Salt Bundle Security Update for Multi-Linux Manager
SUSE-SU-2026:1026-1
Summary
A security update is available for the Salt Bundle software to fix multiple security issues that could allow an attacker to crash the system or steal sensitive information. These issues were found in the way the software handles HTTP requests and validates certain inputs. It is recommended to update to the latest version, 5.0.7, to ensure the security of your system.
What to do
- Update saltbundlepy to version 3.11.13-1.38.1.
- Update saltbundlepy-core to version 3.11.13-1.38.1.
- Update saltbundlepy-m2crypto to version 0.45.1-1.18.2.
- Update saltbundlepy-passlib to version 1.7.4-1.9.2.
- Update saltbundlepy-passlib-test to version 1.7.4-1.9.2.
- Update saltbundlepy-pyasn1 to version 0.5.0-1.12.1.
- Update saltbundlepy-pyzmq to version 25.1.2-1.17.2.
- Update saltbundlepy-simplejson to version 3.19.1-1.12.2.
- Update saltbundlepy-tornado to version 6.3.2-1.18.2.
- Update saltbundlepy-websocket-client to version 1.5.1-1.12.2.
- Update venv-salt-minion to version 3006.0-1.67.1.
Affected software
| Ecosystem | Vendor | Product | Affected versions |
|---|---|---|---|
| SUSE:EL-9:Update:Products:SaltBundle:Update | – | saltbundlepy | < 3.11.13-1.38.1; fix: upgrade to 3.11.13-1.38.1 |
| SUSE:EL-9:Update:Products:SaltBundle:Update | – | saltbundlepy-core | < 3.11.13-1.38.1; fix: upgrade to 3.11.13-1.38.1 |
| SUSE:EL-9:Update:Products:SaltBundle:Update | – | saltbundlepy-m2crypto | < 0.45.1-1.18.2; fix: upgrade to 0.45.1-1.18.2 |
| SUSE:EL-9:Update:Products:SaltBundle:Update | – | saltbundlepy-passlib | < 1.7.4-1.9.2; fix: upgrade to 1.7.4-1.9.2 |
| SUSE:EL-9:Update:Products:SaltBundle:Update | – | saltbundlepy-passlib-test | < 1.7.4-1.9.2; fix: upgrade to 1.7.4-1.9.2 |
| SUSE:EL-9:Update:Products:SaltBundle:Update | – | saltbundlepy-pyasn1 | < 0.5.0-1.12.1; fix: upgrade to 0.5.0-1.12.1 |
| SUSE:EL-9:Update:Products:SaltBundle:Update | – | saltbundlepy-pyzmq | < 25.1.2-1.17.2; fix: upgrade to 25.1.2-1.17.2 |
| SUSE:EL-9:Update:Products:SaltBundle:Update | – | saltbundlepy-simplejson | < 3.19.1-1.12.2; fix: upgrade to 3.19.1-1.12.2 |
| SUSE:EL-9:Update:Products:SaltBundle:Update | – | saltbundlepy-tornado | < 6.3.2-1.18.2; fix: upgrade to 6.3.2-1.18.2 |
| SUSE:EL-9:Update:Products:SaltBundle:Update | – | saltbundlepy-websocket-client | < 1.5.1-1.12.2; fix: upgrade to 1.5.1-1.12.2 |
| SUSE:EL-9:Update:Products:SaltBundle:Update | – | venv-salt-minion | < 3006.0-1.67.1; fix: upgrade to 3006.0-1.67.1 |
| SUSE:Manager Client Tools for RHEL, Liberty and Clones 9-CLIENT-TOOLS | – | venv-salt-minion | < 3006.0-1.67.1; fix: upgrade to 3006.0-1.67.1 |
Original title
Security update 5.0.7 for Multi-Linux Manager Salt Bundle
Original description
This update fixes the following issues:
venv-salt-minion:
- Security issues fixed:
  * CVE-2025-67724: fixed missing validation of supplied reason phrase (bsc#1254903)
  * CVE-2025-67725: fixed DoS via malicious HTTP request (bsc#1254905)
  * CVE-2025-67726: fixed HTTP header parameter parsing algorithm (bsc#1254904)
  * CVE-2025-62349: Added minimum_auth_version to enforce security (bsc#1254257)
  * CVE-2025-62348: Fixed Junos module yaml loader (bsc#1254256)
  * CVE-2025-13836: Set a safe limit to http.client response read (bsc#1254400)
- Fixed KeyError in postgres module with PostgreSQL 17 (bsc#1254325)
- Use internal deb classes instead of external aptsource lib
- Improved performance of wheel key.finger call (bsc#1240532)
- Improved performance of utils.find_json function (bsc#1246130)
- Extended warn_until period to 2027
References
- https://www.suse.com/support/update/announcement/2026/suse-su-20261026-1/ Vendor Advisory
- https://bugzilla.suse.com/1240532 Third Party Advisory
- https://bugzilla.suse.com/1246130 Third Party Advisory
- https://bugzilla.suse.com/1254256 Third Party Advisory
- https://bugzilla.suse.com/1254257 Third Party Advisory
- https://bugzilla.suse.com/1254325 Third Party Advisory
- https://bugzilla.suse.com/1254400 Third Party Advisory
- https://bugzilla.suse.com/1254903 Third Party Advisory
- https://bugzilla.suse.com/1254904 Third Party Advisory
- https://bugzilla.suse.com/1254905 Third Party Advisory
- https://www.suse.com/security/cve/CVE-2025-13836 URL
- https://www.suse.com/security/cve/CVE-2025-62348 URL
- https://www.suse.com/security/cve/CVE-2025-62349 URL
- https://www.suse.com/security/cve/CVE-2025-67724 URL
- https://www.suse.com/security/cve/CVE-2025-67725 URL
- https://www.suse.com/security/cve/CVE-2025-67726 URL
Published: 25 Mar 2026 · Updated: 26 Mar 2026 · First seen: 26 Mar 2026