Security update for Salt SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2017:3381-1 Final 1 1 2017-12-20T11:22:47Z current 2017-12-20T11:22:47Z 2017-12-20T11:22:47Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for Salt This update for salt fixes one security issue and bugs. The following security issues have been fixed: - CVE-2017-14695: A directory traversal vulnerability in minion id validation allowed remote minions with incorrect credentials to authenticate to a master via a crafted minion ID. (bsc#1062462) - CVE-2017-14696: It was possible to force a remote Denial of Service with a specially crafted authentication request. (bsc#1062464) Additionally, the following non-security issues have been fixed: - Removed deprecation warning for beacon configuration using dictionaries. (bsc#1041993) - Fixed beacons failure when pillar-based suppressing config-based. (bsc#1060230) - Fixed minion resource exhaustion when many functions are being executed in parallel. (bsc#1059758) - Remove 'TasksTask' attribute from salt-master.service in older versions of systemd. (bsc#985112) - Fix for delete_deployment in Kubernetes module. (bsc#1059291) - Catching error when PIDfile cannot be deleted. (bsc#1050003) - Use $HOME to get the user home directory instead using '~' char. (bsc#1042749) The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). slesctsp3-salt-13382,slesctsp4-salt-13382 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2017/suse-su-20173381-1/ Link for SUSE-SU-2017:3381-1 https://lists.suse.com/pipermail/sle-security-updates/2017-December/003543.html E-Mail link for SUSE-SU-2017:3381-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1041993 SUSE Bug 1041993 https://bugzilla.suse.com/1042749 SUSE Bug 1042749 https://bugzilla.suse.com/1050003 SUSE Bug 1050003 https://bugzilla.suse.com/1059291 SUSE Bug 1059291 https://bugzilla.suse.com/1059758 SUSE Bug 1059758 https://bugzilla.suse.com/1060230 SUSE Bug 1060230 https://bugzilla.suse.com/1062462 SUSE Bug 1062462 https://bugzilla.suse.com/1062464 SUSE Bug 1062464 https://bugzilla.suse.com/985112 SUSE Bug 985112 https://www.suse.com/security/cve/CVE-2017-14695/ SUSE CVE CVE-2017-14695 page https://www.suse.com/security/cve/CVE-2017-14696/ SUSE CVE CVE-2017-14696 page SUSE Linux Enterprise Server 11 SP3-CLIENT-TOOLS SUSE Linux Enterprise Server 11 SP4-CLIENT-TOOLS salt-2016.11.4-43.10.2 salt-doc-2016.11.4-43.10.2 salt-minion-2016.11.4-43.10.2 salt-2016.11.4-43.10.2 as a component of SUSE Linux Enterprise Server 11 SP3-CLIENT-TOOLS salt-doc-2016.11.4-43.10.2 as a component of SUSE Linux Enterprise Server 11 SP3-CLIENT-TOOLS salt-minion-2016.11.4-43.10.2 as a component of SUSE Linux Enterprise Server 11 SP3-CLIENT-TOOLS salt-2016.11.4-43.10.2 as a component of SUSE Linux Enterprise Server 11 SP4-CLIENT-TOOLS salt-doc-2016.11.4-43.10.2 as a component of SUSE Linux Enterprise Server 11 SP4-CLIENT-TOOLS salt-minion-2016.11.4-43.10.2 as a component of SUSE Linux Enterprise Server 11 SP4-CLIENT-TOOLS Directory traversal vulnerability in minion id validation in SaltStack Salt before 2016.3.8, 2016.11.x before 2016.11.8, and 2017.7.x before 2017.7.2 allows remote minions with incorrect credentials to authenticate to a master via a crafted minion ID. NOTE: this vulnerability exists because of an incomplete fix for CVE-2017-12791. CVE-2017-14695 SUSE Linux Enterprise Server 11 SP3-CLIENT-TOOLS:salt-2016.11.4-43.10.2 SUSE Linux Enterprise Server 11 SP3-CLIENT-TOOLS:salt-doc-2016.11.4-43.10.2 SUSE Linux Enterprise Server 11 SP3-CLIENT-TOOLS:salt-minion-2016.11.4-43.10.2 SUSE Linux Enterprise Server 11 SP4-CLIENT-TOOLS:salt-2016.11.4-43.10.2 SUSE Linux Enterprise Server 11 SP4-CLIENT-TOOLS:salt-doc-2016.11.4-43.10.2 SUSE Linux Enterprise Server 11 SP4-CLIENT-TOOLS:salt-minion-2016.11.4-43.10.2 moderate 5 AV:N/AC:L/Au:N/C:P/I:N/A:N 7.5 AV:N/AC:L/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2017/suse-su-20173381-1/ https://www.suse.com/security/cve/CVE-2017-14695.html CVE-2017-14695 https://bugzilla.suse.com/1053955 SUSE Bug 1053955 https://bugzilla.suse.com/1062462 SUSE Bug 1062462 SaltStack Salt before 2016.3.8, 2016.11.x before 2016.11.8, and 2017.7.x before 2017.7.2 allows remote attackers to cause a denial of service via a crafted authentication request. CVE-2017-14696 SUSE Linux Enterprise Server 11 SP3-CLIENT-TOOLS:salt-2016.11.4-43.10.2 SUSE Linux Enterprise Server 11 SP3-CLIENT-TOOLS:salt-doc-2016.11.4-43.10.2 SUSE Linux Enterprise Server 11 SP3-CLIENT-TOOLS:salt-minion-2016.11.4-43.10.2 SUSE Linux Enterprise Server 11 SP4-CLIENT-TOOLS:salt-2016.11.4-43.10.2 SUSE Linux Enterprise Server 11 SP4-CLIENT-TOOLS:salt-doc-2016.11.4-43.10.2 SUSE Linux Enterprise Server 11 SP4-CLIENT-TOOLS:salt-minion-2016.11.4-43.10.2 moderate 5 AV:N/AC:L/Au:N/C:N/I:N/A:P 5 AV:N/AC:L/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2017/suse-su-20173381-1/ https://www.suse.com/security/cve/CVE-2017-14696.html CVE-2017-14696 https://bugzilla.suse.com/1053955 SUSE Bug 1053955 https://bugzilla.suse.com/1062464 SUSE Bug 1062464