SUSE-FU-2026:20990-1: important: Feature update for himmelblau
SLE-UPDATES
null at suse.de
Thu Apr 9 16:30:39 UTC 2026
# Feature update for himmelblau
Announcement ID: SUSE-FU-2026:20990-1
Release Date: 2026-04-01T09:26:05Z
Rating: important
References:
* bsc#1247735
* bsc#1249013
* bsc#1257904
* bsc#1258236
* bsc#1259548
* jsc#PED-14511
Cross-References:
* CVE-2025-54882
* CVE-2025-58160
* CVE-2026-25727
* CVE-2026-31979
CVSS scores:
* CVE-2025-54882 ( SUSE ): 8.4
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
* CVE-2025-54882 ( SUSE ): 7.1 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
* CVE-2025-54882 ( NVD ): 7.1 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
* CVE-2025-58160 ( SUSE ): 2.3
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
* CVE-2025-58160 ( SUSE ): 3.1 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N
* CVE-2025-58160 ( NVD ): 2.3
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
* CVE-2026-25727 ( SUSE ): 8.7
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
* CVE-2026-25727 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
* CVE-2026-25727 ( NVD ): 6.8
CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
* CVE-2026-25727 ( NVD ): 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
* CVE-2026-31979 ( NVD ): 8.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
* CVE-2026-31979 ( NVD ): 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Affected Products:
* SUSE Linux Enterprise Server - BCI 16.0
An update that solves four vulnerabilities, contains one feature and has one fix
can now be installed.
## Description:
This update for himmelblau fixes the following issues:
Update to himmelblau 2.3.8 (jsc#PED-14511):
Security issues:
* CVE-2025-54882: world readable cloud TGT token (bsc#1247735).
* CVE-2025-58160: tracing-subscriber: Tracing log pollution (bsc#1249013).
* CVE-2026-25727: time: parsing of user-provided input by the RFC 2822 date
parser can lead to stack exhaustion (bsc#1257904).
* CVE-2026-31979: race condition when accessiung /tmp/krb5cc_<uid>
(bsc#1259548).
Non security issues:
* Fix SELinux module packaging to use standard policy macros (bsc#1258236).
Changelog:
Version 2.3.8:
* Add PrivateTmp back to Tasks Daemon
* Drop dead code
* Drop krb5 ccache dir code
* Add a TODO comment
* Drop non working packaged krb5 snippet file
* Write kerberos config snippet
* Extend resolver interface to return kerberos config together with TGTs
* Backport SELinux fixes from main
* Use libkrimes to store TGTs
Version 2.3.7:
* cargo vet
* Fix AWS-LC has PKCS7_verify Certificate Chain Validation Bypass
* Revert dependency change which broke the nightly build
* gen_dockerfiles: only himmelblaud has tpm feature, fix all others
* fix(build): gen_dockerfiles.py mutates shared features list mid-loop
Version 2.3.5:
* Better handle Intune API version
* Update make vet from main branch
* pam_himmelblau: call split_username once in chauthtok
* pam_himmelblau: return PAM_IGNORE in chauthtok for local users
* Don't attempt a DAG when Hello fails with SSPR demand
Version 2.3.4:
* deps(rust): bump the all-cargo-updates group across 1 directory with 8
updates
* Revert sketching update (which breaks SLE16 build)
Version 2.3.3:
* /var/cache/private/himmelblaud should not be created tmpfiles
* Updatee python vers for dataclasses dep
* deps(rust): bump the all-cargo-updates group across 1 directory with 3
updates
* Generate pin init service file systemd < 250
* Checkin missing himmelblaud.if file for SELinux
* Resolve typos in selinux package commands
Version 2.3.2:
* Compile SELinux policy at install time for cross-distro compatibility
* Improve PAM configuration on openSUSE/SLE
* Fix SELinux policy
* Add a git hook to ensure selinux policy is tested
* Ignore generated himmelblau-hsm-pin-init service file
* Refactor SELinux policy for cross-distro compatibility
* Fix NSS lookup for mapped local users
* Skip OS version compliance checks when min/max values are empty
Version 2.3.1:
* Remove references to qrcodegen (these are 3.x features)
