Fixed a CORS bug that leaked the anti-CSRF nonce. (#8938) Fixed a use-after-free bug in peer code. (#8921) Fixed build error when compiling with fmt 12.2.0. (#8942)

--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-0c067e5040
2026-07-02 01:05:29.984018+00:00
--------------------------------------------------------------------------------

Name        : transmission
Product     : Fedora 44
Version     : 4.1.3
Release     : 1.fc44
URL         : http://www.transmissionbt.com
Summary     : A lightweight GTK+ BitTorrent client
Description :
Transmission is a free, lightweight BitTorrent client. It features a
simple, intuitive interface on top of an efficient, cross-platform
back-end.

--------------------------------------------------------------------------------
Update Information:

Fixed a CORS bug that leaked the anti-CSRF nonce. (#8938)
Fixed a use-after-free bug in peer code. (#8921)
Fixed build error when compiling with fmt 12.2.0. (#8942)
--------------------------------------------------------------------------------
ChangeLog:

* Tue Jun 30 2026 Gwyn Ciesla - 4.1.3-1
- 4.1.3
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #2494743 - transmission-4.1.3 is available
        https://bugzilla.redhat.com/show_bug.cgi?id=2494743
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-0c067e5040' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------
package-announce mailing list

0.9.34 - security fix for CVE-2026-27145.

--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-00901a5e8f
2026-07-02 01:05:29.984014+00:00
--------------------------------------------------------------------------------

Name        : ipp-usb
Product     : Fedora 44
Version     : 0.9.34
Release     : 2.fc44
URL         : https://github.com/OpenPrinting/ipp-usb
Summary     : HTTP reverse proxy, backed by IPP-over-USB connection to device
Description :
HTTP reverse proxy, backed by IPP-over-USB connection to device. It enables
driverless support for USB devices capable of using IPP-over-USB protocol.

--------------------------------------------------------------------------------
Update Information:

0.9.34 - security fix for CVE-2026-27145
--------------------------------------------------------------------------------
ChangeLog:

* Tue Jun 30 2026 Zdenek Dohnal - 0.9.34-2
- ipp-usb-0.9.34 is available (fedora#2463247, fedora#2484207, fedora#2494316)
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #2484207 - CVE-2026-27145 crypto/x509: golang: golang crypto/x509: Denial of Service via excessive processing of DNS SAN entries
        https://bugzilla.redhat.com/show_bug.cgi?id=2484207
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-00901a5e8f' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label
--------------------------------------------------------------------------------

Security update resolving 17 CVEs across both caddy itself and its vendored libraries.

--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-950cac64f2
2026-07-02 01:05:29.983957+00:00
--------------------------------------------------------------------------------

Name        : caddy
Product     : Fedora 44
Version     : 2.10.2
Release     : 9.fc44
URL         : https://caddyserver.com
Summary     : Web server with automatic HTTPS
Description :
Caddy is an extensible server platform that uses TLS by default.

--------------------------------------------------------------------------------
Update Information:

Security update resolving 17 CVEs across both caddy itself and its vendored
libraries.
--------------------------------------------------------------------------------
ChangeLog:

