Debian Package Tracker

general

source: salt (main)
version: 2017.7.4+dfsg1-1
maintainer: Debian Salt Team (archive) [DMD]
uploaders: Benjamin Drung [DMD] – Wolodja Wentland [DMD] – Andriy Senkovych [DMD] – Franklin G Mendoza [DMD] – Joe Healy [DMD] [dm] – Ondřej Nový [DMD]
arch: all
std-ver: 4.1.3
VCS: Git (Browse, QA)

versions [more versions can be listed by madison] [old versions available from snapshot.debian.org]

[pool directory]

o-o-bpo: 0.17.5+ds-1~bpo70+1
oldstable: 2014.1.13+ds-3
old-bpo: 2016.11.2+ds-1~bpo8+1
stable: 2016.11.2+ds-1+deb9u2
unstable: 2017.7.4+dfsg1-1

versioned links

0.17.5+ds-1~bpo70+1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
2014.1.13+ds-3: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
2016.11.2+ds-1~bpo8+1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
2016.11.2+ds-1+deb9u2: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
2017.7.4+dfsg1-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]

binaries

salt-api
salt-cloud
salt-common
salt-doc
salt-master
salt-minion
salt-proxy
salt-ssh
salt-syndic

action needed

A new upstream version is available: 2018.3.3 high

A new upstream version 2018.3.3 is available, you should consider packaging it.

Created: 2018-08-17 Last update: 2018-11-17 15:18

2 security issues in sid high

There are 2 open security issues in sid.

2 important issues:

CVE-2018-15751: SaltStack Salt before 2017.7.8 and 2018.3.x before 2018.3.3 allow remote attackers to bypass authentication and execute arbitrary commands via salt-api(netapi).
CVE-2018-15750: Directory Traversal vulnerability in salt-api in SaltStack Salt before 2017.7.8 and 2018.3.x before 2018.3.3 allows remote attackers to determine which files exist on the server.

Please fix them.

Created: 2018-10-25 Last update: 2018-11-11 18:39

3 security issues in stretch high

There are 3 open security issues in stretch.

1 important issue:

CVE-2018-15751: SaltStack Salt before 2017.7.8 and 2018.3.x before 2018.3.3 allow remote attackers to bypass authentication and execute arbitrary commands via salt-api(netapi).

2 issues skipped by the security teams:

CVE-2017-7893: In SaltStack Salt before 2016.3.6, compromised salt-minions can impersonate the salt-master.
CVE-2018-15750: Directory Traversal vulnerability in salt-api in SaltStack Salt before 2017.7.8 and 2018.3.x before 2018.3.3 allows remote attackers to determine which files exist on the server.

Please fix them.

Created: 2017-04-26 Last update: 2018-11-11 18:39

11 security issues in jessie high

There are 11 open security issues in jessie.

2 important issues:

CVE-2018-15751: SaltStack Salt before 2017.7.8 and 2018.3.x before 2018.3.3 allow remote attackers to bypass authentication and execute arbitrary commands via salt-api(netapi).
CVE-2018-15750: Directory Traversal vulnerability in salt-api in SaltStack Salt before 2017.7.8 and 2018.3.x before 2018.3.3 allows remote attackers to determine which files exist on the server.

9 issues skipped by the security teams:

