Control: tag -1 pending Hello,
Bug #987496 in salt reported by you has been fixed in the Git repository and is awaiting an upload. You can see the commit message below and you can check the diff of the fix at: https://salsa.debian.org/salt-team/salt/-/commit/71f7f30851f9609bfda5a1b0f5b115d2743372cd ------------------------------------------------------------------------ Fix CVE-2021-31607 in snapper module In SaltStack Salt 2016.9 through 3002.6, a command injection vulnerability exists in the snapper module that allows for local privilege escalation on a minion. The attack requires that a file is created with a pathname that is backed up by snapper, and that the master calls the snapper.diff function (which executes popen unsafely). Cherry-pick the fix from pull request #59648 [1], but also fix the regression introduced by that commit [2]. [1] https://github.com/saltstack/salt/pull/59648 [2] https://github.com/saltstack/salt/issues/60046 Closes: #987496 Signed-off-by: Benjamin Drung <benjamin.dr...@ionos.com> ------------------------------------------------------------------------ (this message was generated automatically) -- Greetings https://bugs.debian.org/987496
