Explore top 10 tips to secure your open-source projects now. Read More
×An update that solves four vulnerabilities and has two security fixes can now be installed.. # Security update for warewulf4 Announcement ID: SUSE-SU-2026:2830-1 Release Date: 2026-07-09T18:42:10Z Rating: important References: * bsc#1254470 * bsc#1258511 * bsc#1262810 * bsc#1265653 * bsc#1266483 * bsc#1268790 Cross-References: * CVE-2025-69725 * CVE-2026-33814 * CVE-2026-34986 * CVE-2026-39821 CVSS scores: * CVE-2025-69725 ( SUSE ): 2.3 CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:L/VA:N/SC:L/SI:N/SA:N * CVE-2025-69725 ( SUSE ): 6.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N * CVE-2025-69725 ( NVD ): 4.7 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:N * CVE-2026-33814 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H * CVE-2026-33814 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H * CVE-2026-33814 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H * CVE-2026-33814 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H * CVE-2026-34986 ( SUSE ): 8.7 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N * CVE-2026-34986 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H * CVE-2026-34986 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H * CVE-2026-34986 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H * CVE-2026-39821 ( SUSE ): 9.1 CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N * CVE-2026-39821 ( SUSE ): 7.4 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N * CVE-2026-39821 ( NVD ): 9.6 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N * CVE-2026-39821 ( NVD ): 8.2 CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N Affected Products: * HPC Module 15-SP7 * openSUSE Leap 15.5 * SUSE Linux Enterprise High Performance Computing 15 SP5 * SUSE Linux Enterprise High Performance Computing ESPOS 15 SP5 * SUSE Linux Enterprise High Performance Computing LTSS 15 SP5 * SUSE Linux Enterprise Server 15 SP6 * SUSE Linux Enterprise Server 15 SP6 LTSS *SUSE Linux Enterprise Server 15 SP7 An update that solves four vulnerabilities and has two security fixes can now be installed. ## Description: This update for warewulf4 fixes the following issues: Update to v4.7.0. Security issues fixed: * CVE-2025-69725: incorrect input validation in the `RedirectSlashes` function can lead to an open redirect (bsc#1258511). * CVE-2026-33814: golang.org/x/net/http2: infinite loop in HTTP/2 transport when given bad `SETTINGS_MAX_FRAME_SIZE` can lead to a denial of service (bsc#1265653). * CVE-2026-34986: github.com/go-jose/go-jose/v4: crafted JWE input with a missing encrypted key can lead to a denial of service (bsc#1262810). * CVE-2026-39821: golang.org/x/net/idna: failure to reject ASCII-only Punycode-encoded labels allows for validation bypass and privilege escalation (bsc#1266483). Other updates and bugfixes: * Add correct flag `--update-overlays` fix (bsc#1268790). * v4.7.0: * New `wwctl` unset command * Refactored server routes (URLs) * New `/files/` route for serving individual files and templates * Server TLS support * Removed support for fetching individual overlays and individual files from overlays * Fixed whitespace handling around template functions * Security fixes, including updated Go and library versions * v4.6.5: * New wwctl overlay info command * Fixed `wwctl` image import `--update` option * Cross-arch support for `wwclient` * Improved IPv6 support * Improved support for bonded interfaces * Renamed `debian.interfaces` overlay to `ifupdown` * New `systemd-networkd` overlay * `warewulf-dracut` fixes, including `provision-to-disk` fixes * Remove `slurm-overlay` package. * Fix `wwctl` image import `--update` option (bsc#1254470). ## Patch Instructions: To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: * SUSE Linux Enterprise HighPerformance Computing ESPOS 15 SP5 zypper in -t patch SUSE-SLE-Product-HPC-15-SP5-ESPOS-2026-2830=1 * SUSE Linux Enterprise Server 15 SP6 LTSS zypper in -t patch SUSE-SLE-Product-SLES-15-SP6-LTSS-2026-2830=1 * SUSE Linux Enterprise High Performance Computing LTSS 15 SP5 zypper in -t patch SUSE-SLE-Product-HPC-15-SP5-LTSS-2026-2830=1 * openSUSE Leap 15.5 zypper