Inicio Explorar Axuda
Rexistro Iniciar sesión
nee2c
/
salt
réplica de https://github.com/nee2c/salt.git
1
0
Fork 0
Ficheiros Incidencias 0 Wiki
Rama: 2018.3
Ramas Etiquetas
salt
/
doc
/
topics
/
releases
/
0.17.1.rst

0.17.1.rst 8.1 KB
Permalink Histórico Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260 
  1. =========================
    2. 

  2. Salt 0.17.1 Release Notes
    3. 

  3. =========================
    4. 

  4. 

  5. :release: 2013-10-17
    6. 

  6. 

  7. .. note::
    8. 

  8. 

  9.     THIS RELEASE IS NOT COMPATIBLE WITH PREVIOUS VERSIONS.  If you update your
    10. 

  10.     master to 0.17.1, you must update your minions as well.  Sorry for the
    11. 

  11.     inconvenience -- this is a result of one of the security fixes listed
    12. 

  12.     below.
    13. 

  13. 

  14. The 0.17.1 release comes with a number of improvements to salt-ssh, many
    15. 

  15. bugfixes, and a number of security updates.
    16. 

  16. 

  17. Salt SSH has been improved to be faster, more featureful and more secure.
    18. 

  18. Since the original release of Salt SSH was primarily a proof of concept, it has
    19. 

  19. been very exciting to see its rapid adoption. We appreciate the willingness of
    20. 

  20. security experts to review Salt SSH and help discover oversights and ensure
    21. 

  21. that security issues only exist for such a tiny window of time.
    22. 

  22. 

  23. 

  24. SSH Enhancements
    25. 

  25. ================
    26. 

  26. 

  27. Shell Improvements
    28. 

  28. ------------------
    29. 

  29. 

  30. Improvements to Salt SSH's communication have been added that improve routine
    31. 

  31. execution regardless of the target system's login shell.
    32. 

  32. 

  33. Performance
    34. 

  34. -----------
    35. 

  35. 

  36. Deployment of routines is now faster and takes fewer commands to execute.
    37. 

  37. 

  38. Security Updates
    39. 

  39. ================
    40. 

  40. 

  41. Be advised that these security issues all apply to a small subset of Salt
    42. 

  42. users and mostly apply to Salt SSH.
    43. 

  43. 

  44. Insufficient Argument Validation
    45. 

  45. --------------------------------
    46. 

  46. 

  47. This issue allowed for a user with limited privileges to embed executions
    48. 

  48. inside of routines to execute routines that should be restricted. This applies
    49. 

  49. to users using external auth or client ACL and opening up specific routines.
    50. 

  50. 

  51. Be advised that these patches address the direct issue. Additional commits have
    52. 

  52. been applied to help mitigate this issue from resurfacing.
    53. 

  53. 

  54. CVE
    55. 

  55. ~~~
    56. 

  56. 

  57. CVE-2013-4435
    58. 

  58. 

  59. Affected Versions
    60. 

  60. -----------------
    61. 

  61. 

  62. 0.15.0 - 0.17.0
    63. 

  63. 

  64. Patches
    65. 

  65. ~~~~~~~
    66. 

  66. https://github.com/saltstack/salt/commit/6d8ef68b605fd63c36bb8ed96122a75ad2e80269
    67. 

  67. https://github.com/saltstack/salt/commit/ebdef37b7e5d2b95a01d34b211c61c61da67e46a
    68. 

  68. https://github.com/saltstack/salt/commit/7f190ff890e47cdd591d9d7cefa5126574660824
    69. 

  69. https://github.com/saltstack/salt/commit/8e5afe59cef6743fe5dbd510dcf463dbdfca1ced
    70. 

  70. https://github.com/saltstack/salt/commit/aca78f314481082862e96d4f0c1b75fa382bb885
    71. 

  71. https://github.com/saltstack/salt/commit/6a9752cdb1e8df2c9505ea910434c79d132eb1e2
    72. 

  72. https://github.com/saltstack/salt/commit/b73677435ba54ecfc93c1c2d840a7f9ba6f53410
    73. 

  73. https://github.com/saltstack/salt/commit/07972eb0a6f985749a55d8d4a2e471596591c80d
    74. 

  74. https://github.com/saltstack/salt/commit/1e3f197726aa13ac5c3f2416000089f477f489b5
    75. 

  75. 

  76. Found By
    77. 

  77. ~~~~~~~~
    78. 

  78. 

  79. Feth Arezki, of Majerti
    80. 

  80. 

  81. MITM SSH attack in salt-ssh
    82. 

  82. ---------------------------
    83. 

  83. 

  84. SSH host keys were being accepted by default and not enforced on future SSH
    85. 

  85. connections. These patches set SSH host key checking by default and can be
    86. 

  86. overridden by passing the -i flag to `salt-ssh`.
    87. 

  87. 

  88. CVE
    89. 

  89. ~~~
    90. 

  90. 

  91. CVE-2013-4436
    92. 

  92. 

  93. Affected Versions
    94. 

  94. ~~~~~~~~~~~~~~~~~
    95. 

  95. 

  96. 0.17.0
    97. 

  97. 

  98. Found By
    99. 

  99. ~~~~~~~~
    100. 

  100. 

  101. Michael Scherer, Red Hat
    102. 

  102. 

  103. Insecure Usage of /tmp in salt-ssh
    104. 

  104. ----------------------------------
    105. 

  105. 

  106. The initial release of salt-ssh used the /tmp directory in an insecure way.
    107. 

  107. These patches not only secure usage of files under /tmp in salt-ssh, but
    108. 

  108. also add checksum validation for all packages sent into the now secure
    109. 

  109. locations on target systems.
    110. 

  110. 

  111. CVE
    112. 

  112. ~~~
    113. 

  113. 

  114. CVE-2013-4438
    115. 

  115. 

  116. Affected Versions
    117. 

  117. ~~~~~~~~~~~~~~~~~
    118. 

  118. 

  119. 0.17.0
    120. 

  120. 

  121. Patches
    122. 

  122. ~~~~~~~
    123. 

  123. https://github.com/saltstack/salt/commit/aa4bb77ef230758cad84381dde0ec660d2dc340a
    124. 

  124. https://github.com/saltstack/salt/commit/8f92b6b2cb2e4ec3af8783eb6bf4ff06f5a352cf
    125. 

  125. https://github.com/saltstack/salt/commit/c58e56811d5a50c908df0597a0ba0b643b45ebfd
    126. 

  126. https://github.com/saltstack/salt/commit/0359db9b46e47614cff35a66ea6a6a76846885d2
    127. 

  127. https://github.com/saltstack/salt/commit/4348392860e0fd43701c331ac3e681cf1a8c17b0
    128. 

  128. https://github.com/saltstack/salt/commit/664d1a1cac05602fad2693f6f97092d98a72bf61
    129. 

  129. https://github.com/saltstack/salt/commit/bab92775a576e28ff9db262f32db9cf2375bba87
    130. 

  130. https://github.com/saltstack/salt/commit/c6d34f1acf64900a3c87a2d37618ff414e5a704e
    131. 

  131. 

  132. Found By
    133. 

  133. ~~~~~~~~
    134. 

  134. 

  135. Michael Scherer, Red Hat
    136. 

  136. 

  137. YAML Calling Unsafe Loading Routine
    138. 

  138. -----------------------------------
    139. 

  139. 

  140. It has been argued that this is not a valid security issue, as the YAML loading
    141. 

  141. that was happening was only being called after an initial gateway filter in
    142. 

  142. Salt has already safely loaded the YAML and would fail if non-safe routines
    143. 

  143. were embedded. Nonetheless, the CVE was filed and patches applied.
    144. 

  144. 

  145. CVE
    146. 

  146. ~~~
    147. 

  147. 

  148. CVE-2013-4438
    149. 

  149. 

  150. Patches
    151. 

  151. -------
    152. 

  152. https://github.com/saltstack/salt/commit/339b0a51befae6b6b218ebcb55daa9cd3329a1c5
    153. 

  153. 

  154. Found By
    155. 

  155. ~~~~~~~~
    156. 

  156. 

  157. Michael Scherer, Red Hat
    158. 

  158. 

  159. Failure to Drop Supplementary Group on Salt Master
    160. 

  160. --------------------------------------------------
    161. 

  161. 

  162. If a salt master was started as a non-root user by the root user, root's
    163. 

  163. groups would still be applied to the running process. This fix changes the
    164. 

  164. process to have only the groups of the running user.
    165. 

  165. 

  166. CVE
    167. 

  167. ~~~
    168. 

  168. 

  169. CVE not considered necessary by submitter.
    170. 

  170. 

  171. Affected Versions
    172. 

  172. ~~~~~~~~~~~~~~~~~
    173. 

  173. 

  174. 0.11.0 - 0.17.0
    175. 

  175. 

  176. Patches
    177. 

  177. ~~~~~~~
    178. 

  178. https://github.com/saltstack/salt/commit/b89fa9135822d029795ab1eecd68cce2d1ced715
    179. 

  179. 

  180. Found By
    181. 

  181. ~~~~~~~~
    182. 

  182. 

  183. Michael Scherer, Red Hat
    184. 

  184. 

  185. Failure to Validate Minions Posting Data
    186. 

  186. ----------------------------------------
    187. 

  187. 

  188. This issue allowed a minion to pose as another authorized minion when posting
    189. 

  189. data such as the mine data. All minions now pass through the id challenge
    190. 

  190. before posting such data.
    191. 

  191. 

  192. CVE
    193. 

  193. ~~~
    194. 

  194. 

  195. CVE-2013-4439
    196. 

  196. 

  197. Affected Versions
    198. 

  198. ~~~~~~~~~~~~~~~~~
    199. 

  199. 

  200. 0.15.0 - 0.17.0
    201. 

  201. 

  202. Patches
    203. 

  203. -------
    204. 

  204. https://github.com/saltstack/salt/commit/7b850ff3d07ef6782888914ac4556c01e8a1c482
    205. 

  205. https://github.com/saltstack/salt/commit/151759b2a1e1c6ce29277aa81b054219147f80fd
    206. 

  206. 

  207. Found By
    208. 

  208. ~~~~~~~~
    209. 

  209. 

  210. David Anderson
    211. 

  211. 

  212. Fix Reference
    213. 

  213. =============
    214. 

  214. 

  215. Version 0.17.1 is the first bugfix release for :ref:`0.17.0
    216. 

  216. <release-0-17-0>`.  The changes include:
    217. 

  217. 

  218. - Fix symbolic links in thin.tgz (:issue:`7482`)
    219. 

  219. - Pass env through to file.patch state (:issue:`7452`)
    220. 

  220. - Service provider fixes and reporting improvements (:issue:`7361`)
    221. 

  221. - Add ``--priv`` option for specifying salt-ssh private key
    222. 

  222. - Fix salt-thin's salt-call on setuptools installations (:issue:`7516`)
    223. 

  223. - Fix salt-ssh to support passwords with spaces (:issue:`7480`)
    224. 

  224. - Fix regression in wildcard includes (:issue:`7455`)
    225. 

  225. - Fix salt-call outputter regression (:issue:`7456`)
    226. 

  226. - Fix custom returner support for startup states (:issue:`7540`)
    227. 

  227. - Fix value handling in augeas (:issue:`7605`)
    228. 

  228. - Fix regression in apt (:issue:`7624`)
    229. 

  229. - Fix minion ID guessing to use ``socket.getfqdn()`` first (:issue:`7558`)
    230. 

  230. - Add minion ID caching (:issue:`7558`)
    231. 

  231. - Fix salt-key race condition (:issue:`7304`)
    232. 

  232. - Add ``--include-all`` flag to salt-key (:issue:`7399`)
    233. 

  233. - Fix custom grains in pillar (part of :issue:`5716`, :issue:`6083`)
    234. 

  234. - Fix race condition in salt-key (:issue:`7304`)
    235. 

  235. - Fix regression in minion ID guessing, prioritize ``socket.getfqdn()``
    236. 

  236.   (:issue:`7558`)
    237. 

  237. - Cache minion ID on first guess (:issue:`7558`)
    238. 

  238. - Allow trailing slash in ``file.directory`` state
    239. 

  239. - Fix reporting of file_roots in pillar return (:issue:`5449` and
    240. 

  240.   :issue:`5951`)
    241. 

  241. - Remove pillar matching for mine.get (:issue:`7197`)
    242. 

  242. - Sanitize args for multiple execution modules
    243. 

  243. - Fix yumpkg mod_repo functions to filter hidden args (:issue:`7656`)
    244. 

  244. - Fix conflicting IDs in state includes (:issue:`7526`)
    245. 

  245. - Fix mysql_grants.absent string formatting issue (:issue:`7827`)
    246. 

  246. - Fix postgres.version so it won't return None (:issue:`7695`)
    247. 

  247. - Fix for trailing slashes in mount.mounted state
    248. 

  248. - Fix rogue AttributErrors in the outputter system (:issue:`7845`)
    249. 

  249. - Fix for incorrect ssh key encodings resulting in incorrect key added
    250. 

  250.   (:issue:`7718`)
    251. 

  251. - Fix for pillar/grains naming regression in python renderer (:issue:`7693`)
    252. 

  252. - Fix args/kwargs handling in the scheduler (:issue:`7422`)
    253. 

  253. - Fix logfile handling for `file://`, `tcp://`, and `udp://` (:issue:`7754`)
    254. 

  254. - Fix error handling in config file parsing (:issue:`6714`)
    255. 

  255. - Fix RVM using sudo when running as non-root user (:issue:`2193`)
    256. 

  256. - Fix client ACL and underlying logging bugs (:issue:`7706`)
    257. 

  257. - Fix scheduler bug with returner (:issue:`7367`)
    258. 

  258. - Fix user management bug related to default groups (:issue:`7690`)
    259. 

  259. - Fix various salt-ssh bugs (:issue:`7528`)
    260. 

  260. - Many various documentation fixes
    261.