CVE-2023-20897

Name: CVE-2023-20897
Description: Salt masters prior to 3005.2 or 3006.2 contain a DoS in minion return. After receiving several bad packets on the request server equal to the number of worker threads, the master will become unresponsive to return requests until restarted.
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs: 1051504

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package   Release                        Version                    Status
salt (PTS)       buster, buster (security)      2018.3.4+dfsg1-6+deb10u3   vulnerable
salt (PTS)       bullseye (security), bullseye  3002.6+dfsg1-4+deb11u1     vulnerable
salt (PTS)       sid                            3004.1+dfsg-2.2            vulnerable

The information below is based on the following data on fixed versions.

Package   Type     Release     Fixed Version   Urgency       Origin   Debian Bugs
salt      source   buster      (unfixed)       end-of-life
salt      source   (unstable)  (unfixed)                              1051504

Notes

[buster] - salt <end-of-life> (EOL in buster LTS)
https://saltproject.io/security-announcements/2023-08-10-advisory/
https://github.com/saltstack/salt/issues/64061
