Debian Package Tracker

general

source: salt (main)
version: 3000+dfsg1-1
maintainer: Debian Salt Team (archive) (DMD)
uploaders: Andriy Senkovych [DMD] – Joe Healy [DMD] – Franklin G Mendoza [DMD] – Ondřej Nový [DMD] – Benjamin Drung [DMD]
arch: all
std-ver: 4.5.0
VCS: Git (Browse, QA)

versions [more versions can be listed by madison] [old versions available from snapshot.debian.org]

[pool directory]

o-o-stable: 2014.1.13+ds-3
oldstable: 2016.11.2+ds-1+deb9u2
stable: 2018.3.4+dfsg1-6
testing: 2019.2.3+dfsg1-2
unstable: 3000+dfsg1-1

versioned links

2014.1.13+ds-3: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
2016.11.2+ds-1+deb9u2: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
2018.3.4+dfsg1-6: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
2019.2.3+dfsg1-2: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
3000+dfsg1-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]

binaries

salt-api (1 bugs: 0, 1, 0, 0)
salt-cloud
salt-common
salt-doc
salt-master (1 bugs: 0, 1, 0, 0)
salt-minion (1 bugs: 0, 0, 1, 0)
salt-proxy
salt-ssh (2 bugs: 0, 2, 0, 0)
salt-syndic

action needed

A new upstream version is available: 3000.0.0~rc2 high

A new upstream version 3000.0.0~rc2 is available, you should consider packaging it.

Created: 2019-11-17 Last update: 2020-02-27 22:42

1 security issue in buster high

There is 1 open security issue in buster.

1 important issue:

CVE-2019-17361: In SaltStack Salt through 2019.2.0, the salt-api NET API with the ssh client enabled is vulnerable to command injection. This allows an unauthenticated attacker with network access to the API endpoint to execute arbitrary code on the salt-api host.

Please fix it.

Created: 2020-01-18 Last update: 2020-02-25 23:32

5 security issues in stretch high

There are 5 open security issues in stretch.

3 important issues:

CVE-2018-15751: SaltStack Salt before 2017.7.8 and 2018.3.x before 2018.3.3 allow remote attackers to bypass authentication and execute arbitrary commands via salt-api(netapi).
CVE-2019-1010259: SaltStack Salt 2018.3, 2019.2 is affected by: SQL Injection. The impact is: An attacker could escalate privileges on MySQL server deployed by cloud provider. It leads to RCE. The component is: The mysql.user_chpass function from the MySQL module for Salt. The attack vector is: specially crafted password string. The fixed version is: 2018.3.4.
CVE-2019-17361: In SaltStack Salt through 2019.2.0, the salt-api NET API with the ssh client enabled is vulnerable to command injection. This allows an unauthenticated attacker with network access to the API endpoint to execute arbitrary code on the salt-api host.

2 issues skipped by the security teams:

CVE-2017-7893: In SaltStack Salt before 2016.3.6, compromised salt-minions can impersonate the salt-master.
CVE-2018-15750: Directory Traversal vulnerability in salt-api in SaltStack Salt before 2017.7.8 and 2018.3.x before 2018.3.3 allows remote attackers to determine which files exist on the server.

Please fix them.

Created: 2017-04-26 Last update: 2020-02-25 23:32

Fails to build during reproducibility testing normal

A package building reproducibly enables third parties to verify that the source matches the distributed binaries. It has been identified that this source package produced different results, failed to build or had other issues in a test environment. Please read about how to improve the situation!

Created: 2020-02-01 Last update: 2020-02-27 23:07

1 new commit since last upload, is it time to release? normal

vcswatch reports that this package seems to have new commits in its VCS but has not yet updated debian/changelog. You should consider updating the Debian changelog and uploading this new version into the archive.

Here are the relevant commit logs:

commit 76f318d9463a75af04ab5fb014a55306a8e0de5b
Author: Benjamin Drung <benjamin.drung@cloud.ionos.com>
Date:   Wed Feb 26 21:23:53 2020 +0100

    Require python3-pytestsalt >= 2019.6.13 for tests
    
    Older versions will fail:
    
    ```
    Traceback (most recent call last):
      File "./tests/runtests.py", line 62, in <module>
        from tests.integration import TestDaemon, TestDaemonStartFailed
      File "tests/integration/__init__.py", line 34, in <module>
        from tests.support.processes import *  # pylint: disable=wildcard-import
      File "tests/support/processes.py", line 29, in <module>
        from tests.support.cli_scripts import ScriptPathMixin
      File "tests/support/cli_scripts.py", line 16, in <module>
        from pytestsalt.utils import cli_scripts
    ImportError: cannot import name 'cli_scripts' from 'pytestsalt.utils' (/usr/lib/python3/dist-packages/pytestsalt/utils.py)
    ```
    
    Signed-off-by: Benjamin Drung <benjamin.drung@cloud.ionos.com>

Created: 2020-02-26 Last update: 2020-02-26 21:36

9 ignored security issues in jessie low

There are 9 open security issues in jessie.

