Source: salt
Version: 2018.3.4+dfsg1-7
Severity: grave
Tags: security upstream
Justification: user security hole
Control: found -1 2018.3.4+dfsg1-6
Control: found -1 2016.11.2+ds-1+deb9u2
Control: found -1 2016.11.2+ds-1
Hi,

The following vulnerability was published for salt.

CVE-2019-17361[0]:
| In SaltStack Salt through 2019.2.0, the salt-api NEST API with the ssh
| client enabled is vulnerable to command injection. This allows an
| unauthenticated attacker with network access to the API endpoint to
| execute arbitrary code on the salt-api host.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2019-17361
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17361
[1] https://docs.saltstack.com/en/latest/topics/releases/2019.2.3.html#security-fix
[2] https://github.com/saltstack/salt/commit/bca115f3f00fbde564dd2f12bf036b5d2fd08387

Please adjust the affected versions as needed in the BTS. It looks to me
that all versions back to the stretch one have the problem, but an
explicit confirmation or nack would be welcome. I did check explicitly
the invocations in salt/netapi/__init__.py, but let me know if I missed
something.

Regards,
Salvatore
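As an added example (not part of the bug report or of the salt package), the following script classifies the Debian package versions listed above against the upstream release that carries the fix (2019.2.3, per reference [1]). It implements dpkg's version ordering so that revisions such as `+deb9u2` compare correctly; the assumption that a `+dfsg`/`+ds` suffix marks a Debian repack and is not part of the upstream version is ours.

```python
import re
from itertools import zip_longest

# Versions taken from the "Version:" and "Control: found" lines of this report.
FOUND_VERSIONS = ["2018.3.4+dfsg1-7", "2018.3.4+dfsg1-6",
                  "2016.11.2+ds-1+deb9u2", "2016.11.2+ds-1"]
# Upstream release containing the fix, per the 2019.2.3 release notes ([1]).
UPSTREAM_FIX = "2019.2.3"


def _order(c):
    # dpkg character ordering: '~' sorts before everything (even end of string),
    # digits 0, letters by code point, other symbols after letters.
    if c == "~":
        return -1
    if c.isdigit():
        return 0
    if c.isalpha():
        return ord(c)
    return ord(c) + 256


def _cmp_fragment(a, b):
    # Alternate non-digit runs (compared with _order) and digit runs (numeric).
    while a or b:
        na, nb = re.match(r"[^0-9]*", a).group(0), re.match(r"[^0-9]*", b).group(0)
        a, b = a[len(na):], b[len(nb):]
        for ca, cb in zip_longest(na, nb, fillvalue=""):
            oa, ob = (_order(ca) if ca else 0), (_order(cb) if cb else 0)
            if oa != ob:
                return -1 if oa < ob else 1
        da, db = re.match(r"[0-9]*", a).group(0), re.match(r"[0-9]*", b).group(0)
        a, b = a[len(da):], b[len(db):]
        if int(da or 0) != int(db or 0):
            return -1 if int(da or 0) < int(db or 0) else 1
    return 0


def split_version(v):
    """Return (epoch, upstream, debian_revision) for a Debian version string."""
    epoch = 0
    if ":" in v:
        e, v = v.split(":", 1)
        epoch = int(e)
    upstream, _, rev = v.rpartition("-") if "-" in v else (v, "", "")
    return epoch, upstream, rev


def compare_versions(a, b):
    """dpkg-style comparison: -1 if a < b, 0 if equal, 1 if a > b."""
    ea, ua, ra = split_version(a)
    eb, ub, rb = split_version(b)
    if ea != eb:
        return -1 if ea < eb else 1
    return _cmp_fragment(ua, ub) or _cmp_fragment(ra, rb)


def upstream_version(v):
    # Assumption: '+dfsg'/'+ds' marks a Debian repack, not the upstream version.
    return re.split(r"\+(?:dfsg|ds)\d*", split_version(v)[1])[0]


def is_affected(v, fixed_upstream=UPSTREAM_FIX):
    """True when the package's upstream version predates the fixed release."""
    return compare_versions(upstream_version(v), fixed_upstream) < 0
```

Running `is_affected` over `FOUND_VERSIONS` flags all four as affected, matching the report's assessment that every version back to the stretch one has the problem.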