
Multiple SUSE and openSUSE security advisories address 38 vulnerabilities across widely used packages like Python 3.11, Tornado, Thunderbird, OpenBabel, and Transmission. The patches target openSUSE Leap 15.4, Leap 16.0, Tumbleweed, and SUSE Linux Enterprise Server 15 SP4 through SP7, fixing issues ranging from flawed base64 decoding and unsafe symlink handling to cross-origin header forwarding and clickjacking risks.

SUSE-SU-2026:2723-1: moderate: Security update for python311
SUSE-SU-2026:2724-1: moderate: Security update for python-python-dotenv
openSUSE-SU-2026:21190-1: critical: Security update for openbabel
openSUSE-SU-2026:21189-1: moderate: Security update for transmission
openSUSE-SU-2026:11162-1: moderate: trivy-0.71.2-2.1 on GA media
openSUSE-SU-2026:11167-1: moderate: kubectl-cnpg-1.29.2-1.1 on GA media
openSUSE-SU-2026:11170-1: moderate: python311-python-engineio-4.13.3-1.1 on GA media
openSUSE-SU-2026:11169-1: moderate: python3-onionshare-2.6.4-1.1 on GA media
openSUSE-SU-2026:11165-1: moderate: alloy-1.17.1-1.1 on GA media
openSUSE-SU-2026:11164-1: moderate: MozillaThunderbird-140.12.1-1.1 on GA media
openSUSE-SU-2026:11168-1: moderate: perl-CGI-Session-4.490.0-1.1 on GA media
openSUSE-SU-2026:11163-1: moderate: libxreaderdocument3-4.6.5-1.1 on GA media
openSUSE-SU-2026:11166-1: moderate: c3p0-0.14.1-1.1 on GA media
SUSE-SU-2026:2725-1: important: Security update for python-tornado6




SUSE-SU-2026:2723-1: moderate: Security update for python311


# Security update for python311

Announcement ID: SUSE-SU-2026:2723-1
Release Date: 2026-07-01T18:09:22Z
Rating: moderate
References:

* bsc#1258364
* bsc#1261970

Cross-References:

* CVE-2026-3446

CVSS scores:

* CVE-2026-3446 ( SUSE ): 6.0 CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N
* CVE-2026-3446 ( SUSE ): 5.3 CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N
* CVE-2026-3446 ( NVD ): 6.0 CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Affected Products:

* openSUSE Leap 15.4
* Public Cloud Module 15-SP4
* SUSE Linux Enterprise High Performance Computing 15 SP4
* SUSE Linux Enterprise Server 15 SP4
* SUSE Linux Enterprise Server for SAP Applications 15 SP4
* SUSE Manager Proxy 4.3
* SUSE Manager Retail Branch Server 4.3
* SUSE Manager Server 4.3

An update that solves one vulnerability and has one security fix can now be
installed.

## Description:

This update for python311 fixes the following issues:

Security issues fixed:

* CVE-2026-3446: base64 decoding stops at first padded quad by default and
ignores other information that could be processed (bsc#1261970).

Other updates and bugfixes:

* Rewrite structure of Python interpreter packages. `python3*` symbols should
  now be provided by the real `python3` packages and their subpackages instead
  of the virtual provides (bsc#1258364).

## Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like
YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

* Public Cloud Module 15-SP4
  `zypper in -t patch SUSE-SLE-Module-Public-Cloud-15-SP4-2026-2723=1`

