openSUSE-SU-2026:0115-1: critical: Security update for osslsigncode
openSUSE-SU-2026:0117-1: important: Security update for keybase-client
openSUSE-SU-2026:0116-1: critical: Security update for osslsigncode
openSUSE-SU-2026:10482-1: moderate: osslsigncode-2.13-1.1 on GA media
openSUSE-SU-2026:10481-1: moderate: python314-3.14.3-4.1 on GA media
openSUSE-SU-2026:10480-1: moderate: python313-3.13.12-3.1 on GA media
openSUSE-SU-2026:0115-1: critical: Security update for osslsigncode
openSUSE Security Update: Security update for osslsigncode
_______________________________
Announcement ID: openSUSE-SU-2026:0115-1
Rating: critical
References: #1260680
Cross-References: CVE-2025-70888
Affected Products:
openSUSE Backports SLE-15-SP6
_______________________________
An update that fixes one vulnerability is now available.
Description:
This update for osslsigncode fixes the following issues:
- Update to 2.13 (boo#1260680, CVE-2025-70888):
* fixed integer overflows when processing APPX compressed data streams
* fixed double-free vulnerabilities in APPX file processing
* fixed multiple memory corruption issues in PE page hash computation
- Changes from 2.12:
* fixed a buffer overflow while extracting message digests
- Changes from 2.11:
* added keyUsage validation for signer certificate
* added printing CRL details during signature verification
* implemented a workaround for CRL servers returning the HTTP
Content-Type header other than application/pkix-crl
* fixed HTTP keep-alive handling
* fixed macOS compiler and linker flags
* fixed undefined BIO_get_fp() behavior with BIO_FLAGS_UPLINK_INTERNAL
- update to 2.10:
* added JavaScript signing
* added PKCS#11 provider support (requires OpenSSL 3.0+)
* added support for providers without specifying "-pkcs11module" option
* (OpenSSL 3.0+, e.g., for the upcoming CNG provider)
* added compatibility with the CNG engine version 1.1 or later
* added the "-engineCtrl" option to control hardware and CNG engines
* added the '-blobFile' option to specify a file containing the blob
content
* improved unauthenticated blob support (thanks to Asger Hautop Drewsen)
* improved UTF-8 handling for certificate subjects and issuers
* fixed support for multiple signerInfo contentType OIDs (CTL and
Authenticode)
* fixed tests for python-cryptography >= 43.0.0
- update to version 2.9:
* added a 64 bit long pseudo-random NONCE in the TSA request
* missing NID_pkcs9_signingTime is no longer an error
* added support for PEM-encoded CRLs
* fixed the APPX central directory sorting order
* added a special "-" file name to read the passphrase from stdin
* used native HTTP client with OpenSSL 3.x, removing libcurl dependency
* added '-login' option to force a login to PKCS11 engines
* added the "-ignore-crl" option to disable fetching and verifying CRL
Distribution Points
* changed error output to stderr instead of stdout
* various testing framework improvements
* various memory corruption fixes
- update to version 2.8:
* Microsoft PowerShell signing sponsored by Cisco Systems, Inc.
