Bug 1222960 - (CVE-2015-4017) CVE-2015-4017 salt: Certificates are not verified when connecting to server with certain modules
Status: CLOSED WONTFIX
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All Linux
Priority: medium
Severity: medium
Assigned To: Red Hat Product Security
Whiteboard: impact=moderate,public=20150502,repor...
Keywords: Reopened, Security
Depends On: 1222961 1222962
Blocks: 1222963
Reported: 2015-05-19 09:42 EDT by Martin Prpič
Modified: 2016-01-21 11:10 EST
Fixed In Version: salt 2014.7.6
Doc Type: Bug Fix
Last Closed: 2015-10-09 17:36:00 EDT
Description Martin Prpič 2015-05-19 09:42:59 EDT
It was found that Salt does not verify the certificate when connecting via the aliyun, proxmox, and splunk modules.

This flaw has been fixed in version 2014.7.6:

https://groups.google.com/forum/#!topic/salt-users/8Kv1bytGD6c
Comment 1 Martin Prpič 2015-05-19 09:43:45 EDT
Created salt tracking bugs for this issue:

Affects: fedora-all [bug 1222961]
Affects: epel-all [bug 1222962]
Comment 2 Erik Johnson 2015-05-27 12:00:49 EDT
This fix was part of 2015.5.0, which was packaged on 11 May 2015. Closing.
Comment 3 Tomas Hoger 2015-05-27 12:43:16 EDT
We still want this open for some Red Hat products.  Thank you for updating Fedora/EPEL.
Comment 4 Erik Johnson 2015-05-27 12:46:25 EDT
Why?
Comment 5 Tomas Hoger 2015-05-27 17:21:19 EDT
There are Red Hat products which include this component.  They will still be looked at to determine if this issue needs fixing there.  We want to keep this open until those are fully dealt with.  You can un-CC from this bug if you have no further action here.
Comment 6 Boris Ranto 2015-05-28 13:00:45 EDT
FWIW: Calamari (that uses salt) does not use any of these modules with salt, see:

http://lists.ceph.com/pipermail/ceph-calamari-ceph.com/2015-May/000090.html
Comment 7 Siddharth Sharma 2015-10-09 17:34:30 EDT
The Salt package as shipped in ceph-1.2 and ceph-1.3 is affected, but it does not affect ceph in the way salt is used by calamari in the ceph-1.2 and ceph-1.3 versions.