diff --git a/_lastrevision b/_lastrevision index 61f3dd9..5ae7ef3 100644 --- a/_lastrevision +++ b/_lastrevision @@ -1 +1 @@ -babf3dc7d243793c1134a8009ce18de316451d1a \ No newline at end of file +2a9748d411cf0d0e49f59fb6fa7ddd336992532e \ No newline at end of file diff --git a/fix-regression-with-depending-client.ssh-on-psutil-b.patch b/fix-regression-with-depending-client.ssh-on-psutil-b.patch new file mode 100644 index 0000000..58a1878 --- /dev/null +++ b/fix-regression-with-depending-client.ssh-on-psutil-b.patch @@ -0,0 +1,53 @@ +From 0c4a71224d49e778b4a2c683c63de52a0876de69 Mon Sep 17 00:00:00 2001 +From: Victor Zhestkov +Date: Tue, 12 Apr 2022 10:08:17 +0300 +Subject: [PATCH] Fix regression with depending client.ssh on psutil + (bsc#1197533) + +--- + salt/client/ssh/__init__.py | 14 ++++++++++++-- + 1 file changed, 12 insertions(+), 2 deletions(-) + +diff --git a/salt/client/ssh/__init__.py b/salt/client/ssh/__init__.py +index 6d24d8d716..396f9457f2 100644 +--- a/salt/client/ssh/__init__.py ++++ b/salt/client/ssh/__init__.py +@@ -12,7 +12,6 @@ import hashlib + import logging + import multiprocessing + import os +-import psutil + import queue + import re + import shlex +@@ -407,6 +406,16 @@ class SSH: + self.__parsed_rosters[self.ROSTER_UPDATE_FLAG] = False + return + ++ def _pid_exists(self, pid): ++ """ ++ Check if specified pid is alive ++ """ ++ try: ++ os.kill(pid, 0) ++ except OSError: ++ return False ++ return True ++ + def _update_roster(self, hostname=None, user=None): + """ + Update default flat roster with the passed in information. +@@ -626,7 +635,8 @@ class SSH: + pid_running = ( + False + if cached_session["pid"] == 0 +- else cached_session.get("running", False) or psutil.pid_exists(cached_session["pid"]) ++ else cached_session.get("running", False) ++ or self._pid_exists(cached_session["pid"]) + ) + if ( + pid_running and prev_session_running < self.max_pid_wait +-- +2.35.1 + + diff --git a/fixes-for-python-3.10-502.patch b/fixes-for-python-3.10-502.patch new file mode 100644 index 0000000..39ab5a6 --- /dev/null +++ b/fixes-for-python-3.10-502.patch @@ -0,0 +1,94 @@ +From efcf52ad6b7edf64e6a2eaead99c8df5894ab613 Mon Sep 17 00:00:00 2001 +From: Victor Zhestkov +Date: Tue, 5 Apr 2022 12:04:46 +0300 +Subject: [PATCH] Fixes for Python 3.10 (#502) + +* Fix _compat.py importlib logic for Python 3.10 + +Use the same logic in _compat.py and entrypoints.py to load +the same importlib.metadata. Python's built in implementation for +Python >= 3.10 and the Salt one for others. + +* Use collections.abc.Mapping instead collections.Mapping in state + +Co-authored-by: piterpunk +--- + salt/_compat.py | 30 +++++++++++++++++------------- + salt/state.py | 5 +++-- + 2 files changed, 20 insertions(+), 15 deletions(-) + +diff --git a/salt/_compat.py b/salt/_compat.py +index 8149657bea..a402f17a3c 100644 +--- a/salt/_compat.py ++++ b/salt/_compat.py +@@ -11,19 +11,23 @@ if sys.version_info >= (3, 9, 5): + else: + import salt.ext.ipaddress as ipaddress + ++if sys.version_info >= (3, 10): ++ # Python 3.10 will include a fix in importlib.metadata which allows us to ++ # get the distribution of a loaded entry-point ++ import importlib.metadata # pylint: disable=no-member,no-name-in-module ++else: ++ # importlib_metadata before version 3.3.0 does not include the functionality we need. ++ try: ++ import importlib_metadata + +-# importlib_metadata before version 3.3.0 does not include the functionality we need. +-try: +- import importlib_metadata +- +- importlib_metadata_version = [ +- int(part) +- for part in importlib_metadata.version("importlib_metadata").split(".") +- if part.isdigit() +- ] +- if tuple(importlib_metadata_version) < (3, 3, 0): ++ importlib_metadata_version = [ ++ int(part) ++ for part in importlib_metadata.version("importlib_metadata").split(".") ++ if part.isdigit() ++ ] ++ if tuple(importlib_metadata_version) < (3, 3, 0): ++ # Use the vendored importlib_metadata ++ import salt.ext.importlib_metadata as importlib_metadata ++ except ImportError: + # Use the vendored importlib_metadata + import salt.ext.importlib_metadata as importlib_metadata +-except ImportError: +- # Use the vendored importlib_metadata +- import salt.ext.importlib_metadata as importlib_metadata +diff --git a/salt/state.py b/salt/state.py +index 3361a537cd..b759c8e0ee 100644 +--- a/salt/state.py ++++ b/salt/state.py +@@ -12,7 +12,6 @@ The data sent to the state calls is as follows: + """ + + +-import collections + import copy + import datetime + import fnmatch +@@ -26,6 +25,8 @@ import sys + import time + import traceback + ++from collections.abc import Mapping ++ + import salt.fileclient + import salt.loader + import salt.minion +@@ -3276,7 +3277,7 @@ class State: + """ + for chunk in high: + state = high[chunk] +- if not isinstance(state, collections.Mapping): ++ if not isinstance(state, Mapping): + continue + for state_ref in state: + needs_default = True +-- +2.35.1 + + diff --git a/prevent-affection-of-ssh.opts-with-lazyloader-bsc-11.patch b/prevent-affection-of-ssh.opts-with-lazyloader-bsc-11.patch new file mode 100644 index 0000000..48cb0cf --- /dev/null +++ b/prevent-affection-of-ssh.opts-with-lazyloader-bsc-11.patch @@ -0,0 +1,174 @@ +From c86432645863a21da589346ad587b610ab51a2a9 Mon Sep 17 00:00:00 2001 +From: Victor Zhestkov +Date: Tue, 12 Apr 2022 10:06:43 +0300 +Subject: [PATCH] Prevent affection of SSH.opts with LazyLoader + (bsc#1197637) + +* Prevent affection SSH.opts with LazyLoader + +* Restore parsed targets + +* Fix test_ssh unit tests +--- + salt/client/ssh/__init__.py | 19 +++++++++++-------- + tests/unit/client/test_ssh.py | 16 ++++++++-------- + 2 files changed, 19 insertions(+), 16 deletions(-) + +diff --git a/salt/client/ssh/__init__.py b/salt/client/ssh/__init__.py +index bc77eb700e..6d24d8d716 100644 +--- a/salt/client/ssh/__init__.py ++++ b/salt/client/ssh/__init__.py +@@ -225,15 +225,16 @@ class SSH: + ROSTER_UPDATE_FLAG = "#__needs_update" + + def __init__(self, opts, context=None): ++ self.opts = copy.deepcopy(opts) ++ self.sopts = copy.deepcopy(self.opts) + self.__parsed_rosters = {SSH.ROSTER_UPDATE_FLAG: True} +- pull_sock = os.path.join(opts["sock_dir"], "master_event_pull.ipc") ++ pull_sock = os.path.join(self.opts["sock_dir"], "master_event_pull.ipc") + if os.path.exists(pull_sock) and zmq: + self.event = salt.utils.event.get_event( +- "master", opts["sock_dir"], opts["transport"], opts=opts, listen=False ++ "master", self.opts["sock_dir"], self.opts["transport"], opts=self.opts, listen=False + ) + else: + self.event = None +- self.opts = opts + if self.opts["regen_thin"]: + self.opts["ssh_wipe"] = True + if not salt.utils.path.which("ssh"): +@@ -244,7 +245,7 @@ class SSH: + " to run. Exiting." + ), + ) +- self.opts["_ssh_version"] = ssh_version() ++ self.sopts["_ssh_version"] = ssh_version() + self.tgt_type = ( + self.opts["selected_target_option"] + if self.opts["selected_target_option"] +@@ -341,6 +342,9 @@ class SSH: + self.opts["cachedir"], "salt-ssh.session.lock" + ) + self.ssh_session_grace_time = int(self.opts.get("ssh_session_grace_time", 1)) ++ self.sopts["tgt"] = copy.deepcopy(self.opts["tgt"]) ++ self.sopts["ssh_cli_tgt"] = copy.deepcopy(self.opts["ssh_cli_tgt"]) ++ self.opts = self.sopts + + @property + def parse_tgt(self): +@@ -594,7 +598,6 @@ class SSH: + Spin up the needed threads or processes and execute the subsequent + routines + """ +- opts = copy.deepcopy(self.opts) + que = multiprocessing.Queue() + running = {} + targets_queue = deque(self.targets.keys()) +@@ -605,7 +608,7 @@ class SSH: + if not self.targets: + log.error("No matching targets found in roster.") + break +- if len(running) < opts.get("ssh_max_procs", 25) and not init: ++ if len(running) < self.opts.get("ssh_max_procs", 25) and not init: + if targets_queue: + host = targets_queue.popleft() + else: +@@ -669,7 +672,7 @@ class SSH: + continue + args = ( + que, +- opts, ++ self.opts, + host, + self.targets[host], + mine, +@@ -763,7 +766,7 @@ class SSH: + if len(rets) >= len(self.targets): + break + # Sleep when limit or all threads started +- if len(running) >= opts.get("ssh_max_procs", 25) or len( ++ if len(running) >= self.opts.get("ssh_max_procs", 25) or len( + self.targets + ) >= len(running): + time.sleep(0.1) +diff --git a/tests/unit/client/test_ssh.py b/tests/unit/client/test_ssh.py +index 23cb3d0700..5003500de1 100644 +--- a/tests/unit/client/test_ssh.py ++++ b/tests/unit/client/test_ssh.py +@@ -95,7 +95,7 @@ class SSHReturnEventTests(ShellCase): + assert "localhost" in ret + assert "fun" in ret["localhost"] + client.run() +- display_output.assert_called_once_with(expected, "nested", opts) ++ display_output.assert_called_once_with(expected, "nested", client.opts) + self.assertIs(ret, handle_ssh_ret[0]) + assert len(client.event.fire_event.call_args_list) == 2 + assert "fun" in client.event.fire_event.call_args_list[0][0][0] +@@ -539,7 +539,7 @@ class SSHTests(ShellCase): + MagicMock(return_value=salt.utils.yaml.safe_load(self.roster)), + ): + client._expand_target() +- assert opts["tgt"] == host ++ assert client.opts["tgt"] == host + + def test_expand_target_dns(self): + """ +@@ -562,7 +562,7 @@ class SSHTests(ShellCase): + MagicMock(return_value=salt.utils.yaml.safe_load(self.roster)), + ): + client._expand_target() +- assert opts["tgt"] == host ++ assert client.opts["tgt"] == host + + def test_expand_target_no_user(self): + """ +@@ -602,7 +602,7 @@ class SSHTests(ShellCase): + client = ssh.SSH(opts) + assert opts["tgt"] == user + host + client._update_targets() +- assert opts["tgt"] == host ++ assert client.opts["tgt"] == host + assert client.targets[host]["user"] == user.split("@")[0] + + def test_update_targets_dns(self): +@@ -620,7 +620,7 @@ class SSHTests(ShellCase): + client = ssh.SSH(opts) + assert opts["tgt"] == user + host + client._update_targets() +- assert opts["tgt"] == host ++ assert client.opts["tgt"] == host + assert client.targets[host]["user"] == user.split("@")[0] + + def test_update_targets_no_user(self): +@@ -661,7 +661,7 @@ class SSHTests(ShellCase): + ): + client._expand_target() + client._update_targets() +- assert opts["tgt"] == host ++ assert client.opts["tgt"] == host + assert client.targets[host]["user"] == user.split("@")[0] + + def test_parse_tgt(self): +@@ -681,7 +681,7 @@ class SSHTests(ShellCase): + client = ssh.SSH(opts) + assert client.parse_tgt["hostname"] == host + assert client.parse_tgt["user"] == user.split("@")[0] +- assert self.opts.get("ssh_cli_tgt") == user + host ++ assert client.opts.get("ssh_cli_tgt") == user + host + + def test_parse_tgt_no_user(self): + """ +@@ -700,7 +700,7 @@ class SSHTests(ShellCase): + client = ssh.SSH(opts) + assert client.parse_tgt["hostname"] == host + assert client.parse_tgt["user"] == opts["ssh_user"] +- assert self.opts.get("ssh_cli_tgt") == host ++ assert client.opts.get("ssh_cli_tgt") == host + + def test_extra_filerefs(self): + """ +-- +2.35.1 + + diff --git a/salt.changes b/salt.changes index 9e91cf7..4d7f357 100644 --- a/salt.changes +++ b/salt.changes @@ -1,3 +1,23 @@ +------------------------------------------------------------------- +Tue Apr 12 09:21:38 UTC 2022 - Victor Zhestkov + +- Prevent data pollution between actions proceesed + at the same time (bsc#1197637) +- Fix regression preventing bootstrapping new clients + caused by redundant dependency on psutil (bsc#1197533) + +- Added: + * fix-regression-with-depending-client.ssh-on-psutil-b.patch + * prevent-affection-of-ssh.opts-with-lazyloader-bsc-11.patch + +------------------------------------------------------------------- +Tue Apr 5 09:29:14 UTC 2022 - Victor Zhestkov + +- Fixes for Python 3.10 + +- Added: + * fixes-for-python-3.10-502.patch + ------------------------------------------------------------------- Thu Mar 31 11:16:01 UTC 2022 - Victor Zhestkov @@ -10,10 +30,10 @@ Thu Mar 31 11:16:01 UTC 2022 - Victor Zhestkov Thu Mar 31 08:34:58 UTC 2022 - Pablo Suárez Hernández - Fix multiple security issues (bsc#1197417) -- * Sign authentication replies to prevent MiTM (CVE-2022-22935) -- * Sign pillar data to prevent MiTM attacks. (CVE-2022-22934) -- * Prevent job and fileserver replays (CVE-2022-22936) -- * Fixed targeting bug, especially visible when using syndic and user auth. (CVE-2022-22941) + * Sign authentication replies to prevent MiTM (CVE-2022-22935) + * Sign pillar data to prevent MiTM attacks. (CVE-2022-22934) + * Prevent job and fileserver replays (CVE-2022-22936) + * Fixed targeting bug, especially visible when using syndic and user auth. (CVE-2022-22941) - Added: * fix-multiple-security-issues-bsc-1197417.patch diff --git a/salt.spec b/salt.spec index 3648044..534d8a3 100644 --- a/salt.spec +++ b/salt.spec @@ -296,6 +296,15 @@ Patch75: fix-multiple-security-issues-bsc-1197417.patch # PATCH-FIX_OPENSUSE: https://github.com/openSUSE/salt/pull/501 Patch76: fix-salt-ssh-opts-poisoning-bsc-1197637-3004-501.patch +# PATCH-FIX_UPSTREAM: https://github.com/saltstack/salt/pull/61064 +Patch77: fixes-for-python-3.10-502.patch + +# PATCH-FIX_OPENSUSE: https://github.com/openSUSE/salt/pull/505 +Patch78: prevent-affection-of-ssh.opts-with-lazyloader-bsc-11.patch + +# PATCH-FIX_OPENSUSE: https://github.com/openSUSE/salt/pull/506 +Patch79: fix-regression-with-depending-client.ssh-on-psutil-b.patch + BuildRoot: %{_tmppath}/%{name}-%{version}-build BuildRequires: logrotate