Accepting request 876003 from systemsmanagement:saltstack

Fix for multiple Salt CVEs

OBS-URL: https://build.opensuse.org/request/show/876003
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/salt?expand=0&rev=115

_lastrevision

@@ -1 +1 @@
-98a9fb14263d76c4873bc68f208aeee04b583044
+20438f0fbeca551fd5a04babf1a686a5455c2ce3

add-sleep-on-exception-handling-on-minion-connection.patch

@@ -0,0 +1,41 @@
+From aafa76ddd04114f699d760577681db75579685d7 Mon Sep 17 00:00:00 2001
+From: Victor Zhestkov <35733135+vzhestkov@users.noreply.github.com>
+Date: Thu, 18 Feb 2021 14:49:38 +0300
+Subject: [PATCH] Add sleep on exception handling on minion connection
+ attempt to the master (bsc#1174855) (#321)
+
+* Async batch implementation fix
+
+* Add sleep on exception handling on minion connection attempt to the master (bsc#1174855)
+---
+ salt/minion.py | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/salt/minion.py b/salt/minion.py
+index 4da665a130..dacff1e0a9 100644
+--- a/salt/minion.py
++++ b/salt/minion.py
+@@ -1123,6 +1123,9 @@ class MinionManager(MinionBase):
+         last = 0  # never have we signed in
+         auth_wait = minion.opts["acceptance_wait_time"]
+         failed = False
++        retry_wait = 1
++        retry_wait_inc = 1
++        max_retry_wait = 20
+         while True:
+             try:
+                 if minion.opts.get("beacons_before_connect", False):
+@@ -1158,6 +1161,9 @@ class MinionManager(MinionBase):
+                     minion.opts["master"],
+                     exc_info=True,
+                 )
++                yield salt.ext.tornado.gen.sleep(retry_wait)
++                if retry_wait < max_retry_wait:
++                    retry_wait += retry_wait_inc
+ 
+     # Multi Master Tune In
+     def tune_in(self):
+-- 
+2.29.2
+
+

allow-extra_filerefs-as-sanitized-kwargs-for-ssh-cli.patch

@@ -0,0 +1,28 @@
+From 5e8a9c9eaa18c53b259a3bb1da8df51f5382ed6b Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Pablo=20Su=C3=A1rez=20Hern=C3=A1ndez?=
+ <psuarezhernandez@suse.com>
+Date: Mon, 22 Feb 2021 11:39:19 +0000
+Subject: [PATCH] Allow extra_filerefs as sanitized kwargs for SSH
+ client
+
+(cherry picked from commit 89f843398849633af52cceab2155e9cedf8ad3dd)
+---
+ salt/client/ssh/client.py | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/salt/client/ssh/client.py b/salt/client/ssh/client.py
+index 2cf42f53e7..3631c3bb67 100644
+--- a/salt/client/ssh/client.py
++++ b/salt/client/ssh/client.py
+@@ -60,6 +60,7 @@ class SSHClient:
+             ("rosters", list),
+             ("ignore_host_keys", bool),
+             ("raw_shell", bool),
++            ("extra_filerefs", str),
+         ]
+         sane_kwargs = {}
+         for name, kind in roster_vals:
+-- 
+2.30.1
+
+

async-batch-implementation-fix-320.patch

@@ -0,0 +1,69 @@
+From 843c76e5889659ec80fea3f39b750b9f907a902d Mon Sep 17 00:00:00 2001
+From: Victor Zhestkov <35733135+vzhestkov@users.noreply.github.com>
+Date: Wed, 17 Feb 2021 16:47:11 +0300
+Subject: [PATCH] Async batch implementation fix (#320)
+
+---
+ salt/client/__init__.py | 38 --------------------------------------
+ 1 file changed, 38 deletions(-)
+
+diff --git a/salt/client/__init__.py b/salt/client/__init__.py
+index cc8fd4048d..ddb437604b 100644
+--- a/salt/client/__init__.py
++++ b/salt/client/__init__.py
+@@ -534,12 +534,6 @@ class LocalClient:
+             {'dave': {...}}
+             {'stewart': {...}}
+         """
+-        # We need to re-import salt.utils.args here
+-        # even though it has already been imported.
+-        # when cmd_batch is called via the NetAPI
+-        # the module is unavailable.
+-        import salt.utils.args
+-
+         # Late import - not used anywhere else in this file
+         import salt.cli.batch
+ 
+@@ -557,38 +551,6 @@ class LocalClient:
+ 
+         eauth = salt.cli.batch.batch_get_eauth(kwargs)
+ 
+-        arg = salt.utils.args.condition_input(arg, kwarg)
+-        opts = {
+-            "tgt": tgt,
+-            "fun": fun,
+-            "arg": arg,
+-            "tgt_type": tgt_type,
+-            "ret": ret,
+-            "batch": batch,
+-            "failhard": kwargs.get("failhard", self.opts.get("failhard", False)),
+-            "raw": kwargs.get("raw", False),
+-        }
+-
+-        if "timeout" in kwargs:
+-            opts["timeout"] = kwargs["timeout"]
+-        if "gather_job_timeout" in kwargs:
+-            opts["gather_job_timeout"] = kwargs["gather_job_timeout"]
+-        if "batch_wait" in kwargs:
+-            opts["batch_wait"] = int(kwargs["batch_wait"])
+-
+-        eauth = {}
+-        if "eauth" in kwargs:
+-            eauth["eauth"] = kwargs.pop("eauth")
+-        if "username" in kwargs:
+-            eauth["username"] = kwargs.pop("username")
+-        if "password" in kwargs:
+-            eauth["password"] = kwargs.pop("password")
+-        if "token" in kwargs:
+-            eauth["token"] = kwargs.pop("token")
+-
+-        for key, val in self.opts.items():
+-            if key not in opts:
+-                opts[key] = val
+         batch = salt.cli.batch.Batch(opts, eauth=eauth, quiet=True)
+         for ret in batch.run():
+             yield ret
+-- 
+2.30.0
+
+

fix-regression-on-cmd.run-when-passing-tuples-as-cmd.patch

@@ -0,0 +1,29 @@
+From d8538a57553d94290870671db1d5a4fcd4d7e709 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Pablo=20Su=C3=A1rez=20Hern=C3=A1ndez?=
+ <psuarezhernandez@suse.com>
+Date: Fri, 26 Feb 2021 09:15:03 +0000
+Subject: [PATCH] Fix regression on cmd.run when passing tuples as cmd
+ (bsc#1182740)
+
+(cherry picked from commit 9a76246adedb60e24a75682077654a352a965cb9)
+---
+ salt/modules/cmdmod.py | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/salt/modules/cmdmod.py b/salt/modules/cmdmod.py
+index bbc303c3f8..f24e7cc9ae 100644
+--- a/salt/modules/cmdmod.py
++++ b/salt/modules/cmdmod.py
+@@ -78,7 +78,7 @@ def __virtual__():
+ 
+ 
+ def _log_cmd(cmd):
+-    if not isinstance(cmd, list):
++    if isinstance(cmd, str):
+         return cmd.split()[0].strip()
+     return cmd[0].strip()
+ 
+-- 
+2.30.1
+
+

