Bug 968374 (CVE-2016-0799) - VUL-1: CVE-2016-0799: openssl: memory issues in BIO_*printf functions
Summary: VUL-1: CVE-2016-0799: openssl: memory issues in BIO_*printf functions
Status: RESOLVED FIXED
Alias: CVE-2016-0799
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents (show other bugs)
Version: unspecified
Hardware: Other Other
: P4 - Low : Normal
Target Milestone: ---
Assignee: Security Team bot
QA Contact: Security Team bot
URL:
Whiteboard: maint:running:62484:important CVSSv...
Keywords:
Depends on:
Blocks:
 
Reported: 2016-02-26 07:52 UTC by Marcus Meissner
Modified: 2022-02-16 21:23 UTC (History)
4 users (show)

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Attachments
openssl-CVE-2016-0799.patch (14.92 KB, patch)
2016-02-26 07:54 UTC, Marcus Meissner 		Details | Diff
CVE-2016-0799.c (409 bytes, text/plain)
2016-02-26 13:53 UTC, Marcus Meissner 		Details
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Marcus Meissner 2016-02-26 07:52:13 UTC 
public via openssl git

commit a801bf263849a2ef773e5bc0c86438cbba720835
Author: Matt Caswell <matt@openssl.org>
Date:   Thu Feb 25 13:09:46 2016 +0000

    Fix memory issues in BIO_*printf functions
    
    The internal |fmtstr| function used in processing a "%s" format string
    in the BIO_*printf functions could overflow while calculating the length
    of a string and cause an OOB read when printing very long strings.
    
    Additionally the internal |doapr_outch| function can attempt to write to
    an OOB memory location (at an offset from the NULL pointer) in the event of
    a memory allocation failure. In 1.0.2 and below this could be caused where
    the size of a buffer to be allocated is greater than INT_MAX. E.g. this
    could be in processing a very long "%s" format string. Memory leaks can also
    occur.
    
    These issues will only occur on certain platforms where sizeof(size_t) >
    sizeof(int). E.g. many 64 bit systems. The first issue may mask the second
    issue dependent on compiler behaviour.
    
    These problems could enable attacks where large amounts of untrusted data
    is passed to the BIO_*printf functions. If applications use these functions
    in this way then they could be vulnerable. OpenSSL itself uses these
    functions when printing out human-readable dumps of ASN.1 data. Therefore
    applications that print this data could be vulnerable if the data is from
    untrusted sources. OpenSSL command line applications could also be
    vulnerable where they print out ASN.1 data, or if untrusted data is passed
    as command line arguments.
    
    Libssl is not considered directly vulnerable. Additionally certificates etc
    received via remote connections via libssl are also unlikely to be able to
    trigger these issues because of message size limits enforced within libssl.
    
    CVE-2016-0799
    
    Issue reported by Guido Vranken.
    
    Reviewed-by: Andy Polyakov <appro@openssl.org>
    (cherry picked from commit 578b956fe741bf8e84055547b1e83c28dd902c73)
Comment 1 Marcus Meissner 2016-02-26 07:54:04 UTC 
Created attachment 666972 [details]
openssl-CVE-2016-0799.patch

openssl-CVE-2016-0799.patch posted to git 1.0.1 branch
Comment 4 Marcus Meissner 2016-02-26 13:53:10 UTC 
Created attachment 667009 [details]
CVE-2016-0799.c

gcc -O2 -o CVE-2016-0799 CVE-2016-0799.c -lcrypto

./CVE-2016-0799 | wc -c

before:
2147745802
  (actually a bad number, it does not match the passed in format / strings)

good:
0 bytes
  (overflow caught, and returned as 0 bytes)
Comment 7 Swamp Workflow Management 2016-02-26 23:00:23 UTC 
bugbot adjusting priority
Comment 8 Cristian Rodríguez 2016-02-29 02:58:38 UTC 
Just FYI: our openSSL does not use this code..and cannot be vulnerable.. at least not since 0001-Axe-builtin-printf-implementation-use-glibc-instead.patch  is in place.. I added it in 13.2..:-)
Comment 14 Bernhard Wiedemann 2016-03-01 15:00:56 UTC 
This is an autogenerated message for OBS integration:
This bug (968374) was mentioned in
https://build.opensuse.org/request/show/363587 13.2 / openssl
Comment 15 Vítězslav Čížek 2016-03-01 16:46:01 UTC 
Packages submitted.
Reassigning to security team.
Comment 16 Swamp Workflow Management 2016-03-01 17:14:25 UTC 
SUSE-SU-2016:0617-1: An update that solves 9 vulnerabilities and has two fixes is now available.

