Source: salt Version: 3004.1+dfsg-2 Severity: grave Tags: security upstream X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>
Hi, The following vulnerability was published for salt. CVE-2022-22967[0]: | An issue was discovered in SaltStack Salt in versions before 3002.9, | 3003.5, 3004.2. PAM auth fails to reject locked accounts, which allows | a previously authorized user whose account is locked still run Salt | commands when their account is locked. This affects both local shell | accounts with an active session and salt-api users that authenticate | via PAM eauth. If you fix the vulnerability please also make sure to include the CVE (Common Vulnerabilities & Exposures) id in your changelog entry. For further information see: [0] https://security-tracker.debian.org/tracker/CVE-2022-22967 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22967 [1] https://saltproject.io/security_announcements/salt-security-advisory-release-june-21st-2022/ Please adjust the affected versions in the BTS as needed. Regards, Salvatore
