SUSE-SU-2025:21216-1
Vulnerability Summary
Timeline
Description
Security update 5.0.6 for Multi-Linux Manager Client Tools, Salt and Salt Bundle

This update fixes the following issues:

salt:
- Security issues fixed:
  - CVE-2025-62349: Added minimum_auth_version to enforce security (bsc#1254257)
  - CVE-2025-62348: Fixed Junos module yaml loader (bsc#1254256)
  - Backport security fixes for vendored tornado
    * BDSA-2024-3438
    * BDSA-2024-3439
    * BDSA-2024-9026
- Other changes and bugs fixed:
  - Fixed TLS and x509 modules for OSes with older cryptography module
  - Fixed Salt for Python > 3.11 (bsc#1252285) (bsc#1252244)
    * Use external tornado on Python > 3.11
    * Make tls and x509 use python-cryptography
    * Remove usage of spwd
  - Fixed payload signature verification on Tumbleweed (bsc#1251776)
  - Fixed broken symlink on migration to Leap 16.0 (bsc#1250755)
  - Fixed known_hosts error on gitfs (bsc#1250520) (bsc#1227207)
  - Fixed functional.states.test_user for SLES 16 and Micro systems
  - Fixed the tests failing on AlmaLinux 10 and other clones
  - Improved SL Micro 6.2 detection with grains
  - Require Python dependencies only for used Python version
  - Reverted requirement of M2Crypto >= 0.44.0 for SUSE Family distros
  - Set python-CherryPy as required for python-salt-testsuite

uyuni-tools:
- Version 0.1.37-0
  * Added --registry-host, --registry-user and --registry-password to pull images from an authenticated registry
  * Added a lowercase version of --logLevel (bsc#1243611)
  * Added migration for server monitoring configuration (bsc#1247688)
  * Added SLE15SP7 to built-in product map
  * Adjusted traefik exposed configuration for chart v27+ (bsc#1247721)
  * Automatically get up-to-date systemid file on salt based proxy hosts (bsc#1246789)
  * Check for restorecon presence before calling (bsc#1246925)
  * Convert the traefik install time to local time (bsc#1251138)
  * Deprecated --registry
  * Do not require backups to be at the same location for restoring (bsc#1246906)
  * Do not use sudo when running as a root user (bsc#1246882)
  * Fixed channel override for distro copy
  * Fixed loading product map from mgradm configuration file (bsc#1246068)
  * Fixed recomputing proxy images when installing a ptf or test (bsc#1246553)
  * Handle CA files with symlinks during migration (bsc#1251044)
  * Migrate custom auto installation snippets (bsc#1246320)
  * Run smdba and reindex only during migration (bsc#1244534)
  * Stop executing scripts in temporary folder (bsc#1243704)
  * Support config: collect podman inspect for hub container (bsc#1245099)
  * Use new dedicated path for Cobbler settings (bsc#1244027)
- Version 0.1.36-0
  * Bump the default image tag to 5.0.5.1
- Version 0.1.35-0
  * Restore SELinux contexts for restored backup volumes (bsc#1244127)
- Version 0.1.34-0
  * Fixed mgradm backup create handling of images and systemd files (bsc#1246738)
- Version 0.1.33-0
  * Restore volumes using tar instead of podman import (bsc#1244127)
- Version 0.1.32-0
  * Fixed version compare by backport from main (bsc#1246662)

venv-salt-minion:
- Security issues fixed:
  - CVE-2025-62349: Added minimum_auth_version to enforce security (bsc#1254257)
  - CVE-2025-62348: Fixed Junos module yaml loader (bsc#1254256)
  - Backport security fixes for vendored tornado
    * BDSA-2024-3438
    * BDSA-2024-3439
    * BDSA-2024-9026
- Other changes and bugs fixed:
  - Added `minion_legacy_req_warnings` option to avoid noisy warnings
  - Fixed TLS and x509 modules for OSes with older cryptography module
  - Fixed Salt for Python > 3.11 (bsc#1252285) (bsc#1252244)
    * Use external tornado on Python > 3.11
    * Make tls and x509 use python-cryptography
    * Remove usage of spwd
  - Filter out zero-length check as the empty files are expected there
  - Filter out env-script-interpreter for ssh-id-wrapper as not used with the Salt Bundle, but present inside the salt module
  - Fixed functional.states.test_user for SLES 16 and Micro systems
  - Fixed known_hosts error on gitfs (bsc#1250520) (bsc#1227207)
  - Fixed payload signature verification on Tumbleweed (bsc#1251776)
  - Fixed the tests failing on AlmaLinux 10 and other clones
  - Improve SL Micro 6.2 detection with grains
  - Removed unused activate script (bsc#1245740)
  - Use a stricter way to fix the shebang in the bundle scripts
  - Use versioned python interpreter for salt-ssh
Affected Systems
- suse•salt&distro=SUSE Linux Micro 6.0: versions < 3006.0-14.1
References (31)
- https://www.suse.com/support/update/announcement/2025/suse-su-202521216-1/
- https://bugzilla.suse.com/1227207
- https://bugzilla.suse.com/1243611
- https://bugzilla.suse.com/1243704
- https://bugzilla.suse.com/1244027
- https://bugzilla.suse.com/1244127
- https://bugzilla.suse.com/1244534
- https://bugzilla.suse.com/1245099
- https://bugzilla.suse.com/1245740
- https://bugzilla.suse.com/1246068
- https://bugzilla.suse.com/1246320
- https://bugzilla.suse.com/1246553
- https://bugzilla.suse.com/1246662
- https://bugzilla.suse.com/1246738
- https://bugzilla.suse.com/1246789
- https://bugzilla.suse.com/1246882
- https://bugzilla.suse.com/1246906
- https://bugzilla.suse.com/1246925
- https://bugzilla.suse.com/1247688
- https://bugzilla.suse.com/1247721
- https://bugzilla.suse.com/1250520
- https://bugzilla.suse.com/1250755
- https://bugzilla.suse.com/1251044
- https://bugzilla.suse.com/1251138
- https://bugzilla.suse.com/1251776
- https://bugzilla.suse.com/1252244
- https://bugzilla.suse.com/1252285
- https://bugzilla.suse.com/1254256
- https://bugzilla.suse.com/1254257
- https://www.suse.com/security/cve/CVE-2025-62348
- https://www.suse.com/security/cve/CVE-2025-62349