Security update for salt SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2021:2106-1 Final 1 1 2021-07-11T12:04:10Z current 2021-07-11T12:04:10Z 2021-07-11T12:04:10Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for salt This update for salt fixes the following issues: Update to Salt release version 3002.2 (jsc#ECO-3212, jsc#SLE-18033, jsc#SLE-18028) - Check if dpkgnotify is executable (bsc#1186674) - Drop support for Python2. Obsoletes `python2-salt` package (jsc#SLE-18028) - virt module updates * network: handle missing ipv4 netmask attribute * more network support * PCI/USB host devices passthrough support - Set distro requirement to oldest supported version in requirements/base.txt - Bring missing part of async batch implementation back (CVE-2021-25315, bsc#1182382) - Always require `python3-distro` (bsc#1182293) - Remove deprecated warning that breaks minion execution when 'server_id_use_crc' opts is missing - Fix pkg states when DEB package has 'all' arch - Do not force beacons configuration to be a list. - Remove msgpack < 1.0.0 from base requirements (bsc#1176293) - msgpack support for version >= 1.0.0 (bsc#1171257) - Fix issue parsing errors in ansiblegate state module - Prevent command injection in the snapper module (bsc#1185281, CVE-2021-31607) - transactional_update: detect recursion in the executor - Add subpackage salt-transactional-update (jsc#SLE-18033) - Improvements on 'ansiblegate' module (bsc#1185092): * New methods: ansible.targets / ansible.discover_playbooks - Add support for Alibaba Cloud Linux 2 (Aliyun Linux) - Regression fix of salt-ssh on processing targets - Update target fix for salt-ssh and avoiding race condition on salt-ssh event processing (bsc#1179831, bsc#1182281) - Add notify beacon for Debian/Ubuntu systems - Fix zmq bug that causes salt-call to freeze (bsc#1181368) The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-SLE-15.3-2021-2106 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/MU6P3NIODW6ZMC4HZLBROO6ZEOD5KAUX/ E-Mail link for openSUSE-SU-2021:2106-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1171257 SUSE Bug 1171257 https://bugzilla.suse.com/1176293 SUSE Bug 1176293 https://bugzilla.suse.com/1179831 SUSE Bug 1179831 https://bugzilla.suse.com/1181368 SUSE Bug 1181368 https://bugzilla.suse.com/1182281 SUSE Bug 1182281 https://bugzilla.suse.com/1182293 SUSE Bug 1182293 https://bugzilla.suse.com/1182382 SUSE Bug 1182382 https://bugzilla.suse.com/1185092 SUSE Bug 1185092 https://bugzilla.suse.com/1185281 SUSE Bug 1185281 https://bugzilla.suse.com/1186674 SUSE Bug 1186674 https://www.suse.com/security/cve/CVE-2018-15750/ SUSE CVE CVE-2018-15750 page https://www.suse.com/security/cve/CVE-2018-15751/ SUSE CVE CVE-2018-15751 page https://www.suse.com/security/cve/CVE-2020-11651/ SUSE CVE CVE-2020-11651 page https://www.suse.com/security/cve/CVE-2020-11652/ SUSE CVE CVE-2020-11652 page https://www.suse.com/security/cve/CVE-2020-25592/ SUSE CVE CVE-2020-25592 page https://www.suse.com/security/cve/CVE-2021-25315/ SUSE CVE CVE-2021-25315 page https://www.suse.com/security/cve/CVE-2021-31607/ SUSE CVE CVE-2021-31607 page openSUSE Leap 15.3 python2-distro-1.5.0-3.5.1 python3-distro-1.5.0-3.5.1 python2-distro-1.5.0-3.5.1 as a component of openSUSE Leap 15.3 python3-distro-1.5.0-3.5.1 as a component of openSUSE Leap 15.3 Directory Traversal vulnerability in salt-api in SaltStack Salt before 2017.7.8 and 2018.3.x before 2018.3.3 allows remote attackers to determine which files exist on the server. CVE-2018-15750 openSUSE Leap 15.3:python2-distro-1.5.0-3.5.1 openSUSE Leap 15.3:python3-distro-1.5.0-3.5.