Security update for SUSE Manager Salt Bundle SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2023:3128-1 Final 1 1 2023-08-02T07:12:44Z current 2023-08-02T07:12:44Z 2023-08-02T07:12:44Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for SUSE Manager Salt Bundle This update fixes the following issues: venv-salt-minion: - Security fixes: * CVE-2023-28370: Tornado: Fix an open redirect in StaticFileHandler (bsc#1211741) - Bug fixes: * Prevent _pygit2.GitError: error loading known_hosts when $HOME is not set (bsc#1210994) * Fix ModuleNotFoundError and other issues raised by salt-support module (bsc#1211591) * Make master_tops compatible with Salt 3000 and older minions (bsc#1212516) (bsc#1212517) * Avoid failures due transactional_update module not available in Salt 3006.0 (bsc#1211754) The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). SUSE-2023-3128,SUSE-SLE-Manager-Tools-12-2023-3128 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2023/suse-su-20233128-1/ Link for SUSE-SU-2023:3128-1 https://lists.suse.com/pipermail/sle-security-updates/2023-August/015747.html E-Mail link for SUSE-SU-2023:3128-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1210994 SUSE Bug 1210994 https://bugzilla.suse.com/1211591 SUSE Bug 1211591 https://bugzilla.suse.com/1211741 SUSE Bug 1211741 https://bugzilla.suse.com/1211754 SUSE Bug 1211754 https://bugzilla.suse.com/1212516 SUSE Bug 1212516 https://bugzilla.suse.com/1212517 SUSE Bug 1212517 https://www.suse.com/security/cve/CVE-2023-28370/ SUSE CVE CVE-2023-28370 page SUSE Manager Client Tools 12 saltbundlepy-psutil-5.8.0-3.15.2 venv-salt-minion-3006.0-3.33.2 venv-salt-minion-3006.0-3.33.2 as a component of SUSE Manager Client Tools 12 Open redirect vulnerability in Tornado versions 6.3.1 and earlier allows a remote unauthenticated attacker to redirect a user to an arbitrary web site and conduct a phishing attack by having user access a specially crafted URL. CVE-2023-28370 SUSE Manager Client Tools 12:venv-salt-minion-3006.0-3.33.2 low To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2023/suse-su-20233128-1/ https://www.suse.com/security/cve/CVE-2023-28370.html CVE-2023-28370 https://bugzilla.suse.com/1211741 SUSE Bug 1211741