
openSUSE has rolled out a batch of moderate-rated security updates for several widely used packages across Tumbleweed and SLE Backports. Administrators need to apply these updates promptly because flaws in apptainer, memcached, Python Authlib, the live555 media libraries, and perl-YAML-Syck could expose systems to remote exploitation. The fixes address multiple CVEs that previously allowed attackers to trigger memory corruption or execute unauthorized commands through unpatched network services. You can deploy the updates immediately with the standard zypper patch routine or the YaST management console without interrupting daily operations.

* openSUSE-SU-2026:10887-1: moderate: apptainer-1.4.5-6.1 on GA media
* openSUSE-SU-2026:10883-1: moderate: python311-Authlib-1.7.2-1.1 on GA media
* openSUSE-SU-2026:10882-1: moderate: memcached-1.6.42-1.1 on GA media
* openSUSE-SU-2026:10881-1: moderate: libBasicUsageEnvironment2-2026.04.22-1.1 on GA media
* openSUSE-SU-2026:0180-1: moderate: Security update for perl-YAML-Syck






# apptainer-1.4.5-6.1 on GA media

Announcement ID: openSUSE-SU-2026:10887-1
Rating: moderate

Cross-References:

* CVE-2026-39821

CVSS scores:

* CVE-2026-39821 ( SUSE ): 7.4 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
* CVE-2026-39821 ( SUSE ): 9.1 CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

Affected Products:

* openSUSE Tumbleweed

An update that solves one vulnerability can now be installed.

## Description:

These are all security issues fixed in the apptainer-1.4.5-6.1 package on the GA media of openSUSE Tumbleweed.

## Package List:

* openSUSE Tumbleweed:
  * apptainer 1.4.5-6.1
  * apptainer-leap 1.4.5-6.1

## References:

* https://www.suse.com/security/cve/CVE-2026-39821.html





# python311-Authlib-1.7.2-1.1 on GA media

Announcement ID: openSUSE-SU-2026:10883-1
Rating: moderate

Cross-References:

* CVE-2026-44681

CVSS scores:

* CVE-2026-44681 ( SUSE ): 6.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Affected Products:

* openSUSE Tumbleweed

An update that solves one vulnerability can now be installed.

## Description:

These are all security issues fixed in the python311-Authlib-1.7.2-1.1 package on the GA media of openSUSE Tumbleweed.

## Package List:

* openSUSE Tumbleweed:
  * python311-Authlib 1.7.2-1.1
  * python313-Authlib 1.7.2-1.1
  * python314-Authlib 1.7.2-1.1

## References:

* https://www.suse.com/security/cve/CVE-2026-44681.html





# memcached-1.6.42-1.1 on GA media

Announcement ID: openSUSE-SU-2026:10882-1
Rating: moderate

Cross-References:

* CVE-2026-47783
* CVE-2026-47784

CVSS scores:

* CVE-2026-47783 ( SUSE ): 8.1 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
* CVE-2026-47784 ( SUSE ): 8.1 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Affected Products:

* openSUSE Tumbleweed

An update that solves 2 vulnerabilities can now be installed.

## Description:

These are all security issues fixed in the memcached-1.6.42-1.1 package on the GA media of openSUSE Tumbleweed.

## Package List:

* openSUSE Tumbleweed:
  * memcached 1.6.42-1.1
  * memcached-devel 1.6.42-1.1

## References:

* https://www.suse.com/security/cve/CVE-2026-47783.html
* https://www.suse.com/security/cve/CVE-2026-47784.html





# libBasicUsageEnvironment2-2026.04.22-1.1 on GA media

Announcement ID: openSUSE-SU-2026:10881-1
Rating: moderate

Cross-References:

* CVE-2026-41470

CVSS scores:

* CVE-2026-41470 ( SUSE ): 5.9 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

Affected Products:

* openSUSE Tumbleweed

An update that solves one vulnerability can now be installed.

## Description:

These are all security issues fixed in the libBasicUsageEnvironment2-2026.04.22-1.1 package on the GA media of openSUSE Tumbleweed.

