Hi all, please notice the attached note from SaltStack! I assume this is not integrated into DSA 4676-1, is it?

Elimar
-- 
On the keyboard of life you have always to keep a finger at the escape key ;-)
--- Begin Message ---
SaltStack CVE Follow-Up Patch

We have a few important developments to share with you regarding CVE-2020-11651 and CVE-2020-11652.

- Follow-up patch for Salt 2017.x and earlier
- Patch Validation to confirm your Salt environment is secure
- CVE Technical Guide

ACTIVE CVE: IF YOU HAVE NOT YET UPDATED SALT OR APPLIED PATCHES, PLEASE DO SO IMMEDIATELY

FOLLOW-UP PATCH FOR SALT 2017.X AND EARLIER

If you have already applied the patch for Salt 2017.x or earlier, there is a follow-up patch to apply. You can download the patch and instructions below.

**This applies to 2017.x, 2016.x, and 2015.x. This does NOT apply to 2018.x, 2019.x, or 3000.x.**

- 2015.x <http://em.saltstack.com/Mf0Q0U0sP971h00f90MH0O1>
- 2016.x <http://em.saltstack.com/WP01MfH790m1QhM00U0s800>
- 2017.x <http://em.saltstack.com/z0Us1h90007Hfn81PMN0Q00>
- CVE Technical Guide <http://em.saltstack.com/F1sH900Pg0P0M19U000Qhf7>

The original patch for versions 2017.x and earlier secured against arbitrary commands running on Salt minions and eliminated the exposure (CVE-2020-11651 <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11651>). This additional patch is required to completely resolve arbitrary directory access to authenticated users (CVE-2020-11652 <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11652>).

PATCH VALIDATION SCRIPTS

Once you have updated / patched Salt, you can verify that your Salt environment is secure. We are offering this to all Salt users to ensure the patches were applied correctly and optionally perform a non-disruptive exploitation test. Details can be found here: CVE Patch Verification <http://em.saltstack.com/R0097s1HUh0010M0PQQ9hf0>

We strongly encourage you to take advantage of this tool. We understand many of you want that additional assurance and confirmation.

CVE TECHNICAL GUIDE

This document provides technical guidelines for applying CVE-2020-11651 / CVE-2020-11652 patches and performing exploitation assessment and check-up analysis. It is an additional resource that can be leveraged by your technical teams for in-depth analysis of exploitation scenarios and how to check for these using a variety of techniques. Download the CVE Technical Guide here: <http://em.saltstack.com/F1sH900Pg0P0M19U000Qhf7>

HELPFUL RESOURCES

- PDF Description of the CVEs <http://em.saltstack.com/P000f0hP9H0Mo7080sOQ1U1>
- Upgrading your Salt Infrastructure <http://em.saltstack.com/P000f0hP9H0Mp7080sPQ1U1>
- SaltStack Response Policy for Cybersecurity Vulnerabilities and Exposures (CVE) <http://em.saltstack.com/thQM1U09Ps09i00fH70001R>
- If you run into any major obstacles and can't find a solution in the provided resources, you can email cveh...@saltstack.com <http://em.saltstack.com/Mf0Q0U0sP971h00j90MH0S1>
--- End Message ---