SUSE-SLE-Module-Desktop-Applications-15-SP7-2025-298
Recommended update for libostree
moderate
SUSE Updates SLE-Module-Desktop-Applications 15-SP7 x86 64
This update for libostree fixes the following issues:
- Version update 2024.10:
+ enable composefs by default, various composefs fixes.
+ core: Always sort incoming xattrs.
+ sign-ed25519: Fix error message of validate_length.
+ profiles-fuse: when fuse execution fails it still returns exit code 0.
+ documentation updates.
+ deploy: Don't recompute verity checksums if not enabled (performance improvement).
+ various prepare-root fixes.
- Drop rcFOO symlinks.
+ Adapt to a change in libcurl that caused ostree to start crashing.
+ switchroot: Stop making /sysroot mount private.
+ bugfix for "transient-etc" users, root.transient switch to tmpfs.
+ sysroot: check if deployments are in the same stateroot, turn on
bootloader-naming-2 by default.
+ sepolicy: Fix publicity mismatch for ostree_sepolicy_host_enabled.
+ main: Ignore SIGPIPE when printing version.
+ bootloader/grub2: Don't do anything if we have static configs.
+ kargs: parse spaces in kargs input and keep quotes.
+ Ensure boot directory is open before accessing it for early pruning.
+ checkout: Always replace existing content with overlay mode.
+ Expand ostree admin pin command.
+ Finalize "deployment finalization locking" feature.
+ Add ostree admin post-copy.
+ Speed-up through reflinks.
+ Improvements to system root and bootloader.
+ Bug fixes, documentation updates, and developer fixes.
libostree-2024.10-150500.3.9.4.src.rpm
libostree-2024.10-150500.3.9.4.x86_64.rpm
libostree-devel-2024.10-150500.3.9.4.x86_64.rpm
typelib-1_0-OSTree-1_0-2024.10-150500.3.9.4.x86_64.rpm
SUSE-SLE-Module-Desktop-Applications-15-SP7-2025-1638
Security update for openssh
moderate
SUSE Updates SLE-Module-Desktop-Applications 15-SP7 x86 64
This update for openssh fixes the following issue:
Security fixes:
- CVE-2025-32728: Fixed logic error in DisableForwarding option (bsc#1241012)
Other fixes:
- Fix ssh client segfault with GSSAPIKeyExchange=yes in ssh_kex2
due to gssapi proposal not being correctly initialized (bsc#1236826).
The problem was introduced in the rebase of the patch for 9.6p1
- Enable --with-logind to call the SetTTY dbus method in systemd.
This allows "wall" to print messages in ssh ttys (bsc#1239671)
openssh-askpass-gnome-9.6p1-150600.6.26.1.src.rpm
openssh-askpass-gnome-9.6p1-150600.6.26.1.x86_64.rpm
SUSE-SLE-Module-Desktop-Applications-15-SP7-2025-1696
Recommended update for brasero
moderate
SUSE Updates SLE-Module-Desktop-Applications 15-SP7 x86 64
This update for brasero fixes the following issue:
- Prefer "application/vnd.efi.iso" to "application/x-cd-image" mime
type for ISO images (bsc#1240410).
brasero-3.12.3-150600.10.3.2.src.rpm
brasero-3.12.3-150600.10.3.2.x86_64.rpm
brasero-devel-3.12.3-150600.10.3.2.x86_64.rpm
brasero-lang-3.12.3-150600.10.3.2.noarch.rpm
libbrasero-burn3-1-3.12.3-150600.10.3.2.x86_64.rpm
libbrasero-media3-1-3.12.3-150600.10.3.2.x86_64.rpm
libbrasero-utils3-1-3.12.3-150600.10.3.2.x86_64.rpm
typelib-1_0-BraseroBurn-3_2_0-3.12.3-150600.10.3.2.x86_64.rpm
typelib-1_0-BraseroMedia-3_2_0-3.12.3-150600.10.3.2.x86_64.rpm
SUSE-SLE-Module-Desktop-Applications-15-SP7-2025-1572
Security update for libraw
moderate
SUSE Updates SLE-Module-Desktop-Applications 15-SP7 x86 64
This update for libraw fixes the following issues:
- CVE-2025-43961: Fixed out-of-bounds read in the Fujifilm 0xf00c tag parser in metadata/tiff.cpp (bsc#1241643)
- CVE-2025-43962: Fixed out-of-bounds read during tag 0x412 processing in the phase_one_correct function (bsc#1241585)
- CVE-2025-43963: Fixed out-of-buffer access during phase_one_correct in decoders/load_mfbacks.cpp (bsc#1241642)
- CVE-2025-43964: Fixed tag 0x412 processing in phase_one_correct, which did not enforce minimum w0 and w1 values (bsc#1241584)
libraw-0.21.1-150600.3.5.1.src.rpm
libraw23-0.21.1-150600.3.5.1.x86_64.rpm
SUSE-SLE-Module-Desktop-Applications-15-SP7-2025-1464
Security update for ImageMagick
moderate
SUSE Updates SLE-Module-Desktop-Applications 15-SP7 x86 64
This update for ImageMagick fixes the following issues:
- CVE-2025-43965: Fixed mishandling of image depth after SetQuantumFormat is used in MIFF image processing. (bsc#1241659)
- CVE-2025-46393: Fixed mishandling of packet_size that leads to rendering of channels in arbitrary order in multispectral MIFF image processing. (bsc#1241658)
ImageMagick-7.1.0.9-150400.6.30.1.src.rpm
ImageMagick-config-7-upstream-7.1.0.9-150400.6.30.1.x86_64.rpm
SUSE-SLE-Module-Desktop-Applications-15-SP7-2025-1559
Security update for audiofile
moderate
SUSE Updates SLE-Module-Desktop-Applications 15-SP7 x86 64
This update for audiofile fixes the following issues:
- CVE-2019-13147: Fixed NULL pointer dereference in ulaw2linear_buf that could lead to DOS (bsc#1140031).
- CVE-2022-24599: unverified user input when processing audio files can lead to information leak (bsc#1196487).
audiofile-0.3.6-150000.3.12.1.src.rpm
audiofile-devel-0.3.6-150000.3.12.1.x86_64.rpm
libaudiofile1-0.3.6-150000.3.12.1.x86_64.rpm
SUSE-SLE-Module-Desktop-Applications-15-SP7-2025-1582
Security update for brltty
moderate
SUSE Updates SLE-Module-Desktop-Applications 15-SP7 x86 64
This update for brltty fixes the following issues:
- Avoid having brlapi.key temporarily world-readable during creation (bsc#1235438).
brltty-6.6-150600.3.3.1.src.rpm
brltty-6.6-150600.3.3.1.x86_64.rpm
brltty-driver-at-spi2-6.6-150600.3.3.1.x86_64.rpm
brltty-driver-brlapi-6.6-150600.3.3.1.x86_64.rpm
brltty-driver-speech-dispatcher-6.6-150600.3.3.1.x86_64.rpm
brltty-lang-6.6-150600.3.3.1.noarch.rpm
SUSE-SLE-Module-Desktop-Applications-15-SP7-2025-1781
Recommended update for pipewire
moderate
SUSE Updates SLE-Module-Desktop-Applications 15-SP7 x86 64
This update for pipewire fixes the following issue:
- Add patch from upstream to make pipewire not run as root at all (bsc#1222762).
gstreamer-plugin-pipewire-1.0.5+git36.60deeb2-150600.3.6.2.x86_64.rpm
pipewire-1.0.5+git36.60deeb2-150600.3.6.2.src.rpm
pipewire-1.0.5+git36.60deeb2-150600.3.6.2.x86_64.rpm
pipewire-lang-1.0.5+git36.60deeb2-150600.3.6.2.noarch.rpm
pipewire-spa-tools-1.0.5+git36.60deeb2-150600.3.6.2.x86_64.rpm
pipewire-tools-1.0.5+git36.60deeb2-150600.3.6.2.x86_64.rpm
SUSE-SLE-Module-Desktop-Applications-15-SP7-2025-1565
Security update for open-vm-tools
moderate
SUSE Updates SLE-Module-Desktop-Applications 15-SP7 x86 64
This update for open-vm-tools fixes the following issues:
Update to 12.5.2:
Security fixes:
- CVE-2025-22247: Fixed Insecure file handling (bsc#1243106)
Other fixes:
- Fixed GCC 15 compile time error (bsc#1241938)
- Fix building with containerd 1.7.25+ (bsc#1237147)
Full changelog:
https://github.com/vmware/open-vm-tools/blob/stable-12.5.2/ReleaseNotes.md
https://github.com/vmware/open-vm-tools/blob/stable-12.5.2/open-vm-tools/ChangeLog
open-vm-tools-12.5.2-150600.3.12.1.src.rpm
open-vm-tools-desktop-12.5.2-150600.3.12.1.x86_64.rpm
SUSE-SLE-Module-Desktop-Applications-15-SP7-2025-2215
Recommended update for firewalld
moderate
SUSE Updates SLE-Module-Desktop-Applications 15-SP7 x86 64
This update for firewalld fixes the following issue:
Align with the up-to-date Python stack tools.
This update also ships python311-firewall and python311-dbus-python to the Python3 Module.
firewall-applet-2.0.1-150600.3.9.1.noarch.rpm
firewall-config-2.0.1-150600.3.9.1.noarch.rpm
firewalld-2.0.1-150600.3.9.1.src.rpm
SUSE-SLE-Module-Desktop-Applications-15-SP7-2025-2170
Security update for yelp
moderate
SUSE Updates SLE-Module-Desktop-Applications 15-SP7 x86 64
This update for yelp fixes the following issues:
- CVE-2025-3155: JavaScript code execution and arbitrary file read through specially crafted help files and ghelp
scheme URLs (bsc#1240688).
libyelp0-42.2-150600.3.3.1.x86_64.rpm
yelp-42.2-150600.3.3.1.src.rpm
yelp-42.2-150600.3.3.1.x86_64.rpm
yelp-devel-42.2-150600.3.3.1.x86_64.rpm
yelp-lang-42.2-150600.3.3.1.noarch.rpm
SUSE-SLE-Module-Desktop-Applications-15-SP7-2025-2168
Security update for yelp-xsl
moderate
SUSE Updates SLE-Module-Desktop-Applications 15-SP7 x86 64
This update for yelp-xsl fixes the following issues:
- CVE-2025-3155: JavaScript code execution and arbitrary file read through specially crafted help files and ghelp
scheme URLs (bsc#1240688).
yelp-xsl-41.1-150400.3.3.1.noarch.rpm
yelp-xsl-41.1-150400.3.3.1.src.rpm
SUSE-SLE-Module-Desktop-Applications-15-SP7-2025-1737
Security update for gstreamer-plugins-bad
important
SUSE Updates SLE-Module-Desktop-Applications 15-SP7 x86 64
This update for gstreamer-plugins-bad fixes the following issues:
- CVE-2025-3887: Fixed possible RCE vulnerability via buffer overflow in H265 Codec Parsing (bsc#1242809).
gstreamer-plugins-bad-1.24.0-150600.4.3.1.src.rpm
gstreamer-plugins-bad-1.24.0-150600.4.3.1.x86_64.rpm
gstreamer-plugins-bad-devel-1.24.0-150600.4.3.1.x86_64.rpm
gstreamer-plugins-bad-lang-1.24.0-150600.4.3.1.noarch.rpm
libgstadaptivedemux-1_0-0-1.24.0-150600.4.3.1.x86_64.rpm
libgstanalytics-1_0-0-1.24.0-150600.4.3.1.x86_64.rpm
libgstbadaudio-1_0-0-1.24.0-150600.4.3.1.x86_64.rpm
libgstbasecamerabinsrc-1_0-0-1.24.0-150600.4.3.1.x86_64.rpm
libgstcodecparsers-1_0-0-1.24.0-150600.4.3.1.x86_64.rpm
libgstcodecs-1_0-0-1.24.0-150600.4.3.1.x86_64.rpm
libgstcuda-1_0-0-1.24.0-150600.4.3.1.x86_64.rpm
libgstdxva-1_0-0-1.24.0-150600.4.3.1.x86_64.rpm
libgstinsertbin-1_0-0-1.24.0-150600.4.3.1.x86_64.rpm
libgstisoff-1_0-0-1.24.0-150600.4.3.1.x86_64.rpm
libgstmpegts-1_0-0-1.24.0-150600.4.3.1.x86_64.rpm
libgstmse-1_0-0-1.24.0-150600.4.3.1.x86_64.rpm
libgstsctp-1_0-0-1.24.0-150600.4.3.1.x86_64.rpm
libgsturidownloader-1_0-0-1.24.0-150600.4.3.1.x86_64.rpm
libgstva-1_0-0-1.24.0-150600.4.3.1.x86_64.rpm
libgstvulkan-1_0-0-1.24.0-150600.4.3.1.x86_64.rpm
libgstwayland-1_0-0-1.24.0-150600.4.3.1.x86_64.rpm
libgstwebrtc-1_0-0-1.24.0-150600.4.3.1.x86_64.rpm
libgstwebrtcnice-1_0-0-1.24.0-150600.4.3.1.x86_64.rpm
typelib-1_0-CudaGst-1_0-1.24.0-150600.4.3.1.x86_64.rpm
typelib-1_0-GstAnalytics-1_0-1.24.0-150600.4.3.1.x86_64.rpm
typelib-1_0-GstBadAudio-1_0-1.24.0-150600.4.3.1.x86_64.rpm
typelib-1_0-GstCodecs-1_0-1.24.0-150600.4.3.1.x86_64.rpm
typelib-1_0-GstCuda-1_0-1.24.0-150600.4.3.1.x86_64.rpm
typelib-1_0-GstDxva-1_0-1.24.0-150600.4.3.1.x86_64.rpm
typelib-1_0-GstInsertBin-1_0-1.24.0-150600.4.3.1.x86_64.rpm
typelib-1_0-GstMpegts-1_0-1.24.0-150600.4.3.1.x86_64.rpm
typelib-1_0-GstMse-1_0-1.24.0-150600.4.3.1.x86_64.rpm
typelib-1_0-GstPlay-1_0-1.24.0-150600.4.3.1.x86_64.rpm
typelib-1_0-GstPlayer-1_0-1.24.0-150600.4.3.1.x86_64.rpm
typelib-1_0-GstVa-1_0-1.24.0-150600.4.3.1.x86_64.rpm
typelib-1_0-GstWebRTC-1_0-1.24.0-150600.4.3.1.x86_64.rpm
SUSE-SLE-Module-Desktop-Applications-15-SP7-2025-1746
Security update for webkit2gtk3
important
SUSE Updates SLE-Module-Desktop-Applications 15-SP7 x86 64
This update for webkit2gtk3 fixes the following issues:
Update to version 2.48.2.
Security issues fixed:
- CVE-2025-31205: lack of checks may lead to cross-origin data exfiltration through a malicious website (bsc#1243282).
- CVE-2025-31204: improper memory handling when processing certain web content may lead to memory corruption
(bsc#1243286).
- CVE-2025-31206: type confusion issue when processing certain web content may lead to an unexpected crash
(bsc#1243288).
- CVE-2025-31215: lack of checks when processing certain web content may lead to an unexpected crash (bsc#1243289).
- CVE-2025-31257: improper memory handling when processing certain web content may lead to an unexpected crash
(bsc#1243596).
- CVE-2025-24223: improper memory handling when processing certain web content may lead to memory corruption
(bsc#1243424).
Other changes and issues fixed:
- Enable CSS overscroll behavior by default.
- Change threaded rendering implementation to use Skia API instead of WebCore display list that is not thread safe.
- Fix rendering when device scale factor change comes before the web view geometry update.
- Fix network process crash on exit.
- Fix the build with ENABLE_RESOURCE_USAGE=OFF.
- Fix several crashes and rendering issues.
WebKitGTK-4.1-lang-2.48.2-150600.12.40.2.noarch.rpm
libjavascriptcoregtk-4_1-0-2.48.2-150600.12.40.2.x86_64.rpm
libwebkit2gtk-4_1-0-2.48.2-150600.12.40.2.x86_64.rpm
typelib-1_0-JavaScriptCore-4_1-2.48.2-150600.12.40.2.x86_64.rpm
typelib-1_0-WebKit2-4_1-2.48.2-150600.12.40.2.x86_64.rpm
typelib-1_0-WebKit2WebExtension-4_1-2.48.2-150600.12.40.2.x86_64.rpm
webkit2gtk-4_1-injected-bundles-2.48.2-150600.12.40.2.x86_64.rpm
webkit2gtk3-2.48.2-150600.12.40.2.src.rpm
webkit2gtk3-devel-2.48.2-150600.12.40.2.x86_64.rpm
SUSE-SLE-Module-Desktop-Applications-15-SP7-2025-2183
Recommended update for libnvidia-egl-x11
moderate
SUSE Updates SLE-Module-Desktop-Applications 15-SP7 x86 64
This update for libnvidia-egl-x11 fixes the following issues:
- Use upstream URL
- Update to official version 1.0.1
libnvidia-egl-x11-1.0.1-150700.4.3.1.src.rpm
libnvidia-egl-x11-devel-1.0.1-150700.4.3.1.x86_64.rpm
libnvidia-egl-x111-1.0.1-150700.4.3.1.x86_64.rpm
libnvidia-egl-x111-32bit-1.0.1-150700.4.3.1.x86_64.rpm
SUSE-SLE-Module-Desktop-Applications-15-SP7-2025-2182
Recommended update for libnvidia-egl-wayland
moderate
SUSE Updates SLE-Module-Desktop-Applications 15-SP7 x86 64
This update for libnvidia-egl-wayland fixes the following issues:
- Fix an issue causing EGL_EXT_present_opaque to be advertised on non-Wayland EGLDisplays
- Moved XML documentation to -devel package
libnvidia-egl-wayland-1.1.19-150700.3.3.1.src.rpm
libnvidia-egl-wayland1-32bit-1.1.19-150700.3.3.1.x86_64.rpm
SUSE-SLE-Module-Desktop-Applications-15-SP7-2025-2005
Security update for gdm
important
SUSE Updates SLE-Module-Desktop-Applications 15-SP7 x86 64
This update for gdm fixes the following issues:
- CVE-2025-6018: Removes pam_env from auth stack for security reasons (bsc#1243226).
gdm-45.0.1-150700.12.5.1.src.rpm
gdm-45.0.1-150700.12.5.1.x86_64.rpm
gdm-devel-45.0.1-150700.12.5.1.x86_64.rpm
gdm-lang-45.0.1-150700.12.5.1.noarch.rpm
gdm-schema-45.0.1-150700.12.5.1.noarch.rpm
gdm-systemd-45.0.1-150700.12.5.1.noarch.rpm
gdmflexiserver-45.0.1-150700.12.5.1.noarch.rpm
libgdm1-45.0.1-150700.12.5.1.x86_64.rpm
typelib-1_0-Gdm-1_0-45.0.1-150700.12.5.1.x86_64.rpm
SUSE-SLE-Module-Desktop-Applications-15-SP7-2025-2188
Security update for ImageMagick
moderate
SUSE Updates SLE-Module-Desktop-Applications 15-SP7 x86 64
This update for ImageMagick fixes the following issues:
Security issues fixed:
- CVE-2025-43965: mishandling of image depth after SetQuantumFormat is used in MIFF image processing (bsc#1241659).
- CVE-2025-46393: mishandling of packet_size and rendering of channels in arbitrary order in multispectral MIFF image
processing (bsc#1241658).
Other issues fixed:
- Restore SUSE specific hardening config policies that got lost in refactoring (bsc#1243622).
ImageMagick-7.1.1.43-150700.3.3.1.src.rpm
ImageMagick-7.1.1.43-150700.3.3.1.x86_64.rpm
ImageMagick-config-7-SUSE-7.1.1.43-150700.3.3.1.x86_64.rpm
ImageMagick-config-7-upstream-limited-7.1.1.43-150700.3.3.1.x86_64.rpm
ImageMagick-config-7-upstream-open-7.1.1.43-150700.3.3.1.x86_64.rpm
ImageMagick-config-7-upstream-secure-7.1.1.43-150700.3.3.1.x86_64.rpm
ImageMagick-config-7-upstream-websafe-7.1.1.43-150700.3.3.1.x86_64.rpm
ImageMagick-devel-7.1.1.43-150700.3.3.1.x86_64.rpm
libMagick++-7_Q16HDRI5-7.1.1.43-150700.3.3.1.x86_64.rpm
libMagick++-devel-7.1.1.43-150700.3.3.1.x86_64.rpm
libMagickCore-7_Q16HDRI10-7.1.1.43-150700.3.3.1.x86_64.rpm
libMagickWand-7_Q16HDRI10-7.1.1.43-150700.3.3.1.x86_64.rpm
SUSE-SLE-Module-Desktop-Applications-15-SP7-2025-1768
Recommended update for libwnck
important
SUSE Updates SLE-Module-Desktop-Applications 15-SP7 x86 64
This update for libwnck fixes the following issues:
- Fix "declaration after label" error
reported by compiler. (glgo#GNOME/libwnck!67)
- Update to version 43.2 (bsc#1241297):
+ Add WnckHandle to the docs.
+ Add missing build dependency.
+ Do not restore original event mask.
- Switch to source service for tarball/source.
- Update to version 43.1:
+ Return correct number of application windows.
+ Avoid showing pointless tooltips.
+ Do not remove underscores from window titles.
+ Do not crash if XRes 1.2 is not available.
+ Do not crash if display is not available.
- Fixed upstream.
- BuildRequire gettext-devel instead of gettext: allow OBS to
shortcut through gettext-runtime-mini.
libwnck-3-0-43.2-150600.3.3.1.x86_64.rpm
libwnck-43.2-150600.3.3.1.src.rpm
libwnck-devel-43.2-150600.3.3.1.x86_64.rpm
libwnck-lang-43.2-150600.3.3.1.noarch.rpm
typelib-1_0-Wnck-3_0-43.2-150600.3.3.1.x86_64.rpm
SUSE-SLE-Module-Desktop-Applications-15-SP7-2025-1814
Security update for MozillaFirefox
important
SUSE Updates SLE-Module-Desktop-Applications 15-SP7 x86 64
This update for MozillaFirefox fixes the following issues:
Update to Mozilla Firefox ESR 128.11 (MFSA 2025-44, bsc#1243353):
- MFSA-TMP-2025-0001: Double-free in libvpx encoder (bmo#1962421)
- CVE-2025-5263: Error handling for script execution was incorrectly isolated from web content (bmo#1960745)
- CVE-2025-5264: Potential local code execution in "Copy as cURL" command (bmo#1950001)
- CVE-2025-5265: Potential local code execution in "Copy as cURL" command (bmo#1962301)
- CVE-2025-5266: Script element events leaked cross-origin resource status (bmo#1965628)
- CVE-2025-5267: Clickjacking vulnerability could have led to leaking saved payment card details (bmo#1954137)
- CVE-2025-5268: Memory safety bugs fixed in Firefox 139, Thunderbird 139, Firefox ESR 128.11, and Thunderbird 128.11 (bmo#1950136, bmo#1958121, bmo#1960499, bmo#1962634)
- CVE-2025-5269: Memory safety bug fixed in Firefox ESR 128.11 and Thunderbird 128.11 (bmo#1924108)
MozillaFirefox-128.11.0-150200.152.185.1.src.rpm
MozillaFirefox-128.11.0-150200.152.185.1.x86_64.rpm
MozillaFirefox-devel-128.11.0-150200.152.185.1.noarch.rpm
MozillaFirefox-translations-common-128.11.0-150200.152.185.1.x86_64.rpm
MozillaFirefox-translations-other-128.11.0-150200.152.185.1.x86_64.rpm
SUSE-SLE-Module-Desktop-Applications-15-SP7-2025-2892
Optional update for oath-toolkit
low
SUSE Updates SLE-Module-Desktop-Applications 15-SP7 x86 64
This update for brltty provides the following fix:
- Ship missing latest updates on specific architectures:
system-user-brltty to x86_64.
brltty to s390x.
brltty-6.6-150600.3.5.1.src.rpm
brltty-6.6-150600.3.5.1.x86_64.rpm
brltty-driver-at-spi2-6.6-150600.3.5.1.x86_64.rpm
brltty-driver-brlapi-6.6-150600.3.5.1.x86_64.rpm
brltty-driver-speech-dispatcher-6.6-150600.3.5.1.x86_64.rpm
brltty-lang-6.6-150600.3.5.1.noarch.rpm
SUSE-SLE-Module-Desktop-Applications-15-SP7-2025-2129
Optional update for MozillaFirefox-branding-SLE
moderate
SUSE Updates SLE-Module-Desktop-Applications 15-SP7 x86 64
This update for MozillaFirefox-branding-SLE fixes the following issues:
- Rebuild and ship MozillaFirefox-branding-SLE to LTSS, no source change (bsc#1243790)
MozillaFirefox-branding-SLE-128-150200.9.18.1.src.rpm
MozillaFirefox-branding-SLE-128-150200.9.18.1.x86_64.rpm
SUSE-SLE-Module-Desktop-Applications-15-SP7-2025-1968
Security update for wireshark
moderate
SUSE Updates SLE-Module-Desktop-Applications 15-SP7 x86 64
This update for wireshark fixes the following issues:
- CVE-2025-5601: Dissection engine crash (bsc#1244081).
wireshark-4.2.12-150600.18.23.1.src.rpm
wireshark-devel-4.2.12-150600.18.23.1.x86_64.rpm
wireshark-ui-qt-4.2.12-150600.18.23.1.x86_64.rpm
SUSE-SLE-Module-Desktop-Applications-15-SP7-2025-2352
Security update for ffmpeg
moderate
SUSE Updates SLE-Module-Desktop-Applications 15-SP7 x86 64
This update for ffmpeg fixes the following issues:
- CVE-2022-1475: Fixed integer overflow in g729_parse() in libavcodec/g729_parser.c (bsc#1198898).
- CVE-2024-36616: Fixed integer overflow in the component libavformat/westwood_vqa.c (bsc#1234018).
- CVE-2024-36617: Fixed integer overflow vulnerability in the FFmpeg CAF decoder (bsc#1234019).
- CVE-2024-36618: Fixed vulnerability in the AVI demuxer of the libavformat library (bsc#1234020).
ffmpeg-3.4.2-150200.11.64.1.src.rpm
libavcodec57-3.4.2-150200.11.64.1.x86_64.rpm
libavutil-devel-3.4.2-150200.11.64.1.x86_64.rpm
libavutil55-3.4.2-150200.11.64.1.x86_64.rpm
libpostproc-devel-3.4.2-150200.11.64.1.x86_64.rpm
libpostproc54-3.4.2-150200.11.64.1.x86_64.rpm
libswresample-devel-3.4.2-150200.11.64.1.x86_64.rpm
libswresample2-3.4.2-150200.11.64.1.x86_64.rpm
libswscale-devel-3.4.2-150200.11.64.1.x86_64.rpm
libswscale4-3.4.2-150200.11.64.1.x86_64.rpm
SUSE-SLE-Module-Desktop-Applications-15-SP7-2025-2240
Recommended update for openssh
moderate
SUSE Updates SLE-Module-Desktop-Applications 15-SP7 x86 64
This update for openssh fixes the following issue:
- "scp" on SLE 15 ignores write directory permissions for group and world (bsc#1241667).
openssh-askpass-gnome-9.6p1-150600.6.29.2.src.rpm
openssh-askpass-gnome-9.6p1-150600.6.29.2.x86_64.rpm
SUSE-SLE-Module-Desktop-Applications-15-SP7-2025-2226
Security update for vim
moderate
SUSE Updates SLE-Module-Desktop-Applications 15-SP7 x86 64
This update for vim fixes the following issues:
- CVE-2024-41965: Fixed improper neutralization of argument delimiters in zip.vim that could have led to data loss (bsc#1228776).
- CVE-2025-29768: Fixed double-free in dialog_changed() (bsc#1239602).
gvim-9.1.1406-150500.20.27.1.x86_64.rpm
vim-9.1.1406-150500.20.27.1.src.rpm
SUSE-SLE-Module-Desktop-Applications-15-SP7-2025-2122
Security update for MozillaFirefox
important
SUSE Updates SLE-Module-Desktop-Applications 15-SP7 x86 64
This update for MozillaFirefox fixes the following issues:
Update to MozillaFirefox 128.12.0 (MFSA 2025-23, bsc#1244670):
- CVE-2025-6424: Use-after-free in FontFaceSet
- CVE-2025-6425: The WebCompat WebExtension shipped with Firefox exposed a persistent UUID
- CVE-2025-6426: No warning when opening executable terminal files on macOS
- CVE-2025-6429: Incorrect parsing of URLs could have allowed embedding of youtube.com
- CVE-2025-6430: Content-Disposition header ignored when a file is included in an embed or object tag
MozillaFirefox-128.12.0-150200.152.188.1.src.rpm
MozillaFirefox-128.12.0-150200.152.188.1.x86_64.rpm
MozillaFirefox-devel-128.12.0-150200.152.188.1.noarch.rpm
MozillaFirefox-translations-common-128.12.0-150200.152.188.1.x86_64.rpm
MozillaFirefox-translations-other-128.12.0-150200.152.188.1.x86_64.rpm
SUSE-SLE-Module-Desktop-Applications-15-SP7-2025-2210
Recommended update for open-vm-tools
moderate
SUSE Updates SLE-Module-Desktop-Applications 15-SP7 x86 64
This update for open-vm-tools fixes the following issues:
- Update to open-vm-tools 13.0.0 based on build 24696409. (bsc#1245169):
There are no new features in the open-vm-tools 13.0.0 release. This is
primarily a maintenance release that addresses a few issues, including:
+ The vm-support script has been updated to collect the open-vm-tools log
files from the Linux guest and information from the systemd journal.
+ GitHub pull requests have been integrated and issues fixed. Please see
the Resolved Issues section of the Release Notes.
- Add patch:
Currently the "telinit 6" command is used to reboot a Linux VM
following Guest OS Customization. As the classic Linux init system,
SysVinit, is deprecated in favor of a newer init system, systemd,
the telinit command may not be available on the base Linux OS.
This change adds support to Guest OS Customization for the systemd init
system. If the modern init system, systemd, is available, then a
"systemctl reboot" command will be used to trigger reboot. Otherwise,
the "telinit 6" command will be used assuming the traditional init
system, SysVinit, is still available.
- Drop patch now contained in 13.0.0:
- Ran /usr/lib/obs/service/source_validators/helpers/fix_changelog to fix changes
file where source validator was failing.
open-vm-tools-13.0.0-150600.3.15.1.src.rpm
open-vm-tools-desktop-13.0.0-150600.3.15.1.x86_64.rpm
SUSE-SLE-Module-Desktop-Applications-15-SP7-2025-2655
Recommended update for mutter
moderate
SUSE Updates SLE-Module-Desktop-Applications 15-SP7 x86 64
This update for mutter fixes the following issue:
- Fix: Gnome shell crash on startup with mutter scroll event (bsc#1245592).
mutter-45.3-150700.12.3.2.src.rpm
mutter-45.3-150700.12.3.2.x86_64.rpm
mutter-devel-45.3-150700.12.3.2.x86_64.rpm
mutter-lang-45.3-150700.12.3.2.noarch.rpm
SUSE-SLE-Module-Desktop-Applications-15-SP7-2025-3611
Recommended update for mutter
moderate
SUSE Updates SLE-Module-Desktop-Applications 15-SP7 x86 64
This update for mutter fixes the following issues:
- Fix: Gnome shell crash on startup with mutter scroll event.
- Fix lagging after applying a patch for syncing mutter and x11 (bsc#1247940).
- Fixing crash introduced from a previous patch when entering NULL entries
(bsc#1248456, bsc#1249075, bsc#1241155, bsc#1245592).
mutter-45.3-150700.12.12.2.src.rpm
mutter-45.3-150700.12.12.2.x86_64.rpm
mutter-devel-45.3-150700.12.12.2.x86_64.rpm
mutter-lang-45.3-150700.12.12.2.noarch.rpm
SUSE-SLE-Module-Desktop-Applications-15-SP7-2025-2703
Security update for djvulibre
moderate
SUSE Updates SLE-Module-Desktop-Applications 15-SP7 x86 64
This update for djvulibre fixes the following issues:
- CVE-2025-53367: Fixed a bug where a crafted document may lead to an out of bound write. (bsc#1245773)
djvulibre-3.5.27-150200.11.17.1.src.rpm
libdjvulibre-devel-3.5.27-150200.11.17.1.x86_64.rpm
libdjvulibre21-3.5.27-150200.11.17.1.x86_64.rpm
SUSE-SLE-Module-Desktop-Applications-15-SP7-2025-2529
Security update for MozillaFirefox, MozillaFirefox-branding-SLE
important
SUSE Updates SLE-Module-Desktop-Applications 15-SP7 x86 64
This update for MozillaFirefox, MozillaFirefox-branding-SLE fixes the following issues:
MozillaFirefox is updated to the 140ESR series.
Firefox Extended Support Release 140.0esr ESR:
* General
- Reader View now has an enhanced Text and Layout menu with
new options for character spacing, word spacing, and text
alignment. These changes offer a more accessible reading
experience.
- Reader View now has a Theme menu with additional Contrast
and Gray options. You can also select custom colors for text,
background, and links from the Custom tab.
- Firefox will now offer to temporarily remember when users
grant permissions to sites (e.g. geolocation). Temporary
permissions will be removed either after one hour or when the
tab is closed.
- Firefox now includes safeguards to prevent sites from
abusing the history API by generating excessive history
entries, which can make navigating with the back and forward
buttons difficult by cluttering the history. This
intervention ensures that such entries, unless interacted
with by the user, are skipped when using the back and forward
buttons.
- Firefox now identifies all links in PDFs and turns them
into hyperlinks.
- You can now copy links from background tabs using the
tabstrip context menu on macOS and Linux.
- Users on macOS and Linux are now given the option to close
only the current tab if the Quit keyboard shortcut is used
while multiple tabs are open in the window. (bmo#None)
* Sidebar and Tabs
- You can now enable the updated Firefox sidebar in Settings
> General > Browser Layout to quickly access multiple tools
in one click, without leaving your main view. Sidebar tools
include an AI chatbot of your choice, bookmarks, history, and
tabs from devices you sync with your Mozilla account.
- Keep a lot of tabs open? Try our new vertical tabs layout
to quickly scan your list of tabs. With vertical tabs, your
open and pinned tabs appear in the sidebar instead of along
the top of the browser. To turn on vertical tabs, right-click
on the toolbar near the top of the browser and select Turn on
Vertical Tabs. If you’ve enabled the updated sidebar, you can
also go to Customize sidebar and check Vertical tabs. Early
testers report feeling more organized after using vertical
tabs for a few days.
- Stay productive and organized with less effort by grouping
related tabs together. One simple way to create a group is to
drag a tab onto another, pause until you see a highlight,
then drop to create the group. Tab groups can be named,
color-coded, and are always saved. You can close a group and
reopen it later.
- A tab preview is now displayed when hovering the mouse over
background tabs, making it easier to locate the desired tab
without needing to switch tabs.
- The sidebar to view tabs from other devices can now be
opened via the Tab overview menu.
* Security & Privacy
- HTTPS is replacing HTTP as the default protocol in the
address bar on non-local sites. If a site is not available
via HTTPS, Firefox will fall back to HTTP.
- Firefox now blocks third-party cookie access when Enhanced
Tracking Protection's Strict mode is enabled.
- Firefox now has a new anti-tracking feature, Bounce
Tracking Protection, which is now available in Enhanced
Tracking Protection's "Strict" mode. This feature detects
bounce trackers based on their redirect behavior and
periodically purges their cookies and site data to block
tracking.
- Firefox now enforces certificate transparency, requiring
web servers to provide sufficient proof that their
certificates were publicly disclosed before they will be
trusted. This only affects servers using certificates issued
by a certificate authority in Mozilla's Root CA Program.
- Smartblock Embeds allows users to selectively unblock
certain social media embeds that are blocked in ETP Strict
and Private Browsing modes. Currently, support is limited to
a few embed types, with more to be added in future updates.
- Firefox now upgrades page loads to HTTPS by default and
gracefully falls back to HTTP if the secure connection fails.
This behavior is known as HTTPS-First.
- The "Copy Without Site Tracking" menu item was renamed to
"Copy Clean Link" to help clarify expectations around what
the feature does. "Copy Clean Link" is a list-based approach
to remove known tracking parameters from links. This option
can also now be used on plain text links.
- The Clear browsing data and cookies dialog now allows
clearing saved form info separately from browsing history.
* Translations
- Firefox now allows translating selected text portions to
different languages after a full-page translation.
- Full-Page Translations are now available within Firefox
extension pages that start with the moz-extension:// URL
scheme.
- When suggesting a default translation language, Firefox
will now take into consideration languages you have
previously used for translations.
- Added support for many new languages in Firefox
translation.
* Linux
- Firefox now supports touchpad hold gestures on Linux. This
means that kinetic (momentum) scrolling can now be
interrupted by placing two fingers on the touchpad.
* Developer:
- Firefox now supports text fragments, which
allows users to link directly to a specific portion of text
in a web document via a special URL fragment.
- Debugger log-point values are now automatically converted
into profiler markers, making it easy to add information to
the marker timeline directly from the Debugger.
- The Debugger's directory root is now scoped to the specific
domain where it was set, which aligns with typical usage and
avoids applying it across unrelated domains. This builds on
previous improvements such as a redesigned UI and easier
removal of the root setting. Setting a directory root updates
the Source List to show only the selected directory and its
children.
- The Network Blocking feature in the Network panel now
blocks HTTP requests in addition to blocking responses.
- The Network panel displays information about Early Hints,
including a dedicated indicator for the 103 HTTP status code
in the user interface.
- The Network panel now allows overriding network request
responses with local files.
- The filter setting in the Network panel is now preserved
across DevTools Toolbox sessions.
- A new column has been added to the Network panel to display
the full path of the request URL. This enhancement helps
developers quickly view and analyze complete request
paths.
- Introduced a new console command `$$$` that allows
searching the page, including within shadow roots.
- Improved support for debugging web extensions, such as
automatically reloading the web extension's source code in
the Debugger when the extension is reloaded. Workers are now
available in the Console panel’s context selector and
breakpoints function correctly in content scripts.
- In the Inspector Fonts panel, we now display font
metadata, like the font version, designer, vendor, license,
etc.
- Added support for the import map integrity field, allowing
you to ensure the integrity of dynamically or statically
imported modules.
- Implemented support for `Error.isError`, enabling brand
checks to determine whether an object is an instance of
Error.
- Added support for the `error.captureStackTrace` extension
to improve compatibility with other browsers. (Learn more:
http://github.com/tc39/proposal-error-capturestacktrace)
* Enterprise:
- The UserMessaging policy has been updated with
a new option to allow disabling Firefox Labs in preferences.
- The Preferences policy has been updated to allow setting
the preference security.pki.certificate_transparency.mode.
- HTTPS-First is now on by default. You can manage this
behavior using the HttpsOnlyMode and HttpAllowlist policies.
- An internal change has been made to Firefox that removes
`XPCOMUtils.defineLazyGetter`. For most people, this
shouldn't matter, but if you encounter problems with
AutoConfig or third party software like PolicyPak, this might
be the cause. You'll need to reach out to your provider.
- Firefox now supports the Content Analysis SDK for
integrating DLP software. For more information, see this
post.
- The SearchEngines policy is now available on all versions
of Firefox (not just the ESR).
