An update that solves 20 vulnerabilities and has 15 bug fixes can now be installed.

openSUSE security update: security update for apptainer
-------------------------------------------------------------
Announcement ID: openSUSE-SU-2026:20730-1
Rating: critical
References:
  * bsc#1228324
  * bsc#1234595
  * bsc#1234794
  * bsc#1235211
  * bsc#1236528
  * bsc#1237679
  * bsc#1238611
  * bsc#1239341
  * bsc#1253924
  * bsc#1255462
  * bsc#1258047
  * bsc#1258048
  * bsc#1260311
  * bsc#1262956
  * bsc#1264177
Cross-References:
  * CVE-2023-45288
  * CVE-2024-28180
  * CVE-2024-3727
  * CVE-2024-41110
  * CVE-2024-45337
  * CVE-2024-45338
  * CVE-2025-22869
  * CVE-2025-22870
  * CVE-2025-22872
  * CVE-2025-27144
  * CVE-2025-47911
  * CVE-2025-47913
  * CVE-2025-47914
  * CVE-2025-58181
  * CVE-2025-58190
  * CVE-2025-65105
  * CVE-2025-8556
  * CVE-2026-24137
  * CVE-2026-33186
  * CVE-2026-34986
CVSS scores:
  * CVE-2023-45288 ( SUSE ): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
  * CVE-2023-45288 ( SUSE ): 6.9 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
  * CVE-2024-28180 ( SUSE ): 4.3 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
  * CVE-2024-28180 ( SUSE ): 2.3 CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
  * CVE-2024-3727 ( SUSE ): 8.3 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H
  * CVE-2024-41110 ( SUSE ): 9.9 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
  * CVE-2024-45337 ( SUSE ): 8.1 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
  * CVE-2024-45338 ( SUSE ): 5.9 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
  * CVE-2024-45338 ( SUSE ): 8.2 CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
  * CVE-2025-22869 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
  * CVE-2025-22869 ( SUSE ): 8.2 CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
  * CVE-2025-22870 ( SUSE ): 4.4 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:L
  * CVE-2025-22870 ( SUSE ): 4.8 CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N
  * CVE-2025-22872 ( SUSE ): 6.5 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:L
  * CVE-2025-22872 ( SUSE ): 6.3 CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:L/SC:L/SI:L/SA:L
  * CVE-2025-27144 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
  * CVE-2025-27144 ( SUSE ): 8.7 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
  * CVE-2025-47911 ( SUSE ): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
  * CVE-2025-47911 ( SUSE ): 6.9 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
  * CVE-2025-47913 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
  * CVE-2025-47913 ( SUSE ): 8.7 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
  * CVE-2025-47914 ( SUSE ): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
  * CVE-2025-47914 ( SUSE ): 6.9 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
  * CVE-2025-58181 ( SUSE ): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
  * CVE-2025-58181 ( SUSE ): 6.9 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
  * CVE-2025-58190 ( SUSE ): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
  * CVE-2025-58190 ( SUSE ): 6.9 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
  * CVE-2025-65105 ( SUSE ): 5.3 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
  * CVE-2026-24137 ( SUSE ): 5.3 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N
  * CVE-2026-24137 ( SUSE ): 6 CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N
  * CVE-2026-33186 ( SUSE ): 8.1 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
  * CVE-2026-33186 ( SUSE ): 8.6 CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
  * CVE-2026-34986 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
  * CVE-2026-34986 ( SUSE ): 8.7 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
Affected Products:
  * openSUSE Leap 16.0
-------------------------------------------------------------
Description:

This update for apptainer fixes the following issues:

Changes in apptainer:

- Fix CVE-2026-34986 (bsc#1262956)
  * github.com/go-jose/go-jose/v4@v4.1.4 CVE-2026-33186 GO-2026-4762 (bsc#1260311)
  * google.golang.org/grpc@v1.79.3 CVE-2026-24137 GO-2026-4358 (bsc#1264177)
  * github.com/sigstore/sigstore@v1.10.4
  Fix fallout: github.com/moby/go-archive@v0.1.0 github.com/containers/image/v5=github.com/containers/image/v5@v5.36.0
- Fix HTML parser misimplementation of a part of the HTML specification for table related tags (CVE-2025-58190, GO-2026-4441, bsc#1258048).
- Fix issue where the HTML parser takes a very long time or even never returns (CVE-2025-47911, GO-2026-4440, bsc#1258047).
- Update to 1.4.5
  * Fix for moderate severity GO-2025-4176 / CVE-2025-65105 / GHSA-j3rw-fx6g-q46j (bsc#1255462): Ineffective application of selinux / apparmor --security option. Updates of a few dependent go libraries for related security fixes.
  * Other fix: Run FUSE processes in a separate process group. This detaches them from the main process so they don't receive signals such as interrupts sent to a terminal there. This was not a problem with interactive shells because they start their own group, but it was a problem with some programs with interactive Read/Eval/Print Loops such as python. An interrupt there would kill the FUSE processes.
- From 1.4.4
  * By applying patches to the bundled fuse2fs, allow again the possibility of using a non-writable ext3 image file as an overlay. Fixes regression introduced in 1.4.3.
  * If an overlay or bound data image is asked to be mounted writable but the user has no write access to the image, show a warning message instead of silently switching to readonly.
  * Avoid a fatal error when starting fakeroot from suid mode while in an NFS directory.
  * Fix 32-bit builds which were accidentally broken by a library upgrade that was done for a minor security issue.
- Fix CVEs:
  * GO-2025-4135 - CVE-2025-47914 Malformed constraint may cause denial of service in golang.org/x/crypto/ssh/agent.
  * GO-2025-4134 - CVE-2025-58181 - bsc#1253924 Unbounded memory consumption in golang.org/x/crypto/ssh.
  * GO-2025-4116 - CVE-2025-47913 Potential denial of service in golang.org/x/crypto/ssh/agent.
  * GO-2025-3595 - CVE-2025-22872 Incorrect Neutralization of Input During Web Page Generation in x/net.
  * GO-2025-3503 - CVE-2025-22870 HTTP Proxy bypass using IPv6 Zone IDs in golang.org/x/net.
  * GO-2025-3487 - CVE-2025-22869 Potential denial of service in golang.org/x/crypto.
  * GO-2025-3485 - CVE-2025-27144 DoS in go-jose Parsing in github.com/go-jose/go-jose.
  * GO-2025-3754 - CVE-2025-8556 CIRCL-Fourq: Missing and wrong validation can lead to incorrect results in github.com/cloudflare/circl.
- No need for binutils-gold for aarch64
- Update to 1.4.3
  * Corrected the mconfig -s option for statically building apptainer and starter binaries.
  * Resolved an issue where the Makefile generated by mconfig -b failed when the build directory was not a subdirectory of the Apptainer source code.
  * Fixed %files in definition files to correctly copy symlinks pointing above the destination directory but within the destination stage root filesystem.
  * Addressed a typo in nvliblist.conf (libnvoptix.so.1 was corrected to libnvoptix.so).
  * Prevented timeouts during cleanup after building gocryptfs-encrypted SIF files.
  * Fixed a bug that prevented build with --passphrase or --pem-path (without --encrypt) from implying fakeroot.
  * Resolved a hang when copying files between build stages while using suid mode without user namespaces.
  * Fixed issues with running and building containers of different architectures than the host via binfmt_misc when using rootless fakeroot.
  * Corrected "target: no such file or directory" errors when extracting layers from certain OCI images that manipulate hard links across layers.
  * Fixed a crash when executing a privilege-encrypted container as root.
  * Improved documentation for the remote list command.
  * Removed the fakerootcallback functionality.
  * Updated the default pacman confURL for Bootstrap: arch container builds.
  * Updated bundled fuse programs to their latest releases.
  * Changed the default message level from silent to normal in nested apptainer executions of a build's %post section, and suppressed an unnecessary warning.
  * Invalid environment variables are now ignored when pulling oci/docker containers.
- Add definition file for SLE 16 (SLE-16.def).
- Remove definition files for SLE15 SP5 (SLE-15SP5.def) and SP6 (SLE-15SP6.def).
- Update to 1.4.2
  * Restore looking for registry mirrors in /etc/containers/registry.conf and related files. This had been inadvertently dropped beginning in 1.4.0.
  * Fix use of the image cache when the home directory contains @ characters. Previously it would assume that it was the start of a digest in the oci-dir.
  * Fix signature verification failures on unsigned images.
  * Add additional .deb packages to the release assets that include the label trixie+ to indicate that they are for installing on Debian 13 or later. Those packages are necessary to work with the new libfuse3 library in Debian 13. They also support libsubid, unlike the default packages, which are built on Debian 11 where that library is not available.
  * Add automatic triggering of Ubuntu PPA builds whenever there's a new apptainer release.
- Update to 1.4.1
  * Fix the use of libsubid which had been broken by the revision applied in 1.4.0-rc.2.
  * Fix a bug introduced in 1.4.0 that caused arm64 to be mis-converted to arm64v8 and resulted in a failure when pulling OCI containers.
  * Fix user database lookup in master process preventing instance from starting correctly on systems using winbind.
  * Check for existence of `/run/systemd/system` when verifying cgroups can be used via the systemd manager.
  * Add a clear error message if someone tries to use privileged network options while not using setuid mode.
  * Allow multi-arch oci-archive files that have a nested index with the manifest. This is the default format (both for Docker and OCI) when using `nerdctl save`.
  * Test if docker-archive is actually an oci-archive (since Docker version 25), and if it is oci then use the OCI parser to avoid bugs in the Docker parser. Save the docker-daemon references to a temporary docker-archive, to benefit from the same improvements also for those references. Parse as oci-archive.
- New Features & Functionality inherited from 1.4.0
  * Add new build option `--mksquashfs-args` to pass additional arguments to the `mksquashfs` command when building SIF files. If a compression method other than gzip is selected, the SIF file might not work with older installations of Apptainer or Singularity, so an INFO message about that is printed. On the other hand, an INFO message that was printed (twice) when running an image with non-gzip compression has been removed.
  * If the `mksquashfs` version is new enough (version 4.6 in Leap 16.0), then show a percentage progress bar (with ETA) during SIF creation in the default log level. If the `mksquashfs` version is older, then in verbose or debug log level show the output of mksquashfs with its own progress bar.
  * Statistics are now normally available for instances that are started by non-root users on cgroups v2 systems. The instance will be started in the current cgroup. Information about configuration issues that prevent collection of statistics is displayed as INFO messages by default.
  * Add a `--sandbox` option to `apptainer pull`.
  * Add configuration file binding to the `--nv` option. Files that are recognized in the NVIDIA Container Toolkit, including files for EGL ICD, were added to the default `nvliblist.conf`.
  * It is now possible to use multiple environment variable files using the `--env-file` flag. Files can be specified as a comma-separated list or by using the flag multiple times. Variables defined in later files take precedence over earlier files.
  * The registry login and registry logout commands now support a `--authfile ` option, which causes OCI credentials to be written to / removed from a custom file located at ` ` instead of the default location (`$HOME/.apptainer/docker-config.json`). The commands `pull`, `push`, `run`, `exec`, `shell` and instance start can now also be passed a `--authfile ` option, to read OCI registry credentials from this custom file.
  * A new `--netns-path` option takes a path to a network namespace to join when starting a container. The root user may join any network namespace. An unprivileged user can only join a network namespace specified in the new `allow netns paths` directive in `apptainer.conf`, if they are also listed in `allow net users` / `allow net groups` and apptainer is installed with setuid privileges. Not supported with `--fakeroot`.
  * `apptainer.conf` now accepts setting the following options:
    `allow ipc ns` -- Default value is `yes`; when set to `no`, it will disable the use of the `--ipc` flag.
    `allow uts ns` -- Default value is `yes`; when set to `no`, it will invalidate the use of the `--uts` and `--hostname` flags.
    `allow user ns` -- Default value is `yes`; when set to `no`, it will disable creation of user namespaces. Note that this will prevent execution of containers with the `--userns` or `--fakeroot` flags and with unprivileged installations of Apptainer.
- Changed defaults / behaviours
  * Label the starter process seen in `ps` with the image filename, for example: Apptainer runtime parent: `example.sif`.
  * Remove runtime and compute libraries from `rocmliblist.conf`. They should instead be provided by the container image.
  * Allow overriding the build architecture with `--arch` and `--arch-variant`, to build images for another architecture than the current host arch. This requires that the host has been set up to support multiple architectures (`binfmt_misc`).
  * Complete the previously partial support for the riscv64 architecture.
  * Show a warning message if changing directory to the cwd fails, instead of silently switching to the home directory or `/`.
  * Write starter messages to stderr when an instance fails to start. Previously they were incorrectly written to stdout.
  * Skip attempting to bind inaccessible mount points when handling the `mount hostfs = yes` configuration option.
  * Fix storage of credentials for `docker.io` to behave the same as for `index.docker.io`.
  * Change message log level from warning to debug when environment variables set inside a container or by `APPTAINERENV` have a different value than the environment variable on the host.
  * Change the default message level from silent to the normal level in the nested apptainer that executes a build's `%post` section, and suppress an unnecessary warning message.
  * Ignore invalid environment variables when pulling oci/docker containers.
  * Remove the little-known `fakerootcallback` functionality.
  * Update the default pacman confURL for `Bootstrap: arch` container builds.
  * Update the bundled fuse programs to their latest releases.
- Bug fixes
  * Fix the `mconfig -s` option to build the apptainer and starter binaries statically as documented.
  * `%files from` in a definition file will now correctly copy symlinks that point to a target above the destination directory but inside the destination stage root filesystem.
  * Fixed typo in `nvliblist.conf` (`libnvoptix.so.1` -> `libnvoptix.so`).
  * Avoid timeouts when cleaning up from building gocryptfs-encrypted SIF files.
  * Fix bug that prevented build with `--passphrase` or `--pem-path` but without `--encrypt` from implying fakeroot.
  * Fix hang when copying files between build stages while using suid mode without user namespaces.
  * Fix running and building containers of different architectures than the host via binfmt_misc when using rootless fakeroot.
  * Fix `target: no such file or directory` error when extracting layers from certain OCI images that manipulate hard links across layers.
  * Fix the crash that happened when executing a privilege-encrypted container as root.
- Fix CVE-2024-45338, CVE-2025-22870, CVE-2024-45337, CVE-2025-22869, CVE-2025-27144, CVE-2024-41110
  * GO-2024-3333 CVE-2024-45338 (bsc#1234794), GO-2025-3503 CVE-2025-22870 (bsc#1238611): Update to: golang.org/x/net@v0.36.0
  * GO-2024-3321 CVE-2024-45337 (bsc#1234595), GO-2025-3487 CVE-2025-22869 (bsc#1239341): Update to: golang.org/x/crypto@v0.35.0
  * GO-2025-3485 CVE-2025-27144 (bsc#1237679): Update to: github.com/go-jose/go-jose/v3@v3.0.4
  * GO-2024-3005 CVE-2024-41110 (bsc#1228324): Update to: github.com/docker/docker@v25.0.6+incompatible
- Update golang.org/x/net to v0.23 to fix CVE-2023-45288 (bnc#1236528).
- Update to version 1.3.6
  * Avoid using kernel overlayfs when the lower layer is a sandbox on an incompatible filesystem type such as GPFS or Lustre. For those cases use fuse-overlayfs instead. This fixes a regression introduced in 1.3.0. The regression didn't much impact Lustre because kernel overlayfs refused to try to use it and Apptainer proceeded to use fuse-overlayfs anyway, but with GPFS the kernel overlayfs allowed mounting but returned stale file handle errors.
- Version 1.3.5
  * Fix a regression introduced in 1.3.4 that overwrote existing standard `/.singularity.d` files such as `runscript` in container images even if they had been modified.
  * Skip attempting to bind inaccessible mount points when handling the `mount hostfs = yes` configuration option.
  * Support parsing nested variables defined inside `%arguments` section of definition files.
  * Ignore invalid environment variables when pulling oci/docker containers.
- Version 1.3.4
  * Fixed sif-embedded overlay partitions for containers that are larger than 2 gigabytes.
  * Fixed the failure when starting apptainer with `instance --fakeroot`.
  * `apptainer build -B ...` can now be used to mount custom resolv.conf and hosts files from non-standard outside locations. This can be used to run `apptainer build` in a nix-build sandbox that has no `/etc/resolv.conf`.
  * Fixed failing builds from local images that have symbolic links for paths that are part of the base container environment (e.g. /var/tmp -> /tmp).
  * Show info messages suggesting to use `enable underlay = preferred` or the `--underlay` flag when overlay is implied for bind mounts but the kernel is too old to support fuse mounts in user namespaces and so tries to use fusermount.
  * When someone uses a `yum` bootstrap to build a container without using subuid-based fakeroot or root, warn that it is unlikely to work.
  * Allow a writable `--overlay` to be used with `--nvccli` instead of `--writable-tmpfs`.
  * If an error "no descriptor found for reference" is seen while getting an oci container, retry the operation up to five times.
  * Make fakeroot Recommended for SUSE rpms instead of Required.
  * Allow bind mounts onto existing files on r/o NFS filesystems.
  * If an error is seen in the %post section when building a container using fakeroot mode 3 (with the fakeroot command) then show a message suggesting using `--ignore-fakeroot-command` and referring to the documentation about how to install and use it inside the container definition file.
  * Show a more helpful error message when using fakeroot in suid mode and there's an `/etc/subuid` mapping even though user namespaces are not available (user namespaces are required for `/etc/subuid` mapping).
- Version 1.3.3
  * Added libcudadebugger.so to nvliblist.conf to support cuda-gdb in CUDA 12+.
  * Ensure opened/kept file descriptors in stage 1 are not closed during the Go garbage collection to avoid "bad file descriptor" errors at startup.
  * Fixed a segmentation violation issue when running Apptainer checkpoint.
  * Fixed an issue that Apptainer won't read default docker credentials.
- Version 1.3.2
  * Fix for [CVE-2024-3727](https://bugzilla.suse.com/show_bug.cgi?id=1224114) in a dependent library which describes a flaw that can allow attackers to trigger unexpected authenticated registry accesses due to object digest values not being validated in all cases.
  * Fixed the issue when nesting `apptainer instance start` inside a container on a cgroups-v2 capable host.
  * Fixed the issue that the oras download progress bar gets stuck when downloading large images.
- Version 1.3.1
  * Make 'apptainer build' work with signed Docker containers.
  * Fixed regression introduced in 1.3.0 that prevented closing cryptsetup and the corresponding loop device after running an encrypted sif container file in suid mode.
  * Stopped binding over the default timezone in the container with the host's timezone, which led to unexpected behavior if the application changed timezones.
  * Added progress bars for `oras://` push and pull.
  * Hide `Instance stats will not be available` message under `--sharens` mode.
  * Fix problem where credentials locally stored with `registry login` command were not usable in some execution flows. Run `registry login` again with latest version to ensure credentials are stored correctly.
  * Make runscript timeout configurable.
  * Return invalid bind path mount options during bind path parsing.
  * Make the INFO message more helpful when a running background process at exit time causes a FUSE mount to not shut down cleanly.
  * Fixed the wrong mediaType in the oras push manifest.
- Add Apptainer definition template for SLE15-SP7.
- Make sure the build is reproducible by setting the GNU build ID to one derived from the Go one. See https://pkg.go.dev/cmd/link.
- Use go-jose version with fix for CVE-2024-28180 (bsc#1235211).

Patch instructions:

To install this openSUSE security update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- openSUSE Leap 16.0
  zypper in -t patch openSUSE-Leap-16.0-packagehub-255=1

Package List:

- openSUSE Leap 16.0:
  apptainer-1.4.5-bp160.1.1
  apptainer-leap-1.4.5-bp160.1.1
  apptainer-sle15_7-1.4.5-bp160.1.1
  apptainer-sle16-1.4.5-bp160.1.1

References:
  * https://www.suse.com/security/cve/CVE-2023-45288.html
  * https://www.suse.com/security/cve/CVE-2024-28180.html
  * https://www.suse.com/security/cve/CVE-2024-3727.html
  * https://www.suse.com/security/cve/CVE-2024-41110.html
  * https://www.suse.com/security/cve/CVE-2024-45337.html
  * https://www.suse.com/security/cve/CVE-2024-45338.html
  * https://www.suse.com/security/cve/CVE-2025-22869.html
  * https://www.suse.com/security/cve/CVE-2025-22870.html
  * https://www.suse.com/security/cve/CVE-2025-22872.html
  * https://www.suse.com/security/cve/CVE-2025-27144.html
  * https://www.suse.com/security/cve/CVE-2025-47911.html
  * https://www.suse.com/security/cve/CVE-2025-47913.html
  * https://www.suse.com/security/cve/CVE-2025-47914.html
  * https://www.suse.com/security/cve/CVE-2025-58181.html
  * https://www.suse.com/security/cve/CVE-2025-58190.html
  * https://www.suse.com/security/cve/CVE-2025-65105.html
  * https://www.suse.com/security/cve/CVE-2025-8556.html
  * https://www.suse.com/security/cve/CVE-2026-24137.html
  * https://www.suse.com/security/cve/CVE-2026-33186.html
  * https://www.suse.com/security/cve/CVE-2026-34986.html
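The 1.4.5 changelog entry above explains why the FUSE helper processes were moved into their own process group: a terminal delivers an interrupt (SIGINT) to every member of the foreground process group, so a helper that shares the group of an interactive program such as a Python REPL dies together with the interrupted foreground job. The Go program below is an added illustration of that mechanism and is not code from the apptainer project. It starts a stand-in helper (`sleep`, assumed to be on PATH on a POSIX system) with `Setpgid`, shows that it no longer shares the caller's process group while a plain child does, and then stops the helper by signalling its private group, which cannot reach the parent or any other child. All function names are made up for the example.

```go
package main

import (
	"fmt"
	"os/exec"
	"syscall"
)

// startDetached launches a helper in its own process group. With Setpgid the
// child's pgid equals its pid, so a terminal-generated SIGINT aimed at the
// foreground process group is not delivered to it. This mirrors the fix
// described in the changelog; "sleep" stands in for a FUSE process.
func startDetached(name string, args ...string) (*exec.Cmd, error) {
	cmd := exec.Command(name, args...)
	cmd.SysProcAttr = &syscall.SysProcAttr{Setpgid: true}
	if err := cmd.Start(); err != nil {
		return nil, err
	}
	return cmd, nil
}

// startAttached is the pre-fix behaviour: the child inherits our process group
// and therefore receives the same terminal signals we do.
func startAttached(name string, args ...string) (*exec.Cmd, error) {
	cmd := exec.Command(name, args...)
	if err := cmd.Start(); err != nil {
		return nil, err
	}
	return cmd, nil
}

// inOwnGroup reports whether the child's process group differs from ours.
func inOwnGroup(cmd *exec.Cmd) (bool, error) {
	pgid, err := syscall.Getpgid(cmd.Process.Pid)
	if err != nil {
		return false, err
	}
	return pgid != syscall.Getpgrp(), nil
}

// stopGroup terminates the helper's whole process group (a negative pid
// addresses the group). Because the group is private to the helper, the
// signal cannot hit the parent or unrelated children. Returns true when the
// helper died from SIGTERM.
func stopGroup(cmd *exec.Cmd) (bool, error) {
	pgid, err := syscall.Getpgid(cmd.Process.Pid)
	if err != nil {
		return false, err
	}
	if err := syscall.Kill(-pgid, syscall.SIGTERM); err != nil {
		return false, err
	}
	_ = cmd.Wait() // death by signal surfaces as *exec.ExitError; expected here
	ws, ok := cmd.ProcessState.Sys().(syscall.WaitStatus)
	return ok && ws.Signaled() && ws.Signal() == syscall.SIGTERM, nil
}

// Demo returns (detached helper has its own group, plain child shares our
// group, helper group was stopped by SIGTERM).
func Demo() (bool, bool, bool, error) {
	helper, err := startDetached("sleep", "30")
	if err != nil {
		return false, false, false, err
	}
	detached, err := inOwnGroup(helper)
	if err != nil {
		return false, false, false, err
	}

	control, err := startAttached("sleep", "30")
	if err != nil {
		return false, false, false, err
	}
	controlOwnGroup, err := inOwnGroup(control)
	if err != nil {
		return false, false, false, err
	}
	_ = control.Process.Kill()
	_ = control.Wait()

	stopped, err := stopGroup(helper)
	if err != nil {
		return false, false, false, err
	}
	return detached, !controlOwnGroup, stopped, nil
}

func main() {
	detached, shared, stopped, err := Demo()
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Printf("detached helper in own process group: %v\n", detached)
	fmt.Printf("plain child shares our process group: %v\n", shared)
	fmt.Printf("helper group stopped by SIGTERM:       %v\n", stopped)
}
```

The two `inOwnGroup` checks are the operationally useful part: a helper that still shares the caller's group is the symptom the changelog describes, and `ps -o pid,pgid,comm` on a running instance shows the same thing from the outside.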
In Apache Log4j2, a Java Logging Framework, the Socket Appender does not perform TLS hostname verification of the peer certificate, even when the verifyHostName configuration attribute or the log4j2.sslVerifyHostName system property is set to true. This issue may allow a man-in-the-middle attacker to intercept or redirect log traffic under specific and hard to.

-------------------------------------------------------------------------
Debian LTS Advisory DLA-4444-1
--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2022-5ef0bd9a27
2022-07-30 01:52:05.591823
--------------------------------------------------------------------------------
Name        : apptainer
Product     : Fedora 36
Version     : 1.0.3
Release     : 2.fc36
URL         : https://apptainer.org
Summary     : Application and environment virtualization
Description :
Apptainer provides functionality to make portable containers that can be used across host environments.
--------------------------------------------------------------------------------
Update Information:

Rebuild to mitigate CVE-2022-{1705,32148,30631,30633,28131,30635,30632,30630,1962} in golang
---
See https://groups.google.com/g/golang-dev/c/frczlF8OFQ0/m/4lrZh5BHDgAJ for more information about the specific vulnerabilities.
--------------------------------------------------------------------------------
ChangeLog:

* Tue Jul 19 2022 Maxwell G - 1.0.3-2
- Rebuild for CVE-2022-{1705,32148,30631,30633,28131,30635,30632,30630,1962} in golang
* Wed Jul 6 2022 Dave Dykstra - 1.0.3
- Update to upstream 1.0.3
--------------------------------------------------------------------------------
This update can be installed with the "dnf" update program. Use su -c 'dnf upgrade --advisory FEDORA-2022-5ef0bd9a27' at the command line. For more information, refer to the dnf documentation available at https://dnf.readthedocs.io/en/latest/command_ref.html

All packages are signed with the Fedora Project GPG key. More details on the GPG keys used by the Fedora Project can be found at https://fedoraproject.org/security/
--------------------------------------------------------------------------------
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

====================================================================
Red Hat Security Advisory

Synopsis:          Important: rhvm-appliance security update
Advisory ID:       RHSA-2019:1208-01
Product:           Red Hat Virtualization
Advisory URL:      https://access.redhat.com/errata/RHSA-2019:1208
Issue date:        2019-05-14
CVE Names:         CVE-2018-12126 CVE-2018-12127 CVE-2018-12130 CVE-2019-11091
====================================================================

1. Summary:

An update for rhvm-appliance is now available for Red Hat Virtualization 4 for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Virtualization 4 Hypervisor for RHEL 7 - x86_64
Red Hat Virtualization 4 Management Agent for RHEL 7 Hosts - x86_64

3. Description:

The RHV-M Virtual Appliance automates the process of installing and configuring the Red Hat Virtualization Manager. The appliance is available to download as an OVA file from the Customer Portal.

Security Fix(es):

* A flaw was found in the implementation of the "fill buffer", a mechanism used by modern CPUs when a cache-miss is made on L1 CPU cache. If an attacker can generate a load operation that would create a page fault, the execution will continue speculatively with incorrect data from the fill buffer while the data is fetched from higher level caches. This response time can be measured to infer data in the fill buffer. (CVE-2018-12130)

* Modern Intel microprocessors implement hardware-level micro-optimizations to improve the performance of writing data back to CPU caches. The write operation is split into STA (STore Address) and STD (STore Data) sub-operations. These sub-operations allow the processor to hand-off address generation logic into these sub-operations for optimized writes. Both of these sub-operations write to a shared distributed processor structure called the 'processor store buffer'. As a result, an unprivileged attacker could use this flaw to read private data resident within the CPU's processor store buffer. (CVE-2018-12126)

* Microprocessors use a 'load port' subcomponent to perform load operations from memory or IO. During a load operation, the load port receives data from the memory or IO subsystem and then provides the data to the CPU registers and operations in the CPU's pipelines. Stale load operation results are stored in the 'load port' table until overwritten by newer operations. Certain load-port operations triggered by an attacker can be used to reveal data about previous stale requests, leaking data back to the attacker via a timing side-channel. (CVE-2018-12127)

* Uncacheable memory on some microprocessors utilizing speculative execution may allow an authenticated user to potentially enable information disclosure via a side channel with local access. (CVE-2019-11091)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes described in this advisory, refer to:

https://access.redhat.com/articles/2974891

5. Bugs fixed (https://bugzilla.redhat.com/):

1646781 - CVE-2018-12126 hardware: Microarchitectural Store Buffer Data Sampling (MSBDS)
1646784 - CVE-2018-12130 hardware: Microarchitectural Fill Buffer Data Sampling (MFBDS)
1667782 - CVE-2018-12127 hardware: Micro-architectural Load Port Data Sampling - Information Leak (MLPDS)
1705312 - CVE-2019-11091 hardware: Microarchitectural Data Sampling Uncacheable Memory (MDSUM)

6. Package List:

Red Hat Virtualization 4 Management Agent for RHEL 7 Hosts:

Source:
rhvm-appliance-4.3-20190506.0.el7.src.rpm

x86_64:
rhvm-appliance-4.3-20190506.0.el7.x86_64.rpm

Red Hat Virtualization 4 Hypervisor for RHEL 7:

Source:
rhvm-appliance-4.3-20190506.0.el7.src.rpm

x86_64:
rhvm-appliance-4.3-20190506.0.el7.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2018-12126
https://access.redhat.com/security/cve/CVE-2018-12127
https://access.redhat.com/security/cve/CVE-2018-12130
https://access.redhat.com/security/cve/CVE-2019-11091
https://access.redhat.com/security/vulnerabilities/mds
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/

Copyright 2019 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBXNsvNdzjgjWX9erEAQjIXg/+IgEjKjFNvMRmExor3Uo50+VbR/JwT8z6
4jG4AFgCnP/he3jbxGe4Eto7QggbojiqCXLjVDU2CReivbVJkxb9mr/9q37h8fy7
lv5sYSmD6SEYfQkSCrjJ73P0rqHWyCD9G4GzSS4NyVVJQCGUWJb7M3CwnKNo0jb1
/d6aq9HvbkVqXSEiEtCyegSjRvnPkQ1z8H2hVM3Wv+lvkCkEfM0hPLggszwDzZsN
fqmqKH8OIldKgIjwoaZM0JmWZxn3DhBkxWnM/t4FrjmdmY/RmQeFV862YOBF8Wbe
gLpnNcTvcUIoxY/TYzEUxaRgP3flB/AjIOStfkI/+gNlmnvzwU/Vi3l8aekyHpa1
ZB6/LDrbntmfYcfDpnqeaSTcgANyZXOGoD1BlDQGTJkAkOZuHXSJ6nviWz3wK6cv
cj4CbOMTZ+zpMrvJkcKZsThs6/riNpQCKIL9b/zquReL/jrIqkNjHopjDzLDolPG
UB59Y3HBDh9vgBefH+RCjBjpsE3SUND0m0TT7yKv07hjg82MjsmjZ4mcXORRcleC
cXHPM0FWS78nNNonGEg/CevTMCEsrtIbMpQfCd51c/kXsXXh/SSY7C88Ps4e2Oop
KZMvuFtSqbGnPqQqqy4In+xynqMy4TR0q/HH8yYrfZ4wrswgW3VTbdMAoVI8Uwp8
/HN3OozU/xI=
=lEoX
-----END PGP SIGNATURE-----