Bug#863129: jessie-pu: package salt/2014.1.13+ds-3
Ping? We're a few days away from closing the window for the final
jessie point release before it becomes LTS.
Regards,
Adam
On Wed, 2017-06-28 at 01:44 +0200, Cyril Brulebois wrote:
> Control: tag -1 moreinfo
>
> Hi,
>
> Comments below:
>
> Benjamin Drung <benjamin.drung@profitbricks.com> (2017-05-22):
> > diff -Nru salt-2014.1.13+ds/debian/patches/CVE-2015-6918.patch
> > salt-2014.1.13+ds/debian/patches/CVE-2015-6918.patch
> > --- salt-2014.1.13+ds/debian/patches/CVE-2015-6918.patch 197
> > 0-01-01 01:00:00.000000000 +0100
> > +++ salt-2014.1.13+ds/debian/patches/CVE-2015-6918.patch 201
> > 7-04-18 12:18:56.000000000 +0200
> > @@ -0,0 +1,46 @@
> > +From 528916548726976dcc75626dc6f6641ceb206ee3 Mon Sep 17 00:00:00
> > 2001
> > +From: Tarjei Husøy <git@thusoy.com>
> > +Date: Wed, 19 Aug 2015 11:41:10 -0700
> > +Subject: [PATCH] Git: Don't leak https user/pw to log
> > +Origin: backport, https://github.com/saltstack/salt/commit/28aa9b1
> > 05804ff433d8f663b2f9b804f2b75495a
> > +
> > +---
> > + salt/modules/git.py | 17 ++++++++++++++---
> > + tests/unit/modules/git_test.py | 18 ++++++++++++++++++
> > + 2 files changed, 32 insertions(+), 3 deletions(-)
> > +
> > +--- a/salt/modules/git.py
> > ++++ b/salt/modules/git.py
> > +@@ -5,6 +5,7 @@
> > +
> > + # Import python libs
> > + import os
> > ++import re
> > + import tempfile
> > + try:
> > + import pipes
> > +@@ -75,6 +76,7 @@
> > + result = __salt__['cmd.run_all'](cmd,
> > + cwd=cwd,
> > + runas=runas,
> > ++ output_loglevel='quiet',
> > + env=env,
> > + **kwargs)
> > +
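Review bot: output_loglevel='quiet' drops the whole command result from the log, on success as well as on failure, which is a reasonable trade-off for a git wrapper that may be handed URLs with embedded credentials; but since this is a backport of a 2015 upstream commit into 2014.1.13, please confirm that cmd.run_all in this release actually honours output_loglevel rather than only the older quiet flag, because an unrecognised keyword would be swallowed by **kwargs without an error and this half of the fix would silently do nothing.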
> > +@@ -86,7 +88,15 @@
> > + if retcode == 0:
> > + return result['stdout']
> > + else:
> > +- raise exceptions.CommandExecutionError(result['stderr'])
> > ++ stderr = _remove_sensitive_data(result['stderr'])
> > ++ raise exceptions.CommandExecutionError(stderr)
> > ++
> > ++
> > ++def _remove_sensitive_data(sensitive_output):
> > ++ '''
> > ++ Remove HTTP user and password.
> > ++ '''
> > ++ return re.sub('(https?)://.*@', r'\1://<redacted>@',
> > sensitive_output)
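Review bot: the pattern '(https?)://.*@' in _remove_sensitive_data() is greedy, so '.*' runs to the last '@' on the line and redacts more than the credentials: a path containing '@' (https://somewhere/foo@bar becomes https://<redacted>@bar), and anything between a credentialed URL and a later e-mail address or second URL on the same line is replaced too, which can hide the host and path the user needs to diagnose the failure. RFC 3986 userinfo cannot contain an unencoded '/' or '@', so re.sub(r'(https?)://[^/\s@]+@', r'\1://<redacted>@', sensitive_output) would redact only user:password and leave the rest of the message intact. Note also that only the failure branch is filtered; result['stdout'] on the success path is returned unchanged.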
>
> This is possibly going to remove too much stuff if one has something
> like <https://somewhere/foo@bar>?
>
> Anyway, it's probably an acceptable loss compared to the various
> security bug fixes, so it's probably a good idea to proceed anyway.
>
> I'm tagging this with moreinfo for the time being, as some feedback
> from your side would be welcome.
>
>
> KiBi.
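The over-redaction Cyril asks about, as an added example that is not part of the bug report, the Debian package or Salt's own code: the regex from the quoted _remove_sensitive_data() run over a few constructed stderr lines, next to a tighter pattern that stops at the userinfo boundary. The tighter pattern, the sample lines and the secret 's3cr3t' are assumptions of this example.

```python
import re

# Redaction exactly as in the quoted CVE-2015-6918 backport: the greedy '.*'
# runs to the LAST '@' on the line ('.' does not cross newlines, so a
# multi-line stderr is handled line by line).
PATCHED_RE = re.compile(r'(https?)://.*@')

# Tighter alternative (an assumption of this example, not from the patch):
# RFC 3986 userinfo may not contain an unencoded '/' or '@', so stop at the
# first '/', whitespace or '@' after the scheme.
USERINFO_RE = re.compile(r'(https?)://[^/\s@]+@')


def redact_as_patched(text):
    """Apply the patch's _remove_sensitive_data() substitution verbatim."""
    return PATCHED_RE.sub(r'\1://<redacted>@', text)


def redact_userinfo_only(text):
    """Redact only the user:password part of http(s) URLs."""
    return USERINFO_RE.sub(r'\1://<redacted>@', text)


def leaks(text, secret):
    """True if the secret survived redaction."""
    return secret in text


# Constructed stderr lines (not real git output); the password is 's3cr3t'.
SAMPLES = {
    'simple': "fatal: Authentication failed for "
              "'https://deploy:s3cr3t@git.example.org/org/repo.git/'",
    'kibi': "see <https://somewhere/foo@bar> for details",
    'two_urls': "https://u:s3cr3t@a.example/repo and "
                "https://x:s3cr3t@b.example/repo",
    'email': "error at https://deploy:s3cr3t@git.example.org/org/repo.git "
             "(contact admin@example.org)",
}


def compare(name):
    """Return (patched, tightened) redactions of one sample line."""
    line = SAMPLES[name]
    return redact_as_patched(line), redact_userinfo_only(line)


if __name__ == '__main__':
    for name in SAMPLES:
        patched, tight = compare(name)
        print(name)
        print('  patched  :', patched)
        print('  tightened:', tight)
```

Both patterns hide the password in every sample; the difference is what else they take with it. On the 'kibi' line the patched pattern rewrites a URL that carries no credentials at all, and on the 'two_urls' and 'email' lines it swallows the first host, the path and the start of the next token, so the remaining message no longer says which repository failed.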