   openSUSE Security Update: Security update for salt
______________________________________________________________________________

Announcement ID:    openSUSE-SU-2017:2824-1
Rating:             moderate
References:         #1042749 #1052264 #1059758 #1061407 #1062462
                    #1062464 #985112
Cross-References:   CVE-2017-14695 CVE-2017-14696
Affected Products:
                    openSUSE Leap 42.3
______________________________________________________________________________

   An update that solves two vulnerabilities and has 5 fixes
   is now available.

Description:

   Salt was updated to 2017.7.2 and also to fix various bugs and security
   issues.

   See https://docs.saltstack.com/en/develop/topics/releases/2017.7.2.html
   for full changelog.

   Security issues fixed:

   - CVE-2017-14695: A directory traversal during minion id validation was
     fixed. (boo#1062462)
   - CVE-2017-14696: A remote denial of service attack with a specially
     crafted authentication request was fixed. (boo#1062464)

   Non security issues fixed:

   - Add possibility to generate _version.py at the build time for raw
     builds: https://github.com/saltstack/salt/pull/43955
   - Fix salt target-type field returns "String" for existing jids but an
     empty "Array" for non existing jids. (issue #1711)
   - Fixed minion resource exhaustion when many functions are being
     executed in parallel (boo#1059758)
   - Remove 'TasksTask' attribute from salt-master.service in older
     versions of systemd (boo#985112)
   - Provide custom SUSE salt-master.service file.
   - Fix wrong version reported by Salt (boo#1061407)
   - list_pkgs: add parameter for returned attribute selection
     (boo#1052264)
   - Adding the leftover for zypper and yum list_pkgs functionality.
   - Use $HOME to get the user home directory instead using '~' char
     (boo#1042749)

Patch Instructions:

   To install this openSUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - openSUSE Leap 42.3:

      zypper in -t patch openSUSE-2017-1182=1

   To bring your system up-to-date, use "zypper patch".

Package List:

   - openSUSE Leap 42.3 (noarch):

      salt-bash-completion-2017.7.2-14.1
      salt-fish-completion-2017.7.2-14.1
      salt-zsh-completion-2017.7.2-14.1

   - openSUSE Leap 42.3 (x86_64):

      salt-2017.7.2-14.1
      salt-api-2017.7.2-14.1
      salt-cloud-2017.7.2-14.1
      salt-doc-2017.7.2-14.1
      salt-master-2017.7.2-14.1
      salt-minion-2017.7.2-14.1
      salt-proxy-2017.7.2-14.1
      salt-ssh-2017.7.2-14.1
      salt-syndic-2017.7.2-14.1

References:

   https://www.suse.com/security/cve/CVE-2017-14695.html
   https://www.suse.com/security/cve/CVE-2017-14696.html
   https://bugzilla.suse.com/1042749
   https://bugzilla.suse.com/1052264
   https://bugzilla.suse.com/1059758
   https://bugzilla.suse.com/1061407
   https://bugzilla.suse.com/1062462
   https://bugzilla.suse.com/1062464
   https://bugzilla.suse.com/985112