python3-salt-3002.2-6.1 on GA media SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2024:11364 Final 1 1 2024-06-17T21:45:33Z current 2024-06-17T21:45:33Z 2024-06-17T21:45:33Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z python3-salt-3002.2-6.1 on GA media These are all security issues fixed in the python3-salt-3002.2-6.1 package on the GA media of openSUSE Tumbleweed. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-Tumbleweed-2024-11364 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) E-Mail link for openSUSE-SU-2024:11364 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://www.suse.com/security/cve/CVE-2016-9639/ SUSE CVE CVE-2016-9639 page https://www.suse.com/security/cve/CVE-2017-12791/ SUSE CVE CVE-2017-12791 page https://www.suse.com/security/cve/CVE-2017-14695/ SUSE CVE CVE-2017-14695 page https://www.suse.com/security/cve/CVE-2017-14696/ SUSE CVE CVE-2017-14696 page https://www.suse.com/security/cve/CVE-2018-15750/ SUSE CVE CVE-2018-15750 page https://www.suse.com/security/cve/CVE-2018-15751/ SUSE CVE CVE-2018-15751 page https://www.suse.com/security/cve/CVE-2019-17361/ SUSE CVE CVE-2019-17361 page https://www.suse.com/security/cve/CVE-2019-18897/ SUSE CVE CVE-2019-18897 page https://www.suse.com/security/cve/CVE-2020-11651/ SUSE CVE CVE-2020-11651 page https://www.suse.com/security/cve/CVE-2020-25592/ SUSE CVE CVE-2020-25592 page https://www.suse.com/security/cve/CVE-2020-28243/ SUSE CVE CVE-2020-28243 page https://www.suse.com/security/cve/CVE-2021-21996/ SUSE CVE CVE-2021-21996 page https://www.suse.com/security/cve/CVE-2021-25281/ SUSE CVE CVE-2021-25281 page https://www.suse.com/security/cve/CVE-2021-25315/ SUSE CVE CVE-2021-25315 page https://www.suse.com/security/cve/CVE-2021-31607/ SUSE CVE CVE-2021-31607 page openSUSE Tumbleweed python3-salt-3002.2-6.1 salt-3002.2-6.1 salt-api-3002.2-6.1 salt-bash-completion-3002.2-6.1 salt-cloud-3002.2-6.1 salt-doc-3002.2-6.1 salt-fish-completion-3002.2-6.1 salt-master-3002.2-6.1 salt-minion-3002.2-6.1 salt-proxy-3002.2-6.1 salt-ssh-3002.2-6.1 salt-standalone-formulas-configuration-3002.2-6.1 salt-syndic-3002.2-6.1 salt-transactional-update-3002.2-6.1 salt-zsh-completion-3002.2-6.1 python3-salt-3002.2-6.1 as a component of openSUSE Tumbleweed salt-3002.2-6.1 as a component of openSUSE Tumbleweed salt-api-3002.2-6.1 as a component of openSUSE Tumbleweed salt-bash-completion-3002.2-6.1 as a component of openSUSE Tumbleweed salt-cloud-3002.2-6.1 as a component of openSUSE Tumbleweed salt-doc-3002.2-6.1 as a component of openSUSE Tumbleweed salt-fish-completion-3002.2-6.1 as a component of openSUSE Tumbleweed salt-master-3002.2-6.1 as a component of openSUSE Tumbleweed salt-minion-3002.2-6.1 as a component of openSUSE Tumbleweed salt-proxy-3002.2-6.1 as a component of openSUSE Tumbleweed salt-ssh-3002.2-6.1 as a component of openSUSE Tumbleweed salt-standalone-formulas-configuration-3002.2-6.1 as a component of openSUSE Tumbleweed salt-syndic-3002.2-6.1 as a component of openSUSE Tumbleweed salt-transactional-update-3002.2-6.1 as a component of openSUSE Tumbleweed salt-zsh-completion-3002.2-6.1 as a component of openSUSE Tumbleweed Salt before 2015.8.11 allows deleted minions to read or write to minions with the same id, related to caching. CVE-2016-9639 openSUSE Tumbleweed:python3-salt-3002.2-6.1 openSUSE Tumbleweed:salt-3002.2-6.1 openSUSE Tumbleweed:salt-api-3002.2-6.1 openSUSE Tumbleweed:salt-bash-completion-3002.2-6.1 openSUSE Tumbleweed:salt-cloud-3002.2-6.1 openSUSE Tumbleweed:salt-doc-3002.2-6.1 openSUSE Tumbleweed:salt-fish-completion-3002.2-6.1 openSUSE Tumbleweed:salt-master-3002.2-6.1 openSUSE Tumbleweed:salt-minion-3002.2-6.1 openSUSE Tumbleweed:salt-proxy-3002.2-6.1 openSUSE Tumbleweed:salt-ssh-3002.2-6.1 openSUSE Tumbleweed:salt-standalone-formulas-configuration-3002.2-6.1 openSUSE Tumbleweed:salt-syndic-3002.2-6.1 openSUSE Tumbleweed:salt-transactional-update-3002.2-6.1 openSUSE Tumbleweed:salt-zsh-completion-3002.2-6.1 moderate 4.3 AV:N/AC:M/Au:N/C:P/I:N/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2016-9639.html CVE-2016-9639 https://bugzilla.suse.com/1012398 SUSE Bug 1012398 Directory traversal vulnerability in minion id validation in SaltStack Salt before 2016.11.7 and 2017.7.x before 2017.7.1 allows remote minions with incorrect credentials to authenticate to a master via a crafted minion ID. CVE-2017-12791 openSUSE Tumbleweed:python3-salt-3002.2-6.1 openSUSE Tumbleweed:salt-3002.2-6.1 openSUSE Tumbleweed:salt-api-3002.2-6.1 openSUSE Tumbleweed:salt-bash-completion-3002.2-6.1 openSUSE Tumbleweed:salt-cloud-3002.2-6.1 openSUSE Tumbleweed:salt-doc-3002.2-6.1 openSUSE Tumbleweed:salt-fish-completion-3002.2-6.1 openSUSE Tumbleweed:salt-master-3002.2-6.1 openSUSE Tumbleweed:salt-minion-3002.2-6.1 openSUSE Tumbleweed:salt-proxy-3002.2-6.1 openSUSE Tumbleweed:salt-ssh-3002.2-6.1 openSUSE Tumbleweed:salt-standalone-formulas-configuration-3002.2-6.1 openSUSE Tumbleweed:salt-syndic-3002.2-6.1 openSUSE Tumbleweed:salt-transactional-update-3002.2-6.1 openSUSE Tumbleweed:salt-zsh-completion-3002.2-6.1 moderate 4 AV:N/AC:L/Au:S/C:P/I:N/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2017-12791.html CVE-2017-12791 https://bugzilla.suse.com/1053955 SUSE Bug 1053955 https://bugzilla.suse.com/1062462 SUSE Bug 1062462 Directory traversal vulnerability in minion id validation in SaltStack Salt before 2016.3.8, 2016.11.x before 2016.11.8, and 2017.7.x before 2017.7.2 allows remote minions with incorrect credentials to authenticate to a master via a crafted minion ID. NOTE: this vulnerability exists because of an incomplete fix for CVE-2017-12791. CVE-2017-14695 openSUSE Tumbleweed:python3-salt-3002.2-6.1 openSUSE Tumbleweed:salt-3002.2-6.1 openSUSE Tumbleweed:salt-api-3002.2-6.1 openSUSE Tumbleweed:salt-bash-completion-3002.2-6.1 openSUSE Tumbleweed:salt-cloud-3002.2-6.1 openSUSE Tumbleweed:salt-doc-3002.2-6.1 openSUSE Tumbleweed:salt-fish-completion-3002.2-6.1 openSUSE Tumbleweed:salt-master-3002.2-6.1 openSUSE Tumbleweed:salt-minion-3002.2-6.1 openSUSE Tumbleweed:salt-proxy-3002.2-6.1 openSUSE Tumbleweed:salt-ssh-3002.2-6.1 openSUSE Tumbleweed:salt-standalone-formulas-configuration-3002.2-6.1 openSUSE Tumbleweed:salt-syndic-3002.2-6.1 openSUSE Tumbleweed:salt-transactional-update-3002.2-6.1 openSUSE Tumbleweed:salt-zsh-completion-3002.2-6.1 moderate 5 AV:N/AC:L/Au:N/C:P/I:N/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2017-14695.html CVE-2017-14695 https://bugzilla.suse.com/1053955 SUSE Bug 1053955 https://bugzilla.suse.com/1062462 SUSE Bug 1062462 SaltStack Salt before 2016.3.8, 2016.11.x before 2016.11.8, and 2017.7.x before 2017.7.2 allows remote attackers to cause a denial of service via a crafted authentication request. CVE-2017-14696 openSUSE Tumbleweed:python3-salt-3002.2-6.1 openSUSE Tumbleweed:salt-3002.2-6.1 openSUSE Tumbleweed:salt-api-3002.2-6.1 openSUSE Tumbleweed:salt-bash-completion-3002.2-6.1 openSUSE Tumbleweed:salt-cloud-3002.2-6.1 openSUSE Tumbleweed:salt-doc-3002.2-6.1 openSUSE Tumbleweed:salt-fish-completion-3002.2-6.1 openSUSE Tumbleweed:salt-master-3002.2-6.1 openSUSE Tumbleweed:salt-minion-3002.2-6.1 openSUSE Tumbleweed:salt-proxy-3002.2-6.1 openSUSE Tumbleweed:salt-ssh-3002.2-6.1 openSUSE Tumbleweed:salt-standalone-formulas-configuration-3002.2-6.1 openSUSE Tumbleweed:salt-syndic-3002.2-6.1 openSUSE Tumbleweed:salt-transactional-update-3002.2-6.1 openSUSE Tumbleweed:salt-zsh-completion-3002.2-6.1 moderate 5 AV:N/AC:L/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2017-14696.html CVE-2017-14696 https://bugzilla.suse.com/1053955 SUSE Bug 1053955 https://bugzilla.suse.com/1062464 SUSE Bug 1062464 Directory Traversal vulnerability in salt-api in SaltStack Salt before 2017.7.8 and 2018.3.x before 2018.3.3 allows remote attackers to determine which files exist on the server. CVE-2018-15750 openSUSE Tumbleweed:python3-salt-3002.2-6.1 openSUSE Tumbleweed:salt-3002.2-6.1 openSUSE Tumbleweed:salt-api-3002.2-6.1 openSUSE Tumbleweed:salt-bash-completion-3002.2-6.1 openSUSE Tumbleweed:salt-cloud-3002.2-6.1 openSUSE Tumbleweed:salt-doc-3002.2-6.1 openSUSE Tumbleweed:salt-fish-completion-3002.2-6.1 openSUSE Tumbleweed:salt-master-3002.2-6.1 openSUSE Tumbleweed:salt-minion-3002.2-6.1 openSUSE Tumbleweed:salt-proxy-3002.2-6.1 openSUSE Tumbleweed:salt-ssh-3002.2-6.1 openSUSE Tumbleweed:salt-standalone-formulas-configuration-3002.2-6.1 openSUSE Tumbleweed:salt-syndic-3002.2-6.1 openSUSE Tumbleweed:salt-transactional-update-3002.2-6.1 openSUSE Tumbleweed:salt-zsh-completion-3002.2-6.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2018-15750.html CVE-2018-15750 https://bugzilla.suse.com/1113698 SUSE Bug 1113698 SaltStack Salt before 2017.7.8 and 2018.3.x before 2018.3.3 allow remote attackers to bypass authentication and execute arbitrary commands via salt-api(netapi). CVE-2018-15751 openSUSE Tumbleweed:python3-salt-3002.2-6.1 openSUSE Tumbleweed:salt-3002.2-6.1 openSUSE Tumbleweed:salt-api-3002.2-6.1 openSUSE Tumbleweed:salt-bash-completion-3002.2-6.1 openSUSE Tumbleweed:salt-cloud-3002.2-6.1 openSUSE Tumbleweed:salt-doc-3002.2-6.1 openSUSE Tumbleweed:salt-fish-completion-3002.2-6.1 openSUSE Tumbleweed:salt-master-3002.2-6.1 openSUSE Tumbleweed:salt-minion-3002.2-6.1 openSUSE Tumbleweed:salt-proxy-3002.2-6.1 openSUSE Tumbleweed:salt-ssh-3002.2-6.1 openSUSE Tumbleweed:salt-standalone-formulas-configuration-3002.2-6.1 openSUSE Tumbleweed:salt-syndic-3002.2-6.1 openSUSE Tumbleweed:salt-transactional-update-3002.2-6.1 openSUSE Tumbleweed:salt-zsh-completion-3002.2-6.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2018-15751.html CVE-2018-15751 https://bugzilla.suse.com/1113698 SUSE Bug 1113698 https://bugzilla.suse.com/1113699 SUSE Bug 1113699 In SaltStack Salt through 2019.2.0, the salt-api NET API with the ssh client enabled is vulnerable to command injection. This allows an unauthenticated attacker with network access to the API endpoint to execute arbitrary code on the salt-api host. CVE-2019-17361 openSUSE Tumbleweed:python3-salt-3002.2-6.1 openSUSE Tumbleweed:salt-3002.2-6.1 openSUSE Tumbleweed:salt-api-3002.2-6.1 openSUSE Tumbleweed:salt-bash-completion-3002.2-6.1 openSUSE Tumbleweed:salt-cloud-3002.2-6.1 openSUSE Tumbleweed:salt-doc-3002.2-6.1 openSUSE Tumbleweed:salt-fish-completion-3002.2-6.1 openSUSE Tumbleweed:salt-master-3002.2-6.1 openSUSE Tumbleweed:salt-minion-3002.2-6.1 openSUSE Tumbleweed:salt-proxy-3002.2-6.1 openSUSE Tumbleweed:salt-ssh-3002.2-6.1 openSUSE Tumbleweed:salt-standalone-formulas-configuration-3002.2-6.1 openSUSE Tumbleweed:salt-syndic-3002.2-6.1 openSUSE Tumbleweed:salt-transactional-update-3002.2-6.1 openSUSE Tumbleweed:salt-zsh-completion-3002.2-6.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2019-17361.html CVE-2019-17361 https://bugzilla.suse.com/1162504 SUSE Bug 1162504 A UNIX Symbolic Link (Symlink) Following vulnerability in the packaging of salt of SUSE Linux Enterprise Server 12, SUSE Linux Enterprise Server 15; openSUSE Factory allows local attackers to escalate privileges from user salt to root. This issue affects: SUSE Linux Enterprise Server 12 salt-master version 2019.2.0-46.83.1 and prior versions. SUSE Linux Enterprise Server 15 salt-master version 2019.2.0-6.21.1 and prior versions. openSUSE Factory salt-master version 2019.2.2-3.1 and prior versions. CVE-2019-18897 openSUSE Tumbleweed:python3-salt-3002.2-6.1 openSUSE Tumbleweed:salt-3002.2-6.1 openSUSE Tumbleweed:salt-api-3002.2-6.1 openSUSE Tumbleweed:salt-bash-completion-3002.2-6.1 openSUSE Tumbleweed:salt-cloud-3002.2-6.1 openSUSE Tumbleweed:salt-doc-3002.2-6.1 