SUSE_ALP_Standard/patchinfo.20241028101016238270.90520733218749/_patchinfo

<patchinfo incident="96">
  <!-- generated from request(s) 348086, 347897, 347898, 347899, 347900, 347901, 347902, 347903, 347905, 347907, 349520, 349859 -->
  <issue tracker="ijsc" id="MSQA-863"/>
  <issue tracker="bnc" id="1219041">SLE-Micro 5.5 Error message when starting venv-salt-minion:  SELinux is preventing su from using the transition access on a process</issue>
  <issue tracker="bnc" id="1220357">SLE Micro: Different behavior for Salt SSH minions when classic Salt or venv-salt-minion is already installed</issue>
  <issue tracker="bnc" id="1222842">VUL-0: CVE-2024-3651: python-idna: python-idna: potential DoS via resource consumption via specially crafted inputs to idna.encode()</issue>
  <issue tracker="bnc" id="1226141">Image inspection fails on built container image with code 2</issue>
  <issue tracker="bnc" id="1226447">VUL-0: CVE-2024-0397: python,python3,python310,python311,python312,python36,python39: memory race condition in ssl.SSLContext certificate store methods</issue>
  <issue tracker="bnc" id="1226448">VUL-0: CVE-2024-4032: python,python3,python310,python311,python312,python36,python39: incorrect IPv4 and IPv6 private ranges</issue>
  <issue tracker="bnc" id="1226469">VUL-0: CVE-2024-37891: python-urllib3: proxy-authorization request header is not stripped during cross-origin redirects</issue>
  <issue tracker="bnc" id="1227547">VUL-0: CVE-2024-5569: python-zipp: A Denial of Service (DoS) vulnerability exists in the jaraco/zipp library, affecting all versions prior to 3.19.1. The vulnerability is triggered when processing a specially crafted zip file that leads to an infinit ...</issue>
  <issue tracker="bnc" id="1228105">VUL-0: CVE-2024-6345: python-setuptools: code execution via download functions in the package_index module in pypa/setuptools</issue>
  <issue tracker="bnc" id="1228780">VUL-0: CVE-2024-6923: python,python3,python310,python311,python312,python36,python39: CPython : Email header injection due to unquoted newlines</issue>
  <issue tracker="bnc" id="1229109">python3-salt is missing a 'def...' code for salt-cloud Window</issue>
  <issue tracker="bnc" id="1229539">venv-salt-minion service fails to start on  the minion</issue>
  <issue tracker="bnc" id="1229654">VUL-0: CVE-2024-37891: venv-salt-minion: python-urllib3: proxy-authorization request header is not stripped during cross-origin redirects</issue>
  <issue tracker="bnc" id="1229704">VUL-0: CVE-2024-8088: python310,python311,python312,python39: denial of service in zipfile</issue>
  <issue tracker="bnc" id="1229873">PTF for python CVE-2024-7592</issue>
  <issue tracker="bnc" id="1229994">VUL-0: CVE-2024-3651: venv-salt-minion: python-idna: potential DoS via resource consumption via specially crafted inputs to idna.encode()</issue>
  <issue tracker="bnc" id="1229995">VUL-0: CVE-2024-6345: venv-salt-minion: python-setuptools: code execution via download functions in the package_index module in pypa/setuptools</issue>
  <issue tracker="bnc" id="1229996">VUL-0: CVE-2024-5569: venv-salt-minion: python-zipp: A Denial of Service (DoS) vulnerability exists in the jaraco/zipp library, affecting all versions prior to 3.19.1. The vulnerability is triggered when processing a specially crafted zip file</issue>
  <issue tracker="bnc" id="1230058">VUL-0: CVE-2024-8088: venv-salt-minion: python310,python311,python312,python39: denial of service in zipfile</issue>
  <issue tracker="bnc" id="1230059">VUL-0: CVE-2024-7592: venv-salt-minion: python, cpython: Uncontrolled CPU resource consumption when in http.cookies module</issue>
  <issue tracker="bnc" id="1230322">Exceptions with salt reactor</issue>
  <issue tracker="bnc" id="1231045">L3: System List screen status icon is not updating accurately if "reboot required" flag is present.</issue>
  <issue tracker="bnc" id="1231497">VUL-0: CVE-2024-22037: SUMA: Database password leaked by systemd uyuni-server-attestation service</issue>
  <issue tracker="bnc" id="1231568">Redacting JSESSIONID and pxt-session-cookie from the installation log</issue>
  <issue tracker="bnc" id="1231697">L3: manual execution of zypper commands is not indicated in Events -> History on 15SP6 clients</issue>
  <issue tracker="cve" id="2024-0397"/>
  <issue tracker="cve" id="2024-22037"/>
  <issue tracker="cve" id="2024-3651"/>
  <issue tracker="cve" id="2024-37891"/>
  <issue tracker="cve" id="2024-4032"/>
  <issue tracker="cve" id="2024-5569"/>
  <issue tracker="cve" id="2024-6345"/>
  <issue tracker="cve" id="2024-6923"/>
  <issue tracker="cve" id="2024-7592"/>
  <issue tracker="cve" id="2024-8088"/>
  <packager>deneb_alpha</packager>
  <rating>important</rating>
  <category>security</category>
  <summary>Security update for SUSE Manager Client Tools and Salt Bundle</summary>
  <description>This update for SUSE Manager Client Tools and Salt Bundle the following issues:

uyuni-tools:

- Security issues fixed:

  * Version 0.1.24-0
    * CVE-2024-22037: Use podman secret to store the database credentials (bsc#1231497)

- Other bugs fixed:

  * Version 0.1.24-0
    * Redact JSESSIONID and pxt-session-cookie values from logs and console output (bsc#1231568)

venv-salt-minion:

- Security fixes on Python 3.11 interpreter:

  * CVE-2024-7592: Fixed quadratic complexity in parsing -quoted cookie values with backslashes
    (bsc#1229873, bsc#1230059)
  * CVE-2024-8088: Prevent malformed payload to cause infinite loops in zipfile.Path (bsc#1229704, bsc#1230058)
  * CVE-2024-6923: Prevent email header injection due to unquoted newlines (bsc#1228780)
  * CVE-2024-4032: Rearranging definition of private global IP addresses (bsc#1226448)
  * CVE-2024-0397: ssl.SSLContext.cert_store_stats() and ssl.SSLContext.get_ca_certs() now correctly lock access to the
    certificate store, when the ssl.SSLContext is shared across multiple threads (bsc#1226447)

- Security fixes on Python dependencies:

  * CVE-2024-5569: zipp: Fixed a Denial of Service (DoS) vulnerability in the jaraco/zipp library
    (bsc#1227547, bsc#1229996)
  * CVE-2024-6345: setuptools: Sanitize any VCS URL used for download (bsc#1228105, bsc#1229995)
  * CVE-2024-3651: idna: Fix a potential DoS via resource consumption via specially crafted inputs to idna.encode()
    (bsc#1222842, bsc#1229994)
  * CVE-2024-37891: urllib3: Added the ``Proxy-Authorization`` header to the list of headers to strip from requests
    when redirecting to a different host (bsc#1226469, bsc#1229654)

- Other bugs fixed:

  * Added passlib Python module to the bundle
  * Allow NamedLoaderContexts to be returned from loader
  * Avoid crash on wrong output of systemctl version (bsc#1229539)
  * Avoid explicit reading of /etc/salt/minion (bsc#1220357)
  * Enable post_start_cleanup.sh to work in a transaction
  * Fixed cloud Minion configuration for multiple Masters (bsc#1229109)
  * Fixed failing x509 tests with OpenSSL &lt; 1.1 
  * Fixed the SELinux context for Salt Minion service (bsc#1219041)
  * Fixed zyppnotify plugin after latest zypp/libzypp upgrades (bsc#1231697, bsc#1231045)
  * Improved error handling with different OpenSSL versions
  * Increase warn_until_date date for code we still support
  * Prevent using SyncWrapper with no reason
  * Reverted the change making reactor less blocking (bsc#1230322)
  * Use --cachedir for extension_modules in salt-call (bsc#1226141)
  * Use Pygit2 id instead of deprecated oid in gitfs

</description>
  <package>saltbundlepy</package>
  <package>saltbundlepy-cryptography</package>
  <package>saltbundlepy-docker</package>
  <package>saltbundlepy-idna</package>
  <package>saltbundlepy-passlib</package>
  <package>saltbundlepy-passlib:test</package>
  <package>saltbundlepy-setuptools</package>
  <package>saltbundlepy-urllib3</package>
  <package>saltbundlepy-zipp</package>
  <package>saltbundlepy-zypp-plugin</package>
  <package>saltbundlepy:base</package>
  <package>uyuni-tools</package>
  <package>venv-salt-minion</package>
  <seperate_build_arch/>
  <zypp_restart_needed/>
</patchinfo>