SUSE Security Update: Security Beta update for Salt
______________________________________________________________________________

Announcement ID:    SUSE-SU-2021:3906-1
Rating:             moderate
References:         #1164192 #1167586 #1168327 #1180650 #1184659 
                    #1185131 #1186287 #1186310 #1186674 #1187787 
                    #1187813 #1188170 #1188641 #1188647 #1189040 
                    #1189043 #1190114 #1190265 #1190446 #1191412 
                    
Cross-References:   CVE-2021-21996
CVSS scores:
                    CVE-2021-21996 (SUSE): 4.2 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L

Affected Products:
                    SUSE Manager Tools 12-BETA
______________________________________________________________________________

   An update that solves one vulnerability and has 19 fixes is
   now available.

Description:

   This update fixes the following issues:

   salt:

   - Remove wrong _parse_cpe_name from grains.core
   - Prevent tracebacks if directory for cookie is missing
   - Fix file.find tracebacks with non utf8 file names (bsc#1190114)
   - Fix ip6_interface grain to not leak secondary IPv4 aliases (bsc#1191412)
   - Do not consider skipped targets as failed for ansible.playbooks state
     (bsc#1190446)
   - Fix traceback.*_exc() calls
   - Fix the regression of docker_container state module
   - Support querying for JSON data in external sql pillar
   - Exclude the full path of a download URL to prevent injection of
     malicious code (bsc#1190265) (CVE-2021-21996)
   - Fix wrong relative paths resolution with Jinja renderer when importing
     subdirectories
   - Fix python-MarkupSafe dependency (bsc#1189043)
   - Add missing aarch64 to rpm package architectures
   - Consolidate some state requisites (bsc#1188641)
   - Fix failing unit test for systemd
   - Fix error handling in openscap module (bsc#1188647)
   - Better handling of bad public keys from minions (bsc#1189040)
   - Define license macro as doc in spec file if not existing
   - Add standalone formulas configuration for salt minion and remove
     salt-master requirement (bsc#1168327)
   - Do noop for services states when running systemd in offline mode
     (bsc#1187787)
   - Transactional_updates: do not execute states in parallel but use a queue
     (bsc#1188170)
   - Handle "master tops" data when states are applied by
     "transactional_update" (bsc#1187787)
   - Enhance openscap module: add "xccdf_eval" call
   - Virt: pass emulator when getting domain capabilities from libvirt
   - Implementation of held/unheld functions for state pkg (bsc#1187813)
   - Fix exception in yumpkg.remove for not installed package
   - Fix save for iptables state module (bsc#1185131)
   - Virt: use /dev/kvm to detect KVM
   - Zypperpkg: improve logic for handling vendorchange flags
   - Add bundled provides for tornado to the spec file
   - Enhance logging when inotify beacon is missing pyinotify (bsc#1186310)
   - Add "python3-pyinotify" as a recommended package for Salt in
     SUSE/openSUSE distros
   - Check if dpkgnotify is executable (bsc#1186674)
   - Detect Python version to use inside container (bsc#1167586) (bsc#1164192)
   - Handle volumes on stopped pools in virt.vm_info (bsc#1186287)
   - Grains.extra: support old non-intel kernels (bsc#1180650)
   - Fix missing minion returns in batch mode (bsc#1184659)


Patch Instructions:

   To install this SUSE Security Update, use the SUSE recommended installation
   methods, such as YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE Manager Tools 12-BETA:

      zypper in -t patch SUSE-SLE-Manager-Tools-12-BETA-2021-3906=1



Package List:

   - SUSE Manager Tools 12-BETA (aarch64 ppc64le s390x x86_64):

      python-MarkupSafe-0.23-6.5.1
      python-MarkupSafe-debuginfo-0.23-6.5.1
      python-MarkupSafe-debugsource-0.23-6.5.1
      python-PyYAML-5.1.2-29.5.1
      python-PyYAML-debuginfo-5.1.2-29.5.1
      python-PyYAML-debugsource-5.1.2-29.5.1
      python-msgpack-python-0.4.6-11.5.1
      python-msgpack-python-debuginfo-0.4.6-11.5.1
      python-msgpack-python-debugsource-0.4.6-11.5.1
      python-psutil-5.2.2-18.5.1
      python-psutil-debuginfo-5.2.2-18.5.1
      python-psutil-debugsource-5.2.2-18.5.1
      python-pycrypto-2.6.1-13.5.1
      python-pyzmq-14.0.0-12.5.1
      python-pyzmq-debuginfo-14.0.0-12.5.1
      python-pyzmq-debugsource-14.0.0-12.5.1
      python2-salt-3000-49.38.2
      python3-MarkupSafe-0.23-6.5.1
      python3-PyYAML-5.1.2-29.5.1
      python3-msgpack-python-0.4.6-11.5.1
      python3-psutil-5.2.2-18.5.1
      python3-pycrypto-2.6.1-13.5.1
      python3-pyzmq-14.0.0-12.5.1
      python3-salt-3000-49.38.2
      salt-3000-49.38.2
      salt-doc-3000-49.38.2
      salt-minion-3000-49.38.2

   - SUSE Manager Tools 12-BETA (ppc64le s390x x86_64):

      python-pycrypto-debuginfo-2.6.1-13.5.1

   - SUSE Manager Tools 12-BETA (noarch):

      python-Jinja2-2.8-22.5.1
      python-singledispatch-3.4.0.3-4.8.1
      python3-Jinja2-2.8-22.5.1
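
   Added example, not part of the SUSE announcement: a post-patch check that compares an RPM inventory against a subset of the fixed versions listed above and reports packages still below them. The function names, the choice of subset and the sample inventory are assumptions made for illustration; comparison uses GNU "sort -V", not RPM's own version algorithm.

```shell
#!/bin/sh
# Fixed versions copied from the advisory's package list (subset: Salt itself
# plus two of the Python libraries shipped with it).
FIXED='salt 3000-49.38.2
salt-minion 3000-49.38.2
python2-salt 3000-49.38.2
python3-salt 3000-49.38.2
python3-MarkupSafe 0.23-6.5.1
python3-Jinja2 2.8-22.5.1'

# True (exit 0) when version-release $1 sorts strictly before $2.
# Assumption: GNU "sort -V" ordering, which agrees with RPM ordering for the
# plain numeric version-release strings used here; it is not a full rpmvercmp.
older_than() {
    [ "$1" != "$2" ] &&
        [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$1" ]
}

# Reads "name version-release" lines on stdin and prints one line per
# package that is installed but still below the advisory's fixed version.
audit() {
    while read -r name installed; do
        fixed=$(printf '%s\n' "$FIXED" | awk -v n="$name" '$1 == n { print $2 }')
        [ -n "$fixed" ] || continue      # package not covered by this list
        if older_than "$installed" "$fixed"; then
            printf '%s %s < %s\n' "$name" "$installed" "$fixed"
        fi
    done
}

# On a real host the inventory would come from:
#   rpm -qa --qf '%{NAME} %{VERSION}-%{RELEASE}\n' | audit
# Constructed sample inventory (not taken from a real system):
SAMPLE='salt 3000-49.38.2
salt-minion 3000-49.35.1
python3-salt 3000-49.9.1
python3-Jinja2 2.8-22.5.1
bash 4.3-83.23.1'
printf '%s\n' "$SAMPLE" | audit
```

   Empty output means every covered package is at or above the fixed version; packages outside the embedded list are ignored.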


References:

   https://www.suse.com/security/cve/CVE-2021-21996.html
   https://bugzilla.suse.com/1164192
   https://bugzilla.suse.com/1167586
   https://bugzilla.suse.com/1168327
   https://bugzilla.suse.com/1180650
   https://bugzilla.suse.com/1184659
   https://bugzilla.suse.com/1185131
   https://bugzilla.suse.com/1186287
   https://bugzilla.suse.com/1186310
   https://bugzilla.suse.com/1186674
   https://bugzilla.suse.com/1187787
   https://bugzilla.suse.com/1187813
   https://bugzilla.suse.com/1188170
   https://bugzilla.suse.com/1188641
   https://bugzilla.suse.com/1188647
   https://bugzilla.suse.com/1189040
   https://bugzilla.suse.com/1189043
   https://bugzilla.suse.com/1190114
   https://bugzilla.suse.com/1190265
   https://bugzilla.suse.com/1190446
   https://bugzilla.suse.com/1191412