## Package List:

* openSUSE Tumbleweed:
  * libBasicUsageEnvironment2 2026.04.22-1.1
  * libUsageEnvironment3 2026.04.22-1.1
  * libgroupsock33 2026.04.22-1.1
  * libliveMedia118 2026.04.22-1.1
  * live555 2026.04.22-1.1
  * live555-devel 2026.04.22-1.1

## References:

* https://www.suse.com/security/cve/CVE-2026-41470.html





openSUSE Security Update: Security update for perl-YAML-Syck
_______________________________

Announcement ID: openSUSE-SU-2026:0180-1
Rating: moderate
References: #1252111 #1259757
Cross-References: CVE-2025-11683 CVE-2026-4177
CVSS scores:
CVE-2025-11683 (SUSE): 6.5 CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Affected Products:
openSUSE Backports SLE-15-SP7
_______________________________

An update that fixes two vulnerabilities is now available.

Description:

This update for perl-YAML-Syck fixes the following issues:

updated to 1.450.0 (1.45) see
/usr/share/doc/packages/perl-YAML-Syck/Changes

* 1.45 Apr 23 2026

[Bug Fixes]

- Fix: use syck_base64_free() to fix Windows "Free to wrong pool"
crash in base64 encode/decode buffers; also plugs a memory leak (PR
#189)
- Fix: clear type tag on blessed scalar alias early-return so the
stale tag no longer leaks onto the next emitted item (GH #193, PR
#194)
- Fix: negative float#base60 values produce wrong results; strip sign
before accumulating and avoid negative zero for portable
stringification (PR #191)
- Fix: prevent memory leaks when Load/LoadJSON croak on parse errors
(PR #192)

[Maintenance]

- Test: add coverage for SortKeys and JSON MaxDepth (PR #188)
- Test: add error handling coverage for LoadFile/DumpFile (PR #190)
- Update README

updated to 1.440.0 (1.44) see
/usr/share/doc/packages/perl-YAML-Syck/Changes

* 1.44 Apr 02 2026

[Bug Fixes]

- Fix: positive hex and octal values parsed as 0 with ImplicitTyping
(PR #187)
- Fix: resolve uintptr_t redefinition error on Win64 MinGW (PR #186)

* 1.43 Apr 01 2026

[Bug Fixes]

- Fix: prevent resource leaks on croak/early-return paths in Dump (PR
#161)
- Fix: prevent output SV leaks on croak in Dump/DumpFile callers (PR
#163)
- Fix: Load() in list context returns empty list for empty/undef
input; also applies to LoadBytes and LoadUTF8 (GH #164, PR #165)
- Fix: DumpCode serializes prototype string instead of code body (PR
#168)
- Fix: memory leak in !perl/scalar Load newRV_inc should be
newRV_noinc (PR #170)
- Fix: add pTHX_ to SAVEDESTRUCTOR_X callback for threaded Perl (GH
#175, PR #176)
- Fix: add TODO guard for eval_pv leak on Perl < 5.14 (GH #179, PR
#180)
- Fix: negative hex and octal values parsed as 0 with ImplicitTyping
(PR #183)
- Fix: negative int#base60 values produce unsigned wraparound (PR #185)

[Improvements]

- Modernize META_MERGE for CPANTS compliance (PR #162)
- Fix hash table size handling and remove compile warnings in syck_st
(PR #174)

[Maintenance]

- Restore TODO guard for Dump code leak test on Perl < 5.26 (PR #167)
- Resolve 2010 TODO in perl_json_postprocess with test coverage (PR
#166)
- CI: upgrade actions to resolve Node.js 20 deprecation warnings (PR
#177)

* 1.42 Mar 27 2026

[Bug Fixes]

- Fix: replace strtok() with strpbrk() and fix sign-compare warnings
in perl_syck.h (PR #145)
- Fix: terminate plain scalars at document boundaries --- and ... (PR
#150)
- Fix: skip %TAG and %YAML directives in document header (PR #151)
- Fix: plug SV leak when eval_pv croaks on bad perl/code blocks (PR
#153)
- Fix: allow non-specific tag '!' before block scalars (GH #27, PR
#102)
- Fix: remove spurious %type for indent_open in gram.y (GH
#157, PR #158)
- Fix: use modern bison %define api.prefix directive (GH #159, PR #160)

[Improvements]

- Implement YAML merge key (