sles-sap-15-sp4-hardened-byos-v20260507-x86-64 Package Source Changes

000release-packages:SLES_SAP-release

n/a

cloud-netconfig

- Update to version 1.19
  + Make sure IPADDR variable is stripped of netmask

- Update to version 1.18
  +  Fix issue with link-local address routing (bsc#1258730)

- Update to version 1.17
  + Do not set broadcast address explicitly (bsc#1258406)

- Update to version 1.16
  + Fix query of default CLOUD_NETCONFIG_MANAGE (bsc#1253223
  + Fix variable names in the README

kernel-default

- crypto: authencesn - Fix src offset when decrypting in-place
  (bsc#1262573 CVE-2026-31431).
- commit eeb9840

- crypto: authencesn - Do not place hiseq at end of dst for
  out-of-place decryption (bsc#1262573 CVE-2026-31431).
- commit b95e28f

- crypto: authenc - use memcpy_sglist() instead of null skcipher
  (bsc#1262573 CVE-2026-31431).
- Refresh
  patches.suse/crypto-authencesn-reject-too-short-AAD-assoclen-8-to.patch
- commit 5e2a8c3

- kABI: Restore af_alg_{count,pull}_tsgl() signatures (bsc#1262573
  CVE-2026-31431).
- commit 4724a96

- crypto: algif_aead - Revert to operating out-of-place
  (bsc#1262573 CVE-2026-31431).
- commit 28ccad7

- crypto: algif_aead - use memcpy_sglist() instead of null skcipher
  (bsc#1262573 CVE-2026-31431).
- commit a10af2f

- crypto: scatterwalk - Fix memcpy_sglist() to always succeed
  (bsc#1262573 CVE-2026-31431).
- commit 2dd8cc2

- crypto: scatterwalk - Add memcpy_sglist (bsc#1262573
  CVE-2026-31431).
- commit 2f7dbcb

curl

- Security fixes:
  * CVE-2026-4873: connection reuse ignores TLS requirement (bsc#1262631)
  * CVE-2026-5545: wrong reuse of HTTP Negotiate connection (bsc#1262632)
  * CVE-2026-6253: proxy credentials leak over redirect-to proxy (bsc#1262635)
  * CVE-2026-6276: stale custom cookie host causes cookie leak (bsc#1262636)
  * CVE-2026-6429: netrc credential leak with reused proxy connection (bsc#1262638)
  * sws: prevent "connection monitor" to say disconnect twice (bsc#1259362)
  * Add patches:
  - curl-CVE-2026-4873.patch
  - curl-CVE-2026-5545.patch
  - curl-CVE-2026-6253.patch
  - curl-CVE-2026-6276.patch
  - curl-CVE-2026-6429.patch
  - curl-CVE-2026-1965-disable-ntlm-fix.patch

util-linux

- Recognize fuse "portal" as a virtual file system (boo#1234736,
  util-linux-libmount-fuse-portal.patch).

- fdisk: Fix possible partition overlay and data corruption if EBR
  gap is missing (boo#1222465,
  util-linux-libfdisk-ebr-missing-gap-1.patch,
  util-linux-tests-fdisk-ebr-missing-gap-1.patch,
  util-linux-tests-fdisk-ebr-missing-gap-2.patch,
  util-linux-libfdisk-ebr-missing-gap-2.patch,
  util-linux-tests-fdisk-ebr-missing-gap-3.patch).

libpng12

- version update to 1.2.59 [jsc#PED-16191]
  Added png_check_chunk_length() function, and check all chunks except
    IDAT against the default 8MB limit; check IDAT against the maximum
    size computed from IHDR parameters (Fixes CVE-2017-12652).
  Initialize memory allocated by png_inflate to zero, using memset, to
    stop an oss-fuzz "use of uninitialized value" detection in png_set_text_2()
    due to truncated iTXt or zTXt chunk.
  Added png_check_chunk_length() function, and check all chunks except
    IDAT against the default 8MB limit; check IDAT against the maximum
    size computed from IHDR parameters (Fixes CVE-2017-12652).
- deleted patches
  * libpng12-CVE-2026-25646.patch  (upstreamed)
- fixes CVE-2017-12652 [bsc#1141493]

- added patches
  CVE-2026-33416: use-after-free via pointer aliasing in `png_set_tRNS` and `png_set_PLTE` can lead to arbitrary code execution [bsc#1260754]
  * libpng12-CVE-2026-33416.patch
  CVE-2026-34757: Information disclosure and data corruption via use-after-free vulnerability [bsc#1261957]
  * libpng12-CVE-2026-34757.patch

polkit

- avoid reading endless amounts of memory (CVE-2026-4897 bsc#1260859)
  0001-CVE-2026-4897-getline-string-overflow.patch

python3

- Add CVE-2026-6019-Morsel-js_output.patch protects against HTML
  injection by Base64-encoding cookie values embedded in JS
  (bsc#1262654, CVE-2026-6019, gh#python/cpython#90309).

