Control: notfixed -1 2016.11.2+ds-1+deb9u3

On Wed, 6 May 2020 at 10:36:42 +0200, Elimar Riesebieter wrote:
> please notice the attached note from saltstack! I assume this is not
> integrated into DSA 4676-1, isn't it?

Ooops yes, 2016.11.2+ds-1+deb9u3 appears to still be vulnerable to
CVE-2020-11652:

| If you have already applied the patch for Salt 2017.x or earlier, there
| is a follow-up patch to apply. You can download the patch and
| instructions below. **This applies to 2017.x, 2016.x, and 2015.x. This
| does NOT apply to 2018.x, 2019.x, or 3000.x.**
| […]
| - 2016.x <http://em.saltstack.com/WP01MfH790m1QhM00U0s800>
| […]
| The original patch for versions 2017.x and earlier secured against
| arbitrary commands running on Salt minions and eliminated the exposure
| (CVE-2020-11651). This additional patch is required to completely
| resolve arbitrary directory access to authenticated users
| (CVE-2020-11652).

--
Guilhem.