Bug 243908 - sysutils/py-salt: Update to 2019.2.3
Summary: sysutils/py-salt: Update to 2019.2.3
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Version: Latest
Hardware: Any Any
Importance: --- Affects Only Me
Assignee: Ben Woods
Keywords: buildisok
Reported: 2020-02-05 17:21 UTC by Christer Edwards
Modified: 2020-03-07 00:44 UTC

Attachments
patch (964 bytes, patch)
2020-02-05 17:21 UTC, Christer Edwards
poudriere testport (amd64) (656.92 KB, text/plain)
2020-02-05 17:21 UTC, Christer Edwards
poudriere testport output (124.65 KB, text/plain)
2020-03-04 15:33 UTC, Alan Somers

Description Christer Edwards 2020-02-05 17:21:27 UTC
Created attachment 211383 [details]
patch

This patch updates sysutils/py-salt to 2019.2.3.

Version 2019.2.3 is a CVE-fix release for 2019.2.0.

CVE-2019-17361

With the Salt NetAPI enabled in addition to having a SSH roster defined, unauthenticated access is possible when specifying the client as SSH. Additionally, when the raw_shell option is specified any arbitrary command may be run on the Salt master when specifying SSH options.
Comment 1 Christer Edwards 2020-02-05 17:21:46 UTC
Created attachment 211384 [details]
poudriere testport (amd64)
Comment 2 Automation User 2020-02-05 20:42:27 UTC
Build info is available at https://gitlab.com/swills/freebsd-ports/pipelines/115294584
Comment 3 ari 2020-02-20 07:44:03 UTC
Please please don't just update salt to 3000. It's one of the most buggy pieces of software we use and they break huge things every major release. Especially on FreeBSD where they do no testing.

Can we split the port into py-salt2019-2 and py-salt3000 or whatever the best naming convention is?

EOL for 2019.2 security patches is not until Sept-2021. https://www.saltstack.com/product-support-lifecycle/
Comment 4 Alan Somers freebsd_committer 2020-03-03 16:47:48 UTC
Christopher, it sounds like an update to security/vuxml would be in order.
Comment 5 Alan Somers freebsd_committer 2020-03-04 15:33:12 UTC
Created attachment 212146 [details]
poudriere testport output

Christer, I get build errors when I attempt to build with all options turned on.  See the attached log.
Comment 6 commit-hook freebsd_committer 2020-03-07 00:41:54 UTC
A commit references this bug:

Author: woodsb02
Date: Sat Mar  7 00:41:13 UTC 2020
New revision: 527909
URL: https://svnweb.freebsd.org/changeset/ports/527909

Log:
  Document vulnerability in sysutils/py-salt

  PR:		243908
  Reported by:	Christer Edwards <christer.edwards@gmail.com>
  Security:	CVE-2019-17361

Changes:
  head/security/vuxml/vuln.xml
Comment 7 commit-hook freebsd_committer 2020-03-07 00:43:58 UTC
A commit references this bug:

Author: woodsb02
Date: Sat Mar  7 00:43:30 UTC 2020
New revision: 527910
URL: https://svnweb.freebsd.org/changeset/ports/527910

Log:
  sysutils/py-salt: Update to 2019.2.3

  Changes this release:
    https://docs.saltstack.com/en/latest/topics/releases/2019.2.3.html

  PR:		243908
  Submitted by:	Christer Edwards <christer.edwards@gmail.com> (maintainer)
  Approved by:	Christer Edwards <christer.edwards@gmail.com> (maintainer)
  Security:	CVE-2019-17361

Changes:
  head/sysutils/py-salt/Makefile
  head/sysutils/py-salt/distinfo
Comment 8 Ben Woods freebsd_committer 2020-03-07 00:44:14 UTC
Committed - thanks!