nixpkgs/pkgs/tools/admin/salt/default.nix
Graham Christensen 379144f54b
salt: 2016.3.3 -> 2016.11.2 for multiple CVEs
From the Arch Linux advisory:

- CVE-2017-5192 (arbitrary code execution): The
  `LocalClient.cmd_batch()` method client does not accept
  `external_auth` credentials and so access to it from salt-api has
  been removed for now. This vulnerability allows code execution for
  already- authenticated users and is only in effect when running
  salt-api as the `root` user.

- CVE-2017-5200 (arbitrary command execution): Salt-api allows
  arbitrary command execution on a salt-master via Salt's ssh_client.
  Users of Salt-API and salt-ssh could execute a command on the salt
  master via a hole when both systems were enabled.
2017-02-08 21:24:10 -05:00

48 lines
1.2 KiB
Nix

{
stdenv, fetchurl, python2Packages, openssl,
# Many Salt modules require various Python modules to be installed,
# passing them in this array enables Salt to find them.
extraInputs ? []
}:
python2Packages.buildPythonApplication rec {
name = "salt-${version}";
version = "2016.11.2";
src = fetchurl {
url = "mirror://pypi/s/salt/${name}.tar.gz";
sha256 = "0hrss5x47cr7ffyjl8jlkhf9j88lqvg7c33rjc5bimck8b7x7hzm";
};
propagatedBuildInputs = with python2Packages; [
futures
jinja2
markupsafe
msgpack
pycrypto
pyyaml
pyzmq
requests
tornado
] ++ extraInputs;
patches = [ ./fix-libcrypto-loading.patch ];
postPatch = ''
substituteInPlace "salt/utils/rsax931.py" \
--subst-var-by "libcrypto" "${openssl.out}/lib/libcrypto.so"
'';
# The tests fail due to socket path length limits at the very least;
# possibly there are more issues but I didn't leave the test suite running
# as is it rather long.
doCheck = false;
meta = with stdenv.lib; {
homepage = https://saltstack.com/;
description = "Portable, distributed, remote execution and configuration management system";
maintainers = with maintainers; [ aneeshusa ];
license = licenses.asl20;
};
}