On Sat, 20 Nov 2021 16:46:34 +0000 Jamie Heilman <ja...@audible.transient.net> wrote: > Package: salt-common > Version: 2016.11.2+ds-1+deb9u8 > Severity: grave > > The patch for 994016 in the > /usr/lib/python2.7/dist-packages/salt/fileclient.py file included: > > + # clean_path returns an empty string if the check fails > + root_path = salt.utils.path.join(cachedir, "extrn_files", saltenv, netloc) > > which might work for newer versions of salt, but in stretch that has > to be salt.utils.path_join(...) as the salt.utils.path module didn't > exist yet. As-is, the security update for CVE-2021-21996 makes > file.managed states fail with: > > Unable to manage file: 'module' object has no attribute 'path' > > which makes salt on stretch pretty much unusable.
Thanks for the report. I wonder why the tests didn't catch that problem. I will address this with the next upload of salt. Regards, Markus
signature.asc
Description: This is a digitally signed message part