5 matches found
SUSE-SU-2026:22159-1 Security update for distribution
This update for distribution fixes the following issues: - CVE-2026-33814: golang.org/x/net/http2: infinite loop in HTTP/2 transport when given bad SETTINGS_MAX_FRAME_SIZE (bsc#1265788). - CVE-2026-39821: golang.org/x/net/idna: failure to reject ASCII-only Punycode-encoded labels allows for validation...
Invoking key constraints not enforced in golang.org/x/crypto/ssh/agent
...
Improper Check for Dropped Privileges
Overview: Affected versions of this package are vulnerable to Improper Check for Dropped Privileges due to the omission of constraint extensions such as [email protected] when adding a key to a remote agent. An attacker can bypass intended key usage restrictions by forwarding ke...
GO-2026-5005 Invoking key constraints not enforced in golang.org/x/crypto/ssh/agent
The in-memory keyring returned by NewKeyring silently accepted keys with the ConfirmBeforeUse constraint but never enforced it. The key would sign without any confirmation prompt, with no indication to the caller that the constraint was not in effect. NewKeyring now returns an error when...
OpenSSH < 9.6 Multiple Vulnerabilities
The version of OpenSSH installed on the remote host is prior to 9.6. It is, therefore, affected by multiple vulnerabilities as referenced in the release-9.6 advisory. - ssh(1), sshd(8): implement protocol extensions to thwart the so-called Terrapin attack discovered by Fabian Bäumer, Marcus Brinkmann...