ESB-2026.7515
=========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2026.7515 Security update 5.1.4 for Multi-Linux Manager Client Tools 7 July 2026 =========================================================================== AUSCERT Security Bulletin Summary --------------------------------- Product: Multi-Linux Manager Client Tools Publisher: SUSE Operating System: SUSE Resolution: Patch/Upgrade CVE Names: CVE-2022-21698 CVE-2023-45288 CVE-2025-22870 Original Bulletin: https://www.suse.com/support/update/announcement/2026/suse-su-20262765-1 Comment: CVSS (Max): 7.5 CVE-2022-21698 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) CVSS Source: SUSE Calculator: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H EPSS (Max): 92.0% (99th) CVE-2023-45288 2026-07-06 - --------------------------BEGIN INCLUDED TEXT-------------------- Security update 5.1.4 for Multi-Linux Manager Client Tools Announcement ID: SUSE-SU-2026:2765-1 Release Date: 2026-07-06T07:47:16Z Rating: important o bsc#1227579 o bsc#1235516 o bsc#1236516 o bsc#1238686 o bsc#1248699 o bsc#1248707 o bsc#1249532 o bsc#1253174 References: o bsc#1254900 o bsc#1255418 o bsc#1257583 o bsc#1259700 o bsc#1261810 o jsc#MSQA-1056 o jsc#PED-12485 o jsc#PED-7893 o jsc#PED-7928 o CVE-2022-21698 Cross-References: o CVE-2023-45288 o CVE-2025-22870 o CVE-2022-21698 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N /S:U/C:N/I:N/A:H o CVE-2022-21698 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/ S:U/C:N/I:N/A:H o CVE-2023-45288 ( SUSE ): 6.9 CVSS:4.0/AV:N/AC:L/AT:N/PR:N /UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N o CVE-2023-45288 ( SUSE ): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N /S:U/C:N/I:N/A:L CVSS scores: o CVE-2023-45288 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/ S:U/C:N/I:N/A:H o CVE-2025-22870 ( SUSE ): 4.8 CVSS:4.0/AV:L/AC:L/AT:N/PR:L /UI:N/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N o CVE-2025-22870 ( SUSE ): 4.4 CVSS:3.1/AV:L/AC:L/PR:L/UI:N /S:U/C:L/I:N/A:L o CVE-2025-22870 ( NVD ): 4.4 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/ S:U/C:L/I:N/A:L o SUSE Liberty Linux 7 Affected o SUSE Liberty Linux 7 LTSS Products: o SUSE Liberty Linux LTSS 7 for Oracle Linux o SUSE Multi-Linux Manager Client Tools for SUSE Liberty Linux 7, RHEL and clones An update that solves three vulnerabilities, contains four features and has 10 security fixes can now be installed. Description: This update fixes the following issues: golang-github-QubitProducts-exporter_exporter: o Security issue fixed: o CVE-2022-21698: Fixed prometheus/client_golang possible denial of service using InstrumentHandlerCounter (bsc#1248699) golang-github-lusitaniae-apache_exporter: o Non customer facing changes golang-github-prometheus-node_exporter updated to version 1.10.2: o Security issues fixed: CVE-2025-22870: Fixed potential proxy bypass using IPv6 zone IDs (v1.9.1) (bsc#1238686) CVE-2023-45288: Close connections when receiving too many headers (v1.9.0) (bsc#1236516) o Highlights of other changes and bug fixes: o Backward Compatibility and packaging changes: Added compatibility for Go 1.22/1.23 needed in older RHEL toolchains Pinned golang.org/x/net to v0.37.0 for Go 1.22 compatibility o Version 1.10.2: Fixed typo in Zswap metric name (meminfo) o Version 1.10.1: Fixed mount points being collected multiple times (filesystem) Refactored mountinfo parsing (bsc#1261810) Added Zswap/Zswapped metrics (meminfo) o Version 1.10.0: New collectors: PCIe devices, swaps Added systemd virtualization metrics, AIX metrics WiFi packet metrics, additional PCIe and TLB metrics Changed mdadm to use sysfs, added erofs to excluded filesystems Fixed bugs: cpufreq collector, ethtool metrics o Version 1.9.1: Fixed missing IRQ on older kernels (pressure) o Version 1.9.0 (jsc#PED-12485): Switched to Go log/slog for logging Converted meminfo to use procfs library New features: filesystem mount info, Btrfs commit stats, interrupt filtering, slabinfo filters, IRQ PSI metrics, hwmon filtering, network interface alias labels, GPU clock frequencies, AIX support, Enhancements: TCP receive queue drop, block device rotational status, CPU online status, performance optimizations Fixed: ZFS integer underflow, CPU pressure on limited systems, dataset name parsing Use systemd-sysusers to configure the user in a dedicated 'system-user-prometheus' subpackage (bsc#1235516) o Version 1.8.x: Fixed CPU pressure metric collection, pressure collector nil reference o Version 1.8.0: New collectors: xfrm (IPsec), watchdog Added CPU vulnerability mitigation labels, TCP out-of-order queue metrics, filesystem device error surfacing Removed caching of os-release file modtime/filename Fixed: hwmon nil pointer, ethtool metric sanitization, NetClass data race o Version 1.7.0 (jsc#PED-7893, jsc#PED-7928): New: CPU vulnerabilities reporting from sysfs Enhancements: parallelized filesystem stat calls, missing link speeds in ethtool, CPU MHz values, qdisc performance, hwmon filtering, rtnetlink for ARP stats Fixed: netdev 32-bit fallback, btrfs handle leaks, NFSd v4 index o Version 1.6.0: Deprecated ntp and supervisord