Explore top 10 tips to secure your open-source projects now. Read More
×An update that solves 6 vulnerabilities can now be installed.. # python313-Pillow-12.3.0-2.1 on GA media Announcement ID: openSUSE-SU-2026:11283-1 Rating: moderate Cross-References: * CVE-2026-54058 * CVE-2026-54060 * CVE-2026-55380 * CVE-2026-59198 * CVE-2026-59200 * CVE-2026-59204 CVSS scores: * CVE-2026-54058 ( SUSE ): 6.7 CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:H * CVE-2026-54058 ( SUSE ): 5.9 CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:H/SC:N/SI:N/SA:N * CVE-2026-54060 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H * CVE-2026-55380 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H * CVE-2026-59198 ( SUSE ): 5.1 CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N * CVE-2026-59198 ( SUSE ): 5.9 CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N * CVE-2026-59200 ( SUSE ): 6.2 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H * CVE-2026-59200 ( SUSE ): 6.9 CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N * CVE-2026-59204 ( SUSE ): 6.2 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H * CVE-2026-59204 ( SUSE ): 6.9 CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N Affected Products: * openSUSE Tumbleweed An update that solves 6 vulnerabilities can now be installed. ## Description: These are all security issues fixed in the python313-Pillow-12.3.0-2.1 package on the GA media of openSUSE Tumbleweed. ## Package List: * openSUSE Tumbleweed: * python313-Pillow 12.3.0-2.1 * python313-Pillow-tk 12.3.0-2.1 * python314-Pillow 12.3.0-2.1 * python314-Pillow-tk 12.3.0-2.1 ## References: * https://www.suse.com/security/cve/CVE-2026-54058.html * https://www.suse.com/security/cve/CVE-2026-54060.html * https://www.suse.com/security/cve/CVE-2026-55380.html * https://www.suse.com/security/cve/CVE-2026-59198.html * https://www.suse.com/security/cve/CVE-2026-59200.html * https://www.suse.com/security/cve/CVE-2026-59204.html . An update for python313-Pillow resolves six issues in openSUSETumbleweed, enhancing system security efficiently.. openSUSE security python Pillow vulnerabilities update. . Severity: moderate. LinuxSecurity.com Team
New upstream release (152.0.6). -------------------------------------------------------------------------------- Fedora Update Notification FEDORA-2026-365cce949c 2026-07-17 01:08:58.262282+00:00 -------------------------------------------------------------------------------- Name : firefox Product : Fedora 43 Version : 152.0.6 Release : 1.fc43 URL : https://www.mozilla.org/firefox/ Summary : Mozilla Firefox Web browser Description : Mozilla Firefox is an open-source web browser, designed for standards compliance, performance and portability. -------------------------------------------------------------------------------- Update Information: New upstream release (152.0.6) -------------------------------------------------------------------------------- ChangeLog: * Tue Jul 14 2026 Martin Stransky - 152.0.6-1 - Updated to latest upstream (152.0.6) * Fri Jul 10 2026 Martin Stransky - 152.0.4-3 - Added rhbz#2458184 - Drop -fcf-protection flag * Tue Jul 7 2026 Martin Stransky - 152.0.4-2 - Remove Fedora 40/41 tweaks. -------------------------------------------------------------------------------- This update can be installed with the "dnf" update program. Use su -c 'dnf upgrade --advisory FEDORA-2026-365cce949c' at the command line. For more information, refer to the dnf documentation available at http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label All packages are signed with the Fedora Project GPG key. More details on the GPG keys used by the Fedora Project can be found at https://fedoraproject.org/keys -------------------------------------------------------------------------------- -- _______________________________________________ package-announce mailing list --
