Safety vulnerability ID: 61043
The information on this page was manually curated by our Cybersecurity Intelligence Team.
Salt 3005.2 and 3006.2 include a fix for CVE-2023-20897: DOS in minion return. After receiving several bad packets on the request server equal to the number of worker threads, the master will become unresponsive to return requests until restarted.
https://saltproject.io/security-announcements/2023-08-10-advisory
Latest version: 3007.1
Portable, distributed, remote execution and configuration management system
Changed
- Additional required package upgrades
* It's now `pyzmq>=20.0.0` on all platforms, and `<=22.0.3` just for windows.
* Upgrade to `pyopenssl==23.0.0` due to the cryptography upgrade. (63757)
Security
- fix CVE-2023-20897 by catching exception instead of letting exception disrupt connection (cve-2023-20897)
- Fixed gitfs cachedir_basename to avoid hash collisions. Added MP Lock to gitfs. These changes should stop race conditions. (cve-2023-20898)
- Upgrade to `requests==2.31.0`
Due to:
* https://github.com/advisories/GHSA-j8r2-6x86-q33q (#64336)
- Upgrade to `cryptography==41.0.3`(and therefor `pyopenssl==23.2.0` due to https://github.com/advisories/GHSA-jm77-qphf-c4w8)
Also resolves the following cryptography advisories:
Due to:
* https://github.com/advisories/GHSA-5cpq-8wj7-hf2v
* https://github.com/advisories/GHSA-x4qr-2fvf-3mr5
* https://github.com/advisories/GHSA-w7pp-m8wf-vj6r
There is no security upgrade available for Py3.5 (64595)
- Bump to `certifi==2023.07.22` due to https://github.com/advisories/GHSA-xqr8-7jwr-rhp7
Python 3.5 cannot get the updated requirements since certifi no longer supports this python version (64720)
Scan your Python project for dependency vulnerabilities in two minutes
Scan your application