SUSE-SU-2024:4020-1

This update fixes the following issues:

venv-salt-minion:

• Security fixes on Python 3.11 interpreter:

  • CVE-2024-7592: Fixed quadratic complexity in parsing -quoted cookie values with backslashes (bsc#1229873, bsc#1230059)
  • CVE-2024-8088: Prevent malformed payload to cause infinite loops in zipfile.Path (bsc#1229704, bsc#1230058)
  • CVE-2024-6923: Prevent email header injection due to unquoted newlines (bsc#1228780)
  • CVE-2024-4032: Rearranging definition of private global IP addresses (bsc#1226448)
  • CVE-2024-0397: ssl.SSLContext.cert_store_stats() and ssl.SSLContext.get_ca_certs() now correctly lock access to the certificate store, when the ssl.SSLContext is shared across multiple threads (bsc#1226447)

• Security fixes on Python dependencies:

  • CVE-2024-5569: zipp: Fixed a Denial of Service (DoS) vulnerability in the jaraco/zipp library (bsc#1227547, bsc#1229996)
  • CVE-2024-6345: setuptools: Sanitize any VCS URL used for download (bsc#1228105, bsc#1229995)
  • CVE-2024-3651: idna: Fix a potential DoS via resource consumption via specially crafted inputs to idna.encode() (bsc#1222842, bsc#1229994)
  • CVE-2024-37891: urllib3: Added the Proxy-Authorization header to the list of headers to strip from requests when redirecting to a different host (bsc#1226469, bsc#1229654)

• Other bugs fixed:

  • Added passlib Python module to the bundle
  • Allow NamedLoaderContexts to be returned from loader
  • Avoid crash on wrong output of systemctl version (bsc#1229539)
  • Avoid explicit reading of /etc/salt/minion (bsc#1220357)
  • Enable post_start_cleanup.sh to work in a transaction
  • Fixed cloud Minion configuration for multiple Masters (bsc#1229109)
  • Fixed failing x509 tests with OpenSSL < 1.1
  • Fixed the SELinux context for Salt Minion service (bsc#1219041)
  • Fixed zyppnotify plugin after latest zypp/libzypp upgrades (bsc#1231697, bsc#1231045)
  • Improved error handling with different OpenSSL versions
  • Increase...