Your message dated Tue, 27 Apr 2021 19:33:34 +0000
with message-id <e1lbtsg-0009en...@fasolo.debian.org>
and subject line Bug#987496: fixed in salt 3002.6+dfsg1-2
has caused the Debian Bug report #987496,
regarding salt: CVE-2021-31607
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
987496: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=987496
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: salt
Version: 3002.6+dfsg1-1
Severity: grave
Tags: security upstream
Justification: user security hole
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>
Control: found -1 2018.3.4+dfsg1-6+deb10u2
Control: found -1 2018.3.4+dfsg1-6
Hi,
The following vulnerability was published for salt.
CVE-2021-31607[0]:
| In SaltStack Salt 2016.9 through 3002.6, a command injection
| vulnerability exists in the snapper module that allows for local
| privilege escalation on a minion. The attack requires that a file is
| created with a pathname that is backed up by snapper, and that the
| master calls the snapper.diff function (which executes popen
| unsafely).
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2021-31607
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-31607
[1] https://sec.stealthcopter.com/saltstack-snapper-minion-privledge-escaltion/
Please adjust the affected versions in the BTS as needed, but
according to the reporter all versions from 2016.9 through 3002.6
are affected.
Regards,
Salvatore
--- End Message ---
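As an added example (not Salt's code and not part of this report): the pattern the CVE text describes, a file name interpolated into a command string that is handed to a shell via popen, next to the argv form that takes the shell out of the path. The `/.snapshots` layout and the `diff` invocation are assumptions for illustration; the constructed file name shows how a shell would parse the unsafe string, while the argv form delivers it to the child as a single argument.

```python
"""Illustration of the CVE-2021-31607 pattern (assumed, not Salt's code):
a pathname reaching a shell-parsed command string versus passing it as one
argv element. SNAPSHOT_ROOT and the diff invocation are assumptions."""
import shlex
import subprocess
import sys

SNAPSHOT_ROOT = "/.snapshots/1/snapshot"  # assumed layout for illustration

# Shell tokens that start a new command when a string is parsed by /bin/sh.
SEPARATORS = {";", "&&", "||", "|", "&"}


def unsafe_command(path):
    """Vulnerable pattern: the file name is interpolated into a string that a
    shell will parse (what Popen(cmd, shell=True) would receive)."""
    return "diff -u {0}{1} {1}".format(SNAPSHOT_ROOT, path)


def safe_argv(path):
    """Hardened pattern: an argv list and no shell, so the path stays one
    argument whatever characters it contains."""
    return ["diff", "-u", SNAPSHOT_ROOT + path, path]


def shell_commands(cmd):
    """Tokenise a command string the way a POSIX shell would and return the
    list of commands it contains (each a token list). More than one command
    means untrusted data has become code."""
    lexer = shlex.shlex(cmd, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True
    commands, current = [], []
    for token in lexer:
        if token in SEPARATORS:
            commands.append(current)
            current = []
        else:
            current.append(token)
    commands.append(current)
    return [c for c in commands if c]


def argument_as_received(path):
    """Run a child without a shell and return the path exactly as the child
    saw it in sys.argv[1]; shell metacharacters arrive as plain text."""
    proc = subprocess.run(
        [sys.executable, "-c", "import sys; print(sys.argv[1])", path],
        capture_output=True, text=True, check=True)
    return proc.stdout.rstrip("\n")


if __name__ == "__main__":
    # Constructed file names: one ordinary, one carrying a shell separator.
    for p in ["/tmp/report.txt", "/tmp/x; echo hi"]:
        n = len(shell_commands(unsafe_command(p)))
        print("%r -> %d shell command(s) if parsed by a shell; argv keeps %r"
              % (p, n, safe_argv(p)[-1]))
```

The check in `shell_commands` is the kind of unit test a module like this should carry: every path that reaches the command builder must yield exactly one command, and the argv form makes that hold by construction rather than by filtering characters.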
--- Begin Message ---
Source: salt
Source-Version: 3002.6+dfsg1-2
Done: Benjamin Drung <benjamin.dr...@ionos.com>
We believe that the bug you reported is fixed in the latest version of
salt, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 987...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Benjamin Drung <benjamin.dr...@ionos.com> (supplier of updated salt package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Tue, 27 Apr 2021 19:20:29 +0200
Source: salt
Architecture: source
Version: 3002.6+dfsg1-2
Distribution: unstable
Urgency: medium
Maintainer: Debian Salt Team <pkg-salt-t...@alioth-lists.debian.net>
Changed-By: Benjamin Drung <benjamin.dr...@ionos.com>
Closes: 987496
Changes:
salt (3002.6+dfsg1-2) unstable; urgency=medium
.
* Fix CVE-2021-31607 in snapper module (Closes: #987496)
* doc: Set latest version during documentation generation
Checksums-Sha1:
dff79bc4b5ceaa2ad6a134ec1c1cfcafc449af0a 4186 salt_3002.6+dfsg1-2.dsc
6cd2c7b157e5ac4d9426d8805cf3f194f40a726d 73280 salt_3002.6+dfsg1-2.debian.tar.xz
17768ea23f17088f18896e4d136bccedb7d072c1 13822 salt_3002.6+dfsg1-2_source.buildinfo
Checksums-Sha256:
8eb2eafcc0bec6f5f0610084c79a5d0339782c2b24f283f59c9c64910b17bc17 4186 salt_3002.6+dfsg1-2.dsc
0d0317e7848ab1bd7137d02827cd91a20ff0e019b6cec1b813eb75e0676d0797 73280 salt_3002.6+dfsg1-2.debian.tar.xz
91ad7d8e931baa6ab0a25f89c6fe0decdee7aec2305d5b7b3f312e968185d067 13822 salt_3002.6+dfsg1-2_source.buildinfo
Files:
66b22e98a92fb22422babfaf657f6d93 4186 admin optional salt_3002.6+dfsg1-2.dsc
75177041f94fdcd732a601b379caa43d 73280 admin optional salt_3002.6+dfsg1-2.debian.tar.xz
5da57becbbcf6de9b80b1442dd0549c6 13822 admin optional salt_3002.6+dfsg1-2_source.buildinfo
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---