SUSE-RU-2017:0169-1

CRITICAL9.1

Recommended update for Salt

Published Jan 17, 2017

Modified 9 years ago

Fix available

Details

Description of the patch:

This update for Salt fixes one security issue and several non-security issues.

The following security issue has been fixed:

Fix possible information leak due to revoked keys still being used. (bsc#1012398, CVE-2016-9639)

The following non-security issues have been fixed:

Update to 2015.8.12
Add pre-require to salt for minions.
Do not restart salt-minion in salt package.
Add try-restart to sys-v init scripts.
Add 'Restart=on-failure' for salt-minion systemd service.
Various fixes for signal handling.
Successfully exit of salt-api child processes when SIGTERM is received.
Re-introduce 'KillMode=process' for salt-minion systemd service.
Fix changing default-timezone. (bsc#1008933)

Affected Packages

salt

SUSE Enterprise Storage 3SUSE Linux Enterprise Point of Sale 12 SP2SUSE Manager Client Tools 12SUSE Manager Proxy 3.0SUSE Manager Server 3.0

Fixed in:

2015.8.12-27.5

salt-master

SUSE Enterprise Storage 3SUSE Manager Proxy 3.0SUSE Manager Server 3.0

Fixed in:

2015.8.12-27.5

salt-minion

SUSE Enterprise Storage 3SUSE Linux Enterprise Point of Sale 12 SP2SUSE Manager Client Tools 12SUSE Manager Proxy 3.0SUSE Manager Server 3.0

Fixed in:

2015.8.12-27.5

salt-doc

SUSE Manager Client Tools 12SUSE Manager Proxy 3.0SUSE Manager Server 3.0

Fixed in:

2015.8.12-27.5

salt-api

SUSE Manager Proxy 3.0SUSE Manager Server 3.0

Fixed in:

2015.8.12-27.5

salt-bash-completion

SUSE Manager Proxy 3.0SUSE Manager Server 3.0

Fixed in:

2015.8.12-27.5

salt-proxy

SUSE Manager Proxy 3.0SUSE Manager Server 3.0

Fixed in:

2015.8.12-27.5

salt-ssh

SUSE Manager Proxy 3.0SUSE Manager Server 3.0

Fixed in:

2015.8.12-27.5

salt-syndic

SUSE Manager Proxy 3.0SUSE Manager Server 3.0

Fixed in:

2015.8.12-27.5

salt-zsh-completion

SUSE Manager Proxy 3.0SUSE Manager Server 3.0

Fixed in:

2015.8.12-27.5

References

https://bugzilla.suse.com/1008933

https://bugzilla.suse.com/1012398

https://bugzilla.suse.com/1016475

https://lists.suse.com/pipermail/sle-updates/2017-January/005783.html

https://www.suse.com/security/cve/CVE-2016-9639/

https://www.suse.com/support/security/rating/

https://www.suse.com/support/update/announcement//suse-ru-20170169-1/

CVSS Analysis

CVSS v3.0

9.1

Exploitability

Attack Vector

NetworkAV:N

Attack Complexity

LowAC:L

Privileges Required

NonePR:N

User Interaction

NoneUI:N

Scope

Scope

UnchangedS:U

Impact

Confidentiality

HighC:H

Integrity

HighI:H

Availability

NoneA:N

9.1/CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Upstream

Ecosystems

SUSE Enterprise Storage 3 SUSE Linux Enterprise Point of Sale 12 SP2 SUSE Manager Client Tools 12 SUSE Manager Proxy 3.0 SUSE Manager Server 3.0

Timeline

PublishedJan 17, 2017

ModifiedJan 17, 2017

SUSE-RU-2017:0169-1 | Mondoo Vulnerability Intelligence