SUSE 5624 Published by

openSUSE has released a series of moderate-severity security updates covering several key packages across its Tumbleweed and Backports distributions. These patches address dozens of vulnerabilities in widely used software such as kubo, chromedriver, bouncycastle, Pillow, Django, and Jetty. Each announcement lists the specific CVE identifiers, along with installation commands that system administrators can use to apply the fixes quickly. Users should prioritize these updates to prevent potential exploitation of the newly disclosed flaws.

openSUSE-SU-2026:0135-1: moderate: Security update for kubo
openSUSE-SU-2026:10577-1: moderate: skopeo-1.22.1-1.1 on GA media
openSUSE-SU-2026:10578-1: moderate: tempo-cli-2.10.4-1.1 on GA media
openSUSE-SU-2026:10575-1: moderate: python311-Pillow-12.2.0-2.1 on GA media
openSUSE-SU-2026:10573-1: moderate: cpp-httplib-devel-0.42.0-1.1 on GA media
openSUSE-SU-2026:10571-1: moderate: bouncycastle-1.84-1.1 on GA media
openSUSE-SU-2026:10570-1: moderate: aardvark-dns-1.17.1-1.1 on GA media
openSUSE-SU-2026:10576-1: moderate: python311-jwcrypto-1.5.7-2.1 on GA media
openSUSE-SU-2026:10572-1: moderate: chromedriver-147.0.7727.101-1.1 on GA media
openSUSE-SU-2026:10574-1: moderate: jetty-annotations-9.4.58-4.1 on GA media
openSUSE-SU-2026:0138-1: moderate: Security update for python-djangorestframework, python-Django




openSUSE-SU-2026:0135-1: moderate: Security update for kubo


openSUSE Security Update: Security update for kubo
_______________________________

Announcement ID: openSUSE-SU-2026:0135-1
Rating: moderate
References: #1241776 #1251419 #1251613 #1253857 #1261818

Cross-References: CVE-2025-22872 CVE-2025-47911 CVE-2025-58181 CVE-2025-58190 CVE-2026-35480
CVSS scores:
CVE-2025-22872 (SUSE): 6.3 CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:L/SC:L/SI:L/SA:L
CVE-2025-47911 (SUSE): 6.9 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
CVE-2025-58181 (SUSE): 6.9 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
CVE-2025-58190 (SUSE): 6.9 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
CVE-2026-35480 (SUSE): 6.9 CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Affected Products:
openSUSE Backports SLE-15-SP7
_______________________________

An update that fixes 5 vulnerabilities is now available.

Description:

This update for kubo fixes the following issues:

- Update to 0.40.1
* IPIP-499: UnixFS CID Profiles
* Automatic cleanup of interrupted imports
* Light clients can now use your node for delegated routing
* See total size when pinning
* IPIP-523: ?format= takes precedence over Accept header
* IPIP-524: Gateway codec conversion disabled by default
* More reliable IPNS over PubSub
* New ipfs diag datastore commands
* New ipfs swarm addrs autonat command
* Improved ipfs p2p tunnels with foreground mode
* Friendlier ipfs dag stat output
* ipfs key improvements
* More reliable content providing after startup
* No unnecessary DNS lookups for AutoTLS addresses
* Configurable gateway request duration limit
* Recovery from corrupted MFS root
* RPC Content-Type headers for binary responses
* New ipfs name get|put commands
* Long listing format for ipfs ls
* WebUI Improvements
* Fixed Prometheus metrics bloat on popular subdomain gateways
* libp2p announces all interface addresses
* Badger v1 datastore slated for removal this year
* Go 1.26
* Dependency updates
- github.com/ipld/go-ipld-prime v0.22.0 (boo#1261818, CVE-2026-35480)

