1
0

0.15.1.rst 2.5 KB

12345678910111213141516171819202122232425262728293031323334353637383940414243444546474849505152535455565758596061626364656667686970717273747576777879808182838485868788899091
  1. =========================
  2. Salt 0.15.1 Release Notes
  3. =========================
  4. :release: 2013-05-08
  5. The 0.15.1 release has been posted, this release includes fixes to a number of
  6. bugs in 0.15.1 and a three security patches.
  7. Security Updates
  8. ================
  9. A number of security issues have been resolved via the 0.15.1 release.
  10. Path Injection in Minion IDs
  11. ----------------------------
  12. Salt masters did not properly validate the id of a connecting minion. This can
  13. lead to an attacker uploading files to the master in arbitrary locations.
  14. In particular this can be used to bypass the manual validation of new unknown
  15. minions. Exploiting this vulnerability does not require authentication.
  16. This issue affects all known versions of Salt.
  17. This issue was reported by Ronald Volgers.
  18. Patch
  19. ~~~~~
  20. The issue is fixed in Salt 0.15.1. Updated packages are available in the usual
  21. locations.
  22. Specific commits:
  23. https://github.com/saltstack/salt/commit/5427b9438e452a5a8910d9128c6aafb45d8fd5d3
  24. https://github.com/saltstack/salt/commit/7560908ee62351769c3cd43b03d74c1ca772cc52
  25. https://github.com/saltstack/salt/commit/e200b8a7ff53780124e08d2bdefde7587e52bfca
  26. RSA Key Generation Fault
  27. ------------------------
  28. RSA key generation was done incorrectly, leading to very insecure keys. It is
  29. recommended to regenerate all RSA keys.
  30. This issue can be used to impersonate Salt masters or minions, or decrypt any
  31. transferred data.
  32. This issue can only be exploited by attackers who are able to observe or modify
  33. traffic between Salt minions and the legitimate Salt master.
  34. A tool was included in 0.15.1 to assist in mass key regeneration, the
  35. manage.regen_keys runner.
  36. This issue affects all known versions of Salt.
  37. This issue was reported by Ronald Volgers.
  38. Patch
  39. ~~~~~
  40. The issue is fixed in Salt 0.15.1. Updated packages are available in the usual
  41. locations.
  42. Specific commits:
  43. https://github.com/saltstack/salt/commit/5dd304276ba5745ec21fc1e6686a0b28da29e6fc
  44. Command Injection Via ext_pillar
  45. --------------------------------
  46. Arbitrary shell commands could be executed on the master by an authenticated
  47. minion through options passed when requesting a pillar.
  48. Ext pillar options have been restricted to only allow safe external pillars to
  49. be called when prompted by the minion.
  50. This issue affects Salt versions from 0.14.0 to 0.15.0.
  51. This issue was reported by Ronald Volgers.
  52. Patch
  53. ~~~~~
  54. The issue is fixed in Salt 0.15.1. Updated packages are available in the usual locations.
  55. Specific commits:
  56. https://github.com/saltstack/salt/commit/43d8c16bd26159d827d1a945c83ac28159ec5865