openSUSE-SU-2026:20046-1: important: Security update for MozillaThunderbird
openSUSE-SU-2026:20054-1: moderate: Security update for chromium
openSUSE-SU-2026:20043-1: moderate: Security update for erlang
openSUSE-SU-2026:20044-1: important: Security update for alloy
openSUSE-SU-2026:20039-1: important: Security update for bind
openSUSE-SU-2026:10057-1: moderate: chromedriver-144.0.7559.59-1.1 on GA media
openSUSE-SU-2026:20046-1: important: Security update for MozillaThunderbird
openSUSE security update: security update for mozillathunderbird
-------------------------------------------------------------
Announcement ID: openSUSE-SU-2026:20046-1
Rating: important
References:
* bsc#1254551
Cross-References:
* CVE-2025-14321
* CVE-2025-14322
* CVE-2025-14323
* CVE-2025-14324
* CVE-2025-14325
* CVE-2025-14328
* CVE-2025-14329
* CVE-2025-14330
* CVE-2025-14331
* CVE-2025-14333
CVSS scores:
* CVE-2025-14321 ( SUSE ): 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
* CVE-2025-14321 ( SUSE ): 8.6 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
* CVE-2025-14322 ( SUSE ): 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
* CVE-2025-14322 ( SUSE ): 8.6 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
* CVE-2025-14323 ( SUSE ): 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
* CVE-2025-14323 ( SUSE ): 8.6 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
* CVE-2025-14324 ( SUSE ): 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
* CVE-2025-14324 ( SUSE ): 8.6 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
* CVE-2025-14325 ( SUSE ): 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
* CVE-2025-14325 ( SUSE ): 8.6 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
* CVE-2025-14328 ( SUSE ): 6.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L
* CVE-2025-14328 ( SUSE ): 5.1 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N
* CVE-2025-14329 ( SUSE ): 6.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L
* CVE-2025-14329 ( SUSE ): 5.1 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N
* CVE-2025-14330 ( SUSE ): 6.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
* CVE-2025-14330 ( SUSE ): 5.1 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
* CVE-2025-14331 ( SUSE ): 5.4 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
* CVE-2025-14331 ( SUSE ): 5.1 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
* CVE-2025-14333 ( SUSE ): 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
* CVE-2025-14333 ( SUSE ): 8.6 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Affected Products:
openSUSE Leap 16.0
-------------------------------------------------------------
An update that solves 10 vulnerabilities and has one bug fix can now be installed.
Description:
This update for MozillaThunderbird fixes the following issues:
Changes in MozillaThunderbird:
- Mozilla Thunderbird 140.6.0 ESR
MFSA 2025-96 (bsc#1254551)
* CVE-2025-14321 (bmo#1992760)
Use-after-free in the WebRTC: Signaling component
* CVE-2025-14322 (bmo#1996473)
Sandbox escape due to incorrect boundary conditions in the
Graphics: CanvasWebGL component
* CVE-2025-14323 (bmo#1996555)
Privilege escalation in the DOM: Notifications component
* CVE-2025-14324 (bmo#1996840)
JIT miscompilation in the JavaScript Engine: JIT component
* CVE-2025-14325 (bmo#1998050)
JIT miscompilation in the JavaScript Engine: JIT component
* CVE-2025-14328 (bmo#1996761)
Privilege escalation in the Netmonitor component
* CVE-2025-14329 (bmo#1997018)
Privilege escalation in the Netmonitor component
* CVE-2025-14330 (bmo#1997503)
JIT miscompilation in the JavaScript Engine: JIT component
* CVE-2025-14331 (bmo#2000218)
Same-origin policy bypass in the Request Handling component
* CVE-2025-14333 (bmo#1966501, bmo#1997639)
Memory safety bugs fixed in Firefox ESR 140.6, Thunderbird
ESR 140.6, Firefox 146 and Thunderbird 146
Patch instructions:
To install this openSUSE security update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
- openSUSE Leap 16.0
zypper in -t patch openSUSE-Leap-16.0-packagehub-72=1
Package List:
- openSUSE Leap 16.0:
MozillaThunderbird-140.6.0-bp160.1.1
MozillaThunderbird-openpgp-librnp-140.6.0-bp160.1.1
MozillaThunderbird-translations-common-140.6.0-bp160.1.1
MozillaThunderbird-translations-other-140.6.0-bp160.1.1
References:
* https://www.suse.com/security/cve/CVE-2025-14321.html
* https://www.suse.com/security/cve/CVE-2025-14322.html
* https://www.suse.com/security/cve/CVE-2025-14323.html
* https://www.suse.com/security/cve/CVE-2025-14324.html
* https://www.suse.com/security/cve/CVE-2025-14325.html
* https://www.suse.com/security/cve/CVE-2025-14328.html
* https://www.suse.com/security/cve/CVE-2025-14329.html
* https://www.suse.com/security/cve/CVE-2025-14330.html
* https://www.suse.com/security/cve/CVE-2025-14331.html
* https://www.suse.com/security/cve/CVE-2025-14333.html
openSUSE-SU-2026:20054-1: moderate: Security update for chromium
openSUSE security update: security update for chromium
-------------------------------------------------------------
Announcement ID: openSUSE-SU-2026:20054-1
Rating: moderate
References:
* bsc#1256614
Cross-References:
* CVE-2026-0899
* CVE-2026-0900
* CVE-2026-0901
* CVE-2026-0902
* CVE-2026-0903
* CVE-2026-0904
* CVE-2026-0905
* CVE-2026-0906
* CVE-2026-0907
* CVE-2026-0908
Affected Products:
openSUSE Leap 16.0
-------------------------------------------------------------
An update that solves 10 vulnerabilities and has one bug fix can now be installed.
Description:
This update for chromium fixes the following issues:
Changes in chromium:
- Chromium 144.0.7559.59 (boo#1256614)
* CVE-2026-0899: Out of bounds memory access in V8
* CVE-2026-0900: Inappropriate implementation in V8
* CVE-2026-0901: Inappropriate implementation in Blink
* CVE-2026-0902: Inappropriate implementation in V8
* CVE-2026-0903: Insufficient validation of untrusted input in Downloads
* CVE-2026-0904: Incorrect security UI in Digital Credentials
* CVE-2026-0905: Insufficient policy enforcement in Network
* CVE-2026-0906: Incorrect security UI
* CVE-2026-0907: Incorrect security UI in Split View
* CVE-2026-0908: Use after free in ANGLE
- use noopenh264 where available
Patch instructions:
To install this openSUSE security update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
- openSUSE Leap 16.0
zypper in -t patch openSUSE-Leap-16.0-packagehub-80=1
Package List:
- openSUSE Leap 16.0:
chromedriver-144.0.7559.59-bp160.1.1
chromium-144.0.7559.59-bp160.1.1
References:
* https://www.suse.com/security/cve/CVE-2026-0899.html
* https://www.suse.com/security/cve/CVE-2026-0900.html
* https://www.suse.com/security/cve/CVE-2026-0901.html
* https://www.suse.com/security/cve/CVE-2026-0902.html
* https://www.suse.com/security/cve/CVE-2026-0903.html
* https://www.suse.com/security/cve/CVE-2026-0904.html
* https://www.suse.com/security/cve/CVE-2026-0905.html
* https://www.suse.com/security/cve/CVE-2026-0906.html
* https://www.suse.com/security/cve/CVE-2026-0907.html
* https://www.suse.com/security/cve/CVE-2026-0908.html
openSUSE-SU-2026:20043-1: moderate: Security update for erlang
openSUSE security update: security update for erlang
-------------------------------------------------------------
Announcement ID: openSUSE-SU-2026:20043-1
Rating: moderate
References:
* bsc#1249469
* bsc#1249470
* bsc#1249472
Cross-References:
* CVE-2025-48038
* CVE-2025-48039
* CVE-2025-48040
CVSS scores:
* CVE-2025-48038 ( SUSE ): 4.3 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
* CVE-2025-48038 ( SUSE ): 5.3 CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
* CVE-2025-48039 ( SUSE ): 4.3 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
* CVE-2025-48039 ( SUSE ): 5.3 CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
* CVE-2025-48040 ( SUSE ): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
* CVE-2025-48040 ( SUSE ): 6.9 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Affected Products:
openSUSE Leap 16.0
-------------------------------------------------------------
An update that solves 3 vulnerabilities and has 3 bug fixes can now be installed.
