Detections
Analytics
openSUSE Security Update : salt (openSUSE-2018-1574)
critical Nessus Plugin ID 119805
Language:
Synopsis
The remote openSUSE host is missing a security update.Description
This update for salt fixes the following issues :- Crontab module fix: file attributes option missing (boo#1114824)
- Fix git_pillar merging across multiple __env__ repositories (boo#1112874)
- Bugfix: unable to detect os arch when RPM is not installed (boo#1114197)
- Fix LDAP authentication issue when a valid token is generated by the salt-api even when invalid user credentials are passed. (U#48901)
- Improved handling of LDAP group id. gid is no longer treated as a string, which could have lead to faulty group creations. (boo#1113784)
- Fix remote command execution and incorrect access control when using salt-api. (boo#1113699) (CVE-2018-15751)
- Fix Directory traversal vulnerability when using salt-api. Allows an attacker to determine what files exist on a server when querying /run or /events.
(boo#1113698) (CVE-2018-15750)
- Add multi-file support and globbing to the filetree (U#50018)
- Bugfix: supportconfig non-root permission issues (U#50095)
- Open profiles permissions to everyone for read-only
- Preserving signature in 'module.run' state (U#50049)
- Install default salt-support profiles
- Remove unit test, came from a wrong branch. Fix merging failure.
- Add CPE_NAME for osversion* grain parsing
- Get os_family for RPM distros from the RPM macros
- Install support profiles
- Fix async call to process manager (boo#1110938)
- Salt-based supportconfig implementation (technology preview)
- Bugfix: any unicode string of length 16 will raise TypeError
- Fix IPv6 scope (boo#1108557)
- Handle zypper ZYPPER_EXIT_NO_REPOS exit code (boo#1108834, boo#1109893)
- Bugfix for pkg_resources crash (boo#1104491)
- Fix loosen azure sdk dependencies in azurearm cloud driver (boo#1107333)
- Fix broken 'resolve_capabilities' on Python 3 (boo#1108995)
Solution
Update the affected salt packages.See Also
https://bugzilla.opensuse.org/show_bug.cgi?id=1104491
https://bugzilla.opensuse.org/show_bug.cgi?id=1107333
https://bugzilla.opensuse.org/show_bug.cgi?id=1108557
https://bugzilla.opensuse.org/show_bug.cgi?id=1108834
https://bugzilla.opensuse.org/show_bug.cgi?id=1108995
https://bugzilla.opensuse.org/show_bug.cgi?id=1109893
https://bugzilla.opensuse.org/show_bug.cgi?id=1110938
https://bugzilla.opensuse.org/show_bug.cgi?id=1112874
https://bugzilla.opensuse.org/show_bug.cgi?id=1113698
https://bugzilla.opensuse.org/show_bug.cgi?id=1113699
https://bugzilla.opensuse.org/show_bug.cgi?id=1113784
Plugin Details
Severity: Critical
ID: 119805
File Name: openSUSE-2018-1574.nasl
Version: 1.6
Type: local
Agent: unix
Family: SuSE Local Security Checks
Published: 12/20/2018
Updated: 1/19/2021
Supported Sensors: Nessus Agent, Frictionless Assessment Agent, Frictionless Assessment AWS, Frictionless Assessment Azure, Nessus
Risk Information
VPR
Risk Factor: Medium
Score: 6.7
CVSS v2
Risk Factor: High
Base Score: 7.5
Temporal Score: 5.5
Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P
CVSS v3
Risk Factor: Critical
Base Score: 9.8
Temporal Score: 8.5
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C
Vulnerability Information
CPE: p-cpe:/a:novell:opensuse:python2-salt, p-cpe:/a:novell:opensuse:python3-salt, p-cpe:/a:novell:opensuse:salt, p-cpe:/a:novell:opensuse:salt-api, p-cpe:/a:novell:opensuse:salt-bash-completion, p-cpe:/a:novell:opensuse:salt-cloud, p-cpe:/a:novell:opensuse:salt-fish-completion, p-cpe:/a:novell:opensuse:salt-master, p-cpe:/a:novell:opensuse:salt-minion, p-cpe:/a:novell:opensuse:salt-proxy, p-cpe:/a:novell:opensuse:salt-ssh, p-cpe:/a:novell:opensuse:salt-syndic, p-cpe:/a:novell:opensuse:salt-zsh-completion, cpe:/o:novell:opensuse:42.3
Required KB Items: Host/local_checks_enabled, Host/SuSE/release, Host/SuSE/rpm-list, Host/cpu
Exploit Ease: No known exploits are available
Patch Publication Date: 12/19/2018
Vulnerability Publication Date: 10/24/2018
Reference Information
CVE: CVE-2018-15750, CVE-2018-15751