openSUSE-SU-2024:0302-1: important: Security update for chromium
openSUSE-SU-2024:0328-1: moderate: Security update for roundcubemail
openSUSE-SU-2026:0183-1: important: Security update for roundcubemail
openSUSE-SU-2026:0087-1: important: Security update for python-simpleeval
SUSE-SU-2026:2370-1: important: Security update for nginx
SUSE-SU-2026:2368-1: important: Security update for strongswan
SUSE-SU-2026:2371-1: important: Security update for openssh
SUSE-SU-2026:2376-1: important: Security update for webkit2gtk3
SUSE-SU-2026:2374-1: important: Security update for tomcat11
SUSE-SU-2026:2375-1: important: Security update for openssh
SUSE-SU-2026:2378-1: important: Security update for webkit2gtk3
openSUSE-SU-2025:0270-1: moderate: Security update for xtrabackup
openSUSE-SU-2026:10984-1: moderate: libzypp-17.38.13-1.1 on GA media
openSUSE-SU-2026:10989-1: moderate: python311-Django4-4.2.30-3.1 on GA media
openSUSE-SU-2026:10986-1: moderate: perl-DBI-1.648.0-1.1 on GA media
openSUSE-SU-2026:10985-1: moderate: libIex-3_4-33-3.4.12-1.1 on GA media
openSUSE-SU-2026:10983-1: moderate: gdk-pixbuf-loader-libheif-1.23.0-2.1 on GA media
openSUSE-SU-2026:10987-1: moderate: perl-Git-Repository-1.326.0-1.1 on GA media
openSUSE-SU-2026:10988-1: moderate: perl-Protocol-HTTP2-1.130.0-1.1 on GA media
openSUSE-SU-2026:10982-1: moderate: graphite2-1.3.15-1.1 on GA media
openSUSE-SU-2026:10981-1: moderate: grafana-11.6.14+security04-2.1 on GA media
openSUSE-SU-2026:10980-1: moderate: flannel-0.28.5-1.1 on GA media
SUSE-SU-2026:2365-1: moderate: Security update for cosign
openSUSE-SU-2026:0200-1: important: Security update for NetworkManager-libreswan
openSUSE-SU-2026:0198-1: critical: Security update for kanidm
openSUSE-SU-2024:0302-1: important: Security update for chromium
openSUSE Security Update: Security update for chromium
_______________________________
Announcement ID: openSUSE-SU-2024:0302-1
Rating: important
References: #1230391
Cross-References: CVE-2024-8636 CVE-2024-8637 CVE-2024-8638
CVE-2024-8639
Affected Products:
openSUSE Backports SLE-15-SP6
_______________________________
An update that fixes four vulnerabilities is now available.
Description:
This update for chromium fixes the following issues:
Chromium 128.0.6613.137 (released 2024-09-10) (boo#1230391)
* CVE-2024-8636: Heap buffer overflow in Skia
* CVE-2024-8637: Use after free in Media Router
* CVE-2024-8638: Type Confusion in V8
* CVE-2024-8639: Use after free in Autofill
Patch Instructions:
To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
- openSUSE Backports SLE-15-SP6:
zypper in -t patch openSUSE-2024-302=1
Package List:
- openSUSE Backports SLE-15-SP6 (aarch64 x86_64):
chromedriver-128.0.6613.137-bp156.2.26.1
chromedriver-debuginfo-128.0.6613.137-bp156.2.26.1
chromium-128.0.6613.137-bp156.2.26.1
chromium-debuginfo-128.0.6613.137-bp156.2.26.1
References:
https://www.suse.com/security/cve/CVE-2024-8636.html
https://www.suse.com/security/cve/CVE-2024-8637.html
https://www.suse.com/security/cve/CVE-2024-8638.html
https://www.suse.com/security/cve/CVE-2024-8639.html
https://bugzilla.suse.com/1230391
openSUSE-SU-2024:0328-1: moderate: Security update for roundcubemail
openSUSE Security Update: Security update for roundcubemail
_______________________________
Announcement ID: openSUSE-SU-2024:0328-1
Rating: moderate
References: #1228900 #1228901
Cross-References: CVE-2024-42008 CVE-2024-42009 CVE-2024-42010
Affected Products:
openSUSE Backports SLE-15-SP6
_______________________________
An update that fixes three vulnerabilities is now available.
Description:
This update for roundcubemail fixes the following issues:
Update to 1.6.8
This is a security update to the stable version 1.6 of
Roundcube Webmail. It provides fixes to recently reported security
vulnerabilities:
* Fix XSS vulnerability in post-processing of sanitized HTML content
[CVE-2024-42009]
* Fix XSS vulnerability in serving of attachments other than HTML or SVG
[CVE-2024-42008]
* Fix information leak (access to remote content) via insufficient CSS
filtering [CVE-2024-42010]
CHANGELOG
* Managesieve: Protect special scripts in managesieve_kolab_master mode
* Fix newmail_notifier notification focus in Chrome (#9467)
* Fix fatal error when parsing some TNEF attachments (#9462)
* Fix double scrollbar when composing a mail with many plain text lines
(#7760)
* Fix decoding mail parts with multiple base64-encoded text blocks
(#9290)
* Fix bug where some messages could get malformed in an import from a
MBOX file (#9510)
* Fix invalid line break characters in multi-line text in Sieve scripts
(#9543)
* Fix bug where "with attachment" filter could fail on some fts engines
(#9514)
* Fix bug where an unhandled exception was caused by an invalid image
attachment (#9475)
* Fix bug where a long subject title could not be displayed in some
cases (#9416)
* Fix infinite loop when parsing malformed Sieve script (#9562)
* Fix bug where imap_conn_option's 'socket' was ignored (#9566)
* Fix XSS vulnerability in post-processing of sanitized HTML content
[CVE-2024-42009]
* Fix XSS vulnerability in serving of attachments other than HTML or SVG
[CVE-2024-42008]
* Fix information leak (access to remote content) via insufficient CSS
filtering [CVE-2024-42010]
Patch Instructions:
To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
- openSUSE Backports SLE-15-SP6:
zypper in -t patch openSUSE-2024-328=1
Package List:
- openSUSE Backports SLE-15-SP6 (noarch):
roundcubemail-1.6.8-bp156.2.3.1
References:
https://www.suse.com/security/cve/CVE-2024-42008.html
https://www.suse.com/security/cve/CVE-2024-42009.html
https://www.suse.com/security/cve/CVE-2024-42010.html
https://bugzilla.suse.com/1228900
https://bugzilla.suse.com/1228901
openSUSE-SU-2026:0183-1: important: Security update for roundcubemail
openSUSE Security Update: Security update for roundcubemail
_______________________________
Announcement ID: openSUSE-SU-2026:0183-1
Rating: important
References: #1266329 #1266331 #1266332 #1266333 #1266334
#1266335 #1266336 #1266337
Cross-References: CVE-2026-48842 CVE-2026-48843 CVE-2026-48844
CVE-2026-48845 CVE-2026-48846 CVE-2026-48847
CVE-2026-48848 CVE-2026-48849
Affected Products:
openSUSE Backports SLE-15-SP6
openSUSE Backports SLE-15-SP7
_______________________________
An update that fixes 8 vulnerabilities is now available.
Description:
This update for roundcubemail fixes the following issues:
Update to 1.6.16
- Fix potential too long value in IMAP ID command (#10136)
- CVE-2026-48849: Fix stored XSS/HTML/CSS injection in subject field of
the draft restore dialog [boo#1266337]
- CVE-2026-48848: Fix CSS injection bypass in HTML sanitizer via SVG
[boo#1266336]
- CVE-2026-48842: Fix pre-auth SQL injection in virtuser_query plugin via
preg_replace backslash escape bypass [boo#1266329]
- CVE-2026-48843: Fix SSRF bypass via specific local address URLs
[boo#1266331]
- CVE-2026-48846: Fix bypass of remote image blocking via CSS var()
[boo#1266334]
- CVE-2026-48845: Fix local/private URL fetch bypass when remote resources
were not allowed [boo#1266333]
- CVE-2026-48847: Fix pre-auth arbitrary file delete via redis/memcache
session poisoning bypass [boo#1266335]
- CVE-2026-48844: Fix code injection vulnerability - remove support for
code evaluation in LDAP autovalues option [boo#1266332]
Patch Instructions:
To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
- openSUSE Backports SLE-15-SP7:
zypper in -t patch openSUSE-2026-183=1
- openSUSE Backports SLE-15-SP6:
zypper in -t patch openSUSE-2026-183=1
Package List:
- openSUSE Backports SLE-15-SP7 (noarch):
roundcubemail-1.6.16-bp157.2.12.1
- openSUSE Backports SLE-15-SP6 (noarch):
roundcubemail-1.6.16-bp156.2.18.1
References:
https://www.suse.com/security/cve/CVE-2026-48842.html
https://www.suse.com/security/cve/CVE-2026-48843.html
https://www.suse.com/security/cve/CVE-2026-48844.html
https://www.suse.com/security/cve/CVE-2026-48845.html
https://www.suse.com/security/cve/CVE-2026-48846.html
https://www.suse.com/security/cve/CVE-2026-48847.html
https://www.suse.com/security/cve/CVE-2026-48848.html
https://www.suse.com/security/cve/CVE-2026-48849.html
https://bugzilla.suse.com/1266329
https://bugzilla.suse.com/1266331
https://bugzilla.suse.com/1266332
https://bugzilla.suse.com/1266333
https://bugzilla.suse.com/1266334
https://bugzilla.suse.com/1266335
https://bugzilla.suse.com/1266336
https://bugzilla.suse.com/1266337
openSUSE-SU-2026:0087-1: important: Security update for python-simpleeval
openSUSE Security Update: Security update for python-simpleeval
_______________________________
Announcement ID: openSUSE-SU-2026:0087-1
Rating: important
References: #1259685
Cross-References: CVE-2026-32640
Affected Products:
openSUSE Backports SLE-15-SP7
_______________________________
An update that fixes one vulnerability is now available.
Description:
This update for python-simpleeval fixes the following issues:
- CVE-2026-32640: Objects (including modules) can leak dangerous modules
through to direct access inside the sandbox (boo#1259685)
Patch Instructions:
To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
- openSUSE Backports SLE-15-SP7:
zypper in -t patch openSUSE-2026-87=1
Package List:
- openSUSE Backports SLE-15-SP7 (noarch):
python311-simpleeval-0.9.13-bp157.2.3.1
References:
https://www.suse.com/security/cve/CVE-2026-32640.html
https://bugzilla.suse.com/1259685
SUSE-SU-2026:2370-1: important: Security update for nginx
# Security update for nginx
Announcement ID: SUSE-SU-2026:2370-1
Release Date: 2026-06-11T13:23:43Z
Rating: important
References:
* bsc#1260415
* bsc#1260420
* bsc#1265229
* bsc#1265231
* bsc#1265232
* bsc#1265233
* bsc#1266215
Cross-References:
* CVE-2026-27651
* CVE-2026-32647
* CVE-2026-40701
* CVE-2026-42934
* CVE-2026-42945
* CVE-2026-42946
* CVE-2026-9256
CVSS scores:
* CVE-2026-27651 ( SUSE ): 8.2
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
* CVE-2026-27651 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
* CVE-2026-27651 ( NVD ): 8.7
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
* CVE-2026-27651 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
* CVE-2026-32647 ( SUSE ): 7.3
CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
* CVE-2026-32647 ( SUSE ): 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
* CVE-2026-32647 ( NVD ): 8.5
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
* CVE-2026-32647 ( NVD ): 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
* CVE-2026-40701 ( SUSE ): 6.3
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N
* CVE-2026-40701 ( SUSE ): 5.6 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L
* CVE-2026-40701 ( NVD ): 6.3
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
* CVE-2026-40701 ( NVD ): 4.8 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:L
* CVE-2026-42934 ( SUSE ): 6.3
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
* CVE-2026-42934 ( SUSE ): 4.8 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:L
* CVE-2026-42934 ( NVD ): 6.3
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
* CVE-2026-42934 ( NVD ): 4.8 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:L
* CVE-2026-42945 ( SUSE ): 8.3
CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:H/SC:N/SI:N/SA:N
* CVE-2026-42945 ( SUSE ): 8.6 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H
* CVE-2026-42945 ( NVD ): 9.2
CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
* CVE-2026-42945 ( NVD ): 8.1 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
* CVE-2026-42946 ( SUSE ): 8.3
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
* CVE-2026-42946 ( SUSE ): 6.5 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:L
* CVE-2026-42946 ( NVD ): 8.3
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
* CVE-2026-42946 ( NVD ): 6.5 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:L
* CVE-2026-9256 ( SUSE ): 9.2
CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
* CVE-2026-9256 ( SUSE ): 8.1 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Affected Products:
* openSUSE Leap 15.4
* SUSE Linux Enterprise High Performance Computing 15 SP4
* SUSE Linux Enterprise High Performance Computing 15 SP5
* SUSE Linux Enterprise High Performance Computing ESPOS 15 SP4
* SUSE Linux Enterprise High Performance Computing ESPOS 15 SP5
* SUSE Linux Enterprise High Performance Computing LTSS 15 SP4
* SUSE Linux Enterprise High Performance Computing LTSS 15 SP5
* SUSE Linux Enterprise Server 15 SP4
* SUSE Linux Enterprise Server 15 SP4 LTSS
* SUSE Linux Enterprise Server 15 SP5
* SUSE Linux Enterprise Server 15 SP5 LTSS
* SUSE Linux Enterprise Server for SAP Applications 15 SP4
* SUSE Linux Enterprise Server for SAP Applications 15 SP5
An update that solves seven vulnerabilities can now be installed.
## Description:
This update for nginx fixes the following issues:
* CVE-2026-9256: heap buffer overflow in the `ngx_http_rewrite_module` when
using a configuration with overlapping captures (bsc#1266215).
* CVE-2026-27651: denial of service via undisclosed requests when the
`ngx_mail_auth_http_module` is enabled (bsc#1260415).
* CVE-2026-32647: NGINX worker memory over-read or over-write via a specially
crafted MP4 file (bsc#1260420).
* CVE-2026-40701: heap use-after-free in the worker process when the
`ssl_verify_client` and the `ssl_ocsp` directives are set, due to an issue in
the `ngx_http_ssl_module` module (bsc#1265229).
* CVE-2026-42934: heap buffer over-read in the worker process due to an issue in
the `ngx_http_charset_module` module (bsc#1265231).
* CVE-2026-42945: heap buffer overflow via crafted HTTP requests due to an issue
in `ngx_http_rewrite_module` (bsc#1265232).
* CVE-2026-42946: excessive memory allocation and data over-read due to an issue
in the `ngx_http_scgi_module` and `ngx_http_uwsgi_module` modules
(bsc#1265233).
## Patch Instructions:
To install this SUSE update use the SUSE recommended installation methods like
YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
* SUSE Linux Enterprise Server 15 SP5 LTSS
zypper in -t patch SUSE-SLE-Product-SLES-15-SP5-LTSS-2026-2370=1
* SUSE Linux Enterprise Server for SAP Applications 15 SP4
zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-SP4-2026-2370=1
* openSUSE Leap 15.4
zypper in -t patch SUSE-2026-2370=1
* SUSE Linux Enterprise Server for SAP Applications 15 SP5
zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-SP5-2026-2370=1
* SUSE Linux Enterprise High Performance Computing ESPOS 15 SP4
zypper in -t patch SUSE-SLE-Product-HPC-15-SP4-ESPOS-2026-2370=1
* SUSE Linux Enterprise High Performance Computing LTSS 15 SP4
zypper in -t patch SUSE-SLE-Product-HPC-15-SP4-LTSS-2026-2370=1
* SUSE Linux Enterprise High Performance Computing ESPOS 15 SP5
zypper in -t patch SUSE-SLE-Product-HPC-15-SP5-ESPOS-2026-2370=1
* SUSE Linux Enterprise High Performance Computing LTSS 15 SP5
zypper in -t patch SUSE-SLE-Product-HPC-15-SP5-LTSS-2026-2370=1
* SUSE Linux Enterprise Server 15 SP4 LTSS
zypper in -t patch SUSE-SLE-Product-SLES-15-SP4-LTSS-2026-2370=1
## Package List:
* SUSE Linux Enterprise Server 15 SP5 LTSS (noarch)
* nginx-source-1.21.5-150400.3.20.1
* SUSE Linux Enterprise Server 15 SP5 LTSS (aarch64 ppc64le s390x x86_64)
* nginx-debugsource-1.21.5-150400.3.20.1
* nginx-1.21.5-150400.3.20.1
* nginx-debuginfo-1.21.5-150400.3.20.1
* SUSE Linux Enterprise Server for SAP Applications 15 SP4 (ppc64le x86_64)
* nginx-debugsource-1.21.5-150400.3.20.1
* nginx-1.21.5-150400.3.20.1
* nginx-debuginfo-1.21.5-150400.3.20.1
* SUSE Linux Enterprise Server for SAP Applications 15 SP4 (noarch)
* nginx-source-1.21.5-150400.3.20.1
* openSUSE Leap 15.4 (aarch64 ppc64le s390x x86_64 i586)
* nginx-debugsource-1.21.5-150400.3.20.1
* nginx-debuginfo-1.21.5-150400.3.20.1
* nginx-1.21.5-150400.3.20.1
* openSUSE Leap 15.4 (noarch)
* nginx-source-1.21.5-150400.3.20.1
* SUSE Linux Enterprise Server for SAP Applications 15 SP5 (ppc64le x86_64)
* nginx-debugsource-1.21.5-150400.3.20.1
* nginx-1.21.5-150400.3.20.1
* nginx-debuginfo-1.21.5-150400.3.20.1
* SUSE Linux Enterprise Server for SAP Applications 15 SP5 (noarch)
* nginx-source-1.21.5-150400.3.20.1
* SUSE Linux Enterprise High Performance Computing ESPOS 15 SP4 (aarch64
x86_64)
* nginx-debugsource-1.21.5-150400.3.20.1
* nginx-1.21.5-150400.3.20.1
* nginx-debuginfo-1.21.5-150400.3.20.1
* SUSE Linux Enterprise High Performance Computing ESPOS 15 SP4 (noarch)
* nginx-source-1.21.5-150400.3.20.1
* SUSE Linux Enterprise High Performance Computing LTSS 15 SP4 (aarch64
x86_64)
* nginx-debugsource-1.21.5-150400.3.20.1
* nginx-1.21.5-150400.3.20.1
* nginx-debuginfo-1.21.5-150400.3.20.1
* SUSE Linux Enterprise High Performance Computing LTSS 15 SP4 (noarch)
* nginx-source-1.21.5-150400.3.20.1
* SUSE Linux Enterprise High Performance Computing ESPOS 15 SP5 (aarch64
x86_64)
* nginx-debugsource-1.21.5-150400.3.20.1
* nginx-1.21.5-150400.3.20.1
* nginx-debuginfo-1.21.5-150400.3.20.1
* SUSE Linux Enterprise High Performance Computing ESPOS 15 SP5 (noarch)
* nginx-source-1.21.5-150400.3.20.1
* SUSE Linux Enterprise High Performance Computing LTSS 15 SP5 (aarch64
x86_64)
* nginx-debugsource-1.21.5-150400.3.20.1
* nginx-1.21.5-150400.3.20.1
* nginx-debuginfo-1.21.5-150400.3.20.1
* SUSE Linux Enterprise High Performance Computing LTSS 15 SP5 (noarch)
* nginx-source-1.21.5-150400.3.20.1
* SUSE Linux Enterprise Server 15 SP4 LTSS (aarch64 ppc64le s390x x86_64)
* nginx-debugsource-1.21.5-150400.3.20.1
* nginx-1.21.5-150400.3.20.1
* nginx-debuginfo-1.21.5-150400.3.20.1
* SUSE Linux Enterprise Server 15 SP4 LTSS (noarch)
* nginx-source-1.21.5-150400.3.20.1
## References:
* https://www.suse.com/security/cve/CVE-2026-27651.html
* https://www.suse.com/security/cve/CVE-2026-32647.html
* https://www.suse.com/security/cve/CVE-2026-40701.html
* https://www.suse.com/security/cve/CVE-2026-42934.html
* https://www.suse.com/security/cve/CVE-2026-42945.html
* https://www.suse.com/security/cve/CVE-2026-42946.html
* https://www.suse.com/security/cve/CVE-2026-9256.html
* https://bugzilla.suse.com/show_bug.cgi?id=1260415
* https://bugzilla.suse.com/show_bug.cgi?id=1260420
* https://bugzilla.suse.com/show_bug.cgi?id=1265229
* https://bugzilla.suse.com/show_bug.cgi?id=1265231
* https://bugzilla.suse.com/show_bug.cgi?id=1265232
* https://bugzilla.suse.com/show_bug.cgi?id=1265233
* https://bugzilla.suse.com/show_bug.cgi?id=1266215
SUSE-SU-2026:2368-1: important: Security update for strongswan
# Security update for strongswan
Announcement ID: SUSE-SU-2026:2368-1
Release Date: 2026-06-11T12:22:00Z
Rating: important
References:
* bsc#1261705
* bsc#1261706
* bsc#1261708
* bsc#1261712
* bsc#1261717
* bsc#1261718
* bsc#1261720
* bsc#1266360
Cross-References:
* CVE-2026-35328
* CVE-2026-35329
* CVE-2026-35330
* CVE-2026-35331
* CVE-2026-35332
* CVE-2026-35333
* CVE-2026-35334
* CVE-2026-47895
CVSS scores:
* CVE-2026-35328 ( SUSE ): 8.7
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
* CVE-2026-35328 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
* CVE-2026-35329 ( SUSE ): 8.7
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
* CVE-2026-35329 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
* CVE-2026-35330 ( SUSE ): 9.2
CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
* CVE-2026-35330 ( SUSE ): 8.1 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
* CVE-2026-35331 ( SUSE ): 6.3
CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
* CVE-2026-35331 ( SUSE ): 4.8 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
* CVE-2026-35332 ( SUSE ): 8.7
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
* CVE-2026-35332 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
* CVE-2026-35333 ( SUSE ): 8.7
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
* CVE-2026-35333 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
* CVE-2026-35334 ( SUSE ): 8.7
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
* CVE-2026-35334 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
* CVE-2026-47895 ( SUSE ): 7.7
CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
* CVE-2026-47895 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Affected Products:
* openSUSE Leap 15.4
* SUSE Linux Enterprise High Performance Computing 15 SP4
* SUSE Linux Enterprise High Performance Computing ESPOS 15 SP4
* SUSE Linux Enterprise High Performance Computing LTSS 15 SP4
* SUSE Linux Enterprise Server 15 SP4
* SUSE Linux Enterprise Server 15 SP4 LTSS
* SUSE Linux Enterprise Server for SAP Applications 15 SP4
An update that solves eight vulnerabilities can now be installed.
## Description:
This update for strongswan fixes the following issues:
* CVE-2026-35328: infinite loop when handling supported versions TLS extension
(bsc#1261712).
* CVE-2026-35329: null pointer dereference when processing padding in PKCS#7
(bsc#1261717).
* CVE-2026-35330: integer underflow when handling EAP-SIM/AKA attributes
(bsc#1261705).
* CVE-2026-35331: accepting certificates violating name constraints
(bsc#1261718).
* CVE-2026-35332: null pointer dereference when handling ECDH public value in
TLS (bsc#1261708).
* CVE-2026-35333: integer underflow when handling RADIUS attributes
(bsc#1261706).
* CVE-2026-35334: possible null pointer dereference in RSA decryption
(bsc#1261720).
* CVE-2026-47895: double-free when destroying certain cloned identities
(bsc#1266360).
## Patch Instructions:
To install this SUSE update use the SUSE recommended installation methods like
YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
* SUSE Linux Enterprise High Performance Computing LTSS 15 SP4
zypper in -t patch SUSE-SLE-Product-HPC-15-SP4-LTSS-2026-2368=1
* SUSE Linux Enterprise Server 15 SP4 LTSS
zypper in -t patch SUSE-SLE-Product-SLES-15-SP4-LTSS-2026-2368=1
* openSUSE Leap 15.4
zypper in -t patch SUSE-2026-2368=1
* SUSE Linux Enterprise High Performance Computing ESPOS 15 SP4
zypper in -t patch SUSE-SLE-Product-HPC-15-SP4-ESPOS-2026-2368=1
* SUSE Linux Enterprise Server for SAP Applications 15 SP4
zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-SP4-2026-2368=1
## Package List:
* SUSE Linux Enterprise High Performance Computing LTSS 15 SP4 (aarch64
x86_64)
* strongswan-libs0-5.9.11-150400.19.35.1
* strongswan-5.9.11-150400.19.35.1
* strongswan-ipsec-debuginfo-5.9.11-150400.19.35.1
* strongswan-debuginfo-5.9.11-150400.19.35.1
* strongswan-debugsource-5.9.11-150400.19.35.1
* strongswan-ipsec-5.9.11-150400.19.35.1
* strongswan-hmac-5.9.11-150400.19.35.1
* strongswan-libs0-debuginfo-5.9.11-150400.19.35.1
* SUSE Linux Enterprise High Performance Computing LTSS 15 SP4 (noarch)
* strongswan-doc-5.9.11-150400.19.35.1
* SUSE Linux Enterprise Server 15 SP4 LTSS (aarch64 ppc64le s390x x86_64)
* strongswan-libs0-5.9.11-150400.19.35.1
* strongswan-5.9.11-150400.19.35.1
* strongswan-ipsec-debuginfo-5.9.11-150400.19.35.1
* strongswan-debuginfo-5.9.11-150400.19.35.1
* strongswan-debugsource-5.9.11-150400.19.35.1
* strongswan-ipsec-5.9.11-150400.19.35.1
* strongswan-hmac-5.9.11-150400.19.35.1
* strongswan-libs0-debuginfo-5.9.11-150400.19.35.1
* SUSE Linux Enterprise Server 15 SP4 LTSS (noarch)
* strongswan-doc-5.9.11-150400.19.35.1
* openSUSE Leap 15.4 (aarch64 ppc64le s390x x86_64 i586)
* strongswan-nm-5.9.11-150400.19.35.1
* strongswan-libs0-5.9.11-150400.19.35.1
* strongswan-5.9.11-150400.19.35.1
* strongswan-ipsec-debuginfo-5.9.11-150400.19.35.1
* strongswan-nm-debuginfo-5.9.11-150400.19.35.1
* strongswan-debuginfo-5.9.11-150400.19.35.1
* strongswan-debugsource-5.9.11-150400.19.35.1
* strongswan-ipsec-5.9.11-150400.19.35.1
* strongswan-sqlite-debuginfo-5.9.11-150400.19.35.1
* strongswan-mysql-debuginfo-5.9.11-150400.19.35.1
* strongswan-sqlite-5.9.11-150400.19.35.1
* strongswan-hmac-5.9.11-150400.19.35.1
* strongswan-libs0-debuginfo-5.9.11-150400.19.35.1
* strongswan-mysql-5.9.11-150400.19.35.1
* openSUSE Leap 15.4 (noarch)
* strongswan-doc-5.9.11-150400.19.35.1
* SUSE Linux Enterprise High Performance Computing ESPOS 15 SP4 (aarch64
x86_64)
* strongswan-libs0-5.9.11-150400.19.35.1
* strongswan-5.9.11-150400.19.35.1
* strongswan-ipsec-debuginfo-5.9.11-150400.19.35.1
* strongswan-debuginfo-5.9.11-150400.19.35.1
* strongswan-debugsource-5.9.11-150400.19.35.1
* strongswan-ipsec-5.9.11-150400.19.35.1
* strongswan-hmac-5.9.11-150400.19.35.1
* strongswan-libs0-debuginfo-5.9.11-150400.19.35.1
* SUSE Linux Enterprise High Performance Computing ESPOS 15 SP4 (noarch)
* strongswan-doc-5.9.11-150400.19.35.1
* SUSE Linux Enterprise Server for SAP Applications 15 SP4 (ppc64le x86_64)
* strongswan-libs0-5.9.11-150400.19.35.1
* strongswan-5.9.11-150400.19.35.1
* strongswan-ipsec-debuginfo-5.9.11-150400.19.35.1
* strongswan-debuginfo-5.9.11-150400.19.35.1
* strongswan-debugsource-5.9.11-150400.19.35.1
* strongswan-ipsec-5.9.11-150400.19.35.1
* strongswan-hmac-5.9.11-150400.19.35.1
* strongswan-libs0-debuginfo-5.9.11-150400.19.35.1
* SUSE Linux Enterprise Server for SAP Applications 15 SP4 (noarch)
* strongswan-doc-5.9.11-150400.19.35.1
## References:
* https://www.suse.com/security/cve/CVE-2026-35328.html
* https://www.suse.com/security/cve/CVE-2026-35329.html
* https://www.suse.com/security/cve/CVE-2026-35330.html
* https://www.suse.com/security/cve/CVE-2026-35331.html
* https://www.suse.com/security/cve/CVE-2026-35332.html
* https://www.suse.com/security/cve/CVE-2026-35333.html
* https://www.suse.com/security/cve/CVE-2026-35334.html
* https://www.suse.com/security/cve/CVE-2026-47895.html
* https://bugzilla.suse.com/show_bug.cgi?id=1261705
* https://bugzilla.suse.com/show_bug.cgi?id=1261706
* https://bugzilla.suse.com/show_bug.cgi?id=1261708
* https://bugzilla.suse.com/show_bug.cgi?id=1261712
* https://bugzilla.suse.com/show_bug.cgi?id=1261717
* https://bugzilla.suse.com/show_bug.cgi?id=1261718
* https://bugzilla.suse.com/show_bug.cgi?id=1261720
* https://bugzilla.suse.com/show_bug.cgi?id=1266360
SUSE-SU-2026:2371-1: important: Security update for openssh
# Security update for openssh
Announcement ID: SUSE-SU-2026:2371-1
Release Date: 2026-06-11T14:01:54Z
Rating: important
References:
* bsc#1259642
* bsc#1261427
* bsc#1261430
* bsc#1261441
* bsc#1264568
Cross-References:
* CVE-2026-3497
* CVE-2026-35385
* CVE-2026-35388
* CVE-2026-35414
CVSS scores:
* CVE-2026-3497 ( SUSE ): 6.9
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N
* CVE-2026-3497 ( SUSE ): 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L
* CVE-2026-3497 ( NVD ): 6.9
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
* CVE-2026-3497 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
* CVE-2026-35385 ( SUSE ): 7.5
CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
* CVE-2026-35385 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
* CVE-2026-35385 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
* CVE-2026-35385 ( NVD ): 8.1 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
* CVE-2026-35388 ( SUSE ): 2.1
CVSS:4.0/AV:L/AC:H/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
* CVE-2026-35388 ( SUSE ): 2.5 CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N
* CVE-2026-35388 ( NVD ): 2.5 CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N
* CVE-2026-35388 ( NVD ): 2.5 CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N
* CVE-2026-35414 ( SUSE ): 2.3
CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
* CVE-2026-35414 ( SUSE ): 4.2 CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N
* CVE-2026-35414 ( NVD ): 4.2 CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N
* CVE-2026-35414 ( NVD ): 8.1 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Affected Products:
* Basesystem Module 15-SP7
* Desktop Applications Module 15-SP7
* openSUSE Leap 15.6
* SUSE Linux Enterprise Desktop 15 SP7
* SUSE Linux Enterprise Real Time 15 SP7
* SUSE Linux Enterprise Server 15 SP6
* SUSE Linux Enterprise Server 15 SP6 LTSS
* SUSE Linux Enterprise Server 15 SP7
* SUSE Linux Enterprise Server for SAP Applications 15 SP6
* SUSE Linux Enterprise Server for SAP Applications 15 SP7
An update that solves four vulnerabilities and has one security fix can now be
installed.
## Description:
This update for openssh fixes the following issues:
* CVE-2026-3497: information disclosure or denial of service due to
uninitialized variables (bsc#1259642).
* CVE-2026-35385: a file downloaded by scp may be installed setuid or setgid
(bsc#1261427).
* CVE-2026-35388: omitted connection multiplexing confirmation for proxy-mode
multiplexing sessions (bsc#1261441).
* CVE-2026-35414: mishandling of authorized_keys principals option
(bsc#1261430).
* potential security issue when validating mac (bsc#1264568).
## Patch Instructions:
To install this SUSE update use the SUSE recommended installation methods like
YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
* openSUSE Leap 15.6
zypper in -t patch SUSE-2026-2371=1
* Basesystem Module 15-SP7
zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP7-2026-2371=1
* Desktop Applications Module 15-SP7
zypper in -t patch SUSE-SLE-Module-Desktop-Applications-15-SP7-2026-2371=1
* SUSE Linux Enterprise Server 15 SP6 LTSS
zypper in -t patch SUSE-SLE-Product-SLES-15-SP6-LTSS-2026-2371=1
* SUSE Linux Enterprise Server for SAP Applications 15 SP6
zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-SP6-2026-2371=1
## Package List:
* openSUSE Leap 15.6 (aarch64 ppc64le s390x x86_64 i586)
* openssh-askpass-gnome-9.6p1-150600.6.42.1
* openssh-helpers-debuginfo-9.6p1-150600.6.42.1
* openssh-common-debuginfo-9.6p1-150600.6.42.1
* openssh-server-config-disallow-rootlogin-9.6p1-150600.6.42.1
* openssh-clients-9.6p1-150600.6.42.1
* openssh-9.6p1-150600.6.42.1
* openssh-common-9.6p1-150600.6.42.1
* openssh-server-9.6p1-150600.6.42.1
* openssh-fips-9.6p1-150600.6.42.1
* openssh-clients-debuginfo-9.6p1-150600.6.42.1
* openssh-debuginfo-9.6p1-150600.6.42.1
* openssh-helpers-9.6p1-150600.6.42.1
* openssh-server-debuginfo-9.6p1-150600.6.42.1
* openssh-askpass-gnome-debugsource-9.6p1-150600.6.42.1
* openssh-cavs-9.6p1-150600.6.42.1
* openssh-cavs-debuginfo-9.6p1-150600.6.42.1
* openssh-askpass-gnome-debuginfo-9.6p1-150600.6.42.1
* openssh-debugsource-9.6p1-150600.6.42.1
* Basesystem Module 15-SP7 (aarch64 ppc64le s390x x86_64)
* openssh-helpers-debuginfo-9.6p1-150600.6.42.1
* openssh-common-debuginfo-9.6p1-150600.6.42.1
* openssh-server-config-disallow-rootlogin-9.6p1-150600.6.42.1
* openssh-clients-9.6p1-150600.6.42.1
* openssh-9.6p1-150600.6.42.1
* openssh-common-9.6p1-150600.6.42.1
* openssh-server-9.6p1-150600.6.42.1
* openssh-fips-9.6p1-150600.6.42.1
* openssh-debuginfo-9.6p1-150600.6.42.1
* openssh-helpers-9.6p1-150600.6.42.1
* openssh-clients-debuginfo-9.6p1-150600.6.42.1
* openssh-server-debuginfo-9.6p1-150600.6.42.1
* openssh-debugsource-9.6p1-150600.6.42.1
* Desktop Applications Module 15-SP7 (aarch64 ppc64le s390x x86_64)
* openssh-askpass-gnome-debugsource-9.6p1-150600.6.42.1
* openssh-askpass-gnome-9.6p1-150600.6.42.1
* openssh-askpass-gnome-debuginfo-9.6p1-150600.6.42.1
* SUSE Linux Enterprise Server 15 SP6 LTSS (aarch64 ppc64le s390x x86_64)
* openssh-helpers-debuginfo-9.6p1-150600.6.42.1
* openssh-askpass-gnome-9.6p1-150600.6.42.1
* openssh-server-config-disallow-rootlogin-9.6p1-150600.6.42.1
* openssh-common-debuginfo-9.6p1-150600.6.42.1
* openssh-clients-9.6p1-150600.6.42.1
* openssh-9.6p1-150600.6.42.1
* openssh-common-9.6p1-150600.6.42.1
* openssh-server-9.6p1-150600.6.42.1
* openssh-fips-9.6p1-150600.6.42.1
* openssh-clients-debuginfo-9.6p1-150600.6.42.1
* openssh-helpers-9.6p1-150600.6.42.1
* openssh-debuginfo-9.6p1-150600.6.42.1
* openssh-server-debuginfo-9.6p1-150600.6.42.1
* openssh-askpass-gnome-debugsource-9.6p1-150600.6.42.1
* openssh-askpass-gnome-debuginfo-9.6p1-150600.6.42.1
* openssh-debugsource-9.6p1-150600.6.42.1
* SUSE Linux Enterprise Server for SAP Applications 15 SP6 (ppc64le x86_64)
* openssh-askpass-gnome-9.6p1-150600.6.42.1
* openssh-helpers-debuginfo-9.6p1-150600.6.42.1
* openssh-common-debuginfo-9.6p1-150600.6.42.1
* openssh-server-config-disallow-rootlogin-9.6p1-150600.6.42.1
* openssh-clients-9.6p1-150600.6.42.1
* openssh-9.6p1-150600.6.42.1
* openssh-common-9.6p1-150600.6.42.1
* openssh-server-9.6p1-150600.6.42.1
* openssh-fips-9.6p1-150600.6.42.1
* openssh-clients-debuginfo-9.6p1-150600.6.42.1
* openssh-debuginfo-9.6p1-150600.6.42.1
* openssh-helpers-9.6p1-150600.6.42.1
* openssh-server-debuginfo-9.6p1-150600.6.42.1
* openssh-askpass-gnome-debugsource-9.6p1-150600.6.42.1
* openssh-askpass-gnome-debuginfo-9.6p1-150600.6.42.1
* openssh-debugsource-9.6p1-150600.6.42.1
## References:
* https://www.suse.com/security/cve/CVE-2026-3497.html
* https://www.suse.com/security/cve/CVE-2026-35385.html
* https://www.suse.com/security/cve/CVE-2026-35388.html
* https://www.suse.com/security/cve/CVE-2026-35414.html
* https://bugzilla.suse.com/show_bug.cgi?id=1259642
* https://bugzilla.suse.com/show_bug.cgi?id=1261427
* https://bugzilla.suse.com/show_bug.cgi?id=1261430
* https://bugzilla.suse.com/show_bug.cgi?id=1261441
* https://bugzilla.suse.com/show_bug.cgi?id=1264568
SUSE-SU-2026:2376-1: important: Security update for webkit2gtk3
# Security update for webkit2gtk3
Announcement ID: SUSE-SU-2026:2376-1
Release Date: 2026-06-11T16:07:26Z
Rating: important
References:
* bsc#1264745
* bsc#1267506
* bsc#1267507
* bsc#1267508
* bsc#1267509
* bsc#1267510
* bsc#1267511
* bsc#1267512
* bsc#1267513
* bsc#1267514
* bsc#1267515
* bsc#1267516
* bsc#1267517
* bsc#1267518
* bsc#1267519
* bsc#1267520
* bsc#1267521
Cross-References:
* CVE-2026-28847
* CVE-2026-28883
* CVE-2026-28901
* CVE-2026-28902
* CVE-2026-28903
* CVE-2026-28904
* CVE-2026-28905
* CVE-2026-28907
* CVE-2026-28942
* CVE-2026-28946
* CVE-2026-28947
* CVE-2026-28953
* CVE-2026-28955
* CVE-2026-28958
* CVE-2026-43658
* CVE-2026-43660
CVSS scores:
* CVE-2026-28847 ( SUSE ): 8.7
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
* CVE-2026-28847 ( SUSE ): 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
* CVE-2026-28847 ( NVD ): 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
* CVE-2026-28883 ( SUSE ): 7.7
CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
* CVE-2026-28883 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
* CVE-2026-28883 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
* CVE-2026-28901 ( SUSE ): 7.1
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
* CVE-2026-28901 ( SUSE ): 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
* CVE-2026-28901 ( NVD ): 4.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L
* CVE-2026-28902 ( SUSE ): 7.1
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
* CVE-2026-28902 ( SUSE ): 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
* CVE-2026-28902 ( NVD ): 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
* CVE-2026-28903 ( SUSE ): 7.1
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
* CVE-2026-28903 ( SUSE ): 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
* CVE-2026-28903 ( NVD ): 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
* CVE-2026-28904 ( SUSE ): 7.1
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
* CVE-2026-28904 ( SUSE ): 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
* CVE-2026-28904 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
* CVE-2026-28905 ( SUSE ): 7.1
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
* CVE-2026-28905 ( SUSE ): 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
* CVE-2026-28905 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
* CVE-2026-28907 ( SUSE ): 7.1
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N
* CVE-2026-28907 ( SUSE ): 7.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N
* CVE-2026-28907 ( NVD ): 8.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
* CVE-2026-28942 ( SUSE ): 7.7
CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
* CVE-2026-28942 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
* CVE-2026-28942 ( NVD ): 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
* CVE-2026-28946 ( SUSE ): 7.7
CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
* CVE-2026-28946 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
* CVE-2026-28946 ( NVD ): 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
* CVE-2026-28947 ( SUSE ): 7.7
CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
* CVE-2026-28947 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
* CVE-2026-28947 ( NVD ): 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
* CVE-2026-28953 ( SUSE ): 7.1
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
* CVE-2026-28953 ( SUSE ): 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
* CVE-2026-28953 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
* CVE-2026-28955 ( SUSE ): 7.7
CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
* CVE-2026-28955 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
* CVE-2026-28955 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
* CVE-2026-28958 ( SUSE ): 7.1
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
* CVE-2026-28958 ( SUSE ): 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
* CVE-2026-28958 ( NVD ): 5.5 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
* CVE-2026-43658 ( SUSE ): 7.1
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
* CVE-2026-43658 ( SUSE ): 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
* CVE-2026-43658 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
* CVE-2026-43660 ( SUSE ): 7.1
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N
* CVE-2026-43660 ( SUSE ): 7.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N
* CVE-2026-43660 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Affected Products:
* Basesystem Module 15-SP7
* Desktop Applications Module 15-SP7
* Development Tools Module 15-SP7
* openSUSE Leap 15.6
* SUSE Linux Enterprise Desktop 15 SP7
* SUSE Linux Enterprise Real Time 15 SP7
* SUSE Linux Enterprise Server 15 SP6
* SUSE Linux Enterprise Server 15 SP6 LTSS
* SUSE Linux Enterprise Server 15 SP7
* SUSE Linux Enterprise Server for SAP Applications 15 SP6
* SUSE Linux Enterprise Server for SAP Applications 15 SP7
An update that solves 16 vulnerabilities and has one security fix can now be
installed.
## Description:
This update for webkit2gtk3 fixes the following issues:
Update to version 2.52.4:
Security fixes:
* CVE-2026-28847: processing maliciously crafted web content may lead to an
unexpected process crash or arbitrary code execution due to a heap buffer
overflow (bsc#1267506).
* CVE-2026-28883: processing maliciously crafted web content may lead to an
unexpected process crash due to a use-after-free issue (bsc#1267507).
* CVE-2026-28901: processing maliciously crafted web content may lead to an
unexpected process crash due to improper memory handling (bsc#1267508).
* CVE-2026-28902: processing maliciously crafted web content may lead to an
unexpected process crash due to improper memory handling (bsc#1267509).
* CVE-2026-28903: processing maliciously crafted web content may lead to an
unexpected process crash due to improper memory handling (bsc#1267510).
* CVE-2026-28904: processing maliciously crafted web content may lead to an
unexpected process crash due to improper memory handling (bsc#1267511).
* CVE-2026-28905: processing maliciously crafted web content may lead to an
unexpected process crash due to improper memory handling (bsc#1267512).
* CVE-2026-28907: processing maliciously crafted web content may prevent
Content Security Policy from being enforced due to improper input validation
(bsc#1267513).
* CVE-2026-28942: processing maliciously crafted web content may lead to an
unexpected crash due to use-after-free (bsc#1267514).
* CVE-2026-28946: processing maliciously crafted web content may lead to an
unexpected crash due to a use-after-free (bsc#1267515).
* CVE-2026-28947: processing maliciously crafted web content may lead to an
unexpected crash due to a use-after-free (bsc#1267516).
* CVE-2026-28953: processing maliciously crafted web content may lead to an
unexpected process crash due to improper memory handling (bsc#1267517).
* CVE-2026-28955: processing maliciously crafted web content may lead to an
unexpected process crash due to improper memory handling (bsc#1267518).
* CVE-2026-28958: an app may be able to access sensitive user data due to
improper data protection (bsc#1267519).
* CVE-2026-43658: processing maliciously crafted web content may lead to an
unexpected crash due to improper memory handling (bsc#1267520).
* CVE-2026-43660: processing maliciously crafted web content may prevent
Content Security Policy from being enforced due to issues with logic
(bsc#1267521).
Other fixes:
* Add patch to fix a crash on evolution (bsc#1264745).
Changes:
* Add support for half-width fonts.
* Improve content filter compilation by avoiding file copies.
* Improve handling of out of disk space conditions when the NetworkProcess
tried to write data in caches.
* Improve how the CMake build system checks whether libatomic is required.
* Fix painting scrollbars when their width changes.
* Fix playback of certain YouTube videos with low frame rates.
* Fix webkit://gpu not working in systems where neither libGL.so.1 nor
libOpenGL.so.0 are available.
* Fix the build with librice 0.4 or newer when the GStreamer WebRTC backend is
enabled at build configuration time.
* Fix the build with USE_GSTREAMER_WEBRTC=OFF.
* Fix the build with USE_GBM=OFF.
* Fix several crashes and rendering issues.
* Add support for the "scrollbar-color" CSS property.
* Fix some emoji glyphs being rendered as missing glyph boxes.
* Fix JavaScriptCore crashes on architectures other than x86_64.
* Fix the build on s390x.
* Changes in version 2.52.2:
* Improve handling of real-time threads.
* Fix scrollbar rendering glitches visible in some GPU configurations.
* Fix V4L2 hardware accelerated media codecs not working due to overly
restrictive sandbox device access rules.
* Fix leak of bitmap images in webkit_favicon_database_get_favicon_finish().
* Fix the build with USE_GTK4=OFF.
## Patch Instructions:
To install this SUSE update use the SUSE recommended installation methods like
YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
* openSUSE Leap 15.6
zypper in -t patch SUSE-2026-2376=1
* Basesystem Module 15-SP7
zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP7-2026-2376=1
* Desktop Applications Module 15-SP7
zypper in -t patch SUSE-SLE-Module-Desktop-Applications-15-SP7-2026-2376=1
* Development Tools Module 15-SP7
zypper in -t patch SUSE-SLE-Module-Development-Tools-15-SP7-2026-2376=1
* SUSE Linux Enterprise Server 15 SP6 LTSS
zypper in -t patch SUSE-SLE-Product-SLES-15-SP6-LTSS-2026-2376=1
* SUSE Linux Enterprise Server for SAP Applications 15 SP6
zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-SP6-2026-2376=1
## Package List:
* openSUSE Leap 15.6 (aarch64 ppc64le s390x x86_64 i586)
* typelib-1_0-WebKit2WebExtension-4_1-2.52.4-150600.12.68.1
* webkit2gtk4-devel-2.52.4-150600.12.68.1
* webkit-jsc-4.1-debuginfo-2.52.4-150600.12.68.1
* webkit2gtk3-minibrowser-2.52.4-150600.12.68.1
* libwebkitgtk-6_0-4-debuginfo-2.52.4-150600.12.68.1
* typelib-1_0-WebKit-6_0-2.52.4-150600.12.68.1
* libjavascriptcoregtk-4_0-18-debuginfo-2.52.4-150600.12.68.1
* webkit2gtk3-minibrowser-debuginfo-2.52.4-150600.12.68.1
* typelib-1_0-JavaScriptCore-4_0-2.52.4-150600.12.68.1
* typelib-1_0-WebKit2-4_1-2.52.4-150600.12.68.1
* webkit-jsc-4.1-2.52.4-150600.12.68.1
* webkit2gtk3-soup2-devel-2.52.4-150600.12.68.1
* webkit2gtk3-soup2-minibrowser-2.52.4-150600.12.68.1
* typelib-1_0-JavaScriptCore-6_0-2.52.4-150600.12.68.1
* webkit2gtk4-minibrowser-2.52.4-150600.12.68.1
* libjavascriptcoregtk-6_0-1-debuginfo-2.52.4-150600.12.68.1
* webkit2gtk-4_0-injected-bundles-debuginfo-2.52.4-150600.12.68.1
* webkit2gtk-4_1-injected-bundles-debuginfo-2.52.4-150600.12.68.1
* webkit-jsc-6.0-debuginfo-2.52.4-150600.12.68.1
* libwebkit2gtk-4_1-0-2.52.4-150600.12.68.1
* webkit2gtk3-soup2-minibrowser-debuginfo-2.52.4-150600.12.68.1
* webkit-jsc-4-2.52.4-150600.12.68.1
* typelib-1_0-WebKitWebProcessExtension-6_0-2.52.4-150600.12.68.1
* libwebkit2gtk-4_1-0-debuginfo-2.52.4-150600.12.68.1
* webkit2gtk4-minibrowser-debuginfo-2.52.4-150600.12.68.1
* libwebkit2gtk-4_0-37-2.52.4-150600.12.68.1
* webkit-jsc-4-debuginfo-2.52.4-150600.12.68.1
* webkit2gtk-4_0-injected-bundles-2.52.4-150600.12.68.1
* webkitgtk-6_0-injected-bundles-2.52.4-150600.12.68.1
* webkit2gtk-4_1-injected-bundles-2.52.4-150600.12.68.1
* libjavascriptcoregtk-4_1-0-2.52.4-150600.12.68.1
* libjavascriptcoregtk-6_0-1-2.52.4-150600.12.68.1
* webkit2gtk3-devel-2.52.4-150600.12.68.1
* typelib-1_0-WebKit2WebExtension-4_0-2.52.4-150600.12.68.1
* webkit2gtk4-debugsource-2.52.4-150600.12.68.1
* libwebkit2gtk-4_0-37-debuginfo-2.52.4-150600.12.68.1
* webkit2gtk3-soup2-debugsource-2.52.4-150600.12.68.1
* typelib-1_0-JavaScriptCore-4_1-2.52.4-150600.12.68.1
* libjavascriptcoregtk-4_0-18-2.52.4-150600.12.68.1
* webkit-jsc-6.0-2.52.4-150600.12.68.1
* libwebkitgtk-6_0-4-2.52.4-150600.12.68.1
* webkit2gtk3-debugsource-2.52.4-150600.12.68.1
* webkitgtk-6_0-injected-bundles-debuginfo-2.52.4-150600.12.68.1
* typelib-1_0-WebKit2-4_0-2.52.4-150600.12.68.1
* libjavascriptcoregtk-4_1-0-debuginfo-2.52.4-150600.12.68.1
* openSUSE Leap 15.6 (noarch)
* WebKitGTK-4.1-lang-2.52.4-150600.12.68.1
* WebKitGTK-4.0-lang-2.52.4-150600.12.68.1
* WebKitGTK-6.0-lang-2.52.4-150600.12.68.1
* openSUSE Leap 15.6 (x86_64)
* libwebkit2gtk-4_1-0-32bit-debuginfo-2.52.4-150600.12.68.1
* libjavascriptcoregtk-4_1-0-32bit-debuginfo-2.52.4-150600.12.68.1
* libjavascriptcoregtk-4_0-18-32bit-2.52.4-150600.12.68.1
* libjavascriptcoregtk-4_1-0-32bit-2.52.4-150600.12.68.1
* libwebkit2gtk-4_0-37-32bit-2.52.4-150600.12.68.1
* libwebkit2gtk-4_1-0-32bit-2.52.4-150600.12.68.1
* libwebkit2gtk-4_0-37-32bit-debuginfo-2.52.4-150600.12.68.1
* libjavascriptcoregtk-4_0-18-32bit-debuginfo-2.52.4-150600.12.68.1
* openSUSE Leap 15.6 (aarch64_ilp32)
* libjavascriptcoregtk-4_0-18-64bit-2.52.4-150600.12.68.1
* libwebkit2gtk-4_1-0-64bit-debuginfo-2.52.4-150600.12.68.1
* libjavascriptcoregtk-4_1-0-64bit-debuginfo-2.52.4-150600.12.68.1
* libwebkit2gtk-4_0-37-64bit-debuginfo-2.52.4-150600.12.68.1
* libjavascriptcoregtk-4_0-18-64bit-debuginfo-2.52.4-150600.12.68.1
* libjavascriptcoregtk-4_1-0-64bit-2.52.4-150600.12.68.1
* libwebkit2gtk-4_1-0-64bit-2.52.4-150600.12.68.1
* libwebkit2gtk-4_0-37-64bit-2.52.4-150600.12.68.1
* Basesystem Module 15-SP7 (aarch64 ppc64le s390x x86_64)
* libwebkit2gtk-4_0-37-debuginfo-2.52.4-150600.12.68.1
* webkit2gtk4-debugsource-2.52.4-150600.12.68.1
* webkit2gtk3-soup2-debugsource-2.52.4-150600.12.68.1
* webkit2gtk-4_0-injected-bundles-2.52.4-150600.12.68.1
* libjavascriptcoregtk-4_0-18-2.52.4-150600.12.68.1
* libwebkitgtk-6_0-4-debuginfo-2.52.4-150600.12.68.1
* libwebkitgtk-6_0-4-2.52.4-150600.12.68.1
* libwebkit2gtk-4_0-37-2.52.4-150600.12.68.1
* typelib-1_0-JavaScriptCore-4_0-2.52.4-150600.12.68.1
* webkit2gtk3-soup2-devel-2.52.4-150600.12.68.1
* libjavascriptcoregtk-4_0-18-debuginfo-2.52.4-150600.12.68.1
* webkitgtk-6_0-injected-bundles-2.52.4-150600.12.68.1
* webkit2gtk-4_0-injected-bundles-debuginfo-2.52.4-150600.12.68.1
* webkitgtk-6_0-injected-bundles-debuginfo-2.52.4-150600.12.68.1
* libjavascriptcoregtk-6_0-1-2.52.4-150600.12.68.1
* typelib-1_0-WebKit2WebExtension-4_0-2.52.4-150600.12.68.1
* typelib-1_0-WebKit2-4_0-2.52.4-150600.12.68.1
* libjavascriptcoregtk-6_0-1-debuginfo-2.52.4-150600.12.68.1
* Basesystem Module 15-SP7 (noarch)
* WebKitGTK-4.0-lang-2.52.4-150600.12.68.1
* WebKitGTK-6.0-lang-2.52.4-150600.12.68.1
* Desktop Applications Module 15-SP7 (noarch)
* WebKitGTK-4.1-lang-2.52.4-150600.12.68.1
* Desktop Applications Module 15-SP7 (aarch64 ppc64le s390x x86_64)
* typelib-1_0-WebKit2WebExtension-4_1-2.52.4-150600.12.68.1
* libwebkit2gtk-4_1-0-debuginfo-2.52.4-150600.12.68.1
* typelib-1_0-JavaScriptCore-4_1-2.52.4-150600.12.68.1
* webkit2gtk3-debugsource-2.52.4-150600.12.68.1
* typelib-1_0-WebKit2-4_1-2.52.4-150600.12.68.1
* webkit2gtk-4_1-injected-bundles-2.52.4-150600.12.68.1
* libjavascriptcoregtk-4_1-0-2.52.4-150600.12.68.1
* webkit2gtk-4_1-injected-bundles-debuginfo-2.52.4-150600.12.68.1
* libwebkit2gtk-4_1-0-2.52.4-150600.12.68.1
* webkit2gtk3-devel-2.52.4-150600.12.68.1
* libjavascriptcoregtk-4_1-0-debuginfo-2.52.4-150600.12.68.1
* Development Tools Module 15-SP7 (aarch64 ppc64le s390x x86_64)
* typelib-1_0-WebKitWebProcessExtension-6_0-2.52.4-150600.12.68.1
* webkit2gtk4-debugsource-2.52.4-150600.12.68.1
* webkit2gtk4-devel-2.52.4-150600.12.68.1
* typelib-1_0-WebKit-6_0-2.52.4-150600.12.68.1
* typelib-1_0-JavaScriptCore-6_0-2.52.4-150600.12.68.1
* SUSE Linux Enterprise Server 15 SP6 LTSS (noarch)
* WebKitGTK-4.1-lang-2.52.4-150600.12.68.1
* WebKitGTK-4.0-lang-2.52.4-150600.12.68.1
* WebKitGTK-6.0-lang-2.52.4-150600.12.68.1
* SUSE Linux Enterprise Server 15 SP6 LTSS (aarch64 ppc64le s390x x86_64)
* typelib-1_0-WebKit2WebExtension-4_1-2.52.4-150600.12.68.1
* webkit2gtk4-devel-2.52.4-150600.12.68.1
* libwebkitgtk-6_0-4-debuginfo-2.52.4-150600.12.68.1
* typelib-1_0-WebKit-6_0-2.52.4-150600.12.68.1
* libjavascriptcoregtk-4_0-18-debuginfo-2.52.4-150600.12.68.1
* typelib-1_0-JavaScriptCore-4_0-2.52.4-150600.12.68.1
* webkit2gtk3-soup2-devel-2.52.4-150600.12.68.1
* typelib-1_0-WebKit2-4_1-2.52.4-150600.12.68.1
* typelib-1_0-JavaScriptCore-6_0-2.52.4-150600.12.68.1
* libjavascriptcoregtk-6_0-1-debuginfo-2.52.4-150600.12.68.1
* webkit2gtk-4_0-injected-bundles-debuginfo-2.52.4-150600.12.68.1
* webkit2gtk-4_1-injected-bundles-debuginfo-2.52.4-150600.12.68.1
* libwebkit2gtk-4_1-0-2.52.4-150600.12.68.1
* typelib-1_0-WebKitWebProcessExtension-6_0-2.52.4-150600.12.68.1
* libwebkit2gtk-4_1-0-debuginfo-2.52.4-150600.12.68.1
* libwebkit2gtk-4_0-37-2.52.4-150600.12.68.1
* webkit2gtk-4_0-injected-bundles-2.52.4-150600.12.68.1
* webkitgtk-6_0-injected-bundles-2.52.4-150600.12.68.1
* webkit2gtk-4_1-injected-bundles-2.52.4-150600.12.68.1
* libjavascriptcoregtk-4_1-0-2.52.4-150600.12.68.1
* libjavascriptcoregtk-6_0-1-2.52.4-150600.12.68.1
* webkit2gtk3-devel-2.52.4-150600.12.68.1
* typelib-1_0-WebKit2WebExtension-4_0-2.52.4-150600.12.68.1
* libwebkit2gtk-4_0-37-debuginfo-2.52.4-150600.12.68.1
* webkit2gtk4-debugsource-2.52.4-150600.12.68.1
* webkit2gtk3-soup2-debugsource-2.52.4-150600.12.68.1
* typelib-1_0-JavaScriptCore-4_1-2.52.4-150600.12.68.1
* libjavascriptcoregtk-4_0-18-2.52.4-150600.12.68.1
* libwebkitgtk-6_0-4-2.52.4-150600.12.68.1
* webkit2gtk3-debugsource-2.52.4-150600.12.68.1
* webkitgtk-6_0-injected-bundles-debuginfo-2.52.4-150600.12.68.1
* typelib-1_0-WebKit2-4_0-2.52.4-150600.12.68.1
* libjavascriptcoregtk-4_1-0-debuginfo-2.52.4-150600.12.68.1
* SUSE Linux Enterprise Server for SAP Applications 15 SP6 (noarch)
* WebKitGTK-4.1-lang-2.52.4-150600.12.68.1
* WebKitGTK-4.0-lang-2.52.4-150600.12.68.1
* WebKitGTK-6.0-lang-2.52.4-150600.12.68.1
* SUSE Linux Enterprise Server for SAP Applications 15 SP6 (ppc64le x86_64)
* typelib-1_0-WebKit2WebExtension-4_1-2.52.4-150600.12.68.1
* webkit2gtk4-devel-2.52.4-150600.12.68.1
* libwebkitgtk-6_0-4-debuginfo-2.52.4-150600.12.68.1
* typelib-1_0-WebKit-6_0-2.52.4-150600.12.68.1
* libjavascriptcoregtk-4_0-18-debuginfo-2.52.4-150600.12.68.1
* typelib-1_0-JavaScriptCore-4_0-2.52.4-150600.12.68.1
* webkit2gtk3-soup2-devel-2.52.4-150600.12.68.1
* typelib-1_0-WebKit2-4_1-2.52.4-150600.12.68.1
* typelib-1_0-JavaScriptCore-6_0-2.52.4-150600.12.68.1
* libjavascriptcoregtk-6_0-1-debuginfo-2.52.4-150600.12.68.1
* webkit2gtk-4_0-injected-bundles-debuginfo-2.52.4-150600.12.68.1
* webkit2gtk-4_1-injected-bundles-debuginfo-2.52.4-150600.12.68.1
* libwebkit2gtk-4_1-0-2.52.4-150600.12.68.1
* typelib-1_0-WebKitWebProcessExtension-6_0-2.52.4-150600.12.68.1
* libwebkit2gtk-4_1-0-debuginfo-2.52.4-150600.12.68.1
* libwebkit2gtk-4_0-37-2.52.4-150600.12.68.1
* webkit2gtk-4_0-injected-bundles-2.52.4-150600.12.68.1
* webkitgtk-6_0-injected-bundles-2.52.4-150600.12.68.1
* webkit2gtk-4_1-injected-bundles-2.52.4-150600.12.68.1
* libjavascriptcoregtk-4_1-0-2.52.4-150600.12.68.1
* libjavascriptcoregtk-6_0-1-2.52.4-150600.12.68.1
* webkit2gtk3-devel-2.52.4-150600.12.68.1
* typelib-1_0-WebKit2WebExtension-4_0-2.52.4-150600.12.68.1
* libwebkit2gtk-4_0-37-debuginfo-2.52.4-150600.12.68.1
* webkit2gtk4-debugsource-2.52.4-150600.12.68.1
* webkit2gtk3-soup2-debugsource-2.52.4-150600.12.68.1
* typelib-1_0-JavaScriptCore-4_1-2.52.4-150600.12.68.1
* libjavascriptcoregtk-4_0-18-2.52.4-150600.12.68.1
* libwebkitgtk-6_0-4-2.52.4-150600.12.68.1
* webkit2gtk3-debugsource-2.52.4-150600.12.68.1
* webkitgtk-6_0-injected-bundles-debuginfo-2.52.4-150600.12.68.1
* typelib-1_0-WebKit2-4_0-2.52.4-150600.12.68.1
* libjavascriptcoregtk-4_1-0-debuginfo-2.52.4-150600.12.68.1
## References:
* https://www.suse.com/security/cve/CVE-2026-28847.html
* https://www.suse.com/security/cve/CVE-2026-28883.html
* https://www.suse.com/security/cve/CVE-2026-28901.html
* https://www.suse.com/security/cve/CVE-2026-28902.html
* https://www.suse.com/security/cve/CVE-2026-28903.html
* https://www.suse.com/security/cve/CVE-2026-28904.html
* https://www.suse.com/security/cve/CVE-2026-28905.html
