Debian Bug report logs -
#949222
salt: CVE-2019-17361
Reported by: Salvatore Bonaccorso <carnil@debian.org>
Date: Sat, 18 Jan 2020 12:42:01 UTC
Severity: grave
Tags: security, upstream
Found in versions salt/2016.11.2+ds-1+deb9u2, salt/2018.3.4+dfsg1-7, salt/2018.3.4+dfsg1-6, salt/2016.11.2+ds-1
Reply or subscribe to this bug.
Toggle useless messages
Report forwarded
to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, team@security.debian.org, Debian Salt Team <pkg-salt-team@lists.alioth.debian.org>:
Bug#949222; Package src:salt.
(Sat, 18 Jan 2020 12:42:03 GMT) (full text, mbox, link).
Acknowledgement sent
to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, team@security.debian.org, Debian Salt Team <pkg-salt-team@lists.alioth.debian.org>.
(Sat, 18 Jan 2020 12:42:03 GMT) (full text, mbox, link).
Message #5 received at submit@bugs.debian.org (full text, mbox, reply):
Source: salt
Version: 2018.3.4+dfsg1-7
Severity: grave
Tags: security upstream
Justification: user security hole
Control: found -1 2018.3.4+dfsg1-6
Control: found -1 2016.11.2+ds-1+deb9u2
Control: found -1 2016.11.2+ds-1
Hi,
The following vulnerability was published for salt.
CVE-2019-17361[0]:
| In SaltStack Salt through 2019.2.0, the salt-api NEST API with the ssh
| client enabled is vulnerable to command injection. This allows an
| unauthenticated attacker with network access to the API endpoint to
| execute arbitrary code on the salt-api host.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2019-17361
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17361
[1] https://docs.saltstack.com/en/latest/topics/releases/2019.2.3.html#security-fix
[2] https://github.com/saltstack/salt/commit/bca115f3f00fbde564dd2f12bf036b5d2fd08387
Please adjust the affected versions as needed in the BTS. It looks to
me that all versions back to the stretch one have the problem, but an
explicit confirmation or nack would be welcome. I did check explicitly
the invocations in salt/netapi/__init__.py, but let me know if I
missed something.
Regards,
Salvatore
Marked as found in versions salt/2018.3.4+dfsg1-6.
Request was from Salvatore Bonaccorso <carnil@debian.org>
to submit@bugs.debian.org.
(Sat, 18 Jan 2020 12:42:03 GMT) (full text, mbox, link).
Marked as found in versions salt/2016.11.2+ds-1+deb9u2.
Request was from Salvatore Bonaccorso <carnil@debian.org>
to submit@bugs.debian.org.
(Sat, 18 Jan 2020 12:42:03 GMT) (full text, mbox, link).
Marked as found in versions salt/2016.11.2+ds-1.
Request was from Salvatore Bonaccorso <carnil@debian.org>
to submit@bugs.debian.org.
(Sat, 18 Jan 2020 12:42:04 GMT) (full text, mbox, link).
Send a report that this bug log contains spam.
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified:
Fri Jan 24 08:36:51 2020;
Machine Name:
buxtehude
Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.
Vulmon