[Nix-commits] [NixOS/nixpkgs] 379144: salt: 2016.3.3 -> 2016.11.2 for multiple CVEs

Wed, 08 Feb 2017 18:25:56 -0800 

  Branch: refs/heads/master
  Home:   https://github.com/NixOS/nixpkgs
  Commit: 379144f54b2fa0e1568f72d58860393a1e09b92d
      
https://github.com/NixOS/nixpkgs/commit/379144f54b2fa0e1568f72d58860393a1e09b92d
  Author: Graham Christensen <[email protected]>
  Date:   2017-02-08 (Wed, 08 Feb 2017)

  Changed paths:
    M pkgs/tools/admin/salt/default.nix

  Log Message:
  -----------
  salt: 2016.3.3 -> 2016.11.2 for multiple CVEs

>From the Arch Linux advisory:

- CVE-2017-5192 (arbitrary code execution): The
  `LocalClient.cmd_batch()` method client does not accept
  `external_auth` credentials and so access to it from salt-api has
  been removed for now. This vulnerability allows code execution for
  already- authenticated users and is only in effect when running
  salt-api as the `root` user.

- CVE-2017-5200 (arbitrary command execution): Salt-api allows
  arbitrary command execution on a salt-master via Salt's ssh_client.
  Users of Salt-API and salt-ssh could execute a command on the salt
  master via a hole when both systems were enabled.



_______________________________________________
nix-commits mailing list
[email protected]
http://lists.science.uu.nl/mailman/listinfo/nix-commits

Reply via email to