Stay Secure with the Latest Linux Advisories

Explore Latest Linux Security advisories

Fedora 43 python-wsgidav Medium Auth Risk CVE-2026-48099

4.3.4 / 2026-05-24 Resolve security advisory CVE-2026-48099.

--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-7d942b469f
2026-06-03 01:17:29.592069+00:00
--------------------------------------------------------------------------------

Name : python-wsgidav
Product : Fedora 43
Version : 4.3.4
Release : 1.fc43
URL : https://github.com/mar10/wsgidav
Summary : Generic and extendable WebDAV server based on WSGI
Description :
A generic and extendable WebDAV server written in Python and based on WSGI.

Main features:
• WsgiDAV is a stand-alone WebDAV server with SSL support, that can be installed and run as Python command line script.
• The python-pam library is needed as extra requirement if pam-login authentication is used on Linux or OSX.
• WebDAV is a superset of HTTP, so WsgiDAV is also a performant, multi-threaded web server with SSL support.
• WsgiDAV is also a Python library that implements the WSGI protocol and can be run behind any WSGI compliant web server.
• WsgiDAV is implemented as a configurable stack of WSGI middleware applications. Its open architecture allows to extend the functionality and integrate WebDAV services into your project.

Typical use cases are:
• Expose data structures as virtual, editable file systems.
• Allow online editing of MS Office documents.

--------------------------------------------------------------------------------
Update Information:

4.3.4 / 2026-05-24 Resolve security advisory CVE-2026-48099
--------------------------------------------------------------------------------
ChangeLog:

* Mon May 25 2026 Benjamin A. Beasley - 4.3.4-1
- Update to 4.3.4 upstream release
- Resolves: rhbz#2481045
* Wed May 20 2026 Benjamin A. Beasley - 4.3.3-21
- Use various long options
* Wed May 20 2026 Benjamin A. Beasley - 4.3.3-20
- Use long pyprojectoptions
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #2481045 - python-wsgidav-4.3.4 is available
https://bugzilla.redhat.com/show_bug.cgi?id=2481045
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-7d942b469f' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------

Update for python-wsgidav resolves CVE-2026-48099 in Fedora 43, addressing potential authentication risks.
python webdav server, fedora update, python-wsgidav security.
Severity: Medium.
LinuxSecurity.com Team

Jun 03, 2026 Medium Fedora

Fedora 44 xorg-x11-server Key Security Updates ZDI-CAN-30136-30168 Info

Update to xserver 21.1.23, security fixes for: ZDI-CAN-30136, ZDI-CAN-30159, ZDI-CAN-30160, ZDI-CAN-30161, ZDI-CAN-30163, ZDI-CAN-30164, ZDI-CAN-30165, ZDI-CAN-30168.

--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-7e38f57cef
2026-06-03 00:50:32.709810+00:00
--------------------------------------------------------------------------------

Name : xorg-x11-server
Product : Fedora 44
Version : 21.1.23
Release : 1.fc44
URL : http://www.x.org
Summary : X.Org X11 X server
Description :
X.Org X11 X server.

--------------------------------------------------------------------------------
Update Information:

Update to xserver 21.1.23, security fixes for: ZDI-CAN-30136, ZDI-CAN-30159, ZDI-CAN-30160, ZDI-CAN-30161, ZDI-CAN-30163, ZDI-CAN-30164, ZDI-CAN-30165, ZDI-CAN-30168
--------------------------------------------------------------------------------
ChangeLog:

* Tue Jun 2 2026 Peter Hutterer - 21.1.23-1
- Update to xserver 21.1.23
  Security fixes for: ZDI-CAN-30136, ZDI-CAN-30159, ZDI-CAN-30160, ZDI-CAN-30161, ZDI-CAN-30163, ZDI-CAN-30164, ZDI-CAN-30165, ZDI-CAN-30168
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-7e38f57cef' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------

Update for Fedora 44 addressing critical security issues in xorg-x11-server with multiple fixes. Patching details included.
Fedora Update, X.Org Server Security, Linux Vulnerabilities.
Severity: Important.
LinuxSecurity.com Team

Jun 03, 2026 Important Fedora

Fedora 44 python-wsgidav Security Advisory CVE-2026-48099

4.3.4 / 2026-05-24 Resolve security advisory CVE-2026-48099.

--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-b2212b4742
2026-06-03 00:50:32.709749+00:00
--------------------------------------------------------------------------------

Name : python-wsgidav
Product : Fedora 44
Version : 4.3.4
Release : 1.fc44
URL : https://github.com/mar10/wsgidav
Summary : Generic and extendable WebDAV server based on WSGI
Description :
A generic and extendable WebDAV server written in Python and based on WSGI.

Main features:
• WsgiDAV is a stand-alone WebDAV server with SSL support, that can be installed and run as Python command line script.
• The python-pam library is needed as extra requirement if pam-login authentication is used on Linux or OSX.
• WebDAV is a superset of HTTP, so WsgiDAV is also a performant, multi-threaded web server with SSL support.
• WsgiDAV is also a Python library that implements the WSGI protocol and can be run behind any WSGI compliant web server.
• WsgiDAV is implemented as a configurable stack of WSGI middleware applications. Its open architecture allows to extend the functionality and integrate WebDAV services into your project.

Typical use cases are:
• Expose data structures as virtual, editable file systems.
• Allow online editing of MS Office documents.

--------------------------------------------------------------------------------
Update Information:

4.3.4 / 2026-05-24 Resolve security advisory CVE-2026-48099
--------------------------------------------------------------------------------
ChangeLog:

* Mon May 25 2026 Benjamin A. Beasley - 4.3.4-1
- Update to 4.3.4 upstream release
- Resolves: rhbz#2481045
* Wed May 20 2026 Benjamin A. Beasley - 4.3.3-21
- Use various long options
* Wed May 20 2026 Benjamin A. Beasley - 4.3.3-20
- Use long pyprojectoptions
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #2481045 - python-wsgidav-4.3.4 is available
https://bugzilla.redhat.com/show_bug.cgi?id=2481045
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-b2212b4742' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------

Critical update for Fedora 44 resolving python-wsgidav security issue CVE-2026-48099 with detailed installation guide.
Fedora 44 Update, python-wsgidav, security fix, CVE details, advisory notification.
Severity: Critical.
LinuxSecurity.com Team

Jun 03, 2026 Critical Fedora

Fedora 44 RoundcubeMail Critical SQL Injection XSS Issues 2026-2b956d89d3

Release 1.7.1 Enigma: Support automatic public key lookup (import) using HKP v1 protocol (#5314) Managesieve: Fix error when a mail message contains duplicate List-Id header (#10186).

--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-2b956d89d3
2026-06-03 00:50:32.709746+00:00
--------------------------------------------------------------------------------

Name : roundcubemail
Product : Fedora 44
Version : 1.7.1
Release : 1.fc44
URL : http://www.roundcube.net
Summary : Round Cube Webmail is a browser-based multilingual IMAP client
Description :
RoundCube Webmail is a browser-based multilingual IMAP client with an application-like user interface. It provides full functionality you expect from an e-mail client, including MIME support, address book, folder manipulation, message searching and spell checking. RoundCube Webmail is written in PHP and requires a database: MySQL, PostgreSQL and SQLite are known to work. The user interface is fully skinnable using XHTML and CSS 2.

--------------------------------------------------------------------------------
Update Information:

Release 1.7.1
- Enigma: Support automatic public key lookup (import) using HKP v1 protocol (#5314)
- Managesieve: Fix error when a mail message contains duplicate List-Id header (#10186)
- Clarified Elastic installation instructions (#10163)
- Added HTMLFormElement.requestSubmit() polyfill for older browsers (#10179)
- Fix so "has:attachment" search uses $HasAttachment/$HasNoAttachment keywords (#10168)
- Fix potential too long value in IMAP ID command (#10136)
- Fix redis/memcache disconnection in rcube::sleep() (#10127)
- Fix so static resources, e.g. skin_logo can be put inside the public_html directory (#10160)
- Fix so REQUEST_URI is used as a fallback if PATH_INFO is not set in static.php (#10181)
- Fix assets_path feature and remove dependency on PATH_INFO (#10185)
- Fix MySQL upgrade on MySQL < 8.0 and MariaDB <10.5.3 (#10188)
- Security: Fix stored XSS/HTML/CSS injection in subject field of the draft restore dialog
- Security: Fix CSS injection bypass in HTML sanitizer via SVG
- Security: Fix pre-auth SQL injection in virtuser_query plugin via preg_replace backslash escape bypass
- Security: Fix SSRF bypass via specific local address URLs
- Security: Fix bypass of remote image blocking via CSS var()
- Security: Fix local/private URL fetch bypass when remote resources were not allowed
- Security: Fix pre-auth arbitrary file delete via redis/memcache session poisoning bypass
- Security: Fix code injection vulnerability - remove support for code evaluation in LDAP autovalues option
--------------------------------------------------------------------------------
ChangeLog:

* Mon May 25 2026 Remi Collet - 1.7.1-1
- update to 1.7.1
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #2481615 - CVE-2026-48842 roundcubemail: pre-auth SQL injection in the virtuser_query plugin via a preg_replace() backslash escape bypass [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2481615
[ 2 ] Bug #2481617 - CVE-2026-48844 roundcubemail: code injection via insecure LDAP autovalues option [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2481617
[ 3 ] Bug #2481619 - CVE-2026-48843 roundcubemail: information disclosure and Server-Side Request Forgery via insufficient CSS sanitization [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2481619
[ 4 ] Bug #2481622 - CVE-2026-48845 roundcubemail: privilege escalation via remote image blocking bypass [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2481622
[ 5 ] Bug #2481624 - CVE-2026-48848 roundcubemail: CSS injection via an SVG document that has an animate element with the attributeName attribute [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2481624
[ 6 ] Bug #2481626 - CVE-2026-48847 roundcubemail: arbitrary file deletion via redis/memcache session poisoning bypass [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2481626
[ 7 ] Bug #2481628 - CVE-2026-48846 roundcubemail: remote image blocking feature can be bypassed via a crafted CSS var() value in an e-mail message [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2481628
[ 8 ] Bug #2481629 - CVE-2026-48849 roundcubemail: XSS via unsanitized subject field in the draft restored value [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2481629
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-2b956d89d3' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------

Multiple security fixes for roundcubemail 1.7.1 in Fedora 44 addressing XSS and SQL injection issues.
Roundcube Mail Security Update, Fedora 44, SQL Injection Issues, XSS Fixes, Webmail Vulnerabilities.
Severity: Critical.
LinuxSecurity.com Team

Jun 03, 2026 Critical Fedora

openSUSE Backports libjxl Important Input Length Issue CVE-2025-70103

An update that fixes one vulnerability is now available.

openSUSE Security Update: Security update for libjxl
______________________________________________________________________________

Announcement ID: openSUSE-SU-2026:0182-1
Rating: important
References: #1266460
Cross-References: CVE-2025-70103
CVSS scores:
CVE-2025-70103 (SUSE): 9.2 CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Affected Products: openSUSE Backports SLE-15-SP7
______________________________________________________________________________

An update that fixes one vulnerability is now available.

Description:

This update for libjxl fixes the following issues:

- CVE-2025-70103: take EC into account when checking required PNM input length (boo#1266460).

Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- openSUSE Backports SLE-15-SP7:

  zypper in -t patch openSUSE-2026-182=1

Package List:

- openSUSE Backports SLE-15-SP7 (aarch64 i586 ppc64le s390x x86_64):
  gdk-pixbuf-loader-jxl-0.8.5-bp157.2.6.1
  gimp-plugin-jxl-0.8.5-bp157.2.6.1
  libjxl-devel-0.8.5-bp157.2.6.1
  libjxl-tools-0.8.5-bp157.2.6.1
  libjxl0_8-0.8.5-bp157.2.6.1
- openSUSE Backports SLE-15-SP7 (aarch64_ilp32):
  libjxl0_8-64bit-0.8.5-bp157.2.6.1
- openSUSE Backports SLE-15-SP7 (noarch):
  jxl-thumbnailer-0.8.5-bp157.2.6.1
- openSUSE Backports SLE-15-SP7 (x86_64):
  libjxl0_8-32bit-0.8.5-bp157.2.6.1

References:

https://www.suse.com/security/cve/CVE-2025-70103.html
https://bugzilla.suse.com/1266460

Update available for libjxl addressing CVE-2025-70103 with important severity. Ensure to apply the patch promptly.
libjxl security update, openSUSE patches, important vulnerabilities.
Severity: Important.
LinuxSecurity.com Team

Jun 02, 2026 Important OpenSUSE

Ubuntu 20.04 Unbound Critical Denial of Service Issues USN-8282-2

Several security issues were fixed in Unbound.

==========================================================================
Ubuntu Security Notice USN-8282-2
June 02, 2026

unbound vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS
- Ubuntu 16.04 LTS
- Ubuntu 14.04 LTS

Summary:

Several security issues were fixed in Unbound.

Software Description:
- unbound: validating, recursive, caching DNS resolver

Details:

USN-8282-1 fixed vulnerabilities in Unbound. This update provides the corresponding updates for CVE-2026-41292 in Ubuntu 18.04 LTS and Ubuntu 20.04 LTS and CVE-2026-42959, CVE-2026-42960 in Ubuntu 14.04 LTS, Ubuntu 16.04 LTS, Ubuntu 18.04 LTS, and Ubuntu 20.04 LTS.

Original advisory details:

Andrew Griffiths discovered that Unbound did not properly handle certain DNSCrypt packets. A remote attacker could possibly use this issue to cause Unbound to crash, resulting in a denial of service. (CVE-2026-32792)

Qifan Zhang discovered that Unbound incorrectly handled DNSSEC validation in certain situations. A remote attacker could possibly use this issue to execute arbitrary code. This issue only affected Ubuntu 24.04 LTS, Ubuntu 25.10, and Ubuntu 26.04 LTS. (CVE-2026-33278)

Qifan Zhang discovered that Unbound incorrectly handled certain ghost domain name records. A remote attacker could possibly use this issue to cause a denial of service. This issue only affected Ubuntu 24.04 LTS, Ubuntu 25.10, and Ubuntu 26.04 LTS. (CVE-2026-40622)

Qifan Zhang discovered that Unbound did not properly limit processing of long EDNS option lists. A remote attacker could possibly use this issue to cause Unbound to use excessive resources, leading to a denial of service. (CVE-2026-41292)

Qifan Zhang discovered that Unbound incorrectly handled jostle logic under certain circumstances. A remote attacker could possibly use this issue to cause Unbound to use excessive resources, leading to a denial of service. (CVE-2026-42534)

Qifan Zhang discovered that Unbound did not properly bound NSEC3 hash calculations. A remote attacker could possibly use this issue to cause Unbound to use excessive resources, leading to a denial of service. (CVE-2026-42923)

Qifan Zhang discovered that Unbound incorrectly handled multiple EDNS options in certain situations. A remote attacker could possibly use this issue to cause Unbound to crash, resulting in a denial of service, or execute arbitrary code. This issue only affected Ubuntu 24.04 LTS, Ubuntu 25.10, and Ubuntu 26.04 LTS. (CVE-2026-42944)

Qifan Zhang discovered that Unbound incorrectly handled DNSSEC validation of malicious content. A remote attacker could possibly use this issue to cause Unbound to crash, resulting in a denial of service. (CVE-2026-42959)

TaoFei Guo, Yang Luo, and JianJun Chen discovered that Unbound incorrectly handled delegation processing in certain situations. A remote attacker could possibly use this issue to poison the DNS cache and obtain sensitive information. (CVE-2026-42960)

Qifan Zhang discovered that Unbound did not properly bound name compression in certain cases. A remote attacker could possibly use this issue to cause Unbound to use excessive resources, leading to a denial of service. (CVE-2026-44390)

Qifan Zhang discovered that Unbound had a use-after-free issue in RPZ handling. A remote attacker could possibly use this issue to cause Unbound to crash, resulting in a denial of service, or execute arbitrary code. This issue only affected Ubuntu 24.04 LTS, Ubuntu 25.10, and Ubuntu 26.04 LTS. (CVE-2026-44608)

Update instructions:

The problem can be corrected by updating your system to the following package versions:

