openSUSE Security Update : salt (openSUSE-2018-388)

critical Nessus Plugin ID 109293

Language:

Synopsis

The remote openSUSE host is missing a security update.

Description

This update for salt fixes the following issues :

- [Regression] Permission problem: salt-ssh minion boostrap doesn't work anymore. (bsc#1027722)

- wrong use of os_family string for Suse in the locale module and others (bsc#1038855)

- Cannot bootstrap a host using 'Manage system completely via SSH (will not install an agent)' (bsc#1002529)

- add user to or replace members of group not working with SLES11 SPx (bsc#978150)

- SLES-12-GA client fail to start salt minion (SUSE MANAGER 3.0) (bsc#991048)

- salt pkg.latest raises exception if package is not availible (bsc#1012999)

- pkg.list_products on 'registerrelease' and 'productline' returns boolean.False if empty (bsc#989193)

- SLES-12-SP1 salt-minion clients has no Base Channel added by default (bsc#986019)

- 'The system requires a reboot' does not disappear from web-UI despite the reboot (bsc#1017078)

- Remove option -f from startproc (bsc#975733)

- [PYTHON2] package salt-minion requires /usr/bin/python (bsc#1081592)

- Upgrading packages on RHEL6/7 client fails (bsc#1068566)

- /var/log/salt has insecure permissions (bsc#1071322)

- [Minion-bootstrapping] Invalid char cause server (salt-master ERROR) (bsc#1011304)

- CVE-2016-9639: Possible information leak due to revoked keys still being used (bsc#1012398)

- Bootstrapping SLES12 minion invalid (bsc#1053376)

- Minions not correctly onboarded if Proxy has multiple FQDNs (bsc#1063419)

- salt --summary '*' <function> reporting '# of minions that did not return' wrongly (bsc#972311)

- RH-L3 SALT - Stacktrace if nscd package is not present when using nscd state (bsc#1027044)

- Inspector broken: no module 'query' or 'inspector' while querying or inspecting (bsc#989798)

- [ Regression ]Centos7 Minion remote command execution from gui or cli , minion not responding (bsc#1027240)

- SALT, minion_id generation doesn't match the newhostname (bsc#967803)

- Salt API server shuts down when SSH call with no matches is issued (bsc#1004723)

- /var/log/salt/minion fails logrotate (bsc#1030009)

- Salt proxy test.ping crashes (bsc#975303)

- salt master flood log with useless messages (bsc#985661)

- After bootstrap salt client has deprecation warnings (bsc#1041993)

- Head: salt 2017.7.2 starts salt-master as user root (bsc#1064520)

- CVE-2017-12791: Maliciously crafted minion IDs can cause unwanted directory traversals on the Salt-master (bsc#1053955)

- salt-2017.7.2 - broken %post script for salt-master (bsc#1079048)

- Tearing down deployment with SaltStack Kubernetes module always shows error (bsc#1059291)

- lvm.vg_present does not recognize PV with certain LVM filter settings. (bsc#988506)

- High state fails: No service execution module loaded:
check support for service (bsc#1065792)

- When multiple versions of a package are installed on a minion, patch status may vary (bsc#972490)

- Salt cp.push does not work on SUMA 3.2 Builds because of python3.4 (bsc#1075950)

- timezone modue does not update /etc/sysconfig/clock (bsc#1008933)

- Add patches to salt to support SUSE Manager scalability features (bsc#1052264)

- salt-minion failed to start on minimal RHEL6 because of DBus exception during load of snapper module (bsc#993039)

- Permission denied: '/var/run/salt-master.pid' (bsc#1050003)

- Jobs scheduled to run at a future time stay pending for Salt minions (bsc#1036125)

- Backport kubernetes-modules to salt (bsc#1051948)

- After highstate: The minion function caused an exception (bsc#1068446)

- VUL-0: CVE-2017-14695: salt: directory traversal vulnerability in minion id validation (bsc#1062462)

- unable to update salt-minion on RHEL (bsc#1022841)

- Nodes run out of memory due to salt-minion process (bsc#983512)

- [Proxy] 'Broken pipe' during bootstrap of salt minion (bsc#1039370)

- incorrect return code from /etc/rc.d/salt-minion (bsc#999852)

- CVE-2017-5200: Salt-ssh via api let's run arbitrary commands as user salt (bsc#1011800)

- beacons.conf on salt-minion not processed (bsc#1060230)

- SLES11 SP3 salt-minion Client Cannot Select Base Channel (bsc#975093)

- salt-ssh sys.doc gives authentication failure without arguments (bsc#1019386)

- minion bootstrapping: error when bootstrap SLE11 clients (bsc#990439)

- Certificate Deployment Fails for SLES11 SP3 Clients (bsc#975757)

- state.module run() does not translate varargs (bsc#1025896)

Solution

Update the affected salt packages.

Plugin Details

Severity: Critical

ID: 109293

File Name: openSUSE-2018-388.nasl

Version: 1.6

Type: local

Agent: unix

Family: SuSE Local Security Checks

Published: 4/24/2018

Updated: 1/19/2021

Supported Sensors: Frictionless Assessment AWS, Frictionless Assessment Azure, Frictionless Assessment Agent, Nessus Agent, Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 5.9

CVSS v2

Risk Factor: High

Base Score: 9

Vector: CVSS2#AV:N/AC:L/Au:S/C:C/I:C/A:C

CVSS v3

Risk Factor: Critical

Base Score: 9.8

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Vulnerability Information

CPE: p-cpe:/a:novell:opensuse:python2-salt, p-cpe:/a:novell:opensuse:python3-salt, p-cpe:/a:novell:opensuse:salt, p-cpe:/a:novell:opensuse:salt-api, p-cpe:/a:novell:opensuse:salt-bash-completion, p-cpe:/a:novell:opensuse:salt-cloud, p-cpe:/a:novell:opensuse:salt-fish-completion, p-cpe:/a:novell:opensuse:salt-master, p-cpe:/a:novell:opensuse:salt-minion, p-cpe:/a:novell:opensuse:salt-proxy, p-cpe:/a:novell:opensuse:salt-ssh, p-cpe:/a:novell:opensuse:salt-syndic, p-cpe:/a:novell:opensuse:salt-zsh-completion, cpe:/o:novell:opensuse:42.3

Required KB Items: Host/local_checks_enabled, Host/cpu, Host/SuSE/release, Host/SuSE/rpm-list

Patch Publication Date: 4/23/2018

Reference Information

CVE: CVE-2016-9639, CVE-2017-12791, CVE-2017-14695, CVE-2017-14696, CVE-2017-5200

IAVB: 2017-B-0112-S

Detections

Analytics