openSUSE Security Update : salt (openSUSE-2020-1074)

critical Nessus Plugin ID 139012



The remote openSUSE host is missing a security update.


This update for salt contains the following fixes :

- Fix for TypeError in Tornado importer (bsc#1174165)

- Require python3-distro only for TW (bsc#1173072)

- Update to Salt version 3000: See release notes: 0.html

- Add docker.logout to docker execution module.

- Add option to enable/disable force refresh for zypper.

- Add publish_batch to ClearFuncs exposed methods.

- Adds test for zypper abbreviation fix.

- Avoid segfault from 'salt-api' under certain conditions of heavy load managing SSH minions. (bsc#1169604)

- Avoid traceback on debug logging for swarm module.

- Batch mode now also correctly provides return value.

- Better import cache handling.

- Do not make the file.recurse state fail when msgpack 0.5.4 is used. (bsc#1167437)

- Do not require vendored backports-abc. (bsc#1170288)

- Fix errors from unit tests due to NO_MOCK and NO_MOCK_REASON deprecation.

- Fix for low rpm_lowpkg unit test.

- Fix for temp folder definition in loader unit test.

- Fix for unless requisite when pip is not installed.

- Fix integration test failure for test_mod_del_repo_multiline_values.

- Fix regression in service states with reload argument.

- Fix tornado imports and missing _utils after rebasing patches.

- Fix status attribute issue in aptpkg test.

- Improved storage pool or network handling.

- loop: fix variable names for until_no_eval.

- Make 'salt.ext.tornado.gen' use 'salt.ext.backports_abc' on Python 2.

- Make the script not require setuptools greater than 9.1.

- More robust remote port detection.

- Prevent spurious 'salt-api' stuck processes when managing SSH minions because of logging deadlock.

- Python3.8 compatibility changes.

- Removes unresolved merge conflict in yumpkg module.

- Returns the list of IPs filtered by the optional network list.

- Revert broken changes to slspath made on Salt 3000 (saltstack/salt#56341). (bsc#1170104)

- Sanitize grains loaded from roster_grains.json cache during 'state.pkg'.

- Various virt backports from 3000.2.

- zypperpkg: filter patterns that start with dot.

This update was imported from the SUSE:SLE-15-SP1:Update update project.


Update the affected salt packages.

Plugin Details

Severity: Critical

ID: 139012

File Name: openSUSE-2020-1074.nasl

Version: 1.6

Type: local

Agent: unix

Published: 7/28/2020

Updated: 1/24/2022

Supported Sensors: Frictionless Assessment Agent, Frictionless Assessment AWS, Frictionless Assessment Azure, Nessus Agent

Risk Information


Risk Factor: Critical

Score: 9.2


Risk Factor: High

Base Score: 7.5

Temporal Score: 6.5

Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P

Temporal Vector: E:H/RL:OF/RC:C

CVSS Score Source: CVE-2020-11651


Risk Factor: Critical

Base Score: 9.8

Temporal Score: 9.4

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: E:H/RL:O/RC:C

Vulnerability Information

CPE: p-cpe:/a:novell:opensuse:python2-salt, p-cpe:/a:novell:opensuse:python3-salt, p-cpe:/a:novell:opensuse:salt, p-cpe:/a:novell:opensuse:salt-api, p-cpe:/a:novell:opensuse:salt-bash-completion, p-cpe:/a:novell:opensuse:salt-cloud, p-cpe:/a:novell:opensuse:salt-fish-completion, p-cpe:/a:novell:opensuse:salt-master, p-cpe:/a:novell:opensuse:salt-minion, p-cpe:/a:novell:opensuse:salt-proxy, p-cpe:/a:novell:opensuse:salt-ssh, p-cpe:/a:novell:opensuse:salt-standalone-formulas-configuration, p-cpe:/a:novell:opensuse:salt-syndic, p-cpe:/a:novell:opensuse:salt-zsh-completion, cpe:/o:novell:opensuse:15.1

Required KB Items: Host/local_checks_enabled, Host/SuSE/release, Host/SuSE/rpm-list, Host/cpu

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 7/26/2020

Vulnerability Publication Date: 10/24/2018

CISA Known Exploited Dates: 5/3/2022

Exploitable With

Metasploit (SaltStack Salt Master/Minion Unauthenticated RCE)

Reference Information

CVE: CVE-2018-15750, CVE-2018-15751, CVE-2020-11651, CVE-2020-11652