SUSE-SU-2026:21560-1: important: Security update for distribution
SLE-UPDATES
null at suse.de
Mon May 11 08:32:03 UTC 2026
# Security update for distribution
Announcement ID: SUSE-SU-2026:21560-1
Release Date: 2026-05-06T00:34:11Z
Rating: important
References:
* bsc#1259718
* bsc#1260283
* bsc#1261793
* bsc#1262096
* bsc#1262951
* jsc#PED-14747
Cross-References:
* CVE-2026-33186
* CVE-2026-33540
* CVE-2026-34986
* CVE-2026-35172
CVSS scores:
* CVE-2026-33186 ( SUSE ): 8.6
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
* CVE-2026-33186 ( SUSE ): 8.1 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
* CVE-2026-33186 ( NVD ): 9.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
* CVE-2026-33540 ( SUSE ): 3.1 CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N
* CVE-2026-33540 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
* CVE-2026-34986 ( SUSE ): 8.7
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
* CVE-2026-34986 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
* CVE-2026-34986 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
* CVE-2026-35172 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
* CVE-2026-35172 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Affected Products:
* SUSE Linux Enterprise Server 16.0
* SUSE Linux Enterprise Server for SAP applications 16.0
An update that solves four vulnerabilities, contains one feature and has one fix
can now be installed.
## Description:
This update for distribution fixes the following issues
Security issues:
* CVE-2026-33186: google.golang.org/grpc: authorization bypass due to improper
validation of the HTTP/2: path pseudo- header (bsc#1260283).
* CVE-2026-33540: information disclosure via improper validation of
authentication realm URL (bsc#1261793).
* CVE-2026-34986: github.com/go-jose/go-jose/v4: crafted JWE input with a
missing encrypted key can lead to a denial of service (bsc#1262951).
* CVE-2026-35172: information disclosure via stale references after content
deletion (bsc#1262096).
Non security issues:
* add distribution-registry.tmpfiles (jsc#PED-14747).
* distribution builds against go1.24 EOL (bsc#1259718).
Changes for distribution:
* update to 3.1.0
* Adds support for tag pagination
* Fixes default credentials in Azure storage provider
* Drops support for go1.23 and go1.24 and updates to go1.25
* See the full changelog below for the full list of changes.
* docs: Update to refer to new image tag v3
* Fix default_credentials in azure storage provider
* chore: make function comment match function name
* build(deps): bump golang.org/x/net from 0.37.0 to 0.38.0 in the go_modules
group across 1 directory
* fix: implement JWK thumbprint for Ed25519 public keys
* fix: Annotate code block from validation.indexes configuration docs
* feat: extract redis config to separate struct
* Fix: resolve issue #4478 by using a temporary file for non- append writes
* build(deps): bump ossf/scorecard-action from 2.4.1 to 2.4.2
* docs: Add note about `OTEL_TRACES_EXPORTER`
* fix: set OTEL traces to disabled by default
* Fix markdown syntax for OTEL traces link in docs
* Switch UUIDs to UUIDv7
* refactor: replace map iteration with maps.Copy/Clone
* s3-aws: fix build for 386
* docs: Add OpenTelemetry links to quickstart docs
* Fix S3 driver loglevel param
* Fixed data race in TestSchedule test
* Fixes #4683 - uses X/Y instead of Gx/Gy for thumbprint of ecdsa keys
* build(deps): bump actions/checkout from 4 to 5
* Fix broken link to Docker Hub fair use policy
* fix(registry/handlers/app): redis CAs
* build(deps): bump actions/labeler from 5 to 6
* build(deps): bump actions/setup-go from 5 to 6
* build(deps): bump actions/upload-pages-artifact from 3 to 4
* build(deps): bump ossf/scorecard-action from 2.4.2 to 2.4.3
* build(deps): bump github/codeql-action from 3.26.5 to 4.30.7
* build(deps): bump github/codeql-action from 4.30.7 to 4.30.8
* chore: labeler: add area/client mapping for internal/client/**
* client: add Accept headers to Exists() HEAD
* feat(registry): Make graceful shutdown test robust
* fix(registry): Correct log formatting for upstream challenge
* build(deps): bump github/codeql-action from 4.30.8 to 4.30.9
* build(deps): bump github/codeql-action from 4.30.9 to 4.31.3
* refactor: remove redundant variable declarations in for loops
* "should" -> "must" regarding redis eviction policy
* build(deps): bump actions/checkout from 5 to 6
* Incorrect warning hint
* Add return error when list object
* build(deps): bump actions/checkout from 5.0.1 to 6.0.0
* build(deps): bump peter-evans/dockerhub-description from 4 to 5