* openSUSE Leap 15.4
  `zypper in -t patch SUSE-2026-2723=1`

## Package List:

* openSUSE Leap 15.4 (aarch64 i586 ppc64le s390x x86_64)
  * python311-core-debugsource-3.11.15-150400.9.88.1
  * python311-testsuite-3.11.15-150400.9.88.1
  * python311-curses-debuginfo-3.11.15-150400.9.88.1
  * python311-doc-devhelp-3.11.15-150400.9.88.1
  * python311-dbm-3.11.15-150400.9.88.1
  * python311-testsuite-debuginfo-3.11.15-150400.9.88.1
  * python311-idle-3.11.15-150400.9.88.1
  * python311-debugsource-3.11.15-150400.9.88.1
  * python311-tools-3.11.15-150400.9.88.1
  * libpython3_11-1_0-3.11.15-150400.9.88.1
  * python311-base-3.11.15-150400.9.88.1
  * python311-doc-3.11.15-150400.9.88.1
  * python311-curses-3.11.15-150400.9.88.1
  * python311-devel-3.11.15-150400.9.88.1
  * libpython3_11-1_0-debuginfo-3.11.15-150400.9.88.1
  * python311-3.11.15-150400.9.88.1
  * python311-tk-debuginfo-3.11.15-150400.9.88.1
  * python311-tk-3.11.15-150400.9.88.1
  * python311-dbm-debuginfo-3.11.15-150400.9.88.1
  * python311-debuginfo-3.11.15-150400.9.88.1
  * python311-base-debuginfo-3.11.15-150400.9.88.1
* openSUSE Leap 15.4 (x86_64)
  * libpython3_11-1_0-32bit-debuginfo-3.11.15-150400.9.88.1
  * python311-32bit-debuginfo-3.11.15-150400.9.88.1
  * python311-base-32bit-debuginfo-3.11.15-150400.9.88.1
  * python311-32bit-3.11.15-150400.9.88.1
  * libpython3_11-1_0-32bit-3.11.15-150400.9.88.1
  * python311-base-32bit-3.11.15-150400.9.88.1
* openSUSE Leap 15.4 (aarch64_ilp32)
  * libpython3_11-1_0-64bit-debuginfo-3.11.15-150400.9.88.1
  * python311-base-64bit-debuginfo-3.11.15-150400.9.88.1
  * python311-64bit-3.11.15-150400.9.88.1
  * libpython3_11-1_0-64bit-3.11.15-150400.9.88.1
  * python311-64bit-debuginfo-3.11.15-150400.9.88.1
  * python311-base-64bit-3.11.15-150400.9.88.1
* Public Cloud Module 15-SP4 (aarch64 ppc64le s390x x86_64)
  * python311-base-3.11.15-150400.9.88.1
  * python311-3.11.15-150400.9.88.1
  * libpython3_11-1_0-3.11.15-150400.9.88.1

## References:

* https://www.suse.com/security/cve/CVE-2026-3446.html
* https://bugzilla.suse.com/show_bug.cgi?id=1258364
* https://bugzilla.suse.com/show_bug.cgi?id=1261970



SUSE-SU-2026:2724-1: moderate: Security update for python-python-dotenv


# Security update for python-python-dotenv

Announcement ID: SUSE-SU-2026:2724-1
Release Date: 2026-07-01T18:09:54Z
Rating: moderate
References:

* bsc#1262423

Cross-References:

* CVE-2026-28684

CVSS scores:

* CVE-2026-28684 ( SUSE ): 5.2 CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:A/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N
* CVE-2026-28684 ( SUSE ): 6.6 CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:H
* CVE-2026-28684 ( NVD ): 6.6 CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:H

Affected Products:

* openSUSE Leap 15.4
* Python 3 Module 15-SP7
* SUSE Linux Enterprise Desktop 15 SP7
* SUSE Linux Enterprise Server 15 SP7
* SUSE Linux Enterprise Server for SAP Applications 15 SP7

An update that solves one vulnerability can now be installed.

## Description:

This update for python-python-dotenv fixes the following issue:

* CVE-2026-28684: follow symbolic links when rewriting `.env` files
(bsc#1262423)

## Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like
YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

* Python 3 Module 15-SP7
  `zypper in -t patch SUSE-SLE-Module-Python3-15-SP7-2026-2724=1`

* openSUSE Leap 15.4
  `zypper in -t patch SUSE-2026-2724=1`

## Package List:

* Python 3 Module 15-SP7 (noarch)
  * python311-python-dotenv-1.0.0-150400.9.6.1
* openSUSE Leap 15.4 (noarch)
  * python311-python-dotenv-1.0.0-150400.9.6.1

