SUSE-SU-2025:21227-1: important: Security update 5.0.6 for Multi-Linux Manager Client Tools, Salt and Salt Bundle
SLE-SECURITY-UPDATES
null at suse.de
Thu Dec 18 16:30:24 UTC 2025
# Security update 5.0.6 for Multi-Linux Manager Client Tools, Salt and Salt
Bundle
Announcement ID: SUSE-SU-2025:21227-1
Release Date: 2025-12-16T07:24:16Z
Rating: important
References:
* bsc#1227207
* bsc#1243611
* bsc#1243704
* bsc#1244027
* bsc#1244127
* bsc#1244534
* bsc#1245099
* bsc#1245740
* bsc#1246068
* bsc#1246320
* bsc#1246553
* bsc#1246662
* bsc#1246738
* bsc#1246789
* bsc#1246882
* bsc#1246906
* bsc#1246925
* bsc#1247688
* bsc#1247721
* bsc#1250520
* bsc#1250755
* bsc#1251044
* bsc#1251138
* bsc#1251776
* bsc#1252244
* bsc#1252285
* bsc#1254256
* bsc#1254257
Cross-References:
* CVE-2025-62348
* CVE-2025-62349
CVSS scores:
* CVE-2025-62348 ( SUSE ): 7.3
CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
* CVE-2025-62348 ( SUSE ): 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
* CVE-2025-62349 ( SUSE ): 7.5
CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N
* CVE-2025-62349 ( SUSE ): 6.2 CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:L
Affected Products:
* SUSE Linux Micro 6.0
* SUSE Linux Micro 6.1
* SUSE Linux Micro 6.2
* SUSE Manager Client Tools for SUSE Linux Micro 6
An update that solves two vulnerabilities and has 26 fixes can now be installed.
## Description:
This update fixes the following issues:
salt:
* Security issues fixed:
* CVE-2025-62349: Added minimum_auth_version to enforce security (bsc#1254257)
* CVE-2025-62348: Fixed Junos module yaml loader (bsc#1254256)
* Backport security fixes for vendored tornado
* BDSA-2024-3438
* BDSA-2024-3439
* BDSA-2024-9026
* Other changes and bugs fixed:
* Fixed TLS and x509 modules for OSes with older cryptography module
* Fixed Salt for Python > 3.11 (bsc#1252285) (bsc#1252244)
* Use external tornado on Python > 3.11
* Make tls and x509 to use python-cryptography
* Remove usage of spwd
* Fixed payload signature verification on Tumbleweed (bsc#1251776)
* Fixed broken symlink on migration to Leap 16.0 (bsc#1250755)
* Fixed known_hosts error on gitfs (bsc#1250520) (bsc#1227207)
* Fixed functional.states.test_user for SLES 16 and Micro systems
* Fixed the tests failing on AlmaLinux 10 and other clones
* Improved SL Micro 6.2 detection with grains
* Require Python dependencies only for used Python version
* Reverted requirement of M2Crypto >= 0.44.0 for SUSE Family distros
* Set python-CherryPy as required for python-salt-testsuite
uyuni-tools:
* Version 0.1.37-0
* Added --registry-host, --registry-user and --registry-password to pull
images from an authenticate registry
* Added a lowercase version of --logLevel (bsc#1243611)
* Added migration for server monitoring configuration (bsc#1247688)
* Added SLE15SP7 to buildin productmap
* Adjusted traefik exposed configuration for chart v27+ (bsc#1247721)
* Automatically get up-to-date systemid file on salt based proxy hosts
(bsc#1246789)
* Check for restorecon presence before calling (bsc#1246925)
* Convert the traefik install time to local time (bsc#1251138)
* Deprecated --registry
* Do not require backups to be at the same location for restoring
(bsc#1246906)
* Do not use sudo when running as a root user (bsc#1246882)
* Fixed channel override for distro copy
* Fixed loading product map from mgradm configuration file (bsc#1246068)
* Fixed recomputing proxy images when installing a ptf or test (bsc#1246553)
* Handle CA files with symlinks during migration (bsc#1251044)
* Migrate custom auto installation snippets (bsc#1246320)
* Run smdba and reindex only during migration (bsc#1244534)
* Stop executing scripts in temporary folder (bsc#1243704)
* Support config: collect podman inspect for hub container(bsc#1245099)
* Use new dedicated path for Cobbler settings (bsc#1244027)
* Version 0.1.36-0
* Bump the default image tag to 5.0.5.1
* Version 0.1.35-0
* Restore SELinux contexts for restored backup volumes (bsc#1244127)
* Version 0.1.34-0
* Fixed mgradm backup create handling of images and systemd files
(bsc#1246738)
* Version 0.1.33-0
* Restore volumes using tar instead of podman import (bsc#1244127)
* Version 0.1.32-0
* Fixed version compare by backport from main (bsc#1246662)
venv-salt-minion:
* Security issues fixed:
* CVE-2025-62349: Added minimum_auth_version to enforce security (bsc#1254257)
* CVE-2025-62348: Fixed Junos module yaml loader (bsc#1254256)
* Backport security fixes for vendored tornado
* BDSA-2024-3438
* BDSA-2024-3439
* BDSA-2024-9026
* Other changes and bugs fixed:
* Added `minion_legacy_req_warnings` option to avoid noisy warnings
* Fixed TLS and x509 modules for OSes with older cryptography module
* Fixed Salt for Python > 3.11 (bsc#1252285) (bsc#1252244)
* Use external tornado on Python > 3.11
* Make tls and x509 to use python-cryptography
* Remove usage of spwd
* Filter out zero-length check as the empty files are expected there
* Filter out env-script-interpreter for ssh-id-wrapper as not used with the
Salt Bundle, but present inside the salt module
* Fixed functional.states.test_user for SLES 16 and Micro systems
* Fixed known_hosts error on gitfs (bsc#1250520) (bsc#1227207)
* Fixed payload signature verification on Tumbleweed (bsc#1251776)
* Fixed the tests failing on AlmaLinux 10 and other clones
* Improve SL Micro 6.2 detection with grains
* Removed unused activate script (bsc#1245740)
* Use more strict way to Fixed shebang in the bundle scripts
* Use versioned python interpreter for salt-ssh
## Special Instructions and Notes:
## Patch Instructions:
To install this SUSE update use the SUSE recommended installation methods like
YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
* SUSE Manager Client Tools for SUSE Linux Micro 6
zypper in -t patch SUSE-Manager-Tools-For-SL-Micro-6-535=1
## Package List:
* SUSE Manager Client Tools for SUSE Linux Micro 6 (aarch64 ppc64le s390x
x86_64)
* mgrctl-debuginfo-0.1.37-1.1
* venv-salt-minion-3006.0-9.1
* mgrctl-0.1.37-1.1
* SUSE Manager Client Tools for SUSE Linux Micro 6 (noarch)
* mgrctl-lang-0.1.37-1.1
* mgrctl-zsh-completion-0.1.37-1.1
* mgrctl-bash-completion-0.1.37-1.1
## References:
* https://www.suse.com/security/cve/CVE-2025-62348.html
* https://www.suse.com/security/cve/CVE-2025-62349.html
* https://bugzilla.suse.com/show_bug.cgi?id=1227207
* https://bugzilla.suse.com/show_bug.cgi?id=1243611
* https://bugzilla.suse.com/show_bug.cgi?id=1243704
* https://bugzilla.suse.com/show_bug.cgi?id=1244027
* https://bugzilla.suse.com/show_bug.cgi?id=1244127
* https://bugzilla.suse.com/show_bug.cgi?id=1244534
* https://bugzilla.suse.com/show_bug.cgi?id=1245099
* https://bugzilla.suse.com/show_bug.cgi?id=1245740
* https://bugzilla.suse.com/show_bug.cgi?id=1246068
* https://bugzilla.suse.com/show_bug.cgi?id=1246320
* https://bugzilla.suse.com/show_bug.cgi?id=1246553
* https://bugzilla.suse.com/show_bug.cgi?id=1246662
* https://bugzilla.suse.com/show_bug.cgi?id=1246738
* https://bugzilla.suse.com/show_bug.cgi?id=1246789
* https://bugzilla.suse.com/show_bug.cgi?id=1246882
* https://bugzilla.suse.com/show_bug.cgi?id=1246906
* https://bugzilla.suse.com/show_bug.cgi?id=1246925
* https://bugzilla.suse.com/show_bug.cgi?id=1247688
* https://bugzilla.suse.com/show_bug.cgi?id=1247721
* https://bugzilla.suse.com/show_bug.cgi?id=1250520
* https://bugzilla.suse.com/show_bug.cgi?id=1250755
* https://bugzilla.suse.com/show_bug.cgi?id=1251044
* https://bugzilla.suse.com/show_bug.cgi?id=1251138
* https://bugzilla.suse.com/show_bug.cgi?id=1251776
* https://bugzilla.suse.com/show_bug.cgi?id=1252244
* https://bugzilla.suse.com/show_bug.cgi?id=1252285
* https://bugzilla.suse.com/show_bug.cgi?id=1254256
* https://bugzilla.suse.com/show_bug.cgi?id=1254257
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.suse.com/pipermail/sle-security-updates/attachments/20251218/5dbdd268/attachment.htm>
More information about the sle-security-updates
mailing list