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/MU6P3NIODW6ZMC4HZLBROO6ZEOD5KAUX/ https://www.suse.com/security/cve/CVE-2018-15750.html CVE-2018-15750 https://bugzilla.suse.com/1113698 SUSE Bug 1113698 SaltStack Salt before 2017.7.8 and 2018.3.x before 2018.3.3 allow remote attackers to bypass authentication and execute arbitrary commands via salt-api(netapi). CVE-2018-15751 openSUSE Leap 15.3:python2-distro-1.5.0-3.5.1 openSUSE Leap 15.3:python3-distro-1.5.0-3.5.1 critical To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/MU6P3NIODW6ZMC4HZLBROO6ZEOD5KAUX/ https://www.suse.com/security/cve/CVE-2018-15751.html CVE-2018-15751 https://bugzilla.suse.com/1113698 SUSE Bug 1113698 https://bugzilla.suse.com/1113699 SUSE Bug 1113699 An issue was discovered in SaltStack Salt before 2019.2.4 and 3000 before 3000.2. The salt-master process ClearFuncs class does not properly validate method calls. This allows a remote user to access some methods without authentication. These methods can be used to retrieve user tokens from the salt master and/or run arbitrary commands on salt minions. CVE-2020-11651 openSUSE Leap 15.3:python2-distro-1.5.0-3.5.1 openSUSE Leap 15.3:python3-distro-1.5.0-3.5.1 critical To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/MU6P3NIODW6ZMC4HZLBROO6ZEOD5KAUX/ https://www.suse.com/security/cve/CVE-2020-11651.html CVE-2020-11651 https://bugzilla.suse.com/1170595 SUSE Bug 1170595 An issue was discovered in SaltStack Salt before 2019.2.4 and 3000 before 3000.2. The salt-master process ClearFuncs class allows access to some methods that improperly sanitize paths. These methods allow arbitrary directory access to authenticated users. CVE-2020-11652 openSUSE Leap 15.3:python2-distro-1.5.0-3.5.1 openSUSE Leap 15.3:python3-distro-1.5.0-3.5.1 critical To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/MU6P3NIODW6ZMC4HZLBROO6ZEOD5KAUX/ https://www.suse.com/security/cve/CVE-2020-11652.html CVE-2020-11652 https://bugzilla.suse.com/1170595 SUSE Bug 1170595 In SaltStack Salt through 3002, salt-netapi improperly validates eauth credentials and tokens. A user can bypass authentication and invoke Salt SSH. CVE-2020-25592 openSUSE Leap 15.3:python2-distro-1.5.0-3.5.1 openSUSE Leap 15.3:python3-distro-1.5.0-3.5.1 critical To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/MU6P3NIODW6ZMC4HZLBROO6ZEOD5KAUX/ https://www.suse.com/security/cve/CVE-2020-25592.html CVE-2020-25592 https://bugzilla.suse.com/1178319 SUSE Bug 1178319 CWE - CWE-287: Improper Authentication vulnerability in SUSE Linux Enterprise Server 15 SP 3; openSUSE Tumbleweed allows local attackers to execute arbitrary code via salt without the need to specify valid credentials. This issue affects: SUSE Linux Enterprise Server 15 SP 3 salt versions prior to 3002.2-3. openSUSE Tumbleweed salt version 3002.2-2.1 and prior versions. This issue affects: SUSE Linux Enterprise Server 15 SP 3 salt versions prior to 3002.2-3. openSUSE Tumbleweed salt version 3002.2-2.1 and prior versions. CVE-2021-25315 openSUSE Leap 15.3:python2-distro-1.5.0-3.5.1 openSUSE Leap 15.3:python3-distro-1.5.0-3.5.1 critical To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/MU6P3NIODW6ZMC4HZLBROO6ZEOD5KAUX/ https://www.suse.com/security/cve/CVE-2021-25315.html CVE-2021-25315 https://bugzilla.suse.com/1182382 SUSE Bug 1182382 In SaltStack Salt 2016.9 through 3002.6, a command injection vulnerability exists in the snapper module that allows for local privilege escalation on a minion. The attack requires that a file is created with a pathname that is backed up by snapper, and that the master calls the snapper.diff function (which executes popen unsafely). CVE-2021-31607 openSUSE Leap 15.3:python2-distro-1.5.0-3.5.1 openSUSE Leap 15.3:python3-distro-1.5.0-3.5.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/MU6P3NIODW6ZMC4HZLBROO6ZEOD5KAUX/ https://www.suse.com/security/cve/CVE-2021-31607.html CVE-2021-31607 https://bugzilla.suse.com/1185281 SUSE Bug 1185281 https://bugzilla.suse.com/1210934 SUSE Bug 1210934