Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

suse-cvrf логотип

SUSE-SU-2021:3553-1

Опубликовано: 27 окт. 2021
Источник: suse-cvrf

Описание

Security update for Salt

This update fixes the following issues:

salt:

  • Support querying for JSON data in external sql pillar
  • Exclude the full path of a download URL to prevent injection of malicious code (bsc#1190265, CVE-2021-21996)
  • Fix wrong relative paths resolution with Jinja renderer when importing subdirectories

Список пакетов

Image SLES15-SAP-Azure-BYOS
python3-salt-3002.2-8.41.17.1
salt-3002.2-8.41.17.1
salt-minion-3002.2-8.41.17.1
Image SLES15-SAP-EC2-HVM-BYOS
python3-salt-3002.2-8.41.17.1
salt-3002.2-8.41.17.1
salt-minion-3002.2-8.41.17.1
Image SLES15-SAP-GCE-BYOS
python3-salt-3002.2-8.41.17.1
salt-3002.2-8.41.17.1
salt-minion-3002.2-8.41.17.1
SUSE Linux Enterprise High Performance Computing 15-ESPOS
python3-salt-3002.2-8.41.17.1
salt-3002.2-8.41.17.1
salt-api-3002.2-8.41.17.1
salt-bash-completion-3002.2-8.41.17.1
salt-cloud-3002.2-8.41.17.1
salt-doc-3002.2-8.41.17.1
salt-fish-completion-3002.2-8.41.17.1
salt-master-3002.2-8.41.17.1
salt-minion-3002.2-8.41.17.1
salt-proxy-3002.2-8.41.17.1
salt-ssh-3002.2-8.41.17.1
salt-standalone-formulas-configuration-3002.2-8.41.17.1
salt-syndic-3002.2-8.41.17.1
salt-transactional-update-3002.2-8.41.17.1
salt-zsh-completion-3002.2-8.41.17.1
SUSE Linux Enterprise High Performance Computing 15-LTSS
python3-salt-3002.2-8.41.17.1
salt-3002.2-8.41.17.1
salt-api-3002.2-8.41.17.1
salt-bash-completion-3002.2-8.41.17.1
salt-cloud-3002.2-8.41.17.1
salt-doc-3002.2-8.41.17.1
salt-fish-completion-3002.2-8.41.17.1
salt-master-3002.2-8.41.17.1
salt-minion-3002.2-8.41.17.1
salt-proxy-3002.2-8.41.17.1
salt-ssh-3002.2-8.41.17.1
salt-standalone-formulas-configuration-3002.2-8.41.17.1
salt-syndic-3002.2-8.41.17.1
salt-transactional-update-3002.2-8.41.17.1
salt-zsh-completion-3002.2-8.41.17.1
SUSE Linux Enterprise Server 15-LTSS
python3-salt-3002.2-8.41.17.1
salt-3002.2-8.41.17.1
salt-api-3002.2-8.41.17.1
salt-bash-completion-3002.2-8.41.17.1
salt-cloud-3002.2-8.41.17.1
salt-doc-3002.2-8.41.17.1
salt-fish-completion-3002.2-8.41.17.1
salt-master-3002.2-8.41.17.1
salt-minion-3002.2-8.41.17.1
salt-proxy-3002.2-8.41.17.1
salt-ssh-3002.2-8.41.17.1
salt-standalone-formulas-configuration-3002.2-8.41.17.1
salt-syndic-3002.2-8.41.17.1
salt-transactional-update-3002.2-8.41.17.1
salt-zsh-completion-3002.2-8.41.17.1
SUSE Linux Enterprise Server for SAP Applications 15
python3-salt-3002.2-8.41.17.1
salt-3002.2-8.41.17.1
salt-api-3002.2-8.41.17.1
salt-bash-completion-3002.2-8.41.17.1
salt-cloud-3002.2-8.41.17.1
salt-doc-3002.2-8.41.17.1
salt-fish-completion-3002.2-8.41.17.1
salt-master-3002.2-8.41.17.1
salt-minion-3002.2-8.41.17.1
salt-proxy-3002.2-8.41.17.1
salt-ssh-3002.2-8.41.17.1
salt-standalone-formulas-configuration-3002.2-8.41.17.1
salt-syndic-3002.2-8.41.17.1
salt-transactional-update-3002.2-8.41.17.1
salt-zsh-completion-3002.2-8.41.17.1

Ссылки

Описание

An issue was discovered in SaltStack Salt before 3003.3. A user who has control of the source, and source_hash URLs can gain full file system access as root on a salt minion.

Затронутые продукты
Image SLES15-SAP-Azure-BYOS:python3-salt-3002.2-8.41.17.1
Image SLES15-SAP-Azure-BYOS:salt-3002.2-8.41.17.1
Image SLES15-SAP-Azure-BYOS:salt-minion-3002.2-8.41.17.1
Image SLES15-SAP-EC2-HVM-BYOS:python3-salt-3002.2-8.41.17.1
Ссылки
Уязвимость SUSE-SU-2021:3553-1