collectors Removed bcache cache_readaheads_totals metrics Improved offline CPU handling (removed metrics for offline CPUs) New: softirqs collector Enhancements: ZFS zpool states and memory metrics, network interface admin state, CPU frequency governor, reduced btrfs privileges Fixed: perf tracefs detection, thermal zone noise, Linux aarch64 interrupts mgr-push updated to version 5.2.4: o Internal updates with no customer facing changes across versions (v5.2.1-0 to v5.2.4-0) prometheus-postgres_exporter: o Security issue fixed: o CVE-2022-21698: Fixed denial of service using InstrumentHandlerCounter (bsc #1248699) python-simplejson: o Non customer facing changes rhnlib updated to version 5.2.5: o Internal updates with non customer facing changes across versions (v5.2.1-0 to v5.2.5-0) spacecmd updated to version 5.2.8: o Key Update Highlights (v5.2.3-0): o Fixed typo in spacecmd help ca-cert flag (bsc#1253174) o Add subcommand to check if reboot is needed after applying all available patches o Key Update Highlights (v5.2.1-0): o Use JSON instead of pickle for spacecmd cache (bsc#1227579) o Fixed methods in api namespace in spacecmd (bsc#1249532) o Other changes (v5.2.2-0 to 5.2.8-0): o Translation strings updates o Internal updates with non customer facing changes spacewalk-client-tools updated to version 5.2.6: o Internal updates with non customer facing changes across versions (v5.2.1-0 to v5.2.6-0) uyuni-common-libs updated to version 5.2.5: o Key Update Highlights (v5.2.5-0): o Cleaned up the checksum module by removing legacy MD5/SHA1 fallback imports in favor of using standard hashlib directly o Other changes: o Internal updates with non customer facing changes across versions (v5.2.1-0 to v5.2.5-0) venv-salt-minion: o Improved shutdown reliability when the salt-master/minion is terminated o Fixed broken "pkg.info_installed" after migration to salt.utils.timeutil o Calculate UUID grain for Xen PV guests (bsc#1255418) o Use non vendored tornado with Python 3.11 (bsc#1257583, bsc#1259700) o Hardened Tornado from invalid HTTP reason phrases o Read full URI from ldap pillar config (bsc#1254900) Special Instructions and Notes: Patch Instructions: To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: o SUSE Multi-Linux Manager Client Tools for SUSE Liberty Linux 7, RHEL and clones zypper in -t patch SUSE-MultiLinuxManagerTools-RES-7-2026-2765=1 Package List: o SUSE Multi-Linux Manager Client Tools for SUSE Liberty Linux 7, RHEL and clones (aarch64 ppc64le x86_64) python-simplejson-3.3.1-70002.1.3.1 venv-salt-minion-3006.0-70002.5.19.1 prometheus-postgres_exporter-0.10.1-70002.3.3.3 golang-github-lusitaniae-apache_exporter-1.0.10-70002.3.9.3 golang-github-prometheus-node_exporter-1.10.2-70002.3.3.3 golang-github-QubitProducts-exporter_exporter-0.4.0-70002.3.6.2 o SUSE Multi-Linux Manager Client Tools for SUSE Liberty Linux 7, RHEL and clones (noarch) spacewalk-client-tools-5.2.6-70002.3.9.1 mgr-push-5.2.4-70002.3.9.2 python2-rhnlib-5.2.5-70002.3.9.1 python2-uyuni-common-libs-5.2.5-70002.3.6.1 spacecmd-5.2.8-70002.3.12.1 python2-spacewalk-client-tools-5.2.6-70002.3.9.1 python2-mgr-push-5.2.4-70002.3.9.2 References: o https://www.suse.com/security/cve/CVE-2022-21698.html o https://www.suse.com/security/cve/CVE-2023-45288.html o https://www.suse.com/security/cve/CVE-2025-22870.html o https://bugzilla.suse.com/show_bug.cgi?id=1227579 o https://bugzilla.suse.com/show_bug.cgi?id=1235516 o https://bugzilla.suse.com/show_bug.cgi?id=1236516 o https://bugzilla.suse.com/show_bug.cgi?id=1238686 o https://bugzilla.suse.com/show_bug.cgi?id=1248699 o https://bugzilla.suse.com/show_bug.cgi?id=1248707 o https://bugzilla.suse.com/show_bug.cgi?id=1249532 o https://bugzilla.suse.com/show_bug.cgi?id=1253174 o https://bugzilla.suse.com/show_bug.cgi?id=1254900 o https://bugzilla.suse.com/show_bug.cgi?id=1255418 o https://bugzilla.suse.com/show_bug.cgi?id=1257583 o https://bugzilla.suse.com/show_bug.cgi?id=1259700 o https://bugzilla.suse.com/show_bug.cgi?id=1261810 o https://jira.suse.com/browse/MSQA-1056 o https://jira.suse.com/browse/PED-12485 o https://jira.suse.com/browse/PED-7893 o https://jira.suse.com/browse/PED-7928 - --------------------------END INCLUDED TEXT---------------------- You have received this e-mail bulletin as a result of your organisation's registration with AUSCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person. NOTE: Third Party Rights This security bulletin is provided as a service to AUSCERT's members. As AUSCERT did not write the document quoted above, AUSCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AUSCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: https://portal.auscert.org.au/bulletins/ =========================================================================== AUSCERT The University of Queensland, Brisbane QLD 4072 Australia e: auscert@auscert.org.au t: +61 (0)7 3365 4417 Allies in Cyber Security ===========================================================================
Risk Scores
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| SUSE | Multi-Linux Manager Client Tools |
Timeline
- Jul 7, 2026 CVE Published