Safety vulnerability ID: 65956
The information on this page was manually curated by our Cybersecurity Intelligence Team.
Salt 3006.6 upgrades its gitpython library to version 3.1.41 as a security measure in response to CVE-2024-22190.
Latest version: 3007.1
Portable, distributed, remote execution and configuration management system
Changed
- Salt no longer time bombs user installations on code using `salt.utils.versions.warn_until_date` [665924](https://github.com/saltstack/salt/issues/665924)
Fixed
- Fix un-closed transport in tornado netapi [65759](https://github.com/saltstack/salt/issues/65759)
Security
- CVE-2024-22231 Prevent directory traversal when creating syndic cache directory on the master
CVE-2024-22232 Prevent directory traversal attacks in the master's serve_file method.
These vulerablities were discovered and reported by:
Yudi Zhao(Huawei Nebula Security Lab),Chenwei Jiang(Huawei Nebula Security Lab) [565](https://github.com/saltstack/salt/issues/565)
- Update some requirements which had some security issues:
* Bump to `pycryptodome==3.19.1` and `pycryptodomex==3.19.1` due to https://github.com/advisories/GHSA-j225-cvw7-qrx7
* Bump to `gitpython==3.1.41` due to https://github.com/advisories/GHSA-2mqj-m65w-jghx
* Bump to `jinja2==3.1.3` due to https://github.com/advisories/GHSA-h5c8-rqwp-cp95 [#65830](https://github.com/saltstack/salt/issues/65830)
Scan your Python project for dependency vulnerabilities in two minutes
Scan your application