Safety vulnerability ID: 61048
The information on this page was manually curated by our Cybersecurity Intelligence Team.
Salt 3005.2 and 3006.2 update its dependency 'certifi' to v2023.07.22 to include a security fix.
Latest version: 3007.1
Portable, distributed, remote execution and configuration management system
Changed
- Additional required package upgrades
* It's now `pyzmq>=20.0.0` on all platforms, and `<=22.0.3` just for windows.
* Upgrade to `pyopenssl==23.0.0` due to the cryptography upgrade. (63757)
Security
- fix CVE-2023-20897 by catching exception instead of letting exception disrupt connection (cve-2023-20897)
- Fixed gitfs cachedir_basename to avoid hash collisions. Added MP Lock to gitfs. These changes should stop race conditions. (cve-2023-20898)
- Upgrade to `requests==2.31.0`
Due to:
* https://github.com/advisories/GHSA-j8r2-6x86-q33q (#64336)
- Upgrade to `cryptography==41.0.3`(and therefor `pyopenssl==23.2.0` due to https://github.com/advisories/GHSA-jm77-qphf-c4w8)
Also resolves the following cryptography advisories:
Due to:
* https://github.com/advisories/GHSA-5cpq-8wj7-hf2v
* https://github.com/advisories/GHSA-x4qr-2fvf-3mr5
* https://github.com/advisories/GHSA-w7pp-m8wf-vj6r
There is no security upgrade available for Py3.5 (64595)
- Bump to `certifi==2023.07.22` due to https://github.com/advisories/GHSA-xqr8-7jwr-rhp7
Python 3.5 cannot get the updated requirements since certifi no longer supports this python version (64720)
Scan your Python project for dependency vulnerabilities in two minutes
Scan your application