Security vulnerabilities in the salt software package

openSUSE Security Update: Security update for salt
______________________________________________________________________________

Announcement ID: openSUSE-SU-2018:4197-1
Rating: moderate
References: #1104491 #1107333 #1108557 #1108834 #1108995 #1109893 #1110938 #1112874 #1113698 #1113699 #1113784 #1114197 #1114824
Cross-References: CVE-2018-15750 CVE-2018-15751
Affected Products:
openSUSE Leap 42.3
______________________________________________________________________________

An update that solves two vulnerabilities and has 11 fixes is now available.

Description:

This update for salt fixes the following issues:

– Crontab module fix: file attributes option missing (boo#1114824)
– Fix git_pillar merging across multiple __env__ repositories (boo#1112874)
– Bugfix: unable to detect os arch when RPM is not installed (boo#1114197)
– Fix LDAP authentication issue where a valid token was generated by the
salt-api even when invalid user credentials were passed. (U#48901)
– Improved handling of LDAP group id. gid is no longer treated as a
string, which could have led to faulty group creations. (boo#1113784)
– Fix remote command execution and incorrect access control when using
salt-api. (boo#1113699) (CVE-2018-15751)
– Fix directory traversal vulnerability when using salt-api. Allows an
attacker to determine what files exist on a server when querying /run or
/events. (boo#1113698) (CVE-2018-15750)
– Add multi-file support and globbing to the filetree (U#50018)
– Bugfix: supportconfig non-root permission issues (U#50095)
– Open profiles permissions to everyone for read-only
– Preserving signature in “module.run” state (U#50049)
– Install default salt-support profiles
– Remove unit test, came from a wrong branch. Fix merging failure.
– Add CPE_NAME for osversion* grain parsing
– Get os_family for RPM distros from the RPM macros
– Install support profiles
– Fix async call to process manager (boo#1110938)
– Salt-based supportconfig implementation (technology preview)
– Bugfix: any unicode string of length 16 will raise TypeError
– Fix IPv6 scope (boo#1108557)
– Handle zypper ZYPPER_EXIT_NO_REPOS exit code (boo#1108834, boo#1109893)
– Bugfix for pkg_resources crash (boo#1104491)
– Loosen Azure SDK dependencies in the azurearm cloud driver (boo#1107333)
– Fix broken “resolve_capabilities” on Python 3 (boo#1108995)

Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or “zypper patch”.

Alternatively you can run the command listed for your product:

– openSUSE Leap 42.3:

zypper in -t patch openSUSE-2018-1574=1

Package List:

– openSUSE Leap 42.3 (noarch):

salt-bash-completion-2018.3.0-23.1
salt-fish-completion-2018.3.0-23.1
salt-zsh-completion-2018.3.0-23.1

– openSUSE Leap 42.3 (x86_64):

python2-salt-2018.3.0-23.1
python3-salt-2018.3.0-23.1
salt-2018.3.0-23.1
salt-api-2018.3.0-23.1
salt-cloud-2018.3.0-23.1
salt-doc-2018.3.0-23.1
salt-master-2018.3.0-23.1
salt-minion-2018.3.0-23.1
salt-proxy-2018.3.0-23.1
salt-ssh-2018.3.0-23.1
salt-syndic-2018.3.0-23.1
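A verification step is useful after applying the patch: confirm that every salt package on the host is at or above the fixed release listed above. The script below is an added example and is not part of the openSUSE advisory. It reads lines of the form "name version-release" (the shape produced by the `rpm -q --qf '%{NAME} %{VERSION}-%{RELEASE}\n'` query shown in the comments), compares each against the advisory's fixed version 2018.3.0-23.1 with `sort -V`, and reports any package that is still below it. The sample rpm output embedded in the script is constructed so that it runs offline; the function names (`version_ge`, `check_line`, `audit`, `audit_sample`) are the example's own.

```shell
#!/bin/sh
# Added example, not part of the openSUSE advisory: check that installed salt
# packages are at or above the fixed release from openSUSE-SU-2018:4197-1.

FIXED_VERSION="2018.3.0-23.1"   # version-release from the advisory's package list

# Packages the advisory lists for openSUSE Leap 42.3 (x86_64 and noarch).
SALT_PACKAGES="salt salt-master salt-minion salt-api salt-cloud salt-proxy \
salt-ssh salt-syndic salt-doc python2-salt python3-salt \
salt-bash-completion salt-fish-completion salt-zsh-completion"

# version_ge A B: returns 0 when A >= B in GNU sort -V ordering.
# Note: sort -V is close to, but not identical with, rpm's own rpmvercmp;
# on a real host `zypper versioncmp A B` gives the authoritative answer.
version_ge() {
    [ "$1" = "$2" ] && return 0
    highest=$(printf '%s\n%s\n' "$1" "$2" | sort -V | tail -n 1)
    [ "$highest" = "$1" ]
}

# check_line "name version-release": prints a verdict, returns 0 if fixed,
# 1 if the installed release is older than FIXED_VERSION.
# Lines for packages that are not installed are skipped (rpm prints
# "package X is not installed" for those).
check_line() {
    case "$1" in
        *"is not installed"*) echo "SKIP       $1"; return 0 ;;
    esac
    name=${1%% *}
    verrel=${1#* }
    if version_ge "$verrel" "$FIXED_VERSION"; then
        echo "OK         $name $verrel"
        return 0
    else
        echo "VULNERABLE $name $verrel (fixed in $FIXED_VERSION)"
        return 1
    fi
}

# audit: reads "name version-release" lines on stdin; returns 1 if any
# installed package is below the fixed release, 0 otherwise.
audit() {
    rc=0
    while read -r line; do
        [ -z "$line" ] && continue
        check_line "$line" || rc=1
    done
    return $rc
}

# Constructed sample of rpm output (one package deliberately left one
# release behind) so the script can be run without salt installed.
SAMPLE_RPM_OUTPUT="salt-master 2018.3.0-22.1
salt-minion 2018.3.0-23.1
salt-api 2018.3.0-23.1
package salt-cloud is not installed"

audit_sample() {
    printf '%s\n' "$SAMPLE_RPM_OUTPUT" | audit
}

# On a real openSUSE Leap 42.3 host replace the sample with:
#   rpm -q --qf '%{NAME} %{VERSION}-%{RELEASE}\n' $SALT_PACKAGES | audit
audit_sample || echo "At least one salt package still needs patch openSUSE-2018-1574"
```

The exit status of `audit` makes the check usable from configuration management or a cron job: a non-zero status means the host still exposes the salt-api issues fixed by this update and the `zypper in -t patch openSUSE-2018-1574=1` step has not taken effect.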

References:

https://www.suse.com/security/cve/CVE-2018-15750.html
https://www.suse.com/security/cve/CVE-2018-15751.html
https://bugzilla.suse.com/1104491
https://bugzilla.suse.com/1107333
https://bugzilla.suse.com/1108557
https://bugzilla.suse.com/1108834
https://bugzilla.suse.com/1108995
https://bugzilla.suse.com/1109893
https://bugzilla.suse.com/1110938
https://bugzilla.suse.com/1112874
https://bugzilla.suse.com/1113698
https://bugzilla.suse.com/1113699
https://bugzilla.suse.com/1113784
https://bugzilla.suse.com/1114197
https://bugzilla.suse.com/1114824
