Debian Bug report logs - #803182
salt: CVE-2015-6918: git module leaks authentication details into log
Reported by: Salvatore Bonaccorso <carnil@debian.org>
Date: Tue, 27 Oct 2015 18:39:01 UTC
Severity: important
Tags: security, upstream
Found in version salt/2014.1.13+ds-1
Fixed in versions salt/2015.8.3+ds-1, salt/2015.8.1+ds-1
Done: Salvatore Bonaccorso <carnil@debian.org>
Bug is archived. No further changes may be made.
Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Salt Team <pkg-salt-team@lists.alioth.debian.org>: Bug#803182; Package src:salt. (Tue, 27 Oct 2015 18:39:05 GMT) (full text, mbox, link).
Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>: New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Salt Team <pkg-salt-team@lists.alioth.debian.org>. (Tue, 27 Oct 2015 18:39:05 GMT) (full text, mbox, link).
Message #5 received at submit@bugs.debian.org (full text, mbox, reply):
Source: salt
Version: 2014.1.13+ds-1
Severity: important
Tags: security upstream
Hi,
the following vulnerability was published for salt.
CVE-2015-6918[0]:
git module leaks authentication details into log
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2015-6918
[1] https://github.com/saltstack/salt/commit/28aa9b105804ff433d8f663b2f9b804f2b75495a
Regards,
Salvatore
Reply sent to Benjamin Drung <benjamin.drung@profitbricks.com>: You have taken responsibility. (Wed, 09 Dec 2015 12:48:05 GMT) (full text, mbox, link).
Notification sent to Salvatore Bonaccorso <carnil@debian.org>: Bug acknowledged by developer. (Wed, 09 Dec 2015 12:48:05 GMT) (full text, mbox, link).
Message #10 received at 803182-done@bugs.debian.org (full text, mbox, reply):
Version: 2015.8.1+ds-1
The security bug was fixed upstream in release 2015.5.5 and thus the
fix was part of the next Debian upload 2015.8.1+ds-1
--
Benjamin Drung
System Developer
Debian & Ubuntu Developer
ProfitBricks GmbH
Greifswalder Str. 207
D - 10405 Berlin
Email: benjamin.drung@profitbricks.com
URL: http://www.profitbricks.com
Registered office: Berlin.
Register court: Amtsgericht Charlottenburg, HRB 125506B.
Managing directors: Andreas Gauger, Achim Weiss.
Information forwarded to debian-bugs-dist@lists.debian.org, Debian Salt Team <pkg-salt-team@lists.alioth.debian.org>: Bug#803182; Package src:salt. (Wed, 09 Dec 2015 21:18:03 GMT) (full text, mbox, link).
Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>: Extra info received and forwarded to list. Copy sent to Debian Salt Team <pkg-salt-team@lists.alioth.debian.org>. (Wed, 09 Dec 2015 21:18:03 GMT) (full text, mbox, link).
Message #15 received at 803182@bugs.debian.org (full text, mbox, reply):
Control: found -1 2015.8.1+ds-1
Control: fixed -1 2015.8.3+ds-1
> Version: 2015.8.1+ds-1
>
> The security bug was fixed upstream in release 2015.5.5 and thus the
> fix was part of the next Debian upload 2015.8.1+ds-1
Checking the debdiffs it looks the fix was actually only in
2015.8.3+ds-1 but not in 2015.8.1+ds-1. Adjusting thus the fixed
version.
Regards,
Salvatore
Marked as found in versions salt/2015.8.1+ds-1 and reopened. Request was from Salvatore Bonaccorso <carnil@debian.org> to 803182-submit@bugs.debian.org. (Wed, 09 Dec 2015 21:18:03 GMT) (full text, mbox, link).
Marked as fixed in versions salt/2015.8.3+ds-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to 803182-submit@bugs.debian.org. (Wed, 09 Dec 2015 21:18:04 GMT) (full text, mbox, link).
No longer marked as fixed in versions 2015.8.1+ds-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Wed, 09 Dec 2015 21:21:08 GMT) (full text, mbox, link).
Marked Bug as done. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Wed, 09 Dec 2015 21:21:12 GMT) (full text, mbox, link).
Notification sent to Salvatore Bonaccorso <carnil@debian.org>: Bug acknowledged by developer. (Wed, 09 Dec 2015 21:21:13 GMT) (full text, mbox, link).
Message sent on to Salvatore Bonaccorso <carnil@debian.org>: Bug#803182. (Wed, 09 Dec 2015 21:21:15 GMT) (full text, mbox, link).
Message #28 received at 803182-submitter@bugs.debian.org (full text, mbox, reply):
close 803182 2015.8.3+ds-1
thanks
Information forwarded to debian-bugs-dist@lists.debian.org, Debian Salt Team <pkg-salt-team@lists.alioth.debian.org>: Bug#803182; Package src:salt. (Thu, 10 Dec 2015 11:39:11 GMT) (full text, mbox, link).
Acknowledgement sent to Benjamin Drung <benjamin.drung@profitbricks.com>: Extra info received and forwarded to list. Copy sent to Debian Salt Team <pkg-salt-team@lists.alioth.debian.org>. (Thu, 10 Dec 2015 11:39:11 GMT) (full text, mbox, link).
Message #33 received at 803182@bugs.debian.org (full text, mbox, reply):
On Wednesday, 09.12.2015, 22:15 +0100, Salvatore Bonaccorso wrote:
> Control: found -1 2015.8.1+ds-1
> Control: fixed -1 2015.8.3+ds-1
>
> > Version: 2015.8.1+ds-1
> >
> > The security bug was fixed upstream in release 2015.5.5 and thus
> > the
> > fix was part of the next Debian upload 2015.8.1+ds-1
>
> Checking the debdiffs it looks the fix was actually only in
> 2015.8.3+ds-1 but not in 2015.8.1+ds-1. Adjusting thus the fixed
> version.
Really? 2015.8.1+ds-1 already uses redact_http_basic_auth() in
_git_run() for stderr:
        msg = 'Command \'{0}\' failed'.format(
            salt.utils.url.redact_http_basic_auth(gitcommand)
        )
        if result['stderr']:
            msg += ': {0}'.format(
                salt.utils.url.redact_http_basic_auth(result['stderr'])
            )
        raise CommandExecutionError(msg)
--
Benjamin Drung
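The exchange above turns on one point: in the fixed git module both the git command line and git's stderr pass through salt.utils.url.redact_http_basic_auth() before they reach a CommandExecutionError (and from there the minion log). The following stand-alone Python is an added illustration of that pattern, not Salt's own code; redact_credentials() is an assumed stand-in for Salt's redactor, and the git command and stderr text are constructed samples.

```python
import re

# Matches the userinfo part of an http(s) URL: scheme://user:password@host
# Assumed stand-in for salt.utils.url.redact_http_basic_auth(); not Salt's code.
_BASIC_AUTH_RE = re.compile(r'(https?://)[^/@\s]+:[^/@\s]*@', re.IGNORECASE)


def redact_credentials(text):
    """Replace 'user:password@' in every http(s) URL inside text with 'xxx:xxx@'.

    Host:port without an '@' is left untouched, so 'https://host:8080/' survives.
    """
    return _BASIC_AUTH_RE.sub(r'\1xxx:xxx@', text)


class CommandExecutionError(Exception):
    """Placeholder for salt.exceptions.CommandExecutionError."""


def build_failure_message(gitcommand, result, redact=True):
    """Build the error text for a failed git run.

    redact=False reproduces the leaky pre-fix behaviour (CVE-2015-6918): the
    raw command line and stderr, credentials included, end up in the message.
    redact=True mirrors the fixed _git_run() error path quoted in this bug.
    """
    scrub = redact_credentials if redact else (lambda s: s)
    msg = "Command '{0}' failed".format(scrub(gitcommand))
    if result.get('stderr'):
        msg += ': {0}'.format(scrub(result['stderr']))
    return msg


if __name__ == '__main__':
    # Constructed sample: an HTTPS clone with credentials embedded in the URL,
    # and a constructed stderr line in which git echoes the remote URL back.
    cmd = 'git clone https://deploy:s3cr3t@git.example.invalid/repo.git /srv/repo'
    result = {'retcode': 128,
              'stderr': "fatal: unable to access "
                        "'https://deploy:s3cr3t@git.example.invalid/repo.git/': "
                        "Could not resolve host"}
    leaky = build_failure_message(cmd, result, redact=False)
    fixed = build_failure_message(cmd, result)
    assert 's3cr3t' in leaky and 's3cr3t' not in fixed
    try:
        raise CommandExecutionError(fixed)
    except CommandExecutionError as exc:
        print(exc)  # safe to log: credentials appear as xxx:xxx
```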
Information forwarded to debian-bugs-dist@lists.debian.org, Debian Salt Team <pkg-salt-team@lists.alioth.debian.org>: Bug#803182; Package src:salt. (Thu, 10 Dec 2015 19:45:04 GMT) (full text, mbox, link).
Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>: Extra info received and forwarded to list. Copy sent to Debian Salt Team <pkg-salt-team@lists.alioth.debian.org>. (Thu, 10 Dec 2015 19:45:04 GMT) (full text, mbox, link).
Message #38 received at 803182@bugs.debian.org (full text, mbox, reply):
Hi Benjamin,
On Thu, Dec 10, 2015 at 12:37:06PM +0100, Benjamin Drung wrote:
> On Wednesday, 09.12.2015, 22:15 +0100, Salvatore Bonaccorso wrote:
> > Control: found -1 2015.8.1+ds-1
> > Control: fixed -1 2015.8.3+ds-1
> >
> > > Version: 2015.8.1+ds-1
> > >
> > > The security bug was fixed upstream in release 2015.5.5 and thus
> > > the
> > > fix was part of the next Debian upload 2015.8.1+ds-1
> >
> > Checking the debdiffs it looks the fix was actually only in
> > 2015.8.3+ds-1 but not in 2015.8.1+ds-1. Adjusting thus the fixed
> > version.
>
> Really? 2015.8.1+ds-1 already uses redact_http_basic_auth() in
> _git_run() for stderr:
>
> msg = 'Command \'{0}\' failed'.format(
>     salt.utils.url.redact_http_basic_auth(gitcommand)
> )
> if result['stderr']:
>     msg += ': {0}'.format(
>         salt.utils.url.redact_http_basic_auth(result['stderr'])
>     )
> raise CommandExecutionError(msg)
Hmm, I will recheck then, sorry for the noise. What I did was to check
the debdiff between 2015.8.1+ds-1 and 2015.8.3+ds-1 and looked that
the relevant commit was only included there.
Can recheck, in any case thanks for the new upstream version which
fixes as well another CVE!
Regards,
Salvatore
Information forwarded to debian-bugs-dist@lists.debian.org, Debian Salt Team <pkg-salt-team@lists.alioth.debian.org>: Bug#803182; Package src:salt. (Thu, 10 Dec 2015 20:12:03 GMT) (full text, mbox, link).
Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>: Extra info received and forwarded to list. Copy sent to Debian Salt Team <pkg-salt-team@lists.alioth.debian.org>. (Thu, 10 Dec 2015 20:12:03 GMT) (full text, mbox, link).
Message #43 received at 803182@bugs.debian.org (full text, mbox, reply):
Control: fixed -1 2015.8.1+ds-1
Hey Benjamin,
On Thu, Dec 10, 2015 at 08:41:41PM +0100, Salvatore Bonaccorso wrote:
> Hi Benjamin,
>
> On Thu, Dec 10, 2015 at 12:37:06PM +0100, Benjamin Drung wrote:
> > On Wednesday, 09.12.2015, 22:15 +0100, Salvatore Bonaccorso wrote:
> > > Control: found -1 2015.8.1+ds-1
> > > Control: fixed -1 2015.8.3+ds-1
> > >
> > > > Version: 2015.8.1+ds-1
> > > >
> > > > The security bug was fixed upstream in release 2015.5.5 and thus
> > > > the
> > > > fix was part of the next Debian upload 2015.8.1+ds-1
> > >
> > > Checking the debdiffs it looks the fix was actually only in
> > > 2015.8.3+ds-1 but not in 2015.8.1+ds-1. Adjusting thus the fixed
> > > version.
> >
> > Really? 2015.8.1+ds-1 already uses redact_http_basic_auth() in
> > _git_run() for stderr:
> >
> > msg = 'Command \'{0}\' failed'.format(
> >     salt.utils.url.redact_http_basic_auth(gitcommand)
> > )
> > if result['stderr']:
> >     msg += ': {0}'.format(
> >         salt.utils.url.redact_http_basic_auth(result['stderr'])
> >     )
> > raise CommandExecutionError(msg)
>
> Hmm, I will recheck then, sorry for the noise. What I did was to check
> the debdiff between 2015.8.1+ds-1 and 2015.8.3+ds-1 and looked that
> the relevant commit was only included there.
>
> Can recheck, in any case thanks for the new upstream version which
> fixes as well another CVE!
You are right, apologies for my previous error in checking for the
fix.
Regards,
Salvatore
Marked as fixed in versions salt/2015.8.1+ds-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to 803182-submit@bugs.debian.org. (Thu, 10 Dec 2015 20:12:03 GMT) (full text, mbox, link).
No longer marked as found in versions salt/2015.8.1+ds-1. Request was from Andreas Beckmann <anbe@debian.org> to control@bugs.debian.org. (Thu, 14 Jan 2016 17:03:17 GMT) (full text, mbox, link).
Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 27 Mar 2016 07:31:40 GMT) (full text, mbox, link).
Last modified: Wed Jun 19 15:21:54 2019