Security update for SUSE Manager Salt Bundle SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2023:3877-1 Final 1 1 2023-09-28T11:47:21Z current 2023-09-28T11:47:21Z 2023-09-28T11:47:21Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for SUSE Manager Salt Bundle This update fixes the following issues: venv-salt-minion: - Security issues fixed: * CVE-2023-20897: Do not fail on bad message pack message (bsc#1213441) * CVE-2023-20898: Fixed Git Providers can read from the wrong environment because they get the same cache directory base name. (bsc#1214797, bsc#1193948) - Bugs fixed: * Revert usage of long running REQ channel to prevent possible missing responses on requests and duplicated responses (bsc#1213960, bsc#1213630, bsc#1213257) * Create minion_id with reproducible mtime * Do not recompile SELinux policy module on building. Use precompiled module instead to avoid incompatibility errors. * Fix broken tests to make them running in the testsuite * Fix detection of Salt codename by 'salt_version' execution module * Fix inconsistency in reported version by egg-info metadata (bsc#1215489) * Fix regression: multiple values for keyword argument 'saltenv' (bsc#1212844) * Fix the regression of user.present state when group is unset (bsc#1212855) * Fix utf8 handling in 'pass' renderer and make it more robust * Fix zypper repositories always being reconfigured * Make sure configured user is properly set by Salt (bsc#1210994) * Prevent possible exceptions on salt.utils.user.get_group_dict (bsc#1212794) * Ship SELinux policy module version 19 to make it compatible with broader list of Linux distributions The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). SUSE-2023-3877,SUSE-SLE-Manager-Tools-15-2023-3877,SUSE-SLE-Manager-Tools-For-Micro-5-2023-3877,SUSE-SLE-Module-SUSE-Manager-Proxy-4.3-2023-3877,SUSE-SLE-Module-SUSE-Manager-Server-4.3-2023-3877 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2023/suse-su-20233877-1/ Link for SUSE-SU-2023:3877-1 https://lists.suse.com/pipermail/sle-updates/2023-September/031782.html E-Mail link for SUSE-SU-2023:3877-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1193948 SUSE Bug 1193948 https://bugzilla.suse.com/1210994 SUSE Bug 1210994 https://bugzilla.suse.com/1212794 SUSE Bug 1212794 https://bugzilla.suse.com/1212844 SUSE Bug 1212844 https://bugzilla.suse.com/1212855 SUSE Bug 1212855 https://bugzilla.suse.com/1213257 SUSE Bug 1213257 https://bugzilla.suse.com/1213441 SUSE Bug 1213441 https://bugzilla.suse.com/1213630 SUSE Bug 1213630 https://bugzilla.suse.com/1213960 SUSE Bug 1213960 https://bugzilla.suse.com/1214796 SUSE Bug 1214796 https://bugzilla.suse.com/1214797 SUSE Bug 1214797 https://bugzilla.suse.com/1215489 SUSE Bug 1215489 https://www.suse.com/security/cve/CVE-2023-20897/ SUSE CVE CVE-2023-20897 page https://www.suse.com/security/cve/CVE-2023-20898/ SUSE CVE CVE-2023-20898 page SUSE Manager Client Tools 15 SUSE Manager Client Tools for SLE Micro 5 SUSE Manager Proxy Module 4.3 SUSE Manager Server Module 4.3 saltbundle-libsodium-1.0.18-150000.3.12.3 saltbundle-libsodium-devel-1.0.18-150000.3.12.3 saltbundle-libzmq-4.2.3-150000.3.12.3 saltbundle-zeromq-devel-4.2.3-150000.3.12.3 saltbundle-zeromq-tools-4.2.3-150000.3.12.3 saltbundlepy-3.10.10-150000.3.18.3 saltbundlepy-base-3.10.10-150000.3.18.4 saltbundlepy-cffi-1.15.1-150000.3.12.3 saltbundlepy-cryptography-3.3.2-150000.3.18.3 saltbundlepy-cryptography-vectors-3.3.2-150000.3.12.1 saltbundlepy-curses-3.10.10-150000.3.18.3 saltbundlepy-cython-0.29.32-150000.3.12.3 saltbundlepy-dbm-3.10.10-150000.3.18.3 saltbundlepy-devel-3.10.10-150000.3.18.4 saltbundlepy-kiwi-9.24.43-150000.3.15.1 saltbundlepy-libs-3.10.10-150000.3.18.4 saltbundlepy-lxml-4.9.2-150000.3.15.3 saltbundlepy-lxml-devel-4.9.2-150000.3.15.3 saltbundlepy-lxml-doc-4.9.2-150000.3.15.3 saltbundlepy-pycparser-2.17-150000.3.9.1 saltbundlepy-pytz-2022.1-150000.3.12.3 saltbundlepy-pyxattr-0.7.2-150000.3.9.3 saltbundlepy-pyzmq-24.0.1-150000.3.18.3 saltbundlepy-pyzmq-devel-24.0.1-150000.3.18.3 saltbundlepy-rpm-generators-20211001.fc6c04e-150000.3.9.1 saltbundlepy-rpm-macros-20211001.fc6c04e-150000.3.9.1 saltbundlepy-testsuite-3.10.10-150000.3.18.4 saltbundlepy-tk-3.10.10-150000.3.18.3 saltbundlepy-tools-3.10.10-150000.3.18.4 venv-salt-minion-3006.0-150000.3.42.1 venv-salt-minion-3006.0-150000.3.42.1 as a component of SUSE Manager Client Tools 15 venv-salt-minion-3006.0-150000.3.42.1 as a component of SUSE Manager Client Tools for SLE Micro 5 venv-salt-minion-3006.0-150000.3.42.1 as a component of SUSE Manager Proxy Module 4.3 venv-salt-minion-3006.0-150000.3.42.1 as a component of SUSE Manager Server Module 4.3 Salt masters prior to 3005.2 or 3006.2 contain a DOS in minion return. After receiving several bad packets on the request server equal to the number of worker threads, the master will become unresponsive to return requests until restarted. CVE-2023-20897 SUSE Manager Client Tools 15:venv-salt-minion-3006.0-150000.3.42.1 SUSE Manager Client Tools for SLE Micro 5:venv-salt-minion-3006.0-150000.3.42.1 SUSE Manager Proxy Module 4.3:venv-salt-minion-3006.0-150000.3.42.1 SUSE Manager Server Module 4.3:venv-salt-minion-3006.0-150000.3.42.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2023/suse-su-20233877-1/ https://www.suse.com/security/cve/CVE-2023-20897.html CVE-2023-20897 https://bugzilla.suse.com/1214796 SUSE Bug 1214796 Git Providers can read from the wrong environment because they get the same cache directory base name in Salt masters prior to 3005.2 or 3006.2. Anything that uses Git Providers with different environments can get garbage data or the wrong data, which can lead to wrongful data disclosure, wrongful executions, data corruption and/or crash. CVE-2023-20898 SUSE Manager Client Tools 15:venv-salt-minion-3006.0-150000.3.42.1 SUSE Manager Client Tools for SLE Micro 5:venv-salt-minion-3006.0-150000.3.42.1 SUSE Manager Proxy Module 4.3:venv-salt-minion-3006.0-150000.3.42.1 SUSE Manager Server Module 4.3:venv-salt-minion-3006.0-150000.3.42.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2023/suse-su-20233877-1/ https://www.suse.com/security/cve/CVE-2023-20898.html CVE-2023-20898 https://bugzilla.suse.com/1214797 SUSE Bug 1214797