CVE-2017-8109

NameCVE-2017-8109
DescriptionThe salt-ssh minion code in SaltStack Salt 2016.11 before 2016.11.4 copied over configuration from the Salt Master without adjusting permissions, which might leak credentials to local attackers on configured minions (clients).
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub advisories/code/issues, web search, more)
Debian Bugs861219

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
salt (PTS)buster, buster (security)2018.3.4+dfsg1-6+deb10u3fixed
bullseye (security), bullseye3002.6+dfsg1-4+deb11u1fixed
sid3004.1+dfsg-2.2fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
saltsourcejessie(not affected)
saltsourcestretch2016.11.2+ds-1+deb9u2
saltsource(unstable)2016.11.5+ds-1861219

Notes

[jessie] - salt <not-affected> (Vulnerable code not present)
https://github.com/saltstack/salt/issues/40075
https://github.com/saltstack/salt/pull/40609
https://github.com/saltstack/salt/commit/8492cef7a5c8871a3978ffc2f6e48b3b960e0151

Search for package or bug name: Reporting problems