Fixes CVE-2026-53511. -------------------------------------------------------------------------------- Fedora Update Notification FEDORA-2026-6776f4e492 2026-07-14 01:23:26.838757+00:00 -------------------------------------------------------------------------------- Name : calibre Product : Fedora 43 Version : 9.11.0 Release : 1.fc43 URL : https://calibre-ebook.com/ Summary : E-book converter and library manager Description : Calibre is meant to be a complete e-library solution. It includes library management, format conversion, news feeds to ebook conversion as well as e-book reader sync features. Calibre is primarily a ebook cataloging program. It manages your ebook collection for you. It is designed around the concept of the logical book, i.e. a single entry in the database that may correspond to ebooks in several formats. It also supports conversion to and from a dozen different ebook formats. Supported input formats are: MOBI, LIT, PRC, EPUB, CHM, ODT, HTML, CBR, CBZ, RTF, TXT, PDF and LRS. -------------------------------------------------------------------------------- Update Information: Fixes CVE-2026-53511 -------------------------------------------------------------------------------- ChangeLog: * Sun Jul 5 2026 Kevin Fenzi - 9.11.0-1 - Update to 9.11.0. Fixes rhbz#2493338 * Fri Jun 12 2026 Yaakov Selkowitz - 9.9.0-4 - Rebuilt for openssl 4.0 * Mon Jun 8 2026 František Zatloukal - 9.9.0-3 - Rebuilt for icu 78.3 * Sun Jun 7 2026 Kevin Fenzi - 9.9.0-2 - Disable test_mem_leaks for now, it is failing on x86_64 only for some reason * Sat May 30 2026 Kevin Fenzi - 9.9.0-1 - Update to 9.9.0. Fixes rhbz#2482466 * Tue May 19 2026 Michael J Gruber - 9.8.0-2 - add missing tzlocal requires * Mon May 4 2026 Kevin Fenzi - 9.8.0-1 - Update to 9.8.0. Fixes rhbz#2464288 * Thu Apr 16 2026 Jan Grulich - 9.7.0-2 - Rebuild (qt6) * Wed Apr 15 2026 Kevin Fenzi - 9.7.0-1 - Update to 9.7.0. fixesrhbz#2457244 -------------------------------------------------------------------------------- References: [ 1 ] Bug #2498951 - CVE-2026-53511 calibre: Calibre: Arbitrary code execution via malicious e-book file processing [fedora-all] https://bugzilla.redhat.com/show_bug.cgi?id=2498951 -------------------------------------------------------------------------------- This update can be installed with the "dnf" update program. Use su -c 'dnf upgrade --advisory FEDORA-2026-6776f4e492' at the command line. For more information, refer to the dnf documentation available at http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label All packages are signed with the Fedora Project GPG key. More details on the GPG keys used by the Fedora Project can be found at https://fedoraproject.org/keys -------------------------------------------------------------------------------- . Fixes arbitrary code execution issue in calibre for Fedora 43 with update for CVE-2026-53511 following best practices.. Fedora update, calibre security fix, arbitrary code execution, software vulnerability, Linux application management. . Severity: Important. LinuxSecurity.com Team
Update to release v5.3.0. -------------------------------------------------------------------------------- Fedora Update Notification FEDORA-2026-8e7eb40534 2026-07-11 00:52:57.708574+00:00 -------------------------------------------------------------------------------- Name : docker-compose Product : Fedora 43 Version : 5.3.0 Release : 1.fc43 URL : https://github.com/docker/compose Summary : Define and run multi-container applications with Docker Description : Define and run multi-container applications with Docker. -------------------------------------------------------------------------------- Update Information: Update to release v5.3.0 -------------------------------------------------------------------------------- ChangeLog: * Thu Jul 2 2026 Bradley G Smith - 5.3.0-1 - Update to release v5.3.0 - Resolves: rhbz#2496535 - Resolves CVE-2026-53492: rhbz#2496550 - Resolves CVE-2026-47262: rhbz#2496433 - Upstream note: This release introduces native support for init containers. - Additional upstream fixes and new features -------------------------------------------------------------------------------- References: [ 1 ] Bug #2496535 - docker-compose-5.3.0 is available https://bugzilla.redhat.com/show_bug.cgi?id=2496535 -------------------------------------------------------------------------------- This update can be installed with the "dnf" update program. Use su -c 'dnf upgrade --advisory FEDORA-2026-8e7eb40534' at the command line. For more information, refer to the dnf documentation available at http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label All packages are signed with the Fedora Project GPG key. More details on the GPG keys used by the Fedora Project can be found at https://fedoraproject.org/keys -------------------------------------------------------------------------------- -- _______________________________________________ package-announce mailing list