CVE-2017-14695: Directory traversal vulnerability in minion id validation in SaltStack Salt before 2016.3.8, 2016.11.x before 2016.11.8, and 2017.7.x before 2017.7.2 allows remote minions with incorrect credentials to authenticate to a master via a crafted minion ID. NOTE: this vulnerability exists because of an incomplete fix for CVE-2017-12791.
CVE-2017-12791: Directory traversal vulnerability in minion id validation in SaltStack Salt before 2016.11.7 and 2017.7.x before 2017.7.1 allows remote minions with incorrect credentials to authenticate to a master via a crafted minion ID.
CVE-2017-14696: SaltStack Salt before 2016.3.8, 2016.11.x before 2016.11.8, and 2017.7.x before 2017.7.2 allows remote attackers to cause a denial of service via a crafted authentication request.
CVE-2017-7893: In SaltStack Salt before 2016.3.6, compromised salt-minions can impersonate the salt-master.
CVE-2015-6918: salt before 2015.5.5 leaks git usernames and passwords to the log.
CVE-2016-9639: Salt before 2015.8.11 allows deleted minions to read or write to minions with the same id, related to caching.
CVE-2016-3176: Salt before 2015.5.10 and 2015.8.x before 2015.8.8, when PAM external authentication is enabled, allows attackers to bypass the configured authentication service by passing an alternate service with a command sent to LocalClient.
CVE-2015-8034: The state.sls function in Salt before 2015.8.3 uses weak permissions on the cache data, which allows local users to obtain sensitive information by reading the file.
CVE-2015-6941: win_useradd, salt-cloud and the Linode driver in salt 2015.5.x before 2015.5.6, and 2015.8.x before 2015.8.1 leak password information in debug logs.

Please fix them.

Created: 2015-10-27 Last update: 2018-11-11 18:39

The package has not entered testing even though the delay is over normal

The package has not entered testing even though the 5-day delay is over. Check why.

Created: 2018-05-18 Last update: 2018-11-17 18:17

Depends on packages which need a new maintainer normal

The packages that salt depends on which need a new maintainer are:

twitter-bootstrap (#704330)
- Depends: libjs-twitter-bootstrap

Created: 2017-12-02 Last update: 2018-11-17 16:03

6 new commits since last upload, time to release? normal

vcswatch reports that this package seems to have new commits in its VCS but has not yet updated debian/changelog. You should consider updating the Debian changelog and uploading this new version into the archive.

Here are the relevant commit logs:

commit af968e5a1ceafd8ab1929d9fd8b96589c855e10c
Author: Benjamin Drung <benjamin.drung@profitbricks.com>
Date:   Fri Oct 12 19:44:53 2018 +0200

    Update patch to point to recent pull request

commit 26f26631df41cf314c889645fdc40f6e75d6fdc3
Author: Ondřej Nový <onovy@debian.org>
Date:   Sun Sep 30 15:42:15 2018 +0200

    d/control: Remove ancient X-Python3-Version field

commit 691037dfcf06ed18f06ee6915fa594547de08f48
Author: Benjamin Drung <benjamin.drung@profitbricks.com>
Date:   Thu Aug 2 13:01:49 2018 +0200

    Removing inactive Wolodja Wentland
    
    Wolodja Wentland <debian@babilen5.org> has not been working on
    the salt package for quite some time. Thanks for his contributions.
    
    Closes: #898142

commit c5e93d9b490530470fd2b312e843546ec5fbf7e3
Author: Benjamin Drung <benjamin.drung@profitbricks.com>
Date:   Thu Mar 8 17:20:22 2018 +0100

    Make doc_fixes.patch upstreamable

commit 3a98faf3bc395f36a6ddc5c15837b508a3306c6e
Author: Benjamin Drung <benjamin.drung@profitbricks.com>
Date:   Thu Mar 8 16:50:43 2018 +0100

    Add upstream references to patches

commit 78a9c445de9de6c15b50af09359e5b98df69680d
Author: Benjamin Drung <benjamin.drung@profitbricks.com>
Date:   Wed Mar 7 12:04:09 2018 +0100

    Enable test_symlink_list and test_file_tree again
    
    The salt 2017.7.4 release tarball contains the correct symlinks.
    Therefore enable the test_symlink_list and test_file_tree tests again.

Created: 2018-03-08 Last update: 2018-11-16 23:02

lintian reports 1 warning normal

Lintian reports 1 warning about this package. You should make the package lintian clean getting rid of them.

Created: 2018-05-12 Last update: 2018-10-12 08:27

Standards version of the package is outdated. wishlist

The package should be updated to follow the last version of Debian Policy (Standards-Version 4.2.1 instead of 4.1.3).

Created: 2018-04-16 Last update: 2018-08-26 08:16

testing migrations

excuses:
- Migrates after: twitter-bootstrap
- 256 days old (5 needed)
- Updating salt introduces new bugs: #893817, #896921, #904654, #908430, #913475
- Piuparts tested OK - https://piuparts.debian.org/sid/source/s/salt.html
- Not considered

news

[rss feed]

[2018-07-08] Accepted salt 2016.11.2+ds-1+deb9u2 (source all) into proposed-updates->stable-new, proposed-updates (Ondřej Nový)
[2018-05-19] salt REMOVED from testing (Debian testing watch)
[2018-05-03] salt 2017.7.4+dfsg1-1 MIGRATED to testing (Debian testing watch)
[2018-05-02] salt REMOVED from testing (Debian testing watch)
[2018-03-13] salt 2017.7.4+dfsg1-1 MIGRATED to testing (Debian testing watch)
[2018-03-05] Accepted salt 2017.7.4+dfsg1-1 (source) into unstable (Benjamin Drung)
[2018-03-02] Accepted salt 2016.11.2+ds-1+deb9u1 (source all) into proposed-updates->stable-new, proposed-updates (Ondřej Nový)
[2018-02-21] Accepted salt 2017.7.3+dfsg1-1 (source) into unstable (Benjamin Drung)
[2018-02-05] Accepted salt 2017.7.2+dfsg1-2 (source all) into unstable, unstable (Benjamin Drung)
[2018-01-25] Accepted salt 2017.7.2+dfsg1-1 (source) into unstable (Benjamin Drung)
[2018-01-21] salt 2016.11.8+dfsg1-2 MIGRATED to testing (Debian testing watch)
[2018-01-15] Accepted salt 2016.11.8+dfsg1-2 (source) into unstable (Ondřej Nový)
[2017-12-16] salt 2016.11.8+dfsg1-1 MIGRATED to testing (Debian testing watch)
[2017-12-11] Accepted salt 2016.11.8+dfsg1-1 (source) into unstable (Ondřej Nový)
[2017-10-01] salt REMOVED from testing (Debian testing watch)
[2017-06-20] salt 2016.11.5+ds-1 MIGRATED to testing (Debian testing watch)
[2017-05-29] Accepted salt 2016.11.2+ds-1~bpo8+1 (source all) into jessie-backports->backports-policy, jessie-backports (Al Nikolov)
[2017-05-26] Accepted salt 2016.11.5+ds-1 (source) into unstable (Benjamin Drung)
[2017-04-22] salt 2016.11.2+ds-1 MIGRATED to testing (Debian testing watch)
[2017-02-01] Accepted salt 2016.11.2+ds-1 (source) into unstable (Benjamin Drung)
[2017-01-29] Accepted salt 2016.11.1+ds-1~bpo8+1 (source all) into jessie-backports (Al Nikolov)
[2017-01-03] salt 2016.11.1+ds-1 MIGRATED to testing (Debian testing watch)
[2016-12-23] Accepted salt 2016.11.1+ds-1 (source) into unstable (Benjamin Drung)
[2016-12-06] Accepted salt 2016.3.4+ds-2~bpo8+1 (source all) into jessie-backports (Al Nikolov)
[2016-12-05] salt 2016.3.4+ds-2 MIGRATED to testing (Debian testing watch)
[2016-11-29] Accepted salt 2016.3.4+ds-2 (source) into unstable (Benjamin Drung)
[2016-11-28] salt 2016.3.4+ds-1 MIGRATED to testing (Debian testing watch)
[2016-11-24] Accepted salt 2016.3.4+ds-1 (source) into unstable (Benjamin Drung)
[2016-11-02] salt 2016.3.3+ds-3 MIGRATED to testing (Debian testing watch)
[2016-11-02] Accepted salt 2016.3.3+ds-3~bpo8+1 (source all) into jessie-backports (Al Nikolov)

bugs [bug history graph]

all: 13
RC: 5
I&N: 5
M&W: 2
F&P: 1
patch: 0

links

homepage
lintian (0, 1)
buildd: logs, clang
popcon
browse source code
edit tags
security tracker

ubuntu

[Information about Ubuntu for Debian Developers]

version: 2017.7.4+dfsg1-1
6 bugs