SUSE-SU-2026:2466-1: important: Security update for azure-storage-azcopy
SLE-UPDATES
null at suse.de
Fri Jun 19 16:30:49 UTC 2026
# Security update for azure-storage-azcopy
Announcement ID: SUSE-SU-2026:2466-1
Release Date: 2026-06-19T11:02:49Z
Rating: important
References:
* bsc#1247720
* bsc#1260307
* bsc#1262962
* bsc#1265841
* bsc#1266311
* bsc#1266657
Cross-References:
* CVE-2025-47907
* CVE-2026-33186
* CVE-2026-33814
* CVE-2026-34986
* CVE-2026-39821
CVSS scores:
* CVE-2025-47907 ( SUSE ): 2.1 CVSS:4.0/AV:L/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
* CVE-2025-47907 ( SUSE ): 5.7 CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:N
* CVE-2025-47907 ( NVD ): 7.0 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:L
* CVE-2026-33186 ( SUSE ): 8.6 CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
* CVE-2026-33186 ( SUSE ): 8.1 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
* CVE-2026-33186 ( NVD ): 9.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
* CVE-2026-33814 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
* CVE-2026-33814 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
* CVE-2026-34986 ( SUSE ): 8.7 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
* CVE-2026-34986 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
* CVE-2026-34986 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
* CVE-2026-39821 ( SUSE ): 9.1 CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
* CVE-2026-39821 ( SUSE ): 7.4 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
* CVE-2026-39821 ( NVD ): 9.6 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N
Affected Products:
* openSUSE Leap 15.4
* Public Cloud Module 15-SP4
* Public Cloud Module 15-SP5
* Public Cloud Module 15-SP6
* Public Cloud Module 15-SP7
* SUSE Linux Enterprise High Performance Computing 15 SP4
* SUSE Linux Enterprise High Performance Computing 15 SP5
* SUSE Linux Enterprise Server 15 SP4
* SUSE Linux Enterprise Server 15 SP5
* SUSE Linux Enterprise Server 15 SP6
* SUSE Linux Enterprise Server 15 SP7
* SUSE Linux Enterprise Server for SAP Applications 15 SP4
* SUSE Linux Enterprise Server for SAP Applications 15 SP5
* SUSE Linux Enterprise Server for SAP Applications 15 SP6
* SUSE Linux Enterprise Server for SAP Applications 15 SP7
* SUSE Manager Proxy 4.3
* SUSE Manager Retail Branch Server 4.3
* SUSE Manager Server 4.3
An update that solves five vulnerabilities and has one security fix can now be
installed.
## Description:
This update for azure-storage-azcopy fixes the following issues:
Update to 10.32.4:
* CVE-2025-47907: database/sql: incorrect results returned from Rows.Scan
(bsc#1247720).
* CVE-2026-33186: google.golang.org/grpc: authorization bypass due to improper
validation of the HTTP/2 :path pseudo-header (bsc#1260307).
* CVE-2026-33814: golang.org/x/net/http2: infinite loop in HTTP/2 transport
when given bad SETTINGS_MAX_FRAME_SIZE (bsc#1265841).
* CVE-2026-34986: github.com/go-jose/go-jose/v4: crafted JWE input with a
missing encrypted key can lead to a denial of service (bsc#1262962).
* CVE-2026-39821: golang.org/x/net/idna: failure to reject ASCII-only
Punycode-encoded labels allows for validation bypass and privilege
escalation (bsc#1266657).
Changes:
* Remove 32-bit Windows ARM7 build
* Cover other open CVEs (bsc#1266657, CVE-2026-39821)
* Update otel sdk
* Update packages and add patch version
* Update version.go
* Error formatting
* Add test to validate changes
* Update Changelog
* Alter intentional panics to return errors
* Correct issues re: MSRC case #110341
* Update offending packages
* cloud.google.com/go/storage v1.45.0 -> v1.50.0
* Golang 1.24.13 -> 1.25.8
* Golangci-lint v1.64.8 -> v2.11.3
* Fixed a regression where the folder tracker would panic with pre-existing
folders and --overwrite=ifSourceNewer. (#3403)
* Fixed a regression where cancellation was not working via stdin (#3373)
* Fixed a regression where we hit segfaults from logging to a nil logger in
the process checker. (#3384)
* Fixed a race condition panic from concurrent access to a shared metadata
resource by introducing thread safety. (#3341)
* Fixed a bug where --posix-properties-style was not being chained through the
copy flow correctly. (#3401)
* Fixed a regression where in tandem use of --list-of-files and
--include-pattern no longer worked. (#3389)
* Golang 1.24.11 -> 1.24.13
* Added support for AMLFS style posix metadata. (#3317)
* Fixed a bug where hdi_isfolder metadata key would sometimes not be sent in
all lowercase, resulting in unexpected behavior on the service side when
fetching properties. (#3312)
* Fixed a typo in the benchmark command, to allow the --put-md5 flag to work.
(#3324)
* Fixed a bug where network errors would not be retried on. (#3338)
* Fixed a bug where unexpected requests would be logged in syslog. (#3339)
* Fixed a bug where pre-existing folders would be recreated. (#3295)
* Updated README to clarify supported source-destination pairs and
authorization mechanisms. (#3213)
* Updated format of wiki generated docs to improve readability. (#3311)
* AzCopy download URLs starting with
https://azcopyvnext-awgzd8g7aagqhzhe.b02.azurefd.net/ are no longer supported.
* Fixed a bug where throughput was not being displayed for copy and resume.
(#3271)
* Fixed a bug where S3 and GCP transfers would panic. (#3273)
* Refactored copy, sync, resume, login, logout, login status business logic
into the azcopy package.
* Golang 1.24.4 -> 1.24.11
* golang.org/x/crypto 0.40.0 -> 0.45.0
* Azure Files SMB -> Azure Files NFS transfers.
* Symlink support for Azure Files NFS shares.
* Introduced support for symbolic links in Azure Files NFS shares.
* Symlinks can be preserved, skipped, or followed based on command-line flags.
* Added a --check-version flag to make version checking an opt in feature.
(#3173)
* --include-root flag now allows customers to preserve root properties when
used in conjunction with --preserve-XXXX flags. (#3163)
* Golang 1.24.4 -> 1.24.6 (#3154)
* Fixed a bug to retry on various network errors. (#3237) (#3252)
(bsc#1266311)
* Fixed a bug where remove would not work on paths with encoded characters.
(#2977)
* Fixed a bug where jobs resume would not produce any output for previously
failed jobs. (#3103)
* Fixed a bug where FileBlob transfers with EntraID on the source would pass
the wrong service version. (#3242)
* Fixed a bug to retry on WSAETIMEDOUT on Windows. (#3195)
* Fixed a bug with the folder creation tracker which caused folder creation
calls to happen more often than necessary. (#3151)
* Fixed a bug to redact x-ams-credential from logs. (#3206)
* Fixed a bug where powershell login would fail with older versions of
Az.Accounts. (#3191)
* Fixed a bug where symlink direct targets would be handled as a file instead
of a symlink. (#3222)
* Refactored traverser related code into its own package. (#3251)
* Refactored OAuth token manager access to use a client-based pattern instead
of global singleton access. (#3260)
* Removed unused code related to credential management. (#3260)
* Refactored Lifecycle UI code into the cmd package (#3262).
* Error handling code is now injected into JobMgr, or appropriately bubbled
upwards instead of using global LCM error handling. (#3262)
* AzCopy no longer checks version by default. (#3173)
* Fixed --exclude-path flag not available in remove operations. (#3165)
(#3159)
* Fixed regression where AzCopy was not honoring concurrency value in copy
operations (#3192)
* Fixed the incorrect JSON output format of the warning message when there are
multiple AzCopy processes running. (#3188) (#3182)
* Fixed latest_version.txt from being wrongly created in user's current
directory. (#3179) (#3176)
* Fixed AzCopy crashing during sync operation from a nil pointer deref in the
destination authentication policy. (#3186) (#3109) (#3156) (#3175)
* Golang 1.24.2 -> 1.24.6 (CVE-2025-47907) (#3154)
* For transfers involving Azure Files (NFS or SMB), AzCopy will not auto
create file shares.
* AzCopy binaries and latest version information will now be distributed from
Github releases instead of the static website. (#3014)
* Azure Files NFS Support via REST.
* Added support to retry on copy source error code and status code for service
to service copies. (#3105)
* Added support for service to service copies from Azure Files to Blob Storage
using EntraID. (#3053)
* Fixed a bug where when copying a file that has already been deleted with
--trailing-dot=Disable resulted in the wrong error instead of a 404.
(#3092)
* Removed the warning message when failing to create a container. This message
can be misleading when there is insufficient permissions to create a
container and the container already exists. (#3045)
* Improved the error message returned when block size is larger than bandwidth
limit. (#3051)
* Warn user if transfer is going to exceed 10M objects. (#3111)
* Warn user if multiple AzCopy processes are running. (#3128)
* Golang 1.24.2 -> 1.24.4 (#3085)
* Azure Files NFS Support via REST API
## Patch Instructions:
To install this SUSE update use the SUSE recommended installation methods like
YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
* openSUSE Leap 15.4
  zypper in -t patch SUSE-2026-2466=1
* Public Cloud Module 15-SP4
  zypper in -t patch SUSE-SLE-Module-Public-Cloud-15-SP4-2026-2466=1
* Public Cloud Module 15-SP5
  zypper in -t patch SUSE-SLE-Module-Public-Cloud-15-SP5-2026-2466=1
* Public Cloud Module 15-SP6
  zypper in -t patch SUSE-SLE-Module-Public-Cloud-15-SP6-2026-2466=1
* Public Cloud Module 15-SP7
  zypper in -t patch SUSE-SLE-Module-Public-Cloud-15-SP7-2026-2466=1
## Package List:
* openSUSE Leap 15.4 (aarch64 ppc64le x86_64)
* azure-storage-azcopy-10.32.4-150400.9.11.1
* Public Cloud Module 15-SP4 (aarch64 ppc64le x86_64)
* azure-storage-azcopy-10.32.4-150400.9.11.1
* Public Cloud Module 15-SP5 (aarch64 ppc64le x86_64)
* azure-storage-azcopy-10.32.4-150400.9.11.1
* Public Cloud Module 15-SP6 (aarch64 ppc64le x86_64)
* azure-storage-azcopy-10.32.4-150400.9.11.1
* Public Cloud Module 15-SP7 (aarch64 ppc64le x86_64)
* azure-storage-azcopy-10.32.4-150400.9.11.1
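A post-patch check for the instructions above, added here as an example (not part of the SUSE announcement): it compares a version-release string against the fixed build from the package list. The `--installed` switch, the function names and the use of GNU `sort -V` in place of RPM's own version comparison are assumptions of this example.

```shell
#!/bin/sh
# Added example: report whether an azure-storage-azcopy build is at or above
# the fixed package version listed in SUSE-SU-2026:2466-1.
PKG="azure-storage-azcopy"
FIXED="10.32.4-150400.9.11.1"   # version-release from the advisory's package list

# is_fixed VERSION-RELEASE -> status 0 when VERSION-RELEASE >= FIXED.
# Assumption: GNU `sort -V` ordering stands in for RPM's comparison, which
# holds for the plain dotted numeric strings this package uses.
is_fixed() {
    [ -n "$1" ] || return 2
    lowest=$(printf '%s\n%s\n' "$FIXED" "$1" | sort -V | head -n 1)
    [ "$lowest" = "$FIXED" ]
}

# classify VERSION-RELEASE -> prints "patched", "vulnerable" or "unknown".
# An empty argument (package not installed, query failed) is "unknown".
classify() {
    if [ -z "$1" ]; then
        echo "unknown"
    elif is_fixed "$1"; then
        echo "patched"
    else
        echo "vulnerable"
    fi
}

# With --installed, query the local RPM database on a SUSE host.
if [ "${1:-}" = "--installed" ]; then
    ver=$(rpm -q --qf '%{VERSION}-%{RELEASE}' "$PKG" 2>/dev/null) || ver=""
    echo "$PKG ${ver:-not installed}: $(classify "$ver")"
fi
```

Running the script with `--installed` on each host after `zypper patch` gives one line per machine that can be collected for fleet-wide confirmation.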
## References:
* https://www.suse.com/security/cve/CVE-2025-47907.html
* https://www.suse.com/security/cve/CVE-2026-33186.html
* https://www.suse.com/security/cve/CVE-2026-33814.html
* https://www.suse.com/security/cve/CVE-2026-34986.html
* https://www.suse.com/security/cve/CVE-2026-39821.html
* https://bugzilla.suse.com/show_bug.cgi?id=1247720
* https://bugzilla.suse.com/show_bug.cgi?id=1260307
* https://bugzilla.suse.com/show_bug.cgi?id=1262962
* https://bugzilla.suse.com/show_bug.cgi?id=1265841
* https://bugzilla.suse.com/show_bug.cgi?id=1266311
* https://bugzilla.suse.com/show_bug.cgi?id=1266657