Category: security (important)
Bug References: 952871,958501,963415,968046,968047,968048,968050,968051,968053,968265,968374
CVE References: CVE-2015-3197,CVE-2016-0702,CVE-2016-0703,CVE-2016-0704,CVE-2016-0705,CVE-2016-0797,CVE-2016-0798,CVE-2016-0799,CVE-2016-0800
Sources used:
SUSE Linux Enterprise Software Development Kit 12 (src):    openssl-1.0.1i-27.13.1
SUSE Linux Enterprise Server 12 (src):    openssl-1.0.1i-27.13.1
SUSE Linux Enterprise Desktop 12 (src):    openssl-1.0.1i-27.13.1
Comment 17 Swamp Workflow Management 2016-03-01 17:18:51 UTC 
SUSE-SU-2016:0620-1: An update that solves 9 vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 958501,963415,968046,968047,968048,968050,968051,968053,968265,968374
CVE References: CVE-2015-3197,CVE-2016-0702,CVE-2016-0703,CVE-2016-0704,CVE-2016-0705,CVE-2016-0797,CVE-2016-0798,CVE-2016-0799,CVE-2016-0800
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP1 (src):    openssl-1.0.1i-44.1
SUSE Linux Enterprise Server 12-SP1 (src):    openssl-1.0.1i-44.1
SUSE Linux Enterprise Desktop 12-SP1 (src):    openssl-1.0.1i-44.1
Comment 18 Swamp Workflow Management 2016-03-01 17:21:37 UTC 
SUSE-SU-2016:0621-1: An update that solves 9 vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 952871,963415,968046,968047,968048,968050,968051,968053,968265,968374
CVE References: CVE-2015-3197,CVE-2016-0702,CVE-2016-0703,CVE-2016-0704,CVE-2016-0705,CVE-2016-0797,CVE-2016-0798,CVE-2016-0799,CVE-2016-0800
Sources used:
SUSE Linux Enterprise Server 11-SECURITY (src):    openssl1-1.0.1g-0.40.1
Comment 19 Swamp Workflow Management 2016-03-01 18:13:50 UTC 
SUSE-SU-2016:0624-1: An update that solves 7 vulnerabilities and has two fixes is now available.

Category: security (important)
Bug References: 952871,963415,967787,968046,968047,968048,968051,968053,968374
CVE References: CVE-2015-3197,CVE-2016-0702,CVE-2016-0703,CVE-2016-0705,CVE-2016-0797,CVE-2016-0799,CVE-2016-0800
Sources used:
SUSE Studio Onsite 1.3 (src):    openssl-0.9.8j-0.89.1
SUSE Linux Enterprise Software Development Kit 11-SP4 (src):    openssl-0.9.8j-0.89.1
SUSE Linux Enterprise Server 11-SP4 (src):    openssl-0.9.8j-0.89.1
SUSE Linux Enterprise Server 11-SP3-LTSS (src):    openssl-0.9.8j-0.89.1
SUSE Linux Enterprise Server 11-SP2-LTSS (src):    openssl-0.9.8j-0.89.1
SUSE Linux Enterprise Desktop 11-SP4 (src):    openssl-0.9.8j-0.89.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    openssl-0.9.8j-0.89.1
SUSE Linux Enterprise Debuginfo 11-SP3 (src):    openssl-0.9.8j-0.89.1
SUSE Linux Enterprise Debuginfo 11-SP2 (src):    openssl-0.9.8j-0.89.1
Comment 20 Swamp Workflow Management 2016-03-02 11:13:27 UTC 
openSUSE-SU-2016:0627-1: An update that solves 6 vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 952871,968046,968047,968048,968050,968265,968374
CVE References: CVE-2016-0702,CVE-2016-0705,CVE-2016-0797,CVE-2016-0798,CVE-2016-0799,CVE-2016-0800
Sources used:
openSUSE 13.2 (src):    openssl-1.0.1k-2.33.1
Comment 21 Swamp Workflow Management 2016-03-02 13:13:48 UTC 
openSUSE-SU-2016:0628-1: An update that solves 9 vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 958501,963415,968046,968047,968048,968050,968051,968053,968265,968374
CVE References: CVE-2015-3197,CVE-2016-0702,CVE-2016-0703,CVE-2016-0704,CVE-2016-0705,CVE-2016-0797,CVE-2016-0798,CVE-2016-0799,CVE-2016-0800
Sources used:
openSUSE Leap 42.1 (src):    openssl-1.0.1i-12.1
Comment 22 Marcus Meissner 2016-03-02 16:58:14 UTC 
released
Comment 23 Swamp Workflow Management 2016-03-02 17:13:37 UTC 
SUSE-SU-2016:0631-1: An update that fixes 6 vulnerabilities is now available.

