SUSE-CU-2026:5109-1: Security update of suse/sle-micro/5.5/toolbox

sle-container-updates at lists.suse.com
Sat May 23 07:16:10 UTC 2026


SUSE Container Update Advisory: suse/sle-micro/5.5/toolbox
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2026:5109-1
Container Tags        : suse/sle-micro/5.5/toolbox:16.3 , suse/sle-micro/5.5/toolbox:16.3-3.12.133 , suse/sle-micro/5.5/toolbox:latest
Container Release     : 3.12.133
Severity              : important
Type                  : security
-----------------------------------------------------------------

The container suse/sle-micro/5.5/toolbox was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2025:4362-1
Released:    Thu Dec 11 11:08:27 2025
Summary:     Recommended update for gcc15
Type:        recommended
Severity:    moderate
References:  1253043
This update for gcc15 fixes the following issues:

- Enable the use of _dl_find_object even when not available at build time.  [bsc#1253043]

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:4368-1
Released:    Thu Dec 11 16:12:16 2025
Summary:     Security update for python3
Type:        security
Severity:    low
References:  1251305,1252974,CVE-2025-6075,CVE-2025-8291
This update for python3 fixes the following issues:

- CVE-2025-6075: quadratic complexity in `os.path.expandvars()` can lead to performance degradation when values passed
  to it are user-controlled (bsc#1252974).
- CVE-2025-8291: lack of validity checks on the ZIP64 End of Central Directory (EOCD) record allows for the creation of
  ZIP archives that are processed inconsistently by the `zipfile` module (bsc#1251305).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:4373-1
Released:    Fri Dec 12 10:05:12 2025
Summary:     Security update for container-suseconnect
Type:        security
Severity:    moderate
References:  

This update for container-suseconnect rebuilds it against current go security release.

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:4504-1
Released:    Mon Dec 22 17:29:14 2025
Summary:     Security update for glib2
Type:        security
Severity:    important
References:  1254297,1254662,1254878,CVE-2025-13601,CVE-2025-14087,CVE-2025-14512
This update for glib2 fixes the following issues:

- CVE-2025-14512: integer overflow in the GIO `escape_byte_string()` function when processing malicious files or remote
  filesystem attribute values can lead to denial-of-service (bsc#1254878).
- CVE-2025-14087: buffer underflow in the GVariant parser `bytestring_parse()` and `string_parse()` functions when
  processing attacker-influenced data may lead to crash or code execution (bsc#1254662).
- CVE-2025-13601: heap-based buffer overflow in the `g_escape_uri_string()` function when processing strings with a
  large number of unacceptable characters may lead to crash or code execution (bsc#1254297).

  
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2026:1-1
Released:    Fri Jan  2 11:26:18 2026
Summary:     Recommended update for gdb
Type:        recommended
Severity:    moderate
References:  1216488,1221763,1238724,1240047,1240838,1250033,1251213
This update for gdb fixes the following issues:

GDB 16.3 changes:

  * GDB now supports watchpoints for tagged data pointers (see
    https://en.wikipedia.org/wiki/Tagged_pointer) on amd64, such
    as the one used by the Linear Address Masking (LAM) feature
    provided by Intel.
  * Debugging support for Intel MPX has been removed.  This
    includes the removal of:
    * MPX register support
    * the commands 'show/set mpx bound' (deprecated since GDB 15)
    * i386 and amd64 implementation of the hooks report_signal_info
      and get_siginfo_type.
  * GDB now supports printing of asynchronous events from the
    Intel Processor Trace during 'record instruction-history',
    'record function-call-history' and all stepping commands.
    This can be controlled with the new 'set record btrace pt
    event-tracing' command.
  * GDB now supports printing of ptwrite payloads from the Intel
    Processor Trace during 'record instruction-history', 'record
    function-call-history' and all stepping commands.  The payload
    is also accessible in Python as a RecordAuxiliary object.
    Printing is customizable via a ptwrite filter function in
    Python.  By default, the raw ptwrite payload is printed for
    each ptwrite that is encountered.
  * For breakpoints that are created in the 'pending' state, any
    'thread' or 'task' keywords are parsed at the time the
    breakpoint is created, rather than at the time the breakpoint
    becomes non-pending.
  * Thread-specific breakpoints are only inserted into the
    program space in which the thread of interest is running.
    In most cases program spaces are unique for each inferior,
    so this means that thread-specific breakpoints will usually
    only be inserted for the inferior containing the thread of
    interest.  The breakpoint will be hit no less than before.
  * For ARM targets, the offset of the pc in the jmp_buf has
    been fixed to match glibc 2.20 and later.  This should only
    matter when not using libc probes.  This may cause breakage
    when using an incompatible libc, like uclibc or newlib, or
    an older glibc.
  * MTE (Memory Tagging Extension) debugging is now supported on
    AArch64 baremetal targets.
  * In a record session, when a forward emulation reaches the end
    of the reverse history, the warning message has been changed
    to indicate that the end of the history has been reached.  It
    also specifies that the forward execution can continue, and
    the recording will also continue.
  * The Ada 'Object_Size attribute is now supported.
  * New bash script gstack uses GDB to print stack traces of
    running processes.
  * Python API:
    * Added gdb.record.clear.  Clears the trace data of the
      current recording.  This forces re-decoding of the trace for
      successive commands.
    * Added the new event source gdb.tui_enabled.
    * New module gdb.missing_objfile that facilitates dealing with
      missing objfiles when opening a core-file.
    * New function gdb.missing_objfile.register_handler that can
      register an instance of a sub-class of
      gdb.missing_debug.MissingObjfileHandler as a handler for
      missing objfiles.
    * New class gdb.missing_objfile.MissingObjfileHandler which
      can be sub-classed to create handlers for missing objfiles.
    * The 'signed' argument to gdb.Architecture.integer_type()
      will no longer accept non-bool types.
    * The gdb.MICommand.installed property can only be set to True
      or False.
    * The 'qualified' argument to gdb.Breakpoint constructor will
      no longer accept non-bool types.
    * Added the gdb.Symbol.is_artificial attribute.
  * Debugger Adapter Protocol changes:
    * The 'scopes' request will now return a scope holding global
      variables from the stack frame's compilation unit.
    * The 'scopes' request will return a 'returnValue' scope
      holding the return value from the latest 'stepOut' command,
      when appropriate.
    * The 'launch' and 'attach' requests were rewritten in
      accordance with some clarifications to the spec.  Now they
      can be sent at any time after the 'initialized' event, but
      will not take effect (or send a response) until after the
      'configurationDone' request has been sent.
    * The 'variables' request will not return artificial symbols.
  * New commands:
    * show jit-reader-directory
      Show the name of the directory that 'jit-reader-load' uses
      for relative file names.
    * set style line-number foreground COLOR
      set style line-number background COLOR
      set style line-number intensity VALUE
      Control the styling of line numbers printed by GDB.
    * set style command foreground COLOR
      set style command background COLOR
      set style command intensity VALUE
      Control the styling of GDB commands when displayed by GDB.
    * set style title foreground COLOR
      set style title background COLOR
      set style title intensity VALUE
      This style now applies to the header line of lists, for
      example the first line of the output of 'info breakpoints'.
      Previous uses of this style have been replaced with the new
      'command' style.
    * set warn-language-frame-mismatch [on|off]
      show warn-language-frame-mismatch
      Control the warning that is emitted when specifying a
      language that does not match the current frame's language.
    * maintenance info inline-frames [ADDRESS]
      New command which displays GDB's inline-frame information
      for the current address, or for ADDRESS if specified.  The
      output identifies inlined frames which start at the
      specified address.
    * maintenance info blocks [ADDRESS]
      New command which displays information about all of the
      blocks at ADDRESS, or at the current address if ADDRESS is
      not given.  Blocks are listed starting at the inner global
      block out to the most inner block.
    * info missing-objfile-handlers
      List all the registered missing-objfile handlers.
    * enable missing-objfile-handler LOCUS HANDLER
      disable missing-objfile-handler LOCUS HANDLER
      Enable or disable a missing-objfile handler with a name
      matching the regular expression HANDLER, in LOCUS.  LOCUS
      can be 'global' to operate on global missing-objfile
      handler, 'progspace' to operate on handlers within the
      current program space, or can be a regular expression which
      is matched against the filename of the primary executable in
      each program space.
  * Changed commands:
    * remove-symbol-file
      This command now supports file-name completion.
    * remove-symbol-file -a ADDRESS
      The ADDRESS expression can now be a full expression
      consisting of multiple terms, e.g. 'function + 0x1000'
      (without quotes), previously only a single term could be
      given.
    * target core
      target exec
      target tfile
      target ctf
      compile file
      maint print c-tdesc
      save gdb-index
      These commands now require their filename argument to be
      quoted if it contains white space or quote characters.  If
      the argument contains no such special characters then
      quoting is not required.
    * maintenance print remote-registers
      Add an 'Expedited' column to the output of the command.  It
      indicates which registers were included in the last stop
      reply packet received by GDB.
    * show configuration
      Now includes the version of GNU Readline library that GDB is
      using.
  * New remote packets:
    * vFile:stat
      Return information about files on the remote system.  Like
      vFile:fstat but takes a filename rather than an open file
      descriptor.
    * x addr,length
      Given ADDR and LENGTH, fetch LENGTH units from the memory at
      address ADDR and send the fetched data in binary format.
      This packet is equivalent to 'm', except that the data in
      the response are in binary format.
    * binary-upload in qSupported reply
      If the stub sends back 'binary-upload+' in its qSupported
      reply, then GDB will, where possible, make use of the 'x'
      packet.  If the stub doesn't report this feature supported,
      then GDB will not use the 'x' packet.

