From ${URL} : This issue involves passing an alternative PAM authentication service with a command that is sent to LocalClient, enabling the attacker to bypass the configured authentication service. External references: https://docs.saltstack.com/en/latest/topics/releases/2015.5.10.html https://docs.saltstack.com/en/latest/topics/releases/2015.8.8.html @maintainer(s): since the fixed version is already in the tree, please remove the affected versions.
CVE-2016-3176 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-3176): This issue affects all Salt versions prior to 2015.8.8/2015.5.10 when PAM external authentication is enabled. This issue involves passing an alternative PAM authentication service with a command that is sent to LocalClient, enabling the attacker to bypass the configured authentication service. Thank you to Dylan Frese <dmfrese@gmail.com> for bringing this issue to our attention.
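A triage check for the two conditions this advisory names (a Salt version prior to 2015.5.10/2015.8.8, and PAM external authentication enabled), added here as an example and not part of the bug report or of Salt. The function names are hypothetical, the config scan is a simplified line-based reading of the master's `external_auth` block rather than a full YAML parse, and the sample config is constructed.

```python
import re

# Fixed releases named in the advisory, keyed by release branch (year, month).
FIXED = {(2015, 5): (2015, 5, 10), (2015, 8): (2015, 8, 8)}

def parse_version(text):
    """Extract (year, month, patch) from e.g. '2015.8.3' or 'salt-2015.5.9-r1'."""
    m = re.search(r"(\d{4})\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unrecognised Salt version: {text!r}")
    return tuple(int(g) for g in m.groups())

def version_affected(text):
    """True if the version predates the fixed release on its branch."""
    v = parse_version(text)
    # Branches without their own fixed release are compared to the oldest fix.
    return v < FIXED.get(v[:2], (2015, 5, 10))

def pam_eauth_enabled(master_config):
    """Simplified line scan: is 'pam' a direct child of top-level 'external_auth'?"""
    inside, child_indent = False, None
    for raw in master_config.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        if indent == 0:
            inside, child_indent = line.startswith("external_auth:"), None
        elif inside:
            if child_indent is None:
                child_indent = indent
            if indent == child_indent and line.split(":")[0].strip() == "pam":
                return True
    return False

def exposed(version, master_config):
    """Both advisory conditions hold: unfixed version and PAM eauth in use."""
    return version_affected(version) and pam_eauth_enabled(master_config)

# Constructed sample master config (not taken from the bug report).
SAMPLE_CONFIG = """\
# /etc/salt/master (excerpt)
external_auth:
  pam:
    fred:
      - test.*
"""

if __name__ == "__main__":
    for ver in ("2015.5.9", "2015.5.10", "2015.8.7", "2015.8.8", "2014.7.0"):
        print(ver, "exposed" if exposed(ver, SAMPLE_CONFIG) else "not exposed")
```

The scan reads only the text it is given, so settings pulled in from included files need to be passed in as well.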
Only =app-admin/salt-2015.8.8 is in the tree. @maintainer, please bump the 2015.5.x series to =app-admin/salt-2015.5.10. Once complete, please remove the vulnerable versions or backport any patches.
@maintainer, please clean up the vulnerable versions.
Cleaned: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=c80253bc63a2e1d903ce8ffdc791dc271ce1e77b