SUSE Package Hub - SUSE-PackageHub-16.0-900

Update Info

SUSE-PackageHub-16.0-900

Security update for salt

Type: security

Severity: important

Issued: 2026-06-08

Description:

This update for salt fixes the following issues:

Security fixes:

- CVE-2026-31958: python-tornado: parsing large multipart bodies with many parts can cause a denial of service (bsc#1259554)

Other changes in salt:

- Use non vendored tornado with Python 3.11 (bsc#1257583, bsc#1259700)
- Harden Tornado from invalid HTTP reason phrases
- Read full URI from ldap pillar config (bsc#1254900)
- Make users with backslash working for salt-ssh (bsc#1254629)
- Fixed ansible.playbooks extra-vars quoting (bsc#1257831)
- Fixed virtualenv call in test helper to use proper python version

References

CVE: CVE-2026-31958
Bugzilla: 1259700 L3-Question: how to debug a memory leak in salt server stack and probably also in postgres container
Bugzilla: 1259554 VUL-0: CVE-2026-31958: salt: python-tornado: parsing large multipart bodies with many parts can cause a denial of service
Bugzilla: 1257831 Ansible WebUI feature - updating variables or yaml file leads to errors
Bugzilla: 1257583 L3: Memory Leak in venv-salt-minion-3006.0-150000.3.83.1.x86_64
Bugzilla: 1254900 unable to use "ldaps://" for salt ldap connection in SUSE MLM via pillar_ldap.py
Bugzilla: 1254629 AD User with Fully Qualified Name Unable to Bootstrap Minion

Packages

salt-3006.0-160000.5.1

salt-test-3006.0-160000.5.1