From ${URL} :

Vulnerabilities in win_useradd, salt-cloud and the Linode driver were found:

* win_useradd returned data including the password of the newly created user
* salt-cloud debug output contained win_password and sudo_password authentication credentials
* Linode driver displayed authentication credentials in debug logs

Upstream patch:
https://github.com/twangboy/salt/commit/c0689e32154c41f59840ae10ffc5fbfa30618710

External reference:
https://docs.saltstack.com/en/latest/topics/releases/2015.8.1.html
https://docs.saltstack.com/en/latest/topics/releases/2015.5.6.html

@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.

https://github.com/gentoo/gentoo/pull/327

app-admin/salt: Bumps to fix bug#563508 and CVE-2015-6941

Gentoo-Bug: 563508
CVE: CVE-2015-6941 - salt: win_useradd module and salt-cloud display passwords in debug log

Package-Manager: portage-2.2.23

commit 0b662c556eab0c2468036e152473c2fba454ea21
Author: Elias Probst <mail@eliasprobst.eu>
Date:   Thu Nov 5 08:14:23 2015 +0100

    app-admin/salt: Bumps to fix bug#563508 and CVE-2015-6941

    Drop `salt-2015.5.0-archive-test.patch` from salt-2015.5.6.ebuild
    (upstream fix in @81a0d4c9)

    Gentoo-Bug: 563508
    CVE: CVE-2015-6941 - salt: win_useradd module and salt-cloud display passwords in debug log

    Package-Manager: portage-2.2.23

Tree is clean now

commit 8d979c150527855721e3838923313a1ea122f7d5
Author: Justin Lecher <jlec@gentoo.org>
Date:   Fri Nov 6 08:58:19 2015 +0100

    app-admin/salt: Drop vulnerable versions

    Gentoo-Bug: https://bugs.gentoo.org/show_bug.cgi?id=563508

    Package-Manager: portage-2.2.23
    Signed-off-by: Justin Lecher <jlec@gentoo.org>

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=8d979c150527855721e3838923313a1ea122f7d5

Previous comments show the new versions that were committed to the tree and vulnerable versions that were dropped. Upstream github verifies the patch is present in 5.6 and 8.1, thus future versions are good as well.

GLSA Vote: No