Explore top 10 tips to secure your open-source projects now. Read More
×An update that solves 3 vulnerabilities and has 3 bug fixes can now be installed.. openSUSE security update: security update for openqa, os-autoinst ------------------------------------------------------------- Announcement ID: openSUSE-SU-2026:21266-1 Rating: important References: * bsc#1258632 * bsc#1259005 * bsc#1264376 Cross-References: * CVE-2026-26996 * CVE-2026-27904 * CVE-2026-6321 CVSS scores: * CVE-2026-26996 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H * CVE-2026-26996 ( SUSE ): 8.7 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X * CVE-2026-27904 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H * CVE-2026-27904 ( SUSE ): 8.7 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N * CVE-2026-6321 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N * CVE-2026-6321 ( SUSE ): 8.7 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N Affected Products: openSUSE Leap 16.0 ------------------------------------------------------------- An update that solves 3 vulnerabilities and has 3 bug fixes can now be installed. Description: This update for openQA, os-autoinst fixes the following issues: Changes in openQA: - Update to version 5.1783076943.6691832d: * test: Stabilize `t/05-scheduler-full.t` - Clarify resolution of three CVEs * The following CVEs have been fixed (see previous changelog entries that mentioned only the according Bugzilla tickets): - bsc#1259005 - CVE-2026-27904 - bsc#1264376 - CVE-2026-6321 - bsc#1258632 - CVE-2026-26996 - Update to version 5.1782995932.ffeb09be: * feat: throw 404 for nonexistent groups in overview * feat: Avoid logwarn notifications for non-critical auth error * chore(deps): Dependency cron 2026-07-02 * git subrepo pull (merge) external/os-autoinst-common * fix: Check also hidden files in checklist plugin * test:Enable faster re-connects in full scheduler test consistently * test: Avoid silent daemons in verbose mode * test: Allow running `t/43-…-scalability.t` in parallel * test: Allow running `t/05-scheduler-full.t` in parallel * test: Avoid race condition when generating ports in `25-cache.t` * test: Avoid wasting seconds in `40-script_load_dump_templates.t` * refactor: Remove disabled code in `openqa-load-templates` * test: Avoid race condition when generating ports in many tests * chore(deps): Dependency cron 2026-07-01 * fix(ci): format inline comments in workflows to pass yamllint * test: Avoid running into "Address already in use" in fullstack test * feat(ci): pin GitHub Actions by commit hash Changes in os-autoinst: - Update to version 5.1783082953.c3cb41d: * test: Disable unstable `t/28-signalblocker.t` on ppc64le OBS builds * fix: Check also hidden files in checklist plugin * feat(ci): disable Mergify interactive queue controls in PR comments * test: assert pipe size adjustment dynamically * test: assert terminal session boundary safety * refactor: support pretty markers in script_sudo and become_root * fix: mmapi test failures and infinite loop hangs * test: simplify Level 3 pretty marker detection * fix: exclude virt-firmware on all older Leap archs - Update to version 5.1782917048.dcc97e9: * fix: Check also hidden files in checklist plugin * feat(ci): disable Mergify interactive queue controls in PR comments * fix(ci): format inline comments in workflows to pass yamllint * feat(ci): pin GitHub Actions by commit hash * test: assert pipe size adjustment dynamically * test: assert terminal session boundary safety * refactor: support pretty markers in script_sudo and become_root * fix: mmapi test failures and infinite loop hangs * test: simplify Level 3 pretty marker detection * fix: exclude virt-firmware on all older Leap archs Patch instructions: To install this openSUSE security update use the suse recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - openSUSE Leap 16.0 zypper in -t patch openSUSE-Leap-16.0-packagehub-395=1 Package List: - openSUSE Leap 16.0: openQA-5.1783076943.6691832d-bp160.1.1 openQA-auto-update-5.1783076943.6691832d-bp160.1.1 openQA-bootstrap-5.1783076943.6691832d-bp160.1.1 openQA-client-5.1783076943.6691832d-bp160.1.1 openQA-client-bash-completion-5.1783076943.6691832d-bp160.1.1 openQA-client-zsh-completion-5.1783076943.6691832d-bp160.1.1 openQA-common-5.1783076943.6691832d-bp160.1.1 openQA-continuous-update-5.1783076943.6691832d-bp160.1.1 openQA-devel-5.1783076943.6691832d-bp160.1.1 openQA-doc-5.1783076943.6691832d-bp160.1.1 openQA-llm-server-5.1783076943.6691832d-bp160.1.1 openQA-local-db-5.1783076943.6691832d-bp160.1.1 openQA-mcp-5.1783076943.6691832d-bp160.1.1 openQA-munin-5.1783076943.6691832d-bp160.1.1 openQA-python-scripts-5.1783076943.6691832d-bp160.1.1 openQA-single-instance-5.1783076943.6691832d-bp160.1.1 openQA-single-instance-nginx-5.1783076943.6691832d-bp160.1.1 openQA-worker-5.1783076943.6691832d-bp160.1.1 os-autoinst-5.1783082953.c3cb41d-bp160.1.1 os-autoinst-devel-5.1783082953.c3cb41d-bp160.1.1 os-autoinst-ipmi-deps-5.1783082953.c3cb41d-bp160.1.1 os-autoinst-openvswitch-5.1783082953.c3cb41d-bp160.1.1 os-autoinst-qemu-kvm-5.1783082953.c3cb41d-bp160.1.1 os-autoinst-qemu-x86-5.1783082953.c3cb41d-bp160.1.1 os-autoinst-s390-deps-5.1783082953.c3cb41d-bp160.1.1 os-autoinst-swtpm-5.1783082953.c3cb41d-bp160.1.1 References: * https://www.suse.com/security/cve/CVE-2026-26996.html * https://www.suse.com/security/cve/CVE-2026-27904.html * https://www.suse.com/security/cve/CVE-2026-6321.html . Find critical updates for openSUSE addressing security risks in openQA and os-autoinst with bug fixes and patches.. openSUSE updates, security issues, openQA fixes, os-autoinst patches. . LinuxSecurity.com Team
