diff --git a/patchinfo.20241009033558691984.90520733218749/_patchinfo b/patchinfo.20241009033558691984.90520733218749/_patchinfo new file mode 100644 index 0000000..95235b8 --- /dev/null +++ b/patchinfo.20241009033558691984.90520733218749/_patchinfo 
@@ -0,0 +1,94 @@ + + + + SLE-Micro 5.5 Error message when starting venv-salt-minion: SELinux is preventing su from using the transition access on a process + SLE Micro: Different behavior for Salt SSH minions when classic Salt or venv-salt-minion is already installed + VUL-0: CVE-2024-3651: python-idna: python-idna: potential DoS via resource consumption via specially crafted inputs to idna.encode() + Image inspection fails on built container image with code 2 + VUL-0: CVE-2024-0397: python,python3,python310,python311,python312,python36,python39: memory race condition in ssl.SSLContext certificate store methods + VUL-0: CVE-2024-4032: python,python3,python310,python311,python312,python36,python39: incorrect IPv4 and IPv6 private ranges + VUL-0: CVE-2024-37891: python-urllib3: proxy-authorization request header is not stripped during cross-origin redirects + VUL-0: CVE-2024-5569: python-zipp: A Denial of Service (DoS) vulnerability exists in the jaraco/zipp library, affecting all versions prior to 3.19.1. The vulnerability is triggered when processing a specially crafted zip file that leads to an infinit ... + VUL-0: CVE-2024-6345: python-setuptools: code execution via download functions in the package_index module in pypa/setuptools + VUL-0: CVE-2024-6923: python,python3,python310,python311,python312,python36,python39: CPython : Email header injection due to unquoted newlines + python3-salt is missing a 'def...' 
code for salt-cloud Window + venv-salt-minion service fails to start on the minion + VUL-0: CVE-2024-37891: venv-salt-minion: python-urllib3: proxy-authorization request header is not stripped during cross-origin redirects + VUL-0: CVE-2024-8088: python310,python311,python312,python39: denial of service in zipfile + PTF for python CVE-2024-7592 + VUL-0: CVE-2024-3651: venv-salt-minion: python-idna: potential DoS via resource consumption via specially crafted inputs to idna.encode() + VUL-0: CVE-2024-6345: venv-salt-minion: python-setuptools: code execution via download functions in the package_index module in pypa/setuptools + VUL-0: CVE-2024-5569: venv-salt-minion: python-zipp: A Denial of Service (DoS) vulnerability exists in the jaraco/zipp library, affecting all versions prior to 3.19.1. The vulnerability is triggered when processing a specially crafted zip file + VUL-0: CVE-2024-8088: venv-salt-minion: python310,python311,python312,python39: denial of service in zipfile + VUL-0: CVE-2024-7592: venv-salt-minion: python, cpython: Uncontrolled CPU resource consumption when in http.cookies module + Exceptions with salt reactor + + + + + + + + + + raulosuna + important + security + Security update for SUSE Manager Client Tools and Salt Bundle + This update for SUSE Manager Client Tools and Salt Bundle the following issues: + +uyuni-tools: + +venv-salt-minion: + +- Security fixes on Python 3.11 interpreter: + + * CVE-2024-7592: Fixed quadratic complexity in parsing -quoted cookie values with backslashes + (bsc#1229873, bsc#1230059) + * CVE-2024-8088: Prevent malformed payload to cause infinite loops in zipfile.Path (bsc#1229704, bsc#1230058) + * CVE-2024-6923: Prevent email header injection due to unquoted newlines (bsc#1228780) + * CVE-2024-4032: Rearranging definition of private global IP addresses (bsc#1226448) + * CVE-2024-0397: ssl.SSLContext.cert_store_stats() and ssl.SSLContext.get_ca_certs() now correctly lock access to the + certificate store, when the 
ssl.SSLContext is shared across multiple threads (bsc#1226447) + +- Security fixes on Python dependencies: + + * CVE-2024-5569: zipp: Fixed a Denial of Service (DoS) vulnerability in the jaraco/zipp library (bsc#1227547, bsc#1229996) + * CVE-2024-6345: setuptools: Sanitize any VCS URL used for download (bsc#1228105, bsc#1229995) + * CVE-2024-3651: idna: Fix a potential DoS via resource consumption via specially crafted inputs to idna.encode() + (bsc#1222842, bsc#1229994) + * CVE-2024-37891: urllib3: Added the ``Proxy-Authorization`` header to the list of headers to strip from requests + when redirecting to a different host (bsc#1226469, bsc#1229654) + +- Other bugs fixed: + + * Fixed failing x509 tests with OpenSSL < 1.1 + * Avoid explicit reading of /etc/salt/minion (bsc#1220357) + * Allow NamedLoaderContexts to be returned from loader + * Reverted the change making reactor less blocking (bsc#1230322) + * Use --cachedir for extension_modules in salt-call (bsc#1226141) + * Prevent using SyncWrapper with no reason + * Enable post_start_cleanup.sh to work in a transaction + * Fixed the SELinux context for Salt Minion service (bsc#1219041) + * Increase warn_until_date date for code we still support + * Avoid crash on wrong output of systemctl version (bsc#1229539) + * Improved error handling with different OpenSSL versions + * Fixed cloud Minion configuration for multiple Masters (bsc#1229109) + * Use Pygit2 id instead of deprecated oid in gitfs + * Added passlib Python module to the bundle + + saltbundlepy + saltbundlepy-cryptography + saltbundlepy-docker + saltbundlepy-idna + saltbundlepy-passlib + saltbundlepy-passlib:test + saltbundlepy-setuptools + saltbundlepy-urllib3 + saltbundlepy-zipp + saltbundlepy:base + uyuni-tools + venv-salt-minion + + +
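Review bot: The opening sentence of the description, "This update for SUSE Manager Client Tools and Salt Bundle the following issues:", is missing its verb (probably "fixes"). The "uyuni-tools:" heading directly below it has no entries, even though uyuni-tools appears in the package list at the end, so either list its changes or drop the heading. In the CVE-2024-7592 entry, "parsing -quoted cookie values" reads as though a character was lost before "-quoted". If a literal quote character was intended there, check that it is escaped so it survives in the rendered advisory. saltbundlepy-cryptography and saltbundlepy-docker are also in the package list without a matching line in the description. A short entry for each would let a reader of the advisory see why those packages are being rebuilt.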