SUSE-SU-2026:1997-1: important: Security update for the Linux Kernel (Live Patch 31 for SUSE Linux Enterprise 15 SP5)
openSUSE-SU-2026:20762-1: important: Security update for go1.26
openSUSE-SU-2026:20763-1: important: Security update for go1.25
openSUSE-SU-2026:20764-1: important: Security update for glibc
openSUSE-SU-2026:20759-1: moderate: Security update for emacs
openSUSE-SU-2026:20753-1: important: Security update for agama
openSUSE-SU-2026:20761-1: important: Security update for google-guest-agent
openSUSE-SU-2026:20758-1: important: Security update for the Linux Kernel
openSUSE-SU-2026:20757-1: important: Security update for openssh
openSUSE-SU-2026:20750-1: moderate: Security update for ibus-rime, librime
openSUSE-SU-2026:20755-1: important: Security update for openexr
openSUSE-SU-2026:20754-1: important: Security update for rsync
openSUSE-SU-2026:20752-1: important: Security update for alloy
openSUSE-SU-2026:20749-1: important: Security update for tree-sitter
openSUSE-SU-2026:20745-1: critical: Security update for php8
openSUSE-SU-2026:20747-1: important: Security update for ImageMagick
openSUSE-SU-2026:20743-1: important: Security update for the Linux Kernel
openSUSE-SU-2026:20742-1: moderate: Security update for ongres-scram, ongres-stringprep, plexus-testing, maven, maven-doxia, mojo-parent, sisu
openSUSE-SU-2026:20737-1: moderate: Security update for python-lxml
openSUSE-SU-2026:20748-1: important: Security update for dnsmasq
openSUSE-SU-2026:20741-1: moderate: Security update for MozillaFirefox
openSUSE-SU-2026:10805-1: moderate: perl-HTTP-Tiny-0.094-1.1 on GA media
openSUSE-SU-2026:10808-1: moderate: postgresql16-16.14-1.1 on GA media
openSUSE-SU-2026:10806-1: moderate: postgresql14-14.23-1.1 on GA media
openSUSE-SU-2026:10810-1: moderate: traefik-3.6.17-1.1 on GA media
openSUSE-SU-2026:10804-1: moderate: openssh-10.3p1-4.1 on GA media
SUSE-SU-2026:1999-1: important: Security update for postgresql15
SUSE-SU-2026:2003-1: moderate: Security update for GraphicsMagick
SUSE-SU-2026:2001-1: important: Security update for postgresql16
SUSE-SU-2026:2004-1: important: Security update for python-Pillow
SUSE-SU-2026:2008-1: important: Security update for haveged
SUSE-SU-2026:2010-1: important: Security update for erlang26
SUSE-SU-2026:2009-1: important: Security update for haveged
openSUSE-SU-2026:0171-1: important: Security update for git-bug
openSUSE-SU-2026:0170-1: important: Security update for perl-CryptX
SUSE-SU-2026:1997-1: important: Security update for the Linux Kernel (Live Patch 31 for SUSE Linux Enterprise 15 SP5)
# Security update for the Linux Kernel (Live Patch 31 for SUSE Linux Enterprise 15 SP5)
Announcement ID: SUSE-SU-2026:1997-1
Release Date: 2026-05-18T16:33:54Z
Rating: important
References:
* bsc#1264459
Cross-References:
* CVE-2026-43284
CVSS scores:
* CVE-2026-43284 ( SUSE ): 8.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
* CVE-2026-43284 ( NVD ): 7.8 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
* CVE-2026-43284 ( NVD ): 8.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Affected Products:
* openSUSE Leap 15.5
* SUSE Linux Enterprise High Performance Computing 15 SP5
* SUSE Linux Enterprise Live Patching 15-SP5
* SUSE Linux Enterprise Micro 5.5
* SUSE Linux Enterprise Real Time 15 SP5
* SUSE Linux Enterprise Server 15 SP5
* SUSE Linux Enterprise Server for SAP Applications 15 SP5
An update that solves one vulnerability can now be installed.
## Description:
This update for the SUSE Linux Enterprise Kernel 5.14.21-150500.55.124 fixes one
security issue.
The following security issue was fixed:
* CVE-2026-43284: xfrm: esp: avoid in-place decrypt on shared skb frags
(bsc#1264459).
## Patch Instructions:
To install this SUSE update use the SUSE recommended installation methods like
YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
* openSUSE Leap 15.5
zypper in -t patch SUSE-2026-1997=1
* SUSE Linux Enterprise Live Patching 15-SP5
zypper in -t patch SUSE-SLE-Module-Live-Patching-15-SP5-2026-1997=1
## Package List:
* openSUSE Leap 15.5 (ppc64le s390x x86_64)
* kernel-livepatch-5_14_21-150500_55_124-default-10-150500.2.1
* kernel-livepatch-SLE15-SP5_Update_31-debugsource-10-150500.2.1
* kernel-livepatch-5_14_21-150500_55_124-default-debuginfo-10-150500.2.1
* SUSE Linux Enterprise Live Patching 15-SP5 (ppc64le s390x x86_64)
* kernel-livepatch-5_14_21-150500_55_124-default-10-150500.2.1
* kernel-livepatch-SLE15-SP5_Update_31-debugsource-10-150500.2.1
* kernel-livepatch-5_14_21-150500_55_124-default-debuginfo-10-150500.2.1
## References:
* https://www.suse.com/security/cve/CVE-2026-43284.html
* https://bugzilla.suse.com/show_bug.cgi?id=1264459
openSUSE-SU-2026:20762-1: important: Security update for go1.26
openSUSE security update: security update for go1.26
-------------------------------------------------------------
Announcement ID: openSUSE-SU-2026:20762-1
Rating: important
References:
* bsc#1170826
* bsc#1255111
* bsc#1264499
* bsc#1264500
* bsc#1264501
* bsc#1264502
* bsc#1264503
* bsc#1264504
* bsc#1264505
* bsc#1264506
* bsc#1264507
* bsc#1264508
* bsc#1264509
Cross-References:
* CVE-2026-33811
* CVE-2026-33814
* CVE-2026-39817
* CVE-2026-39819
* CVE-2026-39820
* CVE-2026-39823
* CVE-2026-39825
* CVE-2026-39826
* CVE-2026-39836
* CVE-2026-42499
* CVE-2026-42501
CVSS scores:
* CVE-2026-33811 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
* CVE-2026-33814 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
* CVE-2026-39817 ( SUSE ): 5.9 CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:N/I:H/A:N
* CVE-2026-39819 ( SUSE ): 5.3 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:H/A:N
* CVE-2026-39820 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
* CVE-2026-39823 ( SUSE ): 6.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
* CVE-2026-39825 ( SUSE ): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
* CVE-2026-39826 ( SUSE ): 6.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
* CVE-2026-39836 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
* CVE-2026-42499 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
* CVE-2026-42501 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
Affected Products:
openSUSE Leap 16.0
-------------------------------------------------------------
An update that solves 11 vulnerabilities and has 13 bug fixes can now be installed.
Description:
This update for go1.26 fixes the following issues
Security issues:
- CVE-2026-33811: net: crash when handling long CNAME response (bsc#1264508).
- CVE-2026-33814: net/http: infinite loop in HTTP/2 transport when given bad SETTINGS_MAX_FRAME_SIZE (bsc#1264506).
- CVE-2026-39817: cmd/go: "go tool pack" does not sanitize output paths (bsc#1264505).
- CVE-2026-39819: cmd/go: "go bug" follows symlinks in predictable temporary filenames (bsc#1264504).
- CVE-2026-39820: net/mail: quadratic string concatenation in consumeComment (bsc#1264503).
- CVE-2026-39823: html/template: bypass of meta content URL escaping causes XSS (bsc#1264509).
- CVE-2026-39825: net/http/httputil: ReverseProxy forwards queries with more than urlmaxqueryparams parameters
(bsc#1264500).
- CVE-2026-39826: html/template: escaper bypass leads to XSS (bsc#1264507).
- CVE-2026-39836: net: panic in Dial and LookupPort when handling NUL byte on Windows (bsc#1264501).
- CVE-2026-42499: net/mail: quadratic string concatenation in consumePhrase (bsc#1264502).
- CVE-2026-42501: cmd/go: malicious module proxy can bypass checksum database (bsc#1264499).
Non security issues:
- Updated to go1.26.3 (bsc#1255111).
- Go packages miss binutils-gold dependency (bsc#1170826).
Patch instructions:
To install this openSUSE security update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
- openSUSE Leap 16.0
zypper in -t patch openSUSE-Leap-16.0-758=1
Package List:
- openSUSE Leap 16.0:
go1.26-1.26.3-160000.1.1
go1.26-doc-1.26.3-160000.1.1
go1.26-libstd-1.26.3-160000.1.1
go1.26-race-1.26.3-160000.1.1
References:
* https://www.suse.com/security/cve/CVE-2026-33811.html
* https://www.suse.com/security/cve/CVE-2026-33814.html
* https://www.suse.com/security/cve/CVE-2026-39817.html
* https://www.suse.com/security/cve/CVE-2026-39819.html
* https://www.suse.com/security/cve/CVE-2026-39820.html
* https://www.suse.com/security/cve/CVE-2026-39823.html
* https://www.suse.com/security/cve/CVE-2026-39825.html
* https://www.suse.com/security/cve/CVE-2026-39826.html
* https://www.suse.com/security/cve/CVE-2026-39836.html
* https://www.suse.com/security/cve/CVE-2026-42499.html
* https://www.suse.com/security/cve/CVE-2026-42501.html
openSUSE-SU-2026:20763-1: important: Security update for go1.25
openSUSE security update: security update for go1.25
-------------------------------------------------------------
Announcement ID: openSUSE-SU-2026:20763-1
Rating: important
References:
* bsc#1170826
* bsc#1244485
* bsc#1264499
* bsc#1264500
* bsc#1264501
* bsc#1264502
* bsc#1264503
* bsc#1264504
* bsc#1264505
* bsc#1264506
* bsc#1264507
* bsc#1264508
* bsc#1264509
Cross-References:
* CVE-2026-33811
* CVE-2026-33814
* CVE-2026-39817
* CVE-2026-39819
* CVE-2026-39820
* CVE-2026-39823
* CVE-2026-39825
* CVE-2026-39826
* CVE-2026-39836
* CVE-2026-42499
* CVE-2026-42501
CVSS scores:
* CVE-2026-33811 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
* CVE-2026-33814 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
* CVE-2026-39817 ( SUSE ): 5.9 CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:N/I:H/A:N
* CVE-2026-39819 ( SUSE ): 5.3 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:H/A:N
* CVE-2026-39820 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
* CVE-2026-39823 ( SUSE ): 6.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
* CVE-2026-39825 ( SUSE ): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
* CVE-2026-39826 ( SUSE ): 6.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
* CVE-2026-39836 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
* CVE-2026-42499 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
* CVE-2026-42501 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
Affected Products:
openSUSE Leap 16.0
-------------------------------------------------------------
An update that solves 11 vulnerabilities and has 13 bug fixes can now be installed.
Description:
This update for go1.25 fixes the following issues
Security issues:
- CVE-2026-33811: net: crash when handling long CNAME response (bsc#1264508).
- CVE-2026-33814: net/http: infinite loop in HTTP/2 transport when given bad SETTINGS_MAX_FRAME_SIZE (bsc#1264506).
- CVE-2026-39817: cmd/go: "go tool pack" does not sanitize output paths (bsc#1264505).
- CVE-2026-39819: cmd/go: "go bug" follows symlinks in predictable temporary filenames (bsc#1264504).
- CVE-2026-39820: net/mail: quadratic string concatenation in consumeComment (bsc#1264503).
- CVE-2026-39823: html/template: bypass of meta content URL escaping causes XSS (bsc#1264509).
- CVE-2026-39825: net/http/httputil: ReverseProxy forwards queries with more than urlmaxqueryparams parameters
(bsc#1264500).
- CVE-2026-39826: html/template: escaper bypass leads to XSS (bsc#1264507).
- CVE-2026-39836: net: panic in Dial and LookupPort when handling NUL byte on Windows (bsc#1264501).
- CVE-2026-42499: net/mail: quadratic string concatenation in consumePhrase (bsc#1264502).
- CVE-2026-42501: cmd/go: malicious module proxy can bypass checksum database (bsc#1264499).
Non security issues:
- Updated to go1.25.10 (bsc#1244485).
- Go packages miss binutils-gold dependency (bsc#1170826).
Patch instructions:
To install this openSUSE security update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
- openSUSE Leap 16.0
zypper in -t patch openSUSE-Leap-16.0-760=1
Package List:
- openSUSE Leap 16.0:
go1.25-1.25.10-160000.1.1
go1.25-doc-1.25.10-160000.1.1
go1.25-libstd-1.25.10-160000.1.1
go1.25-race-1.25.10-160000.1.1
References:
* https://www.suse.com/security/cve/CVE-2026-33811.html
* https://www.suse.com/security/cve/CVE-2026-33814.html
* https://www.suse.com/security/cve/CVE-2026-39817.html
* https://www.suse.com/security/cve/CVE-2026-39819.html
* https://www.suse.com/security/cve/CVE-2026-39820.html
* https://www.suse.com/security/cve/CVE-2026-39823.html
* https://www.suse.com/security/cve/CVE-2026-39825.html
* https://www.suse.com/security/cve/CVE-2026-39826.html
* https://www.suse.com/security/cve/CVE-2026-39836.html
* https://www.suse.com/security/cve/CVE-2026-42499.html
* https://www.suse.com/security/cve/CVE-2026-42501.html
openSUSE-SU-2026:20764-1: important: Security update for glibc
openSUSE security update: security update for glibc
-------------------------------------------------------------
Announcement ID: openSUSE-SU-2026:20764-1
Rating: important
References:
* bsc#1261206
* bsc#1262464
* bsc#1262465
Cross-References:
* CVE-2026-4046
* CVE-2026-5450
* CVE-2026-5928
CVSS scores:
* CVE-2026-4046 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
* CVE-2026-4046 ( SUSE ): 8.7 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
* CVE-2026-5450 ( SUSE ): 5.9 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
* CVE-2026-5450 ( SUSE ): 5.1 CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N
* CVE-2026-5928 ( SUSE ): 5.7 CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:H
* CVE-2026-5928 ( SUSE ): 5.9 CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:H/SC:N/SI:N/SA:N
Affected Products:
openSUSE Leap 16.0
-------------------------------------------------------------
An update that solves 3 vulnerabilities and has 3 bug fixes can now be installed.
Description:
This update for glibc fixes the following issues
- CVE-2026-4046: assertion failure when converting inputs may be used to remotely crash an application (bsc#1261206).
- CVE-2026-5450: stdio-common: scanf %mc pattern will cause heap overflow when width > 1024 (bsc#1262465).
- CVE-2026-5928: libio: ungetwc could be used to leak data on special conditions (bsc#1262464).
Patch instructions:
To install this openSUSE security update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
- openSUSE Leap 16.0
zypper in -t patch openSUSE-Leap-16.0-761=1
Package List:
- openSUSE Leap 16.0:
cross-aarch64-glibc-devel-2.40-160000.5.1
cross-ppc64le-glibc-devel-2.40-160000.5.1
cross-riscv64-glibc-devel-2.40-160000.5.1
cross-s390x-glibc-devel-2.40-160000.5.1
glibc-2.40-160000.5.1
glibc-devel-2.40-160000.5.1
glibc-devel-static-2.40-160000.5.1
glibc-extra-2.40-160000.5.1
glibc-gconv-modules-extra-2.40-160000.5.1
glibc-html-2.40-160000.5.1
glibc-i18ndata-2.40-160000.5.1
glibc-info-2.40-160000.5.1
glibc-lang-2.40-160000.5.1
glibc-locale-2.40-160000.5.1
glibc-locale-base-2.40-160000.5.1
glibc-profile-2.40-160000.5.1
glibc-utils-2.40-160000.5.1
References:
* https://www.suse.com/security/cve/CVE-2026-4046.html
* https://www.suse.com/security/cve/CVE-2026-5450.html
* https://www.suse.com/security/cve/CVE-2026-5928.html
openSUSE-SU-2026:20759-1: moderate: Security update for emacs
openSUSE security update: security update for emacs
-------------------------------------------------------------
Announcement ID: openSUSE-SU-2026:20759-1
Rating: moderate
References:
* bsc#1262007
* bsc#1262611
Cross-References:
* CVE-2026-6861
CVSS scores:
* CVE-2026-6861 ( SUSE ): 6.1 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:H
* CVE-2026-6861 ( SUSE ): 6.8 CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:H/SC:N/SI:N/SA:N
Affected Products:
openSUSE Leap 16.0
-------------------------------------------------------------
An update that solves one vulnerability and has 2 bug fixes can now be installed.
Description:
This update for emacs fixes the following issue:
- CVE-2026-6861: memory corruption when processing specially crafted SVG CSS data (bsc#1262611).
- Build with tree-sitter-0.26.8 security update (bsc#1262007).
