Antoine Beaupré pushed to branch master at Debian Security Tracker / security-tracker


Commits:
3d7b2e31 by Antoine Beaupré at 2018-10-30T17:22:32Z
mark salt as ignored in jessie

Older versions of stack don't have master signature verification code at
all, so there is no expectation this would be secure in the first place.

Also clarify that both the patch that enforces signing and the patch
that disables the check by default are necessary.

- - - - -


2 changed files:

- data/CVE/list
- data/dla-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -79384,12 +79384,14 @@ CVE-2017-7894 (WinDjView 2.1 might allow 
user-assisted attackers to execute code
 CVE-2017-7893 (In SaltStack Salt before 2016.3.6, compromised salt-minions can 
...)
        - salt 2016.11.5+ds-1
        [stretch] - salt <no-dsa> (Minor issue)
+       [jessie] - salt <ignored> (Vulnerable code introduced later, but older 
versions did not verify master anyways)
        NOTE: https://docs.saltstack.com/en/2017.7/topics/releases/2016.3.6.html
        NOTE: https://github.com/saltstack/salt/issues/48939
-       NOTE: 
https://github.com/saltstack/salt/commit/0a0f46fb1478be5eb2f90882a90390cb35ec43cb
+       NOTE: 
https://patch-diff.githubusercontent.com/raw/saltstack/salt/pull/40159.patch
+       NOTE: 
https://patch-diff.githubusercontent.com/raw/saltstack/salt/pull/40206.patch
        NOTE: The behaviour though was back off by default in a later commit 
again
        NOTE: cf. https://github.com/saltstack/salt/pull/40206
-       NOTE: The fix is the second part of the 0a0f46f commit, but the 
behaviour is turned
+       NOTE: The fix is the second part of the #40159 PR, but the behaviour is 
turned
        NOTE: off by default and needs considerations of admins before 
enabling. We still
        NOTE: consider the issue as fixed starting with this change. Details in
        NOTE: 
https://github.com/saltstack/salt/issues/48939#issuecomment-410777638
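Review bot: the new `[jessie] - salt <ignored>` line gives two different reasons that point at two different tracker states: "Vulnerable code introduced later" is the usual justification for `<not-affected>`, while "older versions did not verify master anyways" is the ignore rationale from the commit message. Pick the one that applies to jessie's salt version so the entry is not read as not-affected when it is meant as ignored. Also, with the pull/40206 patch URL now listed as its own NOTE, the two following lines "The behaviour though was back off by default in a later commit again" and "cf. https://github.com/saltstack/salt/pull/40206" restate the same reference; consider folding them into the existing "turned off by default and needs considerations of admins" NOTE so the reason for listing both #40159 and #40206 is stated once.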


=====================================
data/dla-needed.txt
=====================================
@@ -76,10 +76,7 @@ qemu (Santiago)
   NOTE: 20181026: no fix yet for recent dsa issues, but start working on
   NOTE: pending no-dsa issues
 --
-salt (Antoine Beaupre)
-  NOTE: 20180921: CVE-2017-7893 is not crucial since the managed system must be
-  NOTE: 20180921: compromised first. But the security escalation effect can 
cause
-  NOTE: 20180921: a lot of system compromised. (ola)
+salt
 --
 smarty3 (Mike Gabriel)
 --
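Review bot: the hunk drops the claimant and all dated NOTE lines from the salt entry but keeps a bare `salt` in dla-needed.txt, which reads as an unclaimed item still needing a DLA. Since the CVE/list change in the same commit marks CVE-2017-7893 as `<ignored>` for jessie, either remove the entry together with its `--` separator, or keep a NOTE stating why salt remains on the list (for example, other open issues) so the next person triaging does not re-investigate CVE-2017-7893.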



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/3d7b2e315f955c4926d7d60c608f9d90c9e6ade9

_______________________________________________
debian-security-tracker-commits mailing list
debian-security-tracker-commits@alioth-lists.debian.net
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits