Description
Security update for salt
Salt was updated to 2017.7.2 to fix various bugs and security issues.
See https://docs.saltstack.com/en/develop/topics/releases/2017.7.2.html for full changelog.
Security issues fixed:
- CVE-2017-14695: A directory traversal during minion id validation was fixed. (boo#1062462)
- CVE-2017-14696: A remote denial of service attack with a specially crafted authentication request was fixed. (boo#1062464)
Non-security issues fixed:
- Add the possibility to generate _version.py at build time for raw builds: https://github.com/saltstack/salt/pull/43955
- Fix salt target-type field returning 'String' for existing jids but an empty 'Array' for non-existing jids. (issue #1711)
- Fixed minion resource exhaustion when many functions are being executed in parallel (boo#1059758)
- Remove 'TasksTask' attribute from salt-master.service in older versions of systemd (boo#985112)
- Provide custom SUSE salt-master.service file.
- Fix wrong version reported by Salt (boo#1061407)
- list_pkgs: add parameter for returned attribute selection (boo#1052264)
- Adding the leftover for zypper and yum list_pkgs functionality.
- Use $HOME to get the user home directory instead of using the '~' character (boo#1042749)
Package list
openSUSE Leap 42.3
References
- E-Mail link for openSUSE-SU-2017:2824-1
- SUSE Security Ratings
Description
Directory traversal vulnerability in minion id validation in SaltStack Salt before 2016.3.8, 2016.11.x before 2016.11.8, and 2017.7.x before 2017.7.2 allows remote minions with incorrect credentials to authenticate to a master via a crafted minion ID. NOTE: this vulnerability exists because of an incomplete fix for CVE-2017-12791.
Affected products
References
- CVE-2017-14695
- SUSE Bug 1053955
- SUSE Bug 1062462
Description
SaltStack Salt before 2016.3.8, 2016.11.x before 2016.11.8, and 2017.7.x before 2017.7.2 allows remote attackers to cause a denial of service via a crafted authentication request.
Affected products
References
- CVE-2017-14696
- SUSE Bug 1053955
- SUSE Bug 1062464
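Both CVE descriptions above give the same affected ranges, so one check covers CVE-2017-14695 and CVE-2017-14696. The following is an added example, not part of the advisory or of Salt itself: it reads those ranges literally and sorts an inventory of version strings into affected, fixed and unknown; the host names and the inventory are constructed.

```python
import re

# Fixed releases, read literally from the CVE text above:
# "before 2016.3.8, 2016.11.x before 2016.11.8, and 2017.7.x before 2017.7.2"
OLDEST_FIXED = (2016, 3, 8)
FIXED_BUGFIX_BY_BRANCH = {(2016, 11): 8, (2017, 7): 2}

# Upstream date-based version: YEAR.MONTH.BUGFIX, optionally followed by a suffix.
_VERSION_RE = re.compile(r"^(\d{4})\.(\d{1,2})\.(\d+)")


def parse_salt_version(text):
    """Return (year, month, bugfix), or None if the string is not recognised."""
    match = _VERSION_RE.match(text.strip())
    return tuple(int(part) for part in match.groups()) if match else None


def is_affected(version_text):
    """True/False per the advisory's ranges; None means 'review by hand'."""
    version = parse_salt_version(version_text)
    if version is None:
        return None
    branch = version[:2]
    if branch in FIXED_BUGFIX_BY_BRANCH:
        return version[2] < FIXED_BUGFIX_BY_BRANCH[branch]
    return version < OLDEST_FIXED


def triage(inventory):
    """Split {host: version} into affected, fixed and unknown host lists."""
    result = {"affected": [], "fixed": [], "unknown": []}
    for host, version_text in sorted(inventory.items()):
        verdict = is_affected(version_text)
        key = "unknown" if verdict is None else "affected" if verdict else "fixed"
        result[key].append(host)
    return result


# Constructed inventory (hypothetical hosts) of upstream version strings.
# Distribution packages can carry backported fixes, so compare against the
# vendor advisory when the version is not an upstream one.
SAMPLE_INVENTORY = {
    "master-a": "2017.7.2",
    "master-b": "2017.7.1",
    "minion-c": "2016.11.8",
    "minion-d": "2016.3.7",
    "minion-e": "2015.8.13",
    "minion-f": "unknown-build",
}

if __name__ == "__main__":
    print(triage(SAMPLE_INVENTORY))
```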