
security/vuxml: Add an entry for sysutils/py-salt vulnerabilities in vuln.xml
ClosedPublic

Authored by rhurlin on Nov 12 2020, 5:50 AM.
Details

Summary

There are three security vulnerabilities described for sysutils/py-salt in version 3002[1]:
CVE-2020-16846, CVE-2020-17490, and CVE-2020-25592.

[1] https://docs.saltstack.com/en/latest/topics/releases/3002.1.html

After this VuXML entry is committed, the port will be updated, see PR 251013.

  • This patch adds a new entry for sysutils/py-salt with all three CVEs described in vuln.xml
  • There are three flavors of the port, which have to be checked (py36, py37, py38)
  • 'make validate' is fine with the entry
  • vxquery shows information as expected
#vxquery /usr/ports/security/vuxml/vuln.xml py37-salt-3002_2
Topic: salt -- multiple vulnerabilities
Affects:
    3002 <= py36-salt < 3002.1
    3002 <= py37-salt < 3002.1
    3002 <= py38-salt < 3002.1
References:
    url:https://docs.saltstack.com/en/latest/topics/releases/3002.1.html
    cvename:CVE-2020-16486
    url:https://nvd.nist.gov/vuln/detail/CVE-2020-16746
    cvename:CVE-2020-17490
    url:https://nvd.nist.gov/vuln/detail/CVE-2020-17490
    cvename:CVE-2020-25592
    url:https://nvd.nist.gov/vuln/detail/CVE-2020-25592
<URL:http://vuxml.freebsd.org/50259d8b-243e-11eb-8bae-b42e99975750.html>

Also 'make VID=50259d8b-243e-11eb-8bae-b42e99975750 html' renders fine; the links in the HTML are all functional.

What I am not sure about is the range for the vulnerable version. Only version 3002 is vulnerable, not 3001.3 nor 3002.1.
I am using '<range><ge>3002</ge><lt>3002.1</lt></range>' for this, because I found no working example with <eq>3002</eq>.
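As an added example that is not part of this review or of pkg's own code, the following Python models how a VuXML `<affects>`/`<range>` check resolves the `<ge>3002</ge><lt>3002.1</lt>` range above against the versions discussed (3002, 3002_2, 3002.1, 3001.3); the version ordering is a simplified approximation (dotted numeric versions plus an optional `_N` port revision), and the entry dictionary is constructed from the vxquery output.

```python
"""Added example, not part of the review or of pkg's own code: a minimal model of the
VuXML <affects>/<range> check that pkg audit performs. The ordering is a simplification
(dotted numeric versions plus an optional _N port revision), enough for this entry."""
from typing import Optional, Tuple

def parse_pkgname(pkgname: str) -> Tuple[str, str]:
    """Split 'py37-salt-3002_2' into ('py37-salt', '3002_2')."""
    name, sep, version = pkgname.rpartition("-")
    if not sep or not version[:1].isdigit():
        raise ValueError(f"no version in package name: {pkgname!r}")
    return name, version

def version_key(version: str) -> Tuple[Tuple[int, ...], int]:
    """Order key: dotted numeric components, then port revision (3002 < 3002_2 < 3002.1).
    Assumption: purely numeric components, as in 3002, 3002.1 and 3001.3."""
    base, _, revision = version.partition("_")
    return tuple(int(p) for p in base.split(".")), int(revision or 0)

# Constructed from the vxquery output in the review: one entry whose <affects> lists
# the three flavors, each with <range><ge>3002</ge><lt>3002.1</lt></range>.
SALT_ENTRY = {
    "vid": "50259d8b-243e-11eb-8bae-b42e99975750",
    "topic": "salt -- multiple vulnerabilities",
    "affects": [
        {"name": name, "range": {"ge": "3002", "lt": "3002.1"}}
        for name in ("py36-salt", "py37-salt", "py38-salt")
    ],
}

# VuXML range operators; <eq> is included to show why it misses revision bumps.
_OPS = {
    "eq": lambda v, b: v == b,
    "ge": lambda v, b: v >= b,
    "lt": lambda v, b: v < b,
}

def in_range(version: str, rng: dict) -> bool:
    """True when every bound in the <range> holds for the version."""
    v = version_key(version)
    return all(_OPS[op](v, version_key(bound)) for op, bound in rng.items())

def audit(pkgname: str, entry: dict = SALT_ENTRY) -> Optional[str]:
    """Return the entry's vid when the package matches a vulnerable range, else None."""
    name, version = parse_pkgname(pkgname)
    for pkg in entry["affects"]:
        if pkg["name"] == name and in_range(version, pkg["range"]):
            return entry["vid"]
    return None
```

In this model `audit("py37-salt-3002_2")` still matches the `ge`/`lt` range, whereas a bare `eq 3002` bound would not, which is why the range form covers PORTREVISION bumps of the same upstream version.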

Diff Detail

Repository
rP FreeBSD ports repository

Event Timeline

> echo 3002; pkg audit -f ./vuln.xml py37-salt-3002 ;  echo 3002.1 ;  pkg audit -f ./vuln.xml py37-salt-3002.1  ;  echo 3001.3;  pkg audit -f ./vuln.xml py37-salt-3001.3
3002
py37-salt-3002 is vulnerable:
salt -- multiple vulnerabilities
CVE: CVE-2020-25592
CVE: CVE-2020-17490
CVE: CVE-2020-16846
WWW: https://vuxml.FreeBSD.org/freebsd/50259d8b-243e-11eb-8bae-b42e99975750.html

1 problem(s) in 1 installed package(s) found.
3002.1
0 problem(s) in 0 installed package(s) found.
3001.3
0 problem(s) in 0 installed package(s) found.

so I would say you matched the range you intended to :)

I would update the entry date to -12 before committing.

This revision is now accepted and ready to land. Nov 12 2020, 6:01 AM