Correction for the email subject. The correct CVEs are CVE-2020-16846, CVE-2020-17490 and CVE-2020-25592.

Best regards.

On Friday, 6 November 2020 21:04:13 (CET) Julio González Gil wrote:
Dear lists,
Today we released an unscheduled release on top of Uyuni 2020.09, for CVE-2020-16846, CVE-2020-17490 and CVE-2020-25592 that affect salt master and clients.
First, a small warning. The current salt on openSUSE Leap 15.2/15.2 fixes the CVEs already, but contains a regression that breaks onboarding from WebUI and salt ssh manage minions.
A fix for this is already in the openSUSE queue and should be released soon.

Server
======
Please make sure you are on the most recent release (2020.09) and use the following commands on the Uyuni server:

zypper addrepo https://download.opensuse.org/repositories/systemsmanagement:/Uyuni:/Stable:/Patches/openSUSE_Leap_15.2/systemsmanagement:Uyuni:Stable:Patches.repo
zypper refresh
spacewalk-service stop
zypper update
spacewalk-service start

This will download the required spacewalk-java and py26-compat-salt packages, as well as salt from openSUSE Leap 15.2.

Proxies and Clients
===================
Just sync your channels on the Uyuni Server for all operating systems, and that will get the updated salt packages.
Then apply the updates to all your clients as you would do for any other security updates.

More information
================
https://www.saltstack.com/blog/on-november-3-2020-saltstack-publicly-disclosed-three-new-cves/
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-16846/
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-25592/
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-17490/

--
Julio González Gil
Release Engineer, SUSE Manager and Uyuni
jgonzalez@suse.com