Tiff, PHP-Composer, OpenSSH, and more updates for SUSE

SUSE 5651 Published 2026-05-19 07:06 by Philipp Esselbach

News

SUSE-SU-2026:1967-1: important: Security update for tiff

# Security update for tiff

Announcement ID: SUSE-SU-2026:1967-1
Release Date: 2026-05-18T08:13:02Z
Rating: important
References:

* bsc#1260411

Cross-References:

* CVE-2026-4775

CVSS scores:

* CVE-2026-4775 ( SUSE ): 8.8
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:H/SC:N/SI:N/SA:N
* CVE-2026-4775 ( SUSE ): 8.6 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H
* CVE-2026-4775 ( NVD ): 7.8 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Affected Products:

* Basesystem Module 15-SP7
* openSUSE Leap 15.6
* SUSE Linux Enterprise Desktop 15 SP7
* SUSE Linux Enterprise Real Time 15 SP7
* SUSE Linux Enterprise Server 15 SP6
* SUSE Linux Enterprise Server 15 SP6 LTSS
* SUSE Linux Enterprise Server 15 SP7
* SUSE Linux Enterprise Server for SAP Applications 15 SP6
* SUSE Linux Enterprise Server for SAP Applications 15 SP7
* SUSE Package Hub 15 15-SP7

An update that solves one vulnerability can now be installed.

## Description:

This update for tiff fixes the following issue

* CVE-2026-4775: signed integer overflow in the `putcontig8bitYCbCr44tile`
function (bsc#1260411).

## Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like
YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

* openSUSE Leap 15.6
zypper in -t patch SUSE-2026-1967=1

* Basesystem Module 15-SP7
zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP7-2026-1967=1

* SUSE Package Hub 15 15-SP7
zypper in -t patch SUSE-SLE-Module-Packagehub-Subpackages-15-SP7-2026-1967=1

* SUSE Linux Enterprise Server 15 SP6 LTSS
zypper in -t patch SUSE-SLE-Product-SLES-15-SP6-LTSS-2026-1967=1

* SUSE Linux Enterprise Server for SAP Applications 15 SP6
zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-SP6-2026-1967=1

## Package List:

* openSUSE Leap 15.6 (aarch64 ppc64le s390x x86_64 i586)
* tiff-debugsource-4.7.1-150600.3.26.1
* tiff-debuginfo-4.7.1-150600.3.26.1
* libtiff-devel-4.7.1-150600.3.26.1
* libtiff6-4.7.1-150600.3.26.1
* tiff-4.7.1-150600.3.26.1
* libtiff6-debuginfo-4.7.1-150600.3.26.1
* openSUSE Leap 15.6 (aarch64_ilp32)
* libtiff-devel-64bit-4.7.1-150600.3.26.1
* libtiff6-64bit-debuginfo-4.7.1-150600.3.26.1
* libtiff6-64bit-4.7.1-150600.3.26.1
* openSUSE Leap 15.6 (x86_64)
* libtiff6-32bit-debuginfo-4.7.1-150600.3.26.1
* libtiff-devel-32bit-4.7.1-150600.3.26.1
* libtiff6-32bit-4.7.1-150600.3.26.1
* openSUSE Leap 15.6 (noarch)
* tiff-docs-4.7.1-150600.3.26.1
* libtiff-devel-docs-4.7.1-150600.3.26.1
* Basesystem Module 15-SP7 (aarch64 ppc64le s390x x86_64)
* tiff-debugsource-4.7.1-150600.3.26.1
* tiff-debuginfo-4.7.1-150600.3.26.1
* libtiff-devel-4.7.1-150600.3.26.1
* libtiff6-4.7.1-150600.3.26.1
* libtiff6-debuginfo-4.7.1-150600.3.26.1
* Basesystem Module 15-SP7 (x86_64)
* libtiff6-32bit-debuginfo-4.7.1-150600.3.26.1
* libtiff6-32bit-4.7.1-150600.3.26.1
* SUSE Package Hub 15 15-SP7 (aarch64 ppc64le s390x x86_64)
* tiff-4.7.1-150600.3.26.1
* tiff-debugsource-4.7.1-150600.3.26.1
* tiff-debuginfo-4.7.1-150600.3.26.1
* SUSE Linux Enterprise Server 15 SP6 LTSS (aarch64 ppc64le s390x x86_64)
* tiff-debugsource-4.7.1-150600.3.26.1
* tiff-debuginfo-4.7.1-150600.3.26.1
* libtiff-devel-4.7.1-150600.3.26.1
* libtiff6-4.7.1-150600.3.26.1
* libtiff6-debuginfo-4.7.1-150600.3.26.1
* SUSE Linux Enterprise Server 15 SP6 LTSS (x86_64)
* libtiff6-32bit-debuginfo-4.7.1-150600.3.26.1
* libtiff6-32bit-4.7.1-150600.3.26.1
* SUSE Linux Enterprise Server for SAP Applications 15 SP6 (ppc64le x86_64)
* tiff-debugsource-4.7.1-150600.3.26.1
* tiff-debuginfo-4.7.1-150600.3.26.1
* libtiff-devel-4.7.1-150600.3.26.1
* libtiff6-4.7.1-150600.3.26.1
* libtiff6-debuginfo-4.7.1-150600.3.26.1
* SUSE Linux Enterprise Server for SAP Applications 15 SP6 (x86_64)
* libtiff6-32bit-debuginfo-4.7.1-150600.3.26.1
* libtiff6-32bit-4.7.1-150600.3.26.1

## References:

* https://www.suse.com/security/cve/CVE-2026-4775.html
* https://bugzilla.suse.com/show_bug.cgi?id=1260411

SUSE-SU-2026:1970-1: important: Security update for php-composer2

# Security update for php-composer2

Announcement ID: SUSE-SU-2026:1970-1
Release Date: 2026-05-18T08:16:20Z
Rating: important
References:

* bsc#1262254
* bsc#1262255

Cross-References:

* CVE-2022-24828
* CVE-2023-43655
* CVE-2024-24821
* CVE-2024-35241
* CVE-2024-35242
* CVE-2025-67746
* CVE-2026-40176
* CVE-2026-40261

CVSS scores:

* CVE-2022-24828 ( SUSE ): 7.0 CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
* CVE-2022-24828 ( NVD ): 8.3 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H
* CVE-2023-43655 ( SUSE ): 6.4 CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H
* CVE-2023-43655 ( NVD ): 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
* CVE-2023-43655 ( NVD ): 6.4 CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H
* CVE-2024-24821 ( SUSE ): 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
* CVE-2024-24821 ( NVD ): 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
* CVE-2024-35241 ( SUSE ): 7.8 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
* CVE-2024-35241 ( NVD ): 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
* CVE-2024-35242 ( SUSE ): 7.8 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
* CVE-2024-35242 ( NVD ): 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
* CVE-2025-67746 ( SUSE ): 2.0
CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
* CVE-2025-67746 ( SUSE ): 3.3 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L
* CVE-2025-67746 ( NVD ): 1.3
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
* CVE-2025-67746 ( NVD ): 4.3 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
* CVE-2026-40176 ( SUSE ): 7.8 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
* CVE-2026-40176 ( NVD ): 7.8 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
* CVE-2026-40261 ( SUSE ): 7.8 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
* CVE-2026-40261 ( NVD ): 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Affected Products:

* openSUSE Leap 15.4
* SUSE Linux Enterprise High Performance Computing 15 SP4
* SUSE Linux Enterprise High Performance Computing 15 SP5
* SUSE Linux Enterprise High Performance Computing ESPOS 15 SP4
* SUSE Linux Enterprise High Performance Computing ESPOS 15 SP5
* SUSE Linux Enterprise High Performance Computing LTSS 15 SP4
* SUSE Linux Enterprise High Performance Computing LTSS 15 SP5
* SUSE Linux Enterprise Server 15 SP4
* SUSE Linux Enterprise Server 15 SP4 LTSS
* SUSE Linux Enterprise Server 15 SP5
* SUSE Linux Enterprise Server 15 SP5 LTSS
* SUSE Linux Enterprise Server for SAP Applications 15 SP4
* SUSE Linux Enterprise Server for SAP Applications 15 SP5

An update that solves eight vulnerabilities can now be installed.

## Description:

This update for php-composer2 fixes the following issues

* CVE-2026-40176: command injection via malicious Perforce repository
definition (bsc#1262254).
* CVE-2026-40261: command injection via malicious Perforce source
reference/url (bsc#1262255).

Changes for php-composer2:

* version update to 2.2.27 (align with upstream LTS version)
* Security: Hardened git/hg/perforce/fossil identifier validation to ensure
branch names starting with - do not cause issues (246f807b, 246f807b,
246f807b)
* Security: Fixed Perforce unescaped user input in queryP4User shell command
(246f807b)
* Security: Fixed usage of insecure 3DES ciphers when ext-curl is missing
(21ffece62)
* Fixed issue handling paths with = in them on Windows (#11568)
* version 2.2.26 2025-12-30
* Security: Fixed ANSI sequence injection (GHSA-59pp-r3rg-353g /
CVE-2025-67746)
* version 2.2.25 2024-12-11
* Fixed deprecation notices appearing on this LTS version in case it is used
on modern PHP. Modern PHP support is not guaranteed nor tested for though
and the main purpose of LTS releases is legacy PHP versions support.
(#12217)
* Fixed issue on plugin upgrade when it defines multiple classes (#12226)
* Fixed duplicate errors appearing in the output depending on php settings
(#12214)
* Fixed InstalledVersions returning duplicate data in some instances (#12225)
* version 2.2.24 2024-06-10
* Security: Fixed command injection via malicious git branch name
(GHSA-47f6-5gq3-vx9c / CVE-2024-35241)
* Security: Fixed multiple command injections via malicious git/hg branch
names (GHSA-v9qv-c7wm-wgmf / CVE-2024-35242)
* Security: Fixed secure-http checks that could be bypassed by using malformed
URL formats (fa3b9582c)
* Security: Fixed Filesystem::isLocalPath including windows-specific checks on
linux (3c37a67c)
* Security: Fixed perforce argument escaping (3773f775)
* Security: Fixed handling of zip bombs when extracting archives (de5f7e32)
* Security: Fixed Windows command parameter escaping to prevent abuse of
unicode characters with best fit encoding
* conversion (3130a7455, 04a63b324)
* version 2.2.23 2024-02-08
* Security: Fixed code execution and possible privilege escalation via
compromised vendor dir contents (GHSA-7c6p-848j-wh5h / CVE-2024-24821)
* version 2.2.22 2023-09-29
* Security: Fixed possible remote code execution vulnerability if
composer.phar is publicly accessible, executable as PHP, and
register_argc_argv is enabled in php.ini (GHSA-jm6m-4632-36hf /
CVE-2023-43655)
* Fixed authentication issue when downloading several files from private
Bitbucket in parallel (#11464)
* Fixed handling of broken junctions on windows (#11550)
* Fixed loading of root aliases on path repo packages when doing partial
updates (#11632)
* Fixed parsing of lib-curl-openssl version with OSX SecureTransport (#11534)
* Fixed binary proxies not being transparent when included by another PHP
process and returning a value (#11454)
* Fixed support for plugin classes being marked as readonly (#11404)
* Fixed GitHub rate limit reporting (#11366)
* Fixed issue displaying solver problems with branch names containing % signs
(#11359)
* version 2.2.21 2023-02-15
* Fixed extra.plugin-optional support in PluginInstaller when doing pre-
install checks (#11326)
* version 2.2.20 2023-02-10
* Added extra.plugin-optional support for allow auto-disabling unknown plugins
which are not critical when running non-interactive (#11315)
* version 2.2.19 2023-02-04
* Fixed URL sanitizer to handle new GitHub personal access tokens format
(#11137)
* Fixed cache keys to allow _ to avoid conflicts between package names like
a-b and a_b (#11229)
* Fixed handling of --ignore-platform-req with upper-bound ignores to not
apply to conflict rules (#11037)
* Fixed handling of COMPOSER_DISCARD_CHANGES when set to 0
* version 2.2.18 2022-08-20
* Fixed COMPOSER_NO_DEV so it also works with require and remove's --update-
no-dev (#10995)
* Fixed duplicate missing extension warnings being displayed (#10938)
* Fixed hg version detection (#10955)
* Fixed git cache invalidation issue when a git tag gets created after the
cache has loaded a given reference (#11004)
* version 2.2.17 2022-07-13
* Fixed plugins from CWD/vendor being loaded in some cases like create-project
or validate even though the target directory is outside of CWD (#10935)
* Fixed support for legacy (Composer 1.x, e.g. hirak/prestissimo) plugins
which will not warn/error anymore if not in allow-plugins, as they are
anyway not loaded (#10928)
* Fixed pre-install check for allowed plugins not taking --no-plugins into
account (#10925)
* Fixed support for disable_functions containing disk_free_space (#10936)
* Fixed RootPackageRepository usages to always clone the root package to avoid
interoperability issues with plugins (#10940)
* version 2.2.16 2022-07-05
* Fixed non-interactive behavior of allow-plugins to throw instead of continue
with a warning to avoid broken installs (#10920)
* Fixed allow-plugins BC mode to ensure old lock files created pre-2.2 can be
installed with only a warning but plugins fully loaded (#10920)
* Fixed deprecation notice (#10921)
* version 2.2.15 2022-07-01
* Fixed support for cache-read-only where the filesystem is not writable
