[Pkg-salt-team] Bug#1000265: typo in fix for CVE-2021-21996 breaks file.managed on stretch
Jamie Heilman
jamie at audible.transient.net
Sat Nov 20 16:46:34 GMT 2021
Package: salt-common
Version: 2016.11.2+ds-1+deb9u8
Severity: grave
The patch for 994016 in the
/usr/lib/python2.7/dist-packages/salt/fileclient.py file included:
+ # clean_path returns an empty string if the check fails
+ root_path = salt.utils.path.join(cachedir, "extrn_files", saltenv, netloc)
which might work for newer versions of salt, but in stretch that has
to be salt.utils.path_join(...) as the salt.utils.path module didn't
exist yet. As-is, the security update for CVE-2021-21996 makes
file.managed states fail with:
Unable to manage file: 'module' object has no attribute 'path'
which makes salt on stretch pretty much unusable.
--
Jamie Heilman http://audible.transient.net/~jamie/
More information about the pkg-salt-team
mailing list