SUSE-SU-2026:1524-1: critical: Security update 5.1.3 for Multi-Linux Manager Client Tools
SLE-SECURITY-UPDATES
null at suse.de
Tue Apr 21 16:33:26 UTC 2026
# Security update 5.1.3 for Multi-Linux Manager Client Tools
Announcement ID: SUSE-SU-2026:1524-1
Release Date: 2026-04-21T09:26:10Z
Rating: critical
References:
* bsc#1245302
* bsc#1250367
* bsc#1252548
* bsc#1252964
* bsc#1254154
* bsc#1254619
* bsc#1257329
* bsc#1257337
* bsc#1257349
* bsc#1257442
* bsc#1257447
* bsc#1257660
* bsc#1257841
* bsc#1257897
* bsc#1257941
* bsc#1258015
* bsc#1258136
* bsc#1258418
* bsc#1258595
* bsc#1258873
* bsc#1258893
* bsc#1258927
* bsc#1259208
* bsc#1260263
* bsc#1260267
* bsc#1260878
* bsc#1261025
* bsc#1261026
* bsc#1261027
* bsc#1261029
* jsc#MSQA-1048
* jsc#PED-15474
Cross-References:
* CVE-2025-13465
* CVE-2025-3415
* CVE-2025-61140
* CVE-2026-1615
* CVE-2026-21720
* CVE-2026-21721
* CVE-2026-21722
* CVE-2026-21724
* CVE-2026-21725
* CVE-2026-25547
* CVE-2026-26958
* CVE-2026-27606
* CVE-2026-27876
* CVE-2026-27877
* CVE-2026-27879
* CVE-2026-28375
* CVE-2026-33186
CVSS scores:
* CVE-2025-13465 ( SUSE ): 8.8
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:H/SC:N/SI:N/SA:N
* CVE-2025-13465 ( SUSE ): 8.2 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H
* CVE-2025-13465 ( NVD ): 6.9
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:H/SI:H/SA:H/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
* CVE-2025-13465 ( NVD ): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
* CVE-2025-3415 ( SUSE ): 5.3
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
* CVE-2025-3415 ( SUSE ): 4.3 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
* CVE-2025-3415 ( NVD ): 4.3 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
* CVE-2025-61140 ( SUSE ): 9.2
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
* CVE-2025-61140 ( SUSE ): 8.1 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
* CVE-2025-61140 ( NVD ): 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
* CVE-2026-1615 ( SUSE ): 8.2
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
* CVE-2026-1615 ( SUSE ): 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
* CVE-2026-1615 ( NVD ): 8.2
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
* CVE-2026-1615 ( NVD ): 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
* CVE-2026-21720 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
* CVE-2026-21720 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
* CVE-2026-21721 ( SUSE ): 8.6
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
* CVE-2026-21721 ( SUSE ): 8.1 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
* CVE-2026-21721 ( NVD ): 8.1 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
* CVE-2026-21722 ( SUSE ): 6.9
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
* CVE-2026-21722 ( SUSE ): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
* CVE-2026-21722 ( NVD ): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
* CVE-2026-21724 ( SUSE ): 5.3
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
* CVE-2026-21724 ( SUSE ): 5.4 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
* CVE-2026-21724 ( NVD ): 5.4 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
* CVE-2026-21724 ( NVD ): 4.3 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
* CVE-2026-21725 ( SUSE ): 2.1
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N
* CVE-2026-21725 ( SUSE ): 3.7 CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:L/A:L
* CVE-2026-21725 ( NVD ): 2.6 CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:N/A:L
* CVE-2026-21725 ( NVD ): 2.0 CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:L/A:N
* CVE-2026-25547 ( SUSE ): 8.7
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
* CVE-2026-25547 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
* CVE-2026-25547 ( NVD ): 9.2
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
* CVE-2026-26958 ( SUSE ): 8.3
