Bug 976942 – VUL-1: CVE-2016-2109: openssl: Harden ASN.1 BIO handling of large amounts of data.

Bug 976942 - (CVE-2016-2109) VUL-1: CVE-2016-2109: openssl: Harden ASN.1 BIO handling of large amounts of data.

(CVE-2016-2109)
Summary:	VUL-1: CVE-2016-2109: openssl: Harden ASN.1 BIO handling of large amounts of ...

Status:	RESOLVED FIXED

Classification:	Novell Products
Product:	SUSE Security Incidents
Classification:	Novell Products
Component:	Incidents
Version:	unspecified
Hardware:	Other Other

Priority:	P4 - Low Severity: Normal
Target Milestone:	---
Assigned To:	Security Team bot
QA Contact:	Security Team bot

URL:
Whiteboard:	CVSSv2:SUSE:CVE-2016-2109:4.3:(AV:N/A...
Keywords:

Depends on:
Blocks:	977584
	Show dependency tree / graph

Create test case

Clone This Bug

Reported:	2016-04-23 15:57 UTC by Marcus Meissner
Modified:	2022-02-16 21:23 UTC (History)
CC List:	8 users (show)

See Also:
Found By:	---
Services Priority:
Business Priority:
Blocker:	---
Marketing QA Status:	---
IT Deployment:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Marcus Meissner 2016-04-23 15:57:41 UTC

via openssl git

commit 3d411057a5e28530fffc40b257698f453c89aa87
Author: Dr. Stephen Henson <steve@openssl.org>
Date:   Mon Apr 11 13:57:20 2016 +0100

    Harden ASN.1 BIO handling of large amounts of data.
    
    If the ASN.1 BIO is presented with a large length field read it in
    chunks of increasing size checking for EOF on each read. This prevents
    small files allocating excessive amounts of data.
    
    CVE-2016-2109
    
    Thanks to Brian Carpenter for reporting this issue.
    
    Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
    (cherry picked from commit c62981390d6cf9e3d612c489b8b77c2913b25807)

Comment 1 Marcus Meissner 2016-04-23 15:58:15 UTC

testcase in mastrer:

commit 9f13d4dd5ec420fb2fa0a7b94a6d66bb2700a492
Author: Dr. Stephen Henson <steve@openssl.org>
Date:   Fri Apr 22 18:44:23 2016 +0100

    add test for CVE-2016-2109
    
    Reviewed-by: Richard Levitte <levitte@openssl.org>

commit 53e409db615550c4bf5da2c9a5f56c7065315636
Author: Dr. Stephen Henson <steve@openssl.org>
Date:   Fri Apr 22 18:37:42 2016 +0100

    In d2i_test return error for malloc failure.
    
    Bad ASN.1 data should never be able to trigger a malloc failure so return
    an error in d2i_test if a malloc failure occurs.
    
    Reviewed-by: Richard Levitte <levitte@openssl.org>

Comment 2 Swamp Workflow Management 2016-04-23 22:00:13 UTC

bugbot adjusting priority

Comment 13 Swamp Workflow Management 2016-05-03 08:02:43 UTC

An update workflow for this issue was started.
This issue was rated as important.
Please submit fixed packages until 2016-05-10.
When done, reassign the bug to security-team@suse.de.
https://swamp.suse.de/webswamp/wf/62679

Comment 14 Bernhard Wiedemann 2016-05-03 15:00:17 UTC

This is an autogenerated message for OBS integration:
This bug (976942) was mentioned in
https://build.opensuse.org/request/show/393430 13.2+42.1 / openssl

Comment 15 Bernhard Wiedemann 2016-05-03 16:00:12 UTC

This is an autogenerated message for OBS integration:
This bug (976942) was mentioned in
https://build.opensuse.org/request/show/393456 Factory / openssl

Comment 16 Bernhard Wiedemann 2016-05-03 18:00:17 UTC

This is an autogenerated message for OBS integration:
This bug (976942) was mentioned in
https://build.opensuse.org/request/show/393469 13.2+42.1 / libopenssl0_9_8

Comment 19 Swamp Workflow Management 2016-05-03 20:08:47 UTC

SUSE-SU-2016:1206-1: An update that solves 5 vulnerabilities and has four fixes is now available.

Category: security (important)
Bug References: 889013,971354,976942,976943,977614,977615,977616,977617,977621
CVE References: CVE-2016-2105,CVE-2016-2106,CVE-2016-2107,CVE-2016-2108,CVE-2016-2109
Sources used:
SUSE Linux Enterprise Server 11-SECURITY (src):    openssl1-1.0.1g-0.47.1

Comment 20 Swamp Workflow Management 2016-05-04 14:14:36 UTC

SUSE-SU-2016:1228-1: An update that solves 5 vulnerabilities and has three fixes is now available.

Category: security (important)
Bug References: 958501,976942,976943,977614,977615,977616,977617,977621
CVE References: CVE-2016-2105,CVE-2016-2106,CVE-2016-2107,CVE-2016-2108,CVE-2016-2109
Sources used:
SUSE Linux Enterprise Software Development Kit 12 (src):    openssl-1.0.1i-27.16.1
SUSE Linux Enterprise Server 12 (src):    openssl-1.0.1i-27.16.1
SUSE Linux Enterprise Desktop 12 (src):    openssl-1.0.1i-27.16.1

Comment 21 Swamp Workflow Management 2016-05-04 16:08:28 UTC

SUSE-SU-2016:1231-1: An update that fixes four vulnerabilities is now available.

Category: security (important)
Bug References: 976942,976943,977615,977617
CVE References: CVE-2016-2105,CVE-2016-2106,CVE-2016-2108,CVE-2016-2109
Sources used:
SUSE Linux Enterprise Server for SAP 11-SP4 (src):    compat-openssl097g-0.9.7g-146.22.44.1
SUSE Linux Enterprise Server for SAP 11-SP3 (src):    compat-openssl097g-0.9.7g-146.22.44.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    compat-openssl097g-0.9.7g-146.22.44.1

Comment 22 Swamp Workflow Management 2016-05-04 16:10:05 UTC

SUSE-SU-2016:1233-1: An update that solves 5 vulnerabilities and has three fixes is now available.

Category: security (important)
Bug References: 958501,976942,976943,977614,977615,977616,977617,977621
CVE References: CVE-2016-2105,CVE-2016-2106,CVE-2016-2107,CVE-2016-2108,CVE-2016-2109
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP1 (src):    openssl-1.0.1i-47.1
SUSE Linux Enterprise Server 12-SP1 (src):    openssl-1.0.1i-47.1
SUSE Linux Enterprise Desktop 12-SP1 (src):    openssl-1.0.1i-47.1

Comment 23 Swamp Workflow Management 2016-05-05 11:07:43 UTC

openSUSE-SU-2016:1237-1: An update that solves 5 vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 976942,976943,977614,977615,977616,977617
CVE References: CVE-2016-2105,CVE-2016-2106,CVE-2016-2107,CVE-2016-2108,CVE-2016-2109
Sources used:
openSUSE Evergreen 11.4 (src):    openssl-1.0.1p-74.1

Comment 24 Swamp Workflow Management 2016-05-05 11:08:49 UTC

openSUSE-SU-2016:1238-1: An update that solves 5 vulnerabilities and has three fixes is now available.

Category: security (important)
Bug References: 958501,976942,976943,977614,977615,977616,977617,977621
CVE References: CVE-2016-2105,CVE-2016-2106,CVE-2016-2107,CVE-2016-2108,CVE-2016-2109
Sources used:
openSUSE 13.2 (src):    openssl-1.0.1k-2.36.1

Comment 25 Swamp Workflow Management 2016-05-05 11:10:41 UTC

openSUSE-SU-2016:1239-1: An update that solves 9 vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 963415,968046,968048,968050,968374,976942,976943,977614,977615,977617
CVE References: CVE-2015-3197,CVE-2016-0702,CVE-2016-0797,CVE-2016-0799,CVE-2016-0800,CVE-2016-2105,CVE-2016-2106,CVE-2016-2108,CVE-2016-2109
Sources used:
openSUSE Evergreen 11.4 (src):    libopenssl0_9_8-0.9.8zh-14.1

Comment 26 Swamp Workflow Management 2016-05-05 11:11:26 UTC

openSUSE-SU-2016:1240-1: An update that solves 5 vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 976942,976943,977614,977615,977616,977617
CVE References: CVE-2016-2105,CVE-2016-2106,CVE-2016-2107,CVE-2016-2108,CVE-2016-2109
Sources used:
openSUSE 13.1 (src):    openssl-1.0.1k-11.87.1

Comment 27 Swamp Workflow Management 2016-05-05 11:13:03 UTC

openSUSE-SU-2016:1241-1: An update that solves 9 vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 963415,968046,968048,968050,968374,976942,976943,977614,977615,977617
CVE References: CVE-2015-3197,CVE-2016-0702,CVE-2016-0797,CVE-2016-0799,CVE-2016-0800,CVE-2016-2105,CVE-2016-2106,CVE-2016-2108,CVE-2016-2109
Sources used:
openSUSE 13.1 (src):    libopenssl0_9_8-0.9.8zh-5.3.1

Comment 28 Swamp Workflow Management 2016-05-05 16:08:14 UTC

openSUSE-SU-2016:1242-1: An update that solves 5 vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 968050,976942,976943,977614,977615,977617
CVE References: CVE-2016-0702,CVE-2016-2105,CVE-2016-2106,CVE-2016-2108,CVE-2016-2109
Sources used:
openSUSE Leap 42.1 (src):    libopenssl0_9_8-0.9.8zh-17.1
openSUSE 13.2 (src):    libopenssl0_9_8-0.9.8zh-9.6.1

Comment 29 Swamp Workflow Management 2016-05-05 16:09:08 UTC

openSUSE-SU-2016:1243-1: An update that solves 5 vulnerabilities and has three fixes is now available.

Category: security (important)
Bug References: 958501,976942,976943,977614,977615,977616,977617,977621
CVE References: CVE-2016-2105,CVE-2016-2106,CVE-2016-2107,CVE-2016-2108,CVE-2016-2109
Sources used:
openSUSE Leap 42.1 (src):    openssl-1.0.1i-15.1

Comment 30 Bo Jin 2016-05-08 22:35:03 UTC

I have a customer asking if sles11sp4 x86 is also affected and should have this patch: openssl patch openssl1 12539  (CVE-2016-2107).

Comment 31 Bo Jin 2016-05-08 22:37:13 UTC

my understanding is openssl0.9.8 is only affected if AES-NI is build-in. But I can't figure out if AES-NI is backported to openssl-0.9.8j-0.89 (on sles11sp4).

Comment 32 Marcus Meissner 2016-05-09 06:02:54 UTC

The CVE-2016-2107 AES-NI bug is a different bug 977616, please look at that.
As you wrote, 0.9.8j did not have AES-NI code, so is not affect.

This bug (for CVE-2016-2109) affects SLES 11, the update is still in QA but will be released soon, in the next days.

Comment 33 Swamp Workflow Management 2016-05-09 10:08:31 UTC

SUSE-SU-2016:1267-1: An update that solves 5 vulnerabilities and has two fixes is now available.

Category: security (important)
Bug References: 889013,968050,976942,976943,977614,977615,977617
CVE References: CVE-2016-0702,CVE-2016-2105,CVE-2016-2106,CVE-2016-2108,CVE-2016-2109
Sources used:
SUSE Linux Enterprise Server for SAP 12-SP1 (src):    compat-openssl098-0.9.8j-97.1
SUSE Linux Enterprise Module for Legacy Software 12 (src):    compat-openssl098-0.9.8j-97.1
SUSE Linux Enterprise Desktop 12-SP1 (src):    compat-openssl098-0.9.8j-97.1
SUSE Linux Enterprise Desktop 12 (src):    compat-openssl098-0.9.8j-97.1

Comment 34 Till Dörges 2016-05-10 08:17:32 UTC

This update doesn't seem to be available on download.opensuse.org yet.

The announcement was sent on 05.05.2016 to opensuse-security-announce@opensuse.org.

Am I searching in the wrong places? Anything else missing?

Comment 35 Marcus Meissner 2016-05-10 08:44:55 UTC

which opensuse?

Comment 36 Till Dörges 2016-05-10 08:46:45 UTC

More precisely, I'm looking for this one:

openSUSE 13.1:    openssl-1.0.1k-11.87.1

Comment 37 Andreas Stieger 2016-05-10 09:16:42 UTC

SUSE no longer maintains 13.1:
http://lists.opensuse.org/opensuse-security-announce/2016-02/msg00004.html
but the Evergreen community effort is still working on it.

Evergreen seems to have released an update out of 
https://build.opensuse.org/project/show/openSUSE:Evergreen:Maintenance:4634
which is in the :Update project but apparently not the published repo.

CC'ing Evergreen maintainer.

Comment 38 Marcus Meissner 2016-05-10 09:36:43 UTC

This is a transient error. I will get Adrian to fix it.

Comment 39 Marcus Meissner 2016-05-10 14:44:37 UTC

should be fixed now.

Comment 40 Till Dörges 2016-05-10 18:35:30 UTC

Works fine. Also a few other patches appeared.

Thanks a lot!

Comment 41 Swamp Workflow Management 2016-05-10 22:08:08 UTC

openSUSE-SU-2016:1273-1: An update that solves 5 vulnerabilities and has two fixes is now available.

Category: security (important)
Bug References: 889013,968050,976942,976943,977614,977615,977617
CVE References: CVE-2016-0702,CVE-2016-2105,CVE-2016-2106,CVE-2016-2108,CVE-2016-2109
Sources used:
openSUSE Leap 42.1 (src):    compat-openssl098-0.9.8j-12.2

Comment 42 Bernhard Wiedemann 2016-05-11 10:00:20 UTC

This is an autogenerated message for OBS integration:
This bug (976942) was mentioned in
https://build.opensuse.org/request/show/394817 42.2 / openssl

Comment 43 Swamp Workflow Management 2016-05-12 18:08:32 UTC

SUSE-SU-2016:1290-1: An update that solves 5 vulnerabilities and has two fixes is now available.

Category: security (important)
Bug References: 889013,968050,976942,976943,977614,977615,977617
CVE References: CVE-2016-0702,CVE-2016-2105,CVE-2016-2106,CVE-2016-2108,CVE-2016-2109
Sources used:
SUSE Studio Onsite 1.3 (src):    openssl-0.9.8j-0.97.1
SUSE OpenStack Cloud 5 (src):    openssl-0.9.8j-0.97.1
SUSE Manager Proxy 2.1 (src):    openssl-0.9.8j-0.97.1
SUSE Manager 2.1 (src):    openssl-0.9.8j-0.97.1
SUSE Linux Enterprise Software Development Kit 11-SP4 (src):    openssl-0.9.8j-0.97.1
SUSE Linux Enterprise Server 11-SP4 (src):    openssl-0.9.8j-0.97.1
SUSE Linux Enterprise Server 11-SP3-LTSS (src):    openssl-0.9.8j-0.97.1
SUSE Linux Enterprise Server 11-SP2-LTSS (src):    openssl-0.9.8j-0.97.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    openssl-0.9.8j-0.97.1
SUSE Linux Enterprise Debuginfo 11-SP3 (src):    openssl-0.9.8j-0.97.1
SUSE Linux Enterprise Debuginfo 11-SP2 (src):    openssl-0.9.8j-0.97.1

Comment 44 Marcus Meissner 2016-05-13 09:37:25 UTC

released

Comment 45 Swamp Workflow Management 2016-05-19 17:10:20 UTC

SUSE-SU-2016:1360-1: An update that solves 5 vulnerabilities and has two fixes is now available.

Category: security (important)
Bug References: 968050,973223,976942,976943,977614,977615,977617
CVE References: CVE-2016-0702,CVE-2016-2105,CVE-2016-2106,CVE-2016-2108,CVE-2016-2109
Sources used:
SUSE Linux Enterprise Server 10 SP4 LTSS (src):    openssl-0.9.8a-18.96.1

Comment 48 Swamp Workflow Management 2022-02-16 21:23:23 UTC

SUSE-FU-2022:0445-1: An update that solves 183 vulnerabilities, contains 21 features and has 299 fixes is now available.

Category: feature (moderate)
Bug References: 1000080,1000117,1000194,1000677,1000742,1001148,1001912,1002585,1002895,1003091,1005246,1009528,1010874,1010966,1011936,1015549,1019637,1021641,1022085,1022086,1022271,1027079,1027610,1027688,1027705,1027908,1028281,1028723,1029523,1029902,1030038,1032118,1032119,1035604,1039469,1040164,1040256,1041090,1042392,1042670,1044095,1044107,1044175,1049186,1049304,1050653,1050665,1055478,1055542,1055825,1056058,1056951,1057496,1062237,1065363,1066242,1066873,1068790,1070737,1070738,1070853,1071905,1071906,1071941,1073310,1073845,1073879,1074247,1076519,1077096,1077230,1078329,1079761,1080301,1081005,1081750,1081751,1082155,1082163,1082318,1083826,1084117,1084157,1085276,1085529,1085661,1087102,1087104,1088573,1089039,1090427,1090765,1090953,1093518,1093917,1094788,1094814,1094883,1095267,1096738,1096937,1097158,1097531,1097624,1098535,1098592,1099308,1099569,1100078,1101246,1101470,1102868,1104789,1106197,1108508,1109882,1109998,1110435,1110869,1110871,1111493,1111622,1111657,1112209,1112357,1113534,1113652,1113742,1113975,1115769,1117951,1118611,1119376,1119416,1119792,1121717,1121852,1122191,1123064,1123185,1123186,1123558,1124885,1125815,1126283,1126318,1127080,1127173,1128146,1128323,1128355,1129071,1129566,1130840,1131291,1132174,1132323,1132455,1132663,1132900,1135009,1136444,1138666,1138715,1138746,1139915,1140255,1141168,1142899,1143033,1143454,1143893,1144506,1149686,1149792,1150003,1150190,1150250,1150895,1153830,1155815,1156677,1156694,1156908,1157104,1157354,1158809,1159235,1159538,1160163,1161557,1161770,1162224,1162367,1162743,1163978,1164310,1165439,1165578,1165730,1165823,1165960,1166139,1166758,1167008,1167501,1167732,1167746,1168480,1168973,1169489,1170175,1170863,1171368,1171561,1172226,1172908,1172928,1173226,1173356,1174009,1174091,1174514,1175729,1176116,1176129,1176134,1176232,1176256,1176257,1176258,1176259,1176262,1176389,1176785,1176977,1177120,1177127,1177559,1178168,1178341,1178670,1179491,1179562,1179630,1179805,1180125,1180781,1181126,1181324,1181944,1182066,1182211,1182244,1182264,1182331,1182333,1182379,1182963,1183059,1183374,1183858,1184505,1185588,1185706,1185748,1186738,1187045,1189521,1190781,1193357,356549,381844,394317,408865,428177,430141,431945,437293,442740,459468,489641,504687,509031,526319,590833,610223,610642,629905,637176,651003,657698,658604,670526,673071,693027,715423,720601,743787,747125,748738,749210,749213,749735,750618,751718,751946,751977,754447,754677,761500,774710,784670,784994,787526,793420,799119,802184,803004,809831,811890,822642,825221,828513,831629,832833,834601,835687,839107,84331,849377,855666,855676,856687,857203,857850,858239,867887,869945,871152,872299,873351,876282,876710,876712,876748,880891,885662,885882,889013,889363,892477,892480,895129,898917,901223,901277,901902,902364,906878,907584,908362,908372,912014,912015,912018,912292,912293,912294,912296,912460,913229,915479,917607,917759,917815,919648,920236,922448,922488,922496,922499,922500,926597,929678,929736,930189,931698,931978,933898,933911,934487,934489,934491,934493,935856,937085,937212,937492,937634,937912,939456,940608,942385,942751,943421,944204,945455,946648,947104,947357,947679,948198,952871,954256,954486,954690,957812,957813,957815,958501,961334,962291,963415,963974,964204,964472,964474,965830,967128,968046,968047,968048,968050,968265,968270,968374,968601,975875,976942,977584,977614,977615,977616,977663,978224,981848,982268,982575,983249,984323,985054,988086,990207,990392,990419,990428,991193,991877,992120,992988,992989,992992,993130,993819,993825,993968,994749,994844,994910,995075,995324,995359,995377,995959,996255,997043,997614,998190,999665,999666,999668
CVE References: CVE-2006-2937,CVE-2006-2940,CVE-2006-3738,CVE-2006-4339,CVE-2006-4343,CVE-2006-7250,CVE-2007-3108,CVE-2007-4995,CVE-2007-5135,CVE-2008-0891,CVE-2008-1672,CVE-2008-5077,CVE-2009-0590,CVE-2009-0591,CVE-2009-0789,CVE-2009-1377,CVE-2009-1378,CVE-2009-1379,CVE-2009-1386,CVE-2009-1387,CVE-2010-0740,CVE-2010-0742,CVE-2010-1633,CVE-2010-2939,CVE-2010-3864,CVE-2010-5298,CVE-2011-0014,CVE-2011-3207,CVE-2011-3210,CVE-2011-3389,CVE-2011-4108,CVE-2011-4576,CVE-2011-4577,CVE-2011-4619,CVE-2011-4944,CVE-2012-0027,CVE-2012-0050,CVE-2012-0845,CVE-2012-0884,CVE-2012-1150,CVE-2012-1165,CVE-2012-2110,CVE-2012-2686,CVE-2012-4929,CVE-2013-0166,CVE-2013-0169,CVE-2013-1752,CVE-2013-4238,CVE-2013-4314,CVE-2013-4353,CVE-2013-6449,CVE-2013-6450,CVE-2014-0012,CVE-2014-0076,CVE-2014-0160,CVE-2014-0195,CVE-2014-0198,CVE-2014-0221,CVE-2014-0224,CVE-2014-1829,CVE-2014-1830,CVE-2014-2667,CVE-2014-3470,CVE-2014-3505,CVE-2014-3506,CVE-2014-3507,CVE-2014-3508,CVE-2014-3509,CVE-2014-3510,CVE-2014-3511,CVE-2014-3512,CVE-2014-3513,CVE-2014-3566,CVE-2014-3567,CVE-2014-3568,CVE-2014-3570,CVE-2014-3571,CVE-2014-3572,CVE-2014-4650,CVE-2014-5139,CVE-2014-7202,CVE-2014-7203,CVE-2014-8275,CVE-2014-9721,CVE-2015-0204,CVE-2015-0205,CVE-2015-0206,CVE-2015-0209,CVE-2015-0286,CVE-2015-0287,CVE-2015-0288,CVE-2015-0289,CVE-2015-0293,CVE-2015-1788,CVE-2015-1789,CVE-2015-1790,CVE-2015-1791,CVE-2015-1792,CVE-2015-2296,CVE-2015-3194,CVE-2015-3195,CVE-2015-3196,CVE-2015-3197,CVE-2015-3216,CVE-2015-4000,CVE-2016-0702,CVE-2016-0705,CVE-2016-0797,CVE-2016-0798,CVE-2016-0799,CVE-2016-0800,CVE-2016-10745,CVE-2016-2105,CVE-2016-2106,CVE-2016-2107,CVE-2016-2109,CVE-2016-2176,CVE-2016-2177,CVE-2016-2178,CVE-2016-2179,CVE-2016-2180,CVE-2016-2181,CVE-2016-2182,CVE-2016-2183,CVE-2016-6302,CVE-2016-6303,CVE-2016-6304,CVE-2016-6306,CVE-2016-7052,CVE-2016-7055,CVE-2016-9015,CVE-2017-18342,CVE-2017-3731,CVE-2017-3732,CVE-2017-3735,CVE-2017-3736,CVE-2017-3737,CVE-2017-3738,CVE-2018-0732,CVE-2018-0734,CVE-2018-0737,CVE-2018-0739,CVE-2018-18074,CVE-2018-20060,CVE-2018-5407,CVE-2018-7750,CVE-2019-10906,CVE-2019-11236,CVE-2019-11324,CVE-2019-13132,CVE-2019-1547,CVE-2019-1551,CVE-2019-1559,CVE-2019-1563,CVE-2019-20907,CVE-2019-20916,CVE-2019-5010,CVE-2019-6250,CVE-2019-8341,CVE-2019-9740,CVE-2019-9947,CVE-2020-14343,CVE-2020-15166,CVE-2020-15523,CVE-2020-15801,CVE-2020-1747,CVE-2020-1971,CVE-2020-25659,CVE-2020-26137,CVE-2020-27783,CVE-2020-28493,CVE-2020-29651,CVE-2020-36242,CVE-2020-8492,CVE-2021-23336,CVE-2021-23840,CVE-2021-23841,CVE-2021-28957,CVE-2021-29921,CVE-2021-3177,CVE-2021-33503,CVE-2021-3426,CVE-2021-3712
JIRA References: ECO-3105,SLE-11435,SLE-12684,SLE-12986,SLE-13688,SLE-14253,SLE-15159,SLE-15860,SLE-15861,SLE-16754,SLE-17532,SLE-17957,SLE-18260,SLE-18354,SLE-18446,SLE-19264,SLE-3887,SLE-4480,SLE-4577,SLE-7686,SLE-9135
Sources used:
SUSE Manager Tools 12-BETA (src):    venv-salt-minion-3002.2-3.3.2

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.