salt: Multiple security issues

Related Vulnerabilities: CVE-2013-4435, CVE-2013-4436, CVE-2013-4438, CVE-2013-4439

Debian Bug report logs - #726480


Reported by: Moritz Muehlenhoff <jmm@inutil.org>

Date: Wed, 16 Oct 2013 06:39:02 UTC

Severity: grave

Tags: security

Fixed in version salt/0.17.1+dfsg-1

Done: Joe Healy <joehealy@gmail.com>

Bug is archived. No further changes may be made.




Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Salt Team <pkg-salt-team@lists.alioth.debian.org>:
Bug#726480; Package salt. (Wed, 16 Oct 2013 06:39:06 GMT)


Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Salt Team <pkg-salt-team@lists.alioth.debian.org>. (Wed, 16 Oct 2013 06:39:06 GMT)


Message #5 received at submit@bugs.debian.org:

From: Moritz Muehlenhoff <jmm@inutil.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: salt: Multiple security issues
Date: Wed, 16 Oct 2013 08:30:11 +0200
Package: salt
Severity: grave
Tags: security
Justification: user security hole

This was posted to oss-security. Since it's now more or less
public, you should contact upstream to check the patch status:

http://seclists.org/oss-sec/2013/q4/113
http://seclists.org/oss-sec/2013/q4/114

Cheers,
        Moritz



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Salt Team <pkg-salt-team@lists.alioth.debian.org>:
Bug#726480; Package salt. (Wed, 16 Oct 2013 07:45:15 GMT)


Acknowledgement sent to Joe Healy <joehealy@gmail.com>:
Extra info received and forwarded to list. Copy sent to Debian Salt Team <pkg-salt-team@lists.alioth.debian.org>. (Wed, 16 Oct 2013 07:45:15 GMT)


Message #10 received at 726480@bugs.debian.org:

From: Joe Healy <joehealy@gmail.com>
To: 726480@bugs.debian.org
Subject: upstream appear to have a patch
Date: Wed, 16 Oct 2013 18:24:21 +1100
https://github.com/saltstack/salt/pull/7356/files



Added tag(s) pending. Request was from Anibal Monsalve Salazar <anibal@debian.org> to control@bugs.debian.org. (Tue, 22 Oct 2013 19:06:10 GMT)


Reply sent to Joe Healy <joehealy@gmail.com>:
You have taken responsibility. (Wed, 30 Oct 2013 16:03:22 GMT)


Notification sent to Moritz Muehlenhoff <jmm@inutil.org>:
Bug acknowledged by developer. (Wed, 30 Oct 2013 16:03:22 GMT)


Message #17 received at 726480-close@bugs.debian.org:

From: Joe Healy <joehealy@gmail.com>
To: 726480-close@bugs.debian.org
Subject: Bug#726480: fixed in salt 0.17.1+dfsg-1
Date: Wed, 30 Oct 2013 16:00:07 +0000
Source: salt
Source-Version: 0.17.1+dfsg-1

We believe that the bug you reported is fixed in the latest version of
salt, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 726480@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Joe Healy <joehealy@gmail.com> (supplier of updated salt package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Wed, 23 Oct 2013 00:19:26 +1100
Source: salt
Binary: salt-common salt-master salt-minion salt-syndic salt-ssh salt-doc
Architecture: source all
Version: 0.17.1+dfsg-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Salt Team <pkg-salt-team@lists.alioth.debian.org>
Changed-By: Joe Healy <joehealy@gmail.com>
Description: 
 salt-common - shared libraries that salt requires for all packages
 salt-doc   - additional documentation for salt, the distributed remote executi
 salt-master - remote manager to administer servers via salt
 salt-minion - client package for salt, the distributed remote execution system
 salt-ssh   - remote manager to administer servers via salt
 salt-syndic - master-of-masters for salt, the distributed remote execution syst
Closes: 725999 726480
Changes: 
 salt (0.17.1+dfsg-1) unstable; urgency=medium
 .
   * [ebd0329] Updated gbp.conf to remove saltstack theme
   * [ba2cb77] Updated debian/watch to deal with dfsg versions
   * [091a74a] Imported Upstream version 0.17.1+dfsg
   * Various security fixes, Closes: 726480
     * Insufficient Argument Validation CVE-2013-4435
     * MITM ssh attack in salt-ssh CVE-2013-4436
     * Insecure Usage of /tmp in salt-ssh CVE-2013-4438
     * YAML Calling Unsafe Loading Routine CVE-2013-4438
     * Failure to Validate Minions Posting Data CVE-2013-4439
   * [47ce833] Removed patches for issues fixed by upstream
   * [fddc7b5] Added patches for doc theme change and minor fixes
   * [b146f77] Build man pages
   * [cd33d3a] Copyright and licence audit, Closes: 725999





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Fri, 24 Jan 2014 07:36:56 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 13:56:03 2019; Machine Name: buxtehude
