Your message dated Tue, 02 Mar 2021 14:22:05 +0000
with message-id <e1lh5ux-000hil...@fasolo.debian.org>
and subject line Bug#983632: fixed in salt 3002.5+dfsg1-1
has caused the Debian Bug report #983632,
regarding salt: CVE-2020-28243 CVE-2020-28972 CVE-2020-35662 CVE-2021-3148 
CVE-2021-3144 CVE-2021-25281 CVE-2021-25282 CVE-2021-25283 CVE-2021-25284 
CVE-2021-3197
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
983632: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=983632
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: salt
Version: 3002.2+dfsg1-1
Severity: grave
Tags: security upstream
Justification: user security hole
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>

Hi,

The following vulnerabilities were published for salt.

CVE-2020-28243[0]:
| An issue was discovered in SaltStack Salt before 3002.5. The minion's
| restartcheck is vulnerable to command injection via a crafted process
| name. This allows for a local privilege escalation by any user able to
| create files on the minion in a non-blacklisted directory.


CVE-2020-28972[1]:
| In SaltStack Salt before 3002.5, authentication to VMware vCenter,
| vSphere, and ESXi servers (in the vmware.py files) does not always
| validate the SSL/TLS certificate.


CVE-2020-35662[2]:
| In SaltStack Salt before 3002.5, when authenticating to services using
| certain modules, the SSL certificate is not always validated.


CVE-2021-3148[3]:
| An issue was discovered in SaltStack Salt before 3002.5. Sending
| crafted web requests to the Salt API can result in
| salt.utils.thin.gen_thin() command injection because of different
| handling of single versus double quotes. This is related to
| salt/utils/thin.py.


CVE-2021-3144[4]:
| In SaltStack Salt before 3002.5, eauth tokens can be used once after
| expiration. (They might be used to run commands against the salt master
| or minions.)


CVE-2021-25281[5]:
| An issue was discovered in SaltStack Salt before 3002.5. salt-
| api does not honor eauth credentials for the wheel_async client. Thus,
| an attacker can remotely run any wheel modules on the master.


CVE-2021-25282[6]:
| An issue was discovered in SaltStack Salt before 3002.5. The
| salt.wheel.pillar_roots.write method is vulnerable to directory
| traversal.


CVE-2021-25283[7]:
| An issue was discovered in SaltStack Salt before 3002.5. The
| jinja renderer does not protect against server side template injection
| attacks.


CVE-2021-25284[8]:
| An issue was discovered in SaltStack Salt before 3002.5.
| salt.modules.cmdmod can log credentials to the info or error log
| level.


CVE-2021-3197[9]:
| An issue was discovered in SaltStack Salt before 3002.5. The salt-
| api's ssh client is vulnerable to a shell injection by including
| ProxyCommand in an argument, or via ssh_options provided in an API
| request.


If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2020-28243
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28243
[1] https://security-tracker.debian.org/tracker/CVE-2020-28972
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28972
[2] https://security-tracker.debian.org/tracker/CVE-2020-35662
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-35662
[3] https://security-tracker.debian.org/tracker/CVE-2021-3148
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3148
[4] https://security-tracker.debian.org/tracker/CVE-2021-3144
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3144
[5] https://security-tracker.debian.org/tracker/CVE-2021-25281
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-25281
[6] https://security-tracker.debian.org/tracker/CVE-2021-25282
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-25282
[7] https://security-tracker.debian.org/tracker/CVE-2021-25283
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-25283
[8] https://security-tracker.debian.org/tracker/CVE-2021-25284
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-25284
[9] https://security-tracker.debian.org/tracker/CVE-2021-3197
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3197
[10] https://gitlab.com/saltstack/open/salt-patches
[11] https://saltproject.io/security_announcements/active-saltstack-cve-release-2021-feb-25/

Regards,
Salvatore

--- End Message ---
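CVE-2021-3144 in the report above says an expired eauth token could still be used once. The following is an added, constructed Python illustration (not Salt's code, and not a claim about Salt's actual root cause) of the check-then-evict ordering that produces exactly that symptom, next to the corrected form; the TokenStore class, the injected clock and the user name "alice" are all assumptions made for the demo.

```python
# Hypothetical illustration (constructed for this note, not Salt's code) of how
# an eauth-style token check can accept an expired token exactly once.
import secrets
import time


class TokenStore:
    def __init__(self, clock=time.time):
        self._tokens = {}
        self._clock = clock  # injectable so the demo below is deterministic

    def issue(self, user, ttl_seconds):
        token = secrets.token_hex(16)
        self._tokens[token] = {"user": user, "expire": self._clock() + ttl_seconds}
        return token

    def check_flawed(self, token):
        """Evicts the stale entry but falls through and returns it anyway,
        so the first request after expiry is still authenticated."""
        data = self._tokens.get(token)
        if data is None:
            return None
        if data["expire"] < self._clock():
            del self._tokens[token]  # BUG: no early return after eviction
        return data

    def check_fixed(self, token):
        """Expiry decides the outcome before the entry is ever returned."""
        data = self._tokens.get(token)
        if data is None or data["expire"] < self._clock():
            self._tokens.pop(token, None)
            return None
        return data


def demo(check_name, advance_seconds):
    """Issue a 60 s token, move a fake clock forward, then check it twice.
    Returns how many of the two checks succeeded."""
    clock = [1000.0]
    store = TokenStore(lambda: clock[0])
    token = store.issue("alice", 60)
    clock[0] += advance_seconds
    check = getattr(store, check_name)
    return sum(1 for _ in range(2) if check(token) is not None)


if __name__ == "__main__":
    print("flawed, after expiry:", demo("check_flawed", 61))  # 1
    print("fixed, after expiry:", demo("check_fixed", 61))    # 0
```

A regression test for this class of bug should therefore check an expired token twice in a row, since a single check cannot distinguish the flawed path from the fixed one.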
--- Begin Message ---
Source: salt
Source-Version: 3002.5+dfsg1-1
Done: Benjamin Drung <benjamin.dr...@cloud.ionos.com>

We believe that the bug you reported is fixed in the latest version of
salt, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 983...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Benjamin Drung <benjamin.dr...@cloud.ionos.com> (supplier of updated salt 
package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Tue, 02 Mar 2021 14:34:15 +0100
Source: salt
Architecture: source
Version: 3002.5+dfsg1-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Salt Team <pkg-salt-t...@alioth-lists.debian.net>
Changed-By: Benjamin Drung <benjamin.dr...@cloud.ionos.com>
Closes: 983632
Changes:
 salt (3002.5+dfsg1-1) unstable; urgency=medium
 .
   * New upstream release fixing several security issues (Closes: #983632):
     CVE-2020-28243, CVE-2020-28972, CVE-2020-35662, CVE-2021-3148,
     CVE-2021-3144, CVE-2021-25281, CVE-2021-25282, CVE-2021-25283,
     CVE-2021-25284, CVE-2021-3197
   * Fix test_run_all_output_loglevel_debug
   * test_module_names: Exclude unit.auth.test_auth
Checksums-Sha1:
Checksums-Sha256:
Files:


--- End Message ---