Debian Bug report logs - #1008945
salt: CVE-2022-22934 CVE-2022-22935 CVE-2022-22936 CVE-2022-22941

Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Mon, 4 Apr 2022 19:45:02 UTC

Severity: grave

Tags: security, upstream

Found in version salt/3004+dfsg1-10

Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, Debian Salt Team <pkg-salt-team@alioth-lists.debian.net>:
Bug#1008945; Package src:salt. (Mon, 04 Apr 2022 19:45:03 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, Debian Salt Team <pkg-salt-team@alioth-lists.debian.net>. (Mon, 04 Apr 2022 19:45:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: salt: CVE-2022-22934 CVE-2022-22935 CVE-2022-22936 CVE-2022-22941
Date: Mon, 04 Apr 2022 21:41:34 +0200
Source: salt
Version: 3004+dfsg1-10
Severity: grave
Tags: security upstream
X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>

Hi,

The following vulnerabilities were published for salt.

CVE-2022-22934[0]:
| An issue was discovered in SaltStack Salt in versions before 3002.8,
| 3003.4, 3004.1. Salt Masters do not sign pillar data with the
| minion's public key, which can result in attackers
| substituting arbitrary pillar data.


CVE-2022-22935[1]:
| An issue was discovered in SaltStack Salt in versions before 3002.8,
| 3003.4, 3004.1. A minion authentication denial of service can cause a
| MiTM attacker to force a minion process to stop by impersonating a
| master.


CVE-2022-22936[2]:
| An issue was discovered in SaltStack Salt in versions before 3002.8,
| 3003.4, 3004.1. Job publishes and file server replies are susceptible
| to replay attacks, which can result in an attacker replaying job
| publishes causing minions to run old jobs. File server replies can
| also be re-played. A sufficiently crafty attacker could gain root access
| on a minion under certain scenarios.


CVE-2022-22941[3]:
| An issue was discovered in SaltStack Salt in versions before 3002.8,
| 3003.4, 3004.1. When configured as a Master-of-Masters, with a
| publisher_acl, if a user configured in the publisher_acl targets any
| minion connected to the Syndic, the Salt Master incorrectly
| interpreted no valid targets as valid, allowing configured users to
| target any of the minions connected to the syndic with their
| configured commands. This requires a syndic master combined with
| publisher_acl configured on the Master-of-Masters, allowing users
| specified in the publisher_acl to bypass permissions, publishing
| authorized commands to any configured minion.

See [4] for the announce.

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2022-22934
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22934
[1] https://security-tracker.debian.org/tracker/CVE-2022-22935
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22935
[2] https://security-tracker.debian.org/tracker/CVE-2022-22936
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22936
[3] https://security-tracker.debian.org/tracker/CVE-2022-22941
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22941
[4] https://saltproject.io/security_announcements/salt-security-advisory-release/

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Tue Apr 5 13:10:01 2022; Machine Name: buxtehude