mirceaulinic

>>> dev.rpc.get('<interfaces xmlns="http://openconfig.net/yang/interfaces"/>')
{u'data': {u'interfaces': {u'interface': [{u'ethernet': {u'state': {u'auto-negotiate': u'false', u'hw-mac-address': u'08:00:27:81:71:e8', u'counters': {u'in-fragment-frames': u'0', u'in-oversize-frames': u'0', u'in-8021q-frames': u'0', u'out-8021q-frames': u'0', u'in-mac-pause-frames': u'0', u'in-jabber-frames': u'0', u'in-crc-errors': u'0', u'out-mac-pause-frames': u'0'}}, u'config': {u'auto-negotiate': u'false'}}, u'state': {u'name': u'MgmtEth0/RP0/CPU0/0', u'oper-status': u'UP', u'enabled': u'true', u'admin-status': u'UP', u'mtu': u'1514', u'ifindex': u'7', u'last-change': u'381', u'counters': {u'out-octets': u'2030950', u'out-errors': u'0', u'in-multicast-pkts': u'0', u'out-broadcast-pkts': u'0', u'in-errors': u'0', u'out-multicast-pkts': u'0', u'in-discards': u'0', u'last-clear': u'Never', u'in-unicast-pkts': u'12773', u'out-unicast-pkts': u'7933', u'out-discards': u'0', u'in-broadcast-pkts': u'2', u'in-unknown-protos': u'0', 

mirceaulinic

>>> dev.rpc.get_config('<interfaces xmlns="http://openconfig.net/yang/interfaces"/>')
{u'data': {u'interfaces': {u'interface': [{u'ethernet': {u'config': {u'auto-negotiate': u'false'}}, u'config': {u'enabled': u'true', u'type': u'idx:ethernetCsmacd', u'name': u'MgmtEth0/RP0/CPU0/0'}, u'name': u'MgmtEth0/RP0/CPU0/0'}, {u'ethernet': {u'config': {u'auto-negotiate': u'false'}}, u'config': {u'enabled': u'false', u'type': u'idx:ethernetCsmacd', u'name': u'GigabitEthernet0/0/0/0'}, u'name': u'GigabitEthernet0/0/0/0'}, {u'ethernet': {u'config': {u'auto-negotiate': u'false'}}, u'config': {u'enabled': u'false', u'type': u'idx:ethernetCsmacd', u'name': u'GigabitEthernet0/0/0/1'}, u'name': u'GigabitEthernet0/0/0/1'}, {u'ethernet': {u'config': {u'auto-negotiate': u'false'}}, u'config': {u'enabled': u'false', u'type': u'idx:ethernetCsmacd', u'name': u'GigabitEthernet0/0/0/2'}, u'name': u'GigabitEthernet0/0/0/2'}, {u'ethernet': {u'config': {u'auto-negotiate': u'false'}}, u'config': {u'enabled': u'false', u'type': u'idx:ethe

mirceaulinic

root@ip-172-31-13-136:~# salt device1 netmiko.send_command "show clock"
device1:
    *11:46:08.849 UTC Tue Mar 21 2017
root@ip-172-31-13-136:~# salt device1 netmiko.send_command "show ip interface brief"
device1:
    Interface              IP-Address      OK? Method Status                Protocol
    GigabitEthernet1       172.31.46.249   YES DHCP   up                    up
root@ip-172-31-13-136:~# salt device1 netmiko.send_command "show interfaces"
device1:
    GigabitEthernet1 is up, line protocol is up

mirceaulinic

[INFO    ] nxos proxy __virtual__() called...
[DEBUG   ] rest_sample proxy __virtual__() called...
[INFO    ] ssh_sample proxy __virtual__() called...
[DEBUG   ] Could not LazyLoad netmiko.grains: 'netmiko.grains' is not available.
[DEBUG   ] starting thread (client mode): 0x40279690L
[DEBUG   ] Local version/idstring: SSH-2.0-paramiko_2.1.2
[DEBUG   ] Remote version/idstring: SSH-2.0-Cisco-1.25
[INFO    ] Connected (version 2.0, client Cisco-1.25)
[DEBUG   ] kex algos:[u'diffie-hellman-group-exchange-sha1', u'diffie-hellman-group14-sha1'] server key:[u'ssh-rsa'] client encrypt:[u'aes128-ctr', u'aes192-ctr', u'aes256-ctr', u'aes128-cbc', u'3des-cbc', u'aes192-cbc', u'aes256-cbc'] server encrypt:[u'aes128-ctr', u'aes192-ctr', u'aes256-ctr', u'aes128-cbc', u'3des-cbc', u'aes192-cbc', u'aes256-cbc'] client mac:[u'hmac-sha1', u'hmac-sha1-96'] server mac:[u'hmac-sha1', u'hmac-sha1-96'] client compress:[u'none'] server compress:[u'none'] client lang:[u''] server lang:[u''] kex follows?False
[DEBUG   ] Kex agreed: d

mirceaulinic

proxy:
    proxytype: netmiko
    device_type: cisco_ios
    host: ip-172-31-46-249
    username: napalm
    password: zzzz

mirceaulinic

$ docker exec -it salt-master bash                                                                                                                                                                        (git) 0dd843a8ba93  salt-47117
root@salt-master:/# salt napalm test.versions_report
napalm:
    Salt Version:
               Salt: 2018.3.0

    Dependency Versions:
               cffi: 1.11.5
           cherrypy: Not Installed
           dateutil: 2.5.3

mirceaulinic

Keybase proof

I hereby claim:

• I am mirceaulinic on github.
• I am mirceaulinic (https://keybase.io/mirceaulinic) on keybase.
• I have a public key whose fingerprint is A17C 1D1C 37DA FF75 E410 4138 3EFF 87F6 091B 4B29

To claim this, I am signing this object:

mirceaulinic

From ac9691f3c86bb7fd27ae84bff620addfbec8853d Mon Sep 17 00:00:00 2001
From: "Daniel A. Wozniak" <dwozniak@saltstack.com>
Date: Fri, 24 Apr 2020 18:01:01 +0000
Subject: [PATCH] CVE-2020-11651 and CVE-2020-11652

---
 salt/master.py           | 58 +++++++++++++++++++++++++++++++++-------
 salt/tokens/localfs.py   |  3 +++
 salt/utils/verify.py     | 57 +++++++++++++++++++++++++++++++++++----
 salt/wheel/config.py     |  8 +++++-

mirceaulinic

root@dev-salt-master02:~# salt-master -l debug
[DEBUG   ] Reading configuration from /etc/salt/master
[DEBUG   ] Changed git to gitfs in master opts' fileserver_backend list
[DEBUG   ] Using cached minion ID from /etc/salt/minion_id: dev-salt-master02.example.com
[INFO    ] Processing `log_handlers.sentry`
[DEBUG   ] Grains refresh requested. Refreshing grains.
[DEBUG   ] Reading configuration from /etc/salt/master
[DEBUG   ] Marking 'http_query' as a jinja filter
[DEBUG   ] Marking 'strftime' as a jinja filter
[DEBUG   ] Marking 'date_format' as a jinja filter

mirceaulinic

{%- set cmd = 'show configuration | display set | match prod-net-master01' %}
{%- set cli = salt.net.cli(cmd) %}
{%- set ret = cli.out[cmd] %}
{%- for line in ret.splitlines() %}
{{ line | replace('set ', 'delete ') }}
{%- endfor %}