[Pkg-salt-team] salt autoremoval 2021-Apr-25 WAS: Debian Bugs information: logs for Bug#985085

Federico Grau donfede at casagrau.org
Fri Mar 26 01:46:10 GMT 2021


Hello salt neighbors,

Checking if there was any planned direction to avoid the autoremoval of salt
next month, because of bug #985085?

    https://tracker.debian.org/pkg/salt


I'm mostly a salt user/admin, but will plan to spend some time this coming
weekend reviewing the suggested CVE, and try to discern if it is suse specific
or not.  Is posting findings to the bug sufficient or is something else
required?  If I find the bug is not applicable, am I allowed to close it (with
findings)?

regards,
donfede


On Fri, Mar 26, 2021 at 01:15:03AM +0000, Debian Bug Tracking System wrote:
>                         Debian Bug report logs - #985085
>                               salt: CVE-2021-25315
> 
>    Package: src:salt; Maintainer for src:salt is Debian Salt Team
>    <pkg-salt-team at alioth-lists.debian.net>;
> 
>    Reported by: Elimar Riesebieter <riesebie at lxtec.de>
> 
>    Date: Fri, 12 Mar 2021 18:51:02 UTC
> 
>    Severity: grave
> 
>    Tags: moreinfo, patch, security, upstream
> 
>      __________________________________________________________________
> 
>    Report forwarded to debian-bugs-dist at lists.debian.org,
>    hostmasters at hostsharing.net, team at security.debian.org,
>    team at security.debian.org, Debian Salt Team
>    <pkg-salt-team at alioth-lists.debian.net>:
>    Bug#985085; Package src:salt. (Fri, 12 Mar 2021 18:51:03 GMT) (full
>    text, mbox, link).
>      __________________________________________________________________
> 
>    Acknowledgement sent to Elimar Riesebieter <riesebie at lxtec.de>:
>    New Bug report received and forwarded. Copy sent to
>    hostmasters at hostsharing.net, team at security.debian.org,
>    team at security.debian.org, Debian Salt Team
>    <pkg-salt-team at alioth-lists.debian.net>.
> 
>    Your message had a Version: pseudo-header with an invalid package
>    version:
> 
>    2016.11.2+ds-1+deb9u6 2018.3.4+dfsg1-6+deb10u2 3002.5+dfsg1-1
> 
>    please either use found or fixed to the control server with a correct
>    version, or reply to this report indicating the correct version so the
>    maintainer (or someone else) can correct it for you.
> 
>    (Fri, 12 Mar 2021 18:51:03 GMT) (full text, mbox, link).
>      __________________________________________________________________
> 
>    Message #5 received at submit at bugs.debian.org (full text, mbox, reply):
> 
>    From: Elimar Riesebieter <riesebie at lxtec.de>
>    To: Debian Bug Tracking System <submit at bugs.debian.org>
>    Subject: salt: CVE-2021-25315
>    Date: Fri, 12 Mar 2021 19:41:08 +0100
> 
> Source: salt
> Version: 2016.11.2+ds-1+deb9u6 2018.3.4+dfsg1-6+deb10u2 3002.5+dfsg1-1
> Severity: normal
> Tags: patch security upstream
> X-Debbugs-Cc: hostmasters at hostsharing.net, Debian Security Team <team at security.debian.org>,
> Debian Security Team <team at security.debian.org>
> 
> Hi,
> 
> The following vulnerability was published for salt.
> 
> CVE-2021-25315:
> An Incorrect Implementation of Authentication Algorithm vulnerability
> 
> Maybe the following patch solves that issue:
> https://bugzilla.suse.com/show_bug.cgi?id=1182382
> 
> It would be nice to have a backport to buster as well fixes
> according to
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=983632 for buster
> and stretch as well.
> 
> Thanks in advance
> 
> --
>   Elimar
> 
> 
>      __________________________________________________________________
> 
>    Severity set to 'grave' from 'normal' Request was from Elimar
>    Riesebieter <riesebie at lxtec.de> to control at bugs.debian.org. (Fri, 12
>    Mar 2021 19:03:03 GMT) (full text, mbox, link).
>      __________________________________________________________________
> 
>    Marked as found in versions salt/3002.5+dfsg1-1. Request was from
>    Salvatore Bonaccorso <carnil at debian.org> to control at bugs.debian.org.
>    (Fri, 12 Mar 2021 20:09:04 GMT) (full text, mbox, link).
>      __________________________________________________________________
> 
>    Information forwarded to debian-bugs-dist at lists.debian.org, Debian Salt
>    Team <pkg-salt-team at alioth-lists.debian.net>:
>    Bug#985085; Package src:salt. (Sat, 13 Mar 2021 14:09:03 GMT) (full
>    text, mbox, link).
>      __________________________________________________________________
> 
>    Acknowledgement sent to Salvatore Bonaccorso <carnil at debian.org>:
>    Extra info received and forwarded to list. Copy sent to Debian Salt
>    Team <pkg-salt-team at alioth-lists.debian.net>. (Sat, 13 Mar 2021
>    14:09:03 GMT) (full text, mbox, link).
>      __________________________________________________________________
> 
>    Message #14 received at 985085 at bugs.debian.org (full text, mbox,
>    reply):
> 
>    From: Salvatore Bonaccorso <carnil at debian.org>
>    To: Elimar Riesebieter <riesebie at lxtec.de>, 985085 at bugs.debian.org
>    Cc: Debian Security Team <team at security.debian.org>
>    Subject: Re: Bug#985085: salt: CVE-2021-25315
>    Date: Sat, 13 Mar 2021 15:08:26 +0100
> 
> Hi
> 
> According to https://bugzilla.suse.com/show_bug.cgi?id=1182382#c16
> this might just be a SUSE specific issue.
> 
> salt maintainers, please could you double check if we have the same
> interaction of patches? And otherwise please close the bug.
> 
> Regards,
> Salvatore
> 
> 
>      __________________________________________________________________
> 
>    Added tag(s) moreinfo. Request was from Salvatore Bonaccorso
>    <carnil at debian.org> to control at bugs.debian.org. (Sat, 13 Mar 2021
>    14:09:06 GMT) (full text, mbox, link).
>      __________________________________________________________________
> 
>    No longer marked as found in versions salt/3002.5+dfsg1-1. Request was
>    from Salvatore Bonaccorso <carnil at debian.org> to
>    control at bugs.debian.org. (Sat, 13 Mar 2021 14:15:03 GMT) (full text,
>    mbox, link).
>      __________________________________________________________________
> 
> 
> 
>     Debian bug tracking system administrator <owner at bugs.debian.org>.
>     Last modified: Fri Mar 26 01:15:03 2021; Machine Name: buxtehude

-- 
I choose information and knowledge over profit.