* QR Greeter compatibility for old GNOME
* Enable QR greeter automatically
* ci: Use latest cargo-vet from git to fix CI
* Fix HSM pin migration failure on Debian/Ubuntu upgrades from v1.4.x
Version 2.3.0:
* Autostart the daemons on fresh install or upgrade
* Restart sshd when installing the ssh config
* Allow tasks daemon to write krb ccache
* Do not enumerate mapped users in NSS
* Update libhimmelblau to latest version
* Fix Tumbleweed build
Version 2.2.0:
* Update libhimmelblau to 0.8.x series
* deps(rust): bump the all-cargo-updates group with 17 updates
* Only use OpenSSH bug workaround for ssh service
* Fix debug noise from removing user from sudo group
* systemd: install files to /usr/lib/, not /etc/
Version 2.1.0:
* Fix nightly authselect build failure
* Generate the authselect profiles for each distro
* Improve pam config handling in aad-tool
* Make `aad-tool configure-pam` detect location of pam files
Version 2.0.5:
* /var/lib/private/himmelblaud should be owned by root
* Use tmpfiles.d to create himmelblaud private data directory
* deps(rust): bump the all-cargo-updates group with 13 updates
Version 2.0.4:
* Update kanidm_build_profiles mask version
* Utilize cargo vet from main
* Add policies cache patch via systemd-tmpfiles
* Fix man page comments about change idmap_range
* Stub picky-krb for osc build
* Stub a kanidm_build_profiles which builds in osc
* Ensure nss cache is created on Ubuntu/Debian
* Request a user token if NSS hasn't been called
Version 2.0.3:
* Add nss cache patch via systemd-tmpfiles
Version 2.0.2:
* Recommend `patch` with the pam package
* Fix passwordless FIDO authentication not being used when available
* Git workflow updates for stable-2.x
* Only warn on Intune failure
Version 2.0.1:
* Force o365 desktop files to always rebuild
* Always rebuild the o365 apps
* Add restart on-failure to systemd services
* Clarify `domain` SHOULD match login domain
* Remove warning about `domain` himmelblau.conf opt
* Pseudo eliminate multi-tenant and domains section
* Revert "Fix Hello PIN lookup when an alias domain"
* Comment out `KbdInteractiveAuthentication on` in sshd conf
* Check the nxset sooner, to avoid unwanted errors
* Recommend oddjob_mkhomedir with authselect
* Pin libhimmelblau to 0.7.x
* Deprecate Fedora 41
* deps(rust): bump the all-cargo-updates group with 11 updates
* Bump github/codeql-action from 4.30.8 to 4.31.2
* Bump cachix/install-nix-action from 31.8.1 to 31.8.2
* Bump actions/upload-artifact from 4.6.2 to 5.0.0
* cargo clippy and rebase fix
* fixup! add extra debug output to NotFound error code
* force error output to show up in CI logs
* wrap repeated sources of IdpError::NotFound in helper functions
* add extra debug output to NotFound error code
* use direnv for loading the nix devshell
* We should still encourage mapping by name
* Add support for Fedora 43
* Provide a offline 'breakglass' mode
* cargo clippy
* Add warning about incorrect nsswitch configuration
* Distinguish between online and offline token fail
* Ensure user token uses original name
* Fix alias domain in auth result causing failure
* Resolve cargo clippy warnings
* Only map on cn name for the primary domain
* Install systemd in build scripts for gen service
* Fix systemd version parsing
* Update libhimmelblau to 0.7.19
* Resolve SELinux build failures in nightly (part 2)
* Rocky container image updates were failing
* Warn instead of error when no idmap_range specified
* deps(rust): bump the all-cargo-updates group across 1 directory with 7
updates
* Trim whitespace from local group names
* Fix borrowing error
* Fix reference to local_sudo_group in condition
* Only run sudo_groups if local_groups does not contain local_sudo_group
* Leave SELinux in permissive mode for Himmelblau
* Resolve SELinux build failures in nightly
* nix: add join_type option to nixos-module settings
* Build host configuration changes
* Ensure that hsm_pin isn't present decrypted
* Document Soft HSM changes to TPM bound
* Disable SELinux by default on NixOS
* sh doesn't have `source`
