SUSE has released a batch of security advisories addressing multiple vulnerabilities across its openSUSE Leap and SUSE Linux Enterprise distributions. These updates target critical packages like apptainer, mozjs115, and the Linux kernel live patch while also covering moderate risks in tools such as ffmpeg, glibc, and firewalld. Administrators should prioritize applying these patches immediately since several flaws could allow remote code execution or system crashes without proper authentication. The recommended installation method involves using zypper patch or YaST online_update to ensure all affected systems receive the necessary security fixes.

SUSE-SU-2026:1870-1: important: Security update for mozjs115
openSUSE-SU-2026:20726-1: moderate: Security update for ffmpeg-4
openSUSE-SU-2026:20730-1: critical: Security update for apptainer
openSUSE-SU-2026:20723-1: important: Security update for kdenlive
openSUSE-SU-2026:10775-1: moderate: rsync-3.4.1-5.1 on GA media
openSUSE-SU-2026:10776-1: moderate: tekton-cli-0.45.0-1.1 on GA media
openSUSE-SU-2026:10777-1: moderate: ImageMagick-7.1.2.22-1.1 on GA media
openSUSE-SU-2026:10774-1: moderate: perl-Text-CSV_XS-1.620.0-1.1 on GA media
openSUSE-SU-2026:10772-1: moderate: libIex-3_4-33-3.4.11-1.1 on GA media
openSUSE-SU-2026:10769-1: moderate: flux2-cli-2.8.7-1.1 on GA media
openSUSE-SU-2026:10770-1: moderate: glibc-2.43-3.1 on GA media
openSUSE-SU-2026:10768-1: moderate: ffmpeg-7-7.1.3-3.1 on GA media
openSUSE-SU-2026:10773-1: moderate: perl-CryptX-0.89.0-1.1 on GA media
openSUSE-SU-2026:0167-1: moderate: Security update for gosec
SUSE-SU-2026:1872-1: moderate: Security update for firewalld
SUSE-SU-2026:1871-1: moderate: Security update for openvswitch
SUSE-SU-2026:1873-1: important: Security update for the Linux Kernel (Live Patch 12 for SUSE Linux Enterprise 15 SP7)



SUSE-SU-2026:1870-1: important: Security update for mozjs115


# Security update for mozjs115

Announcement ID: SUSE-SU-2026:1870-1
Release Date: 2026-05-15T09:19:51Z
Rating: important
References:

* bsc#1259713
* bsc#1259728
* bsc#1259731

Cross-References:

* CVE-2026-32776
* CVE-2026-32777
* CVE-2026-32778

CVSS scores:

* CVE-2026-32776 ( SUSE ): 8.7 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
* CVE-2026-32776 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
* CVE-2026-32776 ( NVD ): 4.0 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
* CVE-2026-32776 ( NVD ): 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
* CVE-2026-32777 ( SUSE ): 8.7 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
* CVE-2026-32777 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
* CVE-2026-32777 ( NVD ): 4.0 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
* CVE-2026-32777 ( NVD ): 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
* CVE-2026-32778 ( SUSE ): 8.2 CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
* CVE-2026-32778 ( SUSE ): 5.9 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
* CVE-2026-32778 ( NVD ): 2.9 CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L
* CVE-2026-32778 ( NVD ): 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Affected Products:

* Desktop Applications Module 15-SP7
* openSUSE Leap 15.6
* SUSE Linux Enterprise Desktop 15 SP7
* SUSE Linux Enterprise Real Time 15 SP7
* SUSE Linux Enterprise Server 15 SP6
* SUSE Linux Enterprise Server 15 SP6 LTSS
* SUSE Linux Enterprise Server 15 SP7
* SUSE Linux Enterprise Server for SAP Applications 15 SP6
* SUSE Linux Enterprise Server for SAP Applications 15 SP7

An update that solves three vulnerabilities can now be installed.

## Description:

This update for mozjs115 fixes the following issues:

* CVE-2026-32776: libexpat: NULL pointer dereference when processing empty
external parameter entities inside an entity declaration value
(bsc#1259728).
* CVE-2026-32777: libexpat: denial of service due to infinite loop in DTD
content parsing (bsc#1259713).
* CVE-2026-32778: libexpat: NULL pointer dereference in `setContext` on retry
after an out-of-memory condition (bsc#1259731).

## Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like
YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

* openSUSE Leap 15.6
zypper in -t patch SUSE-2026-1870=1 openSUSE-SLE-15.6-2026-1870=1

* Desktop Applications Module 15-SP7
zypper in -t patch SUSE-SLE-Module-Desktop-Applications-15-SP7-2026-1870=1

* SUSE Linux Enterprise Server 15 SP6 LTSS
zypper in -t patch SUSE-SLE-Product-SLES-15-SP6-LTSS-2026-1870=1

* SUSE Linux Enterprise Server for SAP Applications 15 SP6
zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-SP6-2026-1870=1

## Package List:

* openSUSE Leap 15.6 (i686)
  * mozjs115-115.4.0-150600.3.12.5
  * libmozjs-115-0-115.4.0-150600.3.12.5
  * mozjs115-debuginfo-115.4.0-150600.3.12.5
  * libmozjs-115-0-debuginfo-115.4.0-150600.3.12.5
  * mozjs115-debugsource-115.4.0-150600.3.12.5
  * mozjs115-devel-115.4.0-150600.3.12.5
* openSUSE Leap 15.6 (aarch64 ppc64le s390x x86_64)
  * mozjs115-115.4.0-150600.3.14.1
  * mozjs115-debuginfo-115.4.0-150600.3.14.1
  * mozjs115-devel-115.4.0-150600.3.14.1
  * libmozjs-115-0-115.4.0-150600.3.14.1
  * mozjs115-debugsource-115.4.0-150600.3.14.1
  * libmozjs-115-0-debuginfo-115.4.0-150600.3.14.1
* Desktop Applications Module 15-SP7 (aarch64 ppc64le s390x x86_64)
  * mozjs115-debuginfo-115.4.0-150600.3.14.1
  * mozjs115-devel-115.4.0-150600.3.14.1
  * libmozjs-115-0-115.4.0-150600.3.14.1
  * mozjs115-debugsource-115.4.0-150600.3.14.1
  * libmozjs-115-0-debuginfo-115.4.0-150600.3.14.1
* SUSE Linux Enterprise Server 15 SP6 LTSS (aarch64 ppc64le s390x x86_64)
  * mozjs115-debuginfo-115.4.0-150600.3.14.1
  * mozjs115-devel-115.4.0-150600.3.14.1
  * libmozjs-115-0-115.4.0-150600.3.14.1
  * mozjs115-debugsource-115.4.0-150600.3.14.1
  * libmozjs-115-0-debuginfo-115.4.0-150600.3.14.1
* SUSE Linux Enterprise Server for SAP Applications 15 SP6 (ppc64le x86_64)
  * mozjs115-debuginfo-115.4.0-150600.3.14.1
  * mozjs115-devel-115.4.0-150600.3.14.1
  * libmozjs-115-0-115.4.0-150600.3.14.1
  * mozjs115-debugsource-115.4.0-150600.3.14.1
  * libmozjs-115-0-debuginfo-115.4.0-150600.3.14.1

## References:

* https://www.suse.com/security/cve/CVE-2026-32776.html
* https://www.suse.com/security/cve/CVE-2026-32777.html
* https://www.suse.com/security/cve/CVE-2026-32778.html
* https://bugzilla.suse.com/show_bug.cgi?id=1259713
* https://bugzilla.suse.com/show_bug.cgi?id=1259728
* https://bugzilla.suse.com/show_bug.cgi?id=1259731



openSUSE-SU-2026:20726-1: moderate: Security update for ffmpeg-4


openSUSE security update: security update for ffmpeg-4
-------------------------------------------------------------

Announcement ID: openSUSE-SU-2026:20726-1
Rating: moderate
References:

* bsc#1262237

Cross-References:

* CVE-2026-40962

CVSS scores:

* CVE-2026-40962 ( SUSE ): 4.9 CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L
* CVE-2026-40962 ( SUSE ): 2.1 CVSS:4.0/AV:L/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N

Affected Products:

openSUSE Leap 16.0

-------------------------------------------------------------

An update that solves one vulnerability and has one bug fix can now be installed.

Description:

This update for ffmpeg-4 fixes the following issues:

Changes in ffmpeg-4:

- CVE-2026-40962: Fixed inadequate CENC subsample bounds checks that could lead to an integer overflow (bsc#1262237).

Patch instructions:

To install this openSUSE security update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

- openSUSE Leap 16.0

zypper in -t patch openSUSE-Leap-16.0-packagehub-251=1

Package List:

- openSUSE Leap 16.0:

ffmpeg-4-4.4.6-bp160.2.1
ffmpeg-4-libavcodec-devel-4.4.6-bp160.2.1
ffmpeg-4-libavdevice-devel-4.4.6-bp160.2.1
ffmpeg-4-libavfilter-devel-4.4.6-bp160.2.1
ffmpeg-4-libavformat-devel-4.4.6-bp160.2.1
ffmpeg-4-libavresample-devel-4.4.6-bp160.2.1
ffmpeg-4-libavutil-devel-4.4.6-bp160.2.1
ffmpeg-4-libpostproc-devel-4.4.6-bp160.2.1
ffmpeg-4-libswresample-devel-4.4.6-bp160.2.1
ffmpeg-4-libswscale-devel-4.4.6-bp160.2.1
ffmpeg-4-private-devel-4.4.6-bp160.2.1
libavcodec58_134-4.4.6-bp160.2.1
libavdevice58_13-4.4.6-bp160.2.1
libavfilter7_110-4.4.6-bp160.2.1
libavformat58_76-4.4.6-bp160.2.1
libavresample4_0-4.4.6-bp160.2.1
libavutil56_70-4.4.6-bp160.2.1
libpostproc55_9-4.4.6-bp160.2.1
libswresample3_9-4.4.6-bp160.2.1
libswscale5_9-4.4.6-bp160.2.1

References:

* https://www.suse.com/security/cve/CVE-2026-40962.html



openSUSE-SU-2026:20730-1: critical: Security update for apptainer


openSUSE security update: security update for apptainer
-------------------------------------------------------------

Announcement ID: openSUSE-SU-2026:20730-1
Rating: critical
References:

* bsc#1228324
* bsc#1234595
* bsc#1234794
* bsc#1235211
* bsc#1236528
* bsc#1237679
* bsc#1238611
* bsc#1239341
* bsc#1253924
* bsc#1255462
* bsc#1258047
* bsc#1258048
* bsc#1260311
* bsc#1262956
* bsc#1264177

Cross-References:

* CVE-2023-45288
* CVE-2024-28180
* CVE-2024-3727
* CVE-2024-41110
* CVE-2024-45337
* CVE-2024-45338
* CVE-2025-22869
* CVE-2025-22870
* CVE-2025-22872
* CVE-2025-27144
* CVE-2025-47911
* CVE-2025-47913
* CVE-2025-47914
* CVE-2025-58181
* CVE-2025-58190
* CVE-2025-65105
* CVE-2025-8556
* CVE-2026-24137
* CVE-2026-33186
* CVE-2026-34986

CVSS scores:

* CVE-2023-45288 ( SUSE ): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
* CVE-2023-45288 ( SUSE ): 6.9 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
* CVE-2024-28180 ( SUSE ): 4.3 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
* CVE-2024-28180 ( SUSE ): 2.3 CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
* CVE-2024-3727 ( SUSE ): 8.3 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H
* CVE-2024-41110 ( SUSE ): 9.9 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
* CVE-2024-45337 ( SUSE ): 8.1 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
* CVE-2024-45338 ( SUSE ): 5.9 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
* CVE-2024-45338 ( SUSE ): 8.2 CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
* CVE-2025-22869 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
* CVE-2025-22869 ( SUSE ): 8.2 CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
* CVE-2025-22870 ( SUSE ): 4.4 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:L
* CVE-2025-22870 ( SUSE ): 4.8 CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N
* CVE-2025-22872 ( SUSE ): 6.5 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:L
* CVE-2025-22872 ( SUSE ): 6.3 CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:L/SC:L/SI:L/SA:L
* CVE-2025-27144 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
* CVE-2025-27144 ( SUSE ): 8.7 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
* CVE-2025-47911 ( SUSE ): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
* CVE-2025-47911 ( SUSE ): 6.9 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
* CVE-2025-47913 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
* CVE-2025-47913 ( SUSE ): 8.7 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
* CVE-2025-47914 ( SUSE ): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
* CVE-2025-47914 ( SUSE ): 6.9 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
* CVE-2025-58181 ( SUSE ): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
* CVE-2025-58181 ( SUSE ): 6.9 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
* CVE-2025-58190 ( SUSE ): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
* CVE-2025-58190 ( SUSE ): 6.9 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
* CVE-2025-65105 ( SUSE ): 5.3 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
* CVE-2026-24137 ( SUSE ): 5.3 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N
* CVE-2026-24137 ( SUSE ): 6 CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N
* CVE-2026-33186 ( SUSE ): 8.1 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
* CVE-2026-33186 ( SUSE ): 8.6 CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
* CVE-2026-34986 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
* CVE-2026-34986 ( SUSE ): 8.7 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Affected Products:

openSUSE Leap 16.0

-------------------------------------------------------------

An update that solves 20 vulnerabilities and has 15 bug fixes can now be installed.

Description:

This update for apptainer fixes the following issues:

Changes in apptainer:

- Fix CVE-2026-34986 (bsc#1262956)
* github.com/go-jose/go-jose/v4@v4.1.4
CVE-2026-33186 GO-2026-4762 (bsc#1260311)
* google.golang.org/grpc@v1.79.3
CVE-2026-24137 GO-2026-4358 (bsc#1264177)
* github.com/sigstore/sigstore@v1.10.4
Fix fallout:
github.com/moby/go-archive@v0.1.0
github.com/containers/image/v5=github.com/containers/image/v5@v5.36.0

- Fix HTML parser misimplementation of a part of the HTML
specification for table related tags (CVE-2025-58190,
GO-2026-4441, bsc#1258048).
- Fix issue where the HTML parser takes a very long time or
even never returns (CVE-2025-47911, GO-2026-4440, bsc#1258047).

- Update to 1.4.5
* Fix for moderate severity GO-2025-4176 / CVE-2025-65105 /
GHSA-j3rw-fx6g-q46j (bsc#1255462):
Ineffective application of selinux / apparmor --security option.
Updates of a few dependent go libraries for related security fixes.
* Other fix
Run FUSE processes in a separate process group. This detaches them
from the main process so they don't receive signals such as interrupts
sent to a terminal there. This was not a problem with interactive
shells because they start their own group, but was a problem with
some programs with interactive Read/Eval/Print/Loops such as python.
An interrupt there would kill the FUSE processes.
- From 1.4.4
* By applying patches to the bundled fuse2fs, allow again the possibility
of using a non-writable ext3 image file as an overlay. Fixes regression
introduced in 1.4.3.
* If an overlay or bound data image is asked to be mounted writable but
the user has no write access to the image, show a warning message
instead of silently switching to readonly.
* Avoid a fatal error when starting fakeroot from suid mode while
in an NFS directory.
* Fix 32-bit builds which were accidentally broken by a library
upgrade that was done for a minor security issue.
- Fix CVEs:
* GO-2025-4135 - CVE-2025-47914
Malformed constraint may cause denial of service in
golang.org/x/crypto/ssh/agent.
* GO-2025-4134 - CVE-2025-58181 - bsc#1253924
Unbounded memory consumption in golang.org/x/crypto/ssh.
* GO-2025-4116 - CVE-2025-47913
Potential denial of service in golang.org/x/crypto/ssh/agent.
* GO-2025-3595 - CVE-2025-22872
Incorrect Neutralization of Input During Web Page Generation
in x/net.
* GO-2025-3503 - CVE-2025-22870
HTTP Proxy bypass using IPv6 Zone IDs in golang.org/x/net.
* GO-2025-3487 - CVE-2025-22869
Potential denial of service in golang.org/x/crypto.
* GO-2025-3485 - CVE-2025-27144
DoS in go-jose Parsing in github.com/go-jose/go-jose.
* GO-2025-3754 - CVE-2025-8556
CIRCL-Fourq: Missing and wrong validation can lead to
incorrect results in github.com/cloudflare/circl.

- No need for binutils-gold for aarch64

- Update to 1.4.3
* Corrected the mconfig -s option for statically building apptainer
and starter binaries.
* Resolved an issue where the Makefile generated by mconfig -b
failed when the build directory was not a subdirectory of the
Apptainer source code.
* Fixed %files in definition files to correctly copy symlinks
pointing above the destination directory but within the
destination stage root filesystem.
* Addressed a typo in nvliblist.conf ( libnvoptix.so.1 was
corrected to libnvoptix.so).
* Prevented timeouts during cleanup after building
gocryptfs-encrypted SIF files.
* Fixed a bug that prevented build with --passphrase or --pem-path
(without --encrypt) from implying fakeroot.
* Resolved a hang when copying files between build stages while
using suid mode without user namespaces.
* Fixed issues with running and building containers of different
architectures than the host via binfmt_misc when using rootless
fakeroot.
* Corrected "target: no such file or directory" errors when
extracting layers from certain OCI images that manipulate hard
links across layers.
* Fixed a crash when executing a privilege-encrypted container as
root.
* Improved documentation for the remote list command.
* Removed the fakerootcallback functionality.
* Updated the default pacman confURL for Bootstrap: arch container
builds.
* Updated bundled fuse programs to their latest releases.
* Changed the default message level from silent to normal in
nested apptainer executions of a build's %post section, and
suppressed an unnecessary warning.
* Invalid environment variables are now ignored when pulling
oci/docker containers.
- Add definition file for SLE 16 (SLE-16.def).
- Remove definition files for SLE15 SP5 (SLE-15SP5.def) and
SP6 (SLE-15SP6.def).

- Update to 1.4.2
* Restore looking for registry mirrors in /etc/containers/registry.conf
and related files. This had been inadvertently dropped beginning in 1.4.0.
* Fix use of the image cache when the home directory contains @ characters.
Previously it would assume that it was the start of a digest in the oci-dir.
* Fix signature verification failures on unsigned images.
* Add additional .deb packages to the release assets that include the label
trixie+ to indicate that they are for installing on Debian 13 or later.
Those packages are necessary to work with the new libfuse3 library in
Debian13. They also support libsubid, unlike the default packages because
they are built on Debian 11 which doesn't have that library.
* Add automatic triggering of Ubuntu PPA builds whenever there's a new
apptainer release.

- Update to 1.4.1
* Fix the use of libsubid which had been broken by the revision
applied in 1.4.0-rc.2.
* Fix a bug introduced in 1.4.0 that caused arm64 to be
mis-converted to arm64v8 and resulted in a failure when pulling
OCI containers.
* Fix user database lookup in master process preventing instance
from starting correctly on systems using winbind.
* Check for existence of `/run/systemd/system` when verifying
cgroups can be used via systemd manager.
* Add a clear error message if someone tries to use privileged
network options while not using setuid mode.
* Allow multi-arch oci-archive files that have a nested index
with the manifest. This is the default format (both for Docker
and OCI) when using `nerdctl save`.
* Test if docker-archive is actually an oci-archive (since Docker
version 25), and if it is oci then use the OCI parser to avoid
bugs in the Docker parser. Save the daemon-daemon references
to a temporary docker-archive, to benefit from the same
improvements also for those references. Parse as oci-archive.

- New features & functionality inherited from 1.4.0
* Add new build option `--mksquashfs-args` to pass additional
arguments to the `mksquashfs` command when building SIF files.
If a compression method other than gzip is selected, the SIF
file might not work with older installations of Apptainer
or Singularity, so an INFO message about that is printed. On
the other hand, an INFO message that was printed (twice) when
running an image with non-gzip compression has been removed.
* If the `mksquashfs` version is new enough (version 4.6 in
Leap 16.0), then show a percentage progress bar (with ETA)
during SIF creation in the default log level. If the `mksquashfs`
version is older, then in verbose or debug log level show the
output of mksquashfs with its own progress bar.
* Statistics are now normally available for instances that are
started by non-root users on cgroups v2 systems. The instance
will be started in the current cgroup. Information about
configuration issues that prevent collection of statistics are
displayed as INFO messages by default.
* Add a `--sandbox` option to `apptainer pull`.
* Add configuration file binding to the `--nv` option. Files
that are recognized in the NVIDIA Container Toolkit, including
files for EGL ICD, were added to the default `nvliblist.conf`.
* It is now possible to use multiple environment variable files
using the `--env-file` flag. Files can be specified as a
comma-separated list or by using the flag multiple times.
Variables defined in later files take precedence over earlier
files.
* The registry login and registry logout commands now support a
`--authfile ` option, which causes OCI credentials to be
written to / removed from a custom file located at ``
instead of the default location (`$HOME/.apptainer/docker-config.json`).
The commands `pull`, `push`, `run`, `exec`, `shell` and
instance start can now also be passed a `--authfile `
option, to read OCI registry credentials from this custom file.
* A new `--netns-path` option takes a path to a network
namespace to join when starting a container. The root user
may join any network namespace. An unprivileged user can only
join a network namespace specified in the new `allow netns
paths` directive in `apptainer.conf`, if they are also listed
in `allow net users` / `allow net groups` and apptainer is
installed with setuid privileges. Not supported with
`--fakeroot`.
* `apptainer.conf` now accepts setting the following options:
`allow ipc ns` -- Default value is `yes`; when set to `no`,
it will disable the use of the `--ipc` flag.
`allow uts ns` -- Default value is `yes`; when set to `no`,
it will invalidate the use of the `--uts` and `--hostname`
flags.
`allow user ns` -- Default value is `yes`; when set to
`no`, it will disable creation of user namespaces. Note
that this will prevent execution of containers with the
`--userns` or `--fakeroot` flags and with unprivileged
installations of Apptainer.
- Changed defaults / behaviours
* Label the starter process seen in `ps` with the image filename,
for example: Apptainer runtime parent: `example.sif`.
* Remove runtime and compute libraries from `rocmliblist.conf`.
They should instead be provided by the container image.
* Allow overriding the build architecture with `--arch` and
`--arch-variant`, to build images for another architecture
than the current host arch. This requires that the host has
been set up to support multiple architectures (`binfmt_misc`).
* Complete the previously partial support for the riscv64
architecture.
* Show a warning message if changing directory to the cwd
fails, instead of silently switching to the home directory
or `/`.
* Write starter messages to stderr when an instance fails to
start. Previously they were incorrectly written to stdout.
* Skip attempting to bind inaccessible mount points when
handling the `mount hostfs = yes` configuration option.
* Fix storage of credentials for `docker.io` to behave the same
as for `index.docker.io`.
* Change message log level from warning to debug when environment
variables set inside a container or by `APPTAINERENV` have a
different value than the environment variable on the host.
* Change the default message level from silent to the normal
level in the nested apptainer that executes a build's `%post`
section, and suppress an unnecessary warning message.
* Ignore invalid environment variables when pulling oci/docker
containers.
* Remove the little-known `fakerootcallback` functionality.
* Update the default pacman confURL for `Bootstrap: arch`
container builds.
* Update the bundled fuse programs to their latest releases.
- Bug fixes
* Fix the `mconfig -s` option to build the apptainer and starter
binaries statically as documented.
* `%files from` in a definition file will now correctly copy
symlinks that point to a target above the destination
directory but inside the destination stage root filesystem.
* Fixed typo in `nvliblist.conf` (`libnvoptix.so.1` -> `libnvoptix.so`).
* Avoid timeouts when cleaning up from building gocryptfs-encrypted
SIF files.
* Fix bug that prevented build with `--passphrase` or
`--pem-path` but without `--encrypt` from implying fakeroot.
* Fix hang when copying files between build stages while using
suid mode without user namespaces.
* Fix running and building containers of different architectures
than the host via binfmt_misc when using rootless fakeroot.
* Fix `target: no such file or directory` error when extracting
layers from certain OCI images that manipulate hard links
across layers.
* Fix the crash that happened when executing a privilege-encrypted
container as root.

- Fix CVE-2024-45338, CVE-2025-22870, CVE-2024-45337, CVE-2025-22869, CVE-2025-27144, CVE-2024-41110
* GO-2024-3333 CVE-2024-45338 (bsc#1234794)
GO-2025-3503 CVE-2025-22870 (bsc#1238611):
Update to: golang.org/x/net@v0.36.0
* GO-2024-3321 CVE-2024-45337 (bsc#1234595)
GO-2025-3487 CVE-2025-22869 (bsc#1239341):
Update to: golang.org/x/crypto@v0.35.0
* GO-2025-3485 CVE-2025-27144 (bsc#1237679):
Update to: github.com/go-jose/go-jose/v3@v3.0.4
* GO-2024-3005 CVE-2024-41110 (bsc#1228324):
Update to: github.com/docker/docker@v25.0.6+incompatible

- Update golang.org/x/net to v0.23 to fix CVE-2023-45288 (bnc#1236528).

- Update to version 1.3.6
* Avoid using kernel overlayfs when the lower layer is a sandbox
on an incompatible filesystem type such as GPFS or Lustre.
For those cases use fuse-overlayfs instead. This fixes a
regression introduced in 1.3.0. The regression didn't much
impact Lustre because kernel overlayfs refused to try to use
it and Apptainer proceeded to use fuse-overlayfs anyway, but
with GPFS the kernel overlayfs allowed mounting but returned
stale file handle errors.

- Version 1.3.5
* Fix a regression introduced in 1.3.4 that overwrote existing
standard `/.singularity.d` files such as `runscript` in
container images even if they had been modified.
* Skip attempting to bind inaccessible mount points when
handling the `mount hostfs = yes` configuration option.
* Support parsing nested variables defined inside `%arguments`
section of definition files.
* Ignore invalid environment variables when pulling oci/docker
containers.