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N
* CVE-2026-26958 ( SUSE ): 6.5 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:L
* CVE-2026-26958 ( NVD ): 1.7
CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
* CVE-2026-27606 ( SUSE ): 8.7
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
* CVE-2026-27606 ( SUSE ): 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
* CVE-2026-27606 ( NVD ): 8.8
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
* CVE-2026-27606 ( NVD ): 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
* CVE-2026-27876 ( SUSE ): 8.9
CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
* CVE-2026-27876 ( SUSE ): 9.1 CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
* CVE-2026-27876 ( NVD ): 9.1 CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
* CVE-2026-27877 ( SUSE ): 8.7
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
* CVE-2026-27877 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
* CVE-2026-27877 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
* CVE-2026-27877 ( NVD ): 6.5 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
* CVE-2026-27879 ( SUSE ): 7.1
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
* CVE-2026-27879 ( SUSE ): 6.5 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
* CVE-2026-27879 ( NVD ): 6.5 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
* CVE-2026-28375 ( SUSE ): 7.1
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
* CVE-2026-28375 ( SUSE ): 6.5 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
* CVE-2026-28375 ( NVD ): 6.5 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
* CVE-2026-33186 ( SUSE ): 8.6
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
* CVE-2026-33186 ( SUSE ): 8.1 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
* CVE-2026-33186 ( NVD ): 9.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Affected Products:
* SUSE Multi-Linux Manager Client Tools for SLE 15
* SUSE Multi-Linux Manager Client Tools for SLE Micro 5
An update that solves 17 vulnerabilities, contains two features and has 13
security fixes can now be installed.
## Description:
This update fixes the following issues:
golang-github-lusitaniae-apache_exporter:
* Internal changes to fix build issues with no impact for customers
golang-github-prometheus-prometheus:
* Security issues fixed:
* CVE-2026-27606: Fixed arbitrary file write via path traversal in rollup
(bsc#1258893)
* Bumped rollup to version 4.59.0
* CVE-2026-25547: Fixed unbounded brace range expansion leading to excessive
CPU and memory consumption (bsc#1257841)
* Bumped brace-expansion to version 5.0.2
* CVE-2026-1615, CVE-2025-61140 The old web UI is no longer built due to
security issues (bsc#1257897, bsc#1257442)
* CVE-2025-13465: Bumped lodash package to version 4.17.23 to fix prototype
pollution vulnerability (bsc#1257329)
* CVE-2026-33186: Fixed authorization bypass due to improper validation of the
HTTP/2 :path pseudo-header (bsc#1260267)
* Bumped google.golang.org/grpc to version 1.79.3
grafana:
* Security issues fixed:
* CVE-2026-21722: Public dashboards annotations: use dashboard timerange if
time selection disabled (bsc#1258136)
* CVE-2026-21721: Fixed access control by the dashboard permissions API
(bsc#1257337)
* CVE-2026-21720: Fixed unauthenticated DoS (bsc#1257349)
* CVE-2025-3415: Fixed exposure of DingDing alerting integration URL to Viewer
level users (bsc#1245302)
* CVE-2026-26958: Bumped filippo.io/edwards25519 to version 1.1.1
(bsc#1258595)
* CVE-2026-21725: Fixed missing UID when deleting datasource by name
(bsc#1258873)
* CVE-2026-21725: Fixed missing UID when deleting datasource by name
(bsc#1258873)
* CVE-2026-27876: Fixed remote arbitrary code execution via chained SQL
Expressions (bsc#1261025)
* CVE-2026-27877: Fixed information disclosure of data-source passwords via
public dashboards (bsc#1261026)
* CVE-2026-28375: Fixed denial of service via testdata data-source
