salt: CVE-2015-8034: Saving state.sls cache data to disk with insecure permissions

Related Vulnerabilities: CVE-2015-8034  

Debian Bug report logs - #807356
salt: CVE-2015-8034: Saving state.sls cache data to disk with insecure permissions


Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Mon, 7 Dec 2015 20:45:01 UTC

Severity: important

Tags: patch, security, upstream

Found in versions salt/2014.1.13+ds-3, salt/2015.8.1+ds-2, salt/2014.1.13+ds-1

Fixed in version salt/2015.8.3+ds-1

Done: Benjamin Drung <benjamin.drung@profitbricks.com>

Bug is archived. No further changes may be made.

Forwarded to https://github.com/saltstack/salt/issues/28455



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Salt Team <pkg-salt-team@lists.alioth.debian.org>:
Bug#807356; Package src:salt. (Mon, 07 Dec 2015 20:45:05 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Salt Team <pkg-salt-team@lists.alioth.debian.org>. (Mon, 07 Dec 2015 20:45:05 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: salt: CVE-2015-8034: Saving state.sls cache data to disk with insecure permissions
Date: Mon, 07 Dec 2015 21:41:29 +0100
Source: salt
Version: 2015.8.1+ds-2
Severity: important
Tags: security upstream patch
Forwarded: https://github.com/saltstack/salt/issues/28455

Hi,

the following vulnerability was published for salt.

CVE-2015-8034[0]:
information leak from state.sls cache data stored as world-readable

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2015-8034
[1] https://github.com/saltstack/salt/issues/28455
[2] https://github.com/cachedout/salt/commit/097838ec0c52b1e96f7f761e5fb3cd7e79808741

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
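The defect class named in this report, a cache file that ends up world-readable because it is written with the process's default permissions, and its hardened counterpart, shown as an added example. This is not Salt's code and not the upstream fix linked above; the function names, the file names and the constructed sample data are assumptions, and the real cache directory of a deployment is a placeholder since the report gives no path. `find_world_readable()` is the audit a defender would run over an existing cache directory.

```python
import os
import stat
import tempfile


def write_cache_insecure(path, data):
    """Vulnerable pattern: a plain open() creates the file with mode
    0o666 masked by the process umask. Under the common umask 022 the
    result is 0o644, so any local user can read the cached state data."""
    with open(path, "wb") as fp:
        fp.write(data)


def write_cache_private(path, data):
    """Hardened pattern: pass an explicit 0o600 mode to os.open() so the
    file is owner-only from the moment it is created (no window in which
    another user could open it). The umask can only tighten that mode,
    never loosen it. chmod() afterwards covers a pre-existing file, which
    os.open() would reuse without changing its mode."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "wb") as fp:
        fp.write(data)
    os.chmod(path, 0o600)


def is_world_readable(path):
    """True when the 'other' read bit is set on the file."""
    return bool(os.stat(path).st_mode & stat.S_IROTH)


def find_world_readable(directory):
    """Defender's audit: list every file under `directory` that other
    users can read. Point it at the real cache directory of a deployment
    (a placeholder here; the bug report gives no path)."""
    hits = []
    for root, _dirs, files in os.walk(directory):
        for name in files:
            full = os.path.join(root, name)
            if is_world_readable(full):
                hits.append(full)
    return sorted(hits)


def demo():
    """Write the same constructed secret both ways into a throwaway
    directory and report what the audit finds. Returns a dict so the
    result can be checked rather than only printed."""
    old_umask = os.umask(0o022)  # the usual default; makes the demo deterministic
    try:
        with tempfile.TemporaryDirectory() as cache_dir:
            leaky = os.path.join(cache_dir, "state_cache_leaky.p")      # constructed name
            private = os.path.join(cache_dir, "state_cache_private.p")  # constructed name
            secret = b"constructed sample: data that must stay owner-readable"
            write_cache_insecure(leaky, secret)
            write_cache_private(private, secret)
            return {
                "insecure_is_world_readable": is_world_readable(leaky),
                "private_is_world_readable": is_world_readable(private),
                "world_readable_basenames": [
                    os.path.basename(p) for p in find_world_readable(cache_dir)
                ],
            }
    finally:
        os.umask(old_umask)


if __name__ == "__main__":
    print(demo())
```

The important design point is that the mode is supplied at creation time rather than fixed up with a later `chmod()` alone: a file created as 0o644 and chmod'ed afterwards is readable by other users for the interval in between, and a crash in that interval leaves it readable for good.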



Reply sent to Benjamin Drung <benjamin.drung@profitbricks.com>:
You have taken responsibility. (Wed, 09 Dec 2015 12:57:10 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Wed, 09 Dec 2015 12:57:10 GMT)


Message #10 received at 807356-close@bugs.debian.org:

From: Benjamin Drung <benjamin.drung@profitbricks.com>
To: 807356-close@bugs.debian.org
Subject: Bug#807356: fixed in salt 2015.8.3+ds-1
Date: Wed, 09 Dec 2015 12:55:28 +0000
Source: salt
Source-Version: 2015.8.3+ds-1

We believe that the bug you reported is fixed in the latest version of
salt, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 807356@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Benjamin Drung <benjamin.drung@profitbricks.com> (supplier of updated salt package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Wed, 09 Dec 2015 12:14:33 +0100
Source: salt
Binary: salt-common salt-master salt-minion salt-syndic salt-ssh salt-doc salt-cloud salt-api salt-proxy
Architecture: source all
Version: 2015.8.3+ds-1
Distribution: unstable
Urgency: high
Maintainer: Debian Salt Team <pkg-salt-team@lists.alioth.debian.org>
Changed-By: Benjamin Drung <benjamin.drung@profitbricks.com>
Description:
 salt-api   - Generic, modular network access system
 salt-cloud - public cloud VM management system
 salt-common - shared libraries that salt requires for all packages
 salt-doc   - additional documentation for salt, the distributed remote executi
 salt-master - remote manager to administer servers via salt
 salt-minion - client package for salt, the distributed remote execution system
 salt-proxy - Proxy client package for salt stack
 salt-ssh   - remote manager to administer servers via Salt SSH
 salt-syndic - master-of-masters for salt, the distributed remote execution syst
Closes: 806786 807356
Changes:
 salt (2015.8.3+ds-1) unstable; urgency=high
 .
   * New upstream release.
     - CVE-2015-8034: Fix information leak from state.sls cache data stored as
       world-readable (Closes: #807356)
   * Drop Fix-OS-related-grains-on-Debian.patch (accepted upstream)
   * Use upstream systemd service files (Closes: #806786)
   * Extend description of salt-cloud
Checksums-Sha1:
 d0dff592a77f5be2bc55f94765ece6bf39e4ba1b 2580 salt_2015.8.3+ds-1.dsc
 b88d53a55d0c9a015ad63a17eb13bac793affe62 4244872 salt_2015.8.3+ds.orig.tar.xz
 3f4da34767d07a5bd33243a73530bdd3b5d4a68f 26156 salt_2015.8.3+ds-1.debian.tar.xz
 07b813dd08b5df6c3b7685e00097db1f88ff1c69 21764 salt-api_2015.8.3+ds-1_all.deb
 16c022171d0143d3e615f036ece16be6b968d715 23228 salt-cloud_2015.8.3+ds-1_all.deb
 c8bf2fdd2f624cb043a65bdde9688a9d7d38e2e8 3044014 salt-common_2015.8.3+ds-1_all.deb
 4bac2dede60d3b8672bf8933a5feef2ae529a941 3231066 salt-doc_2015.8.3+ds-1_all.deb
 a785f815969aed023db347f4fd634f43224bca55 42394 salt-master_2015.8.3+ds-1_all.deb
 8c8aceb9661a35b2eb9dfae6b3b8e2350085a88d 31152 salt-minion_2015.8.3+ds-1_all.deb
 ed15896091d4d97ccd9e02743ca9c0715ea8d60e 20556 salt-proxy_2015.8.3+ds-1_all.deb
 44e5668df7f9407498e507b5ca413a91bc744153 22010 salt-ssh_2015.8.3+ds-1_all.deb
 b65c44c532d3d9892bd8d48c417a9dbe1fb20666 22060 salt-syndic_2015.8.3+ds-1_all.deb
Checksums-Sha256:
 3ebcf8eb2b42b44f3ce264df96ef6718d38b119dbd7fb67a1dad560fc4eacf1d 2580 salt_2015.8.3+ds-1.dsc
 72fa59e15bc8c4d8cdd9ce494c669d6d378b425cf0cf638e74b134a15deec7d1 4244872 salt_2015.8.3+ds.orig.tar.xz
 c004278d3166d1266f0c7245ad0628cc07ade00828fd1f1a1a4933e2c84647bf 26156 salt_2015.8.3+ds-1.debian.tar.xz
 c78f593278b63dc832947a8e9bd6723c6ce30861a5079e884e0df5a1ea4ce3bb 21764 salt-api_2015.8.3+ds-1_all.deb
 a0c825eec67ee6d08651cbef580d151b8536c007810cbff975ae06e092b35214 23228 salt-cloud_2015.8.3+ds-1_all.deb
 6edfc4992ce380f0165d9357d351aeb0ca4a5bd92b5cb6619dece807b2989b36 3044014 salt-common_2015.8.3+ds-1_all.deb
 c9dc59b7417a8dc12066c53e36dbe46a9b60fc31641ddb406239744ccd7896f0 3231066 salt-doc_2015.8.3+ds-1_all.deb
 798ec2e8f3aae9eb1e33bb7cd4af38295ec54b4ae1948a0c6e5d575081b66058 42394 salt-master_2015.8.3+ds-1_all.deb
 07fa800a5581516cba80a129c70cccd9eee63b4cbbafa0daaf12e02f669f030c 31152 salt-minion_2015.8.3+ds-1_all.deb
 673a3a5976d10143bcdc2cf0067749fbd6daa03857d713cdd4d8880b7730f83d 20556 salt-proxy_2015.8.3+ds-1_all.deb
 32e9f1520f4ba9b11fec77aa0d2c640473257c41a36f676bf69ebd4111a6f476 22010 salt-ssh_2015.8.3+ds-1_all.deb
 e744234584615b0918caa80fe2fe19fb2c3e162cfe7c8af4bbe17851702bb3cf 22060 salt-syndic_2015.8.3+ds-1_all.deb
Files:
 a35c3e32aaa524a64696b19c54e78963 2580 admin extra salt_2015.8.3+ds-1.dsc
 6b4e73dbd98c5cba12f371dcce59bddc 4244872 admin extra salt_2015.8.3+ds.orig.tar.xz
 639ee21489a3af88b72fc6060c22dd42 26156 admin extra salt_2015.8.3+ds-1.debian.tar.xz
 e4a9d949fb9b972fdad225ca698636f0 21764 admin extra salt-api_2015.8.3+ds-1_all.deb
 e528a12d97e08b07bb6719023c602d5b 23228 admin extra salt-cloud_2015.8.3+ds-1_all.deb
 5b8d3bbaee56e982621db205e44818c4 3044014 admin extra salt-common_2015.8.3+ds-1_all.deb
 2cebf248a202569a792c287a0f44e559 3231066 doc extra salt-doc_2015.8.3+ds-1_all.deb
 45ae37f14158a91a7bbe64d89fcbb5c2 42394 admin extra salt-master_2015.8.3+ds-1_all.deb
 3914abad25cc253dffae77c075f9762b 31152 admin extra salt-minion_2015.8.3+ds-1_all.deb
 aaf1891060fdb295886ebd8b3a703889 20556 admin extra salt-proxy_2015.8.3+ds-1_all.deb
 8910beae9ae896032a44c16a2b96fa4f 22010 admin extra salt-ssh_2015.8.3+ds-1_all.deb
 11eaa51309c8a9bf5680ffe7f92d670d 22060 admin extra salt-syndic_2015.8.3+ds-1_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
-----END PGP SIGNATURE-----




Marked as found in versions salt/2014.1.13+ds-3. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sun, 03 Jan 2016 10:06:03 GMT)


Marked as found in versions salt/2014.1.13+ds-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sun, 03 Jan 2016 10:15:06 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Debian Salt Team <pkg-salt-team@lists.alioth.debian.org>:
Bug#807356; Package src:salt. (Wed, 09 Mar 2016 17:36:04 GMT)


Message #17 received at 807356@bugs.debian.org:

From: "Leroy Sargent" <leroy.sargent@stellpro.ru>
To: 807356@bugs.debian.org
Subject: FW: Your invoice #04898
Date: Wed, 9 Mar 2016 20:33:17 +0300
[Message part 1 (text/plain, inline)]
Dear Customer,

Invoice you requested is in attachment, please check it!

Thank you for choosing our company!

Leroy Sargent,
Account Manager

[Document_04898.zip (application/zip, attachment)]

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Thu, 05 May 2016 07:31:20 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 18:31:26 2019; Machine Name: beach