in -t patch SUSE-2026-2830=1 * HPC Module 15-SP7 zypper in -t patch SUSE-SLE-Module-HPC-15-SP7-2026-2830=1 ## Package List: * openSUSE Leap 15.5 (noarch) * warewulf4-dracut-4.7.0-150500.6.42.1 * warewulf4-reference-doc-4.7.0-150500.6.42.1 * warewulf4-man-4.7.0-150500.6.42.1 * warewulf4-overlay-rke2-4.7.0-150500.6.42.1 * openSUSE Leap 15.5 (aarch64 x86_64) * warewulf4-overlay-4.7.0-150500.6.42.1 * warewulf4-4.7.0-150500.6.42.1 * SUSE Linux Enterprise High Performance Computing LTSS 15 SP5 (aarch64 x86_64) * warewulf4-overlay-4.7.0-150500.6.42.1 * warewulf4-4.7.0-150500.6.42.1 * SUSE Linux Enterprise High Performance Computing LTSS 15 SP5 (noarch) * warewulf4-dracut-4.7.0-150500.6.42.1 * warewulf4-man-4.7.0-150500.6.42.1 * warewulf4-reference-doc-4.7.0-150500.6.42.1 * SUSE Linux Enterprise High Performance Computing ESPOS 15 SP5 (aarch64 x86_64) * warewulf4-overlay-4.7.0-150500.6.42.1 * warewulf4-4.7.0-150500.6.42.1 * SUSE Linux Enterprise High Performance Computing ESPOS 15 SP5 (noarch) * warewulf4-dracut-4.7.0-150500.6.42.1 * warewulf4-man-4.7.0-150500.6.42.1 * warewulf4-reference-doc-4.7.0-150500.6.42.1 * HPC Module 15-SP7 (aarch64 x86_64) * warewulf4-overlay-4.7.0-150500.6.42.1 * warewulf4-4.7.0-150500.6.42.1 * HPC Module 15-SP7 (noarch) * warewulf4-dracut-4.7.0-150500.6.42.1 * warewulf4-reference-doc-4.7.0-150500.6.42.1 * warewulf4-man-4.7.0-150500.6.42.1 * SUSE Linux Enterprise Server 15 SP6 LTSS (aarch64 x86_64) * warewulf4-overlay-4.7.0-150500.6.42.1 * warewulf4-4.7.0-150500.6.42.1 * SUSELinux Enterprise Server 15 SP6 LTSS (noarch) * warewulf4-dracut-4.7.0-150500.6.42.1 * warewulf4-reference-doc-4.7.0-150500.6.42.1 * warewulf4-man-4.7.0-150500.6.42.1 ## References: * https://www.suse.com/security/cve/CVE-2025-69725.html * https://www.suse.com/security/cve/CVE-2026-33814.html * https://www.suse.com/security/cve/CVE-2026-34986.html * https://www.suse.com/security/cve/CVE-2026-39821.html * https://bugzilla.suse.com/show_bug.cgi?id=1254470 * https://bugzilla.suse.com/show_bug.cgi?id=1258511 * https://bugzilla.suse.com/show_bug.cgi?id=1262810 * https://bugzilla.suse.com/show_bug.cgi?id=1265653 * https://bugzilla.suse.com/show_bug.cgi?id=1266483 * https://bugzilla.suse.com/show_bug.cgi?id=1268790 . This update for warewulf4 addresses multiple security fixes, enhancing system stability and security.. vulnerability assessment, patch management, software updates. . Severity: Important. LinuxSecurity.com Team
shell-quote could be made to crash or run programs as your login if it received specially crafted input.. ========================================================================== Ubuntu Security Notice USN-8410-1 June 09, 2026 node-shell-quote vulnerability ========================================================================== A security issue affects these releases of Ubuntu and its derivatives: - Ubuntu 26.04 LTS - Ubuntu 25.10 - Ubuntu 24.04 LTS - Ubuntu 22.04 LTS - Ubuntu 18.04 LTS Summary: shell-quote could be made to crash or run programs as your login if it received specially crafted input. Software Description: - node-shell-quote: Parse and quote shell commands Details: Akshat Sinha discovered that shell-quote improperly validated object-token inputs. An attacker could possibly use this issue to cause shell-quote to crash, resulting in a denial of service, or execute arbitrary code. Update instructions: The problem can be corrected by updating your system to the following package versions: Ubuntu 26.04 LTS node-shell-quote 1.8.3+~1.7.5-1ubuntu0.1~esm1 Available with Ubuntu Pro Ubuntu 25.10 node-shell-quote 1.7.4+~1.7.1-1ubuntu0.25.10.1 Ubuntu 24.04 LTS node-shell-quote 1.7.4+~1.7.1-1ubuntu0.24.04.1 Ubuntu 22.04 LTS node-shell-quote 1.7.3+~1.7.1-1ubuntu0.1~esm1 Available with Ubuntu Pro Ubuntu 18.04 LTS node-shell-quote 1.6.1+20160617-git72fb5a8ce29b-1ubuntu0.1~esm1 Available with Ubuntu Pro In general, a standard system update will make all the necessary changes. References: https://ubuntu.com/security/notices/USN-8410-1 CVE-2026-9277 Package Information: https://launchpad.net/ubuntu/+source/node-shell-quote/1.7.4+~1.7.1-1ubuntu0.25.10.1 https://launchpad.net/ubuntu/+source/node-shell-quote/1.7.4+~1.7.1-1ubuntu0.24.04.1 . Critical Shell-Quote Flaw in Ubuntu Could Lead to Denial ofService or Code Execution.. Ubuntu Security,node-shell-quote,Denial of Service,Security Update. . Severity: Important. LinuxSecurity.com Team
An update that fixes one vulnerability is now available.. openSUSE Security Update: Security update for libjxl ______________________________________________________________________________ Announcement ID: openSUSE-SU-2026:0182-1 Rating: important References: #1266460 Cross-References: CVE-2025-70103 CVSS scores: CVE-2025-70103 (SUSE): 9.2 CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N Affected Products: openSUSE Backports SLE-15-SP7 ______________________________________________________________________________ An update that fixes one vulnerability is now available. Description: This update for libjxl fixes the following issues: - CVE-2025-70103: take EC into account when checking required PNM input length (boo#1266460). Patch Instructions: To install this openSUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - openSUSE Backports SLE-15-SP7: zypper in -t patch openSUSE-2026-182=1 Package List: - openSUSE Backports SLE-15-SP7 (aarch64 i586 ppc64le s390x x86_64): gdk-pixbuf-loader-jxl-0.8.5-bp157.2.6.1 gimp-plugin-jxl-0.8.5-bp157.2.6.1 libjxl-devel-0.8.5-bp157.2.6.1 libjxl-tools-0.8.5-bp157.2.6.1 libjxl0_8-0.8.5-bp157.2.6.1 - openSUSE Backports SLE-15-SP7 (aarch64_ilp32): libjxl0_8-64bit-0.8.5-bp157.2.6.1 - openSUSE Backports SLE-15-SP7 (noarch): jxl-thumbnailer-0.8.5-bp157.2.6.1 - openSUSE Backports SLE-15-SP7 (x86_64): libjxl0_8-32bit-0.8.5-bp157.2.6.1 References: https://www.suse.com/security/cve/CVE-2025-70103.html https://bugzilla.suse.com/1266460 . Update available for libjxl addressing CVE-2025-70103 with important severity. Ensure to apply the patch promptly.. libjxl security update, openSUSE patches, important vulnerabilities. . Severity: Important. LinuxSecurity.com Team
This update addresses some input validation issues: Reject Unicode digits and trailing newlines in parser inputs (CVE-2026-45190) Reject zero-padded CIDR masks (CVE-2026-45191). -------------------------------------------------------------------------------- Fedora Update Notification FEDORA-2026-9e783d6aa1 2026-05-19 16:00:44.522643+00:00 -------------------------------------------------------------------------------- Name : perl-Net-CIDR-Lite Product : Fedora 43 Version : 0.24 Release : 1.fc43 URL : https://metacpan.org/release/Net-CIDR-Lite Summary : Perl extension for merging IPv4 or IPv6 CIDR addresses Description : Faster alternative to Net::CIDR when merging a large number of CIDR address ranges. Works for IPv4 and IPv6 addresses. -------------------------------------------------------------------------------- Update Information: This update addresses some input validation issues: Reject Unicode digits and trailing newlines in parser inputs (CVE-2026-45190) Reject zero-padded CIDR masks (CVE-2026-45191) -------------------------------------------------------------------------------- ChangeLog: * Mon May 11 2026 Paul Howarth - 0.24-1 - Update to 0.24 - Reject Unicode digits and trailing newlines in parser inputs (CVE-2026-45190) - Reject zero-padded CIDR masks (CVE-2026-45191) -------------------------------------------------------------------------------- This update can be installed with the "dnf" update program. Use su -c 'dnf upgrade --advisory FEDORA-2026-9e783d6aa1' at the command line. For more information, refer to the dnf documentation available at http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label All packages are signed with the Fedora Project GPG key. More details on the GPG keys used by the Fedora Project can be found at https://fedoraproject.org/keys -------------------------------------------------------------------------------- -- _______________________________________________ package-announce mailing list --
