SUSE 5704 Published by

SUSE distributed a series of security updates, addressing over one hundred vulnerabilities across multiple Linux distributions. The announcements target important and moderate ratings for foundational software including the Linux Kernel, Chromium browser, Rust toolchain, ClamAV, and various multimedia libraries. Patches resolve high-severity memory corruption flaws in graphics processing tools, authentication bypass risks in kerberos packages, and remote code execution hazards within the web browser and system kernel.

SUSE-SU-2026:2820-1: important: Security update for GraphicsMagick
SUSE-SU-2026:2819-1: moderate: Security update for python-Django
SUSE-SU-2026:2828-1: moderate: Security update for python-idna
SUSE-SU-2026:2827-1: important: Security update for cosign
SUSE-SU-2026:2829-1: important: Security update for libaom
SUSE-SU-2026:2830-1: important: Security update for warewulf4
SUSE-SU-2026:2832-1: important: Security update for rustup
SUSE-SU-2026:2831-1: important: Security update for rustup
SUSE-SU-2026:2834-1: important: Security update for clamav
SUSE-SU-2026:2835-1: important: Security update for clamav
openSUSE-SU-2026:0239-1: important: Security update for flannel
openSUSE-SU-2026:0238-1: important: Security update for chromium
SUSE-SU-2026:2844-1: important: Security update for gstreamer-plugins-good
SUSE-SU-2026:2842-1: important: Security update for gstreamer-plugins-good
SUSE-SU-2026:2843-1: important: Security update for gstreamer-plugins-good
SUSE-SU-2026:2847-1: important: Security update for krb5
SUSE-SU-2026:2848-1: important: Security update for krb5, krb5-mini
openSUSE-SU-2026:21274-1: important: Security update for rust-keylime
openSUSE-SU-2026:11221-1: moderate: python313-sqlparse-0.5.5-2.1 on GA media
openSUSE-SU-2026:11223-1: moderate: rustup-1.28.2~0-5.1 on GA media
openSUSE-SU-2026:11217-1: moderate: nasm-3.02-1.1 on GA media
openSUSE-SU-2026:11218-1: moderate: libIex-3_4-33-3.4.13-1.1 on GA media
openSUSE-SU-2026:11224-1: moderate: sccache-0.16.0~0-3.1 on GA media
openSUSE-SU-2026:11220-1: moderate: python313-pytest-html-4.2.0-4.1 on GA media
openSUSE-SU-2026:11215-1: moderate: libmbedtls23-4.2.0-1.1 on GA media
SUSE-SU-2026:2840-1: important: Security update for the Linux Kernel




SUSE-SU-2026:2820-1: important: Security update for GraphicsMagick


# Security update for GraphicsMagick

Announcement ID: SUSE-SU-2026:2820-1
Release Date: 2026-07-09T18:01:15Z
Rating: important
References:

* bsc#1269891

Cross-References:

* CVE-2026-13606

CVSS scores:

* CVE-2026-13606 ( SUSE ): 7.8 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Affected Products:

* openSUSE Leap 15.6
* SUSE Linux Enterprise Desktop 15 SP7
* SUSE Linux Enterprise Real Time 15 SP7
* SUSE Linux Enterprise Server 15 SP7
* SUSE Linux Enterprise Server for SAP Applications 15 SP7
* SUSE Package Hub 15 15-SP7

An update that solves one vulnerability can now be installed.

## Description:

This update for GraphicsMagick fixes the following issue

* CVE-2026-13606: crafted Photo CD (PCD) file can cause memory corruption
(bsc#1269891).

## Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like
YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

* SUSE Package Hub 15 15-SP7
zypper in -t patch SUSE-SLE-Module-Packagehub-Subpackages-15-SP7-2026-2820=1

* openSUSE Leap 15.6
zypper in -t patch SUSE-2026-2820=1

## Package List:

* openSUSE Leap 15.6 (aarch64 i586 ppc64le s390x x86_64)
* GraphicsMagick-debuginfo-1.3.42-150600.3.33.1
* GraphicsMagick-devel-1.3.42-150600.3.33.1
* libGraphicsMagick-Q16-3-1.3.42-150600.3.33.1
* libGraphicsMagick++-Q16-12-debuginfo-1.3.42-150600.3.33.1
* perl-GraphicsMagick-debuginfo-1.3.42-150600.3.33.1
* GraphicsMagick-1.3.42-150600.3.33.1
* libGraphicsMagick-Q16-3-debuginfo-1.3.42-150600.3.33.1
* libGraphicsMagick++-devel-1.3.42-150600.3.33.1
* perl-GraphicsMagick-1.3.42-150600.3.33.1
* libGraphicsMagickWand-Q16-2-debuginfo-1.3.42-150600.3.33.1
* libGraphicsMagick3-config-1.3.42-150600.3.33.1
* libGraphicsMagick++-Q16-12-1.3.42-150600.3.33.1
* libGraphicsMagickWand-Q16-2-1.3.42-150600.3.33.1
* GraphicsMagick-debugsource-1.3.42-150600.3.33.1
* SUSE Package Hub 15 15-SP7 (aarch64 ppc64le s390x x86_64)
* GraphicsMagick-debuginfo-1.3.42-150600.3.33.1
* GraphicsMagick-devel-1.3.42-150600.3.33.1
* libGraphicsMagick-Q16-3-1.3.42-150600.3.33.1
* libGraphicsMagick++-Q16-12-debuginfo-1.3.42-150600.3.33.1
* libGraphicsMagickWand-Q16-2-1.3.42-150600.3.33.1
* perl-GraphicsMagick-debuginfo-1.3.42-150600.3.33.1
* GraphicsMagick-1.3.42-150600.3.33.1
* libGraphicsMagick-Q16-3-debuginfo-1.3.42-150600.3.33.1
* libGraphicsMagick++-devel-1.3.42-150600.3.33.1
* perl-GraphicsMagick-1.3.42-150600.3.33.1
* libGraphicsMagickWand-Q16-2-debuginfo-1.3.42-150600.3.33.1
* libGraphicsMagick++-Q16-12-1.3.42-150600.3.33.1
* libGraphicsMagick3-config-1.3.42-150600.3.33.1
* GraphicsMagick-debugsource-1.3.42-150600.3.33.1

## References:

* https://www.suse.com/security/cve/CVE-2026-13606.html
* https://bugzilla.suse.com/show_bug.cgi?id=1269891



SUSE-SU-2026:2819-1: moderate: Security update for python-Django


# Security update for python-Django

Announcement ID: SUSE-SU-2026:2819-1
Release Date: 2026-07-09T17:12:22Z
Rating: moderate
References:

* bsc#1271029
* bsc#1271030

Cross-References:

* CVE-2026-48588
* CVE-2026-53877

CVSS scores:

* CVE-2026-48588 ( SUSE ): 3.1 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N
* CVE-2026-48588 ( NVD ): 2.3
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
* CVE-2026-48588 ( NVD ): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
* CVE-2026-48588 ( NVD ): 3.1 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N
* CVE-2026-53877 ( SUSE ): 4.8 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:L
* CVE-2026-53877 ( NVD ): 6.3
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
* CVE-2026-53877 ( NVD ): 4.8 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:L

Affected Products:

* openSUSE Leap 15.6
* SUSE Linux Enterprise Desktop 15 SP7
* SUSE Linux Enterprise Real Time 15 SP7
* SUSE Linux Enterprise Server 15 SP7
* SUSE Linux Enterprise Server for SAP Applications 15 SP7
* SUSE Package Hub 15 15-SP7

An update that solves two vulnerabilities can now be installed.

## Description:

This update for python-Django fixes the following issues:

* CVE-2026-48588: potential exposure of private data via cached `Set-Cookie`
response (bsc#1271029).
* CVE-2026-53877: information disclosure via 32-byte heap buffer overread in
`GDALRaster` (bsc#1271030).

## Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like
YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

* SUSE Package Hub 15 15-SP7
zypper in -t patch SUSE-SLE-Module-Packagehub-Subpackages-15-SP7-2026-2819=1

* openSUSE Leap 15.6
zypper in -t patch SUSE-2026-2819=1

## Package List:

* SUSE Package Hub 15 15-SP7 (noarch)
* python311-Django-4.2.11-150600.3.62.1
* openSUSE Leap 15.6 (noarch)
* python311-Django-4.2.11-150600.3.62.1

## References:

* https://www.suse.com/security/cve/CVE-2026-48588.html
* https://www.suse.com/security/cve/CVE-2026-53877.html
* https://bugzilla.suse.com/show_bug.cgi?id=1271029
* https://bugzilla.suse.com/show_bug.cgi?id=1271030



SUSE-SU-2026:2828-1: moderate: Security update for python-idna


# Security update for python-idna

Announcement ID: SUSE-SU-2026:2828-1
Release Date: 2026-07-09T18:30:14Z
Rating: moderate
References:

* bsc#1265413

Cross-References:

* CVE-2026-45409

CVSS scores:

* CVE-2026-45409 ( SUSE ): 6.9
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
* CVE-2026-45409 ( SUSE ): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
* CVE-2026-45409 ( NVD ): 6.9
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
* CVE-2026-45409 ( NVD ): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Affected Products:

* openSUSE Leap 15.4
* Public Cloud Module 15-SP4
* Python 3 Module 15-SP7
* SUSE Linux Enterprise Desktop 15 SP7
* SUSE Linux Enterprise High Performance Computing 15 SP4
* SUSE Linux Enterprise Server 15 SP4
* SUSE Linux Enterprise Server 15 SP7
* SUSE Linux Enterprise Server for SAP Applications 15 SP4
* SUSE Linux Enterprise Server for SAP Applications 15 SP7
* SUSE Manager Proxy 4.3
* SUSE Manager Retail Branch Server 4.3
* SUSE Manager Server 4.3

An update that solves one vulnerability can now be installed.

## Description:

This update for python-idna fixes the following issue

* CVE-2026-45409: specially crafted inputs to idna.encode() can bypass earlier
security fix (bsc#1265413).

## Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like
YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

* Python 3 Module 15-SP7
zypper in -t patch SUSE-SLE-Module-Python3-15-SP7-2026-2828=1

* Public Cloud Module 15-SP4
zypper in -t patch SUSE-SLE-Module-Public-Cloud-15-SP4-2026-2828=1

* openSUSE Leap 15.4
zypper in -t patch SUSE-2026-2828=1

## Package List:

* Python 3 Module 15-SP7 (noarch)
* python311-idna-3.4-150400.11.13.1
* Public Cloud Module 15-SP4 (noarch)
* python311-idna-3.4-150400.11.13.1
* openSUSE Leap 15.4 (noarch)
* python311-idna-3.4-150400.11.13.1

## References:

* https://www.suse.com/security/cve/CVE-2026-45409.html
* https://bugzilla.suse.com/show_bug.cgi?id=1265413



SUSE-SU-2026:2827-1: important: Security update for cosign


# Security update for cosign

Announcement ID: SUSE-SU-2026:2827-1
Release Date: 2026-07-09T18:28:33Z
Rating: important
References:

* bsc#1261811
* bsc#1266049
* bsc#1267044

Cross-References:

* CVE-2026-25680
* CVE-2026-25681
* CVE-2026-27136
* CVE-2026-33815
* CVE-2026-39827
* CVE-2026-39828
* CVE-2026-39829
* CVE-2026-39830
* CVE-2026-39831
* CVE-2026-39832
* CVE-2026-39833
* CVE-2026-39834
* CVE-2026-39835
* CVE-2026-42502
* CVE-2026-42506
* CVE-2026-42508
* CVE-2026-46595
* CVE-2026-46597
* CVE-2026-46598

CVSS scores:

* CVE-2026-25680 ( SUSE ): 8.7
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
* CVE-2026-25680 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
* CVE-2026-25680 ( NVD ): 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
* CVE-2026-25681 ( SUSE ): 5.3
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:L/SI:L/SA:N
* CVE-2026-25681 ( SUSE ): 6.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
* CVE-2026-25681 ( NVD ): 6.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
* CVE-2026-27136 ( SUSE ): 5.3
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:L/SI:L/SA:N
* CVE-2026-27136 ( SUSE ): 6.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
* CVE-2026-27136 ( NVD ): 6.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
* CVE-2026-33815 ( SUSE ): 8.3 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L
* CVE-2026-33815 ( NVD ): 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
* CVE-2026-33815 ( NVD ): 8.3 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L
* CVE-2026-39827 ( SUSE ): 7.1
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
* CVE-2026-39827 ( SUSE ): 6.5 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
* CVE-2026-39827 ( NVD ): 6.5 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
* CVE-2026-39828 ( SUSE ): 8.6
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
* CVE-2026-39828 ( SUSE ): 8.1 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
* CVE-2026-39828 ( NVD ): 6.3 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
* CVE-2026-39828 ( NVD ): 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
* CVE-2026-39829 ( SUSE ): 8.7
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
* CVE-2026-39829 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
* CVE-2026-39829 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
* CVE-2026-39829 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
* CVE-2026-39830 ( SUSE ): 7.1
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
* CVE-2026-39830 ( SUSE ): 6.5 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
* CVE-2026-39830 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
* CVE-2026-39830 ( NVD ): 9.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
* CVE-2026-39831 ( SUSE ): 8.6
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
* CVE-2026-39831 ( SUSE ): 8.1 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
* CVE-2026-39831 ( NVD ): 9.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
* CVE-2026-39832 ( SUSE ): 6.2
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N
* CVE-2026-39832 ( SUSE ): 8.4 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N
* CVE-2026-39832 ( NVD ): 9.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
* CVE-2026-39832 ( NVD ): 8.7 CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N
* CVE-2026-39833 ( SUSE ): 8.5
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
* CVE-2026-39833 ( SUSE ): 7.7 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
* CVE-2026-39833 ( NVD ): 9.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
* CVE-2026-39834 ( SUSE ): 8.7
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
* CVE-2026-39834 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
* CVE-2026-39834 ( NVD ): 9.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
* CVE-2026-39835 ( SUSE ): 8.7
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
* CVE-2026-39835 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
* CVE-2026-39835 ( NVD ): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
* CVE-2026-39835 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
* CVE-2026-42502 ( SUSE ): 5.3
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:L/SI:L/SA:N
* CVE-2026-42502 ( SUSE ): 6.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
* CVE-2026-42502 ( NVD ): 6.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
* CVE-2026-42506 ( SUSE ): 5.3
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:L/SI:L/SA:N
* CVE-2026-42506 ( SUSE ): 6.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
* CVE-2026-42506 ( NVD ): 6.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
* CVE-2026-42508 ( SUSE ): 8.6
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
* CVE-2026-42508 ( SUSE ): 8.1 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
* CVE-2026-42508 ( NVD ): 9.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
* CVE-2026-42508 ( NVD ): 7.4 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
* CVE-2026-46595 ( SUSE ): 8.6
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
* CVE-2026-46595 ( SUSE ): 8.1 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
* CVE-2026-46595 ( NVD ): 10.0 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L
* CVE-2026-46595 ( NVD ): 7.1 CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:L
* CVE-2026-46597 ( SUSE ): 8.7
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
* CVE-2026-46597 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
* CVE-2026-46597 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
* CVE-2026-46598 ( SUSE ): 8.7
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
* CVE-2026-46598 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
* CVE-2026-46598 ( NVD ): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Affected Products:

* Basesystem Module 15-SP7
* openSUSE Leap 15.4
* SUSE Linux Enterprise Desktop 15 SP7
* SUSE Linux Enterprise High Performance Computing 15 SP4
* SUSE Linux Enterprise High Performance Computing 15 SP5
* SUSE Linux Enterprise High Performance Computing ESPOS 15 SP4
* SUSE Linux Enterprise High Performance Computing ESPOS 15 SP5
* SUSE Linux Enterprise High Performance Computing LTSS 15 SP4
* SUSE Linux Enterprise High Performance Computing LTSS 15 SP5
* SUSE Linux Enterprise Real Time 15 SP7
* SUSE Linux Enterprise Server 15 SP4
* SUSE Linux Enterprise Server 15 SP4 LTSS
* SUSE Linux Enterprise Server 15 SP5
* SUSE Linux Enterprise Server 15 SP5 LTSS
* SUSE Linux Enterprise Server 15 SP6
* SUSE Linux Enterprise Server 15 SP6 LTSS
* SUSE Linux Enterprise Server 15 SP7
* SUSE Linux Enterprise Server for SAP Applications 15 SP4
* SUSE Linux Enterprise Server for SAP Applications 15 SP5
* SUSE Linux Enterprise Server for SAP Applications 15 SP6
* SUSE Linux Enterprise Server for SAP Applications 15 SP7

An update that solves 19 vulnerabilities can now be installed.

## Description:

This update for cosign fixes the following issues

* CVE-2026-25680,CVE-2026-25681,CVE-2026-27136,CVE-2026-42502,CVE-2026-42506:
multiple issues when parsing HTML files (bsc#1267044).
* CVE-2026-33815: memory-safety vulnerability (bsc#1261811).
*
CVE-2026-39827,CVE-2026-39828,CVE-2026-39829,CVE-2026-39830,CVE-2026-39831,CVE-2026-39832,CVE-2026-39833,
CVE-2026-39834,CVE-2026-39835,CVE-2026-42508,CVE-2026-46595,CVE-2026-46597,CVE-2026-46598:
Fixed multiple issues in golang.org/x/crypto/ssh (bsc#1266049).

## Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like
YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

* SUSE Linux Enterprise Server 15 SP6 LTSS
zypper in -t patch SUSE-SLE-Product-SLES-15-SP6-LTSS-2026-2827=1

* openSUSE Leap 15.4
zypper in -t patch SUSE-2026-2827=1

* Basesystem Module 15-SP7
zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP7-2026-2827=1

* SUSE Linux Enterprise Server for SAP Applications 15 SP5
zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-SP5-2026-2827=1

* SUSE Linux Enterprise Server 15 SP4 LTSS
zypper in -t patch SUSE-SLE-Product-SLES-15-SP4-LTSS-2026-2827=1

* SUSE Linux Enterprise Server 15 SP5 LTSS
zypper in -t patch SUSE-SLE-Product-SLES-15-SP5-LTSS-2026-2827=1

* SUSE Linux Enterprise Server for SAP Applications 15 SP6
zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-SP6-2026-2827=1

* SUSE Linux Enterprise High Performance Computing ESPOS 15 SP4
zypper in -t patch SUSE-SLE-Product-HPC-15-SP4-ESPOS-2026-2827=1

* SUSE Linux Enterprise High Performance Computing ESPOS 15 SP5
zypper in -t patch SUSE-SLE-Product-HPC-15-SP5-ESPOS-2026-2827=1

* SUSE Linux Enterprise Server for SAP Applications 15 SP4
zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-SP4-2026-2827=1

* SUSE Linux Enterprise High Performance Computing LTSS 15 SP4
zypper in -t patch SUSE-SLE-Product-HPC-15-SP4-LTSS-2026-2827=1

* SUSE Linux Enterprise High Performance Computing LTSS 15 SP5
zypper in -t patch SUSE-SLE-Product-HPC-15-SP5-LTSS-2026-2827=1

## Package List:

* Basesystem Module 15-SP7 (noarch)
* cosign-bash-completion-3.1.1-150400.3.45.1
* cosign-zsh-completion-3.1.1-150400.3.45.1
* Basesystem Module 15-SP7 (aarch64 ppc64le s390x x86_64)
* cosign-3.1.1-150400.3.45.1
* cosign-debuginfo-3.1.1-150400.3.45.1
* SUSE Linux Enterprise Server for SAP Applications 15 SP4 (ppc64le x86_64)
* cosign-3.1.1-150400.3.45.1
* SUSE Linux Enterprise Server 15 SP6 LTSS (aarch64 ppc64le s390x x86_64)
* cosign-3.1.1-150400.3.45.1
* cosign-debuginfo-3.1.1-150400.3.45.1
* SUSE Linux Enterprise High Performance Computing ESPOS 15 SP4 (aarch64
x86_64)
* cosign-3.1.1-150400.3.45.1
* openSUSE Leap 15.4 (aarch64 i586 ppc64le s390x x86_64)
* cosign-3.1.1-150400.3.45.1
* cosign-debuginfo-3.1.1-150400.3.45.1
* openSUSE Leap 15.4 (noarch)
* cosign-bash-completion-3.1.1-150400.3.45.1
* cosign-fish-completion-3.1.1-150400.3.45.1
* cosign-zsh-completion-3.1.1-150400.3.45.1
* SUSE Linux Enterprise High Performance Computing LTSS 15 SP4 (aarch64
x86_64)
* cosign-3.1.1-150400.3.45.1
* SUSE Linux Enterprise Server 15 SP4 LTSS (aarch64 ppc64le s390x x86_64)
* cosign-3.1.1-150400.3.45.1
* SUSE Linux Enterprise Server 15 SP5 LTSS (aarch64 ppc64le s390x x86_64)
* cosign-3.1.1-150400.3.45.1
* SUSE Linux Enterprise High Performance Computing LTSS 15 SP5 (aarch64
x86_64)
* cosign-3.1.1-150400.3.45.1
* SUSE Linux Enterprise Server for SAP Applications 15 SP6 (ppc64le x86_64)
* cosign-3.1.1-150400.3.45.1
* cosign-debuginfo-3.1.1-150400.3.45.1
* SUSE Linux Enterprise Server for SAP Applications 15 SP5 (ppc64le x86_64)
* cosign-3.1.1-150400.3.45.1
* SUSE Linux Enterprise High Performance Computing ESPOS 15 SP5 (aarch64
x86_64)
* cosign-3.1.1-150400.3.45.1

## References:

* https://www.suse.com/security/cve/CVE-2026-25680.html
* https://www.suse.com/security/cve/CVE-2026-25681.html
* https://www.suse.com/security/cve/CVE-2026-27136.html
* https://www.suse.com/security/cve/CVE-2026-33815.html
* https://www.suse.com/security/cve/CVE-2026-39827.html
* https://www.suse.com/security/cve/CVE-2026-39828.html
* https://www.suse.com/security/cve/CVE-2026-39829.html
* https://www.suse.com/security/cve/CVE-2026-39830.html
* https://www.suse.com/security/cve/CVE-2026-39831.html
* https://www.suse.com/security/cve/CVE-2026-39832.html
* https://www.suse.com/security/cve/CVE-2026-39833.html
* https://www.suse.com/security/cve/CVE-2026-39834.html
* https://www.suse.com/security/cve/CVE-2026-39835.html
* https://www.suse.com/security/cve/CVE-2026-42502.html
* https://www.suse.com/security/cve/CVE-2026-42506.html
* https://www.suse.com/security/cve/CVE-2026-42508.html
* https://www.suse.com/security/cve/CVE-2026-46595.html
* https://www.suse.com/security/cve/CVE-2026-46597.html
* https://www.suse.com/security/cve/CVE-2026-46598.html
* https://bugzilla.suse.com/show_bug.cgi?id=1261811
* https://bugzilla.suse.com/show_bug.cgi?id=1266049
* https://bugzilla.suse.com/show_bug.cgi?id=1267044



SUSE-SU-2026:2829-1: important: Security update for libaom


# Security update for libaom

Announcement ID: SUSE-SU-2026:2829-1
Release Date: 2026-07-09T18:40:25Z
Rating: important
References:

* bsc#1268650
* bsc#1268651
* bsc#1268653
* bsc#1268655

Cross-References:

* CVE-2026-56208
* CVE-2026-56209
* CVE-2026-56210
* CVE-2026-56211

CVSS scores:

* CVE-2026-56208 ( SUSE ): 6.0
CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:A/VC:L/VI:H/VA:H/SC:N/SI:N/SA:N
* CVE-2026-56208 ( SUSE ): 7.1 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:H/A:H
* CVE-2026-56208 ( NVD ): 7.6 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:H
* CVE-2026-56208 ( NVD ): 7.6 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:H
* CVE-2026-56209 ( SUSE ): 7.0
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N
* CVE-2026-56209 ( SUSE ): 8.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H
* CVE-2026-56209 ( NVD ): 7.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:H
* CVE-2026-56209 ( NVD ): 7.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:H
* CVE-2026-56210 ( SUSE ): 7.0
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:N/VA:H/SC:N/SI:N/SA:N
* CVE-2026-56210 ( SUSE ): 7.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H
* CVE-2026-56210 ( NVD ): 7.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H
* CVE-2026-56210 ( NVD ): 7.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H
* CVE-2026-56211 ( SUSE ): 7.5
CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
* CVE-2026-56211 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
* CVE-2026-56211 ( NVD ): 7.1 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:H/A:H
* CVE-2026-56211 ( NVD ): 7.1 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:H/A:H

Affected Products:

* openSUSE Leap 15.4
* SUSE Linux Enterprise High Performance Computing 15 SP4
* SUSE Linux Enterprise High Performance Computing 15 SP5
* SUSE Linux Enterprise High Performance Computing ESPOS 15 SP4
* SUSE Linux Enterprise High Performance Computing ESPOS 15 SP5
* SUSE Linux Enterprise High Performance Computing LTSS 15 SP4
* SUSE Linux Enterprise High Performance Computing LTSS 15 SP5
* SUSE Linux Enterprise Server 15 SP4
* SUSE Linux Enterprise Server 15 SP4 LTSS
* SUSE Linux Enterprise Server 15 SP5
* SUSE Linux Enterprise Server 15 SP5 LTSS
* SUSE Linux Enterprise Server for SAP Applications 15 SP4
* SUSE Linux Enterprise Server for SAP Applications 15 SP5

An update that solves four vulnerabilities can now be installed.

