—

PYSEC-2016-23

Details

Salt 2015.8.x before 2015.8.4 does not properly handle clear messages on the minion, which allows man-in-the-middle attackers to execute arbitrary code by inserting packets into the minion-master data stream.

Are you affected?

Enter the version of the package you're using.

Affected packages

PyPI / salt

Introduced in: 2015.8 Fixed in: 2015.8.4

Fix pip install --upgrade 'salt>=2015.8.4'

References

http://lists.opensuse.org/opensuse-updates/2016-03/msg00034.html [WEB]
https://docs.saltstack.com/en/latest/topics/releases/2015.8.4.html [WEB]
https://github.com/advisories/GHSA-vqh4-crjf-jjxx [ADVISORY]