FreeBSD Bugzilla – Attachment 156815 Details for
Bug 200172
sysutils/py-salt: Multiple security vulnerabilities
Home
|
New
|
Browse
|
Search
|
[?]
|
Reports
|
Help
|
New Account
|
Log In
Remember
[x]
|
Forgot Password
Login:
[x]
[patch]
Patch for security/vuxml update for Salt 2015.5.0
PR200172_salt-vuxml.patch (text/plain), 2.31 KB, created by
Jason Unovitch
on 2015-05-16 00:20:24 UTC
(
hide
)
Description:
Patch for security/vuxml update for Salt 2015.5.0
Filename:
MIME Type:
Creator:
Jason Unovitch
Created:
2015-05-16 00:20:24 UTC
Size:
2.31 KB
patch
obsolete
>Index: security/vuxml/vuln.xml >=================================================================== >--- security/vuxml/vuln.xml (revision 386492) >+++ security/vuxml/vuln.xml (working copy) >@@ -57,6 +57,48 @@ > > --> > <vuxml xmlns="http://www.vuxml.org/apps/vuxml-1"> >+ <vuln vid="865863af-fb5e-11e4-8fda-002590263bf5"> >+ <topic>py-salt -- potential shell injection vulnerabilities</topic> >+ <affects> >+ <package> >+ <name>py27-salt</name> >+ <range><lt>2015.5.0</lt></range> >+ </package> >+ </affects> >+ <description> >+ <body xmlns="http://www.w3.org/1999/xhtml"> >+ <p>Colton Myers reports:</p> >+ <blockquote cite="http://docs.saltstack.com/en/latest/topics/releases/2015.5.0.html"> >+ <p>In order to fix potential shell injection vulnerabilities in salt >+ modules, a change has been made to the various cmd module functions. >+ These functions now default to python_shell=False, which means that >+ the commands will not be sent to an actual shell.</p> >+ <p>The largest side effect of this change is that "shellisms", such as >+ pipes, will not work by default. The modules shipped with salt have >+ been audited to fix any issues that might have arisen from this >+ change. Additionally, the cmd state module has been unaffected, and >+ use of cmd.run in jinja is also unaffected. cmd.run calls on the >+ CLI will also allow shellisms.</p> >+ <p>However, custom execution modules which use shellisms in cmd calls >+ will break, unless you pass python_shell=True to these calls.</p> >+ <p>As a temporary workaround, you can set cmd_safe: False in your >+ minion and master configs. This will revert the default, but is >+ also less secure, as it will allow shell injection vulnerabilities >+ to be written in custom code. We recommend you only set this >+ setting for as long as it takes to resolve these issues in your >+ custom code, then remove the override.</p> >+ </blockquote> >+ </body> >+ </description> >+ <references> >+ <url>http://docs.saltstack.com/en/latest/topics/releases/2015.5.0.html</url> >+ </references> >+ <dates> >+ <discovery>2015-05-11</discovery> >+ <entry>2015-05-16</entry> >+ </dates> >+ </vuln> >+ > <vuln vid="c368155a-fa83-11e4-bc58-001e67150279"> > <topic>rubygem-redcarpet -- XSS vulnerability</topic> > <affects>
<b>You cannot view the attachment while viewing its details because your browser does not support IFRAMEs. <a href="attachment.cgi?id=156815">View the attachment on a separate page</a>.</b>
View Attachment As Diff
View Attachment As Raw
Flags:
koobs
:
maintainer-approval+
Actions:
View
|
Diff
Attachments on
bug 200172
: 156815