pkgsrc-Bugs archive


pkg/50779: Update sysutils/salt to 2015.8.5



>Number:         50779
>Category:       pkg
>Synopsis:       Update sysutils/salt to 2015.8.5
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    pkg-manager
>State:          open
>Class:          change-request
>Submitter-Id:   net
>Arrival-Date:   Sun Feb 07 22:10:00 +0000 2016
>Originator:     Travis Paul
>Release:        current
>Organization:
>Environment:
NetBSD kagato.netverb.com 7.99.26 NetBSD 7.99.26 (kagato) #0: Sun Feb  7 11:33:50 EST 2016  tpaul%kagato.netverb.com@localhost:/build/obj/sys/arch/amd64/compile/kagato amd64


>Description:
Upgrade salt to 2015.8.5 for security and bug fixes: 
https://docs.saltstack.com/en/latest/topics/releases/2015.8.5.html

SECURITY FIX
CVE-2016-1866: Improper handling of clear messages on the minion, which could result in executing commands not sent by the master.

This issue affects only the 2015.8.x releases of Salt. In order for an attacker to use this attack vector, they would have to execute a successful attack on an existing TCP connection between minion and master on the pub port. It does not allow an external attacker to obtain the shared secret or decrypt any encrypted traffic between minion and master.

Tested on NetBSD amd64, OS X Kernel Version 15.3.0
Sent a message to pkgsrc-security@ asking to add the CVE to the vulnerability list.
Makefile and distinfo patch added below.


>How-To-Repeat:

>Fix:
Index: Makefile
===================================================================
RCS file: /cvsroot/pkgsrc/sysutils/salt/Makefile,v
retrieving revision 1.34
diff -u -r1.34 Makefile
--- Makefile    4 Feb 2016 22:05:36 -0000       1.34
+++ Makefile    7 Feb 2016 21:56:34 -0000
@@ -1,7 +1,6 @@
 # $NetBSD: Makefile,v 1.34 2016/02/04 22:05:36 khorben Exp $
 
-DISTNAME=      salt-2015.8.3
-PKGREVISION=   1
+DISTNAME=      salt-2015.8.5
 CATEGORIES=    sysutils
 MASTER_SITES=  ${MASTER_SITE_PYPI:=s/salt/}
 
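Review bot: dropping PKGREVISION together with the DISTNAME bump is correct, since a new DISTNAME resets the pkgsrc revision to zero, but the diff touches only Makefile and distinfo, so before committing check that the jump from 2015.8.3 to 2015.8.5 (which also skips 2015.8.4) does not change the installed file list: run `make print-PLIST` against the current PLIST and regenerate it if anything differs. The `$NetBSD: Makefile,v 1.34 ...$` keyword line is expanded by CVS on commit and needs no manual edit.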
Index: distinfo
===================================================================
RCS file: /cvsroot/pkgsrc/sysutils/salt/distinfo,v
retrieving revision 1.17
diff -u -r1.17 distinfo
--- distinfo    4 Feb 2016 22:05:36 -0000       1.17
+++ distinfo    7 Feb 2016 21:56:34 -0000
@@ -1,7 +1,7 @@
 $NetBSD: distinfo,v 1.17 2016/02/04 22:05:36 khorben Exp $
 
-SHA1 (salt-2015.8.3.tar.gz) = 0457866d5619febc3cdf3b27b2e736b0c4ae3623
-RMD160 (salt-2015.8.3.tar.gz) = 607db5d35545cfb6c4e8676482133a1560f3e896
-SHA512 (salt-2015.8.3.tar.gz) = 18a2c63d5e54d09468189450557974e47f87d8b7dde52beaae678120da1da1e7aecfff18cf0fdfb63a11cd5f6bab102c229462f0afe5e3e858c0c467761c7121
-Size (salt-2015.8.3.tar.gz) = 6757678 bytes
+SHA1 (salt-2015.8.5.tar.gz) = f9d2b2dbb0fefc8d9b0b5a762f61f0f1d8998c47
+RMD160 (salt-2015.8.5.tar.gz) = 8b17e20f53ff201f135f0bfefeca937828289a01
+SHA512 (salt-2015.8.5.tar.gz) = 715709798fd1f4410ef204545a84e34d3ecc0f080905b7ae29ce19d273c1ed6865f56e025e59d2506301970ad05081ff119caec0ced03dcbe5803f9f00eb64f8
+Size (salt-2015.8.5.tar.gz) = 6877624 bytes
 SHA1 (patch-salt_modules_status.py) = 5253782b046c2f7b809682f52ce4d04dab1c81ac
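Review bot: the checksum for patch-salt_modules_status.py is left unchanged, so the committer should confirm that patch still applies cleanly to the 2015.8.5 tree (`make patch`) rather than assuming the 2015.8.3 offsets still hold; and the three new distfile digests plus the Size line should be regenerated locally with `make distinfo` (which fetches the tarball and recomputes SHA1, RMD160 and SHA512) and compared against the digest PyPI publishes for salt-2015.8.5.tar.gz, not copied from the PR, since whoever commits these values is the one vouching for the distfile's integrity to every pkgsrc user.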

