Security update 5.0.8 for Multi-Linux Manager Salt Bundle

Announcement ID:	SUSE-SU-2026:2244-1
Release Date:	2026-06-03T14:11:48Z
Rating:	important
References:	bsc#1254629 bsc#1254900 bsc#1257583 bsc#1257831 bsc#1258957 bsc#1259554 bsc#1259700 bsc#1259804 bsc#1259808 jsc#MSQA-1052
Cross-References:	CVE-2026-27448 CVE-2026-27459 CVE-2026-31958
CVSS scores:	CVE-2026-27448 ( SUSE ): 6.3 CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N CVE-2026-27448 ( SUSE ): 3.7 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N CVE-2026-27448 ( NVD ): 1.7 CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X CVE-2026-27448 ( NVD ): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N CVE-2026-27459 ( SUSE ): 8.3 CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:L/VA:H/SC:N/SI:N/SA:N CVE-2026-27459 ( SUSE ): 7.0 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:H CVE-2026-27459 ( NVD ): 7.2 CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X CVE-2026-27459 ( NVD ): 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVE-2026-31958 ( SUSE ): 8.7 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N CVE-2026-31958 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2026-31958 ( NVD ): 8.7 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X CVE-2026-31958 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Affected Products:	openSUSE Leap 15.3 openSUSE Leap 15.4 openSUSE Leap 15.5 openSUSE Leap 15.6 SUSE Linux Enterprise Desktop 15 SUSE Linux Enterprise Desktop 15 SP1 SUSE Linux Enterprise Desktop 15 SP2 SUSE Linux Enterprise Desktop 15 SP3 SUSE Linux Enterprise Desktop 15 SP4 SUSE Linux Enterprise Desktop 15 SP5 SUSE Linux Enterprise Desktop 15 SP6 SUSE Linux Enterprise Desktop 15 SP7 SUSE Linux Enterprise High Performance Computing 15 SUSE Linux Enterprise High Performance Computing 15 SP1 SUSE Linux Enterprise High Performance Computing 15 SP2 SUSE Linux Enterprise High Performance Computing 15 SP3 SUSE Linux Enterprise High Performance Computing 15 SP4 SUSE Linux Enterprise High Performance Computing 15 SP5 SUSE Linux Enterprise Micro 5.0 SUSE Linux Enterprise Micro 5.1 SUSE Linux Enterprise Micro 5.2 SUSE Linux Enterprise Micro 5.3 SUSE Linux Enterprise Micro 5.4 SUSE Linux Enterprise Micro 5.5 SUSE Linux Enterprise Real Time 15 SP1 SUSE Linux Enterprise Real Time 15 SP2 SUSE Linux Enterprise Real Time 15 SP3 SUSE Linux Enterprise Real Time 15 SP4 SUSE Linux Enterprise Real Time 15 SP5 SUSE Linux Enterprise Real Time 15 SP6 SUSE Linux Enterprise Real Time 15 SP7 SUSE Linux Enterprise Server 15 SUSE Linux Enterprise Server 15 SP1 SUSE Linux Enterprise Server 15 SP2 SUSE Linux Enterprise Server 15 SP3 SUSE Linux Enterprise Server 15 SP4 SUSE Linux Enterprise Server 15 SP5 SUSE Linux Enterprise Server 15 SP6 SUSE Linux Enterprise Server 15 SP7 SUSE Linux Enterprise Server for SAP Applications 15 SUSE Linux Enterprise Server for SAP Applications 15 SP1 SUSE Linux Enterprise Server for SAP Applications 15 SP2 SUSE Linux Enterprise Server for SAP Applications 15 SP3 SUSE Linux Enterprise Server for SAP Applications 15 SP4 SUSE Linux Enterprise Server for SAP Applications 15 SP5 SUSE Linux Enterprise Server for SAP Applications 15 SP6 SUSE Linux Enterprise Server for SAP Applications 15 SP7 SUSE Manager Client Tools for SLE 15 SUSE Manager Client Tools for SLE Micro 5

An update that solves three vulnerabilities, contains one feature and has six security fixes can now be installed.

Description:

This update fixes the following issues:

venv-salt-minion:

• Security issues fixed:

• CVE-2026-31958: tornado: Fixed parsing large multipart bodies with many parts can cause a denial of service (bsc#1259554)

• CVE-2026-27459: pyOpenSSL: Fixed issue with large cookie value that can lead to a buffer overflow (bsc#1259808)

• CVE-2026-27448: pyOpenSSL: Fixed unhandled exception can result in connection not being cancelled (bsc#1259804)

• Other updates and bugfixes:

• Use non vendored Tornado with Python 3.11 (bsc#1257583, bsc#1259700)

• Hardened Tornado from invalid HTTP reason phrases
• Read full URI from ldap pillar config (bsc#1254900)
• Make users with backslash work for salt-ssh (bsc#1254629).
• Fixed ansible.playbooks extra-vars quoting (bsc#1257831),
• Fixed virtualenv call in test helper to use proper Python version.
• Fixed the issue preventing SELinux profile to be loaded on SLES 16 deployed using cloud images (bsc#1258957)

Special Instructions and Notes:

Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

• SUSE Manager Client Tools for SLE Micro 5
  zypper in -t patch SUSE-SLE-Manager-Tools-For-Micro-5-2026-2244=1
• SUSE Manager Client Tools for SLE 15
  zypper in -t patch SUSE-SLE-Manager-Tools-15-2026-2244=1

Package List:

• SUSE Manager Client Tools for SLE Micro 5 (aarch64 s390x x86_64)
  • venv-salt-minion-3006.0-150000.3.95.1
• SUSE Manager Client Tools for SLE 15 (aarch64 ppc64le s390x x86_64)
  • venv-salt-minion-3006.0-150000.3.95.1

References:

• https://www.suse.com/security/cve/CVE-2026-27448.html
• https://www.suse.com/security/cve/CVE-2026-27459.html
• https://www.suse.com/security/cve/CVE-2026-31958.html
• https://bugzilla.suse.com/show_bug.cgi?id=1254629
• https://bugzilla.suse.com/show_bug.cgi?id=1254900
• https://bugzilla.suse.com/show_bug.cgi?id=1257583
• https://bugzilla.suse.com/show_bug.cgi?id=1257831
• https://bugzilla.suse.com/show_bug.cgi?id=1258957
• https://bugzilla.suse.com/show_bug.cgi?id=1259554
• https://bugzilla.suse.com/show_bug.cgi?id=1259700
• https://bugzilla.suse.com/show_bug.cgi?id=1259804
• https://bugzilla.suse.com/show_bug.cgi?id=1259808
• https://jira.suse.com/browse/MSQA-1052