Home Esplora Aiuto
Registrati Accedi
nee2c
/
salt
mirror da https://github.com/nee2c/salt.git
1
0
Forka 0
File Problemi 0 Wiki
Albero (Tree): 34e17e8139
Rami (Branch) Tag
salt
/
doc
/
topics
/
releases
/
0.15.1.rst

0.15.1.rst 2.5 KB
Cronologia Originale

12345678910111213141516171819202122232425262728293031323334353637383940414243444546474849505152535455565758596061626364656667686970717273747576777879808182838485868788899091 
  1. =========================
    2. 

  2. Salt 0.15.1 Release Notes
    3. 

  3. =========================
    4. 

  4. 

  5. :release: 2013-05-08
    6. 

  6. 

  7. The 0.15.1 release has been posted, this release includes fixes to a number of
    8. 

  8. bugs in 0.15.1 and a three security patches.
    9. 

  9. 

  10. Security Updates
    11. 

  11. ================
    12. 

  12. 

  13. A number of security issues have been resolved via the 0.15.1 release.
    14. 

  14. 

  15. Path Injection in Minion IDs
    16. 

  16. ----------------------------
    17. 

  17. 

  18. Salt masters did not properly validate the id of a connecting minion. This can
    19. 

  19. lead to an attacker uploading files to the master in arbitrary locations.
    20. 

  20. In particular this can be used to bypass the manual validation of new unknown
    21. 

  21. minions. Exploiting this vulnerability does not require authentication.
    22. 

  22. 

  23. This issue affects all known versions of Salt.
    24. 

  24. 

  25. This issue was reported by Ronald Volgers.
    26. 

  26. 

  27. Patch
    28. 

  28. ~~~~~
    29. 

  29. 

  30. The issue is fixed in Salt 0.15.1. Updated packages are available in the usual
    31. 

  31. locations.
    32. 

  32. 

  33. Specific commits:
    34. 

  34. 

  35. https://github.com/saltstack/salt/commit/5427b9438e452a5a8910d9128c6aafb45d8fd5d3
    36. 

  36. 

  37. https://github.com/saltstack/salt/commit/7560908ee62351769c3cd43b03d74c1ca772cc52
    38. 

  38. 

  39. https://github.com/saltstack/salt/commit/e200b8a7ff53780124e08d2bdefde7587e52bfca
    40. 

  40. 

  41. RSA Key Generation Fault
    42. 

  42. ------------------------
    43. 

  43. 

  44. RSA key generation was done incorrectly, leading to very insecure keys. It is
    45. 

  45. recommended to regenerate all RSA keys.
    46. 

  46. 

  47. This issue can be used to impersonate Salt masters or minions, or decrypt any
    48. 

  48. transferred data.
    49. 

  49. 

  50. This issue can only be exploited by attackers who are able to observe or modify
    51. 

  51. traffic between Salt minions and the legitimate Salt master.
    52. 

  52. 

  53. A tool was included in 0.15.1 to assist in mass key regeneration, the
    54. 

  54. manage.regen_keys runner.
    55. 

  55. 

  56. This issue affects all known versions of Salt.
    57. 

  57. 

  58. This issue was reported by Ronald Volgers.
    59. 

  59. 

  60. 

  61. Patch
    62. 

  62. ~~~~~
    63. 

  63. 

  64. The issue is fixed in Salt 0.15.1. Updated packages are available in the usual
    65. 

  65. locations.
    66. 

  66. 

  67. Specific commits:
    68. 

  68. 

  69. https://github.com/saltstack/salt/commit/5dd304276ba5745ec21fc1e6686a0b28da29e6fc
    70. 

  70. 

  71. Command Injection Via ext_pillar
    72. 

  72. --------------------------------
    73. 

  73. 

  74. Arbitrary shell commands could be executed on the master by an authenticated
    75. 

  75. minion through options passed when requesting a pillar.
    76. 

  76. 

  77. Ext pillar options have been restricted to only allow safe external pillars to
    78. 

  78. be called when prompted by the minion.
    79. 

  79. 

  80. This issue affects Salt versions from 0.14.0 to 0.15.0.
    81. 

  81. 

  82. This issue was reported by Ronald Volgers.
    83. 

  83. 

  84. Patch
    85. 

  85. ~~~~~
    86. 

  86. 

  87. The issue is fixed in Salt 0.15.1. Updated packages are available in the usual locations.
    88. 

  88. 

  89. Specific commits:
    90. 

  90. 

  91. https://github.com/saltstack/salt/commit/43d8c16bd26159d827d1a945c83ac28159ec5865
    92.