxy (bsc#1262635).
- CVE-2026-6276: stale custom cookie host causes cookie leak (bsc#1262636).
- CVE-2026-6429: netrc credential leak with reused proxy connection (bsc#1262638).
Other updates and bugfixes:
- sws: prevent 'connection monitor' to say disconnect twice (bsc#1259362).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:1941-1
Released: Mon May 18 09:44:34 2026
Summary: Security update for sed
Type: security
Severity: moderate
References: 1262144,CVE-2026-5958
This update for sed fixes the following issue:
- CVE-2026-5958: a TOCTOU race can cause sed to read attacker-controlled content and write it to an unintended file (bsc#1262144).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:2029-1
Released: Wed May 20 11:18:08 2026
Summary: Security update for vim
Type: security
Severity: moderate
References: 1261833,CVE-2026-39881
This update for vim fixes the following issue:
Security fixes:
- CVE-2026-39881: command injection in NetBeans interface can lead to arbitrary file reads and writes (bsc#1261833).
Other fixes:
- Update to 9.2.0398.
* 9.2.0398: MS-Windows: missing strptime() support
* 9.2.0397: tabpanel: double-click opens a new tab
* 9.2.0396: tests: Test_error_callback_terminal is flaky on macOS
* 9.2.0395: tests: Test_backupskip() may read from $HOME
* 9.2.0394: xxd: offsets greater than LONG_MAX print as negative
* 9.2.0393: MS-Windows: link error with XPM support on UCRT64
* 9.2.0392: tests: Some tests are flaky
* 9.2.0391: tests: Comment in test_vim9_cmd breaks syntax highlighting
* 9.2.0390: filetype: some Beancount files are not recognized
* 9.2.0389: DECRQM still leaves stray 'pp' on Apple Terminal.app
* 9.2.0388: strange indent in update_topline()
* 9.2.0387: DECRQM request may leave stray chars in terminal
* 9.2.0386: No scroll/scrollbar support in the tabpanel
* 9.2.0385: Integer overflow with 'ze' and large 'sidescrolloff'
* 9.2.0384: stale Insstart after <Cmd> cursor move breaks undo
* 9.2.0383: [security]: runtime(netrw): shell-injection via sftp: and file: URLs
* 9.2.0382: Wayland: focus-stealing is non-working
* 9.2.0381: Vim9: Missing check_secure() in exec_instructions()
* 9.2.0380: completion: a few issues in completion code
* 9.2.0379: gui.color_approx is never used
* 9.2.0378: Using int as bool type in win_T struct
* 9.2.0377: Using int as bool type in gui_T struct
* 9.2.0376: Vim9: elseif condition compiled in dead branch
* 9.2.0375: prop_find() does not find a virt text in starting line
* 9.2.0374: c_CTRL-{G,T} does not handle offset
* 9.2.0373: Ctrl-R mapping not triggered during completion
* 9.2.0372: pum: rendering issues with multibyte text and opacity
* 9.2.0371: filetype: ghostty config files are not recognized
* 9.2.0370: duplicate code with literal string_T assignment
* 9.2.0369: multiple definitions of STRING_INIT macro
* 9.2.0368: too many strlen() calls when adding strings to dicts
* 9.2.0367: runtime(netrw): ~ not expanded on MS Windows
* 9.2.0366: pum: flicker when updating pum in place
* 9.2.0365: using int as bool
* 9.2.0364: tests: test_smoothscroll_textoff_showbreak() fails
* 9.2.0363: Vim9: variable shadowed by script-local function
* 9.2.0362: division by zero with smoothscroll and small windows
* 9.2.0361: tests: no tests for ch_listen() with IPs
* 9.2.0360: Cannot handle mouse-clicks in the tabpanel
* 9.2.0359: wrong VertSplitNC highlighting on winbar
* 9.2.0358: runtime(vimball): still path traversal attacks possible
* 9.2.0357: [security]: command injection via backticks in tag files
* 9.2.0356: Cannot apply 'scrolloff' context lines at end of file
* 9.2.0355: runtime(tar): missing path traversal checks in tar#Extract()
* 9.2.0354: filetype: not all Bitbake include files are recognized
* 9.2.0353: Missing out-of-memory check in register.c
* 9.2.0352: 'winhighlight' of left window blends into right window
* 9.2.0351: repeat_string() can be improved
* 9.2.0350: Enabling modelines poses a risk
* 9.2.0349: cannot style non-current window separator
* 9.2.0348: potential buffer underrun when setting statusline like option
* 9.2.0347: Vim9: script-local variable not found
* 9.2.0346: Wrong cursor position when entering command line window
* 9.2.0345: Wrong autoformatting with 'autocomplete'
* 9.2.0344: channel: ch_listen() can bind to network interface
* 9.2.0343: tests: test_clientserver may fail on slower systems
* 9.2.0342: tests: test_excmd.vim leaves swapfiles behind
* 9.2.0341: some functions can be run from the sandbox
* 9.2.0340: pum_redraw() may cause flicker
* 9.2.0339: regexp: nfa_regmatch() allocates and frees too often
* 9.2.0338: Cannot handle mouseclicks in the tabline
* 9.2.0337: list indexing broken on big-endian 32-bit platforms
* 9.2.0336: libvterm: no terminal reflow support
* 9.2.0335: json_encode() uses recursive algorithm
* 9.2.0334: GTK: window geometry shrinks with client-side decorations
* 9.2.0333: filetype: PklProject files are not recognized
* 9.2.0332: popup: still opacity rendering issues
* 9.2.0331: spellfile: stack buffer overflows in spell file generation
* 9.2.0330: tests: some patterns in tar and zip plugin tests not strict enough
* 9.2.0329: tests: test_indent.vim leaves swapfiles behind
* 9.2.0328: Cannot handle mouseclicks in the statusline
* 9.2.0327: filetype: uv scripts are not detected
* 9.2.0326: runtime(tar): bug with dotted path
* 9.2.0325: runtime(tar): bug in zstd handling
* 9.2.0324: 0x9b byte not unescaped in <Cmd> mapping
* 9.2.0323: filetype: buf.lock files are not recognized
* 9.2.0322: tests: test_popupwin fails
* 9.2.0321: MS-Windows: No OpenType font support
* 9.2.0320: several bugs with text properties
* 9.2.0319: popup: rendering issues with partially transparent popups
* 9.2.0318: cannot configure opacity for popup menu
* 9.2.0317: listener functions do not check secure flag
* 9.2.0316: [security]: command injection in netbeans interface via defineAnnoType
* 9.2.0315: missing bound-checks
* 9.2.0314: channel: can bind to all network interfaces
* 9.2.0313: Callback channel not registered in GUI
* 9.2.0312: C-type names are marked as translatable
* 9.2.0311: redrawing logic with text properties can be improved
* 9.2.0310: unnecessary work in vim_strchr() and find_term_bykeys()
* 9.2.0309: Missing out-of-memory check to may_get_cmd_block()
* 9.2.0308: Error message E1547 is wrong
* 9.2.0307: more mismatches between return types and documentation
* 9.2.0306: runtime(tar): some issues with lz4 support
* 9.2.0305: mismatch between return types and documentation
* 9.2.0304: tests: test for 9.2.0285 doesn't always fail without the fix
* 9.2.0303: tests: zip plugin tests don't check for warning message properly
* 9.2.0302: runtime(netrw): RFC2396 decoding double escaping spaces
* 9.2.0301: Vim9: void function return value inconsistent
* 9.2.0300: The vimball plugin needs some love
* 9.2.0299: runtime(zip): may write using absolute paths
* 9.2.0298: Some internal variables are not modified
* 9.2.0297: libvterm: can improve CSI overflow code
* 9.2.0296: Redundant and incorrect integer pointer casts in drawline.c
* 9.2.0295: 'showcmd' shows wrong Visual block size with 'linebreak'
* 9.2.0294: if_lua: lua interface does not work with lua 5.5
* 9.2.0293: :packadd may lead to heap-buffer-overflow
* 9.2.0292: E340 internal error when using method call on void value
* 9.2.0291: too many strlen() calls
* 9.2.0290: Amiga: no support for AmigaOS 3.x
* 9.2.0289: 'linebreak' may lead to wrong Visual block highlighting
* 9.2.0288: libvterm: signed integer overflow parsing long CSI args
* 9.2.0287: filetype: not all ObjectScript routines are recognized
* 9.2.0286: still some unnecessary (int) casts in alloc()
* 9.2.0285: :syn sync grouphere may go beyond end of line
* 9.2.0284: tabpanel: crash when tabpanel expression returns variable line count
* 9.2.0283: unnecessary (int) casts before alloc() calls
* 9.2.0282: tests: Test_viminfo_len_overflow() fails
* 9.2.0281: tests: Test_netrw_FileUrlEdit.. fails on Windows
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:2031-1
Released: Wed May 20 11:34:19 2026
Summary: Security update for runc
Type: security
Severity: important
References:
This update for runc rebuilds it against the current Go security release.