Ubuntu 20.04 LTS
  libunbound8 1.9.4-2ubuntu1.11+esm1 Available with Ubuntu Pro
  unbound 1.9.4-2ubuntu1.11+esm1 Available with Ubuntu Pro

Ubuntu 18.04 LTS
  libunbound2 1.6.7-1ubuntu2.6+esm4 Available with Ubuntu Pro
  unbound 1.6.7-1ubuntu2.6+esm4 Available with Ubuntu Pro

Ubuntu 16.04 LTS
  libunbound2 1.5.8-1ubuntu1.1+esm3 Available with Ubuntu Pro
  unbound 1.5.8-1ubuntu1.1+esm3 Available with Ubuntu Pro

Ubuntu 14.04 LTS
  libunbound2 1.4.22-1ubuntu4.14.04.3+esm3 Available with Ubuntu Pro
  unbound 1.4.22-1ubuntu4.14.04.3+esm3 Available with Ubuntu Pro

In general, a standard system update will make all the necessary changes.

References:
https://ubuntu.com/security/notices/USN-8282-2
https://ubuntu.com/security/notices/USN-8282-1
CVE-2026-41292, CVE-2026-42959, CVE-2026-42960

Several security issues addressed in Unbound for Ubuntu 14.04 to 20.04 LTS. Immediate update recommended for users.
Unbound security, Ubuntu update, DNS resolver fix, denial of service.
Severity: Critical.
LinuxSecurity.com Team

Jun 02, 2026 Critical Ubuntu

openSUSE Leap 16.0 Severe Fixes for Mapserver Vulnerabilities 2026-20857-1

An update that solves 2 vulnerabilities and has 2 bug fixes can now be installed.

openSUSE security update: security update for mapserver
-------------------------------------------------------------

Announcement ID: openSUSE-SU-2026:20857-1
Rating: important
References:
* bsc#1260869
* bsc#1266663
Cross-References:
* CVE-2026-33721
* CVE-2026-45104
Affected Products: openSUSE Leap 16.0
-------------------------------------------------------------

An update that solves 2 vulnerabilities and has 2 bug fixes can now be installed.

Description:

This update for mapserver fixes the following issues:

Changes in mapserver:
- Update to release 8.6.3
  * SLD parser: fix out of bounds access on SLD with only a Rule with a ElseFilter but without a symbolizer [CVE-2026-33721, boo#1260869] [CVE-2026-45104, boo#1266663]

Patch instructions:

To install this openSUSE security update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- openSUSE Leap 16.0

  zypper in -t patch openSUSE-Leap-16.0-packagehub-287=1

Package List:

- openSUSE Leap 16.0:
  libjavamapscript-8.6.3-bp160.1.1
  libmapserver2-8.6.3-bp160.1.1
  mapserver-8.6.3-bp160.1.1
  mapserver-devel-8.6.3-bp160.1.1
  perl-mapscript-8.6.3-bp160.1.1
  php-mapscriptng-8.6.3-bp160.1.1
  python313-mapserver-8.6.3-bp160.1.1

References:
* https://www.suse.com/security/cve/CVE-2026-33721.html
* https://www.suse.com/security/cve/CVE-2026-45104.html

Update for openSUSE Leap 16.0 mapserver addresses critical bugs and security issues requiring immediate attention.
openSUSE mapserver update security vulnerabilities.
Severity: Important.
LinuxSecurity.com Team

Jun 02, 2026 Important OpenSUSE

openSUSE Leap 16.0 HPLIP Critical Command Injection Vuln 2026-20858-1

An update that solves 3 vulnerabilities and has 5 bug fixes can now be installed.

openSUSE security update: security update for hplip
-------------------------------------------------------------

Announcement ID: openSUSE-SU-2026:20858-1
Rating: critical
References:
* bsc#1250481
* bsc#1257529
* bsc#1266023
* bsc#1266024
* bsc#1266031
Cross-References:
* CVE-2025-43023
* CVE-2026-8631
* CVE-2026-8632
CVSS scores:
* CVE-2025-43023 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
* CVE-2025-43023 ( SUSE ): 7.5 CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
* CVE-2026-8631 ( SUSE ): 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
* CVE-2026-8631 ( SUSE ): 9.3 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
* CVE-2026-8632 ( SUSE ): 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
* CVE-2026-8632 ( SUSE ): 8.5 CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Affected Products: openSUSE Leap 16.0
-------------------------------------------------------------

An update that solves 3 vulnerabilities and has 5 bug fixes can now be installed.