This update addresses some input validation issues: Reject Unicode digits and trailing newlines in parser inputs (CVE-2026-45190) Reject zero-padded CIDR masks (CVE-2026-45191). -------------------------------------------------------------------------------- Fedora Update Notification FEDORA-2026-6f3d2d0d82 2026-05-15 20:57:10.102582+00:00 -------------------------------------------------------------------------------- Name : perl-Net-CIDR-Lite Product : Fedora 44 Version : 0.24 Release : 1.fc44 URL : https://metacpan.org/release/Net-CIDR-Lite Summary : Perl extension for merging IPv4 or IPv6 CIDR addresses Description : Faster alternative to Net::CIDR when merging a large number of CIDR address ranges. Works for IPv4 and IPv6 addresses. -------------------------------------------------------------------------------- Update Information: This update addresses some input validation issues: Reject Unicode digits and trailing newlines in parser inputs (CVE-2026-45190) Reject zero-padded CIDR masks (CVE-2026-45191) -------------------------------------------------------------------------------- ChangeLog: * Mon May 11 2026 Paul Howarth - 0.24-1 - Update to 0.24 - Reject Unicode digits and trailing newlines in parser inputs (CVE-2026-45190) - Reject zero-padded CIDR masks (CVE-2026-45191) -------------------------------------------------------------------------------- This update can be installed with the "dnf" update program. Use su -c 'dnf upgrade --advisory FEDORA-2026-6f3d2d0d82' at the command line. For more information, refer to the dnf documentation available at http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label All packages are signed with the Fedora Project GPG key. More details on the GPG keys used by the Fedora Project can be found at https://fedoraproject.org/keys -------------------------------------------------------------------------------- -- _______________________________________________ package-announce mailing list --
MGASA-2026-0127 - Updated php packages fix security vulnerabilities. MGASA-2026-0127 - Updated php packages fix security vulnerabilities Publication date: 13 May 2026 URL: https://advisories.mageia.org/MGASA-2026-0127.html Type: security Affected Mageia releases: 9 CVE: CVE-2026-6735, CVE-2026-7259, CVE-2025-14179, CVE-2026-6722, CVE-2026-7261, CVE-2026-7262, CVE-2026-7568, CVE-2026-7258 Description: FPM: Fixed GHSA-7qg2-v9fj-4mwv (XSS within status endpoint). (CVE-2026-6735) MBString: Fixed GHSA-wm6j-2649-pv75 (Null pointer dereference in php_mb_check_encoding() via mb_ereg_search_init()). (CVE-2026-7259) OpenSSL: Fix compatibility issues with OpenSSL 4.0. PDO_Firebird: Fixed GHSA-w476-322c-wpvm (SQL injection via NUL bytes in quoted strings). (CVE-2025-14179) SOAP: - Fixed GHSA-85c2-q967-79q5 (Stale SOAP_GLOBAL(ref_map) pointer with Apache Map). (CVE-2026-6722) - Fixed GHSA-m33r-qmcv-p97q (Use-after-free after header parsing failure with SOAP_PERSISTENCE_SESSION). (CVE-2026-7261) - Fixed GHSA-hmxp-6pc4-f3vv (Broken Apache map value NULL check). (CVE-2026-7262) Standard: - Fixed GHSA-96wq-48vp-hh57 (Signed integer overflow of char array offset). (CVE-2026-7568) - Fixed GHSA-m8rr-4c36-8gq4 (Consistently pass unsigned char to ctype.h functions). (CVE-2026-7258) References: - https://bugs.mageia.org/show_bug.cgi?id=35481 - https://www.php.net/ChangeLog-8.php#8.2.31 - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-6735 - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-7259 - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-14179 - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-6722 - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-7261 - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-7262 - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-7568 - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-7258 SRPMS: - 9/core/php-8.2.31-1.mga9 . Updated php packages in Mageia 9 address critical vulnerabilities includingXSS and SQL injection. Get the latest fixes now.. Mageia PHP security patch, Mageia 9 vulnerabilities, PHP update security. . Severity: Critical. LinuxSecurity.com Team