fixes-56144-to-enable-hotadd-profile-support.patch

@@ -0,0 +1,63 @@
+From 5761a11227c8d78df62d1a1552a50c0a4b76ae33 Mon Sep 17 00:00:00 2001
+From: nicholasmhughes <nicholasmhughes@gmail.com>
+Date: Fri, 14 Feb 2020 22:03:42 -0500
+Subject: [PATCH] fixes #56144 to enable hotadd profile support
+
+---
+ doc/topics/cloud/vmware.rst |  8 ++++++++
+ salt/cloud/clouds/vmware.py | 12 ++++++++++++
+ 2 files changed, 20 insertions(+)
+
+diff --git a/doc/topics/cloud/vmware.rst b/doc/topics/cloud/vmware.rst
+index e4cb607e8d..0ac7c255a8 100644
+--- a/doc/topics/cloud/vmware.rst
++++ b/doc/topics/cloud/vmware.rst
+@@ -457,6 +457,14 @@ Set up an initial profile at ``/etc/salt/cloud.profiles`` or
+     Specifies whether the new virtual machine should be powered on or not. If
+     ``template: True`` is set, this field is ignored. Default is ``power_on: True``.
+ 
++``cpu_hot_add``
++    Boolean value that enables hot-add support for modifying CPU resources while
++    the guest is powered on.
++
++``mem_hot_add``
++    Boolean value that enables hot-add support for modifying memory resources while
++    the guest is powered on.
++
+ ``extra_config``
+     Specifies the additional configuration information for the virtual machine. This
+     describes a set of modifications to the additional options. If the key is already
+diff --git a/salt/cloud/clouds/vmware.py b/salt/cloud/clouds/vmware.py
+index 5ebf448abc..edaca9618b 100644
+--- a/salt/cloud/clouds/vmware.py
++++ b/salt/cloud/clouds/vmware.py
+@@ -2824,6 +2824,12 @@ def create(vm_):
+     win_run_once = config.get_cloud_config_value(
+         "win_run_once", vm_, __opts__, search_global=False, default=None
+     )
++    cpu_hot_add = config.get_cloud_config_value(
++        'cpu_hot_add', vm_, __opts__, search_global=False, default=None
++    )
++    mem_hot_add = config.get_cloud_config_value(
++        'mem_hot_add', vm_, __opts__, search_global=False, default=None
++    )
+ 
+     # Get service instance object
+     si = _get_si()
+@@ -3042,6 +3048,12 @@ def create(vm_):
+         )
+         config_spec.deviceChange = specs["device_specs"]
+ 
++    if cpu_hot_add and hasattr(config_spec, 'cpuHotAddEnabled'):
++        config_spec.cpuHotAddEnabled = bool(cpu_hot_add)
++
++    if mem_hot_add and hasattr(config_spec, 'memoryHotAddEnabled'):
++        config_spec.memoryHotAddEnabled = bool(mem_hot_add)
++
+     if extra_config:
+         for key, value in six.iteritems(extra_config):
+             option = vim.option.OptionValue(key=key, value=value)
+-- 
+2.29.2
+
+

salt.changes

@@ -1,3 +1,33 @@
+-------------------------------------------------------------------
+Mon Mar  1 11:21:01 UTC 2021 - Alexander Graul <alexander.graul@suse.com>
+
+- Allow extra_filerefs as sanitized kwargs for SSH client
+- Fix regression on cmd.run when passing tuples as cmd (bsc#1182740)
+- Fix for multiple for security issues
+  (CVE-2020-28243) (CVE-2020-28972) (CVE-2020-35662) (CVE-2021-3148) (CVE-2021-3144)
+  (CVE-2021-25281) (CVE-2021-25282) (CVE-2021-25283) (CVE-2021-25284) (CVE-2021-3197)
+  (bsc#1181550) (bsc#1181556) (bsc#1181557) (bsc#1181558) (bsc#1181559) (bsc#1181560)
+  (bsc#1181561) (bsc#1181562) (bsc#1181563) (bsc#1181564) (bsc#1181565)
+- Implementation of suse_ip execution module to prevent issues with network.managed (bsc#1099976)
+- Add sleep on exception handling on minion connection attempt to the master (bsc#1174855)
+- Allows for the VMware provider to handle CPU and memory hot-add in newer versions of the software. (bsc#1181347)
+- Always require python-certifi (used by salt.ext.tornado)
+- Bring missing part of async batch implementation back (bsc#1182382) (CVE-2021-25315)
+
+- Added:
+  * implementation-of-suse_ip-execution-module-bsc-10999.patch
+  * fix-regression-on-cmd.run-when-passing-tuples-as-cmd.patch
+  * async-batch-implementation-fix-320.patch
+  * add-sleep-on-exception-handling-on-minion-connection.patch
+  * allow-extra_filerefs-as-sanitized-kwargs-for-ssh-cli.patch
+  * fix-for-some-cves-bsc1181550.patch
+  * fixes-56144-to-enable-hotadd-profile-support.patch
+
+-------------------------------------------------------------------
+Tue Feb 16 17:10:30 UTC 2021 - Alexander Graul <alexander.graul@suse.com>
+
+- Always require python3-distro (bsc#1182293)
+
 -------------------------------------------------------------------
 Thu Feb 11 16:02:59 UTC 2021 - Pablo Suárez Hernández <pablo.suarezhernandez@suse.com>
 