* Encrypt hsm-pin using systemd-creds
* Recommend uuid id mapping
* Improve himmelblau.conf man page formatting
* Implement Local User Mapping
* Add o365 dependency for jq
* Add selinux rules for gdm login
* Narrow the scope of selinux policy with audit2allow
* Generate the systemd service files
* Fix selinux build for SLE16
* Resolve SLE16 build dependency failure
* Fix the rawhide build
* Mask the sshkey-attest package
* Bump cachix/install-nix-action from 31.7.0 to 31.8.1
* cargo vet dependency updates
* deps(rust): bump the all-cargo-updates group across 1 directory with 13
updates
* Bump actions/dependency-review-action from 4.8.0 to 4.8.1
* Bump cachix/install-nix-action from 31.7.0 to 31.8.0
* Bump github/codeql-action from 3.30.5 to 4.30.8
* Bump ossf/scorecard-action from 2.4.2 to 2.4.3
* SELinux improvements
* Fix a typo in package gen scripts
* cargo fmt
* Permit NSS response for mapped primary fake group
* Fix Nix Error With Fuzz
* Decrease CI fuzzer setup time
* Document join types
* Support for Entra registered devices
* Run `cargo test` in a container
* Bump cachix/install-nix-action from 31.6.2 to 31.7.0
* deps(rust): bump the all-cargo-updates group across 1 directory with 2
updates
* Bump github/codeql-action from 3.30.4 to 3.30.5
* Use pastey crate instead of unmaintained paste
* Pin unmaintained serde_cbor dep to serde_cbor_2
* Resolve tower-http `cargo audit` warning
* Replace unmaintained fxhash with own version
* Resolve warning about workflow top level write permissions
* Remove dependabot automerge
* Resolve division by 0 in idmap code
* [StepSecurity] ci: Harden GitHub Actions
* Only idmap against initialized domains
* Resolve invalid init of idmap with same domain
* Add fuzzing of idmap code
* Add basic fuzzing of the config options
* Resolve error found by fuzzing
* cargo vet prune
* deps(rust): bump regex in the all-cargo-updates group
* Bump actions/dependency-review-action from 4.7.3 to 4.8.0
* Bump actions/checkout from 3.6.0 to 5.0.0
* Bump cachix/cachix-action from 14 to 16
* Bump ossf/scorecard-action from 2.4.0 to 2.4.2
* Bump cachix/install-nix-action from 25 to 31
* Add the OpenSSF Best Practices badge
* Add scorecard badge
* [StepSecurity] Apply security best practices
* Fix group static mapping
* Move aad-tool idmap cache clear to the idmap cmd
* Resolve errant "Hello key missing." messages
* Update flake.nix
* Slow the dependabot update frequency
* Audit dependabot updates
* deps(rust): bump the all-cargo-updates group across 1 directory with 11
updates
* feat: Add support for aarch64 on Debian-based distributions
* Resolve possible invalid pointer dereferences
* Avoid revealing account ids in debug log
* Cause doc links to open in the correct apps
* Permit opening multiple instances of Word/Excel
* Modify systray and app close behavior
* Don't use questionably licensed icons for o365
* Resolve NixOS CI failure
* Fix building w/out deprecated interactive feature
* Update himmelblau.conf.5 sudo_groups example
* Entra group based sudo access
* Audited the cargo updates
* deps(rust): bump the all-cargo-updates group with 6 updates
* Vet libhimmelblau
* Add `make vet` command
* Update deny.toml
* Remove incompatible licenses from deps
* Fix RHEL8 package signing
* Add SBOM generation
* Add an IRP checklist for security incidents
* Run the nixos build/release on the correct version
* Add crate dependency auditing on MR
* Add some exceptions
* Initialize cargo vet
* Remove in-tree kanidm dependencies
* Fix Hello PIN lookup when an alias domain
* Raise maximum group lookup from 100 to 999
* Always work with lowercase account names
* Modify FUNDING.yml for funding sources
* Remove glib dependency
* deps(rust): bump the all-cargo-updates group with 10 updates
* Add CI check for licenses
* Update dependabot.yml to target all stable branches
* Add authselect module for Rocky/Fedora
* Recommend packages, instead of require
* Add a Contributing document
* Add a Code of Conduct
* add withSelinux flag to nix build, brings SELinux binaries into the build
environment.
* deps(rust): bump tracing-subscriber in the cargo group
* Don't overwrite the himmelblau.conf on rpm upgrade
* Add help output to the Makefile
* Fix building packages with docker in root mode
* Update to latest libhimmelblau and identity_dbus_broker
* Make PRT SSO cookie via broker work as well for Edge
* Make broker work for Edge
* Generate Office 365 desktop apps
* Update README
* Add `make uninstall` command
* Remove the deprecated tests suite
* Himmelblau no longer has git submodules
* Make install using packages
* Add Debian 13 packages
* Generate Dockerfiles automatically
* Add SELinux configuration
* Himmelblau daemon requires system tss user
* Add cron dependency for Intune scripts
* Do not mangle /usr/etc configuration files
* deps(rust): bump the all-cargo-updates group with 7 updates
* Add SLE16 (beta) build target
* Automatically append to nsswitch.conf in postinst
* Correct the RPM postinst script syntax
* Fix Kerberos credential cache permissions
* Set file owner and group before writing its content
* Create SECURITY.md
* Rev the dev version to 2.0.0
* Ensure alias domains match when checking Intune device id
* Debian 12 doesn't support ConditionPathExists and notify-reload
* Write scripts policy to a readable directory
* Apply Intune policies right after enrollment
* Add more debug instrumentation
* Provide device_id to Intune enrollment if not cached
* Ensure nss cache directory is created during install
* Remove /var/cache/himmelblaud access from tasks daemon
* Resolve daemon startup absolute path warnings
* Delay Intune enrollment on Device Auth fail
* Do not leak the Intune IW service token in the logs
Version 1.4.2:
* Revert libhimmelblau unstable update
Version 1.4.1:
* Update Intune to use app version 1.2511.7
Version 1.4.0:
* Resolve build failures
* deps(rust): bump the all-cargo-updates group across 1 directory with 6
updates
Version 1.3.0:
* Revert the self-hosted runner name
* deps(rust): bump the all-cargo-updates group with 23 updates
* Include latest branch in CI
* Self hosted runners
Version 1.1.0:
* Fix policy application
* Add remaining Linux password compliance policies
* Add custom compliance enforcement
* deps(rust): bump the all-cargo-updates group with 3 updates
* deps(rust): bump the all-cargo-updates group with 5 updates
* Add SLE15SP7 build target
* Add RHEL 10 build target
* Fix Intermittent auth issue AADSTSError 16000
* Remove old utf8proc dependency
* Add `fedora42` build target
* Handle PRT expiration and tie to offline auth
* Correctly delete the Hello keys on bad pin count
* Add ability to disable Hello PIN per-service
* Update NixOS support to 25.05
* Handle disabled device by attempting re-enrollment
* Always attempt confidential client creds for aad-tool
* Include HSM option defs in himmelblau.conf man page
* Improve the aad-tool cache-clear command
* Add `mfaSshWorkaroundFlag` configuration option to Nix Flake.
