SUSE-SU-2024:0507-1

Published: 15 Feb 2024
Source: suse-cvrf

Description

Security update for salt

This update for salt fixes the following issues:

Security issues fixed:

  • CVE-2024-22231: Prevent directory traversal when creating syndic cache directory on the master (bsc#1219430)
  • CVE-2024-22232: Prevent directory traversal attacks in the master's serve_file method (bsc#1219431)

Bugs fixed:

  • Ensure that pillar refresh loads beacons from pillar without restart
  • Fix the aptpkg.py unit test failure
  • Prefer unittest.mock to python-mock in test suite
  • Enable 'KeepAlive' probes for Salt SSH executions (bsc#1211649)
  • Revert changes to set Salt configured user early in the stack (bsc#1216284)
  • Align behavior of some modules when using salt-call via symlink (bsc#1215963)
  • Fix gitfs 'env' and improve cache cleaning (bsc#1193948)
  • Remove python-boto dependency for the python3-salt-testsuite package for Tumbleweed

Package list

Image SLES15-SP2-SAP-Azure-LI-BYOS-Production
python3-salt-3006.0-150200.118.1
salt-3006.0-150200.118.1
salt-standalone-formulas-configuration-3006.0-150200.118.1
Image SLES15-SP2-SAP-Azure-VLI-BYOS-Production
python3-salt-3006.0-150200.118.1
salt-3006.0-150200.118.1
salt-standalone-formulas-configuration-3006.0-150200.118.1
SUSE Linux Enterprise High Performance Computing 15 SP2-LTSS
python3-salt-3006.0-150200.118.1
salt-3006.0-150200.118.1
salt-api-3006.0-150200.118.1
salt-bash-completion-3006.0-150200.118.1
salt-cloud-3006.0-150200.118.1
salt-doc-3006.0-150200.118.1
salt-fish-completion-3006.0-150200.118.1
salt-master-3006.0-150200.118.1
salt-minion-3006.0-150200.118.1
salt-proxy-3006.0-150200.118.1
salt-ssh-3006.0-150200.118.1
salt-standalone-formulas-configuration-3006.0-150200.118.1
salt-syndic-3006.0-150200.118.1
salt-zsh-completion-3006.0-150200.118.1
SUSE Linux Enterprise Server 15 SP2-LTSS
python3-salt-3006.0-150200.118.1
salt-3006.0-150200.118.1
salt-api-3006.0-150200.118.1
salt-bash-completion-3006.0-150200.118.1
salt-cloud-3006.0-150200.118.1
salt-doc-3006.0-150200.118.1
salt-fish-completion-3006.0-150200.118.1
salt-master-3006.0-150200.118.1
salt-minion-3006.0-150200.118.1
salt-proxy-3006.0-150200.118.1
salt-ssh-3006.0-150200.118.1
salt-standalone-formulas-configuration-3006.0-150200.118.1
salt-syndic-3006.0-150200.118.1
salt-transactional-update-3006.0-150200.118.1
salt-zsh-completion-3006.0-150200.118.1
SUSE Linux Enterprise Server for SAP Applications 15 SP2
python3-salt-3006.0-150200.118.1
salt-3006.0-150200.118.1
salt-api-3006.0-150200.118.1
salt-bash-completion-3006.0-150200.118.1
salt-cloud-3006.0-150200.118.1
salt-doc-3006.0-150200.118.1
salt-fish-completion-3006.0-150200.118.1
salt-master-3006.0-150200.118.1
salt-minion-3006.0-150200.118.1
salt-proxy-3006.0-150200.118.1
salt-ssh-3006.0-150200.118.1
salt-standalone-formulas-configuration-3006.0-150200.118.1
salt-syndic-3006.0-150200.118.1
salt-transactional-update-3006.0-150200.118.1
salt-zsh-completion-3006.0-150200.118.1

Description

Syndic cache directory creation in the Salt project is vulnerable to a directory traversal attack, which can allow a malicious attacker to create an arbitrary directory on a Salt master.


Affected products
Image SLES15-SP2-SAP-Azure-LI-BYOS-Production:python3-salt-3006.0-150200.118.1
Image SLES15-SP2-SAP-Azure-LI-BYOS-Production:salt-3006.0-150200.118.1
Image SLES15-SP2-SAP-Azure-LI-BYOS-Production:salt-standalone-formulas-configuration-3006.0-150200.118.1
Image SLES15-SP2-SAP-Azure-VLI-BYOS-Production:python3-salt-3006.0-150200.118.1

Description

A specially crafted URL can be created that leads to a directory traversal in the Salt file server. A malicious user can read an arbitrary file from a Salt master's filesystem.


Affected products
Image SLES15-SP2-SAP-Azure-LI-BYOS-Production:python3-salt-3006.0-150200.118.1
Image SLES15-SP2-SAP-Azure-LI-BYOS-Production:salt-3006.0-150200.118.1
Image SLES15-SP2-SAP-Azure-LI-BYOS-Production:salt-standalone-formulas-configuration-3006.0-150200.118.1
Image SLES15-SP2-SAP-Azure-VLI-BYOS-Production:python3-salt-3006.0-150200.118.1