* Tue Jun 23 2026 Carl George - 2.10.2-9
- Port to new golang packaging guidelines
- Backport upstream fix for CVE-2026-27585
- Backport upstream fix for CVE-2026-27586
- Backport upstream fix for CVE-2026-27587
- Backport upstream fix for CVE-2026-27588
- Backport upstream fix for CVE-2026-27589
- Backport upstream fix for CVE-2026-27590
- Backport upstream fix for CVE-2026-30851
- Backport upstream fix for CVE-2026-30852
- Update vendored github.com/quic-go/quic-go to v0.57.0 for CVE-2025-64702
- Update vendored golang.org/x/crypto to v0.52.0 for CVE-2025-47913, CVE-2026-39828, CVE-2026-39829, and CVE-2026-39830
- Update vendored github.com/smallstep/certificates to v0.30.0 for CVE-2025-44005 and CVE-2026-40097
- Update vendored github.com/go-chi/chi/v5 to v5.2.5 for CVE-2025-69725
- Update vendored github.com/yuin/goldmark/renderer/html to v1.7.17 for CVE-2026-5160
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #2488094 - CVE-2026-30851 caddy: Caddy: Privilege escalation via identity injection due to unstripped client headers [fedora-all]
        https://bugzilla.redhat.com/show_bug.cgi?id=2488094
  [ 2 ] Bug #2488095 - CVE-2026-30852 caddy: Caddy: Information disclosure via double-expansion of user-controlled input [fedora-all]
        https://bugzilla.redhat.com/show_bug.cgi?id=2488095
  [ 3 ] Bug #2488141 - CVE-2026-40097 caddy: Step CA: Denial of Service via crafted attestation key certificate [fedora-all]
        https://bugzilla.redhat.com/show_bug.cgi?id=2488141
  [ 4 ] Bug #2488502 - CVE-2026-27585 caddy: Caddy: Path security bypass due to unsanitized backslashes [fedora-all]
        https://bugzilla.redhat.com/show_bug.cgi?id=2488502
  [ 5 ] Bug #2488503 - CVE-2026-27586 caddy: Caddy: Authentication bypass via mTLS client certificate validation failure [fedora-all]
        https://bugzilla.redhat.com/show_bug.cgi?id=2488503
  [ 6 ] Bug #2488514 - CVE-2026-27587 caddy: Caddy: Access control bypass due to improper handling of percent-escape sequences in HTTP path matcher [fedora-all]
        https://bugzilla.redhat.com/show_bug.cgi?id=2488514
  [ 7 ] Bug #2488516 - CVE-2026-27588 caddy: Caddy: Access control bypass due to case-sensitive host matching [fedora-all]
        https://bugzilla.redhat.com/show_bug.cgi?id=2488516
  [ 8 ] Bug #2488517 - CVE-2026-27589 caddy: Caddy: Unauthorized configuration modification via cross-origin requests to the admin API [fedora-all]
        https://bugzilla.redhat.com/show_bug.cgi?id=2488517
  [ 9 ] Bug #2488518 - CVE-2026-27590 caddy: Caddy: Remote Code Execution via FastCGI path confusion [fedora-all]
        https://bugzilla.redhat.com/show_bug.cgi?id=2488518
  [ 10 ] Bug #2488661 - CVE-2025-64702 caddy: quic-go HTTP/3 QPACK Header Expansion DoS [fedora-all]
        https://bugzilla.redhat.com/show_bug.cgi?id=2488661
  [ 11 ] Bug #2488663 - CVE-2025-47913 caddy: golang.org/x/crypto/ssh/agent: SSH client panic due to unexpected SSH_AGENT_SUCCESS [fedora-all]
        https://bugzilla.redhat.com/show_bug.cgi?id=2488663
  [ 12 ] Bug #2488665 - CVE-2025-44005 caddy: github.com/smallstep/certificates: Authorization bypass allows unauthorized certificate creation [fedora-all]
        https://bugzilla.redhat.com/show_bug.cgi?id=2488665
  [ 13 ] Bug #2488666 - CVE-2025-69725 caddy: Go-chi/chi: Open Redirect vulnerability allows redirection to malicious websites [fedora-all]
        https://bugzilla.redhat.com/show_bug.cgi?id=2488666
  [ 14 ] Bug #2488667 - CVE-2026-5160 caddy: github.com/yuin/goldmark/renderer/html: Cross-site Scripting due to improper URL validation [fedora-all]
        https://bugzilla.redhat.com/show_bug.cgi?id=2488667
  [ 15 ] Bug #2489962 - CVE-2026-39828 caddy: golang.org/x/crypto/ssh: Unauthorized command execution via discarded SSH permissions [fedora-all]
        https://bugzilla.redhat.com/show_bug.cgi?id=2489962
  [ 16 ] Bug #2490067 - CVE-2026-39829 caddy: golang.org/x/crypto/ssh: Denial of Service via crafted public key with excessive parameters [fedora-all]
        https://bugzilla.redhat.com/show_bug.cgi?id=2490067
  [ 17 ] Bug #2490486 - CVE-2026-39830 caddy: golang.org/x/crypto/ssh: Denial of Service via resource leak from unsolicited SSH responses [fedora-all]
        https://bugzilla.redhat.com/show_bug.cgi?id=2490486
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-950cac64f2' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label
--------------------------------------------------------------------------------

Update to 1.74.3.

--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-6145ae14ca
2026-07-02 01:05:29.983954+00:00
--------------------------------------------------------------------------------

Name        : rclone
Product     : Fedora 44
Version     : 1.74.3
Release     : 1.fc44
URL         : https://github.com/rclone/rclone
Summary     : Rsync for cloud storage
Description :
"rsync for cloud storage" - Google Drive, S3, Dropbox, Backblaze B2, One
Drive, Swift, Hubic, Wasabi, Google Cloud Storage, Azure Blob, Azure Files,
Yandex Files.

--------------------------------------------------------------------------------
Update Information:

Update to 1.74.3
--------------------------------------------------------------------------------
ChangeLog:

* Sat Jun 6 2026 Packit - 1.74.3-1
- Update to 1.74.3 upstream release
- Resolves: rhbz#2485621
* Sat May 23 2026 Packit - 1.74.2-1
- Update to 1.74.2 upstream release
- Resolves: rhbz#2468412
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #2486295 - CVE-2026-45287 rclone: OpenTelemetry-Go: Denial of Service due to file descriptor leak [fedora-all]
        https://bugzilla.redhat.com/show_bug.cgi?id=2486295
  [ 2 ] Bug #2489905 - CVE-2026-39828 rclone: golang.org/x/crypto/ssh: Unauthorized command execution via discarded SSH permissions [fedora-all]
        https://bugzilla.redhat.com/show_bug.cgi?id=2489905
  [ 3 ] Bug #2490091 - CVE-2026-39829 rclone: golang.org/x/crypto/ssh: Denial of Service via crafted public key with excessive parameters [fedora-all]
        https://bugzilla.redhat.com/show_bug.cgi?id=2490091
  [ 4 ] Bug #2490402 - CVE-2026-39830 rclone: golang.org/x/crypto/ssh: Denial of Service via resource leak from unsolicited SSH responses [fedora-all]
        https://bugzilla.redhat.com/show_bug.cgi?id=2490402
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-6145ae14ca' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label
--------------------------------------------------------------------------------

Update bundled golang.org/x/crypto to 0.53.0.

--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-7794729685
2026-07-02 01:05:29.983902+00:00
--------------------------------------------------------------------------------

Name        : opkssh
Product     : Fedora 44
Version     : 0.14.0
Release     : 3.fc44
URL         : https://github.com/openpubkey/opkssh
Summary     : OpenPubkey SSH
Description :
OpenPubkey SSH is a tool which enables ssh to be used with OpenID Connect
allowing SSH access to be managed via identities like

Update! Close Go standard library CVE bugs that are solved by a rebuild.

--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-ed208f5337
2026-07-02 01:05:29.983895+00:00
--------------------------------------------------------------------------------

Name        : hut
Product     : Fedora 44
Version     : 0.8.0
Release     : 1.fc44
URL         : https://git.sr.ht/~xenrox/hut
Summary     : A CLI tool for Sourcehut
Description :
hut is a CLI tool for interacting with Sourcehut instances. It supports
git.sr.ht as well as self-hosted Sourcehut instances.

--------------------------------------------------------------------------------
Update Information:

Update! Close Go standard library CVE bugs that are solved by a rebuild
--------------------------------------------------------------------------------
ChangeLog:

* Tue Jun 23 2026 Javier Olaechea - 0.8.0-1
- Update to 0.8.0. Fixes rhbz#2451702.
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #2408304 - CVE-2025-58189 hut: go crypto/tls ALPN negotiation error contains attacker controlled information [fedora-43]
        https://bugzilla.redhat.com/show_bug.cgi?id=2408304
  [ 2 ] Bug #2408723 - CVE-2025-61725 hut: Excessive CPU consumption in ParseAddress in net/mail [fedora-43]
        https://bugzilla.redhat.com/show_bug.cgi?id=2408723
  [ 3 ] Bug #2409777 - CVE-2025-61723 hut: Quadratic complexity when parsing some invalid inputs in encoding/pem [fedora-43]
        https://bugzilla.redhat.com/show_bug.cgi?id=2409777
  [ 4 ] Bug #2410727 - CVE-2025-58185 hut: Parsing DER payload can cause memory exhaustion in encoding/asn1 [fedora-43]
        https://bugzilla.redhat.com/show_bug.cgi?id=2410727
  [ 5 ] Bug #2411623 - CVE-2025-58188 hut: Panic when validating certificates with DSA public keys in crypto/x509 [fedora-43]
        https://bugzilla.redhat.com/show_bug.cgi?id=2411623
  [ 6 ] Bug #2412711 - CVE-2025-58183 hut: Unbounded allocation when parsing GNU sparse map [fedora-43]
        https://bugzilla.redhat.com/show_bug.cgi?id=2412711
  [ 7 ] Bug #2451702 - hut-0.8.0 is available
        https://bugzilla.redhat.com/show_bug.cgi?id=2451702
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-ed208f5337' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label
--------------------------------------------------------------------------------

An update that solves one vulnerability can now be installed.

