Security update for py26-compat-salt SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2021:0624-1 Final 1 1 2021-02-26T10:11:02Z current 2021-02-26T10:11:02Z 2021-02-26T10:11:02Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for py26-compat-salt This update for py26-compat-salt fixes the following issues: - Allow extra_filerefs as sanitized kwargs for SSH client - Fix for multiple for security issues (CVE-2020-28243) (CVE-2020-28972) (CVE-2020-35662) (CVE-2021-3148) (CVE-2021-3144) (CVE-2021-25281) (CVE-2021-25282) (CVE-2021-25283) (CVE-2021-25284) (CVE-2021-3197) (bsc#1181550) (bsc#1181556) (bsc#1181557) (bsc#1181558) (bsc#1181559) (bsc#1181560) (bsc#1181561) (bsc#1181562) (bsc#1181563) (bsc#1181564) (bsc#1181565) - Fix regression on cmd.run when passing tuples as cmd (bsc#1182740) The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). SUSE-2021-624,SUSE-SLE-Module-SUSE-Manager-Server-4.1-2021-624 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2021/suse-su-20210624-1/ Link for SUSE-SU-2021:0624-1 https://lists.suse.com/pipermail/sle-security-updates/2021-February/008379.html E-Mail link for SUSE-SU-2021:0624-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1181550 SUSE Bug 1181550 https://bugzilla.suse.com/1181556 SUSE Bug 1181556 https://bugzilla.suse.com/1181557 SUSE Bug 1181557 https://bugzilla.suse.com/1181558 SUSE Bug 1181558 https://bugzilla.suse.com/1181559 SUSE Bug 1181559 https://bugzilla.suse.com/1181560 SUSE Bug 1181560 https://bugzilla.suse.com/1181561 SUSE Bug 1181561 https://bugzilla.suse.com/1181562 SUSE Bug 1181562 https://bugzilla.suse.com/1181563 SUSE Bug 1181563 https://bugzilla.suse.com/1181564 SUSE Bug 1181564 https://bugzilla.suse.com/1181565 SUSE Bug 1181565 https://bugzilla.suse.com/1182740 SUSE Bug 1182740 https://www.suse.com/security/cve/CVE-2020-28243/ SUSE CVE CVE-2020-28243 page https://www.suse.com/security/cve/CVE-2020-28972/ SUSE CVE CVE-2020-28972 page https://www.suse.com/security/cve/CVE-2020-35662/ SUSE CVE CVE-2020-35662 page https://www.suse.com/security/cve/CVE-2021-25281/ SUSE CVE CVE-2021-25281 page https://www.suse.com/security/cve/CVE-2021-25282/ SUSE CVE CVE-2021-25282 page https://www.suse.com/security/cve/CVE-2021-25283/ SUSE CVE CVE-2021-25283 page https://www.suse.com/security/cve/CVE-2021-25284/ SUSE CVE CVE-2021-25284 page https://www.suse.com/security/cve/CVE-2021-3144/ SUSE CVE CVE-2021-3144 page https://www.suse.com/security/cve/CVE-2021-3148/ SUSE CVE CVE-2021-3148 page https://www.suse.com/security/cve/CVE-2021-3197/ SUSE CVE CVE-2021-3197 page SUSE Manager Server Module 4.1 py26-compat-salt-2016.11.10-6.8.1 py26-compat-salt-2016.11.10-6.8.1 as a component of SUSE Manager Server Module 4.1 An issue was discovered in SaltStack Salt before 3002.5. The minion's restartcheck is vulnerable to command injection via a crafted process name. This allows for a local privilege escalation by any user able to create a files on the minion in a non-blacklisted directory. CVE-2020-28243 SUSE Manager Server Module 4.1:py26-compat-salt-2016.11.10-6.8.1 important 4.4 AV:L/AC:M/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2021/suse-su-20210624-1/ https://www.suse.com/security/cve/CVE-2020-28243.html CVE-2020-28243 https://bugzilla.suse.com/1181550 SUSE Bug 1181550 https://bugzilla.suse.com/1181556 SUSE Bug 1181556 In SaltStack Salt before 3002.5, authentication to VMware vcenter, vsphere, and esxi servers (in the vmware.py files) does not always validate the SSL/TLS certificate. CVE-2020-28972 SUSE Manager Server Module 4.1:py26-compat-salt-2016.11.10-6.8.1 critical 4.3 AV:N/AC:M/Au:N/C:P/I:N/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2021/suse-su-20210624-1/ https://www.suse.com/security/cve/CVE-2020-28972.html CVE-2020-28972 https://bugzilla.suse.com/1181550 SUSE Bug 1181550 https://bugzilla.suse.com/1181557 SUSE Bug 1181557 In SaltStack Salt before 3002.5, when authenticating to services using certain modules, the SSL certificate is not always validated. CVE-2020-35662 SUSE Manager Server Module 4.1:py26-compat-salt-2016.11.10-6.8.1 critical 5.8 AV:N/AC:M/Au:N/C:P/I:P/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2021/suse-su-20210624-1/ https://www.suse.com/security/cve/CVE-2020-35662.html CVE-2020-35662 https://bugzilla.suse.com/1181550 SUSE Bug 1181550 https://bugzilla.suse.com/1181565 SUSE Bug 1181565 An issue was discovered in through SaltStack Salt before 3002.5. salt-api does not honor eauth credentials for the wheel_async client. Thus, an attacker can remotely run any wheel modules on the master. CVE-2021-25281 SUSE Manager Server Module 4.1:py26-compat-salt-2016.11.10-6.8.1 critical 7.5 AV:N/AC:L/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2021/suse-su-20210624-1/ https://www.suse.com/security/cve/CVE-2021-25281.html CVE-2021-25281 https://bugzilla.suse.com/1181550 SUSE Bug 1181550 https://bugzilla.suse.com/1181559 SUSE Bug 1181559 An issue was discovered in through SaltStack Salt before 3002.5. The salt.wheel.pillar_roots.write method is vulnerable to directory traversal. CVE-2021-25282 SUSE Manager Server Module 4.1:py26-compat-salt-2016.11.10-6.8.1 critical 6.4 AV:N/AC:L/Au:N/C:N/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2021/suse-su-20210624-1/ https://www.suse.com/security/cve/CVE-2021-25282.html CVE-2021-25282 https://bugzilla.suse.com/1181550 SUSE Bug 1181550 https://bugzilla.suse.com/1181560 SUSE Bug 1181560 An issue was discovered in through SaltStack Salt before 3002.5. The jinja renderer does not protect against server side template injection attacks. CVE-2021-25283 SUSE Manager Server Module 4.1:py26-compat-salt-2016.11.10-6.8.1 critical 7.5 AV:N/AC:L/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2021/suse-su-20210624-1/ https://www.suse.com/security/cve/CVE-2021-25283.html CVE-2021-25283 https://bugzilla.suse.com/1181550 SUSE Bug 1181550 https://bugzilla.suse.com/1181561 SUSE Bug 1181561 An issue was discovered in through SaltStack Salt before 3002.5. salt.modules.cmdmod can log credentials to the info or error log level. CVE-2021-25284 SUSE Manager Server Module 4.1:py26-compat-salt-2016.11.10-6.8.1 critical 1.9 AV:L/AC:M/Au:N/C:N/I:P/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2021/suse-su-20210624-1/ https://www.suse.com/security/cve/CVE-2021-25284.html CVE-2021-25284 https://bugzilla.suse.com/1181550 SUSE Bug 1181550 In SaltStack Salt before 3002.5, eauth tokens can be used once after expiration. (They might be used to run command against the salt master or minions.) CVE-2021-3144 SUSE Manager Server Module 4.1:py26-compat-salt-2016.11.10-6.8.1 critical 7.5 AV:N/AC:L/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2021/suse-su-20210624-1/ https://www.suse.com/security/cve/CVE-2021-3144.html CVE-2021-3144 https://bugzilla.suse.com/1181550 SUSE Bug 1181550 https://bugzilla.suse.com/1181562 SUSE Bug 1181562 An issue was discovered in SaltStack Salt before 3002.5. Sending crafted web requests to the Salt API can result in salt.utils.thin.gen_thin() command injection because of different handling of single versus double quotes. This is related to salt/utils/thin.py. CVE-2021-3148 SUSE Manager Server Module 4.1:py26-compat-salt-2016.11.10-6.8.1 critical 7.5 AV:N/AC:L/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2021/suse-su-20210624-1/ https://www.suse.com/security/cve/CVE-2021-3148.html CVE-2021-3148 https://bugzilla.suse.com/1181550 SUSE Bug 1181550 https://bugzilla.suse.com/1181558 SUSE Bug 1181558 An issue was discovered in SaltStack Salt before 3002.5. The salt-api's ssh client is vulnerable to a shell injection by including ProxyCommand in an argument, or via ssh_options provided in an API request. CVE-2021-3197 SUSE Manager Server Module 4.1:py26-compat-salt-2016.11.10-6.8.1 critical 7.5 AV:N/AC:L/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2021/suse-su-20210624-1/ https://www.suse.com/security/cve/CVE-2021-3197.html CVE-2021-3197 https://bugzilla.suse.com/1181550 SUSE Bug 1181550 https://bugzilla.suse.com/1181564 SUSE Bug 1181564