Your message dated Sat, 09 May 2020 15:33:44 +0000
with message-id <e1jxru0-0006id...@fasolo.debian.org>
and subject line Bug#959684: fixed in salt 2016.11.2+ds-1+deb9u3
has caused the Debian Bug report #959684,
regarding salt: CVE-2020-11651 and CVE-2020-11652
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
959684: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=959684
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: salt
Version: 2018.3.4+dfsg1-6
Severity: grave
Tags: security upstream
Justification: user security hole
Control: found -1 2018.3.4+dfsg1-6
Control: found -1 2016.11.2+ds-1+deb9u2
Control: found -1 2014.1.13+ds-3
Control: notfound -1 3000.2+dfsg1-1

Dear Maintainer,

These CVEs were assigned last Wednesday but I'm filing this as it seems
they're not tracked in the BTS yet.

  CVE-2020-11651
  --------------

  An issue was discovered in SaltStack Salt before 2019.2.4 and 3000
  before 3000.2. The salt-master process ClearFuncs class does not
  properly validate method calls. This allows a remote user to access
  some methods without authentication. These methods can be used to
  retrieve user tokens from the salt master and/or _run arbitrary
  commands on salt minions_. [emphasis mine]

  CVE-2020-11652
  --------------

  An issue was discovered in SaltStack Salt before 2019.2.4 and 3000
  before 3000.2. The salt-master process ClearFuncs class allows access
  to some methods that improperly sanitize paths. These methods allow
  arbitrary directory access to authenticated users.

As seen for instance at https://github.com/saltstack/salt/issues/57057
the vulnerabilities are being exploited in the wild already; compromised
salt masters do allow attackers to run arbitrary commands on the minions
as root.

See also https://labs.f-secure.com/advisories/saltstack-authorization-bypass .

Cheers,
-- 
Guilhem.

Attachment: signature.asc
Description: PGP signature


--- End Message ---
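The two CVE descriptions above name two missing checks: unauthenticated access to methods that should require a token (CVE-2020-11651) and file methods that do not confine a requested path to the file root (CVE-2020-11652). The following is an added example, not code from Salt or from the bug report, of a minimal request dispatcher that applies both checks: an explicit allowlist of token-free methods, a fixed handler table instead of attribute lookup, and a realpath-based containment test before any file is opened. The class name `ClearFuncsLike`, the `ping`/`read_file` methods, the token store and the temporary file root built in `demo()` are all constructed for illustration.

```python
"""Added example (not Salt's code): dispatcher with method allowlisting and
path containment. All names and the sample file tree are hypothetical."""
import hmac
import os
import secrets
import tempfile
from typing import Any, Callable, Dict, Optional


class ClearFuncsLike:
    # Methods callable without a token. Everything else needs a valid one
    # (the check CVE-2020-11651 describes as missing).
    PUBLIC = frozenset({"ping"})

    def __init__(self, base_dir: str) -> None:
        # realpath once, so symlinks in the root itself cannot confuse the check
        self.base_dir = os.path.realpath(base_dir)
        self._tokens: Dict[str, str] = {}  # token -> user (constructed store)
        # Fixed handler table: a request can only reach these names, never
        # arbitrary attributes of the object.
        self._handlers: Dict[str, Callable[[Dict[str, Any]], Dict[str, Any]]] = {
            "ping": self.ping,
            "read_file": self.read_file,
        }

    def issue_token(self, user: str) -> str:
        tok = secrets.token_hex(16)
        self._tokens[tok] = user
        return tok

    def _authenticated(self, token: Optional[str]) -> bool:
        if not isinstance(token, str) or not token:
            return False
        # constant-time comparison against each issued token
        return any(hmac.compare_digest(token, t) for t in self._tokens)

    def dispatch(self, request: Dict[str, Any]) -> Dict[str, Any]:
        cmd = request.get("cmd")
        handler = self._handlers.get(cmd) if isinstance(cmd, str) else None
        if handler is None:
            return {"error": "unknown method"}
        if cmd not in self.PUBLIC and not self._authenticated(request.get("token")):
            return {"error": "authentication required"}
        return handler(request)

    def ping(self, request: Dict[str, Any]) -> Dict[str, Any]:
        return {"ok": True}

    def read_file(self, request: Dict[str, Any]) -> Dict[str, Any]:
        path = self._resolve_inside(str(request.get("path", "")))
        if path is None:
            return {"error": "path outside file root"}
        with open(path) as fh:
            return {"data": fh.read()}

    def _resolve_inside(self, requested: str) -> Optional[str]:
        """Return the absolute path only if it resolves inside base_dir
        (the containment check CVE-2020-11652 describes as missing)."""
        if os.path.isabs(requested):  # os.path.join would discard base_dir
            return None
        candidate = os.path.realpath(os.path.join(self.base_dir, requested))
        # commonpath rejects "..", symlink escapes and the "/root2" prefix trick
        if os.path.commonpath([self.base_dir, candidate]) != self.base_dir:
            return None
        return candidate


def demo() -> Dict[str, bool]:
    """Exercise the dispatcher against a constructed file tree; True = correct."""
    with tempfile.TemporaryDirectory() as tmp:
        root = os.path.join(tmp, "salt")
        os.makedirs(root)
        with open(os.path.join(root, "top.sls"), "w") as fh:
            fh.write("base: {}\n")
        with open(os.path.join(tmp, "secret"), "w") as fh:
            fh.write("outside the file root\n")
        os.symlink(tmp, os.path.join(root, "link"))  # symlink pointing outside
        srv = ClearFuncsLike(root)
        tok = srv.issue_token("admin")
        auth = {"cmd": "read_file", "token": tok}
        return {
            "public_without_token": srv.dispatch({"cmd": "ping"}) == {"ok": True},
            "private_without_token": "error" in srv.dispatch({"cmd": "read_file", "path": "top.sls"}),
            "private_bad_token": "error" in srv.dispatch({**auth, "token": "x" * 32, "path": "top.sls"}),
            "private_with_token": srv.dispatch({**auth, "path": "top.sls"}) == {"data": "base: {}\n"},
            "unknown_method": "error" in srv.dispatch({"cmd": "not_a_method", "token": tok}),
            "traversal_blocked": "error" in srv.dispatch({**auth, "path": "../secret"}),
            "symlink_blocked": "error" in srv.dispatch({**auth, "path": "link/secret"}),
            "absolute_blocked": "error" in srv.dispatch({**auth, "path": os.path.join(tmp, "secret")}),
        }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'ok' if ok else 'FAIL'}")
```

The handler table and the `PUBLIC` allowlist are deliberately the only two places that decide what a request may reach; adding a method means adding it to the table, and making it token-free means adding it to the allowlist, so neither can happen by accident.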
--- Begin Message ---
Source: salt
Source-Version: 2016.11.2+ds-1+deb9u3
Done: Salvatore Bonaccorso <car...@debian.org>

We believe that the bug you reported is fixed in the latest version of
salt, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 959...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <car...@debian.org> (supplier of updated salt package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Mon, 04 May 2020 14:29:16 +0200
Source: salt
Architecture: source
Version: 2016.11.2+ds-1+deb9u3
Distribution: stretch-security
Urgency: high
Maintainer: Debian Salt Team <pkg-salt-t...@lists.alioth.debian.org>
Changed-By: Salvatore Bonaccorso <car...@debian.org>
Closes: 949222 959684
Changes:
 salt (2016.11.2+ds-1+deb9u3) stretch-security; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * Address CVE-2020-11651 and CVE-2020-11652 (Closes: #959684)
     Thanks to Daniel Wozniak <dwozn...@saltstack.com>
   * Add note about log messages to hardening salt docs
   * salt-api NET API with the ssh client enabled is vulnerable to command
     injection (CVE-2019-17361) (Closes: #949222)
Checksums-Sha1:
 c4b9b9e65530f783bd0642c5047b8e9a5d8d6d0b 2907 salt_2016.11.2+ds-1+deb9u3.dsc
 22ceeb790c472b20a520fc584f08b15431ffda8e 6096896 salt_2016.11.2+ds.orig.tar.xz
 628196ea597862c49727b59ade5af056d0ba51af 37744 salt_2016.11.2+ds-1+deb9u3.debian.tar.xz
 c2563d0f30763b6b744b0116ab0c98b7d727225e 7415 salt_2016.11.2+ds-1+deb9u3_source.buildinfo
Checksums-Sha256:
 97dbedd4d7ebd882c931c1617910681a73702cf9bc86c4d74cd674f762b12b79 2907 salt_2016.11.2+ds-1+deb9u3.dsc
 d986b715e0bef20e797fe9fbe7b5d3d52e9528b941689a9c9487c6de0e7a0c28 6096896 salt_2016.11.2+ds.orig.tar.xz
 183dfa55a33c39c41e527b2409326c0b4d14c38ccae4f41b66a4af8fda4b744d 37744 salt_2016.11.2+ds-1+deb9u3.debian.tar.xz
 bfd3e678166d9335982fd9a1a35295e65486f72f741a00bf2326a81071dd1dd0 7415 salt_2016.11.2+ds-1+deb9u3_source.buildinfo
Files:
 580fe966d2a2e29c5c53208767f3ddfe 2907 admin extra salt_2016.11.2+ds-1+deb9u3.dsc
 ec60b35a21f25eed73e057b92cbef710 6096896 admin extra salt_2016.11.2+ds.orig.tar.xz
 8252adc0df63f1df32adf40bdf331b08 37744 admin extra salt_2016.11.2+ds-1+deb9u3.debian.tar.xz
 1c02c88495063931939b7add39385fb5 7415 admin extra salt_2016.11.2+ds-1+deb9u3_source.buildinfo

-----BEGIN PGP SIGNATURE-----

iQKmBAEBCgCQFiEERkRAmAjBceBVMd3uBUy48xNDz0QFAl6wYtVfFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2
NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQSHGNhcm5pbEBk
ZWJpYW4ub3JnAAoJEAVMuPMTQ89E7GwP/RqLvEwNkNW1gEgEAZeLM2CyhTCN1cSq
j+mB+I42G4OoS344rRc4zVhfN9cV3/cxrLA6xmvdWdGMWyUraB8g09cDXDzGaf0a
yvXY6u6eiajTFq/jn1jDmEXdPRecA1wP2kRpe6L8TdrhvjGOMtdcaXgJKqCXJWM4
g6FquVl4ltctZlJ1lh/Z2D4J/uMPF4Atu6hrWa/MCYDdJueK5aQqmlo+s7pmHs35
cUSD7pKMV5tbUP3mAC+45wFhuHvimW77JF2O/o0GFh+JRUMsKx68pNRMcq7vUiLM
oHJjrrhOPzS6ynjSn/uUN1J8h6AHUwM6Y+kNbSL2zdlJKir0jPwmXEQ21mef3iHA
1AxZsQAHPHRNei8eJtJ1FpsQat8aGpIJXN5F5r2BDSr2zkgYrixerZymlzkIW82a
5CKpP/XodjwF9NmNboZYmCGRXh2KudncOWH4sZTww0YExNKFkUJbhLNXK2Q7vBH3
ClWXnK9XG34XLY5000PGqVgyARyLfCuxB+YgK9wxf4YHUQLvMINASjs6MBfVzlCZ
xI5t1giVJHFA5mKBeofKCLn8f7Rax8oKn7i65mC4+BkLJs4K86eAm7jqZXBzs4yV
xHnq9ww5rF8t42p47Dn4AABK3FarowTIIoAVGBRGnHuBQnNPu76qItAvD5Lje/8e
lZYV6ZFYkT5L
=pTCK
-----END PGP SIGNATURE-----

--- End Message ---