Bugzilla – Bug 1214797
VUL-0: CVE-2023-20898: salt: Git Providers can read from the wrong environment because they get the same cache directory base name
Last modified: 2024-06-18 12:03:49 UTC
CVE-2023-20898 Description: Git Providers can read from the wrong environment because they get the same cache directory base name. Impact: Anything that uses Git Providers with different environments can get garbage data or the wrong data, which can lead to wrongful data disclosure, wrongful executions, data corruption and/or crash. Solution: Include environment and other information in the hash that generates cache directory base name. So, if the same repository is used with different environments, they all get their own cache directory. Also wrap Git Providers lock with a multiprocessing lock to help mitigate locking race conditions. How to Mitigate: Upgrade masters to 3005.2 or 3006.2. Attribution: https://www.suse.com Severity Rating: 4.2 CVSS v3.0/AV:L/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:N
This only affects the Salt Master stack. We only maintain it for Salt 3006.0. Tracking as affected: - SUSE:ALP:Source:Standard:1.0/salt - SUSE:SLE-15-SP1:Update/salt - SUSE:SLE-15-SP2:Update/salt - SUSE:SLE-15-SP3:Update/salt - SUSE:SLE-15-SP4:Update/salt - SUSE:SLE-15-SP5:Update/salt - SUSE:Debian-10:Update:Products:ManagerTools:Update/salt - SUSE:RES-8:Update:Products:ManagerTools:Update/salt - SUSE:Ubuntu-18.04:Update/salt - SUSE:Ubuntu-20.04:Update:Products:ManagerTools:Update/salt
salt-master is not shipped in the last 4 codestreams listed in comment 3, so only this codestreams are affected: - SUSE:ALP:Source:Standard:1.0/salt - SUSE:SLE-15-SP1:Update/salt - SUSE:SLE-15-SP2:Update/salt - SUSE:SLE-15-SP3:Update/salt - SUSE:SLE-15-SP4:Update/salt - SUSE:SLE-15-SP5:Update/salt
This should be fixed now by: SUSE:ALP:Source:Standard:1.0 - https://build.suse.de/request/show/307891 SUSE:SLE-15-SP1:Update/salt - https://build.suse.de/request/show/307877 SUSE:SLE-15-SP2:Update/salt - https://build.suse.de/request/show/307872 SUSE:SLE-15-SP3:Update/salt - https://build.suse.de/request/show/307875 SUSE:SLE-15-SP4:Update/salt - https://build.suse.de/request/show/307874 SUSE:SLE-15-SP5:Update/salt - https://build.suse.de/request/show/307876 I'm setting assignee back to Security Team. Thanks!
SUSE-SU-2023:3885-1: An update that solves six vulnerabilities, contains seven features and has 74 security fixes can now be installed. Category: security (important) Bug References: 1193948, 1193948, 1207330, 1207330, 1208692, 1208692, 1208692, 1210935, 1210935, 1211525, 1211525, 1211525, 1211874, 1211874, 1211884, 1211884, 1212246, 1212246, 1212730, 1212730, 1212814, 1212814, 1212827, 1212827, 1212856, 1212856, 1212856, 1212943, 1212943, 1212943, 1213009, 1213009, 1213077, 1213077, 1213288, 1213288, 1213441, 1213441, 1213445, 1213445, 1213445, 1213469, 1213469, 1213675, 1213675, 1213675, 1213716, 1213716, 1213880, 1213880, 1214002, 1214002, 1214121, 1214121, 1214124, 1214124, 1214187, 1214187, 1214266, 1214266, 1214280, 1214280, 1214796, 1214796, 1214797, 1214797, 1214889, 1214889, 1214982, 1214982, 1215352, 1215352, 1215362, 1215362, 1215413, 1215413, 1215497, 1215497, 1215756, 1215756 CVE References: CVE-2023-20897, CVE-2023-20897, CVE-2023-20898, CVE-2023-20898, CVE-2023-29409, CVE-2023-29409 Jira References: MSQA-699, MSQA-699, MSQA-699, SUMA-158, SUMA-158, SUMA-280, SUMA-280 Sources used: openSUSE Leap 15.4 (src): release-notes-susemanager-proxy-4.3.8-150400.3.61.2, release-notes-susemanager-4.3.8-150400.3.77.1 SUSE Manager Proxy 4.3 (src): release-notes-susemanager-proxy-4.3.8-150400.3.61.2 SUSE Manager Retail Branch Server 4.3 (src): release-notes-susemanager-proxy-4.3.8-150400.3.61.2 SUSE Manager Server 4.3 (src): release-notes-susemanager-4.3.8-150400.3.77.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2023:3884-1: An update that solves two vulnerabilities, contains one feature and has 10 security fixes can now be installed. Category: security (moderate) Bug References: 1193948, 1210994, 1212794, 1212844, 1212855, 1213257, 1213441, 1213630, 1213960, 1214796, 1214797, 1215489 CVE References: CVE-2023-20897, CVE-2023-20898 Jira References: MSQA-699 Sources used: SUSE Manager Client Tools for RHEL, Liberty and Clones 9 (src): venv-salt-minion-3006.0-1.24.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2023:3881-1: An update that solves two vulnerabilities, contains one feature and has 10 security fixes can now be installed. Category: security (moderate) Bug References: 1193948, 1210994, 1212794, 1212844, 1212855, 1213257, 1213441, 1213630, 1213960, 1214796, 1214797, 1215489 CVE References: CVE-2023-20897, CVE-2023-20898 Jira References: MSQA-699 Sources used: NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-202308:15234-1: An update that solves two vulnerabilities, contains one feature and has 10 security fixes can now be installed. Category: security (moderate) Bug References: 1193948, 1210994, 1212794, 1212844, 1212855, 1213257, 1213441, 1213630, 1213960, 1214796, 1214797, 1215489 CVE References: CVE-2023-20897, CVE-2023-20898 Jira References: MSQA-699 Sources used: NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-202309:15233-1: An update that solves two vulnerabilities, contains one feature and has 10 security fixes can now be installed. Category: security (moderate) Bug References: 1193948, 1210994, 1212794, 1212844, 1212855, 1213257, 1213441, 1213630, 1213960, 1214796, 1214797, 1215489 CVE References: CVE-2023-20897, CVE-2023-20898 Jira References: MSQA-699 Sources used: NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2023:3877-1: An update that solves two vulnerabilities, contains one feature and has 10 security fixes can now be installed. Category: security (moderate) Bug References: 1193948, 1210994, 1212794, 1212844, 1212855, 1213257, 1213441, 1213630, 1213960, 1214796, 1214797, 1215489 CVE References: CVE-2023-20897, CVE-2023-20898 Jira References: MSQA-699 Sources used: SUSE Manager Client Tools for SLE 15 (src): venv-salt-minion-3006.0-150000.3.42.1 SUSE Manager Client Tools for SLE Micro 5 (src): venv-salt-minion-3006.0-150000.3.42.1 SUSE Manager Proxy 4.3 Module 4.3 (src): venv-salt-minion-3006.0-150000.3.42.1 SUSE Manager Server 4.3 Module 4.3 (src): venv-salt-minion-3006.0-150000.3.42.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2023:3876-1: An update that solves two vulnerabilities, contains one feature and has 10 security fixes can now be installed. Category: security (moderate) Bug References: 1193948, 1210994, 1212794, 1212844, 1212855, 1213257, 1213441, 1213630, 1213960, 1214796, 1214797, 1215489 CVE References: CVE-2023-20897, CVE-2023-20898 Jira References: MSQA-699 Sources used: SUSE Manager Client Tools for SLE 12 (src): venv-salt-minion-3006.0-3.40.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2023:3871-1: An update that solves two vulnerabilities, contains one feature and has 10 security fixes can now be installed. Category: security (moderate) Bug References: 1193948, 1210994, 1212794, 1212844, 1212855, 1213257, 1213441, 1213630, 1213960, 1214796, 1214797, 1215489 CVE References: CVE-2023-20897, CVE-2023-20898 Jira References: MSQA-699 Sources used: NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-202309:15230-1: An update that solves three vulnerabilities, contains two features and has 11 security fixes can now be installed. Category: security (moderate) Bug References: 1193948, 1210994, 1212794, 1212844, 1212855, 1213257, 1213441, 1213630, 1213691, 1213880, 1213960, 1214796, 1214797, 1215489 CVE References: CVE-2023-20897, CVE-2023-20898, CVE-2023-29409 Jira References: ECO-3319, MSQA-699 Sources used: NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2023:3866-1: An update that solves two vulnerabilities and has 10 security fixes can now be installed. Category: security (moderate) Bug References: 1193948, 1210994, 1212794, 1212844, 1212855, 1213257, 1213441, 1213630, 1213960, 1214796, 1214797, 1215489 CVE References: CVE-2023-20897, CVE-2023-20898 Sources used: SUSE Linux Enterprise Server 15 SP1 LTSS 15-SP1 (src): salt-3006.0-150100.107.1 SUSE Linux Enterprise Server for SAP Applications 15 SP1 (src): salt-3006.0-150100.107.1 SUSE CaaS Platform 4.0 (src): salt-3006.0-150100.107.1 SUSE Linux Enterprise High Performance Computing 15 SP1 LTSS 15-SP1 (src): salt-3006.0-150100.107.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2023:3865-1: An update that solves two vulnerabilities and has 10 security fixes can now be installed. Category: security (moderate) Bug References: 1193948, 1210994, 1212794, 1212844, 1212855, 1213257, 1213441, 1213630, 1213960, 1214796, 1214797, 1215489 CVE References: CVE-2023-20897, CVE-2023-20898 Sources used: SUSE Linux Enterprise High Performance Computing 15 SP2 LTSS 15-SP2 (src): salt-3006.0-150200.108.1 SUSE Linux Enterprise Server 15 SP2 LTSS 15-SP2 (src): salt-3006.0-150200.108.1 SUSE Linux Enterprise Server for SAP Applications 15 SP2 (src): salt-3006.0-150200.108.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2023:3864-1: An update that solves two vulnerabilities and has 10 security fixes can now be installed. Category: security (moderate) Bug References: 1193948, 1210994, 1212794, 1212844, 1212855, 1213257, 1213441, 1213630, 1213960, 1214796, 1214797, 1215489 CVE References: CVE-2023-20897, CVE-2023-20898 Sources used: SUSE Linux Enterprise High Performance Computing ESPOS 15 SP3 (src): salt-3006.0-150300.53.60.1 SUSE Linux Enterprise High Performance Computing LTSS 15 SP3 (src): salt-3006.0-150300.53.60.1 SUSE Linux Enterprise Server 15 SP3 LTSS 15-SP3 (src): salt-3006.0-150300.53.60.1 SUSE Linux Enterprise Server for SAP Applications 15 SP3 (src): salt-3006.0-150300.53.60.1 SUSE Manager Proxy 4.2 (src): salt-3006.0-150300.53.60.1 SUSE Manager Retail Branch Server 4.2 (src): salt-3006.0-150300.53.60.1 SUSE Manager Server 4.2 (src): salt-3006.0-150300.53.60.1 SUSE Enterprise Storage 7.1 (src): salt-3006.0-150300.53.60.1 SUSE Linux Enterprise Micro 5.1 (src): salt-3006.0-150300.53.60.1 SUSE Linux Enterprise Micro 5.2 (src): salt-3006.0-150300.53.60.1 SUSE Linux Enterprise Micro for Rancher 5.2 (src): salt-3006.0-150300.53.60.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2023:3863-1: An update that solves two vulnerabilities and has 10 security fixes can now be installed. Category: security (moderate) Bug References: 1193948, 1210994, 1212794, 1212844, 1212855, 1213257, 1213441, 1213630, 1213960, 1214796, 1214797, 1215489 CVE References: CVE-2023-20897, CVE-2023-20898 Sources used: Transactional Server Module 15-SP4 (src): salt-3006.0-150400.8.44.1 openSUSE Leap 15.4 (src): salt-3006.0-150400.8.44.1 SUSE Linux Enterprise Micro for Rancher 5.3 (src): salt-3006.0-150400.8.44.1 SUSE Linux Enterprise Micro 5.3 (src): salt-3006.0-150400.8.44.1 SUSE Linux Enterprise Micro for Rancher 5.4 (src): salt-3006.0-150400.8.44.1 SUSE Linux Enterprise Micro 5.4 (src): salt-3006.0-150400.8.44.1 Basesystem Module 15-SP4 (src): salt-3006.0-150400.8.44.1 Server Applications Module 15-SP4 (src): salt-3006.0-150400.8.44.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2023:3862-1: An update that solves two vulnerabilities and has 10 security fixes can now be installed. Category: security (moderate) Bug References: 1193948, 1210994, 1212794, 1212844, 1212855, 1213257, 1213441, 1213630, 1213960, 1214796, 1214797, 1215489 CVE References: CVE-2023-20897, CVE-2023-20898 Sources used: openSUSE Leap 15.5 (src): salt-3006.0-150500.4.19.1 Basesystem Module 15-SP5 (src): salt-3006.0-150500.4.19.1 Server Applications Module 15-SP5 (src): salt-3006.0-150500.4.19.1 Transactional Server Module 15-SP5 (src): salt-3006.0-150500.4.19.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-RU-2023:4408-1: An update that solves eight vulnerabilities, contains two features and has 48 fixes can now be installed. Category: recommended (important) Bug References: 1097531, 1182851, 1186738, 1190781, 1193357, 1193948, 1194632, 1195624, 1195895, 1196050, 1196432, 1197288, 1197417, 1197533, 1197637, 1198489, 1198556, 1198744, 1199149, 1199372, 1199562, 1200566, 1200596, 1201082, 1202165, 1202631, 1203685, 1203834, 1203886, 1204206, 1204939, 1205687, 1207071, 1208691, 1209233, 1210954, 1210994, 1211591, 1211612, 1211741, 1211754, 1212516, 1212517, 1212794, 1212844, 1212855, 1213257, 1213293, 1213441, 1213518, 1213630, 1213926, 1213960, 1214796, 1214797, 1215489 CVE References: CVE-2022-22934, CVE-2022-22935, CVE-2022-22936, CVE-2022-22941, CVE-2022-22967, CVE-2023-20897, CVE-2023-20898, CVE-2023-28370 Jira References: MSQA-706, PED-3139 Sources used: NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.