Description
Security update for salt
This update for salt fixes the following issues:
- Check if dpkgnotify is executable (bsc#1186674)
- Update to Salt release version 3002.2 (jsc#ECO-3212, jsc#SLE-18033, jsc#SLE-18028)
- Drop support for Python2. Obsoletes python2-salt package (jsc#SLE-18028)
- Fix issue parsing errors in ansiblegate state module
- Prevent command injection in the snapper module (bsc#1185281, CVE-2021-31607)
- transactional_update: detect recursion in the executor
- Add subpackage salt-transactional-update (jsc#SLE-18033)
- Remove duplicate directories
Package list
openSUSE Leap 15.3
python3-salt-3002.2-8.41.8.1
salt-3002.2-8.41.8.1
salt-api-3002.2-8.41.8.1
salt-bash-completion-3002.2-8.41.8.1
salt-cloud-3002.2-8.41.8.1
salt-doc-3002.2-8.41.8.1
salt-fish-completion-3002.2-8.41.8.1
salt-master-3002.2-8.41.8.1
salt-minion-3002.2-8.41.8.1
salt-proxy-3002.2-8.41.8.1
salt-ssh-3002.2-8.41.8.1
salt-standalone-formulas-configuration-3002.2-8.41.8.1
salt-syndic-3002.2-8.41.8.1
salt-transactional-update-3002.2-8.41.8.1
salt-zsh-completion-3002.2-8.41.8.1
References
- E-Mail link for openSUSE-SU-2021:1951-1
- SUSE Security Ratings
- SUSE Bug 1185281
- SUSE Bug 1186674
- SUSE CVE CVE-2021-31607 page
Description
In SaltStack Salt 2016.9 through 3002.6, a command injection vulnerability exists in the snapper module that allows for local privilege escalation on a minion. The attack requires that a file is created with a pathname that is backed up by snapper, and that the master calls the snapper.diff function (which executes popen unsafely).
Affected products
openSUSE Leap 15.3:python3-salt-3002.2-8.41.8.1
openSUSE Leap 15.3:salt-3002.2-8.41.8.1
openSUSE Leap 15.3:salt-api-3002.2-8.41.8.1
openSUSE Leap 15.3:salt-bash-completion-3002.2-8.41.8.1
References
- CVE-2021-31607
- SUSE Bug 1185281
- SUSE Bug 1210934