Patch instructions:
To install this openSUSE security update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
- openSUSE Leap 16.0
zypper in -t patch openSUSE-Leap-16.0-755=1
Package List:
- openSUSE Leap 16.0:
emacs-30.2-160000.2.1
emacs-el-30.2-160000.2.1
emacs-eln-30.2-160000.2.1
emacs-games-30.2-160000.2.1
emacs-info-30.2-160000.2.1
emacs-nox-30.2-160000.2.1
emacs-x11-30.2-160000.2.1
etags-30.2-160000.2.1
References:
* https://www.suse.com/security/cve/CVE-2026-6861.html
openSUSE-SU-2026:20753-1: important: Security update for agama
openSUSE security update: security update for agama
-------------------------------------------------------------
Announcement ID: openSUSE-SU-2026:20753-1
Rating: important
References:
* bsc#1257930
Cross-References:
* CVE-2026-25727
CVSS scores:
* CVE-2026-25727 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
* CVE-2026-25727 ( SUSE ): 8.7 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
Affected Products:
openSUSE Leap 16.0
-------------------------------------------------------------
An update that solves one vulnerability and has one bug fix can now be installed.
Description:
This update for agama fixes the following issue
- CVE-2026-25727: time: parsing of user-provided input by the RFC 2822 date parser can lead to stack exhaustion
(bsc#1257930).
Changes for agama:
- Update "time" crate to version 0.3.47.
Patch instructions:
To install this openSUSE security update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
- openSUSE Leap 16.0
zypper in -t patch openSUSE-Leap-16.0-748=1
Package List:
- openSUSE Leap 16.0:
agama-17+570.fe7244a50-160000.10.1
agama-autoinstall-17+570.fe7244a50-160000.10.1
agama-cli-17+570.fe7244a50-160000.10.1
agama-cli-bash-completion-17+570.fe7244a50-160000.10.2
agama-cli-fish-completion-17+570.fe7244a50-160000.10.2
agama-cli-zsh-completion-17+570.fe7244a50-160000.10.2
agama-openapi-17+570.fe7244a50-160000.10.1
agama-scripts-17+570.fe7244a50-160000.10.1
References:
* https://www.suse.com/security/cve/CVE-2026-25727.html
openSUSE-SU-2026:20761-1: important: Security update for google-guest-agent
openSUSE security update: security update for google-guest-agent
-------------------------------------------------------------
Announcement ID: openSUSE-SU-2026:20761-1
Rating: important
References:
* bsc#1260264
Cross-References:
* CVE-2026-33186
CVSS scores:
* CVE-2026-33186 ( SUSE ): 8.1 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
* CVE-2026-33186 ( SUSE ): 8.6 CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
Affected Products:
openSUSE Leap 16.0
-------------------------------------------------------------
An update that solves one vulnerability and has one bug fix can now be installed.
Description:
This update for google-guest-agent fixes the following issue
- CVE-2026-33186: google.golang.org/grpc: authorization bypass due to improper validation of the HTTP/2 `:path`
pseudo-header (bsc#1260264).
Patch instructions:
To install this openSUSE security update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
- openSUSE Leap 16.0
zypper in -t patch openSUSE-Leap-16.0-757=1
Package List:
- openSUSE Leap 16.0:
google-guest-agent-20250506.01-160000.2.1
References:
* https://www.suse.com/security/cve/CVE-2026-33186.html
openSUSE-SU-2026:20758-1: important: Security update for the Linux Kernel
openSUSE security update: security update for the linux kernel
-------------------------------------------------------------
Announcement ID: openSUSE-SU-2026:20758-1
Rating: important
References:
* bsc#1264013
* bsc#1265209
Cross-References:
* CVE-2025-54518
* CVE-2026-46300
CVSS scores:
* CVE-2025-54518 ( SUSE ): 7.4 CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
* CVE-2025-54518 ( SUSE ): 7.3 CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
* CVE-2026-46300 ( SUSE ): 8.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
* CVE-2026-46300 ( SUSE ): 8.6 CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Affected Products:
openSUSE Leap 16.0
-------------------------------------------------------------
An update that solves 2 vulnerabilities and has 2 bug fixes can now be installed.
Description:
The SUSE Linux Enterprise 16.0 kernel was updated to fix various security issues
The following security issues were fixed:
- CVE-2025-54518: x86/CPU/AMD: Prevent improper isolation of shared resources in Zen2's op cache (bsc#1264013).
- CVE-2026-46300: net: skbuff: propagate shared-frag marker through pskb_copy() (bsc#1265209).
Patch instructions:
To install this openSUSE security update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
- openSUSE Leap 16.0
zypper in -t patch openSUSE-Leap-16.0-753=1
Package List:
- openSUSE Leap 16.0:
cluster-md-kmp-64kb-6.12.0-160000.31.1
cluster-md-kmp-azure-6.12.0-160000.31.1
cluster-md-kmp-default-6.12.0-160000.31.1
cluster-md-kmp-rt-6.12.0-160000.31.1
dlm-kmp-64kb-6.12.0-160000.31.1
dlm-kmp-azure-6.12.0-160000.31.1
dlm-kmp-default-6.12.0-160000.31.1
dlm-kmp-rt-6.12.0-160000.31.1
dtb-allwinner-6.12.0-160000.31.1
dtb-altera-6.12.0-160000.31.1
dtb-amazon-6.12.0-160000.31.1
dtb-amd-6.12.0-160000.31.1
dtb-amlogic-6.12.0-160000.31.1
dtb-apm-6.12.0-160000.31.1
dtb-apple-6.12.0-160000.31.1
dtb-arm-6.12.0-160000.31.1
dtb-broadcom-6.12.0-160000.31.1
dtb-cavium-6.12.0-160000.31.1
dtb-exynos-6.12.0-160000.31.1
dtb-freescale-6.12.0-160000.31.1
dtb-hisilicon-6.12.0-160000.31.1
dtb-lg-6.12.0-160000.31.1
dtb-marvell-6.12.0-160000.31.1
dtb-mediatek-6.12.0-160000.31.1
dtb-nvidia-6.12.0-160000.31.1
dtb-qcom-6.12.0-160000.31.1
dtb-renesas-6.12.0-160000.31.1
dtb-rockchip-6.12.0-160000.31.1
dtb-socionext-6.12.0-160000.31.1
dtb-sprd-6.12.0-160000.31.1
dtb-xilinx-6.12.0-160000.31.1
gfs2-kmp-64kb-6.12.0-160000.31.1
gfs2-kmp-azure-6.12.0-160000.31.1
gfs2-kmp-default-6.12.0-160000.31.1
gfs2-kmp-rt-6.12.0-160000.31.1
kernel-64kb-6.12.0-160000.31.1
kernel-64kb-devel-6.12.0-160000.31.1
kernel-64kb-extra-6.12.0-160000.31.1
kernel-64kb-optional-6.12.0-160000.31.1
kernel-azure-6.12.0-160000.31.1
kernel-azure-devel-6.12.0-160000.31.1
kernel-azure-extra-6.12.0-160000.31.1
kernel-azure-optional-6.12.0-160000.31.1
kernel-azure-vdso-6.12.0-160000.31.1
kernel-default-6.12.0-160000.31.1
kernel-default-base-6.12.0-160000.31.1.160000.2.12
kernel-default-devel-6.12.0-160000.31.1
kernel-default-extra-6.12.0-160000.31.1
kernel-default-optional-6.12.0-160000.31.1
kernel-default-vdso-6.12.0-160000.31.1
kernel-devel-6.12.0-160000.31.1
kernel-docs-6.12.0-160000.31.1
kernel-docs-html-6.12.0-160000.31.1
kernel-kvmsmall-6.12.0-160000.31.1
kernel-kvmsmall-devel-6.12.0-160000.31.1
kernel-kvmsmall-vdso-6.12.0-160000.31.1
kernel-macros-6.12.0-160000.31.1
kernel-obs-build-6.12.0-160000.31.1
kernel-obs-qa-6.12.0-160000.31.1
kernel-rt-6.12.0-160000.31.1
kernel-rt-devel-6.12.0-160000.31.1
kernel-rt-extra-6.12.0-160000.31.1
kernel-rt-optional-6.12.0-160000.31.1
kernel-rt-vdso-6.12.0-160000.31.1
kernel-source-6.12.0-160000.31.1
kernel-source-vanilla-6.12.0-160000.31.1
kernel-syms-6.12.0-160000.31.1
kernel-zfcpdump-6.12.0-160000.31.1
kselftests-kmp-64kb-6.12.0-160000.31.1
kselftests-kmp-azure-6.12.0-160000.31.1
kselftests-kmp-default-6.12.0-160000.31.1
kselftests-kmp-rt-6.12.0-160000.31.1
ocfs2-kmp-64kb-6.12.0-160000.31.1
ocfs2-kmp-azure-6.12.0-160000.31.1
ocfs2-kmp-default-6.12.0-160000.31.1
ocfs2-kmp-rt-6.12.0-160000.31.1
References:
* https://www.suse.com/security/cve/CVE-2025-54518.html
* https://www.suse.com/security/cve/CVE-2026-46300.html
openSUSE-SU-2026:20757-1: important: Security update for openssh
openSUSE security update: security update for openssh
-------------------------------------------------------------
Announcement ID: openSUSE-SU-2026:20757-1
Rating: important
References:
* bsc#1252890
* bsc#1261427
* bsc#1261430
* bsc#1262555
Cross-References:
* CVE-2026-35385
* CVE-2026-35414
CVSS scores:
* CVE-2026-35385 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
* CVE-2026-35385 ( SUSE ): 7.5 CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
* CVE-2026-35414 ( SUSE ): 4.2 CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N
* CVE-2026-35414 ( SUSE ): 2.3 CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
Affected Products:
openSUSE Leap 16.0
-------------------------------------------------------------
An update that solves 2 vulnerabilities and has 4 bug fixes can now be installed.
Description:
This update for openssh fixes the following issues
Security issues fixed:
- CVE-2026-35385: a file downloaded by scp may be installed setuid or setgid (bsc#1261427).
- CVE-2026-35414: mishandling of authorized_keys principals option (bsc#1261430).
Other issues fixed:
- SSH port not reachable on SLES-16.0-CHOST-BYOS since build 1.32 for both x86_64 and aarch64 (bsc#1262555).
- OpenSSH audit support causes connection lost with parallel sessions (bsc#1252890).
Patch instructions:
To install this openSUSE security update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
- openSUSE Leap 16.0
zypper in -t patch openSUSE-Leap-16.0-752=1
Package List:
- openSUSE Leap 16.0:
openssh-10.0p2-160000.5.1
openssh-askpass-gnome-10.0p2-160000.5.1
openssh-cavs-10.0p2-160000.5.1
openssh-clients-10.0p2-160000.5.1
openssh-common-10.0p2-160000.5.1
openssh-helpers-10.0p2-160000.5.1
openssh-server-10.0p2-160000.5.1
openssh-server-config-rootlogin-10.0p2-160000.5.1
References:
* https://www.suse.com/security/cve/CVE-2026-35385.html
* https://www.suse.com/security/cve/CVE-2026-35414.html
openSUSE-SU-2026:20750-1: moderate: Security update for ibus-rime, librime
openSUSE security update: security update for ibus-rime, librime
-------------------------------------------------------------
Announcement ID: openSUSE-SU-2026:20750-1
Rating: moderate
Affected Products:
openSUSE Leap 16.0
-------------------------------------------------------------
An update that solves various issues can now be installed.
Description:
This update for ibus-rime and librime fixes the following issues:
ibus-rime is built against the current opencc version.
Patch instructions:
To install this openSUSE security update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
- openSUSE Leap 16.0
zypper in -t patch openSUSE-Leap-16.0-744=1
Package List:
- openSUSE Leap 16.0:
ibus-rime-1.5.0-160000.1.3
librime-devel-1.10.0+git20240229.4ee471e-160000.1.3
librime-private-devel-1.10.0+git20240229.4ee471e-160000.1.3
librime1-1.10.0+git20240229.4ee471e-160000.1.3
rime-1.10.0+git20240229.4ee471e-160000.1.3
openSUSE-SU-2026:20755-1: important: Security update for openexr
openSUSE security update: security update for openexr
-------------------------------------------------------------
Announcement ID: openSUSE-SU-2026:20755-1
Rating: important
References:
* bsc#1264353
* bsc#1264354
* bsc#1264356
Cross-References:
* CVE-2026-41142
* CVE-2026-42216
* CVE-2026-42217
CVSS scores:
* CVE-2026-41142 ( SUSE ): 8.1 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
* CVE-2026-41142 ( SUSE ): 9.2 CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
* CVE-2026-42216 ( SUSE ): 8.2 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H
* CVE-2026-42216 ( SUSE ): 8.8 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:H/SC:N/SI:N/SA:N
* CVE-2026-42217 ( SUSE ): 6.5 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:H
* CVE-2026-42217 ( SUSE ): 8.3 CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:H/SC:N/SI:N/SA:N
Affected Products:
openSUSE Leap 16.0
-------------------------------------------------------------
An update that solves 3 vulnerabilities and has 3 bug fixes can now be installed.
Description:
This update for openexr fixes the following issues
- CVE-2026-41142: integer overflow in `ImageChannel::resize` can lead to a heap out-of-bounds write via OpenEXRUtil
public API (bsc#1264356).
- CVE-2026-42216: missing checks in `IDManifest::init()` can lead to out-of-bounds read during prefix expansion
(bsc#1264354).
- CVE-2026-42217: missing bounds check for shift counter in `readVariableLengthInteger` can lead to shift exponent
overflow and cause undefined behavior (bsc#1264353).
Patch instructions:
To install this openSUSE security update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
- openSUSE Leap 16.0
zypper in -t patch openSUSE-Leap-16.0-750=1
Package List:
- openSUSE Leap 16.0:
libIex-3_2-31-3.2.2-160000.8.1
libIex-3_2-31-x86-64-v3-3.2.2-160000.8.1
libIlmThread-3_2-31-3.2.2-160000.8.1
libIlmThread-3_2-31-x86-64-v3-3.2.2-160000.8.1
libOpenEXR-3_2-31-3.2.2-160000.8.1
libOpenEXR-3_2-31-x86-64-v3-3.2.2-160000.8.1
libOpenEXRCore-3_2-31-3.2.2-160000.8.1
libOpenEXRCore-3_2-31-x86-64-v3-3.2.2-160000.8.1
libOpenEXRUtil-3_2-31-3.2.2-160000.8.1
libOpenEXRUtil-3_2-31-x86-64-v3-3.2.2-160000.8.1
openexr-3.2.2-160000.8.1
openexr-devel-3.2.2-160000.8.1
openexr-doc-3.2.2-160000.8.1
References:
* https://www.suse.com/security/cve/CVE-2026-41142.html
* https://www.suse.com/security/cve/CVE-2026-42216.html
* https://www.suse.com/security/cve/CVE-2026-42217.html
openSUSE-SU-2026:20754-1: important: Security update for rsync
openSUSE security update: security update for rsync
-------------------------------------------------------------
Announcement ID: openSUSE-SU-2026:20754-1
Rating: important
References:
* bsc#1254441
* bsc#1262223
Cross-References:
* CVE-2025-10158
* CVE-2026-41035
CVSS scores:
* CVE-2025-10158 ( SUSE ): 4.3 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
* CVE-2026-41035 ( SUSE ): 7.2 CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
* CVE-2026-41035 ( SUSE ): 8.6 CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Affected Products:
openSUSE Leap 16.0
-------------------------------------------------------------
An update that solves 2 vulnerabilities and has 2 bug fixes can now be installed.
Description:
This update for rsync fixes the following issues
- CVE-2025-10158: Out of bounds array access via negative index (bsc#1254441).
- CVE-2026-41035: count of entries mismatch can lead to a use-after-free (bsc#1262223).
Patch instructions:
To install this openSUSE security update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
- openSUSE Leap 16.0
zypper in -t patch openSUSE-Leap-16.0-749=1
Package List:
- openSUSE Leap 16.0:
rsync-3.4.1-160000.3.1
References:
* https://www.suse.com/security/cve/CVE-2025-10158.html
* https://www.suse.com/security/cve/CVE-2026-41035.html
openSUSE-SU-2026:20752-1: important: Security update for alloy
openSUSE security update: security update for alloy
-------------------------------------------------------------
Announcement ID: openSUSE-SU-2026:20752-1
Rating: important
References:
* bsc#1258099
* bsc#1258609
* bsc#1259919
* bsc#1260317
Cross-References:
* CVE-2026-25934
* CVE-2026-26958
* CVE-2026-33186
* CVE-2026-4427
CVSS scores:
* CVE-2026-25934 ( SUSE ): 4.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
* CVE-2026-25934 ( SUSE ): 5.3 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
* CVE-2026-26958 ( SUSE ): 6.5 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:L
* CVE-2026-26958 ( SUSE ): 8.3 CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N
* CVE-2026-33186 ( SUSE ): 8.1 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
* CVE-2026-33186 ( SUSE ): 8.6 CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
* CVE-2026-4427 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
* CVE-2026-4427 ( SUSE ): 8.2 CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
Affected Products:
openSUSE Leap 16.0
-------------------------------------------------------------
An update that solves 4 vulnerabilities and has 4 bug fixes can now be installed.
Description:
This update for alloy fixes the following issues
Security issues:
- CVE-2026-4427: github.com/jackc/pgproto3/v2: improper validation of field length allows a malicious PostgreSQL server
to crash a client application via a DataRow message (bsc#1259919).
- CVE-2026-25934: github.com/go-git/go-git/v5: improper verification of data integrity values for .pack and .idx files
can lead to the consumption of corrupted files (bsc#1258099).
- CVE-2026-26958: filippo.io/edwards25519: failure to initialize receiver in MultiScalarMult can produce invalid results
and lead to undefined behavior (bsc#1258609).
- CVE-2026-33186: google.golang.org/grpc: authorization bypass due to improper validation of the HTTP/2 `:path`
pseudo-header (bsc#1260317).
Non security issue:
- Updated to 1.16.0
- Use systemd tmpfiles.d to create /var/lib/alloy hierarchy (jsc#PED-14815)
Patch instructions:
To install this openSUSE security update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
- openSUSE Leap 16.0
zypper in -t patch openSUSE-Leap-16.0-747=1
Package List:
- openSUSE Leap 16.0:
alloy-1.16.0-160000.1.1
References:
* https://www.suse.com/security/cve/CVE-2026-25934.html
* https://www.suse.com/security/cve/CVE-2026-26958.html
* https://www.suse.com/security/cve/CVE-2026-33186.html
* https://www.suse.com/security/cve/CVE-2026-4427.html
openSUSE-SU-2026:20749-1: important: Security update for tree-sitter
openSUSE security update: security update for tree-sitter
-------------------------------------------------------------
Announcement ID: openSUSE-SU-2026:20749-1
Rating: important
References:
* bsc#1259205
* bsc#1261839
* bsc#1261871
* bsc#1261894
* bsc#1261954
* bsc#1261963
* bsc#1261968
* bsc#1261974
* bsc#1262007
* bsc#1262032
* bsc#1262036
* bsc#1262040
Cross-References:
* CVE-2026-34941
* CVE-2026-34942
* CVE-2026-34943
* CVE-2026-34944
* CVE-2026-34945
* CVE-2026-34946
* CVE-2026-34987
* CVE-2026-34988
* CVE-2026-35186
* CVE-2026-35195
CVSS scores:
* CVE-2026-34941 ( SUSE ): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
* CVE-2026-34941 ( SUSE ): 6.9 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
* CVE-2026-34942 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
* CVE-2026-34942 ( SUSE ): 8.7 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
* CVE-2026-34943 ( SUSE ): 5.3 CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H
* CVE-2026-34943 ( SUSE ): 6 CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
* CVE-2026-34944 ( SUSE ): 5 CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H
* CVE-2026-34944 ( SUSE ): 5.1 CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
* CVE-2026-34945 ( SUSE ): 6.3 CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N
* CVE-2026-34945 ( SUSE ): 7 CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N
* CVE-2026-34946 ( SUSE ): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
* CVE-2026-34987 ( SUSE ): 8.5 CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
* CVE-2026-34987 ( SUSE ): 9 CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
* CVE-2026-34988 ( SUSE ): 6.3 CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N
* CVE-2026-34988 ( SUSE ): 7 CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N
* CVE-2026-35186 ( SUSE ): 6.4 CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:H
* CVE-2026-35186 ( SUSE ): 6.1 CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:L/VI:L/VA:H/SC:N/SI:N/SA:N
* CVE-2026-35195 ( SUSE ): 5.9 CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:H
* CVE-2026-35195 ( SUSE ): 6 CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:N/VI:L/VA:H/SC:N/SI:N/SA:N
Affected Products:
openSUSE Leap 16.0
-------------------------------------------------------------
An update that solves 10 vulnerabilities and has 12 bug fixes can now be installed.
Description:
This update for tree-sitter fixes the following issues
Security issues:
- CVE-2026-34941: wasmtime: crafted input string can lead to an out-of-bound read (bsc#1261871).
- CVE-2026-34942: wasmtime: unaligned pointers can lead to a denial of service (bsc#1261894).
- CVE-2026-34943: wasmtime: lifting `flags` component value can lead to a denial of service (bsc#1261954).
- CVE-2026-34944: wasmtime: out-of-bounds read during WebAssembly compilation can lead to a denial of service
(bsc#1261963).
- CVE-2026-34945: wasmtime: incorrectly translated table.size could lead to disclosing data (bsc#1262007).
- CVE-2026-34946: wasmtime: denial of service due to WebAssembly compilation error (bsc#1261974).
- CVE-2026-34987: wasmtime: winch compiler backend may allow a sandbox-escaping memory access (bsc#1262032).
- CVE-2026-34988: wasmtime: pooling allocator instances can cause data leakage (bsc#1261968).
- CVE-2026-35186: wasmtime: translating the table.grow operator can cause a masked return value (bsc#1262036).
- CVE-2026-35195: wasmtime: transcoding strings can lead to an out of bound write or a crash (bsc#1262040).
Changes for tree-sitter:
- update to 0.26.8:
* fix(generate): allow disabling qjs-rt feature from CLI by @WillLillis in
#5448
* fix(lib): document invariants that must be upheld for TSInputEdit by
@WillLillis in #5452
* fix(cli): correct typo in parse command's help text by @WillLillis in #5465
* perf(cli): misc. improvements by @tree-sitter-ci-bot[bot] in #5476
* Fix wasm loading of languages w/ multiple reserved word sets by
@tree-sitter-ci-bot[bot] in #5477
* generate: avoid panicking when a supertype only has hidden external token
children by @tree-sitter-ci-bot[bot] in #5478
Patch instructions:
To install this openSUSE security update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
- openSUSE Leap 16.0
zypper in -t patch openSUSE-Leap-16.0-743=1
Package List:
- openSUSE Leap 16.0:
libtree-sitter0_26-0.26.8-160000.1.1
libtree-sitter0_26-x86-64-v3-0.26.8-160000.1.1
tree-sitter-0.26.8-160000.1.1
tree-sitter-devel-0.26.8-160000.1.1
References:
* https://www.suse.com/security/cve/CVE-2026-34941.html
* https://www.suse.com/security/cve/CVE-2026-34942.html
* https://www.suse.com/security/cve/CVE-2026-34943.html
* https://www.suse.com/security/cve/CVE-2026-34944.html
* https://www.suse.com/security/cve/CVE-2026-34945.html
* https://www.suse.com/security/cve/CVE-2026-34946.html
* https://www.suse.com/security/cve/CVE-2026-34987.html
* https://www.suse.com/security/cve/CVE-2026-34988.html
* https://www.suse.com/security/cve/CVE-2026-35186.html
* https://www.suse.com/security/cve/CVE-2026-35195.html
openSUSE-SU-2026:20745-1: critical: Security update for php8
openSUSE security update: security update for php8
-------------------------------------------------------------
Announcement ID: openSUSE-SU-2026:20745-1
Rating: critical
References:
* bsc#1264769
* bsc#1264770
* bsc#1264771
* bsc#1264772
* bsc#1264773
* bsc#1264774
* bsc#1264775
* bsc#1264776
* bsc#1264777
* bsc#1264778
Cross-References:
* CVE-2025-14179
* CVE-2026-6104
* CVE-2026-6722
* CVE-2026-6735
* CVE-2026-7258
* CVE-2026-7259
* CVE-2026-7261
* CVE-2026-7262
* CVE-2026-7263
* CVE-2026-7568
CVSS scores:
* CVE-2025-14179 ( SUSE ): 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
* CVE-2025-14179 ( SUSE ): 9.2 CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
* CVE-2026-6104 ( SUSE ): 8.2 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H
* CVE-2026-6104 ( SUSE ): 8.3 CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:H/SC:N/SI:N/SA:N
* CVE-2026-6722 ( SUSE ): 8.1 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
* CVE-2026-6722 ( SUSE ): 9.2 CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
* CVE-2026-6735 ( SUSE ): 6.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L
* CVE-2026-6735 ( SUSE ): 2.3 CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N
* CVE-2026-7258 ( SUSE ): 8.6 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H
* CVE-2026-7258 ( SUSE ): 8.3 CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:L/VA:H/SC:N/SI:N/SA:N
* CVE-2026-7259 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
* CVE-2026-7259 ( SUSE ): 8.2 CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
* CVE-2026-7261 ( SUSE ): 8.1 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
* CVE-2026-7261 ( SUSE ): 9.2 CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
* CVE-2026-7262 ( SUSE ): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
* CVE-2026-7262 ( SUSE ): 6.3 CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
* CVE-2026-7263 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
* CVE-2026-7263 ( SUSE ): 8.2 CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
* CVE-2026-7568 ( SUSE ): 7 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:H
* CVE-2026-7568 ( SUSE ): 8.3 CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:H/SC:N/SI:N/SA:N
Affected Products:
openSUSE Leap 16.0
-------------------------------------------------------------
An update that solves 10 vulnerabilities and has 10 bug fixes can now be installed.
Description:
This update for php8 fixes the following issues
- CVE-2025-14179: improper handling of NULL bytes by the PDO Firebird driver when preparing SQL queries can lead to SQL
injection (bsc#1264778).
- CVE-2026-6104: out-of-bounds read when processing an encoding name containing an embedded NULL byte in
`mb_convert_encoding()` can lead to information disclosure and denial of service (bsc#1264777).
- CVE-2026-6722: use-after-free in SOAP using Apache map can lead to remote code execution (bsc#1264776).
- CVE-2026-6735: improper validation of the request URI within the PHP-FPM status page can lead to XSS (bsc#1264775).
- CVE-2026-7258: signed `char` values passed to `ctype` functions like `isxdigit` can lead to OOB access and denial of
service (bsc#1264774).
- CVE-2026-7259: NULL pointer dereference in `php_mb_check_encoding()` via `mb_ereg_search_init()` can lead to a denial
of service (bsc#1264773).
- CVE-2026-7261: use-after-free due to incorrectly handled persistence of handler objects when SOAP_PERSISTENCE_SESSION
is configured can lead to memory corruption, information disclosure and process crashes (bsc#1264772).
- CVE-2026-7262: NULL pointer dereference caused by mistake in the SOAP decoding process when a typemap is configured
can lead to a denial of service (bsc#1264771).
- CVE-2026-7263: incorrect processing of XML data in the `DOMNode::C14N()` method can lead to an infinite loop and a
denial of service (bsc#1264770).
- CVE-2026-7568: integer overflow in the `metaphone` function can lead to undefined behavior and affect the availability
of the PHP process (bsc#1264769).
Other updates:
- Updated to 8.4.21.
Patch instructions:
To install this openSUSE security update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
- openSUSE Leap 16.0
zypper in -t patch openSUSE-Leap-16.0-738=1
Package List:
- openSUSE Leap 16.0:
apache2-mod_php8-8.4.21-160000.1.1
php8-8.4.21-160000.1.1
php8-bcmath-8.4.21-160000.1.1
php8-bz2-8.4.21-160000.1.1
php8-calendar-8.4.21-160000.1.1
php8-cli-8.4.21-160000.1.1
php8-ctype-8.4.21-160000.1.1
php8-curl-8.4.21-160000.1.1
php8-dba-8.4.21-160000.1.1
php8-devel-8.4.21-160000.1.1
php8-dom-8.4.21-160000.1.1
php8-embed-8.4.21-160000.1.1
php8-enchant-8.4.21-160000.1.1
php8-exif-8.4.21-160000.1.1
php8-fastcgi-8.4.21-160000.1.1
php8-ffi-8.4.21-160000.1.1
php8-fileinfo-8.4.21-160000.1.1
php8-fpm-8.4.21-160000.1.1
php8-fpm-apache-8.4.21-160000.1.1
php8-ftp-8.4.21-160000.1.1
php8-gd-8.4.21-160000.1.1
php8-gettext-8.4.21-160000.1.1
php8-gmp-8.4.21-160000.1.1
php8-iconv-8.4.21-160000.1.1
php8-intl-8.4.21-160000.1.1
php8-ldap-8.4.21-160000.1.1
php8-mbstring-8.4.21-160000.1.1
php8-mysql-8.4.21-160000.1.1
php8-odbc-8.4.21-160000.1.1
php8-opcache-8.4.21-160000.1.1
php8-openssl-8.4.21-160000.1.1
php8-pcntl-8.4.21-160000.1.1
php8-pdo-8.4.21-160000.1.1
php8-pgsql-8.4.21-160000.1.1
php8-phar-8.4.21-160000.1.1
php8-posix-8.4.21-160000.1.1
php8-readline-8.4.21-160000.1.1
php8-shmop-8.4.21-160000.1.1
php8-snmp-8.4.21-160000.1.1
php8-soap-8.4.21-160000.1.1
php8-sockets-8.4.21-160000.1.1
php8-sodium-8.4.21-160000.1.1
php8-sqlite-8.4.21-160000.1.1
php8-sysvmsg-8.4.21-160000.1.1
php8-sysvsem-8.4.21-160000.1.1
php8-sysvshm-8.4.21-160000.1.1
php8-test-8.4.21-160000.1.1
php8-tidy-8.4.21-160000.1.1
php8-tokenizer-8.4.21-160000.1.1
php8-xmlreader-8.4.21-160000.1.1
php8-xmlwriter-8.4.21-160000.1.1
php8-xsl-8.4.21-160000.1.1
php8-zip-8.4.21-160000.1.1
php8-zlib-8.4.21-160000.1.1
References:
* https://www.suse.com/security/cve/CVE-2025-14179.html
* https://www.suse.com/security/cve/CVE-2026-6104.html
* https://www.suse.com/security/cve/CVE-2026-6722.html
* https://www.suse.com/security/cve/CVE-2026-6735.html
* https://www.suse.com/security/cve/CVE-2026-7258.html
* https://www.suse.com/security/cve/CVE-2026-7259.html
* https://www.suse.com/security/cve/CVE-2026-7261.html
* https://www.suse.com/security/cve/CVE-2026-7262.html
* https://www.suse.com/security/cve/CVE-2026-7263.html
* https://www.suse.com/security/cve/CVE-2026-7568.html
openSUSE-SU-2026:20747-1: important: Security update for ImageMagick
openSUSE security update: security update for imagemagick
-------------------------------------------------------------
Announcement ID: openSUSE-SU-2026:20747-1
Rating: important
References:
* bsc#1259528
Cross-References:
* CVE-2026-31853
CVSS scores:
* CVE-2026-31853 ( SUSE ): 8.6 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H
* CVE-2026-31853 ( SUSE ): 8.3 CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:H/SC:N/SI:N/SA:N
Affected Products:
openSUSE Leap 16.0
-------------------------------------------------------------
An update that solves one vulnerability and has one bug fix can now be installed.
Description:
This update for ImageMagick fixes the following issue
- CVE-2026-31853: heap buffer overflow leads to crash in the SFW decoder of 32-bit systems when processing extremely
large images (bsc#1259528).
Patch instructions:
To install this openSUSE security update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
- openSUSE Leap 16.0
zypper in -t patch openSUSE-Leap-16.0-740=1
Package List:
- openSUSE Leap 16.0:
ImageMagick-7.1.2.0-160000.9.1
ImageMagick-config-7-SUSE-7.1.2.0-160000.9.1
ImageMagick-config-7-upstream-limited-7.1.2.0-160000.9.1
ImageMagick-config-7-upstream-open-7.1.2.0-160000.9.1
ImageMagick-config-7-upstream-secure-7.1.2.0-160000.9.1
ImageMagick-config-7-upstream-websafe-7.1.2.0-160000.9.1
ImageMagick-devel-7.1.2.0-160000.9.1
ImageMagick-doc-7.1.2.0-160000.9.1
ImageMagick-extra-7.1.2.0-160000.9.1
libMagick++-7_Q16HDRI5-7.1.2.0-160000.9.1
libMagick++-devel-7.1.2.0-160000.9.1
libMagickCore-7_Q16HDRI10-7.1.2.0-160000.9.1
libMagickWand-7_Q16HDRI10-7.1.2.0-160000.9.1
perl-PerlMagick-7.1.2.0-160000.9.1
References:
* https://www.suse.com/security/cve/CVE-2026-31853.html
openSUSE-SU-2026:20743-1: important: Security update for the Linux Kernel
openSUSE security update: security update for the linux kernel
-------------------------------------------------------------
Announcement ID: openSUSE-SU-2026:20743-1
Rating: important
References:
* bsc#1264449
* bsc#1264450
Cross-References:
* CVE-2026-43284
* CVE-2026-43500
CVSS scores:
* CVE-2026-43284 ( SUSE ): 8.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
* CVE-2026-43500 ( SUSE ): 8.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Affected Products:
openSUSE Leap 16.0
-------------------------------------------------------------
An update that solves 2 vulnerabilities and has 2 bug fixes can now be installed.
Description:
The SUSE Linux Enterprise 16.0 kernel was updated to fix various security issues
The following security issues were fixed:
Dirty Frag fixes:
- CVE-2026-43500: supported.conf: drop rxrpc completely (bsc#1264450)
- CVE-2026-43284: xfrm: esp: avoid in-place decrypt on shared skb frags (bsc#1264449).
