openSUSE 16: openQA / openQA-auto-update / openQA-bootstrap / openQA-client / etc (openSUSE-SU-2026:21266-1)

high Nessus Plugin ID 326030

Synopsis

The remote openSUSE host is missing one or more security updates.

Description

The remote openSUSE 16 host has packages installed that are affected by multiple vulnerabilities as referenced in the openSUSE-SU-2026:21266-1 advisory.

Changes in openQA:

- Update to version 5.1783076943.6691832d:
* test: Stabilize `t/05-scheduler-full.t`

- Clarify resolution of three CVEs
* The following CVEs have been fixed (see previous changelog entries that mentioned only the according Bugzilla tickets):
- bsc#1259005 - CVE-2026-27904
- bsc#1264376 - CVE-2026-6321
- bsc#1258632 - CVE-2026-26996

- Update to version 5.1782995932.ffeb09be:
* feat: throw 404 for nonexistent groups in overview
* feat: Avoid logwarn notifications for non-critical auth error
* chore(deps): Dependency cron 2026-07-02
* git subrepo pull (merge) external/os-autoinst-common
* fix: Check also hidden files in checklist plugin
* test: Enable faster re-connects in full scheduler test consistently
* test: Avoid silent daemons in verbose mode
* test: Allow running `t/43--scalability.t` in parallel
* test: Allow running `t/05-scheduler-full.t` in parallel
* test: Avoid race condition when generating ports in `25-cache.t`
* test: Avoid wasting seconds in `40-script_load_dump_templates.t`
* refactor: Remove disabled code in `openqa-load-templates`
* test: Avoid race condition when generating ports in many tests
* chore(deps): Dependency cron 2026-07-01
* fix(ci): format inline comments in workflows to pass yamllint
* test: Avoid running into Address already in use in fullstack test
* feat(ci): pin GitHub Actions by commit hash

Changes in os-autoinst:

- Update to version 5.1783082953.c3cb41d:
* test: Disable unstable `t/28-signalblocker.t` on ppc64le OBS builds
* fix: Check also hidden files in checklist plugin
* feat(ci): disable Mergify interactive queue controls in PR comments
* test: assert pipe size adjustment dynamically
* test: assert terminal session boundary safety
* refactor: support pretty markers in script_sudo and become_root
* fix: mmapi test failures and infinite loop hangs
* test: simplify Level 3 pretty marker detection
* fix: exclude virt-firmware on all older Leap archs

- Update to version 5.1782917048.dcc97e9:
* fix: Check also hidden files in checklist plugin
* feat(ci): disable Mergify interactive queue controls in PR comments
* fix(ci): format inline comments in workflows to pass yamllint
* feat(ci): pin GitHub Actions by commit hash
* test: assert pipe size adjustment dynamically
* test: assert terminal session boundary safety
* refactor: support pretty markers in script_sudo and become_root
* fix: mmapi test failures and infinite loop hangs
* test: simplify Level 3 pretty marker detection
* fix: exclude virt-firmware on all older Leap archs

Tenable has extracted the preceding description block directly from the SUSE security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Solution

Update the affected packages.

See Also

https://bugzilla.suse.com/1258632

https://bugzilla.suse.com/1259005

https://bugzilla.suse.com/1264376

https://www.suse.com/security/cve/CVE-2026-26996

https://www.suse.com/security/cve/CVE-2026-27904

https://www.suse.com/security/cve/CVE-2026-6321

Plugin Details

Severity: High

ID: 326030

File Name: openSUSE-2026-21266-1.nasl

Version: 1.1

Type: Local

Agent: unix

Published: 7/9/2026

Updated: 7/9/2026

Supported Sensors: Continuous Assessment, Nessus Agent, Nessus

Risk Information

VPR

Risk Factor: Low

Score: 3

Percentile: 23.73

CVSS v2

Risk Factor: High

Base Score: 7.8

Temporal Score: 6.1

Vector: CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C

CVSS Score Source: CVE-2026-26996

CVSS v3

Risk Factor: High

Base Score: 7.5

Temporal Score: 6.7

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

CVSS v4

Risk Factor: High

Base Score: 8.7

Threat Score: 7.7

Threat Vector: CVSS:4.0/E:P

Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Vulnerability Information

CPE: p-cpe:/a:novell:opensuse:openqa-auto-update, p-cpe:/a:novell:opensuse:openqa-client, cpe:/o:novell:opensuse:16.0, p-cpe:/a:novell:opensuse:openqa-bootstrap, p-cpe:/a:novell:opensuse:os-autoinst-qemu-x86, p-cpe:/a:novell:opensuse:openqa-common, p-cpe:/a:novell:opensuse:openqa-single-instance, p-cpe:/a:novell:opensuse:os-autoinst-devel, p-cpe:/a:novell:opensuse:openqa-mcp, p-cpe:/a:novell:opensuse:openqa-client-bash-completion, p-cpe:/a:novell:opensuse:os-autoinst-s390-deps, p-cpe:/a:novell:opensuse:openqa-client-zsh-completion, p-cpe:/a:novell:opensuse:os-autoinst-openvswitch, p-cpe:/a:novell:opensuse:openqa-single-instance-nginx, p-cpe:/a:novell:opensuse:openqa-munin, p-cpe:/a:novell:opensuse:openqa-python-scripts, p-cpe:/a:novell:opensuse:openqa-devel, p-cpe:/a:novell:opensuse:openqa-continuous-update, p-cpe:/a:novell:opensuse:openqa-local-db, p-cpe:/a:novell:opensuse:os-autoinst-ipmi-deps, p-cpe:/a:novell:opensuse:openqa-llm-server, p-cpe:/a:novell:opensuse:os-autoinst-swtpm, p-cpe:/a:novell:opensuse:os-autoinst, p-cpe:/a:novell:opensuse:openqa-worker, p-cpe:/a:novell:opensuse:os-autoinst-qemu-kvm, p-cpe:/a:novell:opensuse:openqa

Required KB Items: Host/local_checks_enabled, Host/cpu, Host/SuSE/release, Host/SuSE/rpm-list

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 7/6/2026

Vulnerability Publication Date: 2/18/2026

Reference Information

CVE: CVE-2026-26996, CVE-2026-27904, CVE-2026-6321