Bug 2237513 (CVE-2023-20897)

Summary: CVE-2023-20897 salt: DOS in minion return
Product: [Other] Security Response
Reporter: Patrick Del Bello <pdelbell>
Component: vulnerability
Assignee: Product Security <prodsec-ir-bot>
Status: NEW
Severity: medium
Priority: medium
Version: unspecified
Keywords: Security
Hardware: All   
OS: Linux   
Bug Depends On: 2237514    

Description Patrick Del Bello 2023-09-05 19:31:47 UTC
Salt masters prior to 3005.2 or 3006.2 contain a DOS in minion return. After receiving several bad packets on the request server equal to the number of worker threads, the master will become unresponsive to return requests until restarted.


https://saltproject.io/security-announcements/2023-08-10-advisory/

Comment 1 Patrick Del Bello 2023-09-05 19:32:00 UTC
Created salt tracking bugs for this issue:

Affects: fedora-all [bug 2237514]