- apache2
-
* Fix bsc#1263952 / CVE-2026-33857.
* Fix bsc#1263954 / CVE-2026-33007.
* Fix bsc#1264163 / CVE-2026-28780.
* Fix bsc#1264150 / CVE-2026-29168.
* Add patch files:
- CVE-2026-33857.patch
- CVE-2026-33007.patch
- CVE-2026-28780.patch
- CVE-2026-29168.patch
* Fix bsc#1263957 / CVE-2026-23918.
* Fix bsc#1263953 / CVE-2026-33523.
* Fix bsc#1263955 / CVE-2026-33006.
* Fix bsc#1263956 / CVE-2026-29169.
* Fix bsc#1263935 / CVE-2026-24072.
* Fix bsc#1263950 / CVE-2026-34059.
* Fix bsc#1263951 / CVE-2026-34032.
* Add patch files:
- CVE-2026-23918.patch
- CVE-2026-33523.patch
- CVE-2026-33006.patch
- CVE-2026-29169.patch
- CVE-2026-24072.patch
- CVE-2026-34059.patch
- CVE-2026-34032.patch
- java-1_8_0-ibm
-
- Update to Java 8.0 Service Refresh 8 Fix Pack 65 (bsc#1264735)
* IBM Security Update, Oracle April 21 2026 CPU.
* Security fixes:
- CVE-2026-22016: APIs in the specified Component can cause
unauthorized access to critical data (bsc#1262495)
- CVE-2026-22021: APIs in the specified Component can cause
a partial denial of service (bsc#1262497)
- CVE-2026-22013: Unauthenticated attacker with network access
can access to critical data (bsc#1262494)
- CVE-2026-22018: Unauthenticated attacker with network access
can cause a partial denial of service (bsc#1262496)
- CVE-2026-34268: Unauthenticated attacker with logon can gain
unauthorized read access (bsc#1262500)
- CVE-2026-22007: APIs in the specified component can lead to
an unauthorized read access (bsc#1262490)
- IBM Security Update January 2026:
* [bsc#1265261, CVE-2026-1188] Eclipse: Ensure room for separator in
omrsysinfo_get_processor_feature_string
- gnutls
-
- Security fixes:
* CVE-2026-33846: buffers: add more checks to DTLS reassembly (bsc#1263705)
* CVE-2026-42009: lib/buffers: ensure packets have differing sequence numbers (bsc#1263708)
* CVE-2026-33845: buffers: switch from end_offset over to frag_length (bsc#1263704)
* CVE-2026-42010: lib/auth/rsa_psk: fix binary PSK identity lookup (bsc#1263709)
* CVE-2026-3833: x509/name-constraints: compare domain names case-insensitive (bsc#1263707)
* CVE-2026-42011: x509/name_constraints: fix intersecting empty constraints (bsc#1263710)
* CVE-2026-42012: x509/hostname-verify: make URI/SRV SAN preclude CN fallback (bsc#1263711)
* CVE-2026-42013: x509: prevent fallback on oversized SAN (bsc#1263712)
* CVE-2026-42014: pkcs11_write: fix UAF and leak in gnutls_pkcs11_token_set_pin (bsc#1263713)
* CVE-2026-42015: x509/pkcs12_bag: fix off-by-one in bag element bounds check (bsc#1263714)
* CVE-2026-5260: lib/pkcs11_privkey: guard against overreading on short ciphertexts (bsc#1263715)
* CVE-2026-5419: gnutls_cipher_decrypt3: make PKCS#7 unpadding branch free (bsc#1263716)
* Add patches:
gnutls-CVE-2026-33846.patch gnutls-CVE-2026-42009.patch
gnutls-CVE-2026-33845.patch gnutls-CVE-2026-42010.patch
gnutls-CVE-2026-3833.patch gnutls-CVE-2026-42011.patch
gnutls-CVE-2026-42012.patch gnutls-CVE-2026-42013.patch
gnutls-CVE-2026-42014.patch gnutls-CVE-2026-5260.patch
gnutls-CVE-2026-42015.patch gnutls-CVE-2026-5419.patch
- samba
-
- CVE-2026-4480: Fix Unauthenticated Remote Code Execution;
(bso#16033); (bsc#1261161).
- CVE-2026-4408: Fix Remote Code Execution in SAMR;(bso#16034);
(bsc#1261163).
- CVE-2026-3238: Fix unauthenticated udp packet crashes AD DC
nbt server; (bso#16012); (bsc#1261160).
- CVE-2026-3012: Fix CVE-2026-3012 group policy certificate
enrollment using http:// without validation;(bso#16003);
(bsc#1261159).
- CVE-2026-1933: Fix missing access check on reparse point
operations; (bso#15992); (bsc#1261188).
- CVE-2026-2340: vfs_worm does not block directory modification;
(bso#15997); (bsc#1261158).
- Fix rpc workers with long living clients from growing server
memory keytab and increasing memory used by workers;
(bso#16042); (bsc#1257200).
- Generated dynamic profile based on path to special 'printers'
share. (bsc#1259441).
- Fix regression "use-kerberos=desired" broken doesn't even try
to authenticate with kerberos and instead fallsback to NTLM;
(bsc#1255755); (bso#15789).
- Fix memory leak using cups parsed options and from filename
allocated when processing end of printing job; (bso#15979);
(bsc#1257200).
- fix manpage for "net offlinejoin requestodj"; (bso#15964)
- fix "ctdbd socket" documentation in manpage for smb.conf;
(bso#15977)
- Fix memory leak opening local named pipe; (bso#15979);
(bsc#1257200).
- xz
-
- Fix buffer overflow in lzma_index_append (bsc#1261280, CVE-2026-34743)
* CVE-2026-34743.patch
- Change SUSE-Public-Domain license to LicenseRef-SUSE-Public-Domain to
fix rpmlint errors
- openssl-1_1
-
- bsc#1250782 Fix 30-test_fips_sli.t fails intermittently on s390x
Fix AES_GCM IV test sometimes failing on s390x.
* Add openssl-fix-fips-slitest-s390x.patch
- python-certifi
-
- Add python36-certifi provides/obsoletes to enable SLE-12 ->
SLE-15 migration, bsc#1233012
- python-idna
-
- Add python36-idna provides/obsoletes to enable SLE-12 ->
SLE-15 migration, bsc#1233012
- python-packaging
-
- Add python36-packaging provides/obsoletes to enable SLE-12 ->
SLE-15 migration, bsc#1233012
- python-pycparser
-
- Add python36-pycparser provides/obsoletes to enable SLE-12 ->
SLE-15 migration, bsc#1233012
- python-py
-
- Add python36-py provides/obsoletes to enable SLE-12 ->
SLE-15 migration, bsc#1233012
- python-six
-
- Add python36-six provides/obsoletes to enable SLE-12 ->
SLE-15 migration, bsc#1233012
- python-urllib3
-
- CVE-2026-44431: sensitive information disclosure due to sensitive
headers being forwarded across origins in proxied low-level redirects
(bsc#1265267)
Add patch CVE-2026-44431.patch
- fix regression in CVE-2025-66471.patch when downloading large files
(bsc#1259829)
- rsync
-
- Security update:
- bsc#1234100, CVE-2024-12084: Heap Buffer Overflow in Checksum Parsing
- bsc#1234101, CVE-2024-12085: Info Leak via uninitialized Stack contents defeats ASLR
- bsc#1234102, CVE-2024-12086: server leaks arbitrary client files
- bsc#1234103, CVE-2024-12087: server can make client write files outside of destination directory using symbolic links
- bsc#1234104, CVE-2024-12088: --safe-links bypass
- bsc#1235475, CVE-2024-12747: Race Condition in rsync Handling Symbolic Links
- bsc#1254441, CVE-2025-10158: Out of bounds array access via negative index
- bsc#1262223, CVE-2026-41035: Count of entries mismatch can lead to a use-after-free
- bsc#1264511, CVE-2026-29518: Symlink-Race TOCTOU in Daemon (use chroot = no)
- bsc#1264515, CVE-2026-43617: Authorization Bypass via Hostname Resolution
- bsc#1264512, CVE-2026-43618: Integer Overflow Information Disclosure
- bsc#1264514, CVE-2026-43619: Symlink Race Condition via Path-Based Syscalls
- bsc#1264513, CVE-2026-43620: Out-of-Bounds Array Read via recv_files()
- bsc#1265296, CVE-2026-45232: Off-by-one stack OOB write in HTTP CONNECT proxy response parsing
- With the big security update above-mentioned, we received a big amount of harderning
patches that are pre-requisitoes that we added to this version:
- rsync-hardening-0001-Fix-warning-about-conflicting-lseek-lseek64-prototyp.patch
- rsync-hardening-0002-hlink-Fix-function-pointer-cast-in-qsort.patch
- rsync-hardening-0003-bool-is-a-keyword-in-C23.patch
- rsync-hardening-0004-Fix-warning-about-missing-bomb-.-prototype.patch
- rsync-hardening-0005-CVE-2024-12084-Some-checksum-buffer-fixes.patch
(replaces: rsync-CVE-2024-12084-overflow-01.patch)
- rsync-hardening-0006-CVE-2024-12084-Another-cast-when-multiplying-integers.patch
(replaces: rsync-CVE-2024-12084-overflow-02.patch)
- rsync-hardening-0007-CVE-2024-12085-prevent-information-leak-off-the-stack.patch
(replaces: rsync-CVE-2024-12085.patch)
- rsync-hardening-0008-CVE-2024-12086-refuse-fuzzy-options-when-fuzzy-not-selected.patch
(replaces: rsync-CVE-2024-12086_01.patch)
- rsync-hardening-0009-added-secure_relative_open.patch
(replaces: rsync-CVE-2024-12086_02.patch)
- rsync-hardening-0010-receiver-use-secure_relative_open-for-basis-file.patch
(replaces: rsync-CVE-2024-12086_03.patch)
- rsync-hardening-0011-disallow-.-elements-in-relpath-for-secure_relative_o.patch
(replaces: rsync-CVE-2024-12086_04.patch)
- rsync-hardening-0012-CVE-2024-12087-Refuse-a-duplicate-dirlist.patch
(replaces: rsync-CVE-2024-12087_01.patch)
- rsync-hardening-0013-CVE-2024-12087-range-check-dir_ndx-before-use.patch
(replaces:: rsync-CVE-2024-12087_02.patch)
- rsync-hardening-0014-CVE-2024-12088-make-safe-links-stricter.patch
(replaces: rsync-CVE-2024-12088.patch)
- rsync-hardening-0015-CVE-2024-12747-fixed-symlink-race-condition-in-sender.patch
(replaces: rsync-CVE-2024-12747.patch)
- rsync-hardening-0016-syscall-fix-a-Y2038-bug-by-replacing-Int32x32To64-wi.patch
- rsync-hardening-0017-options.c-Fix-segv-if-poptGetContext-returns-NULL.patch
- rsync-hardening-0018-Using-a-correct-time-in-log-file.patch
- rsync-hardening-0019-configure.ac-check-for-xattr-support-both-in-libc-an.patch
(replaces: rsync-no-libattr.patch)
- rsync-hardening-0020-util-fixed-issue-in-clean_fname.patch
- rsync-hardening-0021-testsuite-added-clean-fname-underflow-test.patch
- rsync-hardening-0022-CVE-2025-10158-fixed-an-invalid-access-to-files-array.patch
(replaces: rsync-CVE-2025-10158.patch)
- rsync-hardening-0023-fix-uninitialized-buf1-in-get_checksum2-MD4-path.patch
- rsync-hardening-0024-reject-negative-token-values-in-compressed-stream-re.patch
- rsync-hardening-0025-acl-fixed-ACL-ID-mapping-for-non-root.patch
- rsync-hardening-0026-fix-uninitialized-mul_one-in-AVX2-checksum-and-add-S.patch
- rsync-hardening-0027-Fix-glibc-2.43-constness-warnings.patch
- rsync-hardening-0029-fix-signed-integer-overflow-in-proxy-protocol-v2-hea.patch
- rsync-hardening-0030-zero-all-new-memory-from-allocations.patch
- rsync-hardening-0031-CVE-2026-41035-xattrs-fixed-count-in-qsort.patch
- rsync-hardening-0032-call-tzset-before-chroot-to-cache-timezone-data.patch
- rsync-hardening-0033-testsuite-xattrs-ignore-SUNWattr_-in-the-Solaris-xls.patch
- rsync-hardening-0034-syscall-use-openat2-RESOLVE_BENEATH-on-Linux-for-sec.patch
- rsync-hardening-0035-syscall-also-use-O_RESOLVE_BENEATH-on-FreeBSD-and-Ma.patch
- rsync-hardening-0036-testsuite-skip-symlink-dirlink-basis-on-platforms-wi.patch
- rsync-hardening-0037-CVE-2026-29518-syscall-clientserver-am_chrooted-and-use_secure_syml.patch
- rsync-hardening-0038-CVE-2026-29518-sender-fix-read-path-TOCTOU-by-opening-from-module-r.patch
- rsync-hardening-0039-CVE-2026-43619-syscall-receiver-secure-receiver-side-do_chmod-again.patch
- rsync-hardening-0040-CVE-2026-43619-util1-secure-change_dir-against-symlink-race-chdir-e.patch
- rsync-hardening-0041-CVE-2026-43619-syscall-add-symlink-race-safe-do_-_at-wrappers-and-h.patch
- rsync-hardening-0042-CVE-2026-43619-util1-syscall-secure-copy_file-source-dest-opens-bar.patch
- rsync-hardening-0043-CVE-2026-43619-testsuite-end-to-end-regression-test-for-chdir-symli.patch
- rsync-hardening-0044-CVE-2026-43618-token-harden-compressed-token-decoding-against-integ.patch
- rsync-hardening-0045-CVE-2026-43618-testsuite-cover-refuse-options-compress-for-the-daem.patch
- rsync-hardening-0046-CVE-2026-43620-receiver-add-parent_ndx-0-guard-mirroring-797e17f.patch
- rsync-hardening-0047-CVE-2026-43617-clientserver-fix-hostname-ACL-bypass-when-using-daem.patch
- rsync-hardening-0048-CVE-2026-43618-defence-in-depth-bound-wire-supplied-counts-and-leng.patch
- rsync-hardening-0049-CVE-2026-43618-defence-in-depth-guard-cumulative-snprintf-against-l.patch
- rsync-hardening-0050-CVE-2026-43620-defence-in-depth-receiver-block-index-bounds-read_de.patch
- rsync-hardening-0052-exclude-fix-crashes-with-fortified-strlcpy.patch
(replaces: rsync-fortified-strlcpy-fix.patch)
- rsync-hardening-0053-testsuite-use-integer-sleep-in-clean-fname-underflow.patch
- rsync-hardening-0055-popt-fix-poptDupArgv-strlcpy-size-argument.patch
- rsync-hardening-0056-testsuite-fixes-for-3.2.7-backport.patch
- rsync-hardening-0057-rsync.h-lower-MAX_WIRE_DEL_STAT-to-avoid-signed-int-.patch
- rsync-hardening-0058-CVE-2026-45232-socket-reject-over-long-proxy-response-line.patch
- rsync-hardening-0059-main-reject-hyphen-prefixed-remote-shell-hostnames.patch
- rsync-hardening-0060-util1-handle-out-of-range-times-in-timestring.patch
- A few hardening patches were discarded, as the don't affect SUSE distributions:
- rsync-hardening-0028-zlib-convert-K-R-function-definitions-to-ANSI-style
(we don't bundle zlib, nothing to patch)
- rsync-hardening-0051-CI-added-workflows-from-master-for-backport-testing
(fixes CI Github Actions, not present in release tarballs)
- rsync-hardening-0054-ci-update-RSYNC_EXPECT_SKIPPED-for-3.2.7-backport-ba
(fixes CI Github Actions, not present in release tarballs)
- Rename rsync-fix-FLAG_GOT_DIR_FLIST.patch to rsync-fix-duplicate.patch to align codestreams.
- Security update (CVE-2026-41035, bsc#1262223): rsync: count of
entries mismatch can lead to a use-after-free
- Add rsync-CVE-2026-41035.patch
- sysctl-logger
-
- Update to v0.0.7
* Add systemd hardenings
* Make output directory visible
- Specify LLVM version to use for SLES 15 SP7
- xorg-x11-server
-
- bsc1266294_CVE-2026-XXXX1_0007-dix-increase-XLFDMAXFONTNAMELEN-to-match-libXfont2-s.patch
* Font Alias Stack-based Buffer Overflow (ZDI-CAN-30136, bsc#1266294)
- bsc1266295_CVE-2026-XXXX2_0001-sync-fix-deletion-of-counters-and-fences.patch
* XSYNC Use-After-Free in miSyncDestroyFence() (ZDI-CAN-30159, ZDI-CAN-30163, bsc#1266295, bsc#1266298)
- bsc1266296_CVE-2026-XXXX3_0003-xkb-reject-key-types-with-num_levels-exceeding-XkbMa.patch
* XKB Key Types Stack-based Buffer Overflow (ZDI-CAN-30160, bsc#1266296)
- bsc1266297_CVE-2026-XXXX4_0004-xkb-clamp-nMaps-to-mapWidths-buffer-size-in-CheckKey.patch
* XKB SetMap Request Stack-based Buffer Overflow (ZDI-CAN-30161, bsc#1266297)
- bsc1266299_CVE-2026-XXXX6_0002-sync-restart-trigger-list-iteration-in-SyncChangeCou.patch
* XSYNC Use-After-Free in SyncChangeCounter() (ZDI-CAN-30164, bsc#1266299)
- bsc1266300_CVE-2026-XXXX7_0005-glx-fix-reversed-length-check-in-ChangeDrawableAttri.patch
* GLX ChangeDrawableAttributes Out-Of-Bounds Read/Write (ZDI-CAN-30165, bsc#1266300)
- bsc1266301_CVE-2026-XXXX8_0006-saver-re-fetch-screen-private-after-CheckScreenPriva.patch
* CreateSaverWindow Use-After-Free Information Disclosure (ZDI-CAN-30168, bsc#1266301)
- bsc1266302_CVE-2026-XXXX9_0001-dri2-Use-booleans-for-fake-front-buffer-tracking-in-.patch
bsc1266302_CVE-2026-XXXX9_0002-dri2-Deduplicate-attachments-in-do_get_buffer.patch
* DRI2 DRIGetBuffers/DRIGetBuffersWithFormat Out-Of-Bounds Write (CVE-2026-XXXX9, bsc#1266302)