SUSE-SU-2026:20988-1: important: Security update for gnome-online-accounts, gvfs
SLE-UPDATES
null at suse.de
Thu Apr 9 16:30:47 UTC 2026
# Security update for gnome-online-accounts, gvfs
Announcement ID: SUSE-SU-2026:20988-1
Release Date: 2026-03-31T09:11:58Z
Rating: important
References:
* bsc#1258953
* bsc#1258954
Cross-References:
* CVE-2026-28295
* CVE-2026-28296
CVSS scores:
* CVE-2026-28295 ( SUSE ): 5.3 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
* CVE-2026-28295 ( SUSE ): 4.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N
* CVE-2026-28295 ( NVD ): 4.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N
* CVE-2026-28296 ( SUSE ): 6.9 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N
* CVE-2026-28296 ( SUSE ): 7.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
* CVE-2026-28296 ( NVD ): 4.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N
Affected Products:
* SUSE Linux Enterprise Server - BCI 16.0
An update that solves two vulnerabilities can now be installed.
## Description:
This update for gnome-online-accounts, gvfs fixes the following issues:
Changes for gvfs:
Update gvfs to 1.59.90:
* CVE-2026-28295: information disclosure when processing untrusted PASV
responses from FTP servers (bsc#1258953).
* CVE-2026-28296: arbitrary FTP command injection due to unsanitized CRLF
sequences in user supplied file paths (bsc#1258954).
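The two gvfs fixes listed below ("Use control connection address for PASV data" and "Reject paths containing CR/LF characters") both come down to not trusting strings that cross the FTP control channel. The following C is an added illustration written for this advisory, not gvfs code: `pasv_parse`, `ftp_path_is_safe`, `ftp_format_cwd`, the `pasv_info` struct and the sample replies and addresses are all constructed here. It shows the two defensive patterns side by side: a PASV reply parser that takes only the port from the server's `227` line and connects to the control connection's peer address (recording an address mismatch so it can be logged), and a path check that refuses CR/LF bytes before a path is embedded in a command line.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Constructed example, not gvfs code: result of parsing a 227 (PASV) reply. */
struct pasv_info {
    char advertised_addr[16]; /* dotted quad the server claimed; logging only */
    int  port;                /* data port to use, or -1 if the reply is unusable */
    bool addr_mismatch;       /* claimed address differs from the control peer */
};

/* Parse "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)".
 * The data connection must go to control_addr, the peer address of the
 * existing control connection; h1..h4 are only recorded so that a server
 * that tries to point the client elsewhere can be detected and logged. */
struct pasv_info pasv_parse(const char *reply, const char *control_addr)
{
    struct pasv_info info = { "", -1, false };
    unsigned h[4], p1, p2;

    if (strncmp(reply, "227", 3) != 0)
        return info;                      /* not a PASV success reply */
    const char *open = strchr(reply, '(');
    if (open == NULL)
        return info;
    if (sscanf(open + 1, "%u,%u,%u,%u,%u,%u",
               &h[0], &h[1], &h[2], &h[3], &p1, &p2) != 6)
        return info;                      /* malformed tuple */
    for (int i = 0; i < 4; i++)
        if (h[i] > 255)
            return info;
    if (p1 > 255 || p2 > 255)
        return info;
    unsigned port = (p1 << 8) | p2;       /* port = p1*256 + p2 */
    if (port == 0)
        return info;

    snprintf(info.advertised_addr, sizeof info.advertised_addr,
             "%u.%u.%u.%u", h[0], h[1], h[2], h[3]);
    info.addr_mismatch = strcmp(info.advertised_addr, control_addr) != 0;
    info.port = (int)port;                /* caller connects to control_addr:port */
    return info;
}

/* A CR or LF inside a path would end the command line early and let the
 * rest of the string be read by the server as a separate command. */
bool ftp_path_is_safe(const char *path)
{
    for (const char *p = path; *p != '\0'; p++)
        if (*p == '\r' || *p == '\n')
            return false;
    return true;
}

/* Build "CWD <path>\r\n" only for a path that passed the CR/LF check. */
bool ftp_format_cwd(const char *path, char *out, size_t outlen)
{
    if (!ftp_path_is_safe(path))
        return false;
    int n = snprintf(out, outlen, "CWD %s\r\n", path);
    return n >= 0 && (size_t)n < outlen;
}

int main(void)
{
    /* Constructed replies; 192.168.1.10 is the assumed control-connection peer. */
    const char *control = "192.168.1.10";
    struct pasv_info ok  = pasv_parse("227 Entering Passive Mode (192,168,1,10,4,1)", control);
    struct pasv_info bad = pasv_parse("227 Entering Passive Mode (10,0,0,1,0,80)", control);
    printf("honest reply: connect to %s:%d (mismatch=%d)\n", control, ok.port, ok.addr_mismatch);
    printf("redirect attempt: still connect to %s:%d, claimed %s (mismatch=%d)\n",
           control, bad.port, bad.advertised_addr, bad.addr_mismatch);

    char cmd[128];
    printf("plain path accepted: %d\n", ftp_format_cwd("pub/incoming", cmd, sizeof cmd));
    printf("CRLF path rejected:  %d\n", !ftp_format_cwd("pub\r\nDELE x", cmd, sizeof cmd));
    return 0;
}
```

The parser deliberately returns the port alone; an `addr_mismatch` of true is worth a log line, since a benign server behind NAT may advertise a private address, while one that points at a third host is the case the CVE-2026-28295 fix exists for.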
Changelog:
Update to version 1.59.90:
* client: Fix use-after-free when creating async proxy failed
* udisks2: Emit changed signals from update_all()
* daemon: Fix race on subscribers list when on thread
* ftp: Validate fe_size when parsing symlink target
* ftp: Check localtime() return value before use
* gphoto2: Use g_try_realloc() instead of g_realloc()
* cdda: Reject path traversal in mount URI host
* client: Fail when URI has invalid UTF-8 chars
* udisks2: Fix memory corruption with duplicate mount paths
* build: Update GOA dependency to > 3.57.0
* Some other fixes
* ftp: Use control connection address for PASV data.
* ftp: Reject paths containing CR/LF characters
Update to version 1.59.1:
* mtp: replace Android extension checks with capability checks
* dav: Add X-OC-Mtime header on push to preserve last modified time
* udisks2: Use hash tables in the volume monitor to improve performance
* onedrive: Check for identity instead of presentation identity
* build: Disable google option and mark as deprecated
Update to version 1.58.2:
* ftp: Use control connection address for PASV data
* ftp: Reject paths containing CR/LF characters
Update to version 1.58.1:
* cdda: Fix duration of last track for some media
* build: Fix build when google option is disabled
* Fix various memory leaks
* Updated translations.
Update to version 1.58.0:
* mtp: Allow cancelling ongoing folder enumerations
* wsdd: Use socket-activated service if available
* onedrive: Set emblem for remote data
* fix: Add file rename support in MTP backend move operation
* mtp: Fix -Wmaybe-uninitialized warning in pad_file
* fuse: use fuse_(un)set_feature_flag for libfuse 3.17+
* smbbrowse: Purge server cache for next auth try
* metatree: Open files with O_CLOEXEC
* cdda: Fix incorrect track duration for 99-track CDs
* metadata: Fix journal file permissions inconsistency
* dav: recognize 308 Permanent Redirect
Changes for gnome-online-accounts:
Update to version 3.58.0:
* SMTP server without password cannot be configured
* Remove unneeded SMTP password escaping
* build: Disable google provider Files feature
* MS365: Fix mail address and name
* Google: Set mail name to presentation identity
* Updated translations.
Update to version 3.57.1:
* Default Microsoft 365 client is unverified
* Microsoft 365: Make use of email for id
* goadaemon: Allow manage system notifications
* goamsgraphprovider: bump credentials generation
* goaprovider: Allow to disable, instead of enable, selected providers
Changes from version 3.57.0:
* Support for saving a Kerberos password to the keychain after the first login
* changing expired kerberos password is not supported.
* Provided Files URI does not override undiscovered endpoint
* DAV client rejects 204 status in OPTIONS request handler
* Include emblem-default-symbolic.svg
* Connecting a Runbox CardDAV/CalDAV account hangs/freezes after sign in
* i18n: fix translatable string
* goaimapsmptprovider: fix accounts without SMTP or authentication-less SMTP
* build: only install icons for the goabackend build
* build: don't require goabackend to build documentation
* ci: test the build without gtk4
* DAV-client: Added short path for SOGo
Update to version 3.56.4:
* Bugs fixed:
* Unclear which part of "IMAP+SMTP" account test failed
* Adding nextcloud account which has a subfolder does not work
* goadaemon: Handle broken account configs
Update to version 3.56.3:
* Add DAV detection and configuration for SOGo
* DAV discovery fails when certain SRV lookups fail
Update to version 3.56.1:
* Support for saving a Kerberos password after the first login
* Changing expired kerberos password is not supported
* Provided Files URI does not override undiscovered endpoint
* DAV client rejects 204 status in OPTIONS request handler
Update to version 3.56.0:
* Code style and logging cleanups
* Updated translations
Update to version 3.55.2:
* goaoauth2provider: improve error handling for auth/token endpoints
Update to version 3.55.1:
* Support Webflow authentication for Nextcloud
* Rename dconf key in gnome-online-accounts settings
* "Account Name" GUI field is a bit ambiguous
* Failed to generate a new POT file for the user interface of "gnome-online-accounts" (domain: "po") and some missing files from POTFILES.in
Update to version 3.55.0:
* Add progress spinner for OAuth2 dialogs
* Remove Windows Live! option
* Improve goa_oauth2_provider_ensure_credentials_sync
* Authentication failure in goa IMAP accounts
* Missing files from POTFILES.in
* WebDAV not detected for mail.ru
* goaoauth2provider: fix task chaining for subclasses
* Always lowercase domains when looking up base
* goadavclient: check Nextcloud fallback last
* goabackend: add a composite widget for authflow links
* goadavclient: fix the mailbox.org preconfig
Update to version 3.54.5:
* Adding GOA account fails with sonic.net IMAP service
* Cannot add a ProtonMail bridge with IMAP + TLS
* Nextcloud login does not work anymore due to OPTIONS /login request
* Linked online accounts no longer work
* Invalid URI when adding Google account
* goamsgraphprovider: ensure a valid PresentationIdentity
* goadaemon: complete GTasks to avoid a scary debug warning
## Patch Instructions:
To install this SUSE update use the SUSE recommended installation methods like
YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
* SUSE Linux Enterprise Server - BCI 16.0
zypper in -t patch SUSE-SLES-16.0-469=1
## Package List:
* SUSE Linux Enterprise Server - BCI 16.0 (aarch64 ppc64le s390x x86_64)
* gvfs-debuginfo-1.59.90-160000.1.1
* gvfs-fuse-debuginfo-1.59.90-160000.1.1
* gnome-online-accounts-debuginfo-3.58.0-160000.1.1
* gvfs-debugsource-1.59.90-160000.1.1
* typelib-1_0-Goa-1_0-3.58.0-160000.1.1
* gvfs-backends-1.59.90-160000.1.1
* gvfs-fuse-1.59.90-160000.1.1
* gnome-online-accounts-debugsource-3.58.0-160000.1.1
* libgoa-backend-1_0-2-3.58.0-160000.1.1
* libgoa-backend-1_0-2-debuginfo-3.58.0-160000.1.1
* gvfs-1.59.90-160000.1.1
* gvfs-backends-debuginfo-1.59.90-160000.1.1
* libgoa-1_0-0-3.58.0-160000.1.1
* libgoa-1_0-0-debuginfo-3.58.0-160000.1.1
* SUSE Linux Enterprise Server - BCI 16.0 (noarch)
* gvfs-lang-1.59.90-160000.1.1
## References:
* https://www.suse.com/security/cve/CVE-2026-28295.html
* https://www.suse.com/security/cve/CVE-2026-28296.html
* https://bugzilla.suse.com/show_bug.cgi?id=1258953
* https://bugzilla.suse.com/show_bug.cgi?id=1258954