Explore top 10 tips to secure your open-source projects now. Read More
×An update that solves two vulnerabilities and has one fix can now be installed.. # Security update for openssh Announcement ID: SUSE-SU-2026:21875-1 Release Date: 2026-05-28T15:02:37Z Rating: important References: * bsc#1261427 * bsc#1261430 * bsc#1264568 Cross-References: * CVE-2026-35385 * CVE-2026-35414 CVSS scores: * CVE-2026-35385 ( SUSE ): 7.5 CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N * CVE-2026-35385 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H * CVE-2026-35385 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H * CVE-2026-35385 ( NVD ): 8.1 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H * CVE-2026-35414 ( SUSE ): 2.3 CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N * CVE-2026-35414 ( SUSE ): 4.2 CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N * CVE-2026-35414 ( NVD ): 8.1 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H * CVE-2026-35414 ( NVD ): 4.2 CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N Affected Products: * SUSE Linux Micro 6.1 An update that solves two vulnerabilities and has one fix can now be installed. ## Description: This update for openssh fixes the following issues * CVE-2026-35385: a file downloaded by scp may be installed setuid or setgid (bsc#1261427). * CVE-2026-35414: mishandling of authorized_keys principals option (bsc#1261430). Changes for openssh: * Fix a potential issue when validating mac (bsc#1264568): ## Patch Instructions: To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: * SUSE Linux Micro 6.1 zypper in -t patch SUSE-SLE-Micro-6.1-552=1 ## Package List: * SUSE Linux Micro 6.1 (aarch64 ppc64le s390x x86_64) * openssh-clients-9.6p1-slfo.1.1_5.1 * openssh-server-9.6p1-slfo.1.1_5.1 * openssh-debugsource-9.6p1-slfo.1.1_5.1 * openssh-common-debuginfo-9.6p1-slfo.1.1_5.1 *openssh-9.6p1-slfo.1.1_5.1 * openssh-common-9.6p1-slfo.1.1_5.1 * openssh-clients-debuginfo-9.6p1-slfo.1.1_5.1 * openssh-server-config-rootlogin-9.6p1-slfo.1.1_5.1 * openssh-server-debuginfo-9.6p1-slfo.1.1_5.1 * openssh-fips-9.6p1-slfo.1.1_5.1 * openssh-debuginfo-9.6p1-slfo.1.1_5.1 ## References: * https://www.suse.com/security/cve/CVE-2026-35385.html * https://www.suse.com/security/cve/CVE-2026-35414.html * https://bugzilla.suse.com/show_bug.cgi?id=1261427 * https://bugzilla.suse.com/show_bug.cgi?id=1261430 * https://bugzilla.suse.com/show_bug.cgi?id=1264568 . Important security update for openssh resolves critical issues and enhances system integrity.. SUSE Linux, openssh, security update, access control issue, file permission threats. . Severity: Important. LinuxSecurity.com Team
An update that solves one vulnerability can now be installed.. # Security update for python-wheel Announcement ID: SUSE-SU-2026:20217-1 Release Date: 2026-02-02T09:48:28Z Rating: important References: * bsc#1257100 Cross-References: * CVE-2026-24049 CVSS scores: * CVE-2026-24049 ( SUSE ): 7.2 CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:P/VC:N/VI:H/VA:H/SC:H/SI:H/SA:H * CVE-2026-24049 ( SUSE ): 7.7 CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H * CVE-2026-24049 ( NVD ): 7.1 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H Affected Products: * SUSE Linux Enterprise Server 16.0 * SUSE Linux Enterprise Server for SAP Applications 16.0 An update that solves one vulnerability can now be installed. ## Description: This update for python-wheel fixes the following issues: * CVE-2026-24049: Fixed absent path sanitization can cause arbitrary file permission modification (bsc#1257100). ## Patch Instructions: To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: * SUSE Linux Enterprise Server 16.0 zypper in -t patch SUSE-SLES-16.0-232=1 * SUSE Linux Enterprise Server for SAP Applications 16.0 zypper in -t patch SUSE-SLES-16.0-232=1 ## Package List: * SUSE Linux Enterprise Server 16.0 (noarch) * python313-wheel-0.45.1-160000.3.1 * SUSE Linux Enterprise Server for SAP Applications 16.0 (noarch) * python313-wheel-0.45.1-160000.3.1 ## References: * https://www.suse.com/security/cve/CVE-2026-24049.html * https://bugzilla.suse.com/show_bug.cgi?id=1257100 . SUSE releases an important security update for python-wheel addressing file permission issues, enhancing system protection.. SUSE Linux, python-wheel update, security fix, system integrity, permission issue. . Severity: Important. LinuxSecurity.com Team
An update that solves one vulnerability and has one bug fix can now be installed.. openSUSE security update: security update for python-wheel ------------------------------------------------------------- Announcement ID: openSUSE-SU-2026:20147-1 Rating: important References: * bsc#1257100 Cross-References: * CVE-2026-24049 CVSS scores: * CVE-2026-24049 ( SUSE ): 7.7 CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H * CVE-2026-24049 ( SUSE ): 7.2 CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:P/VC:N/VI:H/VA:H/SC:H/SI:H/SA:H Affected Products: openSUSE Leap 16.0 ------------------------------------------------------------- An update that solves one vulnerability and has one bug fix can now be installed. Description: This update for python-wheel fixes the following issues: - CVE-2026-24049: Fixed absent path sanitization can cause arbitrary file permission modification (bsc#1257100). Patch instructions: To install this openSUSE security update use the suse recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - openSUSE Leap 16.0 zypper in -t patch openSUSE-Leap-16.0-232=1 Package List: - openSUSE Leap 16.0: python313-wheel-0.45.1-160000.3.1 References: * https://www.suse.com/security/cve/CVE-2026-24049.html . A security update for openSUSE addressing an important issue in python-wheel to prevent arbitrary file permission changes.. openSUSE security update, important python-wheel patch, CVE-2026-24049 fix. . Severity: Important. LinuxSecurity.com Team
* bsc#1210141 * bsc#1214855 * bsc#1215323 * bsc#1217513 * bsc#1219267 . # Security update for docker Announcement ID: SUSE-SU-2025:20056-1 Release Date: 2025-02-03T08:56:57Z Rating: critical References: * bsc#1210141 * bsc#1214855 * bsc#1215323 * bsc#1217513 * bsc#1219267 * bsc#1219268 * bsc#1219438 * bsc#1220339 * bsc#1221916 * bsc#1223409 * bsc#1228324 Cross-References: * CVE-2024-23651 * CVE-2024-23652 * CVE-2024-23653 * CVE-2024-41110 CVSS scores: * CVE-2024-23651 ( SUSE ): 7.4 CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H * CVE-2024-23651 ( NVD ): 7.4 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N * CVE-2024-23652 ( SUSE ): 6.7 CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H * CVE-2024-23652 ( NVD ): 9.