salt: CVE-2017-8109


Debian Bug report logs - #861219
salt: CVE-2017-8109


Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Wed, 26 Apr 2017 05:39:01 UTC

Severity: important

Tags: fixed-upstream, patch, security, upstream

Found in version salt/2016.11.2+ds-1

Fixed in version salt/2016.11.5+ds-1

Done: Benjamin Drung <benjamin.drung@profitbricks.com>

Bug is archived. No further changes may be made.

Forwarded to https://github.com/saltstack/salt/issues/40075



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Salt Team <pkg-salt-team@lists.alioth.debian.org>:
Bug#861219; Package src:salt. (Wed, 26 Apr 2017 05:39:03 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Salt Team <pkg-salt-team@lists.alioth.debian.org>. (Wed, 26 Apr 2017 05:39:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: salt: CVE-2017-8109
Date: Wed, 26 Apr 2017 07:38:07 +0200
Source: salt
Version: 2016.11.2+ds-1
Severity: important
Tags: security patch upstream
Forwarded: https://github.com/saltstack/salt/issues/40075

Hi,

the following vulnerability was published for salt.

CVE-2017-8109[0]:
| The salt-ssh minion code in SaltStack Salt before 2016.11.4 copied over
| configuration from the Salt Master without adjusting permissions, which
| might leak credentials to local attackers on configured minions
| (clients).

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-8109
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8109
[1] https://github.com/saltstack/salt/issues/40075
[2] https://github.com/saltstack/salt/pull/40609
[3] https://github.com/saltstack/salt/commit/8492cef7a5c8871a3978ffc2f6e48b3b960e0151

Please adjust the affected versions in the BTS as needed, I only
quickly checked the sid version for the affected source code, no
checks for jessie done yet.

Regards,
Salvatore
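The defect class described in the CVE text above, as an added example in Python that is not part of this bug report, of Salt, or of the upstream fix: a naive copy preserves the source file's permissive mode bits, while the hardened copy creates the destination as 0600 before any data is written, and an audit function reports any minion-side config that is still readable by other local users. The directory layout, the config content and the helper names (`copy_config_private`, `find_exposed_files`, `demo`) are constructed for this demonstration.

```python
import os
import shutil
import stat
import tempfile
from pathlib import Path
from typing import List

# Constructed example, not code from Salt, Debian, or the CVE-2017-8109 fix.
# Pattern: configuration copied from a master onto a minion must not inherit
# a world-readable mode, or credentials inside it leak to other local users.

PRIVATE_MODE = 0o600  # owner read/write only


def copy_config_private(src: Path, dst: Path) -> Path:
    """Copy src to dst such that dst is never readable by other local users.

    The destination is opened with an explicit 0600 creation mode, so there
    is no window in which a freshly written file is readable by group/other.
    fchmod re-applies the mode in case dst already existed with wider bits.
    """
    src, dst = Path(src), Path(dst)
    dst.parent.mkdir(parents=True, exist_ok=True)
    fd = os.open(dst, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, PRIVATE_MODE)
    try:
        os.fchmod(fd, PRIVATE_MODE)
    except OSError:
        os.close(fd)
        raise
    with os.fdopen(fd, "wb") as out, open(src, "rb") as inp:
        shutil.copyfileobj(inp, out)
    return dst


def find_exposed_files(root: Path) -> List[Path]:
    """Return regular files under root whose mode grants group or other read."""
    exposed = []
    for path in sorted(Path(root).rglob("*")):
        if path.is_symlink() or not path.is_file():
            continue
        if path.stat().st_mode & (stat.S_IRGRP | stat.S_IROTH):
            exposed.append(path)
    return exposed


def demo() -> dict:
    """Build a constructed master/minion layout, copy both ways, and audit."""
    work = Path(tempfile.mkdtemp(prefix="salt-perm-demo-"))
    master_cfg = work / "master" / "minion"
    master_cfg.parent.mkdir()
    master_cfg.write_text("master: 10.0.0.1\nid: web01\n")  # constructed config
    master_cfg.chmod(0o644)  # typical permissive mode on the master side

    minion_dir = work / "minion"
    minion_dir.mkdir()
    naive = minion_dir / "minion.naive"
    shutil.copy2(master_cfg, naive)  # copy2 preserves the source's 0644 mode
    hardened = copy_config_private(master_cfg, minion_dir / "minion")

    result = {
        "naive_mode": stat.S_IMODE(naive.stat().st_mode),
        "hardened_mode": stat.S_IMODE(hardened.stat().st_mode),
        "exposed": [p.name for p in find_exposed_files(minion_dir)],
    }
    shutil.rmtree(work)
    return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, oct(value) if isinstance(value, int) else value)
```

Running the block prints the naive copy at `0o644`, the hardened copy at `0o600`, and lists only `minion.naive` as exposed; the audit function is the part a defender would run periodically over a minion's config directory, since a one-time fix in the copy path does not retroactively tighten files already deployed.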



Added tag(s) fixed-upstream. Request was from bts-link-upstream@lists.alioth.debian.org to control@bugs.debian.org. (Mon, 01 May 2017 17:57:07 GMT)


Reply sent to Benjamin Drung <benjamin.drung@profitbricks.com>:
You have taken responsibility. (Fri, 26 May 2017 16:21:11 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Fri, 26 May 2017 16:21:11 GMT)


Message #12 received at 861219-close@bugs.debian.org:

From: Benjamin Drung <benjamin.drung@profitbricks.com>
To: 861219-close@bugs.debian.org
Subject: Bug#861219: fixed in salt 2016.11.5+ds-1
Date: Fri, 26 May 2017 16:19:34 +0000
Source: salt
Source-Version: 2016.11.5+ds-1

We believe that the bug you reported is fixed in the latest version of
salt, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 861219@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Benjamin Drung <benjamin.drung@profitbricks.com> (supplier of updated salt package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Fri, 26 May 2017 17:54:23 +0200
Source: salt
Binary: salt-common salt-master salt-minion salt-syndic salt-ssh salt-doc salt-cloud salt-api salt-proxy
Architecture: source
Version: 2016.11.5+ds-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Salt Team <pkg-salt-team@lists.alioth.debian.org>
Changed-By: Benjamin Drung <benjamin.drung@profitbricks.com>
Description:
 salt-api   - Generic, modular network access system
 salt-cloud - public cloud VM management system
 salt-common - shared libraries that salt requires for all packages
 salt-doc   - additional documentation for salt, the distributed remote executi
 salt-master - remote manager to administer servers via salt
 salt-minion - client package for salt, the distributed remote execution system
 salt-proxy - Proxy client package for salt stack
 salt-ssh   - remote manager to administer servers via Salt SSH
 salt-syndic - master-of-masters for salt, the distributed remote execution syst
Closes: 772406 851559 861219
Changes:
 salt (2016.11.5+ds-1) unstable; urgency=medium
 .
   * New upstream bug-fix release. Security fixes:
     - CVE-2017-8109: salt-ssh minion copied over configuration from the Salt
       Master without adjusting permissions (Closes: #861219)
   * Refresh patches and drop Fix-top_file_merging_strategy-warning.patch
   * Do not require sphinx-build for cleaning docs (Closes: #851559)
   * Install spm into salt-common
   * Install salt-unity into salt-master
   * Add documentation keys to systemd service files (PR 41401)
   * Move salt.7 from salt-common to salt-doc, since it uses 1.7 MiB (compressed)
   * Fix spelling mistakes (found by lintian) (PR 41404)
   * Document aptpkg architectures parameter
   * Fix pkgrepo.managed always return changes for test=true (PR 41456)
   * Update fingerprint hash type default from md5 to sha256. Note: upstream
     defers this change to the next major release (Nitrogen)
   * Fix bashism in bootstrap-salt.sh (Closes: #772406)
Checksums-Sha1:
 680d8554d7c2e6d741673737a6de5ce560cd4436 2692 salt_2016.11.5+ds-1.dsc
 f78cd5f55572b47f2d8f2829d047fc0eb341a1d3 6173660 salt_2016.11.5+ds.orig.tar.xz
 e79e5b5198bc1b7fd19349f0e916fab61ae0b451 53140 salt_2016.11.5+ds-1.debian.tar.xz
Checksums-Sha256:
 a688d9b3ae585a71c834512a4024fe5a787a0bd129e23c65921306af6682f5a6 2692 salt_2016.11.5+ds-1.dsc
 634436dd543813792140e494c770fef0345f68683b11dccdf0434760c222eaf8 6173660 salt_2016.11.5+ds.orig.tar.xz
 7fcb41656a752f81ca6357ccbddbfaa4cac3ade779d24186e2b42deb87417d89 53140 salt_2016.11.5+ds-1.debian.tar.xz
Files:
 fb1dc19347acf730cea7ca149ed0b750 2692 admin extra salt_2016.11.5+ds-1.dsc
 e76b08aa9f571f2b88c52938b6a1d549 6173660 admin extra salt_2016.11.5+ds.orig.tar.xz
 1be8d60f8ed8f0f86e7f54369daa5a64 53140 admin extra salt_2016.11.5+ds-1.debian.tar.xz





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Tue, 18 Jul 2017 07:31:24 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 18:09:32 2019; Machine Name: beach