The following package changes have been done:
- aide-0.16-24.1 added
- apparmor-abstractions-3.1.7-150600.5.12.2 updated
- apparmor-parser-3.1.7-150600.5.12.2 updated
- audit-audispd-plugins-3.0.6-150400.4.16.1 added
- bc-1.07.1-11.37 added
- bind-utils-9.18.33-150600.3.21.1 updated
- btrfsprogs-udev-rules-6.5.1-150600.2.4 added
- btrfsprogs-6.5.1-150600.2.4 added
- ca-certificates-mozilla-2.84-150200.44.1 updated
- cloud-netconfig-gce-1.19-150000.25.31.1 updated
- containerd-ctr-1.7.29-150000.132.1 updated
- containerd-1.7.29-150000.132.1 updated
- crypto-policies-20230920.570ea89-150600.3.16.1 updated
- cryptsetup-2.7.0-150600.3.3.1 added
- curl-8.14.1-150600.4.43.1 updated
- device-mapper-2.03.22_1.02.196-150600.3.9.3 added
- dialog-1.3-3.3.7 added
- dracut-kiwi-lib-10.2.33-150600.14.10.2 added
- dracut-kiwi-oem-repart-10.2.33-150600.14.10.2 added
- glibc-locale-base-2.38-150600.14.46.1 updated
- glibc-2.38-150600.14.46.1 updated
- google-guest-configs-20260116.00-150400.13.25.1 updated
- gpg2-2.4.4-150600.3.15.1 updated
- grub2-branding-SLE-15-150600.45.3.2 added
- grub2-i386-pc-2.12-150600.8.52.1 updated
- grub2-snapper-plugin-2.12-150600.8.52.1 added
- grub2-x86_64-efi-2.12-150600.8.52.1 updated
- grub2-2.12-150600.8.52.1 updated
- iproute2-6.4-150600.7.12.1 added
- jq-1.6-150000.3.12.1 updated
- kernel-default-6.4.0-150600.23.109.1 updated
- libaio1-0.3.113-150600.15.3.1 added
- libapparmor1-3.1.7-150600.5.12.2 updated
- libavahi-client3-0.8-150600.15.15.1 updated
- libavahi-common3-0.8-150600.15.15.1 updated
- libblkid1-2.39.3-150600.4.21.1 updated
- libbpf1-1.2.2-150600.3.6.2 added
- libcap2-2.63-150400.3.6.1 updated
- libcurl4-8.14.1-150600.4.43.1 updated
- libdevmapper-event1_03-2.03.22_1.02.196-150600.3.9.3 added
- libdialog14-1.3-3.3.7 added
- libexpat1-2.7.1-150400.3.37.1 updated
- libfdisk1-2.39.3-150600.4.21.1 updated
- libgcc_s1-15.2.0+git10201-150000.1.9.1 updated
- libgnutls30-3.8.3-150600.4.17.1 updated
- libjq1-1.6-150000.3.12.1 updated
- libldap-2_4-2-2.4.46-150600.25.3.1 updated
- libldap-data-2.4.46-150600.25.3.1 updated
- libltdl7-2.4.6-150000.3.8.1 added
- liblvm2cmd2_03-2.03.22-150600.3.9.3 added
- libmount1-2.39.3-150600.4.21.1 updated
- libncurses6-6.1-150000.5.33.1 updated
- libnfsidmap1-1.0-150600.28.19.1 updated
- libnghttp2-14-1.40.0-150600.25.5.1 updated
- libopenscap25-1.3.6-150600.17.2 added
- libopenssl1_1-1.1.1w-150600.5.26.2 updated
- libopenssl3-3.1.4-150600.5.50.1 updated
- libpng16-16-1.6.40-150600.3.20.1 updated
- libpwquality1-1.4.5-150600.2.3 added
- libpython3_6m1_0-3.6.15-150300.10.118.1 updated
- libreiserfscore0-3.6.27-2.24 added
- libsmartcols1-2.39.3-150600.4.21.1 updated
- libsqlite3-0-3.51.3-150000.3.39.1 updated
- libssh-config-0.9.8-150600.11.12.1 updated
- libssh4-0.9.8-150600.11.12.1 updated
- libstdc++6-15.2.0+git10201-150000.1.9.1 updated
- libsubid5-4.17.2-150600.17.18.1 added
- libsystemd0-254.27-150600.4.62.1 updated
- libtss2-esys0-3.1.1-150600.4.3.2 updated
- libtss2-fapi1-3.1.1-150600.4.3.2 updated
- libtss2-mu0-3.1.1-150600.4.3.2 updated
- libtss2-rc0-3.1.1-150600.4.3.2 updated
- libtss2-sys1-3.1.1-150600.4.3.2 updated
- libtss2-tctildr0-3.1.1-150600.4.3.2 updated
- libudev1-254.27-150600.4.62.1 updated
- libuuid1-2.39.3-150600.4.21.1 updated
- libxml2-2-2.10.3-150500.5.38.1 updated
- libxml2-tools-2.10.3-150500.5.38.1 added
- libxmlsec1-1-1.2.37-150600.19.3 added
- libxmlsec1-openssl1-1.2.37-150600.19.3 added
- libxslt1-1.1.34-150400.3.16.1 added
- libz1-1.2.13-150500.4.6.1 updated
- login_defs-4.17.2-150600.17.18.1 updated
- lvm2-2.03.22-150600.3.9.3 added
- makedumpfile-1.7.4-150600.3.6.1 updated
- mdadm-4.3+36.g12cb7035-150600.3.23.1 added
- ncurses-utils-6.1-150000.5.33.1 updated
- nfs-client-2.6.4-150600.28.19.1 updated
- openscap-utils-1.3.6-150600.17.2 added
- openscap-1.3.6-150600.17.2 added
- openssh-clients-9.6p1-150600.6.37.1 updated
- openssh-common-9.6p1-150600.6.37.1 updated
- openssh-server-config-disallow-rootlogin-9.6p1-150600.6.37.1 updated
- openssh-server-9.6p1-150600.6.37.1 updated
- openssh-9.6p1-150600.6.37.1 updated
- openssl-3-3.1.4-150600.5.50.1 updated
- pv-1.7.24-150600.3.3 added
- python3-base-3.6.15-150300.10.118.1 updated
- rsyslog-module-relp-8.2406.0-150600.12.10.1 updated
- rsyslog-8.2406.0-150600.12.10.1 updated
- runc-1.3.4-150000.94.1 updated
- scap-security-guide-0.1.80-150600.1.2 added
- sed-4.9-150600.3.3.1 updated
- shadow-4.17.2-150600.17.18.1 updated
- shim-16.1-150300.4.31.3 updated
- sudo-1.9.15p5-150600.3.15.1 updated
- suse-build-key-12.0-150000.8.64.1 updated
- suse-module-tools-15.6.14-150600.3.17.1 updated
- suseconnect-ng-1.21.1-150600.3.18.1 updated
- syslog-service-2.0-150300.13.3.1 updated
- system-user-tss-20170617-150400.24.2.1 added
- systemd-254.27-150600.4.62.1 updated
- tar-1.34-150000.3.37.1 updated
- terminfo-base-6.1-150000.5.33.1 updated
- terminfo-6.1-150000.5.33.1 updated
- thin-provisioning-tools-0.7.5-3.3.1 added
- udev-254.27-150600.4.62.1 updated
- util-linux-systemd-2.39.3-150600.4.21.1 updated
- util-linux-2.39.3-150600.4.21.1 updated
- vim-data-common-9.2.0398-150500.20.49.1 updated
- vim-9.2.0398-150500.20.49.1 updated
- xen-libs-4.18.5_12-150600.3.40.1 updated
- glibc-locale-2.38-150600.14.40.1 removed
- growpart-0.31-5.9.3 removed
- growpart-rootgrow-1.0.7-150400.1.14.7 removed
- libwayland-client0-1.22.0-150600.1.6 removed
- python3-appdirs-1.4.3-150000.3.3.1 removed
- python3-ordered-set-4.0.2-150400.8.34 removed
- python3-packaging-21.3-150200.3.6.1 removed
- python3-pyparsing-2.4.7-150300.3.3.1 removed
- python3-setuptools-44.1.1-150400.9.15.1 removed
- python3-six-1.14.0-150200.15.1 removed