Bug 836365 (CVE-2022-22934, CVE-2022-22935, CVE-2022-22936, CVE-2022-22941) - <app-admin/salt-{3002.7,3003.3}: multiple vulnerabilities
Summary: <app-admin/salt-{3002.7,3003.3}: multiple vulnerabilities
Status: RESOLVED FIXED
Alias: CVE-2022-22934, CVE-2022-22935, CVE-2022-22936, CVE-2022-22941
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All All
Importance: Normal minor
Assignee: Gentoo Security
Whiteboard: B3 [glsa+]
Reported: 2022-03-29 09:36 UTC by Imran Iqbal
Modified: 2023-10-31 11:59 UTC

Description Imran Iqbal 2022-03-29 09:36:47 UTC
This security issue was first reported on 2022-03-22:

* https://saltproject.io/security_announcements/attention-some-critical-vulnerabilities-have-been-discovered-in-salt-versions-3004-and-earlier/

The new versions were released yesterday (2022-03-28):

* https://saltproject.io/security_announcements/salt-security-advisory-release/

> Updated packages for the versions below can be found at https://repo.saltproject.io for these supported versions of Salt:
> 
> * 3004.1
> * 3003.4
> * 3002.8
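The advisory quoted above names one fixed point release per supported branch (3004.1, 3003.4, 3002.8) and states that every Salt release up to and including 3004 is affected, so a branch that is no longer supported (3001.x, 3000.x, 2019.2.x) has no fixed release at all. The following is an added example, not code from this bug or from the Salt project, that turns those statements into a version check suitable for triaging an inventory of Salt versions. It compares upstream version strings only; it does not know about distribution packages that backport the fixes under a different version (such as the Gentoo ebuilds this bug asks to stabilize). The inventory at the bottom is constructed sample data.

```python
import re
from typing import Dict, List, Optional, Tuple

# Fixed point releases from the 2022-03-28 Salt advisory, keyed by branch.
# Branches absent from this table have no fixed release.
FIXED_RELEASES: Dict[int, Tuple[int, ...]] = {
    3004: (3004, 1),
    3003: (3003, 4),
    3002: (3002, 8),
}

# The advisory covers "Salt versions 3004 and earlier"; later branches are
# outside its scope.
LATEST_AFFECTED_BRANCH = 3004

_VERSION_RE = re.compile(r"^\d+(\.\d+)*$")


def parse_version(text: str) -> Tuple[int, ...]:
    """Parse a Salt version such as '3004', '3003.4' or '2019.2.8' into a tuple.

    A bare major version ('3004') is the .0 release of that branch, so it is
    padded to (3004, 0) to compare correctly against point releases.
    """
    text = text.strip()
    if not _VERSION_RE.match(text):
        raise ValueError(f"unrecognised Salt version: {text!r}")
    parts = tuple(int(p) for p in text.split("."))
    return parts + (0,) if len(parts) == 1 else parts


def fixed_version_for(version: str) -> Optional[str]:
    """Release to upgrade to on the same branch, or None if the branch has none."""
    branch = parse_version(version)[0]
    fixed = FIXED_RELEASES.get(branch)
    return None if fixed is None else ".".join(str(p) for p in fixed)


def is_vulnerable(version: str) -> bool:
    """True if `version` predates the fixed release of its branch.

    Unsupported branches (no entry in FIXED_RELEASES) are affected with no
    fix on that branch; branches newer than 3004 are out of scope.
    """
    parsed = parse_version(version)
    branch = parsed[0]
    if branch > LATEST_AFFECTED_BRANCH:
        return False
    fixed = FIXED_RELEASES.get(branch)
    if fixed is None:
        return True
    return parsed < fixed


def triage(inventory: List[Tuple[str, str]]) -> Dict[str, Tuple[str, bool, Optional[str]]]:
    """Map host -> (version, vulnerable, fixed release or None)."""
    return {
        host: (ver, is_vulnerable(ver), fixed_version_for(ver))
        for host, ver in inventory
    }


if __name__ == "__main__":
    # Constructed sample inventory (hypothetical hosts, not real systems).
    sample = [
        ("master01", "3004"),
        ("minion-a", "3003.4"),
        ("minion-b", "3002.7"),
        ("legacy-01", "3001.8"),
    ]
    for host, (ver, vuln, fix) in triage(sample).items():
        status = "VULNERABLE" if vuln else "ok"
        remedy = f"upgrade to {fix}" if vuln and fix else ("no fixed release on this branch" if vuln else "")
        print(f"{host:<10} {ver:<8} {status:<10} {remedy}")
```

Hosts on a branch with no entry in the table are reported as affected with no same-branch fix, which is the case that an inventory scan most often gets wrong by treating "no advisory entry" as "not affected".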
Comment 1 John Helmert III 2022-03-29 14:54:51 UTC
Thanks for reporting! Is there a mailing list or something where these are announced?

Maintainer, please stabilize 3002.7 and 3003.3.
Comment 2 Imran Iqbal 2022-03-29 16:23:36 UTC
> Is there a mailing list or something where these are announced?

Yes, there are a variety of places.

* https://groups.google.com/g/salt-announce
  - This group is mainly announcements for all new releases.
* https://saltproject.io/security_announcements/
  - This is the main page for security releases (and info).
  - This can be tracked using its RSS feed:
    + https://saltproject.io/feed/?post_type=security
* https://app.slack.com/client/T7KPDM7M3/CNZKJMQ1E
  - Probably not so helpful here but there's also the `#announcements` channel on the community Slack instance.
Comment 3 John Helmert III 2022-03-31 02:48:07 UTC
(In reply to Imran Iqbal from comment #2)
> > Is there a mailing list or something where these are announced?
> 
> Yes, there are a variety of places.
> 
> * https://groups.google.com/g/salt-announce
>   - This group is mainly announcements for all new releases.
> * https://saltproject.io/security_announcements/
>   - This is the main page for security releases (and info).
>   - This can be tracked using its RSS feed:
>     + https://saltproject.io/feed/?post_type=security
> * https://app.slack.com/client/T7KPDM7M3/CNZKJMQ1E
>   - Probably not so helpful here but there's also the `#announcements`
> channel on the community Slack instance.

Thanks! Should be subscribed to that Google Group now, so I shouldn't miss these in the future.
Comment 4 Larry the Git Cow 2023-10-31 11:57:53 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=a4ba9f2fb65b65e29f00afe38eed9d10ac01301d

commit a4ba9f2fb65b65e29f00afe38eed9d10ac01301d
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2023-10-31 11:57:07 +0000
Commit:     Hans de Graaff <graaff@gentoo.org>
CommitDate: 2023-10-31 11:57:38 +0000

    [ GLSA 202310-22 ] Salt: Multiple Vulnerabilities
    
    Bug: https://bugs.gentoo.org/767919
    Bug: https://bugs.gentoo.org/812440
    Bug: https://bugs.gentoo.org/836365
    Bug: https://bugs.gentoo.org/855962
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: Hans de Graaff <graaff@gentoo.org>

 glsa-202310-22.xml | 61 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 61 insertions(+)