Security Beta update for Salt

SUSE Security Update: Security Beta update for Salt

---

Announcement ID:	SUSE-SU-2020:14332-1
Rating:	important
References:	#1157465 #1162327 #1162504 #1163981 #1165425
Cross-References:	CVE-2019-18897
Affected Products:	SUSE Manager Ubuntu 16.04-CLIENT-TOOLS-BETA

---

An update that solves one vulnerability and has four fixes is now available.

Description:

This update fixes the following issues:
salt:

• Requiring python3-distro only for openSUSE/SLE >= 15
• Use full option name instead of undocumented abbreviation for zypper
• Python-distro is only needed for > Python 3.7. Removing it for Python 2
• Fixed a local privilege escalation to root (bsc#1157465) (CVE-2019-18897)
• Fix unit tests failures in test_batch_async tests
• Batch Async: Handle exceptions, properly unregister and close instances after running async batching to avoid CPU starvation of the MWorkers (bsc#1162327)
• RHEL/CentOS 8 uses platform-python instead of python3
• Enable build for Python 3.8
• Update to Salt version 2019.2.3 (bsc#1163981) (bsc#1162504)
• Replacing pycrypto with M2Crypto (bsc#1165425)

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

• SUSE Manager Ubuntu 16.04-CLIENT-TOOLS-BETA:
  zypper in -t patch suse-ubu164ct-salt-beta-202003-14332=1

Package List:

• SUSE Manager Ubuntu 16.04-CLIENT-TOOLS-BETA (all):
  • salt-common-2019.2.2+ds-1.1+9.9.2
  • salt-minion-2019.2.2+ds-1.1+9.9.2

References:

• https://www.suse.com/security/cve/CVE-2019-18897.html
• https://bugzilla.suse.com/1157465
• https://bugzilla.suse.com/1162327
• https://bugzilla.suse.com/1162504
• https://bugzilla.suse.com/1163981
• https://bugzilla.suse.com/1165425