SUSE_ALP_Standard/patchinfo.20241009033558691984.90520733218749/_patchinfo

95 lines
6.8 KiB
Plaintext
Raw Normal View History

<patchinfo>
<!-- generated from request(s) 347896, 347897, 347898, 347899, 347900, 347901, 347902, 347903, 347905, 347907 -->
<issue tracker="ijsc" id="MSQA-863"/>
<issue tracker="bnc" id="1219041">SLE-Micro 5.5 Error message when starting venv-salt-minion: SELinux is preventing su from using the transition access on a process</issue>
<issue tracker="bnc" id="1220357">SLE Micro: Different behavior for Salt SSH minions when classic Salt or venv-salt-minion is already installed</issue>
<issue tracker="bnc" id="1222842">VUL-0: CVE-2024-3651: python-idna: python-idna: potential DoS via resource consumption via specially crafted inputs to idna.encode()</issue>
<issue tracker="bnc" id="1226141">Image inspection fails on built container image with code 2</issue>
<issue tracker="bnc" id="1226447">VUL-0: CVE-2024-0397: python,python3,python310,python311,python312,python36,python39: memory race condition in ssl.SSLContext certificate store methods</issue>
<issue tracker="bnc" id="1226448">VUL-0: CVE-2024-4032: python,python3,python310,python311,python312,python36,python39: incorrect IPv4 and IPv6 private ranges</issue>
<issue tracker="bnc" id="1226469">VUL-0: CVE-2024-37891: python-urllib3: proxy-authorization request header is not stripped during cross-origin redirects</issue>
<issue tracker="bnc" id="1227547">VUL-0: CVE-2024-5569: python-zipp: A Denial of Service (DoS) vulnerability exists in the jaraco/zipp library, affecting all versions prior to 3.19.1. The vulnerability is triggered when processing a specially crafted zip file that leads to an infinit ...</issue>
<issue tracker="bnc" id="1228105">VUL-0: CVE-2024-6345: python-setuptools: code execution via download functions in the package_index module in pypa/setuptools</issue>
<issue tracker="bnc" id="1228780">VUL-0: CVE-2024-6923: python,python3,python310,python311,python312,python36,python39: CPython : Email header injection due to unquoted newlines</issue>
<issue tracker="bnc" id="1229109">python3-salt is missing a 'def...' code for salt-cloud Window</issue>
<issue tracker="bnc" id="1229539">venv-salt-minion service fails to start on the minion</issue>
<issue tracker="bnc" id="1229654">VUL-0: CVE-2024-37891: venv-salt-minion: python-urllib3: proxy-authorization request header is not stripped during cross-origin redirects</issue>
<issue tracker="bnc" id="1229704">VUL-0: CVE-2024-8088: python310,python311,python312,python39: denial of service in zipfile</issue>
<issue tracker="bnc" id="1229873">PTF for python CVE-2024-7592</issue>
<issue tracker="bnc" id="1229994">VUL-0: CVE-2024-3651: venv-salt-minion: python-idna: potential DoS via resource consumption via specially crafted inputs to idna.encode()</issue>
<issue tracker="bnc" id="1229995">VUL-0: CVE-2024-6345: venv-salt-minion: python-setuptools: code execution via download functions in the package_index module in pypa/setuptools</issue>
<issue tracker="bnc" id="1229996">VUL-0: CVE-2024-5569: venv-salt-minion: python-zipp: A Denial of Service (DoS) vulnerability exists in the jaraco/zipp library, affecting all versions prior to 3.19.1. The vulnerability is triggered when processing a specially crafted zip file</issue>
<issue tracker="bnc" id="1230058">VUL-0: CVE-2024-8088: venv-salt-minion: python310,python311,python312,python39: denial of service in zipfile</issue>
<issue tracker="bnc" id="1230059">VUL-0: CVE-2024-7592: venv-salt-minion: python, cpython: Uncontrolled CPU resource consumption when in http.cookies module</issue>
<issue tracker="bnc" id="1230322">Exceptions with salt reactor</issue>
<issue tracker="cve" id="2024-7592"/>
<issue tracker="cve" id="2024-8088"/>
<issue tracker="cve" id="2024-6923"/>
<issue tracker="cve" id="2024-4032"/>
<issue tracker="cve" id="2024-0397"/>
<issue tracker="cve" id="2024-5569"/>
<issue tracker="cve" id="2024-6345"/>
<issue tracker="cve" id="2024-3651"/>
<issue tracker="cve" id="2024-37891"/>
<packager>raulosuna</packager>
<rating>important</rating>
<category>security</category>
<summary>Security update for SUSE Manager Client Tools and Salt Bundle</summary>
<description>This update for SUSE Manager Client Tools and Salt Bundle the following issues:
uyuni-tools:
venv-salt-minion:
- Security fixes on Python 3.11 interpreter:
* CVE-2024-7592: Fixed quadratic complexity in parsing -quoted cookie values with backslashes
(bsc#1229873, bsc#1230059)
* CVE-2024-8088: Prevent malformed payload to cause infinite loops in zipfile.Path (bsc#1229704, bsc#1230058)
* CVE-2024-6923: Prevent email header injection due to unquoted newlines (bsc#1228780)
* CVE-2024-4032: Rearranging definition of private global IP addresses (bsc#1226448)
* CVE-2024-0397: ssl.SSLContext.cert_store_stats() and ssl.SSLContext.get_ca_certs() now correctly lock access to the
certificate store, when the ssl.SSLContext is shared across multiple threads (bsc#1226447)
- Security fixes on Python dependencies:
* CVE-2024-5569: zipp: Fixed a Denial of Service (DoS) vulnerability in the jaraco/zipp library (bsc#1227547, bsc#1229996)
* CVE-2024-6345: setuptools: Sanitize any VCS URL used for download (bsc#1228105, bsc#1229995)
* CVE-2024-3651: idna: Fix a potential DoS via resource consumption via specially crafted inputs to idna.encode()
(bsc#1222842, bsc#1229994)
* CVE-2024-37891: urllib3: Added the ``Proxy-Authorization`` header to the list of headers to strip from requests
when redirecting to a different host (bsc#1226469, bsc#1229654)
- Other bugs fixed:
* Fixed failing x509 tests with OpenSSL &lt; 1.1
* Avoid explicit reading of /etc/salt/minion (bsc#1220357)
* Allow NamedLoaderContexts to be returned from loader
* Reverted the change making reactor less blocking (bsc#1230322)
* Use --cachedir for extension_modules in salt-call (bsc#1226141)
* Prevent using SyncWrapper with no reason
* Enable post_start_cleanup.sh to work in a transaction
* Fixed the SELinux context for Salt Minion service (bsc#1219041)
* Increase warn_until_date date for code we still support
* Avoid crash on wrong output of systemctl version (bsc#1229539)
* Improved error handling with different OpenSSL versions
* Fixed cloud Minion configuration for multiple Masters (bsc#1229109)
* Use Pygit2 id instead of deprecated oid in gitfs
* Added passlib Python module to the bundle
</description>
<package>saltbundlepy</package>
<package>saltbundlepy-cryptography</package>
<package>saltbundlepy-docker</package>
<package>saltbundlepy-idna</package>
<package>saltbundlepy-passlib</package>
<package>saltbundlepy-passlib:test</package>
<package>saltbundlepy-setuptools</package>
<package>saltbundlepy-urllib3</package>
<package>saltbundlepy-zipp</package>
<package>saltbundlepy:base</package>
<package>uyuni-tools</package>
<package>venv-salt-minion</package>
<seperate_build_arch/>
<zypp_restart_needed/>
</patchinfo>