Security update for gvfs SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2026:0916-1 Final 1 1 2026-03-18T07:46:59Z current 2026-03-18T07:46:59Z 2026-03-18T07:46:59Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for gvfs This update for gvfs fixes the following issues: - CVE-2026-28295: fixed by using control connection address for PASV data (bsc#1258953). - CVE-2026-28296: fixed by rejecting paths containing CR/LF characters (bsc#1258954). The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). SUSE-2026-916,SUSE-SLE-SERVER-12-SP5-LTSS-2026-916,SUSE-SLE-SERVER-12-SP5-LTSS-EXTENDED-SECURITY-2026-916 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2026/suse-su-20260916-1/ Link for SUSE-SU-2026:0916-1 https://lists.suse.com/pipermail/sle-security-updates/2026-March/024708.html E-Mail link for SUSE-SU-2026:0916-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1258953 SUSE Bug 1258953 https://bugzilla.suse.com/1258954 SUSE Bug 1258954 https://www.suse.com/security/cve/CVE-2026-28295/ SUSE CVE CVE-2026-28295 page https://www.suse.com/security/cve/CVE-2026-28296/ SUSE CVE CVE-2026-28296 page SUSE Linux Enterprise Server 12 SP5-LTSS SUSE Linux Enterprise Server LTSS Extended Security 12 SP5 gvfs-1.28.3-18.9.1 gvfs-32bit-1.28.3-18.9.1 gvfs-64bit-1.28.3-18.9.1 gvfs-backend-afc-1.28.3-18.9.1 gvfs-backend-samba-1.28.3-18.9.1 gvfs-backends-1.28.3-18.9.1 gvfs-devel-1.28.3-18.9.1 gvfs-fuse-1.28.3-18.9.1 gvfs-lang-1.28.3-18.9.1 gvfs-1.28.3-18.9.1 as a component of SUSE Linux Enterprise Server 12 SP5-LTSS gvfs-backend-samba-1.28.3-18.9.1 as a component of SUSE Linux Enterprise Server 12 SP5-LTSS gvfs-backends-1.28.3-18.9.1 as a component of SUSE Linux Enterprise Server 12 SP5-LTSS gvfs-devel-1.28.3-18.9.1 as a component of SUSE Linux Enterprise Server 12 SP5-LTSS gvfs-fuse-1.28.3-18.9.1 as a component of SUSE Linux Enterprise Server 12 SP5-LTSS gvfs-lang-1.28.3-18.9.1 as a component of SUSE Linux Enterprise Server 12 SP5-LTSS gvfs-1.28.3-18.9.1 as a component of SUSE Linux Enterprise Server LTSS Extended Security 12 SP5 gvfs-backend-samba-1.28.3-18.9.1 as a component of SUSE Linux Enterprise Server LTSS Extended Security 12 SP5 gvfs-backends-1.28.3-18.9.1 as a component of SUSE Linux Enterprise Server LTSS Extended Security 12 SP5 gvfs-devel-1.28.3-18.9.1 as a component of SUSE Linux Enterprise Server LTSS Extended Security 12 SP5 gvfs-fuse-1.28.3-18.9.1 as a component of SUSE Linux Enterprise Server LTSS Extended Security 12 SP5 gvfs-lang-1.28.3-18.9.1 as a component of SUSE Linux Enterprise Server LTSS Extended Security 12 SP5 A flaw was found in the FTP GVfs backend. A malicious FTP server can exploit this vulnerability by providing an arbitrary IP address and port in its passive mode (PASV) response. The client unconditionally trusts this information and attempts to connect to the specified endpoint, allowing the malicious server to probe for open ports accessible from the client's network. CVE-2026-28295 SUSE Linux Enterprise Server 12 SP5-LTSS:gvfs-1.28.3-18.9.1 SUSE Linux Enterprise Server 12 SP5-LTSS:gvfs-backend-samba-1.28.3-18.9.1 SUSE Linux Enterprise Server 12 SP5-LTSS:gvfs-backends-1.28.3-18.9.1 SUSE Linux Enterprise Server 12 SP5-LTSS:gvfs-devel-1.28.3-18.9.1 SUSE Linux Enterprise Server 12 SP5-LTSS:gvfs-fuse-1.28.3-18.9.1 SUSE Linux Enterprise Server 12 SP5-LTSS:gvfs-lang-1.28.3-18.9.1 SUSE Linux Enterprise Server LTSS Extended Security 12 SP5:gvfs-1.28.3-18.9.1 SUSE Linux Enterprise Server LTSS Extended Security 12 SP5:gvfs-backend-samba-1.28.3-18.9.1 SUSE Linux Enterprise Server LTSS Extended Security 12 SP5:gvfs-backends-1.28.3-18.9.1 SUSE Linux Enterprise Server LTSS Extended Security 12 SP5:gvfs-devel-1.28.3-18.9.1 SUSE Linux Enterprise Server LTSS Extended Security 12 SP5:gvfs-fuse-1.28.3-18.9.1 SUSE Linux Enterprise Server LTSS Extended Security 12 SP5:gvfs-lang-1.28.3-18.9.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-20260916-1/ https://www.suse.com/security/cve/CVE-2026-28295.html CVE-2026-28295 https://bugzilla.suse.com/1258953 SUSE Bug 1258953 A flaw was found in the FTP GVfs backend. A remote attacker could exploit this input validation vulnerability by supplying specially crafted file paths containing carriage return and line feed (CRLF) sequences. These unsanitized sequences allow the attacker to terminate intended FTP commands and inject arbitrary FTP commands, potentially leading to arbitrary code execution or other severe impacts. CVE-2026-28296 SUSE Linux Enterprise Server 12 SP5-LTSS:gvfs-1.28.3-18.9.1 SUSE Linux Enterprise Server 12 SP5-LTSS:gvfs-backend-samba-1.28.3-18.9.1 SUSE Linux Enterprise Server 12 SP5-LTSS:gvfs-backends-1.28.3-18.9.1 SUSE Linux Enterprise Server 12 SP5-LTSS:gvfs-devel-1.28.3-18.9.1 SUSE Linux Enterprise Server 12 SP5-LTSS:gvfs-fuse-1.28.3-18.9.1 SUSE Linux Enterprise Server 12 SP5-LTSS:gvfs-lang-1.28.3-18.9.1 SUSE Linux Enterprise Server LTSS Extended Security 12 SP5:gvfs-1.28.3-18.9.1 SUSE Linux Enterprise Server LTSS Extended Security 12 SP5:gvfs-backend-samba-1.28.3-18.9.1 SUSE Linux Enterprise Server LTSS Extended Security 12 SP5:gvfs-backends-1.28.3-18.9.1 SUSE Linux Enterprise Server LTSS Extended Security 12 SP5:gvfs-devel-1.28.3-18.9.1 SUSE Linux Enterprise Server LTSS Extended Security 12 SP5:gvfs-fuse-1.28.3-18.9.1 SUSE Linux Enterprise Server LTSS Extended Security 12 SP5:gvfs-lang-1.28.3-18.9.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-20260916-1/ https://www.suse.com/security/cve/CVE-2026-28296.html CVE-2026-28296 https://bugzilla.suse.com/1258954 SUSE Bug 1258954