[Pkg-salt-team] Bug#803182: Bug#803182: closed by Benjamin Drung <benjamin.drung at profitbricks.com> (salt: CVE-2015-6918: git module leaks authentication details into log)
Salvatore Bonaccorso
carnil at debian.org
Thu Dec 10 20:09:33 UTC 2015
Control: fixed -1 2015.8.1+ds-1
Hey Benjamin,
On Thu, Dec 10, 2015 at 08:41:41PM +0100, Salvatore Bonaccorso wrote:
> Hi Benjamin,
>
> On Thu, Dec 10, 2015 at 12:37:06PM +0100, Benjamin Drung wrote:
> > On Wednesday, 09.12.2015, 22:15 +0100, Salvatore Bonaccorso wrote:
> > > Control: found -1 2015.8.1+ds-1
> > > Control: fixed -1 2015.8.3+ds-1
> > >
> > > > Version: 2015.8.1+ds-1
> > > >
> > > > The security bug was fixed upstream in release 2015.5.5 and thus
> > > > the fix was part of the next Debian upload 2015.8.1+ds-1
> > >
> > > Checking the debdiffs it looks like the fix was actually only in
> > > 2015.8.3+ds-1 but not in 2015.8.1+ds-1. Thus adjusting the fixed
> > > version.
> >
> > Really? 2015.8.1+ds-1 already uses redact_http_basic_auth() in
> > _git_run() for stderr:
> >
> > msg = 'Command \'{0}\' failed'.format(
> >     salt.utils.url.redact_http_basic_auth(gitcommand)
> > )
> > if result['stderr']:
> >     msg += ': {0}'.format(
> >         salt.utils.url.redact_http_basic_auth(result['stderr'])
> >     )
> > raise CommandExecutionError(msg)
>
> Hmm, I will recheck then, sorry for the noise. What I did was to check
> the debdiff between 2015.8.1+ds-1 and 2015.8.3+ds-1 and saw that
> the relevant commit was only included there.
>
> Can recheck, in any case thanks for the new upstream version which
> fixes as well another CVE!
You are right, apologies for my previous error in checking for the
fix.
Regards,
Salvatore
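The redaction Benjamin points to, as an added example that is not Salt's code: a constructed stand-in for salt.utils.url.redact_http_basic_auth() (the regex is an assumption, not the real helper) applied to both the git command line and git's stderr before the error is raised, so the password embedded in an `https://user:password@host` URL never reaches the minion log.

```python
import re

# Constructed stand-in for salt.utils.url.redact_http_basic_auth(); not Salt's code.
# Matches "scheme://user:password@host" (or "scheme://user@host") anywhere in the
# text and keeps only the scheme and host. Hosts without "@" are left untouched
# because the character class stops at the first "/" or whitespace.
_BASIC_AUTH_RE = re.compile(r'(?P<scheme>https?://)(?P<cred>[^/@\s]+)@')


def redact_http_basic_auth(text):
    """Replace any HTTP(S) basic-auth credentials embedded in URLs within text."""
    return _BASIC_AUTH_RE.sub(r'\g<scheme><redacted>@', text)


class CommandExecutionError(Exception):
    """Stand-in for salt.exceptions.CommandExecutionError."""


def build_failure_message(gitcommand, stderr):
    """Build the error text the quoted _git_run() produces: both the command line
    and git's stderr are redacted before the message can be raised or logged."""
    msg = "Command '{0}' failed".format(redact_http_basic_auth(gitcommand))
    if stderr:
        msg += ': {0}'.format(redact_http_basic_auth(stderr))
    return msg


def run_git_failure(gitcommand, stderr):
    """Simulate the failure path of _git_run(): raise with the redacted message."""
    raise CommandExecutionError(build_failure_message(gitcommand, stderr))


if __name__ == '__main__':
    # Constructed sample: git echoes the credentialed URL back in its stderr on failure,
    # which is exactly what leaked into the log before the fix.
    cmd = 'git clone https://deploy:s3cret@git.example.com/org/repo.git /srv/repo'
    err = ("fatal: unable to access 'https://deploy:s3cret@git.example.com/org/repo.git/': "
           "Could not resolve host")
    try:
        run_git_failure(cmd, err)
    except CommandExecutionError as exc:
        print(exc)
        assert 's3cret' not in str(exc)
```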