salt vulnerabilities
A security issue affects these releases of Ubuntu and its
derivatives:
* Ubuntu 18.04 LTS
* Ubuntu 16.04 LTS
Summary
Several security issues were fixed in Salt.
Software Description
* salt - Infrastructure management built on a dynamic
communication bus
Details
It was discovered that Salt allows remote attackers to determine
which files exist on the server. An attacker could use that to
extract sensitive information. (CVE-2018-15750)
It was discovered that Salt has a vulnerability that allows a
user to bypass authentication. An attacker could use this to
extract sensitive information, execute arbitrary code or crash the
server. (CVE-2018-15751)
It was discovered that Salt is vulnerable to command injection.
This allows an unauthenticated attacker with network access to the
API endpoint to execute arbitrary code on the salt-api host.
(CVE-2019-17361)
It was discovered that Salt incorrectly validated method calls and
incorrectly sanitized file paths. A remote attacker could possibly
use these issues to access some methods without authentication.
(CVE-2020-11651, CVE-2020-11652)
Update instructions
The problem can be corrected by updating your system to the
following package versions:
Ubuntu 18.04 LTS
salt-api - 2017.7.4+dfsg1-1ubuntu18.04.2
salt-common - 2017.7.4+dfsg1-1ubuntu18.04.2
salt-master - 2017.7.4+dfsg1-1ubuntu18.04.2
salt-minion - 2017.7.4+dfsg1-1ubuntu18.04.2
Ubuntu 16.04 LTS
salt-api - 2015.8.8+ds-1ubuntu0.1
salt-common - 2015.8.8+ds-1ubuntu0.1
salt-master - 2015.8.8+ds-1ubuntu0.1
salt-minion - 2015.8.8+ds-1ubuntu0.1
To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.
After a standard system update you need to restart the Salt
services (salt-master, salt-minion and salt-api, whichever are
installed) to make all the necessary changes; an updated package on
disk does not protect a daemon that is still running the old code.
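The check below is an added example, not part of this notice or of the Salt project: it takes the output of `dpkg-query -W` for the four Salt packages and reports every one whose installed version is older than the fixed version listed above. The Debian version comparison (epoch, upstream, revision; digit runs numeric, `~` sorting below everything) is implemented in the script rather than shelled out to `dpkg --compare-versions`, so the same check can be run off-box over a saved listing. The script name `check_salt_usn.py` and the sample listing are assumptions made for the example.

```python
"""Check installed Salt package versions against the fixed versions in this
notice. Added example (not part of the USN); the Debian version comparison is
implemented here so the check also runs off-box over a saved dpkg listing."""
import re
import sys
from typing import Dict, List, Tuple

# Fixed versions copied from the "Update instructions" section of the notice.
FIXED: Dict[str, Dict[str, str]] = {
    "18.04": {p: "2017.7.4+dfsg1-1ubuntu18.04.2"
              for p in ("salt-api", "salt-common", "salt-master", "salt-minion")},
    "16.04": {p: "2015.8.8+ds-1ubuntu0.1"
              for p in ("salt-api", "salt-common", "salt-master", "salt-minion")},
}

def _order(c: str) -> int:
    """deb-version(7) ordering for non-digit characters: '~' sorts before
    everything (even end-of-string), letters sort before non-letters."""
    if c == "~":
        return -1
    if c == "":
        return 0
    if c.isalpha():
        return ord(c)
    return ord(c) + 256

def _cmp_nondigit(a: str, b: str) -> int:
    for i in range(max(len(a), len(b))):
        d = _order(a[i] if i < len(a) else "") - _order(b[i] if i < len(b) else "")
        if d:
            return -1 if d < 0 else 1
    return 0

def _cmp_fragment(a: str, b: str) -> int:
    """Compare an upstream-version or debian-revision string by alternating
    non-digit runs (lexical, modified order) and digit runs (numeric)."""
    while a or b:
        na, nb = re.match(r"\D*", a).group(0), re.match(r"\D*", b).group(0)
        r = _cmp_nondigit(na, nb)
        if r:
            return r
        a, b = a[len(na):], b[len(nb):]
        da, db = re.match(r"\d*", a).group(0), re.match(r"\d*", b).group(0)
        ia, ib = int(da or "0"), int(db or "0")
        if ia != ib:
            return -1 if ia < ib else 1
        a, b = a[len(da):], b[len(db):]
    return 0

def split_version(v: str) -> Tuple[int, str, str]:
    """'[epoch:]upstream[-revision]' -> (epoch, upstream, revision)."""
    epoch, sep, rest = v.partition(":")
    if not sep:
        epoch, rest = "0", v
    upstream, sep, revision = rest.rpartition("-")
    if not sep:
        upstream, revision = rest, ""
    return int(epoch), upstream, revision

def compare_versions(a: str, b: str) -> int:
    """-1, 0 or 1 as a is older than, equal to or newer than b."""
    ea, ua, ra = split_version(a)
    eb, ub, rb = split_version(b)
    if ea != eb:
        return -1 if ea < eb else 1
    return _cmp_fragment(ua, ub) or _cmp_fragment(ra, rb)

def vulnerable_packages(listing: str, release: str) -> List[Tuple[str, str, str]]:
    """Parse `dpkg-query -W <pkgs>` output ("name<TAB>version" per line; a
    package that is not installed has an empty version field) and return
    (name, installed, fixed) for every Salt package older than the fix."""
    fixed = FIXED[release]
    found = []
    for line in listing.splitlines():
        parts = line.split()
        if len(parts) < 2 or parts[0] not in fixed:  # not installed / not Salt
            continue
        name, installed = parts[0], parts[1]
        if compare_versions(installed, fixed[name]) < 0:
            found.append((name, installed, fixed[name]))
    return found

# Constructed sample listing (not real host output): master and common already
# patched, minion still on the pre-fix build, api on a hypothetical PPA build
# whose "~ppa1" suffix sorts below the fixed version.
SAMPLE_18_04 = """salt-master\t2017.7.4+dfsg1-1ubuntu18.04.2
salt-minion\t2017.7.4+dfsg1-1ubuntu18.04.1
salt-api\t2017.7.4+dfsg1-1ubuntu18.04.2~ppa1
salt-common\t2017.7.4+dfsg1-1ubuntu18.04.2
"""

if __name__ == "__main__":
    # On a host:  dpkg-query -W salt-api salt-common salt-master salt-minion \
    #             | python3 check_salt_usn.py 18.04
    rel = sys.argv[1] if len(sys.argv) > 1 else "18.04"
    data = SAMPLE_18_04 if sys.stdin.isatty() else sys.stdin.read()
    for name, have, want in vulnerable_packages(data, rel):
        print(f"{name}: installed {have} is older than fixed {want}")
```

A package reported here is still vulnerable even if `apt` shows no pending upgrade, for instance when the host is pinned to an older mirror or the package came from a third-party repository; and a package that passes the check still needs the running service restarted, as the notice says.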
References
* CVE-2018-15750
* CVE-2018-15751
* CVE-2019-17361
* CVE-2020-11651
* CVE-2020-11652
--- Mystic BBS v1.12 A45 (Linux/64)
* Origin: BZ&BZ BBS (21:4/110)