
openSUSE 15.1: 2020:0357-1 Moderate: Salt User Escalation and API Issues

March 18, 2020
The latest openSUSE release tackles a duo of significant vulnerabilities and delivers 7 essential enhancements across various system components.
An update that solves two vulnerabilities and has 7 fixes is now available.

Description

This update for salt fixes the following issues:

- Avoid possible user escalation upgrading salt-master (bsc#1157465) (CVE-2019-18897)
- Fix unit tests failures in test_batch_async tests
- Batch Async: Handle exceptions, properly unregister and close instances after running async batching to avoid CPU starvation of the MWorkers (bsc#1162327)
- RHEL/CentOS 8 uses platform-python instead of python3
- New configuration option for selection of grains in the minion start event.
- Fix 'os_family' grain for Astra Linux Common Edition
- Fix for salt-api NET API where unauthenticated attacker could run arbitrary code (CVE-2019-17361) (bsc#1162504)
- Adds disabled parameter to mod_repo in aptpkg module Move token with atomic operation Bad API token files get deleted (bsc#1160931)
- Support for Btrfs and XFS in parted and mkfs added
- Adds list_downloaded for apt Module to enable pre-downloading support

Adds...


Patch

Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- openSUSE Leap 15.1:

zypper in -t patch openSUSE-2020-357=1

Package List

- openSUSE Leap 15.1 (x86_64):

python2-salt-2019.2.0-lp151.5.12.1

python3-salt-2019.2.0-lp151.5.12.1

salt-2019.2.0-lp151.5.12.1

salt-api-2019.2.0-lp151.5.12.1

salt-cloud-2019.2.0-lp151.5.12.1

salt-doc-2019.2.0-lp151.5.12.1

salt-master-2019.2.0-lp151.5.12.1

salt-minion-2019.2.0-lp151.5.12.1

salt-proxy-2019.2.0-lp151.5.12.1

salt-ssh-2019.2.0-lp151.5.12.1

salt-standalone-formulas-configuration-2019.2.0-lp151.5.12.1

salt-syndic-2019.2.0-lp151.5.12.1

- openSUSE Leap 15.1 (noarch):

salt-bash-completion-2019.2.0-lp151.5.12.1

salt-fish-completion-2019.2.0-lp151.5.12.1

salt-zsh-completion-2019.2.0-lp151.5.12.1
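
A post-patch check for the package list above, as an added example that is not part of the original advisory: it reads `name version-release` lines and reports any listed salt package older than the fixed release. The `sort -V` comparison is an approximation of RPM's version ordering (assumed adequate here because no epoch is involved), and the sample inventory, including the older `lp151.5.9.1` release, is constructed.

```shell
#!/bin/sh
# Added example (not from the advisory): flag salt packages older than the fixed release.
FIXED="2019.2.0-lp151.5.12.1"   # version-release from the advisory's package list

# Package names from the advisory's package list.
SALT_PKGS="python2-salt python3-salt salt salt-api salt-cloud salt-doc salt-master
salt-minion salt-proxy salt-ssh salt-standalone-formulas-configuration salt-syndic
salt-bash-completion salt-fish-completion salt-zsh-completion"

# is_listed NAME: succeeds if NAME is one of the advisory's packages.
is_listed() {
    for p in $SALT_PKGS; do
        [ "$p" = "$1" ] && return 0
    done
    return 1
}

# ver_lt A B: succeeds if A sorts strictly before B under GNU sort -V.
# Assumption: approximates rpm's comparison; epochs are not handled.
ver_lt() {
    [ "$1" != "$2" ] &&
        [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$1" ]
}

# audit_salt: reads "name version-release" lines on stdin, prints one line per
# advisory package older than FIXED, and returns 1 if any were found.
audit_salt() {
    rc=0
    while read -r name vr; do
        is_listed "$name" || continue
        if ver_lt "$vr" "$FIXED"; then
            echo "OUTDATED $name $vr (fixed in $FIXED)"
            rc=1
        fi
    done
    return $rc
}

# Constructed inventory for offline use: one stale salt-api, one unrelated package.
sample_inventory() {
    cat <<'EOF'
salt-master 2019.2.0-lp151.5.12.1
salt-api 2019.2.0-lp151.5.9.1
salt-minion 2019.2.0-lp151.5.12.1
bash 4.4-lp151.9.53
EOF
}

# On a live host: rpm -qa --qf '%{NAME} %{VERSION}-%{RELEASE}\n' | audit_salt
```
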

References

https://www.suse.com/security/cve/CVE-2019-17361.html

https://www.suse.com/security/cve/CVE-2019-18897.html

https://bugzilla.suse.com/1135656

https://bugzilla.suse.com/1153611

https://bugzilla.suse.com/1157465

https://bugzilla.suse.com/1158940

https://bugzilla.suse.com/1159118

https://bugzilla.suse.com/1160931

https://bugzilla.suse.com/1162327

https://bugzilla.suse.com/1162504

https://bugzilla.suse.com/1165425

--

Announcement ID: openSUSE-SU-2020:0357-1
Rating: moderate
Affected Products: openSUSE Leap 15.1