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:27-1
Released:    Mon Jan  5 13:45:08 2026
Summary:     Security update for python3
Type:        security
Severity:    moderate
References:  1254400,1254401,1254997,CVE-2025-12084,CVE-2025-13836,CVE-2025-13837
This update for python3 fixes the following issues:

- CVE-2025-12084: cpython: Fixed quadratic algorithm in xml.dom.minidom leading to denial of service (bsc#1254997)
- CVE-2025-13836: Fixed default Content-Length read amount from HTTP response (bsc#1254400)
- CVE-2025-13837: Fixed plistlib module denial of service (bsc#1254401)
  
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:117-1
Released:    Tue Jan 13 05:33:38 2026
Summary:     Security update for util-linux
Type:        security
Severity:    moderate
References:  1254666,CVE-2025-14104
This update for util-linux fixes the following issues:

- CVE-2025-14104: Fixed heap buffer overread in setpwnam() when processing 256-byte usernames (bsc#1254666).
- lscpu: Add support for NVIDIA Olympus arm64 core (jsc#PED-13682).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:214-1
Released:    Thu Jan 22 13:09:26 2026
Summary:     Security update for gpg2
Type:        security
Severity:    important
References:  1255715,1256244,1256246,1256390,CVE-2025-68973
This update for gpg2 fixes the following issues:

- CVE-2025-68973: Fix possible memory corruption in the armor parser (gpg.fail/memcpy)(bsc#1255715).
- Avoid potential downgrade to SHA1 in 3rd party key signatures (gpg.fail/sha1) (bsc#1256246).
- Error out on unverified output for non-detached signatures (gpg.fail/detached) (bsc#1256244).
- Fix Cleartext Signature Forgery in the NotDashEscaped header implementation in GnuPG (gpg.fail/notdash) (bsc#1256390).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:224-1
Released:    Thu Jan 22 13:18:20 2026
Summary:     Security update for libtasn1
Type:        security
Severity:    moderate
References:  1256341,CVE-2025-13151

This update for libtasn1 fixes the following issues:

- CVE-2025-13151: stack-based buffer overflow in `asn1_expend_octet_string` (bsc#1256341).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:319-1
Released:    Wed Jan 28 15:39:29 2026
Summary:     Security update for container-suseconnect
Type:        security
Severity:    important
References:  

This update for container-suseconnect rebuilds it against the current Go security release.

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:359-1
Released:    Mon Feb  2 10:54:54 2026
Summary:     Security update for openssl-1_1
Type:        security
Severity:    moderate
References:  1256834,1256835,1256836,1256837,1256838,1256839,1256840,CVE-2025-68160,CVE-2025-69418,CVE-2025-69419,CVE-2025-69420,CVE-2025-69421,CVE-2026-22795,CVE-2026-22796
This update for openssl-1_1 fixes the following issues:

- CVE-2026-22795: Missing ASN1_TYPE validation in PKCS#12 parsing (bsc#1256839).
- CVE-2025-69420: Missing ASN1_TYPE validation in TS_RESP_verify_response() function (bsc#1256837).
- CVE-2025-69421: NULL Pointer Dereference in PKCS12_item_decrypt_d2i_ex function (bsc#1256838).
- CVE-2026-22796: ASN1_TYPE Type Confusion in the PKCS7_digest_from_attributes() function (bsc#1256840).
- CVE-2025-68160: Heap out-of-bounds write in BIO_f_linebuffer on short writes (bsc#1256834).
- CVE-2025-69418: Unauthenticated/unencrypted trailing bytes with low-level OCB function calls (bsc#1256835).
- CVE-2025-69419: Out of bounds write in PKCS12_get_friendlyname() UTF-8 conversion (bsc#1256836).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:391-1
Released:    Thu Feb  5 15:23:42 2026
Summary:     Security update for libxml2
Type:        security
Severity:    low
References:  1256805,CVE-2026-0989
This update for libxml2 fixes the following issues:

