Isolated fix for CVE-2017-7893? Which releases apart from 2016.3.6 fix the issue? #48939
While going through a couple of CVEs for salt within Debian, I noticed CVE-2017-7893 mentioned in https://docs.saltstack.com/en/2017.7/topics/releases/2016.3.6.html (which credits Frank Spierings as the discoverer).
Unfortunately neither https://bugzilla.redhat.com/show_bug.cgi?id=1572139 nor https://bugzilla.novell.com/show_bug.cgi?id=1090665 is helping to identify the fix.
Can you share the fix which would need to be cherry-picked (and/or which releases contain the fix)?
@anarcat, sorry, I was on vacation for a couple of days.
CVE-2017-7893 is fixed by the code in this PR. The best mitigation scenario is when