DSA-4676-2 salt-master -- salt-master
ID: oval:org.secpod.oval:def:63523 | Date: (C)2020-05-29 (M)2023-12-26 |
Class: PATCH | Family: unix |
The update for salt-master for the oldstable distribution released as DSA 4676-1 contained an incomplete fix to address CVE-2020-11651 and CVE-2020-11652. Updated salt-master packages are now available to correct this issue. For reference, the original advisory text follows.

Several vulnerabilities were discovered in salt-master, a powerful remote execution manager, which could result in retrieval of user tokens from the salt-master master, execution of arbitrary commands on salt-master minions, arbitrary directory access to authenticated users or arbitrary code execution on salt-master-api hosts.