Security update for salt SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2017:2822-1 Final 1 1 2017-10-20T18:05:17Z current 2017-10-20T18:05:17Z 2017-10-20T18:05:17Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for salt Salt was updated to 2017.7.2 and also to fix various bugs and security issues. See the following resources for the full changelog: https://docs.saltstack.com/en/develop/topics/releases/2017.7.2.html https://docs.saltstack.com/en/develop/topics/releases/2017.7.1.html https://docs.saltstack.com/en/develop/topics/releases/2017.7.0.html Security issues fixed: - CVE-2017-14695: A directory traversal during minion id validation was fixed. (boo#1062462) - CVE-2017-14696: A remote denial of service attack with a specially crafted authentication request was fixed. (boo#1062464) - CVE-2017-12791: crafted minion ID could lead directory traversal on the Salt-master (boo#1053955) Non security issues fixed: - Add possibility to generate _version.py at the build time for raw builds: https://github.com/saltstack/salt/pull/43955 - Fix salt target-type field returns 'String' for existing jids but an empty 'Array' for non existing jids. (issue #1711) - Fixed minion resource exhaustion when many functions are being executed in parallel (boo#1059758) - Remove 'TasksTask' attribute from salt-master.service in older versions of systemd (boo#985112) - Provide custom SUSE salt-master.service file. - Fix wrong version reported by Salt (boo#1061407) - list_pkgs: add parameter for returned attribute selection (boo#1052264) - Adding the leftover for zypper and yum list_pkgs functionality. - Use $HOME to get the user home directory instead using '~' char (boo#1042749) - fix ownership for whole master cache directory (boo#1035914) - fix setting the language on SUSE systems (boo#1038855) - wrong os_family grains on SUSE - fix unittests (boo#1038855) - speed-up cherrypy by removing sleep call - Disable 3rd party runtime packages to be explicitly recommended. (boo#1040886) - fix format error (boo#1043111) - Add a salt-minion watchdog for RHEL6 and SLES11 systems (sysV) to restart salt-minion in case of crashes during upgrade. - Add procps as dependency. - Bugfix: jobs scheduled to run at a future time stay pending for Salt minions (boo#1036125) - Wrong os_family grains on SUSE - fix unittests. (boo#1038855) - Fix setting the language on SUSE systems. (boo#1038855) - Bugfix: unable to use hostname for minion ID as '127'. (upstream) - Bugfix: remove sleep call in CheppryPy API handler. (upstream) - Fix core grains constants for timezone. (boo#1032931) - Prevents zero length error on Python 2.6. - Fixes zypper test error after backporting. - Refactoring on Zypper and Yum execution and state modules to allow installation of patches/errata. - Allows to set 'timeout' and 'gather_job_timeout' via kwargs. - Add missing bootstrap script for Salt Cloud. (boo#1032452) - raet protocol is no longer supported. (boo#1020831) - Fix: add missing /var/cache/salt/cloud directory. (boo#1032213) - Cleanup salt user environment preparation. (boo#1027722) - Fix: race condition on cache directory creation. - Fix: /var/log/salt/minion fails logrotate. (boo#1030009) - Fix: Result of master_tops extension is mutually overwritten. (boo#1030073) - Allows to set custom timeouts for 'manage.up' and 'manage.status'. - Keep fix for migrating salt home directory. (boo#1022562) - Fix salt-minion update on RHEL. (boo#1022841) - Prevents 'OSError' exception in case certain job cache path doesn't exist. (boo#1023535) The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://lists.opensuse.org/opensuse-updates/2017-10/msg00073.html E-Mail link for openSUSE-SU-2017:2822-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings openSUSE Leap 42.2 salt-2017.7.2-5.3.1 salt-api-2017.7.2-5.3.1 salt-bash-completion-2017.7.2-5.3.1 salt-cloud-2017.7.2-5.3.1 salt-doc-2017.7.2-5.3.1 salt-fish-completion-2017.7.2-5.3.1 salt-master-2017.7.2-5.3.1 salt-minion-2017.7.2-5.3.1 salt-proxy-2017.7.2-5.3.1 salt-ssh-2017.7.2-5.3.1 salt-syndic-2017.7.2-5.3.1 salt-zsh-completion-2017.7.2-5.3.1 salt-2017.7.2-5.3.1 