[Pkg-salt-team] Bug#1013872: salt: CVE-2022-22967

Paul Gevers elbrus at debian.org
Thu Sep 1 07:13:07 BST 2022


Hi,

On Sun, 26 Jun 2022 13:55:24 +0200 Salvatore Bonaccorso 
<carnil at debian.org> wrote:
> Source: salt

> The following vulnerability was published for salt.
> 
> CVE-2022-22967[0]:
> | An issue was discovered in SaltStack Salt in versions before 3002.9,
> | 3003.5, 3004.2. PAM auth fails to reject locked accounts, which allows
> | a previously authorized user whose account is locked still run Salt
> | commands when their account is locked. This affects both local shell
> | accounts with an active session and salt-api users that authenticate
> | via PAM eauth.


As much as I'd like to stay away from fixing packages, do you need help 
with this one? It's causing RC issues in testing even though it's removed.

https://qa.debian.org/dose/debcheck/src_testing_main/1661922002/packages/pytest-testinfra.html#076c12ad0c0676e354433b4fd854e3d5

There's a new upstream release and I pulled it locally, but there are a 
lot of changes. So without experience with the package, it's a bit much 
to go over.

Paul

PS: please CC me in reply.