[Pkg-salt-team] Bug#803182: Bug#803182: closed by Benjamin Drung <benjamin.drung at profitbricks.com> (salt: CVE-2015-6918: git module leaks authentication details into log)

Salvatore Bonaccorso carnil at debian.org
Thu Dec 10 19:41:41 UTC 2015


Hi Benjamin,

On Thu, Dec 10, 2015 at 12:37:06PM +0100, Benjamin Drung wrote:
> Am Mittwoch, den 09.12.2015, 22:15 +0100 schrieb Salvatore Bonaccorso:
> > Control: found -1 2015.8.1+ds-1
> > Control: fixed -1 2015.8.3+ds-1
> > 
> > > Version: 2015.8.1+ds-1
> > > 
> > > The security bug was fixed upstream in release 2015.5.5 and thus
> > > the
> > > fix was part of the next Debian upload 2015.8.1+ds-1
> > 
> > Checking the debdiffs it looks the fix was actually only in
> > 2015.8.3+ds-1 but not in 2015.8.1+ds-1. Adjusting thus the fixed
> > version.
> 
> Really? 2015.8.1+ds-1 already uses redact_http_basic_auth() in
> _git_run() for stderr:
> 
>                 msg = 'Command \'{0}\' failed'.format(
>                     salt.utils.url.redact_http_basic_auth(gitcommand)
>                 )
>                 if result['stderr']:
>                     msg += ': {0}'.format(
>                         salt.utils.url.redact_http_basic_auth(result['stderr'])
>                     )
>                 raise CommandExecutionError(msg)

Hmm, I will recheck then, sorry for the noise. What I did was to check
the debdiff between 2015.8.1+ds-1 and 2015.8.3+ds-1 and saw that
the relevant commit was only included there.

I can recheck; in any case, thanks for the new upstream version, which
also fixes another CVE!

Regards,
Salvatore
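The pattern quoted above, redacting HTTP basic-auth credentials from the git command line and its stderr before they are put into an error message or log, as an added example that is not Salt's code and not part of this thread. The regex, the hypothetical git command, the sample stderr text and the function names are assumptions for illustration; the real implementation Salt uses is salt.utils.url.redact_http_basic_auth. The unsafe variant shows the pre-fix behaviour the bug report describes: a password embedded in the remote URL survives into the exception text.

```python
import re

# Constructed sample input (not taken from the page): a git command whose
# remote URL carries basic-auth credentials, and a typical failure message
# from git that echoes the URL back. User and password are made up.
SAMPLE_CMD = "git fetch https://deploy:s3cr3t@git.example.org/repo.git master"
SAMPLE_STDERR = (
    "fatal: unable to access 'https://deploy:s3cr3t@git.example.org/repo.git/': "
    "Could not resolve host: git.example.org"
)

# Match "<scheme>://<userinfo>@" where userinfo has no slash or whitespace.
# The character class is greedy so an unencoded '@' inside the password
# (e.g. https://u:p@ss@host/) is still swallowed up to the last '@' before
# the first '/'.
_BASIC_AUTH_RE = re.compile(r"(https?://)([^/\s]+)@", re.IGNORECASE)


def redact_http_basic_auth(text):
    """Replace user:password@ in every http(s) URL in text with <redacted>@.

    Assumed helper mirroring the purpose of salt.utils.url.redact_http_basic_auth;
    it is not that function. Lists (as in an argv-style command) are joined
    so the caller can pass either form.
    """
    if isinstance(text, (list, tuple)):
        text = " ".join(str(part) for part in text)
    return _BASIC_AUTH_RE.sub(r"\1<redacted>@", text)


class CommandExecutionError(Exception):
    """Stand-in for the exception raised by the git module (assumed name)."""


def build_error_message_unsafe(gitcommand, stderr):
    """Pre-fix pattern: the raw command and stderr go straight into the message."""
    msg = "Command '{0}' failed".format(gitcommand)
    if stderr:
        msg += ": {0}".format(stderr)
    return msg


def build_error_message(gitcommand, stderr):
    """Fixed pattern: redact both the command line and stderr before use."""
    msg = "Command '{0}' failed".format(redact_http_basic_auth(gitcommand))
    if stderr:
        msg += ": {0}".format(redact_http_basic_auth(stderr))
    return msg


def raise_git_failure(gitcommand, stderr):
    """Raise CommandExecutionError with a message that is safe to log."""
    raise CommandExecutionError(build_error_message(gitcommand, stderr))


def leaks_secret(message, secret):
    """Simple check for a test or log audit: does the text still contain the secret?"""
    return secret in message


if __name__ == "__main__":
    print("unsafe:", build_error_message_unsafe(SAMPLE_CMD, SAMPLE_STDERR))
    print("fixed: ", build_error_message(SAMPLE_CMD, SAMPLE_STDERR))
    try:
        raise_git_failure(SAMPLE_CMD, SAMPLE_STDERR)
    except CommandExecutionError as exc:
        print("leaks password:", leaks_secret(str(exc), "s3cr3t"))
```

Redacting only the command string is not enough, which is why the quoted snippet applies the same function to stderr: git repeats the full URL, credentials included, in its own error output. Credentials that contain an unencoded '/' would still defeat this regex, so the check in leaks_secret is the kind of assertion worth keeping in a test suite rather than trusting the pattern alone.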


