Safety vulnerability ID: 41953
The information on this page was manually curated by our Cybersecurity Intelligence Team.
Salt 3003.3, 3002.7 and 3001.8 include a fix for CVE-2021-21996: An issue was discovered in SaltStack Salt before 3003.3. A user who has control of the source and source_hash URLs can gain full file system access as root on a salt minion.
https://saltproject.io/security_announcements/salt-security-advisory-2021-sep-02/
Latest version: 3007.1
Portable, distributed, remote execution and configuration management system
========================
Version 3001.8 is a bug fix release for :ref:`3001 <release-3001>`.
Fixed
-----
- Verify the owner of an existing config before trusting it during install. If the owner cannot be verified, back it up and use defaults. (CVE-2021-22004)
Security
--------
- Fix the CVE-2021-31607 vulnerability
  Additionally, an audit and a tool, ``bandit``, were put in place to address similar issues throughout the code base and prevent them. (CVE-2021-31607)
- Ensure that sourced file is cached using its hash name (CVE-2021-21996)