SUSE-SU-2025:02491-1

This update fixes the following issues:

venv-salt-minion:

• Security issues fixed:

  • CVE-2024-38822: Fixed Minion token validation (bsc#1244561)
  • CVE-2024-38823: Fixed server vulnerability to replay attacks when not using a TLS encrypted transport (bsc#1244564)
  • CVE-2024-38824: Fixed directory traversal vulnerability in recv_file method (bsc#1244565)
  • CVE-2024-38825: Fixed salt.auth.pki module authentication issue (bsc#1244566)
  • CVE-2025-22240: Fixed arbitrary directory creation or file deletion with GitFS (bsc#1244567)
  • CVE-2025-22236: Fixed Minion event bus authorization bypass (bsc#1244568)
  • CVE-2025-22241: Fixed the use of un-validated input in the VirtKey class (bsc#1244570)
  • CVE-2025-22237: Fixed exploitation of the 'on demand' pillar functionality (bsc#1244571)
  • CVE-2025-22238: Fixed the master's default cache vulnerability to a directory traversal attack (bsc#1244572)
  • CVE-2025-22239: Fixed the arbitrary event injection on the Salt Master (bsc#1244574)
  • CVE-2025-22242: Fixed a Denial of Service vulnerability through file read operation (bsc#1244575)
  • CVE-2025-47287: Fixed a Denial of Service vulnerability in Tornado logging behavior (bsc#1243268)

• Other bugs fixed:

  • Added subsystem filter to udev.exportdb (bsc#1236621)
  • Fixed Ubuntu 24.04 test failures
  • Fixed refresh of osrelease and related grains on Python 3.10+
  • Fixed issue requiring proper Python flavor for dependencies
  • Fixed VIRTUAL_ENV variable in activate file to point to actual path
  • Fixed the bundle path in pyvenv.cfg
  • Prevent tests failures when pygit2 is not present