===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2020.2572
                           salt security update
                               29 July 2020

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           salt
Publisher:         Debian
Operating System:  Debian GNU/Linux 9
Impact/Access:     Execute Arbitrary Code/Commands -- Remote/Unauthenticated
                   Unauthorised Access             -- Remote/Unauthenticated
                   Access Confidential Data        -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2018-15751 CVE-2018-15750

Reference:         ESB-2018.3641

Original Bulletin:
   https://lists.debian.org/debian-lts-announce/2020/07/msg00024.html

--------------------------BEGIN INCLUDED TEXT--------------------

-------------------------------------------------------------------------
Debian LTS Advisory DLA-2294-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                    Thorsten Alteholz
July 28, 2020                                 https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package        : salt
Version        : 2016.11.2+ds-1+deb9u5
CVE ID         : CVE-2018-15750 CVE-2018-15751

Two issues have been found in salt, a remote manager to administer
servers. These issues are related to remote hackers bypassing
authentication to execute arbitrary commands and getting information
about files on the server.

For Debian 9 stretch, these problems have been fixed in version
2016.11.2+ds-1+deb9u5.

We recommend that you upgrade your salt packages.

For the detailed security status of salt please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/salt

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================