rpm/salt
SHA256
1
0
Fork 0
forked from pool/salt
Code Pull Requests Activity

Accepting request 876003 from systemsmanagement:saltstack

Browse Source 
Fix for multiple Salt CVEs

OBS-URL: https://build.opensuse.org/request/show/876003
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/salt?expand=0&rev=115
This commit is contained in:
Dominique Leuenberger 2021-03-10 07:48:52 +00:00 committed by Git OBS Bridge
commit b4355e7126
10 changed files with 6936 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
_lastrevision
View File

@ -1 +1 @@
98a9fb14263d76c4873bc68f208aeee04b583044 20438f0fbeca551fd5a04babf1a686a5455c2ce3

41
add-sleep-on-exception-handling-on-minion-connection.patch Normal file
View File

@ -0,0 +1,41 @@
From aafa76ddd04114f699d760577681db75579685d7 Mon Sep 17 00:00:00 2001
From: Victor Zhestkov <35733135+vzhestkov@users.noreply.github.com>
Date: Thu, 18 Feb 2021 14:49:38 +0300
Subject: [PATCH] Add sleep on exception handling on minion connection
attempt to the master (bsc#1174855) (#321)
* Async batch implementation fix
* Add sleep on exception handling on minion connection attempt to the master (bsc#1174855)
---
salt/minion.py | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/salt/minion.py b/salt/minion.py
index 4da665a130..dacff1e0a9 100644
--- a/salt/minion.py
+++ b/salt/minion.py
@@ -1123,6 +1123,9 @@ class MinionManager(MinionBase):
last = 0 # never have we signed in
auth_wait = minion.opts["acceptance_wait_time"]
failed = False
+ retry_wait = 1
+ retry_wait_inc = 1
+ max_retry_wait = 20
while True:
try:
if minion.opts.get("beacons_before_connect", False):
@@ -1158,6 +1161,9 @@ class MinionManager(MinionBase):
minion.opts["master"],
exc_info=True,
)
+ yield salt.ext.tornado.gen.sleep(retry_wait)
+ if retry_wait < max_retry_wait:
+ retry_wait += retry_wait_inc
# Multi Master Tune In
def tune_in(self):
--
2.29.2

28
allow-extra_filerefs-as-sanitized-kwargs-for-ssh-cli.patch Normal file
View File

@ -0,0 +1,28 @@
From 5e8a9c9eaa18c53b259a3bb1da8df51f5382ed6b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pablo=20Su=C3=A1rez=20Hern=C3=A1ndez?=
<psuarezhernandez@suse.com>
Date: Mon, 22 Feb 2021 11:39:19 +0000
Subject: [PATCH] Allow extra_filerefs as sanitized kwargs for SSH
client
(cherry picked from commit 89f843398849633af52cceab2155e9cedf8ad3dd)
---
salt/client/ssh/client.py | 1 +
1 file changed, 1 insertion(+)
diff --git a/salt/client/ssh/client.py b/salt/client/ssh/client.py
index 2cf42f53e7..3631c3bb67 100644
--- a/salt/client/ssh/client.py
+++ b/salt/client/ssh/client.py
@@ -60,6 +60,7 @@ class SSHClient:
("rosters", list),
("ignore_host_keys", bool),
("raw_shell", bool),
+ ("extra_filerefs", str),
]
sane_kwargs = {}
for name, kind in roster_vals:
--
2.30.1