Various security fixes MFSA 2025-51 (bsc#1244670):
* CVE-2025-6424 (bmo#1966423)
Use-after-free in FontFaceSet
* CVE-2025-6425 (bmo#1717672)
The WebCompat WebExtension shipped with Firefox exposed a
persistent UUID
* CVE-2025-6426 (bmo#1964385)
No warning when opening executable terminal files on macOS
* CVE-2025-6427 (bmo#1966927)
connect-src Content Security Policy restriction could be
bypassed
* CVE-2025-6428 (bmo#1970151)
Firefox for Android opened URLs specified in a link
querystring parameter
* CVE-2025-6429 (bmo#1970658)
Incorrect parsing of URLs could have allowed embedding of
youtube.com
* CVE-2025-6430 (bmo#1971140)
Content-Disposition header ignored when a file is included in
an embed or object tag
* CVE-2025-6431 (bmo#1942716)
The prompt in Firefox for Android that asks before opening a
link in an external application could be bypassed
* CVE-2025-6432 (bmo#1943804)
DNS Requests leaked outside of a configured SOCKS proxy
* CVE-2025-6433 (bmo#1954033)
WebAuthn would allow a user to sign a challenge on a webpage
with an invalid TLS certificate
* CVE-2025-6434 (bmo#1955182)
HTTPS-Only exception screen lacked anti-clickjacking delay
* CVE-2025-6435 (bmo#1950056, bmo#1961777)
Save as in Devtools could download files without sanitizing
the extension
* CVE-2025-6436 (bmo#1941377, bmo#1960948, bmo#1966187,
bmo#1966505, bmo#1970764)
Memory safety bugs fixed in Firefox 140 and Thunderbird 140
Various security fixes MFSA 2025-59 (bsc#1246664):
- CVE-2025-8027: JavaScript engine only wrote partial return value to stack
- CVE-2025-8028: Large branch table could lead to truncated instruction
- CVE-2025-8029: javascript: URLs executed on object and embed tags
- CVE-2025-8036: DNS rebinding circumvents CORS
- CVE-2025-8037: Nameless cookies shadow secure cookies
- CVE-2025-8030: Potential user-assisted code execution in “Copy as cURL” command
- CVE-2025-8031: Incorrect URL stripping in CSP reports
- CVE-2025-8032: XSLT documents could bypass CSP
- CVE-2025-8038: CSP frame-src was not correctly enforced for paths
- CVE-2025-8039: Search terms persisted in URL bar
- CVE-2025-8033: Incorrect JavaScript state machine for generators
- CVE-2025-8034: Memory safety bugs fixed in Firefox ESR 115.26, Firefox ESR 128.13, Thunderbird ESR 128.13, Firefox ESR 140.1, Thunderbird ESR 140.1, Firefox 141 and Thunderbird 141
- CVE-2025-8040: Memory safety bugs fixed in Firefox ESR 140.1, Thunderbird ESR 140.1, Firefox 141 and Thunderbird 141
- CVE-2025-8035: Memory safety bugs fixed in Firefox ESR 128.13, Thunderbird ESR 128.13, Firefox ESR 140.1, Thunderbird ESR 140.1, Firefox 141 and Thunderbird 141
MozillaFirefox-140.1.0-150200.152.193.1.src.rpm
MozillaFirefox-140.1.0-150200.152.193.1.x86_64.rpm
MozillaFirefox-branding-SLE-140-150200.9.21.1.src.rpm
MozillaFirefox-branding-SLE-140-150200.9.21.1.x86_64.rpm
MozillaFirefox-devel-140.1.0-150200.152.193.1.noarch.rpm
MozillaFirefox-translations-common-140.1.0-150200.152.193.1.x86_64.rpm
MozillaFirefox-translations-other-140.1.0-150200.152.193.1.x86_64.rpm
SUSE-SLE-Module-Desktop-Applications-15-SP7-2025-2580
Recommended update for firewalld
moderate
SUSE Updates SLE-Module-Desktop-Applications 15-SP7 x86 64
This update for firewalld fixes the following issues:
- Do not recommend python311-firewalld (bsc#1246100)
firewall-applet-2.0.1-150600.3.12.1.noarch.rpm
firewall-config-2.0.1-150600.3.12.1.noarch.rpm
firewalld-2.0.1-150600.3.12.1.src.rpm
SUSE-SLE-Module-Desktop-Applications-15-SP7-2025-3094
Optional update for NetworkManager
low
SUSE Updates SLE-Module-Desktop-Applications 15-SP7 x86 64
This update for NetworkManager fixes the following issue:
- Add NetworkManager-wwan to SLE-Module-Desktop-Applications_15-SP7 (bsc#1246113)
NetworkManager-1.44.2-150600.3.4.1.src.rpm
NetworkManager-1.44.2-150600.3.4.1.x86_64.rpm
NetworkManager-wwan-1.44.2-150600.3.4.1.x86_64.rpm
SUSE-SLE-Module-Desktop-Applications-15-SP7-2025-2510
Security update for ImageMagick
important
SUSE Updates SLE-Module-Desktop-Applications 15-SP7 x86 64
This update for ImageMagick fixes the following issues:
- CVE-2025-53014: Fixed an off-by-one error that may cause an out-of-bounds memory access (bsc#1246530)
- CVE-2025-53019: Fixed format specifiers in a filename template that may cause a memory leak (bsc#1246534)
- CVE-2025-53101: Fixed input manipulation that may lead to an out-of-bound write (bsc#1246529)
ImageMagick-7.1.0.9-150400.6.33.1.src.rpm
ImageMagick-config-7-upstream-7.1.0.9-150400.6.33.1.x86_64.rpm
SUSE-SLE-Module-Desktop-Applications-15-SP7-2025-2801
Security update for ImageMagick
moderate
SUSE Updates SLE-Module-Desktop-Applications 15-SP7 x86 64
This update for ImageMagick fixes the following issues:
- CVE-2025-53014: Fixed an off-by-one error that may cause an out-of-bounds memory access (bsc#1246530)
- CVE-2025-53015: Fixed specific XMP file conversion that may cause an infinite loop (bsc#1246531)
- CVE-2025-53019: Fixed format specifiers in a filename template that may cause a memory leak (bsc#1246534)
- CVE-2025-53101: Fixed input manipulation that may lead to an out-of-bound write (bsc#1246529)
Other fix:
- Crop filename pattern %03d no longer works in ImageMagick 7 (bsc#1247475)
ImageMagick-7.1.1.43-150700.3.8.1.src.rpm
ImageMagick-7.1.1.43-150700.3.8.1.x86_64.rpm
ImageMagick-config-7-SUSE-7.1.1.43-150700.3.8.1.x86_64.rpm
ImageMagick-config-7-upstream-limited-7.1.1.43-150700.3.8.1.x86_64.rpm
ImageMagick-config-7-upstream-open-7.1.1.43-150700.3.8.1.x86_64.rpm
ImageMagick-config-7-upstream-secure-7.1.1.43-150700.3.8.1.x86_64.rpm
ImageMagick-config-7-upstream-websafe-7.1.1.43-150700.3.8.1.x86_64.rpm
ImageMagick-devel-7.1.1.43-150700.3.8.1.x86_64.rpm
libMagick++-7_Q16HDRI5-7.1.1.43-150700.3.8.1.x86_64.rpm
libMagick++-devel-7.1.1.43-150700.3.8.1.x86_64.rpm
libMagickCore-7_Q16HDRI10-7.1.1.43-150700.3.8.1.x86_64.rpm
libMagickWand-7_Q16HDRI10-7.1.1.43-150700.3.8.1.x86_64.rpm
SUSE-SLE-Module-Desktop-Applications-15-SP7-2025-2990
Security update for ffmpeg
moderate
SUSE Updates SLE-Module-Desktop-Applications 15-SP7 x86 64
This update for ffmpeg fixes the following issues:
- CVE-2025-7700: Fixed NULL Pointer Dereference in FFmpeg ALS Decoder (libavcodec/alsdec.c) (bsc#1246790).
ffmpeg-3.4.2-150200.11.67.1.src.rpm
libavcodec57-3.4.2-150200.11.67.1.x86_64.rpm
libavutil-devel-3.4.2-150200.11.67.1.x86_64.rpm
libavutil55-3.4.2-150200.11.67.1.x86_64.rpm
libpostproc-devel-3.4.2-150200.11.67.1.x86_64.rpm
libpostproc54-3.4.2-150200.11.67.1.x86_64.rpm
libswresample-devel-3.4.2-150200.11.67.1.x86_64.rpm
libswresample2-3.4.2-150200.11.67.1.x86_64.rpm
libswscale-devel-3.4.2-150200.11.67.1.x86_64.rpm
libswscale4-3.4.2-150200.11.67.1.x86_64.rpm
SUSE-SLE-Module-Desktop-Applications-15-SP7-2025-2765
Security update for webkit2gtk3
important
SUSE Updates SLE-Module-Desktop-Applications 15-SP7 x86 64
This update for webkit2gtk3 fixes the following issues:
Updated to version 2.48.5:
- CVE-2025-31273: Fixed a vulnerability where processing maliciously crafted web content could lead to memory corruption. (bsc#1247564)
- CVE-2025-31278: Fixed a vulnerability where processing maliciously crafted web content may lead to memory corruption. (bsc#1247563)
- CVE-2025-43211: Fixed a vulnerability where processing web content may lead to a denial-of-service. (bsc#1247562)
- CVE-2025-43212: Fixed a vulnerability where processing maliciously crafted web content may lead to an unexpected Safari crash. (bsc#1247595)
- CVE-2025-43216: Fixed a vulnerability where processing maliciously crafted web content may lead to an unexpected Safari crash. (bsc#1247596)
- CVE-2025-43227: Fixed a vulnerability where processing maliciously crafted web content may disclose sensitive user information. (bsc#1247597)
- CVE-2025-43228: Fixed a vulnerability where visiting a malicious website may lead to address bar spoofing. (bsc#1247598)
- CVE-2025-43240: Fixed a vulnerability where a download's origin may be incorrectly associated. (bsc#1247599)
- CVE-2025-43265: Fixed a vulnerability where processing maliciously crafted web content may disclose internal states of the app. (bsc#1247600)
- CVE-2025-6558: Fixed a vulnerability where processing maliciously crafted web content may lead to an unexpected Safari crash. (bsc#1247742)
Other fixes:
- Improve emoji font selection with USE_SKIA=ON.
- Improve playback of multimedia streams from blob URLs.
- Fix the build with USE_SKIA_OPENTYPE_SVG=ON and
USE_SYSPROF_CAPTURE=ON.
- Fix crash when using a WebKitWebView widget in an offscreen
window.
- Fix several crashes and rendering issues.
- Fix a crash introduced by the new threaded rendering
implementation using Skia API.
- Improve rendering performance by recording layers once and
replaying every dirty region in different worker threads.
- Fix a crash when setting WEBKIT_SKIA_GPU_PAINTING_THREADS=0.
- Fix a reference cycle in webkitmediastreamsrc preventing its
disposal.
- Increase mem_per_process again to avoid running out of memory.
WebKitGTK-4.1-lang-2.48.5-150600.12.43.1.noarch.rpm
libjavascriptcoregtk-4_1-0-2.48.5-150600.12.43.1.x86_64.rpm
libwebkit2gtk-4_1-0-2.48.5-150600.12.43.1.x86_64.rpm
typelib-1_0-JavaScriptCore-4_1-2.48.5-150600.12.43.1.x86_64.rpm
typelib-1_0-WebKit2-4_1-2.48.5-150600.12.43.1.x86_64.rpm
typelib-1_0-WebKit2WebExtension-4_1-2.48.5-150600.12.43.1.x86_64.rpm
webkit2gtk-4_1-injected-bundles-2.48.5-150600.12.43.1.x86_64.rpm
webkit2gtk3-2.48.5-150600.12.43.1.src.rpm
webkit2gtk3-devel-2.48.5-150600.12.43.1.x86_64.rpm
SUSE-SLE-Module-Desktop-Applications-15-SP7-2025-3152
Security update for ImageMagick
important
SUSE Updates SLE-Module-Desktop-Applications 15-SP7 x86 64
This update for ImageMagick fixes the following issues:
- CVE-2025-55004: Fixed heap buffer over-read in ReadOneMNGIMage when processing images with separate alpha channels
(bsc#1248076).
- CVE-2025-55005: Fixed heap buffer overflow when transforming from Log to sRGB colorspaces (bsc#1248077).
- CVE-2025-55154: Fixed integer overflow when performing magnified size calculations in ReadOneMNGIMage (bsc#1248078).
- CVE-2025-55160: Fixed undefined behavior due to function-type-mismatch in CloneSplayTree (bsc#1248079).
- CVE-2025-55212: Fixed division-by-zero in ThumbnailImage() when passing a geometry string containing only a colon to
`montage -geometry` (bsc#1248767).
- CVE-2025-55298: Fixed heap overflow due to format string bug vulnerability (bsc#1248780).
- CVE-2025-57803: Fixed heap out-of-bounds (OOB) write due to 32-bit integer overflow (bsc#1248784).
Other fixes:
- Fixed output file placeholders (bsc#1247475).
ImageMagick-7.1.0.9-150400.6.40.1.src.rpm
ImageMagick-config-7-upstream-7.1.0.9-150400.6.40.1.x86_64.rpm
SUSE-SLE-Module-Desktop-Applications-15-SP7-2025-3286
Recommended update for gtk3
moderate
SUSE Updates SLE-Module-Desktop-Applications 15-SP7 x86 64
This update for gtk3 fixes the following issues:
- Fixed issue with window dimensions (bsc#1247503)
gtk3-3.24.43-150600.3.10.1.src.rpm
gtk3-devel-doc-3.24.43-150600.3.10.1.noarch.rpm
SUSE-SLE-Module-Desktop-Applications-15-SP7-2025-3122
Recommended update for libnvidia-egl-wayland
moderate
SUSE Updates SLE-Module-Desktop-Applications 15-SP7 x86 64
This update for libnvidia-egl-wayland fixes the following issues:
- Update nvidia driver to version 580.76.05 (bsc#1247907)
* Add support for tegradisp-drm
libnvidia-egl-wayland-1.1.20-150700.3.6.1.src.rpm
libnvidia-egl-wayland1-32bit-1.1.20-150700.3.6.1.x86_64.rpm
SUSE-SLE-Module-Desktop-Applications-15-SP7-2025-3121
Recommended update for libnvidia-egl-x11
moderate
SUSE Updates SLE-Module-Desktop-Applications 15-SP7 x86 64
This update for libnvidia-egl-x11 fixes the following issues:
- Update nvidia driver to version 580.76.05 (bsc#1247907)
- Increment the version number to 1.0.3
- egl-x11: Add support for tegradisp drm
- Increment version number to 1.0.2
- Do not close the syncfd in WaitImplicitFence
- Fix the error reporting in WaitTimelinePoint
libnvidia-egl-x11-1.0.3-150700.4.6.1.src.rpm
libnvidia-egl-x11-devel-1.0.3-150700.4.6.1.x86_64.rpm
libnvidia-egl-x111-1.0.3-150700.4.6.1.x86_64.rpm
libnvidia-egl-x111-32bit-1.0.3-150700.4.6.1.x86_64.rpm
SUSE-SLE-Module-Desktop-Applications-15-SP7-2025-3008
Security update for MozillaFirefox
important
SUSE Updates SLE-Module-Desktop-Applications 15-SP7 x86 64
This update for MozillaFirefox fixes the following issues:
- Firefox Extended Support Release 140.2.0 ESR
MFSA 2025-67 (bsc#1248162)
* CVE-2025-9179 (bmo#1979527):
Sandbox escape due to invalid pointer in the Audio/Video: GMP
component
* CVE-2025-9180 (bmo#1979782):
Same-origin policy bypass in the Graphics: Canvas2D component
* CVE-2025-9181 (bmo#1977130):
Uninitialized memory in the JavaScript Engine component
* CVE-2025-9182 (bmo#1975837):
Denial-of-service due to out-of-memory in the Graphics:
WebRender component
* CVE-2025-9183 (bmo#1976102):
Spoofing issue in the Address Bar component
* CVE-2025-9184 (bmo#1929482, bmo#1976376, bmo#1979163,
bmo#1979955):
Memory safety bugs fixed in Firefox ESR 140.2, Thunderbird
ESR 140.2, Firefox 142 and Thunderbird 142
* CVE-2025-9185 (bmo#1970154, bmo#1976782, bmo#1977166):
Memory safety bugs fixed in Firefox ESR 115.27, Firefox ESR
128.14, Thunderbird ESR 128.14, Firefox ESR 140.2,
Thunderbird ESR 140.2, Firefox 142 and Thunderbird 142
* CVE-2025-9187 (bmo#1825621, bmo#1970079, bmo#1976736,
bmo#1979072): Memory safety bugs fixed in Firefox 142 and
Thunderbird 142
- Other fixes:
* Ensure the use of the correct file-picker on KDE (bsc#1226112)
MozillaFirefox-140.2.0-150200.152.198.1.src.rpm
MozillaFirefox-140.2.0-150200.152.198.1.x86_64.rpm
MozillaFirefox-devel-140.2.0-150200.152.198.1.noarch.rpm
MozillaFirefox-translations-common-140.2.0-150200.152.198.1.x86_64.rpm
MozillaFirefox-translations-other-140.2.0-150200.152.198.1.x86_64.rpm
SUSE-SLE-Module-Desktop-Applications-15-SP7-2025-3244
Security update for raptor
moderate
SUSE Updates SLE-Module-Desktop-Applications 15-SP7 x86 64
This update for raptor fixes the following issues:
- CVE-2024-57823: Fixed integer underflow when normalizing a URI with the turtle parser (bsc#1235673)
- CVE-2024-57822: Fixed heap buffer overread when parsing triples with the nquads parser (bsc#1235674)
libraptor-devel-2.0.15-150200.9.18.1.x86_64.rpm
libraptor2-0-2.0.15-150200.9.18.1.x86_64.rpm
raptor-2.0.15-150200.9.18.1.src.rpm
raptor-2.0.15-150200.9.18.1.x86_64.rpm
SUSE-SLE-Module-Desktop-Applications-15-SP7-2025-3449
Security update for cairo
low
SUSE Updates SLE-Module-Desktop-Applications 15-SP7 x86 64
This update for cairo fixes the following issues:
- CVE-2025-50422: Fixed Poppler crash on malformed input (bsc#1247589)
- Update to version 1.18.4:
+ The dependency on LZO has been made optional through a build
time configuration toggle.
+ You can build Cairo against a Freetype installation that does
not have the FT_Color type.
+ Cairo tests now build on Solaris 11.4 with GCC 14.
+ The DirectWrite backend now builds on MINGW 11.
+ The DirectWrite backend now supports font variations and proper
glyph coverage.
- Use tarball in lieu of source service due to freedesktop gitlab
migration, will switch back at next release at the latest.
- Add pkgconfig(lzo2) BuildRequires: New optional dependency, build
lzo2 support feature.
- Convert to source service: allows for easier upgrades by the
GNOME team.
- Update to version 1.18.2:
+ The malloc-stats code has been removed from the tests directory
+ Cairo now requires a version of pixman equal to, or newer than,
0.40.
+ There have been multiple build fixes for newer versions of GCC
for MSVC; for Solaris; and on macOS 10.7.
+ PNG errors caused by loading malformed data are correctly
propagated to callers, so they can handle the case.
+ Both stroke and fill colors are now set when showing glyphs on
a PDF surface.
+ All the font options are copied when creating a fallback font
object.
+ When drawing text on macOS, Cairo now tries harder to select
the appropriate font name.
+ Cairo now prefers the COLRv1 table inside a font, if one is
available.
+ Cairo requires a C11 toolchain when building.
cairo-1.18.4-150600.3.3.1.src.rpm
libcairo2-32bit-1.18.4-150600.3.3.1.x86_64.rpm
SUSE-SLE-Module-Desktop-Applications-15-SP7-2025-3300
Security update for vim
moderate
SUSE Updates SLE-Module-Desktop-Applications 15-SP7 x86 64
This update for vim fixes the following issues:
Updated to 9.1.1629:
- CVE-2025-53905: Fixed malicious tar archive that may cause a path traversal in Vim’s tar.vim plugin (bsc#1246604)
- CVE-2025-53906: Fixed malicious zip archive that may cause a path traversal in Vim’s zip (bsc#1246602)
- CVE-2025-55157: Fixed use-after-free in internal tuple reference management (bsc#1247938)
- CVE-2025-55158: Fixed double-free in internal typed value (typval_T) management (bsc#1247939)
gvim-9.1.1629-150500.20.33.1.x86_64.rpm
vim-9.1.1629-150500.20.33.1.src.rpm
SUSE-SLE-Module-Desktop-Applications-15-SP7-2025-3113
Security update for ImageMagick
important
SUSE Updates SLE-Module-Desktop-Applications 15-SP7 x86 64
This update for ImageMagick fixes the following issues:
- CVE-2025-55004: Fixed heap buffer over-read in ReadOneMNGIMage when processing images with separate alpha channels
(bsc#1248076).
- CVE-2025-55005: Fixed heap buffer overflow when transforming from Log to sRGB colorspaces (bsc#1248077).
- CVE-2025-55154: Fixed integer overflow when performing magnified size calculations in ReadOneMNGIMage that can lead to
out-of-bounds write (bsc#1248078).
- CVE-2025-55160: Fixed undefined behavior due to function-type-mismatch in CloneSplayTree (bsc#1248079).
- CVE-2025-55212: Fixed division-by-zero in ThumbnailImage() when passing a geometry string containing only a colon to
`montage -geometry` (bsc#1248767).
- CVE-2025-55298: Fixed heap overflow due to format string bug vulnerability (bsc#1248780).
- CVE-2025-57803: Fixed heap out-of-bounds (OOB) write due to 32-bit integer overflow (bsc#1248784).
ImageMagick-7.1.1.43-150700.3.13.1.src.rpm
ImageMagick-7.1.1.43-150700.3.13.1.x86_64.rpm
ImageMagick-config-7-SUSE-7.1.1.43-150700.3.13.1.x86_64.rpm
ImageMagick-config-7-upstream-limited-7.1.1.43-150700.3.13.1.x86_64.rpm
ImageMagick-config-7-upstream-open-7.1.1.43-150700.3.13.1.x86_64.rpm
ImageMagick-config-7-upstream-secure-7.1.1.43-150700.3.13.1.x86_64.rpm
ImageMagick-config-7-upstream-websafe-7.1.1.43-150700.3.13.1.x86_64.rpm
ImageMagick-devel-7.1.1.43-150700.3.13.1.x86_64.rpm
libMagick++-7_Q16HDRI5-7.1.1.43-150700.3.13.1.x86_64.rpm
libMagick++-devel-7.1.1.43-150700.3.13.1.x86_64.rpm
libMagickCore-7_Q16HDRI10-7.1.1.43-150700.3.13.1.x86_64.rpm
libMagickWand-7_Q16HDRI10-7.1.1.43-150700.3.13.1.x86_64.rpm
SUSE-SLE-Module-Desktop-Applications-15-SP7-2025-3261
Security update for cups
important
SUSE Updates SLE-Module-Desktop-Applications 15-SP7 x86 64
This update for cups fixes the following issues:
- CVE-2024-47175: no validation of IPP attributes in `ppdCreatePPDFromIPP2` when writing to a temporary PPD file allows
for the injection of attacker-controlled data to the resulting PPD (bsc#1230932).
- CVE-2025-58060: no password check when `AuthType` is set to anything but `Basic` and a request is made with an
`Authorization: Basic` header (bsc#1249049).
- CVE-2025-58364: unsafe deserialization and validation of printer attributes leads to NULL pointer dereference
(bsc#1249128).
cups-2.2.7-150000.3.72.1.src.rpm
libcups2-32bit-2.2.7-150000.3.72.1.x86_64.rpm
SUSE-SLE-Module-Desktop-Applications-15-SP7-2025-3599
Security update for qt6-base
moderate
SUSE Updates SLE-Module-Desktop-Applications 15-SP7 x86 64
This update for qt6-base fixes the following issues:
- CVE-2025-5455: processing of malformed data in `qDecodeDataUrl()` can trigger assertion and cause a crash
(bsc#1243958).
