Explore top 10 tips to secure your open-source projects now. Read More
×An update that solves 14 vulnerabilities can now be installed.. # Security update for sccache Announcement ID: SUSE-SU-2026:3022-1 Release Date: 2026-07-15T09:48:48Z Rating: important References: * bsc#1210346 * bsc#1223238 * bsc#1229955 * bsc#1242611 * bsc#1243868 * bsc#1257923 * bsc#1270206 * bsc#1270512 * bsc#1270559 * bsc#1270693 * bsc#1270736 * bsc#1270869 * bsc#1270938 * bsc#1270948 Cross-References: * CVE-2023-26964 * CVE-2024-12224 * CVE-2024-32650 * CVE-2024-43806 * CVE-2025-3416 * CVE-2026-25727 * CVE-2026-41676 * CVE-2026-41677 * CVE-2026-41678 * CVE-2026-41681 * CVE-2026-41898 * CVE-2026-42327 * CVE-2026-44662 * CVE-2026-45784 CVSS scores: * CVE-2023-26964 ( SUSE ): 4.7 CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:H * CVE-2023-26964 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H * CVE-2023-26964 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H * CVE-2024-12224 ( SUSE ): 2.1 CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N * CVE-2024-12224 ( SUSE ): 4.2 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N * CVE-2024-12224 ( NVD ): 5.1 CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:N/VI:N/VA:N/SC:H/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X * CVE-2024-32650 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H * CVE-2024-43806 ( SUSE ): 6.5 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H * CVE-2025-3416 ( SUSE ): 6.3 CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N * CVE-2025-3416 ( SUSE ): 3.7 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L * CVE-2025-3416 ( NVD ): 3.7 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L * CVE-2026-25727 ( SUSE ): 8.7 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N * CVE-2026-25727 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H * CVE-2026-25727 ( NVD ): 6.8 CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X * CVE-2026-25727 ( NVD ): 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H * CVE-2026-41676 ( SUSE ): 8.3 CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:L/VA:H/SC:N/SI:N/SA:N * CVE-2026-41676 ( SUSE ): 6.5 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:H * CVE-2026-41676 ( NVD ): 7.2 CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X * CVE-2026-41676 ( NVD ): 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H * CVE-2026-41677 ( SUSE ): 1.7 CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N/E:U * CVE-2026-41677 ( SUSE ): 3.7 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N * CVE-2026-41677 ( NVD ): 1.7 CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X * CVE-2026-41677 ( NVD ): 9.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H * CVE-2026-41678 ( SUSE ): 8.3 CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N * CVE-2026-41678 ( SUSE ): 7.4 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H * CVE-2026-41678 ( NVD ): 7.2 CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X * CVE-2026-41678 ( NVD ): 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H * CVE-2026-41681 ( SUSE ): 8.2 CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N * CVE-2026-41681 ( SUSE ): 5.9 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N * CVE-2026-41681 ( NVD ): 8.1 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X * CVE-2026-41681 ( NVD ): 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H * CVE-2026-41898 ( SUSE ): 8.3 CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:L/SC:N/SI:N/SA:N * CVE-2026-41898 ( SUSE ): 6.5 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:L * CVE-2026-41898 ( NVD ): 8.3 CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X * CVE-2026-41898 ( NVD ): 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H * CVE-2026-42327 ( SUSE ): 8.7 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N * CVE-2026-42327 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N * CVE-2026-42327 ( NVD ): 8.7 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X * CVE-2026-44662 ( SUSE ): 5.1 CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N * CVE-2026-44662 ( SUSE ): 4.8 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L * CVE-2026-44662 ( NVD ): 5.1 CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X * CVE-2026-45784 ( SUSE ): 5.1 CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N * CVE-2026-45784 ( SUSE ): 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L Affected Products: * Development Tools Module 15-SP7 * openSUSE Leap 15.6 * SUSE Linux Enterprise Desktop 15 SP7 * SUSE Linux Enterprise Real Time 15 SP7 * SUSE Linux Enterprise Server 15 SP6 * SUSE Linux Enterprise Server 15 SP6 LTSS * SUSE Linux Enterprise Server 15 SP7 * SUSE Linux Enterprise Server for SAP Applications 15 SP6 *SUSE Linux Enterprise Server for SAP Applications 15 SP7 An update that solves 14 vulnerabilities can now be installed. ## Description: This update for sccache fixes the following issues: Update to version 0.15.0~17. * CVE-2023-26964: hyper,h2: high resource consumption due to stream stacking when H2 component processes `HTTP2 RST_STREAM` frames (bsc#1210346). * CVE-2024-32650: rust-rustls: infinite loop in `rustls::conn::ConnectionCommon:complete_io()` when processing client input network input (bsc#1223238). * CVE-2025-3416: openssl: use-after-free in `Md::fetch` and `Cipher::fetch` (bsc#1242611). * CVE-2026-25727: time: stack exhaustion in the RFC 2822 date parser when processing certain user provided input (bsc#1257923). * CVE-2026-41676: openssl: short buffer overflow via `Deriver:derive` and `PkeyCtxRef:derive` when using OpenSSL 1.1.1 (bsc#1270206). * CVE-2026-41677: openssl: out-of-bounds read in PEM password callback when returning an oversized length (bsc#1270559). * CVE-2026-41678: openssl: OOB write due to incorrect bounds assertion in `aes::unwrap_key()` (bsc#1270693). * CVE-2026-41681: openssl: stack corruption due to `MdCtxRef::digest_final()` writing past caller buffer with no length check (bsc#1270736). * CVE-2026-41898: openssl: information leak to network peers due to unchecked callback-returned length in PSK and cookie generate trampolines (bsc#1270869). * CVE-2026-42327: openssl: undefined behavior in `X509Ref::ocsp_responders` when processing certificates with non-UTF-8 OCSP URLs (bsc#1270512). * CVE-2026-44662: openssl: heap buffer overflow when encrypting with AES key- wrap-with-padding (bsc#1270938). * CVE-2026-45784: openssl: out-of-bounds write in `CipherCtxRef::cipher_update_inplace` for AES-KW-PAD ciphers (bsc#1270948). ## Patch Instructions: To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run thecommand listed for your product: * SUSE Linux Enterprise Server for SAP Applications 15 SP6 zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-SP6-2026-3022=1 * Development Tools Module 15-SP7 zypper in -t patch SUSE-SLE-Module-Development-Tools-15-SP7-2026-3022=1 * SUSE Linux Enterprise Server 15 SP6 LTSS zypper in -t patch SUSE-SLE-Product-SLES-15-SP6-LTSS-2026-3022=1 * openSUSE Leap 15.6 zypper in -t patch SUSE-2026-3022=1 ## Package List: * Development Tools Module 15-SP7 (aarch64 ppc64le s390x x86_64) * sccache-debuginfo-0.16.0~0-150600.10.11.1 * sccache-0.16.0~0-150600.10.11.1 * SUSE Linux Enterprise Server 15 SP6 LTSS (aarch64 ppc64le s390x x86_64) * sccache-debuginfo-0.16.0~0-150600.10.11.1 * sccache-0.16.0~0-150600.10.11.1 * openSUSE Leap 15.6 (aarch64 i586 ppc64le s390x x86_64) * sccache-debuginfo-0.16.0~0-150600.10.11.1 * sccache-debugsource-0.16.0~0-150600.10.11.1 * sccache-0.16.0~0-150600.10.11.1 * SUSE Linux Enterprise Server for SAP Applications 15 SP6 (ppc64le x86_64) * sccache-debuginfo-0.16.0~0-150600.10.11.1 * sccache-0.16.0~0-150600.10.11.1 ## References: * https://www.suse.com/security/cve/CVE-2023-26964.html * https://www.suse.com/security/cve/CVE-2024-12224.html * https://www.suse.com/security/cve/CVE-2024-32650.html * https://www.suse.com/security/cve/CVE-2024-43806.html * https://www.suse.com/security/cve/CVE-2025-3416.html * https://www.suse.com/security/cve/CVE-2026-25727.html * https://www.suse.com/security/cve/CVE-2026-41676.html * https://www.suse.com/security/cve/CVE-2026-41677.html * https://www.suse.com/security/cve/CVE-2026-41678.html * https://www.suse.com/security/cve/CVE-2026-41681.html * https://www.suse.com/security/cve/CVE-2026-41898.html * https://www.suse.com/security/cve/CVE-2026-42327.html * https://www.suse.com/security/cve/CVE-2026-44662.html * https://www.suse.com/security/cve/CVE-2026-45784.html * https://bugzilla.suse.com/show_bug.cgi?id=1210346 *https://bugzilla.suse.com/show_bug.cgi?id=1223238 * https://bugzilla.suse.com/show_bug.cgi?id=1229955 * https://bugzilla.suse.com/show_bug.cgi?id=1242611 * https://bugzilla.suse.com/show_bug.cgi?id=1243868 * https://bugzilla.suse.com/show_bug.cgi?id=1257923 * https://bugzilla.suse.com/show_bug.cgi?id=1270206 * https://bugzilla.suse.com/show_bug.cgi?id=1270512 * https://bugzilla.suse.com/show_bug.cgi?id=1270559 * https://bugzilla.suse.com/show_bug.cgi?id=1270693 * https://bugzilla.suse.com/show_bug.cgi?id=1270736 * https://bugzilla.suse.com/show_bug.cgi?id=1270869 * https://bugzilla.suse.com/show_bug.cgi?id=1270938 * https://bugzilla.suse.com/show_bug.cgi?id=1270948 . SUSE fixes 14 issues in sccache including important security flaws impacting system integrity.. sccache security update, openSUSE vulnerabilities, important patch instructions. . Severity: Important. LinuxSecurity.com Team
Addressable could be made to consume resources and cause a denial of service if it received specially crafted input.. ========================================================================== Ubuntu Security Notice USN-8515-1 July 07, 2026 ruby-addressable vulnerability ========================================================================== A security issue affects these releases of Ubuntu and its derivatives: - Ubuntu 26.04 LTS - Ubuntu 24.04 LTS - Ubuntu 22.04 LTS - Ubuntu 20.04 LTS - Ubuntu 18.04 LTS - Ubuntu 16.04 LTS Summary: Addressable could be made to consume resources and cause a denial of service if it received specially crafted input. Software Description: - ruby-addressable: Addressable is an alternative implementation to the URI implementation that is part of Ruby's standard library Details: It was discovered that Addressable incorrectly handled certain URI templates, generating regular expressions vulnerable to catastrophic backtracking. An attacker could use this issue to craft a URI that, when matched against a vulnerable template, causes excessive resource consumption, leading to a denial of service. Update instructions: The problem can be corrected by updating your system to the following package versions: Ubuntu 26.04 LTS ruby-addressable 2.8.7-2ubuntu0.26.04.1~esm1 Available with Ubuntu Pro Ubuntu 24.04 LTS ruby-addressable 2.8.5-1ubuntu0.1~esm1 Available with Ubuntu Pro Ubuntu 22.04 LTS ruby-addressable 2.8.0-3ubuntu0.1~esm1 Available with Ubuntu Pro Ubuntu 20.04 LTS ruby-addressable 2.7.0-1ubuntu0.1~esm1 Available with Ubuntu Pro Ubuntu 18.04 LTS ruby-addressable 2.5.2-1ubuntu0.1~esm1 Available with Ubuntu Pro Ubuntu 16.04 LTS ruby-addressable 2.3.8-1ubuntu0.1~esm1 Available with Ubuntu Pro In general, a standard system update will make all the necessary changes. References: https://ubuntu.com/security/notices/USN-8515-1 CVE-2026-35611 . Update Ubuntu's ruby-addressable package to patch critical denial of service vulnerability affecting multiple Ubuntu LTS versions.. Ubuntu Ruby Addressable Denial Service Patch. . Severity: Critical. LinuxSecurity.com Team
