Описание
In SaltStack Salt before 2016.3.6, compromised salt-minions can impersonate the salt-master.
Пакеты
| Пакет | Статус | Версия исправления | Релиз | Тип |
|---|---|---|---|---|
| salt | fixed | 2016.11.5+ds-1 | package | |
| salt | no-dsa | stretch | package | |
| salt | ignored | jessie | package |
Примечания
https://docs.saltstack.com/en/2017.7/topics/releases/2016.3.6.html
https://github.com/saltstack/salt/issues/48939
https://patch-diff.githubusercontent.com/raw/saltstack/salt/pull/40159.patch
https://patch-diff.githubusercontent.com/raw/saltstack/salt/pull/40206.patch
The behaviour though was back off by default in a later commit again
cf. https://github.com/saltstack/salt/pull/40206
The fix is the second part of the #40159 PR, but the behaviour is turned
off by default and needs considerations of admins before enabling. We still
consider the issue as fixed starting with this change. Details in
https://github.com/saltstack/salt/issues/48939#issuecomment-410777638
Связанные уязвимости
In SaltStack Salt before 2016.3.6, compromised salt-minions can impersonate the salt-master.
In SaltStack Salt before 2016.3.6, compromised salt-minions can impersonate the salt-master.
In SaltStack Salt before 2016.3.6, compromised salt-minions can impersonate the salt-master.
SaltStack Salt allows compromised salt-minions to impersonate the salt-master