Description:
This update for erlang fixes the following issues:
Update the ssh component to the latest in the maint-27 branch.
Security issues fixed:
- CVE-2025-48040: ssh: overly tolerant handling of data received from unauthenticated users when processing key
exchange messages may lead to excessive resource consumption (bsc#1249472).
- CVE-2025-48039: ssh: unverified paths from authenticated SFTP users may lead to excessive resource consumption
(bsc#1249469).
- CVE-2025-48038: ssh: unverified file handles from authenticated SFTP users may lead to excessive resource consumption
(bsc#1249470).
Patch instructions:
To install this openSUSE security update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
- openSUSE Leap 16.0
zypper in -t patch openSUSE-Leap-16.0-148=1
Package List:
- openSUSE Leap 16.0:
erlang-27.1.3-160000.3.1
erlang-debugger-27.1.3-160000.3.1
erlang-debugger-src-27.1.3-160000.3.1
erlang-dialyzer-27.1.3-160000.3.1
erlang-dialyzer-src-27.1.3-160000.3.1
erlang-diameter-27.1.3-160000.3.1
erlang-diameter-src-27.1.3-160000.3.1
erlang-doc-27.1.3-160000.3.1
erlang-epmd-27.1.3-160000.3.1
erlang-et-27.1.3-160000.3.1
erlang-et-src-27.1.3-160000.3.1
erlang-jinterface-27.1.3-160000.3.1
erlang-jinterface-src-27.1.3-160000.3.1
erlang-observer-27.1.3-160000.3.1
erlang-observer-src-27.1.3-160000.3.1
erlang-reltool-27.1.3-160000.3.1
erlang-reltool-src-27.1.3-160000.3.1
erlang-src-27.1.3-160000.3.1
erlang-wx-27.1.3-160000.3.1
erlang-wx-src-27.1.3-160000.3.1
References:
* https://www.suse.com/security/cve/CVE-2025-48038.html
* https://www.suse.com/security/cve/CVE-2025-48039.html
* https://www.suse.com/security/cve/CVE-2025-48040.html
openSUSE-SU-2026:20044-1: important: Security update for alloy
openSUSE security update: security update for alloy
-------------------------------------------------------------
Announcement ID: openSUSE-SU-2026:20044-1
Rating: important
References:
* bsc#1251509
* bsc#1251716
* bsc#1253609
Cross-References:
* CVE-2025-47911
* CVE-2025-47913
* CVE-2025-58190
CVSS scores:
* CVE-2025-47911 ( SUSE ): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
* CVE-2025-47911 ( SUSE ): 6.9 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
* CVE-2025-47913 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
* CVE-2025-47913 ( SUSE ): 8.7 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
* CVE-2025-58190 ( SUSE ): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
* CVE-2025-58190 ( SUSE ): 6.9 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
Affected Products:
openSUSE Leap 16.0
-------------------------------------------------------------
An update that solves 3 vulnerabilities and has 3 bug fixes can now be installed.
Description:
This update for alloy fixes the following issues:
Upgrade to version 1.12.1.
Security issues fixed:
- CVE-2025-47911: golang.org/x/net/html: quadratic complexity algorithms used when parsing untrusted HTML documents
(bsc#1251509).
- CVE-2025-58190: golang.org/x/net/html: excessive memory consumption by `html.ParseFragment` when processing specially
crafted input (bsc#1251716).
- CVE-2025-47913: golang.org/x/crypto: early client process termination when receiving an unexpected message type in
response to a key listing or signing request (bsc#1253609).
Other updates and bugfixes:
- Version 1.12.1:
* Bugfixes
- update to Beyla 2.7.10.
- Version 1.12.0:
* Breaking changes
- `prometheus.exporter.blackbox`, `prometheus.exporter.snmp` and `prometheus.exporter.statsd` now use the component
ID instead of the hostname as their instance label in their exported metrics.
* Features
- (Experimental) Add an `otelcol.receiver.cloudflare` component to receive logs pushed by Cloudflare's LogPush
jobs.
- (Experimental) Additions to experimental `database_observability.mysql` component:
- `explain_plans`
- collector now changes schema before returning the connection to the pool.
- collector now passes queries more permissively.
- enable `explain_plans` collector by default
- (Experimental) Additions to experimental `database_observability.postgres` component:
- `explain_plans`
- added the explain plan collector.
- collector now passes queries more permissively.
- `query_samples`
- add user field to wait events within `query_samples` collector.
- rework the query samples collector to buffer per-query execution state across scrapes and emit finalized
entries.
- process turned idle rows to calculate finalization times precisely and emit first seen idle rows.
- `query_details`
- escape queries coming from `pg_stat_statements` with quotes.
- enable `explain_plans` collector by default.
- safely generate `server_id` when UDP socket used for database connection.
- add table registry and include "validated" in parsed table name logs.
- Add `otelcol.exporter.googlecloudpubsub` community component to export metrics, traces, and logs to Google Cloud
Pub/Sub topic.
- Add `structured_metadata_drop` stage for `loki.process` to filter structured metadata.
- Send remote config status to the remote server for the `remotecfg` service.
- Send effective config to the remote server for the `remotecfg` service.
- Add a `stat_statements` configuration block to the `prometheus.exporter.postgres` component to enable selecting
both the query ID and the full SQL statement. The new block includes one option to enable statement selection,
and another to configure the maximum length of the statement text.
- Add truncate stage for `loki.process` to truncate log entries, label values, and `structured_metadata` values.
- Add `u_probe_links` & `load_probe` configuration fields to alloy `pyroscope.ebpf` to extend configuration of
the `opentelemetry-ebpf-profiler` to allow uprobe profiling and dynamic probing.
- Add `verbose_mode` configuration fields to `alloy pyroscope.ebpf` to enable `ebpf-profiler` verbose mode.
- Add `file_match` block to `loki.source.file` for built-in file discovery using glob patterns.
- Add a regex argument to the `structured_metadata` stage in `loki.process` to extract labels matching a regular
expression.
- OpenTelemetry Collector dependencies upgraded from v0.134.0 to v0.139.0.
- See the upstream
[core](https://github.com/open-telemetry/opentelemetry-collector/blob/v0.139.0/CHANGELOG.md)
and
[contrib](https://github.com/open-telemetry/opentelemetry-collector-contrib/blob/v0.139.0/CHANGELOG.md)
changelogs for more details.
- A new `mimir.alerts.kubernetes` component which discovers AlertmanagerConfig Kubernetes resources and loads them
into a Mimir instance.
- Mark `stage.windowsevent` block in the `loki.process` component as GA.
* Enhancements
- Add per-application rate limiting with the strategy attribute in the `faro.receiver` component, to prevent one
application from consuming the rate limit quota of others.
- Add support for TLS in components `loki.source.(awsfirehose|gcplog|heroku|api)`, `prometheus.receive_http` and
`pyroscope.receive_http`.
- Remove `SendSIGKILL=no` from unit files and recommendations.
- Reduce memory overhead of `prometheus.remote_write`'s WAL by lowering the size of the allocated series storage.
- Reduce lock wait/contention on the `labelstore.LabelStore` by removing unnecessary usage from
`prometheus.relabel`.
- `prometheus.exporter.postgres` dependency has been updated to v0.18.1.
- Update Beyla component to 2.7.8.
- Support delimiters in `stage.luhn`.
