openSUSE no longer mentioned in CVEs

At first sorry if I did not choose the right category, but I did not find anything fitting better.

In the past, openSUSE Leap and Tumbleweed versions were mentioned and tracked in the CVE system of SUSE at https://www.suse.com/security/cve

However, it seems that, starting in May, this is no longer the case.

For example, the following entry for CVE-2025-55753, last modified in April 2026, shows entries for Leap 15/16 and Tumbleweed:

CVE-2025-55753

The entry for the new CVE-2026-24072 from two days ago mentions openSUSE Leap 15.3, 15.4 and 15.5 as no longer supported, but omits Leap 15.6, 16.0, 16.1 and Tumbleweed altogether.

CVE-2026-24072

I have a somewhat uncomfortable feeling about a distribution no longer offering CVE tracking in challenging times like these, or did I overlook something obvious?

Regards goppi

Interesting, I did not notice this so far.
According to the rpm changelog, CVE-2025-55753 was patched for Leap 16.0 last December:

rpm --changelog -q apache2 |head -n 12
* Di Dez 16 2025 martin.schreiner@suse.com
- Fix the following bugs and CVEs:
  * bsc#1254511 / CVE-2025-55753
  * bsc#1254512 / CVE-2025-58098
  * bsc#1254514 / CVE-2025-65082
  * bsc#1254515 / CVE-2025-66200
- Add patches:
  * CVE-2025-55753.patch
  * CVE-2025-58098.patch
  * CVE-2025-65082.patch
  * CVE-2025-66200.patch

1 Like

@goppi:

For example – “copy.fail vulnerability” –


A possible explanation is the time stamps – the SUSE statement published via Planet openSUSE is dated the 3rd of May 2026 – the CVE page was last modified on the 7th of May 2026 …
Possibly the CVE page will receive some more changes …

OK, maybe I was somewhat too impatient.
Let's see how things evolve.

Regards
goppi

1 Like

I did recheck, but openSUSE 15.6 and up are still not even mentioned in the CVE. I also checked some other CVEs from April this year. It's all the same.

Not sure, but it seems that openSUSE is no longer tracked in SUSE CVEs?

@goppi:

With respect to CVE-2026-24072 – it's still pending – and there's this text →

Users are recommended to upgrade to version 2.4.67, which fixes this issue.

Here on Tumbleweed, the apache2 version is 2.4.66-3.1.

openSUSE Factory is indicating that the repair for CVE-2026-24072 has been built, but it seems that it hasn't hit the streets yet – <https://build.opensuse.org/package/show/Apache/apache2>

*) SECURITY: CVE-2026-24072: Apache HTTP Server: mod_rewrite elevation of privileges via ap_expr [boo#1263935]
An escalation of privilege bug in various modules in Apache HTTP 2.4.66 and earlier allows local .htaccess authors to read files with the privileges of the httpd user.
Users are recommended to upgrade to version 2.4.67, which fixes this issue.

1 Like
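A small check that combines the two signals used in this thread: the rpm changelog quoted in the earlier post and the installed-vs-fixed version comparison made here. This is an added shell example, not code from the thread or from SUSE; the changelog text is a constructed stand-in for real `rpm --changelog` output, and 2.4.67 is the fixed version quoted from the advisory.

```shell
#!/bin/sh
# Added example (not from the thread): decide whether a CVE is covered on a host
# from two signals: the installed upstream version versus the version the
# advisory names as fixed, and a backported patch recorded in the rpm changelog.

# Constructed stand-in for `rpm --changelog -q apache2 | head -n 12` output.
SAMPLE_CHANGELOG='* Di Dez 16 2025 martin.schreiner@suse.com
- Fix the following bugs and CVEs:
  * bsc#1254511 / CVE-2025-55753
  * bsc#1254512 / CVE-2025-58098
- Add patches:
  * CVE-2025-55753.patch
  * CVE-2025-58098.patch'

# cve_status CVE-ID INSTALLED-VERSION-RELEASE FIXED-UPSTREAM-VERSION CHANGELOG-TEXT
# Prints exactly one of: fixed-upstream, fixed-backport, not-fixed.
# Always exits 0 so callers branch on the printed word, not the exit code.
cve_status() {
  cve=$1 installed=$2 fixed=$3 changelog=$4
  # Drop the distro release suffix ("2.4.66-3.1" -> "2.4.66") before comparing
  # upstream versions; sort -V orders version strings numerically.
  upstream=${installed%%-*}
  lowest=$(printf '%s\n%s\n' "$upstream" "$fixed" | sort -V | head -n 1)
  if [ "$lowest" = "$fixed" ]; then
    echo fixed-upstream
    return 0
  fi
  # Below the fixed version: look for a backport, which the changelog records
  # as a "bsc#... / CVE-..." line and a "CVE-....patch" entry. -w keeps a
  # shorter ID from matching inside a longer one.
  if printf '%s\n' "$changelog" | grep -qwF -- "$cve"; then
    echo fixed-backport
    return 0
  fi
  echo not-fixed
}

# Demonstration with the Tumbleweed version quoted in the thread.
for id in CVE-2025-55753 CVE-2026-24072; do
  printf '%s on apache2-2.4.66-3.1: %s\n' "$id" \
    "$(cve_status "$id" 2.4.66-3.1 2.4.67 "$SAMPLE_CHANGELOG")"
done
```

On a real host, replace the constructed text with `rpm --changelog -q apache2` and the installed version with `rpm -q --qf '%{VERSION}-%{RELEASE}' apache2`.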

@dcurtisfra

Thanks for the information, which was quite helpful. What still remains uncertain to me is why the official SUSE CVE page no longer mentions the latest openSUSE editions.

In the past it was very helpful to have a single place (the SUSE CVE website) where the status of all vulnerabilities could be tracked.

Regards
goppi

AFAICS, the Apache2 changes related to CVE-2026-24072 are in a “waiting for release” state – about 23 hours ago the “factory-maintainer” submitted the changes for a final review before release – <https://build.opensuse.org/requests/1353166>

At a guess, the CVE status will be changed once the repair hits the streets … :innocent:

1 Like

I’m not quite sure about that. If you take a look at the CVE page in question, you can see that openSUSE 15.6 and up, and also Tumbleweed, are not even mentioned with status “affected”.

In the past you were able to track the lifecycle of a CVE for openSUSE on the SUSE CVE page as well, starting with “affected” and then transitioning to “released” over time, with links to the related packages.

CVE-2026-24072