SUSE-SU-2017:3381-1: moderate: Security update for Salt

sle-security-updates at lists.suse.com sle-security-updates at lists.suse.com
Wed Dec 20 10:27:04 MST 2017


   SUSE Security Update: Security update for Salt
______________________________________________________________________________

Announcement ID:    SUSE-SU-2017:3381-1
Rating:             moderate
References:         #1041993 #1042749 #1050003 #1059291 #1059758 
                    #1060230 #1062462 #1062464 #985112 
Cross-References:   CVE-2017-14695 CVE-2017-14696
Affected Products:
                    SUSE Linux Enterprise Server 11-SP4-CLIENT-TOOLS
                    SUSE Linux Enterprise Server 11-SP3-CLIENT-TOOLS
______________________________________________________________________________

   An update that solves two vulnerabilities and has 7 fixes
   is now available.

Description:

   This update for salt fixes one security issue and bugs.

   The following security issues have been fixed:

   - CVE-2017-14695: A directory traversal vulnerability in minion id
     validation allowed remote minions with incorrect credentials to
     authenticate to a master via a crafted minion ID. (bsc#1062462)
   - CVE-2017-14696: It was possible to force a remote Denial of Service with
     a specially crafted authentication request. (bsc#1062464)

   Additionally, the following non-security issues have been fixed:

   - Removed deprecation warning for beacon configuration using dictionaries.
     (bsc#1041993)
   - Fixed beacons failure when pillar-based suppressing config-based.
     (bsc#1060230)
   - Fixed minion resource exhaustion when many functions are being executed
     in parallel. (bsc#1059758)
   - Remove 'TasksTask' attribute from salt-master.service in older versions
     of systemd. (bsc#985112)
   - Fix for delete_deployment in Kubernetes module. (bsc#1059291)
   - Catching error when PIDfile cannot be deleted. (bsc#1050003)
   - Use $HOME to get the user home directory instead using '~' char.
     (bsc#1042749)


Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Server 11-SP4-CLIENT-TOOLS:

      zypper in -t patch slesctsp4-salt-13382=1

   - SUSE Linux Enterprise Server 11-SP3-CLIENT-TOOLS:

      zypper in -t patch slesctsp3-salt-13382=1

   To bring your system up-to-date, use "zypper patch".


Package List:

   - SUSE Linux Enterprise Server 11-SP4-CLIENT-TOOLS (i586 ia64 ppc64 s390x x86_64):

      salt-2016.11.4-43.10.2
      salt-doc-2016.11.4-43.10.2
      salt-minion-2016.11.4-43.10.2

   - SUSE Linux Enterprise Server 11-SP3-CLIENT-TOOLS (i586 ia64 ppc64 s390x x86_64):

      salt-2016.11.4-43.10.2
      salt-doc-2016.11.4-43.10.2
      salt-minion-2016.11.4-43.10.2


References:

   https://www.suse.com/security/cve/CVE-2017-14695.html
   https://www.suse.com/security/cve/CVE-2017-14696.html
   https://bugzilla.suse.com/1041993
   https://bugzilla.suse.com/1042749
   https://bugzilla.suse.com/1050003
   https://bugzilla.suse.com/1059291
   https://bugzilla.suse.com/1059758
   https://bugzilla.suse.com/1060230
   https://bugzilla.suse.com/1062462
   https://bugzilla.suse.com/1062464
   https://bugzilla.suse.com/985112



More information about the sle-security-updates mailing list