SUSE-SU-2017:3381-1: moderate: Security update for Salt
sle-security-updates at lists.suse.com
sle-security-updates at lists.suse.com
Wed Dec 20 10:27:04 MST 2017
SUSE Security Update: Security update for Salt
______________________________________________________________________________
Announcement ID: SUSE-SU-2017:3381-1
Rating: moderate
References: #1041993 #1042749 #1050003 #1059291 #1059758
#1060230 #1062462 #1062464 #985112
Cross-References: CVE-2017-14695 CVE-2017-14696
Affected Products:
SUSE Linux Enterprise Server 11-SP4-CLIENT-TOOLS
SUSE Linux Enterprise Server 11-SP3-CLIENT-TOOLS
______________________________________________________________________________
An update that solves two vulnerabilities and has 7 fixes
is now available.
Description:
This update for salt fixes one security issue and bugs.
The following security issues have been fixed:
- CVE-2017-14695: A directory traversal vulnerability in minion id
validation allowed remote minions with incorrect credentials to
authenticate to a master via a crafted minion ID. (bsc#1062462)
- CVE-2017-14696: It was possible to force a remote Denial of Service with
a specially crafted authentication request. (bsc#1062464)
Additionally, the following non-security issues have been fixed:
- Removed deprecation warning for beacon configuration using dictionaries.
(bsc#1041993)
- Fixed beacons failure when pillar-based suppressing config-based.
(bsc#1060230)
- Fixed minion resource exhaustion when many functions are being executed
in parallel. (bsc#1059758)
- Remove 'TasksTask' attribute from salt-master.service in older versions
of systemd. (bsc#985112)
- Fix for delete_deployment in Kubernetes module. (bsc#1059291)
- Catching error when PIDfile cannot be deleted. (bsc#1050003)
- Use $HOME to get the user home directory instead using '~' char.
(bsc#1042749)
Patch Instructions:
To install this SUSE Security Update use YaST online_update.
Alternatively you can run the command listed for your product:
- SUSE Linux Enterprise Server 11-SP4-CLIENT-TOOLS:
zypper in -t patch slesctsp4-salt-13382=1
- SUSE Linux Enterprise Server 11-SP3-CLIENT-TOOLS:
zypper in -t patch slesctsp3-salt-13382=1
To bring your system up-to-date, use "zypper patch".
Package List:
- SUSE Linux Enterprise Server 11-SP4-CLIENT-TOOLS (i586 ia64 ppc64 s390x x86_64):
salt-2016.11.4-43.10.2
salt-doc-2016.11.4-43.10.2
salt-minion-2016.11.4-43.10.2
- SUSE Linux Enterprise Server 11-SP3-CLIENT-TOOLS (i586 ia64 ppc64 s390x x86_64):
salt-2016.11.4-43.10.2
salt-doc-2016.11.4-43.10.2
salt-minion-2016.11.4-43.10.2
References:
https://www.suse.com/security/cve/CVE-2017-14695.html
https://www.suse.com/security/cve/CVE-2017-14696.html
https://bugzilla.suse.com/1041993
https://bugzilla.suse.com/1042749
https://bugzilla.suse.com/1050003
https://bugzilla.suse.com/1059291
https://bugzilla.suse.com/1059758
https://bugzilla.suse.com/1060230
https://bugzilla.suse.com/1062462
https://bugzilla.suse.com/1062464
https://bugzilla.suse.com/985112
More information about the sle-security-updates
mailing list