Bug 246061

Summary: sysutils/py-salt: Update to 2019.2.4 (CVE fix)
Product: Ports & Packages
Reporter: Christer Edwards <christer.edwards>
Component: Individual Port(s)
Assignee: Kurt Jaeger <pi>
Status: Closed FIXED
Severity: Affects Many People
CC: danmcgrath.ca, pi, ports-secteam, woodsb02
Priority: Normal
Keywords: security
Version: Latest
Flags: woodsb02: merge-quarterly+
Hardware: Any
OS: Any
URL: https://docs.saltstack.com/en/latest/topics/releases/2019.2.4.html
Attachments:
  Description: patch
  Flags: christer.edwards: maintainer-approval+

Description Christer Edwards 2020-04-30 14:58:16 UTC
Created attachment 213957: patch

This patch updates sysutils/py-salt to 2019.2.4, which was released to address two CVEs found in the Salt Master.

https://docs.saltstack.com/en/latest/topics/releases/2019.2.4.html

Comment 1 Kurt Jaeger freebsd_committer 2020-05-01 10:13:26 UTC
Can you provide a vuxml entry?

Comment 2 Kurt Jaeger freebsd_committer 2020-05-01 10:17:52 UTC
testbuilds@work

Comment 3 commit-hook freebsd_committer 2020-05-01 10:28:59 UTC
A commit references this bug:

Author: pi
Date: Fri May  1 10:28:21 UTC 2020
New revision: 533533
URL: https://svnweb.freebsd.org/changeset/ports/533533

Log:
  sysutils/py-salt: update 2019.2.3 -> 2019.2.4

  - fix two CVE found in the Salt Master

  PR:		246061
  Submitted by:	Christer Edwards <christer.edwards@gmail.com> (maintainer)
  Relnotes:	https://docs.saltstack.com/en/latest/topics/releases/2019.2.4.html

Changes:
  head/sysutils/py-salt/Makefile
  head/sysutils/py-salt/distinfo

Comment 4 Kurt Jaeger freebsd_committer 2020-05-01 10:30:21 UTC
Committed, thanks. TODO: vuxml entry

Comment 5 commit-hook freebsd_committer 2020-05-03 06:20:45 UTC
A commit references this bug:

Author: pi
Date: Sun May  3 06:20:13 UTC 2020
New revision: 533746
URL: https://svnweb.freebsd.org/changeset/ports/533746

Log:
  MFH: r533533

  sysutils/py-salt: update 2019.2.3 -> 2019.2.4

  - fix two CVE found in the Salt Master

  PR:		246061
  Submitted by:	Christer Edwards <christer.edwards@gmail.com> (maintainer)
  Relnotes:	https://docs.saltstack.com/en/latest/topics/releases/2019.2.4.html
  Approved by:	portmgr (security blanket)

Changes:
_U  branches/2020Q2/
  branches/2020Q2/sysutils/py-salt/Makefile
  branches/2020Q2/sysutils/py-salt/distinfo

Comment 6 Danny McGrath 2020-05-05 10:25:56 UTC
Hi,

I was just noticing that while I was able to update my poudriere-backed minions just fine already, the master that pulls from the 12.x quarterly branch still hasn't received this update.

Any ETA on this? And more importantly, is it ok to turn a vulnerable master back on if the minions are patched?

Comment 7 Kurt Jaeger freebsd_committer 2020-05-05 10:54:48 UTC
I don't know how often the quarterly branch is built. It will probably happen soon.

Comment 8 commit-hook freebsd_committer 2020-05-16 06:46:05 UTC
A commit references this bug:

Author: woodsb02
Date: Sat May 16 06:45:09 UTC 2020
New revision: 535356
URL: https://svnweb.freebsd.org/changeset/ports/535356

Log:
  Add new sysutils/py-salt vulnerabilities

  PR:		246061
  Reported by:	Christer Edwards <christer.edwards@gmail.com>
  Security:	CVE-2020-11651
  Security:	CVE-2020-11652

Changes:
  head/security/vuxml/vuln.xml

Comment 9 Ben Woods freebsd_committer 2020-05-16 06:47:30 UTC
VuXML entry committed - thanks Christer and Kurt!