Explore top 10 tips to secure your open-source projects now. Read More

×
Alerts This Week
Warning Icon 1 584
Alerts This Week
Warning Icon 1 584

Stay Secure with the Latest Linux Advisories

Filter%20icon Refine advisories
X Clear Filters
X Clear Filters
View More

Get the latest News and Insights

Get the latest Linux and open source security news straight to your inbox.

Community Poll

Is continuous patching actually viable?

No answer selected. Please try again.
Please select either existing option or enter your own, however not both.
Please select minimum {0} answer(s).
Please select maximum {0} answer(s).
/main-polls/156-is-continuous-patching-actually-viable?task=poll.vote&format=json
156
radio
0
[{"id":503,"title":"Delayed updates invite catastrophic breaches.","votes":1,"type":"x","order":1,"pct":50,"resources":[]},{"id":504,"title":"Automated fixes break production environments.","votes":1,"type":"x","order":2,"pct":50,"resources":[]},{"id":505,"title":"Manual approvals cannot keep pace.","votes":0,"type":"x","order":3,"pct":0,"resources":[]}] ["#ff5b00","#4ac0f2","#b80028","#eef66c","#60bb22","#b96a9a","#62c2cc"] ["rgba(255,91,0,0.7)","rgba(74,192,242,0.7)","rgba(184,0,40,0.7)","rgba(238,246,108,0.7)","rgba(96,187,34,0.7)","rgba(185,106,154,0.7)","rgba(98,194,204,0.7)"] 350
bottom 200
Loading...

Explore Latest Linux Security advisories

We found 556 articles for you...
172

Ubuntu 26.04 Authlib Important JWT Bypass and CSRF Vulnerities USN-8557-1

Several security issues were fixed in Authlib.. ========================================================================== Ubuntu Security Notice USN-8557-1 July 16, 2026 python-authlib vulnerabilities ========================================================================== A security issue affects these releases of Ubuntu and its derivatives: - Ubuntu 26.04 LTS - Ubuntu 24.04 LTS - Ubuntu 22.04 LTS Summary: Several security issues were fixed in Authlib. Software Description: - python-authlib: Python library for building OAuth and OpenID Connect servers Details: Jay Neiva and Mauro Carrillo discovered that Authlib did not properly validate cryptographic keys embedded in JWT headers. An attacker could possibly use this issue to forge trusted tokens, resulting in authentication and authorization bypass. (CVE-2026-27962) Jay Neiva and Mauro Carrillo discovered that Authlib incorrectly handled RSA1_5 encrypted tokens. An attacker could possibly use this issue to recover sensitive encrypted information, resulting in information disclosure. (CVE-2026-28490) Jay Neiva and Mauro Carrillo discovered that Authlib did not properly reject unsupported cryptographic algorithms when validating OpenID Connect ID tokens. An attacker could possibly use this issue to bypass token integrity checks, resulting in authentication bypass. (CVE-2026-28498) Johnny Deuss discovered that Authlib did not provide cross-site request forgery protection for the OAuth cache feature in its Starlette integration. An attacker could possibly use this issue to perform unauthorized OAuth actions, resulting in cross-site request forgery. This issue only affected Ubuntu 24.04 LTS and Ubuntu 26.04 LTS. (CVE-2026-41425) Update instructions: The problem can be corrected by updating your system to the following package versions: Ubuntu 26.04 LTS python3-authlib 1.6.7-1ubuntu0.1~esm1 Available with Ubuntu Pro Ubuntu 24.04 LTS python3-authlib 1.3.0-1ubuntu0.1~esm2 Available with Ubuntu Pro Ubuntu 22.04 LTS python3-authlib 0.15.5-1ubuntu0.1~esm2 Available with Ubuntu Pro In general, a standard system update will make all the necessary changes. References: https://ubuntu.com/security/notices/USN-8557-1 CVE-2026-27962, CVE-2026-28490, CVE-2026-28498, CVE-2026-41425 . Multiple security flaws in Authlib fixed, affecting several Ubuntu versions. Update recommended for safety against attacks.. python-authlib, ubuntu updates, oauth security. . Severity: Important. LinuxSecurity.com Team

