Security update for salt

Announcement ID:	SUSE-SU-2020:3171-1
Rating:	critical
References:	bsc#1178319 bsc#1178361 bsc#1178362
Cross-References:	CVE-2020-16846 CVE-2020-17490 CVE-2020-25592
CVSS scores:	CVE-2020-16846 ( SUSE ): 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVE-2020-16846 ( NVD ): 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVE-2020-17490 ( SUSE ): 6.2 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N CVE-2020-17490 ( NVD ): 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N CVE-2020-25592 ( SUSE ): 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVE-2020-25592 ( NVD ): 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Affected Products:	SUSE Enterprise Storage 5 SUSE Linux Enterprise High Performance Computing 12 SP3 SUSE Linux Enterprise Server 12 SP3 SUSE Linux Enterprise Server for SAP Applications 12 SP3

An update that solves three vulnerabilities can now be installed.

Description:

This update for salt fixes the following issues:

• Fix for CVE-2020-25592 (bsc#1178319), CVE-2020-16846, (bsc#1178361), and CVE-2020-17490 (bsc#1178362).

Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

• SUSE Enterprise Storage 5
  zypper in -t patch SUSE-Storage-5-2020-3171=1

Package List:

• SUSE Enterprise Storage 5 (aarch64 x86_64)
  • salt-2016.11.4-48.13.1
  • salt-master-2016.11.4-48.13.1
  • salt-minion-2016.11.4-48.13.1
  • salt-api-2016.11.4-48.13.1

References:

• https://www.suse.com/security/cve/CVE-2020-16846.html
• https://www.suse.com/security/cve/CVE-2020-17490.html
• https://www.suse.com/security/cve/CVE-2020-25592.html
• https://bugzilla.suse.com/show_bug.cgi?id=1178319
• https://bugzilla.suse.com/show_bug.cgi?id=1178361
• https://bugzilla.suse.com/show_bug.cgi?id=1178362