Created attachment 188217
Patch to update sysutils/py-salt to 2017.7.2

sysutils/py-salt: Update to 2017.7.2

Changes this release:
https://docs.saltstack.com/en/latest/topics/releases/2017.7.2.html

This update includes 2 security fixes:

CVE-2017-14695
Directory traversal vulnerability in minion id validation in SaltStack. Allows remote minions with incorrect credentials to authenticate to a master via a crafted minion ID.
Credit for discovering the security flaw goes to: Julian Brost (julian@0x4a42.net)

CVE-2017-14696
Remote Denial of Service with a specially crafted authentication request.
Credit for discovering the security flaw goes to: Julian Brost (julian@0x4a42.net)

Comment on attachment 188217
Patch to update sysutils/py-salt to 2017.7.2

Seeking maintainer approval to apply this update.

Note that this patch also adds two new dependencies to resolve PR222943. It needs to be determined if these should be optional, with a new BOTO option, and if so whether it should be on by default.
Patch looks good. @woodsb02 - Thank you for getting to this. I've been too busy at $work the past few months but I'm hoping to have some time soon.
A commit references this bug:

Author: woodsb02
Date: Sat Nov 25 01:07:11 UTC 2017
New revision: 454859
URL: https://svnweb.freebsd.org/changeset/ports/454859

Log:
  sysutils/py-salt: Update to 2017.7.2

  Changes this release:
  https://docs.saltstack.com/en/latest/topics/releases/2017.7.2.html

  This update also includes
  - 2 security fixes (CVE-2017-14695 and CVE-2017-14696)
  - 2 additional boto dependencies to fix error msgs produced by salt

  PR: 223821
  PR: 222943
  Submitted by: netzmacher <admin@netzmacher.net> (PR 222943)
  Approved by: Christer Edwards (maintainer)
  MFH: 2017Q4
  Security: https://vuxml.freebsd.org/freebsd/50127e44-7b88-4ade-8e12-5d57320823f1.html

Changes:
  head/sysutils/py-salt/Makefile
  head/sysutils/py-salt/distinfo

A commit references this bug:

Author: woodsb02
Date: Sat Nov 25 04:07:02 UTC 2017
New revision: 454871
URL: https://svnweb.freebsd.org/changeset/ports/454871

Log:
  MFH: r454859

  sysutils/py-salt: Update to 2017.7.2

  Changes this release:
  https://docs.saltstack.com/en/latest/topics/releases/2017.7.2.html

  This update also includes
  - 2 security fixes (CVE-2017-14695 and CVE-2017-14696)
  - 2 additional boto dependencies to fix error msgs produced by salt

  PR: 223821
  PR: 222943
  Submitted by: netzmacher <admin@netzmacher.net> (PR 222943)
  Approved by: Christer Edwards (maintainer)
  Security: https://vuxml.freebsd.org/freebsd/50127e44-7b88-4ade-8e12-5d57320823f1.html
  Approved by: ports-secteam (delphij)

Changes:
  _U branches/2017Q4/
  branches/2017Q4/sysutils/py-salt/Makefile
  branches/2017Q4/sysutils/py-salt/distinfo

Committed - thanks!