SUSE-SU-2021:3550-1 | Mondoo Vulnerability Intelligence

SUSE-SU-2021:3550-1

MEDIUM4.2

Security update for Salt

Published Oct 27, 2021

Modified 4 years ago

Fix available

Details

Description of the patch:

This update fixes the following issues:

salt:

Fix the regression of docker_container state module
Support querying for JSON data in external sql pillar
Exclude the full path of a download URL to prevent injection of malicious code (bsc#1190265) (CVE-2021-21996)
Fix wrong relative paths resolution with Jinja renderer when importing subdirectories

Affected Packages(14 packages)

python2-salt

SUSE Linux Enterprise Module for Advanced Systems Management 12SUSE Manager Client Tools 12

Fixed in:

3000-46.151.2

salt

SUSE Linux Enterprise Module for Advanced Systems Management 12SUSE Manager Client Tools 12

Fixed in:

3000-46.151.2

salt-api

SUSE Linux Enterprise Module for Advanced Systems Management 12

Fixed in:

3000-46.151.2

salt-bash-completion

SUSE Linux Enterprise Module for Advanced Systems Management 12

Fixed in:

3000-46.151.2

salt-cloud

SUSE Linux Enterprise Module for Advanced Systems Management 12

Fixed in:

3000-46.151.2

salt-doc

SUSE Linux Enterprise Module for Advanced Systems Management 12SUSE Manager Client Tools 12

Fixed in:

3000-46.151.2

salt-master

SUSE Linux Enterprise Module for Advanced Systems Management 12

Fixed in:

3000-46.151.2

salt-minion

SUSE Linux Enterprise Module for Advanced Systems Management 12SUSE Manager Client Tools 12

Fixed in:

3000-46.151.2

salt-proxy

SUSE Linux Enterprise Module for Advanced Systems Management 12

Fixed in:

3000-46.151.2

salt-ssh

SUSE Linux Enterprise Module for Advanced Systems Management 12

Fixed in:

3000-46.151.2

References

ADVISORY

https://bugzilla.suse.com/1190265

ADVISORY

https://lists.suse.com/pipermail/sle-security-updates/2021-October/009669.html

ADVISORY

https://www.suse.com/security/cve/CVE-2021-21996/

WEB

https://www.suse.com/support/security/rating/

ADVISORY

https://www.suse.com/support/update/announcement/2021/suse-su-20213550-1/

CVSS Analysis

CVSS v3.1

4.2

Exploitability

Attack Vector

LocalAV:L

Attack Complexity

LowAC:L

Privileges Required

HighPR:H

User Interaction

NoneUI:N

Scope

UnchangedS:U

Impact

Confidentiality

LowC:L

Integrity

LowI:L

Availability

LowA:L

4.2/CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L

Upstream

CVE-2021-21996

Ecosystems

SUSE Linux Enterprise Module for Advanced Systems Management 12 SUSE Manager Client Tools 12

Timeline

PublishedOct 27, 2021

ModifiedOct 27, 2021