Security update for SUSE Manager Salt Bundle

Announcement ID: SUSE-SU-2024:1521-1
Rating: moderate
References:
Cross-References:
CVSS scores:
  • CVE-2024-22231 ( SUSE ): 5.0 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:N
  • CVE-2024-22232 ( SUSE ): 7.7 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
Affected Products:
  • SUSE Manager Client Tools for Debian 11

An update that solves two vulnerabilities, contains one feature and has five security fixes can now be installed.

Description:

This update fixes the following issues:

venv-salt-minion:

  • CVE-2024-22231: Prevent directory traversal when creating syndic cache directory on the master (bsc#1219430)
  • CVE-2024-22232: Prevent directory traversal attacks in the master's serve_file method (bsc#1219431)
  • Convert oscap output to UTF-8
  • Make Salt compatible with Python 3.11
  • Ignore non-ascii chars in oscap output (bsc#1219001)
  • Fix detected issues in Salt tests when running on VMs
  • Make importing seco.range thread safe (bsc#1211649)
  • Fix problematic tests and allow smooth tests executions on containers
  • Discover Ansible playbook files as ".yml" or ".yaml" files (bsc#1211888)
  • Prevent exceptions with fileserver.update when called via state (bsc#1218482)
  • Improve pip target override condition with VENV_PIP_TARGET environment variable (bsc#1216850)
  • Fixed KeyError in logs when running a state that fails

Special Instructions and Notes:

Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

  • SUSE Manager Client Tools for Debian 11
    zypper in -t patch SUSE-Debian-11-CLIENT-TOOLS-x86_64-2024-1521=1

Package List:

  • SUSE Manager Client Tools for Debian 11 (amd64)
    • venv-salt-minion-3006.0-2.50.4

References: