Description
Security update for Salt
This update for salt fixes one security issue and bugs.
The following security issues have been fixed:
- CVE-2017-14695: A directory traversal vulnerability in minion id validation allowed remote minions with incorrect credentials to authenticate to a master via a crafted minion ID. (bsc#1062462)
- CVE-2017-14696: It was possible to force a remote Denial of Service with a specially crafted authentication request. (bsc#1062464)
Additionally, the following non-security issues have been fixed:
- Removed deprecation warning for beacon configuration using dictionaries. (bsc#1041993)
- Fixed beacons failure when pillar-based configuration suppresses config-based configuration. (bsc#1060230)
- Fixed minion resource exhaustion when many functions are being executed in parallel. (bsc#1059758)
- Remove 'TasksTask' attribute from salt-master.service in older versions of systemd. (bsc#985112)
- Fix for delete_deployment in Kubernetes module. (bsc#1059291)
- Catching error when PIDfile cannot be deleted. (bsc#1050003)
- Use $HOME to get the user home directory instead of using the '~' character. (bsc#1042749)
Package list
SUSE Linux Enterprise Server 11 SP3-CLIENT-TOOLS
salt-2016.11.4-43.10.2
salt-doc-2016.11.4-43.10.2
salt-minion-2016.11.4-43.10.2
SUSE Linux Enterprise Server 11 SP4-CLIENT-TOOLS
salt-2016.11.4-43.10.2
salt-doc-2016.11.4-43.10.2
salt-minion-2016.11.4-43.10.2
References
- Link for SUSE-SU-2017:3381-1
- E-Mail link for SUSE-SU-2017:3381-1
- SUSE Security Ratings
- SUSE Bug 1041993
- SUSE Bug 1042749
- SUSE Bug 1050003
- SUSE Bug 1059291
- SUSE Bug 1059758
- SUSE Bug 1060230
- SUSE Bug 1062462
- SUSE Bug 1062464
- SUSE Bug 985112
- SUSE CVE CVE-2017-14695 page
- SUSE CVE CVE-2017-14696 page
Description
Directory traversal vulnerability in minion id validation in SaltStack Salt before 2016.3.8, 2016.11.x before 2016.11.8, and 2017.7.x before 2017.7.2 allows remote minions with incorrect credentials to authenticate to a master via a crafted minion ID. NOTE: this vulnerability exists because of an incomplete fix for CVE-2017-12791.
Affected products
SUSE Linux Enterprise Server 11 SP3-CLIENT-TOOLS:salt-2016.11.4-43.10.2
SUSE Linux Enterprise Server 11 SP3-CLIENT-TOOLS:salt-doc-2016.11.4-43.10.2
SUSE Linux Enterprise Server 11 SP3-CLIENT-TOOLS:salt-minion-2016.11.4-43.10.2
SUSE Linux Enterprise Server 11 SP4-CLIENT-TOOLS:salt-2016.11.4-43.10.2
References
- CVE-2017-14695
- SUSE Bug 1053955
- SUSE Bug 1062462
Description
SaltStack Salt before 2016.3.8, 2016.11.x before 2016.11.8, and 2017.7.x before 2017.7.2 allows remote attackers to cause a denial of service via a crafted authentication request.
Affected products
SUSE Linux Enterprise Server 11 SP3-CLIENT-TOOLS:salt-2016.11.4-43.10.2
SUSE Linux Enterprise Server 11 SP3-CLIENT-TOOLS:salt-doc-2016.11.4-43.10.2
SUSE Linux Enterprise Server 11 SP3-CLIENT-TOOLS:salt-minion-2016.11.4-43.10.2
SUSE Linux Enterprise Server 11 SP4-CLIENT-TOOLS:salt-2016.11.4-43.10.2
References
- CVE-2017-14696
- SUSE Bug 1053955
- SUSE Bug 1062464