openSUSE 16 Security Update : gnome-online-accounts, gvfs (openSUSE-SU-2026:20451-1)

high Nessus Plugin ID 304864

Synopsis

The remote openSUSE host is missing one or more security updates.

Description

The remote openSUSE 16 host has packages installed that are affected by multiple vulnerabilities as referenced in the openSUSE-SU-2026:20451-1 advisory.

Changes for gvfs:

Update gvfs to 1.59.90:

- CVE-2026-28295: information disclosure when processing untrusted PASV responses from FTP servers; the data connection now uses the control connection's address instead of the host advertised by the server (bsc#1258953).
- CVE-2026-28296: arbitrary FTP command injection due to unsanitized CR/LF sequences in user-supplied file paths; such paths are now rejected before a command is sent (bsc#1258954).
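The two ftp backend changes behind these CVEs, shown in isolation as an added example. This is illustration code, not gvfs source: the function names, the constructed PASV reply and the constructed path are assumptions made for the example, and the diagnostic on a host mismatch is an addition beyond the fix the changelog describes.

```c
/*
 * Added example, not gvfs code: the two FTP hardening steps the advisory
 * names, in isolation. Function names, the sample reply and the sample
 * path are assumptions made for this illustration.
 */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* CVE-2026-28296 class: FTP is a CRLF-delimited line protocol. A path that
 * carries CR or LF ends the current command and the rest of the string is
 * read by the server as further commands. Reject such paths up front. */
bool ftp_path_is_safe(const char *path)
{
    return path != NULL && strpbrk(path, "\r\n") == NULL;
}

/* Unvalidated builder, kept only to show the injection. */
int ftp_build_command_unsafe(const char *verb, const char *path,
                             char *out, size_t outlen)
{
    int n = snprintf(out, outlen, "%s %s\r\n", verb, path);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

/* Hardened builder: 0 on success, -1 if the path is rejected or too long. */
int ftp_build_command(const char *verb, const char *path,
                      char *out, size_t outlen)
{
    if (!ftp_path_is_safe(path))
        return -1;
    return ftp_build_command_unsafe(verb, path, out, outlen);
}

/* Number of CRLF-terminated commands in a wire buffer. */
int ftp_count_commands(const char *wire)
{
    int count = 0;
    for (const char *p = wire; (p = strstr(p, "\r\n")) != NULL; p += 2)
        count++;
    return count;
}

/* Parse "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)". On success returns 0
 * and fills the advertised dotted-quad host and the port p1*256+p2. */
int ftp_parse_pasv(const char *reply, char *host, size_t hostlen, int *port)
{
    int h[4], p[2];
    if (reply == NULL || strncmp(reply, "227", 3) != 0)
        return -1;
    if (sscanf(reply, "%*[^(](%d,%d,%d,%d,%d,%d)",
               &h[0], &h[1], &h[2], &h[3], &p[0], &p[1]) != 6)
        return -1;
    for (int i = 0; i < 4; i++)
        if (h[i] < 0 || h[i] > 255)
            return -1;
    if (p[0] < 0 || p[0] > 255 || p[1] < 0 || p[1] > 255)
        return -1;
    int n = snprintf(host, hostlen, "%d.%d.%d.%d", h[0], h[1], h[2], h[3]);
    if (n < 0 || (size_t)n >= hostlen)
        return -1;
    *port = p[0] * 256 + p[1];
    return *port > 0 ? 0 : -1;
}

/* CVE-2026-28295 class: a client that connects its data channel to whatever
 * host the PASV reply names lets the server steer that connection elsewhere.
 * Hardened, as the 1.58.2/1.59.90 changelog describes: keep only the port and
 * connect to the address the control connection already uses. */
int ftp_pasv_data_endpoint(const char *reply, const char *control_host,
                           char *host, size_t hostlen, int *port)
{
    char advertised[16];
    if (ftp_parse_pasv(reply, advertised, sizeof advertised, port) != 0)
        return -1;
    if (strcmp(advertised, control_host) != 0)   /* worth logging, not trusting */
        fprintf(stderr, "PASV advertised %s, using %s\n", advertised, control_host);
    int n = snprintf(host, hostlen, "%s", control_host);
    return (n < 0 || (size_t)n >= hostlen) ? -1 : 0;
}

int main(void)
{
    char wire[128], host[16];
    int port = 0;
    const char *evil_path = "pub\r\nDELE secret.txt";                     /* constructed */
    ftp_build_command_unsafe("CWD", evil_path, wire, sizeof wire);
    printf("unsafe build sends %d commands\n", ftp_count_commands(wire));
    printf("hardened build result: %d\n",
           ftp_build_command("CWD", evil_path, wire, sizeof wire));
    const char *reply = "227 Entering Passive Mode (203,0,113,7,19,137).";  /* constructed */
    if (ftp_pasv_data_endpoint(reply, "198.51.100.10", host, sizeof host, &port) == 0)
        printf("data connection -> %s:%d\n", host, port);
    return 0;
}
```

The unvalidated builder turns a single CWD with an embedded CR/LF into two server-side commands; the hardened one refuses the path outright rather than trying to escape it, which is the only safe option in a line protocol. For PASV, the port is the only value taken from the server reply; the address is whatever the control socket is already connected to.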

Changelog:

Update to version 1.59.90:

- client: Fix use-after-free when creating async proxy failed
- udisks2: Emit changed signals from update_all()
- daemon: Fix race on subscribers list when on thread
- ftp: Validate fe_size when parsing symlink target
- ftp: Check localtime() return value before use
- gphoto2: Use g_try_realloc() instead of g_realloc()
- cdda: Reject path traversal in mount URI host
- client: Fail when URI has invalid UTF-8 chars
- udisks2: Fix memory corruption with duplicate mount paths
- build: Update GOA dependency to > 3.57.0
- Some other fixes
- ftp: Use control connection address for PASV data
- ftp: Reject paths containing CR/LF characters

Update to version 1.59.1:

- mtp: replace Android extension checks with capability checks
- dav: Add X-OC-Mtime header on push to preserve last modified time
- udisks2: Use hash tables in the volume monitor to improve performance
- onedrive: Check for identity instead of presentation identity
- build: Disable google option and mark as deprecated

Update to version 1.58.2:

- ftp: Use control connection address for PASV data
- ftp: Reject paths containing CR/LF characters

Update to version 1.58.1:

- cdda: Fix duration of last track for some media
- build: Fix build when google option is disabled
- Fix various memory leaks
- Updated translations

Update to version 1.58.0:

- mtp: Allow cancelling ongoing folder enumerations
- wsdd: Use socket-activated service if available
- onedrive: Set emblem for remote data
- fix: Add file rename support in MTP backend move operation
- mtp: Fix -Wmaybe-uninitialized warning in pad_file
- fuse: use fuse_(un)set_feature_flag for libfuse 3.17+
- smbbrowse: Purge server cache for next auth try
- metatree: Open files with O_CLOEXEC
- cdda: Fix incorrect track duration for 99-track CDs
- metadata: Fix journal file permissions inconsistency
- dav: recognize 308 Permanent Redirect

Changes for gnome-online-accounts:

Update to version 3.58.0:

- SMTP server without password cannot be configured
- Remove unneeded SMTP password escaping
- build: Disable google provider Files feature
- MS365: Fix mail address and name
- Google: Set mail name to presentation identity
- Updated translations

Update to version 3.57.1:

- Default Microsoft 365 client is unverified
- Microsoft 365: Make use of email for id
- goadaemon: Allow manage system notifications
- goamsgraphprovider: bump credentials generation
- goaprovider: Allow to disable, instead of enable, selected providers

Changes from version 3.57.0:

- Support for saving a Kerberos password to the keychain after the first login
- Changing expired kerberos password is not supported
- Provided Files URI does not override undiscovered endpoint
- DAV client rejects 204 status in OPTIONS request handler
- Include emblem-default-symbolic.svg
- Connecting a Runbox CardDAV/CalDAV account hangs/freezes after sign in
- i81n: fix translatable string
- goaimapsmptprovider: fix accounts without SMTP or authentication-less SMTP
- build: only install icons for the goabackend build
- build: don't require goabackend to build documentation
- ci: test the build without gtk4
- DAV-client: Added short path for SOGo

Update to version 3.56.4:

- Bugs fixed:
- Unclear which part of IMAP+SMTP account test failed
- Adding nextcloud account which has a subfolder does not work
- goadaemon: Handle broken account configs

Update to version 3.56.3:

- Add DAV detection and configuration for SOGo
- DAV discovery fails when certain SRV lookups fail

Update to version 3.56.1:

- Support for saving a Kerberos password after the first login
- Changing expired kerberos password is not supported
- Provided Files URI does not override undiscovered endpoint
- DAV client rejects 204 status in OPTIONS request handler

Update to version 3.56.0:

- Code style and logging cleanups + Updated translations

Update to version 3.55.2:

- goaoauth2provider: improve error handling for auth/token endpoints

Update to version 3.55.1:

- Support Webflow authentication for Nextcloud
- Rename dconf key in gnome-online-accounts settings
- Account Name GUI field is a bit ambiguous
- Failed to generate a new POT file for the user interface of gnome-online-accounts (domain: po) and some missing files from POTFILES.in

Update to version 3.55.0:

- Add progress spinner for OAuth2 dialogs
- Remove Windows Live! option
- Improve goa_oauth2_provider_ensure_credentials_sync
- Authentication failure in goa IMAP accounts
- Missing files from POTFILES.in
- WebDAV not detected for mail.ru
- goaoauth2provider: fix task chaining for subclasses
- Always lowercase domains when looking up base
- goadavclient: check Nextcloud fallback last
- goabackend: add a composite widget for authflow links
- goadavclient: fix the mailbox.org preconfig

Update to version 3.54.5:

- Adding GOA account fails with sonic.net IMAP service
- Cannot add a ProtonMail bridge with IMAP + TLS
- Nextcloud login does not work anymore due to OPTIONS /login request
- Linked online accounts no longer work
- Invalid URI when adding Google account
- goamsgraphprovider: ensure a valid PresentationIdentity
- goadaemon: complete GTasks to avoid a scary debug warning

Tenable has extracted the preceding description block directly from the SUSE security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Solution

Update the affected packages.

See Also

https://bugzilla.suse.com/1258953

https://bugzilla.suse.com/1258954

https://www.suse.com/security/cve/CVE-2026-28295

https://www.suse.com/security/cve/CVE-2026-28296

Plugin Details

Severity: High

ID: 304864

File Name: openSUSE-2026-20451-1.nasl

Version: 1.1

Type: Local

Agent: unix

Published: 4/4/2026

Updated: 4/4/2026

Supported Sensors: Nessus Agent, Continuous Assessment, Nessus

Risk Information

VPR

Risk Factor: Low

Score: 2.2

CVSS v2

Risk Factor: Medium

Base Score: 5

Temporal Score: 3.7

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N

CVSS Score Source: CVE-2026-28296

CVSS v3

Risk Factor: High

Base Score: 7.3

Temporal Score: 6.4

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

CPE: cpe:/o:novell:opensuse:16.0, p-cpe:/a:novell:opensuse:gvfs-fuse, p-cpe:/a:novell:opensuse:gvfs-backend-goa, p-cpe:/a:novell:opensuse:gnome-online-accounts-devel, p-cpe:/a:novell:opensuse:gvfs-lang, p-cpe:/a:novell:opensuse:gvfs-backends, p-cpe:/a:novell:opensuse:typelib-1_0-goa-1_0, p-cpe:/a:novell:opensuse:gvfs-backend-gphoto, p-cpe:/a:novell:opensuse:gvfs-backend-afc, p-cpe:/a:novell:opensuse:gvfs-backend-samba, p-cpe:/a:novell:opensuse:gnome-online-accounts, p-cpe:/a:novell:opensuse:gnome-online-accounts-lang, p-cpe:/a:novell:opensuse:libgoa-1_0-0, p-cpe:/a:novell:opensuse:gvfs, p-cpe:/a:novell:opensuse:libgoa-backend-1_0-2

Required KB Items: Host/local_checks_enabled, Host/cpu, Host/SuSE/release, Host/SuSE/rpm-list

Exploit Ease: No known exploits are available

Patch Publication Date: 3/31/2026

Vulnerability Publication Date: 2/26/2026

Reference Information

CVE: CVE-2026-28295, CVE-2026-28296