Saltstack, a client/server configuration system, was found to have allowed any minion to masquerade as any other agent when requesting stuff from the master, which could permit a compromised server to request data from another server, which could lead to a potential information leak.

References:
http://seclists.org/oss-sec/2013/q4/85
https://github.com/saltstack/salt/pull/7356

Commit:
https://github.com/saltstack/salt/pull/7356/commits
Created salt tracking bugs for this issue:

Affects: fedora-all [bug 1020307]
Affects: epel-all [bug 1020308]
salt-0.17.1-1.fc19 has been pushed to the Fedora 19 stable repository. If problems still persist, please make note of it in this bug report.
salt-0.17.1-1.fc18 has been pushed to the Fedora 18 stable repository. If problems still persist, please make note of it in this bug report.
salt-0.17.1-1.el6 has been pushed to the Fedora EPEL 6 stable repository. If problems still persist, please make note of it in this bug report.
salt-0.17.1-1.el5 has been pushed to the Fedora EPEL 5 stable repository. If problems still persist, please make note of it in this bug report.
A number of flaws were fixed in salt 0.17.1 (updates already pushed to Fedora and EPEL); noting the flaws and CVEs here for posterity.

Common Vulnerabilities and Exposures assigned CVE identifiers to the following vulnerabilities:

Name: CVE-2013-4435
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4435
Salt (aka SaltStack) 0.15.0 through 0.17.0 allows remote authenticated users who are using external authentication or client ACL to execute restricted routines by embedding the routine in another routine.

Name: CVE-2013-4436
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4436
The default configuration for salt-ssh in Salt (aka SaltStack) 0.17.0 does not validate the SSH host key of requests, which allows remote attackers to have unspecified impact via a man-in-the-middle (MITM) attack.

Name: CVE-2013-4437
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4437
Unspecified vulnerability in salt-ssh in Salt (aka SaltStack) 0.17.0 has unspecified impact and vectors related to "insecure Usage of /tmp."

Name: CVE-2013-4438
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4438
Salt (aka SaltStack) before 0.17.1 allows remote attackers to execute arbitrary YAML code via unspecified vectors. NOTE: the vendor states that this might not be a vulnerability because the YAML to be loaded has already been determined to be safe.

Name: CVE-2013-4439
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4439
Reference: https://github.com/saltstack/salt/pull/7356
Salt (aka SaltStack) before 0.15.0 through 0.17.0 allows remote authenticated minions to impersonate arbitrary minions via a crafted minion with a valid key.

Name: CVE-2013-6617
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6617
The salt master in Salt (aka SaltStack) 0.11.0 through 0.17.0 does not properly drop group privileges, which makes it easier for remote attackers to gain privileges.
External References: http://docs.saltstack.com/topics/releases/0.17.1.html