salt: CVE-2018-15751: remote authentication bypass in salt-api(netapi) allows to execute arbitrary commands

Related Vulnerabilities: CVE-2018-15751, CVE-2018-15750

Debian Bug report logs - #913475


Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Sun, 11 Nov 2018 13:57:04 UTC

Severity: grave

Tags: security, upstream

Found in version salt/2017.7.4+dfsg1-1

Fixed in version salt/2018.3.3+dfsg1-1

Done: Benjamin Drung <benjamin.drung@cloud.ionos.com>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, Debian Salt Team <pkg-salt-team@lists.alioth.debian.org>:
Bug#913475; Package src:salt. (Sun, 11 Nov 2018 13:57:06 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, Debian Salt Team <pkg-salt-team@lists.alioth.debian.org>. (Sun, 11 Nov 2018 13:57:06 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: salt: CVE-2018-15751: remote authentication bypass in salt-api(netapi) allows to execute arbitrary commands
Date: Sun, 11 Nov 2018 14:54:32 +0100
Source: salt
Version: 2017.7.4+dfsg1-1
Severity: grave
Tags: security upstream

Hi,

The following vulnerability was published for salt.

CVE-2018-15751[0]:
| SaltStack Salt before 2017.7.8 and 2018.3.x before 2018.3.3 allow
| remote attackers to bypass authentication and execute arbitrary
| commands via salt-api(netapi).

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2018-15751
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-15751
[1] https://bugzilla.novell.com/show_bug.cgi?id=1113699
[2] https://docs.saltstack.com/en/2017.7/topics/releases/2017.7.8.html
    https://docs.saltstack.com/en/latest/topics/releases/2018.3.3.html

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore



Reply sent to Benjamin Drung <benjamin.drung@cloud.ionos.com>:
You have taken responsibility. (Fri, 21 Dec 2018 19:24:17 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Fri, 21 Dec 2018 19:24:17 GMT)


Message #10 received at 913475-close@bugs.debian.org:

From: Benjamin Drung <benjamin.drung@cloud.ionos.com>
To: 913475-close@bugs.debian.org
Subject: Bug#913475: fixed in salt 2018.3.3+dfsg1-1
Date: Fri, 21 Dec 2018 19:20:58 +0000
Source: salt
Source-Version: 2018.3.3+dfsg1-1

We believe that the bug you reported is fixed in the latest version of
salt, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 913475@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Benjamin Drung <benjamin.drung@cloud.ionos.com> (supplier of updated salt package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Fri, 21 Dec 2018 19:21:57 +0100
Source: salt
Binary: salt-common salt-master salt-minion salt-syndic salt-ssh salt-doc salt-cloud salt-api salt-proxy
Architecture: source all
Version: 2018.3.3+dfsg1-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Salt Team <pkg-salt-team@lists.alioth.debian.org>
Changed-By: Benjamin Drung <benjamin.drung@cloud.ionos.com>
Description:
 salt-api   - Generic, modular network access system
 salt-cloud - public cloud VM management system
 salt-common - shared libraries that salt requires for all packages
 salt-doc   - additional documentation for salt, the distributed remote executi
 salt-master - remote manager to administer servers via salt
 salt-minion - client package for salt, the distributed remote execution system
 salt-proxy - Proxy client package for salt stack
 salt-ssh   - remote manager to administer servers via Salt SSH
 salt-syndic - master-of-masters for salt, the distributed remote execution syst
Closes: 893817 896921 898142 904654 905519 906275 908430 913475 913476
Changes:
 salt (2018.3.3+dfsg1-1) unstable; urgency=medium
 .
   * New upstream release
     - CVE-2018-15751: remote authentication bypass in salt-api (netapi) allows
       executing arbitrary commands (Closes: #913475)
     - CVE-2018-15750: Directory traversal in salt-api allows remote attackers
       to identify arbitrary files (Closes: #913476)
     - Support Python 3.7 (Closes: #904654)
     - Fix typo (Closes: #906275)
   * Drop 22 patches that were accepted by upstream and refresh remaining ones.
   * Remove inactive Wolodja Wentland. Thanks for your work. (Closes: #898142)
   * Remove empty /var/lib/salt on package purge (Closes: #905519)
   * Fix InstallRequirement.from_line for pip 18.1
   * Use collections.abc instead of collections for Python 3.7 (from upstream)
   * Add patch to support unittest.mock from Python >= 3.6 again
   * Fix RemoveCapacityFromDiskgroupTestCase require pyvmomi
   * Fix twilio version checking
   * Bump Standards-Version to 4.2.1 (no changes are required)
   * Call setup.py install with --install-layout deb
   * Fix documentation build (with five individual patches)
   * Upgrade to libjs-bootstrap version 3 (Closes: #908430)
   * Add multiple build dependencies to increase unittest coverage
   * Add autopkgtest to run the unittests
   * Skip failing test_event_subscription (for now) due to tornado bug #2536
     when using openssl 1.1.1 with TLS 1.3.
   * Skip failing kubernetes test (for now, needs an upstream fix)
   * Use python3-tornado4 due to missing support for tornado version 5
     (Closes: #893817, #896921)
Checksums-Sha1:
 f5f4b22cbc466e2935c0be19c60bffb374dc50d0 4046 salt_2018.3.3+dfsg1-1.dsc
 eec9f6c2be5380831dccd2e21c4d531765a30056 9042056 salt_2018.3.3+dfsg1.orig.tar.xz
 3bd4e7f35a6593c2a01d28517ef7e00d255db7c6 64888 salt_2018.3.3+dfsg1-1.debian.tar.xz
 0b9ac0c0b552859c3ce2ddbf2b036c376aab769f 25692 salt-api_2018.3.3+dfsg1-1_all.deb
 3736eb573c92b439307c9cbf18c17539a4f21d81 27564 salt-cloud_2018.3.3+dfsg1-1_all.deb
 9ccead80f70cc625a412a8cffd29137101ff18dc 3226732 salt-common_2018.3.3+dfsg1-1_all.deb
 c90f0082cf3f242ecca88151f0fa2e483c9a2546 9278356 salt-doc_2018.3.3+dfsg1-1_all.deb
 5fca39be41353efba81c9f067b11393cdc3aca41 54296 salt-master_2018.3.3+dfsg1-1_all.deb
 cae4b7eb5e4839ceef2c325919d8941e2e768321 37920 salt-minion_2018.3.3+dfsg1-1_all.deb
 577a9272392033f09cb39939a65f5e8b2a85291c 24576 salt-proxy_2018.3.3+dfsg1-1_all.deb
 08ee68b818582860ac3f2dc50b17bc110707c9da 26684 salt-ssh_2018.3.3+dfsg1-1_all.deb
 399031c1a344095deeedfc24003ee2dd7de65459 25936 salt-syndic_2018.3.3+dfsg1-1_all.deb
 b7082b36f9018f2ee2f85377fcd85b382f238db1 13510 salt_2018.3.3+dfsg1-1_amd64.buildinfo
Checksums-Sha256:
 0706b57fc075273c20f6a2b3db14240d4d828d1ab7e9ad760b3df71ba788f70a 4046 salt_2018.3.3+dfsg1-1.dsc
 b5b59032bfad66860a9739b84e2c0e68c4d9efe13f8f88d2ce58dff1bcf1860c 9042056 salt_2018.3.3+dfsg1.orig.tar.xz
 31990a092c12866068aef25eb03b9a22ae780594c10ec80f12e8f1737f19d0f3 64888 salt_2018.3.3+dfsg1-1.debian.tar.xz
 97227a4c6de3d0f7cc89edd5d2c2bea2d91ae18128749ad0bc47c73cfc215460 25692 salt-api_2018.3.3+dfsg1-1_all.deb
 8a750f27cb1b74305b0d9d263c5ec46861b45ed3e59f9949c4e8186f3663907e 27564 salt-cloud_2018.3.3+dfsg1-1_all.deb
 088cec45c9aa5a1ceb528eb4290bb37aef057e6871bacf5d2037e9362c84cd26 3226732 salt-common_2018.3.3+dfsg1-1_all.deb
 a921a4abdd5eefdcdade1b53072615ec6dcba0bf550e012808b72140a43eaefb 9278356 salt-doc_2018.3.3+dfsg1-1_all.deb
 844f4635f3a8e2354c75b71d396db791c631c26028aeb2c7926471e78c088deb 54296 salt-master_2018.3.3+dfsg1-1_all.deb
 281956346206a94bc92026364088b8c410b9c0a43ecb2b5fc84b0e377af12228 37920 salt-minion_2018.3.3+dfsg1-1_all.deb
 ca40c0b5072a4ed9fd2a64dfccbbee2c896fe4eb4dcb7be85cfd668c46094d2c 24576 salt-proxy_2018.3.3+dfsg1-1_all.deb
 bf8069a4b0d8d1b82d8dcda0d9814d3ddbfdd7e21b0b34f910e3bdba65e823a0 26684 salt-ssh_2018.3.3+dfsg1-1_all.deb
 7ddaedcef50447828ae35dba18dc04ad94fcf97590cd09fb20337eda8eb3778b 25936 salt-syndic_2018.3.3+dfsg1-1_all.deb
 22097d686ec6291e76198f59fa8d5d470f43994f8f3fb36e0818e84559b28865 13510 salt_2018.3.3+dfsg1-1_amd64.buildinfo
Files:
 1342f24f45ac57223063f2e4192725b6 4046 admin optional salt_2018.3.3+dfsg1-1.dsc
 2969a2045f3c9a07827e453c98175044 9042056 admin optional salt_2018.3.3+dfsg1.orig.tar.xz
 9315658ea44999522a63d7ca6bd2888a 64888 admin optional salt_2018.3.3+dfsg1-1.debian.tar.xz
 3fd9aa9fe3703a218f4ab79e15efa030 25692 admin optional salt-api_2018.3.3+dfsg1-1_all.deb
 9bdba31be1acb63771742c3bc29196ac 27564 admin optional salt-cloud_2018.3.3+dfsg1-1_all.deb
 1a873bfa2ab74237553a1afdb34a67eb 3226732 admin optional salt-common_2018.3.3+dfsg1-1_all.deb
 ab0724266d739b84f781f5037d93314a 9278356 doc optional salt-doc_2018.3.3+dfsg1-1_all.deb
 a19fbf47ca9cbd75295cc5cff53fb28c 54296 admin optional salt-master_2018.3.3+dfsg1-1_all.deb
 14a92bd9b523e8e96c5bb0204a5d0733 37920 admin optional salt-minion_2018.3.3+dfsg1-1_all.deb
 5a932b52db3f48abe0b5bea01f715946 24576 admin optional salt-proxy_2018.3.3+dfsg1-1_all.deb
 db1dc79f18dd9cd28b3421c09595101f 26684 admin optional salt-ssh_2018.3.3+dfsg1-1_all.deb
 9912ef5dba13dc7af45ccc1ddb85be4c 25936 admin optional salt-syndic_2018.3.3+dfsg1-1_all.deb
 5e9fd639a319e8967eb9f023b8257aba 13510 admin optional salt_2018.3.3+dfsg1-1_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEpi0s+9ULm1vzYNVLFZ61xO/Id0wFAlwdOVUACgkQFZ61xO/I
d0wRXRAAn+1FRj0PFqhktCxHyXxOhtgw5Wtag8f5tT5AgwHvzBAcC2icxDRLw1/A
L9wb0pEzpoKUElEVm8B907sjAu5upnG+N7i/xQA+FiDY14NBYSKoxdCwSgcg+CL8
7AkPT+zQgb/lbJfYSax1QpZN5qSe8cYZsK0dgF88QOKhfpKCGKgfiivg2KSd8dGG
uOIVoaQkY/bk0Dd2Kvg0QoK9CuIQCR/XAsziUwvcj6ef859k1x6YDan/9tBSfBB2
SZ5u5iGj6K3bfnT3mIHbM2ZTDMhvCsZCKTkZjeQYWh7BfA7hmmPe1/fp+rLRBblo
P7eXjZ7Sjy0LRvho2/fQnE9pPp/J6qq9GvjsO8Cww/ohtXT3gxPLvVCBmMGT71VD
CKolB2m0kqkMnlca5YKzQ9QcB9IeoXxvvZeaCyiYc80Ik8Ufd2KEhk/R8zSRUgdV
Ds9gHnEWB8uWGlwr0Itac6NHjFvi2x7BPen5A2NfXTh09IUVfWLqbrMSPfF7D6L8
LKeSwtKugJR5Rhvz63iFUTf8rXSAf0v3/CE/c/kqLPrJ8W0vpwO1pRpyW6XgUZyO
diLIBEsN/yytYFnQ3LuxeSEIDQP++m6pxyjV4U6rHRGuvjCpzDL/bvgzaMOC4eyu
lM3tlcjq6dd7+Wy7wkDBTbBkGgV6yakV/KgFUJ8ABcX3NL3ULvA=
=VFcK
-----END PGP SIGNATURE-----

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sat, 19 Jan 2019 07:36:07 GMT)

Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 15:20:14 2019; Machine Name: buxtehude