SUSE 5534 Published by

There are four openSUSE security updates: one for FreeRDP, which solves nine vulnerabilities and is rated moderate; one for Docker, which solves one vulnerability and has four bug fixes, rated critical; one for go-sendxmpp, which solves three vulnerabilities and has three bug fixes, rated moderate; and one for cpp-httplib, which solves two vulnerabilities, rated critical. The Docker update brings the package to 28.5.1-ce with docker-buildx 0.29.0, fixes CVE-2025-54388, and changes the default build path: because docker-buildx does not support SUSEConnect secret injection, "docker build" no longer falls through to "docker buildx build" unless DOCKER_BUILDKIT=1 is set, and SCC credentials have to be handed to BuildKit as a secret mount instead. The FreeRDP update lists nine CVEs with CVSS scores but gives no per-issue details. The go-sendxmpp update moves to version 0.15.1, adding XEP-0359 origin IDs and pulling in a newer golang.org/x/net that fixes three CVEs in its HTML package. The cpp-httplib update addresses client-controlled header injection that enables IP spoofing, log poisoning and authorization bypass, together with unconditional trust of X-Forwarded-For and X-Real-IP.

openSUSE-SU-2026:10059-1: moderate: freerdp-3.20.2-1.1 on GA media
openSUSE-SU-2026:20057-1: critical: Security update for docker
openSUSE-SU-2026:20058-1: moderate: Security update for go-sendxmpp
openSUSE-SU-2026:20056-1: critical: Security update for cpp-httplib




openSUSE-SU-2026:10059-1: moderate: freerdp-3.20.2-1.1 on GA media


# freerdp-3.20.2-1.1 on GA media

Announcement ID: openSUSE-SU-2026:10059-1
Rating: moderate

Cross-References:

* CVE-2026-22851
* CVE-2026-22852
* CVE-2026-22853
* CVE-2026-22854
* CVE-2026-22855
* CVE-2026-22856
* CVE-2026-22857
* CVE-2026-22858
* CVE-2026-22859

CVSS scores:

* CVE-2026-22851 ( SUSE ): 5.9 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
* CVE-2026-22851 ( SUSE ): 8.2 CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
* CVE-2026-22852 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
* CVE-2026-22852 ( SUSE ): 7.7 CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
* CVE-2026-22853 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
* CVE-2026-22853 ( SUSE ): 7.7 CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
* CVE-2026-22854 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
* CVE-2026-22854 ( SUSE ): 7.7 CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
* CVE-2026-22855 ( SUSE ): 6.8 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:H
* CVE-2026-22855 ( SUSE ): 6.1 CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:P/VC:H/VI:N/VA:H/SC:N/SI:N/SA:N
* CVE-2026-22856 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
* CVE-2026-22856 ( SUSE ): 7.7 CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
* CVE-2026-22857 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
* CVE-2026-22857 ( SUSE ): 7.7 CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
* CVE-2026-22858 ( SUSE ): 6.8 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:H
* CVE-2026-22858 ( SUSE ): 6.1 CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:P/VC:H/VI:N/VA:H/SC:N/SI:N/SA:N
* CVE-2026-22859 ( SUSE ): 6.8 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:H
* CVE-2026-22859 ( SUSE ): 6.1 CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:P/VC:H/VI:N/VA:H/SC:N/SI:N/SA:N

Affected Products:

* openSUSE Tumbleweed

An update that solves 9 vulnerabilities can now be installed.

## Description:

These are all security issues fixed in the freerdp-3.20.2-1.1 package on the GA media of openSUSE Tumbleweed.

## Package List:

* openSUSE Tumbleweed:
* freerdp 3.20.2-1.1
* freerdp-devel 3.20.2-1.1
* freerdp-proxy 3.20.2-1.1
* freerdp-proxy-plugins 3.20.2-1.1
* freerdp-sdl 3.20.2-1.1
* freerdp-server 3.20.2-1.1
* freerdp-wayland 3.20.2-1.1
* libfreerdp-server-proxy3-3 3.20.2-1.1
* libfreerdp3-3 3.20.2-1.1
* librdtk0-0 3.20.2-1.1
* libuwac0-0 3.20.2-1.1
* libwinpr3-3 3.20.2-1.1
* rdtk0-devel 3.20.2-1.1
* uwac0-devel 3.20.2-1.1
* winpr-devel 3.20.2-1.1

## References:

* https://www.suse.com/security/cve/CVE-2026-22851.html
* https://www.suse.com/security/cve/CVE-2026-22852.html
* https://www.suse.com/security/cve/CVE-2026-22853.html
* https://www.suse.com/security/cve/CVE-2026-22854.html
* https://www.suse.com/security/cve/CVE-2026-22855.html
* https://www.suse.com/security/cve/CVE-2026-22856.html
* https://www.suse.com/security/cve/CVE-2026-22857.html
* https://www.suse.com/security/cve/CVE-2026-22858.html
* https://www.suse.com/security/cve/CVE-2026-22859.html



openSUSE-SU-2026:20057-1: critical: Security update for docker


openSUSE security update: security update for docker
-------------------------------------------------------------

Announcement ID: openSUSE-SU-2026:20057-1
Rating: critical
References:

* bsc#1247367
* bsc#1247594
* bsc#1248373
* bsc#1250508

Cross-References:

* CVE-2025-54388

CVSS scores:

* CVE-2025-54388 ( SUSE ): 5.2 CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
* CVE-2025-54388 ( SUSE ): 5.1 CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N

Affected Products:

openSUSE Leap 16.0

-------------------------------------------------------------

An update that solves one vulnerability and has 4 bug fixes can now be installed.

Description:

This update for docker fixes the following issues:

Changes in docker:

- Update to Docker 28.5.1-ce. See upstream changelog online at
( https://docs.docker.com/engine/release-notes/28/#2851)

- Update to Docker 28.5.0-ce. See upstream changelog online at
( https://docs.docker.com/engine/release-notes/28/#2850)

- Update to docker-buildx v0.29.0. Upstream changelog:
( https://github.com/docker/buildx/releases/tag/v0.29.0)

- Remove git-core recommends on SLE. Most SLE systems have
installRecommends=yes by default and thus end up installing git with Docker.
bsc#1250508

This feature is mostly intended for developers ("docker build git://") so
most users already have the dependency installed, and the error when git is
missing is fairly straightforward (so they can easily figure out what they
need to install).

- Update to docker-buildx v0.28.0. Upstream changelog:
( https://github.com/docker/buildx/releases/tag/v0.28.0)

- Update to Docker 28.4.0-ce. See upstream changelog online at
( https://docs.docker.com/engine/release-notes/28/#2840)
* Fixes a nil pointer panic in "docker push". bsc#1248373

- Update warnings and errors related to "docker buildx ..." so that they
reference our openSUSE docker-buildx packages.

- Enable building docker-buildx for SLE15 systems with SUSEConnect secret
injection enabled. PED-12534 PED-8905 bsc#1247594

As docker-buildx does not support our SUSEConnect secret injection (and some
users depend on "docker build" working transparently), patch the docker CLI so
that "docker build" will no longer automatically call "docker buildx build",
effectively making DOCKER_BUILDKIT=0 the default configuration. Users can
manually use "docker buildx ..." commands or set DOCKER_BUILDKIT=1 in order
to opt in to using docker-buildx.

Users can silence the "docker build" warning by setting DOCKER_BUILDKIT=0
explicitly.

In order to inject SCC credentials with docker-buildx, users should use

RUN --mount=type=secret,id=SCCcredentials zypper -n ...

in their Dockerfiles, and

docker buildx build --secret id=SCCcredentials,src=/etc/zypp/credentials.d/SCCcredentials,type=file .

when doing their builds.

- Update to Docker 28.3.3-ce. See upstream changelog online at
( https://docs.docker.com/engine/release-notes/28/#2833)
CVE-2025-54388 bsc#1247367

- Update to docker-buildx v0.26.1. Upstream changelog:
( https://github.com/docker/buildx/releases/tag/v0.26.1)

- Update to docker-buildx v0.26.0. Upstream changelog:
( https://github.com/docker/buildx/releases/tag/v0.26.0)

Patch instructions:

To install this openSUSE security update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

- openSUSE Leap 16.0

zypper in -t patch openSUSE-Leap-16.0-151=1

Package List:

- openSUSE Leap 16.0:

docker-28.5.1_ce-160000.4.1
docker-bash-completion-28.5.1_ce-160000.4.1
docker-buildx-0.29.0-160000.4.1
docker-fish-completion-28.5.1_ce-160000.4.1
docker-rootless-extras-28.5.1_ce-160000.4.1
docker-zsh-completion-28.5.1_ce-160000.4.1

References:

* https://www.suse.com/security/cve/CVE-2025-54388.html



openSUSE-SU-2026:20058-1: moderate: Security update for go-sendxmpp


openSUSE security update: security update for go-sendxmpp
-------------------------------------------------------------

Announcement ID: openSUSE-SU-2026:20058-1
Rating: moderate
References:

* bsc#1241814
* bsc#1251461
* bsc#1251677

Cross-References:

* CVE-2025-22872
* CVE-2025-47911
* CVE-2025-58190

CVSS scores:

* CVE-2025-22872 ( SUSE ): 6.5 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:L
* CVE-2025-22872 ( SUSE ): 6.3 CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:L/SC:L/SI:L/SA:L
* CVE-2025-47911 ( SUSE ): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
* CVE-2025-47911 ( SUSE ): 6.9 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
* CVE-2025-58190 ( SUSE ): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
* CVE-2025-58190 ( SUSE ): 6.9 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N

Affected Products:

openSUSE Leap 16.0

-------------------------------------------------------------

An update that solves 3 vulnerabilities and has 3 bug fixes can now be installed.

Description:

This update for go-sendxmpp fixes the following issues:

Changes in go-sendxmpp:

- Update to 0.15.1:
Added
* Add XEP-0359 Origin-ID to messages (requires go-xmpp >= v0.2.18).
Changed
* HTTP upload: Ignore timeouts on disco IQs as some components do
not reply.
- Upgrades the embedded golang.org/x/net to 0.46.0
* Fixes: bsc#1251461, CVE-2025-47911: various algorithms with
quadratic complexity when parsing HTML documents
* Fixes: bsc#1251677, CVE-2025-58190: excessive memory consumption
by 'html.ParseFragment' when processing specially crafted input

- Update to 0.15.0:
Added:
* Add flag --verbose to show debug information.
* Add flag --recipients to specify recipients by file.
* Add flag --retry-connect to try after a waiting time if the connection fails.
* Add flag --retry-connect-max to specify the amount of retry attempts.
* Add flag --legacy-pgp for using XEP-0027 PGP encryption with Ox keys.
* Add support for punycode domains.
Changed:
* Update gopenpgp library to v3.
* Improve error detection for MUC joins.
* Don't try to connect to other SRV record targets if error contains 'auth-failure'.
* Remove support for old SSDP version (via go-xmpp v0.2.15).
* Http-upload: Stop checking other disco items after finding upload component.
* Increase default TLS version to 1.3.
- bsc#1241814 (CVE-2025-22872): This update includes golang.org/x/net/html 0.43.0

- Update to 0.14.1:
* Use prettier date format for error messages.
* Update XEP-0474 to version 0.4.0 (requires go-xmpp >= 0.2.10).

- Update to 0.14.0:
Added:
* Add --fast-invalidate to allow invalidating the FAST token.
Changed:
* Don't create legacy Ox private key directory in ~/.local/share/go-sendxmpp/oxprivkeys.
* Delete legacy Ox private key directory if it's empty.
* Show proper error if saved FAST mechanism isn't usable with current TLS version (requires go-xmpp >= 0.2.9).
* Print debug output to stdout, not stderr (requires go-xmpp >= 0.2.9).
* Show RECV: and SEND: prefix for debug output (requires go-xmpp >= 0.2.9).
* Delete stored fast token if --fast-invalidate and --fast-off are set.
* Show error when FAST creds are stored but non-FAST mechanism is requested.

- Update to 0.13.0:
Added:
* Add --anonymous to support anonymous authentication (requires go-xmpp >= 0.2.8).
* Add XEP-0480: SASL Upgrade Tasks support (requires go-xmpp >= 0.2.8).
* Add support for see-other-host stream error (requires go-xmpp >= 0.2.8).
Changed:
* Don't automatically try other auth mechanisms if FAST authentication fails.

- Update to 0.12.1:
Changed:
* Print error instead of quitting if a message of type error is received.
* Allow upload of multiple files.
Added:
* Add flag --suppress-root-warning to suppress the warning when go-sendxmpp is used by the root user.

- Update to 0.12.0:
Added:
* Add possibility to look up direct TLS connection endpoint via hostmeta2 (requires xmppsrv >= 0.3.3).
* Add flag --allow-plain to allow PLAIN authentication (requires go-xmpp >= 0.2.5).
Changed:
* Disable PLAIN authentication per default.
* Disable PLAIN authentication after first use of a SCRAM auth mechanism (overrides --allow-plain) (requires
go-xmpp >= 0.2.5).

- Update to 0.11.4:
* Fix bug in SCRAM-SHA-256-PLUS (via go-xmpp >= 0.2.4).

- Update to 0.11.3:
* Add go-xmpp library version to --version output (requires go-xmpp >= 0.2.2).
* Fix XEP-0474: SASL SCRAM Downgrade Protection hash calculation bug (via go-xmpp >= v0.2.3).
* [gocritic]: Improve code quality.

Patch instructions:

To install this openSUSE security update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

- openSUSE Leap 16.0

zypper in -t patch openSUSE-Leap-16.0-packagehub-82=1

Package List:

- openSUSE Leap 16.0:

go-sendxmpp-0.15.1-bp160.1.1

References:

* https://www.suse.com/security/cve/CVE-2025-22872.html
* https://www.suse.com/security/cve/CVE-2025-47911.html
* https://www.suse.com/security/cve/CVE-2025-58190.html



openSUSE-SU-2026:20056-1: critical: Security update for cpp-httplib


openSUSE security update: security update for cpp-httplib
-------------------------------------------------------------

Announcement ID: openSUSE-SU-2026:20056-1
Rating: critical
References:

* bsc#1254734
* bsc#1254735

Cross-References:

* CVE-2025-66570
* CVE-2025-66577

CVSS scores:

* CVE-2025-66570 ( SUSE ): 10 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N
* CVE-2025-66570 ( SUSE ): 9.1 CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
* CVE-2025-66577 ( SUSE ): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
* CVE-2025-66577 ( SUSE ): 6.3 CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

Affected Products:

openSUSE Leap 16.0

-------------------------------------------------------------

An update that solves 2 vulnerabilities and has 2 bug fixes can now be installed.

Description:

This update for cpp-httplib fixes the following issues:

- CVE-2025-66570: IP spoofing, log poisoning, and authorization bypass via header shadowing due to acceptance and
parsing of client-controlled injected HTTP headers in incoming requests (bsc#1254734).
- CVE-2025-66577: access and error log poisoning with spoofed client IPs due to unconditional acceptance of
client-controlled `X-Forwarded-For` and `X-Real-IP` headers (bsc#1254735).
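The two entries above name bug classes rather than code. As an added example (not cpp-httplib's code and not taken from the advisory), the Python below models both: a request store that keeps connection metadata in the same map as client headers, so a client-supplied header of the same name shadows the real peer address, next to a version that keeps them apart and drops reserved names; and a client-IP lookup that believes X-Forwarded-For / X-Real-IP from anyone, next to one that honours them only when the direct peer is a configured trusted proxy and walks the chain from the right. The metadata key names, the trusted-proxy list, the 10.0.0.0/8 "admin" allowlist and all addresses are assumptions constructed for the example.

```python
import ipaddress

# Metadata keys a server might keep next to request headers. The names are an
# assumption for this example, not cpp-httplib's internal keys.
RESERVED = {"remote_addr", "remote_port", "local_addr", "local_port"}

# Toy IP-based authorization: requests from this range are treated as internal.
ADMIN_NET = ipaddress.ip_network("10.0.0.0/8")


def parse_headers(raw):
    """Parse 'Name: value' lines (CRLF or LF) in order, names lower-cased,
    duplicates preserved."""
    out = []
    for line in raw.replace("\r\n", "\n").split("\n"):
        if not line.strip():
            continue
        name, sep, value = line.partition(":")
        if not sep or not name.strip():
            raise ValueError(f"malformed header line: {line!r}")
        out.append((name.strip().lower(), value.strip()))
    return out


# -- 1. header shadowing (the CVE-2025-66570 bug class) ----------------------

def vulnerable_request(peer_ip, raw_headers):
    """One map for connection metadata and client headers, client merged last:
    a request carrying 'REMOTE_ADDR: ...' silently replaces the real peer."""
    req = {"remote_addr": peer_ip}
    for name, value in parse_headers(raw_headers):
        req[name] = value
    return req


def hardened_request(peer_ip, raw_headers):
    """Metadata lives in its own field; client headers with reserved names are
    dropped, and the first value of a repeated header wins."""
    headers = {}
    for name, value in parse_headers(raw_headers):
        if name in RESERVED:
            continue
        headers.setdefault(name, value)
    return {"remote_addr": peer_ip, "headers": headers}


# -- 2. forwarded-address trust (the CVE-2025-66577 bug class) ---------------

def vulnerable_client_ip(req):
    """Believes X-Forwarded-For / X-Real-IP from anyone."""
    forwarded = req.get("x-forwarded-for") or req.get("x-real-ip") or req["remote_addr"]
    return forwarded.split(",")[0].strip()


def hardened_client_ip(req, trusted_proxies):
    """Use forwarded headers only when the direct peer is a trusted proxy, and
    take the right-most hop that is not itself a trusted proxy."""
    nets = [ipaddress.ip_network(p, strict=False) for p in trusted_proxies]

    def trusted(ip):
        try:
            return any(ipaddress.ip_address(ip) in n for n in nets)
        except ValueError:
            return False

    peer = req["remote_addr"]
    if not trusted(peer):
        return peer                      # direct client: its headers are just claims
    h = req["headers"]
    chain = [x.strip() for x in h.get("x-forwarded-for", "").split(",") if x.strip()]
    if not chain and "x-real-ip" in h:
        chain = [h["x-real-ip"]]
    for hop in reversed(chain):
        if trusted(hop):
            continue
        try:
            return str(ipaddress.ip_address(hop))
        except ValueError:
            return peer                  # unparsable hop: neither log nor authorize it
    return peer                          # empty or all-trusted chain


def admin_allowed(ip):
    return ipaddress.ip_address(ip) in ADMIN_NET


# Constructed traffic using documentation address ranges, not captured from a real host.
TRUSTED_PROXIES = ["192.0.2.0/24"]
DIRECT_PEER = "198.51.100.7"
PROXY_PEER = "192.0.2.10"
SPOOFED = "REMOTE_ADDR: 10.0.0.1\r\nX-Forwarded-For: 10.0.0.1\r\nHost: app\r\n"
VIA_PROXY = "X-Forwarded-For: 10.0.0.1, 203.0.113.5\r\nHost: app\r\n"

if __name__ == "__main__":
    v = vulnerable_request(DIRECT_PEER, SPOOFED)
    print("vulnerable:", v["remote_addr"], vulnerable_client_ip(v), admin_allowed(vulnerable_client_ip(v)))
    h = hardened_request(DIRECT_PEER, SPOOFED)
    print("hardened:  ", h["remote_addr"], hardened_client_ip(h, TRUSTED_PROXIES))
    print("via proxy: ", hardened_client_ip(hardened_request(PROXY_PEER, VIA_PROXY), TRUSTED_PROXIES))
```

In the spoofed request the same client claim "10.0.0.1" reaches the access log and the admin check through both routes in the vulnerable variant, which is why the advisory lists log poisoning and authorization bypass together; the hardened variant only ever logs or authorizes the TCP peer unless that peer is one of the configured proxies, and a proxy that prepends the client's own X-Forwarded-For value is still handled correctly because the chain is read from the right.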

Patch instructions:

To install this openSUSE security update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

- openSUSE Leap 16.0

zypper in -t patch openSUSE-Leap-16.0-150=1

Package List:

- openSUSE Leap 16.0:

cpp-httplib-devel-0.22.0-160000.3.1
libcpp-httplib0_22-0.22.0-160000.3.1

References:

* https://www.suse.com/security/cve/CVE-2025-66570.html
* https://www.suse.com/security/cve/CVE-2025-66577.html