[Git][security-tracker-team/security-tracker][master] mark salt as ignored in jessie

Antoine Beaupré anarcat at debian.org
Tue Oct 30 17:23:21 GMT 2018


Antoine Beaupré pushed to branch master at Debian Security Tracker / security-tracker


Commits:
3d7b2e31 by Antoine Beaupré at 2018-10-30T17:22:32Z
mark salt as ignored in jessie

Older versions of stack don't have master signature verification code at
all, so there is no expectation this would be secure in the first place.

Also clarify that both the patch that enforces signing and the patch
that disables the check by default are necessary.

- - - - -


2 changed files:

- data/CVE/list
- data/dla-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -79384,12 +79384,14 @@ CVE-2017-7894 (WinDjView 2.1 might allow user-assisted attackers to execute code
 CVE-2017-7893 (In SaltStack Salt before 2016.3.6, compromised salt-minions can ...)
 	- salt 2016.11.5+ds-1
 	[stretch] - salt <no-dsa> (Minor issue)
+	[jessie] - salt <ignored> (Vulnerable code introduced later, but older versions did not verify master anyways)
 	NOTE: https://docs.saltstack.com/en/2017.7/topics/releases/2016.3.6.html
 	NOTE: https://github.com/saltstack/salt/issues/48939
-	NOTE: https://github.com/saltstack/salt/commit/0a0f46fb1478be5eb2f90882a90390cb35ec43cb
+	NOTE: https://patch-diff.githubusercontent.com/raw/saltstack/salt/pull/40159.patch
+	NOTE: https://patch-diff.githubusercontent.com/raw/saltstack/salt/pull/40206.patch
 	NOTE: The behaviour though was back off by default in a later commit again
 	NOTE: cf. https://github.com/saltstack/salt/pull/40206
-	NOTE: The fix is the second part of the 0a0f46f commit, but the behaviour is turned
+	NOTE: The fix is the second part of the #40159 PR, but the behaviour is turned
 	NOTE: off by default and needs considerations of admins before enabling. We still
 	NOTE: consider the issue as fixed starting with this change. Details in
 	NOTE: https://github.com/saltstack/salt/issues/48939#issuecomment-410777638
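Review bot: the rewritten line "NOTE: The fix is the second part of the #40159 PR" carries over the "second part" wording from the commit-based line it replaces (which pointed at 0a0f46f), but a pull request has no obvious "second part", so a reader following the new patch-diff link cannot tell which change within #40159 is meant; name it (the commit or file in #40159 that enforces master signature checking) or keep the original 0a0f46f commit URL next to the two patch links so the reference stays resolvable. The added `[jessie] - salt <ignored>` reason is consistent with the commit message (older versions never verified the master), which supports `<ignored>` rather than `<no-dsa>` here.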


=====================================
data/dla-needed.txt
=====================================
@@ -76,10 +76,7 @@ qemu (Santiago)
   NOTE: 20181026: no fix yet for recent dsa issues, but start working on
   NOTE: pending no-dsa issues
 --
-salt (Antoine Beaupre)
-  NOTE: 20180921: CVE-2017-7893 is not crucial since the managed system must be
-  NOTE: 20180921: compromised first. But the security escalation effect can cause
-  NOTE: 20180921: a lot of system compromised. (ola)
+salt
 --
 smarty3 (Mike Gabriel)
 --
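Review bot: this hunk reduces the entry to a bare `salt` line with no claimant and no NOTE, so dla-needed.txt no longer records why salt is still listed, and the dated 20180921 notes are deleted rather than superseded. If CVE-2017-7893 (tagged `<ignored>` for jessie in the data/CVE/list hunk) was the only open jessie issue, drop the entry entirely; otherwise add a dated note stating what remains, e.g. `  NOTE: 20181030: CVE-2017-7893 ignored for jessie (see data/CVE/list); remaining issues: ...`, so the next triager does not have to rediscover the history from git log.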



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/3d7b2e315f955c4926d7d60c608f9d90c9e6ade9
