Vulnerability in the SaltStack configuration management system

The new releases of the SaltStack centralized configuration management system, 3002.5, 3001.6 and 3000.8, fix a vulnerability (CVE-2020-28243) that allows an unprivileged local user on a host to escalate their privileges on that system. The problem is caused by a bug in the salt-minion handler used to receive commands from the central server. The vulnerability was discovered in November but has only now been fixed.

When the "restartcheck" operation is performed, arbitrary commands can be substituted by manipulating a process name. Specifically, the check for the presence of a package was carried out by launching the package manager and passing it an argument derived from the process name. The package manager was launched by calling the popen function in shell mode, but without escaping special characters. By changing the process name and using symbols such as ";" and "|", one can arrange for one's own code to be executed.
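As an added illustration of the bug class described above (not Salt's own code), the process name is spliced into a shell command string, so a POSIX-style tokenizer sees extra command words, whereas passing an argv list with no shell keeps the name as exactly one argument. The package-manager command and the allowlist pattern are assumptions; the process names are constructed samples.

```python
"""Vulnerable vs hardened construction of a package-manager query from a
process name, in the spirit of the restartcheck bug (CVE-2020-28243)."""
import re
import shlex
import subprocess
from typing import List

# Assumption: a dpkg-style "which package owns this file" query.
PKG_QUERY = ["dpkg-query", "-S"]
# Assumption: allowlist of characters a legitimate process name may contain.
SAFE_NAME = re.compile(r"[A-Za-z0-9._+:@/-]+")


def build_vulnerable_command(process_name: str) -> str:
    # Vulnerable pattern: plain string concatenation handed to popen(shell=True).
    # Nothing here escapes shell metacharacters in process_name.
    return " ".join(PKG_QUERY) + " " + process_name


def shell_words(command: str) -> List[str]:
    # Tokenize the way a POSIX shell would, treating ';', '|', '&' etc. as
    # operators, to show how many separate words the shell actually sees.
    lexer = shlex.shlex(command, posix=True, punctuation_chars=True)
    return list(lexer)


def build_hardened_argv(process_name: str) -> List[str]:
    # Hardened pattern: validate the name, then build an argv list so no shell
    # is involved at all. The list form alone already prevents interpretation;
    # the allowlist is defence in depth and gives a clear rejection point.
    if not SAFE_NAME.fullmatch(process_name):
        raise ValueError("refusing suspicious process name: %r" % process_name)
    return PKG_QUERY + [process_name]


def query_package(process_name: str) -> subprocess.CompletedProcess:
    # shell=False (the default): process_name reaches the package manager
    # unmodified as a single argument, whatever characters it contains.
    return subprocess.run(build_hardened_argv(process_name),
                          capture_output=True, text=True, check=False)


if __name__ == "__main__":
    hostile = "cron; echo injected"  # constructed sample name
    print(shell_words(build_vulnerable_command(hostile)))  # six words, two commands
    print(build_hardened_argv("cron"))                     # ['dpkg-query', '-S', 'cron']
```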

In addition to the problem described above, SaltStack 3002.5 fixes 9 other vulnerabilities:

  • CVE-2021-25281 - due to a missing authorization check, a remote attacker can run any wheel module on the control master server by accessing SaltAPI and compromise the entire infrastructure.
  • CVE-2021-3197 - an issue in the minion's SSH module that allows arbitrary shell commands to be executed by substituting arguments via the "ProxyCommand" setting or by passing ssh_options through the API.
  • CVE-2021-25282 - unauthorized access to wheel_async allows a SaltAPI call to write a file outside the base directory and execute arbitrary code on the system.
  • CVE-2021-25283 - a base-directory escape in the wheel.pillar_roots.write handler in SaltAPI allows an arbitrary template to be added to the jinja renderer.
  • CVE-2021-25284 - passwords set via webutils are written in clear text to the /var/log/salt/minion log.
  • CVE-2021-3148 - possible command substitution via a SaltAPI call to salt.utils.thin.gen_thin().
  • CVE-2020-35662 - missing SSL certificate verification in the default configuration.
  • CVE-2021-3144 - ability to use eauth authentication tokens after they have expired.
  • CVE-2020-28972 - the code did not verify the server's SSL/TLS certificate, which allowed MITM attacks.

Source: opennet.ru
