Security update 5.0.8 for Multi-Linux Manager Client Tools, Salt Bundle and Salt

Announcement ID: SUSE-SU-2026:21990-1
Release Date: 2026-06-03T13:34:00Z
Rating: important
CVSS scores:
  • CVE-2026-27448 ( SUSE ): 6.3 CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
  • CVE-2026-27448 ( SUSE ): 3.7 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N
  • CVE-2026-27448 ( NVD ): 1.7 CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
  • CVE-2026-27448 ( NVD ): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
  • CVE-2026-27459 ( SUSE ): 8.3 CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:L/VA:H/SC:N/SI:N/SA:N
  • CVE-2026-27459 ( SUSE ): 7.0 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:H
  • CVE-2026-27459 ( NVD ): 7.2 CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
  • CVE-2026-27459 ( NVD ): 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • CVE-2026-31958 ( SUSE ): 8.7 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
  • CVE-2026-31958 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
  • CVE-2026-31958 ( NVD ): 8.7 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
  • CVE-2026-31958 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Affected Products:
  • SUSE Linux Micro 6.0

An update that solves three vulnerabilities and has 12 fixes can now be installed.

Description:

This update fixes the following issues:

golang-github-prometheus-node_exporter:

  • Version 1.10.2:

    • meminfo: Fix typo in Zswap metric name

  • Version 1.10.1:

    • filesystem: Fix mount points being collected multiple times
    • filesystem: Refactor mountinfo parsing (bsc#1261810)
    • meminfo: Add Zswap/Zswapped metrics

  • Version 1.10.0:

    • Changes:

      • mdadm: Use sysfs for RAID metrics
      • filesystem: Add erofs in default excluded fs
      • tcpstat: Use std lib binary.NativeEndian
    • New Features:

      • pcidevice: Add new collector for PCIe devices
      • AIX: Add more metrics
      • systemd: Add Virtualization metrics
      • swaps: Add new collector
    • Enhancements:

      • wifi: Add packet received and transmitted metrics
      • filesystem: Take super options into account for read-only
      • pcidevice: Add additional metrics
      • perf: Add tlb_data metrics
    • Bugs fixed:

      • interrupts: Fix OpenBSD interrupt device parsing
      • diskstats: Simplify condition
      • thermal: Sanitize darwin thermal strings
      • filesystem: Fix Darwin collector cgo memory leak
      • cpufreq: Fix: collector enable
      • ethtool: Fix returning 0 for sanitized metrics
      • netdev: Fix Darwin netdev i/o bytes metric
      • systemd: Fix logging race
      • filesystem: Fix duplicate Darwin CGO import

salt:

  • Security issues fixed:

    • CVE-2026-31958: tornado: Fixed a denial of service that could be caused by parsing large multipart bodies with many parts (bsc#1259554)

  • Other updates and bugfixes:

    • Use non-vendored Tornado with Python 3.11 (bsc#1257583, bsc#1259700)
    • Hardened Tornado against invalid HTTP reason phrases
    • Read full URI from ldap pillar config (bsc#1254900)
    • Fixed testsuite failures
    • Make users with backslash work for salt-ssh (bsc#1254629)
    • Fixed ansible.playbooks extra-vars quoting (bsc#1257831)
    • Fixed virtualenv call in test helper to use proper Python version

uyuni-tools:

  • Version 0.1.39-0:

    • mgrpxy ssh tuning should happen before crypto policies (bsc#1254619)
    • Fixed default value for helm registry (bsc#1258927)
    • Use static supportconfig name to avoid dynamic search (bsc#1257941)
    • Do not nest multiple tarball files and instead collect all files into one tarball (bsc#1252964)
    • Show where final tarball was generated (bsc#1259208)

venv-salt-minion:

  • Security issues fixed:

    • CVE-2026-31958: tornado: Fixed a denial of service that could be caused by parsing large multipart bodies with many parts (bsc#1259554)
    • CVE-2026-27459: pyOpenSSL: Fixed an issue where a large cookie value can lead to a buffer overflow (bsc#1259808)
    • CVE-2026-27448: pyOpenSSL: Fixed an unhandled exception that can result in the connection not being cancelled (bsc#1259804)

  • Other updates and bugfixes:

    • Use non-vendored Tornado with Python 3.11 (bsc#1257583, bsc#1259700)
    • Hardened Tornado against invalid HTTP reason phrases
    • Read full URI from ldap pillar config (bsc#1254900)
    • Make users with backslash work for salt-ssh (bsc#1254629)
    • Fixed ansible.playbooks extra-vars quoting (bsc#1257831)
    • Fixed virtualenv call in test helper to use proper Python version
    • Fixed the issue preventing the SELinux profile from being loaded on SLES 16 deployed using cloud images (bsc#1258957)

Special Instructions and Notes:

Patch Instructions:

To install this SUSE update, use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively, you can run the command listed for your product:

  • SUSE Linux Micro 6.0
    zypper in -t patch SUSE-SLE-Micro-6.0-740=1

Package List:

  • SUSE Linux Micro 6.0 (aarch64 s390x)
    • salt-master-3006.0-16.1
    • salt-transactional-update-3006.0-16.1
    • python311-salt-3006.0-16.1
    • salt-minion-3006.0-16.1
    • salt-3006.0-16.1