- CVE-2026-0989: Fixed call stack exhaustion leading to application 
  crash due to RelaxNG parser not limiting the recursion depth when 
  resolving `<include>` directives (bsc#1256805)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:432-1
Released:    Wed Feb 11 10:11:56 2026
Summary:     Security update for sqlite3
Type:        security
Severity:    moderate
References:  1248586,1254670,CVE-2025-7709
This update for sqlite3 fixes the following issues:

- Update to v3.51.2:
- CVE-2025-7709: Fixed an integer overflow in the FTS5 extension. (bsc#1254670)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:458-1
Released:    Thu Feb 12 00:28:37 2026
Summary:     Security update for glib2
Type:        security
Severity:    important
References:  1257049,CVE-2026-0988
This update for glib2 fixes the following issues:

- CVE-2026-1485: Fixed buffer underflow and out-of-bounds access due to integer wraparound in content type parsing (bsc#1257354).
- CVE-2026-1484: Fixed buffer underflow and out-of-bounds access due to miscalculated buffer boundaries in the Base64 encoding routine (bsc#1257355).
- CVE-2026-1489: Fixed undersized heap allocation followed by out-of-bounds access due to integer overflow in Unicode case conversion (bsc#1257353).
- CVE-2026-0988: Fixed a potential integer overflow in g_buffered_input_stream_peek (bsc#1257049).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2026:463-1
Released:    Thu Feb 12 08:40:25 2026
Summary:     Recommended update for supportutils
Type:        recommended
Severity:    important
References:  1232351,1241284,1244003,1244011,1244937,1245667,1246011,1246025,1249657,1250224,1252318,1254425,1256709
This update for supportutils fixes the following issues:

- scplugin.rc is restored in package 3.2.12.1 for continued compatibility (bsc#1256709)
- Changes to version 3.2.12:
    * Optimized lsof usage and honors OPTION_OFILES (bsc#1232351)
    * Run in containers without errors (bsc#1245667)
    * Removed pmap PID from memory.txt (bsc#1246011)
    * Added missing /proc/pagetypeinfo to memory.txt (bsc#1246025)
    * Improved database perforce with kGraft patching (bsc#1249657)
    * Using last boot for journalctl for optimization (bsc#1250224)
    * Fixed extraction failures (bsc#1252318)
    * Update supportconfig.conf path in docs (bsc#1254425)
    * drm_sub_info: Catch error when dir doesn't exist
    * Replace remaining `egrep` with `grep -E`
    * Add process affinity to slert logs
    * Reintroduce cgroup statistics (and v2)
    * Minor changes to basic-health-check: improve information level
    * Collect important machine health counters
    * powerpc: collect hot-pluggable PCI and PHB slots
    * podman: collect podman disk usage
    * Exclude binary files in crondir
    * kexec/kdump: collect everything under /sys/kernel/kexec dir
    * Use short-iso for journalctl
- Changes to version 3.2.11:
    * Collect rsyslog frule files (bsc#1244003)
    * Remove proxy passwords (bsc#1244011)
    * Missing NetworkManager information (bsc#1241284)
    * Include agama logs (bsc#1244937)
    * Additional NFS conf files
    * New fadump sysfs files
    * Fixed change log dates

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2026:493-1
Released:    Fri Feb 13 10:48:54 2026
Summary:     Recommended update for container-suseconnect
Type:        recommended
Severity:    important
References:  
This update for container-suseconnect fixes the following issues:

Update to version 2.5.6:

  * Change the version logic
  * Fix FIPS environment variable in CI
  * Test in fips mode

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:508-1
Released:    Fri Feb 13 15:50:21 2026
Summary:     Security update for curl
Type:        security
Severity:    moderate
References:  1255731,1255732,1255733,1255734,1256105,CVE-2025-14017,CVE-2025-14524,CVE-2025-14819,CVE-2025-15079,CVE-2025-15224
This update for curl fixes the following issues:

- CVE-2025-14017: Fixed broken TLS options for threaded LDAPS (bsc#1256105).
- CVE-2025-14524: bearer token leak on cross-protocol redirect (bsc#1255731).
- CVE-2025-14819: libssh global knownhost override (bsc#1255732).
- CVE-2025-15079: libssh key passphrase bypass without agent set (bsc#1255733).
- CVE-2025-15224: OpenSSL partial chain store policy bypass (bsc#1255734).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:570-1
Released:    Tue Feb 17 17:38:47 2026
Summary:     Security update for libxml2
Type:        security
Severity:    moderate
References:  1247850,1247858,1250553,1256807,1256808,1256809,1256811,1256812,1257593,1257594,1257595,CVE-2025-10911,CVE-2025-8732,CVE-2026-0990,CVE-2026-0992,CVE-2026-1757
This update for libxml2 fixes the following issues:

- CVE-2026-0990: Fixed a call stack overflow leading to application crash due to infinite recursion in `xmlCatalogXMLResolveURI`. (bsc#1256807, bsc#1256811)
- CVE-2026-0992: Fixed an excessive resource consumption when processing XML catalogs due to exponential behavior. (bsc#1256809, bsc#1256812)
- CVE-2026-1757: Fixed a memory leak in the `xmllint` interactive shell. (bsc#1257594, bsc#1257595)
- CVE-2025-10911: Fixed a use-after-free with key data stored cross-RVT. (bsc#1250553)
- CVE-2025-8732: Fixed an infinite recursion in catalog parsing functions when processing malformed SGML catalog files. (bsc#1247858)
  
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:575-1
Released:    Wed Feb 18 10:10:36 2026
Summary:     Security update for libpcap
Type:        security
Severity:    low
References:  1255765,CVE-2025-11961
This update for libpcap fixes the following issues:

- CVE-2025-11961: missing validation of provided MAC-48 address string in `pcap_ether_aton()` can lead to out-of-bounds
  read and write (bsc#1255765).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2026:652-1
Released:    Thu Feb 26 10:34:35 2026
Summary:     Recommended update for sles-ltss-release
Type:        recommended
Severity:    moderate
References:  
This update for sles-ltss-release fixes the following issue:

- Set correct EOL for SLES15-SP5 LTSS.
  
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:664-1
Released:    Thu Feb 26 16:15:04 2026
Summary:     Security update for python3
Type:        security
Severity:    important
References:  1257029,1257031,1257041,1257042,1257044,1257046,CVE-2025-11468,CVE-2025-15282,CVE-2025-15366,CVE-2025-15367,CVE-2026-0672,CVE-2026-0865
This update for python3 fixes the following issues:

- CVE-2025-11468: header injection when folding a long comment in an email header containing exclusively unfoldable
  characters (bsc#1257029).
- CVE-2026-0672: HTTP header injection via user-controlled cookie values and parameters when using http.cookies.Morsel
  (bsc#1257031).
- CVE-2026-0865: user-controlled header containing newlines can allow injecting HTTP headers (bsc#1257042).
- CVE-2025-15366: user-controlled command can allow additional commands injected using newlines (bsc#1257044).
- CVE-2025-15282: user-controlled data URLs parsed may allow injecting headers (bsc#1257046).
- CVE-2025-15367: control characters may allow the injection of additional commands (bsc#1257041).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:694-1
Released:    Fri Feb 27 16:14:32 2026
Summary:     Security update for gpg2
Type:        security
Severity:    moderate
References:  1256389
This update for gpg2 fixes the following issues:

Security fix:

- Fixed GnuPG accepting Path Separators and Path Traversals 
  in Literal Data (bsc#1256389)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:783-1
Released:    Tue Mar  3 14:36:14 2026
Summary:     Security update for zlib
Type:        security
Severity:    moderate
References:  1258392,CVE-2026-27171
This update for zlib fixes the following issue:

- CVE-2026-27171: Fixed infinite loop via the `crc32_combine64` and `crc32_combine_gen64` functions due to missing
  checks for negative lengths (bsc#1258392).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2026:791-1
Released:    Tue Mar  3 16:59:33 2026
Summary:     Recommended update for gcc15
Type:        recommended
Severity:    moderate
References:  1257463
This update for gcc15 fixes the following issues:

- Fix bogus expression simplification (bsc#1257463)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:826-1
Released:    Thu Mar  5 16:16:29 2026
Summary:     Security update for expat
Type:        security
Severity:    moderate
References:  1257144,1257496,CVE-2026-24515,CVE-2026-25210
This update for expat fixes the following issues:

- CVE-2026-24515: Fixed a null dereference in XML_ExternalEntityParserCreate. (bsc#1257144)
- CVE-2026-25210: Fixed an integer overflow in doContent. (bsc#1257496)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:856-1
Released:    Tue Mar 10 09:35:24 2026
Summary:     Security update for util-linux
Type:        security
Severity:    moderate
References:  1258859,CVE-2026-3184
This update for util-linux fixes the following issues:

- CVE-2026-3184: Fix full hostname usage for PAM to ensure correct access control for 'login -h' (bsc#1258859).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:896-1
Released:    Fri Mar 13 16:25:07 2026
Summary:     Security update for glibc
Type:        security
Severity:    important
References:  1246965,1256766,1256822,1257005,CVE-2025-15281,CVE-2025-8058,CVE-2026-0861,CVE-2026-0915
This update for glibc fixes the following issues:

- CVE-2026-0861: memalign: reinstate alignment overflow check (bsc#1256766)
- CVE-2026-0915: resolv: Fix NSS DNS backend for getnetbyaddr (bsc#1256822)
- CVE-2025-15281: posix: Reset wordexp_t fields with WRDE_REUSE (bsc#1257005)
- CVE-2025-8058: posix: Fix double-free after allocation failure in regcomp (bsc#1246965)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:909-1
Released:    Tue Mar 17 18:34:08 2026
Summary:     Security update for container-suseconnect
Type:        security
Severity:    important
References:  

This update for container-suseconnect rebuilds it against the current go 1.25 security release.

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:910-1
Released:    Tue Mar 17 20:34:12 2026
Summary:     Security update for vim
Type:        security
Severity:    moderate
References:  1246602,1258229,1259051,CVE-2025-53906,CVE-2026-26269,CVE-2026-28417
This update for vim fixes the following issues:

Update Vim to version 9.2.0110:

- CVE-2025-53906: malicious zip archive may cause a path traversal in Vim's zip (bsc#1246602).
- CVE-2026-26269: Netbeans specialKeys stack buffer overflow (bsc#1258229).
- CVE-2026-28417: crafted URL parsed by netrw plugin can lead to execution of arbitrary shell commands (bsc#1259051).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:911-1
Released:    Tue Mar 17 20:56:12 2026
Summary:     Security update for curl
Type:        security
Severity:    important
References:  1259362,1259363,1259364,1259365,CVE-2026-1965,CVE-2026-3783,CVE-2026-3784,CVE-2026-3805
This update for curl fixes the following issues:

- CVE-2026-1965: bad reuse of HTTP Negotiate connection (bsc#1259362).
- CVE-2026-3783: token leak with redirect and netrc (bsc#1259363).
- CVE-2026-3784: wrong proxy connection reuse with credentials (bsc#1259364).
- CVE-2026-3805: use after free in SMB connection reuse (bsc#1259365).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2026:912-1
Released:    Wed Mar 18 07:19:42 2026
Summary:     Recommended update for ca-certificates-mozilla
Type:        recommended
Severity:    moderate
References:  1229003,1258002
This update for ca-certificates-mozilla fixes the following issues:

- test for a concretely missing certificate rather than
  just the directory, as the latter is now also provided by openssl-3
- Re-create java-cacerts with SOURCE_DATE_EPOCH set
  for reproducible builds (bsc#1229003)
- Also mark /usr/share/factory/var/lib/ca-certificates/ as writable by the user 
  during install: allow rpm to properly execute %clean when completed.
- Create /var/lib/ca-certificates during build to ensure rpm gives
  the %ghost'ed directory proper mode attributes.
- Updated to 2.84 state (bsc#1258002)
    * Removed:
        + Baltimore CyberTrust Root
        + CommScope Public Trust ECC Root-01
        + CommScope Public Trust ECC Root-02
        + CommScope Public Trust RSA Root-01
        + CommScope Public Trust RSA Root-02
        + DigiNotar Root CA
    * Added: 
        + e-Szigno TLS Root CA 2023
        + OISTE Client Root ECC G1
        + OISTE Client Root RSA G1
        + OISTE Server Root ECC G1
        + OISTE Server Root RSA G1
        + SwissSign RSA SMIME Root CA 2022 - 1
        + SwissSign RSA TLS Root CA 2022 - 1
        + TrustAsia SMIME ECC Root CA
        + TrustAsia SMIME RSA Root CA
        + TrustAsia TLS ECC Root CA
        + TrustAsia TLS RSA Root CA
- reenable the distrusted certs. The distrust applies only to certs
  issued after the distrust date, not to all certs of a CA.
  
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:1061-1
Released:    Thu Mar 26 11:35:08 2026
Summary:     Security update for systemd
Type:        security
Severity:    important
References:  1259418,1259650,1259697,CVE-2026-29111,CVE-2026-4105
This update for systemd fixes the following issues:

- CVE-2026-4105: privilege escalation due to improper access control in RegisterMachine D-Bus method (bsc#1259650).
- CVE-2026-29111: local unprivileged user can trigger an assert in systemd (bsc#1259418).
- udev: check for invalid chars in various fields received from the kernel (bsc#1259697).  