# Security update for dracut

Announcement ID: SUSE-SU-2026:2720-1
Release Date: 2026-07-01T13:15:19Z
Rating: important

References:

* bsc#1268322

Cross-References:

* CVE-2026-6893

CVSS scores:

* CVE-2026-6893 ( SUSE ): 8.7 CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
* CVE-2026-6893 ( SUSE ): 8.8 CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
* CVE-2026-6893 ( NVD ): 7.5 CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Affected Products:

* openSUSE Leap 15.4
* SUSE Linux Enterprise High Performance Computing 15 SP4
* SUSE Linux Enterprise High Performance Computing ESPOS 15 SP4
* SUSE Linux Enterprise High Performance Computing LTSS 15 SP4
* SUSE Linux Enterprise Micro 5.3
* SUSE Linux Enterprise Micro 5.4
* SUSE Linux Enterprise Micro for Rancher 5.3
* SUSE Linux Enterprise Micro for Rancher 5.4
* SUSE Linux Enterprise Server 15 SP4
* SUSE Linux Enterprise Server 15 SP4 LTSS
* SUSE Linux Enterprise Server for SAP Applications 15 SP4

An update that solves one vulnerability can now be installed.

## Description:

This update for dracut fixes the following issue:

* CVE-2026-6893: Root code execution via DHCP options command injection (bsc#1268322).

Changes for dracut:

* Update to version 055+suse.365.g79144c5:
  * fix(network-legacy): sanitize DHCP values in dhclient-script.sh (bsc#1268322, CVE-2026-6893)
  * fix(network-legacy): add input validation to RFC 3442 route parser

## Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

* SUSE Linux Enterprise High Performance Computing LTSS 15 SP4
  zypper in -t patch SUSE-SLE-Product-HPC-15-SP4-LTSS-2026-2720=1
* SUSE Linux Enterprise Server 15 SP4 LTSS
  zypper in -t patch SUSE-SLE-Product-SLES-15-SP4-LTSS-2026-2720=1
* SUSE Linux Enterprise High Performance Computing ESPOS 15 SP4
  zypper in -t patch SUSE-SLE-Product-HPC-15-SP4-ESPOS-2026-2720=1
* SUSE Linux Enterprise Micro for Rancher 5.4
  zypper in -t patch SUSE-SLE-Micro-5.4-2026-2720=1
* SUSE Linux Enterprise Micro 5.4
  zypper in -t patch SUSE-SLE-Micro-5.4-2026-2720=1
* openSUSE Leap 15.4
  zypper in -t patch SUSE-2026-2720=1
* SUSE Linux Enterprise Micro for Rancher 5.3
  zypper in -t patch SUSE-SLE-Micro-5.3-2026-2720=1
* SUSE Linux Enterprise Micro 5.3
  zypper in -t patch SUSE-SLE-Micro-5.3-2026-2720=1
* SUSE Linux Enterprise Server for SAP Applications 15 SP4
  zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-SP4-2026-2720=1

