[Pkg-salt-team] Bug#803182: Bug#803182: closed by Benjamin Drung <benjamin.drung at profitbricks.com> (salt: CVE-2015-6918: git module leaks authentication details into log)
Benjamin Drung
benjamin.drung at profitbricks.com
Thu Dec 10 11:37:06 UTC 2015
On Wednesday, 09.12.2015, at 22:15 +0100, Salvatore Bonaccorso wrote:
> Control: found -1 2015.8.1+ds-1
> Control: fixed -1 2015.8.3+ds-1
>
> > Version: 2015.8.1+ds-1
> >
> > The security bug was fixed upstream in release 2015.5.5 and thus the
> > fix was part of the next Debian upload 2015.8.1+ds-1
>
> Checking the debdiffs it looks like the fix was actually only in
> 2015.8.3+ds-1 but not in 2015.8.1+ds-1. Adjusting thus the fixed
> version.
Really? 2015.8.1+ds-1 already uses redact_http_basic_auth() in
_git_run() for stderr:
    msg = 'Command \'{0}\' failed'.format(
        salt.utils.url.redact_http_basic_auth(gitcommand)
    )
    if result['stderr']:
        msg += ': {0}'.format(
            salt.utils.url.redact_http_basic_auth(result['stderr'])
        )
    raise CommandExecutionError(msg)
--
Benjamin Drung
System Developer
Debian & Ubuntu Developer
ProfitBricks GmbH
Greifswalder Str. 207
D - 10405 Berlin
Email: benjamin.drung at profitbricks.com
URL: http://www.profitbricks.com
Registered office: Berlin.
Court of registration: Amtsgericht Charlottenburg, HRB 125506B.
Managing directors: Andreas Gauger, Achim Weiss.
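
Added example, not part of the original message and not Salt's own code: a self-contained sketch of the redaction pattern discussed above, where HTTP basic-auth credentials are stripped from both the git command line and its stderr before the text reaches an exception or log. The regex, the function names, the CommandError class and the sample data are assumptions constructed for illustration; only http(s) URLs are handled.

```python
import re

# Assumption: regex written for this example, not taken from Salt's
# salt.utils.url.redact_http_basic_auth(). The greedy [^/\s]+ backtracks to
# the LAST '@' before the first '/', so a password containing an unencoded
# '@' is redacted in full instead of leaking its tail.
BASIC_AUTH_RE = re.compile(r'(?P<scheme>https?://)[^/\s]+@', re.IGNORECASE)


def redact_basic_auth(text):
    """Replace user[:password] in every http(s) URL found in text."""
    return BASIC_AUTH_RE.sub(r'\g<scheme><redacted>@', text)


class CommandError(Exception):
    """Hypothetical stand-in for Salt's CommandExecutionError."""


def build_failure_message(command, result):
    """Build the error text for a failed command.

    Both the command line and stderr are redacted: git echoes the remote
    URL in its own error output, so redacting only the command still leaks.
    """
    msg = "Command '{0}' failed".format(redact_basic_auth(command))
    if result.get('stderr'):
        msg += ': {0}'.format(redact_basic_auth(result['stderr']))
    return msg


# Constructed sample input (credentials and host are made up).
SAMPLE_COMMAND = 'git clone https://deploy:s3cr3t@git.example.com/repo.git'
SAMPLE_RESULT = {
    'retcode': 128,
    'stderr': "fatal: unable to access "
              "'https://deploy:s3cr3t@git.example.com/repo.git/': "
              "Could not resolve host: git.example.com",
}

if __name__ == '__main__':
    try:
        raise CommandError(build_failure_message(SAMPLE_COMMAND, SAMPLE_RESULT))
    except CommandError as exc:
        print(exc)
```
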