[Pkg-salt-team] Bug#959684: salt: CVE-2020-11652: [CVEHelp at saltstack.com] Action Required: SaltStack CVE Follow-Up Patch

Guilhem Moulin guilhem at debian.org
Thu May 7 00:09:52 BST 2020


Control: notfixed -1 2016.11.2+ds-1+deb9u3

On Wed, 6 May 2020 at 10:36:42 +0200, Elimar Riesebieter wrote:
> please notice the attached note from SaltStack! I assume this is not
> integrated into DSA 4676-1, is it?

Oops, yes: 2016.11.2+ds-1+deb9u3 appears to still be vulnerable to
CVE-2020-11652:

| If you have already applied the patch for Salt 2017.x or earlier, there
| is a follow-up patch to apply. You can download the patch and
| instructions below. **This applies to 2017.x, 2016.x, and 2015.x. This
| does NOT apply to 2018.x, 2019.x, or 3000.x.** 
| […]
|   - 2016.x <http://em.saltstack.com/WP01MfH790m1QhM00U0s800>
| […] 
| The original patch for versions 2017.x and earlier secured against
| arbitrary commands running on Salt minions and eliminated the exposure
| (CVE-2020-11651). This additional patch is required to completely
| resolve arbitrary directory access to authenticated users
| (CVE-2020-11652).

-- 
Guilhem.