Security update 5.0.6 for Multi-Linux Manager Client Tools, Salt and Salt Bundle

Announcement ID: SUSE-SU-2025:21216-1
Release Date: 2025-12-16T07:23:26Z
Rating: important
References:
Cross-References:
CVSS scores:
  • CVE-2025-62348 ( SUSE ): 7.3 CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
  • CVE-2025-62348 ( SUSE ): 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
  • CVE-2025-62349 ( SUSE ): 7.5 CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N
  • CVE-2025-62349 ( SUSE ): 6.2 CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:L
Affected Products:
  • SUSE Linux Micro 6.0

An update that solves two vulnerabilities and has 26 fixes can now be installed.

Description:

This update fixes the following issues:

salt:

  • Security issues fixed:

  • CVE-2025-62349: Added minimum_auth_version to enforce security (bsc#1254257)

  • CVE-2025-62348: Fixed Junos module yaml loader (bsc#1254256)

  • Backport security fixes for vendored tornado

    • BDSA-2024-3438
    • BDSA-2024-3439
    • BDSA-2024-9026

  • Other changes and bugs fixed:

  • Fixed TLS and x509 modules for OSes with older cryptography module

  • Fixed Salt for Python > 3.11 (bsc#1252285) (bsc#1252244)
    • Use external tornado on Python > 3.11
    • Make tls and x509 to use python-cryptography
    • Remove usage of spwd
  • Fixed payload signature verification on Tumbleweed (bsc#1251776)
  • Fixed broken symlink on migration to Leap 16.0 (bsc#1250755)
  • Fixed known_hosts error on gitfs (bsc#1250520) (bsc#1227207)
  • Fixed functional.states.test_user for SLES 16 and Micro systems
  • Fixed the tests failing on AlmaLinux 10 and other clones
  • Improved SL Micro 6.2 detection with grains
  • Require Python dependencies only for used Python version
  • Reverted requirement of M2Crypto >= 0.44.0 for SUSE Family distros
  • Set python-CherryPy as required for python-salt-testsuite

uyuni-tools:

  • Version 0.1.37-0

  • Added --registry-host, --registry-user and --registry-password to pull images from an authenticate registry

  • Added a lowercase version of --logLevel (bsc#1243611)
  • Added migration for server monitoring configuration (bsc#1247688)
  • Added SLE15SP7 to buildin productmap
  • Adjusted traefik exposed configuration for chart v27+ (bsc#1247721)
  • Automatically get up-to-date systemid file on salt based proxy hosts (bsc#1246789)
  • Check for restorecon presence before calling (bsc#1246925)
  • Convert the traefik install time to local time (bsc#1251138)
  • Deprecated --registry
  • Do not require backups to be at the same location for restoring (bsc#1246906)
  • Do not use sudo when running as a root user (bsc#1246882)
  • Fixed channel override for distro copy
  • Fixed loading product map from mgradm configuration file (bsc#1246068)
  • Fixed recomputing proxy images when installing a ptf or test (bsc#1246553)
  • Handle CA files with symlinks during migration (bsc#1251044)
  • Migrate custom auto installation snippets (bsc#1246320)
  • Run smdba and reindex only during migration (bsc#1244534)
  • Stop executing scripts in temporary folder (bsc#1243704)
  • Support config: collect podman inspect for hub container(bsc#1245099)

  • Use new dedicated path for Cobbler settings (bsc#1244027)

  • Version 0.1.36-0

  • Bump the default image tag to 5.0.5.1

  • Version 0.1.35-0

  • Restore SELinux contexts for restored backup volumes (bsc#1244127)

  • Version 0.1.34-0

  • Fixed mgradm backup create handling of images and systemd files (bsc#1246738)

  • Version 0.1.33-0

  • Restore volumes using tar instead of podman import (bsc#1244127)

  • Version 0.1.32-0

  • Fixed version compare by backport from main (bsc#1246662)

venv-salt-minion:

  • Security issues fixed:

  • CVE-2025-62349: Added minimum_auth_version to enforce security (bsc#1254257)

  • CVE-2025-62348: Fixed Junos module yaml loader (bsc#1254256)

  • Backport security fixes for vendored tornado

    • BDSA-2024-3438
    • BDSA-2024-3439
    • BDSA-2024-9026

  • Other changes and bugs fixed:

  • Added minion_legacy_req_warnings option to avoid noisy warnings

  • Fixed TLS and x509 modules for OSes with older cryptography module

  • Fixed Salt for Python > 3.11 (bsc#1252285) (bsc#1252244)

    • Use external tornado on Python > 3.11
    • Make tls and x509 to use python-cryptography
    • Remove usage of spwd

  • Filter out zero-length check as the empty files are expected there

  • Filter out env-script-interpreter for ssh-id-wrapper as not used with the Salt Bundle, but present inside the salt module
  • Fixed functional.states.test_user for SLES 16 and Micro systems
  • Fixed known_hosts error on gitfs (bsc#1250520) (bsc#1227207)
  • Fixed payload signature verification on Tumbleweed (bsc#1251776)
  • Fixed the tests failing on AlmaLinux 10 and other clones
  • Improve SL Micro 6.2 detection with grains
  • Removed unused activate script (bsc#1245740)
  • Use more strict way to Fixed shebang in the bundle scripts
  • Use versioned python interpreter for salt-ssh

Special Instructions and Notes:

Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

  • SUSE Linux Micro 6.0
    zypper in -t patch SUSE-SLE-Micro-6.0-535=1

Package List:

  • SUSE Linux Micro 6.0 (aarch64 s390x x86_64)
    • salt-3006.0-14.1
    • python311-salt-3006.0-14.1
    • salt-master-3006.0-14.1
    • salt-minion-3006.0-14.1
    • salt-transactional-update-3006.0-14.1

References: