SUSE-SU-2024:4020-1

Source
https://www.suse.com/support/update/announcement/2024/suse-su-20244020-1/
Import Source
https://ftp.suse.com/pub/projects/security/osv/SUSE-SU-2024:4020-1.json
JSON Data
https://api.osv.dev/v1/vulns/SUSE-SU-2024:4020-1
Related
Published
2024-11-18T13:25:06Z
Modified
2024-11-18T13:25:06Z
Summary
Security update for SUSE Manager Salt Bundle
Details

This update fixes the following issues:

venv-salt-minion:

  • Security fixes on Python 3.11 interpreter:

    • CVE-2024-7592: Fixed quadratic complexity in parsing "-quoted cookie values with backslashes (bsc#1229873, bsc#1230059)
    • CVE-2024-8088: Prevent malformed payload to cause infinite loops in zipfile.Path (bsc#1229704, bsc#1230058)
    • CVE-2024-6923: Prevent email header injection due to unquoted newlines (bsc#1228780)
    • CVE-2024-4032: Rearranging definition of private global IP addresses (bsc#1226448)
    • CVE-2024-0397: ssl.SSLContext.cert_store_stats() and ssl.SSLContext.get_ca_certs() now correctly lock access to the certificate store when the ssl.SSLContext is shared across multiple threads (bsc#1226447)
  • Security fixes on Python dependencies:

    • CVE-2024-5569: zipp: Fixed a Denial of Service (DoS) vulnerability in the jaraco/zipp library (bsc#1227547, bsc#1229996)
    • CVE-2024-6345: setuptools: Sanitize any VCS URL used for download (bsc#1228105, bsc#1229995)
    • CVE-2024-3651: idna: Fix a potential DoS via resource consumption via specially crafted inputs to idna.encode() (bsc#1222842, bsc#1229994)
    • CVE-2024-37891: urllib3: Added the Proxy-Authorization header to the list of headers to strip from requests when redirecting to a different host (bsc#1226469, bsc#1229654)
  • Other bugs fixed:

    • Added passlib Python module to the bundle
    • Allow NamedLoaderContexts to be returned from loader
    • Avoid crash on wrong output of systemctl version (bsc#1229539)
    • Avoid explicit reading of /etc/salt/minion (bsc#1220357)
    • Enable post_start_cleanup.sh to work in a transaction
    • Fixed cloud Minion configuration for multiple Masters (bsc#1229109)
    • Fixed failing x509 tests with OpenSSL < 1.1
    • Fixed the SELinux context for Salt Minion service (bsc#1219041)
    • Fixed zyppnotify plugin after latest zypp/libzypp upgrades (bsc#1231697, bsc#1231045)
    • Improved error handling with different OpenSSL versions
    • Increase warn_until_date for code we still support
    • Prevent using SyncWrapper with no reason
    • Reverted the change making reactor less blocking (bsc#1230322)
    • Use --cachedir for extension_modules in salt-call (bsc#1226141)
    • Use Pygit2 id instead of deprecated oid in gitfs
References

Affected packages

SUSE:Manager Client Tools 12 / venv-salt-minion

Package

Name
venv-salt-minion
Purl
pkg:rpm/suse/venv-salt-minion&distro=SUSE%20Manager%20Client%20Tools%2012

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
3006.0-3.65.1

Ecosystem specific

{
    "binaries": [
        {
            "venv-salt-minion": "3006.0-3.65.1"
        }
    ]
}