* fixed setting unauthenticated attributes (Countersignature,
Unauthenticated
* Data Blob) in a nested signature
* added the "-index" option to verify a specific signature or modify its
unauthenticated attributes
* added CAT file verification
* added listing the contents of a CAT file with the "-verbose"
option
* added the new "extract-data" command to extract a PKCS#7 data content
to be signed with "sign" and attached with "attach-signature"
* added PKCS9_SEQUENCE_NUMBER authenticated attribute support
* added the "-ignore-cdp" option to disable CRL Distribution Points
(CDP) online verification
* unsuccessful CRL retrieval and verification changed into a critical
error the "-p" option modified to also use to configured proxy to
connect CRL Distribution Points
* added implicit allowlisting of the Microsoft Root Authority serial
number 00C1008B3C3C8811D13EF663ECDF40
* added listing of certificate chain retrieved from the signature in
case of verification failure
- update to 2.7.0
* fixed signing CAB files (by Michael Brown)
* fixed handling of unsupported commands (by Maxim Bagryantsev)
* fixed writing DIFAT sectors
* added APPX support (by Maciej Panek and Ma??gorzata Olsz??wka)
* added a built-in TSA response generation (-TSA-certs, -TSA-key and
-TSA-time options)
* added verification of CRLs specified in the signing certificate
* added MSI DIFAT sectors support (by Max Bagryantsev)
* added the "-h" option to set the cryptographic hash function for the
"attach -signature" and "add" commands
* set the default hash function to "sha256"
* added the "attach-signature" option to compute and compare the leaf
certificate hash for the "add" command
* renamed the "-st" option "-time"
* updated the "-time" option to also set explicit verification time
* added the "-ignore-timestamp" option
* removed the "-timestamp-expiration" option
* numerous bugfixes
* documentation updates
Patch Instructions:
To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
- openSUSE Backports SLE-15-SP6:
zypper in -t patch openSUSE-2026-115=1
Package List:
- openSUSE Backports SLE-15-SP6 (aarch64 i586 ppc64le s390x x86_64):
osslsigncode-2.13-bp156.2.3.1
References:
https://www.suse.com/security/cve/CVE-2025-70888.html
https://bugzilla.suse.com/1260680
openSUSE-SU-2026:0117-1: important: Security update for keybase-client
openSUSE Security Update: Security update for keybase-client
_______________________________
Announcement ID: openSUSE-SU-2026:0117-1
Rating: important
References: #1253563 #1253864 #1254023
Cross-References: CVE-2025-47913 CVE-2025-47914 CVE-2025-58181
CVSS scores:
CVE-2025-47913 (SUSE): 8.7 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
CVE-2025-47914 (SUSE): 6.9 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
CVE-2025-58181 (SUSE): 6.9 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
Affected Products:
openSUSE Backports SLE-15-SP6
openSUSE Backports SLE-15-SP7
_______________________________
An update that fixes three vulnerabilities is now available.
Description:
This update for keybase-client fixes the following issues:
- CVE-2025-47914: golang.org/x/crypto/ssh/agent: non validated message
size can cause a panic due to an out of bounds read (boo#1254023)
- CVE-2025-47913: golang.org/x/crypto/ssh/agent: client process
termination when receiving an unexpected message type in response to a
key listing or signing request (boo#1253563)
- CVE-2025-58181: golang.org/x/crypto/ssh: invalidated number of
mechanisms can cause unbounded memory consumption (boo#1253864)
Patch Instructions:
To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
- openSUSE Backports SLE-15-SP7:
zypper in -t patch openSUSE-2026-117=1
- openSUSE Backports SLE-15-SP6:
zypper in -t patch openSUSE-2026-117=1
Package List:
- openSUSE Backports SLE-15-SP7 (aarch64 i586 ppc64le s390x x86_64):
kbfs-6.2.8-bp157.2.3.15
kbfs-debuginfo-6.2.8-bp157.2.3.15
kbfs-git-6.2.8-bp157.2.3.15
kbfs-git-debuginfo-6.2.8-bp157.2.3.15
kbfs-tool-6.2.8-bp157.2.3.15
kbfs-tool-debuginfo-6.2.8-bp157.2.3.15
keybase-client-6.2.8-bp157.2.3.15
keybase-client-debuginfo-6.2.8-bp157.2.3.15
- openSUSE Backports SLE-15-SP6 (aarch64 i586 ppc64le s390x x86_64):
kbfs-6.2.8-bp156.2.9.16
kbfs-git-6.2.8-bp156.2.9.16
kbfs-tool-6.2.8-bp156.2.9.16
keybase-client-6.2.8-bp156.2.9.16
References:
https://www.suse.com/security/cve/CVE-2025-47913.html
https://www.suse.com/security/cve/CVE-2025-47914.html
https://www.suse.com/security/cve/CVE-2025-58181.html
https://bugzilla.suse.com/1253563
https://bugzilla.suse.com/1253864
https://bugzilla.suse.com/1254023
openSUSE-SU-2026:0116-1: critical: Security update for osslsigncode
openSUSE Security Update: Security update for osslsigncode
_______________________________
Announcement ID: openSUSE-SU-2026:0116-1
Rating: critical
References: #1260680
Cross-References: CVE-2025-70888
Affected Products:
openSUSE Backports SLE-15-SP7
_______________________________
An update that fixes one vulnerability is now available.
Description:
This update for osslsigncode fixes the following issues:
- Update to 2.13 (boo#1260680, CVE-2025-70888):
* fixed integer overflows when processing APPX compressed data streams
* fixed double-free vulnerabilities in APPX file processing
* fixed multiple memory corruption issues in PE page hash computation
- Changes from 2.12:
* fixed a buffer overflow while extracting message digests
- Changes from 2.11:
* added keyUsage validation for signer certificate
* added printing CRL details during signature verification
* implemented a workaround for CRL servers returning the HTTP
Content-Type header other than application/pkix-crl
* fixed HTTP keep-alive handling
* fixed macOS compiler and linker flags
* fixed undefined BIO_get_fp() behavior with BIO_FLAGS_UPLINK_INTERNAL
- update to 2.10:
* added JavaScript signing
* added PKCS#11 provider support (requires OpenSSL 3.0+)
* added support for providers without specifying "-pkcs11module" option
* (OpenSSL 3.0+, e.g., for the upcoming CNG provider)
* added compatibility with the CNG engine version 1.1 or later
* added the "-engineCtrl" option to control hardware and CNG engines
* added the '-blobFile' option to specify a file containing the blob
content
* improved unauthenticated blob support (thanks to Asger Hautop Drewsen)
* improved UTF-8 handling for certificate subjects and issuers
* fixed support for multiple signerInfo contentType OIDs (CTL and
Authenticode)
* fixed tests for python-cryptography >= 43.0.0
- update to version 2.9:
* added a 64 bit long pseudo-random NONCE in the TSA request
* missing NID_pkcs9_signingTime is no longer an error
* added support for PEM-encoded CRLs
* fixed the APPX central directory sorting order
* added a special "-" file name to read the passphrase from stdin
* used native HTTP client with OpenSSL 3.x, removing libcurl dependency
* added '-login' option to force a login to PKCS11 engines
* added the "-ignore-crl" option to disable fetching and verifying CRL
Distribution Points
* changed error output to stderr instead of stdout
* various testing framework improvements
* various memory corruption fixes
- update to version 2.8:
* Microsoft PowerShell signing sponsored by Cisco Systems, Inc.
* fixed setting unauthenticated attributes (Countersignature,
Unauthenticated
* Data Blob) in a nested signature
* added the "-index" option to verify a specific signature or modify its
unauthenticated attributes
* added CAT file verification
* added listing the contents of a CAT file with the "-verbose"
option
* added the new "extract-data" command to extract a PKCS#7 data content
to be signed with "sign" and attached with "attach-signature"
* added PKCS9_SEQUENCE_NUMBER authenticated attribute support
* added the "-ignore-cdp" option to disable CRL Distribution Points
(CDP) online verification
* unsuccessful CRL retrieval and verification changed into a critical
error the "-p" option modified to also use to configured proxy to
connect CRL Distribution Points
* added implicit allowlisting of the Microsoft Root Authority serial
number 00C1008B3C3C8811D13EF663ECDF40
* added listing of certificate chain retrieved from the signature in
case of verification failure
- update to 2.7.0
* fixed signing CAB files (by Michael Brown)
* fixed handling of unsupported commands (by Maxim Bagryantsev)
* fixed writing DIFAT sectors
* added APPX support (by Maciej Panek and Ma??gorzata Olsz??wka)
* added a built-in TSA response generation (-TSA-certs, -TSA-key and
-TSA-time options)
* added verification of CRLs specified in the signing certificate
* added MSI DIFAT sectors support (by Max Bagryantsev)
* added the "-h" option to set the cryptographic hash function for the
"attach -signature" and "add" commands
* set the default hash function to "sha256"
* added the "attach-signature" option to compute and compare the leaf
certificate hash for the "add" command
* renamed the "-st" option "-time"
* updated the "-time" option to also set explicit verification time
* added the "-ignore-timestamp" option
* removed the "-timestamp-expiration" option
* numerous bugfixes
* documentation updates
Patch Instructions:
To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
- openSUSE Backports SLE-15-SP7:
zypper in -t patch openSUSE-2026-116=1
Package List:
- openSUSE Backports SLE-15-SP7 (aarch64 i586 ppc64le s390x x86_64):
osslsigncode-2.13-bp157.2.3.1
References:
https://www.suse.com/security/cve/CVE-2025-70888.html
https://bugzilla.suse.com/1260680
openSUSE-SU-2026:10482-1: moderate: osslsigncode-2.13-1.1 on GA media
# osslsigncode-2.13-1.1 on GA media
Announcement ID: openSUSE-SU-2026:10482-1
Rating: moderate
Cross-References:
* CVE-2025-70888
Affected Products:
* openSUSE Tumbleweed
An update that solves one vulnerability can now be installed.
