File _patchinfo of Package patchinfo.41610

<patchinfo incident="41610">
  <issue tracker="ijsc" id="MSQA-1034"/>
  <issue tracker="bnc" id="1227577">VUL-0: spacecmd, susemanager, rhnlib and spacewalk-backend: usage of unsafe third party library for XML</issue>
  <issue tracker="bnc" id="1227579">AUDIT-FIND: spacecmd: get rid of pickle to read and parse configuration files</issue>
  <issue tracker="bnc" id="1237495">Cash registers being updated to SLE15 SP5 via salt sometimes hang and loop  "waiting for salt key" in initrd</issue>
  <issue tracker="bnc" id="1243611">mgrpxy [stop|status|start] --loglevel &lt;loglevel&gt; returns error: unknown flag --loglevel</issue>
  <issue tracker="bnc" id="1243704">MLM 5.0 installation on server hardened based on CIS</issue>
  <issue tracker="bnc" id="1244027">/etc/cobbler/settings.yaml has no 'default-suse-efi' key, missing /grub/grub.efi in TFTPd root</issue>
  <issue tracker="bnc" id="1244127">Restoring MLM does not work correctly. The server does not start properly after starting it</issue>
  <issue tracker="bnc" id="1244534">postgresql.conf is not persistent through a container creation</issue>
  <issue tracker="bnc" id="1245099">mgradm support config fails on hub server</issue>
  <issue tracker="bnc" id="1245302">VUL-0: CVE-2025-3415: grafana: exposure of DingDing alerting integration URL to Viewer level users</issue>
  <issue tracker="bnc" id="1246068">mgradm distribution copy: Error: distribution not found in product map. Please update productmap or provide channel label</issue>
  <issue tracker="bnc" id="1246320">Internal server error when creating new snippet or modifying existing snippet.</issue>
  <issue tracker="bnc" id="1246553">mgrpxy can't install PTFs</issue>
  <issue tracker="bnc" id="1246586">spacecmd on ubuntu 24.04 install python files at the wrong place</issue>
  <issue tracker="bnc" id="1246662">mgradm upgrade podman error:  "cannot downgrade from version 5.0.4.1 to 5.0.5"</issue>
  <issue tracker="bnc" id="1246735">VUL-0: CVE-2025-6023: grafana: open redirect can be chained with path traversal vulnerabilities to achieve XSS</issue>
  <issue tracker="bnc" id="1246736">VUL-0: CVE-2025-6197: grafana: open redirect in organization switching functionality</issue>
  <issue tracker="bnc" id="1246738">mgradm backup create error: no such object: "server"</issue>
  <issue tracker="bnc" id="1246789">ID used for proxy config creation is changed after a hardware refresh</issue>
  <issue tracker="bnc" id="1246882">mgradm distribution copy not possible as root</issue>
  <issue tracker="bnc" id="1246906">Changing Backup Folder Path Breaks Server Restore</issue>
  <issue tracker="bnc" id="1246925">mgradm backup restore: warnings about missing restorecon on SLE 15 SP6</issue>
  <issue tracker="bnc" id="1247688">Monitor is broken after update to 5.1</issue>
  <issue tracker="bnc" id="1247721">Bootstrapping a client to a proxy from the webUI  fails with port error</issue>
  <issue tracker="bnc" id="1250616">VUL-0: CVE-2025-11065: grafana: github.com/go-viper/mapstructure/v2: sensitive Information leak in logs</issue>
  <issue tracker="bnc" id="1251044">mgradm migrate podman creates new CA infrastructure.</issue>
  <issue tracker="bnc" id="1251138">A proxy of the version 5.1.1 can't be installed in k3s. Failed to reload Traefik.</issue>
  <issue tracker="bnc" id="1252100">Bootstrapping retail terminal sles15sp4 is blocked</issue>
  <issue tracker="cve" id="2025-11065"/>
  <issue tracker="cve" id="2025-6023"/>
  <issue tracker="cve" id="2025-6197"/>
  <issue tracker="cve" id="2025-3415"/>
  <packager>raulosuna</packager>
  <rating>important</rating>
  <category>security</category>
  <summary>Security update 5.0.6 for Multi-Linux Manager Client Tools</summary>
  <description>This update fixes the following issues:

dracut-saltboot:

