openSUSE Security Update: Security update for salt
______________________________________________________________________________

Announcement ID:    openSUSE-SU-2018:1053-1
Rating:             moderate
References:         #1002529 #1004723 #1008933 #1011304 #1011800 #1012398
                    #1012999 #1017078 #1019386 #1022841 #1025896 #1027044
                    #1027240 #1027722 #1030009 #1036125 #1038855 #1039370
                    #1041993 #1050003 #1051948 #1052264 #1053376 #1053955
                    #1059291 #1060230 #1062462 #1063419 #1064520 #1065792
                    #1068446 #1068566 #1071322 #1075950 #1079048 #1081592
                    #967803 #972311 #972490 #975093 #975303 #975733 #975757
                    #978150 #983512 #985661 #986019 #988506 #989193 #989798
                    #990439 #991048 #993039 #999852
Cross-References:   CVE-2016-9639 CVE-2017-12791 CVE-2017-14695 CVE-2017-14696
                    CVE-2017-5200
Affected Products:  openSUSE Leap 42.3
______________________________________________________________________________

An update that solves 5 vulnerabilities and has 49 fixes is now available.

Description:

This update for salt fixes the following issues:

- [Regression] Permission problem: salt-ssh minion bootstrap doesn't work anymore. (bsc#1027722)
- wrong use of os_family string for Suse in the locale module and others (bsc#1038855)
- Cannot bootstrap a host using "Manage system completely via SSH (will not install an agent)" (bsc#1002529)
- add user to or replace members of group not working with SLES11 SPx (bsc#978150)
- SLES-12-GA client fails to start salt minion (SUSE MANAGER 3.0) (bsc#991048)
- salt pkg.latest raises exception if package is not available (bsc#1012999)
- pkg.list_products on "registerrelease" and "productline" returns boolean.False if empty (bsc#989193)
- SLES-12-SP1 salt-minion clients have no Base Channel added by default (bsc#986019)
- "The system requires a reboot" does not disappear from web-UI despite the reboot (bsc#1017078)
- Remove option -f from startproc (bsc#975733)
- [PYTHON2] package salt-minion requires /usr/bin/python (bsc#1081592)
- Upgrading packages on RHEL6/7 client fails (bsc#1068566)
- /var/log/salt has insecure permissions (bsc#1071322)
- [Minion-bootstrapping] Invalid char causes server error (salt-master ERROR) (bsc#1011304)
- CVE-2016-9639: Possible information leak due to revoked keys still being used (bsc#1012398)
- Bootstrapping SLES12 minion invalid (bsc#1053376)
- Minions not correctly onboarded if Proxy has multiple FQDNs (bsc#1063419)
- salt --summary '*' <function> reporting "# of minions that did not return" wrongly (bsc#972311)
- RH-L3 SALT - Stacktrace if nscd package is not present when using nscd state (bsc#1027044)
- Inspector broken: no module "query" or "inspector" while querying or inspecting (bsc#989798)
- [Regression] CentOS 7 minion remote command execution from GUI or CLI, minion not responding (bsc#1027240)
- SALT, minion_id generation doesn't match the new hostname (bsc#967803)
- Salt API server shuts down when SSH call with no matches is issued (bsc#1004723)
- /var/log/salt/minion fails logrotate (bsc#1030009)
- Salt proxy test.ping crashes (bsc#975303)
- salt master floods log with useless messages (bsc#985661)
- After bootstrap salt client has deprecation warnings (bsc#1041993)
- Head: salt 2017.7.2 starts salt-master as user root (bsc#1064520)
- CVE-2017-12791: Maliciously crafted minion IDs can cause unwanted directory traversals on the Salt-master (bsc#1053955)
- salt-2017.7.2 - broken %post script for salt-master (bsc#1079048)
- Tearing down deployment with SaltStack Kubernetes module always shows error (bsc#1059291)
- lvm.vg_present does not recognize PV with certain LVM filter settings (bsc#988506)
- High state fails: No service execution module loaded: check support for service (bsc#1065792)
- When multiple versions of a package are installed on a minion, patch status may vary (bsc#972490)
- Salt cp.push does not work on SUMA 3.2 Builds because of python3.4 (bsc#1075950)
- timezone module does not update /etc/sysconfig/clock (bsc#1008933)
- Add patches to salt to support SUSE Manager scalability features (bsc#1052264)
- salt-minion failed to start on minimal RHEL6 because of DBus exception during load of snapper module (bsc#993039)
- Permission denied: '/var/run/salt-master.pid' (bsc#1050003)
- Jobs scheduled to run at a future time stay pending for Salt minions (bsc#1036125)
- Backport kubernetes-modules to salt (bsc#1051948)
- After highstate: The minion function caused an exception (bsc#1068446)
- VUL-0: CVE-2017-14695: salt: directory traversal vulnerability in minion id validation (bsc#1062462)
- unable to update salt-minion on RHEL (bsc#1022841)
- Nodes run out of memory due to salt-minion process (bsc#983512)
- [Proxy] "Broken pipe" during bootstrap of salt minion (bsc#1039370)
- incorrect return code from /etc/rc.d/salt-minion (bsc#999852)
- CVE-2017-5200: Salt-ssh via API lets arbitrary commands run as user salt (bsc#1011800)
- beacons.conf on salt-minion not processed (bsc#1060230)
- SLES11 SP3 salt-minion Client Cannot Select Base Channel (bsc#975093)
- salt-ssh sys.doc gives authentication failure without arguments (bsc#1019386)
- minion bootstrapping: error when bootstrapping SLE11 clients (bsc#990439)
- Certificate Deployment Fails for SLES11 SP3 Clients (bsc#975757)
- state.module run() does not translate varargs (bsc#1025896)

Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation
methods like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- openSUSE Leap 42.3:

    zypper in -t patch openSUSE-2018-388=1

Package List:

- openSUSE Leap 42.3 (x86_64):

    python2-salt-2018.3.0-17.1
    python3-salt-2018.3.0-17.1
    salt-2018.3.0-17.1
    salt-api-2018.3.0-17.1
    salt-cloud-2018.3.0-17.1
    salt-doc-2018.3.0-17.1
    salt-master-2018.3.0-17.1
    salt-minion-2018.3.0-17.1
    salt-proxy-2018.3.0-17.1
    salt-ssh-2018.3.0-17.1
    salt-syndic-2018.3.0-17.1

- openSUSE Leap 42.3 (noarch):

    salt-bash-completion-2018.3.0-17.1
    salt-fish-completion-2018.3.0-17.1
    salt-zsh-completion-2018.3.0-17.1

References:

https://www.suse.com/security/cve/CVE-2016-9639.html
https://www.suse.com/security/cve/CVE-2017-12791.html
https://www.suse.com/security/cve/CVE-2017-14695.html
https://www.suse.com/security/cve/CVE-2017-14696.html
https://www.suse.com/security/cve/CVE-2017-5200.html
https://bugzilla.suse.com/1002529
https://bugzilla.suse.com/1004723
https://bugzilla.suse.com/1008933
https://bugzilla.suse.com/1011304
https://bugzilla.suse.com/1011800
https://bugzilla.suse.com/1012398
https://bugzilla.suse.com/1012999
https://bugzilla.suse.com/1017078
https://bugzilla.suse.com/1019386
https://bugzilla.suse.com/1022841
https://bugzilla.suse.com/1025896
https://bugzilla.suse.com/1027044
https://bugzilla.suse.com/1027240
https://bugzilla.suse.com/1027722
https://bugzilla.suse.com/1030009
https://bugzilla.suse.com/1036125
https://bugzilla.suse.com/1038855
https://bugzilla.suse.com/1039370
https://bugzilla.suse.com/1041993
https://bugzilla.suse.com/1050003
https://bugzilla.suse.com/1051948
https://bugzilla.suse.com/1052264
https://bugzilla.suse.com/1053376
https://bugzilla.suse.com/1053955
https://bugzilla.suse.com/1059291
https://bugzilla.suse.com/1060230
https://bugzilla.suse.com/1062462
https://bugzilla.suse.com/1063419
https://bugzilla.suse.com/1064520
https://bugzilla.suse.com/1065792
https://bugzilla.suse.com/1068446
https://bugzilla.suse.com/1068566
https://bugzilla.suse.com/1071322
https://bugzilla.suse.com/1075950
https://bugzilla.suse.com/1079048
https://bugzilla.suse.com/1081592
https://bugzilla.suse.com/967803
https://bugzilla.suse.com/972311
https://bugzilla.suse.com/972490
https://bugzilla.suse.com/975093
https://bugzilla.suse.com/975303
https://bugzilla.suse.com/975733
https://bugzilla.suse.com/975757
https://bugzilla.suse.com/978150
https://bugzilla.suse.com/983512
https://bugzilla.suse.com/985661
https://bugzilla.suse.com/986019
https://bugzilla.suse.com/988506
https://bugzilla.suse.com/989193
https://bugzilla.suse.com/989798
https://bugzilla.suse.com/990439
https://bugzilla.suse.com/991048
https://bugzilla.suse.com/993039
https://bugzilla.suse.com/999852
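Added example, not part of the advisory: a Python check that reads `rpm -qa` output from a Leap 42.3 host and reports which salt packages from this update's package list are still below 2018.3.0-17.1, using an rpm-style version/release comparison so that a release like 9.2 is correctly ranked below 17.1. The sample package lines are constructed.

```python
"""Report installed salt packages older than the versions in openSUSE-SU-2018:1053-1.
Added example, not part of the advisory; the sample rpm -qa output is constructed."""
import re

FIXED_VR = "2018.3.0-17.1"  # version-release shipped by this update
FIXED_PKGS = {"python2-salt", "python3-salt", "salt", "salt-api", "salt-cloud",
              "salt-doc", "salt-master", "salt-minion", "salt-proxy", "salt-ssh",
              "salt-syndic", "salt-bash-completion", "salt-fish-completion",
              "salt-zsh-completion"}
# name-version-release.arch; the name may contain '-', version and release do not
NVRA = re.compile(r"^(?P<name>.+)-(?P<vr>[^-]+-[^-]+)\.(?:x86_64|noarch)$")

def rpmvercmp(a, b):
    """rpm-style comparison of version or release strings: split into digit and
    alpha runs, digits compare as integers, alpha runs lexically, digits beat
    alpha, and the string with more segments wins a tie. Returns -1, 0 or 1."""
    sa, sb = re.findall(r"\d+|[A-Za-z]+", a), re.findall(r"\d+|[A-Za-z]+", b)
    for x, y in zip(sa, sb):
        if x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1
        if x.isdigit():
            x, y = int(x), int(y)
        if x != y:
            return 1 if x > y else -1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))

def vr_cmp(installed, fixed):
    """Compare 'version-release' pairs: version decides, release breaks ties."""
    iv, ir = installed.rsplit("-", 1)
    fv, fr = fixed.rsplit("-", 1)
    return rpmvercmp(iv, fv) or rpmvercmp(ir, fr)

def outdated_packages(rpm_qa_lines, fixed_vr=FIXED_VR):
    """Names of salt packages from the advisory that are still below fixed_vr."""
    out = []
    for line in rpm_qa_lines:
        m = NVRA.match(line.strip())
        if m and m["name"] in FIXED_PKGS and vr_cmp(m["vr"], fixed_vr) < 0:
            out.append(m["name"])
    return sorted(out)

# Constructed sample of `rpm -qa 'salt*' 'python*-salt'` on a partly patched host
SAMPLE = ["salt-2017.7.2-12.1.x86_64", "salt-minion-2018.3.0-17.1.x86_64",
          "salt-master-2018.3.0-9.2.x86_64",
          "salt-bash-completion-2018.3.0-17.1.noarch"]

if __name__ == "__main__":
    print("still below %s: %s" % (FIXED_VR, outdated_packages(SAMPLE)))
```

On a real host, feed it the actual output of `rpm -qa 'salt*' 'python*-salt'` instead of SAMPLE; an empty result means every installed package from the list is at or above the fixed version.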