<div class="container">
<h1>Security update for distribution</h1>
<table class="table table-striped table-bordered">
<tbody>
<tr>
<th>Announcement ID:</th>
<td>SUSE-SU-2026:21560-1</td>
</tr>
<tr>
<th>Release Date:</th>
<td>2026-05-06T00:34:11Z</td>
</tr>
<tr>
<th>Rating:</th>
<td>important</td>
</tr>
<tr>
<th>References:</th>
<td>
<ul>
<li style="display: inline;">
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1259718">bsc#1259718</a>
</li>
<li style="display: inline;">
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1260283">bsc#1260283</a>
</li>
<li style="display: inline;">
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1261793">bsc#1261793</a>
</li>
<li style="display: inline;">
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1262096">bsc#1262096</a>
</li>
<li style="display: inline;">
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1262951">bsc#1262951</a>
</li>
<li style="display: inline;">
<a href="https://jira.suse.com/browse/PED-14747">jsc#PED-14747</a>
</li>
</ul>
</td>
</tr>
<tr>
<th>
Cross-References:
</th>
<td>
<ul>
<li style="display: inline;">
<a href="https://www.suse.com/security/cve/CVE-2026-33186.html">CVE-2026-33186</a>
</li>
<li style="display: inline;">
<a href="https://www.suse.com/security/cve/CVE-2026-33540.html">CVE-2026-33540</a>
</li>
<li style="display: inline;">
<a href="https://www.suse.com/security/cve/CVE-2026-34986.html">CVE-2026-34986</a>
</li>
<li style="display: inline;">
<a href="https://www.suse.com/security/cve/CVE-2026-35172.html">CVE-2026-35172</a>
</li>
</ul>
</td>
</tr>
<tr>
<th>CVSS scores:</th>
<td>
<ul class="list-group">
<li class="list-group-item">
<span class="cvss-reference">CVE-2026-33186</span>
<span class="cvss-source">
(
SUSE
):
</span>
<span class="cvss-score">8.6</span>
<span class="cvss-vector">CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N</span>
</li>
<li class="list-group-item">
<span class="cvss-reference">CVE-2026-33186</span>
<span class="cvss-source">
(
SUSE
):
</span>
<span class="cvss-score">8.1</span>
<span class="cvss-vector">CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N</span>
</li>
<li class="list-group-item">
<span class="cvss-reference">CVE-2026-33186</span>
<span class="cvss-source">
(
NVD
):
</span>
<span class="cvss-score">9.1</span>
<span class="cvss-vector">CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N</span>
</li>
<li class="list-group-item">
<span class="cvss-reference">CVE-2026-33540</span>
<span class="cvss-source">
(
SUSE
):
</span>
<span class="cvss-score">3.1</span>
<span class="cvss-vector">CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N</span>
</li>
<li class="list-group-item">
<span class="cvss-reference">CVE-2026-33540</span>
<span class="cvss-source">
(
NVD
):
</span>
<span class="cvss-score">7.5</span>
<span class="cvss-vector">CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N</span>
</li>
<li class="list-group-item">
<span class="cvss-reference">CVE-2026-34986</span>
<span class="cvss-source">
(
SUSE
):
</span>
<span class="cvss-score">8.7</span>
<span class="cvss-vector">CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N</span>
</li>
<li class="list-group-item">
<span class="cvss-reference">CVE-2026-34986</span>
<span class="cvss-source">
(
SUSE
):
</span>
<span class="cvss-score">7.5</span>
<span class="cvss-vector">CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H</span>
</li>
<li class="list-group-item">
<span class="cvss-reference">CVE-2026-34986</span>
<span class="cvss-source">