- CVE-2025-30348: complex algorithm used in `encodeText` in QDom when processing XML data can cause low performance
(bsc#1239896).
libQt6Core6-6.6.3-150600.3.6.1.x86_64.rpm
libQt6DBus6-6.6.3-150600.3.6.1.x86_64.rpm
libQt6Gui6-6.6.3-150600.3.6.1.x86_64.rpm
libQt6Network6-6.6.3-150600.3.6.1.x86_64.rpm
libQt6OpenGL6-6.6.3-150600.3.6.1.x86_64.rpm
libQt6Sql6-6.6.3-150600.3.6.1.x86_64.rpm
libQt6Test6-6.6.3-150600.3.6.1.x86_64.rpm
libQt6Widgets6-6.6.3-150600.3.6.1.x86_64.rpm
qt6-base-6.6.3-150600.3.6.1.src.rpm
qt6-network-tls-6.6.3-150600.3.6.1.x86_64.rpm
qt6-networkinformation-glib-6.6.3-150600.3.6.1.x86_64.rpm
qt6-networkinformation-nm-6.6.3-150600.3.6.1.x86_64.rpm
SUSE-SLE-Module-Desktop-Applications-15-SP7-2025-3294
Security update for wireshark
moderate
SUSE Updates SLE-Module-Desktop-Applications 15-SP7 x86 64
This update for wireshark fixes the following issues:
Update to version 4.2.13.
Security issues fixed:
- CVE-2025-9817: SSH dissector crash due to NULL pointer dereference when processing malformed packet traces
(bsc#1249090).
Other issues fixed:
- Bug in UDS dissector with Service ReadDataByPeriodicIdentifier Response.
- Incorrectly parsed `application/x-www-form-urlencoded` key following a name-value byte sequence with no `=`.
- DNP3 time stamp not working after epoch time (year 2038).
- Bug in LZ77 decoder; reads a 16-bit length when it should read a 32-bit length.
- Further features, bug fixes and updated protocol support as listed in:
* https://www.wireshark.org/docs/relnotes/wireshark-4.2.13.html
wireshark-4.2.13-150600.18.26.1.src.rpm
wireshark-devel-4.2.13-150600.18.26.1.x86_64.rpm
wireshark-ui-qt-4.2.13-150600.18.26.1.x86_64.rpm
SUSE-SLE-Module-Desktop-Applications-15-SP7-2025-3723
Security update for libqt5-qtbase
moderate
SUSE Updates SLE-Module-Desktop-Applications 15-SP7 x86 64
This update for libqt5-qtbase fixes the following issues:
Security issues fixed:
- CVE-2025-5455: processing of malformed data in `qDecodeDataUrl()` can trigger assertion and cause a crash
(bsc#1243958).
- CVE-2025-30348: complex algorithm used in `encodeText` in QDom when processing XML data can cause low performance
(bsc#1239896).
Other issues fixed:
- Initialize a member variable in `QObjectPrivate::Signal` that was uninitialized under some circumstances.
- Fix a crash when parsing a particular glyph in a particular font.
- Avoid repeatedly registering xsettings callbacks when switching cursor themes.
- Check validity of RandR output info before using it.
- Fix reparenting a window so it takes effect even if there are no other state changes to the window.
libQt5OpenGLExtensions-devel-static-5.15.12+kde151-150600.3.9.1.x86_64.rpm
libQt5Sql5-mysql-5.15.12+kde151-150600.3.9.1.x86_64.rpm
libQt5Sql5-postgresql-5.15.12+kde151-150600.3.9.1.x86_64.rpm
libQt5Sql5-unixODBC-5.15.12+kde151-150600.3.9.1.x86_64.rpm
libqt5-qtbase-5.15.12+kde151-150600.3.9.1.src.rpm
libqt5-qtbase-platformtheme-gtk3-5.15.12+kde151-150600.3.9.1.x86_64.rpm
SUSE-SLE-Module-Desktop-Applications-15-SP7-2025-3510
Security update for ImageMagick
moderate
SUSE Updates SLE-Module-Desktop-Applications 15-SP7 x86 64
This update for ImageMagick fixes the following issues:
- CVE-2025-57807: heap out-of-bounds write can lead to memory corruption (bsc#1249362).
ImageMagick-7.1.1.43-150700.3.16.1.src.rpm
ImageMagick-7.1.1.43-150700.3.16.1.x86_64.rpm
ImageMagick-config-7-SUSE-7.1.1.43-150700.3.16.1.x86_64.rpm
ImageMagick-config-7-upstream-limited-7.1.1.43-150700.3.16.1.x86_64.rpm
ImageMagick-config-7-upstream-open-7.1.1.43-150700.3.16.1.x86_64.rpm
ImageMagick-config-7-upstream-secure-7.1.1.43-150700.3.16.1.x86_64.rpm
ImageMagick-config-7-upstream-websafe-7.1.1.43-150700.3.16.1.x86_64.rpm
ImageMagick-devel-7.1.1.43-150700.3.16.1.x86_64.rpm
libMagick++-7_Q16HDRI5-7.1.1.43-150700.3.16.1.x86_64.rpm
libMagick++-devel-7.1.1.43-150700.3.16.1.x86_64.rpm
libMagickCore-7_Q16HDRI10-7.1.1.43-150700.3.16.1.x86_64.rpm
libMagickWand-7_Q16HDRI10-7.1.1.43-150700.3.16.1.x86_64.rpm
SUSE-SLE-Module-Desktop-Applications-15-SP7-2025-3616
Security update for ImageMagick
moderate
SUSE Updates SLE-Module-Desktop-Applications 15-SP7 x86 64
This update for ImageMagick fixes the following issues:
- CVE-2025-57807: heap out-of-bounds write can lead to memory corruption (bsc#1249362).
ImageMagick-7.1.0.9-150400.6.43.1.src.rpm
ImageMagick-config-7-upstream-7.1.0.9-150400.6.43.1.x86_64.rpm
SUSE-SLE-Module-Desktop-Applications-15-SP7-2025-3291
Security update for MozillaFirefox
important
SUSE Updates SLE-Module-Desktop-Applications 15-SP7 x86 64
This update for MozillaFirefox fixes the following issues:
Firefox Extended Support Release 140.3.0 ESR (bsc#1249391).
MFSA 2025-75:
* CVE-2025-10527 (bmo#1984825)
Sandbox escape due to use-after-free in the Graphics:
Canvas2D component
* CVE-2025-10528 (bmo#1986185)
Sandbox escape due to undefined behavior, invalid pointer in
the Graphics: Canvas2D component
* CVE-2025-10529 (bmo#1970490)
Same-origin policy bypass in the Layout component
* CVE-2025-10532 (bmo#1979502)
Incorrect boundary conditions in the JavaScript: GC component
* CVE-2025-10533 (bmo#1980788)
Integer overflow in the SVG component
* CVE-2025-10536 (bmo#1981502)
Information disclosure in the Networking: Cache component
* CVE-2025-10537 (bmo#1938220, bmo#1980730, bmo#1981280,
bmo#1981283, bmo#1984505, bmo#1985067)
Memory safety bugs fixed in Firefox ESR 140.3, Thunderbird
ESR 140.3, Firefox 143 and Thunderbird 143
MozillaFirefox-140.3.0-150200.152.201.1.src.rpm
MozillaFirefox-140.3.0-150200.152.201.1.x86_64.rpm
MozillaFirefox-devel-140.3.0-150200.152.201.1.noarch.rpm
MozillaFirefox-translations-common-140.3.0-150200.152.201.1.x86_64.rpm
MozillaFirefox-translations-other-140.3.0-150200.152.201.1.x86_64.rpm
SUSE-SLE-Module-Desktop-Applications-15-SP7-2025-3333
Security update for avahi
moderate
SUSE Updates SLE-Module-Desktop-Applications 15-SP7 x86 64
This update for avahi fixes the following issues:
- CVE-2024-52615: wide-area DNS uses constant source port for queries and can expose the Avahi-daemon to DNS spoofing
attacks (bsc#1233421).
avahi-0.8-150600.15.9.1.src.rpm
avahi-autoipd-0.8-150600.15.9.1.x86_64.rpm
avahi-glib2-0.8-150600.15.9.1.src.rpm
avahi-utils-gtk-0.8-150600.15.9.1.x86_64.rpm
libavahi-gobject-devel-0.8-150600.15.9.1.x86_64.rpm
SUSE-SLE-Module-Desktop-Applications-15-SP7-2025-4119
Optional update for gnome-desktop
low
SUSE Updates SLE-Module-Desktop-Applications 15-SP7 x86 64
This update for bind fixes the following issues:
- Ship libgnome-desktop-4-devel Desktop-Applications Module for 15-SP7 (bsc#1249416)
gnome-desktop-44.0-150600.3.2.1.src.rpm
gnome-desktop-lang-44.0-150600.3.2.1.noarch.rpm
libgnome-desktop-3-20-44.0-150600.3.2.1.x86_64.rpm
libgnome-desktop-3-devel-44.0-150600.3.2.1.x86_64.rpm
libgnome-desktop-3_0-common-44.0-150600.3.2.1.x86_64.rpm
libgnome-desktop-4-2-44.0-150600.3.2.1.x86_64.rpm
libgnome-desktop-4-devel-44.0-150600.3.2.1.x86_64.rpm
typelib-1_0-GnomeBG-4_0-44.0-150600.3.2.1.x86_64.rpm
typelib-1_0-GnomeDesktop-3_0-44.0-150600.3.2.1.x86_64.rpm
typelib-1_0-GnomeDesktop-4_0-44.0-150600.3.2.1.x86_64.rpm
typelib-1_0-GnomeRR-4_0-44.0-150600.3.2.1.x86_64.rpm
SUSE-SLE-Module-Desktop-Applications-15-SP7-2025-3434
Security update for open-vm-tools
important
SUSE Updates SLE-Module-Desktop-Applications 15-SP7 x86 64
This update for open-vm-tools fixes the following issues:
- CVE-2025-41244: local privilege escalation via the Service Discovery Plugin (bsc#1250373).
open-vm-tools-13.0.0-150600.3.18.1.src.rpm
open-vm-tools-desktop-13.0.0-150600.3.18.1.x86_64.rpm
SUSE-SLE-Module-Desktop-Applications-15-SP7-2025-3462
Security update for MozillaFirefox
important
SUSE Updates SLE-Module-Desktop-Applications 15-SP7 x86 64
This update for MozillaFirefox fixes the following issues:
Update to Firefox Extended Support Release 140.3.1 ESR (bsc#1250452).
- Improved reliability when HTTP/3 connections fail: Firefox no longer forces HTTP/2 during fallback, allowing the
server to choose the protocol and preventing stalls on some sites.
MozillaFirefox-140.3.1-150200.152.204.1.src.rpm
MozillaFirefox-140.3.1-150200.152.204.1.x86_64.rpm
MozillaFirefox-devel-140.3.1-150200.152.204.1.noarch.rpm
MozillaFirefox-translations-common-140.3.1-150200.152.204.1.x86_64.rpm
MozillaFirefox-translations-other-140.3.1-150200.152.204.1.x86_64.rpm
SUSE-SLE-Module-Desktop-Applications-15-SP7-2025-3851
Recommended update for vim
moderate
SUSE Updates SLE-Module-Desktop-Applications 15-SP7 x86 64
This update for vim fixes the following issues:
- Fix regression in vim: xxd -a shows no output (bsc#1250593).
Backported from 9.1.1683 (xxd: Avoid null dereference in autoskip colorless).
- Fix vim compatible mode is not switched off earlier (bsc#1229750).
Nocompatible must be set before the syntax highlighting is turned on.
gvim-9.1.1629-150500.20.38.1.x86_64.rpm
vim-9.1.1629-150500.20.38.1.src.rpm
SUSE-SLE-Module-Desktop-Applications-15-SP7-2025-3535
Security update for open-vm-tools
important
SUSE Updates SLE-Module-Desktop-Applications 15-SP7 x86 64
This update for open-vm-tools fixes the following issues:
- CVE-2025-41244: fixed a local privilege escalation vulnerability (bnc#1250373).
open-vm-tools-13.0.5-150600.3.21.1.src.rpm
open-vm-tools-desktop-13.0.5-150600.3.21.1.x86_64.rpm
SUSE-SLE-Module-Desktop-Applications-15-SP7-2025-3629
Security update for gstreamer-plugins-rs
important
SUSE Updates SLE-Module-Desktop-Applications 15-SP7 x86 64
This update for gstreamer-plugins-rs fixes the following issues:
Update to version 0.12.11 (jsc#PED-13826):
- CVE-2024-32650: Fixed infinite loop in rustls::conn::ConnectionCommon::complete_io() with proper client input (bsc#1223219).
gstreamer-plugins-rs-0.12.11-150600.3.3.1.src.rpm
gstreamer-plugins-rs-0.12.11-150600.3.3.1.x86_64.rpm
gstreamer-plugins-rs-devel-0.12.11-150600.3.3.1.x86_64.rpm
SUSE-SLE-Module-Desktop-Applications-15-SP7-2025-3949
Security update for colord
moderate
SUSE Updates SLE-Module-Desktop-Applications 15-SP7 x86 64
This update for colord fixes the following issues:
- CVE-2021-42523: The original fix was wrong and did not properly free the error, resulting in a crash that has now been addressed (bsc#1250750).
colord-1.4.6-150600.3.8.1.src.rpm
colord-color-profiles-1.4.6-150600.3.8.1.x86_64.rpm
libcolord-devel-1.4.6-150600.3.8.1.x86_64.rpm
libcolorhug2-1.4.6-150600.3.8.1.x86_64.rpm
typelib-1_0-Colord-1_0-1.4.6-150600.3.8.1.x86_64.rpm
typelib-1_0-Colorhug-1_0-1.4.6-150600.3.8.1.x86_64.rpm
SUSE-SLE-Module-Desktop-Applications-15-SP7-2025-3701
Security update for webkit2gtk3
important
SUSE Updates SLE-Module-Desktop-Applications 15-SP7 x86 64
This update for webkit2gtk3 fixes the following issues:
- CVE-2025-43343: improved memory handling in web content processing to prevent process crash (bsc#1251975)
- CVE-2025-43272: improved memory handling to prevent unexpected process crash (bsc#1250439)
- CVE-2025-43342: correctness issue was addressed with improved checks to prevent unexpected process crash (bsc#1250440)
- CVE-2025-43356: improved handling of caches to prevent sensor access without consent (bsc#1250441)
- CVE-2025-43368: improved memory management to prevent a use-after-free (bsc#1250442)
WebKitGTK-4.1-lang-2.50.1-150600.12.48.3.noarch.rpm
libjavascriptcoregtk-4_1-0-2.50.1-150600.12.48.3.x86_64.rpm
libwebkit2gtk-4_1-0-2.50.1-150600.12.48.3.x86_64.rpm
typelib-1_0-JavaScriptCore-4_1-2.50.1-150600.12.48.3.x86_64.rpm
typelib-1_0-WebKit2-4_1-2.50.1-150600.12.48.3.x86_64.rpm
typelib-1_0-WebKit2WebExtension-4_1-2.50.1-150600.12.48.3.x86_64.rpm
webkit2gtk-4_1-injected-bundles-2.50.1-150600.12.48.3.x86_64.rpm
webkit2gtk3-2.50.1-150600.12.48.3.src.rpm
webkit2gtk3-devel-2.50.1-150600.12.48.3.x86_64.rpm
SUSE-SLE-Module-Desktop-Applications-15-SP7-2025-3811
Security update for wireshark
moderate
SUSE Updates SLE-Module-Desktop-Applications 15-SP7 x86 64
This update for wireshark fixes the following issues:
- CVE-2025-11626: fixed MONGO dissector infinite loop (bsc#1251933).
wireshark-4.2.14-150600.18.29.1.src.rpm
wireshark-devel-4.2.14-150600.18.29.1.x86_64.rpm
wireshark-ui-qt-4.2.14-150600.18.29.1.x86_64.rpm
SUSE-SLE-Module-Desktop-Applications-15-SP7-2025-3775
Security update for MozillaFirefox
important
SUSE Updates SLE-Module-Desktop-Applications 15-SP7 x86 64
This update for MozillaFirefox fixes the following issues:
Update to Firefox Extended Support Release 140.4.0 ESR (bsc#1251263).
- CVE-2025-11708: Use-after-free in MediaTrackGraphImpl::GetInstance()
- CVE-2025-11709: Out of bounds read/write in a privileged process triggered by WebGL textures
- CVE-2025-11710: Cross-process information leaked due to malicious IPC messages
- CVE-2025-11711: Some non-writable Object properties could be modified
- CVE-2025-11712: An OBJECT tag type attribute overrode browser behavior on web resources without a content-type
- CVE-2025-11713: Potential user-assisted code execution in “Copy as cURL” command
- CVE-2025-11714: Memory safety bugs fixed in Firefox ESR 115.29, Firefox ESR 140.4, Thunderbird ESR 140.4, Firefox 144 and Thunderbird 144
- CVE-2025-11715: Memory safety bugs fixed in Firefox ESR 140.4, Thunderbird ESR 140.4, Firefox 144 and Thunderbird 144
MozillaFirefox-140.4.0-150200.152.207.1.src.rpm
MozillaFirefox-140.4.0-150200.152.207.1.x86_64.rpm
MozillaFirefox-devel-140.4.0-150200.152.207.1.noarch.rpm
MozillaFirefox-translations-common-140.4.0-150200.152.207.1.x86_64.rpm
MozillaFirefox-translations-other-140.4.0-150200.152.207.1.x86_64.rpm
SUSE-SLE-Module-Desktop-Applications-15-SP7-2025-3845
Security update for fetchmail
moderate
SUSE Updates SLE-Module-Desktop-Applications 15-SP7 x86 64
This update for fetchmail fixes the following issues:
- CVE-2025-61962: fixed a denial of service condition (bsc#1251194)
fetchmail-6.4.22-150600.35.3.1.src.rpm
fetchmailconf-6.4.22-150600.35.3.1.x86_64.rpm
SUSE-SLE-Module-Desktop-Applications-15-SP7-2025-3867
Security update for ImageMagick
moderate
SUSE Updates SLE-Module-Desktop-Applications 15-SP7 x86 64
This update for ImageMagick fixes the following issues:
- CVE-2025-62171: Fixed incomplete fix for integer overflow in BMP Decoder (bsc#1252282).
ImageMagick-7.1.1.43-150700.3.19.1.src.rpm
ImageMagick-7.1.1.43-150700.3.19.1.x86_64.rpm
ImageMagick-config-7-SUSE-7.1.1.43-150700.3.19.1.x86_64.rpm
ImageMagick-config-7-upstream-limited-7.1.1.43-150700.3.19.1.x86_64.rpm
ImageMagick-config-7-upstream-open-7.1.1.43-150700.3.19.1.x86_64.rpm
ImageMagick-config-7-upstream-secure-7.1.1.43-150700.3.19.1.x86_64.rpm
ImageMagick-config-7-upstream-websafe-7.1.1.43-150700.3.19.1.x86_64.rpm
ImageMagick-devel-7.1.1.43-150700.3.19.1.x86_64.rpm
libMagick++-7_Q16HDRI5-7.1.1.43-150700.3.19.1.x86_64.rpm
libMagick++-devel-7.1.1.43-150700.3.19.1.x86_64.rpm
libMagickCore-7_Q16HDRI10-7.1.1.43-150700.3.19.1.x86_64.rpm
libMagickWand-7_Q16HDRI10-7.1.1.43-150700.3.19.1.x86_64.rpm
SUSE-SLE-Module-Desktop-Applications-15-SP7-2025-3796
Security update for ImageMagick
moderate
SUSE Updates SLE-Module-Desktop-Applications 15-SP7 x86 64
This update for ImageMagick fixes the following issues:
- CVE-2025-62171: Fixed incomplete fix for integer overflow in BMP Decoder (bsc#1252282).
ImageMagick-7.1.0.9-150400.6.46.1.src.rpm
ImageMagick-config-7-upstream-7.1.0.9-150400.6.46.1.x86_64.rpm
SUSE-SLE-Module-Desktop-Applications-15-SP7-2025-3860
Optional update for firewalld-legacy
low
SUSE Updates SLE-Module-Desktop-Applications 15-SP7 x86 64
This update for firewalld-legacy fixes the following issues:
- Provide v1.3.4 as installable option due to slow firewall rule generation introduced in the 2.x.x series
(jsc#PED-13314).
firewall-applet-1.3.4-150600.13.3.1.noarch.rpm
firewall-config-1.3.4-150600.13.3.1.noarch.rpm
firewalld-1.3.4-150600.13.3.1.src.rpm
SUSE-SLE-Module-Desktop-Applications-15-SP7-2025-3946
Security update for openjpeg
moderate
SUSE Updates SLE-Module-Desktop-Applications 15-SP7 x86 64
This update for openjpeg fixes the following issues:
- CVE-2023-39327: Fixed that malicious files can cause a large loop that continuously prints warning messages on the terminal (bsc#1227410).
