1. Home
  2. Security Advisories
  3. SUSE
  4. SUSE-SU-2022:1536-1

[SUSE-SU-2022:1536-1] Security Beta update for SUSE Manager Salt Bundle

Severity Important
CVEs 8
Info References Vulnerabilities

Security Beta update for SUSE Manager Salt Bundle

This update fixes the following issues:

venv-salt-minion:

  • Fix the regression caused by the patch removing strict requirement for OpenSSL 1.1.1 leading to read/write issues with ssl module for SLE 15, SLE 12, CentOS 7, Debian 9 (bsc#1198556)
  • Fixes for Python 3.10
  • Fix salt-ssh opts poisoning (bsc#1197637)
  • Fix multiple security issues (bsc#1197417)
    • CVE-2022-22935: Sign authentication replies to prevent MiTM
    • CVE-2022-22934: Sign pillar data to prevent MiTM attacks.
    • CVE-2022-22936: Prevent job and fileserver replays.
    • CVE-2022-22941: Fixed targeting bug, especially visible when using syndic and user auth.
  • Salt version bump to 3004
  • Python version bump to 3.10.2
  • CVE-2022-24302: unauthorized information disclosure for python-paramiko.
  • CVE-2021-28957: XSS due to missing input sanitization in python-lxml.
  • CVE-2018-19787: XSS attacks due to missing URLs sanitization in python-lxml.
  • Security Fix: (bsc#1196249, bsc#1196877, CVE-2022-0778)
    • Allow CRYPTO_THREADID_set_callback to be called with NULL parameter
    • Infinite loop in BN_mod_sqrt() reachable when parsing certificates
ID
SUSE-SU-2022:1536-1
Severity
important
URL
https://www.suse.com/support/update/announcement/2022/suse-su-20221536-1/
Published
2022-05-04T13:33:28
(2 years ago)
Modified
2022-05-04T13:33:28
(2 years ago)
Rights
Copyright 2023 SUSE LLC. All rights reserved.
Other Advisories
Source # ID Name URL
Suse URL for SUSE-SU-2022:1536-1 https://www.suse.com/support/update/announcement/2022/suse-su-20221536-1/
Suse SUSE ratings https://www.suse.com/support/security/rating/
Suse URL of this CSAF notice https://ftp.suse.com/pub/projects/security/csaf/suse-su-2022_1536-1.json
Suse E-Mail link for SUSE-SU-2022:1536-1 https://lists.suse.com/pipermail/sle-security-updates/2022-May/010932.html
Bugzilla SUSE Bug 1118088 https://bugzilla.suse.com/1118088
Bugzilla SUSE Bug 1184177 https://bugzilla.suse.com/1184177
Bugzilla SUSE Bug 1196249 https://bugzilla.suse.com/1196249
Bugzilla SUSE Bug 1196877 https://bugzilla.suse.com/1196877
Bugzilla SUSE Bug 1197279 https://bugzilla.suse.com/1197279
Bugzilla SUSE Bug 1197417 https://bugzilla.suse.com/1197417
Bugzilla SUSE Bug 1197637 https://bugzilla.suse.com/1197637
Bugzilla SUSE Bug 1198556 https://bugzilla.suse.com/1198556
CVE SUSE CVE CVE-2018-19787 page https://www.suse.com/security/cve/CVE-2018-19787/
CVE SUSE CVE CVE-2021-28957 page https://www.suse.com/security/cve/CVE-2021-28957/
CVE SUSE CVE CVE-2022-0778 page https://www.suse.com/security/cve/CVE-2022-0778/
CVE SUSE CVE CVE-2022-22934 page https://www.suse.com/security/cve/CVE-2022-22934/
CVE SUSE CVE CVE-2022-22935 page https://www.suse.com/security/cve/CVE-2022-22935/
CVE SUSE CVE CVE-2022-22936 page https://www.suse.com/security/cve/CVE-2022-22936/
CVE SUSE CVE CVE-2022-22941 page https://www.suse.com/security/cve/CVE-2022-22941/
CVE SUSE CVE CVE-2022-24302 page https://www.suse.com/security/cve/CVE-2022-24302/
# CVE Description CVSS EPSS EPSS Trend (30 days) Affected Products Weaknesses Security Advisories Exploits PoC Pubblication Date Modification Date
# CVE Description CVSS EPSS EPSS Trend (30 days) Affected Products Weaknesses Security Advisories PoC Pubblication Date Modification Date