| 12345678910111213141516171819202122232425262728293031323334353637383940414243444546 |
- ============================
- Salt 2015.5.10 Release Notes
- ============================
- :release: 2015-03-22
- Version 2015.5.10 is a bugfix release for :ref:`2015.5.0 <release-2015-5-0>`.
- Security Fix
- ============
- **CVE-2016-3176** Insecure configuration of PAM external authentication service
- This issue affects all Salt versions prior to 2015.8.8/2015.5.10 when PAM
- :ref:`external authentication <acl-eauth>` is enabled. This issue involves
- passing an alternative PAM authentication service with a command that is sent
- to :ref:`LocalClient <local-client>`, enabling the attacker to bypass the
- configured authentication service. Thank you to Dylan Frese <dmfrese@gmail.com>
- for bringing this issue to our attention.
- This update defines the PAM eAuth ``service`` that users authenticate against
- in the Salt Master configuration.
- No additional fixes are included in this release.
- Read Before Upgrading Debian 8 (Jessie) from Salt Versions Earlier than 2015.5.9
- ================================================================================
- Salt ``systemd`` service files are missing the following statement in these versions:
- .. code-block:: ini
- [Service]
- KillMode=process
- This statement must be added to successfully upgrade on these earlier versions
- of Salt.
- Changelog for v2015.5.9..v2015.5.10
- ===================================
- *Generated at: 2018-05-27 22:39:26 UTC*
- * 69ba1de71d Remove ability of authenticating user to specify pam service
|
