Security update for Salt

Announcement ID: SUSE-SU-2020:1971-1
Rating: moderate
References:
Cross-References:
CVSS scores:
  • CVE-2019-18897 ( SUSE ): 8.4 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • CVE-2019-18897 ( NVD ): 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
  • CVE-2020-11651 ( SUSE ): 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • CVE-2020-11651 ( NVD ): 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • CVE-2020-11652 ( SUSE ): 7.2 CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
  • CVE-2020-11652 ( NVD ): 6.5 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Affected Products:
  • Advanced Systems Management Module 12
  • SUSE Linux Enterprise Desktop 12
  • SUSE Linux Enterprise Desktop 12 SP1
  • SUSE Linux Enterprise Desktop 12 SP2
  • SUSE Linux Enterprise Desktop 12 SP3
  • SUSE Linux Enterprise Desktop 12 SP4
  • SUSE Linux Enterprise High Performance Computing 12 SP2
  • SUSE Linux Enterprise High Performance Computing 12 SP3
  • SUSE Linux Enterprise High Performance Computing 12 SP4
  • SUSE Linux Enterprise High Performance Computing 12 SP5
  • SUSE Linux Enterprise Point of Service Image Server 12 12-SP2
  • SUSE Linux Enterprise Server 12
  • SUSE Linux Enterprise Server 12 SP1
  • SUSE Linux Enterprise Server 12 SP2
  • SUSE Linux Enterprise Server 12 SP3
  • SUSE Linux Enterprise Server 12 SP4
  • SUSE Linux Enterprise Server 12 SP5
  • SUSE Linux Enterprise Server for SAP Applications 12
  • SUSE Linux Enterprise Server for SAP Applications 12 SP1
  • SUSE Linux Enterprise Server for SAP Applications 12 SP2
  • SUSE Linux Enterprise Server for SAP Applications 12 SP3
  • SUSE Linux Enterprise Server for SAP Applications 12 SP4
  • SUSE Linux Enterprise Server for SAP Applications 12 SP5
  • SUSE Linux Enterprise Server for the Raspberry Pi 12-SP2
  • SUSE Manager Client Tools for SLE 12
  • SUSE Manager Proxy 3.2
  • SUSE Manager Server 3.2

An update that solves three vulnerabilities and has 12 security fixes can now be installed.

Description:

This update fixes the following issues:

salt:

  • Fix for TypeError in Tornado importer (bsc#1174165)
  • Require python3-distro only for TW (bsc#1173072)
  • Various virt backports from 3000.2
  • Avoid traceback on debug logging for swarm module (bsc#1172075)
  • Add publish_batch to ClearFuncs exposed methods
  • Update to salt version 3000 See release notes: https://docs.saltstack.com/en/latest/topics/releases/3000.html
  • Zypperpkg: filter patterns that start with dot (bsc#1171906)
  • Batch mode now also correctly provides return value (bsc#1168340)
  • Add docker.logout to docker execution module (bsc#1165572)
  • Testsuite fix
  • Add option to enable/disable force refresh for zypper
  • Python3.8 compatibility changes
  • Prevent sporious "salt-api" stuck processes when managing SSH minions because of logging deadlock (bsc#1159284)
  • Avoid segfault from "salt-api" under certain conditions of heavy load managing SSH minions (bsc#1169604)
  • Revert broken changes to slspath made on Salt 3000 (saltstack/salt#56341) (bsc#1170104)
  • Returns a the list of IPs filtered by the optional network list
  • Fix CVE-2020-11651 and CVE-2020-11652 (bsc#1170595)
  • Do not require vendored backports-abc (bsc#1170288)
  • Fix partition.mkpart to work without fstype (bsc#1169800)
  • Enable building and installation for Fedora
  • Disable python2 build on Tumbleweed We are removing the python2 interpreter from openSUSE (SLE16). As such disable salt building for python2 there.
  • More robust remote port detection
  • Sanitize grains loaded from roster_grains.json cache during "state.pkg"
  • Do not make file.recurse state to fail when msgpack 0.5.4 (bsc#1167437)
  • Build: Buildequire pkgconfig(systemd) instead of systemd pkgconfig(systemd) is provided by systemd, so this is de-facto no change. But inside the Open Build Service (OBS), the same symbol is also provided by systemd-mini, which exists to shorten build-chains by only enabling what other packages need to successfully build
  • Add new custom SUSE capability for saltutil state module
  • Fixes status attribute issue in aptpkg test
  • Make setup.py script not to require setuptools greater than 9.1
  • Loop: fix variable names for until_no_eval
  • Drop conflictive module.run state patch (bsc#1167437)
  • Update patches after rebase with upstream v3000 tag (bsc#1167437)
  • Fix some requirements issues depending on Python3 versions
  • Removes obsolete patch
  • Fix for low rpm_lowpkg unit test
  • Add python-singledispatch as dependency for python2-salt
  • Virt._get_domain: don't raise an exception if there is no VM
  • Fix for temp folder definition in loader unit test
  • Adds test for zypper abbreviation fix
  • Improved storage pool or network handling
  • Better import cache handline
  • Make "salt.ext.tornado.gen" to use "salt.ext.backports_abc" on Python 2
  • Fix regression in service states with reload argument
  • Fix integration test failure for test_mod_del_repo_multiline_values
  • Fix for unless requisite when pip is not installed
  • Fix errors from unit tests due NO_MOCK and NO_MOCK_REASON deprecation
  • Fix tornado imports and missing _utils after rebasing patches
  • Removes unresolved merge conflict in yumpkg module
  • Use full option name instead of undocumented abbreviation for zypper
  • Requiring python3-distro only for openSUSE/SLE >= 15 and not for Python 2 builds
  • Avoid possible user escalation upgrading salt-master (bsc#1157465) (CVE-2019-18897)
  • Fix unit tests failures in test_batch_async tests
  • Batch Async: Handle exceptions, properly unregister and close instances after running async batching to avoid CPU starvation of the MWorkers (bsc#1162327)
  • RHEL/CentOS 8 uses platform-python instead of python3
  • Loader: invalidate the import cachefor extra modules
  • Zypperpkg: filter patterns that start with dot (bsc#1171906)
  • Batch mode now also correctly provides return value (bsc#1168340)
  • Add docker.logout to docker execution module (bsc#1165572)
  • Improvements for chroot module
  • Add option to enable/disable force refresh for zypper
  • Prevent sporious "salt-api" stuck processes when managing SSH minions because of logging deadlock (bsc#1159284)
  • Avoid segfault from "salt-api" under certain conditions of heavy load managing SSH minions (bsc#1169604)

