
openSUSE has released several security updates: one for python310 that fixes six vulnerabilities, and one for python-aiohttp and python-Brotli that solves eight. An update for go1.25, rated critical, fixes two vulnerabilities, and a low-rated update for python-pip fixes one vulnerability in openSUSE Leap 16.0. The project has also issued a security update for micropython, which resolves two vulnerabilities and brings several other changes.

openSUSE-SU-2026:10200-1: moderate: python310-3.10.19-4.1 on GA media
openSUSE-SU-2026:20204-1: important: Security update for python-aiohttp, python-Brotli
openSUSE-SU-2026:20214-1: critical: Security update for go1.25
openSUSE-SU-2026:20202-1: low: Security update for python-pip
openSUSE-SU-2026:0050-1: Security update for micropython




openSUSE-SU-2026:10200-1: moderate: python310-3.10.19-4.1 on GA media


# python310-3.10.19-4.1 on GA media

Announcement ID: openSUSE-SU-2026:10200-1
Rating: moderate

Cross-References:

* CVE-2025-11468
* CVE-2025-15282
* CVE-2025-15366
* CVE-2025-15367
* CVE-2026-0672
* CVE-2026-0865

CVSS scores:

* CVE-2025-11468 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
* CVE-2025-11468 ( SUSE ): 7.1 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N
* CVE-2025-15282 ( SUSE ): 6.5 CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H
* CVE-2025-15282 ( SUSE ): 5.9 CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N
* CVE-2025-15366 ( SUSE ): 6.7 CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:H/A:H
* CVE-2025-15366 ( SUSE ): 6 CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:L/VI:H/VA:H/SC:N/SI:N/SA:N
* CVE-2025-15367 ( SUSE ): 6.7 CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:H/A:H
* CVE-2025-15367 ( SUSE ): 6 CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:L/VI:H/VA:H/SC:N/SI:N/SA:N
* CVE-2026-0672 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
* CVE-2026-0672 ( SUSE ): 8.7 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N
* CVE-2026-0865 ( SUSE ): 6.5 CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H
* CVE-2026-0865 ( SUSE ): 5.9 CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N

Affected Products:

* openSUSE Tumbleweed

An update that solves 6 vulnerabilities can now be installed.

## Description:

These are all security issues fixed in the python310-3.10.19-4.1 package on the GA media of openSUSE Tumbleweed.

## Package List:

* openSUSE Tumbleweed:
  * python310 3.10.19-4.1
  * python310-32bit 3.10.19-4.1
  * python310-curses 3.10.19-4.1
  * python310-dbm 3.10.19-4.1
  * python310-idle 3.10.19-4.1
  * python310-tk 3.10.19-4.1

## References:

* https://www.suse.com/security/cve/CVE-2025-11468.html
* https://www.suse.com/security/cve/CVE-2025-15282.html
* https://www.suse.com/security/cve/CVE-2025-15366.html
* https://www.suse.com/security/cve/CVE-2025-15367.html
* https://www.suse.com/security/cve/CVE-2026-0672.html
* https://www.suse.com/security/cve/CVE-2026-0865.html



openSUSE-SU-2026:20204-1: important: Security update for python-aiohttp, python-Brotli


openSUSE security update: security update for python-aiohttp, python-brotli
-------------------------------------------------------------

Announcement ID: openSUSE-SU-2026:20204-1
Rating: important
References:

* bsc#1246517
* bsc#1254867
* bsc#1256017
* bsc#1256018
* bsc#1256019
* bsc#1256020
* bsc#1256021
* bsc#1256022
* bsc#1256023

Cross-References:

* CVE-2025-53643
* CVE-2025-69223
* CVE-2025-69224
* CVE-2025-69225
* CVE-2025-69226
* CVE-2025-69227
* CVE-2025-69228
* CVE-2025-69229

CVSS scores:

* CVE-2025-53643 ( SUSE ): 3.7 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N
* CVE-2025-53643 ( SUSE ): 6.3 CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
* CVE-2025-69223 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
* CVE-2025-69223 ( SUSE ): 8.7 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
* CVE-2025-69224 ( SUSE ): 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
* CVE-2025-69224 ( SUSE ): 6.3 CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
* CVE-2025-69225 ( SUSE ): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
* CVE-2025-69225 ( SUSE ): 6.9 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
* CVE-2025-69226 ( SUSE ): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
* CVE-2025-69226 ( SUSE ): 6.3 CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
* CVE-2025-69227 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
* CVE-2025-69227 ( SUSE ): 8.7 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
* CVE-2025-69228 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
* CVE-2025-69228 ( SUSE ): 8.7 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
* CVE-2025-69229 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
* CVE-2025-69229 ( SUSE ): 8.7 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Affected Products:

openSUSE Leap 16.0

-------------------------------------------------------------

An update that solves 8 vulnerabilities and has 9 bug fixes can now be installed.

