SUSE-SU-2026:22159-1

Source
https://www.suse.com/support/update/announcement/2026/suse-su-202622159-1/
Import Source
https://ftp.suse.com/pub/projects/security/osv/SUSE-SU-2026:22159-1.json
JSON Data
https://api.test.osv.dev/v1/vulns/SUSE-SU-2026:22159-1
Published
2026-06-18T14:30:18Z
Modified
2026-06-24T18:24:21.504627319Z
Summary
Security update for distribution
Details

This update for distribution fixes the following issues:

  • CVE-2026-33814: golang.org/x/net/http2: infinite loop in HTTP/2 transport when given bad SETTINGS_MAX_FRAME_SIZE (bsc#1265788).
  • CVE-2026-39821: golang.org/x/net/idna: failure to reject ASCII-only Punycode-encoded labels allows for validation bypass and privilege escalation (bsc#1266629).
  • CVE-2026-41888: tag deletion bypasses the storage.delete.enabled configuration (bsc#1265429).
  • CVE-2026-39827: memory leak when rejecting channels can lead to DoS in golang.org/x/crypto/ssh (bsc#1266049).
  • CVE-2026-39828: bypass of certificate restrictions in golang.org/x/crypto/ssh (bsc#1266049).
  • CVE-2026-39829: pathological RSA/DSA parameters may cause DoS in golang.org/x/crypto/ssh (bsc#1266049).
  • CVE-2026-39830: client can cause server deadlock on unexpected responses in golang.org/x/crypto/ssh (bsc#1266049).
  • CVE-2026-39831: bypass of FIDO/U2F security keys physical interaction in golang.org/x/crypto/ssh (bsc#1266049).
  • CVE-2026-39832: agent constraints dropped when forwarding keys in golang.org/x/crypto/ssh/agent (bsc#1266049).
  • CVE-2026-39833: key constraints not enforced in golang.org/x/crypto/ssh/agent (bsc#1266049).
  • CVE-2026-39834: infinite loop on large channel writes in golang.org/x/crypto/ssh (bsc#1266049).
  • CVE-2026-39835: server panic during CheckHostKey/Authenticate in golang.org/x/crypto/ssh (bsc#1266049).
  • CVE-2026-42508: auth bypass via unenforced @revoked status in golang.org/x/crypto/ssh/knownhosts (bsc#1266049).
  • CVE-2026-46595: VerifiedPublicKeyCallback permissions skip enforcement in golang.org/x/crypto/ssh (bsc#1266049).
  • CVE-2026-46597: byte arithmetic causes underflow and panic in golang.org/x/crypto/ssh (bsc#1266049).
  • CVE-2026-46598: pathological inputs can lead to client panic in golang.org/x/crypto/ssh/agent (bsc#1266049).

Changes:

  • Bounds-check the file basename in PurgeUploads Walk callback
  • Add S3 Express One Zone support to the S3 storage driver
  • Fix tag list endpoint in proxy mode
  • Clamp oversized n query parameter in proxy mode instead of returning 400
  • See the full changelog below for the full list of changes.
  • internal/client/auth/challenge: cleanups and minor refactor
  • build(deps): bump go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploghttp from 0.18.0 to 0.19.0 in the go_modules group across 1 directory
  • build(deps): bump go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp from 1.42.0 to 1.43.0 in the go_modules group across 1 directory
  • build(deps): bump github/codeql-action from 4.34.1 to 4.35.1
  • chore(build): Bump go version to latest
  • refactor: use slices.Backward to simplify the code
  • fix(proxy): fix tag list endpoint in proxy mode
  • Update docker-compose structure in deploying.md
  • build(deps): bump actions/upload-artifact from 7.0.0 to 7.0.1
  • build(deps): bump actions/upload-pages-artifact from 4.0.0 to 5.0.0
  • build(deps): bump docker/login-action from 4.0.0 to 4.1.0
  • build(deps): bump docker/bake-action from 7.0.0 to 7.1.0
  • fix(proxy): clamp oversized n query param instead of
  • feat(s3): add express zone one support to S3 driver
  • fix(storage): bounds-check the file basename in PurgeUploads Walk callback
  • chore(release): prepare for v3.1.1 release
References

Affected packages

SUSE:Linux Enterprise Server 16.0 / distribution

Package

Name
distribution
Purl
pkg:rpm/suse/distribution&distro=SUSE%20Linux%20Enterprise%20Server%2016.0

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0
Unknown introduced version / All previous versions are affected
Fixed
3.1.1-160000.1.1

Ecosystem specific

{
    "binaries": [
        {
            "distribution-registry": "3.1.1-160000.1.1"
        }
    ]
}

Database specific

source
"https://ftp.suse.com/pub/projects/security/osv/SUSE-SU-2026:22159-1.json"

SUSE:Linux Enterprise Server for SAP applications 16.0 / distribution

Package

Name
distribution
Purl
pkg:rpm/suse/distribution&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20applications%2016.0

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0
Unknown introduced version / All previous versions are affected
Fixed
3.1.1-160000.1.1

Ecosystem specific

{
    "binaries": [
        {
            "distribution-registry": "3.1.1-160000.1.1"
        }
    ]
}

Database specific

source
"https://ftp.suse.com/pub/projects/security/osv/SUSE-SU-2026:22159-1.json"