<?xml version="1.0" encoding="UTF-8"?>
<cvrfdoc xmlns="http://www.icasi.org/CVRF/schema/cvrf/1.1" xmlns:cvrf="http://www.icasi.org/CVRF/schema/cvrf/1.1">
  <DocumentTitle xml:lang="en">SUSE-IU-2026:1091-1</DocumentTitle>
  <DocumentType>SUSE Image</DocumentType>
  <DocumentPublisher Type="Vendor">
    <ContactDetails>security@suse.de</ContactDetails>
    <IssuingAuthority>SUSE Security Team</IssuingAuthority>
  </DocumentPublisher>
  <DocumentTracking>
    <Identification>
      <ID>SUSE Image SUSE-IU-2026:1091-1</ID>
    </Identification>
    <Status>Interim</Status>
    <Version>1</Version>
    <RevisionHistory>
      <Revision>
        <Number>1</Number>
        <Date>2026-03-19T09:00:23Z</Date>
        <Description>current</Description>
      </Revision>
    </RevisionHistory>
    <InitialReleaseDate>2026-02-19T01:00:00Z</InitialReleaseDate>
    <CurrentReleaseDate>2026-02-19T01:00:00Z</CurrentReleaseDate>
    <Generator>
      <Engine>cve-database/bin/generate-cvrf-publiccloud.pl</Engine>
      <Date>2021-02-18T01:00:00Z</Date>
    </Generator>
  </DocumentTracking>
  <DocumentNotes>
    <Note Title="Topic" Type="Summary" Ordinal="1" xml:lang="en">Image update for SUSE-IU-2026:1091-1 / google/sle-micro-6-1-byos-v20260219-x86-64</Note>
    <Note Title="Details" Type="General" Ordinal="2" xml:lang="en">This image update for google/sle-micro-6-1-byos-v20260219-x86-64 contains the following changes:
Package 000release-packages:SL-Micro-release was updated:

Package cloud-netconfig:gce was updated:

- Update to version 1.16
  + Fix query of default CLOUD_NETCONFIG_MANAGE (bsc#1253223)
  + Fix variable names in the README

Package cockpit-podman was updated:

Package curl was updated:

- Security fix: [bsc#1256105, CVE-2025-14017]
  * call ldap_init() before setting the options
  * Add patch curl-CVE-2025-14017.patch

- Security fixes:
  * [bsc#1255731, CVE-2025-14524] if redirected, require permission to use bearer
  * [bsc#1255734, CVE-2025-15224] require private key or user-agent for public key auth
  * [bsc#1255732, CVE-2025-14819] toggling CURLSSLOPT_NO_PARTIALCHAIN makes a different CA cache
  * [bsc#1255733, CVE-2025-15079] set both knownhosts options to the same file
  * Add patches:
  - curl-CVE-2025-14524.patch
  - curl-CVE-2025-15224.patch
  - curl-CVE-2025-14819.patch
  - curl-CVE-2025-15079.patch

- Security fix: [bsc#1253757, CVE-2025-11563]
  * curl: wcurl path traversal with percent-encoded slashes
  * Add curl-CVE-2025-11563.patch

Package glib2 was updated:

- Add CVE fixes:
  + glib2-CVE-2026-1484.patch (bsc#1257355 CVE-2026-1484
    glgo#GNOME/glib!4979).
  + glib2-CVE-2026-1485.patch (bsc#1257354 CVE-2026-1485
    glgo#GNOME/glib!4981).
  + glib2-CVE-2026-1489.patch (bsc#1257353 CVE-2026-1489
    glgo#GNOME/glib!4984).

- Add glib2-CVE-2026-0988.patch: fix a potential integer overflow
  in g_buffered_input_stream_peek (bsc#1257049 CVE-2026-0988
  glgo#GNOME/glib#3851).

- Add CVE fixes:
  + glib2-CVE-2025-13601-1.patch, glib2-CVE-2025-13601-2.patch
    (bsc#1254297 CVE-2025-13601 glgo#GNOME/glib#3827).
  + glib2-CVE-2025-14087-1.patch, glib2-CVE-2025-14087-2.patch,
    glib2-CVE-2025-14087-3.patch (bsc#1254662 CVE-2025-14087
    glgo#GNOME/glib#3834).
  + glib2-CVE-2025-14512.patch (bsc#1254878 CVE-2025-14512
    glgo#GNOME/glib#3845).

Package google-guest-configs was updated:

- Update to version 20260116.00 (bsc#1256906)
  * set_multiqueue: Only set XPS on &quot;multinic accelerator platforms&quot;

- Update to version 20260112.00
  * Make c4x a &quot;multinic accelerator platform&quot;
  * Merge pull request #140 from a-r-n:xps-many-numa
  * set_multiqueue xps: stop assuming 2 numa nodes
  * Merge pull request #137 from a-r-n:a4x-pick
  * Add IDPF irq setting; improve a4x-max performance
  * Merge pull request #133 from a-r-n:master
  * Allow test injection of the root directory and metadata server endpoint
  * add nic naming support for connextx VF in baremetal
  * bugfix for idpf only rename got skipped.
  * add a4x-max to google_set_multiqueue is_multinic_accelerator_platform
  * remove unnecessary link up and down
  * fix inconsistent NIC index between smart NICs and GPU NICs.
- Mark %{_modprobedir}/gce-blacklist.conf as %config(noreplace) (bsc#1198323)

- Update to version 20251014.00
  * No public description

- Update to version 20250913.00
  * Swap guest-config rule from checking the build VM OS to taking
    in a variable for target version
- from version 20250905.00
  * No public description
- from version 20250826.00
  * Merge pull request #119 from bk202:master
  * Moved tx/rx IRQ logging after assignment
  * Fix core assignment in set_irq_range
  * Correct IRQ tx/rx affinity core assignment

- Update to version 20250807.00
  * Merge pull request #96 from rjschwei:noDupMetaData
  * Avoid duplicate entries for the metadata server in /etc/hosts
- Drop ggc-no-dup-metasrv-entry.patch, merged upstream

- Update to version 20250709.00
  * Add comments in scripts to document the behavior in google
    hostname setting.
  * Always use primary NIC IP for NetworkManager dispatcher hook.
- from version 20250626.00
  * Fix spelling error: &quot;explicilty&quot; -&gt; &quot;explicitly&quot;

- Update to version 20250605.00
  * Merge pull request (#112) from bk202:liujoh_416067717
  * Added comment to the bitmap conversion functions
  * Remove IRQ affinity overwrite to XPS affinity
  * Update XPS affinity to assign the remaining unassigned CPUs
    to the last queue when populating the last queue
  * Fix set_xps_affinity to correctly parse cpus array
  * Update XPS CPU assignment logic
  * Update CPU assignment algorithm in XPS affinity
  * Remove commented code
  * Update XPS affinity vCPU distribution algorithm s.t. the vCPUs assigned
    to a queue are on the same core - fixed IRQ affinity on NUMA1 not using
    the correct bind_cores_index
  * Fixed NUMA comparison error in set_xps_affinity
  * Update XPS affinity setup to be NUMA aware and support 64 bit CPU mask
    calculation
- from version 20250604.00
  * Merge pull request (#114) from bk202:liujoh_irq_affinity_bug_fix
  * Bug fix: bind_cores_begin -&gt; bind_cores_index
  * Name smart NICs in lexicographic order
- Run %postun to modify %{_sysconfdir}/sysconfig/network/ifcfg-eth0
  during uninstall only to avoid removal of POST_UP_SCRIPT on upgrade

- Check that %{_sysconfdir}/sysconfig/network/ifcfg-eth0 actually
  exists before making any modifications to it (bsc#1241112)

- Update to version 20250516.00
  * Merge pull request #109 from xiliuxyz:master
  * Remove unused fset
  * Remove unused lines
  * Update google_set_multiqueue to unpack IRQ ranges before core assignment

- Update to version 20250501.00
  * Configure local domain as route only domain to support cloud dns local
    domain but avoid adding it to the search path.
- from version 20250409.00
  * Change RDMA test condition to ensure renaming race conditions can be
    detected. If such a case is detected the script will err and exit rather
    than returning a name. Udev accepts this and continues as though the rule
    was not triggered in such a case.
- from version 20250328.00
  * Merge pull request #105 from dorileo:revert-ubuntu-hostname-hooks
  * Revert &quot;Include systemd-networkd hook in Ubuntu packaging (#77)&quot;
- from version 20250326.00
  * Merge pull request #104 from xiliuxyz:master
  * Merge pull request #1 from xiliuxyz/xiliuxyz-patch-1
  * Update google_set_multiqueue to check pnic_ids
- from version 20250221.00
  * Merge pull request #103 from a-r-n:master
  * Make google_set_multiqueue aware A4X is multinic_accelerator_platform
- from version 20250207.00
  * Merge pull request #102 from xiliuxyz:master
  * Update google_set_multiqueue to adapt A4 platform
  * Merge branch 'GoogleCloudPlatform:master' into master
  * Fix IS_A3_PLATFORM syntax
  * Fix IS_A3_PLATFORM syntax
  * Correct IS_A3_PLATFORM to save is_a3_platform results
  * Remove excess empty line.
  * Store is_a3_platform results into a global variable to avoid redundant curl calls
  * Skip tx affinity binding on non-gvnic interfaces only on A3 platforms.
  * Skip tx affinity binding on non-gvnic interfaces
  * Update comments for get_vcpu_ranges_on_accelerator_platform
    to reflect the expected vcpu ranges
  * rename get_vcpu_ranges to get_vcpu_ranges_on_accelerator_platform
  * Avoid IRQ binding on vCPU 0
  * Fix returned value for get_vcpu_ranges
  * Update get_vcpu_ranges to read from sys file instead of hardcoded value
  * Update google_set_multiqueue
  * Update google_set_multiqueue to set vCPU ranges based on platform
  * Merge branch 'GoogleCloudPlatform:master' into master
  * Add comment for handling IRQ binding on non-gvnic devices
  * Remove excess empty line.
  * Update is_gvnic to include gvnic driver checks
  * Merge branch 'master' into master
  * revert removed echo lines
  * Update google_set_multiqueue to skip set_irq if nic is not a gvnic device.
  * Update google_set_multiqueue to enable on A3Ultra family
- from version 20250124.00
  * Merge pull request #88 from zmarano:nvme
  * Fix missing files. This is a no-op.
  * No public description
  * Also force virtio_scsi.
- from version 20250116.00
  * Add GPL-2 to licensing information (#98)
- from version 20250107.00
  * Restore IDPF devices for renaming rules (#95)
- from version 20241213.00
  * Remove Pat from owners file. (#97)

Package gpg2 was updated:

- Security fix [bsc#1257396, CVE-2026-24882]
  - gpg2: stack-based buffer overflow in TPM2 PKDECRYPT for TPM-backed RSA and ECC keys
  - Added gnupg-CVE-2026-24882.patch

- Security fix [bsc#1256389] (gpg.fail/filename)
  * Added gnupg-accepts-path-separators-literal-data.patch
  * GnuPG Accepts Path Separators and Path Traversals in Literal Data

- Security fix: [bsc#1255715, CVE-2025-68973] (gpg.fail/memcpy)
  * gpg: Fix possible memory corruption in the armor parser [T7906]
  * Add gnupg-CVE-2025-68973.patch

- Security fix: [bsc#1256246] (gpg.fail/sha1)
  * gpg: Avoid potential downgrade to SHA1 in 3rd party key signatures [T7904]
  * Add gnupg-gpg-Avoid-potential-downgrade-to-SHA1-in-3rd-party-keysig.patch

- Security fix: [bsc#1256244] (gpg.fail/detached)
  * gpg: Error out on unverified output for non-detached signatures [T7903]
  * Add gnupg-gpg-Error-out-on-unverified-output-for-non-detached-signatures.patch

- Security fix: [bsc#1256243]
  * gpg2 agent: Fix a memory leak
  * Add patch gnupg-agent-memleak.patch

- Security fix: [bsc#1256390] (gpg.fail/notdash)
  * gpg2: Cleartext Signature Forgery in the NotDashEscaped header
    implementation in GnuPG
  * Add patch gnupg-notdash-escape.patch

Package grub2 was updated:

- Optimize PBKDF2 to reduce the decryption time (bsc#1248516)
  * 0001-lib-crypto-Introduce-new-HMAC-functions-to-reuse-buf.patch
  * 0002-lib-pbkdf2-Optimize-PBKDF2-by-reusing-HMAC-handle.patch
  * 0001-kern-misc-Implement-faster-grub_memcpy-for-aligned-b.patch

Package kmod was updated:

- man: modprobe.d: document the config file order handling (bsc#1253741)
  * man-modprobe.d-document-the-config-file-order-handling.patch

Package util-linux:systemd was updated:

- Fix heap buffer overread in setpwnam() when processing 256-byte
  usernames (bsc#1254666, CVE-2025-14104,
  util-linux-CVE-2025-14104-1.patch,
  util-linux-CVE-2025-14104-2.patch).

- lscpu: Add support for NVIDIA Olympus arm64 core (jsc#PED-13682,
  util-linux-lscpu-add-arm64-NVIDIA-Olympus.patch).

Package util-linux was updated:

- Fix heap buffer overread in setpwnam() when processing 256-byte
  usernames (bsc#1254666, CVE-2025-14104,
  util-linux-CVE-2025-14104-1.patch,
  util-linux-CVE-2025-14104-2.patch).

- lscpu: Add support for NVIDIA Olympus arm64 core (jsc#PED-13682,
  util-linux-lscpu-add-arm64-NVIDIA-Olympus.patch).

Package expat was updated:

- security update
- added patches
  CVE-2026-24515 [bsc#1257144], NULL dereference (CWE-476) due to function XML_ExternalEntityParserCreate() failing to copy the encoding handler data passed to XML_SetUnknownEncodingHandler() from the parent to the subparser
  * expat-CVE-2026-24515.patch
  CVE-2026-25210 [bsc#1257496], lack of buffer size check can lead to an integer overflow
  * expat-CVE-2026-25210.patch

Package gnutls was updated:

- Security fix bsc#1254132 CVE-2025-9820
  * Fix buffer overflow in gnutls_pkcs11_token_init
  * Added gnutls-CVE-2025-9820.patch

Package openssl-3 was updated:

- Security fixes:
  * Missing ASN1_TYPE validation in PKCS#12 parsing
  - openssl-CVE-2026-22795.patch [bsc#1256839, CVE-2026-22795]
  * ASN1_TYPE Type Confusion in the PKCS7_digest_from_attributes() function
  - openssl-CVE-2026-22795.patch [bsc#1256840, CVE-2026-22796]
  * Missing ASN1_TYPE validation in TS_RESP_verify_response() function
  - openssl-CVE-2025-69420.patch [bsc#1256837, CVE-2025-69420]
  * NULL Pointer Dereference in PKCS12_item_decrypt_d2i_ex function
  - openssl-CVE-2025-69421.patch [bsc#1256838, CVE-2025-69421]
  * Out of bounds write in PKCS12_get_friendlyname() UTF-8 conversion
  - openssl-CVE-2025-69419.patch [bsc#1256836, CVE-2025-69419]
  * Heap out-of-bounds write in BIO_f_linebuffer on short writes
  - openssl-CVE-2025-68160.patch [bsc#1256834, CVE-2025-68160]
  * Unauthenticated/unencrypted trailing bytes with low-level OCB function calls
  - openssl-CVE-2025-69418.patch [bsc#1256835, CVE-2025-69418]
  * Stack buffer overflow in CMS AuthEnvelopedData parsing
  - openssl-CVE-2025-15467.patch [bsc#1256830, CVE-2025-15467]
  - openssl-CVE-2025-15467-comments.patch
  - openssl-CVE-2025-15467-test.patch

Package libpng16 was updated:

- security update
- added patches
  CVE-2025-66293 [bsc#1254480], LIBPNG out-of-bounds read in png_image_read_composite
  * libpng16-CVE-2025-66293-1.patch
  * libpng16-CVE-2025-66293-2.patch

- security update
- added patches
  CVE-2025-64505 [bsc#1254157], heap buffer over-read in `png_do_quantize` via malformed palette index
  * libpng16-CVE-2025-64505.patch
  CVE-2025-64506 [bsc#1254158], heap buffer over-read in `png_write_image_8bit` with 8-bit input and `convert_to_8bit` enabled
  * libpng16-CVE-2025-64506.patch
  CVE-2025-64720 [bsc#1254159], buffer overflow in `png_image_read_composite` via incorrect palette premultiplication
  * libpng16-CVE-2025-64720.patch
  CVE-2025-65018 [bsc#1254160], heap buffer overflow in `png_combine_row` triggered via `png_image_finish_read`
  * libpng16-CVE-2025-65018.patch

Package python311:base was updated:

- Add CVE-2025-13836-http-resp-cont-len.patch (bsc#1254400,
  CVE-2025-13836) to prevent reading an HTTP response from
  a server, if no read amount is specified, with using
  Content-Length per default as the length.
- Add CVE-2025-12084-minidom-quad-search.patch prevent quadratic
  behavior in node ID cache clearing (CVE-2025-12084,
  bsc#1254997).
- Add CVE-2025-13837-plistlib-mailicious-length.patch protect
  against OOM when loading malicious content (CVE-2025-13837,
  bsc#1254401).

- Add CVE-2025-6075-expandvars-perf-degrad.patch avoid simple
  quadratic complexity vulnerabilities of os.path.expandvars()
  (CVE-2025-6075, bsc#1252974).
- Readjusted patches:
  - CVE-2023-52425-libexpat-2.6.0-backport.patch
  - CVE-2023-52425-remove-reparse_deferral-tests.patch
  - fix_configure_rst.patch
  - skip_if_buildbot-extend.patch

- Update to 3.11.14:
  - Security
  - gh-139700: Check consistency of the zip64 end of central
    directory record. Support records with “zip64 extensible data”
    if there are no bytes prepended to the ZIP file
    (CVE-2025-8291, bsc#1251305).
  - gh-139400: xml.parsers.expat: Make sure that parent Expat
    parsers are only garbage-collected once they are no longer
    referenced by subparsers created by
    ExternalEntityParserCreate(). Patch by Sebastian Pipping.
  - gh-135661: Fix parsing start and end tags in
    html.parser.HTMLParser according to the HTML5 standard.
  * Whitespaces no longer accepted between &lt;/ and the tag name. E.g.
    &lt;/ script&gt; does not end the script section.
  * Vertical tabulation (\v) and non-ASCII whitespaces no longer
    recognized as whitespaces. The only whitespaces are \t\n\r\f and
    space.
  * Null character (U+0000) no longer ends the tag name.
  * Attributes and slashes after the tag name in end tags are now
    ignored, instead of terminating after the first &gt; in quoted
    attribute value. E.g. &lt;/script/foo=&quot;&gt;&quot;/&gt;.
  * Multiple slashes and whitespaces between the last attribute and
    closing &gt; are now ignored in both start and end tags. E.g. &lt;a
    foo=bar/ //&gt;.
  * Multiple = between attribute name and value are no longer
    collapsed. E.g. &lt;a foo==bar&gt; produces attribute “foo” with value
    “=bar”.
  - gh-135661: Fix CDATA section parsing in html.parser.HTMLParser
    according to the HTML5 standard: ] ]&gt; and ]] &gt; no longer end the
    CDATA section. Add private method _set_support_cdata() which can
    be used to specify how to parse &lt;[CDATA[ - as a CDATA section in
    foreign content (SVG or MathML) or as a bogus comment in the
    HTML namespace.
  - gh-102555: Fix comment parsing in html.parser.HTMLParser
    according to the HTML5 standard. --!&gt; now ends the comment. -- &gt;
    no longer ends the comment. Support abnormally ended empty
    comments &lt;--&gt; and &lt;---&gt;.
  - gh-135462: Fix quadratic complexity in processing specially
    crafted input in html.parser.HTMLParser. End-of-file errors are
    now handled according to the HTML5 specs - comments and
    declarations are automatically closed, tags are ignored.
  - gh-118350: Fix support of escapable raw text mode (elements
    “textarea” and “title”) in html.parser.HTMLParser.
  - gh-86155: html.parser.HTMLParser.close() no longer loses data
    when the &lt;script&gt; tag is not closed. Patch by Waylan Limberg.
  - Library
  - gh-139312: Upgrade bundled libexpat to 2.7.3
  - gh-138998: Update bundled libexpat to 2.7.2
  - gh-130577: tarfile now validates archives to ensure member
    offsets are non-negative. (Contributed by Alexander Enrique
    Urieles Nieto in gh-130577.)
  - gh-135374: Update the bundled copy of setuptools to 79.0.1.
- Drop upstreamed patches:
  - CVE-2025-8194-tarfile-no-neg-offsets.patch
  - CVE-2025-6069-quad-complex-HTMLParser.patch

- Add gh139257-Support-docutils-0.22.patch to fix build with latest
  docutils (&gt;=0.22) gh#python/cpython#139257

- Drop AppStream buildrequires and don't run appstreamcli validate
  as part of the build process: the appdata.xml is not updated by
  source directly, so we have more control. Having Appstream or the
  deprecated appstream-glib result in a build cycle.

- Require AppStream to validate appdata file instead of deprecated
  appstream-glib.
- Update idle3.appdata.xml to pass the more pedantic appstreamcli.

Package libsolv was updated:

- fixed rare crash in the handling of allowuninstall in combination
  with forcebest updates
- new pool_satisfieddep_map feature to test if a set of packages
  satisfies a dependency
- bump version to 0.7.35

Package systemd was updated:

- Name libsystemd-{shared,core} based on the major version of systemd and the
  package release number (bsc#1228081 bsc#1256427)
  This way, both the old and new versions of the shared libraries will be
  present during the update. This should prevent issues during package updates
  when incompatible changes are introduced in the new versions of the shared
  libraries.

- Import commit 8bbac1d508acb8aa4e7262f47c7f4076b8350f72
  8bbac1d508 detect-virt: bare-metal GCE only for x86 and i386 (bsc#1254293)

- Import commit 9ecd16228492f44212e2771bec11ec78245b4094
  9ecd162284 timer: rebase last_trigger timestamp if needed
  cd4a9103ef timer: rebase the next elapse timestamp only if timer didn't already run
  c3f4407e97 timer: don't run service immediately after restart of a timer (bsc#1254563)
  05bcfe3295 test: check the next elapse timer timestamp after deserialization
  fe8f656975 test: restarting elapsed timer shouldn't trigger the corresponding service
  e4dd315b6c units: don't force the loading of the loop and dm_mod modules in systemd-repart.service (bsc#1248356)
  b58e72215a units: add dep on systemd-logind.service by user@.service
  97ceca445c detect-virt: add bare-metal support for GCE (bsc#1244449)

- Sync systemd-update-helper with the version shipped in Base:System
  This includes the following changes:
  - systemd-update-helper: do not stop or disable services when they are migrated
    to other packages. This can occur during package renaming or splitting.
  - systemd-update-helper: Fix invalid use of &quot;break&quot; in case statement
  - systemd-update-helper: fix regression introduced when support for package
    renaming/splitting was added (bsc#1245551)

- systemd-update-helper: backport commit 2d0af8bc354f4a1429ce
  Since user@.service has `Type=notify-reload` (making the reloading process
  synchronous) and reloading implies reexecuting with `ReloadSignal=RTMIN+25`,
  reexecuting user managers synchronously can be achieved with `systemctl reload
  user@*.service` now.

- systemd.spec: use %sysusers_generate_pre so that some systemd users are
  already available in %pre. This is important because D-Bus automatically
  reloads its configuration whenever new configuration files are installed,
  i.e. between %pre and %post. (bsc#1248501)
  No need for systemd and udev packages as they are always installed during
  the initial installation.

- Split systemd-network into two new sub-packages: systemd-networkd and
  systemd-resolved (bsc#1224386 jsc#PED-12669)

Package libtasn1 was updated:

- Security fix: [bsc#1256341, CVE-2025-13151]
  * Stack-based buffer overflow. The function asn1_expend_octet_string()
    fails to validate the size of input data resulting in a buffer overflow.
  * Add libtasn1-CVE-2025-13151.patch

Package libxml2 was updated:

- Add patch libxml2-CVE-2026-0989.patch, to fix call stack exhaustion
  leading to application crash due to RelaxNG parser not limiting the
  recursion depth when resolving `&lt;include&gt;` directives
  CVE-2026-0989, bsc#1256805, https://gitlab.gnome.org/GNOME/libxml2/-/merge_requests/374

Package libzypp was updated:

- Prepare a legacy /etc/zypp/zypp.conf to be installed on old distros.
  See the ZYPP.CONF(5) man page for details.
- Fix runtime check for broken rpm --runposttrans (bsc#1257068)
- version 17.38.2 (35)

- Avoid libcurl-mini4 when building as it does not support ftp
  protocol.
- Translation: updated .pot file.
- version 17.38.1 (35)

- zypp.conf: follow the UAPI configuration file specification
  (PED-14658)
  In short terms it means we will no longer ship an
  /etc/zypp/zypp.conf, but store our own defaults in
  /usr/etc/zypp/zypp.conf. The systems administrator may choose to
  keep a full copy in /etc/zypp/zypp.conf ignoring our config file
  settings completely, or - the preferred way - to overwrite
  specific settings via /etc/zypp/zypp.conf.d/*.conf overlay files.
  See the ZYPP.CONF(5) man page for details.
- cmake: correctly detect rpm6 (fixes #689)
- Use 'zypp.tmp' as temp directory component to ease setting up
  SELinux policies (bsc#1249435)
- zyppng: Update Provider to current MediaCurl2 download
  approach, drop Metalink ( fixes #682 )
- version 17.38.0 (35)

Package podman was updated:

Package libxml2:python was updated:

- Add patch libxml2-CVE-2026-0989.patch, to fix call stack exhaustion
  leading to application crash due to RelaxNG parser not limiting the
  recursion depth when resolving `&lt;include&gt;` directives
  CVE-2026-0989, bsc#1256805, https://gitlab.gnome.org/GNOME/libxml2/-/merge_requests/374

Package python-urllib3 was updated:

- Add security patches:
  * CVE-2025-66471.patch (bsc#1254867)
  * CVE-2025-66418.patch (bsc#1254866)

- Add CVE-2026-21441.patch to fix excessive resource consumption
  during decompression of data in HTTP redirect responses
  (bsc#1256331, CVE-2026-21441)

Package python311 was updated:

- Add CVE-2025-13836-http-resp-cont-len.patch (bsc#1254400,
  CVE-2025-13836) to prevent reading an HTTP response from
  a server, if no read amount is specified, with using
  Content-Length per default as the length.
- Add CVE-2025-12084-minidom-quad-search.patch prevent quadratic
  behavior in node ID cache clearing (CVE-2025-12084,
  bsc#1254997).
- Add CVE-2025-13837-plistlib-mailicious-length.patch protect
  against OOM when loading malicious content (CVE-2025-13837,
  bsc#1254401).

- Add CVE-2025-6075-expandvars-perf-degrad.patch avoid simple
  quadratic complexity vulnerabilities of os.path.expandvars()
  (CVE-2025-6075, bsc#1252974).
- Readjusted patches:
  - CVE-2023-52425-libexpat-2.6.0-backport.patch
  - CVE-2023-52425-remove-reparse_deferral-tests.patch
  - fix_configure_rst.patch
  - skip_if_buildbot-extend.patch

- Update to 3.11.14:
  - Security
  - gh-139700: Check consistency of the zip64 end of central
    directory record. Support records with “zip64 extensible data”
    if there are no bytes prepended to the ZIP file
    (CVE-2025-8291, bsc#1251305).
  - gh-139400: xml.parsers.expat: Make sure that parent Expat
    parsers are only garbage-collected once they are no longer
    referenced by subparsers created by
    ExternalEntityParserCreate(). Patch by Sebastian Pipping.
  - gh-135661: Fix parsing start and end tags in
    html.parser.HTMLParser according to the HTML5 standard.
  * Whitespaces no longer accepted between &lt;/ and the tag name. E.g.
    &lt;/ script&gt; does not end the script section.
  * Vertical tabulation (\v) and non-ASCII whitespaces no longer
    recognized as whitespaces. The only whitespaces are \t\n\r\f and
    space.
  * Null character (U+0000) no longer ends the tag name.
  * Attributes and slashes after the tag name in end tags are now
    ignored, instead of terminating after the first &gt; in quoted
    attribute value. E.g. &lt;/script/foo=&quot;&gt;&quot;/&gt;.
  * Multiple slashes and whitespaces between the last attribute and
    closing &gt; are now ignored in both start and end tags. E.g. &lt;a
    foo=bar/ //&gt;.
  * Multiple = between attribute name and value are no longer
    collapsed. E.g. &lt;a foo==bar&gt; produces attribute “foo” with value
    “=bar”.
  - gh-135661: Fix CDATA section parsing in html.parser.HTMLParser
    according to the HTML5 standard: ] ]&gt; and ]] &gt; no longer end the
    CDATA section. Add private method _set_support_cdata() which can
    be used to specify how to parse &lt;[CDATA[ - as a CDATA section in
    foreign content (SVG or MathML) or as a bogus comment in the
    HTML namespace.
  - gh-102555: Fix comment parsing in html.parser.HTMLParser
    according to the HTML5 standard. --!&gt; now ends the comment. -- &gt;
    no longer ends the comment. Support abnormally ended empty
    comments &lt;--&gt; and &lt;---&gt;.
  - gh-135462: Fix quadratic complexity in processing specially
    crafted input in html.parser.HTMLParser. End-of-file errors are
    now handled according to the HTML5 specs - comments and
    declarations are automatically closed, tags are ignored.
  - gh-118350: Fix support of escapable raw text mode (elements
    “textarea” and “title”) in html.parser.HTMLParser.
  - gh-86155: html.parser.HTMLParser.close() no longer loses data
    when the &lt;script&gt; tag is not closed. Patch by Waylan Limberg.
  - Library
  - gh-139312: Upgrade bundled libexpat to 2.7.3
  - gh-138998: Update bundled libexpat to 2.7.2
  - gh-130577: tarfile now validates archives to ensure member
    offsets are non-negative. (Contributed by Alexander Enrique
    Urieles Nieto in gh-130577.)
  - gh-135374: Update the bundled copy of setuptools to 79.0.1.
- Drop upstreamed patches:
  - CVE-2025-8194-tarfile-no-neg-offsets.patch
  - CVE-2025-6069-quad-complex-HTMLParser.patch

- Add gh139257-Support-docutils-0.22.patch to fix build with latest
  docutils (&gt;=0.22) gh#python/cpython#139257

- Drop AppStream buildrequires and don't run appstreamcli validate
  as part of the build process: the appdata.xml is not updated by
  source directly, so we have more control. Having Appstream or the
  deprecated appstream-glib result in a build cycle.

- Require AppStream to validate appdata file instead of deprecated
  appstream-glib.
- Update idle3.appdata.xml to pass the more pedantic appstreamcli.

Package rsync was updated:

- Security update (CVE-2025-10158, bsc#1254441): rsync: Out of
  bounds array access via negative index
  - Add rsync-CVE-2025-10158.patch

Package runc was updated:

- Update to runc v1.3.4. Upstream changelog is available from
  &lt;https://github.com/opencontainers/runc/releases/tag/v1.3.4&gt;. bsc#1254362

Package selinux-policy was updated:

- Update to version 20241031+git17.66062d7a5:
  * rsync: add rsync_exec_commands boolean and enable it by default (bsc#1231494, bsc#1255372)

- Update to version 20241031+git15.e32e86fd5:
  * Add a new type for systemd-ssh-issue PID files (bsc#1254889)
  * Label /usr/lib/systemd/systemd-ssh-issue with systemd_ssh_issue_exec_t (bsc#1254889)

Package shim was updated:

- shim-install: Add ca_string for SL Micro to update fallback loader
  The fallback loader, /boot/efi/EFI/BOOT/bootaa64.efi or bootx64.efi,
  cannot be upgraded by shim-install on SL Micro. The issue case is
  SL Micro 6.0. It causes that system gets regression bug because it's
  fallback to an old shim. So this patch adds ca_string to SL Micro.
  (bsc#1254336)

- Add DER format certificate files for the pretrans script to verify
  that the necessary certificate is in the UEFI db
  - openSUSE Secure Boot CA, 2013-2035
    openSUSE_Secure_Boot_CA_2013.crt
  - SUSE Linux Enterprise Secure Boot CA, 2013-2035
    SUSE_Linux_Enterprise_Secure_Boot_CA_2013.crt
  - Microsoft Corporation UEFI CA 2011, 2011-2026
    Microsoft_Corporation_UEFI_CA_2011.crt
  - Microsoft UEFI CA 2023, 2023-2038
    Microsoft_UEFI_CA_2023.crt
- shim.spec: Add a pretrans script to verify that the necessary certificate
  is in the UEFI db.
- Always put SUSE Linux Enterprise Secure Boot CA to target array.
  (bsc#1254679)

- Update to 16.1
  - RPMs
    shim-16.1-150300.4.31.1.x86_64.rpm
    shim-debuginfo-16.1-150300.4.31.1.x86_64.rpm
    shim-debugsource-16.1-150300.4.31.1.x86_64.rpm
    shim-16.1-150300.4.31.1.aarch64.rpm
    shim-debuginfo-16.1-150300.4.31.1.aarch64.rpm
    shim-debugsource-16.1-150300.4.31.1.aarch64.rpm
  - submitreq: https://build.suse.de/request/show/395247
  - repo: https://build.suse.de/package/show/SUSE:Maintenance:39913/shim.SUSE_SLE-15-SP3_Update
  - Patches (git log --oneline --reverse 16.0..16.1)
    4040ec4 shim_start_image(): fix guid/handle pairing when uninstalling protocols
    39c0aa1 str2ip6(): parsing of &quot;uncompressed&quot; ipv6 addresses
    3133d19 test-mock-variables: make our filter list entries safer.
    d44405e mock-variables: remove unused variable
    0e8459f Update CI to use ubuntu-24.04 instead of ubuntu-20.04
    d16a5a6 SbatLevel_Variable.txt: minor typo fix.
    32804cf Realloc() needs one more byte for sprintf()
    431d370 IPv6: Add more check to avoid multiple double colon and illegal char
    5e4d93c Loader Proto: make freeing of bprop.buffer conditional.
    33deac2 Prepare to move things from shim.c to verify.c
    030e7df Move a bunch of stuff from shim.c to verify.c
    f3ddda7 handle_image(): make verification conditional
    774f226 Cache sections of a loaded image and sub-images from them.
    eb0d20b loader-protocol: handle sub-section loading for UKIs
    2f64bb9 loader-protocol: add workaround for EDK2 2025.02 page fault on FreePages
    1abc7ca loader-protocol: NULL output variable in load_image on failure
    fb77b44 Generate Authenticode for the entire PE file
    b86b909 README: mention new loader protocol and interaction with UKIs
    8522612 ci: add mkosi configuration and CI
    9ebab84 mkosi workflow: fix the branch name for main.
    72a4c41 shim: change automatically enable MOK_POLICY_REQUIRE_NX
    a2f0dfa This is an organizational patch to move some things around in mok.c
    54b9946 Update to the shim-16.1 branch of gnu-efi to get AsciiSPrint()
    a5a6922 get_max_var_sz(): add more debugging for apple platforms
    77a2922 Add a &quot;VariableInfo&quot; variable to mok-variables.
    efc71c9 build: Avoid passing *FLAGS to sub-make
    7670932 Fixes for 'make TOPDIR=... clean'
    13ab598 add SbatLevel entry 2025051000 for PSA-2025-00012-1
    617aed5 Update version to 16.1~rc1
    d316ba8 format_variable_info(): fix wrong size test.
    f5fad0e _do_sha256_sum(): Fix missing error check.
    3a9734d doc: add howto for running mkosi locally
    ced5f71 mkosi: remove spurious slashes from script
    0076155 ci: update mkosi commit
    5481105 fix http boot
    121cddf loader-protocol: Handle UnloadImage after StartImage properly
    6a1d1a9 loader-protocol: Fix memory leaks
    27a5d22 gitignore: add more mkosi dirs and vscode dir
    346ed15 mkosi: disable repository key check on Fedora
    afc4955 Update version to 16.1
  - 16.1 release note https://github.com/rhboot/shim/releases
    shim_start_image(): fix guid/handle pairing when uninstalling protocols by @vathpela in #738
    Fix uncompressed ipv6 netboot by @hrvach in #742
    fix test segfaults caused by uninitialized memory by @Fabian-Gruenbichler in #739
    Update CI to use ubuntu-24.04 instead of ubuntu-20.04 by @vathpela in #749
    SbatLevel_Variable.txt: minor typo fix. by @vathpela in #751
    Realloc() needs to allocate one more byte for sprintf() by @dennis-tseng99 in #746
    IPv6: Add more check to avoid multiple double colon and illegal char by @dennis-tseng99 in #753
    Loader proto v2 by @vathpela in #748
    loader-protocol: add workaround for EDK2 2025.02 page fault on FreePages by @bluca in #750
    Generate Authenticode for the entire PE file by @esnowberg in #604
    README: mention new loader protocol and interaction with UKIs by @bluca in #755
    ci: add mkosi configuration and CI by @bluca in #764
    shim: change automatically enable MOK_POLICY_REQUIRE_NX by @vathpela in #761
    Save var info by @vathpela in #763
    build: Avoid passing *FLAGS to sub-make by @rosslagerwall in #758
    Fixes for 'make TOPDIR=... clean' by @bluca in #762
    add SbatLevel entry 2025051000 for PSA-2025-00012-1 by @Fabian-Gruenbichler in #766
    Coverity fixes 20250804 by @vathpela in #767
    ci: fixlets and docs for mkosi workflow by @bluca in #768
    fix http boot by @jsetje in #770
    Fix double free and leak in the loader protocol by @rosslagerwall in #769
    gitignore: add more mkosi dirs and vscode dir by @bluca in #771
  - Drop upstreamed patch:
    The following patches are merged to 16.1
  - shim-alloc-one-more-byte-for-sprintf.patch
  - 32804cf5d9 Realloc() needs one more byte for sprintf()    [16.1]
  - shim-change-automatically-enable-MOK_POLICY_REQUIRE_NX.patch (bsc#1205588)
  - 72a4c41877 shim: change automatically enable MOK_POLICY_REQUIRE_NX [16.1]
- Building MokManager.efi and fallback.efi with POST_PROCESS_PE_FLAGS=-n (bsc#1205588)
- Building with the latest version of gcc in the codebase:
  - gcc13 can work around the dxe_get_mem_attrs() hsi_status problem
  - We prefer building shim with the latest version of gcc in the codebase.
  - Set the minimum version to gcc-13.
  (bsc#1247432)
- SLE shim should include vendor-dbx-sles.esl instead of
  vendor-dbx-opensuse.esl. Fixed it in shim.spec.

Package supportutils was updated:

- Changes to version 3.2.12
  + Optimized lsof usage and honors OPTION_OFILES (bsc#1232351, PR#274)
  + Run in containers without errors (bsc#1245667, PR#272)
  + Removed pmap PID from memory.txt (bsc#1246011, PR#263)
  + Added missing /proc/pagetypeinfo to memory.txt (bsc#1246025, PR#264)
  + Improved database perforce with kGraft patching (bsc#1249657, PR#273)
  + Using last boot for journalctl for optimization (bsc#1250224, PR#287)
  + Fixed extraction failures (bsc#1252318, PR#275)
  + Update supportconfig.conf path in docs (bsc#1254425, PR#281)
  + drm_sub_info: Catch error when dir doesn't exist (PR#265)
  + Replace remaining `egrep` with `grep -E` (PR#261, PR#266)
  + Add process affinity to slert logs (PR#269)
  + Reintroduce cgroup statistics (and v2) (PR#270)
  + Minor changes to basic-health-check: improve information level (PR#271)
  + Collect important machine health counters (PR#276)
  + powerpc: collect hot-pluggable PCI and PHB slots (PR#278)
  + podman: collect podman disk usage (PR#279)
  + Exclude binary files in crondir (PR#282)
  + kexec/kdump: collect everything under /sys/kernel/kexec dir (PR#284)
  + Use short-iso for journalctl (PR#288)

- Changes to version 3.2.11
  + Collect rsyslog frule files (bsc#1244003, pr#257)
  + Remove proxy passwords (bsc#1244011, pr#257)
  + Missing NetworkManager information (bsc#1241284, pr#257)
  + Include agama logs (bsc#1244937, pr#256)
  + Additional NFS conf files (pr#253)
  + New fadump sysfs files (pr#252)
  + Fixed change log dates

Package suseconnect-ng was updated:

- Update version to 1.20:
  - Update error message for Public Cloud instances with registercloudguest
    installed. SUSEConnect -d is disabled on PYAG and BYOS when the
    registercloudguest command is available. (bsc#1230861)
  - Enhanced SAP detected. Take TREX into account and remove empty values when
    only /usr/sap but no installation exists (bsc#1241002)
  - Fixed modules and extension link to point to version less documentation. (bsc#1239439)
  - Fixed SAP instance detection (bsc#1244550)
  - Remove link to extensions documentation (bsc#1239439)
  - Migrate to the public library

- Version 1.14 public library release
  This version is only available on Github as a tag to release the
  new golang public library which can be consumed without the need
  to interface with SUSEConnect directly.

</Note>
    <Note Title="Terms of Use" Type="Legal Disclaimer" Ordinal="3" xml:lang="en">The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).</Note>
  </DocumentNotes>
  <DocumentReferences>
    <Reference Type="Self">
      <URL>https://publiccloudimagechangeinfo.suse.com/google/sle-micro-6-1-byos-v20260219-x86-64/</URL>
      <Description>Public Cloud Image Info</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://www.suse.com/support/security/rating/</URL>
      <Description>SUSE Security Ratings</Description>
    </Reference>
  </DocumentReferences>
  <ProductTree xmlns="http://www.icasi.org/CVRF/schema/prod/1.1">
    <Branch Type="Product Family" Name="Public Cloud Image google/sle-micro-6-1-byos-v20260219-x86-64">
      <Branch Type="Product Name" Name="Public Cloud Image google/sle-micro-6-1-byos-v20260219-x86-64">
        <FullProductName ProductID="Public Cloud Image google/sle-micro-6-1-byos-v20260219-x86-64">Public Cloud Image google/sle-micro-6-1-byos-v20260219-x86-64</FullProductName>
      </Branch>
    </Branch>
    <Branch Type="Product Version" Name="SL-Micro-release-6.1-slfo.1.12.10">
      <FullProductName ProductID="SL-Micro-release-6.1-slfo.1.12.10">SL-Micro-release-6.1-slfo.1.12.10</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="cloud-netconfig-gce-1.16-slfo.1.1_1.1">
      <FullProductName ProductID="cloud-netconfig-gce-1.16-slfo.1.1_1.1">cloud-netconfig-gce-1.16-slfo.1.1_1.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="cockpit-podman-91-slfo.1.1_3.1">
      <FullProductName ProductID="cockpit-podman-91-slfo.1.1_3.1">cockpit-podman-91-slfo.1.1_3.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="curl-8.14.1-slfo.1.1_5.1">
      <FullProductName ProductID="curl-8.14.1-slfo.1.1_5.1">curl-8.14.1-slfo.1.1_5.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="glib2-tools-2.78.6-slfo.1.1_6.1">
      <FullProductName ProductID="glib2-tools-2.78.6-slfo.1.1_6.1">glib2-tools-2.78.6-slfo.1.1_6.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="google-guest-agent-20250116.00-slfo.1.1_2.1">
      <FullProductName ProductID="google-guest-agent-20250116.00-slfo.1.1_2.1">google-guest-agent-20250116.00-slfo.1.1_2.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="google-guest-configs-20260116.00-slfo.1.1_1.1">
      <FullProductName ProductID="google-guest-configs-20260116.00-slfo.1.1_1.1">google-guest-configs-20260116.00-slfo.1.1_1.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="google-osconfig-agent-20250416.02-slfo.1.1_2.1">
      <FullProductName ProductID="google-osconfig-agent-20250416.02-slfo.1.1_2.1">google-osconfig-agent-20250416.02-slfo.1.1_2.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="gpg2-2.4.4-slfo.1.1_7.1">
      <FullProductName ProductID="gpg2-2.4.4-slfo.1.1_7.1">gpg2-2.4.4-slfo.1.1_7.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="grub2-2.12-slfo.1.1_4.1">
      <FullProductName ProductID="grub2-2.12-slfo.1.1_4.1">grub2-2.12-slfo.1.1_4.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="grub2-i386-pc-2.12-slfo.1.1_4.1">
      <FullProductName ProductID="grub2-i386-pc-2.12-slfo.1.1_4.1">grub2-i386-pc-2.12-slfo.1.1_4.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="grub2-snapper-plugin-2.12-slfo.1.1_4.1">
      <FullProductName ProductID="grub2-snapper-plugin-2.12-slfo.1.1_4.1">grub2-snapper-plugin-2.12-slfo.1.1_4.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="grub2-x86_64-efi-2.12-slfo.1.1_4.1">
      <FullProductName ProductID="grub2-x86_64-efi-2.12-slfo.1.1_4.1">grub2-x86_64-efi-2.12-slfo.1.1_4.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="kmod-32-slfo.1.1_2.1">
      <FullProductName ProductID="kmod-32-slfo.1.1_2.1">kmod-32-slfo.1.1_2.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="lastlog2-2.40.4-slfo.1.1_3.1">
      <FullProductName ProductID="lastlog2-2.40.4-slfo.1.1_3.1">lastlog2-2.40.4-slfo.1.1_3.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="libblkid1-2.40.4-slfo.1.1_3.1">
      <FullProductName ProductID="libblkid1-2.40.4-slfo.1.1_3.1">libblkid1-2.40.4-slfo.1.1_3.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="libcurl4-8.14.1-slfo.1.1_5.1">
      <FullProductName ProductID="libcurl4-8.14.1-slfo.1.1_5.1">libcurl4-8.14.1-slfo.1.1_5.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="libexpat1-2.7.1-slfo.1.1_4.1">
      <FullProductName ProductID="libexpat1-2.7.1-slfo.1.1_4.1">libexpat1-2.7.1-slfo.1.1_4.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="libfdisk1-2.40.4-slfo.1.1_3.1">
      <FullProductName ProductID="libfdisk1-2.40.4-slfo.1.1_3.1">libfdisk1-2.40.4-slfo.1.1_3.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="libgio-2_0-0-2.78.6-slfo.1.1_6.1">
      <FullProductName ProductID="libgio-2_0-0-2.78.6-slfo.1.1_6.1">libgio-2_0-0-2.78.6-slfo.1.1_6.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="libglib-2_0-0-2.78.6-slfo.1.1_6.1">
      <FullProductName ProductID="libglib-2_0-0-2.78.6-slfo.1.1_6.1">libglib-2_0-0-2.78.6-slfo.1.1_6.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="libgmodule-2_0-0-2.78.6-slfo.1.1_6.1">
      <FullProductName ProductID="libgmodule-2_0-0-2.78.6-slfo.1.1_6.1">libgmodule-2_0-0-2.78.6-slfo.1.1_6.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="libgnutls30-3.8.3-slfo.1.1_5.1">
      <FullProductName ProductID="libgnutls30-3.8.3-slfo.1.1_5.1">libgnutls30-3.8.3-slfo.1.1_5.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="libgobject-2_0-0-2.78.6-slfo.1.1_6.1">
      <FullProductName ProductID="libgobject-2_0-0-2.78.6-slfo.1.1_6.1">libgobject-2_0-0-2.78.6-slfo.1.1_6.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="libkmod2-32-slfo.1.1_2.1">
      <FullProductName ProductID="libkmod2-32-slfo.1.1_2.1">libkmod2-32-slfo.1.1_2.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="liblastlog2-2-2.40.4-slfo.1.1_3.1">
      <FullProductName ProductID="liblastlog2-2-2.40.4-slfo.1.1_3.1">liblastlog2-2-2.40.4-slfo.1.1_3.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="libmount1-2.40.4-slfo.1.1_3.1">
      <FullProductName ProductID="libmount1-2.40.4-slfo.1.1_3.1">libmount1-2.40.4-slfo.1.1_3.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="libopenssl3-3.1.4-slfo.1.1_8.1">
      <FullProductName ProductID="libopenssl3-3.1.4-slfo.1.1_8.1">libopenssl3-3.1.4-slfo.1.1_8.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="libpng16-16-1.6.43-slfo.1.1_2.1">
      <FullProductName ProductID="libpng16-16-1.6.43-slfo.1.1_2.1">libpng16-16-1.6.43-slfo.1.1_2.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="libpython3_11-1_0-3.11.14-slfo.1.1_2.1">
      <FullProductName ProductID="libpython3_11-1_0-3.11.14-slfo.1.1_2.1">libpython3_11-1_0-3.11.14-slfo.1.1_2.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="libsmartcols1-2.40.4-slfo.1.1_3.1">
      <FullProductName ProductID="libsmartcols1-2.40.4-slfo.1.1_3.1">libsmartcols1-2.40.4-slfo.1.1_3.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="libsolv-tools-base-0.7.35-slfo.1.1_1.1">
      <FullProductName ProductID="libsolv-tools-base-0.7.35-slfo.1.1_1.1">libsolv-tools-base-0.7.35-slfo.1.1_1.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="libsystemd0-254.27-slfo.1.1_3.1">
      <FullProductName ProductID="libsystemd0-254.27-slfo.1.1_3.1">libsystemd0-254.27-slfo.1.1_3.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="libtasn1-6-4.19.0-slfo.1.1_3.1">
      <FullProductName ProductID="libtasn1-6-4.19.0-slfo.1.1_3.1">libtasn1-6-4.19.0-slfo.1.1_3.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="libudev1-254.27-slfo.1.1_3.1">
      <FullProductName ProductID="libudev1-254.27-slfo.1.1_3.1">libudev1-254.27-slfo.1.1_3.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="libuuid1-2.40.4-slfo.1.1_3.1">
      <FullProductName ProductID="libuuid1-2.40.4-slfo.1.1_3.1">libuuid1-2.40.4-slfo.1.1_3.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="libxml2-2-2.11.6-slfo.1.1_7.1">
      <FullProductName ProductID="libxml2-2-2.11.6-slfo.1.1_7.1">libxml2-2-2.11.6-slfo.1.1_7.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="libxml2-tools-2.11.6-slfo.1.1_7.1">
      <FullProductName ProductID="libxml2-tools-2.11.6-slfo.1.1_7.1">libxml2-tools-2.11.6-slfo.1.1_7.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="libzypp-17.38.2-slfo.1.1_1.1">
      <FullProductName ProductID="libzypp-17.38.2-slfo.1.1_1.1">libzypp-17.38.2-slfo.1.1_1.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="openssl-3-3.1.4-slfo.1.1_8.1">
      <FullProductName ProductID="openssl-3-3.1.4-slfo.1.1_8.1">openssl-3-3.1.4-slfo.1.1_8.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="podman-5.4.2-slfo.1.1_3.1">
      <FullProductName ProductID="podman-5.4.2-slfo.1.1_3.1">podman-5.4.2-slfo.1.1_3.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="python311-3.11.14-slfo.1.1_2.1">
      <FullProductName ProductID="python311-3.11.14-slfo.1.1_2.1">python311-3.11.14-slfo.1.1_2.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="python311-base-3.11.14-slfo.1.1_2.1">
      <FullProductName ProductID="python311-base-3.11.14-slfo.1.1_2.1">python311-base-3.11.14-slfo.1.1_2.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="python311-libxml2-2.11.6-slfo.1.1_7.1">
      <FullProductName ProductID="python311-libxml2-2.11.6-slfo.1.1_7.1">python311-libxml2-2.11.6-slfo.1.1_7.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="python311-urllib3-2.1.0-slfo.1.1_4.1">
      <FullProductName ProductID="python311-urllib3-2.1.0-slfo.1.1_4.1">python311-urllib3-2.1.0-slfo.1.1_4.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="rsync-3.3.0-slfo.1.1_4.1">
      <FullProductName ProductID="rsync-3.3.0-slfo.1.1_4.1">rsync-3.3.0-slfo.1.1_4.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="runc-1.3.4-slfo.1.1_1.1">
      <FullProductName ProductID="runc-1.3.4-slfo.1.1_1.1">runc-1.3.4-slfo.1.1_1.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="selinux-policy-20241031+git17.66062d7a5-slfo.1.1_1.1">
      <FullProductName ProductID="selinux-policy-20241031+git17.66062d7a5-slfo.1.1_1.1">selinux-policy-20241031+git17.66062d7a5-slfo.1.1_1.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="selinux-policy-targeted-20241031+git17.66062d7a5-slfo.1.1_1.1">
      <FullProductName ProductID="selinux-policy-targeted-20241031+git17.66062d7a5-slfo.1.1_1.1">selinux-policy-targeted-20241031+git17.66062d7a5-slfo.1.1_1.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="shim-16.1-slfo.1.1_1.1">
      <FullProductName ProductID="shim-16.1-slfo.1.1_1.1">shim-16.1-slfo.1.1_1.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="supportutils-3.2.12.2-slfo.1.1_1.1">
      <FullProductName ProductID="supportutils-3.2.12.2-slfo.1.1_1.1">supportutils-3.2.12.2-slfo.1.1_1.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="suseconnect-ng-1.20.0-slfo.1.1_1.1">
      <FullProductName ProductID="suseconnect-ng-1.20.0-slfo.1.1_1.1">suseconnect-ng-1.20.0-slfo.1.1_1.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="systemd-254.27-slfo.1.1_3.1">
      <FullProductName ProductID="systemd-254.27-slfo.1.1_3.1">systemd-254.27-slfo.1.1_3.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="systemd-coredump-254.27-slfo.1.1_3.1">
      <FullProductName ProductID="systemd-coredump-254.27-slfo.1.1_3.1">systemd-coredump-254.27-slfo.1.1_3.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="udev-254.27-slfo.1.1_3.1">
      <FullProductName ProductID="udev-254.27-slfo.1.1_3.1">udev-254.27-slfo.1.1_3.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="util-linux-2.40.4-slfo.1.1_3.1">
      <FullProductName ProductID="util-linux-2.40.4-slfo.1.1_3.1">util-linux-2.40.4-slfo.1.1_3.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="util-linux-systemd-2.40.4-slfo.1.1_3.1">
      <FullProductName ProductID="util-linux-systemd-2.40.4-slfo.1.1_3.1">util-linux-systemd-2.40.4-slfo.1.1_3.1</FullProductName>
    </Branch>
    <Relationship ProductReference="SL-Micro-release-6.1-slfo.1.12.10" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sle-micro-6-1-byos-v20260219-x86-64">
      <FullProductName ProductID="Public Cloud Image google/sle-micro-6-1-byos-v20260219-x86-64:SL-Micro-release-6.1-slfo.1.12.10">SL-Micro-release-6.1-slfo.1.12.10 as a component of Public Cloud Image google/sle-micro-6-1-byos-v20260219-x86-64</FullProductName>
    </Relationship>
    <Relationship ProductReference="cloud-netconfig-gce-1.16-slfo.1.1_1.1" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sle-micro-6-1-byos-v20260219-x86-64">
      <FullProductName ProductID="Public Cloud Image google/sle-micro-6-1-byos-v20260219-x86-64:cloud-netconfig-gce-1.16-slfo.1.1_1.1">cloud-netconfig-gce-1.16-slfo.1.1_1.1 as a component of Public Cloud Image google/sle-micro-6-1-byos-v20260219-x86-64</FullProductName>
