3
0
Fork 0
forked from mirrors/nixpkgs

salt: 2016.3.3 -> 2016.11.2 for multiple CVEs

From the Arch Linux advisory:

- CVE-2017-5192 (arbitrary code execution): The
  `LocalClient.cmd_batch()` method client does not accept
  `external_auth` credentials and so access to it from salt-api has
  been removed for now. This vulnerability allows code execution for
  already- authenticated users and is only in effect when running
  salt-api as the `root` user.

- CVE-2017-5200 (arbitrary command execution): Salt-api allows
  arbitrary command execution on a salt-master via Salt's ssh_client.
  Users of Salt-API and salt-ssh could execute a command on the salt
  master via a hole when both systems were enabled.
This commit is contained in:
Graham Christensen 2017-02-08 21:24:10 -05:00
parent e01278b2de
commit 379144f54b
No known key found for this signature in database
GPG key ID: 06121D366FE9435C

View file

@ -8,11 +8,11 @@
python2Packages.buildPythonApplication rec {
name = "salt-${version}";
version = "2016.3.3";
version = "2016.11.2";
src = fetchurl {
url = "mirror://pypi/s/salt/${name}.tar.gz";
sha256 = "1djjglnh6203y8dirziz5w6zh2lgszxp8ivi86nb7fgijj2h61jr";
sha256 = "0hrss5x47cr7ffyjl8jlkhf9j88lqvg7c33rjc5bimck8b7x7hzm";
};
propagatedBuildInputs = with python2Packages; [