<div class="container">
    <h1>Security update for gnome-online-accounts, gvfs</h1>

    <table class="table table-striped table-bordered">
        <tbody>
        <tr>
            <th>Announcement ID:</th>
            <td>SUSE-SU-2026:20988-1</td>
        </tr>
        <tr>
            <th>Release Date:</th>
            <td>2026-03-31T09:11:58Z</td>
        </tr>
        
        <tr>
            <th>Rating:</th>
            <td>important</td>
        </tr>
        <tr>
            <th>References:</th>
            <td>
                <ul>
                    
                        <li style="display: inline;">
                            <a href="https://bugzilla.suse.com/show_bug.cgi?id=1258953">bsc#1258953</a>
                        </li>
                    
                        <li style="display: inline;">
                            <a href="https://bugzilla.suse.com/show_bug.cgi?id=1258954">bsc#1258954</a>
                        </li>
                    
                    
                </ul>
            </td>
        </tr>
        
            <tr>
                <th>
                    Cross-References:
                </th>
                <td>
                    <ul>
                    
                        <li style="display: inline;">
                            <a href="https://www.suse.com/security/cve/CVE-2026-28295.html">CVE-2026-28295</a>
                        </li>
                    
                        <li style="display: inline;">
                            <a href="https://www.suse.com/security/cve/CVE-2026-28296.html">CVE-2026-28296</a>
                        </li>
                    
                    </ul>
                </td>
            </tr>
            <tr>
                <th>CVSS scores:</th>
                <td>
                    <ul class="list-group">
                        
                            <li class="list-group-item">
                                <span class="cvss-reference">CVE-2026-28295</span>
                                <span class="cvss-source">
                                    (
                                    
                                        SUSE
                                    
                                    ):
                                </span>
                                <span class="cvss-score">5.3</span>
                                <span class="cvss-vector">CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N</span>
                            </li>
                        
                            <li class="list-group-item">
                                <span class="cvss-reference">CVE-2026-28295</span>
                                <span class="cvss-source">
                                    (
                                    
                                        SUSE
                                    
                                    ):
                                </span>
                                <span class="cvss-score">4.3</span>
                                <span class="cvss-vector">CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N</span>
                            </li>
                        
                            <li class="list-group-item">
                                <span class="cvss-reference">CVE-2026-28295</span>
                                <span class="cvss-source">
                                    (
                                    
                                        NVD
                                    
                                    ):
                                </span>
                                <span class="cvss-score">4.3</span>
                                <span class="cvss-vector">CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N</span>
                            </li>
                        
                            <li class="list-group-item">
                                <span class="cvss-reference">CVE-2026-28296</span>
                                <span class="cvss-source">
                                    (
                                    
                                        SUSE
                                    
                                    ):
                                </span>
                                <span class="cvss-score">6.9</span>
                                <span class="cvss-vector">CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N</span>
                            </li>
                        
                            <li class="list-group-item">
                                <span class="cvss-reference">CVE-2026-28296</span>
                                <span class="cvss-source">
                                    (
                                    
                                        SUSE
                                    
                                    ):
                                </span>
                                <span class="cvss-score">7.3</span>
                                <span class="cvss-vector">CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L</span>
                            </li>
                        
                            <li class="list-group-item">
                                <span class="cvss-reference">CVE-2026-28296</span>
                                <span class="cvss-source">
                                    (
                                    
                                        NVD
                                    
                                    ):
                                </span>
                                <span class="cvss-score">4.3</span>
                                <span class="cvss-vector">CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N</span>
                            </li>
                        
                    </ul>
                </td>
            </tr>
        
        <tr>
            <th>Affected Products:</th>
            <td>
                <ul class="list-group">
                    
                        <li class="list-group-item">SUSE Linux Enterprise Server - BCI 16.0</li>
                    
                </ul>
            </td>
        </tr>
        </tbody>
    </table>

    <p>An update that solves two vulnerabilities can now be installed.</p>

    


    
        <h2>Description:</h2>
    
    <p>This update for gnome-online-accounts, gvfs fixes the following issues:</p>
<p>Changes for gvfs:</p>
<p>Update gvfs to 1.59.90:</p>
<ul>
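<li>CVE-2026-28295: information disclosure when processing untrusted PASV responses from FTP servers (bsc#1258953). The changelog entry "ftp: Use control connection address for PASV data" below appears to be the corresponding fix.</li>
<li>CVE-2026-28296: arbitrary FTP command injection due to unsanitized CRLF sequences in user-supplied file paths
  (bsc#1258954). The changelog entry "ftp: Reject paths containing CR/LF characters" below appears to be the corresponding fix.</li>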
</ul>
<p>Changelog:</p>
<p>Update to version 1.59.90:</p>
<ul>
<li>client: Fix use-after-free when creating async proxy failed</li>
<li>udisks2: Emit changed signals from update_all()</li>
<li>daemon: Fix race on subscribers list when on thread</li>
<li>ftp: Validate fe_size when parsing symlink target</li>
<li>ftp: Check localtime() return value before use</li>
<li>gphoto2: Use g_try_realloc() instead of g_realloc()</li>
<li>cdda: Reject path traversal in mount URI host</li>
<li>client: Fail when URI has invalid UTF-8 chars</li>
<li>udisks2: Fix memory corruption with duplicate mount paths</li>
<li>build: Update GOA dependency to > 3.57.0</li>
<li>Some other fixes</li>
<li>ftp: Use control connection address for PASV data.</li>
<li>ftp: Reject paths containing CR/LF characters</li>
</ul>
<p>Update to version 1.59.1:</p>
<ul>
<li>mtp: replace Android extension checks with capability checks</li>
<li>dav: Add X-OC-Mtime header on push to preserve last modified
 time</li>
<li>udisks2: Use hash tables in the volume monitor to improve
 performance</li>
<li>onedrive: Check for identity instead of presentation identity</li>
<li>build: Disable google option and mark as deprecated</li>
</ul>
<p>Update to version 1.58.2:</p>
<ul>
<li>ftp: Use control connection address for PASV data</li>
<li>ftp: Reject paths containing CR/LF characters</li>
</ul>
<p>Update to version 1.58.1:</p>
<ul>
<li>cdda: Fix duration of last track for some media</li>
<li>build: Fix build when google option is disabled</li>
<li>Fix various memory leaks</li>
<li>Updated translations.</li>
</ul>
<p>Update to version 1.58.0:</p>
<ul>
<li>mtp: Allow cancelling ongoing folder enumerations</li>
<li>wsdd: Use socket-activated service if available</li>
<li>onedrive: Set emblem for remote data</li>
<li>fix: Add file rename support in MTP backend move operation</li>
<li>mtp: Fix -Wmaybe-uninitialized warning in pad_file</li>
<li>fuse: use fuse_(un)set_feature_flag for libfuse 3.17+</li>
<li>smbbrowse: Purge server cache for next auth try</li>
<li>metatree: Open files with O_CLOEXEC</li>
<li>cdda: Fix incorrect track duration for 99-track CDs</li>
<li>metadata: Fix journal file permissions inconsistency</li>
<li>dav: recognize 308 Permanent Redirect</li>
</ul>
<p>Changes for gnome-online-accounts:</p>
<p>Update to version 3.58.0:</p>
<ul>
<li>SMTP server without password cannot be configured</li>
<li>Remove unneeded SMTP password escaping</li>
<li>build: Disable google provider Files feature</li>
<li>MS365: Fix mail address and name</li>
<li>Google: Set mail name to presentation identity</li>
<li>Updated translations.</li>
</ul>
<p>Update to version 3.57.1:</p>
<ul>
<li>Default Microsoft 365 client is unverified</li>
<li>Microsoft 365: Make use of email for id</li>
<li>goadaemon: Allow manage system notifications</li>
<li>goamsgraphprovider: bump credentials generation</li>
<li>goaprovider: Allow to disable, instead of enable, selected
   providers</li>
</ul>
<p>Changes from version 3.57.0:</p>
<ul>
<li>Support for saving a Kerberos password to the keychain after
 the first login</li>
<li>changing expired kerberos password is not supported.</li>
<li>Provided Files URI does not override undiscovered endpoint</li>
<li>DAV client rejects 204 status in OPTIONS request handler</li>
<li>Include emblem-default-symbolic.svg</li>
<li>Connecting a Runbox CardDAV/CalDAV account hangs/freezes after
 sign in</li>
<li>i18n: fix translatable string</li>
<li>goaimapsmtpprovider: fix accounts without SMTP or
   authentication-less SMTP</li>
<li>build: only install icons for the goabackend build</li>
<li>build: don&#x27;t require goabackend to build documentation</li>
<li>ci: test the build without gtk4</li>
<li>DAV-client: Added short path for SOGo</li>
</ul>
<p>Update to version 3.56.4:</p>
<ul>
<li>Bugs fixed:</li>
<li>Unclear which part of "IMAP+SMTP" account test failed</li>
<li>Adding nextcloud account which has a subfolder does not work</li>
<li>goadaemon: Handle broken account configs</li>
</ul>
<p>Update to version 3.56.3:</p>
<ul>
<li>Add DAV detection and configuration for SOGo</li>
<li>DAV discovery fails when certain SRV lookups fail</li>
</ul>
<p>Update to version 3.56.1:</p>
<ul>
<li>Support for saving a Kerberos password after the first login</li>
<li>Changing expired kerberos password is not supported</li>
<li>Provided Files URI does not override undiscovered endpoint</li>
<li>DAV client rejects 204 status in OPTIONS request handler</li>
</ul>
<p>Update to version 3.56.0:</p>
<ul>
<li>Code style and logging cleanups</li>
<li>Updated translations</li>
</ul>
<p>Update to version 3.55.2:</p>
<ul>
<li>goaoauth2provider: improve error handling for auth/token
   endpoints</li>
</ul>
<p>Update to version 3.55.1:</p>
<ul>
<li>Support Webflow authentication for Nextcloud</li>
<li>Rename dconf key in gnome-online-accounts settings</li>
<li>"Account Name" GUI field is a bit ambiguous</li>
<li>Failed to generate a new POT file for the user interface of
   "gnome-online-accounts" (domain: "po") and some missing files
    from POTFILES.in</li>
</ul>
<p>Update to version 3.55.0:</p>
<ul>
<li>Add progress spinner for OAuth2 dialogs</li>
<li>Remove Windows Live! option</li>
<li>Improve goa_oauth2_provider_ensure_credentials_sync</li>
<li>Authentication failure in goa IMAP accounts</li>
<li>Missing files from POTFILES.in</li>
<li>WebDAV not detected for mail.ru</li>
<li>goaoauth2provider: fix task chaining for subclasses</li>
<li>Always lowercase domains when looking up base</li>
<li>goadavclient: check Nextcloud fallback last</li>
<li>goabackend: add a composite widget for authflow links</li>
<li>goadavclient: fix the mailbox.org preconfig</li>
</ul>
<p>Update to version 3.54.5:</p>
<ul>
<li>Adding GOA account fails with sonic.net IMAP service</li>
<li>Cannot add a ProtonMail bridge with IMAP + TLS</li>
<li>Nextcloud login does not work anymore due to OPTIONS /login
   request</li>
<li>Linked online accounts no longer work</li>
<li>Invalid URI when adding Google account</li>
<li>goamsgraphprovider: ensure a valid PresentationIdentity</li>
<li>goadaemon: complete GTasks to avoid a scary debug warning</li>
</ul>



    

    <h2>Patch Instructions:</h2>
    <p>
        To install this SUSE update, use the SUSE-recommended
        installation methods such as YaST online_update or "zypper patch".<br/>

        Alternatively, you can run the command listed for your product:
    </p>
    <ul class="list-group">
        
            <li class="list-group-item">
                SUSE Linux Enterprise Server - BCI 16.0
                
                    
                        <br/>
                        <code>zypper in -t patch SUSE-SLES-16.0-469=1</code>
                    
                    
                
            </li>
        
    </ul>

    <h2>Package List:</h2>
    <ul>
        
            
                <li>
                    SUSE Linux Enterprise Server - BCI 16.0 (aarch64 ppc64le s390x x86_64)
                    <ul>
                        
                            <li>gvfs-debuginfo-1.59.90-160000.1.1</li>
                        
                            <li>gvfs-fuse-debuginfo-1.59.90-160000.1.1</li>
                        
                            <li>gnome-online-accounts-debuginfo-3.58.0-160000.1.1</li>
                        
                            <li>gvfs-debugsource-1.59.90-160000.1.1</li>
                        
                            <li>typelib-1_0-Goa-1_0-3.58.0-160000.1.1</li>
                        
                            <li>gvfs-backends-1.59.90-160000.1.1</li>
                        
                            <li>gvfs-fuse-1.59.90-160000.1.1</li>
                        
                            <li>gnome-online-accounts-debugsource-3.58.0-160000.1.1</li>
                        
                            <li>libgoa-backend-1_0-2-3.58.0-160000.1.1</li>
                        
                            <li>libgoa-backend-1_0-2-debuginfo-3.58.0-160000.1.1</li>
                        
                            <li>gvfs-1.59.90-160000.1.1</li>
                        
                            <li>gvfs-backends-debuginfo-1.59.90-160000.1.1</li>
                        
                            <li>libgoa-1_0-0-3.58.0-160000.1.1</li>
                        
                            <li>libgoa-1_0-0-debuginfo-3.58.0-160000.1.1</li>
                        
                    </ul>
                </li>
            
                <li>
                    SUSE Linux Enterprise Server - BCI 16.0 (noarch)
                    <ul>
                        
                            <li>gvfs-lang-1.59.90-160000.1.1</li>
                        
                    </ul>
                </li>
            
        
    </ul>

    
        <h2>References:</h2>
        <ul>
            
                
                    <li>
                        <a href="https://www.suse.com/security/cve/CVE-2026-28295.html">https://www.suse.com/security/cve/CVE-2026-28295.html</a>
                    </li>
                
            
                
                    <li>
                        <a href="https://www.suse.com/security/cve/CVE-2026-28296.html">https://www.suse.com/security/cve/CVE-2026-28296.html</a>
                    </li>
                
            
                
                    <li>
                        <a href="https://bugzilla.suse.com/show_bug.cgi?id=1258953">https://bugzilla.suse.com/show_bug.cgi?id=1258953</a>
                    </li>
                
            
                
                    <li>
                        <a href="https://bugzilla.suse.com/show_bug.cgi?id=1258954">https://bugzilla.suse.com/show_bug.cgi?id=1258954</a>
                    </li>
                
            
        </ul>
    
</div>