Calendar%202 Jul 16, 2026 Important Ubuntu
172

Ubuntu 26.04 LTS .NET Critical Privilege Escalation DoS Vuln 8553-1

Several security issues were fixed in .NET.. ========================================================================== Ubuntu Security Notice USN-8553-1 July 15, 2026 dotnet8, dotnet10 vulnerabilities ========================================================================== A security issue affects these releases of Ubuntu and its derivatives: - Ubuntu 26.04 LTS - Ubuntu 24.04 LTS - Ubuntu 22.04 LTS Summary: Several security issues were fixed in .NET. Software Description: - dotnet10: .NET CLI tools and runtime - dotnet8: .NET CLI tools and runtime Details: Artur Stetsko discovered that the .NET did not properly validate authentication data. An attacker could possibly use this issue to elevate privileges. (CVE-2026-47300) Levi Broderick discovered that .NET did not properly handle XML encryption during parsing. An attacker could possibly use this issue to consume excessive resources, resulting in a denial of service. (CVE-2026-47302) Pham Quang Minh discovered that .NET did not properly parse authentication data. An attacker could possibly use this issue to bypass authentication and elevate privileges. (CVE-2026-47303) Levi Broderick discovered that .NET did not properly verify cryptographic signatures during XML encryption. An attacker could possibly use this issue to bypass security features over a network and access encrypted data. (CVE-2026-47304) It was discovered that .NET did not properly validate input during TLS handshakes. An attacker could possibly use this issue to cause .NET to crash, resulting in a denial of service. (CVE-2026-50524) Levi Broderick discovered that .NET did not properly handle resource allocation during XML encryption. An attacker could possibly use this issue to consume excessive resources, resulting in a denial of service. (CVE-2026-50525) Siwei Li discovered that .NET did not properly handle link resolution before file access during the container image build process. A local attacker could possibly use this issue to inject resources that could be incorporatedinto container images built by other users on the same machine. (CVE-2026-50526) Levi Broderick discovered that .NET did not properly handle memory while performing XML encryption. An attacker could possibly use this issue to cause .NET to crash, resulting in a denial of service. (CVE-2026-50527) Henrique Pereira discovered that .NET did not properly handle authorization checks during TLS/SSL connections. An attacker could possibly use this issue to bypass authorization checks during secure communications. (CVE-2026-50528) It was discovered that .NET did not properly handle resource allocation during XML encryption. An attacker could possibly use this issue to consume excessive resources, resulting in a denial of service. (CVE-2026-50648) Miha Zupan discovered that .NET did not properly limit resource allocation when handling HTTP/2 requests. An attacker could possibly use this issue to consume excessive resources, resulting in a denial of service. (CVE-2026-50651) It was discovered that the .NET SMTP client did not properly handle the encoding or escaping of output. An attacker could possibly use this issue to spoof messages during message routing. (CVE-2026-50659) It was discovered that .NET did not properly validate resource types when parsing X.509 certificates. An attacker could possibly use this issue to cause .NET to crash, resulting in a denial of service. (CVE-2026-57108) Update instructions: The problem can be corrected by updating your system to the following package versions: Ubuntu 26.04 LTS aspnetcore-runtime-10.0 10.0.10-0ubuntu1~26.04.1 dotnet-host-10.0 10.0.10-0ubuntu1~26.04.1 dotnet-hostfxr-10.0 10.0.10-0ubuntu1~26.04.1 dotnet-runtime-10.0 10.0.10-0ubuntu1~26.04.1 dotnet-sdk-10.0 10.0.110-0ubuntu1~26.04.1 dotnet-sdk-aot-10.0 10.0.110-0ubuntu1~26.04.1 dotnet10 10.0.110-10.0.10-0ubuntu1~26.04.1 Ubuntu 24.04 LTS aspnetcore-runtime-10.0 10.0.10-0ubuntu1~24.04.1 aspnetcore-runtime-8.0 8.0.29-0ubuntu1~24.04.1 dotnet-host-10.0 10.0.10-0ubuntu1~24.04.1 dotnet-host-8.0 8.0.29-0ubuntu1~24.04.1 dotnet-hostfxr-10.0 10.0.10-0ubuntu1~24.04.1 dotnet-hostfxr-8.0 8.0.29-0ubuntu1~24.04.1 dotnet-runtime-10.0 10.0.10-0ubuntu1~24.04.1 dotnet-runtime-8.0 8.0.29-0ubuntu1~24.04.1 dotnet-sdk-10.0 10.0.110-0ubuntu1~24.04.1 dotnet-sdk-8.0 8.0.129-0ubuntu1~24.04.1 dotnet-sdk-aot-10.0 10.0.110-0ubuntu1~24.04.1 dotnet10 10.0.110-10.0.10-0ubuntu1~24.04.1 dotnet8 8.0.129-8.0.29-0ubuntu1~24.04.1 Ubuntu 22.04 LTS aspnetcore-runtime-8.0 8.0.29-0ubuntu1~22.04.1 dotnet-host-8.0 8.0.29-0ubuntu1~22.04.1 dotnet-hostfxr-8.0 8.0.29-0ubuntu1~22.04.1 dotnet-runtime-8.0 8.0.29-0ubuntu1~22.04.1 dotnet-sdk-8.0 8.0.129-0ubuntu1~22.04.1 dotnet8 8.0.129-8.0.29-0ubuntu1~22.04.1 In general, a standard system update will make all the necessary changes. References: https://ubuntu.com/security/notices/USN-8553-1 CVE-2026-47300, CVE-2026-47302, CVE-2026-47303, CVE-2026-47304, CVE-2026-50524, CVE-2026-50525, CVE-2026-50526, CVE-2026-50527, CVE-2026-50528, CVE-2026-50648, CVE-2026-50651, CVE-2026-50659, CVE-2026-57108 Package Information: https://launchpad.net/ubuntu/+source/dotnet10/10.0.110-10.0.10-0ubuntu1~26.04.1 https://launchpad.net/ubuntu/+source/dotnet10/10.0.110-10.0.10-0ubuntu1~24.04.1 https://launchpad.net/ubuntu/+source/dotnet8/8.0.129-8.0.29-0ubuntu1~24.04.1 https://launchpad.net/ubuntu/+source/dotnet8/8.0.129-8.0.29-0ubuntu1~22.04.1 . Multiple security issues addressed in .NET affecting Ubuntu distributions. Immediate updates recommended for safety.. Ubuntu Security, .NET Update, Privilege Escalation, Denial of Service, Security Fixes. . Severity: Important. LinuxSecurity.com Team

Calendar%202 Jul 15, 2026 Important Ubuntu
172

Ubuntu OpenSSH Important File Handling Issues Vuln USN-8533-1

Several security issues were fixed in OpenSSH.. ========================================================================== Ubuntu Security Notice USN-8533-1 July 13, 2026 openssh vulnerabilities ========================================================================== A security issue affects these releases of Ubuntu and its derivatives: - Ubuntu 26.04 LTS - Ubuntu 24.04 LTS - Ubuntu 22.04 LTS Summary: Several security issues were fixed in OpenSSH. Software Description: - openssh: secure shell (SSH) for secure access to remote machines Details: It was discovered that OpenSSH sftp did not properly constrain the location of downloaded files when connecting to an attacker-controlled server. An attacker could possibly use this issue to write files to unintended locations on the file system. (CVE-2026-59995) It was discovered that OpenSSH scp could place files in the parent directory of the intended destination when copying between two remote hosts. An attacker could possibly use this issue to write files to unintended locations. (CVE-2026-59996) It was discovered that OpenSSH internal-sftp only recognized the first nine command-line arguments, This could result in certain security-sensitive arguments being ignored, contrary to expectations. (CVE-2026-59997) It was discovered that OpenSSH had undocumented behaviour regarding the GSSAPIStrictAcceptorCheck option in environments using Windows Active Directory. The documentation has been updated to clarify use of the option. (CVE-2026-59998) It was discovered that OpenSSH did not properly enforce precedence of DisableForwarding=yes over PermitTunnel=yes in server configurations. This could possibly result in intended network forwarding restrictions being bypassed, contrary to expectations. (CVE-2026-59999) It was discovered that OpenSSH mishandled the MaxAuthTries limit for GSSAPI authentication. A remote attacker could use this issue to perform excessive authentication attempts. (CVE-2026-60000) It was discovered that OpenSSH did not always honour theminimum authentication delay. An attacker could possibly use this issue to perform brute-force attacks more efficiently. (CVE-2026-60001) It was discovered that the OpenSSH client had a use-after-free vulnerability when a server changed its host key during a key re-exchange. An attacker able to intercept communications could possibly use this issue to execute arbitrary code or obtain sensitive information. (CVE-2026-60002) Update instructions: The problem can be corrected by updating your system to the following package versions: Ubuntu 26.04 LTS openssh-client 1:10.2p1-2ubuntu3.4 openssh-server 1:10.2p1-2ubuntu3.4 Ubuntu 24.04 LTS openssh-client 1:9.6p1-3ubuntu13.18 openssh-server 1:9.6p1-3ubuntu13.18 Ubuntu 22.04 LTS openssh-client 1:8.9p1-3ubuntu0.16 openssh-server 1:8.9p1-3ubuntu0.16 In general, a standard system update will make all the necessary changes. References: https://ubuntu.com/security/notices/USN-8533-1 CVE-2026-59995, CVE-2026-59996, CVE-2026-59997, CVE-2026-59998, CVE-2026-59999, CVE-2026-60000, CVE-2026-60001, CVE-2026-60002 Package Information: https://launchpad.net/ubuntu/+source/openssh/1:10.2p1-2ubuntu3.4 https://launchpad.net/ubuntu/+source/openssh/1:9.6p1-3ubuntu13.18 https://launchpad.net/ubuntu/+source/openssh/1:8.9p1-3ubuntu0.16 . Multiple security issues in OpenSSH patched for Ubuntu to enhance protection against potential attacks.. OpenSSH Security, Ubuntu SSH Issues, SSH Client Server Fix, File Transfer Vulnerabilities. . Severity: Important. LinuxSecurity.com Team

