colin/nixpkgs
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

salt: 2016.3.3 -> 2016.11.2 for multiple CVEs

Browse Source 
From the Arch Linux advisory:

- CVE-2017-5192 (arbitrary code execution): The
  `LocalClient.cmd_batch()` method client does not accept
  `external_auth` credentials and so access to it from salt-api has
  been removed for now. This vulnerability allows code execution for
  already- authenticated users and is only in effect when running
  salt-api as the `root` user.

- CVE-2017-5200 (arbitrary command execution): Salt-api allows
  arbitrary command execution on a salt-master via Salt's ssh_client.
  Users of Salt-API and salt-ssh could execute a command on the salt
  master via a hole when both systems were enabled.
This commit is contained in:
Graham Christensen 2017-02-08 21:24:10 -05:00
parent e01278b2de
commit 379144f54b
No known key found for this signature in database
GPG Key ID: 06121D366FE9435C
1 changed files with 2 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
pkgs/tools/admin/salt/default.nix
View File

@ -8,11 +8,11 @@
python2Packages.buildPythonApplication rec {
name = "salt-${version}";
version = "2016.3.3";
version = "2016.11.2";
src = fetchurl {
url = "mirror://pypi/s/salt/${name}.tar.gz";
sha256 = "1djjglnh6203y8dirziz5w6zh2lgszxp8ivi86nb7fgijj2h61jr";
sha256 = "0hrss5x47cr7ffyjl8jlkhf9j88lqvg7c33rjc5bimck8b7x7hzm";
};
propagatedBuildInputs = with python2Packages; [