CVE-2023-20897

Name: CVE-2023-20897
Description: Salt masters prior to 3005.2 or 3006.2 contain a denial of service (DoS) in minion return. After receiving a number of bad packets on the request server equal to the number of worker threads, the master becomes unresponsive to return requests until restarted.
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs: 1051504

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package | Release                                   | Version                  | Status
-------------- | ---------------------------------------- | ------------------------ | ----------
salt (PTS)     | jessie, jessie (lts)                     | 2014.1.13+ds-3+deb8u2    | vulnerable
salt (PTS)     | stretch (security), stretch (lts), stretch | 2016.11.2+ds-1+deb9u10 | vulnerable
salt (PTS)     | buster (security), buster, buster (lts)  | 2018.3.4+dfsg1-6+deb10u3 | vulnerable

The information below is based on the following data on fixed versions.

Package | Type   | Release    | Fixed Version | Urgency     | Origin | Debian Bugs
------- | ------ | ---------- | ------------- | ----------- | ------ | -----------
salt    | source | jessie     | (unfixed)     | end-of-life |        |
salt    | source | stretch    | (unfixed)     | end-of-life |        |
salt    | source | buster     | (unfixed)     | end-of-life |        |
salt    | source | (unstable) | (unfixed)     |             |        | 1051504

Notes

[buster] - salt <end-of-life> (EOL in buster LTS)
https://saltproject.io/security-announcements/2023-08-10-advisory/
https://github.com/saltstack/salt/issues/64061
