py-salt vulnerabilities in vuln.xml
ClosedPublic
Actions

Authored by rhurlin on Nov 12 2020, 5:50 AM.

Details

Reviewers

arrowd
tcberner

Commits

rP554931: security/vuxml: New entry for sysutils/py-salt vulnerabilities

Summary

There are three security vulnerabilities described for systutils/py-salt in version 3002[1]:
CVE-2020-16846, CVE-2020-17490, and VE-2020-25592.

[1] https://docs.saltstack.com/en/latest/topics/releases/3002.1.html

After this VuXML entry is committed, the port will be updated, see PR 251013.

This patch adds a new entry for sysutils/py-salt with all three CVEs described in vuln.xml
There are three flavors of the port, which have to be checked (py36, py37, py38)
'make validate' is fine with the entry
vxquery shows information as expected

#vxquery /usr/ports/security/vuxml/vuln.xml py37-salt-3002_2
Topic: salt -- multiple vulnerabilities
Affects:
    3002 <= py36-salt < 3002.1
    3002 <= py37-salt < 3002.1
    3002 <= py38-salt < 3002.1
References:
    url:https://docs.saltstack.com/en/latest/topics/releases/3002.1.html
    cvename:CVE-2020-16486
    url:https://nvd.nist.gov/vuln/detail/CVE-2020-16746
    cvename:CVE-2020-17490
    url:https://nvd.nist.gov/vuln/detail/CVE-2020-17490
    cvename:CVE-2020-25592
    url:https://nvd.nist.gov/vuln/detail/CVE-2020-25592
<URL:http://vuxml.freebsd.org/50259d8b-243e-11eb-8bae-b42e99975750.html>

Also 'make VID=50259d8b-243e-11eb-8bae-b42e99975750 html' renders fine, the links in the html are all functional.

What I am not sure about is the range for the vulnerable version. Only version 3002 is vulnerable, not 3001.3 nor 3002.1.
I am using '<range><ge>3002</ge><lt>3002.1</lt></range>' for this, because I found no working example with <eq>3002</eq>.

Diff Detail

Repository

rP FreeBSD ports repository

Lint

Lint Not Applicable

Unit

Tests Not Applicable

Event Timeline

rhurlin created this revision.Nov 12 2020, 5:50 AM

Herald added a subscriber: mat. · View Herald TranscriptNov 12 2020, 5:50 AM

rhurlin requested review of this revision.Nov 12 2020, 5:50 AM

Harbormaster completed remote builds in B34756: Diff 79457.Nov 12 2020, 5:50 AM

rhurlin edited the summary of this revision. (Show Details)Nov 12 2020, 5:54 AM

> echo 3002; pkg audit -f ./vuln.xml py37-salt-3002 ;  echo 3002.1 ;  pkg audit -f ./vuln.xml py37-salt-3002.1  ;  echo 3001.3;  pkg audit -f ./vuln.xml py37-salt-3001.3                                                                                                                
3002
py37-salt-3002 is vulnerable:
salt -- multiple vulnerabilities
CVE: CVE-2020-25592
CVE: CVE-2020-17490
CVE: CVE-2020-16846
WWW: https://vuxml.FreeBSD.org/freebsd/50259d8b-243e-11eb-8bae-b42e99975750.html

1 problem(s) in 1 installed package(s) found.
3002.1
0 problem(s) in 0 installed package(s) found.
3001.3
0 problem(s) in 0 installed package(s) found.

so I would say you matched the range you intended to :)

I would update the entry date to -12 before committing.

This revision is now accepted and ready to land.Nov 12 2020, 6:01 AM

Closed by commit rP554931: security/vuxml: New entry for sysutils/py-salt vulnerabilities (authored by rhurlin). · Explain WhyNov 12 2020, 6:45 AM

This revision was automatically updated to reflect the committed changes.

rhurlin added a commit: rP554931: security/vuxml: New entry for sysutils/py-salt vulnerabilities.