- Update to 0.39.0
* Made DHT Sweep provider the default
* Fast root CID providing for immediate content discovery
* Persist provider state across restarts
* Detailed statistics with ipfs provide stat
* Add warnings about slow reprovide
* Rename: provider_provides_total
* Automatic UPnP recovery after router restarts
* No longer publish deprecated go-ipfs name
* Limit for gateway range request for CDN compatibility
- golang.org/x/net v0.47.0 (boo#1251613, CVE-2025-58190, boo#1251419, CVE-2025-47911)
- golang.org/x/crypto v0.45.0 (boo#1253857, CVE-2025-58181)
- Update to 0.38.0
* Repository migration: simplified provide configuration
* Add Experimental Sweeping DHT Provider
* Expose DHT metrics
* Improve gateway error pages with diagnostic tools
* Update WebUI
* Pin name improvements
* Enforce identity CID size and ipfs files write fixes
* Provide Filestore and Urlstore blocks on write
* Limit MFS operation for --flush=false

- Bump golang build requirement to 1.25
- Update to 0.37.0:
* Anonymous telemetry for better feature prioritization
* Repository migration from v16 to v17 with embedded tooling
* Gateway concurrent request limits and retrieval timeouts
* AutoConf: Complete control over network defaults
* Clear provide queue when reprovide strategy changes
* Revamped ipfs log level command
* Named pins in ipfs add command
* New IPNS publishing options
* Custom sequence numbers in ipfs name publish
* Reprovider.Strategy is now consistently respected
* Reprovider.Strategy=all: improved memory efficiency
* Removed unnecessary dependencies
* Improved ipfs cid
* Deprecated ipfs stats reprovide
* AutoRelay now uses all connected peers for relay discovery
* Full changelog at https://github.com/ipfs/kubo/releases/tag/v0.37.0

- Update to 0.36.0:
* Full changelog at https://github.com/ipfs/kubo/releases/tag/v0.36.0
* HTTP Retrieval Client Now Enabled by Default
* Bitswap Broadcast Reduction
* Update go-log to v2
* Kubo now uses AutoNATv2 as a client
* Overwrite option for files cp command
* Gateway now supports negative HTTP Range requests
* Option for filestore command to remove bad blocks
* ConnMgr.SilencePeriod configuration setting exposed
* Fix handling of EDITOR env var
* Dependency updates

Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- openSUSE Backports SLE-15-SP7:

zypper in -t patch openSUSE-2026-135=1

Package List:

- openSUSE Backports SLE-15-SP7 (aarch64 i586 ppc64le s390x x86_64):

kubo-0.40.1-bp157.2.9.1

References:

https://www.suse.com/security/cve/CVE-2025-22872.html
https://www.suse.com/security/cve/CVE-2025-47911.html
https://www.suse.com/security/cve/CVE-2025-58181.html
https://www.suse.com/security/cve/CVE-2025-58190.html
https://www.suse.com/security/cve/CVE-2026-35480.html
https://bugzilla.suse.com/1241776
https://bugzilla.suse.com/1251419
https://bugzilla.suse.com/1251613
https://bugzilla.suse.com/1253857
https://bugzilla.suse.com/1261818



openSUSE-SU-2026:10577-1: moderate: skopeo-1.22.1-1.1 on GA media


# skopeo-1.22.1-1.1 on GA media

Announcement ID: openSUSE-SU-2026:10577-1
Rating: moderate

Cross-References:

* CVE-2026-34986

Affected Products:

* openSUSE Tumbleweed

An update that solves one vulnerability can now be installed.

## Description:

These are all security issues fixed in the skopeo-1.22.1-1.1 package on the GA media of openSUSE Tumbleweed.

## Package List:

* openSUSE Tumbleweed:
* skopeo 1.22.1-1.1
* skopeo-bash-completion 1.22.1-1.1
* skopeo-fish-completion 1.22.1-1.1
* skopeo-zsh-completion 1.22.1-1.1

## References:

* https://www.suse.com/security/cve/CVE-2026-34986.html



openSUSE-SU-2026:10578-1: moderate: tempo-cli-2.10.4-1.1 on GA media


# tempo-cli-2.10.4-1.1 on GA media

Announcement ID: openSUSE-SU-2026:10578-1
Rating: moderate

Cross-References:

* CVE-2026-25679

CVSS scores:

* CVE-2026-25679 ( SUSE ): 3.3 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
* CVE-2026-25679 ( SUSE ): 4.6 CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

Affected Products:

* openSUSE Tumbleweed

An update that solves one vulnerability can now be installed.

