Security update 5.0.8 for Multi-Linux Manager Client Tools

Announcement ID:	SUSE-SU-2026:2254-1
Release Date:	2026-06-03T14:18:10Z
Rating:	important
References:	bsc#1236516 bsc#1238686 bsc#1248699 bsc#1248707 bsc#1252964 bsc#1254619 bsc#1257941 bsc#1258927 bsc#1259208 bsc#1261810 jsc#ECO-3319 jsc#MSQA-1052 jsc#PED-12485 jsc#PED-7893 jsc#PED-7928
Cross-References:	CVE-2022-21698 CVE-2023-45288 CVE-2025-22870
CVSS scores:	CVE-2022-21698 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2022-21698 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2023-45288 ( SUSE ): 6.9 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N CVE-2023-45288 ( SUSE ): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L CVE-2023-45288 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2025-22870 ( SUSE ): 4.8 CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N CVE-2025-22870 ( SUSE ): 4.4 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:L CVE-2025-22870 ( NVD ): 4.4 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:L
Affected Products:	SUSE Liberty Linux 9.6 EMS SUSE Manager Client Tools for RHEL, Liberty and Clones 9

An update that solves three vulnerabilities, contains five features and has seven security fixes can now be installed.

Description:

This update fixes the following issues:

golang-github-QubitProducts-exporter_exporter:

• Security Fixes:

• CVE-2022-21698: Fixed denial of service using InstrumentHandlerCounter (bsc#1248707)

golang-github-prometheus-node_exporter was updated from version 1.5.0 to 1.10.2:

• Security Fixes:

• Version 1.9.1:

  • CVE-2025-22870: Fixed potential proxy bypass using IPv6 zone IDs (bsc#1238686)

• Version 1.9.0:

  • CVE-2023-45288: Close connections when receiving too many headers (bsc#1236516)

• Highlights of other changes and bug fixes:

• Backward Compatibility and packaging changes:

  • Added compatibility for Go 1.22/1.23 needed in older RHEL toolchains
  • Pinned golang.org/x/net to v0.37.0 for Go 1.22 compatibility

• Version 1.10.2:

  • Fixed typo in Zswap metric name (meminfo)

• Version 1.10.1:

  • Fixed mount points being collected multiple times (filesystem)
  • Refactored mountinfo parsing (bsc#1261810)
  • Added Zswap/Zswapped metrics (meminfo)

• Version 1.10.0:

  • New collectors: PCIe devices, swaps
  • Added systemd virtualization metrics, AIX metrics
  • WiFi packet metrics, additional PCIe and TLB metrics
  • Changed mdadm to use sysfs, added erofs to excluded filesystems
  • Fixed bugs: cpufreq collector, ethtool metrics

• Version 1.9.1:

  • Fixed missing IRQ on older kernels (pressure)

• Version 1.9.0 (jsc#PED-12485):

  • Switched to Go log/slog for logging
  • Converted meminfo to use procfs library
  • New features: filesystem mount info, Btrfs commit stats, interrupt filtering, slabinfo filters, IRQ PSI metrics, hwmon filtering, network interface alias labels, GPU clock frequencies, AIX support,
  • Enhancements: TCP receive queue drop, block device rotational status, CPU online status, performance optimizations
  • Fixed: ZFS integer underflow, CPU pressure on limited systems, dataset name parsing

• Version 1.8.x:

  • Fixed CPU pressure metric collection, CPU seconds on Solaris, pressure collector nil reference

• Version 1.8.0:

  • New collectors: xfrm (IPsec), watchdog
  • Added CPU vulnerability mitigation labels, TCP out-of-order queue metrics, filesystem device error surfacing
  • Removed caching of os-release file modtime/filename
  • Fixed: hwmon nil pointer, ethtool metric sanitization, NetClass data race

• Version 1.7.0 (jsc#PED-7893, jsc#PED-7928):

  • New: CPU vulnerabilities reporting from sysfs
  • Enhancements: parallelized filesystem stat calls, missing link speeds in ethtool, CPU MHz values, qdisc performance, hwmon filtering, rtnetlink for ARP stats
  • Fixed: netdev 32-bit fallback, btrfs handle leaks, NFSd v4 index

• Version 1.6.0:

  • Deprecated ntp and supervisord collectors
  • Removed bcache cache_readaheads_totals metrics
  • Improved offline CPU handling (removed metrics for offline CPUs)
  • New: softirqs collector
  • Enhancements: ZFS zpool states and memory metrics, network interface admin state, CPU frequency governor, reduced btrfs privileges
  • Fixed: perf tracefs detection, thermal zone noise, Linux aarch64 interrupts

prometheus-postgres_exporter:

• Security Fixes:

• CVE-2022-21698: Fixed denial of service using InstrumentHandlerCounter (bsc#1248699)

scap-security-guide:

• Update the SSG package description
• Add SLE16 profiles to the build
• Updated to 0.1.79 (jsc#ECO-3319)
  • Create SLE16 HIPAA profile
  • Create SLE16 PCI DSS 4 profile
  • Use Sequoia in RHEL 10 instead of GPG
  • New Profile for RHEL10: BSI
  • Move RHEL Control files to product files
  • Update RHEL 9 CCN profile
  • Various updates for SLE 12/15

spacecmd:

• Version 5.0.16-0
• Update translation strings

uyuni-tools:

• Version 0.1.39-0
• mgrpxy ssh tuning should happen before crypto policies (bsc#1254619)
• Fix default value for helm registry (bsc#1258927).
• Use static supportconfig name to avoid dynamic search (bsc#1257941)
• Do not nest multiple tarball files and instead collect all files into one tarball (bsc#1252964)
• Show where final tarball was generated (bsc#1259208)

Special Instructions and Notes:

Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

• SUSE Manager Client Tools for RHEL, Liberty and Clones 9
  zypper in -t patch SUSE-EL-9-CLIENT-TOOLS-2026-2254=1

Package List:

• SUSE Manager Client Tools for RHEL, Liberty and Clones 9 (aarch64 ppc64le s390x x86_64)
  • golang-github-QubitProducts-exporter_exporter-debuginfo-0.4.0-1.9.1
  • mgrctl-0.1.39-1.32.1
  • prometheus-postgres_exporter-0.10.1-1.15.1
  • mgrctl-debuginfo-0.1.39-1.32.1
  • golang-github-QubitProducts-exporter_exporter-0.4.0-1.9.1
  • golang-github-QubitProducts-exporter_exporter-debugsource-0.4.0-1.9.1
• SUSE Manager Client Tools for RHEL, Liberty and Clones 9 (aarch64 ppc64le x86_64)
  • golang-github-prometheus-node_exporter-1.10.2-1.12.1
• SUSE Manager Client Tools for RHEL, Liberty and Clones 9 (noarch)
  • mgrctl-zsh-completion-0.1.39-1.32.1
  • mgrctl-bash-completion-0.1.39-1.32.1
  • scap-security-guide-redhat-0.1.80-1.44.1
  • spacecmd-5.0.16-1.61.1

References:

• https://www.suse.com/security/cve/CVE-2022-21698.html
• https://www.suse.com/security/cve/CVE-2023-45288.html
• https://www.suse.com/security/cve/CVE-2025-22870.html
• https://bugzilla.suse.com/show_bug.cgi?id=1236516
• https://bugzilla.suse.com/show_bug.cgi?id=1238686
• https://bugzilla.suse.com/show_bug.cgi?id=1248699
• https://bugzilla.suse.com/show_bug.cgi?id=1248707
• https://bugzilla.suse.com/show_bug.cgi?id=1252964
• https://bugzilla.suse.com/show_bug.cgi?id=1254619
• https://bugzilla.suse.com/show_bug.cgi?id=1257941
• https://bugzilla.suse.com/show_bug.cgi?id=1258927
• https://bugzilla.suse.com/show_bug.cgi?id=1259208
• https://bugzilla.suse.com/show_bug.cgi?id=1261810
• https://jira.suse.com/browse/ECO-3319
• https://jira.suse.com/browse/MSQA-1052
• https://jira.suse.com/browse/PED-12485
• https://jira.suse.com/browse/PED-7893
• https://jira.suse.com/browse/PED-7928