Created attachment 211383 [details] patch This patch updates sysutils/py-salt to 2019.2.3. Version 2019.2.3 is a CVE-fix release for 2019.2.0. CVE-2019-17361 With the Salt NetAPI enabled in addition to having a SSH roster defined, unauthenticated access is possible when specifying the client as SSH. Additionally, when the raw_shell option is specified any arbitrary command may be run on the Salt master when specifying SSH options.
Created attachment 211384 [details] poudriere testport (amd64)
Build info is available at https://gitlab.com/swills/freebsd-ports/pipelines/115294584
Please please don't just update salt to 3000. Its one of the most buggy pieces of software we use and they break huge things every major release. Especially on FreeBSD where they do no testing. Can we split the port into py-salt2019-2 and py-salt3000 or whatever the best naming convention is? EOL for 2019.2 security patches is not until Sept-2021. https://www.saltstack.com/product-support-lifecycle/
Christopher, it sounds like an update to security/vuxml would be in order.
Created attachment 212146 [details] poudriere testport output Christer, I get build errors when I attempt to build with all options turned on. See the attached log.
A commit references this bug: Author: woodsb02 Date: Sat Mar 7 00:41:13 UTC 2020 New revision: 527909 URL: https://svnweb.freebsd.org/changeset/ports/527909 Log: Document vulnerability in sysutils/py-salt PR: 243908 Reported by: Christer Edwards <christer.edwards@gmail.com> Security: CVE-2019-17361 Changes: head/security/vuxml/vuln.xml
A commit references this bug: Author: woodsb02 Date: Sat Mar 7 00:43:30 UTC 2020 New revision: 527910 URL: https://svnweb.freebsd.org/changeset/ports/527910 Log: sysutils/py-salt: Update to 2019.2.3 Changes this release: https://docs.saltstack.com/en/latest/topics/releases/2019.2.3.html PR: 243908 Submitted by: Christer Edwards <christer.edwards@gmail.com> (maintainer) Approved by: Christer Edwards <christer.edwards@gmail.com> (maintainer) Security: CVE-2019-17361 Changes: head/sysutils/py-salt/Makefile head/sysutils/py-salt/distinfo
Committed - thanks!