Gentoo Archives: gentoo-announce

From: Thomas Deutschmann <whissi@g.o>
To: gentoo-announce@l.g.o
Subject: [gentoo-announce] [ GLSA 202103-01 ] Salt: Multiple vulnerabilities
Date: Wed, 31 Mar 2021 12:24:43
Message-Id: 02bc978f-02f4-efd4-062d-ff6e9ed1e981@gentoo.org
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory                           GLSA 202103-01
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
     Title: Salt: Multiple vulnerabilities
      Date: March 31, 2021
      Bugs: #767919
        ID: 202103-01

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities have been found in Salt, the worst of which
could allow a remote attacker to execute arbitrary commands.

Background
==========

Salt is a fast, intelligent and scalable automation engine.

Affected packages
=================

    -------------------------------------------------------------------
         Package              /     Vulnerable     /     Unaffected
    -------------------------------------------------------------------
      1  app-admin/salt             < 3000.8              >= 3000.8

Description
===========

Multiple vulnerabilities have been discovered in Salt. Please review
the CVE identifiers referenced below for details.

Impact
======

A remote attacker could possibly execute arbitrary commands via
salt-api, cause a Denial of Service condition, bypass access
restrictions or disclose sensitive information.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All Salt users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=app-admin/salt-3000.8"

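Before and after the upgrade it is useful to confirm which installed
Salt versions actually fall inside the vulnerable range "< 3000.8"
quoted in the table above. The script below is an added example and is
not part of the GLSA or of Gentoo's tooling: it compares Gentoo-style
dot-separated numeric versions (a "-rN" revision suffix is ignored,
which is safe here because the fixed version has no revision) against
the fixed version, and runs it over a constructed sample that mimics the
output of "qlist -Iv app-admin/salt" from app-portage/portage-utils.
Pipe the real qlist output through check_installed to test a live host.

```shell
#!/bin/sh
# Added example, not from the advisory: classify installed app-admin/salt
# versions against the fixed version named in GLSA 202103-01.

FIXED_VERSION=3000.8

# version_lt A B: return 0 (true) if A < B, comparing each dot-separated
# numeric component; a missing component counts as 0 (3000 == 3000.0).
version_lt() {
    a=${1%%-r*}   # drop Gentoo revision suffix (e.g. 3000.8-r1 -> 3000.8)
    b=${2%%-r*}
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai=${a%%.*}
        bi=${b%%.*}
        # advance to the next component, or empty the string on the last one
        if [ "$ai" = "$a" ]; then a=''; else a=${a#*.}; fi
        if [ "$bi" = "$b" ]; then b=''; else b=${b#*.}; fi
        : "${ai:=0}" "${bi:=0}"
        if [ "$ai" -lt "$bi" ]; then return 0; fi
        if [ "$ai" -gt "$bi" ]; then return 1; fi
    done
    return 1   # equal
}

# salt_vulnerable VERSION: print "vulnerable" or "unaffected"
salt_vulnerable() {
    if version_lt "$1" "$FIXED_VERSION"; then
        echo vulnerable
    else
        echo unaffected
    fi
}

# check_installed: read "app-admin/salt-VERSION" atoms on stdin (the shape
# of "qlist -Iv app-admin/salt" output) and print one verdict per line.
check_installed() {
    while read -r atom; do
        [ -n "$atom" ] || continue
        ver=${atom#app-admin/salt-}
        printf '%s %s\n' "$atom" "$(salt_vulnerable "$ver")"
    done
}

# Constructed sample input (not real qlist output); a live check would be:
#   qlist -Iv app-admin/salt | check_installed
SAMPLE='app-admin/salt-3000.7
app-admin/salt-3000.8-r1'

printf '%s\n' "$SAMPLE" | check_installed
```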
References
==========

[ 1 ] CVE-2020-28243
      https://nvd.nist.gov/vuln/detail/CVE-2020-28243
[ 2 ] CVE-2020-28972
      https://nvd.nist.gov/vuln/detail/CVE-2020-28972
[ 3 ] CVE-2020-35662
      https://nvd.nist.gov/vuln/detail/CVE-2020-35662
[ 4 ] CVE-2021-25281
      https://nvd.nist.gov/vuln/detail/CVE-2021-25281
[ 5 ] CVE-2021-25282
      https://nvd.nist.gov/vuln/detail/CVE-2021-25282
[ 6 ] CVE-2021-25283
      https://nvd.nist.gov/vuln/detail/CVE-2021-25283
[ 7 ] CVE-2021-25284
      https://nvd.nist.gov/vuln/detail/CVE-2021-25284
[ 8 ] CVE-2021-3144
      https://nvd.nist.gov/vuln/detail/CVE-2021-3144
[ 9 ] CVE-2021-3148
      https://nvd.nist.gov/vuln/detail/CVE-2021-3148
[ 10 ] CVE-2021-3197
      https://nvd.nist.gov/vuln/detail/CVE-2021-3197

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

https://security.gentoo.org/glsa/202103-01

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@g.o or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2021 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Attachments

  File name                MIME type
  OpenPGP_signature.asc    application/pgp-signature