Security update 5.0.7 for Multi-Linux Manager Client Tools

Announcement ID:	SUSE-SU-2026:1013-1
Release Date:	2026-03-25T10:12:04Z
Rating:	important
References:	bsc#1245302 bsc#1251995 bsc#1253004 bsc#1253174 bsc#1253347 bsc#1253659 bsc#1253738 bsc#1254589 bsc#1255340 bsc#1255588 bsc#1255781 bsc#1256803 bsc#1257329 bsc#1257337 bsc#1257349 bsc#1257442 bsc#1257841 bsc#1257897 bsc#1257941 bsc#1258136 bsc#1258893 jsc#MSQA-1045 jsc#PED-13824 jsc#PED-14971
Cross-References:	CVE-2025-12816 CVE-2025-13465 CVE-2025-3415 CVE-2025-61140 CVE-2025-68156 CVE-2026-1615 CVE-2026-21720 CVE-2026-21721 CVE-2026-21722 CVE-2026-25547 CVE-2026-27606
CVSS scores:	CVE-2025-12816 ( SUSE ): 8.6 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N CVE-2025-12816 ( NVD ): 8.6 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N CVE-2025-13465 ( SUSE ): 8.8 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:H/SC:N/SI:N/SA:N CVE-2025-13465 ( SUSE ): 8.2 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H CVE-2025-13465 ( NVD ): 6.9 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:H/SI:H/SA:H/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X CVE-2025-13465 ( NVD ): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N CVE-2025-3415 ( SUSE ): 5.3 CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N CVE-2025-3415 ( SUSE ): 4.3 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N CVE-2025-3415 ( NVD ): 4.3 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N CVE-2025-61140 ( SUSE ): 9.2 CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N CVE-2025-61140 ( SUSE ): 8.1 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H CVE-2025-61140 ( NVD ): 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVE-2025-68156 ( SUSE ): 8.7 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N CVE-2025-68156 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2025-68156 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2026-1615 ( SUSE ): 8.2 CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X CVE-2026-1615 ( SUSE ): 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVE-2026-1615 ( NVD ): 8.2 CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X CVE-2026-1615 ( NVD ): 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVE-2026-21720 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2026-21720 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2026-21721 ( SUSE ): 8.6 CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N CVE-2026-21721 ( SUSE ): 8.1 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N CVE-2026-21721 ( NVD ): 8.1 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N CVE-2026-21722 ( SUSE ): 6.9 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N CVE-2026-21722 ( SUSE ): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N CVE-2026-21722 ( NVD ): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N CVE-2026-25547 ( SUSE ): 8.7 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N CVE-2026-25547 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2026-25547 ( NVD ): 9.2 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X CVE-2026-27606 ( SUSE ): 8.7 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N CVE-2026-27606 ( SUSE ): 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H CVE-2026-27606 ( NVD ): 8.8 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X CVE-2026-27606 ( NVD ): 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Affected Products:	openSUSE Leap 15.3 openSUSE Leap 15.4 openSUSE Leap 15.5 openSUSE Leap 15.6 SUSE Linux Enterprise Desktop 15 SUSE Linux Enterprise Desktop 15 SP1 SUSE Linux Enterprise Desktop 15 SP2 SUSE Linux Enterprise Desktop 15 SP3 SUSE Linux Enterprise Desktop 15 SP4 SUSE Linux Enterprise Desktop 15 SP5 SUSE Linux Enterprise Desktop 15 SP6 SUSE Linux Enterprise Desktop 15 SP7 SUSE Linux Enterprise High Performance Computing 15 SUSE Linux Enterprise High Performance Computing 15 SP1 SUSE Linux Enterprise High Performance Computing 15 SP2 SUSE Linux Enterprise High Performance Computing 15 SP3 SUSE Linux Enterprise High Performance Computing 15 SP4 SUSE Linux Enterprise High Performance Computing 15 SP5 SUSE Linux Enterprise Micro 5.0 SUSE Linux Enterprise Micro 5.1 SUSE Linux Enterprise Micro 5.2 SUSE Linux Enterprise Micro 5.3 SUSE Linux Enterprise Micro 5.4 SUSE Linux Enterprise Micro 5.5 SUSE Linux Enterprise Real Time 15 SP1 SUSE Linux Enterprise Real Time 15 SP2 SUSE Linux Enterprise Real Time 15 SP3 SUSE Linux Enterprise Real Time 15 SP4 SUSE Linux Enterprise Real Time 15 SP5 SUSE Linux Enterprise Real Time 15 SP6 SUSE Linux Enterprise Real Time 15 SP7 SUSE Linux Enterprise Server 15 SUSE Linux Enterprise Server 15 SP1 SUSE Linux Enterprise Server 15 SP2 SUSE Linux Enterprise Server 15 SP3 SUSE Linux Enterprise Server 15 SP4 SUSE Linux Enterprise Server 15 SP5 SUSE Linux Enterprise Server 15 SP6 SUSE Linux Enterprise Server 15 SP7 SUSE Linux Enterprise Server for SAP Applications 15 SUSE Linux Enterprise Server for SAP Applications 15 SP1 SUSE Linux Enterprise Server for SAP Applications 15 SP2 SUSE Linux Enterprise Server for SAP Applications 15 SP3 SUSE Linux Enterprise Server for SAP Applications 15 SP4 SUSE Linux Enterprise Server for SAP Applications 15 SP5 SUSE Linux Enterprise Server for SAP Applications 15 SP6 SUSE Linux Enterprise Server for SAP Applications 15 SP7 SUSE Manager Client Tools for SLE 15 SUSE Manager Client Tools for SLE Micro 5 SUSE Package Hub 15 15-SP7