Bump golang.org/x/crypto to v0.52.0 and golang.org/x/net to v0.55.0. -------------------------------------------------------------------------------- Fedora Update Notification FEDORA-2026-d6f3a0fa5a 2026-07-10 01:05:32.166944+00:00 -------------------------------------------------------------------------------- Name : k9s Product : Fedora 43 Version : 0.51.0 Release : 2.fc43 URL : https://github.com/derailed/k9s Summary : Kubernetes CLI To Manage Your Clusters In Style Description : Kubernetes CLI To Manage Your Clusters In Style! -------------------------------------------------------------------------------- Update Information: Bump golang.org/x/crypto to v0.52.0 and golang.org/x/net to v0.55.0 -------------------------------------------------------------------------------- ChangeLog: * Tue Jul 7 2026 blinxen - 0.51.0-2 - Bump golang.org/x/crypto to v0.52.0 and golang.org/x/net to v0.55.0 -------------------------------------------------------------------------------- This update can be installed with the "dnf" update program. Use su -c 'dnf upgrade --advisory FEDORA-2026-d6f3a0fa5a' at the command line. For more information, refer to the dnf documentation available at http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label All packages are signed with the Fedora Project GPG key. More details on the GPG keys used by the Fedora Project can be found at https://fedoraproject.org/keys -------------------------------------------------------------------------------- -- _______________________________________________ package-announce mailing list --
libXfont2 2.0.8 (CVE-2026-56001, CVE-2026-56002, CVE-2026-56003). -------------------------------------------------------------------------------- Fedora Update Notification FEDORA-2026-43652cd5e8 2026-07-10 00:52:14.826392+00:00 -------------------------------------------------------------------------------- Name : libXfont2 Product : Fedora 44 Version : 2.0.8 Release : 1.fc44 URL : http://www.x.org Summary : X.Org X11 libXfont2 runtime library Description : X.Org X11 libXfont2 runtime library -------------------------------------------------------------------------------- Update Information: libXfont2 2.0.8 (CVE-2026-56001, CVE-2026-56002, CVE-2026-56003) -------------------------------------------------------------------------------- ChangeLog: * Wed Jul 8 2026 Peter Hutterer - 2.0.8-1 - libXfont2 2.0.8 (CVE-2026-56001, CVE-2026-56002, CVE-2026-56003) -------------------------------------------------------------------------------- This update can be installed with the "dnf" update program. Use su -c 'dnf upgrade --advisory FEDORA-2026-43652cd5e8' at the command line. For more information, refer to the dnf documentation available at http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label All packages are signed with the Fedora Project GPG key. More details on the GPG keys used by the Fedora Project can be found at https://fedoraproject.org/keys -------------------------------------------------------------------------------- -- _______________________________________________ package-announce mailing list --
Update to 0.3.6; this includes an update to PyO3 0.29, which fixes RUSTSEC-2026-0176 and RUSTSEC-2026-0177.. -------------------------------------------------------------------------------- Fedora Update Notification FEDORA-2026-5ebb12f543 2026-07-09 00:54:37.609316+00:00 -------------------------------------------------------------------------------- Name : python-nh3 Product : Fedora 44 Version : 0.3.6 Release : 1.fc44 URL : https://github.com/messense/nh3 Summary : Python binding to Ammonia HTML sanitizer Rust crate Description : Python binding to Ammonia HTML sanitizer Rust crate. -------------------------------------------------------------------------------- Update Information: Update to 0.3.6; this includes an update to PyO3 0.29, which fixes RUSTSEC-2026-0176 and RUSTSEC-2026-0177. -------------------------------------------------------------------------------- ChangeLog: * Tue Jun 30 2026 Benjamin A. Beasley - 0.3.6-1 - Update to 0.3.6 (close RHBZ#2491252) - Update `License` expression * Wed Jun 3 2026 Python Maint - 0.3.5-2 - Rebuilt for Python 3.15 -------------------------------------------------------------------------------- References: [ 1 ] Bug #2491252 - python-nh3-0.3.6 is available https://bugzilla.redhat.com/show_bug.cgi?id=2491252 -------------------------------------------------------------------------------- This update can be installed with the "dnf" update program. Use su -c 'dnf upgrade --advisory FEDORA-2026-5ebb12f543' at the command line. For more information, refer to the dnf documentation available at http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label All packages are signed with the Fedora Project GPG key. More details on the GPG keys used by the Fedora Project can be found at https://fedoraproject.org/keys -------------------------------------------------------------------------------- -- _______________________________________________ package-announcemailing list --
An update that solves 26 vulnerabilities and has 10 bug fixes can now be installed.. openSUSE security update: security update for alloy ------------------------------------------------------------- Announcement ID: openSUSE-SU-2026:21251-1 Rating: important References: * bsc#1260981 * bsc#1265440 * bsc#1266196 * bsc#1266654 * bsc#1267185 * bsc#1267333 * bsc#1267481 * bsc#1267485 * bsc#1267488 * bsc#1267489 Cross-References: * CVE-2026-25680 * CVE-2026-25681 * CVE-2026-27136 * CVE-2026-33532 * CVE-2026-39821 * CVE-2026-39827 * CVE-2026-39828 * CVE-2026-39829 * CVE-2026-39830 * CVE-2026-39831 * CVE-2026-39832 * CVE-2026-39833 * CVE-2026-39834 * CVE-2026-39835 * CVE-2026-41889 * CVE-2026-42502 * CVE-2026-42506 * CVE-2026-42508 * CVE-2026-44740 * CVE-2026-45678 * CVE-2026-45682 * CVE-2026-45685 * CVE-2026-45686 * CVE-2026-46595 * CVE-2026-46597 * CVE-2026-46598 CVSS scores: * CVE-2026-25680 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H * CVE-2026-25680 ( SUSE ): 8.7 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N * CVE-2026-25681 ( SUSE ): 6.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N * CVE-2026-25681 ( SUSE ): 5.3 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:L/SI:L/SA:N * CVE-2026-27136 ( SUSE ): 6.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N * CVE-2026-27136 ( SUSE ): 5.3 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:L/SI:L/SA:N * CVE-2026-33532 ( SUSE ): 4.3 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L * CVE-2026-33532 ( SUSE ): 5.3 CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N * CVE-2026-39821 ( SUSE ): 7.4 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N * CVE-2026-39821 ( SUSE ): 9.1 CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N * CVE-2026-39827 ( SUSE ): 6.5 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H * CVE-2026-39827 ( SUSE ): 7.1 CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N * CVE-2026-39828 ( SUSE ):8.1 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N * CVE-2026-39828 ( SUSE ): 8.6 CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N * CVE-2026-39829 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H * CVE-2026-39829 ( SUSE ): 8.7 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N * CVE-2026-39830 ( SUSE ): 6.5 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H * CVE-2026-39830 ( SUSE ): 7.1 CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N * CVE-2026-39831 ( SUSE ): 8.1 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N * CVE-2026-39831 ( SUSE ): 8.6 CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N * CVE-2026-39832 ( SUSE ): 8.4 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N * CVE-2026-39832 ( SUSE ): 6.2 CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N * CVE-2026-39833 ( SUSE ): 7.7 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N * CVE-2026-39833 ( SUSE ): 8.5 CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N * CVE-2026-39834 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H * CVE-2026-39834 ( SUSE ): 8.7 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N * CVE-2026-39835 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H * CVE-2026-39835 ( SUSE ): 8.7 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N * CVE-2026-41889 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H * CVE-2026-41889 ( SUSE ): 7.7 CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N * CVE-2026-42502 ( SUSE ): 6.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N * CVE-2026-42502 ( SUSE ): 5.3 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:L/SI:L/SA:N * CVE-2026-42506 ( SUSE ): 6.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N * CVE-2026-42506 ( SUSE ): 5.3 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:L/SI:L/SA:N * CVE-2026-42508 ( SUSE ): 8.1 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N * CVE-2026-42508 ( SUSE ): 8.6CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N * CVE-2026-44740 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H * CVE-2026-44740 ( SUSE ): 8.7 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N * CVE-2026-45678 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H * CVE-2026-45678 ( SUSE ): 8.7 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N * CVE-2026-45682 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H * CVE-2026-45682 ( SUSE ): 8.7 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N * CVE-2026-45685 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H * CVE-2026-45685 ( SUSE ): 8.7 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N * CVE-2026-45686 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H * CVE-2026-45686 ( SUSE ): 8.7 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N * CVE-2026-46595 ( SUSE ): 8.1 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N * CVE-2026-46595 ( SUSE ): 8.6 CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N * CVE-2026-46597 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H * CVE-2026-46597 ( SUSE ): 8.7 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N * CVE-2026-46598 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H * CVE-2026-46598 ( SUSE ): 8.7 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N Affected Products: openSUSE Leap 16.0 ------------------------------------------------------------- An update that solves 26 vulnerabilities and has 10 bug fixes can now be installed. Description: This update for alloy fixes the following issues: Update to version 1.17.0. Security issues fixed: - CVE-2026-25680: golang.org/x/net/html: parsing arbitrary HTML can consume excessive CPU time, possibly leading to denial of service (bsc#1267185). - CVE-2026-25681: golang.org/x/net/html: parsing arbitrary HTML which is then rendered using Render can result in an unexpected HTML tree and allows for XSS (bsc#1267185). - CVE-2026-27136: golang.org/x/net/html: parsing arbitrary HTML which is then rendered using Render can result in an unexpected HTML tree and allows for XSS (bsc#1267185). - CVE-2026-33532: yaml: parsing input with deeply nestes collections may throw a `RangeError` due to a stack overflow and cause to a denial of service (bsc#1260981). - CVE-2026-39821: golang.org/x/net/idna: failure to reject ASCII-only Punycode-encoded labels allows for validation bypass and privilege escalation (bsc#1266654). - CVE-2026-39827: golang.org/x/crypto/ssh: authenticated SSH clients that repeatedly open channels which were rejected by the server can cause unbounded memory growth and a crash (bsc#1266196). - CVE-2026-39828: golang.org/x/crypto/ssh: permissions discarded when an SSH server authentication callback returns `PartialSuccessError` with non-`nil` permissions (bsc#1266196). - CVE-2026-39829: golang.org/x/crypto/ssh: unenforced size limits on key parameters by the the RSA and DSA public key parsers can lead to excessive CPU consumption when processing a crafted public key (bsc#1266196). - CVE-2026-39830: golang.org/x/crypto/ssh: malicious SSH peers sending unsolicited global request responses can block a connection's read loop and cause a resource leak (bsc#1266196). - CVE-2026-39831: golang.org/x/crypto/ssh: missing `User Presence` flag checks in the `Verify()` method for FIDO/U2F security key types cause signatures generated without physical touch to be accepted (bsc#1266196). - CVE-2026-39832: golang.org/x/crypto/ssh: destination restrictions are silently stripped when forwarding keys and allow for unrestricted use of a key on a remote host (bsc#1266196). - CVE-2026-39833: golang.org/x/crypto/ssh: in-memory keyring returned by `NewKeyring()` silently accepts keys with the `ConfirmBeforeUse` constraint but never enforces it (bsc#1266196). - CVE-2026-39834: golang.org/x/crypto/ssh: writing data larger than 4GB in a single `Write` call on an SSHchannel leads to an integer overflow and an infinite loop that sends empty packets (bsc#1266196). - CVE-2026-39835: golang.org/x/crypto/ssh: processing of certificates by SSH servers using `CertChecker` as a public key callback without setting `IsUserAuthority` or `IsHostAuthority` can lead to a panic (bsc#1266196). - CVE-2026-41889: github.com/jackc/pgx/v5/internal/sanitize: use placeholders in dollar-quoted string literals in an SQL query can lead to a SQL injection (bsc#1265440). - CVE-2026-42502: golang.org/x/net/html: parsing arbitrary HTML which is then rendered using Render can result in an unexpected HTML tree and allows for XSS (bsc#1267185). - CVE-2026-42506: golang.org/x/net/html: parsing arbitrary HTML which is then rendered using Render can result in an unexpected HTML tree and allows for XSS (bsc#1267185). - CVE-2026-42508: golang.org/x/crypto/ssh: revoked `SignatureKey`s belonging to a CA are not correctly checked for revocation (bsc#1266196). - CVE-2026-44740: github.com/go-git/go-billy/v5: improper input handling in many components can lead to DoS via infinite loops, panics or resource consumption (bsc#1267333). - CVE-2026-45678: go.opentelemetry.io/obi: Postgres BIND parsing can lead to a panic when malformed payloads are processed (bsc#1267481). - CVE-2026-45682: go.opentelemetry.io/obi: keys not deleted by `CappedConcurrentHashMap` after removals allows repeated connection churn to grow the queue without bound and exhaust heap memory (bsc#1267485). - CVE-2026-45685: go.opentelemetry.io/obi: MongoDB TCP parser panics on malformed wire messages and causes a DoS (bsc#1267488). - CVE-2026-45686: go.opentelemetry.io/obi: integer overflow in memcached text protocol parser can crash the OBI process and cause denial of service (bsc#1267489). - CVE-2026-46595: golang.org/x/crypto/ssh: source-address validation is skipped if any other type of callback is passed other than public key (bsc#1266196). - CVE-2026-46597: golang.org/x/crypto/ssh: incorrectly placed cast from bytes toint in the AES-GCM packet decoder when processing specially crafted input can lead to for server-side panic (bsc#1266196). - CVE-2026-46598: golang.org/x/crypto/ssh: `ed25519.PrivateKey` created by casting malformed wire bytes due to processing of certain crafted inputs can lead to panic when used (bsc#1266196). Other updates and bugfixes: - Version 1.17.0: * Features * Add GraphQL server and `gql` subcommand. * `otelcol`: Add Nginx receiver. * `otelcol.exporter.prometheus`: Convert classic histograms to NHCB. * `database_observability`: Various enhancements for MySQL and Postgres. * `faro.receiver`: Support gzip-compressed request bodies. * Update to Beyla 3.9.8. * Bug Fixes * security: Update `x/crypto`, `x/net`, `jackc/pgx/v5`, and `obi`. * cluster: Fix nodes failing to join the cluster with TLS enabled. * `loki.process`: Fix potential deadlocks and limit stage shutdown. * Update Go to v1.26.4. - Version 1.16.3: * cluster: Fix nodes failing to join the cluster when TLS is enabled. - Version 1.16.2: * `loki.process`: No longer mutate rules in `stage.truncate` causing every config update to reload pipeline when this stage is used. * `loki.process`: Potential deadlock on update with stage and receiver changes. * `otelcol.exporter.awss3`: Add missing `unique_key_func_name` attribute. - Remove dependency on vulnerable `yaml` library. Patch instructions: To install this openSUSE security update use the suse recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - openSUSE Leap 16.0 zypper in -t patch openSUSE-Leap-16.0-1172=1 Package List: - openSUSE Leap 16.0: alloy-1.17.0-160000.1.1 References: * https://www.suse.com/security/cve/CVE-2026-25680.html * https://www.suse.com/security/cve/CVE-2026-25681.html * https://www.suse.com/security/cve/CVE-2026-27136.html * https://www.suse.com/security/cve/CVE-2026-33532.html *https://www.suse.com/security/cve/CVE-2026-39821.html * https://www.suse.com/security/cve/CVE-2026-39827.html * https://www.suse.com/security/cve/CVE-2026-39828.html * https://www.suse.com/security/cve/CVE-2026-39829.html * https://www.suse.com/security/cve/CVE-2026-39830.html * https://www.suse.com/security/cve/CVE-2026-39831.html * https://www.suse.com/security/cve/CVE-2026-39832.html * https://www.suse.com/security/cve/CVE-2026-39833.html * https://www.suse.com/security/cve/CVE-2026-39834.html * https://www.suse.com/security/cve/CVE-2026-39835.html * https://www.suse.com/security/cve/CVE-2026-41889.html * https://www.suse.com/security/cve/CVE-2026-42502.html * https://www.suse.com/security/cve/CVE-2026-42506.html * https://www.suse.com/security/cve/CVE-2026-42508.html * https://www.suse.com/security/cve/CVE-2026-44740.html * https://www.suse.com/security/cve/CVE-2026-45678.html * https://www.suse.com/security/cve/CVE-2026-45682.html * https://www.suse.com/security/cve/CVE-2026-45685.html * https://www.suse.com/security/cve/CVE-2026-45686.html * https://www.suse.com/security/cve/CVE-2026-46595.html * https://www.suse.com/security/cve/CVE-2026-46597.html * https://www.suse.com/security/cve/CVE-2026-46598.html . Critical openSUSE security update for alloy resolves 26 issues, enhancing stability and preventing service disruptions.. openSUSE security advisory software update vulnerabilities patch. . Severity: Important. LinuxSecurity.com Team
Get the latest Linux and open source security news straight to your inbox.