[Pkg-salt-team] Bug#1000265: typo in fix for CVE-2021-21996 breaks file.managed on stretch

Jamie Heilman jamie at audible.transient.net
Sat Nov 20 16:46:34 GMT 2021


Package: salt-common
Version: 2016.11.2+ds-1+deb9u8
Severity: grave

The patch for 994016 in the
/usr/lib/python2.7/dist-packages/salt/fileclient.py file included:

+        # clean_path returns an empty string if the check fails
+        root_path = salt.utils.path.join(cachedir, "extrn_files", saltenv, netloc)
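
Review bot: the added `root_path = salt.utils.path.join(cachedir, "extrn_files", saltenv, netloc)` line depends on a `salt.utils.path` module, which this report says does not exist in the 2016.11.2 code shipped in stretch, so the backport should call `salt.utils.path_join(cachedir, "extrn_files", saltenv, netloc)` instead. The comment above it describes `clean_path`, which is not called in the quoted lines; keep that comment adjacent to the call it documents. Because a missing attribute on this path only fails when the line executes, the backport should be exercised with at least one file.managed state on the target release before upload.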

which might work for newer versions of salt, but in stretch that has
to be salt.utils.path_join(...) as the salt.utils.path module didn't
exist yet.  As-is, the security update for CVE-2021-21996 makes
file.managed states fail with:

  Unable to manage file: 'module' object has no attribute 'path'

which makes salt on stretch pretty much unusable.

-- 
Jamie Heilman                     http://audible.transient.net/~jamie/