Calendar%202 Jul 13, 2026 Important Ubuntu
89

Fedora 44 sssd Severe Use After Free and Path Traversal Vulnerabilities

CVE fixes: CVE-2026-12610 CVE-2026-14474 CVE-2026-14476 - rhbz#2494777: CVE-2026-12610 sssd: Use-after-free crash in SSSD' 'sssd_pam' process - rhbz#2497650: CVE-2026-14476 sssd: sssd: GPO cache path traversal via unsanitized. -------------------------------------------------------------------------------- Fedora Update Notification FEDORA-2026-5acfb0243b 2026-07-11 01:06:30.201372+00:00 -------------------------------------------------------------------------------- Name : sssd Product : Fedora 44 Version : 2.13.1 Release : 2.fc44 URL : https://github.com/SSSD/sssd/ Summary : System Security Services Daemon Description : Provides a set of daemons to manage access to remote directories and authentication mechanisms. It provides an NSS and PAM interface toward the system and a pluggable back end system to connect to multiple different account sources. It is also the basis to provide client auditing and policy services for projects like FreeIPA. The sssd subpackage is a meta-package that contains the daemon as well as all the existing back ends. -------------------------------------------------------------------------------- Update Information: CVE fixes: CVE-2026-12610 CVE-2026-14474 CVE-2026-14476 - rhbz#2494777: CVE-2026-12610 sssd: Use-after-free crash in SSSD' 'sssd_pam' process - rhbz#2497650: CVE-2026-14476 sssd: sssd: GPO cache path traversal via unsanitized gPCFileSysPath allows Kerberos authentication bypass - rhbz#2497651: CVE-2026-14474 sssd: sssd: sudo LDAP provider searches entire directory tree for sudoRole objects by default, enabling privilege escalation -------------------------------------------------------------------------------- ChangeLog: * Wed Jul 8 2026 Sumit Bose - 2.13.1-2 - CVE fixes: CVE-2026-12610 CVE-2026-14474 CVE-2026-14476 - rhbz#2494777: CVE-2026-12610 sssd: Use-after-free crash in SSSD' 'sssd_pam' process - rhbz#2497650: CVE-2026-14476 sssd: sssd: GPO cache path traversal via unsanitizedgPCFileSysPath allows Kerberos authentication bypass - rhbz#2497651: CVE-2026-14474 sssd: sssd: sudo LDAP provider searches entire directory tree for sudoRole objects by default, enabling privilege escalation -------------------------------------------------------------------------------- References: [ 1 ] Bug #2494777 - CVE-2026-12610 sssd: Use-after-free crash in SSSD' 'sssd_pam' process [fedora-all] https://bugzilla.redhat.com/show_bug.cgi?id=2494777 [ 2 ] Bug #2497650 - CVE-2026-14476 sssd: sssd: GPO cache path traversal via unsanitized gPCFileSysPath allows Kerberos authentication bypass [fedora-all] https://bugzilla.redhat.com/show_bug.cgi?id=2497650 [ 3 ] Bug #2497651 - CVE-2026-14474 sssd: sssd: sudo LDAP provider searches entire directory tree for sudoRole objects by default, enabling privilege escalation [fedora-all] https://bugzilla.redhat.com/show_bug.cgi?id=2497651 -------------------------------------------------------------------------------- This update can be installed with the "dnf" update program. Use su -c 'dnf upgrade --advisory FEDORA-2026-5acfb0243b' at the command line. For more information, refer to the dnf documentation available at http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label All packages are signed with the Fedora Project GPG key. More details on the GPG keys used by the Fedora Project can be found at https://fedoraproject.org/keys -------------------------------------------------------------------------------- -- _______________________________________________ package-announce mailing list -- This email address is being protected from spambots. You need JavaScript enabled to view it. To unsubscribe send an email to This email address is being protected from spambots. You need JavaScript enabled to view it. Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/This email address is being protected from spambots. You need JavaScript enabled to view it. Do not reply to spam,report it: https://forge.fedoraproject.org/infra/tickets/issues/new . Critical updates for Fedora 44 addressing use-after-free crashes and authentication flaws in sssd software.. Fedora security update, sssd patches, system access flaws, PAM interface issues. . Severity: Important. LinuxSecurity.com Team

