Security update 4.3.16 for Multi-Linux Manager Server SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2025:02476-1 Final 1 1 2025-07-23T12:37:12Z current 2025-07-23T12:37:12Z 2025-07-23T12:37:12Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update 4.3.16 for Multi-Linux Manager Server This update fixes the following issues: release-notes-susemanager: - Update to SUSE Manager 4.3.16 * Important Salt Security Update * Added support for SUSE Linux Enterprise 15 SP7 as a client using the Salt Bundle * CVE Fixed CVE-2025-23392, CVE-2025-23393, CVE-2024-38824, CVE-2025-22239 CVE-2025-22236, CVE-2025-22237, CVE-2024-38825, CVE-2025-22240 CVE-2024-38823, CVE-2025-22241, CVE-2025-22238, CVE-2025-22242 CVE-2024-38822, CVE-2025-46811, CVE-2025-46809 * Bugs mentioned: bsc#1157520, bsc#1191142, bsc#1209060, bsc#1211373, bsc#1213952 bsc#1216187, bsc#1221031, bsc#1225740, bsc#1230403, bsc#1230908 bsc#1233371, bsc#1234608, bsc#1236635, bsc#1236779, bsc#1236810 bsc#1236877, bsc#1236910, bsc#1237060, bsc#1237082, bsc#1237294 bsc#1237403, bsc#1237581, bsc#1237694, bsc#1237770, bsc#1238922 bsc#1238924, bsc#1239102, bsc#1239154, bsc#1239604, bsc#1239743 bsc#1239826, bsc#1239868, bsc#1239907, bsc#1240038, bsc#1240386 bsc#1240666, bsc#1240842, bsc#1241239, bsc#1241286, bsc#1241455 bsc#1241490, bsc#1242004, bsc#1242030, bsc#1242148, bsc#1242554 bsc#1242911, bsc#1243239, bsc#1243460, bsc#1243724, bsc#1243825 bsc#1244065, bsc#1244290, bsc#1245027, bsc#1245222, bsc#1245368 bsc#1245005, bsc#1246119 The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). Container suse/manager/4.3/proxy-httpd:latest-2025-2476,SUSE-2025-2476,SUSE-SLE-Product-SUSE-Manager-Proxy-4.3-2025-2476,SUSE-SLE-Product-SUSE-Manager-Server-4.3-2025-2476 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2025/suse-su-202502476-1/ Link for SUSE-SU-2025:02476-1 https://lists.suse.com/pipermail/sle-updates/2025-July/040893.html E-Mail link for SUSE-SU-2025:02476-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1157520 SUSE Bug 1157520 https://bugzilla.suse.com/1191142 SUSE Bug 1191142 https://bugzilla.suse.com/1209060 SUSE Bug 1209060 https://bugzilla.suse.com/1211373 SUSE Bug 1211373 https://bugzilla.suse.com/1213952 SUSE Bug 1213952 https://bugzilla.suse.com/1216187 SUSE Bug 1216187 https://bugzilla.suse.com/1221031 SUSE Bug 1221031 https://bugzilla.suse.com/1225740 SUSE Bug 1225740 https://bugzilla.suse.com/1230403 SUSE Bug 1230403 https://bugzilla.suse.com/1230908 SUSE Bug 1230908 https://bugzilla.suse.com/1233371 SUSE Bug 1233371 https://bugzilla.suse.com/1234608 SUSE Bug 1234608 https://bugzilla.suse.com/1236635 SUSE Bug 1236635 https://bugzilla.suse.com/1236779 SUSE Bug 1236779 https://bugzilla.suse.com/1236810 SUSE Bug 1236810 https://bugzilla.suse.com/1236877 SUSE Bug 1236877 https://bugzilla.suse.com/1236910 SUSE Bug 1236910 https://bugzilla.suse.com/1237060 SUSE Bug 1237060 https://bugzilla.suse.com/1237082 SUSE Bug 1237082 https://bugzilla.suse.com/1237294 SUSE Bug 1237294 https://bugzilla.suse.com/1237403 SUSE Bug 1237403 https://bugzilla.suse.com/1237581 SUSE Bug 1237581 https://bugzilla.suse.com/1237694 SUSE Bug 1237694 https://bugzilla.suse.com/1237770 SUSE Bug 1237770 https://bugzilla.suse.com/1238922 SUSE Bug 1238922 https://bugzilla.suse.com/1238924 SUSE Bug 1238924 https://bugzilla.suse.com/1239102 SUSE Bug 1239102 https://bugzilla.suse.com/1239154 