[Pkg-salt-team] Bug#959684: [External] Bug#959684: salt: CVE-2020-11652: [CVEHelp at saltstack.com] Action Required: SaltStack CVE Follow-Up Patch

Salvatore Bonaccorso carnil at debian.org
Thu May 7 13:32:07 BST 2020


Hi Graham,

On Thu, May 07, 2020 at 11:25:00AM +0100, Graham Clinch wrote:
> Hi,
> 
> > I would like to get some testing feedback on the stretch packages, if
> > you have such an instance
> > https://people.debian.org/~carnil/tmp/salt/stretch/ contains testing
> > packages.
> 
> These packages look good to me.
> 
> I updated two stretch instances from 2016.11.2+ds-1+deb9u3 to
> 2016.11.2+ds-1+deb9u4, for the following packages:
> 
> salt-api, salt-common, salt-master, salt-minion.
> 
> There were no errors during the update, and minions at various releases
> (including 9u2, 9u3 and 9u4) connect to the salt master as expected.
> 
> Additionally a test tool reports the deb9u4 master as not vulnerable (it
> reported the deb9u3 master as vulnerable to 'read_token').

Thanks for testing those, much appreciated. I will send out the
followup advisory with the fixed packages later today.

Regards,
Salvatore


