SUSE-FU-2022:2135-1

Source
https://www.suse.com/support/update/announcement/2022/suse-fu-20222135-1/
Import Source
https://ftp.suse.com/pub/projects/security/osv/SUSE-FU-2022:2135-1.json
JSON Data
https://api.osv.dev/v1/vulns/SUSE-FU-2022:2135-1
Related
Published
2022-06-20T11:44:24Z
Modified
2022-06-20T11:44:24Z
Summary
Feature update for SUSE Manager Salt Bundle
Details

This update fixes the following issues:

venv-salt-minion:

  • Make sure SaltCacheLoader use correct fileclient (bsc#1199149)
  • Fix the regression caused by the patch removing strict requirement for OpenSSL 1.1.1 leading to read/write issues with ssl module for SLE 15, SLE 12, CentOS 7, Debian 9 (bsc#1198556)
  • Fix salt-ssh opts poisoning (bsc#1197637)
  • Fix multiple security issues (bsc#1197417)
    • CVE-2022-22935: Sign authentication replies to prevent MiTM.
    • CVE-2022-22934: Sign pillar data to prevent MiTM attacks.
    • CVE-2022-22936: Prevent job and fileserver replays
    • CVE-2022-22941: Fixed targeting bug, especially visible when using syndic and user auth.
  • Salt version bump to 3004
  • Python version bump to 3.10.2
  • Clear network interfaces cache on grains request (bsc#1196050)
  • Add salt-ssh with Salt Bundle support (venv-salt-minion) (bsc#1182851, bsc#1196432)
  • Restrict 'state.orchestrate_single' to pass a pillar value if it exists (bsc#1194632)
References

Affected packages

SUSE:Manager Client Tools 12 / venv-salt-minion

Package

Name
venv-salt-minion
Purl
pkg:rpm/suse/venv-salt-minion&distro=SUSE%20Manager%20Client%20Tools%2012

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
3004-3.8.1

Ecosystem specific

{
    "binaries": [
        {
            "venv-salt-minion": "3004-3.8.1"
        }
    ]
}