* Add the ability to remove confidential client creds
* If bad PIN count is exceeded, delete the Hello key
* deps(rust): bump the all-cargo-updates group with 4 updates
* Add instructions for creating developer builds
* Fix GDM3 first time login password prompt
* Default HsmType should be soft
* Add himmelblaud to tss group for TPM startup
* Enforce strict order for the systemd units
* Update libhimmelblau and compact_jwt
* Fix builds w/tpm
* aad-tool Authentication flow improvements
* Filter out irrelevant debug in aad-tool
* Create a unified login experience for aad-tool
* Utilize confidential creds for aad-tool enumerate
* himmelblau should get posix attributes w/out delegate user access
* Always use the Object Id for mapping Group to GID
* Update enhancement-request.md for SPI donations
* Update bug_report.md with SPI donation
* Update build requires in README.md
* Update FUNDING.yml with SPI Paypal donation button
* Don't break from tasks loop when policies fail
* Enroll in Intune as soon as it is enabled
* Implement `decoupled hello` behavior
* Cache encrypted PRT to disk for offline login SSO
* Update to latest hsm-crypto
* Enable tpm functionality
* Allow altering the password and PIN prompt messages
* Ensure Hello PIN lockout happens when online
* Cache the build target output to improve build times
* Easier build selection w/ Makefile
* Revert mistaken removal from Makefile
* Make the user wait longer with each incorrect PIN
* Make the bad PIN count configurable
* Improve aad-tool manpage
* aad-tool fails if the user has FIDO2 enabled
* Offline auth permits authentication with invalid Hello PIN
* PIN complexity to match Windows
* Update to latest SSSD idmap code
* Add aad-tool options for setting posix attrs
* Add scopes and redirect uris aad-tool application create
* Add aad-tool commands for managaging extension attrs
* Utilize the sidtoname call for object id mapping
* Add commands for listing/creating App registrations
* Potential fix for code scanning alert no. 2: Workflow does not contain
permissions
* Potential fix for code scanning alert no. 4: Workflow does not contain
permissions
* Potential fix for code scanning alert: Workflow does not contain permissions
* Never write the app_id to the server config
* Disable passwordless Fido by default
* Stop using deprecated `users` crate
* When group membership lookup fails, use cached groups
* aad-tool command for enumerating users and groups
* Name-Based Group Matching in `pam_allow_groups` Leads to Potential Security
Bypass
* Add the configure-pam option to aad-tool man page
* Add static idmap cache for on-prem to cloud migration
* Update bug_report.md with request for himmelblau.conf
* deps(rust): bump the all-cargo-updates group with 2 updates
* Update crates in a group
* Update crate bumps
* Utilize new Intune compliance enforcement via libhimmelblau
* Correct the README regarding Intune policy compliance
* Disable Chromium policy
* Re-enable Intune policy and add scripts and compliance policies
* himmelblau.conf alias `domain` as `domains`
* Support Fido auth in pam passwd
* Add TAP support to himmelblaud and pam passwd
* Mixed case names should properly identify Hello Key
* Update linux-entra-sso to latest version
* Fix group lookup for Entra Id group name
* Fix mixed case name lookup from PRT cache
* Crate updates
* Fix tasks daemon debug output
* Remove write locks where unecessary
* Fix deadlock in nss
* systemd notify fixes
* Console
* Address Feedback
* Order services before gdb/nss-user-target
* deps(rust): bump rpassword from 7.3.1 to 7.4.0
* deps(rust): bump tokio from 1.44.2 to 1.45.0
* deps(rust): bump sha2 from 0.10.8 to 0.10.9
* deps(rust): bump systemd-journal-logger from 2.2.0 to 2.2.2
* deps(rust): bump clap from 4.5.31 to 4.5.38
* Update notify-debouncer-full
* Update opentelemetry
* Update dependencies
* deps(rust): bump time from 0.3.39 to 0.3.41
* Replace source filter that blacklists files with filter that whitelists
files.
* Mark himmelblau.conf as config in rpm
* Update README.md
* Ensure only the base URL is printed to log
* If unix_user_get fails, wait, and try again
* Supplying a PRT cookie to SSO doesn't require network
* Don't send a password prompt if the network is down
* Auth via MFA if Hello PIN fails 3 times
* Improve Hello PIN failed auth error
* Fix rocky9 build
* deps(rust): bump anyhow from 1.0.96 to 1.0.98
* deps(rust): bump libc from 0.2.170 to 0.2.172
* deps(rust): bump cc from 1.2.16 to 1.2.19