openSUSE Tumbleweed:salt-fish-completion-3002.2-6.1 openSUSE Tumbleweed:salt-master-3002.2-6.1 openSUSE Tumbleweed:salt-minion-3002.2-6.1 openSUSE Tumbleweed:salt-proxy-3002.2-6.1 openSUSE Tumbleweed:salt-ssh-3002.2-6.1 openSUSE Tumbleweed:salt-standalone-formulas-configuration-3002.2-6.1 openSUSE Tumbleweed:salt-syndic-3002.2-6.1 openSUSE Tumbleweed:salt-transactional-update-3002.2-6.1 openSUSE Tumbleweed:salt-zsh-completion-3002.2-6.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2019-18897.html CVE-2019-18897 https://bugzilla.suse.com/1157465 SUSE Bug 1157465 An issue was discovered in SaltStack Salt before 2019.2.4 and 3000 before 3000.2. The salt-master process ClearFuncs class does not properly validate method calls. This allows a remote user to access some methods without authentication. These methods can be used to retrieve user tokens from the salt master and/or run arbitrary commands on salt minions. CVE-2020-11651 openSUSE Tumbleweed:python3-salt-3002.2-6.1 openSUSE Tumbleweed:salt-3002.2-6.1 openSUSE Tumbleweed:salt-api-3002.2-6.1 openSUSE Tumbleweed:salt-bash-completion-3002.2-6.1 openSUSE Tumbleweed:salt-cloud-3002.2-6.1 openSUSE Tumbleweed:salt-doc-3002.2-6.1 openSUSE Tumbleweed:salt-fish-completion-3002.2-6.1 openSUSE Tumbleweed:salt-master-3002.2-6.1 openSUSE Tumbleweed:salt-minion-3002.2-6.1 openSUSE Tumbleweed:salt-proxy-3002.2-6.1 openSUSE Tumbleweed:salt-ssh-3002.2-6.1 openSUSE Tumbleweed:salt-standalone-formulas-configuration-3002.2-6.1 openSUSE Tumbleweed:salt-syndic-3002.2-6.1 openSUSE Tumbleweed:salt-transactional-update-3002.2-6.1 openSUSE Tumbleweed:salt-zsh-completion-3002.2-6.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2020-11651.html CVE-2020-11651 https://bugzilla.suse.com/1170595 SUSE Bug 1170595 In SaltStack Salt through 3002, salt-netapi improperly validates eauth credentials and tokens. A user can bypass authentication and invoke Salt SSH. CVE-2020-25592 openSUSE Tumbleweed:python3-salt-3002.2-6.1 openSUSE Tumbleweed:salt-3002.2-6.1 openSUSE Tumbleweed:salt-api-3002.2-6.1 openSUSE Tumbleweed:salt-bash-completion-3002.2-6.1 openSUSE Tumbleweed:salt-cloud-3002.2-6.1 openSUSE Tumbleweed:salt-doc-3002.2-6.1 openSUSE Tumbleweed:salt-fish-completion-3002.2-6.1 openSUSE Tumbleweed:salt-master-3002.2-6.1 openSUSE Tumbleweed:salt-minion-3002.2-6.1 openSUSE Tumbleweed:salt-proxy-3002.2-6.1 openSUSE Tumbleweed:salt-ssh-3002.2-6.1 openSUSE Tumbleweed:salt-standalone-formulas-configuration-3002.2-6.1 openSUSE Tumbleweed:salt-syndic-3002.2-6.1 openSUSE Tumbleweed:salt-transactional-update-3002.2-6.1 openSUSE Tumbleweed:salt-zsh-completion-3002.2-6.