    </Relationship>
    <Relationship ProductReference="cockpit-podman-91-slfo.1.1_3.1" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sle-micro-6-1-byos-v20260219-x86-64">
      <FullProductName ProductID="Public Cloud Image google/sle-micro-6-1-byos-v20260219-x86-64:cockpit-podman-91-slfo.1.1_3.1">cockpit-podman-91-slfo.1.1_3.1 as a component of Public Cloud Image google/sle-micro-6-1-byos-v20260219-x86-64</FullProductName>
    </Relationship>
    <Relationship ProductReference="curl-8.14.1-slfo.1.1_5.1" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sle-micro-6-1-byos-v20260219-x86-64">
      <FullProductName ProductID="Public Cloud Image google/sle-micro-6-1-byos-v20260219-x86-64:curl-8.14.1-slfo.1.1_5.1">curl-8.14.1-slfo.1.1_5.1 as a component of Public Cloud Image google/sle-micro-6-1-byos-v20260219-x86-64</FullProductName>
    </Relationship>
    <Relationship ProductReference="glib2-tools-2.78.6-slfo.1.1_6.1" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sle-micro-6-1-byos-v20260219-x86-64">
      <FullProductName ProductID="Public Cloud Image google/sle-micro-6-1-byos-v20260219-x86-64:glib2-tools-2.78.6-slfo.1.1_6.1">glib2-tools-2.78.6-slfo.1.1_6.1 as a component of Public Cloud Image google/sle-micro-6-1-byos-v20260219-x86-64</FullProductName>
    </Relationship>
    <Relationship ProductReference="google-guest-agent-20250116.00-slfo.1.1_2.1" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sle-micro-6-1-byos-v20260219-x86-64">
      <FullProductName ProductID="Public Cloud Image google/sle-micro-6-1-byos-v20260219-x86-64:google-guest-agent-20250116.00-slfo.1.1_2.1">google-guest-agent-20250116.00-slfo.1.1_2.1 as a component of Public Cloud Image google/sle-micro-6-1-byos-v20260219-x86-64</FullProductName>
    </Relationship>
    <Relationship ProductReference="google-guest-configs-20260116.00-slfo.1.1_1.1" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sle-micro-6-1-byos-v20260219-x86-64">
      <FullProductName ProductID="Public Cloud Image google/sle-micro-6-1-byos-v20260219-x86-64:google-guest-configs-20260116.00-slfo.1.1_1.1">google-guest-configs-20260116.00-slfo.1.1_1.1 as a component of Public Cloud Image google/sle-micro-6-1-byos-v20260219-x86-64</FullProductName>
    </Relationship>
    <Relationship ProductReference="google-osconfig-agent-20250416.02-slfo.1.1_2.1" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sle-micro-6-1-byos-v20260219-x86-64">
      <FullProductName ProductID="Public Cloud Image google/sle-micro-6-1-byos-v20260219-x86-64:google-osconfig-agent-20250416.02-slfo.1.1_2.1">google-osconfig-agent-20250416.02-slfo.1.1_2.1 as a component of Public Cloud Image google/sle-micro-6-1-byos-v20260219-x86-64</FullProductName>
    </Relationship>
    <Relationship ProductReference="gpg2-2.4.4-slfo.1.1_7.1" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sle-micro-6-1-byos-v20260219-x86-64">
      <FullProductName ProductID="Public Cloud Image google/sle-micro-6-1-byos-v20260219-x86-64:gpg2-2.4.4-slfo.1.1_7.1">gpg2-2.4.4-slfo.1.1_7.1 as a component of Public Cloud Image google/sle-micro-6-1-byos-v20260219-x86-64</FullProductName>
    </Relationship>
    <Relationship ProductReference="grub2-2.12-slfo.1.1_4.1" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sle-micro-6-1-byos-v20260219-x86-64">
      <FullProductName ProductID="Public Cloud Image google/sle-micro-6-1-byos-v20260219-x86-64:grub2-2.12-slfo.1.1_4.1">grub2-2.12-slfo.1.1_4.1 as a component of Public Cloud Image google/sle-micro-6-1-byos-v20260219-x86-64</FullProductName>
    </Relationship>
    <Relationship ProductReference="grub2-i386-pc-2.12-slfo.1.1_4.1" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sle-micro-6-1-byos-v20260219-x86-64">
      <FullProductName ProductID="Public Cloud Image google/sle-micro-6-1-byos-v20260219-x86-64:grub2-i386-pc-2.12-slfo.1.1_4.1">grub2-i386-pc-2.12-slfo.1.1_4.1 as a component of Public Cloud Image google/sle-micro-6-1-byos-v20260219-x86-64</FullProductName>
    </Relationship>
    <Relationship ProductReference="grub2-snapper-plugin-2.12-slfo.1.1_4.1" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sle-micro-6-1-byos-v20260219-x86-64">
      <FullProductName ProductID="Public Cloud Image google/sle-micro-6-1-byos-v20260219-x86-64:grub2-snapper-plugin-2.12-slfo.1.1_4.1">grub2-snapper-plugin-2.12-slfo.1.1_4.1 as a component of Public Cloud Image google/sle-micro-6-1-byos-v20260219-x86-64</FullProductName>
    </Relationship>
    <Relationship ProductReference="grub2-x86_64-efi-2.12-slfo.1.1_4.1" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sle-micro-6-1-byos-v20260219-x86-64">
      <FullProductName ProductID="Public Cloud Image google/sle-micro-6-1-byos-v20260219-x86-64:grub2-x86_64-efi-2.12-slfo.1.1_4.1">grub2-x86_64-efi-2.12-slfo.1.1_4.1 as a component of Public Cloud Image google/sle-micro-6-1-byos-v20260219-x86-64</FullProductName>
    </Relationship>
    <Relationship ProductReference="kmod-32-slfo.1.1_2.1" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sle-micro-6-1-byos-v20260219-x86-64">
      <FullProductName ProductID="Public Cloud Image google/sle-micro-6-1-byos-v20260219-x86-64:kmod-32-slfo.1.1_2.1">kmod-32-slfo.1.1_2.1 as a component of Public Cloud Image google/sle-micro-6-1-byos-v20260219-x86-64</FullProductName>
    </Relationship>
    <Relationship ProductReference="lastlog2-2.40.4-slfo.1.1_3.1" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sle-micro-6-1-byos-v20260219-x86-64">
      <FullProductName ProductID="Public Cloud Image google/sle-micro-6-1-byos-v20260219-x86-64:lastlog2-2.40.4-slfo.1.1_3.1">lastlog2-2.40.4-slfo.1.1_3.1 as a component of Public Cloud Image google/sle-micro-6-1-byos-v20260219-x86-64</FullProductName>
    </Relationship>
    <Relationship ProductReference="libblkid1-2.40.4-slfo.1.1_3.1" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sle-micro-6-1-byos-v20260219-x86-64">
      <FullProductName ProductID="Public Cloud Image google/sle-micro-6-1-byos-v20260219-x86-64:libblkid1-2.40.4-slfo.1.1_3.1">libblkid1-2.40.4-slfo.1.1_3.1 as a component of Public Cloud Image google/sle-micro-6-1-byos-v20260219-x86-64</FullProductName>
    </Relationship>
    <Relationship ProductReference="libcurl4-8.14.1-slfo.1.1_5.1" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sle-micro-6-1-byos-v20260219-x86-64">
      <FullProductName ProductID="Public Cloud Image google/sle-micro-6-1-byos-v20260219-x86-64:libcurl4-8.14.1-slfo.1.1_5.1">libcurl4-8.14.1-slfo.1.1_5.1 as a component of Public Cloud Image google/sle-micro-6-1-byos-v20260219-x86-64</FullProductName>
    </Relationship>
    <Relationship ProductReference="libexpat1-2.7.1-slfo.1.1_4.1" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sle-micro-6-1-byos-v20260219-x86-64">
      <FullProductName ProductID="Public Cloud Image google/sle-micro-6-1-byos-v20260219-x86-64:libexpat1-2.7.1-slfo.1.1_4.1">libexpat1-2.7.1-slfo.1.1_4.1 as a component of Public Cloud Image google/sle-micro-6-1-byos-v20260219-x86-64</FullProductName>
    </Relationship>
    <Relationship ProductReference="libfdisk1-2.40.4-slfo.1.1_3.1" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sle-micro-6-1-byos-v20260219-x86-64">
      <FullProductName ProductID="Public Cloud Image google/sle-micro-6-1-byos-v20260219-x86-64:libfdisk1-2.40.4-slfo.1.1_3.1">libfdisk1-2.40.4-slfo.1.1_3.1 as a component of Public Cloud Image google/sle-micro-6-1-byos-v20260219-x86-64</FullProductName>
    </Relationship>
    <Relationship ProductReference="libgio-2_0-0-2.78.6-slfo.1.1_6.1" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sle-micro-6-1-byos-v20260219-x86-64">
      <FullProductName ProductID="Public Cloud Image google/sle-micro-6-1-byos-v20260219-x86-64:libgio-2_0-0-2.78.6-slfo.1.1_6.1">libgio-2_0-0-2.78.6-slfo.1.1_6.1 as a component of Public Cloud Image google/sle-micro-6-1-byos-v20260219-x86-64</FullProductName>
    </Relationship>
    <Relationship ProductReference="libglib-2_0-0-2.78.6-slfo.1.1_6.1" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sle-micro-6-1-byos-v20260219-x86-64">
      <FullProductName ProductID="Public Cloud Image google/sle-micro-6-1-byos-v20260219-x86-64:libglib-2_0-0-2.78.6-slfo.1.1_6.1">libglib-2_0-0-2.78.6-slfo.1.1_6.1 as a component of Public Cloud Image google/sle-micro-6-1-byos-v20260219-x86-64</FullProductName>
    </Relationship>
    <Relationship ProductReference="libgmodule-2_0-0-2.78.6-slfo.1.1_6.1" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sle-micro-6-1-byos-v20260219-x86-64">
      <FullProductName ProductID="Public Cloud Image google/sle-micro-6-1-byos-v20260219-x86-64:libgmodule-2_0-0-2.78.6-slfo.1.1_6.1">libgmodule-2_0-0-2.78.6-slfo.1.1_6.1 as a component of Public Cloud Image google/sle-micro-6-1-byos-v20260219-x86-64</FullProductName>
    </Relationship>
    <Relationship ProductReference="libgnutls30-3.8.3-slfo.1.1_5.1" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sle-micro-6-1-byos-v20260219-x86-64">
      <FullProductName ProductID="Public Cloud Image google/sle-micro-6-1-byos-v20260219-x86-64:libgnutls30-3.8.3-slfo.1.1_5.1">libgnutls30-3.8.3-slfo.1.1_5.1 as a component of Public Cloud Image google/sle-micro-6-1-byos-v20260219-x86-64</FullProductName>
    </Relationship>
    <Relationship ProductReference="libgobject-2_0-0-2.78.6-slfo.1.1_6.1" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sle-micro-6-1-byos-v20260219-x86-64">
      <FullProductName ProductID="Public Cloud Image google/sle-micro-6-1-byos-v20260219-x86-64:libgobject-2_0-0-2.78.6-slfo.1.1_6.1">libgobject-2_0-0-2.78.6-slfo.1.1_6.1 as a component of Public Cloud Image google/sle-micro-6-1-byos-v20260219-x86-64</FullProductName>
    </Relationship>
    <Relationship ProductReference="libkmod2-32-slfo.1.1_2.1" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sle-micro-6-1-byos-v20260219-x86-64">
      <FullProductName ProductID="Public Cloud Image google/sle-micro-6-1-byos-v20260219-x86-64:libkmod2-32-slfo.1.1_2.1">libkmod2-32-slfo.1.1_2.1 as a component of Public Cloud Image google/sle-micro-6-1-byos-v20260219-x86-64</FullProductName>
    </Relationship>
    <Relationship ProductReference="liblastlog2-2-2.40.4-slfo.1.1_3.1" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sle-micro-6-1-byos-v20260219-x86-64">
      <FullProductName ProductID="Public Cloud Image google/sle-micro-6-1-byos-v20260219-x86-64:liblastlog2-2-2.40.4-slfo.1.1_3.1">liblastlog2-2-2.40.4-slfo.1.1_3.1 as a component of Public Cloud Image google/sle-micro-6-1-byos-v20260219-x86-64</FullProductName>
    </Relationship>
    <Relationship ProductReference="libmount1-2.40.4-slfo.1.1_3.1" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sle-micro-6-1-byos-v20260219-x86-64">
      <FullProductName ProductID="Public Cloud Image google/sle-micro-6-1-byos-v20260219-x86-64:libmount1-2.40.4-slfo.1.1_3.1">libmount1-2.40.4-slfo.1.1_3.1 as a component of Public Cloud Image google/sle-micro-6-1-byos-v20260219-x86-64</FullProductName>
    </Relationship>
    <Relationship ProductReference="libopenssl3-3.1.4-slfo.1.1_8.1" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sle-micro-6-1-byos-v20260219-x86-64">
      <FullProductName ProductID="Public Cloud Image google/sle-micro-6-1-byos-v20260219-x86-64:libopenssl3-3.1.4-slfo.1.1_8.1">libopenssl3-3.1.4-slfo.1.1_8.1 as a component of Public Cloud Image google/sle-micro-6-1-byos-v20260219-x86-64</FullProductName>
    </Relationship>
    <Relationship ProductReference="libpng16-16-1.6.43-slfo.1.1_2.1" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sle-micro-6-1-byos-v20260219-x86-64">
      <FullProductName ProductID="Public Cloud Image google/sle-micro-6-1-byos-v20260219-x86-64:libpng16-16-1.6.43-slfo.1.1_2.1">libpng16-16-1.6.43-slfo.1.1_2.1 as a component of Public Cloud Image google/sle-micro-6-1-byos-v20260219-x86-64</FullProductName>
    </Relationship>
    <Relationship ProductReference="libpython3_11-1_0-3.11.14-slfo.1.1_2.1" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sle-micro-6-1-byos-v20260219-x86-64">
      <FullProductName ProductID="Public Cloud Image google/sle-micro-6-1-byos-v20260219-x86-64:libpython3_11-1_0-3.11.14-slfo.1.1_2.1">libpython3_11-1_0-3.11.14-slfo.1.1_2.1 as a component of Public Cloud Image google/sle-micro-6-1-byos-v20260219-x86-64</FullProductName>
    </Relationship>
    <Relationship ProductReference="libsmartcols1-2.40.4-slfo.1.1_3.1" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sle-micro-6-1-byos-v20260219-x86-64">
      <FullProductName ProductID="Public Cloud Image google/sle-micro-6-1-byos-v20260219-x86-64:libsmartcols1-2.40.4-slfo.1.1_3.1">libsmartcols1-2.40.4-slfo.1.1_3.1 as a component of Public Cloud Image google/sle-micro-6-1-byos-v20260219-x86-64</FullProductName>
    </Relationship>
    <Relationship ProductReference="libsolv-tools-base-0.7.35-slfo.1.1_1.1" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sle-micro-6-1-byos-v20260219-x86-64">
      <FullProductName ProductID="Public Cloud Image google/sle-micro-6-1-byos-v20260219-x86-64:libsolv-tools-base-0.7.35-slfo.1.1_1.1">libsolv-tools-base-0.7.35-slfo.1.1_1.1 as a component of Public Cloud Image google/sle-micro-6-1-byos-v20260219-x86-64</FullProductName>
    </Relationship>
    <Relationship ProductReference="libsystemd0-254.27-slfo.1.1_3.1" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sle-micro-6-1-byos-v20260219-x86-64">
      <FullProductName ProductID="Public Cloud Image google/sle-micro-6-1-byos-v20260219-x86-64:libsystemd0-254.27-slfo.1.1_3.1">libsystemd0-254.27-slfo.1.1_3.1 as a component of Public Cloud Image google/sle-micro-6-1-byos-v20260219-x86-64</FullProductName>
    </Relationship>
    <Relationship ProductReference="libtasn1-6-4.19.0-slfo.1.1_3.1" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sle-micro-6-1-byos-v20260219-x86-64">
      <FullProductName ProductID="Public Cloud Image google/sle-micro-6-1-byos-v20260219-x86-64:libtasn1-6-4.19.0-slfo.1.1_3.1">libtasn1-6-4.19.0-slfo.1.1_3.1 as a component of Public Cloud Image google/sle-micro-6-1-byos-v20260219-x86-64</FullProductName>
    </Relationship>
    <Relationship ProductReference="libudev1-254.27-slfo.1.1_3.1" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sle-micro-6-1-byos-v20260219-x86-64">
      <FullProductName ProductID="Public Cloud Image google/sle-micro-6-1-byos-v20260219-x86-64:libudev1-254.27-slfo.1.1_3.1">libudev1-254.27-slfo.1.1_3.1 as a component of Public Cloud Image google/sle-micro-6-1-byos-v20260219-x86-64</FullProductName>
    </Relationship>
    <Relationship ProductReference="libuuid1-2.40.4-slfo.1.1_3.1" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sle-micro-6-1-byos-v20260219-x86-64">
      <FullProductName ProductID="Public Cloud Image google/sle-micro-6-1-byos-v20260219-x86-64:libuuid1-2.40.4-slfo.1.1_3.1">libuuid1-2.40.4-slfo.1.1_3.1 as a component of Public Cloud Image google/sle-micro-6-1-byos-v20260219-x86-64</FullProductName>
    </Relationship>
    <Relationship ProductReference="libxml2-2-2.11.6-slfo.1.1_7.1" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sle-micro-6-1-byos-v20260219-x86-64">
      <FullProductName ProductID="Public Cloud Image google/sle-micro-6-1-byos-v20260219-x86-64:libxml2-2-2.11.6-slfo.1.1_7.1">libxml2-2-2.11.6-slfo.1.1_7.1 as a component of Public Cloud Image google/sle-micro-6-1-byos-v20260219-x86-64</FullProductName>
    </Relationship>
    <Relationship ProductReference="libxml2-tools-2.11.6-slfo.1.1_7.1" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sle-micro-6-1-byos-v20260219-x86-64">
      <FullProductName ProductID="Public Cloud Image google/sle-micro-6-1-byos-v20260219-x86-64:libxml2-tools-2.11.6-slfo.1.1_7.1">libxml2-tools-2.11.6-slfo.1.1_7.1 as a component of Public Cloud Image google/sle-micro-6-1-byos-v20260219-x86-64</FullProductName>
    </Relationship>
    <Relationship ProductReference="libzypp-17.38.2-slfo.1.1_1.1" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sle-micro-6-1-byos-v20260219-x86-64">
      <FullProductName ProductID="Public Cloud Image google/sle-micro-6-1-byos-v20260219-x86-64:libzypp-17.38.2-slfo.1.1_1.1">libzypp-17.38.2-slfo.1.1_1.1 as a component of Public Cloud Image google/sle-micro-6-1-byos-v20260219-x86-64</FullProductName>
    </Relationship>
    <Relationship ProductReference="openssl-3-3.1.4-slfo.1.1_8.1" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sle-micro-6-1-byos-v20260219-x86-64">
      <FullProductName ProductID="Public Cloud Image google/sle-micro-6-1-byos-v20260219-x86-64:openssl-3-3.1.4-slfo.1.1_8.1">openssl-3-3.1.4-slfo.1.1_8.1 as a component of Public Cloud Image google/sle-micro-6-1-byos-v20260219-x86-64</FullProductName>
    </Relationship>
    <Relationship ProductReference="podman-5.4.2-slfo.1.1_3.1" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sle-micro-6-1-byos-v20260219-x86-64">
      <FullProductName ProductID="Public Cloud Image google/sle-micro-6-1-byos-v20260219-x86-64:podman-5.4.2-slfo.1.1_3.1">podman-5.4.2-slfo.1.1_3.1 as a component of Public Cloud Image google/sle-micro-6-1-byos-v20260219-x86-64</FullProductName>
    </Relationship>
    <Relationship ProductReference="python311-3.11.14-slfo.1.1_2.1" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sle-micro-6-1-byos-v20260219-x86-64">
      <FullProductName ProductID="Public Cloud Image google/sle-micro-6-1-byos-v20260219-x86-64:python311-3.11.14-slfo.1.1_2.1">python311-3.11.14-slfo.1.1_2.1 as a component of Public Cloud Image google/sle-micro-6-1-byos-v20260219-x86-64</FullProductName>
    </Relationship>
    <Relationship ProductReference="python311-base-3.11.14-slfo.1.1_2.1" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sle-micro-6-1-byos-v20260219-x86-64">
      <FullProductName ProductID="Public Cloud Image google/sle-micro-6-1-byos-v20260219-x86-64:python311-base-3.11.14-slfo.1.1_2.1">python311-base-3.11.14-slfo.1.1_2.1 as a component of Public Cloud Image google/sle-micro-6-1-byos-v20260219-x86-64</FullProductName>
    </Relationship>
    <Relationship ProductReference="python311-libxml2-2.11.6-slfo.1.1_7.1" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sle-micro-6-1-byos-v20260219-x86-64">
      <FullProductName ProductID="Public Cloud Image google/sle-micro-6-1-byos-v20260219-x86-64:python311-libxml2-2.11.6-slfo.1.1_7.1">python311-libxml2-2.11.6-slfo.1.1_7.1 as a component of Public Cloud Image google/sle-micro-6-1-byos-v20260219-x86-64</FullProductName>
    </Relationship>
    <Relationship ProductReference="python311-urllib3-2.1.0-slfo.1.1_4.1" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sle-micro-6-1-byos-v20260219-x86-64">
      <FullProductName ProductID="Public Cloud Image google/sle-micro-6-1-byos-v20260219-x86-64:python311-urllib3-2.1.0-slfo.1.1_4.1">python311-urllib3-2.1.0-slfo.1.1_4.1 as a component of Public Cloud Image google/sle-micro-6-1-byos-v20260219-x86-64</FullProductName>
    </Relationship>
    <Relationship ProductReference="rsync-3.3.0-slfo.1.1_4.1" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sle-micro-6-1-byos-v20260219-x86-64">
      <FullProductName ProductID="Public Cloud Image google/sle-micro-6-1-byos-v20260219-x86-64:rsync-3.3.0-slfo.1.1_4.1">rsync-3.3.0-slfo.1.1_4.1 as a component of Public Cloud Image google/sle-micro-6-1-byos-v20260219-x86-64</FullProductName>
    </Relationship>
    <Relationship ProductReference="runc-1.3.4-slfo.1.1_1.1" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sle-micro-6-1-byos-v20260219-x86-64">
      <FullProductName ProductID="Public Cloud Image google/sle-micro-6-1-byos-v20260219-x86-64:runc-1.3.4-slfo.1.1_1.1">runc-1.3.4-slfo.1.1_1.1 as a component of Public Cloud Image google/sle-micro-6-1-byos-v20260219-x86-64</FullProductName>
    </Relationship>
    <Relationship ProductReference="selinux-policy-20241031+git17.66062d7a5-slfo.1.1_1.1" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sle-micro-6-1-byos-v20260219-x86-64">
      <FullProductName ProductID="Public Cloud Image google/sle-micro-6-1-byos-v20260219-x86-64:selinux-policy-20241031+git17.66062d7a5-slfo.1.1_1.1">selinux-policy-20241031+git17.66062d7a5-slfo.1.1_1.1 as a component of Public Cloud Image google/sle-micro-6-1-byos-v20260219-x86-64</FullProductName>
    </Relationship>
    <Relationship ProductReference="selinux-policy-targeted-20241031+git17.66062d7a5-slfo.1.1_1.1" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sle-micro-6-1-byos-v20260219-x86-64">
      <FullProductName ProductID="Public Cloud Image google/sle-micro-6-1-byos-v20260219-x86-64:selinux-policy-targeted-20241031+git17.66062d7a5-slfo.1.1_1.1">selinux-policy-targeted-20241031+git17.66062d7a5-slfo.1.1_1.1 as a component of Public Cloud Image google/sle-micro-6-1-byos-v20260219-x86-64</FullProductName>
    </Relationship>
    <Relationship ProductReference="shim-16.1-slfo.1.1_1.1" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sle-micro-6-1-byos-v20260219-x86-64">
      <FullProductName ProductID="Public Cloud Image google/sle-micro-6-1-byos-v20260219-x86-64:shim-16.1-slfo.1.1_1.1">shim-16.1-slfo.1.1_1.1 as a component of Public Cloud Image google/sle-micro-6-1-byos-v20260219-x86-64</FullProductName>
    </Relationship>
    <Relationship ProductReference="supportutils-3.2.12.2-slfo.1.1_1.1" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sle-micro-6-1-byos-v20260219-x86-64">
      <FullProductName ProductID="Public Cloud Image google/sle-micro-6-1-byos-v20260219-x86-64:supportutils-3.2.12.2-slfo.1.1_1.1">supportutils-3.2.12.2-slfo.1.1_1.1 as a component of Public Cloud Image google/sle-micro-6-1-byos-v20260219-x86-64</FullProductName>
    </Relationship>
    <Relationship ProductReference="suseconnect-ng-1.20.0-slfo.1.1_1.1" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sle-micro-6-1-byos-v20260219-x86-64">
      <FullProductName ProductID="Public Cloud Image google/sle-micro-6-1-byos-v20260219-x86-64:suseconnect-ng-1.20.0-slfo.1.1_1.1">suseconnect-ng-1.20.0-slfo.1.1_1.1 as a component of Public Cloud Image google/sle-micro-6-1-byos-v20260219-x86-64</FullProductName>
    </Relationship>
    <Relationship ProductReference="systemd-254.27-slfo.1.1_3.1" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sle-micro-6-1-byos-v20260219-x86-64">
      <FullProductName ProductID="Public Cloud Image google/sle-micro-6-1-byos-v20260219-x86-64:systemd-254.27-slfo.1.1_3.1">systemd-254.27-slfo.1.1_3.1 as a component of Public Cloud Image google/sle-micro-6-1-byos-v20260219-x86-64</FullProductName>
    </Relationship>
    <Relationship ProductReference="systemd-coredump-254.27-slfo.1.1_3.1" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sle-micro-6-1-byos-v20260219-x86-64">
      <FullProductName ProductID="Public Cloud Image google/sle-micro-6-1-byos-v20260219-x86-64:systemd-coredump-254.27-slfo.1.1_3.1">systemd-coredump-254.27-slfo.1.1_3.1 as a component of Public Cloud Image google/sle-micro-6-1-byos-v20260219-x86-64</FullProductName>
    </Relationship>
    <Relationship ProductReference="udev-254.27-slfo.1.1_3.1" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sle-micro-6-1-byos-v20260219-x86-64">
      <FullProductName ProductID="Public Cloud Image google/sle-micro-6-1-byos-v20260219-x86-64:udev-254.27-slfo.1.1_3.1">udev-254.27-slfo.1.1_3.1 as a component of Public Cloud Image google/sle-micro-6-1-byos-v20260219-x86-64</FullProductName>
    </Relationship>
    <Relationship ProductReference="util-linux-2.40.4-slfo.1.1_3.1" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sle-micro-6-1-byos-v20260219-x86-64">
      <FullProductName ProductID="Public Cloud Image google/sle-micro-6-1-byos-v20260219-x86-64:util-linux-2.40.4-slfo.1.1_3.1">util-linux-2.40.4-slfo.1.1_3.1 as a component of Public Cloud Image google/sle-micro-6-1-byos-v20260219-x86-64</FullProductName>
    </Relationship>
    <Relationship ProductReference="util-linux-systemd-2.40.4-slfo.1.1_3.1" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sle-micro-6-1-byos-v20260219-x86-64">
      <FullProductName ProductID="Public Cloud Image google/sle-micro-6-1-byos-v20260219-x86-64:util-linux-systemd-2.40.4-slfo.1.1_3.1">util-linux-systemd-2.40.4-slfo.1.1_3.1 as a component of Public Cloud Image google/sle-micro-6-1-byos-v20260219-x86-64</FullProductName>
    </Relationship>
  </ProductTree>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">libexpat through 2.5.0 allows a denial of service (resource consumption) because many full reparsings are required in the case of a large token for which multiple buffer fills are needed.</Note>
    </Notes>
    <CVE>CVE-2023-52425</CVE>
    <ProductStatuses>
      <Status Type="Fixed"/>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">A malicious client acting as the receiver of an rsync file transfer can trigger an out of bounds read of a heap based buffer, via a negative array index. The malicious rsync client requires at least read access to the remote rsync module in order to trigger the issue.</Note>
    </Notes>
    <CVE>CVE-2025-10158</CVE>
    <ProductStatuses>
      <Status Type="Fixed"/>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">URLs containing percent-encoded slashes (`/` or `\`) can trick wcurl into
saving the output file outside of the current directory without the user
explicitly asking for it.

This flaw only affects the wcurl command line tool.</Note>
    </Notes>
    <CVE>CVE-2025-11563</CVE>
    <ProductStatuses>
      <Status Type="Fixed"/>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">When building nested elements using xml.dom.minidom methods such as appendChild() that have a dependency on _clear_id_cache() the algorithm is quadratic. Availability can be impacted when building excessively nested documents.</Note>
    </Notes>
    <CVE>CVE-2025-12084</CVE>
    <ProductStatuses>
      <Status Type="Fixed"/>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">Stack-based buffer overflow in libtasn1 version: v4.20.0. The function fails to validate the size of input data resulting in a buffer overflow in asn1_expend_octet_string.</Note>
    </Notes>
    <CVE>CVE-2025-13151</CVE>
    <ProductStatuses>
      <Status Type="Fixed"/>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">Lodash versions 4.0.0 through 4.17.22 are vulnerable to prototype pollution in the _.unset and _.omit functions. An attacker can pass crafted paths which cause Lodash to delete methods from global prototypes.

The issue permits deletion of properties but does not allow overwriting their original behavior.

This issue is patched in 4.17.23.</Note>
    </Notes>
    <CVE>CVE-2025-13465</CVE>
    <ProductStatuses>
      <Status Type="Fixed"/>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>important</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">A heap-based buffer overflow problem was found in glib through an incorrect calculation of buffer size in the g_escape_uri_string() function. If the string to escape contains a very large number of unacceptable characters (which would need escaping), the calculation of the length of the escaped string could overflow, leading to a potential write off the end of the newly allocated string.</Note>
    </Notes>
    <CVE>CVE-2025-13601</CVE>
    <ProductStatuses>
      <Status Type="Fixed"/>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>important</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">When reading an HTTP response from a server, if no read amount is specified, the default behavior will be to use Content-Length. This allows a malicious server to cause the client to read large amounts of data into memory, potentially causing OOM or other DoS.</Note>
    </Notes>
    <CVE>CVE-2025-13836</CVE>
    <ProductStatuses>
      <Status Type="Fixed"/>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">When loading a plist file, the plistlib module reads data in sizes specified by the file itself, meaning a malicious file can cause OOM and DoS issues.</Note>
    </Notes>
    <CVE>CVE-2025-13837</CVE>
    <ProductStatuses>
      <Status Type="Fixed"/>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">When doing multi-threaded LDAPS transfers (LDAP over TLS) with libcurl,
changing TLS options in one thread would inadvertently change them globally
and therefore possibly also affect other concurrently setup transfers.

Disabling certificate verification for a specific transfer could
unintentionally disable the feature for other threads as well.</Note>
    </Notes>
    <CVE>CVE-2025-14017</CVE>
    <ProductStatuses>
      <Status Type="Fixed"/>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">A flaw was found in GLib (Gnome Lib). This vulnerability allows a remote attacker to cause heap corruption, leading to a denial of service or potential code execution via a buffer-underflow in the GVariant parser when processing maliciously crafted input strings.</Note>
    </Notes>
    <CVE>CVE-2025-14087</CVE>
    <ProductStatuses>
      <Status Type="Fixed"/>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>important</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">A flaw was found in util-linux. This vulnerability allows a heap buffer overread when processing 256-byte usernames, specifically within the `setpwnam()` function, affecting SUID (Set User ID) login-utils utilities writing to the password database.</Note>
    </Notes>
    <CVE>CVE-2025-14104</CVE>
    <ProductStatuses>
      <Status Type="Fixed"/>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">A flaw was found in glib. This vulnerability allows a heap buffer overflow and denial-of-service (DoS) via an integer overflow in GLib's GIO (GLib Input/Output) escape_byte_string() function when processing malicious file or remote filesystem attribute values.</Note>
    </Notes>
    <CVE>CVE-2025-14512</CVE>
    <ProductStatuses>
      <Status Type="Fixed"/>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">When an OAuth2 bearer token is used for an HTTP(S) transfer, and that transfer
performs a cross-protocol redirect to a second URL that uses an IMAP, LDAP,
POP3 or SMTP scheme, curl might wrongly pass on the bearer token to the new
target host.</Note>
    </Notes>
    <CVE>CVE-2025-14524</CVE>
    <ProductStatuses>
      <Status Type="Fixed"/>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">When doing TLS related transfers with reused easy or multi handles and
altering the `CURLSSLOPT_NO_PARTIALCHAIN` option, libcurl could accidentally
reuse a CA store cached in memory for which the partial chain option was
reversed, contrary to the user's wishes and expectations. This could make
libcurl find and accept a trust chain that it otherwise would not.</Note>
    </Notes>
    <CVE>CVE-2025-14819</CVE>
    <ProductStatuses>
      <Status Type="Fixed"/>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">When doing SSH-based transfers using either SCP or SFTP, and setting the
known_hosts file, libcurl could still mistakenly accept connecting to hosts
*not present* in the specified file if they were added as recognized in the
libssh *global* known_hosts file.</Note>
    </Notes>
    <CVE>CVE-2025-15079</CVE>
    <ProductStatuses>
      <Status Type="Fixed"/>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">When doing SSH-based transfers using either SCP or SFTP, and asked to do
public key authentication, curl would wrongly still ask and authenticate using
a locally running SSH agent.</Note>
    </Notes>
    <CVE>CVE-2025-15224</CVE>
    <ProductStatuses>
      <Status Type="Fixed"/>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">Issue summary: Parsing CMS AuthEnvelopedData or EnvelopedData message with
maliciously crafted AEAD parameters can trigger a stack buffer overflow.

Impact summary: A stack buffer overflow may lead to a crash, causing Denial
of Service, or potentially remote code execution.

When parsing CMS (Auth)EnvelopedData structures that use AEAD ciphers such as
AES-GCM, the IV (Initialization Vector) encoded in the ASN.1 parameters is
copied into a fixed-size stack buffer without verifying that its length fits
the destination. An attacker can supply a crafted CMS message with an
oversized IV, causing a stack-based out-of-bounds write before any
authentication or tag verification occurs.

Applications and services that parse untrusted CMS or PKCS#7 content using
AEAD ciphers (e.g., S/MIME (Auth)EnvelopedData with AES-GCM) are vulnerable.
Because the overflow occurs prior to authentication, no valid key material
is required to trigger it. While exploitability to remote code execution
depends on platform and toolchain mitigations, the stack-based write
primitive represents a severe risk.

The FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this
issue, as the CMS implementation is outside the OpenSSL FIPS module
boundary.

OpenSSL 3.6, 3.5, 3.4, 3.3 and 3.0 are vulnerable to this issue.

OpenSSL 1.1.1 and 1.0.2 are not affected by this issue.</Note>
    </Notes>
    <CVE>CVE-2025-15467</CVE>
    <ProductStatuses>
      <Status Type="Fixed"/>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>critical</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">The html.parser.HTMLParser class had worst-case quadratic complexity when processing certain crafted malformed inputs, potentially leading to amplified denial-of-service.</Note>
    </Notes>
    <CVE>CVE-2025-6069</CVE>
    <ProductStatuses>
      <Status Type="Fixed"/>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">If the value passed to os.path.expandvars() is user-controlled, a
performance degradation is possible when expanding environment
variables.</Note>
    </Notes>
    <CVE>CVE-2025-6075</CVE>
    <ProductStatuses>
      <Status Type="Fixed"/>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>low</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">LIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portable Network Graphics) raster image files. Prior to version 1.6.51, a heap buffer over-read vulnerability exists in libpng's png_do_quantize function when processing PNG files with malformed palette indices. The vulnerability occurs when palette_lookup array bounds are not validated against externally-supplied image data, allowing an attacker to craft a PNG file with out-of-range palette indices that trigger out-of-bounds memory access. This issue has been patched in version 1.6.51.</Note>
    </Notes>
    <CVE>CVE-2025-64505</CVE>
    <ProductStatuses>
      <Status Type="Fixed"/>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">LIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portable Network Graphics) raster image files. From version 1.6.0 to before 1.6.51, a heap buffer over-read vulnerability exists in libpng's png_write_image_8bit function when processing 8-bit images through the simplified write API with convert_to_8bit enabled. The vulnerability affects 8-bit grayscale+alpha, RGB/RGBA, and images with incomplete row data. A conditional guard incorrectly allows 8-bit input to enter code expecting 16-bit input, causing reads up to 2 bytes beyond allocated buffer boundaries. This issue has been patched in version 1.6.51.</Note>
    </Notes>
    <CVE>CVE-2025-64506</CVE>
    <ProductStatuses>
      <Status Type="Fixed"/>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">LIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portable Network Graphics) raster image files. From version 1.6.0 to before 1.6.51, an out-of-bounds read vulnerability exists in png_image_read_composite when processing palette images with PNG_FLAG_OPTIMIZE_ALPHA enabled. The palette compositing code in png_init_read_transformations incorrectly applies background compositing during premultiplication, violating the invariant component ≤ alpha x 257 required by the simplified PNG API. This issue has been patched in version 1.6.51.</Note>
    </Notes>
    <CVE>CVE-2025-64720</CVE>
    <ProductStatuses>
      <Status Type="Fixed"/>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">LIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portable Network Graphics) raster image files. From version 1.6.0 to before 1.6.51, there is a heap buffer overflow vulnerability in the libpng simplified API function png_image_finish_read when processing 16-bit interlaced PNGs with 8-bit output format. Attacker-crafted interlaced PNG files cause heap writes beyond allocated buffer bounds. This issue has been patched in version 1.6.51.</Note>
    </Notes>
    <CVE>CVE-2025-65018</CVE>
    <ProductStatuses>
      <Status Type="Fixed"/>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">LIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portable Network Graphics) raster image files. Prior to 1.6.52, an out-of-bounds read vulnerability in libpng's simplified API allows reading up to 1012 bytes beyond the png_sRGB_base[512] array when processing valid palette PNG images with partial transparency and gamma correction. The PNG files that trigger this vulnerability are valid per the PNG specification; the bug is in libpng's internal state management. Upgrade to libpng 1.6.52 or later.</Note>
    </Notes>
    <CVE>CVE-2025-66293</CVE>
    <ProductStatuses>
      <Status Type="Fixed"/>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>important</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">urllib3 is a user-friendly HTTP client library for Python. Starting in version 1.24 and prior to 2.6.0, the number of links in the decompression chain was unbounded, allowing a malicious server to insert a virtually unlimited number of compression steps, leading to high CPU usage and massive memory allocation for the decompressed data. This vulnerability is fixed in 2.6.0.</Note>
    </Notes>
    <CVE>CVE-2025-66418</CVE>
    <ProductStatuses>
      <Status Type="Fixed"/>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">urllib3 is a user-friendly HTTP client library for Python. Starting in version 1.0 and prior to 2.6.0, the Streaming API improperly handles highly compressed data. urllib3's streaming API is designed for the efficient handling of large HTTP responses by reading the content in chunks, rather than loading the entire response body into memory at once. When streaming a compressed response, urllib3 can perform decoding or decompression based on the HTTP Content-Encoding header (e.g., gzip, deflate, br, or zstd). The library must read compressed data from the network and decompress it until the requested chunk size is met. Any resulting decompressed data that exceeds the requested amount is held in an internal buffer for the next read operation. The decompression logic could cause urllib3 to fully decode a small amount of highly compressed data in a single operation. This can result in excessive resource consumption (high CPU usage and massive memory allocation for the decompressed data).</Note>
    </Notes>
    <CVE>CVE-2025-66471</CVE>
    <ProductStatuses>
      <Status Type="Fixed"/>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">Issue summary: Writing large, newline-free data into a BIO chain using the
line-buffering filter where the next BIO performs short writes can trigger
a heap-based out-of-bounds write.

Impact summary: This out-of-bounds write can cause memory corruption which
typically results in a crash, leading to Denial of Service for an application.

The line-buffering BIO filter (BIO_f_linebuffer) is not used by default in
TLS/SSL data paths. In OpenSSL command-line applications, it is typically
only pushed onto stdout/stderr on VMS systems. Third-party applications that
explicitly use this filter with a BIO chain that can short-write and that
write large, newline-free data influenced by an attacker would be affected.
However, the circumstances where this could happen are unlikely to be under
attacker control, and BIO_f_linebuffer is unlikely to be handling non-curated
data controlled by an attacker. For that reason the issue was assessed as
Low severity.

The FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this issue,
as the BIO implementation is outside the OpenSSL FIPS module boundary.

OpenSSL 3.6, 3.5, 3.4, 3.3, 3.0, 1.1.1 and 1.0.2 are vulnerable to this issue.</Note>
    </Notes>
    <CVE>CVE-2025-68160</CVE>
    <ProductStatuses>
      <Status Type="Fixed"/>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In GnuPG before 2.4.9, armor_filter in g10/armor.c has two increments of an index variable where one is intended, leading to an out-of-bounds write for crafted input. (For ExtendedLTS, 2.2.51 and later are fixed versions.)</Note>
    </Notes>
    <CVE>CVE-2025-68973</CVE>
    <ProductStatuses>
      <Status Type="Fixed"/>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>important</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">Issue summary: When using the low-level OCB API directly with AES-NI or
other hardware-accelerated code paths, inputs whose length is not a multiple
of 16 bytes can leave the final partial block unencrypted and unauthenticated.

Impact summary: The trailing 1-15 bytes of a message may be exposed in
cleartext on encryption and are not covered by the authentication tag,
allowing an attacker to read or tamper with those bytes without detection.

The low-level OCB encrypt and decrypt routines in the hardware-accelerated
stream path process full 16-byte blocks but do not advance the input/output
pointers. The subsequent tail-handling code then operates on the original
base pointers, effectively reprocessing the beginning of the buffer while
leaving the actual trailing bytes unprocessed. The authentication checksum
also excludes the true tail bytes.

However, typical OpenSSL consumers using EVP are not affected because the
higher-level EVP and provider OCB implementations split inputs so that full
blocks and trailing partial blocks are processed in separate calls, avoiding
the problematic code path.
Additionally, TLS does not use OCB ciphersuites.
The vulnerability only affects applications that call the low-level
CRYPTO_ocb128_encrypt() or CRYPTO_ocb128_decrypt() functions directly with
non-block-aligned lengths in a single call on hardware-accelerated builds.
For these reasons the issue was assessed as Low severity.

The FIPS modules in 3.6, 3.5, 3.4, 3.3, 3.2, 3.1 and 3.0 are not affected
by this issue, as OCB mode is not a FIPS-approved algorithm.

OpenSSL 3.6, 3.5, 3.4, 3.3, 3.0 and 1.1.1 are vulnerable to this issue.

OpenSSL 1.0.2 is not affected by this issue.</Note>
    </Notes>
    <CVE>CVE-2025-69418</CVE>
    <ProductStatuses>
      <Status Type="Fixed"/>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">Issue summary: Calling PKCS12_get_friendlyname() function on a maliciously
crafted PKCS#12 file with a BMPString (UTF-16BE) friendly name containing
a non-ASCII BMP code point can trigger a one-byte write before the allocated
buffer.

Impact summary: The out-of-bounds write can cause a memory corruption
which can have various consequences including a Denial of Service.

The OPENSSL_uni2utf8() function performs a two-pass conversion of a PKCS#12
BMPString (UTF-16BE) to UTF-8. In the second pass, when emitting UTF-8 bytes,
the helper function bmp_to_utf8() incorrectly forwards the remaining UTF-16
source byte count as the destination buffer capacity to UTF8_putc(). For BMP
code points above U+07FF, UTF-8 requires three bytes, but the forwarded
capacity can be just two bytes. UTF8_putc() then returns -1, and this negative
value is added to the output length without validation, causing the
length to become negative. The subsequent trailing NUL byte is then written
at a negative offset, causing a write outside of the heap-allocated buffer.

The vulnerability is reachable via the public PKCS12_get_friendlyname() API
when parsing attacker-controlled PKCS#12 files. While PKCS12_parse() uses a
different code path that avoids this issue, PKCS12_get_friendlyname() directly
invokes the vulnerable function. Exploitation requires an attacker to provide
a malicious PKCS#12 file to be parsed by the application and the attacker
can just trigger a one zero byte write before the allocated buffer.
For that reason the issue was assessed as Low severity according to our
Security Policy.

The FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this issue,
as the PKCS#12 implementation is outside the OpenSSL FIPS module boundary.

OpenSSL 3.6, 3.5, 3.4, 3.3, 3.0 and 1.1.1 are vulnerable to this issue.

OpenSSL 1.0.2 is not affected by this issue.</Note>
    </Notes>
    <CVE>CVE-2025-69419</CVE>
    <ProductStatuses>
      <Status Type="Fixed"/>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">Issue summary: A type confusion vulnerability exists in the TimeStamp Response
verification code where an ASN1_TYPE union member is accessed without first
validating the type, causing an invalid or NULL pointer dereference when
processing a malformed TimeStamp Response file.

Impact summary: An application calling TS_RESP_verify_response() with a
malformed TimeStamp Response can be caused to dereference an invalid or
NULL pointer when reading, resulting in a Denial of Service.

The functions ossl_ess_get_signing_cert() and ossl_ess_get_signing_cert_v2()
access the signing cert attribute value without validating its type.
When the type is not V_ASN1_SEQUENCE, this results in accessing invalid memory
through the ASN1_TYPE union, causing a crash.

Exploiting this vulnerability requires an attacker to provide a malformed
TimeStamp Response to an application that verifies timestamp responses. The
TimeStamp protocol (RFC 3161) is not widely used and the impact of the
exploit is just a Denial of Service. For these reasons the issue was
assessed as Low severity.

The FIPS modules in 3.5, 3.4, 3.3 and 3.0 are not affected by this issue,
as the TimeStamp Response implementation is outside the OpenSSL FIPS module
boundary.

OpenSSL 3.6, 3.5, 3.4, 3.3, 3.0 and 1.1.1 are vulnerable to this issue.

OpenSSL 1.0.2 is not affected by this issue.</Note>
    </Notes>
    <CVE>CVE-2025-69420</CVE>
    <ProductStatuses>
      <Status Type="Fixed"/>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">Issue summary: Processing a malformed PKCS#12 file can trigger a NULL pointer
dereference in the PKCS12_item_decrypt_d2i_ex() function.

Impact summary: A NULL pointer dereference can trigger a crash which leads to
Denial of Service for an application processing PKCS#12 files.

The PKCS12_item_decrypt_d2i_ex() function does not check whether the oct
parameter is NULL before dereferencing it. When called from
PKCS12_unpack_p7encdata() with a malformed PKCS#12 file, this parameter can
be NULL, causing a crash. The vulnerability is limited to Denial of Service
and cannot be escalated to achieve code execution or memory disclosure.

Exploiting this issue requires an attacker to provide a malformed PKCS#12 file
to an application that processes it. For that reason the issue was assessed as
Low severity according to our Security Policy.

The FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this issue,
as the PKCS#12 implementation is outside the OpenSSL FIPS module boundary.

OpenSSL 3.6, 3.5, 3.4, 3.3, 3.0, 1.1.1 and 1.0.2 are vulnerable to this issue.</Note>
    </Notes>
    <CVE>CVE-2025-69421</CVE>
    <ProductStatuses>
      <Status Type="Fixed"/>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">There is a defect in the CPython “tarfile” module affecting the “TarFile” extraction and entry enumeration APIs. The tar implementation would process tar archives with negative offsets without error, resulting in an infinite loop and deadlock during the parsing of maliciously crafted tar archives.

This vulnerability can be mitigated by including the following patch after importing the “tarfile” module: https://gist.github.com/sethmlarson/1716ac5b82b73dbcbf23ad2eff8b33e1</Note>
    </Notes>
    <CVE>CVE-2025-8194</CVE>
    <ProductStatuses>
      <Status Type="Fixed"/>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">The 'zipfile' module would not check the validity of the ZIP64 End of
Central Directory (EOCD) Locator record offset value, and that offset would not be used to
locate the ZIP64 EOCD record; instead the ZIP64 EOCD record would be
assumed to be the previous record in the ZIP archive. This could be abused
to create ZIP archives that are handled differently by the 'zipfile' module
compared to other ZIP implementations.


Remediation maintains this behavior, but checks that the offset specified
in the ZIP64 EOCD Locator record matches the expected value.</Note>
    </Notes>
    <CVE>CVE-2025-8291</CVE>
    <ProductStatuses>
      <Status Type="Fixed"/>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>low</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">A flaw was found in the GnuTLS library, specifically in the gnutls_pkcs11_token_init() function that handles PKCS#11 token initialization. When a token label longer than expected is processed, the function writes past the end of a fixed-size stack buffer. This programming error can cause the application using GnuTLS to crash or, in certain conditions, be exploited for code execution. As a result, systems or applications relying on GnuTLS may be vulnerable to a denial of service or local privilege escalation attacks.</Note>
    </Notes>
    <CVE>CVE-2025-9820</CVE>
    <ProductStatuses>
      <Status Type="Fixed"/>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">A flaw was found in glib. Missing validation of offset and count parameters in the g_buffered_input_stream_peek() function can lead to an integer overflow during length calculation. When specially crafted values are provided, this overflow results in an incorrect size being passed to memcpy(), triggering a buffer overflow. This can cause application crashes, leading to a Denial of Service (DoS).</Note>
    </Notes>
    <CVE>CVE-2026-0988</CVE>
    <ProductStatuses>
      <Status Type="Fixed"/>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>low</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">A flaw was identified in the RelaxNG parser of libxml2 related to how external schema inclusions are handled. The parser does not enforce a limit on inclusion depth when resolving nested &lt;include&gt; directives. Specially crafted or overly complex schemas can cause excessive recursion during parsing. This may lead to stack exhaustion and application crashes, creating a denial-of-service risk.</Note>
    </Notes>
    <CVE>CVE-2026-0989</CVE>
    <ProductStatuses>
      <Status Type="Fixed"/>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">A flaw was found in the GLib Base64 encoding routine when processing very large input data. Due to incorrect use of integer types during length calculation, the library may miscalculate buffer boundaries. This can cause memory writes outside the allocated buffer. Applications that process untrusted or extremely large Base64 input using GLib may crash or behave unpredictably.</Note>
    </Notes>
    <CVE>CVE-2026-1484</CVE>
    <ProductStatuses>
      <Status Type="Fixed"/>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>important</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">A flaw was found in GLib's content type parsing logic. This buffer underflow vulnerability occurs because the length of a header line is stored in a signed integer, which can lead to integer wraparound for very large inputs. This results in pointer underflow and out-of-bounds memory access. Exploitation requires a local user to install or process a specially crafted treemagic file, which can lead to local denial of service or application instability.</Note>
    </Notes>
    <CVE>CVE-2026-1485</CVE>
    <ProductStatuses>
      <Status Type="Fixed"/>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>low</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">A flaw was found in GLib. An integer overflow vulnerability in its Unicode case conversion implementation can lead to memory corruption. By processing specially crafted and extremely large Unicode strings, an attacker could trigger an undersized memory allocation, resulting in out-of-bounds writes. This could cause applications utilizing GLib for string conversion to crash or become unstable.</Note>
    </Notes>
    <CVE>CVE-2026-1489</CVE>
    <ProductStatuses>
      <Status Type="Fixed"/>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>important</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">urllib3 is an HTTP client library for Python. urllib3's streaming API is designed for the efficient handling of large HTTP responses by reading the content in chunks, rather than loading the entire response body into memory at once. urllib3 can perform decoding or decompression based on the HTTP `Content-Encoding` header (e.g., `gzip`, `deflate`, `br`, or `zstd`). When using the streaming API, the library decompresses only the necessary bytes, enabling partial content consumption. Starting in version 1.22 and prior to version 2.6.3, for HTTP redirect responses, the library would read the entire response body to drain the connection and decompress the content unnecessarily. This decompression occurred even before any read methods were called, and configured read limits did not restrict the amount of decompressed data. As a result, there was no safeguard against decompression bombs. A malicious server could exploit this to trigger excessive resource consumption on the client. Applications and libraries are affected when they stream content from untrusted sources by setting `preload_content=False` when they do not disable redirects. Users should upgrade to at least urllib3 v2.6.3, in which the library does not decode content of redirect responses when `preload_content=False`. If upgrading is not immediately possible, disable redirects by setting `redirect=False` for requests to an untrusted source.</Note>
    </Notes>
    <CVE>CVE-2026-21441</CVE>
    <ProductStatuses>
      <Status Type="Fixed"/>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">Issue summary: An invalid or NULL pointer dereference can happen in
an application processing a malformed PKCS#12 file.

Impact summary: An application processing a malformed PKCS#12 file can be
caused to dereference an invalid or NULL pointer on memory read, resulting
in a Denial of Service.

A type confusion vulnerability exists in PKCS#12 parsing code where
an ASN1_TYPE union member is accessed without first validating the type,
causing an invalid pointer read.

The location is constrained to a 1-byte address space, meaning any
attempted pointer manipulation can only target addresses between 0x00 and 0xFF.
This range corresponds to the zero page, which is unmapped on most modern
operating systems and will reliably result in a crash, leading only to a
Denial of Service. Exploiting this issue also requires a user or application
to process a maliciously crafted PKCS#12 file. It is uncommon to accept
untrusted PKCS#12 files in applications as they are usually used to store
private keys which are trusted by definition. For these reasons, the issue
was assessed as Low severity.

The FIPS modules in 3.5, 3.4, 3.3 and 3.0 are not affected by this issue,
as the PKCS12 implementation is outside the OpenSSL FIPS module boundary.

OpenSSL 3.6, 3.5, 3.4, 3.3, 3.0 and 1.1.1 are vulnerable to this issue.

OpenSSL 1.0.2 is not affected by this issue.</Note>
    </Notes>
    <CVE>CVE-2026-22795</CVE>
    <ProductStatuses>
      <Status Type="Fixed"/>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In libexpat before 2.7.4, XML_ExternalEntityParserCreate does not copy unknown encoding handler user data.</Note>
    </Notes>
    <CVE>CVE-2026-24515</CVE>
    <ProductStatuses>
      <Status Type="Fixed"/>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In GnuPG before 2.5.17, a stack-based buffer overflow exists in tpm2daemon during handling of the PKDECRYPT command for TPM-backed RSA and ECC keys.</Note>
    </Notes>
    <CVE>CVE-2026-24882</CVE>
    <ProductStatuses>
      <Status Type="Fixed"/>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>important</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In libexpat before 2.7.4, the doContent function does not properly determine the buffer size bufSize because there is no integer overflow check for tag buffer reallocation.</Note>
    </Notes>
    <CVE>CVE-2026-25210</CVE>
    <ProductStatuses>
      <Status Type="Fixed"/>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
</cvrfdoc>
