[Pkg-salt-team] Bug#949222: salt: CVE-2019-17361

Salvatore Bonaccorso carnil at debian.org
Sat Jan 18 12:38:12 GMT 2020


Source: salt
Version: 2018.3.4+dfsg1-7
Severity: grave
Tags: security upstream
Justification: user security hole
Control: found -1 2018.3.4+dfsg1-6
Control: found -1 2016.11.2+ds-1+deb9u2
Control: found -1 2016.11.2+ds-1

Hi,

The following vulnerability was published for salt.

CVE-2019-17361[0]:
| In SaltStack Salt through 2019.2.0, the salt-api NEST API with the ssh
| client enabled is vulnerable to command injection. This allows an
| unauthenticated attacker with network access to the API endpoint to
| execute arbitrary code on the salt-api host.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2019-17361
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17361
[1] https://docs.saltstack.com/en/latest/topics/releases/2019.2.3.html#security-fix
[2] https://github.com/saltstack/salt/commit/bca115f3f00fbde564dd2f12bf036b5d2fd08387

Please adjust the affected versions as needed in the BTS. It looks to
me that all versions back to the stretch one have the problem, but an
explicit confirmation or nack would be welcome. I did check explicitly
the invocations in salt/netapi/__init__.py, but let me know if I
missed something.

Regards,
Salvatore