Antoine Beaupré pushed to branch master at Debian Security Tracker / security-tracker
Commits: 3d7b2e31 by Antoine Beaupré at 2018-10-30T17:22:32Z mark salt as ignored in jessie Older versions of stack don't have master signature verification code at all, so there is no expectation this would be secure in the first place. Also clarify that both the patch that enforces signing and the patch that disables the check by default are necessary. - - - - - 2 changed files: - data/CVE/list - data/dla-needed.txt Changes: ===================================== data/CVE/list ===================================== @@ -79384,12 +79384,14 @@ CVE-2017-7894 (WinDjView 2.1 might allow user-assisted attackers to execute code CVE-2017-7893 (In SaltStack Salt before 2016.3.6, compromised salt-minions can ...) - salt 2016.11.5+ds-1 [stretch] - salt <no-dsa> (Minor issue) + [jessie] - salt <ignored> (Vulnerable code introduced later, but older versions did not verify master anyways) NOTE: https://docs.saltstack.com/en/2017.7/topics/releases/2016.3.6.html NOTE: https://github.com/saltstack/salt/issues/48939 - NOTE: https://github.com/saltstack/salt/commit/0a0f46fb1478be5eb2f90882a90390cb35ec43cb + NOTE: https://patch-diff.githubusercontent.com/raw/saltstack/salt/pull/40159.patch + NOTE: https://patch-diff.githubusercontent.com/raw/saltstack/salt/pull/40206.patch NOTE: The behaviour though was back off by default in a later commit again NOTE: cf. https://github.com/saltstack/salt/pull/40206 - NOTE: The fix is the second part of the 0a0f46f commit, but the behaviour is turned + NOTE: The fix is the second part of the #40159 PR, but the behaviour is turned NOTE: off by default and needs considerations of admins before enabling. We still NOTE: consider the issue as fixed starting with this change. Details in NOTE: https://github.com/saltstack/salt/issues/48939#issuecomment-410777638 ===================================== data/dla-needed.txt =====================================
@@ -76,10 +76,7 @@ qemu (Santiago) NOTE: 20181026: no fix yet for recent dsa issues, but start working on NOTE: pending no-dsa issues -- -salt (Antoine Beaupre) - NOTE: 20180921: CVE-2017-7893 is not crucial since the managed system must be - NOTE: 20180921: compromised first. But the security escalation effect can cause - NOTE: 20180921: a lot of system compromised. (ola) +salt -- smarty3 (Mike Gabriel) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/3d7b2e315f955c4926d7d60c608f9d90c9e6ade9 You're receiving this email because of your account on salsa.debian.org.
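Review bot: in the data/CVE/list hunk, the rewritten line "NOTE: The fix is the second part of the #40159 PR, but the behaviour is turned" no longer says what "second part" refers to: that wording belonged to the two-part commit 0a0f46f whose URL this hunk removes, and a pull request has no obvious "second part". Since the commit message's point is that both PRs are needed (#40159 adds the enforcement, #40206 turns the check back off by default), say that directly, e.g. "NOTE: Fixed by #40159 (enforce master signature check) together with #40206 (check off by default)", and consider keeping the 0a0f46f commit URL next to the patch-diff links: the hash is what one greps for in packaged sources, and raw patch-diff.githubusercontent.com URLs are not stable references. Separately, the jessie annotation "<ignored> (Vulnerable code introduced later, but older versions did not verify master anyways)" mixes two statuses: "Vulnerable code introduced later" is the stock justification for <not-affected>, while <ignored> records a decision not to fix. The commit message argues the latter (jessie has no master signature verification at all, so there is nothing to patch), so the reason string should state that on its own, e.g. "<ignored> (Master signature verification not implemented in this version, so there was never an expectation of protection)".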
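Review bot: in the data/dla-needed.txt hunk, the salt entry is kept but reduced to a bare "+salt" with no NOTE, while the data/CVE/list change in the same commit marks the only issue referenced here, CVE-2017-7893, as <ignored> for jessie. If that was the only open issue, the entry should be dropped rather than left unclaimed; if other issues remain, add a dated NOTE naming them, following the file's own convention as in the qemu entry above ("NOTE: 20181026: ..."), so the next person picking salt up does not re-triage CVE-2017-7893 from scratch. The three removed "NOTE: 20180921:" lines also carried ola's triage reasoning, which now survives only in this commit message.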
_______________________________________________ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits