[Pkg-salt-team] Bug#959684: salt: CVE-2020-11652: [CVEHelp at saltstack.com] Action Required: SaltStack CVE Follow-Up Patch

Salvatore Bonaccorso carnil at debian.org
Thu May 7 07:18:34 BST 2020


Hi Guilhem,

On Thu, May 07, 2020 at 01:09:52AM +0200, Guilhem Moulin wrote:
> Control: notfixed -1 2016.11.2+ds-1+deb9u3
> 
> On Wed, 6 May 2020 at 10:36:42 +0200, Elimar Riesebieter wrote:
> > please notice the attached note from saltstack! I assume this is not
> > integrated into DSA 4676-1, isn't it?
> 
> Ooops yes, 2016.11.2+ds-1+deb9u3 appears to still be vulnerable to
> CVE-2020-11652:
> 
> | If you have already applied the patch for Salt 2017.x or earlier, there
> | is a follow-up patch to apply. You can download the patch and
> | instructions below. **This applies to 2017.x, 2016.x, and 2015.x. This
> | does NOT apply to 2018.x, 2019.x, or 3000.x.** 
> | […]
> |   - 2016.x <http://em.saltstack.com/WP01MfH790m1QhM00U0s800>
> | […] 
> | The original patch for versions 2017.x and earlier secured against
> | arbitrary commands running on Salt minions and eliminated the exposure
> | (CVE-2020-11651). This additional patch is required to completely
> | resolve arbitrary directory access to authenticated users
> | (CVE-2020-11652).

Yes, I am aware of this incomplete fix, and a follow-up DSA will go out
later today.

I would like to get some testing feedback on the stretch packages, if
you have such an instance.
https://people.debian.org/~carnil/tmp/salt/stretch/ contains testing
packages.

Regards,
Salvatore