(#10906)
* Fixed type error when using allow-plugins: true (#10909)
* Fixed @putenv scripts receiving arguments passed to the command (#10846)
* Fixed support for spaces in paths with binary proxies on Windows (#10836)
* Fixed type error in GitDownloader if branches cannot be listed (#10888)
* Fixed RootPackageInterface issue on PHP 5.3.3 (#10895)
* version 2.2.14 2022-06-06
* Fixed handling of broken symlinks when checking whether a package is still
installed (#6708)
* Fixed JSON schema regex pattern for name to be JS compatible (#10811)
* Fixed bin proxies to allow a proxy to include another one safely (#10823)
* Fixed gitlab-token JSON schema definition (#10800)
* Fixed openssl 3.x version parsing as it is now semver compliant
* Fixed type error when a json file cannot be read (#10818)
* Fixed parsing of multi-line arrays in funding.yml (#10784)
* version 2.2.13 2022-05-25
* Fixed invalid credentials loop when setting up GitLab token (#10748)
* Fixed PHP 8.2 deprecations (#10766)
* Fixed lock file changes being output even when the lock file creation is
disabled
* Fixed race condition when multiple requests asking for auth on the same
hostname fired concurrently (#10763)
* Fixed quoting of commas on Windows (#10775)
* Fixed issue installing path repos with a disabled symlink function (#10786)
* version 2.2.12 2022-04-13
* Security: Fixed command injection vulnerability in HgDriver/GitDriver
(GHSA-x7cr-6qr6-2hh6 / CVE-2022-24828)
* Fixed curl downloader not retrying when a DNS resolution failure occurs
(#10716)
* Fixed composer.lock file still being used/read when the lock config option
is disabled (#10726)
* Fixed validate command checking the lock file even if the lock option is
disabled (#10723)
* version 2.2.11 2022-04-01
* Added missing config.bitbucket-oauth in composer-schema.json
* Added --2.2 flag to self-update to pin the Composer version to the 2.2 LTS
range (#10682)
* Updated semver, jsonlint deps for minor fixes
* Fixed generation of autoload crashing if a package has a broken path
(#10688)
* Removed dev-master=>dev-main alias from #10372 as it does not work when
reloading from lock file and extracting dev deps (#10651)
* version 2.2.10 2022-03-29
* Fixed Bitbucket authorization detection due to API changes (#10657)
* Fixed validate command warning about dist/source keys if defined (#10655)
* Fixed deletion/handling of corrupted 0-bytes zip archives (#10666)
* version 2.2.9 2022-03-15
* Fixed regression with plugins that modify install path of packages, see docs
if you are authoring such a plugin (#10621)
* version 2.2.8 2022-03-15
* Fixed files autoloading sort order to be fully deterministic (#10617)
* Fixed pool optimization pass edge cases (#10579)
* Fixed require command failing when self.version is used as constraint
(#10593)
* Fixed --no-ansi / undecorated output still showing color in repo warnings
(#10601)
* Performance improvement in pool optimization step (composer/semver#131)
* version 2.2.7 2022-02-25
* Allow installation together with composer/xdebug-handler ^3 (#10528)
* Fixed support for packages with no licenses in licenses command output
(#10537)
* Fixed handling of allow-plugins: false which kept warning (#10530)
* Fixed enum parsing in classmap generation when the enum keyword is not
lowercased (#10521)
* Fixed author parsing in init command requiring an email whereas the schema
allows a name only (#10538)
* Fixed issues in require command when requiring packages which do not exist
(but are provided by something else you require) (#10541)
* Performance improvement in pool optimization step (#10546)
* version 2.2.6 2022-02-04
* BC Break: due to an oversight, the COMPOSER_BIN_DIR env var for binaries
added in Composer 2.2.2 had to be renamed to COMPOSER_RUNTIME_BIN_DIR
(#10512)
* Fixed enum parsing in classmap generation with syntax like enum foo:string
without space after : (#10498)
* Fixed package search not urlencoding the input (#10500)
* Fixed reinstall command not firing pre-install-cmd/post-install-cmd events
(#10514)
* Fixed edge case in path repositories where a symlink: true option would be
ignored on old Windows and old PHP combos (#10482)
* Fixed test suite compatibility with latest symfony/console releases (#10499)
* Fixed some error reporting edge cases (#10484, #10451, #10493)
* version 2.2.5 2022-01-21
* Disabled composer/package-versions-deprecated by default as it can function
using Composer\InstalledVersions at runtime (#10458)
* Fixed artifact repositories crashing if a phar file was present in the
directory (#10406)
* Fixed binary proxy issue on PHP

Ruby and Nginx updates for Rocky Linux

Montech Ten SFF Chassis Reviews and more

Tiff, PHP-Composer, OpenSSH, and more updates for SUSE

SUSE-SU-2026:1967-1: important: Security update for tiff

SUSE-SU-2026:1970-1: important: Security update for php-composer2

Windows

Linux

macOS

Community