Mailinglist Archive: opensuse-security-announce (78 mails)

< Previous Next >
[security-announce] openSUSE-SU-2018:4197-1: moderate: Security update for salt
openSUSE Security Update: Security update for salt

Announcement ID: openSUSE-SU-2018:4197-1
Rating: moderate
References: #1104491 #1107333 #1108557 #1108834 #1108995
#1109893 #1110938 #1112874 #1113698 #1113699
#1113784 #1114197 #1114824
Cross-References: CVE-2018-15750 CVE-2018-15751
Affected Products:
openSUSE Leap 42.3

An update that solves two vulnerabilities and has 11 fixes
is now available.


This update for salt fixes the following issues:

- Crontab module fix: file attributes option missing (boo#1114824)
- Fix git_pillar merging across multiple __env__ repositories (boo#1112874)
- Bugfix: unable to detect os arch when RPM is not installed (boo#1114197)
- Fix LDAP authentication issue when a valid token is generated by the
salt-api even when invalid user credentials are passed. (U#48901)
- Improved handling of LDAP group id. gid is no longer treated as a
string, which could have lead to faulty group creations. (boo#1113784)
- Fix remote command execution and incorrect access control when using
salt-api. (boo#1113699) (CVE-2018-15751)
- Fix Directory traversal vulnerability when using salt-api. Allows an
attacker to determine what files exist on a server when querying /run or
/events. (boo#1113698) (CVE-2018-15750)
- Add multi-file support and globbing to the filetree (U#50018)
- Bugfix: supportconfig non-root permission issues (U#50095)
- Open profiles permissions to everyone for read-only
- Preserving signature in "" state (U#50049)
- Install default salt-support profiles
- Remove unit test, came from a wrong branch. Fix merging failure.
- Add CPE_NAME for osversion* grain parsing
- Get os_family for RPM distros from the RPM macros
- Install support profiles
- Fix async call to process manager (boo#1110938)
- Salt-based supportconfig implementation (technology preview)
- Bugfix: any unicode string of length 16 will raise TypeError
- Fix IPv6 scope (boo#1108557)
- Handle zypper ZYPPER_EXIT_NO_REPOS exit code (boo#1108834, boo#1109893)
- Bugfix for pkg_resources crash (boo#1104491)
- Fix loosen azure sdk dependencies in azurearm cloud driver (boo#1107333)
- Fix broken "resolve_capabilities" on Python 3 (boo#1108995)

Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended
installation methods
like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- openSUSE Leap 42.3:

zypper in -t patch openSUSE-2018-1574=1

Package List:

- openSUSE Leap 42.3 (noarch):


- openSUSE Leap 42.3 (x86_64):



To unsubscribe, e-mail: opensuse-security-announce+unsubscribe@xxxxxxxxxxxx
For additional commands, e-mail: opensuse-security-announce+help@xxxxxxxxxxxx

< Previous Next >
This Thread
  • No further messages