Your message dated Fri, 02 Mar 2018 22:47:18 +0000
with message-id <e1ertsq-000hjb...@fasolo.debian.org>
and subject line Bug#872399: fixed in salt 2016.11.2+ds-1+deb9u1
has caused the Debian Bug report #872399,
regarding salt: CVE-2017-12791: Directory traversal vulnerability on 
salt-master via crafted minion IDs
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
872399: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=872399
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: salt
Version: 2016.11.5+ds-1
Severity: grave
Tags: security upstream patch
Forwarded: https://github.com/saltstack/salt/pull/42944

Hi,

the following vulnerability was published for salt.

CVE-2017-12791[0]:
Maliciously crafted minion IDs can cause unwanted directory traversals on the 
Salt-master

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-12791
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12791
[1] https://github.com/saltstack/salt/pull/42944
[2] https://github.com/saltstack/salt/commit/6366e05d0d70bd709cc4233c3faf32a759d0173a

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: salt
Source-Version: 2016.11.2+ds-1+deb9u1

We believe that the bug you reported is fixed in the latest version of
salt, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 872...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Ondřej Nový <on...@debian.org> (supplier of updated salt package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


Format: 1.8
Date: Mon, 22 Jan 2018 16:30:47 +0100
Source: salt
Binary: salt-common salt-master salt-minion salt-syndic salt-ssh salt-doc salt-cloud salt-api salt-proxy
Architecture: source all
Version: 2016.11.2+ds-1+deb9u1
Distribution: stretch
Urgency: medium
Maintainer: Debian Salt Team <pkg-salt-t...@lists.alioth.debian.org>
Changed-By: Ondřej Nový <on...@debian.org>
Description:
 salt-api   - Generic, modular network access system
 salt-cloud - public cloud VM management system
 salt-common - shared libraries that salt requires for all packages
 salt-doc   - additional documentation for salt, the distributed remote executi
 salt-master - remote manager to administer servers via salt
 salt-minion - client package for salt, the distributed remote execution system
 salt-proxy - Proxy client package for salt stack
 salt-ssh   - remote manager to administer servers via Salt SSH
 salt-syndic - master-of-masters for salt, the distributed remote execution syst
Closes: 851559 872399 879089 879090 887724
Changes:
 salt (2016.11.2+ds-1+deb9u1) stretch; urgency=medium
 .
   * Fix CVE-2017-12791: Directory traversal vulnerability on salt-master
     via crafted minion IDs (Closes: #872399)
   * Fix CVE-2017-14695: Directory traversal vulnerability in minion id
     validation in SaltStack (Closes: #879089)
   * Fix CVE-2017-14696: Remote Denial of Service with a specially crafted
     authentication request (Closes: #879090)
   * Check if data[return] is dict type (Closes: #887724)
   * Do not require sphinx-build for cleaning docs (Closes: #851559)

--- End Message ---