openSUSE 16 Security Update : nano (openSUSE-SU-2026:21166-1)

low Nessus Plugin ID 324062

Synopsis

The remote openSUSE host is missing one or more security updates.

Description

The remote openSUSE 16 host has packages installed that are affected by multiple vulnerabilities as referenced in the openSUSE-SU-2026:21166-1 advisory.

Changes in nano:

- Update to version 9.1:
* When searching, the viewport is placed snug left where possible.
* The ability to read and write files in old Mac format (a lone carriage return as line ending) was removed.
* The ^T toggle between WhereIs and GotoLine was dropped.
* Fix backups that were missing or had a wrong timestamp when
--backup is active.
* On a crash or kill, a .save file is no longer chmodded or chowned to the base file's permissions and owner.
* The history code now creates the ~/.local directory with limited access rights (boo#1263437; the referenced CVE-2026-40556 was rejected upstream).
* M-Ins and M-Del have become rebindable.

- GNU nano 9.0:
* When the cursor almost goes offscreen to the right, all lines are now scrolled sideways together, by just the amount needed to keep the cursor in view.
Use --solosidescroll or 'set solosidescroll' to get back the old, jerky, single-line horizontal scrolling.
* The viewport can be scrolled sideways (in steps of one tabsize) with M-< and M->. See `man nanorc` if M-< and M-> should switch between buffers (as they did earlier).
* M-Left, M-Right, M-Up, and M-Down have become rebindable.
* Stopping the recording of a macro immediately after starting it cancels the recording and leaves an existing macro in place.
* Feature toggles no longer break a chain of ^K cuts or M-6 copies, except the M-K cut-from-cursor toggle.
* With --mouse and --indicator, one can click in the scrollbar area to roughly navigate within the buffer.
* CVE-2026-6843: format string vulnerability leads to denial of service (boo#1262643)
* create the ~/.local directory with limited access rights (CVE-2026-6842 boo#1263022, CVE-2026-40556 boo#1263437)

- GNU nano 8.7.1:
* fix build against glibc-2.43 (boo#1258260)

- GNU nano 8.7:
* At the Execute prompt, preceding the command with two pipe symbols allows implementing a copy-to-clipboard feature in nanorc on terminals that support OSC 52. See doc/sample.nanorc

Tenable has extracted the preceding description block directly from the SUSE security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Solution

Update the affected nano and / or nano-lang packages.

See Also

https://bugzilla.suse.com/1258260

https://bugzilla.suse.com/1262643

https://bugzilla.suse.com/1263022

https://bugzilla.suse.com/1263437

https://www.suse.com/security/cve/CVE-2026-6842

https://www.suse.com/security/cve/CVE-2026-6843

Plugin Details

Severity: Low

ID: 324062

File Name: openSUSE-2026-21166-1.nasl

Version: 1.1

Type: Local

Agent: unix

Published: 7/1/2026

Updated: 7/1/2026

Supported Sensors: Nessus Agent, Continuous Assessment, Nessus

Risk Information

VPR

Risk Factor: Low

Score: 3

Percentile: 23.68

CVSS v2

Risk Factor: Low

Base Score: 1

Temporal Score: 0.7

Vector: CVSS2#AV:L/AC:H/Au:S/C:N/I:P/A:N

CVSS Score Source: CVE-2026-6842

CVSS v3

Risk Factor: Low

Base Score: 2.5

Temporal Score: 2.2

Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

CPE: cpe:/o:novell:opensuse:16.0, p-cpe:/a:novell:opensuse:nano-lang, p-cpe:/a:novell:opensuse:nano

Required KB Items: Host/local_checks_enabled, Host/cpu, Host/SuSE/release, Host/SuSE/rpm-list

Exploit Ease: No known exploits are available

Patch Publication Date: 6/29/2026

Vulnerability Publication Date: 4/22/2026

Reference Information

CVE: CVE-2026-6842, CVE-2026-6843

IAVA: 2026-A-0513