as a component of openSUSE Leap 42.2 salt-api-2017.7.2-5.3.1 as a component of openSUSE Leap 42.2 salt-bash-completion-2017.7.2-5.3.1 as a component of openSUSE Leap 42.2 salt-cloud-2017.7.2-5.3.1 as a component of openSUSE Leap 42.2 salt-doc-2017.7.2-5.3.1 as a component of openSUSE Leap 42.2 salt-fish-completion-2017.7.2-5.3.1 as a component of openSUSE Leap 42.2 salt-master-2017.7.2-5.3.1 as a component of openSUSE Leap 42.2 salt-minion-2017.7.2-5.3.1 as a component of openSUSE Leap 42.2 salt-proxy-2017.7.2-5.3.1 as a component of openSUSE Leap 42.2 salt-ssh-2017.7.2-5.3.1 as a component of openSUSE Leap 42.2 salt-syndic-2017.7.2-5.3.1 as a component of openSUSE Leap 42.2 salt-zsh-completion-2017.7.2-5.3.1 as a component of openSUSE Leap 42.2 Directory traversal vulnerability in minion id validation in SaltStack Salt before 2016.11.7 and 2017.7.x before 2017.7.1 allows remote minions with incorrect credentials to authenticate to a master via a crafted minion ID. CVE-2017-12791 openSUSE Leap 42.2:salt-2017.7.2-5.3.1 openSUSE Leap 42.2:salt-api-2017.7.2-5.3.1 openSUSE Leap 42.2:salt-bash-completion-2017.7.2-5.3.1 openSUSE Leap 42.2:salt-cloud-2017.7.2-5.3.1 openSUSE Leap 42.2:salt-doc-2017.7.2-5.3.1 openSUSE Leap 42.2:salt-fish-completion-2017.7.2-5.3.1 openSUSE Leap 42.2:salt-master-2017.7.2-5.3.1 openSUSE Leap 42.2:salt-minion-2017.7.2-5.3.1 openSUSE Leap 42.2:salt-proxy-2017.7.2-5.3.1 openSUSE Leap 42.2:salt-ssh-2017.7.2-5.3.1 openSUSE Leap 42.2:salt-syndic-2017.7.2-5.3.1 openSUSE Leap 42.2:salt-zsh-completion-2017.7.2-5.3.1 moderate 4 AV:N/AC:L/Au:S/C:P/I:N/A:N Please Install the update. https://lists.opensuse.org/opensuse-updates/2017-10/msg00073.html https://www.suse.com/security/cve/CVE-2017-12791.html CVE-2017-12791 https://bugzilla.suse.com/1053955 SUSE Bug 1053955 https://bugzilla.suse.com/1062462 SUSE Bug 1062462 Directory traversal vulnerability in minion id validation in SaltStack Salt before 2016.3.8, 2016.11.x before 2016.11.8, and 2017.7.x before 2017.7.2 allows remote minions with incorrect credentials to authenticate to a master via a crafted minion ID. NOTE: this vulnerability exists because of an incomplete fix for CVE-2017-12791. CVE-2017-14695 openSUSE Leap 42.2:salt-2017.7.2-5.3.1 openSUSE Leap 42.2:salt-api-2017.7.2-5.3.1 openSUSE Leap 42.2:salt-bash-completion-2017.7.2-5.3.1 openSUSE Leap 42.2:salt-cloud-2017.7.2-5.3.1 openSUSE Leap 42.2:salt-doc-2017.7.2-5.3.1 openSUSE Leap 42.2:salt-fish-completion-2017.7.2-5.3.1 openSUSE Leap 42.2:salt-master-2017.7.2-5.3.1 openSUSE Leap 42.2:salt-minion-2017.7.2-5.3.1 openSUSE Leap 42.2:salt-proxy-2017.7.2-5.3.1 openSUSE Leap 42.2:salt-ssh-2017.7.2-5.3.1 openSUSE Leap 42.2:salt-syndic-2017.7.2-5.3.1 openSUSE Leap 42.2:salt-zsh-completion-2017.7.2-5.3.1 moderate 5 AV:N/AC:L/Au:N/C:P/I:N/A:N Please Install the update. https://lists.opensuse.org/opensuse-updates/2017-10/msg00073.html https://www.suse.com/security/cve/CVE-2017-14695.html CVE-2017-14695 https://bugzilla.suse.com/1053955 SUSE Bug 1053955 https://bugzilla.suse.com/1062462 SUSE Bug 1062462 SaltStack Salt before 2016.3.8, 2016.11.x before 2016.11.8, and 2017.7.x before 2017.7.2 allows remote attackers to cause a denial of service via a crafted authentication request. CVE-2017-14696 openSUSE Leap 42.2:salt-2017.7.2-5.3.1 openSUSE Leap 42.2:salt-api-2017.7.2-5.3.1 openSUSE Leap 42.2:salt-bash-completion-2017.7.2-5.3.1 openSUSE Leap 42.2:salt-cloud-2017.7.2-5.3.1 openSUSE Leap 42.2:salt-doc-2017.7.2-5.3.1 openSUSE Leap 42.2:salt-fish-completion-2017.7.2-5.3.1 openSUSE Leap 42.2:salt-master-2017.7.2-5.3.1 openSUSE Leap 42.2:salt-minion-2017.7.2-5.3.1 openSUSE Leap 42.2:salt-proxy-2017.7.2-5.3.1 openSUSE Leap 42.2:salt-ssh-2017.7.2-5.3.1 openSUSE Leap 42.2:salt-syndic-2017.7.2-5.3.1 openSUSE Leap 42.2:salt-zsh-completion-2017.7.2-5.3.1 moderate 5 AV:N/AC:L/Au:N/C:N/I:N/A:P Please Install the update. https://lists.opensuse.org/opensuse-updates/2017-10/msg00073.html https://www.suse.com/security/cve/CVE-2017-14696.html CVE-2017-14696 https://bugzilla.suse.com/1053955 SUSE Bug 1053955 https://bugzilla.suse.com/1062464 SUSE Bug 1062464