nginx could be made to consume excessive resources if it received specially crafted network traffic.. ========================================================================== Ubuntu Security Notice USN-8398-4 July 02, 2026 nginx vulnerability ========================================================================== A security issue affects these releases of Ubuntu and its derivatives: - Ubuntu 20.04 LTS - Ubuntu 18.04 LTS - Ubuntu 16.04 LTS - Ubuntu 14.04 LTS Summary: nginx could be made to consume excessive resources if it received specially crafted network traffic. Software Description: - nginx: small, powerful, scalable web/proxy server Details: USN-8398-3 fixed a vulnerability in nginx. This update provides the corresponding fix for Ubuntu 14.04 LTS, Ubuntu 16.04 LTS, Ubuntu 18.04 LTS, and Ubuntu 20.04 LTS. Original advisory details: It was discovered that nginx incorrectly handled certain cookie headers in the HTTP/2 implementation. A remote attacker could possibly use this issue to cause nginx to consume excessive resources, resulting in a denial of service. Update instructions: The problem can be corrected by updating your system to the following package versions: Ubuntu 20.04 LTS nginx 1.18.0-0ubuntu1.7+esm3 Available with Ubuntu Pro nginx-common 1.18.0-0ubuntu1.7+esm3 Available with Ubuntu Pro nginx-core 1.18.0-0ubuntu1.7+esm3 Available with Ubuntu Pro nginx-extras 1.18.0-0ubuntu1.7+esm3 Available with Ubuntu Pro nginx-full 1.18.0-0ubuntu1.7+esm3 Available with Ubuntu Pro nginx-light 1.18.0-0ubuntu1.7+esm3 Available with Ubuntu Pro Ubuntu 18.04 LTS nginx 1.14.0-0ubuntu1.11+esm4 Available with Ubuntu Pro nginx-core 1.14.0-0ubuntu1.11+esm4 Available with Ubuntu Pro nginx-extras 1.14.0-0ubuntu1.11+esm4 Available with Ubuntu Pro nginx-full 1.14.0-0ubuntu1.11+esm4 Available with Ubuntu Pro nginx-light 1.14.0-0ubuntu1.11+esm4 Available with Ubuntu Pro Ubuntu 16.04 LTS nginx 1.10.3-0ubuntu0.16.04.5+esm9 Available with Ubuntu Pro nginx-common 1.10.3-0ubuntu0.16.04.5+esm9 Available with Ubuntu Pro nginx-core 1.10.3-0ubuntu0.16.04.5+esm9 Available with Ubuntu Pro nginx-extras 1.10.3-0ubuntu0.16.04.5+esm9 Available with Ubuntu Pro nginx-full 1.10.3-0ubuntu0.16.04.5+esm9 Available with Ubuntu Pro nginx-light 1.10.3-0ubuntu0.16.04.5+esm9 Available with Ubuntu Pro Ubuntu 14.04 LTS nginx 1.4.6-1ubuntu3.9+esm8 Available with Ubuntu Pro nginx-common 1.4.6-1ubuntu3.9+esm8 Available with Ubuntu Pro nginx-core 1.4.6-1ubuntu3.9+esm8 Available with Ubuntu Pro nginx-extras 1.4.6-1ubuntu3.9+esm8 Available with Ubuntu Pro nginx-full 1.4.6-1ubuntu3.9+esm8 Available with Ubuntu Pro nginx-light 1.4.6-1ubuntu3.9+esm8 Available with Ubuntu Pro In general, a standard system update will make all the necessarychanges. References: https://ubuntu.com/security/notices/USN-8398-4 https://ubuntu.com/security/notices/USN-8398-3 https://ubuntu.com/security/notices/USN-8398-2 https://ubuntu.com/security/notices/USN-8398-1 CVE-2026-49975 . Update your Ubuntu system as nginx has a fix for a critical resource consumption issue. Protect against DoS attacks.. nginx resource fix, Ubuntu security update, denial of service mitigation, web server security issues, nginx vulnerabilities. . Severity: Important. LinuxSecurity.com Team
An update that solves 21 vulnerabilities can now be installed.. # Security update for nodejs24 Announcement ID: SUSE-SU-2026:2633-1 Release Date: 2026-06-25T13:34:13Z Rating: important References: * bsc#1259853 * bsc#1262274 * bsc#1266318 * bsc#1268097 * bsc#1268477 * bsc#1268478 * bsc#1268479 * bsc#1268480 * bsc#1268481 * bsc#1268482 * bsc#1268554 * bsc#1268555 * bsc#1268592 * bsc#1268593 * bsc#1268598 * bsc#1268605 * bsc#1268606 * bsc#1268608 * bsc#1268609 * bsc#1268611 * bsc#1268618 Cross-References: * CVE-2026-11525 * CVE-2026-12151 * CVE-2026-2581 * CVE-2026-27135 * CVE-2026-40170 * CVE-2026-42338 * CVE-2026-48615 * CVE-2026-48617 * CVE-2026-48618 * CVE-2026-48619 * CVE-2026-48928 * CVE-2026-48930 * CVE-2026-48931 * CVE-2026-48933 * CVE-2026-48934 * CVE-2026-48935 * CVE-2026-48937 * CVE-2026-6733 * CVE-2026-9496 * CVE-2026-9678 * CVE-2026-9679 CVSS scores: * CVE-2026-11525 ( SUSE ): 3.7 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N * CVE-2026-11525 ( NVD ): 3.7 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N * CVE-2026-12151 ( SUSE ): 5.9 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H * CVE-2026-12151 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H * CVE-2026-2581 ( SUSE ): 5.9 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H * CVE-2026-2581 ( NVD ): 5.9 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H * CVE-2026-27135 ( SUSE ): 8.2 CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N * CVE-2026-27135 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H * CVE-2026-27135 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H * CVE-2026-40170 ( SUSE ): 8.7 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N * CVE-2026-40170 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H * CVE-2026-40170 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H * CVE-2026-42338 ( SUSE ): 5.3 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X * CVE-2026-42338 ( SUSE ): 6.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N * CVE-2026-42338 ( NVD ): 5.3 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X * CVE-2026-42338 ( NVD ): 6.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N * CVE-2026-48615 ( SUSE ): 8.7 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N * CVE-2026-48615 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N * CVE-2026-48617 ( SUSE ): 1.8 CVSS:4.0/AV:L/AC:H/AT:P/PR:H/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N * CVE-2026-48617 ( SUSE ): 2.9 CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:N * CVE-2026-48617 ( NVD ): 1.8 CVSS:3.0/AV:L/AC:H/PR:H/UI:R/S:U/C:N/I:L/A:N * CVE-2026-48618 ( SUSE ): 8.3 CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N * CVE-2026-48618 ( SUSE ): 7.4 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N * CVE-2026-48619 ( SUSE ): 5.9 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H * CVE-2026-48928 ( SUSE ): 6.0 CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N * CVE-2026-48928 ( SUSE ): 5.9 CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:H/A:N * CVE-2026-48930 ( SUSE ): 6.0 CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N * CVE-2026-48930 ( SUSE ): 5.3 CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N * CVE-2026-48931 ( SUSE ): 6.3 CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N * CVE-2026-48931 ( SUSE ): 3.7 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N * CVE-2026-48931 ( NVD ): 3.7 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N * CVE-2026-48933 ( SUSE ): 8.7 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N * CVE-2026-48933 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H * CVE-2026-48934 ( SUSE ): 6.3 CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N * CVE-2026-48934 ( SUSE ): 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N * CVE-2026-48935 ( SUSE ): 5.1 CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N * CVE-2026-48935 ( SUSE ): 4.0 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N * CVE-2026-48937 ( SUSE ): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L * CVE-2026-48937 ( NVD ): 5.3 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L * CVE-2026-6733 ( SUSE ): 3.7 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N * CVE-2026-6733 ( NVD ): 3.7 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N * CVE-2026-9496 ( SUSE ): 6.8 CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N * CVE-2026-9496 ( SUSE ): 5.5 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H * CVE-2026-9496 ( NVD ): 7.7 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X * CVE-2026-9496 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H * CVE-2026-9678 ( SUSE ): 5.9 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N * CVE-2026-9678 ( NVD ): 5.9 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N * CVE-2026-9679 ( SUSE ): 5.9 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N * CVE-2026-9679 ( NVD ): 5.9 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N Affected Products: * SUSE Linux Enterprise Server 15 SP7 * SUSE Linux Enterprise Server for SAP Applications 15 SP7 * Web and Scripting Module 15-SP7 An update that solves 21 vulnerabilities can now be installed. ## Description: This update for nodejs24 fixes the following issues Update to 24.17.0: * CVE-2026-2581: undici: Undici: Denial of Service due to uncontrolled resource consumption (bsc#1268480). * CVE-2026-6733: undici: Undici: Response queue poisoning on reused keep-alive sockets can lead to incorrect response delivery (bsc#1268479). *CVE-2026-9496: pacote: excessive CPU consumption in `addGitSha` when processing a specially crafted `spec.rawSpec` value can lead to DoS (bsc#1266318). * CVE-2026-9678: undici: Undici: Information disclosure due to improper cache- control header parsing (bsc#1268478). * CVE-2026-9679: undici: undici vulnerable to HTTP header injection via Set- Cookie percent-decoding (bsc#1268477). * CVE-2026-11525: undici: undici: Weakening of cookie SameSite policy due to incorrect parsing of Set-Cookie header (bsc#1268481). * CVE-2026-12151: undici: undici: Denial of Service due to unbounded memory growth via WebSocket frames (bsc#1268482). * CVE-2026-27135: nghttp2: assertion failure due to missing state validation can lead to DoS (bsc#1259853). * CVE-2026-40170: ngtcp2: qlog parameters_set stack buffer overflow (bsc#1262274). * CVE-2026-42338: ip-address: Cross-site scripting via improper HTML escaping of untrusted input (bsc#1268097). * CVE-2026-48615: Proxy credentials leaked in ERR_PROXY_TUNNEL error message (bsc#1268598). * CVE-2026-48617: permission model enforcement bypass via `process.report.writeReport()` path misvalidation (bsc#1268554). * CVE-2026-48618: Node.js unicode dot separator handling can lead to tls wildcard-depth authentication bypass due to resolver and verifier hostname normalization mismatch (bsc#1268593). * CVE-2026-48619: Unbounded memory growth in node:http2 clients via attacker- controlled ORIGIN frames (bsc#1268618). * CVE-2026-48928: Uppercase sni context matching can lead to mtls authorization bypass due to case-sensitive hostname matching (bsc#1268605). * CVE-2026-48930: Embedded-nul hostnames can lead to silent authority rebinding due to c-string truncation in resolver bindings (bsc#1268606). * CVE-2026-48931: HTTP Response Queue Poisoning via TOCTOU Race Condition in http.Agent (bsc#1268611). * CVE-2026-48933: Node.js WebCrypto AES Integer Overflow Leads to Remote Process Abort(bsc#1268592). * CVE-2026-48934: TLS host identity verification bypass via session reuse with different servername leads to unauthorized connections (bsc#1268608). * CVE-2026-48935: Permission Model bypass via FileHandle.utimes() in the promises API (bsc#1268609). * CVE-2026-48937: servers keep accepting data even after sending a `GOAWAY` frame (bsc#1268555). ## Patch Instructions: To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: * Web and Scripting Module 15-SP7 zypper in -t patch SUSE-SLE-Module-Web-Scripting-15-SP7-2026-2633=1 ## Package List: * Web and Scripting Module 15-SP7 (aarch64 ppc64le s390x x86_64) * nodejs24-devel-24.17.0-150700.15.11.1 * npm24-24.17.0-150700.15.11.1 * nodejs24-debuginfo-24.17.0-150700.15.11.1 * nodejs24-24.17.0-150700.15.11.1 * nodejs24-debugsource-24.17.0-150700.15.11.1 * Web and Scripting Module 15-SP7 (noarch) * nodejs24-docs-24.17.0-150700.15.11.1 ## References: * https://www.suse.com/security/cve/CVE-2026-11525.html * https://www.suse.com/security/cve/CVE-2026-12151.html * https://www.suse.com/security/cve/CVE-2026-2581.html * https://www.suse.com/security/cve/CVE-2026-27135.html * https://www.suse.com/security/cve/CVE-2026-40170.html * https://www.suse.com/security/cve/CVE-2026-42338.html * https://www.suse.com/security/cve/CVE-2026-48615.html * https://www.suse.com/security/cve/CVE-2026-48617.html * https://www.suse.com/security/cve/CVE-2026-48618.html * https://www.suse.com/security/cve/CVE-2026-48619.html * https://www.suse.com/security/cve/CVE-2026-48928.html * https://www.suse.com/security/cve/CVE-2026-48930.html * https://www.suse.com/security/cve/CVE-2026-48931.html * https://www.suse.com/security/cve/CVE-2026-48933.html * https://www.suse.com/security/cve/CVE-2026-48934.html * https://www.suse.com/security/cve/CVE-2026-48935.html *https://www.suse.com/security/cve/CVE-2026-48937.html * https://www.suse.com/security/cve/CVE-2026-6733.html * https://www.suse.com/security/cve/CVE-2026-9496.html * https://www.suse.com/security/cve/CVE-2026-9678.html * https://www.suse.com/security/cve/CVE-2026-9679.html * https://bugzilla.suse.com/show_bug.cgi?id=1259853 * https://bugzilla.suse.com/show_bug.cgi?id=1262274 * https://bugzilla.suse.com/show_bug.cgi?id=1266318 * https://bugzilla.suse.com/show_bug.cgi?id=1268097 * https://bugzilla.suse.com/show_bug.cgi?id=1268477 * https://bugzilla.suse.com/show_bug.cgi?id=1268478 * https://bugzilla.suse.com/show_bug.cgi?id=1268479 * https://bugzilla.suse.com/show_bug.cgi?id=1268480 * https://bugzilla.suse.com/show_bug.cgi?id=1268481 * https://bugzilla.suse.com/show_bug.cgi?id=1268482 * https://bugzilla.suse.com/show_bug.cgi?id=1268554 * https://bugzilla.suse.com/show_bug.cgi?id=1268555 * https://bugzilla.suse.com/show_bug.cgi?id=1268592 * https://bugzilla.suse.com/show_bug.cgi?id=1268593 * https://bugzilla.suse.com/show_bug.cgi?id=1268598 * https://bugzilla.suse.com/show_bug.cgi?id=1268605 * https://bugzilla.suse.com/show_bug.cgi?id=1268606 * https://bugzilla.suse.com/show_bug.cgi?id=1268608 * https://bugzilla.suse.com/show_bug.cgi?id=1268609 * https://bugzilla.suse.com/show_bug.cgi?id=1268611 * https://bugzilla.suse.com/show_bug.cgi?id=1268618 . SUSE released a vital security update for nodejs24, addressing 21 critical issues. Essential for system stability!. SUSE nodejs update security threats important patch. . Severity: Important. LinuxSecurity.com Team
An update that solves 21 vulnerabilities and contains one feature can now be installed.. # Security update for amazon-ssm-agent Announcement ID: SUSE-SU-2026:22157-1 Release Date: 2026-06-17T16:32:56Z Rating: important References: * bsc#1238702 * bsc#1239342 * bsc#1253611 * bsc#1258095 * bsc#1264952 * bsc#1265474 * bsc#1266200 * bsc#1266781 * bsc#1267332 * jsc#PED-14843 Cross-References: * CVE-2025-22869 * CVE-2025-22870 * CVE-2025-47913 * CVE-2026-1229 * CVE-2026-25934 * CVE-2026-39821 * CVE-2026-39827 * CVE-2026-39828 * CVE-2026-39829 * CVE-2026-39830 * CVE-2026-39831 * CVE-2026-39832 * CVE-2026-39833 * CVE-2026-39834 * CVE-2026-39835 * CVE-2026-41506 * CVE-2026-42508 * CVE-2026-44740 * CVE-2026-46595 * CVE-2026-46597 * CVE-2026-46598 CVSS scores: * CVE-2025-22869 ( SUSE ): 8.2 CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N * CVE-2025-22869 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H * CVE-2025-22869 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H * CVE-2025-22870 ( SUSE ): 4.8 CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N * CVE-2025-22870 ( SUSE ): 4.4 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:L * CVE-2025-22870 ( NVD ): 4.4 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:L * CVE-2025-47913 ( SUSE ): 8.7 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N * CVE-2025-47913 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H * CVE-2025-47913 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H * CVE-2026-1229 ( SUSE ): 8.3 CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:H/VA:L/SC:N/SI:N/SA:N * CVE-2026-1229 ( SUSE ): 7.0 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:L * CVE-2026-1229 ( NVD ): 2.9 CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:L/SI:L/SA:L/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:N/AU:Y/R:X/V:X/RE:X/U:Amber * CVE-2026-1229 ( NVD ): 9.8CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H * CVE-2026-25934 ( SUSE ): 5.3 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N * CVE-2026-25934 ( SUSE ): 4.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N * CVE-2026-25934 ( NVD ): 4.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N * CVE-2026-25934 ( NVD ): 4.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N * CVE-2026-39821 ( SUSE ): 9.1 CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N * CVE-2026-39821 ( SUSE ): 7.4 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N * CVE-2026-39821 ( NVD ): 9.6 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N * CVE-2026-39827 ( SUSE ): 7.1 CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N * CVE-2026-39827 ( SUSE ): 6.5 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H * CVE-2026-39827 ( NVD ): 6.5 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H * CVE-2026-39828 ( SUSE ): 8.6 CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N * CVE-2026-39828 ( SUSE ): 8.1 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N * CVE-2026-39828 ( NVD ): 6.3 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L * CVE-2026-39829 ( SUSE ): 8.7 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N * CVE-2026-39829 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H * CVE-2026-39829 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H * CVE-2026-39830 ( SUSE ): 7.1 CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N * CVE-2026-39830 ( SUSE ): 6.5 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H * CVE-2026-39830 ( NVD ): 9.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H * CVE-2026-39831 ( SUSE ): 8.6 CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N * CVE-2026-39831 ( SUSE ): 8.1 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N * CVE-2026-39831 ( NVD ): 9.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N * CVE-2026-39832 ( SUSE ): 6.2 CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N *CVE-2026-39832 ( SUSE ): 8.4 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N * CVE-2026-39832 ( NVD ): 9.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N * CVE-2026-39833 ( SUSE ): 8.5 CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N * CVE-2026-39833 ( SUSE ): 7.7 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N * CVE-2026-39833 ( NVD ): 9.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N * CVE-2026-39834 ( SUSE ): 8.7 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N * CVE-2026-39834 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H * CVE-2026-39834 ( NVD ): 9.