openSUSE-SU-2026:21173-1: important: Security update for python-pydata-sphinx-theme
openSUSE-SU-2026:21169-1: moderate: Security update for python-biopython
openSUSE-SU-2026:21171-1: important: Security update for gimp
openSUSE-SU-2026:21163-1: important: Security update for yt-dlp
openSUSE-SU-2026:21157-1: important: Security update for golang-github-prometheus-alertmanager
openSUSE-SU-2026:21155-1: moderate: Security update for hamlib
openSUSE-SU-2026:21154-1: important: Security update for ofono
openSUSE-SU-2026:21153-1: moderate: Security update for xar
openSUSE-SU-2026:21168-1: critical: Security update for MozillaThunderbird
openSUSE-SU-2026:21166-1: moderate: Security update for nano
openSUSE-SU-2026:21159-1: important: Security update for python-py7zr
openSUSE-SU-2026:21161-1: moderate: Security update for python-pdm
openSUSE-SU-2026:21144-1: critical: Security update for mbedtls
openSUSE-SU-2026:21142-1: critical: Security update for perl-Compress-Raw-Zlib
openSUSE-SU-2026:21152-1: important: Security update for atril
openSUSE-SU-2026:21146-1: moderate: Security update for lldpd
openSUSE-SU-2026:21149-1: important: Security update for bitcoin
openSUSE-SU-2026:21151-1: important: Security update for warewulf4
openSUSE-SU-2026:21143-1: moderate: Security update for gleam
openSUSE-SU-2026:21140-1: critical: Security update for perl-Cpanel-JSON-XS
openSUSE-SU-2026:21145-1: moderate: Security update for mbedtls-2
openSUSE-SU-2026:21137-1: important: Security update for perl-Crypt-PasswdMD5
openSUSE-SU-2026:21136-1: moderate: Security update for golang-github-prometheus-alertmanager
openSUSE-SU-2026:21134-1: moderate: Security update for glycin-loaders
openSUSE-SU-2026:21129-1: important: Security update for webkit2gtk3
openSUSE-SU-2026:21135-1: important: Security update for chromium
openSUSE-SU-2026:21130-1: moderate: Security update for glib-networking
openSUSE-SU-2026:21127-1: moderate: Security update for python-paramiko
openSUSE-SU-2026:21126-1: moderate: Security update for perl-HTML-Parser
openSUSE-SU-2026:21123-1: important: Security update for bind
openSUSE-SU-2026:21125-1: important: Security update for perl-Protocol-HTTP2
openSUSE-SU-2026:21124-1: important: Security update for graphite2
openSUSE-SU-2026:21120-1: important: Security update for mcphost
openSUSE-SU-2026:21122-1: important: Security update for tomcat10
openSUSE-SU-2026:21119-1: important: Security update for perl-HTTP-Daemon
openSUSE-SU-2026:21117-1: important: Security update for tomcat
openSUSE-SU-2026:21121-1: important: Security update for tomcat11
openSUSE-SU-2026:21115-1: important: Security update for apache2
openSUSE-SU-2026:21114-1: important: Security update for mozjs128
openSUSE-SU-2026:21118-1: important: Security update for LibVNCServer
openSUSE-SU-2026:21116-1: important: Security update for freerdp
openSUSE-SU-2026:21113-1: important: Security update for libyang
openSUSE-SU-2026:21059-1: important: Security update for openCryptoki
openSUSE-SU-2026:21111-1: important: Security update for himmelblau
openSUSE-SU-2026:21112-1: important: Security update for xwayland
openSUSE-SU-2026:21108-1: important: Security update for ignition
openSUSE-SU-2026:21109-1: important: Security update for dovecot24
openSUSE-SU-2026:21101-1: important: Security update for libcaca
openSUSE-SU-2026:21106-1: important: Security update for papers
openSUSE-SU-2026:21104-1: important: Security update for postgresql16
openSUSE-SU-2026:21025-1: moderate: Security update for keylime
openSUSE-SU-2026:21098-1: important: Security update for python-aiohttp
openSUSE-SU-2026:21096-1: important: Security update for zypper, libzypp, libsolv
openSUSE-SU-2026:21102-1: important: Security update for postgresql14
openSUSE-SU-2026:21107-1: important: Security update for nginx
openSUSE-SU-2026:21103-1: important: Security update for postgresql15
openSUSE-SU-2026:21100-1: important: Security update for libjxl
openSUSE-SU-2026:21092-1: important: Security update for strongswan
openSUSE-SU-2026:21095-1: important: Security update for python-PyJWT
openSUSE-SU-2026:21097-1: important: Security update for ansible-core
openSUSE-SU-2026:21078-1: moderate: Security update for python-ecdsa
openSUSE-SU-2026:21093-1: important: Security update for ldns
openSUSE-SU-2026:21088-1: important: Security update for freeipmi
openSUSE-SU-2026:21091-1: important: Security update for libinput
openSUSE-SU-2026:21090-1: important: Security update for sqlite3
openSUSE-SU-2026:21083-1: important: Security update for unbound
openSUSE-SU-2026:21084-1: important: Security update for distribution
openSUSE-SU-2026:21075-1: moderate: Security update for alsa
openSUSE-SU-2026:21074-1: low: Security update for loupe
openSUSE-SU-2026:21067-1: important: Security update for python-tornado6
openSUSE-SU-2026:21076-1: important: Security update for giflib
openSUSE-SU-2026:21079-1: important: Security update for amazon-ssm-agent
openSUSE-SU-2026:21072-1: important: Security update for trivy
openSUSE-SU-2026:21070-1: important: Security update for tar
openSUSE-SU-2026:21069-1: important: Security update for google-guest-agent
openSUSE-SU-2026:21071-1: important: Security update for ImageMagick
openSUSE-SU-2026:21063-1: important: Security update for python-Markdown, python-joblib, python-handy-archives, python-apache-libcloud, python-WebOb, python-PyGithub, python-soupsieve
openSUSE-SU-2026:21061-1: important: Security update for libaom
openSUSE-SU-2026:21062-1: moderate: Security update for capnproto
openSUSE-SU-2026:21066-1: important: Security update for python-python-multipart
openSUSE-SU-2026:21054-1: important: Security update for dracut
openSUSE-SU-2026:21053-1: important: Security update for python-starlette
openSUSE-SU-2026:21055-1: important: Security update for libnfs
openSUSE-SU-2026:21057-1: important: Security update for libssh2_org
openSUSE-SU-2026:21047-1: low: Security update for libgcrypt
openSUSE-SU-2026:21045-1: moderate: Security update for perl-libwww-perl
openSUSE-SU-2026:21048-1: moderate: Security update for python-idna
openSUSE-SU-2026:21043-1: important: Security update for MozillaFirefox
openSUSE-SU-2026:21044-1: moderate: Security update for openssh
openSUSE-SU-2026:21040-1: important: Security update for sg3_utils
openSUSE-SU-2026:21038-1: important: Security update for 7zip
openSUSE-SU-2026:21032-1: moderate: Security update for firewalld
openSUSE-SU-2026:21036-1: moderate: Security update for cosign
openSUSE-SU-2026:21029-1: important: Security update for perl-DBI
openSUSE-SU-2026:21024-1: moderate: Security update for sed
openSUSE-SU-2026:21019-1: moderate: Security update for rpcbind
openSUSE-SU-2026:21020-1: moderate: Security update for postfix
openSUSE-SU-2026:21016-1: moderate: Security update for mutt
openSUSE-SU-2026:21021-1: moderate: Security update for krb5
openSUSE-SU-2026:21015-1: moderate: Security update for dnsdist
openSUSE-SU-2026:21012-1: important: Security update for perl-Config-IniFiles
openSUSE-SU-2026:21017-1: moderate: Security update for python-click
openSUSE-SU-2026:21014-1: moderate: Security update for avahi
openSUSE-SU-2026:21013-1: important: Security update for amazon-ecs-init
openSUSE-SU-2026:21011-1: important: Security update for 389-ds
openSUSE-SU-2026:21010-1: important: Security update for google-cloud-sap-agent
openSUSE-SU-2026:20993-1: important: Security update for python-pip
openSUSE-SU-2026:21005-1: important: Security update for openssl-3
openSUSE-SU-2026:21004-1: important: Security update for gsasl
openSUSE-SU-2026:20994-1: important: Security update for helm
SUSE-SU-2026:2686-1: important: Security update for apache2
openSUSE-SU-2026:11146-1: moderate: libonnxruntime1-1.26.0-1.1 on GA media
openSUSE-SU-2026:11151-1: moderate: socat-1.8.1.3-1.1 on GA media
SUSE-SU-2026:2688-1: important: Security update for sg3_utils
SUSE-SU-2026:2690-1: important: Security update for sg3_utils
SUSE-SU-2026:2696-1: important: Security update for 7zip
SUSE-SU-2026:2693-1: important: Security update for podman
SUSE-SU-2026:2691-1: important: Security update for sg3_utils
SUSE-SU-2026:2697-1: important: Security update for opensc
SUSE-SU-2026:2699-1: important: Security update for cifs-utils
SUSE-SU-2026:2701-1: important: Security update for pacemaker
SUSE-SU-2026:2706-1: important: Security update for buildah
SUSE-SU-2026:2704-1: moderate: Security update for exiv2-0_26
SUSE-SU-2026:2715-1: important: Security update for podman
SUSE-SU-2026:2712-1: moderate: Security update for xdg-desktop-portal
openSUSE-SU-2026:21173-1: important: Security update for python-pydata-sphinx-theme
openSUSE security update: security update for python-pydata-sphinx-theme
-------------------------------------------------------------
Announcement ID: openSUSE-SU-2026:21173-1
Rating: important
References:
* bsc#1264374
* bsc#1268957
Cross-References:
* CVE-2026-48779
* CVE-2026-6321
CVSS scores:
* CVE-2026-48779 ( SUSE ): 6.5 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
* CVE-2026-48779 ( SUSE ): 7.1 CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
* CVE-2026-6321 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
* CVE-2026-6321 ( SUSE ): 8.7 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N
Affected Products:
openSUSE Leap 16.0
-------------------------------------------------------------
An update that solves 2 vulnerabilities and has 2 bug fixes can now be installed.
Description:
This update for python-pydata-sphinx-theme fixes the following issues:
Changes in python-pydata-sphinx-theme:
- Refresh js dependencies:
* ws to 7.5.11 (bsc#1268957, CVE-2026-48779)
- Refresh vendored tarball (CVE-2026-6321, bsc#1264374)
Patch instructions:
To install this openSUSE security update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
- openSUSE Leap 16.0
zypper in -t patch openSUSE-Leap-16.0-packagehub-368=1
Package List:
- openSUSE Leap 16.0:
python313-pydata-sphinx-theme-0.16.1-bp160.2.1
References:
* https://www.suse.com/security/cve/CVE-2026-48779.html
* https://www.suse.com/security/cve/CVE-2026-6321.html
openSUSE-SU-2026:21169-1: moderate: Security update for python-biopython
openSUSE security update: security update for python-biopython
-------------------------------------------------------------
Announcement ID: openSUSE-SU-2026:21169-1
Rating: moderate
References:
* bsc#1255465
Cross-References:
* CVE-2025-68463
Affected Products:
openSUSE Leap 16.0
-------------------------------------------------------------
An update that solves one vulnerability and has one bug fix can now be installed.
Description:
This update for python-biopython fixes the following issues:
Changes in python-biopython:
- CVE-2025-68463: Fixed an information disclosure caused by an XXE vulnerability (boo#1255465).
Patch instructions:
To install this openSUSE security update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
- openSUSE Leap 16.0
zypper in -t patch openSUSE-Leap-16.0-packagehub-364=1
Package List:
- openSUSE Leap 16.0:
python313-biopython-1.85-bp160.2.1
References:
* https://www.suse.com/security/cve/CVE-2025-68463.html
openSUSE-SU-2026:21171-1: important: Security update for gimp
openSUSE security update: security update for gimp
-------------------------------------------------------------
Announcement ID: openSUSE-SU-2026:21171-1
Rating: important
References:
* bsc#1262199
Cross-References:
* CVE-2026-40917
Affected Products:
openSUSE Leap 16.0
-------------------------------------------------------------
An update that solves one vulnerability and has one bug fix can now be installed.
Description:
This update for gimp fixes the following issues:
Changes in gimp:
- CVE-2026-40917: plug-ins: Clean up ICNS file loading (bsc#1262199).
Patch instructions:
To install this openSUSE security update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
- openSUSE Leap 16.0
zypper in -t patch openSUSE-Leap-16.0-packagehub-366=1
Package List:
- openSUSE Leap 16.0:
gimp-3.0.8-bp160.4.1
gimp-devel-3.0.8-bp160.4.1
gimp-extension-goat-excercises-3.0.8-bp160.4.1
gimp-lang-3.0.8-bp160.4.1
gimp-plugin-aa-3.0.8-bp160.4.1
gimp-plugin-python3-3.0.8-bp160.4.1
gimp-vala-3.0.8-bp160.4.1
libgimp-3_0-0-3.0.8-bp160.4.1
libgimpui-3_0-0-3.0.8-bp160.4.1
References:
* https://www.suse.com/security/cve/CVE-2026-40917.html
openSUSE-SU-2026:21163-1: important: Security update for yt-dlp
openSUSE security update: security update for yt-dlp
-------------------------------------------------------------
Announcement ID: openSUSE-SU-2026:21163-1
Rating: important
Cross-References:
* CVE-2026-50019
* CVE-2026-50023
* CVE-2026-50574
Affected Products:
openSUSE Leap 16.0
-------------------------------------------------------------
An update that solves 3 vulnerabilities can now be installed.
Description:
This update for yt-dlp fixes the following issues:
Changes in yt-dlp:
- Update to version 2026.06.09
* Fixed [CVE-2026-50019]: File Downloader cookie leak with curl
* Fixed [CVE-2026-50023]: Dangerous file type creation via
insufficient filename sanitization
* Fixed [CVE-2026-50574]: Arbitrary code execution via manifest
downloads with aria2c
* Added lockfile and pinned extras
* Removed url, desktop and webloc from safe extensions
* Extract supplemental codecs from DASH manifests
* abematv: Extract subtitles
* ard: Support new ardsounds domain
* monstercat: Support older URLs
* pornhub: Support browser impersonation
* reddit: Fix unauthenticated extraction
* rtp: Support multi-part episodes and --no-playlist
* s4c: Extract more metadata
* soop: Adapt extractors to new domain
* soundcloud: Support --extractor-retries for original formats
* twitch: Remove dead rechat subtitles
* twitter: Fix view_count extraction
* external: aria2c: Remove support for m3u8/dash protocols
* ffmpegmetadata: Avoid erroneous ISO 639 conversions
Patch instructions:
To install this openSUSE security update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
- openSUSE Leap 16.0
zypper in -t patch openSUSE-Leap-16.0-packagehub-358=1
Package List:
- openSUSE Leap 16.0:
python313-yt-dlp-2026.06.09-bp160.1.1
yt-dlp-2026.06.09-bp160.1.1
yt-dlp-youtube-dl-2026.06.09-bp160.1.1
References:
* https://www.suse.com/security/cve/CVE-2026-50019.html
* https://www.suse.com/security/cve/CVE-2026-50023.html
* https://www.suse.com/security/cve/CVE-2026-50574.html
openSUSE-SU-2026:21157-1: important: Security update for golang-github-prometheus-alertmanager
openSUSE security update: security update for golang-github-prometheus-alertmanager
-------------------------------------------------------------
Announcement ID: openSUSE-SU-2026:21157-1
Rating: important
References:
* bsc#1266615
Cross-References:
* CVE-2026-39821
CVSS scores:
* CVE-2026-39821 ( SUSE ): 7.4 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
* CVE-2026-39821 ( SUSE ): 9.1 CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
Affected Products:
openSUSE Leap 16.0
-------------------------------------------------------------
An update that solves one vulnerability and has one bug fix can now be installed.
Description:
This update for golang-github-prometheus-alertmanager fixes the following issues:
Changes in golang-github-prometheus-alertmanager:
- CVE-2026-39821: Fix validation bypass and privilege escalation by
updating golang.org/x/net to version 0.55.0 (bsc#1266615)
Patch instructions:
To install this openSUSE security update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
- openSUSE Leap 16.0
zypper in -t patch openSUSE-Leap-16.0-packagehub-352=1
Package List:
- openSUSE Leap 16.0:
golang-github-prometheus-alertmanager-0.28.1-bp160.2.1
References:
* https://www.suse.com/security/cve/CVE-2026-39821.html
openSUSE-SU-2026:21155-1: moderate: Security update for hamlib
openSUSE security update: security update for hamlib
-------------------------------------------------------------
Announcement ID: openSUSE-SU-2026:21155-1
Rating: moderate
References:
* bsc#1268628
* bsc#1268629
Cross-References:
* CVE-2026-54634
Affected Products:
openSUSE Leap 16.0
-------------------------------------------------------------
An update that solves one vulnerability and has 2 bug fixes can now be installed.
Description:
This update for hamlib fixes the following issues:
Changes in hamlib:
- Update to 4.7.2:
* Fix IC-7600/IC-7610 clock commands
* Icom: Add CWR to modes eligible for DSP filtering
* Kenwood: New model Hamgeek uSGX
* Various fixes for Skywatcher, DX-SR8, FT-710, FTX-1, IC-705, X6100
* rigctld: Fix send_raw stack out-of-bounds write and
uninitialized memory CVE-2026-54634 (boo#1268628)
* rigctld: Fix stack/heap overflow primitive in
read_string_generic + auth bypass in rigctld + weak password
handling (boo#1268629)
- Update to 4.7.1:
* Various compiler and portability fixes
* Fix rig port timeout
* Fix various FTX-1 meter, level and CTCSS table
* Add power off capability to Flrig backend
* Add SWR to supported 'get levels' for K3/K4
* Add get_split_vfo to TS-850 backend
* New simplecat backend
* Fix and generalize clock handling for Icom radios
* Fix Yaesu attenuator levels and LVL_KEYSPD reinitialization
* Add new rig model Harris PRC-138
* Various FT-710 fixes, especially handling SH format and RX bandwidth
* Ensure FT-710 simulator rejects RF command
* Fix low power calculation for K3/K3S
* Fix FTX-1 SH bandwidth command in set/get_mode
- Update to 4.7.0:
* Revamp Kenwood voice memory handler - Fixes TS-890S & TS-990S
* libusb is now detected using the pkg-config facility.
* Functions rig_get_conf, rot_get_conf, amp_get_conf deprecated
use *_get_conf2() instead
* rig_set_trn and rig_get_trn deprecated.
* Many fixes for SWIG binding generation and improved Python
support and testing
* Fix AGC for IC-R75, fix AGC for all Icom rigs
* New Drake R8 backend
* New AF6SA WRC rotator backend
* New Yaesu FTX-1 model support (alpha)
* Update QRPLabs QMX backend for max serial rate of 230400 bps
* Updates to Icom IC-F8101
* New rig model Icom ID-52A/W Plus
* Fix memory leaks in rigctld and rigctltcp
* Fix Skywatcher backend for firmware that doesn't echo commands
* Additional Yaesu FTX-1 capabilities
* Add extended commands for the IC-7300MK2--
* Revert updating FLRig model name
* Add manual pages for rigctltcp, rigtestlibusb, rigtestmcast,
and rigtestmcastrx
* Pause building rigfreqwalk as the code does not align with the
required commandline parameters
* Developer visible changes, code moves and refactoring
- Update to 4.6.5:
* Update Kenwood CW buffer max message size, fix one byte buffer
overrun
* Fix segmentation faults
Patch instructions:
To install this openSUSE security update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
- openSUSE Leap 16.0
zypper in -t patch openSUSE-Leap-16.0-packagehub-350=1
Package List:
- openSUSE Leap 16.0:
hamlib-4.7.2-bp160.1.1
hamlib-devel-4.7.2-bp160.1.1
libhamlib++4-4.7.2-bp160.1.1
libhamlib4-4.7.2-bp160.1.1
lua-Hamliblua-4.7.2-bp160.1.1
perl-Hamlib-4.7.2-bp160.1.1
python3-Hamlib-4.7.2-bp160.1.1
tcl-Hamlib-4.7.2-bp160.1.1
References:
* https://www.suse.com/security/cve/CVE-2026-54634.html
openSUSE-SU-2026:21154-1: important: Security update for ofono
openSUSE security update: security update for ofono
-------------------------------------------------------------
Announcement ID: openSUSE-SU-2026:21154-1
Rating: important
References:
* bsc#1218292
* bsc#1218293
* bsc#1218294
* bsc#1218295
* bsc#1218296
* bsc#1228903
* bsc#1228904
* bsc#1228905
* bsc#1228906
* bsc#1228907
* bsc#1228908
* bsc#1228910
* bsc#1228913
* bsc#1228914
* bsc#1228916
* bsc#1228917
Cross-References:
* CVE-2023-2794
* CVE-2023-4232
* CVE-2023-4233
* CVE-2023-4234
* CVE-2023-4235
* CVE-2024-7537
* CVE-2024-7538
* CVE-2024-7539
* CVE-2024-7540
* CVE-2024-7541
* CVE-2024-7542
* CVE-2024-7543
* CVE-2024-7544
* CVE-2024-7545
* CVE-2024-7546
* CVE-2024-7547
Affected Products:
openSUSE Leap 16.0
-------------------------------------------------------------
An update that solves 16 vulnerabilities and has 16 bug fixes can now be installed.
Description:
This update for ofono fixes the following issues:
Changes in ofono:
- Reference the tracking bugs for the SMS/STK/USSD decoder security
fixes applied upstream across the 2.14-2.17 updates:
* SMS decoder stack buffer overflows: CVE-2023-2794 (boo#1218292),
CVE-2023-4232 (boo#1218293), CVE-2023-4233 (boo#1218294),
CVE-2023-4234 (boo#1218295), CVE-2023-4235 (boo#1218296)
* SMS PDU / message-list parsing overflows and OOB read:
CVE-2024-7537 (boo#1228903), CVE-2024-7547 (boo#1228917)
* AT-command / USSD response parsing overflows: CVE-2024-7538
(boo#1228904), CVE-2024-7539 (boo#1228905)
* Uninitialized-memory information disclosure: CVE-2024-7540
(boo#1228906), CVE-2024-7541 (boo#1228907), CVE-2024-7542
(boo#1228908)
* STK command PDU heap overflows: CVE-2024-7543 (boo#1228910),
CVE-2024-7544 (boo#1228913), CVE-2024-7545 (boo#1228914),
CVE-2024-7546 (boo#1228916)
- Update to version 2.19
* Add support for PPP reset workaround for SIM7100 modem.
* Add support for Qualcomm RAW-IP only devices.
- Update to version 2.18
* Fix issue with QMI and handling SMS message acknowledgement.
* Fix issue with handling SIM7100 modem ready detection.
* Add support for forbidden operator list.
- Update to version 2.17
* Fix issue with SMS and possible buffer overflow.
- Update to version 2.16
* Add support for QMI service request rate limiting.
- Update to version 2.15
* Fix issue with SMS and uninitialized buffers.
* Fix issue with USSD and uninitialized buffers.
* Add support for the Test Anything Protocol.
- Update to version 2.14
* Fix issue with STK and buffer length checks.
* Fix issue with SMS and buffer length checks.
* Fix issue with QMI and handling RAT detection.
* Fix issue with QMI and handling call forwarding.
* Add support for handling MHI network interfaces.
- Update to version 2.13
* Add support for handling QMI PIN and Lock methods.
* Add support for handling QMI WWAN interfaces.
* Add support for handling RMNet interfaces.
- Update to version 2.12
* Fix issue with access technology reporting.
* Fix issue with detecting Phonet devices.
- Update to version 2.11
* Add support for SIMCom A7672E-FASE modem.
* Add support for Quectel EG916Q-GL modem.
Patch instructions:
To install this openSUSE security update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
- openSUSE Leap 16.0
zypper in -t patch openSUSE-Leap-16.0-packagehub-349=1
Package List:
- openSUSE Leap 16.0:
ofono-2.19-bp160.1.1
ofono-devel-2.19-bp160.1.1
ofono-tests-2.19-bp160.1.1
References:
* https://www.suse.com/security/cve/CVE-2023-2794.html
* https://www.suse.com/security/cve/CVE-2023-4232.html
* https://www.suse.com/security/cve/CVE-2023-4233.html
* https://www.suse.com/security/cve/CVE-2023-4234.html
* https://www.suse.com/security/cve/CVE-2023-4235.html
* https://www.suse.com/security/cve/CVE-2024-7537.html
* https://www.suse.com/security/cve/CVE-2024-7538.html
* https://www.suse.com/security/cve/CVE-2024-7539.html
* https://www.suse.com/security/cve/CVE-2024-7540.html
* https://www.suse.com/security/cve/CVE-2024-7541.html
* https://www.suse.com/security/cve/CVE-2024-7542.html
* https://www.suse.com/security/cve/CVE-2024-7543.html
* https://www.suse.com/security/cve/CVE-2024-7544.html
* https://www.suse.com/security/cve/CVE-2024-7545.html
* https://www.suse.com/security/cve/CVE-2024-7546.html
* https://www.suse.com/security/cve/CVE-2024-7547.html
openSUSE-SU-2026:21153-1: moderate: Security update for xar
openSUSE security update: security update for xar
-------------------------------------------------------------
Announcement ID: openSUSE-SU-2026:21153-1
Rating: moderate
References:
* bsc#1047874
* bsc#1047875
* bsc#1108595
* bsc#1108596
Cross-References:
* CVE-2017-11124
* CVE-2017-11125
* CVE-2018-17093
* CVE-2018-17094
Affected Products:
openSUSE Leap 16.0
-------------------------------------------------------------
An update that solves 4 vulnerabilities and has 4 bug fixes can now be installed.
Description:
This update for xar fixes the following issues:
Changes in xar:
- Switch to the maintained Apple xar lineage (build 503, versioned
1.8.0.0.503): the mackyle 1.6.1 fork this package tracked has been
dead since 2012, and Debian, Fedora and Gentoo all moved to Apple's
xar (apple-oss-distributions/xar). This resolves the long-standing
NULL-pointer dereferences in xar_get_path() and xar_unserialize()
when parsing malformed archives:
* CVE-2017-11124 (boo#1047875)
* CVE-2017-11125 (boo#1047874)
* CVE-2018-17093 (boo#1108595)
* CVE-2018-17094 (boo#1108596)
Patch instructions:
To install this openSUSE security update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
- openSUSE Leap 16.0
zypper in -t patch openSUSE-Leap-16.0-packagehub-348=1
Package List:
- openSUSE Leap 16.0:
libxar-devel-1.8.0.0.503-bp160.1.1
libxar1-1.8.0.0.503-bp160.1.1
xar-1.8.0.0.503-bp160.1.1
References:
* https://www.suse.com/security/cve/CVE-2017-11124.html
* https://www.suse.com/security/cve/CVE-2017-11125.html
* https://www.suse.com/security/cve/CVE-2018-17093.html
* https://www.suse.com/security/cve/CVE-2018-17094.html
openSUSE-SU-2026:21168-1: critical: Security update for MozillaThunderbird
openSUSE security update: security update for MozillaThunderbird
-------------------------------------------------------------
Announcement ID: openSUSE-SU-2026:21168-1
Rating: critical
References:
* bsc#1158957
* bsc#1263110
* bsc#1264378
* bsc#1265212
* bsc#1268071
Cross-References:
* CVE-2026-12289
* CVE-2026-12290
* CVE-2026-12291
* CVE-2026-12292
* CVE-2026-12294
* CVE-2026-12295
* CVE-2026-12296
* CVE-2026-12297
* CVE-2026-12298
* CVE-2026-12299
* CVE-2026-12302
* CVE-2026-12304
* CVE-2026-12305
* CVE-2026-12306
* CVE-2026-12307
* CVE-2026-12308
* CVE-2026-12309
* CVE-2026-12310
* CVE-2026-12311
* CVE-2026-12312
* CVE-2026-12313
* CVE-2026-12314
* CVE-2026-12315
* CVE-2026-12324
* CVE-2026-12325
* CVE-2026-12327
* CVE-2026-12328
* CVE-2026-12329
* CVE-2026-12330
* CVE-2026-7320
* CVE-2026-7321
* CVE-2026-7322
* CVE-2026-7323
* CVE-2026-8090
* CVE-2026-8092
* CVE-2026-8094
* CVE-2026-8388
* CVE-2026-8391
* CVE-2026-8401
* CVE-2026-8946
* CVE-2026-8947
* CVE-2026-8949
* CVE-2026-8950
* CVE-2026-8953
* CVE-2026-8954
* CVE-2026-8955
* CVE-2026-8956
* CVE-2026-8957
* CVE-2026-8958
* CVE-2026-8959
* CVE-2026-8961
* CVE-2026-8962
* CVE-2026-8968
* CVE-2026-8970
* CVE-2026-8974
* CVE-2026-8975
CVSS scores:
* CVE-2026-12290 ( SUSE ): 8.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
* CVE-2026-12291 ( SUSE ): 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
* CVE-2026-12292 ( SUSE ): 6.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L
* CVE-2026-12294 ( SUSE ): 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
* CVE-2026-12295 ( SUSE ): 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
* CVE-2026-12296 ( SUSE ): 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
* CVE-2026-12297 ( SUSE ): 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
* CVE-2026-12298 ( SUSE ): 5.4 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
* CVE-2026-12299 ( SUSE ): 5.4 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
* CVE-2026-12302 ( SUSE ): 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
* CVE-2026-12304 ( SUSE ): 9.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
* CVE-2026-12305 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
* CVE-2026-12306 ( SUSE ): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
* CVE-2026-12307 ( SUSE ): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
* CVE-2026-12308 ( SUSE ): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
* CVE-2026-12309 ( SUSE ): 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L
* CVE-2026-12310 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
* CVE-2026-12311 ( SUSE ): 4.7 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:N
* CVE-2026-12312 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
* CVE-2026-12313 ( SUSE ): 4.7 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:N
* CVE-2026-12314 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
* CVE-2026-12315 ( SUSE ): 9.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
* CVE-2026-12324 ( SUSE ): 7.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
* CVE-2026-12325 ( SUSE ): 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
* CVE-2026-12327 ( SUSE ): 8.1 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
* CVE-2026-12328 ( SUSE ): 8.1 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
* CVE-2026-12329 ( SUSE ): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
* CVE-2026-12330 ( SUSE ): 5.4 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
* CVE-2026-8090 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
* CVE-2026-8092 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
* CVE-2026-8094 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
* CVE-2026-8401 ( SUSE ): 8.3 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H
* CVE-2026-8946 ( SUSE ): 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
* CVE-2026-8947 ( SUSE ): 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
* CVE-2026-8949 ( SUSE ): 6.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L
* CVE-2026-8950 ( SUSE ): 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
* CVE-2026-8953 ( SUSE ): 7.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
* CVE-2026-8954 ( SUSE ): 7.6 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:L
* CVE-2026-8955 ( SUSE ): 6.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L
* CVE-2026-8956 ( SUSE ): 6.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L
* CVE-2026-8957 ( SUSE ): 6.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L
* CVE-2026-8958 ( SUSE ): 8.6 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
* CVE-2026-8959 ( SUSE ): 7.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
* CVE-2026-8961 ( SUSE ): 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
* CVE-2026-8962 ( SUSE ): 5.4 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
* CVE-2026-8968 ( SUSE ): 4.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L
* CVE-2026-8970 ( SUSE ): 6.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L
* CVE-2026-8974 ( SUSE ): 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
* CVE-2026-8975 ( SUSE ): 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Affected Products:
openSUSE Leap 16.0
-------------------------------------------------------------
An update that solves 56 vulnerabilities and has 5 bug fixes can now be installed.
Description:
This update for MozillaThunderbird fixes the following issues:
Changes in MozillaThunderbird:
- Mozilla Thunderbird 140.12.0 ESR
MFSA 2026-61 (bsc#1268071)
* CVE-2026-12289 (bmo#2023443)
Privilege escalation in the Graphics: WebRender component
* CVE-2026-12290 (bmo#2024852)
Memory safety bug fixed in Thunderbird ESR 140.12
* CVE-2026-12291 (bmo#2036929)
Use-after-free in the Networking: HTTP component
* CVE-2026-12292 (bmo#2038465)
Incorrect boundary conditions in the Web Audio component
* CVE-2026-12294 (bmo#2039873)
Sandbox escape in the DOM: Workers component
* CVE-2026-12295 (bmo#2040160)
Sandbox escape in the DOM: Navigation component
* CVE-2026-12298 (bmo#2041981)
Memory safety bug fixed in Thunderbird ESR 140.12
* CVE-2026-12296 (bmo#2040515)
Sandbox escape in the Security: Process Sandboxing component
* CVE-2026-12297 (bmo#2041610)
Sandbox escape due to incorrect boundary conditions in the
Networking component
* CVE-2026-12299 (bmo#2043139)
JIT miscompilation in the DOM: Core & HTML component
* CVE-2026-12329 (bmo#2044738)
Memory safety bug fixed in Thunderbird ESR 140.12
* CVE-2026-12302 (bmo#2034489)
Mitigation bypass in the DOM: Security component
* CVE-2026-12304 (bmo#2034944)
Same-origin policy bypass in the Networking: Cookies component
* CVE-2026-12305 (bmo#2037290)
Memory safety bug fixed in Thunderbird ESR 140.12
* CVE-2026-12306 (bmo#2037323)
Memory safety bug fixed in Thunderbird ESR 140.12
* CVE-2026-12307 (bmo#2038133)
Memory safety bug fixed in Thunderbird ESR 140.12
* CVE-2026-12308 (bmo#2038302)
Memory safety bug fixed in Thunderbird ESR 140.12
* CVE-2026-12309 (bmo#2038476)
Memory safety bug fixed in Thunderbird ESR 140.12
* CVE-2026-12310 (bmo#2039707)
Memory safety bug fixed in Thunderbird ESR 140.12
* CVE-2026-12311 (bmo#2040177)
Information disclosure, sandbox escape in the Security:
Process Sandboxing component
* CVE-2026-12312 (bmo#2040383)
Memory safety bug fixed in Thunderbird ESR 140.12
* CVE-2026-12313 (bmo#2040477)
Information disclosure, sandbox escape in the Security:
Process Sandboxing component
* CVE-2026-12314 (bmo#2041856)
Memory safety bug fixed in Thunderbird ESR 140.12
* CVE-2026-12315 (bmo#2042058)
Mitigation bypass in the DOM: Security component
* CVE-2026-12330 (bmo#2029326)
Incorrect boundary conditions in the Internationalization
component
* CVE-2026-12324 (bmo#2038444)
Incorrect boundary conditions in the Graphics: CanvasWebGL
component
* CVE-2026-12325 (bmo#2039443)
Denial-of-service in the Graphics: ImageLib component
* CVE-2026-12327 (bmo#2011842, bmo#2023902, bmo#2025512, bmo#2027312,
bmo#2029444, bmo#2036571, bmo#2036900, bmo#2036936, bmo#2037995,
bmo#2038551, bmo#2040717, bmo#2042724)
Memory safety bugs fixed in Firefox ESR 140.12, Thunderbird
ESR 140.12, Firefox 152 and Thunderbird 152
* CVE-2026-12328 (bmo#2029402, bmo#2038477, bmo#2039726, bmo#2041373,
bmo#2042268, bmo#2042451, bmo#2042782, bmo#2042858, bmo#2042929,
bmo#2042965, bmo#2043213)
Memory safety bugs fixed in Firefox ESR 115.37, Firefox ESR
140.12, Thunderbird ESR 140.12, Firefox 152 and Thunderbird 152
- Mozilla Thunderbird 140.11.0 ESR
MFSA 2026-51 (bsc#1265212)
* CVE-2026-8946 (bmo#2029070)
Incorrect boundary conditions in the Audio/Video: Web Codecs
component
* CVE-2026-8388 (bmo#2036978)
Incorrect boundary conditions in the JavaScript Engine: JIT
component
* CVE-2026-8947 (bmo#2038439)
Use-after-free in the DOM: Bindings (WebIDL) component
* CVE-2026-8391 (bmo#2038575)
Other issue in the JavaScript Engine component
* CVE-2026-8401 (bmo#2038679)
Sandbox escape in the Profile Backup component
* CVE-2026-8949 (bmo#1355639)
Integer overflow in the Widget: Win32 component
* CVE-2026-8950 (bmo#1965430)
Same-origin policy bypass in the Networking: HTTP component
* CVE-2026-8953 (bmo#2029511)
Sandbox escape due to use-after-free in the Disability Access
APIs component
* CVE-2026-8954 (bmo#2030747)
Incorrect boundary conditions, integer overflow in the
Audio/Video component
* CVE-2026-8955 (bmo#2031064)
Privilege escalation in the DOM: Workers component
* CVE-2026-8956 (bmo#2032427)
Integer overflow in the Networking: JAR component
* CVE-2026-8957 (bmo#2033850)
Privilege escalation in the Enterprise Policies component
* CVE-2026-8958 (bmo#2034713)
Information disclosure, sandbox escape in the Security:
Process Sandboxing component
* CVE-2026-8959 (bmo#2034754)
Sandbox escape due to incorrect boundary conditions in the
Widget: Win32 component
* CVE-2026-8961 (bmo#1962625)
Spoofing issue in the Form Autofill component
* CVE-2026-8962 (bmo#2004804)
Mitigation bypass in the DOM: Security component
* CVE-2026-8968 (bmo#2030467)
Denial-of-service due to invalid pointer in the Audio/Video:
Web Codecs component
* CVE-2026-8970 (bmo#2032174)
Privilege escalation in the Security component
* CVE-2026-8974 (bmo#1784128, bmo#1883230, bmo#1983677, bmo#2022390,
bmo#2023116, bmo#2023657, bmo#2024255, bmo#2024418, bmo#2024441,
bmo#2024447, bmo#2024966, bmo#2025412, bmo#2025467, bmo#2025940,
bmo#2025950, bmo#2025956, bmo#2026284, bmo#2027247, bmo#2027255,
bmo#2027288, bmo#2027306, bmo#2027322, bmo#2027332, bmo#2027333,
bmo#2028266, bmo#2028292, bmo#2028319, bmo#2028526, bmo#2028870,
bmo#2028876, bmo#2028882, bmo#2029062, bmo#2029309, bmo#2029414,
bmo#2029422, bmo#2029428, bmo#2029447, bmo#2029732, bmo#2029785,
bmo#2029793, bmo#2029813, bmo#2029899, bmo#2031028, bmo#2031457,
bmo#2032039, bmo#2033610, bmo#2033854, bmo#2034498, bmo#2034628,
bmo#2034978, bmo#2035966, bmo#2036668, bmo#2036905, bmo#2036930)
Memory safety bugs fixed in Thunderbird 140.11 and Thunderbird 151
* CVE-2026-8975 (bmo#1860195, bmo#2029325, bmo#2029429, bmo#2029910,
bmo#2035915, bmo#2038669, bmo#2038678)
Memory safety bugs fixed in Thunderbird 140.11 and Thunderbird 151
- Mozilla Thunderbird 140.10.2
MFSA 2026-44 (bsc#1264378)
* CVE-2026-8090 (bmo#2034352)
Use-after-free in the DOM: Networking component
* CVE-2026-8094 (bmo#2035939)
Other issue in the WebRTC component
* CVE-2026-8092 (bmo#1806249, bmo#2021977, bmo#2022576, bmo#2022722,
bmo#2024439, bmo#2027883, bmo#2029463, bmo#2030323, bmo#2032042,
bmo#2032043, bmo#2033270, bmo#2033637, bmo#2034422, bmo#2034496,
bmo#2035879, bmo#2036516)
Memory safety bugs fixed in Thunderbird ESR 140.10.2 and
Thunderbird 150.0.2
- Mozilla Thunderbird 140.10.1 ESR
MFSA 2026-39 (bsc#1263110)
* CVE-2026-7320 (bmo#2027433)
Information disclosure due to incorrect boundary conditions
in the Audio/Video component
* CVE-2026-7321 (bmo#2029461)
Sandbox escape due to incorrect boundary conditions in the
WebRTC: Networking component
* CVE-2026-7322 (bmo#2021904, bmo#2022731, bmo#2027158,
bmo#2027733, bmo#2027973, bmo#2027976, bmo#2028231,
bmo#2028731, bmo#2028886, bmo#2029067, bmo#2029700,
bmo#2029724, bmo#2029806, bmo#2029814, bmo#2030108,
bmo#2030111, bmo#2031524, bmo#2031921, bmo#2032040)
Memory safety bugs fixed in Thunderbird ESR 140.10.1 and
Thunderbird 150.0.1
* CVE-2026-7323 (bmo#2028537, bmo#2029911, bmo#2031121,
bmo#2033602)
Memory safety bugs fixed in Thunderbird ESR 140.10.1 and
Thunderbird 150.0.1
Patch instructions:
To install this openSUSE security update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
- openSUSE Leap 16.0
zypper in -t patch openSUSE-Leap-16.0-packagehub-363=1
Package List:
- openSUSE Leap 16.0:
MozillaThunderbird-140.12.0-bp160.1.1
MozillaThunderbird-openpgp-librnp-140.12.0-bp160.1.1
MozillaThunderbird-translations-common-140.12.0-bp160.1.1
MozillaThunderbird-translations-other-140.12.0-bp160.1.1
References:
* https://www.suse.com/security/cve/CVE-2026-12289.html
* https://www.suse.com/security/cve/CVE-2026-12290.html
* https://www.suse.com/security/cve/CVE-2026-12291.html
* https://www.suse.com/security/cve/CVE-2026-12292.html
* https://www.suse.com/security/cve/CVE-2026-12294.html
* https://www.suse.com/security/cve/CVE-2026-12295.html
* https://www.suse.com/security/cve/CVE-2026-12296.html
* https://www.suse.com/security/cve/CVE-2026-12297.html
* https://www.suse.com/security/cve/CVE-2026-12298.html
* https://www.suse.com/security/cve/CVE-2026-12299.html
* https://www.suse.com/security/cve/CVE-2026-12302.html
* https://www.suse.com/security/cve/CVE-2026-12304.html
* https://www.suse.com/security/cve/CVE-2026-12305.html
* https://www.suse.com/security/cve/CVE-2026-12306.html
* https://www.suse.com/security/cve/CVE-2026-12307.html
* https://www.suse.com/security/cve/CVE-2026-12308.html
* https://www.suse.com/security/cve/CVE-2026-12309.html
* https://www.suse.com/security/cve/CVE-2026-12310.html
* https://www.suse.com/security/cve/CVE-2026-12311.html
* https://www.suse.com/security/cve/CVE-2026-12312.html
* https://www.suse.com/security/cve/CVE-2026-12313.html
* https://www.suse.com/security/cve/CVE-2026-12314.html
* https://www.suse.com/security/cve/CVE-2026-12315.html
* https://www.suse.com/security/cve/CVE-2026-12324.html
* https://www.suse.com/security/cve/CVE-2026-12325.html
* https://www.suse.com/security/cve/CVE-2026-12327.html
* https://www.suse.com/security/cve/CVE-2026-12328.html
* https://www.suse.com/security/cve/CVE-2026-12329.html
* https://www.suse.com/security/cve/CVE-2026-12330.html
* https://www.suse.com/security/cve/CVE-2026-7320.html
* https://www.suse.com/security/cve/CVE-2026-7321.html
* https://www.suse.com/security/cve/CVE-2026-7322.html
* https://www.suse.com/security/cve/CVE-2026-7323.html
* https://www.suse.com/security/cve/CVE-2026-8090.html
* https://www.suse.com/security/cve/CVE-2026-8092.html
* https://www.suse.com/security/cve/CVE-2026-8094.html
* https://www.suse.com/security/cve/CVE-2026-8388.html
* https://www.suse.com/security/cve/CVE-2026-8391.html
* https://www.suse.com/security/cve/CVE-2026-8401.html
* https://www.suse.com/security/cve/CVE-2026-8946.html
* https://www.suse.com/security/cve/CVE-2026-8947.html
* https://www.suse.com/security/cve/CVE-2026-8949.html
* https://www.suse.com/security/cve/CVE-2026-8950.html
* https://www.suse.com/security/cve/CVE-2026-8953.html
* https://www.suse.com/security/cve/CVE-2026-8954.html
* https://www.suse.com/security/cve/CVE-2026-8955.html
* https://www.suse.com/security/cve/CVE-2026-8956.html
* https://www.suse.com/security/cve/CVE-2026-8957.html
* https://www.suse.com/security/cve/CVE-2026-8958.html
* https://www.suse.com/security/cve/CVE-2026-8959.html
* https://www.suse.com/security/cve/CVE-2026-8961.html
* https://www.suse.com/security/cve/CVE-2026-8962.html
* https://www.suse.com/security/cve/CVE-2026-8968.html
* https://www.suse.com/security/cve/CVE-2026-8970.html
* https://www.suse.com/security/cve/CVE-2026-8974.html
* https://www.suse.com/security/cve/CVE-2026-8975.html
openSUSE-SU-2026:21166-1: moderate: Security update for nano
openSUSE security update: security update for nano
-------------------------------------------------------------
Announcement ID: openSUSE-SU-2026:21166-1
Rating: moderate
References:
* bsc#1258260
* bsc#1262643
* bsc#1263022
* bsc#1263437
Cross-References:
* CVE-2026-40556
* CVE-2026-6842
* CVE-2026-6843
Affected Products:
openSUSE Leap 16.0
-------------------------------------------------------------
An update that solves 3 vulnerabilities and has 4 bug fixes can now be installed.
Description:
This update for nano fixes the following issues:
Changes in nano:
- Update to version 9.1:
* When searching, the viewport is placed snug left where
possible.
* The ability to read and write files in old Mac format (a lone
carriage return as line ending) was removed.
* The ^T toggle between WhereIs and GotoLine was dropped.
* Fix backups that were missing or had a wrong timestamp when
--backup is active.
* On a crash or kill, a .save file is no longer chmodded or
chowned to the base file's permissions and owner.
* The history code now creates the ~/.local directory with
limited access rights (boo#1263437; the referenced
CVE-2026-40556 was rejected upstream).
* M-Ins and M-Del have become rebindable.
- GNU nano 9.0:
* When the cursor almost goes offscreen to the right, all lines
are now scrolled sideways together, by just the amount needed
to keep the cursor in view.
Use --solosidescroll or 'set solosidescroll' to get back the
old, jerky, single-line horizontal scrolling.
* The viewport can be scrolled sideways (in steps of one
tabsize) with M-< and M->. See `man nanorc` if M-< and M->
should switch between buffers (as they did earlier).
* M-Left, M-Right, M-Up, and M-Down have become rebindable.
* Stopping the recording of a macro immediately after starting
it cancels the recording and leaves an existing macro in place.
* Feature toggles no longer break a chain of ^K cuts or M-6
copies, except the M-K cut-from-cursor toggle.
* With --mouse and --indicator, one can click in the scrollbar
area to roughly navigate within the buffer.
* CVE-2026-6843: format string vulnerability leads to denial of
service (boo#1262643)
* create the ~/.local directory with limited access rights
(CVE-2026-6842 boo#1263022, CVE-2026-40556 boo#1263437)
- GNU nano 8.7.1:
* fix build against glibc-2.43 (boo#1258260)
- GNU nano 8.7:
* At the Execute prompt, preceding the command with two pipe
symbols allows implementing a copy-to-clipboard feature in
nanorc on terminals that support OSC 52. See doc/sample.nanorc
Patch instructions:
To install this openSUSE security update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
- openSUSE Leap 16.0
zypper in -t patch openSUSE-Leap-16.0-packagehub-361=1
Package List:
- openSUSE Leap 16.0:
nano-9.1-bp160.1.1
nano-lang-9.1-bp160.1.1
References:
* https://www.suse.com/security/cve/CVE-2026-40556.html
* https://www.suse.com/security/cve/CVE-2026-6842.html
* https://www.suse.com/security/cve/CVE-2026-6843.html
openSUSE-SU-2026:21159-1: important: Security update for python-py7zr
openSUSE security update: security update for python-py7zr
-------------------------------------------------------------
Announcement ID: openSUSE-SU-2026:21159-1
Rating: important
References:
* bsc#1268665
* bsc#1268666
* bsc#1268669
Cross-References:
* CVE-2026-23879
* CVE-2026-55195
* CVE-2026-55206
Affected Products:
openSUSE Leap 16.0
-------------------------------------------------------------
An update that solves 3 vulnerabilities and has 3 bug fixes can now be installed.
Description:
This update for python-py7zr fixes the following issues:
Changes in python-py7zr:
- CVE-2026-23879: crafted malicious symbolic link chains in an archive can
lead to an arbitrary file write (bsc#1268669)
- CVE-2026-55195: unchecked extraction size can cause a denial of service (bsc#1268665)
- CVE-2026-55206: crafted .7z archive with a large numstreams value can
cause a denial of service (bsc#1268666)
Patch instructions:
To install this openSUSE security update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
- openSUSE Leap 16.0
zypper in -t patch openSUSE-Leap-16.0-packagehub-354=1
Package List:
- openSUSE Leap 16.0:
python313-py7zr-1.0.0-bp160.2.1
References:
* https://www.suse.com/security/cve/CVE-2026-23879.html
* https://www.suse.com/security/cve/CVE-2026-55195.html
* https://www.suse.com/security/cve/CVE-2026-55206.html
openSUSE-SU-2026:21161-1: moderate: Security update for python-pdm
openSUSE security update: security update for python-pdm
-------------------------------------------------------------
Announcement ID: openSUSE-SU-2026:21161-1
Rating: moderate
References:
* bsc#1268384
* bsc#1268385
* bsc#1268386
Cross-References:
* CVE-2026-47763
* CVE-2026-47764
* CVE-2026-47781
Affected Products:
openSUSE Leap 16.0
-------------------------------------------------------------
An update that solves 3 vulnerabilities and has 3 bug fixes can now be installed.
Description:
This update for python-pdm fixes the following issues:
Changes in python-pdm:
- CVE-2026-47763: Do not follow symlinks when writing config files (bsc#1268384)
- CVE-2026-47763: Do not write to paths outside the scheme dir (bsc#1268385)
- CVE-2026-47781: Update plugin installation path to use project_plugins_dir (bsc#1268386)
Patch instructions:
To install this openSUSE security update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
- openSUSE Leap 16.0
zypper in -t patch openSUSE-Leap-16.0-packagehub-356=1
Package List:
- openSUSE Leap 16.0:
python313-pdm-2.22.3-bp160.2.1
References:
* https://www.suse.com/security/cve/CVE-2026-47763.html
* https://www.suse.com/security/cve/CVE-2026-47764.html
* https://www.suse.com/security/cve/CVE-2026-47781.html
openSUSE-SU-2026:21144-1: critical: Security update for mbedtls
openSUSE security update: security update for mbedtls
-------------------------------------------------------------
Announcement ID: openSUSE-SU-2026:21144-1
Rating: critical
References:
* bsc#1231708
* bsc#1240051
* bsc#1240052
* bsc#1245808
* bsc#1245809
* bsc#1245810
* bsc#1245811
* bsc#1246783
* bsc#1246784
* bsc#1246973
* bsc#1252341
* bsc#1252454
Cross-References:
* CVE-2024-49195
* CVE-2025-27809
* CVE-2025-27810
* CVE-2025-47917
* CVE-2025-48965
* CVE-2025-49087
* CVE-2025-49600
* CVE-2025-49601
* CVE-2025-52496
* CVE-2025-52497
* CVE-2025-54764
* CVE-2025-59438
* CVE-2026-25833
* CVE-2026-25834
* CVE-2026-25835
CVSS scores:
* CVE-2024-49195 ( SUSE ): 8.1 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
* CVE-2024-49195 ( SUSE ): 9.2 CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
* CVE-2025-59438 ( SUSE ): 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
* CVE-2025-59438 ( SUSE ): 5.7 CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
* CVE-2026-25833 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
* CVE-2026-25833 ( SUSE ): 8.7 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
* CVE-2026-25834 ( SUSE ): 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L
* CVE-2026-25834 ( SUSE ): 6.9 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N
* CVE-2026-25835 ( SUSE ): 7.7 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
* CVE-2026-25835 ( SUSE ): 8.5 CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
Affected Products:
openSUSE Leap 16.0
-------------------------------------------------------------
An update that solves 15 vulnerabilities and has 12 bug fixes can now be installed.
Description:
This update for mbedtls fixes the following issues:
Changes in mbedtls:
- Update to 3.6.6 (LTS maintenance update from 3.6.1); security fixes
accumulated across the 3.6.2-3.6.6 releases:
* CVE-2024-49195 (boo#1231708): buffer underrun in pkwrite when
writing an opaque key pair
* CVE-2025-27809 (boo#1240051): certificate verification accepted
arbitrary hostnames
* CVE-2025-27810 (boo#1240052): possible authentication bypass on
failed memory allocation / hardware errors
* CVE-2025-47917 (boo#1246783): misleading memory management in
mbedtls_x509_string_to_names()
* CVE-2025-48965 (boo#1246784): NULL pointer dereference after
mbedtls_asn1_store_named_data()
* CVE-2025-49087 (boo#1246973): timing side channel in PKCS#7
padding removal
* CVE-2025-49600 (boo#1245808): unchecked return values in LMS
verification allow signature bypass via fault injection
* CVE-2025-49601 (boo#1245809): out-of-bounds read in
mbedtls_lms_import_public_key()
* CVE-2025-52496 (boo#1245810): race in AES-NI support detection can
lead to AES key extraction or GCM forgery
* CVE-2025-52497 (boo#1245811): one-byte heap underflow when parsing
PEM-encrypted material
* CVE-2025-54764 (boo#1252341): timing attacks in RSA operations
* CVE-2025-59438 (boo#1252454): padding-oracle attack via timing of
cipher error reporting
* CVE-2026-25833: PSA RNG state duplicated across fork()
* CVE-2026-25834: TLS 1.3 HelloRetryRequest man-in-the-middle
session-resumption downgrade
* CVE-2026-25835: RNG state duplicated when application/VM state is
cloned
Patch instructions:
To install this openSUSE security update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
- openSUSE Leap 16.0
zypper in -t patch openSUSE-Leap-16.0-packagehub-339=1
Package List:
- openSUSE Leap 16.0:
libeverest-3.6.6-bp160.1.1
libeverest-x86-64-v3-3.6.6-bp160.1.1
libmbedcrypto16-3.6.6-bp160.1.1
libmbedcrypto16-x86-64-v3-3.6.6-bp160.1.1
libmbedtls21-3.6.6-bp160.1.1
libmbedtls21-x86-64-v3-3.6.6-bp160.1.1
libmbedx509-7-3.6.6-bp160.1.1
libmbedx509-7-x86-64-v3-3.6.6-bp160.1.1
libp256m-3.6.6-bp160.1.1
libp256m-x86-64-v3-3.6.6-bp160.1.1
mbedtls-devel-3.6.6-bp160.1.1
References:
* https://www.suse.com/security/cve/CVE-2024-49195.html
* https://www.suse.com/security/cve/CVE-2025-27809.html
* https://www.suse.com/security/cve/CVE-2025-27810.html
* https://www.suse.com/security/cve/CVE-2025-47917.html
* https://www.suse.com/security/cve/CVE-2025-48965.html
* https://www.suse.com/security/cve/CVE-2025-49087.html
* https://www.suse.com/security/cve/CVE-2025-49600.html
* https://www.suse.com/security/cve/CVE-2025-49601.html
* https://www.suse.com/security/cve/CVE-2025-52496.html
* https://www.suse.com/security/cve/CVE-2025-52497.html
* https://www.suse.com/security/cve/CVE-2025-54764.html
* https://www.suse.com/security/cve/CVE-2025-59438.html
* https://www.suse.com/security/cve/CVE-2026-25833.html
* https://www.suse.com/security/cve/CVE-2026-25834.html
* https://www.suse.com/security/cve/CVE-2026-25835.html
openSUSE-SU-2026:21142-1: critical: Security update for perl-Compress-Raw-Zlib
openSUSE security update: security update for perl-compress-raw-zlib
-------------------------------------------------------------
Announcement ID: openSUSE-SU-2026:21142-1
Rating: critical
Cross-References:
* CVE-2026-3381
Affected Products:
openSUSE Leap 16.0
-------------------------------------------------------------
An update that solves one vulnerability can now be installed.
Description:
This update for perl-Compress-Raw-Zlib fixes the following issues:
Changes in perl-Compress-Raw-Zlib:
- updated to 2.222
see /usr/share/doc/packages/perl-Compress-Raw-Zlib/Changes
2.222 27 February 2026
* Add SECURITY.md. Fixes #40
* Fix spelling typos
2.221 27 February 2026
* Merge remote-tracking branch 'refs/remotes/origin/master'
* Merge pull request #39 from jkeenan/correct-changes-date-20260227
* Update to 2.221
* Version number wrong in Changes file. Fixes #38
2.220 27 February 2026
* Update to version 2.220
* zlib 1.3.2: Update references to zlib 1.3.1 to use zlib 1.3.2
CVE-2026-3381
* zlib 1.3.2: Add "Perl_crz" prefix to "z_errmsg". Fixes #32
* Fix spelling typo
2.219 23 February 2026
* Update to version 2.219
* zlib 1.3.2: Add a few casts to allow zlib sources to build with C++
* Test workflows with upstream zlib 1.32
* zlib 1.3.2: Add "Perl_crz_" prefix to exported symbols
* zlib-1.3.2: Force include of to get definition for NULL
* Refresh zlib-src directory with unmodified zlib-1.3.2 files
- updated to 2.218
see /usr/share/doc/packages/perl-Compress-Raw-Zlib/Changes
2.218 3 February 2026
* Update version to 2.218
* Fix for regression of #34
2.217 31 January 2026
* Update version to 2.217
- updated to 2.214
see /usr/share/doc/packages/perl-Compress-Raw-Zlib/Changes
2.214 28 October 2025
* version 2.214
* remove 1.2.13 from mac upstream zlib build
* Disable some older zlib versions
* Bump actions/checkout from 1 to 5
* remove target-branch from dependabot
* Add dependabot.yml to police workflow files
* disable push and pull_request
* Add perl 5.42 to workflow files
* Add support for zlib-ng 2.2.5
* get_Bufsize is correct, but the document says get_BufSize - Fixes #34
* add zlib-ng 2.2.4 to workflow
* add zlib-ng 2.2.3
* More updates for zlib-ng 2.2.2 and 2.1.8
* Add zlib-ng 2.2.2 and 2.18 to GitHub workflows
Patch instructions:
To install this openSUSE security update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
- openSUSE Leap 16.0
zypper in -t patch openSUSE-Leap-16.0-packagehub-337=1
Package List:
- openSUSE Leap 16.0:
perl-Compress-Raw-Zlib-2.222-bp160.1.1
References:
* https://www.suse.com/security/cve/CVE-2026-3381.html
openSUSE-SU-2026:21152-1: important: Security update for atril
openSUSE security update: security update for atril
-------------------------------------------------------------
Announcement ID: openSUSE-SU-2026:21152-1
Rating: important
References:
* bsc#1265880
Cross-References:
* CVE-2026-46519
Affected Products:
openSUSE Leap 16.0
-------------------------------------------------------------
An update that solves one vulnerability and has one bug fix can now be installed.
Description:
This update for atril fixes the following issues:
Changes in atril:
- Update to version 1.28.4 (bsc#1265880 CVE-2026-46519):
* Build fixes
* Fix tests imported from XReader
* Fix tests with AT-SPI2 >= 2.53
* Improve search system
* pdf: Always use poppler_document_save to avoid data loss
* Use properties for can-zoom-in and -out
* libview: Allow zooming to the limits of the scale
* shell: Fix Max zoom in UI
- Update to version 1.28.2:
* epub: Disable thumbnailing sidebar
* Fix .cbr mimetype
* Wayland: stop segfaults on some systems
* replace deprecated gtk_menu_tool_button_new_from_stock
* libview/ev-document-model.c remove one more deprecation warning
* replace ev_document_model_get_dual_page with
- Update to version 1.28.1:
* Update CBR library to libarchive in README.md
* ci: fix travis build failures caused by recent travis changes
* Cleanup icons Makefile
* icons: Include higher resolution icons
* Updated translations.
Patch instructions:
To install this openSUSE security update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
- openSUSE Leap 16.0
zypper in -t patch openSUSE-Leap-16.0-packagehub-347=1
Package List:
- openSUSE Leap 16.0:
atril-1.28.4-bp160.1.1
atril-backends-1.28.4-bp160.1.1
atril-devel-1.28.4-bp160.1.1
atril-doc-1.28.4-bp160.1.1
atril-lang-1.28.4-bp160.1.1
atril-thumbnailer-1.28.4-bp160.1.1
caja-extension-atril-1.28.4-bp160.1.1
libatrildocument3-1.28.4-bp160.1.1
libatrilview3-1.28.4-bp160.1.1
typelib-1_0-AtrilDocument-1_5_0-1.28.4-bp160.1.1
typelib-1_0-AtrilView-1_5_0-1.28.4-bp160.1.1
References:
* https://www.suse.com/security/cve/CVE-2026-46519.html
openSUSE-SU-2026:21146-1: moderate: Security update for lldpd
openSUSE security update: security update for lldpd
-------------------------------------------------------------
Announcement ID: openSUSE-SU-2026:21146-1
Rating: moderate
Cross-References:
* CVE-2026-46433
Affected Products:
openSUSE Leap 16.0
-------------------------------------------------------------
An update that solves one vulnerability can now be installed.
Description:
This update for lldpd fixes the following issues:
Changes in lldpd:
- Update to version 1.0.22
* Fix CVE-2026-46433, out-of-bound read access when removing
VLAN tag (#787).
* Reject 0-length management address in LLDP.
* Fix race condition when creating the control socket.
* Fix FDP MAC address.
* Fix memory leak in the BSD bridge query path.
* Fix duplicate management addresses when merging EDP VLAN
frames.
- Update to version 1.0.21
Changes:
* Add "configure lldp portdescription-source" to choose how to
populate port description.
Fix:
* Fix path traversal vulnerabilities in the privileged process.
* Fix arbitrary file deletion in the privileged process.
* Fix accuracy of Dot3 MAU types advertised and add support for
200G and 400G.
* Fix detection of wireless interfaces.
- Update to version 1.0.20
Changes:
* Enable fast start unconditionally (and move its configuration
in "configure lldp").
* Make VLAN advertisements configurable.
Fix:
* Do not break zero-copy traffic on Linux.
* Fix crash on rapid addition/removal of interfaces.
* Fix management address selection when pattern is a negative
IP address.
- Update to version 1.0.19
Changes:
* Add cvlan/svlan/tpmr capabilities.
* Add lldpctl_watch_sync_unblock to liblldpctl.
* Add C++ wrapper for lldpctl.
Fix:
* Fix AppArmor policy for /run/lldpd/lldpd.socket.lock.
* Do not query stats for a down interface on Linux.
Patch instructions:
To install this openSUSE security update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
- openSUSE Leap 16.0
zypper in -t patch openSUSE-Leap-16.0-packagehub-341=1
Package List:
- openSUSE Leap 16.0:
liblldpctl4-1.0.22-bp160.1.1
lldpd-1.0.22-bp160.1.1
lldpd-devel-1.0.22-bp160.1.1
References:
* https://www.suse.com/security/cve/CVE-2026-46433.html
openSUSE-SU-2026:21149-1: important: Security update for bitcoin
openSUSE security update: security update for bitcoin
-------------------------------------------------------------
Announcement ID: openSUSE-SU-2026:21149-1
Rating: important
References:
* bsc#1125092
* bsc#1149711
* bsc#1181784
* bsc#1181786
* bsc#1217678
* bsc#1231507
Cross-References:
* CVE-2018-20587
* CVE-2019-15947
* CVE-2020-14198
* CVE-2021-3195
* CVE-2023-37192
* CVE-2024-35202
Affected Products:
openSUSE Leap 16.0
-------------------------------------------------------------
An update that solves 6 vulnerabilities and has 6 bug fixes can now be installed.
Description:
This update for bitcoin fixes the following issues:
Changes in bitcoin:
- Reference the tracking bugs for CVEs already fixed in current bitcoin
(the affected versions all predate the shipped release):
* CVE-2018-20587 (boo#1125092)
* CVE-2019-15947 (boo#1149711)
* CVE-2020-14198 (boo#1181786)
* CVE-2021-3195 (boo#1181784)
* CVE-2023-37192 (boo#1217678)
* CVE-2024-35202 (boo#1231507)
Patch instructions:
To install this openSUSE security update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
- openSUSE Leap 16.0
zypper in -t patch openSUSE-Leap-16.0-packagehub-344=1
Package List:
- openSUSE Leap 16.0:
bitcoin-qt5-27.1-bp160.2.1
bitcoin-test-27.1-bp160.2.1
bitcoin-utils-27.1-bp160.2.1
bitcoind-27.1-bp160.2.1
libbitcoinconsensus-devel-27.1-bp160.2.1
libbitcoinconsensus0-27.1-bp160.2.1
References:
* https://www.suse.com/security/cve/CVE-2018-20587.html
* https://www.suse.com/security/cve/CVE-2019-15947.html
* https://www.suse.com/security/cve/CVE-2020-14198.html
* https://www.suse.com/security/cve/CVE-2021-3195.html
* https://www.suse.com/security/cve/CVE-2023-37192.html
* https://www.suse.com/security/cve/CVE-2024-35202.html
openSUSE-SU-2026:21151-1: important: Security update for warewulf4
openSUSE security update: security update for warewulf4
-------------------------------------------------------------
Announcement ID: openSUSE-SU-2026:21151-1
Rating: important
References:
* bsc#1254470
* bsc#1258511
* bsc#1262810
* bsc#1265653
* bsc#1266483
Cross-References:
* CVE-2025-58058
* CVE-2025-69725
* CVE-2026-33814
* CVE-2026-34986
* CVE-2026-39821
CVSS scores:
* CVE-2025-58058 ( SUSE ): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
* CVE-2025-58058 ( SUSE ): 6.9 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
* CVE-2025-69725 ( SUSE ): 6.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
* CVE-2025-69725 ( SUSE ): 2.3 CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:L/VA:N/SC:L/SI:N/SA:N
* CVE-2026-33814 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
* CVE-2026-34986 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
* CVE-2026-34986 ( SUSE ): 8.7 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
* CVE-2026-39821 ( SUSE ): 7.4 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
* CVE-2026-39821 ( SUSE ): 9.1 CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
Affected Products:
openSUSE Leap 16.0
-------------------------------------------------------------
An update that solves 5 vulnerabilities and has 5 bug fixes can now be installed.
Description:
This update for warewulf4 fixes the following issues:
Changes in warewulf4:
- updated go-jose to fix CVE-2026-34986 (bsc#1262810)
- chi is fixed in the upstream project
- updating to v4.7.0 with following security fixes
* fixed CVE-2026-39821 (bsc#1266483)
* fixed CVE-2026-33814 (bsc#1265653)
- v4.7.0 with significant changes relative to the v4.6.x series which are:
* New wwctl unset command
* Refactored server routes (URLs)
* New /files/ route for serving individual files and templates
* Server TLS support
* Removed support for fetching individual overlays and individual files from overlays
* Fixed whitespace handling around template functions
* Security fixes, including updated Go and library versions
- changes from v4.6.5:
* new wwctl overlay info command
* fixed wwctl image import --update option
* cross-arch support for wwclient
* improved IPv6 support
* improved support for bonded interfaces
* renamed debian.interfaces overlay to ifupdown
* new systemd-networkd overlay
* warewulf-dracut fixes, including "provision-to-disk" fixes
- remove slurm-overlay package
- fix CVE-2025-69725 (bsc#1258511) by updating chi
- updated to v4.6.5 with the following changes:
* new wwctl overlay info command
* fixed wwctl image import --update option (bsc#1254470)
* cross-arch support for wwclient
* improved IPv6 support
* improved support for bonded interfaces
* renamed debian.interfaces overlay to ifupdown
* new systemd-networkd overlay
* warewulf-dracut fixes, including "provision-to-disk" fixes
- default to dnsmasq instead of dhcpd and tftp
Patch instructions:
To install this openSUSE security update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
- openSUSE Leap 16.0
zypper in -t patch openSUSE-Leap-16.0-packagehub-346=1
Package List:
- openSUSE Leap 16.0:
warewulf4-4.7.0-bp160.1.1
warewulf4-dracut-4.7.0-bp160.1.1
warewulf4-man-4.7.0-bp160.1.1
warewulf4-overlay-4.7.0-bp160.1.1
warewulf4-overlay-rke2-4.7.0-bp160.1.1
warewulf4-reference-doc-4.7.0-bp160.1.1
References:
* https://www.suse.com/security/cve/CVE-2025-58058.html
* https://www.suse.com/security/cve/CVE-2025-69725.html
* https://www.suse.com/security/cve/CVE-2026-33814.html
* https://www.suse.com/security/cve/CVE-2026-34986.html
* https://www.suse.com/security/cve/CVE-2026-39821.html
openSUSE-SU-2026:21143-1: moderate: Security update for gleam
openSUSE security update: security update for gleam
-------------------------------------------------------------
Announcement ID: openSUSE-SU-2026:21143-1
Rating: moderate
References:
* bsc#1267396
* bsc#1267397
* bsc#1267398
Cross-References:
* CVE-2026-32685
* CVE-2026-42795
* CVE-2026-43965
Affected Products:
openSUSE Leap 16.0
-------------------------------------------------------------
An update that solves 3 vulnerabilities and has 3 bug fixes can now be installed.
Description:
This update for gleam fixes the following issues:
Changes in gleam:
- Update to 1.17.0:
* Fixed security vulnerabilities:
- Restrict custom documentation page `path` and `source` values so
`gleam docs build` cannot escape the docs output directory or project
root (bsc#1267396, CVE-2026-32685)
- Restrict publication tarball creation so they cannot contain files
from outside the project root (bsc#1267397, CVE-2026-42795)
- Stricter deserialisation rules for files internal to the build directory
to reject corrupted data (bsc#1267398, CVE-2026-43965)
* All features and bug fixes are extensively highlighted with
examples in the upstream blog post at
https://gleam.run/news/single-file-gleam-beam-programs-with-escript/
and in the changelog at
https://github.com/gleam-lang/gleam/blob/v1.17.0/CHANGELOG.md
Some of the highlights include:
- Various JavaScript code generation fixes and optimization
- Various compiler error handling improvements
- Ability to use the `todo` keyword in constants
- Improved handling of Git monorepos during package management
- Ability to create escripts from Gleam programs
- Various language server improvements like reference highlighting,
record hovering and code actions
- Update to 1.16.0:
* Changelog v1.16.0: https://gleam.run/news/javascript-source-maps/
- Update to 1.15.1:
* Changelog v1.12.0: https://gleam.run/news/no-more-dependency-management-headaches/
* Changelog v1.13.0: https://gleam.run/news/formalising-external-apis/
* Changelog v1.14.0: https://gleam.run/news/the-happy-holidays-2025-release/
* Changelog v1.15.0: https://gleam.run/news/upgrading-hex-security/
- Replace deprecated "disabled" mode with "manual" in _service
- Update to 1.11.0:
* The displaying of internal types in HTML documentation has been
improved
* A warning is now emitted when the same module is imported
multiple times into the same module with different aliases
* Fixed a bug where a bit array segment matching on a floating
point number would match with NaN or Infinity on the JavaScript
target
* https://github.com/gleam-lang/gleam/blob/v1.11.1/CHANGELOG.md
- Update to 1.10.0:
* Changelog: https://gleam.run/news/global-rename-and-find-references/
- Skip unit tests that require networking during build
- Update to 1.9.0:
* Changelog: https://gleam.run/news/hello-echo-hello-git/
- Update to 1.8.1:
* Fixed a metadata caching bug where accessors for opaque types
could sometimes be used in other modules. (Louis Pilfold)
* Changelog: https://gleam.run/news/gleam-gets-rename-variable/
- Update to 1.7.0:
* Changelog: https://gleam.run/news/improved-performance-and-publishing/
- Update to 1.6.3:
* Fixed a bug where Gleam would be unable to compile to BEAM
bytecode on older versions of Erlang/OTP. (yoshi)
- Update to 1.6.2:
* Fixed a bug where patterns in use expressions would not be checked
to ensure that they were exhaustive. (Surya Rose)
- Update to 1.6.1:
* fix update use_manifest logic (Jason Sipula)
* 1.6.0 Changelog: https://gleam.run/news/context-aware-compilation/
Patch instructions:
To install this openSUSE security update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
- openSUSE Leap 16.0
zypper in -t patch openSUSE-Leap-16.0-packagehub-338=1
Package List:
- openSUSE Leap 16.0:
gleam-1.17.0-bp160.1.1
References:
* https://www.suse.com/security/cve/CVE-2026-32685.html
* https://www.suse.com/security/cve/CVE-2026-42795.html
* https://www.suse.com/security/cve/CVE-2026-43965.html
openSUSE-SU-2026:21140-1: critical: Security update for perl-Cpanel-JSON-XS
openSUSE security update: security update for perl-cpanel-json-xs
-------------------------------------------------------------
Announcement ID: openSUSE-SU-2026:21140-1
Rating: critical
References:
* bsc#1249331
* bsc#1267546
* bsc#1267547
Cross-References:
* CVE-2025-40929
* CVE-2026-9334
* CVE-2026-9516
CVSS scores:
* CVE-2025-40929 ( SUSE ): 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
* CVE-2025-40929 ( SUSE ): 9.3 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
* CVE-2026-9334 ( SUSE ): 8.1 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
* CVE-2026-9334 ( SUSE ): 9.2 CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
* CVE-2026-9516 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
* CVE-2026-9516 ( SUSE ): 8.7 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
Affected Products:
openSUSE Leap 16.0
-------------------------------------------------------------
An update that solves 3 vulnerabilities and has 3 bug fixes can now be installed.
Description:
This update for perl-Cpanel-JSON-XS fixes the following issues:
Changes in perl-Cpanel-JSON-XS:
- updated to 4.420.0 (4.42)
see /usr/share/doc/packages/perl-Cpanel-JSON-XS/Changes
4.42 2026-06-27 (rurban)
- Ensure encode with a type spec hashref does not change the hashref argument (GH #240)
- Fix -e docs: "written" -> "read" (GH #239, reported by Ron Savage).
- Fix Boolean eq overload matching undef (GH #207, reported by fd-t).
Cpanel::JSON::XS::Boolean overloaded eq would match undef as equal
to false because undef stringifies to "". Added defined() guard.
- Fix error messages showing overloaded stringification for blessed
objects (GH #191, reported by karenetheridge). Error messages now
use ClassName=TYPE(addr) format, bypassing any "" overload.
- Fix type_all_string overriding allow_blessed/convert_blessed (GH #175,
reported by alpha6). With type_all_string + allow_blessed, blessed
objects are now encoded as null (not stringified as HASH address).
- Fix infinite recursion when encode is called from a "" overload
(GH #128, reported by pbrthemaster). The recursion guard temporarily
clears convert_blessed and allow_stringify flags on the JSON object
before calling the overload, preventing re-entrant encode loops.
- Fix $obj->new creating a broken object (GH #93, reported by cpansprout).
When new() is called on an existing object (e.g. $json->new->new),
the class name is now extracted from the object's stash rather than
using the stringified reference.
- Change allow_nonref default to true (GH #241, matching JSON::PP and
JSON::XS 4.0+ and the insecure RFC 7159).
encode and decode now accept non-reference values by default.
decode_json() with an explicit 0/1 second argument still works.
Use allow_nonref(0) to reject non-reference (scalar) values for secure JSON.
- Fix minor t/12_blessed.t typo.
- Fix GH #112: encode large whole-number NV values without .0 on
32-bit Perl (values exceeding UV_MAX that Perl stores as float).
- Fix GH #197: prefer IOK over pNOK when encoding values where
IV is accurate but NV is imprecise (SvNOK not set).
- updated to 4.410.0 (4.41)
see /usr/share/doc/packages/perl-Cpanel-JSON-XS/Changes
4.41 2026-05-27 (rurban)
- Fix BOM-shift PV-corruption SIGABRT (CVE-2026-9516) (patch by Paul Johnson) bsc#1267547
- Fix dupkeys_as_arrayref type confusion (CVE-2026-9334) (patch by Paul Johnson) bsc#1267546
- Fix incr_parse single-quote string delimiter (GH #245, reported by
Paul Johnson)
- Fix a one-byte out-of-bounds heap read reachable via allow_barekey on
truncated input (GH #244, reported by Paul Johnson)
- updated to 4.400.0 (4.40)
see /usr/share/doc/packages/perl-Cpanel-JSON-XS/Changes
4.40 2025-09-07 (rurban)
- Fix CVE-2025-40929 overflow with overlong numbers, fuzzing only.
- Detect more malformed numbers, with two decimal points.
- Pin github actions to latest @v via pinact run -u
(bsc#1249331)
- updated to 4.390.0 (4.39)
see /usr/share/doc/packages/perl-Cpanel-JSON-XS/Changes
4.39 2024-12-12 (rurban)
- Fix Windows -Dusequadmath (sisyphus GH #235, GH #229)
- Fix inconsistent behavior between decoding escaped and unescaped
surrogates, and escaped non-characters vs non-escaped non-characters.
Now aligned to JSON::PP (Gavin Hayes GH #233, GH #227)
- Add type_all_string tests (Bernhard Schmalhofer GH #236)
- Silence UV to char cast warnings (bulk88 GH #232)
- Fix MSVC preprocessor errors (bulk88 GH #232)
- Fix -Wformat warnings on Windows (sisyphus GH #228)
- Clarify BigInt decoding (GH #226)
Patch instructions:
To install this openSUSE security update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
- openSUSE Leap 16.0
zypper in -t patch openSUSE-Leap-16.0-packagehub-335=1
Package List:
- openSUSE Leap 16.0:
perl-Cpanel-JSON-XS-4.420.0-bp160.1.1
References:
* https://www.suse.com/security/cve/CVE-2025-40929.html
* https://www.suse.com/security/cve/CVE-2026-9334.html
* https://www.suse.com/security/cve/CVE-2026-9516.html
openSUSE-SU-2026:21145-1: moderate: Security update for mbedtls-2
openSUSE security update: security update for mbedtls-2
-------------------------------------------------------------
Announcement ID: openSUSE-SU-2026:21145-1
Rating: moderate
References:
* bsc#1230310
* bsc#1240051
* bsc#1240052
Cross-References:
* CVE-2024-45157
* CVE-2025-27809
* CVE-2025-27810
Affected Products:
openSUSE Leap 16.0
-------------------------------------------------------------
An update that solves 3 vulnerabilities and has 3 bug fixes can now be installed.
Description:
This update for mbedtls-2 fixes the following issues:
Changes in mbedtls-2:
- Enable SRTP and DTLS protocols needed by some software.
- Update to version 2.28.10:
Default behavior changes
* In TLS clients, if mbedtls_ssl_set_hostname() has not been called,
mbedtls_ssl_handshake() now fails with
MBEDTLS_ERR_SSL_CERTIFICATE_VERIFICATION_WITHOUT_HOSTNAME
if certificate-based authentication of the server is attempted.
This is because authenticating a server without knowing what name
to expect is usually insecure. To restore the old behavior, either
call mbedtls_ssl_set_hostname() with NULL as the hostname, or
enable the new compile-time option
MBEDTLS_SSL_CLI_ALLOW_WEAK_CERTIFICATE_VERIFICATION_WITHOUT_HOSTNAME.
The content of ssl->hostname after mbedtls_ssl_set_hostname(ssl, NULL)
has changed, see the documentation of the hostname field in the
mbedtls_ssl_context struct type for details.
Security
* Note that TLS clients should generally call mbedtls_ssl_set_hostname()
if they use certificate authentication (i.e. not pre-shared keys).
Otherwise, in many scenarios, the server could be impersonated.
The library will now prevent the handshake and return
MBEDTLS_ERR_SSL_CERTIFICATE_VERIFICATION_WITHOUT_HOSTNAME
if mbedtls_ssl_set_hostname() has not been called.
CVE-2025-27809 (boo#1240051)
* Zeroize temporary heap buffers used in PSA operations.
* Fix a vulnerability in the TLS 1.2 handshake. If memory allocation failed
or there was a cryptographic hardware failure when calculating the
Finished message, it could be calculated incorrectly. This would break
the security guarantees of the TLS handshake.
CVE-2025-27810 (boo#1240052)
Bugfix
* Use 'mbedtls_net_close' instead of 'close' in 'mbedtls_net_bind'
and 'mbedtls_net_connect' to prevent possible double close fd
problems. Fixes gh#Mbed-TLS/mbedtls#9711.
* Fix compilation on MS-DOS DJGPP. Fixes gh#Mbed-TLS/mbedtls#9813.
* Fix missing constraints on the AES-NI inline assembly which is used on
GCC-like compilers when building AES for generic x86_64 targets. This
may have resulted in incorrect code with some compilers, depending on
optimizations. Fixes gh#Mbed-TLS/mbedtls#9819.
* Fix issue where psa_key_derivation_input_integer() is not detecting
bad state after an operation has been aborted.
* Fix definition of MBEDTLS_PRINTF_SIZET to prevent runtime crashes that
occurred whenever SSL debugging was enabled on a copy of Mbed TLS built
with Visual Studio 2013 or MinGW.
Fixes gh#Mbed-TLS/mbedtls#10017.
* Remove Everest Visual Studio 2010 compatibility headers, which could
shadow standard CRT headers inttypes.h and stdbool.h with incomplete
implementations if placed on the include path, e.g. when building Mbed TLS
with the .sln file shipped with the project.
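The hostname change listed above under "Default behavior changes" (CVE-2025-27809) breaks or silently weakens TLS clients depending on how they call the library. The following heuristic source audit is an added example, not part of the advisory or of Mbed TLS: the function and macro names are the ones quoted in the advisory, while the file names and sample sources are constructed.

```python
import re

# Function and macro names below are the ones quoted in the advisory.
WEAK_NAME = "MBEDTLS_SSL_CLI_ALLOW_WEAK_CERTIFICATE_VERIFICATION_WITHOUT_HOSTNAME"
HANDSHAKE = re.compile(r"\bmbedtls_ssl_handshake\s*\(")
SET_HOSTNAME = re.compile(r"\bmbedtls_ssl_set_hostname\s*\(")
# Explicit opt-out: the second argument is a literal NULL.
SET_HOSTNAME_NULL = re.compile(r"\bmbedtls_ssl_set_hostname\s*\([^,;]+,\s*NULL\s*\)")
WEAK_MACRO = re.compile(r"^[ \t]*#[ \t]*define[ \t]+" + WEAK_NAME + r"\b", re.M)
# Heuristic comment stripper: good enough for an audit, not a C parser
# (a "//" inside a string literal would be cut as well).
COMMENTS = re.compile(r"/\*.*?\*/|//[^\n]*", re.S)


def audit_source(name, text):
    """Return a list of (file, finding) tuples for one C source or header."""
    code = COMMENTS.sub("", text)
    findings = []
    if WEAK_MACRO.search(code):
        findings.append((name, "weak-verification compile-time option enabled"))
    if SET_HOSTNAME_NULL.search(code):
        findings.append((name, "hostname check explicitly disabled with NULL"))
    if HANDSHAKE.search(code) and not SET_HOSTNAME.search(code):
        # Per-file check: it also fires for server code and for clients that
        # set the hostname in another translation unit, so review each hit.
        findings.append((name, "handshake without mbedtls_ssl_set_hostname()"))
    return findings


def audit_tree(sources):
    """Audit a {filename: source text} mapping; findings are sorted by file."""
    out = []
    for name in sorted(sources):
        out.extend(audit_source(name, sources[name]))
    return out


# Constructed sample sources, not taken from any real project.
SAMPLES = {
    "client_ok.c": 'mbedtls_ssl_set_hostname(&ssl, "mirror.example.org");\n'
                   "while ((ret = mbedtls_ssl_handshake(&ssl)) != 0) { }\n",
    "client_missing.c": "/* mbedtls_ssl_set_hostname(&ssl, host); */\n"
                        "ret = mbedtls_ssl_handshake(&ssl);\n",
    "client_optout.c": "mbedtls_ssl_set_hostname(&ssl, NULL);\n"
                       "ret = mbedtls_ssl_handshake(&ssl);\n",
    "config.h": "#define " + WEAK_NAME + "\n",
    "config_default.h": "//#define " + WEAK_NAME + "\n",
}

if __name__ == "__main__":
    for path, finding in audit_tree(SAMPLES):
        print(f"{path}: {finding}")
```

After the update, files in the third category fail the handshake with MBEDTLS_ERR_SSL_CERTIFICATE_VERIFICATION_WITHOUT_HOSTNAME, while the first two categories keep working without authenticating the server name.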
Patch instructions:
To install this openSUSE security update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
- openSUSE Leap 16.0
zypper in -t patch openSUSE-Leap-16.0-packagehub-340=1
Package List:
- openSUSE Leap 16.0:
libmbedcrypto7-2.28.10-bp160.1.1
libmbedcrypto7-x86-64-v3-2.28.10-bp160.1.1
libmbedtls14-2.28.10-bp160.1.1
libmbedtls14-x86-64-v3-2.28.10-bp160.1.1
libmbedx509-1-2.28.10-bp160.1.1
libmbedx509-1-x86-64-v3-2.28.10-bp160.1.1
mbedtls-2-devel-2.28.10-bp160.1.1
References:
* https://www.suse.com/security/cve/CVE-2024-45157.html
* https://www.suse.com/security/cve/CVE-2025-27809.html
* https://www.suse.com/security/cve/CVE-2025-27810.html
openSUSE-SU-2026:21137-1: important: Security update for perl-Crypt-PasswdMD5
openSUSE security update: security update for perl-crypt-passwdmd5
-------------------------------------------------------------
Announcement ID: openSUSE-SU-2026:21137-1
Rating: important
References:
* bsc#1264705
Cross-References:
* CVE-2026-6659
Affected Products:
openSUSE Leap 16.0
-------------------------------------------------------------
An update that solves one vulnerability and has one bug fix can now be installed.
Description:
This update for perl-Crypt-PasswdMD5 fixes the following issues:
Changes in perl-Crypt-PasswdMD5:
- updated to 1.430.0 (1.43)
see /usr/share/doc/packages/perl-Crypt-PasswdMD5/Changelog.ini
[V 1.43]
Date=2026-05-23T08:14:00
Deploy.Action=Upgrade
Deploy.Reason=Security
Comments=