(bsc#1261029)
* CVE-2026-27879: Fixed denial of service via resample query (bsc#1261027)
* CVE-2026-33186: Fixed authorization bypass due to improper validation of the
HTTP/2 :path pseudo-header (bsc#1260263)
* CVE-2026-21724: Fixed authorization bypass allows modification of protected
webhook URLs (bsc#1260878)
* Version update from 11.5.10 to 11.6.14+security01 with the following
highlighted changes and fixes:
* Public Dashboards: Wired the public dashboard service to the HTTP server to
ensure proper connectivity and availability
* Authentication: Refined the redirect logic to ensure consistent behavior
during login and logout sequences
* Dashboard Reliability: Resolved a bug preventing single panels from
rendering correctly when dashboard variables are referenced
* Performance Boost: Introduced WebGL-powered geomaps for smoother map
visualizations and removed blurred backgrounds from UI overlays to speed up
the interface
* One-Click Actions: Visualizations now support faster navigation via one-
click links and actions
* Alerting History: Added version history for alert rules, allowing you to
track changes over time
* Service Accounts: Automated the migration of old API keys to more secure
Service Accounts upon startup
* Cron Support: Annotations now support Cron syntax for more flexible
scheduling
* Identity and Auth: Hardened the Avatar feature (now requires sign-in) and
fixed several login redirection issues when Grafana is hosted on a subpath
* Data Source Support: Added support for Cloud Partner Prometheus data sources
and improved Azure legend formatting
* Alerting Limits: Added size limits for expanded notification templates to
prevent system strain
* RBAC: Integrated Role-Based Access Control (RBAC) into the Alertmanager via
the reqAction field
* Data Consistency: Fixed several issues with Graphite and InfluxDB regarding
how variables are handled in repeated rows or nested queries
* Dashboard Reliability:
* Fixed bugs involving row repeats and "self-referencing" data links
* Fixed a bug preventing single panels from rendering correctly when dashboard variables are referenced
* Alerting Fixes: Patched a critical "panic" (crash) caused by a race
condition in alert rules and fixed issues where contact points weren't
working correctly
* URL Handling: Fixed a bug where "true" values in URL parameters weren't
being read correctly
prometheus-blackbox_exporter:
* Internal changes to fix build issues with no impact for customers
spacecmd:
* Version 5.1.13-0
* Update translation strings
uyuni-tools:
* Version 5.1.26-0
* Fixed applying PTF with images from RPMs (bsc#1252548)
* Ssl Key file can miss if CA password is blank (bsc#1254154)
* mgrpxy ssh tuning should happens before crypto policies (bsc#1254619)
* Fixed default value for helm registry (bsc#1258927).
* Remove hub register command
* Optimize postgres migration disk space usage (bsc#1257447)
* Added continuous database backup support (bsc#1250367)
* Explicitly start proxy pods after operations (bsc#1258015)
* Use static supportconfig name to avoid dynamic search (bsc#1257941)
* Do not nest multiple tarball files and instead collect all files into one
tarball (bsc#1252964)
* Show where final tarball was generated (bsc#1259208)
* Set proxy config file permissions (bsc#1257660)
* Version 5.1.25-0
* If PTF image doesn't exists, use the current service image (bsc#1258418)
## Patch Instructions:
To install this SUSE update use the SUSE recommended installation methods like
YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
* SUSE Multi-Linux Manager Client Tools for SLE 15
zypper in -t patch SUSE-MultiLinuxManagerTools-SLE-15-2026-1524=1
* SUSE Multi-Linux Manager Client Tools for SLE Micro 5
zypper in -t patch SUSE-MultiLinuxManagerTools-SLE-Micro-5-2026-1524=1
## Package List:
* SUSE Multi-Linux Manager Client Tools for SLE 15 (aarch64 ppc64le s390x
x86_64)
* mgrctl-5.1.26-150002.3.12.1