- Version 1.3.4
* Fixed sif-embedded overlay partitions for containers that are
larger than 2 gigabytes.
* Fixed the failure when starting apptainer with
`instance --fakeroot`.
* `apptainer build -B ...` can now be used to mount custom
resolv.conf and hosts files from non-standard outside locations.
This can be used to run `apptainer build` in a nix-build sandbox
that has no `/etc/resolv.conf`.
* Fixed failing builds from local images that have symbolic links
for paths that are part of the base container environment (e.g.
/var/tmp -> /tmp).
* Show info messages suggesting to use
`enable underlay = preferred` or the `--underlay` flag when
overlay is implied for bind mounts but the kernel is too old
to support fuse mounts in user namespaces and so tries to use
fusermount.
* When someone uses a `yum` bootstrap to build a container
without using subuid-based fakeroot or root, warn that it is
unlikely to work.
* Allow a writable `--overlay` to be used with `--nvccli` instead
of `--writable-tmpfs`.
* If an error "no descriptor found for reference" is seen while
getting an oci container, retry the operation up to five times.
* Make fakeroot Recommended for SUSE rpms instead of Required.
* Allow bind mounts onto existing files on r/o NFS filesystems.
* If an error is seen in the %post section when building a
container using fakeroot mode 3 (with the fakeroot command)
then show a message suggesting using `--ignore-fakeroot-command`
and referring to the documentation about how to install and use
it inside the container definition file.
* Show a more helpful error message when using fakeroot in suid
mode and there's an `/etc/subuid` mapping even though user
namespaces are not available (user namespaces are required for
`/etc/subuid` mapping).

- Version 1.3.3
* Added libcudadebugger.so to nvliblist.conf to support cuda-gdb
in CUDA 12+.
* Ensure opened/kept file descriptors in stage 1 are not closed
during the Go garbage collection to avoid "bad file descriptor"
errors at startup.
* Fixed a segmentation violation issue when running Apptainer
checkpoint.
* Fixed an issue that Apptainer won't read default docker
credentials.

- Version 1.3.2
* Fix for
[CVE-2024-3727](https://bugzilla.suse.com/show_bug.cgi?id=1224114)
in a dependent library which describes a flaw that can allow
attackers to trigger unexpected authenticated registry accesses
due to object digest values not being validated in all cases.
* Fixed the issue when nesting `apptainer instance start` inside
a container on cgroups-v2 capable host.
* Fixed the issue that oras download progress bar gets stuck
when downloading large images.

- Version 1.3.1
* Make 'apptainer build' work with signed Docker containers.
* Fixed regression introduced in 1.3.0 that prevented closing
cryptsetup and the corresponding loop device after running
an encrypted sif container file in suid mode.
* Stopped binding over the default timezone in the container
with the host's timezone, which led to unexpected behavior if
the application changed timezones.
* Added progress bars for `oras://` push and pull.
* Hide `Instance stats will not be available` message under
`--sharens` mode.
* Fix problem where credentials locally stored with
`registry login` command were not usable in some execution
flows. Run `registry login` again with latest version to ensure
credentials are stored correctly.
* Make runscript timeout configurable.
* Return invalid bind path mount options during bind path
parsing.
* Make the INFO message more helpful when a running background
process at exit time causes a FUSE mount to not shut down
cleanly.
* Fixed the wrong mediaType in the oras push manifest.
- Add Apptainer definition template for SLE15-SP7.

- Make sure the build is reproducible by setting the GNU build ID to one
derived from the Go one. See https://pkg.go.dev/cmd/link.

- Use go-jose version with fix for CVE-2024-28180 (bsc#1235211).

Patch instructions:

To install this openSUSE security update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

- openSUSE Leap 16.0

zypper in -t patch openSUSE-Leap-16.0-packagehub-255=1

Package List:

- openSUSE Leap 16.0:

apptainer-1.4.5-bp160.1.1
apptainer-leap-1.4.5-bp160.1.1
apptainer-sle15_7-1.4.5-bp160.1.1
apptainer-sle16-1.4.5-bp160.1.1

References:

* https://www.suse.com/security/cve/CVE-2023-45288.html
* https://www.suse.com/security/cve/CVE-2024-28180.html
* https://www.suse.com/security/cve/CVE-2024-3727.html
* https://www.suse.com/security/cve/CVE-2024-41110.html
* https://www.suse.com/security/cve/CVE-2024-45337.html
* https://www.suse.com/security/cve/CVE-2024-45338.html
* https://www.suse.com/security/cve/CVE-2025-22869.html
* https://www.suse.com/security/cve/CVE-2025-22870.html
* https://www.suse.com/security/cve/CVE-2025-22872.html
* https://www.suse.com/security/cve/CVE-2025-27144.html
* https://www.suse.com/security/cve/CVE-2025-47911.html
* https://www.suse.com/security/cve/CVE-2025-47913.html
* https://www.suse.com/security/cve/CVE-2025-47914.html
* https://www.suse.com/security/cve/CVE-2025-58181.html
* https://www.suse.com/security/cve/CVE-2025-58190.html
* https://www.suse.com/security/cve/CVE-2025-65105.html
* https://www.suse.com/security/cve/CVE-2025-8556.html
* https://www.suse.com/security/cve/CVE-2026-24137.html
* https://www.suse.com/security/cve/CVE-2026-33186.html
* https://www.suse.com/security/cve/CVE-2026-34986.html



openSUSE-SU-2026:20723-1: important: Security update for kdenlive


openSUSE security update: security update for kdenlive
-------------------------------------------------------------

Announcement ID: openSUSE-SU-2026:20723-1
Rating: important
References:

* bsc#1264711

Cross-References:

* CVE-2026-45184

Affected Products:

openSUSE Leap 16.0

-------------------------------------------------------------

An update that solves one vulnerability and has one bug fix can now be installed.

Description:

This update for kdenlive fixes the following issues:

Changes in kdenlive:

- CVE-2026-45184: Fixed a remote code execution through opening a malicious project file (boo#1264711).

Patch instructions:

To install this openSUSE security update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

- openSUSE Leap 16.0

zypper in -t patch openSUSE-Leap-16.0-packagehub-248=1

Package List:

- openSUSE Leap 16.0:

kdenlive-25.04.3-bp160.2.1
kdenlive-lang-25.04.3-bp160.2.1

References:

* https://www.suse.com/security/cve/CVE-2026-45184.html



openSUSE-SU-2026:10775-1: moderate: rsync-3.4.1-5.1 on GA media


# rsync-3.4.1-5.1 on GA media

Announcement ID: openSUSE-SU-2026:10775-1
Rating: moderate

Cross-References:

* CVE-2026-41035

CVSS scores:

* CVE-2026-41035 ( SUSE ): 7.2 CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
* CVE-2026-41035 ( SUSE ): 8.6 CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Affected Products:

* openSUSE Tumbleweed

An update that solves one vulnerability can now be installed.

## Description:

These are all security issues fixed in the rsync-3.4.1-5.1 package on the GA media of openSUSE Tumbleweed.

## Package List:

* openSUSE Tumbleweed:
  * rsync 3.4.1-5.1

## References:

* https://www.suse.com/security/cve/CVE-2026-41035.html



openSUSE-SU-2026:10776-1: moderate: tekton-cli-0.45.0-1.1 on GA media


# tekton-cli-0.45.0-1.1 on GA media

Announcement ID: openSUSE-SU-2026:10776-1
Rating: moderate

Cross-References:

* CVE-2026-25679

CVSS scores:

* CVE-2026-25679 ( SUSE ): 3.3 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
* CVE-2026-25679 ( SUSE ): 4.6 CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

Affected Products:

* openSUSE Tumbleweed

An update that solves one vulnerability can now be installed.

## Description:

These are all security issues fixed in the tekton-cli-0.45.0-1.1 package on the GA media of openSUSE Tumbleweed.

## Package List:

* openSUSE Tumbleweed:
  * tekton-cli 0.45.0-1.1
  * tekton-cli-bash-completion 0.45.0-1.1
  * tekton-cli-fish-completion 0.45.0-1.1
  * tekton-cli-zsh-completion 0.45.0-1.1

## References:

* https://www.suse.com/security/cve/CVE-2026-25679.html



openSUSE-SU-2026:10777-1: moderate: ImageMagick-7.1.2.22-1.1 on GA media


# ImageMagick-7.1.2.22-1.1 on GA media

Announcement ID: openSUSE-SU-2026:10777-1
Rating: moderate

Cross-References:

* CVE-2026-42050

CVSS scores:

* CVE-2026-42050 ( SUSE ): 5.5 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

Affected Products:

* openSUSE Tumbleweed

An update that solves one vulnerability can now be installed.

## Description:

These are all security issues fixed in the ImageMagick-7.1.2.22-1.1 package on the GA media of openSUSE Tumbleweed.

## Package List:

* openSUSE Tumbleweed:
  * ImageMagick 7.1.2.22-1.1
  * ImageMagick-config-7-SUSE 7.1.2.22-1.1
  * ImageMagick-devel 7.1.2.22-1.1
  * ImageMagick-devel-32bit 7.1.2.22-1.1
  * ImageMagick-doc 7.1.2.22-1.1
  * ImageMagick-extra 7.1.2.22-1.1
  * libMagick++-7_Q16HDRI5 7.1.2.22-1.1
  * libMagick++-7_Q16HDRI5-32bit 7.1.2.22-1.1
  * libMagick++-devel 7.1.2.22-1.1
  * libMagick++-devel-32bit 7.1.2.22-1.1
  * libMagickCore-7_Q16HDRI10 7.1.2.22-1.1
  * libMagickCore-7_Q16HDRI10-32bit 7.1.2.22-1.1
  * libMagickWand-7_Q16HDRI10 7.1.2.22-1.1
  * libMagickWand-7_Q16HDRI10-32bit 7.1.2.22-1.1
  * perl-PerlMagick 7.1.2.22-1.1

## References:

* https://www.suse.com/security/cve/CVE-2026-42050.html



openSUSE-SU-2026:10774-1: moderate: perl-Text-CSV_XS-1.620.0-1.1 on GA media


# perl-Text-CSV_XS-1.620.0-1.1 on GA media

Announcement ID: openSUSE-SU-2026:10774-1
Rating: moderate

Cross-References:

* CVE-2026-7111

CVSS scores:

* CVE-2026-7111 ( SUSE ): 8.4 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
* CVE-2026-7111 ( SUSE ): 8.6 CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Affected Products:

* openSUSE Tumbleweed

An update that solves one vulnerability can now be installed.

## Description:

These are all security issues fixed in the perl-Text-CSV_XS-1.620.0-1.1 package on the GA media of openSUSE Tumbleweed.

## Package List:

* openSUSE Tumbleweed:
  * perl-Text-CSV_XS 1.620.0-1.1

## References:

* https://www.suse.com/security/cve/CVE-2026-7111.html



openSUSE-SU-2026:10772-1: moderate: libIex-3_4-33-3.4.11-1.1 on GA media


# libIex-3_4-33-3.4.11-1.1 on GA media

Announcement ID: openSUSE-SU-2026:10772-1
Rating: moderate

Cross-References:

* CVE-2026-41142
* CVE-2026-42216
* CVE-2026-42217

CVSS scores:

* CVE-2026-41142 ( SUSE ): 8.1 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
* CVE-2026-41142 ( SUSE ): 9.2 CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
* CVE-2026-42216 ( SUSE ): 8.2 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H
* CVE-2026-42216 ( SUSE ): 8.8 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:H/SC:N/SI:N/SA:N
* CVE-2026-42217 ( SUSE ): 6.5 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:H
* CVE-2026-42217 ( SUSE ): 8.3 CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:H/SC:N/SI:N/SA:N

Affected Products:

* openSUSE Tumbleweed

An update that solves 3 vulnerabilities can now be installed.

## Description:

These are all security issues fixed in the libIex-3_4-33-3.4.11-1.1 package on the GA media of openSUSE Tumbleweed.

## Package List:

* openSUSE Tumbleweed:
  * libIex-3_4-33 3.4.11-1.1
  * libIex-3_4-33-32bit 3.4.11-1.1
  * libIex-3_4-33-x86-64-v3 3.4.11-1.1
  * libIlmThread-3_4-33 3.4.11-1.1
  * libIlmThread-3_4-33-32bit 3.4.11-1.1
  * libIlmThread-3_4-33-x86-64-v3 3.4.11-1.1
  * libOpenEXR-3_4-33 3.4.11-1.1
  * libOpenEXR-3_4-33-32bit 3.4.11-1.1
  * libOpenEXR-3_4-33-x86-64-v3 3.4.11-1.1
  * libOpenEXRCore-3_4-33 3.4.11-1.1
  * libOpenEXRCore-3_4-33-32bit 3.4.11-1.1
  * libOpenEXRCore-3_4-33-x86-64-v3 3.4.11-1.1
  * libOpenEXRUtil-3_4-33 3.4.11-1.1
  * libOpenEXRUtil-3_4-33-32bit 3.4.11-1.1
  * libOpenEXRUtil-3_4-33-x86-64-v3 3.4.11-1.1
  * openexr 3.4.11-1.1
  * openexr-devel 3.4.11-1.1
  * openexr-doc 3.4.11-1.1

## References:

* https://www.suse.com/security/cve/CVE-2026-41142.html
* https://www.suse.com/security/cve/CVE-2026-42216.html
* https://www.suse.com/security/cve/CVE-2026-42217.html



openSUSE-SU-2026:10769-1: moderate: flux2-cli-2.8.7-1.1 on GA media


# flux2-cli-2.8.7-1.1 on GA media

Announcement ID: openSUSE-SU-2026:10769-1
Rating: moderate

Cross-References:

* CVE-2026-45022

Affected Products:

* openSUSE Tumbleweed

An update that solves one vulnerability can now be installed.

## Description:

These are all security issues fixed in the flux2-cli-2.8.7-1.1 package on the GA media of openSUSE Tumbleweed.

## Package List:

* openSUSE Tumbleweed:
  * flux2-cli 2.8.7-1.1
  * flux2-cli-bash-completion 2.8.7-1.1
  * flux2-cli-fish-completion 2.8.7-1.1
  * flux2-cli-zsh-completion 2.8.7-1.1

## References:

* https://www.suse.com/security/cve/CVE-2026-45022.html



openSUSE-SU-2026:10770-1: moderate: glibc-2.43-3.1 on GA media


# glibc-2.43-3.1 on GA media

Announcement ID: openSUSE-SU-2026:10770-1
Rating: moderate

Cross-References:

* CVE-2026-5450
* CVE-2026-5928

CVSS scores:

* CVE-2026-5450 ( SUSE ): 5.9 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
* CVE-2026-5450 ( SUSE ): 5.1 CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N
* CVE-2026-5928 ( SUSE ): 5.7 CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:H
* CVE-2026-5928 ( SUSE ): 5.9 CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:H/SC:N/SI:N/SA:N

Affected Products:

* openSUSE Tumbleweed

An update that solves 2 vulnerabilities can now be installed.

## Description:

These are all security issues fixed in the glibc-2.43-3.1 package on the GA media of openSUSE Tumbleweed.

## Package List:

* openSUSE Tumbleweed:
  * glibc 2.43-3.1
  * glibc-devel 2.43-3.1
  * glibc-devel-static 2.43-3.1
  * glibc-extra 2.43-3.1
  * glibc-gconv-modules-extra 2.43-3.1
  * glibc-html 2.43-3.1
  * glibc-i18ndata 2.43-3.1
  * glibc-info 2.43-3.1
  * glibc-lang 2.43-3.1
  * glibc-locale 2.43-3.1
  * glibc-locale-base 2.43-3.1
  * glibc-profile 2.43-3.1

## References:

* https://www.suse.com/security/cve/CVE-2026-5450.html
* https://www.suse.com/security/cve/CVE-2026-5928.html



openSUSE-SU-2026:10768-1: moderate: ffmpeg-7-7.1.3-3.1 on GA media


# ffmpeg-7-7.1.3-3.1 on GA media

Announcement ID: openSUSE-SU-2026:10768-1
Rating: moderate

Cross-References:

* CVE-2026-40962

CVSS scores:

* CVE-2026-40962 ( SUSE ): 4.9 CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L
* CVE-2026-40962 ( SUSE ): 2.1 CVSS:4.0/AV:L/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N

Affected Products:

* openSUSE Tumbleweed

An update that solves one vulnerability can now be installed.

## Description:

These are all security issues fixed in the ffmpeg-7-7.1.3-3.1 package on the GA media of openSUSE Tumbleweed.

## Package List:

* openSUSE Tumbleweed:
  * ffmpeg-7 7.1.3-3.1
  * ffmpeg-7-libavcodec-devel 7.1.3-3.1
  * ffmpeg-7-libavdevice-devel 7.1.3-3.1
  * ffmpeg-7-libavfilter-devel 7.1.3-3.1
  * ffmpeg-7-libavformat-devel 7.1.3-3.1
  * ffmpeg-7-libavutil-devel 7.1.3-3.1
  * ffmpeg-7-libpostproc-devel 7.1.3-3.1
  * ffmpeg-7-libswresample-devel 7.1.3-3.1
  * ffmpeg-7-libswscale-devel 7.1.3-3.1
  * libavcodec61 7.1.3-3.1
  * libavdevice61 7.1.3-3.1
  * libavfilter10 7.1.3-3.1
  * libavformat61 7.1.3-3.1
  * libavutil59 7.1.3-3.1
  * libpostproc58 7.1.3-3.1
  * libswresample5 7.1.3-3.1
  * libswscale8 7.1.3-3.1

## References:

* https://www.suse.com/security/cve/CVE-2026-40962.html



openSUSE-SU-2026:10773-1: moderate: perl-CryptX-0.89.0-1.1 on GA media


# perl-CryptX-0.89.0-1.1 on GA media

Announcement ID: openSUSE-SU-2026:10773-1
Rating: moderate

Cross-References:

* CVE-2026-41564

Affected Products:

* openSUSE Tumbleweed

An update that solves one vulnerability can now be installed.

