Security update 5.0.6 for Multi-Linux Manager Client Tools, Salt and Salt Bundle SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2025:21216-1 Final 1 1 2025-12-16T07:20:56Z current 2025-12-16T07:20:56Z 2025-12-16T07:20:56Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update 5.0.6 for Multi-Linux Manager Client Tools, Salt and Salt Bundle This update fixes the following issues: salt: - Security issues fixed: - CVE-2025-62349: Added minimum_auth_version to enforce security (bsc#1254257) - CVE-2025-62348: Fixed Junos module yaml loader (bsc#1254256) - Backport security fixes for vendored tornado * BDSA-2024-3438 * BDSA-2024-3439 * BDSA-2024-9026 - Other changes and bugs fixed: - Fixed TLS and x509 modules for OSes with older cryptography module - Fixed Salt for Python > 3.11 (bsc#1252285) (bsc#1252244) * Use external tornado on Python > 3.11 * Make tls and x509 to use python-cryptography * Remove usage of spwd - Fixed payload signature verification on Tumbleweed (bsc#1251776) - Fixed broken symlink on migration to Leap 16.0 (bsc#1250755) - Fixed known_hosts error on gitfs (bsc#1250520) (bsc#1227207) - Fixed functional.states.test_user for SLES 16 and Micro systems - Fixed the tests failing on AlmaLinux 10 and other clones - Improved SL Micro 6.2 detection with grains - Require Python dependencies only for used Python version - Reverted requirement of M2Crypto >= 0.44.0 for SUSE Family distros - Set python-CherryPy as required for python-salt-testsuite uyuni-tools: - Version 0.1.37-0 * Added --registry-host, --registry-user and --registry-password to pull images from an authenticate registry * Added a lowercase version of --logLevel (bsc#1243611) * Added migration for server monitoring configuration (bsc#1247688) * Added SLE15SP7 to buildin productmap * Adjusted traefik exposed configuration for chart v27+ (bsc#1247721) * Automatically get up-to-date systemid file on salt based proxy hosts (bsc#1246789) * Check for restorecon presence before calling (bsc#1246925) * Convert the traefik install time to local time (bsc#1251138) * Deprecated --registry * Do not require backups to be at the same location for restoring (bsc#1246906) * Do not use sudo when running as a root user (bsc#1246882) * Fixed channel override for distro copy * Fixed loading product map from mgradm configuration file (bsc#1246068) * Fixed recomputing proxy images when installing a ptf or test (bsc#1246553) * Handle CA files with symlinks during migration (bsc#1251044) * Migrate custom auto installation snippets (bsc#1246320) * Run smdba and reindex only during migration (bsc#1244534) * Stop executing scripts in temporary folder (bsc#1243704) * Support config: collect podman inspect for hub container(bsc#1245099) * Use new dedicated path for Cobbler settings (bsc#1244027) - Version 0.1.36-0 * Bump the default image tag to 5.0.5.1 - Version 0.1.35-0 * Restore SELinux contexts for restored backup volumes (bsc#1244127) - Version 0.1.34-0 * Fixed mgradm backup create handling of images and systemd files (bsc#1246738) - Version 0.1.33-0 * Restore volumes using tar instead of podman import (bsc#1244127) - Version 0.1.32-0 * Fixed version compare by backport from main (bsc#1246662) venv-salt-minion: - Security issues fixed: - CVE-2025-62349: Added minimum_auth_version to enforce security (bsc#1254257) - CVE-2025-62348: Fixed Junos module yaml loader (bsc#1254256) - Backport security fixes for vendored tornado * BDSA-2024-3438 * BDSA-2024-3439 * BDSA-2024-9026 - Other changes and bugs fixed: - Added `minion_legacy_req_warnings` option to avoid noisy warnings - Fixed TLS and x509 modules for OSes with older cryptography module - Fixed Salt for Python > 3.11 (bsc#1252285) (bsc#1252244) * Use external tornado on Python > 3.11 * Make tls and x509 to use python-cryptography * Remove usage of spwd - Filter out zero-length check as the empty files are expected there - Filter out env-script-interpreter for ssh-id-wrapper as not used with the Salt Bundle, but present inside the salt module - Fixed functional.states.test_user for SLES 16 and Micro systems - Fixed known_hosts error on gitfs (bsc#1250520) (bsc#1227207) - Fixed payload signature verification on Tumbleweed (bsc#1251776) - Fixed the tests failing on AlmaLinux 10 and other clones - Improve SL Micro 6.2 detection with grains - Removed unused activate script (bsc#1245740) - Use more strict way to Fixed shebang in the bundle scripts - Use versioned python interpreter for salt-ssh The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). SUSE-SLE-Micro-6.0-535 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2025/suse-su-202521216-1/ Link for SUSE-SU-2025:21216-1 https://lists.suse.com/pipermail/sle-security-updates/2025-December/023594.html E-Mail link for SUSE-SU-2025:21216-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1227207 SUSE Bug 1227207 https://bugzilla.suse.com/1243611 SUSE Bug 1243611 https://bugzilla.suse.com/1243704 SUSE Bug 1243704 https://bugzilla.suse.com/1244027 SUSE Bug 1244027 https://bugzilla.suse.com/1244127 SUSE Bug 1244127 https://bugzilla.suse.com/1244534 SUSE Bug 1244534 https://bugzilla.suse.com/1245099 SUSE Bug 1245099 https://bugzilla.suse.com/1245740 SUSE Bug 1245740 https://bugzilla.suse.com/1246068 SUSE Bug 1246068 https://bugzilla.suse.com/1246320 SUSE Bug 1246320 https://bugzilla.suse.com/1246553 SUSE Bug 1246553 https://bugzilla.suse.com/1246662 SUSE Bug 1246662 https://bugzilla.suse.com/1246738 SUSE Bug 1246738 https://bugzilla.suse.com/1246789 SUSE Bug 1246789 https://bugzilla.suse.com/1246882 SUSE Bug 1246882 https://bugzilla.suse.com/1246906 SUSE Bug 1246906 https://bugzilla.suse.com/1246925 SUSE Bug 1246925 https://bugzilla.suse.com/1247688 SUSE Bug 1247688 https://bugzilla.suse.com/1247721 SUSE Bug 1247721 https://bugzilla.suse.com/1250520 SUSE Bug 1250520 https://bugzilla.suse.com/1250755 SUSE Bug 1250755 https://bugzilla.suse.com/1251044 SUSE Bug 1251044 https://bugzilla.suse.com/1251138 SUSE Bug 1251138 https://bugzilla.suse.com/1251776 SUSE Bug 1251776 https://bugzilla.suse.com/1252244 SUSE Bug 1252244 https://bugzilla.suse.com/1252285 SUSE Bug 1252285 https://bugzilla.suse.com/1254256 SUSE Bug 1254256 https://bugzilla.suse.com/1254257 SUSE Bug 1254257 https://www.suse.com/security/cve/CVE-2025-62348/ SUSE CVE CVE-2025-62348 page https://www.suse.com/security/cve/CVE-2025-62349/ SUSE CVE CVE-2025-62349 page SUSE Linux Micro 6.0 python311-salt-3006.0-14.1 salt-3006.0-14.1 salt-master-3006.0-14.1 salt-minion-3006.0-14.1 salt-transactional-update-3006.0-14.1 python311-salt-3006.0-14.1 as a component of SUSE Linux Micro 6.0 salt-3006.0-14.1 as a component of SUSE Linux Micro 6.0 salt-master-3006.0-14.1 as a component of SUSE Linux Micro 6.0 salt-minion-3006.0-14.1 as a component of SUSE Linux Micro 6.0 salt-transactional-update-3006.0-14.1 as a component of SUSE Linux Micro 6.0 unknown CVE-2025-62348 SUSE Linux Micro 6.0:python311-salt-3006.0-14.1 SUSE Linux Micro 6.0:salt-3006.0-14.1 SUSE Linux Micro 6.0:salt-master-3006.0-14.1 SUSE Linux Micro 6.0:salt-minion-3006.0-14.1 SUSE Linux Micro 6.0:salt-transactional-update-3006.0-14.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202521216-1/ https://www.suse.com/security/cve/CVE-2025-62348.html CVE-2025-62348 https://bugzilla.suse.com/1254256 SUSE Bug 1254256 unknown CVE-2025-62349 SUSE Linux Micro 6.0:python311-salt-3006.0-14.1 SUSE Linux Micro 6.0:salt-3006.0-14.1 SUSE Linux Micro 6.0:salt-master-3006.0-14.1 SUSE Linux Micro 6.0:salt-minion-3006.0-14.1 SUSE Linux Micro 6.0:salt-transactional-update-3006.0-14.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202521216-1/ https://www.suse.com/security/cve/CVE-2025-62349.html CVE-2025-62349 https://bugzilla.suse.com/1254257 SUSE Bug 1254257