* https://www.suse.com/security/cve/CVE-2026-28907.html
* https://www.suse.com/security/cve/CVE-2026-28942.html
* https://www.suse.com/security/cve/CVE-2026-28946.html
* https://www.suse.com/security/cve/CVE-2026-28947.html
* https://www.suse.com/security/cve/CVE-2026-28953.html
* https://www.suse.com/security/cve/CVE-2026-28955.html
* https://www.suse.com/security/cve/CVE-2026-28958.html
* https://www.suse.com/security/cve/CVE-2026-43658.html
* https://www.suse.com/security/cve/CVE-2026-43660.html
* https://bugzilla.suse.com/show_bug.cgi?id=1264745
* https://bugzilla.suse.com/show_bug.cgi?id=1267506
* https://bugzilla.suse.com/show_bug.cgi?id=1267507
* https://bugzilla.suse.com/show_bug.cgi?id=1267508
* https://bugzilla.suse.com/show_bug.cgi?id=1267509
* https://bugzilla.suse.com/show_bug.cgi?id=1267510
* https://bugzilla.suse.com/show_bug.cgi?id=1267511
* https://bugzilla.suse.com/show_bug.cgi?id=1267512
* https://bugzilla.suse.com/show_bug.cgi?id=1267513
* https://bugzilla.suse.com/show_bug.cgi?id=1267514
* https://bugzilla.suse.com/show_bug.cgi?id=1267515
* https://bugzilla.suse.com/show_bug.cgi?id=1267516
* https://bugzilla.suse.com/show_bug.cgi?id=1267517
* https://bugzilla.suse.com/show_bug.cgi?id=1267518
* https://bugzilla.suse.com/show_bug.cgi?id=1267519
* https://bugzilla.suse.com/show_bug.cgi?id=1267520
* https://bugzilla.suse.com/show_bug.cgi?id=1267521
SUSE-SU-2026:2374-1: important: Security update for tomcat11
# Security update for tomcat11
Announcement ID: SUSE-SU-2026:2374-1
Release Date: 2026-06-11T15:34:50Z
Rating: important
References:
* bsc#1265145
* bsc#1265162
* bsc#1265163
* bsc#1265165
* bsc#1265166
* bsc#1265167
* bsc#1265168
Cross-References:
* CVE-2026-41284
* CVE-2026-41293
* CVE-2026-42498
* CVE-2026-43512
* CVE-2026-43513
* CVE-2026-43514
* CVE-2026-43515
CVSS scores:
* CVE-2026-41284 ( SUSE ): 7.1
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
* CVE-2026-41284 ( SUSE ): 6.5 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
* CVE-2026-41284 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
* CVE-2026-41293 ( SUSE ): 8.7
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
* CVE-2026-41293 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
* CVE-2026-41293 ( NVD ): 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
* CVE-2026-42498 ( SUSE ): 6.9
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
* CVE-2026-42498 ( SUSE ): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
* CVE-2026-42498 ( NVD ): 7.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
* CVE-2026-43512 ( SUSE ): 6.9
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N
* CVE-2026-43512 ( SUSE ): 7.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
* CVE-2026-43512 ( NVD ): 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
* CVE-2026-43513 ( SUSE ): 5.3
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
* CVE-2026-43513 ( SUSE ): 5.4 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
* CVE-2026-43513 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
* CVE-2026-43514 ( SUSE ): 6.9
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
* CVE-2026-43514 ( SUSE ): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
* CVE-2026-43514 ( NVD ): 3.7 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
* CVE-2026-43515 ( SUSE ): 8.7
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N
* CVE-2026-43515 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
* CVE-2026-43515 ( NVD ): 9.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Affected Products:
* openSUSE Leap 15.6
* SUSE Linux Enterprise Server 15 SP6
* SUSE Linux Enterprise Server 15 SP6 LTSS
* SUSE Linux Enterprise Server 15 SP7
* SUSE Linux Enterprise Server for SAP Applications 15 SP6
* SUSE Linux Enterprise Server for SAP Applications 15 SP7
* Web and Scripting Module 15-SP7
An update that solves seven vulnerabilities can now be installed.
## Description:
This update for tomcat11 fixes the following issues:
Update to Tomcat 11.0.22:
* CVE-2026-41284: Unbounded read in WebDAV LOCK and PROPFIND handling
(bsc#1265162).
* CVE-2026-41293: HTTP/2 request headers not validated (bsc#1265163).
* CVE-2026-42498: WebSocket authentication header exposure (bsc#1265165).
* CVE-2026-43512: digest authenticator will authenticate any unknown user
(bsc#1265145).
* CVE-2026-43513: LockOutRealm treats user names as case-sensitive
(bsc#1265166).
* CVE-2026-43514: AJP secret compared in non-constant time (bsc#1265167).
* CVE-2026-43515: Security constraints not correctly applied (bsc#1265168).
Changes:
* Catalina
* Add: Enhance version.sh and version.bat to display APR, Tomcat Native, and
OpenSSL version information (both APR and FFM implementations), along with
version compatibility warnings and third-party library version information.
(csutherl)
* Code: Refactor generation of the remote user element in the access log to
remove unnecessary code. (markt)
* Fix: Fix a regression in the previous release that meant ?- could appear in
the access log rather than ? when the query string was present but empty.
(markt)
* Fix: Failed precondition should make WebDAV DELETE fail. #982 submitted by
Mahmoud Alarby. (remm)
* Fix: Align the escaping in ExtendedAccessLogValve with the other
AccessLogValve implementations. (markt)
* Fix: 70000: fix duplication of special headers in the response after commit,
following fix for 69967. (remm)
* Fix: Correct the handling of URIs mapped to a security constraint that only
specifies the special ** role for all authenticated users. Requests without
authentication were receiving 403 responses rather than 401 responses.
(markt)
* Fix: Fix a race condition in StandardContext.getServletContext() that could
cause the jakarta.servlet.context.tempdir attribute to be lost during a
context reload. Make the context field volatile and use locking to ensure
only one ApplicationContext instance is created. (dsoumis)
* Fix: Update the Windows authentication (kerberos) documentation to reflect
that both Java and Windows are removing / have removed support for RC4-HMAC.
The guide now uses AES256-SHA1. (markt)
* Fix: Add a new initialisation parameter for WebDAV, maxRequestBodySize which
limits the size of a WebDAV request body for LOCK and PROPFIND. The default
value is 4096 bytes. (markt)
* Add: Add a new caseSensitive attribute to the LockOutRealm that controls the
manner in which user names are treated when making locking decisions. The
default is false, meaning user names are treated in a case insensitive
manner. (markt)
* Fix: Correct the handling of invalid users with DIGEST authentication.
(markt)
* Fix: Ensure RealmBase finds all matching extension based security
constraints. (markt)
* Coyote
* Fix: Avoid various edge cases if Content-Length is set via
setHeader(String,String) or addHeader(String,String) with an invalid value
by always clearing the previous value whether the new value is valid or not
and ignoring any invalid new value. (markt)
* Code: Refactor the calculation of the real index in the HPACK dynamic header
table implementation to reduce code duplication. (markt)
* Fix: Fix various minor issues with some HTTP/2 stream error messages for
HTTP/2. (markt)
* Fix: Consistently reject URIs containing NULL bytes when normalizing.
* Fix: Fix a few minor memory leaks on error paths reading TLS keys and
certificates when using FFM. (markt)
* Fix: Refactor clean-up after HTTP/2 headers have been processed to aid GC
after a stream reset. (markt)
* Fix: Align HTTP/2 trailer fields with HTTP/1.1 and filter out any fields not
permitted in trailers. (markt)
* Fix: Free private keys after use in FFM based connector configuration.
* Fix: Correct an unlikely edge-case parsing bug in the HTTP/2 HPACK header
decoding that could result in a valid header triggering an unexpected
connection close. (markt)
* Fix: Refactor HTTP/2 HPACK encoding so header field names are only converted
to lower case once during the encoding process. (markt)
* Fix: Refactor HTTP/2 header field validation so it occurs earlier. Extend
validation to check for disallowed characters as well as upper case
characters. (markt)
* Fix: Add TLS 1.3 groups added in OpenSSL 4.0. (remm)
* Fix: Add validation that the HTTP/2 :scheme pseudo-header is consistent with
the use (or not) of TLS. (markt)
* Fix: Correct the validation of pseudo headers and CONNECT requests to align
Tomcat's behaviour with RFC 9113, section 8.5. (markt)
* Fix: Fix a potential integer overflow when allocating capacity from a
connection level window update to individual HTTP/2 streams. Based on #996
by Mike Tingey Jr. (markt)
* Fix: Switch AJP secret comparison to a constant time algorithm. (markt)
* WebSocket
* Fix: Fix the initial connection to a WebSocket end point where the
connection is made via a proxy that requires DIGEST authentication.
* Other
* Fix: 69993: Update the URL to the CDDL 1.0 license. (markt)
* Add: Add warning when OpenSSL binary is not found. (csutherl)
* Add: Add check for Tomcat Native library, and log warning when it's not
found to make it easier to see when it's not used by the suite. (csutherl)
* Update: Update Byte Buddy to 1.18.8. (markt)
* Update: Update Bouncy Castle to 1.84. (markt)
* Update: Improvements to French translations. (remm)
* Update: Improvements to Japanese translations provided by tak7iji. (markt)
## Patch Instructions:
To install this SUSE update use the SUSE recommended installation methods like
YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
* openSUSE Leap 15.6
zypper in -t patch SUSE-2026-2374=1
* Web and Scripting Module 15-SP7
zypper in -t patch SUSE-SLE-Module-Web-Scripting-15-SP7-2026-2374=1
* SUSE Linux Enterprise Server 15 SP6 LTSS
zypper in -t patch SUSE-SLE-Product-SLES-15-SP6-LTSS-2026-2374=1
* SUSE Linux Enterprise Server for SAP Applications 15 SP6
zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-SP6-2026-2374=1
## Package List:
* openSUSE Leap 15.6 (noarch)
* tomcat11-embed-11.0.22-150600.13.21.1
* tomcat11-jsp-4_0-api-11.0.22-150600.13.21.1
* tomcat11-lib-11.0.22-150600.13.21.1
* tomcat11-webapps-11.0.22-150600.13.21.1
* tomcat11-docs-webapp-11.0.22-150600.13.21.1
* tomcat11-jsvc-11.0.22-150600.13.21.1
* tomcat11-doc-11.0.22-150600.13.21.1
* tomcat11-servlet-6_1-api-11.0.22-150600.13.21.1
* tomcat11-11.0.22-150600.13.21.1
* tomcat11-admin-webapps-11.0.22-150600.13.21.1
* tomcat11-el-6_0-api-11.0.22-150600.13.21.1
* Web and Scripting Module 15-SP7 (noarch)
* tomcat11-jsp-4_0-api-11.0.22-150600.13.21.1
* tomcat11-lib-11.0.22-150600.13.21.1
* tomcat11-webapps-11.0.22-150600.13.21.1
* tomcat11-servlet-6_1-api-11.0.22-150600.13.21.1
* tomcat11-11.0.22-150600.13.21.1
* tomcat11-admin-webapps-11.0.22-150600.13.21.1
* tomcat11-el-6_0-api-11.0.22-150600.13.21.1
* SUSE Linux Enterprise Server 15 SP6 LTSS (noarch)
* tomcat11-jsp-4_0-api-11.0.22-150600.13.21.1
* tomcat11-lib-11.0.22-150600.13.21.1
* tomcat11-webapps-11.0.22-150600.13.21.1
* tomcat11-servlet-6_1-api-11.0.22-150600.13.21.1
* tomcat11-11.0.22-150600.13.21.1
* tomcat11-admin-webapps-11.0.22-150600.13.21.1
* tomcat11-el-6_0-api-11.0.22-150600.13.21.1
* SUSE Linux Enterprise Server for SAP Applications 15 SP6 (noarch)
* tomcat11-jsp-4_0-api-11.0.22-150600.13.21.1
* tomcat11-lib-11.0.22-150600.13.21.1
* tomcat11-webapps-11.0.22-150600.13.21.1
* tomcat11-servlet-6_1-api-11.0.22-150600.13.21.1
* tomcat11-11.0.22-150600.13.21.1
* tomcat11-admin-webapps-11.0.22-150600.13.21.1
* tomcat11-el-6_0-api-11.0.22-150600.13.21.1
## References:
* https://www.suse.com/security/cve/CVE-2026-41284.html
* https://www.suse.com/security/cve/CVE-2026-41293.html
* https://www.suse.com/security/cve/CVE-2026-42498.html
* https://www.suse.com/security/cve/CVE-2026-43512.html
* https://www.suse.com/security/cve/CVE-2026-43513.html
* https://www.suse.com/security/cve/CVE-2026-43514.html
* https://www.suse.com/security/cve/CVE-2026-43515.html
* https://bugzilla.suse.com/show_bug.cgi?id=1265145
* https://bugzilla.suse.com/show_bug.cgi?id=1265162
* https://bugzilla.suse.com/show_bug.cgi?id=1265163
* https://bugzilla.suse.com/show_bug.cgi?id=1265165
* https://bugzilla.suse.com/show_bug.cgi?id=1265166
* https://bugzilla.suse.com/show_bug.cgi?id=1265167
* https://bugzilla.suse.com/show_bug.cgi?id=1265168
SUSE-SU-2026:2375-1: important: Security update for openssh
# Security update for openssh
Announcement ID: SUSE-SU-2026:2375-1
Release Date: 2026-06-11T16:06:35Z
Rating: important
References:
* bsc#1259642
* bsc#1261427
* bsc#1261430
* bsc#1261441
* bsc#1264568
Cross-References:
* CVE-2026-3497
* CVE-2026-35385
* CVE-2026-35388
* CVE-2026-35414
CVSS scores:
* CVE-2026-3497 ( SUSE ): 6.9
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N
* CVE-2026-3497 ( SUSE ): 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L
* CVE-2026-3497 ( NVD ): 6.9
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
* CVE-2026-3497 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
* CVE-2026-35385 ( SUSE ): 7.5
CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
* CVE-2026-35385 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
* CVE-2026-35385 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
* CVE-2026-35385 ( NVD ): 8.1 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
* CVE-2026-35388 ( SUSE ): 2.1
CVSS:4.0/AV:L/AC:H/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
* CVE-2026-35388 ( SUSE ): 2.5 CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N
* CVE-2026-35388 ( NVD ): 2.5 CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N
* CVE-2026-35388 ( NVD ): 2.5 CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N
* CVE-2026-35414 ( SUSE ): 2.3
CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
* CVE-2026-35414 ( SUSE ): 4.2 CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N
* CVE-2026-35414 ( NVD ): 4.2 CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N
* CVE-2026-35414 ( NVD ): 8.1 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Affected Products:
* openSUSE Leap 15.3
* SUSE Linux Enterprise High Performance Computing 15 SP4
* SUSE Linux Enterprise High Performance Computing 15 SP5
* SUSE Linux Enterprise High Performance Computing ESPOS 15 SP4
* SUSE Linux Enterprise High Performance Computing ESPOS 15 SP5
* SUSE Linux Enterprise High Performance Computing LTSS 15 SP4
* SUSE Linux Enterprise High Performance Computing LTSS 15 SP5
* SUSE Linux Enterprise Micro 5.3
* SUSE Linux Enterprise Micro 5.4
* SUSE Linux Enterprise Micro 5.5
* SUSE Linux Enterprise Micro for Rancher 5.3
* SUSE Linux Enterprise Micro for Rancher 5.4
* SUSE Linux Enterprise Server 15 SP4
* SUSE Linux Enterprise Server 15 SP4 LTSS
* SUSE Linux Enterprise Server 15 SP5
* SUSE Linux Enterprise Server 15 SP5 LTSS
* SUSE Linux Enterprise Server for SAP Applications 15 SP4
* SUSE Linux Enterprise Server for SAP Applications 15 SP5
An update that solves four vulnerabilities and has one security fix can now be
installed.
## Description:
This update for openssh fixes the following issues:
* CVE-2026-3497: information disclosure or denial of service due to
uninitialized variables (bsc#1259642).
* CVE-2026-35385: a file downloaded by scp may be installed setuid or setgid
(bsc#1261427).
* CVE-2026-35388: omitted connection multiplexing confirmation for proxy-mode
multiplexing sessions (bsc#1261441).
* CVE-2026-35414: mishandling of authorized_keys principals option
(bsc#1261430).
* potential security issue when validating mac (bsc#1264568).
## Patch Instructions:
To install this SUSE update use the SUSE recommended installation methods like
YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
* openSUSE Leap 15.3
zypper in -t patch SUSE-2026-2375=1
* SUSE Linux Enterprise Micro 5.5
zypper in -t patch SUSE-SLE-Micro-5.5-2026-2375=1
* SUSE Linux Enterprise Micro for Rancher 5.3
zypper in -t patch SUSE-SLE-Micro-5.3-2026-2375=1
* SUSE Linux Enterprise Micro 5.3
zypper in -t patch SUSE-SLE-Micro-5.3-2026-2375=1
* SUSE Linux Enterprise Micro for Rancher 5.4
zypper in -t patch SUSE-SLE-Micro-5.4-2026-2375=1
* SUSE Linux Enterprise Micro 5.4
zypper in -t patch SUSE-SLE-Micro-5.4-2026-2375=1
* SUSE Linux Enterprise High Performance Computing ESPOS 15 SP4
zypper in -t patch SUSE-SLE-Product-HPC-15-SP4-ESPOS-2026-2375=1
* SUSE Linux Enterprise High Performance Computing LTSS 15 SP4
zypper in -t patch SUSE-SLE-Product-HPC-15-SP4-LTSS-2026-2375=1
* SUSE Linux Enterprise High Performance Computing ESPOS 15 SP5
zypper in -t patch SUSE-SLE-Product-HPC-15-SP5-ESPOS-2026-2375=1
* SUSE Linux Enterprise High Performance Computing LTSS 15 SP5
zypper in -t patch SUSE-SLE-Product-HPC-15-SP5-LTSS-2026-2375=1
* SUSE Linux Enterprise Server 15 SP4 LTSS
zypper in -t patch SUSE-SLE-Product-SLES-15-SP4-LTSS-2026-2375=1
* SUSE Linux Enterprise Server 15 SP5 LTSS
zypper in -t patch SUSE-SLE-Product-SLES-15-SP5-LTSS-2026-2375=1
* SUSE Linux Enterprise Server for SAP Applications 15 SP4
zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-SP4-2026-2375=1
* SUSE Linux Enterprise Server for SAP Applications 15 SP5
zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-SP5-2026-2375=1
## Package List:
* openSUSE Leap 15.3 (aarch64 ppc64le s390x x86_64 i586)
* openssh-helpers-8.4p1-150300.3.65.1
* openssh-askpass-gnome-8.4p1-150300.3.65.1
* openssh-common-debuginfo-8.4p1-150300.3.65.1
* openssh-common-8.4p1-150300.3.65.1
* openssh-cavs-debuginfo-8.4p1-150300.3.65.1
* openssh-server-debuginfo-8.4p1-150300.3.65.1
* openssh-askpass-gnome-debugsource-8.4p1-150300.3.65.1
* openssh-debuginfo-8.4p1-150300.3.65.1
* openssh-clients-debuginfo-8.4p1-150300.3.65.1
* openssh-askpass-gnome-debuginfo-8.4p1-150300.3.65.1
* openssh-cavs-8.4p1-150300.3.65.1
* openssh-debugsource-8.4p1-150300.3.65.1
* openssh-clients-8.4p1-150300.3.65.1
* openssh-helpers-debuginfo-8.4p1-150300.3.65.1
* openssh-8.4p1-150300.3.65.1
* openssh-server-8.4p1-150300.3.65.1
* openssh-fips-8.4p1-150300.3.65.1
* SUSE Linux Enterprise Micro 5.5 (aarch64 ppc64le s390x x86_64)
* openssh-common-debuginfo-8.4p1-150300.3.65.1
* openssh-common-8.4p1-150300.3.65.1
* openssh-server-debuginfo-8.4p1-150300.3.65.1
* openssh-debuginfo-8.4p1-150300.3.65.1
* openssh-clients-debuginfo-8.4p1-150300.3.65.1
* openssh-debugsource-8.4p1-150300.3.65.1
* openssh-server-8.4p1-150300.3.65.1
* openssh-clients-8.4p1-150300.3.65.1
* openssh-8.4p1-150300.3.65.1
* openssh-fips-8.4p1-150300.3.65.1
* SUSE Linux Enterprise Micro for Rancher 5.3 (aarch64 s390x x86_64)
* openssh-common-debuginfo-8.4p1-150300.3.65.1
* openssh-common-8.4p1-150300.3.65.1
* openssh-server-debuginfo-8.4p1-150300.3.65.1
* openssh-debuginfo-8.4p1-150300.3.65.1
* openssh-clients-debuginfo-8.4p1-150300.3.65.1
* openssh-debugsource-8.4p1-150300.3.65.1
* openssh-server-8.4p1-150300.3.65.1
* openssh-clients-8.4p1-150300.3.65.1
* openssh-8.4p1-150300.3.65.1
* openssh-fips-8.4p1-150300.3.65.1
* SUSE Linux Enterprise Micro 5.3 (aarch64 s390x x86_64)
* openssh-common-debuginfo-8.4p1-150300.3.65.1
* openssh-common-8.4p1-150300.3.65.1
* openssh-server-debuginfo-8.4p1-150300.3.65.1
* openssh-debuginfo-8.4p1-150300.3.65.1
* openssh-clients-debuginfo-8.4p1-150300.3.65.1
* openssh-debugsource-8.4p1-150300.3.65.1
* openssh-server-8.4p1-150300.3.65.1
* openssh-clients-8.4p1-150300.3.65.1
* openssh-8.4p1-150300.3.65.1
* openssh-fips-8.4p1-150300.3.65.1
* SUSE Linux Enterprise Micro for Rancher 5.4 (aarch64 s390x x86_64)
* openssh-common-debuginfo-8.4p1-150300.3.65.1
* openssh-common-8.4p1-150300.3.65.1
* openssh-server-debuginfo-8.4p1-150300.3.65.1
* openssh-debuginfo-8.4p1-150300.3.65.1
* openssh-clients-debuginfo-8.4p1-150300.3.65.1
* openssh-debugsource-8.4p1-150300.3.65.1
* openssh-server-8.4p1-150300.3.65.1
* openssh-clients-8.4p1-150300.3.65.1
* openssh-8.4p1-150300.3.65.1
* openssh-fips-8.4p1-150300.3.65.1
* SUSE Linux Enterprise Micro 5.4 (aarch64 s390x x86_64)
* openssh-common-debuginfo-8.4p1-150300.3.65.1
* openssh-common-8.4p1-150300.3.65.1
* openssh-server-debuginfo-8.4p1-150300.3.65.1
* openssh-debuginfo-8.4p1-150300.3.65.1
* openssh-clients-debuginfo-8.4p1-150300.3.65.1
* openssh-debugsource-8.4p1-150300.3.65.1
* openssh-server-8.4p1-150300.3.65.1
* openssh-clients-8.4p1-150300.3.65.1
* openssh-8.4p1-150300.3.65.1
* openssh-fips-8.4p1-150300.3.65.1
* SUSE Linux Enterprise High Performance Computing ESPOS 15 SP4 (aarch64
x86_64)
* openssh-helpers-8.4p1-150300.3.65.1
* openssh-askpass-gnome-8.4p1-150300.3.65.1
* openssh-common-debuginfo-8.4p1-150300.3.65.1
* openssh-common-8.4p1-150300.3.65.1
* openssh-server-debuginfo-8.4p1-150300.3.65.1
* openssh-askpass-gnome-debugsource-8.4p1-150300.3.65.1
* openssh-debuginfo-8.4p1-150300.3.65.1
* openssh-clients-debuginfo-8.4p1-150300.3.65.1
* openssh-askpass-gnome-debuginfo-8.4p1-150300.3.65.1
* openssh-debugsource-8.4p1-150300.3.65.1
* openssh-helpers-debuginfo-8.4p1-150300.3.65.1
* openssh-clients-8.4p1-150300.3.65.1
* openssh-server-8.4p1-150300.3.65.1
* openssh-8.4p1-150300.3.65.1
* openssh-fips-8.4p1-150300.3.65.1
* SUSE Linux Enterprise High Performance Computing LTSS 15 SP4 (aarch64
x86_64)
* openssh-helpers-8.4p1-150300.3.65.1
* openssh-askpass-gnome-8.4p1-150300.3.65.1
* openssh-common-debuginfo-8.4p1-150300.3.65.1
* openssh-common-8.4p1-150300.3.65.1
* openssh-server-debuginfo-8.4p1-150300.3.65.1
* openssh-askpass-gnome-debugsource-8.4p1-150300.3.65.1
* openssh-debuginfo-8.4p1-150300.3.65.1
* openssh-clients-debuginfo-8.4p1-150300.3.65.1
* openssh-askpass-gnome-debuginfo-8.4p1-150300.3.65.1
* openssh-debugsource-8.4p1-150300.3.65.1
* openssh-helpers-debuginfo-8.4p1-150300.3.65.1
* openssh-clients-8.4p1-150300.3.65.1
* openssh-server-8.4p1-150300.3.65.1
* openssh-8.4p1-150300.3.65.1
* openssh-fips-8.4p1-150300.3.65.1
* SUSE Linux Enterprise High Performance Computing ESPOS 15 SP5 (aarch64
x86_64)
* openssh-helpers-8.4p1-150300.3.65.1
* openssh-askpass-gnome-8.4p1-150300.3.65.1
* openssh-common-debuginfo-8.4p1-150300.3.65.1
* openssh-common-8.4p1-150300.3.65.1
* openssh-server-debuginfo-8.4p1-150300.3.65.1
* openssh-askpass-gnome-debugsource-8.4p1-150300.3.65.1
* openssh-debuginfo-8.4p1-150300.3.65.1
* openssh-clients-debuginfo-8.4p1-150300.3.65.1
* openssh-askpass-gnome-debuginfo-8.4p1-150300.3.65.1
* openssh-debugsource-8.4p1-150300.3.65.1
* openssh-helpers-debuginfo-8.4p1-150300.3.65.1
* openssh-clients-8.4p1-150300.3.65.1
* openssh-server-8.4p1-150300.3.65.1
* openssh-8.4p1-150300.3.65.1
* openssh-fips-8.4p1-150300.3.65.1
* SUSE Linux Enterprise High Performance Computing LTSS 15 SP5 (aarch64
x86_64)
* openssh-helpers-8.4p1-150300.3.65.1
* openssh-askpass-gnome-8.4p1-150300.3.65.1
* openssh-common-debuginfo-8.4p1-150300.3.65.1
* openssh-common-8.4p1-150300.3.65.1
* openssh-server-debuginfo-8.4p1-150300.3.65.1
* openssh-askpass-gnome-debugsource-8.4p1-150300.3.65.1
* openssh-debuginfo-8.4p1-150300.3.65.1
* openssh-clients-debuginfo-8.4p1-150300.3.65.1
* openssh-askpass-gnome-debuginfo-8.4p1-150300.3.65.1
* openssh-debugsource-8.4p1-150300.3.65.1
* openssh-helpers-debuginfo-8.4p1-150300.3.65.1
* openssh-clients-8.4p1-150300.3.65.1
* openssh-server-8.4p1-150300.3.65.1
* openssh-8.4p1-150300.3.65.1
* openssh-fips-8.4p1-150300.3.65.1
* SUSE Linux Enterprise Server 15 SP4 LTSS (aarch64 ppc64le s390x x86_64)
* openssh-helpers-8.4p1-150300.3.65.1
* openssh-askpass-gnome-8.4p1-150300.3.65.1
* openssh-common-debuginfo-8.4p1-150300.3.65.1
* openssh-common-8.4p1-150300.3.65.1
* openssh-server-debuginfo-8.4p1-150300.3.65.1
* openssh-askpass-gnome-debugsource-8.4p1-150300.3.65.1
* openssh-debuginfo-8.4p1-150300.3.65.1
* openssh-clients-debuginfo-8.4p1-150300.3.65.1
* openssh-askpass-gnome-debuginfo-8.4p1-150300.3.65.1
* openssh-debugsource-8.4p1-150300.3.65.1
* openssh-helpers-debuginfo-8.4p1-150300.3.65.1
* openssh-clients-8.4p1-150300.3.65.1
* openssh-server-8.4p1-150300.3.65.1
* openssh-8.4p1-150300.3.65.1
* openssh-fips-8.4p1-150300.3.65.1
* SUSE Linux Enterprise Server 15 SP5 LTSS (aarch64 ppc64le s390x x86_64)
* openssh-helpers-8.4p1-150300.3.65.1
* openssh-askpass-gnome-8.4p1-150300.3.65.1
* openssh-common-debuginfo-8.4p1-150300.3.65.1
* openssh-common-8.4p1-150300.3.65.1
* openssh-server-debuginfo-8.4p1-150300.3.65.1
* openssh-askpass-gnome-debugsource-8.4p1-150300.3.65.1
* openssh-debuginfo-8.4p1-150300.3.65.1
* openssh-clients-debuginfo-8.4p1-150300.3.65.1
* openssh-askpass-gnome-debuginfo-8.4p1-150300.3.65.1
* openssh-debugsource-8.4p1-150300.3.65.1
* openssh-helpers-debuginfo-8.4p1-150300.3.65.1
* openssh-clients-8.4p1-150300.3.65.1
* openssh-server-8.4p1-150300.3.65.1
* openssh-8.4p1-150300.3.65.1
* openssh-fips-8.4p1-150300.3.65.1
* SUSE Linux Enterprise Server for SAP Applications 15 SP4 (ppc64le x86_64)
* openssh-helpers-8.4p1-150300.3.65.1
* openssh-askpass-gnome-8.4p1-150300.3.65.1
* openssh-common-debuginfo-8.4p1-150300.3.65.1
* openssh-common-8.4p1-150300.3.65.1
* openssh-server-debuginfo-8.4p1-150300.3.65.1
* openssh-askpass-gnome-debugsource-8.4p1-150300.3.65.1
* openssh-debuginfo-8.4p1-150300.3.65.1
* openssh-clients-debuginfo-8.4p1-150300.3.65.1
* openssh-askpass-gnome-debuginfo-8.4p1-150300.3.65.1
* openssh-debugsource-8.4p1-150300.3.65.1
* openssh-helpers-debuginfo-8.4p1-150300.3.65.1
* openssh-clients-8.4p1-150300.3.65.1
* openssh-server-8.4p1-150300.3.65.1
* openssh-8.4p1-150300.3.65.1
* openssh-fips-8.4p1-150300.3.65.1
* SUSE Linux Enterprise Server for SAP Applications 15 SP5 (ppc64le x86_64)
* openssh-helpers-8.4p1-150300.3.65.1
* openssh-askpass-gnome-8.4p1-150300.3.65.1
* openssh-common-debuginfo-8.4p1-150300.3.65.1
* openssh-common-8.4p1-150300.3.65.1
* openssh-server-debuginfo-8.4p1-150300.3.65.1
* openssh-askpass-gnome-debugsource-8.4p1-150300.3.65.1
* openssh-debuginfo-8.4p1-150300.3.65.1
* openssh-clients-debuginfo-8.4p1-150300.3.65.1
* openssh-debugsource-8.4p1-150300.3.65.1
* openssh-server-8.4p1-150300.3.65.1
* openssh-helpers-debuginfo-8.4p1-150300.3.65.1
* openssh-clients-8.4p1-150300.3.65.1
* openssh-askpass-gnome-debuginfo-8.4p1-150300.3.65.1
* openssh-8.4p1-150300.3.65.1
* openssh-fips-8.4p1-150300.3.65.1
## References:
* https://www.suse.com/security/cve/CVE-2026-3497.html
* https://www.suse.com/security/cve/CVE-2026-35385.html
* https://www.suse.com/security/cve/CVE-2026-35388.html
* https://www.suse.com/security/cve/CVE-2026-35414.html
* https://bugzilla.suse.com/show_bug.cgi?id=1259642
* https://bugzilla.suse.com/show_bug.cgi?id=1261427
* https://bugzilla.suse.com/show_bug.cgi?id=1261430
* https://bugzilla.suse.com/show_bug.cgi?id=1261441
* https://bugzilla.suse.com/show_bug.cgi?id=1264568
SUSE-SU-2026:2378-1: important: Security update for webkit2gtk3
# Security update for webkit2gtk3
Announcement ID: SUSE-SU-2026:2378-1
Release Date: 2026-06-11T16:10:30Z
Rating: important
References:
* bsc#1267506
* bsc#1267507
* bsc#1267508
* bsc#1267509
* bsc#1267510
* bsc#1267511
* bsc#1267512
* bsc#1267513
* bsc#1267514
* bsc#1267515
* bsc#1267516
* bsc#1267517
* bsc#1267518
* bsc#1267519
* bsc#1267520
* bsc#1267521
Cross-References:
* CVE-2026-28847
* CVE-2026-28883
* CVE-2026-28901
* CVE-2026-28902
* CVE-2026-28903
* CVE-2026-28904
* CVE-2026-28905
* CVE-2026-28907
* CVE-2026-28942
* CVE-2026-28946
* CVE-2026-28947
* CVE-2026-28953
* CVE-2026-28955
* CVE-2026-28958
* CVE-2026-43658
* CVE-2026-43660
CVSS scores:
* CVE-2026-28847 ( SUSE ): 8.7
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
* CVE-2026-28847 ( SUSE ): 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
* CVE-2026-28847 ( NVD ): 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
* CVE-2026-28883 ( SUSE ): 7.7
CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
* CVE-2026-28883 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
* CVE-2026-28883 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
* CVE-2026-28901 ( SUSE ): 7.1
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
* CVE-2026-28901 ( SUSE ): 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
* CVE-2026-28901 ( NVD ): 4.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L
* CVE-2026-28902 ( SUSE ): 7.1
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
* CVE-2026-28902 ( SUSE ): 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
* CVE-2026-28902 ( NVD ): 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
* CVE-2026-28903 ( SUSE ): 7.1
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
* CVE-2026-28903 ( SUSE ): 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
* CVE-2026-28903 ( NVD ): 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
* CVE-2026-28904 ( SUSE ): 7.1
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
* CVE-2026-28904 ( SUSE ): 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
* CVE-2026-28904 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
* CVE-2026-28905 ( SUSE ): 7.1
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
* CVE-2026-28905 ( SUSE ): 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
* CVE-2026-28905 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
* CVE-2026-28907 ( SUSE ): 7.1
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N
* CVE-2026-28907 ( SUSE ): 7.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N
* CVE-2026-28907 ( NVD ): 8.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
* CVE-2026-28942 ( SUSE ): 7.7
CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
* CVE-2026-28942 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
* CVE-2026-28942 ( NVD ): 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
* CVE-2026-28946 ( SUSE ): 7.7
CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
* CVE-2026-28946 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
* CVE-2026-28946 ( NVD ): 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
* CVE-2026-28947 ( SUSE ): 7.7
CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
* CVE-2026-28947 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
* CVE-2026-28947 ( NVD ): 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
* CVE-2026-28953 ( SUSE ): 7.1
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
* CVE-2026-28953 ( SUSE ): 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
* CVE-2026-28953 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
* CVE-2026-28955 ( SUSE ): 7.7
CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
* CVE-2026-28955 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
* CVE-2026-28955 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
* CVE-2026-28958 ( SUSE ): 7.1
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
* CVE-2026-28958 ( SUSE ): 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
* CVE-2026-28958 ( NVD ): 5.5 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
* CVE-2026-43658 ( SUSE ): 7.1
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
* CVE-2026-43658 ( SUSE ): 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
* CVE-2026-43658 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
* CVE-2026-43660 ( SUSE ): 7.1
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N
* CVE-2026-43660 ( SUSE ): 7.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N
* CVE-2026-43660 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Affected Products:
* openSUSE Leap 15.4
* SUSE Linux Enterprise High Performance Computing 15 SP4
* SUSE Linux Enterprise High Performance Computing 15 SP5
* SUSE Linux Enterprise High Performance Computing ESPOS 15 SP4
* SUSE Linux Enterprise High Performance Computing ESPOS 15 SP5
* SUSE Linux Enterprise Server 15 SP4
* SUSE Linux Enterprise Server 15 SP4 LTSS
* SUSE Linux Enterprise Server 15 SP5
* SUSE Linux Enterprise Server 15 SP5 LTSS
* SUSE Linux Enterprise Server for SAP Applications 15 SP5
An update that solves 16 vulnerabilities can now be installed.