An update that solves five vulnerabilities can now be installed.. # Security update for python311 Announcement ID: SUSE-SU-2026:21254-1 Release Date: 2026-04-16T13:24:01Z Rating: important References: * bsc#1259611 * bsc#1259734 * bsc#1259735 * bsc#1259989 * bsc#1260026 Cross-References: * CVE-2025-13462 * CVE-2026-3479 * CVE-2026-3644 * CVE-2026-4224 * CVE-2026-4519 CVSS scores: * CVE-2025-13462 ( SUSE ): 2.0 CVSS:4.0/AV:L/AC:H/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N * CVE-2025-13462 ( SUSE ): 2.5 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N * CVE-2025-13462 ( NVD ): 2.0 CVSS:4.0/AV:L/AC:H/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X * CVE-2026-3479 ( SUSE ): 2.0 CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N * CVE-2026-3479 ( SUSE ): 3.3 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N * CVE-2026-3479 ( NVD ): 0.0 CVSS:4.0/AV:P/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X * CVE-2026-3644 ( SUSE ): 6.3 CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N * CVE-2026-3644 ( SUSE ): 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N * CVE-2026-3644 ( NVD ): 6.0 CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X * CVE-2026-4224 ( SUSE ): 8.2 CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N * CVE-2026-4224 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H * CVE-2026-4224 ( NVD ): 6.0 CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X * CVE-2026-4519 ( SUSE ): 7.1 CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:H/VA:N/SC:L/SI:H/SA:N * CVE-2026-4519 ( SUSE ): 6.9 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:H/A:N * CVE-2026-4519 ( NVD ): 7.0 CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X * CVE-2026-4519 ( NVD ): 3.3 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N Affected Products: * SUSE Linux Micro 6.1 An update that solves five vulnerabilities can now be installed. ## Description: This update for python311 fixes the following issues: * CVE-2025-13462: incorrect parsing of TarInfo when GNU long name and type AREGTYPE are combined can lead to misinterpretation of tar archives (bsc#1259611). * CVE-2026-3479: improper resource argument validation in `pkgutil.get_data()` can lead to path traversal (bsc#1259989). * CVE-2026-3644: incomplete control character validation in http.cookies can lead to input validation bypass (bsc#1259734). * CVE-2026-4224: parsing XML with deeply nested DTD content models can lead to C stack overflow (bsc#1259735). * CVE-2026-4519: failure to sanitize leading dashes in URLs in the `webbrowser.open()` API can lead to web browser command line option injection (bsc#1260026). ## Patch Instructions: To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: * SUSE Linux Micro 6.1 zypper in -t patch SUSE-SLE-Micro-6.1-490=1 ## Package List: * SUSE Linux Micro 6.1 (aarch64 ppc64le s390x x86_64) * python311-3.11.15-slfo.1.1_3.1 * python311-curses-3.11.15-slfo.1.1_3.1 * python311-debugsource-3.11.15-slfo.1.1_3.1 * python311-debuginfo-3.11.15-slfo.1.1_3.1 * python311-core-debugsource-3.11.15-slfo.1.1_3.1 * python311-base-debuginfo-3.11.15-slfo.1.1_3.1 * python311-curses-debuginfo-3.11.15-slfo.1.1_3.1 *libpython3_11-1_0-3.11.15-slfo.1.1_3.1 * libpython3_11-1_0-debuginfo-3.11.15-slfo.1.1_3.1 * python311-base-3.11.15-slfo.1.1_3.1 ## References: * https://www.suse.com/security/cve/CVE-2025-13462.html * https://www.suse.com/security/cve/CVE-2026-3479.html * https://www.suse.com/security/cve/CVE-2026-3644.html * https://www.suse.com/security/cve/CVE-2026-4224.html * https://www.suse.com/security/cve/CVE-2026-4519.html * https://bugzilla.suse.com/show_bug.cgi?id=1259611 * https://bugzilla.suse.com/show_bug.cgi?id=1259734 * https://bugzilla.suse.com/show_bug.cgi?id=1259735 * https://bugzilla.suse.com/show_bug.cgi?id=1259989 * https://bugzilla.suse.com/show_bug.cgi?id=1260026 . SUSE updates python311 to address five security issues including input validation and path traversal risks for users.. SUSE Python Security Important Update Path Traversal. . Severity: Important. LinuxSecurity.com Team