Description:

This update for python-aiohttp, python-Brotli fixes the following issues:

Changes in python-aiohttp:

- CVE-2025-69228: Fixed denial of service through large payloads (bsc#1256022).
- CVE-2025-69226: Fixed brute-force leak of internal static file path components (bsc#1256020).
- CVE-2025-69224: Fixed Unicode processing of header values that could cause parsing discrepancies (bsc#1256018).
- CVE-2025-69223: Fixed aiohttp HTTP parser auto_decompress feature being susceptible to zip bombs (bsc#1256017).
- CVE-2025-69227: Fixed DoS when bypassing asserts (bsc#1256021).
- CVE-2025-69225: Fixed unicode match groups in regexes for ASCII protocol elements (bsc#1256019).
- CVE-2025-69229: Fixed DoS through chunked messages (bsc#1256023).
- CVE-2025-53643: Fixed request smuggling due to incorrect parsing of chunked trailer section (bsc#1246517).

Changes in python-Brotli:

- Add max length decompression (bsc#1254867, bsc#1256017).

Patch instructions:

To install this openSUSE security update, use the SUSE-recommended installation methods like YaST online_update or "zypper patch".
Alternatively, you can run the command listed for your product:

- openSUSE Leap 16.0

zypper in -t patch openSUSE-Leap-16.0-259=1

Package List:

- openSUSE Leap 16.0:

python313-Brotli-1.1.0-160000.3.1
python313-aiohttp-3.11.16-160000.3.1

References:

* https://www.suse.com/security/cve/CVE-2025-53643.html
* https://www.suse.com/security/cve/CVE-2025-69223.html
* https://www.suse.com/security/cve/CVE-2025-69224.html
* https://www.suse.com/security/cve/CVE-2025-69225.html
* https://www.suse.com/security/cve/CVE-2025-69226.html
* https://www.suse.com/security/cve/CVE-2025-69227.html
* https://www.suse.com/security/cve/CVE-2025-69228.html
* https://www.suse.com/security/cve/CVE-2025-69229.html



openSUSE-SU-2026:20214-1: critical: Security update for go1.25


openSUSE security update: security update for go1.25
-------------------------------------------------------------

Announcement ID: openSUSE-SU-2026:20214-1
Rating: critical
References:

* bsc#1244485
* bsc#1256818
* bsc#1257692

Cross-References:

* CVE-2025-61732
* CVE-2025-68121

CVSS scores:

* CVE-2025-61732 ( SUSE ): 9.6 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
* CVE-2025-61732 ( SUSE ): 9.4 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
* CVE-2025-68121 ( SUSE ): 7.4 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
* CVE-2025-68121 ( SUSE ): 7.6 CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

Affected Products:

openSUSE Leap 16.0

-------------------------------------------------------------

An update that solves 2 vulnerabilities and has 3 bug fixes can now be installed.

Description:

This update for go1.25 fixes the following issues:

Update to version 1.25.7.

Security issues fixed:

- CVE-2025-61732: cmd/go: discrepancy between Go and C/C++ comment parsing allows for C code smuggling (bsc#1257692).
- CVE-2025-68121: crypto/tls: Config.Clone copies automatically generated session ticket keys, session resumption does not account for the expiration of full certificate chain (bsc#1256818).

Other updates and bugfixes:

- version update to 1.25.7:

* go#75844 cmd/compile: OOM killed on linux/arm64
* go#77323 crypto/x509: single-label excluded DNS name constraints incorrectly match all wildcard SANs
* go#77425 crypto/tls: CL 737700 broke session resumption on macOS

Patch instructions:

To install this openSUSE security update, use the SUSE-recommended installation methods like YaST online_update or "zypper patch".
Alternatively, you can run the command listed for your product:

- openSUSE Leap 16.0

zypper in -t patch openSUSE-Leap-16.0-269=1

Package List:

- openSUSE Leap 16.0:

go1.25-1.25.7-160000.1.1
go1.25-doc-1.25.7-160000.1.1
go1.25-libstd-1.25.7-160000.1.1
go1.25-race-1.25.7-160000.1.1

References:

* https://www.suse.com/security/cve/CVE-2025-61732.html
* https://www.suse.com/security/cve/CVE-2025-68121.html



openSUSE-SU-2026:20202-1: low: Security update for python-pip


openSUSE security update: security update for python-pip
-------------------------------------------------------------

Announcement ID: openSUSE-SU-2026:20202-1
Rating: low
References:

* bsc#1257599

Cross-References:

* CVE-2026-1703

CVSS scores:

* CVE-2026-1703 ( SUSE ): 3.1 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N
* CVE-2026-1703 ( SUSE ): 2.1 CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

Affected Products:

openSUSE Leap 16.0

-------------------------------------------------------------

An update that solves one vulnerability and has one bug fix can now be installed.

Description:

This update for python-pip fixes the following issues:

- CVE-2026-1703: files may be extracted outside the installation directory when installing and extracting maliciously crafted wheel archives (bsc#1257599).

Patch instructions:

To install this openSUSE security update, use the SUSE-recommended installation methods like YaST online_update or "zypper patch".
Alternatively, you can run the command listed for your product:

- openSUSE Leap 16.0

zypper in -t patch openSUSE-Leap-16.0-256=1

Package List:

- openSUSE Leap 16.0:

python313-pip-25.0.1-160000.3.1
python313-pip-wheel-25.0.1-160000.3.1

References:

* https://www.suse.com/security/cve/CVE-2026-1703.html



openSUSE-SU-2026:0050-1: Security update for micropython


openSUSE Security Update: Security update for micropython
_______________________________

Announcement ID: openSUSE-SU-2026:0050-1
Rating: low
References: #1257803
Cross-References: CVE-2025-59438 CVE-2026-1998
CVSS scores:
CVE-2025-59438 (SUSE): 5.7 CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Affected Products:
openSUSE Backports SLE-15-SP7
_______________________________

An update that fixes two vulnerabilities is now available.

Description:

This update for micropython fixes the following issues:

- CVE-2026-1998: Fixed a segmentation fault in 'mp_map_lookup' via 'mp_import_all' (boo#1257803)

- Version 1.26.1
* esp32: update esp_tinyusb component to v1.7.6
* tools: add an environment variable MICROPY_MAINTAINER_BUILD
* esp32: add IDF Component Lockfiles to git repo
* shared/tinyusb: fix hang from new tx_overwritabe_if_not_connected flag
* shared/tinyusb/mp_usbd_cdc: rewrite USB CDC TX loop
* tools/mpremote: don't apply Espressif DTR/RTS quirk to TinyUSB CDC dev

- Fix building on single core systems
* Skip tests/thread/stress_schedule.py when single core system detected

- Build with mbedtls-3.6.5 instead of bundled 3.6.2 to fix CVE-2025-59438

- Version 1.26.0
* Added machine.I2CTarget for creating I2C target devices on multiple ports.
* New MCU support: STM32N6xx (800 MHz, ML accel) and ESP32-C2 (WiFi + BLE).
* Major float accuracy boost (~28% to ~98%), constant folding in compiler.
* Optimized native/Viper emitters; reduced heap use for slices.
* Time functions standardized (1970-2099); new boards across ESP32, SAMD, STM32, Zephyr.
* ESP32: ESP-IDF 5.4.2, flash auto-detect, PCNT class, LAN8670 PHY.
* RP2: compressed errors, better lightsleep, hard IRQ timers.
* Zephyr v4.0.0: PWM, SoftI2C/SPI, BLE runtime services, boot.py/main.py support.
* mpremote adds fs tree, improved df, portable config paths.
* Updated lwIP, LittleFS, libhydrogen, stm32lib; expanded hardware/CI tests.

Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- openSUSE Backports SLE-15-SP7:

zypper in -t patch openSUSE-2026-50=1

Package List:

- openSUSE Backports SLE-15-SP7 (aarch64 x86_64):

micropython-1.26.1-bp157.5.1
mpy-tools-1.26.1-bp157.5.1

- openSUSE Backports SLE-15-SP7 (noarch):

mpremote-1.26.1-bp157.5.1

References:

https://www.suse.com/security/cve/CVE-2025-59438.html
https://www.suse.com/security/cve/CVE-2026-1998.html
https://bugzilla.suse.com/1257803