Salt 2015.8.13 Release Notes

Version 2015.8.13 is a bugfix release for 2015.8.0.

Security Fixes

CVE-2017-5192: local_batch client external authentication not respected

The LocalClient.cmd_batch() method client does not accept external_auth credentials and so access to it from salt-api has been removed for now. This vulnerability allows code execution for already-authenticated users and is only in effect when running salt-api as the root user.

CVE-2017-5200: Salt-api allows arbitrary command execution on a salt-master via Salt's ssh_client

Users of Salt-API and salt-ssh could execute a command on the salt master via a hole when both systems were enabled.

We recommend everyone on the 2015.8 branch upgrade to a patched release as soon as possible.

Changes for v2015.8.12..v2015.8.13

Extended changelog courtesy of Todd Stansell (https://github.com/tjstansell/salt-changelogs):

Generated at: 2017-01-09T21:17:06Z

Statistics:

  • Total Merges: 3
  • Total Issue references: 3
  • Total PR references: 5

Changes:

  • 3428232 Clean up tests and docs for batch execution
  • 3d8f3d1 Remove batch execution from NetapiClient and Saltnado
  • 97b0f64 Lintfix
  • d151666 Add explanation comment
  • 62f2c87 Add docstring
  • 9b0a786 Explain what it is about and how to configure that
  • 5ea3579 Pick up a specified roster file from the configured locations
  • 3a8614c Disable custom rosters in API
  • c0e5a11 Add roster disable flag

Generated on July 18, 2017 at 06:45:48 MDT.

You are viewing docs for the previous stable release, 2016.3.6. Switch to docs for the latest stable release, 2016.11.6, or to a recent doc build from the develop branch.


saltstack.com

© 2017 SaltStack. All Rights Reserved, SaltStack Inc. | Privacy Policy