- Add CVE-2026-1502-reject-CRLF-HTTP-tunnel.patch which rejects
  CR/LF in HTTP tunnel request headers (bsc#1261969,
  CVE-2026-1502, gh#python/cpython#146211).

- Add CVE-2026-4786-webbrowser-open-action.patch, which fixes
  webbrowser %action substitution bypass of dash-prefix check
  (bsc#1262319, CVE-2026-4786, gh#python/cpython#148169).

- Add CVE-2026-6100-use-after-free-decompression.patch preventing
  dangling pointer which can end in the use-after-free error
  (CVE-2026-6100, bsc#1262098, gh#python/cpython#148395).

- Fix calling of sphinx build with non-standard Python
  interpreter (including new patch sphinx-set-PYTHON.patch).

- Add CVE-2026-3446-base64-padding.patch preventing ignoring
  excess Base64 data after the first padded quad (bsc#1261970,
  CVE-2026-3446, gh#python/cpython#145264).

- Add CVE-2026-3479-pkgutil_get_data.patch pkgutil.get_data() has
  the same security model as open(). The documented limitations
  ensure compatibility with non-filesystem loaders; Python
  doesn't check that. (bsc#1259989, CVE-2026-3479,
  gh#python/cpython#146121).

- Add CVE-2026-4519-webbrowser-open-dashes.patch to reject
  leading dashes in webbrowser URLs (bsc#1260026, CVE-2026-4519,
  gh#python/cpython#143930).

- Add CVE-2025-13462-tarinfo-header-parse.patch which skips
  TarInfo DIRTYPE normalization during GNU long name handling
  (bsc#1259611, CVE-2025-13462).

- Add CVE-2026-4224-expat-unbound-C-recursion.patch avoiding
  unbound C recursion in conv_content_model in pyexpat.c
  (bsc#1259735, CVE-2026-4224).

- Add CVE-2026-3644-cookies-Morsel-update-II.patch to reject
  control characters in http.cookies.Morsel.update() and
  http.cookies.BaseCookie.js_output (bsc#1259734, CVE-2026-3644).

python-requests

- CVE-2026-25645: `extract_zipped_paths()` uses predictable filenames when extracting files from zip archives and reuses target files that already exist without validation (bsc#1260589)
  Add patch CVE-2026-25645.patch

sed

- Add CVE-2026-5958.patch
  * Fix CVE-2026-5958 (bsc#1262144):
    A TOCTOU race can allow to read attacker-controlled content and write
    it to an unintended file

000release-packages:sle-ha-release

n/a

000release-packages:sle-module-basesystem-release

n/a

000release-packages:sle-module-containers-release

n/a

000release-packages:sle-module-desktop-applications-release

n/a

000release-packages:sle-module-development-tools-release

n/a

000release-packages:sle-module-public-cloud-release

n/a

000release-packages:sle-module-sap-applications-release

n/a

000release-packages:sle-module-server-applications-release

n/a

util-linux-systemd

- Recognize fuse "portal" as a virtual file system (boo#1234736,
  util-linux-libmount-fuse-portal.patch).

- fdisk: Fix possible partition overlay and data corruption if EBR
  gap is missing (boo#1222465,
  util-linux-libfdisk-ebr-missing-gap-1.patch,
  util-linux-tests-fdisk-ebr-missing-gap-1.patch,
  util-linux-tests-fdisk-ebr-missing-gap-2.patch,
  util-linux-libfdisk-ebr-missing-gap-2.patch,
  util-linux-tests-fdisk-ebr-missing-gap-3.patch).

xen

- bsc#1262428 - VUL-0: CVE-2025-54505: xen: Floating Point Divider
  State Sampling on AMD CPUs AMD-SN-7053 (XSA-488)
  xsa488.patch

- bsc#1262178 - VUL-0: CVE-2026-23557: xen: Xenstored DoS via
  XS_RESET_WATCHES command (XSA-484)
  xsa484.patch
- bsc#1262180 - VUL-0: CVE-2026-23558: xen: grant table v2 race in
  status page mapping (XSA-486)
  xsa486.patch