Bug 1170595 - (CVE-2020-11651) VUL-0: CVE-2020-11651,CVE-2020-11652: salt: critical salt issue
(CVE-2020-11651)
VUL-0: CVE-2020-11651,CVE-2020-11652: salt: critical salt issue
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
unspecified
Other Other
: P1 - Urgent : Critical
: ---
Assigned To: Jochen Breuer
Security Team bot
CVSSv3.1:SUSE:CVE-2020-11651:9.8:(AV...
:
Depends on:
Blocks: 1171350
  Show dependency treegraph
 
Reported: 2020-04-27 14:23 UTC by Marcus Meissner
Modified: 2021-06-10 12:54 UTC (History)
14 users (show)

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments
Original Patch from Saltstack (21.60 KB, patch)
2020-04-28 07:16 UTC, Jochen Breuer
Details | Diff
Patch for Salt in SUMA 3.2 and SLE15 SP1 (25.51 KB, patch)
2020-04-28 08:40 UTC, Jochen Breuer
Details | Diff
Patch for SUSE Salt3000 (25.50 KB, patch)
2020-04-28 09:51 UTC, Jochen Breuer
Details | Diff
Fix-CVE-2020-11651-and-Fix-CVE-2020-11652-3000.x-no-tests.patch (9.48 KB, patch)
2020-04-30 05:35 UTC, Marcus Meissner
Details | Diff
Fix-CVE-2020-11651-and-Fix-CVE-2020-11652-2019.2.x-no-tests.patch (9.52 KB, patch)
2020-04-30 05:35 UTC, Marcus Meissner
Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Comment 6 Jochen Breuer 2020-04-28 08:51:52 UTC
Saltstack is planning to do their release on Wednesday 12:00 MDT, which is 20:00 CEST (Berlin).
Comment 7 Jochen Breuer 2020-04-28 08:52:02 UTC
Saltstack is planning to do their release on Wednesday 12:00 MDT, which is 20:00 CEST (Berlin).
Comment 9 Jochen Breuer 2020-04-28 09:51:57 UTC
Created attachment 836933 [details]
Patch for SUSE Salt3000

This is the backported patch for salt in openSUSE-3000.
Comment 10 Marcus Meissner 2020-04-28 11:15:41 UTC
Please submit the salt updates in IBS when ready.
Comment 13 Robert Frohl 2020-04-29 20:37:20 UTC
CVE-2020-11651

An issue was discovered in SaltStack Salt before 2019.2.4 and 3000 before 3000.2. The salt-master process ClearFuncs class does not properly validate method calls. This allows a remote user to access some methods without authentication. These methods can be used to retrieve user tokens from the salt master and/or run arbitrary commands on salt minions.

CVE-2020-11652

An issue was discovered in SaltStack Salt before 2019.2.4 and 3000 before 3000.2. The salt-master process ClearFuncs class allows access to some methods that improperly sanitize paths. These methods allow arbitrary directory access to authenticated users.

https://docs.saltstack.com/en/latest/topics/releases/3000.2.html
Comment 14 Swamp Workflow Management 2020-04-30 01:14:25 UTC
SUSE-SU-2020:1151-1: An update that fixes two vulnerabilities is now available.

Category: security (critical)
Bug References: 1170595
CVE References: CVE-2020-11651,CVE-2020-11652
Sources used:
SUSE Linux Enterprise Server for SAP 15 (src):    salt-2019.2.0-5.67.1
SUSE Linux Enterprise Server 15-LTSS (src):    salt-2019.2.0-5.67.1
SUSE Linux Enterprise High Performance Computing 15-LTSS (src):    salt-2019.2.0-5.67.1
SUSE Linux Enterprise High Performance Computing 15-ESPOS (src):    salt-2019.2.0-5.67.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 15 Swamp Workflow Management 2020-04-30 01:15:06 UTC
SUSE-SU-2020:14350-1: An update that fixes two vulnerabilities is now available.

Category: security (critical)
Bug References: 1170595
CVE References: CVE-2020-11651,CVE-2020-11652
Sources used:

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 16 Swamp Workflow Management 2020-04-30 01:15:53 UTC
SUSE-SU-2020:1147-1: An update that fixes two vulnerabilities is now available.

Category: security (critical)
Bug References: 1170595
CVE References: CVE-2020-11651,CVE-2020-11652
Sources used:
SUSE Manager Tools 12 (src):    salt-2019.2.0-46.91.1
SUSE Manager Server 3.2 (src):    salt-2019.2.0-46.91.1
SUSE Manager Proxy 3.2 (src):    salt-2019.2.0-46.91.1
SUSE Linux Enterprise Point of Sale 12-SP2 (src):    salt-2019.2.0-46.91.1
SUSE Linux Enterprise Module for Advanced Systems Management 12 (src):    salt-2019.2.0-46.91.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 17 Swamp Workflow Management 2020-04-30 01:16:36 UTC
SUSE-SU-2020:14351-1: An update that fixes two vulnerabilities is now available.

Category: security (critical)
Bug References: 1170595
CVE References: CVE-2020-11651,CVE-2020-11652
Sources used:

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 18 Swamp Workflow Management 2020-04-30 01:17:22 UTC
SUSE-SU-2020:1150-1: An update that fixes two vulnerabilities is now available.

Category: security (critical)
Bug References: 1170595
CVE References: CVE-2020-11651,CVE-2020-11652
Sources used:
SUSE Linux Enterprise Module for Server Applications 15-SP1 (src):    salt-2019.2.0-6.27.1
SUSE Linux Enterprise Module for Python2 15-SP1 (src):    salt-2019.2.0-6.27.1
SUSE Linux Enterprise Module for Basesystem 15-SP1 (src):    salt-2019.2.0-6.27.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 19 Marcus Meissner 2020-04-30 05:35:17 UTC
Created attachment 837137 [details]
Fix-CVE-2020-11651-and-Fix-CVE-2020-11652-3000.x-no-tests.patch

incremental patch sent last night by salt.dev
Comment 20 Marcus Meissner 2020-04-30 05:35:42 UTC
Created attachment 837138 [details]
Fix-CVE-2020-11651-and-Fix-CVE-2020-11652-2019.2.x-no-tests.patch

small adjusted patch sent by saltdev last night
Fix-CVE-2020-11651-and-Fix-CVE-2020-11652-2019.2.x-no-tests.patch
Comment 21 Swamp Workflow Management 2020-04-30 15:00:14 UTC
This is an autogenerated message for OBS integration:
This bug (1170595) was mentioned in
https://build.opensuse.org/request/show/799271 Factory / salt
Comment 22 Swamp Workflow Management 2020-04-30 19:21:45 UTC
openSUSE-SU-2020:0564-1: An update that fixes two vulnerabilities is now available.

Category: security (critical)
Bug References: 1170595
CVE References: CVE-2020-11651,CVE-2020-11652
Sources used:
openSUSE Leap 15.1 (src):    salt-2019.2.0-lp151.5.15.1
Comment 36 Swamp Workflow Management 2020-05-22 16:14:00 UTC
SUSE-SU-2020:1392-1: An update that fixes two vulnerabilities is now available.

Category: security (important)
Bug References: 1170595
CVE References: CVE-2020-11651,CVE-2020-11652
Sources used:
SUSE Enterprise Storage 5 (src):    salt-2016.11.4-48.10.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 37 Alexandros Toptsoglou 2020-05-25 13:11:23 UTC
Done
Comment 42 Swamp Workflow Management 2020-06-23 16:14:47 UTC
SUSE-SU-2020:14404-1: An update that solves two vulnerabilities and has 10 fixes is now available.

Category: security (moderate)
Bug References: 1159284,1165572,1168340,1169604,1169800,1170104,1170288,1170595,1171687,1171906,1172075,1173072
CVE References: CVE-2020-11651,CVE-2020-11652
Sources used:

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 43 Swamp Workflow Management 2020-06-23 16:17:21 UTC
SUSE-SU-2020:1718-1: An update that solves 6 vulnerabilities and has 13 fixes is now available.

