Security update for SUSE Manager Salt Bundle SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2024:1525-1 Final 1 1 2024-05-06T09:50:25Z current 2024-05-06T09:50:25Z 2024-05-06T09:50:25Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for SUSE Manager Salt Bundle This update fixes the following issues: venv-salt-minion: - CVE-2024-22231: Prevent directory traversal when creating syndic cache directory on the master (bsc#1219430) - CVE-2024-22232: Prevent directory traversal attacks in the master's serve_file method (bsc#1219431) - Convert oscap output to UTF-8 - Make Salt compatible with Python 3.11 - Ignore non-ascii chars in oscap output (bsc#1219001) - Fix detected issues in Salt tests when running on VMs - Make importing seco.range thread safe (bsc#1211649) - Fix problematic tests and allow smooth tests executions on containers - Discover Ansible playbook files as '*.yml' or '*.yaml' files (bsc#1211888) - Prevent exceptions with fileserver.update when called via state (bsc#1218482) - Improve pip target override condition with VENV_PIP_TARGET environment variable (bsc#1216850) - Fixed KeyError in logs when running a state that fails The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). SUSE-2024-1525,SUSE-EL-9-CLIENT-TOOLS-2024-1525 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2024/suse-su-20241525-1/ Link for SUSE-SU-2024:1525-1 https://lists.suse.com/pipermail/sle-updates/2024-May/035156.html E-Mail link for SUSE-SU-2024:1525-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1211649 SUSE Bug 1211649 https://bugzilla.suse.com/1211888 SUSE Bug 1211888 https://bugzilla.suse.com/1216850 SUSE Bug 1216850 https://bugzilla.suse.com/1218482 SUSE Bug 1218482 https://bugzilla.suse.com/1219001 SUSE Bug 1219001 https://bugzilla.suse.com/1219430 SUSE Bug 1219430 https://bugzilla.suse.com/1219431 SUSE Bug 1219431 https://www.suse.com/security/cve/CVE-2024-22231/ SUSE CVE CVE-2024-22231 page https://www.suse.com/security/cve/CVE-2024-22232/ SUSE CVE CVE-2024-22232 page SUSE Manager Client Tools for RHEL, Liberty and Clones 9-CLIENT-TOOLS SUSE:EL-9:Update:Products:SaltBundle:Update saltbundlepy-3.10.14-1.20.1 saltbundlepy-base-3.10.14-1.20.1 saltbundlepy-curses-3.10.14-1.20.1 saltbundlepy-dbm-3.10.14-1.20.1 saltbundlepy-devel-3.10.14-1.20.1 saltbundlepy-libs-3.10.14-1.20.1 saltbundlepy-lxml-4.9.3-1.15.2 saltbundlepy-lxml-devel-4.9.3-1.15.2 saltbundlepy-lxml-doc-4.9.3-1.15.2 saltbundlepy-testsuite-3.10.14-1.20.1 saltbundlepy-tk-3.10.14-1.20.1 saltbundlepy-tools-3.10.14-1.20.1 venv-salt-minion-3006.0-1.36.3 venv-salt-minion-3006.0-1.36.3 as a component of SUSE Manager Client Tools for RHEL, Liberty and Clones 9-CLIENT-TOOLS saltbundlepy-3.10.14-1.20.1 as a component of SUSE:EL-9:Update:Products:SaltBundle:Update saltbundlepy-base-3.10.14-1.20.1 as a component of SUSE:EL-9:Update:Products:SaltBundle:Update saltbundlepy-curses-3.10.14-1.20.1 as a component of SUSE:EL-9:Update:Products:SaltBundle:Update saltbundlepy-dbm-3.10.14-1.20.1 as a component of SUSE:EL-9:Update:Products:SaltBundle:Update saltbundlepy-devel-3.10.14-1.20.1 as a component of SUSE:EL-9:Update:Products:SaltBundle:Update saltbundlepy-libs-3.10.14-1.20.1 as a component of SUSE:EL-9:Update:Products:SaltBundle:Update saltbundlepy-lxml-4.9.3-1.15.2 as a component of SUSE:EL-9:Update:Products:SaltBundle:Update saltbundlepy-lxml-devel-4.9.3-1.15.2 as a component of SUSE:EL-9:Update:Products:SaltBundle:Update saltbundlepy-lxml-doc-4.9.3-1.15.2 as a component of SUSE:EL-9:Update:Products:SaltBundle:Update saltbundlepy-testsuite-3.10.14-1.20.1 as a component of SUSE:EL-9:Update:Products:SaltBundle:Update saltbundlepy-tk-3.10.14-1.20.1 as a component of SUSE:EL-9:Update:Products:SaltBundle:Update saltbundlepy-tools-3.10.14-1.20.1 as a component of SUSE:EL-9:Update:Products:SaltBundle:Update venv-salt-minion-3006.0-1.36.3 as a component of SUSE:EL-9:Update:Products:SaltBundle:Update Syndic cache directory creation is vulnerable to a directory traversal attack in salt project which can lead a malicious attacker to create an arbitrary directory on a Salt master. CVE-2024-22231 SUSE Manager Client Tools for RHEL, Liberty and Clones 9-CLIENT-TOOLS:venv-salt-minion-3006.0-1.36.3 SUSE:EL-9:Update:Products:SaltBundle:Update:saltbundlepy-3.10.14-1.20.1 SUSE:EL-9:Update:Products:SaltBundle:Update:saltbundlepy-base-3.10.14-1.20.1 SUSE:EL-9:Update:Products:SaltBundle:Update:saltbundlepy-curses-3.10.14-1.20.1 SUSE:EL-9:Update:Products:SaltBundle:Update:saltbundlepy-dbm-3.10.14-1.20.1 SUSE:EL-9:Update:Products:SaltBundle:Update:saltbundlepy-devel-3.10.14-1.20.1 SUSE:EL-9:Update:Products:SaltBundle:Update:saltbundlepy-libs-3.10.14-1.20.1 SUSE:EL-9:Update:Products:SaltBundle:Update:saltbundlepy-lxml-4.9.3-1.15.2 SUSE:EL-9:Update:Products:SaltBundle:Update:saltbundlepy-lxml-devel-4.9.3-1.15.2 SUSE:EL-9:Update:Products:SaltBundle:Update:saltbundlepy-lxml-doc-4.9.3-1.15.2 SUSE:EL-9:Update:Products:SaltBundle:Update:saltbundlepy-testsuite-3.10.14-1.20.1 SUSE:EL-9:Update:Products:SaltBundle:Update:saltbundlepy-tk-3.10.14-1.20.1 SUSE:EL-9:Update:Products:SaltBundle:Update:saltbundlepy-tools-3.10.14-1.20.1 SUSE:EL-9:Update:Products:SaltBundle:Update:venv-salt-minion-3006.0-1.36.3 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2024/suse-su-20241525-1/ https://www.suse.com/security/cve/CVE-2024-22231.html CVE-2024-22231 https://bugzilla.suse.com/1219430 SUSE Bug 1219430 A specially crafted url can be created which leads to a directory traversal in the salt file server. A malicious user can read an arbitrary file from a Salt master's filesystem. CVE-2024-22232 SUSE Manager Client Tools for RHEL, Liberty and Clones 9-CLIENT-TOOLS:venv-salt-minion-3006.0-1.36.3 SUSE:EL-9:Update:Products:SaltBundle:Update:saltbundlepy-3.10.14-1.20.1 SUSE:EL-9:Update:Products:SaltBundle:Update:saltbundlepy-base-3.10.14-1.20.1 SUSE:EL-9:Update:Products:SaltBundle:Update:saltbundlepy-curses-3.10.14-1.20.1 SUSE:EL-9:Update:Products:SaltBundle:Update:saltbundlepy-dbm-3.10.14-1.20.1 SUSE:EL-9:Update:Products:SaltBundle:Update:saltbundlepy-devel-3.10.14-1.20.1 SUSE:EL-9:Update:Products:SaltBundle:Update:saltbundlepy-libs-3.10.14-1.20.1 SUSE:EL-9:Update:Products:SaltBundle:Update:saltbundlepy-lxml-4.9.3-1.15.2 SUSE:EL-9:Update:Products:SaltBundle:Update:saltbundlepy-lxml-devel-4.9.3-1.15.2 SUSE:EL-9:Update:Products:SaltBundle:Update:saltbundlepy-lxml-doc-4.9.3-1.15.2 SUSE:EL-9:Update:Products:SaltBundle:Update:saltbundlepy-testsuite-3.10.14-1.20.1 SUSE:EL-9:Update:Products:SaltBundle:Update:saltbundlepy-tk-3.10.14-1.20.1 SUSE:EL-9:Update:Products:SaltBundle:Update:saltbundlepy-tools-3.10.14-1.20.1 SUSE:EL-9:Update:Products:SaltBundle:Update:venv-salt-minion-3006.0-1.36.3 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2024/suse-su-20241525-1/ https://www.suse.com/security/cve/CVE-2024-22232.html CVE-2024-22232 https://bugzilla.suse.com/1219431 SUSE Bug 1219431