69
async-batch-implementation-fix-320.patch Normal file
View File

@ -0,0 +1,69 @@
From 843c76e5889659ec80fea3f39b750b9f907a902d Mon Sep 17 00:00:00 2001
From: Victor Zhestkov <35733135+vzhestkov@users.noreply.github.com>
Date: Wed, 17 Feb 2021 16:47:11 +0300
Subject: [PATCH] Async batch implementation fix (#320)
---
salt/client/__init__.py | 38 --------------------------------------
1 file changed, 38 deletions(-)
diff --git a/salt/client/__init__.py b/salt/client/__init__.py
index cc8fd4048d..ddb437604b 100644
--- a/salt/client/__init__.py
+++ b/salt/client/__init__.py
@@ -534,12 +534,6 @@ class LocalClient:
{'dave': {...}}
{'stewart': {...}}
"""
- # We need to re-import salt.utils.args here
- # even though it has already been imported.
- # when cmd_batch is called via the NetAPI
- # the module is unavailable.
- import salt.utils.args
-
# Late import - not used anywhere else in this file
import salt.cli.batch
@@ -557,38 +551,6 @@ class LocalClient:
eauth = salt.cli.batch.batch_get_eauth(kwargs)
- arg = salt.utils.args.condition_input(arg, kwarg)
- opts = {
- "tgt": tgt,
- "fun": fun,
- "arg": arg,
- "tgt_type": tgt_type,
- "ret": ret,
- "batch": batch,
- "failhard": kwargs.get("failhard", self.opts.get("failhard", False)),
- "raw": kwargs.get("raw", False),
- }
-
- if "timeout" in kwargs:
- opts["timeout"] = kwargs["timeout"]
- if "gather_job_timeout" in kwargs:
- opts["gather_job_timeout"] = kwargs["gather_job_timeout"]
- if "batch_wait" in kwargs:
- opts["batch_wait"] = int(kwargs["batch_wait"])
-
- eauth = {}
- if "eauth" in kwargs:
- eauth["eauth"] = kwargs.pop("eauth")
- if "username" in kwargs:
- eauth["username"] = kwargs.pop("username")
- if "password" in kwargs:
- eauth["password"] = kwargs.pop("password")
- if "token" in kwargs:
- eauth["token"] = kwargs.pop("token")
-
- for key, val in self.opts.items():
- if key not in opts:
- opts[key] = val
batch = salt.cli.batch.Batch(opts, eauth=eauth, quiet=True)
for ret in batch.run():
yield ret
--
2.30.0

5284
fix-for-some-cves-bsc1181550.patch Normal file
View File

File diff suppressed because it is too large Load Diff

29
fix-regression-on-cmd.run-when-passing-tuples-as-cmd.patch Normal file
View File

@ -0,0 +1,29 @@
From d8538a57553d94290870671db1d5a4fcd4d7e709 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pablo=20Su=C3=A1rez=20Hern=C3=A1ndez?=
<psuarezhernandez@suse.com>
Date: Fri, 26 Feb 2021 09:15:03 +0000
Subject: [PATCH] Fix regression on cmd.run when passing tuples as cmd
(bsc#1182740)
(cherry picked from commit 9a76246adedb60e24a75682077654a352a965cb9)
---
salt/modules/cmdmod.py | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/salt/modules/cmdmod.py b/salt/modules/cmdmod.py
index bbc303c3f8..f24e7cc9ae 100644
--- a/salt/modules/cmdmod.py
+++ b/salt/modules/cmdmod.py
@@ -78,7 +78,7 @@ def __virtual__():
def _log_cmd(cmd):
- if not isinstance(cmd, list):
+ if isinstance(cmd, str):
return cmd.split()[0].strip()
return cmd[0].strip()
--
2.30.1

63
fixes-56144-to-enable-hotadd-profile-support.patch Normal file
View File

@ -0,0 +1,63 @@
From 5761a11227c8d78df62d1a1552a50c0a4b76ae33 Mon Sep 17 00:00:00 2001
From: nicholasmhughes <nicholasmhughes@gmail.com>
Date: Fri, 14 Feb 2020 22:03:42 -0500
Subject: [PATCH] fixes #56144 to enable hotadd profile support
---
doc/topics/cloud/vmware.rst | 8 ++++++++
salt/cloud/clouds/vmware.py | 12 ++++++++++++
2 files changed, 20 insertions(+)
diff --git a/doc/topics/cloud/vmware.rst b/doc/topics/cloud/vmware.rst
index e4cb607e8d..0ac7c255a8 100644
--- a/doc/topics/cloud/vmware.rst
+++ b/doc/topics/cloud/vmware.rst
@@ -457,6 +457,14 @@ Set up an initial profile at ``/etc/salt/cloud.profiles`` or
Specifies whether the new virtual machine should be powered on or not. If
``template: True`` is set, this field is ignored. Default is ``power_on: True``.
+``cpu_hot_add``
+ Boolean value that enables hot-add support for modifying CPU resources while
+ the guest is powered on.
+
+``mem_hot_add``
+ Boolean value that enables hot-add support for modifying memory resources while
+ the guest is powered on.
+
``extra_config``
Specifies the additional configuration information for the virtual machine. This
describes a set of modifications to the additional options. If the key is already
diff --git a/salt/cloud/clouds/vmware.py b/salt/cloud/clouds/vmware.py
index 5ebf448abc..edaca9618b 100644
--- a/salt/cloud/clouds/vmware.py
+++ b/salt/cloud/clouds/vmware.py
@@ -2824,6 +2824,12 @@ def create(vm_):
win_run_once = config.get_cloud_config_value(
"win_run_once", vm_, __opts__, search_global=False, default=None
)
+ cpu_hot_add = config.get_cloud_config_value(
+ 'cpu_hot_add', vm_, __opts__, search_global=False, default=None
+ )
+ mem_hot_add = config.get_cloud_config_value(
+ 'mem_hot_add', vm_, __opts__, search_global=False, default=None
+ )
# Get service instance object
si = _get_si()
@@ -3042,6 +3048,12 @@ def create(vm_):
)
config_spec.deviceChange = specs["device_specs"]
+ if cpu_hot_add and hasattr(config_spec, 'cpuHotAddEnabled'):
+ config_spec.cpuHotAddEnabled = bool(cpu_hot_add)
+
+ if mem_hot_add and hasattr(config_spec, 'memoryHotAddEnabled'):
+ config_spec.memoryHotAddEnabled = bool(mem_hot_add)
+
if extra_config:
for key, value in six.iteritems(extra_config):
option = vim.option.OptionValue(key=key, value=value)
--
2.29.2

1368
implementation-of-suse_ip-execution-module-bsc-10999.patch Normal file
View File

File diff suppressed because it is too large Load Diff

30
salt.changes
View File

@ -1,3 +1,33 @@
-------------------------------------------------------------------
Mon Mar 1 11:21:01 UTC 2021 - Alexander Graul <alexander.graul@suse.com>
- Allow extra_filerefs as sanitized kwargs for SSH client
- Fix regression on cmd.run when passing tuples as cmd (bsc#1182740)
- Fix for multiple for security issues
(CVE-2020-28243) (CVE-2020-28972) (CVE-2020-35662) (CVE-2021-3148) (CVE-2021-3144)
(CVE-2021-25281) (CVE-2021-25282) (CVE-2021-25283) (CVE-2021-25284) (CVE-2021-3197)
(bsc#1181550) (bsc#1181556) (bsc#1181557) (bsc#1181558) (bsc#1181559) (bsc#1181560)
(bsc#1181561) (bsc#1181562) (bsc#1181563) (bsc#1181564) (bsc#1181565)
- Implementation of suse_ip execution module to prevent issues with network.managed (bsc#1099976)
- Add sleep on exception handling on minion connection attempt to the master (bsc#1174855)
- Allows for the VMware provider to handle CPU and memory hot-add in newer versions of the software. (bsc#1181347)
- Always require python-certifi (used by salt.ext.tornado)
- Bring missing part of async batch implementation back (bsc#1182382) (CVE-2021-25315)
- Added:
* implementation-of-suse_ip-execution-module-bsc-10999.patch
* fix-regression-on-cmd.run-when-passing-tuples-as-cmd.patch
* async-batch-implementation-fix-320.patch
* add-sleep-on-exception-handling-on-minion-connection.patch
* allow-extra_filerefs-as-sanitized-kwargs-for-ssh-cli.patch
* fix-for-some-cves-bsc1181550.patch
* fixes-56144-to-enable-hotadd-profile-support.patch
-------------------------------------------------------------------
Tue Feb 16 17:10:30 UTC 2021 - Alexander Graul <alexander.graul@suse.com>
- Always require python3-distro (bsc#1182293)
------------------------------------------------------------------- -------------------------------------------------------------------
Thu Feb 11 16:02:59 UTC 2021 - Pablo Suárez Hernández <pablo.suarezhernandez@suse.com> Thu Feb 11 16:02:59 UTC 2021 - Pablo Suárez Hernández <pablo.suarezhernandez@suse.com>