## References:

* https://www.suse.com/security/cve/CVE-2026-28684.html
* https://bugzilla.suse.com/show_bug.cgi?id=1262423



openSUSE-SU-2026:21190-1: critical: Security update for openbabel


openSUSE security update: security update for openbabel
-------------------------------------------------------------

Announcement ID: openSUSE-SU-2026:21190-1
Rating: critical
References:

* bsc#1217676
* bsc#1258501
* bsc#1258507
* bsc#1259041

Cross-References:

* CVE-2022-37331
* CVE-2022-41793
* CVE-2022-42885
* CVE-2022-43467
* CVE-2022-43607
* CVE-2022-44451
* CVE-2022-46280
* CVE-2022-46289
* CVE-2022-46290
* CVE-2022-46291
* CVE-2022-46292
* CVE-2022-46294
* CVE-2022-46295
* CVE-2025-10994
* CVE-2025-10995
* CVE-2025-10996
* CVE-2025-10997
* CVE-2025-10998
* CVE-2025-10999
* CVE-2025-11000
* CVE-2026-2704
* CVE-2026-2705
* CVE-2026-3408

CVSS scores:

* CVE-2025-10994 ( SUSE ): 5.3 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
* CVE-2025-10995 ( SUSE ): 5.3 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
* CVE-2025-10996 ( SUSE ): 5.3 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
* CVE-2025-10997 ( SUSE ): 5.3 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
* CVE-2025-10998 ( SUSE ): 3.3 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
* CVE-2025-10999 ( SUSE ): 3.3 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L

Affected Products:

openSUSE Leap 16.0

-------------------------------------------------------------

An update that solves 23 vulnerabilities and has 4 bug fixes can now be installed.

Description:

This update for openbabel fixes the following issues:

Changes in openbabel:

- Update to version 3.2.0:
  * Add an L-BFGS optimizer, used by default for gen3d and
    conformer searches
  * New macrocycle ring builder (Dale codes) for better initial
    3D geometry of large rings
  * Add KET (Ketcher JSON) and ChemicalJSON (.cjson) format
    support
  * Drop Python 2 support; Python 3.13 supported
  * Faster, vectorized distance-geometry implementation
  * Full CMake 4 compatibility and modernized build
  * Backwards compatible with 3.0 and 3.1
  * Fix many crash and memory-safety bugs found via OSS-Fuzz
    and TALOS, including the following security issues:
    CVE-2022-37331 (boo#1217676), CVE-2022-41793, CVE-2022-42885,
    CVE-2022-43467, CVE-2022-43607, CVE-2022-44451,
    CVE-2022-46280, CVE-2022-46289, CVE-2022-46290,
    CVE-2022-46291, CVE-2022-46292, CVE-2022-46294,
    CVE-2022-46295, CVE-2025-10994, CVE-2025-10995,
    CVE-2025-10996, CVE-2025-10997, CVE-2025-10998,
    CVE-2025-10999, CVE-2025-11000,
    CVE-2026-2704 (boo#1258501), CVE-2026-2705 (boo#1258507) and
    CVE-2026-3408 (boo#1259041)

Patch instructions:

To install this openSUSE security update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

- openSUSE Leap 16.0

zypper in -t patch openSUSE-Leap-16.0-packagehub-385=1

Package List:

- openSUSE Leap 16.0:

libopenbabel8-3.2.0-bp160.1.1
openbabel-3.2.0-bp160.1.1
openbabel-devel-3.2.0-bp160.1.1
openbabel-gui-3.2.0-bp160.1.1
python3-openbabel-3.2.0-bp160.1.1

References:

* https://www.suse.com/security/cve/CVE-2022-37331.html
* https://www.suse.com/security/cve/CVE-2022-41793.html
* https://www.suse.com/security/cve/CVE-2022-42885.html
* https://www.suse.com/security/cve/CVE-2022-43467.html
* https://www.suse.com/security/cve/CVE-2022-43607.html
* https://www.suse.com/security/cve/CVE-2022-44451.html
* https://www.suse.com/security/cve/CVE-2022-46280.html
* https://www.suse.com/security/cve/CVE-2022-46289.html
* https://www.suse.com/security/cve/CVE-2022-46290.html
* https://www.suse.com/security/cve/CVE-2022-46291.html
* https://www.suse.com/security/cve/CVE-2022-46292.html
* https://www.suse.com/security/cve/CVE-2022-46294.html
* https://www.suse.com/security/cve/CVE-2022-46295.html
* https://www.suse.com/security/cve/CVE-2025-10994.html
* https://www.suse.com/security/cve/CVE-2025-10995.html
* https://www.suse.com/security/cve/CVE-2025-10996.html
* https://www.suse.com/security/cve/CVE-2025-10997.html
* https://www.suse.com/security/cve/CVE-2025-10998.html
* https://www.suse.com/security/cve/CVE-2025-10999.html
* https://www.suse.com/security/cve/CVE-2025-11000.html
* https://www.suse.com/security/cve/CVE-2026-2704.html
* https://www.suse.com/security/cve/CVE-2026-2705.html
* https://www.suse.com/security/cve/CVE-2026-3408.html



openSUSE-SU-2026:21189-1: moderate: Security update for transmission


openSUSE security update: security update for transmission
-------------------------------------------------------------

Announcement ID: openSUSE-SU-2026:21189-1
Rating: moderate
References:

* bsc#1267404

Cross-References:

* CVE-2026-38978

Affected Products:

openSUSE Leap 16.0

-------------------------------------------------------------

An update that solves one vulnerability and has one bug fix can now be installed.

Description:

This update for transmission fixes the following issues:

Changes in transmission:

- CVE-2026-38978: add clickjack safeguards when serving http responses (bsc#1267404).

Patch instructions:

To install this openSUSE security update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

- openSUSE Leap 16.0

zypper in -t patch openSUSE-Leap-16.0-packagehub-384=1

Package List:

- openSUSE Leap 16.0:

system-user-transmission-4.0.6-bp160.2.1
transmission-4.0.6-bp160.2.1
transmission-common-4.0.6-bp160.2.1
transmission-daemon-4.0.6-bp160.2.1
transmission-gtk-4.0.6-bp160.2.1
transmission-gtk-lang-4.0.6-bp160.2.1
transmission-qt-4.0.6-bp160.2.1
transmission-qt-lang-4.0.6-bp160.2.1

References:

* https://www.suse.com/security/cve/CVE-2026-38978.html



openSUSE-SU-2026:11162-1: moderate: trivy-0.71.2-2.1 on GA media


# trivy-0.71.2-2.1 on GA media

Announcement ID: openSUSE-SU-2026:11162-1
Rating: moderate

Cross-References:

* CVE-2026-54448
* CVE-2026-55092

CVSS scores:

* CVE-2026-54448 ( SUSE ): 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
* CVE-2026-54448 ( SUSE ): 6.9 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
* CVE-2026-55092 ( SUSE ): 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
* CVE-2026-55092 ( SUSE ): 8.6 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Affected Products:

* openSUSE Tumbleweed

An update that solves 2 vulnerabilities can now be installed.

## Description:

These are all security issues fixed in the trivy-0.71.2-2.1 package on the GA media of openSUSE Tumbleweed.

## Package List:

* openSUSE Tumbleweed:
  * trivy 0.71.2-2.1

## References:

* https://www.suse.com/security/cve/CVE-2026-54448.html
* https://www.suse.com/security/cve/CVE-2026-55092.html



openSUSE-SU-2026:11167-1: moderate: kubectl-cnpg-1.29.2-1.1 on GA media


# kubectl-cnpg-1.29.2-1.1 on GA media

Announcement ID: openSUSE-SU-2026:11167-1
Rating: moderate

Cross-References:

* CVE-2018-1058
* CVE-2026-55765
* CVE-2026-55769

CVSS scores:

* CVE-2018-1058 ( SUSE ): 6.5 CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Affected Products:

* openSUSE Tumbleweed

An update that solves 3 vulnerabilities can now be installed.