An update that solves 6 vulnerabilities and has 2 bug fixes can now be installed.. openSUSE security update: security update for hauler ------------------------------------------------------------- Announcement ID: openSUSE-SU-2026:21262-1 Rating: important References: * bsc#1267150 * bsc#1269433 Cross-References: * CVE-2026-25680 * CVE-2026-25681 * CVE-2026-27136 * CVE-2026-42502 * CVE-2026-42506 * CVE-2026-48702 CVSS scores: * CVE-2026-25680 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H * CVE-2026-25680 ( SUSE ): 8.7 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N * CVE-2026-25681 ( SUSE ): 6.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N * CVE-2026-25681 ( SUSE ): 5.3 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:L/SI:L/SA:N * CVE-2026-27136 ( SUSE ): 6.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N * CVE-2026-27136 ( SUSE ): 5.3 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:L/SI:L/SA:N * CVE-2026-42502 ( SUSE ): 6.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N * CVE-2026-42502 ( SUSE ): 5.3 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:L/SI:L/SA:N * CVE-2026-42506 ( SUSE ): 6.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N * CVE-2026-42506 ( SUSE ): 5.3 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:L/SI:L/SA:N * CVE-2026-48702 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H * CVE-2026-48702 ( SUSE ): 8.7 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N Affected Products: openSUSE Leap 16.0 ------------------------------------------------------------- An update that solves 6 vulnerabilities and has 2 bug fixes can now be installed. Description: This update for hauler fixes the following issues: Changes in hauler: - update to 2.0.1 (bsc#1269433, CVE-2026-48702): * bump go to 1.26.4 to squash CVE noise * Full v2 Release notes: https://github.com/hauler- dev/hauler/releases/tag/v2.0.0 - update to 2.0.0: * `v2.0.0` is a **major** release. It replacesHauler's entire OCI plumbing... the ORAS v1 dependency and the in-house cosign fork with a native containerd based implementation, drops the deprecated `v1alpha1` API, and layers on a meaningful set of new capabilities and reliability fixes on top of that new foundation. * **Removed the ORAS v1 dependency** - push/pull is now driven directly by containerd's docker resolver and `google/go- containerregistry`, new `pkg/content/registry.go` (`RegistryTarget`) and `pkg/content/types.go` (`Target` interface, `IoContentWriter`) replaces what ORAS used to own. * **Removed the hauler-maintained cosign fork** - `pkg/cosign` is now a thin verify only wrapper around upstream `sigstore/cosign/v3`. Images are added through a native `s.AddImage()` path in `pkg/store` * **Added OCI 1.1 Referrers support** - signatures, attestations, and SBOMs are discovered both via the classic cosign tag convention (`sha256-.sig` / `.att` / `.sbom`) and the modern Referrers API, then correctly through the OCI layout - update x/net to v0.55.0 (bsc#1266602, CVE-2026-39821, bsc#1267150, CVE-2026-25680, CVE-2026-42502, CVE-2026-27136, CVE-2026-25681, CVE-2026-42506) Patch instructions: To install this openSUSE security update use the suse recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - openSUSE Leap 16.0 zypper in -t patch openSUSE-Leap-16.0-packagehub-391=1 Package List: - openSUSE Leap 16.0: hauler-2.0.1-bp160.1.1 References: * https://www.suse.com/security/cve/CVE-2026-25680.html * https://www.suse.com/security/cve/CVE-2026-25681.html * https://www.suse.com/security/cve/CVE-2026-27136.html * https://www.suse.com/security/cve/CVE-2026-42502.html * https://www.suse.com/security/cve/CVE-2026-42506.html * https://www.suse.com/security/cve/CVE-2026-48702.html . This update for openSUSE solves 6 issues in hauler with 2 important bug fixesto enhance system security and performance.. openSUSE security update, hauler update, important patches, CVE security issues. . LinuxSecurity.com Team
An update that solves 24 vulnerabilities and has 28 bug fixes can now be installed.. openSUSE security update: security update for go1.26-openssl ------------------------------------------------------------- Announcement ID: openSUSE-SU-2026:21254-1 Rating: important References: * bsc#1170826 * bsc#1245878 * bsc#1255111 * bsc#1261653 * bsc#1261654 * bsc#1261655 * bsc#1261656 * bsc#1261657 * bsc#1261658 * bsc#1261659 * bsc#1261660 * bsc#1261661 * bsc#1261662 * bsc#1264395 * bsc#1264499 * bsc#1264500 * bsc#1264501 * bsc#1264502 * bsc#1264503 * bsc#1264504 * bsc#1264505 * bsc#1264506 * bsc#1264507 * bsc#1264508 * bsc#1264509 * bsc#1267442 * bsc#1267444 * bsc#1267450 Cross-References: * CVE-2026-27140 * CVE-2026-27143 * CVE-2026-27144 * CVE-2026-27145 * CVE-2026-32280 * CVE-2026-32281 * CVE-2026-32282 * CVE-2026-32283 * CVE-2026-32288 * CVE-2026-32289 * CVE-2026-33810 * CVE-2026-33811 * CVE-2026-33814 * CVE-2026-39817 * CVE-2026-39819 * CVE-2026-39820 * CVE-2026-39823 * CVE-2026-39825 * CVE-2026-39826 * CVE-2026-39836 * CVE-2026-42499 * CVE-2026-42501 * CVE-2026-42504 * CVE-2026-42507 CVSS scores: * CVE-2026-27140 ( SUSE ): 7 CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H * CVE-2026-27143 ( SUSE ): 7.4 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N * CVE-2026-27144 ( SUSE ): 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N * CVE-2026-27145 ( SUSE ): 3.3 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L * CVE-2026-27145 ( SUSE ): 4.6 CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N * CVE-2026-32280 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H * CVE-2026-32281 ( SUSE ): 5.9 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H * CVE-2026-32282 ( SUSE ): 6.3 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N * CVE-2026-32283 ( SUSE ): 5.9 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H * CVE-2026-32288 ( SUSE ): 4.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L * CVE-2026-32289 (SUSE ): 5.4 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N * CVE-2026-33810 ( SUSE ): 5.9 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N * CVE-2026-33811 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H * CVE-2026-33814 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H * CVE-2026-39817 ( SUSE ): 5.9 CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:N/I:H/A:N * CVE-2026-39819 ( SUSE ): 5.3 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:H/A:N * CVE-2026-39820 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H * CVE-2026-39823 ( SUSE ): 6.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N * CVE-2026-39825 ( SUSE ): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N * CVE-2026-39826 ( SUSE ): 6.