Security Update for salt

2017-07-0507:51:05

lists.debian.org

CVSS2

2.1

Attack Vector

LOCAL

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:L/AC:L/Au:N/C:P/I:N/A:N

CVSS3

7.8

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS

Percentile

5.1%

JSON

Al Nikolov uploaded new package for salt which fixed the
following security problem:

CVE-2017-8109
The salt-ssh minion code in SaltStack Salt 2016.11 before 2016.11.4
copied over configuration from the Salt Master without adjusting
permissions, which might leak credentials to local attackers on
configured minions (clients).

For the jessie-backports distribution the problems have been fixed in
version 2016.11.2+ds-1~bpo8+2.

OSVersionArchitecturePackageVersionFilename
Debian9allsalt-cloud< 2016.11.2+ds-1+deb9u2salt-cloud_2016.11.2+ds-1+deb9u2_all.deb
Debian9allsalt-common< 2016.11.2+ds-1+deb9u2salt-common_2016.11.2+ds-1+deb9u2_all.deb
Debian9allsalt-proxy< 2016.11.2+ds-1+deb9u2salt-proxy_2016.11.2+ds-1+deb9u2_all.deb
Debian9allsalt-api< 2016.11.2+ds-1+deb9u2salt-api_2016.11.2+ds-1+deb9u2_all.deb
Debian9allsalt-ssh< 2016.11.2+ds-1+deb9u2salt-ssh_2016.11.2+ds-1+deb9u2_all.deb
Debian9allsalt-doc< 2016.11.2+ds-1+deb9u2salt-doc_2016.11.2+ds-1+deb9u2_all.deb
Debian9allsalt< 2016.11.2+ds-1+deb9u2salt_2016.11.2+ds-1+deb9u2_all.deb
Debian9allsalt-master< 2016.11.2+ds-1+deb9u2salt-master_2016.11.2+ds-1+deb9u2_all.deb
Debian9allsalt-minion< 2016.11.2+ds-1+deb9u2salt-minion_2016.11.2+ds-1+deb9u2_all.deb
Debian9allsalt-syndic< 2016.11.2+ds-1+deb9u2salt-syndic_2016.11.2+ds-1+deb9u2_all.deb

OS	Version	Architecture	Package	Version	Filename
Debian	9	all	salt-cloud	< 2016.11.2+ds-1+deb9u2	salt-cloud_2016.11.2+ds-1+deb9u2_all.deb
Debian	9	all	salt-common	< 2016.11.2+ds-1+deb9u2	salt-common_2016.11.2+ds-1+deb9u2_all.deb
Debian	9	all	salt-proxy	< 2016.11.2+ds-1+deb9u2	salt-proxy_2016.11.2+ds-1+deb9u2_all.deb
Debian	9	all	salt-api	< 2016.11.2+ds-1+deb9u2	salt-api_2016.11.2+ds-1+deb9u2_all.deb
Debian	9	all	salt-ssh	< 2016.11.2+ds-1+deb9u2	salt-ssh_2016.11.2+ds-1+deb9u2_all.deb
Debian	9	all	salt-doc	< 2016.11.2+ds-1+deb9u2	salt-doc_2016.11.2+ds-1+deb9u2_all.deb
Debian	9	all	salt	< 2016.11.2+ds-1+deb9u2	salt_2016.11.2+ds-1+deb9u2_all.deb
Debian	9	all	salt-master	< 2016.11.2+ds-1+deb9u2	salt-master_2016.11.2+ds-1+deb9u2_all.deb
Debian	9	all	salt-minion	< 2016.11.2+ds-1+deb9u2	salt-minion_2016.11.2+ds-1+deb9u2_all.deb
Debian	9	all	salt-syndic	< 2016.11.2+ds-1+deb9u2	salt-syndic_2016.11.2+ds-1+deb9u2_all.deb