SUSE-SU-2017:3380-1: moderate: Security update for Salt

Wed Dec 20 10:25:26 MST 2017

   SUSE Security Update: Security update for Salt
______________________________________________________________________________

Announcement ID:    SUSE-SU-2017:3380-1
Rating:             moderate
References:         #1041993 #1042749 #1050003 #1059291 #1059758 
                    #1060230 #1062462 #1062464 #985112 
Cross-References:   CVE-2017-14695 CVE-2017-14696
Affected Products:
                    SUSE Manager Tools 12
                    SUSE Manager Server 3.1
                    SUSE Manager Server 3.0
                    SUSE Manager Proxy 3.1
                    SUSE Manager Proxy 3.0
                    SUSE Linux Enterprise Point of Sale 12-SP2
                    SUSE Linux Enterprise Module for Advanced Systems Management 12
                    SUSE Enterprise Storage 5
                    SUSE Enterprise Storage 4
                    SUSE Enterprise Storage 3
                    SUSE Container as a Service Platform ALL
                    OpenStack Cloud Magnum Orchestration 7
______________________________________________________________________________

   An update that solves two vulnerabilities and has 7 fixes
   is now available.

Description:

   This update for salt fixes one security issue and bugs.

   The following security issues have been fixed:

   - CVE-2017-14695: A directory traversal vulnerability in minion id
     validation allowed remote minions with incorrect credentials to
     authenticate to a master via a crafted minion ID. (bsc#1062462)
   - CVE-2017-14696: It was possible to force a remote Denial of Service with
     a specially crafted authentication request. (bsc#1062464)

   Additionally, the following non-security issues have been fixed:

   - Removed deprecation warning for beacon configuration using dictionaries.
     (bsc#1041993)
   - Fixed beacons failure when pillar-based suppressing config-based.
     (bsc#1060230)
   - Fixed minion resource exhaustion when many functions are being executed
     in parallel. (bsc#1059758)
   - Remove 'TasksTask' attribute from salt-master.service in older versions
     of systemd. (bsc#985112)
   - Fix for delete_deployment in Kubernetes module. (bsc#1059291)
   - Catching error when PIDfile cannot be deleted. (bsc#1050003)
   - Use $HOME to get the user home directory instead using '~' char.
     (bsc#1042749)

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Manager Tools 12:

      zypper in -t patch SUSE-SLE-Manager-Tools-12-2017-2111=1

   - SUSE Manager Server 3.1:

      zypper in -t patch SUSE-SUSE-Manager-Server-3.1-2017-2111=1

   - SUSE Manager Server 3.0:

      zypper in -t patch SUSE-SUSE-Manager-Server-3.0-2017-2111=1

   - SUSE Manager Proxy 3.1:

      zypper in -t patch SUSE-SUSE-Manager-Proxy-3.1-2017-2111=1

   - SUSE Manager Proxy 3.0:

      zypper in -t patch SUSE-SUSE-Manager-Proxy-3.0-2017-2111=1

   - SUSE Linux Enterprise Point of Sale 12-SP2:

      zypper in -t patch SUSE-SLE-POS-12-SP2-2017-2111=1

   - SUSE Linux Enterprise Module for Advanced Systems Management 12:

      zypper in -t patch SUSE-SLE-Module-Adv-Systems-Management-12-2017-2111=1

   - SUSE Enterprise Storage 5:

      zypper in -t patch SUSE-Storage-5-2017-2111=1

   - SUSE Enterprise Storage 4:

      zypper in -t patch SUSE-Storage-4-2017-2111=1

   - SUSE Enterprise Storage 3:

      zypper in -t patch SUSE-Storage-3-2017-2111=1

   - SUSE Container as a Service Platform ALL:

      zypper in -t patch SUSE-CAASP-ALL-2017-2111=1

   - OpenStack Cloud Magnum Orchestration 7:

      zypper in -t patch SUSE-OpenStack-Cloud-Magnum-Orchestration-7-2017-2111=1

   To bring your system up-to-date, use "zypper patch".

