SUSE-SU-2026:1013-1

Description

Security update 5.0.7 for Multi-Linux Manager Client Tools This update fixes the following issues: dracut-saltboot: - Version update to 1.1.0: * Retry DHCP requests up to 3 times (bsc#1253004) golang-github-QubitProducts-exporter_exporter: - Non-customer-facing optimization and update golang-github-boynux-squid_exporter: - Version update from 1.6.0 to 1.13.0 with the following highlighted changes and fixes (jsc#PED-14971): * Added compatibility for Squid 6 and support for the squid-internal-mgr metrics path * Added TLS and Basic Authentication to the exporter’s web interface * Added support for the exporter to authenticate against the Squid proxy itself * Allow the gathering of process information without requiring root privileges * The exporter can now be configured using environment variables * Added support for custom labels to all exported metrics for better data filtering * New metrics to track if Squid is running (squid_up), how long a scrape takes, and if any errors occurred * Added 'service time' metrics to analyze proxy speed and performance. * Added a metric for open file descriptors (process_open_fds) to help prevent connection bottlenecks * Corrected the squid_client_http_requests_total metric to ensure accurate reporting golang-github-lusitaniae-apache_exporter: - Version update from 1.0.8 to 1.0.10: * Updated github.com/prometheus/client_golang to 1.21.1 * Updated github.com/prometheus/common to 0.63.0 * Updated github.com/prometheus/exporter-toolkit to 0.14.0 * Fixed signal handler logging golang-github-prometheus-prometheus: - Security issues fixed: * CVE-2026-27606: Fixed arbitrary file write via path traversal in rollup (bsc#1258893) * CVE-2026-25547: Fixed unbounded brace range expansion leading to excessive CPU and memory consumption (bsc#1257841) * CVE-2026-1615, CVE-2025-61140 The old web UI is no longer built due to security issues (bsc#1257897, bsc#1257442) * CVE-2025-13465: Bump lodash package to version 4.17.23 to fix prototype pollution vulnerability (bsc#1257329) * CVE-2025-12816: Interpretation conflict vulnerability allowing bypassing cryptographic verifications (bsc#1255588) - Version update from 2.53.4 to 3.5.0 with the following highlighted changes (jsc#PED-13824): * Modernized Interface: Introduced a brand-new UI * Enhanced Cloud and Auth: Added unified AWS service discovery (EC2, ECS, Lightsail) and Azure Workload Identity support for more secure, native cloudauthentication. * Performance Standards: Fully integrated OpenTelemetry (OTLP) ingestion and moved Native Histograms from experimental to a stable feature. * Advanced Data Export: Rolled out Remote Write 2.0, offering better performance and metadata handling when sending data to external systems. * Query Power: Added new PromQL functions (like first_over_time and last_over_time) and optimization for grouping operations * Better Visibility: The UI now displays detailed relabeling steps, scrape intervals, and timeouts, making it easier to troubleshoot why targets aren't reporting correctly. * Critical Fixes: Resolved significant memory leaks related to query logging and fixed bugs where targets were accidentally being scraped multiple times grafana: - Security issues fixed: * CVE-2026-21722: Public dashboards annotations: use dashboard timerange if time selection disabled (bsc#1258136) * CVE-2026-21721: Fixed access control by the dashboard permissions API (bsc#1257337) * CVE-2026-21720: Fixed unauthenticated DoS (bsc#1257349) * CVE-2025-68156: Fixed potential DoS via unbounded recursion in builtin functions (bsc#1255340) * CVE-2025-3415: Fixedexposure of DingDing alerting integration URL to Viewer level users (bsc#1245302) - Version update from 11.5.10 to 11.6.11 with the following highlighted changes and fixes: * Performance Boost: Introduced WebGL-powered geomaps for smoother map visualizations and removed blurred backgrounds from UI overlays to speed up the interface * One-Click Actions: Visualizations now support faster navigation via one-click links and actions * Alerting History: Added version history for alert rules, allowing you to track changes over time * Service Accounts: Automated the migration of old API keys to more secure Service Accounts upon startup * Cron Support: Annotations now support Cron syntax for more flexible scheduling * Identity and Auth: Hardened the Avatar feature (now requires sign-in) and fixed several login redirection issues when Grafana is hosted on a subpath * Data Source Support: Added support for Cloud Partner Prometheus data sources and improved Azure legend formatting * Alerting Limits: Added size limits for expanded notification templates to prevent system strain * RBAC: Integrated Role-Based Access Control (RBAC) into the Alertmanager via the reqAction field * Data Consistency: Fixed several issues with Graphite and InfluxDB regarding how variables are handled in repeated rows or nested queries * Dashboard Reliability: Resolved bugs involving row repeats and 'self-referencing' data links * Alerting Fixes: Patched a critical 'panic' (crash) caused by a race condition in alert rules and fixed issues where contact points weren't working correctly * URL Handling: Fixed a bug where 'true' values in URL parameters weren't being read correctly prometheus-blackbox_exporter: - Non-customer-facing optimization and update spacecmd: - Version update to 5.0.15: * Fixed typo in spacecmd help ca-cert flag (bsc#1253174) * Convert cached IDs to integer values (bsc#1251995) * Fixed spacecmd binary file upload (bsc#1253659) uyuni-tools: - Version update to 0.1.38: * Fixed cobbler configuration when migrating to standalone files (bsc#1256803) * Detect custom apache and squid config in the /etc/uyuni/proxy folder * Add ssh tuning to configure sshd (bsc#1253738) * Ignore supportconfig errors (bsc#1255781) * Bumped the default image tag to 5.0.7 * Removed cgroup mount for podman containers (bsc#1253347) * Registry flag can be a string (bsc#1254589) * Use static supportconfig name to avoid dynamic search (bsc#1257941)

Affected Systems

• opensuse•dracut-saltboot&distro=openSUSE Leap 15.6

  < 1.1.0-150000.1.65.1

• opensuse•golang-github-boynux-squid_exporter&distro=openSUSE Leap 15.6

  < 1.13.0-150000.1.12.1

• opensuse•golang-github-lusitaniae-apache_exporter&distro=openSUSE Leap 15.6

  < 1.0.10-150000.1.26.1

• opensuse•golang-github-prometheus-promu&distro=openSUSE Leap 15.6

  < 0.17.0-150000.3.30.1

• opensuse•golang-github-QubitProducts-exporter_exporter&distro=openSUSE Leap 15.6

  < 0.4.0-150000.1.21.1

• opensuse•prometheus-blackbox_exporter&distro=openSUSE Leap 15.6

  < 0.26.0-150000.1.30.2

• opensuse•spacecmd&distro=openSUSE Leap 15.6

  < 5.0.15-150000.3.142.1

• suse•dracut-saltboot&distro=SUSE Manager Client Tools 15

  < 1.1.0-150000.1.65.1

• suse•dracut-saltboot&distro=SUSE Manager Client Tools for SLE Micro 5

  < 1.1.0-150000.1.65.1

• suse•golang-github-boynux-squid_exporter&distro=SUSE Manager Client Tools 15

  < 1.13.0-150000.1.12.1

• suse•golang-github-lusitaniae-apache_exporter&distro=SUSE Manager Client Tools 15

  < 1.0.10-150000.1.26.1

• suse•golang-github-prometheus-prometheus&distro=SUSE Manager Client Tools 15

  < 3.5.0-150000.3.67.1

• suse•golang-github-prometheus-promu&distro=SUSE Linux Enterprise Module for Package Hub 15 SP7

  < 0.17.0-150000.3.30.1

• suse•golang-github-QubitProducts-exporter_exporter&distro=SUSE Manager Client Tools 15

  < 0.4.0-150000.1.21.1

• suse•golang-github-QubitProducts-exporter_exporter&distro=SUSE Manager Client Tools for SLE Micro 5

  < 0.4.0-150000.1.21.1

• suse•grafana&distro=SUSE Manager Client Tools 15

  < 11.6.11-150000.1.90.1

• suse•prometheus-blackbox_exporter&distro=SUSE Manager Client Tools 15

  < 0.26.0-150000.1.30.2

• suse•prometheus-blackbox_exporter&distro=SUSE Manager Client Tools for SLE Micro 5

  < 0.26.0-150000.1.30.2

• suse•spacecmd&distro=SUSE Manager Client Tools 15

  < 5.0.15-150000.3.142.1

• suse•uyuni-tools&distro=SUSE Manager Client Tools 15

  < 0.1.38-150000.1.30.1

• suse•uyuni-tools&distro=SUSE Manager Client Tools for SLE Micro 5

  < 0.1.38-150000.1.30.1

References (33)

• https://www.suse.com/support/update/announcement/2026/suse-su-20261013-1/
• https://bugzilla.suse.com/1245302
• https://bugzilla.suse.com/1251995
• https://bugzilla.suse.com/1253004
• https://bugzilla.suse.com/1253174
• https://bugzilla.suse.com/1253347
• https://bugzilla.suse.com/1253659
• https://bugzilla.suse.com/1253738
• https://bugzilla.suse.com/1254589
• https://bugzilla.suse.com/1255340
• https://bugzilla.suse.com/1255588
• https://bugzilla.suse.com/1255781
• https://bugzilla.suse.com/1256803
• https://bugzilla.suse.com/1257329
• https://bugzilla.suse.com/1257337
• https://bugzilla.suse.com/1257349
• https://bugzilla.suse.com/1257442
• https://bugzilla.suse.com/1257841
• https://bugzilla.suse.com/1257897
• https://bugzilla.suse.com/1257941
• https://bugzilla.suse.com/1258136
• https://bugzilla.suse.com/1258893
• https://www.suse.com/security/cve/CVE-2025-12816
• https://www.suse.com/security/cve/CVE-2025-13465
• https://www.suse.com/security/cve/CVE-2025-3415
• https://www.suse.com/security/cve/CVE-2025-61140
• https://www.suse.com/security/cve/CVE-2025-68156
• https://www.suse.com/security/cve/CVE-2026-1615
• https://www.suse.com/security/cve/CVE-2026-21720
• https://www.suse.com/security/cve/CVE-2026-21721
• https://www.suse.com/security/cve/CVE-2026-21722
• https://www.suse.com/security/cve/CVE-2026-25547
• https://www.suse.com/security/cve/CVE-2026-27606