Bug#863129: jessie-pu: package salt/2014.1.13+ds-3

To: 863129@bugs.debian.org, Benjamin Drung <benjamin.drung@profitbricks.com>
Subject: Bug#863129: jessie-pu: package salt/2014.1.13+ds-3
From: "Adam D. Barratt" <adam@adam-barratt.org.uk>
Date: Wed, 13 Jun 2018 21:05:31 +0100
Message-id: <[🔎] 1528920331.2806.65.camel@adam-barratt.org.uk>
Reply-to: "Adam D. Barratt" <adam@adam-barratt.org.uk>, 863129@bugs.debian.org
In-reply-to: <20170627234405.GA2982@mraw.org>
References: <149545457456.10847.6129644182533314566.reportbug@konstrukt.pb.local> <20170627234405.GA2982@mraw.org> <149545457456.10847.6129644182533314566.reportbug@konstrukt.pb.local>

Ping? We're a few days away from closing the window for the final
jessie point release before it becomes LTS.

Regards,

Adam


On Wed, 2017-06-28 at 01:44 +0200, Cyril Brulebois wrote:
> Control: tag -1 moreinfo
> 
> Hi,
> 
> Comments below:
> 
> Benjamin Drung <benjamin.drung@profitbricks.com> (2017-05-22):
> > diff -Nru salt-2014.1.13+ds/debian/patches/CVE-2015-6918.patch
> > salt-2014.1.13+ds/debian/patches/CVE-2015-6918.patch
> > --- salt-2014.1.13+ds/debian/patches/CVE-2015-6918.patch	197
> > 0-01-01 01:00:00.000000000 +0100
> > +++ salt-2014.1.13+ds/debian/patches/CVE-2015-6918.patch	201
> > 7-04-18 12:18:56.000000000 +0200
> > @@ -0,0 +1,46 @@
> > +From 528916548726976dcc75626dc6f6641ceb206ee3 Mon Sep 17 00:00:00
> > 2001
> > +From: Tarjei Husøy <git@thusoy.com>
> > +Date: Wed, 19 Aug 2015 11:41:10 -0700
> > +Subject: [PATCH] Git: Don't leak https user/pw to log
> > +Origin: backport, https://github.com/saltstack/salt/commit/28aa9b1
> > 05804ff433d8f663b2f9b804f2b75495a
> > +
> > +---
> > + salt/modules/git.py            | 17 ++++++++++++++---
> > + tests/unit/modules/git_test.py | 18 ++++++++++++++++++
> > + 2 files changed, 32 insertions(+), 3 deletions(-)
> > +
> > +--- a/salt/modules/git.py
> > ++++ b/salt/modules/git.py
> > +@@ -5,6 +5,7 @@
> > + 
> > + # Import python libs
> > + import os
> > ++import re
> > + import tempfile
> > + try:
> > +     import pipes
> > +@@ -75,6 +76,7 @@
> > +     result = __salt__['cmd.run_all'](cmd,
> > +                                      cwd=cwd,
> > +                                      runas=runas,
> > ++                                     output_loglevel='quiet',
> > +                                      env=env,
> > +                                      **kwargs)
> > + 
> > +@@ -86,7 +88,15 @@
> > +     if retcode == 0:
> > +         return result['stdout']
> > +     else:
> > +-        raise exceptions.CommandExecutionError(result['stderr'])
> > ++        stderr = _remove_sensitive_data(result['stderr'])
> > ++        raise exceptions.CommandExecutionError(stderr)
> > ++
> > ++
> > ++def _remove_sensitive_data(sensitive_output):
> > ++    '''
> > ++        Remove HTTP user and password.
> > ++    '''
> > ++    return re.sub('(https?)://.*@', r'\1://<redacted>@',
> > sensitive_output)
> 
> This is possibly going to remove too much stuff if one has something
> like <https://somewhere/foo@bar>?
> 
> Anyway, it's probably an acceptable loss compared to the various
> security bug fixes, so it's probably a good idea to proceed anyway.
> 
> I'm tagging this with moreinfo for the time being, as some feedback
> from your side would be welcome.
> 
> 
> KiBi.

Reply to:

Prev by Date: Bug#834854: jessie-pu: package charybdis/3.4.2-5~deb8u1
Next by Date: Bug#821239: jessie-pu: package ledgersmb/1.3.40-1~deb8u1
Previous by thread: Bug#834854: jessie-pu: package charybdis/3.4.2-5~deb8u1
Next by thread: Bug#821239: jessie-pu: package ledgersmb/1.3.40-1~deb8u1
Index(es):
- Date
- Thread