[Pkg-salt-team] Bug#959684: [External] Bug#959684: salt: CVE-2020-11652: [CVEHelp at saltstack.com] Action Required: SaltStack CVE Follow-Up Patch
Salvatore Bonaccorso
carnil at debian.org
Thu May 7 13:32:07 BST 2020
Hi Graham,
On Thu, May 07, 2020 at 11:25:00AM +0100, Graham Clinch wrote:
> Hi,
>
> > I would like to get some testing feedback on the stretch packages, if
> > you have such instance
> > https://people.debian.org/~carnil/tmp/salt/stretch/ contains testing
> > packages.
>
> These packages look good to me.
>
> I updated two stretch instances from 2016.11.2+ds-1+deb9u3 to
> 2016.11.2+ds-1+deb9u4, for the following packages:
>
> salt-api, salt-common, salt-master, salt-minion.
>
> There were no errors during the update, and minions at various releases
> (including 9u2, 9u3 and 9u4) connect to the salt master as expected.
>
> Additionally a test tool reports the deb9u4 master as not vulnerable (it
> reported the deb9u3 master as vulnerable to 'read_token').
Thanks for testing those, much appreciated. I will send out the
followup advisory with the fixed packages later today.
Regards,
Salvatore
More information about the pkg-salt-team
mailing list