sles-15-sp6-hardened-byos-v20260519-x86-64 Package Source Changes

cloud-netconfig

- Update to version 1.19
  + Make sure IPADDR variable is stripped of netmask

- Update to version 1.18
  +  Fix issue with link-local address routing (bsc#1258730)

- Update to version 1.17
  + Do not set broadcast address explicitly (bsc#1258406)

- Update to version 1.16
  + Fix query of default CLOUD_NETCONFIG_MANAGE (bsc#1253223
  + Fix variable names in the README

curl

- Security fixes:
  * CVE-2026-4873: connection reuse ignores TLS requirement (bsc#1262631)
  * CVE-2026-5545: wrong reuse of HTTP Negotiate connection (bsc#1262632)
  * CVE-2026-6253: proxy credentials leak over redirect-to proxy (bsc#1262635)
  * CVE-2026-6276: stale custom cookie host causes cookie leak (bsc#1262636)
  * CVE-2026-6429: netrc credential leak with reused proxy connection (bsc#1262638)
  * sws: prevent "connection monitor" to say disconnect twice (bsc#1259362)
  * Add patches:
  - curl-CVE-2026-4873.patch
  - curl-CVE-2026-5545.patch
  - curl-CVE-2026-6253.patch
  - curl-CVE-2026-6276.patch
  - curl-CVE-2026-6429.patch
  - curl-CVE-2026-1965-disable-ntlm-fix.patch

kernel-default

- kabi assert ptrace: slightly saner 'get_dumpable()' logic
  (bsc#1265308).
- kabi ptrace: slightly saner 'get_dumpable()' logic
  (bsc#1265308).
- commit a41488d

- ptrace: slightly saner 'get_dumpable()' logic (bsc#1265308).
- commit 64e874a

- x86/CPU/AMD: Prevent improper isolation of shared resources
  in Zen2's op cache (bsc#1264013 CVE-2025-54518).
- commit f788381

- io-wq: check that the predecessor is hashed in
  io_wq_remove_pending() (git-fixes).
- commit fcb4942

- net: skbuff: propagate shared-frag marker through pskb_copy()
  (CVE-2026-46300 bsc#1265209).
- commit 7c5b30e

- disable unsupported CONFIG_AFS_FS and CONFIG_AF_RXRPC
- commit 52e00eb

- supported.conf: drop rxrpc and afs_fs (bsc#1264450)
- commit 8bd3950

- xfrm: esp: avoid in-place decrypt on shared skb frags
  (bsc#1264449).
- commit 871ac04

python3

- Add CVE-2026-6019-Morsel-js_output.patch protects against HTML
  injection by Base64-encoding cookie values embedded in JS
  (bsc#1262654, CVE-2026-6019, gh#python/cpython#90309).

- Add CVE-2026-1502-reject-CRLF-HTTP-tunnel.patch which rejects
  CR/LF in HTTP tunnel request headers (bsc#1261969,
  CVE-2026-1502, gh#python/cpython#146211).

- Add CVE-2026-4786-webbrowser-open-action.patch, which fixes
  webbrowser %action substitution bypass of dash-prefix check
  (bsc#1262319, CVE-2026-4786, gh#python/cpython#148169).

- Add CVE-2026-6100-use-after-free-decompression.patch preventing
  dangling pointer which can end in the use-after-free error
  (CVE-2026-6100, bsc#1262098, gh#python/cpython#148395).

- Fix calling of sphinx build with non-standard Python
  interpreter (including new patch sphinx-set-PYTHON.patch).

- Add CVE-2026-3446-base64-padding.patch preventing ignoring
  excess Base64 data after the first padded quad (bsc#1261970,
  CVE-2026-3446, gh#python/cpython#145264).

- Add CVE-2026-3479-pkgutil_get_data.patch pkgutil.get_data() has
  the same security model as open(). The documented limitations
  ensure compatibility with non-filesystem loaders; Python
  doesn't check that. (bsc#1259989, CVE-2026-3479,
  gh#python/cpython#146121).

- Add CVE-2026-4519-webbrowser-open-dashes.patch to reject
  leading dashes in webbrowser URLs (bsc#1260026, CVE-2026-4519,
  gh#python/cpython#143930).

- Add CVE-2025-13462-tarinfo-header-parse.patch which skips
  TarInfo DIRTYPE normalization during GNU long name handling
  (bsc#1259611, CVE-2025-13462).

- Add CVE-2026-4224-expat-unbound-C-recursion.patch avoiding
  unbound C recursion in conv_content_model in pyexpat.c
  (bsc#1259735, CVE-2026-4224).

- Add CVE-2026-3644-cookies-Morsel-update-II.patch to reject
  control characters in http.cookies.Morsel.update() and
  http.cookies.BaseCookie.js_output (bsc#1259734, CVE-2026-3644).

tiff

- * CVE-2026-4775: Signed integer overflow in putcontig8bitYCbCr44tile (bsc#1260411)
    Add tiff-CVE-2026-4775.patch

openssh

- Added openssh-cve-2026-35385-scp-setuid-modes.patch (bsc#1261427),
  ensuring setuid bits default to being masked out by scp.
- Added openssh-cve-2026-35414-mishandled-ca-commas.patch
  (bsc#1261430), fixing mishandling of comma characters in CA in
  certain situations.

scap-security-guide

- Temporary package with hardening profile for CHOST

sed

- Add CVE-2026-5958.patch
  * Fix CVE-2026-5958 (bsc#1262144):
    A TOCTOU race can allow to read attacker-controlled content and write
    it to an unintended file

suse-build-key

- import all keys if they are not yet in the RPM db.

- Added post quantum cryptographic keys for SLES 15 and SLES 16.
  - build-pqc-15.pem
  - build-pqc-16.pem