VYPR

rpm package

opensuse/distribution&distro=openSUSE Tumbleweed

pkg:rpm/opensuse/distribution&distro=openSUSE%20Tumbleweed

Vulnerabilities (11)

  • CVE-2026-39821CriMay 22, 2026
    affected < 3.1.1-3.1fixed 3.1.1-3.1

    The ToASCII and ToUnicode functions incorrectly accept Punycode-encoded labels that decode to an ASCII-only label. For example, ToUnicode("xn--example-.com") incorrectly returns the name "example.com" rather than an error. This behavior can lead to privilege escalation in program

  • CVE-2026-46597HigMay 22, 2026
    affected < 3.1.1-3.1fixed 3.1.1-3.1

    An incorrectly placed cast from bytes to int allowed for server-side panic in the AES-GCM packet decoder for well-crafted inputs.

  • CVE-2026-42508CriMay 22, 2026
    affected < 3.1.1-3.1fixed 3.1.1-3.1

    Previously, a revoked 'SignatureKey' belonging to a CA was not correctly checked for revocation. Now, both the 'key' and 'key.SignatureKey' are checked for @revoked.

  • CVE-2026-39834CriMay 22, 2026
    affected < 3.1.1-3.1fixed 3.1.1-3.1

    When writing data larger than 4GB in a single Write call on an SSH channel, an integer overflow in the internal payload size calculation caused the write loop to spin indefinitely, sending empty packets without making progress. The size comparison now uses int64 to prevent trunca

  • CVE-2026-39827MedMay 22, 2026
    affected < 3.1.1-3.1fixed 3.1.1-3.1

    An authenticated SSH client that repeatedly opened channels which were rejected by the server caused unbounded memory growth, eventually crashing the server process and affecting all connected users. Rejected channels are now properly removed from the connection's internal state

  • CVE-2026-41888MedMay 14, 2026
    affected < 3.1.1-1.1fixed 3.1.1-1.1

    Distribution is a toolkit to pack, ship, store, and deliver container content. Prior to 3.1.1, tag deletion via the DELETE /v2//manifests/ endpoint bypasses the storage.delete.enabled: false configuration, allowing any API client to remove tags from repositories even w

  • CVE-2026-33814HigMay 7, 2026
    affected < 3.1.1-3.1fixed 3.1.1-3.1

    When processing HTTP/2 SETTINGS frames, transport will enter an infinite loop of writing CONTINUATION frames if it receives a SETTINGS_MAX_FRAME_SIZE with a value of 0.

  • CVE-2026-35172HigApr 6, 2026
    affected < 3.1.0-1.1fixed 3.1.0-1.1

    Distribution is a toolkit to pack, ship, store, and deliver container content. Prior to 3.1.0, distribution can restore read access in repo a after an explicit delete when storage.cache.blobdescriptor: redis and storage.delete.enabled: true are both enabled. The delete path clear

  • CVE-2026-34986HigApr 6, 2026
    affected < 3.1.0-1.1fixed 3.1.0-1.1

    Go JOSE provides an implementation of the Javascript Object Signing and Encryption set of standards in Go, including support for JSON Web Encryption (JWE), JSON Web Signature (JWS), and JSON Web Token (JWT) standards. Prior to 4.1.4 and 3.0.5, decrypting a JSON Web Encryption (JW

  • CVE-2026-33540HigApr 6, 2026
    affected < 3.1.0-1.1fixed 3.1.0-1.1

    Distribution is a toolkit to pack, ship, store, and deliver container content. Prior to 3.1.0, in pull-through cache mode, distribution discovers token auth endpoints by parsing WWW-Authenticate challenges returned by the configured upstream registry. The realm URL from a bearer

  • CVE-2026-33186CriMar 20, 2026
    affected < 3.1.0-1.1fixed 3.1.0-1.1

    gRPC-Go is the Go language implementation of gRPC. Versions prior to 1.79.3 have an authorization bypass resulting from improper input validation of the HTTP/2 `:path` pseudo-header. The gRPC-Go server was too lenient in its routing logic, accepting requests where the `:path` omi