9 issues skipped by the security teams:

CVE-2015-6918: salt before 2015.5.5 leaks git usernames and passwords to the log.
CVE-2017-7893: In SaltStack Salt before 2016.3.6, compromised salt-minions can impersonate the salt-master.
CVE-2017-12791: Directory traversal vulnerability in minion id validation in SaltStack Salt before 2016.11.7 and 2017.7.x before 2017.7.1 allows remote minions with incorrect credentials to authenticate to a master via a crafted minion ID.
CVE-2016-9639: Salt before 2015.8.11 allows deleted minions to read or write to minions with the same id, related to caching.
CVE-2016-3176: Salt before 2015.5.10 and 2015.8.x before 2015.8.8, when PAM external authentication is enabled, allows attackers to bypass the configured authentication service by passing an alternate service with a command sent to LocalClient.
CVE-2017-14696: SaltStack Salt before 2016.3.8, 2016.11.x before 2016.11.8, and 2017.7.x before 2017.7.2 allows remote attackers to cause a denial of service via a crafted authentication request.
CVE-2015-6941: win_useradd, salt-cloud and the Linode driver in salt 2015.5.x before 2015.5.6, and 2015.8.x before 2015.8.1 leak password information in debug logs.
CVE-2017-14695: Directory traversal vulnerability in minion id validation in SaltStack Salt before 2016.3.8, 2016.11.x before 2016.11.8, and 2017.7.x before 2017.7.2 allows remote minions with incorrect credentials to authenticate to a master via a crafted minion ID. NOTE: this vulnerability exists because of an incomplete fix for CVE-2017-12791.
CVE-2015-8034: The state.sls function in Salt before 2015.8.3 uses weak permissions on the cache data, which allows local users to obtain sensitive information by reading the file.

Please fix them.

Created: 2015-10-27 Last update: 2020-02-25 23:32

testing migrations

excuses:
- Migration status for salt (2019.2.3+dfsg1-2 to 3000+dfsg1-1): Will attempt migration (Any information below is purely informational)
- Additional info:
- Piuparts tested OK - https://piuparts.debian.org/sid/source/s/salt.html
- Required age reduced by 3 days because of autopkgtest
- 2 days old (needed 2 days)

news

[rss feed]

[2020-02-25] Accepted salt 3000+dfsg1-1 (source) into unstable (Benjamin Drung)
[2020-02-07] salt 2019.2.3+dfsg1-2 MIGRATED to testing (Debian testing watch)
[2020-02-03] Accepted salt 2019.2.3+dfsg1-2 (source) into unstable (Benjamin Drung)
[2020-02-01] salt 2019.2.3+dfsg1-1 MIGRATED to testing (Debian testing watch)
[2020-01-29] Accepted salt 2019.2.3+dfsg1-1 (source) into unstable (Benjamin Drung)
[2019-10-12] salt REMOVED from testing (Debian testing watch)
[2019-09-18] salt 2018.3.4+dfsg1-7 MIGRATED to testing (Debian testing watch)
[2019-09-07] salt REMOVED from testing (Debian testing watch)
[2019-09-01] salt 2018.3.4+dfsg1-7 MIGRATED to testing (Debian testing watch)
[2019-08-29] Accepted salt 2018.3.4+dfsg1-7 (source) into unstable (Benjamin Drung)
[2019-05-28] salt 2018.3.4+dfsg1-6 MIGRATED to testing (Debian testing watch)
[2019-05-25] Accepted salt 2018.3.4+dfsg1-6 (source) into unstable (Benjamin Drung)
[2019-05-02] Accepted salt 2018.3.4+dfsg1-5 (source) into unstable (Benjamin Drung)
[2019-04-26] Accepted salt 2018.3.4+dfsg1-4 (source) into unstable (Benjamin Drung)
[2019-04-25] Accepted salt 2018.3.4+dfsg1-3 (source) into unstable (Benjamin Drung)
[2019-04-17] Accepted salt 2018.3.4+dfsg1-2 (source) into unstable (Benjamin Drung)
[2019-04-05] Accepted salt 2018.3.4+dfsg1-1 (source) into unstable (Benjamin Drung)
[2019-02-11] salt 2018.3.4~git20180207+dfsg1-1 MIGRATED to testing (Debian testing watch)
[2019-02-08] Accepted salt 2018.3.4~git20180207+dfsg1-1 (source) into unstable (Benjamin Drung)
[2019-01-10] salt 2018.3.3+dfsg1-2 MIGRATED to testing (Debian testing watch)
[2019-01-07] Accepted salt 2018.3.3+dfsg1-2 (source) into unstable (Benjamin Drung)
[2018-12-21] Accepted salt 2018.3.3+dfsg1-1 (source all) into unstable (Benjamin Drung)
[2018-07-08] Accepted salt 2016.11.2+ds-1+deb9u2 (source all) into proposed-updates->stable-new, proposed-updates (Ondřej Nový)
[2018-05-19] salt REMOVED from testing (Debian testing watch)
[2018-05-03] salt 2017.7.4+dfsg1-1 MIGRATED to testing (Debian testing watch)
[2018-05-02] salt REMOVED from testing (Debian testing watch)
[2018-03-13] salt 2017.7.4+dfsg1-1 MIGRATED to testing (Debian testing watch)
[2018-03-05] Accepted salt 2017.7.4+dfsg1-1 (source) into unstable (Benjamin Drung)
[2018-03-02] Accepted salt 2016.11.2+ds-1+deb9u1 (source all) into proposed-updates->stable-new, proposed-updates (Ondřej Nový)
[2018-02-21] Accepted salt 2017.7.3+dfsg1-1 (source) into unstable (Benjamin Drung)

bugs [bug history graph]

all: 6
RC: 0
I&N: 5
M&W: 1
F&P: 0
patch: 0

links

homepage
buildd: logs, clang, reproducibility
popcon
browse source code
edit tags
security tracker
debci