openSUSE-SU-2026:20893-1: important: Security update for cloudflared
openSUSE-SU-2026:20888-1: important: Security update for apptainer
openSUSE-SU-2026:20887-1: important: Security update for python-PyMuPDF
openSUSE-SU-2026:20892-1: important: Security update for yq
openSUSE-SU-2026:20885-1: moderate: Security update for python-Flask
openSUSE-SU-2026:20886-1: moderate: Security update for python-CairoSVG
openSUSE-SU-2026:20877-1: important: Security update for rsync
openSUSE-SU-2026:20884-1: important: Security update for memcached
openSUSE-SU-2026:20883-1: important: Security update for busybox
openSUSE-SU-2026:20878-1: important: Security update for sdbootutil
openSUSE-SU-2026:20880-1: moderate: Security update for python-pip
openSUSE-SU-2026:20871-1: important: Security update for python-urllib3_1
openSUSE-SU-2026:20875-1: important: Security update for ovmf
openSUSE-SU-2026:20860-1: important: Security update for helm
openSUSE-SU-2026:20891-1: moderate: Security update for vorbis-tools
openSUSE-SU-2026:20861-1: important: Security update for python-urllib3
openSUSE-SU-2026:20863-1: important: Security update for tree-sitter
openSUSE-SU-2026:20889-1: moderate: Security update for tor
openSUSE-SU-2026:20864-1: moderate: Security update for evolution-data-server
openSUSE-SU-2026:10917-1: moderate: libsoup-2_4-1-2.74.3-21.1 on GA media
openSUSE-SU-2026:10916-1: moderate: libgphoto2-6-2.5.34-1.1 on GA media
openSUSE-SU-2026:10915-1: moderate: bind-9.20.23-2.1 on GA media
openSUSE-SU-2026:10919-1: moderate: apache-sshd-2.18.0-1.1 on GA media
openSUSE-SU-2026:10913-1: moderate: golang-github-v2fly-v2ray-core-5.51.2-1.1 on GA media
openSUSE-SU-2026:10911-1: moderate: libsoup-3_0-0-3.6.6-5.1 on GA media
openSUSE-SU-2026:10912-1: moderate: restic-0.18.1-3.1 on GA media
openSUSE-SU-2026:10910-1: moderate: libjxl-devel-0.11.2-2.1 on GA media
openSUSE-SU-2026:10914-1: moderate: atril-1.28.4-1.1 on GA media
SUSE-SU-2026:2252-1: important: Security update for salt
SUSE-SU-2026:2256-1: important: Security update for salt
SUSE-SU-2026:2259-1: moderate: Security update for python3-pyOpenSSL
SUSE-SU-2026:2261-1: moderate: Security update for python-pyOpenSSL
openSUSE-SU-2026:20893-1: important: Security update for cloudflared
openSUSE security update: security update for cloudflared
-------------------------------------------------------------
Announcement ID: openSUSE-SU-2026:20893-1
Rating: important
References:
* bsc#1234582
* bsc#1239422
* bsc#1253918
* bsc#1265920
* bsc#1266794
Cross-References:
* CVE-2024-45337
* CVE-2025-22869
* CVE-2025-58181
* CVE-2026-33814
* CVE-2026-39821
CVSS scores:
* CVE-2024-45337 ( SUSE ): 8.1 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
* CVE-2025-22869 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
* CVE-2025-22869 ( SUSE ): 8.2 CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
* CVE-2025-58181 ( SUSE ): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
* CVE-2025-58181 ( SUSE ): 6.9 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
* CVE-2026-33814 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
* CVE-2026-39821 ( SUSE ): 7.4 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
* CVE-2026-39821 ( SUSE ): 9.1 CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
Affected Products:
openSUSE Leap 16.0
-------------------------------------------------------------
An update that solves 5 vulnerabilities and has 5 bug fixes can now be installed.
