SUSE 5661

SUSE has published a new batch of security advisories, rated important or moderate, for openSUSE Leap 15.6 and 16.0 and for SUSE Linux Enterprise 15 SP6, covering xen, apache2, cups, xz, docker-stable, trivy, alloy, bubblewrap, google-osconfig-agent, Firefox, Thunderbird and ffmpeg. The fixes that matter most on exposed systems are in apache2 (a double free in mod_http2 with possible remote code execution, a timing side channel that bypasses Digest authentication, and a series of heap overflows and over-reads in mod_proxy_ajp), in cups (an authorization bypass through case-insensitive group lookup, and a shared PostScript queue that lets anonymous Print-Job requests reach code execution over the network) and in xen (a xenstored denial of service via XS_RESET_WATCHES, a grant table v2 race and mitigations for two AMD CPU issues). Apply the updates with the zypper commands given in each advisory. Only the xen update asks for a reboot; for the other packages, restart the affected services so that running processes pick up the fixed code (zypper ps -s lists processes that still use replaced files).

SUSE-SU-2026:2102-1: important: Security update for xen
SUSE-SU-2026:2103-1: important: Security update for apache2
openSUSE-SU-2026:20816-1: important: Security update for alloy
openSUSE-SU-2026:20815-1: important: Security update for google-osconfig-agent
openSUSE-SU-2026:20813-1: important: Security update for xz
openSUSE-SU-2026:20814-1: important: Security update for docker-stable
openSUSE-SU-2026:20812-1: important: Security update for cups
openSUSE-SU-2026:20810-1: important: Security update for apache2
openSUSE-SU-2026:20809-1: important: Security update for trivy
openSUSE-SU-2026:20811-1: important: Security update for bubblewrap
openSUSE-SU-2026:20803-1: moderate: Security update for patterns-glibc-hwcaps
openSUSE-SU-2026:20798-1: important: Security update for trivy
openSUSE-SU-2026:10865-1: moderate: beets-2.11.0-1.1 on GA media
openSUSE-SU-2026:10863-1: moderate: MozillaFirefox-151.0.1-1.1 on GA media
openSUSE-SU-2026:10867-1: moderate: ffmpeg-7-7.1.4-2.1 on GA media
openSUSE-SU-2026:10864-1: moderate: MozillaThunderbird-140.11.1-1.1 on GA media
openSUSE-SU-2026:10866-1: moderate: ffmpeg-4-4.4.7-2.1 on GA media




SUSE-SU-2026:2102-1: important: Security update for xen


# Security update for xen

Announcement ID: SUSE-SU-2026:2102-1
Release Date: 2026-05-28T07:14:07Z
Rating: important
References:

* bsc#1262178
* bsc#1262180
* bsc#1262428
* bsc#1264066

Cross-References:

* CVE-2025-54505
* CVE-2025-54518
* CVE-2026-23557
* CVE-2026-23558

CVSS scores:

* CVE-2025-54505 ( SUSE ): 6.9 CVSS:4.0/AV:L/AC:H/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N
* CVE-2025-54505 ( SUSE ): 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
* CVE-2025-54505 ( NVD ): 2.0 CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
* CVE-2025-54518 ( SUSE ): 7.3 CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
* CVE-2025-54518 ( SUSE ): 7.4 CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
* CVE-2025-54518 ( NVD ): 7.3 CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
* CVE-2026-23557 ( SUSE ): 6.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H
* CVE-2026-23557 ( NVD ): 6.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H
* CVE-2026-23558 ( SUSE ): 7.3 CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
* CVE-2026-23558 ( SUSE ): 7.8 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
* CVE-2026-23558 ( NVD ): 7.8 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H

Affected Products:

* openSUSE Leap 15.6
* SUSE Linux Enterprise Server 15 SP6
* SUSE Linux Enterprise Server 15 SP6 LTSS
* SUSE Linux Enterprise Server for SAP Applications 15 SP6

An update that solves four vulnerabilities can now be installed.

## Description:

This update for xen fixes the following issues

* CVE-2025-54505: Floating Point Divider State Sampling on AMD CPUs, AMD-SN-7053 (bsc#1262428).
* CVE-2025-54518: AMD-SN-7052: CPU OP Cache Corruption (bsc#1264066).
* CVE-2026-23557: Xenstored DoS via XS_RESET_WATCHES command (bsc#1262178).
* CVE-2026-23558: grant table v2 race in status page mapping (bsc#1262180).

## Special Instructions and Notes:

* Please reboot the system after installing this update.

## Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like
YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

* openSUSE Leap 15.6
zypper in -t patch SUSE-2026-2102=1

* SUSE Linux Enterprise Server 15 SP6 LTSS
zypper in -t patch SUSE-SLE-Product-SLES-15-SP6-LTSS-2026-2102=1

* SUSE Linux Enterprise Server for SAP Applications 15 SP6
zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-SP6-2026-2102=1

## Package List:

* openSUSE Leap 15.6 (aarch64 x86_64 i586)
* xen-debugsource-4.18.5_16-150600.3.45.1
* xen-tools-domU-4.18.5_16-150600.3.45.1
* xen-libs-4.18.5_16-150600.3.45.1
* xen-devel-4.18.5_16-150600.3.45.1
* xen-tools-domU-debuginfo-4.18.5_16-150600.3.45.1
* xen-libs-debuginfo-4.18.5_16-150600.3.45.1
* openSUSE Leap 15.6 (x86_64)
* xen-libs-32bit-4.18.5_16-150600.3.45.1
* xen-libs-32bit-debuginfo-4.18.5_16-150600.3.45.1
* openSUSE Leap 15.6 (aarch64 x86_64)
* xen-tools-debuginfo-4.18.5_16-150600.3.45.1
* xen-tools-4.18.5_16-150600.3.45.1
* xen-4.18.5_16-150600.3.45.1
* xen-doc-html-4.18.5_16-150600.3.45.1
* openSUSE Leap 15.6 (noarch)
* xen-tools-xendomains-wait-disk-4.18.5_16-150600.3.45.1
* openSUSE Leap 15.6 (aarch64_ilp32)
* xen-libs-64bit-debuginfo-4.18.5_16-150600.3.45.1
* xen-libs-64bit-4.18.5_16-150600.3.45.1
* SUSE Linux Enterprise Server 15 SP6 LTSS (x86_64)
* xen-tools-debuginfo-4.18.5_16-150600.3.45.1
* xen-debugsource-4.18.5_16-150600.3.45.1
* xen-tools-4.18.5_16-150600.3.45.1
* xen-4.18.5_16-150600.3.45.1
* xen-tools-domU-4.18.5_16-150600.3.45.1
* xen-libs-4.18.5_16-150600.3.45.1
* xen-devel-4.18.5_16-150600.3.45.1
* xen-tools-domU-debuginfo-4.18.5_16-150600.3.45.1
* xen-libs-debuginfo-4.18.5_16-150600.3.45.1
* SUSE Linux Enterprise Server 15 SP6 LTSS (noarch)
* xen-tools-xendomains-wait-disk-4.18.5_16-150600.3.45.1
* SUSE Linux Enterprise Server for SAP Applications 15 SP6 (x86_64)
* xen-tools-debuginfo-4.18.5_16-150600.3.45.1
* xen-debugsource-4.18.5_16-150600.3.45.1
* xen-tools-4.18.5_16-150600.3.45.1
* xen-4.18.5_16-150600.3.45.1
* xen-tools-domU-4.18.5_16-150600.3.45.1
* xen-libs-4.18.5_16-150600.3.45.1
* xen-devel-4.18.5_16-150600.3.45.1
* xen-tools-domU-debuginfo-4.18.5_16-150600.3.45.1
* xen-libs-debuginfo-4.18.5_16-150600.3.45.1
* SUSE Linux Enterprise Server for SAP Applications 15 SP6 (noarch)
* xen-tools-xendomains-wait-disk-4.18.5_16-150600.3.45.1

## References:

* https://www.suse.com/security/cve/CVE-2025-54505.html
* https://www.suse.com/security/cve/CVE-2025-54518.html
* https://www.suse.com/security/cve/CVE-2026-23557.html
* https://www.suse.com/security/cve/CVE-2026-23558.html
* https://bugzilla.suse.com/show_bug.cgi?id=1262178
* https://bugzilla.suse.com/show_bug.cgi?id=1262180
* https://bugzilla.suse.com/show_bug.cgi?id=1262428
* https://bugzilla.suse.com/show_bug.cgi?id=1264066



SUSE-SU-2026:2103-1: important: Security update for apache2


# Security update for apache2

Announcement ID: SUSE-SU-2026:2103-1
Release Date: 2026-05-28T12:34:10Z
Rating: important
References:

* bsc#1263935
* bsc#1263950
* bsc#1263951
* bsc#1263952
* bsc#1263953
* bsc#1263954
* bsc#1263955
* bsc#1263956
* bsc#1263957
* bsc#1264150
* bsc#1264163

Cross-References:

* CVE-2026-23918
* CVE-2026-24072
* CVE-2026-28780
* CVE-2026-29168
* CVE-2026-29169
* CVE-2026-33006
* CVE-2026-33007
* CVE-2026-33523
* CVE-2026-33857
* CVE-2026-34032
* CVE-2026-34059

CVSS scores:

* CVE-2026-23918 ( SUSE ): 9.2 CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
* CVE-2026-23918 ( SUSE ): 8.1 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
* CVE-2026-23918 ( NVD ): 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
* CVE-2026-24072 ( SUSE ): 7.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
* CVE-2026-24072 ( NVD ): 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
* CVE-2026-28780 ( SUSE ): 8.3 CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:H/SC:N/SI:N/SA:N
* CVE-2026-28780 ( SUSE ): 6.5 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:H
* CVE-2026-28780 ( NVD ): 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
* CVE-2026-29168 ( SUSE ): 8.2 CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
* CVE-2026-29168 ( SUSE ): 5.9 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
* CVE-2026-29168 ( NVD ): 7.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
* CVE-2026-29169 ( SUSE ): 8.2 CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
* CVE-2026-29169 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
* CVE-2026-29169 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
* CVE-2026-33006 ( SUSE ): 9.1 CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
* CVE-2026-33006 ( SUSE ): 7.4 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
* CVE-2026-33006 ( NVD ): 4.8 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
* CVE-2026-33007 ( SUSE ): 6.9 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
* CVE-2026-33007 ( SUSE ): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
* CVE-2026-33007 ( NVD ): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
* CVE-2026-33523 ( SUSE ): 9.0 CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:H/SI:H/SA:N
* CVE-2026-33523 ( SUSE ): 8.7 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N
* CVE-2026-33523 ( NVD ): 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
* CVE-2026-33857 ( SUSE ): 6.9 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
* CVE-2026-33857 ( SUSE ): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
* CVE-2026-33857 ( NVD ): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
* CVE-2026-34032 ( SUSE ): 8.8 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:H/SC:N/SI:N/SA:N
* CVE-2026-34032 ( SUSE ): 8.2 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H
* CVE-2026-34032 ( NVD ): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
* CVE-2026-34059 ( SUSE ): 8.8 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:H/SC:N/SI:N/SA:N
* CVE-2026-34059 ( SUSE ): 8.2 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H
* CVE-2026-34059 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Affected Products:

* openSUSE Leap 15.6
* SUSE Linux Enterprise Server 15 SP6
* SUSE Linux Enterprise Server 15 SP6 LTSS
* SUSE Linux Enterprise Server for SAP Applications 15 SP6

An update that solves 11 vulnerabilities can now be installed.

## Description:

This update for apache2 fixes the following issues

* CVE-2026-23918: http2: double free and possible RCE on early reset (bsc#1263957).
* CVE-2026-24072: mod_rewrite elevation of privileges via ap_expr (bsc#1263935).
* CVE-2026-28780: heap buffer overflow in `mod_proxy_ajp` via `ajp_msg_check_header()` (bsc#1264163).
* CVE-2026-29168: allocation of resources without limits in `mod_md` via OCSP response (bsc#1264150).
* CVE-2026-29169: NULL pointer dereference in `mod_dav_lock` allows server crash via malicious requests (bsc#1263956).
* CVE-2026-33006: `mod_auth_digest` timing attack allows bypass of Digest authentication (bsc#1263955).
* CVE-2026-33007: NULL pointer dereference in `mod_authn_socache` allows an unauthenticated remote user to crash child processes (bsc#1263954).
* CVE-2026-33523: HTTP response splitting when forwarding a malicious status line (bsc#1263953).
* CVE-2026-33857: off-by-one OOB reads in AJP getter functions (bsc#1263952).
* CVE-2026-34032: heap buffer overread in `mod_proxy_ajp` due to missing null-termination check (bsc#1263951).
* CVE-2026-34059: heap buffer overread and memory disclosure via `ajp_parse_data()` (bsc#1263950).

## Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like
YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

* openSUSE Leap 15.6
zypper in -t patch SUSE-2026-2103=1

* SUSE Linux Enterprise Server 15 SP6 LTSS
zypper in -t patch SUSE-SLE-Product-SLES-15-SP6-LTSS-2026-2103=1

* SUSE Linux Enterprise Server for SAP Applications 15 SP6
zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-SP6-2026-2103=1

## Package List:

* openSUSE Leap 15.6 (aarch64 ppc64le s390x x86_64 i586)
* apache2-2.4.66-150600.5.52.1
* apache2-prefork-debuginfo-2.4.66-150600.5.52.1
* apache2-event-debugsource-2.4.66-150600.5.52.1
* apache2-worker-debuginfo-2.4.66-150600.5.52.1
* apache2-worker-debugsource-2.4.66-150600.5.52.1
* apache2-debuginfo-2.4.66-150600.5.52.1
* apache2-utils-debuginfo-2.4.66-150600.5.52.1
* apache2-event-debuginfo-2.4.66-150600.5.52.1
* apache2-utils-debugsource-2.4.66-150600.5.52.1
* apache2-devel-2.4.66-150600.5.52.1
* apache2-prefork-2.4.66-150600.5.52.1
* apache2-debugsource-2.4.66-150600.5.52.1
* apache2-event-2.4.66-150600.5.52.1
* apache2-utils-2.4.66-150600.5.52.1
* apache2-prefork-debugsource-2.4.66-150600.5.52.1
* apache2-worker-2.4.66-150600.5.52.1
* openSUSE Leap 15.6 (noarch)
* apache2-manual-2.4.66-150600.5.52.1
* SUSE Linux Enterprise Server 15 SP6 LTSS (aarch64 ppc64le s390x x86_64)
* apache2-2.4.66-150600.5.52.1
* apache2-prefork-debuginfo-2.4.66-150600.5.52.1
* apache2-worker-debuginfo-2.4.66-150600.5.52.1
* apache2-worker-debugsource-2.4.66-150600.5.52.1
* apache2-debuginfo-2.4.66-150600.5.52.1
* apache2-utils-debuginfo-2.4.66-150600.5.52.1
* apache2-utils-debugsource-2.4.66-150600.5.52.1
* apache2-devel-2.4.66-150600.5.52.1
* apache2-prefork-2.4.66-150600.5.52.1
* apache2-debugsource-2.4.66-150600.5.52.1
* apache2-utils-2.4.66-150600.5.52.1
* apache2-prefork-debugsource-2.4.66-150600.5.52.1
* apache2-worker-2.4.66-150600.5.52.1
* SUSE Linux Enterprise Server 15 SP6 LTSS (noarch)
* apache2-manual-2.4.66-150600.5.52.1
* SUSE Linux Enterprise Server for SAP Applications 15 SP6 (ppc64le x86_64)
* apache2-2.4.66-150600.5.52.1
* apache2-prefork-debuginfo-2.4.66-150600.5.52.1
* apache2-worker-debuginfo-2.4.66-150600.5.52.1
* apache2-worker-debugsource-2.4.66-150600.5.52.1
* apache2-debuginfo-2.4.66-150600.5.52.1
* apache2-utils-debuginfo-2.4.66-150600.5.52.1
* apache2-utils-debugsource-2.4.66-150600.5.52.1
* apache2-devel-2.4.66-150600.5.52.1
* apache2-prefork-2.4.66-150600.5.52.1
* apache2-debugsource-2.4.66-150600.5.52.1
* apache2-utils-2.4.66-150600.5.52.1
* apache2-prefork-debugsource-2.4.66-150600.5.52.1
* apache2-worker-2.4.66-150600.5.52.1
* SUSE Linux Enterprise Server for SAP Applications 15 SP6 (noarch)
* apache2-manual-2.4.66-150600.5.52.1
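
Before and after running the zypper commands above for the xen (SUSE-SU-2026:2102-1) and apache2 (SUSE-SU-2026:2103-1) advisories, a practitioner usually wants a host-independent check that the installed builds are at least the ones in the package lists. The script below is an added example and not SUSE tooling: it reimplements rpm's version ordering (the rpmvercmp algorithm, including the `~` and `^` tokens) and compares a constructed sample inventory against NVRs copied from the two package lists. The inventory line format and the epoch-0 assumption for the advisory packages are this example's own choices.

```python
"""Check a package inventory against the package lists of the xen
(SUSE-SU-2026:2102-1) and apache2 (SUSE-SU-2026:2103-1) advisories above.
Added example, not SUSE tooling: rpm's version ordering is reimplemented so
that the check runs offline against a constructed inventory."""
import re

# NVRs copied from the advisories' package lists (subset).
ADVISORY_PACKAGES = {
    "SUSE-SU-2026:2102-1": ["xen-4.18.5_16-150600.3.45.1", "xen-libs-4.18.5_16-150600.3.45.1",
                            "xen-tools-4.18.5_16-150600.3.45.1"],
    "SUSE-SU-2026:2103-1": ["apache2-2.4.66-150600.5.52.1"],
}
# Constructed sample inventory, not captured from a real host (there, use
# rpm -qa --qf '%{NAME} %{EPOCH} %{VERSION} %{RELEASE}\n'): xen is one build
# behind the advisory, apache2 already carries the fixed build.
SAMPLE_INVENTORY = """\
xen (none) 4.18.5_14 150600.3.42.1
xen-libs (none) 4.18.5_14 150600.3.42.1
apache2 (none) 2.4.66 150600.5.52.1
"""

def rpmvercmp(a, b):
    """Order two version/release strings like rpm's rpmvercmp() (-1, 0, 1):
    separators are ignored, numeric segments compare as integers, alphabetic
    ones as strings, '~' sorts before anything, '^' after end-of-string."""
    i, j = 0, 0
    while i < len(a) or j < len(b):
        while i < len(a) and not (a[i].isalnum() or a[i] in "~^"):
            i += 1
        while j < len(b) and not (b[j].isalnum() or b[j] in "~^"):
            j += 1
        ca = a[i] if i < len(a) else ""
        cb = b[j] if j < len(b) else ""
        if ca == "~" or cb == "~":
            if ca != cb:
                return 1 if cb == "~" else -1  # the '~' side is older
            i, j = i + 1, j + 1
            continue
        if ca == "^" or cb == "^":
            if not ca or not cb:
                return -1 if not ca else 1  # '^' beats end-of-string
            if ca != cb:
                return 1 if cb == "^" else -1  # '^' loses to any segment
            i, j = i + 1, j + 1
            continue
        if not (ca and cb):
            break
        numeric = ca.isdigit()
        pat = r"[0-9]+" if numeric else r"[A-Za-z]+"
        sa = re.match(pat, a[i:]).group()
        mb = re.match(pat, b[j:])
        if mb is None:  # segment kinds differ: numeric counts as newer
            return 1 if numeric else -1
        sb = mb.group()
        i, j = i + len(sa), j + len(sb)
        if numeric:
            sa, sb = sa.lstrip("0"), sb.lstrip("0")
            if len(sa) != len(sb):
                return 1 if len(sa) > len(sb) else -1
        if sa != sb:
            return 1 if sa > sb else -1
    if i >= len(a) and j >= len(b):
        return 0
    return -1 if i >= len(a) else 1

def evr_cmp(e1, v1, r1, e2, v2, r2):
    if int(e1) != int(e2):
        return 1 if int(e1) > int(e2) else -1
    return rpmvercmp(v1, v2) or rpmvercmp(r1, r2)  # epoch, then version, then release

def parse_nvr(nvr):
    """Split 'name-version-release'; version/release never contain '-' (safe for xen-tools-domU)."""
    name, version, release = nvr.rsplit("-", 2)
    return name, version, release

def parse_inventory(text):
    """'NAME EPOCH VERSION RELEASE' lines; rpm prints '(none)' for no epoch."""
    inv = {}
    for line in filter(str.strip, text.splitlines()):
        name, epoch, version, release = line.split()
        inv[name] = ("0" if epoch == "(none)" else epoch, version, release)
    return inv

def audit(inventory_text, advisories):
    """Per advisory: installed packages older than the fixed build, as (name, installed,
    fixed). Uninstalled packages are skipped; epoch 0 is assumed for the fixed build."""
    inv = parse_inventory(inventory_text)
    report = {}
    for adv_id, nvrs in advisories.items():
        report[adv_id] = []
        for nvr in nvrs:
            name, fv, fr = parse_nvr(nvr)
            if name in inv and evr_cmp(*inv[name], "0", fv, fr) < 0:
                report[adv_id].append((name, "-".join(inv[name][1:]), f"{fv}-{fr}"))
    return report

if __name__ == "__main__":
    for adv_id, rows in audit(SAMPLE_INVENTORY, ADVISORY_PACKAGES).items():
        print(adv_id, "OK" if not rows else rows)
```

On a real host, replace SAMPLE_INVENTORY with the output of the rpm query in the comment. zypper itself already knows the same facts: `zypper patch-info SUSE-2026-2103` shows the patch, `zypper lp` lists patches not yet applied, and after installation `zypper ps -s` lists processes still running replaced files, which for apache2 means httpd has to be restarted even though no reboot is required.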

## References:

* https://www.suse.com/security/cve/CVE-2026-23918.html
* https://www.suse.com/security/cve/CVE-2026-24072.html
* https://www.suse.com/security/cve/CVE-2026-28780.html
* https://www.suse.com/security/cve/CVE-2026-29168.html
* https://www.suse.com/security/cve/CVE-2026-29169.html
* https://www.suse.com/security/cve/CVE-2026-33006.html
* https://www.suse.com/security/cve/CVE-2026-33007.html
* https://www.suse.com/security/cve/CVE-2026-33523.html
* https://www.suse.com/security/cve/CVE-2026-33857.html
* https://www.suse.com/security/cve/CVE-2026-34032.html
* https://www.suse.com/security/cve/CVE-2026-34059.html
* https://bugzilla.suse.com/show_bug.cgi?id=1263935
* https://bugzilla.suse.com/show_bug.cgi?id=1263950
* https://bugzilla.suse.com/show_bug.cgi?id=1263951
* https://bugzilla.suse.com/show_bug.cgi?id=1263952
* https://bugzilla.suse.com/show_bug.cgi?id=1263953
* https://bugzilla.suse.com/show_bug.cgi?id=1263954
* https://bugzilla.suse.com/show_bug.cgi?id=1263955
* https://bugzilla.suse.com/show_bug.cgi?id=1263956
* https://bugzilla.suse.com/show_bug.cgi?id=1263957
* https://bugzilla.suse.com/show_bug.cgi?id=1264150
* https://bugzilla.suse.com/show_bug.cgi?id=1264163



openSUSE-SU-2026:20816-1: important: Security update for alloy


openSUSE security update: security update for alloy
-------------------------------------------------------------

Announcement ID: openSUSE-SU-2026:20816-1
Rating: important
References:

* bsc#1262955
* bsc#1263530

Cross-References:

* CVE-2026-34986
* CVE-2026-41602

CVSS scores:

* CVE-2026-34986 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
* CVE-2026-34986 ( SUSE ): 8.7 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
* CVE-2026-41602 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
* CVE-2026-41602 ( SUSE ): 8.7 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Affected Products:

openSUSE Leap 16.0

-------------------------------------------------------------

An update that solves 2 vulnerabilities and has 2 bug fixes can now be installed.

Description:

This update for alloy fixes the following issues

- CVE-2026-34986: github.com/go-jose/go-jose/v4: crafted JWE input with a missing encrypted key can lead to a denial of service (bsc#1262955).
- CVE-2026-41602: github.com/apache/thrift: TFramedTransport frame size headers can lead to a uint32 integer overflow (bsc#1263530).

Changes for alloy:

- Update to version 1.16.1
* Bug Fixes
logging: Fix startup deadlock when components log before logging config is evaluated
Update to Beyla 3.9.8
Migrate from Docker to Moby

Patch instructions:

To install this openSUSE security update use the suse recommended installation methods
like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

- openSUSE Leap 16.0

zypper in -t patch openSUSE-Leap-16.0-807=1

Package List:

- openSUSE Leap 16.0:

alloy-1.16.1-160000.1.1

References:

* https://www.suse.com/security/cve/CVE-2026-34986.html
* https://www.suse.com/security/cve/CVE-2026-41602.html



openSUSE-SU-2026:20815-1: important: Security update for google-osconfig-agent


openSUSE security update: security update for google-osconfig-agent
-------------------------------------------------------------

Announcement ID: openSUSE-SU-2026:20815-1
Rating: important
References:

* bsc#1236533
* bsc#1260264

Cross-References:

* CVE-2023-45288
* CVE-2026-33186

CVSS scores:

* CVE-2023-45288 ( SUSE ): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
* CVE-2023-45288 ( SUSE ): 6.9 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
* CVE-2026-33186 ( SUSE ): 8.1 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
* CVE-2026-33186 ( SUSE ): 8.6 CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

Affected Products:

openSUSE Leap 16.0

-------------------------------------------------------------

An update that solves 2 vulnerabilities and has 2 bug fixes can now be installed.

Description:

This update for google-osconfig-agent fixes the following issues

- CVE-2023-45288: golang.org/x/net/http2: close connections when receiving too many headers (bsc#1236533).
- CVE-2026-33186: google.golang.org/grpc: authorization bypass due to improper validation of the HTTP/2 `:path` pseudo-header (bsc#1260264).

Patch instructions:

To install this openSUSE security update use the suse recommended installation methods
like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

- openSUSE Leap 16.0

zypper in -t patch openSUSE-Leap-16.0-805=1

Package List:

- openSUSE Leap 16.0:

google-osconfig-agent-20250416.02-160000.3.1

References:

* https://www.suse.com/security/cve/CVE-2023-45288.html
* https://www.suse.com/security/cve/CVE-2026-33186.html



openSUSE-SU-2026:20813-1: important: Security update for xz


openSUSE security update: security update for xz
-------------------------------------------------------------

Announcement ID: openSUSE-SU-2026:20813-1
Rating: important
References:

* bsc#1261280

Cross-References:

* CVE-2026-34743

CVSS scores:

* CVE-2026-34743 ( SUSE ): 7.4 CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
* CVE-2026-34743 ( SUSE ): 7.5 CVSS:4.0/AV:L/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Affected Products:

openSUSE Leap 16.0

-------------------------------------------------------------

An update that solves one vulnerability and has one bug fix can now be installed.

Description:

This update for xz fixes the following issue

- CVE-2026-34743: buffer overflow in lzma_index_append() (bsc#1261280).

Patch instructions:

To install this openSUSE security update use the suse recommended installation methods
like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

- openSUSE Leap 16.0

zypper in -t patch openSUSE-Leap-16.0-803=1

Package List:

- openSUSE Leap 16.0:

liblzma5-5.8.1-160000.3.1
liblzma5-x86-64-v3-5.8.1-160000.3.1
xz-5.8.1-160000.3.1
xz-devel-5.8.1-160000.3.1
xz-lang-5.8.1-160000.3.1

References:

* https://www.suse.com/security/cve/CVE-2026-34743.html



openSUSE-SU-2026:20814-1: important: Security update for docker-stable


openSUSE security update: security update for docker-stable
-------------------------------------------------------------

Announcement ID: openSUSE-SU-2026:20814-1
Rating: important
References:

* bsc#1260967
* bsc#1261078

Cross-References:

* CVE-2026-33747
* CVE-2026-33748

CVSS scores:

* CVE-2026-33747 ( SUSE ): 8.4 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
* CVE-2026-33747 ( SUSE ): 8.6 CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
* CVE-2026-33748 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
* CVE-2026-33748 ( SUSE ): 8.2 CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Affected Products:

openSUSE Leap 16.0

-------------------------------------------------------------

An update that solves 2 vulnerabilities and has 2 bug fixes can now be installed.

Description:

This update for docker-stable fixes the following issues

- CVE-2026-33747: github.com/moby/buildkit: malicious frontends can craft API messages that cause files to be written outside of the BuildKit state directory (bsc#1260967).
- CVE-2026-33748: github.com/moby/buildkit: insufficient validation of Git URL fragment subdir components may allow access to files outside the checked-out Git repository (bsc#1261078).

Patch instructions:

To install this openSUSE security update use the suse recommended installation methods
like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

- openSUSE Leap 16.0

zypper in -t patch openSUSE-Leap-16.0-804=1

Package List:

- openSUSE Leap 16.0:

docker-stable-24.0.9_ce-160000.5.1
docker-stable-bash-completion-24.0.9_ce-160000.5.1
docker-stable-buildx-0.25.0-160000.5.1
docker-stable-fish-completion-24.0.9_ce-160000.5.1
docker-stable-rootless-extras-24.0.9_ce-160000.5.1
docker-stable-zsh-completion-24.0.9_ce-160000.5.1

References:

* https://www.suse.com/security/cve/CVE-2026-33747.html
* https://www.suse.com/security/cve/CVE-2026-33748.html



openSUSE-SU-2026:20812-1: important: Security update for cups


openSUSE security update: security update for cups
-------------------------------------------------------------

Announcement ID: openSUSE-SU-2026:20812-1
Rating: important
References:

* bsc#1261568
* bsc#1261569
* bsc#1261570
* bsc#1261571
* bsc#1261572
* bsc#1261742
* bsc#1261743
* bsc#1263116

Cross-References:

* CVE-2026-27447
* CVE-2026-34978
* CVE-2026-34979
* CVE-2026-34980
* CVE-2026-34990
* CVE-2026-39314
* CVE-2026-39316
* CVE-2026-41079

CVSS scores:

* CVE-2026-27447 ( SUSE ): 4.8 CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:L/A:N
* CVE-2026-34978 ( SUSE ): 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L
* CVE-2026-34979 ( SUSE ): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
* CVE-2026-34980 ( SUSE ): 6.4 CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:L
* CVE-2026-34990 ( SUSE ): 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
* CVE-2026-39314 ( SUSE ): 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
* CVE-2026-39314 ( SUSE ): 6.8 CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
* CVE-2026-39316 ( SUSE ): 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
* CVE-2026-39316 ( SUSE ): 6.8 CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
* CVE-2026-41079 ( SUSE ): 3.5 CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
* CVE-2026-41079 ( SUSE ): 5.1 CVSS:4.0/AV:A/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

Affected Products:

openSUSE Leap 16.0

-------------------------------------------------------------

An update that solves 8 vulnerabilities and has 8 bug fixes can now be installed.

Description:

This update for cups fixes the following issues

- CVE-2026-27447: Authorization bypass via case-insensitive group-member lookup (bsc#1261572).
- CVE-2026-34978: Path traversal in RSS notify-recipient-uri enables file write outside CacheDir/rss (bsc#1261571).
- CVE-2026-34979: Heap overflow in `get_options()` (bsc#1261570).
- CVE-2026-34980: Shared PostScript queue lets anonymous Print-Job requests reach `lp` code execution over the network (bsc#1261569).
- CVE-2026-34990: Local print admin token disclosure using temporary printers (bsc#1261568).
- CVE-2026-39314: negative `job-password-supported` attribute can lead to a denial of service (bsc#1261743).
- CVE-2026-39316: dangling subscription pointer can lead to a denial of service (bsc#1261742).
- CVE-2026-41079: crafted SNMP response can lead to stack-based out-of-bounds read and sensitive memory disclosure (bsc#1263116).
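
Three of the fixes in this digest belong to one bug class: an attacker-influenced path component ends up outside the directory the program meant to stay in (CVE-2026-34978 in cups writes outside CacheDir/rss; CVE-2026-33747 and CVE-2026-33748 in docker-stable write outside the BuildKit state directory and read outside the checked-out Git repository). The script below is an added illustration of that class, not CUPS or BuildKit code, and says nothing about how either project fixed its bug: it contrasts the lexical prefix check that fails with a resolution-based containment check, on a constructed directory tree whose names (rss, outside, link) are this example's own.

```python
"""Containment check for an attacker-influenced path below a base directory.
Added illustration of a bug class, not CUPS or BuildKit code; the tree it
builds (rss/, outside/, rss/link -> outside/) is constructed for the demo."""
import os
import tempfile


def naive_join(base, untrusted):
    """The check that looks right and is wrong: a string-prefix test on the
    unresolved join. '../x' keeps the prefix, a symlink planted inside base
    is never seen, and 'base2/...' would match the prefix 'base' as well."""
    path = os.path.join(base, untrusted)
    if not path.startswith(base):
        raise ValueError(f"{untrusted!r} escapes {base}")
    return path


def confined_path(base, untrusted):
    """Resolve symlinks, '.' and '..' on both sides, then require that the
    result is base itself or lies below it. realpath() of a not-yet-existing
    leaf resolves the existing prefix and appends the rest lexically, so
    paths for files about to be created are handled too."""
    base_real = os.path.realpath(base)
    candidate = os.path.realpath(os.path.join(base_real, untrusted))
    if os.path.commonpath([base_real, candidate]) != base_real:
        raise ValueError(f"{untrusted!r} escapes {base}")
    return candidate


def accepts(check, base, untrusted):
    """True if `check` lets the path through, False if it raises ValueError."""
    try:
        check(base, untrusted)
        return True
    except ValueError:
        return False


# Constructed inputs: ordinary names, '..' traversal, an absolute path and a
# path through a symlink that points outside the base directory.
CASES = ["feed.rss", "sub/feed.rss", "../outside/feed.rss", "/etc/passwd", "link/feed.rss"]


def run_demo():
    """Build the temporary tree and return {input: (naive accepts, confined accepts)}."""
    with tempfile.TemporaryDirectory() as root:
        base = os.path.join(root, "rss")
        outside = os.path.join(root, "outside")
        os.makedirs(base)
        os.makedirs(outside)
        os.symlink(outside, os.path.join(base, "link"))  # planted escape hatch
        return {c: (accepts(naive_join, base, c), accepts(confined_path, base, c))
                for c in CASES}


if __name__ == "__main__":
    for name, (naive_ok, confined_ok) in run_demo().items():
        print(f"{name:22} naive={'accept' if naive_ok else 'REJECT':7} "
              f"confined={'accept' if confined_ok else 'REJECT'}")
```

The resolution check is only as good as the tree at the moment it runs: a local attacker who can create symlinks under the base directory can still race between the check and the open. Where that matters, open relative to a directory descriptor (`os.open(..., dir_fd=...)` with `O_NOFOLLOW`, or on Linux `openat2()` with `RESOLVE_BENEATH`) so that the kernel enforces the boundary rather than a path string.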

Changes for cups:

- Version upgrade to 2.4.19.

- Version upgrade to 2.4.18.

- Version upgrade to 2.4.17:

* The scheduler followed symbolic links when cleaning out
its temporary directory (Issue #1448)
* Updated `cupsFileGetConf` and `cupsFilePutConf` to escape
more characters.
* Updated man page `cancel` (Issue #984)
* Updated `cupsRasterReadHeader` to validate more of the
page header values (Issue #1501)
* Fixed an issue with the class/printer CGI name checking.
* Fixed infinite loop in `http_write()` on busy print servers
(Issue #827)
* Fixed potential TLS blocking issues (Issue #1128)
* Fixed a job history bug in the scheduler (Issue #1440)
* Fixed notifier logging bug that would result in nul bytes
getting into the log (Issue #1450)
* Fixed possible use-after-free in `cupsdReadClient()`
(Issue #1454)
* Fixed a document format bug in the IPP backend (Issue #1457)
* Fixed DRAIN_OUTPUT race condition (Issue #1461)
* Fixed a bug when then `ippFindXxx` and `ippSetXxx` functions
were mixed.
* Fixed the mapping of supply type keywords to SNMP names.
* Fixed a bug in the IPP backend when SNMP was disabled.
* Fixed a crash bug in the rastertoepson filter.
* Fixed a bug in cgiCheckVariables.
* Fixed handling read/write errors with OpenSSL (Issue #1506)
* Fixed handling rehandshake error in `_httpTLSRead`
(Issue #1508)
* Fixed a debug printf bug on Windows (Issue #1529)
* Fixed a recursion issue with encoding of nested collections
(Issue #1539)
* Fixed parsing of the `LimitRequestBody`, `MaxLogSize`,
and `MaxRequestSize` directives in "cupsd.conf" (Issue #1540)
* Fixed a parsing bug in `ipptool` (Issue #1542)
* Fixed blank line detection in the `rastertolabel` filter
(Issue #1545)
* Fixed `httpPeek` edge case on compressed streams

Patch instructions:

To install this openSUSE security update use the suse recommended installation methods
like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

- openSUSE Leap 16.0

zypper in -t patch openSUSE-Leap-16.0-802=1

Package List:

- openSUSE Leap 16.0:

cups-2.4.19-160000.1.1
cups-client-2.4.19-160000.1.1
cups-config-2.4.19-160000.1.1
cups-ddk-2.4.19-160000.1.1
cups-devel-2.4.19-160000.1.1
libcups2-2.4.19-160000.1.1
libcupsimage2-2.4.19-160000.1.1

References:

* https://www.suse.com/security/cve/CVE-2026-27447.html
* https://www.suse.com/security/cve/CVE-2026-34978.html
* https://www.suse.com/security/cve/CVE-2026-34979.html
* https://www.suse.com/security/cve/CVE-2026-34980.html
* https://www.suse.com/security/cve/CVE-2026-34990.html
* https://www.suse.com/security/cve/CVE-2026-39314.html
* https://www.suse.com/security/cve/CVE-2026-39316.html
* https://www.suse.com/security/cve/CVE-2026-41079.html



openSUSE-SU-2026:20810-1: important: Security update for apache2


openSUSE security update: security update for apache2
-------------------------------------------------------------

Announcement ID: openSUSE-SU-2026:20810-1
Rating: important

Cross-References:

* CVE-2024-42516
* CVE-2024-43204
* CVE-2024-47252
* CVE-2025-23048
* CVE-2025-49630
* CVE-2025-49812
* CVE-2025-53020
* CVE-2025-55753
* CVE-2025-58098
* CVE-2025-59775
* CVE-2025-65082
* CVE-2025-66200

CVSS scores:

* CVE-2024-42516 ( SUSE ): 4 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:L/A:N
* CVE-2024-42516 ( SUSE ): 6.3 CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
* CVE-2024-43204 ( SUSE ): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
* CVE-2024-43204 ( SUSE ): 6.3 CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
* CVE-2024-47252 ( SUSE ): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
* CVE-2024-47252 ( SUSE ): 6.3 CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
* CVE-2025-23048 ( SUSE ): 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
* CVE-2025-23048 ( SUSE ): 7.7 CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
* CVE-2025-49630 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
* CVE-2025-49630 ( SUSE ): 8.2 CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
* CVE-2025-49812 ( SUSE ): 7 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:L
* CVE-2025-49812 ( SUSE ): 8.3 CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:H/VA:L/SC:N/SI:N/SA:N
* CVE-2025-53020 ( SUSE ): 5.9 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
* CVE-2025-53020 ( SUSE ): 8.2 CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
* CVE-2025-55753 ( SUSE ): 6.5 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
* CVE-2025-55753 ( SUSE ): 6 CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
* CVE-2025-58098 ( SUSE ): 6.5 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
* CVE-2025-58098 ( SUSE ): 6 CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
* CVE-2025-65082 ( SUSE ): 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
* CVE-2025-65082 ( SUSE ): 6.8 CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N
* CVE-2025-66200 ( SUSE ): 6.2 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
* CVE-2025-66200 ( SUSE ): 5.7 CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N

Affected Products:

openSUSE Leap 16.0

-------------------------------------------------------------

An update that solves 12 vulnerabilities can now be installed.

Description:

This update for apache2 fixes the following issues:

Changes in apache2:

Version update to 2.4.66 (jsc#PED-16181)

*) SECURITY: CVE-2025-66200: Apache HTTP Server: mod_userdir+suexec
bypass via AllowOverride FileInfo.
mod_userdir+suexec bypass via AllowOverride FileInfo
vulnerability in Apache HTTP Server. Users with access to use
the RequestHeader directive in htaccess can cause some CGI
scripts to run under an unexpected userid.
This issue affects Apache HTTP Server: from 2.4.7 through
2.4.65.
*) SECURITY: CVE-2025-65082: Apache HTTP Server: CGI environment
variable override.
Improper Neutralization of Escape, Meta, or Control Sequences
vulnerability in Apache HTTP Server through environment
variables set via the Apache configuration unexpectedly
superseding variables calculated by the server for CGI programs.
This issue affects Apache HTTP Server from 2.4.0 through 2.4.65.
*) SECURITY: CVE-2025-59775: Apache HTTP Server: NTLM Leakage on
Windows through UNC SSRF.
Server-Side Request Forgery (SSRF) vulnerability in Apache HTTP
Server on Windows with AllowEncodedSlashes On and MergeSlashes Off
allows to potentially leak NTLM hashes to a malicious server via
SSRF and malicious requests or content.
*) SECURITY: CVE-2025-58098: Apache HTTP Server: Server Side
Includes adds query string to #exec cmd=...
Apache HTTP Server 2.4.65 and earlier with Server Side Includes
(SSI) enabled and mod_cgid (but not mod_cgi) passes the
shell-escaped query string to #exec cmd="..." directives.
This issue affects Apache HTTP Server before 2.4.66.
*) SECURITY: CVE-2025-55753: Apache HTTP Server: mod_md (ACME),
unintended retry intervals
An integer overflow in the case of failed ACME certificate
renewal leads, after a number of failures (~30 days in default
configurations), to the backoff timer becoming 0. Attempts to
renew the certificate then are repeated without delays until it
succeeds.
This issue affects Apache HTTP Server: from 2.4.30 before 2.4.66.
*) mod_http2: Fix handling of 304 responses from mod_cache.
*) mod_http2/mod_proxy_http2: fix a bug in calculating the log2 value of
integers, used in push diaries and proxy window size calculations.
*) mod_md: update to version 2.6.5
- New directive `MDInitialDelay`, controlling how long to wait after
a server restart before checking certificates for renewal.
[Michael Kaufmann]
- Hardening: when built with OpenSSL older than 1.0.2 or old libressl
versions, the parsing of ASN.1 time strings did not do a length check.
- Hardening: when reading back OCSP responses stored in the local JSON
store, missing 'valid' key led to uninitialized values, resulting in
wrong refresh behaviour.
*) mod_md: update to version 2.6.6
- Fix a small memory leak when using OpenSSL's BIGNUMs.
- Fix reuse of curl easy handles by resetting them.
*) mod_http2: update to version 2.0.35
New directive `H2MaxStreamErrors` to control how much bad behaviour
by clients is tolerated before the connection is closed.
*) mod_proxy_http2: add support for ProxyErrorOverride directive.
*) mpm_common: Add new ListenTCPDeferAccept directive that allows to specify
the value set for the TCP_DEFER_ACCEPT socket option on listen sockets.
*) mod_ssl: Add SSLVHostSNIPolicy directive to control the virtual
host compatibility policy.
*) mod_md: update to version 2.6.2
- Fix error retry delay calculation to not already double the wait
on the first error.
*) mod_md: update to version 2.6.1
- Increasing default `MDRetryDelay` to 30 seconds to generate less bursty
traffic on errored renewals for the ACME CA. This leads to error retries
of 30s, 1 minute, 2, 4, etc. up to daily attempts.
- Checking that configuring `MDRetryDelay` will result in a positive
duration. A delay of 0 is not accepted.
- Fix a bug in checking Content-Type of responses from the ACME server.
- Added ACME ARI support (RFC 9773) to the module. Enabled by default. New
directive "MDRenewViaARI on|off" for controlling this.
- Removing tailscale support. It has not been working for a long time
as the company decided to change their APIs. Away with the dead code,
documentation and tests.
- Fixed a compilation issue with pre-industrial versions of libcurl.

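The two CGI-related fixes above share one precondition that an operator can look for directly: CVE-2025-66200 needs a server configuration that grants `AllowOverride FileInfo` (or `All`, or `AllowOverrideList RequestHeader`) so that a `.htaccess` file may use `RequestHeader`, and it is triggered by a `.htaccess` that actually does so. The POSIX shell script below is an added example written for this page, not code from SUSE or the Apache project; it only inspects configuration text and neither tests nor triggers the flaw. The default directories it scans (/etc/apache2 and /srv/www) and the constructed demo tree it builds when run without arguments are assumptions, not values taken from the advisory.

```shell
#!/bin/sh
# Added example, not from the SUSE advisory or the Apache project: locate the
# configuration preconditions the advisory names for CVE-2025-66200.

# find_fileinfo_overrides CONFDIR
# Print "file:line" for every AllowOverride directive that grants FileInfo or
# All, or an AllowOverrideList that grants RequestHeader: the override classes
# that let a .htaccess file use RequestHeader. Commented-out lines are skipped.
find_fileinfo_overrides() {
    grep -rniE '^[[:space:]]*(AllowOverride[[:space:]]+.*(FileInfo|All)([[:space:]]|$)|AllowOverrideList[[:space:]]+.*RequestHeader)' \
        "$1" 2>/dev/null | cut -d: -f1,2
}

# find_requestheader_htaccess DOCROOT
# Print every .htaccess below DOCROOT that contains a RequestHeader directive,
# the directive the advisory names as the vector.
find_requestheader_htaccess() {
    find "$1" -type f -name .htaccess \
        -exec grep -liE '^[[:space:]]*RequestHeader[[:space:]]' {} + 2>/dev/null || :
}

# cve_2025_66200_exposure CONFDIR DOCROOT
# "exposed": an override is granted and a .htaccess already uses RequestHeader.
# "override-granted": the override is granted but no .htaccess uses it yet; any
#   user who can write a .htaccess can still add one, so patch or tighten
#   AllowOverride anyway.
# "not-exposed": no directive grants the override.
cve_2025_66200_exposure() {
    overrides=$(find_fileinfo_overrides "$1")
    htaccess=$(find_requestheader_htaccess "$2")
    if [ -z "$overrides" ]; then
        echo not-exposed
    elif [ -n "$htaccess" ]; then
        echo exposed
    else
        echo override-granted
    fi
}

# make_demo_tree DIR
# Build a constructed config directory and document root under DIR so the
# script can be exercised offline. Nothing here comes from a real host.
make_demo_tree() {
    mkdir -p "$1/conf/vhosts.d" "$1/docroot/~alice" "$1/docroot/~bob"
    cat >"$1/conf/vhosts.d/userdir.conf" <<'EOF'
# constructed vhost fragment for the demo; the commented directive must not match
# AllowOverride All
<Directory /srv/www/home/*/public_html>
    AllowOverride FileInfo Indexes
    Options ExecCGI
</Directory>
<Directory /srv/www/htdocs>
    AllowOverride None
</Directory>
EOF
    cat >"$1/docroot/~alice/.htaccess" <<'EOF'
# constructed: RequestHeader is the directive the advisory names as the vector
RequestHeader set X-Demo "1"
EOF
    cat >"$1/docroot/~bob/.htaccess" <<'EOF'
Options -Indexes
EOF
}

# Stand-alone run: audit CONFDIR and DOCROOT when both are given (for example
# /etc/apache2 /srv/www on openSUSE); otherwise run against the demo tree.
if [ $# -eq 2 ]; then
    cve_2025_66200_exposure "$1" "$2"
else
    demo=$(mktemp -d)
    make_demo_tree "$demo"
    echo "Directives granting the override:"; find_fileinfo_overrides "$demo/conf"
    echo ".htaccess files using RequestHeader:"; find_requestheader_htaccess "$demo/docroot"
    cve_2025_66200_exposure "$demo/conf" "$demo/docroot"
    rm -rf "$demo"
fi
```

The result "override-granted" is the one to act on before the patch lands: either install the 2.4.66 packages or reduce AllowOverride on suexec-enabled user directories to a class that excludes FileInfo.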
Patch instructions:

To install this openSUSE security update use the SUSE-recommended installation methods
like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

- openSUSE Leap 16.0

zypper in -t patch openSUSE-Leap-16.0-800=1

Package List:

- openSUSE Leap 16.0:

apache2-2.4.66-160000.1.1
apache2-devel-2.4.66-160000.1.1
apache2-event-2.4.66-160000.1.1
apache2-manual-2.4.66-160000.1.1
apache2-prefork-2.4.66-160000.1.1
apache2-utils-2.4.66-160000.1.1
apache2-worker-2.4.66-160000.1.1
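After `zypper patch` has run, the fix can be confirmed by comparing the installed name-version-release (NVR) of each package with the Package List above. The POSIX shell script below is an added example written for this page, not SUSE tooling: it splits NVRs from the right (package names such as apache2-utils contain hyphens themselves), orders version-release strings with `sort -V`, and reports each advisory package as patched, vulnerable or not-installed. Using `sort -V` as a stand-in for rpm's own comparison, and the constructed inventory used when `rpm` is not available, are assumptions; on a real openSUSE host `zypper versioncmp` gives the authoritative answer for any two version strings.

```shell
#!/bin/sh
# Added example, not from the SUSE advisory: check an installed package
# inventory against the fixed NVRs in an advisory's "Package List".

# split_nvr NAME-VERSION-RELEASE -> prints "NAME VERSION-RELEASE".
# Names may contain '-', but version and release never do, so split from the right.
split_nvr() {
    rel=${1##*-}
    rest=${1%-*}
    ver=${rest##*-}
    name=${rest%-*}
    printf '%s %s-%s\n' "$name" "$ver" "$rel"
}

# vr_lt A B -> true when version-release A is older than B.
# sort -V approximates rpmvercmp; it ignores epochs and rpm's tilde/caret rules,
# so use `zypper vcmp A B` on a real host when the two disagree.
vr_lt() {
    [ "$1" != "$2" ] && [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$1" ]
}

# audit FIXED_LIST INSTALLED_LIST
# FIXED_LIST: advisory NVRs, one per line.
# INSTALLED_LIST: output of  rpm -qa --qf '%{NAME}-%{VERSION}-%{RELEASE}\n'
#   (no arch suffix, so the lines split the same way as the advisory's).
# Prints "NAME STATUS INSTALLED FIXED" per advisory package; STATUS is
# vulnerable, patched or not-installed. Multiversion packages (kernels) would
# need all installed versions checked; this keeps the last one seen.
audit() {
    fixed_list=$1; installed_list=$2
    while IFS= read -r fixed; do
        [ -n "$fixed" ] || continue
        set -- $(split_nvr "$fixed"); name=$1; want=$2
        have=
        while IFS= read -r inst; do
            [ -n "$inst" ] || continue
            set -- $(split_nvr "$inst")
            if [ "$1" = "$name" ]; then have=$2; fi
        done <"$installed_list"
        if [ -z "$have" ]; then
            status=not-installed
        elif vr_lt "$have" "$want"; then
            status=vulnerable
        else
            status=patched
        fi
        printf '%s %s %s %s\n' "$name" "$status" "${have:--}" "$want"
    done <"$fixed_list"
}

# Stand-alone run: the apache2, trivy and bubblewrap NVRs from this page against
# the live rpm database when rpm exists, otherwise against a constructed inventory.
demo() {
    tmp=$(mktemp -d)
    cat >"$tmp/fixed" <<'EOF'
apache2-2.4.66-160000.1.1
apache2-prefork-2.4.66-160000.1.1
apache2-utils-2.4.66-160000.1.1
trivy-0.70.0-160000.1.1
bubblewrap-0.11.0-160000.3.1
EOF
    if command -v rpm >/dev/null 2>&1; then
        rpm -qa --qf '%{NAME}-%{VERSION}-%{RELEASE}\n' >"$tmp/installed"
    else
        # constructed inventory for offline use; the pre-fix release numbers are illustrative
        cat >"$tmp/installed" <<'EOF'
apache2-2.4.65-160000.1.1
apache2-prefork-2.4.66-160000.1.1
trivy-0.68.2-160000.1.1
bubblewrap-0.11.0-160000.3.1
EOF
    fi
    audit "$tmp/fixed" "$tmp/installed"
    rm -rf "$tmp"
}
demo
```

A "patched" line only proves the files on disk are new; `zypper ps -s` lists processes still running binaries that were replaced, which is the restart check the apache2 and xen updates need.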

References:

* https://www.suse.com/security/cve/CVE-2024-42516.html
* https://www.suse.com/security/cve/CVE-2024-43204.html
* https://www.suse.com/security/cve/CVE-2024-47252.html
* https://www.suse.com/security/cve/CVE-2025-23048.html
* https://www.suse.com/security/cve/CVE-2025-49630.html
* https://www.suse.com/security/cve/CVE-2025-49812.html
* https://www.suse.com/security/cve/CVE-2025-53020.html
* https://www.suse.com/security/cve/CVE-2025-55753.html
* https://www.suse.com/security/cve/CVE-2025-58098.html
* https://www.suse.com/security/cve/CVE-2025-59775.html
* https://www.suse.com/security/cve/CVE-2025-65082.html
* https://www.suse.com/security/cve/CVE-2025-66200.html



openSUSE-SU-2026:20809-1: important: Security update for trivy


openSUSE security update: security update for trivy
-------------------------------------------------------------

Announcement ID: openSUSE-SU-2026:20809-1
Rating: important
References:

* bsc#1255366
* bsc#1258094
* bsc#1258513
* bsc#1260193
* bsc#1260971
* bsc#1261052
* bsc#1262389
* bsc#1262893
* bsc#1264873

Cross-References:

* CVE-2025-64702
* CVE-2025-69725
* CVE-2026-25934
* CVE-2026-33186
* CVE-2026-33747
* CVE-2026-33748
* CVE-2026-34986
* CVE-2026-39984
* CVE-2026-41506

CVSS scores:

* CVE-2025-64702 ( SUSE ): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
* CVE-2025-64702 ( SUSE ): 6.9 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
* CVE-2025-69725 ( SUSE ): 6.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
* CVE-2025-69725 ( SUSE ): 2.3 CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:L/VA:N/SC:L/SI:N/SA:N
* CVE-2026-25934 ( SUSE ): 4.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
* CVE-2026-25934 ( SUSE ): 5.3 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
* CVE-2026-33186 ( SUSE ): 8.1 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
* CVE-2026-33186 ( SUSE ): 8.6 CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
* CVE-2026-33747 ( SUSE ): 8.4 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
* CVE-2026-33747 ( SUSE ): 8.6 CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
* CVE-2026-33748 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
* CVE-2026-33748 ( SUSE ): 8.2 CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
* CVE-2026-34986 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
* CVE-2026-34986 ( SUSE ): 8.7 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
* CVE-2026-39984 ( SUSE ): 5.5 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
* CVE-2026-39984 ( SUSE ): 6.8 CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N
* CVE-2026-41506 ( SUSE ): 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
* CVE-2026-41506 ( SUSE ): 7.1 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Affected Products:

openSUSE Leap 16.0

-------------------------------------------------------------

An update that solves 9 vulnerabilities and has 9 bug fixes can now be installed.

Description:

This update for trivy fixes the following issues:

- CVE-2025-64702: github.com/quic-go/quic-go/http3: quic-go HTTP/3 QPACK Header Expansion DoS (bsc#1255366).
- CVE-2025-69725: github.com/go-chi/chi/v5: incorrect input validation in the RedirectSlashes function can lead to an
open redirect (bsc#1258513).
- CVE-2026-25934: github.com/go-git/go-git/v5: improper verification of data integrity values for .pack and .idx files
can lead to the consumption of corrupted files (bsc#1258094).
- CVE-2026-33186: google.golang.org/grpc: authorization bypass due to improper validation of the HTTP/2 :path pseudo-
header (bsc#1260193).
- CVE-2026-33747: github.com/moby/buildkit: malicious frontends can craft API messages that cause files to be written
outside of the BuildKit state directory (bsc#1260971).
- CVE-2026-33748: github.com/moby/buildkit: insufficient validation of Git URL fragment subdir components may allow
access to files outside the checked-out Git repository (bsc#1261052).
- CVE-2026-34986: github.com/go-jose/go-jose/v4: crafted JWE input with a missing encrypted key can lead to a denial of
service (bsc#1262893).
- CVE-2026-39984: github.com/sigstore/timestamp-authority/v2/pkg/verification: improper certificate validation can be
used to bypass some authorization controls (bsc#1262389).
- CVE-2026-41506: github.com/go-git/go-git/v5: HTTP authentication credential leak when following redirects during
smart-HTTP clone and fetch operations (bsc#1264873).

Changes for trivy:

- Updated go-git to 5.18.0.
- Updated to version 0.70.0.

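Every CVE in this update lives in a Go dependency rather than in trivy's own code, so the rpm version alone does not show which library versions were actually linked into the binary. A Go binary carries that record in its build info, which `go version -m BINARY` prints as one tab-separated `dep MODULE VERSION HASH` line per dependency; a following `=> PATH VERSION HASH` line marks a replace directive, the mechanism behind the aqua forks mentioned in the second trivy changelog on this page. The POSIX shell script below is an added example for this page, not Aqua Security or SUSE tooling: it parses a saved dump of that output and flags modules below a minimum version. The only fixed dependency version this advisory states is go-git 5.18.0, so that is the check the demo performs; the build-info sample is constructed, and its pre-fix version numbers are illustrative rather than trivy's real dependency set.

```shell
#!/bin/sh
# Added example, not from SUSE or the Trivy project: report which module
# versions a Go binary embeds, from the build info `go version -m BINARY` prints.

# embedded_version BUILDINFO MODULE
# Print the version of MODULE recorded in BUILDINFO (a saved `go version -m`
# dump), or nothing when it is absent. awk's default field splitting accepts
# both the real tab-separated output and the space-indented sample below. A
# "=> path version hash" line right after the match wins, because the
# replacement is the code that was actually linked; compare such a version
# against the fork's fixed release, not upstream's.
embedded_version() {
    awk -v mod="$2" '
        found && $1 == "=>" { v = $3 }
        found { print v; done = 1; exit }
        ($1 == "mod" || $1 == "dep") && $2 == mod { v = $3; found = 1 }
        END { if (found && !done) print v }
    ' "$1"
}

# version_lt A B -> true when module version A sorts before B. sort -V orders
# "v5.16.0" before "v5.18.0"; pseudo-versions (v0.0.0-2024...) sort below any
# tagged release, which is the conservative direction for this check.
version_lt() {
    [ "$1" != "$2" ] && [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$1" ]
}

# check_min BUILDINFO MODULE MINVERSION -> "MODULE VERSION status",
# where status is below-fix, ok or absent.
check_min() {
    have=$(embedded_version "$1" "$2")
    if [ -z "$have" ]; then
        printf '%s - absent\n' "$2"
    elif version_lt "$have" "$3"; then
        printf '%s %s below-fix\n' "$2" "$have"
    else
        printf '%s %s ok\n' "$2" "$have"
    fi
}

# write_demo_buildinfo FILE
# Constructed stand-in for `go version -m /usr/bin/trivy` taken from a pre-fix
# build; module versions are illustrative, hashes are placeholders.
write_demo_buildinfo() {
    cat >"$1" <<'EOF'
/usr/bin/trivy: go1.24.0
        path    github.com/aquasecurity/trivy/cmd/trivy
        mod     github.com/aquasecurity/trivy   v0.68.2 h1:constructed
        dep     github.com/go-git/go-git/v5     v5.16.0 h1:constructed
        dep     example.com/upstream/lib        v1.2.0  h1:constructed
        =>      example.com/fork/lib    v1.2.1  h1:constructed
        dep     golang.org/x/crypto     v0.45.0 h1:constructed
        build   -buildmode=exe
EOF
}

# Stand-alone run: `sh check-deps.sh /usr/bin/trivy` reads the real binary
# (needs a Go toolchain); with no argument the constructed sample is used.
bi=$(mktemp)
if [ -n "${1:-}" ]; then
    go version -m "$1" >"$bi"
else
    write_demo_buildinfo "$bi"
fi
check_min "$bi" github.com/aquasecurity/trivy v0.70.0
check_min "$bi" github.com/go-git/go-git/v5 v5.18.0
check_min "$bi" example.com/upstream/lib v1.2.1
rm -f "$bi"
```

For the other seven CVEs the advisory does not name the fixed dependency release, so the corresponding minimum versions have to come from the upstream Go vulnerability database entry before this check can be extended to them.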
Patch instructions:

To install this openSUSE security update use the SUSE-recommended installation methods
like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

- openSUSE Leap 16.0

zypper in -t patch openSUSE-Leap-16.0-759=1

Package List:

- openSUSE Leap 16.0:

trivy-0.70.0-160000.1.1

References:

* https://www.suse.com/security/cve/CVE-2025-64702.html
* https://www.suse.com/security/cve/CVE-2025-69725.html
* https://www.suse.com/security/cve/CVE-2026-25934.html
* https://www.suse.com/security/cve/CVE-2026-33186.html
* https://www.suse.com/security/cve/CVE-2026-33747.html
* https://www.suse.com/security/cve/CVE-2026-33748.html
* https://www.suse.com/security/cve/CVE-2026-34986.html
* https://www.suse.com/security/cve/CVE-2026-39984.html
* https://www.suse.com/security/cve/CVE-2026-41506.html



openSUSE-SU-2026:20811-1: important: Security update for bubblewrap


openSUSE security update: security update for bubblewrap
-------------------------------------------------------------

Announcement ID: openSUSE-SU-2026:20811-1
Rating: important
References:

* bsc#1263113

Cross-References:

* CVE-2026-41163

CVSS scores:

* CVE-2026-41163 ( SUSE ): 7 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
* CVE-2026-41163 ( SUSE ): 7.3 CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Affected Products:

openSUSE Leap 16.0

-------------------------------------------------------------

An update that solves one vulnerability and has one bug fix can now be installed.

Description:

This update for bubblewrap fixes the following issue:

- CVE-2026-41163: improper process attachment via ptrace can lead to arbitrary privileged operations and local root
escalation (bsc#1263113).

Patch instructions:

To install this openSUSE security update use the SUSE-recommended installation methods
like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

- openSUSE Leap 16.0

zypper in -t patch openSUSE-Leap-16.0-801=1

Package List:

- openSUSE Leap 16.0:

bubblewrap-0.11.0-160000.3.1
bubblewrap-zsh-completion-0.11.0-160000.3.1

References:

* https://www.suse.com/security/cve/CVE-2026-41163.html



openSUSE-SU-2026:20803-1: moderate: Security update for patterns-glibc-hwcaps


openSUSE security update: security update for patterns-glibc-hwcaps
-------------------------------------------------------------

Announcement ID: openSUSE-SU-2026:20803-1
Rating: moderate

Affected Products:

openSUSE Leap 16.0

-------------------------------------------------------------

An update that solves various issues can now be installed.

Description:

This update for patterns-glibc-hwcaps fixes the following issues:

The pattern is moved from PackageHub to regular SLES.

It requires packages for the x86_64 v3 architecture and is automatically
pulled in when this architecture is present.

These packages are optimized for the x86_64 v3 architecture to increase performance.

Patch instructions:

To install this openSUSE security update use the SUSE-recommended installation methods
like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

- openSUSE Leap 16.0

zypper in -t patch openSUSE-Leap-16.0-494=1

Package List:

- openSUSE Leap 16.0:

patterns-glibc-hwcaps-x86_64_v3-20230201-160000.1.1



openSUSE-SU-2026:20798-1: important: Security update for trivy


openSUSE security update: security update for trivy
-------------------------------------------------------------

Announcement ID: openSUSE-SU-2026:20798-1
Rating: important
References:

* bsc#1227010
* bsc#1232948
* bsc#1234512
* bsc#1235265
* bsc#1237618
* bsc#1239225
* bsc#1239385
* bsc#1240466
* bsc#1241724
* bsc#1243633
* bsc#1246151
* bsc#1246730
* bsc#1248897
* bsc#1248937
* bsc#1250625
* bsc#1251363
* bsc#1251547
* bsc#1253512
* bsc#1253786
* bsc#1253977

Cross-References:

* CVE-2024-3817
* CVE-2024-45337
* CVE-2024-45338
* CVE-2024-51744
* CVE-2025-11065
* CVE-2025-21613
* CVE-2025-21614
* CVE-2025-22868
* CVE-2025-22869
* CVE-2025-22872
* CVE-2025-27144
* CVE-2025-30204
* CVE-2025-46569
* CVE-2025-47291
* CVE-2025-47911
* CVE-2025-47913
* CVE-2025-47914
* CVE-2025-53547
* CVE-2025-58058
* CVE-2025-58181
* CVE-2025-58190

CVSS scores:

* CVE-2024-45337 ( SUSE ): 8.1 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
* CVE-2024-45338 ( SUSE ): 5.9 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
* CVE-2024-45338 ( SUSE ): 8.2 CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
* CVE-2024-51744 ( SUSE ): 3.1 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N
* CVE-2024-51744 ( SUSE ): 2.1 CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:A/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
* CVE-2025-11065 ( SUSE ): 4.5 CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:N/A:N
* CVE-2025-11065 ( SUSE ): 5.7 CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
* CVE-2025-21613 ( SUSE ): 8.1 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
* CVE-2025-22868 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
* CVE-2025-22868 ( SUSE ): 8.7 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
* CVE-2025-22869 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
* CVE-2025-22869 ( SUSE ): 8.2 CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
* CVE-2025-22872 ( SUSE ): 6.5 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:L
* CVE-2025-22872 ( SUSE ): 6.3 CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:L/SC:L/SI:L/SA:L
* CVE-2025-27144 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
* CVE-2025-27144 ( SUSE ): 8.7 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
* CVE-2025-30204 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
* CVE-2025-30204 ( SUSE ): 8.7 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
* CVE-2025-46569 ( SUSE ): 8.3 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L
* CVE-2025-46569 ( SUSE ): 7.6 CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N
* CVE-2025-47291 ( SUSE ): 6.2 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
* CVE-2025-47291 ( SUSE ): 6.9 CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
* CVE-2025-47911 ( SUSE ): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
* CVE-2025-47911 ( SUSE ): 6.9 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
* CVE-2025-47913 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
* CVE-2025-47913 ( SUSE ): 8.7 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
* CVE-2025-47914 ( SUSE ): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
* CVE-2025-47914 ( SUSE ): 6.9 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
* CVE-2025-53547 ( SUSE ): 8.5 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:L/I:H/A:H
* CVE-2025-53547 ( SUSE ): 8.4 CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:L/VI:H/VA:H/SC:L/SI:H/SA:H
* CVE-2025-58058 ( SUSE ): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
* CVE-2025-58058 ( SUSE ): 6.9 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
* CVE-2025-58181 ( SUSE ): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
* CVE-2025-58181 ( SUSE ): 6.9 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
* CVE-2025-58190 ( SUSE ): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
* CVE-2025-58190 ( SUSE ): 6.9 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N

Affected Products:

openSUSE Leap 16.0

-------------------------------------------------------------

An update that solves 21 vulnerabilities and has 20 bug fixes can now be installed.

Description:

This update for trivy fixes the following issues:

Update to version 0.68.2:

Security fixes:

- CVE-2024-3817: hashicorp/go-getter: argument injection when fetching remote default git branches (bsc#1227010).
- CVE-2024-45337: golang.org/x/crypto/ssh: Misuse of ServerConfig.PublicKeyCallback may cause authorization bypass in golang.org/x/crypto (bsc#1234512).
- CVE-2024-45338: golang.org/x/net/html: denial of service due to non-linear parsing of case-insensitive content (bsc#1235265).
- CVE-2024-51744: github.com/golang-jwt/jwt/v4: Bad documentation of error handling in ParseWithClaims can lead to potentially dangerous situations in golang-jwt (bsc#1232948).
- CVE-2025-11065: github.com/go-viper/mapstructure/v2: sensitive Information leak in logs (bsc#1250625).
- CVE-2025-22868: golang.org/x/oauth2/jws: Unexpected memory consumption during token parsing in golang.org/x/oauth2 (bsc#1239225).
- CVE-2025-22869: golang.org/x/crypto/ssh: Denial of Service in the Key Exchange of golang.org/x/crypto/ssh (bsc#1239385).
- CVE-2025-22872: golang.org/x/net/html: incorrectly interpreted tags can cause content to be placed in the wrong scope during DOM construction (bsc#1241724).
- CVE-2025-27144: gopkg.in/go-jose/go-jose.v2: Go JOSE's Parsing Vulnerable to Denial of Service (bsc#1237618).
- CVE-2025-30204: github.com/golang-jwt/jwt/v4,github.com/golang-jwt/jwt/v5: jwt-go allows excessive memory allocation during header parsing (bsc#1240466).
- CVE-2025-46569: github.com/open-policy-agent/opa: HTTP request path can be crafted to inject Rego code into a constructed query when a virtual document is requested through the Data API (bsc#1246730).
- CVE-2025-47291: github.com/containerd/containerd/v2: Incorrect cgroup hierarchy assignment for containers running in usernamespaced Kubernetes pods (bsc#1243633).
- CVE-2025-47911: golang.org/x/net/html: various algorithms with quadratic complexity when parsing HTML documents (bsc#1251363).
- CVE-2025-47913: golang.org/x/crypto/ssh/agent: client process termination when receiving an unexpected message type in response to a key listing or signing request (bsc#1253512).
- CVE-2025-47914: golang.org/x/crypto/ssh/agent: non-validated message size can cause a panic due to an out of bounds read (bsc#1253977).
- CVE-2025-53547: helm.sh/helm/v3: Helm Chart Code Execution (bsc#1246151).
- CVE-2025-58058: github.com/ulikunitz/xz: github.com/ulikunitz/xz leaks memory (bsc#1248937, bsc#1248897).
- CVE-2025-58181: golang.org/x/crypto/ssh: unvalidated number of mechanisms can cause unbounded memory consumption (bsc#1253786).
- CVE-2025-58190: golang.org/x/net/html: excessive memory consumption by `html.ParseFragment` when processing specially crafted input (bsc#1251547).

Other fixes:

- Update installation.md (#8979)
- chore(alpine): add EOL date for Alpine 3.21 (#8221)
- chore(alpine): add EOL date for Alpine 3.22 (#8992)
- chore(cli): Remove Trivy Cloud (#9847)
- chore(deps): Bump trivy-checks (#7819)
- chore(deps): Bump trivy-checks (#8310)
- chore(deps): Bump trivy-checks (#8619)
- chore(deps): Bump trivy-checks (#8934)
- chore(deps): Bump trivy-checks to v1.7.1 (#8467)
- chore(deps): Bump up trivy-checks to v1.3.0 (#7959)
- chore(deps): Switch to go-viper/mapstructure (#9579)
- chore(deps): Update trivy-checks (#8798)
- chore(deps): Upgrade trivy-checks (#8018)
- chore(deps): bump Go to `v1.23.5` (#8341)
- chore(deps): bump Go to `v1.23.5` [backport: release/v0.59] (#8343)
- chore(deps): bump `github.com/CycloneDX/cyclonedx-go` from `v0.9.1` to `v0.9.2` (#8105)
- chore(deps): bump `github.com/CycloneDX/cyclonedx-go` from `v0.9.1` to `v0.9.2` [backport: release/v0.58] (#8136)
- chore(deps): bump `golang.org/x/net` from `v0.32.0` to `v0.33.0` (#8140)
- chore(deps): bump `golang.org/x/net` from `v0.32.0` to `v0.33.0` [backport: release/v0.58] (#8142)
- chore(deps): bump alpine from 3.20.0 to 3.21.0 in the docker group across 1 directory (#8196)
- chore(deps): bump alpine from 3.21.0 to 3.21.3 in the docker group across 1 directory (#8490)
- chore(deps): bump alpine from 3.21.4 to 3.22.1 (#9301)
- chore(deps): bump github.com/containerd/containerd from 1.7.28 to 1.7.29 (#9764)
- chore(deps): bump github.com/containerd/containerd/v2 from 2.1.0 to 2.1.1 (#8901)
- chore(deps): bump github.com/containerd/containerd/v2 from 2.1.4 to 2.1.5 (#9763)
- chore(deps): bump github.com/docker/docker from 28.3.2+incompatible to 28.3.3+incompatible (#9274)
- chore(deps): bump github.com/go-jose/go-jose/v4 from 4.0.4 to 4.0.5 (#8443)
- chore(deps): bump github.com/go-viper/mapstructure/v2 from 2.2.1 to 2.3.0 (#9088)
- chore(deps): bump github.com/golang-jwt/jwt/v4 from 4.5.0 to 4.5.1 (#7868)
- chore(deps): bump github.com/golang-jwt/jwt/v4 from 4.5.1 to 4.5.2 (#8597)
- chore(deps): bump github.com/moby/buildkit from 0.17.0 to 0.17.2 in the docker group across 1 directory (#7990)
- chore(deps): bump github.com/moby/buildkit from 0.17.2 to 0.18.0 in the docker group (#8029)
- chore(deps): bump github.com/opencontainers/selinux from 1.12.0 to 1.13.0 (#9778)
- chore(deps): bump github.com/quic-go/quic-go from 0.52.0 to 0.54.1 (#9694)
- chore(deps): bump github.com/ulikunitz/xz from 0.5.12 to 0.5.14 (#9403)
- chore(deps): bump golang.org/x/crypto from 0.30.0 to 0.31.0 (#8103)
- chore(deps): bump golang.org/x/crypto from 0.30.0 to 0.31.0 [backport: release/v0.58] (#8122)
- chore(deps): bump golang.org/x/crypto from 0.41.0 to 0.45.0 (#9827)
- chore(deps): bump golang.org/x/sync from 0.13.0 to 0.14.0 in the common group (#8822)
- chore(deps): bump golangci-lint to v2.1.2 (#8766)
- chore(deps): bump helm.sh/helm/v3 from 3.18.3 to 3.18.4 (#9164)
- chore(deps): bump the aws group across 1 directory with 5 updates (#8652)
- chore(deps): bump the aws group across 1 directory with 6 updates (#8074)
- chore(deps): bump the aws group across 1 directory with 6 updates (#8163)
- chore(deps): bump the aws group across 1 directory with 7 updates (#7991)
- chore(deps): bump the aws group across 1 directory with 7 updates (#8468)
- chore(deps): bump the aws group with 6 updates (#7902)
- chore(deps): bump the aws group with 6 updates (#9383)
- chore(deps): bump the aws group with 6 updates (#9481)
- chore(deps): bump the aws group with 6 updates (#9547)
- chore(deps): bump the aws group with 7 updates (#8299)
- chore(deps): bump the aws group with 7 updates (#9311)
- chore(deps): bump the aws group with 7 updates (#9419)
- chore(deps): bump the aws group with 7 updates (#9691)
- chore(deps): bump the common group across 1 directory with 10 updates (#8566)
- chore(deps): bump the common group across 1 directory with 10 updates (#8817)
- chore(deps): bump the common group across 1 directory with 10 updates [backport: release/v0.62] (#8831)
- chore(deps): bump the common group across 1 directory with 11 updates (#8381)
- chore(deps): bump the common group across 1 directory with 13 updates (#8491)
- chore(deps): bump the common group across 1 directory with 14 updates (#8126)
- chore(deps): bump the common group across 1 directory with 20 updates (#7876)
- chore(deps): bump the common group across 1 directory with 20 updates (#9840)
- chore(deps): bump the common group across 1 directory with 23 updates (#8733)
- chore(deps): bump the common group across 1 directory with 24 updates (#9228)
- chore(deps): bump the common group across 1 directory with 24 updates (#9507)
- chore(deps): bump the common group across 1 directory with 26 updates (#9063)
- chore(deps): bump the common group across 1 directory with 26 updates (#9347)
- chore(deps): bump the common group across 1 directory with 29 updates (#8261)
- chore(deps): bump the common group across 1 directory with 7 updates (#9590)
- chore(deps): bump the common group across 1 directory with 9 updates (#8887)
- chore(deps): bump the common group across 1 directory with 9 updates (#9153)
- chore(deps): bump the common group with 12 updates (#8301)
- chore(deps): bump the common group with 4 updates (#7949)
- chore(deps): bump the common group with 6 updates (#7904)
- chore(deps): bump the common group with 6 updates (#8162)
- chore(deps): bump the common group with 6 updates (#8411)
- chore(deps): bump the common group with 7 updates (#9382)
- chore(deps): bump the docker group across 1 directory with 3 updates (#8127)
- chore(deps): bump the docker group across 1 directory with 3 updates (#8762)
- chore(deps): bump the docker group with 3 updates (#9545)
- chore(deps): bump the docker group with 3 updates (#9776)
- chore(deps): bump the github-actions group across 1 directory with 2 updates (#7854)
- chore(deps): bump the github-actions group across 1 directory with 2 updates (#8962)
- chore(deps): bump the github-actions group across 1 directory with 4 updates (#8331)
- chore(deps): bump the github-actions group across 1 directory with 9 updates (#9563)
- chore(deps): bump the github-actions group with 3 updates (#8473)
- chore(deps): bump the github-actions group with 4 updates (#9739)
- chore(deps): bump the testcontainers group with 2 updates (#8650)
- chore(deps): bump the testcontainers group with 2 updates (#9506)
- chore(deps): bump to alpine from `3.21.3` to `3.21.4` (#9283)
- chore(deps): bump up Trivy-kubernetes to v0.9.1 (#9214)
- chore(deps): remove missed replace of `trivy-db` (#8492)
- chore(deps): update Docker to v28.2.2 and fix compatibility issues (#9037)
- chore(deps): update Go to 1.24 and switch to go-version-file (#8388)
- chore(deps): update csaf module dependency from csaf-poc to gocsaf (#7992)
- chore(deps): update go-rustaudit location (#8450)
- chore(deps): update to module-compatible docker-credential-gcr/v2 (#9591)
- chore(deps): use aqua forks for `github.com/liamg/jfather` and `github.com/liamg/iamgo` (#8289)
- chore(k8s): enhance k8s scan log (#6997)
- chore(k8s): update comments with deprecated command format (#8964)
- chore(license): add missed spdx exceptions: (#9147)
- chore(secret): add reported issues related to secrets in junit template (#8193)
- chore(terraform): add accessors to underlying raw hcl values (#8306)
- chore(terraform): assign *terraform.Module 'parent' field (#8444)
- chore(terraform): export module path on terraform modules (#8374)
- chore(terraform): option to pass in instanced logger (#8738)
- chore(terraform): remove os.OpenPath call from terraform file functions (#8737)
- chore(vex): suppress CVE-2024-45337 (#8101)
- chore(vex): suppress CVE-2024-45338 (#8137)
- chore: Update release flow to include chocolatey (#9460)
- chore: Update release workflow to trigger version updates (#9162)
- chore: add an issue template for maintainers (#8838)
- chore: add context to the cache interface (#9565)
- chore: add debug log to show image source location (#9163)
- chore: add modernize tool integration for code modernization (#9251)
- chore: bump Go to 1.24.7 (#9435)
- chore: bump `mockery` to update v2.52.2 version and rebuild mock files (#8390)
- chore: bump containerd to v2.0.0 (#7875)
- chore: bump go to 1.23.4 (#8123)
- chore: bump golangci-lint to v1.61.0 (#7853)
- chore: bump up Go version to 1.24.4 (#9031)
- chore: downgrade the failed block expand message to debug (#7964)
- chore: drop FreeBSD 32-bit support (#9102)
- chore: enable int-conversion from perfsprint (#8194)
- chore: enable staticcheck (#8815)
- chore: fix errors and typos in docs (#8963)
- chore: fix some function names in comment (#9314)
- chore: implement process-safe temp file cleanup (#9241)
- chore: lint `errors.Join` (#7845)
- chore: migrate protoc setup from Docker to buf CLI (#9184)
- chore: remove Go checks (#7907)
- chore: remove aws iam related scripts (#8179)
- chore: remove debug prints (#8347)
- chore: remove mockery (#8417)
- chore: replace deprecated tenv linter with usetesting (#8504)
- chore: trigger the trivy-www workflow (#9737)
- chore: typo fix to replace `rego` with `repo` on the RepoFlagGroup options error output (#8643)
- chore: update Docker lib (#8681)
- chore: update code owners (#8303)
- chore: update template URL for brew formula (#9221)
- chore: update the rpm download Update (#9202)
- chore: use go.mod for managing Go tools (#8493)
- chore: use require.ErrorContains when possible (#8291)
- ci(deps): add 3-day cooldown period for Dependabot updates (#9475)
- ci(helm): auto public Helm chart after PR merged (#7526)
- ci(helm): bump Trivy version to 0.57.1 for Trivy Helm Chart 0.9.0 (#7945)
- ci(helm): bump Trivy version to 0.58.0 for Trivy Helm Chart 0.10.0 (#8038)
- ci(helm): bump Trivy version to 0.58.1 for Trivy Helm Chart 0.10.0 (#8170)
- ci(helm): bump Trivy version to 0.59.0 for Trivy Helm Chart 0.11.0 (#8311)
- ci(helm): bump Trivy version to 0.59.1 for Trivy Helm Chart 0.11.1 (#8354)
- ci(helm): bump Trivy version to 0.60.0 for Trivy Helm Chart 0.12.0 (#8494)
- ci(helm): bump Trivy version to 0.61.0 for Trivy Helm Chart 0.13.0 (#8638)
- ci(helm): bump Trivy version to 0.61.1 for Trivy Helm Chart 0.13.1 (#8753)
- ci(helm): bump Trivy version to 0.62.0 for Trivy Helm Chart 0.14.0 (#8802)
- ci(helm): bump Trivy version to 0.62.1 for Trivy Helm Chart 0.14.1 (#8836)
- ci(helm): bump Trivy version to 0.63.0 for Trivy Helm Chart 0.15.0 (#8946)
- ci(helm): bump Trivy version to 0.64.0 for Trivy Helm Chart 0.16.0 (#9107)
- ci(helm): bump Trivy version to 0.64.1 for Trivy Helm Chart 0.16.1 (#9135)
- ci(helm): bump Trivy version to 0.65.0 for Trivy Helm Chart 0.17.0 (#9288)
- ci(helm): bump Trivy version to 0.66.0 for Trivy Helm Chart 0.18.0 (#9425)
- ci(helm): bump Trivy version to 0.67.0 for Trivy Helm Chart 0.19.0 (#9554)
- ci(helm): bump Trivy version to 0.67.2 for Trivy Helm Chart 0.19.1 (#9641)
- ci(helm): create a helm branch for patches from main (#8673)
- ci(spdx): add `aqua-installer` step to fix `mage` error (#8353)
- ci(vuln): reduce github action script injection attack risk (#8610)
- ci: add API diff workflow (#9600)
- ci: add auto-ready-for-review workflow (#9179)
- ci: add workflow to restrict direct PRs to release branches (#8240)
- ci: delete cache after artifacts upload in canary workflow (#9177)
- ci: enable `check-latest` for `setup-go` [backport: release/v0.68] (#9946)
- ci: fix path to main dir for canary builds (#8231)
- ci: get base_sha using base.ref (#9704)
- ci: improve PR title validation workflow (#8720)
- ci: migrate GitHub Actions from version tags to SHA pinning (#9405)
- ci: move runner.os context from job-level env to step-level in canary workflow (#9233)
- ci: optimize golangci-lint performance with cache-based strategy (#9173)
- ci: remove invalid `--confirm` flag from `gh cache delete` command in canary builds (#9236)
- ci: remove unused preinstalled software/images for build tests to free up disk space. (#9814)
- ci: skip undefined labels in discussion triage action (#9175)
- ci: specify repository for `gh cache delete` in canary workflow (#9240)
- ci: update GitHub Actions cache to v4 (#8475)
- ci: use `Skitionek/notify-microsoft-teams` instead of `aquasecurity` fork (#8740)
- ci: use `github.event.pull_request.user.login` for release PR check workflow (#8702)
- ci: use environment variables in GitHub Actions for improved security (#9433)
- ci: use gh pr view to get PR number for forked repositories in auto-ready workflow (#9183)
- ci: use merge commit for apidiff to avoid false positives (#9622)
- ci: use pull_request_target for apidiff workflow to support fork PRs (#9605)
- docs(cli): improve flag value display format (#8560)
- docs(java): Update info about dev deps in gradle lock (#8830)
- docs(java): add info about supported scopes (#7842)
- docs(k8s): add a note about multi-container pods (#7815)
- docs(misconf): Remove duplicate sections (#9819)
- docs(misconf): Reorganize misconfiguration scan pages (#8206)
- docs(misconf): simplify misconfiguration docs (#9030)
- docs(python): Mention pip-compile (#8484)
- docs(python): fix type with METADATA file name (#9090)
- docs(report): Improve SARIF reporting doc (#7655)
- docs(report): add nuances about secret/license scanner in summary table (#9442)
- docs(report): fix reporting doc format (#7671)
- docs(server): fix info about scanning licenses on the client side. (#9805)
- docs(vex): use debian minor version in examples (#8166)
- docs(vuln): remove OSV for Python from data sources (#8841)
- docs: Add info about helm charts release (#8640)
- docs: Fix broken link to "Built-in Checks" (#9375)
- docs: Fix broken links (#7900)
- docs: Fix typo in terraform docs (#9492)
- docs: Fix typos and linguistic errors in documentation / hacktoberfest (#9586)
- docs: Fix typos in documentation (#8361)
- docs: Update maintainer docs (#8674)
- docs: Updated JSON schema version 2 in the trivy documentation (#8188)
- docs: add Headlamp to the Trivy Ecosystem page (#7916)
- docs: add PR review policy for maintainers (#9032)
- docs: add Windows install instructions (#7800)
- docs: add `overview` page for `others` (#7972)
- docs: add abbreviation list (#8453)
- docs: add commercial content (#8030)
- docs: add example of creating whitelist of checks (#7821)
- docs: add explanation for how to use non-system certificates (#9081)
- docs: add info about `java-db` subdir (#9706)
- docs: add info that `SSL_CERT_FILE` works on `Unix systems other than macOS` only (#9772)
- docs: add note about disabled DS016 check (#7724)
- docs: add note about temporary podman socket (#7921)
- docs: add partners page (#8988)
- docs: add section on customizing default check data (#9114)
- docs: add terminology page to explain Trivy concepts (#7996)
- docs: add vulnerability database contribution guide (#9667)
- docs: apt-transport-https is a transitional package (#7678)
- docs: bump pygments from 2.18.0 to 2.19.2 (#9596)
- docs: catch some missed docs -> guide (#9850)
- docs: change --disable-metrics to --disable-telemetry in example (#8999) (#9003)
- docs: change SecObserve URLs in documentation (#9771)
- docs: change in java.md: fix the Trity -to-> Trivy typo (#8813)
- docs: clarify inline ignore limitations for resource-less checks (#9537)
- docs: combine trivy.dev into trivy docs (#7884)
- docs: correct Ruby documentation (#8402)
- docs: document eol supportability (#9434)
- docs: drop AWS account scanning (#7997)
- docs: fix a broken link (#8546)
- docs: fix assets with versioning (#8996)
- docs: fix dead links (#7998)
- docs: fix mistakes/typos (#7942)
- docs: fix modules path and update code example (#9539)
- docs: fix navigate links (#8336)
- docs: improve databases documentation (#7732)
- docs: improve documentation for scanning raw IaC configurations (#9571)
- docs: improve skipping files documentation (#8749)
- docs: move info about `detection priority` into coverage section (#9469)
- docs: partners page content updates (#9149)
- docs: remove slack (#8565)
- docs: replace short codes with Unicode emojis (#8296)
- docs: restructure docs for new hosting (#9799)
- docs: trivy partners page updates (#9133)
- docs: update VEX documentation index page (#8458)
- docs: update links to Semaphore pages (#9352)
- docs: update vulnerability reporting guidelines in SECURITY.md (#9395)
- feat(alma): add AlmaLinux 10 support (#9207)
- feat(alpine): add maintainer field extraction for APK packages (#8930)
- feat(aws): Add support for dualstack ECR endpoints (#9862)
- feat(cli): Add available version checking (#8553)
- feat(cli): Add trivy cloud support (#9637)
- feat(cli): add `trivy auth` (#7664)
- feat(cli): add version constraints to announcements (#9023)
- feat(cli): change --list-all-pkgs default to true (#9510)
- feat(cli): error out when ignore file cannot be found (#7624)
- feat(cli): rename `trivy auth` to `trivy registry` (#7727)
- feat(cloudformation): support default values and list results in Fn::FindInMap (#9515)
- feat(cyclonedx): Add initial support for loading external VEX files from SBOM references (#8254)
- feat(cyclonedx): add file checksums to `CycloneDX` reports (#7507)
- feat(cyclonedx): preserve SBOM structure when scanning SBOM files with vulnerability updates (#9439)
- feat(db): append errors (#7843)
- feat(db): enable concurrent access to vulnerability database (#9750)
- feat(dotnet): add dependency graph support for .deps.json files (#9726)
- feat(echo): Add Echo Support (#8833)
- feat(flag): add `--cacert` flag (#9781)
- feat(flag): add schema validation for `--server` flag (#9270)
- feat(fs): change artifact type to repository when git info is detected (#9613)
- feat(fs): optimize scanning performance by direct file access for known paths (#8525)
- feat(fs): use git commit hash as cache key for clean repositories (#8278)
- feat(go): construct dependencies in the parser (#7973)
- feat(go): construct dependencies of `go.mod` main module in the parser (#7977)
- feat(go): fix parsing main module version for go >= 1.24 (#8433)
- feat(go): support license scanning in both GOPATH and vendor (#8843)
- feat(image): add Docker context resolution (#9166)
- feat(image): add RepoTags support for Docker archives (#9690)
- feat(image): add Sigstore bundle SBOM support (#9516)
- feat(image): pass global context to docker/podman image save func (#9733)
- feat(image): prevent scanning oversized container images (#8178)
- feat(image): return error early if total size of layers exceeds limit (#8294)
- feat(image): save layers metadata into report (#8394)
- feat(java): add support remote repositories from settings.xml files (#9708)
- feat(java): dereference all maven settings.xml env placeholders (#9024)
- feat(k8s): add default commands for unknown platform (#7863)
- feat(k8s): add support for controllers (#8614)
- feat(k8s): get components from namespaced resources (#8918)
- feat(k8s): improve artifact selections for specific namespaces (#8248)
- feat(license): Support compound licenses (licenses using SPDX operators) (#8816)
- feat(license): improve work text licenses with custom classification (#8888)
- feat(license): improve work with custom classification of licenses from config file (#8861)
- feat(license): observe pkg types option in license scanner (#9091)
- feat(license): scan vendor directory for license for go.mod files (#8689)
- feat(license): use separate SPDX ids to ignore SPDX expressions (#9087)
- feat(minimos): Add support for MinimOS (#8792)
- feat(misconf): Add RoleAssignments attribute (#9396)
- feat(misconf): Add support for `Minimum Trivy Version` (#8880)
- feat(misconf): Add support for aws_ami (#8499)
- feat(misconf): Add support for configurable Rego error limit (#9657)
- feat(misconf): Show misconfig ID in output (#7762)
- feat(misconf): Update AppService schema (#9792)
- feat(misconf): Update Azure Compute schema (#9675)
- feat(misconf): Update Azure Container Schema (#9673)
- feat(misconf): Update Azure network schema for new checks (#9791)
- feat(misconf): Update SecurityCenter schema (#9674)
- feat(misconf): Update azure storage schema (#9728)
- feat(misconf): adapt AWS::DynamoDB::Table (#8529)
- feat(misconf): adapt AWS::EC2::VPC (#8534)
- feat(misconf): adapt aws_default_security_group (#8538)
- feat(misconf): adapt aws_opensearch_domain (#8550)
- feat(misconf): add OpenTofu file extension support (#8747)
- feat(misconf): add agentpools to azure container schema (#9714)
- feat(misconf): add misconfiguration location to junit template (#8793)
- feat(misconf): add option to pass Rego scanner to IaC scanner (#8369)
- feat(misconf): add private ip google access attribute to subnetwork (#9199)
- feat(misconf): added audit config attribute (#9249)
- feat(misconf): added logging and versioning to the gcp storage bucket (#9226)
- feat(misconf): convert AWS managed policy to document (#8757)
- feat(misconf): export raw Terraform data to Rego (#8741)
- feat(misconf): export unresolvable field of IaC types to Rego (#7765)
- feat(misconf): generate placeholders for random provider resources (#8051)
- feat(misconf): include map key in manifest snippet for diagnostics (#9681)
- feat(misconf): log causes of HCL file parsing errors (#7634)
- feat(misconf): normalize CreatedBy for buildah and legacy docker builder (#8953)
- feat(misconf): public network support for Azure Storage Account (#7601)
- feat(misconf): render causes for Terraform (#8360)
- feat(misconf): ssl_mode support for GCP SQL DB instance (#7564)
- feat(misconf): support auto_provisioning_defaults in google_container_cluster (#8705)
- feat(misconf): support for ignoring by inline comments for Dockerfile (#8115)
- feat(misconf): support for ignoring by inline comments for Helm (#8138)
- feat(misconf): support https_traffic_only_enabled in Az storage account (#9784)
- feat(nodejs): add a bun.lock analyzer (#8897)
- feat(nodejs): add bun.lock parser (#8851)
- feat(nodejs): add root and workspace for `yarn` packages (#8535)
- feat(nodejs): respect peer dependencies for dependency tree (#7989)
- feat(oracle): add `flavors` support (#7858)
- feat(parser): ignore white space in pom.xml files (#7747)
- feat(python): add support for poetry dev dependencies (#8152)
- feat(python): add support for uv (#8080)
- feat(python): add support for uv dev and optional dependencies (#8134)
- feat(redhat): Add EOL date for RHEL 10. (#8910)
- feat(redhat): add os-release detection for RHEL-based images (#9458)
- feat(repo): add git repository metadata to reports (#9252)
- feat(report): add CVSS vectors in sarif report (#9157)
- feat(report): add fingerprint generation for vulnerabilities (#9794)
- feat(report): add image reference to report metadata (#9729)
- feat(report): switch ReportID from UUIDv4 to UUIDv7 (#9749)
- feat(report): update gitlab template to populate operating_system value (#7735)
- feat(rust): add root and workspace relationships/package for `cargo` lock files (#8676)
- feat(sbom): add SHA-512 hash support for CycloneDX SBOM (#9126)
- feat(sbom): add manufacturer field to CycloneDX tools metadata (#9019)
- feat(sbom): add support for SPDX attestations (#9829)
- feat(sbom): added support for CoreOS (#9448)
- feat(sbom): use SPDX license IDs list to validate SPDX IDs (#9569)
- feat(seal): add seal support (#9370)
- feat(secret): Add built-in secrets rules for Private Packagist (#7826)
- feat(secret): implement streaming secret scanner with byte offset tracking (#9264)
- feat(suse): Add new openSUSE, Micro and SLES releases end of life dates (#9788)
- feat(suse): Align SUSE/OpenSUSE OS Identifiers (#7965)
- feat(terraform): add partial evaluation for policy templates (#8967)
- feat(terraform): use .terraform cache for remote modules in plan scanning (#9277)
- feat(ubuntu): add end of life date for Ubuntu 25.04 (#9077)
- feat(ubuntu): add eol date for 20.04-ESM (#8981)
- feat(vuln): add Root.io support for container image scanning (#9073)
- feat: Update registry fallbacks (#7679)
- feat: Update registry fallbacks [backport: release/v0.57] (#7944)
- feat: add ArtifactID field to uniquely identify scan targets (#9663)
- feat: add Bottlerocket OS package analyzer (#8653)
- feat: add HTTP request/response tracing support (#9125)
- feat: add JSONC support for comments and trailing commas (#8862)
- feat: add ReportID field to scan reports (#9670)
- feat: add `--distro` flag to manually specify OS distribution for vulnerability scanning (#8070)
- feat: add `--vuln-severity-source` flag (#8269)
- feat: add `workspaceRelationship` (#7889)
- feat: add an examples field to check metadata (#8068)
- feat: add cvss v4 score and vector in scan response (#7968)
- feat: add documentation URL for database lock errors (#9531)
- feat: add end of life date for Ubuntu 24.10 (#7787)
- feat: add graceful shutdown with signal handling (#9242)
- feat: add report summary table (#8177)
- feat: add support for registry mirrors (#8244)
- feat: add timeout handling for cache database operations (#9307)
- feat: allow ignoring findings by type in Rego (#9578)
- feat: include registry and repository in artifact ID calculation (#9689)
- feat: reject unsupported artifact types in remote image retrieval (#9052)
- feat: replace TinyGo with standard Go for WebAssembly modules (#8496)
- feat: terraform parser option to set current working directory (#8909)
- fix(alma): parse epochs from rpmqa file (#9101)
- fix(alma): parse epochs from rpmqa file [backport: release/v0.64] (#9119)
- fix(alpine): add `UID` for removed packages (#7887)
- fix(aws): change CPU and Memory type of ContainerDefinition to a string (#7995)
- fix(aws): update amazon linux 2 EOL date (#9176)
- fix(aws): use `BuildableClient` instead of `xhttp.Client` (#9436)
- fix(cli): Add more non-sensitive flags to telemetry (#9110)
- fix(cli): Add more non-sensitive flags to telemetry [backport: release/v0.64] (#9124)
- fix(cli): Handle empty ignore files more gracefully (#7962)
- fix(cli): `clean --all` deletes only relevant dirs (#7704)
- fix(cli): add config name to skip-policy-update alias (#7820)
- fix(cli): add some values to the telemetry call (#9056)
- fix(cli): disable `--skip-dir` and `--skip-files` flags for `sbom` command (#8886)
- fix(cli): don't use allow values for `--compliance` flag (#8881)
- fix(cli): ensure correct command is picked by telemetry (#9260)
- fix(cli): panic: attempt to get os.Args[1] when len(os.Args) < 2 (#9206)
- fix(conda): memory leak by adding closure method for `package.json` file (#9349)
- fix(cyclonedx): handle multiple license types (#9378)
- fix(db): Download database when missing but metadata still exists (#9393)
- fix(db): fix case when 2 trivy-db were copied at the same time (#8452)
- fix(db): fix javadb downloading error handling (#7642)
- fix(debian): don't include empty licenses for `dpkgs` (#8623)
- fix(debian): infinite loop (#7928)
- fix(deps): bump alpine from `3.22.1` to `3.23.0` [backport: release/v0.68] (#9949)
- fix(flag): remove viper.SetDefault to fix IsSet() for config-only flags (#9732)
- fix(flag): skip hidden flags for `--generate-default-config` command (#8046)
- fix(fs): add missing deferred Cleanup() call to post analyzer fs (#7882)
- fix(fs): avoid shadowing errors in file.glob (#9286)
- fix(fs): check postAnalyzers for StaticPaths (#8543)
- fix(fs): fix cache key generation to use UUID (#8275)
- fix(go): Do not trim v prefix from versions in Go Mod Analyzer (#7733)
- fix(go): merge nested flags into string for ldflags for Go binaries (#8368)
- fix(helm): properly handle multiple archived dependencies (#7782)
- fix(image): disable AVD-DS-0007 for history scanning (#8366)
- fix(image): use standardized HTTP client for ECR authentication (#9322)
- fix(java): correctly inherit `version` and `scope` from upper/root `depManagement` and `dependencies` into parents (#7541)
- fix(java): correctly overwrite version from depManagement if dependency uses `project.*` props (#8050)
- fix(java): correctly overwrite version from depManagement if dependency uses `project.*` props [backport: release/v0.58] (#8119)
- fix(java): exclude dev dependencies in gradle lockfile (#8803)
- fix(java): update order for resolving package fields from multiple depManagement (#9575)
- fix(java): use `true` as default value for Repository Release|Snapshot Enabled in pom.xml and settings.xml files (#9751)
- fix(julia): add `Relationship` field support (#8939)
- fix(k8s)!: support k8s multi container (#7444)
- fix(k8s): add missed option `PkgRelationships` (#8442)
- fix(k8s): check all results for vulnerabilities (#7946)
- fix(k8s): correct compare artifact versions (#8682)
- fix(k8s): correct compare artifact versions [backport: release/v0.61] (#8699)
- fix(k8s): disable parallel traversal with fs cache for k8s images (#9534)
- fix(k8s): remove using `last-applied-configuration` (#8791)
- fix(k8s): show report for `--report all` (#8613)
- fix(k8s): skip passed misconfigs for the summary report (#8684)
- fix(k8s): skip passed misconfigs for the summary report [backport: release/v0.61] (#8748)
- fix(k8s): skip resources without misconfigs (#7797)
- fix(k8s): support kubernetes v1.31 (#7810)
- fix(k8s): use in-memory cache backend during misconfig scanning (#8873)
- fix(license): add missed `GFDL-NIV-1.1` and `GFDL-NIV-1.2` into Trivy mapping (#9116)
- fix(license): always trim leading and trailing spaces for licenses (#8095)
- fix(license): don't normalize `unlicensed` licenses into `unlicense` (#9611)
- fix(license): fix license normalization for Universal Permissive License (#7766)
- fix(license): handle SPDX WITH exceptions as single license in category detection (#9380)
- fix(license): handle WITH operator for `LaxSplitLicenses` (#9232)
- fix(misconf): .Config.User always takes precedence over USER in .History (#9050)
- fix(misconf): Check values wholly prior to evaluation (#8604)
- fix(misconf): Improve logging for unsupported checks (#8634)
- fix(misconf): Update trivy-checks default repo to `mirror.gcr.io` (#7953)
- fix(misconf): add ephemeral block type to config schema (#8513)
- fix(misconf): add missing variable as unknown (#8683)
- fix(misconf): allow null values only for tf variables (#8112)
- fix(misconf): allow null values only for tf variables [backport: release/v0.58] (#8238)
- fix(misconf): change default ACL of digitalocean_spaces_bucket to private (#7577)
- fix(misconf): check if for-each is known when expanding dyn block (#8808)
- fix(misconf): check if for-each is known when expanding dyn block [backport: release/v0.62] (#8826)
- fix(misconf): check if metadata is not nil (#8647)
- fix(misconf): check if property is not nil before conversion (#7578)
- fix(misconf): correct Azure value-to-time conversion in AsTimeValue (#9015)
- fix(misconf): correctly adapt azure storage account (#9138)
- fix(misconf): correctly handle all YAML tags in K8S templates (#8259)
- fix(misconf): correctly parse empty port ranges in google_compute_firewall (#9237)
- fix(misconf): disable git terminal prompt on tf module load (#8026)
- fix(misconf): do not erase variable type for child modules (#7941)
- fix(misconf): do not log scanners when misconfig scanning is disabled (#8345)
- fix(misconf): do not log scanners when misconfig scanning is disabled [backport: release/v0.59] (#8349)
- fix(misconf): do not skip loading documents from subdirectories (#8526)
- fix(misconf): do not use cty.NilVal for non-nil values (#8567)
- fix(misconf): ecs include enhanced for container insights (#8326)
- fix(misconf): ensure boolean metadata values are correctly interpreted (#9770)
- fix(misconf): ensure ignore rules respect subdirectory chart paths (#9324)
- fix(misconf): ensure module source is known (#9404)
- fix(misconf): ensure value used as ignore marker is non-null and known (#9835)
- fix(misconf): filter null nodes when parsing json manifest (#8785)
- fix(misconf): fix for Azure Storage Account network acls adaptation (#7602)
- fix(misconf): fix incorrect k8s locations due to JSON to YAML conversion (#8073)
- fix(misconf): fix log bucket in schema (#9235)
- fix(misconf): handle heredocs in dockerfile instructions (#8284)
- fix(misconf): handle null properties in CloudFormation templates (#7813)
- fix(misconf): handle tofu files in module detection (#9486)
- fix(misconf): handle unsupported experimental flags in Dockerfile (#9769)
- fix(misconf): identify the chart file exactly by name (#8590)
- fix(misconf): load full Terraform module (#7925)
- fix(misconf): map healthcheck start period flag to --start-period instead of --startPeriod (#9837)
- fix(misconf): move disabled checks filtering after analyzer scan (#9002)
- fix(misconf): perform operations on attribute safely (#8774)
- fix(misconf): populate context correctly for module instances (#8656)
- fix(misconf): preserve original paths of remote submodules from .terraform (#9294)
- fix(misconf): properly expand dynamic blocks (#7612)
- fix(misconf): properly resolve local Terraform cache (#7983)
- fix(misconf): reduce log noise on incompatible check (#9029)
- fix(misconf): set default values for AWS::EKS::Cluster.ResourcesVpcConfig (#8548)
- fix(misconf): skip Azure CreateUiDefinition (#8503)
- fix(misconf): skip rewriting expr if attr is nil (#9113)
- fix(misconf): skip rewriting expr if attr is nil [backport: release/v0.64] (#9127)
- fix(misconf): strip build metadata suffixes from image history (#9498)
- fix(misconf): unmark cty values before access (#9495)
- fix(misconf): use argument value in WithIncludeDeprecatedChecks (#8942)
- fix(misconf): use correct field log_bucket instead of target_bucket in gcp bucket (#9296)
- fix(misconf): use log instead of fmt for logging (#8033)
- fix(misconf): wrap AWS EnvVar to iac types (#7407)
- fix(misconf): wrap legacy ENV values in quotes to preserve spaces (#9497)
- fix(nodejs): correctly parse `packages` array of `bun.lock` file (#8998)
- fix(nodejs): don't use prerelease logic for compare npm constraints (#9208)
- fix(nodejs): fix npmjs parser.pkgNameFromPath() panic issue (#9688)
- fix(nodejs): parse workspaces as objects for package-lock.json files (#9518)
- fix(nodejs): use snapshot string as `Package.ID` for pnpm packages (#9330)
- fix(nodejs): use the default ID format to match licenses in pnpm packages. (#9661)
- fix(oracle): add architectures support for advisories (#4809)
- fix(oracle): add architectures support for advisories [backport: release/v0.58] (#8125)
- fix(os): Add photon 5.0 in supported OS (#9724)
- fix(os): add mapping OS aliases (#8466)
- fix(plugin): don't remove plugins when updating index.yaml file (#9358)
- fix(python): add `poetry` v2 support (#8323)
- fix(python): add `poetry` v2 support [backport: release/v0.59] (#8335)
- fix(python): improve package name normalization (#9290)
- fix(python): skip dev group's deps for poetry (#8106)
- fix(python): skip dev group's deps for poetry [backport: release/v0.58] (#8158)
- fix(redhat): Also try to find buildinfo in root layer (layer 0) (#8924)
- fix(redhat): check `usr/share/buildinfo/` dir to detect content sets (#8222)
- fix(redhat): correct rewriting of recommendations for the same vulnerability (#8063)
- fix(redhat): correct rewriting of recommendations for the same vulnerability [backport: release/v0.58] (#8135)
- fix(redhat): don't return error if `root/buildinfo/content_manifests/` contains files that are not `contentSets` files (#7912)
- fix(redhat): don't return error if `root/buildinfo/content_manifests/` contains files that are not `contentSets` files [backport: release/v0.57] (#7939)
- fix(redhat): include arch in PURL qualifiers (#7654)
- fix(redhat): include arch in PURL qualifiers [backport: release/v0.56] (#7702)
- fix(redhat): save contentSets for OS packages in fs/vm modes (#8820)
- fix(redhat): trim invalid suffix from content_sets in manifest parsing (#8818)
- fix(redhat): trim invalid suffix from content_sets in manifest parsing [backport: release/v0.62] (#8824)
- fix(repo): `git clone` output to Stderr (#7561)
- fix(repo): preserve RepoMetadata on FS cache hit (#9389)
- fix(repo): sanitize git repo URL before inserting into report metadata (#9391)
- fix(report): Fix invalid URI in SARIF report (#7645)
- fix(report): clean buffer after flushing (#8725)
- fix(report): correct field order in SARIF license results (#9712)
- fix(report): don't panic when report contains vulns, but doesn't contain packages for `table` format (#8549)
- fix(report): handle `git@github.com` schema for misconfigs in `sarif` report (#7898)
- fix(report): remove html escaping for `shortDescription` and `fullDescription` fields for sarif reports (#8344)
- fix(rootio): check full version to detect `root.io` packages (#9117)
- fix(rootio): check full version to detect `root.io` packages [backport: release/v0.64] (#9120)
- fix(rootio): fix severity selection (#9181)
- fix(sbom): use `Annotation` instead of `AttributionTexts` for `SPDX` formats (#7811)
- fix(sbom): Fixes for Programming Language Vulnerabilities and SBOM Package Maintainer Details (#7871)
- fix(sbom): add SBOM file's filePath as Application FilePath if we can't detect its path (#8346)
- fix(sbom): add `buildInfo` info as properties (#9683)
- fix(sbom): add options for DBs in private registries (#7660)
- fix(sbom): add options for DBs in private registries [backport: release/v0.56] (#7691)
- fix(sbom): add support for `file` component type of `CycloneDX` (#9372)
- fix(sbom): attach nested packages to Application (#8144)
- fix(sbom): attach nested packages to Application [backport: release/v0.58] (#8168)
- fix(sbom): don't panic on SBOM format if scanned CycloneDX file has empty metadata (#9562)
- fix(sbom): fix wrong overwriting of applications obtained from different sbom files but having same app type (#8052)
- fix(sbom): fix wrong overwriting of applications obtained from different sbom files but having same app type [backport: release/v0.58] (#8124)
- fix(sbom): improve logic for binding direct dependency to parent component (#8489)
- fix(sbom): merge in-graph and out-of-graph OS packages in scan results (#9194)
- fix(sbom): preserve OS packages from multiple SBOMs (#8325)
- fix(sbom): preserve OS packages from multiple SBOMs [backport: release/v0.59] (#8333)
- fix(sbom): remove unnecessary OS detection check in SBOM decoding (#9034)
- fix(sbom): scan results of SBOMs generated from container images are missing layers (#7635)
- fix(sbom): use correct field for licenses in CycloneDX reports (#9057)
- fix(sbom): use root package for `unknown` dependencies (if exists) (#8104)
- fix(sbom): use root package for `unknown` dependencies (if exists) [backport: release/v0.58] (#8156)
- fix(secret): add UTF-8 validation in secret scanner to prevent protobuf marshalling errors (#9253)
- fix(secret): fix line numbers for multiple-line secrets (#9104)
- fix(secret): ignore .dist-info directories during secret scanning (#8646)
- fix(server): add HTTP transport setup to server mode (#9217)
- fix(server): add missed Relationship field for `rpc` (#8872)
- fix(server): fix redis key when trying to delete blob (#8649)
- fix(server): secrets inspection for the config analyzer in client server mode (#8418)
- fix(spdx): init `pkgFilePaths` map for all formats (#8380)
- fix(spdx): save text licenses into `otherLicenses` without normalize (#8502)
- fix(spdx): use the `hasExtractedLicensingInfos` field for licenses that are not listed in the SPDX (#8077)
- fix(suse): SUSE - update OSType constants and references for compatibility (#8236)
- fix(suse): SUSE - update OSType constants and references for compatibility [backport: release/v0.58] (#8237)
- fix(terraform): `evaluateStep` to correctly set `EvalContext` for multiple instances of blocks (#8555)
- fix(terraform): `for_each` on a map returns a resource for every key (#9156)
- fix(terraform): apply parser options to submodule parsing (#8377)
- fix(terraform): hcl object expressions to return references (#8271)
- fix(terraform): set null value as fallback for missing variables (#7669)
- fix(vex): don't suppress vulns for packages with infinite loop (#9465)
- fix(vex): don't use reused BOM (#9604)
- fix(vex): don't use reused BOM [backport: release/v0.67] (#9612)
- fix(vex): use `lo.IsNil` to check `VEX` from OCI artifact (#8858)
- fix(vex): use a separate `visited` set for each DFS path (#9760)
- fix(vuln): compare `nuget` package names in lower case (#9456)
- fix(wolfi): support new APK database location (#8937)
- fix: Add missing version check flags (#8951)
- fix: CVE-2024-45337: Misuse of ServerConfig.PublicKeyCallback may cause authorization bypass (#8088)
- fix: CVE-2025-21613 and CVE-2025-21614 : go-git: argument injection via the URL field (#8207)
- fix: CVE-2025-21613 and CVE-2025-21614 : go-git: argument injection via the URL field [backport: release/v0.58] (#8215)
- fix: Correctly check for semver versions for trivy version check (#8948)
- fix: Improve version comparisons when build identifiers are present (#7873)
- fix: Trim the end-of-range suffix (#9618)
- fix: Updated twitter icon (#7772)
- fix: Use `fetch-level: 1` to check out trivy-repo in the release workflow (#9636)
- fix: Use `fetch-level: 1` to check out trivy-repo in the release workflow [backport: release/v0.67] (#9638)
- fix: add `buildInfo` for `BlobInfo` in `rpc` package (#9608)
- fix: add `buildInfo` for `BlobInfo` in `rpc` package [backport: release/v0.67] (#9615)
- fix: also check `filepath` when removing duplicate packages (#9142)
- fix: check post-analyzers for StaticPaths (#8904)
- fix: close all opened resources if an error occurs (#9665)
- fix: close file descriptors and pipes on error paths (#9536)
- fix: create temp file under composite fs dir (#9387)
- fix: de-duplicate same `dpkg` packages with different filePaths from different layers (#8298)
- fix: don't show corrupted trivy-db warning for first run (#8991)
- fix: don't use `scope` for `trivy registry login` command (#8393)
- fix: early-return, indent-error-flow and superfluous-else rules from revive (#8796)
- fix: enable err-error and errorf rules from perfsprint linter (#7859)
- fix: enable usestdlibvars linter (#7770)
- fix: filter all files when processing files installed from package managers (#8842)
- fix: handle `BLOW_UNKNOWN` error to download DBs (#8060)
- fix: handle `BLOW_UNKNOWN` error to download DBs [backport: release/v0.58] (#8121)
- fix: improve conversion of image config to Dockerfile (#8308)
- fix: julia parser panicking (#8883)
- fix: migrate from `*.list` to `*.md5sums` files for `dpkg` (#9131)
- fix: more revive rules (#8814)
- fix: octalLiteral from go-critic (#8811)
- fix: persistent flag option typo (#9374)
- fix: prevent graceful shutdown message on normal exit (#9244)
- fix: respect GITHUB_TOKEN to download artifacts from GHCR (#7580)
- fix: restore compatibility for google.protobuf.Value (#9559)
- fix: restore compatibility for google.protobuf.Value [backport: release/v0.67] (#9631)
- fix: supporting .egg-info/METADATA in python.Packaging analyzer (#9151)
- fix: suppress debug log for context cancellation errors (#9298)
- fix: testifylint last issues (#8768)
- fix: unused-parameter rule from revive (#8794)
- fix: update all documentation links (#8045)
- fix: update all documentation links (#9777)
- fix: update cosign settings for GoReleaser after bumping cosign to v3 (#9863)
- fix: use `--file-patterns` flag for all post analyzers (#7365)
- fix: use context for analyzers (#9538)
- fix: use-any from revive (#8810)
- fix: using SrcVersion instead of Version for echo detector (#9552)
- fix: using SrcVersion instead of Version for echo detector [backport: release/v0.67] (#9629)
- fix: validate backport branch name (#9548)
- fix: wasm module test (#8099)
- perf(misconf): parse input for Rego once (#8483)
- perf(misconf): retrieve check metadata from annotations once (#8478)
- perf(secret): only match secrets of meaningful length, allow example strings to not be matched (#8602)
- perf: avoid heap allocation in applier findPackage (#7883)
- refactor(cli): Update the cloud config command (#9676)
- refactor(cloudformation): remove unused ScanFile method from Scanner (#8927)
- refactor(db): change logic to detect wrong DB (#8864)
- refactor(db): use `Getter` interface with `GetParams` for trivy-db sources (#9239)
- refactor(flag): improve flag system architecture and extensibility (#8718)
- refactor(fs): use underlyingPath to determine virtual files more reliably (#9302)
- refactor(k8s): add v prefix for Go packages (#7839)
- refactor(k8s): scan config files as a folder (#7690)
- refactor(license): improve license expression normalization (#8257)
- refactor(license): simplify compound license scanning (#8896)
- refactor(misconf): Deprecate `EXCEPTIONS` for misconfiguration scanning (#7776)
- refactor(misconf): Remove unused options (#7896)
- refactor(misconf): Simplify misconfig checks bundle parsing (#8533)
- refactor(misconf): add ID to scan.Rule (#9573)
- refactor(misconf): add ManifestFromYAML for unified manifest parsing (#9680)
- refactor(misconf): decouple input fs and track extracted files with fs references (#9281)
- refactor(misconf): get a block or attribute without calling HasChild (#8586)
- refactor(misconf): introduce generic scanner (#7515)
- refactor(misconf): make Rego scanner independent of config type (#7517)
- refactor(misconf): mark AVDID fields as deprecated and use ID internally (#9576)
- refactor(misconf): migrate from custom Azure JSON parser (#9222)
- refactor(misconf): parse azure_policy_enabled to addonprofile.azurepolicy.enabled (#9851)
- refactor(misconf): remove module outputs from parser.EvaluateAll (#8587)
- refactor(misconf): remove unused methods for ec2.Instance (#8536)
- refactor(misconf): remove unused methods from iac types (#8782)
- refactor(misconf): remove unused methods from providers (#8781)
- refactor(misconf): remove unused terraform attribute methods (#8657)
- refactor(misconf): replace github.com/liamg/memoryfs with internal mapfs and testing/fstest (#9282)
- refactor(misconf): rewrite Rego module filtering using functional filters (#9061)
- refactor(misconf): set Trivy version by default in Rego scanner (#9001)
- refactor(misconf): simplify k8s scanner (#7717)
- refactor(misconf): switch to x/json (#8719)
- refactor(misconf): type-safe parser results in generic scanner (#9685)
- refactor(misconf): use OPA v1 (#8518)
- refactor(misconf): use atomic.Int32 (#9385)
- refactor(python): use once + debug for `License acquired from METADATA...` logs (#8175)
- refactor(report): write tables after rendering all results (#8357)
- refactor(sbom): simplify relationship generation (#7985)
- refactor(secret): clarify secret scanner messages (#9409)
- refactor(secret): optimize performance by moving ToLower operation outside loop (#7862)
- refactor(server): change custom advisory and vulnerability data types fr??? (#8923)
- refactor(terraform): make Scan method of Terraform plan scanner private (#9272)
- refactor(terraform): remove result sorting from scanner (#8928)
- refactor(terraform): simplify AllReferences method signature in Attribute (#8906)
- refactor(ubuntu): update time handling for fixing time (#8780)
- refactor(vex): improve SBOM reference handling with project standards (#8457)
- refactor: add case-insensitive string set implementation (#9720)
- refactor: add generic Set implementation (#8149)
- refactor: add hook interface for extended functionality (#8585)
- refactor: centralize HTTP transport configuration (#9058)
- refactor: export `systemFileFiltering` Post Handler (#9359)
- refactor: migrate from `github.com/aquasecurity/jfather` to `github.com/go-json-experiment/json` (#8591)
- refactor: migrate from go-json-experiment to encoding/json/v2 (#9422)
- refactor: move the aws config (#9617)
- refactor: remove aws flag helper message (#9080)
- refactor: remove google/wire dependency and implement manual DI (#9509)
- refactor: remove support for custom Terraform checks (#7901)
- refactor: rename scanner to service (#8584)
- refactor: simplify Detect function signature (#9280)
- refactor: switch to stable azcontainerregistry SDK package (#9319)
- refactor: use slices package instead of custom function (#8172)
- refactor: use strings.SplitSeq instead of strings.Split in for-loop (#8983)
- refactor: use trivy-checks/pkg/specs package (#8226)
- release: v0.56.2 [release/v0.56] (#7694)
- release: v0.57.0 [main] (#7710)
- release: v0.57.1 [release/v0.57] (#7943)
- release: v0.58.0 [main] (#7874)
- release: v0.58.1 [release/v0.58] (#8120)
- release: v0.58.2 [release/v0.58] (#8216)
- release: v0.59.0 [main] (#8041)
- release: v0.59.1 [release/v0.59] (#8334)
- release: v0.60.0 [main] (#8327)
- release: v0.61.0 [main] (#8507)
- release: v0.61.1 [release/v0.61] (#8704)
- release: v0.62.0 [main] (#8669)
- release: v0.62.1 [release/v0.62] (#8825)
- release: v0.63.0 [main] (#8809)
- release: v0.64.0 [main] (#8955)
- release: v0.64.1 [release/v0.64] (#9122)
- release: v0.65.0 [main] (#9108)
- release: v0.66.0 [main] (#9289)
- release: v0.67.0 [main] (#9432)
- release: v0.67.1 [release/v0.67] (#9614)
- release: v0.67.2 [release/v0.67] (#9639)
- release: v0.68.0 [main] (#9549)
- release: v0.68.1 [main] (#9867)
- release: v0.68.2 [release/v0.68] (#9950)
- style: Fix MD syntax in self-hosting.md (#8523)
- test(go): refactor mod_test.go to use txtar format (#9775)
- test(go): set `GOPATH` for tests (#9785)
- test(helm): bump up Yamale dependency for Helm chart-testing-action (#9653)
- test(k8s): update k8s integration test (#9725)
- test(k8s): use a specific bundle for k8s misconfig scan (#9633)
- test(misconf): drop gcp iam test covered by another case (#9285)
- test(misconf): move terraform scan tests to integration tests (#9271)
- test(misconf): remove BenchmarkCalculate using outdated check metadata (#9291)
- test(server): replace mock driver with memory cache in server tests (#8416)
- test: add HTTP basic authentication to git test server (#9407)
- test: add end-to-end testing framework with image scan and proxy tests (#9231)
- test: change branch in spdx schema link to check in integration tests (#7935)
- test: change branch in spdx schema link to check in integration tests [backport: release/v0.57] (#7940)
- test: define constants for test images (#7739)
- test: improve and extend tests for iac/adapters/arm (#9028)
- test: improve golden file management in integration tests (#9699)
- test: include integration tests in linting and fix all issues (#9060)
- test: replace Go checks with Rego (#7867)
- test: replace mock with memory cache and fix non-deterministic tests (#8410)
- test: replace mock with memory cache in scanner tests (#8413)
- test: save `containerd` image into archive and use in tests (#7816)
- test: set dummy value for NUGET_PACKAGES (#8107)
- test: update golden files for TestRepository* integration tests (#9684)
- test: use `aquasecurity` repository for test images (#8677)
- test: use `aquasecurity` repository for test images [backport: release/v0.61] (#8698)
- test: use forked images (#7755)
- test: use memory cache (#8403)
- test: use table-driven tests in Helm scanner tests (#8592)

Patch instructions:

To install this openSUSE security update, use the SUSE recommended installation methods
such as YaST online_update or "zypper patch".
Alternatively, you can run the command listed for your product:

- openSUSE Leap 16.0

zypper in -t patch openSUSE-Leap-16.0-273=1

Package List:

- openSUSE Leap 16.0:

trivy-0.68.2-160000.1.1

References:

* https://www.suse.com/security/cve/CVE-2024-3817.html
* https://www.suse.com/security/cve/CVE-2024-45337.html
* https://www.suse.com/security/cve/CVE-2024-45338.html
* https://www.suse.com/security/cve/CVE-2024-51744.html
* https://www.suse.com/security/cve/CVE-2025-11065.html
* https://www.suse.com/security/cve/CVE-2025-21613.html
* https://www.suse.com/security/cve/CVE-2025-21614.html
* https://www.suse.com/security/cve/CVE-2025-22868.html
* https://www.suse.com/security/cve/CVE-2025-22869.html
* https://www.suse.com/security/cve/CVE-2025-22872.html
* https://www.suse.com/security/cve/CVE-2025-27144.html
* https://www.suse.com/security/cve/CVE-2025-30204.html
* https://www.suse.com/security/cve/CVE-2025-46569.html
* https://www.suse.com/security/cve/CVE-2025-47291.html
* https://www.suse.com/security/cve/CVE-2025-47911.html
* https://www.suse.com/security/cve/CVE-2025-47913.html
* https://www.suse.com/security/cve/CVE-2025-47914.html
* https://www.suse.com/security/cve/CVE-2025-53547.html
* https://www.suse.com/security/cve/CVE-2025-58058.html
* https://www.suse.com/security/cve/CVE-2025-58181.html
* https://www.suse.com/security/cve/CVE-2025-58190.html



openSUSE-SU-2026:10865-1: moderate: beets-2.11.0-1.1 on GA media


# beets-2.11.0-1.1 on GA media

Announcement ID: openSUSE-SU-2026:10865-1
Rating: moderate

Cross-References:

* CVE-2026-42052

Affected Products:

* openSUSE Tumbleweed

An update that solves one vulnerability can now be installed.

## Description:

These are all security issues fixed in the beets-2.11.0-1.1 package on the GA media of openSUSE Tumbleweed.

## Package List:

* openSUSE Tumbleweed:
  * beets 2.11.0-1.1

## References:

* https://www.suse.com/security/cve/CVE-2026-42052.html



openSUSE-SU-2026:10863-1: moderate: MozillaFirefox-151.0.1-1.1 on GA media


# MozillaFirefox-151.0.1-1.1 on GA media

Announcement ID: openSUSE-SU-2026:10863-1
Rating: moderate

Cross-References:

* CVE-2026-8945
* CVE-2026-8946
* CVE-2026-8947
* CVE-2026-8948
* CVE-2026-8949
* CVE-2026-8950
* CVE-2026-8951
* CVE-2026-8952
* CVE-2026-8953
* CVE-2026-8954
* CVE-2026-8955
* CVE-2026-8956
* CVE-2026-8957
* CVE-2026-8958
* CVE-2026-8959
* CVE-2026-8960
* CVE-2026-8961
* CVE-2026-8962
* CVE-2026-8963
* CVE-2026-8964
* CVE-2026-8965
* CVE-2026-8966
* CVE-2026-8967
* CVE-2026-8968
* CVE-2026-8969
* CVE-2026-8970
* CVE-2026-8971
* CVE-2026-8972
* CVE-2026-8973
* CVE-2026-8974
* CVE-2026-8975

CVSS scores:

* CVE-2026-8945 ( SUSE ): 8.3 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H
* CVE-2026-8946 ( SUSE ): 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
* CVE-2026-8947 ( SUSE ): 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
* CVE-2026-8948 ( SUSE ): 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
* CVE-2026-8949 ( SUSE ): 6.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L
* CVE-2026-8950 ( SUSE ): 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
* CVE-2026-8951 ( SUSE ): 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
* CVE-2026-8952 ( SUSE ): 6.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L
* CVE-2026-8953 ( SUSE ): 7.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
* CVE-2026-8954 ( SUSE ): 7.6 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:L
* CVE-2026-8955 ( SUSE ): 6.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L
* CVE-2026-8956 ( SUSE ): 6.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L
* CVE-2026-8957 ( SUSE ): 6.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L
* CVE-2026-8958 ( SUSE ): 8.6 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
* CVE-2026-8959 ( SUSE ): 7.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
* CVE-2026-8960 ( SUSE ): 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
* CVE-2026-8961 ( SUSE ): 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
* CVE-2026-8962 ( SUSE ): 5.4 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
* CVE-2026-8963 ( SUSE ): 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
* CVE-2026-8964 ( SUSE ): 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
* CVE-2026-8965 ( SUSE ): 4.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N
* CVE-2026-8966 ( SUSE ): 4.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N
* CVE-2026-8967 ( SUSE ): 4.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N
* CVE-2026-8968 ( SUSE ): 4.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L
* CVE-2026-8969 ( SUSE ): 5.4 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
* CVE-2026-8970 ( SUSE ): 6.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L
* CVE-2026-8971 ( SUSE ): 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
* CVE-2026-8972 ( SUSE ): 6.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L
* CVE-2026-8973 ( SUSE ): 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
* CVE-2026-8974 ( SUSE ): 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
* CVE-2026-8975 ( SUSE ): 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Affected Products:

* openSUSE Tumbleweed

An update that solves 31 vulnerabilities can now be installed.

## Description:

These are all security issues fixed in the MozillaFirefox-151.0.1-1.1 package on the GA media of openSUSE Tumbleweed.

## Package List:

* openSUSE Tumbleweed:
  * MozillaFirefox 151.0.1-1.1
  * MozillaFirefox-branding-upstream 151.0.1-1.1
  * MozillaFirefox-devel 151.0.1-1.1
  * MozillaFirefox-translations-common 151.0.1-1.1
  * MozillaFirefox-translations-other 151.0.1-1.1

## References:

* https://www.suse.com/security/cve/CVE-2026-8945.html
* https://www.suse.com/security/cve/CVE-2026-8946.html
* https://www.suse.com/security/cve/CVE-2026-8947.html
* https://www.suse.com/security/cve/CVE-2026-8948.html
* https://www.suse.com/security/cve/CVE-2026-8949.html
* https://www.suse.com/security/cve/CVE-2026-8950.html
* https://www.suse.com/security/cve/CVE-2026-8951.html
* https://www.suse.com/security/cve/CVE-2026-8952.html
* https://www.suse.com/security/cve/CVE-2026-8953.html
* https://www.suse.com/security/cve/CVE-2026-8954.html
* https://www.suse.com/security/cve/CVE-2026-8955.html
* https://www.suse.com/security/cve/CVE-2026-8956.html
* https://www.suse.com/security/cve/CVE-2026-8957.html
* https://www.suse.com/security/cve/CVE-2026-8958.html
* https://www.suse.com/security/cve/CVE-2026-8959.html
* https://www.suse.com/security/cve/CVE-2026-8960.html
* https://www.suse.com/security/cve/CVE-2026-8961.html
* https://www.suse.com/security/cve/CVE-2026-8962.html
* https://www.suse.com/security/cve/CVE-2026-8963.html
* https://www.suse.com/security/cve/CVE-2026-8964.html
* https://www.suse.com/security/cve/CVE-2026-8965.html
* https://www.suse.com/security/cve/CVE-2026-8966.html
* https://www.suse.com/security/cve/CVE-2026-8967.html
* https://www.suse.com/security/cve/CVE-2026-8968.html
* https://www.suse.com/security/cve/CVE-2026-8969.html
* https://www.suse.com/security/cve/CVE-2026-8970.html
* https://www.suse.com/security/cve/CVE-2026-8971.html
* https://www.suse.com/security/cve/CVE-2026-8972.html
* https://www.suse.com/security/cve/CVE-2026-8973.html
* https://www.suse.com/security/cve/CVE-2026-8974.html
* https://www.suse.com/security/cve/CVE-2026-8975.html



openSUSE-SU-2026:10867-1: moderate: ffmpeg-7-7.1.4-2.1 on GA media


# ffmpeg-7-7.1.4-2.1 on GA media

Announcement ID: openSUSE-SU-2026:10867-1
Rating: moderate

Cross-References:

* CVE-2024-35366
* CVE-2025-10256
* CVE-2025-1594
* CVE-2025-9951

CVSS scores:

* CVE-2024-35366 ( SUSE ): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
* CVE-2024-35366 ( SUSE ): 6.9 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
* CVE-2025-10256 ( SUSE ): 5.5 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
* CVE-2025-10256 ( SUSE ): 6.8 CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
* CVE-2025-1594 ( SUSE ): 6.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L
* CVE-2025-1594 ( SUSE ): 5.3 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N
* CVE-2025-9951 ( SUSE ): 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L
* CVE-2025-9951 ( SUSE ): 6.3 CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N

Affected Products:

* openSUSE Tumbleweed

An update that solves 4 vulnerabilities can now be installed.

## Description:

These are all security issues fixed in the ffmpeg-7-7.1.4-2.1 package on the GA media of openSUSE Tumbleweed.

## Package List:

* openSUSE Tumbleweed:
  * ffmpeg-7 7.1.4-2.1
  * ffmpeg-7-libavcodec-devel 7.1.4-2.1
  * ffmpeg-7-libavdevice-devel 7.1.4-2.1
  * ffmpeg-7-libavfilter-devel 7.1.4-2.1
  * ffmpeg-7-libavformat-devel 7.1.4-2.1
  * ffmpeg-7-libavutil-devel 7.1.4-2.1
  * ffmpeg-7-libpostproc-devel 7.1.4-2.1
  * ffmpeg-7-libswresample-devel 7.1.4-2.1
  * ffmpeg-7-libswscale-devel 7.1.4-2.1
  * libavcodec61 7.1.4-2.1
  * libavdevice61 7.1.4-2.1
  * libavfilter10 7.1.4-2.1
  * libavformat61 7.1.4-2.1
  * libavutil59 7.1.4-2.1
  * libpostproc58 7.1.4-2.1
  * libswresample5 7.1.4-2.1
  * libswscale8 7.1.4-2.1

## References:

* https://www.suse.com/security/cve/CVE-2024-35366.html
* https://www.suse.com/security/cve/CVE-2025-10256.html
* https://www.suse.com/security/cve/CVE-2025-1594.html
* https://www.suse.com/security/cve/CVE-2025-9951.html



openSUSE-SU-2026:10864-1: moderate: MozillaThunderbird-140.11.1-1.1 on GA media


# MozillaThunderbird-140.11.1-1.1 on GA media

Announcement ID: openSUSE-SU-2026:10864-1
Rating: moderate

Cross-References:

* CVE-2026-8388
* CVE-2026-8391
* CVE-2026-8401
* CVE-2026-8946
* CVE-2026-8947
* CVE-2026-8949
* CVE-2026-8950
* CVE-2026-8953
* CVE-2026-8954
* CVE-2026-8955
* CVE-2026-8956
* CVE-2026-8957
* CVE-2026-8958
* CVE-2026-8959
* CVE-2026-8961
* CVE-2026-8962
* CVE-2026-8968
* CVE-2026-8970
* CVE-2026-8974
* CVE-2026-8975

CVSS scores:

* CVE-2026-8401 ( SUSE ): 8.3 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H
* CVE-2026-8946 ( SUSE ): 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
* CVE-2026-8947 ( SUSE ): 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
* CVE-2026-8949 ( SUSE ): 6.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L
* CVE-2026-8950 ( SUSE ): 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
* CVE-2026-8953 ( SUSE ): 7.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
* CVE-2026-8954 ( SUSE ): 7.6 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:L
* CVE-2026-8955 ( SUSE ): 6.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L
* CVE-2026-8956 ( SUSE ): 6.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L
* CVE-2026-8957 ( SUSE ): 6.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L
* CVE-2026-8958 ( SUSE ): 8.6 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
* CVE-2026-8959 ( SUSE ): 7.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
* CVE-2026-8961 ( SUSE ): 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
* CVE-2026-8962 ( SUSE ): 5.4 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
* CVE-2026-8968 ( SUSE ): 4.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L
* CVE-2026-8970 ( SUSE ): 6.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L
* CVE-2026-8974 ( SUSE ): 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
* CVE-2026-8975 ( SUSE ): 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Affected Products:

* openSUSE Tumbleweed

An update that solves 20 vulnerabilities can now be installed.

## Description:

These are all security issues fixed in the MozillaThunderbird-140.11.1-1.1 package on the GA media of openSUSE Tumbleweed.

## Package List:

* openSUSE Tumbleweed:
  * MozillaThunderbird 140.11.1-1.1
  * MozillaThunderbird-openpgp-librnp 140.11.1-1.1
  * MozillaThunderbird-translations-common 140.11.1-1.1
  * MozillaThunderbird-translations-other 140.11.1-1.1

## References:

* https://www.suse.com/security/cve/CVE-2026-8388.html
* https://www.suse.com/security/cve/CVE-2026-8391.html
* https://www.suse.com/security/cve/CVE-2026-8401.html
* https://www.suse.com/security/cve/CVE-2026-8946.html
* https://www.suse.com/security/cve/CVE-2026-8947.html
* https://www.suse.com/security/cve/CVE-2026-8949.html
* https://www.suse.com/security/cve/CVE-2026-8950.html
* https://www.suse.com/security/cve/CVE-2026-8953.html
* https://www.suse.com/security/cve/CVE-2026-8954.html
* https://www.suse.com/security/cve/CVE-2026-8955.html
* https://www.suse.com/security/cve/CVE-2026-8956.html
* https://www.suse.com/security/cve/CVE-2026-8957.html
* https://www.suse.com/security/cve/CVE-2026-8958.html
* https://www.suse.com/security/cve/CVE-2026-8959.html
* https://www.suse.com/security/cve/CVE-2026-8961.html
* https://www.suse.com/security/cve/CVE-2026-8962.html
* https://www.suse.com/security/cve/CVE-2026-8968.html
* https://www.suse.com/security/cve/CVE-2026-8970.html
* https://www.suse.com/security/cve/CVE-2026-8974.html
* https://www.suse.com/security/cve/CVE-2026-8975.html



openSUSE-SU-2026:10866-1: moderate: ffmpeg-4-4.4.7-2.1 on GA media


# ffmpeg-4-4.4.7-2.1 on GA media

Announcement ID: openSUSE-SU-2026:10866-1
Rating: moderate

Cross-References:

* CVE-2024-35366
* CVE-2025-10256
* CVE-2025-1594
* CVE-2025-9951

CVSS scores:

* CVE-2024-35366 ( SUSE ): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
* CVE-2024-35366 ( SUSE ): 6.9 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
* CVE-2025-10256 ( SUSE ): 5.5 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
* CVE-2025-10256 ( SUSE ): 6.8 CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
* CVE-2025-1594 ( SUSE ): 6.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L
* CVE-2025-1594 ( SUSE ): 5.3 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N
* CVE-2025-9951 ( SUSE ): 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L
* CVE-2025-9951 ( SUSE ): 6.3 CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N

Affected Products:

* openSUSE Tumbleweed

An update that solves 4 vulnerabilities can now be installed.

## Description:

These are all security issues fixed in the ffmpeg-4-4.4.7-2.1 package on the GA media of openSUSE Tumbleweed.

## Package List:

* openSUSE Tumbleweed:
  * ffmpeg-4 4.4.7-2.1
  * ffmpeg-4-libavcodec-devel 4.4.7-2.1
  * ffmpeg-4-libavdevice-devel 4.4.7-2.1
  * ffmpeg-4-libavfilter-devel 4.4.7-2.1
  * ffmpeg-4-libavformat-devel 4.4.7-2.1
  * ffmpeg-4-libavresample-devel 4.4.7-2.1
  * ffmpeg-4-libavutil-devel 4.4.7-2.1
  * ffmpeg-4-libpostproc-devel 4.4.7-2.1
  * ffmpeg-4-libswresample-devel 4.4.7-2.1
  * ffmpeg-4-libswscale-devel 4.4.7-2.1
  * ffmpeg-4-private-devel 4.4.7-2.1
  * libavcodec58_134 4.4.7-2.1
  * libavdevice58_13 4.4.7-2.1
  * libavfilter7_110 4.4.7-2.1
  * libavformat58_76 4.4.7-2.1
  * libavresample4_0 4.4.7-2.1
  * libavutil56_70 4.4.7-2.1
  * libpostproc55_9 4.4.7-2.1
  * libswresample3_9 4.4.7-2.1
  * libswscale5_9 4.4.7-2.1

## References:

* https://www.suse.com/security/cve/CVE-2024-35366.html
* https://www.suse.com/security/cve/CVE-2025-10256.html
* https://www.suse.com/security/cve/CVE-2025-1594.html
* https://www.suse.com/security/cve/CVE-2025-9951.html