Other bug fixes:
- Ensure no bundled libraries are used (bsc#1250467).
libopenjpeg1-1.5.2-150000.4.15.1.x86_64.rpm
openjpeg-1.5.2-150000.4.15.1.src.rpm
openjpeg-devel-1.5.2-150000.4.15.1.x86_64.rpm
SUSE-SLE-Module-Desktop-Applications-15-SP7-2025-3947
Security update for jasper
moderate
SUSE Updates SLE-Module-Desktop-Applications 15-SP7 x86 64
This update for jasper fixes the following issues:
- Update to 4.2.8:
- CVE-2025-8837: Fixed a bug in the JPC decoder that could cause bad memory accesses if the debug level is set sufficiently high (bsc#1247901).
- CVE-2025-8836: Added some missing range checking on several coding parameters in the JPC encoder (bsc#1247902).
- CVE-2025-8835: Added a check for a missing color component in the jas_image_chclrspc function (bsc#1247904).
- CVE-2023-51257: Fixed invalid memory write bug (bsc#1218802).
jasper-4.2.8-150600.4.5.1.src.rpm
libjasper-devel-4.2.8-150600.4.5.1.x86_64.rpm
libjasper7-4.2.8-150600.4.5.1.x86_64.rpm
SUSE-SLE-Module-Desktop-Applications-15-SP7-2025-3956
Security update for ImageMagick
moderate
SUSE Updates SLE-Module-Desktop-Applications 15-SP7 x86 64
This update for ImageMagick fixes the following issues:
- CVE-2025-62594: Fixed unsigned underflow and division-by-zero that can lead to OOB pointer arithmetic and process crash. (bsc#1252749)
ImageMagick-7.1.1.43-150700.3.22.1.src.rpm
ImageMagick-7.1.1.43-150700.3.22.1.x86_64.rpm
ImageMagick-config-7-SUSE-7.1.1.43-150700.3.22.1.x86_64.rpm
ImageMagick-config-7-upstream-limited-7.1.1.43-150700.3.22.1.x86_64.rpm
ImageMagick-config-7-upstream-open-7.1.1.43-150700.3.22.1.x86_64.rpm
ImageMagick-config-7-upstream-secure-7.1.1.43-150700.3.22.1.x86_64.rpm
ImageMagick-config-7-upstream-websafe-7.1.1.43-150700.3.22.1.x86_64.rpm
ImageMagick-devel-7.1.1.43-150700.3.22.1.x86_64.rpm
libMagick++-7_Q16HDRI5-7.1.1.43-150700.3.22.1.x86_64.rpm
libMagick++-devel-7.1.1.43-150700.3.22.1.x86_64.rpm
libMagickCore-7_Q16HDRI10-7.1.1.43-150700.3.22.1.x86_64.rpm
libMagickWand-7_Q16HDRI10-7.1.1.43-150700.3.22.1.x86_64.rpm
SUSE-SLE-Module-Desktop-Applications-15-SP7-2025-3985
Security update for ImageMagick
moderate
SUSE Updates SLE-Module-Desktop-Applications 15-SP7 x86 64
This update for ImageMagick fixes the following issues:
- CVE-2025-62594: Fixed unsigned underflow and division-by-zero that can lead to OOB pointer arithmetic and process crash. (bsc#1252749)
ImageMagick-7.1.0.9-150400.6.51.1.src.rpm
ImageMagick-config-7-upstream-7.1.0.9-150400.6.51.1.x86_64.rpm
SUSE-SLE-Module-Desktop-Applications-15-SP7-2025-4067
Security update for openssh
moderate
SUSE Updates SLE-Module-Desktop-Applications 15-SP7 x86 64
This update for openssh fixes the following issues:
- CVE-2025-61984: Fixed code execution via control characters in usernames when a ProxyCommand is used (bsc#1251198)
- CVE-2025-61985: Fixed code execution via '\0' character in ssh:// URI when a ProxyCommand is used (bsc#1251199)
openssh-askpass-gnome-9.6p1-150600.6.34.1.src.rpm
openssh-askpass-gnome-9.6p1-150600.6.34.1.x86_64.rpm
SUSE-SLE-Module-Desktop-Applications-15-SP7-2025-4223
Recommended update for glu
important
SUSE Updates SLE-Module-Desktop-Applications 15-SP7 x86 64
This update for glu fixes the following issues:
- Fix the %license tag (bsc#1252149)
* Add missing LICENSE file
* Fix license string
glu-9.0.0-150200.10.3.1.src.rpm
glu-devel-9.0.0-150200.10.3.1.x86_64.rpm
SUSE-SLE-Module-Desktop-Applications-15-SP7-2025-4173
Security update for MozillaFirefox
important
SUSE Updates SLE-Module-Desktop-Applications 15-SP7 x86 64
This update for MozillaFirefox fixes the following issues:
- Update to Firefox Extended Support Release 140.5.0 ESR (bsc#1253188)
- CVE-2025-13012: Race condition in the Graphics component.
- CVE-2025-13016: Incorrect boundary conditions in the JavaScript: WebAssembly component.
- CVE-2025-13017: Same-origin policy bypass in the DOM: Notifications component.
- CVE-2025-13018: Mitigation bypass in the DOM: Security component.
- CVE-2025-13019: Same-origin policy bypass in the DOM: Workers component.
- CVE-2025-13013: Mitigation bypass in the DOM: Core & HTML component.
- CVE-2025-13020: Use-after-free in the WebRTC: Audio/Video component.
- CVE-2025-13014: Use-after-free in the Audio/Video component.
- CVE-2025-13015: Spoofing issue in Firefox.
MozillaFirefox-140.5.0-150200.152.210.1.src.rpm
MozillaFirefox-140.5.0-150200.152.210.1.x86_64.rpm
MozillaFirefox-devel-140.5.0-150200.152.210.1.noarch.rpm
MozillaFirefox-translations-common-140.5.0-150200.152.210.1.x86_64.rpm
MozillaFirefox-translations-other-140.5.0-150200.152.210.1.x86_64.rpm
SUSE-SLE-Module-Desktop-Applications-15-SP7-2025-4118
Recommended update for freetype2
important
SUSE Updates SLE-Module-Desktop-Applications 15-SP7 x86 64
This update for freetype2 fixes the following issues:
- Fix the %license tag (bsc#1252148)
* package FTL.TXT and GPLv2.TXT as %license
ft2demos-2.10.4-150000.4.25.1.nosrc.rpm
ftdump-2.10.4-150000.4.25.1.x86_64.rpm
SUSE-SLE-Module-Desktop-Applications-15-SP7-2025-4290
Security update for cups
moderate
SUSE Updates SLE-Module-Desktop-Applications 15-SP7 x86 64
This update for cups fixes the following issues:
- CVE-2025-61915: Fixed a local denial-of-service via cupsd.conf update and related issues. (bsc#1253783)
- CVE-2025-58436: Fixed an issue where a slow client communication leads to a possible DoS attack. (bsc#1244057)
cups-2.2.7-150000.3.77.1.src.rpm
libcups2-32bit-2.2.7-150000.3.77.1.x86_64.rpm
SUSE-SLE-Module-Desktop-Applications-15-SP7-2025-4291
Security update for libmicrohttpd
important
SUSE Updates SLE-Module-Desktop-Applications 15-SP7 x86 64
This update for libmicrohttpd fixes the following issues:
- CVE-2025-59777: Fixed NULL pointer dereference via specially crafted packet sent by an attacker (bsc#1253177)
- CVE-2025-62689: Fixed heap-based buffer overflow via specially crafted packet sent by an attacker (bsc#1253178)
libmicrohttpd-0.9.77-150600.3.3.1.src.rpm
libmicrohttpd-devel-0.9.77-150600.3.3.1.x86_64.rpm
SUSE-SLE-Module-Desktop-Applications-15-SP7-2025-4353
Security update for fontforge
low
SUSE Updates SLE-Module-Desktop-Applications 15-SP7 x86 64
This update for fontforge fixes the following issues:
- CVE-2025-50949: Fixed a memory leak in the DlgCreate8 function. (bsc#1252652)
fontforge-20200314-150200.3.12.1.src.rpm
fontforge-20200314-150200.3.12.1.x86_64.rpm
SUSE-SLE-Module-Desktop-Applications-15-SP7-2025-4319
Security update for cups
important
SUSE Updates SLE-Module-Desktop-Applications 15-SP7 x86 64
This update for cups fixes the following issues:
- The fix for CVE-2025-58436 causes a regression where
GTK applications will hang. (bsc#1254353)
See also https://github.com/OpenPrinting/cups/issues/1429
The fix has been temporarily disabled.
cups-2.2.7-150000.3.80.1.src.rpm
libcups2-32bit-2.2.7-150000.3.80.1.x86_64.rpm
SUSE-SLE-Module-Desktop-Applications-15-SP7-2025-4348
Recommended update for ibus
important
SUSE Updates SLE-Module-Desktop-Applications 15-SP7 x86 64
This update for ibus fixes the following issues:
- Fix: Barcode scanner input gets jumbled when ibus is running and
an application written in certain frameworks has focus (bsc#1252250):
* After libX11 is fixed for the XIM jumbled input issues, a too-quick
focus change can cause a freeze with a barcode reader
* Fix the synchronous "ProcessKeyEvent" D-Bus method in ibus-x11
* Add ibus_input_context_set_post_process_key_event() and ibus_input_context_post_process_key_event()
ibus-1.5.28-150600.3.3.1.src.rpm
ibus-1.5.28-150600.3.3.1.x86_64.rpm
ibus-devel-1.5.28-150600.3.3.1.x86_64.rpm
ibus-dict-emoji-1.5.28-150600.3.3.1.noarch.rpm
ibus-gtk-1.5.28-150600.3.3.1.x86_64.rpm
ibus-gtk3-1.5.28-150600.3.3.1.x86_64.rpm
ibus-lang-1.5.28-150600.3.3.1.noarch.rpm
libibus-1_0-5-1.5.28-150600.3.3.1.x86_64.rpm
typelib-1_0-IBus-1_0-1.5.28-150600.3.3.1.x86_64.rpm
SUSE-SLE-Module-Desktop-Applications-15-SP7-2025-4425
Security update for cups
moderate
SUSE Updates SLE-Module-Desktop-Applications 15-SP7 x86 64
This update for cups fixes the following issues:
Security issues fixed:
- CVE-2025-58436: single client sending slow messages to cupsd can delay the application and make it unusable for other
clients (bsc#1244057).
Other issues fixed:
- Update the CVE-2025-58436 patch to fix a regression that causes GTK applications to hang (bsc#1254353).
cups-2.2.7-150000.3.83.1.src.rpm
libcups2-32bit-2.2.7-150000.3.83.1.x86_64.rpm
SUSE-SLE-Module-Desktop-Applications-15-SP7-2026-21
Security update for webkit2gtk3
important
SUSE Updates SLE-Module-Desktop-Applications 15-SP7 x86 64
This update for webkit2gtk3 fixes the following issues:
Update to version 2.50.4.
Security issues fixed:
- CVE-2025-13502: processing of maliciously crafted payloads by the GLib remote inspector server may lead to a
UIProcess crash due to an out-of-bounds read and an integer underflow (bsc#1254208).
- CVE-2025-13947: use of the file drag-and-drop mechanism may lead to remote information disclosure due to a lack of
verification of the origins of drag operations (bsc#1254473).
- CVE-2025-14174: processing maliciously crafted web content may lead to memory corruption due to improper validation
(bsc#1255497).
- CVE-2025-43392: websites may exfiltrate image data cross-origin due to issues with cache handling (bsc#1254165).
- CVE-2025-43421: processing maliciously crafted web content may lead to an unexpected process crash due to enabled
array allocation sinking (bsc#1254167).
- CVE-2025-43425: processing maliciously crafted web content may lead to an unexpected process crash due to improper
memory handling (bsc#1254168).
- CVE-2025-43427: processing maliciously crafted web content may lead to an unexpected process crash due to issues with
state management (bsc#1254169).
- CVE-2025-43429: processing maliciously crafted web content may lead to an unexpected process crash due to a buffer
overflow issue (bsc#1254174).
- CVE-2025-43430: processing maliciously crafted web content may lead to an unexpected process crash due to issues with
state management (bsc#1254172).
- CVE-2025-43431: processing maliciously crafted web content may lead to memory corruption due to improper memory
handling (bsc#1254170).
- CVE-2025-43432: processing maliciously crafted web content may lead to an unexpected process crash due to a
use-after-free issue (bsc#1254171).
- CVE-2025-43434: processing maliciously crafted web content may lead to an unexpected process crash due to a
use-after-free issue (bsc#1254179).
- CVE-2025-43440: processing maliciously crafted web content may lead to an unexpected process crash due to missing
checks (bsc#1254177).
- CVE-2025-43443: processing maliciously crafted web content may lead to an unexpected process crash due to missing
checks (bsc#1254176).
- CVE-2025-43458: processing maliciously crafted web content may lead to an unexpected process crash due to issues with
state management (bsc#1254498).
- CVE-2025-43501: processing maliciously crafted web content may lead to an unexpected process crash due to a buffer
overflow issue (bsc#1255194).
- CVE-2025-43529: processing maliciously crafted web content may lead to arbitrary code execution due to a
use-after-free issue (bsc#1255198).
- CVE-2025-43531: processing maliciously crafted web content may lead to an unexpected process crash due to a race
condition (bsc#1255183).
- CVE-2025-43535: processing maliciously crafted web content may lead to an unexpected process crash due to improper
memory handling (bsc#1255195).
- CVE-2025-43536: processing maliciously crafted web content may lead to an unexpected process crash due to a
use-after-free issue (bsc#1255200).
- CVE-2025-43541: processing maliciously crafted web content may lead to an unexpected process crash due to type
confusion (bsc#1255191).
- CVE-2025-66287: processing maliciously crafted web content may lead to an unexpected process crash due to improper
memory handling (bsc#1254509).
Other issues fixed and changes:
- Version 2.50.4:
* Correctly handle the program name passed to the sleep disabler.
* Ensure GStreamer is initialized before using the Quirks.
* Fix several crashes and rendering issues.
- Version 2.50.3:
* Fix seeking and looping of media elements that set the "loop" property.
* Fix several crashes and rendering issues.
- Version 2.50.2:
* Prevent unsafe URI schemes from participating in media playback.
* Make jsc_value_array_buffer_get_data() function introspectable.
* Fix logging in to Google accounts that have a WebAuthn second factor configured.
* Fix loading webkit://gpu when there are no threads configured for GPU rendering.
* Fix rendering gradients that use the CSS hue interpolation method.
* Fix pasting image data from the clipboard.
* Fix font-family selection when the font name contains spaces.
* Fix the build with standard C libraries that lack execinfo.h, like Musl or uClibc.
* Fix capturing canvas snapshots in the Web Inspector.
* Fix several crashes and rendering issues.
- Fix a11y regression where AT-SPI roles were mapped incorrectly.
WebKitGTK-4.1-lang-2.50.4-150600.12.54.1.noarch.rpm
libjavascriptcoregtk-4_1-0-2.50.4-150600.12.54.1.x86_64.rpm
libwebkit2gtk-4_1-0-2.50.4-150600.12.54.1.x86_64.rpm
typelib-1_0-JavaScriptCore-4_1-2.50.4-150600.12.54.1.x86_64.rpm
typelib-1_0-WebKit2-4_1-2.50.4-150600.12.54.1.x86_64.rpm
typelib-1_0-WebKit2WebExtension-4_1-2.50.4-150600.12.54.1.x86_64.rpm
webkit2gtk-4_1-injected-bundles-2.50.4-150600.12.54.1.x86_64.rpm
webkit2gtk3-2.50.4-150600.12.54.1.src.rpm
webkit2gtk3-devel-2.50.4-150600.12.54.1.x86_64.rpm
SUSE-SLE-Module-Desktop-Applications-15-SP7-2025-4424
Security update for MozillaFirefox
important
SUSE Updates SLE-Module-Desktop-Applications 15-SP7 x86 64
This update for MozillaFirefox fixes the following issues:
Update to Firefox Extended Support Release 140.6.0 ESR (bsc#1254551).
- MFSA 2025-94
* CVE-2025-14321: use-after-free in the WebRTC: Signaling component.
* CVE-2025-14322: sandbox escape due to incorrect boundary conditions in the Graphics: CanvasWebGL component.
* CVE-2025-14323: privilege escalation in the DOM: Notifications component.
* CVE-2025-14324: JIT miscompilation in the JavaScript Engine: JIT component.
* CVE-2025-14325: JIT miscompilation in the JavaScript Engine: JIT component.
* CVE-2025-14328: privilege escalation in the Netmonitor component.
* CVE-2025-14329: privilege escalation in the Netmonitor component.
* CVE-2025-14330: JIT miscompilation in the JavaScript Engine: JIT component.
* CVE-2025-14331: same-origin policy bypass in the Request Handling component.
* CVE-2025-14333: memory safety bugs.
MozillaFirefox-140.6.0-150200.152.213.1.src.rpm
MozillaFirefox-140.6.0-150200.152.213.1.x86_64.rpm
MozillaFirefox-devel-140.6.0-150200.152.213.1.noarch.rpm
MozillaFirefox-translations-common-140.6.0-150200.152.213.1.x86_64.rpm
MozillaFirefox-translations-other-140.6.0-150200.152.213.1.x86_64.rpm
SUSE-SLE-Module-Desktop-Applications-15-SP7-2025-4427
Security update for ImageMagick
important
SUSE Updates SLE-Module-Desktop-Applications 15-SP7 x86 64
This update for ImageMagick fixes the following issues:
- CVE-2025-65955: possible use-after-free/double-free in `Options::fontFamily` when clearing a family can lead to
crashes or memory corruption (bsc#1254435).
- CVE-2025-66628: possible integer overflow in the TIM image parser's `ReadTIMImage` function can lead to arbitrary
memory disclosure on 32-bit systems (bsc#1254820).
ImageMagick-7.1.1.43-150700.3.27.1.src.rpm
ImageMagick-7.1.1.43-150700.3.27.1.x86_64.rpm
ImageMagick-config-7-SUSE-7.1.1.43-150700.3.27.1.x86_64.rpm
ImageMagick-config-7-upstream-limited-7.1.1.43-150700.3.27.1.x86_64.rpm
ImageMagick-config-7-upstream-open-7.1.1.43-150700.3.27.1.x86_64.rpm
ImageMagick-config-7-upstream-secure-7.1.1.43-150700.3.27.1.x86_64.rpm
ImageMagick-config-7-upstream-websafe-7.1.1.43-150700.3.27.1.x86_64.rpm
ImageMagick-devel-7.1.1.43-150700.3.27.1.x86_64.rpm
libMagick++-7_Q16HDRI5-7.1.1.43-150700.3.27.1.x86_64.rpm
libMagick++-devel-7.1.1.43-150700.3.27.1.x86_64.rpm
libMagickCore-7_Q16HDRI10-7.1.1.43-150700.3.27.1.x86_64.rpm
libMagickWand-7_Q16HDRI10-7.1.1.43-150700.3.27.1.x86_64.rpm
SUSE-SLE-Module-Desktop-Applications-15-SP7-2026-13
Security update for ImageMagick
important
SUSE Updates SLE-Module-Desktop-Applications 15-SP7 x86 64
This update for ImageMagick fixes the following issues:
- CVE-2025-65955: possible use-after-free/double-free in `Options::fontFamily` when clearing a family can lead to
crashes or memory corruption (bsc#1254435).
- CVE-2025-66628: possible integer overflow in the TIM image parser's `ReadTIMImage` function can lead to arbitrary
memory disclosure on 32-bit systems (bsc#1254820).
- CVE-2025-68469: crash due to heap buffer overflow when processing a specially crafted TIFF file (bsc#1255391).
ImageMagick-7.1.0.9-150400.6.58.1.src.rpm
ImageMagick-config-7-upstream-7.1.0.9-150400.6.58.1.x86_64.rpm
SUSE-SLE-Module-Desktop-Applications-15-SP7-2025-4440
Security update for wireshark
moderate
SUSE Updates SLE-Module-Desktop-Applications 15-SP7 x86 64
This update for wireshark fixes the following issues:
- CVE-2025-13499: Fixed Kafka dissector crash due to malformed packet (bsc#1254108).
