===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2020.2572
                           salt security update
                               29 July 2020

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           salt
Publisher:         Debian
Operating System:  Debian GNU/Linux 9
Impact/Access:     Execute Arbitrary Code/Commands -- Remote/Unauthenticated
                   Unauthorised Access             -- Remote/Unauthenticated
                   Access Confidential Data        -- Existing Account      
Resolution:        Patch/Upgrade
CVE Names:         CVE-2018-15751 CVE-2018-15750 

Reference:         ESB-2018.3641

Original Bulletin: 
   https://lists.debian.org/debian-lts-announce/2020/07/msg00024.html

--------------------------BEGIN INCLUDED TEXT--------------------

-------------------------------------------------------------------------
Debian LTS Advisory DLA-2294-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                    Thorsten Alteholz
July 28, 2020                                 https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package        : salt
Version        : 2016.11.2+ds-1+deb9u5
CVE ID         : CVE-2018-15750 CVE-2018-15751


Two issues have been found in salt, a remote manager to administer 
servers.

These issues are related to remote hackers bypassing authentication to
execute arbitrary commands and getting information about files on the
server.


For Debian 9 stretch, these problems have been fixed in version
2016.11.2+ds-1+deb9u5.

We recommend that you upgrade your salt packages.

For the detailed security status of salt please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/salt

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS


--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================