Bug#888006: stretch-pu: package salt/2016.11.2+ds-1

2018-03-02 Thread Adam D. Barratt
Control: tags -1 + pending

On Wed, 2018-02-28 at 08:59 +0100, Ondrej Novy wrote:
> Hi,
> 
> 2018-02-27 19:34 GMT+01:00 Adam D. Barratt:
> > Thanks. Please feel free to upload.
> 
> uploaded, thank you.
> 

Flagged for acceptance into p-u.

Regards,

Adam



Bug#888006: stretch-pu: package salt/2016.11.2+ds-1

2018-02-28 Thread Ondrej Novy
Hi,

2018-02-27 19:34 GMT+01:00 Adam D. Barratt:

> Thanks. Please feel free to upload.
>

uploaded, thank you.

-- 
Best regards
 Ondřej Nový

Email: n...@ondrej.org
PGP: 3D98 3C52 EB85 980C 46A5  6090 3573 1255 9D1E 064B


Bug#888006: stretch-pu: package salt/2016.11.2+ds-1

2018-02-27 Thread Adam D. Barratt
Control: tags -1 + confirmed

On Mon, 2018-02-26 at 21:15 +0100, Ondrej Novy wrote:
> Control: tags -1 - moreinfo
> 
> 2018-02-26 20:38 GMT+01:00 Adam D. Barratt:
> > The metadata for #887724 indicates that it currently affects the salt
> > package in unstable; is that correct?
> 
> no, package in unstable is not affected. Bug metadata fixed, sry.
> 

Thanks. Please feel free to upload.

Regards,

Adam



Bug#888006: stretch-pu: package salt/2016.11.2+ds-1

2018-02-26 Thread Ondrej Novy
Control: tags -1 - moreinfo

2018-02-26 20:38 GMT+01:00 Adam D. Barratt:

> The metadata for #887724 indicates that it currently affects the salt
> package in unstable; is that correct?
>

no, package in unstable is not affected. Bug metadata fixed, sry.

-- 
Best regards
 Ondřej Nový

Email: n...@ondrej.org
PGP: 3D98 3C52 EB85 980C 46A5  6090 3573 1255 9D1E 064B


Bug#888006: stretch-pu: package salt/2016.11.2+ds-1

2018-02-26 Thread Adam D. Barratt
Control: tags -1 + moreinfo

On Mon, 2018-01-22 at 16:45 +0100, Ondřej Nový wrote:
> salt (2016.11.2+ds-1+deb9u1) stretch; urgency=medium
>   * Fix CVE-2017-12791: Directory traversal vulnerability on salt-master
>     via crafted minion IDs (Closes: #872399)
>   * Fix CVE-2017-14695: Directory traversal vulnerability in minion id
>     validation in SaltStack (Closes: #879089)
>   * Fix CVE-2017-14696: Remote Denial of Service with a specially crafted
>     authentication request (Closes: #879090)
>   * Check if data[return] is dict type (Closes: #887724)
>   * Do not require sphinx-build for cleaning docs (Closes: #851559)

The metadata for #887724 indicates that it currently affects the salt
package in unstable; is that correct?

Regards,

Adam



Bug#888006: stretch-pu: package salt/2016.11.2+ds-1

2018-01-22 Thread Ondřej Nový
Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian@packages.debian.org
Usertags: pu

Hi,

I would like to do a stable update, fixing 5 bugs (3 of them are security
issues).

salt (2016.11.2+ds-1+deb9u1) stretch; urgency=medium
  * Fix CVE-2017-12791: Directory traversal vulnerability on salt-master
    via crafted minion IDs (Closes: #872399)
  * Fix CVE-2017-14695: Directory traversal vulnerability in minion id
    validation in SaltStack (Closes: #879089)
  * Fix CVE-2017-14696: Remote Denial of Service with a specially crafted
    authentication request (Closes: #879090)
  * Check if data[return] is dict type (Closes: #887724)
  * Do not require sphinx-build for cleaning docs (Closes: #851559)

Built and tested on stretch. Full debdiff attached.

Thanks.

-- System Information:
Debian Release: buster/sid
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'oldstable-updates'), (500, 'unstable'), (500, 'testing'), (500, 'stable'), (500, 'oldstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 4.14.0-3-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
diff -Nru salt-2016.11.2+ds/debian/changelog salt-2016.11.2+ds/debian/changelog
--- salt-2016.11.2+ds/debian/changelog  2017-02-01 17:09:07.0 +0100
+++ salt-2016.11.2+ds/debian/changelog  2018-01-22 16:30:47.0 +0100
@@ -1,3 +1,16 @@
+salt (2016.11.2+ds-1+deb9u1) stretch; urgency=medium
+
+  * Fix CVE-2017-12791: Directory traversal vulnerability on salt-master
+via crafted minion IDs (Closes: #872399)
+  * Fix CVE-2017-14695: Directory traversal vulnerability in minion id
+validation in SaltStack (Closes: #879089)
+  * Fix CVE-2017-14696: Remote Denial of Service with a specially crafted
+authentication request (Closes: #879090)
+  * Check if data[return] is dict type (Closes: #887724)
+  * Do not require sphinx-build for cleaning docs (Closes: #851559)
+
+ -- Ondřej Nový   Mon, 22 Jan 2018 16:30:47 +0100
+
 salt (2016.11.2+ds-1) unstable; urgency=medium
 
   * New upstream bug-fix release. Security fixes:
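
Review bot: the new 2016.11.2+ds-1+deb9u1 entry names the three CVEs and their bug numbers but not the files under debian/patches that carry each fix, so the bullets cannot be matched to the patches in the rest of the debdiff without opening each one. Naming the patch file in each bullet would make that mapping explicit. The fourth bullet also writes data[return] where the patch subject has data['return']; using the same spelling in both keeps the changelog searchable against the patch.
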
diff -Nru 
salt-2016.11.2+ds/debian/patches/Check_if_data_return_is_dict_type.patch 
salt-2016.11.2+ds/debian/patches/Check_if_data_return_is_dict_type.patch
--- salt-2016.11.2+ds/debian/patches/Check_if_data_return_is_dict_type.patch
1970-01-01 01:00:00.0 +0100
+++ salt-2016.11.2+ds/debian/patches/Check_if_data_return_is_dict_type.patch
2018-01-22 15:00:58.0 +0100
@@ -0,0 +1,24 @@
+From 7c348159793a3642a558c373c5ab62b4f5e52291 Mon Sep 17 00:00:00 2001
+From: Mircea Ulinic 
+Date: Wed, 1 Feb 2017 12:17:34 +
+Subject: [PATCH] Check if data['return'] is dict type
+Origin: 
https://github.com/saltstack/salt/commit/7c348159793a3642a558c373c5ab62b4f5e52291
+
+---
+ salt/client/mixins.py | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/salt/client/mixins.py b/salt/client/mixins.py
+index 270528af83b..c703c166014 100644
+--- a/salt/client/mixins.py
 b/salt/client/mixins.py
+@@ -394,7 +394,8 @@ def _low(self, fun, low, print_event=True, 
full_return=False):
+ with 
tornado.stack_context.StackContext(self.functions.context_dict.clone):
+ data['return'] = self.functions[fun](*args, **kwargs)
+ data['success'] = True
+-if 'data' in data['return']:
++if isinstance(data['return'], dict) and 'data' in 
data['return']:
++# some functions can return boolean values
+ data['success'] = 
salt.utils.check_state_result(data['return']['data'])
+ except (Exception, SystemExit) as ex:
+ if isinstance(ex, salt.exceptions.NotImplemented):
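
Review bot: in the _low hunk, a boolean return value now skips check_state_result, so data['success'] keeps the True assigned on the line above even when the function returned False. Before this change the 'data' in data['return'] test raised on a boolean and fell into the except branch that follows, so the outcome for that case changes from the error path to a reported success. Please confirm that is intended and say so in the comment, or derive data['success'] from the boolean when the return value is not a dict. The added comment would also read better above the if than as the first line of its body.
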
diff -Nru salt-2016.11.2+ds/debian/patches/clean-doc-without-sphinx.patch 
salt-2016.11.2+ds/debian/patches/clean-doc-without-sphinx.patch
--- salt-2016.11.2+ds/debian/patches/clean-doc-without-sphinx.patch 
1970-01-01 01:00:00.0 +0100
+++ salt-2016.11.2+ds/debian/patches/clean-doc-without-sphinx.patch 
2018-01-22 15:00:58.0 +0100
@@ -0,0 +1,215 @@
+From 5b79a0a9f8018cee68ee20b89ea0fcda72dac8dc Mon Sep 17 00:00:00 2001
+From: Benjamin Drung 
+Date: Tue, 23 May 2017 17:08:34 +0200
+Subject: [PATCH] Do not require sphinx-build for cleaning docs
+Origin: 
https://github.com/saltstack/salt/commit/5b79a0a9f8018cee68ee20b89ea0fcda72dac8dc.patch
+
+In a minimal build environment (no sphinx), the package cannot initially
+clean itself because the upstream doc/Makefile checks for sphinx-build
+executable and Debian doesn't get any benefit of that.
+
+Thus do not check for the presence of sphinx-build when running the
+clean or help target by adding a phony check_sphinx-build that does the
+check
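
Review bot: the header of clean-doc-without-sphinx.patch, as far as it is visible here, gives Origin but no Bug-Debian field, although the changelog ties this patch to #851559; a Bug-Debian line pointing at that bug would link the patch to the report it closes. The Origin URL here ends in .patch while the one in Check_if_data_return_is_dict_type.patch points at the commit page; use one form for both.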