## Description:

This update for libaom fixes the following issues:

* CVE-2026-56208: untrusted encoder configuration inputs can lead to a heap-
based buffer overflow and a process crash (bsc#1268650).
* CVE-2026-56209: crafted video frames with specific Y-plane pixel values can
lead to an arbitrary memory write (bsc#1268651).
* CVE-2026-56210: missing bounds check on layer_id inputs can lead to an out-
of-bounds heap read (bsc#1268653).
* CVE-2026-56211: out-of-range spatial/temporal layer selection can lead to
remote code execution (bsc#1268655).

## Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like
YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

* SUSE Linux Enterprise High Performance Computing LTSS 15 SP4
zypper in -t patch SUSE-SLE-Product-HPC-15-SP4-LTSS-2026-2829=1

* SUSE Linux Enterprise High Performance Computing ESPOS 15 SP4
zypper in -t patch SUSE-SLE-Product-HPC-15-SP4-ESPOS-2026-2829=1

* SUSE Linux Enterprise Server for SAP Applications 15 SP4
zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-SP4-2026-2829=1

* SUSE Linux Enterprise High Performance Computing LTSS 15 SP5
zypper in -t patch SUSE-SLE-Product-HPC-15-SP5-LTSS-2026-2829=1

* SUSE Linux Enterprise Server 15 SP4 LTSS
zypper in -t patch SUSE-SLE-Product-SLES-15-SP4-LTSS-2026-2829=1

* SUSE Linux Enterprise High Performance Computing ESPOS 15 SP5
zypper in -t patch SUSE-SLE-Product-HPC-15-SP5-ESPOS-2026-2829=1

* SUSE Linux Enterprise Server 15 SP5 LTSS
zypper in -t patch SUSE-SLE-Product-SLES-15-SP5-LTSS-2026-2829=1

* SUSE Linux Enterprise Server for SAP Applications 15 SP5
zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-SP5-2026-2829=1

* openSUSE Leap 15.4
zypper in -t patch SUSE-2026-2829=1

## Package List:

* SUSE Linux Enterprise High Performance Computing LTSS 15 SP5 (aarch64
x86_64)
* libaom-debugsource-3.7.1-150400.3.12.1
* aom-tools-debuginfo-3.7.1-150400.3.12.1
* libaom3-3.7.1-150400.3.12.1
* libaom-devel-3.7.1-150400.3.12.1
* aom-tools-3.7.1-150400.3.12.1
* libaom3-debuginfo-3.7.1-150400.3.12.1
* SUSE Linux Enterprise High Performance Computing LTSS 15 SP5 (noarch)
* libaom-devel-doc-3.7.1-150400.3.12.1
* SUSE Linux Enterprise Server 15 SP5 LTSS (aarch64 ppc64le s390x x86_64)
* libaom-debugsource-3.7.1-150400.3.12.1
* aom-tools-debuginfo-3.7.1-150400.3.12.1
* libaom3-3.7.1-150400.3.12.1
* libaom-devel-3.7.1-150400.3.12.1
* aom-tools-3.7.1-150400.3.12.1
* libaom3-debuginfo-3.7.1-150400.3.12.1
* SUSE Linux Enterprise Server 15 SP5 LTSS (noarch)
* libaom-devel-doc-3.7.1-150400.3.12.1
* SUSE Linux Enterprise Server for SAP Applications 15 SP5 (ppc64le x86_64)
* libaom-debugsource-3.7.1-150400.3.12.1
* aom-tools-debuginfo-3.7.1-150400.3.12.1
* libaom3-3.7.1-150400.3.12.1
* libaom-devel-3.7.1-150400.3.12.1
* aom-tools-3.7.1-150400.3.12.1
* libaom3-debuginfo-3.7.1-150400.3.12.1
* SUSE Linux Enterprise Server for SAP Applications 15 SP5 (noarch)
* libaom-devel-doc-3.7.1-150400.3.12.1
* SUSE Linux Enterprise High Performance Computing LTSS 15 SP4 (noarch)
* libaom-devel-doc-3.7.1-150400.3.12.1
* SUSE Linux Enterprise High Performance Computing LTSS 15 SP4 (aarch64
x86_64)
* libaom-debugsource-3.7.1-150400.3.12.1
* aom-tools-debuginfo-3.7.1-150400.3.12.1
* libaom3-3.7.1-150400.3.12.1
* libaom-devel-3.7.1-150400.3.12.1
* aom-tools-3.7.1-150400.3.12.1
* libaom3-debuginfo-3.7.1-150400.3.12.1
* SUSE Linux Enterprise Server for SAP Applications 15 SP4 (ppc64le x86_64)
* libaom-debugsource-3.7.1-150400.3.12.1
* aom-tools-debuginfo-3.7.1-150400.3.12.1
* libaom3-3.7.1-150400.3.12.1
* libaom-devel-3.7.1-150400.3.12.1
* aom-tools-3.7.1-150400.3.12.1
* libaom3-debuginfo-3.7.1-150400.3.12.1
* SUSE Linux Enterprise Server for SAP Applications 15 SP4 (noarch)
* libaom-devel-doc-3.7.1-150400.3.12.1
* SUSE Linux Enterprise Server 15 SP4 LTSS (noarch)
* libaom-devel-doc-3.7.1-150400.3.12.1
* SUSE Linux Enterprise Server 15 SP4 LTSS (aarch64 ppc64le s390x x86_64)
* libaom-debugsource-3.7.1-150400.3.12.1
* aom-tools-debuginfo-3.7.1-150400.3.12.1
* libaom3-3.7.1-150400.3.12.1
* libaom-devel-3.7.1-150400.3.12.1
* aom-tools-3.7.1-150400.3.12.1
* libaom3-debuginfo-3.7.1-150400.3.12.1
* SUSE Linux Enterprise High Performance Computing ESPOS 15 SP4 (aarch64
x86_64)
* libaom-debugsource-3.7.1-150400.3.12.1
* aom-tools-debuginfo-3.7.1-150400.3.12.1
* libaom3-3.7.1-150400.3.12.1
* libaom-devel-3.7.1-150400.3.12.1
* aom-tools-3.7.1-150400.3.12.1
* libaom3-debuginfo-3.7.1-150400.3.12.1
* SUSE Linux Enterprise High Performance Computing ESPOS 15 SP4 (noarch)
* libaom-devel-doc-3.7.1-150400.3.12.1
* openSUSE Leap 15.4 (aarch64 i586 ppc64le s390x x86_64)
* libaom-debugsource-3.7.1-150400.3.12.1
* aom-tools-debuginfo-3.7.1-150400.3.12.1
* libaom3-3.7.1-150400.3.12.1
* libaom-devel-3.7.1-150400.3.12.1
* aom-tools-3.7.1-150400.3.12.1
* libaom3-debuginfo-3.7.1-150400.3.12.1
* openSUSE Leap 15.4 (aarch64_ilp32)
* libaom3-64bit-debuginfo-3.7.1-150400.3.12.1
* libaom3-64bit-3.7.1-150400.3.12.1
* openSUSE Leap 15.4 (x86_64)
* libaom3-32bit-3.7.1-150400.3.12.1
* libaom3-32bit-debuginfo-3.7.1-150400.3.12.1
* openSUSE Leap 15.4 (noarch)
* libaom-devel-doc-3.7.1-150400.3.12.1
* SUSE Linux Enterprise High Performance Computing ESPOS 15 SP5 (aarch64
x86_64)
* libaom-debugsource-3.7.1-150400.3.12.1
* aom-tools-debuginfo-3.7.1-150400.3.12.1
* libaom3-3.7.1-150400.3.12.1
* libaom-devel-3.7.1-150400.3.12.1
* aom-tools-3.7.1-150400.3.12.1
* libaom3-debuginfo-3.7.1-150400.3.12.1
* SUSE Linux Enterprise High Performance Computing ESPOS 15 SP5 (noarch)
* libaom-devel-doc-3.7.1-150400.3.12.1

## References:

* https://www.suse.com/security/cve/CVE-2026-56208.html
* https://www.suse.com/security/cve/CVE-2026-56209.html
* https://www.suse.com/security/cve/CVE-2026-56210.html
* https://www.suse.com/security/cve/CVE-2026-56211.html
* https://bugzilla.suse.com/show_bug.cgi?id=1268650
* https://bugzilla.suse.com/show_bug.cgi?id=1268651
* https://bugzilla.suse.com/show_bug.cgi?id=1268653
* https://bugzilla.suse.com/show_bug.cgi?id=1268655



SUSE-SU-2026:2830-1: important: Security update for warewulf4


# Security update for warewulf4

Announcement ID: SUSE-SU-2026:2830-1
Release Date: 2026-07-09T18:42:10Z
Rating: important
References:

* bsc#1254470
* bsc#1258511
* bsc#1262810
* bsc#1265653
* bsc#1266483
* bsc#1268790

Cross-References:

* CVE-2025-69725
* CVE-2026-33814
* CVE-2026-34986
* CVE-2026-39821

CVSS scores:

* CVE-2025-69725 ( SUSE ): 2.3
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:L/VA:N/SC:L/SI:N/SA:N
* CVE-2025-69725 ( SUSE ): 6.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
* CVE-2025-69725 ( NVD ): 4.7 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:N
* CVE-2026-33814 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
* CVE-2026-33814 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
* CVE-2026-33814 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
* CVE-2026-33814 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
* CVE-2026-34986 ( SUSE ): 8.7
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
* CVE-2026-34986 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
* CVE-2026-34986 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
* CVE-2026-34986 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
* CVE-2026-39821 ( SUSE ): 9.1
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
* CVE-2026-39821 ( SUSE ): 7.4 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
* CVE-2026-39821 ( NVD ): 9.6 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N
* CVE-2026-39821 ( NVD ): 8.2 CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N

Affected Products:

* HPC Module 15-SP7
* openSUSE Leap 15.5
* SUSE Linux Enterprise High Performance Computing 15 SP5
* SUSE Linux Enterprise High Performance Computing ESPOS 15 SP5
* SUSE Linux Enterprise High Performance Computing LTSS 15 SP5
* SUSE Linux Enterprise Server 15 SP6
* SUSE Linux Enterprise Server 15 SP6 LTSS
* SUSE Linux Enterprise Server 15 SP7

An update that solves four vulnerabilities and has two security fixes can now be
installed.

## Description:

This update for warewulf4 fixes the following issues:

Update to v4.7.0.

Security issues fixed:

* CVE-2025-69725: incorrect input validation in the `RedirectSlashes` function
can lead to an open redirect (bsc#1258511).
* CVE-2026-33814: golang.org/x/net/http2: infinite loop in HTTP/2 transport
when given bad `SETTINGS_MAX_FRAME_SIZE` can lead to a denial of service
(bsc#1265653).
* CVE-2026-34986: github.com/go-jose/go-jose/v4: crafted JWE input with a
missing encrypted key can lead to a denial of service (bsc#1262810).
* CVE-2026-39821: golang.org/x/net/idna: failure to reject ASCII-only
Punycode-encoded labels allows for validation bypass and privilege
escalation (bsc#1266483).

Other updates and bugfixes:

* Add correct flag `--update-overlays` fix (bsc#1268790).
* v4.7.0:
* New `wwctl` unset command
* Refactored server routes (URLs)
* New `/files/` route for serving individual files and templates
* Server TLS support
* Removed support for fetching individual overlays and individual files from
overlays
* Fixed whitespace handling around template functions
* Security fixes, including updated Go and library versions
* v4.6.5:
* New wwctl overlay info command
* Fixed `wwctl` image import `--update` option
* Cross-arch support for `wwclient`
* Improved IPv6 support
* Improved support for bonded interfaces
* Renamed `debian.interfaces` overlay to `ifupdown`
* New `systemd-networkd` overlay
* `warewulf-dracut` fixes, including `provision-to-disk` fixes
* Remove `slurm-overlay` package.
* Fix `wwctl` image import `--update` option (bsc#1254470).

## Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like
YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

* SUSE Linux Enterprise High Performance Computing ESPOS 15 SP5
zypper in -t patch SUSE-SLE-Product-HPC-15-SP5-ESPOS-2026-2830=1

* SUSE Linux Enterprise Server 15 SP6 LTSS
zypper in -t patch SUSE-SLE-Product-SLES-15-SP6-LTSS-2026-2830=1

* SUSE Linux Enterprise High Performance Computing LTSS 15 SP5
zypper in -t patch SUSE-SLE-Product-HPC-15-SP5-LTSS-2026-2830=1

* openSUSE Leap 15.5
zypper in -t patch SUSE-2026-2830=1

* HPC Module 15-SP7
zypper in -t patch SUSE-SLE-Module-HPC-15-SP7-2026-2830=1

## Package List:

* openSUSE Leap 15.5 (noarch)
* warewulf4-dracut-4.7.0-150500.6.42.1
* warewulf4-reference-doc-4.7.0-150500.6.42.1
* warewulf4-man-4.7.0-150500.6.42.1
* warewulf4-overlay-rke2-4.7.0-150500.6.42.1
* openSUSE Leap 15.5 (aarch64 x86_64)
* warewulf4-overlay-4.7.0-150500.6.42.1
* warewulf4-4.7.0-150500.6.42.1
* SUSE Linux Enterprise High Performance Computing LTSS 15 SP5 (aarch64
x86_64)
* warewulf4-overlay-4.7.0-150500.6.42.1
* warewulf4-4.7.0-150500.6.42.1
* SUSE Linux Enterprise High Performance Computing LTSS 15 SP5 (noarch)
* warewulf4-dracut-4.7.0-150500.6.42.1
* warewulf4-man-4.7.0-150500.6.42.1
* warewulf4-reference-doc-4.7.0-150500.6.42.1
* SUSE Linux Enterprise High Performance Computing ESPOS 15 SP5 (aarch64
x86_64)
* warewulf4-overlay-4.7.0-150500.6.42.1
* warewulf4-4.7.0-150500.6.42.1
* SUSE Linux Enterprise High Performance Computing ESPOS 15 SP5 (noarch)
* warewulf4-dracut-4.7.0-150500.6.42.1
* warewulf4-man-4.7.0-150500.6.42.1
* warewulf4-reference-doc-4.7.0-150500.6.42.1
* HPC Module 15-SP7 (aarch64 x86_64)
* warewulf4-overlay-4.7.0-150500.6.42.1
* warewulf4-4.7.0-150500.6.42.1
* HPC Module 15-SP7 (noarch)
* warewulf4-dracut-4.7.0-150500.6.42.1
* warewulf4-reference-doc-4.7.0-150500.6.42.1
* warewulf4-man-4.7.0-150500.6.42.1
* SUSE Linux Enterprise Server 15 SP6 LTSS (aarch64 x86_64)
* warewulf4-overlay-4.7.0-150500.6.42.1
* warewulf4-4.7.0-150500.6.42.1
* SUSE Linux Enterprise Server 15 SP6 LTSS (noarch)
* warewulf4-dracut-4.7.0-150500.6.42.1
* warewulf4-reference-doc-4.7.0-150500.6.42.1
* warewulf4-man-4.7.0-150500.6.42.1

## References:

* https://www.suse.com/security/cve/CVE-2025-69725.html
* https://www.suse.com/security/cve/CVE-2026-33814.html
* https://www.suse.com/security/cve/CVE-2026-34986.html
* https://www.suse.com/security/cve/CVE-2026-39821.html
* https://bugzilla.suse.com/show_bug.cgi?id=1254470
* https://bugzilla.suse.com/show_bug.cgi?id=1258511
* https://bugzilla.suse.com/show_bug.cgi?id=1262810
* https://bugzilla.suse.com/show_bug.cgi?id=1265653
* https://bugzilla.suse.com/show_bug.cgi?id=1266483
* https://bugzilla.suse.com/show_bug.cgi?id=1268790



SUSE-SU-2026:2832-1: important: Security update for rustup


# Security update for rustup

Announcement ID: SUSE-SU-2026:2832-1
Release Date: 2026-07-09T19:02:15Z
Rating: important
References:

* bsc#1203257
* bsc#1230032
* bsc#1243862
* bsc#1249008
* bsc#1270186
* bsc#1270521
* bsc#1270619
* bsc#1270644
* bsc#1270795
* bsc#1270870
* bsc#1270874
* bsc#1270989

Cross-References:

* CVE-2024-12224
* CVE-2025-58160
* CVE-2026-41676
* CVE-2026-41677
* CVE-2026-41678
* CVE-2026-41681
* CVE-2026-41898
* CVE-2026-42327
* CVE-2026-44662
* CVE-2026-45784

CVSS scores:

* CVE-2024-12224 ( SUSE ): 2.1
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
* CVE-2024-12224 ( SUSE ): 4.2 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N
* CVE-2024-12224 ( NVD ): 5.1
CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:N/VI:N/VA:N/SC:H/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
* CVE-2025-58160 ( SUSE ): 2.3
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
* CVE-2025-58160 ( SUSE ): 3.1 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N
* CVE-2025-58160 ( NVD ): 2.3
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
* CVE-2026-41676 ( SUSE ): 8.3
CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:L/VA:H/SC:N/SI:N/SA:N
* CVE-2026-41676 ( SUSE ): 6.5 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:H
* CVE-2026-41676 ( NVD ): 7.2
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
* CVE-2026-41676 ( NVD ): 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
* CVE-2026-41677 ( SUSE ): 1.7
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N/E:U
* CVE-2026-41677 ( SUSE ): 3.7 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
* CVE-2026-41677 ( NVD ): 1.7
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
* CVE-2026-41677 ( NVD ): 9.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
* CVE-2026-41678 ( SUSE ): 8.3
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N
* CVE-2026-41678 ( SUSE ): 7.4 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H
* CVE-2026-41678 ( NVD ): 7.2
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
* CVE-2026-41678 ( NVD ): 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
* CVE-2026-41681 ( SUSE ): 8.2
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N
* CVE-2026-41681 ( SUSE ): 5.9 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
* CVE-2026-41681 ( NVD ): 8.1
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
* CVE-2026-41681 ( NVD ): 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
* CVE-2026-41898 ( SUSE ): 8.3
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:L/SC:N/SI:N/SA:N
* CVE-2026-41898 ( SUSE ): 6.5 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:L
* CVE-2026-41898 ( NVD ): 8.3
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
* CVE-2026-41898 ( NVD ): 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
* CVE-2026-42327 ( SUSE ): 8.7
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N
* CVE-2026-42327 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
* CVE-2026-42327 ( NVD ): 8.7
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
* CVE-2026-44662 ( SUSE ): 5.1
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N
* CVE-2026-44662 ( SUSE ): 4.8 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L
* CVE-2026-44662 ( NVD ): 5.1
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
* CVE-2026-45784 ( SUSE ): 5.1
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N
* CVE-2026-45784 ( SUSE ): 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L

Affected Products:

* Development Tools Module 15-SP7
* openSUSE Leap 15.6
* SUSE Linux Enterprise Desktop 15 SP7
* SUSE Linux Enterprise Real Time 15 SP7
* SUSE Linux Enterprise Server 15 SP6
* SUSE Linux Enterprise Server 15 SP6 LTSS
* SUSE Linux Enterprise Server 15 SP7
* SUSE Linux Enterprise Server for SAP Applications 15 SP6
* SUSE Linux Enterprise Server for SAP Applications 15 SP7

An update that solves 10 vulnerabilities and has two security fixes can now be
installed.

## Description:

This update for rustup fixes the following issues

Security issues:

* CVE-2024-12224: idna: idna accepts Punycode labels that do not produce any
non-ASCII when decoded (bsc#1243862).
* CVE-2025-58160: tracing-subscriber: Tracing log pollution (bsc#1249008).
* CVE-2026-41676: openssl: `Deriver:derive` and `PkeyCtxRef:derive` can
overflow short buffers on OpenSSL 1.1.1 (bsc#1270186).
* CVE-2026-41677: openssl: out-of-bounds read in PEM password callback when
returning an oversized length in rust- openssl crate (bsc#1270619).
* CVE-2026-41678: openssl: incorrect bounds assertion in aes key wrap in rust-
openssl crate (bsc#1270644).
* CVE-2026-41681: openssl: MdCtxRef::digest_final() writes past caller buffer
with no length check in rust-openssl crate (bsc#1270795).
* CVE-2026-41898: openssl: unchecked callback-returned length in PSK and
cookie generate trampolines can leak adjacent memory in rust-openssl crate
(bsc#1270870).
* CVE-2026-42327: openssl: arbitrary code execution via specially crafted
certificate in rust-openssl crate (bsc#1270521).
* CVE-2026-44662: openssl: heap buffer overflow when encrypting with AES key-
wrap-with-padding in rust-openssl crate (bsc#1270874).
* CVE-2026-45784: openssl: out-of-bounds write in
`CipherCtxRef::cipher_update_inplace` for AES-KW-PAD ciphers in rust-
openssl crate (bsc#1270989).
* rust-shlex: Multiple issues involving quote API ( RUSTSEC-2024-0006,
GHSA-r7qv-8r2h-pg27) (bsc#1230032).

Non security issue:

* devel:languages:rust/rustup: Missing symlink for rust-analyzer
(bsc#1203257).

## Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like
YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

* SUSE Linux Enterprise Server for SAP Applications 15 SP6
zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-SP6-2026-2832=1

* openSUSE Leap 15.6
zypper in -t patch SUSE-2026-2832=1

* SUSE Linux Enterprise Server 15 SP6 LTSS
zypper in -t patch SUSE-SLE-Product-SLES-15-SP6-LTSS-2026-2832=1

* Development Tools Module 15-SP7
zypper in -t patch SUSE-SLE-Module-Development-Tools-15-SP7-2026-2832=1

## Package List:

* SUSE Linux Enterprise Server 15 SP6 LTSS (aarch64 x86_64)
* rustup-1.28.2~0-150600.10.13.1
* rustup-debuginfo-1.28.2~0-150600.10.13.1
* Development Tools Module 15-SP7 (aarch64 x86_64)
* rustup-1.28.2~0-150600.10.13.1
* rustup-debuginfo-1.28.2~0-150600.10.13.1
* openSUSE Leap 15.6 (aarch64 x86_64)
* rustup-1.28.2~0-150600.10.13.1
* rustup-debugsource-1.28.2~0-150600.10.13.1
* rustup-debuginfo-1.28.2~0-150600.10.13.1
* SUSE Linux Enterprise Server for SAP Applications 15 SP6 (x86_64)
* rustup-1.28.2~0-150600.10.13.1
* rustup-debuginfo-1.28.2~0-150600.10.13.1

## References:

* https://www.suse.com/security/cve/CVE-2024-12224.html
* https://www.suse.com/security/cve/CVE-2025-58160.html
* https://www.suse.com/security/cve/CVE-2026-41676.html
* https://www.suse.com/security/cve/CVE-2026-41677.html
* https://www.suse.com/security/cve/CVE-2026-41678.html
* https://www.suse.com/security/cve/CVE-2026-41681.html
* https://www.suse.com/security/cve/CVE-2026-41898.html
* https://www.suse.com/security/cve/CVE-2026-42327.html
* https://www.suse.com/security/cve/CVE-2026-44662.html
* https://www.suse.com/security/cve/CVE-2026-45784.html
* https://bugzilla.suse.com/show_bug.cgi?id=1203257
* https://bugzilla.suse.com/show_bug.cgi?id=1230032
* https://bugzilla.suse.com/show_bug.cgi?id=1243862
* https://bugzilla.suse.com/show_bug.cgi?id=1249008
* https://bugzilla.suse.com/show_bug.cgi?id=1270186
* https://bugzilla.suse.com/show_bug.cgi?id=1270521
* https://bugzilla.suse.com/show_bug.cgi?id=1270619
* https://bugzilla.suse.com/show_bug.cgi?id=1270644
* https://bugzilla.suse.com/show_bug.cgi?id=1270795
* https://bugzilla.suse.com/show_bug.cgi?id=1270870
* https://bugzilla.suse.com/show_bug.cgi?id=1270874
* https://bugzilla.suse.com/show_bug.cgi?id=1270989



SUSE-SU-2026:2831-1: important: Security update for rustup


# Security update for rustup

Announcement ID: SUSE-SU-2026:2831-1
Release Date: 2026-07-09T18:55:58Z
Rating: important
References:

* bsc#1203257
* bsc#1230032
* bsc#1243862
* bsc#1249008
* bsc#1257902
* bsc#1270186
* bsc#1270521
* bsc#1270619
* bsc#1270644
* bsc#1270795
* bsc#1270870
* bsc#1270874
* bsc#1270989

Cross-References:

* CVE-2024-12224
* CVE-2025-58160
* CVE-2026-25727
* CVE-2026-41676
* CVE-2026-41677
* CVE-2026-41678
* CVE-2026-41681
* CVE-2026-41898
* CVE-2026-42327
* CVE-2026-44662
* CVE-2026-45784

CVSS scores:

* CVE-2024-12224 ( SUSE ): 2.1
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
* CVE-2024-12224 ( SUSE ): 4.2 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N
* CVE-2024-12224 ( NVD ): 5.1
CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:N/VI:N/VA:N/SC:H/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
* CVE-2025-58160 ( SUSE ): 2.3
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
* CVE-2025-58160 ( SUSE ): 3.1 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N
* CVE-2025-58160 ( NVD ): 2.3
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
* CVE-2026-25727 ( SUSE ): 8.7
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
* CVE-2026-25727 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
* CVE-2026-25727 ( NVD ): 6.8
CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
* CVE-2026-25727 ( NVD ): 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
* CVE-2026-41676 ( SUSE ): 8.3
CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:L/VA:H/SC:N/SI:N/SA:N
* CVE-2026-41676 ( SUSE ): 6.5 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:H
* CVE-2026-41676 ( NVD ): 7.2
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
* CVE-2026-41676 ( NVD ): 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
* CVE-2026-41677 ( SUSE ): 1.7
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N/E:U
* CVE-2026-41677 ( SUSE ): 3.7 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
* CVE-2026-41677 ( NVD ): 1.7
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
* CVE-2026-41677 ( NVD ): 9.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
* CVE-2026-41678 ( SUSE ): 8.3
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N
* CVE-2026-41678 ( SUSE ): 7.4 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H
* CVE-2026-41678 ( NVD ): 7.2
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
* CVE-2026-41678 ( NVD ): 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
* CVE-2026-41681 ( SUSE ): 8.2
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N
* CVE-2026-41681 ( SUSE ): 5.9 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
* CVE-2026-41681 ( NVD ): 8.1
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
* CVE-2026-41681 ( NVD ): 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
* CVE-2026-41898 ( SUSE ): 8.3
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:L/SC:N/SI:N/SA:N
* CVE-2026-41898 ( SUSE ): 6.5 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:L
* CVE-2026-41898 ( NVD ): 8.3
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
* CVE-2026-41898 ( NVD ): 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
* CVE-2026-42327 ( SUSE ): 8.7
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N
* CVE-2026-42327 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
* CVE-2026-42327 ( NVD ): 8.7
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
* CVE-2026-44662 ( SUSE ): 5.1
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N
* CVE-2026-44662 ( SUSE ): 4.8 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L
* CVE-2026-44662 ( NVD ): 5.1
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
* CVE-2026-45784 ( SUSE ): 5.1
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N
* CVE-2026-45784 ( SUSE ): 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L

Affected Products:

* openSUSE Leap 15.4
* SUSE Linux Enterprise High Performance Computing 15 SP4
* SUSE Linux Enterprise High Performance Computing 15 SP5
* SUSE Linux Enterprise High Performance Computing ESPOS 15 SP4
* SUSE Linux Enterprise High Performance Computing ESPOS 15 SP5
* SUSE Linux Enterprise High Performance Computing LTSS 15 SP4
* SUSE Linux Enterprise High Performance Computing LTSS 15 SP5
* SUSE Linux Enterprise Server 15 SP4
* SUSE Linux Enterprise Server 15 SP4 LTSS
* SUSE Linux Enterprise Server 15 SP5
* SUSE Linux Enterprise Server 15 SP5 LTSS
* SUSE Linux Enterprise Server for SAP Applications 15 SP4
* SUSE Linux Enterprise Server for SAP Applications 15 SP5

An update that solves 11 vulnerabilities and has two security fixes can now be
installed.

## Description:

This update for rustup fixes the following issues

Security issues:

* CVE-2024-12224: idna: idna accepts Punycode labels that do not produce any
non-ASCII when decoded (bsc#1243862).
* CVE-2025-58160: tracing-subscriber: Tracing log pollution (bsc#1249008).
* CVE-2026-25727: time: parsing of user-provided input by the RFC 2822 date
parser can lead to stack exhaustion (bsc#1257902).
* CVE-2026-41676: openssl: `Deriver:derive` and `PkeyCtxRef:derive` can
overflow short buffers on OpenSSL 1.1.1 (bsc#1270186).
* CVE-2026-41677: openssl: out-of-bounds read in PEM password callback when
returning an oversized length in rust- openssl crate (bsc#1270619).
* CVE-2026-41678: openssl: incorrect bounds assertion in aes key wrap in rust-
openssl crate (bsc#1270644).
* CVE-2026-41681: openssl: MdCtxRef::digest_final() writes past caller buffer
with no length check in rust-openssl crate (bsc#1270795).
* CVE-2026-41898: openssl: unchecked callback-returned length in PSK and
cookie generate trampolines can leak adjacent memory in rust-openssl crate
(bsc#1270870).
* CVE-2026-42327: openssl: arbitrary code execution via specially crafted
certificate in rust-openssl crate (bsc#1270521).
* CVE-2026-44662: openssl: heap buffer overflow when encrypting with AES key-
wrap-with-padding in rust-openssl crate (bsc#1270874).
* CVE-2026-45784: openssl: out-of-bounds write in
`CipherCtxRef::cipher_update_inplace` for AES-KW-PAD ciphers in rust-
openssl crate (bsc#1270989).
* rust-shlex: Multiple issues involving quote API ( RUSTSEC-2024-0006,
GHSA-r7qv-8r2h-pg27) (bsc#1230032).

Non security issue:

* devel:languages:rust/rustup: Missing symlink for rust-analyzer
(bsc#1203257).

Changes for rustup:

* Completely drop openssl to prevent future security issues

Update to version 1.28.2~0:

* Deprecate native-tls as well
* Enable HTTP/2 support for reqwest download backend
* Emit tracing events from log facade calls
* download: show Debug representation for errors
* Avoid repeated globals in tracing events
* Log original download errors immediately
* feat(cli/rustup-mode): add aliases to `rustup component remove`
* Switch flate2 to use the zlib-rs backend
* Hardlink proxies if symlinks aren't reachable
* Add powerpc64le-unknown-linux-musl support
* Add toolchain_name to not installed bail msg
* Warn about using curl
* Drop workspace indirection
* Fold download crate back into rustup
* download: merge integration test files
* chore(deps): lock file maintenance
* Test CARGO environment replacement
* Update CARGO env var if it is a rustup proxy
* Tweak toolchain subcommand help text
* Move toolchain and default commands first
* show toolchain paths in rustup show -v output
* refactor(cli/self-update): save allocations in `Nu::rcfiles()`
* fix(cli/self-update)!: stop appending to `env.nu` due to deprecation
* fix(cli/self-update): consider Windows paths in Nushell suggestions
* refactor(cli/self-update): use `path add` in `env.nu` template
* fix(cli/self-update): use interpolated string in `env.nu` template
* Upgrade dependencies
* docs(user-guide/environment-variables): document `RUSTUP_VERSION`
* feat(rustup-init/sh): allow setting `RUSTUP_VERSION` during installation
* feat(cli/self-update): allow setting `RUSTUP_VERSION` for arbitrary
downgrades
* feat(test/clitools): add `Config::expect_ok_ex_env()`
* fix(errors)!: improve error messages for
`RustupError::ToolchainNotInstalled`
* Add set auto-install disable
* Use `cursor: pointer` for copy button on website
* fix(dist): refine suggestions about missing targets
* Append Windows bin directory to PATH by default
* Remove validation for custom toolchains when reading rust-toolchain.toml
* document RUSTUP_AUTO_INSTALL
* Fix build script `cargo` instructions

Update to version 1.28.1~0:

* dist(rustup-init/sh): update commit shasum
* Update changelog for 1.28.1
* fix!(config): re-enable implicit toolchain installation in
`Cfg::local_toolchain()` with optional opt-out
* refactor(test/clitools): extract `Config::expect_err_env()`
* Use relative symlinks when possible
* docs: update CHANGELOG for v1.28.1 release
* fix!(config): re-enable active toolchain installation in
`Cfg::find_active_toolchain()` with optional opt-out
* config: make Config::find_active_toolchain() async
* Use terse output for rustup show active-toolchain
* Use read_timeout for reqwest instead of timeout
* test: turn set_current_dist_date() into a Config method
* test: privatize clitools module
* test: remove function wrappers for cmd() and env()
* test: privatize mock module
* test: move create_mock_dist_server() to Scenario::write_to()
* test: move Release into dist
* test: turn channel builders into constructors
* test: move mock channel builders into dist
* test: move arch consts into top-level module
* test: turn build_*_installer() functions into constructors
* test: move installer builders into mock module
* test: privatize items in clitools
* test: keep Config impl close to type definition
* test: privatize dist module
* test: privatize items in test::dist
* test: inline short module topical_doc_data
* Remove level of nesting in test module
* Tweak SanitizedOutput style
* docs: update `CHANGELOG` for v1.28.0 release
* Have mocked cargo better adhere to cargo conventions
* Do not append `EXE_SUFFIX` in `Config::cmd`
* Add `TryFrom<Output>` for `SanitizedOutput`
* refactor(test): replace `(before|after)_test_async()` with
`TestProcess::_telemetry_guard`
* style(rustup-init): reorganize imports
* refactor(log): introduce `GlobalTelemetryGuard`
* refactor(process): rename `TestProcess::_guard` to `_tracing_guard`
* chore(deps): update opentelemetry
* fix(deps): update rust crate windows-registry to 0.5.0
* refactor: improve binary suffix stripping
* build: bump the codebase Language Edition to 2024
* style(cli/job): fix `unsafe-op-in-unsafe-fn`
* style(cli/log): use precise capturing when necessary
* chore: use unsafe versions of `(add|remove)_var()`
* style: remove redundant `ref` keywords
* style: partially migrate away from `if-let`
* style: format sources with the 2024 Style Edition
* chore: fix new `clippy` warnings
* fix(deps): update rust crate pulldown-cmark to 0.13
* feat(rustup-init/sh): add env var to print arch detection result
* refactor(component): reduce allocations in `ComponentPart::encode()`
* refactor(component)!: extract `ComponentPartKind`
* style(component): reduce right drift in `ComponentPart::decode()`
* refactor(component)!: turn `ComponentPart`'s fields into named ones
* fix(dist/prefix): normalize path separators in `REL_MANIFEST_DIR`
* fix(component): normalize path separators during
`ComponentPart::(en|de)code()`
* Upgrade to rand 0.9
* fix(ci/doc): fix typo in renovate `datasource`
* ci(doc): make `renovatebot` bump locked `mdbook`
* ci(doc): pin `mdbook` to `0.4.43`
* ci(schedule): run cron tasks more times per week
* ci(schedule): promote to use the `stable` job list
* ci(doc): fix stable build of `user-guide`
* ci(linux): enable the full test suite for `aarch64-unknown-linux-gnu`
* ci(linux): use public ARM64 Linux runners
* ci(deploy-docs): merge with `test-docs`
* ci(deploy-docs): enable on PR without uploads
* ci(deploy-docs): build one book per workflow step
* ci(deploy-docs): install `mdbook` with `install-action`
* Change installation of dependencies for Aarch64 Dockerfile
* Run Aarch64 jobs on PRs
* Use ARM based runners for ARM CI targets
* style: fix `clippy` warnings
* docs(user-guide/components): add deprecation notice for `wasm32-wasi`
* Update Windows dependencies
* feat(cli/rustup-mode)!: simplify error message for `rustup show active-
toolchain`
* fix(cli/rustup-mode): make `rustup show active-toolchain` exit with `1` when
none is active
* fix(cli/rustup-mode): make `rustup default` exit with `1` when there's no
default
* fix(cli/rustup-mode)!: change `rustup doc --error_codes` to `--error-codes`
* fix(deps): update rust crate itertools to 0.14
* fix(cli): align `rustup show`'s `--verbose` behavior with `rustup show
active-toolchain`
* feat(cli): show the toolchain path with `rustup show active-toolchain
--verbose`
* feat(test): accept more than one args in `for_host*!()`
* fix(ci): fix installation of `cargo-all-features`
* docs(user-guide/installation): update "General tips"
* move deps around
* fix(deps): update rust crate rustls-platform-verifier to 0.5
* fix(rustup-init/sh): don't emit "unknown macOS major version" for macOS v11+
* refactor(rustup-init/sh): extract `$_os_major`
* refactor(rustup-init/sh): extract `$_os_version`
* ci(linux): move `bindgen-cli` installation into `run.bash`
* ci(stable): enable `loongarch64-unknown-linux-musl` builds
* ci(linux): disable `reqwest-rustls-tls` for unsupported platforms
* ci(linux): configure `gcc-multilib` and `libclang` for some *nix builds
* chore(deps): bump `aws-lc-rs` and `aws-lc-sys`
* download: clean up TLS feature guards
* download: simplify feature guards
* download: attach download functions to Backend type
* download: remove intermediate reqwest-backend feature
* Implement more complete backend selection
* Simplify logic for download backend notification
* docs(dev-guide/tracing): make "Adding instrumentation" a level-2 title
* ci(windows): don't install `awscli` via `choco`
* test(mock/topical-doc-data): add test cases with both a flag and a topic
* refactor(test/mock): use tuples for `topical_doc_data::TEST_CASES`
* feat(cli/rustup-mode): allow `rustup doc` with both a flag and a topic
* refactor(toolchain): allow passing a fragment in `Toolchain::doc_path()`
* refactor(toolchain): allow absolute paths in `Toolchain::doc_path()`
* refactor(toolchain): simplify `Toolchain::doc_path()`
* refactor(cli/rustup-mode): rename `doc_url` to `doc_path`
* refactor(cli/rustup-mode): make `DocPage::path()` return
`Option<&Path>`
* refactor(cli/rustup-mode): move `DocPage::name()` to a separate `impl` block
* refactor(cli/topical-doc): clean up some funtions
* refactor(cli/rustup-mode): use early return in `doc()`
* Update semver-compatible dependencies
* fix: make sure no overflow on small screens
* feat: make the box white
* feat: use the color form the rust website for tags, hr and copy button
* Add the main element and header to setup new layout
* chore: remove the old pitch first
* Apply clippy suggestions
* Append to 1.28.0 changelog
* Bump version, commit and date in rustup-init.sh
* Clean up trailing whitespace in rustup-init.sh
* Add changelog for 1.28.0
* Bump version to 1.28.0
* chore(deps): update remove-dir-all to 1.0
* Add aliases for remove/uninstall/unset commands
* feat: add nushell support
* Upgrade to opentelemetry 0.27
* fix: add missing close body tag
* Upgrade thiserror to 2
* Upgrade to rustls-platform-verifier 0.4
* fix(cli/rustup-mode): remove `.num_args()` when
`.value_delimiter(',')` is present
* refactor(cli/rustup-mode): remove deprecated `.use_value_delimiter()`
* chore(config): migrate config .github/renovate.json
* docs: update channel toolchain syntax
* feat(cli/rustup-mode): support more books in `rustup doc`
* style(cli/rustup-mode): reorder items in `docs_data![]`
* fix: add powerpc64 and s390x to known target_arch values for tests
* style(utils): put the `mod` declarations below the imports
* style: regroup some imports
* refactor(utils): hoist `utils::utils` into `utils`
* feat(rustup-init): detect and warn about existing `settings.toml`
* fix: fix typo in `check_existence_of_rustc_or_cargo_in_path()`
* style: allow using `dbg!()` across `rustup::test`
* refactor(diskio): replace `eprintln!()` with `debug!()`
* style: enable `clippy::(dbg_macro|todo)` across the workspace
* style: enable `clippy::print_std(err|out)` when applicable
* style: introduce workspace-wide lint tables
* build: use `workspace.package` properties in `Cargo.toml`
* fix(config): improve error when overridden active custom toolchain isn't
installed
* fix(config): print special error for invalid toolchain name in override file
* Update semver-compatible dependencies, except openssl-src
* style(rustup-init/sh): ignore `shellcheck` SC2086 false positives
* fix(rustup-init/sh): fix incorrect TLS warning with curl v8.10
* tests: rust-toolchain + profile in settings
* Remove unnecessary methods
* replace `winreg` dependency
* Update remove_dir_all
* refactor(cli/common)!: deny installing a host-incompatible toolchain w/o
`--force-non-host`
* refactor(cli/common)!: take in `toolchain: String` in
`warn_if_host_is_incompatible()`
* feat(cli/rustup-mode): add `--force-non-host` to `rustup default`
* refactor(config)!: pass the `force_non_host` flag to
`Cfg::ensure_installed()`
* refactor(cli/rustup-mode): rename `forced` to `force_non_host`
* docs(README): Point out where to find nightly/master docs.
* Note that selecting VS lang packs is optional
* Make symlink_or_hardlink_file remove dest
* Try symlinking proxies first
* Apply clippy suggestions from 1.81
* feat(cli/rustup-mode)!: set log level to `INFO`/`DEBUG` on
`--quiet`/`--verbose` if `RUSTUP_LOG` is unset
* refactor(cli/setup-mode): extract `update_console_logger()`
* fix(cli/setup-mode): simplify description for `--quiet`
* feat(cli/setup-mode)!: set log level to `DEBUG` on `--verbose` if
`RUSTUP_LOG` is unset
* refactor(common)!: remove `verbose` flag in several places
* refactor(config): simplify `find_or_install_active_toolchain()`
* refactor(config)!: return `LocalToolchainName` from
`find_or_install_active_toolchain()`
* refactor(config): simplify `resolve_toolchain()`
* refactor(config): simplify `toolchain_from_partial()`
* chore(triage): allow transferring issues to other org repos
* Allow `rustup doc` to search for unions
* docs(user-guide): add a link to the latest "Previous components" section
* test(cli_v2): introduce `update_removed_component_toolchain()`
* feat(dist): add notes for `stable` and `beta` in `components_missing_msg()`
* refactor(dist): inline some const strings in `components_missing_msg()`
* refactor(dist): extract "nightly tips" out of the match block in
`components_missing_msg()`
* fix: fix typo in several places
* Upgrade pulldown-cmark to 0.12
* fix(manifest): consider possible renames in `Component::try_new()`
* ci(macos): install `awscli` from `brew`
* refactor(config)!: make `toolchain_from_partial()` sync
* feat(config)!: remove implicit installation from `toolchain_from_partial()`
* refactor(config)!: make `resolve_toolchain()` sync
* feat(config)!: remove implicit installation from `resolve_toolchain()`
* test(cli-rustup): remove `heal_damaged_toolchain()`
* refactor(config): extract `local_toolchain()` from
`resolve_local_toolchain()`
* refactor(config): extract `toolchain` variable from
`resolve_local_toolchain()`
* refactor(config)!: make `resolve_local_toolchain()` sync
* feat(config)!: remove implicit installation from `resolve_local_toolchain()`
* refactor(config)!: rename `local_toolchain()` to `resolve_local_toolchain()`
* feat(rustup-mode): install the active toolchain by default on `rustup
toolchain install`
* fix(rustup-mode): adjust descriptions for `rustup toolchain uninstall`
* feat(rustup-mode)!: add `ensure_active_toolchain` flag to `update()`
* feat(config)!: add `verbose` flag to `find_or_install_active_toolchain()`
* style(config): replace `dist::Profile` with `Profile`
* style(config): replace `dist::TargetTriple` with `TargetTriple`
* fix(config): call `warn_if_host_is_incompatible()` in `ensure_installed()`
* refactor(common): use early return in `warn_if_host_is_incompatible()`
* refactor(rustup-mode): extract `warn_if_host_is_incompatible()`
* style(common): merge imports
* refactor(distributable)!: avoid unnecessary clones
* refactor(distributable)!: replace `install_if_not_installed()` with
`ensure_installed()`
* feat(config)!: add `verbose` flag to `ensure_installed()`
* feat(config)!: return `UpdateStatus` from `ensure_installed()`
* feat(config)!: use `Cfg::get_profile()` for unspecified profile in
`ensure_installed()`
* chore(config): add `#[tracing::instrument]` to `ensure_installed()`
* ci(freebsd): fix build failure related to `aws-lc`
* ci(windows): don't install OpenSSL via `choco`
* ci(run): remove redundant `if` predicate
* ci(run): use the detected number of test threads
* feat(download/rustls): use `aws-lc` instead of `ring`
* style(taplo): enable `reorder_keys` for `*dependencies` in `Cargo.toml`
* Upgrade windows-sys to 0.59
* fix: fix unreachable code lints on Android
* docs(dev-guide): remove descriptions of `rustup_macros`
* docs(dev-guide): update description of `rustup::process`
* Remove `once_cell` dependency
* docs(dev-guide): add guideline for atomic commits to the developer guide
* fix: fix `clippy` lints
* docs(user-guide): use `brew install rustup` instead of `rustup-init`
* Bump fs_at to 0.2.1
* chore(deps/renovate): disable `automerge`
* Upgrade to opentelemetry 0.24
* build(windows): don't link against `powrprof`
* build(windows): fix typo in `build.rs`
* fix(utils): make `ExitCode` `#[must_use]`
* refactor(rustup-mode): introduce `ExitCode::bitand*()`
* fix(rustup-mode): return `ExitCode(1)` when `update()` fails
* refactor(rustup-mode)!: remove redundant `ExitCode` in `self_update()`'s
callback
* test(cli-misc): simplify `version_mentions_rustc_version_confusion()`
* fix(rustup-mode): refine output for `rustup --version`
* fix(rustup-mode)!: don't install toolchain on `rustup --version`
* chore(deps/renovate): update `automerge` schedule for `lockFileMaintenance`
* ci(check): add `taplo fmt` test for TOMLs
* style: reformat all TOMLs with `taplo`
* ci(gen-workflows): remove `--quiet` from `git diff`
* refactor: use `#[cfg()]` instead of `cfg!()` when possible
* refactor(self-update): remove outdated `do_pre_install_sanity_checks`
* Add help message for missing toolchain
* Rename OSProcess to OsProcess
* Rename currentprocess to process
* Forward to Process::var_os() directly
* Fix home_dir() and current_dir() regression
* feat(log): set level of `#[tracing::instrument(err)]` to `TRACE`
* feat(log): unhide `tracing::instrument` from behind `feature =
"otel"`
* ci(windows): increase stack size to 16MiB
* Upload Windows artifacts into correct subdirectory
* Fix uploading of Windows build artifacts
* Prepare deployment on master branch
* Grant GitHub Actions workflows access to OIDC token
* chore(deps): update aws-actions/configure-aws-credentials action to v4
* Authenticate CI uploads with OIDC
* Upload release artifacts to new S3 bucket
* chore(deps/renovate): set `prCreation` to `immediate`
* feat(dist): refine suggestions regarding manifest checksum mismatches
* refactor(config): extract `dist_root_server()`
* refactor(dist): use `let-else` in `dl_v2_manifest()`
* refactor(dist/notifications)!: inline usages of
`Notification::ManifestChecksumFailedHack`
* refactor(install): avoid extra clone in `InstallMethod::install`
* Reorder operations in order to simplify
* Deduplicate handling of environnment variables
* Move if_not_empty() to calling module
* feat(cli): warn when removing the default/active toolchain
* feat(cli): improve warning when removing the last/host target for a
toolchain
* docs(ci): simplify the target policy in the README
* Add loongarch64-unknown-linux-musl support
* fix(download): fix build error with `--no-default-features --features=curl-
backend`
* feat(rustup-init): set log level to `WARN` on `-q` if `RUSTUP_LOG` is unset
* implements quiet flag in `rustup-init.sh`
* test(manifestation): introduce and migrate tests to `TestContext`
* chore(manifestation): organize imports
* add regression tests for smart guess
* apply smart guess to `rustup update/uninstall self`
* Disable automatic self updates in CI environments
* feat(download/rustls): use `rustls-platform-verifier`
* ci(windows): run `cargo all-features`
* fix(self-update/windows): address some `unused_imports` warnings
* fix(rustup-mode): improve `clap` error format
* Add period in warning while checking existing rust installations
* Move Windows-only test code into windows module
* Asyncify CLI tests
* Use guard type to replace with_saved_path()
* Refactor test registry state to be more type safe
* Inline single-use with_saved_global_state() function
* Privatize with_saved_global_state()
* Move change_dir() into CliTestContext
* Move with_update_server() into CliTestContext
* Remove Config::with_scenario()
* Port cli_v2 to CliTestContext
* Port cli_v1 to CliTestContext
* Port cli_self_upd to CliTestContext
* Port cli_rustup to CliTestContext
* Port cli_paths to CliTestContext
* Port cli_misc to CliTestContext
* Port cli_inst_interactive to CliTestContext
* Port cli_exact to CliTestContext
* Use CliTestContext directly in self_update_setup()
* Start CliTestContext type wrapper
* docs(dev-guide/tracing): mention `RUSTUP_LOG` and console-based tracing
* docs(dev-guide/linting): improve wording
* test(dist): add simple tests for `PartialVersion`
* chore(dist): add some doc comments
* fix(dist): throw an error when a `PartialVersion` string doesn't start with
an ASCII digit
* ci(all-features): add `-D warnings` to `cargo check-all-features`
* fix(currentprocess/filesource): address some `unused_imports` warnings
* fix(currentprocess): address some `unused_imports` warnings
* fix(regex): replace `\d` to `[0-9]` to avoid matching non-ASCII digits
* refactor(toolchain/names): replace `toolchain_sort` with `ToolchainName`'s
`Ord` instance
* refactor(dist)!: make `ToolchainDesc.channel` more strongly typed
* Remove unnecessary lint suppressions
* Use local suppression for clippy::too_many_arguments
* Rename desc fields to toolchain
* Remove intermediate state from error handling
* Remove indirection in update error handling
* Inline wrapper function
* Reduce rightward drift
* Propagate use of DistOptions
* Avoid unnecessary unwrapping
* Extract struct from InstallMethods::Dist variant
* refactor(log): replace the `TELEMETRY_DEFAULT_TARCER` singleton with a
function
* test(clitools): revive `run_inprocess()`
* fix(dist/arm): don't assume `armv7` if `/proc/cpuinfo` is unavailable
* fix(dist): add fallbacks to `/proc/self/exe` in `rustup-init.sh`
* Rename default-tls to native-tls
* Inline small errors module
* Inline addition/removal to programs
* Move windows-only self_update code into windows module
* Reorganize platform-dependent imports in self_update
* refactor(log): replace `[Ww]arning:` log line prefix with `warn:`
* refactor(log): rename `NotificationLevel::Debug` to `Trace` and `Verbose` to
`Debug`
* Remove unused code
* Hoist Toolchain up into top-level toolchain module
* Remove unused derived sorting implementations
* Privatize internal organization of toolchain module
* Inline argument
* Inline trivial wrapper
* Move toolchain resolution into Cfg method
* Check settings version on Cfg construction
* Move proxy toolchain resolution logic into Cfg method
* Move rustc_version() function into Cfg
* Expose higher-level interface in Toolchain
* Move DistributableToolchain::installed_paths() into Cfg
* No need to store cfg in DistributableToolchain
* Reduce indirection in Cfg::from_partial()
* Move Toolchain::from_partial() to Cfg
* Take owned LocalToolchainName in Toolchain::from_local()
* Simplify Toolchain::from_local()
* refactor(dist): hoist `dist::dist` into `dist`
* refactor(dist): privatize imports from `dist::dist`
* Fix the `TODO` in `src\toolchain\toolchain.rs`
* Use tracing macros directly
* Inline single-caller maybe_trace_rustup()
* Remove rustup test wrapper macros
* Use tokio::main attribute
* Attach Process-dependent utils to Process
* Remove with_runtime()
* fix(config): fix typo in `ActiveReason`
* fix(log): use `RUSTUP_LOG` for internal `tracing` instead of `RUST_LOG`
* refactor(currentprocess): make use of `Arc::default()`
* refactor(currentprocess): rename `TestProcess.guard` to `_guard`
* Remove currentprocess::with()
* Privatize most TestProcess fields
* Remove unused TestProcess::id
* Pass Process around explicitly
* Let argument parser handle SelfUpdateMode conversion
* Let argument parser handle Profile conversion
* Use simpler form for string concatenation
* Reduce rightward drift by duplicating some Ok-wrapping
* Rename _install_selection() to IInstallOpts::install()
* Inline async closure
* Move error mapping out of validation function
* Rename do_pre_install_options_sanity_checks() to InstallOpts::validate()
* Rename customize_install() to InstallOpts::customize()
* Pass InstallOpts around directly
* refactor(terminalsource): use `.eq_ignore_ascii_case()` in
`ColorableTerminal::new`
* chore(notify): sort logging macros and `NotificationLevel` on verbosity
* chore(env): retire `RUSTUP_DEBUG` in favor of `RUST_LOG`
* feat(log): make `console_logger()` accept `RUSTUP_TERM_COLOR` and `NO_COLOR`
* refactor(log): reimplement `log` using `tracing`
* refactor(test): clean up `before_test_async()`
* chore(deps): make `tracing-subscriber` a hard requirement
* refactor(test): setup `tracing` subscriber in `before_test_async()`
* test(clitools): disable `run_inprocess()`
* refactor(test): execute all `#[rustup_macros::unit_test]`s within a `tokio`
context
* refactor(log): extract `telemetry()`
* Remove noop functions in favor of conditional compilation
* Avoid trivial wrapper functions
* Store process name in error variant directly
* Inline trivial wrapper function
* Fix misleading "uninstalled toolchain" notification
* refactor(ci/run): use more `target_cargo()` in `run.bash`
* Remove trivial new() implementation
* Use serde to encode/decode mock manifests
* Use serde to encode/decode rustup manifests
* Use serde to encode/decode config
* Represent config version as an enum
* Use serde to encode/decode manifests
* Represent manifest version as enum
* Use serde to encode/decode settings
* Add tests for settings encoding
* Derive Default for Settings
* Represent metadata version as an enum
* Use Default impl for Settings::profile default
* Derive Default for Profile
* Discard unnecessary layer of Arc
* Externalize wrapping of DownloadTracker
* Inline NotifyOnConsole
* Internalize interior mutability for Notifier
* Decouple Cfg from Notifier initialization
* fix(dist/triple): ensure `dist::triple::known` is up to date with
`platforms`
* refactor(toolchain): reuse `dist::triple::known` in `toolchain::names`
* refactor(dist/triple): move known triples to `dist::triple::known`
* refactor(build): use `platforms` to verify `RUSTUP_OVERRIDE_BUILD_TRIPLE`
* refactor(build): simplify the code obtaining the current triple
* feat(cli): add `--quiet` to `rustup (target|component) list`
* feat(cli): add `--quiet` to `rustup toolchain list`
* Inline trivial single-use function utils::to_absolute()
* Inline trivial single-use function Cfg::which_binary()
* Inline short single-use function direct_proxy()
* Rename new_toolchain_with_reason() to Toolchain::with_reason()
* Move Cfg::maybe_do_cargo_fallback() to Toolchain
* Move Cfg::create_command_for_toolchain() to Toolchain::command()
* Extract common usage of Cfg::create_command_for_toolchain()
* Inline trivial single-use function Cfg::create_command_for_dir()
* Inline simple function Cfg::create_command_for_toolchain()
* Move toolchain construction out of Cfg::create_command_for_toolchain()
* Inline single-use function
* Improve error message for failing .rustup creation
* Inline trivial single-use function
* Inline utils::current_dir()
* Take explicit current_dir argument in to_absolute()
* Pass current_dir down from main()
* Update rustup.rs website to offer Rustup on Windows on Arm
* Use Cfg::current_dir in override_remove()
* Use Cfg::current_dir in override_add()
* Use Cfg::current_dir in find_or_install_active_toolchain()
* Use Cfg::current_dir for create_command_for_dir()
* Use Cfg::current_dir for find_or_install_active_toolchain()
* Store current_dir in Cfg for use in find_active_toolchain()
* Enable building Rustup win-aarch64 on PR
* Add aarch64-apple-darwin and aarch64-pc-windows-msvc to cloudfront-
invalidation.txt
* Update Other installation methods page to include aarch64-pc-windows-msvc
* Remove unnecessary trait abstraction
* Simplify process access to current_dir
* Simplify process access to environment variables
* Remove unnecessary trait bound for home::Env
* Simplify process access to pid
* Simplify process access to stdin
* Simplify process access to stderr
* Simplify process access to stdout
* Simplify process access to argument iterator
* fix(download): work around `hyper` hang issue by adjusting `reqwest` config
* test(download): fix clippy warnings regarding `Mutex` in `async`
* test(dist): add regression tests for parsing beta versions with tags
* test(dist): introduce scenario `BetaTag` with mock test data
* feat(dist): add support for parsing beta versions with tags in the toolchain
* refactor(utils): move `run_future()` under `manifestation`
* feat(config): make `create_command_for_toolchain()` async
* refactor(config): make `update_all_channels()` async
* refactor(self_update): make `maybe_install_rust()` async
* refactor(config): make `ensure_installed` async
* fix expected path-separators on windows
* add a regression test
* consistently add context with file path when parsing fails
* ci(windows/gnu): install `mingw` via `bwoodsend/setup-winlibs-action`
* ci(windows): enable CI on `x86_64-pc-windows-gnu`
* Make manifestation test update_from_dist async
* Make update async
* Make default_ async
* Make check_updates async
* Make target_add async
* Make target_remove async
* Make component_add async
* Make component_remove async
* Make update_all_channels async
* Make toolchain_link async
* Make override_add async
* Make DistributableToolchain::remove_component async
* Make DistributableToolchain::add_component async
* Make DistributableTool::install_if_not_installed async
* Make DistributableToolChain::install async
* Make toolchain.update async
* Make update_extra async
* Make show_dist_version async
* Make InstallMethod::install async
* Make InstallMethod::run async
* Make update_from_dist async
* Make update_from_dist_ async
* Make try_update_from_dist_ async
* Make update_v1 async
* Make dist::dl_*_manifest async
* Make common::self_update async
* Make manifestation::update async
* Make download retries async
* Make DownloadCfg::download_and_check async
* Make DownloadCfg::download_hash async
* Make self_update::update async
* Make check_rustup_update async
* Make prepare_update async
* Make get_available_rustup_version async
* Make setup_mode::main async
* Make self_update::install async
* Make try_install_msvc async
* Make download_file async
* Make DownloadCfg::download async
* Make download_file_with_resume async
* Make download_file_ async
* Make download_to_path_with_backend async
* Make download_with_backend async
* Make rustup_mode::main async
* Convert run_rustup_inner to async
* Make run_rustup async
* Remove maybe_trace_rustup runtime setup
* Make maybe_trace_rustup async
* Convert main to using a tokio runtime always
* Ring 0.17.x support Windows on ARM
* ci(macos): use `macos-latest` instead of `macos-14`
* fix(deps): update rust crate itertools to 0.13
* fix(deps): update rust crate pulldown-cmark to 0.11
* Avoid unnecessary allocations
* Attempt to reduce duplication by adding a little abstraction
* Move explicit_desc_or_dir_toolchain() to Toolchain::from_partial()
* Propagate ExitStatus instead of custom ExitCode
* Use precise internal imports
* Use idiomatic way to proxy str data
* Inline RustupSubcmd::dispatch()
* refactor(filesource): replace repetitive `#[cfg()]` usages with a new `mod`
* Fix ETA display after regression
* Stop showing ETA after download is complete
* refactor(cli): hoist the `handle_epipe()` call out of the `match`
* refactor(cli): rewrite `rustup` itself with `clap-derive`
* refactor(cli): rewrite `rustup (self|set)` with `clap-derive`
* refactor(cli): rewrite `rustup (man|completions)` with `clap-derive`
* refactor(cli): rewrite `rustup doc` with `clap-derive`
* refactor(cli): rewrite `rustup (run|which|dump-testament)` with `clap-
derive`
* refactor(cli): rewrite `rustup override` with `clap-derive`
* refactor(cli): rewrite `rustup component` with `clap-derive`
* refactor(cli): rewrite `rustup target` with `clap-derive`
* refactor(cli): rewrite `rustup (check|default)` with `clap-derive`
* refactor(cli): rewrite `rustup (toolchain|update|(un)?install)` with `clap-
derive`
* refactor(cli): remove `deprecated()`
* refactor(cli): rewrite `rustup show` with `clap_derive`
* fix(rustup-init): fix typo in `rustup-init[.sh]` args
* feat(download): reflect the download/TLS backends in the user agent
* Make find_override_from_dir_walk return OverrideCfg
* Make settings file allow multiple borrows
* Fix doc error with `rust-toolchain.toml` custom TC
* Make `rustup default` not error if no default
* Update format of `toolchain list`
* Update format of `show` and `show active-toolchain`
* Redesign OverrideCfg to be more type-driven
* Pull match statement out in OverrideCfg::from_file()
* Change find_override to find_active_toolchain
* Pull out `new_toolchain_with_reason()`
* Pull out `ensure_installed()`
* refactor(cli): reorder `if` statement in `cli::setup_mode::main()`
* refactor(cli): rewrite `rustup-init` with `clap_derive`
* Avoid code duplication for printing target/component items
* Deduplicate code to get components from distributable
* Merge list_{,installed_}targets
* Merge list_{,installed_}components functions
* fix(filesource): make some constructs only available via the `test` feature
* fix(ci/freebsd): install ca certs to prevent `invalid peer certificate:
UnknownIssuer`
* feat(download-backend)!: make `reqwest/rustls` the new default
* feat(download-backend)!: refine selection logic
* Update MSVC requirements to VS 2017 to match Rust repo
* refactor(download): use `DownloadCallBack` in `download_with_backend()`
* ci: don't build for `i686-linux-android` due to OpenSSL v3 atomic issues
* ci(android): update NDK version
* fix(deps): update rust crate openssl-src to v300
* ci(linux-gnu): install `perl-IPC-Cmd` to make OpenSSL v3 happy
* chore(deps): update ubuntu docker tag to v24
* docs(dev-guide): remove "pushing to master" in the release process
* Replace remaining winapi usage with windows-sys

Update to version 1.27.1~0:

* chore(dist): update commit shasum in `rustup-init.sh`, take 2
* fix(ci/linux): don't use `pip3` to install `awscli`
* fix(ci/macos): don't use `pip3` to install `awscli`
* chore(dist): update commit shasum in `rustup-init.sh`
* docs: update CHANGELOG for v1.27.1
* feat(dist): improve `changelog_helper` script
* dist: bump `rustup` version to `1.27.1`
* chore: fix some typos in comments
* Remove TryFrom for TargetTriple
* Add tests for add/remove components by name with target triple
* Replace Component::new_with_target by Component::try_new
* refactor(self-update)!: remove confusing `get_path()` impl on Unix
* test(self-update): ensure the resolution of #3739
* feat(self-update): add `with_saved_reg_value()`
* refactor(self-update): extract `(get|restore)_reg_value()`
* refactor(self-update): extract `with_saved_global_state()`
* refactor(self-update): use `std::io`
* fix(self-update): replace some `#[cfg(not(unix))]` usages with
`#[cfg(windows)]`
* feat(self-update): improve error messages on Windows
* fix(self-update): run `do_update_programs_display_version()` on
`run_update()`
* refactor(self-update): extract `get_and_parse_new_rustup_version()`
* refactor(self-update): extract `do_update_programs_display_version()`
* ci: don't test for FreeBSD on PRs
* docs(user-guide): update `environment-variables`
* refactor(self-update): eliminate needless clone
* feat(self-update): log `RUSTUP_DIST_*` if it's set
* feat(self-update): log `RUSTUP_UPDATE_ROOT` if it's set
* refactor(self-update): rename `UPDATE_ROOT` to `DEFAULT_UPDATE_ROOT`
* refactor(self-update): extract `update_root()`
* once_cell only used with reqwest in download crate, so gate it
* tracing unsed only from otel feature, so move it to optional
* Add loongarch64-unknown-linux-gnu to installation docs
* Add loongarch64-unknown-linux-gnu to cloudfront invalidations
* Use pattern matching to make Debug impl for Cfg more robust
* Use std IsTerminal interface
* Rename temp::Cfg to Context
* temp: keep definitions and impls together
* Remove derivative dependency in favor of manual implementation
* docs(dev-guide): move all mentions of `cargo clippy` to `linting.md`
* docs(dev-guide): mention that we need to keep mdBook links stable
* refactor(utils)!: rename `delete_dir_contents()` to
`delete_dir_contents_following_links()`
* fix(utils): resolve input path in `delete_dir_contents()` if it's a link
* test(cli): ensure the resolution of #3344
* Revert "fix(utils): unlink input path in `delete_dir_contents()` if it's a
link"
* Revert "refactor(utils)!: rename `delete_dir_contents()` to
`delete_dir_contents_or_unlink()`"
* Revert "test(cli): ensure the resolution of #3344"
* refactor(utils)!: rename `delete_dir_contents()` to
`delete_dir_contents_or_unlink()`
* fix(utils): unlink input path in `delete_dir_contents()` if it's a link
* test(cli): ensure the resolution of #3737
* refactor(util)!: rename `open_dir()` to `open_dir_following_links()`
* fix(utils): don't use `O_NOFOLLOW` in `open_dir()`
* chore: fix typo in `CHANGELOG`
* chore(meta): update `bug_report` issue template
* Add hr to Windows instructions
* fix(doc): don't show the opening message when --path is used
* chore: remove repetitive words
* fix(deps): update rust crate opener to 0.7.0
* fix(config): remove unnecessary debug print
* fix(ci): fix file paths in CI-generated `*.sha256` files on *nix
* fix(ci): correct error message after bumping reqwest
* fix(deps): update rust crate reqwest to 0.12
* doc(dev-guide): Fix test Lint and add explanation
* Fix "component add" error message
* ci: use `stable` Rust for all clippy lints
* style: apply clippy suggestions from Rust 1.78.0
* fix(ci/windows): disable `cargo clippy` on `*-windows-gnu`
* fix(shell): create parent dir before appending to rcfiles
* fix(fish): fix definition of `Fish::update_rcs`
* docs(dev-guide): update `release-process.md` to match the new workflow based
on GitHub Merge Queue
* ci(macos): add `MACOSX_DEPLOYMENT_TARGET` and friends
* Replaced `.` with `source` in fish shell's `source_string`
* Deny clippy warnings in CI
* Rely on implicit conversion to OperationResult
* Extract closure from match scrutinee
* fix(cli): fix incorrect color state after `ColorableTerminal::reset`
* docs: Add note about stability of llvm-tools.
* Change default for RUSTUP_WINDOWS_PATH_ADD_BIN
* ci: remove direct `renovate/*` tests
* Fix dead_code and unused_imports warnings

Update to version 1.27.0~0:

* docs: update `CHANGELOG` for v1.27.0
* hack(deps): pin `openssl-sys` to 0.9.92
* fix #3663. Feedback in terminal when opening browser for docs
* Fix copy icon position in Safari
* Upgrade to opentelemetry 0.22
* fix ambiguous prompt after setting up custom installation
* docs: rephrase and split sentence about Visual Studio license
* Add comment on why we prefer symlinks to junctions
* Windows: Try using symlinks if they're allowed
* chore(ci): unify the matrix format to (mode, target)
* ci: update runners for macOS-related workflows
* docs: mention `apt` in installation methods
* docs: fix missing links in `CHANGELOG.md`
* chore(deps): update rust crate trycmd to 0.15.0
* fix(deps): downgrade `openssl-sys` to 0.9.92
* ci: remove the now-tier3 `mips*-unknown-linux-gnu*` targets from the build
* Update mdbook and fix some source issues.
* Rename `.cargo/config` to `.cargo/config.toml`
* chore: update `CHANGELOG.md`
* dist: bump `rustup-init.sh` version to `1.27.0`
* dist: bump `rustup` version to `1.27.0`
* feat: introduce `changelog_helper` script
* Upgrade to pulldown-cmark 0.10
* Fix some typos
* fix(deps): update rust crate libc to 0.2.153
* Download rust CI Docker images from a registry
* Component is now named 'llvm-tools'
* chore: add docstring to `is_32bit_userspace()`
* chore: disable some unix-only helper functions on Windows
* chore(deps): update actions/cache action to v4
* refactor(cli): simplify case splitting on `clap::error::ErrorKind`
* refactor(names): replace `maybe_official_toolchainame_parser` with `impl
FromStr`
* refactor: simplify `is_proxyable_tools`
* refactor(distributable): import `ComponentStatus`
* refactor(cli): avoid nested combinators in `has_at_most_one_target`
* feat(cli): warn when removing the last/host target for a toolchain
* refactor(toolchain): extract `DistributableToolchain::components()`
* www: detect RISC-V 64 platform
* fix(deps): update rust crate strsim to 0.11
* chore(deps): update `renovate.json` to remove version bumps covered by
lockfile maintenance PRs, take 3
* feat(ci): configure `merge_queue` to be a PR-like event
* feat(ci): enable the `merge_group` trigger
* fix(ci): use `github.event_name == 'schedule'` instead of
`github.event.schedule`
* chore(deps): update `renovate.json` to remove version bumps covered by
lockfile maintenance PRs, take 2
* fix(deps): update rust crate clap to v4.4.13
* fix(deps): update rust crate syn to v2.0.48
* chore(deps): update rust crate opentelemetry_sdk to v0.21.2
* fix(ci): use `github.event_name == 'push'` instead of
`github.event.push`
* feat(ci): add CI workflow generation checks
* refactor(ci): disassemble and reorganize `ci/cirrus-templates`
* feat(ci): add `conclusion` job
* refactor(ci): move `freebsd-builds` to GitHub Actions
* refactor(ci): merge all current GitHub Actions workflows into `ci.yaml`
* chore(ci): clean up current CI files
* chore(deps): update `renovate.json` to remove version bumps covered by
lockfile maintenance PRs
* fix(deps): update rust crate syn to v2.0.47
* fix(deps): update rust crate proc-macro2 to v1.0.75
* fix(deps): update rust crate clap_complete to v4.4.6
* fix(deps): update rust crate serde to v1.0.194
* fix(deps): update rust crate semver to v1.0.21
* chore(deps): update rust crate thiserror to v1.0.56
* chore(deps): update rust crate anyhow to v1.0.79
* fix(deps): update rust crate syn to v2.0.45
* fix(deps): update rust crate proc-macro2 to v1.0.73
* fix(deps): update rust crate syn to v2.0.44
* fix(deps): update rust crate quote to v1.0.34
* fix(deps): update rust crate proc-macro2 to v1.0.72
* chore(deps): update rust crate anyhow to v1.0.78
* chore(deps): update rust crate thiserror to v1.0.53
* fix(deps): update rust crate clap to v4.4.12
* chore(deps): update rust crate tempfile to v3.9.0
* fix(deps): update rust crate clap_complete to v4.4.5
* chore(deps): update rust crate anyhow to v1.0.77
* chore(deps): update rust crate thiserror to v1.0.52
* fix(deps): update rust crate syn to v2.0.43
* fix(deps): update rust crate openssl to v0.10.62
* fix(deps): update rust crate proc-macro2 to v1.0.71
* fix(deps): update rust crate syn to v2.0.42
* chore(deps): update rust crate anyhow to v1.0.76
* chore(deps): update rust crate hyper-util to v0.1.2
* chore(deps): update rust crate tokio to v1.35.1
* fix(deps): update rust crate reqwest to v0.11.23
* chore(deps): update rust crate hyper to v1.1.0
* docs: move "rls" and "rust-analysis" to separate section "previous..."
(#3591)
* chore(deps): update actions/upload-artifact action to v4
* Fix rustup-init failure to read ZDOTDIR from zsh when SHELL is not zsh
(#3584)
* CI: Enable rustls on loongarch64
* CI: Revert "Disable openssl for loongarch64-unknown-linux-gnu"
* fix(deps): update rust crate openssl-src to v300.2.1+3.2.0
* fix(deps): update rust crate syn to v2.0.41
* fix(deps): update rust crate syn to v2.0.40
* fix(deps): update rust crate libc to v0.2.151
* chore(deps): update rust crate once_cell to v1.19.0
* fix(deps): update rust crate clap to v4.4.11
* fix(deps): update rust crate openssl to v0.10.61
* Fix test permanently adding to PATH
* chore(deps): revert `Cargo.toml` bump in #3540
* chore(deps): revert `Cargo.toml` bump in #3532
* chore(renovate): prevent unnecessary `Cargo.toml` bumps
* Lock file maintenance
* Fix panic in `component list --toolchain stable`
* Upgrade hyper to 1.0 (#3543)
* Clarify several docs and help messages
* Remove rel paths from rust-toolchain.toml docs
* CI: Disable openssl for loongarch64-unknown-linux-gnu
* Update Rust crate url to 2.5
* Update Rust crate winreg to 0.52
* Update Rust crate windows-sys to 0.52.0
* Update Rust crate termcolor to 1.4
* Streamline dependencies in `Cargo.toml`
* Update opentelemetry
* [doc] windows.md: fix link
* Inline channel pattern list
* Remove unused import
* Explicitly import symbols
* Remove unused dependencies from macros crate
* Replace usage of lazy_static with once_cell
* Use more conventional field order in package table
* Remove authors from Cargo manifest (per RFC 3052)
* Use uniform dependency specification style
* Inline `semver::Version` in `toolchain_sort`
* Add docs specifying `toolchain_sort`'s expected behavior
* Change key used in `toolchain_sort`
* Inline `special_version` in `toolchain_sort`
* Inline `toolchain_sort_key` in `toolchain_sort`
* Replace `sort_by` with `sort_by_key` in `toolchain_sort`
* Refine `test_toolchain_sort`
* Suggest installing MSYS2 for `windows-gnu`
* Fix the test toolchain_broken_symlink on Windows
* Move `TOOLSTATE_MSG` to `dist` to serve toolchain-wide operations
* Add test to ensure resolution of #3418
* Add `Panics` sections to docstrings
* Refactor `components_*_msg`
* Delete suggestions of removing the relevant component from
`component_unavailable_msg`
* Clean up some `manifestation` logic
* Warn when running under Rosetta emulation
* Typo fixed in tips-and-tricks.md file
* Adjust suggestions about sourcing `env` files
* Restrict zsh `shwordsplit` to `downloader()`
* Update Rust crate zstd to 0.13
* Apply `clippy` suggestions
* Extract `post_install_msg_unix_source_env!()`
* Add suggestions to mention sourcing `env.fish`
* Fix zsh word splitting for curl "\--retry 3"
* Add ksh compatibility for latest illumos and others
* Remove redundant message if an error occurs during package extraction
* Update Rust crate regex to 1.10.0
* Write a custom env script for fish
* Fix fish config dir paths
* Update all rc fish scripts
* Try to add support for fish shell
* Clarify the origin of `rust-$TARGET` CI Docker images
* Apply more `clippy` suggestions
* Capturing IO error in download_file_with_resume (#3421)
* Adjust instructions for manual installation (#3502)
* Windows: Load DLLs from system32
* When running a 32-bit rustup on an aarch64 CPU, select a 32-bit toolchain
* Do not fallback to "arm" in rustup-init.sh on aarch64 with 32-bit userland
* Update Rust crate toml to 0.8
* Mention `brew install rustup-init` in the user guide
* Adjust section titles in the user guide
* Update actions/checkout action to v4
* Avoid warning for unused variant
* fix invalid link for 1.25.2
* 1.26.0 should not be unreleased in the changelog
* Refactor test case `install_uninstall_affect_path`
* Update Rust crate winreg to 0.51
* Apply clippy suggestions from Rust 1.74 (#3497)
* Fix rustup_only_options_stdout
* Bring additional help section style in line with clap 4
* Upgrade to clap 4
* Avoid deprecated clap API
* Isolate trycmd tests from environment
* Update Rust crate tracing-opentelemetry to 0.21.0
* buf writes to components
* Update Rust crate tempfile to 3.8
* Return the right lifetime from DistributableToolchain::install
* Fix handling of async tests
* Improve CI debugability
* Refactor: Use download_cfg.notify_handler in update()
* Authenticate when installing protoc
* Avoid installing protoc for most CI workflows
* Refine suggestions of sourcing `$HOME/.cargo/env`
* Avoid `sysctl: unknown oid` stderr output and/or non-zero exit code
* Configure automerge in Renovate
* Fix renovate.json
* Make `RUSTUP_TERM_COLOR`'s value case insensitive
* Add unit tests for `RUSTUP_TERM_COLOR`
* Support `RUSTUP_TERM_COLOR` as an override environment variable
* macOS `uname -m` can lie due to Rosetta shenanigans
* Migrate CONTRIBUTING.md to an mdbook
* Build docs during CI
* Move the user guide from doc to doc/user-guide
* Update Rust crate tempfile to 3.7
* Use available_parallelism replace the `num_cpus`crate
* rustup-init.sh: Check for kernel UAPI compatibility on LoongArch
* Enable loongarch64-linux-gnu builds on stable
* allow `clippy::arc_with_non_send_sync`
* Address `#[warn(clippy::useless_vec)]`
* Address `#[warn(clippy::needless_borrow)]`
* Address `#[warn(clippy::useless_conversion)]`
* Address `#[warn(clippy::redundant_pattern_matching)]`
* Address `#[warn(clippy::redundant_field_names)]`
* Bump proc-macro2 v1.0.51 -> v1.0.63
* Bump the openssl v0.10.52 -> v0.10.55
* Fix typo: prerequistes -> prerequisites
* update installation methods to use TLS v1.2
* Disable the "oldtime" feature of chrono
* Update Rust crate tempfile to 3.6
* Update Rust crate url to 2.4
* Update Rust crate once_cell to 1.18.0
* Make download_tracker thread safe.
* Enable broken color in MSYS2 shells
* Add suggest_message helper for errors
* replace term with termcolor
* Tweak docs
* Improve error message for removing uninstalled target
* Improve error message for adding unknown target
* CI support for loongarch64-unknown-linux-gnu
* Fix compile on rust nightly
* Group updates to opentelemetry together
* Improve CurrentProcess
* Update dependencies
* TestProcess and friends should be test only
* Update Rust crate windows-sys to 0.48.0
* Rework Toolchain model and drop relative file path overrides
* Add in opentelemetry tracing as a feature
* Remove repeated definite article
* Make clippy happy
* Update Rust crate toml to 0.7.3
* Suggest right toolchain when running clippy
* Fix small typo
* Update Rust crate winreg to 0.50
* Update Rust crate tempfile to 3.5
* Compile static Mutex where possible
* Upgrade CI image to FreeBSD 13.2
* Update Rust crate opener to 0.6.0
* Update Rust crate enum-map to 2.5.0
* Bumped retry

## Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like
YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

* SUSE Linux Enterprise Server for SAP Applications 15 SP5
zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-SP5-2026-2831=1

* SUSE Linux Enterprise Server 15 SP5 LTSS
zypper in -t patch SUSE-SLE-Product-SLES-15-SP5-LTSS-2026-2831=1

* SUSE Linux Enterprise High Performance Computing ESPOS 15 SP5
zypper in -t patch SUSE-SLE-Product-HPC-15-SP5-ESPOS-2026-2831=1

* SUSE Linux Enterprise High Performance Computing LTSS 15 SP5
zypper in -t patch SUSE-SLE-Product-HPC-15-SP5-LTSS-2026-2831=1

* SUSE Linux Enterprise High Performance Computing ESPOS 15 SP4
zypper in -t patch SUSE-SLE-Product-HPC-15-SP4-ESPOS-2026-2831=1

* SUSE Linux Enterprise Server 15 SP4 LTSS
zypper in -t patch SUSE-SLE-Product-SLES-15-SP4-LTSS-2026-2831=1

* SUSE Linux Enterprise High Performance Computing LTSS 15 SP4
zypper in -t patch SUSE-SLE-Product-HPC-15-SP4-LTSS-2026-2831=1

* openSUSE Leap 15.4
zypper in -t patch SUSE-2026-2831=1

* SUSE Linux Enterprise Server for SAP Applications 15 SP4
zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-SP4-2026-2831=1

## Package List:

* SUSE Linux Enterprise High Performance Computing LTSS 15 SP4 (aarch64
x86_64)
* rustup-debugsource-1.28.2~0-150400.3.13.1
* rustup-debuginfo-1.28.2~0-150400.3.13.1
* rustup-1.28.2~0-150400.3.13.1
* SUSE Linux Enterprise Server 15 SP4 LTSS (aarch64 x86_64)
* rustup-debugsource-1.28.2~0-150400.3.13.1
* rustup-debuginfo-1.28.2~0-150400.3.13.1
* rustup-1.28.2~0-150400.3.13.1
* SUSE Linux Enterprise High Performance Computing ESPOS 15 SP4 (aarch64
x86_64)
* rustup-debuginfo-1.28.2~0-150400.3.13.1
* rustup-debugsource-1.28.2~0-150400.3.13.1
* rustup-1.28.2~0-150400.3.13.1
* SUSE Linux Enterprise Server for SAP Applications 15 SP5 (x86_64)
* rustup-debuginfo-1.28.2~0-150400.3.13.1
* rustup-debugsource-1.28.2~0-150400.3.13.1
* rustup-1.28.2~0-150400.3.13.1
* SUSE Linux Enterprise High Performance Computing ESPOS 15 SP5 (aarch64
x86_64)
* rustup-debugsource-1.28.2~0-150400.3.13.1
* rustup-debuginfo-1.28.2~0-150400.3.13.1
* rustup-1.28.2~0-150400.3.13.1
* openSUSE Leap 15.4 (aarch64 x86_64)
* rustup-debugsource-1.28.2~0-150400.3.13.1
* rustup-debuginfo-1.28.2~0-150400.3.13.1
* rustup-1.28.2~0-150400.3.13.1
* SUSE Linux Enterprise High Performance Computing LTSS 15 SP5 (aarch64
x86_64)
* rustup-debuginfo-1.28.2~0-150400.3.13.1
* rustup-debugsource-1.28.2~0-150400.3.13.1
* rustup-1.28.2~0-150400.3.13.1
* SUSE Linux Enterprise Server 15 SP5 LTSS (aarch64 x86_64)
* rustup-1.28.2~0-150400.3.13.1
* rustup-debuginfo-1.28.2~0-150400.3.13.1
* rustup-debugsource-1.28.2~0-150400.3.13.1
* SUSE Linux Enterprise Server for SAP Applications 15 SP4 (x86_64)
* rustup-1.28.2~0-150400.3.13.1
* rustup-debuginfo-1.28.2~0-150400.3.13.1
* rustup-debugsource-1.28.2~0-150400.3.13.1

## References:

* https://www.suse.com/security/cve/CVE-2024-12224.html
* https://www.suse.com/security/cve/CVE-2025-58160.html
* https://www.suse.com/security/cve/CVE-2026-25727.html
* https://www.suse.com/security/cve/CVE-2026-41676.html
* https://www.suse.com/security/cve/CVE-2026-41677.html
* https://www.suse.com/security/cve/CVE-2026-41678.html
* https://www.suse.com/security/cve/CVE-2026-41681.html
* https://www.suse.com/security/cve/CVE-2026-41898.html
* https://www.suse.com/security/cve/CVE-2026-42327.html
* https://www.suse.com/security/cve/CVE-2026-44662.html
* https://www.suse.com/security/cve/CVE-2026-45784.html
* https://bugzilla.suse.com/show_bug.cgi?id=1203257
* https://bugzilla.suse.com/show_bug.cgi?id=1230032
* https://bugzilla.suse.com/show_bug.cgi?id=1243862
* https://bugzilla.suse.com/show_bug.cgi?id=1249008
* https://bugzilla.suse.com/show_bug.cgi?id=1257902
* https://bugzilla.suse.com/show_bug.cgi?id=1270186
* https://bugzilla.suse.com/show_bug.cgi?id=1270521
* https://bugzilla.suse.com/show_bug.cgi?id=1270619
* https://bugzilla.suse.com/show_bug.cgi?id=1270644
* https://bugzilla.suse.com/show_bug.cgi?id=1270795
* https://bugzilla.suse.com/show_bug.cgi?id=1270870
* https://bugzilla.suse.com/show_bug.cgi?id=1270874
* https://bugzilla.suse.com/show_bug.cgi?id=1270989



SUSE-SU-2026:2834-1: important: Security update for clamav


# Security update for clamav

Announcement ID: SUSE-SU-2026:2834-1
Release Date: 2026-07-09T19:12:56Z
Rating: important
References:

* bsc#1270085
* bsc#1270088
* bsc#1270089
* bsc#1270091
* bsc#1270092
* bsc#1270106
* bsc#1270107
* bsc#1270138

Cross-References:

* CVE-2026-20213
* CVE-2026-20214
* CVE-2026-20215
* CVE-2026-20216
* CVE-2026-20217
* CVE-2026-20243
* CVE-2026-20244
* CVE-2026-41676

CVSS scores:

* CVE-2026-20213 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
* CVE-2026-20213 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
* CVE-2026-20214 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
* CVE-2026-20214 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
* CVE-2026-20215 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
* CVE-2026-20215 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
* CVE-2026-20216 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
* CVE-2026-20216 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
* CVE-2026-20217 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
* CVE-2026-20217 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
* CVE-2026-20243 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
* CVE-2026-20243 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
* CVE-2026-20244 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
* CVE-2026-20244 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
* CVE-2026-41676 ( SUSE ): 8.3
CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:L/VA:H/SC:N/SI:N/SA:N
* CVE-2026-41676 ( SUSE ): 6.5 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:H
* CVE-2026-41676 ( NVD ): 7.2
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
* CVE-2026-41676 ( NVD ): 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Affected Products:

* openSUSE Leap 15.4
* SUSE Linux Enterprise High Performance Computing 15 SP4
* SUSE Linux Enterprise High Performance Computing 15 SP5
* SUSE Linux Enterprise High Performance Computing ESPOS 15 SP4
* SUSE Linux Enterprise High Performance Computing ESPOS 15 SP5
* SUSE Linux Enterprise High Performance Computing LTSS 15 SP4
* SUSE Linux Enterprise High Performance Computing LTSS 15 SP5
* SUSE Linux Enterprise Server 15 SP4
* SUSE Linux Enterprise Server 15 SP4 LTSS
* SUSE Linux Enterprise Server 15 SP5
* SUSE Linux Enterprise Server 15 SP5 LTSS
* SUSE Linux Enterprise Server for SAP Applications 15 SP4
* SUSE Linux Enterprise Server for SAP Applications 15 SP5

An update that solves eight vulnerabilities can now be installed.

## Description:

This update for clamav fixes the following issues

* CVE-2026-20213: PE file format parser could allow an unauthenticated, remote
attacker to cause a denial of service (bsc#1270107).
* CVE-2026-20214: FSG file format parser could allow an unauthenticated,
remote attacker to cause a denial of service (bsc#1270085).
* CVE-2026-20215: 7z file format parser could allow an unauthenticated, remote
attacker to cause a denial of service (bsc#1270088).
* CVE-2026-20216: InstallShield file format parser could allow an
unauthenticated, remote attacker to cause a denial of service (bsc#1270089).
* CVE-2026-20217: PESpin file format parser could allow an unauthenticated,
remote attacker to cause a denial of service (bsc#1270091).
* CVE-2026-20243: ALZ file format parser could allow an unauthenticated,
remote attacker to cause a denial of service (bsc#1270092).
* CVE-2026-20244: DMG file format parser could allow an unauthenticated,
remote attacker to cause a denial of service on 32-bit platforms only
(bsc#1270106).
* CVE-2026-41676: rust-openssl: `Deriver:derive` and `PkeyCtxRef:derive` can
overflow short buffers on OpenSSL 1.1.1 (bsc#1270138).

Changes for clamav:

* Update to 1.5.3:

* Hardened clamscan, clamdscan, and clamonacc quarantine actions against time-
of-check/time-of-use races that could redirect copied, moved, or removed
files under unsafe quarantine directory configurations.

* Raised the minimum required CMake version to 3.17 to fix Linux builds with
libcurl v8.21.0 when linking static library dependencies.
* Metadata preclass scans now run before the final scan verdict.
* ClamOnAcc: Fixed errors when recursively excluded paths are children of an
included path.
* ClamOnAcc: Fixed hash bucket list corruption when two watched paths collide
in the same bucket.

## Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like
YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

* SUSE Linux Enterprise Server 15 SP4 LTSS
zypper in -t patch SUSE-SLE-Product-SLES-15-SP4-LTSS-2026-2834=1

* SUSE Linux Enterprise High Performance Computing ESPOS 15 SP4
zypper in -t patch SUSE-SLE-Product-HPC-15-SP4-ESPOS-2026-2834=1

* SUSE Linux Enterprise Server for SAP Applications 15 SP4
zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-SP4-2026-2834=1

* SUSE Linux Enterprise Server 15 SP5 LTSS
zypper in -t patch SUSE-SLE-Product-SLES-15-SP5-LTSS-2026-2834=1

* SUSE Linux Enterprise High Performance Computing LTSS 15 SP4
zypper in -t patch SUSE-SLE-Product-HPC-15-SP4-LTSS-2026-2834=1

* SUSE Linux Enterprise Server for SAP Applications 15 SP5
zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-SP5-2026-2834=1

* SUSE Linux Enterprise High Performance Computing LTSS 15 SP5
zypper in -t patch SUSE-SLE-Product-HPC-15-SP5-LTSS-2026-2834=1

* openSUSE Leap 15.4
zypper in -t patch SUSE-2026-2834=1

* SUSE Linux Enterprise High Performance Computing ESPOS 15 SP5
zypper in -t patch SUSE-SLE-Product-HPC-15-SP5-ESPOS-2026-2834=1

## Package List:

* SUSE Linux Enterprise Server 15 SP5 LTSS (aarch64 ppc64le s390x x86_64)
* libclammspack0-1.5.3-150400.13.8.1
* libclamav12-1.5.3-150400.13.8.1
* libclamav12-debuginfo-1.5.3-150400.13.8.1
* libfreshclam4-debuginfo-1.5.3-150400.13.8.1
* clamav-devel-1.5.3-150400.13.8.1
* clamav-debuginfo-1.5.3-150400.13.8.1
* clamav-debugsource-1.5.3-150400.13.8.1
* clamav-1.5.3-150400.13.8.1
* clamav-milter-1.5.3-150400.13.8.1
* clamav-milter-debuginfo-1.5.3-150400.13.8.1
* libfreshclam4-1.5.3-150400.13.8.1
* libclammspack0-debuginfo-1.5.3-150400.13.8.1
* SUSE Linux Enterprise Server 15 SP5 LTSS (noarch)
* clamav-docs-html-1.5.3-150400.13.8.1
* openSUSE Leap 15.4 (aarch64 ppc64le s390x x86_64)
* libclammspack0-1.5.3-150400.13.8.1
* libclamav12-1.5.3-150400.13.8.1
* libclamav12-debuginfo-1.5.3-150400.13.8.1
* clamav-devel-1.5.3-150400.13.8.1
* libfreshclam4-debuginfo-1.5.3-150400.13.8.1
* clamav-debuginfo-1.5.3-150400.13.8.1
* clamav-debugsource-1.5.3-150400.13.8.1
* clamav-1.5.3-150400.13.8.1
* clamav-milter-1.5.3-150400.13.8.1
* clamav-milter-debuginfo-1.5.3-150400.13.8.1
* libfreshclam4-1.5.3-150400.13.8.1
* libclammspack0-debuginfo-1.5.3-150400.13.8.1
* openSUSE Leap 15.4 (noarch)
* clamav-docs-html-1.5.3-150400.13.8.1
* SUSE Linux Enterprise High Performance Computing LTSS 15 SP4 (aarch64
x86_64)
* libclammspack0-1.5.3-150400.13.8.1
* libclamav12-1.5.3-150400.13.8.1
* libclamav12-debuginfo-1.5.3-150400.13.8.1
* clamav-devel-1.5.3-150400.13.8.1
* libfreshclam4-debuginfo-1.5.3-150400.13.8.1
* clamav-debuginfo-1.5.3-150400.13.8.1
* clamav-debugsource-1.5.3-150400.13.8.1
* clamav-1.5.3-150400.13.8.1
* clamav-milter-1.5.3-150400.13.8.1
* clamav-milter-debuginfo-1.5.3-150400.13.8.1
* libfreshclam4-1.5.3-150400.13.8.1
* libclammspack0-debuginfo-1.5.3-150400.13.8.1
* SUSE Linux Enterprise High Performance Computing LTSS 15 SP4 (noarch)
* clamav-docs-html-1.5.3-150400.13.8.1
* SUSE Linux Enterprise High Performance Computing ESPOS 15 SP4 (aarch64
x86_64)
* libclammspack0-1.5.3-150400.13.8.1
* libclamav12-1.5.3-150400.13.8.1
* libclamav12-debuginfo-1.5.3-150400.13.8.1
* clamav-devel-1.5.3-150400.13.8.1
* libfreshclam4-debuginfo-1.5.3-150400.13.8.1
* clamav-debuginfo-1.5.3-150400.13.8.1
* clamav-debugsource-1.5.3-150400.13.8.1
* clamav-1.5.3-150400.13.8.1
* clamav-milter-1.5.3-150400.13.8.1
* clamav-milter-debuginfo-1.5.3-150400.13.8.1
* libfreshclam4-1.5.3-150400.13.8.1
* libclammspack0-debuginfo-1.5.3-150400.13.8.1
* SUSE Linux Enterprise High Performance Computing ESPOS 15 SP4 (noarch)
* clamav-docs-html-1.5.3-150400.13.8.1
* SUSE Linux Enterprise High Performance Computing ESPOS 15 SP5 (noarch)
* clamav-docs-html-1.5.3-150400.13.8.1
* SUSE Linux Enterprise High Performance Computing ESPOS 15 SP5 (aarch64
x86_64)
* libclammspack0-1.5.3-150400.13.8.1
* libclamav12-1.5.3-150400.13.8.1
* libclamav12-debuginfo-1.5.3-150400.13.8.1
* libfreshclam4-debuginfo-1.5.3-150400.13.8.1
* clamav-devel-1.5.3-150400.13.8.1
* clamav-debuginfo-1.5.3-150400.13.8.1
* clamav-debugsource-1.5.3-150400.13.8.1
* clamav-1.5.3-150400.13.8.1
* clamav-milter-1.5.3-150400.13.8.1
* clamav-milter-debuginfo-1.5.3-150400.13.8.1
* libfreshclam4-1.5.3-150400.13.8.1
* libclammspack0-debuginfo-1.5.3-150400.13.8.1
* SUSE Linux Enterprise Server for SAP Applications 15 SP5 (ppc64le x86_64)
* libclammspack0-1.5.3-150400.13.8.1
* libclamav12-1.5.3-150400.13.8.1
* libclamav12-debuginfo-1.5.3-150400.13.8.1
* clamav-devel-1.5.3-150400.13.8.1
* libfreshclam4-debuginfo-1.5.3-150400.13.8.1
* clamav-debuginfo-1.5.3-150400.13.8.1
* clamav-debugsource-1.5.3-150400.13.8.1
* clamav-1.5.3-150400.13.8.1
* clamav-milter-1.5.3-150400.13.8.1
* clamav-milter-debuginfo-1.5.3-150400.13.8.1
* libfreshclam4-1.5.3-150400.13.8.1
* libclammspack0-debuginfo-1.5.3-150400.13.8.1
* SUSE Linux Enterprise Server for SAP Applications 15 SP5 (noarch)
* clamav-docs-html-1.5.3-150400.13.8.1
* SUSE Linux Enterprise Server 15 SP4 LTSS (aarch64 ppc64le s390x x86_64)
* libclammspack0-1.5.3-150400.13.8.1
* libclamav12-1.5.3-150400.13.8.1
* libclamav12-debuginfo-1.5.3-150400.13.8.1
* libfreshclam4-debuginfo-1.5.3-150400.13.8.1
* clamav-devel-1.5.3-150400.13.8.1
* clamav-debuginfo-1.5.3-150400.13.8.1
* clamav-debugsource-1.5.3-150400.13.8.1
* clamav-1.5.3-150400.13.8.1
* clamav-milter-1.5.3-150400.13.8.1
* clamav-milter-debuginfo-1.5.3-150400.13.8.1
* libfreshclam4-1.5.3-150400.13.8.1
* libclammspack0-debuginfo-1.5.3-150400.13.8.1
* SUSE Linux Enterprise Server 15 SP4 LTSS (noarch)
* clamav-docs-html-1.5.3-150400.13.8.1
* SUSE Linux Enterprise Server for SAP Applications 15 SP4 (noarch)
* clamav-docs-html-1.5.3-150400.13.8.1
* SUSE Linux Enterprise Server for SAP Applications 15 SP4 (ppc64le x86_64)
* libclammspack0-1.5.3-150400.13.8.1
* libclamav12-1.5.3-150400.13.8.1
* libclamav12-debuginfo-1.5.3-150400.13.8.1
* libfreshclam4-debuginfo-1.5.3-150400.13.8.1
* clamav-devel-1.5.3-150400.13.8.1
* clamav-debugsource-1.5.3-150400.13.8.1
* clamav-debuginfo-1.5.3-150400.13.8.1
* clamav-1.5.3-150400.13.8.1
* clamav-milter-1.5.3-150400.13.8.1
* clamav-milter-debuginfo-1.5.3-150400.13.8.1
* libfreshclam4-1.5.3-150400.13.8.1
* libclammspack0-debuginfo-1.5.3-150400.13.8.1
* SUSE Linux Enterprise High Performance Computing LTSS 15 SP5 (aarch64
x86_64)
* libclammspack0-1.5.3-150400.13.8.1
* libclamav12-1.5.3-150400.13.8.1
* libclamav12-debuginfo-1.5.3-150400.13.8.1
* clamav-devel-1.5.3-150400.13.8.1
* libfreshclam4-debuginfo-1.5.3-150400.13.8.1
* clamav-debuginfo-1.5.3-150400.13.8.1
* clamav-debugsource-1.5.3-150400.13.8.1
* clamav-1.5.3-150400.13.8.1
* clamav-milter-1.5.3-150400.13.8.1
* clamav-milter-debuginfo-1.5.3-150400.13.8.1
* libfreshclam4-1.5.3-150400.13.8.1
* libclammspack0-debuginfo-1.5.3-150400.13.8.1
* SUSE Linux Enterprise High Performance Computing LTSS 15 SP5 (noarch)
* clamav-docs-html-1.5.3-150400.13.8.1

## References:

* https://www.suse.com/security/cve/CVE-2026-20213.html
* https://www.suse.com/security/cve/CVE-2026-20214.html
* https://www.suse.com/security/cve/CVE-2026-20215.html
* https://www.suse.com/security/cve/CVE-2026-20216.html
* https://www.suse.com/security/cve/CVE-2026-20217.html
* https://www.suse.com/security/cve/CVE-2026-20243.html
* https://www.suse.com/security/cve/CVE-2026-20244.html
* https://www.suse.com/security/cve/CVE-2026-41676.html
* https://bugzilla.suse.com/show_bug.cgi?id=1270085
* https://bugzilla.suse.com/show_bug.cgi?id=1270088
* https://bugzilla.suse.com/show_bug.cgi?id=1270089
* https://bugzilla.suse.com/show_bug.cgi?id=1270091
* https://bugzilla.suse.com/show_bug.cgi?id=1270092
* https://bugzilla.suse.com/show_bug.cgi?id=1270106
* https://bugzilla.suse.com/show_bug.cgi?id=1270107
* https://bugzilla.suse.com/show_bug.cgi?id=1270138



SUSE-SU-2026:2835-1: important: Security update for clamav


# Security update for clamav

Announcement ID: SUSE-SU-2026:2835-1
Release Date: 2026-07-09T19:13:18Z
Rating: important
References:

* bsc#1270085
* bsc#1270088
* bsc#1270089
* bsc#1270091
* bsc#1270092
* bsc#1270106
* bsc#1270107
* bsc#1270138

Cross-References:

* CVE-2026-20213
* CVE-2026-20214
* CVE-2026-20215
* CVE-2026-20216
* CVE-2026-20217
* CVE-2026-20243
* CVE-2026-20244
* CVE-2026-41676

CVSS scores:

* CVE-2026-20213 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
* CVE-2026-20213 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
* CVE-2026-20214 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
* CVE-2026-20214 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
* CVE-2026-20215 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
* CVE-2026-20215 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
* CVE-2026-20216 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
* CVE-2026-20216 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
* CVE-2026-20217 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
* CVE-2026-20217 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
* CVE-2026-20243 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
* CVE-2026-20243 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
* CVE-2026-20244 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
* CVE-2026-20244 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
* CVE-2026-41676 ( SUSE ): 8.3
CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:L/VA:H/SC:N/SI:N/SA:N
* CVE-2026-41676 ( SUSE ): 6.5 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:H
* CVE-2026-41676 ( NVD ): 7.2
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
* CVE-2026-41676 ( NVD ): 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Affected Products:

* Basesystem Module 15-SP7
* openSUSE Leap 15.6
* SUSE Linux Enterprise Desktop 15 SP7
* SUSE Linux Enterprise Real Time 15 SP7
* SUSE Linux Enterprise Server 15 SP6
* SUSE Linux Enterprise Server 15 SP6 LTSS
* SUSE Linux Enterprise Server 15 SP7
* SUSE Linux Enterprise Server for SAP Applications 15 SP6
* SUSE Linux Enterprise Server for SAP Applications 15 SP7

An update that solves eight vulnerabilities can now be installed.

## Description:

This update for clamav fixes the following issues

* CVE-2026-20213: PE file format parser could allow an unauthenticated, remote
attacker to cause a denial of service (bsc#1270107).
* CVE-2026-20214: FSG file format parser could allow an unauthenticated,
remote attacker to cause a denial of service (bsc#1270085).
* CVE-2026-20215: 7z file format parser could allow an unauthenticated, remote
attacker to cause a denial of service (bsc#1270088).
* CVE-2026-20216: InstallShield file format parser could allow an
unauthenticated, remote attacker to cause a denial of service (bsc#1270089).
* CVE-2026-20217: PESpin file format parser could allow an unauthenticated,
remote attacker to cause a denial of service (bsc#1270091).
* CVE-2026-20243: ALZ file format parser could allow an unauthenticated,
remote attacker to cause a denial of service (bsc#1270092).
* CVE-2026-20244: DMG file format parser could allow an unauthenticated,
remote attacker to cause a denial of service on 32-bit platforms only
(bsc#1270106).
* CVE-2026-41676: rust-openssl: `Deriver:derive` and `PkeyCtxRef:derive` can
overflow short buffers on OpenSSL 1.1.1 (bsc#1270138).

Changes for clamav:

* Update to 1.5.3:

* Hardened clamscan, clamdscan, and clamonacc quarantine actions against time-
of-check/time-of-use races that could redirect copied, moved, or removed
files under unsafe quarantine directory configurations.

* Raised the minimum required CMake version to 3.17 to fix Linux builds with
libcurl v8.21.0 when linking static library dependencies.
* Metadata preclass scans now run before the final scan verdict.
* ClamOnAcc: Fixed errors when recursively excluded paths are children of an
included path.
* ClamOnAcc: Fixed hash bucket list corruption when two watched paths collide
in the same bucket.

## Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like
YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

* SUSE Linux Enterprise Server 15 SP6 LTSS
zypper in -t patch SUSE-SLE-Product-SLES-15-SP6-LTSS-2026-2835=1

* Basesystem Module 15-SP7
zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP7-2026-2835=1

* openSUSE Leap 15.6
zypper in -t patch SUSE-2026-2835=1

* SUSE Linux Enterprise Server for SAP Applications 15 SP6
zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-SP6-2026-2835=1

## Package List:

* Basesystem Module 15-SP7 (aarch64 ppc64le s390x x86_64)
* libclammspack0-1.5.3-150600.18.28.1
* clamav-milter-1.5.3-150600.18.28.1
* clamav-debugsource-1.5.3-150600.18.28.1
* clamav-1.5.3-150600.18.28.1
* clamav-devel-1.5.3-150600.18.28.1
* libfreshclam4-debuginfo-1.5.3-150600.18.28.1
* libclamav12-1.5.3-150600.18.28.1
* libclamav12-debuginfo-1.5.3-150600.18.28.1
* clamav-milter-debuginfo-1.5.3-150600.18.28.1
* libclammspack0-debuginfo-1.5.3-150600.18.28.1
* libfreshclam4-1.5.3-150600.18.28.1
* clamav-debuginfo-1.5.3-150600.18.28.1
* Basesystem Module 15-SP7 (noarch)
* clamav-docs-html-1.5.3-150600.18.28.1
* SUSE Linux Enterprise Server 15 SP6 LTSS (noarch)
* clamav-docs-html-1.5.3-150600.18.28.1
* SUSE Linux Enterprise Server 15 SP6 LTSS (aarch64 ppc64le s390x x86_64)
* libclammspack0-1.5.3-150600.18.28.1
* clamav-milter-1.5.3-150600.18.28.1
* clamav-debugsource-1.5.3-150600.18.28.1
* clamav-1.5.3-150600.18.28.1
* clamav-devel-1.5.3-150600.18.28.1
* libfreshclam4-debuginfo-1.5.3-150600.18.28.1
* libclamav12-1.5.3-150600.18.28.1
* clamav-milter-debuginfo-1.5.3-150600.18.28.1
* libclamav12-debuginfo-1.5.3-150600.18.28.1
* libclammspack0-debuginfo-1.5.3-150600.18.28.1
* libfreshclam4-1.5.3-150600.18.28.1
* clamav-debuginfo-1.5.3-150600.18.28.1
* SUSE Linux Enterprise Server for SAP Applications 15 SP6 (ppc64le x86_64)
* libclammspack0-1.5.3-150600.18.28.1
* clamav-milter-1.5.3-150600.18.28.1
* clamav-debugsource-1.5.3-150600.18.28.1
* clamav-1.5.3-150600.18.28.1
* clamav-devel-1.5.3-150600.18.28.1
* libfreshclam4-debuginfo-1.5.3-150600.18.28.1
* libclamav12-1.5.3-150600.18.28.1
* libclamav12-debuginfo-1.5.3-150600.18.28.1
* clamav-milter-debuginfo-1.5.3-150600.18.28.1
* libclammspack0-debuginfo-1.5.3-150600.18.28.1
* libfreshclam4-1.5.3-150600.18.28.1
* clamav-debuginfo-1.5.3-150600.18.28.1
* SUSE Linux Enterprise Server for SAP Applications 15 SP6 (noarch)
* clamav-docs-html-1.5.3-150600.18.28.1
* openSUSE Leap 15.6 (aarch64 ppc64le s390x x86_64)
* libclammspack0-1.5.3-150600.18.28.1
* clamav-milter-1.5.3-150600.18.28.1
* clamav-debugsource-1.5.3-150600.18.28.1
* clamav-1.5.3-150600.18.28.1
* clamav-devel-1.5.3-150600.18.28.1
* libfreshclam4-debuginfo-1.5.3-150600.18.28.1
* libclamav12-1.5.3-150600.18.28.1
* libclamav12-debuginfo-1.5.3-150600.18.28.1
* clamav-milter-debuginfo-1.5.3-150600.18.28.1
* libclammspack0-debuginfo-1.5.3-150600.18.28.1
* libfreshclam4-1.5.3-150600.18.28.1
* clamav-debuginfo-1.5.3-150600.18.28.1
* openSUSE Leap 15.6 (noarch)
* clamav-docs-html-1.5.3-150600.18.28.1

## References:

* https://www.suse.com/security/cve/CVE-2026-20213.html
* https://www.suse.com/security/cve/CVE-2026-20214.html
* https://www.suse.com/security/cve/CVE-2026-20215.html
* https://www.suse.com/security/cve/CVE-2026-20216.html
* https://www.suse.com/security/cve/CVE-2026-20217.html
* https://www.suse.com/security/cve/CVE-2026-20243.html
* https://www.suse.com/security/cve/CVE-2026-20244.html
* https://www.suse.com/security/cve/CVE-2026-41676.html
* https://bugzilla.suse.com/show_bug.cgi?id=1270085
* https://bugzilla.suse.com/show_bug.cgi?id=1270088
* https://bugzilla.suse.com/show_bug.cgi?id=1270089
* https://bugzilla.suse.com/show_bug.cgi?id=1270091
* https://bugzilla.suse.com/show_bug.cgi?id=1270092
* https://bugzilla.suse.com/show_bug.cgi?id=1270106
* https://bugzilla.suse.com/show_bug.cgi?id=1270107
* https://bugzilla.suse.com/show_bug.cgi?id=1270138



openSUSE-SU-2026:0239-1: important: Security update for flannel


openSUSE Security Update: Security update for flannel
_______________________________

Announcement ID: openSUSE-SU-2026:0239-1
Rating: important
References: #1265780 #1266620
Cross-References: CVE-2026-33814 CVE-2026-39821
CVSS scores:
CVE-2026-33814 (SUSE): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CVE-2026-39821 (SUSE): 9.1 CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

Affected Products:
openSUSE Backports SLE-15-SP7
_______________________________

An update that fixes two vulnerabilities is now available.

Description:

This update for flannel fixes the following issues:

- Update to version 0.28.7:
* prepare for release v0.28.7 (#2485)
* fix: use install-conf in chart (#2484)
* fix: use semver tag type in Docker meta to support release events
(#2483)
* build(deps): bump github/codeql-action/upload-sarif (#2480)
* build(deps): bump golang.org/x/net from 0.54.0 to 0.55.0 (#2473), fix
for CVE-2026-33814 (boo#1265780) and CVE-2026-39821 (boo#1266620)
* build(deps): bump docker/build-push-action from 7.2.0 to 7.3.0 (#2479)
* build(deps): bump golangci/golangci-lint-action from 9.2.1 to 9.3.0
(#2478)
* build(deps): bump docker/metadata-action from 6.1.0 to 6.2.0 (#2476)
* build(deps): bump the tencent group with 2 updates (#2475)
* build(deps): bump the etcd group with 4 updates (#2474)
* fix: skip invalid CIDRs in subnet file readers (#2454)
* subnet/etcd: recover subnet watch from compaction (#2471)
* Bump the tencent group across 1 directory with 2 updates (#2461)
* Bump actions/attest-build-provenance from 4.1.0 to 4.1.1 (#2467)
* Bump actions/setup-go from 6.4.0 to 6.5.0 (#2468)
* feat: new install_conf cmd to install flannel's config file (#2466)
* Bump the other-go-modules group with 2 updates (#2464)
* Bump actions/checkout from 6.0.2 to 7.0.0 (#2465)
* Bump github/codeql-action from 4.36.0 to 4.36.2 (#2463)

Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- openSUSE Backports SLE-15-SP7:

zypper in -t patch openSUSE-2026-239=1

Package List:

- openSUSE Backports SLE-15-SP7 (aarch64 i586 ppc64le s390x x86_64):

flannel-0.28.7-bp157.2.12.1

- openSUSE Backports SLE-15-SP7 (noarch):

flannel-k8s-yaml-0.28.7-bp157.2.12.1

References:

https://www.suse.com/security/cve/CVE-2026-33814.html
https://www.suse.com/security/cve/CVE-2026-39821.html
https://bugzilla.suse.com/1265780
https://bugzilla.suse.com/1266620



openSUSE-SU-2026:0238-1: important: Security update for chromium


openSUSE Security Update: Security update for chromium
_______________________________

Announcement ID: openSUSE-SU-2026:0238-1
Rating: important
References: #1271093
Cross-References: CVE-2026-15107 CVE-2026-15108 CVE-2026-15109
CVE-2026-15110 CVE-2026-15111 CVE-2026-15112
CVE-2026-15113 CVE-2026-15114 CVE-2026-15115
CVE-2026-15116 CVE-2026-15117 CVE-2026-15118
CVE-2026-15119 CVE-2026-15120 CVE-2026-15121
CVE-2026-15122 CVE-2026-15123 CVE-2026-15124
CVE-2026-15125 CVE-2026-15126 CVE-2026-15127
CVE-2026-15128 CVE-2026-15129 CVE-2026-15130
CVE-2026-15131 CVE-2026-15132 CVE-2026-15133

Affected Products:
openSUSE Backports SLE-15-SP7
_______________________________

An update that fixes 27 vulnerabilities is now available.

Description:

This update for chromium fixes the following issues:

- Chromium 150.0.7871.114 (boo#1271093):
* CVE-2026-15112: Use after free in Ozone
* CVE-2026-15129: Use after free in Views
* CVE-2026-15132: Uninitialized Use in V8
* CVE-2026-15133: Use after free in InterestGroups
* CVE-2026-15108: Integer overflow in Extensions API
* CVE-2026-15109: Uninitialized Use in ANGLE
* CVE-2026-15110: Use after free in Extensions
* CVE-2026-15111: Use after free in Views
* CVE-2026-15113: Use after free in Autofill
* CVE-2026-15114: Out of bounds read and write in Codecs
* CVE-2026-15115: Insufficient validation of untrusted input in
WebAppInstalls
* CVE-2026-15116: Use after free in Actor
* CVE-2026-15117: Use after free in Payments
* CVE-2026-15118: Use after free in Input
* CVE-2026-15119: Inappropriate implementation in GetUserMedia
* CVE-2026-15120: Use after free in Core
* CVE-2026-15121: Use after free in WebRTC
* CVE-2026-15122: Insufficient validation of untrusted input in Codecs
* CVE-2026-15123: Insufficient data validation in DOM
* CVE-2026-15124: Insufficient policy enforcement in Passwords
* CVE-2026-15125: Inappropriate implementation in Forms
* CVE-2026-15126: Use after free in Forms
* CVE-2026-15127: Inappropriate implementation in WebGL
* CVE-2026-15128: Inappropriate implementation in Forms
* CVE-2026-15130: Insufficient policy enforcement in Navigation
* CVE-2026-15107: Use after free in IndexedDB
* CVE-2026-15131: Insufficient data validation in Navigation

- Chromium 150.0.7871.100:
* stability improvements, no further information available

Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- openSUSE Backports SLE-15-SP7:

zypper in -t patch openSUSE-2026-238=1

Package List:

- openSUSE Backports SLE-15-SP7 (aarch64 ppc64le x86_64):

chromedriver-150.0.7871.114-bp157.2.184.1
chromium-150.0.7871.114-bp157.2.184.1

References:

https://www.suse.com/security/cve/CVE-2026-15107.html
https://www.suse.com/security/cve/CVE-2026-15108.html
https://www.suse.com/security/cve/CVE-2026-15109.html
https://www.suse.com/security/cve/CVE-2026-15110.html
https://www.suse.com/security/cve/CVE-2026-15111.html
https://www.suse.com/security/cve/CVE-2026-15112.html
https://www.suse.com/security/cve/CVE-2026-15113.html
https://www.suse.com/security/cve/CVE-2026-15114.html
https://www.suse.com/security/cve/CVE-2026-15115.html
https://www.suse.com/security/cve/CVE-2026-15116.html
https://www.suse.com/security/cve/CVE-2026-15117.html
https://www.suse.com/security/cve/CVE-2026-15118.html
https://www.suse.com/security/cve/CVE-2026-15119.html
https://www.suse.com/security/cve/CVE-2026-15120.html
https://www.suse.com/security/cve/CVE-2026-15121.html
https://www.suse.com/security/cve/CVE-2026-15122.html
https://www.suse.com/security/cve/CVE-2026-15123.html
https://www.suse.com/security/cve/CVE-2026-15124.html
https://www.suse.com/security/cve/CVE-2026-15125.html
https://www.suse.com/security/cve/CVE-2026-15126.html
https://www.suse.com/security/cve/CVE-2026-15127.html
https://www.suse.com/security/cve/CVE-2026-15128.html
https://www.suse.com/security/cve/CVE-2026-15129.html
https://www.suse.com/security/cve/CVE-2026-15130.html
https://www.suse.com/security/cve/CVE-2026-15131.html
https://www.suse.com/security/cve/CVE-2026-15132.html
https://www.suse.com/security/cve/CVE-2026-15133.html
https://bugzilla.suse.com/1271093



SUSE-SU-2026:2844-1: important: Security update for gstreamer-plugins-good


# Security update for gstreamer-plugins-good

Announcement ID: SUSE-SU-2026:2844-1
Release Date: 2026-07-10T10:29:20Z
Rating: important
References:

* bsc#1268449

Cross-References:

* CVE-2026-53705

CVSS scores:

* CVE-2026-53705 ( SUSE ): 7.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H
* CVE-2026-53705 ( NVD ): 7.6 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:H
* CVE-2026-53705 ( NVD ): 7.6 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:H

Affected Products:

* openSUSE Leap 15.4
* SUSE Linux Enterprise High Performance Computing 15 SP4
* SUSE Linux Enterprise High Performance Computing ESPOS 15 SP4
* SUSE Linux Enterprise High Performance Computing LTSS 15 SP4
* SUSE Linux Enterprise Server 15 SP4
* SUSE Linux Enterprise Server 15 SP4 LTSS
* SUSE Linux Enterprise Server for SAP Applications 15 SP4

An update that solves one vulnerability can now be installed.

## Description:

This update for gstreamer-plugins-good fixes the following issue

* CVE-2026-53705: Heap buffer overflow in WavPack decoder via integer overflow
(bsc#1268449).

## Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like
YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

* SUSE Linux Enterprise Server 15 SP4 LTSS
zypper in -t patch SUSE-SLE-Product-SLES-15-SP4-LTSS-2026-2844=1

* SUSE Linux Enterprise Server for SAP Applications 15 SP4
zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-SP4-2026-2844=1

* SUSE Linux Enterprise High Performance Computing LTSS 15 SP4
zypper in -t patch SUSE-SLE-Product-HPC-15-SP4-LTSS-2026-2844=1

* SUSE Linux Enterprise High Performance Computing ESPOS 15 SP4
zypper in -t patch SUSE-SLE-Product-HPC-15-SP4-ESPOS-2026-2844=1

* openSUSE Leap 15.4
zypper in -t patch SUSE-2026-2844=1

## Package List:

* SUSE Linux Enterprise Server 15 SP4 LTSS (aarch64 ppc64le s390x x86_64)
* gstreamer-plugins-good-1.20.1-150400.3.17.1
* gstreamer-plugins-good-debugsource-1.20.1-150400.3.17.1
* gstreamer-plugins-good-debuginfo-1.20.1-150400.3.17.1
* SUSE Linux Enterprise Server 15 SP4 LTSS (noarch)
* gstreamer-plugins-good-lang-1.20.1-150400.3.17.1
* openSUSE Leap 15.4 (aarch64_ilp32)
* gstreamer-plugins-good-extra-64bit-1.20.1-150400.3.17.1
* gstreamer-plugins-good-jack-64bit-debuginfo-1.20.1-150400.3.17.1
* gstreamer-plugins-good-jack-64bit-1.20.1-150400.3.17.1
* gstreamer-plugins-good-extra-64bit-debuginfo-1.20.1-150400.3.17.1
* gstreamer-plugins-good-64bit-1.20.1-150400.3.17.1
* gstreamer-plugins-good-64bit-debuginfo-1.20.1-150400.3.17.1
* openSUSE Leap 15.4 (aarch64 i586 ppc64le s390x x86_64)
* gstreamer-plugins-good-gtk-1.20.1-150400.3.17.1
* gstreamer-plugins-good-debugsource-1.20.1-150400.3.17.1
* gstreamer-plugins-good-debuginfo-1.20.1-150400.3.17.1
* gstreamer-plugins-good-1.20.1-150400.3.17.1
* gstreamer-plugins-good-qtqml-debuginfo-1.20.1-150400.3.17.1
* gstreamer-plugins-good-qtqml-1.20.1-150400.3.17.1
* gstreamer-plugins-good-extra-1.20.1-150400.3.17.1
* gstreamer-plugins-good-jack-1.20.1-150400.3.17.1
* gstreamer-plugins-good-gtk-debuginfo-1.20.1-150400.3.17.1
* gstreamer-plugins-good-jack-debuginfo-1.20.1-150400.3.17.1
* gstreamer-plugins-good-extra-debuginfo-1.20.1-150400.3.17.1
* openSUSE Leap 15.4 (x86_64)
* gstreamer-plugins-good-jack-32bit-debuginfo-1.20.1-150400.3.17.1
* gstreamer-plugins-good-32bit-1.20.1-150400.3.17.1
* gstreamer-plugins-good-32bit-debuginfo-1.20.1-150400.3.17.1
* gstreamer-plugins-good-jack-32bit-1.20.1-150400.3.17.1
* gstreamer-plugins-good-extra-32bit-1.20.1-150400.3.17.1
* gstreamer-plugins-good-extra-32bit-debuginfo-1.20.1-150400.3.17.1
* openSUSE Leap 15.4 (noarch)
* gstreamer-plugins-good-lang-1.20.1-150400.3.17.1
* SUSE Linux Enterprise High Performance Computing LTSS 15 SP4 (noarch)
* gstreamer-plugins-good-lang-1.20.1-150400.3.17.1
* SUSE Linux Enterprise High Performance Computing LTSS 15 SP4 (aarch64
x86_64)
* gstreamer-plugins-good-1.20.1-150400.3.17.1
* gstreamer-plugins-good-debugsource-1.20.1-150400.3.17.1
* gstreamer-plugins-good-debuginfo-1.20.1-150400.3.17.1
* SUSE Linux Enterprise Server for SAP Applications 15 SP4 (ppc64le x86_64)
* gstreamer-plugins-good-debugsource-1.20.1-150400.3.17.1
* gstreamer-plugins-good-1.20.1-150400.3.17.1
* gstreamer-plugins-good-debuginfo-1.20.1-150400.3.17.1
* SUSE Linux Enterprise Server for SAP Applications 15 SP4 (noarch)
* gstreamer-plugins-good-lang-1.20.1-150400.3.17.1
* SUSE Linux Enterprise High Performance Computing ESPOS 15 SP4 (noarch)
* gstreamer-plugins-good-lang-1.20.1-150400.3.17.1
* SUSE Linux Enterprise High Performance Computing ESPOS 15 SP4 (aarch64
x86_64)
* gstreamer-plugins-good-debugsource-1.20.1-150400.3.17.1
* gstreamer-plugins-good-1.20.1-150400.3.17.1
* gstreamer-plugins-good-debuginfo-1.20.1-150400.3.17.1

## References:

* https://www.suse.com/security/cve/CVE-2026-53705.html
* https://bugzilla.suse.com/show_bug.cgi?id=1268449



SUSE-SU-2026:2842-1: important: Security update for gstreamer-plugins-good


# Security update for gstreamer-plugins-good

Announcement ID: SUSE-SU-2026:2842-1
Release Date: 2026-07-10T10:25:06Z
Rating: important
References:

* bsc#1268449

Cross-References:

* CVE-2026-53705

CVSS scores:

* CVE-2026-53705 ( SUSE ): 7.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H
* CVE-2026-53705 ( NVD ): 7.6 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:H
* CVE-2026-53705 ( NVD ): 7.6 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:H

Affected Products:

* openSUSE Leap 15.5
* SUSE Linux Enterprise High Performance Computing 15 SP5
* SUSE Linux Enterprise High Performance Computing ESPOS 15 SP5
* SUSE Linux Enterprise High Performance Computing LTSS 15 SP5
* SUSE Linux Enterprise Server 15 SP5
* SUSE Linux Enterprise Server 15 SP5 LTSS
* SUSE Linux Enterprise Server for SAP Applications 15 SP5

An update that solves one vulnerability can now be installed.

## Description:

This update for gstreamer-plugins-good fixes the following issue

* CVE-2026-53705: Heap buffer overflow in WavPack decoder via integer overflow
(bsc#1268449).

## Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like
YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

* SUSE Linux Enterprise Server for SAP Applications 15 SP5
zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-SP5-2026-2842=1

* SUSE Linux Enterprise High Performance Computing LTSS 15 SP5
zypper in -t patch SUSE-SLE-Product-HPC-15-SP5-LTSS-2026-2842=1

* SUSE Linux Enterprise Server 15 SP5 LTSS
zypper in -t patch SUSE-SLE-Product-SLES-15-SP5-LTSS-2026-2842=1

* SUSE Linux Enterprise High Performance Computing ESPOS 15 SP5
zypper in -t patch SUSE-SLE-Product-HPC-15-SP5-ESPOS-2026-2842=1

* openSUSE Leap 15.5
zypper in -t patch SUSE-2026-2842=1

## Package List:

* openSUSE Leap 15.5 (aarch64 i586 ppc64le s390x x86_64)
* gstreamer-plugins-good-qtqml-1.22.0-150500.4.13.1
* gstreamer-plugins-good-gtk-debuginfo-1.22.0-150500.4.13.1
* gstreamer-plugins-good-qtqml-debuginfo-1.22.0-150500.4.13.1
* gstreamer-plugins-good-extra-1.22.0-150500.4.13.1
* gstreamer-plugins-good-jack-debuginfo-1.22.0-150500.4.13.1
* gstreamer-plugins-good-jack-1.22.0-150500.4.13.1
* gstreamer-plugins-good-debugsource-1.22.0-150500.4.13.1
* gstreamer-plugins-good-extra-debuginfo-1.22.0-150500.4.13.1
* gstreamer-plugins-good-1.22.0-150500.4.13.1
* gstreamer-plugins-good-gtk-1.22.0-150500.4.13.1
* gstreamer-plugins-good-debuginfo-1.22.0-150500.4.13.1
* openSUSE Leap 15.5 (noarch)
* gstreamer-plugins-good-lang-1.22.0-150500.4.13.1
* openSUSE Leap 15.5 (x86_64)
* gstreamer-plugins-good-32bit-1.22.0-150500.4.13.1
* gstreamer-plugins-good-jack-32bit-1.22.0-150500.4.13.1
* gstreamer-plugins-good-jack-32bit-debuginfo-1.22.0-150500.4.13.1
* gstreamer-plugins-good-32bit-debuginfo-1.22.0-150500.4.13.1
* gstreamer-plugins-good-extra-32bit-debuginfo-1.22.0-150500.4.13.1
* gstreamer-plugins-good-extra-32bit-1.22.0-150500.4.13.1
* openSUSE Leap 15.5 (aarch64_ilp32)
* gstreamer-plugins-good-jack-64bit-1.22.0-150500.4.13.1
* gstreamer-plugins-good-jack-64bit-debuginfo-1.22.0-150500.4.13.1
* gstreamer-plugins-good-64bit-debuginfo-1.22.0-150500.4.13.1
* gstreamer-plugins-good-64bit-1.22.0-150500.4.13.1
* gstreamer-plugins-good-extra-64bit-1.22.0-150500.4.13.1
* gstreamer-plugins-good-extra-64bit-debuginfo-1.22.0-150500.4.13.1
* SUSE Linux Enterprise Server for SAP Applications 15 SP5 (noarch)
* gstreamer-plugins-good-lang-1.22.0-150500.4.13.1
* SUSE Linux Enterprise Server for SAP Applications 15 SP5 (ppc64le x86_64)
* gstreamer-plugins-good-debugsource-1.22.0-150500.4.13.1
* gstreamer-plugins-good-1.22.0-150500.4.13.1
* gstreamer-plugins-good-debuginfo-1.22.0-150500.4.13.1
* SUSE Linux Enterprise High Performance Computing ESPOS 15 SP5 (aarch64
x86_64)
* gstreamer-plugins-good-debugsource-1.22.0-150500.4.13.1
* gstreamer-plugins-good-1.22.0-150500.4.13.1
* gstreamer-plugins-good-debuginfo-1.22.0-150500.4.13.1
* SUSE Linux Enterprise High Performance Computing ESPOS 15 SP5 (noarch)
* gstreamer-plugins-good-lang-1.22.0-150500.4.13.1
* SUSE Linux Enterprise Server 15 SP5 LTSS (aarch64 ppc64le s390x x86_64)
* gstreamer-plugins-good-debugsource-1.22.0-150500.4.13.1
* gstreamer-plugins-good-1.22.0-150500.4.13.1
* gstreamer-plugins-good-debuginfo-1.22.0-150500.4.13.1
* SUSE Linux Enterprise Server 15 SP5 LTSS (noarch)
* gstreamer-plugins-good-lang-1.22.0-150500.4.13.1
* SUSE Linux Enterprise High Performance Computing LTSS 15 SP5 (aarch64
x86_64)
* gstreamer-plugins-good-debugsource-1.22.0-150500.4.13.1
* gstreamer-plugins-good-1.22.0-150500.4.13.1
* gstreamer-plugins-good-debuginfo-1.22.0-150500.4.13.1
* SUSE Linux Enterprise High Performance Computing LTSS 15 SP5 (noarch)
* gstreamer-plugins-good-lang-1.22.0-150500.4.13.1

## References:

* https://www.suse.com/security/cve/CVE-2026-53705.html
* https://bugzilla.suse.com/show_bug.cgi?id=1268449



SUSE-SU-2026:2843-1: important: Security update for gstreamer-plugins-good


# Security update for gstreamer-plugins-good

Announcement ID: SUSE-SU-2026:2843-1
Release Date: 2026-07-10T10:28:30Z
Rating: important
References:

* bsc#1268449

Cross-References:

* CVE-2026-53705

CVSS scores:

* CVE-2026-53705 ( SUSE ): 7.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H
* CVE-2026-53705 ( NVD ): 7.6 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:H
* CVE-2026-53705 ( NVD ): 7.6 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:H

Affected Products:

* Basesystem Module 15-SP7
* openSUSE Leap 15.6
* SUSE Linux Enterprise Desktop 15 SP7
* SUSE Linux Enterprise Real Time 15 SP7
* SUSE Linux Enterprise Server 15 SP6
* SUSE Linux Enterprise Server 15 SP6 LTSS
* SUSE Linux Enterprise Server 15 SP7
* SUSE Linux Enterprise Server for SAP Applications 15 SP6
* SUSE Linux Enterprise Server for SAP Applications 15 SP7
* SUSE Linux Enterprise Workstation Extension 15 SP7

An update that solves one vulnerability can now be installed.

## Description:

This update for gstreamer-plugins-good fixes the following issue

* CVE-2026-53705: Heap buffer overflow in WavPack decoder via integer overflow
(bsc#1268449).

## Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like
YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

* openSUSE Leap 15.6
zypper in -t patch SUSE-2026-2843=1

* SUSE Linux Enterprise Server for SAP Applications 15 SP6
zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-SP6-2026-2843=1

* SUSE Linux Enterprise Server 15 SP6 LTSS
zypper in -t patch SUSE-SLE-Product-SLES-15-SP6-LTSS-2026-2843=1

* Basesystem Module 15-SP7
zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP7-2026-2843=1

* SUSE Linux Enterprise Workstation Extension 15 SP7
zypper in -t patch SUSE-SLE-Product-WE-15-SP7-2026-2843=1

## Package List:

* SUSE Linux Enterprise Server 15 SP6 LTSS (aarch64 ppc64le s390x x86_64)
* gstreamer-plugins-good-debugsource-1.24.0-150600.3.10.1
* gstreamer-plugins-good-1.24.0-150600.3.10.1
* gstreamer-plugins-good-debuginfo-1.24.0-150600.3.10.1
* SUSE Linux Enterprise Server 15 SP6 LTSS (noarch)
* gstreamer-plugins-good-lang-1.24.0-150600.3.10.1
* Basesystem Module 15-SP7 (aarch64 ppc64le s390x x86_64)
* gstreamer-plugins-good-debugsource-1.24.0-150600.3.10.1
* gstreamer-plugins-good-1.24.0-150600.3.10.1
* gstreamer-plugins-good-debuginfo-1.24.0-150600.3.10.1
* Basesystem Module 15-SP7 (noarch)
* gstreamer-plugins-good-lang-1.24.0-150600.3.10.1
* openSUSE Leap 15.6 (aarch64_ilp32)
* gstreamer-plugins-good-jack-64bit-1.24.0-150600.3.10.1
* gstreamer-plugins-good-64bit-1.24.0-150600.3.10.1
* gstreamer-plugins-good-extra-64bit-1.24.0-150600.3.10.1
* gstreamer-plugins-good-jack-64bit-debuginfo-1.24.0-150600.3.10.1
* gstreamer-plugins-good-extra-64bit-debuginfo-1.24.0-150600.3.10.1
* gstreamer-plugins-good-64bit-debuginfo-1.24.0-150600.3.10.1
* openSUSE Leap 15.6 (aarch64 i586 ppc64le s390x x86_64)
* gstreamer-plugins-good-gtk-debuginfo-1.24.0-150600.3.10.1
* gstreamer-plugins-good-debuginfo-1.24.0-150600.3.10.1
* gstreamer-plugins-good-gtk-1.24.0-150600.3.10.1
* gstreamer-plugins-good-jack-debuginfo-1.24.0-150600.3.10.1
* gstreamer-plugins-good-extra-1.24.0-150600.3.10.1
* gstreamer-plugins-good-qtqml-1.24.0-150600.3.10.1
* gstreamer-plugins-good-extra-debuginfo-1.24.0-150600.3.10.1
* gstreamer-plugins-good-debugsource-1.24.0-150600.3.10.1
* gstreamer-plugins-good-jack-1.24.0-150600.3.10.1
* gstreamer-plugins-good-qtqml-debuginfo-1.24.0-150600.3.10.1
* gstreamer-plugins-good-1.24.0-150600.3.10.1
* openSUSE Leap 15.6 (x86_64)
* gstreamer-plugins-good-32bit-debuginfo-1.24.0-150600.3.10.1
* gstreamer-plugins-good-extra-32bit-debuginfo-1.24.0-150600.3.10.1
* gstreamer-plugins-good-extra-32bit-1.24.0-150600.3.10.1
* gstreamer-plugins-good-jack-32bit-debuginfo-1.24.0-150600.3.10.1
* gstreamer-plugins-good-32bit-1.24.0-150600.3.10.1
* gstreamer-plugins-good-jack-32bit-1.24.0-150600.3.10.1
* openSUSE Leap 15.6 (noarch)
* gstreamer-plugins-good-lang-1.24.0-150600.3.10.1
* SUSE Linux Enterprise Server for SAP Applications 15 SP6 (noarch)
* gstreamer-plugins-good-lang-1.24.0-150600.3.10.1
* SUSE Linux Enterprise Server for SAP Applications 15 SP6 (ppc64le x86_64)
* gstreamer-plugins-good-debugsource-1.24.0-150600.3.10.1
* gstreamer-plugins-good-1.24.0-150600.3.10.1
* gstreamer-plugins-good-debuginfo-1.24.0-150600.3.10.1
* SUSE Linux Enterprise Workstation Extension 15 SP7 (x86_64)
* gstreamer-plugins-good-debugsource-1.24.0-150600.3.10.1
* gstreamer-plugins-good-gtk-debuginfo-1.24.0-150600.3.10.1
* gstreamer-plugins-good-debuginfo-1.24.0-150600.3.10.1
* gstreamer-plugins-good-gtk-1.24.0-150600.3.10.1

## References:

* https://www.suse.com/security/cve/CVE-2026-53705.html
* https://bugzilla.suse.com/show_bug.cgi?id=1268449



SUSE-SU-2026:2847-1: important: Security update for krb5


# Security update for krb5

Announcement ID: SUSE-SU-2026:2847-1
Release Date: 2026-07-10T11:38:37Z
Rating: important
References:

* bsc#1268131

Cross-References:

* CVE-2026-11850

CVSS scores:

* CVE-2026-11850 ( SUSE ): 5.9 CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:H
* CVE-2026-11850 ( NVD ): 5.0 CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:N/A:H

Affected Products:

* openSUSE Leap 15.5
* SUSE Linux Enterprise High Performance Computing 15 SP5
* SUSE Linux Enterprise High Performance Computing ESPOS 15 SP5
* SUSE Linux Enterprise High Performance Computing LTSS 15 SP5
* SUSE Linux Enterprise Micro 5.5
* SUSE Linux Enterprise Server 15 SP5
* SUSE Linux Enterprise Server 15 SP5 LTSS
* SUSE Linux Enterprise Server for SAP Applications 15 SP5

An update that solves one vulnerability can now be installed.

## Description:

This update for krb5 fixes the following issue

* CVE-2026-11850: integer underflow in berval2tl_data() leads to heap out-of-
bounds read (bsc#1268131).

## Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like
YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

* SUSE Linux Enterprise Micro 5.5
zypper in -t patch SUSE-SLE-Micro-5.5-2026-2847=1

* SUSE Linux Enterprise High Performance Computing LTSS 15 SP5
zypper in -t patch SUSE-SLE-Product-HPC-15-SP5-LTSS-2026-2847=1

* SUSE Linux Enterprise Server 15 SP5 LTSS
zypper in -t patch SUSE-SLE-Product-SLES-15-SP5-LTSS-2026-2847=1

* SUSE Linux Enterprise Server for SAP Applications 15 SP5
zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-SP5-2026-2847=1

* openSUSE Leap 15.5
zypper in -t patch SUSE-2026-2847=1

* SUSE Linux Enterprise High Performance Computing ESPOS 15 SP5
zypper in -t patch SUSE-SLE-Product-HPC-15-SP5-ESPOS-2026-2847=1

## Package List:

* SUSE Linux Enterprise Server 15 SP5 LTSS (aarch64 ppc64le s390x x86_64)
* krb5-devel-1.20.1-150500.3.23.1
* krb5-plugin-kdb-ldap-1.20.1-150500.3.23.1
* krb5-client-debuginfo-1.20.1-150500.3.23.1
* krb5-server-debuginfo-1.20.1-150500.3.23.1
* krb5-plugin-preauth-pkinit-1.20.1-150500.3.23.1
* krb5-plugin-preauth-otp-1.20.1-150500.3.23.1
* krb5-client-1.20.1-150500.3.23.1
* krb5-plugin-kdb-ldap-debuginfo-1.20.1-150500.3.23.1
* krb5-plugin-preauth-otp-debuginfo-1.20.1-150500.3.23.1
* krb5-1.20.1-150500.3.23.1
* krb5-debugsource-1.20.1-150500.3.23.1
* krb5-plugin-preauth-pkinit-debuginfo-1.20.1-150500.3.23.1
* krb5-debuginfo-1.20.1-150500.3.23.1
* krb5-server-1.20.1-150500.3.23.1
* SUSE Linux Enterprise Server 15 SP5 LTSS (x86_64)
* krb5-32bit-debuginfo-1.20.1-150500.3.23.1
* krb5-32bit-1.20.1-150500.3.23.1
* openSUSE Leap 15.5 (aarch64 i586 ppc64le s390x x86_64)
* krb5-client-1.20.1-150500.3.23.1
* krb5-plugin-kdb-ldap-debuginfo-1.20.1-150500.3.23.1
* krb5-plugin-kdb-ldap-1.20.1-150500.3.23.1
* krb5-server-debuginfo-1.20.1-150500.3.23.1
* krb5-plugin-preauth-otp-1.20.1-150500.3.23.1
* krb5-mini-debugsource-1.20.1-150500.3.23.1
* krb5-1.20.1-150500.3.23.1
* krb5-plugin-preauth-pkinit-debuginfo-1.20.1-150500.3.23.1
* krb5-debuginfo-1.20.1-150500.3.23.1
* krb5-plugin-preauth-pkinit-1.20.1-150500.3.23.1
* krb5-client-debuginfo-1.20.1-150500.3.23.1
* krb5-mini-1.20.1-150500.3.23.1
* krb5-plugin-preauth-otp-debuginfo-1.20.1-150500.3.23.1
* krb5-debugsource-1.20.1-150500.3.23.1
* krb5-plugin-preauth-spake-debuginfo-1.20.1-150500.3.23.1
* krb5-devel-1.20.1-150500.3.23.1
* krb5-mini-debuginfo-1.20.1-150500.3.23.1
* krb5-mini-devel-1.20.1-150500.3.23.1
* krb5-plugin-preauth-spake-1.20.1-150500.3.23.1
* krb5-server-1.20.1-150500.3.23.1
* openSUSE Leap 15.5 (aarch64_ilp32)
* krb5-devel-64bit-1.20.1-150500.3.23.1
* krb5-64bit-debuginfo-1.20.1-150500.3.23.1
* krb5-64bit-1.20.1-150500.3.23.1
* openSUSE Leap 15.5 (x86_64)
* krb5-devel-32bit-1.20.1-150500.3.23.1
* krb5-32bit-debuginfo-1.20.1-150500.3.23.1
* krb5-32bit-1.20.1-150500.3.23.1
* SUSE Linux Enterprise Micro 5.5 (aarch64 ppc64le s390x x86_64)
* krb5-1.20.1-150500.3.23.1
* krb5-debugsource-1.20.1-150500.3.23.1
* krb5-debuginfo-1.20.1-150500.3.23.1
* krb5-client-1.20.1-150500.3.23.1
* SUSE Linux Enterprise Server for SAP Applications 15 SP5 (ppc64le x86_64)
* krb5-plugin-kdb-ldap-1.20.1-150500.3.23.1
* krb5-devel-1.20.1-150500.3.23.1
* krb5-server-1.20.1-150500.3.23.1
* krb5-client-debuginfo-1.20.1-150500.3.23.1
* krb5-server-debuginfo-1.20.1-150500.3.23.1
* krb5-plugin-preauth-otp-1.20.1-150500.3.23.1
* krb5-client-1.20.1-150500.3.23.1
* krb5-plugin-kdb-ldap-debuginfo-1.20.1-150500.3.23.1
* krb5-plugin-preauth-otp-debuginfo-1.20.1-150500.3.23.1
* krb5-1.20.1-150500.3.23.1
* krb5-debugsource-1.20.1-150500.3.23.1
* krb5-plugin-preauth-pkinit-debuginfo-1.20.1-150500.3.23.1
* krb5-debuginfo-1.20.1-150500.3.23.1
* krb5-plugin-preauth-pkinit-1.20.1-150500.3.23.1
* SUSE Linux Enterprise Server for SAP Applications 15 SP5 (x86_64)
* krb5-32bit-debuginfo-1.20.1-150500.3.23.1
* krb5-32bit-1.20.1-150500.3.23.1
* SUSE Linux Enterprise High Performance Computing ESPOS 15 SP5 (aarch64
x86_64)
* krb5-plugin-kdb-ldap-1.20.1-150500.3.23.1
* krb5-devel-1.20.1-150500.3.23.1
* krb5-server-1.20.1-150500.3.23.1
* krb5-server-debuginfo-1.20.1-150500.3.23.1
* krb5-client-debuginfo-1.20.1-150500.3.23.1
* krb5-plugin-preauth-otp-1.20.1-150500.3.23.1
* krb5-client-1.20.1-150500.3.23.1
* krb5-plugin-kdb-ldap-debuginfo-1.20.1-150500.3.23.1
* krb5-plugin-preauth-otp-debuginfo-1.20.1-150500.3.23.1
* krb5-1.20.1-150500.3.23.1
* krb5-debugsource-1.20.1-150500.3.23.1
* krb5-plugin-preauth-pkinit-debuginfo-1.20.1-150500.3.23.1
* krb5-debuginfo-1.20.1-150500.3.23.1
* krb5-plugin-preauth-pkinit-1.20.1-150500.3.23.1
* SUSE Linux Enterprise High Performance Computing ESPOS 15 SP5 (x86_64)
* krb5-32bit-debuginfo-1.20.1-150500.3.23.1
* krb5-32bit-1.20.1-150500.3.23.1
* SUSE Linux Enterprise High Performance Computing LTSS 15 SP5 (aarch64
x86_64)
* krb5-plugin-kdb-ldap-1.20.1-150500.3.23.1
* krb5-devel-1.20.1-150500.3.23.1
* krb5-client-debuginfo-1.20.1-150500.3.23.1
* krb5-server-debuginfo-1.20.1-150500.3.23.1
* krb5-plugin-preauth-pkinit-1.20.1-150500.3.23.1
* krb5-plugin-preauth-otp-1.20.1-150500.3.23.1
* krb5-client-1.20.1-150500.3.23.1
* krb5-plugin-kdb-ldap-debuginfo-1.20.1-150500.3.23.1
* krb5-plugin-preauth-otp-debuginfo-1.20.1-150500.3.23.1
* krb5-1.20.1-150500.3.23.1
* krb5-debugsource-1.20.1-150500.3.23.1
* krb5-plugin-preauth-pkinit-debuginfo-1.20.1-150500.3.23.1
* krb5-debuginfo-1.20.1-150500.3.23.1
* krb5-server-1.20.1-150500.3.23.1
* SUSE Linux Enterprise High Performance Computing LTSS 15 SP5 (x86_64)
* krb5-32bit-debuginfo-1.20.1-150500.3.23.1
* krb5-32bit-1.20.1-150500.3.23.1

## References:

* https://www.suse.com/security/cve/CVE-2026-11850.html
* https://bugzilla.suse.com/show_bug.cgi?id=1268131



SUSE-SU-2026:2848-1: important: Security update for krb5, krb5-mini


# Security update for krb5, krb5-mini

Announcement ID: SUSE-SU-2026:2848-1
Release Date: 2026-07-10T11:39:12Z
Rating: important
References:

* bsc#1263366
* bsc#1263367
* bsc#1268131

Cross-References:

* CVE-2026-11850
* CVE-2026-40355
* CVE-2026-40356

CVSS scores:

* CVE-2026-11850 ( SUSE ): 5.9 CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:H
* CVE-2026-11850 ( NVD ): 5.0 CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:N/A:H
* CVE-2026-40355 ( SUSE ): 5.9 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
* CVE-2026-40355 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
* CVE-2026-40355 ( NVD ): 5.9 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
* CVE-2026-40356 ( SUSE ): 5.9 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
* CVE-2026-40356 ( NVD ): 5.9 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
* CVE-2026-40356 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Affected Products:

* Basesystem Module 15-SP7
* openSUSE Leap 15.6
* Server Applications Module 15-SP7
* SUSE Linux Enterprise Desktop 15 SP7
* SUSE Linux Enterprise Real Time 15 SP7
* SUSE Linux Enterprise Server 15 SP6
* SUSE Linux Enterprise Server 15 SP6 LTSS
* SUSE Linux Enterprise Server 15 SP7
* SUSE Linux Enterprise Server for SAP Applications 15 SP6
* SUSE Linux Enterprise Server for SAP Applications 15 SP7

An update that solves three vulnerabilities can now be installed.