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N * CVE-2026-39836 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H * CVE-2026-42499 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H * CVE-2026-42501 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H * CVE-2026-42504 ( SUSE ): 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H * CVE-2026-42504 ( SUSE ): 6.9 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N * CVE-2026-42507 ( SUSE ): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N * CVE-2026-42507 ( SUSE ): 6.9 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N Affected Products: openSUSE Leap 16.0 ------------------------------------------------------------- An update that solves 24 vulnerabilities and has 28 bug fixes can now be installed. Description: This update for go1.26-openssl fixes the following issues: Update to go1.26.4 (bsc#1255111). Security issues fixed: - CVE-2026-27140: cmd/go: trust layer bypass when using cgo and SWIG (bsc#1261653). - CVE-2026-27143: cmd/compile: possible memory corruption after bound check elimination (bsc#1261654). - CVE-2026-27144: cmd/compile: no-op interface conversion bypasses overlap checking (bsc#1261655). - CVE-2026-27145: crypto/x509: split candidate hostname only once (bsc#1267450). -CVE-2026-32280: crypto/x509: unexpected work during chain building (bsc#1261656). - CVE-2026-32281: crypto/x509: inefficient policy validation (bsc#1261657). - CVE-2026-32282: os: `Root.Chmod` can follow symlinks out of the root on Linux (bsc#1261658). - CVE-2026-32283: crypto/tls: multiple key update handshake messages can cause connection to deadlock (bsc#1261659). - CVE-2026-32288: archive/tar: unbounded allocation when parsing old format GNU sparse map (bsc#1261660). - CVE-2026-32289: html/template: JS template literal context incorrectly tracked (bsc#1261661). - CVE-2026-33810: crypto/x509: excluded DNS constraints not properly applied to wildcard domains (bsc#1261662). - CVE-2026-33811: net: crash when handling long `CNAME` response (bsc#1264508). - CVE-2026-33814: net/http: infinite loop in HTTP/2 transport when given bad `SETTINGS_MAX_FRAME_SIZE` (bsc#1264506). - CVE-2026-39817: cmd/go: `go tool pack` does not sanitize output paths (bsc#1264505). - CVE-2026-39819: cmd/go: `go bug` follows symlinks in predictable temporary filenames (bsc#1264504). - CVE-2026-39820: net/mail: quadratic string concatentation in `consumeComment` (bsc#1264503). - CVE-2026-39823: html/template: bypass of meta content URL escaping causes XSS (bsc#1264509). - CVE-2026-39825: net/http/httputil: `ReverseProxy` forwards queries with more than `urlmaxqueryparams` parameters (bsc#1264500). - CVE-2026-39826: html/template: escaper bypass leads to XSS (bsc#1264507). - CVE-2026-39836: net: panic in `Dial` and `LookupPort` when handling `NUL` byte on Windows (bsc#1264501). - CVE-2026-42499: net/mail: quadratic string concatenation in `consumePhrase` (bsc#1264502). - CVE-2026-42501: cmd/go: malicious module proxy can bypass checksum database (bsc#1264499). - CVE-2026-42504: mime: quadratic complexity in `WordDecoder.DecodeHeader` (bsc#1267442). - CVE-2026-42507: net/textproto: arbitrary input is included in errors without any escaping (bsc#1267444). Other updates and security fixes: - Go packages miss `binutils-gold` dependency(bsc#1170826). - Drop subpackage `go1.x-libstd` `std` library `.so` refs (jsc#PED-1962). - Use `libalternatives` only on `suse_version > = 1610` and keep `update-alternatives` support for older distributions. - Drop the `update-alternatives` migration path for `libalternatives` builds. - Enable `libalternatives` for SLE16.1 and Tumbleweed (bsc#1245878). - Drop go1.26 dependency on `update-alternatives` (bsc#1264395) - Update to version 1.26.3 cut from the `go1.25-fips-release` branch at the revision tagged `go1.26.3-1-openssl-fips` (jsc#SLE-18320). Patch instructions: To install this openSUSE security update use the suse recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - openSUSE Leap 16.0 zypper in -t patch openSUSE-Leap-16.0-1175=1 Package List: - openSUSE Leap 16.0: go1.26-openssl-1.26.4-160000.1.1 go1.26-openssl-doc-1.26.4-160000.1.1 go1.26-openssl-race-1.26.4-160000.1.1 References: * https://www.suse.com/security/cve/CVE-2026-27140.html * https://www.suse.com/security/cve/CVE-2026-27143.html * https://www.suse.com/security/cve/CVE-2026-27144.html * https://www.suse.com/security/cve/CVE-2026-27145.html * https://www.suse.com/security/cve/CVE-2026-32280.html * https://www.suse.com/security/cve/CVE-2026-32281.html * https://www.suse.com/security/cve/CVE-2026-32282.html * https://www.suse.com/security/cve/CVE-2026-32283.html * https://www.suse.com/security/cve/CVE-2026-32288.html * https://www.suse.com/security/cve/CVE-2026-32289.html * https://www.suse.com/security/cve/CVE-2026-33810.html * https://www.suse.com/security/cve/CVE-2026-33811.html * https://www.suse.com/security/cve/CVE-2026-33814.html * https://www.suse.com/security/cve/CVE-2026-39817.html * https://www.suse.com/security/cve/CVE-2026-39819.html * https://www.suse.com/security/cve/CVE-2026-39820.html * https://www.suse.com/security/cve/CVE-2026-39823.html *https://www.suse.com/security/cve/CVE-2026-39825.html * https://www.suse.com/security/cve/CVE-2026-39826.html * https://www.suse.com/security/cve/CVE-2026-39836.html * https://www.suse.com/security/cve/CVE-2026-42499.html * https://www.suse.com/security/cve/CVE-2026-42501.html * https://www.suse.com/security/cve/CVE-2026-42504.html * https://www.suse.com/security/cve/CVE-2026-42507.html . Update fixes 24 issues in go1.26-openssl on openSUSE Leap, enhancing security and stability.. openSUSE security patch openSUSE Leap software update. . LinuxSecurity.com Team
An update that solves 8 vulnerabilities and has 8 bug fixes can now be installed.. openSUSE security update: security update for clamav ------------------------------------------------------------- Announcement ID: openSUSE-SU-2026:21252-1 Rating: important References: * bsc#1270085 * bsc#1270088 * bsc#1270089 * bsc#1270091 * bsc#1270092 * bsc#1270106 * bsc#1270107 * bsc#1270138 Cross-References: * CVE-2026-20213 * CVE-2026-20214 * CVE-2026-20215 * CVE-2026-20216 * CVE-2026-20217 * CVE-2026-20243 * CVE-2026-20244 * CVE-2026-41676 CVSS scores: * CVE-2026-20213 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H * CVE-2026-20214 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H * CVE-2026-20215 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H * CVE-2026-20216 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H * CVE-2026-20217 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H * CVE-2026-20243 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H * CVE-2026-20244 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H * CVE-2026-41676 ( SUSE ): 6.5 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:H * CVE-2026-41676 ( SUSE ): 8.3 CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:L/VA:H/SC:N/SI:N/SA:N Affected Products: openSUSE Leap 16.0 ------------------------------------------------------------- An update that solves 8 vulnerabilities and has 8 bug fixes can now be installed. Description: This update for clamav fixes the following issues: Update to version 1.5.3. Security issues fixed: - CVE-2026-20213: out-of-bounds write due to improper boundary checks for content in PE files during scanning (bsc#1270107). - CVE-2026-20214: out-of-bounds write due to improper boundary checks for content in FSG files during scanning (bsc#1270085). - CVE-2026-20215: out-of-bounds write due to improper boundary checks for content in 7z files during scanning (bsc#1270088). - CVE-2026-20216: denial of service dueto improper handling of temporary resources during InstallShield file scanning (bsc#1270089). - CVE-2026-20217: out-of-bounds write due to improper boundary checks for content in PESpin files during scanning (bsc#1270091). - CVE-2026-20243: out-of-bounds write due to improper boundary checks for content in ALZ files during scanning (bsc#1270092). - CVE-2026-20244: integer overflow and DoS due to improper boundary checks for content in DMG files during scanning (bsc#1270106). - CVE-2026-41676: buffer overflow due to missing checks via `Deriver:derive`, `PkeyCtxRef:derive` and OpenSSL 1.1.1 (bsc#1270138). Other updates and bugfixes: - Version 1.5.3: * Fixed a bug in the PESpin unpacker cleanup path that could free pointers into the scanned file buffer and crash the scanner. * Fixed an integer overflow in PE rebuild size calculations that could be reached through a malformed Aspack-packed PE file and lead to a heap buffer overflow write. * Fixed an InstallShield archive extraction limit bypass that could write far more temporary data than intended and exhaust temporary storage. * Fixed an FSG unpacker loop underflow that could write past the section array while scanning a malformed PE file. * Fixed ALZ parser size handling bugs that could cause malformed ALZ archives to panic, abort the scanner, or skip expected scan-limit handling. * Fixed a 7z parser substream count overflow that could under-allocate parser metadata arrays and write past them while reading a malformed archive. * Fixed 32-bit DMG parser size checks that could let a short mish stripe table pass validation and crash 32-bit scanner builds. * Hardened clamscan, clamdscan, and clamonacc quarantine actions against time-of-check/time-of-use races that could redirect copied, moved, or removed files under unsafe quarantine directory configurations. * Upgraded the Rust tar dependency to resolve the RUSTSEC-2026-0067 and RUSTSEC-2026-0068 advisories, and upgraded the Rust openssl dependency to resolveCVE-2026-41676. * Raised the minimum required CMake version to 3.17 to fix Linux builds with libcurl v8.21.0 when linking static library dependencies. * Metadata preclass scans now run before the final scan verdict. * ClamOnAcc: Fixed errors when recursively excluded paths are children of an included path. * ClamOnAcc: Fixed hash bucket list corruption when two watched paths collide in the same bucket. Patch instructions: To install this openSUSE security update use the suse recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - openSUSE Leap 16.0 zypper in -t patch openSUSE-Leap-16.0-1173=1 Package List: - openSUSE Leap 16.0: clamav-1.5.3-160000.1.1 clamav-devel-1.5.3-160000.1.1 clamav-docs-html-1.5.3-160000.1.1 clamav-milter-1.5.3-160000.1.1 libclamav12-1.5.3-160000.1.1 libclammspack0-1.5.3-160000.1.1 libfreshclam4-1.5.3-160000.1.1 References: * https://www.suse.com/security/cve/CVE-2026-20213.html * https://www.suse.com/security/cve/CVE-2026-20214.html * https://www.suse.com/security/cve/CVE-2026-20215.html * https://www.suse.com/security/cve/CVE-2026-20216.html * https://www.suse.com/security/cve/CVE-2026-20217.html * https://www.suse.com/security/cve/CVE-2026-20243.html * https://www.suse.com/security/cve/CVE-2026-20244.html * https://www.suse.com/security/cve/CVE-2026-41676.html . Severity update for clamav in openSUSE fixes 8 security issues including buffer overflow and DoS vulnerabilities. Install recommended patches.. clamav security update, openSUSE vulnerabilities, important patch release, clamav DoS fix, openSUSE advisory security. . LinuxSecurity.com Team
An update that solves 26 vulnerabilities and has 10 bug fixes can now be installed.. openSUSE security update: security update for alloy ------------------------------------------------------------- Announcement ID: openSUSE-SU-2026:21251-1 Rating: important References: * bsc#1260981 * bsc#1265440 * bsc#1266196 * bsc#1266654 * bsc#1267185 * bsc#1267333 * bsc#1267481 * bsc#1267485 * bsc#1267488 * bsc#1267489 Cross-References: * CVE-2026-25680 * CVE-2026-25681 * CVE-2026-27136 * CVE-2026-33532 * CVE-2026-39821 * CVE-2026-39827 * CVE-2026-39828 * CVE-2026-39829 * CVE-2026-39830 * CVE-2026-39831 * CVE-2026-39832 * CVE-2026-39833 * CVE-2026-39834 * CVE-2026-39835 * CVE-2026-41889 * CVE-2026-42502 * CVE-2026-42506 * CVE-2026-42508 * CVE-2026-44740 * CVE-2026-45678 * CVE-2026-45682 * CVE-2026-45685 * CVE-2026-45686 * CVE-2026-46595 * CVE-2026-46597 * CVE-2026-46598 CVSS scores: * CVE-2026-25680 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H * CVE-2026-25680 ( SUSE ): 8.7 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N * CVE-2026-25681 ( SUSE ): 6.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N * CVE-2026-25681 ( SUSE ): 5.3 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:L/SI:L/SA:N * CVE-2026-27136 ( SUSE ): 6.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N * CVE-2026-27136 ( SUSE ): 5.3 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:L/SI:L/SA:N * CVE-2026-33532 ( SUSE ): 4.3 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L * CVE-2026-33532 ( SUSE ): 5.3 CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N * CVE-2026-39821 ( SUSE ): 7.4 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N * CVE-2026-39821 ( SUSE ): 9.1 CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N * CVE-2026-39827 ( SUSE ): 6.5 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H * CVE-2026-39827 ( SUSE ): 7.1 CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N * CVE-2026-39828 ( SUSE ):8.1 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N * CVE-2026-39828 ( SUSE ): 8.6 CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N * CVE-2026-39829 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H * CVE-2026-39829 ( SUSE ): 8.7 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N * CVE-2026-39830 ( SUSE ): 6.5 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H * CVE-2026-39830 ( SUSE ): 7.1 CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N * CVE-2026-39831 ( SUSE ): 8.1 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N * CVE-2026-39831 ( SUSE ): 8.6 CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N * CVE-2026-39832 ( SUSE ): 8.4 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N * CVE-2026-39832 ( SUSE ): 6.2 CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N * CVE-2026-39833 ( SUSE ): 7.7 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N * CVE-2026-39833 ( SUSE ): 8.5 CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N * CVE-2026-39834 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H * CVE-2026-39834 ( SUSE ): 8.7 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N * CVE-2026-39835 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H * CVE-2026-39835 ( SUSE ): 8.7 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N * CVE-2026-41889 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H * CVE-2026-41889 ( SUSE ): 7.7 CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N * CVE-2026-42502 ( SUSE ): 6.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N * CVE-2026-42502 ( SUSE ): 5.3 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:L/SI:L/SA:N * CVE-2026-42506 ( SUSE ): 6.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N * CVE-2026-42506 ( SUSE ): 5.3 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:L/SI:L/SA:N * CVE-2026-42508 ( SUSE ): 8.1 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N * CVE-2026-42508 ( SUSE ): 8.6CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N * CVE-2026-44740 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H * CVE-2026-44740 ( SUSE ): 8.7 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N * CVE-2026-45678 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H * CVE-2026-45678 ( SUSE ): 8.7 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N * CVE-2026-45682 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H * CVE-2026-45682 ( SUSE ): 8.7 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N * CVE-2026-45685 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H * CVE-2026-45685 ( SUSE ): 8.7 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N * CVE-2026-45686 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H * CVE-2026-45686 ( SUSE ): 8.7 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N * CVE-2026-46595 ( SUSE ): 8.1 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N * CVE-2026-46595 ( SUSE ): 8.6 CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N * CVE-2026-46597 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H * CVE-2026-46597 ( SUSE ): 8.7 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N * CVE-2026-46598 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H * CVE-2026-46598 ( SUSE ): 8.7 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N Affected Products: openSUSE Leap 16.0 ------------------------------------------------------------- An update that solves 26 vulnerabilities and has 10 bug fixes can now be installed. Description: This update for alloy fixes the following issues: Update to version 1.17.0. Security issues fixed: - CVE-2026-25680: golang.org/x/net/html: parsing arbitrary HTML can consume excessive CPU time, possibly leading to denial of service (bsc#1267185). - CVE-2026-25681: golang.org/x/net/html: parsing arbitrary HTML which is then rendered using Render can result in an unexpected HTML tree and allows for XSS (bsc#1267185). - CVE-2026-27136: golang.org/x/net/html: parsing arbitrary HTML which is then rendered using Render can result in an unexpected HTML tree and allows for XSS (bsc#1267185). - CVE-2026-33532: yaml: parsing input with deeply nestes collections may throw a `RangeError` due to a stack overflow and cause to a denial of service (bsc#1260981). - CVE-2026-39821: golang.org/x/net/idna: failure to reject ASCII-only Punycode-encoded labels allows for validation bypass and privilege escalation (bsc#1266654). - CVE-2026-39827: golang.org/x/crypto/ssh: authenticated SSH clients that repeatedly open channels which were rejected by the server can cause unbounded memory growth and a crash (bsc#1266196). - CVE-2026-39828: golang.org/x/crypto/ssh: permissions discarded when an SSH server authentication callback returns `PartialSuccessError` with non-`nil` permissions (bsc#1266196). - CVE-2026-39829: golang.org/x/crypto/ssh: unenforced size limits on key parameters by the the RSA and DSA public key parsers can lead to excessive CPU consumption when processing a crafted public key (bsc#1266196). - CVE-2026-39830: golang.org/x/crypto/ssh: malicious SSH peers sending unsolicited global request responses can block a connection's read loop and cause a resource leak (bsc#1266196). - CVE-2026-39831: golang.org/x/crypto/ssh: missing `User Presence` flag checks in the `Verify()` method for FIDO/U2F security key types cause signatures generated without physical touch to be accepted (bsc#1266196). - CVE-2026-39832: golang.org/x/crypto/ssh: destination restrictions are silently stripped when forwarding keys and allow for unrestricted use of a key on a remote host (bsc#1266196). - CVE-2026-39833: golang.org/x/crypto/ssh: in-memory keyring returned by `NewKeyring()` silently accepts keys with the `ConfirmBeforeUse` constraint but never enforces it (bsc#1266196). - CVE-2026-39834: golang.org/x/crypto/ssh: writing data larger than 4GB in a single `Write` call on an SSHchannel leads to an integer overflow and an infinite loop that sends empty packets (bsc#1266196). - CVE-2026-39835: golang.org/x/crypto/ssh: processing of certificates by SSH servers using `CertChecker` as a public key callback without setting `IsUserAuthority` or `IsHostAuthority` can lead to a panic (bsc#1266196). - CVE-2026-41889: github.com/jackc/pgx/v5/internal/sanitize: use placeholders in dollar-quoted string literals in an SQL query can lead to a SQL injection (bsc#1265440). - CVE-2026-42502: golang.org/x/net/html: parsing arbitrary HTML which is then rendered using Render can result in an unexpected HTML tree and allows for XSS (bsc#1267185). - CVE-2026-42506: golang.org/x/net/html: parsing arbitrary HTML which is then rendered using Render can result in an unexpected HTML tree and allows for XSS (bsc#1267185). - CVE-2026-42508: golang.org/x/crypto/ssh: revoked `SignatureKey`s