An update that solves 11 vulnerabilities, contains three features and has 10 security fixes can now be installed.

Description:

This update fixes the following issues:

dracut-saltboot:

• Version update to 1.1.0:

• Retry DHCP requests up to 3 times (bsc#1253004)

golang-github-QubitProducts-exporter_exporter:

• Non-customer-facing optimization and update

golang-github-boynux-squid_exporter:

• Version update from 1.6.0 to 1.13.0 with the following highlighted changes and fixes (jsc#PED-14971):

• Added compatibility for Squid 6 and support for the squid-internal-mgr metrics path

• Added TLS and Basic Authentication to the exporter’s web interface
• Added support for the exporter to authenticate against the Squid proxy itself
• Allow the gathering of process information without requiring root privileges
• The exporter can now be configured using environment variables
• Added support for custom labels to all exported metrics for better data filtering
• New metrics to track if Squid is running (squid_up), how long a scrape takes, and if any errors occurred
• Added "service time" metrics to analyze proxy speed and performance.
• Added a metric for open file descriptors (process_open_fds) to help prevent connection bottlenecks
• Corrected the squid_client_http_requests_total metric to ensure accurate reporting

golang-github-lusitaniae-apache_exporter:

• Version update from 1.0.8 to 1.0.10:

• Updated github.com/prometheus/client_golang to 1.21.1

• Updated github.com/prometheus/common to 0.63.0
• Updated github.com/prometheus/exporter-toolkit to 0.14.0
• Fixed signal handler logging

golang-github-prometheus-prometheus:

• Security issues fixed:

• CVE-2026-27606: Fixed arbitrary file write via path traversal in rollup (bsc#1258893)

• CVE-2026-25547: Fixed unbounded brace range expansion leading to excessive CPU and memory consumption (bsc#1257841)
• CVE-2026-1615, CVE-2025-61140 The old web UI is no longer built due to security issues (bsc#1257897, bsc#1257442)
• CVE-2025-13465: Bump lodash package to version 4.17.23 to fix prototype pollution vulnerability (bsc#1257329)

• CVE-2025-12816: Interpretation conflict vulnerability allowing bypassing cryptographic verifications (bsc#1255588)

• Version update from 2.53.4 to 3.5.0 with the following highlighted changes (jsc#PED-13824):

• Modernized Interface: Introduced a brand-new UI

• Enhanced Cloud and Auth: Added unified AWS service discovery (EC2, ECS, Lightsail) and Azure Workload Identity support for more secure, native cloudauthentication.
• Performance Standards: Fully integrated OpenTelemetry (OTLP) ingestion and moved Native Histograms from experimental to a stable feature.
• Advanced Data Export: Rolled out Remote Write 2.0, offering better performance and metadata handling when sending data to external systems.
• Query Power: Added new PromQL functions (like first_over_time and last_over_time) and optimization for grouping operations
• Better Visibility: The UI now displays detailed relabeling steps, scrape intervals, and timeouts, making it easier to troubleshoot why targets aren't reporting correctly.
• Critical Fixes: Resolved significant memory leaks related to query logging and fixed bugs where targets were accidentally being scraped multiple times

grafana:

• Security issues fixed:

• CVE-2026-21722: Public dashboards annotations: use dashboard timerange if time selection disabled (bsc#1258136)

• CVE-2026-21721: Fixed access control by the dashboard permissions API (bsc#1257337)
• CVE-2026-21720: Fixed unauthenticated DoS (bsc#1257349)
• CVE-2025-68156: Fixed potential DoS via unbounded recursion in builtin functions (bsc#1255340)

• CVE-2025-3415: Fixedexposure of DingDing alerting integration URL to Viewer level users (bsc#1245302)

• Version update from 11.5.10 to 11.6.11 with the following highlighted changes and fixes:

• Performance Boost: Introduced WebGL-powered geomaps for smoother map visualizations and removed blurred backgrounds from UI overlays to speed up the interface

• One-Click Actions: Visualizations now support faster navigation via one-click links and actions
• Alerting History: Added version history for alert rules, allowing you to track changes over time
• Service Accounts: Automated the migration of old API keys to more secure Service Accounts upon startup
• Cron Support: Annotations now support Cron syntax for more flexible scheduling
• Identity and Auth: Hardened the Avatar feature (now requires sign-in) and fixed several login redirection issues when Grafana is hosted on a subpath
• Data Source Support: Added support for Cloud Partner Prometheus data sources and improved Azure legend formatting
• Alerting Limits: Added size limits for expanded notification templates to prevent system strain
• RBAC: Integrated Role-Based Access Control (RBAC) into the Alertmanager via the reqAction field
• Data Consistency: Fixed several issues with Graphite and InfluxDB regarding how variables are handled in repeated rows or nested queries
• Dashboard Reliability: Resolved bugs involving row repeats and "self-referencing" data links
• Alerting Fixes: Patched a critical "panic" (crash) caused by a race condition in alert rules and fixed issues where contact points weren't working correctly
• URL Handling: Fixed a bug where "true" values in URL parameters weren't being read correctly

prometheus-blackbox_exporter:

• Non-customer-facing optimization and update

spacecmd:

• Version update to 5.0.15:

• Fixed typo in spacecmd help ca-cert flag (bsc#1253174)

• Convert cached IDs to integer values (bsc#1251995)
• Fixed spacecmd binary file upload (bsc#1253659)

uyuni-tools:

• Version update to 0.1.38:

• Fixed cobbler configuration when migrating to standalone files (bsc#1256803)

• Detect custom apache and squid config in the /etc/uyuni/proxy folder
• Add ssh tuning to configure sshd (bsc#1253738)
• Ignore supportconfig errors (bsc#1255781)
• Bumped the default image tag to 5.0.7
• Removed cgroup mount for podman containers (bsc#1253347)
• Registry flag can be a string (bsc#1254589)
• Use static supportconfig name to avoid dynamic search (bsc#1257941)

Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

• SUSE Manager Client Tools for SLE 15
  zypper in -t patch SUSE-SLE-Manager-Tools-15-2026-1013=1
• SUSE Manager Client Tools for SLE Micro 5
  zypper in -t patch SUSE-SLE-Manager-Tools-For-Micro-5-2026-1013=1
• SUSE Package Hub 15 15-SP7
  zypper in -t patch SUSE-SLE-Module-Packagehub-Subpackages-15-SP7-2026-1013=1
• openSUSE Leap 15.6
  zypper in -t patch openSUSE-SLE-15.6-2026-1013=1

Package List:

