
[SECURITY] [DLA 2223-1] salt security update




Package        : salt
Version        : 2014.1.13+ds-3+deb8u1
CVE ID         : CVE-2020-11651 CVE-2020-11652
Debian Bug     : 959684


Several vulnerabilities were discovered in the salt package, a
configuration management and infrastructure automation tool.

CVE-2020-11651

    The salt-master process ClearFuncs class does not properly validate
    method calls. This allows a remote user to access some methods
    without authentication. These methods can be used to retrieve user
    tokens from the salt master and/or run arbitrary commands on salt
    minions.

CVE-2020-11652

    The salt-master process ClearFuncs class allows access to some
    methods that improperly sanitize paths. These methods allow
    arbitrary directory access to authenticated users.
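
The two flaw classes described above, sketched as an added example (not Salt's code and not part of the advisory): a request dispatcher that resolves any requested method name beside one that checks an explicit allowlist, plus a path check that confines access to a base directory. The class, its method names and the sample secret are hypothetical.

```python
import os


class Dispatcher:
    """Toy request handler (hypothetical model, not Salt's ClearFuncs)."""

    # Hardened form: only names listed here are reachable from a request.
    EXPOSED = ("ping", "resolve_path")

    def __init__(self, base_dir):
        self.base_dir = os.path.realpath(base_dir)

    def ping(self):
        return "pong"

    def _internal_token(self):
        # Internal helper that was never meant to be remotely callable.
        return "constructed-secret"

    def resolve_path(self, rel_path):
        # Resolve the requested path first, then confirm it is still
        # inside base_dir. This rejects "../" sequences and absolute paths.
        target = os.path.realpath(os.path.join(self.base_dir, rel_path))
        if os.path.commonpath([self.base_dir, target]) != self.base_dir:
            raise PermissionError("path escapes base directory")
        return target

    def dispatch_weak(self, cmd, *args):
        # Weak: the request's method name is looked up without validation,
        # so every attribute of the object is part of the remote surface.
        return getattr(self, cmd)(*args)

    def dispatch_strict(self, cmd, *args):
        # Strict: anything not explicitly exposed is refused before lookup.
        if cmd not in self.EXPOSED:
            raise PermissionError("method not exposed: %r" % (cmd,))
        return getattr(self, cmd)(*args)


if __name__ == "__main__":
    d = Dispatcher("/srv/constructed-base")  # constructed sample directory
    print(d.dispatch_weak("_internal_token"))  # internal helper is reachable
    for cmd, args in [("_internal_token", ()), ("resolve_path", ("../../etc/passwd",))]:
        try:
            d.dispatch_strict(cmd, *args)
        except PermissionError as exc:
            print("rejected:", exc)
```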

For Debian 8 "Jessie", these problems have been fixed in version
2014.1.13+ds-3+deb8u1.

We recommend that you upgrade your salt packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS