[Git][security-tracker-team/security-tracker][master] 2 commits: Mark Buster issues in Salt as fixed in version 2018.3.4+dfsg1-6+deb10u3

Markus Koschany (@apo) apo at debian.org
Fri Nov 19 11:11:10 GMT 2021 


Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker


Commits:
27a14d6b by Markus Koschany at 2021-11-19T12:09:17+01:00
Mark Buster issues in Salt as fixed in version 2018.3.4+dfsg1-6+deb10u3

- - - - -
55045117 by Markus Koschany at 2021-11-19T12:10:36+01:00
Reserve DSA-5011-1 for salt

- - - - -


3 changed files:

- data/CVE/list
- data/DSA/list
- data/dsa-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -33216,6 +33216,7 @@ CVE-2021-31608
 CVE-2021-31607 (In SaltStack Salt 2016.9 through 3002.6, a command injection vulnerabi ...)
 	{DLA-2815-1}
 	- salt 3002.6+dfsg1-2 (bug #987496)
+	[buster] - salt 2018.3.4+dfsg1-6+deb10u3
 	NOTE: https://sec.stealthcopter.com/saltstack-snapper-minion-privledge-escaltion/
 CVE-2021-31606 (furlongm openvpn-monitor through 1.1.3 allows Authorization Bypass to  ...)
 	NOT-FOR-US: openvpn-monitor
@@ -48285,6 +48286,7 @@ CVE-2019-25015 (LuCI in OpenWrt 18.06.0 through 18.06.4 allows stored XSS via a
 CVE-2021-3197 (An issue was discovered in SaltStack Salt before 3002.5. The salt-api' ...)
 	{DLA-2815-1}
 	- salt 3002.5+dfsg1-1 (bug #983632)
+	[buster] - salt 2018.3.4+dfsg1-6+deb10u3
 	NOTE: https://saltproject.io/security_announcements/active-saltstack-cve-release-2021-feb-25/
 CVE-2021-3196 (An issue was discovered in Hitachi ID Bravura Security Fabric 11.0.0 t ...)
 	NOT-FOR-US: Hitachi ID Bravura Security Fabric
@@ -49276,18 +49278,22 @@ CVE-2021-25285
 CVE-2021-25284 (An issue was discovered in through SaltStack Salt before 3002.5. salt. ...)
 	{DLA-2815-1}
 	- salt 3002.5+dfsg1-1 (bug #983632)
+	[buster] - salt 2018.3.4+dfsg1-6+deb10u3
 	NOTE: https://saltproject.io/security_announcements/active-saltstack-cve-release-2021-feb-25/
 CVE-2021-25283 (An issue was discovered in through SaltStack Salt before 3002.5. The j ...)
 	{DLA-2815-1}
 	- salt 3002.5+dfsg1-1 (bug #983632)
+	[buster] - salt 2018.3.4+dfsg1-6+deb10u3
 	NOTE: https://saltproject.io/security_announcements/active-saltstack-cve-release-2021-feb-25/
 CVE-2021-25282 (An issue was discovered in through SaltStack Salt before 3002.5. The s ...)
 	{DLA-2815-1}
 	- salt 3002.5+dfsg1-1 (bug #983632)
+	[buster] - salt 2018.3.4+dfsg1-6+deb10u3
 	NOTE: https://saltproject.io/security_announcements/active-saltstack-cve-release-2021-feb-25/
 CVE-2021-25281 (An issue was discovered in through SaltStack Salt before 3002.5. salt- ...)
 	{DLA-2815-1}
 	- salt 3002.5+dfsg1-1 (bug #983632)
+	[buster] - salt 2018.3.4+dfsg1-6+deb10u3
 	NOTE: https://saltproject.io/security_announcements/active-saltstack-cve-release-2021-feb-25/
 CVE-2021-XXXX [SQL Server LIMIT / OFFSET SQL Injection]
 	- php-laravel-framework 6.20.14+dfsg-2 (bug #987831)
@@ -49540,6 +49546,7 @@ CVE-2021-3149 (On Netshield NANO 25 10.2.18 devices, /usr/local/webmin/System/ma
 CVE-2021-3148 (An issue was discovered in SaltStack Salt before 3002.5. Sending craft ...)
 	{DLA-2815-1}
 	- salt 3002.5+dfsg1-1 (bug #983632)
+	[buster] - salt 2018.3.4+dfsg1-6+deb10u3
 	NOTE: https://saltproject.io/security_announcements/active-saltstack-cve-release-2021-feb-25/
 CVE-2021-3147
 	RESERVED
@@ -51729,6 +51736,7 @@ CVE-2021-3145 (In Ionic Identity Vault before 5, a local root attacker on an And
 CVE-2021-3144 (In SaltStack Salt before 3002.5, eauth tokens can be used once after e ...)
 	{DLA-2815-1}
 	- salt 3002.5+dfsg1-1 (bug #983632)
+	[buster] - salt 2018.3.4+dfsg1-6+deb10u3
 	NOTE: https://saltproject.io/security_announcements/active-saltstack-cve-release-2021-feb-25/
 CVE-2021-3143
 	RESERVED
@@ -59279,6 +59287,7 @@ CVE-2020-35663
 CVE-2020-35662 (In SaltStack Salt before 3002.5, when authenticating to services using ...)
 	{DLA-2815-1}
 	- salt 3002.5+dfsg1-1 (bug #983632)
+	[buster] - salt 2018.3.4+dfsg1-6+deb10u3
 	NOTE: https://saltproject.io/security_announcements/active-saltstack-cve-release-2021-feb-25/
 CVE-2020-35661
 	RESERVED
@@ -67939,6 +67948,7 @@ CVE-2020-28973 (The ABUS Secvest wireless alarm system FUAA50000 (v3.01.17) fail
 CVE-2020-28972 (In SaltStack Salt before 3002.5, authentication to VMware vcenter, vsp ...)
 	{DLA-2815-1}
 	- salt 3002.5+dfsg1-1 (bug #983632)
+	[buster] - salt 2018.3.4+dfsg1-6+deb10u3
 	NOTE: https://saltproject.io/security_announcements/active-saltstack-cve-release-2021-feb-25/
 CVE-2020-26235 (In Rust time crate from version 0.2.7 and before version 0.2.23, unix- ...)
 	- rust-time <not-affected> (Vulnerable methods introduced in v0.2.7)
@@ -72456,6 +72466,7 @@ CVE-2020-28244
 CVE-2020-28243 (An issue was discovered in SaltStack Salt before 3002.5. The minion's  ...)
 	{DLA-2815-1}
 	- salt 3002.5+dfsg1-1 (bug #983632)
+	[buster] - salt 2018.3.4+dfsg1-6+deb10u3
 	NOTE: https://saltproject.io/security_announcements/active-saltstack-cve-release-2021-feb-25/
 CVE-2020-28242 (An issue was discovered in Asterisk Open Source 13.x before 13.37.1, 1 ...)
 	- asterisk 1:16.15.0~dfsg-1 (bug #974713)


=====================================
data/DSA/list
=====================================
@@ -1,3 +1,7 @@
+[19 Nov 2021] DSA-5011-1 salt - security update
+	{CVE-2021-21996}
+	[buster] - salt 2018.3.4+dfsg1-6+deb10u3
+	[bullseye] - salt 3002.6+dfsg1-4+deb11u1
 [15 Nov 2021] DSA-5010-1 libxml-security-java - security update
 	{CVE-2021-40690}
 	[buster] - libxml-security-java 2.0.10-2+deb10u1


=====================================
data/dsa-needed.txt
=====================================
@@ -43,8 +43,6 @@ rabbitmq-server
 --
 runc
 --
-salt (apo)
---
 samba/oldstable (carnil)
   We will likely only address the 'min domain uid' patch, the fixes for the CVEs
   are otherwise quite intrusive.



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/12e730cc029ad1d1ac35dfc48c40eb87481b3b94...5504511792f40b57b9995ffa0d3ecde7650bd31e

-- 
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/12e730cc029ad1d1ac35dfc48c40eb87481b3b94...5504511792f40b57b9995ffa0d3ecde7650bd31e
You're receiving this email because of your account on salsa.debian.org.


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/debian-security-tracker-commits/attachments/20211119/24c6b333/attachment-0001.htm>

More information about the debian-security-tracker-commits mailing list