It was found that the state.sls function stores state run cache on the minion onto the disk with incorrect permissions, making it world-readable. This file could potentially contain sensitive data that was inserted via Jinja into the state SLS files.

Upstream bug report: https://github.com/saltstack/salt/issues/28455
Upstream patch: https://github.com/cachedout/salt/commit/097838ec0c52b1e96f7f761e5fb3cd7e79808741
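The class of bug reported above, as an added example that is not part of the original report and is not the upstream patch: a cache file written with a plain `open()` inherits its mode from the process umask, while creating it with an explicit `0o600` keeps it private, and a small audit function lists files that other local users can read. The file names, the sample secret and the scratch directory are constructed; to check a real minion, pass its configured cache directory to `world_readable_files`.

```python
import os
import stat
import tempfile


def write_cache_default(path, data):
    """'Before' pattern: the mode comes from the umask (0o022 gives 0o644)."""
    with open(path, "wb") as fh:
        fh.write(data)


def write_cache_private(path, data):
    """Hardened pattern: the file is created 0o600 whatever the umask allows."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "wb") as fh:
        os.fchmod(fh.fileno(), 0o600)  # also tightens a pre-existing, looser file
        fh.write(data)


def world_readable_files(cachedir):
    """Return sorted relative paths of regular files readable by 'other'."""
    hits = []
    for root, _dirs, files in os.walk(cachedir):
        for name in files:
            full = os.path.join(root, name)
            st = os.lstat(full)  # lstat: do not follow symlinks out of the tree
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_IROTH:
                hits.append(os.path.relpath(full, cachedir))
    return sorted(hits)


def demo():
    """Write one file each way into a scratch directory, then audit it."""
    old_umask = os.umask(0o022)  # common daemon umask, set explicitly here
    try:
        with tempfile.TemporaryDirectory() as cachedir:
            secret = b"db_password: constructed-sample-value\n"  # constructed
            write_cache_default(os.path.join(cachedir, "default.cache"), secret)
            write_cache_private(os.path.join(cachedir, "private.cache"), secret)
            return world_readable_files(cachedir)
    finally:
        os.umask(old_umask)


if __name__ == "__main__":
    print(demo())
```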
Created salt tracking bugs for this issue:
Affects: fedora-all [bug 1289110]
Affects: epel-all [bug 1289111]
The 2015.5.9 builds currently in testing include this patch already.
Actually, the 2015.5.8 builds in stable also include this patch, so I'm going to close this.
(In reply to Erik Johnson from comment #3)
> Actually, the 2015.5.8 builds in stable also include this patch, so I'm going to close this.

Please do not close CVE bugs; these bugs are supposed to be closed by Red Hat's Product Security after the issue is fixed in all its products. Thanks.
OK, but the issue *is* fixed. 2015.5.8 is in stable. What is the path to getting this issue closed, then, since I didn't add the bug number when I submitted the 2015.5.8 builds to bodhi? I did add this bug to the 2015.5.9 builds of Salt currently in testing, before I realized that the issue was already resolved in 2015.5.8.
salt-2015.5.9-2.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.