
SUSE recently pushed a batch of security patches for openSUSE systems that tackle dozens of vulnerabilities across several key packages. MozillaThunderbird and FreeRDP receive the most urgent attention, as their updates resolve severe memory corruption flaws and potential remote execution risks. Additional updates cover moderate and important vulnerabilities in Helm, Trivy, Xen, himmelblau, plus a necessary kernel refresh for Leap 15.6.

openSUSE-SU-2026:10660-1: moderate: xen-4.21.1_04-1.1 on GA media
openSUSE-SU-2026:20657-1: important: Security update for freerdp
openSUSE-SU-2026:20662-1: moderate: Security update for hauler
openSUSE-SU-2026:20664-1: important: Security update for MozillaThunderbird
openSUSE-SU-2026:20659-1: moderate: Security update for libspectre
openSUSE-SU-2026:20655-1: moderate: Security update for helm
openSUSE-SU-2026:20658-1: moderate: Security update for himmelblau
SUSE-SU-2026:1671-2: important: Security update for the Linux Kernel
openSUSE-SU-2026:0163-1: important: Security update for trivy




openSUSE-SU-2026:10660-1: moderate: xen-4.21.1_04-1.1 on GA media


# xen-4.21.1_04-1.1 on GA media

Announcement ID: openSUSE-SU-2026:10660-1
Rating: moderate

Cross-References:

* CVE-2026-23557
* CVE-2026-23558

CVSS scores:

* CVE-2026-23557 ( SUSE ): 6.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H
* CVE-2026-23558 ( SUSE ): 7.8 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
* CVE-2026-23558 ( SUSE ): 7.3 CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Affected Products:

* openSUSE Tumbleweed

An update that solves 2 vulnerabilities can now be installed.

## Description:

These are all security issues fixed in the xen-4.21.1_04-1.1 package on the GA media of openSUSE Tumbleweed.

## Package List:

* openSUSE Tumbleweed:
* xen 4.21.1_04-1.1
* xen-devel 4.21.1_04-1.1
* xen-doc-html 4.21.1_04-1.1
* xen-libs 4.21.1_04-1.1
* xen-tools 4.21.1_04-1.1
* xen-tools-domU 4.21.1_04-1.1
* xen-tools-xendomains-wait-disk 4.21.1_04-1.1

## References:

* https://www.suse.com/security/cve/CVE-2026-23557.html
* https://www.suse.com/security/cve/CVE-2026-23558.html



openSUSE-SU-2026:20657-1: important: Security update for freerdp


openSUSE security update: security update for freerdp
-------------------------------------------------------------

Announcement ID: openSUSE-SU-2026:20657-1
Rating: important
References:

* bsc#1258919
* bsc#1258920
* bsc#1258921
* bsc#1258923
* bsc#1258924
* bsc#1258973
* bsc#1258976
* bsc#1258977
* bsc#1258979
* bsc#1258982
* bsc#1258985
* bsc#1259653
* bsc#1259679
* bsc#1259680
* bsc#1259684
* bsc#1259686
* bsc#1259689
* bsc#1259692
* bsc#1259693
* bsc#1261196
* bsc#1261198
* bsc#1261200
* bsc#1261211
* bsc#1261217
* bsc#1261222
* bsc#1261223
* bsc#1261226
* bsc#1261227

Cross-References:

* CVE-2026-25941
* CVE-2026-25942
* CVE-2026-25952
* CVE-2026-25953
* CVE-2026-25954
* CVE-2026-25955
* CVE-2026-25959
* CVE-2026-25997
* CVE-2026-26271
* CVE-2026-26955
* CVE-2026-26965
* CVE-2026-29774
* CVE-2026-29775
* CVE-2026-29776
* CVE-2026-31806
* CVE-2026-31883
* CVE-2026-31884
* CVE-2026-31885
* CVE-2026-31897
* CVE-2026-33952
* CVE-2026-33977
* CVE-2026-33982
* CVE-2026-33983
* CVE-2026-33984
* CVE-2026-33985
* CVE-2026-33986
* CVE-2026-33987
* CVE-2026-33995

CVSS scores:

* CVE-2026-25941 ( SUSE ): 4.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N
* CVE-2026-25941 ( SUSE ): 5.1 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
* CVE-2026-25942 ( SUSE ): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
* CVE-2026-25942 ( SUSE ): 6.9 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
* CVE-2026-25952 ( SUSE ): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
* CVE-2026-25952 ( SUSE ): 6.9 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
* CVE-2026-25953 ( SUSE ): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
* CVE-2026-25953 ( SUSE ): 6.9 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
* CVE-2026-25954 ( SUSE ): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
* CVE-2026-25954 ( SUSE ): 6.9 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
* CVE-2026-25955 ( SUSE ): 4.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L
* CVE-2026-25955 ( SUSE ): 6.9 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
* CVE-2026-25959 ( SUSE ): 5.3 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:H
* CVE-2026-25959 ( SUSE ): 6.9 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
* CVE-2026-25997 ( SUSE ): 5.3 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:H
* CVE-2026-25997 ( SUSE ): 6.9 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
* CVE-2026-26955 ( SUSE ): 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
* CVE-2026-26955 ( SUSE ): 8.7 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
* CVE-2026-26965 ( SUSE ): 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
* CVE-2026-26965 ( SUSE ): 8.6 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
* CVE-2026-29774 ( SUSE ): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
* CVE-2026-29774 ( SUSE ): 6.9 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
* CVE-2026-29775 ( SUSE ): 3.7 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L
* CVE-2026-29775 ( SUSE ): 6.3 CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
* CVE-2026-29776 ( SUSE ): 3.1 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L
* CVE-2026-29776 ( SUSE ): 2.3 CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:P/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
* CVE-2026-31806 ( SUSE ): 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
* CVE-2026-31806 ( SUSE ): 7.5 CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
* CVE-2026-31883 ( SUSE ): 7.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
* CVE-2026-31883 ( SUSE ): 6.9 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N
* CVE-2026-31884 ( SUSE ): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
* CVE-2026-31884 ( SUSE ): 6.9 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
* CVE-2026-31885 ( SUSE ): 7.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:L
* CVE-2026-31885 ( SUSE ): 7.1 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:N/VA:L/SC:N/SI:N/SA:N
* CVE-2026-31897 ( SUSE ): 3.1 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L
* CVE-2026-31897 ( SUSE ): 2.3 CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:P/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
* CVE-2026-33952 ( SUSE ): 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
* CVE-2026-33952 ( SUSE ): 7.1 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
* CVE-2026-33977 ( SUSE ): 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
* CVE-2026-33977 ( SUSE ): 6.9 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
* CVE-2026-33982 ( SUSE ): 5.5 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
* CVE-2026-33983 ( SUSE ): 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
* CVE-2026-33983 ( SUSE ): 7.1 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
* CVE-2026-33984 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
* CVE-2026-33984 ( SUSE ): 7.5 CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
* CVE-2026-33985 ( SUSE ): 5.9 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:L
* CVE-2026-33985 ( SUSE ): 5.9 CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:H/VI:N/VA:L/SC:N/SI:N/SA:N
* CVE-2026-33986 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
* CVE-2026-33987 ( SUSE ): 5.5 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
* CVE-2026-33995 ( SUSE ): 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

Affected Products:

openSUSE Leap 16.0

-------------------------------------------------------------

An update that solves 28 vulnerabilities and has 28 bug fixes can now be installed.

Description:

This update for freerdp fixes the following issues:

Update to version 3.24.2.

Security issues fixed:

- CVE-2026-25941: out-of-bounds read in the FreeRDP client RDPGFX channel (bsc#1258919).
- CVE-2026-25942: buffer overflow of global array in `xf_rail_server_execute_result` (bsc#1258920).
- CVE-2026-25952: heap use-after-free in `xf_SetWindowMinMaxInfo` (bsc#1258921).
- CVE-2026-25953: heap use-after-free in `xf_AppUpdateWindowFromSurface` (bsc#1258923).
- CVE-2026-25954: heap use-after-free in `xf_rail_server_local_move_size` (bsc#1258924).
- CVE-2026-25955: heap use-after-free in `xf_AppUpdateWindowFromSurface` (bsc#1258973).
- CVE-2026-25959: heap use-after-free in `xf_cliprdr_provide_data_` (bsc#1258976).
- CVE-2026-25997: heap use-after-free in `xf_clipboard_format_equal` (bsc#1258977).
- CVE-2026-26271: buffer overread in FreeRDP icon processing (bsc#1258979).
- CVE-2026-26955: out-of-bounds write in FreeRDP clients using the GDI surface pipeline (bsc#1258982).
- CVE-2026-26965: out-of-bounds write in FreeRDP client RLE planar decode path (bsc#1258985).
- CVE-2026-29774: heap buffer overflow in the FreeRDP client's AVC420/AVC444 YUV-to-RGB conversion path (bsc#1259689).
- CVE-2026-29775: out-of-bounds access in the FreeRDP client bitmap cache subsystem (bsc#1259684).
- CVE-2026-29776: integer underflow in `update_read_cache_bitmap_order` (bsc#1259692).
- CVE-2026-31806: heap buffer overflow in `nsc_process_message` (bsc#1259653).
- CVE-2026-31883: heap buffer overwrite due to a `size_t` underflow in the IMA-ADPCM and MS-ADPCM audio decoders
(bsc#1259679).
- CVE-2026-31884: division by zero in MS-ADPCM and IMA-ADPCM decoders (bsc#1259680).
- CVE-2026-31885: out-of-bounds read in MS-ADPCM and IMA-ADPCM decoders (bsc#1259686).
- CVE-2026-31897: out-of-bounds read in `freerdp_bitmap_decompress_planar` (bsc#1259693).
- CVE-2026-33952: client-side crash due to `WINPR_ASSERT()` failure in `rts_read_auth_verifier_no_checks()`
(bsc#1261196).
- CVE-2026-33977: client-side crash due to `WINPR_ASSERT()` failure in IMA ADPCM audio decoder (bsc#1261198).
- CVE-2026-33982: heap buffer overread in `winpr_aligned_offset_recalloc` (bsc#1261222).
- CVE-2026-33983: undefined behavior and resource exhaustion via 80 billion iteration loop in
`progressive_decompress_tile_upgrade` (bsc#1261200).
- CVE-2026-33984: heap buffer overflow in ClearCodec `resize_vbar_entry` (bsc#1261211).
- CVE-2026-33985: heap out-of-bounds read in `clear_decompress_glyph_data` (bsc#1261217).
- CVE-2026-33986: heap out-of-bounds write due to H.264 YUV buffer dimension desync (bsc#1261223).
- CVE-2026-33987: heap out-of-bounds write due to persistent cache bmpSize desync (bsc#1261226).
- CVE-2026-33995: double-free vulnerability in `kerberos_AcceptSecurityContext` and
`kerberos_InitializeSecurityContextA` (bsc#1261227).

Other updates and bugfixes:

- Version 3.24.2:
* [channels,video] fix wrong cast (#12511)
* [codec,openh264] reject encoder ABI mismatch on runtime-loaded library (#12510)
* [client,sdl] create a copy of rdpPointer (#12512)
* [codec,video] properly pass intermediate format (#12518)
* [utils, signal] lazily initialize Windows CRITICAL_SECTION to match POSIX static mutex behavior (#12520)
* [winpr] improve libunwind backtraces (#12530)
* [server,shadow] remember selected caps (#12528)
* Zero credential data before free in NLA and NTLM context (#12532)
* [server,proxy] ignore missing client in input channel (#12536)
* [server,proxy] ignore rdpdr messages (#12537)
* [winpr,sspi] improve kerberos logging (#12538)
* Codec fixes (#12542)

- Version 3.24.1:
* [warnings] fix various sign and cast warnings (#12480)
* [client,x11] start with xfc->remote_app = TRUE; (#12491)
* Sam file read regression fix (#12484)
* [ncrypt,smartcardlogon] support ECC keys in PKCS#11 smartcard enumeration (#12490)
* Fix: memory leak in rdp_client_establish_keys() (#12494)
* Fix memory leak in freerdp_settings_int_buffer_copy() on error paths (libfreerdp/core/settings.c) (#12486)
* Code Cleanups (#12493)
* Fix: memory leak in PCSC_SCardListReadersW() (#12495)
* [channels,telemetry] use dynamic logging (#12496)
* [channel,gfx] use generic plugin log (#12498, #12499)
* [channels,audin] set error when audio_format_read fails (#12500)
* [channels,video] unify error handling (#12502)
* Fastpath fine grained lock (#12503)
* [core,update] make the PlaySound callback non-mandatory (#12504)
* Refinements: RPM build updates, FIPS improvements (#12506)

- Version 3.24.0:
* Completed the [[nodiscard]] marking of the API to warn about problematic unchecked use of functions
* Added full C23 support (default stays at C11) to allow new compilers to do stricter checking
* Improved X11 and SDL3 clients
* Improved smartcard support
* proxy now supports RFX graphics mode
* Attribute nodiscard related changes (#12325, #12360, #12395, #12406, #12421, #12426, #12177, #12403, #12405, #12407,
#12409, #12408, #12412, #12413)
* c23 related improvements (#12368, #12371, #12379, #12381, #12383, #12385, #12386, #12387, #12384)
* Generic code cleanups (#12382, #12439, #12455, #12462, #12399, #12473)
* [core,utils] ignore NULL values in remove_rdpdr_type (#12372)
* [codec,fdk] revert use of WinPR types (#12373)
* [core,gateway] ignore incomplete rpc header (#12375, #12376)
* [warnings] make function declaration names consistent (#12377)
* [libfreerdp] Add new define for logon error info (#12380)
* [client,x11] improve rails window locking (#12392)
* Reload fix missing null checks (#12396)
* Bounds checks (#12400)
* [server,proxy] check for nullptr before using scard_call_context (#12404)
* [uwac] fix rectangular glitch around surface damage regions (#12410)
* Address various error handling inconsistencies (#12411)
* [core,server] Improve WTS API locking (#12414)
* Address some GCC compile issues (#12415, #12420)
* Winpr atexit (#12416)
* [winpr,smartcard] fix function pointer casts (#12422)
* Xf timer fix (#12423)
* [client,sdl] workaround for wlroots compositors (#12425)
* [client,sdl] fix SdlWindow::query (#12378)
* [winpr,smartcard] fix PCSC_ReleaseCardContext (#12427)
* [client,x11] eliminate obsolete compile flags (#12428)
* [client,common] skip sending input events when not connected (#12429)
* Input connected checks (#12430)
* Floatbar and display channel improvements (#12431)
* [winpr,platform] fix WINPR_ATTR_NODISCARD definition (#12432)
* [client] Fix writing of gatewayusagemethod to .rdp files (#12433)
* Nodiscard finetune (#12435)
* [core] fix missing gateway credential sync (#12436)
* [client,sdl3] limit FREERDP_WLROOTS_HACK (#12441)
* [core,settings] Allow FreeRDP_instance in setter (#12442)
* [codec,h264] make log message trace (#12444)
* X11 rails improve (#12440)
* [codec,nsc] limit copy area in nsc_process_message (#12448)
* Proxy support RFX and NSC settings (#12449)
* [client,common] display a shortened help on parsing issues (#12450)
* [winpr,smartcard] refine locking for pcsc layer (#12451)
* [codec,swscale] allow runtime loading of swscale (#12452)
* Swscale fallback (#12454)
* Sdl multi scaling support (#12456)
* [packaging,flatpak] update runtime and dependencies (#12457)
* [codec,video] add doxygen version details (#12458)
* [github,templates] update templates (#12460)
* [client,sdl] allow FREERDP_WLROOTS_HACK for all sessions (#12461)
* [warnings,nodiscard] add log messages for failures (#12463)
* [gdi,gdi] ignore empty rectangles (#12467)
* Smartcard fix smartcard-login, pass rdpContext for abort (#12466)
* [winpr,smartcard] fix compiler warnings (#12469)
* [winpr,timezone] fix search for transition dates (#12468)
* [client,common] improve /p help (#12471)
* Scard logging refactored (#12472)
* [emu,scard] fix smartcard emulation (#12475)
* Sdl null cursor (#12474)

- Version 3.23.0:
* Sdl cleanup (#12202)
* [client,sdl] do not apply window offset (#12205)
* [client,sdl] add SDL_Error to exceptions (#12214)
* Rdp monitor log (#12215)
* [winpr,smartcard] implement some attributes (#12213)
* [client,windows] Fix return value checks for mouse event functions (#12279)
* [channels,rdpecam] fix sws context checks (#12272)
* [client,windows] Enhance error handling and context validation (#12264)
* [client,windows] Add window handle validation in RDP_EVENT_TYPE_WINDOW_NEW (#12261)
* [client,sdl] fix multimon/fullscreen on wayland (#12248)
* Vendor by app (#12207)
* [core,gateway] relax TSG parsing (#12283)
* [winpr,smartcard] simplify PCSC_ReadDeviceSystemName (#12273)
* [client,windows] Implement complete keyboard indicator synchronization (#12268)
* Fixes more more more (#12286)
* Use application details for names (#12285)
* warning cleanups (#12289)
* Warning cleanup (#12291)
* [client,windows] Enhance memory safety with NULL checks and resource protection (#12271)
* [client,x11] apply /size:xx% only once (#12293)
* Freerdp config test (#12295)
* [winpr,smartcard] fix returned attribute length (#12296)
* [client,SDL3] Fix properly handle smart-sizing with fullscreen (#12298)
* [core,test] fix use after free (#12299)
* Sign warnings (#12300)
* [cmake,compiler] disable -Wjump-misses-init (#12301)
* [codec,color] fix input length checks (#12302)
* [client,sdl] improve cursor updates, fix surface sizes (#12303)
* Sdl fullscreen (#12217)
* [client,sdl] fix move constructor of SdlWindow (#12305)
* [utils,smartcard] check stream length on padding (#12306)
* [android] Fix invert scrolling default value mismatch (#12309)
* Clear fix bounds checks (#12310)
* Winpr attr nodiscard fkt ptr (#12311)
* [codec,planar] fix missing destination bounds checks (#12312)
* [codec,clear] fix destination checks (#12315)
* NSC Codec fixes (#12317)
* Freerdp api nodiscard (#12313)
* [allocations] fix growth of preallocated buffers (#12319)
* Rdpdr simplify (#12320)
* Resource fix (#12323)
* [winpr,utils] ensure message queue capacity (#12322)
* [server,shadow] fix return and parameter checks (#12330)
* Shadow fixes (#12331)
* [rdtk,nodiscard] mark rdtk API nodiscard (#12329)
* [client,x11] fix XGetWindowProperty return handling (#12334)
* Win32 signal (#12335)
* [channel,usb] fix message parsing and creation (#12336)
* [cmake] Define WINPR_DEFINE_ATTR_NODISCARD (#12338)
* Proxy config fix (#12345)
* [codec,progressive] refine progressive decoding (#12347)
* [client,sdl] fix sdl_Pointer_New (#12350)
* [core,gateway] parse [MS-TSGU] 2.2.10.5 HTTP_CHANNEL_RESPONSE_OPTIONAL (#12353)
* X11 kbd sym (#12354)
* Windows compile warning fixes (#12357,#12358,#12359)

Patch instructions:

To install this openSUSE security update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

- openSUSE Leap 16.0

zypper in -t patch openSUSE-Leap-16.0-663=1

Package List:

- openSUSE Leap 16.0:

freerdp-3.24.2-160000.1.1
freerdp-devel-3.24.2-160000.1.1
freerdp-proxy-3.24.2-160000.1.1
freerdp-proxy-plugins-3.24.2-160000.1.1
freerdp-sdl-3.24.2-160000.1.1
freerdp-server-3.24.2-160000.1.1
freerdp-wayland-3.24.2-160000.1.1
libfreerdp-server-proxy3-3-3.24.2-160000.1.1
libfreerdp3-3-3.24.2-160000.1.1
librdtk0-0-3.24.2-160000.1.1
libuwac0-0-3.24.2-160000.1.1
libwinpr3-3-3.24.2-160000.1.1
rdtk0-devel-3.24.2-160000.1.1
uwac0-devel-3.24.2-160000.1.1
winpr-devel-3.24.2-160000.1.1
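Confirming that the installed packages are at or above the fixed versions listed above is the check a defender runs after "zypper patch". The script below is an added example, not a SUSE tool: it reimplements rpm's version-segment comparison (numeric segments compared numerically, numeric beats alpha, `~` marks a pre-release, `^` a post-release) and runs it over a constructed sample of `rpm -qa --qf '%{NAME} %{EPOCH} %{VERSION} %{RELEASE}\n'` output against the freerdp fixed versions from this advisory.

```python
"""Compare installed RPM versions against the fixed versions from an advisory."""
import re

# Fixed EVRs taken from the freerdp package list above (openSUSE Leap 16.0).
FIXED = {
    "freerdp": "3.24.2-160000.1.1",
    "freerdp-server": "3.24.2-160000.1.1",
    "libfreerdp3-3": "3.24.2-160000.1.1",
    "libwinpr3-3": "3.24.2-160000.1.1",
}

# Constructed sample of `rpm -qa --qf '%{NAME} %{EPOCH} %{VERSION} %{RELEASE}\n'`:
# rpm prints "(none)" for an unset epoch. Versions here are made up for the demo.
SAMPLE_RPM_OUTPUT = """\
freerdp (none) 3.23.0 160000.1.1
libfreerdp3-3 (none) 3.24.2 160000.1.1
libwinpr3-3 (none) 3.24.2 150000.1.1
bash (none) 5.2.37 1.2
"""

# A version string is a sequence of digit runs, letter runs, '~' and '^';
# every other character ('.', '-', '_', '+') is only a separator.
_SEG = re.compile(r"[0-9]+|[a-zA-Z]+|~|\^")


def rpmvercmp(a: str, b: str) -> int:
    """Return -1, 0 or 1 following rpm's rpmvercmp() ordering rules."""
    if a == b:
        return 0
    sa, sb = _SEG.findall(a), _SEG.findall(b)
    i = 0
    while i < len(sa) or i < len(sb):
        x = sa[i] if i < len(sa) else ""
        y = sb[i] if i < len(sb) else ""
        if x == y:
            i += 1
            continue
        # '~' sorts before anything, including the end of the string (1.0~rc1 < 1.0)
        if x == "~" or y == "~":
            return -1 if x == "~" else 1
        # '^' sorts after the end of the string but before any real segment
        if x == "^" or y == "^":
            if x == "":
                return -1
            if y == "":
                return 1
            return -1 if x == "^" else 1
        # the string with more segments is the newer one
        if x == "":
            return -1
        if y == "":
            return 1
        if x.isdigit() and y.isdigit():
            c = (int(x) > int(y)) - (int(x) < int(y))
        elif x.isdigit():
            c = 1          # numeric segment is newer than an alpha segment
        elif y.isdigit():
            c = -1
        else:
            c = (x > y) - (x < y)
        if c:
            return c
        i += 1
    return 0


def split_fixed(evr: str):
    """Turn '[epoch:]version-release' into an (epoch, version, release) tuple."""
    epoch = 0
    if ":" in evr:
        e, evr = evr.split(":", 1)
        epoch = int(e)
    version, release = evr.rsplit("-", 1)
    return epoch, version, release


def compare_evr(a, b) -> int:
    """Compare two (epoch, version, release) tuples; epoch wins, then version, then release."""
    if a[0] != b[0]:
        return (a[0] > b[0]) - (a[0] < b[0])
    return rpmvercmp(a[1], b[1]) or rpmvercmp(a[2], b[2])


def parse_rpm_qa(text: str) -> dict:
    """Parse the four-column rpm query output into {name: (epoch, version, release)}."""
    pkgs = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        name, epoch, version, release = line.split()
        pkgs[name] = (0 if epoch == "(none)" else int(epoch), version, release)
    return pkgs


def outdated(installed: dict, fixed: dict) -> dict:
    """Return {name: installed_evr} for installed packages still below the fixed EVR.
    Packages that are not installed are not affected and are skipped."""
    return {
        name: installed[name]
        for name, fixed_evr in fixed.items()
        if name in installed and compare_evr(installed[name], split_fixed(fixed_evr)) < 0
    }


if __name__ == "__main__":
    for name, (epoch, ver, rel) in outdated(parse_rpm_qa(SAMPLE_RPM_OUTPUT), FIXED).items():
        print(f"{name}: installed {ver}-{rel}, fixed in {FIXED[name]}")
```

On a real host, pipe the output of the rpm query shown in the lead-in into `parse_rpm_qa` instead of the constructed sample; an empty result means every listed package is at or above the fixed version.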

References:

* https://www.suse.com/security/cve/CVE-2026-25941.html
* https://www.suse.com/security/cve/CVE-2026-25942.html
* https://www.suse.com/security/cve/CVE-2026-25952.html
* https://www.suse.com/security/cve/CVE-2026-25953.html
* https://www.suse.com/security/cve/CVE-2026-25954.html
* https://www.suse.com/security/cve/CVE-2026-25955.html
* https://www.suse.com/security/cve/CVE-2026-25959.html
* https://www.suse.com/security/cve/CVE-2026-25997.html
* https://www.suse.com/security/cve/CVE-2026-26271.html
* https://www.suse.com/security/cve/CVE-2026-26955.html
* https://www.suse.com/security/cve/CVE-2026-26965.html
* https://www.suse.com/security/cve/CVE-2026-29774.html
* https://www.suse.com/security/cve/CVE-2026-29775.html
* https://www.suse.com/security/cve/CVE-2026-29776.html
* https://www.suse.com/security/cve/CVE-2026-31806.html
* https://www.suse.com/security/cve/CVE-2026-31883.html
* https://www.suse.com/security/cve/CVE-2026-31884.html
* https://www.suse.com/security/cve/CVE-2026-31885.html
* https://www.suse.com/security/cve/CVE-2026-31897.html
* https://www.suse.com/security/cve/CVE-2026-33952.html
* https://www.suse.com/security/cve/CVE-2026-33977.html
* https://www.suse.com/security/cve/CVE-2026-33982.html
* https://www.suse.com/security/cve/CVE-2026-33983.html
* https://www.suse.com/security/cve/CVE-2026-33984.html
* https://www.suse.com/security/cve/CVE-2026-33985.html
* https://www.suse.com/security/cve/CVE-2026-33986.html
* https://www.suse.com/security/cve/CVE-2026-33987.html
* https://www.suse.com/security/cve/CVE-2026-33995.html



openSUSE-SU-2026:20662-1: moderate: Security update for hauler


openSUSE security update: security update for hauler
-------------------------------------------------------------

Announcement ID: openSUSE-SU-2026:20662-1
Rating: moderate
References:

* bsc#1258614

Cross-References:

* CVE-2026-24122

CVSS scores:

* CVE-2026-24122 ( SUSE ): 3.7 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N
* CVE-2026-24122 ( SUSE ): 6.3 CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

Affected Products:

openSUSE Leap 16.0

-------------------------------------------------------------

An update that solves one vulnerability and has one bug fix can now be installed.

Description:

This update for hauler fixes the following issues:

Changes in hauler:

- update to 1.4.2 (bsc#1258614, CVE-2026-24122):
* Bump github.com/theupdateframework/go-tuf/v2 from 2.3.0 to
2.3.1 in the go_modules group across 1 directory
* fix for new helm chart features
* Bump github.com/sigstore/rekor from 1.4.3 to 1.5.0 in the
go_modules group across 1 directory
* Bump github.com/sigstore/sigstore from 1.10.3 to 1.10.4 in
the go_modules group across 1 directory
* Bump github.com/theupdateframework/go-tuf/v2 from 2.3.1 to
2.4.1 in the go_modules group across 1 directory
* update cosign fork to 3.0.4 plus dep tidy
* fix: Fix file:// dependency chart path resolution
* update github.com/olekukonko/tablewriter to v1.1.2
* keep registry on image rewrite if not specified
* Bump github.com/theupdateframework/go-tuf/v2 from 2.3.1 to
2.4.1 in the go_modules group across 1 directory
* fix: handling of file referenced dependencies without
repository field
* Bump go.opentelemetry.io/otel/sdk from 1.39.0 to 1.40.0 in
the go_modules group across 1 directory
* dev.md file
* smaller changes and updates for v1.4.2 release

Patch instructions:

To install this openSUSE security update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

- openSUSE Leap 16.0

zypper in -t patch openSUSE-Leap-16.0-packagehub-228=1

Package List:

- openSUSE Leap 16.0:

hauler-1.4.2-bp160.1.1

References:

* https://www.suse.com/security/cve/CVE-2026-24122.html



openSUSE-SU-2026:20664-1: important: Security update for MozillaThunderbird


openSUSE security update: security update for mozillathunderbird
-------------------------------------------------------------

Announcement ID: openSUSE-SU-2026:20664-1
Rating: important
References:

* bsc#1260083
* bsc#1262230

Cross-References:

* CVE-2025-59375
* CVE-2026-3889
* CVE-2026-4371
* CVE-2026-4684
* CVE-2026-4685
* CVE-2026-4686
* CVE-2026-4687
* CVE-2026-4688
* CVE-2026-4689
* CVE-2026-4690
* CVE-2026-4691
* CVE-2026-4692
* CVE-2026-4693
* CVE-2026-4694
* CVE-2026-4695
* CVE-2026-4696
* CVE-2026-4697
* CVE-2026-4698
* CVE-2026-4699
* CVE-2026-4700
* CVE-2026-4701
* CVE-2026-4702
* CVE-2026-4704
* CVE-2026-4705
* CVE-2026-4706
* CVE-2026-4707
* CVE-2026-4708
* CVE-2026-4709
* CVE-2026-4710
* CVE-2026-4711
* CVE-2026-4712
* CVE-2026-4713
* CVE-2026-4714
* CVE-2026-4715
* CVE-2026-4716
* CVE-2026-4717
* CVE-2026-4718
* CVE-2026-4719
* CVE-2026-4720
* CVE-2026-4721
* CVE-2026-5731
* CVE-2026-5732
* CVE-2026-5734
* CVE-2026-6746
* CVE-2026-6747
* CVE-2026-6748
* CVE-2026-6749
* CVE-2026-6750
* CVE-2026-6751
* CVE-2026-6752
* CVE-2026-6753
* CVE-2026-6754
* CVE-2026-6757
* CVE-2026-6759
* CVE-2026-6761
* CVE-2026-6762
* CVE-2026-6763
* CVE-2026-6764
* CVE-2026-6765
* CVE-2026-6766
* CVE-2026-6767
* CVE-2026-6769
* CVE-2026-6770
* CVE-2026-6771
* CVE-2026-6772
* CVE-2026-6776
* CVE-2026-6785
* CVE-2026-6786

CVSS scores:

* CVE-2025-59375 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
* CVE-2025-59375 ( SUSE ): 8.2 CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
* CVE-2026-3889 ( SUSE ): 5.4 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
* CVE-2026-4371 ( SUSE ): 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
* CVE-2026-4684 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
* CVE-2026-4685 ( SUSE ): 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
* CVE-2026-4686 ( SUSE ): 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
* CVE-2026-4687 ( SUSE ): 8.3 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H
* CVE-2026-4688 ( SUSE ): 8.3 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H
* CVE-2026-4689 ( SUSE ): 8.3 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H
* CVE-2026-4690 ( SUSE ): 8.3 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H
* CVE-2026-4691 ( SUSE ): 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
* CVE-2026-4692 ( SUSE ): 8.3 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H
* CVE-2026-4693 ( SUSE ): 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
* CVE-2026-4694 ( SUSE ): 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
* CVE-2026-4695 ( SUSE ): 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
* CVE-2026-4696 ( SUSE ): 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
* CVE-2026-4697 ( SUSE ): 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
* CVE-2026-4698 ( SUSE ): 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
* CVE-2026-4699 ( SUSE ): 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
* CVE-2026-4700 ( SUSE ): 5.4 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
* CVE-2026-4701 ( SUSE ): 6.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L
* CVE-2026-4702 ( SUSE ): 6.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L
* CVE-2026-4704 ( SUSE ): 4.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L
* CVE-2026-4705 ( SUSE ): 5 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L
* CVE-2026-4706 ( SUSE ): 6.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L
* CVE-2026-4707 ( SUSE ): 6.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L
* CVE-2026-4708 ( SUSE ): 6.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L
* CVE-2026-4709 ( SUSE ): 6.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L
* CVE-2026-4710 ( SUSE ): 6.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L
* CVE-2026-4711 ( SUSE ): 6.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L
* CVE-2026-4712 ( SUSE ): 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
* CVE-2026-4713 ( SUSE ): 6.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L
* CVE-2026-4714 ( SUSE ): 6.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L
* CVE-2026-4715 ( SUSE ): 6.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L
* CVE-2026-4716 ( SUSE ): 6.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L
* CVE-2026-4717 ( SUSE ): 6.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L
* CVE-2026-4718 ( SUSE ): 5 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L
* CVE-2026-4719 ( SUSE ): 6.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L
* CVE-2026-4720 ( SUSE ): 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
* CVE-2026-4721 ( SUSE ): 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
* CVE-2026-5731 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
* CVE-2026-5732 ( SUSE ): 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
* CVE-2026-5734 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

Affected Products:

openSUSE Leap 16.0

-------------------------------------------------------------

An update that solves 68 vulnerabilities and has 2 bug fixes can now be installed.

Description:

This update for MozillaThunderbird fixes the following issues:

Changes in MozillaThunderbird:

- Mozilla Thunderbird 140.10.0 ESR
* Newly translated strings were not available in Thunderbird
MFSA 2026-34 (bsc#1262230)
* CVE-2026-6746 Use-after-free in the DOM: Core & HTML component
* CVE-2026-6747 Use-after-free in the WebRTC component
* CVE-2026-6748 Uninitialized memory in the Audio/Video: Web Codecs component
* CVE-2026-6749 Information disclosure due to uninitialized memory in the Graphics: Canvas2D component
* CVE-2026-6750 Privilege escalation in the Graphics: WebRender component
* CVE-2026-6751 Uninitialized memory in the Audio/Video: Web Codecs component
* CVE-2026-6752 Incorrect boundary conditions in the WebRTC component
* CVE-2026-6753 Incorrect boundary conditions in the WebRTC component
* CVE-2026-6754 Use-after-free in the JavaScript Engine component
* CVE-2026-6757 Invalid pointer in the JavaScript: WebAssembly component
* CVE-2026-6759 Use-after-free in the Widget: Cocoa component
* CVE-2026-6761 Privilege escalation in the Networking component
* CVE-2026-6762 Spoofing issue in the DOM: Core & HTML component
* CVE-2026-6763 Mitigation bypass in the File Handling component
* CVE-2026-6764 Incorrect boundary conditions in the DOM: Device Interfaces component
* CVE-2026-6765 Information disclosure in the Form Autofill component
* CVE-2026-6766 Incorrect boundary conditions in the Libraries component in NSS
* CVE-2026-6767 Other issue in the Libraries component in NSS
* CVE-2026-6769 Privilege escalation in the Debugger component
* CVE-2026-6770 Other issue in the Storage: IndexedDB component
* CVE-2026-6771 Mitigation bypass in the DOM: Security component
* CVE-2026-6772 Incorrect boundary conditions in the Libraries component in NSS
* CVE-2026-6776 Incorrect boundary conditions in the WebRTC: Networking component
* CVE-2026-6785 Memory safety bugs fixed in Firefox ESR 115.35, Firefox ESR 140.10, Thunderbird ESR 140.10, Firefox 150 and Thunderbird 150
* CVE-2026-6786 Memory safety bugs fixed in Firefox ESR 140.10, Thunderbird ESR 140.10, Firefox 150 and Thunderbird 150

- Mozilla Thunderbird 140.9.1 ESR
MFSA 2026-29
* CVE-2026-5732 Incorrect boundary conditions, integer overflow in the Graphics: Text component
* CVE-2026-5731 Memory safety bugs fixed in Firefox ESR 115.34.1, Firefox ESR 140.9.1, Thunderbird ESR 140.9.1, Firefox 149.0.2 and Thunderbird 149.0.2
* CVE-2026-5734 Memory safety bugs fixed in Firefox ESR 140.9.1, Thunderbird ESR 140.9.1, Firefox 149.0.2 and Thunderbird 149.0.2

- Mozilla Thunderbird 140.9.0 ESR
MFSA 2026-24 (bsc#1260083)
* CVE-2026-3889 Spoofing issue in Thunderbird
* CVE-2026-4371 Out of bounds read in IMAP parsing
* CVE-2026-4684 Race condition, use-after-free in the Graphics: WebRender component
* CVE-2026-4685 Incorrect boundary conditions in the Graphics: Canvas2D component
* CVE-2026-4686 Incorrect boundary conditions in the Graphics: Canvas2D component
* CVE-2026-4687 Sandbox escape due to incorrect boundary conditions in the Telemetry component
* CVE-2026-4688 Sandbox escape due to use-after-free in the Disability Access APIs component
* CVE-2026-4689 Sandbox escape due to incorrect boundary conditions, integer overflow in the XPCOM component
* CVE-2026-4690 Sandbox escape due to incorrect boundary conditions, integer overflow in the XPCOM component
* CVE-2026-4691 Use-after-free in the CSS Parsing and Computation component
* CVE-2026-4692 Sandbox escape in the Responsive Design Mode component
* CVE-2026-4693 Incorrect boundary conditions in the Audio/Video: Playback component
* CVE-2026-4694 Incorrect boundary conditions, integer overflow in the Graphics component
* CVE-2026-4695 Incorrect boundary conditions in the Audio/Video: Web Codecs component
* CVE-2026-4696 Use-after-free in the Layout: Text and Fonts component
* CVE-2026-4697 Incorrect boundary conditions in the Audio/Video: Web Codecs component
* CVE-2026-4698 JIT miscompilation in the JavaScript Engine: JIT component
* CVE-2026-4699 Incorrect boundary conditions in the Layout: Text and Fonts component
* CVE-2026-4700 Mitigation bypass in the Networking: HTTP component
* CVE-2026-4701 Use-after-free in the JavaScript Engine component
* CVE-2026-4702 JIT miscompilation in the JavaScript Engine component
* CVE-2026-4704 Denial-of-service in the WebRTC: Signaling component
* CVE-2026-4705 Undefined behavior in the WebRTC: Signaling component
* CVE-2026-4706 Incorrect boundary conditions in the Graphics: Canvas2D component
* CVE-2026-4707 Incorrect boundary conditions in the Graphics: Canvas2D component
* CVE-2026-4708 Incorrect boundary conditions in the Graphics component
* CVE-2026-4709 Incorrect boundary conditions in the Audio/Video: GMP component
* CVE-2026-4710 Incorrect boundary conditions in the Audio/Video component
* CVE-2026-4711 Use-after-free in the Widget: Cocoa component
* CVE-2026-4712 Information disclosure in the Widget: Cocoa component
* CVE-2026-4713 Incorrect boundary conditions in the Graphics component
* CVE-2026-4714 Incorrect boundary conditions in the Audio/Video component
* CVE-2026-4715 Uninitialized memory in the Graphics: Canvas2D component
* CVE-2026-4716 Incorrect boundary conditions, uninitialized memory in the JavaScript Engine component
* CVE-2026-4717 Privilege escalation in the Netmonitor component
* CVE-2025-59375 Denial-of-service in the XML component
* CVE-2026-4718 Undefined behavior in the WebRTC: Signaling component
* CVE-2026-4719 Incorrect boundary conditions in the Graphics: Text component
* CVE-2026-4720 Memory safety bugs fixed in Firefox ESR 140.9, Thunderbird ESR 140.9, Firefox 149 and Thunderbird 149
* CVE-2026-4721 Memory safety bugs fixed in Firefox ESR 115.34, Firefox ESR 140.9, Thunderbird ESR 140.9, Firefox 149 and Thunderbird 149

Patch instructions:

To install this openSUSE security update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

- openSUSE Leap 16.0

zypper in -t patch openSUSE-Leap-16.0-packagehub-230=1

Package List:

- openSUSE Leap 16.0:

MozillaThunderbird-140.10.0-bp160.1.1
MozillaThunderbird-openpgp-librnp-140.10.0-bp160.1.1
MozillaThunderbird-translations-common-140.10.0-bp160.1.1
MozillaThunderbird-translations-other-140.10.0-bp160.1.1

References:

* https://www.suse.com/security/cve/CVE-2025-59375.html
* https://www.suse.com/security/cve/CVE-2026-3889.html
* https://www.suse.com/security/cve/CVE-2026-4371.html
* https://www.suse.com/security/cve/CVE-2026-4684.html
* https://www.suse.com/security/cve/CVE-2026-4685.html
* https://www.suse.com/security/cve/CVE-2026-4686.html
* https://www.suse.com/security/cve/CVE-2026-4687.html
* https://www.suse.com/security/cve/CVE-2026-4688.html
* https://www.suse.com/security/cve/CVE-2026-4689.html
* https://www.suse.com/security/cve/CVE-2026-4690.html
* https://www.suse.com/security/cve/CVE-2026-4691.html
* https://www.suse.com/security/cve/CVE-2026-4692.html
* https://www.suse.com/security/cve/CVE-2026-4693.html
* https://www.suse.com/security/cve/CVE-2026-4694.html
* https://www.suse.com/security/cve/CVE-2026-4695.html
* https://www.suse.com/security/cve/CVE-2026-4696.html
* https://www.suse.com/security/cve/CVE-2026-4697.html
* https://www.suse.com/security/cve/CVE-2026-4698.html
* https://www.suse.com/security/cve/CVE-2026-4699.html
* https://www.suse.com/security/cve/CVE-2026-4700.html
* https://www.suse.com/security/cve/CVE-2026-4701.html
* https://www.suse.com/security/cve/CVE-2026-4702.html
* https://www.suse.com/security/cve/CVE-2026-4704.html
* https://www.suse.com/security/cve/CVE-2026-4705.html
* https://www.suse.com/security/cve/CVE-2026-4706.html
* https://www.suse.com/security/cve/CVE-2026-4707.html
* https://www.suse.com/security/cve/CVE-2026-4708.html
* https://www.suse.com/security/cve/CVE-2026-4709.html
* https://www.suse.com/security/cve/CVE-2026-4710.html
* https://www.suse.com/security/cve/CVE-2026-4711.html
* https://www.suse.com/security/cve/CVE-2026-4712.html
* https://www.suse.com/security/cve/CVE-2026-4713.html
* https://www.suse.com/security/cve/CVE-2026-4714.html
* https://www.suse.com/security/cve/CVE-2026-4715.html
* https://www.suse.com/security/cve/CVE-2026-4716.html
* https://www.suse.com/security/cve/CVE-2026-4717.html
* https://www.suse.com/security/cve/CVE-2026-4718.html
* https://www.suse.com/security/cve/CVE-2026-4719.html
* https://www.suse.com/security/cve/CVE-2026-4720.html
* https://www.suse.com/security/cve/CVE-2026-4721.html
* https://www.suse.com/security/cve/CVE-2026-5731.html
* https://www.suse.com/security/cve/CVE-2026-5732.html
* https://www.suse.com/security/cve/CVE-2026-5734.html
* https://www.suse.com/security/cve/CVE-2026-6746.html
* https://www.suse.com/security/cve/CVE-2026-6747.html
* https://www.suse.com/security/cve/CVE-2026-6748.html
* https://www.suse.com/security/cve/CVE-2026-6749.html
* https://www.suse.com/security/cve/CVE-2026-6750.html
* https://www.suse.com/security/cve/CVE-2026-6751.html
* https://www.suse.com/security/cve/CVE-2026-6752.html
* https://www.suse.com/security/cve/CVE-2026-6753.html
* https://www.suse.com/security/cve/CVE-2026-6754.html
* https://www.suse.com/security/cve/CVE-2026-6757.html
* https://www.suse.com/security/cve/CVE-2026-6759.html
* https://www.suse.com/security/cve/CVE-2026-6761.html
* https://www.suse.com/security/cve/CVE-2026-6762.html
* https://www.suse.com/security/cve/CVE-2026-6763.html
* https://www.suse.com/security/cve/CVE-2026-6764.html
* https://www.suse.com/security/cve/CVE-2026-6765.html
* https://www.suse.com/security/cve/CVE-2026-6766.html
* https://www.suse.com/security/cve/CVE-2026-6767.html
* https://www.suse.com/security/cve/CVE-2026-6769.html
* https://www.suse.com/security/cve/CVE-2026-6770.html
* https://www.suse.com/security/cve/CVE-2026-6771.html
* https://www.suse.com/security/cve/CVE-2026-6772.html
* https://www.suse.com/security/cve/CVE-2026-6776.html
* https://www.suse.com/security/cve/CVE-2026-6785.html
* https://www.suse.com/security/cve/CVE-2026-6786.html



openSUSE-SU-2026:20659-1: moderate: Security update for libspectre


openSUSE security update: security update for libspectre
-------------------------------------------------------------

Announcement ID: openSUSE-SU-2026:20659-1
Rating: moderate

Affected Products:

openSUSE Leap 16.0

-------------------------------------------------------------

An update that solves various issues can now be installed.

Description:

This update for libspectre fixes the following issues:

- rebuilt against the updated ghostscript version.

Patch instructions:

To install this openSUSE security update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

- openSUSE Leap 16.0

zypper in -t patch openSUSE-Leap-16.0-665=1

Package List:

- openSUSE Leap 16.0:

libspectre-devel-0.2.12-160000.2.3
libspectre1-0.2.12-160000.2.3



openSUSE-SU-2026:20655-1: moderate: Security update for helm


openSUSE security update: security update for helm
-------------------------------------------------------------

Announcement ID: openSUSE-SU-2026:20655-1
Rating: moderate
References:

* bsc#1248093
* bsc#1261938

Cross-References:

* CVE-2025-55199
* CVE-2026-35206

CVSS scores:

* CVE-2025-55199 ( SUSE ): 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
* CVE-2025-55199 ( SUSE ): 6.9 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
* CVE-2026-35206 ( SUSE ): 4.4 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L
* CVE-2026-35206 ( SUSE ): 4.8 CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Affected Products:

openSUSE Leap 16.0

-------------------------------------------------------------

An update that solves 2 vulnerabilities and has 2 bug fixes can now be installed.

Description:

This update for helm fixes the following issues:

Update to version 3.20.2.

Security issues fixed:

- CVE-2025-55199: a specially crafted JSON Schema can lead to out-of-memory (OOM) termination (bsc#1248093).
- CVE-2026-35206: a specially crafted Chart has its contents extracted directly into the output directory rather than into
the expected subdirectory named after the Chart (bsc#1261938).

Other updates and bugfixes:

- Version 3.20.1:
- chore(deps): bump the k8s-io group with 7 updates a2369ca (dependabot[bot])
- add image index test 90e1056 (Pedro T?rres)
- fix pulling charts from OCI indices 911f2e9 (Pedro T?rres)
- Remove refactoring changes from coalesce_test.go 76dad33 (Evans Mungai)
- Fix import 45c12f7 (Evans Mungai)
- Update pkg/chart/common/util/coalesce_test.go 26c6f19 (Evans Mungai)
- Fix lint warning 09f5129 (Evans Mungai)
- Preserve nil values in chart already 417deb2 (Evans Mungai)
- fix(values): preserve nil values when chart default is empty map 5417bfa (Evans Mungai)
- Version 3.20.0:
- SDK: bump k8s API versions to v0.35.0
- v3 backport: Fixed a bug where helm uninstall with --keep-history did not suspend previous deployed releases #12564
- v3 backport: Bump Go version to v1.25
- bump version to v3.20
- chore(deps): bump golang.org/x/text from 0.32.0 to 0.33.0
- chore(deps): bump golang.org/x/term from 0.38.0 to 0.39.0
- chore(deps): bump github.com/foxcpp/go-mockdns from 1.1.0 to 1.2.0
- chore(deps): bump the k8s-io group with 7 updates
- [dev-v3] Replace deprecated `NewSimpleClientset`
- [dev-v3] Bump Go v1.25, `golangci-lint` v2
- chore(deps): bump github.com/BurntSushi/toml from 1.5.0 to 1.6.0
- chore(deps): bump github.com/containerd/containerd from 1.7.29 to 1.7.30
- fix(rollback): `errors.Is` instead of string comp
- fix(uninstall): supersede deployed releases
- Use latest patch release of Go in releases
- chore(deps): bump golang.org/x/crypto from 0.45.0 to 0.46.0
- chore(deps): bump golang.org/x/text from 0.31.0 to 0.32.0
- chore(deps): bump golang.org/x/term from 0.37.0 to 0.38.0
- chore(deps): bump github.com/spf13/cobra from 1.10.1 to 1.10.2
- chore(deps): bump github.com/rubenv/sql-migrate from 1.8.0 to 1.8.1
- chore(deps): bump golang.org/x/crypto from 0.44.0 to 0.45.0
- chore(deps): bump github.com/cyphar/filepath-securejoin
- chore(deps): bump golang.org/x/text from 0.30.0 to 0.31.0
- chore(deps): bump golang.org/x/crypto from 0.43.0 to 0.44.0
- Remove dev-v3 `helm-latest-version` publish
- chore(deps): bump golang.org/x/term from 0.36.0 to 0.37.0 1.7.28 to 1.7.29
- Revert "pkg/registry: Login option for passing TLS config in memory"
- jsonschema: warn and ignore unresolved URN $ref to match v3.18.4
- Fix `helm pull` untar dir check with repo urls
- chore(deps): bump golang.org/x/crypto from 0.42.0 to 0.43.0
- chore(deps): bump github.com/gofrs/flock from 0.12.1 to 0.13.0
- chore(deps): bump golang.org/x/text from 0.29.0 to 0.30.0
- [backport] fix: get-helm-3 script use helm3-latest-version
- pkg/registry: Login option for passing TLS config in memory
- Fix deprecation warning
- chore(deps): bump golang.org/x/crypto from 0.41.0 to 0.42.0
- chore(deps): bump golang.org/x/term from 0.34.0 to 0.35.0
- Avoid "panic: interface conversion: interface {} is nil"
- bump version to v3.19.0
- chore(deps): bump github.com/spf13/pflag from 1.0.7 to 1.0.10
- fix: set repo authorizer in registry.Client.Resolve()
- fix null merge
- Add timeout flag to repo add and update flags
- Version 3.19.5:
- Fixed bug where removing subchart value via override resulted in warning #31118
- Fixed bug where helm uninstall with --keep-history did not suspend previous deployed releases #12556
- fix(rollback): errors.Is instead of string comp 4a19a5b (Hidde Beydals)
- fix(uninstall): supersede deployed releases 7a00235 (Hidde Beydals)
- fix null merge 578564e (Ben Foster)
- Version 3.19.4:
- Use latest patch release of Go in releases 7cfb6e4 (Matt Farina)
- chore(deps): bump github.com/gofrs/flock from 0.12.1 to 0.13.0 59c951f (dependabot[bot])
- chore(deps): bump github.com/cyphar/filepath-securejoin d45f3f1
- chore(deps): bump golang.org/x/crypto from 0.44.0 to 0.45.0 d459544 (dependabot[bot])
- chore(deps): bump golang.org/x/term from 0.36.0 to 0.37.0 becd387 (dependabot[bot])
- chore(deps): bump the k8s-io group with 7 updates edb1579
- Version 3.19.3:
- Bump golang.org/x/crypto to v0.45.0
- Version 3.19.2:
- [backport] fix: get-helm-3 script use helm3-latest-version 8766e71 (George Jenkins)

Patch instructions:

To install this openSUSE security update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

- openSUSE Leap 16.0

zypper in -t patch openSUSE-Leap-16.0-661=1

Package List:

- openSUSE Leap 16.0:

helm-3.20.2-160000.1.1
helm-bash-completion-3.20.2-160000.1.1
helm-fish-completion-3.20.2-160000.1.1
helm-zsh-completion-3.20.2-160000.1.1

References:

* https://www.suse.com/security/cve/CVE-2025-55199.html
* https://www.suse.com/security/cve/CVE-2026-35206.html



openSUSE-SU-2026:20658-1: moderate: Security update for himmelblau


openSUSE security update: security update for himmelblau
-------------------------------------------------------------

Announcement ID: openSUSE-SU-2026:20658-1
Rating: moderate
References:

* bsc#1261324
* bsc#1261613

Cross-References:

* CVE-2026-34397

CVSS scores:

* CVE-2026-34397 ( SUSE ): 6.3 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N
* CVE-2026-34397 ( SUSE ): 7.2 CVSS:4.0/AV:L/AC:H/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

Affected Products:

openSUSE Leap 16.0

-------------------------------------------------------------

An update that solves one vulnerability and has 2 bug fixes can now be installed.

Description:

This update for himmelblau fixes the following issues:

Update to version 2.3.9+git0.a9fd29b.

Security issues fixed:

- CVE-2026-34397: Fixed a naming collision that could lead to local privilege escalation (bsc#1261324).

Other updates and bugfixes:

- update aws-lc-sys to 0.39.0 for security fixes
- update rustls-webpki to 0.103.10 for CRL revocation fix
- Version 2.3.9:
* packaging: fix if/else block for debian's postrm
* Update apparmor.unix-chkpwd.local (Issue #1252)
* When Hello user encounters SSPR demand, be permissive
* add tests for sudo_groups functionality
* Fix config tests to ignore local host config
* Do not clear $NOTIFY_SOCKET when calling sd_ready
* Fix token cache 24h purge
* broker: use SSO server nonce for PRT only when provided
* Fix pam_himmelblau blocking local user password changes (#1199)
* Remove unused File import
* Use is_ascii_alphanumeric() for account_id validation
* Fix path traversal in LoadProfilePhoto AccountsService writes
* Drop initialization tracing span
* himmelblau-hsm-pin-init: drop RemainAfterExit=yes
* Add fallback behavior when consent is required
* qr-greeter: enable extension without socket noise
* debian: make install/remove noninteractive; reduce QR postinst noise; soften missing hello prt
* Never respond with BadRequest without error detail
* deps(rust): bump the all-cargo-updates group across 1 directory with 7 updates

Patch instructions:

To install this openSUSE security update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

- openSUSE Leap 16.0

zypper in -t patch openSUSE-Leap-16.0-664=1

Package List:

- openSUSE Leap 16.0:

himmelblau-2.3.9+git0.a9fd29b-160000.1.1
himmelblau-qr-greeter-2.3.9+git0.a9fd29b-160000.1.1
himmelblau-sshd-config-2.3.9+git0.a9fd29b-160000.1.1
himmelblau-sso-2.3.9+git0.a9fd29b-160000.1.1
libnss_himmelblau2-2.3.9+git0.a9fd29b-160000.1.1
pam-himmelblau-2.3.9+git0.a9fd29b-160000.1.1

References:

* https://www.suse.com/security/cve/CVE-2026-34397.html



SUSE-SU-2026:1671-2: important: Security update for the Linux Kernel


# Security update for the Linux Kernel

Announcement ID: SUSE-SU-2026:1671-2
Release Date: 2026-05-04T09:19:32Z
Rating: important
References:

* bsc#1262573

Cross-References:

* CVE-2026-31431

CVSS scores:

* CVE-2026-31431 ( SUSE ): 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
* CVE-2026-31431 ( NVD ): 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Affected Products:

* openSUSE Leap 15.6

An update that solves one vulnerability can now be installed.

## Description:

The SUSE Linux Enterprise 15 SP5 kernel was updated to fix one security issue.

The following security issue was fixed:

* CVE-2026-31431: The copy.fail security issue is fixed by reverting to operating
out-of-place in algif_aead (bsc#1262573).

## Special Instructions and Notes:

* Please reboot the system after installing this update.

## Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like
YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

* openSUSE Leap 15.6
zypper in -t patch openSUSE-SLE-15.6-2026-1671=1

## Package List:

* openSUSE Leap 15.6 (aarch64 ppc64le s390x x86_64)
* kernel-obs-build-6.4.0-150600.23.100.1
* kernel-default-debuginfo-6.4.0-150600.23.100.1
* kernel-default-extra-debuginfo-6.4.0-150600.23.100.1
* kernel-default-debugsource-6.4.0-150600.23.100.1
* kernel-syms-6.4.0-150600.23.100.1
* ocfs2-kmp-default-debuginfo-6.4.0-150600.23.100.1
* gfs2-kmp-default-6.4.0-150600.23.100.1
* kernel-default-optional-debuginfo-6.4.0-150600.23.100.1
* kselftests-kmp-default-debuginfo-6.4.0-150600.23.100.1
* cluster-md-kmp-default-6.4.0-150600.23.100.1
* kernel-obs-qa-6.4.0-150600.23.100.1
* kernel-default-devel-6.4.0-150600.23.100.1
* dlm-kmp-default-debuginfo-6.4.0-150600.23.100.1
* dlm-kmp-default-6.4.0-150600.23.100.1
* kernel-obs-build-debugsource-6.4.0-150600.23.100.1
* cluster-md-kmp-default-debuginfo-6.4.0-150600.23.100.1
* kernel-default-devel-debuginfo-6.4.0-150600.23.100.1
* reiserfs-kmp-default-6.4.0-150600.23.100.1
* gfs2-kmp-default-debuginfo-6.4.0-150600.23.100.1
* kselftests-kmp-default-6.4.0-150600.23.100.1
* ocfs2-kmp-default-6.4.0-150600.23.100.1
* kernel-default-livepatch-6.4.0-150600.23.100.1
* kernel-default-optional-6.4.0-150600.23.100.1
* kernel-default-extra-6.4.0-150600.23.100.1
* reiserfs-kmp-default-debuginfo-6.4.0-150600.23.100.1
* openSUSE Leap 15.6 (nosrc ppc64le x86_64)
* kernel-debug-6.4.0-150600.23.100.1
* openSUSE Leap 15.6 (ppc64le x86_64)
* kernel-debug-devel-debuginfo-6.4.0-150600.23.100.1
* kernel-debug-debugsource-6.4.0-150600.23.100.1
* kernel-debug-debuginfo-6.4.0-150600.23.100.1
* kernel-debug-devel-6.4.0-150600.23.100.1
* openSUSE Leap 15.6 (x86_64)
* kernel-debug-vdso-debuginfo-6.4.0-150600.23.100.1
* kernel-kvmsmall-vdso-debuginfo-6.4.0-150600.23.100.1
* kernel-default-vdso-6.4.0-150600.23.100.1
* kernel-debug-vdso-6.4.0-150600.23.100.1
* kernel-kvmsmall-vdso-6.4.0-150600.23.100.1
* kernel-default-vdso-debuginfo-6.4.0-150600.23.100.1
* openSUSE Leap 15.6 (aarch64 ppc64le s390x x86_64 nosrc)
* kernel-default-6.4.0-150600.23.100.1
* openSUSE Leap 15.6 (aarch64 ppc64le x86_64)
* kernel-kvmsmall-devel-debuginfo-6.4.0-150600.23.100.1
* kernel-default-base-6.4.0-150600.23.100.1.150600.12.46.2
* kernel-kvmsmall-devel-6.4.0-150600.23.100.1
* kernel-kvmsmall-debugsource-6.4.0-150600.23.100.1
* kernel-default-base-rebuild-6.4.0-150600.23.100.1.150600.12.46.2
* kernel-kvmsmall-debuginfo-6.4.0-150600.23.100.1
* openSUSE Leap 15.6 (ppc64le s390x x86_64)
* kernel-default-livepatch-devel-6.4.0-150600.23.100.1
* openSUSE Leap 15.6 (noarch)
* kernel-devel-6.4.0-150600.23.100.1
* kernel-docs-html-6.4.0-150600.23.100.1
* kernel-source-6.4.0-150600.23.100.1
* kernel-macros-6.4.0-150600.23.100.1
* kernel-source-vanilla-6.4.0-150600.23.100.1
* openSUSE Leap 15.6 (noarch nosrc)
* kernel-docs-6.4.0-150600.23.100.1
* openSUSE Leap 15.6 (aarch64 nosrc ppc64le x86_64)
* kernel-kvmsmall-6.4.0-150600.23.100.1
* openSUSE Leap 15.6 (nosrc s390x)
* kernel-zfcpdump-6.4.0-150600.23.100.1
* openSUSE Leap 15.6 (s390x)
* kernel-zfcpdump-debuginfo-6.4.0-150600.23.100.1
* kernel-zfcpdump-debugsource-6.4.0-150600.23.100.1
* openSUSE Leap 15.6 (aarch64)
* cluster-md-kmp-64kb-6.4.0-150600.23.100.1
* gfs2-kmp-64kb-debuginfo-6.4.0-150600.23.100.1
* dtb-nvidia-6.4.0-150600.23.100.1
* dtb-allwinner-6.4.0-150600.23.100.1
* kselftests-kmp-64kb-6.4.0-150600.23.100.1
* kernel-64kb-debugsource-6.4.0-150600.23.100.1
* kernel-64kb-extra-debuginfo-6.4.0-150600.23.100.1
* dtb-amlogic-6.4.0-150600.23.100.1
* dtb-lg-6.4.0-150600.23.100.1
* dtb-qcom-6.4.0-150600.23.100.1
* kernel-64kb-devel-6.4.0-150600.23.100.1
* gfs2-kmp-64kb-6.4.0-150600.23.100.1
* dtb-marvell-6.4.0-150600.23.100.1
* dtb-cavium-6.4.0-150600.23.100.1
* dtb-renesas-6.4.0-150600.23.100.1
* dtb-sprd-6.4.0-150600.23.100.1
* dtb-socionext-6.4.0-150600.23.100.1
* dtb-amazon-6.4.0-150600.23.100.1
* ocfs2-kmp-64kb-6.4.0-150600.23.100.1
* cluster-md-kmp-64kb-debuginfo-6.4.0-150600.23.100.1
* dtb-apple-6.4.0-150600.23.100.1
* dtb-mediatek-6.4.0-150600.23.100.1
* dtb-xilinx-6.4.0-150600.23.100.1
* dtb-exynos-6.4.0-150600.23.100.1
* kernel-64kb-optional-debuginfo-6.4.0-150600.23.100.1
* dtb-arm-6.4.0-150600.23.100.1
* dlm-kmp-64kb-6.4.0-150600.23.100.1
* dtb-broadcom-6.4.0-150600.23.100.1
* dtb-amd-6.4.0-150600.23.100.1
* dlm-kmp-64kb-debuginfo-6.4.0-150600.23.100.1
* kernel-64kb-debuginfo-6.4.0-150600.23.100.1
* ocfs2-kmp-64kb-debuginfo-6.4.0-150600.23.100.1
* kselftests-kmp-64kb-debuginfo-6.4.0-150600.23.100.1
* dtb-apm-6.4.0-150600.23.100.1
* reiserfs-kmp-64kb-debuginfo-6.4.0-150600.23.100.1
* dtb-rockchip-6.4.0-150600.23.100.1
* kernel-64kb-optional-6.4.0-150600.23.100.1
* kernel-64kb-devel-debuginfo-6.4.0-150600.23.100.1
* reiserfs-kmp-64kb-6.4.0-150600.23.100.1
* dtb-hisilicon-6.4.0-150600.23.100.1
* kernel-64kb-extra-6.4.0-150600.23.100.1
* dtb-freescale-6.4.0-150600.23.100.1
* dtb-altera-6.4.0-150600.23.100.1
* openSUSE Leap 15.6 (nosrc)
* dtb-aarch64-6.4.0-150600.23.100.1
* openSUSE Leap 15.6 (aarch64 nosrc)
* kernel-64kb-6.4.0-150600.23.100.1

## References:

* https://www.suse.com/security/cve/CVE-2026-31431.html
* https://bugzilla.suse.com/show_bug.cgi?id=1262573



openSUSE-SU-2026:0163-1: important: Security update for trivy


openSUSE Security Update: Security update for trivy
_______________________________

Announcement ID: openSUSE-SU-2026:0163-1
Rating: important
References: #1255366 #1258094 #1258513 #1260193 #1260971
#1261052 #1262389 #1262893
Cross-References: CVE-2025-64702 CVE-2025-66564 CVE-2025-69725
CVE-2026-25934 CVE-2026-33186 CVE-2026-33747
CVE-2026-33748 CVE-2026-34986 CVE-2026-39984

CVSS scores:
CVE-2025-64702 (SUSE): 6.9 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
CVE-2025-69725 (SUSE): 2.3 CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:L/VA:N/SC:L/SI:N/SA:N
CVE-2026-25934 (SUSE): 5.3 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
CVE-2026-33186 (SUSE): 8.6 CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
CVE-2026-33747 (SUSE): 8.6 CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
CVE-2026-33748 (SUSE): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CVE-2026-34986 (SUSE): 8.7 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
CVE-2026-39984 (SUSE): 6.8 CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N

Affected Products:
openSUSE Backports SLE-15-SP7
_______________________________

An update that fixes 9 vulnerabilities is now available.

Description:

This update for trivy fixes the following issues:

Update to version 0.70.0 (boo#1260193, CVE-2026-33186, boo#1260971,
CVE-2026-33747, boo#1261052, CVE-2026-33748, boo#1262389, CVE-2026-39984,
boo#1262893, CVE-2026-34986):

* release: v0.70.0 [main] (#10105)
* chore(deps): bump go.opentelemetry.io/otel/sdk from 1.42.0 to 1.43.0
(#10496)
* chore(deps): bump github.com/sigstore/timestamp-authority/v2 from
2.0.3 to 2.0.6 (#10526)
* chore(deps): bump the common group across 1 directory with 8 updates
(#10540)
* chore(deps): bump the docker group across 1 directory with 2 updates
(#10538)
* fix: use Development category for GoReleaser discussions (#10530)
* chore(deps): bump testcontainers-go to v0.42.0 (#10531)
* chore: update CODEOWNERS (#10529)
* chore(deps): bump helm.sh/helm/v3 from 3.20.1 to 3.20.2 (#10511)
* chore(deps): bump github.com/hashicorp/go-getter from 1.8.5 to 1.8.6
(#10510)
* chore(deps): bump github.com/moby/buildkit from 0.27.1 to 0.28.1
(#10449)
* ci: migrate from mkdocs-material-insiders to mkdocs-material (#10509)
* chore: remove aquasecurity/homebrew-trivy tap from GoReleaser (#10508)
* ci: update runners for workflows that interact with GitHub API (#10502)
* ci: rename tokens and update runners (#10500)
* ci: trigger helm chart publishing via helm-charts workflow (#10474)
* ci: remove ruleset update step from release-please workflow (#10499)
* ci: use large runner and replace ORG_REPO_TOKEN in release-please
workflow (#10498)
* ci: trigger rpm/deb deployment via trivy-repo workflow (#10476)
* fix: remove os.Stdout from wazero module config (#10403)
* chore(deps): bump the common group across 1 directory with 22 updates
(#10408)
* chore(deps): bump google.golang.org/grpc from 1.78.0 to 1.79.3 (#10407)
* fix(flag): validate template file extension (#10296)
* fix(sbom): preserve Red Hat BuildInfo when scanning SBOMs without
layer info (#10378)
* fix: handle Go 1.26 GOEXPERIMENT version format change (#10351)
* fix(python): handle multiple version specifiers in requirements.txt
(#10361)
* ci: run Trivy version bump in trivy-action (#10272)
* fix(python): nil pointer dereference with optional poetry groups
without dependencies (#10359)
* ci: replace personal email with github-actions[bot] in workflows
(#10369)
* chore: replace smithy epoch parsing with stdlib time.Unix (#10286)
* test: update golden files for purl changes (#10372)
* ci: add zizmor to scan GitHub Actions workflows (#10322)
* refactor: log statuses as strings (#10285)
* ci: add build provenance attestations for release artifacts (#10316)
* fix(sbom): add NOASSERTION for licenseDeclared/licenseConcluded in
SPDX non-library packages (#10368)
* fix(report): set correct sarif ROOTPATH uri when scanning a git
repository (#10366)
* perf(plugin): optimize directory traversal by replacing filepath.Walk
with filepath.WalkDir (#10325)
* docs: correct typos in CHANGELOG and diagram (#10320)
* chore: delete roadmap wf (#10295)
* ci(helm): bump Trivy version to 0.69.3 for Trivy Helm Chart 0.21.3
(#10310)
* fix(cyclonedx): include CVSS v4 vulnerability ratings (#10313)
* fix: detected vulnerability fields in azure and mariner detector
(#10275)
* ci: add persist-credentials: false to checkout steps (#10306)
* ci(helm): bump Trivy version to 0.69.2 for Trivy Helm Chart 0.21.2
(#10270)
* chore(deps): bump the common group across 1 directory with 8 updates
(#10248)
* chore(deps): bump go.opentelemetry.io/otel/sdk from 1.39.0 to 1.40.0
(#10257)
* chore(deps): bump the aws group across 1 directory with 6 updates
(#10249)
* chore(deps): bump github.com/cloudflare/circl from 1.6.1 to 1.6.3
(#10241)
* ci: remove apidiff workflow (#10259)
* chore(deps): bump github.com/docker/cli from 29.1.4+incompatible to
29.2.1+incompatible in the docker group across 1 directory (#10221)
* ci: bump golangci-lint to v2.10 in cache-test-assets (#10243)
* feat(java): add support for proxy configuration from Maven
settings.xml (#10187)
* chore(deps): bump the github-actions group across 3 directories with
11 updates (#10242)
* feat(python): add pylock.toml support (#10137)
* chore: bump SPDX license IDs and exceptions to `v3.28.0` (#10233)
* docs: fix typos and upgrade insecure HTTP links to HTTPS (#10219)
* chore: bump golangci-lint to v2.10.0 (#10223)
* feat(misconf): support for
azurerm_network_interface_security_group_association (#10215)
* ci: pin Docker Engine to v29 for integration tests (#10232)
* feat(go): detect version from ELF symbol table for binaries built with
-trimpath (#10197)
* docs: migrate private registry documentation from GCR to GAR (#10208)
* chore(deps): bump the common group across 1 directory with 24 updates
(#10206)
* chore(deps): update Docker client SDK to v29 (#10202)
* test: update Docker Engine integration tests for Docker API v0.29.0+
compatibility (#10199)
* fix(misconf): initialize custom annotation field if empty (#10123)
* feat(ubuntu): add eol data for 25.10 (#10181)
* docs: fix incorrect count of Python package managers (#10175)
* chore(deps): bump github.com/go-git/go-git/v5 from 5.16.4 to 5.16.5
(#10179)
* feat(misconf): resolve Azure resources via resource_id (#10173)
* ci(helm): bump Trivy version to 0.69.1 for Trivy Helm Chart 0.21.1
(#10155)
* refactor: remove unused Insecure field from ServiceOption (#10113)
* refactor: reduce complexity of init in detect.go (#10163)
* feat(misconf): adapt ARM k8s clusters (#9696) (#10125)
* docs: update version endpoint example in client/server documentation
(#10151)
* feat(vuln): skip third-party packages in common Detect function
(#10129)
* ci: add composite action for Go setup (#10146)
* fix(misconf): apply check aliases when filtering results via
.trivyignore (#10112)
* docs(terraform): add limitation for data sources and computed resource
attributes (#10128)
* fix: update PhotonOS feed URL (#10122)
* feat(server): include server version info in JSON output for
client/server mode (#10075)
* chore(deps): bump to alpine:3.23.3 and go-1.25.6 to fix CVEs (#10107)
* refactor: unify scanner error limit and compiler limit (#10106)
* ci(helm): bump Trivy version to 0.69.0 for Trivy Helm Chart 0.21.0
(#10103)
* fix(java): Disable overwriting exclusions (#10088)
* refactor(rust): use txtar format for cargo analyzer test data (#10104)
* feat(python): add pylock.toml (PEP 751) parser (#9632)
* chore(deps): bump the aws group across 1 directory with 6 updates
(#10068)
* fix(server): exclude JavaDB and CheckBundle from /version endpoint
(#10100)

- Update to version 0.69.3 (CVE-2026-25934, boo#1258094):
* release: v0.69.3 [release/v0.69] (#10293)
* fix(deps): bump github.com/go-git/go-git/v5 from 5.16.4 to 5.16.5
[backport: release/v0.69] (#10291)
* release: v0.69.2 [release/v0.69] (#10266)
* fix(deps): bump go.opentelemetry.io/otel/sdk from 1.39.0 to 1.40.0
[backport: release/v0.69] (#10267)
* fix(deps): bump github.com/cloudflare/circl from 1.6.1 to 1.6.3
[backport: release/v0.69] (#10264)
* ci: remove apidiff workflow
* release: v0.69.1 [release/v0.69] (#10145)
* ci: add composite action for Go setup [backport: release/v0.69]
(#10150)
* fix(misconf): apply check aliases when filtering results via
.trivyignore [backport: release/v0.69] (#10143)
* chore(deps): bump to alpine:3.23.3 and go-1.25.6 to fix CVEs
[backport: release/v0.69] (#10135)

- Update to version 0.69.0 (boo#1255366, CVE-2025-64702, boo#1258513,
CVE-2025-69725):
* release: v0.69.0 [main] (#9886)
* chore: bump trivy-checks to v2 (#9875)
* chore(deps): bump github.com/theupdateframework/go-tuf/v2 from 2.3.1
to 2.4.1 (#10091)
* fix(repo): return a nil interface for gitAuth if missing (#10097)
* fix(java): correctly inherit properties from parent fields for pom.xml
files (#9111)
* fix(rust): implement version inheritance for Cargo mono repos (#10011)
* feat(activestate): add support ActiveState images (#10081)
* feat(vex): support per-repo tls configuration (#10030)
* refactor: allow per-request transport options override (#10083)
* chore(deps): bump github.com/sigstore/rekor from 1.4.3 to 1.5.0
(#10084)
* chore(deps): bump github.com/sigstore/sigstore from 1.10.3 to 1.10.4
(#10085)
* fix(java): correctly propagate repositories from upper POMs to
dependencies (#10077)
* feat(rocky): enable modular package vulnerability detection (#10069)
* chore(deps): bump github.com/theupdateframework/go-tuf/v2 from 2.3.0
to 2.3.1 (#10079)
* docs: fix mistake in config file example for skip-dirs/skip-files flag
(#10070)
* feat(report): add Trivy version to JSON output (#10065)
* fix(rust): add cargo workspace members glob support (#10032)
* feat: add AnalyzedBy field to track which analyzer detected packages
(#10059)
* fix: use canonical SPDX license IDs from embedded licenses.json (#10053)
* docs: fix link to Docker Image Specification (#10057)
* feat(secret): add detection for Symfony default secret key (#9892)
* refactor(misconf): move common logic to base value and simplify typed
values (#9986)
* fix(java): add hash of GAV+root pom file path for pkgID for packages
from pom.xml files (#9880)
* feat(misconf): use Terraform plan configuration to partially restore
schema (#9623)
* feat(misconf): add action block to Terraform schema (#10035)
* fix(misconf): correct typos in block and attribute names (#9993)
* test(misconf): simplify test values using *Test helpers (#9985)
* fix(misconf): safely parse rotation_period in google_kms_crypto_key
(#9980)
* feat(misconf): support for ARM resources defined as an object (#9959)
* feat(misconf): support for azurerm_*_web_app (#9944)
* test: migrate private test helpers to `export_test.go` convention
(#10043)
* chore(deps): bump github.com/sigstore/cosign/v2 from 2.2.4 to 2.6.2
(#10048)
* fix(secret): improve word boundary detection for Hugging Face tokens
(#10046)
* fix(go): use ldflags version for all pseudo-versions (#10037)
* chore: switch to ID from AVDID in internal and user-facing fields
(#9655)
* refactor(misconf)!: use ID instead of AVDID for providers mapping
(#9752)
* fix: move enum into items for array-type fields in JSON Schema (#10039)
* docs: fix incorrect documentation URLs (#10038)
* feat(sbom): exclude PEP 770 SBOMs in .dist-info/sboms/ (#10033)
* fix(docker): fix non-det scan results for images with embedded SBOM
(#9866)
* chore(deps): bump the github-actions group with 11 updates (#10001)
* test: fix assertion after 2026 roll over (#10002)
* fix(vuln): skip vulns detection for CentOS Stream family without scan
failure (#9964)
* fix(license): normalize licenses for PostAnalyzers (#9941)
* feat(nodejs): parse licenses from `package-lock.json` file (#9983)
* chore: update reference links to Go Wiki (#9987)
* refactor: add xslices.Map and replace lo.Map usages (#9984)
* fix(image): race condition in image artifact inspection (#9966)
* feat(flag): add JSON Schema for trivy.yaml configuration file (#9971)
* refactor(debian): use txtar format for test data (#9957)
* chore(deps): bump `golang.org/x/tools` to `v0.40.0` + `gopls` to
`v0.21.0` (#9973)
* feat(rootio): Update trivy db to support usage of Severity from
root.io feed (#9930)
* feat(vuln): skip vulnerability scanning for third-party packages in
Debian/Ubuntu (#9932)
* docs: add info that `--file-pattern` flag doesn't disable default
behaviour (#9961)
* perf(misconf): optimize string concatenation in azure scanner (#9969)
* chore: add client option to install script (#9962)
* ci(helm): bump Trivy version to 0.68.2 for Trivy Helm Chart 0.20.1
(#9956)
* chore(deps): bump github.com/quic-go/quic-go from 0.54.1 to 0.57.0
(#9952)
* docs: update binary signature verification for sigstore bundles (#9929)
* chore(deps): bump alpine from `3.22.1` to `3.23.0` (#9935)
* chore(alpine): add EOL date for alpine 3.23 (#9934)
* feat(cloudformation): add support for Fn::ForEach (#9508)
* ci: enable `check-latest` for `setup-go` (#9931)
* feat(debian): detect third-party packages using maintainer list (#9917)
* fix(vex): add CVE-2025-66564 as not_affected into Trivy VEX file
(#9924)
* feat(helm): add sslCertDir parameter (#9697)
* fix(misconf): respect .yml files when Helm charts are detected (#9912)
* feat(php): add support for dev dependencies in Composer (#9910)
* chore(deps): bump the common group across 1 directory with 9 updates
(#9903)
* chore(deps): bump github.com/docker/cli from 29.0.3+incompatible to
29.1.1+incompatible in the docker group (#9859)
* fix: remove trailing tab in statefulset template (#9889)
* feat(julia): enable vulnerability scanning for the Julia language
ecosystem (#9800)
* feat(misconf): initial ansible scanning support (#9332)
* feat(misconf): Update Azure Database schema (#9811)
* ci(helm): bump Trivy version to 0.68.1 for Trivy Helm Chart 0.20.0
(#9869)
* chore: update the install script (#9874)

Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- openSUSE Backports SLE-15-SP7:

zypper in -t patch openSUSE-2026-163=1

Package List:

- openSUSE Backports SLE-15-SP7 (aarch64 i586 ppc64le s390x x86_64):

trivy-0.70.0-bp157.2.9.1

References:

https://www.suse.com/security/cve/CVE-2025-64702.html
https://www.suse.com/security/cve/CVE-2025-66564.html
https://www.suse.com/security/cve/CVE-2025-69725.html
https://www.suse.com/security/cve/CVE-2026-25934.html
https://www.suse.com/security/cve/CVE-2026-33186.html
https://www.suse.com/security/cve/CVE-2026-33747.html
https://www.suse.com/security/cve/CVE-2026-33748.html
https://www.suse.com/security/cve/CVE-2026-34986.html
https://www.suse.com/security/cve/CVE-2026-39984.html
https://bugzilla.suse.com/1255366
https://bugzilla.suse.com/1258094
https://bugzilla.suse.com/1258513
https://bugzilla.suse.com/1260193
https://bugzilla.suse.com/1260971
https://bugzilla.suse.com/1261052
https://bugzilla.suse.com/1262389
https://bugzilla.suse.com/1262893