28
salt.spec
View File

@ -359,6 +359,20 @@ Patch148: virt-uefi-fix-backport-312.patch
Patch149: 3002.2-xen-spicevmc-dns-srv-records-backports-314.patch Patch149: 3002.2-xen-spicevmc-dns-srv-records-backports-314.patch
# PATCH-FIX_UPSTREAM: https://github.com/saltstack/salt/pull/59485 # PATCH-FIX_UPSTREAM: https://github.com/saltstack/salt/pull/59485
Patch150: open-suse-3002.2-xen-grub-316.patch Patch150: open-suse-3002.2-xen-grub-316.patch
# PATCH-FIX_OPENSUSE: https://github.com/openSUSE/salt/pull/320
Patch151: async-batch-implementation-fix-320.patch
# PATCH-FIX_UPSTREAM: https://github.com/saltstack/salt/pull/56173
Patch152: fixes-56144-to-enable-hotadd-profile-support.patch
# PATCH-FIX_OPENSUSE: https://github.com/openSUSE/salt/pull/307
Patch153: add-sleep-on-exception-handling-on-minion-connection.patch
# PATCH-FIX_OPENSUSE: https://github.com/openSUSE/salt/pull/323
Patch154: implementation-of-suse_ip-execution-module-bsc-10999.patch
# PATCH-FIX_UPSTREAM: no PR to link to yet
Patch155: fix-for-some-cves-bsc1181550.patch
# PATCH-FIX_UPSTREAM: no PR to link to yet
Patch156: allow-extra_filerefs-as-sanitized-kwargs-for-ssh-cli.patch
# PATCH-FIX_UPSTREAM: no PR to link to yet
Patch157: fix-regression-on-cmd.run-when-passing-tuples-as-cmd.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-build BuildRoot: %{_tmppath}/%{name}-%{version}-build
BuildRequires: logrotate BuildRequires: logrotate
@ -458,7 +472,6 @@ BuildRequires: python3-MarkupSafe
BuildRequires: python3-msgpack-python > 0.3 BuildRequires: python3-msgpack-python > 0.3
BuildRequires: python3-pyzmq >= 2.2.0 BuildRequires: python3-pyzmq >= 2.2.0
%if 0%{?suse_version} >= 1500 %if 0%{?suse_version} >= 1500
BuildRequires: python3-distro
BuildRequires: python3-M2Crypto BuildRequires: python3-M2Crypto
%else %else
BuildRequires: python3-pycrypto >= 2.6.1 BuildRequires: python3-pycrypto >= 2.6.1
@ -467,6 +480,7 @@ BuildRequires: python3-pycrypto >= 2.6.1
BuildRequires: python3-PyYAML BuildRequires: python3-PyYAML
BuildRequires: python3-psutil BuildRequires: python3-psutil
BuildRequires: python3-requests >= 1.0.0 BuildRequires: python3-requests >= 1.0.0
BuildRequires: python3-distro
# requirements/zeromq.txt # requirements/zeromq.txt
%if %{with test} %if %{with test}
@ -486,10 +500,7 @@ Requires: platform-python
%else %else
Requires: python3 Requires: python3
%endif %endif
#
%if ! 0%{?suse_version} > 1110
Requires: python3-certifi Requires: python3-certifi
%endif
# requirements/base.txt # requirements/base.txt
%if 0%{?rhel} || 0%{?fedora} %if 0%{?rhel} || 0%{?fedora}
Requires: python3-jinja2 Requires: python3-jinja2
@ -510,7 +521,6 @@ Requires: python3-Jinja2
Requires: python3-MarkupSafe Requires: python3-MarkupSafe
Requires: python3-msgpack-python > 0.3 Requires: python3-msgpack-python > 0.3
%if 0%{?suse_version} >= 1500 %if 0%{?suse_version} >= 1500
Requires: python3-distro
Requires: python3-M2Crypto Requires: python3-M2Crypto
%else %else
Requires: python3-pycrypto >= 2.6.1 Requires: python3-pycrypto >= 2.6.1
@ -520,6 +530,7 @@ Requires: python3-pyzmq >= 2.2.0
Requires: python3-PyYAML Requires: python3-PyYAML
Requires: python3-psutil Requires: python3-psutil
Requires: python3-requests >= 1.0.0 Requires: python3-requests >= 1.0.0
Requires: python3-distro
%if 0%{?suse_version} %if 0%{?suse_version}
# required for zypper.py # required for zypper.py
Requires: python3-rpm Requires: python3-rpm
@ -908,6 +919,13 @@ cp %{S:5} ./.travis.yml
%patch148 -p1 %patch148 -p1
%patch149 -p1 %patch149 -p1
%patch150 -p1 %patch150 -p1
%patch151 -p1
%patch152 -p1
%patch153 -p1
%patch154 -p1
%patch155 -p1
%patch156 -p1
%patch157 -p1
%build %build
# Putting /usr/bin at the front of $PATH is needed for RHEL/RES 7. Without this # Putting /usr/bin at the front of $PATH is needed for RHEL/RES 7. Without this