Category: security (moderate)
Bug References: 1134195,1141661,1159284,1165572,1168310,1168340,1169604,1169800,1170104,1170231,1170288,1170557,1170595,1170684,1171687,1171906,1172075,1172462,1173072
CVE References: CVE-2019-10215,CVE-2019-15043,CVE-2020-11651,CVE-2020-11652,CVE-2020-12245,CVE-2020-13379
Sources used:
SUSE Manager Tools 12-BETA (src):    cobbler-2.6.6-52.3.2, golang-github-prometheus-prometheus-2.18.0-4.6.2, grafana-7.0.3-4.3.2, salt-3000-49.20.1, spacecmd-4.1.4-41.9.2, spacewalk-client-tools-4.1.5-55.15.2, suseRegisterInfo-4.1.2-28.6.2, uyuni-common-libs-4.1.5-3.12.2, zypp-plugin-spacewalk-1.0.7-33.6.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 44 Swamp Workflow Management 2020-06-23 16:41:05 UTC
SUSE-SU-2020:14402-1: An update that solves 11 vulnerabilities and has 245 fixes is now available.

Category: security (moderate)
Bug References: 1002529,1003449,1004047,1004260,1004723,1008933,1011304,1011800,1012398,1012999,1013876,1013938,1015882,1017078,1019386,1020831,1022562,1022841,1023535,1024406,1025896,1027044,1027240,1027426,1027722,1030009,1030073,1032213,1032452,1032931,1035914,1036125,1038855,1039370,1040886,1041993,1042749,1043111,1044719,1050003,1051948,1052264,1053376,1053955,1057635,1059291,1059758,1060230,1061407,1062462,1062464,1063419,1064520,1065792,1068446,1068566,1070372,1071322,1072599,1075950,1076578,1079048,1080290,1081151,1081592,1083294,1085667,1087055,1087278,1087581,1087891,1088070,1088888,1089112,1089362,1089526,1091371,1092161,1092373,1094055,1094190,1095507,1095651,1095942,1096514,1097174,1097413,1098394,1099323,1099460,1099887,1099945,1100142,1100225,1100697,1101780,1101812,1101880,1102013,1102218,1102265,1102819,1103090,1103530,1103696,1104034,1104154,1104491,1106164,1107333,1108557,1108834,1108969,1108995,1109023,1109893,1110938,1111542,1112874,1113698,1113699,1113784,1114029,1114197,1114474,1114824,1116343,1116837,1117995,1121091,1121439,1122663,1122680,1123044,1123512,1123865,1124277,1125015,1125610,1125744,1127389,1128061,1128554,1129079,1129243,1130077,1130588,1130784,1131114,1132076,1133523,1133647,1134860,1135360,1135507,1135567,1135732,1135881,1137642,1138454,1139761,1140193,1140912,1143301,1146192,1146382,1148311,1148714,1150447,1151650,1151947,1152366,1153090,1153277,1153611,1154620,1154940,1155372,1157465,1157479,1158441,1159284,1162327,1162504,1163871,1163981,1165425,1165572,1167437,1167556,1168340,1169604,1169800,1170104,1170288,1170595,1171687,1171906,1172075,1173072,769106,769108,776615,849184,849204,849205,879904,887879,889605,892707,902494,908849,926318,932288,945380,948245,955373,958350,959572,963322,965403,967803,969320,970669,971372,972311,972490,975093,975303,975306,975733,975757,976148,977264,978150,978833,979448,979676,980313,983017,983512,985112,985661,986019,987798,988506,989193,989798,990029,990439,990440,991048,993039,993549,996455,999852
CVE References: CVE-2016-1866,CVE-2016-9639,CVE-2017-12791,CVE-2017-14695,CVE-2017-14696,CVE-2018-15750,CVE-2018-15751,CVE-2019-17361,CVE-2019-18897,CVE-2020-11651,CVE-2020-11652
Sources used:

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 45 Swamp Workflow Management 2020-06-23 16:49:09 UTC
SUSE-SU-2020:14403-1: An update that solves two vulnerabilities and has 10 fixes is now available.

Category: security (moderate)
Bug References: 1159284,1165572,1168340,1169604,1169800,1170104,1170288,1170595,1171687,1171906,1172075,1173072
CVE References: CVE-2020-11651,CVE-2020-11652
Sources used:

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 46 Swamp Workflow Management 2020-06-23 16:54:18 UTC
SUSE-SU-2020:1715-1: An update that solves 6 vulnerabilities and has 12 fixes is now available.

Category: security (moderate)
Bug References: 1159284,1165572,1168310,1168340,1169604,1169800,1170104,1170231,1170288,1170557,1170595,1170684,1170824,1171687,1171906,1172075,1172462,1173072
CVE References: CVE-2019-10215,CVE-2019-15043,CVE-2020-11651,CVE-2020-11652,CVE-2020-12245,CVE-2020-13379
Sources used:
SUSE Manager Tools 15-BETA (src):    dracut-saltboot-0.1.1590413773.a959db7-3.18.2, golang-github-prometheus-prometheus-2.18.0-6.6.2, grafana-7.0.3-4.3.2, koan-2.9.0-7.6.2, salt-3000-8.20.1, spacecmd-4.1.4-6.9.2, spacewalk-client-tools-4.1.5-6.15.2, suseRegisterInfo-4.1.2-6.6.2, uyuni-common-libs-4.1.5-3.12.2, zypp-plugin-spacewalk-1.0.7-6.6.2

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 48 Swamp Workflow Management 2020-07-21 04:39:42 UTC
SUSE-SU-2020:14431-1: An update that solves 11 vulnerabilities and has 251 fixes is now available.

Category: security (moderate)
Bug References: 1002529,1003449,1004047,1004260,1004723,1008933,1011304,1011800,1012398,1012999,1013876,1013938,1015882,1017078,1019386,1020831,1022562,1022841,1023535,1024406,1025896,1027044,1027240,1027426,1027722,1030009,1030073,1032213,1032452,1032931,1035914,1036125,1038855,1039370,1040886,1041993,1042749,1043111,1044719,1050003,1051948,1052264,1053376,1053955,1057635,1059291,1059758,1060230,1061407,1062462,1062464,1063419,1064520,1065792,1068446,1068566,1070372,1071322,1072599,1075950,1076578,1079048,1080290,1081151,1081592,1083294,1085667,1087055,1087278,1087581,1087891,1088070,1088888,1089112,1089362,1089526,1091371,1092161,1092373,1094055,1094190,1095507,1095651,1095942,1096514,1097174,1097413,1098394,1099323,1099460,1099887,1099945,1100142,1100225,1100697,1101780,1101812,1101880,1102013,1102218,1102265,1102819,1103090,1103530,1103696,1104034,1104154,1104491,1106164,1107333,1108557,1108834,1108969,1108995,1109023,1109893,1110938,1111542,1112874,1113698,1113699,1113784,1114029,1114197,1114474,1114824,1116343,1116837,1117995,1121091,1121439,1122663,1122680,1123044,1123512,1123865,1124277,1125015,1125610,1125744,1127389,1128061,1128554,1129079,1129243,1130077,1130588,1130784,1131114,1132076,1133523,1133647,1134860,1135360,1135507,1135567,1135656,1135732,1135881,1137642,1138454,1138952,1139761,1140193,1140912,1143301,1146192,1146382,1148311,1148714,1150447,1151650,1151947,1152366,1153090,1153277,1153611,1154620,1154940,1155372,1157465,1157479,1158441,1158940,1159118,1159284,1160931,1162327,1162504,1163871,1165425,1165572,1167437,1167556,1168340,1169604,1169800,1170042,1170104,1170288,1170595,1171687,1171906,1172075,1173072,1174165,769106,769108,776615,849184,849204,849205,879904,887879,889605,892707,902494,908849,926318,932288,945380,948245,955373,958350,959572,963322,965403,967803,969320,970669,971372,972311,972490,975093,975303,975306,975733,975757,976148,977264,978150,978833,979448,979676,980313,983017,983512,985112,985661,986019,987798,988506,989193,989798,990029,990439,990440,991048,993039,993549,996455,999852
CVE References: CVE-2016-1866,CVE-2016-9639,CVE-2017-12791,CVE-2017-14695,CVE-2017-14696,CVE-2018-15750,CVE-2018-15751,CVE-2019-17361,CVE-2019-18897,CVE-2020-11651,CVE-2020-11652
Sources used:

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 49 Swamp Workflow Management 2020-07-21 04:49:21 UTC
SUSE-SU-2020:1971-1: An update that solves three vulnerabilities and has 12 fixes is now available.

Category: security (moderate)
Bug References: 1157465,1159284,1162327,1165572,1167437,1168340,1169604,1169800,1170104,1170288,1170595,1171906,1172075,1173072,1174165
CVE References: CVE-2019-18897,CVE-2020-11651,CVE-2020-11652
Sources used:
SUSE Manager Tools 12 (src):    python-singledispatch-3.4.0.3-1.5.1, salt-3000-46.101.1
SUSE Manager Server 3.2 (src):    python-singledispatch-3.4.0.3-1.5.1, salt-3000-46.101.1
SUSE Manager Proxy 3.2 (src):    python-singledispatch-3.4.0.3-1.5.1, salt-3000-46.101.1
SUSE Linux Enterprise Point of Sale 12-SP2 (src):    python-singledispatch-3.4.0.3-1.5.1, salt-3000-46.101.1
SUSE Linux Enterprise Module for Advanced Systems Management 12 (src):    python-singledispatch-3.4.0.3-1.5.1, salt-3000-46.101.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 50 Swamp Workflow Management 2020-07-21 05:03:53 UTC
SUSE-SU-2020:14430-1: An update that solves three vulnerabilities and has 18 fixes is now available.

Category: security (moderate)
Bug References: 1153090,1153277,1154940,1155372,1157465,1159284,1162327,1163871,1165572,1167437,1168340,1169604,1169800,1170104,1170288,1170595,1171687,1171906,1172075,1173072,1174165
CVE References: CVE-2019-18897,CVE-2020-11651,CVE-2020-11652
Sources used:

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 51 Swamp Workflow Management 2020-07-21 05:23:35 UTC
SUSE-SU-2020:14429-1: An update that solves three vulnerabilities and has 18 fixes is now available.

Category: security (moderate)
Bug References: 1153090,1153277,1154940,1155372,1157465,1159284,1162327,1163871,1165572,1167437,1168340,1169604,1169800,1170104,1170288,1170595,1171687,1171906,1172075,1173072,1174165
CVE References: CVE-2019-18897,CVE-2020-11651,CVE-2020-11652
Sources used:

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 52 Swamp Workflow Management 2020-07-21 05:26:17 UTC
SUSE-SU-2020:1973-1: An update that solves three vulnerabilities and has 12 fixes is now available.

Category: security (moderate)
Bug References: 1157465,1159284,1162327,1165572,1167437,1168340,1169604,1169800,1170104,1170288,1170595,1171906,1172075,1173072,1174165
CVE References: CVE-2019-18897,CVE-2020-11651,CVE-2020-11652
Sources used:
SUSE Linux Enterprise Server for SAP 15 (src):    salt-3000-5.78.1
SUSE Linux Enterprise Server 15-LTSS (src):    salt-3000-5.78.1
SUSE Linux Enterprise High Performance Computing 15-LTSS (src):    salt-3000-5.78.1
SUSE Linux Enterprise High Performance Computing 15-ESPOS (src):    salt-3000-5.78.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 58 Swamp Workflow Management 2021-02-08 14:57:56 UTC
SUSE-SU-2021:0315-1: An update that solves 14 vulnerabilities and has 218 fixes is now available.

Category: security (moderate)
Bug References: 1002529,1004047,1004260,1004723,1008933,1011304,1011800,1012398,1012999,1017078,1019386,1020831,1022562,1022841,1023535,1025896,1027044,1027240,1027722,1030009,1030073,1032213,1032452,1032931,1035914,1036125,1038855,1039370,1040886,1041993,1042749,1043111,1050003,1051948,1052264,1053376,1053955,1057635,1059291,1059758,1060230,1061407,1062462,1062464,1063419,1064520,1065792,1068446,1068566,1071322,1072599,1075950,1079048,1081592,1083110,1087055,1087278,1087581,1087891,1088888,1089112,1089362,1089526,1091371,1092161,1092373,1094055,1095507,1095651,1095942,1096514,1097174,1097413,1098394,1099323,1099460,1099887,1099945,1100142,1100225,1100697,1101780,1101812,1101880,1102013,1102218,1102248,1102265,1102819,1103530,1104154,1104491,1106164,1107333,1108557,1108834,1108969,1108995,1109893,1110938,1112874,1113698,1113699,1113784,1114029,1114197,1114474,1114824,1116343,1116837,1117995,1121091,1121439,1122663,1122680,1123044,1123512,1123865,1124277,1125015,1128061,1128554,1129079,1130588,1130784,1131114,1132076,1133523,1133647,1134860,1135360,1135507,1135567,1135656,1135732,1137642,1138952,1139761,1140193,1140912,1143301,1146192,1146382,1148714,1150447,1151650,1151947,1152366,1153611,1154620,1157465,1157479,1158441,1158940,1159118,1159284,1159670,1160931,1162327,1162504,1165425,1165572,1167437,1167556,1168340,1169604,1169800,1170042,1170104,1170288,1170595,1171461,1171906,1172075,1172211,1173072,1173909,1173911,1173936,1174165,1175549,1175987,1176024,1176294,1176397,1176480,1177867,1178319,1178361,1178362,1178485,849184,849204,849205,955373,958350,959572,963322,965403,967803,969320,970669,971372,972311,972490,975093,975303,975306,975733,975757,976148,978150,978833,979448,979676,980313,983017,983512,985112,985661,986019,988506,989193,989798,990029,990439,990440,991048,993039,993549,996455,999852
CVE References: CVE-2016-1866,CVE-2016-9639,CVE-2017-12791,CVE-2017-14695,CVE-2017-14696,CVE-2018-15750,CVE-2018-15751,CVE-2019-17361,CVE-2019-18897,CVE-2020-11651,CVE-2020-11652,CVE-2020-16846,CVE-2020-17490,CVE-2020-25592
JIRA References: 
Sources used:

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 59 Swamp Workflow Management 2021-02-08 15:33:21 UTC
SUSE-SU-2021:0316-1: An update that solves 14 vulnerabilities and has 218 fixes is now available.

Category: security (moderate)
Bug References: 1002529,1004047,1004260,1004723,1008933,1011304,1011800,1012398,1012999,1017078,1019386,1020831,1022562,1022841,1023535,1025896,1027044,1027240,1027722,1030009,1030073,1032213,1032452,1032931,1035914,1036125,1038855,1039370,1040886,1041993,1042749,1043111,1050003,1051948,1052264,1053376,1053955,1057635,1059291,1059758,1060230,1061407,1062462,1062464,1063419,1064520,1065792,1068446,1068566,1071322,1072599,1075950,1079048,1081592,1083110,1087055,1087278,1087581,1087891,1088888,1089112,1089362,1089526,1091371,1092161,1092373,1094055,1095507,1095651,1095942,1096514,1097174,1097413,1098394,1099323,1099460,1099887,1099945,1100142,1100225,1100697,1101780,1101812,1101880,1102013,1102218,1102248,1102265,1102819,1103530,1104154,1104491,1106164,1107333,1108557,1108834,1108969,1108995,1109893,1110938,1112874,1113698,1113699,1113784,1114029,1114197,1114474,1114824,1116343,1116837,1117995,1121091,1121439,1122663,1122680,1123044,1123512,1123865,1124277,1125015,1128061,1128554,1129079,1130588,1130784,1131114,1132076,1133523,1133647,1134860,1135360,1135507,1135567,1135656,1135732,1137642,1138952,1139761,1140193,1140912,1143301,1146192,1146382,1148714,1150447,1151650,1151947,1152366,1153611,1154620,1157465,1157479,1158441,1158940,1159118,1159284,1159670,1160931,1162327,1162504,1165425,1165572,1167437,1167556,1168340,1169604,1169800,1170042,1170104,1170288,1170595,1171461,1171906,1172075,1172211,1173072,1173909,1173911,1173936,1174165,1175549,1175987,1176024,1176294,1176397,1176480,1177867,1178319,1178361,1178362,1178485,849184,849204,849205,955373,958350,959572,963322,965403,967803,969320,970669,971372,972311,972490,975093,975303,975306,975733,975757,976148,978150,978833,979448,979676,980313,983017,983512,985112,985661,986019,988506,989193,989798,990029,990439,990440,991048,993039,993549,996455,999852
CVE References: CVE-2016-1866,CVE-2016-9639,CVE-2017-12791,CVE-2017-14695,CVE-2017-14696,CVE-2018-15750,CVE-2018-15751,CVE-2019-17361,CVE-2019-18897,CVE-2020-11651,CVE-2020-11652,CVE-2020-16846,CVE-2020-17490,CVE-2020-25592
JIRA References: 
Sources used:

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.