Security update 4.3.16.1 SUSE Manager Server and Proxy 4.3 LTS

Announcement ID:	SUSE-SU-2025:3826-1
Release Date:	2025-10-28T07:26:47Z
Rating:	important
References:	bsc#1227577 bsc#1246277 bsc#1246439 bsc#1250911 jsc#MSQA-1026
Cross-References:	CVE-2025-53880 CVE-2025-53883
CVSS scores:	CVE-2025-53880 ( SUSE ): 8.7 CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N CVE-2025-53880 ( SUSE ): 8.8 CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Affected Products:	SUSE Manager Proxy 4.3 SUSE Manager Proxy 4.3 LTS SUSE Manager Retail Branch Server 4.3 SUSE Manager Server 4.3 SUSE Manager Server 4.3 LTS

An update that solves two vulnerabilities, contains one feature and has two security fixes can now be installed.

Security update 4.3.16.1 for SUSE Manager Proxy and Retail Branch 4.3 LTS

Description:

This update fixes the following issues:

susemanager-build-keys:

• Update SUSE GPG key and make it available for Salt (bsc#1250911)

susemanager-tftpsync-recv:

• Version 4.3.11-0 with security fix:
• CVE-2025-53880: Sanitize path in sync-proxy script (bsc#1246277)

rhnlib:

• Version 4.3.7-0:
• Use more secure defusedxml parser (bsc#1227577)

spacewalk-backend:

• Version 4.3.34-0:
• Use more secure defusedxml parser (bsc#1227577)

spacewalk-web:

• Version 4.3.46-0:
• Bumped the WebUI version to 4.3.16.1

proxy-helm, proxy-httpd-image, proxy-salt-broker-image, proxy-squid-image, proxy-ssh-image, proxy-tftpd-image:

• Images rebuilt to the newest version with updated dependencies

How to apply this update:

1. Log in as root user to the SUSE Multi-Linux Manager Proxy or Retail Branch Server.
2. Stop the proxy service: spacewalk-proxy stop
3. Apply the patch using either zypper patch or YaST Online Update.
4. Start the Spacewalk service: spacewalk-proxy start

Security update 4.3.16.1 for SUSE Manager Server 4.3 LTS

Description:

This update fixes the following issues:

susemanager-build-keys:

• Update SUSE GPG key and make it available for Salt (bsc#1250911)

susemanager-sls:

• Version 4.3.50-0
• Fix OS Family grain name (bsc#1250911)
• Version 4.3.49-0
• Fixed syntax error in Salt state
• Version 4.3.48-0
• Automatically deploy the SUSE GPG key (bsc#1250911)

spacewalk-java:

• Version 4.3.88-0 with security fix:
• CVE-2025-53883: Escape input strings in system search form (bsc#1246439)

rhnlib:

• Version 4.3.7-0:
• Use more secure defusedxml parser (bsc#1227577)

spacewalk-backend:

• Version 4.3.34-0:
• Use more secure defusedxml parser (bsc#1227577)

spacewalk-web:

• Version 4.3.46-0:
• Bumped the WebUI version to 4.3.16.1

How to apply this update:

1. Log in as root user to the Multi-Linux Manager Server.
2. Stop the Spacewalk service: spacewalk-service stop
3. Apply the patch using either zypper patch or YaST Online Update.
4. Start the Spacewalk service: spacewalk-service start

Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

• SUSE Manager Proxy 4.3 LTS
  zypper in -t patch SUSE-SLE-Product-SUSE-Manager-Proxy-4.3-LTS-2025-3826=1
• SUSE Manager Server 4.3 LTS
  zypper in -t patch SUSE-SLE-Product-SUSE-Manager-Server-4.3-LTS-2025-3826=1

Package List:

• SUSE Manager Proxy 4.3 LTS (noarch)
  • susemanager-build-keys-15.4.11-150400.3.38.1
  • spacewalk-base-minimal-config-4.3.46-150400.3.63.5
  • python3-rhnlib-4.3.7-150400.3.9.4
  • spacewalk-backend-4.3.34-150400.3.58.6
  • susemanager-tftpsync-recv-4.3.11-150400.3.15.3
  • susemanager-build-keys-web-15.4.11-150400.3.38.1
  • spacewalk-base-minimal-4.3.46-150400.3.63.5
• SUSE Manager Server 4.3 LTS (noarch)
  • spacewalk-backend-xmlrpc-4.3.34-150400.3.58.6
  • spacewalk-base-4.3.46-150400.3.63.5
  • spacewalk-html-4.3.46-150400.3.63.5
  • spacewalk-base-minimal-config-4.3.46-150400.3.63.5
  • spacewalk-backend-sql-4.3.34-150400.3.58.6
  • spacewalk-java-lib-4.3.88-150400.3.113.5
  • spacewalk-backend-app-4.3.34-150400.3.58.6
  • spacewalk-backend-sql-postgresql-4.3.34-150400.3.58.6
  • spacewalk-taskomatic-4.3.88-150400.3.113.5
  • spacewalk-java-config-4.3.88-150400.3.113.5
  • susemanager-sls-4.3.50-150400.3.68.1
  • spacewalk-backend-iss-4.3.34-150400.3.58.6
  • python3-rhnlib-4.3.7-150400.3.9.4
  • spacewalk-backend-applet-4.3.34-150400.3.58.6
  • spacewalk-java-postgresql-4.3.88-150400.3.113.5
  • spacewalk-backend-xml-export-libs-4.3.34-150400.3.58.6
  • spacewalk-backend-config-files-common-4.3.34-150400.3.58.6
  • spacewalk-backend-tools-4.3.34-150400.3.58.6
  • spacewalk-backend-iss-export-4.3.34-150400.3.58.6
  • uyuni-config-modules-4.3.50-150400.3.68.1
  • spacewalk-backend-config-files-tool-4.3.34-150400.3.58.6
  • spacewalk-backend-config-files-4.3.34-150400.3.58.6
  • spacewalk-backend-package-push-server-4.3.34-150400.3.58.6
  • spacewalk-backend-server-4.3.34-150400.3.58.6
  • susemanager-build-keys-15.4.11-150400.3.38.1
  • spacewalk-backend-4.3.34-150400.3.58.6
  • susemanager-build-keys-web-15.4.11-150400.3.38.1
  • spacewalk-base-minimal-4.3.46-150400.3.63.5
  • spacewalk-java-4.3.88-150400.3.113.5

References:

• https://www.suse.com/security/cve/CVE-2025-53880.html
• https://www.suse.com/security/cve/CVE-2025-53883.html
• https://bugzilla.suse.com/show_bug.cgi?id=1227577
• https://bugzilla.suse.com/show_bug.cgi?id=1246277
• https://bugzilla.suse.com/show_bug.cgi?id=1246439
• https://bugzilla.suse.com/show_bug.cgi?id=1250911
• https://jira.suse.com/browse/MSQA-1026