Description:
This update for cloudflared fixes the following issues:
Changes in cloudflared:
- Update version to 2026.5.2
* Add more information to proxy-dns removal message
* Update tail command to use /management/logs endpoint
* Add cloudflared management token command
* Fix bugs
* Update golang.org/x/net to 0.55.0 (boo#1266794, boo#1265920, CVE-2026-39821,
CVE-2026-33814)
- Update version to 2026.2.0
* Fix bugs
- Update version to 2025.11.1
* bump coredns to solve CVE
* add vulncheck to cloudflared
* Remove references to cloudflare-go
* Add logging format as JSON
* Centralize UDP origin proxy dialing as ingress service
* Add virtual DNS service
* Add OriginDialerService to include TCP
* Add --dns-resolver-addrs flag
* Remove P256Kyber768Draft00PQKex curve from nonFips curve preferences
* Bump go-boring from 1.24.2 to 1.24.4
* Add metrics for virtual DNS origin
* set proper url and hostname for cloudflared tail command
* Add support for login interstitial auto closure
* update fed callback url for login helper
* Correct QUIC connection management for datagram handlers
* Set endpoint in tunnel credentials when generating locally managed tunnel
with a Fed token
* Migrate cloudflared-ci pipelines to Gitlab CI
* Add support for FedRAMP in originRequest Access config
* Add buffers for UDP and ICMP datagrams in datagram v3
* Add write deadline for UDP origin writes
* Improve metrics for datagram v3
* Force usage of go-boring 1.24
* Fix import of GPG keys when two keys are provided
* Fix parameter order when uploading RPM .repo file to R2
* Add new datagram v3 feature flag
* Bump datagram v3 write channel capacity
* Fix upload of RPM repo file during double signing
* Fix the cloudflared binary path used in the component test
* Fix typo causing r2-release-next deployment to fail
* Update from go1.24.6 to go1.24.9
* Fix systemd service installation hanging
* Add cf-proxy-* to control response headers
* Add pipelines for linux packaging
* Prefix gitlab steps with operating system
* Fix docker hub push step
* Fix CVE-2025-58181 boo#1253918
* Fix CVE-2025-22869 boo#1239422
- Update version to 2025.6.0
* Remove dynamic reloading of features for datagram v3
* Add metric for unsupported RPC commands for datagram v3
* Add dynamic loading of features to connections via ConnectionOptionsSnapshot
* Use is_default_network instead of is_default to create vnet's
* Update go to 1.24
- Update version to 2025.4.2
* emit explicit errors for the service command on unsupported OSes
* Fix some issues
- Update version to 2024.12.1
* TUN-8748: Migrated datagram V3 flows to use migrated context
* TUN-8737: update metrics server port selection
* TUN-8731: Implement diag/system endpoint
* TUN-8728: implement diag/tunnel endpoint
* TUN-8730: implement diag/configuration
* TUN-8735: add managed/local log collection
* TUN-8733: add log collection for docker
* TUN-8734: add log collection for kubernetes
* TUN-8640: Refactor ICMPRouter to support new ICMPResponders
* TUN-8729: implement network collection for diagnostic procedure
* TUN-8727: implement metrics, runtime, system, and tunnelstate in diagnostic
http client
* TUN-8726: implement compression routine to be used in diagnostic procedure
* TUN-8732: implement port selection algorithm
* TUN-8762: fix argument order when invoking tracert and modify network info
output parsing
* TUN-8769: fix k8s log collector arguments
* TUN-8727: extend client to include function to get cli configuration
and tunnel configuration
* TUN-8725: implement diagnostic procedure
* TUN-8767: include raw output from network collector in diagnostic zip file
* TUN-8770: add cli configuration and tunnel configuration to diagnostic zipfile
* TUN-8768: add job report to diagnostic zipfile
* TUN-8775: Make sure the session Close can only be called once
* TUN-8781: Add Trixie, drop Buster. Default to Bookworm
* TUN-8640: Add ICMP support for datagram V3
* TUN-8789: make python package installation consistent
* TUN-8795: update createrepo to createrepo_c to fix the release_pkgs.py
script
- fix CVE-2024-45337 and boo#1234582
- Update version to 2024.11.1
* Add cloudflared tunnel health command
* PPIP-2310: Update quick tunnel disclaimer
* TUN-8621: Prevent QUIC connection from closing before grace period
after unregistering
* TUN-8484: Print response when QuickTunnel can't be unmarshalled
* TUN-8592: Use metadata from the edge to determine if request body is
empty for QUIC transport
* TUN-8621: Fix cloudflared version in change notes to account for
release date
* TUN-8638: Add datagram v3 serializers and deserializers
* TUN-8685: Bump coredns dependency
* TUN-8688: Correct UDP bind for IPv6 edge connectivity on macOS
* TUN-8694: Fix github release script
* TUN-8694: Rework release script
* TUN-8661: Refactor connection methods to support future different
datagram muxing methods
* TUN-8692: remove dashes from session id
* TUN-8708: Bump python min version to 3.10
* TUN-8667: Add datagram v3 session manager
* TUN-8553: Bump go to 1.22.5 and go-boring 1.22.5-1
* TUN-8700: Add datagram v3 muxer
* TUN-8646: Allow experimental feature support for datagram v3
* TUN-8641: Expose methods to simplify V3 Datagram parsing on the edge
* VULN-66059: remove ssh server tests
* TUN-8709: Add session migration for datagram v3
* TUN-8701: Add metrics and adjust logs for datagram v3
* add: new go-fuzz targets
* TUN-8701: Simplify flow registration logs for datagram v3
Patch instructions:
To install this openSUSE security update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
- openSUSE Leap 16.0
zypper in -t patch openSUSE-Leap-16.0-packagehub-295=1
Package List:
- openSUSE Leap 16.0:
cloudflared-2026.5.2-bp160.1.1
References:
* https://www.suse.com/security/cve/CVE-2024-45337.html
* https://www.suse.com/security/cve/CVE-2025-22869.html
* https://www.suse.com/security/cve/CVE-2025-58181.html
* https://www.suse.com/security/cve/CVE-2026-33814.html
* https://www.suse.com/security/cve/CVE-2026-39821.html
openSUSE-SU-2026:20888-1: important: Security update for apptainer
openSUSE security update: security update for apptainer
-------------------------------------------------------------
Announcement ID: openSUSE-SU-2026:20888-1
Rating: important
References:
* bsc#1266656
Cross-References:
* CVE-2026-39821
CVSS scores:
* CVE-2026-39821 ( SUSE ): 7.4 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
* CVE-2026-39821 ( SUSE ): 9.1 CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
Affected Products:
openSUSE Leap 16.0
-------------------------------------------------------------
An update that solves one vulnerability and has one bug fix can now be installed.
