SUSE-SU-2024:4021-1
- Source
- https://www.suse.com/support/update/announcement/2024/suse-su-20244021-1/
- Import Source
- https://ftp.suse.com/pub/projects/security/osv/SUSE-SU-2024:4021-1.json
- JSON Data
- https://api.osv.dev/v1/vulns/SUSE-SU-2024:4021-1
- Related
- Published
- 2024-11-18T13:25:44Z
- Modified
- 2024-11-18T13:25:44Z
- Summary
- Security update for SUSE Manager Salt Bundle
- Details
-
This update fixes the following issues:
venv-salt-minion:
Security fixes on Python 3.11 interpreter:
- CVE-2024-7592: Fixed quadratic complexity in parsing -quoted cookie values with backslashes (bsc#1229873, bsc#1230059)
- CVE-2024-8088: Prevent malformed payload to cause infinite loops in zipfile.Path (bsc#1229704, bsc#1230058)
- CVE-2024-6923: Prevent email header injection due to unquoted newlines (bsc#1228780)
- CVE-2024-4032: Rearranging definition of private global IP addresses (bsc#1226448)
- CVE-2024-0397: ssl.SSLContext.certstorestats() and ssl.SSLContext.getcacerts() now correctly lock access to the certificate store, when the ssl.SSLContext is shared across multiple threads (bsc#1226447)
Security fixes on Python dependencies:
- CVE-2024-5569: zipp: Fixed a Denial of Service (DoS) vulnerability in the jaraco/zipp library (bsc#1227547, bsc#1229996)
- CVE-2024-6345: setuptools: Sanitize any VCS URL used for download (bsc#1228105, bsc#1229995)
- CVE-2024-3651: idna: Fix a potential DoS via resource consumption via specially crafted inputs to idna.encode() (bsc#1222842, bsc#1229994)
- CVE-2024-37891: urllib3: Added the
Proxy-Authorizationheader to the list of headers to strip from requests when redirecting to a different host (bsc#1226469, bsc#1229654)
Other bugs fixed:
- Added passlib Python module to the bundle
- Allow NamedLoaderContexts to be returned from loader
- Avoid crash on wrong output of systemctl version (bsc#1229539)
- Avoid explicit reading of /etc/salt/minion (bsc#1220357)
- Enable poststartcleanup.sh to work in a transaction
- Fixed cloud Minion configuration for multiple Masters (bsc#1229109)
- Fixed failing x509 tests with OpenSSL < 1.1
- Fixed the SELinux context for Salt Minion service (bsc#1219041)
- Fixed too frequent systemd service restart in test_system test
- Fixed zyppnotify plugin after latest zypp/libzypp upgrades (bsc#1231697, bsc#1231045)
- Improved error handling with different OpenSSL versions
- Increase warnuntildate date for code we still support
- Prevent using SyncWrapper with no reason
- Reverted the change making reactor less blocking (bsc#1230322)
- Use --cachedir for extension_modules in salt-call (bsc#1226141)
- Use Pygit2 id instead of deprecated oid in gitfs
- References
-
- https://www.suse.com/support/update/announcement/2024/suse-su-20244021-1/
- https://bugzilla.suse.com/1219041
- https://bugzilla.suse.com/1220357
- https://bugzilla.suse.com/1222842
- https://bugzilla.suse.com/1226141
- https://bugzilla.suse.com/1226447
- https://bugzilla.suse.com/1226448
- https://bugzilla.suse.com/1226469
- https://bugzilla.suse.com/1227547
- https://bugzilla.suse.com/1228105
- https://bugzilla.suse.com/1228780
- https://bugzilla.suse.com/1229109
- https://bugzilla.suse.com/1229539
- https://bugzilla.suse.com/1229654
- https://bugzilla.suse.com/1229704
- https://bugzilla.suse.com/1229873
- https://bugzilla.suse.com/1229994
- https://bugzilla.suse.com/1229995
- https://bugzilla.suse.com/1229996
- https://bugzilla.suse.com/1230058
- https://bugzilla.suse.com/1230059
- https://bugzilla.suse.com/1230322
- https://bugzilla.suse.com/1231045
- https://bugzilla.suse.com/1231697
- https://www.suse.com/security/cve/CVE-2024-0397
- https://www.suse.com/security/cve/CVE-2024-3651
- https://www.suse.com/security/cve/CVE-2024-37891
- https://www.suse.com/security/cve/CVE-2024-4032
- https://www.suse.com/security/cve/CVE-2024-5569
- https://www.suse.com/security/cve/CVE-2024-6345
- https://www.suse.com/security/cve/CVE-2024-6923
- https://www.suse.com/security/cve/CVE-2024-7592
- https://www.suse.com/security/cve/CVE-2024-8088
Affected packages
SUSE:Manager Client Tools 15 / venv-salt-minion
Package
- Name
- venv-salt-minion
- Purl
- purl:rpm/suse/venv-salt-minion&distro=SUSE%20Manager%20Client%20Tools%2015
SUSE:Manager Client Tools for SLE Micro 5 / venv-salt-minion
Package
- Name
- venv-salt-minion
- Purl
- purl:rpm/suse/venv-salt-minion&distro=SUSE%20Manager%20Client%20Tools%20for%20SLE%20Micro%205
SUSE:Manager Proxy Module 4.3 / venv-salt-minion
Package
- Name
- venv-salt-minion
- Purl
- purl:rpm/suse/venv-salt-minion&distro=SUSE%20Manager%20Proxy%20Module%204.3