openSUSE Security Update : salt (openSUSE-2020-1074)

High Nessus Plugin ID 139012

Synopsis

The remote openSUSE host is missing a security update.

Description

This update for salt contains the following fixes :

- Fix for TypeError in Tornado importer (bsc#1174165)

- Require python3-distro only for TW (bsc#1173072)

- Update to Salt version 3000: See release notes:
https://docs.saltstack.com/en/latest/topics/releases/300 0.html

- Add docker.logout to docker execution module.
(bsc#1165572)

- Add option to enable/disable force refresh for zypper.

- Add publish_batch to ClearFuncs exposed methods.

- Adds test for zypper abbreviation fix.

- Avoid segfault from 'salt-api' under certain conditions of heavy load managing SSH minions. (bsc#1169604)

- Avoid traceback on debug logging for swarm module.
(bsc#1172075)

- Batch mode now also correctly provides return value.
(bsc#1168340)

- Better import cache handline.

- Do not make file.recurse state to fail when msgpack 0.5.4. (bsc#1167437)

- Do not require vendored backports-abc. (bsc#1170288)

- Fix errors from unit tests due NO_MOCK and NO_MOCK_REASON deprecation.

- Fix for low rpm_lowpkg unit test.

- Fix for temp folder definition in loader unit test.

- Fix for unless requisite when pip is not installed.

- Fix integration test failure for test_mod_del_repo_multiline_values.

- Fix regression in service states with reload argument.

- Fix tornado imports and missing _utils after rebasing patches.

- Fix status attribute issue in aptpkg test.

- Improved storage pool or network handling.

- loop: fix variable names for until_no_eval.

- Make 'salt.ext.tornado.gen' to use 'salt.ext.backports_abc' on Python 2.

- Make setup.py script not to require setuptools greater than 9.1.

- More robust remote port detection.

- Prevent sporious 'salt-api' stuck processes when managing SSH minions. because of logging deadlock.
(bsc#1159284)

- Python3.8 compatibility changes.

- Removes unresolved merge conflict in yumpkg module.

- Returns a the list of IPs filtered by the optional network list.

- Revert broken changes to slspath made on Salt 3000 (saltstack/salt#56341). (bsc#1170104)

- Sanitize grains loaded from roster_grains.json cache during 'state.pkg'.

- Various virt backports from 3000.2.

- zypperpkg: filter patterns that start with dot.
(bsc#1171906)

This update was imported from the SUSE:SLE-15-SP1:Update update project.

Solution

Update the affected salt packages.

See Also

https://bugzilla.opensuse.org/show_bug.cgi?id=1159284

https://bugzilla.opensuse.org/show_bug.cgi?id=1165572

https://bugzilla.opensuse.org/show_bug.cgi?id=1167437

https://bugzilla.opensuse.org/show_bug.cgi?id=1168340

https://bugzilla.opensuse.org/show_bug.cgi?id=1169604

https://bugzilla.opensuse.org/show_bug.cgi?id=1170104

https://bugzilla.opensuse.org/show_bug.cgi?id=1170288

https://bugzilla.opensuse.org/show_bug.cgi?id=1171906

https://bugzilla.opensuse.org/show_bug.cgi?id=1172075

https://bugzilla.opensuse.org/show_bug.cgi?id=1173072

https://bugzilla.opensuse.org/show_bug.cgi?id=1174165

https://docs.saltstack.com/en/latest/topics/releases/3000.html

Plugin Details

Severity: High

ID: 139012

File Name: openSUSE-2020-1074.nasl

Version: 1.3

Type: local

Agent: unix

Published: 2020/07/28

Updated: 2020/08/13

Dependencies: 12634

Risk Information

Risk Factor: High

CVSS v2.0

Base Score: 7.5

Temporal Score: 6.2

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

Temporal Vector: CVSS2#E:F/RL:OF/RC:C

CVSS v3.0

Base Score: 9.8

Temporal Score: 9.1

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:F/RL:O/RC:C

Vulnerability Information

CPE: p-cpe:/a:novell:opensuse:python2-salt, p-cpe:/a:novell:opensuse:python3-salt, p-cpe:/a:novell:opensuse:salt, p-cpe:/a:novell:opensuse:salt-api, p-cpe:/a:novell:opensuse:salt-bash-completion, p-cpe:/a:novell:opensuse:salt-cloud, p-cpe:/a:novell:opensuse:salt-fish-completion, p-cpe:/a:novell:opensuse:salt-master, p-cpe:/a:novell:opensuse:salt-minion, p-cpe:/a:novell:opensuse:salt-proxy, p-cpe:/a:novell:opensuse:salt-ssh, p-cpe:/a:novell:opensuse:salt-standalone-formulas-configuration, p-cpe:/a:novell:opensuse:salt-syndic, p-cpe:/a:novell:opensuse:salt-zsh-completion, cpe:/o:novell:opensuse:15.1

Required KB Items: Host/local_checks_enabled, Host/SuSE/release, Host/SuSE/rpm-list, Host/cpu

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 2020/07/26

Vulnerability Publication Date: 2018/10/24

Exploitable With

Metasploit (SaltStack Salt Master/Minion Unauthenticated RCE)

Reference Information

CVE: CVE-2018-15750, CVE-2018-15751, CVE-2020-11651, CVE-2020-11652