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2020-25592.html CVE-2020-25592 https://bugzilla.suse.com/1178319 SUSE Bug 1178319 An issue was discovered in SaltStack Salt before 3002.5. The minion's restartcheck is vulnerable to command injection via a crafted process name. This allows for a local privilege escalation by any user able to create a files on the minion in a non-blacklisted directory. CVE-2020-28243 openSUSE Tumbleweed:python3-salt-3002.2-6.1 openSUSE Tumbleweed:salt-3002.2-6.1 openSUSE Tumbleweed:salt-api-3002.2-6.1 openSUSE Tumbleweed:salt-bash-completion-3002.2-6.1 openSUSE Tumbleweed:salt-cloud-3002.2-6.1 openSUSE Tumbleweed:salt-doc-3002.2-6.1 openSUSE Tumbleweed:salt-fish-completion-3002.2-6.1 openSUSE Tumbleweed:salt-master-3002.2-6.1 openSUSE Tumbleweed:salt-minion-3002.2-6.1 openSUSE Tumbleweed:salt-proxy-3002.2-6.1 openSUSE Tumbleweed:salt-ssh-3002.2-6.1 openSUSE Tumbleweed:salt-standalone-formulas-configuration-3002.2-6.1 openSUSE Tumbleweed:salt-syndic-3002.2-6.1 openSUSE Tumbleweed:salt-transactional-update-3002.2-6.1 openSUSE Tumbleweed:salt-zsh-completion-3002.2-6.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2020-28243.html CVE-2020-28243 https://bugzilla.suse.com/1181550 SUSE Bug 1181550 https://bugzilla.suse.com/1181556 SUSE Bug 1181556 An issue was discovered in SaltStack Salt before 3003.3. A user who has control of the source, and source_hash URLs can gain full file system access as root on a salt minion. CVE-2021-21996 openSUSE Tumbleweed:python3-salt-3002.2-6.1 openSUSE Tumbleweed:salt-3002.2-6.1 openSUSE Tumbleweed:salt-api-3002.2-6.1 openSUSE Tumbleweed:salt-bash-completion-3002.2-6.1 openSUSE Tumbleweed:salt-cloud-3002.2-6.1 openSUSE Tumbleweed:salt-doc-3002.2-6.1 openSUSE Tumbleweed:salt-fish-completion-3002.2-6.1 openSUSE Tumbleweed:salt-master-3002.2-6.1 openSUSE Tumbleweed:salt-minion-3002.2-6.1 openSUSE Tumbleweed:salt-proxy-3002.2-6.1 openSUSE Tumbleweed:salt-ssh-3002.2-6.1 openSUSE Tumbleweed:salt-standalone-formulas-configuration-3002.2-6.1 openSUSE Tumbleweed:salt-syndic-3002.2-6.1 openSUSE Tumbleweed:salt-transactional-update-3002.2-6.1 openSUSE Tumbleweed:salt-zsh-completion-3002.2-6.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2021-21996.html CVE-2021-21996 https://bugzilla.suse.com/1190265 SUSE Bug 1190265 https://bugzilla.suse.com/1210934 SUSE Bug 1210934 An issue was discovered in through SaltStack Salt before 3002.5. salt-api does not honor eauth credentials for the wheel_async client. Thus, an attacker can remotely run any wheel modules on the master. CVE-2021-25281 openSUSE Tumbleweed:python3-salt-3002.2-6.1 openSUSE Tumbleweed:salt-3002.2-6.1 openSUSE Tumbleweed:salt-api-3002.2-6.1 openSUSE Tumbleweed:salt-bash-completion-3002.2-6.1 openSUSE Tumbleweed:salt-cloud-3002.2-6.1 openSUSE Tumbleweed:salt-doc-3002.2-6.1 openSUSE Tumbleweed:salt-fish-completion-3002.2-6.1 openSUSE Tumbleweed:salt-master-3002.2-6.1 openSUSE Tumbleweed:salt-minion-3002.2-6.1 openSUSE Tumbleweed:salt-proxy-3002.2-6.1 openSUSE Tumbleweed:salt-ssh-3002.2-6.1 openSUSE Tumbleweed:salt-standalone-formulas-configuration-3002.2-6.1 openSUSE Tumbleweed:salt-syndic-3002.2-6.1 openSUSE Tumbleweed:salt-transactional-update-3002.2-6.1 openSUSE Tumbleweed:salt-zsh-completion-3002.2-6.