- CVE-2025-13946: Fixed MEGACO dissector infinite loop that allows denial of service (bsc#1254472).
wireshark-4.2.14-150600.18.32.1.src.rpm
wireshark-devel-4.2.14-150600.18.32.1.x86_64.rpm
wireshark-ui-qt-4.2.14-150600.18.32.1.x86_64.rpm
SUSE-SLE-Module-Desktop-Applications-15-SP7-2025-4501
Security update for taglib
low
SUSE Updates SLE-Module-Desktop-Applications 15-SP7 x86 64
This update for taglib fixes the following issues:
- CVE-2023-47466: application crash when processing specially crafted WAV files during tag writing operations
(bsc#1243499).
libtag-devel-1.13.1-150600.3.3.1.x86_64.rpm
libtag_c0-1.13.1-150600.3.3.1.x86_64.rpm
taglib-1.13.1-150600.3.3.1.src.rpm
SUSE-SLE-Module-Desktop-Applications-15-SP7-2026-44
Security update for mozjs60
moderate
SUSE Updates SLE-Module-Desktop-Applications 15-SP7 x86 64
This update for mozjs60 fixes the following issues:
- CVE-2024-45492: embedded expat: detect integer overflow in function nextScaffoldPart (bsc#1230038)
- CVE-2024-45491: embedded expat: detect integer overflow in dtdCopy (bsc#1230037)
- CVE-2024-45490: embedded expat: reject negative len for XML_ParseBuffer (bsc#1230036)
- CVE-2024-50602: libexpat: DoS via XML_ResumeParser (bsc#1232602)
mozjs60-60.9.0-150200.6.8.1.src.rpm
mozjs60-devel-60.9.0-150200.6.8.1.x86_64.rpm
SUSE-SLE-Module-Desktop-Applications-15-SP7-2026-64
Recommended update for libmicrohttpd
moderate
SUSE Updates SLE-Module-Desktop-Applications 15-SP7 x86 64
This update for libmicrohttpd fixes the following issues:
- Fix: libmicrohttpd 0.9.77: test_tricky_url fails during %check (bsc#1254301).
libmicrohttpd-0.9.77-150600.3.6.1.src.rpm
libmicrohttpd-devel-0.9.77-150600.3.6.1.x86_64.rpm
SUSE-SLE-Module-Desktop-Applications-15-SP7-2026-87
Security update for libheif
moderate
SUSE Updates SLE-Module-Desktop-Applications 15-SP7 x86 64
This update for libheif fixes the following issues:
- CVE-2025-68431: Fixed heap buffer over-read in `HeifPixelImage::overlay()` via crafted HEIF
that exercises the overlay image item (bsc#1255735)
libheif-1.19.5-150700.3.3.1.src.rpm
libheif1-1.19.5-150700.3.3.1.x86_64.rpm
SUSE-SLE-Module-Desktop-Applications-15-SP7-2026-73
Security update for ImageMagick
moderate
SUSE Updates SLE-Module-Desktop-Applications 15-SP7 x86 64
This update for ImageMagick fixes the following issues:
- CVE-2025-68618: reading a malicious SVG file may result in a DoS attack (bsc#1255821).
- CVE-2025-68950: check for circular references in mvg files may lead to stack overflow (bsc#1255822).
- CVE-2025-69204: an integer overflow can lead to a DoS attack (bsc#1255823).
ImageMagick-7.1.1.43-150700.3.30.1.src.rpm
ImageMagick-7.1.1.43-150700.3.30.1.x86_64.rpm
ImageMagick-config-7-SUSE-7.1.1.43-150700.3.30.1.x86_64.rpm
ImageMagick-config-7-upstream-limited-7.1.1.43-150700.3.30.1.x86_64.rpm
ImageMagick-config-7-upstream-open-7.1.1.43-150700.3.30.1.x86_64.rpm
ImageMagick-config-7-upstream-secure-7.1.1.43-150700.3.30.1.x86_64.rpm
ImageMagick-config-7-upstream-websafe-7.1.1.43-150700.3.30.1.x86_64.rpm
ImageMagick-devel-7.1.1.43-150700.3.30.1.x86_64.rpm
libMagick++-7_Q16HDRI5-7.1.1.43-150700.3.30.1.x86_64.rpm
libMagick++-devel-7.1.1.43-150700.3.30.1.x86_64.rpm
libMagickCore-7_Q16HDRI10-7.1.1.43-150700.3.30.1.x86_64.rpm
libMagickWand-7_Q16HDRI10-7.1.1.43-150700.3.30.1.x86_64.rpm
SUSE-SLE-Module-Desktop-Applications-15-SP7-2026-72
Security update for ImageMagick
moderate
SUSE Updates SLE-Module-Desktop-Applications 15-SP7 x86 64
This update for ImageMagick fixes the following issues:
- CVE-2025-68618: reading a malicious SVG file may result in a DoS attack (bsc#1255821).
- CVE-2025-68950: check for circular references in mvg files may lead to stack overflow (bsc#1255822).
ImageMagick-7.1.0.9-150400.6.61.1.src.rpm
ImageMagick-config-7-upstream-7.1.0.9-150400.6.61.1.x86_64.rpm
SUSE-SLE-Module-Desktop-Applications-15-SP7-2026-243
Security update for librsvg
moderate
SUSE Updates SLE-Module-Desktop-Applications 15-SP7 x86 64
This update for librsvg fixes the following issues:
Update to version 2.57.4 - bsc#1243867:
+ CVE-2024-12224: RUSTSEC-2024-0421 - idna accepts Punycode labels that do not produce any non-ASCII when decoded.
+ RUSTSEC-2024-0404 - Unsoundness in anstream.
librsvg-2.57.4-150600.3.3.1.src.rpm
librsvg-devel-2.57.4-150600.3.3.1.x86_64.rpm
typelib-1_0-Rsvg-2_0-2.57.4-150600.3.3.1.x86_64.rpm
SUSE-SLE-Module-Desktop-Applications-15-SP7-2026-260
Security update for MozillaFirefox
important
SUSE Updates SLE-Module-Desktop-Applications 15-SP7 x86 64
This update for MozillaFirefox fixes the following issues:
Update to Firefox Extended Support Release 140.7.0 ESR (bsc#1256340).
- MFSA 2026-03
* CVE-2026-0877: Mitigation bypass in the DOM: Security component
* CVE-2026-0878: Sandbox escape due to incorrect boundary conditions in the Graphics: CanvasWebGL component
* CVE-2026-0879: Sandbox escape due to incorrect boundary conditions in the Graphics component
* CVE-2026-0880: Sandbox escape due to integer overflow in the Graphics component
* CVE-2026-0882: Use-after-free in the IPC component
* CVE-2025-14327: Spoofing issue in the Downloads Panel component
* CVE-2026-0883: Information disclosure in the Networking component
* CVE-2026-0884: Use-after-free in the JavaScript Engine component
* CVE-2026-0885: Use-after-free in the JavaScript: GC component
* CVE-2026-0886: Incorrect boundary conditions in the Graphics component
* CVE-2026-0887: Clickjacking issue, information disclosure in the PDF Viewer component
* CVE-2026-0890: Spoofing issue in the DOM: Copy-Paste and Drag-Drop component
* CVE-2026-0891: Memory safety bugs fixed in Firefox ESR 140.7, Thunderbird ESR 140.7, Firefox 147 and Thunderbird 147
MozillaFirefox-140.7.0-150200.152.216.1.src.rpm
MozillaFirefox-140.7.0-150200.152.216.1.x86_64.rpm
MozillaFirefox-devel-140.7.0-150200.152.216.1.noarch.rpm
MozillaFirefox-translations-common-140.7.0-150200.152.216.1.x86_64.rpm
MozillaFirefox-translations-other-140.7.0-150200.152.216.1.x86_64.rpm
SUSE-SLE-Module-Desktop-Applications-15-SP7-2026-259
Security update for avahi
moderate
SUSE Updates SLE-Module-Desktop-Applications 15-SP7 x86 64
This update for avahi fixes the following issues:
- CVE-2025-68276: Fixed by refusing to create wide-area record browsers when
wide-area is off (bsc#1256498)
- CVE-2025-68471: Fixed DoS bug by changing assert to return (bsc#1256500)
- CVE-2025-68468: Fixed DoS bug by removing incorrect assertion (bsc#1256499)
avahi-0.8-150600.15.12.1.src.rpm
avahi-autoipd-0.8-150600.15.12.1.x86_64.rpm
avahi-glib2-0.8-150600.15.12.1.src.rpm
avahi-utils-gtk-0.8-150600.15.12.1.x86_64.rpm
libavahi-gobject-devel-0.8-150600.15.12.1.x86_64.rpm
SUSE-SLE-Module-Desktop-Applications-15-SP7-2026-201
Recommended update for libheif
moderate
SUSE Updates SLE-Module-Desktop-Applications 15-SP7 x86 64
This update for libheif fixes the following issue:
- missing aom, jpeg, dav1d, ffmpeg plugins are shipped to the Desktop Applications module (bsc#1249446).
libheif-1.19.5-150700.3.5.1.src.rpm
libheif-aom-1.19.5-150700.3.5.1.x86_64.rpm
libheif-dav1d-1.19.5-150700.3.5.1.x86_64.rpm
libheif-jpeg-1.19.5-150700.3.5.1.x86_64.rpm
libheif-rav1e-1.19.5-150700.3.5.1.x86_64.rpm
libheif1-1.19.5-150700.3.5.1.x86_64.rpm
SUSE-SLE-Module-Desktop-Applications-15-SP7-2026-237
Security update for wireshark
moderate
SUSE Updates SLE-Module-Desktop-Applications 15-SP7 x86 64
This update for wireshark fixes the following issues:
- CVE-2026-0959: IEEE 802.11 dissector crash (bsc#1256734).
- CVE-2026-0960: HTTP3 dissector infinite loop (bsc#1256736).
- CVE-2026-0962: SOME/IP-SD dissector crash (bsc#1256739).
wireshark-4.2.14-150600.18.35.1.src.rpm
wireshark-devel-4.2.14-150600.18.35.1.x86_64.rpm
wireshark-ui-qt-4.2.14-150600.18.35.1.x86_64.rpm
SUSE-SLE-Module-Desktop-Applications-15-SP7-2026-437
Security update for ImageMagick
important
SUSE Updates SLE-Module-Desktop-Applications 15-SP7 x86 64
This update for ImageMagick fixes the following issues:
- CVE-2026-22770: improper pointer initialization can cause denial of service (bsc#1256969).
- CVE-2026-23874: manipulation of digital images can lead to stack overflow (bsc#1256976).
- CVE-2026-23876: maliciously crafted image can lead to heap buffer overflow (bsc#1256962).
- CVE-2026-23952: processing comment tag can cause null pointer dereference (bsc#1257076).
ImageMagick-7.1.1.43-150700.3.33.1.src.rpm
ImageMagick-7.1.1.43-150700.3.33.1.x86_64.rpm
ImageMagick-config-7-SUSE-7.1.1.43-150700.3.33.1.x86_64.rpm
ImageMagick-config-7-upstream-limited-7.1.1.43-150700.3.33.1.x86_64.rpm
ImageMagick-config-7-upstream-open-7.1.1.43-150700.3.33.1.x86_64.rpm
ImageMagick-config-7-upstream-secure-7.1.1.43-150700.3.33.1.x86_64.rpm
ImageMagick-config-7-upstream-websafe-7.1.1.43-150700.3.33.1.x86_64.rpm
ImageMagick-devel-7.1.1.43-150700.3.33.1.x86_64.rpm
libMagick++-7_Q16HDRI5-7.1.1.43-150700.3.33.1.x86_64.rpm
libMagick++-devel-7.1.1.43-150700.3.33.1.x86_64.rpm
libMagickCore-7_Q16HDRI10-7.1.1.43-150700.3.33.1.x86_64.rpm
libMagickWand-7_Q16HDRI10-7.1.1.43-150700.3.33.1.x86_64.rpm
SUSE-SLE-Module-Desktop-Applications-15-SP7-2026-503
Security update for ImageMagick
important
SUSE Updates SLE-Module-Desktop-Applications 15-SP7 x86 64
This update for ImageMagick fixes the following issues:
- CVE-2026-23874: manipulation of digital images can lead to stack overflow (bsc#1256976).
- CVE-2026-23876: maliciously crafted image can lead to heap buffer overflow (bsc#1256962).
- CVE-2026-23952: processing comment tag can cause null pointer dereference (bsc#1257076).
ImageMagick-7.1.0.9-150400.6.64.1.src.rpm
ImageMagick-config-7-upstream-7.1.0.9-150400.6.64.1.x86_64.rpm
SUSE-SLE-Module-Desktop-Applications-15-SP7-2026-428
Recommended update for open-vm-tools
moderate
SUSE Updates SLE-Module-Desktop-Applications 15-SP7 x86 64
This update for open-vm-tools fixes the following issues:
- update to 13.0.10 based on build 25056151 (bsc#1257357):
* There are no new features in the open-vm-tools 13.0.10 release.
* This is primarily a maintenance release that addresses a fix.
* A minor enhancement has been made for Guest OS Customization.
* The DeployPkg plugin has been updated to handle a new cloud-init error code that
signals a recoverable error and allow cloud-init to finish running.
open-vm-tools-13.0.10-150600.3.24.1.src.rpm
open-vm-tools-desktop-13.0.10-150600.3.24.1.x86_64.rpm
SUSE-SLE-Module-Desktop-Applications-15-SP7-2026-780
Security update for tracker-miners
moderate
SUSE Updates SLE-Module-Desktop-Applications 15-SP7 x86 64
This update for tracker-miners fixes the following issues:
- CVE-2026-1764: heap buffer overflow leads to denial of service or information disclosure when parsing MP3 files
(bsc#1257606).
- CVE-2026-1765: denial of service and potential information disclosure via crafted MP3 files (bsc#1257607).
- CVE-2026-1766: denial of service and information disclosure via malformed MP3 files (bsc#1257608).
- CVE-2026-1767: heap buffer overflow leading to denial of service or information disclosure via malformed MP3 ID3
tags (bsc#1257609).
tracker-miner-files-3.6.2-150600.4.6.1.x86_64.rpm
tracker-miners-3.6.2-150600.4.6.1.src.rpm
tracker-miners-3.6.2-150600.4.6.1.x86_64.rpm
SUSE-SLE-Module-Desktop-Applications-15-SP7-2026-820
Recommended update for libnvidia-egl-wayland
moderate
SUSE Updates SLE-Module-Desktop-Applications 15-SP7 x86 64
This update for libnvidia-egl-wayland fixes the following issues:
- update to version 1.1.22:
* egl-wayland: remove extraneous call to wl_display_rou
- update to version 1.1.21:
* fix loading libdrm when wl_drm is not available
* add FP16 DRM format - requires some fixes to the core driver to fully work however
- fixed build against sle15-sp6/Leap 15.6
libnvidia-egl-wayland-1.1.22-150700.3.9.1.src.rpm
libnvidia-egl-wayland1-32bit-1.1.22-150700.3.9.1.x86_64.rpm
SUSE-SLE-Module-Desktop-Applications-15-SP7-2026-1036
Recommended update for libnvidia-egl-x11
moderate
SUSE Updates SLE-Module-Desktop-Applications 15-SP7 x86 64
This update for libnvidia-egl-x11 fixes the following issues:
- bump version number to 1.0.5:
* fix building on FreeBSD
* rename a patch
- update to v1.0.4 tarball/version 1.0.5:
* fix attribute handling for eglCreateWindowPixmapSur
* handle eglQuerySurface EGL_RENDER_BUFFER
* enable implicit sync if we're talking to the NVIDIA
libnvidia-egl-x11-1.0.5-150700.4.9.1.src.rpm
libnvidia-egl-x11-devel-1.0.5-150700.4.9.1.x86_64.rpm
libnvidia-egl-x111-1.0.5-150700.4.9.1.x86_64.rpm
libnvidia-egl-x111-32bit-1.0.5-150700.4.9.1.x86_64.rpm
SUSE-SLE-Module-Desktop-Applications-15-SP7-2026-611
Security update for MozillaFirefox
important
SUSE Updates SLE-Module-Desktop-Applications 15-SP7 x86 64
This update for MozillaFirefox fixes the following issues:
- Update to Firefox 140.7.1 ESR
- CVE-2026-2447: Fixed a heap buffer overflow in libvpx. (bsc#1258231)
MozillaFirefox-140.7.1-150200.152.219.1.src.rpm
MozillaFirefox-140.7.1-150200.152.219.1.x86_64.rpm
MozillaFirefox-devel-140.7.1-150200.152.219.1.noarch.rpm
MozillaFirefox-translations-common-140.7.1-150200.152.219.1.x86_64.rpm
MozillaFirefox-translations-other-140.7.1-150200.152.219.1.x86_64.rpm
SUSE-SLE-Module-Desktop-Applications-15-SP7-2026-1169
Security update for wireshark
important
SUSE Updates SLE-Module-Desktop-Applications 15-SP7 x86 64
This update for wireshark fixes the following issues:
Update Wireshark to version 4.6.4 (jsc#PED-15400).
- CVE-2024-9780: ITS dissector crash (bsc#1231475).
- CVE-2024-9781: AppleTalk and RELOAD Framing dissector crash (bsc#1231476).
- CVE-2024-11595: Loop with Unreachable Exit Condition ('Infinite Loop') in Wireshark (bsc#1233594).
- CVE-2024-11596: Buffer Over-read in Wireshark (bsc#1233593).
- CVE-2025-1492: Uncontrolled Recursion in Wireshark (bsc#1237414).
- CVE-2025-5601: Column handling crashes in Wireshark allows denial of service (bsc#1244081).
- CVE-2025-9817: NULL Pointer Dereference in ssh dissector (bsc#1249090).
- CVE-2025-13499: a malformed packet can lead to a Kafka dissector crash (bsc#1254108).
- CVE-2025-13674: injecting a malformed packet can cause a crash (bsc#1254262).
- CVE-2025-13945: HTTP3 dissector crash in Wireshark 4.6.0 and 4.6.1 allows denial of service (bsc#1254471).
- CVE-2025-13946: MEGACO dissector infinite loop in Wireshark 4.6.0 to 4.6.1 and 4.4.0 to 4.4.11 allows denial of
service (bsc#1254472).
- CVE-2026-0959: denial of service via IEEE 802.11 protocol dissector crash (bsc#1256734).
- CVE-2026-0960: denial of service via HTTP3 protocol dissector infinite loop (bsc#1256736).
- CVE-2026-0961: denial of service vulnerability in BLF file parser (bsc#1256738).
- CVE-2026-0962: denial of service via SOME/IP-SD protocol dissector crash (bsc#1256739).
- CVE-2026-3201: missing limit checks in USB HID protocol dissector's `parse_report_descriptor` function can lead to
memory exhaustion (bsc#1258907).
- CVE-2026-3202: missing checks in NTS-KE protocol dissector can lead to crash (bsc#1258908).
- CVE-2026-3203: missing length checks in the RF4CE Profile protocol dissector can lead to illegal memory access and
crash (bsc#1258909).
Also libvirt was rebuilt against wireshark for the libvirt plugin.
wireshark-4.6.4-150700.21.8.1.src.rpm
wireshark-devel-4.6.4-150700.21.8.1.x86_64.rpm
wireshark-ui-qt-4.6.4-150700.21.8.1.x86_64.rpm
SUSE-SLE-Module-Desktop-Applications-15-SP7-2026-871
Security update for MozillaFirefox
important
SUSE Updates SLE-Module-Desktop-Applications 15-SP7 x86 64
This update for MozillaFirefox fixes the following issues:
Update to Firefox Extended Support Release 140.8.0 ESR (MFSA 2026-15) (bsc#1258568):
- CVE-2026-2757: Incorrect boundary conditions in the WebRTC: Audio/Video component
- CVE-2026-2758: Use-after-free in the JavaScript: GC component
- CVE-2026-2759: Incorrect boundary conditions in the Graphics: ImageLib component
- CVE-2026-2760: Sandbox escape due to incorrect boundary conditions in the Graphics: WebRender component
- CVE-2026-2761: Sandbox escape in the Graphics: WebRender component
- CVE-2026-2762: Integer overflow in the JavaScript: Standard Library component
- CVE-2026-2763: Use-after-free in the JavaScript Engine component
- CVE-2026-2764: JIT miscompilation, use-after-free in the JavaScript Engine: JIT component
- CVE-2026-2765: Use-after-free in the JavaScript Engine component
- CVE-2026-2766: Use-after-free in the JavaScript Engine: JIT component
- CVE-2026-2767: Use-after-free in the JavaScript: WebAssembly component
- CVE-2026-2768: Sandbox escape in the Storage: IndexedDB component
- CVE-2026-2769: Use-after-free in the Storage: IndexedDB component
- CVE-2026-2770: Use-after-free in the DOM: Bindings (WebIDL) component
- CVE-2026-2771: Undefined behavior in the DOM: Core & HTML component
- CVE-2026-2772: Use-after-free in the Audio/Video: Playback component
- CVE-2026-2773: Incorrect boundary conditions in the Web Audio component
- CVE-2026-2774: Integer overflow in the Audio/Video component
- CVE-2026-2775: Mitigation bypass in the DOM: HTML Parser component
- CVE-2026-2776: Sandbox escape due to incorrect boundary conditions in the Telemetry component in External Software
- CVE-2026-2777: Privilege escalation in the Messaging System component
- CVE-2026-2778: Sandbox escape due to incorrect boundary conditions in the DOM: Core & HTML component
- CVE-2026-2779: Incorrect boundary conditions in the Networking: JAR component
- CVE-2026-2780: Privilege escalation in the Netmonitor component
- CVE-2026-2781: Integer overflow in the Libraries component in NSS
- CVE-2026-2782: Privilege escalation in the Netmonitor component
- CVE-2026-2783: Information disclosure due to JIT miscompilation in the JavaScript Engine: JIT component
- CVE-2026-2784: Mitigation bypass in the DOM: Security component
- CVE-2026-2785: Invalid pointer in the JavaScript Engine component
- CVE-2026-2786: Use-after-free in the JavaScript Engine component
- CVE-2026-2787: Use-after-free in the DOM: Window and Location component
- CVE-2026-2788: Incorrect boundary conditions in the Audio/Video: GMP component
- CVE-2026-2789: Use-after-free in the Graphics: ImageLib component
- CVE-2026-2790: Same-origin policy bypass in the Networking: JAR component
- CVE-2026-2791: Mitigation bypass in the Networking: Cache component
- CVE-2026-2792: Memory safety bugs fixed in Firefox ESR 140.8, Thunderbird ESR 140.8, Firefox 148 and Thunderbird 148
- CVE-2026-2793: Memory safety bugs fixed in Firefox ESR 115.33, Firefox ESR 140.8, Thunderbird ESR 140.8, Firefox 148
and Thunderbird 148
MozillaFirefox-140.8.0-150200.152.222.1.src.rpm
MozillaFirefox-140.8.0-150200.152.222.1.x86_64.rpm
MozillaFirefox-devel-140.8.0-150200.152.222.1.noarch.rpm
MozillaFirefox-translations-common-140.8.0-150200.152.222.1.x86_64.rpm
MozillaFirefox-translations-other-140.8.0-150200.152.222.1.x86_64.rpm
SUSE-SLE-Module-Desktop-Applications-15-SP7-2026-851
Security update for ImageMagick
important
SUSE Updates SLE-Module-Desktop-Applications 15-SP7 x86 64
This update for ImageMagick fixes the following issues:
- CVE-2026-24481: Possible Heap Information Disclosure in PSD ZIP Decompression (bsc#1258743).
