Your message dated Sat, 09 May 2020 15:33:05 +0000
with message-id <e1jxrtn-00068e...@fasolo.debian.org>
and subject line Bug#949222: fixed in salt 2018.3.4+dfsg1-6+deb10u1
has caused the Debian Bug report #949222,
regarding salt: CVE-2019-17361
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
949222: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=949222
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: salt
Version: 2018.3.4+dfsg1-7
Severity: grave
Tags: security upstream
Justification: user security hole
Control: found -1 2018.3.4+dfsg1-6
Control: found -1 2016.11.2+ds-1+deb9u2
Control: found -1 2016.11.2+ds-1
Hi,
The following vulnerability was published for salt.
CVE-2019-17361[0]:
| In SaltStack Salt through 2019.2.0, the salt-api NEST API with the ssh
| client enabled is vulnerable to command injection. This allows an
| unauthenticated attacker with network access to the API endpoint to
| execute arbitrary code on the salt-api host.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2019-17361
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17361
[1] https://docs.saltstack.com/en/latest/topics/releases/2019.2.3.html#security-fix
[2] https://github.com/saltstack/salt/commit/bca115f3f00fbde564dd2f12bf036b5d2fd08387
Please adjust the affected versions as needed in the BTS. It looks to
me that all versions back to the stretch one have the problem, but an
explicit confirmation or nack would be welcome. I did check explicitly
the invocations in salt/netapi/__init__.py, but let me know if I
missed something.
Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: salt
Source-Version: 2018.3.4+dfsg1-6+deb10u1
Done: Salvatore Bonaccorso <car...@debian.org>
We believe that the bug you reported is fixed in the latest version of
salt, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 949...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Salvatore Bonaccorso <car...@debian.org> (supplier of updated salt package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Sun, 03 May 2020 21:11:01 +0200
Source: salt
Architecture: source
Version: 2018.3.4+dfsg1-6+deb10u1
Distribution: buster-security
Urgency: high
Maintainer: Debian Salt Team <pkg-salt-t...@lists.alioth.debian.org>
Changed-By: Salvatore Bonaccorso <car...@debian.org>
Closes: 949222 959684
Changes:
salt (2018.3.4+dfsg1-6+deb10u1) buster-security; urgency=high
.
* Non-maintainer upload by the Security Team.
* Fix CVE-2020-11651: Resolve issue which allows access to un-intended
methods in the ClearFuncs class of the salt-master process
(Closes: #959684)
* Fix CVE-2020-11652: Sanitize paths in ClearFuncs methods provided by
salt-master (Closes: #959684)
* Add note about log messages to hardening salt docs
* salt-api NET API with the ssh client enabled is vulnerable to command
injection (CVE-2019-17361) (Closes: #949222)
Checksums-Sha1:
a61935e1374c53ec4bc5bf8d5c720543e5f2d272 4195 salt_2018.3.4+dfsg1-6+deb10u1.dsc
8293356cdcdb4db5777c28dda673e2620ae23520 9087128 salt_2018.3.4+dfsg1.orig.tar.xz
c1b9eab6aca4cf47f32e93611141d3eaa43f9122 70292 salt_2018.3.4+dfsg1-6+deb10u1.debian.tar.xz
509e0391fd22f241811cfcdcb449ae778bc45dc9 8218 salt_2018.3.4+dfsg1-6+deb10u1_source.buildinfo
Checksums-Sha256:
8bac5f5aea83d610410f896d240e67eeaa8a1bf26fd4817b557e2610e59e025b 4195 salt_2018.3.4+dfsg1-6+deb10u1.dsc
c1793b5eeb98fbb8e0698b59d5f3a55d2684da17a053d3f498ec84d1e81edd2a 9087128 salt_2018.3.4+dfsg1.orig.tar.xz
6544d7857eb1f72acdb82f99cd1b634d398e8b6a2edba30d2b1cda91b2c74a58 70292 salt_2018.3.4+dfsg1-6+deb10u1.debian.tar.xz
556158ade5516359e60d2acc3ddf4529b5589fc875c4cc6d8fccbf815fbd0c7f 8218 salt_2018.3.4+dfsg1-6+deb10u1_source.buildinfo
Files:
fa389095007893da303a2989902e76cb 4195 admin optional salt_2018.3.4+dfsg1-6+deb10u1.dsc
1b07796d2b1af27ca51aa31efdfe6a69 9087128 admin optional salt_2018.3.4+dfsg1.orig.tar.xz
7c7df81b2c6bfda743ac3734700ae5f1 70292 admin optional salt_2018.3.4+dfsg1-6+deb10u1.debian.tar.xz
8f81d545ed0b54742d72c5c43328f214 8218 admin optional salt_2018.3.4+dfsg1-6+deb10u1_source.buildinfo
-----BEGIN PGP SIGNATURE-----
=8yul
-----END PGP SIGNATURE-----
--- End Message ---
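As an added example (not part of the bug mail, the Debian tooling or the salt package): the Checksums-Sha256 field in the .changes file above is what anyone fetching these source files to rebuild or audit the fix should verify them against, after checking the .changes file's own PGP signature. The parser below reads that field in its deb822 form (the entries from this mail, re-joined onto one line each with the leading-space continuation marker the format uses), and verify_files reports a per-file status. The function names are mine; the file contents are constructed, so only the constructed entry can verify as ok, while the page's own entries show the three failure cases.

```python
"""Verify Debian package files against the Checksums-Sha256 field of a
.changes file (added example, not part of the bug mail or of salt)."""
import hashlib
import re
from typing import Dict, Tuple

# The Checksums-Sha256 entries from the salt 2018.3.4+dfsg1-6+deb10u1
# .changes file quoted in the bug-closing mail, re-joined onto one line
# each. The leading space on each entry is the deb822 continuation marker.
CHANGES_TEXT = """\
Format: 1.8
Source: salt
Version: 2018.3.4+dfsg1-6+deb10u1
Checksums-Sha256:
 8bac5f5aea83d610410f896d240e67eeaa8a1bf26fd4817b557e2610e59e025b 4195 salt_2018.3.4+dfsg1-6+deb10u1.dsc
 c1793b5eeb98fbb8e0698b59d5f3a55d2684da17a053d3f498ec84d1e81edd2a 9087128 salt_2018.3.4+dfsg1.orig.tar.xz
 6544d7857eb1f72acdb82f99cd1b634d398e8b6a2edba30d2b1cda91b2c74a58 70292 salt_2018.3.4+dfsg1-6+deb10u1.debian.tar.xz
 556158ade5516359e60d2acc3ddf4529b5589fc875c4cc6d8fccbf815fbd0c7f 8218 salt_2018.3.4+dfsg1-6+deb10u1_source.buildinfo
Files:
 fa389095007893da303a2989902e76cb 4195 admin optional salt_2018.3.4+dfsg1-6+deb10u1.dsc
"""

# One entry line of the field: "<sha256-hex> <size-in-bytes> <filename>".
_ENTRY_RE = re.compile(r"^\s*([0-9a-fA-F]{64})\s+(\d+)\s+(\S+)\s*$")


def parse_checksums_sha256(changes_text: str) -> Dict[str, Tuple[str, int]]:
    """Return {filename: (sha256_hex, size)} from the Checksums-Sha256 field.

    deb822 fields are multi-line: the "Field:" line is followed by
    continuation lines that begin with whitespace, and the first line
    without leading whitespace (here "Files:") starts the next field.
    """
    entries: Dict[str, Tuple[str, int]] = {}
    in_field = False
    for line in changes_text.splitlines():
        if not in_field:
            in_field = line.strip() == "Checksums-Sha256:"
            continue
        if not line[:1].isspace():
            break
        m = _ENTRY_RE.match(line)
        if not m:
            raise ValueError("malformed Checksums-Sha256 entry: %r" % line)
        digest, size, name = m.groups()
        entries[name] = (digest.lower(), int(size))
    if not entries:
        raise ValueError("no Checksums-Sha256 field found")
    return entries


def verify_files(expected: Dict[str, Tuple[str, int]],
                 files: Dict[str, bytes]) -> Dict[str, str]:
    """Compare fetched file contents with the parsed entries.

    Status per file is "ok", "missing", "size-mismatch" or "hash-mismatch".
    Size is checked before hashing because it is cheap and catches a
    truncated download; a file named in the .changes but not supplied is
    reported as missing rather than silently skipped.
    """
    results: Dict[str, str] = {}
    for name, (want_digest, want_size) in expected.items():
        data = files.get(name)
        if data is None:
            results[name] = "missing"
        elif len(data) != want_size:
            results[name] = "size-mismatch"
        elif hashlib.sha256(data).hexdigest() != want_digest:
            results[name] = "hash-mismatch"
        else:
            results[name] = "ok"
    return results


def demo() -> Dict[str, str]:
    """Run the check on constructed stand-ins for the files in the mail."""
    expected = parse_checksums_sha256(CHANGES_TEXT)
    # Constructed: the real archive files are not embedded here, so the
    # page's entries can only fail. One extra constructed entry, hashed
    # right here, exercises the success path.
    payload = b"constructed file content\n"
    expected["constructed.txt"] = (hashlib.sha256(payload).hexdigest(), len(payload))
    files = {
        "salt_2018.3.4+dfsg1-6+deb10u1.dsc": b"Format: 3.0 (quilt)\n",  # wrong length
        "salt_2018.3.4+dfsg1-6+deb10u1.debian.tar.xz": b"\x00" * 70292,  # right length, wrong bytes
        "constructed.txt": payload,
        # orig.tar.xz and _source.buildinfo deliberately absent
    }
    return verify_files(expected, files)


if __name__ == "__main__":
    for name, status in sorted(demo().items()):
        print("%-50s %s" % (name, status))
```

On a real download the files dict would be filled from the directory the .dsc and tarballs were fetched into; any status other than ok for every listed file means the source tree should not be built or trusted.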