## Description:

These are all security issues fixed in the kubectl-cnpg-1.29.2-1.1 package on the GA media of openSUSE Tumbleweed.

## Package List:

* openSUSE Tumbleweed:
  * kubectl-cnpg 1.29.2-1.1
  * kubectl-cnpg-bash-completion 1.29.2-1.1
  * kubectl-cnpg-fish-completion 1.29.2-1.1
  * kubectl-cnpg-zsh-completion 1.29.2-1.1

## References:

* https://www.suse.com/security/cve/CVE-2018-1058.html
* https://www.suse.com/security/cve/CVE-2026-55765.html
* https://www.suse.com/security/cve/CVE-2026-55769.html



openSUSE-SU-2026:11170-1: moderate: python311-python-engineio-4.13.3-1.1 on GA media


# python311-python-engineio-4.13.3-1.1 on GA media

Announcement ID: openSUSE-SU-2026:11170-1
Rating: moderate

Cross-References:

* CVE-2026-48809

CVSS scores:

* CVE-2026-48809 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
* CVE-2026-48809 ( SUSE ): 8.7 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Affected Products:

* openSUSE Tumbleweed

An update that solves one vulnerability can now be installed.

## Description:

These are all security issues fixed in the python311-python-engineio-4.13.3-1.1 package on the GA media of openSUSE Tumbleweed.

## Package List:

* openSUSE Tumbleweed:
  * python311-python-engineio 4.13.3-1.1
  * python313-python-engineio 4.13.3-1.1
  * python314-python-engineio 4.13.3-1.1

## References:

* https://www.suse.com/security/cve/CVE-2026-48809.html



openSUSE-SU-2026:11169-1: moderate: python3-onionshare-2.6.4-1.1 on GA media


# python3-onionshare-2.6.4-1.1 on GA media

Announcement ID: openSUSE-SU-2026:11169-1
Rating: moderate

Cross-References:

* CVE-2026-54706
* CVE-2026-54707

Affected Products:

* openSUSE Tumbleweed

An update that solves 2 vulnerabilities can now be installed.

## Description:

These are all security issues fixed in the python3-onionshare-2.6.4-1.1 package on the GA media of openSUSE Tumbleweed.

## Package List:

* openSUSE Tumbleweed:
  * python3-onionshare 2.6.4-1.1

## References:

* https://www.suse.com/security/cve/CVE-2026-54706.html
* https://www.suse.com/security/cve/CVE-2026-54707.html



openSUSE-SU-2026:11165-1: moderate: alloy-1.17.1-1.1 on GA media


# alloy-1.17.1-1.1 on GA media

Announcement ID: openSUSE-SU-2026:11165-1
Rating: moderate

Cross-References:

* CVE-2026-10722

CVSS scores:

* CVE-2026-10722 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
* CVE-2026-10722 ( SUSE ): 8.7 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Affected Products:

* openSUSE Tumbleweed

An update that solves one vulnerability can now be installed.

## Description:

These are all security issues fixed in the alloy-1.17.1-1.1 package on the GA media of openSUSE Tumbleweed.

## Package List:

* openSUSE Tumbleweed:
  * alloy 1.17.1-1.1

## References:

* https://www.suse.com/security/cve/CVE-2026-10722.html



openSUSE-SU-2026:11164-1: moderate: MozillaThunderbird-140.12.1-1.1 on GA media


# MozillaThunderbird-140.12.1-1.1 on GA media

Announcement ID: openSUSE-SU-2026:11164-1
Rating: moderate

Cross-References:

* CVE-2026-57962
* CVE-2026-57963

CVSS scores:

* CVE-2026-57962 ( SUSE ): 5.3 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:H
* CVE-2026-57963 ( SUSE ): 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

Affected Products:

* openSUSE Tumbleweed

An update that solves 2 vulnerabilities can now be installed.

## Description:

These are all security issues fixed in the MozillaThunderbird-140.12.1-1.1 package on the GA media of openSUSE Tumbleweed.

