Feature update for SUSE Manager Salt Bundle

Announcement ID:	SUSE-FU-2022:2042-1
Rating:	important
References:	bsc#1182851 bsc#1194632 bsc#1196050 bsc#1196432 bsc#1197417 bsc#1197637 bsc#1198556 bsc#1199149
Cross-References:	CVE-2022-22934 CVE-2022-22935 CVE-2022-22936 CVE-2022-22941
CVSS scores:	CVE-2022-22934 ( SUSE ): 7.5 CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H CVE-2022-22934 ( NVD ): 8.8 CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVE-2022-22935 ( SUSE ): 6.5 CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2022-22935 ( NVD ): 3.7 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L CVE-2022-22936 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2022-22936 ( NVD ): 8.8 CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVE-2022-22941 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2022-22941 ( NVD ): 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Affected Products:	openSUSE Leap 15.3 openSUSE Leap 15.4 openSUSE Leap 15.5 SUSE Linux Enterprise Desktop 15 SUSE Linux Enterprise Desktop 15 SP1 SUSE Linux Enterprise Desktop 15 SP2 SUSE Linux Enterprise Desktop 15 SP3 SUSE Linux Enterprise Desktop 15 SP4 SUSE Linux Enterprise Desktop 15 SP5 SUSE Linux Enterprise Desktop 15 SP6 SUSE Linux Enterprise High Performance Computing 15 SUSE Linux Enterprise High Performance Computing 15 SP1 SUSE Linux Enterprise High Performance Computing 15 SP2 SUSE Linux Enterprise High Performance Computing 15 SP3 SUSE Linux Enterprise High Performance Computing 15 SP4 SUSE Linux Enterprise High Performance Computing 15 SP5 SUSE Linux Enterprise High Performance Computing 15 SP6 SUSE Linux Enterprise Real Time 15 SP1 SUSE Linux Enterprise Real Time 15 SP2 SUSE Linux Enterprise Real Time 15 SP3 SUSE Linux Enterprise Real Time 15 SP4 SUSE Linux Enterprise Real Time 15 SP5 SUSE Linux Enterprise Server 15 SUSE Linux Enterprise Server 15 SP1 SUSE Linux Enterprise Server 15 SP2 SUSE Linux Enterprise Server 15 SP3 SUSE Linux Enterprise Server 15 SP4 SUSE Linux Enterprise Server 15 SP5 SUSE Linux Enterprise Server 15 SP6 SUSE Linux Enterprise Server for SAP Applications 15 SUSE Linux Enterprise Server for SAP Applications 15 SP1 SUSE Linux Enterprise Server for SAP Applications 15 SP2 SUSE Linux Enterprise Server for SAP Applications 15 SP3 SUSE Linux Enterprise Server for SAP Applications 15 SP4 SUSE Linux Enterprise Server for SAP Applications 15 SP5 SUSE Linux Enterprise Server for SAP Applications 15 SP6 SUSE Manager Client Tools for SLE 15

An update that solves four vulnerabilities and has four fixes can now be installed.

Description:

This update fixes the following issues:

venv-salt-minion:

Make sure SaltCacheLoader use correct fileclient (bsc#1199149)
Fix the regression caused by the patch removing strict requirement for OpenSSL 1.1.1 leading to read/write issues with ssl module for SLE 15, SLE 12, CentOS 7, Debian 9 (bsc#1198556)
Fix salt-ssh opts poisoning (bsc#1197637)
Fix multiple security issues (bsc#1197417)
CVE-2022-22935: Sign authentication replies to prevent MiTM.
CVE-2022-22934: Sign pillar data to prevent MiTM attacks.
CVE-2022-22936: Prevent job and fileserver replays.
CVE-2022-22941: Fixed targeting bug, especially visible when using syndic and user auth.
Salt version bump to 3004
Python version bump to 3.10.2
Clear network interfaces cache on grains request (bsc#1196050)
Add salt-ssh with Salt Bundle support (venv-salt-minion) (bsc#1182851, bsc#1196432)
Restrict "state.orchestrate_single" to pass a pillar value if it exists (bsc#1194632)

Special Instructions and Notes:

Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

SUSE Manager Client Tools for SLE 15
zypper in -t patch SUSE-SLE-Manager-Tools-15-2022-2042=1

Package List:

SUSE Manager Client Tools for SLE 15 (aarch64 ppc64le s390x x86_64)
- venv-salt-minion-3004-150000.3.8.1

Feature update for SUSE Manager Salt Bundle

Description:

Special Instructions and Notes:

Patch Instructions:

Package List:

References: