gvfs-1.58.2-1.1 on GA media SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2026:10275-1 Final 1 1 2026-03-01T00:00:00Z current 2026-03-01T00:00:00Z 2026-03-01T00:00:00Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z gvfs-1.58.2-1.1 on GA media These are all security issues fixed in the gvfs-1.58.2-1.1 package on the GA media of openSUSE Tumbleweed. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-Tumbleweed-2026-10275 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/security/rating/ SUSE Security Ratings https://www.suse.com/security/cve/CVE-2026-28295/ SUSE CVE CVE-2026-28295 page https://www.suse.com/security/cve/CVE-2026-28296/ SUSE CVE CVE-2026-28296 page openSUSE Tumbleweed gvfs-1.58.2-1.1 gvfs-backend-afc-1.58.2-1.1 gvfs-backend-goa-1.58.2-1.1 gvfs-backend-gphoto-1.58.2-1.1 gvfs-backend-samba-1.58.2-1.1 gvfs-backends-1.58.2-1.1 gvfs-fuse-1.58.2-1.1 gvfs-lang-1.58.2-1.1 gvfs-1.58.2-1.1 as a component of openSUSE Tumbleweed gvfs-backend-afc-1.58.2-1.1 as a component of openSUSE Tumbleweed gvfs-backend-goa-1.58.2-1.1 as a component of openSUSE Tumbleweed gvfs-backend-gphoto-1.58.2-1.1 as a component of openSUSE Tumbleweed gvfs-backend-samba-1.58.2-1.1 as a component of openSUSE Tumbleweed gvfs-backends-1.58.2-1.1 as a component of openSUSE Tumbleweed gvfs-fuse-1.58.2-1.1 as a component of openSUSE Tumbleweed gvfs-lang-1.58.2-1.1 as a component of openSUSE Tumbleweed A flaw was found in the FTP GVfs backend. A malicious FTP server can exploit this vulnerability by providing an arbitrary IP address and port in its passive mode (PASV) response. The client unconditionally trusts this information and attempts to connect to the specified endpoint, allowing the malicious server to probe for open ports accessible from the client's network. CVE-2026-28295 openSUSE Tumbleweed:gvfs-1.58.2-1.1 openSUSE Tumbleweed:gvfs-backend-afc-1.58.2-1.1 openSUSE Tumbleweed:gvfs-backend-goa-1.58.2-1.1 openSUSE Tumbleweed:gvfs-backend-gphoto-1.58.2-1.1 openSUSE Tumbleweed:gvfs-backend-samba-1.58.2-1.1 openSUSE Tumbleweed:gvfs-backends-1.58.2-1.1 openSUSE Tumbleweed:gvfs-fuse-1.58.2-1.1 openSUSE Tumbleweed:gvfs-lang-1.58.2-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2026-28295.html CVE-2026-28295 https://bugzilla.suse.com/1258953 SUSE Bug 1258953 A flaw was found in the FTP GVfs backend. A remote attacker could exploit this input validation vulnerability by supplying specially crafted file paths containing carriage return and line feed (CRLF) sequences. These unsanitized sequences allow the attacker to terminate intended FTP commands and inject arbitrary FTP commands, potentially leading to arbitrary code execution or other severe impacts. CVE-2026-28296 openSUSE Tumbleweed:gvfs-1.58.2-1.1 openSUSE Tumbleweed:gvfs-backend-afc-1.58.2-1.1 openSUSE Tumbleweed:gvfs-backend-goa-1.58.2-1.1 openSUSE Tumbleweed:gvfs-backend-gphoto-1.58.2-1.1 openSUSE Tumbleweed:gvfs-backend-samba-1.58.2-1.1 openSUSE Tumbleweed:gvfs-backends-1.58.2-1.1 openSUSE Tumbleweed:gvfs-fuse-1.58.2-1.1 openSUSE Tumbleweed:gvfs-lang-1.58.2-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2026-28296.html CVE-2026-28296 https://bugzilla.suse.com/1258954 SUSE Bug 1258954