Source: salt
Version: 3002.6+dfsg1-4
Severity: grave
Tags: security upstream
Justification: user security hole
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>

Hi,

The following vulnerabilities were published for salt.

CVE-2021-21996[0]:
| An issue was discovered in SaltStack Salt before 3003.3. A user who
| has control of the source, and source_hash URLs can gain full file
| system access as root on a salt minion.

CVE-2021-22004[1]:
| An issue was discovered in SaltStack Salt before 3003.3. The salt
| minion installer will accept and use a minion config file at
| C:\salt\conf if that file is in place before the installer is run.
| This allows for a malicious actor to subvert the proper behaviour of
| the given minion software.

If you fix the vulnerabilities, please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2021-21996
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21996
[1] https://security-tracker.debian.org/tracker/CVE-2021-22004
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22004

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore