Security update 5.1.2 for Multi-Linux Manager Client Tools

Announcement ID: SUSE-SU-2026:0626-1
Release Date: 2026-02-25T09:42:55Z
Rating: important
CVSS scores:
  • CVE-2025-67724 ( SUSE ): 5.3 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
  • CVE-2025-67724 ( SUSE ): 5.4 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
  • CVE-2025-67724 ( NVD ): 5.4 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
  • CVE-2025-67724 ( NVD ): 6.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
  • CVE-2025-67725 ( SUSE ): 8.7 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
  • CVE-2025-67725 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
  • CVE-2025-67725 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
  • CVE-2025-67726 ( SUSE ): 8.7 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
  • CVE-2025-67726 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
  • CVE-2025-67726 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Affected Products:
  • SUSE Multi-Linux Manager Client Tools for SUSE Liberty Linux 8, RHEL and clones

An update that solves three vulnerabilities, contains two features and has eight security fixes can now be installed.

Description:

This update fixes the following issues:

golang-github-QubitProducts-exporter_exporter:

  • Non-customer-facing optimization around source building

golang-github-lusitaniae-apache_exporter:

  • Build without apparmor for openSUSE Leap 16, SLES 16 or newer
  • Require Go 1.23 for building
  • Update to version 1.0.10
  • Update github.com/prometheus/client_golang to 1.21.1
  • Update github.com/prometheus/common to 0.63.0
  • Update github.com/prometheus/exporter-toolkit to 0.14.0
  • Update to version 1.0.9
  • Update github.com/prometheus/client_golang to 1.20.4
  • Update github.com/prometheus/common to 0.59.1
  • Update github.com/prometheus/exporter-toolkit to 0.13.0
  • Migrate logging to log/slog
  • Fix signal handler logging

scap-security-guide:

  • Updated to 0.1.79 (jsc#ECO-3319)
    • Add rhcos4 Profile for BSI Grundschutz
    • Create SLE15 general profile
    • Remove OCP STIG V1R1
    • Remove OCP STIG V2R1
    • Various updates for SLE 12/15
  • Updated to 0.1.78 (jsc#ECO-3319)
    • Enable SCE content for problematic rules that can traverse the whole filesystem
    • Remove unnecessary Jinja2 macros in control files
    • Update RHEL 8 STIG to V2R4 and RHEL 9 STIG to V2R5
    • Add Debian 13 profile for ANSSI BP 28 (enhanced)
    • Create SLEM5 General profile
    • Create SL Micro 6 product and general profile
    • Update SLE15 STIG version to V2R5
    • Update SLE12 STIG version to V3R3
    • Update SLEM5 STIG version to V1R2
  • Remove the CIS profiles from all products
  • Remove the CIS profiles from the tarball

spacecmd:

  • Version 5.1.12-0
  • Fix spacecmd binary file upload (bsc#1253659)
  • Fix typo in spacecmd help ca-cert flag (bsc#1253174)
  • Convert cached IDs to int (bsc#1251995)
  • Fix methods in api namespace in spacecmd (bsc#1249532)
  • Make caching code Py 2.7 compatible
  • Use JSON instead of pickle for spacecmd cache (bsc#1227579)
  • Python 2.7 cannot re-raise exceptions

venv-salt-minion:

  • Backport security patches for Salt vendored tornado:
    • CVE-2025-67724: missing validation of supplied reason phrase (bsc#1254903)
    • CVE-2025-67725: fix DoS via malicious HTTP request (bsc#1254905)
    • CVE-2025-67726: fix HTTP header parameter parsing algorithm (bsc#1254904)
  • Make syntax in httputil_test compatible with Python 3.6
  • Fix KeyError in postgres module with PostgreSQL 17 (bsc#1254325)
  • Use internal deb classes instead of external aptsource lib
  • Speed up wheel key.finger call (bsc#1240532)
  • Simplify and speed up utils.find_json function (bsc#1246130)
  • Extend warn_until period to 2027

Special Instructions and Notes:

Patch Instructions:

To install this SUSE update, use one of the SUSE recommended installation methods, such as YaST online_update or "zypper patch".
Alternatively, you can run the command listed for your product:

  • SUSE Multi-Linux Manager Client Tools for SUSE Liberty Linux 8, RHEL and clones
    zypper in -t patch SUSE-MultiLinuxManagerTools-EL-8-2026-626=1

Package List:

  • SUSE Multi-Linux Manager Client Tools for SUSE Liberty Linux 8, RHEL and clones (aarch64 ppc64le x86_64)
    • mgrctl-5.1.24-80002.3.6.1
    • golang-github-QubitProducts-exporter_exporter-debugsource-0.4.0-80002.3.3.1
    • golang-github-lusitaniae-apache_exporter-1.0.10-80002.3.3.1
    • golang-github-QubitProducts-exporter_exporter-debuginfo-0.4.0-80002.3.3.1
    • golang-github-QubitProducts-exporter_exporter-0.4.0-80002.3.3.1
    • venv-salt-minion-3006.0-80002.5.9.1
  • SUSE Multi-Linux Manager Client Tools for SUSE Liberty Linux 8, RHEL and clones (noarch)
    • mgrctl-zsh-completion-5.1.24-80002.3.6.1
    • spacecmd-5.1.12-80002.3.6.1
    • mgrctl-bash-completion-5.1.24-80002.3.6.1
    • scap-security-guide-redhat-0.1.79-80002.3.6.1
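
To confirm that a client actually carries the fixed builds after patching, the following added example (not part of the SUSE advisory) compares an installed-package inventory against the version-release strings in the Package List above. The function names, the SAMPLE inventory and the use of GNU "sort -V" in place of RPM's own version comparison are assumptions of this example.

```shell
#!/bin/sh
# Fixed version-release per package, copied from the advisory's Package List.
FIXED='mgrctl 5.1.24-80002.3.6.1
golang-github-lusitaniae-apache_exporter 1.0.10-80002.3.3.1
golang-github-QubitProducts-exporter_exporter 0.4.0-80002.3.3.1
venv-salt-minion 3006.0-80002.5.9.1
spacecmd 5.1.12-80002.3.6.1
scap-security-guide-redhat 0.1.79-80002.3.6.1'

# Constructed sample inventory (not real host output): one package behind.
SAMPLE='venv-salt-minion 3006.0-80002.5.8.1
spacecmd 5.1.12-80002.3.6.1
mgrctl 5.1.24-80002.3.6.1'

# ver_ge A B: true when A sorts at or after B. Assumption: GNU "sort -V"
# stands in for RPM's own comparison; epochs are ignored.
ver_ge() {
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | tail -n 1)" = "$1" ]
}

# check_installed: reads "name version-release" lines on stdin and prints
# OK, OUTDATED or ABSENT per advisory package; returns 1 if any is OUTDATED.
check_installed() {
    installed=$(cat)
    rc=0
    while read -r name fixed; do
        have=$(printf '%s\n' "$installed" |
            awk -v n="$name" '$1 == n { print $2; exit }')
        if [ -z "$have" ]; then
            echo "ABSENT   $name"
        elif ver_ge "$have" "$fixed"; then
            echo "OK       $name $have"
        else
            echo "OUTDATED $name $have (fixed in $fixed)"
            rc=1
        fi
    done <<EOF
$FIXED
EOF
    return "$rc"
}

# On a client: rpm -qa --qf '%{NAME} %{VERSION}-%{RELEASE}\n' | check_installed
printf '%s\n' "$SAMPLE" | check_installed ||
    echo "patch SUSE-MultiLinuxManagerTools-EL-8-2026-626 is not fully applied"
```

A package reported as ABSENT is simply not installed on that client and needs no action for this update.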