Changelog:

- 6a38d88a42 machined: reject invalid class types when registering machines
- 8c9a592e5a udev: fix review mixup
- b57007a917 udev-builtin-net-id: print cescaped bad attributes
- ee23c7604b udev-builtin-net_id: do not assume the current interface name is ethX
- 0f63e799e6 udev: ensure tag parsing stays within bounds
- 046f52ec12 udev: ensure there is space for trailing NUL before calling sprintf
- 5be21460ce udev: check for invalid chars in various fields received from the kernel
- 9559607b16 core/cgroup: avoid one unnecessary strjoina()
- fcae348ca4 core: validate input cgroup path more prudently
- a3ca6b3031 alloc-util: add strdupa_safe() + strndupa_safe() and use it everywhere
- 08125d6b06 units: add dep on systemd-logind.service by user@.service

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:1065-1
Released:    Thu Mar 26 11:38:12 2026
Summary:     Security update for sqlite3
Type:        security
Severity:    moderate
References:  1254670,1259619,CVE-2025-70873,CVE-2025-7709
This update for sqlite3 fixes the following issues:

Update sqlite3 to 3.51.3:

- CVE-2025-7709: Integer Overflow in FTS5 Extension (bsc#1254670).
- CVE-2025-70873: SQLite zipfile extension may disclose uninitialized heap memory during inflation (bsc#1259619).

Changelog:

 * Fix the WAL-reset database corruption bug:
   https://sqlite.org/wal.html#walresetbug

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2026:1087-1
Released:    Thu Mar 26 16:20:57 2026
Summary:     Recommended update for util-linux
Type:        recommended
Severity:    moderate
References:  1222465,1234736
This update for util-linux fixes the following issues:

- recognize fuse 'portal' as a virtual file system (bsc#1234736).
- fdisk: Fix possible partition overlay and data corruption if EBR gap is missing (bsc#1222465).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:1090-1
Released:    Thu Mar 26 18:44:54 2026
Summary:     Security update for python3
Type:        security
Severity:    important
References:  1257181,CVE-2026-1299
This update for python3 fixes the following issues:

- CVE-2026-1299: header injection when an email is serialized due to improper newline quoting in BytesGenerator (bsc#1257181).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:1166-1
Released:    Thu Apr  2 03:08:04 2026
Summary:     Security update for expat
Type:        security
Severity:    important
References:  1259711,1259726,1259729,CVE-2026-32776,CVE-2026-32777,CVE-2026-32778
This update for expat fixes the following issues:

- CVE-2026-32776: NULL pointer dereference when processing empty external parameter entities inside an entity
  declaration value (bsc#1259726).
- CVE-2026-32777: denial of service due to infinite loop in DTD content parsing (bsc#1259711).
- CVE-2026-32778: NULL pointer dereference in `setContext` on retry after an out-of-memory condition (bsc#1259729).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:1177-1
Released:    Thu Apr  2 17:00:30 2026
Summary:     Security update for tar
Type:        security
Severity:    important
References:  1246399,CVE-2025-45582
This update for tar fixes the following issue:

- CVE-2025-45582: file overwrite via directory traversal in crafted TAR archives (bsc#1246399).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:1247-1
Released:    Fri Apr 10 12:34:39 2026
Summary:     Security update for nghttp2
Type:        security
Severity:    important
References:  1259845,CVE-2026-27135
This update for nghttp2 fixes the following issue:

- CVE-2026-27135: assertion failure due to missing state validation can lead to DoS (bsc#1259845).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:1290-1
Released:    Mon Apr 13 10:08:34 2026
Summary:     Security update for openssl-1_1
Type:        security
Severity:    important
References:  1260441,1260442,1260443,1260444,CVE-2026-28387,CVE-2026-28388,CVE-2026-28389,CVE-2026-31789
This update for openssl-1_1 fixes the following issues:

- CVE-2026-28387: Potential use-after-free in DANE client code (bsc#1260441).
- CVE-2026-28388: NULL Pointer Dereference When Processing a Delta CRL (bsc#1260442).
- CVE-2026-28389: Possible NULL dereference when processing CMS KeyAgreeRecipientInfo (bsc#1260443).
- CVE-2026-31789: Heap buffer overflow in hexadecimal conversion (bsc#1260444).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:1308-1
Released:    Tue Apr 14 12:37:49 2026
Summary:     Security update for sudo
Type:        security
Severity:    important
References:  1261420,CVE-2026-35535
This update for sudo fixes the following issue:

- CVE-2026-35535: Fixed potential privilege escalation when running the mailer (bsc#1261420).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2026:1357-1
Released:    Wed Apr 15 15:44:21 2026
Summary:     Recommended update for gdb
Type:        recommended
Severity:    important
References:  1249147,1257111
This update for gdb fixes the following issues:

- Testsuite fixes:
    * Add proc subst_vars, an alias of subst -nobackslashes -nocommands
    * gdb/testsuite: Fix printf regexp for ppc64le with glibc
    * gdb/testsuite: Fix another timeout in gdb.mi/mi-multi-commands.exp
    * gdb/testsuite: Remove guile 'test byte at sp, before flush' test
    * gdb: Fix gdb.base/inline-frame-cycle-unwind.exp for s390x
- Re-enable ptype /o for flexible array member types (bsc#1249147):
    * gdb: Minor refactoring of is_dynamic_type_internal
    * gdb: Simplify is_dynamic_type_internal by factoring out is_dynamic_type_internal_1,
      leaving only the handling of the top_level parameter in is_dynamic_type_internal.
    * gdb: Enable ptype /o for some dynamic types
- Fix TUI crash when encountering a debuginfod query while entering TUI
    * gdb: Simplify debuginfod_is_enabled
    * gdb: Add debuginfod_enabled_ask_p
    * gdb: Add defaulted_query_auto_answers_p
    * gdb/tui: Don't enter TUI if debuginfod enabled == ask
- Fix a case on x86_64/-m32 where displaced stepping steps out of the displaced stepping buffer
    * gdb/tdep: Fix unrelocated pc in i386_displaced_step_fixup
- Fix generation of core files using gcore for glibc 2.42
    * gcore: Handle unreadable pages within readable memory regions
    * gcore: Query auxv for AT_PAGESZ in gcore_copy_callback
- Maintenance script qa.sh cleanup:
    * Remove kfail_s390 and kfail_sle11.
    * Remove gdb.reverse/{solib-precsave,solib-reverse}.exp kfail.
    * Remove gdb.base/gdb-rhbz1156192-recursive-dlopen.exp kfail.
- Fix slow symbol lookup with dwz-compressed debuginfo (bsc#1257111):
    * gdb/symtab: Fix slow symbol lookup with dwz
- Fix failure to list source file with dwz-compressed debuginfo (brc#2403580):
    * fix rhbz2403580 - misplaced symtabs due to dwz
    * gdb: Test for misplaced symtab causing file not found
    * gdb/testsuite: Add missing require in gdb.debuginfod/solib-with-dwz.exp
    * gdb/testsuite: Launch debuginfod without -vvvv
- Fix slow symbol table reading with dwz-compressed debuginfo:
    * gdb/symtab: Cache dw2_get_file_names result for dummy CU
- Fix heap-use-after-free, reported by TSAN:
    * gdb/symtab: Handle zero opcode_base in line number program header
- Fix backtrace through signal trampoline on s390x:
    * gdb/tdep: Fix gdb.base/siginfo.exp on s390x-linux

