|Summary:|sysutils/py-salt: Update to 2019.2.4 (CVE fix)|
|Product:|Ports & Packages|
|Reporter:|Christer Edwards <christer.edwards>|
|Component:|Individual Port(s)|
|Assignee:|Kurt Jaeger <pi>|
|Severity:|Affects Many People|
|CC:|danmcgrath.ca, pi, ports-secteam, woodsb02|
Description Christer Edwards 2020-04-30 14:58:16 UTC
Created attachment 213957: patch

This patch updates sysutils/py-salt to 2019.2.4, which was released to address two CVEs found in the Salt Master.

https://docs.saltstack.com/en/latest/topics/releases/2019.2.4.html
Comment 1 Kurt Jaeger 2020-05-01 10:13:26 UTC
Can you provide a vuxml entry?
Comment 2 Kurt Jaeger 2020-05-01 10:17:52 UTC
Comment 3 commit-hook 2020-05-01 10:28:59 UTC
A commit references this bug:

Author: pi
Date: Fri May 1 10:28:21 UTC 2020
New revision: 533533
URL: https://svnweb.freebsd.org/changeset/ports/533533

Log:
sysutils/py-salt: update 2019.2.3 -> 2019.2.4
- fix two CVE found in the Salt Master

PR: 246061
Submitted by: Christer Edwards <email@example.com> (maintainer)
Relnotes: https://docs.saltstack.com/en/latest/topics/releases/2019.2.4.html

Changes:
head/sysutils/py-salt/Makefile
head/sysutils/py-salt/distinfo
Comment 4 Kurt Jaeger 2020-05-01 10:30:21 UTC
Committed, thanks. TODO: vuxml entry
Comment 5 commit-hook 2020-05-03 06:20:45 UTC
A commit references this bug:

Author: pi
Date: Sun May 3 06:20:13 UTC 2020
New revision: 533746
URL: https://svnweb.freebsd.org/changeset/ports/533746

Log:
MFH: r533533
sysutils/py-salt: update 2019.2.3 -> 2019.2.4
- fix two CVE found in the Salt Master

PR: 246061
Submitted by: Christer Edwards <firstname.lastname@example.org> (maintainer)
Relnotes: https://docs.saltstack.com/en/latest/topics/releases/2019.2.4.html
Approved by: portmgr (security blanket)

Changes:
_U branches/2020Q2/
branches/2020Q2/sysutils/py-salt/Makefile
branches/2020Q2/sysutils/py-salt/distinfo
Comment 6 Danny McGrath 2020-05-05 10:25:56 UTC
Hi, I was just noticing that while I was able to update my poudriere-backed minions just fine already, the master that pulls from the 12.x quarterly branch still hasn't received this update. Any ETA on this? And more importantly, is it OK to turn a vulnerable master back on if the minions are patched?
Comment 7 Kurt Jaeger 2020-05-05 10:54:48 UTC
I don't know how often the quarterly branch is built. It will probably happen soon.
Comment 8 commit-hook 2020-05-16 06:46:05 UTC
A commit references this bug:

Author: woodsb02
Date: Sat May 16 06:45:09 UTC 2020
New revision: 535356
URL: https://svnweb.freebsd.org/changeset/ports/535356

Log:
Add new sysutils/py-salt vulnerabilities

PR: 246061
Reported by: Christer Edwards <email@example.com>
Security: CVE-2020-11651
Security: CVE-2020-11652

Changes:
head/security/vuxml/vuln.xml
Comment 9 Ben Woods 2020-05-16 06:47:30 UTC
VuXML entry committed - thanks Christer and Kurt!