Calendar%202 Jul 10, 2026 Important Fedora
202

openSUSE Dirmngr Moderate Cross-Site Vulnerabilities Advisory 2026-11213-1

An update that solves one vulnerability can now be installed.. # dirmngr-2.5.21-1.1 on GA media Announcement ID: openSUSE-SU-2026:11213-1 Rating: moderate Cross-References: * CVE-2026-57062 CVSS scores: * CVE-2026-57062 ( SUSE ): 2.9 CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N * CVE-2026-57062 ( SUSE ): 2.1 CVSS:4.0/AV:L/AC:H/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N Affected Products: * openSUSE Tumbleweed An update that solves one vulnerability can now be installed. ## Description: These are all security issues fixed in the dirmngr-2.5.21-1.1 package on the GA media of openSUSE Tumbleweed. ## Package List: * openSUSE Tumbleweed: * dirmngr 2.5.21-1.1 * gpg2 2.5.21-1.1 * gpg2-lang 2.5.21-1.1 * gpg2-tpm 2.5.21-1.1 ## References: * https://www.suse.com/security/cve/CVE-2026-57062.html . Update for dirmngr fixes a moderate security risk identified in CVE-2026-57062 on openSUSE Tumbleweed.. openSUSE Tumbleweed, dirmngr update, moderate security patch. . Severity: moderate. LinuxSecurity.com Team

Calendar%202 Jul 09, 2026 moderate OpenSUSE
99

Slackware proftpd Critical Stack Overflow Advisory 2026-189-02

New proftpd packages are available for Slackware 15.0 and -current to fix security issues.. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 [slackware-security] proftpd (SSA:2026-189-02) New proftpd packages are available for Slackware 15.0 and -current to fix security issues. Here are the details from the Slackware 15.0 ChangeLog: +--------------------------+ patches/packages/proftpd-1.3.9c-i586-1_slack15.0.txz: Upgraded. This update fixes bugs and security issues: ExecEnviron values not passed due to regression since 1.3.8.d. Stack buffer overflow in MLSD/MLST handling for long path names. MaxTransfersPerUser no longer enforces configured limits. AdminControlsACLs for config, get actions not honored as they should be. Memcached/Redis-cached JSON TLS session/OCSP entries decoded into fixed buffers without bounds checking. RewriteMap unescape builtin use causes one-byte out-of-bounds write, fails to reject illegal characters. SQL group name lookup concatenates client-provided group names without escaping. Authenticated SFTP sessions can overflow the SFTP packet buffer. Default Controls socket ACLs unintentionally allow all users access for sending Controls requests. (* Security fix *) +--------------------------+ Where to find the new packages: +-----------------------------+ Thanks to the friendly folks at the OSU Open Source Lab (http://osuosl.org) for donating FTP and rsync hosting to the Slackware project! :-) Also see the "Get Slack" section on http://slackware.com for additional mirror sites near you. Updated package for Slackware 15.0: ftp://ftp.slackware.com/pub/slackware/slackware-15.0/patches/packages/proftpd-1.3.9c-i586-1_slack15.0.txz Updated package for Slackware x86_64 15.0: ftp://ftp.slackware.com/pub/slackware/slackware64-15.0/patches/packages/proftpd-1.3.9c-x86_64-1_slack15.0.txz Updated package for Slackware -current: ftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/n/proftpd-1.3.9c-i686-1.txz Updated package for Slackware x86_64-current: ftp://ftp.slackware.com/pub/slackware/slackware64-current/slackware64/n/proftpd-1.3.9c-x86_64-1.txz MD5 signatures: +-------------+ Slackware 15.0 package: 5e957bcf4abf13fc957520d6987eb954 proftpd-1.3.9c-i586-1_slack15.0.txz Slackware x86_64 15.0 package: 7506a63751fc4996465a2c83e9174eae proftpd-1.3.9c-x86_64-1_slack15.0.txz Slackware -current package: eb1aa81c4db3a984dc39f9e75438e067 n/proftpd-1.3.9c-i686-1.txz Slackware x86_64 -current package: d28ec7ff480ab4121deb30c59c73e9ca n/proftpd-1.3.9c-x86_64-1.txz Installation instructions: +------------------------+ Upgrade the package as root: # upgradepkg proftpd-1.3.9c-i586-1_slack15.0.txz +-----+ . Upgrade to the latest proftpd package for Slackware to address significant security issues and bugs in the software.. proftpd security issues, Slackware package updates, buffer overflow fix. . Severity: Critical. LinuxSecurity.com Team