## Description:

These are all security issues fixed in the tempo-cli-2.10.4-1.1 package on the GA media of openSUSE Tumbleweed.

## Package List:

* openSUSE Tumbleweed:
* tempo-cli 2.10.4-1.1

## References:

* https://www.suse.com/security/cve/CVE-2026-25679.html



openSUSE-SU-2026:10575-1: moderate: python311-Pillow-12.2.0-2.1 on GA media


# python311-Pillow-12.2.0-2.1 on GA media

Announcement ID: openSUSE-SU-2026:10575-1
Rating: moderate

Cross-References:

* CVE-2026-40192

CVSS scores:

* CVE-2026-40192 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
* CVE-2026-40192 ( SUSE ): 8.7 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Affected Products:

* openSUSE Tumbleweed

An update that solves one vulnerability can now be installed.

## Description:

These are all security issues fixed in the python311-Pillow-12.2.0-2.1 package on the GA media of openSUSE Tumbleweed.

## Package List:

* openSUSE Tumbleweed:
* python311-Pillow 12.2.0-2.1
* python311-Pillow-tk 12.2.0-2.1
* python313-Pillow 12.2.0-2.1
* python313-Pillow-tk 12.2.0-2.1
* python314-Pillow 12.2.0-2.1
* python314-Pillow-tk 12.2.0-2.1

## References:

* https://www.suse.com/security/cve/CVE-2026-40192.html



openSUSE-SU-2026:10573-1: moderate: cpp-httplib-devel-0.42.0-1.1 on GA media


# cpp-httplib-devel-0.42.0-1.1 on GA media

Announcement ID: openSUSE-SU-2026:10573-1
Rating: moderate

Cross-References:

* CVE-2026-33745
* CVE-2026-34441

CVSS scores:

* CVE-2026-33745 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
* CVE-2026-33745 ( SUSE ): 8.7 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
* CVE-2026-34441 ( SUSE ): 4.8 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
* CVE-2026-34441 ( SUSE ): 6.3 CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

Affected Products:

* openSUSE Tumbleweed

An update that solves 2 vulnerabilities can now be installed.

## Description:

These are all security issues fixed in the cpp-httplib-devel-0.42.0-1.1 package on the GA media of openSUSE Tumbleweed.

## Package List:

* openSUSE Tumbleweed:
* cpp-httplib-devel 0.42.0-1.1
* libcpp-httplib0_42 0.42.0-1.1

## References:

* https://www.suse.com/security/cve/CVE-2026-33745.html
* https://www.suse.com/security/cve/CVE-2026-34441.html



openSUSE-SU-2026:10571-1: moderate: bouncycastle-1.84-1.1 on GA media


# bouncycastle-1.84-1.1 on GA media

Announcement ID: openSUSE-SU-2026:10571-1
Rating: moderate

Cross-References:

* CVE-2025-14813
* CVE-2026-0636
* CVE-2026-3505
* CVE-2026-5588
* CVE-2026-5598

CVSS scores:

* CVE-2025-14813 ( SUSE ): 8.6 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L
* CVE-2025-14813 ( SUSE ): 8.3 CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:L/VA:L/SC:N/SI:N/SA:N
* CVE-2026-0636 ( SUSE ): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
* CVE-2026-0636 ( SUSE ): 6.3 CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
* CVE-2026-3505 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
* CVE-2026-3505 ( SUSE ): 8.7 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
* CVE-2026-5588 ( SUSE ): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
* CVE-2026-5588 ( SUSE ): 6.3 CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
* CVE-2026-5598 ( SUSE ): 8.6 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L
* CVE-2026-5598 ( SUSE ): 8.8 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:L/SC:N/SI:N/SA:N

Affected Products:

* openSUSE Tumbleweed

An update that solves 5 vulnerabilities can now be installed.

## Description:

These are all security issues fixed in the bouncycastle-1.84-1.1 package on the GA media of openSUSE Tumbleweed.

## Package List:

* openSUSE Tumbleweed:
* bouncycastle 1.84-1.1
* bouncycastle-javadoc 1.84-1.1
* bouncycastle-jmail 1.84-1.1
* bouncycastle-mail 1.84-1.1
* bouncycastle-pg 1.84-1.1
* bouncycastle-pkix 1.84-1.1
* bouncycastle-tls 1.84-1.1
* bouncycastle-util 1.84-1.1

## References:

* https://www.suse.com/security/cve/CVE-2025-14813.html
* https://www.suse.com/security/cve/CVE-2026-0636.html
* https://www.suse.com/security/cve/CVE-2026-3505.html
* https://www.suse.com/security/cve/CVE-2026-5588.html
* https://www.suse.com/security/cve/CVE-2026-5598.html



openSUSE-SU-2026:10570-1: moderate: aardvark-dns-1.17.1-1.1 on GA media


# aardvark-dns-1.17.1-1.1 on GA media

Announcement ID: openSUSE-SU-2026:10570-1
Rating: moderate

Cross-References:

* CVE-2026-35406

CVSS scores:

* CVE-2026-35406 ( SUSE ): 6.2 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
* CVE-2026-35406 ( SUSE ): 6.9 CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Affected Products:

* openSUSE Tumbleweed

An update that solves one vulnerability can now be installed.

## Description:

These are all security issues fixed in the aardvark-dns-1.17.1-1.1 package on the GA media of openSUSE Tumbleweed.

## Package List:

* openSUSE Tumbleweed:
* aardvark-dns 1.17.1-1.1

## References:

* https://www.suse.com/security/cve/CVE-2026-35406.html



openSUSE-SU-2026:10576-1: moderate: python311-jwcrypto-1.5.7-2.1 on GA media


# python311-jwcrypto-1.5.7-2.1 on GA media

Announcement ID: openSUSE-SU-2026:10576-1
Rating: moderate

Cross-References:

* CVE-2026-39373

CVSS scores:

* CVE-2026-39373 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
* CVE-2026-39373 ( SUSE ): 8.7 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Affected Products:

* openSUSE Tumbleweed

An update that solves one vulnerability can now be installed.

## Description:

These are all security issues fixed in the python311-jwcrypto-1.5.7-2.1 package on the GA media of openSUSE Tumbleweed.

## Package List:

* openSUSE Tumbleweed:
* python311-jwcrypto 1.5.7-2.1
* python313-jwcrypto 1.5.7-2.1
* python314-jwcrypto 1.5.7-2.1

## References:

* https://www.suse.com/security/cve/CVE-2026-39373.html



openSUSE-SU-2026:10572-1: moderate: chromedriver-147.0.7727.101-1.1 on GA media


# chromedriver-147.0.7727.101-1.1 on GA media

Announcement ID: openSUSE-SU-2026:10572-1
Rating: moderate

Cross-References:

* CVE-2026-6296
* CVE-2026-6297
* CVE-2026-6298
* CVE-2026-6299
* CVE-2026-6300
* CVE-2026-6301
* CVE-2026-6302
* CVE-2026-6303
* CVE-2026-6304
* CVE-2026-6305
* CVE-2026-6306
* CVE-2026-6307
* CVE-2026-6308
* CVE-2026-6309
* CVE-2026-6310
* CVE-2026-6311
* CVE-2026-6312
* CVE-2026-6313
* CVE-2026-6314
* CVE-2026-6315
* CVE-2026-6316
* CVE-2026-6317
* CVE-2026-6318
* CVE-2026-6319
* CVE-2026-6358
* CVE-2026-6359
* CVE-2026-6360
* CVE-2026-6361
* CVE-2026-6362
* CVE-2026-6363
* CVE-2026-6364

Affected Products:

* openSUSE Tumbleweed

An update that solves 31 vulnerabilities can now be installed.