Special Instructions and Notes:

Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

  • SUSE Manager Client Tools for SLE 12
    zypper in -t patch SUSE-SLE-Manager-Tools-12-2020-1971=1
  • Advanced Systems Management Module 12
    zypper in -t patch SUSE-SLE-Module-Adv-Systems-Management-12-2020-1971=1
  • SUSE Linux Enterprise Point of Service Image Server 12 12-SP2
    zypper in -t patch SUSE-SLE-POS-12-SP2-2020-1971=1
  • SUSE Manager Proxy 3.2
    zypper in -t patch SUSE-SUSE-Manager-Proxy-3.2-2020-1971=1
  • SUSE Manager Server 3.2
    zypper in -t patch SUSE-SUSE-Manager-Server-3.2-2020-1971=1

Package List:

  • SUSE Manager Client Tools for SLE 12 (noarch)
    • python-singledispatch-3.4.0.3-1.5.1
  • SUSE Manager Client Tools for SLE 12 (aarch64 ppc64le s390x x86_64)
    • salt-3000-46.101.1
    • salt-doc-3000-46.101.1
    • python3-salt-3000-46.101.1
    • salt-minion-3000-46.101.1
    • python2-salt-3000-46.101.1
  • Advanced Systems Management Module 12 (noarch)
    • python-singledispatch-3.4.0.3-1.5.1
    • salt-bash-completion-3000-46.101.1
    • salt-zsh-completion-3000-46.101.1
  • Advanced Systems Management Module 12 (ppc64le s390x x86_64)
    • salt-3000-46.101.1
    • salt-doc-3000-46.101.1
    • salt-standalone-formulas-configuration-3000-46.101.1
    • salt-cloud-3000-46.101.1
    • salt-ssh-3000-46.101.1
    • salt-api-3000-46.101.1
    • salt-master-3000-46.101.1
    • salt-minion-3000-46.101.1
    • python2-salt-3000-46.101.1
    • salt-proxy-3000-46.101.1
    • salt-syndic-3000-46.101.1
  • SUSE Linux Enterprise Point of Service Image Server 12 12-SP2 (noarch)
    • python-singledispatch-3.4.0.3-1.5.1
  • SUSE Linux Enterprise Point of Service Image Server 12 12-SP2 (x86_64)
    • salt-3000-46.101.1
    • python2-salt-3000-46.101.1
    • salt-minion-3000-46.101.1
  • SUSE Manager Proxy 3.2 (noarch)
    • python-singledispatch-3.4.0.3-1.5.1
  • SUSE Manager Proxy 3.2 (x86_64)
    • salt-3000-46.101.1
    • python3-salt-3000-46.101.1
    • python2-salt-3000-46.101.1
    • salt-minion-3000-46.101.1
  • SUSE Manager Server 3.2 (noarch)
    • python-singledispatch-3.4.0.3-1.5.1
    • salt-bash-completion-3000-46.101.1
    • salt-zsh-completion-3000-46.101.1
  • SUSE Manager Server 3.2 (ppc64le s390x x86_64)
    • salt-3000-46.101.1
    • salt-doc-3000-46.101.1
    • salt-standalone-formulas-configuration-3000-46.101.1
    • salt-cloud-3000-46.101.1
    • salt-ssh-3000-46.101.1
    • python3-salt-3000-46.101.1
    • salt-api-3000-46.101.1
    • salt-master-3000-46.101.1
    • salt-minion-3000-46.101.1
    • python2-salt-3000-46.101.1
    • salt-proxy-3000-46.101.1
    • salt-syndic-3000-46.101.1

References: