{"affected":[{"ecosystem_specific":{"binaries":[{"venv-salt-minion":"3006.0-3.65.1"}]},"package":{"ecosystem":"SUSE:Manager Client Tools 12","name":"venv-salt-minion","purl":"pkg:rpm/suse/venv-salt-minion&distro=SUSE%20Manager%20Client%20Tools%2012"},"ranges":[{"events":[{"introduced":"0"},{"fixed":"3006.0-3.65.1"}],"type":"ECOSYSTEM"}]}],"aliases":[],"details":"This update fixes the following issues:\n\nvenv-salt-minion:\n\n- Security fixes on Python 3.11 interpreter:\n\n  * CVE-2024-7592: Fixed quadratic complexity in parsing -quoted cookie values with backslashes\n    (bsc#1229873, bsc#1230059)\n  * CVE-2024-8088: Prevent malformed payload to cause infinite loops in zipfile.Path (bsc#1229704, bsc#1230058)\n  * CVE-2024-6923: Prevent email header injection due to unquoted newlines (bsc#1228780)\n  * CVE-2024-4032: Rearranging definition of private global IP addresses (bsc#1226448)\n  * CVE-2024-0397: ssl.SSLContext.cert_store_stats() and ssl.SSLContext.get_ca_certs() now correctly lock access to the\n    certificate store, when the ssl.SSLContext is shared across multiple threads (bsc#1226447)\n\n- Security fixes on Python dependencies:\n\n  * CVE-2024-5569: zipp: Fixed a Denial of Service (DoS) vulnerability in the jaraco/zipp library\n    (bsc#1227547, bsc#1229996)\n  * CVE-2024-6345: setuptools: Sanitize any VCS URL used for download (bsc#1228105, bsc#1229995)\n  * CVE-2024-3651: idna: Fix a potential DoS via resource consumption via specially crafted inputs to idna.encode()\n    (bsc#1222842, bsc#1229994)\n  * CVE-2024-37891: urllib3: Added the ``Proxy-Authorization`` header to the list of headers to strip from requests\n    when redirecting to a different host (bsc#1226469, bsc#1229654)\n\n- Other bugs fixed:\n\n  * Added passlib Python module to the bundle\n  * Allow NamedLoaderContexts to be returned from loader\n  * Avoid crash on wrong output of systemctl version (bsc#1229539)\n  * Avoid explicit reading of /etc/salt/minion (bsc#1220357)\n  * Enable post_start_cleanup.sh to work in a transaction\n  * Fixed cloud Minion configuration for multiple Masters (bsc#1229109)\n  * Fixed failing x509 tests with OpenSSL < 1.1 \n  * Fixed the SELinux context for Salt Minion service (bsc#1219041)\n  * Fixed zyppnotify plugin after latest zypp/libzypp upgrades (bsc#1231697, bsc#1231045)\n  * Improved error handling with different OpenSSL versions\n  * Increase warn_until_date date for code we still support\n  * Prevent using SyncWrapper with no reason\n  * Reverted the change making reactor less blocking (bsc#1230322)\n  * Use --cachedir for extension_modules in salt-call (bsc#1226141)\n  * Use Pygit2 id instead of deprecated oid in gitfs\n\n","id":"SUSE-SU-2024:4020-1","modified":"2024-11-18T13:25:06Z","published":"2024-11-18T13:25:06Z","references":[{"type":"ADVISORY","url":"https://www.suse.com/support/update/announcement/2024/suse-su-20244020-1/"},{"type":"REPORT","url":"https://bugzilla.suse.com/1219041"},{"type":"REPORT","url":"https://bugzilla.suse.com/1220357"},{"type":"REPORT","url":"https://bugzilla.suse.com/1222842"},{"type":"REPORT","url":"https://bugzilla.suse.com/1226141"},{"type":"REPORT","url":"https://bugzilla.suse.com/1226447"},{"type":"REPORT","url":"https://bugzilla.suse.com/1226448"},{"type":"REPORT","url":"https://bugzilla.suse.com/1226469"},{"type":"REPORT","url":"https://bugzilla.suse.com/1227547"},{"type":"REPORT","url":"https://bugzilla.suse.com/1228105"},{"type":"REPORT","url":"https://bugzilla.suse.com/1228780"},{"type":"REPORT","url":"https://bugzilla.suse.com/1229109"},{"type":"REPORT","url":"https://bugzilla.suse.com/1229539"},{"type":"REPORT","url":"https://bugzilla.suse.com/1229654"},{"type":"REPORT","url":"https://bugzilla.suse.com/1229704"},{"type":"REPORT","url":"https://bugzilla.suse.com/1229873"},{"type":"REPORT","url":"https://bugzilla.suse.com/1229994"},{"type":"REPORT","url":"https://bugzilla.suse.com/1229995"},{"type":"REPORT","url":"https://bugzilla.suse.com/1229996"},{"type":"REPORT","url":"https://bugzilla.suse.com/1230058"},{"type":"REPORT","url":"https://bugzilla.suse.com/1230059"},{"type":"REPORT","url":"https://bugzilla.suse.com/1230322"},{"type":"REPORT","url":"https://bugzilla.suse.com/1231045"},{"type":"REPORT","url":"https://bugzilla.suse.com/1231697"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2024-0397"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2024-3651"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2024-37891"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2024-4032"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2024-5569"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2024-6345"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2024-6923"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2024-7592"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2024-8088"}],"related":["CVE-2024-0397","CVE-2024-3651","CVE-2024-37891","CVE-2024-4032","CVE-2024-5569","CVE-2024-6345","CVE-2024-6923","CVE-2024-7592","CVE-2024-8088"],"summary":"Security update for SUSE Manager Salt Bundle","upstream":["CVE-2024-0397","CVE-2024-3651","CVE-2024-37891","CVE-2024-4032","CVE-2024-5569","CVE-2024-6345","CVE-2024-6923","CVE-2024-7592","CVE-2024-8088"]}