Mailinglist Archive: opensuse-security-announce (78 mails)

< Previous Next >
[security-announce] openSUSE-SU-2018:4197-1: moderate: Security update for salt
openSUSE Security Update: Security update for salt
______________________________________________________________________________

Announcement ID: openSUSE-SU-2018:4197-1
Rating: moderate
References: #1104491 #1107333 #1108557 #1108834 #1108995
#1109893 #1110938 #1112874 #1113698 #1113699
#1113784 #1114197 #1114824
Cross-References: CVE-2018-15750 CVE-2018-15751
Affected Products:
openSUSE Leap 42.3
______________________________________________________________________________

An update that solves two vulnerabilities and has 11 fixes
is now available.

Description:

This update for salt fixes the following issues:

- Crontab module fix: file attributes option missing (boo#1114824)
- Fix git_pillar merging across multiple __env__ repositories (boo#1112874)
- Bugfix: unable to detect os arch when RPM is not installed (boo#1114197)
- Fix LDAP authentication issue when a valid token is generated by the
salt-api even when invalid user credentials are passed. (U#48901)
- Improved handling of LDAP group id. gid is no longer treated as a
string, which could have lead to faulty group creations. (boo#1113784)
- Fix remote command execution and incorrect access control when using
salt-api. (boo#1113699) (CVE-2018-15751)
- Fix Directory traversal vulnerability when using salt-api. Allows an
attacker to determine what files exist on a server when querying /run or
/events. (boo#1113698) (CVE-2018-15750)
- Add multi-file support and globbing to the filetree (U#50018)
- Bugfix: supportconfig non-root permission issues (U#50095)
- Open profiles permissions to everyone for read-only
- Preserving signature in "module.run" state (U#50049)
- Install default salt-support profiles
- Remove unit test, came from a wrong branch. Fix merging failure.
- Add CPE_NAME for osversion* grain parsing
- Get os_family for RPM distros from the RPM macros
- Install support profiles
- Fix async call to process manager (boo#1110938)
- Salt-based supportconfig implementation (technology preview)
- Bugfix: any unicode string of length 16 will raise TypeError
- Fix IPv6 scope (boo#1108557)
- Handle zypper ZYPPER_EXIT_NO_REPOS exit code (boo#1108834, boo#1109893)
- Bugfix for pkg_resources crash (boo#1104491)
- Fix loosen azure sdk dependencies in azurearm cloud driver (boo#1107333)
- Fix broken "resolve_capabilities" on Python 3 (boo#1108995)


Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended
installation methods
like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- openSUSE Leap 42.3:

zypper in -t patch openSUSE-2018-1574=1



Package List:

- openSUSE Leap 42.3 (noarch):

salt-bash-completion-2018.3.0-23.1
salt-fish-completion-2018.3.0-23.1
salt-zsh-completion-2018.3.0-23.1

- openSUSE Leap 42.3 (x86_64):

python2-salt-2018.3.0-23.1
python3-salt-2018.3.0-23.1
salt-2018.3.0-23.1
salt-api-2018.3.0-23.1
salt-cloud-2018.3.0-23.1
salt-doc-2018.3.0-23.1
salt-master-2018.3.0-23.1
salt-minion-2018.3.0-23.1
salt-proxy-2018.3.0-23.1
salt-ssh-2018.3.0-23.1
salt-syndic-2018.3.0-23.1


References:

https://www.suse.com/security/cve/CVE-2018-15750.html
https://www.suse.com/security/cve/CVE-2018-15751.html
https://bugzilla.suse.com/1104491
https://bugzilla.suse.com/1107333
https://bugzilla.suse.com/1108557
https://bugzilla.suse.com/1108834
https://bugzilla.suse.com/1108995
https://bugzilla.suse.com/1109893
https://bugzilla.suse.com/1110938
https://bugzilla.suse.com/1112874
https://bugzilla.suse.com/1113698
https://bugzilla.suse.com/1113699
https://bugzilla.suse.com/1113784
https://bugzilla.suse.com/1114197
https://bugzilla.suse.com/1114824

--
To unsubscribe, e-mail: opensuse-security-announce+unsubscribe@xxxxxxxxxxxx
For additional commands, e-mail: opensuse-security-announce+help@xxxxxxxxxxxx

< Previous Next >
This Thread
  • No further messages