Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package salt for openSUSE:Factory checked in at 2026-04-28 11:53:48 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/salt (Old) and /work/SRC/openSUSE:Factory/.salt.new.11940 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "salt" Tue Apr 28 11:53:48 2026 rev:194 rq:1349536 version:3006.0 Changes: -------- --- /work/SRC/openSUSE:Factory/salt/salt.changes 2026-04-18 21:34:01.307811896 +0200 +++ /work/SRC/openSUSE:Factory/.salt.new.11940/salt.changes 2026-04-28 11:54:16.920296388 +0200 @@ -1,0 +2,10 @@ +Mon Apr 27 07:33:48 UTC 2026 - Marek Czernek <[email protected]> + +- BDSA-2025-60810: Harden Tornado from invalid HTTP reason phrases +- Read full URI from ldap pillar config (bsc#1254900) + +- Added: + * bdsa-2025-60810-harden-against-invalid-http-reason-p.patch + * read-full-uri-from-ldap-pillar-config-753.patch + +------------------------------------------------------------------- New: ---- bdsa-2025-60810-harden-against-invalid-http-reason-p.patch read-full-uri-from-ldap-pillar-config-753.patch ----------(New B)---------- New:- Added: * bdsa-2025-60810-harden-against-invalid-http-reason-p.patch * read-full-uri-from-ldap-pillar-config-753.patch New: * bdsa-2025-60810-harden-against-invalid-http-reason-p.patch * read-full-uri-from-ldap-pillar-config-753.patch ----------(New E)---------- ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ salt.spec ++++++ --- /var/tmp/diff_new_pack.A7WS9a/_old 2026-04-28 11:54:22.908543657 +0200 +++ /var/tmp/diff_new_pack.A7WS9a/_new 2026-04-28 11:54:22.912543823 +0200 
@@ -633,6 +633,11 @@ # PATCH-FIX_UPSTREAM: https://github.com/saltstack/salt/pull/68928 # PATCH-FIX_OPENSUSE: https://github.com/openSUSE/salt/pull/754 Patch201: fix-test-failures-754.patch +# PATCH-FIX_OPENSUSE: https://github.com/openSUSE/salt/pull/753 +Patch202: read-full-uri-from-ldap-pillar-config-753.patch +# PATCH-FIX_UPSTREAM: https://github.com/saltstack/salt/pull/68855 +# PATCH-FIX_OPENSUSE: https://github.com/openSUSE/salt/pull/757 +Patch203: bdsa-2025-60810-harden-against-invalid-http-reason-p.patch ### IMPORTANT: The line below is used as a snippet marker. Do not touch it. ### SALT PATCHES LIST END ++++++ _lastrevision ++++++ --- /var/tmp/diff_new_pack.A7WS9a/_old 2026-04-28 11:54:23.068550264 +0200 +++ /var/tmp/diff_new_pack.A7WS9a/_new 2026-04-28 11:54:23.076550595 +0200 @@ -1,3 +1,3 @@ -8b6e8757be49c548a84a0245e1bd8e90b1f966ba +53c103db41a166997e1d5c5fff0a3d34327d4110 (No newline at EOF) ++++++ bdsa-2025-60810-harden-against-invalid-http-reason-p.patch ++++++ >From c2d4a1083bcce46fc239bc03a75b87d04b9bf47e Mon Sep 17 00:00:00 2001 From: Marek Czernek <[email protected]> Date: Mon, 27 Apr 2026 09:07:49 +0200 Subject: [PATCH] (BDSA-2025-60810) Harden against invalid HTTP reason phrases (#757) We allow applications to set custom reason phrases for the HTTP status line (to support custom status codes), but if this were exposed to untrusted data it could be exploited in various ways. This commit guards against invalid reason phrases in both HTTP headers and in error pages. --- salt/ext/tornado/web.py | 26 ++++++++++++++++++++------ 1 file changed, 20 insertions(+), 6 deletions(-) diff --git a/salt/ext/tornado/web.py b/salt/ext/tornado/web.py index bb76abef359..ce381ea9113 100644 --- a/salt/ext/tornado/web.py +++ b/salt/ext/tornado/web.py 
@@ -313,11 +313,21 @@ class RequestHandler(object): :arg int status_code: Response status code. If ``reason`` is ``None``, it must be present in `httplib.responses <http.client.responses>`. :arg string reason: Human-readable reason phrase describing the status - code. If ``None``, it will be filled in from - `httplib.responses <http.client.responses>`. + code (for example, the "Not Found" in ``HTTP/1.1 404 Not Found``). + Normally determined automatically from `http.client.responses`; this + argument should only be used if you need to use a non-standard + status code. """ self._status_code = status_code if reason is not None: + if "<" in reason or not RequestHandler._REASON_PHRASE_RE.fullmatch(reason): + # Logically this would be better as an exception, but this method + # is called on error-handling paths that would need some refactoring + # to tolerate internal errors cleanly. + # + # The check for "<" is a defense-in-depth against XSS attacks (we also + # escape the reason when rendering error pages). + reason = "Unknown" self._reason = escape.native_str(reason) else: try: @@ -358,6 +368,7 @@ class RequestHandler(object): del self._headers[name] _INVALID_HEADER_CHAR_RE = re.compile(r"[\x00-\x1f]") + _REASON_PHRASE_RE = re.compile(r"(?:[\t ]|[\x21-\x7E]|[\x80-\xFF])+") def _convert_header_value(self, value): # type: (_HeaderTypes) -> str @@ -1058,7 +1069,8 @@ class RequestHandler(object): reason = exception.reason self.set_status(status_code, reason=reason) try: - self.write_error(status_code, **kwargs) + if status_code != 304: + self.write_error(status_code, **kwargs) except Exception: app_log.error("Uncaught exception in write_error", exc_info=True) if not self._finished: @@ -1086,7 +1098,7 @@ class RequestHandler(object): self.finish("<html><title>%(code)d: %(message)s</title>" "<body>%(code)d: %(message)s</body></html>" % { "code": status_code, - "message": self._reason, + "message": escape.xhtml_escape(self._reason), }) @property 
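Review bot: A rejected reason phrase is replaced by "Unknown" without any trace, so the exact situation this check exists to catch — a caller feeding user-controlled or malformed text into set_status() — never shows up in logs; I would record it before the substitution, e.g. `app_log.warning("Rejected invalid HTTP reason phrase %r; using 'Unknown'", reason)` (`app_log` is already used on the error path later in this file, and `%r` keeps any CR/LF in the offending value from reaching the log as raw control characters). The regex admits only HTAB, SP and printable bytes, so CR/LF can no longer reach the status line, and the `<` test is a second layer on top of the escaping done in write_error. set_status() begins before this hunk and its `else:` branch continues past it.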
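Review bot: `_REASON_PHRASE_RE` is a security boundary with no comment saying what it admits or why, and it has one non-obvious consequence: it is matched against a `str`, so `[\x80-\xFF]` covers only code points U+0080–U+00FF and any reason phrase containing a character outside Latin-1 fails `fullmatch` and becomes "Unknown". I would add above it: `# Status-line reason text per RFC 9110 §15.1: HTAB / SP / VCHAR / obs-text.` and `# CR, LF and other controls are excluded (response splitting); non-Latin-1 text is rejected too.` Defining the pattern after set_status() is fine, since it is only resolved at call time through `RequestHandler._REASON_PHRASE_RE`.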
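Review bot: The new guard skips write_error() only for 304, but a 204 response may not carry a body either; if the vendored `finish()` asserts an empty write buffer for both 204 and 304 as upstream Tornado's does (not visible in this diff), a handler raising `HTTPError(204)` would still trip that assertion on the error path. `if status_code not in (204, 304):` would close both cases at once. send_error() starts before this hunk and continues after it.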
@@ -2185,9 +2197,11 @@ class HTTPError(Exception): mode). May contain ``%s``-style placeholders, which will be filled in with remaining positional parameters. :arg string reason: Keyword-only argument. The HTTP "reason" phrase - to pass in the status line along with ``status_code``. Normally + to pass in the status line along with ``status_code`` (for example, + the "Not Found" in ``HTTP/1.1 404 Not Found``). Normally determined automatically from ``status_code``, but can be used - to use a non-standard numeric code. + to use a non-standard numeric code. This is not a general-purpose + error message. """ def __init__(self, status_code=500, log_message=None, *args, **kwargs): self.status_code = status_code -- 2.53.0 ++++++ read-full-uri-from-ldap-pillar-config-753.patch ++++++ >From 1f9fcdede42dc1ccf3866726c2126d9a92ec6df0 Mon Sep 17 00:00:00 2001 From: Alexander Graul <[email protected]> Date: Wed, 22 Apr 2026 13:47:43 +0200 Subject: [PATCH] Read full URI from ldap pillar config (#753) A full URI allows the user to set a scheme for the ldap connection and enables tls. This is a workaround for the ldap execution module, which is used by the ldap pillar module. While the ldap auth module supports both "tls" and "starttls" modes, the ldap execution module only supports "starttls", which it calls "tls". Fixes https://bugzilla.suse.com/show_bug.cgi?id=1254900 --- salt/modules/ldapmod.py | 2 +- salt/pillar/pillar_ldap.py | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/salt/modules/ldapmod.py b/salt/modules/ldapmod.py index 8b1e22d994..9cffd76a1e 100644 --- a/salt/modules/ldapmod.py +++ b/salt/modules/ldapmod.py @@ -190,7 +190,7 @@ class _LDAPConnection: self.binddn = binddn self.bindpw = bindpw - if self.uri == "": + if self.uri is None or self.uri == "": self.uri = "ldap://{}:{}".format(self.server, self.port) try: diff --git a/salt/pillar/pillar_ldap.py b/salt/pillar/pillar_ldap.py index 9649194ad0..be19f6d296 100644 
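Review bot: `if self.uri is None or self.uri == "":` can simply be `if not self.uri:`, which covers both values the pillar module now hands in (an unset `uri` presumably arrives as `None`, which is what this change accommodates) without enumerating them. The fallback on the next line silently builds a plaintext `ldap://` URL, so the `bindpw` assigned just above travels in the clear unless the connection is upgraded later in `__init__` (the `tls`/STARTTLS handling is outside this hunk); I would make that explicit with `# No explicit URI: default to plaintext ldap://host:port; confidentiality then depends on the tls (STARTTLS) option` above the assignment. `_LDAPConnection.__init__` starts before this hunk and continues past the `try:`.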
--- a/salt/pillar/pillar_ldap.py +++ b/salt/pillar/pillar_ldap.py @@ -271,7 +271,7 @@ def _do_search(conf): """ # Build LDAP connection args connargs = {} - for name in ["server", "port", "tls", "binddn", "bindpw", "anonymous"]: + for name in ["uri", "server", "port", "tls", "binddn", "bindpw", "anonymous"]: connargs[name] = _config(name, conf) if connargs["binddn"] and connargs["bindpw"]: connargs["anonymous"] = False -- 2.53.0
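Review bot: The new `uri` key is read from the pillar config but nothing in this patch documents it, and its interaction with the existing `tls` key is the part operators will get wrong: per the commit message `tls` means STARTTLS in the execution module, so a config combining `uri: ldaps://...` with `tls: True` would presumably attempt STARTTLS over an already-encrypted connection. I would add a `uri` entry to the pillar_ldap module docstring (outside this hunk) stating that when set it takes precedence over `server`/`port` (the execution module only builds `ldap://server:port` when `uri` is empty), that an `ldaps://` URI is the way to get TLS from the first byte, and that `tls` remains a STARTTLS switch meant for `ldap://` URIs. Whether `_config("uri", conf)` yields `None` or `""` when the key is absent is not visible here; the ldapmod change in the same patch suggests `None`. `_do_search` begins before this hunk and continues after it.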
