salt: CVE-2015-6918: git module leaks authentication details into log


Debian Bug report logs - #803182


Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Tue, 27 Oct 2015 18:39:01 UTC

Severity: important

Tags: security, upstream

Found in version salt/2014.1.13+ds-1

Fixed in versions salt/2015.8.3+ds-1, salt/2015.8.1+ds-1

Done: Salvatore Bonaccorso <carnil@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Salt Team <pkg-salt-team@lists.alioth.debian.org>:
Bug#803182; Package src:salt. (Tue, 27 Oct 2015 18:39:05 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Salt Team <pkg-salt-team@lists.alioth.debian.org>. (Tue, 27 Oct 2015 18:39:05 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: salt: CVE-2015-6918: git module leaks authentication details into log
Date: Tue, 27 Oct 2015 19:37:41 +0100
Source: salt
Version: 2014.1.13+ds-1
Severity: important
Tags: security upstream

Hi,

the following vulnerability was published for salt.

CVE-2015-6918[0]:
git module leaks authentication details into log

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2015-6918
[1] https://github.com/saltstack/salt/commit/28aa9b105804ff433d8f663b2f9b804f2b75495a

Regards,
Salvatore



Reply sent to Benjamin Drung <benjamin.drung@profitbricks.com>:
You have taken responsibility. (Wed, 09 Dec 2015 12:48:05 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Wed, 09 Dec 2015 12:48:05 GMT)


Message #10 received at 803182-done@bugs.debian.org:

From: Benjamin Drung <benjamin.drung@profitbricks.com>
To: 803182-done@bugs.debian.org
Subject: salt: CVE-2015-6918: git module leaks authentication details into log
Date: Wed, 09 Dec 2015 13:45:21 +0100
Version: 2015.8.1+ds-1

The security bug was fixed upstream in release 2015.5.5 and thus the
fix was part of the next Debian upload 2015.8.1+ds-1

-- 
Benjamin Drung
System Developer
Debian & Ubuntu Developer

ProfitBricks GmbH
Greifswalder Str. 207
D - 10405 Berlin

Email: benjamin.drung@profitbricks.com
URL:  http://www.profitbricks.com

Registered office: Berlin.
Register court: Amtsgericht Charlottenburg, HRB 125506B.
Managing directors: Andreas Gauger, Achim Weiss.





Information forwarded to debian-bugs-dist@lists.debian.org, Debian Salt Team <pkg-salt-team@lists.alioth.debian.org>:
Bug#803182; Package src:salt. (Wed, 09 Dec 2015 21:18:03 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Salt Team <pkg-salt-team@lists.alioth.debian.org>. (Wed, 09 Dec 2015 21:18:03 GMT)


Message #15 received at 803182@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: 803182@bugs.debian.org
Subject: Re: Bug#803182 closed by Benjamin Drung <benjamin.drung@profitbricks.com> (salt: CVE-2015-6918: git module leaks authentication details into log)
Date: Wed, 9 Dec 2015 22:15:00 +0100
Control: found -1 2015.8.1+ds-1
Control: fixed -1 2015.8.3+ds-1

> Version: 2015.8.1+ds-1
> 
> The security bug was fixed upstream in release 2015.5.5 and thus the
> fix was part of the next Debian upload 2015.8.1+ds-1

Checking the debdiffs, it looks like the fix was actually only in
2015.8.3+ds-1 but not in 2015.8.1+ds-1. Thus adjusting the fixed
version.

Regards,
Salvatore



Marked as found in versions salt/2015.8.1+ds-1 and reopened. Request was from Salvatore Bonaccorso <carnil@debian.org> to 803182-submit@bugs.debian.org. (Wed, 09 Dec 2015 21:18:03 GMT)


Marked as fixed in versions salt/2015.8.3+ds-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to 803182-submit@bugs.debian.org. (Wed, 09 Dec 2015 21:18:04 GMT)


No longer marked as fixed in versions 2015.8.1+ds-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Wed, 09 Dec 2015 21:21:08 GMT)


Marked Bug as done. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Wed, 09 Dec 2015 21:21:12 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Wed, 09 Dec 2015 21:21:13 GMT)


Message sent on to Salvatore Bonaccorso <carnil@debian.org>:
Bug#803182. (Wed, 09 Dec 2015 21:21:15 GMT)


Message #28 received at 803182-submitter@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: control@bugs.debian.org
Cc: 803182-submitter@bugs.debian.org
Subject: closing 803182
Date: Wed, 09 Dec 2015 22:20:26 +0100
close 803182 2015.8.3+ds-1
thanks




Information forwarded to debian-bugs-dist@lists.debian.org, Debian Salt Team <pkg-salt-team@lists.alioth.debian.org>:
Bug#803182; Package src:salt. (Thu, 10 Dec 2015 11:39:11 GMT)


Acknowledgement sent to Benjamin Drung <benjamin.drung@profitbricks.com>:
Extra info received and forwarded to list. Copy sent to Debian Salt Team <pkg-salt-team@lists.alioth.debian.org>. (Thu, 10 Dec 2015 11:39:11 GMT)


Message #33 received at 803182@bugs.debian.org:

From: Benjamin Drung <benjamin.drung@profitbricks.com>
To: Salvatore Bonaccorso <carnil@debian.org>, 803182@bugs.debian.org
Subject: Re: [Pkg-salt-team] Bug#803182: closed by Benjamin Drung <benjamin.drung@profitbricks.com> (salt: CVE-2015-6918: git module leaks authentication details into log)
Date: Thu, 10 Dec 2015 12:37:06 +0100
On Wednesday, 09.12.2015, 22:15 +0100, Salvatore Bonaccorso wrote:
> Control: found -1 2015.8.1+ds-1
> Control: fixed -1 2015.8.3+ds-1
> 
> > Version: 2015.8.1+ds-1
> > 
> > The security bug was fixed upstream in release 2015.5.5 and thus
> > the
> > fix was part of the next Debian upload 2015.8.1+ds-1
> 
> Checking the debdiffs, it looks like the fix was actually only in
> 2015.8.3+ds-1 but not in 2015.8.1+ds-1. Thus adjusting the fixed
> version.

Really? 2015.8.1+ds-1 already uses redact_http_basic_auth() in
_git_run() for stderr:

                msg = 'Command \'{0}\' failed'.format(
                    salt.utils.url.redact_http_basic_auth(gitcommand)
                )
                if result['stderr']:
                    msg += ': {0}'.format(
                        salt.utils.url.redact_http_basic_auth(result['stderr'])
                    )
                raise CommandExecutionError(msg)

-- 
Benjamin Drung
System Developer
Debian & Ubuntu Developer

ProfitBricks GmbH
Greifswalder Str. 207
D - 10405 Berlin

Email: benjamin.drung@profitbricks.com
URL:  http://www.profitbricks.com

Registered office: Berlin.
Register court: Amtsgericht Charlottenburg, HRB 125506B.
Managing directors: Andreas Gauger, Achim Weiss.





Information forwarded to debian-bugs-dist@lists.debian.org, Debian Salt Team <pkg-salt-team@lists.alioth.debian.org>:
Bug#803182; Package src:salt. (Thu, 10 Dec 2015 19:45:04 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Salt Team <pkg-salt-team@lists.alioth.debian.org>. (Thu, 10 Dec 2015 19:45:04 GMT)


Message #38 received at 803182@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Benjamin Drung <benjamin.drung@profitbricks.com>
Cc: 803182@bugs.debian.org
Subject: Re: [Pkg-salt-team] Bug#803182: closed by Benjamin Drung <benjamin.drung@profitbricks.com> (salt: CVE-2015-6918: git module leaks authentication details into log)
Date: Thu, 10 Dec 2015 20:41:41 +0100
Hi Benjamin,

On Thu, Dec 10, 2015 at 12:37:06PM +0100, Benjamin Drung wrote:
> On Wednesday, 09.12.2015, 22:15 +0100, Salvatore Bonaccorso wrote:
> > Control: found -1 2015.8.1+ds-1
> > Control: fixed -1 2015.8.3+ds-1
> > 
> > > Version: 2015.8.1+ds-1
> > > 
> > > The security bug was fixed upstream in release 2015.5.5 and thus
> > > the
> > > fix was part of the next Debian upload 2015.8.1+ds-1
> > 
> > Checking the debdiffs, it looks like the fix was actually only in
> > 2015.8.3+ds-1 but not in 2015.8.1+ds-1. Thus adjusting the fixed
> > version.
> 
> Really? 2015.8.1+ds-1 already uses redact_http_basic_auth() in
> _git_run() for stderr:
> 
>                 msg = 'Command \'{0}\' failed'.format(
>                     salt.utils.url.redact_http_basic_auth(gitcommand)
>                 )
>                 if result['stderr']:
>                     msg += ': {0}'.format(
>                         salt.utils.url.redact_http_basic_auth(result['stderr'])
>                     )
>                 raise CommandExecutionError(msg)

Hmm, I will recheck then, sorry for the noise. What I did was to check
the debdiff between 2015.8.1+ds-1 and 2015.8.3+ds-1 and looked that
the relevant commit was only included there.

Can recheck, in any case thanks for the new upstream version which
fixes as well another CVE!

Regards,
Salvatore



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Salt Team <pkg-salt-team@lists.alioth.debian.org>:
Bug#803182; Package src:salt. (Thu, 10 Dec 2015 20:12:03 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Salt Team <pkg-salt-team@lists.alioth.debian.org>. (Thu, 10 Dec 2015 20:12:03 GMT)


Message #43 received at 803182@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: 803182@bugs.debian.org
Cc: Benjamin Drung <benjamin.drung@profitbricks.com>
Subject: Re: Bug#803182: [Pkg-salt-team] Bug#803182: closed by Benjamin Drung <benjamin.drung@profitbricks.com> (salt: CVE-2015-6918: git module leaks authentication details into log)
Date: Thu, 10 Dec 2015 21:09:33 +0100
Control: fixed -1 2015.8.1+ds-1

Hey Benjamin,

On Thu, Dec 10, 2015 at 08:41:41PM +0100, Salvatore Bonaccorso wrote:
> Hi Benjamin,
> 
> On Thu, Dec 10, 2015 at 12:37:06PM +0100, Benjamin Drung wrote:
> > On Wednesday, 09.12.2015, 22:15 +0100, Salvatore Bonaccorso wrote:
> > > Control: found -1 2015.8.1+ds-1
> > > Control: fixed -1 2015.8.3+ds-1
> > > 
> > > > Version: 2015.8.1+ds-1
> > > > 
> > > > The security bug was fixed upstream in release 2015.5.5 and thus
> > > > the
> > > > fix was part of the next Debian upload 2015.8.1+ds-1
> > > 
> > > Checking the debdiffs, it looks like the fix was actually only in
> > > 2015.8.3+ds-1 but not in 2015.8.1+ds-1. Thus adjusting the fixed
> > > version.
> > 
> > Really? 2015.8.1+ds-1 already uses redact_http_basic_auth() in
> > _git_run() for stderr:
> > 
> >                 msg = 'Command \'{0}\' failed'.format(
> >                     salt.utils.url.redact_http_basic_auth(gitcommand)
> >                 )
> >                 if result['stderr']:
> >                     msg += ': {0}'.format(
> >                         salt.utils.url.redact_http_basic_auth(result['stderr'])
> >                     )
> >                 raise CommandExecutionError(msg)
> 
> Hmm, I will recheck then, sorry for the noise. What I did was to check
> the debdiff between 2015.8.1+ds-1 and 2015.8.3+ds-1 and looked that
> the relevant commit was only included there.
> 
> Can recheck, in any case thanks for the new upstream version which
> fixes as well another CVE!

You are right, apologies for my previous error in checking for the
fix.

Regards,
Salvatore



Marked as fixed in versions salt/2015.8.1+ds-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to 803182-submit@bugs.debian.org. (Thu, 10 Dec 2015 20:12:03 GMT)


No longer marked as found in versions salt/2015.8.1+ds-1. Request was from Andreas Beckmann <anbe@debian.org> to control@bugs.debian.org. (Thu, 14 Jan 2016 17:03:17 GMT)


Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 27 Mar 2016 07:31:40 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 15:21:54 2019; Machine Name: beach
