Package: release.debian.org Severity: normal Tags: jessie User: release.debian....@packages.debian.org Usertags: pu
Hi, salt in jessie is affected by some security issues. Salvatore Bonaccorso from the security team wrote: So we are basically down at https://security-tracker.debian.org/tracker/source-package/salt to no-dsa issues, so it is up to you to decide, I guess, if you still want a DSA or would rather go via the upcoming point release. Hence this request for an SPU (stable update) fixing four security bugs (debdiff attached). -- Benjamin Drung System Developer Debian & Ubuntu Developer ProfitBricks GmbH Greifswalder Str. 207 D - 10405 Berlin Email: benjamin.dr...@profitbricks.com Web: https://www.profitbricks.com Sitz der Gesellschaft: Berlin. Registergericht: Amtsgericht Charlottenburg, HRB 125506B. Geschäftsführer: Achim Weiss.
diff -Nru salt-2014.1.13+ds/debian/changelog salt-2014.1.13+ds/debian/changelog
--- salt-2014.1.13+ds/debian/changelog 2015-02-13 06:27:53.000000000 +0100
+++ salt-2014.1.13+ds/debian/changelog 2017-05-22 13:34:40.000000000 +0200
@@ -1,3 +1,18 @@
+salt (2014.1.13+ds-3+deb8u1) jessie; urgency=high
+
+ [ Benjamin Drung ]
+ * Team upload.
+ * CVE-2015-6918: git module leaks authentication details into log
+ * CVE-2015-6941: user state displays passwords in debug log
+
+ [ Salvatore Bonaccorso ]
+ * CVE-2015-8034: Information leak from state.sls cache data stored as
+ world-readable (Closes: #807356)
+ * CVE-2016-3176: Insecure configuration of PAM external authentication
+ service (Closes: #819184)
+
+ -- Benjamin Drung <benjamin.dr...@profitbricks.com> Mon, 22 May 2017 13:34:36 +0200
+
 salt (2014.1.13+ds-3) unstable; urgency=medium
 
 * [5273cd4] Added python-msgpack dependency. Closes: 777665
diff -Nru salt-2014.1.13+ds/debian/patches/CVE-2015-6918.patch salt-2014.1.13+ds/debian/patches/CVE-2015-6918.patch
--- salt-2014.1.13+ds/debian/patches/CVE-2015-6918.patch 1970-01-01 01:00:00.000000000 +0100
+++ salt-2014.1.13+ds/debian/patches/CVE-2015-6918.patch 2017-04-18 12:18:56.000000000 +0200
@@ -0,0 +1,46 @@
+From 528916548726976dcc75626dc6f6641ceb206ee3 Mon Sep 17 00:00:00 2001
+From: Tarjei Husøy <g...@thusoy.com>
+Date: Wed, 19 Aug 2015 11:41:10 -0700
+Subject: [PATCH] Git: Don't leak https user/pw to log
+Origin: backport, https://github.com/saltstack/salt/commit/28aa9b105804ff433d8f663b2f9b804f2b75495a
+
+---
+ salt/modules/git.py | 17 ++++++++++++++---
+ tests/unit/modules/git_test.py | 18 ++++++++++++++++++
+ 2 files changed, 32 insertions(+), 3 deletions(-)
+
+--- a/salt/modules/git.py
++++ b/salt/modules/git.py
+@@ -5,6 +5,7 @@
+
+ # Import python libs
+ import os
++import re
+ import tempfile
+ try:
+ import pipes
+@@ -75,6 +76,7 @@
+ result = __salt__['cmd.run_all'](cmd,
+ cwd=cwd,
+ runas=runas,
++ output_loglevel='quiet',
+ env=env,
+ **kwargs)
+
+@@ -86,7 +88,15 @@
+ if retcode == 0:
+ return result['stdout']
+ else:
+- raise exceptions.CommandExecutionError(result['stderr'])
++ stderr = _remove_sensitive_data(result['stderr'])
++ raise exceptions.CommandExecutionError(stderr)
++
++
++def _remove_sensitive_data(sensitive_output):
++ '''
++ Remove HTTP user and password.
++ '''
++ return re.sub('(https?)://.*@', r'\1://<redacted>@', sensitive_output)
+
+
+ def _git_getdir(cwd, user=None):
diff -Nru salt-2014.1.13+ds/debian/patches/CVE-2015-6941.patch salt-2014.1.13+ds/debian/patches/CVE-2015-6941.patch
--- salt-2014.1.13+ds/debian/patches/CVE-2015-6941.patch 1970-01-01 01:00:00.000000000 +0100
+++ salt-2014.1.13+ds/debian/patches/CVE-2015-6941.patch 2017-04-18 12:32:52.000000000 +0200
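Review bot: The pattern in `_remove_sensitive_data`, `'(https?)://.*@'`, is greedy and will consume everything up to the last `@` on a line, so a stderr line that carries a URL and a later `user@host` (or two URLs) is over-redacted, while the userinfo is all that needs hiding; bounding the match to that component, `return re.sub(r'(https?://)[^/\s@]*@', r'\1<redacted>@', sensitive_output)`, keeps the rest of the message intact. The redaction only runs on the non-zero exit path; the `retcode == 0` branch still returns `result['stdout']` unfiltered, which is presumably harmless for git's stdout but deserves a one-line comment saying so, and whether `output_loglevel='quiet'` also suppresses logging of the command line itself (which embeds the URL) in this 2014.1 `cmd.run_all` is not visible here. The patch header's diffstat still lists `tests/unit/modules/git_test.py | 18 ++++++++++++++++++`, yet no hunk for that file is present, so the stat is stale and the upstream regression test did not come along with the backport. The wrapper around `cmd.run_all` whose `raise` is changed starts outside the hunk.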
@@ -0,0 +1,33 @@
+From fdd35374562658f4a20767a3703fab93d92f9ca9 Mon Sep 17 00:00:00 2001
+From: twangboy <s...@saltstack.com>
+Date: Fri, 11 Sep 2015 16:39:47 -0600
+Subject: [PATCH] Replaced password with redacted when displayed
+Origin: backport, https://github.com/twangboy/salt/commit/c0689e32154c41f59840ae10ffc5fbfa30618710
+
+---
+ salt/states/user.py | 10 ++++++----
+ 1 file changed, 6 insertions(+), 4 deletions(-)
+
+--- a/salt/states/user.py
++++ b/salt/states/user.py
+@@ -362,6 +362,8 @@
+ ret['comment'] = ('The following user attributes are set to be '
+ 'changed:\n')
+ for key, val in changes.items():
++ if key == 'password':
++ val = 'XXX-REDACTED-XXX'
+ ret['comment'] += '{0}: {1}\n'.format(key, val)
+ return ret
+ # The user is present
+@@ -480,9 +482,9 @@
+ if spost['passwd'] != password:
+ ret['comment'] = 'User {0} created but failed to set' \
+ ' password to' \
+- ' {1}'.format(name, password)
++ ' {1}'.format(name, 'XXX-REDACTED-XXX')
+ ret['result'] = False
+- ret['changes']['password'] = password
++ ret['changes']['password'] = 'XXX-REDACTED-XXX'
+ if date:
+ __salt__['shadow.set_date'](name, date)
+ spost = __salt__['shadow.info'](name)
diff -Nru salt-2014.1.13+ds/debian/patches/CVE-2015-8034.patch salt-2014.1.13+ds/debian/patches/CVE-2015-8034.patch
--- salt-2014.1.13+ds/debian/patches/CVE-2015-8034.patch 1970-01-01 01:00:00.000000000 +0100
+++ salt-2014.1.13+ds/debian/patches/CVE-2015-8034.patch 2016-06-11 16:35:29.000000000 +0200
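Review bot: The literal `'XXX-REDACTED-XXX'` is repeated three times across the two hunks; hoisting it to a module-level `_REDACTED = 'XXX-REDACTED-XXX'` keeps the marker consistent and makes it greppable when the redaction is extended to other keys. In the first hunk only the comment text is masked: `changes` itself still holds the password value, so if `changes` is also copied into `ret['changes']` further down in `present()` (outside this hunk) the value still reaches the return payload — worth confirming before treating CVE-2015-6941 as closed. In the second hunk the comparison `spost['passwd'] != password` is untouched, so the redaction changes only the reported strings, not the detection of a failed password set. `present()` starts and ends outside the hunk.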
@@ -0,0 +1,43 @@
+From 097838ec0c52b1e96f7f761e5fb3cd7e79808741 Mon Sep 17 00:00:00 2001
+From: Mike Place <m...@saltstack.com>
+Date: Fri, 30 Oct 2015 15:05:36 -0600
+Subject: [PATCH] Wrap all cache calls in state.sls in correct umask
+
+Refs #28455
+---
+ salt/modules/state.py | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/salt/modules/state.py
++++ b/salt/modules/state.py
+@@ -366,12 +366,13 @@ def sls(mods,
+ )
+
+ st_ = salt.state.HighState(opts, pillar, kwargs.get('__pub_jid'))
+-
++ umask = os.umask(0o77)
+ if kwargs.get('cache'):
+ if os.path.isfile(cfn):
+ with salt.utils.fopen(cfn, 'rb') as fp_:
+ high_ = serial.load(fp_)
+ return st_.state.call_high(high_)
++ os.umask(umask)
+
+ if isinstance(mods, string_types):
+ mods = mods.split(',')
+@@ -407,7 +408,6 @@ def sls(mods,
+ except (IOError, OSError):
+ msg = 'Unable to write to "state.sls" cache file {0}'
+ log.error(msg.format(cache_file))
+- os.umask(cumask)
+ _set_retcode(ret)
+ # Work around Windows multiprocessing bug, set __opts__['test'] back to
+ # value from before this function was run.
+@@ -422,6 +422,7 @@ def sls(mods,
+ except (IOError, OSError):
+ msg = 'Unable to write to highstate cache file {0}. Do you have permissions?'
+ log.error(msg.format(cfn))
++ os.umask(cumask)
+ return ret
+
+
diff -Nru salt-2014.1.13+ds/debian/patches/CVE-2016-3176.patch salt-2014.1.13+ds/debian/patches/CVE-2016-3176.patch
--- salt-2014.1.13+ds/debian/patches/CVE-2016-3176.patch 1970-01-01 01:00:00.000000000 +0100
+++ salt-2014.1.13+ds/debian/patches/CVE-2016-3176.patch 2016-06-11 16:35:29.000000000 +0200
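Review bot: In the first inner hunk the `return st_.state.call_high(high_)` inside the `cache` branch exits before the new `os.umask(umask)` runs, so a cached run leaves the minion process with umask 077 for everything it creates afterwards, and an exception raised between `os.umask(0o77)` and the restore has the same effect; moving the restore into a `try`/`finally` covers both paths (rewritten lines below). Reading the existing cache via `fopen(cfn, 'rb')` creates no file, so the umask only matters for the write paths in the later hunks, where `cumask` is set outside the visible lines and is now restored only at the very end of `sls()` rather than right after the first write — a `finally` around those writes would be the safer shape there too. The patch only affects newly created cache files; files already written world-readable under the minion cache directory are not re-permissioned, which a deployment note or postinst step should cover. `sls()` starts and ends outside the hunk.
```python
st_ = salt.state.HighState(opts, pillar, kwargs.get('__pub_jid'))
umask = os.umask(0o77)
try:
    if kwargs.get('cache'):
        if os.path.isfile(cfn):
            with salt.utils.fopen(cfn, 'rb') as fp_:
                high_ = serial.load(fp_)
            return st_.state.call_high(high_)
finally:
    # restore on every exit path, including the early return above
    os.umask(umask)
# … unchanged: mods splitting and highstate compilation …
```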
@@ -0,0 +1,56 @@
+From d73f70ebb289142e4f692359fe741a54f5d2ad65 Mon Sep 17 00:00:00 2001
+From: Daniel Wallace <dwall...@saltstack.com>
+Date: Fri, 11 Mar 2016 08:25:05 -0700
+Subject: [PATCH] Remove ability of authenticating user to specify pam service
+
+This should be set at the master level, so that whoever is
+authenticating has to conform to what is set by the administrator that
+setup salt.
+---
+ salt/auth/pam.py | 16 +++++++++++-----
+ 1 file changed, 11 insertions(+), 5 deletions(-)
+
+--- a/salt/auth/pam.py
++++ b/salt/auth/pam.py
+@@ -12,6 +12,13 @@ a user against the Pluggable Authenticat
+
+ Implemented using ctypes, so no compilation is necessary.
+
++There is one extra configuration option for pam. The `pam_service` that is
++authenticated against. This defaults to `login`
++
++.. code-block:: yaml
++
++ auth.pam.service: login
++
+ .. note:: PAM authentication will not work for the ``root`` user.
+
+ The Python interface to PAM does not support authenticating as ``root``.
+@@ -120,7 +127,7 @@ def __virtual__():
+ return False
+
+
+-def authenticate(username, password, service='login'):
++def authenticate(username, password):
+ '''
+ Returns True if the given username and password authenticate for the
+ given service. Returns False otherwise
+@@ -128,10 +135,9 @@ def authenticate(username, password, ser
+ ``username``: the username to authenticate
+
+ ``password``: the password in plain text
+-
+- ``service``: the PAM service to authenticate against.
+- Defaults to 'login'
+ '''
++ service = __opts__.get('auth.pam.service', 'login')
++
+ @CONV_FUNC
+ def my_conv(n_messages, messages, p_response, app_data):
+ '''
+@@ -165,4 +171,4 @@ def auth(username, password, **kwargs):
+ '''
+ Authenticate via pam
+ '''
+- return authenticate(username, password, kwargs.get('service', 'login'))
++ return authenticate(username, password)
diff -Nru salt-2014.1.13+ds/debian/patches/series salt-2014.1.13+ds/debian/patches/series
--- salt-2014.1.13+ds/debian/patches/series 2015-02-13 06:06:38.000000000 +0100
+++ salt-2014.1.13+ds/debian/patches/series 2017-04-18 12:23:00.000000000 +0200
@@ -6,3 +6,7 @@
 0175_releasenotes
 remove_privacy_breaches
 doc_fixes
+CVE-2015-6918.patch
+CVE-2015-6941.patch
+CVE-2015-8034.patch
+CVE-2016-3176.patch
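Review bot: The new module docstring names the option `pam_service`, while the code reads `__opts__.get('auth.pam.service', 'login')` and the YAML example shows `auth.pam.service`; the prose should use the real key, e.g. `There is one extra configuration option for pam, ``auth.pam.service``, the PAM service authenticated against; it defaults to ``login``.` The `authenticate` docstring still opens with "for the given service" although the `service` parameter has been removed, so that sentence should now say the service comes from master configuration. `auth()` keeps `**kwargs` and now silently discards a caller-supplied `service`, so a client that still sends one is authenticated against the administrator's service with no feedback; a `log.warning('ignoring client-supplied pam service; using auth.pam.service from master config')` guarded by `if 'service' in kwargs:` would make the behaviour change visible to operators, assuming a module-level `log` exists outside the hunk. `__opts__` is presumably injected by the loader as for other auth modules, but that is not visible here.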