Calendar%202 Jul 08, 2026 Critical Slackware
100

SUSE Docker Important Security Update for Four Threats SUSE-SU-2026-22513-1

An update that solves four vulnerabilities can now be installed.. # Security update for docker Announcement ID: SUSE-SU-2026:22513-1 Release Date: 2026-07-02T18:48:26Z Rating: important References: * bsc#1262346 * bsc#1265782 * bsc#1266625 * bsc#1267827 Cross-References: * CVE-2026-33814 * CVE-2026-39821 * CVE-2026-39984 * CVE-2026-41567 CVSS scores: * CVE-2026-33814 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H * CVE-2026-33814 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H * CVE-2026-33814 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H * CVE-2026-33814 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H * CVE-2026-39821 ( SUSE ): 9.1 CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N * CVE-2026-39821 ( SUSE ): 7.4 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N * CVE-2026-39821 ( NVD ): 8.2 CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N * CVE-2026-39821 ( NVD ): 9.6 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N * CVE-2026-39984 ( SUSE ): 6.8 CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N * CVE-2026-39984 ( SUSE ): 5.5 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N * CVE-2026-39984 ( NVD ): 5.5 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N * CVE-2026-41567 ( SUSE ): 7.2 CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N * CVE-2026-41567 ( NVD ): 7.2 CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N * CVE-2026-41567 ( NVD ): 7.5 CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H Affected Products: * SUSE Linux Micro 6.0 An update that solves four vulnerabilities can now be installed. ## Description: This update for docker fixes the following issues * CVE-2026-33814: golang.org/x/net/http2: infinite loop in HTTP/2 transport when given bad SETTINGS_MAX_FRAME_SIZE (bsc#1265782). * CVE-2026-39821: golang.org/x/net/idna: failure to reject ASCII-only Punycode-encoded labels allows for validation bypass and privilege escalation (bsc#1266625). *CVE-2026-39984: github.com/sigstore/timestamp-authority/v2/pkg/verification: improper certificate validation can be used to bypass some authorization controls (bsc#1262346). * CVE-2026-41567: arbitrary code execution with full daemon privileges when a user uploads a compressed archive into that container (bsc#1267827). ## Patch Instructions: To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: * SUSE Linux Micro 6.0 zypper in -t patch SUSE-SLE-Micro-6.0-778=1 ## Package List: * SUSE Linux Micro 6.0 (aarch64 s390x x86_64) * docker-buildx-0.33.0-11.1 * docker-debuginfo-29.4.0_ce-11.1 * docker-29.4.0_ce-11.1 ## References: * https://www.suse.com/security/cve/CVE-2026-33814.html * https://www.suse.com/security/cve/CVE-2026-39821.html * https://www.suse.com/security/cve/CVE-2026-39984.html * https://www.suse.com/security/cve/CVE-2026-41567.html * https://bugzilla.suse.com/show_bug.cgi?id=1262346 * https://bugzilla.suse.com/show_bug.cgi?id=1265782 * https://bugzilla.suse.com/show_bug.cgi?id=1266625 * https://bugzilla.suse.com/show_bug.cgi?id=1267827 . SUSE's important security update addresses four vulnerabilities in docker. Patch now to safeguard your systems.. SUSE security update, docker vulnerabilities, software patching, SUSE security patch, responsive releases. . Severity: Important. LinuxSecurity.com Team

Calendar%202 Jul 08, 2026 Important SuSE
202

openSUSE Tomcat10 Important Security Update 2026-21122-1 Denial of Service

An update that solves 7 vulnerabilities and has 7 bug fixes can now be installed.. openSUSE security update: security update for tomcat10 ------------------------------------------------------------- Announcement ID: openSUSE-SU-2026:21122-1 Rating: important References: * bsc#1265145 * bsc#1265162 * bsc#1265163 * bsc#1265165 * bsc#1265166 * bsc#1265167 * bsc#1265168 Cross-References: * CVE-2026-41284 * CVE-2026-41293 * CVE-2026-42498 * CVE-2026-43512 * CVE-2026-43513 * CVE-2026-43514 * CVE-2026-43515 CVSS scores: * CVE-2026-41284 ( SUSE ): 6.5 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H * CVE-2026-41284 ( SUSE ): 7.1 CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N * CVE-2026-41293 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H * CVE-2026-41293 ( SUSE ): 8.7 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N * CVE-2026-42498 ( SUSE ): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N * CVE-2026-42498 ( SUSE ): 6.9 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N * CVE-2026-43512 ( SUSE ): 7.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L * CVE-2026-43512 ( SUSE ): 6.9 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N * CVE-2026-43513 ( SUSE ): 5.4 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N * CVE-2026-43513 ( SUSE ): 5.3 CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N * CVE-2026-43514 ( SUSE ): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N * CVE-2026-43514 ( SUSE ): 6.9 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N * CVE-2026-43515 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N * CVE-2026-43515 ( SUSE ): 8.7 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N Affected Products: openSUSE Leap 16.0 ------------------------------------------------------------- An update that solves 7 vulnerabilities and has 7 bug fixes can now be installed. Description: This update for tomcat10 fixes the followingissues Update to Tomcat 10.1.55: - CVE-2026-41284: Unbounded read in WebDAV LOCK and PROPFIND handling (bsc#1265162). - CVE-2026-41293: HTTP/2 request headers not validated (bsc#1265163). - CVE-2026-42498: WebSocket authentication header exposure (bsc#1265165). - CVE-2026-43512: digest authenticator will authenticate any unknown user (bsc#1265145). - CVE-2026-43513: LockOutRealm treats user names as case-sensitive (bsc#1265166). - CVE-2026-43514: AJP secret compared in non-constant time (bsc#1265167). - CVE-2026-43515: Security constraints not correctly applied (bsc#1265168). Changes: * Catalina + Add: Enhance version.sh and version.bat to display APR, Tomcat Native, and OpenSSL version information (both APR and FFM implementations), along with version compatibility warnings and third-party library version information. (csutherl) + Code: Refactor generation of the remote user element in the access log to remove unnecessary code. (markt) + Fix: Fix a regression in the previous release that meant ?- could appear in the access log rather than ? when the query string was present but empty. (markt) + Fix: Failed precondition should make WebDAV DELETE fail. #982 submitted by Mahmoud Alarby. (remm) + Fix: Align the escaping in ExtendedAccessLogValve with the other AccessLogValve implementations. (markt) + Fix: 70000: fix duplication of special headers in the response after commit, following fix for 69967. (remm) + Fix: Correct the handling of URIs mapped to a security constraint that only specifies the special ** role for all authenticated users. Requests without authentication were receiving 403 responses rather than 401 responses. (markt) + Fix: Fix a race condition in StandardContext.getServletContext() that could cause the jakarta.servlet.context.tempdir attribute to be lost during a context reload. Make the context field volatile and use locking to ensure only one ApplicationContext instance is created. (dsoumis) + Fix: Update the Windows authentication (kerberos) documentation toreflect that both Java and Windows are removing / have removed support for RC4-HMAC. The guide now uses AES256-SHA1. (markt) + Fix: Add a new initialisation parameter for WebDAV, maxRequestBodySize which limits the size of a WebDAV request body for LOCK and PROPFIND. The default value is 4096 bytes. (markt) + Add: Add a new caseSensitive attribute to the LockOutRealm that controls the manner in which user names are treated when making locking decisions. The default is false, meaning user names are treated in a case insensitive manner. (markt) + Fix: Correct the handling of invalid users with DIGEST authentication. (markt) + Fix: Ensure RealmBase finds all matching extension based security constraints. (markt) * Coyote + Fix: Avoid various edge cases if Content-Length is set via setHeader(String,String) or addHeader(String,String) with an invalid value by always clearing the previous value whether the new value is valid or not and ignoring any invalid new value. (markt) + Code: Refactor the calculation of the real index in the HPACK dynamic header table implementation to reduce code duplication. (markt) + Fix: Fix various minor issues with some HTTP/2 stream error messages for HTTP/2. (markt) + Fix: Consistently reject URIs containing NULL bytes when normalizing. + Fix: Fix a few minor memory leaks on error paths reading TLS keys and certificates when using FFM. (markt) + Fix: Refactor clean-up after HTTP/2 headers have been processed to aid GC after a stream reset. (markt) + Fix: Align HTTP/2 trailer fields with HTTP/1.1 and filter out any fields not permitted in trailers. (markt) + Fix: Free private keys after use in FFM based connector configuration. + Fix: Correct an unlikely edge-case parsing bug in the HTTP/2 HPACK header decoding that could result in a valid header triggering an unexpected connection close. (markt) + Fix: Refactor HTTP/2 HPACK encoding so header field names are only converted to lower case once during the encoding process. (markt) + Fix: Refactor HTTP/2header field validation so it occurs earlier. Extend validation to check for disallowed characters as well as upper case characters. (markt) + Fix: Add TLS 1.3 groups added in OpenSSL 4.0. (remm) + Fix: Add validation that the HTTP/2 :scheme pseudo-header is consistent with the use (or not) of TLS. (markt) + Fix: Correct the validation of pseudo headers and CONNECT requests to align Tomcat's behaviour with RFC 9113, section 8.5. (markt) + Fix: Fix a potential integer overflow when allocating capacity from a connection level window update to individual HTTP/2 streams. Based on #996 by Mike Tingey Jr. (markt) + Fix: Switch AJP secret comparison to a constant time algorithm. (markt) * WebSocket + Fix: Fix the initial connection to a WebSocket end point where the connection is made via a proxy that requires DIGEST authentication. * Other + Fix: 69993: Update the URL to the CDDL 1.0 license. (markt) + Add: Add warning when OpenSSL binary is not found. (csutherl) + Add: Add check for Tomcat Native library, and log warning when it's not found to make it easier to see when it's not used by the suite. (csutherl) + Update: Update Byte Buddy to 1.18.8. (markt) + Update: Update Bouncy Castle to 1.84. (markt) + Update: Improvements to French translations. (remm) + Update: Improvements to Japanese translations provided by tak7iji. (markt) Patch instructions: To install this openSUSE security update use the suse recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - openSUSE Leap 16.0 zypper in -t patch openSUSE-Leap-16.0-987=1 Package List: - openSUSE Leap 16.0: tomcat10-10.1.55-160000.1.1 tomcat10-admin-webapps-10.1.55-160000.1.1 tomcat10-doc-10.1.55-160000.1.1 tomcat10-docs-webapp-10.1.55-160000.1.1 tomcat10-el-5_0-api-10.1.55-160000.1.1 tomcat10-embed-10.1.55-160000.1.1 tomcat10-jsp-3_1-api-10.1.55-160000.1.1 tomcat10-jsvc-10.1.55-160000.1.1 tomcat10-lib-10.1.55-160000.1.1 tomcat10-servlet-6_0-api-10.1.55-160000.1.1 tomcat10-webapps-10.1.55-160000.1.1 References: * https://www.suse.com/security/cve/CVE-2026-41284.html * https://www.suse.com/security/cve/CVE-2026-41293.html * https://www.suse.com/security/cve/CVE-2026-42498.html * https://www.suse.com/security/cve/CVE-2026-43512.html * https://www.suse.com/security/cve/CVE-2026-43513.html * https://www.suse.com/security/cve/CVE-2026-43514.html * https://www.suse.com/security/cve/CVE-2026-43515.html . Important openSUSE security update for tomcat10 addresses critical issues. Install patch to enhance security now!. openSUSE security, tomcat10 update, important security issues. . Severity: Important. LinuxSecurity.com Team

Calendar%202 Jun 30, 2026 Important OpenSUSE
News Add Esm H240

Get the latest News and Insights

Get the latest Linux and open source security news straight to your inbox.

Community Poll

Is continuous patching actually viable?

No answer selected. Please try again.
Please select either existing option or enter your own, however not both.
Please select minimum {0} answer(s).
Please select maximum {0} answer(s).
/main-polls/156-is-continuous-patching-actually-viable?task=poll.vote&format=json
156
radio
0
[{"id":503,"title":"Delayed updates invite catastrophic breaches.","votes":1,"type":"x","order":1,"pct":50,"resources":[]},{"id":504,"title":"Automated fixes break production environments.","votes":1,"type":"x","order":2,"pct":50,"resources":[]},{"id":505,"title":"Manual approvals cannot keep pace.","votes":0,"type":"x","order":3,"pct":0,"resources":[]}] ["#ff5b00","#4ac0f2","#b80028","#eef66c","#60bb22","#b96a9a","#62c2cc"] ["rgba(255,91,0,0.7)","rgba(74,192,242,0.7)","rgba(184,0,40,0.7)","rgba(238,246,108,0.7)","rgba(96,187,34,0.7)","rgba(185,106,154,0.7)","rgba(98,194,204,0.7)"] 350
bottom 200