Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 627928 (CVE-2017-12791) - <app-admin/salt-2016.11.8: directory traversals on the Salt-master via crafted minion ID
Summary: <app-admin/salt-2016.11.8: directory traversals on the Salt-master via crafte...
Status: RESOLVED FIXED
Alias: CVE-2017-12791
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL: https://github.com/saltstack/salt/pul...
Whiteboard: ~2 [noglsa cve]
Keywords:
Depends on:
Blocks: CVE-2017-14695, CVE-2017-14696
  Show dependency tree
 
Reported: 2017-08-15 15:48 UTC by GLSAMaker/CVETool Bot
Modified: 2018-01-25 00:47 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description GLSAMaker/CVETool Bot gentoo-dev 2017-08-15 15:48:57 UTC 
CVE-2017-12791 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-12791):
  Maliciously crafted minion IDs can cause unwanted directory traversals on
  the Salt-master.
Comment 1 Thomas Deutschmann (RETIRED) gentoo-dev 2017-08-15 15:53:15 UTC 
@ Maintainer(s): Please bump to

>=app-admin/salt-2016.3.7
>=app-admin/salt-2016.11.7
>=app-admin/salt-2017.7.1
Comment 2 Manuel Rüger (RETIRED) gentoo-dev 2017-08-15 17:22:26 UTC 
(In reply to Thomas Deutschmann from comment #1)
> @ Maintainer(s): Please bump to
> 
> >=app-admin/salt-2016.3.7
> >=app-admin/salt-2016.11.7
Added the specified versions and cleaned the old ones up.
Applied the fix to salt-2015.8.13 series as well (in 2015.8.13-r1), which I assume Patrick still wants to keep around.

These still need to be fixed:
> =app-admin/salt-2015.5.10
> =app-admin/salt-2017.7.0
These need to be cleaned up:
> =salt-2015.8.13
Comment 3 Aaron Bauman (RETIRED) gentoo-dev 2017-10-28 14:02:12 UTC 
@maintainer, upstream only patched 2016.11. Are previous versions needed?