traefik-3.6.10-2.1 on GA media SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2026:10385-1 Final 1 1 2026-03-17T00:00:00Z current 2026-03-17T00:00:00Z 2026-03-17T00:00:00Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z traefik-3.6.10-2.1 on GA media These are all security issues fixed in the traefik-3.6.10-2.1 package on the GA media of openSUSE Tumbleweed. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-Tumbleweed-2026-10385 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/security/rating/ SUSE Security Ratings https://www.suse.com/security/cve/CVE-2026-27141/ SUSE CVE CVE-2026-27141 page https://www.suse.com/security/cve/CVE-2026-29777/ SUSE CVE CVE-2026-29777 page openSUSE Tumbleweed traefik-3.6.10-2.1 traefik-3.6.10-2.1 as a component of openSUSE Tumbleweed Due to missing nil check, sending 0x0a-0x0f HTTP/2 frames will cause a running server to panic CVE-2026-27141 openSUSE Tumbleweed:traefik-3.6.10-2.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2026-27141.html CVE-2026-27141 https://bugzilla.suse.com/1259062 SUSE Bug 1259062 Traefik is an HTTP reverse proxy and load balancer. Prior to 3.6.10, A tenant with write access to an HTTPRoute resource can inject backtick-delimited rule tokens into Traefik's router rule language via unsanitized header or query parameter match values. In shared gateway deployments, this can bypass listener hostname constraints and redirect traffic for victim hostnames to attacker-controlled backends. This vulnerability is fixed in 3.6.10. CVE-2026-29777 openSUSE Tumbleweed:traefik-3.6.10-2.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2026-29777.html CVE-2026-29777 https://bugzilla.suse.com/1259525 SUSE Bug 1259525