belonging to a CA are not correctly checked for revocation (bsc#1266196). - CVE-2026-44740: github.com/go-git/go-billy/v5: improper input handling in many components can lead to DoS via infinite loops, panics or resource consumption (bsc#1267333). - CVE-2026-45678: go.opentelemetry.io/obi: Postgres BIND parsing can lead to a panic when malformed payloads are processed (bsc#1267481). - CVE-2026-45682: go.opentelemetry.io/obi: keys not deleted by `CappedConcurrentHashMap` after removals allows repeated connection churn to grow the queue without bound and exhaust heap memory (bsc#1267485). - CVE-2026-45685: go.opentelemetry.io/obi: MongoDB TCP parser panics on malformed wire messages and causes a DoS (bsc#1267488). - CVE-2026-45686: go.opentelemetry.io/obi: integer overflow in memcached text protocol parser can crash the OBI process and cause denial of service (bsc#1267489). - CVE-2026-46595: golang.org/x/crypto/ssh: source-address validation is skipped if any other type of callback is passed other than public key (bsc#1266196). - CVE-2026-46597: golang.org/x/crypto/ssh: incorrectly placed cast from bytes toint in the AES-GCM packet decoder when processing specially crafted input can lead to for server-side panic (bsc#1266196). - CVE-2026-46598: golang.org/x/crypto/ssh: `ed25519.PrivateKey` created by casting malformed wire bytes due to processing of certain crafted inputs can lead to panic when used (bsc#1266196). Other updates and bugfixes: - Version 1.17.0: * Features * Add GraphQL server and `gql` subcommand. * `otelcol`: Add Nginx receiver. * `otelcol.exporter.prometheus`: Convert classic histograms to NHCB. * `database_observability`: Various enhancements for MySQL and Postgres. * `faro.receiver`: Support gzip-compressed request bodies. * Update to Beyla 3.9.8. * Bug Fixes * security: Update `x/crypto`, `x/net`, `jackc/pgx/v5`, and `obi`. * cluster: Fix nodes failing to join the cluster with TLS enabled. * `loki.process`: Fix potential deadlocks and limit stage shutdown. * Update Go to v1.26.4. - Version 1.16.3: * cluster: Fix nodes failing to join the cluster when TLS is enabled. - Version 1.16.2: * `loki.process`: No longer mutate rules in `stage.truncate` causing every config update to reload pipeline when this stage is used. * `loki.process`: Potential deadlock on update with stage and receiver changes. * `otelcol.exporter.awss3`: Add missing `unique_key_func_name` attribute. - Remove dependency on vulnerable `yaml` library. Patch instructions: To install this openSUSE security update use the suse recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - openSUSE Leap 16.0 zypper in -t patch openSUSE-Leap-16.0-1172=1 Package List: - openSUSE Leap 16.0: alloy-1.17.0-160000.1.1 References: * https://www.suse.com/security/cve/CVE-2026-25680.html * https://www.suse.com/security/cve/CVE-2026-25681.html * https://www.suse.com/security/cve/CVE-2026-27136.html * https://www.suse.com/security/cve/CVE-2026-33532.html *https://www.suse.com/security/cve/CVE-2026-39821.html * https://www.suse.com/security/cve/CVE-2026-39827.html * https://www.suse.com/security/cve/CVE-2026-39828.html * https://www.suse.com/security/cve/CVE-2026-39829.html * https://www.suse.com/security/cve/CVE-2026-39830.html * https://www.suse.com/security/cve/CVE-2026-39831.html * https://www.suse.com/security/cve/CVE-2026-39832.html * https://www.suse.com/security/cve/CVE-2026-39833.html * https://www.suse.com/security/cve/CVE-2026-39834.html * https://www.suse.com/security/cve/CVE-2026-39835.html * https://www.suse.com/security/cve/CVE-2026-41889.html * https://www.suse.com/security/cve/CVE-2026-42502.html * https://www.suse.com/security/cve/CVE-2026-42506.html * https://www.suse.com/security/cve/CVE-2026-42508.html * https://www.suse.com/security/cve/CVE-2026-44740.html * https://www.suse.com/security/cve/CVE-2026-45678.html * https://www.suse.com/security/cve/CVE-2026-45682.html * https://www.suse.com/security/cve/CVE-2026-45685.html * https://www.suse.com/security/cve/CVE-2026-45686.html * https://www.suse.com/security/cve/CVE-2026-46595.html * https://www.suse.com/security/cve/CVE-2026-46597.html * https://www.suse.com/security/cve/CVE-2026-46598.html . Critical openSUSE security update for alloy resolves 26 issues, enhancing stability and preventing service disruptions.. openSUSE security advisory software update vulnerabilities patch. . LinuxSecurity.com Team
An update that solves 2 vulnerabilities and has 2 bug fixes can now be installed.. openSUSE security update: security update for trivy ------------------------------------------------------------- Announcement ID: openSUSE-SU-2026:21249-1 Rating: important References: * bsc#1269269 * bsc#1269271 Cross-References: * CVE-2026-54448 * CVE-2026-55092 CVSS scores: * CVE-2026-54448 ( SUSE ): 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H * CVE-2026-54448 ( SUSE ): 6.9 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N * CVE-2026-55092 ( SUSE ): 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H * CVE-2026-55092 ( SUSE ): 8.6 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N Affected Products: openSUSE Leap 16.0 ------------------------------------------------------------- An update that solves 2 vulnerabilities and has 2 bug fixes can now be installed. Description: This update for trivy fixes the following issues Update to version 0.72.0. - CVE-2026-54448: tar unpacker reads scanned Helm chart archives (.tgz) with `io.ReadAll(tr)` and defines no size limit, which can lead to a DoS (bsc#1269271). - CVE-2026-55092: `org.opencontainers.image.title` annotation from OCI artifact manifest is used as a destination filename without validation and can lead to arbitrary file writes (bsc#1269269). Other updates and bugfixes: - Version 0.72.0: * feat(bottlerocket): add vulnerability matching for Bottlerocket OS (#10893) * fix(misconf): support github_repository_vulnerability_alerts resource (#10680) * feat(java): detect JAR licenses from packaged LICENSE files (#10856) * fix(nodejs): parse project dependencies from multi-document pnpm-lock.yaml (#10861) * fix(server): propagate package repository class in client/server mode (#10874) * chore(deps): bump github.com/containerd/containerd/v2 from 2.3.1 to 2.3.2 (#10888) * fix(vuln): fall back to UNKNOWN severity when vulnerability details are missing (#10795) * feat(java): detect JARlicenses from the embedded pom.xml (#10851) * chore(deps): Upgrade github.com/cenkalti/backoff to v6 (#10863) * ci(helm): bump Trivy version to 0.71.2 for Trivy Helm Chart 0.23.2 (#10873) * chore(deps): bump alpine to 3.24.1 (#10868) * docs: fix article typo in plugin developer guide (#10860) * feat(misconf): Adds CloudFront standard logging v2 support to AVD-AWS-0010 (#10848) * docs: fix typos (#10857) * fix(terraform): avoid data race on global getter.Getters in remote module resolver (#10843) * feat(secret): support new stateless format for GitHub App installation tokens (#10826) * fix: correct format verbs in diagnostic messages (#10805) * ci(helm): bump Trivy version to 0.71.1 for Trivy Helm Chart 0.23.1 (#10845) * refactor: use ParseErrorsAllowlist instead of ParseErrorsWhitelist (#10830) * docs: fix repository scan heading typo (#10828) * fix: forward ospkg detector options through ospkg.NewScanner (#10811) * chore(deps): bump github.com/bufbuild/buf to v1.70.0 (#10801) * fix(vex): load VEX documents from within the repository directory (#10820) * ci!: migrate docker config to dockers_v2 (#10783) * feat(dotnet): detect bundled runtime in self-contained deployments (#10786) * feat(secret): add OpenAI secret detection rules (#10798) * ci: expect GitHub App bot as backport PR author (#10813) * fix: surface the original analysis error instead of context cancellation (#10793) * chore(deps): bump the github-actions group across 1 directory with 11 updates (#10803) * chore(deps): bump the common group with 4 updates (#10797) * chore(deps): bump the aws group with 4 updates (#10796) * fix: use random suffix for process temp directory instead of PID (#10431) * docs: update signature verification for deb and rpm packages (#10784) * fix(image): lookup origin layer for custom resources in merged layers (#10788) * ci: bump GoReleaser to v2.16.0 (#10774) * docs: fix broken nixpkgs reference link in installation guide (#10776) * fix(image): deterministic OSpackage deduplication for images with embedded SBOMs (#10777) * fix(spdx): guard against nil root component in SPDX marshaler (#10771) * ci(helm): bump Trivy version to 0.71.0 for Trivy Helm Chart 0.23.0 (#10768) Patch instructions: To install this openSUSE security update use the suse recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - openSUSE Leap 16.0 zypper in -t patch openSUSE-Leap-16.0-1170=1 Package List: - openSUSE Leap 16.0: trivy-0.72.0-160000.1.1 References: * https://www.suse.com/security/cve/CVE-2026-54448.html * https://www.suse.com/security/cve/CVE-2026-55092.html . Updates for openSUSE's trivy resolve significant issues including denial of service and file write vulnerabilities. Stay secure!. openSUSE security. . LinuxSecurity.com Team
An update that solves 4 vulnerabilities and has 4 bug fixes can now be installed.. openSUSE security update: security update for docker-compose ------------------------------------------------------------- Announcement ID: openSUSE-SU-2026:21247-1 Rating: important References: * bsc#1239340 * bsc#1239766 * bsc#1265782 * bsc#1266625 Cross-References: * CVE-2025-0495 * CVE-2025-22869 * CVE-2026-33814 * CVE-2026-39821 CVSS scores: * CVE-2025-0495 ( SUSE ): 5.9 CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:N * CVE-2025-0495 ( SUSE ): 4.1 CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:P/VC:L/VI:N/VA:N/SC:H/SI:N/SA:N * CVE-2025-22869 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H * CVE-2025-22869 ( SUSE ): 8.2 CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N * CVE-2026-33814 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H * CVE-2026-39821 ( SUSE ): 7.4 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N * CVE-2026-39821 ( SUSE ): 9.1 CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N Affected Products: openSUSE Leap 16.0 ------------------------------------------------------------- An update that solves 4 vulnerabilities and has 4 bug fixes can now be installed. Description: This update for docker-compose fixes the following issues - CVE-2025-0495: buildx: credential leakage to telemetry endpoints when credentials allowed to be set as attribute values in cache-to/cache-from configuration (bsc#1239766). - CVE-2025-22869: golang.org/x/crypto/ssh: Denial of Service in the Key Exchange of golang.org/x/crypto/ssh (bsc#1239340). - CVE-2026-33814: golang.org/x/net/http2: infinite loop in HTTP/2 transport when given bad SETTINGS_MAX_FRAME_SIZE (bsc#1265782). - CVE-2026-39821: golang.org/x/net/idna: failure to reject ASCII-only Punycode-encoded labels allows for validation bypass and privilege escalation (bsc#1266625). Patch instructions: To install this openSUSE security update use the suse recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - openSUSE Leap 16.0 zypper in -t patch openSUSE-Leap-16.0-1168=1 Package List: - openSUSE Leap 16.0: docker-compose-2.33.1-160000.5.1 References: * https://www.suse.com/security/cve/CVE-2025-0495.html * https://www.suse.com/security/cve/CVE-2025-22869.html * https://www.suse.com/security/cve/CVE-2026-33814.html * https://www.suse.com/security/cve/CVE-2026-39821.html . An important update for openSUSE addresses four significant issues in docker-compose, enhancing its security and reliability.. openSUSE update security docker-compose important. . LinuxSecurity.com Team
An update that solves 20 vulnerabilities and has 2 bug fixes can now be installed.. openSUSE security update: security update for podman ------------------------------------------------------------- Announcement ID: openSUSE-SU-2026:21244-1 Rating: important References: * bsc#1262856 * bsc#1266125 Cross-References: * CVE-2025-22869 * CVE-2025-47913 * CVE-2025-47914 * CVE-2025-52881 * CVE-2025-6032 * CVE-2025-9566 * CVE-2026-34986 * CVE-2026-39827 * CVE-2026-39828 * CVE-2026-39829 * CVE-2026-39830 * CVE-2026-39831 * CVE-2026-39832 * CVE-2026-39833 * CVE-2026-39834 * CVE-2026-39835 * CVE-2026-42508 * CVE-2026-46595 * CVE-2026-46597 * CVE-2026-46598 CVSS scores: * CVE-2025-22869 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H * CVE-2025-22869 ( SUSE ): 8.2 CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N * CVE-2025-47913 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H * CVE-2025-47913 ( SUSE ): 8.7 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N * CVE-2025-47914 ( SUSE ): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L * CVE-2025-47914 ( SUSE ): 6.9 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N * CVE-2025-52881 ( SUSE ): 7.8 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H * CVE-2025-52881 ( SUSE ): 7.3 CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H * CVE-2025-6032 ( SUSE ): 8.3 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H * CVE-2025-6032 ( SUSE ): 9 CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H * CVE-2025-9566 ( SUSE ): 8.1 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H * CVE-2025-9566 ( SUSE ): 7.2 CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N * CVE-2026-34986 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H * CVE-2026-34986 ( SUSE ): 8.7 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N * CVE-2026-39827 ( SUSE ): 6.5 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H * CVE-2026-39827 ( SUSE): 7.1 CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N * CVE-2026-39828 ( SUSE ): 8.1 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N * CVE-2026-39828 ( SUSE ): 8.6 CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N * CVE-2026-39829 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H * CVE-2026-39829 ( SUSE ): 8.7 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N * CVE-2026-39830 ( SUSE ): 6.5 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H * CVE-2026-39830 ( SUSE ): 7.1 CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N * CVE-2026-39831 ( SUSE ): 8.1 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N * CVE-2026-39831 ( SUSE ): 8.6 CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N * CVE-2026-39832 ( SUSE ): 8.4 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N * CVE-2026-39832 ( SUSE ): 6.2 CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N * CVE-2026-39833 ( SUSE ): 7.7 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N * CVE-2026-39833 ( SUSE ): 8.5 CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N * CVE-2026-39834 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H * CVE-2026-39834 ( SUSE ): 8.7 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N * CVE-2026-39835 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H * CVE-2026-39835 ( SUSE ): 8.7 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N * CVE-2026-42508 ( SUSE ): 8.1 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N * CVE-2026-42508 ( SUSE ): 8.6 CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N * CVE-2026-46595 ( SUSE ): 8.1 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N * CVE-2026-46595 ( SUSE ): 8.6 CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N * CVE-2026-46597 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H * CVE-2026-46597 ( SUSE ): 8.7 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N * CVE-2026-46598 ( SUSE ): 7.5CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H * CVE-2026-46598 ( SUSE ): 8.7 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N Affected Products: openSUSE Leap 16.0 ------------------------------------------------------------- An update that solves 20 vulnerabilities and has 2 bug fixes can now be installed. Description: This update for podman fixes the following issues - CVE-2026-34986: github.com/go-jose/go-jose/v4,github.com/go-jose/go-jose/v3: crafted JWE input with a missing encrypted key can lead to a denial of service (bsc#1262856). - CVE-2026-39827: Invoking memory leak when rejecting channels can lead to DoS in golang.org/x/crypto/ssh (bsc#1266125). - CVE-2026-39828: Invoking bypass of certificate restrictions in golang.org/x/crypto/ssh (bsc#1266125). - CVE-2026-39829: Invoking pathological RSA/DSA parameters may cause DoS in golang.org/x/crypto/ssh (bsc#1266125). - CVE-2026-39830: Invoking client can cause server deadlock on unexpected responses in golang.org/x/crypto/ssh (bsc#1266125). - CVE-2026-39831: Invoking bypass of FIDO/U2F security keys physical interaction in golang.org/x/crypto/ssh (bsc#1266125). - CVE-2026-39832: Invoking agent constraints dropped when forwarding keys in golang.org/x/crypto/ssh/agent (bsc#1266125). - CVE-2026-39833: Invoking key constraints not enforced in golang.org/x/crypto/ssh/agent (bsc#1266125). - CVE-2026-39834: Invoking infinite loop on large channel writes in golang.org/x/crypto/ssh (bsc#1266125). - CVE-2026-39835: Invoking server panic during CheckHostKey/Authenticate in golang.org/x/crypto/ssh (bsc#1266125). - CVE-2026-42508: Invoking auth bypass via unenforced @revoked status in golang.org/x/crypto/ssh/knownhosts (bsc#1266125). - CVE-2026-46595: Invoking VerifiedPublicKeyCallback permissions skip enforcement in golang.org/x/crypto/ssh (bsc#1266125). - CVE-2026-46597: Invoking byte arithmetic causes underflow and panic in golang.org/x/crypto/ssh (bsc#1266125). - CVE-2026-46598: Invoking pathological inputs can lead toclient panic in golang.org/x/crypto/ssh/agent (bsc#1266125). Patch instructions: To install this openSUSE security update use the suse recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - openSUSE Leap 16.0 zypper in -t patch openSUSE-Leap-16.0-1165=1 Package List: - openSUSE Leap 16.0: podman-5.4.2-160000.5.1 podman-docker-5.4.2-160000.5.1 podman-remote-5.4.2-160000.5.1 podmansh-5.4.2-160000.5.1 References: * https://www.suse.com/security/cve/CVE-2025-22869.html * https://www.suse.com/security/cve/CVE-2025-47913.html * https://www.suse.com/security/cve/CVE-2025-47914.html * https://www.suse.com/security/cve/CVE-2025-52881.html * https://www.suse.com/security/cve/CVE-2025-6032.html * https://www.suse.com/security/cve/CVE-2025-9566.html * https://www.suse.com/security/cve/CVE-2026-34986.html * https://www.suse.com/security/cve/CVE-2026-39827.html * https://www.suse.com/security/cve/CVE-2026-39828.html * https://www.suse.com/security/cve/CVE-2026-39829.html * https://www.suse.com/security/cve/CVE-2026-39830.html * https://www.suse.com/security/cve/CVE-2026-39831.html * https://www.suse.com/security/cve/CVE-2026-39832.html * https://www.suse.com/security/cve/CVE-2026-39833.html * https://www.suse.com/security/cve/CVE-2026-39834.html * https://www.suse.com/security/cve/CVE-2026-39835.html * https://www.suse.com/security/cve/CVE-2026-42508.html * https://www.suse.com/security/cve/CVE-2026-46595.html * https://www.suse.com/security/cve/CVE-2026-46597.html * https://www.suse.com/security/cve/CVE-2026-46598.html . This security update resolves 20 issues in podman on openSUSE, ensuring system integrity and performance. Recommended action: update.. opensuse update, podman security, important advisory. . LinuxSecurity.com Team
Get the latest Linux and open source security news straight to your inbox.