- `pyroscope.java`: update `async-profiler` to 4.2.
- `prometheus.exporter.unix`: Add an arp config block to configure the ARP collector.
- `prometheus.exporter.snowflake` dependency has been updated to 20251016132346-6d442402afb2.
- `loki.source.podlogs` now supports `preserve_discovered_labels` parameter to preserve discovered pod metadata
labels for use by downstream components.
- Rework underlying framework of Alloy UI to use Vite instead of Create React App.
- Use POST requests for remote config requests to avoid hitting http2 header limits.
- `loki.source.api` during component shutdown will now reject all the inflight requests with status code 503 after
`graceful_shutdown_timeout` has expired.
- `kubernetes.discovery`: Add support for attaching namespace metadata.
- Add `meta_cache_address` to `beyla.ebpf` component.
* Bugfixes
- Stop `loki.source.kubernetes` discarding log lines with duplicate timestamps.
- Fix direction of arrows for pyroscope components in UI graph.
- Only log EOF errors for syslog port investigations in `loki.source.syslog` as Debug, not Warn.
- Fix `prometheus.exporter.process` ignoring the `remove_empty_groups` argument.
- Fix issues with "unknown series ref when trying to add exemplar" from `prometheus.remote_write` by allowing
series ref links to be updated if they change.
- Fix `loki.source.podlogs` component to register the Kubernetes field index for `spec.nodeName` when node
filtering is enabled, preventing "Index with name `field:spec.nodeName` does not exist" errors.
- Fix issue in `loki.source.file` where scheduling files could take too long.
- Fix `loki.write` no longer includes internal labels __.
- Fix missing native histograms custom buckets (NHCB) samples from `prometheus.remote_write`.
- `otelcol.receiver.prometheus` now supports mixed histograms if `prometheus.scrape` has `honor_metadata` set to
true.
- `loki.source.file` has better support for non-UTF-8 encoded files.
- Fix the `loki.write` endpoint block's `enable_http2` attribute to actually affect the client.
- Optionally remove trailing newlines before appending entries in `stage.multiline`.
- `loki.source.api` no longer drops requests when relabel rules drop a specific stream.
Patch instructions:
To install this openSUSE security update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
- openSUSE Leap 16.0
zypper in -t patch openSUSE-Leap-16.0-149=1
Package List:
- openSUSE Leap 16.0:
alloy-1.12.1-160000.1.1
References:
* https://www.suse.com/security/cve/CVE-2025-47911.html
* https://www.suse.com/security/cve/CVE-2025-47913.html
* https://www.suse.com/security/cve/CVE-2025-58190.html
openSUSE-SU-2026:20039-1: important: Security update for bind
openSUSE security update: security update for bind
-------------------------------------------------------------
Announcement ID: openSUSE-SU-2026:20039-1
Rating: important
References:
* bsc#1230649
* bsc#1252378
* bsc#1252379
* bsc#1252380
Cross-References:
* CVE-2025-40778
* CVE-2025-40780
* CVE-2025-8677
CVSS scores:
* CVE-2025-40778 ( SUSE ): 8.6 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N
* CVE-2025-40778 ( SUSE ): 9.2 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:H/SA:N
* CVE-2025-40780 ( SUSE ): 8.6 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N
* CVE-2025-40780 ( SUSE ): 9.2 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:H/SA:N
* CVE-2025-8677 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
* CVE-2025-8677 ( SUSE ): 8.7 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
Affected Products:
openSUSE Leap 16.0
-------------------------------------------------------------
An update that solves 3 vulnerabilities and has 4 bug fixes can now be installed.
Description:
This update for bind fixes the following issues:
- Upgrade to release 9.20.15
Security Fixes:
* CVE-2025-40778: Fixed cache poisoning attacks with unsolicited RRs (bsc#1252379)
* CVE-2025-40780: Fixed cache poisoning due to weak PRNG (bsc#1252380)
* CVE-2025-8677: Fixed resource exhaustion via malformed DNSKEY handling (bsc#1252378)
New Features:
* Add dnssec-policy keys configuration check to named-checkconf.