## Description:

These are all security issues fixed in the perl-CryptX-0.89.0-1.1 package on the GA media of openSUSE Tumbleweed.

## Package List:

* openSUSE Tumbleweed:
  * perl-CryptX 0.89.0-1.1

## References:

* https://www.suse.com/security/cve/CVE-2026-41564.html



openSUSE-SU-2026:0167-1: moderate: Security update for gosec


openSUSE Security Update: Security update for gosec
_______________________________

Announcement ID: openSUSE-SU-2026:0167-1
Rating: moderate
References:
Cross-References: CVE-2025-22891
Affected Products:
openSUSE Backports SLE-15-SP7
_______________________________

An update that fixes one vulnerability is now available.

Description:

This update for gosec fixes the following issues:

- Update to version 2.26.1:
* Update cosign to v3.0.6 (#1659)
* Sync taint rule docs and add missing CWE mappings for G113/G307 (#1658)
* Update all dependencies (#1657)
* Add G710 rule for open redirect via taint analysis (#1654)
* Fix formatting
* Update the default models used by autofix and phase out the older models
* Format and clean-up the README
* Add HTTP file-serving function to the skins of pathtraversal analyzer
(#1647)
* Skip flagging the TLS min version for go 1.18+ (#1646)
* chore(deps): bump go.opentelemetry.io/otel from 1.39.0 to 1.41.0
(#1645)
* Added filepath.Abs as a sanitizer (#1643)
* Allow rune to byte conversion (#1642)
* Allow platform specific conversions (#1641)
* chore(deps): update all dependencies (#1639)
* chore(deps): update all dependencies (#1634)
* chore(go): update supported Go versions to 1.25.9 and 1.26.2 (#1633)
* Fix: Bump go-version: 1.25.8 to 1.25.9 in ci (#1632)
* fix(taint): gate *http.Request auto-taint on entry-point detection
(#1630)
* chore(deps): update all dependencies (#1631)
* Added a visited cycle-detection guard in the *ssa.Phi case (#1626)
* chore(deps): update all dependencies (#1625)
* fix(G706): scope slog sinks to msg arg only to prevent false positives
on structured attributes (#1623)
* Gate the AI security review by the security-review environment (#1621)
* Fix anthropic autofix after dependencies update (#1620)
* chore(deps): update all dependencies (#1619)
* chore(action): bump gosec to 2.25.0 (#1618)

- Update to version 2.25.0:
* chore(deps): bump google.golang.org/grpc from 1.75.0 to 1.79.3 (#1617)
* fix: allow barry action to access secrets on fork PRs (#1616)
* fix: reduce G117 false positives for custom marshalers and transformed
values (#1614) (#1615)
* Add barry security scanner as a step in the CI (#1612)
* chore(deps): update all dependencies (#1611)
* fix: prevent taint analysis hang on packages with many CHA call graph
edges (#1608) (#1610)
* Add some skills for claude code to automate some tasks (#1609)
* Add G701-G706 rule-to-CWE mappings and CWE-117, CWE-918 entries (#1606)
* fix: skip SSA analysis on ill-typed packages to prevent panic (#1607)
* Port G120 from SSA-based to taint analysis (fixes #1600, #1603) (#1605)
* fix(G118): eliminate false positive for package-level cancel variables
(#1602)
* feat: add G124 rule for insecure HTTP cookie configuration (#1599)
* feat: add G709 rule for unsafe deserialization of untrusted data
(#1598)
* feat: add G708 rule for server-side template injection via
text/template (#1597)
* fix(G118): eliminate false positive when cancel is called via struct
field in a closure (#1596)
* Fix infinite recursion in interprocedural taint analysis (#1594)
* Fix G118 false positive when cancel is stored in returned struct field
(#1593)
* Fix G118 false positive on cancel called inside goroutine closure
(#1592)
* fix(analyzer): per-package rule instantiation eliminates concurrent
map crash (#1589)
* chore(deps): update all dependencies (#1588)
* fix(G118): treat returned cancel func as called (fixes #1584) (#1585)
* chore(go): update supported Go versions to 1.25.8 and 1.26.1 (#1583)
* Update the README with the correct version of the Github action for
gosec (#1582)
* chore(deps): update all dependencies (#1579)
* Fix G115 false positives for guarded int64-to-byte conversions (#1578)
* Update the container image migration notice (#1576)
* chore(action): bump gosec to 2.24.7 (#1575)

- Update to version 2.24.7:
* Ignore nosec comments in action integration workflow to generate some
warnings (#1573)
* Add a workflow for action integration test (#1571)
* fix(sarif): avoid invalid null relationships in SARIF output (#1569)
* chore: migrate gosec container image references to GHCR (#1567)
* Update gorelease to use the latest cosign bundle argument (#1565)
* Migrate goreleaser to use the proper cosign arguments (#1564)
* Update the cosign to version v3.0.5 (#1563)
* fix(release): use existing cosign-installer action version (#1562)
* chore(prompts): add skill and prompt to update supported Go versions
(#1561)
* chore(prompts): add action version update skill and prompt (#1560)
* fix(analyzers): avoid SSA dependency cycle blowups in issue #1555
paths (#1559)
* Add a SKILL and PROMPT for fixing a GitHub issue (#1558)
* Add a SKILL and PROMPT for generating rules with AI (#1557)
* fix(G120): prevent hang-like analysis blowup in wrapper protection
checks (#1556)
* fix(G705): eliminate false positive when guard type cannot be resolved
(#1554)
* Remove gcmurphy from funding list
* Extend the release workflow to push the container images also to GHCR
* Update to gosec to v2.24.0 in the action and fix the docker image
signing (#1552)

- Update to version 2.24.0:
* fix: G704 false positive on const URL (#1551)
* fix(G705): eliminate false positive for non-HTTP io.Writer (#1550)
* G120: avoid false positive when MaxBytesReader is applied in
middleware (#1547)
* Fix G602 regression coverage for issue #1545 and stabilize G117 TOML
test dependency (#1546)
* taint: skip `context.Context` arguments during taint propagation to
fix false positives (#1543)
* test: add missing rules to formatter report tests (#1540)
* chore(deps): update all dependencies (#1541)
* Regenerate the TLS config rule (#1539)
* Improve documentation (#1538)
* Expand analyzer-core test coverage for orchestration, go/analysis
adapter logic, and taint integration (#1537)
* Add unit tests for CLI orchestration, TLS config generation, and SSA
cache behavior (#1536)
* Add G707 taint analyzer for SMTP command/header injection (#1535)
* Add G123 analyzer for tls.VerifyPeerCertificate resumption bypass risk
(#1534)
* Add G122 SSA analyzer for filepath.Walk/WalkDir symlink TOCTOU race
risks (#1532)
* fix(G602): avoid false positives for range-over-array indexing (#1531)
* Improve taint analyzer performance with shared SSA cache, parallel
analyzer execution, and CI regression guard (#1530)
* fix: taint analysis false positives with G703,G705 (#1522)
* Extend the G117 rule to cover other types of serialization such as
yaml/xml/toml (#1529)
* Fix the G117 rule to take the JSON serialization into account (#1528)
* (docs) fix justification format (#1524)
* Add G121 analyzer for unsafe CORS bypass patterns in
CrossOriginProtection (#1521)
* Add G120 SSA analyzer for unbounded form parsing in HTTP handlers
(#1520)
* Add G119 analyzer for unsafe redirect header propagation in
CheckRedirect callbacks (#1519)
* Fix G115 false positives and negatives (Issue #1501) (#1518)
* chore(deps): update all dependencies (#1517)
* Add G118 SSA analyzer for context propagation failures that can cause
goroutine/resource leaks (#1516)
* Add G113: Detect HTTP Request Smuggling via conflicting headers
(CVE-2025-22891, CWE-444) (#1515)
* Add G408: SSH PublicKeyCallback Authentication Bypass Analyzer (#1513)
* Add more unit tests to improve coverage (#1512)
* Improve test coverage in various areas (#1511)
* Improve the test coverage (#1510)
* Fix incorrect detection of fixed iv in G407 (#1509)
* Add support for go 1.26.x and removed support for go 1.24.x (#1508)
* Fix the sonar report to follow the latest schema (#1507)
* fix: broken taint analysis causing false positives (#1506)
* fix: panic on float constants in overflow analyzer (#1505)
* fix: panic when scanning multi-module repos from root (#1504)
* fix: G602 false positive for array element access (#1499)
* Update gosec to version v2.23.0 in the Github action (#1496)

- Update to version 2.23.0:
* feat: Support for adding taint analysis engine (#1486)
* chore(deps): update all dependencies (#1494)
* chore(deps): update all dependencies (#1494)
* chore(deps): update all dependencies (#1488)
* Fix G602 analyzer panic that kills gosec process (#1491)
* update go version to 1.25.7 (#1492)
* Fix URL regexp and remove redundant Google regex patterns (#1485)
* feat: implement global cache usage in rules (#1480)
* chore(deps): update module google.golang.org/genai to v1.43.0 (#1484)
* refactor: optimize nosec parsing and reduce allocations (#1478)
* Fix SARIF artifactChanges null validation error (#1483)
* feat: optimize GetCallInfo with per-package sync.Pool caching (#1481)
* feat: implement entropy pre-filtering to optimize secret detection
(#1479)
* feat: ensure GoVersion is cached using sync.Once (#1477)
* Fix #1240: nosec comments now work with trailing open brackets (#1475)
* Debug Build Profiling Support: Code improvement suggestions for
PR#1471 (#1476)
* Update the go version to 1.25.6 and 1.24.12 (#1474)
* G115: Enhance RangeAnalyzer with constant propagation and chained
arithmetic support (#1470)
* chore(deps): update all dependencies (#1473)
* feat: support path-based rule exclusions via exclude-rules (#1465)
* Optimize analyzer with parallel package processing (#1466)
* feat: add goanalysis package for nogo (#1449)
* Refactor Analyzers: Unify Range Logic & Optimize Allocations (#1464)
* Optimize G115, G602, G407 analyzers to reduce allocations and memory
(#1463)
* refactor(g115): improve coverage (#1462)
* Refine G407 to improve detection and coverage of hardcoded nonces
(#1460)
* chore(deps): update all dependencies (#1461)
* Refactor rules to use callListRule base structure (#1458)
* feat(slice): enhance slice bounds analysis with dynamic bounds
handling (#1457)
* remove deprecated ast.Object (#1455)
* feat(sql): enhance SQL injection detection with improved string
concatenation checks (#1454)
* feat(rules): enhance subprocess variable checks (#1453)
* feat(resolve): enhance TryResolve to handle KeyValueExpr, IndexExpr,
and SliceExpr (#1452)
* feat: add secrets serialization G117 (#1451)
* feat(rules): add support for detecting high entropy strings in
composite literals (#1447)
* whitelist crypto/rand Read from error checks (#1446)
* chore(deps): update all dependencies (#1443)
* Improve slice bound check (#1442)
* docs: add documentation for using gosec with private modules (#1441)
* chore(deps): update all dependencies (#1440)
* docs: add G116 rule description to README (#1439)
* Update GitHub action to gosec 2.22.11 (#1438)

- Update to version 2.22.11:
* feature: add rule for trojan source (#1431)
* feat(ai): add OpenAI and custom API provider support (#1424)
* chore: Migrate from gopkg.in/yaml.v3 to go.yaml.in/yaml/v3 (#1437)
* chore(deps): update module google.golang.org/genai to v1.37.0 (#1435)
* refactor: simplify report functions in main.go (#1434)
* Update go to 1.25.5 and 1.24.11 in CI (#1433)
* chore(deps): update all dependencies (#1425)
* feat(ai): add support for latest Claude models and update provider
flags (#1423)
* Bump golang.org/x/crypto from 0.43.0 to 0.45.0 (#1427)
* chore(deps): update module golang.org/x/crypto to v0.45.0 [security]
(#1428)
* fix: correct schema with temporary placeholder (#1418)
* perf: skip SSA analysis if no analyzers are loaded (#1419)
* test: add sarif validation (#1417)
* chore(deps): update all dependencies (#1421)
* Update go to version 1.25.4 and 1.24.10 in CI (#1415)
* fix: build tag parsing. (#1413)
* chore(deps): update all dependencies (#1411)
* chore(deps): update all dependencies (#1409)
* chore(deps): update all dependencies (#1408)
* Update gosec to version v2.22.10 in the github action (#1405)

- Update to version 2.22.10:
* Update go to version 1.25.3 and 1.24.9 in CI (#1404)
* chore(deps): update all dependencies (#1402)
* Update go to version 1.25.2 and 2.24.8 in CI (#1401)
* chore(deps): update all dependencies (#1399)
* check nil slices, partially check bounds (#1396)
* Remove unused target from the makefile
* Use the ginkgo command installed by the dependencies
* Keep the go module at 1.24 version for compatibility reasons
* Remove manual test deps
* fix: text must be supplied when markdown is used
* fix: improve error message of CheckAnalyzers
* fix: log panic on SSA
* chore(deps): update all dependencies
* Update gosec to version v.22.9 in the github action

- Update to version 2.22.9:
* Update cosign to v2.6.0 and go in the CI to latest version
* fix(autofix): unnecessary conversion
* feat(autofix): update gemini sdk and add anthropic claude
* feat(G304): add os.Root remediation hint (Autofix) when Go >= 1.24
* chore(deps): update all dependencies
* refactor(G304): remove unused trackJoin helper; no functional change
* style: gofmt rules/readfile.go
* test(g304): add samples for var perm and var flag with cleaned path
  - Ensure G304 does not fire when only non-path args (flag/perm) are
    variables
  - Both samples use filepath.Clean on the path arg
  - Rules suite remains green (42 passed)
* rules(G304): analyze only path arg; ignore flag/perm vars; track Clean
and safe Join; fix nil-context panic
  - Limit G304 checks to first arg (path) for os.Open/OpenFile/ReadFile,
    avoiding false positives when flag/perm are variables
  - Track filepath.Clean so cleaned identifiers are treated as safe
  - Consider safe joins:
    filepath.Join(const|resolvedBase, Clean(var)|cleanedIdent)
  - Record Join(...) assigned to identifiers and allow if later cleaned
  - Fix panic by passing non-nil context in trackJoinAssignStmt
  - All rules tests: 42 passed
* rules(G202): detect SQL concat in ValueSpec declarations; add test
sample
  - Handle var query string = 'SELECT ...' + user style declarations
  - Reuse existing binary expr detection on ValueSpec.Values
  - Add postgres sample mirroring issue #1309 report
  - Rules tests: 42 passed
* chore(deps): update all dependencies
* chore(deps): update all dependencies
* chore(deps): update all dependencies
* Update gosec version to v2.22.8 in the Github action

- Update to version 2.22.8:
* Add support for go version 1.25.0
* Update go version in CI to 1.24.6 and 1.23.12
* chore(deps): update all dependencies
* chore(deps): update all dependencies
* Update github action to release v2.22.7

- Update to version 2.22.7:
* Fix crash in hardcoded_nonce analyzer
* Update go action to use release v2.22.6
* Update go version to 1.24.5 and 1.23.11 in the CI
* chore(deps): update module google.golang.org/api to v0.242.0
* chore(deps): update all dependencies
* chore(deps): update all dependencies
* chore(deps): update all dependencies
* chore(deps): update all dependencies
* Do not allow dashes in file names
* Update gosec to version 2.22.5 in Github action

- Update to version 2.22.5:
* Switch back go.mod to minimum 1.23.0
* Update dependencies
* Update go version 1.24.4 and 1.23.10 in CI
* chore(deps): update all dependencies
* G201/G202: add checks for injection into sql.Conn methods
* chore(deps): update module google.golang.org/api to v0.235.0
* chore(deps): update module google.golang.org/api to v0.234.0
* chore(deps): update module google.golang.org/api to v0.233.0
* chore(deps): update module google.golang.org/api to v0.232.0

- Switch vendor from gz to xz for consistency

- Switch from version to revision in _service

Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- openSUSE Backports SLE-15-SP7:

zypper in -t patch openSUSE-2026-167=1

Package List:

- openSUSE Backports SLE-15-SP7 (aarch64 i586 ppc64le s390x x86_64):

gosec-2.26.1-bp157.2.6.1

References:

https://www.suse.com/security/cve/CVE-2025-22891.html



SUSE-SU-2026:1872-1: moderate: Security update for firewalld


# Security update for firewalld

Announcement ID: SUSE-SU-2026:1872-1
Release Date: 2026-05-15T15:22:47Z
Rating: moderate
References:

* bsc#1260903

Cross-References:

* CVE-2026-4948

CVSS scores:

* CVE-2026-4948 ( SUSE ): 6.8 CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N
* CVE-2026-4948 ( SUSE ): 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
* CVE-2026-4948 ( NVD ): 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

Affected Products:

* Basesystem Module 15-SP7
* Desktop Applications Module 15-SP7
* Development Tools Module 15-SP7
* openSUSE Leap 15.6
* Python 3 Module 15-SP7
* SUSE Linux Enterprise Desktop 15 SP7
* SUSE Linux Enterprise Real Time 15 SP7
* SUSE Linux Enterprise Server 15 SP7
* SUSE Linux Enterprise Server for SAP Applications 15 SP7

An update that solves one vulnerability can now be installed.

