Source: salt
Version: 3004.1+dfsg-2.2
Severity: grave
Tags: security upstream
Justification: user security hole
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>
Hi,

The following vulnerabilities were published for salt.

CVE-2023-20897[0]:
| Salt masters prior to 3005.2 or 3006.2 contain a DOS in minion
| return. After receiving several bad packets on the request server
| equal to the number of worker threads, the master will become
| unresponsive to return requests until restarted.

CVE-2023-20898[1]:
| Git Providers can read from the wrong environment because they get
| the same cache directory base name in Salt masters prior to 3005.2
| or 3006.2. Anything that uses Git Providers with different
| environments can get garbage data or the wrong data, which can lead
| to wrongful data disclosure, wrongful executions, data corruption
| and/or crash.

If you fix the vulnerabilities, please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-20897
    https://www.cve.org/CVERecord?id=CVE-2023-20897
[1] https://security-tracker.debian.org/tracker/CVE-2023-20898
    https://www.cve.org/CVERecord?id=CVE-2023-20898
[2] https://saltproject.io/security-announcements/2023-08-10-advisory/

Regards,
Salvatore
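A triage helper, added here as an example (it is not part of the bug report or of the Salt project), that flags hosts whose reported Salt version predates the fixed 3005.2 / 3006.2 releases named above. It assumes that branches newer than 3006 carry the fix and that a Debian package version like `3004.1+dfsg-2.2` is compared on its upstream part only; a distribution may backport the fix without changing that upstream version, so treat the result as a hint for follow-up, not a verdict.

```python
import re
from typing import Dict, List, Tuple

# Fixed upstream releases named in the advisory for
# CVE-2023-20897 and CVE-2023-20898: 3005.2 and 3006.2.
FIXED_BRANCHES = {3005: 2, 3006: 2}

# Optional Debian epoch ("1:"), then MAJOR.MINOR; anything after the
# minor number (e.g. "+dfsg-2.2") is a packaging suffix and is ignored.
_VERSION_RE = re.compile(r"^(?:\d+:)?(\d+)\.(\d+)")


def upstream_version(version: str) -> Tuple[int, int]:
    """Extract (major, minor) from a plain or Debian-style Salt version."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Salt version: {version!r}")
    return int(m.group(1)), int(m.group(2))


def is_affected(version: str) -> bool:
    """True if the upstream release is older than the fixed 3005.2 / 3006.2.

    Branches older than 3005 never received the fix, so they are always
    reported as affected. Branches newer than 3006 are assumed (not
    stated in the advisory) to include the fix. A distro backport that
    keeps the upstream version is not detected here.
    """
    major, minor = upstream_version(version)
    if major < 3005:
        return True
    if major in FIXED_BRANCHES:
        return minor < FIXED_BRANCHES[major]
    return False


def triage(hosts: Dict[str, str]) -> List[str]:
    """Return, sorted, the names of hosts whose Salt version is affected."""
    return sorted(name for name, ver in hosts.items() if is_affected(ver))


if __name__ == "__main__":
    # Constructed sample inventory of host -> reported Salt version.
    sample = {"master-a": "3004.1+dfsg-2.2", "master-b": "3005.2",
              "master-c": "3006.1", "master-d": "3006.2"}
    print(triage(sample))  # ['master-a', 'master-c']
```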