Security update for SUSE Manager Salt Bundle
| Announcement ID: | SUSE-SU-2024:4021-1 |
|---|---|
| Release Date: | 2024-11-18T13:25:47Z |
| Rating: | important |
| References: | |
| Cross-References: | |
| CVSS scores: | |
| Affected Products: | |
An update that solves nine vulnerabilities, contains one feature and has 14 security fixes can now be installed.
Description:
This update fixes the following issues:
venv-salt-minion:
- Security fixes on Python 3.11 interpreter:
  - CVE-2024-7592: Fixed quadratic complexity in parsing "-quoted cookie values with backslashes (bsc#1229873, bsc#1230059)
  - CVE-2024-8088: Prevent a malformed payload from causing infinite loops in zipfile.Path (bsc#1229704, bsc#1230058)
  - CVE-2024-6923: Prevent email header injection due to unquoted newlines (bsc#1228780)
  - CVE-2024-4032: Rearranged the definition of private global IP addresses (bsc#1226448)
  - CVE-2024-0397: ssl.SSLContext.cert_store_stats() and ssl.SSLContext.get_ca_certs() now correctly lock access to the certificate store when the ssl.SSLContext is shared across multiple threads (bsc#1226447)
- Security fixes on Python dependencies:
  - CVE-2024-5569: zipp: Fixed a Denial of Service (DoS) vulnerability in the jaraco/zipp library (bsc#1227547, bsc#1229996)
  - CVE-2024-6345: setuptools: Sanitize any VCS URL used for download (bsc#1228105, bsc#1229995)
  - CVE-2024-3651: idna: Fixed a potential DoS through resource consumption on specially crafted inputs to idna.encode() (bsc#1222842, bsc#1229994)
  - CVE-2024-37891: urllib3: Added the Proxy-Authorization header to the list of headers to strip from requests when redirecting to a different host (bsc#1226469, bsc#1229654)
- Other bugs fixed:
  - Added passlib Python module to the bundle
  - Allow NamedLoaderContexts to be returned from loader
  - Avoid crash on wrong output of systemctl version (bsc#1229539)
  - Avoid explicit reading of /etc/salt/minion (bsc#1220357)
  - Enable post_start_cleanup.sh to work in a transaction
  - Fixed cloud Minion configuration for multiple Masters (bsc#1229109)
  - Fixed failing x509 tests with OpenSSL < 1.1
  - Fixed the SELinux context for Salt Minion service (bsc#1219041)
  - Fixed too frequent systemd service restart in test_system test
  - Fixed zyppnotify plugin after latest zypp/libzypp upgrades (bsc#1231697, bsc#1231045)
  - Improved error handling with different OpenSSL versions
  - Increase warn_until_date date for code we still support
  - Prevent using SyncWrapper with no reason
  - Reverted the change making reactor less blocking (bsc#1230322)
  - Use --cachedir for extension_modules in salt-call (bsc#1226141)
  - Use Pygit2 id instead of deprecated oid in gitfs
Special Instructions and Notes:
Patch Instructions:
To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product:
- SUSE Manager Client Tools for SLE 15: `zypper in -t patch SUSE-SLE-Manager-Tools-15-2024-4021=1`
- SUSE Manager Client Tools for SLE Micro 5: `zypper in -t patch SUSE-SLE-Manager-Tools-For-Micro-5-2024-4021=1`
- SUSE Manager Proxy 4.3 Module 4.3: `zypper in -t patch SUSE-SLE-Module-SUSE-Manager-Proxy-4.3-2024-4021=1`
- SUSE Manager Server 4.3 Module 4.3: `zypper in -t patch SUSE-SLE-Module-SUSE-Manager-Server-4.3-2024-4021=1`
Package List:
- SUSE Manager Client Tools for SLE 15 (aarch64 ppc64le s390x x86_64)
  - venv-salt-minion-3006.0-150000.3.67.1
- SUSE Manager Client Tools for SLE Micro 5 (aarch64 s390x x86_64)
  - venv-salt-minion-3006.0-150000.3.67.1
- SUSE Manager Proxy 4.3 Module 4.3 (aarch64 ppc64le s390x x86_64)
  - venv-salt-minion-3006.0-150000.3.67.1
- SUSE Manager Server 4.3 Module 4.3 (aarch64 ppc64le s390x x86_64)
  - venv-salt-minion-3006.0-150000.3.67.1
References:
- https://www.suse.com/security/cve/CVE-2024-0397.html
- https://www.suse.com/security/cve/CVE-2024-3651.html
- https://www.suse.com/security/cve/CVE-2024-37891.html
- https://www.suse.com/security/cve/CVE-2024-4032.html
- https://www.suse.com/security/cve/CVE-2024-5569.html
- https://www.suse.com/security/cve/CVE-2024-6345.html
- https://www.suse.com/security/cve/CVE-2024-6923.html
- https://www.suse.com/security/cve/CVE-2024-7592.html
- https://www.suse.com/security/cve/CVE-2024-8088.html
- https://bugzilla.suse.com/show_bug.cgi?id=1219041
- https://bugzilla.suse.com/show_bug.cgi?id=1220357
- https://bugzilla.suse.com/show_bug.cgi?id=1222842
- https://bugzilla.suse.com/show_bug.cgi?id=1226141
- https://bugzilla.suse.com/show_bug.cgi?id=1226447
- https://bugzilla.suse.com/show_bug.cgi?id=1226448
- https://bugzilla.suse.com/show_bug.cgi?id=1226469
- https://bugzilla.suse.com/show_bug.cgi?id=1227547
- https://bugzilla.suse.com/show_bug.cgi?id=1228105
- https://bugzilla.suse.com/show_bug.cgi?id=1228780
- https://bugzilla.suse.com/show_bug.cgi?id=1229109
- https://bugzilla.suse.com/show_bug.cgi?id=1229539
- https://bugzilla.suse.com/show_bug.cgi?id=1229654
- https://bugzilla.suse.com/show_bug.cgi?id=1229704
- https://bugzilla.suse.com/show_bug.cgi?id=1229873
- https://bugzilla.suse.com/show_bug.cgi?id=1229994
- https://bugzilla.suse.com/show_bug.cgi?id=1229995
- https://bugzilla.suse.com/show_bug.cgi?id=1229996
- https://bugzilla.suse.com/show_bug.cgi?id=1230058
- https://bugzilla.suse.com/show_bug.cgi?id=1230059
- https://bugzilla.suse.com/show_bug.cgi?id=1230322
- https://bugzilla.suse.com/show_bug.cgi?id=1231045
- https://bugzilla.suse.com/show_bug.cgi?id=1231697
- https://jira.suse.com/browse/MSQA-863
