Security update for gnome-online-accounts, gvfs

Announcement ID: SUSE-SU-2026:20988-1
Release Date: 2026-03-31T09:11:58Z
Rating: important
References:
Cross-References:
CVSS scores:
  • CVE-2026-28295 ( SUSE ): 5.3 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
  • CVE-2026-28295 ( SUSE ): 4.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N
  • CVE-2026-28295 ( NVD ): 4.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N
  • CVE-2026-28296 ( SUSE ): 6.9 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N
  • CVE-2026-28296 ( SUSE ): 7.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
  • CVE-2026-28296 ( NVD ): 4.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N
Affected Products:
  • SUSE Linux Enterprise Server - BCI 16.0

An update that solves two vulnerabilities can now be installed.

Description:

This update for gnome-online-accounts, gvfs fixes the following issues:

Changes for gvfs:

Update gvfs to 1.59.90:

  • CVE-2026-28295: information disclosure when processing untrusted PASV responses from FTP servers (bsc#1258953).
  • CVE-2026-28296: arbitrary FTP command injection due to unsanitized CRLF sequences in user-supplied file paths (bsc#1258954).
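To make the two gvfs fixes concrete, here is an added example in C (not gvfs's own code; the function names and sample values are constructed): a PASV reply parser that takes only the port from the server's "227" reply and always targets the control connection's peer address, beside a path check that rejects CR/LF before a path is embedded in an FTP command line.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Parse an RFC 959 "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)" reply.
 * Returns the advertised port, or -1 if the reply is malformed.
 * The host octets are validated but deliberately not used: the data
 * connection goes to the control connection's peer, so a server cannot
 * redirect the client to an address of its choosing. */
static int pasv_port_from_reply(const char *reply)
{
    const char *paren = strchr(reply, '(');
    if (paren == NULL || strncmp(reply, "227", 3) != 0)
        return -1;
    unsigned int h[4], p[2];
    if (sscanf(paren, "(%u,%u,%u,%u,%u,%u)",
               &h[0], &h[1], &h[2], &h[3], &p[0], &p[1]) != 6)
        return -1;
    for (int i = 0; i < 4; i++)
        if (h[i] > 255)
            return -1;
    if (p[0] > 255 || p[1] > 255)
        return -1;
    int port = (int)(p[0] * 256 + p[1]);
    return port == 0 ? -1 : port;
}

/* A CR or LF inside a path would end the FTP command early and let the
 * remainder be read as a second command, so such paths are refused. */
static bool ftp_path_is_safe(const char *path)
{
    return strpbrk(path, "\r\n") == NULL;
}

/* Build the data-connection target as "control-peer:port".
 * control_peer is the address the control socket is already connected to
 * (constructed by the caller here). Returns false on a malformed reply. */
static bool pasv_data_target(const char *control_peer, const char *reply,
                             char *out, size_t out_len)
{
    int port = pasv_port_from_reply(reply);
    if (port < 0)
        return false;
    snprintf(out, out_len, "%s:%d", control_peer, port);
    return true;
}
```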

Changelog:

Update to version 1.59.90:

  • client: Fix use-after-free when creating async proxy failed
  • udisks2: Emit changed signals from update_all()
  • daemon: Fix race on subscribers list when on thread
  • ftp: Validate fe_size when parsing symlink target
  • ftp: Check localtime() return value before use
  • gphoto2: Use g_try_realloc() instead of g_realloc()
  • cdda: Reject path traversal in mount URI host
  • client: Fail when URI has invalid UTF-8 chars
  • udisks2: Fix memory corruption with duplicate mount paths
  • build: Update GOA dependency to > 3.57.0
  • Some other fixes
  • ftp: Use control connection address for PASV data
  • ftp: Reject paths containing CR/LF characters

Update to version 1.59.1:

  • mtp: replace Android extension checks with capability checks
  • dav: Add X-OC-Mtime header on push to preserve last modified time
  • udisks2: Use hash tables in the volume monitor to improve performance
  • onedrive: Check for identity instead of presentation identity
  • build: Disable google option and mark as deprecated

Update to version 1.58.2:

  • ftp: Use control connection address for PASV data
  • ftp: Reject paths containing CR/LF characters

Update to version 1.58.1:

  • cdda: Fix duration of last track for some media
  • build: Fix build when google option is disabled
  • Fix various memory leaks
  • Updated translations

Update to version 1.58.0:

  • mtp: Allow cancelling ongoing folder enumerations
  • wsdd: Use socket-activated service if available
  • onedrive: Set emblem for remote data
  • fix: Add file rename support in MTP backend move operation
  • mtp: Fix -Wmaybe-uninitialized warning in pad_file
  • fuse: use fuse_(un)set_feature_flag for libfuse 3.17+
  • smbbrowse: Purge server cache for next auth try
  • metatree: Open files with O_CLOEXEC
  • cdda: Fix incorrect track duration for 99-track CDs
  • metadata: Fix journal file permissions inconsistency
  • dav: recognize 308 Permanent Redirect

Changes for gnome-online-accounts:

Update to version 3.58.0:

  • SMTP server without password cannot be configured
  • Remove unneeded SMTP password escaping
  • build: Disable google provider Files feature
  • MS365: Fix mail address and name
  • Google: Set mail name to presentation identity
  • Updated translations

Update to version 3.57.1:

  • Default Microsoft 365 client is unverified
  • Microsoft 365: Make use of email for id
  • goadaemon: Allow manage system notifications
  • goamsgraphprovider: bump credentials generation
  • goaprovider: Allow to disable, instead of enable, selected providers

Changes from version 3.57.0:

  • Support for saving a Kerberos password to the keychain after the first login
  • Changing expired Kerberos password is not supported
  • Provided Files URI does not override undiscovered endpoint
  • DAV client rejects 204 status in OPTIONS request handler
  • Include emblem-default-symbolic.svg
  • Connecting a Runbox CardDAV/CalDAV account hangs/freezes after sign in
  • i18n: fix translatable string
  • goaimapsmtpprovider: fix accounts without SMTP or authentication-less SMTP
  • build: only install icons for the goabackend build
  • build: don't require goabackend to build documentation
  • ci: test the build without gtk4
  • DAV-client: Added short path for SOGo

Update to version 3.56.4:

Bugs fixed:

  • Unclear which part of "IMAP+SMTP" account test failed
  • Adding nextcloud account which has a subfolder does not work
  • goadaemon: Handle broken account configs

Update to version 3.56.3:

  • Add DAV detection and configuration for SOGo
  • DAV discovery fails when certain SRV lookups fail

Update to version 3.56.1:

  • Support for saving a Kerberos password after the first login
  • Changing expired Kerberos password is not supported
  • Provided Files URI does not override undiscovered endpoint
  • DAV client rejects 204 status in OPTIONS request handler

Update to version 3.56.0:

  • Code style and logging cleanups
  • Updated translations

Update to version 3.55.2:

  • goaoauth2provider: improve error handling for auth/token endpoints

Update to version 3.55.1:

  • Support Webflow authentication for Nextcloud
  • Rename dconf key in gnome-online-accounts settings
  • "Account Name" GUI field is a bit ambiguous
  • Failed to generate a new POT file for the user interface of "gnome-online-accounts" (domain: "po") and some missing files from POTFILES.in

Update to version 3.55.0:

  • Add progress spinner for OAuth2 dialogs
  • Remove Windows Live! option
  • Improve goa_oauth2_provider_ensure_credentials_sync
  • Authentication failure in goa IMAP accounts
  • Missing files from POTFILES.in
  • WebDAV not detected for mail.ru
  • goaoauth2provider: fix task chaining for subclasses
  • Always lowercase domains when looking up base
  • goadavclient: check Nextcloud fallback last
  • goabackend: add a composite widget for authflow links
  • goadavclient: fix the mailbox.org preconfig

Update to version 3.54.5:

  • Adding GOA account fails with sonic.net IMAP service
  • Cannot add a ProtonMail bridge with IMAP + TLS
  • Nextcloud login does not work anymore due to OPTIONS /login request
  • Linked online accounts no longer work
  • Invalid URI when adding Google account
  • goamsgraphprovider: ensure a valid PresentationIdentity
  • goadaemon: complete GTasks to avoid a scary debug warning

Patch Instructions:

To install this SUSE update, use the SUSE recommended installation methods such as YaST online_update or "zypper patch".
Alternatively, you can run the command listed for your product:

  • SUSE Linux Enterprise Server - BCI 16.0
    zypper in -t patch SUSE-SLES-16.0-469=1

Package List:

  • SUSE Linux Enterprise Server - BCI 16.0 (aarch64 ppc64le s390x x86_64)
    • gvfs-debuginfo-1.59.90-160000.1.1
    • gvfs-fuse-debuginfo-1.59.90-160000.1.1
    • gnome-online-accounts-debuginfo-3.58.0-160000.1.1
    • gvfs-debugsource-1.59.90-160000.1.1
    • typelib-1_0-Goa-1_0-3.58.0-160000.1.1
    • gvfs-backends-1.59.90-160000.1.1
    • gvfs-fuse-1.59.90-160000.1.1
    • gnome-online-accounts-debugsource-3.58.0-160000.1.1
    • libgoa-backend-1_0-2-3.58.0-160000.1.1
    • libgoa-backend-1_0-2-debuginfo-3.58.0-160000.1.1
    • gvfs-1.59.90-160000.1.1
    • gvfs-backends-debuginfo-1.59.90-160000.1.1
    • libgoa-1_0-0-3.58.0-160000.1.1
    • libgoa-1_0-0-debuginfo-3.58.0-160000.1.1
  • SUSE Linux Enterprise Server - BCI 16.0 (noarch)
    • gvfs-lang-1.59.90-160000.1.1