1) CVE-2020-11651

Description:
"An issue was discovered in SaltStack Salt before 2019.2.4 and 3000 before 3000.2. The salt-master process ClearFuncs class does not properly validate method calls. This allows a remote user to access some methods without authentication. These methods can be used to retrieve user tokens from the salt master and/or run arbitrary commands on salt minions."

2) CVE-2020-11652

Description:
"An issue was discovered in SaltStack Salt before 2019.2.4 and 3000 before 3000.2. The salt-master process ClearFuncs class allows access to some methods that improperly sanitize paths. These methods allow arbitrary directory access to authenticated users."

Advisories:
https://docs.saltstack.com/en/latest/topics/releases/3000.2.html#security-fix
https://docs.saltstack.com/en/latest/topics/releases/2019.2.4.html#security-fix

@maintainer(s), please clean up

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=0209d23f9c0a4365b63f57d50cc664afdcf86da8

commit 0209d23f9c0a4365b63f57d50cc664afdcf86da8
Author:     Patrick McLean <patrick.mclean@sony.com>
AuthorDate: 2020-04-30 17:58:03 +0000
Commit:     Patrick McLean <chutzpah@gentoo.org>
CommitDate: 2020-04-30 17:58:03 +0000

    app-admin/salt: Clean out vulnerable versions (bug #720056)

    Bug: https://bugs.gentoo.org/720056
    Copyright: Sony Interactive Entertainment Inc.
    Package-Manager: Portage-2.3.99, Repoman-2.3.22
    Signed-off-by: Patrick McLean <chutzpah@gentoo.org>

 app-admin/salt/Manifest                            |   1 -
 ...salt-2018.3.2-skip-zeromq-test-that-hangs.patch |  79 -----------
 app-admin/salt/files/salt-2018.3.4-tests.patch     |  76 -----------
 app-admin/salt/salt-2018.3.4.ebuild                | 147 ---------------------
 4 files changed, 303 deletions(-)

Repository is clean, all done!