Date: Thu, 12 Nov 2020 06:14:51 +0000 (UTC) From: Rainer Hurling <rhurlin@FreeBSD.org> To: ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org Subject: svn commit: r554931 - head/security/vuxml Message-ID: <202011120614.0AC6Epl7054373@repo.freebsd.org>
next in thread | raw e-mail | index | archive | help
Author: rhurlin Date: Thu Nov 12 06:14:50 2020 New Revision: 554931 URL: https://svnweb.freebsd.org/changeset/ports/554931 Log: security/vuxml: New entry for sysutils/py-salt vulnerabilities There are three security vulnerabilities described for sysutils/py-salt in version 3002[1]: CVE-2020-16846, CVE-2020-17490, and VE-2020-25592. [1] https://docs.saltstack.com/en/latest/topics/releases/3002.1.html It is planned to update the port sysutils/py-salt soon, see PR 251013 Reported by: michael.glaus@hostpoint.ch (in PR 251013) Approved by: tcberner (mentor) Differential Revision: https://reviews.freebsd.org/D27189 Modified: head/security/vuxml/vuln.xml Modified: head/security/vuxml/vuln.xml ============================================================================== --- head/security/vuxml/vuln.xml Thu Nov 12 03:22:50 2020 (r554930) +++ head/security/vuxml/vuln.xml Thu Nov 12 06:14:50 2020 (r554931) @@ -58,6 +58,46 @@ Notes: * Do not forget port variants (linux-f10-libxml2, libxml2, etc.) --> <vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">; + <vuln vid="50259d8b-243e-11eb-8bae-b42e99975750"> + <topic>salt -- multiple vulnerabilities</topic> + <affects> + <package> + <name>py36-salt</name> + <name>py37-salt</name> + <name>py38-salt</name> + <range><ge>3002</ge><lt>3002.1</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml">; + <p>SaltStack reports multiple security vulnerabilities in Salt 3002:</p> + <blockquote cite="https://docs.saltstack.com/en/latest/topics/releases/3002.1.html">; + <ul> + <li>CVE-2020-16846: Prevent shell injections in netapi ssh client.</li> + <li>CVE-2020-17490: Prevent creating world readable private keys with the tls execution module.</li> + <li>CVE-2020-25592: Properly validate eauth credentials and tokens along with their ACLs. + Prior to this change eauth was not properly validated when calling Salt ssh via the salt-api. + Any value for 'eauth' or 'token' would allow a user to bypass authentication and make calls + to Salt ssh.</li> + </ul> + </blockquote> + </body> + </description> + <references> + <url>https://docs.saltstack.com/en/latest/topics/releases/3002.1.html</url>; + <cvename>CVE-2020-16846</cvename> + <url>https://nvd.nist.gov/vuln/detail/CVE-2020-16846</url>; + <cvename>CVE-2020-17490</cvename> + <url>https://nvd.nist.gov/vuln/detail/CVE-2020-17490</url>; + <cvename>CVE-2020-25592</cvename> + <url>https://nvd.nist.gov/vuln/detail/CVE-2020-25592</url>; + </references> + <dates> + <discovery>2020-11-06</discovery> + <entry>2020-11-12</entry> + </dates> + </vuln> + <vuln vid="4f15ca7b-23ae-11eb-9f59-1c1b0d9ea7e6"> <topic>Apache OpenOffice -- Unrestricted actions leads to arbitrary code execution in crafted documents</topic> <affects>
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?202011120614.0AC6Epl7054373>