SUSE-SU-2023:4389-1

Опубликовано: 09 нояб. 2023

Источник: suse-cvrf

Описание

Security update for salt

This update for salt fixes the following issues:

Security issues fixed:

CVE-2023-34049: arbitrary code execution via symlink attack (bsc#1215157)

Bugs fixed:

Fix optimization_order opt to prevent testsuite fails
Improve salt.utils.json.find_json to avoid fails (bsc#1213293)
Use salt-call from salt bundle with transactional_update
Only call native_str on curl_debug message in tornado when needed
Implement the calling for batch async from the salt CLI
Fix calculation of SLS context vars when trailing dots on targetted sls/state (bsc#1213518)
Rename salt-tests to python3-salt-testsuite
Allow all primitive grain types for autosign_grains (bsc#1214477)

Список пакетов

Image SLES15-SP2-BYOS-Azure

python3-salt-3006.0-150200.113.1

salt-3006.0-150200.113.1

salt-minion-3006.0-150200.113.1

Image SLES15-SP2-HPC-BYOS-Azure

python3-salt-3006.0-150200.113.1

salt-3006.0-150200.113.1

salt-minion-3006.0-150200.113.1

Image SLES15-SP2-SAP-Azure-LI-BYOS-Production

python3-salt-3006.0-150200.113.1

salt-3006.0-150200.113.1

salt-standalone-formulas-configuration-3006.0-150200.113.1

Image SLES15-SP2-SAP-Azure-VLI-BYOS-Production

python3-salt-3006.0-150200.113.1

salt-3006.0-150200.113.1

salt-standalone-formulas-configuration-3006.0-150200.113.1

Image SLES15-SP2-SAP-BYOS-Azure

python3-salt-3006.0-150200.113.1

salt-3006.0-150200.113.1

salt-minion-3006.0-150200.113.1

salt-standalone-formulas-configuration-3006.0-150200.113.1

Image SLES15-SP2-SAP-BYOS-EC2-HVM

python3-salt-3006.0-150200.113.1

salt-3006.0-150200.113.1

salt-minion-3006.0-150200.113.1

salt-standalone-formulas-configuration-3006.0-150200.113.1

Image SLES15-SP2-SAP-BYOS-GCE

python3-salt-3006.0-150200.113.1

salt-3006.0-150200.113.1

salt-minion-3006.0-150200.113.1

salt-standalone-formulas-configuration-3006.0-150200.113.1

SUSE Linux Enterprise High Performance Computing 15 SP2-LTSS

python3-salt-3006.0-150200.113.1

salt-3006.0-150200.113.1

salt-api-3006.0-150200.113.1

salt-bash-completion-3006.0-150200.113.1

salt-cloud-3006.0-150200.113.1

salt-doc-3006.0-150200.113.1

salt-fish-completion-3006.0-150200.113.1

salt-master-3006.0-150200.113.1

salt-minion-3006.0-150200.113.1

salt-proxy-3006.0-150200.113.1

salt-ssh-3006.0-150200.113.1

salt-standalone-formulas-configuration-3006.0-150200.113.1

salt-syndic-3006.0-150200.113.1

salt-zsh-completion-3006.0-150200.113.1

SUSE Linux Enterprise Server 15 SP2-LTSS

python3-salt-3006.0-150200.113.1

salt-3006.0-150200.113.1

salt-api-3006.0-150200.113.1

salt-bash-completion-3006.0-150200.113.1

salt-cloud-3006.0-150200.113.1

salt-doc-3006.0-150200.113.1

salt-fish-completion-3006.0-150200.113.1

salt-master-3006.0-150200.113.1

salt-minion-3006.0-150200.113.1

salt-proxy-3006.0-150200.113.1

salt-ssh-3006.0-150200.113.1

salt-standalone-formulas-configuration-3006.0-150200.113.1

salt-syndic-3006.0-150200.113.1

salt-transactional-update-3006.0-150200.113.1

salt-zsh-completion-3006.0-150200.113.1

SUSE Linux Enterprise Server for SAP Applications 15 SP2

python3-salt-3006.0-150200.113.1

salt-3006.0-150200.113.1

salt-api-3006.0-150200.113.1

salt-bash-completion-3006.0-150200.113.1

salt-cloud-3006.0-150200.113.1

salt-doc-3006.0-150200.113.1

salt-fish-completion-3006.0-150200.113.1

salt-master-3006.0-150200.113.1

salt-minion-3006.0-150200.113.1

salt-proxy-3006.0-150200.113.1

salt-ssh-3006.0-150200.113.1

salt-standalone-formulas-configuration-3006.0-150200.113.1

salt-syndic-3006.0-150200.113.1

salt-transactional-update-3006.0-150200.113.1

salt-zsh-completion-3006.0-150200.113.1

Ссылки

https://www.suse.com/support/update/announcement/2023/suse-su-20234389-1/
Link for SUSE-SU-2023:4389-1
https://lists.suse.com/pipermail/sle-security-updates/2023-November/017011.html
E-Mail link for SUSE-SU-2023:4389-1
https://www.suse.com/support/security/rating/
SUSE Security Ratings
https://bugzilla.suse.com/1213293
SUSE Bug 1213293
https://bugzilla.suse.com/1213518
SUSE Bug 1213518
https://bugzilla.suse.com/1214477
SUSE Bug 1214477
https://bugzilla.suse.com/1215157
SUSE Bug 1215157
https://www.suse.com/security/cve/CVE-2023-34049/
SUSE CVE CVE-2023-34049 page

Описание

The Salt-SSH pre-flight option copies the script to the target at a predictable path, which allows an attacker to force Salt-SSH to run their script. If an attacker has access to the target VM and knows the path to the pre-flight script before it runs they can ensure Salt-SSH runs their script with the privileges of the user running Salt-SSH. Do not make the copy path on the target predictable and ensure we check return codes of the scp command if the copy fails.

Затронутые продукты

Image SLES15-SP2-BYOS-Azure:python3-salt-3006.0-150200.113.1

Image SLES15-SP2-BYOS-Azure:salt-3006.0-150200.113.1

Image SLES15-SP2-BYOS-Azure:salt-minion-3006.0-150200.113.1

Image SLES15-SP2-HPC-BYOS-Azure:python3-salt-3006.0-150200.113.1

Ссылки

https://www.suse.com/security/cve/CVE-2023-34049.html
CVE-2023-34049
https://bugzilla.suse.com/1215157
SUSE Bug 1215157

SUSE-SU-2023:4389-1

Описание

Список пакетов

Image SLES15-SP2-BYOS-Azure

Image SLES15-SP2-HPC-BYOS-Azure

Image SLES15-SP2-SAP-Azure-LI-BYOS-Production

Image SLES15-SP2-SAP-Azure-VLI-BYOS-Production

Image SLES15-SP2-SAP-BYOS-Azure

Image SLES15-SP2-SAP-BYOS-EC2-HVM

Image SLES15-SP2-SAP-BYOS-GCE

SUSE Linux Enterprise High Performance Computing 15 SP2-LTSS

SUSE Linux Enterprise Server 15 SP2-LTSS

SUSE Linux Enterprise Server for SAP Applications 15 SP2

Ссылки

Уязвимость: CVE-2023-34049

Описание

Затронутые продукты

Ссылки