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H * CVE-2026-39835 ( SUSE ): 8.7 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N * CVE-2026-39835 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H * CVE-2026-39835 ( NVD ): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L * CVE-2026-41506 ( SUSE ): 7.1 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N * CVE-2026-41506 ( SUSE ): 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N * CVE-2026-41506 ( NVD ): 4.7 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:N * CVE-2026-41506 ( NVD ): 7.4 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N * CVE-2026-42508 ( SUSE ): 8.6 CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N * CVE-2026-42508 ( SUSE ): 8.1 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N * CVE-2026-42508 ( NVD ): 9.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N * CVE-2026-44740 ( SUSE ): 8.7 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N * CVE-2026-44740 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H * CVE-2026-44740 ( NVD ): 6.5 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H * CVE-2026-46595 ( SUSE ): 8.6 CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N * CVE-2026-46595 ( SUSE ): 8.1 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N * CVE-2026-46595 ( NVD ): 10.0 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L * CVE-2026-46597 ( SUSE ): 8.7 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N * CVE-2026-46597 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H * CVE-2026-46597 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H * CVE-2026-46598 ( SUSE ): 8.7 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N * CVE-2026-46598 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H * CVE-2026-46598 ( NVD ): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L Affected Products: * SUSE Linux Enterprise Server 16.0 * SUSE Linux Enterprise Server for SAP applications 16.0 An update that solves 21 vulnerabilities and contains one feature can now be installed. ## Description: This update for amazon-ssm-agent fixes the following issues Update to version 3.3.4624.0: * CVE-2025-22869: golang.org/x/crypto/ssh: Denial of Service in the Key Exchange of golang.org/x/crypto/ssh (bsc#1239342). * CVE-2025-22870: golang.org/x/net/proxy: proxy bypass using IPv6 zone IDs (bsc#1238702). * CVE-2025-47913: golang.org/x/crypto/ssh/agent: client process termination when receiving an unexpected message type in response to a key listing or signing request (bsc#1253611). * CVE-2026-1229: the CombinedMult function in the ecc/p384 package produces an incorrect value for specific inputs (bsc#1265474). * CVE-2026-25934: github.com/go-git/go-git/v5: improper verification of data integrity values for .pack and .idx files can lead to the consumption of corrupted files (bsc#1258095). * CVE-2026-39821: golang.org/x/net/idna: failure to reject ASCII-only Punycode-encoded labels allows for validation bypass and privilege esca (bsc#1266781). * CVE-2026-41506: github.com/go-git/go-git/v5: HTTP authentication credential leak when following redirects during smart-HTTP clone and fetch operations (bsc#1264952). * CVE-2026-44740: github.com/go-git/go-billy/v5: improper input handling in many components can lead to DoS viainfinite loops, panics or resource consumption (bsc#1267332). * CVE-2026-39827: Invoking memory leak when rejecting channels can lead to DoS in golang.org/x/crypto/ssh (bsc#1266200). * CVE-2026-39828: Invoking bypass of certificate restrictions in golang.org/x/crypto/ssh (bsc#1266200). * CVE-2026-39829: Invoking pathological RSA/DSA parameters may cause DoS in golang.org/x/crypto/ssh (bsc#1266200). * CVE-2026-39830: Invoking client can cause server deadlock on unexpected responses in golang.org/x/crypto/ssh (bsc#1266200). * CVE-2026-39831: Invoking bypass of FIDO/U2F security keys physical interaction in golang.org/x/crypto/ssh (bsc#1266200). * CVE-2026-39832: Invoking agent constraints dropped when forwarding keys in golang.org/x/crypto/ssh/agent (bsc#1266200). * CVE-2026-39833: Invoking key constraints not enforced in golang.org/x/crypto/ssh/agent (bsc#1266200). * CVE-2026-39834: Invoking infinite loop on large channel writes in golang.org/x/crypto/ssh (bsc#1266200). * CVE-2026-39835: Invoking server panic during CheckHostKey/Authenticate in golang.org/x/crypto/ssh (bsc#1266200). * CVE-2026-42508: Invoking auth bypass via unenforced @revoked status in golang.org/x/crypto/ssh/knownhosts (bsc#1266200). * CVE-2026-46595: Invoking VerifiedPublicKeyCallback permissions skip enforcement in golang.org/x/crypto/ssh (bsc#1266200). * CVE-2026-46597: Invoking byte arithmetic causes underflow and panic in golang.org/x/crypto/ssh (bsc#1266200). * CVE-2026-46598: Invoking pathological inputs can lead to client panic in golang.org/x/crypto/ssh/agent (bsc#1266200). Changes: * Bump golang.org/x/crypto from v0.51.0 to v0.52.0 * Bump golang.org/x/net from v0.54.0 to v0.55.0 * Enforce directory boundary in BuildSafePath * Fix visibility issue with Bottlerocket OS in document output * Update go-git from v5.17.1 to v5.19.1 (bsc#1264952, CVE-2026-41506), this also updates go-billy from v5.8.0 to v5.9.0 (bsc#1267332, CVE-2026-44740) *Bump golang.org/x/net from v0.48.0 to v0.53.0 (bsc#1266781, CVE-2026-39821) * Quit if sysprep failed and log its current state * Remove attached legacy cloudwatch plugin packages * Upgrade Go version to 1.25.10 * Use BuildSafePath wherever it is applicable * Add OOM killer protection to systemd service files * Apply more sanitation to file and registry inventory gatherers * Bump go-git to v5.17.1 * Deprecate legacy cloudwatch plugin * Preserve network error details in credential refresher SSM API failures * Upgrade Go version to 1.25.9 * Add SSM Distributor support for Bottlerocket OS * Implement flush credentials command in ssm-cli * Log ec2messages access denied as debug instead of error to reduce log noise * Make credential refresher refresh cache quickly in case of credential flush * Make Greengrass component registration resilient with retry * Add EnforceWorkspaceRootOwnership configuration to support disable hardening of agent workspace * Add reboot comment to Windows shutdown command for SSM Agent traceability * Update privilege access check to verify ownership and permissions of document state files * Add read-only version check prior to install and uninstall in case of occupied package manager locks * Add ANSI processing for CloudWatch and S3 log * Upgrade go-git to v5.17.0 and cloudflare/circl to v1.6.3 to fix CVE-2026-1229 * Switch to systemd-tmpfiles to store runtime data (jsc#PED-14843) * Disable Go 1.25 container-aware GOMAXPROCS to prevent holding cgroup file descriptors open * Upgrade Go version to 1.25.8 * Document CommandWorkerBufferLimit config * Include package update in Dockerfile * Reduce CloudWatch event message length threshold * Upgrade Go version to 1.25.7 * Update github.com/go-git/go-git/v5 to 5.16.5 (bsc#1258095, CVE-2026-25934) * Update greengrass version * Update Golang version to 1.24.12 * Updating golang.org/x/crypto from v0.37.0 to v0.47.0, golang.org/x/net from v0.39.0 to v0.48.0 andgolang.org/x/sys from v0.32.0 to v0.40.0 (bsc#1253611, CVE-2025-47913) * Categorize integration tests by adding new tags to split fast and slow ones * Fix bug where IP field being empty string and causing UII API failure * Allow Patch execution to persist across reboots not registered to SSM Agent * Fix ENV_VAR interpolation to work correctly with parameter store value * Implement immediate retries for failed reply messages to MGS for RunCommand documents * Improve ssm-cli get-diagnostics command log output * Support DomainJoin endpoint for EU sovereign cloud * Support dualstack S3 endpoint for distributor packages * Upgrade Go version to 1.24.11 * Add initial IPv6 support with UseDualStackEndpoint configuration option * Fix CPU utilization issue for instances with thousands of network interfaces * Add IMDS retry count to account for EC2 droplet refresh * Fix duplicate uid error logging in MDS module * Update aws:Domainjoin plugin logging from Log4Net to NLog * Upgrade Go version to 1.24.7 * Update github.com/go-git/go-git/v5 to 5.15.0 * Update golang.org/x/crypto to v0.37.0 (bsc#1238702, CVE-2025-22870) * Update golang.org/x/net to v0.39.0 * Update golang.org/x/sys to v0.32.0 * Add EU sovereign cloud S3 endpoint for DownloadContent plugin * Add configurable credential rotation max backoff interval * Migrate from twinj/uuid to google/uuid library * Allow newer agent versions to be installed when deploying on Greengrass * Harden function to remove non-admin run command documents in execution path * Fix macOS credential refresher test issue due to missing Debugf from serialport skip file * Enhance testability of custom certificate usage in debug SSM Agent builds * Decouple serial port from startup and add credential refresher serialport logging * Add GlobalEnhancedTelemetryEnabled config to README * Add cloudwatch logs endpoint configuration to optional config for agent * Update Greengrass component version * Add file privilege checkbefore processing document state file * Storing AWS document interpolation ENV_VAR types as environment variables * Throw explicit error when running local cli as non-priviledged user * Harden telemetry dynamic config folder permissions * Add configuration option for HandshakeTimeout * Improve unit tests * Add setup for emitting telemetry logs and metrics * Add initial selection of error logs to emit to telemetry * Simplify checkstyle and import organization in build scripts * Update golang.org/x/net from v0.37.0 to v0.38.0 * Agent hibernation reason is logged to EC2 system logs * Add metrics for the EC2Detector and IMDS EC2 status findings * Change Linux DomainJoin plugin parameter KeepHostName to accept both boolean and string * Upgrade GoLang to version 1.23.8 * Update golang.org/x/crypto from v0.32.0 to v0.36.0 (bsc#1239342, CVE-2025-22869) ## Patch Instructions: To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: * SUSE Linux Enterprise Server 16.0 zypper in -t patch SUSE-SLES-16.0-943=1 * SUSE Linux Enterprise Server for SAP applications 16.0 zypper in -t patch SUSE-SLES-16.0-943=1 ## Package List: * SUSE Linux Enterprise Server for SAP applications 16.0 (x86_64) * amazon-ssm-agent-3.3.4624.0-160000.1.1 * SUSE Linux Enterprise Server 16.0 (aarch64 x86_64) * amazon-ssm-agent-3.3.4624.0-160000.1.1 ## References: * https://www.suse.com/security/cve/CVE-2025-22869.html * https://www.suse.com/security/cve/CVE-2025-22870.html * https://www.suse.com/security/cve/CVE-2025-47913.html * https://www.suse.com/security/cve/CVE-2026-1229.html * https://www.suse.com/security/cve/CVE-2026-25934.html * https://www.suse.com/security/cve/CVE-2026-39821.html * https://www.suse.com/security/cve/CVE-2026-39827.html * https://www.suse.com/security/cve/CVE-2026-39828.html *https://www.suse.com/security/cve/CVE-2026-39829.html * https://www.suse.com/security/cve/CVE-2026-39830.html * https://www.suse.com/security/cve/CVE-2026-39831.html * https://www.suse.com/security/cve/CVE-2026-39832.html * https://www.suse.com/security/cve/CVE-2026-39833.html * https://www.suse.com/security/cve/CVE-2026-39834.html * https://www.suse.com/security/cve/CVE-2026-39835.html * https://www.suse.com/security/cve/CVE-2026-41506.html * https://www.suse.com/security/cve/CVE-2026-42508.html * https://www.suse.com/security/cve/CVE-2026-44740.html * https://www.suse.com/security/cve/CVE-2026-46595.html * https://www.suse.com/security/cve/CVE-2026-46597.html * https://www.suse.com/security/cve/CVE-2026-46598.html * https://bugzilla.suse.com/show_bug.cgi?id=1238702 * https://bugzilla.suse.com/show_bug.cgi?id=1239342 * https://bugzilla.suse.com/show_bug.cgi?id=1253611 * https://bugzilla.suse.com/show_bug.cgi?id=1258095 * https://bugzilla.suse.com/show_bug.cgi?id=1264952 * https://bugzilla.suse.com/show_bug.cgi?id=1265474 * https://bugzilla.suse.com/show_bug.cgi?id=1266200 * https://bugzilla.suse.com/show_bug.cgi?id=1266781 * https://bugzilla.suse.com/show_bug.cgi?id=1267332 * https://jira.suse.com/browse/PED-14843 . Important security update for Amazon SSM Agent addresses 21 vulnerabilities including DoS and resource issues through patches.. SUSE updates, security patch, Amazon SSM Agent, vulnerability management. . Severity: Important. LinuxSecurity.com Team