* deps(rust): bump tokio from 1.43.0 to 1.44.2
* deps(rust): bump openssl from 0.10.71 to 0.10.72 in the cargo group
* deps(rust): bump reqwest from 0.12.12 to 0.12.15
* Update libhimmelblau in Cargo.lock
* Fix nss and offline checks for domain aliases
* Report error when MS Authenticator denies authorization
* Bail out of invalid offline auth
* Handle AADSTS errors from BeginAuth response
* Never dump failed reqwests to the log
* Update sccache-action version to use new cache service
* Permit daemon to start when network is down
* Add an nss cache for when daemon is down
* Additional pam info cues
* Proceed with Hello auth even with net down
* Indicate to the user what the password and PIN are
* Ensure pam messages are seen
* Display the minimum PIN length during Hello setup
* PAM should loop, not die on error
* Ensure prompt msg remains for confirmation
* Update bug_report.md
* Ignore demands for setting up MS Authenticator
* Login fails if Entra is configured to recommend MS authenticator
* Add pam configure command to aad-tool
* Update README.md with pam passwd instructions
* aad-tool authtest needs to map names
* Update demo video in README.md
* Sign RPM packages
* Ensure the pam module is installed correctly for SLE
* Improve pam error handling and messaging
* Only push cachix builds for stable releases
* Terminate linux-entra-sso when browser terminates
* On deb, push pam config after install
* Increase priority of deb PAM passwd for Himmelblau
* Improve offline state handling
* Specify request for Entra Id password in PAM
* QR Greeter also supports gnome-shell 47
* Fix profile photo loading
* Clarify pam_allow_groups in himmelblau.conf man page
* Don't hide debug for pam_allow_groups miss
* Handle failures in passwordless auth
* build all root packages
* split config options that can be defined per-domain from those which are
global only
* configure cachix signing and upload in ci
* deps(rust): bump serde_json from 1.0.138 to 1.0.140
* deps(rust): bump serde from 1.0.218 to 1.0.219
* deps(rust): bump time from 0.3.37 to 0.3.39
* deps(rust): bump bytes from 1.10.0 to 1.10.1
* deps(rust): bump pkg-config from 0.3.31 to 0.3.32
* Entra Id is case insensitive, cache lookup must match
* deps(rust): bump ring from 0.17.9 to 0.17.13 in the cargo group
* Support CompanionAppsNotification mfa method
* QR code for gnome-shell greeter
* Allow tasks to start if AccountsService dir missing
* Remove invalid python dependency from sso package
* Fixes https://github.com/himmelblau-idm/himmelblau/issues/397
* Clear server config when clearing cache
* Update version in the Cargo.lock
* deps(rust): bump async-trait from 0.1.86 to 0.1.87
* deps(rust): bump chrono from 0.4.39 to 0.4.40
* Fix himmelblau.conf man page cn_name_mapping entry
* deps(rust): bump pem from 3.0.4 to 3.0.5
* deps(rust): bump serde from 1.0.217 to 1.0.218
Version 1.0.0:
* deps(rust): bump cc from 1.2.15 to 1.2.16
* Update workflow versions
## Patch Instructions:
To install this SUSE update use the SUSE recommended installation methods like
YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
* SUSE Linux Enterprise Server - BCI 16.0
zypper in -t patch SUSE-SLES-16.0-471=1
## Package List:
* SUSE Linux Enterprise Server - BCI 16.0 (aarch64 x86_64)
* libnss_himmelblau2-2.3.8+git0.dec3693-160000.1.1
* himmelblau-debuginfo-2.3.8+git0.dec3693-160000.1.1
* pam-himmelblau-2.3.8+git0.dec3693-160000.1.1
* himmelblau-2.3.8+git0.dec3693-160000.1.1
* himmelblau-sso-2.3.8+git0.dec3693-160000.1.1
* himmelblau-sso-debuginfo-2.3.8+git0.dec3693-160000.1.1
* SUSE Linux Enterprise Server - BCI 16.0 (noarch)
* himmelblau-qr-greeter-2.3.8+git0.dec3693-160000.1.1
* himmelblau-sshd-config-2.3.8+git0.dec3693-160000.1.1
## References:
* https://www.suse.com/security/cve/CVE-2025-54882.html
* https://www.suse.com/security/cve/CVE-2025-58160.html
* https://www.suse.com/security/cve/CVE-2026-25727.html
* https://www.suse.com/security/cve/CVE-2026-31979.html
* https://bugzilla.suse.com/show_bug.cgi?id=1247735
* https://bugzilla.suse.com/show_bug.cgi?id=1249013
* https://bugzilla.suse.com/show_bug.cgi?id=1257904
* https://bugzilla.suse.com/show_bug.cgi?id=1258236
* https://bugzilla.suse.com/show_bug.cgi?id=1259548
* https://jira.suse.com/browse/PED-14511
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.suse.com/pipermail/sle-updates/attachments/20260409/7ac0b82c/attachment.htm>
More information about the sle-updates
mailing list