Security update for salt

Announcement ID: SUSE-SU-2018:1757-1
Rating: moderate
CVSS scores:
  • CVE-2017-14695 (SUSE): 5.3 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
  • CVE-2017-14695 (NVD): 9.8 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • CVE-2017-14696 (SUSE): 5.3 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
  • CVE-2017-14696 (NVD): 7.5 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Affected Products:
  • Advanced Systems Management Module 12
  • SUSE Linux Enterprise Desktop 12
  • SUSE Linux Enterprise Desktop 12 SP1
  • SUSE Linux Enterprise Desktop 12 SP2
  • SUSE Linux Enterprise Desktop 12 SP3
  • SUSE Linux Enterprise Desktop 12 SP4
  • SUSE Linux Enterprise High Performance Computing 12 SP2
  • SUSE Linux Enterprise High Performance Computing 12 SP3
  • SUSE Linux Enterprise High Performance Computing 12 SP4
  • SUSE Linux Enterprise High Performance Computing 12 SP5
  • SUSE Linux Enterprise Point of Service Image Server 12 12-SP2
  • SUSE Linux Enterprise Server 12
  • SUSE Linux Enterprise Server 12 SP1
  • SUSE Linux Enterprise Server 12 SP2
  • SUSE Linux Enterprise Server 12 SP3
  • SUSE Linux Enterprise Server 12 SP4
  • SUSE Linux Enterprise Server 12 SP5
  • SUSE Linux Enterprise Server for SAP Applications 12
  • SUSE Linux Enterprise Server for SAP Applications 12 SP1
  • SUSE Linux Enterprise Server for SAP Applications 12 SP2
  • SUSE Linux Enterprise Server for SAP Applications 12 SP3
  • SUSE Linux Enterprise Server for SAP Applications 12 SP4
  • SUSE Linux Enterprise Server for SAP Applications 12 SP5
  • SUSE Linux Enterprise Server for the Raspberry Pi 12-SP2
  • SUSE Manager Client Tools for SLE 12
  • SUSE Manager Proxy 3.1
  • SUSE Manager Proxy 3.0
  • SUSE Manager Server 3.1
  • SUSE Manager Server 3.0

An update that solves two vulnerabilities and has 20 security fixes can now be installed.

Description:

This update for salt provides version 2018.3 and brings many fixes and improvements:

  • Fix for sorting of multi-version packages (bsc#1097174 and bsc#1097413)
  • Align the 'LimitNOFILE' limit in SUSE's salt-master.service with upstream Salt
  • Add 'other' attribute to GECOS fields to avoid inconsistencies with chfn
  • Prevent zypper from parsing repo configuration from files that are not .repo files (bsc#1094055)
  • Collect all versions of installed packages on SUSE and RHEL systems (bsc#1089526)
  • No more AWS EC2 rate limitations in salt-cloud. (bsc#1088888)
  • The MySQL returner now also allows the use of Unix sockets. (bsc#1091371)
  • Do not override jid on returners, only sending back to master. (bsc#1092373)
  • Remove minion/thin/version if exists to force thin regeneration. (bsc#1092161)
  • Fix minion scheduler to return a 'retcode' attribute. (bsc#1089112)
  • Fix for logging during network interface querying. (bsc#1087581)
  • Fix rhel packages requires both net-tools and iproute. (bsc#1087055)
  • Fix patchinstall on yum module. Bad comparison. (bsc#1087278)
  • Strip trailing commas on Linux user's GECOS fields. (bsc#1089362)
  • Fallback to PyMySQL. (bsc#1087891)
  • Fix for [Errno 0] Resolver Error 0 (no error). (bsc#1087581)
  • Add python-2.6 support to salt-ssh.
  • Make it possible to use docker login, pull and push from module.run and detect errors.
  • Fix unicode decode error with salt-ssh.
  • Fix cp.push empty file. (bsc#1075950)
  • Fix grains containing trailing "\n".
  • Remove salt-minion python2 requirement when python3 is default. (bsc#1081592)
  • Restore installation of packages for RHEL 6 and 7.
  • Prevent queryformat pattern from expanding. (bsc#1079048)
  • Fix for delete_deployment in Kubernetes module. (bsc#1059291)
  • Fix bsc#1062464 and CVE-2017-14696 already included in 2017.7.2.
  • Fix wrong version reported by Salt. (bsc#1061407)
  • Run salt-api as user salt. (bsc#1064520)

For a detailed description, please refer to the upstream-changelog at https://docs.saltstack.com/en/latest/topics/releases/index.html or to the rpm-changelog.

supportutils-plugin-salt:

  • Collect salt-api, salt-broker and salt-ssh log files (bsc#1090242)

Special Instructions and Notes:

Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

  • SUSE Manager Client Tools for SLE 12
    zypper in -t patch SUSE-SLE-Manager-Tools-12-2018-1157=1
  • Advanced Systems Management Module 12
    zypper in -t patch SUSE-SLE-Module-Adv-Systems-Management-12-2018-1157=1
  • SUSE Linux Enterprise Point of Service Image Server 12 12-SP2
    zypper in -t patch SUSE-SLE-POS-12-SP2-2018-1157=1
  • SUSE Manager Proxy 3.0
    zypper in -t patch SUSE-SUSE-Manager-Proxy-3.0-2018-1157=1
  • SUSE Manager Proxy 3.1
    zypper in -t patch SUSE-SUSE-Manager-Proxy-3.1-2018-1157=1
  • SUSE Manager Server 3.0
    zypper in -t patch SUSE-SUSE-Manager-Server-3.0-2018-1157=1
  • SUSE Manager Server 3.1
    zypper in -t patch SUSE-SUSE-Manager-Server-3.1-2018-1157=1

Package List:

  • SUSE Manager Client Tools for SLE 12 (aarch64 ppc64le s390x x86_64)
    • salt-minion-2018.3.0-46.28.1
    • salt-2018.3.0-46.28.1
    • salt-doc-2018.3.0-46.28.1
    • python2-salt-2018.3.0-46.28.1
    • python3-salt-2018.3.0-46.28.1
  • SUSE Manager Client Tools for SLE 12 (noarch)
    • supportutils-plugin-salt-1.1.4-6.9.1
  • Advanced Systems Management Module 12 (ppc64le s390x x86_64)
    • salt-syndic-2018.3.0-46.28.1
    • salt-minion-2018.3.0-46.28.1
    • salt-api-2018.3.0-46.28.1
    • salt-cloud-2018.3.0-46.28.1
    • salt-2018.3.0-46.28.1
    • salt-doc-2018.3.0-46.28.1
    • python2-salt-2018.3.0-46.28.1
    • salt-proxy-2018.3.0-46.28.1
    • salt-master-2018.3.0-46.28.1
    • salt-ssh-2018.3.0-46.28.1
  • Advanced Systems Management Module 12 (noarch)
    • salt-bash-completion-2018.3.0-46.28.1
    • salt-zsh-completion-2018.3.0-46.28.1
  • SUSE Linux Enterprise Point of Service Image Server 12 12-SP2 (x86_64)
    • python2-salt-2018.3.0-46.28.1
    • salt-minion-2018.3.0-46.28.1
    • salt-2018.3.0-46.28.1
  • SUSE Manager Proxy 3.0 (x86_64)
    • salt-syndic-2018.3.0-46.28.1
    • salt-minion-2018.3.0-46.28.1
    • salt-api-2018.3.0-46.28.1
    • salt-2018.3.0-46.28.1
    • salt-doc-2018.3.0-46.28.1
    • python2-salt-2018.3.0-46.28.1
    • salt-proxy-2018.3.0-46.28.1
    • salt-master-2018.3.0-46.28.1
    • salt-ssh-2018.3.0-46.28.1
  • SUSE Manager Proxy 3.0 (noarch)
    • supportutils-plugin-salt-1.1.4-6.9.1
    • salt-bash-completion-2018.3.0-46.28.1
    • salt-zsh-completion-2018.3.0-46.28.1
  • SUSE Manager Proxy 3.1 (ppc64le x86_64)
    • python2-salt-2018.3.0-46.28.1
    • salt-2018.3.0-46.28.1
    • salt-minion-2018.3.0-46.28.1
    • python3-salt-2018.3.0-46.28.1
  • SUSE Manager Proxy 3.1 (noarch)
    • supportutils-plugin-salt-1.1.4-6.9.1
  • SUSE Manager Server 3.0 (s390x x86_64)
    • salt-syndic-2018.3.0-46.28.1
    • salt-minion-2018.3.0-46.28.1
    • salt-api-2018.3.0-46.28.1
    • salt-2018.3.0-46.28.1
    • salt-doc-2018.3.0-46.28.1
    • python2-salt-2018.3.0-46.28.1
    • salt-proxy-2018.3.0-46.28.1
    • salt-master-2018.3.0-46.28.1
    • salt-ssh-2018.3.0-46.28.1
  • SUSE Manager Server 3.0 (noarch)
    • supportutils-plugin-salt-1.1.4-6.9.1
    • salt-bash-completion-2018.3.0-46.28.1
    • salt-zsh-completion-2018.3.0-46.28.1
  • SUSE Manager Server 3.1 (ppc64le s390x x86_64)
    • salt-syndic-2018.3.0-46.28.1
    • salt-minion-2018.3.0-46.28.1
    • salt-api-2018.3.0-46.28.1
    • salt-cloud-2018.3.0-46.28.1
    • salt-ssh-2018.3.0-46.28.1
    • salt-2018.3.0-46.28.1
    • salt-doc-2018.3.0-46.28.1
    • python2-salt-2018.3.0-46.28.1
    • salt-proxy-2018.3.0-46.28.1
    • salt-master-2018.3.0-46.28.1
    • python3-salt-2018.3.0-46.28.1
  • SUSE Manager Server 3.1 (noarch)
    • supportutils-plugin-salt-1.1.4-6.9.1
    • salt-bash-completion-2018.3.0-46.28.1
    • salt-zsh-completion-2018.3.0-46.28.1
