From 379144f54b2fa0e1568f72d58860393a1e09b92d Mon Sep 17 00:00:00 2001 From: Graham Christensen <graham@grahamc.com> Date: Wed, 8 Feb 2017 21:24:10 -0500 Subject: [PATCH] salt: 2016.3.3 -> 2016.11.2 for multiple CVEs From the Arch Linux advisory: - CVE-2017-5192 (arbitrary code execution): The `LocalClient.cmd_batch()` method client does not accept `external_auth` credentials and so access to it from salt-api has been removed for now. This vulnerability allows code execution for already- authenticated users and is only in effect when running salt-api as the `root` user. - CVE-2017-5200 (arbitrary command execution): Salt-api allows arbitrary command execution on a salt-master via Salt's ssh_client. Users of Salt-API and salt-ssh could execute a command on the salt master via a hole when both systems were enabled. --- pkgs/tools/admin/salt/default.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pkgs/tools/admin/salt/default.nix b/pkgs/tools/admin/salt/default.nix index 3386ed86a2a0..786e3f64cda1 100644 --- a/pkgs/tools/admin/salt/default.nix +++ b/pkgs/tools/admin/salt/default.nix @@ -8,11 +8,11 @@ python2Packages.buildPythonApplication rec { name = "salt-${version}"; - version = "2016.3.3"; + version = "2016.11.2"; src = fetchurl { url = "mirror://pypi/s/salt/${name}.tar.gz"; - sha256 = "1djjglnh6203y8dirziz5w6zh2lgszxp8ivi86nb7fgijj2h61jr"; + sha256 = "0hrss5x47cr7ffyjl8jlkhf9j88lqvg7c33rjc5bimck8b7x7hzm"; }; propagatedBuildInputs = with python2Packages; [