forked from mirrors/nixpkgs
379144f54b
From the Arch Linux advisory: - CVE-2017-5192 (arbitrary code execution): The `LocalClient.cmd_batch()` method client does not accept `external_auth` credentials and so access to it from salt-api has been removed for now. This vulnerability allows code execution for already- authenticated users and is only in effect when running salt-api as the `root` user. - CVE-2017-5200 (arbitrary command execution): Salt-api allows arbitrary command execution on a salt-master via Salt's ssh_client. Users of Salt-API and salt-ssh could execute a command on the salt master via a hole when both systems were enabled.
49 lines
1.2 KiB
Nix
49 lines
1.2 KiB
Nix
{
|
|
stdenv, fetchurl, python2Packages, openssl,
|
|
|
|
# Many Salt modules require various Python modules to be installed,
|
|
# passing them in this array enables Salt to find them.
|
|
extraInputs ? []
|
|
}:
|
|
|
|
python2Packages.buildPythonApplication rec {
|
|
name = "salt-${version}";
|
|
version = "2016.11.2";
|
|
|
|
src = fetchurl {
|
|
url = "mirror://pypi/s/salt/${name}.tar.gz";
|
|
sha256 = "0hrss5x47cr7ffyjl8jlkhf9j88lqvg7c33rjc5bimck8b7x7hzm";
|
|
};
|
|
|
|
propagatedBuildInputs = with python2Packages; [
|
|
futures
|
|
jinja2
|
|
markupsafe
|
|
msgpack
|
|
pycrypto
|
|
pyyaml
|
|
pyzmq
|
|
requests
|
|
tornado
|
|
] ++ extraInputs;
|
|
|
|
patches = [ ./fix-libcrypto-loading.patch ];
|
|
|
|
postPatch = ''
|
|
substituteInPlace "salt/utils/rsax931.py" \
|
|
--subst-var-by "libcrypto" "${openssl.out}/lib/libcrypto.so"
|
|
'';
|
|
|
|
# The tests fail due to socket path length limits at the very least;
|
|
# possibly there are more issues but I didn't leave the test suite running
|
|
# as is it rather long.
|
|
doCheck = false;
|
|
|
|
meta = with stdenv.lib; {
|
|
homepage = https://saltstack.com/;
|
|
description = "Portable, distributed, remote execution and configuration management system";
|
|
maintainers = with maintainers; [ aneeshusa ];
|
|
license = licenses.asl20;
|
|
};
|
|
}
|