Your message dated Wed, 29 Jan 2020 15:05:10 +0000
with message-id <e1iwoty-000enp...@fasolo.debian.org>
and subject line Bug#949222: fixed in salt 2019.2.3+dfsg1-1
has caused the Debian Bug report #949222,
regarding salt: CVE-2019-17361
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
949222: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=949222
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: salt
Version: 2018.3.4+dfsg1-7
Severity: grave
Tags: security upstream
Justification: user security hole
Control: found -1 2018.3.4+dfsg1-6
Control: found -1 2016.11.2+ds-1+deb9u2
Control: found -1 2016.11.2+ds-1

Hi,

The following vulnerability was published for salt.

CVE-2019-17361[0]:
| In SaltStack Salt through 2019.2.0, the salt-api NEST API with the ssh
| client enabled is vulnerable to command injection. This allows an
| unauthenticated attacker with network access to the API endpoint to
| execute arbitrary code on the salt-api host.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2019-17361
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17361
[1] https://docs.saltstack.com/en/latest/topics/releases/2019.2.3.html#security-fix
[2] https://github.com/saltstack/salt/commit/bca115f3f00fbde564dd2f12bf036b5d2fd08387

Please adjust the affected versions as needed in the BTS. It looks to
me that all versions back to the stretch one have the problem, but an
explicit confirmation or nack would be welcome. I did check explicitly
the invocations in salt/netapi/__init__.py, but let me know if I
missed something.

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: salt
Source-Version: 2019.2.3+dfsg1-1

We believe that the bug you reported is fixed in the latest version of
salt, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 949...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Benjamin Drung <benjamin.dr...@cloud.ionos.com> (supplier of updated salt package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Wed, 29 Jan 2020 14:27:51 +0100
Source: salt
Architecture: source
Version: 2019.2.3+dfsg1-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Salt Team <pkg-salt-t...@lists.alioth.debian.org>
Changed-By: Benjamin Drung <benjamin.dr...@cloud.ionos.com>
Closes: 949222
Changes:
 salt (2019.2.3+dfsg1-1) unstable; urgency=medium
 .
   * New upstream release.
     - Fix command injection in salt-api NEST API (CVE-2019-17361)
       (Closes: #949222)
   * Drop 11 patches that are included upstream
   * Run KubernetesTestCase.test_setup_client_key_file again
   * Split and refresh patch for disabling failing tests
   * Refresh remaining patches
   * Skip hanging unit.transport.test_zeromq.AESReqTestCases
   * Skip failing ConfigTestCase.test_datetime_config_validation
   * Skip test_check_virtualname if source directory is not found
   * Mock kubernetes when building the documentation
   * Bump Standards-Version to 4.5.0 (no changes required)
   * Depend on python3-distro for Python >= 3.8
Checksums-Sha1:
 a80a6711eb7671ffb45619961e6ef626e939e739 4117 salt_2019.2.3+dfsg1-1.dsc
 221630384cd487e933235073496a03afde6ee157 9646872 salt_2019.2.3+dfsg1.orig.tar.xz
 7df010bcebe75486ceb75caccab17adf619607a4 109740 salt_2019.2.3+dfsg1-1.debian.tar.xz
 10bdca2064686ff02e695a2a6b4de218229052dc 13720 salt_2019.2.3+dfsg1-1_source.buildinfo
Checksums-Sha256:
 ef4a30149fe0845c2542be6f386a29d05093135c4465de46ca2ea16e20676198 4117 salt_2019.2.3+dfsg1-1.dsc
 43eb9839d633769b3fda4a9a3ba2df72a0dce347241c28a27d1a615aa0b76d5a 9646872 salt_2019.2.3+dfsg1.orig.tar.xz
 3b83666cd4663b2754b721b5be393e01e0125af693522d722eca88092537dcc4 109740 salt_2019.2.3+dfsg1-1.debian.tar.xz
 0daa723b4bf2795da5028a178bd21b5fffbf42cda72d30f4ee33b3c51314fed8 13720 salt_2019.2.3+dfsg1-1_source.buildinfo
Files:
 695c626f046ad6d6d107d0105e23858b 4117 admin optional salt_2019.2.3+dfsg1-1.dsc
 411138c1c1ccc0eec40c2e4f87a310b7 9646872 admin optional salt_2019.2.3+dfsg1.orig.tar.xz
 90eb5992a44841b8422b708f337aa287 109740 admin optional salt_2019.2.3+dfsg1-1.debian.tar.xz
 dba8268d5a4df190aa73a2890aa04c72 13720 admin optional salt_2019.2.3+dfsg1-1_source.buildinfo

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEE5/q3CzlQJ15towl13YzVpd6MfnoFAl4xm+8ACgkQ3YzVpd6M
fnp+eA//XZFvFwrpCHjpRZixTnYUgAqUN3r2Ib7Ves5fKaqOThKduWM6xE4fTy/d
b4wU/GK0B/Z8trpJOPI9WDqk5jXBPglxWxHkq8/VjnJ7oG/zi3Ra0Eqaksop0WZk
3diaWX9sGYEHzXThsVL26rQC74VAjgTIiuWiAKTeILrWQYkzTZ4cKC7iI8YELWdy
r8+r9kRxFLtsWa7CHveatT/0SqtOl1XdxgKmWTvjdbfwH3yRbg/LrwiicI2FVSxA
w4R5o5G0at8OFCFAP5XIxqdaNUg0iFgd+waMUtk95WReZcrablWZLLmZpxntjIia
nWxMKE2wj+OkZ6+Zl/oI9iRBAdv1dR9sP+qD1isKqrgo/51Crti/aBv36K2zEi5+
u44gv0eGUsbPxZn1iMtm8oNnGWRHg0MPmh5XbFutQW2Epkrx5zhT7+09xTwVf5pO
inhlz+rWU7qMA7cn5znnWLSR3/4RH5mra6LZBp2U+AA4ZJH4haIYSjsNQtf74XbI
D3XnbsKWaJHEiqUcQxTdqeAzt8c0kqnUH/3crWZtiD/ETehIStbKgDZ27Zu+vpRB
90c6qG6ywuY7mhMlTmC5Pdzip0Qf5QflQ4PpZL5lnHkC7fxhzJTJ7xxH7AzCVW9u
nbJ8ZG9LvXNmDNnv7vOoUWIDpziYmkS8vvJZXYVFLY/ICK6kUQc=
=LIJv
-----END PGP SIGNATURE-----

--- End Message ---
