Created attachment 198605 [details] patch We are pleased to announce the 2018.3.3 release of Salt! Release notes can be found here: https://docs.saltstack.com/en/latest/topics/releases/2018.3.3.html Sources are available on PyPI: https://pypi.python.org/pypi/salt/2018.3.3 2018.3.3 is a security release. The following CVE's were fixed as part of this release: CVE-2018-15751 Remote command execution and incorrect access control when using salt-api. CVE-2018-15750 Directory traversal vulnerability when using salt-api. Allows an attacker to determine what files exist on a server when querying /run or /events.
A commit references this bug: Author: woodsb02 Date: Sat Oct 27 08:06:03 UTC 2018 New revision: 483113 URL: https://svnweb.freebsd.org/changeset/ports/483113 Log: Add entry for sysutils/py-salt PR: 232663 Reported by: Christer Edwards <christer.edwards@gmail.com> Security: https://www.vuxml.org/freebsd/4f7c6af3-6a2c-4ead-8453-04e509688d45.html Changes: head/security/vuxml/vuln.xml
A commit references this bug: Author: woodsb02 Date: Sat Oct 27 08:07:37 UTC 2018 New revision: 483114 URL: https://svnweb.freebsd.org/changeset/ports/483114 Log: sysutils/py-salt: Update to 2018.3.3 This is a security release, addressing the following CVE's: - CVE-2018-15751 - Remote command execution and incorrect access control when using salt-api. - CVE-2018-15750 - Directory traversal vulnerability using salt-api. Allows an attacker to determine what files exist on a server when querying /run or /events. Other changes this release: https://docs.saltstack.com/en/latest/topics/releases/2018.3.3.html PR: 232663 Submitted by: Christer Edwards <christer.edwards@gmail.com> Approved by: Christer Edwards (maintainer) MFH: 2018Q4 Security: https://www.vuxml.org/freebsd/4f7c6af3-6a2c-4ead-8453-04e509688d45.html Changes: head/sysutils/py-salt/Makefile head/sysutils/py-salt/distinfo
Committed - thanks! Awaiting approval to merge to ports quarterly branch 2018Q4.
A commit references this bug: Author: woodsb02 Date: Sun Oct 28 14:11:23 UTC 2018 New revision: 483295 URL: https://svnweb.freebsd.org/changeset/ports/483295 Log: MFH: r483114 sysutils/py-salt: Update to 2018.3.3 This is a security release, addressing the following CVE's: - CVE-2018-15751 - Remote command execution and incorrect access control when using salt-api. - CVE-2018-15750 - Directory traversal vulnerability using salt-api. Allows an attacker to determine what files exist on a server when querying /run or /events. Other changes this release: https://docs.saltstack.com/en/latest/topics/releases/2018.3.3.html PR: 232663 Submitted by: Christer Edwards <christer.edwards@gmail.com> Approved by: Christer Edwards (maintainer) Security: https://www.vuxml.org/freebsd/4f7c6af3-6a2c-4ead-8453-04e509688d45.html Approved by: ports-secteam (riggs) Changes: _U branches/2018Q4/ branches/2018Q4/sysutils/py-salt/Makefile branches/2018Q4/sysutils/py-salt/distinfo
Merged to 2018Q4.