Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2020.2491
Security update for SUSE Manager Client Tools
22 July 2020
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: SUSE Manager Ubuntu 16.04-CLIENT-TOOLS
Publisher: SUSE
Operating System: SUSE
Impact/Access: Root Compromise -- Existing Account
Execute Arbitrary Code/Commands -- Existing Account
Access Confidential Data -- Remote/Unauthenticated
Unauthorised Access -- Existing Account
Resolution: Patch/Upgrade
CVE Names: CVE-2020-11652 CVE-2020-11651 CVE-2019-18897
Reference: ESB-2020.2097
ESB-2020.1051
Original Bulletin:
https://www.suse.com/support/update/announcement/2020/suse-su-202014429-1
- --------------------------BEGIN INCLUDED TEXT--------------------
SUSE Security Update: Security update for SUSE Manager Client Tools
______________________________________________________________________________
Announcement ID: SUSE-SU-2020:14429-1
Rating: moderate
References: #1153090 #1153277 #1154940 #1155372 #1157465 #1159284
#1162327 #1163871 #1165572 #1167437 #1168340 #1169604
#1169800 #1170104 #1170288 #1170595 #1171687 #1171906
#1172075 #1173072 #1174165
Cross-References: CVE-2019-18897 CVE-2020-11651 CVE-2020-11652
Affected Products:
SUSE Manager Ubuntu 16.04-CLIENT-TOOLS
______________________________________________________________________________
An update that solves three vulnerabilities and has 18 fixes is now available.
Description:
This update fixes the following issues:
salt:
o Require python3-distro only for TW (bsc#1173072)
o Various virt backports from 3000.2
o Avoid traceback on debug logging for swarm module (bsc#1172075)
o Add publish_batch to ClearFuncs exposed methods
o Update to salt version 3000 See release notes: https://docs.saltstack.com/
en/latest/topics/releases/3000.html
o Zypperpkg: filter patterns that start with dot (bsc#1171906)
o Batch mode now also correctly provides return value (bsc#1168340)
o Add docker.logout to docker execution module (bsc#1165572)
o Testsuite fix
o Add option to enable/disable force refresh for zypper
o Python3.8 compatibility changes
o Prevent sporious "salt-api" stuck processes when managing SSH minions
because of logging deadlock (bsc#1159284)
o Avoid segfault from "salt-api" under certain conditions of heavy load
managing SSH minions (bsc#1169604)
o Revert broken changes to slspath made on Salt 3000 (saltstack/salt#56341)
(bsc#1170104)
o Returns a the list of IPs filtered by the optional network list
o Fix CVE-2020-11651 and CVE-2020-11652 (bsc#1170595)
o Do not require vendored backports-abc (bsc#1170288)
o Fix partition.mkpart to work without fstype (bsc#1169800)
o Enable building and installation for Fedora
o Disable python2 build on Tumbleweed We are removing the python2 interpreter
from openSUSE (SLE16). As such disable salt building for python2 there.
o More robust remote port detection
o Sanitize grains loaded from roster_grains.json cache during "state.pkg"
o Do not make file.recurse state to fail when msgpack 0.5.4 (bsc#1167437)
o Build: Buildequire pkgconfig(systemd) instead of systemd pkgconfig(systemd)
is provided by systemd, so this is de-facto no change. But inside the Open
Build Service (OBS), the same symbol is also provided by systemd-mini,
which exists to shorten build-chains by only enabling what other packages
need to successfully build
o Add new custom SUSE capability for saltutil state module
o Fixes status attribute issue in aptpkg test
o Make setup.py script not to require setuptools greater than 9.1
o Loop: fix variable names for until_no_eval
o Drop conflictive module.run state patch (bsc#1167437)
o Update patches after rebase with upstream v3000 tag (bsc#1167437)
o Fix some requirements issues depending on Python3 versions
o Removes obsolete patch
o Fix for low rpm_lowpkg unit test
o Add python-singledispatch as dependency for python2-salt
o Virt._get_domain: don't raise an exception if there is no VM
o Fix for temp folder definition in loader unit test
o Adds test for zypper abbreviation fix
o Improved storage pool or network handling
o Better import cache handline
o Make "salt.ext.tornado.gen" to use "salt.ext.backports_abc" on Python 2
o Fix regression in service states with reload argument
o Fix integration test failure for test_mod_del_repo_multiline_values
o Fix for unless requisite when pip is not installed
o Fix errors from unit tests due NO_MOCK and NO_MOCK_REASON deprecation
o Fix tornado imports and missing _utils after rebasing patches
o Removes unresolved merge conflict in yumpkg module
o Use full option name instead of undocumented abbreviation for zypper
o Requiring python3-distro only for openSUSE/SLE >= 15 and not for Python 2
builds
o Avoid possible user escalation upgrading salt-master (bsc#1157465)
(CVE-2019-18897)
o Fix unit tests failures in test_batch_async tests
o Batch Async: Handle exceptions, properly unregister and close instances
after running async batching to avoid CPU starvation of the MWorkers (bsc#
1162327)
o RHEL/CentOS 8 uses platform-python instead of python3
o Loader: invalidate the import cachefor extra modules
o Zypperpkg: filter patterns that start with dot (bsc#1171906)
o Batch mode now also correctly provides return value (bsc#1168340)
o Add docker.logout to docker execution module (bsc#1165572)
o Improvements for chroot module
o Add option to enable/disable force refresh for zypper
o Prevent sporious "salt-api" stuck processes when managing SSH minions
because of logging deadlock (bsc#1159284)
o Avoid segfault from "salt-api" under certain conditions of heavy load
managing SSH minions (bsc#1169604)
o Fix for TypeError in Tornado importer (bsc#1174165)
spacecmd:
o Only report real error, not result (bsc#1171687)
o Use defined return values for spacecmd methods so scripts can check for
failure (bsc#1171687)
o Disable globbing for api subcommand to allow wildcards in filter settings
(bsc#1163871)
o Bugfix: attempt to purge SSM when it is empty (bsc#1155372)
o Bump version to 4.1.0 (bsc#1154940)
o Prevent error when piping stdout in Python 2 (bsc#1153090)
o Java api expects content as encoded string instead of encoded bytes like
before (bsc#1153277)
o Enable building and installing for Ubuntu 16.04 and Ubuntu 18.04
o Add unit test for schedule, errata, user, utils, misc, configchannel and
kickstart modules
o Multiple minor bugfixes alongside the unit tests
o Bugfix: referenced variable before assignment.
o Add unit test for report, package, org, repo and group
Patch Instructions:
To install this SUSE Security Update use the SUSE recommended installation
methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
o SUSE Manager Ubuntu 16.04-CLIENT-TOOLS:
zypper in -t patch suse-ubu164ct-client-tools-202006-14429=1
Package List:
o SUSE Manager Ubuntu 16.04-CLIENT-TOOLS (all):
salt-common-3000+ds-1+47.1
salt-minion-3000+ds-1+47.1
spacecmd-4.1.4-5.2
References:
o https://www.suse.com/security/cve/CVE-2019-18897.html
o https://www.suse.com/security/cve/CVE-2020-11651.html
o https://www.suse.com/security/cve/CVE-2020-11652.html
o https://bugzilla.suse.com/1153090
o https://bugzilla.suse.com/1153277
o https://bugzilla.suse.com/1154940
o https://bugzilla.suse.com/1155372
o https://bugzilla.suse.com/1157465
o https://bugzilla.suse.com/1159284
o https://bugzilla.suse.com/1162327
o https://bugzilla.suse.com/1163871
o https://bugzilla.suse.com/1165572
o https://bugzilla.suse.com/1167437
o https://bugzilla.suse.com/1168340
o https://bugzilla.suse.com/1169604
o https://bugzilla.suse.com/1169800
o https://bugzilla.suse.com/1170104
o https://bugzilla.suse.com/1170288
o https://bugzilla.suse.com/1170595
o https://bugzilla.suse.com/1171687
o https://bugzilla.suse.com/1171906
o https://bugzilla.suse.com/1172075
o https://bugzilla.suse.com/1173072
o https://bugzilla.suse.com/1174165
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
https://www.auscert.org.au/bulletins/
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBXxe5JuNLKJtyKPYoAQic/w//bzL/8tvaKU4grnB1jpnsbY89ZaYud6nX
AiYj8pdkAp1X1XYpCaw6S4+ir4g29W9u8cW8CbT6+3padNjoAzopTwPqI8dzjcmZ
AbWQYHdSNoympvwhWjvDKaSJt1f/CLvcMGlJTgak0jHHoZLRPX7bzkHxRpv1ArM6
QY0MKcWVDu6Mx5ZSkjIk1lcGBKbR0gcp9lvzOFddNl2q/zRVDAShFQoS6HZkBDl3
idA8JMHrjQmMaBZhLtX84vGfQO0dsiZH0PXkke98OK1A/6bWH07hdn//gVneU8TP
z70zRoJnDTWfd4bxR3KBjg3ySgFn5nzlSYjScgRGQbw39QPCy/jonN2MXbrNfzt8
6j/t1qQqX/g3+7JhTk4E1qxIs3SmDu9Ycjd8mNtCFa322lBbmvzytLSxRVGMOKjX
kXBmFk2ng8qccxXHHVHyX8KDAWcwkbj3GVLpZfgeRQBa7/xHLRSc9fOw01TwwD60
kit+n/AZyxtQinB0Dxi0h9N5ubRq0CKvYUFuh9GOPzcwcuD0fC4QdPlRWNOHRZDf
eUyeHnNIq0d1fZwNnfFRlmWfYgmGDaM2fsQPAxCSHIvu7vm+gvm45LKSHjv4sZn7
xcuNQKTrSR16v4JyyKSxxueKwO8Ixh7tLHQoVWMoV3o4Yc+LkK9CmkBQLz6QaEq/
fmG5sxYaqtg=
=oymP
-----END PGP SIGNATURE-----