Mesa
- bsc1261998-CVE-2026-40393-nir-Use-STACK_ARRAY-instead-of-NIR_VLA.patch
  bsc1261998-CVE-2026-40393-spirv-Use-STACK_ARRAY-instead-of-NIR_VLA.patch
  * Mesa: out-of-bounds memory access can occur in WebGPU because
    the amount of to-be-allocated data depends on an untrusted
    party (bsc#1261998, CVE-2026-40393)
cloud-netconfig
- Update to version 1.19
  + Make sure IPADDR variable is stripped of netmask

- Update to version 1.18
  + Fix issue with link-local address routing (bsc#1258730)

- Update to version 1.17
  + Do not set broadcast address explicitly (bsc#1258406)

- Update to version 1.16
  + Fix query of default CLOUD_NETCONFIG_MANAGE (bsc#1253223)
  + Fix variable names in the README
curl
- Security fixes:
  * CVE-2026-4873: connection reuse ignores TLS requirement (bsc#1262631)
  * CVE-2026-5545: wrong reuse of HTTP Negotiate connection (bsc#1262632)
  * CVE-2026-6253: proxy credentials leak over redirect-to proxy (bsc#1262635)
  * CVE-2026-6276: stale custom cookie host causes cookie leak (bsc#1262636)
  * CVE-2026-6429: netrc credential leak with reused proxy connection (bsc#1262638)
  * sws: prevent "connection monitor" from saying disconnect twice (bsc#1259362)
  * Add patches:
    - curl-CVE-2026-4873.patch
    - curl-CVE-2026-5545.patch
    - curl-CVE-2026-6253.patch
    - curl-CVE-2026-6276.patch
    - curl-CVE-2026-6429.patch
    - curl-CVE-2026-1965-disable-ntlm-fix.patch
dracut
- Update to version 055+suse.399.g9aa7e567:
  * fix: make iso-scan trigger udev events (bsc#1261274)
kernel-default
- Revert "kabi assert: ptrace: slightly saner 'get_dumpable()' logic"
  This reverts commit 12cb5f3c8a837d7216b867289a491dbbf7deb562.
  There are 14 bits at most (including the new one), so this cannot break the kabi.
  A proper assert fix will follow later.
- commit cd71df9

- kabi: ptrace: slightly saner 'get_dumpable()' logic
  (bsc#1265308).
- commit 3f88b62

- series.conf : sort patches
- commit 72093b8

- kabi assert: ptrace: slightly saner 'get_dumpable()' logic
  (bsc#1265308).
- commit 12cb5f3

- ptrace: slightly saner 'get_dumpable()' logic (bsc#1265308).
- commit 58cef8e

- io-wq: check that the predecessor is hashed in
  io_wq_remove_pending() (git-fixes).
- commit 8c60ec8

- net: skbuff: propagate shared-frag marker through pskb_copy()
  (CVE-2026-46300 bsc#1265209).
- commit 0506a1e

- Refresh
  patches.suse/xfrm-esp-avoid-in-place-decrypt-on-shared-skb-frags.patch.
  Add missing hunk to make sure SKBFL_SHARED_FRAG flag is set for
  ESP-UDP packet.
- commit 48549a4

- supported.conf: drop rxrpc and af_kfs (bsc#1264450)
- commit 4f2846b

- xfrm: esp: avoid in-place decrypt on shared skb frags
  (bsc#1264449).
- commit e509080

- x86/CPU/AMD: Prevent improper isolation of shared resources in
  Zen2's op cache (bsc#1264013 CVE-2025-54518).
- commit 039ae0b
krb5
- Fix two NegoEx parsing vulnerabilities:
  * CVE-2026-40355, bsc#1263366
  * CVE-2026-40356, bsc#1263367
- Add patch 0014-Fix-two-NegoEx-parsing-vulnerabilities.patch
util-linux
- loopdev: Prevent unauthorized read access to symlinked filesystem
  images (bsc#1261606, CVE-2026-27456,
  util-linux-CVE-2026-27456.patch).
python3
- Add CVE-2026-6019-Morsel-js_output.patch, which protects against
  HTML injection by Base64-encoding cookie values embedded in JS
  (bsc#1262654, CVE-2026-6019, gh#python/cpython#90309).

- Add CVE-2026-1502-reject-CRLF-HTTP-tunnel.patch which rejects
  CR/LF in HTTP tunnel request headers (bsc#1261969,
  CVE-2026-1502, gh#python/cpython#146211).

- Add CVE-2026-4786-webbrowser-open-action.patch, which fixes
  webbrowser %action substitution bypass of dash-prefix check
  (bsc#1262319, CVE-2026-4786, gh#python/cpython#148169).

- Add CVE-2026-6100-use-after-free-decompression.patch preventing
  a dangling pointer which can end in a use-after-free error
  (CVE-2026-6100, bsc#1262098, gh#python/cpython#148395).

- Fix calling of sphinx build with non-standard Python
  interpreter (including new patch sphinx-set-PYTHON.patch).

- Add CVE-2026-3446-base64-padding.patch preventing ignoring
  excess Base64 data after the first padded quad (bsc#1261970,
  CVE-2026-3446, gh#python/cpython#145264).

- Add CVE-2026-3479-pkgutil_get_data.patch: pkgutil.get_data() has
  the same security model as open(). The documented limitations
  ensure compatibility with non-filesystem loaders; Python
  doesn't check that. (bsc#1259989, CVE-2026-3479,
  gh#python/cpython#146121).

- Add CVE-2026-4519-webbrowser-open-dashes.patch to reject
  leading dashes in webbrowser URLs (bsc#1260026, CVE-2026-4519,
  gh#python/cpython#143930).

- Add CVE-2025-13462-tarinfo-header-parse.patch which skips
  TarInfo DIRTYPE normalization during GNU long name handling
  (bsc#1259611, CVE-2025-13462).

- Add CVE-2026-4224-expat-unbound-C-recursion.patch avoiding
  unbound C recursion in conv_content_model in pyexpat.c
  (bsc#1259735, CVE-2026-4224).

- Add CVE-2026-3644-cookies-Morsel-update-II.patch to reject
  control characters in http.cookies.Morsel.update() and
  http.cookies.BaseCookie.js_output (bsc#1259734, CVE-2026-3644).
tiff
- CVE-2026-4775: Signed integer overflow in putcontig8bitYCbCr44tile (bsc#1260411)
  Add tiff-CVE-2026-4775.patch
000release-packages:sle-module-basesystem-release
n/a
000release-packages:sle-module-containers-release
n/a
000release-packages:sle-module-desktop-applications-release
n/a
000release-packages:sle-module-development-tools-release
n/a
000release-packages:sle-module-public-cloud-release
n/a
000release-packages:sle-module-server-applications-release
n/a
suse-build-key
- import all keys if they are not yet in the RPM db.

- Added post quantum cryptographic keys for SLES 15 and SLES 16.
  - build-pqc-15.pem
  - build-pqc-16.pem
util-linux-systemd
- loopdev: Prevent unauthorized read access to symlinked filesystem
  images (bsc#1261606, CVE-2026-27456,
  util-linux-CVE-2026-27456.patch).
xen
- bsc#1264066 - VUL-0: CVE-2025-54518: xen: AMD-SN-7052: CPU OP
  Cache Corruption
  xsa490-1.patch
  xsa490-2.patch