--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2021-5756fbf8a6
2021-03-02 15:54:53.504811
--------------------------------------------------------------------------------
Name        : salt
Product     : Fedora 33
Version     : 3002.5
Release     : 1.fc33
URL         : https://saltproject.io
Summary     : A parallel remote execution system
Description :
Salt is a distributed remote execution system used to execute commands and
query data. It was developed in order to bring the best solutions found in
the world of remote execution together and make them better, faster and more
malleable. Salt accomplishes this via its ability to handle larger loads of
information, and not just dozens, but hundreds or even thousands of individual
servers, handle them quickly and through a simple and manageable interface.

--------------------------------------------------------------------------------
Update Information:

Update to CVE release 3002.5-1 for Python 3
Fixed on this release: CVE-2021-25283
Fixed in 3002.3: CVE-2020-28243 CVE-2020-28972 CVE-2020-35662 CVE-2021-3148
CVE-2021-3144 CVE-2021-25281 CVE-2021-25282 CVE-2021-25283 CVE-2021-25284
CVE-2021-25284 CVE-2021-3197
--------------------------------------------------------------------------------
ChangeLog:

* Fri Feb 26 2021 SaltStack Packaging Team - 3002.5-1
- Update to CVE release 3002.5-1 for Python 3
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #1933324 - CVE-2021-3197 salt: Shell injection by including ProxyCommand in an argument [fedora-all]
        https://bugzilla.redhat.com/show_bug.cgi?id=1933324
  [ 2 ] Bug #1933326 - CVE-2021-25281 salt: API does not honor eAuth credentials for the wheel_async client [fedora-all]
        https://bugzilla.redhat.com/show_bug.cgi?id=1933326
  [ 3 ] Bug #1933329 - CVE-2021-25282 salt: Directory traversal in wheel.pillar_roots.write [fedora-all]
        https://bugzilla.redhat.com/show_bug.cgi?id=1933329
  [ 4 ] Bug #1933332 - CVE-2021-25283 salt: Jinja renderer does not protect against server-side template injection attacks [fedora-all]
        https://bugzilla.redhat.com/show_bug.cgi?id=1933332
  [ 5 ] Bug #1933337 - CVE-2021-3148 salt: Command injection in salt.utils.thin.gen_thin() [fedora-all]
        https://bugzilla.redhat.com/show_bug.cgi?id=1933337
  [ 6 ] Bug #1933340 - CVE-2021-25284 salt: webutils write passwords in cleartext to /var/log/salt/minion [fedora-all]
        https://bugzilla.redhat.com/show_bug.cgi?id=1933340
  [ 7 ] Bug #1933343 - CVE-2020-35662 salt: Certain modules do not always validated SSL certificates [fedora-all]
        https://bugzilla.redhat.com/show_bug.cgi?id=1933343
  [ 8 ] Bug #1933345 - CVE-2021-3144 salt: eauth tokens can be used once after expiration [fedora-all]
        https://bugzilla.redhat.com/show_bug.cgi?id=1933345
  [ 9 ] Bug #1933348 - CVE-2020-28972 salt: Authentication to vCenter, vSphere, and ESXi servers does not always validate the SSL/TLS certificate [fedora-all]
        https://bugzilla.redhat.com/show_bug.cgi?id=1933348
  [ 10 ] Bug #1933351 - CVE-2020-28243 salt: Privilege escalation on a minion when an unprivileged user is able to create files in any non-blacklisted directory [fedora-all]
        https://bugzilla.redhat.com/show_bug.cgi?id=1933351
--------------------------------------------------------------------------------
This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2021-5756fbf8a6' at the command
line. For more information, refer to the dnf documentation available at
https://dnf.readthedocs.io/en/latest/command_ref.html

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/security/
--------------------------------------------------------------------------------
_______________________________________________
package-announce mailing list -- package-announce@lists.fedoraproject.org
To unsubscribe send an email to package-announce-leave@lists.fedoraproject.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
