Control: tag -1 moreinfo
Hi,
Comments below:
Benjamin Drung <benjamin.drung@profitbricks.com> (2017-05-22):
> diff -Nru salt-2014.1.13+ds/debian/patches/CVE-2015-6918.patch salt-2014.1.13+ds/debian/patches/CVE-2015-6918.patch
> --- salt-2014.1.13+ds/debian/patches/CVE-2015-6918.patch 1970-01-01 01:00:00.000000000 +0100
> +++ salt-2014.1.13+ds/debian/patches/CVE-2015-6918.patch 2017-04-18 12:18:56.000000000 +0200
> @@ -0,0 +1,46 @@
> +From 528916548726976dcc75626dc6f6641ceb206ee3 Mon Sep 17 00:00:00 2001
> +From: Tarjei Husøy <git@thusoy.com>
> +Date: Wed, 19 Aug 2015 11:41:10 -0700
> +Subject: [PATCH] Git: Don't leak https user/pw to log
> +Origin: backport, https://github.com/saltstack/salt/commit/28aa9b105804ff433d8f663b2f9b804f2b75495a
> +
> +---
> + salt/modules/git.py | 17 ++++++++++++++---
> + tests/unit/modules/git_test.py | 18 ++++++++++++++++++
> + 2 files changed, 32 insertions(+), 3 deletions(-)
> +
> +--- a/salt/modules/git.py
> ++++ b/salt/modules/git.py
> +@@ -5,6 +5,7 @@
> +
> + # Import python libs
> + import os
> ++import re
> + import tempfile
> + try:
> + import pipes
> +@@ -75,6 +76,7 @@
> + result = __salt__['cmd.run_all'](cmd,
> + cwd=cwd,
> + runas=runas,
> ++ output_loglevel='quiet',
> + env=env,
> + **kwargs)
> +
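Review bot: `output_loglevel='quiet'` on the `cmd.run_all` call silences logging of the whole command output, stdout as well as stderr, not only the parts that may carry the URL credentials, so git output disappears from the minion log for debugging purposes too; that trade-off deserves a sentence in the patch description, because the redaction helper introduced in the next hunk only covers the error path and nothing else compensates for the lost log output.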
> +@@ -86,7 +88,15 @@
> + if retcode == 0:
> + return result['stdout']
> + else:
> +- raise exceptions.CommandExecutionError(result['stderr'])
> ++ stderr = _remove_sensitive_data(result['stderr'])
> ++ raise exceptions.CommandExecutionError(stderr)
> ++
> ++
> ++def _remove_sensitive_data(sensitive_output):
> ++ '''
> ++ Remove HTTP user and password.
> ++ '''
> ++ return re.sub('(https?)://.*@', r'\1://<redacted>@', sensitive_output)
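Review bot: the pattern in `_remove_sensitive_data` is greedy and not anchored to the userinfo part of the URL: `.*@` runs to the last `@` on the line, so everything between `https://` and that `@` is replaced, including a path component containing `@` (the `https://somewhere/foo@bar` case) or an unrelated address later on the same line, and a URL without any credentials is rewritten as well. Restricting the match to a userinfo component directly before the host, for example `re.sub(r'(https?)://[^/@\s]+@', r'\1://<redacted>@', sensitive_output)`, keeps the redaction while leaving `https://somewhere/foo@bar` untouched. Also note that only `result['stderr']` on the `retcode != 0` branch is filtered; `result['stdout']` returned on success is passed through unchanged, which is fine for git's usual output but should be stated in the patch description so nobody assumes stdout is covered.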
This is possibly going to remove too much stuff if one has something
like <https://somewhere/foo@bar>?
Anyway, it's probably an acceptable loss compared to the various
security bug fixes, so it's probably a good idea to proceed anyway.
I'm tagging this with moreinfo for the time being, as some feedback from
your side would be welcome.
KiBi.