Bug 1222960 (CVE-2015-4017)

Summary: CVE-2015-4017 salt: Certificates are not verified when connecting to server with certain modules
Product: [Other] Security Response
Reporter: Martin Prpič <mprpic>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED WONTFIX
Severity: medium
Priority: medium
Version: unspecified
CC: andrewniemants, branto, ceph-eng-bugs, jrusnack, sisharma
Keywords: Reopened, Security
Hardware: All
OS: Linux
Fixed In Version: salt 2014.7.6
Doc Type: Bug Fix
Last Closed: 2015-10-09 21:36:00 UTC
Bug Depends On: 1222961, 1222962
Bug Blocks: 1222963

Description Martin Prpič 2015-05-19 13:42:59 UTC
It was found that Salt does not verify the certificate when connecting via the aliyun, proxmox, and splunk modules.

This flaw has been fixed in version 2014.7.6:

https://groups.google.com/forum/#!topic/salt-users/8Kv1bytGD6c

Comment 1 Martin Prpič 2015-05-19 13:43:45 UTC
Created salt tracking bugs for this issue:

Affects: fedora-all [bug 1222961]
Affects: epel-all [bug 1222962]

Comment 2 Erik Johnson 2015-05-27 16:00:49 UTC
This fix was part of 2015.5.0, which was packaged on 11 May 2015. Closing.

Comment 3 Tomas Hoger 2015-05-27 16:43:16 UTC
We still want this open for some Red Hat products. Thank you for updating Fedora/EPEL.

Comment 4 Erik Johnson 2015-05-27 16:46:25 UTC
Why?

Comment 5 Tomas Hoger 2015-05-27 21:21:19 UTC
There are Red Hat products which include this component. They will still be looked at to determine if this issue needs fixing there. We want to keep this open until those are fully dealt with. You can un-CC from this bug if you have no further action here.

Comment 6 Boris Ranto 2015-05-28 17:00:45 UTC
FWIW: Calamari (which uses salt) does not use any of these modules with salt; see:

http://lists.ceph.com/pipermail/ceph-calamari-ceph.com/2015-May/000090.html

Comment 7 Siddharth Sharma 2015-10-09 21:34:30 UTC
The Salt package as shipped in ceph-1.2 and ceph-1.3 is affected, but it does not affect Ceph in the way Salt is used by Calamari in the ceph-1.2 and ceph-1.3 versions.