* Add a new option `manual-mode` to dnssec-policy.
* Add a new option `servfail-until-ready` to response-policy
zones.
* Support for parsing HHIT and BRID records has been added.
* Support for parsing DSYNC records has been added.
Removed Features:
* Deprecate the `tkey-gssapi-credential` statement.
* Obsolete the `tkey-domain` statement.
Feature Changes:
* Add deprecation warnings for RSASHA1, RSASHA1-NSEC3SHA1, and DS
digest type 1.
Bug Fixes:
* Missing DNSSEC information when CD bit is set in query.
* rndc sign during ZSK rollover will now replace signatures.
* Use signer name when disabling DNSSEC algorithms.
* Preserve cache when reload fails and reload the server again.
* Prevent spurious SERVFAILs for certain 0-TTL resource records.
* Fix unexpected termination if catalog-zones had undefined
`default-primaries`.
* Stale RRsets in a CNAME chain were not always refreshed.
* Add RPZ extended DNS error for zones with a CNAME override
policy configured.
* Fix dig +keepopen option.
* Log dropped or slipped responses in the query-errors category.
* Fix synth-from-dnssec not working in some scenarios.
* Clean enough memory when adding new ADB names/entries under
memory pressure.
* Prevent spurious validation failures.
* Ensure file descriptors 0-2 are in use before using libuv
[bsc#1230649]
Patch instructions:
To install this openSUSE security update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
- openSUSE Leap 16.0
zypper in -t patch openSUSE-Leap-16.0-144=1
Package List:
- openSUSE Leap 16.0:
bind-9.20.15-160000.1.1
bind-doc-9.20.15-160000.1.1
bind-modules-bdbhpt-9.20.15-160000.1.1
bind-modules-generic-9.20.15-160000.1.1
bind-modules-ldap-9.20.15-160000.1.1
bind-modules-mysql-9.20.15-160000.1.1
bind-modules-perl-9.20.15-160000.1.1
bind-modules-sqlite3-9.20.15-160000.1.1
bind-utils-9.20.15-160000.1.1
References:
* https://www.suse.com/security/cve/CVE-2025-40778.html
* https://www.suse.com/security/cve/CVE-2025-40780.html
* https://www.suse.com/security/cve/CVE-2025-8677.html
openSUSE-SU-2026:10057-1: moderate: chromedriver-144.0.7559.59-1.1 on GA media
# chromedriver-144.0.7559.59-1.1 on GA media
Announcement ID: openSUSE-SU-2026:10057-1
Rating: moderate
Cross-References:
* CVE-2026-0899
* CVE-2026-0900
* CVE-2026-0901
* CVE-2026-0902
* CVE-2026-0903
* CVE-2026-0904
* CVE-2026-0905
* CVE-2026-0906
* CVE-2026-0907
* CVE-2026-0908
Affected Products:
* openSUSE Tumbleweed
An update that solves 10 vulnerabilities can now be installed.
## Description:
These are all security issues fixed in the chromedriver-144.0.7559.59-1.1 package on the GA media of openSUSE Tumbleweed.
## Package List:
* openSUSE Tumbleweed:
* chromedriver 144.0.7559.59-1.1
* chromium 144.0.7559.59-1.1
## References:
* https://www.suse.com/security/cve/CVE-2026-0899.html
* https://www.suse.com/security/cve/CVE-2026-0900.html
* https://www.suse.com/security/cve/CVE-2026-0901.html
* https://www.suse.com/security/cve/CVE-2026-0902.html
* https://www.suse.com/security/cve/CVE-2026-0903.html
* https://www.suse.com/security/cve/CVE-2026-0904.html
* https://www.suse.com/security/cve/CVE-2026-0905.html
* https://www.suse.com/security/cve/CVE-2026-0906.html
* https://www.suse.com/security/cve/CVE-2026-0907.html
* https://www.suse.com/security/cve/CVE-2026-0908.html