openSUSE Security Update : salt (openSUSE-2018-1574)

critical Nessus Plugin ID 119805


New! Plugin Severity Now Using CVSS v3

The calculated severity for Plugins has been updated to use CVSS v3 by default. Plugins that do not have a CVSS v3 score will fall back to CVSS v2 for calculating severity. Severity display preferences can be toggled in the settings dropdown.


The remote openSUSE host is missing a security update.


This update for salt fixes the following issues :

- Crontab module fix: file attributes option missing (boo#1114824)

- Fix git_pillar merging across multiple __env__ repositories (boo#1112874)

- Bugfix: unable to detect os arch when RPM is not installed (boo#1114197)

- Fix LDAP authentication issue when a valid token is generated by the salt-api even when invalid user credentials are passed. (U#48901)

- Improved handling of LDAP group id. gid is no longer treated as a string, which could have lead to faulty group creations. (boo#1113784)

- Fix remote command execution and incorrect access control when using salt-api. (boo#1113699) (CVE-2018-15751)

- Fix Directory traversal vulnerability when using salt-api. Allows an attacker to determine what files exist on a server when querying /run or /events.
(boo#1113698) (CVE-2018-15750)

- Add multi-file support and globbing to the filetree (U#50018)

- Bugfix: supportconfig non-root permission issues (U#50095)

- Open profiles permissions to everyone for read-only

- Preserving signature in '' state (U#50049)

- Install default salt-support profiles

- Remove unit test, came from a wrong branch. Fix merging failure.

- Add CPE_NAME for osversion* grain parsing

- Get os_family for RPM distros from the RPM macros

- Install support profiles

- Fix async call to process manager (boo#1110938)

- Salt-based supportconfig implementation (technology preview)

- Bugfix: any unicode string of length 16 will raise TypeError

- Fix IPv6 scope (boo#1108557)

- Handle zypper ZYPPER_EXIT_NO_REPOS exit code (boo#1108834, boo#1109893)

- Bugfix for pkg_resources crash (boo#1104491)

- Fix loosen azure sdk dependencies in azurearm cloud driver (boo#1107333)

- Fix broken 'resolve_capabilities' on Python 3 (boo#1108995)


Update the affected salt packages.

See Also

Plugin Details

Severity: Critical

ID: 119805

File Name: openSUSE-2018-1574.nasl

Version: 1.6

Type: local

Agent: unix

Published: 12/20/2018

Updated: 1/19/2021

Dependencies: ssh_get_info.nasl

Risk Information


Risk Factor: Medium

Score: 5.9


Risk Factor: High

Base Score: 7.5

Temporal Score: 5.5

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

Temporal Vector: CVSS2#E:U/RL:OF/RC:C


Risk Factor: Critical

Base Score: 9.8

Temporal Score: 8.5

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

CPE: cpe:2.3:o:novell:opensuse:42.3:*:*:*:*:*:*:*, p-cpe:2.3:a:novell:opensuse:salt:*:*:*:*:*:*:*, p-cpe:2.3:a:novell:opensuse:salt-api:*:*:*:*:*:*:*, p-cpe:2.3:a:novell:opensuse:salt-bash-completion:*:*:*:*:*:*:*, p-cpe:2.3:a:novell:opensuse:salt-cloud:*:*:*:*:*:*:*, p-cpe:2.3:a:novell:opensuse:salt-fish-completion:*:*:*:*:*:*:*, p-cpe:2.3:a:novell:opensuse:salt-master:*:*:*:*:*:*:*, p-cpe:2.3:a:novell:opensuse:salt-minion:*:*:*:*:*:*:*, p-cpe:2.3:a:novell:opensuse:salt-proxy:*:*:*:*:*:*:*, p-cpe:2.3:a:novell:opensuse:salt-ssh:*:*:*:*:*:*:*, p-cpe:2.3:a:novell:opensuse:salt-syndic:*:*:*:*:*:*:*, p-cpe:2.3:a:novell:opensuse:salt-zsh-completion:*:*:*:*:*:*:*, p-cpe:2.3:a:novell:opensuse:python2-salt:*:*:*:*:*:*:*, p-cpe:2.3:a:novell:opensuse:python3-salt:*:*:*:*:*:*:*

Required KB Items: Host/local_checks_enabled, Host/cpu, Host/SuSE/release, Host/SuSE/rpm-list

Exploit Ease: No known exploits are available

Patch Publication Date: 12/19/2018

Vulnerability Publication Date: 10/24/2018

Reference Information

CVE: CVE-2018-15750, CVE-2018-15751