## Description:

These are all security issues fixed in the chromedriver-147.0.7727.101-1.1 package on the GA media of openSUSE Tumbleweed.

## Package List:

* openSUSE Tumbleweed:
* chromedriver 147.0.7727.101-1.1
* chromium 147.0.7727.101-1.1

## References:

* https://www.suse.com/security/cve/CVE-2026-6296.html
* https://www.suse.com/security/cve/CVE-2026-6297.html
* https://www.suse.com/security/cve/CVE-2026-6298.html
* https://www.suse.com/security/cve/CVE-2026-6299.html
* https://www.suse.com/security/cve/CVE-2026-6300.html
* https://www.suse.com/security/cve/CVE-2026-6301.html
* https://www.suse.com/security/cve/CVE-2026-6302.html
* https://www.suse.com/security/cve/CVE-2026-6303.html
* https://www.suse.com/security/cve/CVE-2026-6304.html
* https://www.suse.com/security/cve/CVE-2026-6305.html
* https://www.suse.com/security/cve/CVE-2026-6306.html
* https://www.suse.com/security/cve/CVE-2026-6307.html
* https://www.suse.com/security/cve/CVE-2026-6308.html
* https://www.suse.com/security/cve/CVE-2026-6309.html
* https://www.suse.com/security/cve/CVE-2026-6310.html
* https://www.suse.com/security/cve/CVE-2026-6311.html
* https://www.suse.com/security/cve/CVE-2026-6312.html
* https://www.suse.com/security/cve/CVE-2026-6313.html
* https://www.suse.com/security/cve/CVE-2026-6314.html
* https://www.suse.com/security/cve/CVE-2026-6315.html
* https://www.suse.com/security/cve/CVE-2026-6316.html
* https://www.suse.com/security/cve/CVE-2026-6317.html
* https://www.suse.com/security/cve/CVE-2026-6318.html
* https://www.suse.com/security/cve/CVE-2026-6319.html
* https://www.suse.com/security/cve/CVE-2026-6358.html
* https://www.suse.com/security/cve/CVE-2026-6359.html
* https://www.suse.com/security/cve/CVE-2026-6360.html
* https://www.suse.com/security/cve/CVE-2026-6361.html
* https://www.suse.com/security/cve/CVE-2026-6362.html
* https://www.suse.com/security/cve/CVE-2026-6363.html
* https://www.suse.com/security/cve/CVE-2026-6364.html



openSUSE-SU-2026:10574-1: moderate: jetty-annotations-9.4.58-4.1 on GA media


# jetty-annotations-9.4.58-4.1 on GA media

Announcement ID: openSUSE-SU-2026:10574-1
Rating: moderate

Cross-References:

* CVE-2026-2332
* CVE-2026-5795

CVSS scores:

* CVE-2026-2332 ( SUSE ): 7.4 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
* CVE-2026-5795 ( SUSE ): 7.4 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
* CVE-2026-5795 ( SUSE ): 9.1 CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

Affected Products:

* openSUSE Tumbleweed

An update that solves 2 vulnerabilities can now be installed.

## Description:

These are all security issues fixed in the jetty-annotations-9.4.58-4.1 package on the GA media of openSUSE Tumbleweed.