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H * CVE-2024-23653 ( SUSE ): 7.0 CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H * CVE-2024-23653 ( NVD ): 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H * CVE-2024-41110 ( SUSE ): 9.9 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H Affected Products: * SUSE Linux Micro 6.0 An update that solves four vulnerabilities and has seven fixes can now be installed. ## Description: This update for docker fixes the following issues: Security fixes: * CVE-2024-23651: Fixed arbitrary files write due to race condition on mounts (bsc#1219267) * CVE-2024-23652: Fixed insufficient validation of parent directory on mount (bsc#1219268) * CVE-2024-23653: Fixed insufficient validation on entitlement on container creation via buildkit (bsc#1219438) * CVE-2024-41110: A Authz zero length regression that could lead to authentication bypass was fixed (bsc#1228324) Other changes: * Update to Docker 25.0.6-ce. * Fix BuildKit's symlink resolution logic to correctly handle non-lexical symlinks. (bsc#1221916) * Write volume options atomically so sudden system crashes won't result in future Docker starts failing due to empty files. (bsc#1214855) * Fixed world writable dockeroverlay files (bsc#1220339) ## Patch Instructions: To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: * SUSE Linux Micro 6.0 zypper in -t patch SUSE-SLE-Micro-6.0-64=1 ## Package List: * SUSE Linux Micro 6.0 (aarch64 s390x x86_64) * docker-25.0.6_ce-1.1 * docker-debuginfo-25.0.6_ce-1.1 ## References: * https://www.suse.com/security/cve/CVE-2024-23651.html * https://www.suse.com/security/cve/CVE-2024-23652.html * https://www.suse.com/security/cve/CVE-2024-23653.html * https://www.suse.com/security/cve/CVE-2024-41110.html * https://bugzilla.suse.com/show_bug.cgi?id=1210141 * https://bugzilla.suse.com/show_bug.cgi?id=1214855 * https://bugzilla.suse.com/show_bug.cgi?id=1215323 * https://bugzilla.suse.com/show_bug.cgi?id=1217513 * https://bugzilla.suse.com/show_bug.cgi?id=1219267 * https://bugzilla.suse.com/show_bug.cgi?id=1219268 * https://bugzilla.suse.com/show_bug.cgi?id=1219438 * https://bugzilla.suse.com/show_bug.cgi?id=1220339 * https://bugzilla.suse.com/show_bug.cgi?id=1221916 * https://bugzilla.suse.com/show_bug.cgi?id=1223409 * https://bugzilla.suse.com/show_bug.cgi?id=1228324 . A vital security patch for SUSE Linux Micro targeting significant vulnerabilities in Docker, featuring various corrections and improvements.. Docker Security, SUSE Update, Critical Vulnerabilities, Security Fixes, Linux Micro Patches. . Severity: Critical. LinuxSecurity.com Team
oath-toolkit could be made overwrite files as the administrator.. ========================================================================== Ubuntu Security Notice USN-7059-1 October 09, 2024 oath-toolkit vulnerability ========================================================================== A security issue affects these releases of Ubuntu and its derivatives: - Ubuntu 24.04 LTS - Ubuntu 22.04 LTS Summary: oath-toolkit could be made overwrite files as the administrator. Software Description: - oath-toolkit: Development files for the OATH Toolkit Liboath library Details: Fabian Vogt discovered that OATH Toolkit incorrectly handled file permissions. A remote attacker could possibly use this issue to overwrite root owned files, leading to a privilege escalation attack. (CVE-2024-47191) Update instructions: The problem can be corrected by updating your system to the following package versions: Ubuntu 24.04 LTS liboath-dev 2.6.11-2.1ubuntu0.1 Ubuntu 22.04 LTS liboath-dev 2.6.7-3ubuntu0.1 In general, a standard system update will make all the necessary changes. References: https://ubuntu.com/security/notices/USN-7059-1 CVE-2024-47191 Package Information: https://launchpad.net/ubuntu/+source/oath-toolkit/2.6.11-2.1ubuntu0.1 https://launchpad.net/ubuntu/+source/oath-toolkit/2.6.7-3ubuntu0.1 . OATH Toolkit potentially enables unapproved file alteration, jeopardizing administrative control. Upgrade now to safeguard your infrastructure thoroughly.. OATH Toolkit updates, Ubuntu security notice, file permissions issue. . Severity: Critical. LinuxSecurity.com Team
* bsc#1225365 Cross-References: * CVE-2024-35235 . # Security update for cups Announcement ID: SUSE-SU-2024:2002-1 Rating: important References: * bsc#1225365 Cross-References: * CVE-2024-35235 CVSS scores: * CVE-2024-35235 ( SUSE ): 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H Affected Products: * SUSE Linux Enterprise High Performance Computing 12 SP5 * SUSE Linux Enterprise Server 12 SP5 * SUSE Linux Enterprise Server for SAP Applications 12 SP5 * SUSE Linux Enterprise Software Development Kit 12 SP5 An update that solves one vulnerability can now be installed. ## Description: This update for cups fixes the following issues: * CVE-2024-35235: Fixed a bug in cupsd that could allow an attacker to change the permissions of other files in the system. (bsc#1225365) ## Patch Instructions: To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: * SUSE Linux Enterprise Software Development Kit 12 SP5 zypper in -t patch SUSE-SLE-SDK-12-SP5-2024-2002=1 * SUSE Linux Enterprise High Performance Computing 12 SP5 zypper in -t patch SUSE-SLE-SERVER-12-SP5-2024-2002=1 * SUSE Linux Enterprise Server 12 SP5 zypper in -t patch SUSE-SLE-SERVER-12-SP5-2024-2002=1 * SUSE Linux Enterprise Server for SAP Applications 12 SP5 zypper in -t patch SUSE-SLE-SERVER-12-SP5-2024-2002=1 ## Package List: * SUSE Linux Enterprise Software Development Kit 12 SP5 (aarch64 ppc64le s390x x86_64) * cups-debugsource-1.7.5-20.49.1 * cups-ddk-debuginfo-1.7.5-20.49.1 * cups-devel-1.7.5-20.49.1 * cups-debuginfo-1.7.5-20.49.1 * cups-ddk-1.7.5-20.49.1 * SUSE Linux Enterprise High Performance Computing 12 SP5 (aarch64 x86_64) * cups-debugsource-1.7.5-20.49.1 * cups-client-debuginfo-1.7.5-20.49.1 * cups-1.7.5-20.49.1 * cups-debuginfo-1.7.5-20.49.1 * cups-client-1.7.5-20.49.1 *cups-libs-1.7.5-20.49.1 * cups-libs-debuginfo-1.7.5-20.49.1 * SUSE Linux Enterprise High Performance Computing 12 SP5 (x86_64) * cups-libs-32bit-1.7.5-20.49.1 * cups-libs-debuginfo-32bit-1.7.5-20.49.1 * SUSE Linux Enterprise Server 12 SP5 (aarch64 ppc64le s390x x86_64) * cups-debugsource-1.7.5-20.49.1 * cups-client-debuginfo-1.7.5-20.49.1 * cups-1.7.5-20.49.1 * cups-debuginfo-1.7.5-20.49.1 * cups-client-1.7.5-20.49.1 * cups-libs-1.7.5-20.49.1 * cups-libs-debuginfo-1.7.5-20.49.1 * SUSE Linux Enterprise Server 12 SP5 (s390x x86_64) * cups-libs-32bit-1.7.5-20.49.1 * cups-libs-debuginfo-32bit-1.7.5-20.49.1 * SUSE Linux Enterprise Server for SAP Applications 12 SP5 (ppc64le x86_64) * cups-debugsource-1.7.5-20.49.1 * cups-client-debuginfo-1.7.5-20.49.1 * cups-1.7.5-20.49.1 * cups-debuginfo-1.7.5-20.49.1 * cups-client-1.7.5-20.49.1 * cups-libs-1.7.5-20.49.1 * cups-libs-debuginfo-1.7.5-20.49.1 * SUSE Linux Enterprise Server for SAP Applications 12 SP5 (x86_64) * cups-libs-32bit-1.7.5-20.49.1 * cups-libs-debuginfo-32bit-1.7.5-20.49.1 ## References: * https://www.suse.com/security/cve/CVE-2024-35235.html * https://bugzilla.suse.com/show_bug.cgi?id=1225365 . SUSE-SU-2024:2002-1 CUPS update addresses critical file permissions issue affecting system integrity.. CUPS Security, SUSE Update, Important Advisory, System Integrity, File Permissions. . Severity: Important. LinuxSecurity.com Team
