From 9d3b3b73bc408820e1f3c0dbabe0da2eae6f841d Mon Sep 17 00:00:00 2001
From: Pedro Algarvio
Date: Wed, 26 Apr 2023 10:32:16 +0100
Subject: [PATCH 01/17] Add backports support
Signed-off-by: Pedro Algarvio
(cherry picked from commit 99cb7c0e084f2b47ef3a6e9aa9c46b35c3676cc1)
---
.backportrc.json | 15 +++++++++++
.github/workflows/backport.yml | 48 ++++++++++++++++++++++++++++++++++
2 files changed, 63 insertions(+)
create mode 100644 .backportrc.json
create mode 100644 .github/workflows/backport.yml
diff --git a/.backportrc.json b/.backportrc.json
new file mode 100644
index 00000000000..b988c16660f
--- /dev/null
+++ b/.backportrc.json
@@ -0,0 +1,15 @@
+{
+ "repoOwner": "saltstack",
+ "repoName": "salt",
+ "targetBranchChoices": ["master", "3006.x", "3005.x"],
+ "autoMerge": false,
+ "autoMergeMethod": "rebase",
+ "branchLabelMapping": {
+ "^backport:(.+)$": "$1"
+ },
+ "prTitle": "[BACKPORT] {commitMessages}",
+ "publishStatusCommentOnSuccess": true,
+ "sourcePRLabels": [
+ "backport:complete"
+ ]
+}
diff --git a/.github/workflows/backport.yml b/.github/workflows/backport.yml
new file mode 100644
index 00000000000..b70b84df5b3
--- /dev/null
+++ b/.github/workflows/backport.yml
@@ -0,0 +1,48 @@
+name: Backport PR
+run-name: "Backport PR #${{ github.event.number }}"
+
+on:
+ pull_request_target:
+ types:
+ - "labeled"
+ - "closed"
+
+permissions:
+ contents: write
+ pull-requests: write
+
+jobs:
+ backport:
+ name: Backport PR
+ runs-on:
+ - ubuntu-latest
+ if: |
+ github.event.pull_request.merged == true
+ && (
+ contains(github.event.pull_request.labels.*.name, 'backport:master') ||
+ contains(github.event.pull_request.labels.*.name, 'backport:3006.x') ||
+ contains(github.event.pull_request.labels.*.name, 'backport:3005.x')
+ )
+ && (
+ (github.event.action == 'labeled' && (
+ contains(github.event.pull_request.labels.*.name, 'backport:master') ||
+ contains(github.event.pull_request.labels.*.name, 'backport:3006.x') ||
+ contains(github.event.pull_request.labels.*.name, 'backport:3005.x')
+ ))
+ || (github.event.action == 'closed')
+ )
+ steps:
+ - name: Backport Action
+ uses: sqren/backport-github-action@v8.9.7
+ with:
+ github_token: ${{ secrets.GITHUB_TOKEN }}
+ auto_backport_label_prefix: "backport:"
+ add_original_reviewers: true
+
+ - name: Info log
+ if: ${{ success() }}
+ run: jq -C '.' ~/.backport/backport.info.log
+
+ - name: Debug log
+ if: ${{ failure() }}
+ run: jq -C '.' ~/.backport/backport.debug.log
From aad2f675761e66252f63988c0a6ea38604e0b94f Mon Sep 17 00:00:00 2001
From: Pedro Algarvio
Date: Sun, 24 Sep 2023 10:23:27 +0100
Subject: [PATCH 02/17] Bump to `sqren/backport-github-action@v9.3.0-a`
Signed-off-by: Pedro Algarvio
---
.github/workflows/backport.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/backport.yml b/.github/workflows/backport.yml
index b70b84df5b3..4e255576c92 100644
--- a/.github/workflows/backport.yml
+++ b/.github/workflows/backport.yml
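Review bot: The `uses: sqren/backport-github-action@v8.9.7` step in the new `.github/workflows/backport.yml` references a third-party action by a mutable tag, while the job runs on `pull_request_target` with `contents: write` and `pull-requests: write` and hands `secrets.GITHUB_TOKEN` to that action, so a moved or replaced tag would run with a write-scoped token for this repository. Pin the action to a full commit SHA and keep the version as a trailing comment, e.g. `uses: sqren/backport-github-action@<full-commit-sha-placeholder>  # v8.9.7`; the hunks in PATCH 02 and PATCH 03 that change this same line keep a tag reference and need the same treatment. The two `permissions` entries could also move from workflow level onto the `backport` job, so a job added later does not inherit write access by default. Separately, the label test nested under `github.event.action == 'labeled'` repeats what the preceding `&& ( ... )` group already requires, so that last group could be reduced to checking that the action is `labeled` or `closed`, which makes the condition easier to audit.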
@@ -33,7 +33,7 @@ jobs: ) steps: - name: Backport Action - uses: sqren/backport-github-action@v8.9.7 + uses: sqren/backport-github-action@v9.3.0-a with: github_token: ${{ secrets.GITHUB_TOKEN }} auto_backport_label_prefix: "backport:" From 29ae9829eec75d88420eeaa2685cbed48b9134f1 Mon Sep 17 00:00:00 2001 From: Pedro Algarvio Date: Sun, 24 Sep 2023 21:20:44 +0100 Subject: [PATCH 03/17] Downgrade to `sqren/backport-github-action@v8.9.7` at least errors are reported Signed-off-by: Pedro Algarvio --- .backportrc.json | 2 +- .github/workflows/backport.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.backportrc.json b/.backportrc.json index b988c16660f..1fc808b961b 100644 --- a/.backportrc.json +++ b/.backportrc.json @@ -1,7 +1,7 @@ { "repoOwner": "saltstack", "repoName": "salt", - "targetBranchChoices": ["master", "3006.x", "3005.x"], + "targetBranchChoices": ["master", "3006.x", "3005.x", "freeze"], "autoMerge": false, "autoMergeMethod": "rebase", "branchLabelMapping": { diff --git a/.github/workflows/backport.yml b/.github/workflows/backport.yml index 4e255576c92..b70b84df5b3 100644 --- a/.github/workflows/backport.yml +++ b/.github/workflows/backport.yml @@ -33,7 +33,7 @@ jobs: ) steps: - name: Backport Action - uses: sqren/backport-github-action@v9.3.0-a + uses: sqren/backport-github-action@v8.9.7 with: github_token: ${{ secrets.GITHUB_TOKEN }} auto_backport_label_prefix: "backport:" From db0f92038288bd69422dfde1612af194bea7fda4 Mon Sep 17 00:00:00 2001 From: Pedro Algarvio Date: Fri, 22 Sep 2023 15:39:07 +0100 Subject: [PATCH 04/17] Bump to `cryptography==41.0.4` due to https://github.com/advisories/GHSA-v8gr-m533-ghj9 
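Review bot: In the `.backportrc.json` hunk of PATCH 03, `"freeze"` is added to `targetBranchChoices`, but the job condition in `.github/workflows/backport.yml` as added in PATCH 01 only tests for `backport:master`, `backport:3006.x` and `backport:3005.x`, so a merged PR labelled only `backport:freeze` would not start the backport job. If automated backports to `freeze` are intended, add `contains(github.event.pull_request.labels.*.name, 'backport:freeze')` to both label lists in the `if:` expression; a later patch in this series may already do so, which is not visible here. Since `branchLabelMapping` (`"^backport:(.+)$": "$1"`) maps any `backport:<branch>` label to a target, the workflow condition appears to be the only explicit list of allowed branches and should be kept in step with this file.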
Signed-off-by: Pedro Algarvio --- changelog/65267.security | 1 + requirements/static/ci/py3.10/cloud.txt | 2 +- requirements/static/ci/py3.10/darwin.txt | 2 +- requirements/static/ci/py3.10/docs.txt | 2 +- requirements/static/ci/py3.10/freebsd.txt | 2 +- requirements/static/ci/py3.10/lint.txt | 2 +- requirements/static/ci/py3.10/linux.txt | 2 +- requirements/static/ci/py3.10/windows.txt | 2 +- requirements/static/ci/py3.7/cloud.txt | 2 +- requirements/static/ci/py3.7/docs.txt | 2 +- requirements/static/ci/py3.7/freebsd.txt | 2 +- requirements/static/ci/py3.7/lint.txt | 2 +- requirements/static/ci/py3.7/linux.txt | 2 +- requirements/static/ci/py3.7/windows.txt | 2 +- requirements/static/ci/py3.8/cloud.txt | 2 +- requirements/static/ci/py3.8/docs.txt | 2 +- requirements/static/ci/py3.8/freebsd.txt | 2 +- requirements/static/ci/py3.8/lint.txt | 2 +- requirements/static/ci/py3.8/linux.txt | 2 +- requirements/static/ci/py3.8/windows.txt | 2 +- requirements/static/ci/py3.9/cloud.txt | 2 +- requirements/static/ci/py3.9/darwin.txt | 2 +- requirements/static/ci/py3.9/docs.txt | 2 +- requirements/static/ci/py3.9/freebsd.txt | 2 +- requirements/static/ci/py3.9/lint.txt | 2 +- requirements/static/ci/py3.9/linux.txt | 2 +- requirements/static/ci/py3.9/windows.txt | 2 +- requirements/static/pkg/py3.10/darwin.txt | 2 +- requirements/static/pkg/py3.10/freebsd.txt | 2 +- requirements/static/pkg/py3.10/linux.txt | 2 +- requirements/static/pkg/py3.10/windows.txt | 2 +- requirements/static/pkg/py3.7/freebsd.txt | 2 +- requirements/static/pkg/py3.7/linux.txt | 2 +- requirements/static/pkg/py3.7/windows.txt | 2 +- requirements/static/pkg/py3.8/freebsd.txt | 2 +- requirements/static/pkg/py3.8/linux.txt | 2 +- requirements/static/pkg/py3.8/windows.txt | 2 +- requirements/static/pkg/py3.9/darwin.txt | 2 +- requirements/static/pkg/py3.9/freebsd.txt | 2 +- requirements/static/pkg/py3.9/linux.txt | 2 +- requirements/static/pkg/py3.9/windows.txt | 2 +- 41 files changed, 41 insertions(+), 40 
deletions(-) create mode 100644 changelog/65267.security diff --git a/changelog/65267.security b/changelog/65267.security new file mode 100644 index 00000000000..15588570ad6 --- /dev/null +++ b/changelog/65267.security @@ -0,0 +1 @@ +Bump to `cryptography==41.0.4` due to https://github.com/advisories/GHSA-v8gr-m533-ghj9 diff --git a/requirements/static/ci/py3.10/cloud.txt b/requirements/static/ci/py3.10/cloud.txt index 84a17a57933..3e163e77a18 100644 --- a/requirements/static/ci/py3.10/cloud.txt +++ b/requirements/static/ci/py3.10/cloud.txt @@ -383,7 +383,7 @@ contextvars==2.4 # via -r requirements/base.txt croniter==1.0.15 ; sys_platform != "win32" # via -r requirements/static/ci/common.in -cryptography==41.0.3 ; python_version >= "3.7" +cryptography==41.0.4 ; python_version >= "3.7" # via # -r requirements/static/pkg/linux.in # adal diff --git a/requirements/static/ci/py3.10/darwin.txt b/requirements/static/ci/py3.10/darwin.txt index 6725d76cafb..1cfb54e7426 100644 --- a/requirements/static/ci/py3.10/darwin.txt +++ b/requirements/static/ci/py3.10/darwin.txt @@ -386,7 +386,7 @@ contextvars==2.4 # via -r requirements/base.txt croniter==0.3.29 ; sys_platform != "win32" # via -r requirements/static/ci/common.in -cryptography==41.0.3 ; python_version >= "3.7" +cryptography==41.0.4 ; python_version >= "3.7" # via # -r requirements/darwin.txt # adal diff --git a/requirements/static/ci/py3.10/docs.txt b/requirements/static/ci/py3.10/docs.txt index 5fa86b1cc9c..d8aa8cbaeaa 100644 --- a/requirements/static/ci/py3.10/docs.txt +++ b/requirements/static/ci/py3.10/docs.txt @@ -390,7 +390,7 @@ contextvars==2.4 # via -r requirements/base.txt croniter==1.0.15 ; sys_platform != "win32" # via -r requirements/static/ci/common.in -cryptography==41.0.3 ; python_version >= "3.7" +cryptography==41.0.4 ; python_version >= "3.7" # via # -r requirements/static/pkg/linux.in # adal 
diff --git a/requirements/static/ci/py3.10/freebsd.txt b/requirements/static/ci/py3.10/freebsd.txt index 4de08ee486f..5dc862b00c5 100644 --- a/requirements/static/ci/py3.10/freebsd.txt +++ b/requirements/static/ci/py3.10/freebsd.txt @@ -382,7 +382,7 @@ contextvars==2.4 # via -r requirements/base.txt croniter==0.3.29 ; sys_platform != "win32" # via -r requirements/static/ci/common.in -cryptography==41.0.3 ; python_version >= "3.7" +cryptography==41.0.4 ; python_version >= "3.7" # via # -r requirements/static/pkg/freebsd.in # adal diff --git a/requirements/static/ci/py3.10/lint.txt b/requirements/static/ci/py3.10/lint.txt index 9fb36c3b357..96865dc989e 100644 --- a/requirements/static/ci/py3.10/lint.txt +++ b/requirements/static/ci/py3.10/lint.txt @@ -388,7 +388,7 @@ contextvars==2.4 # via -r requirements/base.txt croniter==1.0.15 ; sys_platform != "win32" # via -r requirements/static/ci/common.in -cryptography==41.0.3 ; python_version >= "3.7" +cryptography==41.0.4 ; python_version >= "3.7" # via # -r requirements/static/pkg/linux.in # adal diff --git a/requirements/static/ci/py3.10/linux.txt b/requirements/static/ci/py3.10/linux.txt index dbbc7f94b97..b9a9f45fcb8 100644 --- a/requirements/static/ci/py3.10/linux.txt +++ b/requirements/static/ci/py3.10/linux.txt @@ -396,7 +396,7 @@ contextvars==2.4 # via -r requirements/base.txt croniter==0.3.29 ; sys_platform != "win32" # via -r requirements/static/ci/common.in -cryptography==41.0.3 ; python_version >= "3.7" +cryptography==41.0.4 ; python_version >= "3.7" # via # -r requirements/static/pkg/linux.in # adal diff --git a/requirements/static/ci/py3.10/windows.txt b/requirements/static/ci/py3.10/windows.txt index afabb8762f0..572e049fc3a 100644 --- a/requirements/static/ci/py3.10/windows.txt +++ b/requirements/static/ci/py3.10/windows.txt 
@@ -73,7 +73,7 @@ colorama==0.4.1 # via pytest contextvars==2.4 # via -r requirements/base.txt -cryptography==39.0.1 +cryptography==41.0.4 # via # -r requirements/static/pkg/py3.10/windows.txt # moto diff --git a/requirements/static/ci/py3.7/cloud.txt b/requirements/static/ci/py3.7/cloud.txt index 8a6a86bc53f..f903b2d6d29 100644 --- a/requirements/static/ci/py3.7/cloud.txt +++ b/requirements/static/ci/py3.7/cloud.txt @@ -390,7 +390,7 @@ contextvars==2.4 # via -r requirements/base.txt croniter==1.0.15 ; sys_platform != "win32" # via -r requirements/static/ci/common.in -cryptography==41.0.3 ; python_version >= "3.7" +cryptography==41.0.4 ; python_version >= "3.7" # via # -r requirements/static/pkg/linux.in # adal diff --git a/requirements/static/ci/py3.7/docs.txt b/requirements/static/ci/py3.7/docs.txt index b99ff436bbb..c67e346203f 100644 --- a/requirements/static/ci/py3.7/docs.txt +++ b/requirements/static/ci/py3.7/docs.txt @@ -399,7 +399,7 @@ contextvars==2.4 # via -r requirements/base.txt croniter==1.0.15 ; sys_platform != "win32" # via -r requirements/static/ci/common.in -cryptography==41.0.3 ; python_version >= "3.7" +cryptography==41.0.4 ; python_version >= "3.7" # via # -r requirements/static/pkg/linux.in # adal diff --git a/requirements/static/ci/py3.7/freebsd.txt b/requirements/static/ci/py3.7/freebsd.txt index 098811c2533..4976c9fbb6c 100644 --- a/requirements/static/ci/py3.7/freebsd.txt +++ b/requirements/static/ci/py3.7/freebsd.txt @@ -389,7 +389,7 @@ contextvars==2.4 # via -r requirements/base.txt croniter==0.3.29 ; sys_platform != "win32" # via -r requirements/static/ci/common.in -cryptography==41.0.3 ; python_version >= "3.7" +cryptography==41.0.4 ; python_version >= "3.7" # via # -r requirements/static/pkg/freebsd.in # adal diff --git a/requirements/static/ci/py3.7/lint.txt b/requirements/static/ci/py3.7/lint.txt index d995e9c3999..dd5932f1caa 100644 --- a/requirements/static/ci/py3.7/lint.txt +++ b/requirements/static/ci/py3.7/lint.txt 
@@ -397,7 +397,7 @@ contextvars==2.4 # via -r requirements/base.txt croniter==1.0.15 ; sys_platform != "win32" # via -r requirements/static/ci/common.in -cryptography==41.0.3 ; python_version >= "3.7" +cryptography==41.0.4 ; python_version >= "3.7" # via # -r requirements/static/pkg/linux.in # adal diff --git a/requirements/static/ci/py3.7/linux.txt b/requirements/static/ci/py3.7/linux.txt index 039f18a3c3a..09dad7aa75a 100644 --- a/requirements/static/ci/py3.7/linux.txt +++ b/requirements/static/ci/py3.7/linux.txt @@ -403,7 +403,7 @@ contextvars==2.4 # via -r requirements/base.txt croniter==0.3.29 ; sys_platform != "win32" # via -r requirements/static/ci/common.in -cryptography==41.0.3 ; python_version >= "3.7" +cryptography==41.0.4 ; python_version >= "3.7" # via # -r requirements/static/pkg/linux.in # adal diff --git a/requirements/static/ci/py3.7/windows.txt b/requirements/static/ci/py3.7/windows.txt index 9c9e2415345..d0d6085415f 100644 --- a/requirements/static/ci/py3.7/windows.txt +++ b/requirements/static/ci/py3.7/windows.txt @@ -74,7 +74,7 @@ colorama==0.4.1 # via pytest contextvars==2.4 # via -r requirements/base.txt -cryptography==41.0.3 ; python_version >= "3.7" +cryptography==41.0.4 ; python_version >= "3.7" # via # -r requirements/windows.txt # etcd3-py diff --git a/requirements/static/ci/py3.8/cloud.txt b/requirements/static/ci/py3.8/cloud.txt index ae3a2330f51..d47a2de683a 100644 --- a/requirements/static/ci/py3.8/cloud.txt +++ b/requirements/static/ci/py3.8/cloud.txt @@ -388,7 +388,7 @@ contextvars==2.4 # via -r requirements/base.txt croniter==1.0.15 ; sys_platform != "win32" # via -r requirements/static/ci/common.in -cryptography==41.0.3 ; python_version >= "3.7" +cryptography==41.0.4 ; python_version >= "3.7" # via # -r requirements/static/pkg/linux.in # adal diff --git a/requirements/static/ci/py3.8/docs.txt b/requirements/static/ci/py3.8/docs.txt index 704100ccc31..af50b9ad185 100644 --- a/requirements/static/ci/py3.8/docs.txt 
+++ b/requirements/static/ci/py3.8/docs.txt @@ -397,7 +397,7 @@ contextvars==2.4 # via -r requirements/base.txt croniter==1.0.15 ; sys_platform != "win32" # via -r requirements/static/ci/common.in -cryptography==41.0.3 ; python_version >= "3.7" +cryptography==41.0.4 ; python_version >= "3.7" # via # -r requirements/static/pkg/linux.in # adal diff --git a/requirements/static/ci/py3.8/freebsd.txt b/requirements/static/ci/py3.8/freebsd.txt index 64b895815d6..408b9308c10 100644 --- a/requirements/static/ci/py3.8/freebsd.txt +++ b/requirements/static/ci/py3.8/freebsd.txt @@ -387,7 +387,7 @@ contextvars==2.4 # via -r requirements/base.txt croniter==0.3.29 ; sys_platform != "win32" # via -r requirements/static/ci/common.in -cryptography==41.0.3 ; python_version >= "3.7" +cryptography==41.0.4 ; python_version >= "3.7" # via # -r requirements/static/pkg/freebsd.in # adal diff --git a/requirements/static/ci/py3.8/lint.txt b/requirements/static/ci/py3.8/lint.txt index ebe72d749e2..63e853bf68f 100644 --- a/requirements/static/ci/py3.8/lint.txt +++ b/requirements/static/ci/py3.8/lint.txt @@ -395,7 +395,7 @@ contextvars==2.4 # via -r requirements/base.txt croniter==1.0.15 ; sys_platform != "win32" # via -r requirements/static/ci/common.in -cryptography==41.0.3 ; python_version >= "3.7" +cryptography==41.0.4 ; python_version >= "3.7" # via # -r requirements/static/pkg/linux.in # adal diff --git a/requirements/static/ci/py3.8/linux.txt b/requirements/static/ci/py3.8/linux.txt index 77b2c36a5d1..8cfc4e8a092 100644 --- a/requirements/static/ci/py3.8/linux.txt +++ b/requirements/static/ci/py3.8/linux.txt @@ -401,7 +401,7 @@ contextvars==2.4 # via -r requirements/base.txt croniter==0.3.29 ; sys_platform != "win32" # via -r requirements/static/ci/common.in -cryptography==41.0.3 ; python_version >= "3.7" +cryptography==41.0.4 ; python_version >= "3.7" # via # -r requirements/static/pkg/linux.in # adal 
diff --git a/requirements/static/ci/py3.8/windows.txt b/requirements/static/ci/py3.8/windows.txt index ca5e306b800..5b2ba5adace 100644 --- a/requirements/static/ci/py3.8/windows.txt +++ b/requirements/static/ci/py3.8/windows.txt @@ -72,7 +72,7 @@ colorama==0.4.1 # via pytest contextvars==2.4 # via -r requirements/base.txt -cryptography==41.0.3 ; python_version >= "3.7" +cryptography==41.0.4 ; python_version >= "3.7" # via # -r requirements/windows.txt # etcd3-py diff --git a/requirements/static/ci/py3.9/cloud.txt b/requirements/static/ci/py3.9/cloud.txt index 9495c538ecc..10730f00910 100644 --- a/requirements/static/ci/py3.9/cloud.txt +++ b/requirements/static/ci/py3.9/cloud.txt @@ -388,7 +388,7 @@ contextvars==2.4 # via -r requirements/base.txt croniter==1.0.15 ; sys_platform != "win32" # via -r requirements/static/ci/common.in -cryptography==41.0.3 ; python_version >= "3.7" +cryptography==41.0.4 ; python_version >= "3.7" # via # -r requirements/static/pkg/linux.in # adal diff --git a/requirements/static/ci/py3.9/darwin.txt b/requirements/static/ci/py3.9/darwin.txt index d47db18063f..277defef4d5 100644 --- a/requirements/static/ci/py3.9/darwin.txt +++ b/requirements/static/ci/py3.9/darwin.txt @@ -391,7 +391,7 @@ contextvars==2.4 # via -r requirements/base.txt croniter==0.3.29 ; sys_platform != "win32" # via -r requirements/static/ci/common.in -cryptography==41.0.3 ; python_version >= "3.7" +cryptography==41.0.4 ; python_version >= "3.7" # via # -r requirements/darwin.txt # adal diff --git a/requirements/static/ci/py3.9/docs.txt b/requirements/static/ci/py3.9/docs.txt index 12d672d4a38..4ed09bed8eb 100644 --- a/requirements/static/ci/py3.9/docs.txt +++ b/requirements/static/ci/py3.9/docs.txt 
@@ -395,7 +395,7 @@ contextvars==2.4 # via -r requirements/base.txt croniter==1.0.15 ; sys_platform != "win32" # via -r requirements/static/ci/common.in -cryptography==41.0.3 ; python_version >= "3.7" +cryptography==41.0.4 ; python_version >= "3.7" # via # -r requirements/static/pkg/linux.in # adal diff --git a/requirements/static/ci/py3.9/freebsd.txt b/requirements/static/ci/py3.9/freebsd.txt index 7ebc98e63a3..119b9a7e39b 100644 --- a/requirements/static/ci/py3.9/freebsd.txt +++ b/requirements/static/ci/py3.9/freebsd.txt @@ -387,7 +387,7 @@ contextvars==2.4 # via -r requirements/base.txt croniter==0.3.29 ; sys_platform != "win32" # via -r requirements/static/ci/common.in -cryptography==41.0.3 ; python_version >= "3.7" +cryptography==41.0.4 ; python_version >= "3.7" # via # -r requirements/static/pkg/freebsd.in # adal diff --git a/requirements/static/ci/py3.9/lint.txt b/requirements/static/ci/py3.9/lint.txt index 084f5cb6724..87b7665c97b 100644 --- a/requirements/static/ci/py3.9/lint.txt +++ b/requirements/static/ci/py3.9/lint.txt @@ -393,7 +393,7 @@ contextvars==2.4 # via -r requirements/base.txt croniter==1.0.15 ; sys_platform != "win32" # via -r requirements/static/ci/common.in -cryptography==41.0.3 ; python_version >= "3.7" +cryptography==41.0.4 ; python_version >= "3.7" # via # -r requirements/static/pkg/linux.in # adal diff --git a/requirements/static/ci/py3.9/linux.txt b/requirements/static/ci/py3.9/linux.txt index b8125669def..8c635fd7cf3 100644 --- a/requirements/static/ci/py3.9/linux.txt +++ b/requirements/static/ci/py3.9/linux.txt @@ -403,7 +403,7 @@ contextvars==2.4 # via -r requirements/base.txt croniter==0.3.29 ; sys_platform != "win32" # via -r requirements/static/ci/common.in -cryptography==41.0.3 ; python_version >= "3.7" +cryptography==41.0.4 ; python_version >= "3.7" # via # -r requirements/static/pkg/linux.in # adal 
diff --git a/requirements/static/ci/py3.9/windows.txt b/requirements/static/ci/py3.9/windows.txt index d98e73e91f6..280315b4c8a 100644 --- a/requirements/static/ci/py3.9/windows.txt +++ b/requirements/static/ci/py3.9/windows.txt @@ -72,7 +72,7 @@ colorama==0.4.1 # via pytest contextvars==2.4 # via -r requirements/base.txt -cryptography==41.0.3 ; python_version >= "3.7" +cryptography==41.0.4 ; python_version >= "3.7" # via # -r requirements/windows.txt # etcd3-py diff --git a/requirements/static/pkg/py3.10/darwin.txt b/requirements/static/pkg/py3.10/darwin.txt index 9d6409d28c8..d3250c794d4 100644 --- a/requirements/static/pkg/py3.10/darwin.txt +++ b/requirements/static/pkg/py3.10/darwin.txt @@ -18,7 +18,7 @@ cherrypy==18.6.1 # via -r requirements/darwin.txt contextvars==2.4 # via -r requirements/base.txt -cryptography==41.0.3 ; python_version >= "3.7" +cryptography==41.0.4 ; python_version >= "3.7" # via # -r requirements/darwin.txt # pyopenssl diff --git a/requirements/static/pkg/py3.10/freebsd.txt b/requirements/static/pkg/py3.10/freebsd.txt index c25bc90a4b5..2ff655041f3 100644 --- a/requirements/static/pkg/py3.10/freebsd.txt +++ b/requirements/static/pkg/py3.10/freebsd.txt @@ -16,7 +16,7 @@ cherrypy==18.6.1 # via -r requirements/static/pkg/freebsd.in contextvars==2.4 # via -r requirements/base.txt -cryptography==41.0.3 ; python_version >= "3.7" +cryptography==41.0.4 ; python_version >= "3.7" # via # -r requirements/static/pkg/freebsd.in # pyopenssl diff --git a/requirements/static/pkg/py3.10/linux.txt b/requirements/static/pkg/py3.10/linux.txt index 9944c2e4d1d..04ca508c92f 100644 --- a/requirements/static/pkg/py3.10/linux.txt +++ b/requirements/static/pkg/py3.10/linux.txt @@ -16,7 +16,7 @@ cherrypy==18.6.1 # via -r requirements/static/pkg/linux.in contextvars==2.4 # via -r requirements/base.txt -cryptography==41.0.3 ; python_version >= "3.7" +cryptography==41.0.4 ; python_version >= "3.7" # via # -r requirements/static/pkg/linux.in # pyopenssl 
diff --git a/requirements/static/pkg/py3.10/windows.txt b/requirements/static/pkg/py3.10/windows.txt index 9f8b7435fb6..ac39e84b328 100644 --- a/requirements/static/pkg/py3.10/windows.txt +++ b/requirements/static/pkg/py3.10/windows.txt @@ -20,7 +20,7 @@ cherrypy==18.6.1 # via -r requirements/windows.txt contextvars==2.4 # via -r requirements/base.txt -cryptography==39.0.1 +cryptography==41.0.4 # via # -r requirements/windows.txt # pyopenssl diff --git a/requirements/static/pkg/py3.7/freebsd.txt b/requirements/static/pkg/py3.7/freebsd.txt index f8c2f0a56a2..6aa3ccea8f9 100644 --- a/requirements/static/pkg/py3.7/freebsd.txt +++ b/requirements/static/pkg/py3.7/freebsd.txt @@ -16,7 +16,7 @@ cherrypy==18.6.1 # via -r requirements/static/pkg/freebsd.in contextvars==2.4 # via -r requirements/base.txt -cryptography==41.0.3 ; python_version >= "3.7" +cryptography==41.0.4 ; python_version >= "3.7" # via # -r requirements/static/pkg/freebsd.in # pyopenssl diff --git a/requirements/static/pkg/py3.7/linux.txt b/requirements/static/pkg/py3.7/linux.txt index 0585f5aa5c7..0b88348435b 100644 --- a/requirements/static/pkg/py3.7/linux.txt +++ b/requirements/static/pkg/py3.7/linux.txt @@ -16,7 +16,7 @@ cherrypy==18.6.1 # via -r requirements/static/pkg/linux.in contextvars==2.4 # via -r requirements/base.txt -cryptography==41.0.3 ; python_version >= "3.7" +cryptography==41.0.4 ; python_version >= "3.7" # via # -r requirements/static/pkg/linux.in # pyopenssl diff --git a/requirements/static/pkg/py3.7/windows.txt b/requirements/static/pkg/py3.7/windows.txt index 90f0ad64b9f..99733fb8079 100644 --- a/requirements/static/pkg/py3.7/windows.txt +++ b/requirements/static/pkg/py3.7/windows.txt @@ -20,7 +20,7 @@ cherrypy==18.6.1 # via -r requirements/windows.txt contextvars==2.4 # via -r requirements/base.txt -cryptography==41.0.3 ; python_version >= "3.7" +cryptography==41.0.4 ; python_version >= "3.7" # via # -r requirements/windows.txt # pyopenssl 
diff --git a/requirements/static/pkg/py3.8/freebsd.txt b/requirements/static/pkg/py3.8/freebsd.txt index 8baa680c8dd..fd731dee62d 100644 --- a/requirements/static/pkg/py3.8/freebsd.txt +++ b/requirements/static/pkg/py3.8/freebsd.txt @@ -16,7 +16,7 @@ cherrypy==18.6.1 # via -r requirements/static/pkg/freebsd.in contextvars==2.4 # via -r requirements/base.txt -cryptography==41.0.3 ; python_version >= "3.7" +cryptography==41.0.4 ; python_version >= "3.7" # via # -r requirements/static/pkg/freebsd.in # pyopenssl diff --git a/requirements/static/pkg/py3.8/linux.txt b/requirements/static/pkg/py3.8/linux.txt index 35882187a40..82dde6a5496 100644 --- a/requirements/static/pkg/py3.8/linux.txt +++ b/requirements/static/pkg/py3.8/linux.txt @@ -16,7 +16,7 @@ cherrypy==18.6.1 # via -r requirements/static/pkg/linux.in contextvars==2.4 # via -r requirements/base.txt -cryptography==41.0.3 ; python_version >= "3.7" +cryptography==41.0.4 ; python_version >= "3.7" # via # -r requirements/static/pkg/linux.in # pyopenssl diff --git a/requirements/static/pkg/py3.8/windows.txt b/requirements/static/pkg/py3.8/windows.txt index ecccae81ab4..c1eff89b569 100644 --- a/requirements/static/pkg/py3.8/windows.txt +++ b/requirements/static/pkg/py3.8/windows.txt @@ -20,7 +20,7 @@ cherrypy==18.6.1 # via -r requirements/windows.txt contextvars==2.4 # via -r requirements/base.txt -cryptography==41.0.3 ; python_version >= "3.7" +cryptography==41.0.4 ; python_version >= "3.7" # via # -r requirements/windows.txt # pyopenssl diff --git a/requirements/static/pkg/py3.9/darwin.txt b/requirements/static/pkg/py3.9/darwin.txt index 6ccf6601b30..2acb0ce7257 100644 --- a/requirements/static/pkg/py3.9/darwin.txt +++ b/requirements/static/pkg/py3.9/darwin.txt @@ -18,7 +18,7 @@ cherrypy==18.6.1 # via -r requirements/darwin.txt contextvars==2.4 # via -r requirements/base.txt -cryptography==41.0.3 ; python_version >= "3.7" +cryptography==41.0.4 ; python_version >= "3.7" # via # -r requirements/darwin.txt # pyopenssl 
diff --git a/requirements/static/pkg/py3.9/freebsd.txt b/requirements/static/pkg/py3.9/freebsd.txt index 748fbd5a1a3..04cd7193591 100644 --- a/requirements/static/pkg/py3.9/freebsd.txt +++ b/requirements/static/pkg/py3.9/freebsd.txt @@ -16,7 +16,7 @@ cherrypy==18.6.1 # via -r requirements/static/pkg/freebsd.in contextvars==2.4 # via -r requirements/base.txt -cryptography==41.0.3 ; python_version >= "3.7" +cryptography==41.0.4 ; python_version >= "3.7" # via # -r requirements/static/pkg/freebsd.in # pyopenssl diff --git a/requirements/static/pkg/py3.9/linux.txt b/requirements/static/pkg/py3.9/linux.txt index f59b9cb4cce..870ee43ba11 100644 --- a/requirements/static/pkg/py3.9/linux.txt +++ b/requirements/static/pkg/py3.9/linux.txt @@ -16,7 +16,7 @@ cherrypy==18.6.1 # via -r requirements/static/pkg/linux.in contextvars==2.4 # via -r requirements/base.txt -cryptography==41.0.3 ; python_version >= "3.7" +cryptography==41.0.4 ; python_version >= "3.7" # via # -r requirements/static/pkg/linux.in # pyopenssl diff --git a/requirements/static/pkg/py3.9/windows.txt b/requirements/static/pkg/py3.9/windows.txt index e4555f86448..c9cc3c067dc 100644 --- a/requirements/static/pkg/py3.9/windows.txt +++ b/requirements/static/pkg/py3.9/windows.txt @@ -20,7 +20,7 @@ cherrypy==18.6.1 # via -r requirements/windows.txt contextvars==2.4 # via -r requirements/base.txt -cryptography==41.0.3 ; python_version >= "3.7" +cryptography==41.0.4 ; python_version >= "3.7" # via # -r requirements/windows.txt # pyopenssl From b7735ab8f6868610db7b25e29ecf35d5263d9c9b Mon Sep 17 00:00:00 2001 
From: Megan Wilhite Date: Thu, 28 Sep 2023 07:58:09 -0600 Subject: [PATCH 05/17] Add pytest integration pre_flight integration tests for CVE-2023-34049 --- tests/integration/ssh/test_pre_flight.py | 132 -------- .../integration/ssh/test_pre_flight.py | 308 ++++++++++++++++++ 2 files changed, 308 insertions(+), 132 deletions(-) delete mode 100644 tests/integration/ssh/test_pre_flight.py create mode 100644 tests/pytests/integration/ssh/test_pre_flight.py diff --git a/tests/integration/ssh/test_pre_flight.py b/tests/integration/ssh/test_pre_flight.py deleted file mode 100644 index 9ce8bf70243..00000000000 --- a/tests/integration/ssh/test_pre_flight.py +++ /dev/null 
@@ -1,132 +0,0 @@ -""" -Test for ssh_pre_flight roster option -""" - -import os - -import pytest -import salt.utils.files -from tests.support.case import SSHCase -from tests.support.runtests import RUNTIME_VARS - - -class SSHPreFlightTest(SSHCase): - """ - Test ssh_pre_flight roster option - """ - - def setUp(self): - super().setUp() - self.roster = os.path.join(RUNTIME_VARS.TMP, "pre_flight_roster") - self.data = { - "ssh_pre_flight": os.path.join(RUNTIME_VARS.TMP, "ssh_pre_flight.sh") - } - self.test_script = os.path.join( - RUNTIME_VARS.TMP, "test-pre-flight-script-worked.txt" - ) - - def _create_roster(self, pre_flight_script_args=None): - data = dict(self.data) - if pre_flight_script_args: - data["ssh_pre_flight_args"] = pre_flight_script_args - - self.custom_roster(self.roster, data) - - with salt.utils.files.fopen(data["ssh_pre_flight"], "w") as fp_: - fp_.write("touch {}".format(self.test_script)) - - @pytest.mark.slow_test - def test_ssh_pre_flight(self): - """ - test ssh when ssh_pre_flight is set - ensure the script runs successfully - """ - self._create_roster() - assert self.run_function("test.ping", roster_file=self.roster) - - assert os.path.exists(self.test_script) - - @pytest.mark.slow_test - def test_ssh_run_pre_flight(self): - """ - test ssh when --pre-flight is passed to salt-ssh - to ensure the script runs successfully - """ - self._create_roster() - # make sure we previously ran a command so the thin dir exists - self.run_function("test.ping", wipe=False) - assert not os.path.exists(self.test_script) - - assert self.run_function( - "test.ping", ssh_opts="--pre-flight", roster_file=self.roster, wipe=False - ) - assert os.path.exists(self.test_script) - - @pytest.mark.slow_test - def test_ssh_run_pre_flight_args(self): - """ - test ssh when --pre-flight is passed to salt-ssh - to ensure the script runs successfully passing some args - """ - self._create_roster(pre_flight_script_args="foobar test") - # make sure we previously ran a command so the 
thin dir exists - self.run_function("test.ping", wipe=False) - assert not os.path.exists(self.test_script) - - assert self.run_function( - "test.ping", ssh_opts="--pre-flight", roster_file=self.roster, wipe=False - ) - assert os.path.exists(self.test_script) - - @pytest.mark.slow_test - def test_ssh_run_pre_flight_args_prevent_injection(self): - """ - test ssh when --pre-flight is passed to salt-ssh - and evil arguments are used in order to produce shell injection - """ - injected_file = os.path.join(RUNTIME_VARS.TMP, "injection") - self._create_roster( - pre_flight_script_args="foobar; echo injected > {}".format(injected_file) - ) - # make sure we previously ran a command so the thin dir exists - self.run_function("test.ping", wipe=False) - assert not os.path.exists(self.test_script) - assert not os.path.isfile(injected_file) - - assert self.run_function( - "test.ping", ssh_opts="--pre-flight", roster_file=self.roster, wipe=False - ) - - assert not os.path.isfile( - injected_file - ), "File injection suceeded. This shouldn't happend" - - @pytest.mark.flaky(max_runs=4) - @pytest.mark.slow_test - def test_ssh_run_pre_flight_failure(self): - """ - test ssh_pre_flight when there is a failure - in the script. - """ - self._create_roster() - with salt.utils.files.fopen(self.data["ssh_pre_flight"], "w") as fp_: - fp_.write("exit 2") - - ret = self.run_function( - "test.ping", ssh_opts="--pre-flight", roster_file=self.roster, wipe=False - ) - assert ret["retcode"] == 2 - - def tearDown(self): - """ - make sure to clean up any old ssh directories - """ - files = [ - self.roster, - self.data["ssh_pre_flight"], - self.test_script, - os.path.join(RUNTIME_VARS.TMP, "injection"), - ] - for fp_ in files: - if os.path.exists(fp_): - os.remove(fp_) diff --git a/tests/pytests/integration/ssh/test_pre_flight.py b/tests/pytests/integration/ssh/test_pre_flight.py new file mode 100644 index 00000000000..0f97424b5c8 --- /dev/null +++ b/tests/pytests/integration/ssh/test_pre_flight.py 
@@ -0,0 +1,308 @@ +""" +Test for ssh_pre_flight roster option +""" + +import grp +import os +import pathlib +import pwd +import shutil +import subprocess + +import pytest +import salt.utils.files +import yaml +from saltfactories.utils import random_string + + +def _custom_roster(roster_file, roster_data): + with salt.utils.files.fopen(roster_file, "r") as fp: + data = salt.utils.yaml.safe_load(fp) + for key, item in roster_data.items(): + data["localhost"][key] = item + with salt.utils.files.fopen(roster_file, "w") as fp: + yaml.safe_dump(data, fp) + + +@pytest.fixture +def _create_roster(salt_ssh_roster_file, tmp_path): + ret = {} + ret["roster"] = salt_ssh_roster_file + ret["data"] = {"ssh_pre_flight": str(tmp_path / "ssh_pre_flight.sh")} + ret["test_script"] = str(tmp_path / "test-pre-flight-script-worked.txt") + ret["thin_dir"] = tmp_path / "thin_dir" + + with salt.utils.files.fopen(salt_ssh_roster_file, "r") as fp: + data = salt.utils.yaml.safe_load(fp) + pre_flight_script = ret["data"]["ssh_pre_flight"] + data["localhost"]["ssh_pre_flight"] = pre_flight_script + data["localhost"]["thin_dir"] = str(ret["thin_dir"]) + with salt.utils.files.fopen(salt_ssh_roster_file, "w") as fp: + yaml.safe_dump(data, fp) + + with salt.utils.files.fopen(pre_flight_script, "w") as fp: + fp.write("touch {}".format(ret["test_script"])) + + yield ret + if ret["thin_dir"].exists(): + shutil.rmtree(ret["thin_dir"]) + + +@pytest.mark.slow_test +def test_ssh_pre_flight(salt_ssh_cli, caplog, _create_roster): + """ + test ssh when ssh_pre_flight is set + ensure the script runs successfully + """ + ret = salt_ssh_cli.run("test.ping") + assert ret.returncode == 0 + + assert pathlib.Path(_create_roster["test_script"]).exists() + + +@pytest.mark.slow_test +def test_ssh_run_pre_flight(salt_ssh_cli, _create_roster): + """ + test ssh when --pre-flight is passed to salt-ssh + to ensure the script runs successfully + """ + # make sure we previously ran a command so the thin dir exists + ret = 
salt_ssh_cli.run("test.ping") + assert pathlib.Path(_create_roster["test_script"]).exists() + + # Now remeove the script to ensure pre_flight doesn't run + # without --pre-flight + pathlib.Path(_create_roster["test_script"]).unlink() + + assert salt_ssh_cli.run("test.ping").returncode == 0 + assert not pathlib.Path(_create_roster["test_script"]).exists() + + # Now ensure + ret = salt_ssh_cli.run( + "test.ping", + "--pre-flight", + ) + assert ret.returncode == 0 + assert pathlib.Path(_create_roster["test_script"]).exists() + + +@pytest.mark.slow_test +def test_ssh_run_pre_flight_args(salt_ssh_cli, _create_roster): + """ + test ssh when --pre-flight is passed to salt-ssh + to ensure the script runs successfully passing some args + """ + _custom_roster(salt_ssh_cli.roster_file, {"ssh_pre_flight_args": "foobar test"}) + # Create pre_flight script that accepts args + test_script = _create_roster["test_script"] + test_script_1 = pathlib.Path(test_script + "-foobar") + test_script_2 = pathlib.Path(test_script + "-test") + with salt.utils.files.fopen(_create_roster["data"]["ssh_pre_flight"], "w") as fp: + fp.write( + f""" + touch {str(test_script)}-$1 + touch {str(test_script)}-$2 + """ + ) + ret = salt_ssh_cli.run("test.ping") + assert ret.returncode == 0 + assert test_script_1.exists() + assert test_script_2.exists() + pathlib.Path(test_script_1).unlink() + pathlib.Path(test_script_2).unlink() + + ret = salt_ssh_cli.run("test.ping") + assert ret.returncode == 0 + assert not test_script_1.exists() + assert not test_script_2.exists() + + ret = salt_ssh_cli.run( + "test.ping", + "--pre-flight", + ) + assert ret.returncode == 0 + assert test_script_1.exists() + assert test_script_2.exists() + + +@pytest.mark.slow_test +def test_ssh_run_pre_flight_args_prevent_injection( + salt_ssh_cli, _create_roster, tmp_path +): + """ + test ssh when --pre-flight is passed to salt-ssh + and evil arguments are used in order to produce shell injection + """ + injected_file = tmp_path / 
"injection" + _custom_roster( + salt_ssh_cli.roster_file, + {"ssh_pre_flight_args": f"foobar; echo injected > {str(injected_file)}"}, + ) + # Create pre_flight script that accepts args + test_script = _create_roster["test_script"] + test_script_1 = pathlib.Path(test_script + "-echo") + test_script_2 = pathlib.Path(test_script + "-foobar;") + with salt.utils.files.fopen(_create_roster["data"]["ssh_pre_flight"], "w") as fp: + fp.write( + f""" + touch {str(test_script)}-$1 + touch {str(test_script)}-$2 + """ + ) + + # make sure we previously ran a command so the thin dir exists + ret = salt_ssh_cli.run("test.ping") + assert ret.returncode == 0 + assert test_script_1.exists() + assert test_script_2.exists() + test_script_1.unlink() + test_script_2.unlink() + assert not injected_file.is_file() + + ret = salt_ssh_cli.run( + "test.ping", + "--pre-flight", + ) + assert ret.returncode == 0 + + assert test_script_1.exists() + assert test_script_2.exists() + assert not pathlib.Path( + injected_file + ).is_file(), "File injection suceeded. This shouldn't happend" + + +@pytest.mark.flaky(max_runs=4) +@pytest.mark.slow_test +def test_ssh_run_pre_flight_failure(salt_ssh_cli, _create_roster): + """ + test ssh_pre_flight when there is a failure + in the script. + """ + with salt.utils.files.fopen(_create_roster["data"]["ssh_pre_flight"], "w") as fp_: + fp_.write("exit 2") + + ret = salt_ssh_cli.run( + "test.ping", + "--pre-flight", + ) + assert ret.data["retcode"] == 2 + + +@pytest.fixture +def account(): + username = random_string("test-account-", uppercase=False) + with pytest.helpers.create_account(username=username) as account: + yield account + + +@pytest.mark.slow_test +def test_ssh_pre_flight_script(salt_ssh_cli, caplog, _create_roster, tmp_path, account): + """ + Test to ensure user cannot create and run a script + with the expected pre_flight script path on target. 
+ """ + try: + script = pathlib.Path.home() / "hacked" + tmp_preflight = pathlib.Path("/tmp", "ssh_pre_flight.sh") + tmp_preflight.write_text(f"touch {script}") + os.chown(tmp_preflight, account.info.uid, account.info.gid) + ret = salt_ssh_cli.run("test.ping") + assert not script.is_file() + assert ret.returncode == 0 + assert ret.stdout == '{\n"localhost": true\n}\n' + finally: + for _file in [script, tmp_preflight]: + if _file.is_file(): + _file.unlink() + + +def demote(user_uid, user_gid): + def result(): + # os.setgid does not remove group membership, so we remove them here so they are REALLY non-root + os.setgroups([]) + os.setgid(user_gid) + os.setuid(user_uid) + + return result + + +@pytest.mark.slow_test +def test_ssh_pre_flight_perms(salt_ssh_cli, caplog, _create_roster, account): + """ + Test to ensure standard user cannot run pre flight script + on target when user sets wrong permissions (777) on + ssh_pre_flight script. + """ + try: + script = pathlib.Path("/tmp", "itworked") + preflight = pathlib.Path("/ssh_pre_flight.sh") + preflight.write_text(f"touch {str(script)}") + tmp_preflight = pathlib.Path("/tmp", preflight.name) + + _custom_roster(salt_ssh_cli.roster_file, {"ssh_pre_flight": str(preflight)}) + preflight.chmod(0o0777) + run_script = pathlib.Path("/run_script") + run_script.write_text( + f""" + x=1 + while [ $x -le 200000 ]; do + SCRIPT=`bash {str(tmp_preflight)} 2> /dev/null; echo $?` + if [ ${{SCRIPT}} == 0 ]; then + break + fi + x=$(( $x + 1 )) + done + """ + ) + run_script.chmod(0o0777) + # pylint: disable=W1509 + ret = subprocess.Popen( + ["sh", f"{run_script}"], + preexec_fn=demote(account.info.uid, account.info.gid), + stdout=None, + stderr=None, + stdin=None, + universal_newlines=True, + ) + # pylint: enable=W1509 + ret = salt_ssh_cli.run("test.ping") + assert ret.returncode == 0 + + # Lets make sure a different user other than root + # Didn't run the script + assert os.stat(script).st_uid != account.info.uid + assert script.is_file() 
+ finally: + for _file in [script, preflight, tmp_preflight, run_script]: + if _file.is_file(): + _file.unlink() + + +@pytest.mark.slow_test +def test_ssh_run_pre_flight_target_file_perms(salt_ssh_cli, _create_roster, tmp_path): + """ + test ssh_pre_flight to ensure the target pre flight script + has the correct perms + """ + perms_file = tmp_path / "perms" + with salt.utils.files.fopen(_create_roster["data"]["ssh_pre_flight"], "w") as fp_: + fp_.write( + f""" + SCRIPT_NAME=$0 + stat -L -c "%a %G %U" $SCRIPT_NAME > {perms_file} + """ + ) + + ret = salt_ssh_cli.run( + "test.ping", + "--pre-flight", + ) + assert ret.returncode == 0 + with salt.utils.files.fopen(perms_file) as fp: + data = fp.read() + assert data.split()[0] == "600" + uid = os.getuid() + gid = os.getgid() + assert data.split()[1] == grp.getgrgid(gid).gr_name + assert data.split()[2] == pwd.getpwuid(uid).pw_name From 8ed7bad4f8b9439ad2fbb86a22d120fb2fa592ce Mon Sep 17 00:00:00 2001 From: Megan Wilhite Date: Thu, 28 Sep 2023 07:59:29 -0600 Subject: [PATCH 06/17] Fix CVE-2023-34049 --- changelog/cve-2023-34049.security | 2 + salt/client/ssh/__init__.py | 68 +- tests/pytests/unit/client/ssh/test_single.py | 820 +++++++++++++++++++ tests/pytests/unit/client/ssh/test_ssh.py | 277 +++++++ 4 files changed, 1149 insertions(+), 18 deletions(-) create mode 100644 changelog/cve-2023-34049.security create mode 100644 tests/pytests/unit/client/ssh/test_single.py diff --git a/changelog/cve-2023-34049.security b/changelog/cve-2023-34049.security new file mode 100644 index 00000000000..6b0ca190a27 --- /dev/null +++ b/changelog/cve-2023-34049.security @@ -0,0 +1,2 @@ +Fix CVE-2023-34049 by ensuring we do not use a predictable name for the script and correctly check returncode of scp command. +This only impacts salt-ssh users using the pre-flight option. diff --git a/salt/client/ssh/__init__.py b/salt/client/ssh/__init__.py index 5e557c51da1..1c25942d90a 100644 --- a/salt/client/ssh/__init__.py 
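Review bot: In `test_ssh_pre_flight_perms` the `subprocess.Popen` handle is assigned to `ret` and overwritten on the next statement by `ret = salt_ssh_cli.run("test.ping")`, so the demoted loop that keeps trying to run the script from `/tmp` is never terminated or waited on and can outlive the test. Keep the handle under its own name, `racer = subprocess.Popen(...)`, initialise it to `None` before `try`, and call `racer.terminate()` and `racer.wait()` in the `finally` block. In the same test `run_script` is first assigned after `preflight.write_text(...)`, `_custom_roster(...)` and `preflight.chmod(...)`, all inside `try`, so a failure in any of them makes the `finally` loop raise `UnboundLocalError` and hide the original error; assigning the four paths before `try` avoids that. `assert script.is_file()` should also come before `assert os.stat(script).st_uid != account.info.uid`, because `os.stat` raises on a missing file instead of failing the assertion.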
+++ b/salt/client/ssh/__init__.py @@ -11,9 +11,11 @@ import hashlib import logging import multiprocessing import os +import pathlib import queue import re import shlex +import shutil import subprocess import sys import tarfile @@ -467,7 +469,14 @@ class SSH(MultiprocessingStateMixin): if target.get("passwd", False) or self.opts["ssh_passwd"]: self._key_deploy_run(host, target, False) return ret - if ret[host].get("stderr", "").count("Permission denied"): + stderr = ret[host].get("stderr", "") + # -failed to upload file- is detecting scp errors + # Errors to ignore when Permission denied is in the stderr. For example + # scp can get a permission denied on the target host, but they where + # able to accurate authenticate against the box + ignore_err = ["failed to upload file"] + check_err = [x for x in ignore_err if stderr.count(x)] + if "Permission denied" in stderr and not check_err: target = self.targets[host] # permission denied, attempt to auto deploy ssh key print( @@ -500,7 +509,7 @@ class SSH(MultiprocessingStateMixin): mods=self.mods, fsclient=self.fsclient, thin=self.thin, - **target + **target, ) if salt.utils.path.which("ssh-copy-id"): # we have ssh-copy-id, use it! @@ -516,7 +525,7 @@ class SSH(MultiprocessingStateMixin): mods=self.mods, fsclient=self.fsclient, thin=self.thin, - **target + **target, ) stdout, stderr, retcode = single.cmd_block() try: @@ -543,7 +552,7 @@ class SSH(MultiprocessingStateMixin): fsclient=self.fsclient, thin=self.thin, mine=mine, - **target + **target, ) ret = {"id": single.id} stdout, stderr, retcode = single.run() @@ -883,7 +892,7 @@ class Single: remote_port_forwards=None, winrm=False, ssh_options=None, - **kwargs + **kwargs, ): # Get mine setting and mine_functions if defined in kwargs (from roster) self.mine = mine 
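Review bot: The new branch in front of the key auto-deploy prompt separates an scp upload failure from an authentication failure only by the literal `failed to upload file` in stderr, and the comment above it does not say which scp output that string comes from; an scp that words the error differently would presumably still reach the prompt. I would record the source of the string and tidy the comment, e.g. `# scp prints "failed to upload file" when the copy is refused on the target after authentication succeeded; do not treat that as an auth failure`. The list built with `stderr.count(x)` reads more directly as `check_err = any(err in stderr for err in ignore_err)`. The enclosing method starts and ends outside this hunk.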
@@ -1007,11 +1016,32 @@ class Single: """ Run our pre_flight script before running any ssh commands """ - script = os.path.join(tempfile.gettempdir(), self.ssh_pre_file) + with tempfile.NamedTemporaryFile() as temp: + # ensure we use copyfile to not copy the file attributes + # we want to ensure we use the perms set by the secure + # NamedTemporaryFile + try: + shutil.copyfile(self.ssh_pre_flight, temp.name) + except OSError as err: + return ( + "", + f"Could not copy pre flight script {self.ssh_pre_flight} to temporary path", + 1, + ) + target_script = f".{pathlib.Path(temp.name).name}" + log.trace(f"Copying the pre flight script {self.ssh_pre_file} to target") + stdout, stderr, retcode = self.shell.send(temp.name, target_script) + if retcode != 0: + # We could not copy the script to the target + log.error( + f"Could not copy the pre flight script {self.ssh_pre_file} to target" + ) + return stdout, stderr, retcode - self.shell.send(self.ssh_pre_flight, script) - - return self.execute_script(script, script_args=self.ssh_pre_flight_args) + log.trace(f"Executing the pre flight script {self.ssh_pre_file} on target") + return self.execute_script( + target_script, script_args=self.ssh_pre_flight_args + ) def check_thin_dir(self): """ @@ -1131,7 +1161,7 @@ class Single: self.id, fsclient=self.fsclient, minion_opts=self.minion_opts, - **self.target + **self.target, ) opts_pkg = pre_wrapper["test.opts_pkg"]() # pylint: disable=E1102 @@ -1210,7 +1240,7 @@ class Single: self.id, fsclient=self.fsclient, minion_opts=self.minion_opts, - **self.target + **self.target, ) wrapper.fsclient.opts["cachedir"] = opts["cachedir"] self.wfuncs = salt.loader.ssh_wrapper(opts, wrapper, self.context) 
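Review bot: The `except OSError as err:` branch added to `run_ssh_pre_flight` binds `err` and never uses it, so the reason the local copy failed is lost to both the log and the caller. Logging it before the return keeps the returned tuple unchanged: `log.error("Could not copy pre flight script %s: %s", self.ssh_pre_flight, err)`. The `target_script` line also deserves a comment such as `# random temp-file name, dot-prefixed; never a fixed or guessable path on the target`, since that property is the point of the change. The method's `def` line is outside the hunk.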
@@ -1381,18 +1411,20 @@ ARGS = {arguments}\n'''.format( return self.shell.exec_cmd(cmd_str) # Write the shim to a temporary file in the default temp directory - with tempfile.NamedTemporaryFile( - mode="w+b", prefix="shim_", delete=False - ) as shim_tmp_file: + with tempfile.NamedTemporaryFile(mode="w+b", delete=False) as shim_tmp_file: shim_tmp_file.write(salt.utils.stringutils.to_bytes(cmd_str)) # Copy shim to target system, under $HOME/. - target_shim_file = ".{}.{}".format( - binascii.hexlify(os.urandom(6)).decode("ascii"), extension - ) + target_shim_file = f".{pathlib.Path(shim_tmp_file.name).name}" + if self.winrm: target_shim_file = saltwinshell.get_target_shim_file(self, target_shim_file) - self.shell.send(shim_tmp_file.name, target_shim_file, makedirs=True) + stdout, stderr, retcode = self.shell.send( + shim_tmp_file.name, target_shim_file, makedirs=True + ) + if retcode != 0: + log.error(f"Could not copy the shim script to target") + return stdout, stderr, retcode # Remove our shim file try: diff --git a/tests/pytests/unit/client/ssh/test_single.py b/tests/pytests/unit/client/ssh/test_single.py new file mode 100644 index 00000000000..912c8cccec0 --- /dev/null +++ b/tests/pytests/unit/client/ssh/test_single.py 
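Review bot: The early `return stdout, stderr, retcode` added after `self.shell.send(...)` in the shim path comes before the `# Remove our shim file` block, so when the copy fails the local file created with `delete=False` (which holds `cmd_str`) is left in the temp directory. Running the existing removal before the `retcode` check, or wrapping the send in `try`/`finally` around it, closes that gap. The log call is an f-string without placeholders and can be a plain string: `log.error("Could not copy the shim script to target")`. The remote name also no longer carries `extension`; whether the `saltwinshell.get_target_shim_file` path relied on it cannot be seen from here. The function starts and ends outside this hunk.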
@@ -0,0 +1,820 @@ +import logging +import re +from textwrap import dedent + +import pytest +import salt.client.ssh.client +import salt.config +import salt.roster +import salt.utils.files +import salt.utils.path +import salt.utils.platform +import salt.utils.thin +import salt.utils.yaml +from salt.client import ssh +from tests.support.mock import MagicMock, call, patch + +log = logging.getLogger(__name__) + + +@pytest.fixture +def opts(tmp_path): + return { + "argv": [ + "ssh.set_auth_key", + "root", + "hobn+amNAXSBTiOXEqlBjGB...rsa root@master", + ], + "__role": "master", + "cachedir": str(tmp_path), + "extension_modules": str(tmp_path / "extmods"), + } + + +@pytest.fixture +def target(): + return { + "passwd": "abc123", + "ssh_options": None, + "sudo": False, + "identities_only": False, + "host": "login1", + "user": "root", + "timeout": 65, + "remote_port_forwards": None, + "sudo_user": "", + "port": "22", + "priv": "/etc/salt/pki/master/ssh/salt-ssh.rsa", + } + + +def test_single_opts(opts, target): + """Sanity check for ssh.Single options""" + + single = ssh.Single( + opts, + opts["argv"], + "localhost", + mods={}, + fsclient=None, + thin=salt.utils.thin.thin_path(opts["cachedir"]), + mine=False, + **target, + ) + + assert single.shell._ssh_opts() == "" + expected_cmd = ( + "ssh login1 " + "-o KbdInteractiveAuthentication=no -o " + "PasswordAuthentication=yes -o ConnectTimeout=65 -o Port=22 " + "-o IdentityFile=/etc/salt/pki/master/ssh/salt-ssh.rsa " + "-o User=root date +%s" + ) + assert single.shell._cmd_str("date +%s") == expected_cmd + + +def test_run_with_pre_flight(opts, target, tmp_path): + """ + test Single.run() when ssh_pre_flight is set + and script successfully runs + """ + target["ssh_pre_flight"] = str(tmp_path / "script.sh") + single = ssh.Single( + opts, + opts["argv"], + "localhost", + mods={}, + fsclient=None, + thin=salt.utils.thin.thin_path(opts["cachedir"]), + mine=False, + **target, + ) + + cmd_ret = ("Success", "", 0) + mock_flight = 
MagicMock(return_value=cmd_ret) + mock_cmd = MagicMock(return_value=cmd_ret) + patch_flight = patch("salt.client.ssh.Single.run_ssh_pre_flight", mock_flight) + patch_cmd = patch("salt.client.ssh.Single.cmd_block", mock_cmd) + patch_exec_cmd = patch( + "salt.client.ssh.shell.Shell.exec_cmd", return_value=("", "", 1) + ) + patch_os = patch("os.path.exists", side_effect=[True]) + + with patch_os, patch_flight, patch_cmd, patch_exec_cmd: + ret = single.run() + mock_cmd.assert_called() + mock_flight.assert_called() + assert ret == cmd_ret + + +def test_run_with_pre_flight_with_args(opts, target, tmp_path): + """ + test Single.run() when ssh_pre_flight is set + and script successfully runs + """ + target["ssh_pre_flight"] = str(tmp_path / "script.sh") + target["ssh_pre_flight_args"] = "foobar" + single = ssh.Single( + opts, + opts["argv"], + "localhost", + mods={}, + fsclient=None, + thin=salt.utils.thin.thin_path(opts["cachedir"]), + mine=False, + **target, + ) + + cmd_ret = ("Success", "foobar", 0) + mock_flight = MagicMock(return_value=cmd_ret) + mock_cmd = MagicMock(return_value=cmd_ret) + patch_flight = patch("salt.client.ssh.Single.run_ssh_pre_flight", mock_flight) + patch_cmd = patch("salt.client.ssh.Single.cmd_block", mock_cmd) + patch_exec_cmd = patch( + "salt.client.ssh.shell.Shell.exec_cmd", return_value=("", "", 1) + ) + patch_os = patch("os.path.exists", side_effect=[True]) + + with patch_os, patch_flight, patch_cmd, patch_exec_cmd: + ret = single.run() + mock_cmd.assert_called() + mock_flight.assert_called() + assert ret == cmd_ret + + +def test_run_with_pre_flight_stderr(opts, target, tmp_path): + """ + test Single.run() when ssh_pre_flight is set + and script errors when run + """ + target["ssh_pre_flight"] = str(tmp_path / "script.sh") + single = ssh.Single( + opts, + opts["argv"], + "localhost", + mods={}, + fsclient=None, + thin=salt.utils.thin.thin_path(opts["cachedir"]), + mine=False, + **target, + ) + + cmd_ret = ("", "Error running script", 1) + 
mock_flight = MagicMock(return_value=cmd_ret) + mock_cmd = MagicMock(return_value=cmd_ret) + patch_flight = patch("salt.client.ssh.Single.run_ssh_pre_flight", mock_flight) + patch_cmd = patch("salt.client.ssh.Single.cmd_block", mock_cmd) + patch_exec_cmd = patch( + "salt.client.ssh.shell.Shell.exec_cmd", return_value=("", "", 1) + ) + patch_os = patch("os.path.exists", side_effect=[True]) + + with patch_os, patch_flight, patch_cmd, patch_exec_cmd: + ret = single.run() + mock_cmd.assert_not_called() + mock_flight.assert_called() + assert ret == cmd_ret + + +def test_run_with_pre_flight_script_doesnot_exist(opts, target, tmp_path): + """ + test Single.run() when ssh_pre_flight is set + and the script does not exist + """ + target["ssh_pre_flight"] = str(tmp_path / "script.sh") + single = ssh.Single( + opts, + opts["argv"], + "localhost", + mods={}, + fsclient=None, + thin=salt.utils.thin.thin_path(opts["cachedir"]), + mine=False, + **target, + ) + + cmd_ret = ("Success", "", 0) + mock_flight = MagicMock(return_value=cmd_ret) + mock_cmd = MagicMock(return_value=cmd_ret) + patch_flight = patch("salt.client.ssh.Single.run_ssh_pre_flight", mock_flight) + patch_cmd = patch("salt.client.ssh.Single.cmd_block", mock_cmd) + patch_exec_cmd = patch( + "salt.client.ssh.shell.Shell.exec_cmd", return_value=("", "", 1) + ) + patch_os = patch("os.path.exists", side_effect=[False]) + + with patch_os, patch_flight, patch_cmd, patch_exec_cmd: + ret = single.run() + mock_cmd.assert_called() + mock_flight.assert_not_called() + assert ret == cmd_ret + + +def test_run_with_pre_flight_thin_dir_exists(opts, target, tmp_path): + """ + test Single.run() when ssh_pre_flight is set + and thin_dir already exists + """ + target["ssh_pre_flight"] = str(tmp_path / "script.sh") + single = ssh.Single( + opts, + opts["argv"], + "localhost", + mods={}, + fsclient=None, + thin=salt.utils.thin.thin_path(opts["cachedir"]), + mine=False, + **target, + ) + + cmd_ret = ("", "", 0) + mock_flight = 
MagicMock(return_value=cmd_ret) + mock_cmd = MagicMock(return_value=cmd_ret) + patch_flight = patch("salt.client.ssh.Single.run_ssh_pre_flight", mock_flight) + patch_cmd = patch("salt.client.ssh.shell.Shell.exec_cmd", mock_cmd) + patch_cmd_block = patch("salt.client.ssh.Single.cmd_block", mock_cmd) + patch_os = patch("os.path.exists", return_value=True) + + with patch_os, patch_flight, patch_cmd, patch_cmd_block: + ret = single.run() + mock_cmd.assert_called() + mock_flight.assert_not_called() + assert ret == cmd_ret + + +def test_run_ssh_pre_flight(opts, target, tmp_path): + """ + test Single.run_ssh_pre_flight function + """ + target["ssh_pre_flight"] = str(tmp_path / "script.sh") + single = ssh.Single( + opts, + opts["argv"], + "localhost", + mods={}, + fsclient=None, + thin=salt.utils.thin.thin_path(opts["cachedir"]), + mine=False, + **target, + ) + + cmd_ret = ("Success", "", 0) + mock_flight = MagicMock(return_value=cmd_ret) + mock_cmd = MagicMock(return_value=cmd_ret) + patch_flight = patch("salt.client.ssh.Single.run_ssh_pre_flight", mock_flight) + patch_cmd = patch("salt.client.ssh.Single.cmd_block", mock_cmd) + patch_exec_cmd = patch( + "salt.client.ssh.shell.Shell.exec_cmd", return_value=("", "", 1) + ) + patch_os = patch("os.path.exists", side_effect=[True]) + + with patch_os, patch_flight, patch_cmd, patch_exec_cmd: + ret = single.run() + mock_cmd.assert_called() + mock_flight.assert_called() + assert ret == cmd_ret + + +def test_execute_script(opts, target, tmp_path): + """ + test Single.execute_script() + """ + single = ssh.Single( + opts, + opts["argv"], + "localhost", + mods={}, + fsclient=None, + thin=salt.utils.thin.thin_path(opts["cachedir"]), + mine=False, + winrm=False, + **target, + ) + + exp_ret = ("Success", "", 0) + mock_cmd = MagicMock(return_value=exp_ret) + patch_cmd = patch("salt.client.ssh.shell.Shell.exec_cmd", mock_cmd) + script = str(tmp_path / "script.sh") + + with patch_cmd: + ret = single.execute_script(script=script) + assert 
ret == exp_ret + assert mock_cmd.call_count == 2 + assert [ + call("/bin/sh '{}'".format(script)), + call("rm '{}'".format(script)), + ] == mock_cmd.call_args_list + + +def test_shim_cmd(opts, target, tmp_path): + """ + test Single.shim_cmd() + """ + single = ssh.Single( + opts, + opts["argv"], + "localhost", + mods={}, + fsclient=None, + thin=salt.utils.thin.thin_path(opts["cachedir"]), + mine=False, + winrm=False, + tty=True, + **target, + ) + + exp_ret = ("Success", "", 0) + mock_cmd = MagicMock(return_value=exp_ret) + patch_cmd = patch("salt.client.ssh.shell.Shell.exec_cmd", mock_cmd) + patch_send = patch("salt.client.ssh.shell.Shell.send", return_value=("", "", 0)) + patch_rand = patch("os.urandom", return_value=b"5\xd9l\xca\xc2\xff") + tmp_file = tmp_path / "tmp_file" + mock_tmp = MagicMock() + patch_tmp = patch("tempfile.NamedTemporaryFile", mock_tmp) + mock_tmp.return_value.__enter__.return_value.name = tmp_file + + with patch_cmd, patch_tmp, patch_send: + ret = single.shim_cmd(cmd_str="echo test") + assert ret == exp_ret + assert [ + call(f"/bin/sh '.{tmp_file.name}'"), + call(f"rm '.{tmp_file.name}'"), + ] == mock_cmd.call_args_list + + +def test_shim_cmd_copy_fails(opts, target, caplog): + """ + test Single.shim_cmd() when copying the file fails + """ + single = ssh.Single( + opts, + opts["argv"], + "localhost", + mods={}, + fsclient=None, + thin=salt.utils.thin.thin_path(opts["cachedir"]), + mine=False, + winrm=False, + tty=True, + **target, + ) + + ret_cmd = ("Success", "", 0) + mock_cmd = MagicMock(return_value=ret_cmd) + patch_cmd = patch("salt.client.ssh.shell.Shell.exec_cmd", mock_cmd) + ret_send = ("", "General error in file copy", 1) + patch_send = patch("salt.client.ssh.shell.Shell.send", return_value=ret_send) + patch_rand = patch("os.urandom", return_value=b"5\xd9l\xca\xc2\xff") + + with patch_cmd, patch_rand, patch_send: + ret = single.shim_cmd(cmd_str="echo test") + assert ret == ret_send + assert "Could not copy the shim script to target" 
in caplog.text + mock_cmd.assert_not_called() + + +def test_run_ssh_pre_flight_no_connect(opts, target, tmp_path, caplog): + """ + test Single.run_ssh_pre_flight when you + cannot connect to the target + """ + pre_flight = tmp_path / "script.sh" + pre_flight.write_text("") + target["ssh_pre_flight"] = str(pre_flight) + single = ssh.Single( + opts, + opts["argv"], + "localhost", + mods={}, + fsclient=None, + thin=salt.utils.thin.thin_path(opts["cachedir"]), + mine=False, + winrm=False, + tty=True, + **target, + ) + mock_exec_cmd = MagicMock(return_value=("", "", 1)) + patch_exec_cmd = patch("salt.client.ssh.shell.Shell.exec_cmd", mock_exec_cmd) + tmp_file = tmp_path / "tmp_file" + mock_tmp = MagicMock() + patch_tmp = patch("tempfile.NamedTemporaryFile", mock_tmp) + mock_tmp.return_value.__enter__.return_value.name = tmp_file + ret_send = ( + "", + "ssh: connect to host 192.168.1.186 port 22: No route to host\nscp: Connection closed\n", + 255, + ) + send_mock = MagicMock(return_value=ret_send) + patch_send = patch("salt.client.ssh.shell.Shell.send", send_mock) + + with caplog.at_level(logging.TRACE): + with patch_send, patch_exec_cmd, patch_tmp: + ret = single.run_ssh_pre_flight() + assert f"Copying the pre flight script {pre_flight.name}" in caplog.text + assert ( + f"Could not copy the pre flight script {pre_flight.name} to target" + in caplog.text + ) + assert ret == ret_send + assert send_mock.call_args_list[0][0][0] == tmp_file + target_script = send_mock.call_args_list[0][0][1] + assert re.search(r".[a-z0-9]+", target_script) + mock_exec_cmd.assert_not_called() + + +def test_run_ssh_pre_flight_permission_denied(opts, target, tmp_path): + """ + test Single.run_ssh_pre_flight when you + cannot copy script to the target due to + a permission denied error + """ + pre_flight = tmp_path / "script.sh" + pre_flight.write_text("") + target["ssh_pre_flight"] = str(pre_flight) + single = ssh.Single( + opts, + opts["argv"], + "localhost", + mods={}, + fsclient=None, + 
thin=salt.utils.thin.thin_path(opts["cachedir"]), + mine=False, + winrm=False, + tty=True, + **target, + ) + mock_exec_cmd = MagicMock(return_value=("", "", 1)) + patch_exec_cmd = patch("salt.client.ssh.shell.Shell.exec_cmd", mock_exec_cmd) + tmp_file = tmp_path / "tmp_file" + mock_tmp = MagicMock() + patch_tmp = patch("tempfile.NamedTemporaryFile", mock_tmp) + mock_tmp.return_value.__enter__.return_value.name = tmp_file + ret_send = ( + "", + 'scp: dest open "/tmp/preflight.sh": Permission denied\nscp: failed to upload file /etc/salt/preflight.sh to /tmp/preflight.sh\n', + 255, + ) + send_mock = MagicMock(return_value=ret_send) + patch_send = patch("salt.client.ssh.shell.Shell.send", send_mock) + + with patch_send, patch_exec_cmd, patch_tmp: + ret = single.run_ssh_pre_flight() + assert ret == ret_send + assert send_mock.call_args_list[0][0][0] == tmp_file + target_script = send_mock.call_args_list[0][0][1] + assert re.search(r".[a-z0-9]+", target_script) + mock_exec_cmd.assert_not_called() + + +def test_run_ssh_pre_flight_connect(opts, target, tmp_path, caplog): + """ + test Single.run_ssh_pre_flight when you + can connect to the target + """ + pre_flight = tmp_path / "script.sh" + pre_flight.write_text("") + target["ssh_pre_flight"] = str(pre_flight) + single = ssh.Single( + opts, + opts["argv"], + "localhost", + mods={}, + fsclient=None, + thin=salt.utils.thin.thin_path(opts["cachedir"]), + mine=False, + winrm=False, + tty=True, + **target, + ) + ret_exec_cmd = ("", "", 1) + mock_exec_cmd = MagicMock(return_value=ret_exec_cmd) + patch_exec_cmd = patch("salt.client.ssh.shell.Shell.exec_cmd", mock_exec_cmd) + tmp_file = tmp_path / "tmp_file" + mock_tmp = MagicMock() + patch_tmp = patch("tempfile.NamedTemporaryFile", mock_tmp) + mock_tmp.return_value.__enter__.return_value.name = tmp_file + ret_send = ( + "", + "\rroot@192.168.1.187's password: \n\rpreflight.sh 0% 0 0.0KB/s --:-- ETA\rpreflight.sh 100% 20 2.7KB/s 00:00 \n", + 0, + ) + send_mock = 
MagicMock(return_value=ret_send) + patch_send = patch("salt.client.ssh.shell.Shell.send", send_mock) + + with caplog.at_level(logging.TRACE): + with patch_send, patch_exec_cmd, patch_tmp: + ret = single.run_ssh_pre_flight() + + assert f"Executing the pre flight script {pre_flight.name} on target" in caplog.text + assert ret == ret_exec_cmd + assert send_mock.call_args_list[0][0][0] == tmp_file + target_script = send_mock.call_args_list[0][0][1] + assert re.search(r".[a-z0-9]+", target_script) + mock_exec_cmd.assert_called() + + +def test_run_ssh_pre_flight_shutil_fails(opts, target, tmp_path): + """ + test Single.run_ssh_pre_flight when cannot + copyfile with shutil + """ + pre_flight = tmp_path / "script.sh" + pre_flight.write_text("") + target["ssh_pre_flight"] = str(pre_flight) + single = ssh.Single( + opts, + opts["argv"], + "localhost", + mods={}, + fsclient=None, + thin=salt.utils.thin.thin_path(opts["cachedir"]), + mine=False, + winrm=False, + tty=True, + **target, + ) + ret_exec_cmd = ("", "", 1) + mock_exec_cmd = MagicMock(return_value=ret_exec_cmd) + patch_exec_cmd = patch("salt.client.ssh.shell.Shell.exec_cmd", mock_exec_cmd) + tmp_file = tmp_path / "tmp_file" + mock_tmp = MagicMock() + patch_tmp = patch("tempfile.NamedTemporaryFile", mock_tmp) + mock_tmp.return_value.__enter__.return_value.name = tmp_file + send_mock = MagicMock() + mock_shutil = MagicMock(side_effect=IOError("Permission Denied")) + patch_shutil = patch("shutil.copyfile", mock_shutil) + patch_send = patch("salt.client.ssh.shell.Shell.send", send_mock) + + with patch_send, patch_exec_cmd, patch_tmp, patch_shutil: + ret = single.run_ssh_pre_flight() + + assert ret == ( + "", + f"Could not copy pre flight script {pre_flight} to temporary path", + 1, + ) + mock_exec_cmd.assert_not_called() + send_mock.assert_not_called() + + +@pytest.mark.skip_on_windows(reason="SSH_PY_SHIM not set on windows") +@pytest.mark.slow_test +def test_cmd_run_set_path(opts, target): + """ + test when set_path is 
set + """ + target["set_path"] = "$PATH:/tmp/path/" + single = ssh.Single( + opts, + opts["argv"], + "localhost", + mods={}, + fsclient=None, + thin=salt.utils.thin.thin_path(opts["cachedir"]), + mine=False, + **target, + ) + + ret = single._cmd_str() + assert re.search("\\" + target["set_path"], ret) + + +@pytest.mark.skip_on_windows(reason="SSH_PY_SHIM not set on windows") +@pytest.mark.slow_test +def test_cmd_run_not_set_path(opts, target): + """ + test when set_path is not set + """ + single = ssh.Single( + opts, + opts["argv"], + "localhost", + mods={}, + fsclient=None, + thin=salt.utils.thin.thin_path(opts["cachedir"]), + mine=False, + **target, + ) + + ret = single._cmd_str() + assert re.search('SET_PATH=""', ret) + + +@pytest.mark.skip_on_windows(reason="SSH_PY_SHIM not set on windows") +@pytest.mark.slow_test +def test_cmd_block_python_version_error(opts, target): + single = ssh.Single( + opts, + opts["argv"], + "localhost", + mods={}, + fsclient=None, + thin=salt.utils.thin.thin_path(opts["cachedir"]), + mine=False, + winrm=False, + **target, + ) + mock_shim = MagicMock( + return_value=(("", "ERROR: Unable to locate appropriate python command\n", 10)) + ) + patch_shim = patch("salt.client.ssh.Single.shim_cmd", mock_shim) + with patch_shim: + ret = single.cmd_block() + assert "ERROR: Python version error. 
Recommendation(s) follow:" in ret[0] + + +def _check_skip(grains): + if grains["os"] == "MacOS": + return True + return False + + +@pytest.mark.skip_initial_gh_actions_failure(skip=_check_skip) +@pytest.mark.skip_on_windows(reason="pre_flight_args is not implemented for Windows") +@pytest.mark.parametrize( + "test_opts", + [ + (None, ""), + ("one", " one"), + ("one two", " one two"), + ("| touch /tmp/test", " '|' touch /tmp/test"), + ("; touch /tmp/test", " ';' touch /tmp/test"), + (["one"], " one"), + (["one", "two"], " one two"), + (["one", "two", "| touch /tmp/test"], " one two '| touch /tmp/test'"), + (["one", "two", "; touch /tmp/test"], " one two '; touch /tmp/test'"), + ], +) +def test_run_with_pre_flight_args(opts, target, test_opts, tmp_path): + """ + test Single.run() when ssh_pre_flight is set + and script successfully runs + """ + opts["ssh_run_pre_flight"] = True + pre_flight_script = tmp_path / "script.sh" + pre_flight_script.write_text("") + target["ssh_pre_flight"] = str(pre_flight_script) + + if test_opts[0] is not None: + target["ssh_pre_flight_args"] = test_opts[0] + expected_args = test_opts[1] + + single = ssh.Single( + opts, + opts["argv"], + "localhost", + mods={}, + fsclient=None, + thin=salt.utils.thin.thin_path(opts["cachedir"]), + mine=False, + **target, + ) + + cmd_ret = ("Success", "", 0) + mock_cmd = MagicMock(return_value=cmd_ret) + mock_exec_cmd = MagicMock(return_value=("", "", 0)) + patch_cmd = patch("salt.client.ssh.Single.cmd_block", mock_cmd) + patch_exec_cmd = patch("salt.client.ssh.shell.Shell.exec_cmd", mock_exec_cmd) + patch_shell_send = patch( + "salt.client.ssh.shell.Shell.send", return_value=("", "", 0) + ) + patch_os = patch("os.path.exists", side_effect=[True]) + + with patch_os, patch_cmd, patch_exec_cmd, patch_shell_send: + single.run() + script_args = mock_exec_cmd.mock_calls[0].args[0] + assert re.search(r"\/bin\/sh '.[a-z0-9]+", script_args) + + +@pytest.mark.slow_test +@pytest.mark.skip_on_windows(reason="Windows 
does not support salt-ssh") +@pytest.mark.skip_if_binaries_missing("ssh", check_all=True) +def test_ssh_single__cmd_str(opts): + argv = [] + id_ = "minion" + host = "minion" + + single = ssh.Single(opts, argv, id_, host, sudo=False) + cmd = single._cmd_str() + expected = dedent( + """ + SUDO="" + if [ -n "" ] + then SUDO=" " + fi + SUDO_USER="" + if [ "$SUDO" ] && [ "$SUDO_USER" ] + then SUDO="$SUDO -u $SUDO_USER" + fi + """ + ) + + assert expected in cmd + + +@pytest.mark.slow_test +@pytest.mark.skip_on_windows(reason="Windows does not support salt-ssh") +@pytest.mark.skip_if_binaries_missing("ssh", check_all=True) +def test_ssh_single__cmd_str_sudo(opts): + argv = [] + id_ = "minion" + host = "minion" + + single = ssh.Single(opts, argv, id_, host, sudo=True) + cmd = single._cmd_str() + expected = dedent( + """ + SUDO="" + if [ -n "sudo" ] + then SUDO="sudo " + fi + SUDO_USER="" + if [ "$SUDO" ] && [ "$SUDO_USER" ] + then SUDO="$SUDO -u $SUDO_USER" + fi + """ + ) + + assert expected in cmd + + +@pytest.mark.slow_test +@pytest.mark.skip_on_windows(reason="Windows does not support salt-ssh") +@pytest.mark.skip_if_binaries_missing("ssh", check_all=True) +def test_ssh_single__cmd_str_sudo_user(opts): + argv = [] + id_ = "minion" + host = "minion" + user = "wayne" + + single = ssh.Single(opts, argv, id_, host, sudo=True, sudo_user=user) + cmd = single._cmd_str() + expected = dedent( + """ + SUDO="" + if [ -n "sudo" ] + then SUDO="sudo " + fi + SUDO_USER="wayne" + if [ "$SUDO" ] && [ "$SUDO_USER" ] + then SUDO="$SUDO -u $SUDO_USER" + fi + """ + ) + + assert expected in cmd + + +@pytest.mark.slow_test +@pytest.mark.skip_on_windows(reason="Windows does not support salt-ssh") +@pytest.mark.skip_if_binaries_missing("ssh", check_all=True) +def test_ssh_single__cmd_str_sudo_passwd(opts): + argv = [] + id_ = "minion" + host = "minion" + passwd = "salty" + + single = ssh.Single(opts, argv, id_, host, sudo=True, passwd=passwd) + cmd = single._cmd_str() + expected = dedent( + """ 
+ SUDO="" + if [ -n "sudo -p '[salt:sudo:d11bd4221135c33324a6bdc09674146fbfdf519989847491e34a689369bbce23]passwd:'" ] + then SUDO="sudo -p '[salt:sudo:d11bd4221135c33324a6bdc09674146fbfdf519989847491e34a689369bbce23]passwd:' " + fi + SUDO_USER="" + if [ "$SUDO" ] && [ "$SUDO_USER" ] + then SUDO="$SUDO -u $SUDO_USER" + fi + """ + ) + + assert expected in cmd + + +@pytest.mark.slow_test +@pytest.mark.skip_on_windows(reason="Windows does not support salt-ssh") +@pytest.mark.skip_if_binaries_missing("ssh", check_all=True) +def test_ssh_single__cmd_str_sudo_passwd_user(opts): + argv = [] + id_ = "minion" + host = "minion" + user = "wayne" + passwd = "salty" + + single = ssh.Single(opts, argv, id_, host, sudo=True, passwd=passwd, sudo_user=user) + cmd = single._cmd_str() + expected = dedent( + """ + SUDO="" + if [ -n "sudo -p '[salt:sudo:d11bd4221135c33324a6bdc09674146fbfdf519989847491e34a689369bbce23]passwd:'" ] + then SUDO="sudo -p '[salt:sudo:d11bd4221135c33324a6bdc09674146fbfdf519989847491e34a689369bbce23]passwd:' " + fi + SUDO_USER="wayne" + if [ "$SUDO" ] && [ "$SUDO_USER" ] + then SUDO="$SUDO -u $SUDO_USER" + fi + """ + ) + + assert expected in cmd diff --git a/tests/pytests/unit/client/ssh/test_ssh.py b/tests/pytests/unit/client/ssh/test_ssh.py index b9388f10ea2..07f70c42437 100644 --- a/tests/pytests/unit/client/ssh/test_ssh.py +++ b/tests/pytests/unit/client/ssh/test_ssh.py 
@@ -194,3 +194,280 @@ def test_run_with_pre_flight_args(ssh_target, test_opts): assert mock_exec_cmd.mock_calls[0].args[ 0 ] == "/bin/sh '/tmp/script.sh'{}".format(expected_args) + + +def test_expand_target_dns(opts, roster): + """ + test expand_target when target is root@ + """ + host = "localhost" + user = "test-user@" + opts["tgt"] = user + host + + with patch("salt.utils.network.is_reachable_host", MagicMock(return_value=False)): + client = ssh.SSH(opts) + assert opts["tgt"] == user + host + with patch( + "salt.roster.get_roster_file", MagicMock(return_value="/etc/salt/roster") + ), patch( + "salt.client.ssh.compile_template", + MagicMock(return_value=salt.utils.yaml.safe_load(roster)), + ): + client._expand_target() + assert opts["tgt"] == host + + +def test_expand_target_no_user(opts, roster): + """ + test expand_target when no user defined + """ + host = "127.0.0.1" + opts["tgt"] = host + + with patch("salt.utils.network.is_reachable_host", MagicMock(return_value=False)): + client = ssh.SSH(opts) + assert opts["tgt"] == host + + with patch( + "salt.roster.get_roster_file", MagicMock(return_value="/etc/salt/roster") + ), patch( + "salt.client.ssh.compile_template", + MagicMock(return_value=salt.utils.yaml.safe_load(roster)), + ): + client._expand_target() + assert opts["tgt"] == host + + +def test_update_targets_ip_address(opts): + """ + test update_targets when host is ip address + """ + host = "127.0.0.1" + user = "test-user@" + opts["tgt"] = user + host + + with patch("salt.utils.network.is_reachable_host", MagicMock(return_value=False)): + client = ssh.SSH(opts) + assert opts["tgt"] == user + host + client._update_targets() + assert opts["tgt"] == host + assert client.targets[host]["user"] == user.split("@")[0] + + +def test_update_targets_dns(opts): + """ + test update_targets when host is dns + """ + host = "localhost" + user = "test-user@" + opts["tgt"] = user + host + + with patch("salt.utils.network.is_reachable_host", MagicMock(return_value=False)): 
+ client = ssh.SSH(opts) + assert opts["tgt"] == user + host + client._update_targets() + assert opts["tgt"] == host + assert client.targets[host]["user"] == user.split("@")[0] + + +def test_update_targets_no_user(opts): + """ + test update_targets when no user defined + """ + host = "127.0.0.1" + opts["tgt"] = host + + with patch("salt.utils.network.is_reachable_host", MagicMock(return_value=False)): + client = ssh.SSH(opts) + assert opts["tgt"] == host + client._update_targets() + assert opts["tgt"] == host + + +def test_update_expand_target_dns(opts, roster): + """ + test update_targets and expand_target when host is dns + """ + host = "localhost" + user = "test-user@" + opts["tgt"] = user + host + + with patch("salt.utils.network.is_reachable_host", MagicMock(return_value=False)): + client = ssh.SSH(opts) + assert opts["tgt"] == user + host + with patch( + "salt.roster.get_roster_file", MagicMock(return_value="/etc/salt/roster") + ), patch( + "salt.client.ssh.compile_template", + MagicMock(return_value=salt.utils.yaml.safe_load(roster)), + ): + client._expand_target() + client._update_targets() + assert opts["tgt"] == host + assert client.targets[host]["user"] == user.split("@")[0] + + +def test_parse_tgt(opts): + """ + test parse_tgt when user and host set on + the ssh cli tgt + """ + host = "localhost" + user = "test-user@" + opts["tgt"] = user + host + + with patch("salt.utils.network.is_reachable_host", MagicMock(return_value=False)): + assert not opts.get("ssh_cli_tgt") + client = ssh.SSH(opts) + assert client.parse_tgt["hostname"] == host + assert client.parse_tgt["user"] == user.split("@")[0] + assert opts.get("ssh_cli_tgt") == user + host + + +def test_parse_tgt_no_user(opts): + """ + test parse_tgt when only the host set on + the ssh cli tgt + """ + host = "localhost" + opts["ssh_user"] = "ssh-usr" + opts["tgt"] = host + + with patch("salt.utils.network.is_reachable_host", MagicMock(return_value=False)): + assert not opts.get("ssh_cli_tgt") + client = 
ssh.SSH(opts) + assert client.parse_tgt["hostname"] == host + assert client.parse_tgt["user"] == opts["ssh_user"] + assert opts.get("ssh_cli_tgt") == host + + +def test_extra_filerefs(tmp_path, opts): + """ + test "extra_filerefs" are not excluded from kwargs + when preparing the SSH opts + """ + ssh_opts = { + "eauth": "auto", + "username": "test", + "password": "test", + "client": "ssh", + "tgt": "localhost", + "fun": "test.ping", + "ssh_port": 22, + "extra_filerefs": "salt://foobar", + } + roster = str(tmp_path / "roster") + client = salt.client.ssh.client.SSHClient(mopts=opts, disable_custom_roster=True) + with patch("salt.roster.get_roster_file", MagicMock(return_value=roster)): + ssh_obj = client._prep_ssh(**ssh_opts) + assert ssh_obj.opts.get("extra_filerefs", None) == "salt://foobar" + + +def test_key_deploy_permission_denied_scp(tmp_path, opts): + """ + test "key_deploy" function when + permission denied authentication error + when attempting to use scp to copy file + to target + """ + host = "localhost" + passwd = "password" + usr = "ssh-usr" + opts["ssh_user"] = usr + opts["tgt"] = host + + ssh_ret = { + host: { + "stdout": "\rroot@192.168.1.187's password: \n\rroot@192.168.1.187's password: \n\rroot@192.168.1.187's password: \n", + "stderr": "Permission denied, please try again.\nPermission denied, please try again.\nroot@192.168.1.187: Permission denied (publickey,gssapi-keyex,gssapi-with-micimport pudb; pu.dbassword).\nscp: Connection closed\n", + "retcode": 255, + } + } + key_run_ret = { + "localhost": { + "jid": "20230922155652279959", + "return": "test", + "retcode": 0, + "id": "test", + "fun": "cmd.run", + "fun_args": ["echo test"], + } + } + patch_roster_file = patch("salt.roster.get_roster_file", MagicMock(return_value="")) + with patch_roster_file: + client = ssh.SSH(opts) + patch_input = patch("builtins.input", side_effect=["y"]) + patch_getpass = patch("getpass.getpass", return_value=["password"]) + mock_key_run = 
MagicMock(return_value=key_run_ret) + patch_key_run = patch("salt.client.ssh.SSH._key_deploy_run", mock_key_run) + with patch_input, patch_getpass, patch_key_run: + ret = client.key_deploy(host, ssh_ret) + assert mock_key_run.call_args_list[0][0] == ( + host, + {"passwd": [passwd], "host": host, "user": usr}, + True, + ) + assert ret == key_run_ret + assert mock_key_run.call_count == 1 + + +def test_key_deploy_permission_denied_file_scp(tmp_path, opts): + """ + test "key_deploy" function when permission denied + due to not having access to copy the file to the target + We do not want to deploy the key, because this is not + an authentication to the target error. + """ + host = "localhost" + passwd = "password" + usr = "ssh-usr" + opts["ssh_user"] = usr + opts["tgt"] = host + + mock_key_run = MagicMock(return_value=False) + patch_key_run = patch("salt.client.ssh.SSH._key_deploy_run", mock_key_run) + + ssh_ret = { + "localhost": { + "stdout": "", + "stderr": 'scp: dest open "/tmp/preflight.sh": Permission denied\nscp: failed to upload file /etc/salt/preflight.sh to /tmp/preflight.sh\n', + "retcode": 1, + } + } + patch_roster_file = patch("salt.roster.get_roster_file", MagicMock(return_value="")) + with patch_roster_file: + client = ssh.SSH(opts) + ret = client.key_deploy(host, ssh_ret) + assert ret == ssh_ret + assert mock_key_run.call_count == 0 + + +def test_key_deploy_no_permission_denied(tmp_path, opts): + """ + test "key_deploy" function when no permission denied + is returned + """ + host = "localhost" + passwd = "password" + usr = "ssh-usr" + opts["ssh_user"] = usr + opts["tgt"] = host + + mock_key_run = MagicMock(return_value=False) + patch_key_run = patch("salt.client.ssh.SSH._key_deploy_run", mock_key_run) + ssh_ret = { + "localhost": { + "jid": "20230922161937998385", + "return": "test", + "retcode": 0, + "id": "test", + "fun": "cmd.run", + "fun_args": ["echo test"], + } + } + patch_roster_file = patch("salt.roster.get_roster_file", 
MagicMock(return_value="")) + with patch_roster_file: + client = ssh.SSH(opts) + ret = client.key_deploy(host, ssh_ret) + assert ret == ssh_ret + assert mock_key_run.call_count == 0 From a05bd144db17bf50bb4e9ac1e97bb10733aae235 Mon Sep 17 00:00:00 2001 From: Megan Wilhite Date: Thu, 28 Sep 2023 11:19:03 -0600 Subject: [PATCH 07/17] Do not run ssh integration tests on windows --- tests/pytests/integration/ssh/test_pre_flight.py | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/tests/pytests/integration/ssh/test_pre_flight.py b/tests/pytests/integration/ssh/test_pre_flight.py index 0f97424b5c8..4cbe0790019 100644 --- a/tests/pytests/integration/ssh/test_pre_flight.py +++ b/tests/pytests/integration/ssh/test_pre_flight.py @@ -2,10 +2,14 @@ Test for ssh_pre_flight roster option """ -import grp +try: + import grp + import pwd +except ImportError: + # windows stacktraces on import of these modules + pass import os import pathlib -import pwd import shutil import subprocess @@ -14,6 +18,8 @@ import salt.utils.files import yaml from saltfactories.utils import random_string +pytestmark = pytest.mark.skip_on_windows(reason="Salt-ssh not available on Windows") + def _custom_roster(roster_file, roster_data): with salt.utils.files.fopen(roster_file, "r") as fp: From e85ff36292cd0628eafc0090b574650fd706d753 Mon Sep 17 00:00:00 2001 From: Megan Wilhite Date: Fri, 29 Sep 2023 11:24:55 -0600 Subject: [PATCH 08/17] Fix ssh tests on 3005 --- tests/pytests/unit/client/ssh/test_ssh.py | 87 ++++++++--------------- tests/unit/client/test_ssh.py | 66 ----------------- 2 files changed, 28 insertions(+), 125 deletions(-) diff --git a/tests/pytests/unit/client/ssh/test_ssh.py b/tests/pytests/unit/client/ssh/test_ssh.py index 07f70c42437..6e487651ae2 100644 --- a/tests/pytests/unit/client/ssh/test_ssh.py +++ b/tests/pytests/unit/client/ssh/test_ssh.py 
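Review bot: In `test_key_deploy_permission_denied_file_scp` and `test_key_deploy_no_permission_denied`, `patch_key_run` is built but never entered, so `mock_key_run` is never installed on `salt.client.ssh.SSH._key_deploy_run` and `assert mock_key_run.call_count == 0` passes whatever `key_deploy` does. These tests exist to show that no key is deployed on a non-authentication failure, so the call should run under the patch: `with patch_key_run:` followed by `ret = client.key_deploy(host, ssh_ret)`. In `test_key_deploy_permission_denied_scp` the `stderr` fixture contains `gssapi-with-micimport pudb; pu.dbassword`, which looks like a debugger line pasted into the middle of `gssapi-with-mic,password`. In the same test, `patch("getpass.getpass", return_value=["password"])` returns a list where the real function returns a string, and the `{"passwd": [passwd], ...}` assertion then pins that shape.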
@@ -1,11 +1,8 @@ -import os - import pytest import salt.client.ssh.client import salt.utils.msgpack from salt.client import ssh from tests.support.mock import MagicMock, patch -from tests.support.runtests import RUNTIME_VARS pytestmark = [ pytest.mark.skip_if_binaries_missing("ssh", "ssh-keygen", check_all=True), @@ -42,6 +39,34 @@ def ssh_target(tmp_path): return opts, target +@pytest.fixture +def opts(tmp_path, temp_salt_master): + updated_values = { + "argv": [ + "ssh.set_auth_key", + "root", + "hobn+amNAXSBTiOXEqlBjGB...rsa root@master", + ], + "__role": "master", + "cachedir": str(tmp_path), + "extension_modules": str(tmp_path / "extmods"), + "selected_target_option": "glob", + } + + opts = temp_salt_master.config.copy() + opts.update(updated_values) + return opts + + +@pytest.fixture +def roster(): + return """ + localhost: + host: 127.0.0.1 + port: 2827 + """ + + @pytest.mark.skip_on_windows(reason="SSH_PY_SHIM not set on windows") def test_cmd_block_python_version_error(ssh_target): opts = ssh_target[0] 
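Review bot: The new `opts` fixture in the second hunk uses `temp_salt_master.config.copy()`, which is a shallow copy, so any nested value remains shared with the master factory's config. The tests visible in this file only assign top-level keys such as `opts["tgt"]` and `opts["ssh_user"]`, so nothing breaks today, but a comment like `# shallow copy: only replace top-level keys in tests` would keep it that way. Both `opts` and `roster` would also benefit from a one-line docstring. For `roster`, it should say that it returns YAML text which the tests parse with `salt.utils.yaml.safe_load`.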
@@ -140,62 +165,6 @@ def test_ssh_kwargs(test_opts): assert ssh_obj.opts.get(opt_key, None) == opt_value -@pytest.mark.skip_on_windows(reason="pre_flight_args is not implemented for Windows") -@pytest.mark.parametrize( - "test_opts", - [ - (None, ""), - ("one", " one"), - ("one two", " one two"), - ("| touch /tmp/test", " '|' touch /tmp/test"), - ("; touch /tmp/test", " ';' touch /tmp/test"), - (["one"], " one"), - (["one", "two"], " one two"), - (["one", "two", "| touch /tmp/test"], " one two '| touch /tmp/test'"), - (["one", "two", "; touch /tmp/test"], " one two '; touch /tmp/test'"), - ], -) -def test_run_with_pre_flight_args(ssh_target, test_opts): - """ - test Single.run() when ssh_pre_flight is set - and script successfully runs - """ - opts = ssh_target[0] - target = ssh_target[1] - - opts["ssh_run_pre_flight"] = True - target["ssh_pre_flight"] = os.path.join(RUNTIME_VARS.TMP, "script.sh") - - if test_opts[0] is not None: - target["ssh_pre_flight_args"] = test_opts[0] - expected_args = test_opts[1] - - single = ssh.Single( - opts, - opts["argv"], - "localhost", - mods={}, - fsclient=None, - thin=salt.utils.thin.thin_path(opts["cachedir"]), - mine=False, - **target - ) - - cmd_ret = ("Success", "", 0) - mock_cmd = MagicMock(return_value=cmd_ret) - mock_exec_cmd = MagicMock(return_value=("", "", 0)) - patch_cmd = patch("salt.client.ssh.Single.cmd_block", mock_cmd) - patch_exec_cmd = patch("salt.client.ssh.shell.Shell.exec_cmd", mock_exec_cmd) - patch_shell_send = patch("salt.client.ssh.shell.Shell.send", return_value=None) - patch_os = patch("os.path.exists", side_effect=[True]) - - with patch_os, patch_cmd, patch_exec_cmd, patch_shell_send: - ret = single.run() - assert mock_exec_cmd.mock_calls[0].args[ - 0 - ] == "/bin/sh '/tmp/script.sh'{}".format(expected_args) - - def test_expand_target_dns(opts, roster): """ test expand_target when target is root@ 
diff --git a/tests/unit/client/test_ssh.py b/tests/unit/client/test_ssh.py index 00313ed55f1..64ba9e22e14 100644 --- a/tests/unit/client/test_ssh.py +++ b/tests/unit/client/test_ssh.py 
@@ -399,72 +399,6 @@ class SSHSingleTests(TestCase): call("rm '{}'".format(script)), ] == mock_cmd.call_args_list - def test_shim_cmd(self): - """ - test Single.shim_cmd() - """ - single = ssh.Single( - self.opts, - self.opts["argv"], - "localhost", - mods={}, - fsclient=None, - thin=salt.utils.thin.thin_path(self.opts["cachedir"]), - mine=False, - winrm=False, - tty=True, - **self.target - ) - - exp_ret = ("Success", "", 0) - mock_cmd = MagicMock(return_value=exp_ret) - patch_cmd = patch("salt.client.ssh.shell.Shell.exec_cmd", mock_cmd) - patch_send = patch("salt.client.ssh.shell.Shell.send", return_value=("", "", 0)) - patch_rand = patch("os.urandom", return_value=b"5\xd9l\xca\xc2\xff") - - with patch_cmd, patch_rand, patch_send: - ret = single.shim_cmd(cmd_str="echo test") - assert ret == exp_ret - assert [ - call("/bin/sh '.35d96ccac2ff.py'"), - call("rm '.35d96ccac2ff.py'"), - ] == mock_cmd.call_args_list - - def test_run_ssh_pre_flight(self): - """ - test Single.run_ssh_pre_flight - """ - target = self.target.copy() - target["ssh_pre_flight"] = os.path.join(RUNTIME_VARS.TMP, "script.sh") - single = ssh.Single( - self.opts, - self.opts["argv"], - "localhost", - mods={}, - fsclient=None, - thin=salt.utils.thin.thin_path(self.opts["cachedir"]), - mine=False, - winrm=False, - tty=True, - **target - ) - - exp_ret = ("Success", "", 0) - mock_cmd = MagicMock(return_value=exp_ret) - patch_cmd = patch("salt.client.ssh.shell.Shell.exec_cmd", mock_cmd) - patch_send = patch("salt.client.ssh.shell.Shell.send", return_value=exp_ret) - exp_tmp = os.path.join( - tempfile.gettempdir(), os.path.basename(target["ssh_pre_flight"]) - ) - - with patch_cmd, patch_send: - ret = single.run_ssh_pre_flight() - assert ret == exp_ret - assert [ - call("/bin/sh '{}'".format(exp_tmp)), - call("rm '{}'".format(exp_tmp)), - ] == mock_cmd.call_args_list - @skipIf(salt.utils.platform.is_windows(), "SSH_PY_SHIM not set on windows") def test_cmd_run_set_path(self): """ 
From 22afb445651652128265d81b893d2e5898ecb1bb Mon Sep 17 00:00:00 2001 From: Megan Wilhite Date: Mon, 2 Oct 2023 12:51:49 -0600 Subject: [PATCH 09/17] Fix pre_flight tests on darwin --- .../integration/ssh/test_pre_flight.py | 28 ++++++++++++++++--- 1 file changed, 24 insertions(+), 4 deletions(-) diff --git a/tests/pytests/integration/ssh/test_pre_flight.py b/tests/pytests/integration/ssh/test_pre_flight.py index 4cbe0790019..ed2dfeee61c 100644 --- a/tests/pytests/integration/ssh/test_pre_flight.py +++ b/tests/pytests/integration/ssh/test_pre_flight.py @@ -12,9 +12,11 @@ import os import pathlib import shutil import subprocess +import tempfile import pytest import salt.utils.files +import salt.utils.platform import yaml from saltfactories.utils import random_string @@ -240,15 +242,22 @@ def test_ssh_pre_flight_perms(salt_ssh_cli, caplog, _create_roster, account): on target when user sets wrong permissions (777) on ssh_pre_flight script. """ + is_darwin = salt.utils.platform.is_darwin() try: script = pathlib.Path("/tmp", "itworked") preflight = pathlib.Path("/ssh_pre_flight.sh") + if is_darwin: + preflight = pathlib.Path("/etc/ssh_pre_flight.sh") preflight.write_text(f"touch {str(script)}") tmp_preflight = pathlib.Path("/tmp", preflight.name) + if is_darwin: + tmp_preflight = pathlib.Path(tempfile.gettempdir(), preflight.name) _custom_roster(salt_ssh_cli.roster_file, {"ssh_pre_flight": str(preflight)}) preflight.chmod(0o0777) run_script = pathlib.Path("/run_script") + if is_darwin: + run_script = pathlib.Path("/etc/run_script") run_script.write_text( f""" x=1 
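Review bot: In `test_ssh_pre_flight_perms` the darwin handling is spread over three separate `if is_darwin:` reassignments, each following a default that is immediately overwritten. For `preflight` and `run_script` a single line such as `root_dir = pathlib.Path("/etc") if is_darwin else pathlib.Path("/")` followed by `preflight = root_dir / "ssh_pre_flight.sh"` would make the platform difference readable in one place. `tmp_preflight` could use `tempfile.gettempdir()` on both platforms if that matches where the code under test writes, which is not visible here. The test also creates fixed-name files directly under `/` or `/etc` and sets one to `0o0777`. The cleanup for those lives outside this hunk, so it is worth confirming that the `finally` block removes the darwin paths as well.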
@@ -291,12 +300,16 @@ def test_ssh_run_pre_flight_target_file_perms(salt_ssh_cli, _create_roster, tmp_ test ssh_pre_flight to ensure the target pre flight script has the correct perms """ + is_darwin = salt.utils.platform.is_darwin() + stat_cmd = 'stat -L -c "%a %G %U"' + if is_darwin: + stat_cmd = 'stat -L -f"%p %g %u"' perms_file = tmp_path / "perms" with salt.utils.files.fopen(_create_roster["data"]["ssh_pre_flight"], "w") as fp_: fp_.write( f""" SCRIPT_NAME=$0 - stat -L -c "%a %G %U" $SCRIPT_NAME > {perms_file} + {stat_cmd} $SCRIPT_NAME > {perms_file} """ ) @@ -307,8 +320,15 @@ def test_ssh_run_pre_flight_target_file_perms(salt_ssh_cli, _create_roster, tmp_ assert ret.returncode == 0 with salt.utils.files.fopen(perms_file) as fp: data = fp.read() - assert data.split()[0] == "600" + if is_darwin: + assert data.split()[0] == "100600" + else: + assert data.split()[0] == "600" uid = os.getuid() gid = os.getgid() - assert data.split()[1] == grp.getgrgid(gid).gr_name - assert data.split()[2] == pwd.getpwuid(uid).pw_name + if is_darwin: + assert int(data.split()[1]) == gid + assert int(data.split()[2]) == uid + else: + assert data.split()[1] == grp.getgrgid(gid).gr_name + assert data.split()[2] == pwd.getpwuid(uid).pw_name From 71589535e87e3e326577560fdcb7bd878c47442c Mon Sep 17 00:00:00 2001 From: Megan Wilhite Date: Tue, 3 Oct 2023 13:49:41 -0600 Subject: [PATCH 10/17] Remove filename from logs --- salt/client/ssh/__init__.py | 12 +++++------- 1 file changed, 5 insertions(+), 7 deletions(-) diff --git a/salt/client/ssh/__init__.py b/salt/client/ssh/__init__.py index 1c25942d90a..ff484597b25 100644 --- a/salt/client/ssh/__init__.py +++ b/salt/client/ssh/__init__.py 
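Review bot: The darwin branch in `test_ssh_run_pre_flight_target_file_perms` checks a different thing from the linux branch: `stat -L -f"%p %g %u"` prints the full `st_mode` and numeric ids, so the assertions in the following hunk (`@@ -307,8 +320,15 @@`) need their own `"100600"` and `int(...) == gid` forms. BSD `stat` can print the same fields as the GNU format, which would let both platforms share one set of assertions: `stat_cmd = 'stat -L -f "%Lp %Sg %Su"'`. That also keeps the file-type bits out of the permission check, so the test states the intent (mode `600`) directly. The function body starts and ends outside these hunks.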
@@ -1025,20 +1025,18 @@ class Single: except OSError as err: return ( "", - f"Could not copy pre flight script {self.ssh_pre_flight} to temporary path", + "Could not copy pre flight script to temporary path", 1, ) target_script = f".{pathlib.Path(temp.name).name}" - log.trace(f"Copying the pre flight script {self.ssh_pre_file} to target") + log.trace("Copying the pre flight script to target") stdout, stderr, retcode = self.shell.send(temp.name, target_script) if retcode != 0: # We could not copy the script to the target - log.error( - f"Could not copy the pre flight script {self.ssh_pre_file} to target" - ) + log.error("Could not copy the pre flight script to target") return stdout, stderr, retcode - log.trace(f"Executing the pre flight script {self.ssh_pre_file} on target") + log.trace("Executing the pre flight script on target") return self.execute_script( target_script, script_args=self.ssh_pre_flight_args ) @@ -1423,7 +1421,7 @@ ARGS = {arguments}\n'''.format( shim_tmp_file.name, target_shim_file, makedirs=True ) if retcode != 0: - log.error(f"Could not copy the shim script to target") + log.error("Could not copy the shim script to target") return stdout, stderr, retcode # Remove our shim file From 805a8deb74e35dde23b906ecacccba852a707a73 Mon Sep 17 00:00:00 2001 From: Megan Wilhite Date: Tue, 3 Oct 2023 13:50:50 -0600 Subject: [PATCH 11/17] Fix logs in ssh tests --- tests/pytests/unit/client/ssh/test_single.py | 11 ++++------- 1 file changed, 4 insertions(+), 7 deletions(-) diff --git a/tests/pytests/unit/client/ssh/test_single.py b/tests/pytests/unit/client/ssh/test_single.py index 912c8cccec0..68457147e6f 100644 --- a/tests/pytests/unit/client/ssh/test_single.py +++ b/tests/pytests/unit/client/ssh/test_single.py 
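Review bot: `except OSError as err:` at the top of the first hunk still binds `err`, but the new return value uses neither it nor the path, so the reason the copy failed is lost to both the caller and the log. If the aim is to keep the script path out of messages, the cause can still be recorded without it: `log.debug("Pre flight script copy failed: %s", err.strerror)`, since `strerror` carries the OS message without the filename. Otherwise drop the unused `as err`. The enclosing method starts and ends outside this hunk.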
@@ -410,11 +410,8 @@ def test_run_ssh_pre_flight_no_connect(opts, target, tmp_path, caplog): with caplog.at_level(logging.TRACE): with patch_send, patch_exec_cmd, patch_tmp: ret = single.run_ssh_pre_flight() - assert f"Copying the pre flight script {pre_flight.name}" in caplog.text - assert ( - f"Could not copy the pre flight script {pre_flight.name} to target" - in caplog.text - ) + assert "Copying the pre flight script" in caplog.text + assert "Could not copy the pre flight script to target" in caplog.text assert ret == ret_send assert send_mock.call_args_list[0][0][0] == tmp_file target_script = send_mock.call_args_list[0][0][1] @@ -505,7 +502,7 @@ def test_run_ssh_pre_flight_connect(opts, target, tmp_path, caplog): with patch_send, patch_exec_cmd, patch_tmp: ret = single.run_ssh_pre_flight() - assert f"Executing the pre flight script {pre_flight.name} on target" in caplog.text + assert "Executing the pre flight script on target" in caplog.text assert ret == ret_exec_cmd assert send_mock.call_args_list[0][0][0] == tmp_file target_script = send_mock.call_args_list[0][0][1] @@ -550,7 +547,7 @@ def test_run_ssh_pre_flight_shutil_fails(opts, target, tmp_path): assert ret == ( "", - f"Could not copy pre flight script {pre_flight} to temporary path", + "Could not copy pre flight script to temporary path", 1, ) mock_exec_cmd.assert_not_called() From f805bc98af3394ddc0d289d428afa854abdb2ed6 Mon Sep 17 00:00:00 2001 From: Megan Wilhite Date: Thu, 5 Oct 2023 08:03:31 -0600 Subject: [PATCH 12/17] [3005.4] Update amazon linux 2 AMI --- cicd/amis.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cicd/amis.yml b/cicd/amis.yml index 47f6691883f..5197c9b51e4 100644 --- a/cicd/amis.yml +++ b/cicd/amis.yml @@ -1,5 +1,5 @@ alma-8-x86_64: ami-0594d7cf435c3d2f7 -amazon-2-x86_64: ami-0695f87baa5b5ce15 +amazon-2-x86_64: ami-09682e96e7785642d arch-lts-x86_64: ami-018a6b479dcb87969 centos-7-x86_64: ami-05764f27cdf8f99e0 centosstream-8-x86_64: ami-02fc0a57f9b1fa4ed 
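Review bot: The updated assertions in `test_run_ssh_pre_flight_no_connect`, `test_run_ssh_pre_flight_connect` and `test_run_ssh_pre_flight_shutil_fails` only check that the new, shorter messages appear; nothing pins the property the previous commit introduced, namely that the script name is no longer logged. A negative assertion next to each `caplog` check would stop a later change from quietly putting the path back: `assert pre_flight.name not in caplog.text`. This assumes no other log line emitted during `run_ssh_pre_flight()` legitimately carries the name, which cannot be confirmed from these hunks. The test bodies start and end outside the hunks.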
From e31b6e21b44c9f33842ec4e1ebed7362a46b5a8d Mon Sep 17 00:00:00 2001 From: Megan Wilhite Date: Thu, 5 Oct 2023 17:53:01 -0600 Subject: [PATCH 13/17] Set version for redis docker tests --- tests/pytests/functional/cache/test_redis.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tests/pytests/functional/cache/test_redis.py b/tests/pytests/functional/cache/test_redis.py index 9b3d5aa27e9..d56b0c86429 100644 --- a/tests/pytests/functional/cache/test_redis.py +++ b/tests/pytests/functional/cache/test_redis.py @@ -22,7 +22,7 @@ pytest.importorskip("redis") def redis_container(salt_factories): container = salt_factories.get_container( random_string("redis-server-"), - image_name="redis:alpine", + image_name="redis:7.2.0-alpine", container_run_kwargs={"ports": {"6379/tcp": None}}, ) with container.started() as factory: From 5c236eaac16964e1e7d925232d1ccec038c004c2 Mon Sep 17 00:00:00 2001 
From: Megan Wilhite Date: Tue, 3 Oct 2023 12:36:33 -0600 Subject: [PATCH 14/17] Bump urllib3 to 1.26.17 or 2.0.6 --- changelog/65334.security | 1 + requirements/static/ci/py3.10/cloud.txt | 2 +- requirements/static/ci/py3.10/darwin.txt | 2 +- requirements/static/ci/py3.10/docs.txt | 2 +- requirements/static/ci/py3.10/freebsd.txt | 2 +- requirements/static/ci/py3.10/lint.txt | 2 +- requirements/static/ci/py3.10/linux.txt | 2 +- requirements/static/ci/py3.6/cloud.txt | 2 +- requirements/static/ci/py3.6/docs.txt | 2 +- requirements/static/ci/py3.6/lint.txt | 2 +- requirements/static/ci/py3.6/linux.txt | 2 +- requirements/static/ci/py3.7/cloud.txt | 2 +- requirements/static/ci/py3.7/docs.txt | 2 +- requirements/static/ci/py3.7/freebsd.txt | 2 +- requirements/static/ci/py3.7/lint.txt | 2 +- requirements/static/ci/py3.7/linux.txt | 2 +- requirements/static/ci/py3.7/windows.txt | 2 +- requirements/static/ci/py3.8/cloud.txt | 2 +- requirements/static/ci/py3.8/docs.txt | 2 +- requirements/static/ci/py3.8/freebsd.txt | 2 +- requirements/static/ci/py3.8/lint.txt | 2 +- requirements/static/ci/py3.8/linux.txt | 2 +- requirements/static/ci/py3.8/windows.txt | 2 +- requirements/static/ci/py3.9/cloud.txt | 2 +- requirements/static/ci/py3.9/darwin.txt | 2 +- requirements/static/ci/py3.9/docs.txt | 2 +- requirements/static/ci/py3.9/freebsd.txt | 2 +- requirements/static/ci/py3.9/lint.txt | 2 +- requirements/static/ci/py3.9/linux.txt | 2 +- requirements/static/ci/py3.9/windows.txt | 2 +- requirements/static/pkg/py3.10/darwin.txt | 2 +- requirements/static/pkg/py3.10/freebsd.txt | 2 +- requirements/static/pkg/py3.10/linux.txt | 2 +- requirements/static/pkg/py3.6/linux.txt | 2 +- requirements/static/pkg/py3.7/freebsd.txt | 2 +- requirements/static/pkg/py3.7/linux.txt | 2 +- requirements/static/pkg/py3.7/windows.txt | 2 +- requirements/static/pkg/py3.8/freebsd.txt | 2 +- requirements/static/pkg/py3.8/linux.txt | 2 +- requirements/static/pkg/py3.8/windows.txt | 2 +- 
requirements/static/pkg/py3.9/darwin.txt | 2 +- requirements/static/pkg/py3.9/freebsd.txt | 2 +- requirements/static/pkg/py3.9/linux.txt | 2 +- requirements/static/pkg/py3.9/windows.txt | 2 +- 44 files changed, 44 insertions(+), 43 deletions(-) create mode 100644 changelog/65334.security diff --git a/changelog/65334.security b/changelog/65334.security new file mode 100644 index 00000000000..9f1e2ecb0a8 --- /dev/null +++ b/changelog/65334.security @@ -0,0 +1 @@ +Bump to `urllib3==1.26.17` or `urllib3==2.0.6` due to https://github.com/advisories/GHSA-v845-jxx5-vc9f diff --git a/requirements/static/ci/py3.10/cloud.txt b/requirements/static/ci/py3.10/cloud.txt index 3e163e77a18..6a85808c774 100644 --- a/requirements/static/ci/py3.10/cloud.txt +++ b/requirements/static/ci/py3.10/cloud.txt @@ -845,7 +845,7 @@ typing-extensions==4.2.0 # via # pytest-shell-utilities # pytest-system-statistics -urllib3==1.26.6 +urllib3==1.26.17 # via # botocore # kubernetes diff --git a/requirements/static/ci/py3.10/darwin.txt b/requirements/static/ci/py3.10/darwin.txt index 1cfb54e7426..55b40a44ce8 100644 --- a/requirements/static/ci/py3.10/darwin.txt +++ b/requirements/static/ci/py3.10/darwin.txt @@ -833,7 +833,7 @@ typing-extensions==4.2.0 # via # pytest-shell-utilities # pytest-system-statistics -urllib3==1.26.6 +urllib3==1.26.17 # via # botocore # kubernetes diff --git a/requirements/static/ci/py3.10/docs.txt b/requirements/static/ci/py3.10/docs.txt index d8aa8cbaeaa..fd3a8fbb80d 100644 --- a/requirements/static/ci/py3.10/docs.txt +++ b/requirements/static/ci/py3.10/docs.txt @@ -833,7 +833,7 @@ twilio==7.9.2 # via -r requirements/static/ci/linux.in tzlocal==3.0 # via apscheduler -urllib3==1.26.6 +urllib3==1.26.17 # via # botocore # kubernetes diff --git a/requirements/static/ci/py3.10/freebsd.txt b/requirements/static/ci/py3.10/freebsd.txt index 5dc862b00c5..4cbd3c8e568 100644 --- a/requirements/static/ci/py3.10/freebsd.txt +++ b/requirements/static/ci/py3.10/freebsd.txt 
@@ -830,7 +830,7 @@ typing-extensions==4.2.0 # via # pytest-shell-utilities # pytest-system-statistics -urllib3==1.26.6 +urllib3==1.26.17 # via # botocore # kubernetes diff --git a/requirements/static/ci/py3.10/lint.txt b/requirements/static/ci/py3.10/lint.txt index 96865dc989e..0f1259f7fae 100644 --- a/requirements/static/ci/py3.10/lint.txt +++ b/requirements/static/ci/py3.10/lint.txt @@ -819,7 +819,7 @@ twilio==7.9.2 # via -r requirements/static/ci/linux.in tzlocal==3.0 # via apscheduler -urllib3==1.26.6 +urllib3==1.26.17 # via # botocore # kubernetes diff --git a/requirements/static/ci/py3.10/linux.txt b/requirements/static/ci/py3.10/linux.txt index b9a9f45fcb8..c35ad1305c0 100644 --- a/requirements/static/ci/py3.10/linux.txt +++ b/requirements/static/ci/py3.10/linux.txt @@ -878,7 +878,7 @@ typing-extensions==4.2.0 # pytest-system-statistics tzlocal==2.1 # via apscheduler -urllib3==1.26.6 +urllib3==1.26.17 # via # botocore # kubernetes diff --git a/requirements/static/ci/py3.6/cloud.txt b/requirements/static/ci/py3.6/cloud.txt index be1bc344e21..f775f838e04 100644 --- a/requirements/static/ci/py3.6/cloud.txt +++ b/requirements/static/ci/py3.6/cloud.txt @@ -876,7 +876,7 @@ typing-extensions==3.10.0.0 # pytest-shell-utilities # pytest-system-statistics # yarl -urllib3==1.26.6 +urllib3==1.26.17 # via # botocore # kubernetes diff --git a/requirements/static/ci/py3.6/docs.txt b/requirements/static/ci/py3.6/docs.txt index 3a2c32fbaa8..745087510a4 100644 --- a/requirements/static/ci/py3.6/docs.txt +++ b/requirements/static/ci/py3.6/docs.txt @@ -865,7 +865,7 @@ typing-extensions==3.10.0.0 # yarl tzlocal==3.0 # via apscheduler -urllib3==1.26.6 +urllib3==1.26.17 # via # botocore # kubernetes diff --git a/requirements/static/ci/py3.6/lint.txt b/requirements/static/ci/py3.6/lint.txt index 2946e3602ba..e82930b1b5e 100644 --- a/requirements/static/ci/py3.6/lint.txt +++ b/requirements/static/ci/py3.6/lint.txt 
@@ -856,7 +856,7 @@ typing-extensions==3.10.0.0 # yarl tzlocal==3.0 # via apscheduler -urllib3==1.26.6 +urllib3==1.26.17 # via # botocore # kubernetes diff --git a/requirements/static/ci/py3.6/linux.txt b/requirements/static/ci/py3.6/linux.txt index 1c81008cda0..b7a1e63faf9 100644 --- a/requirements/static/ci/py3.6/linux.txt +++ b/requirements/static/ci/py3.6/linux.txt @@ -910,7 +910,7 @@ typing-extensions==3.10.0.0 # yarl tzlocal==2.1 # via apscheduler -urllib3==1.26.6 +urllib3==1.26.17 # via # botocore # kubernetes diff --git a/requirements/static/ci/py3.7/cloud.txt b/requirements/static/ci/py3.7/cloud.txt index f903b2d6d29..23073194403 100644 --- a/requirements/static/ci/py3.7/cloud.txt +++ b/requirements/static/ci/py3.7/cloud.txt @@ -906,7 +906,7 @@ typing-extensions==3.10.0.0 # pytest-shell-utilities # pytest-system-statistics # yarl -urllib3==1.26.6 +urllib3==1.26.17 # via # botocore # kubernetes diff --git a/requirements/static/ci/py3.7/docs.txt b/requirements/static/ci/py3.7/docs.txt index c67e346203f..2b752fc5f40 100644 --- a/requirements/static/ci/py3.7/docs.txt +++ b/requirements/static/ci/py3.7/docs.txt @@ -894,7 +894,7 @@ typing-extensions==3.10.0.0 # yarl tzlocal==3.0 # via apscheduler -urllib3==1.26.6 +urllib3==1.26.17 # via # botocore # kubernetes diff --git a/requirements/static/ci/py3.7/freebsd.txt b/requirements/static/ci/py3.7/freebsd.txt index 4976c9fbb6c..5d973d41837 100644 --- a/requirements/static/ci/py3.7/freebsd.txt +++ b/requirements/static/ci/py3.7/freebsd.txt @@ -887,7 +887,7 @@ typing-extensions==3.10.0.0 # pytest-shell-utilities # pytest-system-statistics # yarl -urllib3==1.26.6 +urllib3==1.26.17 # via # botocore # kubernetes diff --git a/requirements/static/ci/py3.7/lint.txt b/requirements/static/ci/py3.7/lint.txt index dd5932f1caa..c32356af790 100644 --- a/requirements/static/ci/py3.7/lint.txt +++ b/requirements/static/ci/py3.7/lint.txt 
@@ -885,7 +885,7 @@ typing-extensions==3.10.0.0 # yarl tzlocal==3.0 # via apscheduler -urllib3==1.26.6 +urllib3==1.26.17 # via # botocore # kubernetes diff --git a/requirements/static/ci/py3.7/linux.txt b/requirements/static/ci/py3.7/linux.txt index 09dad7aa75a..65ff4877046 100644 --- a/requirements/static/ci/py3.7/linux.txt +++ b/requirements/static/ci/py3.7/linux.txt @@ -933,7 +933,7 @@ typing-extensions==3.10.0.0 # yarl tzlocal==2.1 # via apscheduler -urllib3==1.26.6 +urllib3==1.26.17 # via # botocore # kubernetes diff --git a/requirements/static/ci/py3.7/windows.txt b/requirements/static/ci/py3.7/windows.txt index d0d6085415f..d39a2c37020 100644 --- a/requirements/static/ci/py3.7/windows.txt +++ b/requirements/static/ci/py3.7/windows.txt @@ -401,7 +401,7 @@ typing-extensions==3.10.0.0 # pytest-shell-utilities # pytest-system-statistics # yarl -urllib3==1.26.6 +urllib3==1.26.17 # via # -r requirements/windows.txt # botocore diff --git a/requirements/static/ci/py3.8/cloud.txt b/requirements/static/ci/py3.8/cloud.txt index d47a2de683a..ac77ecc13ff 100644 --- a/requirements/static/ci/py3.8/cloud.txt +++ b/requirements/static/ci/py3.8/cloud.txt @@ -890,7 +890,7 @@ typing-extensions==3.10.0.2 # via # pytest-shell-utilities # pytest-system-statistics -urllib3==1.26.6 +urllib3==1.26.17 # via # botocore # kubernetes diff --git a/requirements/static/ci/py3.8/docs.txt b/requirements/static/ci/py3.8/docs.txt index af50b9ad185..a84e86f2156 100644 --- a/requirements/static/ci/py3.8/docs.txt +++ b/requirements/static/ci/py3.8/docs.txt @@ -879,7 +879,7 @@ twilio==7.9.2 # via -r requirements/static/ci/linux.in tzlocal==3.0 # via apscheduler -urllib3==1.26.6 +urllib3==1.26.17 # via # botocore # kubernetes diff --git a/requirements/static/ci/py3.8/freebsd.txt b/requirements/static/ci/py3.8/freebsd.txt index 408b9308c10..766805cf7ea 100644 --- a/requirements/static/ci/py3.8/freebsd.txt +++ b/requirements/static/ci/py3.8/freebsd.txt 
@@ -873,7 +873,7 @@ typing-extensions==4.2.0 # via # pytest-shell-utilities # pytest-system-statistics -urllib3==1.26.6 +urllib3==1.26.17 # via # botocore # kubernetes diff --git a/requirements/static/ci/py3.8/lint.txt b/requirements/static/ci/py3.8/lint.txt index 63e853bf68f..df356e75c32 100644 --- a/requirements/static/ci/py3.8/lint.txt +++ b/requirements/static/ci/py3.8/lint.txt @@ -867,7 +867,7 @@ twilio==7.9.2 # via -r requirements/static/ci/linux.in tzlocal==3.0 # via apscheduler -urllib3==1.26.6 +urllib3==1.26.17 # via # botocore # kubernetes diff --git a/requirements/static/ci/py3.8/linux.txt b/requirements/static/ci/py3.8/linux.txt index 8cfc4e8a092..274fde2325f 100644 --- a/requirements/static/ci/py3.8/linux.txt +++ b/requirements/static/ci/py3.8/linux.txt @@ -919,7 +919,7 @@ typing-extensions==4.2.0 # pytest-system-statistics tzlocal==2.1 # via apscheduler -urllib3==1.26.6 +urllib3==1.26.17 # via # botocore # kubernetes diff --git a/requirements/static/ci/py3.8/windows.txt b/requirements/static/ci/py3.8/windows.txt index 5b2ba5adace..ed29068ec30 100644 --- a/requirements/static/ci/py3.8/windows.txt +++ b/requirements/static/ci/py3.8/windows.txt @@ -387,7 +387,7 @@ typing-extensions==4.2.0 # via # pytest-shell-utilities # pytest-system-statistics -urllib3==1.26.6 +urllib3==1.26.17 # via # -r requirements/windows.txt # botocore diff --git a/requirements/static/ci/py3.9/cloud.txt b/requirements/static/ci/py3.9/cloud.txt index 10730f00910..562928442d7 100644 --- a/requirements/static/ci/py3.9/cloud.txt +++ b/requirements/static/ci/py3.9/cloud.txt @@ -893,7 +893,7 @@ typing-extensions==3.10.0.2 # via # pytest-shell-utilities # pytest-system-statistics -urllib3==1.26.6 +urllib3==1.26.17 # via # botocore # kubernetes diff --git a/requirements/static/ci/py3.9/darwin.txt b/requirements/static/ci/py3.9/darwin.txt index 277defef4d5..afeec28a1d4 100644 --- a/requirements/static/ci/py3.9/darwin.txt +++ b/requirements/static/ci/py3.9/darwin.txt 
@@ -879,7 +879,7 @@ typing-extensions==4.2.0 # via # pytest-shell-utilities # pytest-system-statistics -urllib3==1.26.6 +urllib3==1.26.17 # via # botocore # kubernetes diff --git a/requirements/static/ci/py3.9/docs.txt b/requirements/static/ci/py3.9/docs.txt index 4ed09bed8eb..8d7fb6f4302 100644 --- a/requirements/static/ci/py3.9/docs.txt +++ b/requirements/static/ci/py3.9/docs.txt @@ -880,7 +880,7 @@ twilio==7.9.2 # via -r requirements/static/ci/linux.in tzlocal==3.0 # via apscheduler -urllib3==1.26.6 +urllib3==1.26.17 # via # botocore # kubernetes diff --git a/requirements/static/ci/py3.9/freebsd.txt b/requirements/static/ci/py3.9/freebsd.txt index 119b9a7e39b..a09f0e7578c 100644 --- a/requirements/static/ci/py3.9/freebsd.txt +++ b/requirements/static/ci/py3.9/freebsd.txt @@ -876,7 +876,7 @@ typing-extensions==4.2.0 # via # pytest-shell-utilities # pytest-system-statistics -urllib3==1.26.6 +urllib3==1.26.17 # via # botocore # kubernetes diff --git a/requirements/static/ci/py3.9/lint.txt b/requirements/static/ci/py3.9/lint.txt index 87b7665c97b..e69756544c1 100644 --- a/requirements/static/ci/py3.9/lint.txt +++ b/requirements/static/ci/py3.9/lint.txt @@ -868,7 +868,7 @@ twilio==7.9.2 # via -r requirements/static/ci/linux.in tzlocal==3.0 # via apscheduler -urllib3==1.26.6 +urllib3==1.26.17 # via # botocore # kubernetes diff --git a/requirements/static/ci/py3.9/linux.txt b/requirements/static/ci/py3.9/linux.txt index 8c635fd7cf3..01ca0c0e9e6 100644 --- a/requirements/static/ci/py3.9/linux.txt +++ b/requirements/static/ci/py3.9/linux.txt @@ -924,7 +924,7 @@ typing-extensions==4.2.0 # pytest-system-statistics tzlocal==2.1 # via apscheduler -urllib3==1.26.6 +urllib3==1.26.17 # via # botocore # kubernetes diff --git a/requirements/static/ci/py3.9/windows.txt b/requirements/static/ci/py3.9/windows.txt index 280315b4c8a..edc7125397e 100644 --- a/requirements/static/ci/py3.9/windows.txt +++ b/requirements/static/ci/py3.9/windows.txt 
@@ -388,7 +388,7 @@ typing-extensions==4.2.0 # via # pytest-shell-utilities # pytest-system-statistics -urllib3==1.26.6 +urllib3==1.26.17 # via # -r requirements/windows.txt # botocore diff --git a/requirements/static/pkg/py3.10/darwin.txt b/requirements/static/pkg/py3.10/darwin.txt index d3250c794d4..9a684e23867 100644 --- a/requirements/static/pkg/py3.10/darwin.txt +++ b/requirements/static/pkg/py3.10/darwin.txt @@ -107,7 +107,7 @@ tempora==4.1.1 # via portend timelib==0.2.5 # via -r requirements/darwin.txt -urllib3==1.26.6 +urllib3==2.0.6 # via requests vultr==1.0.1 # via -r requirements/darwin.txt diff --git a/requirements/static/pkg/py3.10/freebsd.txt b/requirements/static/pkg/py3.10/freebsd.txt index 2ff655041f3..3ef547e4f57 100644 --- a/requirements/static/pkg/py3.10/freebsd.txt +++ b/requirements/static/pkg/py3.10/freebsd.txt @@ -90,7 +90,7 @@ tempora==4.1.1 # via portend timelib==0.2.5 # via -r requirements/static/pkg/freebsd.in -urllib3==1.26.6 +urllib3==2.0.6 # via requests zc.lockfile==1.4 # via cherrypy diff --git a/requirements/static/pkg/py3.10/linux.txt b/requirements/static/pkg/py3.10/linux.txt index 04ca508c92f..568fce73ae0 100644 --- a/requirements/static/pkg/py3.10/linux.txt +++ b/requirements/static/pkg/py3.10/linux.txt @@ -92,7 +92,7 @@ tempora==4.1.1 # via portend timelib==0.2.5 # via -r requirements/static/pkg/linux.in -urllib3==1.26.6 +urllib3==2.0.6 # via requests zc.lockfile==1.4 # via cherrypy diff --git a/requirements/static/pkg/py3.6/linux.txt b/requirements/static/pkg/py3.6/linux.txt index f49dfbcd7c5..eaf2f2feddc 100644 --- a/requirements/static/pkg/py3.6/linux.txt +++ b/requirements/static/pkg/py3.6/linux.txt @@ -96,7 +96,7 @@ timelib==0.2.5 # via -r requirements/static/pkg/linux.in typing-extensions==3.10.0.0 # via importlib-metadata -urllib3==1.26.6 +urllib3==1.26.17 # via requests zc.lockfile==1.4 # via cherrypy 
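Review bot: The pkg lockfiles starting at `requirements/static/pkg/py3.10/darwin.txt` move to `urllib3==2.0.6`, while every ci lockfile hunk visible in this patch (and `pkg/py3.6/linux.txt`) moves to `urllib3==1.26.17`, so the test environments would resolve a different major version from the one that is packaged. The `# via` context suggests the cause: the ci files reach urllib3 through botocore and kubernetes, the pkg files only through requests, so the resolver is presumably free to pick 2.x there. The changelog entry names both pins as fixes for GHSA-v845-jxx5-vc9f, so this concerns test coverage of what ships rather than the advisory itself. Since these files are compiled, the change would go in the pkg inputs, for example a constraint `urllib3>=1.26.17,<2` next to the existing entries, followed by a recompile. The same applies to the pkg hunks for py3.7, py3.8 and py3.9 further down.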
diff --git a/requirements/static/pkg/py3.7/freebsd.txt b/requirements/static/pkg/py3.7/freebsd.txt index 6aa3ccea8f9..927e0f068aa 100644 --- a/requirements/static/pkg/py3.7/freebsd.txt +++ b/requirements/static/pkg/py3.7/freebsd.txt @@ -92,7 +92,7 @@ timelib==0.2.5 # via -r requirements/static/pkg/freebsd.in typing-extensions==3.10.0.0 # via importlib-metadata -urllib3==1.26.6 +urllib3==2.0.6 # via requests zc.lockfile==1.4 # via cherrypy diff --git a/requirements/static/pkg/py3.7/linux.txt b/requirements/static/pkg/py3.7/linux.txt index 0b88348435b..678c9ca8935 100644 --- a/requirements/static/pkg/py3.7/linux.txt +++ b/requirements/static/pkg/py3.7/linux.txt @@ -92,7 +92,7 @@ timelib==0.2.5 # via -r requirements/static/pkg/linux.in typing-extensions==3.10.0.0 # via importlib-metadata -urllib3==1.26.6 +urllib3==2.0.6 # via requests zc.lockfile==1.4 # via cherrypy diff --git a/requirements/static/pkg/py3.7/windows.txt b/requirements/static/pkg/py3.7/windows.txt index 99733fb8079..60d844351ee 100644 --- a/requirements/static/pkg/py3.7/windows.txt +++ b/requirements/static/pkg/py3.7/windows.txt @@ -130,7 +130,7 @@ typing-extensions==3.10.0.0 # via # gitpython # importlib-metadata -urllib3==1.26.6 +urllib3==2.0.6 # via # -r requirements/windows.txt # requests diff --git a/requirements/static/pkg/py3.8/freebsd.txt b/requirements/static/pkg/py3.8/freebsd.txt index fd731dee62d..ef0df9d3ee5 100644 --- a/requirements/static/pkg/py3.8/freebsd.txt +++ b/requirements/static/pkg/py3.8/freebsd.txt @@ -90,7 +90,7 @@ tempora==4.1.1 # via portend timelib==0.2.5 # via -r requirements/static/pkg/freebsd.in -urllib3==1.26.6 +urllib3==2.0.6 # via requests zc.lockfile==1.4 # via cherrypy diff --git a/requirements/static/pkg/py3.8/linux.txt b/requirements/static/pkg/py3.8/linux.txt index 82dde6a5496..e561616094a 100644 --- a/requirements/static/pkg/py3.8/linux.txt +++ b/requirements/static/pkg/py3.8/linux.txt 
@@ -90,7 +90,7 @@ tempora==4.1.1 # via portend timelib==0.2.5 # via -r requirements/static/pkg/linux.in -urllib3==1.26.6 +urllib3==2.0.6 # via requests zc.lockfile==1.4 # via cherrypy diff --git a/requirements/static/pkg/py3.8/windows.txt b/requirements/static/pkg/py3.8/windows.txt index c1eff89b569..9b2261039a0 100644 --- a/requirements/static/pkg/py3.8/windows.txt +++ b/requirements/static/pkg/py3.8/windows.txt @@ -126,7 +126,7 @@ tempora==4.1.1 # via portend timelib==0.2.5 # via -r requirements/windows.txt -urllib3==1.26.6 +urllib3==2.0.6 # via # -r requirements/windows.txt # requests diff --git a/requirements/static/pkg/py3.9/darwin.txt b/requirements/static/pkg/py3.9/darwin.txt index 2acb0ce7257..f96e4ed8b11 100644 --- a/requirements/static/pkg/py3.9/darwin.txt +++ b/requirements/static/pkg/py3.9/darwin.txt @@ -109,7 +109,7 @@ tempora==4.1.1 # via portend timelib==0.2.5 # via -r requirements/darwin.txt -urllib3==1.26.6 +urllib3==2.0.6 # via requests vultr==1.0.1 # via -r requirements/darwin.txt diff --git a/requirements/static/pkg/py3.9/freebsd.txt b/requirements/static/pkg/py3.9/freebsd.txt index 04cd7193591..ab146d121ab 100644 --- a/requirements/static/pkg/py3.9/freebsd.txt +++ b/requirements/static/pkg/py3.9/freebsd.txt @@ -92,7 +92,7 @@ tempora==4.1.1 # via portend timelib==0.2.5 # via -r requirements/static/pkg/freebsd.in -urllib3==1.26.6 +urllib3==2.0.6 # via requests zc.lockfile==1.4 # via cherrypy diff --git a/requirements/static/pkg/py3.9/linux.txt b/requirements/static/pkg/py3.9/linux.txt index 870ee43ba11..9430433f1b1 100644 --- a/requirements/static/pkg/py3.9/linux.txt +++ b/requirements/static/pkg/py3.9/linux.txt @@ -92,7 +92,7 @@ tempora==4.1.1 # via portend timelib==0.2.5 # via -r requirements/static/pkg/linux.in -urllib3==1.26.6 +urllib3==2.0.6 # via requests zc.lockfile==1.4 # via cherrypy diff --git a/requirements/static/pkg/py3.9/windows.txt b/requirements/static/pkg/py3.9/windows.txt index c9cc3c067dc..2500bf4d1e3 100644 
--- a/requirements/static/pkg/py3.9/windows.txt +++ b/requirements/static/pkg/py3.9/windows.txt @@ -126,7 +126,7 @@ tempora==4.1.1 # via portend timelib==0.2.5 # via -r requirements/windows.txt -urllib3==1.26.6 +urllib3==2.0.6 # via # -r requirements/windows.txt # requests From db4636b4021ffc7b904ea8ee44b944b5b6efdcc9 Mon Sep 17 00:00:00 2001 From: ScriptAutomate Date: Tue, 10 Oct 2023 13:17:18 -0500 Subject: [PATCH 15/17] [3005.4] Update Amazon Linux 2 AMI --- cicd/amis.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cicd/amis.yml b/cicd/amis.yml index 5197c9b51e4..d7792c7ef93 100644 --- a/cicd/amis.yml +++ b/cicd/amis.yml @@ -1,5 +1,5 @@ alma-8-x86_64: ami-0594d7cf435c3d2f7 -amazon-2-x86_64: ami-09682e96e7785642d +amazon-2-x86_64: ami-01cef47eb0f1d5363 arch-lts-x86_64: ami-018a6b479dcb87969 centos-7-x86_64: ami-05764f27cdf8f99e0 centosstream-8-x86_64: ami-02fc0a57f9b1fa4ed From 1184c5ebfaae8458b7ba27c9965adfd9216c311c Mon Sep 17 00:00:00 2001 
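Review bot: The new `amazon-2-x86_64` value in `cicd/amis.yml` is a bare AMI ID, and neither the hunk nor the commit message says which image build it is or which account published it, so a later reader cannot check the pin against its source. If the file is maintained by hand, a trailing comment would carry that, for example `amazon-2-x86_64: ami-01cef47eb0f1d5363  # <image name, owner account, build date>`, with the placeholder filled from the image's metadata. If the file is regenerated by tooling, the same details belong in the commit message instead. The other entries shown as context in this hunk are in the same position.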
From: Megan Wilhite Date: Wed, 11 Oct 2023 08:51:56 -0600 Subject: [PATCH 16/17] [3005.4] Update gitpython to 3.1.37 --- changelog/65383.security | 1 + requirements/darwin.txt | 2 +- requirements/static/ci/common.in | 2 +- requirements/static/ci/py3.10/cloud.txt | 2 +- requirements/static/ci/py3.10/darwin.txt | 2 +- requirements/static/ci/py3.10/docs.txt | 2 +- requirements/static/ci/py3.10/freebsd.txt | 2 +- requirements/static/ci/py3.10/lint.txt | 2 +- requirements/static/ci/py3.10/linux.txt | 2 +- requirements/static/ci/py3.7/cloud.txt | 2 +- requirements/static/ci/py3.7/docs.txt | 2 +- requirements/static/ci/py3.7/freebsd.txt | 2 +- requirements/static/ci/py3.7/lint.txt | 2 +- requirements/static/ci/py3.7/linux.txt | 2 +- requirements/static/ci/py3.7/windows.txt | 2 +- requirements/static/ci/py3.8/cloud.txt | 2 +- requirements/static/ci/py3.8/docs.txt | 2 +- requirements/static/ci/py3.8/freebsd.txt | 2 +- requirements/static/ci/py3.8/lint.txt | 2 +- requirements/static/ci/py3.8/linux.txt | 2 +- requirements/static/ci/py3.8/windows.txt | 2 +- requirements/static/ci/py3.9/cloud.txt | 2 +- requirements/static/ci/py3.9/darwin.txt | 2 +- requirements/static/ci/py3.9/docs.txt | 2 +- requirements/static/ci/py3.9/freebsd.txt | 2 +- requirements/static/ci/py3.9/lint.txt | 2 +- requirements/static/ci/py3.9/linux.txt | 2 +- requirements/static/ci/py3.9/windows.txt | 2 +- requirements/static/pkg/py3.10/darwin.txt | 2 +- requirements/static/pkg/py3.7/windows.txt | 2 +- requirements/static/pkg/py3.8/windows.txt | 2 +- requirements/static/pkg/py3.9/darwin.txt | 2 +- requirements/static/pkg/py3.9/windows.txt | 2 +- requirements/windows.txt | 2 +- 34 files changed, 34 insertions(+), 33 deletions(-) create mode 100644 changelog/65383.security diff --git a/changelog/65383.security b/changelog/65383.security new file mode 100644 index 00000000000..d7a4d86f94d --- /dev/null +++ b/changelog/65383.security 
@@ -0,0 +1 @@ +Bump to `gitpython==3.1.37` due to https://github.com/advisories/GHSA-cwvm-v4w8-q58c diff --git a/requirements/darwin.txt b/requirements/darwin.txt index c723a896dee..e61265a9310 100644 --- a/requirements/darwin.txt +++ b/requirements/darwin.txt @@ -9,7 +9,7 @@ cryptography>=41.0.3 ; python_version >= "3.7" cryptography<=40.0.2 ; python_version == "3.6" cryptography<=3.2.1 ; python_version <= "3.5" gitpython>=2.1.15 ; python_version <= "3.6" -gitpython>=3.1.35 ; python_version >= "3.7" +gitpython>=3.1.37 ; python_version >= "3.7" idna>=2.8 linode-python>=1.1.1 mako>=1.0.7 diff --git a/requirements/static/ci/common.in b/requirements/static/ci/common.in index 6defcad9fde..be3a30727cf 100644 --- a/requirements/static/ci/common.in +++ b/requirements/static/ci/common.in @@ -17,7 +17,7 @@ dnspython docker etcd3-py==0.1.6 ; python_version >= '3.6' gitpython>=2.1.15 ; python_version <= "3.6" -gitpython>=3.1.35 ; python_version >= "3.7" +gitpython>=3.1.37 ; python_version >= "3.7" jmespath jsonschema junos-eznc==2.4.0; sys_platform != 'win32' and python_version <= '3.9' diff --git a/requirements/static/ci/py3.10/cloud.txt b/requirements/static/ci/py3.10/cloud.txt index 6a85808c774..38e94b85a20 100644 --- a/requirements/static/ci/py3.10/cloud.txt +++ b/requirements/static/ci/py3.10/cloud.txt @@ -427,7 +427,7 @@ geomet==0.2.1.post1 # via cassandra-driver gitdb==4.0.7 # via gitpython -gitpython==3.1.35 ; python_version >= "3.7" +gitpython==3.1.37 ; python_version >= "3.7" # via -r requirements/static/ci/common.in google-auth==2.1.0 # via kubernetes diff --git a/requirements/static/ci/py3.10/darwin.txt b/requirements/static/ci/py3.10/darwin.txt index 55b40a44ce8..ac3eede42cf 100644 --- a/requirements/static/ci/py3.10/darwin.txt +++ b/requirements/static/ci/py3.10/darwin.txt 
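Review bot: The `python_version <= "3.6"` line in `requirements/darwin.txt` stays at `gitpython>=2.1.15`, so the raised floor for GHSA-cwvm-v4w8-q58c only binds on 3.7 and later; the same holds for the hunks in `requirements/static/ci/common.in` and `requirements/windows.txt`. This patch's file list also touches no py3.6 lockfile, although the urllib3 patch earlier in the series did, which suggests 3.6 environments keep whatever gitpython they resolved before. If that is because no fixed release installs on 3.6, a comment above the line would record it, for example `# python_version <= "3.6": floor not raised for GHSA-cwvm-v4w8-q58c`. The file continues outside the hunk.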
@@ -428,7 +428,7 @@ geomet==0.1.2 # via cassandra-driver gitdb==4.0.5 # via gitpython -gitpython==3.1.35 ; python_version >= "3.7" +gitpython==3.1.37 ; python_version >= "3.7" # via # -r requirements/darwin.txt # -r requirements/static/ci/common.in diff --git a/requirements/static/ci/py3.10/docs.txt b/requirements/static/ci/py3.10/docs.txt index fd3a8fbb80d..202bdbe0e7c 100644 --- a/requirements/static/ci/py3.10/docs.txt +++ b/requirements/static/ci/py3.10/docs.txt @@ -429,7 +429,7 @@ geomet==0.2.1.post1 # via cassandra-driver gitdb==4.0.7 # via gitpython -gitpython==3.1.35 ; python_version >= "3.7" +gitpython==3.1.37 ; python_version >= "3.7" # via -r requirements/static/ci/common.in google-auth==2.0.1 # via kubernetes diff --git a/requirements/static/ci/py3.10/freebsd.txt b/requirements/static/ci/py3.10/freebsd.txt index 4cbd3c8e568..19f1ff38a06 100644 --- a/requirements/static/ci/py3.10/freebsd.txt +++ b/requirements/static/ci/py3.10/freebsd.txt @@ -425,7 +425,7 @@ geomet==0.2.1.post1 # via cassandra-driver gitdb==4.0.5 # via gitpython -gitpython==3.1.35 ; python_version >= "3.7" +gitpython==3.1.37 ; python_version >= "3.7" # via -r requirements/static/ci/common.in google-auth==1.6.3 # via kubernetes diff --git a/requirements/static/ci/py3.10/lint.txt b/requirements/static/ci/py3.10/lint.txt index 0f1259f7fae..20317a6ff2f 100644 --- a/requirements/static/ci/py3.10/lint.txt +++ b/requirements/static/ci/py3.10/lint.txt @@ -425,7 +425,7 @@ geomet==0.2.1.post1 # via cassandra-driver gitdb==4.0.7 # via gitpython -gitpython==3.1.35 ; python_version >= "3.7" +gitpython==3.1.37 ; python_version >= "3.7" # via -r requirements/static/ci/common.in google-auth==2.0.1 # via kubernetes diff --git a/requirements/static/ci/py3.10/linux.txt b/requirements/static/ci/py3.10/linux.txt index c35ad1305c0..fe495f44a6a 100644 --- a/requirements/static/ci/py3.10/linux.txt +++ b/requirements/static/ci/py3.10/linux.txt 
@@ -439,7 +439,7 @@ geomet==0.1.2 # via cassandra-driver gitdb==4.0.5 # via gitpython -gitpython==3.1.35 ; python_version >= "3.7" +gitpython==3.1.37 ; python_version >= "3.7" # via -r requirements/static/ci/common.in google-auth==1.6.3 # via kubernetes diff --git a/requirements/static/ci/py3.7/cloud.txt b/requirements/static/ci/py3.7/cloud.txt index 23073194403..19755d08874 100644 --- a/requirements/static/ci/py3.7/cloud.txt +++ b/requirements/static/ci/py3.7/cloud.txt @@ -439,7 +439,7 @@ geomet==0.2.1.post1 # via cassandra-driver gitdb==4.0.7 # via gitpython -gitpython==3.1.35 ; python_version >= "3.7" +gitpython==3.1.37 ; python_version >= "3.7" # via -r requirements/static/ci/common.in google-auth==2.1.0 # via kubernetes diff --git a/requirements/static/ci/py3.7/docs.txt b/requirements/static/ci/py3.7/docs.txt index 2b752fc5f40..b432d2f9bc4 100644 --- a/requirements/static/ci/py3.7/docs.txt +++ b/requirements/static/ci/py3.7/docs.txt @@ -443,7 +443,7 @@ geomet==0.2.1.post1 # via cassandra-driver gitdb==4.0.7 # via gitpython -gitpython==3.1.35 ; python_version >= "3.7" +gitpython==3.1.37 ; python_version >= "3.7" # via -r requirements/static/ci/common.in google-auth==2.0.1 # via kubernetes diff --git a/requirements/static/ci/py3.7/freebsd.txt b/requirements/static/ci/py3.7/freebsd.txt index 5d973d41837..9d62e3e5bcd 100644 --- a/requirements/static/ci/py3.7/freebsd.txt +++ b/requirements/static/ci/py3.7/freebsd.txt @@ -437,7 +437,7 @@ geomet==0.2.1.post1 # via cassandra-driver gitdb==4.0.5 # via gitpython -gitpython==3.1.35 ; python_version >= "3.7" +gitpython==3.1.37 ; python_version >= "3.7" # via -r requirements/static/ci/common.in google-auth==1.6.3 # via kubernetes diff --git a/requirements/static/ci/py3.7/lint.txt b/requirements/static/ci/py3.7/lint.txt index c32356af790..b099c2678d0 100644 --- a/requirements/static/ci/py3.7/lint.txt +++ b/requirements/static/ci/py3.7/lint.txt 
@@ -439,7 +439,7 @@ geomet==0.2.1.post1 # via cassandra-driver gitdb==4.0.7 # via gitpython -gitpython==3.1.35 ; python_version >= "3.7" +gitpython==3.1.37 ; python_version >= "3.7" # via -r requirements/static/ci/common.in google-auth==2.0.1 # via kubernetes diff --git a/requirements/static/ci/py3.7/linux.txt b/requirements/static/ci/py3.7/linux.txt index 65ff4877046..cbb48ffc114 100644 --- a/requirements/static/ci/py3.7/linux.txt +++ b/requirements/static/ci/py3.7/linux.txt @@ -451,7 +451,7 @@ geomet==0.1.2 # via cassandra-driver gitdb==4.0.5 # via gitpython -gitpython==3.1.35 ; python_version >= "3.7" +gitpython==3.1.37 ; python_version >= "3.7" # via -r requirements/static/ci/common.in google-auth==1.6.3 # via kubernetes diff --git a/requirements/static/ci/py3.7/windows.txt b/requirements/static/ci/py3.7/windows.txt index d39a2c37020..279b06c7d99 100644 --- a/requirements/static/ci/py3.7/windows.txt +++ b/requirements/static/ci/py3.7/windows.txt @@ -113,7 +113,7 @@ geomet==0.1.2 # via cassandra-driver gitdb==4.0.5 # via gitpython -gitpython==3.1.35 ; python_version >= "3.7" +gitpython==3.1.37 ; python_version >= "3.7" # via # -r requirements/static/ci/common.in # -r requirements/windows.txt diff --git a/requirements/static/ci/py3.8/cloud.txt b/requirements/static/ci/py3.8/cloud.txt index ac77ecc13ff..a768ba3001c 100644 --- a/requirements/static/ci/py3.8/cloud.txt +++ b/requirements/static/ci/py3.8/cloud.txt @@ -437,7 +437,7 @@ geomet==0.2.1.post1 # via cassandra-driver gitdb==4.0.7 # via gitpython -gitpython==3.1.35 ; python_version >= "3.7" +gitpython==3.1.37 ; python_version >= "3.7" # via -r requirements/static/ci/common.in google-auth==2.1.0 # via kubernetes diff --git a/requirements/static/ci/py3.8/docs.txt b/requirements/static/ci/py3.8/docs.txt index a84e86f2156..be504e720ab 100644 --- a/requirements/static/ci/py3.8/docs.txt +++ b/requirements/static/ci/py3.8/docs.txt 
@@ -441,7 +441,7 @@ geomet==0.2.1.post1 # via cassandra-driver gitdb==4.0.7 # via gitpython -gitpython==3.1.35 ; python_version >= "3.7" +gitpython==3.1.37 ; python_version >= "3.7" # via -r requirements/static/ci/common.in google-auth==2.0.1 # via kubernetes diff --git a/requirements/static/ci/py3.8/freebsd.txt b/requirements/static/ci/py3.8/freebsd.txt index 766805cf7ea..7d0ed289f21 100644 --- a/requirements/static/ci/py3.8/freebsd.txt +++ b/requirements/static/ci/py3.8/freebsd.txt @@ -435,7 +435,7 @@ geomet==0.2.1.post1 # via cassandra-driver gitdb==4.0.5 # via gitpython -gitpython==3.1.35 ; python_version >= "3.7" +gitpython==3.1.37 ; python_version >= "3.7" # via -r requirements/static/ci/common.in google-auth==1.6.3 # via kubernetes diff --git a/requirements/static/ci/py3.8/lint.txt b/requirements/static/ci/py3.8/lint.txt index df356e75c32..1f0b59b70a1 100644 --- a/requirements/static/ci/py3.8/lint.txt +++ b/requirements/static/ci/py3.8/lint.txt @@ -437,7 +437,7 @@ geomet==0.2.1.post1 # via cassandra-driver gitdb==4.0.7 # via gitpython -gitpython==3.1.35 ; python_version >= "3.7" +gitpython==3.1.37 ; python_version >= "3.7" # via -r requirements/static/ci/common.in google-auth==2.0.1 # via kubernetes diff --git a/requirements/static/ci/py3.8/linux.txt b/requirements/static/ci/py3.8/linux.txt index 274fde2325f..397d9974198 100644 --- a/requirements/static/ci/py3.8/linux.txt +++ b/requirements/static/ci/py3.8/linux.txt @@ -449,7 +449,7 @@ geomet==0.1.2 # via cassandra-driver gitdb==4.0.5 # via gitpython -gitpython==3.1.35 ; python_version >= "3.7" +gitpython==3.1.37 ; python_version >= "3.7" # via -r requirements/static/ci/common.in google-auth==1.6.3 # via kubernetes diff --git a/requirements/static/ci/py3.8/windows.txt b/requirements/static/ci/py3.8/windows.txt index ed29068ec30..b2fd444ce5e 100644 --- a/requirements/static/ci/py3.8/windows.txt +++ b/requirements/static/ci/py3.8/windows.txt 
@@ -111,7 +111,7 @@ geomet==0.1.2 # via cassandra-driver gitdb==4.0.7 # via gitpython -gitpython==3.1.35 ; python_version >= "3.7" +gitpython==3.1.37 ; python_version >= "3.7" # via # -r requirements/static/ci/common.in # -r requirements/windows.txt diff --git a/requirements/static/ci/py3.9/cloud.txt b/requirements/static/ci/py3.9/cloud.txt index 562928442d7..383f8b43667 100644 --- a/requirements/static/ci/py3.9/cloud.txt +++ b/requirements/static/ci/py3.9/cloud.txt @@ -437,7 +437,7 @@ geomet==0.2.1.post1 # via cassandra-driver gitdb==4.0.7 # via gitpython -gitpython==3.1.35 ; python_version >= "3.7" +gitpython==3.1.37 ; python_version >= "3.7" # via -r requirements/static/ci/common.in google-auth==2.1.0 # via kubernetes diff --git a/requirements/static/ci/py3.9/darwin.txt b/requirements/static/ci/py3.9/darwin.txt index afeec28a1d4..8d5b8786e42 100644 --- a/requirements/static/ci/py3.9/darwin.txt +++ b/requirements/static/ci/py3.9/darwin.txt @@ -438,7 +438,7 @@ geomet==0.1.2 # via cassandra-driver gitdb==4.0.5 # via gitpython -gitpython==3.1.35 ; python_version >= "3.7" +gitpython==3.1.37 ; python_version >= "3.7" # via # -r requirements/darwin.txt # -r requirements/static/ci/common.in diff --git a/requirements/static/ci/py3.9/docs.txt b/requirements/static/ci/py3.9/docs.txt index 8d7fb6f4302..f45ae26401d 100644 --- a/requirements/static/ci/py3.9/docs.txt +++ b/requirements/static/ci/py3.9/docs.txt @@ -439,7 +439,7 @@ geomet==0.2.1.post1 # via cassandra-driver gitdb==4.0.7 # via gitpython -gitpython==3.1.35 ; python_version >= "3.7" +gitpython==3.1.37 ; python_version >= "3.7" # via -r requirements/static/ci/common.in google-auth==2.0.1 # via kubernetes diff --git a/requirements/static/ci/py3.9/freebsd.txt b/requirements/static/ci/py3.9/freebsd.txt index a09f0e7578c..776dd68c96c 100644 --- a/requirements/static/ci/py3.9/freebsd.txt +++ b/requirements/static/ci/py3.9/freebsd.txt 
@@ -435,7 +435,7 @@ geomet==0.2.1.post1 # via cassandra-driver gitdb==4.0.5 # via gitpython -gitpython==3.1.35 ; python_version >= "3.7" +gitpython==3.1.37 ; python_version >= "3.7" # via -r requirements/static/ci/common.in google-auth==1.6.3 # via kubernetes diff --git a/requirements/static/ci/py3.9/lint.txt b/requirements/static/ci/py3.9/lint.txt index e69756544c1..64035f63a0e 100644 --- a/requirements/static/ci/py3.9/lint.txt +++ b/requirements/static/ci/py3.9/lint.txt @@ -435,7 +435,7 @@ geomet==0.2.1.post1 # via cassandra-driver gitdb==4.0.7 # via gitpython -gitpython==3.1.35 ; python_version >= "3.7" +gitpython==3.1.37 ; python_version >= "3.7" # via -r requirements/static/ci/common.in google-auth==2.0.1 # via kubernetes diff --git a/requirements/static/ci/py3.9/linux.txt b/requirements/static/ci/py3.9/linux.txt index 01ca0c0e9e6..e8f73ceb5a4 100644 --- a/requirements/static/ci/py3.9/linux.txt +++ b/requirements/static/ci/py3.9/linux.txt @@ -451,7 +451,7 @@ geomet==0.1.2 # via cassandra-driver gitdb==4.0.5 # via gitpython -gitpython==3.1.35 ; python_version >= "3.7" +gitpython==3.1.37 ; python_version >= "3.7" # via -r requirements/static/ci/common.in google-auth==1.6.3 # via kubernetes diff --git a/requirements/static/ci/py3.9/windows.txt b/requirements/static/ci/py3.9/windows.txt index edc7125397e..b38ad09e31d 100644 --- a/requirements/static/ci/py3.9/windows.txt +++ b/requirements/static/ci/py3.9/windows.txt @@ -111,7 +111,7 @@ geomet==0.1.2 # via cassandra-driver gitdb==4.0.7 # via gitpython -gitpython==3.1.35 ; python_version >= "3.7" +gitpython==3.1.37 ; python_version >= "3.7" # via # -r requirements/static/ci/common.in # -r requirements/windows.txt diff --git a/requirements/static/pkg/py3.10/darwin.txt b/requirements/static/pkg/py3.10/darwin.txt index 9a684e23867..fe43b275dfd 100644 --- a/requirements/static/pkg/py3.10/darwin.txt +++ b/requirements/static/pkg/py3.10/darwin.txt 
@@ -26,7 +26,7 @@ distro==1.5.0 # via -r requirements/base.txt gitdb==4.0.5 # via gitpython -gitpython==3.1.35 ; python_version >= "3.7" +gitpython==3.1.37 ; python_version >= "3.7" # via -r requirements/darwin.txt idna==2.8 # via diff --git a/requirements/static/pkg/py3.7/windows.txt b/requirements/static/pkg/py3.7/windows.txt index 60d844351ee..fc4ea5e330b 100644 --- a/requirements/static/pkg/py3.7/windows.txt +++ b/requirements/static/pkg/py3.7/windows.txt @@ -28,7 +28,7 @@ distro==1.5.0 # via -r requirements/base.txt gitdb==4.0.5 # via gitpython -gitpython==3.1.35 ; python_version >= "3.7" +gitpython==3.1.37 ; python_version >= "3.7" # via -r requirements/windows.txt idna==2.8 # via requests diff --git a/requirements/static/pkg/py3.8/windows.txt b/requirements/static/pkg/py3.8/windows.txt index 9b2261039a0..8cd71504140 100644 --- a/requirements/static/pkg/py3.8/windows.txt +++ b/requirements/static/pkg/py3.8/windows.txt @@ -28,7 +28,7 @@ distro==1.5.0 # via -r requirements/base.txt gitdb==4.0.7 # via gitpython -gitpython==3.1.35 ; python_version >= "3.7" +gitpython==3.1.37 ; python_version >= "3.7" # via -r requirements/windows.txt idna==2.8 # via requests diff --git a/requirements/static/pkg/py3.9/darwin.txt b/requirements/static/pkg/py3.9/darwin.txt index f96e4ed8b11..9614f770903 100644 --- a/requirements/static/pkg/py3.9/darwin.txt +++ b/requirements/static/pkg/py3.9/darwin.txt @@ -26,7 +26,7 @@ distro==1.5.0 # via -r requirements/base.txt gitdb==4.0.5 # via gitpython -gitpython==3.1.35 ; python_version >= "3.7" +gitpython==3.1.37 ; python_version >= "3.7" # via -r requirements/darwin.txt idna==2.8 # via diff --git a/requirements/static/pkg/py3.9/windows.txt b/requirements/static/pkg/py3.9/windows.txt index 2500bf4d1e3..1ed6dfa76b6 100644 --- a/requirements/static/pkg/py3.9/windows.txt +++ b/requirements/static/pkg/py3.9/windows.txt 
@@ -28,7 +28,7 @@ distro==1.5.0 # via -r requirements/base.txt gitdb==4.0.7 # via gitpython -gitpython==3.1.35 ; python_version >= "3.7" +gitpython==3.1.37 ; python_version >= "3.7" # via -r requirements/windows.txt idna==2.8 # via requests diff --git a/requirements/windows.txt b/requirements/windows.txt index 9784054f921..aaa93f5e238 100644 --- a/requirements/windows.txt +++ b/requirements/windows.txt @@ -15,7 +15,7 @@ cryptography>=41.0.3 ; python_version >= "3.7" cryptography<=40.0.2 ; python_version == "3.6" cryptography<=3.2.1 ; python_version <= "3.5" gitpython>=2.1.15 ; python_version <= "3.6" -gitpython>=3.1.35 ; python_version >= "3.7" +gitpython>=3.1.37 ; python_version >= "3.7" ioloop>=0.1a0 libnacl>=1.8.0 lxml>=4.6.3 From 1d983e40188ed2cc577c7d4de1e193d9abe8fa5c Mon Sep 17 00:00:00 2001 From: Megan Wilhite Date: Mon, 16 Oct 2023 13:43:24 -0600 Subject: [PATCH 17/17] Prepare release notes, changelog, and man pages for 3005.4 --- CHANGELOG.md | 13 +++++++++++ changelog/65267.security | 1 - changelog/65334.security | 1 - changelog/65383.security | 1 - changelog/cve-2023-34049.security | 2 -- doc/man/salt-api.1 | 2 +- doc/man/salt-call.1 | 2 +- doc/man/salt-cloud.1 | 2 +- doc/man/salt-cp.1 | 2 +- doc/man/salt-key.1 | 2 +- doc/man/salt-master.1 | 2 +- doc/man/salt-minion.1 | 2 +- doc/man/salt-proxy.1 | 2 +- doc/man/salt-run.1 | 2 +- doc/man/salt-ssh.1 | 2 +- doc/man/salt-syndic.1 | 2 +- doc/man/salt.1 | 2 +- doc/man/salt.7 | 39 ++++++++++++++++++++----------- doc/man/spm.1 | 2 +- doc/topics/releases/3005.4.rst | 17 ++++++++++++++ 20 files changed, 69 insertions(+), 31 deletions(-) delete mode 100644 changelog/65267.security delete mode 100644 changelog/65334.security delete mode 100644 changelog/65383.security delete mode 100644 changelog/cve-2023-34049.security create mode 100644 doc/topics/releases/3005.4.rst diff --git a/CHANGELOG.md b/CHANGELOG.md index f9fca0d973f..221549c4168 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -7,6 +7,19 @@ Versions are `MAJOR.PATCH`.
 # Changelog
+Salt v3005.4 (2023-10-16)
+=========================
+
+Security
+--------
+
+- Fix CVE-2023-34049 by ensuring we do not use a predictable name for the script and correctly check returncode of scp command.
+ This only impacts salt-ssh users using the pre-flight option. (cve-2023-34049)
+- Bump to `cryptography==41.0.4` due to https://github.com/advisories/GHSA-v8gr-m533-ghj9 (#65267)
+- Bump to `urllib3==1.26.17` or `urllib3==2.0.6` due to https://github.com/advisories/GHSA-v845-jxx5-vc9f (#65334)
+- Bump to `gitpython==3.1.37` due to https://github.com/advisories/GHSA-cwvm-v4w8-q58c (#65383)
+
+
 ## Salt v3005.3 (2023-09-14)
 ### Fixed
diff --git a/changelog/65267.security b/changelog/65267.security
deleted file mode 100644
index 15588570ad6..00000000000
--- a/changelog/65267.security
+++ /dev/null
@@ -1 +0,0 @@
-Bump to `cryptography==41.0.4` due to https://github.com/advisories/GHSA-v8gr-m533-ghj9
diff --git a/changelog/65334.security b/changelog/65334.security
deleted file mode 100644
index 9f1e2ecb0a8..00000000000
--- a/changelog/65334.security
+++ /dev/null
@@ -1 +0,0 @@
-Bump to `urllib3==1.26.17` or `urllib3==2.0.6` due to https://github.com/advisories/GHSA-v845-jxx5-vc9f
diff --git a/changelog/65383.security b/changelog/65383.security
deleted file mode 100644
index d7a4d86f94d..00000000000
--- a/changelog/65383.security
+++ /dev/null
@@ -1 +0,0 @@
-Bump to `gitpython==3.1.37` due to https://github.com/advisories/GHSA-cwvm-v4w8-q58c
diff --git a/changelog/cve-2023-34049.security b/changelog/cve-2023-34049.security
deleted file mode 100644
index 6b0ca190a27..00000000000
--- a/changelog/cve-2023-34049.security
+++ /dev/null
@@ -1,2 +0,0 @@
-Fix CVE-2023-34049 by ensuring we do not use a predictable name for the script and correctly check returncode of scp command.
-This only impacts salt-ssh users using the pre-flight option.
diff --git a/doc/man/salt-api.1 b/doc/man/salt-api.1 index c42435a5ec1..f93a4808031 100644 --- a/doc/man/salt-api.1 +++ b/doc/man/salt-api.1 @@ -1,6 +1,6 @@ .\" Man page generated from reStructuredText. . -.TH "SALT-API" "1" "Sep 14, 2023" "3005" "Salt" +.TH "SALT-API" "1" "Oct 16, 2023" "3005" "Salt" .SH NAME salt-api \- salt-api Command . diff --git a/doc/man/salt-call.1 b/doc/man/salt-call.1 index d6778f60f25..2a1ec1051c5 100644 --- a/doc/man/salt-call.1 +++ b/doc/man/salt-call.1 @@ -1,6 +1,6 @@ .\" Man page generated from reStructuredText. . -.TH "SALT-CALL" "1" "Sep 14, 2023" "3005" "Salt" +.TH "SALT-CALL" "1" "Oct 16, 2023" "3005" "Salt" .SH NAME salt-call \- salt-call Documentation . diff --git a/doc/man/salt-cloud.1 b/doc/man/salt-cloud.1 index 54690b7655c..d2906e9ad33 100644 --- a/doc/man/salt-cloud.1 +++ b/doc/man/salt-cloud.1 @@ -1,6 +1,6 @@ .\" Man page generated from reStructuredText. . -.TH "SALT-CLOUD" "1" "Sep 14, 2023" "3005" "Salt" +.TH "SALT-CLOUD" "1" "Oct 16, 2023" "3005" "Salt" .SH NAME salt-cloud \- Salt Cloud Command . diff --git a/doc/man/salt-cp.1 b/doc/man/salt-cp.1 index 1f03be91abe..1c342aa60c0 100644 --- a/doc/man/salt-cp.1 +++ b/doc/man/salt-cp.1 @@ -1,6 +1,6 @@ .\" Man page generated from reStructuredText. . -.TH "SALT-CP" "1" "Sep 14, 2023" "3005" "Salt" +.TH "SALT-CP" "1" "Oct 16, 2023" "3005" "Salt" .SH NAME salt-cp \- salt-cp Documentation . diff --git a/doc/man/salt-key.1 b/doc/man/salt-key.1 index 568a2fd6396..978fa8f106a 100644 --- a/doc/man/salt-key.1 +++ b/doc/man/salt-key.1 @@ -1,6 +1,6 @@ .\" Man page generated from reStructuredText. . -.TH "SALT-KEY" "1" "Sep 14, 2023" "3005" "Salt" +.TH "SALT-KEY" "1" "Oct 16, 2023" "3005" "Salt" .SH NAME salt-key \- salt-key Documentation . diff --git a/doc/man/salt-master.1 b/doc/man/salt-master.1 index 86731be2685..e22e558d2ef 100644 --- a/doc/man/salt-master.1 +++ b/doc/man/salt-master.1 
@@ -1,6 +1,6 @@ .\" Man page generated from reStructuredText. . -.TH "SALT-MASTER" "1" "Sep 14, 2023" "3005" "Salt" +.TH "SALT-MASTER" "1" "Oct 16, 2023" "3005" "Salt" .SH NAME salt-master \- salt-master Documentation . diff --git a/doc/man/salt-minion.1 b/doc/man/salt-minion.1 index b53b93500d0..8cccf72a077 100644 --- a/doc/man/salt-minion.1 +++ b/doc/man/salt-minion.1 @@ -1,6 +1,6 @@ .\" Man page generated from reStructuredText. . -.TH "SALT-MINION" "1" "Sep 14, 2023" "3005" "Salt" +.TH "SALT-MINION" "1" "Oct 16, 2023" "3005" "Salt" .SH NAME salt-minion \- salt-minion Documentation . diff --git a/doc/man/salt-proxy.1 b/doc/man/salt-proxy.1 index b8e82cad1c0..cefa2152540 100644 --- a/doc/man/salt-proxy.1 +++ b/doc/man/salt-proxy.1 @@ -1,6 +1,6 @@ .\" Man page generated from reStructuredText. . -.TH "SALT-PROXY" "1" "Sep 14, 2023" "3005" "Salt" +.TH "SALT-PROXY" "1" "Oct 16, 2023" "3005" "Salt" .SH NAME salt-proxy \- salt-proxy Documentation . diff --git a/doc/man/salt-run.1 b/doc/man/salt-run.1 index 02b286b287e..f710a86474d 100644 --- a/doc/man/salt-run.1 +++ b/doc/man/salt-run.1 @@ -1,6 +1,6 @@ .\" Man page generated from reStructuredText. . -.TH "SALT-RUN" "1" "Sep 14, 2023" "3005" "Salt" +.TH "SALT-RUN" "1" "Oct 16, 2023" "3005" "Salt" .SH NAME salt-run \- salt-run Documentation . diff --git a/doc/man/salt-ssh.1 b/doc/man/salt-ssh.1 index 98a488f2b08..f4c26cb5d55 100644 --- a/doc/man/salt-ssh.1 +++ b/doc/man/salt-ssh.1 @@ -1,6 +1,6 @@ .\" Man page generated from reStructuredText. . -.TH "SALT-SSH" "1" "Sep 14, 2023" "3005" "Salt" +.TH "SALT-SSH" "1" "Oct 16, 2023" "3005" "Salt" .SH NAME salt-ssh \- salt-ssh Documentation . diff --git a/doc/man/salt-syndic.1 b/doc/man/salt-syndic.1 index 19ee5394518..7c981e737a9 100644 --- a/doc/man/salt-syndic.1 +++ b/doc/man/salt-syndic.1 
@@ -1,6 +1,6 @@ .\" Man page generated from reStructuredText. . -.TH "SALT-SYNDIC" "1" "Sep 14, 2023" "3005" "Salt" +.TH "SALT-SYNDIC" "1" "Oct 16, 2023" "3005" "Salt" .SH NAME salt-syndic \- salt-syndic Documentation . diff --git a/doc/man/salt.1 b/doc/man/salt.1 index 2302acd4654..5ee91d6afc9 100644 --- a/doc/man/salt.1 +++ b/doc/man/salt.1 @@ -1,6 +1,6 @@ .\" Man page generated from reStructuredText. . -.TH "SALT" "1" "Sep 14, 2023" "3005" "Salt" +.TH "SALT" "1" "Oct 16, 2023" "3005" "Salt" .SH NAME salt \- salt . diff --git a/doc/man/salt.7 b/doc/man/salt.7 index 295694bb977..2718ffd2bfd 100644 --- a/doc/man/salt.7 +++ b/doc/man/salt.7 @@ -1,6 +1,6 @@ .\" Man page generated from reStructuredText. . -.TH "SALT" "7" "Sep 14, 2023" "3005" "Salt" +.TH "SALT" "7" "Oct 16, 2023" "3005" "Salt" .SH NAME salt \- Salt Documentation . @@ -151127,7 +151127,7 @@ salt \(aq*\(aq cmd.powershell_all "dir mydirectory" force_list=True .UNINDENT .INDENT 0.0 .TP -.B salt.modules.cmdmod.retcode(cmd, cwd=None, stdin=None, runas=None, group=None, shell=\(aq/usr/bin/fish\(aq, python_shell=None, env=None, clean_env=False, template=None, umask=None, output_encoding=None, output_loglevel=\(aqdebug\(aq, log_callback=None, timeout=None, reset_system_locale=True, ignore_retcode=False, saltenv=None, use_vt=False, password=None, success_retcodes=None, success_stdout=None, success_stderr=None, **kwargs) +.B salt.modules.cmdmod.retcode(cmd, cwd=None, stdin=None, runas=None, group=None, shell=\(aq/bin/zsh\(aq, python_shell=None, env=None, clean_env=False, template=None, umask=None, output_encoding=None, output_loglevel=\(aqdebug\(aq, log_callback=None, timeout=None, reset_system_locale=True, ignore_retcode=False, saltenv=None, use_vt=False, password=None, success_retcodes=None, success_stdout=None, success_stderr=None, **kwargs) Execute a shell command and return the command\(aqs return code. .INDENT 7.0 .TP 
@@ -151386,7 +151386,7 @@ salt \(aq*\(aq cmd.retcode "grep f" stdin=\(aqone\entwo\enthree\enfour\enfive\en .UNINDENT .INDENT 0.0 .TP -.B salt.modules.cmdmod.run(cmd, cwd=None, stdin=None, runas=None, group=None, shell=\(aq/usr/bin/fish\(aq, python_shell=None, env=None, clean_env=False, template=None, rstrip=True, umask=None, output_encoding=None, output_loglevel=\(aqdebug\(aq, log_callback=None, hide_output=False, timeout=None, reset_system_locale=True, ignore_retcode=False, saltenv=None, use_vt=False, bg=False, password=None, encoded_cmd=False, raise_err=False, prepend_path=None, success_retcodes=None, success_stdout=None, success_stderr=None, **kwargs) +.B salt.modules.cmdmod.run(cmd, cwd=None, stdin=None, runas=None, group=None, shell=\(aq/bin/zsh\(aq, python_shell=None, env=None, clean_env=False, template=None, rstrip=True, umask=None, output_encoding=None, output_loglevel=\(aqdebug\(aq, log_callback=None, hide_output=False, timeout=None, reset_system_locale=True, ignore_retcode=False, saltenv=None, use_vt=False, bg=False, password=None, encoded_cmd=False, raise_err=False, prepend_path=None, success_retcodes=None, success_stdout=None, success_stderr=None, **kwargs) Execute the passed command and return the output as a string .INDENT 7.0 .TP 
@@ -151767,7 +151767,7 @@ salt \(aq*\(aq cmd.run cmd=\(aqsed \-e s/=/:/g\(aq .UNINDENT .INDENT 0.0 .TP -.B salt.modules.cmdmod.run_all(cmd, cwd=None, stdin=None, runas=None, group=None, shell=\(aq/usr/bin/fish\(aq, python_shell=None, env=None, clean_env=False, template=None, rstrip=True, umask=None, output_encoding=None, output_loglevel=\(aqdebug\(aq, log_callback=None, hide_output=False, timeout=None, reset_system_locale=True, ignore_retcode=False, saltenv=None, use_vt=False, redirect_stderr=False, password=None, encoded_cmd=False, prepend_path=None, success_retcodes=None, success_stdout=None, success_stderr=None, **kwargs) +.B salt.modules.cmdmod.run_all(cmd, cwd=None, stdin=None, runas=None, group=None, shell=\(aq/bin/zsh\(aq, python_shell=None, env=None, clean_env=False, template=None, rstrip=True, umask=None, output_encoding=None, output_loglevel=\(aqdebug\(aq, log_callback=None, hide_output=False, timeout=None, reset_system_locale=True, ignore_retcode=False, saltenv=None, use_vt=False, redirect_stderr=False, password=None, encoded_cmd=False, prepend_path=None, success_retcodes=None, success_stdout=None, success_stderr=None, **kwargs) Execute the passed command and return a dict of return data .INDENT 7.0 .TP 
@@ -152110,7 +152110,7 @@ salt \(aq*\(aq cmd.run_all "grep f" stdin=\(aqone\entwo\enthree\enfour\enfive\en .UNINDENT .INDENT 0.0 .TP -.B salt.modules.cmdmod.run_bg(cmd, cwd=None, runas=None, group=None, shell=\(aq/usr/bin/fish\(aq, python_shell=None, env=None, clean_env=False, template=None, umask=None, timeout=None, output_encoding=None, output_loglevel=\(aqdebug\(aq, log_callback=None, reset_system_locale=True, ignore_retcode=False, saltenv=None, password=None, prepend_path=None, success_retcodes=None, success_stdout=None, success_stderr=None, **kwargs) +.B salt.modules.cmdmod.run_bg(cmd, cwd=None, runas=None, group=None, shell=\(aq/bin/zsh\(aq, python_shell=None, env=None, clean_env=False, template=None, umask=None, timeout=None, output_encoding=None, output_loglevel=\(aqdebug\(aq, log_callback=None, reset_system_locale=True, ignore_retcode=False, saltenv=None, password=None, prepend_path=None, success_retcodes=None, success_stdout=None, success_stderr=None, **kwargs) New in version 2016.3.0. .sp 
@@ -152411,7 +152411,7 @@ salt \(aq*\(aq cmd.run_bg cmd=\(aqls \-lR / | sed \-e s/=/:/g > /tmp/dontwait\(a .UNINDENT .INDENT 0.0 .TP -.B salt.modules.cmdmod.run_chroot(root, cmd, cwd=None, stdin=None, runas=None, group=None, shell=\(aq/usr/bin/fish\(aq, python_shell=True, binds=None, env=None, clean_env=False, template=None, rstrip=True, umask=None, output_encoding=None, output_loglevel=\(aqquiet\(aq, log_callback=None, hide_output=False, timeout=None, reset_system_locale=True, ignore_retcode=False, saltenv=None, use_vt=False, bg=False, success_retcodes=None, success_stdout=None, success_stderr=None, **kwargs) +.B salt.modules.cmdmod.run_chroot(root, cmd, cwd=None, stdin=None, runas=None, group=None, shell=\(aq/bin/zsh\(aq, python_shell=True, binds=None, env=None, clean_env=False, template=None, rstrip=True, umask=None, output_encoding=None, output_loglevel=\(aqquiet\(aq, log_callback=None, hide_output=False, timeout=None, reset_system_locale=True, ignore_retcode=False, saltenv=None, use_vt=False, bg=False, success_retcodes=None, success_stdout=None, success_stderr=None, **kwargs) New in version 2014.7.0. .sp 
@@ -152632,7 +152632,7 @@ salt \(aq*\(aq cmd.run_chroot /var/lib/lxc/container_name/rootfs \(aqsh /tmp/boo .UNINDENT .INDENT 0.0 .TP -.B salt.modules.cmdmod.run_stderr(cmd, cwd=None, stdin=None, runas=None, group=None, shell=\(aq/usr/bin/fish\(aq, python_shell=None, env=None, clean_env=False, template=None, rstrip=True, umask=None, output_encoding=None, output_loglevel=\(aqdebug\(aq, log_callback=None, hide_output=False, timeout=None, reset_system_locale=True, ignore_retcode=False, saltenv=None, use_vt=False, password=None, prepend_path=None, success_retcodes=None, success_stdout=None, success_stderr=None, **kwargs) +.B salt.modules.cmdmod.run_stderr(cmd, cwd=None, stdin=None, runas=None, group=None, shell=\(aq/bin/zsh\(aq, python_shell=None, env=None, clean_env=False, template=None, rstrip=True, umask=None, output_encoding=None, output_loglevel=\(aqdebug\(aq, log_callback=None, hide_output=False, timeout=None, reset_system_locale=True, ignore_retcode=False, saltenv=None, use_vt=False, password=None, prepend_path=None, success_retcodes=None, success_stdout=None, success_stderr=None, **kwargs) Execute a command and only return the standard error .INDENT 7.0 .TP 
@@ -152909,7 +152909,7 @@ salt \(aq*\(aq cmd.run_stderr "grep f" stdin=\(aqone\entwo\enthree\enfour\enfive .UNINDENT .INDENT 0.0 .TP -.B salt.modules.cmdmod.run_stdout(cmd, cwd=None, stdin=None, runas=None, group=None, shell=\(aq/usr/bin/fish\(aq, python_shell=None, env=None, clean_env=False, template=None, rstrip=True, umask=None, output_encoding=None, output_loglevel=\(aqdebug\(aq, log_callback=None, hide_output=False, timeout=None, reset_system_locale=True, ignore_retcode=False, saltenv=None, use_vt=False, password=None, prepend_path=None, success_retcodes=None, success_stdout=None, success_stderr=None, **kwargs) +.B salt.modules.cmdmod.run_stdout(cmd, cwd=None, stdin=None, runas=None, group=None, shell=\(aq/bin/zsh\(aq, python_shell=None, env=None, clean_env=False, template=None, rstrip=True, umask=None, output_encoding=None, output_loglevel=\(aqdebug\(aq, log_callback=None, hide_output=False, timeout=None, reset_system_locale=True, ignore_retcode=False, saltenv=None, use_vt=False, password=None, prepend_path=None, success_retcodes=None, success_stdout=None, success_stderr=None, **kwargs) Execute a command, and only return the standard out .INDENT 7.0 .TP 
@@ -153186,7 +153186,7 @@ salt \(aq*\(aq cmd.run_stdout "grep f" stdin=\(aqone\entwo\enthree\enfour\enfive .UNINDENT .INDENT 0.0 .TP -.B salt.modules.cmdmod.script(source, args=None, cwd=None, stdin=None, runas=None, group=None, shell=\(aq/usr/bin/fish\(aq, python_shell=None, env=None, template=None, umask=None, output_encoding=None, output_loglevel=\(aqdebug\(aq, log_callback=None, hide_output=False, timeout=None, reset_system_locale=True, saltenv=None, use_vt=False, bg=False, password=None, success_retcodes=None, success_stdout=None, success_stderr=None, **kwargs) +.B salt.modules.cmdmod.script(source, args=None, cwd=None, stdin=None, runas=None, group=None, shell=\(aq/bin/zsh\(aq, python_shell=None, env=None, template=None, umask=None, output_encoding=None, output_loglevel=\(aqdebug\(aq, log_callback=None, hide_output=False, timeout=None, reset_system_locale=True, saltenv=None, use_vt=False, bg=False, password=None, success_retcodes=None, success_stdout=None, success_stderr=None, **kwargs) Download a script from a remote location and execute the script locally. The script can be located on the salt master file server or on an HTTP/FTP server. 
@@ -153462,7 +153462,7 @@ salt \(aq*\(aq cmd.script salt://scripts/runme.sh stdin=\(aqone\entwo\enthree\en .UNINDENT .INDENT 0.0 .TP -.B salt.modules.cmdmod.script_retcode(source, args=None, cwd=None, stdin=None, runas=None, group=None, shell=\(aq/usr/bin/fish\(aq, python_shell=None, env=None, template=\(aqjinja\(aq, umask=None, timeout=None, reset_system_locale=True, saltenv=None, output_encoding=None, output_loglevel=\(aqdebug\(aq, log_callback=None, use_vt=False, password=None, success_retcodes=None, success_stdout=None, success_stderr=None, **kwargs) +.B salt.modules.cmdmod.script_retcode(source, args=None, cwd=None, stdin=None, runas=None, group=None, shell=\(aq/bin/zsh\(aq, python_shell=None, env=None, template=\(aqjinja\(aq, umask=None, timeout=None, reset_system_locale=True, saltenv=None, output_encoding=None, output_loglevel=\(aqdebug\(aq, log_callback=None, use_vt=False, password=None, success_retcodes=None, success_stdout=None, success_stderr=None, **kwargs) Download a script from a remote location and execute the script locally. The script can be located on the salt master file server or on an HTTP/FTP server. 
@@ -153687,7 +153687,7 @@ salt \(aq*\(aq cmd.script_retcode salt://scripts/runme.sh stdin=\(aqone\entwo\en .UNINDENT .INDENT 0.0 .TP -.B salt.modules.cmdmod.shell(cmd, cwd=None, stdin=None, runas=None, group=None, shell=\(aq/usr/bin/fish\(aq, env=None, clean_env=False, template=None, rstrip=True, umask=None, output_encoding=None, output_loglevel=\(aqdebug\(aq, log_callback=None, hide_output=False, timeout=None, reset_system_locale=True, ignore_retcode=False, saltenv=None, use_vt=False, bg=False, password=None, prepend_path=None, success_retcodes=None, success_stdout=None, success_stderr=None, **kwargs) +.B salt.modules.cmdmod.shell(cmd, cwd=None, stdin=None, runas=None, group=None, shell=\(aq/bin/zsh\(aq, env=None, clean_env=False, template=None, rstrip=True, umask=None, output_encoding=None, output_loglevel=\(aqdebug\(aq, log_callback=None, hide_output=False, timeout=None, reset_system_locale=True, ignore_retcode=False, saltenv=None, use_vt=False, bg=False, password=None, prepend_path=None, success_retcodes=None, success_stdout=None, success_stderr=None, **kwargs) Execute the passed command and return the output as a string. .sp New in version 2015.5.0. 
@@ -192875,7 +192875,7 @@ Passes through all the parameters described in the \fI\%utils.http.query function\fP: .INDENT 7.0 .TP -.B salt.utils.http.query(url, method=\(aqGET\(aq, params=None, data=None, data_file=None, header_dict=None, header_list=None, header_file=None, username=None, password=None, auth=None, decode=False, decode_type=\(aqauto\(aq, status=False, headers=False, text=False, cookies=None, cookie_jar=None, cookie_format=\(aqlwp\(aq, persist_session=False, session_cookie_jar=None, data_render=False, data_renderer=None, header_render=False, header_renderer=None, template_dict=None, test=False, test_url=None, node=\(aqminion\(aq, port=80, opts=None, backend=None, ca_bundle=None, verify_ssl=None, cert=None, text_out=None, headers_out=None, decode_out=None, stream=False, streaming_callback=None, header_callback=None, handle=False, agent=\(aqSalt/3005.2+47.gf78d44cb11\(aq, hide_fields=None, raise_error=True, formdata=False, formdata_fieldname=None, formdata_filename=None, decode_body=True, **kwargs) +.B salt.utils.http.query(url, method=\(aqGET\(aq, params=None, data=None, data_file=None, header_dict=None, header_list=None, header_file=None, username=None, password=None, auth=None, decode=False, decode_type=\(aqauto\(aq, status=False, headers=False, text=False, cookies=None, cookie_jar=None, cookie_format=\(aqlwp\(aq, persist_session=False, session_cookie_jar=None, data_render=False, data_renderer=None, header_render=False, header_renderer=None, template_dict=None, test=False, test_url=None, node=\(aqminion\(aq, port=80, opts=None, backend=None, ca_bundle=None, verify_ssl=None, cert=None, text_out=None, headers_out=None, decode_out=None, stream=False, streaming_callback=None, header_callback=None, handle=False, agent=\(aqSalt/3005.3+25.g1184c5ebfa\(aq, hide_fields=None, raise_error=True, formdata=False, formdata_fieldname=None, formdata_filename=None, decode_body=True, **kwargs) Query a resource, and decode the return data .UNINDENT .INDENT 7.0 
@@ -448748,7 +448748,7 @@ installed2 .UNINDENT .INDENT 0.0 .TP -.B salt.states.zcbuildout.installed(name, config=\(aqbuildout.cfg\(aq, quiet=False, parts=None, user=None, env=(), buildout_ver=None, test_release=False, distribute=None, new_st=None, offline=False, newest=False, python=\(aq/home/vampas/projects/SaltStack/salt/branches/freeze/.nox/docs\-man\-compress\-true\-update\-true\-clean\-true/bin/python\(aq, debug=False, verbose=False, unless=None, onlyif=None, use_vt=False, loglevel=\(aqdebug\(aq, **kwargs) +.B salt.states.zcbuildout.installed(name, config=\(aqbuildout.cfg\(aq, quiet=False, parts=None, user=None, env=(), buildout_ver=None, test_release=False, distribute=None, new_st=None, offline=False, newest=False, python=\(aq/home/ch3ll/git/salt/.nox/docs\-man\-compress\-false\-update\-true\-clean\-true/bin/python\(aq, debug=False, verbose=False, unless=None, onlyif=None, use_vt=False, loglevel=\(aqdebug\(aq, **kwargs) Install buildout in a specific directory .sp It is a thin wrapper to modules.buildout.buildout @@ -468143,6 +468143,19 @@ Bump to \fIcertifi==2023.07.22\fP due to \fI\%https://github.com/advisories/GHSA .sp Python 3.5 cannot get the updated requirements since certifi no longer supports this python version (#64720) .UNINDENT +.SS Salt 3005.3 Release Notes +.sp +Version 3005.3 is a Bug fix release for 3005\&. +.SS Changed +.INDENT 0.0 +.IP \(bu 2 +Fix __env__ and improve cache cleaning see more info at pull #65017. (#65002) +.UNINDENT +.SS Security +.INDENT 0.0 +.IP \(bu 2 +Update to \fIgitpython>=3.1.35\fP due to \fI\%https://github.com/advisories/GHSA\-wfm5\-v35h\-vwf4\fP and \fI\%https://github.com/advisories/GHSA\-cwvm\-v4w8\-q58c\fP (#65167) +.UNINDENT .SS Salt 3004 Release Notes \- Codename Silicon .SS New Features .SS Transactional System Support (MicroOS) diff --git a/doc/man/spm.1 b/doc/man/spm.1 index a5d2a65458c..a5be93e66a2 100644 --- a/doc/man/spm.1 +++ b/doc/man/spm.1 
@@ -1,6 +1,6 @@ .\" Man page generated from reStructuredText. . -.TH "SPM" "1" "Sep 14, 2023" "3005" "Salt" +.TH "SPM" "1" "Oct 16, 2023" "3005" "Salt" .SH NAME spm \- Salt Package Manager Command .
diff --git a/doc/topics/releases/3005.4.rst b/doc/topics/releases/3005.4.rst
new file mode 100644
index 00000000000..18f904e74a2
--- /dev/null
+++ b/doc/topics/releases/3005.4.rst
@@ -0,0 +1,17 @@
+.. _release-3005-4:
+
+=========================
+Salt 3005.4 Release Notes
+=========================
+
+Version 3005.4 is a CVE security fix release for :ref:`3005 `.
+
+
+Security
+--------
+
+- Fix CVE-2023-34049 by ensuring we do not use a predictable name for the script and correctly check returncode of scp command.
+ This only impacts salt-ssh users using the pre-flight option. (cve-2023-34049)
+- Bump to `cryptography==41.0.4` due to https://github.com/advisories/GHSA-v8gr-m533-ghj9 (#65267)
+- Bump to `urllib3==1.26.17` or `urllib3==2.0.6` due to https://github.com/advisories/GHSA-v845-jxx5-vc9f (#65334)
+- Bump to `gitpython==3.1.37` due to https://github.com/advisories/GHSA-cwvm-v4w8-q58c (#65383)