- CVE-2026-24484: denial of service vulnerability via multi-layer nested MVG to SVG conversion (bsc#1258790).
- CVE-2026-24485: denial of service via malformed PCD file processing (bsc#1258791).
- CVE-2026-25576: Out of bounds read in multiple coders that read raw pixel data (bsc#1258748).
- CVE-2026-25637: Denial of Service via crafted image due to memory leak (bsc#1258759).
- CVE-2026-25638: Denial of Service due to memory leak in image processing (bsc#1258793).
- CVE-2026-25795: Denial of Service due to NULL pointer dereference during temporary file creation failure
(bsc#1258792).
- CVE-2026-25796: Memory leak of watermark Image object in ReadSTEGANOImage on multiple error/early-return paths
(bsc#1258757).
- CVE-2026-25797: Code injection in various encoders (bsc#1258770).
- CVE-2026-25798: NULL Pointer Dereference in ClonePixelCacheRepository via crafted image (bsc#1258787).
- CVE-2026-25799: Division-by-Zero in YUV sampling factor validation leads to crash (bsc#1258786).
- CVE-2026-25897: Out-of-bounds heap write via integer overflow in sun decoder (bsc#1258799).
- CVE-2026-25898: Information disclosure or denial of service via crafted image with invalid pixel index (bsc#1258807).
- CVE-2026-25965: Policy bypass through path traversal allows reading restricted content despite secured policy
(bsc#1258785).
- CVE-2026-25966: Security Policy Bypass through config/policy-secure.xml via "fd handler" leads to stdin/stdout access
(bsc#1258780).
- CVE-2026-25967: Stack buffer overflow in FTXT reader via oversized integer field (bsc#1258779).
- CVE-2026-25968: MSL attribute stack buffer overflow leads to out of bounds write (bsc#1258776).
- CVE-2026-25969: Memory Leak in coders/ashlar.c (bsc#1258775).
- CVE-2026-25970: Memory corruption and denial of service via signed integer overflow in SIXEL decoder (bsc#1258802).
- CVE-2026-25971: MSL: Stack overflow in ProcessMSLScript (bsc#1258774).
- CVE-2026-25982: Heap Out-of-Bounds Read in DCM Decoder (bsc#1258772).
- CVE-2026-25983: Denial of service via crafted MSL script (bsc#1258805).
- CVE-2026-25985: Excessive memory allocation without limits in the internal SVG decoder (bsc#1258812).
- CVE-2026-25986: Denial of Service via malicious YUV image processing (bsc#1258818).
- CVE-2026-25987: Memory disclosure and denial of service via crafted MAP files (bsc#1258821).
- CVE-2026-25988: Denial of Service due to memory leak in image processing (bsc#1258810).
- CVE-2026-25989: Integer overflow or wraparound and incorrect conversion between numeric types in the internal SVG
decoder (bsc#1258771).
- CVE-2026-26066: Infinite loop when writing IPTCTEXT leads to denial of service via crafted profile (bsc#1258769).
- CVE-2026-26283: Possible infinite loop in JPEG encoder when using `jpeg: extent` (bsc#1258767).
- CVE-2026-26284: Heap overflow in pcd decoder leads to out of bounds read (bsc#1258765).
- CVE-2026-26983: Invalid MSL <map> can result in a use after free (bsc#1258763).
- CVE-2026-27798: Heap Buffer Over-read in WaveletDenoise when processing small images (bsc#1259018).
- CVE-2026-27799: ImageMagick has a heap Buffer Over-read in its DJVU image format handler (bsc#1259017).
ImageMagick-7.1.1.43-150700.3.37.1.src.rpm
ImageMagick-7.1.1.43-150700.3.37.1.x86_64.rpm
ImageMagick-config-7-SUSE-7.1.1.43-150700.3.37.1.x86_64.rpm
ImageMagick-config-7-upstream-limited-7.1.1.43-150700.3.37.1.x86_64.rpm
ImageMagick-config-7-upstream-open-7.1.1.43-150700.3.37.1.x86_64.rpm
ImageMagick-config-7-upstream-secure-7.1.1.43-150700.3.37.1.x86_64.rpm
ImageMagick-config-7-upstream-websafe-7.1.1.43-150700.3.37.1.x86_64.rpm
ImageMagick-devel-7.1.1.43-150700.3.37.1.x86_64.rpm
libMagick++-7_Q16HDRI5-7.1.1.43-150700.3.37.1.x86_64.rpm
libMagick++-devel-7.1.1.43-150700.3.37.1.x86_64.rpm
libMagickCore-7_Q16HDRI10-7.1.1.43-150700.3.37.1.x86_64.rpm
libMagickWand-7_Q16HDRI10-7.1.1.43-150700.3.37.1.x86_64.rpm
SUSE-SLE-Module-Desktop-Applications-15-SP7-2026-853
Security update for ImageMagick
important
SUSE Updates SLE-Module-Desktop-Applications 15-SP7 x86 64
This update for ImageMagick fixes the following issues:
- CVE-2026-24481: Possible Heap Information Disclosure in PSD ZIP Decompression (bsc#1258743).
- CVE-2026-24484: denial of service vulnerability via multi-layer nested MVG to SVG conversion (bsc#1258790).
- CVE-2026-24485: denial of service via malformed PCD file processing (bsc#1258791).
- CVE-2026-25576: Out of bounds read in multiple coders that read raw pixel data (bsc#1258748).
- CVE-2026-25637: Denial of Service via crafted image due to memory leak (bsc#1258759).
- CVE-2026-25638: Denial of Service due to memory leak in image processing (bsc#1258793).
- CVE-2026-25795: Denial of Service due to NULL pointer dereference during temporary file creation failure
(bsc#1258792).
- CVE-2026-25796: Memory leak of watermark Image object in ReadSTEGANOImage on multiple error/early-return paths
(bsc#1258757).
- CVE-2026-25797: Code injection in various encoders (bsc#1258770).
- CVE-2026-25798: NULL Pointer Dereference in ClonePixelCacheRepository via crafted image (bsc#1258787).
- CVE-2026-25799: Division-by-Zero in YUV sampling factor validation leads to crash (bsc#1258786).
- CVE-2026-25897: Out-of-bounds heap write via integer overflow in sun decoder (bsc#1258799).
- CVE-2026-25898: Information disclosure or denial of service via crafted image with invalid pixel index (bsc#1258807).
- CVE-2026-25965: Policy bypass through path traversal allows reading restricted content despite secured policy
(bsc#1258785).
- CVE-2026-25966: Security Policy Bypass through config/policy-secure.xml via "fd handler" leads to stdin/stdout access
(bsc#1258780).
- CVE-2026-25970: Memory corruption and denial of service via signed integer overflow in SIXEL decoder (bsc#1258802).
- CVE-2026-25971: MSL: Stack overflow in ProcessMSLScript (bsc#1258774).
- CVE-2026-25983: Denial of service via crafted MSL script (bsc#1258805).
- CVE-2026-25986: Denial of Service via malicious YUV image processing (bsc#1258818).
- CVE-2026-25987: Memory disclosure and denial of service via crafted MAP files (bsc#1258821).
- CVE-2026-25988: Denial of Service due to memory leak in image processing (bsc#1258810).
- CVE-2026-25989: Integer overflow or wraparound and incorrect conversion between numeric types in the internal SVG
decoder (bsc#1258771).
- CVE-2026-26066: Infinite loop when writing IPTCTEXT leads to denial of service via crafted profile (bsc#1258769).
- CVE-2026-26284: Heap overflow in pcd decoder leads to out of bounds read (bsc#1258765).
- CVE-2026-26983: Invalid MSL <map> can result in a use after free (bsc#1258763).
- CVE-2026-27798: Heap Buffer Over-read in WaveletDenoise when processing small images (bsc#1259018).
- CVE-2026-27799: ImageMagick has a heap Buffer Over-read in its DJVU image format handler (bsc#1259017).
ImageMagick-7.1.0.9-150400.6.68.2.src.rpm
ImageMagick-config-7-upstream-7.1.0.9-150400.6.68.2.x86_64.rpm
SUSE-SLE-Module-Desktop-Applications-15-SP7-2026-929
Recommended update for gedit
important
SUSE Updates SLE-Module-Desktop-Applications 15-SP7 x86 64
This update for gedit fixes the following issues:
- Disable externaltools plugin to prevent crash (bsc#1255717).
gedit-46.1-150600.3.3.1.src.rpm
gedit-46.1-150600.3.3.1.x86_64.rpm
gedit-devel-46.1-150600.3.3.1.x86_64.rpm
gedit-lang-46.1-150600.3.3.1.noarch.rpm
SUSE-SLE-Module-Desktop-Applications-15-SP7-2026-910
Security update for vim
moderate
SUSE Updates SLE-Module-Desktop-Applications 15-SP7 x86 64
This update for vim fixes the following issues:
Update Vim to version 9.2.0110:
- CVE-2025-53906: Fixed that a malicious zip archive may cause a path traversal in Vim's zip (bsc#1246602).
- CVE-2026-26269: Fixed Netbeans specialKeys stack buffer overflow (bsc#1258229).
- CVE-2026-28417: Fixed that a crafted URL parsed by netrw plugin can lead to execute arbitrary shell commands (bsc#1259051).
- CVE-2026-28418: Fixed that a malformed tags file can cause a heap-based buffer overflow out-of-bounds read (bsc#1259052)
- CVE-2026-28419: Fixed processing a malformed tags file containing a delimiter can lead to a crash (bsc#1259053)
- CVE-2026-28420: Fixed that processing maximum combining characters in terminal emulator can lead to heap-based buffer overflow write (bsc#1259054)
- CVE-2026-28421: Fixed that a crafted swap file can cause a heap-buffer-overflow and a segmentation fault
- CVE-2026-28422: Fixed that a malicious modeline or plugin can trigger a stack-buffer-overflow (bsc#1259056)
gvim-9.2.0110-150500.20.43.1.x86_64.rpm
vim-9.2.0110-150500.20.43.1.src.rpm
SUSE-SLE-Module-Desktop-Applications-15-SP7-2026-960
Security update for gvfs
important
SUSE Updates SLE-Module-Desktop-Applications 15-SP7 x86 64
This update for gvfs fixes the following issues:
- CVE-2026-28295: information disclosure when processing untrusted PASV responses from FTP servers (bsc#1258953).
- CVE-2026-28296: arbitrary FTP command injection due to unsanitized CRLF sequences in user supplied file paths
(bsc#1258954).
gvfs-1.52.2-150600.3.3.1.src.rpm
gvfs-1.52.2-150600.3.3.1.x86_64.rpm
gvfs-backend-afc-1.52.2-150600.3.3.1.x86_64.rpm
gvfs-backend-samba-1.52.2-150600.3.3.1.x86_64.rpm
gvfs-backends-1.52.2-150600.3.3.1.x86_64.rpm
gvfs-devel-1.52.2-150600.3.3.1.noarch.rpm
gvfs-fuse-1.52.2-150600.3.3.1.x86_64.rpm
gvfs-lang-1.52.2-150600.3.3.1.noarch.rpm
SUSE-SLE-Module-Desktop-Applications-15-SP7-2026-1202
Security update for ImageMagick
important
SUSE Updates SLE-Module-Desktop-Applications 15-SP7 x86 64
This update for ImageMagick fixes the following issues:
- CVE-2026-24484: denial of service vulnerability via multi-layer nested MVG to SVG conversion (bsc#1258790).
- CVE-2026-28493: integer overflow in the SIXEL decoder leads to out-of-bounds write (bsc#1259446).
- CVE-2026-28494: missing bounds checks in the morphology kernel parsing functions can lead to a stack buffer overflow
(bsc#1259447).
- CVE-2026-28686: undersized output buffer allocation in the PCL encoder can lead to a heap buffer overflow
(bsc#1259448).
- CVE-2026-28687: heap use-after-free vulnerability in the MSL decoder via a crafted MSL file (bsc#1259450).
- CVE-2026-28688: heap use-after-free in the MSL encoder when a cloned image is destroyed twice (bsc#1259451).
- CVE-2026-28689: `domain="path"` authorization is checked before final file open/use and allows for read/write bypass
via symlink swaps (bsc#1259452).
- CVE-2026-28690: missing bounds check in the MNG encoder can lead to a stack buffer overflow (bsc#1259456).
- CVE-2026-28691: missing check in the JBIG decoder can lead to an uninitialized pointer dereference (bsc#1259455).
- CVE-2026-28692: 32-bit integer overflow in MAT decoder can lead to a heap buffer over-read (bsc#1259457).
- CVE-2026-28693: integer overflow in the DIB coder can lead to an out-of-bounds read or write (bsc#1259466).
- CVE-2026-30883: missing bounds check when encoding a PNG image can lead to a heap buffer over-write (bsc#1259467).
- CVE-2026-30929: improper use of fixed-size stack buffer in `MagnifyImage` can lead to a stack buffer overflow
(bsc#1259468).
- CVE-2026-30931: value truncation in the UHDR encoder can lead to a heap buffer overflow (bsc#1259469).
- CVE-2026-30935: heap-based buffer over-read in BilateralBlurImage (bsc#1259497).
- CVE-2026-30936: Heap Buffer Overflow in WaveletDenoiseImage (bsc#1259464).
- CVE-2026-30937: Heap buffer overflow in XWD encoder due to CARD32 arithmetic overflow (bsc#1259463).
- CVE-2026-31853: heap buffer overflow leads to crash in the SFW decoder of 32-bit systems when processing extremely
large images (bsc#1259528).
- CVE-2026-32259: memory allocation failure can lead to an out-of-bounds write (bsc#1259612).
- CVE-2026-32636: Denial of Service via out-of-bounds write in NewXMLTree method (bsc#1259872).
- CVE-2026-33535: Out-of-Bounds write of a zero byte in X11 display interaction (bsc#1260874).
- CVE-2026-33536: Denial of Service via out-of-bounds write (bsc#1260879).
ImageMagick-7.1.1.43-150700.3.42.1.src.rpm
ImageMagick-7.1.1.43-150700.3.42.1.x86_64.rpm
ImageMagick-config-7-SUSE-7.1.1.43-150700.3.42.1.x86_64.rpm
ImageMagick-config-7-upstream-limited-7.1.1.43-150700.3.42.1.x86_64.rpm
ImageMagick-config-7-upstream-open-7.1.1.43-150700.3.42.1.x86_64.rpm
ImageMagick-config-7-upstream-secure-7.1.1.43-150700.3.42.1.x86_64.rpm
ImageMagick-config-7-upstream-websafe-7.1.1.43-150700.3.42.1.x86_64.rpm
ImageMagick-devel-7.1.1.43-150700.3.42.1.x86_64.rpm
libMagick++-7_Q16HDRI5-7.1.1.43-150700.3.42.1.x86_64.rpm
libMagick++-devel-7.1.1.43-150700.3.42.1.x86_64.rpm
libMagickCore-7_Q16HDRI10-7.1.1.43-150700.3.42.1.x86_64.rpm
libMagickWand-7_Q16HDRI10-7.1.1.43-150700.3.42.1.x86_64.rpm
SUSE-SLE-Module-Desktop-Applications-15-SP7-2026-1497
Security update for ImageMagick
important
SUSE Updates SLE-Module-Desktop-Applications 15-SP7 x86 64
This update for ImageMagick fixes the following issues:
- CVE-2026-24484: denial of service via multi-layer nested MVG to SVG conversion (bsc#1258790).
- CVE-2026-28493: integer overflow in the SIXEL decoder leads to out-of-bounds write (bsc#1259446).
- CVE-2026-28494: missing bounds checks in the morphology kernel parsing functions can lead to a stack buffer overflow
(bsc#1259447).
- CVE-2026-28686: undersized output buffer allocation in the PCL encoder can lead to a heap buffer overflow
(bsc#1259448).
- CVE-2026-28687: heap use-after-free vulnerability in the MSL decoder via a crafted MSL file (bsc#1259450).
- CVE-2026-28688: heap use-after-free in the MSL encoder when a cloned image is destroyed twice (bsc#1259451).
- CVE-2026-28689: `domain="path"` authorization is checked before final file open/use and allows for read/write bypass
via symlink swaps (bsc#1259452).
- CVE-2026-28690: missing bounds check in the MNG encoder can lead to a stack buffer overflow (bsc#1259456).
- CVE-2026-28691: missing check in the JBIG decoder can lead to an uninitialized pointer dereference (bsc#1259455).
- CVE-2026-28692: 32-bit integer overflow in MAT decoder can lead to a heap buffer over-read (bsc#1259457).
- CVE-2026-28693: integer overflow in the DIB coder can lead to an out-of-bounds read or write (bsc#1259466).
- CVE-2026-30883: missing bounds check when encoding a PNG image can lead to a heap buffer over-write (bsc#1259467).
- CVE-2026-30929: improper use of fixed-size stack buffer in `MagnifyImage` can lead to a stack buffer overflow
(bsc#1259468).
- CVE-2026-30936: heap buffer overflow in `WaveletDenoiseImage` (bsc#1259464).
- CVE-2026-30937: heap buffer overflow in XWD encoder due to CARD32 arithmetic overflow (bsc#1259463).
- CVE-2026-31853: heap buffer overflow leads to crash in the SFW decoder of 32-bit systems when processing extremely
large images (bsc#1259528).
- CVE-2026-32259: memory allocation failure in the SIXEL encoder can lead to a stack out-of-bound write (bsc#1259612).
- CVE-2026-32636: denial of service via out-of-bounds write in `NewXMLTree` method (bsc#1259872).
- CVE-2026-33535: out-of-bounds write of a zero byte in X11 display interaction (bsc#1260874).
- CVE-2026-33536: denial of service via a stack out-of-bounds write in `InterpretImageFilename` (bsc#1260879).
- CVE-2026-33905: denial of service via out-of-bounds read in `-sample` operation (bsc#1262097).
ImageMagick-7.1.0.9-150400.6.75.1.src.rpm
ImageMagick-config-7-upstream-7.1.0.9-150400.6.75.1.x86_64.rpm
SUSE-SLE-Module-Desktop-Applications-15-SP7-2026-1161
Recommended update for gnome-shell
important
SUSE Updates SLE-Module-Desktop-Applications 15-SP7 x86 64
This update for gnome-shell fixes the following issues:
- Fix: L3: GDM smartcard login hangs/fails after PIN entry (bsc#1258238)
* Don't assume this._user is always defined
- Fix: GNOME Shell built-in screencast feature does not work (bsc#1235036)
* Correct expected bus name for streams
gnome-extensions-45.3-150700.11.3.1.x86_64.rpm
gnome-shell-45.3-150700.11.3.1.src.rpm
gnome-shell-45.3-150700.11.3.1.x86_64.rpm
gnome-shell-devel-45.3-150700.11.3.1.x86_64.rpm
gnome-shell-lang-45.3-150700.11.3.1.noarch.rpm
SUSE-SLE-Module-Desktop-Applications-15-SP7-2026-1660
Security update for libheif
low
SUSE Updates SLE-Module-Desktop-Applications 15-SP7 x86 64
This update for libheif fixes the following issues:
- CVE-2026-3949: Manipulation of the argument size of a malicious frame can lead to out-of-bounds read (bsc#1259541).
libheif-1.19.5-150700.3.8.1.src.rpm
libheif-aom-1.19.5-150700.3.8.1.x86_64.rpm
libheif-dav1d-1.19.5-150700.3.8.1.x86_64.rpm
libheif-jpeg-1.19.5-150700.3.8.1.x86_64.rpm
libheif-rav1e-1.19.5-150700.3.8.1.x86_64.rpm
libheif1-1.19.5-150700.3.8.1.x86_64.rpm
SUSE-SLE-Module-Desktop-Applications-15-SP7-2026-1364
Security update for webkit2gtk3
important
SUSE Updates SLE-Module-Desktop-Applications 15-SP7 x86 64
This update for webkit2gtk3 fixes the following issues:
Update to version 2.52.0.