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2026:1403-1
Released:    Thu Apr 16 13:34:01 2026
Summary:     Recommended update for cyrus-sasl
Type:        recommended
Severity:    moderate
References:  1229655
This update for cyrus-sasl fixes the following issues:

- Add Channel Binding support for GSSAPI/GSS-SPNEGO (bsc#1229655, jsc#PED-12097)
- Add support for setting max ssf 0 to GSS-SPNEGO

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:1432-1
Released:    Fri Apr 17 12:12:08 2026
Summary:     Security update for libcap
Type:        security
Severity:    important
References:  1261809,CVE-2026-4878
This update for libcap fixes the following issue:

- CVE-2026-4878: Address a potential TOCTOU race condition in cap_set_file() (bsc#1261809).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:1484-1
Released:    Mon Apr 20 15:34:51 2026
Summary:     Security update for container-suseconnect
Type:        security
Severity:    important
References:  

This update for container-suseconnect rebuilds it against the current go 1.25 security release.

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:1510-1
Released:    Tue Apr 21 08:28:12 2026
Summary:     Security update for ncurses
Type:        security
Severity:    moderate
References:  1259924,CVE-2025-69720
This update for ncurses fixes the following issue:

- CVE-2025-69720: buffer overflow in function `analyze_string()` of `progs/infocmp.c` (bsc#1259924).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:1550-1
Released:    Wed Apr 22 11:41:14 2026
Summary:     Security update for openssl-1_1
Type:        security
Severity:    moderate
References:  1261678,CVE-2026-28390
This update for openssl-1_1 fixes the following issues:

- CVE-2026-28390: NULL pointer dereference during processing of a crafted CMS EnvelopedData message with
  KeyTransportRecipientInfo (bsc#1261678).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:1565-1
Released:    Thu Apr 23 09:08:29 2026
Summary:     Security update for libssh
Type:        security
Severity:    moderate
References:  1258045,1258049,1258054,1258080,1258081,1259377,CVE-2026-0964,CVE-2026-0965,CVE-2026-0966,CVE-2026-0967,CVE-2026-0968,CVE-2026-3731
This update for libssh fixes the following issues:

- CVE-2026-0964: improper sanitization of paths received from SCP servers can cause path traversal (bsc#1258049).
- CVE-2026-0965: possible denial of service when parsing unexpected configuration files (bsc#1258045).
- CVE-2026-0966: buffer underflow in ssh_get_hexa() on invalid input (bsc#1258054).
- CVE-2026-0967: specially crafted patterns could cause denial of service (bsc#1258081).
- CVE-2026-0968: malformed SFTP message can lead to out-of-bounds read (bsc#1258080).
- CVE-2026-3731: denial of service via out-of-bounds read in SFTP extension name handler (bsc#1259377).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:1607-1
Released:    Fri Apr 24 13:50:52 2026
Summary:     Security update for vim
Type:        security
Severity:    important
References:  1259985,1261191,1261271,CVE-2026-33412,CVE-2026-34714,CVE-2026-34982
This update for vim fixes the following issues:

Update to version 9.2.0280.

- CVE-2026-34982: missing input validation allows for a modeline sandbox bypass and can lead to arbitrary OS command
  execution (bsc#1261271).
- CVE-2026-34714: missing checks allow for a `tabpanel` modeline escape and can lead to arbitrary OS command execution
  (bsc#1261191).
- CVE-2026-33412: improper escaping of newline characters allows for command injection in `glob` and can lead to
  arbitrary code execution (bsc#1259985).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:1659-1
Released:    Wed Apr 29 13:09:06 2026
Summary:     Security update for sed
Type:        security
Severity:    moderate
References:  1262144,CVE-2026-5958
This update for sed fixes the following issues:

- CVE-2026-5958: TOCTOU race allows write of user-controlled content to unintended files and can lead to arbitrary file
  overwrite (bsc#1262144).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:1715-1
Released:    Wed May  6 14:09:30 2026
Summary:     Security update for python3
Type:        security
Severity:    important
References:  1259611,1259734,1259735,1259989,1260026,1261969,1261970,1262098,1262319,1262654,CVE-2025-13462,CVE-2026-1502,CVE-2026-3446,CVE-2026-3479,CVE-2026-3644,CVE-2026-4224,CVE-2026-4519,CVE-2026-4786,CVE-2026-6019,CVE-2026-6100
This update for python3 fixes the following issues:

- CVE-2025-13462: incorrect parsing of TarInfo when GNU long name and type AREGTYPE are combined can lead to
  misinterpretation of tar archives (bsc#1259611).
- CVE-2026-1502: HTTP client proxy tunnel headers not validated for CR/LF (bsc#1261969).
- CVE-2026-3446: base64 decoding stops at first padded quad by default and ignores other information that could be
  processed (bsc#1261970).
- CVE-2026-3479: improper resource argument validation in `pkgutil.get_data()` can lead to path traversal (bsc#1259989).
- CVE-2026-3644: incomplete control character validation in http.cookies can lead to input validation bypass
  (bsc#1259734).
- CVE-2026-4224: parsing XML with deeply nested DTD content models can lead to C stack overflow (bsc#1259735).
- CVE-2026-4519: failure to sanitize leading dashes in URLs in the `webbrowser.open()` API can lead to web browser
  command line option injection (bsc#1260026).
- CVE-2026-4786: URLs prefixed with `%action` can pass the dash-prefix safety check and allow for command injection
  (bsc#1262319).
- CVE-2026-6019: `BaseCookie.js_output()` does not neutralize characters in cookie values embedded in JS (bsc#1262654).
- CVE-2026-6100: use-after-free in `lzma.LZMADecompressor`, `bz2.BZ2Decompressor`, and `gzip.GzipFile` when process is
  under memory pressure (bsc#1262098).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:1717-1
Released:    Wed May  6 14:13:17 2026
Summary:     Security update for curl
Type:        security
Severity:    important
References:  1259362,1262631,1262632,1262635,1262636,1262638,CVE-2026-1965,CVE-2026-4873,CVE-2026-5545,CVE-2026-6253,CVE-2026-6276,CVE-2026-6429
This update for curl fixes the following issues:

Security issues fixed:

- CVE-2026-4873: connection reuse ignores TLS requirement (bsc#1262631).
- CVE-2026-5545: wrong reuse of HTTP Negotiate connection (bsc#1262632).
- CVE-2026-6253: proxy credentials leak over redirect-to proxy (bsc#1262635).
- CVE-2026-6276: stale custom cookie host causes cookie leak (bsc#1262636).
- CVE-2026-6429: netrc credential leak with reused proxy connection (bsc#1262638).

