Branch sisyphus update bulletin.

Package salt updated to version 2017.5-alt1 for branch sisyphus in task 181447.

Published: 2017-08-23
Modified: 2024-11-21

CVE-2017-12791

Directory traversal vulnerability in minion id validation in SaltStack Salt before 2016.11.7 and 2017.7.x before 2017.7.1 allows remote minions with incorrect credentials to authenticate to a master via a crafted minion ID.

Severity: CRITICAL (9.8) Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References:

Published: 2017-10-24
Modified: 2024-11-21

CVE-2017-14695

Directory traversal vulnerability in minion id validation in SaltStack Salt before 2016.3.8, 2016.11.x before 2016.11.8, and 2017.7.x before 2017.7.2 allows remote minions with incorrect credentials to authenticate to a master via a crafted minion ID. NOTE: this vulnerability exists because of an incomplete fix for CVE-2017-12791.

Severity: CRITICAL (9.8) Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References:

Published: 2017-10-24
Modified: 2024-11-21

CVE-2017-14696

SaltStack Salt before 2016.3.8, 2016.11.x before 2016.11.8, and 2017.7.x before 2017.7.2 allows remote attackers to cause a denial of service via a crafted authentication request.

Severity: HIGH (7.5) Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References:

Published: 2017-04-25
Modified: 2024-11-21

CVE-2017-8109

The salt-ssh minion code in SaltStack Salt 2016.11 before 2016.11.4 copied over configuration from the Salt Master without adjusting permissions, which might leak credentials to local attackers on configured minions (clients).

Severity: HIGH (7.8) Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

References:

Package ruby-augeas updated to version 0.5.0-alt2 for branch sisyphus in task 181464.

private method `open' called for Augeas:Class

Version: 2.1.0

Branch sisyphus update on 2017-04-08

ALT-BU-2017-3045-1

ALT-PU-2017-1436-1

Closed vulnerabilities

CVE-2017-12791

CVE-2017-14695

CVE-2017-14696

CVE-2017-8109

ALT-PU-2017-1438-1

Closed bugs

Bug #33345