SUSE Bug 1239154 https://bugzilla.suse.com/1239604 SUSE Bug 1239604 https://bugzilla.suse.com/1239743 SUSE Bug 1239743 https://bugzilla.suse.com/1239826 SUSE Bug 1239826 https://bugzilla.suse.com/1239868 SUSE Bug 1239868 https://bugzilla.suse.com/1239907 SUSE Bug 1239907 https://bugzilla.suse.com/1240038 SUSE Bug 1240038 https://bugzilla.suse.com/1240386 SUSE Bug 1240386 https://bugzilla.suse.com/1240666 SUSE Bug 1240666 https://bugzilla.suse.com/1240842 SUSE Bug 1240842 https://bugzilla.suse.com/1241239 SUSE Bug 1241239 https://bugzilla.suse.com/1241286 SUSE Bug 1241286 https://bugzilla.suse.com/1241455 SUSE Bug 1241455 https://bugzilla.suse.com/1241490 SUSE Bug 1241490 https://bugzilla.suse.com/1242004 SUSE Bug 1242004 https://bugzilla.suse.com/1242030 SUSE Bug 1242030 https://bugzilla.suse.com/1242148 SUSE Bug 1242148 https://bugzilla.suse.com/1242554 SUSE Bug 1242554 https://bugzilla.suse.com/1242911 SUSE Bug 1242911 https://bugzilla.suse.com/1243239 SUSE Bug 1243239 https://bugzilla.suse.com/1243460 SUSE Bug 1243460 https://bugzilla.suse.com/1243724 SUSE Bug 1243724 https://bugzilla.suse.com/1243825 SUSE Bug 1243825 https://bugzilla.suse.com/1244065 SUSE Bug 1244065 https://bugzilla.suse.com/1244290 SUSE Bug 1244290 https://bugzilla.suse.com/1245005 SUSE Bug 1245005 https://bugzilla.suse.com/1245027 SUSE Bug 1245027 https://bugzilla.suse.com/1245222 SUSE Bug 1245222 https://bugzilla.suse.com/1245368 SUSE Bug 1245368 https://bugzilla.suse.com/1246119 SUSE Bug 1246119 https://www.suse.com/security/cve/CVE-2024-38822/ SUSE CVE CVE-2024-38822 page https://www.suse.com/security/cve/CVE-2024-38823/ SUSE CVE CVE-2024-38823 page https://www.suse.com/security/cve/CVE-2024-38824/ SUSE CVE CVE-2024-38824 page https://www.suse.com/security/cve/CVE-2024-38825/ SUSE CVE CVE-2024-38825 page https://www.suse.com/security/cve/CVE-2025-22236/ SUSE CVE CVE-2025-22236 page https://www.suse.com/security/cve/CVE-2025-22237/ SUSE CVE CVE-2025-22237 page https://www.suse.com/security/cve/CVE-2025-22238/ SUSE CVE CVE-2025-22238 page https://www.suse.com/security/cve/CVE-2025-22239/ SUSE CVE CVE-2025-22239 page https://www.suse.com/security/cve/CVE-2025-22240/ SUSE CVE CVE-2025-22240 page https://www.suse.com/security/cve/CVE-2025-22241/ SUSE CVE CVE-2025-22241 page https://www.suse.com/security/cve/CVE-2025-22242/ SUSE CVE CVE-2025-22242 page https://www.suse.com/security/cve/CVE-2025-23392/ SUSE CVE CVE-2025-23392 page https://www.suse.com/security/cve/CVE-2025-23393/ SUSE CVE CVE-2025-23393 page https://www.suse.com/security/cve/CVE-2025-46809/ SUSE CVE CVE-2025-46809 page https://www.suse.com/security/cve/CVE-2025-46811/ SUSE CVE CVE-2025-46811 page Container suse/manager/4.3/proxy-httpd:latest SUSE Manager Proxy 4.3 SUSE Manager Server 4.3 release-notes-susemanager-proxy-4.3.16-150400.3.98.1 release-notes-susemanager-4.3.16-150400.3.140.1 release-notes-susemanager-proxy-4.3.16-150400.3.98.1 as a component of Container suse/manager/4.3/proxy-httpd:latest release-notes-susemanager-proxy-4.3.16-150400.3.98.1 as a component of SUSE Manager Proxy 4.3 release-notes-susemanager-4.3.16-150400.3.140.1 as a component of SUSE Manager Server 4.3 Multiple methods in the salt master skip minion token validation. Therefore a misbehaving minion can impersonate another minion. CVE-2024-38822 Container suse/manager/4.3/proxy-httpd:latest:release-notes-susemanager-proxy-4.3.16-150400.3.98.1 SUSE Manager Proxy 4.3:release-notes-susemanager-proxy-4.3.16-150400.3.98.1 SUSE Manager Server 4.3:release-notes-susemanager-4.3.16-150400.3.140.