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2021-25281.html CVE-2021-25281 https://bugzilla.suse.com/1181550 SUSE Bug 1181550 https://bugzilla.suse.com/1181559 SUSE Bug 1181559 CWE - CWE-287: Improper Authentication vulnerability in SUSE Linux Enterprise Server 15 SP 3; openSUSE Tumbleweed allows local attackers to execute arbitrary code via salt without the need to specify valid credentials. This issue affects: SUSE Linux Enterprise Server 15 SP 3 salt versions prior to 3002.2-3. openSUSE Tumbleweed salt version 3002.2-2.1 and prior versions. This issue affects: SUSE Linux Enterprise Server 15 SP 3 salt versions prior to 3002.2-3. openSUSE Tumbleweed salt version 3002.2-2.1 and prior versions. CVE-2021-25315 openSUSE Tumbleweed:python3-salt-3002.2-6.1 openSUSE Tumbleweed:salt-3002.2-6.1 openSUSE Tumbleweed:salt-api-3002.2-6.1 openSUSE Tumbleweed:salt-bash-completion-3002.2-6.1 openSUSE Tumbleweed:salt-cloud-3002.2-6.1 openSUSE Tumbleweed:salt-doc-3002.2-6.1 openSUSE Tumbleweed:salt-fish-completion-3002.2-6.1 openSUSE Tumbleweed:salt-master-3002.2-6.1 openSUSE Tumbleweed:salt-minion-3002.2-6.1 openSUSE Tumbleweed:salt-proxy-3002.2-6.1 openSUSE Tumbleweed:salt-ssh-3002.2-6.1 openSUSE Tumbleweed:salt-standalone-formulas-configuration-3002.2-6.1 openSUSE Tumbleweed:salt-syndic-3002.2-6.1 openSUSE Tumbleweed:salt-transactional-update-3002.2-6.1 openSUSE Tumbleweed:salt-zsh-completion-3002.2-6.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2021-25315.html CVE-2021-25315 https://bugzilla.suse.com/1182382 SUSE Bug 1182382 In SaltStack Salt 2016.9 through 3002.6, a command injection vulnerability exists in the snapper module that allows for local privilege escalation on a minion. The attack requires that a file is created with a pathname that is backed up by snapper, and that the master calls the snapper.diff function (which executes popen unsafely). CVE-2021-31607 openSUSE Tumbleweed:python3-salt-3002.2-6.1 openSUSE Tumbleweed:salt-3002.2-6.1 openSUSE Tumbleweed:salt-api-3002.2-6.1 openSUSE Tumbleweed:salt-bash-completion-3002.2-6.1 openSUSE Tumbleweed:salt-cloud-3002.2-6.1 openSUSE Tumbleweed:salt-doc-3002.2-6.1 openSUSE Tumbleweed:salt-fish-completion-3002.2-6.1 openSUSE Tumbleweed:salt-master-3002.2-6.1 openSUSE Tumbleweed:salt-minion-3002.2-6.1 openSUSE Tumbleweed:salt-proxy-3002.2-6.1 openSUSE Tumbleweed:salt-ssh-3002.2-6.1 openSUSE Tumbleweed:salt-standalone-formulas-configuration-3002.2-6.1 openSUSE Tumbleweed:salt-syndic-3002.2-6.1 openSUSE Tumbleweed:salt-transactional-update-3002.2-6.1 openSUSE Tumbleweed:salt-zsh-completion-3002.2-6.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2021-31607.html CVE-2021-31607 https://bugzilla.suse.com/1185281 SUSE Bug 1185281 https://bugzilla.suse.com/1210934 SUSE Bug 1210934