Security update 5.1.2 for Multi-Linux Manager Client Tools

Announcement ID:	SUSE-SU-2026:0628-1
Release Date:	2026-02-25T09:44:32Z
Rating:	important
References:	bsc#1227579 bsc#1247644 bsc#1247721 bsc#1248848 bsc#1249400 bsc#1249532 bsc#1250940 bsc#1250976 bsc#1250981 bsc#1251044 bsc#1251138 bsc#1251995 bsc#1253174 bsc#1253282 bsc#1253347 bsc#1253659 bsc#1253738 bsc#1253966 bsc#1254478 bsc#1255340 bsc#1255588 bsc#1255781 jsc#MSQA-1040 jsc#PED-13824 jsc#PED-14971
Cross-References:	CVE-2025-12816 CVE-2025-68156
CVSS scores:	CVE-2025-12816 ( SUSE ): 8.6 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N CVE-2025-12816 ( NVD ): 8.6 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N CVE-2025-68156 ( SUSE ): 8.7 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N CVE-2025-68156 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2025-68156 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Affected Products:	SUSE Multi-Linux Manager Client Tools for SLE 12

An update that solves two vulnerabilities, contains three features and has 20 security fixes can now be installed.

Description:

This update fixes the following issues:

golang-github-QubitProducts-exporter_exporter:

• Non-customer-facing optimization around source building

golang-github-boynux-squid_exporter:

• Update to version 1.13.0 (jsc#PED-14971)
• Add support for squid-internal-mgr path for metrics.
• Update to version 1.12.0
• Add TLS and basic authentication support for the web interface.
• Update to version 1.11.0
• Allow adding custom labels to all metrics.
• Update to version 1.10.0
• Add ability to configure the exporter using environment variables.
• Add support for Squid 6
• Add squid_up metric
• Add squid_scrape_duration_seconds metric
• Add squid_scrape_error metric
• Update to version 1.9.0
• Add process_open_fds metric to monitor open file descriptors.
• Use CAP_DAC_READ_SEARCH capability to allow reading process information without running as root.
• Update to version 1.8.0
• Add various service time metrics to provide more detailed performance data.
• Update to version 1.7.0
• Add support for basic authentication against the Squid proxy.
• Fix squid_client_http_requests_total metric
• Upstream changes for v1.9.0:
• Use CAP_DAC_READ_SEARCH capability to allow reading process information without running as root.
• Upstream changes for v1.8.0:
• Add various service time metrics to provide more detailed performance data.
• Upstream changes for v1.7.0: Squid proxy.Update to version 1.10.0
• Add ability to configure the exporter using environment variables.
• Add process_open_fds metric to monitor open file descriptors.
• Use CAP_DAC_READ_SEARCH capability to allow reading process information without running as root.
• Add various service time metrics to provide more detailed performance data.
• Add support for basic authentication against the Squid proxy.
• Use current distro go default version. Use auto-versioning on SUSE as well.

golang-github-lusitaniae-apache_exporter:

• Build without apparmor for openSUSE Leap 16, SLES 16 or newer
• Update to version 1.0.10
• Update github.com/prometheus/client_golang to 1.21.1
• Update github.com/prometheus/common to 0.63.0
• Update github.com/prometheus/exporter-toolkit to 0.14.0
• Update to version 1.0.9
• Update github.com/prometheus/client_golang to 1.20.4
• Update github.com/prometheus/common to 0.59.1
• Update github.com/prometheus/exporter-toolkit to 0.13.0
• Migrate logging to log/slog
• Fix signal handler logging

golang-github-prometheus-alertmanager:

• Require gcc11-c++ for building with SLE 12

golang-github-prometheus-node_exporter:

• Require gcc11-c++ for building with SLE 12

golang-github-prometheus-prometheus:

• Security issues fixed:

• CVE-2025-12816: Interpretation conflict vulnerability allowing bypassing cryptographic verifications (bsc#1255588)

• Update to 3.5.0 (jsc#PED-13824): This is a Long-Term Support (LTS) release.

• [FEATURE] Remote-write: Add support for Azure Workload Identity as an authentication method for the receiver.
• [FEATURE] PromQL: Add first_over_time(...) and ts_of_first_over_time(...) behind feature flag.
• [FEATURE] Federation: Add support for native histograms with custom buckets (NHCB).
• [ENHANCEMENT] PromQL: Add warn-level annotations for counter reset conflicts in certain histogram operations.
• [ENHANCEMENT] UI: Add scrape interval and scrape timeout to targets page.
• Update to 3.4.0:
• [FEATURE] SD: Add unified AWS service discovery for ec2, lightsail and ecs services.
• [FEATURE] Native histograms are now a stable, but optional feature.
• [FEATURE] UI: Show detailed relabeling steps for each discovered target.
• [ENHANCEMENT] Alerting: Add "unknown" state for alerting rules that haven't been evaluated yet.
• [BUGFIX] Scrape: Fix a bug where scrape cache would not be cleared on startup.
• Update to 3.3.0:
• [FEATURE] Spring Boot 3.3 includes support for the Prometheus Client 1.x.
• [ENHANCEMENT] Dependency management for Dropwizard Metrics has been removed.
• Update to 3.2.0:
• [FEATURE] OAuth2: support jwt-bearer grant-type (RFC7523 3.1).
• [ENHANCEMENT] PromQL: Reconcile mismatched NHCB bounds in Add and Sub.
• [BUGFIX] TSDB: Native Histogram Custom Bounds with a NaN threshold are now rejected.
• Update to 3.1.0:
• [FEATURE] Remote-write 2 (receiving): Update to 2.0-rc.4 spec. "created timestamp" (CT) is now called "start timestamp" (ST).
• [BUGFIX] Mixin: Add static UID to the remote-write dashboard.
• Update to 3.0.1:
• [BUGFIX] Promql: Make subqueries left open.
• [BUGFIX] Fix memory leak when query log is enabled.
• [BUGFIX] Support utf8 names on /v1/label/:name/values endpoint.
• Update to 3.0.0: This release includes new features such as a brand new UI and UTF-8 support enabled by default.
• [CHANGE] Deprecated feature flags removed.
• [FEATURE] New UI.
• [FEATURE] Remote Write 2.0.
• [FEATURE] OpenTelemetry Support.
• [FEATURE] UTF-8 support is now stable and enabled by default.
• [FEATURE] OTLP Ingestion.
• [FEATURE] Native Histograms.
• [BUGFIX] PromQL: Fix count_values for histograms.
• [BUGFIX] TSDB: Fix race on stale values in headAppender.
• [BUGFIX] UI: Fix selector / series formatting for empty metric names.
• Update to 2.55.0:
• [FEATURE] PromQL: Add last_over_time function.
• [FEATURE] Agent: Add prometheus_agent_build_info metric.
• [ENHANCEMENT] PromQL: Optimise group() and group by().
• [ENHANCEMENT] TSDB: Reduce memory usage when loading blocks.
• [BUGFIX] Scrape: Fix a bug where a target could be scraped multiple times.
• Update to 2.54.0: This release brings a release candidate of a major new version of Remote Write: 2.0.
• [CHANGE] Remote-Write: highest_timestamp_in_seconds and queue_highest_sent_timestamp_seconds metrics now initialized to 0.
• [CHANGE] API: Split warnings from info annotations in API response.
• [FEATURE] Remote-Write: Version 2.0 experimental, plus metadata in WAL via feature flag.
• [FEATURE] PromQL: add limitk() and limit_ratio() aggregation operators.
• [ENHANCEMENT] PromQL: Accept underscores in literal numbers.
• [ENHANCEMENT] PromQL: float literal numbers and durations are now interchangeable (experimental).
• [ENHANCEMENT] PromQL (experimental native histograms): Optimize histogram_count and histogram_sum functions.
• [BUGFIX] PromQL: Fix various issues with native histograms.
• [BUGFIX] OTLP receiver: Allow colons in non-standard units.
• Require gcc11-c++ for building with SLE 12

grafana:

• CVE-2025-68156: Fix potential DoS via unbounded recursion in builtin functions (bsc#1255340)

mgr-push:

• Version 5.1.5-0
• Non-customer-facing optimization and update

prometheus-blackbox_exporter:

• Non-customer-facing optimization and update

rhnlib:

• Version 5.1.4-0
• Non-customer-facing optimization and update

spacecmd:

• Version 5.1.12-0
• Fix spacecmd binary file upload (bsc#1253659)
• Fix typo in spacecmd help ca-cert flag (bsc#1253174)
• Convert cached IDs to int (bsc#1251995)
• Fix methods in api namespace in spacecmd (bsc#1249532)
• Make caching code Py 2.7 compatible
• Use JSON instead of pickle for spacecmd cache (bsc#1227579)
• Python 2.7 cannot re-raise exceptions

spacewalk-client-tools:

• Version 5.1.8-0
• Non-customer-facing optimization and update

supportutils-plugin-susemanager-client:

• Version 5.1.5-0
• Non-customer-facing optimization and update

uyuni-common-libs:

• Version 5.1.5-0
• Non-customer-facing optimization and update

uyuni-tools:

• Version 5.1.24-0
• Actually use the --dbupgrade-tag parameter when computing the image URL (bsc#1249400)
• Handle CA files with symlinks during migration (bsc#1251044)
• Adjust traefik exposed configuration for chart v27+ (bsc#1247721)
• Fix systemd object initialization in server rename. (bsc#1250981)
• Add SSL secrets to the db setup container during migration. (bsc#1250976)
• Fix images handling in mgrpxy support ptf (bsc#1250940)
• Fix helm upgrade parameters (bsc#1253966)
• Detect custom apache and squid config in the /etc/uyuni/proxy folder
• Add ssh tuning to configure sshd (bsc#1253738)
• Move the SSL checks at the beginning of the migration
• Remove cgroup mount for podman containers (bsc#1253347)
• Convert the traefik install time to local time (bsc#1251138)
• During migration, krb5.conf.d should be copied in /etc/rhn (bsc#1254478)
• Read env var from http conf file (bsc#1253282)
• Add --registry-host, --registry-user and --registry-password to pull images from an authenticate registry
• Deprecate --registry
• Unify backup create and restore dryrun option case
• Fix calling of squid -z in mgrpxy cache clear (bsc#1247644)
• Always start database container even if enabled
• Remove extra ipv6 mapping and nftables workaround (bsc#1248848)
• Remove old PostgreSQL exporter environment file before migration
• Support config command parse correctly supportconfig output (bsc#1255781)

Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

• SUSE Multi-Linux Manager Client Tools for SLE 12
  zypper in -t patch SUSE-MultiLinuxManagerTools-SLE-12-2026-628=1

Package List:

• SUSE Multi-Linux Manager Client Tools for SLE 12 (aarch64 ppc64le s390x x86_64)
  • golang-github-boynux-squid_exporter-1.13.0-120002.3.3.1
  • grafana-11.5.10-120002.4.9.1
  • golang-github-boynux-squid_exporter-debuginfo-1.13.0-120002.3.3.1
  • grafana-debuginfo-11.5.10-120002.4.9.1
  • golang-github-prometheus-prometheus-debuginfo-3.5.0-120002.3.3.1
  • golang-github-QubitProducts-exporter_exporter-0.4.0-120002.3.3.1
  • golang-github-prometheus-node_exporter-debuginfo-1.9.1-120002.3.3.1
  • golang-github-prometheus-node_exporter-1.9.1-120002.3.3.1
  • golang-github-prometheus-prometheus-3.5.0-120002.3.3.1
  • golang-github-lusitaniae-apache_exporter-1.0.10-120002.3.3.1
  • golang-github-lusitaniae-apache_exporter-debuginfo-1.0.10-120002.3.3.1
  • mgrctl-5.1.24-120002.3.9.1
  • prometheus-blackbox_exporter-debuginfo-0.26.0-120002.3.3.1
  • golang-github-prometheus-alertmanager-0.28.1-120002.4.6.1
  • prometheus-blackbox_exporter-0.26.0-120002.3.3.1
  • golang-github-prometheus-alertmanager-debuginfo-0.28.1-120002.4.6.1
  • python2-uyuni-common-libs-5.1.5-120002.3.3.1
• SUSE Multi-Linux Manager Client Tools for SLE 12 (noarch)
  • spacewalk-client-tools-5.1.8-120002.3.6.1
  • python2-rhnlib-5.1.4-120002.3.6.1
  • spacecmd-5.1.12-120002.3.6.1
  • supportutils-plugin-susemanager-client-5.1.5-120002.3.6.1
  • mgr-push-5.1.5-120002.3.6.1
  • python2-mgr-push-5.1.5-120002.3.6.1
  • python2-spacewalk-client-tools-5.1.8-120002.3.6.1
  • mgrctl-lang-5.1.24-120002.3.9.1
  • mgrctl-bash-completion-5.1.24-120002.3.9.1
  • mgrctl-zsh-completion-5.1.24-120002.3.9.1

References:

• https://www.suse.com/security/cve/CVE-2025-12816.html
• https://www.suse.com/security/cve/CVE-2025-68156.html
• https://bugzilla.suse.com/show_bug.cgi?id=1227579
• https://bugzilla.suse.com/show_bug.cgi?id=1247644
• https://bugzilla.suse.com/show_bug.cgi?id=1247721
• https://bugzilla.suse.com/show_bug.cgi?id=1248848
• https://bugzilla.suse.com/show_bug.cgi?id=1249400
• https://bugzilla.suse.com/show_bug.cgi?id=1249532
• https://bugzilla.suse.com/show_bug.cgi?id=1250940
• https://bugzilla.suse.com/show_bug.cgi?id=1250976
• https://bugzilla.suse.com/show_bug.cgi?id=1250981
• https://bugzilla.suse.com/show_bug.cgi?id=1251044
• https://bugzilla.suse.com/show_bug.cgi?id=1251138
• https://bugzilla.suse.com/show_bug.cgi?id=1251995
• https://bugzilla.suse.com/show_bug.cgi?id=1253174
• https://bugzilla.suse.com/show_bug.cgi?id=1253282
• https://bugzilla.suse.com/show_bug.cgi?id=1253347
• https://bugzilla.suse.com/show_bug.cgi?id=1253659
• https://bugzilla.suse.com/show_bug.cgi?id=1253738
• https://bugzilla.suse.com/show_bug.cgi?id=1253966
• https://bugzilla.suse.com/show_bug.cgi?id=1254478
• https://bugzilla.suse.com/show_bug.cgi?id=1255340
• https://bugzilla.suse.com/show_bug.cgi?id=1255588
• https://bugzilla.suse.com/show_bug.cgi?id=1255781
• https://jira.suse.com/browse/MSQA-1040
• https://jira.suse.com/browse/PED-13824
• https://jira.suse.com/browse/PED-14971