An update that solves 7 vulnerabilities and has 7 bug fixes can now be installed.. openSUSE security update: security update for python313 ------------------------------------------------------------- Announcement ID: openSUSE-SU-2026:20517-1 Rating: important References: * bsc#1257181 * bsc#1259240 * bsc#1259611 * bsc#1259734 * bsc#1259735 * bsc#1259989 * bsc#1260026 Cross-References: * CVE-2025-13462 * CVE-2026-1299 * CVE-2026-2297 * CVE-2026-3479 * CVE-2026-3644 * CVE-2026-4224 * CVE-2026-4519 CVSS scores: * CVE-2025-13462 ( SUSE ): 2.5 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N * CVE-2025-13462 ( SUSE ): 2 CVSS:4.0/AV:L/AC:H/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N * CVE-2026-1299 ( SUSE ): 8.2 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N * CVE-2026-1299 ( SUSE ): 8.3 CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N * CVE-2026-2297 ( SUSE ): 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N * CVE-2026-2297 ( SUSE ): 5.7 CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N * CVE-2026-3479 ( SUSE ): 3.3 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N * CVE-2026-3479 ( SUSE ): 2 CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N * CVE-2026-3644 ( SUSE ): 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N * CVE-2026-3644 ( SUSE ): 6.3 CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N * CVE-2026-4224 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H * CVE-2026-4224 ( SUSE ): 8.2 CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N * CVE-2026-4519 ( SUSE ): 6.9 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:H/A:N * CVE-2026-4519 ( SUSE ): 7.1 CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:H/VA:N/SC:L/SI:H/SA:N Affected Products: openSUSE Leap 16.0 ------------------------------------------------------------- An update that solves 7 vulnerabilities and has 7 bug fixes can now be installed. Description: This update for python313 fixes the following issues: Update to version3.13.13. - CVE-2025-13462: incorrect parsing of TarInfo when GNU long name and type AREGTYPE are combined can lead to misinterpretation of tar archives (bsc#1259611). - CVE-2026-2297: incorrectly handled hook in FileLoader can lead to validation bypass (bsc#1259240). - CVE-2026-3479: improper resource argument validation in `pkgutil.get_data()` can lead to path traversal (bsc#1259989). - CVE-2026-3644: incomplete control character validation in http.cookies can lead to input validation bypass (bsc#1259734). - CVE-2026-4224: parsing XML with deeply nested DTD content models can lead to C stack overflow (bsc#1259735). - CVE-2026-4519: failure to sanitize leading dashes in URLs in the `webbrowser.open()` API can lead to web browser command line option injection (bsc#1260026). Patch instructions: To install this openSUSE security update use the suse recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - openSUSE Leap 16.0 zypper in -t patch openSUSE-Leap-16.0-539=1 Package List: - openSUSE Leap 16.0: libpython3_13-1_0-3.13.13-160000.1.1 libpython3_13-1_0-x86-64-v3-3.13.13-160000.1.1 libpython3_13t1_0-3.13.13-160000.1.1 python313-3.13.13-160000.1.1 python313-base-3.13.13-160000.1.1 python313-base-x86-64-v3-3.13.13-160000.1.1 python313-curses-3.13.13-160000.1.1 python313-dbm-3.13.13-160000.1.1 python313-devel-3.13.13-160000.1.1 python313-doc-3.13.13-160000.1.1 python313-doc-devhelp-3.13.13-160000.1.1 python313-idle-3.13.13-160000.1.1 python313-nogil-3.13.13-160000.1.1 python313-nogil-base-3.13.13-160000.1.1 python313-nogil-curses-3.13.13-160000.1.1 python313-nogil-dbm-3.13.13-160000.1.1 python313-nogil-devel-3.13.13-160000.1.1 python313-nogil-idle-3.13.13-160000.1.1 python313-nogil-testsuite-3.13.13-160000.1.1 python313-nogil-tk-3.13.13-160000.1.1 python313-nogil-tools-3.13.13-160000.1.1 python313-testsuite-3.13.13-160000.1.1 python313-tk-3.13.13-160000.1.1 python313-tools-3.13.13-160000.1.1 python313-x86-64-v3-3.13.13-160000.1.1 References: * https://www.suse.com/security/cve/CVE-2025-13462.html * https://www.suse.com/security/cve/CVE-2026-1299.html * https://www.suse.com/security/cve/CVE-2026-2297.html * https://www.suse.com/security/cve/CVE-2026-3479.html * https://www.suse.com/security/cve/CVE-2026-3644.html * https://www.suse.com/security/cve/CVE-2026-4224.html * https://www.suse.com/security/cve/CVE-2026-4519.html . Critical security update for python313 in openSUSE addressing important vulnerabilities. Immediate installation recommended.. openSUSE Python Update Security, CVE Updates, Linux Security Patch. . Severity: Important. LinuxSecurity.com Team
Get the latest Linux and open source security news straight to your inbox.