Debian 10261 Published by

A salt security update has been released for Debian GNU/Linux 8 Extended LTS to address multiple security vulnerabilities.



ELA-537-1 salt security update

Package salt
Version 2014.1.13+ds-3+deb8u2
Related CVEs CVE-2020-16846 CVE-2020-17490 CVE-2020-35662 CVE-2021-3197 CVE-2021-21996 CVE-2021-25282 CVE-2021-25283 CVE-2021-25284

Multiple security vulnerabilities have been discovered in Salt, a powerful remote execution manager, that allow for local privilege escalation on a minion, server side template injection attacks, shell and command injections or incorrect validation of SSL certificates.

CVE-2020-16846

Sending crafted web requests to the Salt API, with the SSH client enabled, can result in shell injection.

CVE-2020-17490

The TLS module creates certificates with weak file permissions.

CVE-2020-35662

When authenticating to services using certain modules, the SSL certificate is not always validated.

CVE-2021-3197

The salt-api’s ssh client is vulnerable to a shell injection by including ProxyCommand in an argument, or via ssh_options provided in an API request.

CVE-2021-21996

A user who has control of the source, and source_hash URLs can gain full file system access as root on a salt minion.

CVE-2021-25282

The salt.wheel.pillar_roots.write method is vulnerable to directory traversal.

CVE-2021-25283

The jinja renderer does not protect against server side template injection attacks.

CVE-2021-25284

salt.modules.cmdmod can log credentials to the info or error log level.

For Debian 8 jessie, these problems have been fixed in version 2014.1.13+ds-3+deb8u2.

We recommend that you upgrade your salt packages.

Further information about Extended LTS security advisories can be found at: https://deb.freexian.com/extended-lts/

  ELA-537-1 salt security update