Security Beta update for Salt SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2020:0540-1 Final 1 1 2020-02-28T12:20:13Z current 2020-02-28T12:20:13Z 2020-02-28T12:20:13Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security Beta update for Salt This update fixes the following issues: salt: - Fix 'os_family' grain for Astra Linux Common Edition - Update to Salt version 2019.2.3 (CVE-2019-17361) (bsc#1163981) See release notes: https://docs.saltstack.com/en/latest/topics/releases/2019.2.3.html - Enable passing grains to start event based on 'start_event_grains' configuration parameter The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). SUSE-2020-540,SUSE-SLE-Manager-Tools-15-2020-540 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2020/suse-su-20200540-1/ Link for SUSE-SU-2020:0540-1 https://lists.suse.com/pipermail/sle-security-updates/2020-February/006552.html E-Mail link for SUSE-SU-2020:0540-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1163981 SUSE Bug 1163981 https://www.suse.com/security/cve/CVE-2019-17361/ SUSE CVE CVE-2019-17361 page python2-salt-2019.2.3-8.9.1 python3-salt-2019.2.3-8.9.1 salt-2019.2.3-8.9.1 salt-api-2019.2.3-8.9.1 salt-bash-completion-2019.2.3-8.9.1 salt-cloud-2019.2.3-8.9.1 salt-doc-2019.2.3-8.9.1 salt-fish-completion-2019.2.3-8.9.1 salt-master-2019.2.3-8.9.1 salt-minion-2019.2.3-8.9.1 salt-proxy-2019.2.3-8.9.1 salt-ssh-2019.2.3-8.9.1 salt-standalone-formulas-configuration-2019.2.3-8.9.1 salt-syndic-2019.2.3-8.9.1 salt-zsh-completion-2019.2.3-8.9.1 In SaltStack Salt through 2019.2.0, the salt-api NET API with the ssh client enabled is vulnerable to command injection. This allows an unauthenticated attacker with network access to the API endpoint to execute arbitrary code on the salt-api host. CVE-2019-17361 important 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2020/suse-su-20200540-1/ https://www.suse.com/security/cve/CVE-2019-17361.html CVE-2019-17361 https://bugzilla.suse.com/1162504 SUSE Bug 1162504