salt: 2016.3.3 -> 2016.11.2 for multiple CVEs
From the Arch Linux advisory: - CVE-2017-5192 (arbitrary code execution): The `LocalClient.cmd_batch()` method client does not accept `external_auth` credentials and so access to it from salt-api has been removed for now. This vulnerability allows code execution for already- authenticated users and is only in effect when running salt-api as the `root` user. - CVE-2017-5200 (arbitrary command execution): Salt-api allows arbitrary command execution on a salt-master via Salt's ssh_client. Users of Salt-API and salt-ssh could execute a command on the salt master via a hole when both systems were enabled.
This commit is contained in:
parent
e01278b2de
commit
379144f54b
@ -8,11 +8,11 @@
|
|||||||
|
|
||||||
python2Packages.buildPythonApplication rec {
|
python2Packages.buildPythonApplication rec {
|
||||||
name = "salt-${version}";
|
name = "salt-${version}";
|
||||||
version = "2016.3.3";
|
version = "2016.11.2";
|
||||||
|
|
||||||
src = fetchurl {
|
src = fetchurl {
|
||||||
url = "mirror://pypi/s/salt/${name}.tar.gz";
|
url = "mirror://pypi/s/salt/${name}.tar.gz";
|
||||||
sha256 = "1djjglnh6203y8dirziz5w6zh2lgszxp8ivi86nb7fgijj2h61jr";
|
sha256 = "0hrss5x47cr7ffyjl8jlkhf9j88lqvg7c33rjc5bimck8b7x7hzm";
|
||||||
};
|
};
|
||||||
|
|
||||||
propagatedBuildInputs = with python2Packages; [
|
propagatedBuildInputs = with python2Packages; [
|
||||||
|
Loading…
Reference in New Issue
Block a user