Security update for SUSE Manager Client Tools

Announcement ID: SUSE-SU-202404:15254-1
Rating: moderate
CVSS scores:
  • CVE-2024-22231 ( SUSE ): 5.0 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:N
  • CVE-2024-22232 ( SUSE ): 7.7 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
Affected Products:
  • SUSE Manager Client Tools for Ubuntu 20.04 2004

An update that solves two vulnerabilities, contains two features and has five security fixes can now be installed.

Description:

This update fixes the following issues:

salt:

  • Prevent directory traversal when creating syndic cache directory on the master (CVE-2024-22231, bsc#1219430)
  • Prevent directory traversal attacks in the master's serve_file method (CVE-2024-22232, bsc#1219431)
  • Convert oscap output to UTF-8
  • Make Salt compatible with Python 3.11
  • Ignore non-ascii chars in oscap output (bsc#1219001)
  • Fix detected issues in Salt tests when running on VMs
  • Make importing seco.range thread safe (bsc#1211649)
  • Fix problematic tests and allow smooth test execution in containers
  • Discover Ansible playbook files as ".yml" or ".yaml" files (bsc#1211888)
  • Provide user(salt)/group(salt) capabilities for RPM 4.19
  • Extend dependencies for python3-salt-testsuite and python3-salt packages
  • Improve Salt and testsuite packages multibuild
  • Enable multibuild and create test flavor
  • Additionally require python-mock only for older Python versions
  • Prevent exceptions with fileserver.update when called via state (bsc#1218482)
  • Improve pip target override condition with VENV_PIP_TARGET environment variable (bsc#1216850)
  • Fix KeyError in logs when running a state that fails
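Both Salt CVEs above are directory-traversal bugs on the master: a caller-controlled path ends up outside the directory it was meant to be confined to. The block below is an added example for this advisory, not Salt's own patch or code. It shows the generic containment check this class of fix applies (resolve the path, then confirm it is still under the base directory) next to the unchecked join that goes wrong, and exercises both with the usual probes: "..", an absolute path, a symlink pointing out of the root, and a sibling directory whose name merely shares a prefix with the root. The directory layout, file names and probe strings are constructed for the demonstration.

```python
"""Path-containment check of the kind that closes directory-traversal
bugs like the two Salt CVEs above.

Added example for this advisory; it is not Salt's own patch or code.
Directory names, file names and probe strings are constructed here for
the demonstration.
"""
import os
import shutil
import tempfile

OUTSIDE_DATA = b"not for minions\n"  # constructed marker for out-of-root data


class PathTraversal(ValueError):
    """Raised when a requested path would land outside its base directory."""


def naive_join(base, requested):
    """The pattern that goes wrong: os.path.join() discards `base` when
    `requested` is absolute, and does nothing about '..' or symlinks."""
    return os.path.join(base, requested)


def safe_join(base, requested):
    """Return the real path of `requested` inside `base`, or raise.

    realpath() collapses '.', '..' and symlinks, so the check sees the
    path the kernel would actually open; commonpath() compares whole
    components, so /srv/saltx is not accepted as being under /srv/salt
    (a plain str.startswith() would accept it).
    """
    base_real = os.path.realpath(base)
    target = os.path.realpath(os.path.join(base_real, requested))
    try:
        inside = os.path.commonpath([base_real, target]) == base_real
    except ValueError:  # e.g. paths on different Windows drives
        inside = False
    if not inside:
        raise PathTraversal(requested)
    return target


def naive_serve(base, requested):
    """File server without the check."""
    with open(naive_join(base, requested), "rb") as fh:
        return fh.read()


def serve_file(base, requested):
    """File server with the check; a stand-in for a hardened serve_file."""
    with open(safe_join(base, requested), "rb") as fh:
        return fh.read()


def demo():
    """Build a throwaway fileserver root plus an out-of-root directory,
    then send the classic traversal probes to both servers.

    Returns {probe_name: (naive_leaks_outside_data, checked_accepts)}.
    """
    root = tempfile.mkdtemp()
    outside = tempfile.mkdtemp()
    try:
        srv = os.path.join(root, "srv", "salt")  # the intended base directory
        sibling = srv + "x"                       # .../srv/saltx: prefix collision
        os.makedirs(srv)
        os.makedirs(sibling)
        with open(os.path.join(srv, "top.sls"), "wb") as fh:
            fh.write(b"base: {}\n")
        for d in (outside, sibling):
            with open(os.path.join(d, "secret"), "wb") as fh:
                fh.write(OUTSIDE_DATA)
        os.symlink(outside, os.path.join(srv, "link"))  # symlink escaping the root

        probes = {
            "legit": "top.sls",
            "dotdot": os.path.relpath(os.path.join(outside, "secret"), srv),
            "absolute": os.path.join(outside, "secret"),
            "symlink": os.path.join("link", "secret"),
            "prefix": os.path.join("..", "saltx", "secret"),
        }
        results = {}
        for name, req in probes.items():
            naive_leaks = naive_serve(srv, req) == OUTSIDE_DATA
            try:
                serve_file(srv, req)
                checked_accepts = True
            except PathTraversal:
                checked_accepts = False
            results[name] = (naive_leaks, checked_accepts)
        return results
    finally:
        shutil.rmtree(root)
        shutil.rmtree(outside)


if __name__ == "__main__":
    for name, (leaks, accepted) in demo().items():
        print(f"{name:9s} unchecked leaks: {leaks!s:5s} checked accepts: {accepted}")
```

Only the legitimate request passes the checked server; every other probe reads the out-of-root data through the unchecked join. The realpath step matters for the symlink case, and the commonpath comparison (rather than a string prefix test) matters for the sibling-directory case; a fix that normalises "..", but skips either of those, still leaves an escape.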

scap-security-guide:

  • Updated to 0.1.71 (jsc#ECO-3319)
  • Add RHEL 9 STIG
  • Add support for Debian 12
  • Update PCI-DSS profile for RHEL
  • Many bug fixes and improvements for SLE

spacecmd:

  • Version 4.3.27-0
  • Update translation strings

Special Instructions and Notes:

Patch Instructions:

To install this SUSE update, use SUSE's recommended installation methods such as YaST online_update or "zypper patch".
Alternatively, you can run the command listed for your product. Note that the patch command below is SUSE's generic template; the packages for this product are Debian packages for Ubuntu 20.04 clients and reach the client through its SUSE Manager channel, where they are installed with apt rather than zypper.

  • SUSE Manager Client Tools for Ubuntu 20.04 2004
    zypper in -t patch suse-ubu204ct-client-tools-202404-15254=1

Package List:

  • SUSE Manager Client Tools for Ubuntu 20.04 2004 (all)
    • salt-common-3006.0+ds-1+2.122.2
    • salt-minion-3006.0+ds-1+2.122.2
    • scap-security-guide-ubuntu-0.1.71-2.41.2
    • spacecmd-4.3.27-2.81.2
