[Pkg-salt-team] Bug#1013872: salt: CVE-2022-22967
Paul Gevers
elbrus at debian.org
Thu Sep 1 07:13:07 BST 2022
Hi,
On Sun, 26 Jun 2022 13:55:24 +0200 Salvatore Bonaccorso
<carnil at debian.org> wrote:
> Source: salt
> The following vulnerability was published for salt.
>
> CVE-2022-22967[0]:
> | An issue was discovered in SaltStack Salt in versions before 3002.9,
> | 3003.5, 3004.2. PAM auth fails to reject locked accounts, which allows
> | a previously authorized user whose account is locked still run Salt
> | commands when their account is locked. This affects both local shell
> | accounts with an active session and salt-api users that authenticate
> | via PAM eauth.
As much as I'd like to stay away from fixing packages, do you need help
with this one? It's causing RC issues in testing even though it's removed.
https://qa.debian.org/dose/debcheck/src_testing_main/1661922002/packages/pytest-testinfra.html#076c12ad0c0676e354433b4fd854e3d5
There's a new upstream release and I pulled it locally, but there are a
lot of changes. So without experience with the package, it's a bit much
to go over.
Paul
PS: please CC me in reply.