openSUSE-SU-2026:21230-1: important: Security update for keybase-client
openSUSE-SU-2026:21231-1: important: Security update for python-pydata-sphinx-theme
openSUSE-SU-2026:21228-1: moderate: Security update for glibc
openSUSE-SU-2026:21225-1: important: Security update for rmt-server
openSUSE-SU-2026:21222-1: important: Security update for systemd
openSUSE-SU-2026:21230-1: important: Security update for keybase-client
openSUSE security update: security update for keybase-client
-------------------------------------------------------------
Announcement ID: openSUSE-SU-2026:21230-1
Rating: important
References:
* bsc#1269600
Cross-References:
* CVE-2026-46604
CVSS scores:
* CVE-2026-46604 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Affected Products:
openSUSE Leap 16.0
-------------------------------------------------------------
An update that solves one vulnerability and has one bug fix can now be installed.
Description:
This update for keybase-client fixes the following issues:
Changes in keybase-client:
- CVE-2026-46604: TIFF decoder can panic when decoding an invalid
image with an out-of-bounds strip offset (bsc#1269600)
- Update to version 6.6.3
* Various bug fixes
Patch instructions:
To install this openSUSE security update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
- openSUSE Leap 16.0
zypper in -t patch openSUSE-Leap-16.0-packagehub-387=1
Package List:
- openSUSE Leap 16.0:
kbfs-6.6.3-bp160.1.1
kbfs-git-6.6.3-bp160.1.1
kbfs-tool-6.6.3-bp160.1.1
keybase-client-6.6.3-bp160.1.1
References:
* https://www.suse.com/security/cve/CVE-2026-46604.html
openSUSE-SU-2026:21231-1: important: Security update for python-pydata-sphinx-theme
openSUSE security update: security update for python-pydata-sphinx-theme
-------------------------------------------------------------
Announcement ID: openSUSE-SU-2026:21231-1
Rating: important
References:
* bsc#1269597
Cross-References:
* CVE-2026-13676
CVSS scores:
* CVE-2026-13676 ( SUSE ): 7.2 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
* CVE-2026-13676 ( SUSE ): 6.9 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N
Affected Products:
openSUSE Leap 16.0
-------------------------------------------------------------
An update that solves one vulnerability and has one bug fix can now be installed.
Description:
This update for python-pydata-sphinx-theme fixes the following issues:
Changes in python-pydata-sphinx-theme:
- CVE-2026-13676: fast-uri: failure to canonicalize Unicode/IDN
hostnames for HTTP-family URLs allows for bypass (bsc#1269597)
* revendor the vendored tarball with updated versions
Patch instructions:
To install this openSUSE security update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
- openSUSE Leap 16.0
zypper in -t patch openSUSE-Leap-16.0-packagehub-388=1
Package List:
- openSUSE Leap 16.0:
python313-pydata-sphinx-theme-0.16.1-bp160.3.1
References:
* https://www.suse.com/security/cve/CVE-2026-13676.html
openSUSE-SU-2026:21228-1: moderate: Security update for glibc
openSUSE security update: security update for glibc
-------------------------------------------------------------
Announcement ID: openSUSE-SU-2026:21228-1
Rating: moderate
References:
* bsc#1263656
* bsc#1263658
Cross-References:
* CVE-2026-5435
* CVE-2026-6238
CVSS scores:
* CVE-2026-5435 ( SUSE ): 5.3 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
* CVE-2026-5435 ( SUSE ): 4.8 CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N
* CVE-2026-6238 ( SUSE ): 5.3 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
* CVE-2026-6238 ( SUSE ): 4.8 CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N
Affected Products:
openSUSE Leap 16.0
-------------------------------------------------------------
An update that solves 2 vulnerabilities and has 2 bug fixes can now be installed.
Description:
This update for glibc fixes the following issues:
- CVE-2026-5435: unchecked buffer writing in TSIG handling can lead to an out-of-bounds write (bsc#1263656).
- CVE-2026-6238: insufficient RDATA length validation can lead to application crashes or uninitialized memory disclosure
(bsc#1263658).
Patch instructions:
To install this openSUSE security update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
- openSUSE Leap 16.0
zypper in -t patch openSUSE-Leap-16.0-1157=1
Package List:
- openSUSE Leap 16.0:
cross-aarch64-glibc-devel-2.40-160000.6.1
cross-ppc64le-glibc-devel-2.40-160000.6.1
cross-riscv64-glibc-devel-2.40-160000.6.1
cross-s390x-glibc-devel-2.40-160000.6.1
glibc-2.40-160000.6.1
glibc-devel-2.40-160000.6.1
glibc-devel-static-2.40-160000.6.1
glibc-extra-2.40-160000.6.1
glibc-gconv-modules-extra-2.40-160000.6.1
glibc-html-2.40-160000.6.1
glibc-i18ndata-2.40-160000.6.1
glibc-info-2.40-160000.6.1
glibc-lang-2.40-160000.6.1
glibc-locale-2.40-160000.6.1
glibc-locale-base-2.40-160000.6.1
glibc-profile-2.40-160000.6.1
glibc-utils-2.40-160000.6.1
References:
* https://www.suse.com/security/cve/CVE-2026-5435.html
* https://www.suse.com/security/cve/CVE-2026-6238.html
openSUSE-SU-2026:21225-1: important: Security update for rmt-server
openSUSE security update: security update for rmt-server
-------------------------------------------------------------
Announcement ID: openSUSE-SU-2026:21225-1
Rating: important
References:
* bsc#1246976
* bsc#1248510
* bsc#1248869
* bsc#1251937
* bsc#1253146
* bsc#1253147
* bsc#1253953
* bsc#1256826
* bsc#1256883
* bsc#1257133
* bsc#1265369
Cross-References:
* CVE-2026-42256
CVSS scores:
* CVE-2026-42256 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
* CVE-2026-42256 ( SUSE ): 8.7 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
Affected Products:
openSUSE Leap 16.0
-------------------------------------------------------------
An update that solves one vulnerability and has 11 bug fixes can now be installed.
Description:
This update for rmt-server fixes the following issue:
Update to 3.0.0:
- CVE-2026-42256: net-imap: hostile server can perform a DoS on client authenticating a connection with SCRAM-SHA1 or
SCRAM-SHA2 (bsc#1265369).
Changes for rmt-server:
- Version 3.0.0
* Security fix: Remove unused ActionMailer/ActionMailbox components to
eliminate CVE-2026-42256 (bsc#1265369)
* Split Rails meta-gem into individual components for better security control
- Version 2.26
* Add support for processing, storing, and syncing system profiles (jsc#TEL-265)
- Version 2.25
* fix rmt-cli list and purge commands for large data (bsc#1253146 and bsc#1253147)
* Fix mirroring of SLE16 NVIDIA-GPU-Compute-Toolkit-CUDA repo (bsc#1256826)
* Support for new redirect_repo_hosts config, to exclude some repo hosts
from mirroring, and send clients directly there (jsc#SCC-452)
* rmt-server-pubcloud
* Clearer error message (bsc#1256883)
* Handle zypper response when data exporter raises an error (bsc#1257133)
* Add Valkey + Sidekiq for async processing
* Enable mirroring xz compressed repositories (bsc#1246976)
* Rack 2.2.20 security update (bsc#1253953, bsc#1251937)
* Drop some de-published products from RMT
* Include Live-Patching for SLES 15.X (jsc#PCT-630)
* Handle only one data exporter (bsc#1248869)
* Do not decode instance data from db to access registry (bsc#1248510)
* Handle instance verification exceptions
Patch instructions:
To install this openSUSE security update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
- openSUSE Leap 16.0
zypper in -t patch openSUSE-Leap-16.0-1154=1
Package List:
- openSUSE Leap 16.0:
ansible-rmt-server-3.0.0-160000.1.1
rmt-server-3.0.0-160000.1.1
rmt-server-config-3.0.0-160000.1.1
rmt-server-pubcloud-3.0.0-160000.1.1
References:
* https://www.suse.com/security/cve/CVE-2026-42256.html
openSUSE-SU-2026:21222-1: important: Security update for systemd
openSUSE security update: security update for systemd
-------------------------------------------------------------
Announcement ID: openSUSE-SU-2026:21222-1
Rating: important
References:
* bsc#1245551
* bsc#1248261
* bsc#1251948
* bsc#1254924
* bsc#1259071
* bsc#1260357
* bsc#1261982
* bsc#1261983
* bsc#1262305
* bsc#1263117
* bsc#1267644
* bsc#1267647
Affected Products:
openSUSE Leap 16.0
-------------------------------------------------------------
An update that has 12 bug fixes can now be installed.
Description:
This update for systemd fixes the following issues:
Changes in systemd:
- Better handle TLS allocation failure (bsc#1254924).
- Disable mounting `debugfs` by default (jsc#PED-8812).
- Import commit 9e8b5afe0fb2061f4a17a3022469dd62f2683960 (bsc#1267647 bsc#1267644 bsc#1262305 bsc#1263117).
- Move `systemd-pcrlock` out from the experimental sub-package to `udev` (bsc#1248261 jsc#PED-15946).
- Add a weak runtime dependency on `libtss2-tcti-device0` (bsc#1260357).
- Import commit 59336000ef7850eba0963c6a690ff3371c425929 (bsc#1261982 bsc#1261983).
- Add a weak runtime dependency on `polkit` (bsc#1259071).
- systemd-update-helper: fix the clean-state command only removing `$STATE_DIR/system` instead of `$STATE_DIR/`.
- systemd-update-helper: add `--root` option for testing convenience.
- systemd-update-helper: fix incorrect skipping of `systemctl disable` during package removal (bsc#1245551).
- systemd-update-helper: fix `do_install_units()` incorrectly returning 1 when no units need preset.
- systemd.spec: introduce `%bcond_without` docs to allow skipping man pages and `devel-doc`.
- systemd.spec: drop the `%{release}` number from the SBAT version (bsc#1251948).
Patch instructions:
To install this openSUSE security update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
- openSUSE Leap 16.0
zypper in -t patch openSUSE-Leap-16.0-1151=1
Package List:
- openSUSE Leap 16.0:
libsystemd0-257.13-160000.2.1
libudev1-257.13-160000.2.1
systemd-257.13-160000.2.1
systemd-boot-257.13-160000.2.1
systemd-container-257.13-160000.2.1
systemd-devel-257.13-160000.2.1
systemd-doc-257.13-160000.2.1
systemd-experimental-257.13-160000.2.1
systemd-homed-257.13-160000.2.1
systemd-journal-remote-257.13-160000.2.1
systemd-lang-257.13-160000.2.1
systemd-mini-experimental-257.13-160000.2.1
systemd-networkd-257.13-160000.2.1
systemd-portable-257.13-160000.2.1
systemd-resolved-257.13-160000.2.1
systemd-testsuite-257.13-160000.2.1
udev-257.13-160000.2.1