SUSE-SU-2026:1013-1

Published: 25 Mar 2026
Source: suse-cvrf

Description

Security update 5.0.7 for Multi-Linux Manager Client Tools

This update fixes the following issues:

dracut-saltboot:

  • Version update to 1.1.0:

    • Retry DHCP requests up to 3 times (bsc#1253004)

golang-github-QubitProducts-exporter_exporter:

  • Non-customer-facing optimization and update

golang-github-boynux-squid_exporter:

  • Version update from 1.6.0 to 1.13.0 with the following highlighted changes and fixes (jsc#PED-14971):

    • Added compatibility for Squid 6 and support for the squid-internal-mgr metrics path
    • Added TLS and Basic Authentication to the exporter’s web interface
    • Added support for the exporter to authenticate against the Squid proxy itself
    • Allow the gathering of process information without requiring root privileges
    • The exporter can now be configured using environment variables
    • Added support for custom labels to all exported metrics for better data filtering
    • New metrics to track if Squid is running (squid_up), how long a scrape takes, and if any errors occurred
    • Added 'service time' metrics to analyze proxy speed and performance
    • Added a metric for open file descriptors (process_open_fds) to help prevent connection bottlenecks
    • Corrected the squid_client_http_requests_total metric to ensure accurate reporting

golang-github-lusitaniae-apache_exporter:

  • Version update from 1.0.8 to 1.0.10:

    • Updated github.com/prometheus/client_golang to 1.21.1
    • Updated github.com/prometheus/common to 0.63.0
    • Updated github.com/prometheus/exporter-toolkit to 0.14.0
    • Fixed signal handler logging

golang-github-prometheus-prometheus:

  • Security issues fixed:

    • CVE-2026-27606: Fixed arbitrary file write via path traversal in rollup (bsc#1258893)
    • CVE-2026-25547: Fixed unbounded brace range expansion leading to excessive CPU and memory consumption (bsc#1257841)
    • CVE-2026-1615, CVE-2025-61140: The old web UI is no longer built due to security issues (bsc#1257897, bsc#1257442)
    • CVE-2025-13465: Bump lodash package to version 4.17.23 to fix prototype pollution vulnerability (bsc#1257329)
    • CVE-2025-12816: Interpretation conflict vulnerability allowing bypassing cryptographic verifications (bsc#1255588)
  • Version update from 2.53.4 to 3.5.0 with the following highlighted changes (jsc#PED-13824):

    • Modernized Interface: Introduced a brand-new UI
    • Enhanced Cloud and Auth: Added unified AWS service discovery (EC2, ECS, Lightsail) and Azure Workload Identity support for more secure, native cloud authentication
    • Performance Standards: Fully integrated OpenTelemetry (OTLP) ingestion and moved Native Histograms from experimental to a stable feature
    • Advanced Data Export: Rolled out Remote Write 2.0, offering better performance and metadata handling when sending data to external systems
    • Query Power: Added new PromQL functions (like first_over_time and last_over_time) and optimization for grouping operations
    • Better Visibility: The UI now displays detailed relabeling steps, scrape intervals, and timeouts, making it easier to troubleshoot why targets aren't reporting correctly.
    • Critical Fixes: Resolved significant memory leaks related to query logging and fixed bugs where targets were accidentally being scraped multiple times

grafana:

  • Security issues fixed:

    • CVE-2026-21722: Public dashboards annotations: use dashboard timerange if time selection disabled (bsc#1258136)
    • CVE-2026-21721: Fixed access control by the dashboard permissions API (bsc#1257337)
    • CVE-2026-21720: Fixed unauthenticated DoS (bsc#1257349)
    • CVE-2025-68156: Fixed potential DoS via unbounded recursion in builtin functions (bsc#1255340)
    • CVE-2025-3415: Fixed exposure of DingDing alerting integration URL to Viewer level users (bsc#1245302)
  • Version update from 11.5.10 to 11.6.11 with the following highlighted changes and fixes:

    • Performance Boost: Introduced WebGL-powered geomaps for smoother map visualizations and removed blurred backgrounds from UI overlays to speed up the interface
    • One-Click Actions: Visualizations now support faster navigation via one-click links and actions
    • Alerting History: Added version history for alert rules, allowing you to track changes over time
    • Service Accounts: Automated the migration of old API keys to more secure Service Accounts upon startup
    • Cron Support: Annotations now support Cron syntax for more flexible scheduling
    • Identity and Auth: Hardened the Avatar feature (now requires sign-in) and fixed several login redirection issues when Grafana is hosted on a subpath
    • Data Source Support: Added support for Cloud Partner Prometheus data sources and improved Azure legend formatting
    • Alerting Limits: Added size limits for expanded notification templates to prevent system strain
    • RBAC: Integrated Role-Based Access Control (RBAC) into the Alertmanager via the reqAction field
    • Data Consistency: Fixed several issues with Graphite and InfluxDB regarding how variables are handled in repeated rows or nested queries
    • Dashboard Reliability: Resolved bugs involving row repeats and 'self-referencing' data links
    • Alerting Fixes: Patched a critical 'panic' (crash) caused by a race condition in alert rules and fixed issues where contact points weren't working correctly
    • URL Handling: Fixed a bug where 'true' values in URL parameters weren't being read correctly

prometheus-blackbox_exporter:

  • Non-customer-facing optimization and update

spacecmd:

  • Version update to 5.0.15:

    • Fixed typo in spacecmd help ca-cert flag (bsc#1253174)
    • Convert cached IDs to integer values (bsc#1251995)
    • Fixed spacecmd binary file upload (bsc#1253659)

uyuni-tools:

  • Version update to 0.1.38:

    • Fixed cobbler configuration when migrating to standalone files (bsc#1256803)
    • Detect custom apache and squid config in the /etc/uyuni/proxy folder
    • Add ssh tuning to configure sshd (bsc#1253738)
    • Ignore supportconfig errors (bsc#1255781)
    • Bumped the default image tag to 5.0.7
    • Removed cgroup mount for podman containers (bsc#1253347)
    • Registry flag can be a string (bsc#1254589)
    • Use static supportconfig name to avoid dynamic search (bsc#1257941)

Package list

Container suse/manager/5.0/x86_64/server:latest
  • golang-github-QubitProducts-exporter_exporter-0.4.0-150000.1.21.1

SUSE Linux Enterprise Module for Package Hub 15 SP7
  • golang-github-prometheus-promu-0.17.0-150000.3.30.1

SUSE Manager Client Tools 15
  • dracut-saltboot-1.1.0-150000.1.65.1
  • firewalld-prometheus-config-0.1-150000.3.67.1
  • golang-github-QubitProducts-exporter_exporter-0.4.0-150000.1.21.1
  • golang-github-boynux-squid_exporter-1.13.0-150000.1.12.1
  • golang-github-lusitaniae-apache_exporter-1.0.10-150000.1.26.1
  • golang-github-prometheus-prometheus-3.5.0-150000.3.67.1
  • grafana-11.6.11-150000.1.90.1
  • mgrctl-0.1.38-150000.1.30.1
  • mgrctl-bash-completion-0.1.38-150000.1.30.1
  • mgrctl-lang-0.1.38-150000.1.30.1
  • mgrctl-zsh-completion-0.1.38-150000.1.30.1
  • prometheus-blackbox_exporter-0.26.0-150000.1.30.2
  • spacecmd-5.0.15-150000.3.142.1

SUSE Manager Client Tools for SLE Micro 5
  • dracut-saltboot-1.1.0-150000.1.65.1
  • golang-github-QubitProducts-exporter_exporter-0.4.0-150000.1.21.1
  • mgrctl-0.1.38-150000.1.30.1
  • mgrctl-bash-completion-0.1.38-150000.1.30.1
  • mgrctl-lang-0.1.38-150000.1.30.1
  • mgrctl-zsh-completion-0.1.38-150000.1.30.1
  • prometheus-blackbox_exporter-0.26.0-150000.1.30.2

openSUSE Leap 15.6
  • dracut-saltboot-1.1.0-150000.1.65.1
  • golang-github-QubitProducts-exporter_exporter-0.4.0-150000.1.21.1
  • golang-github-boynux-squid_exporter-1.13.0-150000.1.12.1
  • golang-github-lusitaniae-apache_exporter-1.0.10-150000.1.26.1
  • golang-github-prometheus-promu-0.17.0-150000.3.30.1
  • prometheus-blackbox_exporter-0.26.0-150000.1.30.2
  • spacecmd-5.0.15-150000.3.142.1

Description (CVE-2025-12816, node-forge)

An interpretation-conflict (CWE-436) vulnerability in node-forge versions 1.3.1 and earlier enables unauthenticated attackers to craft ASN.1 structures to desynchronize schema validations, yielding a semantic divergence that may bypass downstream cryptographic verifications and security decisions.


Affected products
Container suse/manager/5.0/x86_64/server:latest:golang-github-QubitProducts-exporter_exporter-0.4.0-150000.1.21.1
SUSE Linux Enterprise Module for Package Hub 15 SP7:golang-github-prometheus-promu-0.17.0-150000.3.30.1
SUSE Manager Client Tools 15:dracut-saltboot-1.1.0-150000.1.65.1
SUSE Manager Client Tools 15:firewalld-prometheus-config-0.1-150000.3.67.1


Description (CVE-2025-13465, lodash)

Lodash versions 4.0.0 through 4.17.22 are vulnerable to prototype pollution in the _.unset and _.omit functions. An attacker can pass crafted paths which cause Lodash to delete methods from global prototypes. The issue permits deletion of properties but does not allow overwriting their original behavior. This issue is patched in 4.17.23.


Affected products
Container suse/manager/5.0/x86_64/server:latest:golang-github-QubitProducts-exporter_exporter-0.4.0-150000.1.21.1
SUSE Linux Enterprise Module for Package Hub 15 SP7:golang-github-prometheus-promu-0.17.0-150000.3.30.1
SUSE Manager Client Tools 15:dracut-saltboot-1.1.0-150000.1.65.1
SUSE Manager Client Tools 15:firewalld-prometheus-config-0.1-150000.3.67.1


Description (CVE-2025-3415, Grafana)

Grafana is an open-source platform for monitoring and observability. The Grafana Alerting DingDing integration was not properly protected and could be exposed to users with Viewer permission. Fixed in versions 10.4.19+security-01, 11.2.10+security-01, 11.3.7+security-01, 11.4.5+security-01, 11.5.5+security-01, 11.6.2+security-01 and 12.0.1+security-01


Affected products
Container suse/manager/5.0/x86_64/server:latest:golang-github-QubitProducts-exporter_exporter-0.4.0-150000.1.21.1
SUSE Linux Enterprise Module for Package Hub 15 SP7:golang-github-prometheus-promu-0.17.0-150000.3.30.1
SUSE Manager Client Tools 15:dracut-saltboot-1.1.0-150000.1.65.1
SUSE Manager Client Tools 15:firewalld-prometheus-config-0.1-150000.3.67.1


Description (jsonpath)

The value function in jsonpath 1.1.1 lib/index.js is vulnerable to Prototype Pollution.


Affected products
Container suse/manager/5.0/x86_64/server:latest:golang-github-QubitProducts-exporter_exporter-0.4.0-150000.1.21.1
SUSE Linux Enterprise Module for Package Hub 15 SP7:golang-github-prometheus-promu-0.17.0-150000.3.30.1
SUSE Manager Client Tools 15:dracut-saltboot-1.1.0-150000.1.65.1
SUSE Manager Client Tools 15:firewalld-prometheus-config-0.1-150000.3.67.1


Description (CVE-2025-68156, Expr)

Expr is an expression language and expression evaluation for Go. Prior to version 1.17.7, several builtin functions in Expr, including `flatten`, `min`, `max`, `mean`, and `median`, perform recursive traversal over user-provided data structures without enforcing a maximum recursion depth. If the evaluation environment contains deeply nested or cyclic data structures, these functions may recurse indefinitely until they exceed the Go runtime stack limit. This results in a stack overflow panic, causing the host application to crash. While exploitability depends on whether an attacker can influence or inject cyclic or pathologically deep data into the evaluation environment, this behavior represents a denial-of-service (DoS) risk and affects overall library robustness. Instead of returning a recoverable evaluation error, the process may terminate unexpectedly. In affected versions, evaluation of expressions that invoke certain builtin functions on untrusted or insufficiently validated data structures can lead to a process-level crash due to stack exhaustion. This issue is most relevant in scenarios where Expr is used to evaluate expressions against externally supplied or dynamically constructed environments; cyclic references (directly or indirectly) can be introduced into arrays, maps, or structs; and there are no application-level safeguards preventing deeply nested input data. In typical use cases with controlled, acyclic data, the issue may not manifest. However, when present, the resulting panic can be used to reliably crash the application, constituting a denial of service. The issue has been fixed in the v1.17.7 versions of Expr. The patch introduces a maximum recursion depth limit for affected builtin functions. When this limit is exceeded, evaluation aborts gracefully and returns a descriptive error instead of panicking.
Additionally, the maximum depth can be customized by users via `builtin.MaxDepth`, allowing applications with legitimate deep structures to raise the limit in a controlled manner. Users are strongly encouraged to upgrade to the patched release, which includes both the recursion guard and comprehensive test coverage to prevent regressions. For users who cannot immediately upgrade, some mitigations are recommended. Ensure that evaluation environments cannot contain cyclic references, validate or sanitize externally supplied data structures before passing them to Expr, and/or wrap expression evaluation with panic recovery to prevent a full process crash (as a last-resort defensive measure). These workarounds reduce risk but do not fully eliminate the issue without the patch.
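The recursion guard the patch describes, written out as an added example (this is not the Expr library's code): an unbounded `flatten` next to a depth-budgeted one that returns an error instead of blowing the stack. The `MaxDepth` constant stands in for the `builtin.MaxDepth` knob mentioned above and its name and value are assumptions; the cyclic input is constructed for the demonstration.

```go
package main

import (
	"errors"
	"fmt"
)

// ErrMaxDepth is returned instead of letting the Go runtime panic on
// stack exhaustion.
var ErrMaxDepth = errors.New("flatten: maximum nesting depth exceeded")

// MaxDepth is an assumed depth budget, playing the role of a
// builtin.MaxDepth-style setting that applications could raise.
const MaxDepth = 64

// flattenUnbounded is the vulnerable shape: it recurses as deep as the data
// goes, so a slice that contains itself recurses until the stack is gone.
// It is kept here only as the 'before' and is never called on cyclic input.
func flattenUnbounded(v any) []any {
	arr, ok := v.([]any)
	if !ok {
		return []any{v}
	}
	var out []any
	for _, e := range arr {
		out = append(out, flattenUnbounded(e)...)
	}
	return out
}

// flattenBounded is the hardened shape: every level of nesting consumes one
// unit of the depth budget and the walk aborts with a recoverable error once
// the budget is exhausted, whether the cause is a deep tree or a cycle.
func flattenBounded(v any, depth int) ([]any, error) {
	if depth > MaxDepth {
		return nil, ErrMaxDepth
	}
	arr, ok := v.([]any)
	if !ok {
		return []any{v}, nil
	}
	out := make([]any, 0, len(arr))
	for _, e := range arr {
		sub, err := flattenBounded(e, depth+1)
		if err != nil {
			return nil, err
		}
		out = append(out, sub...)
	}
	return out, nil
}

// cyclicInput builds the pathological environment the advisory describes:
// a slice whose only element is the slice itself (constructed sample input).
func cyclicInput() []any {
	self := make([]any, 1)
	self[0] = self
	return self
}

func main() {
	flat, err := flattenBounded([]any{1, []any{2, []any{3}}}, 0)
	fmt.Println(flat, err) // [1 2 3] <nil>
	_, err = flattenBounded(cyclicInput(), 0)
	fmt.Println(err) // flatten: maximum nesting depth exceeded
}
```

The depth counter is the cheapest guard because it needs no bookkeeping of visited pointers; a visited-set check would detect the cycle earlier but still leaves a legitimately deep, acyclic input able to exhaust the stack, which is why the patch bounds depth rather than detecting cycles.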


Affected products
Container suse/manager/5.0/x86_64/server:latest:golang-github-QubitProducts-exporter_exporter-0.4.0-150000.1.21.1
SUSE Linux Enterprise Module for Package Hub 15 SP7:golang-github-prometheus-promu-0.17.0-150000.3.30.1
SUSE Manager Client Tools 15:dracut-saltboot-1.1.0-150000.1.65.1
SUSE Manager Client Tools 15:firewalld-prometheus-config-0.1-150000.3.67.1


Description (jsonpath)

Versions of the package jsonpath before 1.2.0 are vulnerable to Arbitrary Code Injection via unsafe evaluation of user-supplied JSON Path expressions. The library relies on the static-eval module to process JSON Path input, which is not designed to handle untrusted data safely. An attacker can exploit this vulnerability by supplying a malicious JSON Path expression that, when evaluated, executes arbitrary JavaScript code, leading to Remote Code Execution in Node.js environments or Cross-site Scripting (XSS) in browser contexts. This affects all methods that evaluate JSON Paths against objects, including .query, .nodes, .paths, .value, .parent, and .apply.


Affected products
Container suse/manager/5.0/x86_64/server:latest:golang-github-QubitProducts-exporter_exporter-0.4.0-150000.1.21.1
SUSE Linux Enterprise Module for Package Hub 15 SP7:golang-github-prometheus-promu-0.17.0-150000.3.30.1
SUSE Manager Client Tools 15:dracut-saltboot-1.1.0-150000.1.65.1
SUSE Manager Client Tools 15:firewalld-prometheus-config-0.1-150000.3.67.1


Description (CVE-2026-21720, Grafana)

Every uncached /avatar/:hash request spawns a goroutine that refreshes the Gravatar image. If the refresh sits in the 10-slot worker queue longer than three seconds, the handler times out and stops listening for the result, so that goroutine blocks forever trying to send on an unbuffered channel. Sustained traffic with random hashes keeps tripping this timeout, so goroutine count grows linearly, eventually exhausting memory and causing Grafana to crash on some systems.
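The leak described above reduced to its core, as an added example that is not Grafana's code: a worker hands its result back on an unbuffered channel while the caller abandons the wait after a timeout, so each timed-out request strands one goroutine forever. The second variant shows the minimal fix. Durations and names are chosen for the demonstration; `leakedGoroutines` measures the effect with `runtime.NumGoroutine`.

```go
package main

import (
	"fmt"
	"runtime"
	"time"
)

// leakyRefresh models the vulnerable pattern. The worker sends on an
// unbuffered channel, which only completes if somebody is still receiving.
// Once the select below has taken the timeout branch, nobody ever will, and
// the worker goroutine blocks on the send for the life of the process.
func leakyRefresh(work, timeout time.Duration) (string, bool) {
	result := make(chan string) // unbuffered: send needs a live receiver
	go func() {
		time.Sleep(work)         // stands in for the slow upstream fetch
		result <- "avatar-bytes" // leaks if the caller already gave up
	}()
	select {
	case r := <-result:
		return r, true
	case <-time.After(timeout):
		return "", false
	}
}

// safeRefresh is the fixed pattern: a buffer of one lets the worker deposit
// its result and exit even when the caller has stopped listening. (Having the
// worker select on a context's Done channel is the other common fix.)
func safeRefresh(work, timeout time.Duration) (string, bool) {
	result := make(chan string, 1)
	go func() {
		time.Sleep(work)
		result <- "avatar-bytes"
	}()
	select {
	case r := <-result:
		return r, true
	case <-time.After(timeout):
		return "", false
	}
}

// leakedGoroutines drives n requests that all time out through fn and
// reports how many goroutines are still alive afterwards, above the baseline.
func leakedGoroutines(fn func(work, timeout time.Duration) (string, bool), n int) int {
	base := runtime.NumGoroutine()
	for i := 0; i < n; i++ {
		fn(20*time.Millisecond, 1*time.Millisecond) // work slower than timeout
	}
	time.Sleep(150 * time.Millisecond) // let workers that can finish do so
	return runtime.NumGoroutine() - base
}

func main() {
	fmt.Println("leaky:", leakedGoroutines(leakyRefresh, 50)) // 50
	fmt.Println("safe: ", leakedGoroutines(safeRefresh, 50))  // 0
}
```

In production the same signal is the `go_goroutines` gauge that a Go service exports to Prometheus: a counter that climbs with request volume and never comes back down is the fingerprint of this bug class, and is worth an alert regardless of which handler is responsible.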


Affected products
Container suse/manager/5.0/x86_64/server:latest:golang-github-QubitProducts-exporter_exporter-0.4.0-150000.1.21.1
SUSE Linux Enterprise Module for Package Hub 15 SP7:golang-github-prometheus-promu-0.17.0-150000.3.30.1
SUSE Manager Client Tools 15:dracut-saltboot-1.1.0-150000.1.65.1
SUSE Manager Client Tools 15:firewalld-prometheus-config-0.1-150000.3.67.1


Description (CVE-2026-21721, Grafana)

The dashboard permissions API does not verify the target dashboard scope and only checks the dashboards.permissions:* action. As a result, a user who has permission management rights on one dashboard can read and modify permissions on other dashboards. This is an organization-internal privilege escalation.
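The check-the-action-but-not-the-scope mistake, as an added example (not Grafana's access-control code): a toy permission store where the flawed authorizer asks only whether the user holds `dashboards.permissions:write` anywhere, and the corrected one also requires that the grant's scope covers the specific target dashboard. Action and scope strings are assumptions made for the illustration.

```go
package main

import (
	"fmt"
	"strings"
)

// Permission pairs an action with the scope it was granted on. Scopes here
// are "dashboards:uid:<uid>" or the wildcard "dashboards:*" (assumed format).
type Permission struct {
	Action string
	Scope  string
}

type User struct {
	Name        string
	Permissions []Permission
}

// hasAction is the flawed check: it only asks whether the user holds the
// action on some resource. A user allowed to manage permissions on one
// dashboard therefore passes for every dashboard in the organization.
func hasAction(u User, action string) bool {
	for _, p := range u.Permissions {
		if p.Action == action {
			return true
		}
	}
	return false
}

// scopeMatches accepts an exact scope or a grant ending in ":*" that
// prefixes the wanted scope.
func scopeMatches(granted, wanted string) bool {
	if granted == wanted {
		return true
	}
	if strings.HasSuffix(granted, ":*") {
		return strings.HasPrefix(wanted, strings.TrimSuffix(granted, "*"))
	}
	return false
}

// hasActionOnScope is the corrected check: the action must be granted on a
// scope that covers the target dashboard, so a per-dashboard grant cannot be
// replayed against a different dashboard.
func hasActionOnScope(u User, action, scope string) bool {
	for _, p := range u.Permissions {
		if p.Action == action && scopeMatches(p.Scope, scope) {
			return true
		}
	}
	return false
}

func main() {
	const write = "dashboards.permissions:write"
	alice := User{Name: "alice", Permissions: []Permission{
		{Action: write, Scope: "dashboards:uid:own-dash"},
	}}
	other := "dashboards:uid:someone-elses-dash"
	fmt.Println("action only:  ", hasAction(alice, write))                  // true: escalation
	fmt.Println("action+scope: ", hasActionOnScope(alice, write, other))    // false
	fmt.Println("own dashboard:", hasActionOnScope(alice, write, "dashboards:uid:own-dash")) // true
}
```

The general rule this illustrates: an authorization decision is a function of (subject, action, resource), and any endpoint that takes the resource from the request path must pass that resource into the check rather than looking up the action in isolation.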


Affected products
Container suse/manager/5.0/x86_64/server:latest:golang-github-QubitProducts-exporter_exporter-0.4.0-150000.1.21.1
SUSE Linux Enterprise Module for Package Hub 15 SP7:golang-github-prometheus-promu-0.17.0-150000.3.30.1
SUSE Manager Client Tools 15:dracut-saltboot-1.1.0-150000.1.65.1
SUSE Manager Client Tools 15:firewalld-prometheus-config-0.1-150000.3.67.1


Description (CVE-2026-21722, Grafana)

Public dashboards with annotations enabled did not limit their annotation timerange to the locked timerange of the public dashboard. This means one could read the entire history of annotations visible on the specific dashboard, even those outside the locked timerange. This did not leak any annotations that would not otherwise be visible on the public dashboard.


Affected products
Container suse/manager/5.0/x86_64/server:latest:golang-github-QubitProducts-exporter_exporter-0.4.0-150000.1.21.1
SUSE Linux Enterprise Module for Package Hub 15 SP7:golang-github-prometheus-promu-0.17.0-150000.3.30.1
SUSE Manager Client Tools 15:dracut-saltboot-1.1.0-150000.1.65.1
SUSE Manager Client Tools 15:firewalld-prometheus-config-0.1-150000.3.67.1


Description (CVE-2026-25547, @isaacs/brace-expansion)

@isaacs/brace-expansion is a hybrid CJS/ESM TypeScript fork of brace-expansion. Prior to version 5.0.1, @isaacs/brace-expansion is vulnerable to a denial of service (DoS) issue caused by unbounded brace range expansion. When an attacker provides a pattern containing repeated numeric brace ranges, the library attempts to eagerly generate every possible combination synchronously. Because the expansion grows exponentially, even a small input can consume excessive CPU and memory and may crash the Node.js process. This issue has been patched in version 5.0.1.
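The guard a brace expander needs, as an added example (not the @isaacs/brace-expansion code, and in Go rather than JavaScript to match the other examples on this page): count how many strings a pattern would expand to before materializing any of them, and refuse once the running product passes a limit. Only numeric `{a..b}` ranges are handled, which is enough to show why the count, not the pattern length, is what must be bounded.

```go
package main

import (
	"errors"
	"fmt"
	"regexp"
	"strconv"
)

// rangeRe matches numeric brace ranges such as {1..10} or {-3..3}.
var rangeRe = regexp.MustCompile(`\{(-?\d+)\.\.(-?\d+)\}`)

var ErrTooMany = errors.New("brace expansion: result count exceeds limit")

// expansionCount computes, without allocating a single result, how many
// strings the pattern expands to. It fails as soon as the running product
// exceeds limit, so "{1..1000}{1..1000}{1..1000}" is rejected after two
// multiplications instead of a billion allocations. The division guard also
// keeps the product from overflowing int64.
func expansionCount(pattern string, limit int64) (int64, error) {
	total := int64(1)
	for _, m := range rangeRe.FindAllStringSubmatch(pattern, -1) {
		lo, _ := strconv.ParseInt(m[1], 10, 64)
		hi, _ := strconv.ParseInt(m[2], 10, 64)
		if lo > hi {
			lo, hi = hi, lo
		}
		n := hi - lo + 1
		if n > limit || total > limit/n {
			return 0, ErrTooMany
		}
		total *= n
	}
	return total, nil
}

// expand materializes the pattern only after expansionCount has approved it.
func expand(pattern string, limit int64) ([]string, error) {
	if _, err := expansionCount(pattern, limit); err != nil {
		return nil, err
	}
	return expandAll(pattern), nil
}

// expandAll is the eager expansion the advisory warns about: it replaces the
// first range with every value in turn and recurses on the remainder. It is
// safe only because expand refuses oversized patterns before calling it.
func expandAll(pattern string) []string {
	loc := rangeRe.FindStringSubmatchIndex(pattern)
	if loc == nil {
		return []string{pattern}
	}
	lo, _ := strconv.Atoi(pattern[loc[2]:loc[3]])
	hi, _ := strconv.Atoi(pattern[loc[4]:loc[5]])
	step := 1
	if lo > hi {
		step = -1
	}
	var out []string
	for i := lo; ; i += step {
		rest := pattern[:loc[0]] + strconv.Itoa(i) + pattern[loc[1]:]
		out = append(out, expandAll(rest)...)
		if i == hi {
			break
		}
	}
	return out
}

func main() {
	files, err := expand("img{1..3}-{0..1}.png", 1000)
	fmt.Println(len(files), files[0], err) // 6 img1-0.png <nil>
	_, err = expand("{1..1000}{1..1000}{1..1000}", 100000)
	fmt.Println(err) // brace expansion: result count exceeds limit
}
```

Pick the limit from what the caller can actually consume (a glob over a filesystem rarely needs more than a few thousand candidates); the important property is that the cost of the rejection is linear in the pattern length, never in the size of the output it avoided producing.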


Affected products
Container suse/manager/5.0/x86_64/server:latest:golang-github-QubitProducts-exporter_exporter-0.4.0-150000.1.21.1
SUSE Linux Enterprise Module for Package Hub 15 SP7:golang-github-prometheus-promu-0.17.0-150000.3.30.1
SUSE Manager Client Tools 15:dracut-saltboot-1.1.0-150000.1.65.1
SUSE Manager Client Tools 15:firewalld-prometheus-config-0.1-150000.3.67.1


Description (CVE-2026-27606, Rollup)

Rollup is a module bundler for JavaScript. Versions prior to 2.80.0, 3.30.0, and 4.59.0 of the Rollup module bundler are vulnerable to an Arbitrary File Write via Path Traversal. Insecure file name sanitization in the core engine allows an attacker to control output filenames (e.g., via CLI named inputs, manual chunk aliases, or malicious plugins) and use traversal sequences (`../`) to overwrite files anywhere on the host filesystem that the build process has permissions for. This can lead to persistent Remote Code Execution (RCE) by overwriting critical system or user configuration files. Versions 2.80.0, 3.30.0, and 4.59.0 contain a patch for the issue.
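The containment check an output writer needs, as an added example (not Rollup's code, and in Go rather than JavaScript to match the other examples here): join the attacker-influenced file name onto the output directory, clean the result, and refuse it unless its path relative to the output directory stays inside. Directory and file names are made up for the demonstration.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

var ErrOutsideOutputDir = errors.New("output file name escapes the output directory")

// resolveOutputPath returns the absolute path a chunk should be written to,
// or ErrOutsideOutputDir when the name would land outside outDir.
func resolveOutputPath(outDir, name string) (string, error) {
	absOut, err := filepath.Abs(outDir)
	if err != nil {
		return "", err
	}
	// A chunk name is always relative to the output directory; an absolute
	// name is never legitimate, so reject it rather than silently re-rooting
	// it under outDir as Join would.
	if filepath.IsAbs(name) {
		return "", ErrOutsideOutputDir
	}
	// Join runs Clean, so "chunks/../../x" collapses before the comparison.
	full := filepath.Join(absOut, name)
	rel, err := filepath.Rel(absOut, full)
	if err != nil {
		return "", err
	}
	// Anything that starts with ".." after cleaning has climbed out. Compare
	// on path elements, not a string prefix of absOut, so "dist-evil" next to
	// "dist" is not mistaken for a child of "dist".
	if rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrOutsideOutputDir
	}
	return full, nil
}

func main() {
	for _, name := range []string{
		"chunks/app.js",
		"chunks/../../../home/user/.bashrc",
		"../dist-evil/x.js",
		"/etc/cron.d/build",
	} {
		p, err := resolveOutputPath("/tmp/dist", name)
		fmt.Printf("%-40q -> %s %v\n", name, p, err)
	}
}
```

This check is lexical: if the output directory itself can contain a symlink that points outside it, resolve with `filepath.EvalSymlinks` on both sides before calling `filepath.Rel`, and open the file with flags that refuse to follow a symlink at the final component. Also note that the patched Rollup versions still write wherever the build user can, so a bundler run under a least-privileged account remains the backstop for malicious plugins.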


Affected products
Container suse/manager/5.0/x86_64/server:latest:golang-github-QubitProducts-exporter_exporter-0.4.0-150000.1.21.1
SUSE Linux Enterprise Module for Package Hub 15 SP7:golang-github-prometheus-promu-0.17.0-150000.3.30.1
SUSE Manager Client Tools 15:dracut-saltboot-1.1.0-150000.1.65.1
SUSE Manager Client Tools 15:firewalld-prometheus-config-0.1-150000.3.67.1