Patch instructions:
To install this openSUSE security update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
- openSUSE Leap 16.0
zypper in -t patch openSUSE-Leap-16.0-734=1
Package List:
- openSUSE Leap 16.0:
cluster-md-kmp-64kb-6.12.0-160000.30.1
cluster-md-kmp-azure-6.12.0-160000.30.1
cluster-md-kmp-default-6.12.0-160000.30.1
cluster-md-kmp-rt-6.12.0-160000.30.1
dlm-kmp-64kb-6.12.0-160000.30.1
dlm-kmp-azure-6.12.0-160000.30.1
dlm-kmp-default-6.12.0-160000.30.1
dlm-kmp-rt-6.12.0-160000.30.1
dtb-allwinner-6.12.0-160000.30.1
dtb-altera-6.12.0-160000.30.1
dtb-amazon-6.12.0-160000.30.1
dtb-amd-6.12.0-160000.30.1
dtb-amlogic-6.12.0-160000.30.1
dtb-apm-6.12.0-160000.30.1
dtb-apple-6.12.0-160000.30.1
dtb-arm-6.12.0-160000.30.1
dtb-broadcom-6.12.0-160000.30.1
dtb-cavium-6.12.0-160000.30.1
dtb-exynos-6.12.0-160000.30.1
dtb-freescale-6.12.0-160000.30.1
dtb-hisilicon-6.12.0-160000.30.1
dtb-lg-6.12.0-160000.30.1
dtb-marvell-6.12.0-160000.30.1
dtb-mediatek-6.12.0-160000.30.1
dtb-nvidia-6.12.0-160000.30.1
dtb-qcom-6.12.0-160000.30.1
dtb-renesas-6.12.0-160000.30.1
dtb-rockchip-6.12.0-160000.30.1
dtb-socionext-6.12.0-160000.30.1
dtb-sprd-6.12.0-160000.30.1
dtb-xilinx-6.12.0-160000.30.1
gfs2-kmp-64kb-6.12.0-160000.30.1
gfs2-kmp-azure-6.12.0-160000.30.1
gfs2-kmp-default-6.12.0-160000.30.1
gfs2-kmp-rt-6.12.0-160000.30.1
kernel-64kb-6.12.0-160000.30.1
kernel-64kb-devel-6.12.0-160000.30.1
kernel-64kb-extra-6.12.0-160000.30.1
kernel-64kb-optional-6.12.0-160000.30.1
kernel-azure-6.12.0-160000.30.1
kernel-azure-devel-6.12.0-160000.30.1
kernel-azure-extra-6.12.0-160000.30.1
kernel-azure-optional-6.12.0-160000.30.1
kernel-azure-vdso-6.12.0-160000.30.1
kernel-default-6.12.0-160000.30.1
kernel-default-base-6.12.0-160000.30.1.160000.2.11
kernel-default-devel-6.12.0-160000.30.1
kernel-default-extra-6.12.0-160000.30.1
kernel-default-optional-6.12.0-160000.30.1
kernel-default-vdso-6.12.0-160000.30.1
kernel-devel-6.12.0-160000.30.1
kernel-docs-6.12.0-160000.30.1
kernel-docs-html-6.12.0-160000.30.1
kernel-kvmsmall-6.12.0-160000.30.1
kernel-kvmsmall-devel-6.12.0-160000.30.1
kernel-kvmsmall-vdso-6.12.0-160000.30.1
kernel-macros-6.12.0-160000.30.1
kernel-obs-build-6.12.0-160000.30.1
kernel-obs-qa-6.12.0-160000.30.1
kernel-rt-6.12.0-160000.30.1
kernel-rt-devel-6.12.0-160000.30.1
kernel-rt-extra-6.12.0-160000.30.1
kernel-rt-optional-6.12.0-160000.30.1
kernel-rt-vdso-6.12.0-160000.30.1
kernel-source-6.12.0-160000.30.1
kernel-source-vanilla-6.12.0-160000.30.1
kernel-syms-6.12.0-160000.30.1
kernel-zfcpdump-6.12.0-160000.30.1
kselftests-kmp-64kb-6.12.0-160000.30.1
kselftests-kmp-azure-6.12.0-160000.30.1
kselftests-kmp-default-6.12.0-160000.30.1
kselftests-kmp-rt-6.12.0-160000.30.1
ocfs2-kmp-64kb-6.12.0-160000.30.1
ocfs2-kmp-azure-6.12.0-160000.30.1
ocfs2-kmp-default-6.12.0-160000.30.1
ocfs2-kmp-rt-6.12.0-160000.30.1
References:
* https://www.suse.com/security/cve/CVE-2026-43284.html
* https://www.suse.com/security/cve/CVE-2026-43500.html
openSUSE-SU-2026:20742-1: moderate: Security update for ongres-scram, ongres-stringprep, plexus-testing, maven, maven-doxia, mojo-parent, sisu
openSUSE security update: security update for ongres-scram, ongres-stringprep, plexus-testing, maven, maven-doxia, mojo-parent, sisu
-------------------------------------------------------------
Announcement ID: openSUSE-SU-2026:20742-1
Rating: moderate
References:
* bsc#1250399
Cross-References:
* CVE-2025-59432
CVSS scores:
* CVE-2025-59432 ( SUSE ): 6.8 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N
* CVE-2025-59432 ( SUSE ): 8.2 CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
Affected Products:
openSUSE Leap 16.0
-------------------------------------------------------------
An update that solves one vulnerability and has one bug fix can now be installed.
Description:
This update for ongres-scram, ongres-stringprep, plexus-testing, maven, maven-doxia, mojo-parent, sisu fixes the following issues:
Changes in ongres-scram:
- Version 3.2
* Fix Timing Attack Vulnerability in SCRAM Authentication
(bsc#1250399, CVE-2025-59432)
* Updated dependencies and maven plugins
* Use central-publishing-maven-plugin to deploy to Maven Central.
- Do not create multirelease jar if the only Java 9+ class file is
module-info.class
Changes in ongres-stringprep:
- Do not create multirelease jar if the only Java 9+ class file is
module-info.class
Changes in plexus-testing:
- The build without tests does not need the full junit5; the
junit5-minimal (built with ant) is enough
Changes in maven:
- Upgrade to upstream version 3.9.14
* Bug Fixes
+ plexus-testing dependencies should be used in test scope
- Upgrade to upstream version 3.9.13
* Bug Fixes
+ Bug: SecDispatcher is managed by legacy Plexus DI
+ [3.9.x] MavenPluginJavaPrerequisiteChecker: Handle 8/1.8
Java version in ranges as well
* Maintenance
+ Update Maven plugin versions in default-bindings.xml
+ Migrate to JUnit 5 - avoid using TestCase
Changes in maven-doxia:
Upgrade to upstream version 2.1.0:
* New features and improvements
+ Distinguish between linebreaks for formatting markup and
linebreaks in output
+ Return SinkEventAttributes instead of super class
MutableAttributeSet for filterAttributes
+ Optionally leave fragments of internal links untouched
+ Support strikethrough for Markdown sink
+ DOXIA-770: Only escape when necessary
+ DOXIA-760: Clarify table justification semantics and introduce
new "JUSTIFY_DEFAULT" alignment
+ DOXIA-756: Allow to customize macro execution
+ DOXIA-759: Support anchors in MarkdownSink
* Bug Fixes
+ MarkdownSink: Fix verbatim inside table cell
+ Make sure to emit metadata prior everything else
+ Convert all globally available attributes to HTML5 compliant
ones
+ Html5BaseSink: Convert non-compliant HTML5 attributes to
compliant ones
+ Support "name" attribute in "a" element still in XHTML5
+ Never emit Markdown inside HTML context
+ Use JSoup to convert HTML to XHTML after parsing with Flexmark
+ DOXIA-764: Strip leading newline after
+ DOXIA-763: Distinguish between verbatim source and non-source
in MarkdownSink
+ DOXIA-758: Consider emitComments flag in MarkdownSink
+ DOXIA-757: Don't strip leading "#" from link names
+ DOXIA-753: Do not end lists with a blank line
+ DOXIA-751: Linked inline code must be emitted in right order
+ DOXIA-749: Correctly indent and separate blocks inside list
items
+ DOXIA-750: Properly apply inlines inside HTML blocks
+ DOXIA-747: Emit headings at beginning of line for Markdown
* Documentation updates
+ Site: Convert APT to Markdown
+ Improve documentation of supported extensions
+ (doc) Fix missing references in JavaDocs
* Maintenance
+ Cleanup tests
+ JUnit Jupiter best practices
+ Remove commons-lang3 and commons-text dependencies
+ feat: enable prevent branch protection rules
+ Cleanup pom, remove redundant dependencies
+ Drop almost all usages of plexus-utils
+ Remove not used and outdated clirr-maven-plugin
+ Enable Github Issues
+ DOXIA-772: Deprecate Sink.sectionTitle() and sectionTitle_()
+ DOXIA-754: Clarify method order for nested lists
Changes in mojo-parent:
- Do not import junit-bom in the parent. This creates unnecessary
build cycles with junit5.
Patch instructions:
To install this openSUSE security update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
- openSUSE Leap 16.0
zypper in -t patch openSUSE-Leap-16.0-733=1
Package List:
- openSUSE Leap 16.0:
maven-3.9.14-160000.1.1
maven-doxia-core-2.1.0-160000.1.1
maven-doxia-javadoc-2.1.0-160000.1.1
maven-doxia-module-apt-2.1.0-160000.1.1
maven-doxia-module-fml-2.1.0-160000.1.1
maven-doxia-module-xdoc-2.1.0-160000.1.1
maven-doxia-module-xhtml5-2.1.0-160000.1.1
maven-doxia-sink-api-2.1.0-160000.1.1
maven-doxia-test-docs-2.1.0-160000.1.1
maven-javadoc-3.9.14-160000.1.1
maven-lib-3.9.14-160000.1.1
mojo-parent-82-160000.3.1
ongres-scram-3.2-160000.4.1
ongres-scram-client-3.2-160000.4.1
ongres-scram-javadoc-3.2-160000.4.1
ongres-stringprep-2.2-160000.3.1
ongres-stringprep-javadoc-2.2-160000.3.1
plexus-testing-2.1.0-160000.2.1
plexus-testing-javadoc-2.1.0-160000.2.1
sisu-inject-1.0.0-160000.2.1
sisu-inject-extender-1.0.0-160000.2.1
sisu-javadoc-1.0.0-160000.2.1
sisu-mojos-1.0.0-160000.2.1
sisu-mojos-javadoc-1.0.0-160000.2.1
sisu-plexus-1.0.0-160000.2.1
sisu-plexus-extender-1.0.0-160000.2.1
xmvn-4.3.0-160000.3.3
xmvn-api-4.3.0-160000.3.1
xmvn-connector-4.3.0-160000.3.1
xmvn-connector-javadoc-4.3.0-160000.3.1
xmvn-core-4.3.0-160000.3.1
xmvn-install-4.3.0-160000.3.1
xmvn-minimal-4.3.0-160000.3.3
xmvn-mojo-4.3.0-160000.3.1
xmvn-mojo-javadoc-4.3.0-160000.3.1
xmvn-parent-4.3.0-160000.3.1
xmvn-resolve-4.3.0-160000.3.1
xmvn-subst-4.3.0-160000.3.1
xmvn-tools-javadoc-4.3.0-160000.3.1
References:
* https://www.suse.com/security/cve/CVE-2025-59432.html
openSUSE-SU-2026:20737-1: moderate: Security update for python-lxml
openSUSE security update: security update for python-lxml
-------------------------------------------------------------
Announcement ID: openSUSE-SU-2026:20737-1
Rating: moderate
References:
* bsc#1263254
Cross-References:
* CVE-2026-41066
CVSS scores:
* CVE-2026-41066 ( SUSE ): 5.9 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
* CVE-2026-41066 ( SUSE ): 6 CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
Affected Products:
openSUSE Leap 16.0
-------------------------------------------------------------
An update that solves one vulnerability and has one bug fix can now be installed.
Description:
This update for python-lxml fixes the following issue
- CVE-2026-41066: Information disclosure via untrusted XML input leading to local file read (bsc#1263254).
Patch instructions:
To install this openSUSE security update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
- openSUSE Leap 16.0
zypper in -t patch openSUSE-Leap-16.0-728=1
Package List:
- openSUSE Leap 16.0:
python-lxml-doc-5.4.0-160000.3.1
python313-lxml-5.4.0-160000.3.1
python313-lxml-devel-5.4.0-160000.3.1
References:
* https://www.suse.com/security/cve/CVE-2026-41066.html
openSUSE-SU-2026:20748-1: important: Security update for dnsmasq
openSUSE security update: security update for dnsmasq
-------------------------------------------------------------
Announcement ID: openSUSE-SU-2026:20748-1
Rating: important
References:
* bsc#1235517
* bsc#1235834
* bsc#1247812
* bsc#1257934
* bsc#1258251
* bsc#1262487
* bsc#1265001
* bsc#1265002
* bsc#1265003
* bsc#1265004
* bsc#1265006
Cross-References:
* CVE-2026-2291
* CVE-2026-4890
* CVE-2026-4891
* CVE-2026-4892
* CVE-2026-4893
* CVE-2026-5172
* CVE-2026-6507
CVSS scores:
* CVE-2026-2291 ( SUSE ): 8.1 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
* CVE-2026-2291 ( SUSE ): 9.2 CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
* CVE-2026-4890 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
* CVE-2026-4891 ( SUSE ): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
* CVE-2026-4892 ( SUSE ): 8.4 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
* CVE-2026-4893 ( SUSE ): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
* CVE-2026-5172 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
* CVE-2026-6507 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
* CVE-2026-6507 ( SUSE ): 8.7 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
Affected Products:
openSUSE Leap 16.0
-------------------------------------------------------------
An update that solves 7 vulnerabilities and has 11 bug fixes can now be installed.
Description:
This update for dnsmasq fixes the following issues
Security issues:
- CVE-2026-2291: dnsmasq can be abused to record false cached data enabling DoS or attacker redirect
(bsc#1258251).
- CVE-2026-4890: DoS vulnerability in the DNSSEC validation (bsc#1265001).
- CVE-2026-4891: heap-based out-of-bounds read vulnerability in the DNSSEC validation (bsc#1265002).
- CVE-2026-4892: heap-based out-of-bounds write vulnerability in the DHCPv6 implementation (bsc#1265003).
- CVE-2026-4893: information disclosure vulnerability in dnsmasq allows remote attackers to bypass source checks
(bsc#1265004).
- CVE-2026-5172: buffer overflow in dnsmasq's extract_addresses() function (bsc#1265006).
- CVE-2026-6507: out-of-bounds write in DHCP BOOTREPLY processing can lead to denial of service (bsc#1262487).
Non security issues:
- aardvark-dns upstream tests make dnsmasq dump core (bsc#1247812).
- Drop rcFOO symlinks for CODE16 (jsc#PED-266).
- libnettle: update to 4.0 breaks dnsmasq and gnutls (bsc#1257934).
- unknown user or group: dnsmasq with latest proposed dnsmasq update when doing virsh net-start (bsc#1235517).
- Update to security release 2.92rel2.
Patch instructions:
To install this openSUSE security update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
- openSUSE Leap 16.0
zypper in -t patch openSUSE-Leap-16.0-742=1
Package List:
- openSUSE Leap 16.0:
dnsmasq-2.92rel2-160000.1.1
dnsmasq-utils-2.92rel2-160000.1.1
References:
* https://www.suse.com/security/cve/CVE-2026-2291.html
* https://www.suse.com/security/cve/CVE-2026-4890.html
* https://www.suse.com/security/cve/CVE-2026-4891.html
* https://www.suse.com/security/cve/CVE-2026-4892.html
* https://www.suse.com/security/cve/CVE-2026-4893.html
* https://www.suse.com/security/cve/CVE-2026-5172.html
* https://www.suse.com/security/cve/CVE-2026-6507.html
openSUSE-SU-2026:20741-1: moderate: Security update for MozillaFirefox
openSUSE security update: security update for mozillafirefox
-------------------------------------------------------------
Announcement ID: openSUSE-SU-2026:20741-1
Rating: moderate
References:
* bsc#1264378
Cross-References:
* CVE-2026-8090
* CVE-2026-8091
* CVE-2026-8092
* CVE-2026-8094
CVSS scores:
* CVE-2026-8090 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
* CVE-2026-8091 ( SUSE ): 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
* CVE-2026-8092 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
* CVE-2026-8094 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
Affected Products:
openSUSE Leap 16.0
-------------------------------------------------------------
An update that solves 4 vulnerabilities and has one bug fix can now be installed.
Description:
This update for MozillaFirefox fixes the following issues
Updated to Firefox Extended Support Release 140.10.2 ESR (bsc#1264378, MFSA 2026-41):
- CVE-2026-8090: Use-after-free in the DOM: Networking component.
- CVE-2026-8091: Incorrect boundary conditions in the Audio/Video: Playback component.
- CVE-2026-8092: Memory safety bugs fixed in Firefox ESR 115.35.2, Firefox ESR 140.10.2 and Firefox 150.0.2.
- CVE-2026-8094: Other issue in the WebRTC component.
