It was found that state.sls function stores state run cache on the minion onto the disk with incorrect permissions, making it world-readable. This file could potentially contain sensitive data that was inserted via jinja into the state SLS files.
Upstream bug report:
Created salt tracking bugs for this issue:
Affects: fedora-all [bug 1289110]
Affects: epel-all [bug 1289111]
The 2015.5.9 builds currently in testing include this patch already.
Actually, the 2015.5.8 builds in stable also include this patch, so I'm going to close this.
(In reply to Erik Johnson from comment #3)
> Actually, the 2015.5.8 builds in stable also include this patch, so I'm
> going to close this.
Please do not close CVE bugs, these bugs are supposed to be closed by Red Hat's Product Security after the issue is fixed in all its products.
OK, but the issue *is* fixed. 2015.5.8 is in stable. What is the path to getting this issue closed, then, since I didn't add the bug number when I submitted the 2015.5.8 builds to bodhi?
I did add this bug to the 2015.5.9 builds of Salt currently in testing, before I realized that the issue was already resolved in 2015.5.8.
salt-2015.5.9-2.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.