Description:
This update for apptainer fixes the following issues:
Changes in apptainer:
- CVE-2026-39821: Update golang.org/x/net to 0.55.0. (bsc#1266656)
- Add improved handling of suid-starter:
* Add system group `apptainer`
* Make sure only users belonging to this group are able to
run the application.
* Document this in a README and point user to it if execution
fails.
Building of the 'suid-root' starter is still optional.
Patch instructions:
To install this openSUSE security update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
- openSUSE Leap 16.0
zypper in -t patch openSUSE-Leap-16.0-packagehub-290=1
Package List:
- openSUSE Leap 16.0:
apptainer-1.4.5-bp160.3.1
apptainer-leap-1.4.5-bp160.3.1
References:
* https://www.suse.com/security/cve/CVE-2026-39821.html
openSUSE-SU-2026:20887-1: important: Security update for python-PyMuPDF
openSUSE security update: security update for python-pymupdf
-------------------------------------------------------------
Announcement ID: openSUSE-SU-2026:20887-1
Rating: important
References:
* bsc#1259921
Cross-References:
* CVE-2026-3029
Affected Products:
openSUSE Leap 16.0
-------------------------------------------------------------
An update that solves one vulnerability and has one bug fix can now be installed.
Description:
This update for python-PyMuPDF fixes the following issues:
Changes in python-PyMuPDF:
- CVE-2026-3029: Fixed path traversal and arbitrary file write via the
`embedded_get` function in `__main__.py` (bsc#1259921)
Patch instructions:
To install this openSUSE security update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
- openSUSE Leap 16.0
zypper in -t patch openSUSE-Leap-16.0-leap-15=1
Package List:
- openSUSE Leap 16.0:
python313-PyMuPDF-1.21.1-lp160.5.1
References:
* https://www.suse.com/security/cve/CVE-2026-3029.html
openSUSE-SU-2026:20892-1: important: Security update for yq
openSUSE security update: security update for yq
-------------------------------------------------------------
Announcement ID: openSUSE-SU-2026:20892-1
Rating: important
References:
* bsc#1241719
* bsc#1251339
* bsc#1251540
* bsc#1266248
* bsc#1267053
* bsc#1267199
Cross-References:
* CVE-2024-45338
* CVE-2025-22872
* CVE-2025-47911
* CVE-2025-58190
* CVE-2026-25680
* CVE-2026-25681
* CVE-2026-27136
* CVE-2026-33814
* CVE-2026-39821
* CVE-2026-42502
* CVE-2026-42506
CVSS scores:
* CVE-2024-45338 ( SUSE ): 5.9 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
* CVE-2024-45338 ( SUSE ): 8.2 CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
* CVE-2025-22872 ( SUSE ): 6.5 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:L
* CVE-2025-22872 ( SUSE ): 6.3 CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:L/SC:L/SI:L/SA:L
* CVE-2025-47911 ( SUSE ): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
* CVE-2025-47911 ( SUSE ): 6.9 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
* CVE-2025-58190 ( SUSE ): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
* CVE-2025-58190 ( SUSE ): 6.9 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
* CVE-2026-25680 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
* CVE-2026-25680 ( SUSE ): 8.7 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
* CVE-2026-25681 ( SUSE ): 6.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
* CVE-2026-25681 ( SUSE ): 5.3 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:L/SI:L/SA:N
* CVE-2026-27136 ( SUSE ): 6.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
* CVE-2026-27136 ( SUSE ): 5.3 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:L/SI:L/SA:N
* CVE-2026-33814 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
* CVE-2026-39821 ( SUSE ): 7.4 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
* CVE-2026-39821 ( SUSE ): 9.1 CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
* CVE-2026-42502 ( SUSE ): 6.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
* CVE-2026-42502 ( SUSE ): 5.3 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:L/SI:L/SA:N
* CVE-2026-42506 ( SUSE ): 6.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
* CVE-2026-42506 ( SUSE ): 5.3 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:L/SI:L/SA:N
Affected Products:
openSUSE Leap 16.0
-------------------------------------------------------------
An update that solves 11 vulnerabilities and has 6 bug fixes can now be installed.
