Security update 5.1.1.1 for Multi-Linux Manager Salt Bundle

Announcement ID:	SUSE-SU-2025:4447-1
Release Date:	2025-12-18T08:50:09Z
Rating:	important
References:	bsc#1227207 bsc#1250520 bsc#1251776 bsc#1252244 bsc#1252285 bsc#1254256 bsc#1254257 jsc#MSQA-1038
Cross-References:	CVE-2025-62348 CVE-2025-62349
CVSS scores:	CVE-2025-62348 ( SUSE ): 7.3 CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N CVE-2025-62348 ( SUSE ): 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2025-62349 ( SUSE ): 7.5 CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N CVE-2025-62349 ( SUSE ): 6.2 CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:L
Affected Products:	SUSE Multi-Linux Manager Client Tools for SLE 15 SUSE Multi-Linux Manager Client Tools for SLE Micro 5

An update that solves two vulnerabilities, contains one feature and has five security fixes can now be installed.

Description:

This update fixes the following issues:

venv-salt-minion:

• Security issues fixed:

• CVE-2025-62349: Added minimum_auth_version to enforce security (bsc#1254257)

• CVE-2025-62348: Fixed Junos module yaml loader (bsc#1254256)

• Backport security fixes for vendored tornado

  • BDSA-2024-3438
  • BDSA-2024-3439
  • BDSA-2024-9026

• Other changes and bugs fixed:

• Fixed TLS and x509 modules for OSes with older cryptography module

• Fixed Salt for Python > 3.11 (bsc#1252285) (bsc#1252244)
  • Use external tornado on Python > 3.11
  • Make tls and x509 to use python-cryptography
  • Remove usage of spwd
• Fixed payload signature verification on Tumbleweed (bsc#1251776)
• Fixed known_hosts error on gitfs (bsc#1250520) (bsc#1227207)

Special Instructions and Notes:

Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

• SUSE Multi-Linux Manager Client Tools for SLE 15
  zypper in -t patch SUSE-MultiLinuxManagerTools-SLE-15-2025-4447=1
• SUSE Multi-Linux Manager Client Tools for SLE Micro 5
  zypper in -t patch SUSE-MultiLinuxManagerTools-SLE-Micro-5-2025-4447=1

Package List:

• SUSE Multi-Linux Manager Client Tools for SLE 15 (aarch64 ppc64le s390x x86_64)
  • venv-salt-minion-3006.0-150002.5.6.1
• SUSE Multi-Linux Manager Client Tools for SLE Micro 5 (aarch64 ppc64le s390x x86_64)
  • venv-salt-minion-3006.0-150002.5.6.1

References:

• https://www.suse.com/security/cve/CVE-2025-62348.html
• https://www.suse.com/security/cve/CVE-2025-62349.html
• https://bugzilla.suse.com/show_bug.cgi?id=1227207
• https://bugzilla.suse.com/show_bug.cgi?id=1250520
• https://bugzilla.suse.com/show_bug.cgi?id=1251776
• https://bugzilla.suse.com/show_bug.cgi?id=1252244
• https://bugzilla.suse.com/show_bug.cgi?id=1252285
• https://bugzilla.suse.com/show_bug.cgi?id=1254256
• https://bugzilla.suse.com/show_bug.cgi?id=1254257
• https://jira.suse.com/browse/MSQA-1038