## Description:
These are all security issues fixed in the osslsigncode-2.13-1.1 package on the GA media of openSUSE Tumbleweed.
## Package List:
* openSUSE Tumbleweed:
* osslsigncode 2.13-1.1
## References:
* https://www.suse.com/security/cve/CVE-2025-70888.html
openSUSE-SU-2026:10481-1: moderate: python314-3.14.3-4.1 on GA media
# python314-3.14.3-4.1 on GA media
Announcement ID: openSUSE-SU-2026:10481-1
Rating: moderate
Cross-References:
* CVE-2025-13462
* CVE-2026-3644
* CVE-2026-4224
* CVE-2026-4519
CVSS scores:
* CVE-2025-13462 ( SUSE ): 2.5 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N
* CVE-2025-13462 ( SUSE ): 2 CVSS:4.0/AV:L/AC:H/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
* CVE-2026-3644 ( SUSE ): 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
* CVE-2026-3644 ( SUSE ): 6.3 CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
* CVE-2026-4224 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
* CVE-2026-4224 ( SUSE ): 8.2 CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
* CVE-2026-4519 ( SUSE ): 6.9 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:H/A:N
* CVE-2026-4519 ( SUSE ): 7.1 CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:H/VA:N/SC:L/SI:H/SA:N
Affected Products:
* openSUSE Tumbleweed
An update that solves 4 vulnerabilities can now be installed.
## Description:
These are all security issues fixed in the python314-3.14.3-4.1 package on the GA media of openSUSE Tumbleweed.
## Package List:
* openSUSE Tumbleweed:
* python314 3.14.3-4.1
* python314-32bit 3.14.3-4.1
* python314-curses 3.14.3-4.1
* python314-dbm 3.14.3-4.1
* python314-idle 3.14.3-4.1
* python314-tk 3.14.3-4.1
* python314-x86-64-v3 3.14.3-4.1
## References:
* https://www.suse.com/security/cve/CVE-2025-13462.html
* https://www.suse.com/security/cve/CVE-2026-3644.html
* https://www.suse.com/security/cve/CVE-2026-4224.html
* https://www.suse.com/security/cve/CVE-2026-4519.html
openSUSE-SU-2026:10480-1: moderate: python313-3.13.12-3.1 on GA media
# python313-3.13.12-3.1 on GA media
Announcement ID: openSUSE-SU-2026:10480-1
Rating: moderate
Cross-References:
* CVE-2025-13462
* CVE-2026-3644
* CVE-2026-4224
* CVE-2026-4519
CVSS scores:
* CVE-2025-13462 ( SUSE ): 2.5 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N
* CVE-2025-13462 ( SUSE ): 2 CVSS:4.0/AV:L/AC:H/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
* CVE-2026-3644 ( SUSE ): 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
* CVE-2026-3644 ( SUSE ): 6.3 CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
* CVE-2026-4224 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
* CVE-2026-4224 ( SUSE ): 8.2 CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
* CVE-2026-4519 ( SUSE ): 6.9 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:H/A:N
* CVE-2026-4519 ( SUSE ): 7.1 CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:H/VA:N/SC:L/SI:H/SA:N
Affected Products:
* openSUSE Tumbleweed
An update that solves 4 vulnerabilities can now be installed.
## Description:
These are all security issues fixed in the python313-3.13.12-3.1 package on the GA media of openSUSE Tumbleweed.
## Package List:
* openSUSE Tumbleweed:
* python313 3.13.12-3.1
* python313-32bit 3.13.12-3.1
* python313-curses 3.13.12-3.1
* python313-dbm 3.13.12-3.1
* python313-idle 3.13.12-3.1
* python313-tk 3.13.12-3.1
* python313-x86-64-v3 3.13.12-3.1
## References:
* https://www.suse.com/security/cve/CVE-2025-13462.html
* https://www.suse.com/security/cve/CVE-2026-3644.html
* https://www.suse.com/security/cve/CVE-2026-4224.html
* https://www.suse.com/security/cve/CVE-2026-4519.html