salt.spec

@@ -359,6 +359,20 @@ Patch148:     virt-uefi-fix-backport-312.patch
 Patch149:     3002.2-xen-spicevmc-dns-srv-records-backports-314.patch
 # PATCH-FIX_UPSTREAM: https://github.com/saltstack/salt/pull/59485
 Patch150:     open-suse-3002.2-xen-grub-316.patch
+# PATCH-FIX_OPENSUSE: https://github.com/openSUSE/salt/pull/320
+Patch151:     async-batch-implementation-fix-320.patch
+# PATCH-FIX_UPSTREAM: https://github.com/saltstack/salt/pull/56173
+Patch152:     fixes-56144-to-enable-hotadd-profile-support.patch
+# PATCH-FIX_OPENSUSE: https://github.com/openSUSE/salt/pull/307
+Patch153:     add-sleep-on-exception-handling-on-minion-connection.patch
+# PATCH-FIX_OPENSUSE: https://github.com/openSUSE/salt/pull/323
+Patch154:     implementation-of-suse_ip-execution-module-bsc-10999.patch
+# PATCH-FIX_UPSTREAM: no PR to link to yet
+Patch155:     fix-for-some-cves-bsc1181550.patch
+# PATCH-FIX_UPSTREAM: no PR to link to yet
+Patch156:     allow-extra_filerefs-as-sanitized-kwargs-for-ssh-cli.patch
+# PATCH-FIX_UPSTREAM: no PR to link to yet
+Patch157:     fix-regression-on-cmd.run-when-passing-tuples-as-cmd.patch
 
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
 BuildRequires:  logrotate
@@ -458,7 +472,6 @@ BuildRequires:  python3-MarkupSafe
 BuildRequires:  python3-msgpack-python > 0.3
 BuildRequires:  python3-pyzmq >= 2.2.0
 %if 0%{?suse_version} >= 1500
-BuildRequires:  python3-distro
 BuildRequires:  python3-M2Crypto
 %else
 BuildRequires:  python3-pycrypto >= 2.6.1
@@ -467,6 +480,7 @@ BuildRequires:  python3-pycrypto >= 2.6.1
 BuildRequires:  python3-PyYAML
 BuildRequires:  python3-psutil
 BuildRequires:  python3-requests >= 1.0.0
+BuildRequires:  python3-distro
 
 # requirements/zeromq.txt
 %if %{with test}
@@ -486,10 +500,7 @@ Requires:       platform-python
 %else
 Requires:       python3
 %endif
-#
-%if ! 0%{?suse_version} > 1110
 Requires:       python3-certifi
-%endif
 # requirements/base.txt
 %if 0%{?rhel} || 0%{?fedora}
 Requires:       python3-jinja2
@@ -510,7 +521,6 @@ Requires:       python3-Jinja2
 Requires:       python3-MarkupSafe
 Requires:       python3-msgpack-python > 0.3
 %if 0%{?suse_version} >= 1500
-Requires:       python3-distro
 Requires:       python3-M2Crypto
 %else
 Requires:       python3-pycrypto >= 2.6.1
@@ -520,6 +530,7 @@ Requires:       python3-pyzmq >= 2.2.0
 Requires:       python3-PyYAML
 Requires:       python3-psutil
 Requires:       python3-requests >= 1.0.0
+Requires:       python3-distro
 %if 0%{?suse_version}
 # required for zypper.py
 Requires:       python3-rpm
@@ -908,6 +919,13 @@ cp %{S:5} ./.travis.yml
 %patch148 -p1
 %patch149 -p1
 %patch150 -p1
+%patch151 -p1
+%patch152 -p1
+%patch153 -p1
+%patch154 -p1
+%patch155 -p1
+%patch156 -p1
+%patch157 -p1
 
 %build
 # Putting /usr/bin at the front of $PATH is needed for RHEL/RES 7. Without this