Bugzilla – Bug 1182382
VUL-0: CVE-2021-25315: salt: salt-api unauthenticated remote code exec
Last modified: 2021-07-11 17:43:25 UTC
I have assigned CVE-2021-25315 to this issue.
And can pau.garcia@suse.com be added to CC? He's SUSE Manager PO and will need to prepare release notes for SUSE Manager 4.2 about this.
To what products was this shipped already?

On second read, just Tumbleweed and SP3 beta?

Added Pau.
(In reply to Marcus Meissner from comment #5)
> To what products was this shipped already?
>
> on second read just tumbleweed and sp3 beta?

Correct!

> added pau
(In reply to Marcus Meissner from comment #5)
> To what products was this shipped already?
>
> on second read just tumbleweed and sp3 beta?

That's correct. I think Julio mentioned SUSE Manager 4.2 here because it's currently in alpha2, but in preparation for the public beta, which is based on SLE15SP3. Hth!
Yes, exactly.

- openSUSE Tumbleweed
- SLE15SP3 current milestone and next milestone (public Beta)

And as a result SUSE Manager 4.2 Alpha2, and Beta1, which is being prepared but not public.
Created attachment 846239: patch_for_salt_3002.2

This is the patch for fixing this CVE issue in Salt 3002.2.
Has this issue been reported upstream?
Hi. Upstream was not affected by this issue. The issue was caused by the overlap of an upstream patch and one of our patches.
Thanks for the clarification!
Sorry for the confusion. It is now fixed in Tumbleweed and the recent SLES 15 SP3 beta.
SUSE-SU-2021:0913-1: An update that solves 11 vulnerabilities and has 8 fixes is now available.
Category: security (moderate)
Bug References: 1099976,1172110,1174855,1177474,1179696,1181347,1181550,1181556,1181557,1181558,1181559,1181560,1181561,1181562,1181563,1181564,1181565,1182382,1182740
CVE References: CVE-2020-28243,CVE-2020-28972,CVE-2020-35662,CVE-2021-25281,CVE-2021-25282,CVE-2021-25283,CVE-2021-25284,CVE-2021-25315,CVE-2021-3144,CVE-2021-3148,CVE-2021-3197
JIRA References:
Sources used:
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

SUSE-SU-2021:14679-1: An update that solves 11 vulnerabilities and has 7 fixes is now available.
Category: security (moderate)
Bug References: 1099976,1172110,1174855,1179696,1181347,1181550,1181556,1181557,1181558,1181559,1181560,1181561,1181562,1181563,1181564,1181565,1182382,1182740
CVE References: CVE-2020-28243,CVE-2020-28972,CVE-2020-35662,CVE-2021-25281,CVE-2021-25282,CVE-2021-25283,CVE-2021-25284,CVE-2021-25315,CVE-2021-3144,CVE-2021-3148,CVE-2021-3197
JIRA References:
Sources used:
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

SUSE-SU-2021:0914-1: An update that solves 11 vulnerabilities and has 8 fixes is now available.
Category: security (moderate)
Bug References: 1099976,1172110,1174855,1177474,1179696,1181347,1181550,1181556,1181557,1181558,1181559,1181560,1181561,1181562,1181563,1181564,1181565,1182382,1182740
CVE References: CVE-2020-28243,CVE-2020-28972,CVE-2020-35662,CVE-2021-25281,CVE-2021-25282,CVE-2021-25283,CVE-2021-25284,CVE-2021-25315,CVE-2021-3144,CVE-2021-3148,CVE-2021-3197
JIRA References:
Sources used:
SUSE Manager Tools 15-BETA (src): salt-3002.2-8.33.1
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

SUSE-SU-2021:14678-1: An update that solves 11 vulnerabilities and has 8 fixes is now available.
Category: security (moderate)
Bug References: 1099976,1172110,1174855,1177474,1179696,1181347,1181550,1181556,1181557,1181558,1181559,1181560,1181561,1181562,1181563,1181564,1181565,1182382,1182740
CVE References: CVE-2020-28243,CVE-2020-28972,CVE-2020-35662,CVE-2021-25281,CVE-2021-25282,CVE-2021-25283,CVE-2021-25284,CVE-2021-25315,CVE-2021-3144,CVE-2021-3148,CVE-2021-3197
JIRA References:
Sources used:
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

SUSE-SU-2021:2104-1: An update that solves two vulnerabilities, contains three features and has 8 fixes is now available.
Category: security (critical)
Bug References: 1171257,1176293,1179831,1181368,1182281,1182293,1182382,1185092,1185281,1186674
CVE References: CVE-2021-25315,CVE-2021-31607
JIRA References: ECO-3212,SLE-18028,SLE-18033
Sources used:
SUSE Linux Enterprise Server for SAP 15 (src): salt-3002.2-8.41.8.1
SUSE Linux Enterprise Server 15-LTSS (src): salt-3002.2-8.41.8.1
SUSE Linux Enterprise High Performance Computing 15-LTSS (src): salt-3002.2-8.41.8.1
SUSE Linux Enterprise High Performance Computing 15-ESPOS (src): salt-3002.2-8.41.8.1
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

SUSE-SU-2021:2111-1: An update that solves two vulnerabilities, contains three features and has 12 fixes is now available.
Category: security (moderate)
Bug References: 1171257,1173557,1176293,1179831,1180583,1180584,1180585,1181368,1182281,1182293,1182382,1185092,1185281,1186674
CVE References: CVE-2021-25315,CVE-2021-31607
JIRA References: ECO-3212,SLE-18028,SLE-18033
Sources used:
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

SUSE-SU-2021:2105-1: An update that solves 7 vulnerabilities, contains three features and has three fixes is now available.
Category: security (critical)
Bug References: 1171257,1176293,1179831,1181368,1182281,1182293,1182382,1185092,1185281,1186674
CVE References: CVE-2018-15750,CVE-2018-15751,CVE-2020-11651,CVE-2020-11652,CVE-2020-25592,CVE-2021-25315,CVE-2021-31607
JIRA References: ECO-3212,SLE-18028,SLE-18033
Sources used:
SUSE Manager Server 4.0 (src): salt-3002.2-37.1
SUSE Manager Retail Branch Server 4.0 (src): salt-3002.2-37.1
SUSE Manager Proxy 4.0 (src): salt-3002.2-37.1
SUSE Linux Enterprise Server for SAP 15-SP1 (src): salt-3002.2-37.1
SUSE Linux Enterprise Server 15-SP1-LTSS (src): salt-3002.2-37.1
SUSE Linux Enterprise Server 15-SP1-BCL (src): salt-3002.2-37.1
SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS (src): salt-3002.2-37.1
SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS (src): salt-3002.2-37.1
SUSE Enterprise Storage 6 (src): salt-3002.2-37.1
SUSE CaaS Platform 4.0 (src): salt-3002.2-37.1
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

SUSE-SU-2021:14756-1: An update that solves two vulnerabilities, contains three features and has 12 fixes is now available.
Category: security (moderate)
Bug References: 1171257,1173557,1176293,1179831,1180583,1180584,1180585,1181368,1182281,1182293,1182382,1185092,1185281,1186674
CVE References: CVE-2021-25315,CVE-2021-31607
JIRA References: ECO-3212,SLE-18028,SLE-18033
Sources used:
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

SUSE-SU-2021:2106-1: An update that solves 7 vulnerabilities, contains three features and has three fixes is now available.
Category: security (critical)
Bug References: 1171257,1176293,1179831,1181368,1182281,1182293,1182382,1185092,1185281,1186674
CVE References: CVE-2018-15750,CVE-2018-15751,CVE-2020-11651,CVE-2020-11652,CVE-2020-25592,CVE-2021-25315,CVE-2021-31607
JIRA References: ECO-3212,SLE-18028,SLE-18033
Sources used:
SUSE MicroOS 5.0 (src): python-distro-1.5.0-3.5.1, salt-3002.2-37.1
SUSE Linux Enterprise Module for Transactional Server 15-SP2 (src): salt-3002.2-37.1
SUSE Linux Enterprise Module for Server Applications 15-SP2 (src): salt-3002.2-37.1
SUSE Linux Enterprise Module for Python2 15-SP3 (src): python-distro-1.5.0-3.5.1
SUSE Linux Enterprise Module for Python2 15-SP2 (src): python-distro-1.5.0-3.5.1
SUSE Linux Enterprise Module for Basesystem 15-SP3 (src): python-distro-1.5.0-3.5.1
SUSE Linux Enterprise Module for Basesystem 15-SP2 (src): python-distro-1.5.0-3.5.1, salt-3002.2-37.1
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

SUSE-SU-2021:14755-1: An update that solves two vulnerabilities, contains three features and has 12 fixes is now available.
Category: security (moderate)
Bug References: 1171257,1173557,1176293,1179831,1180583,1180584,1180585,1181368,1182281,1182293,1182382,1185092,1185281,1186674
CVE References: CVE-2021-25315,CVE-2021-31607
JIRA References: ECO-3212,SLE-18028,SLE-18033
Sources used:
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

openSUSE-SU-2021:0899-1: An update that solves 7 vulnerabilities, contains three features and has three fixes is now available.
Category: security (critical)
Bug References: 1171257,1176293,1179831,1181368,1182281,1182293,1182382,1185092,1185281,1186674
CVE References: CVE-2018-15750,CVE-2018-15751,CVE-2020-11651,CVE-2020-11652,CVE-2020-25592,CVE-2021-25315,CVE-2021-31607
JIRA References: ECO-3212,SLE-18028,SLE-18033
Sources used:
openSUSE Leap 15.2 (src): salt-3002.2-lp152.3.36.1

openSUSE-SU-2021:2106-1: An update that solves 7 vulnerabilities, contains three features and has three fixes is now available.
Category: security (critical)
Bug References: 1171257,1176293,1179831,1181368,1182281,1182293,1182382,1185092,1185281,1186674
CVE References: CVE-2018-15750,CVE-2018-15751,CVE-2020-11651,CVE-2020-11652,CVE-2020-25592,CVE-2021-25315,CVE-2021-31607
JIRA References: ECO-3212,SLE-18028,SLE-18033
Sources used:
openSUSE Leap 15.3 (src): python-distro-1.5.0-3.5.1