## Description:
This update for webkit2gtk3 fixes the following issues:
Update to version 2.52.4:
* CVE-2026-28847: processing maliciously crafted web content may lead to an
unexpected process crash or arbitrary code execution due to a heap buffer
overflow (bsc#1267506).
* CVE-2026-28883: processing maliciously crafted web content may lead to an
unexpected process crash due to a use-after-free issue (bsc#1267507).
* CVE-2026-28901: processing maliciously crafted web content may lead to an
unexpected process crash due to improper memory handling (bsc#1267508).
* CVE-2026-28902: processing maliciously crafted web content may lead to an
unexpected process crash due to improper memory handling (bsc#1267509).
* CVE-2026-28903: processing maliciously crafted web content may lead to an
unexpected process crash due to improper memory handling (bsc#1267510).
* CVE-2026-28904: processing maliciously crafted web content may lead to an
unexpected process crash due to improper memory handling (bsc#1267511).
* CVE-2026-28905: processing maliciously crafted web content may lead to an
unexpected process crash due to improper memory handling (bsc#1267512).
* CVE-2026-28907: processing maliciously crafted web content may prevent
Content Security Policy from being enforced due to improper input validation
(bsc#1267513).
* CVE-2026-28942: processing maliciously crafted web content may lead to an
unexpected crash due to use-after-free (bsc#1267514).
* CVE-2026-28946: processing maliciously crafted web content may lead to an
unexpected crash due to a use-after-free (bsc#1267515).
* CVE-2026-28947: processing maliciously crafted web content may lead to an
unexpected crash due to a use-after-free (bsc#1267516).
* CVE-2026-28953: processing maliciously crafted web content may lead to an
unexpected process crash due to improper memory handling (bsc#1267517).
* CVE-2026-28955: processing maliciously crafted web content may lead to an
unexpected process crash due to improper memory handling (bsc#1267518).
* CVE-2026-28958: an app may be able to access sensitive user data due to
improper data protection (bsc#1267519).
* CVE-2026-43658: processing maliciously crafted web content may lead to an
unexpected crash due to improper memory handling (bsc#1267520).
* CVE-2026-43660: processing maliciously crafted web content may prevent
Content Security Policy from being enforced due to issues with logic
(bsc#1267521).
Changes:
* Add support for half-width fonts.
* Improve content filter compilation by avoiding file copies.
* Improve handling of out of disk space conditions when the NetworkProcess
tried to write data in caches.
* Improve how the CMake build system checks whether libatomic is required.
* Fix painting scrollbars when their width changes.
* Fix playback of certain YouTube videos with low frame rates.
* Fix webkit://gpu not working in systems where neither libGL.so.1 nor
libOpenGL.so.0 are available.
* Fix the build with librice 0.4 or newer when the GStreamer WebRTC backend is
enabled at build configuration time.
* Fix the build with USE_GSTREAMER_WEBRTC=OFF.
* Fix the build with USE_GBM=OFF.
* Fix several crashes and rendering issues.
* Add support for the "scrollbar-color" CSS property.
* Fix some emoji glyphs being rendered as missing glyph boxes.
* Fix JavaScriptCore crashes on architectures other than x86_64.
* Fix the build on s390x.
* Changes in version 2.52.2:
* Improve handling of real-time threads.
* Fix scrollbar rendering glitches visible in some GPU configurations.
* Fix V4L2 hardware accelerated media codecs not working due to overly
restrictive sandbox device access rules.
* Fix leak of bitmap images in webkit_favicon_database_get_favicon_finish().
* Fix the build with USE_GTK4=OFF.
## Patch Instructions:
To install this SUSE update use the SUSE recommended installation methods like
YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
* openSUSE Leap 15.4
zypper in -t patch SUSE-2026-2378=1
* SUSE Linux Enterprise High Performance Computing ESPOS 15 SP4
zypper in -t patch SUSE-SLE-Product-HPC-15-SP4-ESPOS-2026-2378=1
* SUSE Linux Enterprise High Performance Computing ESPOS 15 SP5
zypper in -t patch SUSE-SLE-Product-HPC-15-SP5-ESPOS-2026-2378=1
* SUSE Linux Enterprise Server 15 SP4 LTSS
zypper in -t patch SUSE-SLE-Product-SLES-15-SP4-LTSS-2026-2378=1
* SUSE Linux Enterprise Server 15 SP5 LTSS
zypper in -t patch SUSE-SLE-Product-SLES-15-SP5-LTSS-2026-2378=1
* SUSE Linux Enterprise Server for SAP Applications 15 SP5
zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-SP5-2026-2378=1
## Package List:
* openSUSE Leap 15.4 (noarch)
* WebKitGTK-4.1-lang-2.52.4-150400.4.143.1
* WebKitGTK-4.0-lang-2.52.4-150400.4.143.1
* WebKitGTK-6.0-lang-2.52.4-150400.4.143.1
* openSUSE Leap 15.4 (aarch64 ppc64le s390x x86_64 i586)
* webkit-jsc-4-debuginfo-2.52.4-150400.4.143.1
* libwebkit2gtk-4_0-37-2.52.4-150400.4.143.1
* webkitgtk-6_0-injected-bundles-2.52.4-150400.4.143.1
* libjavascriptcoregtk-6_0-1-debuginfo-2.52.4-150400.4.143.1
* webkit2gtk4-debugsource-2.52.4-150400.4.143.1
* webkit2gtk3-soup2-minibrowser-2.52.4-150400.4.143.1
* webkit-jsc-4.1-debuginfo-2.52.4-150400.4.143.1
* webkit2gtk-4_1-injected-bundles-debuginfo-2.52.4-150400.4.143.1
* libjavascriptcoregtk-4_1-0-debuginfo-2.52.4-150400.4.143.1
* typelib-1_0-WebKit2WebExtension-4_0-2.52.4-150400.4.143.1
* libjavascriptcoregtk-6_0-1-2.52.4-150400.4.143.1
* webkit2gtk-4_1-injected-bundles-2.52.4-150400.4.143.1
* libjavascriptcoregtk-4_0-18-2.52.4-150400.4.143.1
* webkit2gtk-4_0-injected-bundles-2.52.4-150400.4.143.1
* typelib-1_0-WebKit2WebExtension-4_1-2.52.4-150400.4.143.1
* webkit2gtk3-soup2-minibrowser-debuginfo-2.52.4-150400.4.143.1
* libwebkitgtk-6_0-4-debuginfo-2.52.4-150400.4.143.1
* typelib-1_0-WebKit2-4_1-2.52.4-150400.4.143.1
* webkit2gtk-4_0-injected-bundles-debuginfo-2.52.4-150400.4.143.1
* webkit-jsc-6.0-2.52.4-150400.4.143.1
* libjavascriptcoregtk-4_1-0-2.52.4-150400.4.143.1
* libwebkit2gtk-4_0-37-debuginfo-2.52.4-150400.4.143.1
* typelib-1_0-WebKit-6_0-2.52.4-150400.4.143.1
* libwebkit2gtk-4_1-0-debuginfo-2.52.4-150400.4.143.1
* typelib-1_0-JavaScriptCore-4_0-2.52.4-150400.4.143.1
* webkit-jsc-6.0-debuginfo-2.52.4-150400.4.143.1
* webkit2gtk4-devel-2.52.4-150400.4.143.1
* webkit-jsc-4.1-2.52.4-150400.4.143.1
* webkit-jsc-4-2.52.4-150400.4.143.1
* typelib-1_0-WebKitWebProcessExtension-6_0-2.52.4-150400.4.143.1
* webkit2gtk3-devel-2.52.4-150400.4.143.1
* webkit2gtk3-soup2-debugsource-2.52.4-150400.4.143.1
* webkit2gtk4-minibrowser-2.52.4-150400.4.143.1
* webkitgtk-6_0-injected-bundles-debuginfo-2.52.4-150400.4.143.1
* webkit2gtk3-minibrowser-2.52.4-150400.4.143.1
* typelib-1_0-WebKit2-4_0-2.52.4-150400.4.143.1
* webkit2gtk4-minibrowser-debuginfo-2.52.4-150400.4.143.1
* libwebkitgtk-6_0-4-2.52.4-150400.4.143.1
* typelib-1_0-JavaScriptCore-4_1-2.52.4-150400.4.143.1
* webkit2gtk3-minibrowser-debuginfo-2.52.4-150400.4.143.1
* typelib-1_0-JavaScriptCore-6_0-2.52.4-150400.4.143.1
* libjavascriptcoregtk-4_0-18-debuginfo-2.52.4-150400.4.143.1
* webkit2gtk3-debugsource-2.52.4-150400.4.143.1
* webkit2gtk3-soup2-devel-2.52.4-150400.4.143.1
* libwebkit2gtk-4_1-0-2.52.4-150400.4.143.1
* openSUSE Leap 15.4 (x86_64)
* libjavascriptcoregtk-4_0-18-32bit-2.52.4-150400.4.143.1
* libwebkit2gtk-4_0-37-32bit-debuginfo-2.52.4-150400.4.143.1
* libjavascriptcoregtk-4_0-18-32bit-debuginfo-2.52.4-150400.4.143.1
* libwebkit2gtk-4_0-37-32bit-2.52.4-150400.4.143.1
* libjavascriptcoregtk-4_1-0-32bit-debuginfo-2.52.4-150400.4.143.1
* libjavascriptcoregtk-4_1-0-32bit-2.52.4-150400.4.143.1
* libwebkit2gtk-4_1-0-32bit-2.52.4-150400.4.143.1
* libwebkit2gtk-4_1-0-32bit-debuginfo-2.52.4-150400.4.143.1
* openSUSE Leap 15.4 (aarch64_ilp32)
* libjavascriptcoregtk-4_1-0-64bit-2.52.4-150400.4.143.1
* libjavascriptcoregtk-4_0-18-64bit-2.52.4-150400.4.143.1
* libwebkit2gtk-4_0-37-64bit-debuginfo-2.52.4-150400.4.143.1
* libjavascriptcoregtk-4_0-18-64bit-debuginfo-2.52.4-150400.4.143.1
* libwebkit2gtk-4_1-0-64bit-debuginfo-2.52.4-150400.4.143.1
* libwebkit2gtk-4_0-37-64bit-2.52.4-150400.4.143.1
* libjavascriptcoregtk-4_1-0-64bit-debuginfo-2.52.4-150400.4.143.1
* libwebkit2gtk-4_1-0-64bit-2.52.4-150400.4.143.1
* SUSE Linux Enterprise High Performance Computing ESPOS 15 SP4 (noarch)
* WebKitGTK-4.1-lang-2.52.4-150400.4.143.1
* WebKitGTK-4.0-lang-2.52.4-150400.4.143.1
* WebKitGTK-6.0-lang-2.52.4-150400.4.143.1
* SUSE Linux Enterprise High Performance Computing ESPOS 15 SP4 (aarch64
x86_64)
* libwebkit2gtk-4_0-37-2.52.4-150400.4.143.1
* webkitgtk-6_0-injected-bundles-2.52.4-150400.4.143.1
* libjavascriptcoregtk-6_0-1-debuginfo-2.52.4-150400.4.143.1
* webkit2gtk4-debugsource-2.52.4-150400.4.143.1
* webkit2gtk-4_1-injected-bundles-debuginfo-2.52.4-150400.4.143.1
* libjavascriptcoregtk-4_1-0-debuginfo-2.52.4-150400.4.143.1
* typelib-1_0-WebKit2WebExtension-4_0-2.52.4-150400.4.143.1
* libjavascriptcoregtk-6_0-1-2.52.4-150400.4.143.1
* webkit2gtk-4_1-injected-bundles-2.52.4-150400.4.143.1
* libjavascriptcoregtk-4_0-18-2.52.4-150400.4.143.1
* webkit2gtk-4_0-injected-bundles-2.52.4-150400.4.143.1
* typelib-1_0-WebKit2WebExtension-4_1-2.52.4-150400.4.143.1
* libwebkitgtk-6_0-4-debuginfo-2.52.4-150400.4.143.1
* typelib-1_0-WebKit2-4_1-2.52.4-150400.4.143.1
* webkit2gtk-4_0-injected-bundles-debuginfo-2.52.4-150400.4.143.1
* libjavascriptcoregtk-4_1-0-2.52.4-150400.4.143.1
* libwebkit2gtk-4_0-37-debuginfo-2.52.4-150400.4.143.1
* libwebkit2gtk-4_1-0-debuginfo-2.52.4-150400.4.143.1
* typelib-1_0-JavaScriptCore-4_0-2.52.4-150400.4.143.1
* webkit2gtk3-devel-2.52.4-150400.4.143.1
* webkit2gtk3-soup2-debugsource-2.52.4-150400.4.143.1
* typelib-1_0-WebKit2-4_0-2.52.4-150400.4.143.1
* libwebkitgtk-6_0-4-2.52.4-150400.4.143.1
* typelib-1_0-JavaScriptCore-4_1-2.52.4-150400.4.143.1
* libjavascriptcoregtk-4_0-18-debuginfo-2.52.4-150400.4.143.1
* webkit2gtk3-debugsource-2.52.4-150400.4.143.1
* webkit2gtk3-soup2-devel-2.52.4-150400.4.143.1
* libwebkit2gtk-4_1-0-2.52.4-150400.4.143.1
* SUSE Linux Enterprise High Performance Computing ESPOS 15 SP5 (noarch)
* WebKitGTK-4.1-lang-2.52.4-150400.4.143.1
* WebKitGTK-4.0-lang-2.52.4-150400.4.143.1
* WebKitGTK-6.0-lang-2.52.4-150400.4.143.1
* SUSE Linux Enterprise High Performance Computing ESPOS 15 SP5 (aarch64 x86_64)
* libwebkit2gtk-4_0-37-2.52.4-150400.4.143.1
* webkitgtk-6_0-injected-bundles-2.52.4-150400.4.143.1
* libjavascriptcoregtk-6_0-1-debuginfo-2.52.4-150400.4.143.1
* webkit2gtk4-debugsource-2.52.4-150400.4.143.1
* webkit2gtk-4_1-injected-bundles-debuginfo-2.52.4-150400.4.143.1
* libjavascriptcoregtk-4_1-0-debuginfo-2.52.4-150400.4.143.1
* typelib-1_0-WebKit2WebExtension-4_0-2.52.4-150400.4.143.1
* libjavascriptcoregtk-6_0-1-2.52.4-150400.4.143.1
* webkit2gtk-4_1-injected-bundles-2.52.4-150400.4.143.1
* libjavascriptcoregtk-4_0-18-2.52.4-150400.4.143.1
* webkit2gtk-4_0-injected-bundles-2.52.4-150400.4.143.1
* typelib-1_0-WebKit2WebExtension-4_1-2.52.4-150400.4.143.1
* libwebkitgtk-6_0-4-debuginfo-2.52.4-150400.4.143.1
* typelib-1_0-WebKit2-4_1-2.52.4-150400.4.143.1
* webkit2gtk-4_0-injected-bundles-debuginfo-2.52.4-150400.4.143.1
* libjavascriptcoregtk-4_1-0-2.52.4-150400.4.143.1
* libwebkit2gtk-4_0-37-debuginfo-2.52.4-150400.4.143.1
* libwebkit2gtk-4_1-0-debuginfo-2.52.4-150400.4.143.1
* typelib-1_0-JavaScriptCore-4_0-2.52.4-150400.4.143.1
* webkit2gtk3-devel-2.52.4-150400.4.143.1
* webkit2gtk3-soup2-debugsource-2.52.4-150400.4.143.1
* typelib-1_0-WebKit2-4_0-2.52.4-150400.4.143.1
* libwebkitgtk-6_0-4-2.52.4-150400.4.143.1
* typelib-1_0-JavaScriptCore-4_1-2.52.4-150400.4.143.1
* libjavascriptcoregtk-4_0-18-debuginfo-2.52.4-150400.4.143.1
* webkit2gtk3-debugsource-2.52.4-150400.4.143.1
* webkit2gtk3-soup2-devel-2.52.4-150400.4.143.1
* libwebkit2gtk-4_1-0-2.52.4-150400.4.143.1
* SUSE Linux Enterprise Server 15 SP4 LTSS (noarch)
* WebKitGTK-4.1-lang-2.52.4-150400.4.143.1
* WebKitGTK-4.0-lang-2.52.4-150400.4.143.1
* WebKitGTK-6.0-lang-2.52.4-150400.4.143.1
* SUSE Linux Enterprise Server 15 SP4 LTSS (ppc64le s390x x86_64)
* libwebkit2gtk-4_0-37-2.52.4-150400.4.143.1
* webkitgtk-6_0-injected-bundles-2.52.4-150400.4.143.1
* libjavascriptcoregtk-6_0-1-debuginfo-2.52.4-150400.4.143.1
* webkit2gtk4-debugsource-2.52.4-150400.4.143.1
* webkit2gtk-4_1-injected-bundles-debuginfo-2.52.4-150400.4.143.1
* libjavascriptcoregtk-4_1-0-debuginfo-2.52.4-150400.4.143.1
* typelib-1_0-WebKit2WebExtension-4_0-2.52.4-150400.4.143.1
* libjavascriptcoregtk-6_0-1-2.52.4-150400.4.143.1
* webkit2gtk-4_1-injected-bundles-2.52.4-150400.4.143.1
* libjavascriptcoregtk-4_0-18-2.52.4-150400.4.143.1
* webkit2gtk-4_0-injected-bundles-2.52.4-150400.4.143.1
* typelib-1_0-WebKit2WebExtension-4_1-2.52.4-150400.4.143.1
* libwebkitgtk-6_0-4-debuginfo-2.52.4-150400.4.143.1
* typelib-1_0-WebKit2-4_1-2.52.4-150400.4.143.1
* webkit2gtk-4_0-injected-bundles-debuginfo-2.52.4-150400.4.143.1
* libjavascriptcoregtk-4_1-0-2.52.4-150400.4.143.1
* libwebkit2gtk-4_0-37-debuginfo-2.52.4-150400.4.143.1
* libwebkit2gtk-4_1-0-debuginfo-2.52.4-150400.4.143.1
* typelib-1_0-JavaScriptCore-4_0-2.52.4-150400.4.143.1
