Ping? We're a few days away from closing the window for the final jessie point release before it becomes LTS.
Regards,

Adam

On Wed, 2017-06-28 at 01:44 +0200, Cyril Brulebois wrote:
> Control: tag -1 moreinfo
>
> Hi,
>
> Comments below:
>
> Benjamin Drung <benjamin.dr...@profitbricks.com> (2017-05-22):
> > diff -Nru salt-2014.1.13+ds/debian/patches/CVE-2015-6918.patch > > salt-2014.1.13+ds/debian/patches/CVE-2015-6918.patch > > --- salt-2014.1.13+ds/debian/patches/CVE-2015-6918.patch 197 > > 0-01-01 01:00:00.000000000 +0100 > > +++ salt-2014.1.13+ds/debian/patches/CVE-2015-6918.patch 201 > > 7-04-18 12:18:56.000000000 +0200
> > @@ -0,0 +1,46 @@ > > +From 528916548726976dcc75626dc6f6641ceb206ee3 Mon Sep 17 00:00:00 > > 2001 > > +From: Tarjei Husøy <g...@thusoy.com> > > +Date: Wed, 19 Aug 2015 11:41:10 -0700 > > +Subject: [PATCH] Git: Don't leak https user/pw to log > > +Origin: backport, https://github.com/saltstack/salt/commit/28aa9b1 > > 05804ff433d8f663b2f9b804f2b75495a > > + > > +--- > > + salt/modules/git.py | 17 ++++++++++++++--- > > + tests/unit/modules/git_test.py | 18 ++++++++++++++++++ > > + 2 files changed, 32 insertions(+), 3 deletions(-) > > + > > +--- a/salt/modules/git.py > > ++++ b/salt/modules/git.py > > +@@ -5,6 +5,7 @@ > > + > > + # Import python libs > > + import os > > ++import re > > + import tempfile > > + try: > > + import pipes > > +@@ -75,6 +76,7 @@ > > + result = __salt__['cmd.run_all'](cmd, > > + cwd=cwd, > > + runas=runas, > > ++ output_loglevel='quiet', > > + env=env, > > + **kwargs) > > + > > +@@ -86,7 +88,15 @@ > > + if retcode == 0: > > + return result['stdout'] > > + else: > > +- raise exceptions.CommandExecutionError(result['stderr']) > > ++ stderr = _remove_sensitive_data(result['stderr']) > > ++ raise exceptions.CommandExecutionError(stderr) > > ++ > > ++ > > ++def _remove_sensitive_data(sensitive_output): > > ++ ''' > > ++ Remove HTTP user and password. > > ++ ''' > > ++ return re.sub('(https?)://.*@', r'\1://<redacted>@', > > sensitive_output)
>
> This is possibly going to remove too much stuff if one has something
> like <https://somewhere/foo@bar>?
>
> Anyway, it's probably an acceptable loss compared to the various
> security bug fixes, so it's probably a good idea to proceed anyway.
>
> I'm tagging this with moreinfo for the time being, as some feedback
> from your side would be welcome.
>
>
> KiBi.
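Review bot: In `_remove_sensitive_data` (the `@@ -86,7 +88,15 @@` hunk), the pattern `'(https?)://.*@'` uses a greedy `.*`, so the match runs from the scheme to the last `@` on the line and is not confined to the userinfo part of the URL. A URL without credentials but with an `@` later in its path, or any later `@` in the same stderr line, has everything in between replaced by `<redacted>`; that errs on the side of hiding too much rather than leaking, but it costs diagnostic detail in the raised `CommandExecutionError`. Stopping at the first `/` or whitespace, for example `r'(https?)://[^/\s]*@'`, keeps the substitution on the authority component while still covering a password that itself contains `@`. The diffstat lists tests/unit/modules/git_test.py; a case with `@` in the path and one with `@` in the password would pin the intended behaviour down.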
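Review bot: In the `@@ -75,6 +76,7 @@` hunk, `output_loglevel='quiet'` is passed to `cmd.run_all` unconditionally and without a comment, so it applies to every git command routed through this call, not only to those whose remote URL carries credentials. A one-line comment next to the argument stating that it is there to keep HTTP(S) credentials out of the log would make the intent explicit and guard against it being dropped later when someone wants more verbose output while debugging.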