🟠 High   ⏱ 15–60 min  Last verified: 25 May 2026
Affected versions: SLES 12

📖 ~4 min read  •  Source: SUSE advisory RHSA-2025:0308 (see also SUSE bugzilla)

Related CVEs: CVE-2024-56326 CVE-2016-10745 CVE-2019-10906 CVE-2019-8341 CVE-2020-28493 CVE-2024-34064 CVE-2014-0012

Upstream summary: Jinja is an extensible templating engine. Prior to 3.1.5, An oversight in how the Jinja sandboxed environment detects calls to str.format allows an attacker that controls the content of a template to execute arbitrary Python code. To exploit the vulnerability, an attacker needs to control the content of a template. Whether that is the case depends on the type of application using Jinja. This vulnerability impacts users of applications which execute untrusted templates. Jinja'

Table of contents
  1. Symptom & Impact
  2. Environment & Reproduction
  3. Root Cause Analysis
  4. Quick Triage
  5. Step-by-Step Diagnosis
  6. Solution – Primary Fix
  7. Solution – Alternative Approaches
  8. Verification & Acceptance Criteria
  9. Rollback Plan
  10. Prevention & Hardening
  11. Related Errors & Cross-Refs
  12. References & Further Reading

Symptom & Impact

On SLES 12 hosts that have python-Jinja2 installed, administrators report behaviour consistent with SUSE advisory RHSA-2025:0308: zypper patch-check lists open patches, services backed by python-Jinja2 fail or restart unexpectedly, AppArmor profile warnings appear in journalctl -k — and for security-rated advisories the host is exposed to the vulnerability set above. Impact ranges from a single service-restart loop to wider availability incidents whenever python-Jinja2 sits on the serving path.

Environment & Reproduction

Reproduction targets SLES 12. Confirm release, registration, and installed package:

cat /etc/os-release
SUSEConnect --status-text
SUSEConnect --list-extensions 2>/dev/null | head -30
rpm -q python-Jinja2
zypper info python-Jinja2 | head -20

Trigger the workflow that exposes python-Jinja2 — multiple vulnerabilities (7 CVEs) — patch and remediation guide while collecting:

sudo journalctl -u python-Jinja2 -b --no-pager | tail -200
sudo journalctl -xe --no-pager | tail -200
sudo tail -200 /var/log/zypp/history
sudo tail -200 /var/log/audit/audit.log
# For SUSE support, bundle evidence with supportconfig:
sudo supportconfig -R /var/tmp -B python-Jinja2

Root Cause Analysis

Root cause is documented in SUSE advisory RHSA-2025:0308. SUSE security maintainers shipped fixes in the corresponding python-Jinja2 update for SLES 12; running an outdated build leaves the host exposed to the failure modes described in the advisory. Correlate zypper history with system logs:

sudo zypper history | grep python-Jinja2
sudo zypper history --since='-7 days' | tail -40
sudo journalctl -k | grep -i apparmor | tail -100
cat /proc/sys/kernel/tainted   # non-zero = tainted kernel / out-of-tree modules

Quick Triage

Run these on SLES 12 to capture the current state of python-Jinja2:

rpm -q python-Jinja2                              # installed NVR
rpm -V python-Jinja2                              # verify shipped files
sudo zypper patch-check                    # open patches
sudo zypper lp -r SUSE-SLE-Server-12-* 2>/dev/null | head
systemctl --failed --no-pager
sudo firewall-cmd --list-all 2>/dev/null || sudo SuSEfirewall2 status 2>/dev/null
sudo aa-status                              # AppArmor profiles
# If python-Jinja2 ships a systemd unit (unit name may differ from pkg name, e.g.
# bind→named, postgresql-server→postgresql, php-fpm→php-fpm):
systemctl list-unit-files | grep -i python | head

