File _patchinfo of Package patchinfo.18365

<patchinfo incident="18365">
  <zypp_restart_needed/> 
  <issue tracker="bnc" id="1182740">Retail terminal cannot be deployed because of failure in salt cmd execution module</issue>
  <issue tracker="cve" id="2020-35662"/>
  <issue tracker="cve" id="2021-25281"/>
  <issue tracker="cve" id="2021-3148"/>
  <issue tracker="cve" id="2021-25283"/>
  <issue tracker="cve" id="2021-3144"/>
  <issue tracker="cve" id="2021-3197"/>
  <issue tracker="cve" id="2021-25284"/>
  <issue tracker="cve" id="2021-25282"/>
  <issue tracker="cve" id="2020-28243"/>
  <issue tracker="cve" id="2020-28972"/>
  <issue tracker="bnc" id="1181559">VUL-0: CVE-2021-25281: salt: API does not honor eAuth credentials for the wheel_async client</issue>
  <issue tracker="bnc" id="1181560">VUL-0: CVE-2021-25282: salt: salt.wheel.pillar_roots.write method is vulnerable to directory traversal</issue>
  <issue tracker="bnc" id="1181564">VUL-0: CVE-2021-3197: salt: Salt-API's SSH client is vulnerable to a shell injection by including ProxyCommand in an argument</issue>
  <issue tracker="bnc" id="1181561">VUL-0: CVE-2021-25283: salt: jinja render does not protect against server-side template injection attacks</issue>
  <issue tracker="bnc" id="1181556">VUL-0: CVE-2020-28243: salt: possible privilege escalation on a minion when an unprivileged user is able to create files in any non-blacklisted directory</issue>
  <issue tracker="bnc" id="1181550">VUL-0: salt: February 2021 release</issue>
  <issue tracker="bnc" id="1181565">VUL-0: CVE-2020-35662: salt: certain modules do not always validate SSL certificates</issue>
  <issue tracker="bnc" id="1181563">VUL-0: CVE-2021-25284: salt: Salt.modules.cmdmod can log credential to the &#8220;error&#8221; log level</issue>
  <issue tracker="bnc" id="1181557">VUL-0: CVE-2020-28972: salt: authentication to vCenter, vSphere, and ESXi servers does not always validate the SSL/TLS certificate</issue>
  <issue tracker="bnc" id="1181558">VUL-0: CVE-2021-3148: salt: possible command injection when sending crafted web requests to the Salt API via SSH client</issue>
  <issue tracker="bnc" id="1181562">VUL-0: CVE-2021-3144: salt: eauth tokens can be used once after expiration</issue>
  <packager>juliogonzalezgil</packager>
  <rating>critical</rating>
  <category>security</category>
  <summary>Security update for salt</summary>
  <description>This update for salt fixes the following issues:

- Fix regression on cmd.run when passing tuples as cmd (bsc#1182740)
- Allow `extra_filerefs` as sanitized `kwargs` for SSH client
- Fix errors with virt.update
- Fix for multiple security issues
  (CVE-2020-28243) (CVE-2020-28972) (CVE-2020-35662) (CVE-2021-3148) (CVE-2021-3144)
  (CVE-2021-25281) (CVE-2021-25282) (CVE-2021-25283) (CVE-2021-25284) (CVE-2021-3197)
  (bsc#1181550) (bsc#1181556) (bsc#1181557) (bsc#1181558) (bsc#1181559) (bsc#1181560)
  (bsc#1181561) (bsc#1181562) (bsc#1181563) (bsc#1181564) (bsc#1181565)
- virt: search for `grub.xen` path
- Xen spicevmc, DNS SRV records backports:
  - Fix virtual network generated DNS XML for SRV records
  - Don't add spicevmc channel to xen VMs
- virt UEFI fix: virt.update when `efi=True`  
</description>
</patchinfo>