Bug 232663

Summary: sysutils/py-salt: update to 2018.3.3 (CVE-2018-15751, CVE-2018-15750)
Product: Ports & Packages
Component: Individual Port(s)
Status: Closed FIXED
Severity: Affects Many People
Priority: ---
Version: Latest
Hardware: Any
OS: Any
Reporter: Christer Edwards <christer.edwards>
Assignee: Ben Woods <woodsb02>
CC: bdrewery, woodsb02
Flags: woodsb02: merge-quarterly+
Attachments:
  patch (Flags: woodsb02: maintainer-approval+)

Description Christer Edwards 2018-10-24 22:18:28 UTC
Created attachment 198605
patch

We are pleased to announce the 2018.3.3 release of Salt!

Release notes can be found here:
https://docs.saltstack.com/en/latest/topics/releases/2018.3.3.html

Sources are available on PyPI:
https://pypi.python.org/pypi/salt/2018.3.3

2018.3.3 is a security release. The following CVEs were fixed as part of this release:

CVE-2018-15751 Remote command execution and incorrect access control when using salt-api.

CVE-2018-15750 Directory traversal vulnerability when using salt-api. Allows an attacker to determine what files exist on a server when querying /run or /events.

Comment 1 commit-hook freebsd_committer freebsd_triage 2018-10-27 08:06:17 UTC
A commit references this bug:

Author: woodsb02
Date: Sat Oct 27 08:06:03 UTC 2018
New revision: 483113
URL: https://svnweb.freebsd.org/changeset/ports/483113

Log:
  Add entry for sysutils/py-salt

  PR:		232663
  Reported by:	Christer Edwards <christer.edwards@gmail.com>
  Security:	https://www.vuxml.org/freebsd/4f7c6af3-6a2c-4ead-8453-04e509688d45.html

Changes:
  head/security/vuxml/vuln.xml

Comment 2 commit-hook freebsd_committer freebsd_triage 2018-10-27 08:08:21 UTC
A commit references this bug:

Author: woodsb02
Date: Sat Oct 27 08:07:37 UTC 2018
New revision: 483114
URL: https://svnweb.freebsd.org/changeset/ports/483114

Log:
  sysutils/py-salt: Update to 2018.3.3

  This is a security release, addressing the following CVEs:
  - CVE-2018-15751 - Remote command execution and incorrect access control
                     when using salt-api.
  - CVE-2018-15750 - Directory traversal vulnerability using salt-api.
                     Allows an attacker to determine what files exist on
                     a server when querying /run or /events.

  Other changes this release:
    https://docs.saltstack.com/en/latest/topics/releases/2018.3.3.html

  PR:		232663
  Submitted by:	Christer Edwards <christer.edwards@gmail.com>
  Approved by:	Christer Edwards (maintainer)
  MFH:		2018Q4
  Security:	https://www.vuxml.org/freebsd/4f7c6af3-6a2c-4ead-8453-04e509688d45.html

Changes:
  head/sysutils/py-salt/Makefile
  head/sysutils/py-salt/distinfo

Comment 3 Ben Woods freebsd_committer freebsd_triage 2018-10-27 08:09:55 UTC
Committed - thanks!
Awaiting approval to merge to ports quarterly branch 2018Q4.

Comment 4 commit-hook freebsd_committer freebsd_triage 2018-10-28 14:11:49 UTC
A commit references this bug:

Author: woodsb02
Date: Sun Oct 28 14:11:23 UTC 2018
New revision: 483295
URL: https://svnweb.freebsd.org/changeset/ports/483295

Log:
  MFH: r483114

  sysutils/py-salt: Update to 2018.3.3

  This is a security release, addressing the following CVEs:
  - CVE-2018-15751 - Remote command execution and incorrect access control
                     when using salt-api.
  - CVE-2018-15750 - Directory traversal vulnerability using salt-api.
                     Allows an attacker to determine what files exist on
                     a server when querying /run or /events.

  Other changes this release:
    https://docs.saltstack.com/en/latest/topics/releases/2018.3.3.html

  PR:		232663
  Submitted by:	Christer Edwards <christer.edwards@gmail.com>
  Approved by:	Christer Edwards (maintainer)
  Security:	https://www.vuxml.org/freebsd/4f7c6af3-6a2c-4ead-8453-04e509688d45.html

  Approved by:	ports-secteam (riggs)

Changes:
_U  branches/2018Q4/
  branches/2018Q4/sysutils/py-salt/Makefile
  branches/2018Q4/sysutils/py-salt/distinfo

Comment 5 Ben Woods freebsd_committer freebsd_triage 2018-10-28 14:12:01 UTC
Merged to 2018Q4.