Alerts This Week
Warning Icon 1 916
Alerts This Week
Warning Icon 1 916

SUSE: 2022:1536-1 Important: Salt Bundle Security Fixes

suse
Calendar Grey May 4, 2022
Dist Suse Esm H88
Several remedies for SUSE Manager Salt Bundle upgrade tackling critical problems found in latest editions.
An update that fixes 8 vulnerabilities is now available

Summary

This update fixes the following issues: venv-salt-minion: - Fix the regression caused by the patch removing strict requirement for OpenSSL 1.1.1 leading to read/write issues with ssl module for SLE 15, SLE 12, CentOS 7, Debian 9 (bsc#1198556) - Fixes for Python 3.10 - Fix salt-ssh opts poisoning (bsc#1197637) - Fix multiple security issues (bsc#1197417) * CVE-2022-22935: Sign authentication replies to prevent MiTM * CVE-2022-22934: Sign pillar data to prevent MiTM attacks. * CVE-2022-22936: Prevent job and fileserver replays. * CVE-2022-22941: Fixed targeting bug, especially visible when using syndic and user auth. - Salt version bump to 3004 - Python version bump to 3.10.2 - CVE-2022-24302: unauthorized information disclosure for python-paramiko.

Topics%20covered

Topics Covered

security advisory XSS important information disclosure man-in-the-middle SUSE Manager Salt Bundle

References

#1118088 #1184177 #1196249 #1196877 #1197279

#1197417 #1197637 #1198556

Cross- CVE-2018-19787 CVE-2021-28957 CVE-2022-0778

CVE-2022-22934 CVE-2022-22935 CVE-2022-22936

CVE-2022-22941 CVE-2022-24302

CVSS scores:

CVE-2018-19787 (NVD) : 6.1 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

CVE-2018-19787 (SUSE): 5.4 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N

CVE-2021-28957 (NVD) : 6.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

CVE-2021-28957 (SUSE): 6.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

CVE-2022-0778 (NVD) : 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVE-2022-0778 (SUSE): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVE-2022-22934 (NVD) : 8.8 CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Severity
important
Lowest
Low
Medium
High
Critical

Announcement ID: SUSE-SU-2022:1536-1
Rating: important

Topics%20covered

Topics Covered

security advisory XSS important information disclosure man-in-the-middle SUSE Manager Salt Bundle

Get the latest News and Insights

Get the latest Linux and open source security news straight to your inbox.

Your message here