SUSE 5541 Published by

Security updates have been released for SUSE Linux, including patches for various packages. The openSUSE project has issued the following security updates: coredns, python-urllib3, rabbitmq-server, chromium, libheif, buildah, and podman. These updates address potential security vulnerabilities in these applications. Users are advised to review the specific details of each update to determine which ones they need to install.

openSUSE-SU-2026:20099-1: important: Security update for coredns
openSUSE-SU-2026:20088-1: moderate: Security update for python-urllib3
openSUSE-SU-2026:20082-1: moderate: Security update for rabbitmq-server
openSUSE-SU-2026:20103-1: moderate: Security update for chromium
openSUSE-SU-2026:20076-1: moderate: Security update for libheif
openSUSE-SU-2026:20080-1: important: Security update for buildah
openSUSE-SU-2026:20072-1: important: Security update for podman




openSUSE-SU-2026:20099-1: important: Security update for coredns


openSUSE security update: security update for coredns
-------------------------------------------------------------

Announcement ID: openSUSE-SU-2026:20099-1
Rating: important
References:

* bsc#1239294
* bsc#1239728
* bsc#1249389
* bsc#1255345
* bsc#1256411

Cross-References:

* CVE-2024-51744
* CVE-2025-58063
* CVE-2025-68156
* CVE-2025-68161

CVSS scores:

* CVE-2024-51744 ( SUSE ): 3.1 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N
* CVE-2024-51744 ( SUSE ): 2.1 CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:A/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
* CVE-2025-58063 ( SUSE ): 5.4 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L
* CVE-2025-68156 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
* CVE-2025-68156 ( SUSE ): 8.7 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
* CVE-2025-68161 ( SUSE ): 5.4 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N
* CVE-2025-68161 ( SUSE ): 6.3 CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N

Affected Products:

openSUSE Leap 16.0

-------------------------------------------------------------

An update that solves 4 vulnerabilities and has 5 bug fixes can now be installed.

Description:

This update for coredns fixes the following issues:

Changes in coredns:

- fix CVE-2025-68156 bsc#1255345
- fix CVE-2025-68161 bsc#1256411
- Update to version 1.14.0:
* core: Fix gosec G115 integer overflow warnings
* core: Add regex length limit
* plugin/azure: Fix slice init length
* plugin/errors: Add optional show_first flag to consolidate directive
* plugin/file: Fix for misleading SOA parser warnings
* plugin/kubernetes: Rate limits to api server
* plugin/metrics: Implement plugin chain tracking
* plugin/sign: Report parser err before missing SOA
* build(deps): bump github.com/expr-lang/expr from 1.17.6 to 1.17.7

- Update to version 1.13.2:
* core: Add basic support for DoH3
* core: Avoid proxy unnecessary alloc in Yield
* core: Fix usage of sync.Pool to save an alloc
* core: Fix data race with sync.RWMutex for uniq
* core: Prevent QUIC reload panic by lazily initializing the listener
* core: Refactor/use reflect.TypeFor
* plugin/auto: Limit regex length
* plugin/cache: Remove superfluous allocations in item.toMsg
* plugin/cache: Isolate metadata in prefetch goroutine
* plugin/cache: Correct spelling of MaximumDefaultTTL in cache and dnsutil
packages
* plugin/dnstap: Better error handling (redial & logging) when Dnstap is busy
* plugin/file: Performance finetuning
* plugin/forward: Disallow NOERROR in failover
* plugin/forward: Added support for per-nameserver TLS SNI
* plugin/forward: Prevent busy loop on connection err
* plugin/forward: Add max connect attempts knob
* plugin/geoip: Add ASN schema support
* plugin/geoip: Add support for subdivisions
* plugin/kubernetes: Fix kubernetes plugin logging
* plugin/multisocket: Cap num sockets to prevent OOM
* plugin/nomad: Support service filtering
* plugin/rewrite: Pre-compile CNAME rewrite regexp
* plugin/secondary: Fix reload causing secondary plugin goroutine to leak

- Update to version 1.13.1:
* core: Avoid string concatenation in loops
* core: Update golang to 1.25.2 and golang.org/x/net to v0.45.0 on CVE fixes
* plugin/sign: Reject invalid UTF-8 dbfile token

- Update to version 1.13.0:
* core: Export timeout values in dnsserver.Server
* core: Fix Corefile infinite loop on unclosed braces
* core: Fix Corefile related import cycle issue
* core: Normalize panics on invalid origins
* core: Rely on dns.Server.ShutdownContext to gracefully stop
* plugin/dnstap: Add bounds for plugin args
* plugin/file: Fix data race in tree Elem.Name
* plugin/forward: No failover to next upstream when receiving SERVFAIL or
REFUSED response codes
* plugin/grpc: Enforce DNS message size limits
* plugin/loop: Prevent panic when ListenHosts is empty
* plugin/loop: Avoid panic on invalid server block
* plugin/nomad: Add a Nomad plugin
* plugin/reload: Prevent SIGTERM/reload deadlock

- fix CVE-2025-58063 bsc#1249389
- Update to version 1.12.4:
* bump deps
* fix(transfer): goroutine leak on axfr err (#7516)
* plugin/etcd: fix import order for ttl test (#7515)
* fix(grpc): check proxy list length in policies (#7512)
* fix(https): propagate HTTP request context (#7491)
* fix(plugin): guard nil lookups across plugins (#7494)
* lint: add missing prealloc to backend lookup test (#7510)
* fix(grpc): span leak on error attempt (#7487)
* test(plugin): improve backend lookup coverage (#7496)
* lint: enable prealloc (#7493)
* lint: enable durationcheck (#7492)
* Add Sophotech to adopters list (#7495)
* plugin: Use %w to wrap user error (#7489)
* fix(metrics): add timeouts to metrics HTTP server (#7469)
* chore(ci): restrict token permissions (#7470)
* chore(ci): pin workflow dependencies (#7471)
* fix(forward): use netip package for parsing (#7472)
* test(plugin): improve test coverage for pprof (#7473)
* build(deps): bump github.com/go-viper/mapstructure/v2 (#7468)
* plugin/file: fix label offset problem in ClosestEncloser (#7465)
* feat(trace): migrate dd-trace-go v1 to v2 (#7466)
* test(multisocket): deflake restart by using a fresh port and coordinated cleanup (#7438)
* chore: update Go version to 1.24.6 (#7437)
* plugin/header: Remove deprecated syntax (#7436)
* plugin/loadbalance: support prefer option (#7433)
* Improve caddy.GracefulServer conformance checks (#7416)

- Update to version 1.12.3:
* chore: Minor changes to `Dockerfile` (#7428)
* Properly create hostname from IPv6 (#7431)
* Bump deps
* fix: handle cached connection closure in forward plugin (#7427)
* plugin/test: fix TXT record comparison for multi-chunk vs multiple records
* plugin/file: preserve case in SRV record names and targets per RFC 6763
* fix(auto/file): return REFUSED when no next plugin is available (#7381)
* Port to AWS Go SDK v2 (#6588)
* fix(cache): data race when refreshing cached messages (#7398)
* fix(cache): data race when updating the TTL of cached messages (#7397)
* chore: fix docs incompatibility (#7390)
* plugin/rewrite: Add EDNS0 Unset Action (#7380)
* add args: startup_timeout for kubernetes plugin (#7068)
* [plugin/cache] create a copy of a response to ensure original data is never
modified
* Add support for fallthrough to the grpc plugin (#7359)
* view: Add IPv6 example match (#7355)
* chore: enable more rules from revive (#7352)
* chore: enable early-return and superfluous-else from revive (#7129)
* test(plugin): improve tests for auto (#7348)
* fix(proxy): flaky dial tests (#7349)
* test: add t.Helper() calls to test helper functions (#7351)
* fix(kubernetes): multicluster DNS race condition (#7350)
* lint: enable wastedassign linter (#7340)
* test(plugin): add tests for any (#7341)
* Actually invoke make release -f Makefile.release during test (#7338)
* Keep golang to 1.24.2 due to build issues in 1.24.3 (#7337)
* lint: enable protogetter linter (#7336)
* lint: enable nolintlint linter (#7332)
* fix: missing intrange lint fix (#7333)
* perf(kubernetes): optimize AutoPath slice allocation (#7323)
* lint: enable intrange linter (#7331)
* feat(plugin/file): fallthrough (#7327)
* lint: enable canonicalheader linter (#7330)
* fix(proxy): avoid Dial hang after Transport stopped (#7321)
* test(plugin): add tests for pkg/rand (#7320)
* test(dnsserver): add unit tests for gRPC and QUIC servers (#7319)
* fix: loop variable capture and linter (#7328)
* lint: enable usetesting linter (#7322)
* test: skip certain network-specific tests on non-Linux (#7318)
* test(dnsserver): improve core/dnsserver test coverage (#7317)
* fix(metrics): preserve request size from plugins (#7313)
* fix: ensure DNS query name reset in plugin.NS error path (#7142)
* feat: enable plugins via environment during build (#7310)
* fix(plugin/bind): remove zone for link-local IPv4 (#7295)
* test(request): improve coverage across package (#7307)
* test(coremain): Add unit tests (#7308)
* ci(test-e2e): add Go version setup to workflow (#7309)
* kubernetes: add multicluster support (#7266)
* chore: Add new maintainer thevilledev (#7298)
* Update golangci-lint (#7294)
* feat: limit concurrent DoQ streams and goroutines (#7296)
* docs: add man page for multisocket plugin (#7297)
* Prepare for the k8s api upgrade (#7293)
* fix(rewrite): truncated upstream response (#7277)
* fix(plugin/secondary): make transfer property mandatory (#7249)
* plugin/bind: remove macOS bug mention in docs (#7250)
* Remove `?bla=foo:443` for `POST` DoH (#7257)
* Do not interrupt querying readiness probes for plugins (#6975)
* Added `SetProxyOptions` function for `forward` plugin (#7229)

- Backported quic-go PR #5094: Fix parsing of ifindex from packets
to ensure compatibility with big-endian architectures
(see quic-go/quic-go#4978, coredns/coredns#6682).

- Update to version 1.12.1:
* core: Increase CNAME lookup limit from 7 to 10 (#7153)
* plugin/kubernetes: Fix handling of pods having DeletionTimestamp set
* plugin/kubernetes: Revert "only create PTR records for endpoints with
hostname defined"
* plugin/forward: added option failfast_all_unhealthy_upstreams to return
servfail if all upstreams are down
* bump dependencies, fixing bsc#1239294 and bsc#1239728

- Update to version 1.12.0:
* New multisocket plugin - allows CoreDNS to listen on multiple sockets
* bump deps

- Update to version 1.11.4:
* forward plugin: new option next, to try alternate upstreams when receiving
specified response codes upstreams on (functions like the external plugin
alternate)
* dnssec plugin: new option to load keys from AWS Secrets Manager
* rewrite plugin: new option to revert EDNS0 option rewrites in responses

- Update to version 1.11.3+git129.387f34d:
* fix CVE-2024-51744 (https://bugzilla.suse.com/show_bug.cgi?id=1232991): build(deps): bump github.com/golang-jwt/jwt/v4 from 4.5.0 to 4.5.1 (#6955)
* core: set cache-control max-age as integer, not float (#6764)
* Issue-6671: Fixed the order of plugins. (#6729)
* `root`: explicit mark `dnssec` support (#6753)
* feat: dnssec load keys from AWS Secrets Manager (#6618)
* fuzzing: fix broken oss-fuzz build (#6880)
* Replace k8s.io/utils/strings/slices by Go stdlib slices (#6863)
* Update .go-version to 1.23.2 (#6920)
* plugin/rewrite: Add "revert" parameter for EDNS0 options (#6893)
* Added OpenSSF Scorecard Badge (#6738)
* fix(cwd): Restored backwards compatibility of Current Workdir (#6731)
* fix: plugin/auto: call OnShutdown() for each zone at its own OnShutdown() (#6705)
* feature: log queue and buffer memory size configuration (#6591)
* plugin/bind: add zone for link-local IPv6 instead of skipping (#6547)
* only create PTR records for endpoints with hostname defined (#6898)
* fix: reverter should execute the reversion in reversed order (#6872)
* plugin/etcd: fix etcd connection leakage when reload (#6646)
* kubernetes: Add useragent (#6484)
* Update build (#6836)
* Update grpc library use (#6826)
* Bump go version from 1.21.11 to 1.21.12 (#6800)
* Upgrade antonmedv/expr to expr-lang/expr (#6814)
* hosts: add hostsfile as label for coredns_hosts_entries (#6801)
* fix TestCorefile1 panic for nil handling (#6802)

Patch instructions:

To install this openSUSE security update use the suse recommended installation methods
like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

- openSUSE Leap 16.0

zypper in -t patch openSUSE-Leap-16.0-packagehub-87=1

Package List:

- openSUSE Leap 16.0:

coredns-1.14.0-bp160.1.1
coredns-extras-1.14.0-bp160.1.1

References:

* https://www.suse.com/security/cve/CVE-2024-51744.html
* https://www.suse.com/security/cve/CVE-2025-58063.html
* https://www.suse.com/security/cve/CVE-2025-68156.html
* https://www.suse.com/security/cve/CVE-2025-68161.html
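The summary at the top of this digest asks readers to work out which of these updates they actually need. The following script is an added example, not part of the SUSE advisories: it parses Package List entries of the form shown above (name-version-release) and compares them, using an rpm-style version comparison, against a constructed inventory of installed packages (made-up data, not a real host), reporting which packages the advisory would upgrade. The comparison reimplements the rpmvercmp rules for digit segments, letter segments and `~`; the `^` rule and epochs are omitted because none of the packages listed here use them.

```python
"""Match an openSUSE advisory's Package List against installed packages.

Added example, not part of the advisories. INSTALLED is constructed to look
like `rpm -qa --qf '%{NAME}-%{VERSION}-%{RELEASE}\n'` output on a
hypothetical Leap 16.0 host; it is not real inventory data.
"""
import re

# Fixed package NEVRs, copied from the coredns and python-urllib3 Package Lists.
ADVISORY_PACKAGES = [
    "coredns-1.14.0-bp160.1.1",
    "coredns-extras-1.14.0-bp160.1.1",
    "python313-urllib3-2.5.0-160000.3.1",
]

# Constructed inventory of a hypothetical host (not real data).
INSTALLED = [
    "coredns-1.12.4-bp160.1.1",            # older upstream version -> needs update
    "python313-urllib3-2.5.0-160000.2.1",  # same version, older release -> needs update
    "podman-5.4.2-160000.3.1",             # not covered by the two advisories above
]

_TOKEN = re.compile(r"[0-9]+|[a-zA-Z]+|~")


def split_nvr(nvr):
    """Split 'name-version-release' into (name, version, release).
    Names may contain dashes, so split from the right."""
    name, version, release = nvr.rsplit("-", 2)
    return name, version, release


def rpmvercmp(a, b):
    """Compare two version or release strings with RPM's segment rules.
    Returns -1, 0 or 1. Digit runs compare numerically, letter runs compare
    lexically, a digit run sorts after a letter run, and '~' sorts before
    anything else, including the end of the string (so 1.0~rc1 < 1.0).
    Separators such as '.' and '+' only delimit segments."""
    ta, tb = _TOKEN.findall(a), _TOKEN.findall(b)
    i = 0
    while True:
        xa = ta[i] if i < len(ta) else None
        xb = tb[i] if i < len(tb) else None
        if xa is None and xb is None:
            return 0
        if xa == "~" or xb == "~":
            if xa != xb:
                return -1 if xa == "~" else 1
            i += 1
            continue
        if xa is None:
            return -1
        if xb is None:
            return 1
        da, db = xa.isdigit(), xb.isdigit()
        if da and db:
            na, nb = int(xa), int(xb)
            if na != nb:
                return -1 if na < nb else 1
        elif da != db:
            return 1 if da else -1
        elif xa != xb:
            return -1 if xa < xb else 1
        i += 1


def compare_nvr(installed, fixed):
    """Return 1 if `fixed` is newer than `installed`, 0 if equal, -1 if older.
    Version decides first, release breaks ties, as RPM does."""
    _, iv, ir = split_nvr(installed)
    _, fv, fr = split_nvr(fixed)
    c = rpmvercmp(fv, iv)
    return c if c != 0 else rpmvercmp(fr, ir)


def pending_updates(installed, advisory):
    """Return {name: (installed_nvr, fixed_nvr)} for every installed package
    that the advisory would upgrade. Packages absent from the advisory, and
    packages already at or above the fixed NEVR, are not reported."""
    fixed_by_name = {split_nvr(p)[0]: p for p in advisory}
    result = {}
    for nvr in installed:
        name = split_nvr(nvr)[0]
        fixed = fixed_by_name.get(name)
        if fixed is not None and compare_nvr(nvr, fixed) > 0:
            result[name] = (nvr, fixed)
    return result


if __name__ == "__main__":
    for name, (have, want) in sorted(pending_updates(INSTALLED, ADVISORY_PACKAGES).items()):
        print(f"{name}: installed {have}, advisory provides {want}")
```

On a real host, replace INSTALLED with the output of the `rpm -qa` query named in the docstring; the rest of the script is unchanged. Note that a package already carrying the fixed NEVR, or a newer one, is correctly left out of the report, which is what distinguishes this from a plain name match.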



openSUSE-SU-2026:20088-1: moderate: Security update for python-urllib3


openSUSE security update: security update for python-urllib3
-------------------------------------------------------------

Announcement ID: openSUSE-SU-2026:20088-1
Rating: moderate
References:

* bsc#1256331

Cross-References:

* CVE-2026-21441

CVSS scores:

* CVE-2026-21441 ( SUSE ): 4.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L
* CVE-2026-21441 ( SUSE ): 2.3 CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N

Affected Products:

openSUSE Leap 16.0

-------------------------------------------------------------

An update that solves one vulnerability and has one bug fix can now be installed.

Description:

This update for python-urllib3 fixes the following issues:

- CVE-2026-21441: Fixed excessive resource consumption during decompression of data in HTTP redirect responses (bsc#1256331).

Patch instructions:

To install this openSUSE security update use the suse recommended installation methods
like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

- openSUSE Leap 16.0

zypper in -t patch openSUSE-Leap-16.0-177=1

Package List:

- openSUSE Leap 16.0:

python313-urllib3-2.5.0-160000.3.1

References:

* https://www.suse.com/security/cve/CVE-2026-21441.html



openSUSE-SU-2026:20082-1: moderate: Security update for rabbitmq-server


openSUSE security update: security update for rabbitmq-server
-------------------------------------------------------------

Announcement ID: openSUSE-SU-2026:20082-1
Rating: moderate
References:

* bsc#1246091

Cross-References:

* CVE-2025-30219

CVSS scores:

* CVE-2025-30219 ( SUSE ): 6.1 CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:N/A:L
* CVE-2025-30219 ( SUSE ): 5.7 CVSS:4.0/AV:L/AC:H/AT:P/PR:H/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N

Affected Products:

openSUSE Leap 16.0

-------------------------------------------------------------

An update that solves one vulnerability and has one bug fix can now be installed.

Description:

This update for rabbitmq-server fixes the following issues:

Changes in rabbitmq-server:

Update to 4.1.5:

* Highlights

- Khepri, an alternative schema data store developed to replace Mnesia,
has matured and is now fully supported (it previously was an experimental feature)
- AMQP 1.0 is now a core protocol that is always enabled. Its plugin is now a no-op that only exists to simplify upgrades.
- The AMQP 1.0 implementation is now significantly more efficient: its peak throughput is more than double that of 3.13.x on some workloads
- Efficient sub-linear quorum queue recovery on node startup using checkpoints
- Quorum queues now support priorities (but not exactly the same way as classic queues)
- AMQP 1.0 clients now can manage topologies similarly to how AMQP 0-9-1 clients do it
- The AMQP 1.0 convention (address format) used for interacting with AMQP 0-9-1 entities is now easier to reason about
- Mirroring (replication) of classic queues was removed after several years of deprecation. For replicated messaging data types,
use quorum queues and/or streams. Non-replicated classic queues remain and their development continues
- Classic queue storage efficiency improvements, in particular recovery time and storage of multi-MiB messages
- Nodes with multiple enabled plugins and little on disk data to recover now start up to 20-30% faster
- New exchange type: Local Random Exchange
- Quorum queue log reads are now offloaded to channels (sessions, connections).
- Initial Support for AMQP 1.0 Filter Expressions
- Feature Flags Quality of Life Improvements
- rabbitmqadmin v2

* Breaking Changes

- Before a client connection can negotiate a maximum frame size (frame_max), it must authenticate
successfully. Before the authenticated phase, a special lower frame_max value
is used.
- With this release, the value was increased from the original 4096 bytes to 8192
to accommodate larger JWT tokens.
- amqplib is a popular client library that has been using
a low frame_max default of 4096. Its users must upgrade to a compatible version
(starting with 0.10.7) or explicitly use a higher frame_max.
amqplib versions older than 0.10.7 will not be able to connect to
RabbitMQ 4.1.0 and later versions due to the initial AMQP 0-9-1 maximum frame size
increase covered above.
- The default MQTT Maximum Packet Size changed from 256 MiB to 16 MiB.
- The following rabbitmq.conf settings are unsupported:

- cluster_formation.etcd.ssl_options.fail_if_no_peer_cert
- cluster_formation.etcd.ssl_options.dh
- cluster_formation.etcd.ssl_options.dhfile

- Classic Queues are Now a Non-Replicated Queue Type
- Quorum Queues Now Have a Default Redelivery Limit
- Up to RabbitMQ 3.13, when an AMQP 0.9.1 client (re-)published a message to RabbitMQ, RabbitMQ interpreted the AMQP 0.9.1 x-death header in the published message's basic_message.content.properties.headers field. RabbitMQ 4.x will not interpret this x-death header anymore when clients (re-)publish a message.
- CQv1 Storage Implementation was Removed
- Settings cluster_formation.randomized_startup_delay_range.* were Removed
- Several Disk I/O-Related Metrics were Removed
- Default Maximum Message Size Reduced to 16 MiB
- RabbitMQ 3.13 rabbitmq.conf setting rabbitmq_amqp1_0.default_vhost is unsupported in RabbitMQ 4.0.
- RabbitMQ 3.13 rabbitmq.conf settings mqtt.default_user, mqtt.default_password,
and amqp1_0.default_user are unsupported in RabbitMQ 4.0.
- Starting with Erlang 26, client side TLS peer certificate chain verification settings are enabled by default in most contexts:
from federation links to shovels to TLS-enabled LDAP client connections.
- RabbitMQ Shovels will be able to connect to a RabbitMQ 4.0 node via AMQP 1.0 only when the Shovel runs on a RabbitMQ node >= 3.13.7.

* See https://github.com/rabbitmq/rabbitmq-server/releases/tag/v4.0.1
* and https://github.com/rabbitmq/rabbitmq-server/releases/tag/v4.1.0 for more info

- Restore SLES logrotate file (bsc#1246091)
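The frame_max breaking change above turns on a detail of the AMQP 0-9-1 handshake: Connection.Start-Ok, which carries the SASL response (and therefore any token used as a password), is sent before Connection.Tune negotiates the real frame_max, so it has to fit under the fixed pre-authentication cap. The following script is an added example, not RabbitMQ or amqplib code: it builds a minimal Start-Ok method frame around a constructed, fake JWT-shaped token and checks it against the two caps quoted in the release notes (4096 before 4.1, 8192 from 4.1), with the size check placed before any payload is parsed, which is the order a broker needs to avoid buffering unbounded input from an unauthenticated peer. The mechanism, channel and field-table details follow the AMQP 0-9-1 specification; the token format and lengths are assumptions made for the demonstration.

```python
"""Pre-authentication frame_max in AMQP 0-9-1, as changed in RabbitMQ 4.1.

Added example, not RabbitMQ or amqplib code. Builds a minimal
Connection.Start-Ok frame whose PLAIN response carries a token as the
password and checks it against the pre-tune frame size caps from the
release notes.
"""
import struct

FRAME_METHOD = 1               # frame type for method frames
FRAME_END = 0xCE               # mandatory trailing octet of every frame
FRAME_OVERHEAD = 8             # 7-octet header + 1 frame-end octet
PRE_TUNE_FRAME_MAX_OLD = 4096  # pre-authentication cap before RabbitMQ 4.1
PRE_TUNE_FRAME_MAX_NEW = 8192  # pre-authentication cap from RabbitMQ 4.1

# Constructed, JWT-shaped strings that are NOT real credentials; only their
# length matters here (roughly 4.5 KiB and 0.9 KiB of token text).
FAKE_LONG_TOKEN = "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9." + "A" * 4480 + ".c2lnbmF0dXJl"
FAKE_SHORT_TOKEN = "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9." + "A" * 900 + ".c2lnbmF0dXJl"


def shortstr(s):
    """AMQP short string: 1-octet length prefix, at most 255 bytes."""
    b = s.encode()
    if len(b) > 255:
        raise ValueError("shortstr too long")
    return struct.pack(">B", len(b)) + b


def longstr(b):
    """AMQP long string: 4-octet big-endian length prefix."""
    return struct.pack(">I", len(b)) + b


def start_ok_frame(user, password, mechanism="PLAIN"):
    """Build a Connection.Start-Ok frame (class 10, method 11) on channel 0
    with an empty client-properties table and a SASL PLAIN response
    (NUL user NUL password)."""
    response = b"\0" + user.encode() + b"\0" + password.encode()
    payload = (
        struct.pack(">HH", 10, 11)      # class-id, method-id
        + struct.pack(">I", 0)          # client-properties: empty field table
        + shortstr(mechanism)
        + longstr(response)
        + shortstr("en_US")
    )
    header = struct.pack(">BHI", FRAME_METHOD, 0, len(payload))
    return header + payload + bytes([FRAME_END])


def check_frame(frame, frame_max):
    """Validate one frame against frame_max, which counts header and
    frame-end. Returns (accepted, reason). The declared size is checked
    from the 7-octet header before the payload is examined."""
    if len(frame) < FRAME_OVERHEAD:
        return False, "truncated header"
    ftype, channel, size = struct.unpack(">BHI", frame[:7])
    if size + FRAME_OVERHEAD > frame_max:
        return False, f"frame of {size + FRAME_OVERHEAD} octets exceeds frame_max {frame_max}"
    if len(frame) != size + FRAME_OVERHEAD:
        return False, "declared size does not match frame length"
    if frame[-1] != FRAME_END:
        return False, "missing frame-end octet"
    if ftype != FRAME_METHOD or channel != 0:
        return False, "pre-tune traffic must be method frames on channel 0"
    return True, "accepted"


def login_fits(token, frame_max, user=""):
    """True if a Start-Ok carrying `token` as the password fits under frame_max."""
    return check_frame(start_ok_frame(user, token), frame_max)[0]


if __name__ == "__main__":
    for cap in (PRE_TUNE_FRAME_MAX_OLD, PRE_TUNE_FRAME_MAX_NEW):
        print(f"frame_max={cap}: short token accepted={login_fits(FAKE_SHORT_TOKEN, cap)}, "
              f"long token accepted={login_fits(FAKE_LONG_TOKEN, cap)}")
```

The long token fails under the old 4096-octet cap and passes under 8192, which is exactly the situation the release notes describe for large JWTs; the short token passes under both. The same check also explains the amqplib note: a client that itself assumes a 4096-octet frame_max has to be told the new value or upgraded, since the server-side cap alone does not change what the client is willing to send or receive.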

Patch instructions:

To install this openSUSE security update use the suse recommended installation methods
like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

- openSUSE Leap 16.0

zypper in -t patch openSUSE-Leap-16.0-171=1

Package List:

- openSUSE Leap 16.0:

erlang-rabbitmq-client-4.1.5-160000.1.1
rabbitmq-server-4.1.5-160000.1.1
rabbitmq-server-bash-completion-4.1.5-160000.1.1
rabbitmq-server-plugins-4.1.5-160000.1.1
rabbitmq-server-zsh-completion-4.1.5-160000.1.1

References:

* https://www.suse.com/security/cve/CVE-2025-30219.html



openSUSE-SU-2026:20103-1: moderate: Security update for chromium


openSUSE security update: security update for chromium
-------------------------------------------------------------

Announcement ID: openSUSE-SU-2026:20103-1
Rating: moderate
References:

* bsc#1256938
* bsc#1257011

Cross-References:

* CVE-2026-1220

Affected Products:

openSUSE Leap 16.0

-------------------------------------------------------------

An update that solves one vulnerability and has 2 bug fixes can now be installed.

Description:

This update for chromium fixes the following issues:

Changes in chromium:

- Chromium 144.0.7559.96 (boo#1257011)
* CVE-2026-1220: Race in V8

- update INSTALL.sh to handle the added tags in the desktop file (boo#1256938)

Patch instructions:

To install this openSUSE security update use the suse recommended installation methods
like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

- openSUSE Leap 16.0

zypper in -t patch openSUSE-Leap-16.0-packagehub-91=1

Package List:

- openSUSE Leap 16.0:

chromedriver-144.0.7559.96-bp160.1.1
chromium-144.0.7559.96-bp160.1.1

References:

* https://www.suse.com/security/cve/CVE-2026-1220.html



openSUSE-SU-2026:20076-1: moderate: Security update for libheif


openSUSE security update: security update for libheif
-------------------------------------------------------------

Announcement ID: openSUSE-SU-2026:20076-1
Rating: moderate
References:

* bsc#1255735

Cross-References:

* CVE-2025-68431

CVSS scores:

* CVE-2025-68431 ( SUSE ): 5.5 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
* CVE-2025-68431 ( SUSE ): 6.8 CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Affected Products:

openSUSE Leap 16.0

-------------------------------------------------------------

An update that solves one vulnerability and has one bug fix can now be installed.

Description:

This update for libheif fixes the following issues:

- CVE-2025-68431: heap buffer over-read in `HeifPixelImage::overlay()` via crafted HEIF file that exercises the overlay
image item path (bsc#1255735).

Patch instructions:

To install this openSUSE security update use the suse recommended installation methods
like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

- openSUSE Leap 16.0

zypper in -t patch openSUSE-Leap-16.0-165=1

Package List:

- openSUSE Leap 16.0:

gdk-pixbuf-loader-libheif-1.19.7-160000.3.1
libheif-aom-1.19.7-160000.3.1
libheif-dav1d-1.19.7-160000.3.1
libheif-devel-1.19.7-160000.3.1
libheif-ffmpeg-1.19.7-160000.3.1
libheif-jpeg-1.19.7-160000.3.1
libheif-openjpeg-1.19.7-160000.3.1
libheif-rav1e-1.19.7-160000.3.1
libheif-svtenc-1.19.7-160000.3.1
libheif1-1.19.7-160000.3.1

References:

* https://www.suse.com/security/cve/CVE-2025-68431.html



openSUSE-SU-2026:20080-1: important: Security update for buildah


openSUSE security update: security update for buildah
-------------------------------------------------------------

Announcement ID: openSUSE-SU-2026:20080-1
Rating: important
References:

* bsc#1253096
* bsc#1253598
* bsc#1254054

Cross-References:

* CVE-2025-31133
* CVE-2025-47913
* CVE-2025-47914
* CVE-2025-52565
* CVE-2025-52881

CVSS scores:

* CVE-2025-31133 ( SUSE ): 7.8 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
* CVE-2025-31133 ( SUSE ): 7.3 CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
* CVE-2025-47913 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
* CVE-2025-47913 ( SUSE ): 8.7 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
* CVE-2025-47914 ( SUSE ): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
* CVE-2025-47914 ( SUSE ): 6.9 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
* CVE-2025-52565 ( SUSE ): 7.8 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
* CVE-2025-52565 ( SUSE ): 7.3 CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
* CVE-2025-52881 ( SUSE ): 7.8 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
* CVE-2025-52881 ( SUSE ): 7.3 CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

Affected Products:

openSUSE Leap 16.0

-------------------------------------------------------------

An update that solves 5 vulnerabilities and has 3 bug fixes can now be installed.

Description:

This update for buildah fixes the following issues:

- CVE-2025-47914: golang.org/x/crypto/ssh/agent: Fixed non-validated message size causing a panic due to an out-of-bounds read (bsc#1254054)
- CVE-2025-47913: golang.org/x/crypto/ssh/agent: Fixed client process termination when receiving an unexpected message type in response to a key listing or signing request (bsc#1253598)
- CVE-2025-31133, CVE-2025-52565, CVE-2025-52881: Fixed container breakouts by bypassing runc's restrictions for writing to arbitrary /proc files (bsc#1253096)

Other fixes:

- Updated to version 1.39.5.

Patch instructions:

To install this openSUSE security update use the suse recommended installation methods
like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

- openSUSE Leap 16.0

zypper in -t patch openSUSE-Leap-16.0-169=1

Package List:

- openSUSE Leap 16.0:

buildah-1.39.5-160000.1.1

References:

* https://www.suse.com/security/cve/CVE-2025-31133.html
* https://www.suse.com/security/cve/CVE-2025-47913.html
* https://www.suse.com/security/cve/CVE-2025-47914.html
* https://www.suse.com/security/cve/CVE-2025-52565.html
* https://www.suse.com/security/cve/CVE-2025-52881.html



openSUSE-SU-2026:20072-1: important: Security update for podman


openSUSE security update: security update for podman
-------------------------------------------------------------

Announcement ID: openSUSE-SU-2026:20072-1
Rating: important
References:

* bsc#1249154
* bsc#1252376

Cross-References:

* CVE-2025-31133
* CVE-2025-52565
* CVE-2025-52881
* CVE-2025-9566

CVSS scores:

* CVE-2025-31133 ( SUSE ): 7.8 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
* CVE-2025-31133 ( SUSE ): 7.3 CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
* CVE-2025-52565 ( SUSE ): 7.8 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
* CVE-2025-52565 ( SUSE ): 7.3 CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
* CVE-2025-52881 ( SUSE ): 7.8 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
* CVE-2025-52881 ( SUSE ): 7.3 CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
* CVE-2025-9566 ( SUSE ): 8.1 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H
* CVE-2025-9566 ( SUSE ): 7.2 CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N

Affected Products:

openSUSE Leap 16.0

-------------------------------------------------------------

An update that solves 4 vulnerabilities and has 2 bug fixes can now be installed.

Description:

This update for podman fixes the following issues:

- CVE-2025-31133, CVE-2025-52565, CVE-2025-52881: container breakouts by bypassing runc's restrictions for writing to arbitrary /proc files (bsc#1252376).
- CVE-2025-9566: kube play command may overwrite host files (bsc#1249154).

Patch instructions:

To install this openSUSE security update use the suse recommended installation methods
like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

- openSUSE Leap 16.0

zypper in -t patch openSUSE-Leap-16.0-161=1

Package List:

- openSUSE Leap 16.0:

podman-5.4.2-160000.3.1
podman-docker-5.4.2-160000.3.1
podman-remote-5.4.2-160000.3.1
podmansh-5.4.2-160000.3.1

References:

* https://www.suse.com/security/cve/CVE-2025-31133.html
* https://www.suse.com/security/cve/CVE-2025-52565.html
* https://www.suse.com/security/cve/CVE-2025-52881.html
* https://www.suse.com/security/cve/CVE-2025-9566.html