1
0

2015.8.13.rst 880 B

12345678910111213141516171819202122232425
  1. ============================
  2. Salt 2015.8.13 Release Notes
  3. ============================
  4. Version 2015.8.13 is a bugfix release for :ref:`2015.8.0 <release-2015-8-0>`.
  5. Security Fixes
  6. ==============
  7. **CVE-2017-5192** local_batch client external authentication not respected
  8. The ``LocalClient.cmd_batch()`` method client does not accept ``external_auth``
  9. credentials and so access to it from salt-api has been removed for now. This
  10. vulnerability allows code execution for already-authenticated users and is only
  11. in effect when running salt-api as the ``root`` user.
  12. **CVE-2017-5200** Salt-api allows arbitrary command execution on a salt-master
  13. via Salt's ssh_client
  14. Users of Salt-API and salt-ssh could execute a command on the salt master via a
  15. hole when both systems were enabled.
  16. We recommend everyone on the 2015.8 branch upgrade to a patched release as soon
  17. as possible.