## Package List:

* openSUSE Leap 15.4 (aarch64 i586 ppc64le s390x x86_64)
  * dracut-extra-055+suse.365.g79144c5-150400.3.49.1
  * dracut-055+suse.365.g79144c5-150400.3.49.1
  * dracut-mkinitrd-deprecated-055+suse.365.g79144c5-150400.3.49.1
  * dracut-debuginfo-055+suse.365.g79144c5-150400.3.49.1
  * dracut-tools-055+suse.365.g79144c5-150400.3.49.1
  * dracut-ima-055+suse.365.g79144c5-150400.3.49.1
  * dracut-fips-055+suse.365.g79144c5-150400.3.49.1
  * dracut-debugsource-055+suse.365.g79144c5-150400.3.49.1
* SUSE Linux Enterprise High Performance Computing ESPOS 15 SP4 (aarch64 x86_64)
  * dracut-debuginfo-055+suse.365.g79144c5-150400.3.49.1
  * dracut-055+suse.365.g79144c5-150400.3.49.1
  * dracut-mkinitrd-deprecated-055+suse.365.g79144c5-150400.3.49.1
  * dracut-fips-055+suse.365.g79144c5-150400.3.49.1
  * dracut-ima-055+suse.365.g79144c5-150400.3.49.1
  * dracut-debugsource-055+suse.365.g79144c5-150400.3.49.1
* SUSE Linux Enterprise Server 15 SP4 LTSS (aarch64 ppc64le s390x x86_64)
  * dracut-debuginfo-055+suse.365.g79144c5-150400.3.49.1
  * dracut-mkinitrd-deprecated-055+suse.365.g79144c5-150400.3.49.1
  * dracut-055+suse.365.g79144c5-150400.3.49.1
  * dracut-fips-055+suse.365.g79144c5-150400.3.49.1
  * dracut-ima-055+suse.365.g79144c5-150400.3.49.1
  * dracut-debugsource-055+suse.365.g79144c5-150400.3.49.1
* SUSE Linux Enterprise Micro for Rancher 5.3 (aarch64 s390x x86_64)
  * dracut-055+suse.365.g79144c5-150400.3.49.1
  * dracut-mkinitrd-deprecated-055+suse.365.g79144c5-150400.3.49.1
  * dracut-debuginfo-055+suse.365.g79144c5-150400.3.49.1
  * dracut-fips-055+suse.365.g79144c5-150400.3.49.1
  * dracut-debugsource-055+suse.365.g79144c5-150400.3.49.1
* SUSE Linux Enterprise Micro 5.3 (aarch64 s390x x86_64)
  * dracut-055+suse.365.g79144c5-150400.3.49.1
  * dracut-mkinitrd-deprecated-055+suse.365.g79144c5-150400.3.49.1
  * dracut-debuginfo-055+suse.365.g79144c5-150400.3.49.1
  * dracut-fips-055+suse.365.g79144c5-150400.3.49.1
  * dracut-debugsource-055+suse.365.g79144c5-150400.3.49.1
* SUSE Linux Enterprise Server for SAP Applications 15 SP4 (ppc64le x86_64)
  * dracut-debuginfo-055+suse.365.g79144c5-150400.3.49.1
  * dracut-mkinitrd-deprecated-055+suse.365.g79144c5-150400.3.49.1
  * dracut-055+suse.365.g79144c5-150400.3.49.1
  * dracut-fips-055+suse.365.g79144c5-150400.3.49.1
  * dracut-ima-055+suse.365.g79144c5-150400.3.49.1
  * dracut-debugsource-055+suse.365.g79144c5-150400.3.49.1
* SUSE Linux Enterprise Micro for Rancher 5.4 (aarch64 s390x x86_64)
  * dracut-055+suse.365.g79144c5-150400.3.49.1
  * dracut-mkinitrd-deprecated-055+suse.365.g79144c5-150400.3.49.1
  * dracut-debuginfo-055+suse.365.g79144c5-150400.3.49.1
  * dracut-fips-055+suse.365.g79144c5-150400.3.49.1
  * dracut-debugsource-055+suse.365.g79144c5-150400.3.49.1
* SUSE Linux Enterprise Micro 5.4 (aarch64 s390x x86_64)
  * dracut-055+suse.365.g79144c5-150400.3.49.1
  * dracut-mkinitrd-deprecated-055+suse.365.g79144c5-150400.3.49.1
  * dracut-debuginfo-055+suse.365.g79144c5-150400.3.49.1
  * dracut-fips-055+suse.365.g79144c5-150400.3.49.1
  * dracut-debugsource-055+suse.365.g79144c5-150400.3.49.1
* SUSE Linux Enterprise High Performance Computing LTSS 15 SP4 (aarch64 x86_64)
  * dracut-mkinitrd-deprecated-055+suse.365.g79144c5-150400.3.49.1
  * dracut-055+suse.365.g79144c5-150400.3.49.1
  * dracut-debuginfo-055+suse.365.g79144c5-150400.3.49.1
  * dracut-fips-055+suse.365.g79144c5-150400.3.49.1
  * dracut-ima-055+suse.365.g79144c5-150400.3.49.1
  * dracut-debugsource-055+suse.365.g79144c5-150400.3.49.1

## References:

* https://www.suse.com/security/cve/CVE-2026-6893.html
* https://bugzilla.suse.com/show_bug.cgi?id=1268322

LinuxSecurity.com Team