Step-by-Step Diagnosis

  1. List failed systemd units.

    systemctl --failed --no-pager

  2. Tail the journal for python-Jinja2 and the system bus.

    sudo journalctl -u python-Jinja2 -f --no-pager
sudo journalctl -xe -f --no-pager

  3. Inspect firewall posture. This release uses firewalld; SuSEfirewall2 may still be present on SLES 12 GA.

    sudo firewall-cmd --list-all-zones
sudo SuSEfirewall2 status 2>/dev/null   # legacy, only present on early SLES 12
sudo iptables -L -n -v | head -30

  4. Surface AppArmor denials and switch the profile to complain mode if needed.

    sudo journalctl -k | grep -i 'apparmor="DENIED"' | tail -30
sudo aa-status
sudo aa-complain /etc/apparmor.d/usr.sbin.python-Jinja2 2>/dev/null || true

  5. Verify python-Jinja2 integrity and reinstall if anything is altered.

    sudo rpm -V python-Jinja2
sudo zypper verify
sudo zypper install --force python-Jinja2

  6. Correlate findings with /var/log/zypp/history, zypper history, and SUSE advisory RHSA-2025:0308 to pin the change that introduced python-Jinja2 — multiple vulnerabilities (7 CVEs) — patch and remediation guide.

Solution – Primary Fix

Apply the corrective zypper transaction referenced by SUSE advisory RHSA-2025:0308, then reload affected systemd units:

sudo zypper ref                        # refresh repos
sudo zypper -n patch                   # apply ALL open patches (recommended)
# Or target a single package:
sudo zypper -n update python-Jinja2
sudo systemctl daemon-reload
# Unit name may differ from pkg name; check first:
systemctl list-unit-files | grep -i python | head
sudo systemctl restart python-Jinja2
rpm -q python-Jinja2                           # confirm new NVR
systemctl is-active python-Jinja2 2>/dev/null  # confirm running (if a unit exists)

For kernel / glibc / systemd / openssl advisories a reboot is required (or SLE Live Patching where licensed):

sudo zypper ps -s                      # services using deleted libs
sudo systemctl reboot                  # or: sudo shutdown -r now
# SUSE Live Patching (kgraft / klp) avoids reboot for kernel CVEs:
sudo zypper install -y kernel-livepatch-$(uname -r | tr - _)
klp -v patches                         # active livepatches

Need help rolling this patch across a SUSE fleet? Our IT Solutions & Services team manages SUSE patch windows with SUSE Manager / RMT and Live Patching. Get in touch for a free consultation.

Solution – Alternative Approaches

If the primary patch is not viable, choose from these:

  • Roll back via Snapper (Btrfs snapshots taken automatically before zypper transactions on SLES 12):

    sudo snapper list
sudo snapper undochange <pre>..<post>  # diff between two snapshot numbers
sudo snapper rollback <pre>            # boot the host into the chosen snapshot

  • Lock the package so zypper cannot upgrade it:

    sudo zypper al python-Jinja2                   # add lock
zypper ll | grep python-Jinja2                 # list locks
sudo zypper rl python-Jinja2                   # remove lock

  • Install an older NVR if a regression is suspected:

    zypper se -s python-Jinja2                     # show all available versions
sudo zypper install --oldpackage python-Jinja2-<older-NVR>

  • If SuSEfirewall2 is still in use (rare on modern SLES 12), migrate to firewalld:

    sudo zypper install -y firewalld
sudo systemctl disable --now SuSEfirewall2
sudo systemctl enable --now firewalld

  • Disable the AppArmor profile briefly to confirm policy is the cause, then re-enable:

    sudo aa-disable /etc/apparmor.d/usr.sbin.python-Jinja2
# reproduce, capture denials in the journal:
sudo journalctl -k | grep apparmor | tail
sudo aa-enforce /etc/apparmor.d/usr.sbin.python-Jinja2

  • Where SLE Live Patching is licensed, apply kernel fixes without reboot:

    klp -v patches                         # active livepatches
sudo zypper install -y kernel-livepatch-$(uname -r | tr - _)

Verification & Acceptance Criteria

All of these should pass after the fix:

rpm -q python-Jinja2                                            # expected fixed NVR
sudo zypper patch-check                                  # 0 critical patches outstanding
systemctl is-active python-Jinja2 2>/dev/null
sudo journalctl -u python-Jinja2 --since "5 minutes ago" --no-pager | grep -iE "error|fail" || echo OK
sudo firewall-cmd --list-services
sudo aa-status | head -5
sudo zypper ps -s                                        # any services still using deleted libs

The original reproduction for python-Jinja2 — multiple vulnerabilities (7 CVEs) — patch and remediation guide must not trigger across two consecutive runs.