Ruby on Rails security upgrade: - Versions-7-0-7-2-6-1-7-6-have-been-released - incorrect file permissions on encrypted files. Exploit not known.. -------------------------------------------------------------------------------- Fedora Update Notification FEDORA-2023-4f0bb4ff5e 2023-09-15 18:36:13.240099 -------------------------------------------------------------------------------- Name : rubygem-activestorage Product : Fedora 39 Version : 7.0.7.2 Release : 1.fc39 URL : https://rubyonrails.org/ Summary : Local and cloud file storage framework Description : Attach cloud and local files in Rails applications. -------------------------------------------------------------------------------- Update Information: Ruby on Rails security upgrade: - Versions-7-0-7-2-6-1-7-6-have-been-released - incorrect file permissions on encrypted files. Exploit not known. -------------------------------------------------------------------------------- ChangeLog: * Mon Aug 28 2023 Pavel Valena - 7.0.7.2-1 - Update to activestorage 7.0.7.2. -------------------------------------------------------------------------------- This update can be installed with the "dnf" update program. Use su -c 'dnf upgrade --advisory FEDORA-2023-4f0bb4ff5e' at the command line. For more information, refer to the dnf documentation available at https://dnf.readthedocs.io/en/latest/command_ref.html All packages are signed with the Fedora Project GPG key. More details on the GPG keys used by the Fedora Project can be found at -------------------------------------------------------------------------------- _______________________________________________ package-announce mailing list --
Cargo could be made to run programs as your login if it installed a specially crafted crate.. ========================================================================== Ubuntu Security Notice USN-6275-1 August 03, 2023 cargo, rust-cargo vulnerability ========================================================================== A security issue affects these releases of Ubuntu and its derivatives: - Ubuntu 22.04 LTS (Available with Ubuntu Pro) - Ubuntu 20.04 LTS (Available with Ubuntu Pro) - Ubuntu 18.04 LTS (Available with Ubuntu Pro) - Ubuntu 16.04 LTS (Available with Ubuntu Pro) Summary: Cargo could be made to run programs as your login if it installed a specially crafted crate. Software Description: - cargo: Rust package manager - rust-cargo: Rust package manager - feature "openssl" Details: Addison Crump discovered that Cargo incorrectly set file permissions on UNIX-like systems when extracting crate archives. If the crate would contain files writable by any user, a local attacker could possibly use this issue to execute code as another user. Update instructions: The problem can be corrected by updating your system to the following package versions: Ubuntu 22.04 LTS (Available with Ubuntu Pro): cargo 0.67.1+ds0ubuntu0.libgit2-0ubuntu0.22.04.2+esm1 librust-cargo+openssl-dev 0.57.0-1ubuntu0.1~esm1 librust-cargo-dev 0.57.0-1ubuntu0.1~esm1 Ubuntu 20.04 LTS (Available with Ubuntu Pro): cargo 0.67.1+ds0ubuntu0.libgit2-0ubuntu0.20.04.2+esm1 Ubuntu 18.04 LTS (Available with Ubuntu Pro): cargo 0.66.0+ds0ubuntu0.libgit2-0ubuntu0.18.04.1~esm1 Ubuntu 16.04 LTS (Available with Ubuntu Pro): cargo 0.47.0-1~exp1ubuntu1~16.04.1+esm1 In general, a standard system update will make all the necessary changes. References: https://ubuntu.com/security/notices/USN-6275-1 CVE-2023-38497 . Ubuntu users should be cautious with the Cargo package manager; malicious crates might exploit yourpermissions. Verify package integrity from trusted sources before use. Ubuntu Security,Cargo Vulnerability,Rust Package Manager,File Permissions Issue,Local Code Execution. . LinuxSecurity.com Team
Get the latest Linux and open source security news straight to your inbox.