Bug 569880 (CVE-2015-8034) - <app-admin/salt-2015.8.3: Saving state.sls cache data to disk with insecure permissions (CVE-2015-8034)
Status: RESOLVED FIXED
Alias: CVE-2015-8034
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
Whiteboard: ~3 [noglsa/cve]
Reported: 2015-12-27 03:09 UTC by Manuel Rüger (RETIRED)
Modified: 2016-04-04 04:05 UTC
Description Manuel Rüger (RETIRED) gentoo-dev 2015-12-27 03:09:43 UTC
CVE-2015-8034: Saving state.sls cache data to disk with insecure permissions

This affects users of the state.sls function. The state run cache on the minion was being created with incorrect permissions. This file could potentially contain sensitive data that was inserted via jinja into the state SLS files. The permissions for this file are now being set correctly. Thanks to @zmalone for bringing this issue to our attention.
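The failure mode described in the report above, as an added example (not Salt's code and not part of the original bug): a cache file written with a plain `open()` inherits the process umask, a writer that requests `0o600` does not, and an audit function flags whatever is still exposed. The function names, file names, sample secret and temporary directory are all constructed for illustration.

```python
import os
import stat
import tempfile

def write_cache_insecure(path, data):
    # Plain open(): mode is 0o666 masked by the umask (0o644 under umask 022).
    with open(path, "w") as fh:
        fh.write(data)

def write_cache_restricted(path, data):
    # Request 0o600 at creation so the file is never readable by others, even briefly.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        # O_CREAT's mode is ignored for a file that already exists, so tighten it too.
        os.fchmod(fh.fileno(), 0o600)
        fh.write(data)

def find_exposed(directory):
    """Return regular files under directory that group or other can read or write."""
    exposed = []
    for root, _dirs, files in os.walk(directory):
        for name in files:
            full = os.path.join(root, name)
            st = os.lstat(full)
            if stat.S_ISREG(st.st_mode) and st.st_mode & 0o066:
                exposed.append((full, oct(stat.S_IMODE(st.st_mode))))
    return sorted(exposed)

def demo():
    old = os.umask(0o022)  # common default umask, set explicitly so the result is repeatable
    try:
        with tempfile.TemporaryDirectory() as d:  # constructed stand-in for a cache directory
            secret = "db_password: constructed-sample\n"  # constructed sample data
            write_cache_insecure(os.path.join(d, "insecure.cache"), secret)
            write_cache_restricted(os.path.join(d, "restricted.cache"), secret)
            # A file left behind with loose permissions must be tightened on rewrite.
            write_cache_insecure(os.path.join(d, "rewritten.cache"), secret)
            write_cache_restricted(os.path.join(d, "rewritten.cache"), secret)
            return [(os.path.basename(p), m) for p, m in find_exposed(d)]
    finally:
        os.umask(old)

if __name__ == "__main__":
    print(demo())
```

Upgrading to a fixed version does not by itself change the mode of a cache file that an older version already wrote, which is why the restricted writer also tightens an existing file and why an audit pass over the cache directory is worth running after the update.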
Comment 1 Yury German Gentoo Infrastructure gentoo-dev 2015-12-31 07:56:55 UTC
Maintainer(s), please drop the vulnerable version(s).
Comment 2 Yury German Gentoo Infrastructure gentoo-dev 2016-01-26 02:20:19 UTC
It has been 30 days since cleanup was requested.
Maintainer(s), please drop the vulnerable version(s).
Comment 3 Patrick McLean gentoo-dev 2016-01-26 20:01:04 UTC
Vulnerable versions dropped

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=dcafe3c0e0de0634372e32fbc560a732efc9be37
Comment 4 Yury German Gentoo Infrastructure gentoo-dev 2016-02-25 16:26:45 UTC
Thank you all for your work.
Closing as [noglsa].