## Package List:

* openSUSE Tumbleweed:
  * MozillaThunderbird 140.12.1-1.1
  * MozillaThunderbird-openpgp-librnp 140.12.1-1.1
  * MozillaThunderbird-translations-common 140.12.1-1.1
  * MozillaThunderbird-translations-other 140.12.1-1.1

## References:

* https://www.suse.com/security/cve/CVE-2026-57962.html
* https://www.suse.com/security/cve/CVE-2026-57963.html



openSUSE-SU-2026:11168-1: moderate: perl-CGI-Session-4.490.0-1.1 on GA media


# perl-CGI-Session-4.490.0-1.1 on GA media

Announcement ID: openSUSE-SU-2026:11168-1
Rating: moderate

Cross-References:

* CVE-2026-56016

Affected Products:

* openSUSE Tumbleweed

An update that solves one vulnerability can now be installed.

## Description:

These are all security issues fixed in the perl-CGI-Session-4.490.0-1.1 package on the GA media of openSUSE Tumbleweed.

## Package List:

* openSUSE Tumbleweed:
  * perl-CGI-Session 4.490.0-1.1

## References:

* https://www.suse.com/security/cve/CVE-2026-56016.html



openSUSE-SU-2026:11163-1: moderate: libxreaderdocument3-4.6.5-1.1 on GA media


# libxreaderdocument3-4.6.5-1.1 on GA media

Announcement ID: openSUSE-SU-2026:11163-1
Rating: moderate

Cross-References:

* CVE-2026-46529

CVSS scores:

* CVE-2026-46529 ( SUSE ): 7 CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
* CVE-2026-46529 ( SUSE ): 7.5 CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Affected Products:

* openSUSE Tumbleweed

An update that solves one vulnerability can now be installed.

## Description:

These are all security issues fixed in the libxreaderdocument3-4.6.5-1.1 package on the GA media of openSUSE Tumbleweed.

## Package List:

* openSUSE Tumbleweed:
  * libxreaderdocument3 4.6.5-1.1
  * libxreaderview3 4.6.5-1.1
  * typelib-1_0-XreaderDocument-1_5 4.6.5-1.1
  * typelib-1_0-XreaderView-1_5 4.6.5-1.1
  * xreader 4.6.5-1.1
  * xreader-devel 4.6.5-1.1
  * xreader-lang 4.6.5-1.1
  * xreader-plugin-comicsdocument 4.6.5-1.1
  * xreader-plugin-djvudocument 4.6.5-1.1
  * xreader-plugin-dvidocument 4.6.5-1.1
  * xreader-plugin-pdfdocument 4.6.5-1.1
  * xreader-plugin-pixbufdocument 4.6.5-1.1
  * xreader-plugin-psdocument 4.6.5-1.1
  * xreader-plugin-tiffdocument 4.6.5-1.1
  * xreader-plugin-xpsdocument 4.6.5-1.1

## References:

* https://www.suse.com/security/cve/CVE-2026-46529.html



openSUSE-SU-2026:11166-1: moderate: c3p0-0.14.1-1.1 on GA media


# c3p0-0.14.1-1.1 on GA media

Announcement ID: openSUSE-SU-2026:11166-1
Rating: moderate

Cross-References:

* CVE-2026-55223

Affected Products:

* openSUSE Tumbleweed

An update that solves one vulnerability can now be installed.

## Description:

These are all security issues fixed in the c3p0-0.14.1-1.1 package on the GA media of openSUSE Tumbleweed.

## Package List:

* openSUSE Tumbleweed:
  * c3p0 0.14.1-1.1
  * c3p0-javadoc 0.14.1-1.1

## References:

* https://www.suse.com/security/cve/CVE-2026-55223.html



SUSE-SU-2026:2725-1: important: Security update for python-tornado6


# Security update for python-tornado6

Announcement ID: SUSE-SU-2026:2725-1
Release Date: 2026-07-02T13:52:50Z
Rating: important
References:

* bsc#1268395
* bsc#1268396
* bsc#1268397

Cross-References:

* CVE-2026-49853
* CVE-2026-49854
* CVE-2026-49855

CVSS scores:

* CVE-2026-49853 ( SUSE ): 7.4 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N
* CVE-2026-49854 ( SUSE ): 3.7 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
* CVE-2026-49855 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Affected Products:

* openSUSE Leap 15.4
* Python 3 Module 15-SP7
* SUSE Linux Enterprise Desktop 15 SP7
* SUSE Linux Enterprise High Performance Computing 15 SP4
* SUSE Linux Enterprise High Performance Computing 15 SP5
* SUSE Linux Enterprise High Performance Computing ESPOS 15 SP4
* SUSE Linux Enterprise High Performance Computing ESPOS 15 SP5
* SUSE Linux Enterprise High Performance Computing LTSS 15 SP4
* SUSE Linux Enterprise High Performance Computing LTSS 15 SP5
* SUSE Linux Enterprise Server 15 SP4
* SUSE Linux Enterprise Server 15 SP4 LTSS
* SUSE Linux Enterprise Server 15 SP5
* SUSE Linux Enterprise Server 15 SP5 LTSS
* SUSE Linux Enterprise Server 15 SP6
* SUSE Linux Enterprise Server 15 SP6 LTSS
* SUSE Linux Enterprise Server 15 SP7
* SUSE Linux Enterprise Server for SAP Applications 15 SP4
* SUSE Linux Enterprise Server for SAP Applications 15 SP5
* SUSE Linux Enterprise Server for SAP Applications 15 SP6
* SUSE Linux Enterprise Server for SAP Applications 15 SP7

An update that solves three vulnerabilities can now be installed.

## Description:

This update for python-tornado6 fixes the following issues:

* CVE-2026-49853: authorization header forwarded across cross-origin redirects
in SimpleAsyncHTTPClient (bsc#1268395).
* CVE-2026-49854: out-of-bounds memory access via C extension (bsc#1268396).
* CVE-2026-49855: AsyncHTTPClient accumulates decompressed chunks without size
limit (bsc#1268397).

## Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like
YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

* SUSE Linux Enterprise Server 15 SP5 LTSS
  `zypper in -t patch SUSE-SLE-Product-SLES-15-SP5-LTSS-2026-2725=1`

* SUSE Linux Enterprise Server 15 SP4 LTSS
  `zypper in -t patch SUSE-SLE-Product-SLES-15-SP4-LTSS-2026-2725=1`

* Python 3 Module 15-SP7
  `zypper in -t patch SUSE-SLE-Module-Python3-15-SP7-2026-2725=1`

* SUSE Linux Enterprise Server 15 SP6 LTSS
  `zypper in -t patch SUSE-SLE-Product-SLES-15-SP6-LTSS-2026-2725=1`

* openSUSE Leap 15.4
  `zypper in -t patch SUSE-2026-2725=1`

* SUSE Linux Enterprise High Performance Computing ESPOS 15 SP4
  `zypper in -t patch SUSE-SLE-Product-HPC-15-SP4-ESPOS-2026-2725=1`

* SUSE Linux Enterprise Server for SAP Applications 15 SP4
  `zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-SP4-2026-2725=1`

* SUSE Linux Enterprise High Performance Computing LTSS 15 SP4
  `zypper in -t patch SUSE-SLE-Product-HPC-15-SP4-LTSS-2026-2725=1`

* SUSE Linux Enterprise Server for SAP Applications 15 SP6
  `zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-SP6-2026-2725=1`

* SUSE Linux Enterprise High Performance Computing LTSS 15 SP5
  `zypper in -t patch SUSE-SLE-Product-HPC-15-SP5-LTSS-2026-2725=1`

* SUSE Linux Enterprise Server for SAP Applications 15 SP5
  `zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-SP5-2026-2725=1`

* SUSE Linux Enterprise High Performance Computing ESPOS 15 SP5
  `zypper in -t patch SUSE-SLE-Product-HPC-15-SP5-ESPOS-2026-2725=1`

