Branch: refs/heads/master Home: https://github.com/NixOS/nixpkgs Commit: 379144f54b2fa0e1568f72d58860393a1e09b92d https://github.com/NixOS/nixpkgs/commit/379144f54b2fa0e1568f72d58860393a1e09b92d Author: Graham Christensen <gra...@grahamc.com> Date: 2017-02-08 (Wed, 08 Feb 2017)
Changed paths: M pkgs/tools/admin/salt/default.nix Log Message: ----------- salt: 2016.3.3 -> 2016.11.2 for multiple CVEs >From the Arch Linux advisory: - CVE-2017-5192 (arbitrary code execution): The `LocalClient.cmd_batch()` method client does not accept `external_auth` credentials and so access to it from salt-api has been removed for now. This vulnerability allows code execution for already- authenticated users and is only in effect when running salt-api as the `root` user. - CVE-2017-5200 (arbitrary command execution): Salt-api allows arbitrary command execution on a salt-master via Salt's ssh_client. Users of Salt-API and salt-ssh could execute a command on the salt master via a hole when both systems were enabled.
_______________________________________________ nix-commits mailing list nix-comm...@lists.science.uu.nl http://lists.science.uu.nl/mailman/listinfo/nix-commits