Category: security (important)
Bug References: 963415,968046,968048,968051,968053,968374
CVE References: CVE-2015-3197,CVE-2016-0702,CVE-2016-0703,CVE-2016-0797,CVE-2016-0799,CVE-2016-0800
Sources used:
SUSE Linux Enterprise Server for SAP 11-SP4 (src):    compat-openssl097g-0.9.7g-146.22.41.1
SUSE Linux Enterprise Desktop 11-SP4 (src):    compat-openssl097g-0.9.7g-146.22.41.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    compat-openssl097g-0.9.7g-146.22.41.1
Comment 24 Swamp Workflow Management 2016-03-02 22:13:58 UTC 
openSUSE-SU-2016:0637-1: An update that fixes 11 vulnerabilities is now available.

Category: security (important)
Bug References: 957812,957815,963415,968046,968047,968048,968050,968265,968374
CVE References: CVE-2015-1794,CVE-2015-3194,CVE-2015-3195,CVE-2015-3197,CVE-2016-0701,CVE-2016-0702,CVE-2016-0705,CVE-2016-0797,CVE-2016-0798,CVE-2016-0799,CVE-2016-0800
Sources used:
openSUSE Evergreen 11.4 (src):    openssl-1.0.1p-71.1
Comment 25 Swamp Workflow Management 2016-03-03 13:12:57 UTC 
openSUSE-SU-2016:0640-1: An update that fixes 37 vulnerabilities is now available.

Category: security (important)
Bug References: 952871,963415,967787,968046,968048,968374
CVE References: CVE-2013-0166,CVE-2013-0169,CVE-2014-0076,CVE-2014-0195,CVE-2014-0221,CVE-2014-0224,CVE-2014-3470,CVE-2014-3505,CVE-2014-3506,CVE-2014-3507,CVE-2014-3508,CVE-2014-3510,CVE-2014-3566,CVE-2014-3567,CVE-2014-3568,CVE-2014-3569,CVE-2014-3570,CVE-2014-3571,CVE-2014-3572,CVE-2014-8275,CVE-2015-0204,CVE-2015-0209,CVE-2015-0286,CVE-2015-0287,CVE-2015-0288,CVE-2015-0289,CVE-2015-0293,CVE-2015-1788,CVE-2015-1789,CVE-2015-1790,CVE-2015-1791,CVE-2015-1792,CVE-2015-3195,CVE-2015-3197,CVE-2016-0797,CVE-2016-0799,CVE-2016-0800
Sources used:
openSUSE Leap 42.1 (src):    libopenssl0_9_8-0.9.8zh-14.1
openSUSE 13.2 (src):    libopenssl0_9_8-0.9.8zh-9.3.1
Comment 26 Swamp Workflow Management 2016-03-03 14:12:56 UTC 
SUSE-SU-2016:0641-1: An update that fixes 7 vulnerabilities is now available.

Category: security (important)
Bug References: 952871,963415,968046,968048,968051,968053,968374
CVE References: CVE-2015-3197,CVE-2016-0702,CVE-2016-0703,CVE-2016-0704,CVE-2016-0797,CVE-2016-0799,CVE-2016-0800
Sources used:
SUSE Linux Enterprise Server for SAP 12-SP1 (src):    compat-openssl098-0.9.8j-94.1
SUSE Linux Enterprise Module for Legacy Software 12 (src):    compat-openssl098-0.9.8j-94.1
SUSE Linux Enterprise Desktop 12-SP1 (src):    compat-openssl098-0.9.8j-94.1
SUSE Linux Enterprise Desktop 12 (src):    compat-openssl098-0.9.8j-94.1
Comment 27 Swamp Workflow Management 2016-03-07 17:15:13 UTC 
SUSE-SU-2016:0678-1: An update that fixes 8 vulnerabilities is now available.

Category: security (important)
Bug References: 937492,957812,963415,968046,968048,968051,968053,968374
CVE References: CVE-2015-0287,CVE-2015-3195,CVE-2015-3197,CVE-2016-0703,CVE-2016-0704,CVE-2016-0797,CVE-2016-0799,CVE-2016-0800
Sources used:
SUSE Linux Enterprise Server 10 SP4 LTSS (src):    openssl-0.9.8a-18.94.2
Comment 28 Swamp Workflow Management 2016-03-11 13:15:59 UTC 
openSUSE-SU-2016:0720-1: An update that fixes 7 vulnerabilities is now available.

Category: security (important)
Bug References: 952871,963415,968046,968048,968051,968053,968374
CVE References: CVE-2015-3197,CVE-2016-0702,CVE-2016-0703,CVE-2016-0704,CVE-2016-0797,CVE-2016-0799,CVE-2016-0800
Sources used:
openSUSE Leap 42.1 (src):    compat-openssl098-0.9.8j-9.1
Comment 29 Swamp Workflow Management 2016-04-15 19:11:15 UTC 
SUSE-SU-2016:1057-1: An update that solves 7 vulnerabilities and has two fixes is now available.

Category: security (important)
Bug References: 952871,963415,967787,968046,968047,968048,968051,968053,968374
CVE References: CVE-2015-3197,CVE-2016-0702,CVE-2016-0703,CVE-2016-0705,CVE-2016-0797,CVE-2016-0799,CVE-2016-0800
Sources used:
SUSE OpenStack Cloud 5 (src):    openssl-0.9.8j-0.91.1
SUSE Manager Proxy 2.1 (src):    openssl-0.9.8j-0.91.1
SUSE Manager 2.1 (src):    openssl-0.9.8j-0.91.1
Comment 30 Swamp Workflow Management 2016-05-05 11:10:32 UTC 
openSUSE-SU-2016:1239-1: An update that solves 9 vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 963415,968046,968048,968050,968374,976942,976943,977614,977615,977617
CVE References: CVE-2015-3197,CVE-2016-0702,CVE-2016-0797,CVE-2016-0799,CVE-2016-0800,CVE-2016-2105,CVE-2016-2106,CVE-2016-2108,CVE-2016-2109
Sources used:
openSUSE Evergreen 11.4 (src):    libopenssl0_9_8-0.9.8zh-14.1
Comment 31 Swamp Workflow Management 2016-05-05 11:12:54 UTC 
openSUSE-SU-2016:1241-1: An update that solves 9 vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 963415,968046,968048,968050,968374,976942,976943,977614,977615,977617
CVE References: CVE-2015-3197,CVE-2016-0702,CVE-2016-0797,CVE-2016-0799,CVE-2016-0800,CVE-2016-2105,CVE-2016-2106,CVE-2016-2108,CVE-2016-2109
Sources used:
openSUSE 13.1 (src):    libopenssl0_9_8-0.9.8zh-5.3.1
Comment 33 Swamp Workflow Management 2022-02-16 21:23:07 UTC 
SUSE-FU-2022:0445-1: An update that solves 183 vulnerabilities, contains 21 features and has 299 fixes is now available.

Category: feature (moderate)
Bug References: 1000080,1000117,1000194,1000677,1000742,1001148,1001912,1002585,1002895,1003091,1005246,1009528,1010874,1010966,1011936,1015549,1019637,1021641,1022085,1022086,1022271,1027079,1027610,1027688,1027705,1027908,1028281,1028723,1029523,1029902,1030038,1032118,1032119,1035604,1039469,1040164,1040256,1041090,1042392,1042670,1044095,1044107,1044175,1049186,1049304,1050653,1050665,1055478,1055542,1055825,1056058,1056951,1057496,1062237,1065363,1066242,1066873,1068790,1070737,1070738,1070853,1071905,1071906,1071941,1073310,1073845,1073879,1074247,1076519,1077096,1077230,1078329,1079761,1080301,1081005,1081750,1081751,1082155,1082163,1082318,1083826,1084117,1084157,1085276,1085529,1085661,1087102,1087104,1088573,1089039,1090427,1090765,1090953,1093518,1093917,1094788,1094814,1094883,1095267,1096738,1096937,1097158,1097531,1097624,1098535,1098592,1099308,1099569,1100078,1101246,1101470,1102868,1104789,1106197,1108508,1109882,1109998,1110435,1110869,1110871,1111493,1111622,1111657,1112209,1112357,1113534,1113652,1113742,1113975,1115769,1117951,1118611,1119376,1119416,1119792,1121717,1121852,1122191,1123064,1123185,1123186,1123558,1124885,1125815,1126283,1126318,1127080,1127173,1128146,1128323,1128355,1129071,1129566,1130840,1131291,1132174,1132323,1132455,1132663,1132900,1135009,1136444,1138666,1138715,1138746,1139915,1140255,1141168,1142899,1143033,1143454,1143893,1144506,1149686,1149792,1150003,1150190,1150250,1150895,1153830,1155815,1156677,1156694,1156908,1157104,1157354,1158809,1159235,1159538,1160163,1161557,1161770,1162224,1162367,1162743,1163978,1164310,1165439,1165578,1165730,1165823,1165960,1166139,1166758,1167008,1167501,1167732,1167746,1168480,1168973,1169489,1170175,1170863,1171368,1171561,1172226,1172908,1172928,1173226,1173356,1174009,1174091,1174514,1175729,1176116,1176129,1176134,1176232,1176256,1176257,1176258,1176259,1176262,1176389,1176785,1176977,1177120,1177127,1177559,1178168,1178341,1178670,1179491,1179562,1179630,1179805,1180125,1180781,1181126,1181324,1181944,1182066,1182211,1182244,1182264,1182331,1182333,1182379,1182963,1183059,1183374,1183858,1184505,1185588,1185706,1185748,1186738,1187045,1189521,1190781,1193357,356549,381844,394317,408865,428177,430141,431945,437293,442740,459468,489641,504687,509031,526319,590833,610223,610642,629905,637176,651003,657698,658604,670526,673071,693027,715423,720601,743787,747125,748738,749210,749213,749735,750618,751718,751946,751977,754447,754677,761500,774710,784670,784994,787526,793420,799119,802184,803004,809831,811890,822642,825221,828513,831629,832833,834601,835687,839107,84331,849377,855666,855676,856687,857203,857850,858239,867887,869945,871152,872299,873351,876282,876710,876712,876748,880891,885662,885882,889013,889363,892477,892480,895129,898917,901223,901277,901902,902364,906878,907584,908362,908372,912014,912015,912018,912292,912293,912294,912296,912460,913229,915479,917607,917759,917815,919648,920236,922448,922488,922496,922499,922500,926597,929678,929736,930189,931698,931978,933898,933911,934487,934489,934491,934493,935856,937085,937212,937492,937634,937912,939456,940608,942385,942751,943421,944204,945455,946648,947104,947357,947679,948198,952871,954256,954486,954690,957812,957813,957815,958501,961334,962291,963415,963974,964204,964472,964474,965830,967128,968046,968047,968048,968050,968265,968270,968374,968601,975875,976942,977584,977614,977615,977616,977663,978224,981848,982268,982575,983249,984323,985054,988086,990207,990392,990419,990428,991193,991877,992120,992988,992989,992992,993130,993819,993825,993968,994749,994844,994910,995075,995324,995359,995377,995959,996255,997043,997614,998190,999665,999666,999668
CVE References: CVE-2006-2937,CVE-2006-2940,CVE-2006-3738,CVE-2006-4339,CVE-2006-4343,CVE-2006-7250,CVE-2007-3108,CVE-2007-4995,CVE-2007-5135,CVE-2008-0891,CVE-2008-1672,CVE-2008-5077,CVE-2009-0590,CVE-2009-0591,CVE-2009-0789,CVE-2009-1377,CVE-2009-1378,CVE-2009-1379,CVE-2009-1386,CVE-2009-1387,CVE-2010-0740,CVE-2010-0742,CVE-2010-1633,CVE-2010-2939,CVE-2010-3864,CVE-2010-5298,CVE-2011-0014,CVE-2011-3207,CVE-2011-3210,CVE-2011-3389,CVE-2011-4108,CVE-2011-4576,CVE-2011-4577,CVE-2011-4619,CVE-2011-4944,CVE-2012-0027,CVE-2012-0050,CVE-2012-0845,CVE-2012-0884,CVE-2012-1150,CVE-2012-1165,CVE-2012-2110,CVE-2012-2686,CVE-2012-4929,CVE-2013-0166,CVE-2013-0169,CVE-2013-1752,CVE-2013-4238,CVE-2013-4314,CVE-2013-4353,CVE-2013-6449,CVE-2013-6450,CVE-2014-0012,CVE-2014-0076,CVE-2014-0160,CVE-2014-0195,CVE-2014-0198,CVE-2014-0221,CVE-2014-0224,CVE-2014-1829,CVE-2014-1830,CVE-2014-2667,CVE-2014-3470,CVE-2014-3505,CVE-2014-3506,CVE-2014-3507,CVE-2014-3508,CVE-2014-3509,CVE-2014-3510,CVE-2014-3511,CVE-2014-3512,CVE-2014-3513,CVE-2014-3566,CVE-2014-3567,CVE-2014-3568,CVE-2014-3570,CVE-2014-3571,CVE-2014-3572,CVE-2014-4650,CVE-2014-5139,CVE-2014-7202,CVE-2014-7203,CVE-2014-8275,CVE-2014-9721,CVE-2015-0204,CVE-2015-0205,CVE-2015-0206,CVE-2015-0209,CVE-2015-0286,CVE-2015-0287,CVE-2015-0288,CVE-2015-0289,CVE-2015-0293,CVE-2015-1788,CVE-2015-1789,CVE-2015-1790,CVE-2015-1791,CVE-2015-1792,CVE-2015-2296,CVE-2015-3194,CVE-2015-3195,CVE-2015-3196,CVE-2015-3197,CVE-2015-3216,CVE-2015-4000,CVE-2016-0702,CVE-2016-0705,CVE-2016-0797,CVE-2016-0798,CVE-2016-0799,CVE-2016-0800,CVE-2016-10745,CVE-2016-2105,CVE-2016-2106,CVE-2016-2107,CVE-2016-2109,CVE-2016-2176,CVE-2016-2177,CVE-2016-2178,CVE-2016-2179,CVE-2016-2180,CVE-2016-2181,CVE-2016-2182,CVE-2016-2183,CVE-2016-6302,CVE-2016-6303,CVE-2016-6304,CVE-2016-6306,CVE-2016-7052,CVE-2016-7055,CVE-2016-9015,CVE-2017-18342,CVE-2017-3731,CVE-2017-3732,CVE-2017-3735,CVE-2017-3736,CVE-2017-3737,CVE-2017-3738,CVE-2018-0732,CVE-2018-0734,CVE-2018-0737,CVE-2018-0739,CVE-2018-18074,CVE-2018-20060,CVE-2018-5407,CVE-2018-7750,CVE-2019-10906,CVE-2019-11236,CVE-2019-11324,CVE-2019-13132,CVE-2019-1547,CVE-2019-1551,CVE-2019-1559,CVE-2019-1563,CVE-2019-20907,CVE-2019-20916,CVE-2019-5010,CVE-2019-6250,CVE-2019-8341,CVE-2019-9740,CVE-2019-9947,CVE-2020-14343,CVE-2020-15166,CVE-2020-15523,CVE-2020-15801,CVE-2020-1747,CVE-2020-1971,CVE-2020-25659,CVE-2020-26137,CVE-2020-27783,CVE-2020-28493,CVE-2020-29651,CVE-2020-36242,CVE-2020-8492,CVE-2021-23336,CVE-2021-23840,CVE-2021-23841,CVE-2021-28957,CVE-2021-29921,CVE-2021-3177,CVE-2021-33503,CVE-2021-3426,CVE-2021-3712
JIRA References: ECO-3105,SLE-11435,SLE-12684,SLE-12986,SLE-13688,SLE-14253,SLE-15159,SLE-15860,SLE-15861,SLE-16754,SLE-17532,SLE-17957,SLE-18260,SLE-18354,SLE-18446,SLE-19264,SLE-3887,SLE-4480,SLE-4577,SLE-7686,SLE-9135
Sources used:
SUSE Manager Tools 12-BETA (src):    venv-salt-minion-3002.2-3.3.2

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.