Package List:

   - SUSE Manager Tools 12 (aarch64 ppc64le s390x x86_64):

      salt-2016.11.4-46.10.1
      salt-doc-2016.11.4-46.10.1
      salt-minion-2016.11.4-46.10.1

   - SUSE Manager Server 3.1 (ppc64le s390x x86_64):

      salt-2016.11.4-46.10.1
      salt-api-2016.11.4-46.10.1
      salt-cloud-2016.11.4-46.10.1
      salt-doc-2016.11.4-46.10.1
      salt-master-2016.11.4-46.10.1
      salt-minion-2016.11.4-46.10.1
      salt-proxy-2016.11.4-46.10.1
      salt-ssh-2016.11.4-46.10.1
      salt-syndic-2016.11.4-46.10.1

   - SUSE Manager Server 3.1 (noarch):

      salt-bash-completion-2016.11.4-46.10.1
      salt-zsh-completion-2016.11.4-46.10.1

   - SUSE Manager Server 3.0 (s390x x86_64):

      salt-2016.11.4-46.10.1
      salt-api-2016.11.4-46.10.1
      salt-doc-2016.11.4-46.10.1
      salt-master-2016.11.4-46.10.1
      salt-minion-2016.11.4-46.10.1
      salt-proxy-2016.11.4-46.10.1
      salt-ssh-2016.11.4-46.10.1
      salt-syndic-2016.11.4-46.10.1

   - SUSE Manager Server 3.0 (noarch):

      salt-bash-completion-2016.11.4-46.10.1
      salt-zsh-completion-2016.11.4-46.10.1

   - SUSE Manager Proxy 3.1 (ppc64le x86_64):

      salt-2016.11.4-46.10.1
      salt-minion-2016.11.4-46.10.1

   - SUSE Manager Proxy 3.0 (noarch):

      salt-bash-completion-2016.11.4-46.10.1
      salt-zsh-completion-2016.11.4-46.10.1

   - SUSE Manager Proxy 3.0 (x86_64):

      salt-2016.11.4-46.10.1
      salt-api-2016.11.4-46.10.1
      salt-doc-2016.11.4-46.10.1
      salt-master-2016.11.4-46.10.1
      salt-minion-2016.11.4-46.10.1
      salt-proxy-2016.11.4-46.10.1
      salt-ssh-2016.11.4-46.10.1
      salt-syndic-2016.11.4-46.10.1

   - SUSE Linux Enterprise Point of Sale 12-SP2 (x86_64):

      salt-2016.11.4-46.10.1
      salt-minion-2016.11.4-46.10.1

   - SUSE Linux Enterprise Module for Advanced Systems Management 12 (ppc64le s390x x86_64):

      salt-2016.11.4-46.10.1
      salt-api-2016.11.4-46.10.1
      salt-cloud-2016.11.4-46.10.1
      salt-doc-2016.11.4-46.10.1
      salt-master-2016.11.4-46.10.1
      salt-minion-2016.11.4-46.10.1
      salt-proxy-2016.11.4-46.10.1
      salt-ssh-2016.11.4-46.10.1
      salt-syndic-2016.11.4-46.10.1

   - SUSE Linux Enterprise Module for Advanced Systems Management 12 (noarch):

      salt-bash-completion-2016.11.4-46.10.1
      salt-zsh-completion-2016.11.4-46.10.1

   - SUSE Enterprise Storage 5 (aarch64 x86_64):

      salt-2016.11.4-46.10.1
      salt-api-2016.11.4-46.10.1
      salt-master-2016.11.4-46.10.1
      salt-minion-2016.11.4-46.10.1

   - SUSE Enterprise Storage 4 (aarch64 x86_64):

      salt-2016.11.4-46.10.1
      salt-master-2016.11.4-46.10.1
      salt-minion-2016.11.4-46.10.1

   - SUSE Enterprise Storage 3 (aarch64 x86_64):

      salt-2016.11.4-46.10.1
      salt-master-2016.11.4-46.10.1
      salt-minion-2016.11.4-46.10.1

   - SUSE Container as a Service Platform ALL (x86_64):

      salt-2016.11.4-46.10.1
      salt-minion-2016.11.4-46.10.1

   - OpenStack Cloud Magnum Orchestration 7 (x86_64):

      salt-2016.11.4-46.10.1
      salt-minion-2016.11.4-46.10.1

References:

   https://www.suse.com/security/cve/CVE-2017-14695.html
   https://www.suse.com/security/cve/CVE-2017-14696.html
   https://bugzilla.suse.com/1041993
   https://bugzilla.suse.com/1042749
   https://bugzilla.suse.com/1050003
   https://bugzilla.suse.com/1059291
   https://bugzilla.suse.com/1059758
   https://bugzilla.suse.com/1060230
   https://bugzilla.suse.com/1062462
   https://bugzilla.suse.com/1062464
   https://bugzilla.suse.com/985112