Workflow

Salt

Latest version: v3007.0

Safety actively analyzes 630052 Python packages for vulnerabilities to keep your Python projects secure.

Scan your dependencies

Page 7 of 9

3001.7

Not secure
Fixed

- Fix argument injection bug in restartcheck.restartcheck. This change hardens
the fix for CVE-2020-28243. (200)
- Allow "extra_filerefs" as sanitized kwargs for SSH client.
Fix regression on "cmd.run" when passing tuples as cmd. (59664)
- Allow all ssh kwargs as sanitized kwargs for SSH client. (59748)

3001.6

Not secure
Fixed

- Fix runners that broke when patching for CVE-2021-25281
- Fix issue with runners in SSE

3001.5

Not secure
Fixed

- CVE-2020-28243 - Fix local privilege escalation in the restartcheck module. (CVE-2020-28243)
- CVE-2020-28972 - Ensure authentication to vcenter, vsphere, and esxi server
validates the SSL/TLS certificate by default. If you want to skip SSL verification
you can use `verify_ssl: False`. (CVE-2020-28972)
- CVE-2020-35662 - Ensure the asam runner, qingcloud, splunk returner, panos
proxy, cimc proxy, zenoss module, esxi module, vsphere module, glassfish
module, bigip module, and keystone module validate SSL by default. If you want
to skip SSL verification you can use `verify_ssl: False`. (CVE-2020-35662)
- CVE-2021-25281 - Fix salt-api so it honors eauth credentials for the
wheel_async client. (CVE-2021-25281)
- CVE-2021-25282 - Fix the salt.wheel.pillar_roots.write method so it is not
vulnerable to directory traversal. (CVE-2021-25282)
- CVE-2021-25283 - Fix the jinja render to protect against server side template
injection attacks. (CVE-2021-25283)
- CVE-2021-25284 - Fix cmdmod so it will not log credentials to log levels info
and error. (CVE-2021-25284)
- CVE-2021-3144 - Fix eauth tokens can be used once after expiration. (CVE-2021-3144)
- CVE-2021-3148 - Fix a command injection in the Salt-API when using the Salt-SSH client. (CVE-2021-3148)
- CVE-2021-3197 - Fix ssh client to remove ProxyCommand from arguments provided
by cli and netapi. (CVE-2021-3197)

3001.4

Not secure
Fixed

- Fixes salt-ssh authentication when using tty (58922)

3001.3

Not secure
Fixed

- Properly validate eauth credentials and tokens along with their ACLs.
Prior to this change eauth was not properly validated when calling
Salt ssh via the salt-api. Any value for 'eauth' or 'token' would allow a user
to bypass authentication and make calls to Salt ssh. (CVE-2020-25592)

3001.2

Not secure
Fixed

- Prevent shell injections in netapi ssh client (cve-2020-16846)
- Prevent creating world readable private keys with the tls execution module. (cve-2020-17490)

Page 7 of 9

Links

Releases

Has known vulnerabilities

Previous Next

© 2024 Safety CLI Cybersecurity Inc. All Rights Reserved.