Index: head/security/vuxml/vuln.xml =================================================================== --- head/security/vuxml/vuln.xml +++ head/security/vuxml/vuln.xml @@ -58,6 +58,46 @@ * Do not forget port variants (linux-f10-libxml2, libxml2, etc.) --> + + salt -- multiple vulnerabilities + + + py36-salt + py37-salt + py38-salt + 30023002.1 + + + + +

SaltStack reports multiple security vulnerabilities in Salt 3002:

+
+
CVE-2020-16846: Prevent shell injections in netapi ssh client.
+
CVE-2020-17490: Prevent creating world readable private keys with the tls execution module.
+
CVE-2020-25592: Properly validate eauth credentials and tokens along with their ACLs. + Prior to this change eauth was not properly validated when calling Salt ssh via the salt-api. + Any value for 'eauth' or 'token' would allow a user to bypass authentication and make calls + to Salt ssh.
+
+

+ + + + https://docs.saltstack.com/en/latest/topics/releases/3002.1.html + CVE-2020-16846 + https://nvd.nist.gov/vuln/detail/CVE-2020-16846 + CVE-2020-17490 + https://nvd.nist.gov/vuln/detail/CVE-2020-17490 + CVE-2020-25592 + https://nvd.nist.gov/vuln/detail/CVE-2020-25592 + + + 2020-11-06 + 2020-11-12 + + + Apache OpenOffice -- Unrestricted actions leads to arbitrary code execution in crafted documents