Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2020.1894
salt security update
1 June 2020
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: salt
Publisher: Debian
Operating System: Debian GNU/Linux 8
Impact/Access: Execute Arbitrary Code/Commands -- Unknown/Unspecified
Access Confidential Data -- Unknown/Unspecified
Unauthorised Access -- Existing Account
Resolution: Patch/Upgrade
CVE Names: CVE-2020-11652 CVE-2020-11651
Reference: ESB-2020.1884
ESB-2020.1756
ESB-2020.1547
Original Bulletin:
https://www.debian.org/lts/security/2020/dla-2223
- --------------------------BEGIN INCLUDED TEXT--------------------
- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Package : salt
Version : 2014.1.13+ds-3+deb8u1
CVE ID : CVE-2020-11651 CVE-2020-11652
Debian Bug : 959684
Several vulnerabilities were discovered in package salt, a
configuration management and infrastructure automation software.
CVE-2020-11651
The salt-master process ClearFuncs class does not properly validate
method calls. This allows a remote user to access some methods
without authentication. These methods can be used to retrieve user
tokens from the salt master and/or run arbitrary commands on salt
minions.
CVE-2020-11652
The salt-master process ClearFuncs class allows access to some
methods that improperly sanitize paths. These methods allow
arbitrary directory access to authenticated users.
For Debian 8 "Jessie", these problems have been fixed in version
2014.1.13+ds-3+deb8u1.
We recommend that you upgrade your salt packages.
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
- -----BEGIN PGP SIGNATURE-----
iQIzBAEBCgAdFiEE7xPqJqaY/zX9fJAuhj1N8u2cKO8FAl7R3zsACgkQhj1N8u2c
KO/V0A/+I+O9Wtme0a+TfryuHJhQ5VsvyQwSzPItGSBCbq54jmATV5k7KbSBVyzR
YEpG5fvIXlpwlAtJxC4uJH2qALQx+UuJtBiRvA4biG3vpXvF09LJdw1dFRCzzHxn
wPzSIZVK0QTyrjzRvI/CJeCeaECwxZWmw5Qs9Y5FOJffNC1S3oyj6YAZVLhz9vBx
11sZXzsejzvZsS2HORi4+uEHrS8/pEcJdmQ7SuHLfL7rasvRzTvAPZ9mEkrX4Cs+
rr1AOm4KrBzyzARhK8t40ECsJQBWVAw8qo7Mv10PWDD7qsvnf6QYZi1DXwwqpihY
PdZl+wF8hhRQFRzbwpHbXqZq4bRLTdjSFcrLaMkKVjnXHim7OmvZD7lTzAw0Skmd
pRj6HuIHoudF142MVXY6cUXlyofZrnj2FwiM47bFHMx+KzBdu8DKrQFZltykk+/q
gKsuBVyr+JUz23l4XeiBBf70o/NJeVFj/fY4VMravkYIYrkeNoEO4ugYCHkE4Jht
ieOkubkpLeluMV2ouJAPa/L+59m6z4BTuwcfjkZ0rxAS7wpIr1yod0EcQT57x9SE
YreW7s5T9L//d0TJt2UarqyRGhJfkgm2cJiUr4rKNS3mr8zvKuQHp5jBsA8xdTYR
4o+hCqXvsL50k4uuNx58gv+Fzux/PQnfE5+x9BcIiA3m2tYJAXE=
=QPyo
- -----END PGP SIGNATURE-----
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
https://www.auscert.org.au/bulletins/
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBXtRc+eNLKJtyKPYoAQhDkxAAsRusY5NMZUzciiXbLvG5VKtk6NwoNHUB
I7nzMQBTyZ8IxvX68DNT5qguNQ9p6QG19nPd01XdtpbqSvdSpGXMOn+m/HzdsXy4
PcrGoVjP7j04EnDzdZKria0+06YChiPmUJ9TN6FArXwmh0afDo2iK78nocUGaYNj
eNP/EwvjPyDxPwbIBbNoEbzL6E+YK5gjazqDcM1VRNr6RN1lQnx9qVp6KnK7BHXb
cAzSIToj/AiUxaaamEMTiyVsG8sfNxNgad/hG83YJHMlWHcrqIAUgcVe3vGHZFPT
4Ellw1Mgc/P18U9KUWIIj/LxSMNztQgvvvngEfqeyg85jmbFAfbLPihAjHcVttn0
ejJ1CLqLPlfdLkxhjh68ykIVpOzSxWfGfthVa3Jn5vhnhs4zB9tFI38OznXQkjra
8aADXMAQ4YpKohVPOju2yNwcclgrSHUV/vkN26kmyIlJX8nRzc/rSUR8W5HcFleT
+HV84F+46ohPBMJLY9cE2ghla9hGpEaLDrF58Ex23i8jSOiSx61gGHC4zWRUP+mm
+ctwHlU2UHBpdGP0mVBfY3JM//LpvThUTRx0DieHOe+/WV2rL+dsfj2lRiYOZnVY
QDtKhxnlQjsGSpogbD0mW194BjR9yfFuJvaMkHc0kRQpSkqDnKJD7MGzT3Vo62Y8
nf3JtFbSVss=
=rQsP
-----END PGP SIGNATURE-----