Salt 2015.5.10 Release Notes

Security Fix

CVE-2016-3176: Insecure configuration of PAM external authentication service

This issue affects all Salt versions prior to 2015.8.8/2015.5.10 when PAM external authentication is enabled. This issue involves passing an alternative PAM authentication service with a command that is sent to LocalClient, enabling the attacker to bypass the configured authentication service. Thank you to Dylan Frese <dmfrese@gmail.com> for bringing this issue to our attention.

This update defines the PAM eAuth service that users authenticate against in the Salt Master configuration.

(No additional fixes are contained in this release).

Read Before Upgrading Debian 8 (Jessie) from Salt Versions Earlier than 2015.5.9

Salt systemd service files are missing the following statement in these versions:

[Service]
KillMode=process

This statement must be added to successfully upgrade on these earlier versions of Salt.