
Security vulnerabilities in the salt software package

openSUSE Security Update: Security update for salt
______________________________________________________________________________

Announcement ID: openSUSE-SU-2020:1833-1
Rating: critical
References: #1159670 #1175987 #1176024 #1176294 #1176397
#1177867 #1178319 #1178361 #1178362
Cross-References: CVE-2020-16846 CVE-2020-17490 CVE-2020-25592

Affected Products:
openSUSE Leap 15.2
______________________________________________________________________________

An update that solves three vulnerabilities and has 6 fixes
is now available.

Description:

This update for salt fixes the following issues:

– Properly validate eauth credentials and tokens on SSH calls made by Salt
API (bsc#1178319, bsc#1178362, bsc#1178361, CVE-2020-25592,
CVE-2020-17490, CVE-2020-16846)
– Fix disk.blkid to avoid unexpected keyword argument ‘__pub_user’.
(bsc#1177867)
– Ensure virt.update stop_on_reboot is updated with its default value.
– Do not break package building for systemd OSes.
– Drop wrong mock from chroot unit test.
– Support systemd versions with dot. (bsc#1176294)
– Fix for grains.test_core unit test.
– Fix file/directory user and group ownership containing UTF-8 characters.
(bsc#1176024)
– Several changes to virtualization:
* Fix virt update when cpu and memory are changed.
* Memory Tuning GSoC.
* Properly fix memory setting regression in virt.update.
* Expose libvirt on_reboot in virt states.
– Support transactional systems (MicroOS).
– zypperpkg module ignores retcode 104 for search(). (bsc#1159670)
– Xen disk fixes. No longer generates volumes for Xen disks, but the
corresponding file or block disk. (bsc#1175987)
– Invalidate file list cache when cache file modified time is in the
future. (bsc#1176397)
– Prevent import errors when running test_btrfs unit tests.

This update was imported from the SUSE:SLE-15-SP2:Update update project.

Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or “zypper patch”.

Alternatively you can run the command listed for your product:

– openSUSE Leap 15.2:

zypper in -t patch openSUSE-2020-1833=1

Package List:

– openSUSE Leap 15.2 (x86_64):

python2-salt-3000-lp152.3.15.1
python3-salt-3000-lp152.3.15.1
salt-3000-lp152.3.15.1
salt-api-3000-lp152.3.15.1
salt-cloud-3000-lp152.3.15.1
salt-doc-3000-lp152.3.15.1
salt-master-3000-lp152.3.15.1
salt-minion-3000-lp152.3.15.1
salt-proxy-3000-lp152.3.15.1
salt-ssh-3000-lp152.3.15.1
salt-standalone-formulas-configuration-3000-lp152.3.15.1
salt-syndic-3000-lp152.3.15.1

– openSUSE Leap 15.2 (noarch):

salt-bash-completion-3000-lp152.3.15.1
salt-fish-completion-3000-lp152.3.15.1
salt-zsh-completion-3000-lp152.3.15.1
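
A post-patch check for the package list above, as an added example that is not part of the original advisory: it flags any installed salt package whose version-release is still below the fixed build 3000-lp152.3.15.1. It assumes GNU `sort -V` as a stand-in for RPM's own version comparison; the names `FIXED`, `ver_lt`, `check_salt` and `SAMPLE` are hypothetical, and the sample inventory is constructed.

```shell
#!/bin/sh
# Added example: verify that salt packages are at the fixed build from the
# advisory's package list. Not part of the advisory itself.
FIXED="3000-lp152.3.15.1"   # version-release taken from the package list

# ver_lt A B: succeeds when A sorts strictly before B.
# Assumption: GNU `sort -V` ordering approximates RPM's comparison; it agrees
# for dotted numeric strings such as the ones in this advisory.
ver_lt() {
    [ "$1" != "$2" ] &&
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$1" ]
}

# check_salt: reads "name version-release" lines on stdin, prints every salt
# package below FIXED, and returns 1 if at least one was found.
check_salt() {
    rc=0
    while read -r name evr; do
        case "$name" in
            salt|salt-*|python2-salt|python3-salt) ;;   # packages in the advisory
            *) continue ;;                              # unrelated package
        esac
        if ver_lt "$evr" "$FIXED"; then
            echo "OUTDATED $name $evr (fixed in $FIXED)"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample inventory (not real host data): two packages predate the
# fix, one is already patched, one is unrelated to salt.
SAMPLE='salt-master 3000-lp152.3.12.1
salt-minion 3000-lp152.3.15.1
python3-salt 3000-lp152.3.9.1
bash 4.4-lp152.1.1'

printf '%s\n' "$SAMPLE" | check_salt || echo "salt update still required"

# On a real host, feed the installed package list instead:
#   rpm -qa --qf '%{NAME} %{VERSION}-%{RELEASE}\n' | check_salt
```

A non-zero exit status from `check_salt` means at least one package still predates the fix for CVE-2020-16846, CVE-2020-17490 and CVE-2020-25592.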

References:

https://www.suse.com/security/cve/CVE-2020-16846.html
https://www.suse.com/security/cve/CVE-2020-17490.html
https://www.suse.com/security/cve/CVE-2020-25592.html
https://bugzilla.suse.com/1159670
https://bugzilla.suse.com/1175987
https://bugzilla.suse.com/1176024
https://bugzilla.suse.com/1176294
https://bugzilla.suse.com/1176397
https://bugzilla.suse.com/1177867
https://bugzilla.suse.com/1178319
https://bugzilla.suse.com/1178361
https://bugzilla.suse.com/1178362

