Your message dated Wed, 13 Oct 2021 19:20:31 +0000
with message-id <e1majnj-000f4g...@fasolo.debian.org>
and subject line Bug#994016: fixed in salt 3002.7+dfsg1-1
has caused the Debian Bug report #994016,
regarding salt: CVE-2021-21996 CVE-2021-22004
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
994016: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=994016
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: salt
Version: 3002.6+dfsg1-4
Severity: grave
Tags: security upstream
Justification: user security hole
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>
Hi,
The following vulnerabilities were published for salt.
CVE-2021-21996[0]:
| An issue was discovered in SaltStack Salt before 3003.3. A user who
| has control of the source, and source_hash URLs can gain full file
| system access as root on a salt minion.
CVE-2021-22004[1]:
| An issue was discovered in SaltStack Salt before 3003.3. The salt
| minion installer will accept and use a minion config file at
| C:\salt\conf if that file is in place before the installer is run.
| This allows for a malicious actor to subvert the proper behaviour of
| the given minion software.
If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2021-21996
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21996
[1] https://security-tracker.debian.org/tracker/CVE-2021-22004
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22004
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: salt
Source-Version: 3002.7+dfsg1-1
Done: Benjamin Drung <benjamin.dr...@ionos.com>
We believe that the bug you reported is fixed in the latest version of
salt, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 994...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Benjamin Drung <benjamin.dr...@ionos.com> (supplier of updated salt package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Wed, 13 Oct 2021 21:01:21 +0200
Source: salt
Built-For-Profiles: noudeb
Architecture: source
Version: 3002.7+dfsg1-1
Distribution: unstable
Urgency: high
Maintainer: Debian Salt Team <pkg-salt-t...@alioth-lists.debian.net>
Changed-By: Benjamin Drung <benjamin.dr...@ionos.com>
Closes: 994016 996271
Changes:
 salt (3002.7+dfsg1-1) unstable; urgency=high
 .
   * New upstream CVE security fix release fixing CVE-2021-21996 and
     CVE-2021-22004 (Closes: #994016)
   * Drop Fix-CVE-2021-31607-in-snapper-module.patch (applied upstream)
   * Update homepage URL to saltproject.io
   * Fix doc building with sphinx 4.2.0
   * Depend on bind9-dnsutils for NetworkTestCase.test_dig
   * Bump Standards-Version to 4.6.0
   * Update lintian overrides for lintian 2.108.0
   * Backport schedule.job_status from version 3003
   * templates: move the globals up to the Environment (Jinja2 3.0.0)
     (upstream #60811, closes: #996271)
   * Override lintian error python-traceback-in-manpage for salt man page
   * Depend on python3-m2crypto as alternative to python3-pycryptodome
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---