Rollback Plan

Capture state before any change:

rpm -qa > /root/rpm-pre.txt
sudo zypper history list > /root/zypper-history-pre.txt
# Snapper takes pre/post snapshots automatically on Btrfs root.
sudo snapper create -d 'pre-patch-python-Jinja2'   # explicit named snapshot
sudo snapper list | head

To revert if the patch is bad:

# Preferred on Btrfs root — boot the prior snapshot:
sudo snapper rollback <snapshot-id>
sudo systemctl reboot
# Or downgrade just the package:
sudo zypper install --oldpackage python-Jinja2-<older-NVR>
sudo systemctl daemon-reload
sudo systemctl restart python-Jinja2
# Custom security policy cleanup:
sudo apparmor_parser -R /etc/apparmor.d/usr.sbin.python-Jinja2

Prevention & Hardening

Reduce the chance of this recurring on SLES 12:

  • Enable automatic patch installation:

    sudo zypper install -y zypper-automatic
sudo systemctl enable --now zypper-automatic.timer
# Or use YaST: yast2 online_update_configuration

  • Subscribe to sle-security-updates and watch suse.com/support/update.

  • Mirror through SUSE Manager or RMT (Repository Mirroring Tool) for controlled rollouts:

    sudo zypper install -y rmt-server rmt-cli
sudo rmt-cli sync
sudo rmt-cli products enable SLES/12/x86_64

  • Lock sensitive packages so they cannot be auto-upgraded:

    sudo zypper al python-Jinja2

  • Ensure Snapper is enabled on the root subvolume and pre/post hooks run for every zypper transaction:

    sudo snapper -c root get-config | head
# Default zypper plugin: /usr/lib/zypp/plugins/commit/snapper.zypp-commit-plugin

  • Monitor file integrity with AIDE:

    sudo zypper install -y aide
sudo aide --init && sudo mv /var/lib/aide/aide.db.new /var/lib/aide/aide.db
sudo aide --check

  • Subscribe to SUSE Live Patching so kernel CVEs can be remediated without reboot:

    sudo SUSEConnect -p sle-module-live-patching/12.0/x86_64
sudo zypper install -y kernel-livepatch-$(uname -r | tr - _)
klp -v patches

  • Keep AppArmor profiles in enforce; review /etc/apparmor.d/ after every package upgrade.

  • Apply CIS SUSE Linux Enterprise Server Benchmark hardening.

Issues that commonly surface alongside python-Jinja2 — multiple vulnerabilities (7 CVEs) — patch and remediation guide: zypper lock contention, systemd unit ordering cycles, AppArmor denials, firewalld zone drift, and kernel taint flags. Useful triage:

sudo zypper ps -s
systemd-analyze critical-chain
sudo journalctl -k | grep apparmor | tail
sudo firewall-cmd --get-active-zones
cat /proc/sys/kernel/tainted

View all sles-12 tutorials on the Tutorials Hub →

Browse all common problems & solutions on the Tutorials Hub.

References & Further Reading

Primary reference: SUSE advisory RHSA-2025:0308 (see also SUSE bugzilla). Manual pages useful on SLES 12:

man zypper
man zypper.conf
man systemctl
man journalctl
man firewall-cmd
man snapper
man apparmor
man aa-status
man SUSEConnect
man klp

Other resources: SUSE Linux Enterprise Server 12 documentation, suse.com/security, SUSE security blog, and per-package notes in /usr/share/doc/packages/python-Jinja2/ for components implicated in python-Jinja2 — multiple vulnerabilities (7 CVEs) — patch and remediation guide.