[Git][security-tracker-team/security-tracker][master] Reference regression reports for CVE-2020-11651/salt

Salvatore Bonaccorso carnil at debian.org
Sun May 3 16:21:11 BST 2020



Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker


Commits:
2ee05dd4 by Salvatore Bonaccorso at 2020-05-03T17:20:40+02:00
Reference regression reports for CVE-2020-11651/salt

It is a known issue that the fix for CVE-2020-11651 introduced a
regression as explained in
<https://github.com/saltstack/salt/blob/v3000.2_docs/doc/topics/releases/3000.2.rst#known-issue>

The whitelisted methods in AESFuncs contained a typo, where at least
_minion_runner method should be minion_runner. But a second related
regression was reported as well. List both for tracking.

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -3143,9 +3143,10 @@ CVE-2020-11651 (An issue was discovered in SaltStack Salt before 2019.2.4 and 30
 	NOTE: https://github.com/saltstack/salt/blob/v3000.2_docs/doc/topics/releases/3000.2.rst
 	NOTE: Fixed by: https://github.com/saltstack/salt/commit/a67d76b15615983d467ed81371b38b4a17e4f3b7
 	NOTE: Followup needed: https://github.com/saltstack/salt/commit/78172bf647473d5c1c2720e72fc12d6f2314d583
-	NOTE: There is a typo (for more info see the release notes) in the official correction.
-	NOTE: This should be fixed too since this typo causes a regression:
+	NOTE: There is a typo in the whitelisted methods on AESFuncs:
 	NOTE: https://github.com/saltstack/salt/blob/v3000.2_docs/doc/topics/releases/3000.2.rst#known-issue
+	NOTE: Regression bugreport: https://github.com/saltstack/salt/issues/57016
+	NOTE: https://github.com/saltstack/salt/issues/57027
 CVE-2020-11650 (An issue was discovered in iXsystems FreeNAS (and TrueNAS) 11.2 before ...)
 	NOT-FOR-US: FreeNAS
 CVE-2020-11649 (An issue was discovered in GitLab CE and EE 8.15 through 12.9.2. Membe ...)
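
Review bot: The second issue link added at the end of the CVE-2020-11651 entry (`NOTE: https://github.com/saltstack/salt/issues/57027`) carries no label, so a reader of data/CVE/list cannot tell that it is a second regression report rather than a continuation of another note; consider giving it its own `NOTE: Regression bugreport:` prefix like the line above it. The reworded typo note also drops the statement that the typo causes a regression and does not name the affected method, although the commit message identifies `_minion_runner` versus `minion_runner`; putting that in the NOTE would let the entry stand on its own without following the release-notes link.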



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2ee05dd4e7953e786f6ad99f6beab116971176c9