Patch instructions:
To install this openSUSE security update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
- openSUSE Leap 16.0
zypper in -t patch openSUSE-Leap-16.0-732=1
Package List:
- openSUSE Leap 16.0:
MozillaFirefox-140.10.2-160000.1.1
MozillaFirefox-branding-upstream-140.10.2-160000.1.1
MozillaFirefox-devel-140.10.2-160000.1.2
MozillaFirefox-translations-common-140.10.2-160000.1.1
MozillaFirefox-translations-other-140.10.2-160000.1.1
References:
* https://www.suse.com/security/cve/CVE-2026-8090.html
* https://www.suse.com/security/cve/CVE-2026-8091.html
* https://www.suse.com/security/cve/CVE-2026-8092.html
* https://www.suse.com/security/cve/CVE-2026-8094.html
openSUSE-SU-2026:10805-1: moderate: perl-HTTP-Tiny-0.094-1.1 on GA media
# perl-HTTP-Tiny-0.094-1.1 on GA media
Announcement ID: openSUSE-SU-2026:10805-1
Rating: moderate
Cross-References:
* CVE-2026-7010
Affected Products:
* openSUSE Tumbleweed
An update that solves one vulnerability can now be installed.
## Description:
These are all security issues fixed in the perl-HTTP-Tiny-0.094-1.1 package on the GA media of openSUSE Tumbleweed.
## Package List:
* openSUSE Tumbleweed:
* perl-HTTP-Tiny 0.094-1.1
## References:
* https://www.suse.com/security/cve/CVE-2026-7010.html
openSUSE-SU-2026:10808-1: moderate: postgresql16-16.14-1.1 on GA media
# postgresql16-16.14-1.1 on GA media
Announcement ID: openSUSE-SU-2026:10808-1
Rating: moderate
Cross-References:
* CVE-2026-6472
* CVE-2026-6473
* CVE-2026-6474
* CVE-2026-6475
* CVE-2026-6477
* CVE-2026-6478
* CVE-2026-6479
* CVE-2026-6637
* CVE-2026-6638
CVSS scores:
* CVE-2026-6472 ( SUSE ): 5.4 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
* CVE-2026-6473 ( SUSE ): 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
* CVE-2026-6474 ( SUSE ): 4.3 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
* CVE-2026-6475 ( SUSE ): 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
* CVE-2026-6477 ( SUSE ): 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
* CVE-2026-6478 ( SUSE ): 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
* CVE-2026-6479 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
* CVE-2026-6637 ( SUSE ): 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
* CVE-2026-6638 ( SUSE ): 3.7 CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N
Affected Products:
* openSUSE Tumbleweed
An update that solves 9 vulnerabilities can now be installed.
## Description:
These are all security issues fixed in the postgresql16-16.14-1.1 package on the GA media of openSUSE Tumbleweed.
## Package List:
* openSUSE Tumbleweed:
* postgresql16 16.14-1.1
* postgresql16-contrib 16.14-1.1
* postgresql16-devel 16.14-1.1
* postgresql16-docs 16.14-1.1
* postgresql16-llvmjit 16.14-1.1
* postgresql16-llvmjit-devel 16.14-1.1
* postgresql16-plperl 16.14-1.1
* postgresql16-plpython 16.14-1.1
* postgresql16-pltcl 16.14-1.1
* postgresql16-server 16.14-1.1
* postgresql16-server-devel 16.14-1.1
* postgresql16-test 16.14-1.1
## References:
* https://www.suse.com/security/cve/CVE-2026-6472.html
* https://www.suse.com/security/cve/CVE-2026-6473.html
* https://www.suse.com/security/cve/CVE-2026-6474.html
* https://www.suse.com/security/cve/CVE-2026-6475.html
* https://www.suse.com/security/cve/CVE-2026-6477.html
* https://www.suse.com/security/cve/CVE-2026-6478.html
* https://www.suse.com/security/cve/CVE-2026-6479.html
* https://www.suse.com/security/cve/CVE-2026-6637.html
* https://www.suse.com/security/cve/CVE-2026-6638.html
openSUSE-SU-2026:10806-1: moderate: postgresql14-14.23-1.1 on GA media
# postgresql14-14.23-1.1 on GA media
Announcement ID: openSUSE-SU-2026:10806-1
Rating: moderate
Cross-References:
* CVE-2026-6472
* CVE-2026-6473
* CVE-2026-6474
* CVE-2026-6475
* CVE-2026-6477
* CVE-2026-6478
* CVE-2026-6479
* CVE-2026-6637
CVSS scores:
* CVE-2026-6472 ( SUSE ): 5.4 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
* CVE-2026-6473 ( SUSE ): 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
* CVE-2026-6474 ( SUSE ): 4.3 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
* CVE-2026-6475 ( SUSE ): 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
* CVE-2026-6477 ( SUSE ): 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
* CVE-2026-6478 ( SUSE ): 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
* CVE-2026-6479 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
* CVE-2026-6637 ( SUSE ): 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Affected Products:
* openSUSE Tumbleweed
An update that solves 8 vulnerabilities can now be installed.
## Description:
These are all security issues fixed in the postgresql14-14.23-1.1 package on the GA media of openSUSE Tumbleweed.
## Package List:
* openSUSE Tumbleweed:
* postgresql14 14.23-1.1
* postgresql14-contrib 14.23-1.1
* postgresql14-devel 14.23-1.1
* postgresql14-docs 14.23-1.1
* postgresql14-llvmjit 14.23-1.1
* postgresql14-llvmjit-devel 14.23-1.1
* postgresql14-plperl 14.23-1.1
* postgresql14-plpython 14.23-1.1
* postgresql14-pltcl 14.23-1.1
* postgresql14-server 14.23-1.1
* postgresql14-server-devel 14.23-1.1
* postgresql14-test 14.23-1.1
## References:
* https://www.suse.com/security/cve/CVE-2026-6472.html
* https://www.suse.com/security/cve/CVE-2026-6473.html
* https://www.suse.com/security/cve/CVE-2026-6474.html
* https://www.suse.com/security/cve/CVE-2026-6475.html
* https://www.suse.com/security/cve/CVE-2026-6477.html
* https://www.suse.com/security/cve/CVE-2026-6478.html
* https://www.suse.com/security/cve/CVE-2026-6479.html
* https://www.suse.com/security/cve/CVE-2026-6637.html
openSUSE-SU-2026:10810-1: moderate: traefik-3.6.17-1.1 on GA media
# traefik-3.6.17-1.1 on GA media
Announcement ID: openSUSE-SU-2026:10810-1
Rating: moderate
Cross-References:
* CVE-2026-44774
Affected Products:
* openSUSE Tumbleweed
An update that solves one vulnerability can now be installed.
## Description:
These are all security issues fixed in the traefik-3.6.17-1.1 package on the GA media of openSUSE Tumbleweed.
## Package List:
* openSUSE Tumbleweed:
* traefik 3.6.17-1.1
## References:
* https://www.suse.com/security/cve/CVE-2026-44774.html
openSUSE-SU-2026:10804-1: moderate: openssh-10.3p1-4.1 on GA media
# openssh-10.3p1-4.1 on GA media
Announcement ID: openSUSE-SU-2026:10804-1
Rating: moderate
Cross-References:
* CVE-2026-35385
* CVE-2026-35414
CVSS scores:
* CVE-2026-35385 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
* CVE-2026-35385 ( SUSE ): 7.5 CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
* CVE-2026-35414 ( SUSE ): 4.2 CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N
* CVE-2026-35414 ( SUSE ): 2.3 CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
Affected Products:
* openSUSE Tumbleweed
An update that solves 2 vulnerabilities can now be installed.
## Description:
These are all security issues fixed in the openssh-10.3p1-4.1 package on the GA media of openSUSE Tumbleweed.
## Package List:
* openSUSE Tumbleweed:
* openssh 10.3p1-4.1
* openssh-cavs 10.3p1-4.1
* openssh-clients 10.3p1-4.1
* openssh-common 10.3p1-4.1
* openssh-helpers 10.3p1-4.1
* openssh-server 10.3p1-4.1
* openssh-server-config-rootlogin 10.3p1-4.1
## References:
* https://www.suse.com/security/cve/CVE-2026-35385.html
* https://www.suse.com/security/cve/CVE-2026-35414.html
SUSE-SU-2026:1999-1: important: Security update for postgresql15
# Security update for postgresql15
Announcement ID: SUSE-SU-2026:1999-1
Release Date: 2026-05-19T08:19:36Z
Rating: important
References:
* bsc#1263804
* bsc#1265172
* bsc#1265173
* bsc#1265174
* bsc#1265175
* bsc#1265177
* bsc#1265178
* bsc#1265179
* bsc#1265181
* jsc#PED-14823
Cross-References:
* CVE-2026-6472
* CVE-2026-6473
* CVE-2026-6474
* CVE-2026-6475
* CVE-2026-6477
* CVE-2026-6478
* CVE-2026-6479
* CVE-2026-6637
CVSS scores:
* CVE-2026-6472 ( SUSE ): 5.4 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
* CVE-2026-6472 ( NVD ): 5.4 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
* CVE-2026-6473 ( SUSE ): 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
* CVE-2026-6473 ( NVD ): 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
* CVE-2026-6474 ( SUSE ): 4.3 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
* CVE-2026-6474 ( NVD ): 4.3 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
* CVE-2026-6475 ( SUSE ): 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
* CVE-2026-6475 ( NVD ): 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
* CVE-2026-6477 ( SUSE ): 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
* CVE-2026-6477 ( NVD ): 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
* CVE-2026-6478 ( SUSE ): 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
* CVE-2026-6478 ( NVD ): 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
* CVE-2026-6479 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
* CVE-2026-6479 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
* CVE-2026-6637 ( SUSE ): 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
* CVE-2026-6637 ( NVD ): 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Affected Products:
* Legacy Module 15-SP7
* openSUSE Leap 15.6
* SUSE Linux Enterprise Server 15 SP6
* SUSE Linux Enterprise Server 15 SP6 LTSS
* SUSE Linux Enterprise Server 15 SP7
* SUSE Linux Enterprise Server for SAP Applications 15 SP6
* SUSE Linux Enterprise Server for SAP Applications 15 SP7
An update that solves eight vulnerabilities, contains one feature and has one
security fix can now be installed.
## Description:
This update for postgresql15 fixes the following issues:
Update to version 15.18.
Security issues:
* CVE-2026-6472: ensure the user has CREATE privilege on the schema specified
(bsc#1265172).
* CVE-2026-6473: integer overflows in memory-allocation calculations
(bsc#1265173).
* CVE-2026-6474: Guard against malicious time zone names (bsc#1265174).
* CVE-2026-6475: Prevent path traversal in pg_basebackup and pg_rewind
(bsc#1265175).
* CVE-2026-6477: Mark PQfn() as unsafe, and avoid using it within libpq
(bsc#1265177).
* CVE-2026-6478: Use timing-safe string comparisons in authentication code
(bsc#1265178).
* CVE-2026-6479: Prevent unbounded recursion while processing startup packets
(bsc#1265179).
* CVE-2026-6637: Prevent SQL injection and buffer overruns in contrib/spi
(bsc#1265181).
Non security issue:
* Get rid of update-alternatives for openSUSE/SLE 16.0 and newer to support
immutable systems and transactional updates (jsc#PED-14823).
* /usr/bin/pg_config is missing after migrating away from update-alternatives
(bsc#1263804).
## Patch Instructions:
To install this SUSE update use the SUSE recommended installation methods like
YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
* openSUSE Leap 15.6
zypper in -t patch SUSE-2026-1999=1
* Legacy Module 15-SP7
zypper in -t patch SUSE-SLE-Module-Legacy-15-SP7-2026-1999=1
* SUSE Linux Enterprise Server 15 SP6 LTSS
zypper in -t patch SUSE-SLE-Product-SLES-15-SP6-LTSS-2026-1999=1
* SUSE Linux Enterprise Server for SAP Applications 15 SP6
zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-SP6-2026-1999=1
## Package List:
* openSUSE Leap 15.6 (aarch64 ppc64le s390x x86_64 i586)
* postgresql15-server-debuginfo-15.18-150600.16.31.1
* postgresql15-llvmjit-debuginfo-15.18-150600.16.31.1
* postgresql15-test-15.18-150600.16.31.1
* postgresql15-plpython-debuginfo-15.18-150600.16.31.1
* postgresql15-server-devel-debuginfo-15.18-150600.16.31.1
* postgresql15-pltcl-debuginfo-15.18-150600.16.31.1
* postgresql15-plpython-15.18-150600.16.31.1
* postgresql15-debugsource-15.18-150600.16.31.1
* postgresql15-server-15.18-150600.16.31.1
* postgresql15-15.18-150600.16.31.1
* postgresql15-debuginfo-15.18-150600.16.31.1
* postgresql15-plperl-debuginfo-15.18-150600.16.31.1
* postgresql15-devel-15.18-150600.16.31.1
* postgresql15-pltcl-15.18-150600.16.31.1
* postgresql15-contrib-debuginfo-15.18-150600.16.31.1
* postgresql15-devel-debuginfo-15.18-150600.16.31.1
* postgresql15-contrib-15.18-150600.16.31.1
* postgresql15-server-devel-15.18-150600.16.31.1
* postgresql15-plperl-15.18-150600.16.31.1
* postgresql15-llvmjit-15.18-150600.16.31.1
* postgresql15-llvmjit-devel-15.18-150600.16.31.1
* openSUSE Leap 15.6 (noarch)
* postgresql15-docs-15.18-150600.16.31.1
* Legacy Module 15-SP7 (aarch64 ppc64le s390x x86_64)
* postgresql15-server-debuginfo-15.18-150600.16.31.1
* postgresql15-server-15.18-150600.16.31.1
* postgresql15-devel-15.18-150600.16.31.1
* postgresql15-plperl-debuginfo-15.18-150600.16.31.1
* postgresql15-pltcl-15.18-150600.16.31.1
* postgresql15-plpython-debuginfo-15.18-150600.16.31.1
* postgresql15-15.18-150600.16.31.1
* postgresql15-contrib-debuginfo-15.18-150600.16.31.1
* postgresql15-devel-debuginfo-15.18-150600.16.31.1
* postgresql15-server-devel-debuginfo-15.18-150600.16.31.1
* postgresql15-contrib-15.18-150600.16.31.1
* postgresql15-pltcl-debuginfo-15.18-150600.16.31.1
* postgresql15-server-devel-15.18-150600.16.31.1
* postgresql15-plpython-15.18-150600.16.31.1
* postgresql15-debuginfo-15.18-150600.16.31.1
* postgresql15-plperl-15.18-150600.16.31.1
* postgresql15-debugsource-15.18-150600.16.31.1
* SUSE Linux Enterprise Server 15 SP6 LTSS (aarch64 ppc64le s390x x86_64)
* postgresql15-server-debuginfo-15.18-150600.16.31.1
* postgresql15-server-15.18-150600.16.31.1
* postgresql15-devel-15.18-150600.16.31.1
* postgresql15-plperl-debuginfo-15.18-150600.16.31.1
* postgresql15-pltcl-15.18-150600.16.31.1
* postgresql15-plpython-debuginfo-15.18-150600.16.31.1
* postgresql15-15.18-150600.16.31.1
* postgresql15-contrib-debuginfo-15.18-150600.16.31.1
* postgresql15-devel-debuginfo-15.18-150600.16.31.1
* postgresql15-server-devel-debuginfo-15.18-150600.16.31.1
* postgresql15-contrib-15.18-150600.16.31.1
* postgresql15-pltcl-debuginfo-15.18-150600.16.31.1
* postgresql15-server-devel-15.18-150600.16.31.1
* postgresql15-plpython-15.18-150600.16.31.1
* postgresql15-debuginfo-15.18-150600.16.31.1
* postgresql15-plperl-15.18-150600.16.31.1
* postgresql15-debugsource-15.18-150600.16.31.1
* SUSE Linux Enterprise Server 15 SP6 LTSS (noarch)
* postgresql15-docs-15.18-150600.16.31.1
* SUSE Linux Enterprise Server for SAP Applications 15 SP6 (ppc64le x86_64)
* postgresql15-server-debuginfo-15.18-150600.16.31.1
* postgresql15-server-15.18-150600.16.31.1
* postgresql15-devel-15.18-150600.16.31.1
* postgresql15-plperl-debuginfo-15.18-150600.16.31.1
* postgresql15-pltcl-15.18-150600.16.31.1
* postgresql15-plpython-debuginfo-15.18-150600.16.31.1
* postgresql15-15.18-150600.16.31.1
* postgresql15-contrib-debuginfo-15.18-150600.16.31.1
* postgresql15-devel-debuginfo-15.18-150600.16.31.1
* postgresql15-server-devel-debuginfo-15.18-150600.16.31.1
* postgresql15-contrib-15.18-150600.16.31.1
* postgresql15-pltcl-debuginfo-15.18-150600.16.31.1
* postgresql15-server-devel-15.18-150600.16.31.1
* postgresql15-plpython-15.18-150600.16.31.1
* postgresql15-debuginfo-15.18-150600.16.31.1
* postgresql15-plperl-15.18-150600.16.31.1
* postgresql15-debugsource-15.18-150600.16.31.1
* SUSE Linux Enterprise Server for SAP Applications 15 SP6 (noarch)
* postgresql15-docs-15.18-150600.16.31.1
## References:
* https://www.suse.com/security/cve/CVE-2026-6472.html
* https://www.suse.com/security/cve/CVE-2026-6473.html
* https://www.suse.com/security/cve/CVE-2026-6474.html
* https://www.suse.com/security/cve/CVE-2026-6475.html
* https://www.suse.com/security/cve/CVE-2026-6477.html
* https://www.suse.com/security/cve/CVE-2026-6478.html
* https://www.suse.com/security/cve/CVE-2026-6479.html
* https://www.suse.com/security/cve/CVE-2026-6637.html
* https://bugzilla.suse.com/show_bug.cgi?id=1263804
* https://bugzilla.suse.com/show_bug.cgi?id=1265172
* https://bugzilla.suse.com/show_bug.cgi?id=1265173
* https://bugzilla.suse.com/show_bug.cgi?id=1265174
* https://bugzilla.suse.com/show_bug.cgi?id=1265175
* https://bugzilla.suse.com/show_bug.cgi?id=1265177
* https://bugzilla.suse.com/show_bug.cgi?id=1265178
* https://bugzilla.suse.com/show_bug.cgi?id=1265179
* https://bugzilla.suse.com/show_bug.cgi?id=1265181
* https://jira.suse.com/browse/PED-14823
SUSE-SU-2026:2003-1: moderate: Security update for GraphicsMagick
# Security update for GraphicsMagick
Announcement ID: SUSE-SU-2026:2003-1
Release Date: 2026-05-19T08:22:18Z
Rating: moderate
References:
* bsc#1265048
Cross-References:
* CVE-2026-42050
CVSS scores:
* CVE-2026-42050 ( SUSE ): 5.5 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
* CVE-2026-42050 ( NVD ): 5.5 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
Affected Products:
* openSUSE Leap 15.6
* SUSE Linux Enterprise Desktop 15 SP7
* SUSE Linux Enterprise Real Time 15 SP7
* SUSE Linux Enterprise Server 15 SP7
* SUSE Linux Enterprise Server for SAP Applications 15 SP7
* SUSE Package Hub 15 15-SP7
An update that solves one vulnerability can now be installed.