* fix: Logging regression for manifest HEAD requests
* Add boolean parsing util
* Expose `useFIPSEndpoint` for S3
* Add Cloudfleet Container Registry to adopters
* fix(ci): Fix broken Azure e2e storage tests
* BUG: Fix notification filtering to work with actions when mediatypes is
empty
* build(deps): bump actions/checkout from 6.0.0 to 6.0.1
* build(deps): bump actions/upload-artifact from 4.6.2 to 6.0.0
* build(deps): bump github/codeql-action from 4.31.3 to 4.31.10
* build(deps): bump github/codeql-action from 4.31.10 to 4.32.2
* build(deps): bump actions/checkout from 6.0.1 to 6.0.2
* update golangci-lint to v2.9 and fix linting issues
* update to go1.25.7, alpine 3.23, xx v1.9.0
* vendor: github.com/sirupsen/logrus v1.9.4
* vendor: update golang.org/x/* dependencies
* vendor: github.com/docker/docker-credential-helpers v0.9.5
* vendor: github.com/opencontainers/image-spec v1.1.1
* vendor: github.com/klauspost/compress v1.18.4
* fix: prefer otel variables over hard coded service name
* vendor: github.com/spf13/cobra v1.10.2
* vendor: github.com/bshuster-repo/logrus-logstash-hook v1.1.0
* fix: sync parent dir to ensure data is reliably stored
* modernize code
* vendor: github.com/docker/go-events 605354379745
* vendor: github.com/go-jose/go-jose/v4 v4.1.3
* build(deps): bump github/codeql-action from 4.32.2 to 4.32.5
* build(deps): bump docker/login-action from 3 to 4
* build(deps): bump actions/upload-artifact from 6.0.0 to 7.0.0
* build(deps): bump docker/setup-buildx-action from 3 to 4
* build(deps): bump docker/bake-action from 6 to 7
* build(deps): bump docker/metadata-action from 5 to 6
* fix: nil-check scheduler in `proxyingRegistry.Close()`
* fix: set MD5 on GCS writer before first `Write` call in `putContent`
* docs: pull through cache will pull from remote multiple times
* Update s3.md regionendpoint option
* chore(deps): Bump Go to latest 1.25 in CI workflows and go.mod
* fix: correct Ed25519 JWK thumbprint `kty` from `"OTP"` to
`"OKP"`
* Update vacuum.go
* Opt: refector tag list pagination support (stage 1)
* Correctly match environment variables to YAML-inlined structs in
configuration
* Enable Redis TLS without client certificates
* build(deps): bump actions/deploy-pages from 4 to 5
* build(deps): bump github/codeql-action from 4.32.5 to 4.34.1
* fix(registry/proxy): use detached context when flushing write buffer
* ci: pin actions and apply zizmor auto-fixes
* build(deps): bump actions/setup-go from 6.3.0 to 6.4.0
* build(deps): bump github.com/go-jose/go-jose/v4 from 4.1.3 to 4.1.4 in the
go_modules group across 1 directory
* chore(app): warn when partial TLS config is used in Redis
* feat(registry): enhance authentication checks in htpasswd implementation
* Opt: refactor tag list pagination support
* build(deps): bump codecov/codecov-action from 5.5.4 to 6.0.0
* build(deps): bump actions/configure-pages from 5.0.0 to 6.0.0
* fix(vendor): fix broke vendor validation
* chore(ci): Prep for v3.1 release
* Update to version 3.1.0:
* fix(vendor): fix broke vendpor validation
* fix redis repo-scoped blob descriptor revocation
* proxy: bind bearer realms to upstream trust boundary
* restore directory ownership after last change
* Move config files in systemd tmpfiles dir for immutable mode
## Patch Instructions:
To install this SUSE update use the SUSE recommended installation methods like
YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
* SUSE Linux Enterprise Server for SAP applications 16.0
zypper in -t patch SUSE-SLES-16.0-703=1
* SUSE Linux Enterprise Server 16.0
zypper in -t patch SUSE-SLES-16.0-703=1
## Package List:
* SUSE Linux Enterprise Server for SAP applications 16.0 (ppc64le x86_64)
* distribution-registry-3.1.0-160000.1.1
* SUSE Linux Enterprise Server 16.0 (aarch64 ppc64le s390x x86_64)
* distribution-registry-3.1.0-160000.1.1
## References:
* https://www.suse.com/security/cve/CVE-2026-33186.html
* https://www.suse.com/security/cve/CVE-2026-33540.html
* https://www.suse.com/security/cve/CVE-2026-34986.html
* https://www.suse.com/security/cve/CVE-2026-35172.html
* https://bugzilla.suse.com/show_bug.cgi?id=1259718
* https://bugzilla.suse.com/show_bug.cgi?id=1260283
* https://bugzilla.suse.com/show_bug.cgi?id=1261793
* https://bugzilla.suse.com/show_bug.cgi?id=1262096
* https://bugzilla.suse.com/show_bug.cgi?id=1262951
* https://jira.suse.com/browse/PED-14747
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.suse.com/pipermail/sle-updates/attachments/20260511/dd7cd312/attachment.htm>
More information about the sle-updates
mailing list