===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2021.3958
                            salt security update
                              22 November 2021

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           salt
Publisher:         Debian
Operating System:  Debian GNU/Linux
Impact/Access:     Root Compromise                 -- Remote/Unauthenticated
                   Execute Arbitrary Code/Commands -- Remote/Unauthenticated
                   Access Confidential Data        -- Remote/Unauthenticated
                   Unauthorised Access             -- Remote/Unauthenticated
                   Reduced Security                -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2021-31607 CVE-2021-25284 CVE-2021-25283 CVE-2021-25282
                   CVE-2021-25281 CVE-2021-21996 CVE-2021-3197 CVE-2021-3148
                   CVE-2021-3144 CVE-2020-35662 CVE-2020-28972 CVE-2020-28243
Reference:         ASB-2021.0115 ESB-2021.3835 ESB-2021.3825 ESB-2021.3708
                   ESB-2021.3605

Original Bulletin:
   http://www.debian.org/security/2021/dsa-5011
   https://lists.debian.org/debian-lts-announce/2021/11/msg00017.html
   https://lists.debian.org/debian-lts-announce/2021/11/msg00019.html

Comment: This bulletin contains three (3) Debian security advisories.

--------------------------BEGIN INCLUDED TEXT--------------------

-------------------------------------------------------------------------
Debian Security Advisory DSA-5011-1                   security@debian.org
https://www.debian.org/security/                           Markus Koschany
November 19, 2021                     https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package        : salt
CVE ID         : CVE-2021-21996 CVE-2021-31607 CVE-2021-25284 CVE-2021-25283
                 CVE-2021-25282 CVE-2021-25281 CVE-2021-3197 CVE-2021-3148
                 CVE-2021-3144 CVE-2020-35662 CVE-2020-28972 CVE-2020-28243
Debian Bug     : 983632 994016 987496

Multiple security vulnerabilities have been discovered in Salt, a powerful
remote execution manager, that allow for local privilege escalation on a
minion, server side template injection attacks, insufficient checks for
eauth credentials, shell and command injections or incorrect validation of
SSL certificates.

For the oldstable distribution (buster), this problem has been fixed
in version 2018.3.4+dfsg1-6+deb10u3.

For the stable distribution (bullseye), this problem has been fixed in
version 3002.6+dfsg1-4+deb11u1.

We recommend that you upgrade your salt packages.

For the detailed security status of salt please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/salt

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org

--------------------------------------------------------------------------------------------------------

-------------------------------------------------------------------------
Debian LTS Advisory DLA-2823-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                       Markus Koschany
November 19, 2021                             https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package        : salt
Version        : 2016.11.2+ds-1+deb9u8
CVE ID         : CVE-2021-21996
Debian Bug     : 994016

Jonathan Schlue discovered a vulnerability in Salt, a powerful remote
execution manager. A user who has control of the source, and source_hash
URLs can gain full file system access as root on a salt minion.

For Debian 9 stretch, this problem has been fixed in version
2016.11.2+ds-1+deb9u8.

We recommend that you upgrade your salt packages.

For the detailed security status of salt please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/salt

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

--------------------------------------------------------------------------------------------------------

-------------------------------------------------------------------------
Debian LTS Advisory DLA-2823-2                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                       Markus Koschany
November 21, 2021                             https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package        : salt
Version        : 2016.11.2+ds-1+deb9u9
CVE ID         : CVE-2021-21996
Debian Bug     : 1000265

The security update of Salt, a remote execution manager, to fix
CVE-2021-21996 introduced a regression in salt/fileclient.py which raised
an unexpected exception and made file.managed states fail.

For Debian 9 stretch, this problem has been fixed in version
2016.11.2+ds-1+deb9u9.

We recommend that you upgrade your salt packages.

For the detailed security status of salt please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/salt

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
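Added here as an example (not code from Debian, AusCERT or the Salt project): a Python check that re-implements dpkg's version ordering and compares an installed salt package version against the fixed versions named in DSA-5011-1 and DLA-2823-2 above, using deb9u9 as the stretch threshold because deb9u8 carries the file.managed regression. The FIXED_SALT table and the salt_is_fixed helper are this example's own; the suite names and version strings are the advisories'.

```python
# Added example, not part of the Debian or AusCERT text above: re-implements
# dpkg's version ordering to check an installed salt version against the
# fixed versions named in DSA-5011-1 and DLA-2823-2.
import re
from itertools import zip_longest

FIXED_SALT = {  # suite -> first fixed version, taken from the advisories
    "stretch": "2016.11.2+ds-1+deb9u9",     # deb9u8 fixed the CVE but broke file.managed
    "buster": "2018.3.4+dfsg1-6+deb10u3",
    "bullseye": "3002.6+dfsg1-4+deb11u1",
}

def _order(c):
    # dpkg character weight: '~' sorts before end-of-string, letters before symbols
    if c == "" or c.isdigit():
        return 0
    if c.isalpha():
        return ord(c)
    return -1 if c == "~" else ord(c) + 256

def _verrevcmp(a, b):
    # dpkg's upstream/revision ordering: alternate non-digit and numeric runs
    pa = re.findall(r"(\D*)(\d*)", a)
    pb = re.findall(r"(\D*)(\d*)", b)
    for (sa, na), (sb, nb) in zip_longest(pa, pb, fillvalue=("", "")):
        for ca, cb in zip_longest(sa, sb, fillvalue=""):
            if _order(ca) != _order(cb):
                return _order(ca) - _order(cb)
        if int(na or 0) != int(nb or 0):
            return int(na or 0) - int(nb or 0)
    return 0

def _split(v):
    # 'epoch:upstream-revision' -> (epoch, upstream, revision); epoch and revision optional
    epoch, rest = v.split(":", 1) if ":" in v else ("0", v)
    upstream, revision = rest.rsplit("-", 1) if "-" in rest else (rest, "")
    return int(epoch), upstream, revision

def dpkg_compare(a, b):
    # -1, 0 or 1 as `dpkg --compare-versions` orders a and b: epoch, upstream, revision
    (ea, ua, ra), (eb, ub, rb) = _split(a), _split(b)
    for d in (ea - eb, _verrevcmp(ua, ub), _verrevcmp(ra, rb)):
        if d:
            return -1 if d < 0 else 1
    return 0

def salt_is_fixed(suite, installed):
    # True when the installed salt package is at or above the advisory's fixed version
    return dpkg_compare(installed, FIXED_SALT[suite]) >= 0
```

Feed it the output of `dpkg-query -W -f '${Version}' salt-minion` on each host; a stretch minion at deb9u8 reports as not fixed because the advisory's usable fix is deb9u9.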