File _patchinfo of Package patchinfo.41609
<patchinfo incident="41609">
<issue tracker="ijsc" id="MSQA-1034"/>
<issue tracker="bnc" id="1227577">VUL-0: spacecmd, susemanager, rhnlib and spacewalk-backend: usage of unsafe third party library for XML</issue>
<issue tracker="bnc" id="1227579">AUDIT-FIND: spacecmd: get rid of pickle to read and parse configuration files</issue>
<issue tracker="bnc" id="1243611">mgrpxy [stop|status|start] --loglevel &lt;loglevel&gt; returns error: unknown flag --loglevel</issue>
<issue tracker="bnc" id="1243704">MLM 5.0 installation on server hardened based on CIS</issue>
<issue tracker="bnc" id="1244027">/etc/cobbler/settings.yaml has no 'default-suse-efi' key, missing /grub/grub.efi in TFTPd root</issue>
<issue tracker="bnc" id="1244127">Restoring MLM does not work correctly. The server does not start properly after starting it</issue>
<issue tracker="bnc" id="1244534">postgresql.conf is not persistent through a container creation</issue>
<issue tracker="bnc" id="1245099">mgradm support config fails on hub server</issue>
<issue tracker="bnc" id="1245302">VUL-0: CVE-2025-3415: grafana: exposure of DingDing alerting integration URL to Viewer level users</issue>
<issue tracker="bnc" id="1246068">mgradm distribution copy: Error: distribution not found in product map. Please update productmap or provide channel label</issue>
<issue tracker="bnc" id="1246320">Internal server error when creating new snippet or modifying existing snippet.</issue>
<issue tracker="bnc" id="1246553">mgrpxy can't install PTFs</issue>
<issue tracker="bnc" id="1246586">spacecmd on ubuntu 24.04 install python files at the wrong place</issue>
<issue tracker="bnc" id="1246662">mgradm upgrade podman error: "cannot downgrade from version 5.0.4.1 to 5.0.5"</issue>
<issue tracker="bnc" id="1246735">VUL-0: CVE-2025-6023: grafana: open redirect can be chained with path traversal vulnerabilities to achieve XSS</issue>
<issue tracker="bnc" id="1246736">VUL-0: CVE-2025-6197: grafana: open redirect in organization switching functionality</issue>
<issue tracker="bnc" id="1246738">mgradm backup create error: no such object: "server"</issue>
<issue tracker="bnc" id="1246789">ID used for proxy config creation is changed after a hardware refresh</issue>
<issue tracker="bnc" id="1246882">mgradm distribution copy not possible as root</issue>
<issue tracker="bnc" id="1246906">Changing Backup Folder Path Breaks Server Restore</issue>
<issue tracker="bnc" id="1246925">mgradm backup restore: warnings about missing restorecon on SLE 15 SP6</issue>
<issue tracker="bnc" id="1247688">Monitor is broken after update to 5.1</issue>
<issue tracker="bnc" id="1247721">Bootstrapping a client to a proxy from the webUI fails with port error</issue>
<issue tracker="bnc" id="1247748">VUL-0: CVE-2025-47908: golang-github-prometheus-alertmanager: github.com/rs/cors: processing of preflight requests with maliciously long ACRH headers causes a prohibitive amount of heap allocations</issue>
<issue tracker="bnc" id="1250616">VUL-0: CVE-2025-11065: grafana: github.com/go-viper/mapstructure/v2: sensitive Information leak in logs</issue>
<issue tracker="bnc" id="1251044">mgradm migrate podman creates new CA infrastructure.</issue>
<issue tracker="bnc" id="1251138">A proxy of the version 5.1.1 can't be installed in k3s. Failed to reload Traefik.</issue>
<issue tracker="jsc" id="PED-13285"/>
<issue tracker="cve" id="2025-47908"/>
<issue tracker="cve" id="2025-11065"/>
<issue tracker="cve" id="2025-6023"/>
<issue tracker="cve" id="2025-6197"/>
<issue tracker="cve" id="2025-3415"/>
<packager>raulosuna</packager>
<rating>important</rating>
<category>security</category>
<summary>Security update 5.0.6 for Multi-Linux Manager Client Tools</summary>
<description>This update fixes the following issues:
golang-github-prometheus-alertmanager:
- Update to version 0.28.1 (jsc#PED-13285):
* Improved performance of inhibition rules when using Equal
labels.
* Improve the documentation on escaping in UTF-8 matchers.
* Update alertmanager_config_hash metric help to document the
hash is not cryptographically strong.
* Fix panic in amtool when using --verbose.
* Fix templating of channel field for Rocket.Chat.
* Fix rocketchat_configs written as rocket_configs in docs.
* Fix usage for --enable-feature flag.
* Trim whitespace from OpsGenie API Key.
* Fix Jira project template not rendered when searching for
existing issues.
* Fix subtle bug in JSON/YAML encoding of inhibition rules that
would cause Equal labels to be omitted.
* Fix header for slack_configs in docs.
* Fix weight and wrap of Microsoft Teams notifications.
- Upgrade to version 0.28.0:
* CVE-2025-47908: Bump github.com/rs/cors (bsc#1247748).
* Templating errors in the SNS integration now return an error.
* Adopt log/slog, drop go-kit/log.
* Add a new Microsoft Teams integration based on Flows.
* Add a new Rocket.Chat integration.
* Add a new Jira integration.
* Add support for GOMEMLIMIT, enable it via the feature flag
--enable-feature=auto-gomemlimit.