## Description:
This update for GraphicsMagick fixes the following issue:
* CVE-2026-42050: Stack buffer overflow in XTileImage (bsc#1265048).
## Patch Instructions:
To install this SUSE update use the SUSE recommended installation methods like
YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
* SUSE Package Hub 15 15-SP7
zypper in -t patch SUSE-SLE-Module-Packagehub-Subpackages-15-SP7-2026-2003=1
* openSUSE Leap 15.6
zypper in -t patch SUSE-2026-2003=1
## Package List:
* SUSE Package Hub 15 15-SP7 (aarch64 ppc64le s390x x86_64)
* libGraphicsMagick++-devel-1.3.42-150600.3.24.1
* GraphicsMagick-devel-1.3.42-150600.3.24.1
* libGraphicsMagick++-Q16-12-1.3.42-150600.3.24.1
* GraphicsMagick-debuginfo-1.3.42-150600.3.24.1
* GraphicsMagick-debugsource-1.3.42-150600.3.24.1
* libGraphicsMagick++-Q16-12-debuginfo-1.3.42-150600.3.24.1
* libGraphicsMagickWand-Q16-2-debuginfo-1.3.42-150600.3.24.1
* perl-GraphicsMagick-1.3.42-150600.3.24.1
* libGraphicsMagick3-config-1.3.42-150600.3.24.1
* perl-GraphicsMagick-debuginfo-1.3.42-150600.3.24.1
* libGraphicsMagickWand-Q16-2-1.3.42-150600.3.24.1
* libGraphicsMagick-Q16-3-debuginfo-1.3.42-150600.3.24.1
* libGraphicsMagick-Q16-3-1.3.42-150600.3.24.1
* GraphicsMagick-1.3.42-150600.3.24.1
* openSUSE Leap 15.6 (aarch64 ppc64le s390x x86_64 i586)
* libGraphicsMagick++-devel-1.3.42-150600.3.24.1
* GraphicsMagick-devel-1.3.42-150600.3.24.1
* libGraphicsMagick++-Q16-12-1.3.42-150600.3.24.1
* GraphicsMagick-debuginfo-1.3.42-150600.3.24.1
* GraphicsMagick-debugsource-1.3.42-150600.3.24.1
* libGraphicsMagick++-Q16-12-debuginfo-1.3.42-150600.3.24.1
* libGraphicsMagickWand-Q16-2-debuginfo-1.3.42-150600.3.24.1
* perl-GraphicsMagick-1.3.42-150600.3.24.1
* libGraphicsMagick3-config-1.3.42-150600.3.24.1
* perl-GraphicsMagick-debuginfo-1.3.42-150600.3.24.1
* libGraphicsMagickWand-Q16-2-1.3.42-150600.3.24.1
* libGraphicsMagick-Q16-3-debuginfo-1.3.42-150600.3.24.1
* libGraphicsMagick-Q16-3-1.3.42-150600.3.24.1
* GraphicsMagick-1.3.42-150600.3.24.1
## References:
* https://www.suse.com/security/cve/CVE-2026-42050.html
* https://bugzilla.suse.com/show_bug.cgi?id=1265048
SUSE-SU-2026:2001-1: important: Security update for postgresql16
# Security update for postgresql16
Announcement ID: SUSE-SU-2026:2001-1
Release Date: 2026-05-19T08:21:21Z
Rating: important
References:
* bsc#1263804
* bsc#1265172
* bsc#1265173
* bsc#1265174
* bsc#1265175
* bsc#1265177
* bsc#1265178
* bsc#1265179
* bsc#1265181
* bsc#1265182
* jsc#PED-14824
Cross-References:
* CVE-2026-6472
* CVE-2026-6473
* CVE-2026-6474
* CVE-2026-6475
* CVE-2026-6477
* CVE-2026-6478
* CVE-2026-6479
* CVE-2026-6637
* CVE-2026-6638
CVSS scores:
* CVE-2026-6472 ( SUSE ): 5.4 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
* CVE-2026-6472 ( NVD ): 5.4 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
* CVE-2026-6473 ( SUSE ): 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
* CVE-2026-6473 ( NVD ): 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
* CVE-2026-6474 ( SUSE ): 4.3 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
* CVE-2026-6474 ( NVD ): 4.3 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
* CVE-2026-6475 ( SUSE ): 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
* CVE-2026-6475 ( NVD ): 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
* CVE-2026-6477 ( SUSE ): 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
* CVE-2026-6477 ( NVD ): 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
* CVE-2026-6478 ( SUSE ): 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
* CVE-2026-6478 ( NVD ): 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
* CVE-2026-6479 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
* CVE-2026-6479 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
* CVE-2026-6637 ( SUSE ): 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
* CVE-2026-6637 ( NVD ): 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
* CVE-2026-6638 ( SUSE ): 3.7 CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N
* CVE-2026-6638 ( NVD ): 3.7 CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N
* CVE-2026-6638 ( NVD ): 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Affected Products:
* Legacy Module 15-SP7
* openSUSE Leap 15.6
* Server Applications Module 15-SP7
* SUSE Linux Enterprise Desktop 15 SP7
* SUSE Linux Enterprise Real Time 15 SP7
* SUSE Linux Enterprise Server 15 SP6
* SUSE Linux Enterprise Server 15 SP6 LTSS
* SUSE Linux Enterprise Server 15 SP7
* SUSE Linux Enterprise Server for SAP Applications 15 SP6
* SUSE Linux Enterprise Server for SAP Applications 15 SP7
* SUSE Package Hub 15 15-SP7
An update that solves nine vulnerabilities, contains one feature and has one
security fix can now be installed.
## Description:
This update for postgresql16 fixes the following issues:
Update to version 16.13.
Security issues:
* CVE-2026-6472: ensure the user has CREATE privilege on the schema specified
(bsc#1265172).
* CVE-2026-6473: integer overflows in memory-allocation calculations
(bsc#1265173).
* CVE-2026-6474: Guard against malicious time zone names (bsc#1265174).
* CVE-2026-6475: Prevent path traversal in pg_basebackup and pg_rewind
(bsc#1265175).
* CVE-2026-6477: Mark PQfn() as unsafe, and avoid using it within libpq
(bsc#1265177).
* CVE-2026-6478: Use timing-safe string comparisons in authentication code
(bsc#1265178).
* CVE-2026-6479: Prevent unbounded recursion while processing startup packets
(bsc#1265179).
* CVE-2026-6637: Prevent SQL injection and buffer overruns in contrib/spi
(bsc#1265181).
* CVE-2026-6638: Properly quote object names in logical replication origin
checks (bsc#1265182).
Non security issue:
* Get rid of update-alternatives for openSUSE/SLE 16.0 and newer to support
immutable systems and transactional updates (jsc#PED-14824).
* /usr/bin/pg_config is missing after migrating away from update-alternatives
(bsc#1263804).
## Patch Instructions:
To install this SUSE update use the SUSE recommended installation methods like
YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
* openSUSE Leap 15.6
zypper in -t patch SUSE-2026-2001=1
* Server Applications Module 15-SP7
zypper in -t patch SUSE-SLE-Module-Server-Applications-15-SP7-2026-2001=1
* SUSE Linux Enterprise Server 15 SP6 LTSS
zypper in -t patch SUSE-SLE-Product-SLES-15-SP6-LTSS-2026-2001=1
* Legacy Module 15-SP7
zypper in -t patch SUSE-SLE-Module-Legacy-15-SP7-2026-2001=1
* SUSE Linux Enterprise Server for SAP Applications 15 SP6
zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-SP6-2026-2001=1
* SUSE Package Hub 15 15-SP7
zypper in -t patch SUSE-SLE-Module-Packagehub-Subpackages-15-SP7-2026-2001=1
## Package List:
* openSUSE Leap 15.6 (aarch64 ppc64le s390x x86_64 i586)
* postgresql16-pltcl-16.14-150600.16.33.1
* postgresql16-devel-debuginfo-16.14-150600.16.33.1
* postgresql16-server-devel-16.14-150600.16.33.1
* postgresql16-contrib-16.14-150600.16.33.1
* postgresql16-16.14-150600.16.33.1
* postgresql16-server-16.14-150600.16.33.1
* postgresql16-server-devel-debuginfo-16.14-150600.16.33.1
* postgresql16-contrib-debuginfo-16.14-150600.16.33.1
* postgresql16-server-debuginfo-16.14-150600.16.33.1
* postgresql16-llvmjit-devel-16.14-150600.16.33.1
* postgresql16-plpython-debuginfo-16.14-150600.16.33.1
* postgresql16-devel-16.14-150600.16.33.1
* postgresql16-test-16.14-150600.16.33.1
* postgresql16-pltcl-debuginfo-16.14-150600.16.33.1
* postgresql16-plperl-16.14-150600.16.33.1
* postgresql16-plperl-debuginfo-16.14-150600.16.33.1
* postgresql16-llvmjit-debuginfo-16.14-150600.16.33.1
* postgresql16-debuginfo-16.14-150600.16.33.1
* postgresql16-llvmjit-16.14-150600.16.33.1
* postgresql16-plpython-16.14-150600.16.33.1
* postgresql16-debugsource-16.14-150600.16.33.1
* openSUSE Leap 15.6 (noarch)
* postgresql16-docs-16.14-150600.16.33.1
* Server Applications Module 15-SP7 (aarch64 ppc64le s390x x86_64)
* postgresql16-server-16.14-150600.16.33.1
* postgresql16-debuginfo-16.14-150600.16.33.1
* postgresql16-server-devel-16.14-150600.16.33.1
* postgresql16-server-debuginfo-16.14-150600.16.33.1
* postgresql16-debugsource-16.14-150600.16.33.1
* postgresql16-16.14-150600.16.33.1
* SUSE Linux Enterprise Server 15 SP6 LTSS (aarch64 ppc64le s390x x86_64)
* postgresql16-debuginfo-16.14-150600.16.33.1
* postgresql16-server-16.14-150600.16.33.1
* postgresql16-contrib-debuginfo-16.14-150600.16.33.1
* postgresql16-server-devel-debuginfo-16.14-150600.16.33.1
* postgresql16-devel-16.14-150600.16.33.1
* postgresql16-pltcl-16.14-150600.16.33.1
* postgresql16-devel-debuginfo-16.14-150600.16.33.1
* postgresql16-pltcl-debuginfo-16.14-150600.16.33.1
* postgresql16-server-devel-16.14-150600.16.33.1
* postgresql16-contrib-16.14-150600.16.33.1
* postgresql16-server-debuginfo-16.14-150600.16.33.1
* postgresql16-plpython-debuginfo-16.14-150600.16.33.1
* postgresql16-plperl-16.14-150600.16.33.1
* postgresql16-debugsource-16.14-150600.16.33.1
* postgresql16-16.14-150600.16.33.1
* postgresql16-plperl-debuginfo-16.14-150600.16.33.1
* postgresql16-plpython-16.14-150600.16.33.1
* SUSE Linux Enterprise Server 15 SP6 LTSS (noarch)
* postgresql16-docs-16.14-150600.16.33.1
* Legacy Module 15-SP7 (aarch64 ppc64le s390x x86_64)
* postgresql16-debuginfo-16.14-150600.16.33.1
* postgresql16-contrib-debuginfo-16.14-150600.16.33.1
* postgresql16-devel-16.14-150600.16.33.1
* postgresql16-devel-debuginfo-16.14-150600.16.33.1
* postgresql16-contrib-16.14-150600.16.33.1
* postgresql16-debugsource-16.14-150600.16.33.1
* SUSE Linux Enterprise Server for SAP Applications 15 SP6 (ppc64le x86_64)
* postgresql16-debuginfo-16.14-150600.16.33.1
* postgresql16-server-16.14-150600.16.33.1
* postgresql16-contrib-debuginfo-16.14-150600.16.33.1
* postgresql16-server-devel-debuginfo-16.14-150600.16.33.1
* postgresql16-devel-16.14-150600.16.33.1
* postgresql16-pltcl-16.14-150600.16.33.1
* postgresql16-devel-debuginfo-16.14-150600.16.33.1
* postgresql16-pltcl-debuginfo-16.14-150600.16.33.1
* postgresql16-server-devel-16.14-150600.16.33.1
* postgresql16-contrib-16.14-150600.16.33.1
* postgresql16-server-debuginfo-16.14-150600.16.33.1
* postgresql16-plpython-debuginfo-16.14-150600.16.33.1
* postgresql16-plperl-16.14-150600.16.33.1
* postgresql16-debugsource-16.14-150600.16.33.1
* postgresql16-16.14-150600.16.33.1
* postgresql16-plperl-debuginfo-16.14-150600.16.33.1
* postgresql16-plpython-16.14-150600.16.33.1
* SUSE Linux Enterprise Server for SAP Applications 15 SP6 (noarch)
* postgresql16-docs-16.14-150600.16.33.1
* SUSE Package Hub 15 15-SP7 (aarch64 ppc64le s390x x86_64)
* postgresql16-debuginfo-16.14-150600.16.33.1
* postgresql16-llvmjit-16.14-150600.16.33.1
* postgresql16-test-16.14-150600.16.33.1
* postgresql16-llvmjit-devel-16.14-150600.16.33.1
* postgresql16-debugsource-16.14-150600.16.33.1
* postgresql16-llvmjit-debuginfo-16.14-150600.16.33.1
## References:
* https://www.suse.com/security/cve/CVE-2026-6472.html
* https://www.suse.com/security/cve/CVE-2026-6473.html
* https://www.suse.com/security/cve/CVE-2026-6474.html
* https://www.suse.com/security/cve/CVE-2026-6475.html
* https://www.suse.com/security/cve/CVE-2026-6477.html
* https://www.suse.com/security/cve/CVE-2026-6478.html
* https://www.suse.com/security/cve/CVE-2026-6479.html
* https://www.suse.com/security/cve/CVE-2026-6637.html
* https://www.suse.com/security/cve/CVE-2026-6638.html
* https://bugzilla.suse.com/show_bug.cgi?id=1263804
* https://bugzilla.suse.com/show_bug.cgi?id=1265172
* https://bugzilla.suse.com/show_bug.cgi?id=1265173
* https://bugzilla.suse.com/show_bug.cgi?id=1265174
* https://bugzilla.suse.com/show_bug.cgi?id=1265175
* https://bugzilla.suse.com/show_bug.cgi?id=1265177
* https://bugzilla.suse.com/show_bug.cgi?id=1265178
* https://bugzilla.suse.com/show_bug.cgi?id=1265179
* https://bugzilla.suse.com/show_bug.cgi?id=1265181
* https://bugzilla.suse.com/show_bug.cgi?id=1265182
* https://jira.suse.com/browse/PED-14824
SUSE-SU-2026:2004-1: important: Security update for python-Pillow
# Security update for python-Pillow
Announcement ID: SUSE-SU-2026:2004-1
Release Date: 2026-05-19T08:23:00Z
Rating: important
References:
* bsc#1265359
Cross-References:
* CVE-2026-42308
CVSS scores:
* CVE-2026-42308 ( SUSE ): 8.7 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
* CVE-2026-42308 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
* CVE-2026-42308 ( NVD ): 5.1 CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
* CVE-2026-42308 ( NVD ): 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Affected Products:
* openSUSE Leap 15.3
* SUSE Linux Enterprise Desktop 15 SP7
* SUSE Linux Enterprise Real Time 15 SP7
* SUSE Linux Enterprise Server 15 SP7
* SUSE Linux Enterprise Server for SAP Applications 15 SP7
* SUSE Package Hub 15 15-SP7
An update that solves one vulnerability can now be installed.
## Description:
This update for python-Pillow fixes the following issue:
* CVE-2026-42308: integer overflow in font processing can lead to denial of
service (bsc#1265359).
## Patch Instructions:
To install this SUSE update use the SUSE recommended installation methods like
YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
* openSUSE Leap 15.3
zypper in -t patch SUSE-2026-2004=1
* SUSE Package Hub 15 15-SP7
zypper in -t patch SUSE-SLE-Module-Packagehub-Subpackages-15-SP7-2026-2004=1
## Package List:
* openSUSE Leap 15.3 (aarch64 ppc64le s390x x86_64 i586)
* python3-Pillow-tk-7.2.0-150300.3.24.1
* python-Pillow-debuginfo-7.2.0-150300.3.24.1
* python3-Pillow-tk-debuginfo-7.2.0-150300.3.24.1
* python3-Pillow-7.2.0-150300.3.24.1
* python3-Pillow-debuginfo-7.2.0-150300.3.24.1
* python-Pillow-debugsource-7.2.0-150300.3.24.1
* SUSE Package Hub 15 15-SP7 (aarch64 ppc64le s390x x86_64)
* python-Pillow-debugsource-7.2.0-150300.3.24.1
* python3-Pillow-7.2.0-150300.3.24.1
* python3-Pillow-debuginfo-7.2.0-150300.3.24.1
* python-Pillow-debuginfo-7.2.0-150300.3.24.1
## References:
* https://www.suse.com/security/cve/CVE-2026-42308.html
* https://bugzilla.suse.com/show_bug.cgi?id=1265359
SUSE-SU-2026:2008-1: important: Security update for haveged
# Security update for haveged
Announcement ID: SUSE-SU-2026:2008-1
Release Date: 2026-05-19T11:55:08Z
Rating: important
References:
* bsc#1264086
Cross-References:
* CVE-2026-41054
CVSS scores:
* CVE-2026-41054 ( SUSE ): 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Affected Products:
* openSUSE Leap 15.4
* SUSE Linux Enterprise High Performance Computing 15 SP4
* SUSE Linux Enterprise High Performance Computing 15 SP5
* SUSE Linux Enterprise High Performance Computing ESPOS 15 SP4
* SUSE Linux Enterprise High Performance Computing ESPOS 15 SP5
* SUSE Linux Enterprise High Performance Computing LTSS 15 SP4
* SUSE Linux Enterprise High Performance Computing LTSS 15 SP5
* SUSE Linux Enterprise Micro 5.3
* SUSE Linux Enterprise Micro 5.4
* SUSE Linux Enterprise Micro 5.5
* SUSE Linux Enterprise Micro for Rancher 5.3
* SUSE Linux Enterprise Micro for Rancher 5.4
* SUSE Linux Enterprise Server 15 SP4
* SUSE Linux Enterprise Server 15 SP4 LTSS
* SUSE Linux Enterprise Server 15 SP5
* SUSE Linux Enterprise Server 15 SP5 LTSS
* SUSE Linux Enterprise Server for SAP Applications 15 SP4
* SUSE Linux Enterprise Server for SAP Applications 15 SP5
An update that solves one vulnerability can now be installed.
## Description:
This update for haveged fixes the following issue:
* CVE-2026-41054: missing exit out of permission check could lead to root
exploit (bsc#1264086).
Changes for haveged:
* Improvements on the linux kernel random subsystem have made move forward to
socket communication within private network
* Fix "stop" of service, the daemon in foreground actually see daemon(7) for
the rationale. Only "simple" (default) and the help of udev, as starting
services while starved of entropy
* Add ppc64le support
* update to 1.8
* Correct additional run-time test alignment problems on mips.
* haveged 1.7a
* Correct VPATH issues and modify check target to support parallel builds and
changes in automake 1.13 test harness.
* Remove all sysvinit compatibility.
* fix powerpc detection
* Current version does support ARM, remove the ExcludeArch need network and
can use PrivateNetwork=yes
* Add online tests based on AIS-31
* Fix install target, move to bin and eliminate script if not daemon, now use
sysv and systemd templates
* use -F with no arguments in haveged.service
* build with -fpie
* Use Service type "simple" in systemd unit
* fix build on ia64, s390, s390x
* fix ppc64 build present in old versions have been fixed in different ways.
* run spec cleaner
* Link with full RELRO (-Wl,-z,relro,-z,now)
* add systemd support
* Drop as many capabilities as possible using libcap-ng
* I meant Enhances not Supplements
* Implement hack to start by default only in VMs
* use O_CLOEXEC on fds
* add proper Requires(pre)
* add a SUSE standard init script
## Patch Instructions:
To install this SUSE update use the SUSE recommended installation methods like
YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
* SUSE Linux Enterprise High Performance Computing ESPOS 15 SP5
zypper in -t patch SUSE-SLE-Product-HPC-15-SP5-ESPOS-2026-2008=1
* SUSE Linux Enterprise High Performance Computing LTSS 15 SP5
zypper in -t patch SUSE-SLE-Product-HPC-15-SP5-LTSS-2026-2008=1
* openSUSE Leap 15.4
zypper in -t patch SUSE-2026-2008=1
* SUSE Linux Enterprise Micro for Rancher 5.3
zypper in -t patch SUSE-SLE-Micro-5.3-2026-2008=1
* SUSE Linux Enterprise Micro 5.3
zypper in -t patch SUSE-SLE-Micro-5.3-2026-2008=1
* SUSE Linux Enterprise Micro for Rancher 5.4
zypper in -t patch SUSE-SLE-Micro-5.4-2026-2008=1
* SUSE Linux Enterprise Micro 5.4
zypper in -t patch SUSE-SLE-Micro-5.4-2026-2008=1
* SUSE Linux Enterprise Micro 5.5
zypper in -t patch SUSE-SLE-Micro-5.5-2026-2008=1
* SUSE Linux Enterprise Server for SAP Applications 15 SP4
zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-SP4-2026-2008=1
* SUSE Linux Enterprise Server for SAP Applications 15 SP5
zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-SP5-2026-2008=1
* SUSE Linux Enterprise High Performance Computing ESPOS 15 SP4
zypper in -t patch SUSE-SLE-Product-HPC-15-SP4-ESPOS-2026-2008=1
* SUSE Linux Enterprise High Performance Computing LTSS 15 SP4
zypper in -t patch SUSE-SLE-Product-HPC-15-SP4-LTSS-2026-2008=1
* SUSE Linux Enterprise Server 15 SP4 LTSS
zypper in -t patch SUSE-SLE-Product-SLES-15-SP4-LTSS-2026-2008=1
* SUSE Linux Enterprise Server 15 SP5 LTSS
zypper in -t patch SUSE-SLE-Product-SLES-15-SP5-LTSS-2026-2008=1
## Package List:
* SUSE Linux Enterprise High Performance Computing ESPOS 15 SP5 (aarch64 x86_64)
* libhavege2-1.9.14-150400.3.11.1
* haveged-1.9.14-150400.3.11.1
* haveged-devel-1.9.14-150400.3.11.1
* haveged-debuginfo-1.9.14-150400.3.11.1
* haveged-debugsource-1.9.14-150400.3.11.1
* libhavege2-debuginfo-1.9.14-150400.3.11.1
* SUSE Linux Enterprise High Performance Computing LTSS 15 SP5 (aarch64 x86_64)
* libhavege2-1.9.14-150400.3.11.1
* libhavege2-debuginfo-1.9.14-150400.3.11.1
* haveged-1.9.14-150400.3.11.1
* haveged-devel-1.9.14-150400.3.11.1
* haveged-debuginfo-1.9.14-150400.3.11.1
* haveged-debugsource-1.9.14-150400.3.11.1
* openSUSE Leap 15.4 (aarch64 ppc64le s390x x86_64 i586)
* libhavege2-1.9.14-150400.3.11.1
* libhavege2-debuginfo-1.9.14-150400.3.11.1
* haveged-1.9.14-150400.3.11.1
* haveged-devel-1.9.14-150400.3.11.1
* haveged-debuginfo-1.9.14-150400.3.11.1
* haveged-debugsource-1.9.14-150400.3.11.1
* SUSE Linux Enterprise Micro for Rancher 5.3 (aarch64 s390x x86_64)
* libhavege2-1.9.14-150400.3.11.1
* haveged-1.9.14-150400.3.11.1
* haveged-debuginfo-1.9.14-150400.3.11.1
* haveged-debugsource-1.9.14-150400.3.11.1
* libhavege2-debuginfo-1.9.14-150400.3.11.1
* SUSE Linux Enterprise Micro 5.3 (aarch64 s390x x86_64)
* libhavege2-1.9.14-150400.3.11.1
* haveged-1.9.14-150400.3.11.1
* haveged-debuginfo-1.9.14-150400.3.11.1
* haveged-debugsource-1.9.14-150400.3.11.1
* libhavege2-debuginfo-1.9.14-150400.3.11.1
* SUSE Linux Enterprise Micro for Rancher 5.4 (aarch64 s390x x86_64)
* libhavege2-1.9.14-150400.3.11.1
* haveged-1.9.14-150400.3.11.1
* haveged-debuginfo-1.9.14-150400.3.11.1
* haveged-debugsource-1.9.14-150400.3.11.1
* libhavege2-debuginfo-1.9.14-150400.3.11.1
* SUSE Linux Enterprise Micro 5.4 (aarch64 s390x x86_64)
* libhavege2-1.9.14-150400.3.11.1
* haveged-1.9.14-150400.3.11.1
* haveged-debuginfo-1.9.14-150400.3.11.1
* haveged-debugsource-1.9.14-150400.3.11.1
* libhavege2-debuginfo-1.9.14-150400.3.11.1
* SUSE Linux Enterprise Micro 5.5 (aarch64 ppc64le s390x x86_64)
* libhavege2-1.9.14-150400.3.11.1
* haveged-1.9.14-150400.3.11.1
* haveged-debuginfo-1.9.14-150400.3.11.1
* haveged-debugsource-1.9.14-150400.3.11.1
* libhavege2-debuginfo-1.9.14-150400.3.11.1
* SUSE Linux Enterprise Server for SAP Applications 15 SP4 (ppc64le x86_64)
* libhavege2-1.9.14-150400.3.11.1
* haveged-1.9.14-150400.3.11.1
* haveged-devel-1.9.14-150400.3.11.1
* haveged-debuginfo-1.9.14-150400.3.11.1
* haveged-debugsource-1.9.14-150400.3.11.1
* libhavege2-debuginfo-1.9.14-150400.3.11.1
* SUSE Linux Enterprise Server for SAP Applications 15 SP5 (ppc64le x86_64)
* libhavege2-1.9.14-150400.3.11.1
* libhavege2-debuginfo-1.9.14-150400.3.11.1
* haveged-1.9.14-150400.3.11.1
* haveged-devel-1.9.14-150400.3.11.1
* haveged-debuginfo-1.9.14-150400.3.11.1
* haveged-debugsource-1.9.14-150400.3.11.1
* SUSE Linux Enterprise High Performance Computing ESPOS 15 SP4 (aarch64 x86_64)
* libhavege2-1.9.14-150400.3.11.1
* libhavege2-debuginfo-1.9.14-150400.3.11.1
* haveged-1.9.14-150400.3.11.1
* haveged-devel-1.9.14-150400.3.11.1
* haveged-debuginfo-1.9.14-150400.3.11.1
* haveged-debugsource-1.9.14-150400.3.11.1
* SUSE Linux Enterprise High Performance Computing LTSS 15 SP4 (aarch64 x86_64)
* libhavege2-1.9.14-150400.3.11.1
* libhavege2-debuginfo-1.9.14-150400.3.11.1
* haveged-1.9.14-150400.3.11.1
* haveged-devel-1.9.14-150400.3.11.1
* haveged-debuginfo-1.9.14-150400.3.11.1
* haveged-debugsource-1.9.14-150400.3.11.1
* SUSE Linux Enterprise Server 15 SP4 LTSS (aarch64 ppc64le s390x x86_64)
* libhavege2-1.9.14-150400.3.11.1
* libhavege2-debuginfo-1.9.14-150400.3.11.1
* haveged-1.9.14-150400.3.11.1
* haveged-devel-1.9.14-150400.3.11.1
* haveged-debuginfo-1.9.14-150400.3.11.1
* haveged-debugsource-1.9.14-150400.3.11.1
* SUSE Linux Enterprise Server 15 SP5 LTSS (aarch64 ppc64le s390x x86_64)
* libhavege2-1.9.14-150400.3.11.1
* libhavege2-debuginfo-1.9.14-150400.3.11.1
* haveged-1.9.14-150400.3.11.1
* haveged-devel-1.9.14-150400.3.11.1
* haveged-debuginfo-1.9.14-150400.3.11.1
* haveged-debugsource-1.9.14-150400.3.11.1
## References:
* https://www.suse.com/security/cve/CVE-2026-41054.html
* https://bugzilla.suse.com/show_bug.cgi?id=1264086
SUSE-SU-2026:2010-1: important: Security update for erlang26
# Security update for erlang26
Announcement ID: SUSE-SU-2026:2010-1
Release Date: 2026-05-19T11:56:06Z
Rating: important
References:
* bsc#1258663
* bsc#1259681
* bsc#1259682
* bsc#1259687
* bsc#1261728
* bsc#1262503
* jsc#PED-15166
Cross-References:
* CVE-2026-21620
* CVE-2026-23941
* CVE-2026-23942
* CVE-2026-23943
* CVE-2026-28808
* CVE-2026-32147
CVSS scores:
* CVE-2026-21620 ( SUSE ): 7.6 CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
* CVE-2026-21620 ( SUSE ): 8.1 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
* CVE-2026-21620 ( NVD ): 2.3 CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
* CVE-2026-23941 ( SUSE ): 6.3 CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
* CVE-2026-23941 ( SUSE ): 4.8 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
* CVE-2026-23941 ( NVD ): 7.0 CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
* CVE-2026-23942 ( SUSE ): 5.3 CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
* CVE-2026-23942 ( SUSE ): 5.4 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
* CVE-2026-23942 ( NVD ): 5.3 CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
* CVE-2026-23943 ( SUSE ): 6.9 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
* CVE-2026-23943 ( SUSE ): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
* CVE-2026-23943 ( NVD ): 6.9 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
* CVE-2026-28808 ( SUSE ): 9.1 CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
* CVE-2026-28808 ( SUSE ): 7.4 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
* CVE-2026-28808 ( NVD ): 8.3 CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
* CVE-2026-28808 ( NVD ): 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
* CVE-2026-32147 ( SUSE ): 5.3 CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
* CVE-2026-32147 ( SUSE ): 4.3 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
* CVE-2026-32147 ( NVD ): 5.3 CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Affected Products:
* openSUSE Leap 15.3
* Server Applications Module 15-SP7
* SUSE Linux Enterprise Real Time 15 SP7
* SUSE Linux Enterprise Server 15 SP6
* SUSE Linux Enterprise Server 15 SP6 LTSS
* SUSE Linux Enterprise Server 15 SP7
* SUSE Linux Enterprise Server for SAP Applications 15 SP6
* SUSE Linux Enterprise Server for SAP Applications 15 SP7
An update that solves six vulnerabilities and contains one feature can now be
installed.
## Description:
This update for erlang26 fixes the following issues:
Security issues:
* CVE-2026-21620: remote arbitrary read/write via TFTP relative path traversal
(bsc#1258663).
* CVE-2026-23941: HTTP Request Smuggling in Erlang OTP (bsc#1259687).
* CVE-2026-23942: path traversal vulnerability in Erlang OTP (bsc#1259681).
* CVE-2026-23943: denial of service due to improper handling of highly
compressed data in Erlang OTP ssh (bsc#1259682).
* CVE-2026-28808: incorrect authorization can lead to unauthenticated access
to protected CGI scripts (bsc#1261728).
* CVE-2026-32147: Improper Limitation of a Pathname to a Restricted Directory
('Path Traversal') in SFTP chroot (bsc#1262503).
Non security issue:
* Fixes for FIPS mode (jsc#PED-15166).
## Patch Instructions:
To install this SUSE update use the SUSE recommended installation methods like
YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
* openSUSE Leap 15.3
zypper in -t patch SUSE-2026-2010=1
* Server Applications Module 15-SP7
zypper in -t patch SUSE-SLE-Module-Server-Applications-15-SP7-2026-2010=1
* SUSE Linux Enterprise Server 15 SP6 LTSS
zypper in -t patch SUSE-SLE-Product-SLES-15-SP6-LTSS-2026-2010=1
* SUSE Linux Enterprise Server for SAP Applications 15 SP6
zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-SP6-2026-2010=1
## Package List:
* openSUSE Leap 15.3 (aarch64 ppc64le s390x x86_64 i586)
* erlang26-diameter-src-26.2.1-150300.7.25.1
* erlang26-et-src-26.2.1-150300.7.25.1
* erlang26-diameter-26.2.1-150300.7.25.1
* erlang26-observer-src-26.2.1-150300.7.25.1
* erlang26-debugger-src-26.2.1-150300.7.25.1
* erlang26-reltool-src-26.2.1-150300.7.25.1
* erlang26-dialyzer-debuginfo-26.2.1-150300.7.25.1
* erlang26-jinterface-src-26.2.1-150300.7.25.1
* erlang26-src-26.2.1-150300.7.25.1
* erlang26-dialyzer-26.2.1-150300.7.25.1
* erlang26-debugger-26.2.1-150300.7.25.1
* erlang26-et-26.2.1-150300.7.25.1
* erlang26-reltool-26.2.1-150300.7.25.1
* erlang26-dialyzer-src-26.2.1-150300.7.25.1
* erlang26-wx-debuginfo-26.2.1-150300.7.25.1
* erlang26-debuginfo-26.2.1-150300.7.25.1
* erlang26-debugsource-26.2.1-150300.7.25.1
* erlang26-doc-26.2.1-150300.7.25.1
* erlang26-epmd-debuginfo-26.2.1-150300.7.25.1
* erlang26-epmd-26.2.1-150300.7.25.1
* erlang26-jinterface-26.2.1-150300.7.25.1
* erlang26-26.2.1-150300.7.25.1
* erlang26-wx-26.2.1-150300.7.25.1
* erlang26-wx-src-26.2.1-150300.7.25.1
* erlang26-observer-26.2.1-150300.7.25.1
* Server Applications Module 15-SP7 (aarch64 ppc64le s390x x86_64)
* erlang26-26.2.1-150300.7.25.1
* erlang26-epmd-26.2.1-150300.7.25.1
* erlang26-debuginfo-26.2.1-150300.7.25.1
* erlang26-debugsource-26.2.1-150300.7.25.1
* erlang26-epmd-debuginfo-26.2.1-150300.7.25.1
* SUSE Linux Enterprise Server 15 SP6 LTSS (aarch64 ppc64le s390x x86_64)
* erlang26-26.2.1-150300.7.25.1
* erlang26-epmd-26.2.1-150300.7.25.1
* erlang26-debuginfo-26.2.1-150300.7.25.1
* erlang26-debugsource-26.2.1-150300.7.25.1
* erlang26-epmd-debuginfo-26.2.1-150300.7.25.1
* SUSE Linux Enterprise Server for SAP Applications 15 SP6 (ppc64le x86_64)
* erlang26-26.2.1-150300.7.25.1
* erlang26-epmd-26.2.1-150300.7.25.1
* erlang26-debuginfo-26.2.1-150300.7.25.1
* erlang26-debugsource-26.2.1-150300.7.25.1
* erlang26-epmd-debuginfo-26.2.1-150300.7.25.1
## References:
* https://www.suse.com/security/cve/CVE-2026-21620.html
* https://www.suse.com/security/cve/CVE-2026-23941.html
* https://www.suse.com/security/cve/CVE-2026-23942.html
* https://www.suse.com/security/cve/CVE-2026-23943.html
* https://www.suse.com/security/cve/CVE-2026-28808.html
* https://www.suse.com/security/cve/CVE-2026-32147.html
* https://bugzilla.suse.com/show_bug.cgi?id=1258663
* https://bugzilla.suse.com/show_bug.cgi?id=1259681
* https://bugzilla.suse.com/show_bug.cgi?id=1259682
* https://bugzilla.suse.com/show_bug.cgi?id=1259687
* https://bugzilla.suse.com/show_bug.cgi?id=1261728
* https://bugzilla.suse.com/show_bug.cgi?id=1262503
* https://jira.suse.com/browse/PED-15166
SUSE-SU-2026:2009-1: important: Security update for haveged
# Security update for haveged
Announcement ID: SUSE-SU-2026:2009-1
Release Date: 2026-05-19T11:55:29Z
Rating: important
References:
* bsc#1264086
Cross-References:
* CVE-2026-41054
CVSS scores:
* CVE-2026-41054 ( SUSE ): 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Affected Products:
* Basesystem Module 15-SP7
* openSUSE Leap 15.6
* SUSE Linux Enterprise Desktop 15 SP7
* SUSE Linux Enterprise Real Time 15 SP7
* SUSE Linux Enterprise Server 15 SP6
* SUSE Linux Enterprise Server 15 SP6 LTSS
* SUSE Linux Enterprise Server 15 SP7
* SUSE Linux Enterprise Server for SAP Applications 15 SP6
* SUSE Linux Enterprise Server for SAP Applications 15 SP7
An update that solves one vulnerability can now be installed.
## Description:
This update for haveged fixes the following issue:
* CVE-2026-41054: missing exit out of permission check could lead to root
exploit (bsc#1264086).
Changes for haveged:
* Improvements on the linux kernel random subsystem have made move forward to
socket communication within private network
* Fix "stop" of service, the daemon in foreground actually see daemon(7) for
the rationale. Only "simple" (default) and the help of udev, as starting
services while starved of entropy
* Add ppc64le support
* update to 1.8
* Correct additional run-time test alignment problems on mips.
* haveged 1.7a
* Correct VPATH issues and modify check target to support parallel builds and
changes in automake 1.13 test harness.
* Remove all sysvinit compatibility.
* fix powerpc detection
* Current version does support ARM, remove the ExcludeArch need network and
can use PrivateNetwork=yes
* Add online tests based on AIS-31
* Fix install target, move to bin and eliminate script if not daemon, now use
sysv and systemd templates
* use -F with no arguments in haveged.service
* build with -fpie
* Use Service type "simple" in systemd unit
* fix build on ia64, s390, s390x
* fix ppc64 build present in old versions have been fixed in different ways.
* run spec cleaner
* Link with full RELRO (-Wl,-z,relro,-z,now)
* add systemd support
* Drop as many capabilities as possible using libcap-ng
* I meant Enhances not Supplements
* Implement hack to start by default only in VMs
* use O_CLOEXEC on fds
* add proper Requires(pre)
* add a SUSE standard init script
## Patch Instructions:
To install this SUSE update use the SUSE recommended installation methods like
YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
* openSUSE Leap 15.6
zypper in -t patch SUSE-2026-2009=1
* Basesystem Module 15-SP7
zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP7-2026-2009=1
* SUSE Linux Enterprise Server 15 SP6 LTSS
zypper in -t patch SUSE-SLE-Product-SLES-15-SP6-LTSS-2026-2009=1
* SUSE Linux Enterprise Server for SAP Applications 15 SP6
zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-SP6-2026-2009=1
## Package List:
* openSUSE Leap 15.6 (aarch64 ppc64le s390x x86_64 i586)
* haveged-debugsource-1.9.14-150600.11.6.1
* libhavege2-1.9.14-150600.11.6.1
* libhavege2-debuginfo-1.9.14-150600.11.6.1
* haveged-devel-1.9.14-150600.11.6.1
* haveged-1.9.14-150600.11.6.1
* haveged-debuginfo-1.9.14-150600.11.6.1
* Basesystem Module 15-SP7 (aarch64 ppc64le s390x x86_64)
* haveged-debugsource-1.9.14-150600.11.6.1
* libhavege2-1.9.14-150600.11.6.1
* libhavege2-debuginfo-1.9.14-150600.11.6.1
* haveged-devel-1.9.14-150600.11.6.1
* haveged-1.9.14-150600.11.6.1
* haveged-debuginfo-1.9.14-150600.11.6.1
* SUSE Linux Enterprise Server 15 SP6 LTSS (aarch64 ppc64le s390x x86_64)
* haveged-debugsource-1.9.14-150600.11.6.1
* libhavege2-1.9.14-150600.11.6.1
* libhavege2-debuginfo-1.9.14-150600.11.6.1
* haveged-devel-1.9.14-150600.11.6.1
* haveged-1.9.14-150600.11.6.1
* haveged-debuginfo-1.9.14-150600.11.6.1
* SUSE Linux Enterprise Server for SAP Applications 15 SP6 (ppc64le x86_64)
* haveged-debugsource-1.9.14-150600.11.6.1
* libhavege2-1.9.14-150600.11.6.1
* libhavege2-debuginfo-1.9.14-150600.11.6.1
* haveged-devel-1.9.14-150600.11.6.1
* haveged-1.9.14-150600.11.6.1
* haveged-debuginfo-1.9.14-150600.11.6.1
## References:
* https://www.suse.com/security/cve/CVE-2026-41054.html
* https://bugzilla.suse.com/show_bug.cgi?id=1264086
openSUSE-SU-2026:0171-1: important: Security update for git-bug
openSUSE Security Update: Security update for git-bug
_______________________________
Announcement ID: openSUSE-SU-2026:0171-1
Rating: important
References: #1253506 #1253930 #1254084 #1264955 #1265416
Cross-References: CVE-2025-47913 CVE-2025-47914 CVE-2025-58181
CVE-2026-1229 CVE-2026-41506
CVSS scores:
CVE-2025-47913 (SUSE): 8.7 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
CVE-2025-47914 (SUSE): 6.9 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
CVE-2025-58181 (SUSE): 6.9 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
CVE-2026-1229 (SUSE): 8.3 CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:H/VA:L/SC:N/SI:N/SA:N
CVE-2026-41506 (SUSE): 7.1 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
Affected Products:
openSUSE Backports SLE-15-SP7
_______________________________
An update that fixes 5 vulnerabilities is now available.
Description:
This update for git-bug fixes the following issues:
- Fix CVE-2026-1229 and CVE-2026-41506
- CVE-2026-1229: CIRCL has an incorrect calculation in secp384r1
CombinedMult (boo#1265416, GO-2026-4550) update
github.com/cloudflare/circl to v1.6.3
- CVE-2026-41506: HTTP authentication credential leak when following
redirects during smart-HTTP clone and fetch
operations (boo#1264955, GO-2026-4910), update
github.com/go-git/go-git/v5 to v5.17.1
- Revendor to include fixed version of depending libraries:
- GO-2025-4116 (CVE-2025-47913, boo#1253506) upgrade golang.org/x/crypto
to v0.43.0
- GO-2025-3900 (GHSA-2464-8j7c-4cjm) upgrade
github.com/go-viper/mapstructure/v2 to v2.4.0
- GO-2025-3787 (GHSA-fv92-fjc5-jj9h) included in the previous
- GO-2025-3754 (GHSA-2x5j-vhc8-9cwm) upgrade github.com/cloudflare/circl
to v1.6.1
- GO-2025-4134 (CVE-2025-58181, boo#1253930) upgrade
golang.org/x/crypto/ssh to v0.45.0
- GO-2025-4135 (CVE-2025-47914, boo#1254084) upgrade
golang.org/x/crypto/ssh/agent to v0.45.0
Patch Instructions:
To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
- openSUSE Backports SLE-15-SP7:
zypper in -t patch openSUSE-2026-171=1
Package List:
- openSUSE Backports SLE-15-SP7 (aarch64 i586 ppc64le s390x x86_64):
git-bug-0.10.1-bp157.2.6.1
- openSUSE Backports SLE-15-SP7 (noarch):
git-bug-bash-completion-0.10.1-bp157.2.6.1
git-bug-fish-completion-0.10.1-bp157.2.6.1
git-bug-zsh-completion-0.10.1-bp157.2.6.1
References:
https://www.suse.com/security/cve/CVE-2025-47913.html
https://www.suse.com/security/cve/CVE-2025-47914.html
https://www.suse.com/security/cve/CVE-2025-58181.html
https://www.suse.com/security/cve/CVE-2026-1229.html
https://www.suse.com/security/cve/CVE-2026-41506.html
https://bugzilla.suse.com/1253506
https://bugzilla.suse.com/1253930
https://bugzilla.suse.com/1254084
https://bugzilla.suse.com/1264955
https://bugzilla.suse.com/1265416
openSUSE-SU-2026:0170-1: important: Security update for perl-CryptX
openSUSE Security Update: Security update for perl-CryptX
_______________________________
Announcement ID: openSUSE-SU-2026:0170-1
Rating: important
References: #1244472 #1262697
Cross-References: CVE-2025-40914 CVE-2026-41564
Affected Products:
openSUSE Backports SLE-15-SP7
_______________________________
An update that fixes two vulnerabilities is now available.
Description:
This update for perl-CryptX fixes the following issues:
- updated to 0.89.0 (0.089) 0.089 2026-05-10
- new: Crypt::ASN1
- new: Crypt::AuthEnc::SIV
- new: Crypt::AuthEnc::XChaCha20Poly1305
- new: Crypt::Cipher::SM4
- new: Crypt::Digest::TurboSHAKE
- new: Crypt::Digest::KangarooTwelve
- new: Crypt::PK::Ed448
- new: Crypt::PK::X448
- new: Crypt::Stream::XChaCha
- new: Crypt::Stream::XSalsa20
- Crypt::PK::Ed25519 - new functions: sign_message_ctx,
verify_message_ctx, sign_message_ph, verify_message_ph
- Crypt::Digest: object digest accessors now finalize the
object; use reset() before reuse
- Crypt::Mac + Crypt::AuthEnc: finalized-object lifecycle is now
enforced consistently
- security/hardening fixes across
Digest/Mac/AuthEnc/Mode/Stream/PK/PRNG
- fixes related to wycheproof test suite
- documentation cleanup & improvements
- support for RFC 8702 RSA-PSS-SHAKE128/256 and
ECDSA-SHAKE128/256
- support for FRP256v1 elliptic-curve
- bundled libtomcrypt update branch:develop (commit: 8b5af49b
2026-05-06) 0.088 2026-04-23
- Crypt::KeyDerivation - new functions: pbkdf1_openssl,
bcrypt_pbkdf, scrypt_pbkdf, argon2_pbkdf
- Crypt::Misc - new functions: random_v7uuid, is_uuid
- bundled libtomcrypt update branch:develop (commit: 2e441a17
2026-04-15)
- bundled libtommath update branch:develop (commit: ae40a87
2026-04-20)
- security fix CVE-2026-41564
https://github.com/DCIT/perl-CryptX/security/advisories/GHSA-24c2-gp6c-24c6
(boo#1262697)
- updated to 0.87.0 (0.087) 0.087 2025-06-11
- bundled libtomcrypt update branch:develop (commit: d448df1
2025-05-06)
- bundled libtommath update branch:develop (commit: 839ae9e
2025-06-11)
- fix #120 Create SECURITY.md
- fix #121 Failures on ARM after upgrading libtommath
- security fix CVE-2025-40914
https://github.com/DCIT/perl-CryptX/security/advisories/GHSA-6fh3-7qjq-8v22
(boo#1244472)
- updated to 0.86.0 (0.086) 0.086 2025-05-02
- fix #118 Syncing with recent Math-BigInt
- bundled libtomcrypt update branch:develop (commit:3905c289
2025-04-23)
- updated to 0.85.0 (0.085) 0.085 2025-02-08
- fix #114 #113 #112 (improved detection of Apple+x86_64 / AESNI)
- fix #115 Crypt::PRNG - fix typo and specify ChaCha20 is the
default
- updated to 0.84.0 (0.084) 0.084 2024-10-16
- libtommath: fix cpantesters crash on freebsd/i386
- updated ppport.h 0.083 2024-10-15
- fix #110 regression: 0.081 fails to parse PEMs that 0.080
parsed fine
- bundled libtomcrypt update branch:develop (commit:cbb01b37
2024-10-14) 0.082 2024-10-07
- fix #111 libcryptx-perl: t/sshkey.t fails on some architectures
- CHANGE: Crypt::Cipher::Blowfish max key size increased to 72
bytes
- bundled libtomcrypt update branch:develop (commit:29af8922
2024-10-07) 0.081 2024-09-08
- fix #107 Drop -msse4.1 -maes for libtomcrypt
- fix #105 Several functions in CryptX::AuthEnc deal weirdly
with non-simple-string plaintext
- fix #104 Add ethereum format signature
- fix #103 Use standard __asm__ blocks instead of asm
- fix #99 ltc: fix aesni flag handling
- fix #87 Add possibility to use different hash algorithms in
RSAES-OAEP
- BIG CHANGE switch to PEM/SSH key loading via libtomcrypt
- bundled libtomcrypt update branch:develop (commit:ce904c86
2024-09-02)
Patch Instructions:
To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
- openSUSE Backports SLE-15-SP7:
zypper in -t patch openSUSE-2026-170=1
Package List:
- openSUSE Backports SLE-15-SP7 (aarch64 i586 ppc64le s390x x86_64):
perl-CryptX-0.89.0-bp157.2.3.1
References:
https://www.suse.com/security/cve/CVE-2025-40914.html
https://www.suse.com/security/cve/CVE-2026-41564.html
https://bugzilla.suse.com/1244472
https://bugzilla.suse.com/1262697