SUSE Security Update: Security Beta update for SUSE Manager Client Tools
______________________________________________________________________________

Announcement ID:    SUSE-SU-2021:3901-1
Rating:             moderate
References:         #1164192 #1167586 #1168327 #1173103 #1173692 
                    #1180650 #1181223 #1184659 #1185131 #1186287 
                    #1186310 #1186581 #1186674 #1186738 #1187787 
                    #1187813 #1188042 #1188170 #1188259 #1188647 
                    #1188977 #1189040 #1190265 #1190446 #1190512 
                    #1191412 #1191431 ECO-3212 ECO-3319 SLE-18028 
                    SLE-18033 
Cross-References:   CVE-2021-21996
CVSS scores:
                    CVE-2021-21996 (SUSE): 4.2 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L

Affected Products:
                    SUSE Manager Debian 10-CLIENT-TOOLS-BETA
______________________________________________________________________________

   An update that solves one vulnerability, contains four
   features and has 26 fixes is now available.

Description:

   This update fixes the following issues:

   salt:

   - Simplify "transactional_update" module to not use SSH wrapper and allow
     more flexible execution
   - Add "--no-return-event" option to salt-call to prevent sending return
     event back to master.
   - Make "state.highstate" act on the concurrent flag.
   - Fix print regression for yumnotify plugin
   - Use dnfnotify instead of yumnotify for relevant distros
   - Dnfnotify pkgset plugin implementation
   - Add rpm_vercmp python library support for version comparison
   - Prevent pkg plugins errors on missing cookie path (bsc#1186738)
   - Fix ip6_interface grain to not leak secondary IPv4 aliases (bsc#1191412)
   - Make the "salt-api" package require python3-cherrypy on RHEL systems
   - Make "tar" a requirement of the "salt-transactional-update" package
   - Fix issues with salt-ssh's extra-filerefs
   - Fix crash when calling manage.not_alive runners
   - Do not consider skipped targets as failed for ansible.playbooks state
     (bsc#1190446)
   - Do not break master_tops for minions with a version lower than 3003
   - Support querying for JSON data in external sql pillar
   - Update to Salt release version 3003.3
   - See release notes:
     https://docs.saltstack.com/en/latest/topics/releases/3003.3.html
   - Exclude the full path of a download URL to prevent injection of
     malicious code (bsc#1190265) (CVE-2021-21996)
   - Fix wrong relative paths resolution with Jinja renderer when importing
     subdirectories
   - Don't pass shell="/sbin/nologin" to onlyif/unless checks (bsc#1188259)
   - Add missing aarch64 to rpm package architectures
   - Backport of upstream PR#59492
   - Fix failing unit test for systemd
   - Fix error handling in openscap module (bsc#1188647)
   - Better handling of bad public keys from minions (bsc#1189040)
   - Define license macro as doc in spec file if not existing
   - Add standalone formulas configuration for salt minion and remove
     salt-master requirement (bsc#1168327)
   - Do noop for services states when running systemd in offline mode
     (bsc#1187787)
   - Transactional_updates: do not execute states in parallel but use a queue
     (bsc#1188170)
   - Handle "master tops" data when states are applied by
     "transactional_update" (bsc#1187787)
   - Enhance openscap module: add "xccdf_eval" call
   - Virt: pass emulator when getting domain capabilities from libvirt
   - Adding preliminary support for Rocky Linux
   - Implementation of held/unheld functions for state pkg (bsc#1187813)
   - Replace deprecated Thread.isAlive() with Thread.is_alive()
   - Fix exception in yumpkg.remove for not installed package
   - Fix save for iptables state module (bsc#1185131)
   - Virt: use /dev/kvm to detect KVM
   - Zypperpkg: improve logic for handling vendorchange flags
   - Add bundled provides for tornado to the spec file
   - Enhance logging when inotify beacon is missing pyinotify (bsc#1186310)
   - Add "python3-pyinotify" as a recommended package for Salt in
     SUSE/openSUSE distros
   - Fix tmpfiles.d configuration for salt to not use legacy paths
     (bsc#1173103)
   - Detect Python version to use inside container (bsc#1167586) (bsc#1164192)
   - Handle volumes on stopped pools in virt.vm_info (bsc#1186287)
   - Grains.extra: support old non-intel kernels (bsc#1180650)
   - Fix missing minion returns in batch mode (bsc#1184659)
   - Parsing Epoch out of version provided during pkg remove (bsc#1173692)
   - Check if dpkgnotify is executable (bsc#1186674)
   - Update to Salt release version 3002.2 (jsc#ECO-3212) (jsc#SLE-18033)
   - Add subpackage salt-transactional-update (jsc#SLE-18028)

   scap-security-guide:

   - Fix SLE-12 build issue caused by '\xb0' character (bsc#1191431).
   - Updated to 0.1.58 release (jsc#ECO-3319)
   - Support for Script Checking Engine (SCE)
   - Split RHEL 8 CIS profile using new controls file format
   - CIS Profiles for SLE12
   - Initial Ubuntu 20.04 STIG Profiles
   - Addition of an automated CCE adder
   - Updated to 0.1.57 release (jsc#ECO-3319)
     - CIS profile for RHEL 7 is updated
     - initial CIS profiles for Ubuntu 20.04
     - Major improvement of RHEL 9 content
     - new release process implemented using Github actions
   - Specify the maintainer, for deb packages.
   - Updated to 0.1.56 release (jsc#ECO-3319)
     - Align ism_o profile with latest ISM SSP (#6878)
     - Align RHEL 7 STIG profile with DISA STIG V3R3
     - Creating new RHEL 7 STIG GUI profile (#6863)
     - Creating new RHEL 8 STIG GUI profile (#6862)
     - Add the RHEL9 product (#6801)
     - Initial support for SUSE SLE-15 (#6666)
     - add support for osbuild blueprint remediations (#6970)
   - Updated to an intermediate GIT snapshot of 20210323 (jsc#ECO-3319)
     - initial SLES15 STIG added
     - more SLES 12 STIG work
     - correct tables and cross references for SLES 12 and 15 STIG
   - Updated to 0.1.55 release (jsc#ECO-3319)
     - big update of rules used in SLES-12 STIG profile
     - Render policy to HTML (#6532)
     - Add variable support to yamlfile_value template (#6563)
     - Introduce new template for dconf configuration files (#6118)
   - Avoid some macros that are not available on SLES 12 SP2.

   spacecmd:

   - Version 4.3.4-1
     * Update translation strings
   - Version 4.3.3-1
     * Improved event history listing and added new system_eventdetails
       command to retrieve the details of an event
     * configchannel_updatefile handles directory properly (bsc#1190512)
   - Version 4.3.2-1
     * Add schedule_archivecompleted to mass archive actions (bsc#1181223)
      * Make schedule_deletearchived get all actions without a display limit
     * Allow passing a date limit for schedule_deletearchived on spacecmd
       (bsc#1181223)
     * Remove whoami from the list of unauthenticated commands (bsc#1188977)
   - Version 4.3.1-1
   - Use correct API endpoint in list_proxies (bsc#1188042)
   - Add schedule_deletearchived to bulk delete archived actions (bsc#1181223)
   - Make spacecmd aware of retracted patches/packages
   - Version 4.2.10-1
   - Enhance help for installation types when creating distributions
     (bsc#1186581)
   - Version 4.2.9-1
   - Parse an empty argument when there is nothing between the separators


Patch Instructions:

   To install this SUSE Security Update, use the SUSE recommended installation
   methods such as YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE Manager Debian 10-CLIENT-TOOLS-BETA:

      zypper in -t patch SUSE-Debian-10-CLIENT-TOOLS-BETA-2021-3901=1



Package List:

   - SUSE Manager Debian 10-CLIENT-TOOLS-BETA (all):

      salt-common-3003.3+ds-1+2.27.1
      salt-minion-3003.3+ds-1+2.27.1
      scap-security-guide-debian-0.1.58-2.6.1
      spacecmd-4.3.4-2.20.1
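
   Checking whether a Debian 10 client actually carries the fixed versions from
   the Package List above needs a comparison that understands Debian version
   strings, not a plain string compare. The script below is an added example,
   not SUSE tooling: it embeds the advisory's package names and fixed versions,
   reimplements dpkg's version ordering (epoch, upstream, revision, with "~"
   sorting before everything) so that a revision such as "+2.20.1" sorts below
   "+2.27.1", and compares that against the output of
   `dpkg-query -W -f '${Package}\t${Version}\n'`. The installed-version sample
   is constructed for the demonstration; `check_live_system()` runs the real
   dpkg-query when executed on a host.

```python
"""Compare installed Debian packages against an advisory's Package List.

Added example, not SUSE tooling. Package names and fixed versions come from
the advisory's Package List; the "installed" sample below is constructed.
"""
import re
import subprocess

# Fixed versions as printed in the advisory's "Package List" section.
ADVISORY_PACKAGE_LIST = """
salt-common-3003.3+ds-1+2.27.1
salt-minion-3003.3+ds-1+2.27.1
scap-security-guide-debian-0.1.58-2.6.1
spacecmd-4.3.4-2.20.1
"""

# Constructed stand-in for `dpkg-query -W -f '${Package}\t${Version}\n'`:
# one package at the fixed version, one older, one not installed at all.
SAMPLE_DPKG_OUTPUT = """\
salt-common\t3003.3+ds-1+2.27.1
salt-minion\t3002.2+ds-1+2.20.1
spacecmd\t4.3.4-2.20.1
"""


def parse_package_list(text):
    """Split 'name-version' lines into {name: version}.

    Package names may contain hyphens, but a Debian version always starts
    with a digit, so split at the first hyphen followed by a digit.
    """
    pkgs = {}
    for line in text.splitlines():
        m = re.match(r"^(.+?)-(\d.*)$", line.strip())
        if m:
            pkgs[m.group(1)] = m.group(2)
    return pkgs


def parse_dpkg_output(text):
    """Parse tab-separated 'Package<TAB>Version' lines into {name: version}."""
    installed = {}
    for line in text.splitlines():
        if "\t" in line:
            name, version = line.split("\t", 1)
            installed[name.strip()] = version.strip()
    return installed


def _order(c):
    # dpkg character weight: '~' sorts before everything, even end of string;
    # letters sort before other non-digit characters.
    if c.isdigit():
        return 0
    if c.isalpha():
        return ord(c)
    if c == "~":
        return -1
    return ord(c) + 256


def _verrevcmp(a, b):
    # Port of dpkg's verrevcmp(): alternate non-digit runs (compared by
    # _order) and digit runs (compared numerically, leading zeros ignored).
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac = _order(a[i]) if i < len(a) else 0
            bc = _order(b[j]) if j < len(b) else 0
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        while i < len(a) and a[i] == "0":
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        while i < len(a) and j < len(b) and a[i].isdigit() and b[j].isdigit():
            if not first_diff:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if i < len(a) and a[i].isdigit():
            return 1
        if j < len(b) and b[j].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0


def _split_version(v):
    # [epoch:]upstream[-debian_revision]; a missing revision compares as "".
    epoch = 0
    if ":" in v:
        e, v = v.split(":", 1)
        epoch = int(e)
    upstream, _, revision = v.rpartition("-") if "-" in v else (v, "", "")
    return epoch, upstream, revision


def compare_versions(v1, v2):
    """Return <0, 0 or >0, like `dpkg --compare-versions`."""
    e1, u1, r1 = _split_version(v1)
    e2, u2, r2 = _split_version(v2)
    if e1 != e2:
        return e1 - e2
    return _verrevcmp(u1, u2) or _verrevcmp(r1, r2)


def check_installed(installed, fixed):
    """Map each advisory package to 'fixed', 'vulnerable' or 'not installed'."""
    status = {}
    for name, fixed_version in fixed.items():
        if name not in installed:
            status[name] = "not installed"
        elif compare_versions(installed[name], fixed_version) >= 0:
            status[name] = "fixed"
        else:
            status[name] = "vulnerable"
    return status


def check_live_system():
    """Query the local dpkg database (only meaningful on a Debian host)."""
    out = subprocess.run(
        ["dpkg-query", "-W", "-f", "${Package}\t${Version}\n"],
        check=True, capture_output=True, text=True,
    ).stdout
    return check_installed(parse_dpkg_output(out), parse_package_list(ADVISORY_PACKAGE_LIST))


if __name__ == "__main__":
    fixed = parse_package_list(ADVISORY_PACKAGE_LIST)
    for name, state in check_installed(parse_dpkg_output(SAMPLE_DPKG_OUTPUT), fixed).items():
        print(f"{name:28s} {state}")
```

   A package reported as "not installed" is simply out of scope for this
   advisory; "vulnerable" means the installed version sorts below the fixed
   one under dpkg's ordering, which is the same ordering the package manager
   uses when deciding whether the patch upgrades it.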


References:

   https://www.suse.com/security/cve/CVE-2021-21996.html
   https://bugzilla.suse.com/1164192
   https://bugzilla.suse.com/1167586
   https://bugzilla.suse.com/1168327
   https://bugzilla.suse.com/1173103
   https://bugzilla.suse.com/1173692
   https://bugzilla.suse.com/1180650
   https://bugzilla.suse.com/1181223
   https://bugzilla.suse.com/1184659
   https://bugzilla.suse.com/1185131
   https://bugzilla.suse.com/1186287
   https://bugzilla.suse.com/1186310
   https://bugzilla.suse.com/1186581
   https://bugzilla.suse.com/1186674
   https://bugzilla.suse.com/1186738
   https://bugzilla.suse.com/1187787
   https://bugzilla.suse.com/1187813
   https://bugzilla.suse.com/1188042
   https://bugzilla.suse.com/1188170
   https://bugzilla.suse.com/1188259
   https://bugzilla.suse.com/1188647
   https://bugzilla.suse.com/1188977
   https://bugzilla.suse.com/1189040
   https://bugzilla.suse.com/1190265
   https://bugzilla.suse.com/1190446
   https://bugzilla.suse.com/1190512
   https://bugzilla.suse.com/1191412
   https://bugzilla.suse.com/1191431

December 3, 2021