Bug 1222960 (CVE-2015-4017) - CVE-2015-4017 salt: Certificates are not verified when connecting to server with certain modules
Summary: CVE-2015-4017 salt: Certificates are not verified when connecting to server w...
Alias: CVE-2015-4017
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
Depends On: 1222961 1222962
Blocks: 1222963
TreeView+ depends on / blocked
Reported: 2015-05-19 13:42 UTC by Martin Prpič
Modified: 2019-09-29 13:32 UTC (History)
5 users (show)

Fixed In Version: salt 2014.7.6
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2015-10-09 21:36:00 UTC

Attachments (Terms of Use)

Description Martin Prpič 2015-05-19 13:42:59 UTC
It was found that Salt does not verify the certificate when connecting via the aliyun, proxmox, and splunk modules.

This flaw has been fixed in version 2014.7.6:


Comment 1 Martin Prpič 2015-05-19 13:43:45 UTC
Created salt tracking bugs for this issue:

Affects: fedora-all [bug 1222961]
Affects: epel-all [bug 1222962]

Comment 2 Erik Johnson 2015-05-27 16:00:49 UTC
This fix was part of 2015.5.0, which was packaged on 11 May 2015. Closing.

Comment 3 Tomas Hoger 2015-05-27 16:43:16 UTC
We still want this open for some Red Hat products.  Thank you for updating Fedora/EPEL.

Comment 4 Erik Johnson 2015-05-27 16:46:25 UTC

Comment 5 Tomas Hoger 2015-05-27 21:21:19 UTC
There are Red Hat products which include this component.  They will still be looked at to determine if this issue needs fixing there.  We want to keep this open until those are fully dealt with.  You can un-CC from this bug if you have no further action here.

Comment 6 Boris Ranto 2015-05-28 17:00:45 UTC
FWIW: Calamari (that uses salt) does not use any of these modules with salt, see:


Comment 7 Siddharth Sharma 2015-10-09 21:34:30 UTC
Salt package as shipped in ceph-1.2 and ceph-1.3 is affected , but it does not affect ceph in a way salt is used by calamari in ceph-1.2 and ceph-1.3 versions

Note You need to log in before you can comment on or make changes to this bug.