(
NVD
):
</span>
<span class="cvss-score">7.5</span>
<span class="cvss-vector">CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H</span>
</li>
<li class="list-group-item">
<span class="cvss-reference">CVE-2026-35172</span>
<span class="cvss-source">
(
SUSE
):
</span>
<span class="cvss-score">7.5</span>
<span class="cvss-vector">CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N</span>
</li>
<li class="list-group-item">
<span class="cvss-reference">CVE-2026-35172</span>
<span class="cvss-source">
(
NVD
):
</span>
<span class="cvss-score">7.5</span>
<span class="cvss-vector">CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N</span>
</li>
</ul>
</td>
</tr>
<tr>
<th>Affected Products:</th>
<td>
<ul class="list-group">
<li class="list-group-item">SUSE Linux Enterprise Server 16.0</li>
<li class="list-group-item">SUSE Linux Enterprise Server for SAP applications 16.0</li>
</ul>
</td>
</tr>
</tbody>
</table>
<p>An update that solves four vulnerabilities, contains one feature and has one fix can now be installed.</p>
<h2>Description:</h2>
<p>This update for distribution fixes the following issues</p>
<p>Security issues:</p>
<ul>
<li>CVE-2026-33186: google.golang.org/grpc: authorization bypass due to improper validation of the HTTP/2: path pseudo-
header (bsc#1260283).</li>
<li>CVE-2026-33540: information disclosure via improper validation of authentication realm URL (bsc#1261793).</li>
<li>CVE-2026-34986: github.com/go-jose/go-jose/v4: crafted JWE input with a missing encrypted key can lead to a denial of
service (bsc#1262951).</li>
<li>CVE-2026-35172: information disclosure via stale references after content deletion (bsc#1262096).</li>
</ul>
<p>Non security issues:</p>
<ul>
<li>add distribution-registry.tmpfiles (jsc#PED-14747).</li>
<li>distribution builds against go1.24 EOL (bsc#1259718).</li>
</ul>
<p>Changes for distribution:</p>
<ul>
<li>
<p>update to 3.1.0</p>
</li>
<li>
<p>Adds support for tag pagination</p>
</li>
<li>Fixes default credentials in Azure storage provider</li>
<li>Drops support for go1.23 and go1.24 and updates to go1.25</li>
<li>See the full changelog below for the full list of changes.</li>
<li>docs: Update to refer to new image tag v3</li>
<li>Fix default_credentials in azure storage provider</li>
<li>chore: make function comment match function name</li>
<li>build(deps): bump golang.org/x/net from 0.37.0 to 0.38.0 in
the go_modules group across 1 directory</li>
<li>fix: implement JWK thumbprint for Ed25519 public keys</li>
<li>fix: Annotate code block from validation.indexes
configuration docs</li>
<li>feat: extract redis config to separate struct</li>
<li>Fix: resolve issue #4478 by using a temporary file for non-
append writes</li>
<li>build(deps): bump ossf/scorecard-action from 2.4.1 to 2.4.2</li>
<li>docs: Add note about <code>OTEL_TRACES_EXPORTER</code></li>
<li>fix: set OTEL traces to disabled by default</li>
<li>Fix markdown syntax for OTEL traces link in docs</li>
<li>Switch UUIDs to UUIDv7</li>
<li>refactor: replace map iteration with maps.Copy/Clone</li>
<li>s3-aws: fix build for 386</li>
<li>docs: Add OpenTelemetry links to quickstart docs</li>
<li>Fix S3 driver loglevel param</li>
<li>Fixed data race in TestSchedule test</li>
<li>Fixes #4683 - uses X/Y instead of Gx/Gy for thumbprint of
ecdsa keys</li>
<li>build(deps): bump actions/checkout from 4 to 5</li>
<li>Fix broken link to Docker Hub fair use policy</li>
<li>fix(registry/handlers/app): redis CAs</li>
<li>build(deps): bump actions/labeler from 5 to 6</li>
<li>build(deps): bump actions/setup-go from 5 to 6</li>
<li>build(deps): bump actions/upload-pages-artifact from 3 to 4</li>
<li>build(deps): bump ossf/scorecard-action from 2.4.2 to 2.4.3</li>
<li>build(deps): bump github/codeql-action from 3.26.5 to 4.30.7</li>
<li>build(deps): bump github/codeql-action from 4.30.7 to 4.30.8</li>
<li>chore: labeler: add area/client mapping for
internal/client/**</li>
<li>client: add Accept headers to Exists() HEAD</li>
<li>feat(registry): Make graceful shutdown test robust</li>
<li>fix(registry): Correct log formatting for upstream challenge</li>
<li>build(deps): bump github/codeql-action from 4.30.8 to 4.30.9</li>
<li>build(deps): bump github/codeql-action from 4.30.9 to 4.31.3</li>
<li>refactor: remove redundant variable declarations in for loops</li>
<li>"should" -> "must" regarding redis eviction policy</li>
<li>build(deps): bump actions/checkout from 5 to 6</li>
<li>Incorrect warning hint</li>
<li>Add return error when list object</li>
<li>build(deps): bump actions/checkout from 5.0.1 to 6.0.0</li>
<li>build(deps): bump peter-evans/dockerhub-description from 4 to
5</li>
<li>fix: Logging regression for manifest HEAD requests</li>
<li>Add boolean parsing util</li>
<li>Expose <code>useFIPSEndpoint</code> for S3</li>
<li>Add Cloudfleet Container Registry to adopters</li>
<li>fix(ci): Fix broken Azure e2e storage tests</li>
<li>BUG: Fix notification filtering to work with actions when
mediatypes is empty</li>
<li>build(deps): bump actions/checkout from 6.0.0 to 6.0.1</li>
<li>build(deps): bump actions/upload-artifact from 4.6.2 to 6.0.0</li>
<li>build(deps): bump github/codeql-action from 4.31.3 to 4.31.10</li>
<li>build(deps): bump github/codeql-action from 4.31.10 to 4.32.2</li>
<li>build(deps): bump actions/checkout from 6.0.1 to 6.0.2</li>
<li>update golangci-lint to v2.9 and fix linting issues</li>
<li>update to go1.25.7, alpine 3.23, xx v1.9.0</li>
<li>vendor: github.com/sirupsen/logrus v1.9.4</li>
<li>vendor: update golang.org/x/* dependencies</li>
<li>vendor: github.com/docker/docker-credential-helpers v0.9.5</li>
<li>vendor: github.com/opencontainers/image-spec v1.1.1</li>
<li>vendor: github.com/klauspost/compress v1.18.4</li>
<li>fix: prefer otel variables over hard coded service name</li>
<li>vendor: github.com/spf13/cobra v1.10.2</li>
<li>vendor: github.com/bshuster-repo/logrus-logstash-hook v1.1.0</li>
<li>fix: sync parent dir to ensure data is reliably stored</li>
<li>modernize code</li>
<li>vendor: github.com/docker/go-events 605354379745</li>
<li>vendor: github.com/go-jose/go-jose/v4 v4.1.3</li>
<li>build(deps): bump github/codeql-action from 4.32.2 to 4.32.5</li>
<li>build(deps): bump docker/login-action from 3 to 4</li>
<li>build(deps): bump actions/upload-artifact from 6.0.0 to 7.0.0</li>
<li>build(deps): bump docker/setup-buildx-action from 3 to 4</li>
<li>build(deps): bump docker/bake-action from 6 to 7</li>
<li>build(deps): bump docker/metadata-action from 5 to 6</li>
<li>fix: nil-check scheduler in <code>proxyingRegistry.Close()</code></li>
<li>fix: set MD5 on GCS writer before first <code>Write</code> call in
<code>putContent</code></li>
<li>docs: pull through cache will pull from remote multiple times</li>
<li>Update s3.md regionendpoint option</li>
<li>chore(deps): Bump Go to latest 1.25 in CI workflows and
go.mod</li>
<li>fix: correct Ed25519 JWK thumbprint <code>kty</code> from <code>"OTP"</code> to
<code>"OKP"</code></li>
<li>Update vacuum.go</li>
<li>Opt: refector tag list pagination support (stage 1)</li>
