All errata/c10f2/ALT-PU-2026-2219-4
ALT-PU-2026-2219-4

Package update salt in branch c10f2

Version3007.5-alt0.p10.2
Task#407205
Published2026-04-23
Max severityHIGH
Severity:

Closed issues (7)

BDU:2026-05127
HIGH7.5

Уязвимость компонента Content-Length интерпретатора языка программирования Python, позволяющая нарушителю вызвать отказ в обслуживании

Published: 2026-04-14Modified: 2026-04-27
CVSS 3.xHIGH 7.5
CVSS:3.x/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CVSS 2.0HIGH 7.8
CVSS:2.0/AV:N/AC:L/Au:N/C:N/I:N/A:C
References
BDU:2026-05706
MEDIUM6.7

Уязвимость системы управления конфигурациями и удалённого выполнения операций Salt, связанная с недостатками процедуры аутентификации, позволяющая нарушителю повысить свои привилегии

Published: 2026-04-22
CVSS 3.xMEDIUM 6.7
CVSS:3.x/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:L
CVSS 2.0HIGH 8.0
CVSS:2.0/AV:N/AC:L/Au:M/C:C/I:C/A:P
References
CVE-2025-13836
MEDIUM6.3

When reading an HTTP response from a server, if no read amount is specified, the default behavior will be to use Content-Length. This allows a malicious server to cause the client to read large amounts of data into memory, potentially causing OOM or other DoS.

Published: 2025-12-01Modified: 2026-02-10
CVSS 3.xHIGH 7.5
CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CVSS 4.0MEDIUM 6.3
CVSS:4.0/CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
References
CVE-2025-62348
HIGH7.3

Salt's junos execution module contained an unsafe YAML decode/load usage. A specially crafted YAML payload processed by the junos module could lead to unintended code execution under the context of the Salt process.

Published: 2026-01-30Modified: 2026-04-15
CVSS 3.xHIGH 7.8
CVSS:3.x/CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CVSS 4.0HIGH 7.3
CVSS:4.0/CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
References
CVE-2025-62349
HIGH7.5

Salt contains an authentication protocol version downgrade weakness that can allow a malicious minion to bypass newer authentication/security features by using an older request payload format, enabling minion impersonation and circumventing protections introduced in response to prior issues.

Published: 2026-01-30Modified: 2026-04-15
CVSS 3.xMEDIUM 6.2
CVSS:3.x/CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:L
CVSS 4.0HIGH 7.5
CVSS:4.0/CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
References
GHSA-77w2-v593-vxvv
HIGH7.3

Salt junos Module Vulnerable to Code Injection via Specially Crafted YAML Payload

Published: 2026-01-31Modified: 2026-02-01
CVSS 3.xHIGH 7.3
CVSS:3.x/CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CVSS 4.0HIGH 7.3
CVSS:4.0/CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
References
GHSA-vcf3-26xf-fw4m
HIGH7.5

Salt Authentication Protocol Version Downgrade Allows Minion Impersonation

Published: 2026-01-31Modified: 2026-02-01
CVSS 3.xHIGH 7.5
CVSS:3.x/CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:L
CVSS 4.0HIGH 7.5
CVSS:4.0/CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N
References