Details not yet published: https://saltproject.io/active-saltstack-cve-announced-2021-jan-21/. "Most of these, we expect the Common Vulnerability Scoring System (CVSS) rating to be high or critical. We quickly took actions to remediate once made aware of the vulnerabilities. We are preparing a CVE release to be generally available on Thursday, February 4th around Noon MST. The CVE packages will be available for 3002.3, 3001.5, and 3000.7 and patches for older versions."
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=d56cf5f52d56b74774c234512f9be1610cd2c11f commit d56cf5f52d56b74774c234512f9be1610cd2c11f Author: Patrick McLean <patrick.mclean@sony.com> AuthorDate: 2021-02-27 02:31:38 +0000 Commit: Patrick McLean <chutzpah@gentoo.org> CommitDate: 2021-02-27 02:32:32 +0000 app-admin/salt-3000.8: Version bump for sec bug #767919 Bug: https://bugs.gentoo.org/767919 Copyright: Sony Interactive Entertainment Inc. Package-Manager: Portage-3.0.15, Repoman-3.0.2 Signed-off-by: Patrick McLean <chutzpah@gentoo.org> app-admin/salt/Manifest | 1 + app-admin/salt/files/salt-3000.8-tests.patch | 0 app-admin/salt/salt-3000.8.ebuild | 203 +++++++++++++++++++++++++++ 3 files changed, 204 insertions(+) https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=e3231439b24ee57a2641fedda919b60c7c3df91a commit e3231439b24ee57a2641fedda919b60c7c3df91a Author: Patrick McLean <patrick.mclean@sony.com> AuthorDate: 2021-02-27 00:29:01 +0000 Commit: Patrick McLean <chutzpah@gentoo.org> CommitDate: 2021-02-27 02:32:32 +0000 app-admin/salt-3001.6: Version bump (sec bug #767919) Bug: https://bugs.gentoo.org/767919 Copyright: Sony Interactive Entertainment Inc. Package-Manager: Portage-3.0.15, Repoman-3.0.2 Signed-off-by: Patrick McLean <chutzpah@gentoo.org> app-admin/salt/Manifest | 1 + app-admin/salt/files/salt-3001.6-tests.patch | 18 +++ app-admin/salt/salt-3000.6.ebuild | 7 +- app-admin/salt/salt-3001.6.ebuild | 187 +++++++++++++++++++++++++++ 4 files changed, 210 insertions(+), 3 deletions(-) https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=ab17e261731e37aa084815c3e1081d7a1bdebf3e commit ab17e261731e37aa084815c3e1081d7a1bdebf3e Author: Patrick McLean <patrick.mclean@sony.com> AuthorDate: 2021-02-26 23:48:17 +0000 Commit: Patrick McLean <chutzpah@gentoo.org> CommitDate: 2021-02-27 02:32:32 +0000 app-admin/salt-3002.5: Version bump (sec bug #767919) Bug: https://bugs.gentoo.org/767919 Copyright: Sony Interactive Entertainment Inc. Package-Manager: Portage-3.0.15, Repoman-3.0.2 Signed-off-by: Patrick McLean <chutzpah@gentoo.org> app-admin/salt/Manifest | 1 + app-admin/salt/files/salt-3002.5-tests.patch | 30 +++++ app-admin/salt/salt-3002.5.ebuild | 187 +++++++++++++++++++++++++++ 3 files changed, 218 insertions(+)
Thanks! Please stabilize when ready. CVE-2021-3197 Impact: the SaltAPI with the SSH module installed and running on the minion. This module is not running by default. Description: The Salt-API’s SSH client is vulnerable to a shell injection by including ProxyCommand in an argument, or via ssh_options provided in an API request. CVE-2021-25281 Impact: The SaltAPI does not honor eauth credentials for the wheel_async client. Thus, an attacker can remotely run any wheel modules on the master. Description: The Salt-API does not have eAuth credentials for the wheel_async client CVE-2021-25282 Impact: Unauthorized access wheel_async through salt-api can execute arbitrarily code/command. Description: The salt.wheel.pillar_roots.write method is vulnerable to directory traversal. CVE-2021-25283 Impact: Via the SaltAPI fix directory traversal in wheel.pillar_roots.write Description: The jinja renderer does not protect against server-side template injection attacks. CVE-2021-25284 Impact: Run a highstate against a machine which doesn’t already have the htpasswd file created and errors are reported but the state is applied, correctly. This issue is not present in a default configuration of Salt. Description: webutils write passwords in cleartext to /var/log/salt/minion CVE-2021-3148 Impact: Via the SaltAPI a command is constructed from formatted string and can be truncated if there are single quotes in extra_mods, since json.dumps() escapes double quotes while leaving the single quotes untouched. Description: command injection in salt.utils.thin.gen_thin() CVE-2020-35662 Impact: SSL cert not verified by default Description: Several places where Salt was not verifying the SSL cert by default CVE-2021-3144 Impact: eauth tokens can be used once after expiration Description: Token can be used once after expiration CVE-2020-28972 Impact: Code base not validating SSL/TLS certificate of the server, which might allow attackers to obtain sensitive information via a man-in-the-middle attack Description: Missing validation on SSL cert CVE-2020-28243 Impact: A privilege escalation is possible on a SaltStack minion when an unprivileged user is able to create files in any non-blacklisted directory via a command injection in a process name. Description: Local Privilege Escalation in the Minion
Let's roll?
amd64 stable
x86 done all arches done
Please cleanup
New GLSA request filed.
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=a31909a9b4c2ac85ba6d1bd4f8b605f3594a560c commit a31909a9b4c2ac85ba6d1bd4f8b605f3594a560c Author: Thomas Deutschmann <whissi@gentoo.org> AuthorDate: 2021-03-31 11:42:58 +0000 Commit: Thomas Deutschmann <whissi@gentoo.org> CommitDate: 2021-03-31 11:43:07 +0000 app-admin/salt: security cleanup Bug: https://bugs.gentoo.org/767919 Package-Manager: Portage-3.0.18, Repoman-3.0.3 Signed-off-by: Thomas Deutschmann <whissi@gentoo.org> app-admin/salt/Manifest | 1 - app-admin/salt/salt-3000.5.ebuild | 193 -------------------------------------- 2 files changed, 194 deletions(-)
GLSA request filed.
Package list is empty or all packages have requested keywords.
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/data/glsa.git/commit/?id=a4ba9f2fb65b65e29f00afe38eed9d10ac01301d commit a4ba9f2fb65b65e29f00afe38eed9d10ac01301d Author: GLSAMaker <glsamaker@gentoo.org> AuthorDate: 2023-10-31 11:57:07 +0000 Commit: Hans de Graaff <graaff@gentoo.org> CommitDate: 2023-10-31 11:57:38 +0000 [ GLSA 202310-22 ] Salt: Multiple Vulnerabilities Bug: https://bugs.gentoo.org/767919 Bug: https://bugs.gentoo.org/812440 Bug: https://bugs.gentoo.org/836365 Bug: https://bugs.gentoo.org/855962 Signed-off-by: GLSAMaker <glsamaker@gentoo.org> Signed-off-by: Hans de Graaff <graaff@gentoo.org> glsa-202310-22.xml | 61 ++++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 61 insertions(+)