<li>Correctly match environment variables to YAML-inlined structs
in configuration</li>
<li>Enable Redis TLS without client certificates</li>
<li>build(deps): bump actions/deploy-pages from 4 to 5</li>
<li>build(deps): bump github/codeql-action from 4.32.5 to 4.34.1</li>
<li>fix(registry/proxy): use detached context when flushing write
buffer</li>
<li>ci: pin actions and apply zizmor auto-fixes</li>
<li>build(deps): bump actions/setup-go from 6.3.0 to 6.4.0</li>
<li>build(deps): bump github.com/go-jose/go-jose/v4 from 4.1.3 to
4.1.4 in the go_modules group across 1 directory</li>
<li>chore(app): warn when partial TLS config is used in Redis</li>
<li>feat(registry): enhance authentication checks in htpasswd
implementation</li>
<li>Opt: refactor tag list pagination support</li>
<li>build(deps): bump codecov/codecov-action from 5.5.4 to 6.0.0</li>
<li>build(deps): bump actions/configure-pages from 5.0.0 to 6.0.0</li>
<li>fix(vendor): fix broke vendor validation</li>
<li>chore(ci): Prep for v3.1 release</li>
<li>Update to version 3.1.0:</li>
<li>fix(vendor): fix broke vendpor validation</li>
<li>fix redis repo-scoped blob descriptor revocation</li>
<li>proxy: bind bearer realms to upstream trust boundary</li>
<li>restore directory ownership after last change</li>
<li>Move config files in systemd tmpfiles dir for immutable mode</li>
</ul>
<h2>Patch Instructions:</h2>
<p>
To install this SUSE update use the SUSE recommended
installation methods like YaST online_update or "zypper patch".<br/>
Alternatively you can run the command listed for your product:
</p>
<ul class="list-group">
<li class="list-group-item">
SUSE Linux Enterprise Server for SAP applications 16.0
<br/>
<code>zypper in -t patch SUSE-SLES-16.0-703=1</code>
</li>
<li class="list-group-item">
SUSE Linux Enterprise Server 16.0
<br/>
<code>zypper in -t patch SUSE-SLES-16.0-703=1</code>
</li>
</ul>
<h2>Package List:</h2>
<ul>
<li>
SUSE Linux Enterprise Server for SAP applications 16.0 (ppc64le x86_64)
<ul>
<li>distribution-registry-3.1.0-160000.1.1</li>
</ul>
</li>
<li>
SUSE Linux Enterprise Server 16.0 (aarch64 ppc64le s390x x86_64)
<ul>
<li>distribution-registry-3.1.0-160000.1.1</li>
</ul>
</li>
</ul>
<h2>References:</h2>
<ul>
<li>
<a href="https://www.suse.com/security/cve/CVE-2026-33186.html">https://www.suse.com/security/cve/CVE-2026-33186.html</a>
</li>
<li>
<a href="https://www.suse.com/security/cve/CVE-2026-33540.html">https://www.suse.com/security/cve/CVE-2026-33540.html</a>
</li>
<li>
<a href="https://www.suse.com/security/cve/CVE-2026-34986.html">https://www.suse.com/security/cve/CVE-2026-34986.html</a>
</li>
<li>
<a href="https://www.suse.com/security/cve/CVE-2026-35172.html">https://www.suse.com/security/cve/CVE-2026-35172.html</a>
</li>
<li>
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1259718">https://bugzilla.suse.com/show_bug.cgi?id=1259718</a>
</li>
<li>
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1260283">https://bugzilla.suse.com/show_bug.cgi?id=1260283</a>
</li>
<li>
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1261793">https://bugzilla.suse.com/show_bug.cgi?id=1261793</a>
</li>
<li>
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1262096">https://bugzilla.suse.com/show_bug.cgi?id=1262096</a>
</li>
<li>
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1262951">https://bugzilla.suse.com/show_bug.cgi?id=1262951</a>
</li>
<li>
<a href="https://jira.suse.com/browse/PED-14747">https://jira.suse.com/browse/PED-14747</a>
</li>
</ul>
</div>