Your message dated Sat, 16 Apr 2022 02:34:24 +0000
with message-id <e1nfygw-000imr...@fasolo.debian.org>
and subject line Bug#1008945: fixed in salt 3004.1+dfsg-1
has caused the Debian Bug report #1008945,
regarding salt: CVE-2022-22934 CVE-2022-22935 CVE-2022-22936 CVE-2022-22941
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
1008945: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1008945
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: salt
Version: 3004+dfsg1-10
Severity: grave
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>
Hi,
The following vulnerabilities were published for salt.
CVE-2022-22934[0]:
| An issue was discovered in SaltStack Salt in versions before 3002.8,
| 3003.4, 3004.1. Salt Masters do not sign pillar data with the
| minion's public key, which can result in attackers
| substituting arbitrary pillar data.
CVE-2022-22935[1]:
| An issue was discovered in SaltStack Salt in versions before 3002.8,
| 3003.4, 3004.1. A minion authentication denial of service can cause a
| MiTM attacker to force a minion process to stop by impersonating a
| master.
CVE-2022-22936[2]:
| An issue was discovered in SaltStack Salt in versions before 3002.8,
| 3003.4, 3004.1. Job publishes and file server replies are susceptible
| to replay attacks, which can result in an attacker replaying job
| publishes causing minions to run old jobs. File server replies can
| also be re-played. A sufficiently crafty attacker could gain root access
| on a minion under certain scenarios.
CVE-2022-22941[3]:
| An issue was discovered in SaltStack Salt in versions before 3002.8,
| 3003.4, 3004.1. When configured as a Master-of-Masters, with a
| publisher_acl, if a user configured in the publisher_acl targets any
| minion connected to the Syndic, the Salt Master incorrectly
| interpreted no valid targets as valid, allowing configured users to
| target any of the minions connected to the syndic with their
| configured commands. This requires a syndic master combined with
| publisher_acl configured on the Master-of-Masters, allowing users
| specified in the publisher_acl to bypass permissions, publishing
| authorized commands to any configured minion.
See [4] for the announce.
If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2022-22934
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22934
[1] https://security-tracker.debian.org/tracker/CVE-2022-22935
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22935
[2] https://security-tracker.debian.org/tracker/CVE-2022-22936
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22936
[3] https://security-tracker.debian.org/tracker/CVE-2022-22941
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22941
[4] https://saltproject.io/security_announcements/salt-security-advisory-release/
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
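The advisory quoted above gives concrete fix thresholds (3002.8, 3003.4, 3004.1 upstream; 3004.1+dfsg-1 in Debian), so the practical follow-up for an operator is to check every master and minion against them. The script below is an added example for this bug report, not tooling from Salt or Debian. It parses upstream version strings, Debian package versions (dropping the +dfsg repack suffix and Debian revision) and `salt-minion --version` output, and reports which hosts are still on a vulnerable release. The host names and the inventory are constructed sample data, not taken from the report.

```python
import re

# Fixed releases named in the advisory (CVE text): the fix landed in
# 3002.8, 3003.4 and 3004.1. Older branches have no fixed release at all.
FIXED_MINOR = {3002: 8, 3003: 4, 3004: 1}

# Matches "3004.1", "3004", "3004.1+dfsg-1" (Debian package version) and
# "salt-minion 3004.1" (output of `salt-minion --version`). Only the first
# two numeric components decide whether the fix is present.
_VERSION_RE = re.compile(r"^(?:salt(?:-[a-z]+)?\s+)?(\d{4})(?:\.(\d+))?")


def parse_salt_version(text):
    """Return (major, minor) from a Salt or Debian salt version string.

    Debian's '+dfsg' repack suffix and '-N' revision are ignored: they do
    not change which upstream release is installed.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Salt version string: {text!r}")
    major = int(m.group(1))
    minor = int(m.group(2)) if m.group(2) else 0
    return major, minor


def is_vulnerable(text):
    """True if the version is before 3002.8 / 3003.4 / 3004.1."""
    major, minor = parse_salt_version(text)
    if major < 3002:
        return True          # EOL branch: no fixed release exists
    if major > 3004:
        return False         # released after the fix
    return minor < FIXED_MINOR[major]


def find_vulnerable_hosts(inventory):
    """Given host -> version text, return the hosts still needing the fix."""
    return sorted(h for h, v in inventory.items() if is_vulnerable(v))


if __name__ == "__main__":
    # Constructed sample inventory (hypothetical hosts). The version strings
    # are the kind returned by `dpkg-query -W -f '${Version}' salt-minion`
    # or by `salt-minion --version`.
    sample = {
        "web01": "3004+dfsg1-10",    # Debian version the bug was filed against
        "web02": "3004.1+dfsg-1",    # Debian version that closed the bug
        "db01": "salt-minion 3003.3",
        "db02": "salt-minion 3003.4",
        "legacy": "2019.2.8",
        "new": "3005",
    }
    print(find_vulnerable_hosts(sample))   # ['db01', 'legacy', 'web01']
```

Note that a Debian version of exactly 3004+dfsg1-10 parses as upstream 3004.0 and is therefore flagged, which matches the report: the fix only arrived with the 3004.1 upstream release.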
--- Begin Message ---
Source: salt
Source-Version: 3004.1+dfsg-1
Done: Benjamin Drung <bdr...@debian.org>
We believe that the bug you reported is fixed in the latest version of
salt, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 1008...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Benjamin Drung <bdr...@debian.org> (supplier of updated salt package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Sat, 16 Apr 2022 03:43:12 +0200
Source: salt
Built-For-Profiles: noudeb
Architecture: source
Version: 3004.1+dfsg-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Salt Team <pkg-salt-t...@alioth-lists.debian.net>
Changed-By: Benjamin Drung <bdr...@debian.org>
Closes: 1006036 1008896 1008945
Changes:
salt (3004.1+dfsg-1) unstable; urgency=medium
.
* New upstream security/bugfix release. (Closes: #1008945)
- Sign authentication replies to prevent MiTM (CVE-2022-22935)
- Prevent job and fileserver replays (CVE-2022-22936)
- Sign pillar data to prevent MiTM attacks. (CVE-2022-22934)
- Fixed targeting bug, especially visible when using syndic and user auth.
(CVE-2022-22941) (#60413)
- Fix denial of service in junos ifconfig output parsing.
* d/watch: Drop number from repack suffix
* Refresh patches
* Mark test_list_available_packages requiring network
* Rely on pytest-skip-markers 1.1.0-3 that supports NO_INTERNET
* Don't rely on importlib.metadata, it's still not ready for our usage
(Closes: #1008896)
* test_aptpkg.py: Fix UnboundLocalError: local variable 'test_repo'
(Closes: #1006036)
* Update my email address to @debian.org
Checksums-Sha1:
91dcc739adee3a196928f055564f95fc552eedf8 4699 salt_3004.1+dfsg-1.dsc
39531d5eeb7c7ae9273c6f4e33d329c37162eef7 12587748 salt_3004.1+dfsg.orig.tar.xz
6661df66586012a1409cbf0fe7f81d0b9f13e9db 126180 salt_3004.1+dfsg-1.debian.tar.xz
e902af1ae060d49af49a6304c98e415e54cab18b 10291 salt_3004.1+dfsg-1_source.buildinfo
Checksums-Sha256:
906a279291ac8092dd56e18f660d0e34bd0527cbb14578aa0e8f2f043746c6a6 4699 salt_3004.1+dfsg-1.dsc
c66e13363e9e8803aeb58433429bd17a004ad596a70a93cfdf7ea3c925ca2307 12587748 salt_3004.1+dfsg.orig.tar.xz
816fe7469b0bdb17f16c0b5117ca73450b1d05f2919c02bcc438abecae9483e9 126180 salt_3004.1+dfsg-1.debian.tar.xz
961db1e2ce56bdc94b5ea224a27e2fe59abbb50e7e5624f6d59876a0ec6aa6c0 10291 salt_3004.1+dfsg-1_source.buildinfo
Files:
d530132f823be6d199e293813a375bf2 4699 admin optional salt_3004.1+dfsg-1.dsc
8ece5fdeac8df4704769be95d020d79e 12587748 admin optional salt_3004.1+dfsg.orig.tar.xz
f76a8196ae776f25d5738ae698943ab1 126180 admin optional salt_3004.1+dfsg-1.debian.tar.xz
664f5025f9ae8ba957b06d315a5de95d 10291 admin optional salt_3004.1+dfsg-1_source.buildinfo
-----BEGIN PGP SIGNATURE-----
iQIzBAEBCgAdFiEEpi0s+9ULm1vzYNVLFZ61xO/Id0wFAmJaH6IACgkQFZ61xO/I
d0xxJQ/8D3FS6iZ8MCg7qvoqD2nOZ/LwMhHlOHE1+Lulic8O+i5v0J0VCyosE+Vp
JEO93Au3oFWyqNDCARBmq5FsDarhKANS0hbSmnv7HX+ZdcdayUJXgK8LMSamAxLS
o1+SlSVYoP9ex2LadKplcvLV3eW3kIoXlG3FnjoBje9Qw6xg70qtA4xMM0T3oh0g
phYt286Cp9YaHRSpsO/5GYS8BaPWdFsalIzNeMIe2hZs0Oshd17NrY28yLSUHyql
wZlEhB4G9dcGOg9w2fWEJOWvFh6wp6TNznSSkgO1zeyi2NfUVDKeuaMKDjF12kZl
PI5SVNbm2Fwbh+nY5GKjdlC1g5PDABSMbKxGwzBQ/QunhN1xLGqkvK5kmBIUFdrL
NJNIykON4GDjK+P7EOD3K/YLKZBbvEh4/Auir85FrqP3LYLkCK29MJsHtt5rEqZH
25HH91XQrUw3XEqoELLnKHU/1PWSiiQGPgrKrpeKSPZINm0xwmZLCQadR6HLdmsq
TG2hhREFxsOsEAQTacj+C3ew7GIoWJVHgBEohE0vg9FXwzVluhItaVPpC6vE55fd
JgkBkHB9qQUl1Vq9dAA8fIcJbJHbLgVVdDWIvDvW+wg2aKU01TAXw0KuSQ8gjJzM
dnwMRDxQm9/Mnm4hAB4EcwTaqX1go/8M7dVetpYOipD9DgoEia8=
=EFaE
-----END PGP SIGNATURE-----
--- End Message ---