CVE-2022-22967: An issue was discovered in SaltStack Salt in versions before 3002.9, 3003.5, 3004.2. PAM auth fails to reject locked accounts, which allows a previously authorized user whose account is locked to still run Salt commands when their account is locked. This affects both local shell accounts with an active session and salt-api users that authenticate via PAM eauth.

Please stabilize a fixed version.
Please cleanup
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=a4ba9f2fb65b65e29f00afe38eed9d10ac01301d

commit a4ba9f2fb65b65e29f00afe38eed9d10ac01301d
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2023-10-31 11:57:07 +0000
Commit:     Hans de Graaff <graaff@gentoo.org>
CommitDate: 2023-10-31 11:57:38 +0000

    [ GLSA 202310-22 ] Salt: Multiple Vulnerabilities

    Bug: https://bugs.gentoo.org/767919
    Bug: https://bugs.gentoo.org/812440
    Bug: https://bugs.gentoo.org/836365
    Bug: https://bugs.gentoo.org/855962
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: Hans de Graaff <graaff@gentoo.org>

 glsa-202310-22.xml | 61 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 61 insertions(+)