-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2021.3958
                           salt security update
                             22 November 2021

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           salt
Publisher:         Debian
Operating System:  Debian GNU/Linux
Impact/Access:     Root Compromise                 -- Remote/Unauthenticated
                   Execute Arbitrary Code/Commands -- Remote/Unauthenticated
                   Access Confidential Data        -- Remote/Unauthenticated
                   Unauthorised Access             -- Remote/Unauthenticated
                   Reduced Security                -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2021-31607 CVE-2021-25284 CVE-2021-25283
                   CVE-2021-25282 CVE-2021-25281 CVE-2021-21996
                   CVE-2021-3197 CVE-2021-3148 CVE-2021-3144
                   CVE-2020-35662 CVE-2020-28972 CVE-2020-28243

Reference:         ASB-2021.0115
                   ESB-2021.3835
                   ESB-2021.3825
                   ESB-2021.3708
                   ESB-2021.3605

Original Bulletin: 
   http://www.debian.org/security/2021/dsa-5011
   https://lists.debian.org/debian-lts-announce/2021/11/msg00017.html
   https://lists.debian.org/debian-lts-announce/2021/11/msg00019.html

Comment: This bulletin contains three (3) Debian security advisories.

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- - -------------------------------------------------------------------------
Debian Security Advisory DSA-5011-1                   security@debian.org
https://www.debian.org/security/                          Markus Koschany
November 19, 2021                     https://www.debian.org/security/faq
- - -------------------------------------------------------------------------

Package        : salt
CVE ID         : CVE-2021-21996 CVE-2021-31607 CVE-2021-25284 CVE-2021-25283
                 CVE-2021-25282 CVE-2021-25281 CVE-2021-3197 CVE-2021-3148
                 CVE-2021-3144 CVE-2020-35662 CVE-2020-28972 CVE-2020-28243
Debian Bug     : 983632 994016 987496

Multiple security vulnerabilities have been discovered in Salt, a powerful
remote execution manager: local privilege escalation on a minion, server-side
template injection, insufficient checks of eauth credentials, shell and command
injection, and incorrect validation of SSL certificates.

For the oldstable distribution (buster), this problem has been fixed
in version 2018.3.4+dfsg1-6+deb10u3.

For the stable distribution (bullseye), this problem has been fixed in
version 3002.6+dfsg1-4+deb11u1.

We recommend that you upgrade your salt packages.

For the detailed security status of salt please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/salt

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
- -----BEGIN PGP SIGNATURE-----
- -----END PGP SIGNATURE-----

- --------------------------------------------------------------------------------------------------------

- -------------------------------------------------------------------------
Debian LTS Advisory DLA-2823-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                      Markus Koschany
November 19, 2021                             https://wiki.debian.org/LTS
- -------------------------------------------------------------------------

Package        : salt
Version        : 2016.11.2+ds-1+deb9u8
CVE ID         : CVE-2021-21996
Debian Bug     : 994016

Jonathan Schlue discovered a vulnerability in Salt, a powerful remote execution
manager. A user who controls the source and source_hash URLs can gain full
file system access as root on a Salt minion.

For Debian 9 stretch, this problem has been fixed in version
2016.11.2+ds-1+deb9u8.

We recommend that you upgrade your salt packages.

For the detailed security status of salt please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/salt

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

- --------------------------------------------------------------------------------------------------------

- -------------------------------------------------------------------------
Debian LTS Advisory DLA-2823-2                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                      Markus Koschany
November 21, 2021                             https://wiki.debian.org/LTS
- -------------------------------------------------------------------------

Package        : salt
Version        : 2016.11.2+ds-1+deb9u9
CVE ID         : CVE-2021-21996
Debian Bug     : 1000265

The security update of Salt, a remote execution manager, to fix CVE-2021-21996
introduced a regression in salt/fileclient.py which raised an unexpected
exception and made file.managed states fail.

For Debian 9 stretch, this problem has been fixed in version
2016.11.2+ds-1+deb9u9.

We recommend that you upgrade your salt packages.

For the detailed security status of salt please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/salt

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS


- -----BEGIN PGP SIGNATURE-----

iQKTBAABCgB9FiEErPPQiO8y7e9qGoNf2a0UuVE7UeQFAmGZlZ5fFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEFD
RjNEMDg4RUYzMkVERUY2QTFBODM1RkQ5QUQxNEI5NTEzQjUxRTQACgkQ2a0UuVE7
UeShsA/9EkWbSb3kPUJuV0FZmIDHnSz9zSFsDXREi+m09shzYcVvyFagYqvty6kd
N9KuuXOmVMB6RdJRrs8BZ/34qZGTX5EtPE/e5fWIMVjxx+nypern3cl43tp+S1Fa
mpOv4F4xs+dv/fggRAS1IJ+wXMU04tqPXnDI41yTDGgEWPOd2fAIx38QNyc/oxIB
kredrvXzyjBORNTQaCLNXNTLvOGOt/5oCvxOj3ZY/RmQA27aBdk+f1JgjmTEab3c
j3jHzoASbCYcqTanB1xA5To4WrthtCRDDCy4yUGMQoO5nu6aaUFoP1GFaFwmuv2j
ao2c8/2GhGfq6rM/szQwdytgzpknse/2zPqK1EZlSIgELIB9uF2T/+ypQT3UBeK1
KkhGEeSLB7mXeUPr1n+vVWUSGVtW0ySZ8FuNPrRmNehvSXEy+XKHY5zxGG5QPBQJ
vTi7uuZlJ3Ka921TXG35KreuZWwUk6eCR2DyL6b9Gh/jzWkdrBJVqAQEYjCobsY+
aSr6DUCOtC1uA30z6mbBXRwPmqBcQOWSvrYWkYWfYNvYGVwQRnVdjH8xEuqnipIA
PkHZGnWxgK2GNC8bTarPATkh1VIXQQdAMkwBPoSSYWSCcZD3Y8hrF6HnEh60pZ7P
av8t5w/nzR+vAWbF3ZFGMYVLWTJlAZvHgU6SHUMRZ/V7qWHZsUk=
=mg49
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----