salt: CVE-2016-3176: insecure configuration of PAM external authentication service

Debian Bug report logs - #819184

Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Thu, 24 Mar 2016 16:15:02 UTC

Severity: important

Tags: fixed-upstream, security, upstream

Found in versions salt/2015.8.7+ds-1, salt/2014.1.13+ds-1

Fixed in version salt/2015.8.8+ds-1

Done: Benjamin Drung <benjamin.drung@profitbricks.com>


Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Salt Team <pkg-salt-team@lists.alioth.debian.org>:
Bug#819184; Package src:salt. (Thu, 24 Mar 2016 16:15:06 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Salt Team <pkg-salt-team@lists.alioth.debian.org>. (Thu, 24 Mar 2016 16:15:06 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: salt: CVE-2016-3176: insecure configuration of PAM external authentication service
Date: Thu, 24 Mar 2016 17:12:55 +0100
Source: salt
Version: 2015.8.7+ds-1
Severity: important
Tags: security upstream fixed-upstream

Hi,

the following vulnerability was published for salt. Please
double-check. It is fixed upstream in 2015.8.8 and said to affect all
previous releases.

CVE-2016-3176[0]:
insecure configuration of PAM external authentication service

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2016-3176

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore



Reply sent to Benjamin Drung <benjamin.drung@profitbricks.com>:
You have taken responsibility. (Mon, 04 Apr 2016 12:21:15 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Mon, 04 Apr 2016 12:21:16 GMT)


Message #10 received at 819184-close@bugs.debian.org:

From: Benjamin Drung <benjamin.drung@profitbricks.com>
To: 819184-close@bugs.debian.org
Subject: Bug#819184: fixed in salt 2015.8.8+ds-1
Date: Mon, 04 Apr 2016 12:19:21 +0000
Source: salt
Source-Version: 2015.8.8+ds-1

We believe that the bug you reported is fixed in the latest version of
salt, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 819184@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Benjamin Drung <benjamin.drung@profitbricks.com> (supplier of updated salt package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Mon, 04 Apr 2016 13:21:16 +0200
Source: salt
Binary: salt-common salt-master salt-minion salt-syndic salt-ssh salt-doc salt-cloud salt-api salt-proxy
Architecture: source all
Version: 2015.8.8+ds-1
Distribution: unstable
Urgency: high
Maintainer: Debian Salt Team <pkg-salt-team@lists.alioth.debian.org>
Changed-By: Benjamin Drung <benjamin.drung@profitbricks.com>
Description:
 salt-api   - Generic, modular network access system
 salt-cloud - public cloud VM management system
 salt-common - shared libraries that salt requires for all packages
 salt-doc   - additional documentation for salt, the distributed remote executi
 salt-master - remote manager to administer servers via salt
 salt-minion - client package for salt, the distributed remote execution system
 salt-proxy - Proxy client package for salt stack
 salt-ssh   - remote manager to administer servers via Salt SSH
 salt-syndic - master-of-masters for salt, the distributed remote execution syst
Closes: 819184
Changes:
 salt (2015.8.8+ds-1) unstable; urgency=high
 .
   * New upstream release
     - CVE-2016-3176: Fix insecure configuration of PAM external
       authentication service (Closes: #819184)
   * Drop reproducible_builds.patch (accepted upstream)
   * Cherry-pick the four patches from 2015.8.8.2
   * Re-add shebang to ssh-id-wrapper shell script
Checksums-Sha1:
Checksums-Sha256:
Files:


Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Thu, 05 May 2016 07:34:31 GMT)


Bug unarchived. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Mon, 16 May 2016 13:12:04 GMT)


Marked as found in versions salt/2014.1.13+ds-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Mon, 16 May 2016 13:12:05 GMT)


Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 03 Jul 2016 07:47:17 GMT)
