Security update 5.1.1.1 for Multi-Linux Manager Client Tools

Announcement ID:	SUSE-SU-2025:4448-1
Release Date:	2025-12-18T08:50:16Z
Rating:	important
References:	bsc#1227207 bsc#1250520 bsc#1251776 bsc#1252244 bsc#1252285 bsc#1254256 bsc#1254257 jsc#MSQA-1038
Cross-References:	CVE-2025-62348 CVE-2025-62349
CVSS scores:	CVE-2025-62348 ( SUSE ): 7.3 CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N CVE-2025-62348 ( SUSE ): 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2025-62349 ( SUSE ): 7.5 CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N CVE-2025-62349 ( SUSE ): 6.2 CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:L
Affected Products:	SUSE Multi-Linux Manager Client Tools for SUSE Liberty Linux 9, RHEL and clones

An update that solves two vulnerabilities, contains one feature and has five security fixes can now be installed.

Description:

This update fixes the following issues:

venv-salt-minion:

• Security issues fixed:

• CVE-2025-62349: Added minimum_auth_version to enforce security (bsc#1254257)

• CVE-2025-62348: Fixed Junos module yaml loader (bsc#1254256)

• Backport security fixes for vendored tornado

  • BDSA-2024-3438
  • BDSA-2024-3439
  • BDSA-2024-9026

• Other changes and bugs fixed:

• Fixed TLS and x509 modules for OSes with older cryptography module

• Fixed Salt for Python > 3.11 (bsc#1252285) (bsc#1252244)
  • Use external tornado on Python > 3.11
  • Make tls and x509 to use python-cryptography
  • Remove usage of spwd
• Fixed payload signature verification on Tumbleweed (bsc#1251776)
• Fixed broken symlink on migration to Leap 16.0 (bsc#1250755)
• Fixed known_hosts error on gitfs (bsc#1250520) (bsc#1227207)

Special Instructions and Notes:

Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

• SUSE Multi-Linux Manager Client Tools for SUSE Liberty Linux 9, RHEL and clones
  zypper in -t patch SUSE-MultiLinuxManagerTools-EL-9-2025-4448=1

Package List:

• SUSE Multi-Linux Manager Client Tools for SUSE Liberty Linux 9, RHEL and clones (aarch64 ppc64le s390x x86_64)
  • venv-salt-minion-3006.0-90002.5.6.1

References:

• https://www.suse.com/security/cve/CVE-2025-62348.html
• https://www.suse.com/security/cve/CVE-2025-62349.html
• https://bugzilla.suse.com/show_bug.cgi?id=1227207
• https://bugzilla.suse.com/show_bug.cgi?id=1250520
• https://bugzilla.suse.com/show_bug.cgi?id=1251776
• https://bugzilla.suse.com/show_bug.cgi?id=1252244
• https://bugzilla.suse.com/show_bug.cgi?id=1252285
• https://bugzilla.suse.com/show_bug.cgi?id=1254256
• https://bugzilla.suse.com/show_bug.cgi?id=1254257
• https://jira.suse.com/browse/MSQA-1038