Bugzilla – Bug 950738
VUL-1: CVE-2015-6941: salt: win_useradd module and salt-cloud display passwords in debug log
Last modified: 2020-04-01 22:15:41 UTC
https://docs.saltstack.com/en/latest/topics/releases/2015.5.6.html
https://docs.saltstack.com/en/latest/topics/releases/2015.8.1.html

Security Fixes

CVE-2015-6941 - win_useradd module and salt-cloud display passwords in debug log

Updated the win_useradd module return data to no longer include the password of the newly created user. The password is now replaced with the string XXX-REDACTED-XXX.

Updated the Salt Cloud debug output to no longer display win_password and sudo_password authentication credentials. Also updated the Linode driver to no longer display authentication credentials in debug logs. These credentials are now replaced with REDACTED in the debug output.
This probably resulted from upstream review of another security issue we track in our bug 943223.
Fix commit: https://github.com/saltstack/salt/commit/aa71bae8aa7591a775b8c23cdc1615dd927588e2

Fixed upstream in tags:
v2014.7.7
v2015.5.6
v2015.8.1
Rest is discontinued upstream.

Affects openSUSE:13.2:Update/salt 2014.1.11
Affects openSUSE:13.1:Update/salt 0.16.4
Fixed with new upstream version release 2015.8.3, which is in systemsmanagement:saltstack:
https://build.opensuse.org/request/show/347030
and leap update:
https://build.opensuse.org/request/show/347826
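
The redaction described in the release notes quoted above, as an added example that is not Salt's own code and not part of this bug report: a debug-log helper that masks credential fields in a nested configuration before it is formatted, leaving the original data intact. The function names, the set of sensitive keys (beyond `win_password` and `sudo_password`, which the release note names) and the sample configuration are assumptions constructed for illustration.

```python
import copy
import logging

log = logging.getLogger("cloud_example")  # hypothetical logger name

# win_password and sudo_password come from the release note;
# "password" is added here as an assumption.
SENSITIVE_KEYS = frozenset({"password", "win_password", "sudo_password"})
PLACEHOLDER = "REDACTED"


def redact(data, sensitive=SENSITIVE_KEYS, placeholder=PLACEHOLDER):
    """Return a copy of data with the values of sensitive keys masked.

    Walks nested dicts, lists and tuples so a credential buried in a
    sub-section of the config is masked as well. The input is never
    modified, so the real password is still available to the deploy code.
    """
    if isinstance(data, dict):
        return {
            key: placeholder
            if isinstance(key, str) and key.lower() in sensitive
            else redact(value, sensitive, placeholder)
            for key, value in data.items()
        }
    if isinstance(data, (list, tuple)):
        return type(data)(redact(item, sensitive, placeholder) for item in data)
    return copy.deepcopy(data)


def log_vm_config(vm_config):
    """Log a redacted view of vm_config at debug level and return the text."""
    message = "Deploying with config: %r" % (redact(vm_config),)
    log.debug(message)
    return message


# Constructed sample input, not taken from any real deployment.
SAMPLE_VM = {
    "name": "win-build-01",
    "win_username": "Administrator",
    "win_password": "constructed-secret-1",
    "ssh": {"sudo": True, "sudo_password": "constructed-secret-2"},
    "disks": [{"label": "root", "password": "constructed-secret-3"}],
}
```

Redacting a copy at the logging call site, rather than overwriting the value in place, keeps the credential usable by the code that needs it while ensuring that raising the log level to debug does not write it to disk.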