svn commit: r411973 - head/security/vuxml
Jason Unovitch
junovitch at FreeBSD.org
Sun Mar 27 01:42:43 UTC 2016
Author: junovitch
Date: Sun Mar 27 01:42:42 2016
New Revision: 411973
URL: https://svnweb.freebsd.org/changeset/ports/411973
Log:
Document Salt Insecure configuration of PAM external authentication service
PR: 208244
Security: CVE-2016-3176
Security: https://vuxml.FreeBSD.org/freebsd/6d25c306-f3bb-11e5-92ce-002590263bf5.html
Modified:
head/security/vuxml/vuln.xml
Modified: head/security/vuxml/vuln.xml
==============================================================================
--- head/security/vuxml/vuln.xml Sun Mar 27 01:23:39 2016 (r411972)
+++ head/security/vuxml/vuln.xml Sun Mar 27 01:42:42 2016 (r411973)
@@ -58,6 +58,41 @@ Notes:
* Do not forget port variants (linux-f10-libxml2, libxml2, etc.)
-->
<vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">
+ <vuln vid="6d25c306-f3bb-11e5-92ce-002590263bf5">
+ <topic>salt -- Insecure configuration of PAM external authentication service</topic>
+ <affects>
+ <package>
+ <name>py27-salt</name>
+ <name>py32-salt</name>
+ <name>py33-salt</name>
+ <name>py34-salt</name>
+ <name>py35-salt</name>
+ <range><lt>2015.5.10</lt></range>
+ <range><ge>2015.8.0</ge><lt>2015.8.8</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>SaltStack reports:</p>
+ <blockquote cite="https://docs.saltstack.com/en/latest/topics/releases/2015.8.8.html">
+ <p>This issue affects all Salt versions prior to 2015.8.8/2015.5.10
+ when PAM external authentication is enabled. This issue involves
+ passing an alternative PAM authentication service with a command
+ that is sent to LocalClient, enabling the attacker to bypass the
+ configured authentication service.</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <cvename>CVE-2016-3176</cvename>
+ <url>https://docs.saltstack.com/en/latest/topics/releases/2015.8.8.html</url>
+ </references>
+ <dates>
+ <discovery>2016-03-17</discovery>
+ <entry>2016-03-27</entry>
+ </dates>
+ </vuln>
+
<vuln vid="a258604d-f2aa-11e5-b4a9-ac220bdcec59">
<topic>activemq -- Unsafe deserialization</topic>
<affects>
More information about the svn-ports-all
mailing list