openSUSE Security Update : salt (openSUSE-2020-1074)

critical Nessus Plugin ID 139012


Synopsis

The remote openSUSE host is missing a security update.

Description

This update for salt contains the following fixes :

- Fix for TypeError in Tornado importer (bsc#1174165)

- Require python3-distro only for TW (bsc#1173072)

- Update to Salt version 3000: See release notes:
https://docs.saltstack.com/en/latest/topics/releases/3000.html

- Add docker.logout to docker execution module. (bsc#1165572)

- Add option to enable/disable force refresh for zypper.

- Add publish_batch to ClearFuncs exposed methods.

- Adds test for zypper abbreviation fix.

- Avoid segfault from 'salt-api' under certain conditions of heavy load managing SSH minions. (bsc#1169604)

- Avoid traceback on debug logging for swarm module. (bsc#1172075)

- Batch mode now also correctly provides return value. (bsc#1168340)

- Better import cache handling.

- Do not make file.recurse state to fail when msgpack 0.5.4. (bsc#1167437)

- Do not require vendored backports-abc. (bsc#1170288)

- Fix errors from unit tests due to NO_MOCK and NO_MOCK_REASON deprecation.

- Fix for low rpm_lowpkg unit test.

- Fix for temp folder definition in loader unit test.

- Fix for unless requisite when pip is not installed.

- Fix integration test failure for test_mod_del_repo_multiline_values.

- Fix regression in service states with reload argument.

- Fix tornado imports and missing _utils after rebasing patches.

- Fix status attribute issue in aptpkg test.

- Improved storage pool or network handling.

- loop: fix variable names for until_no_eval.

- Make 'salt.ext.tornado.gen' use 'salt.ext.backports_abc' on Python 2.

- Make setup.py script not to require setuptools greater than 9.1.

- More robust remote port detection.

- Prevent spurious 'salt-api' stuck processes when managing SSH minions because of logging deadlock. (bsc#1159284)

- Python3.8 compatibility changes.

- Removes unresolved merge conflict in yumpkg module.

- Returns the list of IPs filtered by the optional network list.

- Revert broken changes to slspath made on Salt 3000 (saltstack/salt#56341). (bsc#1170104)

- Sanitize grains loaded from roster_grains.json cache during 'state.pkg'.

- Various virt backports from 3000.2.

- zypperpkg: filter patterns that start with dot. (bsc#1171906)

This update was imported from the SUSE:SLE-15-SP1:Update update project.

Solution

Update the affected salt packages.

See Also

https://bugzilla.opensuse.org/show_bug.cgi?id=1159284

https://bugzilla.opensuse.org/show_bug.cgi?id=1165572

https://bugzilla.opensuse.org/show_bug.cgi?id=1167437

https://bugzilla.opensuse.org/show_bug.cgi?id=1168340

https://bugzilla.opensuse.org/show_bug.cgi?id=1169604

https://bugzilla.opensuse.org/show_bug.cgi?id=1170104

https://bugzilla.opensuse.org/show_bug.cgi?id=1170288

https://bugzilla.opensuse.org/show_bug.cgi?id=1171906

https://bugzilla.opensuse.org/show_bug.cgi?id=1172075

https://bugzilla.opensuse.org/show_bug.cgi?id=1173072

https://bugzilla.opensuse.org/show_bug.cgi?id=1174165

https://docs.saltstack.com/en/latest/topics/releases/3000.html

Plugin Details

Severity: Critical

ID: 139012

File Name: openSUSE-2020-1074.nasl

Version: 1.8

Type: local

Agent: unix

Published: 7/28/2020

Updated: 2/28/2024

Supported Sensors: Frictionless Assessment AWS, Frictionless Assessment Azure, Frictionless Assessment Agent, Nessus Agent, Nessus

Risk Information

VPR

Risk Factor: High

Score: 8.4

CVSS v2

Risk Factor: High

Base Score: 7.5

Temporal Score: 6.5

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

CVSS Score Source: CVE-2020-11651

CVSS v3

Risk Factor: Critical

Base Score: 9.8

Temporal Score: 9.4

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:H/RL:O/RC:C

Vulnerability Information

CPE: p-cpe:/a:novell:opensuse:python2-salt, p-cpe:/a:novell:opensuse:python3-salt, p-cpe:/a:novell:opensuse:salt, p-cpe:/a:novell:opensuse:salt-api, p-cpe:/a:novell:opensuse:salt-bash-completion, p-cpe:/a:novell:opensuse:salt-cloud, p-cpe:/a:novell:opensuse:salt-fish-completion, p-cpe:/a:novell:opensuse:salt-master, p-cpe:/a:novell:opensuse:salt-minion, p-cpe:/a:novell:opensuse:salt-proxy, p-cpe:/a:novell:opensuse:salt-ssh, p-cpe:/a:novell:opensuse:salt-standalone-formulas-configuration, p-cpe:/a:novell:opensuse:salt-syndic, p-cpe:/a:novell:opensuse:salt-zsh-completion, cpe:/o:novell:opensuse:15.1

Required KB Items: Host/local_checks_enabled, Host/cpu, Host/SuSE/release, Host/SuSE/rpm-list

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 7/26/2020

Vulnerability Publication Date: 10/24/2018

CISA Known Exploited Vulnerability Due Dates: 5/3/2022

Exploitable With

CANVAS (CANVAS)

Metasploit (SaltStack Salt Master/Minion Unauthenticated RCE)

Reference Information

CVE: CVE-2018-15750, CVE-2018-15751, CVE-2020-11651, CVE-2020-11652