Version 2018.3.4~git20180207+dfsg1-1 of salt is marked for autoremoval from testing on Fri 15 Mar 2019. It depends (transitively) on python-ncclient, affected by #918825. You should try to prevent the removal by fixing these RC bugs.
A new upstream version is available: 2019.2.0~rc2high
A new upstream version 2019.2.0~rc2 is available, you should consider packaging it.
CVE-2018-15751: SaltStack Salt before 2017.7.8 and 2018.3.x before 2018.3.3 allow remote attackers to bypass authentication and execute arbitrary commands via salt-api(netapi).
2 issues skipped by the security teams:
CVE-2018-15750: Directory Traversal vulnerability in salt-api in SaltStack Salt before 2017.7.8 and 2018.3.x before 2018.3.3 allows remote attackers to determine which files exist on the server.
CVE-2017-7893: In SaltStack Salt before 2016.3.6, compromised salt-minions can impersonate the salt-master.
1 new commit since last upload, time to release?
normal
vcswatch reports that
this package seems to have new commits in its VCS but has
not yet updated debian/changelog. You should consider updating
the Debian changelog and uploading this new version into the archive.
Here are the relevant commit logs:
commit 539ea14383a75a5b1e097e0df44da79aef0a3c0d
Author: Benjamin Drung <benjamin.drung@profitbricks.com>
Date: Tue Feb 12 18:24:48 2019 +0100
Fix various spelling mistakes
Forwarded: https://github.com/saltstack/salt/pull/51594
CVE-2017-14696: SaltStack Salt before 2016.3.8, 2016.11.x before 2016.11.8, and 2017.7.x before 2017.7.2 allows remote attackers to cause a denial of service via a crafted authentication request.
CVE-2016-3176: Salt before 2015.5.10 and 2015.8.x before 2015.8.8, when PAM external authentication is enabled, allows attackers to bypass the configured authentication service by passing an alternate service with a command sent to LocalClient.
CVE-2017-12791: Directory traversal vulnerability in minion id validation in SaltStack Salt before 2016.11.7 and 2017.7.x before 2017.7.1 allows remote minions with incorrect credentials to authenticate to a master via a crafted minion ID.
CVE-2017-7893: In SaltStack Salt before 2016.3.6, compromised salt-minions can impersonate the salt-master.
CVE-2015-8034: The state.sls function in Salt before 2015.8.3 uses weak permissions on the cache data, which allows local users to obtain sensitive information by reading the file.
CVE-2016-9639: Salt before 2015.8.11 allows deleted minions to read or write to minions with the same id, related to caching.
CVE-2017-14695: Directory traversal vulnerability in minion id validation in SaltStack Salt before 2016.3.8, 2016.11.x before 2016.11.8, and 2017.7.x before 2017.7.2 allows remote minions with incorrect credentials to authenticate to a master via a crafted minion ID. NOTE: this vulnerability exists because of an incomplete fix for CVE-2017-12791.
CVE-2015-6941: win_useradd, salt-cloud and the Linode driver in salt 2015.5.x before 2015.5.6, and 2015.8.x before 2015.8.1 leak password information in debug logs.
CVE-2015-6918: salt before 2015.5.5 leaks git usernames and passwords to the log.
![[bug history graph]](https://qa.debian.org/data/bts/graphs/s/salt.png){kind=link}