## Package List:

* SUSE Linux Enterprise Server 15 SP5 LTSS (aarch64 ppc64le s390x x86_64)
  * python311-tornado6-debuginfo-6.3.2-150400.9.18.1
  * python-tornado6-debugsource-6.3.2-150400.9.18.1
  * python311-tornado6-6.3.2-150400.9.18.1
* SUSE Linux Enterprise High Performance Computing LTSS 15 SP4 (aarch64 x86_64)
  * python311-tornado6-debuginfo-6.3.2-150400.9.18.1
  * python-tornado6-debugsource-6.3.2-150400.9.18.1
  * python311-tornado6-6.3.2-150400.9.18.1
* SUSE Linux Enterprise Server for SAP Applications 15 SP4 (ppc64le x86_64)
  * python311-tornado6-debuginfo-6.3.2-150400.9.18.1
  * python-tornado6-debugsource-6.3.2-150400.9.18.1
  * python311-tornado6-6.3.2-150400.9.18.1
* openSUSE Leap 15.4 (aarch64 i586 ppc64le s390x x86_64)
  * python311-tornado6-debuginfo-6.3.2-150400.9.18.1
  * python-tornado6-debugsource-6.3.2-150400.9.18.1
  * python311-tornado6-6.3.2-150400.9.18.1
* SUSE Linux Enterprise Server for SAP Applications 15 SP5 (ppc64le x86_64)
  * python311-tornado6-debuginfo-6.3.2-150400.9.18.1
  * python-tornado6-debugsource-6.3.2-150400.9.18.1
  * python311-tornado6-6.3.2-150400.9.18.1
* SUSE Linux Enterprise High Performance Computing ESPOS 15 SP5 (aarch64 x86_64)
  * python311-tornado6-debuginfo-6.3.2-150400.9.18.1
  * python-tornado6-debugsource-6.3.2-150400.9.18.1
  * python311-tornado6-6.3.2-150400.9.18.1
* Python 3 Module 15-SP7 (aarch64 ppc64le s390x x86_64)
  * python311-tornado6-debuginfo-6.3.2-150400.9.18.1
  * python-tornado6-debugsource-6.3.2-150400.9.18.1
  * python311-tornado6-6.3.2-150400.9.18.1
* SUSE Linux Enterprise Server 15 SP4 LTSS (aarch64 ppc64le s390x x86_64)
  * python311-tornado6-debuginfo-6.3.2-150400.9.18.1
  * python-tornado6-debugsource-6.3.2-150400.9.18.1
  * python311-tornado6-6.3.2-150400.9.18.1
* SUSE Linux Enterprise Server for SAP Applications 15 SP6 (ppc64le x86_64)
  * python311-tornado6-debuginfo-6.3.2-150400.9.18.1
  * python-tornado6-debugsource-6.3.2-150400.9.18.1
  * python311-tornado6-6.3.2-150400.9.18.1
* SUSE Linux Enterprise High Performance Computing LTSS 15 SP5 (aarch64 x86_64)
  * python311-tornado6-debuginfo-6.3.2-150400.9.18.1
  * python-tornado6-debugsource-6.3.2-150400.9.18.1
  * python311-tornado6-6.3.2-150400.9.18.1
* SUSE Linux Enterprise Server 15 SP6 LTSS (aarch64 ppc64le s390x x86_64)
  * python311-tornado6-debuginfo-6.3.2-150400.9.18.1
  * python-tornado6-debugsource-6.3.2-150400.9.18.1
  * python311-tornado6-6.3.2-150400.9.18.1
* SUSE Linux Enterprise High Performance Computing ESPOS 15 SP4 (aarch64 x86_64)
  * python311-tornado6-debuginfo-6.3.2-150400.9.18.1
  * python-tornado6-debugsource-6.3.2-150400.9.18.1
  * python311-tornado6-6.3.2-150400.9.18.1

## References:

* https://www.suse.com/security/cve/CVE-2026-49853.html
* https://www.suse.com/security/cve/CVE-2026-49854.html
* https://www.suse.com/security/cve/CVE-2026-49855.html
* https://bugzilla.suse.com/show_bug.cgi?id=1268395
* https://bugzilla.suse.com/show_bug.cgi?id=1268396
* https://bugzilla.suse.com/show_bug.cgi?id=1268397