Debian Bug report logs - #879089
salt: CVE-2017-14695: Directory traversal in minion id validation

Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Thu, 19 Oct 2017 08:03:01 UTC

Severity: important

Tags: security, upstream

Found in version salt/2016.11.5+ds-1

Fixed in version salt/2016.11.8+dfsg1-1

Done: Ondřej Nový <onovy@debian.org>

Bug is archived. No further changes may be made.


Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Salt Team <pkg-salt-team@lists.alioth.debian.org>:
Bug#879089; Package src:salt. (Thu, 19 Oct 2017 08:03:04 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Salt Team <pkg-salt-team@lists.alioth.debian.org>. (Thu, 19 Oct 2017 08:03:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: salt: CVE-2017-14695: Directory traversal in minion id validation
Date: Thu, 19 Oct 2017 09:59:45 +0200
Source: salt
Version: 2016.11.5+ds-1
Severity: important
Tags: security upstream

Hi,

the following vulnerability was published for salt.

CVE-2017-14695[0]:
Directory traversal in minion id validation

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-14695
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14695
[1] https://docs.saltstack.com/en/2016.11/topics/releases/2016.11.8.html

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore



Reply sent to Ondřej Nový <onovy@debian.org>:
You have taken responsibility. (Mon, 11 Dec 2017 12:06:09 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Mon, 11 Dec 2017 12:06:09 GMT)


Message #10 received at 879089-close@bugs.debian.org:

From: Ondřej Nový <onovy@debian.org>
To: 879089-close@bugs.debian.org
Subject: Bug#879089: fixed in salt 2016.11.8+dfsg1-1
Date: Mon, 11 Dec 2017 12:04:11 +0000
Source: salt
Source-Version: 2016.11.8+dfsg1-1

We believe that the bug you reported is fixed in the latest version of
salt, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 879089@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Ondřej Nový <onovy@debian.org> (supplier of updated salt package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Mon, 11 Dec 2017 12:21:41 +0100
Source: salt
Binary: salt-common salt-master salt-minion salt-syndic salt-ssh salt-doc salt-cloud salt-api salt-proxy
Architecture: source
Version: 2016.11.8+dfsg1-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Salt Team <pkg-salt-team@lists.alioth.debian.org>
Changed-By: Ondřej Nový <onovy@debian.org>
Description:
 salt-api   - Generic, modular network access system
 salt-cloud - public cloud VM management system
 salt-common - shared libraries that salt requires for all packages
 salt-doc   - additional documentation for salt, the distributed remote executi
 salt-master - remote manager to administer servers via salt
 salt-minion - client package for salt, the distributed remote execution system
 salt-proxy - Proxy client package for salt stack
 salt-ssh   - remote manager to administer servers via Salt SSH
 salt-syndic - master-of-masters for salt, the distributed remote execution syst
Closes: 869659 872399 879089 879090
Changes:
 salt (2016.11.8+dfsg1-1) unstable; urgency=medium
 .
   [ Ondřej Nový ]
   * New upstream release. Security fixes:
     - CVE-2017-12791: Directory traversal vulnerability on salt-master via
       crafted minion IDs (Closes: #872399)
     - CVE-2017-14695: Directory traversal vulnerability in minion id
       validation in SaltStack (Closes: #879089)
     - CVE-2017-14696: Remote Denial of Service with a specially crafted
       authentication request (Closes: #879090)
   * Remove patches applied upstream and rebase others
   * Add myself to uploaders
   * Bump debhelper compat level to 10
     - Use dh_missing --fail-missing
     - New debhelper doesn't require a dependency on dh-systemd
     - Don't pass --with-systemd to dh, it's the default now
   * d/watch: Use https
   * Use Files-Excluded in d/copyright instead of own repack script
   * d/copyright:
     - Add myself for Debian part
     - Remove debian/repack
   * Deprecating priority extra as per policy 4.0.1
   * Remove deprecated upstart configuration
 .
   [ Benjamin Drung ]
   * Add python-msgpack dependency to salt-common (Closes: #869659)
Checksums-Sha1:
Checksums-Sha256:
Files:

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sat, 13 Jan 2018 07:31:52 GMT)


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 13:22:21 2019; Machine Name: beach