Security issues fixed:
- CVE-2023-43010: processing maliciously crafted web content may lead to memory corruption (bsc#1259950).
- CVE-2025-31223: processing maliciously crafted web content may lead to memory corruption (bsc#1259949).
- CVE-2025-31277: processing maliciously crafted web content may lead to memory corruption (bsc#1259948).
- CVE-2025-43213: processing maliciously crafted web content may lead to an unexpected crash (bsc#1259947).
- CVE-2025-43214: processing maliciously crafted web content may lead to an unexpected crash (bsc#1259946).
- CVE-2025-43433: processing maliciously crafted web content may lead to memory corruption (bsc#1259945).
- CVE-2025-43438: processing maliciously crafted web content may lead to an unexpected crash (bsc#1259944).
- CVE-2025-43441: processing maliciously crafted web content may lead to an unexpected process crash (bsc#1259943).
- CVE-2025-43457: processing maliciously crafted web content may lead to an unexpected crash (bsc#1259942).
- CVE-2025-43511: processing maliciously crafted web content may lead to an unexpected process crash (bsc#1259941).
- CVE-2025-46299: processing maliciously crafted web content may disclose internal states of an app (bsc#1259940).
- CVE-2026-20608: processing maliciously crafted web content may lead to an unexpected process crash (bsc#1259939).
- CVE-2026-20635: processing maliciously crafted web content may lead to an unexpected process crash (bsc#1259938).
- CVE-2026-20636: processing maliciously crafted web content may lead to an unexpected process crash (bsc#1259937).
- CVE-2026-20643: processing maliciously crafted web content may bypass Same Origin Policy (bsc#1261172).
- CVE-2026-20644: processing maliciously crafted web content may lead to an unexpected process crash (bsc#1259936).
- CVE-2026-20652: a remote attacker may be able to cause a denial-of-service (bsc#1259935).
- CVE-2026-20664: processing maliciously crafted web content may lead to an unexpected process crash (bsc#1261173).
- CVE-2026-20665: processing maliciously crafted web content may prevent Content Security Policy from being enforced
(bsc#1261174).
- CVE-2026-20676: a website may be able to track users through web extensions (bsc#1259934).
- CVE-2026-20691: a maliciously crafted webpage may be able to fingerprint the user (bsc#1261175).
- CVE-2026-28857: processing maliciously crafted web content may lead to an unexpected process crash (bsc#1261176).
- CVE-2026-28859: a malicious website may be able to process restricted web content outside the sandbox (bsc#1261177).
- CVE-2026-28861: a malicious website may be able to access script message handlers intended for other origins
(bsc#1261178).
- CVE-2026-28871: visiting a maliciously crafted website may lead to a cross-site scripting attack (bsc#1261179).
Other updates and bugfixes:
- Make scrolling with touch input smoother for small movements.
- Fix estimated load progress of downloads when Content-Length value is wrong.
- Ensure that "scrollend" events are correctly emitted after scroll animations.
- Reduce the amount of useless MPRIS notifications produced by MediaSession when the information about media being
played is incomplete.
- Support turning off USE_GSTREAMER to configure the build with all multimedia features disabled.
- Add Sysprof marks for mouse events.
- Fix MediaSession icon for iheart.com not being displayed.
- Fix the build with USE_GSTREAMER_GL disabled.
- Fix the build with librice version 0.3.0 or newer.
- Fix several crashes and rendering issues.
- Translation updates: Georgian.
WebKitGTK-4.1-lang-2.52.1-150600.12.63.1.noarch.rpm
libjavascriptcoregtk-4_1-0-2.52.1-150600.12.63.1.x86_64.rpm
libwebkit2gtk-4_1-0-2.52.1-150600.12.63.1.x86_64.rpm
typelib-1_0-JavaScriptCore-4_1-2.52.1-150600.12.63.1.x86_64.rpm
typelib-1_0-WebKit2-4_1-2.52.1-150600.12.63.1.x86_64.rpm
typelib-1_0-WebKit2WebExtension-4_1-2.52.1-150600.12.63.1.x86_64.rpm
webkit2gtk-4_1-injected-bundles-2.52.1-150600.12.63.1.x86_64.rpm
webkit2gtk3-2.52.1-150600.12.63.1.src.rpm
webkit2gtk3-devel-2.52.1-150600.12.63.1.x86_64.rpm
SUSE-SLE-Module-Desktop-Applications-15-SP7-2026-1126
Security update for MozillaFirefox
important
SUSE Updates SLE-Module-Desktop-Applications 15-SP7 x86 64
This update for MozillaFirefox fixes the following issues:
Update to Firefox 140.9.0 ESR (MFSA 2026-22, bsc#1260083):
- CVE-2026-4684: Race condition, use-after-free in the Graphics: WebRender component
- CVE-2026-4685: Incorrect boundary conditions in the Graphics: Canvas2D component
- CVE-2026-4686: Incorrect boundary conditions in the Graphics: Canvas2D component
- CVE-2026-4687: Sandbox escape due to incorrect boundary conditions in the Telemetry component
- CVE-2026-4688: Sandbox escape due to use-after-free in the Disability Access APIs component
- CVE-2026-4689: Sandbox escape due to incorrect boundary conditions, integer overflow in the XPCOM component
- CVE-2026-4690: Sandbox escape due to incorrect boundary conditions, integer overflow in the XPCOM component
- CVE-2026-4691: Use-after-free in the CSS Parsing and Computation component
- CVE-2026-4692: Sandbox escape in the Responsive Design Mode component
- CVE-2026-4693: Incorrect boundary conditions in the Audio/Video: Playback component
- CVE-2026-4694: Incorrect boundary conditions, integer overflow in the Graphics component
- CVE-2026-4695: Incorrect boundary conditions in the Audio/Video: Web Codecs component
- CVE-2026-4696: Use-after-free in the Layout: Text and Fonts component
- CVE-2026-4697: Incorrect boundary conditions in the Audio/Video: Web Codecs component
- CVE-2026-4698: JIT miscompilation in the JavaScript Engine: JIT component
- CVE-2026-4699: Incorrect boundary conditions in the Layout: Text and Fonts component
- CVE-2026-4700: Mitigation bypass in the Networking: HTTP component
- CVE-2026-4701: Use-after-free in the JavaScript Engine component
- CVE-2026-4702: JIT miscompilation in the JavaScript Engine component
- CVE-2026-4704: Denial-of-service in the WebRTC: Signaling component
- CVE-2026-4705: Undefined behavior in the WebRTC: Signaling component
- CVE-2026-4706: Incorrect boundary conditions in the Graphics: Canvas2D component
- CVE-2026-4707: Incorrect boundary conditions in the Graphics: Canvas2D component
- CVE-2026-4708: Incorrect boundary conditions in the Graphics component
- CVE-2026-4709: Incorrect boundary conditions in the Audio/Video: GMP component
- CVE-2026-4710: Incorrect boundary conditions in the Audio/Video component
- CVE-2026-4711: Use-after-free in the Widget: Cocoa component
- CVE-2026-4712: Information disclosure in the Widget: Cocoa component
- CVE-2026-4713: Incorrect boundary conditions in the Graphics component
- CVE-2026-4714: Incorrect boundary conditions in the Audio/Video component
- CVE-2026-4715: Uninitialized memory in the Graphics: Canvas2D component
- CVE-2026-4716: Incorrect boundary conditions, uninitialized memory in the JavaScript Engine component
- CVE-2026-4717: Privilege escalation in the Netmonitor component
- CVE-2025-59375: Denial-of-service in the XML component
- CVE-2026-4718: Undefined behavior in the WebRTC: Signaling component
- CVE-2026-4719: Incorrect boundary conditions in the Graphics: Text component
- CVE-2026-4720: Memory safety bugs fixed in Firefox ESR 140.9, Thunderbird ESR 140.9, Firefox 149 and
Thunderbird 149
- CVE-2026-4721: Memory safety bugs fixed in Firefox ESR 115.34, Firefox ESR 140.9, Thunderbird ESR 140.9,
Firefox 149 and Thunderbird 149
MozillaFirefox-140.9.0-150200.152.225.1.src.rpm
MozillaFirefox-140.9.0-150200.152.225.1.x86_64.rpm
MozillaFirefox-devel-140.9.0-150200.152.225.1.noarch.rpm
MozillaFirefox-translations-common-140.9.0-150200.152.225.1.x86_64.rpm
MozillaFirefox-translations-other-140.9.0-150200.152.225.1.x86_64.rpm
SUSE-SLE-Module-Desktop-Applications-15-SP7-2026-1360
Security update for tigervnc
important
SUSE Updates SLE-Module-Desktop-Applications 15-SP7 x86 64
This update for tigervnc fixes the following issues:
- CVE-2026-34352: Fixed permissions to prevent other users from observing the screen, or modifying what is sent to the client. (bsc#1260871)
libXvnc-devel-1.14.1-150700.4.3.1.x86_64.rpm
tigervnc-1.14.1-150700.4.3.1.src.rpm
SUSE-SLE-Module-Desktop-Applications-15-SP7-2026-1443
Security update for NetworkManager
moderate
SUSE Updates SLE-Module-Desktop-Applications 15-SP7 x86 64
This update for NetworkManager fixes the following issue:
Security fixes:
- CVE-2025-9615: Fixed non-admin user using others' certificates (bsc#1257359).
Other fixes:
- Fixed renewing the DHCP lease when software devices' MAC is empty
(bsc#1225498, glfd#NetworkManager/NetworkManager#1587).
NetworkManager-1.44.2-150600.3.7.1.src.rpm
NetworkManager-1.44.2-150600.3.7.1.x86_64.rpm
NetworkManager-wwan-1.44.2-150600.3.7.1.x86_64.rpm
SUSE-SLE-Module-Desktop-Applications-15-SP7-2026-1441
Security update for avahi
moderate
SUSE Updates SLE-Module-Desktop-Applications 15-SP7 x86 64
This update for avahi fixes the following issue:
- CVE-2026-24401: avahi-daemon can be crashed via a segmentation fault by sending an unsolicited mDNS response
containing a recursive CNAME record (bsc#1257235).
avahi-0.8-150600.15.15.1.src.rpm
avahi-autoipd-0.8-150600.15.15.1.x86_64.rpm
avahi-glib2-0.8-150600.15.15.1.src.rpm
avahi-utils-gtk-0.8-150600.15.15.1.x86_64.rpm
libavahi-gobject-devel-0.8-150600.15.15.1.x86_64.rpm
SUSE-SLE-Module-Desktop-Applications-15-SP7-2026-1607
Security update for vim
important
SUSE Updates SLE-Module-Desktop-Applications 15-SP7 x86 64
This update for vim fixes the following issues:
Update to version 9.2.0280.
- CVE-2026-34982: missing input validation allows for a modeline sandbox bypass and can lead to arbitrary OS command
execution (bsc#1261271).
- CVE-2026-34714: missing checks allow for a `tabpanel` modeline escape and can lead to arbitrary OS command execution
(bsc#1261191).
- CVE-2026-33412: improper escaping of newline characters allows for command injection in `glob` and can lead to
arbitrary code execution (bsc#1259985).
gvim-9.2.0280-150500.20.46.1.x86_64.rpm
vim-9.2.0280-150500.20.46.1.src.rpm
SUSE-SLE-Module-Desktop-Applications-15-SP7-2026-1555
Security update for libraw
important
SUSE Updates SLE-Module-Desktop-Applications 15-SP7 x86 64
This update for libraw fixes the following issues:
- CVE-2026-5342: out-of-bounds read via `LibRaw::nikon_load_padded_packed_raw` (bsc#1261499).
- CVE-2026-20884: integer overflow and heap buffer overflow via `deflate_dng_load_raw` (bsc#1261671).
- CVE-2026-20889: heap-based buffer overflow in `x3f_thumb_loader` (bsc#1261672).
- CVE-2026-20911: heap-based buffer overflow in `HuffTable::initval` (bsc#1261673).
- CVE-2026-21413: heap-based buffer overflow in `lossless_jpeg_load_raw` (bsc#1261674).
- CVE-2026-24450: integer overflow and heap buffer overflow via `uncompressed_fp_dng_load_raw` (bsc#1261675).
- CVE-2026-24660: heap-based buffer overflow in `x3f_load_huffman` (bsc#1261676).
libraw-0.21.1-150600.3.10.1.src.rpm
libraw23-0.21.1-150600.3.10.1.x86_64.rpm
SUSE-SLE-Module-Desktop-Applications-15-SP7-2026-1322
Security update for MozillaFirefox
important
SUSE Updates SLE-Module-Desktop-Applications 15-SP7 x86 64
This update for MozillaFirefox fixes the following issues:
- Update to 149.0.2 and 140.9.1esr (bsc#1261663).
- CVE-2026-5731: Memory safety bugs fixed in Firefox ESR 115.34.1, Firefox ESR 140.9.1, Thunderbird ESR 140.9.1, Firefox 149.0.2 and Thunderbird 149.0.2.
- CVE-2026-5732: Incorrect boundary conditions, integer overflow in the Graphics: Text component.
- CVE-2026-5734: Memory safety bugs fixed in Firefox ESR 140.9.1, Thunderbird ESR 140.9.1, Firefox 149.0.2 and Thunderbird 149.0.2.
MozillaFirefox-140.9.1-150200.152.228.1.src.rpm
MozillaFirefox-140.9.1-150200.152.228.1.x86_64.rpm
MozillaFirefox-devel-140.9.1-150200.152.228.1.noarch.rpm
MozillaFirefox-translations-common-140.9.1-150200.152.228.1.x86_64.rpm
MozillaFirefox-translations-other-140.9.1-150200.152.228.1.x86_64.rpm
SUSE-SLE-Module-Desktop-Applications-15-SP7-2026-1399
Security update for cups
important
SUSE Updates SLE-Module-Desktop-Applications 15-SP7 x86 64
This update for cups fixes the following issue:
- CVE-2026-34990: Local print admin token disclosure using temporary printers (bsc#1261568).
cups-2.2.7-150000.3.86.1.src.rpm
libcups2-32bit-2.2.7-150000.3.86.1.x86_64.rpm
SUSE-SLE-Module-Desktop-Applications-15-SP7-2026-1598
Security update for ImageMagick
important
SUSE Updates SLE-Module-Desktop-Applications 15-SP7 x86 64
This update for ImageMagick fixes the following issues:
- CVE-2026-33899: Denial of Service via out-of-bounds write in XML parsing (bsc#1262154).
- CVE-2026-33900: Denial of Service via integer truncation in viff encoder (bsc#1262156).
- CVE-2026-33901: Denial of Service due to heap buffer overflow in MVG decoder (bsc#1262155).
- CVE-2026-33902: Denial of Service via deeply nested expression in FX parser (bsc#1262153).
- CVE-2026-33905: Denial of Service via out-of-bounds read in -sample operation (bsc#1262097).
- CVE-2026-33908: Denial of Service via deeply nested XML file processing (bsc#1262152).
- CVE-2026-34238: Denial of Service via integer overflow in despeckle operation (bsc#1262147).
- CVE-2026-40169: Denial of Service via crafted image leading to out-of-bounds write (bsc#1262150).
- CVE-2026-40183: Denial of Service via heap write overflow in JXL encoder (bsc#1262145).
- CVE-2026-40310: Denial of Service via heap out-of-bounds write in JP2 encoder (bsc#1262148).
- CVE-2026-40311: Denial of Service via heap use-after-free in XMP profile processing (bsc#1262146).
- CVE-2026-40312: Denial of Service via malicious MSL file processing (bsc#1262149).
ImageMagick-7.1.1.43-150700.3.47.1.src.rpm
ImageMagick-7.1.1.43-150700.3.47.1.x86_64.rpm
ImageMagick-config-7-SUSE-7.1.1.43-150700.3.47.1.x86_64.rpm
ImageMagick-config-7-upstream-limited-7.1.1.43-150700.3.47.1.x86_64.rpm
ImageMagick-config-7-upstream-open-7.1.1.43-150700.3.47.1.x86_64.rpm
ImageMagick-config-7-upstream-secure-7.1.1.43-150700.3.47.1.x86_64.rpm
ImageMagick-config-7-upstream-websafe-7.1.1.43-150700.3.47.1.x86_64.rpm
ImageMagick-devel-7.1.1.43-150700.3.47.1.x86_64.rpm
libMagick++-7_Q16HDRI5-7.1.1.43-150700.3.47.1.x86_64.rpm
libMagick++-devel-7.1.1.43-150700.3.47.1.x86_64.rpm
libMagickCore-7_Q16HDRI10-7.1.1.43-150700.3.47.1.x86_64.rpm
libMagickWand-7_Q16HDRI10-7.1.1.43-150700.3.47.1.x86_64.rpm
SUSE-SLE-Module-Desktop-Applications-15-SP7-2026-1600
Security update for flatpak
important
SUSE Updates SLE-Module-Desktop-Applications 15-SP7 x86 64
This update for flatpak fixes the following issues:
- CVE-2026-34078: Arbitrary code execution via crafted symlinks in sandbox-expose options (bsc#1261769).
- CVE-2026-34079: Arbitrary file deletion on host via improper cache file path validation (bsc#1261770).
flatpak-1.16.0-150600.3.9.1.src.rpm
flatpak-1.16.0-150600.3.9.1.x86_64.rpm
flatpak-devel-1.16.0-150600.3.9.1.x86_64.rpm
flatpak-remote-flathub-1.16.0-150600.3.9.1.noarch.rpm
flatpak-zsh-completion-1.16.0-150600.3.9.1.noarch.rpm
libflatpak0-1.16.0-150600.3.9.1.x86_64.rpm
system-user-flatpak-1.16.0-150600.3.9.1.noarch.rpm
typelib-1_0-Flatpak-1_0-1.16.0-150600.3.9.1.x86_64.rpm
SUSE-SLE-Module-Desktop-Applications-15-SP7-2026-1649
Security update for MozillaFirefox
important
SUSE Updates SLE-Module-Desktop-Applications 15-SP7 x86 64
This update for MozillaFirefox fixes the following issues:
Update to Firefox Extended Support Release 140.10.0 ESR (bsc#1262230, MFSA 2026-32):
- CVE-2026-6746: Use-after-free in the DOM: Core & HTML component.
- CVE-2026-6747: Use-after-free in the WebRTC component.
- CVE-2026-6748: Uninitialized memory in the Audio/Video: Web Codecs component.
- CVE-2026-6749: Information disclosure due to uninitialized memory in the Graphics: Canvas2D component.
- CVE-2026-6750: Privilege escalation in the Graphics: WebRender component.
- CVE-2026-6751: Uninitialized memory in the Audio/Video: Web Codecs component.
- CVE-2026-6752: Incorrect boundary conditions in the WebRTC component.
- CVE-2026-6753: Incorrect boundary conditions in the WebRTC component.
- CVE-2026-6754: Use-after-free in the JavaScript Engine component.
- CVE-2026-6757: Invalid pointer in the JavaScript: WebAssembly component.
- CVE-2026-6759: Use-after-free in the Widget: Cocoa component.
- CVE-2026-6761: Privilege escalation in the Networking component.
- CVE-2026-6762: Spoofing issue in the DOM: Core & HTML component.
- CVE-2026-6763: Mitigation bypass in the File Handling component.
- CVE-2026-6764: Incorrect boundary conditions in the DOM: Device Interfaces component.
- CVE-2026-6765: Information disclosure in the Form Autofill component.
- CVE-2026-6766: Incorrect boundary conditions in the Libraries component in NSS.
- CVE-2026-6767: Other issue in the Libraries component in NSS.
- CVE-2026-6769: Privilege escalation in the Debugger component.
- CVE-2026-6770: Other issue in the Storage: IndexedDB component.
- CVE-2026-6771: Mitigation bypass in the DOM: Security component.
- CVE-2026-6772: Incorrect boundary conditions in the Libraries component in NSS.
- CVE-2026-6776: Incorrect boundary conditions in the WebRTC: Networking component.
- CVE-2026-6785: Memory safety bugs fixed in Firefox ESR 115.35, Firefox ESR 140.10, Thunderbird ESR 140.10, Firefox 150
and Thunderbird 150.
- CVE-2026-6786: Memory safety bugs fixed in Firefox ESR 140.10, Thunderbird ESR 140.10, Firefox 150 and Thunderbird
150.
MozillaFirefox-140.10.0-150200.152.231.1.src.rpm
MozillaFirefox-140.10.0-150200.152.231.1.x86_64.rpm
MozillaFirefox-devel-140.10.0-150200.152.231.1.noarch.rpm
MozillaFirefox-translations-common-140.10.0-150200.152.231.1.x86_64.rpm
MozillaFirefox-translations-other-140.10.0-150200.152.231.1.x86_64.rpm
SUSE-SLE-Module-Desktop-Applications-15-SP7-2026-1636
Security update for fontforge
important
SUSE Updates SLE-Module-Desktop-Applications 15-SP7 x86 64
This update for fontforge fixes the following issue:
- CVE-2025-15270: Remote Code Execution via malicious SFD file parsing (bsc#1256031).
fontforge-20200314-150200.3.15.1.src.rpm
fontforge-20200314-150200.3.15.1.x86_64.rpm