• SUSE Manager Client Tools for SLE 15 (noarch)
  • mgrctl-lang-0.1.38-150000.1.30.1
  • mgrctl-zsh-completion-0.1.38-150000.1.30.1
  • mgrctl-bash-completion-0.1.38-150000.1.30.1
  • dracut-saltboot-1.1.0-150000.1.65.1
  • spacecmd-5.0.15-150000.3.142.1
• SUSE Manager Client Tools for SLE 15 (aarch64 ppc64le s390x x86_64)
  • golang-github-boynux-squid_exporter-debuginfo-1.13.0-150000.1.12.1
  • golang-github-QubitProducts-exporter_exporter-0.4.0-150000.1.21.1
  • grafana-11.6.11-150000.1.90.1
  • grafana-debuginfo-11.6.11-150000.1.90.1
  • mgrctl-debuginfo-0.1.38-150000.1.30.1
  • golang-github-boynux-squid_exporter-1.13.0-150000.1.12.1
  • firewalld-prometheus-config-0.1-150000.3.67.1
  • golang-github-prometheus-prometheus-3.5.0-150000.3.67.1
  • mgrctl-0.1.38-150000.1.30.1
  • golang-github-lusitaniae-apache_exporter-1.0.10-150000.1.26.1
  • golang-github-lusitaniae-apache_exporter-debuginfo-1.0.10-150000.1.26.1
  • prometheus-blackbox_exporter-0.26.0-150000.1.30.2
• SUSE Manager Client Tools for SLE Micro 5 (noarch)
  • dracut-saltboot-1.1.0-150000.1.65.1
  • mgrctl-bash-completion-0.1.38-150000.1.30.1
  • mgrctl-lang-0.1.38-150000.1.30.1
  • mgrctl-zsh-completion-0.1.38-150000.1.30.1
• SUSE Manager Client Tools for SLE Micro 5 (aarch64 s390x x86_64)
  • golang-github-QubitProducts-exporter_exporter-0.4.0-150000.1.21.1
  • mgrctl-debuginfo-0.1.38-150000.1.30.1
  • mgrctl-0.1.38-150000.1.30.1
  • prometheus-blackbox_exporter-0.26.0-150000.1.30.2
• SUSE Package Hub 15 15-SP7 (aarch64 ppc64le s390x x86_64)
  • golang-github-prometheus-promu-debuginfo-0.17.0-150000.3.30.1
  • golang-github-prometheus-promu-0.17.0-150000.3.30.1
• openSUSE Leap 15.6 (noarch)
  • dracut-saltboot-1.1.0-150000.1.65.1
  • spacecmd-5.0.15-150000.3.142.1
• openSUSE Leap 15.6 (aarch64 ppc64le s390x x86_64)
  • golang-github-boynux-squid_exporter-debuginfo-1.13.0-150000.1.12.1
  • golang-github-QubitProducts-exporter_exporter-0.4.0-150000.1.21.1
  • golang-github-boynux-squid_exporter-1.13.0-150000.1.12.1
  • golang-github-lusitaniae-apache_exporter-1.0.10-150000.1.26.1
  • golang-github-lusitaniae-apache_exporter-debuginfo-1.0.10-150000.1.26.1
  • prometheus-blackbox_exporter-0.26.0-150000.1.30.2
  • golang-github-prometheus-promu-0.17.0-150000.3.30.1

References:

• https://www.suse.com/security/cve/CVE-2025-12816.html
• https://www.suse.com/security/cve/CVE-2025-13465.html
• https://www.suse.com/security/cve/CVE-2025-3415.html
• https://www.suse.com/security/cve/CVE-2025-61140.html
• https://www.suse.com/security/cve/CVE-2025-68156.html
• https://www.suse.com/security/cve/CVE-2026-1615.html
• https://www.suse.com/security/cve/CVE-2026-21720.html
• https://www.suse.com/security/cve/CVE-2026-21721.html
• https://www.suse.com/security/cve/CVE-2026-21722.html
• https://www.suse.com/security/cve/CVE-2026-25547.html
• https://www.suse.com/security/cve/CVE-2026-27606.html
• https://bugzilla.suse.com/show_bug.cgi?id=1245302
• https://bugzilla.suse.com/show_bug.cgi?id=1251995
• https://bugzilla.suse.com/show_bug.cgi?id=1253004
• https://bugzilla.suse.com/show_bug.cgi?id=1253174
• https://bugzilla.suse.com/show_bug.cgi?id=1253347
• https://bugzilla.suse.com/show_bug.cgi?id=1253659
• https://bugzilla.suse.com/show_bug.cgi?id=1253738
• https://bugzilla.suse.com/show_bug.cgi?id=1254589
• https://bugzilla.suse.com/show_bug.cgi?id=1255340
• https://bugzilla.suse.com/show_bug.cgi?id=1255588
• https://bugzilla.suse.com/show_bug.cgi?id=1255781
• https://bugzilla.suse.com/show_bug.cgi?id=1256803
• https://bugzilla.suse.com/show_bug.cgi?id=1257329
• https://bugzilla.suse.com/show_bug.cgi?id=1257337
• https://bugzilla.suse.com/show_bug.cgi?id=1257349
• https://bugzilla.suse.com/show_bug.cgi?id=1257442
• https://bugzilla.suse.com/show_bug.cgi?id=1257841
• https://bugzilla.suse.com/show_bug.cgi?id=1257897
• https://bugzilla.suse.com/show_bug.cgi?id=1257941
• https://bugzilla.suse.com/show_bug.cgi?id=1258136
• https://bugzilla.suse.com/show_bug.cgi?id=1258893
• https://jira.suse.com/browse/MSQA-1045
• https://jira.suse.com/browse/PED-13824
• https://jira.suse.com/browse/PED-14971