Security update for salt SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2017:2383-1 Final 1 1 2017-09-07T05:59:48Z current 2017-09-07T05:59:48Z 2017-09-07T05:59:48Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for salt This update for salt fixes the following issues: - Update to 2017.7.1 See https://docs.saltstack.com/en/develop/topics/releases/2017.7.1.html for full changelog - CVE-2017-12791: crafted minion ID could lead directory traversal on the Salt-master (boo#1053955) - Run fdupes over all of /usr because it still warns about duplicate files. Remove ancient suse_version > 1020 conditional. - Replace unnecessary %__ indirections. Use grep -q in favor of >/dev/null. - Avoid bashisms in %pre. - Update to 2017.7.0 See https://docs.saltstack.com/en/develop/topics/releases/2017.7.0.html for full changelog - fix ownership for whole master cache directory (boo#1035914) - fix setting the language on SUSE systems (boo#1038855) - wrong os_family grains on SUSE - fix unittests (boo#1038855) - speed-up cherrypy by removing sleep call - Disable 3rd party runtime packages to be explicitly recommended. (boo#1040886) - fix format error (boo#1043111) - Add a salt-minion watchdog for RHEL6 and SLES11 systems (sysV) to restart salt-minion in case of crashes during upgrade. - Add procps as dependency. - Bugfix: jobs scheduled to run at a future time stay pending for Salt minions (boo#1036125) The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://lists.opensuse.org/opensuse-updates/2017-09/msg00025.html E-Mail link for openSUSE-SU-2017:2383-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings openSUSE Leap 42.3 salt-2017.7.1-11.1 salt-api-2017.7.1-11.1 salt-bash-completion-2017.7.1-11.1 salt-cloud-2017.7.1-11.1 salt-doc-2017.7.1-11.1 salt-fish-completion-2017.7.1-11.1 salt-master-2017.7.1-11.1 salt-minion-2017.7.1-11.1 salt-proxy-2017.7.1-11.1 salt-ssh-2017.7.1-11.1 salt-syndic-2017.7.1-11.1 salt-zsh-completion-2017.7.1-11.1 salt-2017.7.1-11.1 as a component of openSUSE Leap 42.3 salt-api-2017.7.1-11.1 as a component of openSUSE Leap 42.3 salt-bash-completion-2017.7.1-11.1 as a component of openSUSE Leap 42.3 salt-cloud-2017.7.1-11.1 as a component of openSUSE Leap 42.3 salt-doc-2017.7.1-11.1 as a component of openSUSE Leap 42.3 salt-fish-completion-2017.7.1-11.1 as a component of openSUSE Leap 42.3 salt-master-2017.7.1-11.1 as a component of openSUSE Leap 42.3 salt-minion-2017.7.1-11.1 as a component of openSUSE Leap 42.3 salt-proxy-2017.7.1-11.1 as a component of openSUSE Leap 42.3 salt-ssh-2017.7.1-11.1 as a component of openSUSE Leap 42.3 salt-syndic-2017.7.1-11.1 as a component of openSUSE Leap 42.3 salt-zsh-completion-2017.7.1-11.1 as a component of openSUSE Leap 42.3 Directory traversal vulnerability in minion id validation in SaltStack Salt before 2016.11.7 and 2017.7.x before 2017.7.1 allows remote minions with incorrect credentials to authenticate to a master via a crafted minion ID. CVE-2017-12791 openSUSE Leap 42.3:salt-2017.7.1-11.1 openSUSE Leap 42.3:salt-api-2017.7.1-11.1 openSUSE Leap 42.3:salt-bash-completion-2017.7.1-11.1 openSUSE Leap 42.3:salt-cloud-2017.7.1-11.1 openSUSE Leap 42.3:salt-doc-2017.7.1-11.1 openSUSE Leap 42.3:salt-fish-completion-2017.7.1-11.1 openSUSE Leap 42.3:salt-master-2017.7.1-11.1 openSUSE Leap 42.3:salt-minion-2017.7.1-11.1 openSUSE Leap 42.3:salt-proxy-2017.7.1-11.1 openSUSE Leap 42.3:salt-ssh-2017.7.1-11.1 openSUSE Leap 42.3:salt-syndic-2017.7.1-11.1 openSUSE Leap 42.3:salt-zsh-completion-2017.7.1-11.1 moderate 4 AV:N/AC:L/Au:S/C:P/I:N/A:N Please Install the update. https://lists.opensuse.org/opensuse-updates/2017-09/msg00025.html https://www.suse.com/security/cve/CVE-2017-12791.html CVE-2017-12791 https://bugzilla.suse.com/1053955 SUSE Bug 1053955 https://bugzilla.suse.com/1062462 SUSE Bug 1062462