Description of the patch:
This update for apptainer fixes the following issues
- CVE-2026-24137: github.com/sigstore/sigstore/pkg/tuf: legacy TUF client allows for arbitrary file writes with target
cache path traversal (bsc#1264177).
- CVE-2026-33186: google.golang.org/grpc: authorization bypass due to improper validation of the HTTP/2: path pseudo-
header (bsc#1260311).
- CVE-2026-33814: golang.org/x/net/http2: infinite loop in HTTP/2 transport when given bad SETTINGS_MAX_FRAME_SIZE
(bsc#1265844).
- CVE-2026-34986: github.com/go-jose/go-jose/v4,github.com/go-jose/go-jose/v3: crafted JWE input with a missing
encrypted key can lead to a denial of service (bsc#1262956).
- CVE-2026-39821: golang.org/x/net/idna: failure to reject ASCII-only Punycode-encoded labels allows for validation
bypass and privilege escalation (bsc#1266656).
- CVE-2026-39827: memory leak when rejecting channels can lead to DoS in golang.org/x/crypto/ssh
(bsc#1266202).
- CVE-2026-39828: bypass of certificate restrictions in golang.org/x/crypto/ssh (bsc#1266202).
- CVE-2026-39829: pathological RSA/DSA parameters may cause DoS in golang.org/x/crypto/ssh (bsc#1266202).
- CVE-2026-39830: client can cause server deadlock on unexpected responses in golang.org/x/crypto/ssh
(bsc#1266202).
- CVE-2026-39831: bypass of FIDO/U2F security keys physical interaction in golang.org/x/crypto/ssh
(bsc#1266202).
- CVE-2026-39832: agent constraints dropped when forwarding keys in golang.org/x/crypto/ssh/agent
(bsc#1266202).
- CVE-2026-39833: key constraints not enforced in golang.org/x/crypto/ssh/agent (bsc#1266202).
- CVE-2026-39834: infinite loop on large channel writes in golang.org/x/crypto/ssh (bsc#1266202).
- CVE-2026-39835: server panic during CheckHostKey/Authenticate in golang.org/x/crypto/ssh (bsc#1266202).
- CVE-2026-42508: auth bypass via unenforced @revoked status in golang.org/x/crypto/ssh/knownhosts
(bsc#1266202).
- CVE-2026-46595: VerifiedPublicKeyCallback permissions skip...