In T5536, we discovered that widely used exploits for SaltStack had been used to attack dozens of Salt masters through a certain vulnerability. We have found no proof Miraheze was affected, but we did discover that this was only due to luck on our side (a manual upgrade of packages for unrelated reasons), not because unattended-upgrades worked as intended. Even though we are not vulnerable to the Salt exploits (so the immediate danger has been removed), I want to take this opportunity to revise our usage of third-party repositories, as it was a major contributing factor regardless.
Although both paladox and I are responsible for the investigation process, I will be inactive for the rest of this week. I am asking paladox to provide his answers and point of view on the questions below, after which I will add my input and point of view to his.
- Why do we use third-party repositories in general? What is the reason SaltStack depends on one of them?
- If the dependency on the third-party repository was only temporary, shouldn't it have been removed from puppet immediately?
- What is the security impact of third-party repositories? Are there risks we have never considered before?
- Should we consider decreasing (or even prohibiting) the use of these repositories?
- If the answer is 'yes' on either question: for all packages relying on them, can we safely remove the repositories? Why?
- If the answer is 'no' to both, should we discuss this further and make a policy for it? What are important points for such a policy?
- The fix was released multiple days before we found reports of this exploit, could we have been notified sooner? Are we not subscribed to important mailing lists?
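One concrete check behind the "unattended-upgrades did not work as intended" observation: unattended-upgrades only installs updates from archives whose Release metadata matches one of its `Unattended-Upgrade::Origins-Pattern` entries, so a third-party repository is silently left out unless a pattern is added for it. The script below is an added example written for this task, not Miraheze's code or puppet configuration. It parses a constructed sources.list, matches each source's (constructed) Release fields against a constructed origin pattern list using a simplified version of the o=/l=/a=/n=/c= key matching unattended-upgrades performs, and lists hosts outside an assumed first-party set. All hostnames, paths and metadata values are assumptions for illustration.

```python
"""Audit which apt sources unattended-upgrades would actually cover.

Added example (not from the Miraheze task). Inputs are constructed: a
sources.list, per-repository Release metadata as apt would read it, and a
single Origins-Pattern entry modelled on Debian's default security line.
"""
import re
from urllib.parse import urlparse

# Assumed values of the variables unattended-upgrades substitutes into patterns.
DISTRO_VARS = {"distro_id": "Debian", "distro_codename": "buster"}

# Constructed sources.list (hostnames and paths are assumptions).
SOURCES_LIST = """\
# constructed sample; not a real sources.list
deb http://deb.debian.org/debian buster main
deb http://security.debian.org/debian-security buster/updates main
deb [arch=amd64] https://repo.saltstack.com/py3/debian/10/amd64/latest buster main
"""

# Constructed Release metadata per repository base URL.
RELEASE_METADATA = {
    "http://deb.debian.org/debian": {
        "origin": "Debian", "label": "Debian", "suite": "stable", "codename": "buster"},
    "http://security.debian.org/debian-security": {
        "origin": "Debian", "label": "Debian-Security", "suite": "stable", "codename": "buster"},
    "https://repo.saltstack.com/py3/debian/10/amd64/latest": {
        "origin": "SaltStack", "label": "SaltStack", "suite": "buster", "codename": "buster"},
}

# Constructed Unattended-Upgrade::Origins-Pattern list (only the security line).
ORIGINS_PATTERN = ["origin=Debian,codename=${distro_codename},label=Debian-Security"]

# Assumed set of hosts considered first-party for this distribution.
FIRST_PARTY_HOSTS = {"deb.debian.org", "security.debian.org"}

SOURCE_RE = re.compile(r"^deb(?:-src)?\s+(?:\[[^\]]*\]\s+)?(\S+)\s+(\S+)(?:\s+(.*))?$")
# Short keys unattended-upgrades accepts, mapped onto Release field names.
KEY_ALIASES = {"o": "origin", "l": "label", "a": "suite", "archive": "suite",
               "n": "codename", "c": "component"}


def parse_sources(text):
    """Return [{url, suite, components}] for each active deb line."""
    sources = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = SOURCE_RE.match(line)
        if m:
            sources.append({"url": m.group(1).rstrip("/"), "suite": m.group(2),
                            "components": (m.group(3) or "").split()})
    return sources


def expand(pattern):
    """Substitute ${distro_id}/${distro_codename} like unattended-upgrades does."""
    for key, value in DISTRO_VARS.items():
        pattern = pattern.replace("${%s}" % key, value)
    return pattern


def pattern_matches(pattern, meta):
    """Every key=value pair in the pattern must equal the Release field (simplified)."""
    for pair in expand(pattern).split(","):
        key, _, value = pair.partition("=")
        key = KEY_ALIASES.get(key.strip(), key.strip())
        if meta.get(key) != value.strip():
            return False
    return True


def audit(sources, release_metadata, patterns):
    """Map each source URL to whether any origin pattern would cover it."""
    return {src["url"]: any(pattern_matches(p, release_metadata.get(src["url"], {}))
                            for p in patterns)
            for src in sources}


def third_party_hosts(sources, first_party_hosts):
    """Hosts configured in sources.list that are not in the first-party set."""
    return sorted({urlparse(s["url"]).hostname for s in sources} - set(first_party_hosts))


if __name__ == "__main__":
    srcs = parse_sources(SOURCES_LIST)
    for url, covered in audit(srcs, RELEASE_METADATA, ORIGINS_PATTERN).items():
        print(("covered    " if covered else "NOT covered") + "  " + url)
    print("third-party hosts:", third_party_hosts(srcs, FIRST_PARTY_HOSTS))
```

With this pattern list, only the Debian security archive is covered; the SaltStack repository (and the main Debian archive, which Debian's default config covers with a separate `label=Debian` line) would be reported as not covered, which is exactly the state in which a vendor-published security fix never gets applied automatically.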