Bug#959684: marked as done (salt: CVE-2020-11651 and CVE-2020-11652)

2020-05-09 Thread Debian Bug Tracking System
Your message dated Sat, 09 May 2020 15:33:05 +
with message-id 
and subject line Bug#959684: fixed in salt 2018.3.4+dfsg1-6+deb10u1
has caused the Debian Bug report #959684,
regarding salt: CVE-2020-11651 and CVE-2020-11652
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
959684: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=959684
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: salt
Version: 2018.3.4+dfsg1-6
Severity: grave
Tags: security upstream
Justification: user security hole
Control: found -1 2018.3.4+dfsg1-6
Control: found -1 2016.11.2+ds-1+deb9u2
Control: found -1 2014.1.13+ds-3
Control: notfound -1 3000.2+dfsg1-1

Dear Maintainer,

These CVEs were assigned last Wednesday but I'm filing this as it seems
they're not tracked in the BTS yet.

  CVE-2020-11651
  --

  An issue was discovered in SaltStack Salt before 2019.2.4 and 3000
  before 3000.2. The salt-master process ClearFuncs class does not
  properly validate method calls. This allows a remote user to access
  some methods without authentication. These methods can be used to
  retrieve user tokens from the salt master and/or _run arbitrary
  commands on salt minions_. [emphasis mine]

  CVE-2020-11652
  --

  An issue was discovered in SaltStack Salt before 2019.2.4 and 3000
  before 3000.2. The salt-master process ClearFuncs class allows access
  to some methods that improperly sanitize paths. These methods allow
  arbitrary directory access to authenticated users.

As seen for instance at https://github.com/saltstack/salt/issues/57057
the vulnerabilities are being exploited in the wild already; compromised
salt masters do allow attackers to run arbitrary commands on the minions
as root.

See also https://labs.f-secure.com/advisories/saltstack-authorization-bypass .

Cheers,
-- 
Guilhem.


signature.asc
Description: PGP signature
--- End Message ---
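The two bug classes named in the report above, shown side by side in Python as an added example. This is not Salt's ClearFuncs code and not the Debian patch; the class, the method names (`ping`, `get_file`, `_master_secret`), the request layout and the on-disk root are assumptions made for the illustration. It generalises beyond Salt: `dispatch_unchecked` is the shape of a dispatcher that "does not properly validate method calls" (CVE-2020-11651) and `dispatch` the allow-listed form, while `confine_path` is the containment check that a file-serving method lacking proper path sanitisation (CVE-2020-11652) needs before it opens anything.

```python
import os
import tempfile


class AccessDenied(Exception):
    """Raised when a request names a method that is not exposed on the channel."""


class PathEscape(Exception):
    """Raised when a requested path resolves outside the configured root."""


def confine_path(root, requested):
    """Resolve `requested` relative to `root` and refuse anything that escapes it.

    Normalisation happens *before* the containment check, so '..' segments and
    symlinks cannot move the result out of `root` after a naive prefix test.
    """
    if not isinstance(requested, str) or not requested or os.path.isabs(requested):
        raise PathEscape(repr(requested))
    real_root = os.path.realpath(root)
    candidate = os.path.realpath(os.path.join(real_root, requested))
    # commonpath compares whole components, so /srv/files never matches /srv/files-old
    if os.path.commonpath([real_root, candidate]) != real_root:
        raise PathEscape(requested)
    return candidate


class ClearChannel:
    """Request handler for the unauthenticated ('clear') channel of a master.

    Hypothetical stand-in for the bug classes in the report; it is not Salt's
    ClearFuncs and its method names are invented for this example.
    """

    # Explicit allow-list: the only names a clear-channel request may invoke.
    PUBLIC = frozenset({"ping", "get_file"})

    def __init__(self, file_root):
        self.file_root = file_root

    def ping(self):
        return "pong"

    def get_file(self, path):
        """Serve a file from file_root; the path is confined before it is opened."""
        with open(confine_path(self.file_root, path), "rb") as fh:
            return fh.read()

    def _master_secret(self):
        """Internal helper that must never be reachable from the network."""
        return "SECRET"

    def dispatch_unchecked(self, request):
        """Bug class of CVE-2020-11651: whatever name the client sends is looked up
        and called, so internal helpers become callable without authentication."""
        return getattr(self, request["cmd"])(**request.get("args", {}))

    def dispatch(self, request):
        """Hardened form: only allow-listed names are resolved; all else is refused."""
        method = request.get("cmd")
        if not isinstance(method, str) or method not in self.PUBLIC:
            raise AccessDenied(repr(method))
        return getattr(self, method)(**request.get("args", {}))


def demo():
    """Exercise both checks against a throwaway root (constructed sample data)."""
    with tempfile.TemporaryDirectory() as root:
        with open(os.path.join(root, "hello.txt"), "wb") as fh:
            fh.write(b"hello\n")
        chan = ClearChannel(root)
        results = {
            "ping": chan.dispatch({"cmd": "ping"}),
            "file": chan.dispatch({"cmd": "get_file", "args": {"path": "hello.txt"}}),
            # The unchecked dispatcher hands the internal value to any caller.
            "unchecked_private": chan.dispatch_unchecked({"cmd": "_master_secret"}),
        }
        try:
            chan.dispatch({"cmd": "_master_secret"})
            results["private"] = "allowed"
        except AccessDenied:
            results["private"] = "blocked"
        try:
            chan.dispatch({"cmd": "get_file", "args": {"path": "../../outside.txt"}})
            results["traversal"] = "allowed"
        except PathEscape:
            results["traversal"] = "blocked"
        return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

The two checks are deliberately independent: the allow-list decides which names exist on the channel at all, and the path containment runs inside the method that touches the filesystem, so a future public method cannot forget it by accident of dispatch order.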
--- Begin Message ---
Source: salt
Source-Version: 2018.3.4+dfsg1-6+deb10u1
Done: Salvatore Bonaccorso 

We believe that the bug you reported is fixed in the latest version of
salt, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 959...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso  (supplier of updated salt package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sun, 03 May 2020 21:11:01 +0200
Source: salt
Architecture: source
Version: 2018.3.4+dfsg1-6+deb10u1
Distribution: buster-security
Urgency: high
Maintainer: Debian Salt Team 
Changed-By: Salvatore Bonaccorso 
Closes: 949222 959684
Changes:
 salt (2018.3.4+dfsg1-6+deb10u1) buster-security; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * Fix CVE-2020-11651: Resolve issue which allows access to unintended
     methods in the ClearFuncs class of the salt-master process
     (Closes: #959684)
   * Fix CVE-2020-11652: Sanitize paths in ClearFuncs methods provided by
     salt-master (Closes: #959684)
   * Add note about log messages to hardening salt docs
   * salt-api NET API with the ssh client enabled is vulnerable to command
     injection (CVE-2019-17361) (Closes: #949222)
Checksums-Sha1:
 a61935e1374c53ec4bc5bf8d5c720543e5f2d272 4195 salt_2018.3.4+dfsg1-6+deb10u1.dsc
 8293356cdcdb4db5777c28dda673e2620ae23520 9087128 salt_2018.3.4+dfsg1.orig.tar.xz
 c1b9eab6aca4cf47f32e93611141d3eaa43f9122 70292 salt_2018.3.4+dfsg1-6+deb10u1.debian.tar.xz
 509e0391fd22f241811cfcdcb449ae778bc45dc9 8218 salt_2018.3.4+dfsg1-6+deb10u1_source.buildinfo
Checksums-Sha256:
 8bac5f5aea83d610410f896d240e67eeaa8a1bf26fd4817b557e2610e59e025b 4195 salt_2018.3.4+dfsg1-6+deb10u1.dsc
 c1793b5eeb98fbb8e0698b59d5f3a55d2684da17a053d3f498ec84d1e81edd2a 9087128 salt_2018.3.4+dfsg1.orig.tar.xz
 6544d7857eb1f72acdb82f99cd1b634d398e8b6a2edba30d2b1cda91b2c74a58 70292 salt_2018.3.4+dfsg1-6+deb10u1.debian.tar.xz
 556158ade5516359e60d2acc3ddf4529b5589fc875c4cc6d8fccbf815fbd0c7f 8218 salt_2018.3.4+dfsg1-6+deb10u1_source.buildinfo
Files:
 fa389095007893da303a2989902e76cb 4195 admin optional salt_2018.3.4+dfsg1-6+deb10u1.dsc
 1b07796d2b1af27ca51aa31efdfe6a69 9087128 admin optional 

Bug#959684: marked as done (salt: CVE-2020-11651 and CVE-2020-11652)

2020-05-09 Thread Debian Bug Tracking System
Your message dated Sat, 09 May 2020 15:33:44 +
with message-id 
and subject line Bug#959684: fixed in salt 2016.11.2+ds-1+deb9u3
has caused the Debian Bug report #959684,
regarding salt: CVE-2020-11651 and CVE-2020-11652
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
959684: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=959684
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: salt
Source-Version: 2016.11.2+ds-1+deb9u3
Done: Salvatore Bonaccorso 

We believe that the bug you reported is fixed in the latest version of
salt, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 959...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso  (supplier of updated salt package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Mon, 04 May 2020 14:29:16 +0200
Source: salt
Architecture: source
Version: 2016.11.2+ds-1+deb9u3
Distribution: stretch-security
Urgency: high
Maintainer: Debian Salt Team 
Changed-By: Salvatore Bonaccorso 
Closes: 949222 959684
Changes:
 salt (2016.11.2+ds-1+deb9u3) stretch-security; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * Address CVE-2020-11651 and CVE-2020-11652 (Closes: #959684)
     Thanks to Daniel Wozniak 
   * Add note about log messages to hardening salt docs
   * salt-api NET API with the ssh client enabled is vulnerable to command
     injection (CVE-2019-17361) (Closes: #949222)
Checksums-Sha1:
 c4b9b9e65530f783bd0642c5047b8e9a5d8d6d0b 2907 salt_2016.11.2+ds-1+deb9u3.dsc
 22ceeb790c472b20a520fc584f08b15431ffda8e 6096896 salt_2016.11.2+ds.orig.tar.xz
 628196ea597862c49727b59ade5af056d0ba51af 37744 salt_2016.11.2+ds-1+deb9u3.debian.tar.xz
 c2563d0f30763b6b744b0116ab0c98b7d727225e 7415 salt_2016.11.2+ds-1+deb9u3_source.buildinfo
Checksums-Sha256:
 97dbedd4d7ebd882c931c1617910681a73702cf9bc86c4d74cd674f762b12b79 2907 salt_2016.11.2+ds-1+deb9u3.dsc
 d986b715e0bef20e797fe9fbe7b5d3d52e9528b941689a9c9487c6de0e7a0c28 6096896 salt_2016.11.2+ds.orig.tar.xz
 183dfa55a33c39c41e527b2409326c0b4d14c38ccae4f41b66a4af8fda4b744d 37744 salt_2016.11.2+ds-1+deb9u3.debian.tar.xz
 bfd3e678166d9335982fd9a1a35295e65486f72f741a00bf2326a81071dd1dd0 7415 salt_2016.11.2+ds-1+deb9u3_source.buildinfo
Files:
 580fe966d2a2e29c5c53208767f3ddfe 2907 admin extra salt_2016.11.2+ds-1+deb9u3.dsc
 ec60b35a21f25eed73e057b92cbef710 6096896 admin extra salt_2016.11.2+ds.orig.tar.xz
 8252adc0df63f1df32adf40bdf331b08 37744 admin extra salt_2016.11.2+ds-1+deb9u3.debian.tar.xz
 1c02c88495063931939b7add39385fb5 7415 admin extra salt_2016.11.2+ds-1+deb9u3_source.buildinfo