SUSE-SU-2026:1148-1
Vulnerability Summary
Description
Security Beta update 5.2.0 Beta1 for Multi-Linux Manager Client Tools

This update fixes the following issues:

golang-github-prometheus-prometheus:
- CVE-2026-27606: Fix arbitrary file write via path traversal in rollup (bsc#1258893)
  * Bump rollup to version 4.59.0
- Drop SLE 12 support (jsc#PED-15474)
- CVE-2026-25547: Fix unbounded brace range expansion leading to excessive CPU and memory consumption (bsc#1257841)
  * Bump brace-expansion to version 5.0.2
- Do not build the old web UI. This fixes the following security vulnerabilities:
  * CVE-2026-1615: jsonpath: arbitrary code injection due to unsafe evaluation of user-supplied JSON Path expressions (bsc#1257897)
  * CVE-2025-61140: jsonpath: the `value` function is vulnerable to prototype pollution (bsc#1257442)
- Set the source URL in the spec file and drop the tar service

grafana:
- Drop support for SLE 12 (jsc#PED-15474)
- Update to version 11.6.11:
  Features and enhancements:
  * Alerting: Add limits for the size of expanded notification templates
  * Correlations: Remove support for org_id=0
  Security:
  * CVE-2026-21722: Public dashboards annotations: use the dashboard time range if time selection is disabled (bsc#1258136)
- Update to version 11.6.10:
  * API: Add missing scope check on dashboards
  * Avatar: Require sign-in, remove queue, respect timeout
  Bug fixes:
  * Alerting: Fix a race condition panic in ResetStateByRuleUID
- Update to version 11.6.9:
  * Plugins: Add PluginContext to plugins when scenes is disabled
  * Alerting: Fix contact point issues
- Update to version 11.6.8:
  * Alerting: Fix unmarshalling of GettableStatus to include time intervals
- Update to version 11.6.7:
  * Auth: Fix render user OAuth passthrough
  * LDAP Authentication: Fix URL to propagate username context as parameter
  * Plugins: Dependencies do not inherit parent URL for preinstall
  * URLParams: Stringify true values as key=true always (fixes issues with variables with a true value)
- Update to version 11.6.6:
  * Alerting: Fix copying of recording rule fields
  * Fix redirection after login when Grafana is served from a subpath
- Update to version 11.6.5:
  * Alerting: Bump alerting package to include change to NewTLSClient
- Update to version 11.6.4:
  * StateTimeline: Add endTime to tooltip
  * Unified storage: Respect GF_DATABASE_URL override
  * Alerting: Fix group interval override when adding new rules
  * Azure: Fix legend formatting
  * Azure: Fix resource name determination in template variable queries
  * Graphite: Fix annotation queries
  * Graphite: Fix date mutation
  * Graphite: Fix nested variable interpolation for repeated rows
- Update to version 11.6.3:
  * Fixes CVE-2025-3415
- Update to version 11.6.2:
  * Dashboard: Fix issue with row repeats and first row
  * Graphite: Ensure template variables are interpolated correctly
  * Graphite: Fix Graphite series interpolation
  * Prometheus: Fix semver import path
- Update to version 11.6.1:
  * DashboardScenePage: Correct slug in self-referencing data links
  * GrafanaUI: Use safePolygon close handler for interactive tooltips instead of a delay
  * Prometheus: Add support for cloud partners Prometheus data sources
  * Alertmanager: Add Role-Based Access Control via reqAction field
  * GrafanaUI: Remove blurred background from overlay backdrops to improve performance
  * InfluxDB: Fix nested variable interpolation
  * LDAP test: Fix page crash
  * Org redirection: Fix linking between orgs
- Upgrade to version 11.6.0:
  * Visualisations: One click links and actions
  * Annotations: Add cron syntax support
  * WebGL-powered geomaps for better performance
  * Alerting: Add alert rule version history
  * API keys: Migrate API keys to service accounts at startup

mgr-push:
- Version 5.2.3-0
  * Disable build for SLES 16

rhnlib:
- Version 5.2.4-0
  * Disable build for SLES 16

spacecmd:
- Version 5.2.6-0
  * Update translation strings

spacewalk-client-tools:
- Version 5.2.4-0
  * Disable build for SLES 16

uyuni-common-libs:
- Version 5.2.3-0
  * Disable build for SLES 16

uyuni-tools:
- Version 5.2.5-0
  * Remove migrate command
  * Remove template script from mgradm: use the one in the image
  * Split the TFTP server into a separate container
  * Explicitly start proxy pods after operations (bsc#1258015)
  * Adjust mgrctl server filter to work with the new helm chart labels
  * Remove hub register command
  * Remove the Kubernetes install and upgrade from mgrpxy
  * Optimize postgres migration disk space usage (bsc#1257447)

venv-salt-minion:
- Fix the issue preventing the SELinux profile from being loaded on SLES 16 deployed using cloud images (bsc#1258957)
- Fix the typo causing the EL9 bundle to be built without binary dependencies
- Backport security patches for the tornado vendored in Salt:
  * CVE-2025-67724: missing validation of supplied reason phrase (bsc#1254903)
  * CVE-2025-67725: fix DoS via malicious HTTP request (bsc#1254905)
  * CVE-2025-67726: fix HTTP header parameter parsing algorithm (bsc#1254904)
- CVE-2025-62349: Add minimum_auth_version to enforce security (bsc#1254257)
- CVE-2025-62348: Junos module yaml loader fix (bsc#1254256)

Multi-Linux-ManagerTools-Beta-SLE-Micro-release:
- Make the product installable on the whole SLE Micro 5 family
Affected Systems
A system is affected if the installed version of the package is lower than the version listed (package, product, fixed version):
- dracut-saltboot (SUSE Multi Linux Manager Tools Beta SLE-15): < 1.1.0-159000.2.2.1
- dracut-saltboot (SUSE Multi Linux Manager Tools Beta SLE-Micro-5): < 1.1.0-159000.2.2.1
- dracut-wireless (SUSE Multi Linux Manager Tools Beta SLE-15): < 0.1.1595937550.0285244-159000.2.2.1
- dracut-wireless (SUSE Multi Linux Manager Tools Beta SLE-Micro-5): < 0.1.1595937550.0285244-159000.2.2.1
- golang-github-boynux-squid_exporter (SUSE Multi Linux Manager Tools Beta SLE-15): < 1.13.0-159000.2.2.1
- golang-github-lusitaniae-apache_exporter (SUSE Multi Linux Manager Tools Beta SLE-15): < 1.0.10-159000.2.2.1
- golang-github-prometheus-alertmanager (SUSE Multi Linux Manager Tools Beta SLE-15): < 0.28.1-159000.12.2.1
- golang-github-prometheus-node_exporter (SUSE Multi Linux Manager Tools Beta SLE-15): < 1.9.1-159000.4.2.1
- golang-github-prometheus-node_exporter (SUSE Multi Linux Manager Tools Beta SLE-Micro-5): < 1.9.1-159000.4.2.1
- golang-github-prometheus-prometheus (SUSE Multi Linux Manager Tools Beta SLE-15): < 3.5.0-159000.4.3.2
- golang-github-QubitProducts-exporter_exporter (SUSE Multi Linux Manager Tools Beta SLE-15): < 0.4.0-159000.2.2.1
- grafana (SUSE Multi Linux Manager Tools Beta SLE-15): < 11.6.11-159000.2.3.2
- mgr-push (SUSE Multi Linux Manager Tools Beta SLE-15): < 5.2.3-159000.2.3.1
- Multi-Linux-ManagerTools-Beta-SLE-Micro-release (SUSE Multi Linux Manager Tools Beta SLE-Micro-5): < 5-159000.3.3.1
- prometheus-blackbox_exporter (SUSE Multi Linux Manager Tools Beta SLE-15): < 0.26.0-159000.2.2.1
- prometheus-postgres_exporter (SUSE Multi Linux Manager Tools Beta SLE-15): < 0.10.1-159000.2.2.1
- python-defusedxml (SUSE Multi Linux Manager Tools Beta SLE-15): < 0.7.1-159000.4.2.1
- rhnlib (SUSE Multi Linux Manager Tools Beta SLE-15): < 5.2.4-159000.4.3.1
- spacecmd (SUSE Multi Linux Manager Tools Beta SLE-15): < 5.2.6-159000.4.3.1
- spacewalk-client-tools (SUSE Multi Linux Manager Tools Beta SLE-15): < 5.2.4-159000.4.3.1
- supportutils-plugin-salt (SUSE Multi Linux Manager Tools Beta SLE-15): < 1.2.3-159000.4.2.1
- supportutils-plugin-susemanager-client (SUSE Multi Linux Manager Tools Beta SLE-15): < 5.2.2-159000.4.2.1
- uyuni-common-libs (SUSE Multi Linux Manager Tools Beta SLE-15): < 5.2.3-159000.2.3.1
- uyuni-tools (SUSE Multi Linux Manager Tools Beta SLE-15): < 5.2.5-159000.2.3.2
- uyuni-tools (SUSE Multi Linux Manager Tools Beta SLE-Micro-5): < 5.2.5-159000.2.3.2
- venv-salt-minion (SUSE Multi Linux Manager Tools Beta SLE-15): < 3006.0-159000.5.3.2
- venv-salt-minion (SUSE Multi Linux Manager Tools Beta SLE-Micro-5): < 3006.0-159000.5.3.2
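The "<" comparison above is rpm's version ordering, not a plain string or dotted-number comparison: numeric segments beat alphabetic ones, leading zeros are ignored, "~" marks a pre-release and "^" a post-release. The following is an added example and not part of the SUSE advisory or of any SUSE tool: a Python port of rpm's rpmvercmp() plus an epoch/version/release comparison, used to flag installed packages that are still below the fixed versions. FIXED_VERSIONS copies four entries from the list above; SAMPLE_INSTALLED is constructed data so the check runs offline, and query_installed() only shells out to rpm when it is present. On a real host, `zypper patch` (or `zypper lu`) against the Beta channels remains the authoritative check, since this script only compares versions and does not know which product channel a package came from.

```python
"""Compare installed Multi-Linux Manager client tools with the fixed EVRs in SUSE-SU-2026:1148-1.

Added example: rpmvercmp() below is a port of rpm's algorithm; FIXED_VERSIONS is copied from the
advisory, SAMPLE_INSTALLED is constructed data, and query_installed() uses rpm only on a real host.
"""
from __future__ import annotations

import functools
import shutil
import subprocess
from typing import Dict, Iterable, List, Optional, Tuple

# Fixed "version-release" strings for a subset of the affected packages (from the advisory).
FIXED_VERSIONS: Dict[str, str] = {
    "golang-github-prometheus-prometheus": "3.5.0-159000.4.3.2",
    "grafana": "11.6.11-159000.2.3.2",
    "venv-salt-minion": "3006.0-159000.5.3.2",
    "uyuni-tools": "5.2.5-159000.2.3.2",
}

# Constructed sample of `rpm -q --qf '%{EPOCH}:%{VERSION}-%{RELEASE}'` output; None = not installed.
SAMPLE_INSTALLED: Dict[str, Optional[str]] = {
    "golang-github-prometheus-prometheus": "(none):3.5.0-159000.4.3.1",  # one release behind the fix
    "grafana": "(none):11.6.11-159000.2.3.2",                             # already at the fixed EVR
    "venv-salt-minion": "(none):3006.0-159000.5.2.1",                     # older release
    "uyuni-tools": None,                                                   # not installed
}


def rpmvercmp(a: str, b: str) -> int:
    """Port of rpm's rpmvercmp(): -1 if a < b, 0 if equal, 1 if a > b."""
    if a == b:
        return 0
    i = j = 0
    la, lb = len(a), len(b)

    def skip_sep(s: str, k: int) -> int:
        # Separators other than '~' and '^' carry no meaning and are skipped.
        while k < len(s) and not s[k].isalnum() and s[k] not in "~^":
            k += 1
        return k

    while i < la or j < lb:
        i, j = skip_sep(a, i), skip_sep(b, j)
        ca = a[i] if i < la else ""
        cb = b[j] if j < lb else ""
        if ca == "~" or cb == "~":          # tilde: the side carrying '~' is the older one
            if ca != "~":
                return 1
            if cb != "~":
                return -1
            i, j = i + 1, j + 1
            continue
        if ca == "^" or cb == "^":          # caret: newer than the bare version, older than a longer one
            if not ca:
                return -1
            if not cb:
                return 1
            if ca != "^":
                return 1
            if cb != "^":
                return -1
            i, j = i + 1, j + 1
            continue
        if not (ca and cb):                 # one side ran out of segments
            break
        isnum = ca.isdigit()
        probe = str.isdigit if isnum else str.isalpha
        si, sj = i, j
        while si < la and probe(a[si]):
            si += 1
        while sj < lb and probe(b[sj]):
            sj += 1
        seg_a, seg_b = a[i:si], b[j:sj]
        if not seg_b:                       # different segment types: numeric beats alphabetic
            return 1 if isnum else -1
        if isnum:
            seg_a, seg_b = seg_a.lstrip("0"), seg_b.lstrip("0")
            if len(seg_a) != len(seg_b):    # more significant digits means a larger number
                return 1 if len(seg_a) > len(seg_b) else -1
        if seg_a != seg_b:
            return 1 if seg_a > seg_b else -1
        i, j = si, sj
    if i >= la and j >= lb:
        return 0
    return -1 if i >= la else 1             # whichever side still has segments left wins


def parse_evr(evr: str) -> Tuple[int, str, str]:
    """Split 'epoch:version-release'; rpm prints '(none)' for an unset epoch, which counts as 0."""
    epoch = 0
    if ":" in evr:
        e, evr = evr.split(":", 1)
        epoch = int(e) if e.isdigit() else 0
    version, _, release = evr.partition("-")
    return epoch, version, release


def evr_cmp(a: str, b: str) -> int:
    """Compare two EVR strings the way rpm does: epoch first, then version, then release."""
    ea, va, ra = parse_evr(a)
    eb, vb, rb = parse_evr(b)
    if ea != eb:
        return 1 if ea > eb else -1
    return rpmvercmp(va, vb) or rpmvercmp(ra, rb)


def vulnerable(installed: Dict[str, Optional[str]]) -> List[str]:
    """Return the installed packages whose EVR is still below the advisory's fixed EVR."""
    return sorted(
        pkg for pkg, evr in installed.items()
        if evr is not None and pkg in FIXED_VERSIONS and evr_cmp(evr, FIXED_VERSIONS[pkg]) < 0
    )


def query_installed(packages: Iterable[str]) -> Dict[str, Optional[str]]:
    """Read EVRs from the local rpm database (real host only; the sample run does not call this)."""
    result: Dict[str, Optional[str]] = {}
    for pkg in packages:
        proc = subprocess.run(["rpm", "-q", "--qf", "%{EPOCH}:%{VERSION}-%{RELEASE}\n", pkg],
                              capture_output=True, text=True)
        lines = proc.stdout.split()
        # rpm exits non-zero for a missing package; several lines mean several installed versions,
        # and the highest one decides whether the fix is present.
        result[pkg] = max(lines, key=functools.cmp_to_key(evr_cmp)) if proc.returncode == 0 and lines else None
    return result


if __name__ == "__main__":
    data = query_installed(FIXED_VERSIONS) if shutil.which("rpm") else SAMPLE_INSTALLED
    for pkg in vulnerable(data):
        print(f"{pkg}: installed {data[pkg]} < fixed {FIXED_VERSIONS[pkg]}")
```

With the constructed sample the script reports golang-github-prometheus-prometheus and venv-salt-minion, since both sit one or more release numbers below the fixed EVR, while grafana (already at the fixed version) and uyuni-tools (not installed) are skipped. Extending FIXED_VERSIONS to the full list above is a copy of the remaining pairs.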
References (25)
- https://www.suse.com/support/update/announcement/2026/suse-su-20261148-1/
- https://bugzilla.suse.com/1254256
- https://bugzilla.suse.com/1254257
- https://bugzilla.suse.com/1254903
- https://bugzilla.suse.com/1254904
- https://bugzilla.suse.com/1254905
- https://bugzilla.suse.com/1257442
- https://bugzilla.suse.com/1257447
- https://bugzilla.suse.com/1257841
- https://bugzilla.suse.com/1257897
- https://bugzilla.suse.com/1258015
- https://bugzilla.suse.com/1258136
- https://bugzilla.suse.com/1258893
- https://bugzilla.suse.com/1258957
- https://www.suse.com/security/cve/CVE-2025-3415
- https://www.suse.com/security/cve/CVE-2025-61140
- https://www.suse.com/security/cve/CVE-2025-62348
- https://www.suse.com/security/cve/CVE-2025-62349
- https://www.suse.com/security/cve/CVE-2025-67724
- https://www.suse.com/security/cve/CVE-2025-67725
- https://www.suse.com/security/cve/CVE-2025-67726
- https://www.suse.com/security/cve/CVE-2026-1615
- https://www.suse.com/security/cve/CVE-2026-21722
- https://www.suse.com/security/cve/CVE-2026-25547
- https://www.suse.com/security/cve/CVE-2026-27606