## Package List:

* openSUSE Tumbleweed:
* jetty-annotations 9.4.58-4.1
* jetty-ant 9.4.58-4.1
* jetty-cdi 9.4.58-4.1
* jetty-client 9.4.58-4.1
* jetty-continuation 9.4.58-4.1
* jetty-deploy 9.4.58-4.1
* jetty-fcgi 9.4.58-4.1
* jetty-http 9.4.58-4.1
* jetty-http-spi 9.4.58-4.1
* jetty-io 9.4.58-4.1
* jetty-jaas 9.4.58-4.1
* jetty-jaspi 9.4.58-4.1
* jetty-jmx 9.4.58-4.1
* jetty-jndi 9.4.58-4.1
* jetty-jsp 9.4.58-4.1
* jetty-minimal-javadoc 9.4.58-4.1
* jetty-openid 9.4.58-4.1
* jetty-plus 9.4.58-4.1
* jetty-project 9.4.58-4.1
* jetty-proxy 9.4.58-4.1
* jetty-quickstart 9.4.58-4.1
* jetty-rewrite 9.4.58-4.1
* jetty-security 9.4.58-4.1
* jetty-server 9.4.58-4.1
* jetty-servlet 9.4.58-4.1
* jetty-servlets 9.4.58-4.1
* jetty-start 9.4.58-4.1
* jetty-util 9.4.58-4.1
* jetty-util-ajax 9.4.58-4.1
* jetty-webapp 9.4.58-4.1
* jetty-xml 9.4.58-4.1

## References:

* https://www.suse.com/security/cve/CVE-2026-2332.html
* https://www.suse.com/security/cve/CVE-2026-5795.html



openSUSE-SU-2026:0138-1: moderate: Security update for python-djangorestframework, python-Django


openSUSE Security Update: Security update for python-djangorestframework, python-Django
_______________________________

Announcement ID: openSUSE-SU-2026:0138-1
Rating: moderate
References: #1227077 #1259142 #1261722 #1261731 #1261732 PED-8919
Cross-References: CVE-2024-21520 CVE-2026-25674 CVE-2026-33033 CVE-2026-4277 CVE-2026-4292
CVSS scores:
CVE-2024-21520 (SUSE): 6.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
CVE-2026-25674 (SUSE): 6.3 CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
CVE-2026-33033 (SUSE): 6.9 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
CVE-2026-4277 (SUSE): 5.4 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
CVE-2026-4292 (SUSE): 2.7 CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N

Affected Products:
openSUSE Backports SLE-15-SP6
_______________________________

An update that fixes 5 vulnerabilities and contains one feature is now available.

Description:

This update for python-djangorestframework and python-Django fixes the following issues:

python-djangorestframework:

- CVE-2024-21520: Fixed improper input sanitization before splitting and joining with 'br' tags (boo#1227077)
- Tests can be run only on the (newer) python311 stack
- Make it at least installable on the python3 stack (no guarantees for it to run)
- Use sle15allpythons to get the Python 3.6 packages too (jsc#PED-8919)

python-Django:

- CVE-2026-4277: Privilege abuse in GenericInlineModelAdmin (boo#1261731)
- CVE-2026-4292: Privilege abuse in ModelAdmin.list_editable (boo#1261732)
- CVE-2026-33033: Potential denial-of-service vulnerability in MultiPartParser via base64-encoded file upload (boo#1261722)
- CVE-2026-25674: Fixed a race condition that could lead to potential incorrect permissions on newly created file system objects (boo#1259142)
- Let django-admin be the master alternative
* django-admin.py was dropped in newer releases of Django
* uninstall the alternatives in postun, as is standard in SUSE

Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- openSUSE Backports SLE-15-SP6:

zypper in -t patch openSUSE-2026-138=1

Package List:

- openSUSE Backports SLE-15-SP6 (noarch):

python3-Django-2.2.28-bp156.39.1
python3-djangorestframework-3.14.0-bp156.2.3.1
python311-djangorestframework-3.14.0-bp156.2.3.1

References:

https://www.suse.com/security/cve/CVE-2024-21520.html
https://www.suse.com/security/cve/CVE-2026-25674.html
https://www.suse.com/security/cve/CVE-2026-33033.html
https://www.suse.com/security/cve/CVE-2026-4277.html
https://www.suse.com/security/cve/CVE-2026-4292.html
https://bugzilla.suse.com/1227077
https://bugzilla.suse.com/1259142
https://bugzilla.suse.com/1261722
https://bugzilla.suse.com/1261731
https://bugzilla.suse.com/1261732