* Add support for GOMAXPROCS, enable it via the feature flag
--enable-feature=auto-gomaxprocs.
* Add support for limits of silences including the maximum number
of active and pending silences, and the maximum size per
silence (in bytes). You can use the flags
--silences.max-silences and --silences.max-silence-size-bytes
to set them accordingly.
* Muted alerts now show whether they are suppressed or not in
both the /api/v2/alerts endpoint and the Alertmanager UI.
- Upgrade to version 0.27.0:
* API: Removal of all api/v1/ endpoints. These endpoints
now log and return a deprecation message and respond with a
status code of 410.
* UTF-8 Support: Introduction of support for any UTF-8
character as part of label names and matchers.
* Discord Integration: Enforce max length in message.
* Metrics: Introduced the experimental feature flag
--enable-feature=receiver-name-in-metrics to include the
receiver name.
* Metrics: Introduced a new gauge named
alertmanager_inhibition_rules that counts the number of
configured inhibition rules.
* Metrics: Introduced a new counter named
alertmanager_alerts_supressed_total that tracks muted alerts,
it contains a reason label to indicate the source of the mute.
* Discord Integration: Introduced support for webhook_url_file.
* Microsoft Teams Integration: Introduced support for
webhook_url_file.
* Microsoft Teams Integration: Add support for summary.
* Metrics: Notification metrics now support two new values for
the label reason, contextCanceled and contextDeadlineExceeded.
* Email Integration: Contents of auth_password_file are now
trimmed of prefixed and suffixed whitespace.
* amtool: Fixes the error scheme required for webhook url when
using amtool with --alertmanager.url.
* Mixin: Fix AlertmanagerFailedToSendAlerts,
AlertmanagerClusterFailedToSendAlerts, and
AlertmanagerClusterFailedToSendAlerts to make sure they ignore
the reason label.
grafana was updated from version 11.5.5 to 11.5.10:
- Security issues fixed:
* CVE-2025-47911: Fix parsing HTML documents (bsc#1251454)
* CVE-2025-58190: Fix excessive memory consumption (bsc#1251657)
* CVE-2025-64751: Drop experimental implementation of authorization Zanzana server/client
(bsc#1254113)
* CVE-2025-11065: Fixed sensitive information leak in logs (version 11.5.9) (bsc#1250616)
* CVE-2025-6023: Fixed cross-site-scripting via scripted dashboards (version 11.5.7) (bsc#1246735)
* CVE-2025-6197: Fixed open redirect in organization switching (version 11.5.7) (bsc#1246736)
* CVE-2025-3415: Fixed exposure of DingDing alerting integration URL to Viewer level users (version 11.5.6)
(bsc#1245302)
- Other changes, new features and bugs fixed:
* Version 11.5.10:
+ Update to Go 1.25
+ Update to golang.org/x/net v0.45.0
+ Auth: Fix render user OAuth passthrough
+ LDAP Authentication: Fix URL to propagate username context as parameter
* Version 11.5.9:
+ Auditing: Document new options for recording datasource query request/response body.
+ Login: Fixed redirection after login when Grafana is served from subpath.
* Version 11.5.7:
+ Azure: Fixed legend formatting and resource name determination in template variable queries.
mgr-push:
- Version 5.0.3-0
* Fixed syntax error in changelog
rhnlib:
- Version 5.0.6-0
* Use more secure defusedxml parser (bsc#1227577)
spacecmd:
- Version 5.0.14-0:
* Fixed installation of python lib files on Ubuntu 24.04 (bsc#1246586)
* Use JSON instead of pickle for spacecmd cache (bsc#1227579)
* Make spacecmd work with Python 3.12 and higher
* Call print statements properly in Python 3
supportutils-plugin-susemanager-client:
- Version 5.0.5-0
* Fix syntax error in changelog
uyuni-tools:
- Version 0.1.37-0
* Handle CA files with symlinks during migration (bsc#1251044)
* Add a lowercase version of --logLevel (bsc#1243611)
* Adjust traefik exposed configuration for chart v27+ (bsc#1247721)
* Stop executing scripts in temporary folder (bsc#1243704)
* Convert the traefik install time to local time (bsc#1251138)
* Run smdba and reindex only during migration (bsc#1244534)
* Support config: collect podman inspect for hub container (bsc#1245099)
* Add --registry-host, --registry-user and --registry-password to pull images from an authenticated registry
* Deprecate --registry
* Use new dedicated path for Cobbler settings (bsc#1244027)
* Migrate custom auto installation snippets (bsc#1246320)
* Add SLE15SP7 to built-in productmap
* Fix loading product map from mgradm configuration file (bsc#1246068)
* Fix channel override for distro copy
* Do not use sudo when running as a root user (bsc#1246882)
* Do not require backups to be at the same location for restoring (bsc#1246906)
* Check for restorecon presence before calling (bsc#1246925)
* Automatically get up-to-date systemid file on salt based proxy hosts (bsc#1246789)
* Fix recomputing proxy images when installing a ptf or test (bsc#1246553)
* Add migration for server monitoring configuration (bsc#1247688)
- Version 0.1.36-0
* Bump the default image tag
- Version 0.1.35-0
* Restore SELinux contexts for restored backup volumes (bsc#1244127)
- Version 0.1.34-0
* Fix mgradm backup create handling of images and systemd files (bsc#1246738)
- Version 0.1.33-0
* Restore volumes using tar instead of podman import (bsc#1244127)
</description>
</patchinfo>