## Description:

This update for krb5, krb5-mini fixes the following issues

* CVE-2026-11850: integer underflow in berval2tl_data() leads to heap out-of-
bounds read (bsc#1268131).
* CVE-2026-40355: Denial of Service via NULL pointer dereference in NegoEx
mechanism (bsc#1263366).
* CVE-2026-40356: Denial of Service via integer underflow and out-of-bounds
read (bsc#1263367).

## Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like
YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

* Basesystem Module 15-SP7
zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP7-2026-2848=1

* Server Applications Module 15-SP7
zypper in -t patch SUSE-SLE-Module-Server-Applications-15-SP7-2026-2848=1

* openSUSE Leap 15.6
zypper in -t patch SUSE-2026-2848=1

* SUSE Linux Enterprise Server for SAP Applications 15 SP6
zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-SP6-2026-2848=1

* SUSE Linux Enterprise Server 15 SP6 LTSS
zypper in -t patch SUSE-SLE-Product-SLES-15-SP6-LTSS-2026-2848=1

## Package List:

* Basesystem Module 15-SP7 (aarch64 ppc64le s390x x86_64)
* krb5-1.20.1-150600.11.19.1
* krb5-plugin-preauth-pkinit-debuginfo-1.20.1-150600.11.19.1
* krb5-debugsource-1.20.1-150600.11.19.1
* krb5-devel-1.20.1-150600.11.19.1
* krb5-client-1.20.1-150600.11.19.1
* krb5-plugin-preauth-pkinit-1.20.1-150600.11.19.1
* krb5-debuginfo-1.20.1-150600.11.19.1
* krb5-plugin-preauth-otp-1.20.1-150600.11.19.1
* krb5-plugin-preauth-otp-debuginfo-1.20.1-150600.11.19.1
* krb5-client-debuginfo-1.20.1-150600.11.19.1
* Basesystem Module 15-SP7 (x86_64)
* krb5-32bit-debuginfo-1.20.1-150600.11.19.1
* krb5-32bit-1.20.1-150600.11.19.1
* SUSE Linux Enterprise Server 15 SP6 LTSS (aarch64 ppc64le s390x x86_64)
* krb5-plugin-preauth-pkinit-debuginfo-1.20.1-150600.11.19.1
* krb5-1.20.1-150600.11.19.1
* krb5-debugsource-1.20.1-150600.11.19.1
* krb5-devel-1.20.1-150600.11.19.1
* krb5-server-debuginfo-1.20.1-150600.11.19.1
* krb5-client-1.20.1-150600.11.19.1
* krb5-plugin-preauth-pkinit-1.20.1-150600.11.19.1
* krb5-debuginfo-1.20.1-150600.11.19.1
* krb5-plugin-preauth-otp-1.20.1-150600.11.19.1
* krb5-plugin-preauth-otp-debuginfo-1.20.1-150600.11.19.1
* krb5-plugin-kdb-ldap-debuginfo-1.20.1-150600.11.19.1
* krb5-plugin-kdb-ldap-1.20.1-150600.11.19.1
* krb5-server-1.20.1-150600.11.19.1
* krb5-client-debuginfo-1.20.1-150600.11.19.1
* SUSE Linux Enterprise Server 15 SP6 LTSS (x86_64)
* krb5-32bit-debuginfo-1.20.1-150600.11.19.1
* krb5-32bit-1.20.1-150600.11.19.1
* SUSE Linux Enterprise Server for SAP Applications 15 SP6 (ppc64le x86_64)
* krb5-plugin-preauth-pkinit-debuginfo-1.20.1-150600.11.19.1
* krb5-1.20.1-150600.11.19.1
* krb5-debugsource-1.20.1-150600.11.19.1
* krb5-devel-1.20.1-150600.11.19.1
* krb5-client-1.20.1-150600.11.19.1
* krb5-server-debuginfo-1.20.1-150600.11.19.1
* krb5-plugin-preauth-pkinit-1.20.1-150600.11.19.1
* krb5-debuginfo-1.20.1-150600.11.19.1
* krb5-plugin-preauth-otp-1.20.1-150600.11.19.1
* krb5-plugin-preauth-otp-debuginfo-1.20.1-150600.11.19.1
* krb5-plugin-kdb-ldap-debuginfo-1.20.1-150600.11.19.1
* krb5-plugin-kdb-ldap-1.20.1-150600.11.19.1
* krb5-server-1.20.1-150600.11.19.1
* krb5-client-debuginfo-1.20.1-150600.11.19.1
* SUSE Linux Enterprise Server for SAP Applications 15 SP6 (x86_64)
* krb5-32bit-debuginfo-1.20.1-150600.11.19.1
* krb5-32bit-1.20.1-150600.11.19.1
* openSUSE Leap 15.6 (aarch64 i586 ppc64le s390x x86_64)
* krb5-1.20.1-150600.11.19.1
* krb5-debugsource-1.20.1-150600.11.19.1
* krb5-debuginfo-1.20.1-150600.11.19.1
* krb5-mini-devel-1.20.1-150600.11.19.1
* krb5-plugin-preauth-otp-1.20.1-150600.11.19.1
* krb5-plugin-kdb-ldap-debuginfo-1.20.1-150600.11.19.1
* krb5-plugin-kdb-ldap-1.20.1-150600.11.19.1
* krb5-client-debuginfo-1.20.1-150600.11.19.1
* krb5-devel-1.20.1-150600.11.19.1
* krb5-mini-debuginfo-1.20.1-150600.11.19.1
* krb5-plugin-preauth-spake-1.20.1-150600.11.19.1
* krb5-server-debuginfo-1.20.1-150600.11.19.1
* krb5-client-1.20.1-150600.11.19.1
* krb5-server-1.20.1-150600.11.19.1
* krb5-mini-debugsource-1.20.1-150600.11.19.1
* krb5-plugin-preauth-pkinit-debuginfo-1.20.1-150600.11.19.1
* krb5-plugin-preauth-spake-debuginfo-1.20.1-150600.11.19.1
* krb5-mini-1.20.1-150600.11.19.1
* krb5-plugin-preauth-pkinit-1.20.1-150600.11.19.1
* krb5-plugin-preauth-otp-debuginfo-1.20.1-150600.11.19.1
* openSUSE Leap 15.6 (x86_64)
* krb5-devel-32bit-1.20.1-150600.11.19.1
* krb5-32bit-1.20.1-150600.11.19.1
* krb5-32bit-debuginfo-1.20.1-150600.11.19.1
* openSUSE Leap 15.6 (aarch64_ilp32)
* krb5-64bit-debuginfo-1.20.1-150600.11.19.1
* krb5-64bit-1.20.1-150600.11.19.1
* krb5-devel-64bit-1.20.1-150600.11.19.1
* Server Applications Module 15-SP7 (aarch64 ppc64le s390x x86_64)
* krb5-debugsource-1.20.1-150600.11.19.1
* krb5-server-debuginfo-1.20.1-150600.11.19.1
* krb5-debuginfo-1.20.1-150600.11.19.1
* krb5-plugin-kdb-ldap-debuginfo-1.20.1-150600.11.19.1
* krb5-plugin-kdb-ldap-1.20.1-150600.11.19.1
* krb5-server-1.20.1-150600.11.19.1

## References:

* https://www.suse.com/security/cve/CVE-2026-11850.html
* https://www.suse.com/security/cve/CVE-2026-40355.html
* https://www.suse.com/security/cve/CVE-2026-40356.html
* https://bugzilla.suse.com/show_bug.cgi?id=1263366
* https://bugzilla.suse.com/show_bug.cgi?id=1263367
* https://bugzilla.suse.com/show_bug.cgi?id=1268131



openSUSE-SU-2026:21274-1: important: Security update for rust-keylime


openSUSE security update: security update for rust-keylime
-------------------------------------------------------------

Announcement ID: openSUSE-SU-2026:21274-1
Rating: important
References:

* bsc#1260596
* bsc#1270174
* bsc#1270523
* bsc#1270614
* bsc#1270699
* bsc#1270792
* bsc#1270842
* bsc#1270903
* bsc#1270999

Cross-References:

* CVE-2026-41676
* CVE-2026-41677
* CVE-2026-41678
* CVE-2026-41681
* CVE-2026-41898
* CVE-2026-42327
* CVE-2026-44662
* CVE-2026-45784

CVSS scores:

* CVE-2026-41676 ( SUSE ): 6.5 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:H
* CVE-2026-41676 ( SUSE ): 8.3 CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:L/VA:H/SC:N/SI:N/SA:N
* CVE-2026-41677 ( SUSE ): 3.7 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
* CVE-2026-41677 ( SUSE ): 1.7 CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N/E:U
* CVE-2026-41678 ( SUSE ): 7.4 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H
* CVE-2026-41678 ( SUSE ): 8.3 CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N
* CVE-2026-41681 ( SUSE ): 5.9 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
* CVE-2026-41681 ( SUSE ): 8.2 CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N
* CVE-2026-41898 ( SUSE ): 6.5 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:L
* CVE-2026-41898 ( SUSE ): 8.3 CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:L/SC:N/SI:N/SA:N
* CVE-2026-42327 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
* CVE-2026-42327 ( SUSE ): 8.7 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N
* CVE-2026-44662 ( SUSE ): 4.8 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L
* CVE-2026-44662 ( SUSE ): 5.1 CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N
* CVE-2026-45784 ( SUSE ): 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L
* CVE-2026-45784 ( SUSE ): 5.1 CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N

Affected Products:

openSUSE Leap 16.0

-------------------------------------------------------------

An update that solves 8 vulnerabilities and has 9 bug fixes can now be installed.

Description:

This update for rust-keylime fixes the following issues:

Update to version 0.2.9+49.

Security issues fixed:

- CVE-2026-41676: openssl: `Deriver:derive` and `PkeyCtxRef:derive` can overflow short buffers on OpenSSL 1.1.1
(bsc#1270174).
- CVE-2026-41677: openssl: out-of-bounds read in PEM password callback when returning an oversized length
(bsc#1270614).
- CVE-2026-41678: openssl: out-of-bounds write due to incorrect bounds assertion in `aes::unwrap_key()` (bsc#1270699).
- CVE-2026-41681: openssl: `MdCtxRef::digest_final()` writes past caller buffer with no length check (bsc#1270792).
- CVE-2026-41898: openssl: unchecked callback-returned length in PSK and cookie generate trampolines can leak adjacent
memory to the network (bsc#1270842).
- CVE-2026-42327: openssl: undefined behavior in `X509Ref::ocsp_responders` for certificates with non-UTF-8 OCSP URLs
(bsc#1270523).
- CVE-2026-44662: openssl: heap buffer overflow when encrypting with AES key-wrap-with-padding due to incorrectly sized
output buffers (bsc#1270903).
- CVE-2026-45784: openssl: out-of-bounds write in `CipherCtxRef::cipher_update_inplace` for AES-KW-PAD ciphers due to
incorrectly sized output buffer (bsc#1270999).

Other updates and bugfixes:

- Update openssl to 0.10.81.
- Make tss-esai-sys depend on bindgen 72.1 to support llvm > 21.
- Build with Clang cb in ip6_err_gen_icmpv6_unreach()
(bsc#1264097).
* CVE-2026-46090: ALSA: aloop: Fix peer runtime UAF during format-change stop
(bsc#1267531).
* CVE-2026-46173: exit: prevent preemption of oopsing TASK_DEAD task
(bsc#1267722).
* CVE-2026-46197: drm/amdkfd: validate SVM ioctl nattr against buffer size
(bsc#1267381).
* CVE-2026-46229: drm/amdkfd: Clear VRAM on allocation to prevent stale data
exposure (bsc#1267567).
* CVE-2026-46253: pstore/ram: fix buffer overflow in persistent_ram_save_old()
(bsc#1267635).
* CVE-2026-46266: inet: RAW sockets using IPPROTO_RAW MUST drop incoming ICMP
(bsc#1267684).
* CVE-2026-46319: net/sched: act_ct: Only release RCU read lock after ct_ft
(bsc#1268022).
* CVE-2026-46320: tap: free page on error paths in tap_get_user_xdp()
(bsc#1267993).
* CVE-2026-46330: Revert "net/smc: Introduce TCP ULP support" (bsc#1268049).
* CVE-2026-46331: net/sched: fix pedit partial COW leading to page cache
(bsc#1265421).
* CVE-2026-52909: ip6_vti: set netns_immutable on the fallback device
(bsc#1268660).
* CVE-2026-52918: Bluetooth: serialize accept_q access (bsc#1269100).
* CVE-2026-52923: ipc: limit next_id allocation to the valid ID range
(bsc#1269033).
* CVE-2026-52924: sctp: purge outqueue on stale COOKIE-ECHO handling
(bsc#1269036).
* CVE-2026-52943: net: skbuff: fix missing zerocopy reference in pskb_carve
helpers (bsc#1269022).
* CVE-2026-52955: libceph: Fix potential out-of-bounds access in
crush_decode() (bsc#1269159).
* CVE-2026-52969: KVM: Reject wrapped offset in kvm_reset_dirty_gfn()
(bsc#1269184).
* CVE-2026-52972: crypto: af_alg - Cap AEAD AD length to 0x80000000
(bsc#1269195).
* CVE-2026-52993: tipc: fix double-free in tipc_buf_append() (bsc#1269193).
* CVE-2026-53016: crypto: ccp - copy IV using skcipher ivsize (bsc#1269090).
* CVE-2026-53041: ocfs2: fix listxattr handling when the buffer is full
(bsc#1269398).
* CVE-2026-53053: iommu/amd: Fix clone_alias() to use the original device's
devid (bsc#1269310).
* CVE-2026-53071: Bluetooth: l2cap: Add missing chan lock in
l2cap_ecred_reconf_rsp (bsc#1269678).
* CVE-2026-53072: Bluetooth: fix locking in hci_conn_request_evt() with
HCI_PROTO_DEFER (bsc#1269681).
* CVE-2026-53133: RDMA/umem: Fix truncation for block sizes >= 4G
(bsc#1269821).
* CVE-2026-53253: Bluetooth: bnep: reject short frames before parsing
(bsc#1269574).
* CVE-2026-53359: KVM: x86: Fix shadow paging use-after-free due to unexpected
role (bsc#1270059).

## Special Instructions and Notes:

* Please reboot the system after installing this update.

## Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like
YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

* SUSE Linux Enterprise Micro 5.5
zypper in -t patch SUSE-SLE-Micro-5.5-2026-2840=1

* openSUSE Leap 15.5
zypper in -t patch SUSE-2026-2840=1

## Package List:

* openSUSE Leap 15.5 (x86_64)
* kernel-rt-livepatch-5.14.21-150500.13.151.1
* kernel-rt-optional-5.14.21-150500.13.151.1
* kernel-rt_debug-devel-5.14.21-150500.13.151.1
* kernel-rt-optional-debuginfo-5.14.21-150500.13.151.1
* dlm-kmp-rt-5.14.21-150500.13.151.1
* kselftests-kmp-rt-5.14.21-150500.13.151.1
* kernel-rt_debug-vdso-debuginfo-5.14.21-150500.13.151.1
* kernel-rt_debug-debugsource-5.14.21-150500.13.151.1
* kselftests-kmp-rt-debuginfo-5.14.21-150500.13.151.1
* kernel-rt-devel-debuginfo-5.14.21-150500.13.151.1
* reiserfs-kmp-rt-debuginfo-5.14.21-150500.13.151.1
* kernel-rt-vdso-debuginfo-5.14.21-150500.13.151.1
* kernel-rt-vdso-5.14.21-150500.13.151.1
* cluster-md-kmp-rt-debuginfo-5.14.21-150500.13.151.1
* kernel-rt-devel-5.14.21-150500.13.151.1
* ocfs2-kmp-rt-5.14.21-150500.13.151.1
* kernel-rt_debug-debuginfo-5.14.21-150500.13.151.1
* kernel-rt-debugsource-5.14.21-150500.13.151.1
* kernel-rt_debug-devel-debuginfo-5.14.21-150500.13.151.1
* gfs2-kmp-rt-debuginfo-5.14.21-150500.13.151.1
* kernel-rt_debug-vdso-5.14.21-150500.13.151.1
* cluster-md-kmp-rt-5.14.21-150500.13.151.1
* dlm-kmp-rt-debuginfo-5.14.21-150500.13.151.1
* ocfs2-kmp-rt-debuginfo-5.14.21-150500.13.151.1
* kernel-rt-extra-debuginfo-5.14.21-150500.13.151.1
* kernel-syms-rt-5.14.21-150500.13.151.1
* kernel-rt-extra-5.14.21-150500.13.151.1
* kernel-rt-debuginfo-5.14.21-150500.13.151.1
* gfs2-kmp-rt-5.14.21-150500.13.151.1
* kernel-rt-livepatch-devel-5.14.21-150500.13.151.1
* reiserfs-kmp-rt-5.14.21-150500.13.151.1
* openSUSE Leap 15.5 (nosrc x86_64)
* kernel-rt-5.14.21-150500.13.151.1
* kernel-rt_debug-5.14.21-150500.13.151.1
* openSUSE Leap 15.5 (noarch)
* kernel-devel-rt-5.14.21-150500.13.151.1
* kernel-source-rt-5.14.21-150500.13.151.1
* SUSE Linux Enterprise Micro 5.5 (x86_64)
* kernel-rt-debuginfo-5.14.21-150500.13.151.1
* kernel-rt-debugsource-5.14.21-150500.13.151.1
* SUSE Linux Enterprise Micro 5.5 (noarch)
* kernel-devel-rt-5.14.21-150500.13.151.1
* kernel-source-rt-5.14.21-150500.13.151.1
* SUSE Linux Enterprise Micro 5.5 (nosrc x86_64)
* kernel-rt-5.14.21-150500.13.151.1

## References:

* https://www.suse.com/security/cve/CVE-2026-31771.html
* https://www.suse.com/security/cve/CVE-2026-43038.html
* https://www.suse.com/security/cve/CVE-2026-46090.html
* https://www.suse.com/security/cve/CVE-2026-46173.html
* https://www.suse.com/security/cve/CVE-2026-46197.html
* https://www.suse.com/security/cve/CVE-2026-46229.html
* https://www.suse.com/security/cve/CVE-2026-46253.html
* https://www.suse.com/security/cve/CVE-2026-46266.html
* https://www.suse.com/security/cve/CVE-2026-46274.html
* https://www.suse.com/security/cve/CVE-2026-46319.html
* https://www.suse.com/security/cve/CVE-2026-46320.html
* https://www.suse.com/security/cve/CVE-2026-46330.html
* https://www.suse.com/security/cve/CVE-2026-46331.html
* https://www.suse.com/security/cve/CVE-2026-52909.html
* https://www.suse.com/security/cve/CVE-2026-52918.html
* https://www.suse.com/security/cve/CVE-2026-52923.html
* https://www.suse.com/security/cve/CVE-2026-52924.html
* https://www.suse.com/security/cve/CVE-2026-52943.html
* https://www.suse.com/security/cve/CVE-2026-52955.html
* https://www.suse.com/security/cve/CVE-2026-52969.html
* https://www.suse.com/security/cve/CVE-2026-52972.html
* https://www.suse.com/security/cve/CVE-2026-52993.html
* https://www.suse.com/security/cve/CVE-2026-53016.html
* https://www.suse.com/security/cve/CVE-2026-53041.html
* https://www.suse.com/security/cve/CVE-2026-53053.html
* https://www.suse.com/security/cve/CVE-2026-53071.html
* https://www.suse.com/security/cve/CVE-2026-53072.html
* https://www.suse.com/security/cve/CVE-2026-53133.html
* https://www.suse.com/security/cve/CVE-2026-53253.html
* https://www.suse.com/security/cve/CVE-2026-53359.html
* https://bugzilla.suse.com/show_bug.cgi?id=1264097
* https://bugzilla.suse.com/show_bug.cgi?id=1264145
* https://bugzilla.suse.com/show_bug.cgi?id=1265421
* https://bugzilla.suse.com/show_bug.cgi?id=1267381
* https://bugzilla.suse.com/show_bug.cgi?id=1267531
* https://bugzilla.suse.com/show_bug.cgi?id=1267567
* https://bugzilla.suse.com/show_bug.cgi?id=1267635
* https://bugzilla.suse.com/show_bug.cgi?id=1267684
* https://bugzilla.suse.com/show_bug.cgi?id=1267722
* https://bugzilla.suse.com/show_bug.cgi?id=1267918
* https://bugzilla.suse.com/show_bug.cgi?id=1267993
* https://bugzilla.suse.com/show_bug.cgi?id=1268022
* https://bugzilla.suse.com/show_bug.cgi?id=1268049
* https://bugzilla.suse.com/show_bug.cgi?id=1268660
* https://bugzilla.suse.com/show_bug.cgi?id=1269022
* https://bugzilla.suse.com/show_bug.cgi?id=1269033
* https://bugzilla.suse.com/show_bug.cgi?id=1269036
* https://bugzilla.suse.com/show_bug.cgi?id=1269090
* https://bugzilla.suse.com/show_bug.cgi?id=1269100
* https://bugzilla.suse.com/show_bug.cgi?id=1269159
* https://bugzilla.suse.com/show_bug.cgi?id=1269184
* https://bugzilla.suse.com/show_bug.cgi?id=1269193
* https://bugzilla.suse.com/show_bug.cgi?id=1269195
* https://bugzilla.suse.com/show_bug.cgi?id=1269310
* https://bugzilla.suse.com/show_bug.cgi?id=1269398
* https://bugzilla.suse.com/show_bug.cgi?id=1269574
* https://bugzilla.suse.com/show_bug.cgi?id=1269678
* https://bugzilla.suse.com/show_bug.cgi?id=1269681
* https://bugzilla.suse.com/show_bug.cgi?id=1269821
* https://bugzilla.suse.com/show_bug.cgi?id=1270059