Your message dated Sat, 09 May 2020 15:33:05 +0000
with message-id <e1jxrtn-00068h...@fasolo.debian.org>
and subject line Bug#959684: fixed in salt 2018.3.4+dfsg1-6+deb10u1
has caused the Debian Bug report #959684,
regarding salt: CVE-2020-11651 and CVE-2020-11652
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)

--
959684: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=959684
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: salt
Version: 2018.3.4+dfsg1-6
Severity: grave
Tags: security upstream
Justification: user security hole
Control: found -1 2018.3.4+dfsg1-6
Control: found -1 2016.11.2+ds-1+deb9u2
Control: found -1 2014.1.13+ds-3
Control: notfound -1 3000.2+dfsg1-1

Dear Maintainer,

These CVEs were assigned last Wednesday but I'm filing this as it seems
they're not tracked in the BTS yet.

CVE-2020-11651
--------------

An issue was discovered in SaltStack Salt before 2019.2.4 and 3000 before
3000.2. The salt-master process ClearFuncs class does not properly
validate method calls. This allows a remote user to access some methods
without authentication. These methods can be used to retrieve user tokens
from the salt master and/or _run arbitrary commands on salt minions_.
[emphasis mine]

CVE-2020-11652
--------------

An issue was discovered in SaltStack Salt before 2019.2.4 and 3000 before
3000.2. The salt-master process ClearFuncs class allows access to some
methods that improperly sanitize paths. These methods allow arbitrary
directory access to authenticated users.

As seen for instance at https://github.com/saltstack/salt/issues/57057 the
vulnerabilities are being exploited in the wild already; compromised salt
masters do allow attackers to run arbitrary commands on the minions as
root. See also https://labs.f-secure.com/advisories/saltstack-authorization-bypass .

Cheers,
--
Guilhem.
--- End Message ---
--- Begin Message ---
Source: salt
Source-Version: 2018.3.4+dfsg1-6+deb10u1
Done: Salvatore Bonaccorso <car...@debian.org>

We believe that the bug you reported is fixed in the latest version of
salt, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 959...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <car...@debian.org> (supplier of updated salt package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)

Format: 1.8
Date: Sun, 03 May 2020 21:11:01 +0200
Source: salt
Architecture: source
Version: 2018.3.4+dfsg1-6+deb10u1
Distribution: buster-security
Urgency: high
Maintainer: Debian Salt Team <pkg-salt-t...@lists.alioth.debian.org>
Changed-By: Salvatore Bonaccorso <car...@debian.org>
Closes: 949222 959684
Changes:
 salt (2018.3.4+dfsg1-6+deb10u1) buster-security; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * Fix CVE-2020-11651: Resolve issue which allows access to un-intended
     methods in the ClearFuncs class of the salt-master process
     (Closes: #959684)
   * Fix CVE-2020-11652: Sanitize paths in ClearFuncs methods provided by
     salt-master (Closes: #959684)
   * Add note about log messages to hardening salt docs
   * salt-api NET API with the ssh client enabled is vulnerable to command
     injection (CVE-2019-17361) (Closes: #949222)
--- End Message ---