Source: salt
Version: 3004+dfsg1-10
Severity: grave
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>

Hi,

The following vulnerabilities were published for salt.

CVE-2022-22934[0]:
| An issue was discovered in SaltStack Salt in versions before 3002.8,
| 3003.4, 3004.1. Salt Masters do not sign pillar data with the
| minion's public key, which can result in attackers
| substituting arbitrary pillar data.

CVE-2022-22935[1]:
| An issue was discovered in SaltStack Salt in versions before 3002.8,
| 3003.4, 3004.1. A minion authentication denial of service can cause a
| MiTM attacker to force a minion process to stop by impersonating a
| master.

CVE-2022-22936[2]:
| An issue was discovered in SaltStack Salt in versions before 3002.8,
| 3003.4, 3004.1. Job publishes and file server replies are susceptible
| to replay attacks, which can result in an attacker replaying job
| publishes causing minions to run old jobs. File server replies can
| also be re-played. A sufficient craft attacker could gain root access
| on minion under certain scenarios.

CVE-2022-22941[3]:
| An issue was discovered in SaltStack Salt in versions before 3002.8,
| 3003.4, 3004.1. When configured as a Master-of-Masters, with a
| publisher_acl, if a user configured in the publisher_acl targets any
| minion connected to the Syndic, the Salt Master incorrectly
| interpreted no valid targets as valid, allowing configured users to
| target any of the minions connected to the syndic with their
| configured commands. This requires a syndic master combined with
| publisher_acl configured on the Master-of-Masters, allowing users
| specified in the publisher_acl to bypass permissions, publishing
| authorized commands to any configured minion.

See [4] for the announce.

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2022-22934
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22934
[1] https://security-tracker.debian.org/tracker/CVE-2022-22935
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22935
[2] https://security-tracker.debian.org/tracker/CVE-2022-22936
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22936
[3] https://security-tracker.debian.org/tracker/CVE-2022-22941
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22941
[4] https://saltproject.io/security_announcements/salt-security-advisory-release/

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
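The advisory quoted in this report names one fixed release per supported branch (3002.8, 3003.4, 3004.1). As an added example that is not part of this bug report or of Salt's own code, the following Python helper maps a version string, including a Debian package version such as the 3004+dfsg1-10 reported here, to its upstream branch and reports whether it is at or past that branch's fixed release. The branch table comes from the advisory text; treating branches newer than 3004 as fixed and branches older than 3002 as affected is an assumption drawn from the "before 3002.8" wording. A distribution package can also carry a backported fix without an upstream version bump, so this is a first triage of an installed version, not a substitute for checking the package changelog for the CVE ids.

```python
import re

# CVE ids covered by the advisory (from the report above).
CVES = ["CVE-2022-22934", "CVE-2022-22935", "CVE-2022-22936", "CVE-2022-22941"]

# First fixed release on each branch, keyed by the branch's major number.
# Assumption: the advisory fixes exactly these three branches.
FIXED = {3002: (3002, 8), 3003: (3003, 4), 3004: (3004, 1)}

# Salt versions are <four-digit major>[.<minor>]; Debian appends "+dfsg1-10"
# style suffixes, which this pattern deliberately ignores.
_VERSION_RE = re.compile(r"^(\d{4})(?:\.(\d+))?")


def parse_upstream_version(version):
    """Return (major, minor) from "3004.1" or "3004+dfsg1-10"; a bare "3004" is minor 0."""
    match = _VERSION_RE.match(version.strip())
    if not match:
        raise ValueError(f"unrecognised Salt version: {version!r}")
    return int(match.group(1)), int(match.group(2) or 0)


def is_fixed(version):
    """True if the upstream version is at or past the advisory's fix for its branch."""
    major, minor = parse_upstream_version(version)
    if major in FIXED:
        return (major, minor) >= FIXED[major]
    # Assumption: branches after 3004 postdate the advisory and ship the fix;
    # branches before 3002 are below every fixed release and count as affected.
    return major > 3004


def affected_cves(version):
    """List the advisory's CVE ids that apply to this upstream version (empty if fixed)."""
    return [] if is_fixed(version) else list(CVES)


if __name__ == "__main__":
    # Constructed sample inputs: the reported Debian version and a few upstream ones.
    for v in ["3004+dfsg1-10", "3004.1", "3003.3", "3003.4", "3002.7", "3002.8", "3001.8", "3005"]:
        status = "fixed" if is_fixed(v) else "affected: " + ", ".join(affected_cves(v))
        print(f"{v:16} {status}")
```

Run it against the output of `salt --version` or the package version from `dpkg -s salt-common`; an "affected" result means the upstream number is below the fix, and the Debian changelog should then be checked for the CVE ids before concluding the package is vulnerable.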