File _patchinfo of Package patchinfo.18365
<patchinfo incident="18365">
<zypp_restart_needed/>
<issue tracker="bnc" id="1182740">Retail terminal cannot be deployed because failure in salt cmd execution module</issue>
<issue tracker="cve" id="2020-35662"/>
<issue tracker="cve" id="2021-25281"/>
<issue tracker="cve" id="2021-3148"/>
<issue tracker="cve" id="2021-25283"/>
<issue tracker="cve" id="2021-3144"/>
<issue tracker="cve" id="2021-3197"/>
<issue tracker="cve" id="2021-25284"/>
<issue tracker="cve" id="2021-25282"/>
<issue tracker="cve" id="2020-28243"/>
<issue tracker="cve" id="2020-28972"/>
<issue tracker="bnc" id="1181559">VUL-0: CVE-2021-25281: salt: API does not honor eAuth credentials for the wheel_async client</issue>
<issue tracker="bnc" id="1181560">VUL-0: CVE-2021-25282: salt: salt.wheel.pillar_roots.write method is vulnerable to directory traversal</issue>
<issue tracker="bnc" id="1181564">VUL-0: CVE-2021-3197: salt: Salt-API's SSH client is vulnerable to a shell injection by including ProxyCommand in an argument</issue>
<issue tracker="bnc" id="1181561">VUL-0: CVE-2021-25283: salt: jinja render does not protect against server-side template injection attacks</issue>
<issue tracker="bnc" id="1181556">VUL-0: CVE-2020-28243: salt: possible privilege escalation on a minion when an unprivileged user is able to create files in any non-blacklisted directory</issue>
<issue tracker="bnc" id="1181550">VUL-0: salt: February 2021 release</issue>
<issue tracker="bnc" id="1181565">VUL-0: CVE-2020-35662: salt: certain modules do not always validated SSL certificates</issue>
<issue tracker="bnc" id="1181563">VUL-0: CVE-2021-25284: salt: Salt.modules.cmdmod can log credential to the “error” log level</issue>
<issue tracker="bnc" id="1181557">VUL-0: CVE-2020-28972: salt: authentication to vCenter, vSphere, and ESXi servers does not always validate the SSL/TLS certificate</issue>
<issue tracker="bnc" id="1181558">VUL-0: CVE-2021-3148: salt: possible command injection when sending crafted web requests to the Salt API via SSH client</issue>
<issue tracker="bnc" id="1181562">VUL-0: CVE-2021-3144: salt: eauth tokens can be used once after expiration</issue>
<packager>juliogonzalezgil</packager>
<rating>critical</rating>
<category>security</category>
<summary>Security update for salt</summary>
<description>This update for salt fixes the following issues:
- Fix regression on cmd.run when passing tuples as cmd (bsc#1182740)
- Allow `extra_filerefs` as sanitized `kwargs` for SSH client
- Fix errors with virt.update
- Fix for multiple for security issues
(CVE-2020-28243) (CVE-2020-28972) (CVE-2020-35662) (CVE-2021-3148) (CVE-2021-3144)
(CVE-2021-25281) (CVE-2021-25282) (CVE-2021-25283) (CVE-2021-25284) (CVE-2021-3197)
(bsc#1181550) (bsc#1181556) (bsc#1181557) (bsc#1181558) (bsc#1181559) (bsc#1181560)
(bsc#1181561) (bsc#1181562) (bsc#1181563) (bsc#1181564) (bsc#1181565)
- virt: search for `grub.xen` path
- Xen spicevmc, DNS SRV records backports:
- Fix virtual network generated DNS XML for SRV records
- Don't add spicevmc channel to xen VMs
- virt UEFI fix: virt.update when `efi=True`
</description>
</patchinfo>