Security update for salt

Announcement ID:	SUSE-SU-2025:21218-1
Release Date:	2025-12-16T08:19:40Z
Rating:	important
References:	bsc#1227207 bsc#1250520 bsc#1250755 bsc#1251776 bsc#1252244 bsc#1252285
Cross-References:	CVE-2025-62348 CVE-2025-62349
CVSS scores:	CVE-2025-62348 ( SUSE ): 7.3 CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N CVE-2025-62348 ( SUSE ): 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2025-62349 ( SUSE ): 7.5 CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N CVE-2025-62349 ( SUSE ): 6.2 CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:L
Affected Products:	SUSE Linux Micro 6.1

An update that solves two vulnerabilities and has four fixes can now be installed.

Description:

This update for salt fixes the following issues:

salt:

• Security issues fixed:

• CVE-2025-62349: Added minimum_auth_version to enforce security (bsc#1254257)

• CVE-2025-62348: Fixed Junos module yaml loader (bsc#1254256)

• Backport security fixes for vendored tornado

  • BDSA-2024-3438
  • BDSA-2024-3439
  • BDSA-2024-9026

• Other changes and bugs fixed:

• Added minion_legacy_req_warnings option to avoid noisy warnings

• Fixed TLS and x509 modules for OSes with older cryptography module
• Fixed Salt for Python > 3.11 (bsc#1252285) (bsc#1252244)
  • Use external tornado on Python > 3.11
  • Make tls and x509 to use python-cryptography
  • Remove usage of spwd
• Fixed payload signature verification on Tumbleweed (bsc#1251776)
• Fixed broken symlink on migration to Leap 16.0 (bsc#1250755)
• Fixed known_hosts error on gitfs (bsc#1250520) (bsc#1227207)
• Fixed functional.states.test_user for SLES 16 and Micro systems
• Fixed the tests failing on AlmaLinux 10 and other clones
• Improved SL Micro 6.2 detection with grains
• Require Python dependencies only for used Python version
• Reverted requirement of M2Crypto >= 0.44.0 for SUSE Family distros
• Set python-CherryPy as required for python-salt-testsuite

Special Instructions and Notes:

Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

• SUSE Linux Micro 6.1
  zypper in -t patch SUSE-SLE-Micro-6.1-350=1

Package List:

• SUSE Linux Micro 6.1 (aarch64 ppc64le s390x x86_64)
  • python311-salt-3006.0-slfo.1.1_5.1
  • salt-transactional-update-3006.0-slfo.1.1_5.1
  • salt-3006.0-slfo.1.1_5.1
  • salt-minion-3006.0-slfo.1.1_5.1

References:

• https://www.suse.com/security/cve/CVE-2025-62348.html
• https://www.suse.com/security/cve/CVE-2025-62349.html
• https://bugzilla.suse.com/show_bug.cgi?id=1227207
• https://bugzilla.suse.com/show_bug.cgi?id=1250520
• https://bugzilla.suse.com/show_bug.cgi?id=1250755
• https://bugzilla.suse.com/show_bug.cgi?id=1251776
• https://bugzilla.suse.com/show_bug.cgi?id=1252244
• https://bugzilla.suse.com/show_bug.cgi?id=1252285