Bug 901223 (CVE-2014-3566)

Summary: VUL-0: CVE-2014-3566: openssl: SSLv3 POODLE attack
Product: [Novell Products] SUSE Security Incidents Reporter: Sebastian Krahmer <krahmer>
Component: IncidentsAssignee: Security Team bot <security-team>
Status: RESOLVED FIXED QA Contact: Security Team bot <security-team>
Severity: Major    
Priority: P2 - High CC: boyd.memmott, david.robb, jack.hodge, lchiquitto, meissner, okir, puzel, security-team, srinidhi.bs, vcizek
Version: unspecifiedKeywords: DSLA_REQUIRED, DSLA_SOLUTION_PROVIDED
Target Milestone: ---   
Hardware: Other   
OS: Other   
Whiteboard: maint:released:sle11-sp3:59470 maint:released:sle11-sp3:59479 wasL3:41885 maint:released:sle11-sp2:59553 maint:released:sle10-sp4:59554 maint:released:sle11-sp1:59466 maint:released:sle10-sp3:59469 maint:released:sle10-sp3-manager:59468 maint:released:sle11-sp2:59467 maint:running:59655:important maint:running:59658:moderate maint:released:sle10-sp3:59843 maint:released:sle11-sp3:59844 maint:released:oes11-sp1:59708 maint:released:sles10-oes2-sp3:59734 maint:running:60610:important maint:released:sle10-sp4:60718 maint:released:sle10-sp4:60721 maint:released:sle11-sp2:60789 maint:released:sle11-sp1:60790 maint:running:61113:important maint:released:sle11-sp2:61230
Found By: --- Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---
Bug Depends on: 1031023    
Bug Blocks:    

Description Sebastian Krahmer 2014-10-15 06:10:01 UTC 
Please refer to this:

https://www.openssl.org/~bodo/ssl-poodle.pdf
Comment 2 Swamp Workflow Management 2014-10-15 22:00:13 UTC 
bugbot adjusting priority
Comment 3 Bernhard Wiedemann 2014-10-16 14:00:07 UTC 
This is an autogenerated message for OBS integration:
This bug (901223) was mentioned in
https://build.opensuse.org/request/show/256899 13.1+12.3 / openssl
Comment 4 Olaf Kirch 2014-10-21 12:09:26 UTC 
The changelog says:

---
- upgrade to 1.0.1j
  * fixes bnc#901277 and bnc#901223
---

At least as far as the POODLE vulnerability is concerned, this is factually wrong and also misleading.

As POODLE is *not* a code vulnerability but a flaw in the protocol, merely patching openssl will not help. The new TLS_FALLBACK_SCSV feature can help applications detect illegal protocol downgrades (which is one crucial ingredient of the attack). But all by itself, this change doesn't do anything to protect the user.

Maybe I'm nitpicking, but given that we're getting lots of enquiries from SLES users who have been led to believe that an openssl update is all they need, I'm worried that we're adding to the misinformation.
Comment 5 Vítězslav Čížek 2014-10-21 12:45:10 UTC 
(In reply to Olaf Kirch from comment #4)
> The changelog says:
> 
> ---
> - upgrade to 1.0.1j
>   * fixes bnc#901277 and bnc#901223
> 
> At least as far as the POODLE vulnerability is concerned, this is factually
> wrong and also misleading.

Well, the package indeed fixes these two *SUSE* bugs.
bnc#901277 and bnc#901223 are bugs reported against openssl and these two bugs are going to be closed, once the openssl update is shipped.

> As POODLE is *not* a code vulnerability but a flaw in the protocol, merely
> patching openssl will not help. The new TLS_FALLBACK_SCSV feature can help
> applications detect illegal protocol downgrades (which is one crucial
> ingredient of the attack). But all by itself, this change doesn't do
> anything to protect the user.

The changelog only says:

*) Add support for TLS_FALLBACK_SCSV.
   Client applications doing fallback retries should call
   SSL_set_mode(s, SSL_MODE_SEND_FALLBACK_SCSV).
   (CVE-2014-3566)

I think it's quite clear.
Nothing there about fixing the POODLE.

> Maybe I'm nitpicking, but given that we're getting lots of enquiries from
> SLES users who have been led to believe that an openssl update is all they
> need, I'm worried that we're adding to the misinformation.

For the SLE updates, I'll try to more emphasize that this update doesn't fix the POODLE protocol vulnerability, just adds a downgrade detection support for client applications.
Comment 6 Vítězslav Čížek 2014-10-21 12:54:33 UTC 
(In reply to Vitezslav Cizek from comment #5)
> (In reply to Olaf Kirch from comment #4)
> >
> > Maybe I'm nitpicking, but given that we're getting lots of enquiries from
> > SLES users who have been led to believe that an openssl update is all they
> > need, I'm worried that we're adding to the misinformation.
> 
> For the SLE updates, I'll try to more emphasize that this update doesn't fix
> the POODLE protocol vulnerability, just adds a downgrade detection support
> for client applications.

I suppose I can reference either https://www.suse.com/communities/conversations/poodle-weakness-ssl-protocol-cve-2014-3566/ or https://www.suse.com/support/kb/doc.php?id=7015773 in the openssl changelog.
Comment 14 Swamp Workflow Management 2014-10-29 15:05:08 UTC 
openSUSE-SU-2014:1331-1: An update that fixes four vulnerabilities is now available.

Category: security (important)
Bug References: 901223,901277
CVE References: CVE-2014-3513,CVE-2014-3566,CVE-2014-3567,CVE-2014-3568
Sources used:
openSUSE 13.1 (src):    openssl-1.0.1j-11.56.1
openSUSE 12.3 (src):    openssl-1.0.1j-1.68.1
Comment 18 Swamp Workflow Management 2014-11-04 22:04:54 UTC 
SUSE-SU-2014:1357-1: An update that fixes four vulnerabilities is now available.

Category: security (important)
Bug References: 901223,901277
CVE References: CVE-2014-3513,CVE-2014-3566,CVE-2014-3567,CVE-2014-3568
Sources used:
SUSE Linux Enterprise Security Module 11 SP3 (src):    openssl1-1.0.1g-0.22.1
Comment 23 Swamp Workflow Management 2014-11-05 22:05:08 UTC 
SUSE-SU-2014:1361-1: An update that fixes three vulnerabilities is now available.

Category: security (important)
Bug References: 892403,901223,901277
CVE References: CVE-2014-3566,CVE-2014-3567,CVE-2014-3568
Sources used:
SUSE Linux Enterprise Software Development Kit 11 SP3 (src):    openssl-0.9.8j-0.66.1
SUSE Linux Enterprise Server 11 SP3 for VMware (src):    openssl-0.9.8j-0.66.1
SUSE Linux Enterprise Server 11 SP3 (src):    openssl-0.9.8j-0.66.1
SUSE Linux Enterprise Desktop 11 SP3 (src):    openssl-0.9.8j-0.66.1
Comment 24 Swamp Workflow Management 2014-11-10 23:05:26 UTC 
SUSE-SU-2014:1386-1: An update that fixes four vulnerabilities is now available.

Category: security (important)
Bug References: 892403,901223,901277
CVE References: CVE-2014-3513,CVE-2014-3566,CVE-2014-3567,CVE-2014-3568
Sources used:
SUSE Linux Enterprise Server 11 SP2 LTSS (src):    openssl-0.9.8j-0.66.1
SUSE Linux Enterprise Server 11 SP1 LTSS (src):    openssl-0.9.8j-0.66.1
Comment 25 Swamp Workflow Management 2014-11-11 00:04:55 UTC 
SUSE-SU-2014:1387-1: An update that fixes three vulnerabilities is now available.

Category: security (important)
Bug References: 901223,901277
CVE References: CVE-2014-3566,CVE-2014-3567,CVE-2014-3568
Sources used:
SUSE Linux Enterprise Server 10 SP4 LTSS (src):    openssl-0.9.8a-18.86.3
Comment 27 Swamp Workflow Management 2014-11-12 18:05:08 UTC 
SUSE-SU-2014:1409-1: An update that fixes two vulnerabilities is now available.

Category: security (important)
Bug References: 901223,901277
CVE References: CVE-2014-3566,CVE-2014-3568
Sources used:
SLE CLIENT TOOLS 10 for x86_64 (src):    openssl-0.9.8a-18.86.2
SLE CLIENT TOOLS 10 for s390x (src):    openssl-0.9.8a-18.86.2
SLE CLIENT TOOLS 10 (src):    openssl-0.9.8a-18.86.2
Comment 28 Swamp Workflow Management 2014-11-13 00:04:55 UTC 
SUSE-SU-2014:1387-2: An update that fixes three vulnerabilities is now available.

Category: security (important)
Bug References: 901223,901277
CVE References: CVE-2014-3566,CVE-2014-3567,CVE-2014-3568
Sources used:
SUSE Studio Onsite 1.3 (src):    openssl-0.9.8j-0.66.1
SUSE Manager 1.7 for SLE 11 SP2 (src):    openssl-0.9.8j-0.66.1
Comment 30 Swamp Workflow Management 2014-11-14 07:40:06 UTC 
An update workflow for this issue was started.
This issue was rated as important.
Please submit fixed packages until 2014-11-21.
When done, reassign the bug to security-team@suse.de.
https://swamp.suse.de/webswamp/wf/59655
Comment 31 Swamp Workflow Management 2014-11-14 07:45:13 UTC 
An update workflow for this issue was started.
This issue was rated as important.
Please submit fixed packages until 2014-11-21.
When done, reassign the bug to security-team@suse.de.
https://swamp.suse.de/webswamp/wf/59656
Comment 37 Swamp Workflow Management 2014-11-27 09:05:50 UTC 
SUSE-SU-2014:1512-1: An update that fixes three vulnerabilities is now available.

Category: security (moderate)
Bug References: 901223,901277
CVE References: CVE-2014-3566,CVE-2014-3567,CVE-2014-3568
Sources used:
SUSE Linux Enterprise Module for Legacy Software 12 (src):    compat-openssl098-0.9.8j-62.1
SUSE Linux Enterprise Desktop 12 (src):    compat-openssl098-0.9.8j-62.1
Comment 38 Swamp Workflow Management 2014-11-28 10:06:19 UTC 
SUSE-SU-2014:1524-1: An update that fixes four vulnerabilities is now available.

Category: security (moderate)
Bug References: 901223,901277
CVE References: CVE-2014-3513,CVE-2014-3566,CVE-2014-3567,CVE-2014-3568
Sources used:
SUSE Linux Enterprise Software Development Kit 12 (src):    openssl-1.0.1i-5.1
SUSE Linux Enterprise Server 12 (src):    openssl-1.0.1i-5.1
SUSE Linux Enterprise Desktop 12 (src):    openssl-1.0.1i-5.1
Comment 42 Swamp Workflow Management 2014-12-02 17:04:53 UTC 
SUSE-SU-2014:1541-1: An update that fixes 18 vulnerabilities is now available.

Category: security (moderate)
Bug References: 901223,901239,904889
CVE References: CVE-2014-3065,CVE-2014-3566,CVE-2014-4288,CVE-2014-6457,CVE-2014-6458,CVE-2014-6466,CVE-2014-6492,CVE-2014-6493,CVE-2014-6502,CVE-2014-6503,CVE-2014-6506,CVE-2014-6511,CVE-2014-6512,CVE-2014-6513,CVE-2014-6515,CVE-2014-6531,CVE-2014-6532,CVE-2014-6558
Sources used:
Comment 43 Swamp Workflow Management 2014-12-03 16:04:55 UTC 
SUSE-SU-2014:1549-1: An update that fixes 21 vulnerabilities is now available.

Category: security (important)
Bug References: 901223,901239,904889
CVE References: CVE-2014-3065,CVE-2014-3566,CVE-2014-4288,CVE-2014-6456,CVE-2014-6457,CVE-2014-6458,CVE-2014-6466,CVE-2014-6476,CVE-2014-6492,CVE-2014-6493,CVE-2014-6502,CVE-2014-6503,CVE-2014-6506,CVE-2014-6511,CVE-2014-6512,CVE-2014-6513,CVE-2014-6515,CVE-2014-6527,CVE-2014-6531,CVE-2014-6532,CVE-2014-6558
Sources used:
Comment 44 Swamp Workflow Management 2014-12-04 19:05:23 UTC 
SUSE-SU-2014:1557-1: An update that fixes 7 vulnerabilities is now available.

Category: security (moderate)
Bug References: 802184,880891,890764,901223,901277,905106
CVE References: CVE-2013-0166,CVE-2013-0169,CVE-2014-0224,CVE-2014-3470,CVE-2014-3508,CVE-2014-3566,CVE-2014-3568
Sources used:
SUSE Linux Enterprise for SAP Applications 11 SP1 (src):    compat-openssl097g-0.9.7g-146.22.25.1
Comment 45 Swamp Workflow Management 2014-12-04 23:05:24 UTC 
SUSE-SU-2014:1557-2: An update that fixes 7 vulnerabilities is now available.

Category: security (moderate)
Bug References: 802184,880891,890764,901223,901277,905106
CVE References: CVE-2013-0166,CVE-2013-0169,CVE-2014-0224,CVE-2014-3470,CVE-2014-3508,CVE-2014-3566,CVE-2014-3568
Sources used:
SUSE Linux Enterprise Desktop 11 SP3 (src):    compat-openssl097g-0.9.7g-146.22.25.1
Comment 47 Marcus Meissner 2014-12-12 13:22:21 UTC 
released as much as we could
Comment 50 Swamp Workflow Management 2015-02-21 00:06:05 UTC 
SUSE-SU-2015:0344-1: An update that solves two vulnerabilities and has four fixes is now available.

Category: security (important)
Bug References: 891701,901223,901239,904889,916265,916266
CVE References: CVE-2014-8891,CVE-2014-8892
Sources used:
SUSE Linux Enterprise Server 11 SP2 LTSS (src):    java-1_7_0-ibm-1.7.0_sr8.10-0.6.4, java-1_7_0-ibm-1.7.0_sr8.10-0.6.5
Comment 51 Swamp Workflow Management 2015-02-21 00:07:18 UTC 
SUSE-SU-2015:0345-1: An update that solves two vulnerabilities and has three fixes is now available.

Category: security (important)
Bug References: 901223,901239,904889,916265,916266
CVE References: CVE-2014-8891,CVE-2014-8892
Sources used:
SUSE Linux Enterprise Server 10 SP4 LTSS (src):    java-1_6_0-ibm-1.6.0_sr16.3-0.9.1
Comment 52 Swamp Workflow Management 2015-02-25 18:05:50 UTC 
SUSE-SU-2015:0376-1: An update that solves two vulnerabilities and has four fixes is now available.

Category: security (important)
Bug References: 891699,901223,901239,904889,916265,916266
CVE References: CVE-2014-8891,CVE-2014-8892
Sources used:
SUSE Linux Enterprise Server 10 SP4 LTSS (src):    java-1_5_0-ibm-1.5.0_sr16.9-0.6.1
Comment 53 Swamp Workflow Management 2015-02-27 18:06:06 UTC 
SUSE-SU-2015:0392-1: An update that solves two vulnerabilities and has four fixes is now available.

Category: security (important)
Bug References: 592934,891700,901223,904889,916265,916266
CVE References: CVE-2014-8891,CVE-2014-8892
Sources used:
SUSE Linux Enterprise Server 11 SP2 LTSS (src):    java-1_6_0-ibm-1.6.0_sr16.3-0.4.5
SUSE Linux Enterprise Server 11 SP1 LTSS (src):    java-1_6_0-ibm-1.6.0_sr16.3-0.4.5
Comment 54 Swamp Workflow Management 2015-03-16 11:05:56 UTC 
SUSE-SU-2015:0503-1: An update that fixes 13 vulnerabilities is now available.

Category: security (important)
Bug References: 901223,914041
CVE References: CVE-2014-3566,CVE-2014-6585,CVE-2014-6587,CVE-2014-6591,CVE-2014-6593,CVE-2014-6601,CVE-2015-0383,CVE-2015-0395,CVE-2015-0400,CVE-2015-0407,CVE-2015-0408,CVE-2015-0410,CVE-2015-0412
Sources used:
SUSE Linux Enterprise Server 12 (src):    java-1_7_0-openjdk-1.7.0.75-11.3
SUSE Linux Enterprise Desktop 12 (src):    java-1_7_0-openjdk-1.7.0.75-11.3
Comment 55 Swamp Workflow Management 2015-03-23 23:06:02 UTC 
SUSE-SU-2015:0578-1: An update that contains security fixes can now be installed.

Category: security (important)
Bug References: 802184,880891,890764,901223,901277,905106,912014,912015,912018,912293,912296,920236,922488,922496,922499,922500,922501
CVE References: 
Sources used:
SUSE Linux Enterprise for SAP Applications 11 SP2 (src):    compat-openssl097g-0.9.7g-146.22.29.1
Comment 56 Swamp Workflow Management 2022-02-16 21:15:55 UTC 
SUSE-FU-2022:0445-1: An update that solves 183 vulnerabilities, contains 21 features and has 299 fixes is now available.

Category: feature (moderate)
Bug References: 1000080,1000117,1000194,1000677,1000742,1001148,1001912,1002585,1002895,1003091,1005246,1009528,1010874,1010966,1011936,1015549,1019637,1021641,1022085,1022086,1022271,1027079,1027610,1027688,1027705,1027908,1028281,1028723,1029523,1029902,1030038,1032118,1032119,1035604,1039469,1040164,1040256,1041090,1042392,1042670,1044095,1044107,1044175,1049186,1049304,1050653,1050665,1055478,1055542,1055825,1056058,1056951,1057496,1062237,1065363,1066242,1066873,1068790,1070737,1070738,1070853,1071905,1071906,1071941,1073310,1073845,1073879,1074247,1076519,1077096,1077230,1078329,1079761,1080301,1081005,1081750,1081751,1082155,1082163,1082318,1083826,1084117,1084157,1085276,1085529,1085661,1087102,1087104,1088573,1089039,1090427,1090765,1090953,1093518,1093917,1094788,1094814,1094883,1095267,1096738,1096937,1097158,1097531,1097624,1098535,1098592,1099308,1099569,1100078,1101246,1101470,1102868,1104789,1106197,1108508,1109882,1109998,1110435,1110869,1110871,1111493,1111622,1111657,1112209,1112357,1113534,1113652,1113742,1113975,1115769,1117951,1118611,1119376,1119416,1119792,1121717,1121852,1122191,1123064,1123185,1123186,1123558,1124885,1125815,1126283,1126318,1127080,1127173,1128146,1128323,1128355,1129071,1129566,1130840,1131291,1132174,1132323,1132455,1132663,1132900,1135009,1136444,1138666,1138715,1138746,1139915,1140255,1141168,1142899,1143033,1143454,1143893,1144506,1149686,1149792,1150003,1150190,1150250,1150895,1153830,1155815,1156677,1156694,1156908,1157104,1157354,1158809,1159235,1159538,1160163,1161557,1161770,1162224,1162367,1162743,1163978,1164310,1165439,1165578,1165730,1165823,1165960,1166139,1166758,1167008,1167501,1167732,1167746,1168480,1168973,1169489,1170175,1170863,1171368,1171561,1172226,1172908,1172928,1173226,1173356,1174009,1174091,1174514,1175729,1176116,1176129,1176134,1176232,1176256,1176257,1176258,1176259,1176262,1176389,1176785,1176977,1177120,1177127,1177559,1178168,1178341,1178670,1179491,1179562,1179630,1179805,1180125,1180781,1181126,1181324,1181944,1182066,1182211,1182244,1182264,1182331,1182333,1182379,1182963,1183059,1183374,1183858,1184505,1185588,1185706,1185748,1186738,1187045,1189521,1190781,1193357,356549,381844,394317,408865,428177,430141,431945,437293,442740,459468,489641,504687,509031,526319,590833,610223,610642,629905,637176,651003,657698,658604,670526,673071,693027,715423,720601,743787,747125,748738,749210,749213,749735,750618,751718,751946,751977,754447,754677,761500,774710,784670,784994,787526,793420,799119,802184,803004,809831,811890,822642,825221,828513,831629,832833,834601,835687,839107,84331,849377,855666,855676,856687,857203,857850,858239,867887,869945,871152,872299,873351,876282,876710,876712,876748,880891,885662,885882,889013,889363,892477,892480,895129,898917,901223,901277,901902,902364,906878,907584,908362,908372,912014,912015,912018,912292,912293,912294,912296,912460,913229,915479,917607,917759,917815,919648,920236,922448,922488,922496,922499,922500,926597,929678,929736,930189,931698,931978,933898,933911,934487,934489,934491,934493,935856,937085,937212,937492,937634,937912,939456,940608,942385,942751,943421,944204,945455,946648,947104,947357,947679,948198,952871,954256,954486,954690,957812,957813,957815,958501,961334,962291,963415,963974,964204,964472,964474,965830,967128,968046,968047,968048,968050,968265,968270,968374,968601,975875,976942,977584,977614,977615,977616,977663,978224,981848,982268,982575,983249,984323,985054,988086,990207,990392,990419,990428,991193,991877,992120,992988,992989,992992,993130,993819,993825,993968,994749,994844,994910,995075,995324,995359,995377,995959,996255,997043,997614,998190,999665,999666,999668
CVE References: CVE-2006-2937,CVE-2006-2940,CVE-2006-3738,CVE-2006-4339,CVE-2006-4343,CVE-2006-7250,CVE-2007-3108,CVE-2007-4995,CVE-2007-5135,CVE-2008-0891,CVE-2008-1672,CVE-2008-5077,CVE-2009-0590,CVE-2009-0591,CVE-2009-0789,CVE-2009-1377,CVE-2009-1378,CVE-2009-1379,CVE-2009-1386,CVE-2009-1387,CVE-2010-0740,CVE-2010-0742,CVE-2010-1633,CVE-2010-2939,CVE-2010-3864,CVE-2010-5298,CVE-2011-0014,CVE-2011-3207,CVE-2011-3210,CVE-2011-3389,CVE-2011-4108,CVE-2011-4576,CVE-2011-4577,CVE-2011-4619,CVE-2011-4944,CVE-2012-0027,CVE-2012-0050,CVE-2012-0845,CVE-2012-0884,CVE-2012-1150,CVE-2012-1165,CVE-2012-2110,CVE-2012-2686,CVE-2012-4929,CVE-2013-0166,CVE-2013-0169,CVE-2013-1752,CVE-2013-4238,CVE-2013-4314,CVE-2013-4353,CVE-2013-6449,CVE-2013-6450,CVE-2014-0012,CVE-2014-0076,CVE-2014-0160,CVE-2014-0195,CVE-2014-0198,CVE-2014-0221,CVE-2014-0224,CVE-2014-1829,CVE-2014-1830,CVE-2014-2667,CVE-2014-3470,CVE-2014-3505,CVE-2014-3506,CVE-2014-3507,CVE-2014-3508,CVE-2014-3509,CVE-2014-3510,CVE-2014-3511,CVE-2014-3512,CVE-2014-3513,CVE-2014-3566,CVE-2014-3567,CVE-2014-3568,CVE-2014-3570,CVE-2014-3571,CVE-2014-3572,CVE-2014-4650,CVE-2014-5139,CVE-2014-7202,CVE-2014-7203,CVE-2014-8275,CVE-2014-9721,CVE-2015-0204,CVE-2015-0205,CVE-2015-0206,CVE-2015-0209,CVE-2015-0286,CVE-2015-0287,CVE-2015-0288,CVE-2015-0289,CVE-2015-0293,CVE-2015-1788,CVE-2015-1789,CVE-2015-1790,CVE-2015-1791,CVE-2015-1792,CVE-2015-2296,CVE-2015-3194,CVE-2015-3195,CVE-2015-3196,CVE-2015-3197,CVE-2015-3216,CVE-2015-4000,CVE-2016-0702,CVE-2016-0705,CVE-2016-0797,CVE-2016-0798,CVE-2016-0799,CVE-2016-0800,CVE-2016-10745,CVE-2016-2105,CVE-2016-2106,CVE-2016-2107,CVE-2016-2109,CVE-2016-2176,CVE-2016-2177,CVE-2016-2178,CVE-2016-2179,CVE-2016-2180,CVE-2016-2181,CVE-2016-2182,CVE-2016-2183,CVE-2016-6302,CVE-2016-6303,CVE-2016-6304,CVE-2016-6306,CVE-2016-7052,CVE-2016-7055,CVE-2016-9015,CVE-2017-18342,CVE-2017-3731,CVE-2017-3732,CVE-2017-3735,CVE-2017-3736,CVE-2017-3737,CVE-2017-3738,CVE-2018-0732,CVE-2018-0734,CVE-2018-0737,CVE-2018-0739,CVE-2018-18074,CVE-2018-20060,CVE-2018-5407,CVE-2018-7750,CVE-2019-10906,CVE-2019-11236,CVE-2019-11324,CVE-2019-13132,CVE-2019-1547,CVE-2019-1551,CVE-2019-1559,CVE-2019-1563,CVE-2019-20907,CVE-2019-20916,CVE-2019-5010,CVE-2019-6250,CVE-2019-8341,CVE-2019-9740,CVE-2019-9947,CVE-2020-14343,CVE-2020-15166,CVE-2020-15523,CVE-2020-15801,CVE-2020-1747,CVE-2020-1971,CVE-2020-25659,CVE-2020-26137,CVE-2020-27783,CVE-2020-28493,CVE-2020-29651,CVE-2020-36242,CVE-2020-8492,CVE-2021-23336,CVE-2021-23840,CVE-2021-23841,CVE-2021-28957,CVE-2021-29921,CVE-2021-3177,CVE-2021-33503,CVE-2021-3426,CVE-2021-3712
JIRA References: ECO-3105,SLE-11435,SLE-12684,SLE-12986,SLE-13688,SLE-14253,SLE-15159,SLE-15860,SLE-15861,SLE-16754,SLE-17532,SLE-17957,SLE-18260,SLE-18354,SLE-18446,SLE-19264,SLE-3887,SLE-4480,SLE-4577,SLE-7686,SLE-9135
Sources used:
SUSE Manager Tools 12-BETA (src):    venv-salt-minion-3002.2-3.3.2

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.