Control: tag -1 moreinfo

Hi,
Comments below: Benjamin Drung <benjamin.dr...@profitbricks.com> (2017-05-22): > diff -Nru salt-2014.1.13+ds/debian/patches/CVE-2015-6918.patch > salt-2014.1.13+ds/debian/patches/CVE-2015-6918.patch > --- salt-2014.1.13+ds/debian/patches/CVE-2015-6918.patch 1970-01-01 > 01:00:00.000000000 +0100 > +++ salt-2014.1.13+ds/debian/patches/CVE-2015-6918.patch 2017-04-18 > 12:18:56.000000000 +0200 
> @@ -0,0 +1,46 @@ > +From 528916548726976dcc75626dc6f6641ceb206ee3 Mon Sep 17 00:00:00 2001 > +From: Tarjei Husøy <g...@thusoy.com> > +Date: Wed, 19 Aug 2015 11:41:10 -0700 > +Subject: [PATCH] Git: Don't leak https user/pw to log > +Origin: backport, > https://github.com/saltstack/salt/commit/28aa9b105804ff433d8f663b2f9b804f2b75495a > + > +--- > + salt/modules/git.py | 17 ++++++++++++++--- > + tests/unit/modules/git_test.py | 18 ++++++++++++++++++ > + 2 files changed, 32 insertions(+), 3 deletions(-) > + > +--- a/salt/modules/git.py > ++++ b/salt/modules/git.py > +@@ -5,6 +5,7 @@ > + > + # Import python libs > + import os > ++import re > + import tempfile > + try: > + import pipes > +@@ -75,6 +76,7 @@ > + result = __salt__['cmd.run_all'](cmd, > + cwd=cwd, > + runas=runas, > ++ output_loglevel='quiet', > + env=env, > + **kwargs) > + > +@@ -86,7 +88,15 @@ > + if retcode == 0: > + return result['stdout'] > + else: > +- raise exceptions.CommandExecutionError(result['stderr']) > ++ stderr = _remove_sensitive_data(result['stderr']) > ++ raise exceptions.CommandExecutionError(stderr) > ++ > ++ > ++def _remove_sensitive_data(sensitive_output): > ++ ''' > ++ Remove HTTP user and password. > ++ ''' > ++ return re.sub('(https?)://.*@', r'\1://<redacted>@', sensitive_output) This is possibly going to remove too much stuff if one has something like <https://somewhere/foo@bar>? Anyway, it's probably an acceptable loss compared to the various security bug fixes, so it's probably a good idea to proceed anyway. I'm tagging this with moreinfo for the time being, as some feedback from your side would be welcome. KiBi.
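Review bot: the pattern in `_remove_sensitive_data` at the end of the hunk, `(https?)://.*@`, is greedy, so it replaces everything from the first `http(s)://` on a line up to the last `@` on that same line, not just the userinfo part; a URL whose path contains `@` (the `<https://somewhere/foo@bar>` case raised above) or two URLs on one line lose host and path text as well as the credentials. Stopping at the first `/`, `?`, `#` or whitespace, e.g. `re.sub(r'(https?://)[^/?#@\s]+@', r'\1<redacted>@', sensitive_output)`, redacts only the `user:password@` component and leaves such lines intact. Since the diffstat lists `tests/unit/modules/git_test.py`, a test line with an `@` in the path would pin that behaviour down.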
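As an added illustration of the over-matching discussed above (example code written for this review, not part of the patch or of Salt), the patch's regex beside a tighter alternative, run over constructed stderr lines; the sample lines and the `USERINFO_RE` pattern are this example's own assumptions:

```python
import re

# The redaction as written in the patch, reproduced for comparison.  ".*" is
# greedy and "." matches anything except a newline, so the match runs from the
# first "http(s)://" on a line to the LAST "@" on that same line.
def remove_sensitive_data_patch(sensitive_output):
    return re.sub('(https?)://.*@', r'\1://<redacted>@', sensitive_output)

# Suggested tighter pattern (an assumption of this example, not part of the
# patch): RFC 3986 userinfo ends at the first "@" and cannot contain "/", "?",
# "#" or whitespace, so stop there.  An "@" inside a path is left alone.
USERINFO_RE = re.compile(r'(https?://)[^/?#@\s]+@', re.IGNORECASE)

def remove_sensitive_data_tight(sensitive_output):
    return USERINFO_RE.sub(r'\1<redacted>@', sensitive_output)

# Constructed stderr lines (not real git or salt output) covering the cases a
# reviewer cares about: plain credentials, "@" in a path, two URLs on one line.
SAMPLE_STDERR = [
    "fatal: Authentication failed for 'https://alice:s3cret@git.example.com/repo.git/'",
    "fatal: repository 'https://somewhere/foo@bar' not found",
    "fatal: unable to access 'https://alice:pw@a.example/x' after 'https://bob:pw2@b.example/y'",
]

def redact_both(line):
    """Return (patch_result, tight_result) for one line of stderr."""
    return remove_sensitive_data_patch(line), remove_sensitive_data_tight(line)

if __name__ == "__main__":
    for line in SAMPLE_STDERR:
        patch_out, tight_out = redact_both(line)
        print("in:    ", line)
        print("patch: ", patch_out)
        print("tight: ", tight_out)
        print()
```

On the second and third lines the patch's regex discards the host (and, for two URLs, the whole first URL), while the tighter one removes only the credentials.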