Bug#863129: jessie-pu: package salt/2014.1.13+ds-3

2018-06-13 Thread Adam D. Barratt
Ping? We're a few days away from closing the window for the final
jessie point release before it becomes LTS.

Regards,

Adam


On Wed, 2017-06-28 at 01:44 +0200, Cyril Brulebois wrote:
> Control: tag -1 moreinfo
> 
> Hi,
> 
> Comments below:
> 
> Benjamin Drung  (2017-05-22):
> > diff -Nru salt-2014.1.13+ds/debian/patches/CVE-2015-6918.patch
> > salt-2014.1.13+ds/debian/patches/CVE-2015-6918.patch
> > --- salt-2014.1.13+ds/debian/patches/CVE-2015-6918.patch197
> > 0-01-01 01:00:00.0 +0100
> > +++ salt-2014.1.13+ds/debian/patches/CVE-2015-6918.patch201
> > 7-04-18 12:18:56.0 +0200
> > @@ -0,0 +1,46 @@
> > +From 528916548726976dcc75626dc6f6641ceb206ee3 Mon Sep 17 00:00:00
> > 2001
> > +From: Tarjei Husøy 
> > +Date: Wed, 19 Aug 2015 11:41:10 -0700
> > +Subject: [PATCH] Git: Don't leak https user/pw to log
> > +Origin: backport, https://github.com/saltstack/salt/commit/28aa9b1
> > 05804ff433d8f663b2f9b804f2b75495a
> > +
> > +---
> > + salt/modules/git.py| 17 ++---
> > + tests/unit/modules/git_test.py | 18 ++
> > + 2 files changed, 32 insertions(+), 3 deletions(-)
> > +
> > +--- a/salt/modules/git.py
> >  b/salt/modules/git.py
> > +@@ -5,6 +5,7 @@
> > + 
> > + # Import python libs
> > + import os
> > ++import re
> > + import tempfile
> > + try:
> > + import pipes
> > +@@ -75,6 +76,7 @@
> > + result = __salt__['cmd.run_all'](cmd,
> > +  cwd=cwd,
> > +  runas=runas,
> > ++ output_loglevel='quiet',
> > +  env=env,
> > +  **kwargs)
> > + 
> > +@@ -86,7 +88,15 @@
> > + if retcode == 0:
> > + return result['stdout']
> > + else:
> > +-raise exceptions.CommandExecutionError(result['stderr'])
> > ++stderr = _remove_sensitive_data(result['stderr'])
> > ++raise exceptions.CommandExecutionError(stderr)
> > ++
> > ++
> > ++def _remove_sensitive_data(sensitive_output):
> > ++'''
> > ++Remove HTTP user and password.
> > ++'''
> > ++return re.sub('(https?)://.*@', r'\1://@',
> > sensitive_output)
> 
> This is possibly going to remove too much stuff if one has something
> like ?
> 
> Anyway, it's probably an acceptable loss compared to the various
> security bug fixes, so it's probably a good idea to proceed anyway.
> 
> I'm tagging this with moreinfo for the time being, as some feedback
> from your side would be welcome.
> 
> 
> KiBi.



Bug#863129: jessie-pu: package salt/2014.1.13+ds-3

2017-06-27 Thread Cyril Brulebois
Control: tag -1 moreinfo

Hi,

Comments below:

Benjamin Drung  (2017-05-22):
> diff -Nru salt-2014.1.13+ds/debian/patches/CVE-2015-6918.patch 
> salt-2014.1.13+ds/debian/patches/CVE-2015-6918.patch
> --- salt-2014.1.13+ds/debian/patches/CVE-2015-6918.patch  1970-01-01 
> 01:00:00.0 +0100
> +++ salt-2014.1.13+ds/debian/patches/CVE-2015-6918.patch  2017-04-18 
> 12:18:56.0 +0200
> @@ -0,0 +1,46 @@
> +From 528916548726976dcc75626dc6f6641ceb206ee3 Mon Sep 17 00:00:00 2001
> +From: Tarjei Husøy 
> +Date: Wed, 19 Aug 2015 11:41:10 -0700
> +Subject: [PATCH] Git: Don't leak https user/pw to log
> +Origin: backport, 
> https://github.com/saltstack/salt/commit/28aa9b105804ff433d8f663b2f9b804f2b75495a
> +
> +---
> + salt/modules/git.py| 17 ++---
> + tests/unit/modules/git_test.py | 18 ++
> + 2 files changed, 32 insertions(+), 3 deletions(-)
> +
> +--- a/salt/modules/git.py
>  b/salt/modules/git.py
> +@@ -5,6 +5,7 @@
> + 
> + # Import python libs
> + import os
> ++import re
> + import tempfile
> + try:
> + import pipes
> +@@ -75,6 +76,7 @@
> + result = __salt__['cmd.run_all'](cmd,
> +  cwd=cwd,
> +  runas=runas,
> ++ output_loglevel='quiet',
> +  env=env,
> +  **kwargs)
> + 
> +@@ -86,7 +88,15 @@
> + if retcode == 0:
> + return result['stdout']
> + else:
> +-raise exceptions.CommandExecutionError(result['stderr'])
> ++stderr = _remove_sensitive_data(result['stderr'])
> ++raise exceptions.CommandExecutionError(stderr)
> ++
> ++
> ++def _remove_sensitive_data(sensitive_output):
> ++'''
> ++Remove HTTP user and password.
> ++'''
> ++return re.sub('(https?)://.*@', r'\1://@', sensitive_output)

This is possibly going to remove too much stuff if one has something
like ?

Anyway, it's probably an acceptable loss compared to the various
security bug fixes, so it's probably a good idea to proceed anyway.

I'm tagging this with moreinfo for the time being, as some feedback from
your side would be welcome.


KiBi.


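The over-matching Cyril describes above, shown as an added example that is neither Salt's code nor part of this thread: the regex from the backported patch beside a narrower alternative (an assumption of this example) that strips only the `user:password` component, both run over constructed lines in the shape of git stderr.

```python
import re

# Pattern as it appears in the CVE-2015-6918 backport: the greedy '.*'
# runs to the LAST '@' on the line, so hostname and path go with it.
PATCHED_PATTERN = re.compile(r'(https?)://.*@')

# Narrower alternative (an assumption of this example, not Salt's code):
# match only the userinfo component, i.e. the run of characters between
# '://' and the first '@' that contains no '/', '@' or whitespace.
USERINFO_PATTERN = re.compile(r'(https?://)[^/@\s]+@')


def redact_patched(text):
    """Redaction exactly as the backported patch performs it."""
    return PATCHED_PATTERN.sub(r'\1://@', text)


def redact_userinfo(text):
    """Redaction limited to the user:password part of the URL."""
    return USERINFO_PATTERN.sub(r'\1<redacted>@', text)


# Constructed sample lines in the shape of git stderr; not real output.
SAMPLES = [
    "fatal: unable to access 'https://deploy:s3cr3t@git.example.com/org/repo.git/': Could not resolve host",
    "remote: access denied for 'https://alice:hunter2@git.example.com/org/repo.git', contact admin@example.com",
    "warning: redirecting to https://git.example.com/org/repo.git/ (reported by admin@example.com)",
    "fatal: repository 'https://git.example.com/org/repo.git/' not found",
]
# The constructed secrets that must never survive redaction.
SECRETS = ["s3cr3t", "hunter2"]


def compare(samples=SAMPLES, secrets=SECRETS):
    """Return, per sample, both redactions and whether each still leaks a secret."""
    rows = []
    for line in samples:
        patched = redact_patched(line)
        narrow = redact_userinfo(line)
        rows.append({
            "original": line,
            "patched": patched,
            "patched_leaks": any(s in patched for s in secrets),
            "userinfo": narrow,
            "userinfo_leaks": any(s in narrow for s in secrets),
        })
    return rows


if __name__ == "__main__":
    for row in compare():
        print(row["original"])
        print("  patch :", row["patched"])
        print("  narrow:", row["userinfo"])
```

Both patterns remove the constructed secrets from every sample, which is the property a unit test like the one in the patch checks. The difference shows on the second and third lines: the greedy pattern discards the host, path and everything up to the trailing e-mail address, and on the third line it does so even though the URL carried no credentials at all, whereas the userinfo-only pattern leaves the rest of the message intact for debugging.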


Processed: Re: Bug#863129: jessie-pu: package salt/2014.1.13+ds-3

2017-06-27 Thread Debian Bug Tracking System
Processing control commands:

> tag -1 moreinfo
Bug #863129 [release.debian.org] jessie-pu: package salt/2014.1.13+ds-3
Added tag(s) moreinfo.

-- 
863129: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=863129
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#863129: jessie-pu: package salt/2014.1.13+ds-3

2017-05-22 Thread Benjamin Drung
Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian@packages.debian.org
Usertags: pu

Hi,

salt in jessie is affected by some security issues. Salvatore Bonaccorso
from the security team wrote: "So we are basically down at
https://security-tracker.debian.org/tracker/source-package/salt to
no-dsa issues, so up to decide I guess if you still want a DSA or
rather go via the upcoming point release."

Thus the request for an SPU to fix four security bugs (debdiff
attached).

-- 
Benjamin Drung
System Developer
Debian & Ubuntu Developer

ProfitBricks GmbH
Greifswalder Str. 207
D - 10405 Berlin

Email: benjamin.dr...@profitbricks.com
Web: https://www.profitbricks.com

Registered office: Berlin.
Register court: Amtsgericht Charlottenburg, HRB 125506B.
Managing director: Achim Weiss.
diff -Nru salt-2014.1.13+ds/debian/changelog salt-2014.1.13+ds/debian/changelog
--- salt-2014.1.13+ds/debian/changelog  2015-02-13 06:27:53.0 +0100
+++ salt-2014.1.13+ds/debian/changelog  2017-05-22 13:34:40.0 +0200
@@ -1,3 +1,18 @@
+salt (2014.1.13+ds-3+deb8u1) jessie; urgency=high
+
+  [ Benjamin Drung ]
+  * Team upload.
+  * CVE-2015-6918: git module leaks authentication details into log
+  * CVE-2015-6941: user state displays passwords in debug log
+
+  [ Salvatore Bonaccorso ]
+  * CVE-2015-8034: Information leak from state.sls cache data stored as
+world-readable (Closes: #807356)
+  * CVE-2016-3176: Insecure configuration of PAM external authentication
+service (Closes: #819184)
+
+ -- Benjamin Drung   Mon, 22 May 2017 
13:34:36 +0200
+
 salt (2014.1.13+ds-3) unstable; urgency=medium
 
   * [5273cd4] Added python-msgpack dependency. Closes: 777665
diff -Nru salt-2014.1.13+ds/debian/patches/CVE-2015-6918.patch 
salt-2014.1.13+ds/debian/patches/CVE-2015-6918.patch
--- salt-2014.1.13+ds/debian/patches/CVE-2015-6918.patch1970-01-01 
01:00:00.0 +0100
+++ salt-2014.1.13+ds/debian/patches/CVE-2015-6918.patch2017-04-18 
12:18:56.0 +0200
@@ -0,0 +1,46 @@
+From 528916548726976dcc75626dc6f6641ceb206ee3 Mon Sep 17 00:00:00 2001
+From: Tarjei Husøy 
+Date: Wed, 19 Aug 2015 11:41:10 -0700
+Subject: [PATCH] Git: Don't leak https user/pw to log
+Origin: backport, 
https://github.com/saltstack/salt/commit/28aa9b105804ff433d8f663b2f9b804f2b75495a
+
+---
+ salt/modules/git.py| 17 ++---
+ tests/unit/modules/git_test.py | 18 ++
+ 2 files changed, 32 insertions(+), 3 deletions(-)
+
+--- a/salt/modules/git.py
 b/salt/modules/git.py
+@@ -5,6 +5,7 @@
+ 
+ # Import python libs
+ import os
++import re
+ import tempfile
+ try:
+ import pipes
+@@ -75,6 +76,7 @@
+ result = __salt__['cmd.run_all'](cmd,
+  cwd=cwd,
+  runas=runas,
++ output_loglevel='quiet',
+  env=env,
+  **kwargs)
+ 
+@@ -86,7 +88,15 @@
+ if retcode == 0:
+ return result['stdout']
+ else:
+-raise exceptions.CommandExecutionError(result['stderr'])
++stderr = _remove_sensitive_data(result['stderr'])
++raise exceptions.CommandExecutionError(stderr)
++
++
++def _remove_sensitive_data(sensitive_output):
++'''
++Remove HTTP user and password.
++'''
++return re.sub('(https?)://.*@', r'\1://@', sensitive_output)
+ 
+ 
+ def _git_getdir(cwd, user=None):
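Review bot: `_remove_sensitive_data` in the last inner hunk of this patch file, `re.sub('(https?)://.*@', r'\1://@', sensitive_output)`, uses a greedy `.*`, so on any stderr line that mentions the URL and then another `@` further on (an e-mail address, a second URL) it erases everything up to the last `@` on that line, hostname and path included, and a line whose URL carried no credentials at all still loses its host. Restricting the match to the userinfo component, e.g. `re.sub(r'(https?://)[^/@\s]+@', r'\1<redacted>@', sensitive_output)`, still strips `user:password` while keeping the rest of the message readable. The `output_loglevel='quiet'` addition in the second inner hunk is what stops the git command line (and so the URL) from being logged by `cmd.run_all`; since it also silences the command's normal output in the log, it deserves a sentence in the patch description.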
diff -Nru salt-2014.1.13+ds/debian/patches/CVE-2015-6941.patch 
salt-2014.1.13+ds/debian/patches/CVE-2015-6941.patch
--- salt-2014.1.13+ds/debian/patches/CVE-2015-6941.patch1970-01-01 
01:00:00.0 +0100
+++ salt-2014.1.13+ds/debian/patches/CVE-2015-6941.patch2017-04-18 
12:32:52.0 +0200
@@ -0,0 +1,33 @@
+From fdd35374562658f4a20767a3703fab93d92f9ca9 Mon Sep 17 00:00:00 2001
+From: twangboy 
+Date: Fri, 11 Sep 2015 16:39:47 -0600
+Subject: [PATCH] Replaced password with redacted when displayed
+Origin: backport, 
https://github.com/twangboy/salt/commit/c0689e32154c41f59840ae10ffc5fbfa30618710
+
+---
+ salt/states/user.py | 10 ++
+ 1 file changed, 6 insertions(+), 4 deletions(-)
+
+--- a/salt/states/user.py
 b/salt/states/user.py
+@@ -362,6 +362,8 @@
+ ret['comment'] = ('The following user attributes are set to be '
+   'changed:\n')
+ for key, val in changes.items():
++if key == 'password':
++val = 'XXX-REDACTED-XXX'
+ ret['comment'] += '{0}: {1}\n'.format(key, val)
+ return ret
+ # The user is present
+@@ -480,9 +482,9 @@
+ if spost['passwd'] != password:
+ ret['comment'] = 'User {0} created but failed to set' 
\
+  ' password to' \
+-