Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2020.1894 salt security update 1 June 2020 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: salt Publisher: Debian Operating System: Debian GNU/Linux 8 Impact/Access: Execute Arbitrary Code/Commands -- Unknown/Unspecified Access Confidential Data -- Unknown/Unspecified Unauthorised Access -- Existing Account Resolution: Patch/Upgrade CVE Names: CVE-2020-11652 CVE-2020-11651 Reference: ESB-2020.1884 ESB-2020.1756 ESB-2020.1547 Original Bulletin: https://www.debian.org/lts/security/2020/dla-2223 - --------------------------BEGIN INCLUDED TEXT-------------------- - -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Package : salt Version : 2014.1.13+ds-3+deb8u1 CVE ID : CVE-2020-11651 CVE-2020-11652 Debian Bug : 959684 Several vulnerabilities were discovered in package salt, a configuration management and infrastructure automation software. CVE-2020-11651 The salt-master process ClearFuncs class does not properly validate method calls. This allows a remote user to access some methods without authentication. These methods can be used to retrieve user tokens from the salt master and/or run arbitrary commands on salt minions. CVE-2020-11652 The salt-master process ClearFuncs class allows access to some methods that improperly sanitize paths. These methods allow arbitrary directory access to authenticated users. For Debian 8 "Jessie", these problems have been fixed in version 2014.1.13+ds-3+deb8u1. We recommend that you upgrade your salt packages. Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS - -----BEGIN PGP SIGNATURE----- iQIzBAEBCgAdFiEE7xPqJqaY/zX9fJAuhj1N8u2cKO8FAl7R3zsACgkQhj1N8u2c KO/V0A/+I+O9Wtme0a+TfryuHJhQ5VsvyQwSzPItGSBCbq54jmATV5k7KbSBVyzR YEpG5fvIXlpwlAtJxC4uJH2qALQx+UuJtBiRvA4biG3vpXvF09LJdw1dFRCzzHxn wPzSIZVK0QTyrjzRvI/CJeCeaECwxZWmw5Qs9Y5FOJffNC1S3oyj6YAZVLhz9vBx 11sZXzsejzvZsS2HORi4+uEHrS8/pEcJdmQ7SuHLfL7rasvRzTvAPZ9mEkrX4Cs+ rr1AOm4KrBzyzARhK8t40ECsJQBWVAw8qo7Mv10PWDD7qsvnf6QYZi1DXwwqpihY PdZl+wF8hhRQFRzbwpHbXqZq4bRLTdjSFcrLaMkKVjnXHim7OmvZD7lTzAw0Skmd pRj6HuIHoudF142MVXY6cUXlyofZrnj2FwiM47bFHMx+KzBdu8DKrQFZltykk+/q gKsuBVyr+JUz23l4XeiBBf70o/NJeVFj/fY4VMravkYIYrkeNoEO4ugYCHkE4Jht ieOkubkpLeluMV2ouJAPa/L+59m6z4BTuwcfjkZ0rxAS7wpIr1yod0EcQT57x9SE YreW7s5T9L//d0TJt2UarqyRGhJfkgm2cJiUr4rKNS3mr8zvKuQHp5jBsA8xdTYR 4o+hCqXvsL50k4uuNx58gv+Fzux/PQnfE5+x9BcIiA3m2tYJAXE= =QPyo - -----END PGP SIGNATURE----- - --------------------------END INCLUDED TEXT-------------------- You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person. NOTE: Third Party Rights This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: https://www.auscert.org.au/bulletins/ =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: http://www.auscert.org.au/render.html?it=1967 iQIVAwUBXtRc+eNLKJtyKPYoAQhDkxAAsRusY5NMZUzciiXbLvG5VKtk6NwoNHUB I7nzMQBTyZ8IxvX68DNT5qguNQ9p6QG19nPd01XdtpbqSvdSpGXMOn+m/HzdsXy4 PcrGoVjP7j04EnDzdZKria0+06YChiPmUJ9TN6FArXwmh0afDo2iK78nocUGaYNj eNP/EwvjPyDxPwbIBbNoEbzL6E+YK5gjazqDcM1VRNr6RN1lQnx9qVp6KnK7BHXb cAzSIToj/AiUxaaamEMTiyVsG8sfNxNgad/hG83YJHMlWHcrqIAUgcVe3vGHZFPT 4Ellw1Mgc/P18U9KUWIIj/LxSMNztQgvvvngEfqeyg85jmbFAfbLPihAjHcVttn0 ejJ1CLqLPlfdLkxhjh68ykIVpOzSxWfGfthVa3Jn5vhnhs4zB9tFI38OznXQkjra 8aADXMAQ4YpKohVPOju2yNwcclgrSHUV/vkN26kmyIlJX8nRzc/rSUR8W5HcFleT +HV84F+46ohPBMJLY9cE2ghla9hGpEaLDrF58Ex23i8jSOiSx61gGHC4zWRUP+mm +ctwHlU2UHBpdGP0mVBfY3JM//LpvThUTRx0DieHOe+/WV2rL+dsfj2lRiYOZnVY QDtKhxnlQjsGSpogbD0mW194BjR9yfFuJvaMkHc0kRQpSkqDnKJD7MGzT3Vo62Y8 nf3JtFbSVss= =rQsP -----END PGP SIGNATURE-----