- Update to version 1.0.0
  * Reboot on salt key timeout (bsc#1237495)
  * Fixed parsing files with space in the name (bsc#1252100)

grafana was updated from version 11.5.5 to 11.5.10:

- Security issues fixed:

  * CVE-2025-47911: Fix parsing HTML documents (bsc#1251454)
  * CVE-2025-58190: Fix excessive memory consumption (bsc#1251657)
  * CVE-2025-64751: Drop experimental implementation of authorization Zanzana server/client
                    (bsc#1254113)
  * CVE-2025-11065: Fixed sensitive information leak in logs (version 11.5.9) (bsc#1250616)
  * CVE-2025-6023: Fixed cross-site-scripting via scripted dashboards (version 11.5.7) (bsc#1246735)
  * CVE-2025-6197: Fixed open redirect in organization switching (version 11.5.7) (bsc#1246736)
  * CVE-2025-3415: Fixed exposure of DingDing alerting integration URL to Viewer level users (version 11.5.6)
                   (bsc#1245302)

- Other changes, new features and bugs fixed:
    
  * Version 11.5.10:
    + Update to Go 1.25
    + Update to golang.org/x/net v0.45.0
    + Auth: Fix render user OAuth passthrough
    + LDAP Authentication: Fix URL to propagate username context as parameter

  * Version 11.5.9:
    + Auditing: Document new options for recording datasource query request/response body.
    + Login: Fixed redirection after login when Grafana is served from subpath.

  * Version 11.5.7:
    + Azure: Fixed legend formatting and resource name determination in template variable queries.

mgr-push:

- Version 5.0.3-0
  * Fixed syntax error in changelog

rhnlib:

- Version 5.0.6-0
  * Use more secure defusedxml parser (bsc#1227577)

spacecmd:

- Version 5.0.14-0
  * Fixed installation of python lib files on Ubuntu 24.04 (bsc#1246586)
  * Use JSON instead of pickle for spacecmd cache (bsc#1227579)
  * Make spacecmd work with Python 3.12 and higher
  * Call print statements properly in Python 3

uyuni-tools:

- Version 0.1.37-0
  * Handle CA files with symlinks during migration (bsc#1251044)
  * Add a lowercase version of --logLevel (bsc#1243611)
  * Adjust traefik exposed configuration for chart v27+ (bsc#1247721)
  * Stop executing scripts in temporary folder (bsc#1243704)
  * Convert the traefik install time to local time (bsc#1251138)
  * Run smdba and reindex only during migration (bsc#1244534)
  * Support config: collect podman inspect for hub container (bsc#1245099)
  * Add --registry-host, --registry-user and --registry-password to pull images from an authenticated registry
  * Deprecate --registry
  * Use new dedicated path for Cobbler settings (bsc#1244027)
  * Migrate custom auto installation snippets (bsc#1246320)
  * Add SLE15SP7 to built-in productmap
  * Fix loading product map from mgradm configuration file (bsc#1246068)
  * Fix channel override for distro copy
  * Do not use sudo when running as a root user (bsc#1246882)
  * Do not require backups to be at the same location for restoring (bsc#1246906)
  * Check for restorecon presence before calling (bsc#1246925)
  * Automatically get up-to-date systemid file on salt based proxy hosts (bsc#1246789)
  * Fix recomputing proxy images when installing a ptf or test (bsc#1246553)
  * Add migration for server monitoring configuration (bsc#1247688)
- Version 0.1.36-0
  * Bump the default image tag
- Version 0.1.35-0
  * Restore SELinux contexts for restored backup volumes (bsc#1244127)
- Version 0.1.34-0
  * Fix mgradm backup create handling of images and systemd files (bsc#1246738)
- Version 0.1.33-0
  * Restore volumes using tar instead of podman import (bsc#1244127)

</description>
</patchinfo>