Description:

This update for hplip fixes the following issues:

Changes in hplip:
- Update to HPLIP 3.26.4
  * CVE-2026-8631: Fixed privileges escalation and/or arbitrary code execution via an integer overflow in the hpcups processing path (bsc#1266023)
  * CVE-2026-8632: Fixed privileges escalation and/or arbitrary code execution via operating system command injection (bsc#1266024)
- Add support for the following new printers:
  * HP LaserJet Pro MFP 3106sdw
  * HP LaserJet Pro MFP 3105sdw
  * HP Envy 6500e series
  * HP Envy 6500 series
  * HP OfficeJet Pro 9730 Series
  * HP OfficeJet Pro 9730e Series
  * HP OfficeJet Pro 9720 Series
  * HP OfficeJet Pro 9720e Series
  * HP OfficeJet Pro 8130e All-in-One series
  * HP OfficeJet Pro 8130 All-in-One series
  * HP OfficeJet 8130e All-in-One series
  * HP OfficeJet 8130 All-in-One series
  * HP OfficeJet Pro 8120e All-in-One series
  * HP OfficeJet Pro 8120 All-in-One series
  * HP OfficeJet 8120e All-in-One series
  * HP OfficeJet 8120 All-in-One series
  * HP DeskJet Ink Advantage ultra 5800 All-in-One Printer series
  * HP DeskJet Ink Advantage ultra 5100 All-in-One Printer series
  * HP DeskJet 4300e All-in-One Printer series
  * HP DeskJet Ink Advantage 4300 All-in-One Printer series
  * HP DeskJet 4300 All-in-One Printer series
  * HP DeskJet 2900e All-in-One Printer series
  * HP DeskJet Ink Advantage 2900 All-in-One Printer series
  * HP DeskJet 2900 All-in-One Printer series
- Update to HPLIP 3.25.8
- Added support for the following new Printers:
  * HP LaserJet Enterprise Flow MFP 8601z
  * HP LaserJet Enterprise 5501
  * HP LaserJet Enterprise MFP 5601dn
  * HP LaserJet Enterprise 6500dn
  * HP LaserJet Enterprise 5501n
  * HP LaserJet Enterprise MFP 5601
  * HP LaserJet Enterprise 6500
  * HP LaserJet Enterprise 5502dn
  * HP LaserJet Enterprise MFP 5602dn
  * HP LaserJet Enterprise 6500n
  * HP LaserJet Enterprise 5502
  * HP LaserJet Enterprise MFP 5602f
  * HP LaserJet Enterprise 6501dn
  * HP LaserJet Enterprise X50452dn
  * HP LaserJet Enterprise Flow MFP 5602zfw
  * HP LaserJet Enterprise 6501
  * HP LaserJet Enterprise X50452
  * HP LaserJet Enterprise MFP 5602
  * HP LaserJet Enterprise X60257dn
  * HP LaserJet Enterprise MFP X53052dn
  * HP LaserJet Enterprise Flow MFP X530
  * HP LaserJet Enterprise X60257
  * HP LaserJet Enterprise MFP X53052
  * HP LaserJet Enterprise X60357dn
  * HP LaserJet Enterprise X60357
  * HP LaserJet Enterprise MFP 6600dn
  * HP LaserJet Enterprise Flow MFP 6600zfw
  * HP LaserJet Enterprise MFP 6600
  * HP LaserJet Enterprise Flow MFP 6600zfsw
  * HP LaserJet Enterprise MFP X62757dn
  * HP LaserJet Enterprise Flow MFP X62757zs
  * HP LaserJet Enterprise MFP X62757
  * DEX D50452dn
  * DEX MFP D53052dn
- Fix handling of readfp() and read_file() for ConfigParser objects, avoiding confusing error messages (lp#2139771)
- Fix compiler warnings on SLE15
- Fix "Found No Section" error with python (lp#2095776)
- Fix PPD lookup by moving PPDs from manufacturer-PPDs/hplip-fax to manufacturer-PPDs/hplip/fax etc (boo#1257529)
- Move more utilities from hplip-utils to hplip-base.
  * hplip-base now contains all utilities that are not totally useless and can run without the Qt GUI.
- Update fix for support of new GPG key, as the key has now been uploaded to GPG keyservers (lp#2120738)
- This fixes CVE-2025-43023 (bsc#1266031)
- Drop dependency on cups-ppdc. It isn't necessary, as PPD generation on target system is done by cups-driverd.
- The old and outdated 'hpijs' driver support is finally dropped (the 'hpcups' driver is the default driver since 2009) so that there is no need for foomatic-filters (boo#1250481)
- Continue refactoring:
  * move GUI tools to "hplip-utils" subpackage
  * convert "hplip" into an empty metapackage that pulls in hplip-utils and all drivers / PPDs (except hpijs PPDs).
- Refactor package structure:
  * hplip: full set of utilities. Pulls in almost all subpackages to deliver the "traditional" hplip experience
  * hplip-base: small set of basic utilities that can be run without GUI. Includes hp-probe and hp-plugin
  * hplip-cups: minimal package for printing, without PPDs or setup helpers
  * hplip-sane: scanning support (unchanged)
  * hplip-driver-hpcups: hpcups.drv for generating hpcups PPDs on the fly (requires ppdc). The functionality of this package is similar to the old (misnamed) "hplip-hpijs" package.
  * hplip-driver-hpijs: hpijs.drv for generating PPDs for the deprecated hpijs / foomatic_rip filter. Note that this functionality was not part of the late hplip-hpijs package, because upstream hasn't shipped foomatic PPDs since hplip 3.17.11.
  * hplip-ppds-{hpcups,hpps,postscript,hpijs,fax,plugin}: static PPD files for different printer types. hplip-ppds-hpcups is an alternative to hplip-driver-hpcups.
  * libhplip0: shared library package, used by hplip-cups and hplip-sane
  * hplip-common: configuration files and directories used by all hplip packages.
- Other spec file changes:
  * Skip deprecated suse_update_desktop_file by default on TW
  * Don't mess with sane configuration in udev rules
  * Only the hpijs packages depend on foomatic-rip, which is only provided by cups-filters-1.x. The other packages can be used with cups-filters2.
  * Remove Obsoletes: for ancient predecessor packages
  * Remove outdated comments from spec file
  * Shorten package descriptions
  * Fix a couple of rpmlint issues
- Fix printer probing using avahi (lp#2120947)

Patch instructions:

To install this openSUSE security update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- openSUSE Leap 16.0

  zypper in -t patch openSUSE-Leap-16.0-packagehub-288=1

Package List:

- openSUSE Leap 16.0:
  hplip-3.26.4-bp160.1.1
  hplip-base-3.26.4-bp160.1.1
  hplip-common-3.26.4-bp160.1.1
  hplip-cups-3.26.4-bp160.1.1
  hplip-devel-3.26.4-bp160.1.1
  hplip-driver-hpcups-3.26.4-bp160.1.1
  hplip-ppds-fax-3.26.4-bp160.1.1
  hplip-ppds-hpcups-3.26.4-bp160.1.1
  hplip-ppds-hpps-3.26.4-bp160.1.1
  hplip-ppds-plugin-3.26.4-bp160.1.1
  hplip-ppds-postscript-3.26.4-bp160.1.1
  hplip-sane-3.26.4-bp160.1.1
  hplip-utils-3.26.4-bp160.1.1
  libhplip0-3.26.4-bp160.1.1

References:
* https://www.suse.com/security/cve/CVE-2025-43023.html
* https://www.suse.com/security/cve/CVE-2026-8631.html
* https://www.suse.com/security/cve/CVE-2026-8632.html

Critical update for openSUSE hplip fixes 3 issues with privilege escalation and command injection vulnerabilities.
openSUSE HPLIP update command injection privilege escalation.
Severity: Critical.
LinuxSecurity.com Team

Jun 02, 2026 Critical OpenSUSE