* webkit2gtk3-devel-2.52.4-150400.4.143.1
* webkit2gtk3-soup2-debugsource-2.52.4-150400.4.143.1
* typelib-1_0-WebKit2-4_0-2.52.4-150400.4.143.1
* libwebkitgtk-6_0-4-2.52.4-150400.4.143.1
* typelib-1_0-JavaScriptCore-4_1-2.52.4-150400.4.143.1
* libjavascriptcoregtk-4_0-18-debuginfo-2.52.4-150400.4.143.1
* webkit2gtk3-debugsource-2.52.4-150400.4.143.1
* webkit2gtk3-soup2-devel-2.52.4-150400.4.143.1
* libwebkit2gtk-4_1-0-2.52.4-150400.4.143.1
* SUSE Linux Enterprise Server 15 SP5 LTSS (noarch)
* WebKitGTK-4.1-lang-2.52.4-150400.4.143.1
* WebKitGTK-4.0-lang-2.52.4-150400.4.143.1
* WebKitGTK-6.0-lang-2.52.4-150400.4.143.1
* SUSE Linux Enterprise Server 15 SP5 LTSS (aarch64 s390x)
* libwebkit2gtk-4_0-37-2.52.4-150400.4.143.1
* webkitgtk-6_0-injected-bundles-2.52.4-150400.4.143.1
* libjavascriptcoregtk-6_0-1-debuginfo-2.52.4-150400.4.143.1
* webkit2gtk4-debugsource-2.52.4-150400.4.143.1
* webkit2gtk-4_1-injected-bundles-debuginfo-2.52.4-150400.4.143.1
* libjavascriptcoregtk-4_1-0-debuginfo-2.52.4-150400.4.143.1
* typelib-1_0-WebKit2WebExtension-4_0-2.52.4-150400.4.143.1
* libjavascriptcoregtk-6_0-1-2.52.4-150400.4.143.1
* webkit2gtk-4_1-injected-bundles-2.52.4-150400.4.143.1
* libjavascriptcoregtk-4_0-18-2.52.4-150400.4.143.1
* webkit2gtk-4_0-injected-bundles-2.52.4-150400.4.143.1
* typelib-1_0-WebKit2WebExtension-4_1-2.52.4-150400.4.143.1
* libwebkitgtk-6_0-4-debuginfo-2.52.4-150400.4.143.1
* typelib-1_0-WebKit2-4_1-2.52.4-150400.4.143.1
* webkit2gtk-4_0-injected-bundles-debuginfo-2.52.4-150400.4.143.1
* libjavascriptcoregtk-4_1-0-2.52.4-150400.4.143.1
* libwebkit2gtk-4_0-37-debuginfo-2.52.4-150400.4.143.1
* libwebkit2gtk-4_1-0-debuginfo-2.52.4-150400.4.143.1
* typelib-1_0-JavaScriptCore-4_0-2.52.4-150400.4.143.1
* webkit2gtk3-devel-2.52.4-150400.4.143.1
* webkit2gtk3-soup2-debugsource-2.52.4-150400.4.143.1
* typelib-1_0-WebKit2-4_0-2.52.4-150400.4.143.1
* libwebkitgtk-6_0-4-2.52.4-150400.4.143.1
* typelib-1_0-JavaScriptCore-4_1-2.52.4-150400.4.143.1
* libjavascriptcoregtk-4_0-18-debuginfo-2.52.4-150400.4.143.1
* webkit2gtk3-debugsource-2.52.4-150400.4.143.1
* webkit2gtk3-soup2-devel-2.52.4-150400.4.143.1
* libwebkit2gtk-4_1-0-2.52.4-150400.4.143.1
* SUSE Linux Enterprise Server for SAP Applications 15 SP5 (noarch)
* WebKitGTK-4.1-lang-2.52.4-150400.4.143.1
* WebKitGTK-4.0-lang-2.52.4-150400.4.143.1
* WebKitGTK-6.0-lang-2.52.4-150400.4.143.1
* SUSE Linux Enterprise Server for SAP Applications 15 SP5 (ppc64le)
* libwebkit2gtk-4_0-37-2.52.4-150400.4.143.1
* webkitgtk-6_0-injected-bundles-2.52.4-150400.4.143.1
* libjavascriptcoregtk-6_0-1-debuginfo-2.52.4-150400.4.143.1
* webkit2gtk4-debugsource-2.52.4-150400.4.143.1
* webkit2gtk-4_1-injected-bundles-debuginfo-2.52.4-150400.4.143.1
* libjavascriptcoregtk-4_1-0-debuginfo-2.52.4-150400.4.143.1
* typelib-1_0-WebKit2WebExtension-4_0-2.52.4-150400.4.143.1
* libjavascriptcoregtk-6_0-1-2.52.4-150400.4.143.1
* webkit2gtk-4_1-injected-bundles-2.52.4-150400.4.143.1
* libjavascriptcoregtk-4_0-18-2.52.4-150400.4.143.1
* webkit2gtk-4_0-injected-bundles-2.52.4-150400.4.143.1
* typelib-1_0-WebKit2WebExtension-4_1-2.52.4-150400.4.143.1
* libwebkitgtk-6_0-4-debuginfo-2.52.4-150400.4.143.1
* typelib-1_0-WebKit2-4_1-2.52.4-150400.4.143.1
* webkit2gtk-4_0-injected-bundles-debuginfo-2.52.4-150400.4.143.1
* libjavascriptcoregtk-4_1-0-2.52.4-150400.4.143.1
* libwebkit2gtk-4_0-37-debuginfo-2.52.4-150400.4.143.1
* libwebkit2gtk-4_1-0-debuginfo-2.52.4-150400.4.143.1
* typelib-1_0-JavaScriptCore-4_0-2.52.4-150400.4.143.1
* webkit2gtk3-devel-2.52.4-150400.4.143.1
* webkit2gtk3-soup2-debugsource-2.52.4-150400.4.143.1
* typelib-1_0-WebKit2-4_0-2.52.4-150400.4.143.1
* libwebkitgtk-6_0-4-2.52.4-150400.4.143.1
* typelib-1_0-JavaScriptCore-4_1-2.52.4-150400.4.143.1
* libjavascriptcoregtk-4_0-18-debuginfo-2.52.4-150400.4.143.1
* webkit2gtk3-debugsource-2.52.4-150400.4.143.1
* webkit2gtk3-soup2-devel-2.52.4-150400.4.143.1
* libwebkit2gtk-4_1-0-2.52.4-150400.4.143.1
## References:
* https://www.suse.com/security/cve/CVE-2026-28847.html
* https://www.suse.com/security/cve/CVE-2026-28883.html
* https://www.suse.com/security/cve/CVE-2026-28901.html
* https://www.suse.com/security/cve/CVE-2026-28902.html
* https://www.suse.com/security/cve/CVE-2026-28903.html
* https://www.suse.com/security/cve/CVE-2026-28904.html
* https://www.suse.com/security/cve/CVE-2026-28905.html
* https://www.suse.com/security/cve/CVE-2026-28907.html
* https://www.suse.com/security/cve/CVE-2026-28942.html
* https://www.suse.com/security/cve/CVE-2026-28946.html
* https://www.suse.com/security/cve/CVE-2026-28947.html
* https://www.suse.com/security/cve/CVE-2026-28953.html
* https://www.suse.com/security/cve/CVE-2026-28955.html
* https://www.suse.com/security/cve/CVE-2026-28958.html
* https://www.suse.com/security/cve/CVE-2026-43658.html
* https://www.suse.com/security/cve/CVE-2026-43660.html
* https://bugzilla.suse.com/show_bug.cgi?id=1267506
* https://bugzilla.suse.com/show_bug.cgi?id=1267507
* https://bugzilla.suse.com/show_bug.cgi?id=1267508
* https://bugzilla.suse.com/show_bug.cgi?id=1267509
* https://bugzilla.suse.com/show_bug.cgi?id=1267510
* https://bugzilla.suse.com/show_bug.cgi?id=1267511
* https://bugzilla.suse.com/show_bug.cgi?id=1267512
* https://bugzilla.suse.com/show_bug.cgi?id=1267513
* https://bugzilla.suse.com/show_bug.cgi?id=1267514
* https://bugzilla.suse.com/show_bug.cgi?id=1267515
* https://bugzilla.suse.com/show_bug.cgi?id=1267516
* https://bugzilla.suse.com/show_bug.cgi?id=1267517
* https://bugzilla.suse.com/show_bug.cgi?id=1267518
* https://bugzilla.suse.com/show_bug.cgi?id=1267519
* https://bugzilla.suse.com/show_bug.cgi?id=1267520
* https://bugzilla.suse.com/show_bug.cgi?id=1267521
openSUSE-SU-2025:0270-1: moderate: Security update for xtrabackup
openSUSE Security Update: Security update for xtrabackup
_______________________________
Announcement ID: openSUSE-SU-2025:0270-1
Rating: moderate
References: #1244333 #1244383 #1244389
Cross-References: CVE-2025-5914 CVE-2025-5916 CVE-2025-5917
CVSS scores:
CVE-2025-5914 (SUSE): 7.3 CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
CVE-2025-5916 (SUSE): 4.6 CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N
CVE-2025-5917 (SUSE): 2.4 CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:A/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
Affected Products:
openSUSE Backports SLE-15-SP7
_______________________________
An update that fixes three vulnerabilities is now available.
Description:
This update for xtrabackup fixes the following issues:
- CVE-2025-5916: Prevented signed integer overflow while reading warcfile
(boo#1244383).
- CVE-2025-5917: Fixed overflow in build_ustar_entry_name() (boo#1244333).
- CVE-2025-5914: Fixed double free due to an integer overflow
(boo#1244389).
Patch Instructions:
To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
- openSUSE Backports SLE-15-SP7:
zypper in -t patch openSUSE-2025-270=1
Package List:
- openSUSE Backports SLE-15-SP7 (aarch64 i586 ppc64le s390x x86_64):
xtrabackup-2.4.26-bp157.2.3.1
xtrabackup-test-2.4.26-bp157.2.3.1
References:
https://www.suse.com/security/cve/CVE-2025-5914.html
https://www.suse.com/security/cve/CVE-2025-5916.html
https://www.suse.com/security/cve/CVE-2025-5917.html
https://bugzilla.suse.com/1244333
https://bugzilla.suse.com/1244383
https://bugzilla.suse.com/1244389
openSUSE-SU-2026:10984-1: moderate: libzypp-17.38.13-1.1 on GA media
# libzypp-17.38.13-1.1 on GA media
Announcement ID: openSUSE-SU-2026:10984-1
Rating: moderate
Cross-References:
* CVE-2026-44941
* CVE-2026-44942
CVSS scores:
* CVE-2026-44941 ( SUSE ): 7.2 CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
* CVE-2026-44941 ( SUSE ): 7.5 CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
* CVE-2026-44942 ( SUSE ): 6.5 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
* CVE-2026-44942 ( SUSE ): 6 CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
Affected Products:
* openSUSE Tumbleweed
An update that solves 2 vulnerabilities can now be installed.
## Description:
These are all security issues fixed in the libzypp-17.38.13-1.1 package on the GA media of openSUSE Tumbleweed.
## Package List:
* openSUSE Tumbleweed:
* libzypp 17.38.13-1.1
* libzypp-devel 17.38.13-1.1
* libzypp-devel-doc 17.38.13-1.1
## References:
* https://www.suse.com/security/cve/CVE-2026-44941.html
* https://www.suse.com/security/cve/CVE-2026-44942.html
openSUSE-SU-2026:10989-1: moderate: python311-Django4-4.2.30-3.1 on GA media
# python311-Django4-4.2.30-3.1 on GA media
Announcement ID: openSUSE-SU-2026:10989-1
Rating: moderate
Cross-References:
* CVE-2026-35193
* CVE-2026-48587
* CVE-2026-6873
* CVE-2026-7666
* CVE-2026-8404
CVSS scores:
* CVE-2026-35193 ( SUSE ): 5.9 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
* CVE-2026-35193 ( SUSE ): 8.2 CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
* CVE-2026-48587 ( SUSE ): 5.9 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
* CVE-2026-48587 ( SUSE ): 8.2 CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
* CVE-2026-6873 ( SUSE ): 4.8 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
* CVE-2026-6873 ( SUSE ): 6.3 CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
* CVE-2026-7666 ( SUSE ): 7.4 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
* CVE-2026-7666 ( SUSE ): 9.1 CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
* CVE-2026-8404 ( SUSE ): 5.9 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
* CVE-2026-8404 ( SUSE ): 8.2 CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
Affected Products:
* openSUSE Tumbleweed
An update that solves 5 vulnerabilities can now be installed.
## Description:
These are all security issues fixed in the python311-Django4-4.2.30-3.1 package on the GA media of openSUSE Tumbleweed.
## Package List:
* openSUSE Tumbleweed:
* python311-Django4 4.2.30-3.1
* python313-Django4 4.2.30-3.1
* python314-Django4 4.2.30-3.1
## References:
* https://www.suse.com/security/cve/CVE-2026-35193.html
* https://www.suse.com/security/cve/CVE-2026-48587.html
* https://www.suse.com/security/cve/CVE-2026-6873.html
* https://www.suse.com/security/cve/CVE-2026-7666.html
* https://www.suse.com/security/cve/CVE-2026-8404.html
openSUSE-SU-2026:10986-1: moderate: perl-DBI-1.648.0-1.1 on GA media
# perl-DBI-1.648.0-1.1 on GA media
Announcement ID: openSUSE-SU-2026:10986-1
Rating: moderate
Cross-References:
* CVE-2026-10879
* CVE-2026-9698
CVSS scores:
* CVE-2026-10879 ( SUSE ): 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
* CVE-2026-10879 ( SUSE ): 6.8 CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
* CVE-2026-9698 ( SUSE ): 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Affected Products:
* openSUSE Tumbleweed
An update that solves 2 vulnerabilities can now be installed.
## Description:
These are all security issues fixed in the perl-DBI-1.648.0-1.1 package on the GA media of openSUSE Tumbleweed.
## Package List:
* openSUSE Tumbleweed:
* perl-DBI 1.648.0-1.1
## References:
* https://www.suse.com/security/cve/CVE-2026-10879.html
* https://www.suse.com/security/cve/CVE-2026-9698.html
openSUSE-SU-2026:10985-1: moderate: libIex-3_4-33-3.4.12-1.1 on GA media
# libIex-3_4-33-3.4.12-1.1 on GA media
Announcement ID: openSUSE-SU-2026:10985-1
Rating: moderate
Cross-References:
* CVE-2026-44663
* CVE-2026-45696
Affected Products:
* openSUSE Tumbleweed
An update that solves 2 vulnerabilities can now be installed.
## Description:
These are all security issues fixed in the libIex-3_4-33-3.4.12-1.1 package on the GA media of openSUSE Tumbleweed.
## Package List:
* openSUSE Tumbleweed:
* libIex-3_4-33 3.4.12-1.1
* libIex-3_4-33-32bit 3.4.12-1.1
* libIex-3_4-33-x86-64-v3 3.4.12-1.1
* libIlmThread-3_4-33 3.4.12-1.1
* libIlmThread-3_4-33-32bit 3.4.12-1.1
* libIlmThread-3_4-33-x86-64-v3 3.4.12-1.1
* libOpenEXR-3_4-33 3.4.12-1.1
* libOpenEXR-3_4-33-32bit 3.4.12-1.1
* libOpenEXR-3_4-33-x86-64-v3 3.4.12-1.1
* libOpenEXRCore-3_4-33 3.4.12-1.1
* libOpenEXRCore-3_4-33-32bit 3.4.12-1.1
* libOpenEXRCore-3_4-33-x86-64-v3 3.4.12-1.1
* libOpenEXRUtil-3_4-33 3.4.12-1.1
* libOpenEXRUtil-3_4-33-32bit 3.4.12-1.1
* libOpenEXRUtil-3_4-33-x86-64-v3 3.4.12-1.1
* openexr 3.4.12-1.1
* openexr-devel 3.4.12-1.1
* openexr-doc 3.4.12-1.1
## References:
* https://www.suse.com/security/cve/CVE-2026-44663.html
* https://www.suse.com/security/cve/CVE-2026-45696.html
openSUSE-SU-2026:10983-1: moderate: gdk-pixbuf-loader-libheif-1.23.0-2.1 on GA media
# gdk-pixbuf-loader-libheif-1.23.0-2.1 on GA media
Announcement ID: openSUSE-SU-2026:10983-1
Rating: moderate
Cross-References:
* CVE-2026-49271
* CVE-2026-50142
CVSS scores:
* CVE-2026-49271 ( SUSE ): 5.5 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
* CVE-2026-49271 ( SUSE ): 6.7 CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
* CVE-2026-50142 ( SUSE ): 6.2 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
* CVE-2026-50142 ( SUSE ): 6.9 CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
Affected Products:
* openSUSE Tumbleweed
An update that solves 2 vulnerabilities can now be installed.
## Description:
These are all security issues fixed in the gdk-pixbuf-loader-libheif-1.23.0-2.1 package on the GA media of openSUSE Tumbleweed.
## Package List:
* openSUSE Tumbleweed:
* gdk-pixbuf-loader-libheif 1.23.0-2.1
* libheif-aom 1.23.0-2.1
* libheif-dav1d 1.23.0-2.1
* libheif-devel 1.23.0-2.1
* libheif-ffmpeg 1.23.0-2.1
* libheif-jpeg 1.23.0-2.1
* libheif-openh264 1.23.0-2.1
* libheif-openjpeg 1.23.0-2.1
* libheif-rav1e 1.23.0-2.1
* libheif-svtenc 1.23.0-2.1
* libheif1 1.23.0-2.1
* libheif1-32bit 1.23.0-2.1
## References:
* https://www.suse.com/security/cve/CVE-2026-49271.html
* https://www.suse.com/security/cve/CVE-2026-50142.html
openSUSE-SU-2026:10987-1: moderate: perl-Git-Repository-1.326.0-1.1 on GA media
# perl-Git-Repository-1.326.0-1.1 on GA media
Announcement ID: openSUSE-SU-2026:10987-1
Rating: moderate
Cross-References:
* CVE-2022-39253
CVSS scores:
* CVE-2022-39253 ( SUSE ): 4.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
Affected Products:
* openSUSE Tumbleweed
An update that solves one vulnerability can now be installed.
## Description:
These are all security issues fixed in the perl-Git-Repository-1.326.0-1.1 package on the GA media of openSUSE Tumbleweed.
## Package List:
* openSUSE Tumbleweed:
* perl-Git-Repository 1.326.0-1.1
## References:
* https://www.suse.com/security/cve/CVE-2022-39253.html
openSUSE-SU-2026:10988-1: moderate: perl-Protocol-HTTP2-1.130.0-1.1 on GA media
# perl-Protocol-HTTP2-1.130.0-1.1 on GA media
Announcement ID: openSUSE-SU-2026:10988-1
Rating: moderate
Cross-References:
* CVE-2026-10725
CVSS scores:
* CVE-2026-10725 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Affected Products:
* openSUSE Tumbleweed
An update that solves one vulnerability can now be installed.
## Description:
These are all security issues fixed in the perl-Protocol-HTTP2-1.130.0-1.1 package on the GA media of openSUSE Tumbleweed.
## Package List:
* openSUSE Tumbleweed:
* perl-Protocol-HTTP2 1.130.0-1.1
## References:
* https://www.suse.com/security/cve/CVE-2026-10725.html
openSUSE-SU-2026:10982-1: moderate: graphite2-1.3.15-1.1 on GA media
# graphite2-1.3.15-1.1 on GA media
Announcement ID: openSUSE-SU-2026:10982-1
Rating: moderate
Cross-References:
* CVE-2026-50593
CVSS scores:
* CVE-2026-50593 ( SUSE ): 7.1 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H
* CVE-2026-50593 ( SUSE ): 4.6 CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N
Affected Products:
* openSUSE Tumbleweed
An update that solves one vulnerability can now be installed.
## Description:
These are all security issues fixed in the graphite2-1.3.15-1.1 package on the GA media of openSUSE Tumbleweed.
## Package List:
* openSUSE Tumbleweed:
* graphite2 1.3.15-1.1
* graphite2-devel 1.3.15-1.1
* libgraphite2-3 1.3.15-1.1
* libgraphite2-3-32bit 1.3.15-1.1
## References:
* https://www.suse.com/security/cve/CVE-2026-50593.html
openSUSE-SU-2026:10981-1: moderate: grafana-11.6.14+security04-2.1 on GA media
# grafana-11.6.14+security04-2.1 on GA media
Announcement ID: openSUSE-SU-2026:10981-1
Rating: moderate
Cross-References:
* CVE-2026-39821
CVSS scores:
* CVE-2026-39821 ( SUSE ): 7.4 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
* CVE-2026-39821 ( SUSE ): 9.1 CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
Affected Products:
* openSUSE Tumbleweed
An update that solves one vulnerability can now be installed.
## Description:
These are all security issues fixed in the grafana-11.6.14+security04-2.1 package on the GA media of openSUSE Tumbleweed.
## Package List:
* openSUSE Tumbleweed:
* grafana 11.6.14+security04-2.1
## References:
* https://www.suse.com/security/cve/CVE-2026-39821.html
openSUSE-SU-2026:10980-1: moderate: flannel-0.28.5-1.1 on GA media
# flannel-0.28.5-1.1 on GA media
Announcement ID: openSUSE-SU-2026:10980-1
Rating: moderate
Cross-References:
* CVE-2026-44283
CVSS scores:
* CVE-2026-44283 ( SUSE ): 6.5 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
* CVE-2026-44283 ( SUSE ): 7.1 CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
Affected Products:
* openSUSE Tumbleweed
An update that solves one vulnerability can now be installed.
## Description:
These are all security issues fixed in the flannel-0.28.5-1.1 package on the GA media of openSUSE Tumbleweed.
## Package List:
* openSUSE Tumbleweed:
* flannel 0.28.5-1.1
* flannel-k8s-yaml 0.28.5-1.1
## References:
* https://www.suse.com/security/cve/CVE-2026-44283.html
SUSE-SU-2026:2365-1: moderate: Security update for cosign
# Security update for cosign
Announcement ID: SUSE-SU-2026:2365-1
Release Date: 2026-06-11T07:58:20Z
Rating: moderate
References:
* bsc#1261859
Cross-References:
* CVE-2026-39395
CVSS scores:
* CVE-2026-39395 ( SUSE ): 6.9 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N
* CVE-2026-39395 ( SUSE ): 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
* CVE-2026-39395 ( NVD ): 4.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
* CVE-2026-39395 ( NVD ): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Affected Products:
* Basesystem Module 15-SP7
* openSUSE Leap 15.4
* SUSE Linux Enterprise Desktop 15 SP7
* SUSE Linux Enterprise Real Time 15 SP7
* SUSE Linux Enterprise Server 15 SP7
* SUSE Linux Enterprise Server for SAP Applications 15 SP7
An update that solves one vulnerability can now be installed.
## Description:
This update for cosign fixes the following issue:
* CVE-2026-39395: Incorrect attestation verification due to malformed payloads
or mismatched predicate types (bsc#1261859).
Changes for cosign:
* update to 3.0.6:
* Fix DSSE predicate check (GHSA-w6c6-c85g-mmv6) (#4801)
* Handle whitespace-only certificate annotation (#4760)
* fix(sign): closing SignerVerifier too early when signing with a security key
(#4761)
* Disallow --new-bundle-format and --rfc3161-timestamp (#4762)
* support managed keys in conformance testing (#4728)
* Add support for GCE metadata server env var (#4732)
* fix: preserve per-layer annotations in WriteAttestationsReferrer (#4709)
* Fix parsing of in-toto for string predicates
* Mark batch of flags for deprecation (#4698)
* disallow key and cert identity being used together during verification
(#4636)
* support key creation in GitLab group (#4704)
* Set CGO_ENABLED=1 for fixing s390x failed build
* build against a maintained golang version (upstream uses go1.20)
## Patch Instructions:
To install this SUSE update use the SUSE recommended installation methods like
YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
* openSUSE Leap 15.4
zypper in -t patch SUSE-2026-2365=1
* Basesystem Module 15-SP7
zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP7-2026-2365=1
## Package List:
* openSUSE Leap 15.4 (aarch64 ppc64le s390x x86_64 i586)
* cosign-3.0.6-150400.3.42.1
* cosign-debuginfo-3.0.6-150400.3.42.1
* openSUSE Leap 15.4 (noarch)
* cosign-bash-completion-3.0.6-150400.3.42.1
* cosign-zsh-completion-3.0.6-150400.3.42.1
* cosign-fish-completion-3.0.6-150400.3.42.1
* Basesystem Module 15-SP7 (aarch64 ppc64le s390x x86_64)
* cosign-3.0.6-150400.3.42.1
* cosign-debuginfo-3.0.6-150400.3.42.1
* Basesystem Module 15-SP7 (noarch)
* cosign-bash-completion-3.0.6-150400.3.42.1
* cosign-zsh-completion-3.0.6-150400.3.42.1
## References:
* https://www.suse.com/security/cve/CVE-2026-39395.html
* https://bugzilla.suse.com/show_bug.cgi?id=1261859
openSUSE-SU-2026:0200-1: important: Security update for NetworkManager-libreswan
openSUSE Security Update: Security update for NetworkManager-libreswan
_______________________________
Announcement ID: openSUSE-SU-2026:0200-1
Rating: important
References: #1232040
Cross-References: CVE-2024-9050
Affected Products:
openSUSE Backports SLE-15-SP7
_______________________________
An update that fixes one vulnerability is now available.
Description:
This update for NetworkManager-libreswan fixes the following issues:
- Update to version 1.2.24 (boo#1232040):
+ Fixed formatting of ipsec.conf snippet. This is a security issue with
severity of "Important." (CVE-2024-9050).
+ Added support for "require-id-on-certificate" setting.
+ Updated translations.
- Changes from version 1.2.22:
+ Add IPv6 support.
- Changes from version 1.2.20:
+ Support setting "leftmodecfgclient" to "no"
+ Support for the "type", "hostaddrfamily" and "clientaddrfamily",
"leftsubnet" and "rightcert" parameters.
- Changes from version 1.2.18:
+ Drop libnm-glib compatibility (NetworkManager < 1.0).
+ Add support for the "authby", "dpdaction", "dpddelay", "dpdtimeout",
"ipsec-interface" parameters.
Patch Instructions:
To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
- openSUSE Backports SLE-15-SP7:
zypper in -t patch openSUSE-2026-200=1
Package List:
- openSUSE Backports SLE-15-SP7 (aarch64 i586 ppc64le s390x x86_64):
NetworkManager-libreswan-1.2.24-bp157.3.3.1
NetworkManager-libreswan-gnome-1.2.24-bp157.3.3.1
- openSUSE Backports SLE-15-SP7 (noarch):
NetworkManager-libreswan-lang-1.2.24-bp157.3.3.1
References:
https://www.suse.com/security/cve/CVE-2024-9050.html
https://bugzilla.suse.com/1232040
openSUSE-SU-2026:0198-1: critical: Security update for kanidm
openSUSE Security Update: Security update for kanidm
_______________________________
Announcement ID: openSUSE-SU-2026:0198-1
Rating: critical
References:
Affected Products:
openSUSE Backports SLE-15-SP6
_______________________________
An update that contains security fixes can now be installed.
Description:
This update for kanidm fixes the following issues:
- Update to version 1.10.2~git0.f3dc9ef1f:
* Release 1.10.2
* Security - CRITICAL - authenticated user privilege escalation
* Refactor modification access paths to remove duplication
* Revert ClientID header (#4334)
* Disable prompt=login (#4340)
* Add missing `/sbin/kanidm-mail-sender` (#4323)
* Remove debug symbols in release builds. (#4319)
- Update to version 1.10.1~git0.d02660a98:
* Release 1.10.1
* Fix copy in TOTP removal prompt and align TOTP case (#4314)
* Resolve base64 encoding of webauthn fields (#4312)
- Update to version 1.10.0-pre~git1.32e2f8ec6:
* Release 1.10.0
* Release 1.10.0-pre
* Release notes (#4304)
* Update ldap3/webauthn-rs (#4302)
* Merge commit from fork
* Merge commit from fork
* Merge commit from fork
* Merge commit from fork
* Add notes on server migration (#4301)
* 20260517 sparkle (#4280)
* Bump mozilla-actions/sccache-action in the all group (#4298)
* Bump the all group with 6 updates (#4299)
* Bump the all group across 1 directory with 3 updates (#4283)
* 20260331 send account recovery emails (#4259)
* Update oauth2 well known urls (#4296)
* Clippy for Rust 1.95 (#4291)
* Invert incorrect thread count logic (#4294)
* Allow modification of OAuth2 Refresh Expiry (#4276)
* 20260327 Introspection token auth metadata (#4230)
* fix: add missing kanidm-mail-sender binary (#4279)
* Correctly handle deleted accounts during page visits (#4275)
* don't fail auth when passed ui_locales (#4288)
* Bump actions/upload-pages-artifact from 4 to 5 in the all group (#4284)
* Fix link formatting in oauth2.rs documentation (#4278)
* Feat: Add OIDC Prompt Support (#4224)
* Handle multivalue URLs in SCIM (#4271)
* Correctly encode ssh tag values (#4272)
* Bump the all group with 2 updates (#4263)
* Bump the all group in /rlm_python with 4 updates (#4262)
* Bump the all group with 8 updates (#4264)
* Update deployment.md with configuration notes (#4258)
* Add .well-known/passkey-endpoints (#4255)
* show repl cert metadata and also handle socket timeouts (#4252)
* Update docs regarding replication cert lifetime (#4251)
* Log cleanup (#4248)
* adding timeouts and tests and port docs for mail_sender (#4246)
* Bump the all group with 5 updates (#4247)
* add dependency data to released containers (#4239)
* Fix to end code block and render remaining md correctly (#4241)
* Update readme.md for replication (#4236)
* Added note on primary email address and email aliases (#4237)
* Bump the all group with 6 updates (#4235)
* Bump the all group with 2 updates (#4234)
* Bump the uv group across 1 directory with 2 updates (#4231)
* cli: allow clearing person's legalname attribute (#4228)
* Add shell diagnostics (#4220)
* OpenSSL shall be vanquished (#4219)
* Bump the all group across 1 directory with 16 updates (#4225)
* Bump rustls-webpki from 0.103.9 to 0.103.10 (#4223)
* Bump flatted (#4222)
* Tabular data is tabular (#4221)
* Example sshd-config fragment, deployment de-activated on Debian (#4214)
* Update RELEASE_NOTES.md (#4215)
* fix(debian): Use correct bin path for kanidmd reload (#4212)
* Allow urlencoded client_id in basic auth (#4141)
* add nsswitch config check to unixd (#4210)
* 20260311 zxcvbn check (#4206)
* Enhance Traefik documentation (#4194)
* Re-add incorrectly removed utopia feature flag (#4207)
* Update ldap3 to 0.7.0 to resolve config filter issue (#4205)
* Added PasswordChangedTime attribute and database field (#3999)
* Defer on some routes (#4202)
* Remove thread local storage (#4204)
* Improve FreeBSD building, fully drop ring as a dependency.
* 20260218 credential reset emails (authenticated only) (#4151)
* android support for cli (#4197)
* Bump the all group with 4 updates (#4198)
* Bump the all group with 7 updates (#4199)
* feat: bind mount home strategy (#3997)
* Bump the all group with 2 updates (#4183)
* Bump the all group with 8 updates (#4184)
* Bump minimatch (#4180)
* Disable multithreading on RADIUS when DEBUG is False. (#4177)
* Don't revert admin changes in some groups during migration (#4176)
* Fix bug where DEBUG is always true in RADIUS entrypoint. (#4169)
* 20260220 prevent migration accidents (#4156)
* Bump the all group across 1 directory with 20 updates (#4163)
* Move the grafana group creation step (#4160)
* Alert on unsaved changes (#4155)
* pykanidm v1.3.0 - major rewrite to use openapi-generated codebase
based on 1.9.0 spec (#4149)
* Warn about systemd-userdb (#4147)
* Dont require basic auth on token introspection (#4142)
* Dont be as upset when migration dir doesnt exist (#4146)
* Add AGENTS.md instructions (#4148)
* Feature OIDC updated at (#4007)
* pykanidm: clarify token use with service accounts (#4043)
* Fixed small typo in how_does_oauth2_work.md (#4138)
* Bye bye lazy static (#4134)
* Allow LDAP CA verification to be disabled in sync (#4133)
* Add oauth2 example, fix inter-migration reference handling (#4136)
* Add missing future migration in domain check (#4132)
* Corrected recycle_bin.md typo (#4135)
* 20260211 dev version (#4131)
- Update to version 1.9.3~git0.7d4108698:
* Release 1.9.3
* Security - High: SCIM Filters did not contain a bound on their parsing
depth allowing stack exhaustion to occur leading to Denial of Service
by an unauthenticated user
* Security - Moderate: PNG Image validation did not correctly handle
short images allowing a panic to occur in a worker thread. This may
lead to system instability over time
* Security - Low: HTML injection via user DisplayName in Passkey
enrolment dialogs. This allows an admin to execute JS in the context
of a user's browser. Since the admin already can reset the user's
credentials, the impact of this is minimal.
* Security - Low: non-constant time comparison of OAuth2 client secret
may allow a remote attacker to remotely recover the bytes of the
secret. Due to the length of the secret (48 chars) this is infeasible
practically.
* Security - Low: incorrect handling of origin validation in Webauthn-RS
allowed a malicious domain to collide with a valid one (badexample.com
would match with example.com). This is mitigated by browsers detecting
the forgery and preventing the authentication from proceeding.
* Security - High: LDAP Filters did not contain a bound on their parsing
depth allowing stack exhaustion to occur leading to Denial of Service
by an unauthenticated user.
* Update two vulnerable dependencies
* Release 1.9.2
* Allow urlencoded client_id in basic auth (#4141)
* Update ldap3 to 0.7.0 to resolve config filter issue (#4205)
* Remove thread local storage (#4204)
- Update to version 1.9.2~git6.896acba35:
* Release 1.9.3
* Merge commit from fork
* Merge commit from fork
* Merge commit from fork
* Merge commit from fork
* Update two vulnerable dependencies
- Update to version 1.9.2~git0.6a2bb66bd:
* Release 1.9.2
* Allow urlencoded client_id in basic auth (#4141)
* Update ldap3 to 0.7.0 to resolve config filter issue (#4205)
* Remove thread local storage (#4204)
* Disable multithreading on RADIUS when DEBUG is False. (#4177)
* Fix bug where DEBUG is always true in RADIUS entrypoint. (#4169)
Patch Instructions:
To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
- openSUSE Backports SLE-15-SP6:
zypper in -t patch openSUSE-2026-198=1
Package List:
- openSUSE Backports SLE-15-SP6 (aarch64 x86_64):
kanidm-1.10.2~git0.f3dc9ef1f-bp156.64.1
kanidm-clients-1.10.2~git0.f3dc9ef1f-bp156.64.1
kanidm-docs-1.10.2~git0.f3dc9ef1f-bp156.64.1
kanidm-server-1.10.2~git0.f3dc9ef1f-bp156.64.1
kanidm-unixd-clients-1.10.2~git0.f3dc9ef1f-bp156.64.1
References: