On Thu, 1 Sep 2022 08:13:07 +0200 Paul Gevers <elb...@debian.org> wrote:
> Hi,
>
> On Sun, 26 Jun 2022 13:55:24 +0200 Salvatore Bonaccorso <car...@debian.org> wrote:
> > Source: salt
> >
> > The following vulnerability was published for salt.
> >
> > CVE-2022-22967[0]:
> > | An issue was discovered in SaltStack Salt in versions before 3002.9,
> > | 3003.5, 3004.2. PAM auth fails to reject locked accounts, which allows
> > | a previously authorized user whose account is locked still run Salt
> > | commands when their account is locked. This affects both local shell
> > | accounts with an active session and salt-api users that authenticate
> > | via PAM eauth.
>
> As much as I'd like to stay away from fixing packages, do you need help with this one? It's causing RC issues in testing even though it's removed.
>
> https://qa.debian.org/dose/debcheck/src_testing_main/1661922002/packages/pytest-testinfra.html#076c12ad0c0676e354433b4fd854e3d5
>
> There's a new upstream release and I pulled it locally, but there are a lot of changes. So without experience with the package, it's a bit much to go over.

The fix for this is very simple. We are ignoring pam_acct_mgmt()'s return value. The upstream fix (with tests) is at:

https://github.com/saltstack/salt/commit/e068a34ccb2e17ae7224f8016a24b727f726d4c8

Cheers,
Emilio
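To make the bug concrete, here is an added example (not salt's code and not the upstream patch): a minimal Python stand-in for the two libpam calls, with a constructed account table, showing the pre-fix pattern that drops pam_acct_mgmt()'s result beside the checked version. FakePam, ACCOUNTS and both authenticate_* functions are illustrative names.

```python
# Added illustration (not salt's code): why ignoring pam_acct_mgmt()'s
# return value lets a locked account through. A stand-in for the libpam
# handle is constructed inline so the logic runs offline.

# Linux-PAM return codes (values as defined in security/_pam_types.h)
PAM_SUCCESS = 0
PAM_AUTH_ERR = 7
PAM_ACCT_EXPIRED = 13

# Constructed account table: password plus a "locked" flag, standing in
# for what the account modules would report through pam_acct_mgmt().
ACCOUNTS = {
    "alice": {"password": "correct horse", "locked": False},
    "bob":   {"password": "battery staple", "locked": True},
}


class FakePam:
    """Hypothetical stand-in for a libpam handle (only the two calls that matter)."""

    def __init__(self, user, password):
        self.user, self.password = user, password

    def pam_authenticate(self, flags=0):
        # Credential check only: a locked account with the right password
        # still returns PAM_SUCCESS here, as with real PAM.
        acct = ACCOUNTS.get(self.user)
        if acct and acct["password"] == self.password:
            return PAM_SUCCESS
        return PAM_AUTH_ERR

    def pam_acct_mgmt(self, flags=0):
        # Account validity check: this is where a lock or expiry surfaces.
        acct = ACCOUNTS.get(self.user)
        if acct and not acct["locked"]:
            return PAM_SUCCESS
        return PAM_ACCT_EXPIRED


def authenticate_vulnerable(user, password):
    """Pre-fix pattern: pam_acct_mgmt() is called but its result is dropped."""
    pam = FakePam(user, password)
    if pam.pam_authenticate() != PAM_SUCCESS:
        return False
    pam.pam_acct_mgmt()  # return value ignored -> locked accounts pass
    return True


def authenticate_fixed(user, password):
    """Fixed pattern: both stages must return PAM_SUCCESS."""
    pam = FakePam(user, password)
    if pam.pam_authenticate() != PAM_SUCCESS:
        return False
    return pam.pam_acct_mgmt() == PAM_SUCCESS
```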