nginx could be made to consume excessive resources if it received specially crafted network traffic.. ========================================================================== Ubuntu Security Notice USN-8398-1 June 08, 2026 nginx vulnerability ========================================================================== A security issue affects these releases of Ubuntu and its derivatives: - Ubuntu 26.04 LTS - Ubuntu 25.10 - Ubuntu 24.04 LTS - Ubuntu 22.04 LTS Summary: nginx could be made to consume excessive resources if it received specially crafted network traffic. Software Description: - nginx: small, powerful, scalable web/proxy server Details: It was discovered that nginx incorrectly handled certain cookie headers in the HTTP/2 implementation. A remote attacker could possibly use this issue to cause nginx to consume excessive resources, resulting in a denial of service. Update instructions: The problem can be corrected by updating your system to the following package versions: Ubuntu 26.04 LTS nginx 1.28.3-2ubuntu1.3 nginx-core 1.28.3-2ubuntu1.3 nginx-extras 1.28.3-2ubuntu1.3 nginx-full 1.28.3-2ubuntu1.3 nginx-light 1.28.3-2ubuntu1.3 Ubuntu 25.10 nginx 1.28.0-6ubuntu1.5 nginx-core 1.28.0-6ubuntu1.5 nginx-extras 1.28.0-6ubuntu1.5 nginx-full 1.28.0-6ubuntu1.5 nginx-light 1.28.0-6ubuntu1.5 Ubuntu 24.04 LTS nginx 1.24.0-2ubuntu7.10 nginx-core 1.24.0-2ubuntu7.10 nginx-extras 1.24.0-2ubuntu7.10 nginx-full 1.24.0-2ubuntu7.10 nginx-light 1.24.0-2ubuntu7.10 Ubuntu 22.04 LTS nginx 1.18.0-6ubuntu14.13 nginx-core 1.18.0-6ubuntu14.13 nginx-extras 1.18.0-6ubuntu14.13 nginx-full 1.18.0-6ubuntu14.13 nginx-light 1.18.0-6ubuntu14.13 In general, a standard system update will make all the necessary changes. References: https://ubuntu.com/security/notices/USN-8398-1 CVE-2026-49975 Package Information: https://launchpad.net/ubuntu/+source/nginx/1.28.3-2ubuntu1.3 https://launchpad.net/ubuntu/+source/nginx/1.28.0-6ubuntu1.5 https://launchpad.net/ubuntu/+source/nginx/1.24.0-2ubuntu7.10 https://launchpad.net/ubuntu/+source/nginx/1.18.0-6ubuntu14.13 . nginx update for Ubuntu fixes excessive resource consumption due to crafted network traffic. Stay secure with the latest details.. nginx security update, Ubuntu resource management, denial of service threat, network exploitation. . Severity: Important. LinuxSecurity.com Team
Apache HTTP Server could be made to consume excessive resources if it received specially crafted network traffic.. ========================================================================== Ubuntu Security Notice USN-8384-1 June 04, 2026 apache2 vulnerability ========================================================================== A security issue affects these releases of Ubuntu and its derivatives: - Ubuntu 26.04 LTS - Ubuntu 25.10 - Ubuntu 24.04 LTS - Ubuntu 22.04 LTS Summary: Apache HTTP Server could be made to consume excessive resources if it received specially crafted network traffic. Software Description: - apache2: Apache HTTP server Details: It was discovered that Apache HTTP Server incorrectly handled certain cookie headers in the HTTP/2 implementation. A remote attacker could possibly use this issue to cause Apache HTTP Server to consume excessive resources, resulting in a denial of service. Update instructions: The problem can be corrected by updating your system to the following package versions: Ubuntu 26.04 LTS apache2 2.4.66-2ubuntu2.2 Ubuntu 25.10 apache2 2.4.64-1ubuntu3.5 Ubuntu 24.04 LTS apache2 2.4.58-1ubuntu8.13 Ubuntu 22.04 LTS apache2 2.4.52-1ubuntu4.21 In general, a standard system update will make all the necessary changes. References: https://ubuntu.com/security/notices/USN-8384-1 CVE-2026-49975 Package Information: https://launchpad.net/ubuntu/+source/apache2/2.4.66-2ubuntu2.2 https://launchpad.net/ubuntu/+source/apache2/2.4.64-1ubuntu3.5 https://launchpad.net/ubuntu/+source/apache2/2.4.58-1ubuntu8.13 https://launchpad.net/ubuntu/+source/apache2/2.4.52-1ubuntu4.21 . Apache HTTP Server on Ubuntu can be exploited causing resource exhaustion. Stay updated to prevent denial of service attacks.. Apache HTTP, Ubuntu Security, Denial of Service, Resource Consumption, Apache Server Update. . Severity: Important. LinuxSecurity.com Team
Pillow could be made to crash if it opened a specially crafted file.. ========================================================================== Ubuntu Security Notice USN-8211-1 April 27, 2026 pillow vulnerability ========================================================================== A security issue affects these releases of Ubuntu and its derivatives: - Ubuntu 25.10 Summary: Pillow could be made to crash if it opened a specially crafted file. Software Description: - pillow: Python Imaging Library Details: It was discovered that Pillow incorrectly handled certain FITS images. An attacker could possibly use this issue to cause Pillow to consume resources, leading to a denial of service. Update instructions: The problem can be corrected by updating your system to the following package versions: Ubuntu 25.10 python3-pil 11.3.0-1ubuntu1.2 python3-pil.imagetk 11.3.0-1ubuntu1.2 In general, a standard system update will make all the necessary changes. References: https://ubuntu.com/security/notices/USN-8211-1 CVE-2026-40192 Package Information: https://launchpad.net/ubuntu/+source/pillow/11.3.0-1ubuntu1.2 . Pillow crash risk on Ubuntu 25.10 addresses crucial update for denial of service vulnerability.. Ubuntu security,Pillow update,denial of service,security patch,resource crash. . Severity: Important. LinuxSecurity.com Team
Get the latest Linux and open source security news straight to your inbox.