{"affected":[],"aliases":[],"details":"This update fixes the following issues:\n\nvenv-salt-minion:\n\n- Fix the regression caused by the patch removing strict requirement for\n  OpenSSL 1.1.1 leading to read/write issues with ssl module for\n  SLE 15, SLE 12, CentOS 7, Debian 9 (bsc#1198556)\n- Fixes for Python 3.10\n- Fix salt-ssh opts poisoning (bsc#1197637)\n- Fix multiple security issues (bsc#1197417)\n  * CVE-2022-22935: Sign authentication replies to prevent MiTM\n  * CVE-2022-22934: Sign pillar data to prevent MiTM attacks.\n  * CVE-2022-22936: Prevent job and fileserver replays.\n  * CVE-2022-22941: Fixed targeting bug, especially visible when using syndic and user auth.\n- Salt version bump to 3004\n- Python version bump to 3.10.2\n- CVE-2022-24302: unauthorized information disclosure for python-paramiko.\n- CVE-2021-28957: XSS due to missing input sanitization in python-lxml.\n- CVE-2018-19787: XSS attacks due to missing URLs sanitization in python-lxml.\n- Security Fix: (bsc#1196249, bsc#1196877, CVE-2022-0778)\n  * Allow CRYPTO_THREADID_set_callback to be called with NULL parameter\n  * Infinite loop in BN_mod_sqrt() reachable when parsing certificates\n","id":"SUSE-SU-2022:1536-1","modified":"2022-05-04T13:33:28Z","published":"2022-05-04T13:33:28Z","references":[{"type":"ADVISORY","url":"https://www.suse.com/support/update/announcement/2022/suse-su-20221536-1/"},{"type":"REPORT","url":"https://bugzilla.suse.com/1118088"},{"type":"REPORT","url":"https://bugzilla.suse.com/1184177"},{"type":"REPORT","url":"https://bugzilla.suse.com/1196249"},{"type":"REPORT","url":"https://bugzilla.suse.com/1196877"},{"type":"REPORT","url":"https://bugzilla.suse.com/1197279"},{"type":"REPORT","url":"https://bugzilla.suse.com/1197417"},{"type":"REPORT","url":"https://bugzilla.suse.com/1197637"},{"type":"REPORT","url":"https://bugzilla.suse.com/1198556"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2018-19787"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2021-28957"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2022-0778"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2022-22934"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2022-22935"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2022-22936"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2022-22941"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2022-24302"}],"related":["CVE-2018-19787","CVE-2021-28957","CVE-2022-0778","CVE-2022-22934","CVE-2022-22935","CVE-2022-22936","CVE-2022-22941","CVE-2022-24302"],"summary":"Security Beta update for SUSE Manager Salt Bundle","upstream":["CVE-2018-19787","CVE-2021-28957","CVE-2022-0778","CVE-2022-22934","CVE-2022-22935","CVE-2022-22936","CVE-2022-22941","CVE-2022-24302"]}