Other updates and bugfixes:

- sws: prevent 'connection monitor' to say disconnect twice (bsc#1259362).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2026:1814-1
Released:    Mon May 11 17:16:51 2026
Summary:     Recommended update for suse-build-key
Type:        recommended
Severity:    moderate
References:  
This update for suse-build-key fixes the following issues:

- Import all keys if they are not yet in the RPM db.
- Added post quantum cryptographic keys for SLES 15 and SLES 16:
    * build-pqc-15.pem
    * build-pqc-16.pem
  
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:1816-1
Released:    Tue May 12 09:56:32 2026
Summary:     Security update for krb5
Type:        security
Severity:    moderate
References:  1263366,1263367,CVE-2026-40355,CVE-2026-40356
This update for krb5 fixes the following issues:

- CVE-2026-40355: Denial of Service via NULL pointer dereference in NegoEx mechanism (bsc#1263366).
- CVE-2026-40356: Denial of Service via integer underflow and out-of-bounds read (bsc#1263367).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:1962-1
Released:    Mon May 18 10:07:58 2026
Summary:     Security update for util-linux
Type:        security
Severity:    moderate
References:  1261606,CVE-2026-27456
This update for util-linux fixes the following issue:

- CVE-2026-27456: TOCTOU in the mount program when setting up loop devices (bsc#1261606).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:2029-1
Released:    Wed May 20 11:18:08 2026
Summary:     Security update for vim
Type:        security
Severity:    moderate
References:  1261833,CVE-2026-39881
This update for vim fixes the following issue:

Security fixes:

- CVE-2026-39881: command injection in NetBeans interface can lead to arbitrary file reads and writes (bsc#1261833).

Other fixes:

- Update to 9.2.0398.
 * 9.2.0398: MS-Windows: missing strptime() support
 * 9.2.0397: tabpanel: double-click opens a new tab
 * 9.2.0396: tests: Test_error_callback_terminal is flaky on macOS
 * 9.2.0395: tests: Test_backupskip() may read from $HOME
 * 9.2.0394: xxd: offsets greater than LONG_MAX print as negative
 * 9.2.0393: MS-Windows: link error with XPM support on UCRT64
 * 9.2.0392: tests: Some tests are flaky
 * 9.2.0391: tests: Comment in test_vim9_cmd breaks syntax highlighting
 * 9.2.0390: filetype: some Beancount files are not recognized
 * 9.2.0389: DECRQM still leaves stray 'pp' on Apple Terminal.app
 * 9.2.0388: strange indent in update_topline()
 * 9.2.0387: DECRQM request may leave stray chars in terminal
 * 9.2.0386: No scroll/scrollbar support in the tabpanel
 * 9.2.0385: Integer overflow with 'ze' and large 'sidescrolloff'
 * 9.2.0384: stale Insstart after <Cmd> cursor move breaks undo
 * 9.2.0383: [security]: runtime(netrw): shell-injection via sftp: and file: URLs
 * 9.2.0382: Wayland: focus-stealing is non-working
 * 9.2.0381: Vim9: Missing check_secure() in exec_instructions()
 * 9.2.0380: completion: a few issues in completion code
 * 9.2.0379: gui.color_approx is never used
 * 9.2.0378: Using int as bool type in win_T struct
 * 9.2.0377: Using int as bool type in gui_T struct
 * 9.2.0376: Vim9: elseif condition compiled in dead branch
 * 9.2.0375: prop_find() does not find a virt text in starting line
 * 9.2.0374: c_CTRL-{G,T} does not handle offset
 * 9.2.0373: Ctrl-R mapping not triggered during completion
 * 9.2.0372: pum: rendering issues with multibyte text and opacity
 * 9.2.0371: filetype: ghostty config files are not recognized
 * 9.2.0370: duplicate code with literal string_T assignment
 * 9.2.0369: multiple definitions of STRING_INIT macro
 * 9.2.0368: too many strlen() calls when adding strings to dicts
 * 9.2.0367: runtime(netrw): ~ not expanded on MS Windows
 * 9.2.0366: pum: flicker when updating pum in place
 * 9.2.0365: using int as bool
 * 9.2.0364: tests: test_smoothscroll_textoff_showbreak() fails
 * 9.2.0363: Vim9: variable shadowed by script-local function
 * 9.2.0362: division by zero with smoothscroll and small windows
 * 9.2.0361: tests: no tests for ch_listen() with IPs
 * 9.2.0360: Cannot handle mouse-clicks in the tabpanel
 * 9.2.0359: wrong VertSplitNC highlighting on winbar
 * 9.2.0358: runtime(vimball): still path traversal attacks possible
 * 9.2.0357: [security]: command injection via backticks in tag files
 * 9.2.0356: Cannot apply 'scrolloff' context lines at end of file
 * 9.2.0355: runtime(tar): missing path traversal checks in tar#Extract()
 * 9.2.0354: filetype: not all Bitbake include files are recognized
 * 9.2.0353: Missing out-of-memory check in register.c
 * 9.2.0352: 'winhighlight' of left window blends into right window
 * 9.2.0351: repeat_string() can be improved
 * 9.2.0350: Enabling modelines poses a risk
 * 9.2.0349: cannot style non-current window separator
 * 9.2.0348: potential buffer underrun when setting statusline like option
 * 9.2.0347: Vim9: script-local variable not found
 * 9.2.0346: Wrong cursor position when entering command line window
 * 9.2.0345: Wrong autoformatting with 'autocomplete'
 * 9.2.0344: channel: ch_listen() can bind to network interface
 * 9.2.0343: tests: test_clientserver may fail on slower systems
 * 9.2.0342: tests: test_excmd.vim leaves swapfiles behind
 * 9.2.0341: some functions can be run from the sandbox
 * 9.2.0340: pum_redraw() may cause flicker
 * 9.2.0339: regexp: nfa_regmatch() allocates and frees too often
 * 9.2.0338: Cannot handle mouseclicks in the tabline
 * 9.2.0337: list indexing broken on big-endian 32-bit platforms
 * 9.2.0336: libvterm: no terminal reflow support
 * 9.2.0335: json_encode() uses recursive algorithm
 * 9.2.0334: GTK: window geometry shrinks with client-side decorations
 * 9.2.0333: filetype: PklProject files are not recognized
 * 9.2.0332: popup: still opacity rendering issues
 * 9.2.0331: spellfile: stack buffer overflows in spell file generation
 * 9.2.0330: tests: some patterns in tar and zip plugin tests not strict enough
 * 9.2.0329: tests: test_indent.vim leaves swapfiles behind
 * 9.2.0328: Cannot handle mouseclicks in the statusline
 * 9.2.0327: filetype: uv scripts are not detected
 * 9.2.0326: runtime(tar): bug with dotted path
 * 9.2.0325: runtime(tar): bug in zstd handling
 * 9.2.0324: 0x9b byte not unescaped in <Cmd> mapping
 * 9.2.0323: filetype: buf.lock files are not recognized
 * 9.2.0322: tests: test_popupwin fails
 * 9.2.0321: MS-Windows: No OpenType font support
 * 9.2.0320: several bugs with text properties
 * 9.2.0319: popup: rendering issues with partially transparent popups
 * 9.2.0318: cannot configure opacity for popup menu
 * 9.2.0317: listener functions do not check secure flag
 * 9.2.0316: [security]: command injection in netbeans interface via defineAnnoType
 * 9.2.0315: missing bound-checks
 * 9.2.0314: channel: can bind to all network interfaces
 * 9.2.0313: Callback channel not registered in GUI
 * 9.2.0312: C-type names are marked as translatable
 * 9.2.0311: redrawing logic with text properties can be improved
 * 9.2.0310: unnecessary work in vim_strchr() and find_term_bykeys()
 * 9.2.0309: Missing out-of-memory check to may_get_cmd_block()
 * 9.2.0308: Error message E1547 is wrong
 * 9.2.0307: more mismatches between return types and documentation
 * 9.2.0306: runtime(tar): some issues with lz4 support
 * 9.2.0305: mismatch between return types and documentation
 * 9.2.0304: tests: test for 9.2.0285 doesn't always fail without the fix
 * 9.2.0303: tests: zip plugin tests don't check for warning message properly
 * 9.2.0302: runtime(netrw): RFC2396 decoding double escaping spaces
 * 9.2.0301: Vim9: void function return value inconsistent
 * 9.2.0300: The vimball plugin needs some love
 * 9.2.0299: runtime(zip): may write using absolute paths
 * 9.2.0298: Some internal variables are not modified
 * 9.2.0297: libvterm: can improve CSI overflow code
 * 9.2.0296: Redundant and incorrect integer pointer casts in drawline.c
 * 9.2.0295: 'showcmd' shows wrong Visual block size with 'linebreak'
 * 9.2.0294: if_lua: lua interface does not work with lua 5.5
 * 9.2.0293: :packadd may lead to heap-buffer-overflow
 * 9.2.0292: E340 internal error when using method call on void value
 * 9.2.0291: too many strlen() calls
 * 9.2.0290: Amiga: no support for AmigaOS 3.x
 * 9.2.0289: 'linebreak' may lead to wrong Visual block highlighting
 * 9.2.0288: libvterm: signed integer overflow parsing long CSI args
 * 9.2.0287: filetype: not all ObjectScript routines are recognized
 * 9.2.0286: still some unnecessary (int) casts in alloc()
 * 9.2.0285: :syn sync grouphere may go beyond end of line
 * 9.2.0284: tabpanel: crash when tabpanel expression returns variable line count
 * 9.2.0283: unnecessary (int) casts before alloc() calls
 * 9.2.0282: tests: Test_viminfo_len_overflow() fails
 * 9.2.0281: tests: Test_netrw_FileUrlEdit.. fails on Windows

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:2042-1
Released:    Fri May 22 07:52:48 2026
Summary:     Security update for container-suseconnect
Type:        security
Severity:    important
References:  

This update for container-suseconnect rebuilds it against the current go security release.


The following package changes have been done:

- ca-certificates-mozilla-2.84-150200.44.1 updated
- container-suseconnect-2.5.6-150000.4.86.1 updated
- curl-8.14.1-150400.5.83.1 updated
- gdb-16.3-150400.15.29.1 updated
- glibc-locale-base-2.31-150300.98.1 updated
- glibc-locale-2.31-150300.98.1 updated
- glibc-2.31-150300.98.1 updated
- gpg2-2.2.27-150300.3.19.1 updated
- krb5-1.20.1-150500.3.20.1 updated
- libblkid1-2.37.4-150500.9.29.1 updated
- libcap-progs-2.63-150400.3.6.1 updated
- libcap2-2.63-150400.3.6.1 updated
- libcurl4-8.14.1-150400.5.83.1 updated
- libexpat1-2.7.1-150400.3.37.1 updated
- libfdisk1-2.37.4-150500.9.29.1 updated
- libgcc_s1-15.2.0+git10201-150000.1.9.1 updated
- libglib-2_0-0-2.70.5-150400.3.34.1 updated
- libgmodule-2_0-0-2.70.5-150400.3.34.1 updated
- libmount1-2.37.4-150500.9.29.1 updated
- libncurses6-6.1-150000.5.33.1 updated
- libnghttp2-14-1.40.0-150200.22.1 updated
- libopenssl1_1-hmac-1.1.1l-150500.17.54.1 updated
- libopenssl1_1-1.1.1l-150500.17.54.1 updated
- libpcap1-1.10.1-150400.3.9.1 updated
- libpython3_6m1_0-3.6.15-150300.10.118.1 updated
- libsasl2-3-2.1.28-150500.3.3.1 updated
- libsmartcols1-2.37.4-150500.9.29.1 updated
- libsource-highlight4-3.1.9-150000.3.9.1 updated
- libsqlite3-0-3.51.3-150000.3.39.1 updated
- libssh-config-0.9.8-150400.3.17.1 updated
- libssh4-0.9.8-150400.3.17.1 updated
- libstdc++6-15.2.0+git10201-150000.1.9.1 updated
- libsystemd0-249.17-150400.8.55.1 updated
- libtasn1-6-4.13-150000.4.14.1 updated
- libtasn1-4.13-150000.4.14.1 updated
- libudev1-249.17-150400.8.55.1 updated
- libuuid1-2.37.4-150500.9.29.1 updated
- libxml2-2-2.10.3-150500.5.38.1 updated
- libz1-1.2.13-150500.4.6.1 updated
- ncurses-utils-6.1-150000.5.33.1 updated
- openssl-1_1-1.1.1l-150500.17.54.1 updated
- python3-base-3.6.15-150300.10.118.1 updated
- python3-rpm-4.14.3-150400.59.16.1 added
- sed-4.4-150300.13.6.1 updated
- sles-ltss-release-15.5-150500.16.7.1 updated
- sudo-1.9.12p1-150500.7.16.1 updated
- supportutils-3.2.12.1-150300.7.35.39.1 updated
- suse-build-key-12.0-150000.8.64.1 updated
- tar-1.34-150000.3.37.1 updated
- terminfo-base-6.1-150000.5.33.1 updated
- util-linux-2.37.4-150500.9.29.1 updated
- vim-data-common-9.2.0398-150500.20.49.1 updated
- vim-9.2.0398-150500.20.49.1 updated
- iproute2-5.14-150400.3.3.1 removed
- libmnl0-1.0.4-1.25 removed
- libwayland-client0-1.21.0-150500.1.1 removed
- libxtables12-1.8.7-1.1 removed

