Hi Simon,
On Tue, May 05, 2020 at 03:01:45PM +0100, Simon McVittie wrote:
> On Mon, 04 May 2020 at 01:34:33 +0200, Guilhem Moulin wrote:
> > CVE-2020-11651
> > CVE-2020-11652
>
> I found myself needing to mitigate this for a salt deployment, so I
> tried backporting the upstream patches to buster.
>
> The attached are not at all thoroughly-tested and should be reviewed
> carefully by someone who knows the codebase, but they seem to work, and
> the proof-of-concept from
> https://github.com/rossengeorgiev/salt-security-backports no longer reports
> that the master is vulnerable. This was only a stopgap, because that
> deployment is now using the packages from saltstack.com instead, but it
> might be useful to the salt maintainers.
>
> There are also unofficial backports in
> https://github.com/rossengeorgiev/salt-security-backports - I tried doing
> the cherry-picks myself and then compared what I got with those, in an
> attempt to guard against mistakes (by either myself or the author of those
> backports).
>
> Note that patch 0003 contains unofficial workarounds for regressions in the
> release that fixed those CVEs, which you might prefer to exclude from an
> official update.
I did actually work on that already yesterday and uploaded the
attached debdiffs to security-master *but* I'm in need of someone
using salt to effectively in a good way to test them.
Do you have respective stretch and buster setups which you could
expose those packages to?
Regards,
Salvatore
diff -Nru salt-2016.11.2+ds/debian/changelog salt-2016.11.2+ds/debian/changelog
--- salt-2016.11.2+ds/debian/changelog 2018-04-20 14:33:54.0 +0200
+++ salt-2016.11.2+ds/debian/changelog 2020-05-04 14:29:16.0 +0200
@@ -1,3 +1,14 @@
+salt (2016.11.2+ds-1+deb9u3) stretch-security; urgency=high
+
+ * Non-maintainer upload by the Security Team.
+ * Address CVE-2020-11651 and CVE-2020-11652 (Closes: #959684)
+Thanks to Daniel Wozniak
+ * Add note about log messages to hardening salt docs
+ * salt-api NET API with the ssh client enabled is vulnerable to command
+injection (CVE-2019-17361) (Closes: #949222)
+
+ -- Salvatore Bonaccorso Mon, 04 May 2020 14:29:16 +0200
+
salt (2016.11.2+ds-1+deb9u2) stretch; urgency=medium
* Fix CVE-2017-8109: salt-ssh minion copied over configuration from the
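Review bot: The CVE-2019-17361 item in the new 2016.11.2+ds-1+deb9u3 stanza describes the vulnerability ("salt-api NET API with the ssh client enabled is vulnerable to command injection") rather than the change made, so the entry reads as if the uploaded package were still affected. Reword it as a fix, in the style of the "Fix CVE-2017-8109" item in the deb9u2 stanza below it. The "Add note about log messages to hardening salt docs" item could also say that the bundled patch changes a log string in salt/master.py, since it is not a docs-only change.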
diff -Nru
salt-2016.11.2+ds/debian/patches/Add-note-about-log-messages-to-hardening-salt-docs.patch
salt-2016.11.2+ds/debian/patches/Add-note-about-log-messages-to-hardening-salt-docs.patch
---
salt-2016.11.2+ds/debian/patches/Add-note-about-log-messages-to-hardening-salt-docs.patch
1970-01-01 01:00:00.0 +0100
+++
salt-2016.11.2+ds/debian/patches/Add-note-about-log-messages-to-hardening-salt-docs.patch
2020-05-04 14:29:16.0 +0200
@@ -0,0 +1,41 @@
+From: "Daniel A. Wozniak"
+Date: Mon, 13 Apr 2020 07:01:07 +
+Subject: Add note about log messages to hardening salt docs
+Origin:
https://github.com/saltstack/salt/commit/4631781376ddc9ee9d279f407ac3d0b78644fae7
+
+---
+ doc/topics/hardening.rst | 4
+ salt/master.py | 2 +-
+ 2 files changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/doc/topics/hardening.rst b/doc/topics/hardening.rst
+index c645b84128e4..569ad654af69 100644
+--- a/doc/topics/hardening.rst
b/doc/topics/hardening.rst
+@@ -57,6 +57,10 @@ Salt hardening tips
+ particularly sensitive minions. There is also :ref:`salt-ssh` or the
+ :mod:`modules.sudo ` if you need to further restrict
+ a minion.
++- Monitor specific security releated log messages. Salt ``salt-master`` logs
++ attempts to access methods which are not exposed to network clients. These
log
++ messages are logged at the ``error`` log level and start with ``Requested
++ method not exposed``.
+
+ .. _salt-users: https://groups.google.com/forum/#!forum/salt-users
+ .. _salt-announce: https://groups.google.com/forum/#!forum/salt-announce
+diff --git a/salt/master.py b/salt/master.py
+index 7d1444cf1221..aae55f1828e1 100644
+--- a/salt/master.py
b/salt/master.py
+@@ -1162,7 +1162,7 @@ class TransportMethods(object):
+ try:
+ return getattr(self, name)
+ except AttributeError:
+-log.error("Expose method not found: %s", name)
++log.error("Requested method not exposed: %s", name)
+ else:
+ log.error("Requested method not exposed: %s", name)
+
+--
+2.20.1
+
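Review bot: In the salt/master.py hunk, the AttributeError branch of TransportMethods now logs the same "Requested method not exposed: %s" text as the else branch, so a name that passes the expose check but has no matching attribute can no longer be told apart in the logs from one that is not exposed at all. That gives monitoring the single prefix the hardening.rst addition documents, but consider keeping a distinguishing detail after the common prefix so that the two cases remain separable during triage. The added hardening.rst line also has a typo, "security releated" for "security related"; since this is a cherry-pick of an upstream commit, it is better reported upstream than fixed only in the Debian copy.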
diff -Nru
salt-2016.11.2+ds/debian/patches/Fix-CVE-2020-11651-and-Fix-CVE-2020-11652-2016.11.2.patch
salt-2016.11.2+ds/debian/patches/Fix-CVE-2020-11651-and-Fix-CVE-2020-11652-2016.11.2.patch
---
salt-2016.11.2+ds/debian/patches/Fix-CVE-2020-11651-and-Fix-CVE-2020-11652-2016.11.2.patch
1970-01-01 01:00:00.0 +0100
+++
salt-2016.11.2+ds/debian/patches/Fix-CVE-2020-11651-and-Fix-CVE-2020-11652-2016.11.2.patch
2020-05-04 14:29:16.0 +0200
@@ -0,0 +1,237 @@
+From 006219501bbb3a81a9fb64975035011016d5a7eb Mon Sep 17 00:00:0