[Pkg-salt-team] Bug#959684: salt: CVE-2020-11651 and CVE-2020-11652

Simon McVittie smcv at collabora.com
Tue May 5 15:01:45 BST 2020 

On Mon, 04 May 2020 at 01:34:33 +0200, Guilhem Moulin wrote:
>   CVE-2020-11651
>   CVE-2020-11652

I found myself needing to mitigate this for a salt deployment, so I
tried backporting the upstream patches to buster.

The attached are not at all thoroughly-tested and should be reviewed
carefully by someone who knows the codebase, but they seem to work, and
the proof-of-concept from
https://github.com/rossengeorgiev/salt-security-backports no longer reports
that the master is vulnerable. This was only a stopgap, because that
deployment is now using the packages from saltstack.com instead, but it
might be useful to the salt maintainers.

There are also unofficial backports in
https://github.com/rossengeorgiev/salt-security-backports - I tried doing
the cherry-picks myself and then compared what I got with those, in an
attempt to guard against mistakes (by either myself or the author of those
backports).

Note that patch 0003 contains unofficial workarounds for regressions in the
release that fixed those CVEs, which you might prefer to exclude from an
official update.

    smcv
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-Apply-upstream-patch-for-CVE-2019-17361.patch
Type: text/x-diff
Size: 32765 bytes
Desc: not available
URL: <http://alioth-lists.debian.net/pipermail/pkg-salt-team/attachments/20200505/5f05b551/attachment-0012.patch>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0002-Backport-upstream-patches-for-CVE-2020-11651-CVE-202.patch
Type: text/x-diff
Size: 31852 bytes
Desc: not available
URL: <http://alioth-lists.debian.net/pipermail/pkg-salt-team/attachments/20200505/5f05b551/attachment-0013.patch>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0003-Apply-proposed-regression-fixes-in-salt.master.patch
Type: text/x-diff
Size: 2895 bytes
Desc: not available
URL: <http://alioth-lists.debian.net/pipermail/pkg-salt-team/attachments/20200505/5f05b551/attachment-0014.patch>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0004-Update-changelog.patch
Type: text/x-diff
Size: 928 bytes
Desc: not available
URL: <http://alioth-lists.debian.net/pipermail/pkg-salt-team/attachments/20200505/5f05b551/attachment-0015.patch>

More information about the pkg-salt-team mailing list