## Description:

This update for firewalld fixes the following issue:

* CVE-2026-4948: local unprivileged users can modify the runtime firewall
state without proper authentication due to D-Bus setter mis-authorizations
(bsc#1260903).

## Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like
YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

* openSUSE Leap 15.6
zypper in -t patch SUSE-2026-1872=1

* Basesystem Module 15-SP7
zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP7-2026-1872=1

* Desktop Applications Module 15-SP7
zypper in -t patch SUSE-SLE-Module-Desktop-Applications-15-SP7-2026-1872=1

* Development Tools Module 15-SP7
zypper in -t patch SUSE-SLE-Module-Development-Tools-15-SP7-2026-1872=1

* Python 3 Module 15-SP7
zypper in -t patch SUSE-SLE-Module-Python3-15-SP7-2026-1872=1

## Package List:

* openSUSE Leap 15.6 (noarch)
  * firewall-macros-2.0.1-150600.3.15.1
  * firewalld-test-2.0.1-150600.3.15.1
  * python3-firewall-2.0.1-150600.3.15.1
  * python311-firewall-2.0.1-150600.3.15.1
  * firewalld-lang-2.0.1-150600.3.15.1
  * firewalld-2.0.1-150600.3.15.1
  * firewall-config-2.0.1-150600.3.15.1
  * firewalld-zsh-completion-2.0.1-150600.3.15.1
  * firewall-applet-2.0.1-150600.3.15.1
  * firewalld-bash-completion-2.0.1-150600.3.15.1
* Basesystem Module 15-SP7 (noarch)
  * python3-firewall-2.0.1-150600.3.15.1
  * firewalld-lang-2.0.1-150600.3.15.1
  * firewalld-2.0.1-150600.3.15.1
  * firewalld-zsh-completion-2.0.1-150600.3.15.1
  * firewalld-bash-completion-2.0.1-150600.3.15.1
* Desktop Applications Module 15-SP7 (noarch)
  * firewall-applet-2.0.1-150600.3.15.1
  * firewall-config-2.0.1-150600.3.15.1
* Development Tools Module 15-SP7 (noarch)
  * firewall-macros-2.0.1-150600.3.15.1
* Python 3 Module 15-SP7 (noarch)
  * python311-firewall-2.0.1-150600.3.15.1

## References:

* https://www.suse.com/security/cve/CVE-2026-4948.html
* https://bugzilla.suse.com/show_bug.cgi?id=1260903



SUSE-SU-2026:1871-1: moderate: Security update for openvswitch


# Security update for openvswitch

Announcement ID: SUSE-SU-2026:1871-1
Release Date: 2026-05-15T15:22:14Z
Rating: moderate
References:

* bsc#1261273

Cross-References:

* CVE-2026-34956

CVSS scores:

* CVE-2026-34956 ( SUSE ): 8.2 CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
* CVE-2026-34956 ( SUSE ): 5.9 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
* CVE-2026-34956 ( NVD ): 5.9 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

Affected Products:

* openSUSE Leap 15.4

An update that solves one vulnerability can now be installed.

## Description:

This update for openvswitch fixes the following issue:

* CVE-2026-34956: Invalid memory access in conntrack FTP alg (bsc#1261273).

## Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like
YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

* openSUSE Leap 15.4
zypper in -t patch SUSE-2026-1871=1

## Package List:

* openSUSE Leap 15.4 (aarch64 ppc64le s390x x86_64 i586)
  * libopenvswitch-2_14-0-debuginfo-2.14.2-150400.24.32.1
  * openvswitch-debugsource-2.14.2-150400.24.32.1
  * openvswitch-pki-2.14.2-150400.24.32.1
  * libovn-20_06-0-20.06.2-150400.24.32.1
  * ovn-vtep-debuginfo-20.06.2-150400.24.32.1
  * python3-ovs-2.14.2-150400.24.32.1
  * ovn-vtep-20.06.2-150400.24.32.1
  * libovn-20_06-0-debuginfo-20.06.2-150400.24.32.1
  * ovn-docker-20.06.2-150400.24.32.1
  * ovn-20.06.2-150400.24.32.1
  * openvswitch-test-debuginfo-2.14.2-150400.24.32.1
  * ovn-central-20.06.2-150400.24.32.1
  * openvswitch-2.14.2-150400.24.32.1
  * openvswitch-vtep-debuginfo-2.14.2-150400.24.32.1
  * openvswitch-vtep-2.14.2-150400.24.32.1
  * ovn-host-debuginfo-20.06.2-150400.24.32.1
  * ovn-central-debuginfo-20.06.2-150400.24.32.1
  * ovn-host-20.06.2-150400.24.32.1
  * openvswitch-test-2.14.2-150400.24.32.1
  * openvswitch-ipsec-2.14.2-150400.24.32.1
  * libopenvswitch-2_14-0-2.14.2-150400.24.32.1
  * ovn-debuginfo-20.06.2-150400.24.32.1
  * openvswitch-debuginfo-2.14.2-150400.24.32.1
  * ovn-devel-20.06.2-150400.24.32.1
  * openvswitch-devel-2.14.2-150400.24.32.1
* openSUSE Leap 15.4 (noarch)
  * openvswitch-doc-2.14.2-150400.24.32.1
  * ovn-doc-20.06.2-150400.24.32.1

## References:

* https://www.suse.com/security/cve/CVE-2026-34956.html
* https://bugzilla.suse.com/show_bug.cgi?id=1261273



SUSE-SU-2026:1873-1: important: Security update for the Linux Kernel (Live Patch 12 for SUSE Linux Enterprise 15 SP7)


# Security update for the Linux Kernel (Live Patch 12 for SUSE Linux Enterprise 15 SP7)

Announcement ID: SUSE-SU-2026:1873-1
Release Date: 2026-05-15T15:36:21Z
Rating: important
References:

* bsc#1264459

Cross-References:

* CVE-2026-43284

CVSS scores:

* CVE-2026-43284 ( SUSE ): 8.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
* CVE-2026-43284 ( NVD ): 7.8 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
* CVE-2026-43284 ( NVD ): 8.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Affected Products:

* openSUSE Leap 15.4
* SUSE Linux Enterprise High Performance Computing 15 SP4
* SUSE Linux Enterprise Live Patching 15-SP4
* SUSE Linux Enterprise Live Patching 15-SP7
* SUSE Linux Enterprise Micro 5.3
* SUSE Linux Enterprise Micro 5.4
* SUSE Linux Enterprise Real Time 15 SP4
* SUSE Linux Enterprise Real Time 15 SP7
* SUSE Linux Enterprise Server 15 SP4
* SUSE Linux Enterprise Server 15 SP7
* SUSE Linux Enterprise Server for SAP Applications 15 SP4
* SUSE Linux Enterprise Server for SAP Applications 15 SP7

An update that solves one vulnerability can now be installed.

## Description:

This update for the SUSE Linux Enterprise Kernel 6.4.0-53.40 fixes one security
issue.

The following security issue was fixed:

* CVE-2026-43284: xfrm: esp: avoid in-place decrypt on shared skb frags
(bsc#1264459).

## Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like
YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

* openSUSE Leap 15.4
zypper in -t patch SUSE-2026-1873=1

* SUSE Linux Enterprise Live Patching 15-SP4
zypper in -t patch SUSE-SLE-Module-Live-Patching-15-SP4-2026-1873=1

* SUSE Linux Enterprise Live Patching 15-SP7
zypper in -t patch SUSE-SLE-Module-Live-Patching-15-SP7-2026-1874=1

## Package List:

* openSUSE Leap 15.4 (ppc64le s390x x86_64)
  * kernel-livepatch-5_14_21-150400_24_205-default-debuginfo-2-150400.2.1
  * kernel-livepatch-5_14_21-150400_24_205-default-2-150400.2.1
  * kernel-livepatch-SLE15-SP4_Update_51-debugsource-2-150400.2.1
* SUSE Linux Enterprise Live Patching 15-SP4 (ppc64le s390x x86_64)
  * kernel-livepatch-5_14_21-150400_24_205-default-debuginfo-2-150400.2.1
  * kernel-livepatch-5_14_21-150400_24_205-default-2-150400.2.1
  * kernel-livepatch-SLE15-SP4_Update_51-debugsource-2-150400.2.1
* SUSE Linux Enterprise Live Patching 15-SP7 (ppc64le s390x x86_64)
  * kernel-livepatch-SLE15-SP7_Update_12-debugsource-2-150700.2.1
  * kernel-livepatch-6_4_0-150700_53_40-default-debuginfo-2-150700.2.1
  * kernel-livepatch-6_4_0-150700_53_40-default-2-150700.2.1

## References:

* https://www.suse.com/security/cve/CVE-2026-43284.html
* https://bugzilla.suse.com/show_bug.cgi?id=1264459