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202502476-1/ https://www.suse.com/security/cve/CVE-2024-38822.html CVE-2024-38822 https://bugzilla.suse.com/1244561 SUSE Bug 1244561 Salt's request server is vulnerable to replay attacks when not using a TLS encrypted transport. CVE-2024-38823 Container suse/manager/4.3/proxy-httpd:latest:release-notes-susemanager-proxy-4.3.16-150400.3.98.1 SUSE Manager Proxy 4.3:release-notes-susemanager-proxy-4.3.16-150400.3.98.1 SUSE Manager Server 4.3:release-notes-susemanager-4.3.16-150400.3.140.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202502476-1/ https://www.suse.com/security/cve/CVE-2024-38823.html CVE-2024-38823 https://bugzilla.suse.com/1244564 SUSE Bug 1244564 Directory traversal vulnerability in recv_file method allows arbitrary files to be written to the master cache directory. CVE-2024-38824 Container suse/manager/4.3/proxy-httpd:latest:release-notes-susemanager-proxy-4.3.16-150400.3.98.1 SUSE Manager Proxy 4.3:release-notes-susemanager-proxy-4.3.16-150400.3.98.1 SUSE Manager Server 4.3:release-notes-susemanager-4.3.16-150400.3.140.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202502476-1/ https://www.suse.com/security/cve/CVE-2024-38824.html CVE-2024-38824 https://bugzilla.suse.com/1244565 SUSE Bug 1244565 The salt.auth.pki module does not properly authenticate callers. The "password" field contains a public certificate which is validated against a CA certificate by the module. This is not pki authentication, as the caller does not need access to the corresponding private key for the authentication attempt to be accepted. CVE-2024-38825 Container suse/manager/4.3/proxy-httpd:latest:release-notes-susemanager-proxy-4.3.16-150400.3.98.1 SUSE Manager Proxy 4.3:release-notes-susemanager-proxy-4.3.16-150400.3.98.1 SUSE Manager Server 4.3:release-notes-susemanager-4.3.16-150400.3.140.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202502476-1/ https://www.suse.com/security/cve/CVE-2024-38825.html CVE-2024-38825 https://bugzilla.suse.com/1244566 SUSE Bug 1244566 Minion event bus authorization bypass. An attacker with access to a minion key can craft a message which may be able to execute a job on other minions (>= 3007.0). CVE-2025-22236 Container suse/manager/4.3/proxy-httpd:latest:release-notes-susemanager-proxy-4.3.16-150400.3.98.1 SUSE Manager Proxy 4.3:release-notes-susemanager-proxy-4.3.16-150400.3.98.1 SUSE Manager Server 4.3:release-notes-susemanager-4.3.16-150400.3.140.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202502476-1/ https://www.suse.com/security/cve/CVE-2025-22236.html CVE-2025-22236 https://bugzilla.suse.com/1244568 SUSE Bug 1244568 An attacker with access to a minion key can exploit the 'on demand' pillar functionality with a specially crafted git url which could cause and arbitrary command to be run on the master with the same privileges as the master process. CVE-2025-22237 Container suse/manager/4.3/proxy-httpd:latest:release-notes-susemanager-proxy-4.3.16-150400.3.98.1 SUSE Manager Proxy 4.3:release-notes-susemanager-proxy-4.3.16-150400.3.98.1 SUSE Manager Server 4.3:release-notes-susemanager-4.3.16-150400.3.140.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202502476-1/ https://www.suse.com/security/cve/CVE-2025-22237.html CVE-2025-22237 https://bugzilla.suse.com/1244571 SUSE Bug 1244571 Directory traversal attack in minion file cache creation. The master's default cache is vulnerable to a directory traversal attack. Which could be leveraged to write or overwrite 'cache' files outside of the cache directory. CVE-2025-22238 Container suse/manager/4.3/proxy-httpd:latest:release-notes-susemanager-proxy-4.3.16-150400.3.98.1 SUSE Manager Proxy 4.3:release-notes-susemanager-proxy-4.3.16-150400.3.98.1 SUSE Manager Server 4.3:release-notes-susemanager-4.3.16-150400.3.140.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202502476-1/ https://www.suse.com/security/cve/CVE-2025-22238.html CVE-2025-22238 https://bugzilla.suse.com/1244572 SUSE Bug 1244572 Arbitrary event injection on Salt Master. The master's "_minion_event" method can be used by and authorized minion to send arbitrary events onto the master's event bus. CVE-2025-22239 Container suse/manager/4.3/proxy-httpd:latest:release-notes-susemanager-proxy-4.3.16-150400.3.98.1 SUSE Manager Proxy 4.3:release-notes-susemanager-proxy-4.3.16-150400.3.98.1 SUSE Manager Server 4.3:release-notes-susemanager-4.3.16-150400.3.140.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202502476-1/ https://www.suse.com/security/cve/CVE-2025-22239.html CVE-2025-22239 https://bugzilla.suse.com/1244574 SUSE Bug 1244574 Arbitrary directory creation or file deletion. In the find_file method of the GitFS class, a path is created using os.path.join using unvalidated input from the "tgt_env" variable. This can be exploited by an attacker to delete any file on the Master's process has permissions to. CVE-2025-22240 Container suse/manager/4.3/proxy-httpd:latest:release-notes-susemanager-proxy-4.3.16-150400.3.98.1 SUSE Manager Proxy 4.3:release-notes-susemanager-proxy-4.3.16-150400.3.98.1 SUSE Manager Server 4.3:release-notes-susemanager-4.3.16-150400.3.140.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202502476-1/ https://www.suse.com/security/cve/CVE-2025-22240.html CVE-2025-22240 https://bugzilla.suse.com/1244567 SUSE Bug 1244567 File contents overwrite the VirtKey class is called when "on-demand pillar" data is requested and uses un-validated input to create paths to the "pki directory". The functionality is used to auto-accept Minion authentication keys based on a pre-placed "authorization file" at a specific location and is present in the default configuration. CVE-2025-22241 Container suse/manager/4.3/proxy-httpd:latest:release-notes-susemanager-proxy-4.3.16-150400.3.98.1 SUSE Manager Proxy 4.3:release-notes-susemanager-proxy-4.3.16-150400.3.98.1 SUSE Manager Server 4.3:release-notes-susemanager-4.3.16-150400.3.140.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202502476-1/ https://www.suse.com/security/cve/CVE-2025-22241.html CVE-2025-22241 https://bugzilla.suse.com/1244570 SUSE Bug 1244570 Worker process denial of service through file read operation. .A vulnerability exists in the Master's "pub_ret" method which is exposed to all minions. The un-sanitized input value "jid" is used to construct a path which is then opened for reading. An attacker could exploit this vulnerabilities by attempting to read from a filename that will not return any data, e.g. by targeting a pipe node on the proc file system. CVE-2025-22242 Container suse/manager/4.3/proxy-httpd:latest:release-notes-susemanager-proxy-4.3.16-150400.3.98.1 SUSE Manager Proxy 4.3:release-notes-susemanager-proxy-4.3.16-150400.3.98.1 SUSE Manager Server 4.3:release-notes-susemanager-4.3.16-150400.3.140.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202502476-1/ https://www.suse.com/security/cve/CVE-2025-22242.html CVE-2025-22242 https://bugzilla.suse.com/1244575 SUSE Bug 1244575 A Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in spacewalk-java allows execution of arbitrary Javascript code on target systems.This issue affects Container suse/manager/5.0/x86_64/server:5.0.4.7.19.1: from ? before 5.0.24-150600.3.25.1; Container suse/manager/5.0/x86_64/server:5.0.4.7.19.1: from ? before 5.0.24-150600.3.25.1; Container suse/manager/5.0/x86_64/server:5.0.4.7.19.1: from ? before 5.0.24-150600.3.25.1; Container suse/manager/5.0/x86_64/server:5.0.4.7.19.1: from ? before 5.0.24-150600.3.25.1; SUSE Manager Server Module 4.3: from ? before 4.3.85-150400.3.105.3; SUSE Manager Server Module 4.3: from ? before 4.3.85-150400.3.105.3; SUSE Manager Server Module 4.3: from ? before 4.3.85-150400.3.105.3; SUSE Manager Server Module 4.3: from ? before 4.3.85-150400.3.105.3. CVE-2025-23392 Container suse/manager/4.3/proxy-httpd:latest:release-notes-susemanager-proxy-4.3.16-150400.3.98.1 SUSE Manager Proxy 4.3:release-notes-susemanager-proxy-4.3.16-150400.3.98.1 SUSE Manager Server 4.3:release-notes-susemanager-4.3.16-150400.3.140.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202502476-1/ https://www.suse.com/security/cve/CVE-2025-23392.html CVE-2025-23392 https://bugzilla.suse.com/1239826 SUSE Bug 1239826 A Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in spacewalk-java allows execution of arbitrary Javascript code on users machines.This issue affects Container suse/manager/5.0/x86_64/server:5.0.4.7.19.1: from ? before 5.0.24-150600.3.25.1; SUSE Manager Server Module 4.3: from ? before 4.3.85-150400.3.105.3. CVE-2025-23393 Container suse/manager/4.3/proxy-httpd:latest:release-notes-susemanager-proxy-4.3.16-150400.3.98.1 SUSE Manager Proxy 4.3:release-notes-susemanager-proxy-4.3.16-150400.3.98.1 SUSE Manager Server 4.3:release-notes-susemanager-4.3.16-150400.3.140.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202502476-1/ https://www.suse.com/security/cve/CVE-2025-23393.html CVE-2025-23393 https://bugzilla.suse.com/1240386 SUSE Bug 1240386 unknown CVE-2025-46809 Container suse/manager/4.3/proxy-httpd:latest:release-notes-susemanager-proxy-4.3.16-150400.3.98.1 SUSE Manager Proxy 4.3:release-notes-susemanager-proxy-4.3.16-150400.3.98.1 SUSE Manager Server 4.3:release-notes-susemanager-4.3.16-150400.3.140.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202502476-1/ https://www.suse.com/security/cve/CVE-2025-46809.html CVE-2025-46809 https://bugzilla.suse.com/1245005 SUSE Bug 1245005 unknown CVE-2025-46811 Container suse/manager/4.3/proxy-httpd:latest:release-notes-susemanager-proxy-4.3.16-150400.3.98.1 SUSE Manager Proxy 4.3:release-notes-susemanager-proxy-4.3.16-150400.3.98.1 SUSE Manager Server 4.3:release-notes-susemanager-4.3.16-150400.3.140.1 critical To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202502476-1/ https://www.suse.com/security/cve/CVE-2025-46811.html CVE-2025-46811 https://bugzilla.suse.com/1246119 SUSE Bug 1246119