Bug 232663 - sysutils/py-salt: update to 2018.3.3 (CVE-2018-15751, CVE-2018-15750)
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Version: Latest
Hardware: Any Any
Importance: --- Affects Many People
Assignee: Ben Woods
Reported: 2018-10-24 22:18 UTC by Christer Edwards
Modified: 2018-10-28 14:12 UTC
woodsb02: merge-quarterly+


Attachments
patch (968 bytes, patch)
2018-10-24 22:18 UTC, Christer Edwards
woodsb02: maintainer-approval+

Description Christer Edwards 2018-10-24 22:18:28 UTC
Created attachment 198605
patch

We are pleased to announce the 2018.3.3 release of Salt!

Release notes can be found here:
https://docs.saltstack.com/en/latest/topics/releases/2018.3.3.html

Sources are available on PyPI:
https://pypi.python.org/pypi/salt/2018.3.3

2018.3.3 is a security release. The following CVEs were fixed as part of this release:

CVE-2018-15751 Remote command execution and incorrect access control when using salt-api.

CVE-2018-15750 Directory traversal vulnerability when using salt-api. Allows an attacker to determine what files exist on a server when querying /run or /events.
Comment 1 commit-hook freebsd_committer freebsd_triage 2018-10-27 08:06:17 UTC
A commit references this bug:

Author: woodsb02
Date: Sat Oct 27 08:06:03 UTC 2018
New revision: 483113
URL: https://svnweb.freebsd.org/changeset/ports/483113

Log:
  Add entry for sysutils/py-salt

  PR:		232663
  Reported by:	Christer Edwards <christer.edwards@gmail.com>
  Security:	https://www.vuxml.org/freebsd/4f7c6af3-6a2c-4ead-8453-04e509688d45.html

Changes:
  head/security/vuxml/vuln.xml
Comment 2 commit-hook freebsd_committer freebsd_triage 2018-10-27 08:08:21 UTC
A commit references this bug:

Author: woodsb02
Date: Sat Oct 27 08:07:37 UTC 2018
New revision: 483114
URL: https://svnweb.freebsd.org/changeset/ports/483114

Log:
  sysutils/py-salt: Update to 2018.3.3

  This is a security release, addressing the following CVEs:
  - CVE-2018-15751 - Remote command execution and incorrect access control
                     when using salt-api.
  - CVE-2018-15750 - Directory traversal vulnerability using salt-api.
                     Allows an attacker to determine what files exist on
                     a server when querying /run or /events.

  Other changes this release:
    https://docs.saltstack.com/en/latest/topics/releases/2018.3.3.html

  PR:		232663
  Submitted by:	Christer Edwards <christer.edwards@gmail.com>
  Approved by:	Christer Edwards (maintainer)
  MFH:		2018Q4
  Security:	https://www.vuxml.org/freebsd/4f7c6af3-6a2c-4ead-8453-04e509688d45.html

Changes:
  head/sysutils/py-salt/Makefile
  head/sysutils/py-salt/distinfo
Comment 3 Ben Woods freebsd_committer freebsd_triage 2018-10-27 08:09:55 UTC
Committed - thanks!
Awaiting approval to merge to ports quarterly branch 2018Q4.
Comment 4 commit-hook freebsd_committer freebsd_triage 2018-10-28 14:11:49 UTC
A commit references this bug:

Author: woodsb02
Date: Sun Oct 28 14:11:23 UTC 2018
New revision: 483295
URL: https://svnweb.freebsd.org/changeset/ports/483295

Log:
  MFH: r483114

  sysutils/py-salt: Update to 2018.3.3

  This is a security release, addressing the following CVEs:
  - CVE-2018-15751 - Remote command execution and incorrect access control
                     when using salt-api.
  - CVE-2018-15750 - Directory traversal vulnerability using salt-api.
                     Allows an attacker to determine what files exist on
                     a server when querying /run or /events.

  Other changes this release:
    https://docs.saltstack.com/en/latest/topics/releases/2018.3.3.html

  PR:		232663
  Submitted by:	Christer Edwards <christer.edwards@gmail.com>
  Approved by:	Christer Edwards (maintainer)
  Security:	https://www.vuxml.org/freebsd/4f7c6af3-6a2c-4ead-8453-04e509688d45.html

  Approved by:	ports-secteam (riggs)

Changes:
_U  branches/2018Q4/
  branches/2018Q4/sysutils/py-salt/Makefile
  branches/2018Q4/sysutils/py-salt/distinfo
Comment 5 Ben Woods freebsd_committer freebsd_triage 2018-10-28 14:12:01 UTC
Merged to 2018Q4.