Mailinglist Archive: opensuse-updates (123 mails)
openSUSE-SU-2017:2824-1: moderate: Security update for salt
- From: opensuse-security@xxxxxxxxxxxx
- Date: Sat, 21 Oct 2017 00:17:23 +0200 (CEST)
- Message-id: <20171020221723.299BDFC69@maintenance.suse.de>
openSUSE Security Update: Security update for salt
______________________________________________________________________________
Announcement ID: openSUSE-SU-2017:2824-1
Rating: moderate
References: #1042749 #1052264 #1059758 #1061407 #1062462
#1062464 #985112
Cross-References: CVE-2017-14695 CVE-2017-14696
Affected Products:
openSUSE Leap 42.3
______________________________________________________________________________
An update that solves two vulnerabilities and has 5 fixes
is now available.
Description:
Salt was updated to 2017.7.2 to fix various bugs and security
issues.
See https://docs.saltstack.com/en/develop/topics/releases/2017.7.2.html
for full changelog.
Security issues fixed:
- CVE-2017-14695: A directory traversal during minion id validation was
fixed. (boo#1062462)
- CVE-2017-14696: A remote denial of service attack with a specially
crafted authentication request was fixed. (boo#1062464)
Non security issues fixed:
- Add the possibility to generate _version.py at build time for raw
builds: https://github.com/saltstack/salt/pull/43955
- Fix the salt target-type field returning "String" for existing jids but an
empty "Array" for non-existing jids. (issue #1711)
- Fixed minion resource exhaustion when many functions are being executed
in parallel (boo#1059758)
- Remove 'TasksTask' attribute from salt-master.service in older versions
of systemd (boo#985112)
- Provide custom SUSE salt-master.service file.
- Fix wrong version reported by Salt (boo#1061407)
- list_pkgs: add parameter for returned attribute selection (boo#1052264)
- Adding the leftover for zypper and yum list_pkgs functionality.
- Use $HOME to get the user home directory instead of using the '~' char
(boo#1042749)
Patch Instructions:
To install this openSUSE Security Update use YaST online_update.
Alternatively you can run the command listed for your product:
- openSUSE Leap 42.3:
zypper in -t patch openSUSE-2017-1182=1
To bring your system up-to-date, use "zypper patch".
Package List:
- openSUSE Leap 42.3 (noarch):
salt-bash-completion-2017.7.2-14.1
salt-fish-completion-2017.7.2-14.1
salt-zsh-completion-2017.7.2-14.1
- openSUSE Leap 42.3 (x86_64):
salt-2017.7.2-14.1
salt-api-2017.7.2-14.1
salt-cloud-2017.7.2-14.1
salt-doc-2017.7.2-14.1
salt-master-2017.7.2-14.1
salt-minion-2017.7.2-14.1
salt-proxy-2017.7.2-14.1
salt-ssh-2017.7.2-14.1
salt-syndic-2017.7.2-14.1
References:
https://www.suse.com/security/cve/CVE-2017-14695.html
https://www.suse.com/security/cve/CVE-2017-14696.html
https://bugzilla.suse.com/1042749
https://bugzilla.suse.com/1052264
https://bugzilla.suse.com/1059758
https://bugzilla.suse.com/1061407
https://bugzilla.suse.com/1062462
https://bugzilla.suse.com/1062464
https://bugzilla.suse.com/985112
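Added example (not part of the original announcement): a shell check that flags any package from the list above that is still older than the fixed 2017.7.2-14.1 build. The sample inventory is constructed, the function names are hypothetical, and GNU `sort -V` is assumed as an approximation of RPM version ordering.

```shell
#!/bin/sh
# Fixed version-release, taken from the advisory's package list.
FIXED="2017.7.2-14.1"

# Package names from the advisory's package list.
PKGS="salt salt-api salt-cloud salt-doc salt-master salt-minion"
PKGS="$PKGS salt-proxy salt-ssh salt-syndic"
PKGS="$PKGS salt-bash-completion salt-fish-completion salt-zsh-completion"

# ver_lt A B: succeed when A sorts strictly before B.
# Assumption: GNU `sort -V` stands in for RPM version comparison, which is
# adequate for plain numeric version-release strings like these.
ver_lt() {
    [ "$1" != "$2" ] &&
        [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$1" ]
}

# audit_salt: read "name version-release" lines on stdin and print each
# listed package whose version-release is older than FIXED.
audit_salt() {
    while read -r name ver; do
        case " $PKGS " in
            *" $name "*)
                if ver_lt "$ver" "$FIXED"; then
                    echo "OUTDATED $name $ver (need >= $FIXED)"
                fi ;;
        esac
    done
}

# Constructed sample inventory (not from the advisory).
SAMPLE='salt 2017.7.2-14.1
salt-master 2016.11.4-8.1
salt-minion 2017.7.2-14.1
salt-api 2017.7.1-2.1
zypper 1.13.32-11.1'

# On a live host, feed real data instead:
#   rpm -qa --qf '%{NAME} %{VERSION}-%{RELEASE}\n' 'salt*' | audit_salt
printf '%s\n' "$SAMPLE" | audit_salt
```

Any `OUTDATED` line means the patch named under "Patch Instructions" has not been applied to that package.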