File _patchinfo of Package patchinfo.43045

<patchinfo incident="43045">
  <issue tracker="ijsc" id="MSQA-1045"/>
  <issue tracker="bnc" id="1251995">A system_schedulepackagerefresh can't be triggered through the spacecmd command in minions managed through ssh. Error: com.redhat.rhn.common.translation.TranslationException: Could not find translator for class java.lang.String to class java.lang.Integer</issue>
  <issue tracker="bnc" id="1253004">saltboot does not get dhcp address on the first attempt</issue>
  <issue tracker="bnc" id="1253174">spacecmd proxy_container_config_generate_cert --help shows wrong option --ca-crt</issue>
  <issue tracker="bnc" id="1253347">Podman container restarting several times or completely failing to start</issue>
  <issue tracker="bnc" id="1253659">spacecmd's configchannel_addfile ignores the -b switch causing binary file uploads to fail</issue>
  <issue tracker="bnc" id="1253738">Disable deprecated ciphers using sha1 on MLM Proxy Container.</issue>
  <issue tracker="bnc" id="1254589">mgradm install podman --config fails when a provided registry key is a string</issue>
  <issue tracker="bnc" id="1255340">VUL-0: CVE-2025-68156: grafana: github.com/expr-lang/expr/builtin: uncontrolled recursion in expression evaluation can cause a denial of service</issue>
  <issue tracker="bnc" id="1255588">VUL-0: CVE-2025-12816: golang-github-prometheus-prometheus: node-forge: Interpretation conflict vulnerability allows bypassing cryptographic verifications</issue>
  <issue tracker="bnc" id="1255781">mgradm support config fails to create combined archive</issue>
  <issue tracker="bnc" id="1256803">Cobbler configuration issue unable to delete minion after upgrade from 4.3 to 5.0.6</issue>
  <issue tracker="bnc" id="1257329">VUL-0: CVE-2025-13465: golang-github-prometheus-prometheus: lodash: prototype pollution in the _.unset and _.omit functions can lead to deletion of methods from global prototypes</issue>
  <issue tracker="bnc" id="1257337">VUL-0: CVE-2026-21721: grafana: improper access control by the dashboard permissions API allows users with permission management rights on one dashboard to read and modify permissions on other dashboards</issue>
  <issue tracker="bnc" id="1257349">VUL-0: CVE-2026-21720: grafana: Every uncached /avatar/:hash request spawns a goroutine that refreshes the Gravatar image</issue>
  <issue tracker="bnc" id="1257442">VUL-0: CVE-2025-61140: golang-github-prometheus-prometheus: jsonpath: the `value` function is vulnerable to prototype pollution</issue>
  <issue tracker="bnc" id="1257841">VUL-0: CVE-2026-25547: golang-github-prometheus-prometheus: brace-expansion: unbounded brace range expansion can lead to excessive CPU and memory consumption and may crash a Node.js process</issue>
  <issue tracker="bnc" id="1257897">VUL-0: CVE-2026-1615: golang-github-prometheus-prometheus: jsonpath: arbitrary code injection due to unsafe evaluation of user-supplied JSON Path expressions</issue>
  <issue tracker="bnc" id="1257941">mgradm support config: fails to create combined archive:</issue>
  <issue tracker="bnc" id="1258136">VUL-0: CVE-2026-21722: grafana: entire history of annotations visible due to public dashboards not limiting their annotation timerange to the locked timerange of the public dashboard</issue>
  <issue tracker="bnc" id="1258893">VUL-0: CVE-2026-27606: golang-github-prometheus-prometheus: rollup: Arbitrary File Write via Path Traversal in Rollup 4</issue>
  <issue tracker="bnc" id="1245302">VUL-0: CVE-2025-3415: grafana: exposure of DingDing alerting integration URL to Viewer level users</issue>
  <issue tracker="cve" id="2025-12816"/>
  <issue tracker="cve" id="2025-13465"/>
  <issue tracker="cve" id="2025-3415"/>
  <issue tracker="cve" id="2025-61140"/>
  <issue tracker="cve" id="2025-68156"/>
  <issue tracker="cve" id="2026-1615"/>
  <issue tracker="cve" id="2026-21720"/>
  <issue tracker="cve" id="2026-21721"/>
  <issue tracker="cve" id="2026-21722"/>
  <issue tracker="cve" id="2026-25547"/>
  <issue tracker="cve" id="2026-27606"/>
  <issue tracker="jsc" id="PED-13824"/>
  <issue tracker="jsc" id="PED-14971"/>
  <packager>PSuarezHernandez</packager>
  <rating>important</rating>
  <category>security</category>
  <summary>Security update 5.0.7 for Multi-Linux Manager Client Tools</summary>
  <description>This update fixes the following issues:

dracut-saltboot:

- Version update to 1.1.0:

  * Retry DHCP requests up to 3 times (bsc#1253004)

golang-github-QubitProducts-exporter_exporter:

- Non-customer-facing optimization and update

golang-github-boynux-squid_exporter:

- Version update from 1.6.0 to 1.13.0 with the following highlighted changes and fixes (jsc#PED-14971):

