openSUSE-SU-2026:20105-1

Import Source
https://ftp.suse.com/pub/projects/security/osv/openSUSE-SU-2026:20105-1.json
JSON Data
https://api.test.osv.dev/v1/vulns/openSUSE-SU-2026:20105-1
Published
2026-01-23T10:02:42Z
Modified
2026-03-12T02:08:06.045534Z
Summary
Security update for sbctl
Details

This update for sbctl fixes the following issues:

Changes in sbctl:

  • Upgrade the embedded golang.org/x/net to 0.46.0

    • Fixes: bsc#1251399, CVE-2025-47911: various algorithms with quadratic complexity when parsing HTML documents
    • Fixes: bsc#1251609, CVE-2025-58190: excessive memory consumption by 'html.ParseFragment' when processing specially crafted input
  • Update to version 0.18:

    • logging: fixup new go vet warning
    • workflows: add cc for cross compile
    • workflow: add sudo to apt
    • workflow: add pcsclite to ci
    • workflow: try enable cgo
    • go.mod: update golang.org/x/ dependencies
    • fix: avoid adding bogus Country attribute to subject DNs
    • sbctl: only store file if we did actually sign the file
    • installkernel: add post install hook for Debian's traditional installkernel
    • CI: missing libpcsclite pkg
    • workflows: add missing depends and new pattern keyword
    • Add yubikey example for create keys to the README
    • Initial yubikey backend keytype support
    • verify: ensure we pass args in correct order
  • bsc#1248949 (CVE-2025-58058): Bump xz to 0.5.14

  • Update to version 0.17:

    • Ensure we don't wrongly compare input/output files when signing
    • Added --json support to sbctl verify
    • Ensure sbctl setup with no arguments returns a helpful output
    • Import latest Microsoft keys for KEK and db databases
    • Ensure we print the path of the file when encountering an invalid PE file
    • Misc fixups in tests
    • Misc typo fixes in prints
  • Update to version 0.16:

    • Ensure sbctl reads --config even if /etc/sbctl/sbctl.conf is present
    • Fixed a bug where sbctl would abort if the TPM eventlog contains the same byte multiple times
    • Fixed a landlock bug where enroll-keys --export did not work
    • Fixed a bug where an ESP mounted to multiple paths would not be detected
    • Exporting keys without efivars present works again
    • sbctl sign will now use the saved output path if the signed file is enrolled
    • enroll-keys --append will now work without --force.
  • Updates from version 0.15.4:
    • Fixed an issue where sign-all did not report a non-zero exit code when something failed
    • Fixed an issue where we couldn't write to a file with landlock
    • Fixed an issue where --json would print the human readable output and the json
    • Fixes landlock for UKI/bundles by disabling the sandbox feature
    • Some doc fixups that mentioned /usr/share/

Affected packages

openSUSE:Leap 16.0 / sbctl

Package

Name
sbctl
Purl
pkg:rpm/opensuse/sbctl&distro=openSUSE%20Leap%2016.0

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
0.18-bp160.1.1

Ecosystem specific

{
    "binaries": [
        {
            "sbctl": "0.18-bp160.1.1"
        }
    ]
}

Database specific

source
"https://ftp.suse.com/pub/projects/security/osv/openSUSE-SU-2026:20105-1.json"