- To: Debian Bug Tracking System <submit@bugs.debian.org>
- Subject: jessie-pu: package salt/2014.1.13+ds-3
- From: Benjamin Drung <benjamin.drung@profitbricks.com>
- Date: Mon, 22 May 2017 14:02:54 +0200
- Message-id: <149545457456.10847.6129644182533314566.reportbug@konstrukt.pb.local>
Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian.org@packages.debian.org
Usertags: pu
Hi,
salt in jessie is affected by some security issues. Salvatore Bonaccorso
from the security team wrote: So we are basically down at
https://security-tracker.debian.org/tracker/source-package/salt to
no-dsa issues, so up to decide I guess if you still want a DSA or
rather go via the upcoming point release.
Thus the request for a SPU to fix four security bugs (debdiff
attached).
--
Benjamin Drung
System Developer
Debian & Ubuntu Developer
ProfitBricks GmbH
Greifswalder Str. 207
D - 10405 Berlin
Email: benjamin.drung@profitbricks.com
Web: https://www.profitbricks.com
Registered office: Berlin.
Register court: Amtsgericht Charlottenburg, HRB 125506B.
Managing Director: Achim Weiss.
diff -Nru salt-2014.1.13+ds/debian/changelog salt-2014.1.13+ds/debian/changelog
--- salt-2014.1.13+ds/debian/changelog 2015-02-13 06:27:53.000000000 +0100
+++ salt-2014.1.13+ds/debian/changelog 2017-05-22 13:34:40.000000000 +0200
@@ -1,3 +1,18 @@
+salt (2014.1.13+ds-3+deb8u1) jessie; urgency=high
+
+ [ Benjamin Drung ]
+ * Team upload.
+ * CVE-2015-6918: git module leaks authentication details into log
+ * CVE-2015-6941: user state displays passwords in debug log
+
+ [ Salvatore Bonaccorso ]
+ * CVE-2015-8034: Information leak from state.sls cache data stored as
+ world-readable (Closes: #807356)
+ * CVE-2016-3176: Insecure configuration of PAM external authentication
+ service (Closes: #819184)
+
+ -- Benjamin Drung <benjamin.drung@profitbricks.com> Mon, 22 May 2017 13:34:36 +0200
+
salt (2014.1.13+ds-3) unstable; urgency=medium
* [5273cd4] Added python-msgpack dependency. Closes: 777665
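Review bot: the two entries under [ Benjamin Drung ] (CVE-2015-6918 and CVE-2015-6941) carry no "Closes:" reference, unlike the two under [ Salvatore Bonaccorso ]; if Debian bugs have been filed for those two CVEs, add the bug numbers here so the upload closes them automatically, otherwise state in the upload request that no BTS bugs exist for them.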
diff -Nru salt-2014.1.13+ds/debian/patches/CVE-2015-6918.patch salt-2014.1.13+ds/debian/patches/CVE-2015-6918.patch
--- salt-2014.1.13+ds/debian/patches/CVE-2015-6918.patch 1970-01-01 01:00:00.000000000 +0100
+++ salt-2014.1.13+ds/debian/patches/CVE-2015-6918.patch 2017-04-18 12:18:56.000000000 +0200
@@ -0,0 +1,46 @@
+From 528916548726976dcc75626dc6f6641ceb206ee3 Mon Sep 17 00:00:00 2001
+From: Tarjei Husøy <git@thusoy.com>
+Date: Wed, 19 Aug 2015 11:41:10 -0700
+Subject: [PATCH] Git: Don't leak https user/pw to log
+Origin: backport, https://github.com/saltstack/salt/commit/28aa9b105804ff433d8f663b2f9b804f2b75495a
+
+---
+ salt/modules/git.py | 17 ++++++++++++++---
+ tests/unit/modules/git_test.py | 18 ++++++++++++++++++
+ 2 files changed, 32 insertions(+), 3 deletions(-)
+
+--- a/salt/modules/git.py
++++ b/salt/modules/git.py
+@@ -5,6 +5,7 @@
+
+ # Import python libs
+ import os
++import re
+ import tempfile
+ try:
+ import pipes
+@@ -75,6 +76,7 @@
+ result = __salt__['cmd.run_all'](cmd,
+ cwd=cwd,
+ runas=runas,
++ output_loglevel='quiet',
+ env=env,
+ **kwargs)
+
+@@ -86,7 +88,15 @@
+ if retcode == 0:
+ return result['stdout']
+ else:
+- raise exceptions.CommandExecutionError(result['stderr'])
++ stderr = _remove_sensitive_data(result['stderr'])
++ raise exceptions.CommandExecutionError(stderr)
++
++
++def _remove_sensitive_data(sensitive_output):
++ '''
++ Remove HTTP user and password.
++ '''
++ return re.sub('(https?)://.*@', r'\1://<redacted>@', sensitive_output)
+
+
+ def _git_getdir(cwd, user=None):
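Review bot: `_remove_sensitive_data` is applied only on the error branch (`stderr = _remove_sensitive_data(result['stderr'])` when `retcode != 0`); `return result['stdout']` on the success branch is unfiltered, so any git invocation whose stdout echoes the remote URL still hands the credentials to the caller and to whatever records the job return. Filtering `result['stdout']` the same way is cheap. The pattern `'(https?)://.*@'` is also greedy: `.*` runs to the last `@` on the line, so a line like `fatal: unable to access 'https://user:pw@host/repo' ... someone@example.org` is redacted well past the credentials (harmless, but it hides diagnostics); `r'(https?)://[^\s@/]*@'` limits the match to the userinfo part. Finally, the header diffstat lists `tests/unit/modules/git_test.py | 18 ++++++++++++++++++` but no hunk for that file follows; either drop the stale diffstat lines or carry the test along so the backport is covered.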
diff -Nru salt-2014.1.13+ds/debian/patches/CVE-2015-6941.patch salt-2014.1.13+ds/debian/patches/CVE-2015-6941.patch
--- salt-2014.1.13+ds/debian/patches/CVE-2015-6941.patch 1970-01-01 01:00:00.000000000 +0100
+++ salt-2014.1.13+ds/debian/patches/CVE-2015-6941.patch 2017-04-18 12:32:52.000000000 +0200
@@ -0,0 +1,33 @@
+From fdd35374562658f4a20767a3703fab93d92f9ca9 Mon Sep 17 00:00:00 2001
+From: twangboy <slee@saltstack.com>
+Date: Fri, 11 Sep 2015 16:39:47 -0600
+Subject: [PATCH] Replaced password with redacted when displayed
+Origin: backport, https://github.com/twangboy/salt/commit/c0689e32154c41f59840ae10ffc5fbfa30618710
+
+---
+ salt/states/user.py | 10 ++++++----
+ 1 file changed, 6 insertions(+), 4 deletions(-)
+
+--- a/salt/states/user.py
++++ b/salt/states/user.py
+@@ -362,6 +362,8 @@
+ ret['comment'] = ('The following user attributes are set to be '
+ 'changed:\n')
+ for key, val in changes.items():
++ if key == 'password':
++ val = 'XXX-REDACTED-XXX'
+ ret['comment'] += '{0}: {1}\n'.format(key, val)
+ return ret
+ # The user is present
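Review bot: the redaction here special-cases the single literal key `'password'` inside a loop that prints every key in `changes`; if another sensitive attribute is added to the changes dict later it will be printed verbatim, so a tuple of redacted keys (or a small helper shared with the second hunk, which hard-codes the same 'XXX-REDACTED-XXX' string twice more) would keep the three sites in sync.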
+@@ -480,9 +482,9 @@
+ if spost['passwd'] != password:
+ ret['comment'] = 'User {0} created but failed to set' \
+ ' password to' \
+- ' {1}'.format(name, password)
++ ' {1}'.format(name, 'XXX-REDACTED-XXX')
+ ret['result'] = False
+- ret['changes']['password'] = password
++ ret['changes']['password'] = 'XXX-REDACTED-XXX'
+ if date:
+ __salt__['shadow.set_date'](name, date)
+ spost = __salt__['shadow.info'](name)
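Review bot: in the failure branch the comment now reads "User {0} created but failed to set password to XXX-REDACTED-XXX"; the placeholder carries no information in that sentence, so dropping the " to {1}" clause and the second format argument reads better and removes the temptation to reintroduce the value later. `ret['changes']['password'] = 'XXX-REDACTED-XXX'` also means the changes dict now reports a constant rather than the new value, which is the right trade-off because job returns are persisted, but it is worth a line in the commit message. Indentation was lost in the mail rendering of this hunk, so it is not visible whether that assignment sits inside the `if spost['passwd'] != password:` branch or after it; please double-check the applied patch sets the redacted value on the normal success path as well.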
diff -Nru salt-2014.1.13+ds/debian/patches/CVE-2015-8034.patch salt-2014.1.13+ds/debian/patches/CVE-2015-8034.patch
--- salt-2014.1.13+ds/debian/patches/CVE-2015-8034.patch 1970-01-01 01:00:00.000000000 +0100
+++ salt-2014.1.13+ds/debian/patches/CVE-2015-8034.patch 2016-06-11 16:35:29.000000000 +0200
@@ -0,0 +1,43 @@
+From 097838ec0c52b1e96f7f761e5fb3cd7e79808741 Mon Sep 17 00:00:00 2001
+From: Mike Place <mp@saltstack.com>
+Date: Fri, 30 Oct 2015 15:05:36 -0600
+Subject: [PATCH] Wrap all cache calls in state.sls in correct umask
+
+Refs #28455
+---
+ salt/modules/state.py | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/salt/modules/state.py
++++ b/salt/modules/state.py
+@@ -366,12 +366,13 @@ def sls(mods,
+ )
+
+ st_ = salt.state.HighState(opts, pillar, kwargs.get('__pub_jid'))
+-
++ umask = os.umask(0o77)
+ if kwargs.get('cache'):
+ if os.path.isfile(cfn):
+ with salt.utils.fopen(cfn, 'rb') as fp_:
+ high_ = serial.load(fp_)
+ return st_.state.call_high(high_)
++ os.umask(umask)
+
+ if isinstance(mods, string_types):
+ mods = mods.split(',')
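Review bot: `umask = os.umask(0o77)` is restored by `os.umask(umask)` after the `if kwargs.get('cache'):` block, but `return st_.state.call_high(high_)` inside that block leaves the function with the restrictive umask still in effect for the rest of the process; wrap the block in try/finally or restore before the return. Note also that this block only reads `cfn` via `salt.utils.fopen(cfn, 'rb')` and creates nothing, so the umask change here protects no file by itself; the world-readable cache file is created on the write paths later in the function, which the following two hunks address.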
+@@ -407,7 +408,6 @@ def sls(mods,
+ except (IOError, OSError):
+ msg = 'Unable to write to "state.sls" cache file {0}'
+ log.error(msg.format(cache_file))
+- os.umask(cumask)
+ _set_retcode(ret)
+ # Work around Windows multiprocessing bug, set __opts__['test'] back to
+ # value from before this function was run.
+@@ -422,6 +422,7 @@ def sls(mods,
+ except (IOError, OSError):
+ msg = 'Unable to write to highstate cache file {0}. Do you have permissions?'
+ log.error(msg.format(cfn))
++ os.umask(cumask)
+ return ret
+
+
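Review bot: `os.umask(cumask)` is now restored only just before `return ret`, after both cache writes, which is correct for the two `except (IOError, OSError):` paths shown, but any other exception raised between the point where `cumask` was saved and this line leaves the process running with umask 0o77; in a forked job process that is mostly harmless, in a long-lived process it would silently tighten permissions on every later file creation. A `try: ... finally: os.umask(cumask)` around the whole write section, rather than a restore placed on one exit path, is the robust form.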
diff -Nru salt-2014.1.13+ds/debian/patches/CVE-2016-3176.patch salt-2014.1.13+ds/debian/patches/CVE-2016-3176.patch
--- salt-2014.1.13+ds/debian/patches/CVE-2016-3176.patch 1970-01-01 01:00:00.000000000 +0100
+++ salt-2014.1.13+ds/debian/patches/CVE-2016-3176.patch 2016-06-11 16:35:29.000000000 +0200
@@ -0,0 +1,56 @@
+From d73f70ebb289142e4f692359fe741a54f5d2ad65 Mon Sep 17 00:00:00 2001
+From: Daniel Wallace <dwallace@saltstack.com>
+Date: Fri, 11 Mar 2016 08:25:05 -0700
+Subject: [PATCH] Remove ability of authenticating user to specify pam service
+
+This should be set at the master level, so that whoever is
+authenticating has to conform to what is set by the administrator that
+setup salt.
+---
+ salt/auth/pam.py | 16 +++++++++++-----
+ 1 file changed, 11 insertions(+), 5 deletions(-)
+
+--- a/salt/auth/pam.py
++++ b/salt/auth/pam.py
+@@ -12,6 +12,13 @@ a user against the Pluggable Authenticat
+
+ Implemented using ctypes, so no compilation is necessary.
+
++There is one extra configuration option for pam. The `pam_service` that is
++authenticated against. This defaults to `login`
++
++.. code-block:: yaml
++
++ auth.pam.service: login
++
+ .. note:: PAM authentication will not work for the ``root`` user.
+
+ The Python interface to PAM does not support authenticating as ``root``.
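Review bot: the added docstring calls the option `pam_service` while the YAML example and the code use `auth.pam.service`; use the real key in the prose and end the sentence ("This defaults to `login`.") with a full stop. It would also help administrators to state here that the service is now fixed by the master configuration and can no longer be chosen by the authenticating client, since that is the behavioural change this patch makes.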
+@@ -120,7 +127,7 @@ def __virtual__():
+ return False
+
+
+-def authenticate(username, password, service='login'):
++def authenticate(username, password):
+ '''
+ Returns True if the given username and password authenticate for the
+ given service. Returns False otherwise
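Review bot: with the `service` parameter removed from `authenticate(username, password)`, any caller that still passes a third positional argument now gets a TypeError rather than a silent fallback; that is the intended outcome for the client-supplied case, but the commit message should say so explicitly so that packagers grepping for other in-tree callers know the break is deliberate.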
+@@ -128,10 +135,9 @@ def authenticate(username, password, ser
+ ``username``: the username to authenticate
+
+ ``password``: the password in plain text
+-
+- ``service``: the PAM service to authenticate against.
+- Defaults to 'login'
+ '''
++ service = __opts__.get('auth.pam.service', 'login')
++
+ @CONV_FUNC
+ def my_conv(n_messages, messages, p_response, app_data):
+ '''
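Review bot: the ``service`` entry is removed from the parameter list, but the sentence "authenticate for the given service" two lines above it still refers to a parameter that no longer exists; reword it to "for the PAM service configured as auth.pam.service". `service = __opts__.get('auth.pam.service', 'login')` is otherwise the right place for the lookup, since `__opts__` here is the master configuration rather than anything the client controls.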
+@@ -165,4 +171,4 @@ def auth(username, password, **kwargs):
+ '''
+ Authenticate via pam
+ '''
+- return authenticate(username, password, kwargs.get('service', 'login'))
++ return authenticate(username, password)
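Review bot: `kwargs.get('service', 'login')` is dropped, so a `service` key sent by a client is now silently ignored rather than rejected; consider logging at warning level when `'service' in kwargs` so that a master operator can spot clients that still try to select a PAM service (whether out of habit or as an attempt to exploit the old behaviour), and so that legitimate users understand why their login now goes through `auth.pam.service` instead.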
diff -Nru salt-2014.1.13+ds/debian/patches/series salt-2014.1.13+ds/debian/patches/series
--- salt-2014.1.13+ds/debian/patches/series 2015-02-13 06:06:38.000000000 +0100
+++ salt-2014.1.13+ds/debian/patches/series 2017-04-18 12:23:00.000000000 +0200
@@ -6,3 +6,7 @@
0175_releasenotes
remove_privacy_breaches
doc_fixes
+CVE-2015-6918.patch
+CVE-2015-6941.patch
+CVE-2015-8034.patch
+CVE-2016-3176.patch