Description:
This update for yq fixes the following issues:
Changes in yq:
- Fix multiple CVEs:
* CVE-2026-27136 (GO-2026-5030)
CVE-2026-25681 (GO-2026-5029)
CVE-2026-25680 (GO-2026-5028)
CVE-2026-42502 (GO-2026-5027)
CVE-2026-42506 (GO-2026-5025) (bsc#1267053)
CVE-2026-39821 (GO-2026-5026) (bsc#1267199)
- update to v4.53.2
* Add system(command; args) operator (disabled by default).
* TOML encoder: prefer readable table sections over inline tables.
* Fix TOML encoder to quote keys containing special characters.
* Add string slicing support.
* Fix findInArray misuse on MappingNodes in equality and contains.
* Fix panic on negative slice indices that underflow after adjustment.
* Fix stack overflow from circular alias in traverse.
* Fix panic and OOM in repeatString for large repeat counts.
- update to v4.52.5
* Fix: reset TOML decoder state between files.
* Fix: preserve original filename when using --front-matter.
- Integrate vulnchecker support into %check stage (optional: set `%%_with_vulncheck 1`).
- Fix CVE-2026-33814 (bsc#1266248):
* update golang.org/x/net to v0.53.0.
- update to 4.52.4:
* Dropping windows/arm - no longer supported in cross-compile
* Fixing comments in TOML arrays
* Bumped dependencies
- update to 4.52.2:
* Fixed bad instructions file breaking go-install (#2587)
Thanks @theyoprst
* Fixed TOML table scope after comments (#2588) Thanks @tomers
* Multiply uses a readonly context
* Fixed merge globbing wildcards in keys
* Fixing TOML subarray parsing issue
- update to 4.52.1:
* TOML encoder support - you can now roundtrip! #1364
* Parent now supports negative indices, and added a 'root'
command for referencing the top level document
* Fixed scalar encoding for HCL
* Add --yaml-compact-seq-indent / -c flag for compact sequence
indentation (#2583) Thanks @jfenal
* Add symlink check to file rename util (#2576) Thanks @Elias-elastisys
* Powershell fixed default command used for __completeNoDesc
alias (#2568) Thanks @teejaded
* Unwrap scalars in shell output mode. (#2548) Thanks
@flintwinters
* Added K8S KYAML output format support (#2560) Thanks @robbat2
- update to 4.50.1:
* Added HCL Support - First cut - hopefully it works well!
* Fixing handling of CRLF #2352
- update to 4.49.2:
* Fixing escape character bugs :sweat: #2517
* Fixing snap release pipeline #2518 Thanks @aalexjo
- update to 4.49.1:
* Added `--security` flags to disable env and file ops #2515
* Fixing TOML ArrayTable parsing issues #1758
* Fixing parsing of escaped characters #2506
- update to 4.48.2:
* Strip whitespace when decoding base64 #2507
* Upgraded to go-yaml v4! (thanks @ccoVeille, @ingydotnet)
* Add linux/loong64 to release target (thanks @znley)
* Added --shell-key-separator flag for customizable shell
output format #2497 (thanks @rsleedbx)
- update to 4.48.1:
* Added 'parents' operator, to return a list of all the
hierarchical parents of a node
* Added 'first(exp)' operator, to return the first entry
matching an expression in an array
* Fixed xml namespace prefixes #1730 (thanks @baodrate)
* Fixed out of range panic in yaml decoder #2460 (thanks
@n471d)
* Fixes CVE-2025-58190 (GO-2026-4441) (bsc#1251540)
CVE-2025-47911 (GO-2026-4440) (bsc#1251339) by
updating golang.org/x/net to v0.46.0.
- update to 4.47.2:
* Conversion from TOML to JSON no longer omits empty tables
#2459 (thanks @louislouislouislouis)
- update to 4.47.1:
* Fixed merge anchor behaviour (`