Bug 836365 (CVE-2022-22934, CVE-2022-22935, CVE-2022-22936, CVE-2022-22941)

Summary: <app-admin/salt-{3002.7,3003.3}: multiple vulnerabilities
Product: Gentoo Security
Reporter: Imran Iqbal <iqbalmy>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: minor
CC: chutzpah
Priority: Normal
Version: unspecified
Hardware: All
OS: All
Whiteboard: B3 [glsa+]
Package list:
Runtime testing required: ---

Description Imran Iqbal 2022-03-29 09:36:47 UTC
This security issue was first reported on 2022-03-22:

* https://saltproject.io/security_announcements/attention-some-critical-vulnerabilities-have-been-discovered-in-salt-versions-3004-and-earlier/

The new versions were released yesterday (2022-03-28):

* https://saltproject.io/security_announcements/salt-security-advisory-release/

> Updated packages for the versions below can be found at https://repo.saltproject.io for these supported versions of Salt:
> 
> * 3004.1
> * 3003.4
> * 3002.8
Comment 1 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-03-29 14:54:51 UTC
Thanks for reporting! Is there a mailing list or something where these are announced?

Maintainer, please stabilize 3002.7 and 3003.3.
Comment 2 Imran Iqbal 2022-03-29 16:23:36 UTC
> Is there a mailing list or something where these are announced?

Yes, there are a variety of places.

* https://groups.google.com/g/salt-announce
  - This group is mainly announcements for all new releases.
* https://saltproject.io/security_announcements/
  - This is the main page for security releases (and info).
  - This can be tracked using its RSS feed:
    + https://saltproject.io/feed/?post_type=security
* https://app.slack.com/client/T7KPDM7M3/CNZKJMQ1E
  - Probably not so helpful here but there's also the `#announcements` channel on the community Slack instance.
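One way to consume the security RSS feed mentioned above programmatically, as an added example that is not part of this bug thread or the Salt project's own code: the feed document below is constructed inline (the item dates and descriptions are placeholders), and the RSS 2.0 item/title/link/pubDate/description layout is an assumption about the real feed. The parser pulls CVE identifiers out of each advisory and reports which of them are not yet covered by a tracker bug.

```python
"""Parse a security-advisory RSS feed and extract CVE identifiers.

Added example. SAMPLE_FEED is constructed for this example, not fetched from
saltproject.io; the real feed at https://saltproject.io/feed/?post_type=security
is assumed to follow the same RSS 2.0 layout.
"""
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")

# Constructed sample feed, oldest item first, so that the date sort below
# actually reorders something. Links and dates are placeholders.
SAMPLE_FEED = """<rss version="2.0"><channel>
<title>Security Announcements</title>
<item>
  <title>Attention: critical vulnerabilities in Salt 3004 and earlier</title>
  <link>https://example.invalid/advisory-1</link>
  <pubDate>Tue, 22 Mar 2022 12:00:00 +0000</pubDate>
  <description>Patched releases will follow. Tracked as CVE-2022-22934 and others.</description>
</item>
<item>
  <title>Salt security advisory release</title>
  <link>https://example.invalid/advisory-2</link>
  <pubDate>Mon, 28 Mar 2022 15:00:00 +0000</pubDate>
  <description>Fixes for CVE-2022-22934, CVE-2022-22935, CVE-2022-22936 and CVE-2022-22941.</description>
</item>
</channel></rss>"""

_EPOCH = datetime.fromtimestamp(0, timezone.utc)


def parse_feed(xml_text):
    """Return advisories newest-first as dicts: title, link, published, cves.

    For a feed fetched from the network, parse it with defusedxml or an
    equivalent hardened parser rather than the stdlib ElementTree used here.
    """
    root = ET.fromstring(xml_text)
    advisories = []
    for item in root.iter("item"):
        title = (item.findtext("title") or "").strip()
        link = (item.findtext("link") or "").strip()
        pub = item.findtext("pubDate")
        published = parsedate_to_datetime(pub) if pub else None
        # CVE ids may appear in either the title or the body text.
        text = " ".join(filter(None, [title, item.findtext("description")]))
        cves = sorted(set(CVE_RE.findall(text)))
        advisories.append(
            {"title": title, "link": link, "published": published, "cves": cves}
        )
    # Items without a parseable date sort last.
    advisories.sort(key=lambda a: a["published"] or _EPOCH, reverse=True)
    return advisories


def untracked_cves(advisories, tracked):
    """CVE ids mentioned in the feed that are not in the tracked set."""
    seen = set()
    for adv in advisories:
        seen.update(adv["cves"])
    return sorted(seen - set(tracked))


if __name__ == "__main__":
    # The four CVEs in this bug's title play the role of the tracked set.
    tracked = {"CVE-2022-22934", "CVE-2022-22935", "CVE-2022-22936", "CVE-2022-22941"}
    for adv in parse_feed(SAMPLE_FEED):
        print(adv["published"].date(), adv["title"], adv["cves"])
    print("not yet tracked:", untracked_cves(parse_feed(SAMPLE_FEED), tracked))
```

Running it against the constructed feed lists the 28 March advisory first and reports no untracked CVEs for this bug's four identifiers; dropping any of them from the tracked set makes it reappear in the output.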
Comment 3 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-03-31 02:48:07 UTC
(In reply to Imran Iqbal from comment #2)
> > Is there a mailing list or something where these are announced?
> 
> Yes, there are a variety of places.
> 
> * https://groups.google.com/g/salt-announce
>   - This group is mainly announcements for all new releases.
> * https://saltproject.io/security_announcements/
>   - This is the main page for security releases (and info).
>   - This can be tracked using its RSS feed:
>     + https://saltproject.io/feed/?post_type=security
> * https://app.slack.com/client/T7KPDM7M3/CNZKJMQ1E
>   - Probably not so helpful here but there's also the `#announcements`
> channel on the community Slack instance.

Thanks! Should be subscribed to that Google Group now, so I shouldn't miss these in the future.
Comment 4 Larry the Git Cow gentoo-dev 2023-10-31 11:57:53 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=a4ba9f2fb65b65e29f00afe38eed9d10ac01301d

commit a4ba9f2fb65b65e29f00afe38eed9d10ac01301d
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2023-10-31 11:57:07 +0000
Commit:     Hans de Graaff <graaff@gentoo.org>
CommitDate: 2023-10-31 11:57:38 +0000

    [ GLSA 202310-22 ] Salt: Multiple Vulnerabilities
    
    Bug: https://bugs.gentoo.org/767919
    Bug: https://bugs.gentoo.org/812440
    Bug: https://bugs.gentoo.org/836365
    Bug: https://bugs.gentoo.org/855962
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: Hans de Graaff <graaff@gentoo.org>

 glsa-202310-22.xml | 61 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 61 insertions(+)