[Pkg-salt-team] Bug#888006: stretch-pu: package salt/2016.11.2+ds-1
Ondřej Nový
novy at ondrej.org
Mon Jan 22 15:45:48 UTC 2018
Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian.org at packages.debian.org
Usertags: pu
Hi,
I would like to do a stable update, fixing 5 bugs (3 of them are security
issues).
salt (2016.11.2+ds-1+deb9u1) stretch; urgency=medium
* Fix CVE-2017-12791: Directory traversal vulnerability on salt-master
via crafted minion IDs (Closes: #872399)
* Fix CVE-2017-14695: Directory traversal vulnerability in minion id
validation in SaltStack (Closes: #879089)
* Fix CVE-2017-14696: Remote Denial of Service with a specially crafted
authentication request (Closes: #879090)
* Check if data[return] is dict type (Closes: #887724)
* Do not require sphinx-build for cleaning docs (Closes: #851559)
Built and tested on stretch. Full debdiff attached.
Thanks.
-- System Information:
Debian Release: buster/sid
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'oldstable-updates'), (500, 'unstable'), (500, 'testing'), (500, 'stable'), (500, 'oldstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Kernel: Linux 4.14.0-3-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
-------------- next part --------------
diff -Nru salt-2016.11.2+ds/debian/changelog salt-2016.11.2+ds/debian/changelog
--- salt-2016.11.2+ds/debian/changelog 2017-02-01 17:09:07.000000000 +0100
+++ salt-2016.11.2+ds/debian/changelog 2018-01-22 16:30:47.000000000 +0100
@@ -1,3 +1,16 @@
+salt (2016.11.2+ds-1+deb9u1) stretch; urgency=medium
+
+ * Fix CVE-2017-12791: Directory traversal vulnerability on salt-master
+ via crafted minion IDs (Closes: #872399)
+ * Fix CVE-2017-14695: Directory traversal vulnerability in minion id
+ validation in SaltStack (Closes: #879089)
+ * Fix CVE-2017-14696: Remote Denial of Service with a specially crafted
+ authentication request (Closes: #879090)
+ * Check if data[return] is dict type (Closes: #887724)
+ * Do not require sphinx-build for cleaning docs (Closes: #851559)
+
+ -- Ond?ej Nov? <onovy at debian.org> Mon, 22 Jan 2018 16:30:47 +0100
+
salt (2016.11.2+ds-1) unstable; urgency=medium
* New upstream bug-fix release. Security fixes:
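Review bot: the trailer line of the new changelog entry carries the maintainer name as "Ond?ej Nov?", with the non-ASCII letters replaced by question marks. debian/changelog is expected to be UTF-8, so confirm that the file in the actual upload has the name intact and that the substitution happened only in this copy of the debdiff.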
diff -Nru salt-2016.11.2+ds/debian/patches/Check_if_data_return_is_dict_type.patch salt-2016.11.2+ds/debian/patches/Check_if_data_return_is_dict_type.patch
--- salt-2016.11.2+ds/debian/patches/Check_if_data_return_is_dict_type.patch 1970-01-01 01:00:00.000000000 +0100
+++ salt-2016.11.2+ds/debian/patches/Check_if_data_return_is_dict_type.patch 2018-01-22 15:00:58.000000000 +0100
@@ -0,0 +1,24 @@
+From 7c348159793a3642a558c373c5ab62b4f5e52291 Mon Sep 17 00:00:00 2001
+From: Mircea Ulinic <mirucha at cloudflare.com>
+Date: Wed, 1 Feb 2017 12:17:34 +0000
+Subject: [PATCH] Check if data['return'] is dict type
+Origin: https://github.com/saltstack/salt/commit/7c348159793a3642a558c373c5ab62b4f5e52291
+
+---
+ salt/client/mixins.py | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/salt/client/mixins.py b/salt/client/mixins.py
+index 270528af83b..c703c166014 100644
+--- a/salt/client/mixins.py
++++ b/salt/client/mixins.py
+@@ -394,7 +394,8 @@ def _low(self, fun, low, print_event=True, full_return=False):
+ with tornado.stack_context.StackContext(self.functions.context_dict.clone):
+ data['return'] = self.functions[fun](*args, **kwargs)
+ data['success'] = True
+- if 'data' in data['return']:
++ if isinstance(data['return'], dict) and 'data' in data['return']:
++ # some functions can return boolean values
+ data['success'] = salt.utils.check_state_result(data['return']['data'])
+ except (Exception, SystemExit) as ex:
+ if isinstance(ex, salt.exceptions.NotImplemented):
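Review bot: the added comment "# some functions can return boolean values" sits inside the if body, directly above the check_state_result() call, although it explains the new isinstance() test in the condition; it would read better on the line above the if. The guard also covers more than booleans: a string return containing "data" would have passed the old 'data' in data['return'] test as a substring match and then failed on data['return']['data'], so the comment could say "non-dict values". The diffstat lists only salt/client/mixins.py, so a unit test with a function returning True or a plain string would be worth adding alongside the fix.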
diff -Nru salt-2016.11.2+ds/debian/patches/clean-doc-without-sphinx.patch salt-2016.11.2+ds/debian/patches/clean-doc-without-sphinx.patch
--- salt-2016.11.2+ds/debian/patches/clean-doc-without-sphinx.patch 1970-01-01 01:00:00.000000000 +0100
+++ salt-2016.11.2+ds/debian/patches/clean-doc-without-sphinx.patch 2018-01-22 15:00:58.000000000 +0100
@@ -0,0 +1,215 @@
+From 5b79a0a9f8018cee68ee20b89ea0fcda72dac8dc Mon Sep 17 00:00:00 2001
+From: Benjamin Drung <benjamin.drung at profitbricks.com>
+Date: Tue, 23 May 2017 17:08:34 +0200
+Subject: [PATCH] Do not require sphinx-build for cleaning docs
+Origin: https://github.com/saltstack/salt/commit/5b79a0a9f8018cee68ee20b89ea0fcda72dac8dc.patch
+
+In a minimal build environment (no sphinx), the package cannot initially
+clean itself because the upstream doc/Makefile checks for sphinx-build
+executable and Debian doesn't get any benefit of that.
+
+Thus do not check for the presence of sphinx-build when running the
+clean or help target by adding a phony check_sphinx-build that does the
+check for sphinx-build.
+
+Debian bug: https://bugs.debian.org/851559
+Signed-off-by: Benjamin Drung <benjamin.drung at profitbricks.com>
+---
+ doc/Makefile | 59 +++++++++++++++++++++++++++++------------------------------
+ 1 file changed, 29 insertions(+), 30 deletions(-)
+
+diff --git a/doc/Makefile b/doc/Makefile
+index beaeb67bc63..39af8918fb9 100644
+--- a/doc/Makefile
++++ b/doc/Makefile
+@@ -9,11 +9,6 @@ BUILDDIR = _build
+ SPHINXLANG =
+ XELATEX = xelatex
+
+-# User-friendly check for sphinx-build
+-ifeq ($(shell which $(SPHINXBUILD) >/dev/null 2>&1; echo $$?), 1)
+-$(error The '$(SPHINXBUILD)' command was not found. Make sure you have Sphinx installed, then set the SPHINXBUILD environment variable to point to the full path of the '$(SPHINXBUILD)' executable. Alternatively you can add the directory with the executable to your PATH. If you don't have Sphinx installed, grab it from http://sphinx-doc.org/)
+-endif
+-
+ # ----- Translations Support ------------------------------------------------>
+ # If language is set, also set translation options
+ ifeq ($(shell [ "x$(SPHINXLANG)" != "x" ] && echo 0 || echo 1), 0)
+@@ -36,7 +31,7 @@ ALLSPHINXOPTS = -d $(BUILDDIR)/doctrees $(PAPEROPT_$(PAPER)) $(TRANSLATIONOPTS
+ # the i18n builder cannot share the environment and doctrees with the others
+ I18NSPHINXOPTS = $(PAPEROPT_$(PAPER)) $(SPHINXOPTS) .
+
+-.PHONY: help clean html dirhtml singlehtml pickle json htmlhelp qthelp devhelp epub latex latexpdf text man changes linkcheck doctest gettext translations download-translations
++.PHONY: help clean check_sphinx-build html dirhtml singlehtml pickle json htmlhelp qthelp devhelp epub latex latexpdf text man changes linkcheck doctest gettext translations download-translations
+
+ help:
+ @echo "Please use \`make <target>' where <target> is one of"
+@@ -69,38 +64,42 @@ clean:
+ rm -rf $(BUILDDIR)/*
+ test -d 'locale' && find locale/ -name *.mo -exec rm {} \; || true
+
+-html: translations
++# User-friendly check for sphinx-build
++check_sphinx-build:
++ @which $(SPHINXBUILD) >/dev/null 2>&1 || (echo "The '$(SPHINXBUILD)' command was not found. Make sure you have Sphinx installed, then set the SPHINXBUILD environment variable to point to the full path of the '$(SPHINXBUILD)' executable. Alternatively you can add the directory with the executable to your PATH. If you don't have Sphinx installed, grab it from http://sphinx-doc.org/)" >&2; false)
++
++html: check_sphinx-build translations
+ $(SPHINXBUILD) -b html $(ALLSPHINXOPTS) $(BUILDDIR)/html
+ @echo
+ @echo "Build finished. The HTML pages are in $(BUILDDIR)/html."
+
+-dirhtml: translations
++dirhtml: check_sphinx-build translations
+ $(SPHINXBUILD) -b dirhtml $(ALLSPHINXOPTS) $(BUILDDIR)/dirhtml
+ @echo
+ @echo "Build finished. The HTML pages are in $(BUILDDIR)/dirhtml."
+
+-singlehtml: translations
++singlehtml: check_sphinx-build translations
+ $(SPHINXBUILD) -b singlehtml $(ALLSPHINXOPTS) $(BUILDDIR)/singlehtml
+ @echo
+ @echo "Build finished. The HTML page is in $(BUILDDIR)/singlehtml."
+
+-pickle: translations
++pickle: check_sphinx-build translations
+ $(SPHINXBUILD) -b pickle $(ALLSPHINXOPTS) $(BUILDDIR)/pickle
+ @echo
+ @echo "Build finished; now you can process the pickle files."
+
+-json: translations
++json: check_sphinx-build translations
+ $(SPHINXBUILD) -b json $(ALLSPHINXOPTS) $(BUILDDIR)/json
+ @echo
+ @echo "Build finished; now you can process the JSON files."
+
+-htmlhelp: translations
++htmlhelp: check_sphinx-build translations
+ $(SPHINXBUILD) -b htmlhelp $(ALLSPHINXOPTS) $(BUILDDIR)/htmlhelp
+ @echo
+ @echo "Build finished; now you can run HTML Help Workshop with the" \
+ ".hhp project file in $(BUILDDIR)/htmlhelp."
+
+-qthelp: translations
++qthelp: check_sphinx-build translations
+ $(SPHINXBUILD) -b qthelp $(ALLSPHINXOPTS) $(BUILDDIR)/qthelp
+ @echo
+ @echo "Build finished; now you can run "qcollectiongenerator" with the" \
+@@ -109,7 +108,7 @@ qthelp: translations
+ @echo "To view the help file:"
+ @echo "# assistant -collectionFile $(BUILDDIR)/qthelp/Salt.qhc"
+
+-devhelp: translations
++devhelp: check_sphinx-build translations
+ $(SPHINXBUILD) -b devhelp $(ALLSPHINXOPTS) $(BUILDDIR)/devhelp
+ @echo
+ @echo "Build finished."
+@@ -118,31 +117,31 @@ devhelp: translations
+ @echo "# ln -s $(BUILDDIR)/devhelp $$HOME/.local/share/devhelp/Salt"
+ @echo "# devhelp"
+
+-epub: translations
++epub: check_sphinx-build translations
+ $(SPHINXBUILD) -b epub $(ALLSPHINXOPTS) $(BUILDDIR)/epub
+ @echo
+ @echo "Build finished. The epub file is in $(BUILDDIR)/epub."
+
+-latex: translations
++latex: check_sphinx-build translations
+ $(SPHINXBUILD) -b latex $(ALLSPHINXOPTS) $(BUILDDIR)/latex
+ @echo
+ @echo "Build finished; the LaTeX files are in $(BUILDDIR)/latex."
+ @echo "Run \`make' in that directory to run these through (pdf)latex" \
+ "(use \`make latexpdf' here to do that automatically)."
+
+-latexpdf: translations
++latexpdf: check_sphinx-build translations
+ $(SPHINXBUILD) -b latex $(ALLSPHINXOPTS) $(BUILDDIR)/latex
+ @echo "Running LaTeX files through pdflatex..."
+ $(MAKE) -C $(BUILDDIR)/latex all-pdf
+ @echo "pdflatex finished; the PDF files are in $(BUILDDIR)/latex."
+
+-latexpdfja: translations
++latexpdfja: check_sphinx-build translations
+ $(SPHINXBUILD) -b latex $(ALLSPHINXOPTS) $(BUILDDIR)/latex
+ @echo "Running LaTeX files through platex and dvipdfmx..."
+ $(MAKE) -C $(BUILDDIR)/latex all-pdf-ja
+ @echo "pdflatex finished; the PDF files are in $(BUILDDIR)/latex."
+
+-pdf: translations
++pdf: check_sphinx-build translations
+ @if [ "$(XELATEX)" = "xelatex" ] || [ "x$(XELATEX)" = "x" ]; then \
+ echo "The '$(XELATEX)' command was not found."; \
+ fi
+@@ -157,62 +156,62 @@ cheatsheet: translations
+ cd cheatsheet && xelatex salt.tex && cp salt.pdf ../salt-cheatsheet.pdf
+ @echo "./salt-cheatsheet.pdf created."
+
+-text: translations
++text: check_sphinx-build translations
+ $(SPHINXBUILD) -b text $(ALLSPHINXOPTS) $(BUILDDIR)/text
+ @echo
+ @echo "Build finished. The text files are in $(BUILDDIR)/text."
+
+-man: translations
++man: check_sphinx-build translations
+ $(SPHINXBUILD) -b man $(ALLSPHINXOPTS) $(BUILDDIR)/man
+ @echo
+ @echo "Build finished. The manual pages are in $(BUILDDIR)/man."
+
+-texinfo: translations
++texinfo: check_sphinx-build translations
+ $(SPHINXBUILD) -b texinfo $(ALLSPHINXOPTS) $(BUILDDIR)/texinfo
+ @echo
+ @echo "Build finished. The Texinfo files are in $(BUILDDIR)/texinfo."
+ @echo "Run \`make' in that directory to run these through makeinfo" \
+ "(use \`make info' here to do that automatically)."
+
+-info: translations
++info: check_sphinx-build translations
+ $(SPHINXBUILD) -b texinfo $(ALLSPHINXOPTS) $(BUILDDIR)/texinfo
+ @echo "Running Texinfo files through makeinfo..."
+ make -C $(BUILDDIR)/texinfo info
+ @echo "makeinfo finished; the Info files are in $(BUILDDIR)/texinfo."
+
+-gettext:
++gettext: check_sphinx-build
+ $(SPHINXBUILD) -b gettext $(I18NSPHINXOPTS) $(BUILDDIR)/locale
+ @echo
+ @echo "Build finished. The message catalogs are in $(BUILDDIR)/locale"
+
+-changes: translations
++changes: check_sphinx-build translations
+ $(SPHINXBUILD) -b changes $(ALLSPHINXOPTS) $(BUILDDIR)/changes
+ @echo
+ @echo "The overview file is in $(BUILDDIR)/changes."
+
+-spelling:
++spelling: check_sphinx-build
+ $(SPHINXBUILD) -b spelling $(ALLSPHINXOPTS) $(BUILDDIR)/spelling
+ @echo
+ @echo "Spell check complete; look for any errors in the above output " \
+ "or in $(BUILDDIR)/spelling/output.txt."
+
+-linkcheck:
++linkcheck: check_sphinx-build
+ $(SPHINXBUILD) -b linkcheck $(ALLSPHINXOPTS) $(BUILDDIR)/linkcheck
+ @echo
+ @echo "Link check complete; look for any errors in the above output " \
+ "or in $(BUILDDIR)/linkcheck/output.txt."
+
+-doctest:
++doctest: check_sphinx-build
+ $(SPHINXBUILD) -b doctest $(ALLSPHINXOPTS) $(BUILDDIR)/doctest
+ @echo "Testing of doctests in the sources finished, look at the " \
+ "results in $(BUILDDIR)/doctest/output.txt."
+
+-xml: translations
++xml: check_sphinx-build translations
+ $(SPHINXBUILD) -b xml $(ALLSPHINXOPTS) $(BUILDDIR)/xml
+ @echo
+ @echo "Build finished. The XML files are in $(BUILDDIR)/xml."
+
+-pseudoxml: translations
++pseudoxml: check_sphinx-build translations
+ $(SPHINXBUILD) -b pseudoxml $(ALLSPHINXOPTS) $(BUILDDIR)/pseudoxml
+ @echo
+ @echo "Build finished. The pseudo-XML files are in $(BUILDDIR)/pseudoxml."
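Review bot: in the new check_sphinx-build recipe the lookup still goes through "which", an external program, although the commit message is about minimal build environments; the shell builtin form "command -v $(SPHINXBUILD) >/dev/null 2>&1" performs the same test without that dependency. Because the check is now an ordinary prerequisite listed beside translations rather than a parse-time $(error), a parallel make may start translations before the check fails; if that ordering matters, translations should depend on check_sphinx-build as well.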
diff -Nru salt-2016.11.2+ds/debian/patches/CVE-2017-12791.patch salt-2016.11.2+ds/debian/patches/CVE-2017-12791.patch
--- salt-2016.11.2+ds/debian/patches/CVE-2017-12791.patch 1970-01-01 01:00:00.000000000 +0100
+++ salt-2016.11.2+ds/debian/patches/CVE-2017-12791.patch 2018-01-22 15:00:58.000000000 +0100
@@ -0,0 +1,37 @@
+From fce6a3f407210ed93db6bea9c63fb7ea1d08042f Mon Sep 17 00:00:00 2001
+From: Ch3LL <megan.wilhite at gmail.com>
+Date: Mon, 31 Jul 2017 11:50:21 -0400
+Subject: [PATCH] Add clean_id function to salt.utils.verify.py
+Origin: https://github.com/saltstack/salt/commit/fce6a3f407210ed93db6bea9c63fb7ea1d08042f
+
+---
+ salt/utils/verify.py | 11 ++++++++++-
+ 1 file changed, 10 insertions(+), 1 deletion(-)
+
+diff --git a/salt/utils/verify.py b/salt/utils/verify.py
+index 5e320c3b59c..db513ba675c 100644
+--- a/salt/utils/verify.py
++++ b/salt/utils/verify.py
+@@ -481,12 +481,21 @@ def clean_path(root, path, subdir=False):
+ return ''
+
+
++def clean_id(id_):
++ '''
++ Returns if the passed id is clean.
++ '''
++ if re.search(r'\.\.{sep}'.format(sep=os.sep), id_):
++ return False
++ return True
++
++
+ def valid_id(opts, id_):
+ '''
+ Returns if the passed id is valid
+ '''
+ try:
+- return bool(clean_path(opts['pki_dir'], id_))
++ return bool(clean_path(opts['pki_dir'], id_)) and clean_id(id_)
+ except (AttributeError, KeyError) as e:
+ return False
+
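Review bot: in clean_id(), os.sep is formatted into the pattern r'\.\.{sep}' without re.escape(), so where os.sep is a backslash the pattern ends in a lone backslash and re.search() raises re.error instead of returning False; valid_id() catches only AttributeError and KeyError, so that exception would propagate to the caller. The check also matches only ".." followed by the platform's own separator, so an id using the other separator, or a separator without "..", depends entirely on clean_path(). A plain membership test for both separators, which is what CVE-2017-14695.patch later in this debdiff switches to, avoids both problems. The series file has to keep the two patches in this order, because the later one removes clean_id() again.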
diff -Nru salt-2016.11.2+ds/debian/patches/CVE-2017-14695.patch salt-2016.11.2+ds/debian/patches/CVE-2017-14695.patch
--- salt-2016.11.2+ds/debian/patches/CVE-2017-14695.patch 1970-01-01 01:00:00.000000000 +0100
+++ salt-2016.11.2+ds/debian/patches/CVE-2017-14695.patch 2018-01-22 15:00:58.000000000 +0100
@@ -0,0 +1,63 @@
+From 9ba1f6112fa72627b42eed4c4eea439dce2df31c Mon Sep 17 00:00:00 2001
+From: Erik Johnson <palehose at gmail.com>
+Date: Wed, 23 Aug 2017 10:20:50 -0500
+Subject: [PATCH] Don't allow path separators in minion ID
+Origin: https://github.com/saltstack/salt/commit/9ba1f6112fa72627b42eed4c4eea439dce2df31c
+
+---
+ salt/utils/verify.py | 15 ++++-----------
+ tests/unit/utils/verify_test.py | 10 ++++++++++
+ 2 files changed, 14 insertions(+), 11 deletions(-)
+
+diff --git a/salt/utils/verify.py b/salt/utils/verify.py
+index db513ba675c..45581f02ce0 100644
+--- a/salt/utils/verify.py
++++ b/salt/utils/verify.py
+@@ -481,22 +481,15 @@ def clean_path(root, path, subdir=False):
+ return ''
+
+
+-def clean_id(id_):
+- '''
+- Returns if the passed id is clean.
+- '''
+- if re.search(r'\.\.{sep}'.format(sep=os.sep), id_):
+- return False
+- return True
+-
+-
+ def valid_id(opts, id_):
+ '''
+ Returns if the passed id is valid
+ '''
+ try:
+- return bool(clean_path(opts['pki_dir'], id_)) and clean_id(id_)
+- except (AttributeError, KeyError) as e:
++ if any(x in id_ for x in ('/', '\\', '\0')):
++ return False
++ return bool(clean_path(opts['pki_dir'], id_))
++ except (AttributeError, KeyError, TypeError):
+ return False
+
+
+diff --git a/tests/unit/utils/verify_test.py b/tests/unit/utils/verify_test.py
+index 7e60f886d06..c3fa3732904 100644
+--- a/tests/unit/utils/verify_test.py
++++ b/tests/unit/utils/verify_test.py
+@@ -60,6 +60,16 @@ def test_valid_id_exception_handler(self):
+ opts = {'pki_dir': '/tmp/whatever'}
+ self.assertFalse(valid_id(opts, None))
+
++ def test_valid_id_pathsep(self):
++ '''
++ Path separators in id should make it invalid
++ '''
++ opts = {'pki_dir': '/tmp/whatever'}
++ # We have to test both path separators because os.path.normpath will
++ # convert forward slashes to backslashes on Windows.
++ for pathsep in ('/', '\\'):
++ self.assertFalse(valid_id(opts, pathsep.join(('..', 'foobar'))))
++
+ def test_zmq_verify(self):
+ self.assertTrue(zmq_version())
+
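Review bot: test_valid_id_pathsep exercises the two separators only in combination with ".." and has no case for the third character valid_id() now rejects, so the '\0' branch is untested, as is a separator without ".." (an absolute path, for example). Adding assertFalse cases for an id containing '\0' and for an id such as a bare absolute path would pin the new membership test down. The existing valid_id(opts, None) case now reaches the added TypeError handler, which is good, but a list or tuple id does not raise in "x in id_" and falls through to clean_path(), so rejection of such values still depends on that function.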
diff -Nru salt-2016.11.2+ds/debian/patches/CVE-2017-14696.patch salt-2016.11.2+ds/debian/patches/CVE-2017-14696.patch
--- salt-2016.11.2+ds/debian/patches/CVE-2017-14696.patch 1970-01-01 01:00:00.000000000 +0100
+++ salt-2016.11.2+ds/debian/patches/CVE-2017-14696.patch 2018-01-22 15:00:58.000000000 +0100
@@ -0,0 +1,64 @@
+From 862f6b8eb8a8172d5b1d43c97136ded52b97b957 Mon Sep 17 00:00:00 2001
+From: Erik Johnson <palehose at gmail.com>
+Date: Fri, 25 Aug 2017 14:15:58 -0500
+Subject: [PATCH] Do not allow IDs with null bytes in decoded payloads
+Origin: https://github.com/saltstack/salt/commit/862f6b8eb8a8172d5b1d43c97136ded52b97b957
+
+---
+ salt/crypt.py | 3 +++
+ salt/transport/tcp.py | 11 +++++++++++
+ salt/transport/zeromq.py | 11 +++++++++++
+ 3 files changed, 25 insertions(+)
+
+--- a/salt/crypt.py
++++ b/salt/crypt.py
+@@ -566,6 +566,9 @@
+ raise tornado.gen.Return('retry')
+ else:
+ raise SaltClientError('Attempt to authenticate with the salt master failed with timeout error')
++ if not isinstance(payload, dict):
++ log.error('Sign-in attempt failed: %s', payload)
++ raise tornado.gen.Return(False)
+ if 'load' in payload:
+ if 'ret' in payload['load']:
+ if not payload['load']['ret']:
+--- a/salt/transport/tcp.py
++++ b/salt/transport/tcp.py
+@@ -612,6 +612,17 @@
+ 'payload and load must be a dict', header=header))
+ raise tornado.gen.Return()
+
++ try:
++ id_ = payload['load'].get('id', '')
++ if '\0' in id_:
++ log.error('Payload contains an id with a null byte: %s', payload)
++ stream.send(self.serial.dumps('bad load: id contains a null byte'))
++ raise tornado.gen.Return()
++ except TypeError:
++ log.error('Payload contains non-string id: %s', payload)
++ stream.send(self.serial.dumps('bad load: id {0} is not a string'.format(id_)))
++ raise tornado.gen.Return()
++
+ # intercept the "_auth" commands, since the main daemon shouldn't know
+ # anything about our key auth
+ if payload['enc'] == 'clear' and payload.get('load', {}).get('cmd') == '_auth':
+--- a/salt/transport/zeromq.py
++++ b/salt/transport/zeromq.py
+@@ -601,6 +601,17 @@
+ stream.send(self.serial.dumps('payload and load must be a dict'))
+ raise tornado.gen.Return()
+
++ try:
++ id_ = payload['load'].get('id', '')
++ if '\0' in id_:
++ log.error('Payload contains an id with a null byte: %s', payload)
++ stream.send(self.serial.dumps('bad load: id contains a null byte'))
++ raise tornado.gen.Return()
++ except TypeError:
++ log.error('Payload contains non-string id: %s', payload)
++ stream.send(self.serial.dumps('bad load: id {0} is not a string'.format(id_)))
++ raise tornado.gen.Return()
++
+ # intercept the "_auth" commands, since the main daemon shouldn't know
+ # anything about our key auth
+ if payload['enc'] == 'clear' and payload.get('load', {}).get('cmd') == '_auth':
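Review bot: in the blocks added to salt/transport/tcp.py and salt/transport/zeromq.py, the test '\0' in id_ raises TypeError only for some non-string types (an integer or None, for instance); a list, tuple or dict id is a valid right-hand side for "in", so it passes the check without being a string and the "is not a string" reply is never sent for it. An explicit isinstance() test on id_ ahead of the null-byte check would make the rejection match the error message. Both branches also log the whole payload at error level, before the _auth handling that follows in the context lines, which lets a remote sender put arbitrary and arbitrarily large content into the master log; logging only a truncated repr of the id would be safer. The two blocks are identical, so a shared helper would keep the transports from drifting apart.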
diff -Nru salt-2016.11.2+ds/debian/patches/series salt-2016.11.2+ds/debian/patches/series
--- salt-2016.11.2+ds/debian/patches/series 2017-02-01 16:59:00.000000000 +0100
+++ salt-2016.11.2+ds/debian/patches/series 2018-01-22 15:00:58.000000000 +0100
@@ -3,3 +3,8 @@
Make-the-Salt-Proxy-environment-aware.patch
Workaround-wrong-oscodename-grain.patch
Fix-top_file_merging_strategy-warning.patch
+CVE-2017-12791.patch
+CVE-2017-14695.patch
+CVE-2017-14696.patch
+Check_if_data_return_is_dict_type.patch
+clean-doc-without-sphinx.patch