* grafana-11.6.14+security01-150002.4.14.1
* golang-github-prometheus-prometheus-3.5.0-150002.3.8.1
* prometheus-blackbox_exporter-0.26.0-150002.3.6.1
* firewalld-prometheus-config-0.1-150002.3.8.1
* mgrctl-debuginfo-5.1.26-150002.3.12.1
* golang-github-lusitaniae-apache_exporter-debuginfo-1.0.10-150002.3.6.1
* golang-github-lusitaniae-apache_exporter-1.0.10-150002.3.6.1
* grafana-debuginfo-11.6.14+security01-150002.4.14.1
* golang-github-prometheus-prometheus-debuginfo-3.5.0-150002.3.8.1
* SUSE Multi-Linux Manager Client Tools for SLE 15 (noarch)
* mgrctl-bash-completion-5.1.26-150002.3.12.1
* mgrctl-zsh-completion-5.1.26-150002.3.12.1
* mgrctl-lang-5.1.26-150002.3.12.1
* spacecmd-5.1.13-150002.3.9.3
* SUSE Multi-Linux Manager Client Tools for SLE Micro 5 (aarch64 ppc64le s390x
x86_64)
* mgrctl-5.1.26-150002.3.12.1
* mgrctl-debuginfo-5.1.26-150002.3.12.1
* prometheus-blackbox_exporter-0.26.0-150002.3.6.1
* SUSE Multi-Linux Manager Client Tools for SLE Micro 5 (noarch)
* mgrctl-bash-completion-5.1.26-150002.3.12.1
* mgrctl-zsh-completion-5.1.26-150002.3.12.1
* mgrctl-lang-5.1.26-150002.3.12.1
## References:
* https://www.suse.com/security/cve/CVE-2025-13465.html
* https://www.suse.com/security/cve/CVE-2025-3415.html
* https://www.suse.com/security/cve/CVE-2025-61140.html
* https://www.suse.com/security/cve/CVE-2026-1615.html
* https://www.suse.com/security/cve/CVE-2026-21720.html
* https://www.suse.com/security/cve/CVE-2026-21721.html
* https://www.suse.com/security/cve/CVE-2026-21722.html
* https://www.suse.com/security/cve/CVE-2026-21724.html
* https://www.suse.com/security/cve/CVE-2026-21725.html
* https://www.suse.com/security/cve/CVE-2026-25547.html
* https://www.suse.com/security/cve/CVE-2026-26958.html
* https://www.suse.com/security/cve/CVE-2026-27606.html
* https://www.suse.com/security/cve/CVE-2026-27876.html
* https://www.suse.com/security/cve/CVE-2026-27877.html
* https://www.suse.com/security/cve/CVE-2026-27879.html
* https://www.suse.com/security/cve/CVE-2026-28375.html
* https://www.suse.com/security/cve/CVE-2026-33186.html
* https://bugzilla.suse.com/show_bug.cgi?id=1245302
* https://bugzilla.suse.com/show_bug.cgi?id=1250367
* https://bugzilla.suse.com/show_bug.cgi?id=1252548
* https://bugzilla.suse.com/show_bug.cgi?id=1252964
* https://bugzilla.suse.com/show_bug.cgi?id=1254154
* https://bugzilla.suse.com/show_bug.cgi?id=1254619
* https://bugzilla.suse.com/show_bug.cgi?id=1257329
* https://bugzilla.suse.com/show_bug.cgi?id=1257337
* https://bugzilla.suse.com/show_bug.cgi?id=1257349
* https://bugzilla.suse.com/show_bug.cgi?id=1257442
* https://bugzilla.suse.com/show_bug.cgi?id=1257447
* https://bugzilla.suse.com/show_bug.cgi?id=1257660
* https://bugzilla.suse.com/show_bug.cgi?id=1257841
* https://bugzilla.suse.com/show_bug.cgi?id=1257897
* https://bugzilla.suse.com/show_bug.cgi?id=1257941
* https://bugzilla.suse.com/show_bug.cgi?id=1258015
* https://bugzilla.suse.com/show_bug.cgi?id=1258136
* https://bugzilla.suse.com/show_bug.cgi?id=1258418
* https://bugzilla.suse.com/show_bug.cgi?id=1258595
* https://bugzilla.suse.com/show_bug.cgi?id=1258873
* https://bugzilla.suse.com/show_bug.cgi?id=1258893
* https://bugzilla.suse.com/show_bug.cgi?id=1258927
* https://bugzilla.suse.com/show_bug.cgi?id=1259208
* https://bugzilla.suse.com/show_bug.cgi?id=1260263
* https://bugzilla.suse.com/show_bug.cgi?id=1260267
* https://bugzilla.suse.com/show_bug.cgi?id=1260878
* https://bugzilla.suse.com/show_bug.cgi?id=1261025
* https://bugzilla.suse.com/show_bug.cgi?id=1261026
* https://bugzilla.suse.com/show_bug.cgi?id=1261027
* https://bugzilla.suse.com/show_bug.cgi?id=1261029
* https://jira.suse.com/browse/MSQA-1048
* https://jira.suse.com/browse/PED-15474
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.suse.com/pipermail/sle-security-updates/attachments/20260421/10db9d2c/attachment.htm>
More information about the sle-security-updates
mailing list