Created attachment 213957: patch
This patch updates sysutils/py-salt to 2019.2.4, which was released to address two CVEs found in the Salt Master. https://docs.saltstack.com/en/latest/topics/releases/2019.2.4.html
Can you provide a vuxml entry?
testbuilds@work
A commit references this bug:
Author: pi
Date: Fri May 1 10:28:21 UTC 2020
New revision: 533533
URL: https://svnweb.freebsd.org/changeset/ports/533533
Log:
  sysutils/py-salt: update 2019.2.3 -> 2019.2.4
  - fix two CVE found in the Salt Master
  PR: 246061
  Submitted by: Christer Edwards <christer.edwards@gmail.com> (maintainer)
  Relnotes: https://docs.saltstack.com/en/latest/topics/releases/2019.2.4.html
Changes:
  head/sysutils/py-salt/Makefile
  head/sysutils/py-salt/distinfo
Committed, thanks. TODO: vuxml entry
A commit references this bug:
Author: pi
Date: Sun May 3 06:20:13 UTC 2020
New revision: 533746
URL: https://svnweb.freebsd.org/changeset/ports/533746
Log:
  MFH: r533533
  sysutils/py-salt: update 2019.2.3 -> 2019.2.4
  - fix two CVE found in the Salt Master
  PR: 246061
  Submitted by: Christer Edwards <christer.edwards@gmail.com> (maintainer)
  Relnotes: https://docs.saltstack.com/en/latest/topics/releases/2019.2.4.html
  Approved by: portmgr (security blanket)
Changes:
  _U branches/2020Q2/
  branches/2020Q2/sysutils/py-salt/Makefile
  branches/2020Q2/sysutils/py-salt/distinfo
Hi, I was just noticing that while I was able to update my poudriere-backed minions just fine already, the master that pulls from the 12.x quarterly branch still hasn't received this update. Any ETA on this? And more importantly, is it OK to turn a vulnerable master back on if the minions are patched?
I don't know how often the quarterly branch is built. It will probably happen soon.
A commit references this bug:
Author: woodsb02
Date: Sat May 16 06:45:09 UTC 2020
New revision: 535356
URL: https://svnweb.freebsd.org/changeset/ports/535356
Log:
  Add new sysutils/py-salt vulnerabilities
  PR: 246061
  Reported by: Christer Edwards <christer.edwards@gmail.com>
  Security: CVE-2020-11651
  Security: CVE-2020-11652
Changes:
  head/security/vuxml/vuln.xml
VuXML entry committed - thanks Christer and Kurt!