http://www.openwall.com/lists/oss-security/2015/05/02/1 Bug/200044 will bring in a new version to resolve the issue, just needs a vuxml entry
This issue has been addressed upstream and the fix is included in the 2015.5.0 release which is pending commit now. See: https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=200044
(In reply to christer.edwards from comment #1) Correct, vuxml still needs an entry so users of previous versions are informed of the vulnerability. Which is what this bug report is more about.
Patch required for VuXML entry See instructions in security/vuxml/vuxml.xml and the porters handbook: http://www2.au.freebsd.org/doc/en_US.ISO8859-1/books/porters-handbook/book.html#security-notify
Created attachment 156815 [details] Patch for security/vuxml update for Salt 2015.5.0 TESTING: # # After patching # root@xts-bsd:/usr/ports/security/vuxml # make validate [55/1947] /bin/sh /usr/ports/security/vuxml/files/tidy.sh "/usr/ports/security/vuxml/files/tidy.xsl" "/usr/ports/security/vuxml/vuln.xml" > "/us r/ports/security/vuxml/vuln.xml.tidy" >>> Validating... /usr/local/bin/xmllint --valid --noout /usr/ports/security/vuxml/vuln.xml >>> Successful. Checking if tidy differs... ... seems okay Checking for space/tab... ... seems okay /usr/local/bin/python2.7 /usr/ports/security/vuxml/files/extra-validation.py # # After copy to /var/db/pkg/vuxml.xml on vulnerable saltmaster # root@saltmaster:~ # pkg audit py27-salt-2014.7.5 is vulnerable: py-salt -- potential shell injection vulnerabilities WWW: http://vuxml.FreeBSD.org/freebsd/865863af-fb5e-11e4-8fda-002590263bf5.html 1 problem(s) in the installed packages found.
Christer, security/vuxml update was based on the official documentation in the release notes. The security issue was also mentioned in the salt-announce list. https://groups.google.com/forum/#!topic/salt-announce/kLJs2gmcHKs Neither reference the issue discussed in http://www.openwall.com/lists/oss-security/2015/05/02/1. I'm not sure about that issue so the update only covers announced issues. With your approval this should be good to go in with the update to Salt 2015.5.0. Jason
Sounds good
Kubilay, next time you grab any diff to a python port (including vulnerabilities like these) off freebsd-ports-bugs, please make sure to assign it to python@ or yourself. I'm mildly frustrated that we're taking thirteen days to address a potential security issue in what is a widely used infrastructure port, not due to lack of patches but just lack of attention. freebsd-ports-bugs
A commit references this bug: Author: xmj Date: Sun May 24 03:43:25 UTC 2015 New revision: 387242 URL: https://svnweb.freebsd.org/changeset/ports/387242 Log: document possible vulnerabilities in sysutils/py-salt PR: 200172 Submitted by: Sevan Janiyan <venture37@geeklan.co.uk> Changes: head/security/vuxml/vuln.xml
Modifying freebsd-ports-bugs, without changing the owner of a PR, is akin to throwing changes into a black hole, for all I care. Anyway, enough ranting. Thanks Jason for submitting things. Let's make sure we'll do it better next time.
This issues history doesn't show me modifying assignee's, only triaging it as security related and requiring a patch. If I'm mistaken, let's figure out what happened and how it can be done better in future offline (IRC) Also regarding the commit log (and for reference here), the patch was: Submitted by: Jason Unovitch <jason dot unovitch gmail com> Reported by: Sevan Janiyan <venture37 geeklan co uk>
Comment on attachment 156815 [details] Patch for security/vuxml update for Salt 2015.5.0 Maintainer approved in comment 6 (also missing in commit log)