  * Added compatibility for Squid 6 and support for the squid-internal-mgr metrics path
  * Added TLS and Basic Authentication to the exporter’s web interface
  * Added support for the exporter to authenticate against the Squid proxy itself
  * Allow the gathering of process information without requiring root privileges
  * The exporter can now be configured using environment variables
  * Added support for custom labels to all exported metrics for better data filtering
  * New metrics to track if Squid is running (squid_up), how long a scrape takes, and if any errors occurred
  * Added "service time" metrics to analyze proxy speed and performance
  * Added a metric for open file descriptors (process_open_fds) to help prevent connection bottlenecks
  * Corrected the squid_client_http_requests_total metric to ensure accurate reporting
golang-github-lusitaniae-apache_exporter:

- Version update from 1.0.8 to 1.0.10:

  * Updated github.com/prometheus/client_golang to 1.21.1
  * Updated github.com/prometheus/common to 0.63.0
  * Updated github.com/prometheus/exporter-toolkit to 0.14.0
  * Fixed signal handler logging

golang-github-prometheus-prometheus:

- Security issues fixed:

  * CVE-2026-27606: Fixed arbitrary file write via path traversal in rollup (bsc#1258893)
  * CVE-2026-25547: Fixed unbounded brace range expansion leading to excessive CPU and memory consumption (bsc#1257841)
  * CVE-2026-1615, CVE-2025-61140: The old web UI is no longer built due to security issues (bsc#1257897, bsc#1257442)
  * CVE-2025-13465: Bump lodash package to version 4.17.23 to fix prototype pollution vulnerability (bsc#1257329)
  * CVE-2025-12816: Interpretation conflict vulnerability allowing bypassing cryptographic verifications (bsc#1255588)

- Version update from 2.53.4 to 3.5.0 with the following highlighted changes (jsc#PED-13824):

  * Modernized Interface: Introduced a brand-new UI
  * Enhanced Cloud and Auth: Added unified AWS service discovery (EC2, ECS, Lightsail) and Azure Workload Identity support
    for more secure, native cloud authentication
  * Performance Standards: Fully integrated OpenTelemetry (OTLP) ingestion and moved Native Histograms from experimental
    to a stable feature.
  * Advanced Data Export: Rolled out Remote Write 2.0, offering better performance and metadata handling when sending
    data to external systems.
  * Query Power: Added new PromQL functions (like first_over_time and last_over_time) and optimization for grouping
    operations
  * Better Visibility: The UI now displays detailed relabeling steps, scrape intervals, and timeouts, making it easier
    to troubleshoot why targets aren't reporting correctly.
  * Critical Fixes: Resolved significant memory leaks related to query logging and fixed bugs where targets were
    accidentally being scraped multiple times

grafana:

- Security issues fixed:

  * CVE-2026-21722: Public dashboards annotations: use dashboard timerange if time selection disabled (bsc#1258136)
  * CVE-2026-21721: Fixed access control by the dashboard permissions API (bsc#1257337)
  * CVE-2026-21720: Fixed unauthenticated DoS (bsc#1257349)
  * CVE-2025-68156: Fixed potential DoS via unbounded recursion in builtin functions (bsc#1255340)
  * CVE-2025-3415: Fixed exposure of DingDing alerting integration URL to Viewer level users (bsc#1245302)

- Version update from 11.5.10 to 11.6.11 with the following highlighted changes and fixes:
  * Performance Boost: Introduced WebGL-powered geomaps for smoother map visualizations and
    removed blurred backgrounds from UI overlays to speed up the interface
  * One-Click Actions: Visualizations now support faster navigation via one-click links and actions
  * Alerting History: Added version history for alert rules, allowing you to track changes over time
  * Service Accounts: Automated the migration of old API keys to more secure Service Accounts upon startup
  * Cron Support: Annotations now support Cron syntax for more flexible scheduling
  * Identity and Auth: Hardened the Avatar feature (now requires sign-in) and fixed several login redirection issues
    when Grafana is hosted on a subpath
  * Data Source Support: Added support for Cloud Partner Prometheus data sources and improved Azure legend formatting
  * Alerting Limits: Added size limits for expanded notification templates to prevent system strain
  * RBAC: Integrated Role-Based Access Control (RBAC) into the Alertmanager via the reqAction field
  * Data Consistency: Fixed several issues with Graphite and InfluxDB regarding how variables are handled in repeated
    rows or nested queries
  * Dashboard Reliability: Resolved bugs involving row repeats and "self-referencing" data links
  * Alerting Fixes: Patched a critical "panic" (crash) caused by a race condition in alert rules and fixed issues where
    contact points weren't working correctly
  * URL Handling: Fixed a bug where "true" values in URL parameters weren't being read correctly

prometheus-blackbox_exporter:

- Non-customer-facing optimization and update

spacecmd:

- Version update to 5.0.15:

  * Fixed typo in spacecmd help ca-cert flag (bsc#1253174)
  * Convert cached IDs to integer values (bsc#1251995)
  * Fixed spacecmd binary file upload (bsc#1253659)

uyuni-tools:

- Version update to 0.1.38:

  * Fixed cobbler configuration when migrating to standalone files (bsc#1256803)
  * Detect custom apache and squid config in the /etc/uyuni/proxy folder
  * Add ssh tuning to configure sshd (bsc#1253738)
  * Ignore supportconfig errors (bsc#1255781)
  * Bumped the default image tag to 5.0.7
  * Removed cgroup mount for podman containers (bsc#1253347)
  * Registry flag can be a string (bsc#1254589)
  * Use static supportconfig name to avoid dynamic search (bsc#1257941)

</description>
</patchinfo>