The TLS module within SaltStack Salt through 3002 creates certificates with weak file permissions. Reference: https://www.saltstack.com/blog/on-november-3-2020-saltstack-publicly-disclosed-three-new-cves/
Created salt tracking bugs for this issue: Affects: fedora-all [bug 1895452]
This was already fixed in salt 3001.3 and 3002.1, which have been released in Fedora 31, 32, 33, and Rawhide.
Statement: Red Hat Ceph Storage 2 shipped salt for the usage of Red Hat Storage Console 2 (RHSCON-2), which required salt to administrate ceph nodes. RHSCON-2 has reached End Of Life, hence salt is no longer used and supported. Therefore, the salt package provided by Red Hat Ceph Storage 2 has been marked as 'will not fix'.
Upstream fix commit: https://github.com/saltstack/salt/commit/86e18b91ae006de381f71b972f1daab9239bad3c
External References:
https://www.saltstack.com/blog/on-november-3-2020-saltstack-publicly-disclosed-three-new-cves/
https://docs.saltstack.com/en/latest/topics/releases/3002.1.html
https://docs.saltstack.com/en/latest/topics/releases/3001.2.html
https://docs.saltstack.com/en/latest/topics/releases/3000.4.html
https://docs.saltstack.com/en/latest/topics/releases/2019.2.6.html