Bug 223821 - sysutils/py-salt: Update to 2017.7.2
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Version: Latest
Hardware: Any Any
Importance: --- Affects Only Me
Assignee: Ben Woods
Keywords: patch, patch-ready
Reported: 2017-11-23 14:41 UTC by Ben Woods
Modified: 2017-11-25 04:08 UTC

christer.edwards: maintainer-feedback+
woodsb02: merge-quarterly+


Attachments
Patch to update sysutils/py-salt to 2017.7.2 (1.34 KB, patch)
2017-11-23 14:41 UTC, Ben Woods
woodsb02: maintainer-approval+

Description Ben Woods freebsd_committer freebsd_triage 2017-11-23 14:41:00 UTC
Created attachment 188217
Patch to update sysutils/py-salt to 2017.7.2

sysutils/py-salt: Update to 2017.7.2

Changes this release:
  https://docs.saltstack.com/en/latest/topics/releases/2017.7.2.html

This update includes 2 security fixes:

CVE-2017-14695 Directory traversal vulnerability in minion id validation in SaltStack. Allows remote minions with incorrect credentials to authenticate to a master via a crafted minion ID. Credit for discovering the security flaw goes to: Julian Brost (julian@0x4a42.net)

CVE-2017-14696 Remote Denial of Service with a specially crafted authentication request. Credit for discovering the security flaw goes to: Julian Brost (julian@0x4a42.net)
Comment 1 Ben Woods freebsd_committer freebsd_triage 2017-11-23 14:42:03 UTC
Comment on attachment 188217
Patch to update sysutils/py-salt to 2017.7.2

Seeking maintainer approval to apply this update.
Comment 2 Ben Woods freebsd_committer freebsd_triage 2017-11-23 14:43:50 UTC
Note that this patch also adds two new dependencies to resolve PR222943.
It needs to be determined if these should be optional, with a new BOTO option, and if so whether it should be on by default.
Comment 3 Christer Edwards 2017-11-24 01:22:30 UTC
Patch looks good.

@woodsb02 - Thank you for getting to this. I've been too busy at $work the past few months but I'm hoping to have some time soon.
Comment 4 commit-hook freebsd_committer freebsd_triage 2017-11-25 01:07:42 UTC
A commit references this bug:

Author: woodsb02
Date: Sat Nov 25 01:07:11 UTC 2017
New revision: 454859
URL: https://svnweb.freebsd.org/changeset/ports/454859

Log:
  sysutils/py-salt: Update to 2017.7.2

  Changes this release:
    https://docs.saltstack.com/en/latest/topics/releases/2017.7.2.html

  This update also includes
  - 2 security fixes (CVE-2017-14695 and CVE-2017-14696)
  - 2 additional boto dependencies to fix error msgs produced by salt

  PR:		223821
  PR:		222943
  Submitted by:	netzmacher <admin@netzmacher.net> (PR 222943)
  Approved by:	Christer Edwards (maintainer)
  MFH:		2017Q4
  Security:	https://vuxml.freebsd.org/freebsd/50127e44-7b88-4ade-8e12-5d57320823f1.html

Changes:
  head/sysutils/py-salt/Makefile
  head/sysutils/py-salt/distinfo
Comment 5 commit-hook freebsd_committer freebsd_triage 2017-11-25 04:07:23 UTC
A commit references this bug:

Author: woodsb02
Date: Sat Nov 25 04:07:02 UTC 2017
New revision: 454871
URL: https://svnweb.freebsd.org/changeset/ports/454871

Log:
  MFH: r454859

  sysutils/py-salt: Update to 2017.7.2

  Changes this release:
    https://docs.saltstack.com/en/latest/topics/releases/2017.7.2.html

  This update also includes
  - 2 security fixes (CVE-2017-14695 and CVE-2017-14696)
  - 2 additional boto dependencies to fix error msgs produced by salt

  PR:		223821
  PR:		222943
  Submitted by:	netzmacher <admin@netzmacher.net> (PR 222943)
  Approved by:	Christer Edwards (maintainer)
  Security:	https://vuxml.freebsd.org/freebsd/50127e44-7b88-4ade-8e12-5d57320823f1.html

  Approved by:	ports-secteam (delphij)

Changes:
_U  branches/2017Q4/
  branches/2017Q4/sysutils/py-salt/Makefile
  branches/2017Q4/sysutils/py-salt/distinfo
Comment 6 Ben Woods freebsd_committer freebsd_triage 2017-11-25 04:08:11 UTC
Committed - thanks!